我部署了两个几乎相同的 Azure Docker 容器。唯一的区别是,一个配置为虚拟网络,另一个配置为公共访问。我尝试从 Azure Web 应用程序上的终端执行这两个操作,该应用程序也在虚拟网络(不同的子网)上,公共实例正常工作,私有实例收到 404 错误。
这是内部实例的 yaml:
additional_properties: {}
apiVersion: '2023-05-01'
extended_location: null
identity:
type: SystemAssigned
location: australiaeast
name: myprivatecontainergroup
properties:
containers:
- name: myprivatecontainer
properties:
environmentVariables:
- name: MODSEC_RULE_ENGINE
value: 'DetectionOnly'
- name: LOGLEVEL
value: 'info'
- name: SERVER_NAME
value: private.example.com
- name: PROXY_SSL
value: 'on'
- name: PROXY
value: '1'
- name: BACKEND
value: https://mysamebackend.com
image: owasp/modsecurity-crs:latest
ports:
- port: 443
protocol: TCP
resources:
requests:
cpu: 1.0
memoryInGB: 1.5
volumeMounts:
- mountPath: /etc/nginx/conf
name: myshare1
- mountPath: /var/log/nginx
name: logs
initContainers: []
ipAddress:
autoGeneratedDomainNameLabelScope: Unsecure
ports:
- port: 443
protocol: TCP
type: Private
isCustomProvisioningTimeout: false
osType: Linux
restartPolicy: OnFailure
subnetIds:
- id: /subscriptions/mysubscription/resourceGroups/myrg/providers/Microsoft.Network/virtualNetworks/amy-vn/subnets/mystorage
name: mystorage
sku: Standard
volumes:
- name: myvol1
azureFile:
sharename: myshare1
storageAccountName: myaccount
storageAccountKey: <key>
- name: myvol2
azureFile:
sharename: myshare2
storageAccountName: myacount
storageAccountKey: <key>
tags: {}
type: Microsoft.ContainerInstance/containerGroups
这是公共实例:
additional_properties: {}
apiVersion: '2023-05-01'
extended_location: null
identity:
type: SystemAssigned
location: australiaeast
name: mypubliccontainergroup
properties:
containers:
- name: mypubliccontainer
properties:
environmentVariables:
- name: MODSEC_RULE_ENGINE
value: 'DetectionOnly'
- name: SERVER_NAME
value: public.example.com
- name: PROXY_SSL
value: 'on'
- name: PROXY
value: '1'
- name: BACKEND
value: https://mysamebackend.com
image: owasp/modsecurity-crs:latest
ports:
- port: 443
protocol: TCP
resources:
requests:
cpu: 1.0
memoryInGB: 1.5
volumeMounts:
- mountPath: /etc/nginx/conf
name: myshare1
- mountPath: /var/log/nginx
name: logs
initContainers: []
ipAddress:
autoGeneratedDomainNameLabelScope: Unsecure
dnsNameLabel: mydnslabel
fqdn: my.public.azurecontainer.io
ports:
- port: 443
protocol: TCP
type: Public
isCustomProvisioningTimeout: false
osType: Linux
restartPolicy: OnFailure
sku: Standard
volumes:
- name: myvol1
azureFile:
sharename: myshare1
storageAccountName: myaccount
storageAccountKey: mykey
- name: myvol2
azureFile:
sharename: myshare2
storageAccountName: myaccount
storageAccountKey: mykey
tags: {}
type: Microsoft.ContainerInstance/containerGroups
我在虚拟网络中的同一终端上运行以下curl命令:
当我运行curl https://public.example.com时,它会返回页面
当我运行curl https://private.example.com它返回404错误
私有容器中的日志显示 404 错误,因此我知道它正在连接。
出于测试目的,我将下游服务器设置为公共访问,因此应该不是防火墙问题。我已经从内部容器运行了curl,并验证了它可以看到下游服务器。
对于他们为什么会有不同的行为有什么想法吗?
我让 Microsoft 支持人员对此进行了调查,他们建议,由于所有连接均成功,因此问题必定出在容器的配置中。
我已经解决了这个问题。这实际上是一个SSL证书问题。尽管两个容器最终都访问同一个上游服务器 (samebackend.com),但它被容器服务器名称(public.example.com 和 private.example.com)掩盖。只有 public.example.com 在 Samebackend.com 上拥有 SSL 证书。我添加了 private.example.com 的证书并且它起作用了。