Preface
The server's internal network runs a Nacos cluster (3 nodes). Exposing it to the public internet and restricting access to the company network would require configuring the IP whitelist three times, so the process is simplified: an nginx reverse proxy sits in front and the IP whitelist is configured only once.
The environment is simulated here with Docker containers on a single cloud server.
nacos cluster docker-compose.yaml
The port configuration is as follows:
version: "3.0"
# nginx only needs the IPs and ports, so the rest of the configuration is omitted here; see the author's Nacos chapter for the full Nacos setup
# image: nacos/nacos-server:v2.5.0
# volumes, restart, healthcheck: omitted
# environment: cluster mode with MySQL persistence; MySQL and JAVA_OPTS settings: omitted
services:
  nacos1:
    hostname: nacos1
    container_name: nacos1
    environment:
      - NACOS_SERVERS=172.20.0.2:8848 172.20.0.3:8848 172.20.0.4:8848
      - NACOS_SERVER_IP=172.20.0.2
    ports:
      - "8248:8848" # http
      - "9248:9848" # grpc
      - "7248:7848"
      - "9249:9849"
    networks:
      nacos_cluster_network:
        ipv4_address: 172.20.0.2
  nacos2:
    hostname: nacos2
    container_name: nacos2
    environment:
      - NACOS_SERVERS=172.20.0.2:8848 172.20.0.3:8848 172.20.0.4:8848
      - NACOS_SERVER_IP=172.20.0.3
    ports:
      - "8348:8848"
      - "9348:9848"
      - "7348:7848"
      - "9349:9849"
    networks:
      nacos_cluster_network:
        ipv4_address: 172.20.0.3
  nacos3:
    hostname: nacos3
    container_name: nacos3
    environment:
      - NACOS_SERVERS=172.20.0.2:8848 172.20.0.3:8848 172.20.0.4:8848
      - NACOS_SERVER_IP=172.20.0.4
    ports:
      - "8448:8848"
      - "9448:9848"
      - "7448:7848"
      - "9449:9849"
    networks:
      nacos_cluster_network:
        ipv4_address: 172.20.0.4
networks:
  nacos_cluster_network:
    ipam:
      config:
        - subnet: 172.20.0.0/16
Nginx configuration
docker-compose.yaml
services:
  nginx:
    image: nginx:latest
    container_name: nginx
    restart: always
    ports:
      - "8848:80" # host port 8848 -> container port 80
    volumes:
      - ./conf/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./conf.d:/etc/nginx/conf.d:ro
      - ./html:/usr/share/nginx/html:ro
      - ./logs:/var/log/nginx
    networks:
      nginx_docker_network:
        ipv4_address: 172.16.0.30
networks:
  nginx_docker_network:
    external: true
    name: docker_network
nginx's ./conf/nginx.conf
In an nginx conf file every directive except `{` and `}` must end with `;`, and comments start with `#`. This article only configures the public/internal network part; for load balancing, caching, rate limiting, black/white lists, static file serving, static/dynamic separation, hotlink protection, CORS and high availability, see the author's Nginx series.
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include /etc/nginx/mime.types; # include the MIME type table
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"'; # log format: main is the format name, the string before it is the format itself
    access_log /var/log/nginx/access.log main; # log file, using the main format defined above
    sendfile on;
    keepalive_timeout 65;
    client_max_body_size 500m;
    include /etc/nginx/conf.d/*.conf; # include the proxy config files; must be inside the http block
}
Nacos reverse proxy configuration, ./conf.d/nacos_cluster.conf
upstream nacos_http {
    server 172.20.0.2:8848;
    server 172.20.0.3:8848;
    server 172.20.0.4:8848;
}
upstream nacos_grpc {
    server 172.20.0.2:9848 max_fails=3 fail_timeout=30s;
    server 172.20.0.3:9848 max_fails=3 fail_timeout=30s;
    server 172.20.0.4:9848 max_fails=3 fail_timeout=30s;
}
server {
    listen 80; # remember: this is the container's port 80, not the host's 8848
    # gRPC only runs over HTTP/2; with nginx 1.25.1+ (nginx:latest) "http2 on;" lets this
    # plaintext port serve both HTTP/1.1 browsers and h2c gRPC clients
    http2 on;
    server_name 117.77.200.222; # public IP or domain name; this server already has an IP whitelist, so access from other addresses is refused
    location /nacos/ {
        proxy_pass http://nacos_http/nacos/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # extra setting Nacos needs
        proxy_set_header X-Forwarded-Proto $scheme;
        # settings added for the Nacos web console and API
        proxy_connect_timeout 30s;
        proxy_read_timeout 120s;
        proxy_send_timeout 120s;
        # WebSocket support (if you use 2.x)
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    # gRPC proxy
    location / {
        grpc_pass grpc://nacos_grpc;
        # gRPC settings
        grpc_connect_timeout 30s;
        grpc_read_timeout 120s;
        grpc_send_timeout 120s;
        # required headers (proxy_set_header has no effect on grpc_pass; use grpc_set_header)
        grpc_set_header Host $host;
        grpc_set_header X-Real-IP $remote_addr;
        grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    # health check endpoint
    location /nacos/actuator/health {
        proxy_pass http://nacos_http/nacos/actuator/health;
        access_log off;
    }
}
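Because the upstream addresses in nacos_cluster.conf are typed by hand, a mismatch with the NACOS_SERVERS list in the compose file (a wrong node IP, a gRPC port that is not main port + 1000, a misspelled upstream name) only shows up as 502s at runtime. The following check is an added example, not part of the original post: a hypothetical helper that reads the two files' relevant lines (constructed copies embedded inline) and reports every inconsistency.

```python
import re

# Constructed inputs: just the lines the check reads, copied from the files above
COMPOSE_ENV = """\
- NACOS_SERVERS=172.20.0.2:8848 172.20.0.3:8848 172.20.0.4:8848
- NACOS_SERVER_IP=172.20.0.2
- NACOS_SERVER_IP=172.20.0.3
- NACOS_SERVER_IP=172.20.0.4
"""
NGINX_CONF = """\
upstream nacos_http { server 172.20.0.2:8848; server 172.20.0.3:8848; server 172.20.0.4:8848; }
upstream nacos_grpc { server 172.20.0.2:9848 max_fails=3 fail_timeout=30s;
                      server 172.20.0.3:9848; server 172.20.0.4:9848; }
server { location /nacos/ { proxy_pass http://nacos_http/nacos/; }
         location / { grpc_pass grpc://nacos_grpc; } }
"""
UPSTREAM_RE = re.compile(r"upstream\s+(\w+)\s*\{(.*?)\}", re.S)
SERVER_RE = re.compile(r"\bserver\s+([\d.]+):(\d+)")
PASS_RE = re.compile(r"(?:proxy|grpc)_pass\s+\w+://(\w+)")

def parse_upstreams(conf):
    """Map each upstream name to the set of (ip, port) it balances over."""
    return {name: {(ip, int(p)) for ip, p in SERVER_RE.findall(body)}
            for name, body in UPSTREAM_RE.findall(conf)}

def parse_cluster(compose):
    """Return the NACOS_SERVERS members as (ip, port) plus the NACOS_SERVER_IP set."""
    members = set()
    for line in re.findall(r"NACOS_SERVERS=([^\n]+)", compose):
        for item in line.split():
            ip, port = item.split(":")
            members.add((ip, int(port)))
    return members, set(re.findall(r"NACOS_SERVER_IP=([\d.]+)", compose))

def check_proxy_config(conf, compose, grpc_offset=1000):
    """Return human-readable mismatches; an empty list means the two files agree."""
    upstreams, problems = parse_upstreams(conf), []
    members, node_ips = parse_cluster(compose)
    for ip in sorted(node_ips - {ip for ip, _ in members}):
        problems.append(f"NACOS_SERVER_IP {ip} is not listed in NACOS_SERVERS")
    for name in sorted(set(PASS_RE.findall(conf)) - set(upstreams)):
        problems.append(f"upstream {name} is referenced but never declared")
    if upstreams.get("nacos_http", set()) != members:
        problems.append("nacos_http servers differ from NACOS_SERVERS")
    # Nacos 2.x clients speak gRPC on main port + 1000 (8848 -> 9848), so the
    # gRPC upstream must mirror the HTTP members with that offset applied
    if upstreams.get("nacos_grpc", set()) != {(ip, p + grpc_offset) for ip, p in members}:
        problems.append(f"nacos_grpc servers differ from NACOS_SERVERS + {grpc_offset}")
    return problems
```

Run it against the real files (read them in place of the embedded strings) before reloading nginx; an empty list means every pass target, node IP and gRPC port line up.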
Verification
The sharp-eyed reader may have noticed: why is port 8848 requested rather than port 80? Breaking the request flow down:
Browser requests http://117.77.200.222:8848/nacos/ (public internet)
↓
Host firewall allows port 8848
↓
Docker maps host port 8848 to port 80 of the nginx container
↓
Nginx listens on port 80 inside the container and receives the request
↓
Nginx proxies the request to nacos_http (172.20.0.[2-4]:8848) according to its configuration
↓
Response is returned
References
If you run into problems, leave a comment for the author.