持续监控许多服务器运行状况的简单方法？

Question

Alex44

Asked: 2021-11-14 08:26:41 +0800 CST2021-11-14 08:26:41 +0800 CST 2021-11-14 08:26:41 +0800 CST

通过 NGINX 的驾驶舱 - 设置使其他服务无法访问

772

我有一个服务器（Ubuntu-Server），带有一些基于 Docker 的服务器（Gitlab、Redmine）和 NGINX 作为代理。

gitlab.<myserver>    => NGINX -> <docker-net-ip>:port => Gitlab-container  
redmine.<myserver>   => NGINX -> <docker-net-ip>:port => Redmine-container
                                                         SQL-container  
                                                         Certbot

这就像一个魅力。现在我想通过 Cockpit Web Service 扩展我的服务器：

cockpit.<myserver>   => NGINX -> localhost:9090       => Cockpit running on the server  
gitlab.<myserver>    => NGINX -> <docker-net-ip>:port => Gitlab-container  
redmine.<myserver>   => NGINX -> <docker-net-ip>:port => Redmine-container
                                                         SQL-container  
                                                         Certbot

我为驾驶舱添加了一个额外的 NGINX 规则（对应于https://github.com/cockpit-project/cockpit/wiki/Proxying-Cockpit-over-NGINX），然后驾驶舱可用，但 Redmine 和 Gitlab 都没有。如果我删除规则，反之亦然。

在/etc/nginx/sites-available/和/etc/nginx/sites-enabled/中存储了以下 NGINX 规则：

gitlab.<我的服务器>

server {

    listen 80;
    listen [::]:80;

    server_name gitlab.<myserver>;

    location / {
        proxy_pass         http://<docker-net-ip>:port;
        proxy_buffering    off;
        proxy_set_header   X-Real-IP       $remote_addr;
    }
}

redmine.<我的服务器>

server {

    listen 80;
    listen [::]:80;

    server_name redmine.<myserver>;

    location / {
        proxy_pass         http://<docker-net-ip>:port;
        proxy_set_header   Host                $host;
        proxy_set_header   X-Real-IP           $remote_addr;
        proxy_set_header   X-Forwarded-for     $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto   $scheme;
    }
}

现在我添加了：
cockpit.<myserver>

server {
    listen         80;
    listen         443 ssl;

    server_name    cockpit.<myserver>;

    location / {
        # Required to proxy the connection to Cockpit
        proxy_pass https://127.0.0.1:9090;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Required for web sockets to function
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Pass ETag header from Cockpit to clients.
        # See: https://github.com/cockpit-project/cockpit/issues/5239
        gzip off;
    }
}

和/etc/cockpit/cockpit.conf

[WebService]
Origins = https://cockpit.<myserver> 127.0.0.1:9090
ProtocolHeader = X-Forwarded-Proto

[Log]
Fatal = /var/log/cockpit.log

[Session]
IdleTimeout=15

这里缺少什么？

1 个回答

Voted

Alex44 · Answer 1 · 2021-11-15T06:23:35+08:00

这里缺少什么？

并非所有设备都会出现此问题。有些人显示“此连接不安全”。对于 redmine 和 gitlab。但驾驶舱没有。现在谜题的解决方案是，Gitlab 和 Redmine 的规则不完整，https 请求无处可去。

缺少端口 443 (https) 的规则。现在我把块变成了两个：

将http请求重定向到https
监听 https 请求并将它们转发到应用程序

现在看起来像这样：

/etc/nginx/sites-available/gitlab.<myserver>链接到/etc/nginx/sites-enabled/gitlab.<myserver>

# redirect http request to https while keeping the request uri
server {

    listen 80;
    listen [::]:80;

    server_name gitlab.<myserver>;

    return 301 https://gitlab.<myserver>$request_uri;
}

# https requests will forwarded to the server application
server {

    listen 443 ssl;
    listen [::]:443 ssl;

    server_name gitlab.<myserver>;

    location / {
        proxy_pass         http://<docker-net-ip>:<port>;
        proxy_buffering    off;
        proxy_set_header   X-Real-IP       $remote_addr;

        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        gzip off;
    }
}

/etc/nginx/sites-available/redmine.<myserver>链接到/etc/nginx/sites-enabled/redmine.<myserver>

# redirect http request to https while keeping the request uri
server {

    listen 80;
    listen [::]:80;

    server_name redmine.<myserver>;

    return 301 https://redmine.<myserver>$request_uri;
}

# https requests will forwarded to the server application
server {

    listen 443 ssl;
    listen [::]:443 ssl;

    server_name redmine.<myserver>;

    location / {
        proxy_pass         http://<docker-net-ip>:<port>;
        proxy_set_header   Host                $host;
        proxy_set_header   X-Real-IP           $remote_addr;
        proxy_set_header   X-Forwarded-for     $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto   $scheme;

        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        gzip off;
    }
}

/etc/nginx/sites-available/cockpit.<myserver>链接到/etc/nginx/sites-enabled/cockpit.<myserver>

server {
    listen         80;
    listen         443 ssl;

    server_name    cockpit.<myserver>;

    location / {
        # Required to proxy the connection to Cockpit
        proxy_pass https://127.0.0.1:9090;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Required for web sockets to function
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Pass ETag header from Cockpit to clients.
        # See: https://github.com/cockpit-project/cockpit/issues/5239
        gzip off;
    }
}

和/etc/cockpit/cockpit.conf

[WebService]
Origins = https://cockpit.<myserver> 127.0.0.1:9090
ProtocolHeader = X-Forwarded-Proto

[Log]
Fatal = /var/log/cockpit.log

[Session]
IdleTimeout=15

并且为了完成：
/etc/nginx/sites-available/default链接到/etc/nginx/sites-enabled/default

##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or WordPress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    root /var/www/html;

    error_log /opt/logs/certbot_error debug;
}

通过 NGINX 的驾驶舱 - 设置使其他服务无法访问

新安装后 postgres 的默认超级用户用户名/密码是什么？

SFTP 使用什么端口？

命令行列出 Windows Active Directory 组中的用户？

什么是 Pem 文件，它与其他 OpenSSL 生成的密钥文件格式有何不同？

如何确定bash变量是否为空？

通过 NGINX 的驾驶舱 - 设置使其他服务无法访问

1 个回答

相关问题