AskOverflow.Dev
polymath's questions

polymath
Asked: 2021-09-02 17:07:36 +0800 CST

How to prevent remote access in iptables

  • 2

I have set up iptables with docker-compose, but whitelisting only the IP addresses I want doesn't seem to work, because the server is still getting remote access attempts:

Connection matched pg_hba.conf line 95: "host all all all md5"
2021-09-01 21:36:42.132 UTC [8821] FATAL:  password authentication failed for user "postgres"
2021-09-01 21:36:42.132 UTC [8821] DETAIL:  Role "postgres" does not exist.

How do I fix my iptables so it is set up correctly? What am I doing wrong here?

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s xxx.xxx.xx.xx/xx -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -s xxx.xxx.xx.xx/xx -p tcp -m tcp --dport 5432 -j ACCEPT
(where xxx.xxx.xx.xx/xx are the removed IP addresses)
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-1de8a78b46b8 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-1de8a78b46b8 -j DOCKER
-A FORWARD -i br-1de8a78b46b8 ! -o br-1de8a78b46b8 -j ACCEPT
-A FORWARD -i br-1de8a78b46b8 -o br-1de8a78b46b8 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 5432 -m iprange --src-range 82.208.14.110-82.208.14.119 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 5432 -j REJECT --reject-with icmp-port-unreachable
-A DOCKER -d 172.18.0.2/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 6379 -j ACCEPT
-A DOCKER -d 172.18.0.3/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 2368 -j ACCEPT
-A DOCKER -d 172.18.0.4/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 5432 -j ACCEPT
-A DOCKER -d 172.18.0.5/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 5900 -j ACCEPT
-A DOCKER -d 172.18.0.5/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 4444 -j ACCEPT
-A DOCKER -d 172.18.0.8/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 8000 -j ACCEPT
-A DOCKER -d 172.18.0.9/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.18.0.9/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.18.0.6/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 9300 -j ACCEPT
-A DOCKER -d 172.18.0.6/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 9200 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-1de8a78b46b8 ! -o br-1de8a78b46b8 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-1de8a78b46b8 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN

Edit:

This is my docker-compose configuration:

  postgres:
    image: "postgres:12.1"
    env_file:
      - '.env'
    ports:
      - '5432:5432' # removed 127.0.0.1: - adding firewalls in iptables

    restart: "${DOCKER_RESTART_POLICY:-unless-stopped}"
    stop_grace_period: "${DOCKER_STOP_GRACE_PERIOD:-3s}"
    volumes:
      - postgres:/var/lib/postgresql/data
      - /opt/ghost_postgres:/var/lib/postgres
    networks: 
      - esnet

  redis:
    image: redis:5.0.6-alpine
    command: redis-server --requirepass "${REDIS_PASS}"
    restart: "${DOCKER_RESTART_POLICY:-unless-stopped}"
    stop_grace_period: "${DOCKER_STOP_GRACE_PERIOD:-3s}"
    ports:
      - '6379:6379'
    volumes:
      - redis:/var/lib/redis/data
    networks: 
      - esnet


  prosebit:
    build: 
      context: "."
      args:
        - "FLASK_ENV=${FLASK_ENV:-production}"
        - "NODE_ENV=${NODE_ENV:-production}"
    depends_on:
      - "postgres"
      - "redis"
    env_file:
      - ".env"
    ports:
      - "${DOCKER_WEB_PORT:-127.0.0.1:8000}:8000"
    restart: "${DOCKER_RESTART_POLICY:-unless-stopped}"
    stop_grace_period: "${DOCKER_STOP_GRACE_PERIOD:-3s}"
    volumes:
      - "${DOCKER_WEB_VOLUME:-./public:/app/public}"
    networks:
      - esnet
      
  web: 
    depends_on:
      - prosebit
    restart: always
    build:
      context: ../nginx #added /deploy for development, remove for production
      dockerfile: Dockerfile
    volumes:
      ...
    ports:
      - 80:80
      - 443:443
    networks:
      - "esnet"


  celery:
    build: 
      context: "."
      args: 
        - "FLASK_ENV=${FLASK_ENV:-production}"
        - "NODE_ENV=${NODE_ENV:-production}"
    command: celery worker -B -l info -A 
    # env_file was listed twice in this service; YAML mappings must not repeat a key
    env_file:
      - ".env"
    depends_on:
      - "postgres"
      - "redis"
    restart: "${DOCKER_RESTART_POLICY:-unless-stopped}"
    stop_grace_period: "${DOCKER_STOP_GRACE_PERIOD:-3s}"
    volumes:
      - "${DOCKER_WEB_VOLUME:-./public:/app/public}"
    networks:
      - "esnet"
firewall iptables
  • 1 answer
  • 140 views
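The rule ordering behind the symptom above, as an added example that is not part of the question or of any answer to it. A packet for a port published by Docker is DNATed to the container and then traverses FORWARD, not INPUT, so the two INPUT allow rules for 5432 never see it. Inside FORWARD it reaches Docker's own "-o br-... -j DOCKER" jump, where the DOCKER chain ACCEPTs anything addressed to 172.18.0.4:5432, long before the two rules appended at the end of FORWARD. Docker reserves the DOCKER-USER chain, jumped to as the very first FORWARD rule and left alone when Docker rewrites its other chains, for exactly this. The script below installs an allow-list there. It assumes the public interface is eth0 (not stated in the question) and uses documentation address ranges as placeholders for the redacted networks; setting IPT=echo prints the rules instead of installing them.

```shell
#!/bin/sh
# Added example, not from the question: lock a Docker-published port down in
# the DOCKER-USER chain. Docker jumps to DOCKER-USER as the first rule of
# FORWARD, so rules placed there run before the DOCKER chain ACCEPTs the
# DNATed packet; rules appended to the end of FORWARD (as in the question)
# are never reached, and INPUT never sees this traffic at all.
#
# Assumptions (not in the question): the public interface is eth0, and the
# networks passed to apply_pg_allowlist are placeholders. Set IPT=echo for a
# dry run that prints the rules instead of installing them.
set -eu

IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-eth0}"
PG_PORT="${PG_PORT:-5432}"

# Accept "a.b.c.d" or "a.b.c.d/len" only, so a typo cannot silently become
# an accept-from-anywhere rule.
valid_cidr() {
    case "$1" in
        ""|*[!0-9./]*) return 1 ;;
    esac
    addr="${1%%/*}"
    plen="${1#*/}"
    [ "$addr" != "$1" ] || plen=32            # no "/": treat as a single host
    [ "$plen" -ge 0 ] 2>/dev/null && [ "$plen" -le 32 ] || return 1
    set -- $(printf '%s\n' "$addr" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Install the allow-list at the top of DOCKER-USER. Everything is inserted at
# position 1, DROP first, so the chain ends up reading:
#   ACCEPT net-N ... ACCEPT net-1, DROP, RETURN (Docker's own rule stays last)
apply_pg_allowlist() {
    for cidr in "$@"; do
        valid_cidr "$cidr" || { echo "refusing bad CIDR: $cidr" >&2; return 1; }
    done
    # Match the pre-DNAT destination port through conntrack so the rule still
    # applies if the host port and the container port ever differ.
    match="-i $EXT_IF -p tcp -m conntrack --ctstate NEW --ctorigdstport $PG_PORT"
    $IPT -I DOCKER-USER 1 $match -j DROP
    for cidr in "$@"; do
        $IPT -I DOCKER-USER 1 $match -s "$cidr" -j ACCEPT
    done
}

# Usage: sh this-script.sh 203.0.113.0/24 198.51.100.7   (placeholder networks)
if [ "$#" -gt 0 ]; then
    apply_pg_allowlist "$@"
fi
```

Check the result with "iptables -S DOCKER-USER": the ACCEPT lines must sit above the DROP and Docker's RETURN stays last. Docker does not persist DOCKER-USER across reboots, so the call belongs wherever the rest of the ruleset is restored. The simpler alternative, when nothing outside the host needs Postgres, is to put the 127.0.0.1: prefix back in the compose ports entry so the port is never published at all; with pg_hba.conf line "host all all all md5" accepting every address, the firewall is the only thing between the internet and the password prompt.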
polymath
Asked: 2020-09-07 02:19:28 +0800 CST

Clicking a link in a subdirectory proxy_pass returns 404 in NGINX

  • 0

OK, I'll do my best to explain this. I have successfully set up a subdirectory location /blog/ on a server block (Website A) example.com, which successfully displays my blog from the subdomain server block (Website B) blog.example.com.au at example.com/blog/.

However, when I click any link on the example.com/blog/ home page, it shows Website A's 404 when it should link to the article on Website B.

Desired behaviour: when example.com/blog/article is displayed, the link to blog.example.com/article appears as example.com/blog/article.

Actual behaviour: when example.com/blog/article is displayed, the link appears as example.com/article, and example.com/article shows a 404.

I want to make sure /blog/ appears on every request that is passed to Website B through the /blog/ location block.

This is my current server block for Website A serving the blog from Website B:

server {
  server_name example.com;

...

  location ^~ /blog/ {
      proxy_pass https://blog.example.com.au/;
      proxy_set_header Host blog.example.com.au;
  }

  # This is needed to correctly serve static files for Website B and not have same 404 behaviour as explained above
  location /assets/ {
    proxy_pass https://blog.example.com.au/assets/;
  }

  # This is needed to correctly serve static files for Website B and not have same 404 behaviour as explained above
  location /content/ {
    proxy_pass http://blog.example.com.au/content/;
  }
}

In case it helps, Website A and Website B are both reverse proxied and work perfectly in the same conf file:

upstream Website_A {
  server Website_A:8000;
}

upstream Website_B {
    server Website_B:2368;
}

...
nginx reverse-proxy ghost-blog
  • 1 answer
  • 477 views
polymath
Asked: 2019-07-07 19:30:29 +0800 CST

Why does nginx only serve the http address?

  • 0

Although I'm new to nginx, almost everything seems to be working well. The only problem is that when I try to access the site with an https:// address, it takes 30-60 seconds to load, whereas typing http:// redirects to https:// and loads in a few seconds.

I'm sure this has something to do with my nginx conf file, but I can't see where the problem is and would appreciate some fresh eyes. Is there a problem with how I reference my ssl context?

upstream custodian {
  # The web application.
  server custodian:8000;
}

server {
  listen 80;
  server_name custodian.fund www.custodian.fund;
  root /var/www/letsencrypt;

  location /.well-known/acme-challenge/ {
    default_type "text/plain";

    try_files $uri =404;
  }

  location / {
    return 301 https://custodian.fund$request_uri;
  }
}

server {

  listen 443 ssl;
  server_name custodian.fund;

  # Static asset path, which is read from the custodian container's VOLUME.
  root /custodian/static;

  # Ensure timeouts are equal across browsers and raise the max content-length size.
  keepalive_timeout 60;
  client_max_body_size 5m;

  # SSL goodness.
  # "ssl on;" is deprecated since nginx 1.15.0 (removed in 1.25.1); "listen 443 ssl" above already enables TLS.
  ssl                       on;
  ssl_certificate /etc/ssl/private/custodian.fund.pem;
  ssl_certificate_key /etc/ssl/custodian.fund.key;
  ssl_trusted_certificate /etc/ssl/private/custodian.fund.pem;
  # TLSv1 and TLSv1.1 are deprecated (RFC 8996); allow only TLSv1.2 (and TLSv1.3 where the build supports it) in production.
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
  ssl_dhparam /etc/ssl/dhparam.pem;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:50m;
  ssl_session_timeout 5m;
  ssl_stapling on;
  ssl_stapling_verify on;
  resolver 8.8.8.8;
  resolver_timeout 5s;
  add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";


 # ssl_certificate /etc/ssl/certs/productionexample.crt;
 # ssl_certificate_key /etc/ssl/private/productionexample.key;


  # Disallow access to hidden files and directories.
  location ~ /\. {
    return 404;
    access_log off;
    log_not_found off;
  }

  # Allow optionally writing an index.html file to take precedence over the upstream.
  try_files $uri $uri/index.html $uri.html @custodian;

  # Attempt to load the favicon or fall back to status code 204.
  location = /favicon.ico {
    try_files /favicon.ico =204;   # the status fallback is a single token, "=204"
    access_log off;
    log_not_found off;
  }

  # Load the web app back end with proper headers.
  location @custodian {
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $http_host;
networking
  • 1 answer
  • 72 views
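A way to localise the delay described above, as an added example that is not from the question or from any answer to it. curl can report the moment each phase of a request completed, so one slow https:// fetch and one fast http:// fetch side by side show whether the 30-60 seconds go to name resolution, the TCP connect, the TLS handshake, or waiting on the upstream; the posted configuration alone cannot tell those apart. The 2-second threshold and the URL in the trailing usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the question: split one HTTPS request into phases
# with curl's timing variables so a slow page load can be attributed to DNS,
# the TCP connect, the TLS handshake, or the upstream (time to first byte).
# The 2-second threshold is an assumption; pass a second argument to change it.
set -eu

# classify_timing "namelookup connect appconnect starttransfer total" [threshold]
# The five numbers are cumulative seconds exactly as curl -w prints them; each
# phase is the difference from the previous timestamp. Prints the earliest
# phase that exceeds the threshold, or "ok".
classify_timing() {
    printf '%s\n' "$1" | awk -v thr="${2:-2}" '{
        dns  = $1
        tcp  = $2 - $1
        if ($3 == 0) $3 = $2             # plain http: curl reports no TLS phase
        tls  = $3 - $2
        ttfb = $4 - $3
        verdict = "ok"
        if (ttfb > thr) verdict = "upstream"   # nginx waited on the backend
        if (tls  > thr) verdict = "tls"        # handshake: chain, stapling, DH params
        if (tcp  > thr) verdict = "tcp"        # SYN retries, filtered port
        if (dns  > thr) verdict = "dns"        # resolver slow or unreachable
        print verdict
    }'
}

# probe URL: run one request (no redirect following, so http:// measures only
# the redirect) and print "<verdict>  <raw timings>".
probe() {
    line=$(curl -sS -o /dev/null \
        -w '%{time_namelookup} %{time_connect} %{time_appconnect} %{time_starttransfer} %{time_total}' \
        "$1")
    printf '%s  %s\n' "$(classify_timing "$line")" "$line"
}

# Usage (URL is a placeholder): sh this-script.sh https://custodian.fund/
#                               sh this-script.sh http://custodian.fund/
if [ "$#" -gt 0 ]; then
    probe "$1"
fi
```

If the tls phase dominates, the handshake-level settings in the 443 block are the place to look (certificate chain, OCSP stapling and the resolver it depends on, the dhparam size); if upstream dominates, the proxied path to custodian:8000 is. The http block only returns a 301 and never touches the backend or a TLS handshake, which is consistent with it answering in seconds regardless of either cause.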
© 2023 AskOverflow.DEV All Rights Reserved