需求: Rancher 部署在 192.168.188.167 服务器上,控制台访问地址为 https://192.168.188.167:8443。本地只有 192.168.80.111 有权限访问,需要在 80.111 上配置一个 nginx 代理,使本地其他机器也能访问到。
使用以下配置后,发现无法登录 Rancher:
# First attempt: a plain-HTTP listener in front of Rancher's HTTPS console.
# The page reports that login does not work with this configuration.
upstream rancher {
server 192.168.188.167:8443;
}
server {
# No "ssl" parameter here, so clients reach this listener over plain HTTP on port 8088.
listen 8088;
server_name 192.168.80.111;
location / {
# nginx speaks TLS to the upstream, but the upstream certificate is not
# verified unless proxy_ssl_verify is turned on (it defaults to off).
proxy_pass https://rancher;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# NOTE(review): this header tells Rancher the client used HTTPS although the
# listener above is plain HTTP. Presumably the session cookie then comes back
# marked Secure and the browser drops it on the http:// origin, which would
# explain the failed login; confirm in the browser's developer tools.
proxy_set_header X-Forwarded-Proto https;
# NOTE(review): no Upgrade/Connection headers are forwarded in this block, so
# WebSocket upgrade requests are not passed through to the upstream.
}
}
解决:nginx 侧需要改用 HTTPS 监听。
1.安装OpenSSL:
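# Install the openssl command-line tool used in the next steps.
# mod_ssl is the Apache httpd TLS module and pulls in httpd as a dependency;
# nginx does not use it, so it is left out to avoid an extra, unused web server.
yum install openssl
# -p keeps the step repeatable when the directory already exists.
mkdir -p /etc/nginx/cert/
# The unencrypted private key will live here: restrict the directory to root.
# The nginx master process reads certificate and key files as root at startup.
chmod 700 /etc/nginx/cert/
cd /etc/nginx/cert/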
2.生成私钥和证书签名请求(CSR):
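# Create a new private key (server.key) and a certificate signing request (server.csr).
# -newkey rsa:2048 pins the key type and size instead of relying on the local openssl.cnf default.
# The subject names the address clients connect to (the proxy), not "localhost".
# Note that current browsers match subjectAltName rather than CN, so a SAN still
# has to be added when the certificate is signed.
# -nodes writes the key unencrypted, so file permissions are its only protection.
openssl req -new -newkey rsa:2048 -keyout server.key -out server.csr -subj "/CN=192.168.80.111" -nodes
chmod 600 server.key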
3.用私钥对 CSR 自签名,生成证书:
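# Self-sign the CSR with its own private key; the certificate is valid for 365 days
# and must be regenerated before it expires.
# san.ext adds a subjectAltName for the proxy address, because current TLS clients
# match the SAN and ignore the CN.
# -sha256 pins the signature digest instead of relying on the OpenSSL build default.
# A self-signed certificate is still untrusted until clients import it (or until it
# is replaced by one issued from an internal CA).
printf 'subjectAltName = IP:192.168.80.111\n' > san.ext
openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt -extfile san.ext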
4.在Nginx处配置
# Derive the Connection header sent upstream from the client's Upgrade header:
# "upgrade" when the client asked for a protocol upgrade (WebSocket),
# "close" when the Upgrade header is empty.
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# rancher: upstream group holding the Rancher console endpoint.
upstream rancher {
server 192.168.188.167:8443;
}
# NOTE(review): per the stated requirement only 192.168.80.111 may reach the
# Rancher console. This listener re-exposes it to every host that can reach
# port 443 on this machine, leaving Rancher's own login as the only gate.
# Consider allow/deny rules limited to the machines that actually need access.
server {
# TLS listener; the browser now really is on HTTPS, matching X-Forwarded-Proto below.
listen 443 ssl;
server_name 192.168.80.111;
# Certificate and key created by the openssl steps on this page (self-signed).
# NOTE(review): no ssl_protocols directive is set, so the nginx built-in default
# list applies, which depends on the nginx version; consider pinning it, e.g.
# "ssl_protocols TLSv1.2 TLSv1.3;".
ssl_certificate /etc/nginx/cert/server.crt;
ssl_certificate_key /etc/nginx/cert/server.key;
location / {
# TLS to the upstream; the upstream certificate is not verified unless
# proxy_ssl_verify is enabled (it defaults to off).
proxy_pass https://rancher;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
# HTTP/1.1 plus the Upgrade/Connection headers let WebSocket upgrades pass through the proxy.
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
# Lets an open shell window stay connected for up to 15 minutes; without this
# setting the default timeout closes it after 1 minute.
proxy_read_timeout 900s;
# Pass upstream responses to the client as they arrive instead of buffering them.
proxy_buffering off;
}
}
- 重启 nginx 后,登录成功。