patch-nginx 容器错误地解析了 nginx 进程内的 patch-backend 的 IP 地址,但当我从 nginx 命令行手动检查它时却没有。
我有 nginx 作为 podman 容器内的代理运行,尽管谷歌搜索似乎显示 Docker 上也存在这个问题并且没有解决方案。
在 nginx 日志中我看到:
2023/07/12 19:33:52 [error] 24#24: *52 connect() failed (113: No route to host) while connecting to upstream, client: 10.89.0.119, server: patches.lan, request: "GET /api/auth HTTP/1.1", upstream: "https://10.89.0.117:9000/api/auth", host: "10.10.25.131", referrer: "https://10.10.25.131/"
10.89.0.119 - - [12/Jul/2023:19:33:52 +0000]
"GET /api/auth HTTP/1.1" 502 559
"https://10.10.25.131/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
Certificate: "-"
Client Key: "-"
我们看到上游主机是10.89.0.117。我去检查 nginx 配置 - proxy_pass 指向patches-backend:
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
log_format custom '
$remote_addr - $remote_user [$time_local]
"$request" $status $body_bytes_sent
"$http_referer" "$http_user_agent"
Certificate: "$ssl_client_cert"
Client Key: "$ssl_client_raw_cert"
';
server {
listen 80;
listen [::]:80;
server_name patches.lan 10.10.25.131 ;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name patches.lan 10.10.25.131 ;
access_log /var/log/nginx/access.log custom;
# Client-facing certificate and key
ssl_certificate /patches/server_certs/patches.lan.crt;
ssl_certificate_key /patches/server_certs/patches.lan.key;
# Disable client certificate request
ssl_verify_client optional_no_ca;
location /api {
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
# Set X-SSL-CERT header with client certificate
proxy_set_header X-SSL-CERT $ssl_client_escaped_cert;
proxy_pass https://patches-backend:9000;
}
location / {
proxy_set_header Host $http_host;
# Set X-SSL-CERT header with client certificate
proxy_set_header X-SSL-CERT $ssl_client_escaped_cert;
proxy_pass http://patches-frontend:3000;
}
}
一切都是它应该的样子。我根据从 nginx 容器到后端的 DNS 名称检查curl:
root@87c91993cab5:/# curl patches-backend:9000
curl: (52) Empty reply from server
这也是理所应当的。但是当我检查时podman inspect patches-backend我看到:
...SNIP...
"Networks": {
"host-bridge-net": {
"EndpointID": "",
"Gateway": "10.89.0.1",
"IPAddress": "10.89.0.120",
"IPPrefixLen": 24,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"MacAddress": "3e:c9:de:23:44:a6",
"NetworkID": "host-bridge-net",
"DriverOpts": null,
"IPAMConfig": null,
"Links": null,
"Aliases": [
"e9485d2c8cf7"
]
}
}
...SNIP...
patch-backend 显然是 10.89.0.120,但不知何故,在 nginx 的上下文中,它将该主机名解析为10.89.0.117(正如我们在日志中看到的)网络上任何地方都不存在的主机名。
我完全不知道这是怎么发生的。patches-backendnginx 配置具有主机名而不是 IP,因此它不是某个地方的硬编码 IP,并且如上所示,从命令行检查时,nginx 容器可以正确解析。然而,nginx 进程以某种方式获取了不存在的 IP 地址。我的容器都没有 IP 117:
# Reverse search 10.89.0.117 (the wrong IP) across all containers
[grant@patches2 opt]$ podman inspect -f '{{.Name}}' $(podman ps -a -q --format='{{.ID}}') | xargs -I {} sh -c 'podman inspect -f "{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}" {} | grep -w 10.89.0.117 && echo Container: {}'
# Reverse search 10.89.0.120 (the correct IP) across all containers
[grant@patches2 opt]$ podman inspect -f '{{.Name}}' $(podman ps -a -q --format='{{.ID}}') | xargs -I {} sh -c 'podman inspect -f "{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}" {} | grep -w 10.89.0.120 && echo Container: {}'
10.89.0.120
Container: patches-backend
我无法想象这是如何发生的,并且我无法在任何简单的示例中重现它。值得注意的是,没有对 nginx 应用进一步的配置。这是唯一的配置。
简短的回答是,
nginx在大多数情况下,在配置加载时缓存 DNS 解析,重新启动nginx将刷新 DNS 缓存并获取新的 IP 地址,或者您可以等待 TTL 过期。https://serverfault.com 上有一个很好的答案,其中提供了更好的解释和技巧,您可以使用 DNS 解析器和
nginx变量对每个请求进行新的查找。