Project background: migrating a front-end/back-end application. The prod environment must keep port 443, the dev environment uses port 37800, the back-end container port is 8000, the front-end container port is 80, and the FastAPI external port is 41000.
Production is deployed on VM01 and development on VM03; nginx forwarding is configured on VM01.
[root@vm01 conf.d]# docker ps | grep mig
73fbafgc2811 mig_backend-buildnum3 "python ./main.py" 5 days ago Up 5 days 0.0.0.0:40000->8000/tcp mig_backend
07db12b64b75 mig_frontend-buildnum3 "/docker-entrypoint.…" 5 days ago Up 5 days 0.0.0.0:40001->80/tcp mig_frontend
[root@wx8vm00007 conf.d]# ping 192.168.119.120
PING 192.168.119.120 (192.168.119.120) 56(84) bytes of data.
64 bytes from 192.168.119.120: icmp_seq=1 ttl=64 time=0.304 ms
64 bytes from 192.168.119.120: icmp_seq=2 ttl=64 time=0.277 ms
^C
--- 192.168.119.120 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1006ms
rtt min/avg/max/mdev = 0.277/0.290/0.304/0.021 ms
[root@vm01 conf.d]# ss -tunlp | grep 37800
tcp LISTEN 0 511 0.0.0.0:37800 0.0.0.0:* users:(("nginx",pid=1340282,fd=6),("nginx",pid=1340281,fd=6),("nginx",pid=1340280,fd=6),("nginx",pid=1340279,fd=6),("nginx",pid=1340230,fd=6))
Problem: VM01 and VM03 can reach each other, nginx is listening on port 37800, and the SSO configuration is correct, yet logging in on the front-end page times out.
Troubleshooting steps:
1. Check that the back-end service is listening on the right interface
Confirm that the back-end service (a Python application running in a Docker container) binds to 0.0.0.0:8000 rather than 127.0.0.1:8000. How to verify: run docker logs <container id> and check that port 8000 is listening on 0.0.0.0. Fix: if the application binds to 127.0.0.1, change its configuration to listen on 0.0.0.0.
[root@vm01 ~]# docker logs 492
开始加载 service.db
DATABASE_URL='mysql+pymysql://此处手动打🐎charset=utf8mb4'
SessionLocal 定义完成
INFO: Uvicorn running on http://0.0.0.0:8000 (Press CTRL+C to quit)
INFO: Started parent process [1]
SessionLocal 定义完成
SessionLocal 定义完成
SessionLocal 定义完成
SessionLocal 定义完成
INFO: Started server process [8]
INFO: Waiting for application startup.
INFO: Application startup complete.
INFO: Started server process [12]
INFO: Waiting for application startup.
INFO: Started server process [15]
INFO: Waiting for application startup.
INFO: Application startup complete.
INFO: Started server process [9]
INFO: Waiting for application startup.
INFO: Application startup complete.
INFO: Started server process [14]
INFO: Waiting for application startup.
INFO: Application startup complete.
INFO: Application startup complete.
INFO: Started server process [11]
INFO: Waiting for application startup.
INFO: Application startup complete.
INFO: Started server process [10]
INFO: Waiting for application startup.
INFO: Application startup complete.
INFO: Started server process [13]
INFO: Waiting for application startup.
INFO: Application startup complete.
The container has started normally, so a problem inside the container is ruled out.
2. Confirm the Docker port mapping is correct
Make sure host port 40000 is mapped to container port 8000.
How to verify: on the host, run:
ss -tuln | grep 40000
You should see 0.0.0.0:40000 in the LISTEN state. Fix: if nothing is listening, restart the container and make sure the -p 40000:8000 option is used.
[root@vm01 ~]# ss -tuln | grep 40000
tcp LISTEN 0 2048 0.0.0.0:40000 0.0.0.0:*
The port mapping is working, so a Docker port-mapping problem is ruled out.
3. Test connectivity to the back-end port
From the Nginx server, test connectivity to the back end on port 40000 directly:
telnet 192.168.119.120 40000 # or use nc -zv 192.168.119.120 40000
Result analysis:
[root@vm01 ~]# telnet 192.168.119.120 40000
Trying 192.168.119.120...
Connected to 192.168.119.120.
Escape character is '^]'.
The connection succeeds. At this point my reasoning was:
if (connection succeeds) { Nginx configuration or application path problem }
else { firewall / Docker / service not started }
But I still took a look at the firewall.
4. Check the firewall rules
On the Docker host (192.168.119.120), check that the firewall allows ports 40000 and 40001:
firewall-cmd --list-ports # if using firewalld
iptables -L -n -v # check the iptables rules
Fix: open the ports:
firewall-cmd --add-port=40000/tcp --permanent
firewall-cmd --reload
Here VM01 and VM03 have ports 1-65535 fully open, so the firewall is ruled out.
5. Check the Nginx proxy configuration
Path problem: make sure the trailing slash on proxy_pass is correct. For example:
location /rqone {
    proxy_pass http://192.168.119.122:40000; # no trailing slash: the original URI path is preserved
}
Log debugging: check the Nginx error log:
tail -f /var/log/nginx/error.log
and look for connect() failed (111: Connection refused) or timeout errors.
6. Verify the HTTPS certificate and domain name
Use curl to test while skipping certificate verification:
curl -vk https://<your domain>:port/接口
Check that the certificate is valid and that the domain name matches:
openssl s_client -connect <your domain>:port -servername <your domain>
7. Simplify the test (temporarily disable SSL)
Modify the Nginx configuration to disable SSL temporarily and listen on plain HTTP instead:
listen 37800; # remove ssl
# ssl_certificate ... comment out the SSL-related lines
Restart Nginx and access the service over HTTP to confirm whether SSL is the problem.
8. Check SELinux/AppArmor
Temporarily disable SELinux:
setenforce 0
If that fixes the problem, adjust the policy:
semanage port -a -t http_port_t -p tcp 37800
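Two small helpers for the checks above, added here as an example and not part of the original post: listen_scope() classifies how a port is bound from ss -tuln output (steps 1 and 2), and upstream_uri() reproduces the nginx proxy_pass rule that decides which URI is sent upstream (step 5), including the double-slash trap when the location has no trailing slash but proxy_pass does. The ss lines and the loopback-only port 9000 are constructed sample input.

```shell
# Added example (not from the original post). POSIX sh.

# listen_scope PORT "SS_OUTPUT" -> prints all | loopback | none
# "all" means the socket accepts connections on every interface (0.0.0.0, [::] or *),
# "loopback" means only 127.0.0.1/[::1], which nginx on another host cannot reach.
listen_scope() {
  port=$1
  out=$2
  if printf '%s\n' "$out" | grep -Eq "LISTEN.*(0\.0\.0\.0|\[::\]|\*):${port}( |\$)"; then
    echo all
  elif printf '%s\n' "$out" | grep -Eq "LISTEN.*(127\.0\.0\.1|\[::1\]):${port}( |\$)"; then
    echo loopback
  else
    echo none
  fi
}

# upstream_uri LOCATION PROXY_PASS REQUEST_URI -> prints the URI nginx sends upstream.
# Rule: proxy_pass without a URI part forwards the request URI unchanged; with a URI
# part (even just "/"), the portion matching the location prefix is replaced by it.
upstream_uri() {
  loc=$1
  pp=$2
  req=$3
  rest=${pp#*://}          # strip the scheme
  hostport=${rest%%/*}     # host:port is everything before the first '/'
  if [ "$rest" = "$hostport" ]; then
    printf '%s\n' "$req"   # no URI part in proxy_pass
  else
    ppuri=${rest#"$hostport"}               # e.g. "/" or "/api"
    printf '%s\n' "${ppuri}${req#"$loc"}"   # replace the matched prefix
  fi
}

# Constructed ss(8) lines: backend published on 40000 for all interfaces,
# plus a made-up admin port 9000 bound only to loopback.
SAMPLE_SS='tcp LISTEN 0 2048 0.0.0.0:40000 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:9000 0.0.0.0:*'

listen_scope 40000 "$SAMPLE_SS"   # all
listen_scope 9000 "$SAMPLE_SS"    # loopback
upstream_uri /rqone http://192.168.119.122:40000 /rqone/api/login    # /rqone/api/login
upstream_uri /rqone http://192.168.119.122:40000/ /rqone/api/login   # //api/login (double slash)
upstream_uri /rqone/ http://192.168.119.122:40000/ /rqone/api/login  # /api/login
```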
All of the above checks passed. A meeting with the front-end developers then turned up a cross-origin (CORS) error, which explained it.
On inspection, the front end had the wrong callback address configured 😀