Project background: migrating a front-end/back-end application. The prod environment must keep port 443 and the dev environment uses port 37800; the backend container port is 8000, the frontend container port is 80, and the FastAPI external port is 41000.
Production is deployed on VM01 and development on VM03; nginx forwarding is configured on VM01.
[root@vm01 conf.d]# docker ps | grep mig
73fbafgc2811 mig_backend-buildnum3 "python ./main.py" 5 days ago Up 5 days 0.0.0.0:40000->8000/tcp mig_backend
07db12b64b75 mig_frontend-buildnum3 "/docker-entrypoint.…" 5 days ago Up 5 days 0.0.0.0:40001->80/tcp mig_frontend
[root@wx8vm00007 conf.d]# ping 192.168.119.120
PING 192.168.119.120 (192.168.119.120) 56(84) bytes of data.
64 bytes from 192.168.119.120: icmp_seq=1 ttl=64 time=0.304 ms
64 bytes from 192.168.119.120: icmp_seq=2 ttl=64 time=0.277 ms
^C
--- 192.168.119.120 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1006ms
rtt min/avg/max/mdev = 0.277/0.290/0.304/0.021 ms
[root@vm01 conf.d]# ss -tunlp | grep 37800
tcp LISTEN 0 511 0.0.0.0:37800 0.0.0.0:* users:(("nginx",pid=1340282,fd=6),("nginx",pid=1340281,fd=6),("nginx",pid=1340280,fd=6),("nginx",pid=1340279,fd=6),("nginx",pid=1340230,fd=6))
Problem: VM01 and VM03 can reach each other, nginx is listening on port 37800 and the SSO configuration is correct, yet logging in on the front-end page times out.
The troubleshooting steps were as follows:
1. Check that the backend service is listening on the correct interface
- Confirm that the backend service (a Python application running in a Docker container) is bound to 0.0.0.0:8000 rather than 127.0.0.1:8000.
- How to verify: check the container with docker logs <container id> and see whether port 8000 is listening on 0.0.0.0.
- Fix: if the application is bound to 127.0.0.1, change its configuration to listen on 0.0.0.0.
[root@vm01 ~]# docker logs 492
開始加載 service.db
DATABASE_URL='mysql+pymysql://此處手動打🐎charset=utf8mb4'
SessionLocal 定義完成
INFO: Uvicorn running on http://0.0.0.0:8000 (Press CTRL+C to quit)
INFO: Started parent process [1]
SessionLocal 定義完成
SessionLocal 定義完成
SessionLocal 定義完成
SessionLocal 定義完成
INFO: Started server process [8]
INFO: Waiting for application startup.
INFO: Application startup complete.
INFO: Started server process [12]
INFO: Waiting for application startup.
INFO: Started server process [15]
INFO: Waiting for application startup.
INFO: Application startup complete.
INFO: Started server process [9]
INFO: Waiting for application startup.
INFO: Application startup complete.
INFO: Started server process [14]
INFO: Waiting for application startup.
INFO: Application startup complete.
INFO: Application startup complete.
INFO: Started server process [11]
INFO: Waiting for application startup.
INFO: Application startup complete.
INFO: Started server process [10]
INFO: Waiting for application startup.
INFO: Application startup complete.
INFO: Started server process [13]
INFO: Waiting for application startup.
INFO: Application startup complete.
The container has clearly started normally (Uvicorn is bound to 0.0.0.0:8000), so a problem inside the container is ruled out.
2. Confirm the Docker port mapping is correct
- Make sure host port 40000 is mapped to container port 8000.
- How to verify: on the host run ss -tuln | grep 40000 and you should see 0.0.0.0:40000 in LISTEN state.
- Fix: if nothing is listening, restart the container and make sure the -p 40000:8000 argument is used.
[root@vm01 ~]# ss -tuln | grep 40000
tcp LISTEN 0 2048 0.0.0.0:40000 0.0.0.0:*
- The port mapping is fine, so a Docker port-mapping problem is ruled out.
3. Test connectivity to the backend port
- From the Nginx server, test connectivity to backend port 40000 directly:
telnet 192.168.119.120 40000 # or use nc -zv 192.168.119.120 40000
- Result analysis:
[root@vm01 ~]# telnet 192.168.119.120 40000
Trying 192.168.119.120...
Connected to 192.168.119.120.
Escape character is '^]'.
The connection succeeds. At this point my reasoning was:
- if (connection succeeds) { Nginx configuration or application path problem }
- else { firewall / Docker / service not started }
Even so, I still had a look at the firewall.
4. Check firewall rules
- On the host (192.168.119.120), check whether the firewall allows ports 40000 and 40001:
firewall-cmd --list-ports # if using firewalld
iptables -L -n -v # check the iptables rules
- Fix: open the ports:
firewall-cmd --add-port=40000/tcp --permanent
firewall-cmd --reload
Here VM01 and VM03 have ports 1-65535 fully open, so a firewall problem is ruled out.
5. Check the Nginx proxy configuration
- Path problem: make sure the trailing slash on proxy_pass is correct. For example:
location /rqone {
    proxy_pass http://192.168.119.122:40000; # no trailing slash: the original URI path is preserved
}
- Log debugging: check the Nginx error log:
tail -f /var/log/nginx/error.log
and watch for connect() failed (111: Connection refused) or timeout errors.
6. Verify the HTTPS certificate and domain
- Use curl with certificate verification disabled to test: curl -vk https://<your domain>:port/<api endpoint>
- Check that the certificate is valid and the domain matches:
openssl s_client -connect <your domain>:port -servername <your domain>
7. Simplified test (temporarily disable SSL)
- Modify the Nginx configuration to disable SSL temporarily and listen over plain HTTP:
listen 37800; # remove ssl
# ssl_certificate ... comment out the SSL-related lines
- After restarting Nginx, access it over HTTP to confirm whether SSL is the problem.
8. Check SELinux/AppArmor
- Temporarily disable SELinux (and re-enable it with setenforce 1 once the test is done):
setenforce 0
- If that fixes the problem, adjust the policy instead of leaving enforcement off:
semanage port -a -t http_port_t -p tcp 37800
All of the above checks came back clean. A meeting with the front-end developers then turned up a cross-origin (CORS) error, which explained everything:
the front end had the wrong SSO callback address configured 😀
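Two of the lessons above, the proxy_pass trailing-slash rule from step 5 and the callback-address mismatch found at the end, as an added Python model written for this post (not the project's own code; the dev.example.test hostname and the /api/login and /callback paths are made up):

```python
from urllib.parse import urlsplit

# Model of nginx proxy_pass URI handling for a prefix location (added example,
# not the project's nginx config). Rule: if proxy_pass carries no path, the
# request URI is forwarded unchanged; if it carries a path, the part of the
# request URI that matched the location prefix is replaced by that path.
def upstream_uri(location: str, proxy_pass: str, request_uri: str) -> str:
    """Return the URI nginx would send upstream for a prefix location."""
    if not request_uri.startswith(location):
        raise ValueError(f"{request_uri!r} does not match location {location!r}")
    upstream_path = urlsplit(proxy_pass).path
    if upstream_path == "":
        return request_uri                      # no URI part: pass through as-is
    return upstream_path + request_uri[len(location):]


def callback_mismatches(public_url: str, callback_url: str) -> list[str]:
    """Compare the origin the browser uses (scheme, host, port) with the SSO
    callback the front end has configured; any difference is what shows up as a
    cross-origin error after the identity provider redirects back."""
    defaults = {"http": 80, "https": 443}
    pub, cb = urlsplit(public_url), urlsplit(callback_url)
    problems = []
    if pub.scheme != cb.scheme:
        problems.append(f"scheme {cb.scheme} != {pub.scheme}")
    if pub.hostname != cb.hostname:
        problems.append(f"host {cb.hostname} != {pub.hostname}")
    pub_port = pub.port or defaults.get(pub.scheme)
    cb_port = cb.port or defaults.get(cb.scheme)
    if pub_port != cb_port:
        problems.append(f"port {cb_port} != {pub_port}")
    return problems


if __name__ == "__main__":
    # Values from the post: location /rqone, backend on 40000, dev listener on 37800.
    print(upstream_uri("/rqone", "http://192.168.119.122:40000", "/rqone/api/login"))
    print(upstream_uri("/rqone/", "http://192.168.119.122:40000/", "/rqone/api/login"))
    # location without slash but proxy_pass with one yields a double slash upstream
    print(upstream_uri("/rqone", "http://192.168.119.122:40000/", "/rqone/api/login"))
    # Constructed hostname; this callback points straight at the container port
    # instead of the nginx dev listener, the kind of mismatch found in the post.
    print(callback_mismatches("https://dev.example.test:37800/rqone/",
                              "http://192.168.119.120:40001/rqone/callback"))
```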