I have been at this for two days and cannot wrap my head around it.
I installed Docker on a server running WHM. In Docker, I installed listmonk.app.
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0eb46a14e3c2 listmonk/listmonk:latest "./listmonk" 20 hours ago Up 9 minutes 0.0.0.0:9000->9000/tcp, :::9000->9000/tcp listmonk_app
43b308157ebe postgres:13-alpine "docker-entrypoint.s…" 20 hours ago Up 9 minutes (healthy) 0.0.0.0:9432->5432/tcp, :::9432->5432/tcp listmonk_db
Next, I installed a Cloudflare Tunnel to allow access to http://localhost:9000 via https://listmonk.ygprodeck.com.
This worked until I installed ConfigServer Security & Firewall (CSF) on the server. Port 9000 is blocked (it is not added via TCP_IN or TCP_OUT), which is exactly what I want, but now my Cloudflare Tunnel cannot connect to the docker container because it times out.
On the server I ran:
curl -v http://127.0.0.1:9000
* Rebuilt URL to: http://127.0.0.1:9000/
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 9000 (#0)
> GET / HTTP/1.1
> Host: 127.0.0.1:9000
> User-Agent: curl/7.61.1
> Accept: */*
>
* Recv failure: Connection reset by peer
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer
Disabling CSF fixes the problem, but then those ports are exposed, which is what I am trying to avoid.
Yesterday, instead of a Cloudflare Tunnel, I used an Apache reverse proxy, and the end result was basically the same.
I also tried adding docker0 to ETH_DEVICE_SKIP, which simply opened port 9000 to the outside (I believe this just makes it skip the firewall rules entirely).
I found a possibly similar Stack question, but I am not very familiar with Docker. For listmonk.app I used the easy production install.
docker-compose.yml:
version: "3.7"
x-app-defaults: &app-defaults
  restart: unless-stopped
  image: listmonk/listmonk:latest
  ports:
    - "9000:9000"
  networks:
    - listmonk
  environment:
    - TZ=Etc/UTC
x-db-defaults: &db-defaults
  image: postgres:13-alpine
  ports:
    - "9432:5432"
  networks:
    - listmonk
  environment:
    - POSTGRES_PASSWORD=<REMOVED>
    - POSTGRES_USER=<REMOVED>
    - POSTGRES_DB=<REMOVED>
  restart: unless-stopped
  healthcheck:
    test: ["CMD-SHELL", "pg_isready -U listmonk"]
    interval: 10s
    timeout: 5s
    retries: 6
services:
  db:
    <<: *db-defaults
    container_name: listmonk_db
    volumes:
      - type: volume
        source: listmonk-data
        target: /var/lib/postgresql/data
  app:
    <<: *app-defaults
    container_name: listmonk_app
    depends_on:
      - db
    volumes:
      - ./config.toml:/listmonk/config.toml
  demo-db:
    container_name: listmonk_demo_db
    <<: *db-defaults
  demo-app:
    <<: *app-defaults
    container_name: listmonk_demo_app
    command: [sh, -c, "yes | ./listmonk --install --config config-demo.toml && ./listmonk --config config-demo.toml"]
    depends_on:
      - demo-db
networks:
  listmonk:
volumes:
  listmonk-data:
I will also include the listmonk.app config.toml file, but I think most of it needs to stay as it is:
[app]
# Interface and port where the app will run its webserver. The default value
# of localhost will only listen to connections from the current machine. To
# listen on all interfaces use '0.0.0.0'. To listen on the default web address
# port, use port 80 (this will require running with elevated permissions).
address = "0.0.0.0:9000"
# BasicAuth authentication for the admin dashboard. This will eventually
# be replaced with a better multi-user, role-based authentication system.
# IMPORTANT: Leave both values empty to disable authentication on admin
# only where an external authentication is already setup.
admin_username = "<REMOVED>"
admin_password = "<REMOVED>"
# Database.
[db]
host = "listmonk_db"
port = 5432
user = "<REMOVED>"
password = "<REMOVED>"
# Ensure that this database has been created in Postgres.
database = "listmonk"
ssl_mode = "disable"
max_open = 25
max_idle = 25
max_lifetime = "300s"
# Optional space separated Postgres DSN params. eg: "application_name=listmonk gssencmode=disable"
params = ""
You do not mention how you deploy the Cloudflare Tunnel client. Since you already deploy listmonk via Docker, it only makes sense to do the same for the CF Tunnel client and use a shared Docker network for both services.
With the following compose file you can add the CF Tunnel client to the existing docker network listmonk:
version: '3.9'
networks:
  listmonk:
    external: true
services:
  cloudflaretunnel:
    image: cloudflare/cloudflared
    environment:
      - TUNNEL_TOKEN=$TUNNEL_TOKEN
    command: tunnel --no-autoupdate run
    restart: unless-stopped
    networks:
      - listmonk
The benefit is that you do not need to expose the listmonk service on 0.0.0.0:9000, where the firewall may interfere. This means you can get rid of:
ports:
  - "9000:9000"
in the listmonk compose file.
From the docs:
You can implement a positive security model with Cloudflare Tunnel by blocking all ingress traffic and allowing only egress traffic to Cloudflare. Only the services specified in the tunnel configuration are exposed to the outside world.
You only need to allow outbound connections on port 7844:
cloudflared connects to Cloudflare's global network on port 7844. To use Cloudflare Tunnel, your firewall must allow outbound connections to the following destinations on port 7844 (via UDP if using the quic protocol, or TCP if using the http2 protocol).
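As an added example (not part of the question or the answer above), a small audit over `docker ps` output that lists every container port published on a wildcard host address (0.0.0.0 or ::), i.e. the mappings a host firewall such as CSF would otherwise have to block; the sample rows are constructed from the output shown in the question, plus one loopback-bound row that should not be flagged.

```python
import re
from typing import List, Tuple

# Constructed sample modelled on the `docker ps` output in the question;
# the third row is an invented loopback-only mapping for contrast.
SAMPLE_DOCKER_PS = """\
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0eb46a14e3c2 listmonk/listmonk:latest "./listmonk" 20 hours ago Up 9 minutes 0.0.0.0:9000->9000/tcp, :::9000->9000/tcp listmonk_app
43b308157ebe postgres:13-alpine "docker-entrypoint.s…" 20 hours ago Up 9 minutes (healthy) 0.0.0.0:9432->5432/tcp, :::9432->5432/tcp listmonk_db
1a2b3c4d5e6f postgres:13-alpine "docker-entrypoint.s…" 1 hour ago Up 1 hour 127.0.0.1:9433->5432/tcp example_local_db
"""

# One published mapping as printed by docker: host_ip:host_port->container_port/proto
MAPPING_RE = re.compile(r"(\S+?):(\d+)->(\d+)/(tcp|udp)")
# Host addresses that mean "every interface" for IPv4 and IPv6.
WILDCARD_IPS = {"0.0.0.0", "::"}


def wildcard_published_ports(ps_output: str) -> List[Tuple[str, str, int, str]]:
    """Return (container_name, host_ip, host_port, proto) for every mapping
    bound to all interfaces. The container name is the last whitespace-
    separated field of a `docker ps` row; the header row is skipped."""
    findings = []
    for line in ps_output.splitlines()[1:]:
        if not line.strip():
            continue
        name = line.split()[-1]
        for host_ip, host_port, _container_port, proto in MAPPING_RE.findall(line):
            if host_ip in WILDCARD_IPS:
                findings.append((name, host_ip, int(host_port), proto))
    return findings


def report(ps_output: str) -> str:
    """Human-readable summary, one line per wildcard-published mapping."""
    rows = wildcard_published_ports(ps_output)
    if not rows:
        return "no ports published on all interfaces"
    return "\n".join(f"{name}: {ip}:{port}/{proto} is reachable from every interface"
                     for name, ip, port, proto in rows)


if __name__ == "__main__":
    print(report(SAMPLE_DOCKER_PS))
```

To run it against a live host, pipe `docker ps` into the script instead of the constructed sample.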