How to use Nginx to realize the coexistence of multiple containers in the server

background

There is a Tencent Linux cloud host, on which a docker (called ServiceDocker, named sign, the same below) is deployed. ServiceDocker uses ports 80, 443, and 3306 internally, which are mapped to the same ports of the host (cloud host) (i.e. 80, 443, and 3306) respectively.

XAMPP is installed in ServiceDocker, and the server of the QR code scan sign-in applet is deployed on this basis. ServiceDocker's ports 80 and 443 provide http and https services respectively, and port 3306 is the port of the MySQL database.

ServiceDocker is bound to the domain name sign.famend.cn.

Target

A ServiceDocker in the cloud host occupies ports 80 and 443. If you want to deploy another server in the host to provide external services, you cannot use ports 80 and 443.

Our goal is to deploy multiple ServiceDockers in the host, each ServiceDocker is bound to its own domain name, provides services to the outside world, and ensures that ports 80 and 443 are available.

Ideas

Modify the port mapping of ServiceDocker and map ServiceDocker ports 80 and 443 to the host's ports 89 and 449 respectively. This will release the host's ports 80 and 443.

The released ports 80 and 443 are used by Nginx. Install Docker with Nginx (called NginxDocker, named mynginx, the same below). NginxDocker uses ports 80 and 443 internally, which are mapped to ports 80 and 443 of the host respectively.

NginxDocker is used as a reverse proxy. When there is an access request, after reading the Nginx configuration, different URLs are directed to their corresponding Dockers. For example, if you visit http://sign.famend.cn:80, it will be automatically mapped to http://sign.famend.cn:89.

Implementation steps

1. Modify the port mapping of ServiceDocker and release ports 80 and 443.

Docker does not provide a command to change the port. I found two methods on the Internet.

Method 1: Stop the container first, package the container into an image, and then run the new image. Specify the new port when running the new image. The commands used are as follows:

#Stop the container first docker stop containerA 
#Commit the container into a mirror docker commit containerA newImageB 
#Run the container docker run -p 8080:8080 -p 8081:8081 -v /home/data/:/home/data/ -dt newImageB

Method 2: First stop the container, then stop the container service, then modify the container configuration file, and finally start the container service and start the container. Here are the steps:

①Stop ServiceDocker (the name of ServiceDocker is sign) and stop the Docker service.

sudo docker stop sign 
sudo service docker stop

②Use the docker ps -a command to find the CONTAINER ID of the container to be modified.

③Run the docker inspect [CONTAINER ID] | grep Id command.

④Execute the cd /var/lib/docker/containers command to enter and find the directory with the same ID.

If permission denied is displayed when executing the cd command, execute sudo -s first.

After entering the directory corresponding to the id, open the file hostconfig.json.

Find the mapping of port 80 as follows:

"80/tcp": [ 
{ 
"HostIp": "0.0.0.0", 
"HostPort": "80" 
}] 
 
Change "HostPort": "80" to "HostPort": "89" as follows: "80/tcp": [ 
{ 
"HostIp": "0.0.0.0", 
"HostPort": "89" 
}]

Before the modification, port 80 inside ServiceDocker is mapped to port 80 on the host; after the modification, port 80 inside ServiceDocker is mapped to port 89 on the host.

A brief explanation: some articles (2 and 3 in the references) mentioned that config.v2.json needs to be modified, but I personally tested that it is not necessary. This file is automatically modified when you start ServiceDocker.

⑤Start the docker service, and then start ServiceDocker (named sign).

sudo service docker start 
sudo docker start sign

Both method (1) and method (2) are acceptable. I chose method (2).

After executing method (2), open the browser to verify and it will prompt "Website cannot be accessed".

It is preliminarily estimated that the server in docker is not started, run the command:

sudo /opt/lampp/lampp stop 
sudo /opt/lampp/lampp start

When running stop, I found that Apache did not start, which may be because port 80 was modified.

After executing start, open the browser to verify http://sign.famend.cn:89 and https://sign.famend.cn:449, and the access is successful.

The method of modifying the Docker port is not complicated. If future versions of Docker can provide corresponding commands, I believe it will be much more convenient.

By the way, run crontab -l to check whether the scheduled task in ServiceDocker is started. If not, run service cron start to start the scheduled task.

Next, configure NginxDocker reverse proxy so that http://sign.famend.cn:80 and https://sign.famend.cn:443 can also be successfully accessed.

2. Configure NginxDocker reverse proxy.

①Download nginx and run it.

docker container run \ 
 -d \ 
 -p 80:80 \ 
 -p 443:443 \ 
 --rm \ 
 --name mynginx \ 
 nginx

②Configure the nginx configuration file.

mkdir nginx-files 
docker container cp mynginx:/etc/nginx . 
mv nginx conf 
vi conf/nginx.conf

In nginx.conf, add the following reverse proxy information.

server{ 
 listen 443 ssl; 
 server_name sign.famend.cn; 
 ssl_certificate /etc/nginx/ssl/sign.famend.cn/1_sign.famend.cn_bundle.crt; 
 ssl_certificate_key /etc/nginx/ssl/sign.famend.cn/2_sign.famend.cn.key; 
 
 location / { 
  proxy_set_header HOST $host; 
  proxy_set_header X-Real-IP $remote_addr; 
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
  proxy_set_header X-Forwarded-Proto $scheme; 
  proxy_pass http://sign.famend.cn:89/; 
 } 
} 
 
server{ 
 listen 80; 
 server_name famend.cn sign.famend.cn; 
 location / { 
  proxy_set_header HOST $host; 
  proxy_set_header X-Real-IP $remote_addr:89; 
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
  proxy_set_header X-Forwarded-Proto $scheme; 
  proxy_pass http://sign.famend.cn:89/; 
 } 
}

For port 443, you need to use ssl_certificate and ssl_certificate_key. The LetsEncrypt SSL certificate used in ServiceDocker is renewed every 90 days.

Source of SSL certificates: A way for them to share SSL certificates from LetsEncrypt. In addition, Tencent provides free SSL certificates for domain names registered with it, which are valid for 1 year.

For simplicity, I directly used Tencent's SSL certificate. Of course, the certificate must be renewed before it expires within one year.

③Stop mynginx and then restart it.

docker container run \ 
 --name mynginx \ 
 --volume "$PWD/conf":/etc/nginx \ 
 -p 80:80 \ 
 -p 443:443 \ 
 -d \ 
 nginx

This time, leave out the --rm option so that the container is preserved when you stop it.

Now the configuration is complete.

verify

Open in browser

sign.famend.cn:80 
sign.famend.cn:89 
sign.famend.cn:449 
sign.famend.cn:443

Can access normally. Of course, when opening 449 and 443, you can find that the certificates used by the two URLs are different. 449 is provided by LetsEncrypt and is valid for 90 days; 443 comes from Tencent (issued by TrustAsia) and is valid for 1 year.

Of course, another website in ServiceDocker, famend.cn, can also be visited:

famend.cn:80
famend.cn:89

Summarize

The above is the method introduced by the editor to use Nginx to achieve multi-container coexistence in the server. I hope it will be helpful to everyone. If you have any questions, please leave me a message and the editor will reply to you in time. I would also like to thank everyone for their support of the 123WORDPRESS.COM website!