docker-compose - Docker-compose nginx with letsencrypt -> ln: failed to create symbolic link - Not supported
Problem description
Setup: Docker on OpenSuse Server on a local Intel NUC
This is my docker-compose.yml
version: '3.5'
services:
  proxy:
    image: jwilder/nginx-proxy:alpine
    labels:
      - "com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy=true"
    container_name: nextcloud-proxy
    networks:
      - nextcloud_network
    dns:
      - 192.168.178.15
    ports:
      - 443:443
      - 80:80
    volumes:
      - ./proxy/conf.d:/etc/nginx/conf.d:rw
      - ./proxy/vhost.d:/etc/nginx/vhost.d:ro
      - ./proxy/html:/usr/share/nginx/html:rw
      - ./proxy/certs:/etc/nginx/certs:rw
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
    restart: unless-stopped
  letsencrypt:
    image: jrcs/letsencrypt-nginx-proxy-companion
    container_name: nextcloud-letsencrypt
    depends_on:
      - proxy
    networks:
      - nextcloud_network
    dns:
      - 192.168.178.15 # needed to reach the letsencrypt API
    volumes:
      - ./proxy/acme:/etc/acme.sh
      - ./proxy/certs:/etc/nginx/certs:rw
      - ./proxy/vhost.d:/etc/nginx/vhost.d:rw
      - ./proxy/html:/usr/share/nginx/html:rw
      - /etc/localtime:/etc/localtime:rw
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      NGINX_PROXY_CONTAINER: "nextcloud-proxy"
      DEFAULT_EMAIL: "mymail@pm.me"
    restart: unless-stopped
  db:
    image: mariadb
    container_name: nextcloud-mariadb
    networks:
      - nextcloud_network
    dns:
      - 192.168.178.15
    volumes:
      - db-data2:/var/lib/mysql:rw
      - /etc/localtime:/etc/localtime:ro
    environment:
      - MYSQL_ROOT_PASSWORD=Tstrong
      - MYSQL_PASSWORD=Tstrong
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
    restart: unless-stopped
  app:
    image: nextcloud:latest
    container_name: nextcloud-app
    networks:
      - nextcloud_network
    depends_on:
      - letsencrypt
      - proxy
      - db
    dns:
      - 192.168.178.15
      # - 8.8.8.8
    # ports:
    #   - 10000:80 -> makes the app available without nginx and ssl
    volumes:
      - nextcloud-stage:/var/www/html
      - ./app/config:/var/www/html/config
      - ./app/custom_apps:/var/www/html/custom_apps
      - ./app/data:/var/www/html/data
      - ./app/themes:/var/www/html/themes
      - /etc/localtime:/etc/localtime:ro
    environment:
      - VIRTUAL_HOST=mydomain.chickenkiller.com
      - LETSENCRYPT_HOST=mydomain.chickenkiller.com
      - LETSENCRYPT_EMAIL=mymail@pm.me
      - "ServerName=nextcloud"
    restart: unless-stopped
volumes:
  nextcloud-stage:
  db-data2:
networks:
  nextcloud_network:
    # external:
    driver: bridge
    name: nginx-proxy
Then it throws this warning/info and SSL does not work. If I open the port on this container, the app is only reachable over port 80, which is obviously wrong.
So is this warning actually the problem, or am I missing something else?
nextcloud-letsencrypt | ln: failed to create symbolic link '/etc/nginx/certs/mydomain.chickenkiller.com.dhparam.pem': Not supported
I need to specify the DNS so that the letsencrypt container can talk to the API, so I did point the Docker DNS at my local router 192.168.178.15. Do I need this setting for the other services too? Or is it the symlink problem that breaks things?
nextcloud-letsencrypt | [Wed Dec 23 10:47:19 CET 2020] Your cert is in /etc/acme.sh/mymail@pm.me/mydomain.chickenkiller.com/mydomain.chickenkiller.com.cer
nextcloud-letsencrypt | [Wed Dec 23 10:47:19 CET 2020] Your cert key is in /etc/acme.sh/mymail@pm.me/mydomain.chickenkiller.com/mydomain.chickenkiller.com.key
nextcloud-letsencrypt | [Wed Dec 23 10:47:19 CET 2020] The intermediate CA cert is in /etc/acme.sh/mymail@pm.me/mydomain.chickenkiller.com/ca.cer
nextcloud-letsencrypt | [Wed Dec 23 10:47:19 CET 2020] And the full chain certs is there: /etc/acme.sh/mymail@pm.me/mydomain.chickenkiller.com/fullchain.cer
nextcloud-letsencrypt | [Wed Dec 23 10:47:19 CET 2020] Installing cert to:/etc/nginx/certs/mydomain.chickenkiller.com/cert.pem
nextcloud-letsencrypt | [Wed Dec 23 10:47:19 CET 2020] Installing CA to:/etc/nginx/certs/mydomain.chickenkiller.com/chain.pem
nextcloud-letsencrypt | [Wed Dec 23 10:47:19 CET 2020] Installing key to:/etc/nginx/certs/mydomain.chickenkiller.com/key.pem
nextcloud-letsencrypt | [Wed Dec 23 10:47:20 CET 2020] Installing full chain to:/etc/nginx/certs/mydomain.chickenkiller.com/fullchain.pem
nextcloud-letsencrypt | ln: failed to create symbolic link '/etc/nginx/certs/mydomain.chickenkiller.com.crt': Not supported
nextcloud-letsencrypt | ln: failed to create symbolic link '/etc/nginx/certs/mydomain.chickenkiller.com.key': Not supported
nextcloud-letsencrypt | ln: failed to create symbolic link '/etc/nginx/certs/mydomain.chickenkiller.com.dhparam.pem': Not supported
nextcloud-letsencrypt | ln: failed to create symbolic link '/etc/nginx/certs/mydomain.chickenkiller.com.chain.pem': Not supported
nextcloud-letsencrypt | Reloading nginx proxy (ac49344ba0acb6026615358abf5568dc6a1df173a308a936b615fa00e413f767)...
nextcloud-letsencrypt | 2020/12/23 09:47:20 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification ''
nextcloud-letsencrypt | 2020/12/23 09:47:20 [notice] 115#115: signal process started
nextcloud-letsencrypt | Sleep for 3600s
Nginx throws a 503 error when accessing the app from the WAN via IP (instead of DynDNS), so the local port forwarding should be correct, right? Ports 80 and 443 are forwarded from the router to the NUC.
Accessing the app from the WAN via DynDNS results in an SSL error (HSTS).
So I think it is just the connection (symlink) from the certs folder to the app?
Let me know if I can provide more info/logs.
Cheers
UPDATE:
Here is the NGINX config from /proxy/conf.d/default.conf
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
  default $http_x_forwarded_proto;
  ''      $scheme;
}
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
  default $http_x_forwarded_port;
  ''      $server_port;
}
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
# Connection header that may have been passed to this server
map $http_upgrade $proxy_connection {
  default upgrade;
  '' close;
}
# Apply fix for very long server names
server_names_hash_bucket_size 128;
# Default dhparam
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
# Set appropriate X-Forwarded-Ssl header
map $scheme $proxy_x_forwarded_ssl {
  default off;
  https on;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
                 '"$request" $status $body_bytes_sent '
                 '"$http_referer" "$http_user_agent"';
access_log off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
resolver 127.0.0.11;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
server {
  server_name _; # This is just an invalid value which will never trigger on a real hostname.
  listen 80;
  access_log /var/log/nginx/access.log vhost;
  return 503;
}
server {
  server_name _; # This is just an invalid value which will never trigger on a real hostname.
  listen 443 ssl http2;
  access_log /var/log/nginx/access.log vhost;
  return 503;
  ssl_session_cache shared:SSL:50m;
  ssl_session_tickets off;
  ssl_certificate /etc/nginx/certs/default.crt;
  ssl_certificate_key /etc/nginx/certs/default.key;
}
# mydomain.chickenkiller.com
upstream mydomain.chickenkiller.com {
  ## Can be connected with "nginx-proxy" network
  # nextcloud-app
  server 172.23.0.5:80;
}
server {
  server_name mydomain.chickenkiller.com;
  listen 80 ;
  access_log /var/log/nginx/access.log vhost;
  include /etc/nginx/vhost.d/default;
  location / {
    proxy_pass http://mydomain.chickenkiller.com;
  }
}
server {
  server_name mydomain.chickenkiller.com;
  listen 443 ssl http2 ;
  access_log /var/log/nginx/access.log vhost;
  return 500;
  ssl_certificate /etc/nginx/certs/default.crt;
  ssl_certificate_key /etc/nginx/certs/default.key;
}
Solution
I had this exact problem. For me, the volume the certs are saved to was a mounted file share in Azure, and those do not support symlinks out of the box.
See: https://docs.microsoft.com/en-us/azure/storage/files/storage-troubleshoot-linux-file-connection-problems
I am using autofs, but adding ",mfsymlinks" to the end of the "fstype" section worked fine once restarted.
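The `ln: ... Not supported` lines in the log above come from the filesystem behind ./proxy/certs, not from the containers: acme.sh installs the per-host files into /etc/nginx/certs/mydomain.chickenkiller.com/ and the companion then symlinks mydomain.chickenkiller.com.crt, .key, .chain.pem and .dhparam.pem to them, which is what nginx-proxy looks for. When those symlinks cannot be created, docker-gen sees no certificate for the host, and the generated 443 vhost above falls back to `return 500` with default.crt. The following shell script is an added example (not from the question or the answer, and not part of nginx-proxy or the companion) that reproduces that check from the host and shows where the mfsymlinks fix from the answer goes; the mount point, share name and fstab/autofs lines in it are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): probe whether a directory can
# hold symlinks, which acme.sh / letsencrypt-nginx-proxy-companion needs when
# it installs <host>.crt -> <host>/fullchain.pem etc. into /etc/nginx/certs.
# Paths, share names and mount lines below are assumptions.

# Prints "supported" and returns 0 if a symlink can be created in $1,
# prints "unsupported" and returns 1 if the filesystem refuses (e.g. a CIFS
# share mounted without mfsymlinks, which yields "Not supported" from ln),
# prints "unwritable" and returns 2 if the directory cannot be written at all.
check_symlink_support() {
    dir="$1"
    target="$dir/.symlink-probe-target.$$"
    link="$dir/.symlink-probe-link.$$"
    : > "$target" 2>/dev/null || { echo "unwritable"; return 2; }
    if ln -s "$(basename "$target")" "$link" 2>/dev/null; then
        rm -f "$link" "$target"
        echo "supported"
        return 0
    fi
    rm -f "$target"
    echo "unsupported"
    return 1
}

# Show which mount backs the directory (findmnt -T resolves the containing
# mount point) so the fix can be applied to the right fstab/autofs entry.
describe_mount() {
    findmnt -n -T "$1" -o TARGET,FSTYPE,OPTIONS 2>/dev/null \
        || echo "(findmnt unavailable, check /proc/mounts by hand)"
}

# Assumed fix for a CIFS/SMB share (Azure Files or a Samba export): append the
# mfsymlinks option so the CIFS client emulates symlinks as special files.
# Example fstab line (assumption; adjust share, credentials and mount point):
#   //storageacct.file.core.windows.net/certs /srv/nextcloud/proxy/certs cifs \
#     credentials=/etc/smbcredentials/storageacct.cred,serverino,nosharesock,mfsymlinks 0 0
# With autofs the same option is appended to the -fstype=cifs,... field of the
# map entry, then the automounter is restarted and the share remounted.

certs_dir="${1:-.}"   # e.g. ./proxy/certs on the Docker host
describe_mount "$certs_dir"
result=$(check_symlink_support "$certs_dir") || :
echo "symlinks in $certs_dir: $result"
```

Run it on the Docker host against the directory that is bind-mounted to /etc/nginx/certs; "supported" means the companion's `ln -s` will succeed after the next renewal cycle (or after restarting the companion container), while "unsupported" together with an fstype of cifs in the findmnt output points at the missing mfsymlinks option.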