Setting up a VPC proxy server with Apache

This article is licensed under Attribution 4.0 International (CC BY 4.0). You are welcome to reprint, modify or reuse it, but you must credit the source.

Author: Su Yang

Created: August 10, 2019. Word count: 2779 words. Reading time: 6 minutes. Article link: soulteary.com/2019/08/10/...



Some readers may not have used servers inside a VPC network. In that environment a server has no public IP by default, so users cannot reach it. The usual strategy is to put an SLB (load balancer) in front of it to proxy incoming traffic, so that users can reach the applications on the server from the public network.

But that only solves inbound traffic; it does not let machines inside the VPC reach resources on the public network. Assigning each machine its own public IP is clearly not the best answer, so we usually pick one server as the egress point and set up a proxy server on it.

Configuring the Apache proxy server container

To set up a proxy server inside an internal network, people generally reach for Apache Traffic Server, but plain Apache (httpd) can solve the problem just as simply.

Compared with Traffic Server, using Apache as a proxy server is very simple. The container layout file docker-compose.yml needs only 22 lines:

version: "3.6"

services:

  proxy:
    image: httpd:2.4.39-alpine
    restart: always
    container_name: network-proxy
    ports:
      - 1080:80
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
      - ./httpd.conf:/usr/local/apache2/conf/httpd.conf
    healthcheck:
      test: ["CMD-SHELL", "httpd -T"]
      interval: 5s
      retries: 12
    logging:
      driver: "json-file"
      options:
        max-size: "10m"

The Apache configuration file httpd.conf does not need to be as complicated as the examples you find online; the thirty-odd lines below are enough:

ServerName localhost
Listen 80

LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_http2_module modules/mod_proxy_http2.so
LoadModule unixd_module modules/mod_unixd.so

User daemon
Group daemon

ErrorLog /proc/self/fd/2
LogLevel warn

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog /proc/self/fd/1 common

ProxyRequests On
ProxyVia On

<Proxy *>
    Order deny,allow
    Deny from all
    Allow from 192.168.0.0/24
</Proxy>

If, like me, you know exactly which servers will use the proxy, you can restrict them in the <Proxy> block to prevent unauthorized use of the service. Of course, I recommend combining this with firewall rules to be on the safe side.
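To make the ACL above checkable rather than just eyeballed, here is an added Python example (not part of the original post) that parses the <Proxy *> block, evaluates a client address against it with mod_access_compat's Order deny,allow / allow,deny rules, and flags a configuration that turns ProxyRequests On without any restriction, i.e. an open forward proxy. The sample configuration strings, the probe address 203.0.113.7 and the function names are constructed for this example; hostname and partial-IP rules are not handled.

```python
import ipaddress
import re

# Constructed sample: the proxy directives from the httpd.conf shown above,
# and the same directives with the <Proxy *> block left out (an open proxy).
RESTRICTED_CONF = """
ProxyRequests On
ProxyVia On

<Proxy *>
    Order deny,allow
    Deny from all
    Allow from 192.168.0.0/24
</Proxy>
"""

OPEN_CONF = """
ProxyRequests On
ProxyVia On
"""

PROXY_BLOCK = re.compile(r"<Proxy\s+\*>(.*?)</Proxy>", re.S | re.I)


def parse_proxy_acl(conf):
    """Return (order, deny_rules, allow_rules) from the first <Proxy *> block,
    or None when the configuration has no such block."""
    m = PROXY_BLOCK.search(conf)
    if not m:
        return None
    order, deny, allow = "deny,allow", [], []   # Apache's default Order
    for line in m.group(1).splitlines():
        parts = line.split()
        if not parts:
            continue
        key = parts[0].lower()
        if key == "order" and len(parts) > 1:
            order = parts[1].lower()
        elif key == "deny" and len(parts) > 2 and parts[1].lower() == "from":
            deny.extend(parts[2:])
        elif key == "allow" and len(parts) > 2 and parts[1].lower() == "from":
            allow.extend(parts[2:])
    return order, deny, allow


def _matches(client, rule):
    """Host rules handled here: 'all', a single IP, or a CIDR/netmask network."""
    if rule.lower() == "all":
        return True
    try:
        return client in ipaddress.ip_network(rule, strict=False)
    except ValueError:
        return False  # hostnames / partial IPs are outside this illustration


def client_allowed(client_ip, acl):
    """Evaluate the ACL the way mod_access_compat documents Order."""
    order, deny, allow = acl
    client = ipaddress.ip_address(client_ip)
    denied = any(_matches(client, r) for r in deny)
    allowed = any(_matches(client, r) for r in allow)
    if order == "deny,allow":
        # Deny rules first; an Allow match overrides; unmatched requests pass.
        return allowed or not denied
    # allow,deny: must match an Allow and no Deny; unmatched requests fail.
    return allowed and not denied


def forward_proxy_is_open(conf):
    """True when ProxyRequests is On and an arbitrary internet client passes."""
    if not re.search(r"^\s*ProxyRequests\s+On\b", conf, re.M | re.I):
        return False
    acl = parse_proxy_acl(conf)
    if acl is None:
        return True
    # Probe with a documentation-range address outside the VPC (constructed).
    return client_allowed("203.0.113.7", acl)


if __name__ == "__main__":
    acl = parse_proxy_acl(RESTRICTED_CONF)
    for ip in ("192.168.0.50", "203.0.113.7"):
        print(ip, "allowed" if client_allowed(ip, acl) else "denied")
    print("restricted conf open?", forward_proxy_is_open(RESTRICTED_CONF))
    print("open conf open?", forward_proxy_is_open(OPEN_CONF))
```

Run it against your real httpd.conf by reading the file into a string; a True from forward_proxy_is_open means the proxy would relay requests for anyone who can reach port 1080, which on a VPC egress host with a public IP is exactly what the firewall advice at the end of this article is meant to prevent.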

Start the application with docker-compose up; you will see a log similar to the following:

network-proxy | [Sat Aug 10 15:32:06.652264 2019] [mpm_event:notice] [pid 1:tid 140135351733576] AH00489: Apache/2.4.39 (Unix) configured -- resuming normal operations
network-proxy | [Sat Aug 10 15:32:06.652318 2019] [core:notice] [pid 1:tid 140135351733576] AH00094: Command line: 'httpd -D FOREGROUND'

The log shows that the service has started, but whether it actually works is still unknown, so we need to test it.

Testing the Service

Use curl on another server to test whether the proxy server works; if it does, the result will look similar to this:

# http_proxy=http://192.168.0.50:1080 curl http://cip.cc/
IP	: 39.xxx.xxx.xxx
地址	: 中国  北京
运营商	: 阿里云/电信/联通/移动/铁通/教育网
数据二	: 香港 | 特别行政区
数据三	: 中国北京北京市 | 阿里云

URL	: http://www.cip.cc/39.xxx.xxx.xxx

Server Configuration

Routing a server's public-network traffic through the proxy server by default is very simple: just add two lines to the configuration file /etc/profile:

export http_proxy=http://192.168.0.50:1080
export https_proxy=http://192.168.0.50:1080

After modifying the profile file, reload it manually:

source /etc/profile

Alternatively, disconnect the current terminal session and reconnect to the server, which also makes the configuration take effect. Verify with curl once more; you will see that public-network traffic now goes through the proxy server by default.

# curl -v https://www.baidu.com
* Rebuilt URL to: https://www.baidu.com/
*   Trying 192.168.0.50...
* TCP_NODELAY set
* Connected to 192.168.0.50 (192.168.0.50) port 1080 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to www.baidu.com:443
> CONNECT www.baidu.com:443 HTTP/1.1
> Host: www.baidu.com:443
> User-Agent: curl/7.58.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.0 200 Connection Established
< Proxy-agent: Apache/2.4.39 (Unix)
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1

Configuring the Container Service

The official Docker documentation mentions that if you want the Docker daemon to use a proxy, it must be configured before the daemon starts; the daemon.json approach does not apply here.

The solution is to override the default docker.service configuration. First create the service drop-in directory:

sudo mkdir -p /etc/systemd/system/docker.service.d

Then create the file /etc/systemd/system/docker.service.d/http-proxy.conf with the following content, which adds the environment variables:

[Service]

Environment="HTTP_PROXY=http://192.168.0.50:1080"
Environment="HTTPS_PROXY=http://192.168.0.50:1080"
Environment="NO_PROXY=localhost,127.0.0.1,192.168.0.0/24,*.domain.ltd"

Then reload systemd and restart the service:

sudo systemctl daemon-reload && sudo systemctl restart docker

Finally, use the docker pull command to verify that the configuration works:

# docker pull alpine
Using default tag: latest
latest: Pulling from library/alpine
050382585609: Already exists
Digest: sha256:6a92cd1fcdc8d8cdec60f33dda4db2cb1fcdcacf3410a8e05b3741f44a9b5998
Status: Downloaded newer image for alpine:latest
docker.io/library/alpine:latest

Configuring the Environment Inside Containers

Without a proxy configuration for containers on the internal network, accessing public services from inside a container basically ends in network timeouts:

docker run --rm -it alpine

/ # apk update
fetch http://dl-cdn.alpinelinux.org/alpine/v3.10/main/x86_64/APKINDEX.tar.gz
ERROR: http://dl-cdn.alpinelinux.org/alpine/v3.10/main: network error (check Internet connection and firewall)
WARNING: Ignoring APKINDEX.00740ba1.tar.gz: No such file or directory

The official Docker documentation covers this too. The principle of the solution is to edit the Docker client configuration file ~/.docker/config.json so that the client automatically injects the proxy environment variables into containers.

{
    "proxies": {
        "default": {
            "httpProxy": "http://192.168.0.50:1080",
            "httpsProxy": "http://192.168.0.50:1080",
            "noProxy": "127.0.0.1,localhost,192.168.0.0/24,*.domain.ltd"
        }
    }
}
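The NO_PROXY / noProxy value appears in both the daemon drop-in and the client configuration above, and an entry that a client does not parse the way you expect either sends internal traffic out through the proxy or lets external traffic skip it. The following Python example, added here and not part of the original post or of Docker, models the bypass decision for the forms the page uses: an exact host name, an IP or CIDR, and a *.suffix wildcard. Which of these forms a given real client honours is that client's own rule; the matching rules, the sample value and the function names here are this example's assumptions.

```python
import ipaddress

# Constructed sample: the proxy URL and NO_PROXY list used in this article's
# systemd drop-in and ~/.docker/config.json.
PROXY_URL = "http://192.168.0.50:1080"
NO_PROXY = "localhost,127.0.0.1,192.168.0.0/24,*.domain.ltd"


def parse_no_proxy(value):
    """Split a NO_PROXY list into (networks, exact_hosts, domain_suffixes)."""
    networks, hosts, suffixes = [], set(), []
    for item in value.split(","):
        item = item.strip().lower()
        if not item:
            continue
        if item.startswith("*."):
            suffixes.append(item[1:])        # "*.domain.ltd" -> ".domain.ltd"
        elif item.startswith("."):
            suffixes.append(item)            # ".domain.ltd" stays a suffix
        else:
            try:
                # A bare IP becomes a /32 (or /128) network.
                networks.append(ipaddress.ip_network(item, strict=False))
            except ValueError:
                hosts.add(item)              # anything else is an exact host
    return networks, hosts, suffixes


def bypass_proxy(host, no_proxy=NO_PROXY):
    """True when a connection to `host` should go direct instead of via the proxy.
    Rules (this example's assumption): exact host match, IP inside a listed
    network, or host name ending in a listed domain suffix. A wildcard matches
    subdomains only, so 'domain.ltd' itself is not bypassed by '*.domain.ltd'."""
    networks, hosts, suffixes = parse_no_proxy(no_proxy)
    host = host.strip().lower().rstrip(".")
    if host in hosts:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        return any(addr in net for net in networks)
    return any(host.endswith(s) for s in suffixes)


def proxy_for(host, proxy_url=PROXY_URL, no_proxy=NO_PROXY):
    """Return the proxy URL to use for `host`, or None for a direct connection."""
    return None if bypass_proxy(host, no_proxy) else proxy_url


if __name__ == "__main__":
    for h in ("localhost", "192.168.0.77", "192.168.1.77",
              "registry.domain.ltd", "domain.ltd", "dl-cdn.alpinelinux.org"):
        print(f"{h:28} -> {proxy_for(h) or 'direct'}")
```

Feed it the hosts you expect containers and the daemon to talk to (the registry, internal services, the SLB address) and compare the answers with what the real client does, for example with the curl -v output shown earlier; any host that goes direct when it should be proxied will simply time out inside the VPC, while an internal host that goes via the proxy shows up in the proxy's access log.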

Once the configuration above is in place, there is no need to restart the Docker service; simply run the command again:

# docker run --rm -it alpine

/ # apk update
fetch http://dl-cdn.alpinelinux.org/alpine/v3.10/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.10/community/x86_64/APKINDEX.tar.gz
v3.10.1-62-g89778c626e [http://dl-cdn.alpinelinux.org/alpine/v3.10/main]
v3.10.1-60-gb0081284ea [http://dl-cdn.alpinelinux.org/alpine/v3.10/community]
OK: 10337 distinct packages available

At this point, internet access for both servers and containers inside the VPC is set up.

Finally

Do not forget to set firewall rules: the server whose IP is used to reach the public network should not accept incoming traffic from it, which reduces its exposure to external risk.

—EOF


I now run a small chat group that brings together fellow tinkerers.

There are no ads; we talk about software, HomeLab topics and programming, and from time to time share information about technical salons in the group.

Fellow tinkerers are welcome to scan the code to add me as a friend. (Please state where you found this and why you are adding me, otherwise the request will not be approved.)


Source: juejin.im/post/5d4eac63e51d453bdc41c094