Configuring a reverse proxy

https://docs.portainer.io/advanced/reverse-proxy/nginx

One very important point here: the other "nginx proxy" service that the official docs give is not plain nginx. If you want to proxy by domain name inside Docker, it is best to use plain HTTP and point at Portainer's port 9000, because Docker's internal gateway verifies the domain name of an HTTPS connection.

Because Portainer's default certificate is issued for the localhost domain name, you get the error below.

{
  "level": "error",
  "ts": 1733380193.0202732,
  "logger": "http.log.error",
  "msg": "tls: failed to verify certificate: x509: certificate is valid for localhost, not portainer",
  "request": {
    "remote_ip": "172.25.0.1",
    "remote_port": "42308",
    "client_ip": "172.25.0.1",
    "proto": "HTTP/1.1",
    "method": "GET",
    "host": "localhost:1027",
    "uri": "/",
    "headers": {
      "Cache-Control": [
        "max-age=0"
      ],
      "Sec-Fetch-Site": [
        "none"
      ],
      "Sec-Fetch-User": [
        "?1"
      ],
      "Accept-Language": [
        "zh-CN,zh;q=0.9"
      ],
      "Sec-Ch-Ua": [
        "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\""
      ],
      "Sec-Fetch-Mode": [
        "navigate"
      ],
      "Sec-Fetch-Dest": [
        "document"
      ],
      "Cookie": [
        "REDACTED"
      ],
      "Connection": [
        "keep-alive"
      ],
      "Sec-Ch-Ua-Mobile": [
        "?0"
      ],
      "Sec-Ch-Ua-Platform": [
        "\"Windows\""
      ],
      "Upgrade-Insecure-Requests": [
        "1"
      ],
      "User-Agent": [
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
      ],
      "Accept": [
        "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"
      ],
      "Accept-Encoding": [
        "gzip, deflate, br, zstd"
      ]
    }
  },
  "duration": 0.00317577,
  "status": 502,
  "err_id": "gpbhem59z",
  "err_trace": "reverseproxy.statusError (reverseproxy.go:1269)"
}

With an SSL certificate generated by an online site, the certificate is of the wrong kind (it only carries a Common Name and no Subject Alternative Names).

{
  "level": "error",
  "ts": 1733381980.5287666,
  "logger": "http.log.error",
  "msg": "tls: failed to verify certificate: x509: certificate relies on legacy Common Name field, use SANs instead",
  "request": {
    "remote_ip": "172.25.0.1",
    "remote_port": "59280",
    "client_ip": "172.25.0.1",
    "proto": "HTTP/1.1",
    "method": "GET",
    "host": "localhost:1024",
    "uri": "/",
    "headers": {
      "Sec-Ch-Ua-Platform": [
        "\"Windows\""
      ],
      "Sec-Fetch-User": [
        "?1"
      ],
      "Accept-Encoding": [
        "gzip, deflate, br, zstd"
      ],
      "Accept-Language": [
        "zh-CN,zh;q=0.9"
      ],
      "Sec-Ch-Ua": [
        "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\""
      ],
      "Sec-Fetch-Site": [
        "none"
      ],
      "Sec-Fetch-Dest": [
        "document"
      ],
      "Upgrade-Insecure-Requests": [
        "1"
      ],
      "User-Agent": [
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
      ],
      "Accept": [
        "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"
      ],
      "Sec-Fetch-Mode": [
        "navigate"
      ],
      "Cookie": [
        "REDACTED"
      ],
      "Connection": [
        "keep-alive"
      ],
      "Sec-Ch-Ua-Mobile": [
        "?0"
      ]
    }
  },
  "duration": 0.003323056,
  "status": 502,
  "err_id": "gge451nit",
  "err_trace": "reverseproxy.statusError (reverseproxy.go:1269)"
}

Finally, generating the certificate with openssl req -newkey rsa:4096 -nodes -sha256 -keyout domain.key -x509 -days 36500 -out domain.crt -addext "subjectAltName = DNS:portainer" still fails, because a self-signed certificate is not trusted; see this post: https://blog.csdn.net/tom_fans/article/details/107620248

{
  "level": "error",
  "ts": 1733382717.6806178,
  "logger": "http.log.error",
  "msg": "tls: failed to verify certificate: x509: certificate signed by unknown authority",
  "request": {
    "remote_ip": "172.25.0.1",
    "remote_port": "49990",
    "client_ip": "172.25.0.1",
    "proto": "HTTP/1.1",
    "method": "GET",
    "host": "localhost:1024",
    "uri": "/",
    "headers": {
      "Accept-Encoding": [
        "gzip, deflate, br, zstd"
      ],
      "Cookie": [
        "REDACTED"
      ],
      "Sec-Ch-Ua-Platform": [
        "\"Windows\""
      ],
      "Upgrade-Insecure-Requests": [
        "1"
      ],
      "User-Agent": [
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
      ],
      "Sec-Ch-Ua-Mobile": [
        "?0"
      ],
      "Accept": [
        "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"
      ],
      "Sec-Fetch-Mode": [
        "navigate"
      ],
      "Sec-Fetch-Dest": [
        "document"
      ],
      "Connection": [
        "keep-alive"
      ],
      "Sec-Fetch-Site": [
        "none"
      ],
      "Sec-Ch-Ua": [
        "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\""
      ],
      "Sec-Fetch-User": [
        "?1"
      ],
      "Accept-Language": [
        "zh-CN,zh;q=0.9"
      ]
    }
  },
  "duration": 0.009459574,
  "status": 502,
  "err_id": "zykmcedwf",
  "err_trace": "reverseproxy.statusError (reverseproxy.go:1269)"
}
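The three messages in the logs above are the exact strings that Go's crypto/x509 package produces (the proxy that wrote those logs is written in Go, as the reverseproxy.go trace shows), so the same verification can be reproduced offline. The following program is an added example, not code from this post or from Portainer: it builds self-signed certificates in memory and verifies each one the way a Go TLS client verifies an HTTPS upstream, producing each of the three errors in turn and then the passing case. The function names MakeCert, VerifyUpstream and ErrorFor are my own; the host name "portainer" and the three certificate shapes come from the logs above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MakeCert builds a self-signed certificate with the given Common Name and
// DNS SANs. Pass nil for dnsSANs to get a CN-only certificate, which is what
// many online generators and "openssl req" without -addext produce.
func MakeCert(cn string, dnsSANs []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dnsSANs,
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: the cert is its own issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyUpstream does what a Go TLS client (and therefore a Go reverse proxy)
// does when it dials an HTTPS upstream: it checks the upstream certificate for
// the host name it dialled, against the given trust roots. A nil trustRoot
// means "trust nothing", which is how a self-signed upstream certificate looks
// to a proxy that has not been told to trust it.
func VerifyUpstream(cert *x509.Certificate, host string, trustRoot *x509.Certificate) error {
	roots := x509.NewCertPool()
	if trustRoot != nil {
		roots.AddCert(trustRoot)
	}
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// ErrorFor generates a certificate with the given CN/SANs, verifies it for
// host, and returns the verification error text ("" on success). When trusted
// is true the certificate itself is installed as a trust root, as you would do
// by adding the self-signed cert to the proxy's trusted CAs.
func ErrorFor(cn string, sans []string, host string, trusted bool) string {
	cert, err := MakeCert(cn, sans)
	if err != nil {
		return "cert generation failed: " + err.Error()
	}
	var root *x509.Certificate
	if trusted {
		root = cert
	}
	if err := VerifyUpstream(cert, host, root); err != nil {
		return err.Error()
	}
	return ""
}

func main() {
	// 1. Portainer's default cert: SAN=localhost, but the proxy dials "portainer".
	fmt.Println(ErrorFor("localhost", []string{"localhost"}, "portainer", true))
	// 2. Certificate from an online generator: CN=portainer, no SAN extension.
	fmt.Println(ErrorFor("portainer", nil, "portainer", true))
	// 3. openssl with -addext subjectAltName, but self-signed and not trusted.
	fmt.Println(ErrorFor("portainer", []string{"portainer"}, "portainer", false))
	// 4. Correct SAN and the cert added to the proxy's trust roots: verifies.
	fmt.Printf("%q\n", ErrorFor("portainer", []string{"portainer"}, "portainer", true))
}
```

Case 4 is the point for a defender: a self-signed upstream certificate only works when the proxy is explicitly told to trust that certificate (or the CA that signed it), and the certificate must carry the proxied host name as a SAN. Disabling verification on the proxy instead would hide a man-in-the-middle on the Docker network, whereas the post's alternative, proxying plain HTTP to port 9000 inside the Docker network, avoids the problem at the cost of an unencrypted hop between the two containers.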

A more elegant reverse proxy

base_url: https://docs.portainer.io/advanced/cli#configuration-flags-available-at-the-command-line

Configuring a remote Docker connection

Official docs for remote environments: https://docs.portainer.io/admin/environments/add/api#remote-endpoint

The official docs start Portainer with docker run and do not provide a Compose file. I prefer starting it from a Compose file.

services:
  portainer:
    image: portainer/portainer-ce:2.21.4
    container_name: portainer
    volumes:
      # the Docker socket gives Portainer full control of the local daemon
      - /var/run/docker.sock:/var/run/docker.sock
      - ./portainer_data:/data
    ports:
      - 8000:8000
      - 9443:9443
    restart: unless-stopped

Access it over HTTPS on port 9443.

Configuring the remote Docker connection

There are four methods in total. The agent is the simplest: just install a portainer/agent and connect it. I would rather use the API method, since installing one more service adds load to a server that is already not very capable. But the API method needs configuration and is more troublesome.

Configuring an API connection

Docker docs: https://docs.docker.com/engine/daemon/remote-access

A personal blog post: https://www.cnblogs.com/niceyoo/p/13270224.html

# no effect
systemctl edit docker.service

# after editing, docker no longer starts
vim /etc/docker/daemon.json

# check whether remote access to docker is enabled
sudo netstat -lntp | grep dockerd
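The "docker no longer starts" symptom after editing daemon.json has a documented cause: the stock docker.service unit passes -H fd:// on its ExecStart line, and dockerd refuses to start when a directive such as hosts is given both as a flag and in the configuration file (the Docker remote-access docs linked above resolve this with a systemd drop-in that clears ExecStart). Exposing the API over tcp without tlsverify is the other common mistake, since the Docker API gives root-equivalent control of the host. The following checker is an added example, not code from this post or from Docker: it parses a daemon.json and reports both problems. CheckDaemonJSON and the two embedded sample configurations are my own constructions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// daemonConfig holds the subset of /etc/docker/daemon.json keys this check
// looks at; encoding/json ignores any other keys.
type daemonConfig struct {
	Hosts     []string `json:"hosts"`
	TLS       bool     `json:"tls"`
	TLSVerify bool     `json:"tlsverify"`
}

// Constructed sample: the typical "just open the port" edit.
const InsecureDaemonJSON = `{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}`

// Constructed sample: TLS with client-certificate verification, bound to one address.
const HardenedDaemonJSON = `{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}`

// CheckDaemonJSON parses daemon.json and returns one finding per problem.
// unitPassesH should be true when docker.service still passes "-H" on its
// ExecStart line (the stock unit does), which conflicts with a "hosts" key.
func CheckDaemonJSON(raw []byte, unitPassesH bool) ([]string, error) {
	var cfg daemonConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("daemon.json is not valid JSON: %w", err)
	}
	var findings []string
	if len(cfg.Hosts) > 0 && unitPassesH {
		findings = append(findings, "hosts is set in daemon.json but docker.service still passes -H: "+
			"dockerd will refuse to start (directive given both as a flag and in the config file); "+
			"override ExecStart in a systemd drop-in")
	}
	for _, h := range cfg.Hosts {
		u, err := url.Parse(h)
		if err != nil || u.Scheme != "tcp" {
			continue // unix:// and fd:// listeners are local-only
		}
		if !cfg.TLSVerify {
			findings = append(findings, fmt.Sprintf("%s exposes the Docker API over TCP without tlsverify: "+
				"anyone who can reach the port has root-equivalent control of the host", h))
		}
		if strings.HasPrefix(u.Host, "0.0.0.0") || strings.HasPrefix(u.Host, "[::]") {
			findings = append(findings, fmt.Sprintf("%s listens on all interfaces; bind to a specific address and firewall the port", h))
		}
	}
	return findings, nil
}

func main() {
	for name, raw := range map[string]string{"insecure": InsecureDaemonJSON, "hardened": HardenedDaemonJSON} {
		findings, err := CheckDaemonJSON([]byte(raw), true)
		if err != nil {
			fmt.Println(name+":", err)
			continue
		}
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

Even the hardened sample still reports the ExecStart conflict when unitPassesH is true, which is the order of operations the post stumbled over: fix the systemd unit first, then add hosts to daemon.json.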

Configuring an agent connection

The API connection has too many pitfalls, so go with the simplest method after all. Besides, if Docker is reinstalled on the machine everything has to be configured again, and repeating that work is unacceptable. The agent only supports one-to-one connections, which is a bit underwhelming. I had assumed the agent container would be fairly small, but it turns out to be over 200 MB, so you might as well install a full Portainer (only 300-odd MB), which can also be logged into from several machines.

Common problems

Unable to fetch image details

https://www.cnblogs.com/xwgli/p/18110766

Unable to add a stack

One possibility is that the image your stack pulls is too large, or there is a network problem, so the deployment stays stuck at the image-pull step. Portainer is asynchronous: you can click other buttons, and when you switch back you find the stack was not deployed; deploying another stack then fails as well, because the previous one is still deploying, just without anything shown in the UI. In that case, restarting the Portainer container fixes it.
