whm/web
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(nginx): 启动时从 resolv.conf 注入 resolver + tpl 生成配置,修复 Podman host not found api

Browse Source 
Made-with: Cursor
This commit is contained in:
whm
2026-03-22 01:34:23 +08:00
parent 7c9649356a
commit 948494bca0
6 changed files with 102 additions and 65 deletions
Download Patch File Download Diff File Expand all files Collapse all files

0
nginx/runtime-confd/.gitkeep Normal file
View File

51
nginx/yuheng.docker.conf
View File

@@ -1,48 +1,5 @@
# 供 docker-compose 中 nginx 使用:仅监听 443反代到 api/web/admin证书挂载到 /etc/ssl/yh_web/yuheng.yuxindazhineng.com/
# 已迁移:实际运行使用 yuheng.docker.conf.tpl
# 启动时由 scripts/nginx-entrypoint-wait-dns.sh 将 resolv.conf 中的 nameserver 注入为 resolver
# 并配合变量 proxy_pass避免 Docker/Podman 下「upstream OK」后仍出现 host not found in upstream "api"。
#
# 使用静态 proxy_pass依赖 Compose/Podman 内置 DNS。容器启动顺序由 depends_on + docker-compose.yml
# 中 entrypoint 等待脚本保证:解析就绪后再启动 nginx避免「host not found in upstream」。
# 勿配合 127.0.0.11 resolver + 变量 proxy_pass 用于 Podman无该 DNS 时会导致长时间超时 → 502。
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name yuheng.yuxindazhineng.com;
client_max_body_size 800m;
ssl_certificate /etc/ssl/yh_web/yuheng.yuxindazhineng.com/fullchain.pem;
ssl_certificate_key /etc/ssl/yh_web/yuheng.yuxindazhineng.com/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
location / {
proxy_pass http://web:80;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /admin/ {
proxy_pass http://admin:80/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# 不要用尾部斜杠,否则 /api/health 会变成 /health而后端注册的是 /api/health
location /api/ {
proxy_pass http://api:8088;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
# 修改 HTTPS 反代请编辑nginx/yuheng.docker.conf.tpl

49
nginx/yuheng.docker.conf.tpl Normal file
View File

@@ -0,0 +1,49 @@
# 由 scripts/nginx-entrypoint-wait-dns.sh 在启动时 sed 替换 @@NGINX_RESOLVER@@(来自容器 /etc/resolv.conf
# 再写入 /etc/nginx/conf.d/default.conf。使用 resolver + 变量 proxy_pass避免 Podman 下启动瞬间 host not found in upstream。
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name yuheng.yuxindazhineng.com;
client_max_body_size 800m;
resolver @@NGINX_RESOLVER@@ valid=10s ipv6=off;
ssl_certificate /etc/ssl/yh_web/yuheng.yuxindazhineng.com/fullchain.pem;
ssl_certificate_key /etc/ssl/yh_web/yuheng.yuxindazhineng.com/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
location / {
set $upstream_web web;
proxy_pass http://$upstream_web:80;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /admin/ {
set $upstream_admin admin;
proxy_pass http://$upstream_admin:80/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /api/ {
set $upstream_api api;
proxy_pass http://$upstream_api:8088;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}