
我刚刚成功把我的 seafile 安装容器化(dockerized),现在想把它放在反向代理后面,因为我想托管多个服务。但是,nginx 返回了“Bad Gateway(错误网关)”,我无法弄清楚问题出在哪里。

这是工作的 seafile docker-compose.yml(没有反向代理):

# Stand-alone Seafile stack (no reverse proxy): the seafile container itself
# publishes host ports 80 and 443.
version: '2.0'
services:
  # MariaDB has no `ports:` entry, so it is reachable only over seafile-net.
  db:
    image: mariadb:10.1
    container_name: seafile-mysql
    environment:
      # Placeholder value. NOTE(review): use a strong, unique root password
      # and keep the real value out of any committed compose file.
      - MYSQL_ROOT_PASSWORD=password
      - MYSQL_LOG_CONSOLE=true
    volumes:
      - /home/docker-seafile/seafile-mysql/db:/var/lib/mysql
    networks:
      - seafile-net
  memcached:
    image: memcached:1.5.6
    container_name: seafile-memcached
    # -m 256 caps the cache at 256 MB of memory.
    entrypoint: memcached -m 256
    networks:
      - seafile-net
  seafile:
    # NOTE(review): `latest` is a floating tag; pinning a release tag makes
    # upgrades deliberate and the deployment reproducible.
    image: seafileltd/seafile-mc:latest
    container_name: seafile
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /home/docker-seafile/seafile-data:/shared
    environment:
      - DB_HOST=db
      # Same placeholder as MYSQL_ROOT_PASSWORD above; presumably the two must
      # match.
      - DB_ROOT_PASSWD=password
      - TIME_ZONE=Europe/Zurich
      - SEAFILE_ADMIN_EMAIL=info@domain.com
      # Placeholder for the initial admin credential; replace before first
      # start.
      - SEAFILE_ADMIN_PASSWORD=password
      # The container handles its own Let's Encrypt certificate here, which is
      # why it needs host ports 80 and 443 in this layout.
      - SEAFILE_SERVER_LETSENCRYPT=true
      - SEAFILE_SERVER_HOSTNAME=seafile.domain.com
    depends_on:
      - db
      - memcached
    networks:
      - seafile-net
networks:
  seafile-net:

这是 jwilder/proxy 及其 letsencrypt 伴侣容器的 docker-compose.yml:

# Reverse proxy (jwilder/nginx-proxy) plus the Let's Encrypt companion that
# issues certificates for the proxied hosts.
version: '2'
services:
  nginx-proxy:
    # No tag given, so this resolves to the floating `latest` tag.
    image: jwilder/nginx-proxy
    container_name: nginx-proxy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /home/docker-nginx-proxy/conf:/etc/nginx/conf.d
      - /home/docker-nginx-proxy/vhost:/etc/nginx/vhost.d
      - /home/docker-nginx-proxy/html:/usr/share/nginx/html
      - /home/docker-nginx-proxy/dhparam:/etc/nginx/dhparam
      - /home/docker-nginx-proxy/certs:/etc/nginx/certs:ro
      # The Docker socket is what lets the proxy discover containers and
      # regenerate its vhost config.
      # NOTE(review): `:ro` only makes the mount of the socket file read-only;
      # a process that can open the socket can still issue any Docker API
      # call, so this internet-facing container holds host-level control.
      # nginx-proxy's documentation describes a split setup that runs
      # docker-gen in a separate container to keep the socket away from nginx.
      - /var/run/docker.sock:/tmp/docker.sock:ro
    restart: always
  letsencrypt:
    image: jrcs/letsencrypt-nginx-proxy-companion
    container_name: nginx-proxy-le
    depends_on:
      - nginx-proxy
    # Re-uses every volume of nginx-proxy (vhost.d, html, ...).
    volumes_from:
      - nginx-proxy
    volumes:
      # Writable here (read-only in nginx-proxy): the companion writes the
      # issued certificates and private keys into this directory.
      - /home/docker-nginx-proxy/certs:/etc/nginx/certs
      # Same Docker-socket caveat as on the nginx-proxy service.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    restart: always
networks:
  # Both services join the pre-existing `nginx-proxy` network; compose does
  # not create external networks, so it has to exist beforehand.
  default:
    external:
      name: nginx-proxy

这是反向代理后面的 seafile 修改后的 docker-compose.yml:

# Seafile stack as modified to sit behind nginx-proxy (the variant that
# produced the Bad Gateway error described in the question).
version: '2.0'
services:
  db:
    image: mariadb:10.1
    container_name: seafile-mysql
    environment:
      # Placeholder value; replace with a strong secret kept out of version
      # control.
      - MYSQL_ROOT_PASSWORD=password
      - MYSQL_LOG_CONSOLE=true
    volumes:
      - /home/docker-seafile/seafile-mysql/db:/var/lib/mysql
    networks:
      - seafile-net
  memcached:
    image: memcached:1.5.6
    container_name: seafile-memcached
    entrypoint: memcached -m 256
    networks:
      - seafile-net
  seafile:
    image: seafileltd/seafile-mc:latest
    container_name: seafile
    # NOTE(review): this publishes the container's plain-HTTP port 80 on host
    # port 3000, so Seafile stays reachable directly, bypassing the TLS
    # proxy. The answer further down replaces it with `expose: "80"`.
    ports:
      - "3000:80"
    volumes:
      - /home/docker-seafile/seafile-data:/shared # Requested, specifies the path to Seafile data persistent store.
    environment:
      - DB_HOST=db
      - DB_ROOT_PASSWD=password
      - TIME_ZONE=Europe/Zurich
      - SEAFILE_ADMIN_EMAIL=info@domain.com
      - SEAFILE_ADMIN_PASSWORD=password
      - VIRTUAL_HOST=seafile.domain.com
      - VIRTUAL_NETWORK=nginx-proxy
      # NOTE(review): VIRTUAL_PORT names the port inside the container that
      # nginx-proxy should connect to. 3000 is only the published host port;
      # per the "3000:80" mapping the container listens on 80.
      - VIRTUAL_PORT=3000
      - LETSENCRYPT_HOST=seafile.domain.com
      - LETSENCRYPT_EMAIL=info@domain.com
    depends_on:
      - db
      - memcached
    networks:
      # Only the seafile service joins the proxy network; db and memcached
      # stay on the private seafile-net.
      - seafile-net
      - nginx-proxy
networks:
  seafile-net:
  nginx-proxy:
    external: true

有什么想法可能是错的吗?

编辑:

jwilder/proxy 的 nginx 配置如下所示:

root@7a10734e8ba2:/etc/nginx/conf.d# cat default.conf
# http-level settings generated by nginx-proxy; they apply to every vhost
# below unless a server/location block overrides them.
#
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
# NOTE(review): when this proxy is the internet-facing edge, X-Forwarded-Proto
# and X-Forwarded-Port arrive from the client and are forwarded unchanged by
# these maps, so backends should not treat them as proof of an encrypted
# connection.
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
  default $http_x_forwarded_proto;
  ''      $scheme;
}
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
  default $http_x_forwarded_port;
  ''      $server_port;
}
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
# Connection header that may have been passed to this server
map $http_upgrade $proxy_connection {
  default upgrade;
  '' close;
}
# Apply fix for very long server names
server_names_hash_bucket_size 128;
# Default dhparam
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
# Set appropriate X-Forwarded-Ssl header
map $scheme $proxy_x_forwarded_ssl {
  default off;
  https on;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
                 '"$request" $status $body_bytes_sent '
                 '"$http_referer" "$http_user_agent"';
access_log off;
# TLS policy: TLS 1.2/1.3 only, with an AEAD-only cipher list.
                ssl_protocols TLSv1.2 TLSv1.3;
                ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
                ssl_prefer_server_ciphers off;
# Docker's embedded DNS server on user-defined networks.
resolver 127.0.0.11;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
# nginx inherits proxy_set_header from this level only into blocks that set
# none of their own; a location with its own proxy_set_header drops all of
# the headers below, including the httpoxy mitigation.
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
# Catch-all vhosts: a request whose Host matches no configured server_name is
# answered with 503 instead of being routed to some backend.
server {
        server_name _; # This is just an invalid value which will never trigger on a real hostname.
        listen 80;
        access_log /var/log/nginx/access.log vhost;
        return 503;
}
# TLS catch-all; it presents the default certificate rather than a host one.
server {
        server_name _; # This is just an invalid value which will never trigger on a real hostname.
        listen 443 ssl http2;
        access_log /var/log/nginx/access.log vhost;
        return 503;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;
        ssl_certificate /etc/nginx/certs/default.crt;
        ssl_certificate_key /etc/nginx/certs/default.key;
}
# seafile.domain.com
# The upstream group is named after the virtual host. `proxy_pass
# http://seafile.domain.com;` in the HTTPS server block resolves to this
# group, not to the public hostname.
upstream seafile.domain.com {
                                # Cannot connect to network of this container
                                server 127.0.0.1 down;
                                ## Can be connected with "nginx-proxy" network
                        # seafile
                        # The only live member: the seafile container's address on the
                        # nginx-proxy network, on port 80.
                        server 172.19.0.4:80;
}
# Plain-HTTP vhost: serves ACME challenges locally and redirects everything
# else to HTTPS.
server {
        server_name seafile.domain.com;
        listen 80 ;
        access_log /var/log/nginx/access.log vhost;
        # Do not HTTPS redirect Let'sEncrypt ACME challenge
        location /.well-known/acme-challenge/ {
                auth_basic off;
                allow all;
                root /usr/share/nginx/html;
                # Only existing challenge files are served; anything else is 404.
                try_files $uri =404;
                break;
        }
        location / {
                return 301 https://$host$request_uri;
        }
}
# HTTPS vhost: terminates TLS for seafile.domain.com and forwards all requests
# to the upstream group of the same name.
server {
        server_name seafile.domain.com;
        listen 443 ssl http2 ;
        access_log /var/log/nginx/access.log vhost;
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;
        ssl_certificate /etc/nginx/certs/seafile.domain.com.crt;
        ssl_certificate_key /etc/nginx/certs/seafile.domain.com.key;
        ssl_dhparam /etc/nginx/certs/seafile.domain.com.dhparam.pem;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/nginx/certs/seafile.domain.com.chain.pem;
        # HSTS for one year; `always` also sends it on error responses.
        add_header Strict-Transport-Security "max-age=31536000" always;
        include /etc/nginx/vhost.d/default;
        location / {
                # Refers to the `upstream seafile.domain.com` block by name, so the
                # request goes to the container, over plain HTTP on the Docker network.
                proxy_pass http://seafile.domain.com;
        }
}

到http://seafile.domain.com的 proxy_pass看起来不对还是我弄错了?


5 回答 5


我在https://github.com/haiwen/seafile-docker/issues/91的帮助下找到了部分解决方案

seafile 的 docker-compose.yml 现在看起来像这样:

# Seafile stack behind nginx-proxy (partial solution). Secret and e-mail
# values were left blank by the author and must be filled in.
version: '2.0'
services:
  db:
    image: mariadb:10.1
    container_name: seafile-mysql
    environment:
      - MYSQL_ROOT_PASSWORD= 
      - MYSQL_LOG_CONSOLE=true
    volumes:
      - ./seafile-mysql/db:/var/lib/mysql

  memcached:
    image: memcached:1.5.6
    container_name: seafile-memcached
    entrypoint: memcached -m 256

  seafile:
    image: seafileltd/seafile-mc:latest
    container_name: seafile
    # `expose` instead of `ports`: port 80 is reachable from other containers
    # on the network but is not published on the host.
    expose:
      - "80"
    volumes:
      - ./seafile-data:/shared
      # Replaces the image's nginx template with the customised one below.
      - ./seafile.nginx.conf.template:/templates/seafile.nginx.conf.template:ro
    environment:
      - DB_HOST=db
      - DB_ROOT_PASSWD=
      - TIME_ZONE=Europe/Zurich
      - SEAFILE_ADMIN_EMAIL=
      - SEAFILE_ADMIN_PASSWORD=
      - VIRTUAL_HOST=seafile.domain.com
      - VIRTUAL_NETWORK=nginx-proxy
      # Container port that nginx-proxy connects to (matches `expose`).
      - VIRTUAL_PORT=80
      - LETSENCRYPT_HOST=seafile.domain.com
      - LETSENCRYPT_EMAIL=
    depends_on:
      - db
      - memcached
networks:
  # NOTE(review): no service declares its own `networks`, so db and memcached
  # also join the shared nginx-proxy network and are reachable from every
  # other container attached to it. The question's layout kept them on a
  # private seafile-net and attached only seafile to the proxy network.
  default:
    external:
      name: nginx-proxy

以及对应的 seafile.nginx.conf.template

# -*- mode: nginx -*-
# Auto generated at {{ current_timestr }}
# Template for the nginx instance running inside the seafile container. The
# https branches apply only when the container terminates TLS itself.
{% if https -%}
server {
    listen 80;
    server_name _ default_server;

    # allow certbot to connect to challenge location via HTTP Port 80
    # otherwise renewal request will fail
    location /.well-known/acme-challenge/ {
        alias /var/www/challenges/;
        try_files $uri =404;
    }

    location / {
        rewrite ^ https://{{ domain }}$request_uri? permanent;
    }
}
{% endif -%}

server {
{% if https -%}
    listen 443;
    # NOTE(review): `ssl on;` is deprecated in current nginx in favour of
    # `listen 443 ssl;`.
    ssl on;
    ssl_certificate      /shared/ssl/{{ domain }}.crt;
    ssl_certificate_key  /shared/ssl/{{ domain }}.key;

    # NOTE(review): this list still admits 3DES and static-RSA key exchange,
    # and no ssl_protocols is set in this block.
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

    # TODO: More SSL security hardening: ssl_session_tickets & ssl_dhparam
    # ssl_session_tickets on;
    # ssl_session_ticket_key /etc/nginx/sessionticket.key;
    # ssl_session_cache shared:SSL:10m;
    # ssl_session_timeout 10m;
{% else -%}
    listen 80;
{% endif -%}

    server_name {{ domain }};

    client_max_body_size 10m;

    # Seahub web UI. The commented-out lines are the previous values; the
    # active ones take scheme and client address from the headers set by the
    # front proxy instead of from this hop.
    # NOTE(review): that is only sound while this nginx is reachable solely
    # through the front proxy; any client that can connect directly can
    # supply these headers itself.
    location / {
        proxy_pass http://127.0.0.1:8000/;
        proxy_read_timeout 310s;
        proxy_set_header Host $host;
#       proxy_set_header Forwarded "for=$remote_addr;proto=$scheme";
        proxy_set_header Forwarded "for=$proxy_add_x_forwarded_for;proto=$http_x_forwarded_proto";
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#       proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
#       proxy_set_header X-Real-IP $remote_addr;
        # NOTE(review): $proxy_add_x_forwarded_for is the incoming
        # X-Forwarded-For value with this hop's peer address appended, i.e. a
        # comma-separated list rather than one address.
        proxy_set_header X-Real-IP $proxy_add_x_forwarded_for;
        proxy_set_header Connection "";
        proxy_http_version 1.1;

        # 0 disables the request-body size check for this location.
        client_max_body_size 0;
        access_log      /var/log/nginx/seahub.access.log seafileformat;
        error_log       /var/log/nginx/seahub.error.log;
    }

    # File server: the /seafhttp prefix is stripped before proxying to port
    # 8082; very long timeouts and unbuffered requests accommodate large
    # transfers.
    location /seafhttp {
        rewrite ^/seafhttp(.*)$ $1 break;
        proxy_pass http://127.0.0.1:8082;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        client_max_body_size 0;
        proxy_connect_timeout  36000s;
        proxy_read_timeout  36000s;
        proxy_request_buffering off;
        access_log      /var/log/nginx/seafhttp.access.log seafileformat;
        error_log       /var/log/nginx/seafhttp.error.log;
    }

    # WebDAV endpoint, passed to a FastCGI backend on port 8080.
    location /seafdav {
        client_max_body_size 0;
        fastcgi_pass    127.0.0.1:8080;
        fastcgi_param   SCRIPT_FILENAME     $document_root$fastcgi_script_name;
        fastcgi_param   PATH_INFO           $fastcgi_script_name;

        fastcgi_param   SERVER_PROTOCOL     $server_protocol;
        fastcgi_param   QUERY_STRING        $query_string;
        fastcgi_param   REQUEST_METHOD      $request_method;
        fastcgi_param   CONTENT_TYPE        $content_type;
        fastcgi_param   CONTENT_LENGTH      $content_length;
        fastcgi_param   SERVER_ADDR         $server_addr;
        fastcgi_param   SERVER_PORT         $server_port;
        fastcgi_param   SERVER_NAME         $server_name;

        access_log      /var/log/nginx/seafdav.access.log seafileformat;
        error_log       /var/log/nginx/seafdav.error.log;
    }

    # Static assets served straight from the Seahub directory.
    location /media {
        root /opt/seafile/seafile-server-latest/seahub;
    }

    # For letsencrypt
    location /.well-known/acme-challenge/ {
        alias /var/www/challenges/;
        try_files $uri =404;
    }
}

这样,可以通过代理访问 seafile.domain.com。但是,客户端仍然无法同步,可能是因为 fastcgi。https://github.com/haiwen/seafile-docker/issues/91#issuecomment-549025051提到了一个开放的拉取请求,希望能解决这个问题。

于 2020-03-01T12:03:00.390 回答

我努力使用 jwilder nginx-proxy 和 letencrypt 伴侣来设置一个新的空 seafile-mc 7.0.5。我遇到了bad gateway错误。

我采用了这里的答案:https://stackoverflow.com/a/60474891/2744870 (也就是本问题下的一个回答)。

它允许 Web 界面工作,但不能同步。

我添加了我之前与 docker seafile server 6.2.5 一起使用的配置,现在它同步了。

配置位于:https://github.com/dgleba/proxy457/blob/master/vol/nginx/vhost.d/s.dg.gleba.com

这也是这里。

#
# for seafile.  ./vol/nginx/vhost.d/s.dg.gleba.com
#
# Per-host snippet: it is scoped to this one virtual host, so the relaxed
# limits below do not apply to other sites behind the same proxy.
  location /seafhttp {
      # Strip the /seafhttp prefix, then proxy to the file server on 8082 of
      # the seafile3 container (resolved by name on the Docker network).
      rewrite ^/seafhttp(.*)$ $1 break;
      proxy_pass http://seafile3:8082;
      # 0 disables the request-body size check (the setting that matters for
      # uploads).
      client_max_body_size 0;
      proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
      # 36000s = 10 hours, so slow or very large transfers are not cut off.
      proxy_connect_timeout  36000s;
      proxy_read_timeout  36000s;
      proxy_send_timeout  36000s;
      send_timeout  36000s;
  }

下面链接的 repo 是我用来运行 seafile-mc 7.0.5 的。请参阅https://github.com/dgleba/proxy457/blob/master/docker-compose.yml中的 seafile3 服务

我不确定我放在 ./vol/nginx/vhost.d/s.dg.gleba.com 中的配置是否是好的做法。

可能需要进一步调查,但 webui、同步客户端和上传显然正在运行。

更新:

我在 webui 系统管理中的 SERVICE_URL 和 FILE_SERVER_ROOT 中有错字,这阻止了 webui 中的文件上传和相机上传,但现在可以正常工作。我认为这一切都有效。

更新 2:

我现在收到错误:please check the network在 seahub webui 中。这是随机的。我可能在这里配置错误。

于 2020-04-04T15:40:27.917 回答

我想出了如何在自动生成的 nginx 配置的底部添加一个块。

关键部分如下。如果有兴趣,我可以发布一个完整的示例。

最后两个卷挂载用于加载我编辑过的 nginx2.tmpl,其中包含覆盖配置段。

# This is part of docker-compose.yml
  jproxy:
  # docker-compose pull nproxy to update...
    image: jwilder/nginx-proxy:alpine
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # NOTE(review): `:ro` does not restrict what can be done through the
      # Docker API; a process that can open this socket can control the host's
      # containers, and this container is the internet-facing one.
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - ./vol/nginx/certs:/etc/nginx/certs:ro
      - ./vol/nginx/html:/usr/share/nginx/html
      - ./vol/nginx/vhost.d:/etc/nginx/vhost.d:ro
      # - ./vol/nginx/conf.d:/etc/nginx/conf.d/
      - ./vol/nginx/conf.d/my_proxy.conf:/etc/nginx/conf.d/my_proxy.conf:ro
      # Edited copy of the stock template, and the directory it includes.
      # NOTE(review): unlike the mounts above these two are writable from
      # inside the container; `:ro` looks sufficient here - confirm.
      - ./nginx2.tmpl:/app/nginx.tmpl
      - ./vol/nginx/jwilder-nginx-override:/etc/nginx/jwilder-nginx-override
    labels:
      # Marks this container as the proxy for the Let's Encrypt companion.
      com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true"
    restart: always

我在标准的 jwilder/nginx-proxy nginx.tmpl 底部添加了一行,并将其命名为 nginx2.tmpl

# added to bottom of `nginx.tmpl`
# Every *.conf file in this directory becomes part of the generated nginx
# configuration, so the directory should be writable only by the
# administrator.
include /etc/nginx/jwilder-nginx-override/*.conf;

因此 /etc/nginx/jwilder-nginx-override/ 中的任何 .conf 文件都将逐字添加到生成的配置文件中。

这样就可以完全控制一些主机。您为该主机提供整个配置。

为这个 seafile 主机添加了以下配置。


# 82 for seafile4 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  # sf4.example.com
  # commented out..  upstream sf4.example.com {..}

  # Hand-written upstream for the seafile4 container's web UI.
  # NOTE(review): the address is a fixed container IP; the /seafhttp location
  # in the HTTPS server block uses the service name `seafile4` instead, which
  # does not depend on the container keeping this IP.
  upstream sf4.example.com {
            # proxy457d_seafile4_1
           server 172.27.0.30:14191;
            # server 172.27.0.30:8000;
            # server 172.27.0.30:8082;
            # server 172.21.0.20:80;
  }

  # Plain-HTTP vhost: serves ACME challenge files locally and redirects every
  # other request to HTTPS.
  server {
    server_name sf4.example.com;
    listen 80 ;

    access_log /var/log/nginx/access.log vhost;
    # Do not HTTPS redirect LetsEncrypt ACME challenge
    location /.well-known/acme-challenge/ {
      auth_basic off;
      allow all;
      root /usr/share/nginx/html;
      # Only existing challenge files are served; anything else is 404.
      try_files $uri =404;
      break;
    }

    #rewrite ^ https://$http_host$request_uri? permanent; # force redirect http to https

    location / {
      return 301 https://$host$request_uri;
    }

    # Hide the nginx version in error pages and the Server header.
    server_tokens off; 
  }
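  # HTTPS vhost for sf4.example.com: terminates TLS, proxies the web UI to the
  # upstream of the same name and /seafhttp to the Seafile file server.
  server {
    server_name sf4.example.com;
    listen 443 ssl;
    # `ssl on;` is deprecated; the `ssl` flag on `listen` enables TLS.
    access_log /var/log/nginx/access.log vhost;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_certificate /etc/nginx/certs/sf4.example.com.crt;
    ssl_certificate_key /etc/nginx/certs/sf4.example.com.key;
    ssl_dhparam /etc/nginx/certs/sf4.example.com.dhparam.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/certs/sf4.example.com.chain.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and the previous cipher list
    # admitted CBC/SHA-1, SEED and CAMELLIA suites. Only TLS 1.2/1.3 with
    # forward-secret AEAD suites are offered now, the same policy as in
    # nginx-proxy's generated default.conf.
    # see https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    # Every remaining suite is acceptable, so the client may choose.
    ssl_prefer_server_ciphers off;
    # Not inherited by the locations below: nginx passes proxy_set_header
    # down only to blocks that define none of their own.
    proxy_set_header X-Forwarded-For $remote_addr;
    # `always` also sends the HSTS header on error responses.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    server_tokens off;

    # Web UI: forwarded to the `upstream sf4.example.com` group by name.
    location / {
      proxy_pass http://sf4.example.com;
      proxy_set_header   Host $host;
      proxy_set_header   X-Real-IP $remote_addr;
      proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header   X-Forwarded-Host $server_name;
      proxy_set_header   X-Forwarded-Proto https;
      proxy_read_timeout 36001s;
      # 0 disables the request-body size check for this vhost only.
      client_max_body_size 0;
    }
    # File server: strip the /seafhttp prefix and proxy to port 8082 of the
    # seafile4 container, resolved by name on the Docker network.
    location /seafhttp {
        rewrite ^/seafhttp(.*)$ $1 break;
        # proxy_pass http://172.27.0.30:8082;
        # proxy_pass http://sf4.example.com:8082;
        proxy_pass http://seafile4:8082;
        client_max_body_size 0;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        # Roughly ten-hour timeouts so long transfers are not cut off.
        proxy_read_timeout 36001s;
        proxy_connect_timeout  36000s;
        proxy_send_timeout  36000s;
        send_timeout  36000s;
    }
    #location /media {
    #    root /home/user/haiwen/seafile-server-latest/seahub;
    #}
  }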
# 82 for seafile4 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

于 2020-05-26T16:47:10.707 回答

我找到了网络问题的解决办法:jwilder 代理的问题在于 client_max_body_size。它没有被设置,所以最大上传大小是 1M。

我通过代理容器的 docker-compose.yml 中的新文件和新行解决了它。在这里查看完整的解释:

https://github.com/strahli30/HowTo-use-Docker-Seafile-Plex-NGINX

简而言之:

  • 新建一个文件夹mkdir nginx.template

  • 创建一个新文件sudo nano nginx.template/client_max_body_size.conf

  • 此文件中的一行:client_max_body_size 0;(0 表示不限制请求体大小;放在 conf.d 中时,该设置会对代理后面的所有站点生效)

  • 在 jwilder/nginx-proxy:alpine 的 docker-compose.yml 卷中,这一行: ./nginx.template/client_max_body_size.conf:/etc/nginx/conf.d/client_max_body_size.conf:ro

重启 Seafile 和 Nginx 后一切正常!:-)

于 2022-03-06T00:26:15.070 回答

我得到了网络问题的解决方案 jwilder 的问题是 client_max_body_size。没有设置所以最大上传是1M。

我通过代理容器的 docker-compose.yml 中的新文件和新行解决了它。在这里查看完整的解释:

https://github.com/strahli30/HowTo-use-Docker-Seafile-Plex-NGINX

简而言之:

新建一个文件夹mkdir nginx.template

创建一个新文件sudo nano nginx.template/client_max_body_size.conf

此文件中的一行:client_max_body_size 0;(0 表示不限制请求体大小;放在 conf.d 中时,该设置会对代理后面的所有站点生效)

在 jwilder/nginx-proxy:alpine 的 docker-compose.yml 卷中,这一行:

./nginx.template/client_max_body_size.conf:/etc/nginx/conf.d/client_max_body_size.conf:ro

重启 Seafile 和 Nginx 后一切正常!:-)

于 2020-08-03T23:06:57.427 回答