Trying to reach a VM on a private network built on Proxmox VE through a reverse proxy
Hello.
I'm Otsuka from the Class Act Infrastructure Division.
Last time I used Proxmox VE and OVS to build a private network with no connection to the internet, and started a few VMs on it along the way.
This time I'll continue from there: bring up an nginx VM and access a VM on the private network through a reverse proxy.
Build target
Below is what carries over from the article mentioned above. The nginx VM has two NICs: one on the network that is connected to the internet, the other on the private network.
When I open the nginx VM in a web browser on my PC and specify port 8000, I want the request forwarded to the apache VM on the private network. Both VMs run Ubuntu 22.04.

Setup
Starting a VM on Proxmox VE works the same as always, so I'll skip that step.
First I confirm that the nginx VM can reach the default gateway and the apache VM.
Looks fine.
root@nginx:~# ping 192.168.2.254
PING 192.168.2.254 (192.168.2.254) 56(84) bytes of data.
64 bytes from 192.168.2.254: icmp_seq=1 ttl=64 time=0.967 ms
64 bytes from 192.168.2.254: icmp_seq=2 ttl=64 time=0.741 ms
64 bytes from 192.168.2.254: icmp_seq=3 ttl=64 time=0.625 ms
64 bytes from 192.168.2.254: icmp_seq=4 ttl=64 time=0.728 ms
64 bytes from 192.168.2.254: icmp_seq=5 ttl=64 time=0.728 ms
^C
--- 192.168.2.254 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4056ms
rtt min/avg/max/mdev = 0.625/0.757/0.967/0.112 ms
root@nginx:~# ping 192.168.200.10
PING 192.168.200.10 (192.168.200.10) 56(84) bytes of data.
64 bytes from 192.168.200.10: icmp_seq=1 ttl=64 time=0.501 ms
64 bytes from 192.168.200.10: icmp_seq=2 ttl=64 time=1.33 ms
64 bytes from 192.168.200.10: icmp_seq=3 ttl=64 time=0.433 ms
64 bytes from 192.168.200.10: icmp_seq=4 ttl=64 time=0.602 ms
64 bytes from 192.168.200.10: icmp_seq=5 ttl=64 time=0.423 ms
^C
--- 192.168.200.10 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4071ms
rtt min/avg/max/mdev = 0.423/0.658/1.332/0.342 ms
I can also SSH from the nginx VM to the apache VM without any problem, i.e. so-called stepping-stone (jump host) access to the apache VM.
※ Because name resolution is set up in /etc/hosts I can connect by hostname, but the IP address works just as well.
root@nginx:~# ssh test@ovs-apache2.com
The authenticity of host 'ovs-apache2.com (192.168.200.10)' can't be established.
ED25519 key fingerprint is SHA256:n7QLZYMhpMZ3DEo2IYxcQIDMZALl9VVi5MmuG44c8/I.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'ovs-apache2.com' (ED25519) to the list of known hosts.
test@ovs-apache2.com's password:
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-60-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sat Apr 8 11:56:35 PM UTC 2023
System load: 0.76220703125 Processes: 102
Usage of /: 39.3% of 14.66GB Users logged in: 1
Memory usage: 5% IPv4 address for ens18: 192.168.200.10
Swap usage: 0%
* Introducing Expanded Security Maintenance for Applications.
Receive updates to over 25,000 software packages with your
Ubuntu Pro subscription. Free for personal use.
https://ubuntu.com/pro
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Sat Apr 8 03:20:57 2023
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
test@ovs-vm:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 9e:7d:83:04:21:fc brd ff:ff:ff:ff:ff:ff
altname enp0s18
inet 192.168.200.10/24 brd 192.168.200.255 scope global ens18
valid_lft forever preferred_lft forever
inet6 fe80::9c7d:83ff:fe04:21fc/64 scope link
valid_lft forever preferred_lft forever
test@ovs-vm:~$
I'll install nginx on the nginx VM.
I referred to the following article.
root@nginx:~# apt install curl gnupg2 ca-certificates lsb-release ubuntu-keyring
curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
| sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
root@nginx:~# gpg --dry-run --quiet --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg
gpg: keyblock resource '/root/.gnupg/pubring.kbx': No such file or directory
pub rsa2048 2011-08-19 [SC] [expires: 2024-06-14]
573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
uid nginx signing key <signing-key@nginx.com>
root@nginx:~# echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
http://nginx.org/packages/ubuntu `lsb_release -cs` nginx" \
| sudo tee /etc/apt/sources.list.d/nginx.list
root@nginx:~# apt update
root@nginx:~# apt install nginx
After installing nginx, check the version, then start and enable the service.
root@nginx:~# nginx -v
nginx version: nginx/1.22.1
root@nginx:~# systemctl start nginx
root@nginx:~# systemctl enable nginx
Synchronizing state of nginx.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable nginx
root@nginx:~# systemctl status nginx
● nginx.service - nginx - high performance web server
     Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2023-04-08 23:07:04 UTC; 14s ago
       Docs: https://nginx.org/en/docs/
   Main PID: 2554 (nginx)
      Tasks: 5 (limit: 5773)
     Memory: 4.0M
        CPU: 14ms
     CGroup: /system.slice/nginx.service
             ├─2554 "nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf"
             ├─2555 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
             ├─2556 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
             ├─2557 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
             └─2558 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""

Apr 08 23:07:04 nginx systemd[1]: Starting nginx - high performance web server...
Apr 08 23:07:04 nginx systemd[1]: Started nginx - high performance web server.

Now to set up the reverse proxy.
I referred to the following guide.
Copy default.conf in /etc/nginx/conf.d/ to server.conf.
Configure it as follows:
In the server directive, set listen to the port on which the nginx server accepts requests, and server_name to the nginx VM's own IP address.
In the location directive, specify the IP address and port of the server the request is forwarded to.
root@nginx:/etc/nginx/conf.d# cat server.conf
server {
    listen 8000;
    server_name 192.168.2.190;
    location / {
        proxy_pass http://192.168.200.10:8000/;
    }
}
Restart nginx.
root@nginx:/etc/nginx/conf.d# systemctl restart nginx
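As an added example (not the configuration from the original post), here is the same server.conf extended with the headers a reverse proxy normally passes on, so that Apache's access log on 192.168.200.10 records the real client and original Host instead of the nginx VM's private address:

```nginx
# Added example, not the author's file: /etc/nginx/conf.d/server.conf
# with the forwarding headers the original omits.
server {
    listen 8000;
    server_name 192.168.2.190;

    location / {
        proxy_pass http://192.168.200.10:8000/;

        # Pass the original Host and the client's address on to Apache.
        # Without these, Apache only ever sees the proxy's own address
        # (192.168.200.x) and the upstream Host, which makes its logs
        # useless for telling real clients apart.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Because default.conf was copied rather than moved, nginx still serves its stock site on port 80 as well. And once the apache VM gets its temporary ens19 address later in this post, Apache's `Listen 8000` also answers on 192.168.2.192:8000 directly, bypassing the proxy, so bind it to 192.168.200.10:8000 or remove that NIC when the install is finished.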
Install Apache2 on the apache VM.
A forward proxy could also be set up on nginx, but that is a hassle, so for now I added a NIC that can reach the internet to this VM so the installation can go ahead.


Set the IP address of the added NIC inside the VM.
Then check with the ip command that the setting took effect.
To apply the IP address I use netplan.
root@ovs-vm:~# cd /etc/netplan
root@ovs-vm:/etc/netplan# ls -ltr
total 4
-rw-r--r-- 1 root root 279 Apr 8 02:53 00-installer-config.yaml
root@ovs-vm:/etc/netplan# vi 00-installer-config.yaml
root@ovs-vm:/etc/netplan# cat 00-installer-config.yaml
# This is the network config written by 'subiquity'
network:
  ethernets:
    ens18:
      addresses:
      - 192.168.200.10/24
      nameservers:
        addresses:
        - 8.8.8.8
        search: []
      routes:
      - to: default
        via: 192.168.200.254
    ens19:
      addresses:
      - 192.168.2.192/24
  version: 2
root@ovs-vm:/etc/netplan# netplan apply
root@ovs-vm:/etc/netplan# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 9e:7d:83:04:21:fc brd ff:ff:ff:ff:ff:ff
altname enp0s18
inet 192.168.200.10/24 brd 192.168.200.255 scope global ens18
valid_lft forever preferred_lft forever
inet6 fe80::9c7d:83ff:fe04:21fc/64 scope link
valid_lft forever preferred_lft forever
3: ens19: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 3a:40:fa:91:39:67 brd ff:ff:ff:ff:ff:ff
altname enp0s19
inet 192.168.2.192/24 brd 192.168.2.255 scope global ens19
valid_lft forever preferred_lft forever
inet6 fe80::3840:faff:fe91:3967/64 scope link
valid_lft forever preferred_lft forever
Change the default gateway and confirm that name resolution works.
root@ovs-vm:~# ip route show
default via 192.168.200.254 dev ens18 proto static
192.168.2.0/24 dev ens19 proto kernel scope link src 192.168.2.192
192.168.200.0/24 dev ens18 proto kernel scope link src 192.168.200.10
root@ovs-vm:~# ip route del default
root@ovs-vm:~# ip route show
192.168.2.0/24 dev ens19 proto kernel scope link src 192.168.2.192
192.168.200.0/24 dev ens18 proto kernel scope link src 192.168.200.10
root@ovs-vm:~# ip route add default via 192.168.2.254 dev ens19
root@ovs-vm:~# ip route show
default via 192.168.2.254 dev ens19
192.168.2.0/24 dev ens19 proto kernel scope link src 192.168.2.192
192.168.200.0/24 dev ens18 proto kernel scope link src 192.168.200.10
root@ovs-vm:~# ping google.com
PING google.com (142.251.42.206) 56(84) bytes of data.
64 bytes from nrt12s47-in-f14.1e100.net (142.251.42.206): icmp_seq=1 ttl=117 time=4.01 ms
64 bytes from nrt12s47-in-f14.1e100.net (142.251.42.206): icmp_seq=2 ttl=117 time=3.32 ms
64 bytes from nrt12s47-in-f14.1e100.net (142.251.42.206): icmp_seq=3 ttl=117 time=3.41 ms
64 bytes from nrt12s47-in-f14.1e100.net (142.251.42.206): icmp_seq=4 ttl=117 time=3.68 ms
64 bytes from nrt12s47-in-f14.1e100.net (142.251.42.206): icmp_seq=5 ttl=117 time=3.11 ms
^C
--- google.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3996ms
rtt min/avg/max/mdev = 3.114/3.506/4.013/0.311 ms
Install Apache2.
root@ovs-vm:~# apt update
root@ovs-vm:~# apt install -y apache2
root@ovs-vm:~# systemctl start apache2
root@ovs-vm:~# systemctl enable apache2
Synchronizing state of apache2.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable apache2
root@ovs-vm:~# systemctl status apache2
● apache2.service - The Apache HTTP Server
     Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2023-04-09 00:19:55 UTC; 31s ago
       Docs: https://httpd.apache.org/docs/2.4/
   Main PID: 2527 (apache2)
      Tasks: 55 (limit: 5777)
     Memory: 5.1M
        CPU: 42ms
     CGroup: /system.slice/apache2.service
             ├─2527 /usr/sbin/apache2 -k start
             ├─2528 /usr/sbin/apache2 -k start
             └─2529 /usr/sbin/apache2 -k start

Apr 09 00:19:55 ovs-vm systemd[1]: Starting The Apache HTTP Server...
Apr 09 00:19:55 ovs-vm apachectl[2526]: AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppres>
Apr 09 00:19:55 ovs-vm systemd[1]: Started The Apache HTTP Server.
Change apache2's listen port from 80 to 8000.
root@ovs-vm:~# cd /etc/apache2
root@ovs-vm:/etc/apache2# cp -p ports.conf ports.conf.org
root@ovs-vm:/etc/apache2# vi ports.conf
root@ovs-vm:/etc/apache2# diff ports.conf ports.conf.org
5,6c5
< #Listen 80
< Listen 8000
---
> Listen 80
root@ovs-vm:/etc/apache2# systemctl restart apache2

Check the output of the ip command.
root@ovs-vm:/etc/apache2# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 9e:7d:83:04:21:fc brd ff:ff:ff:ff:ff:ff
altname enp0s18
inet 192.168.200.10/24 brd 192.168.200.255 scope global ens18
valid_lft forever preferred_lft forever
inet6 fe80::9c7d:83ff:fe04:21fc/64 scope link
valid_lft forever preferred_lft forever
In this state, access the nginx VM from the PC specifying port 8000.
The request is forwarded to port 8000 on the apache2 VM and Apache's page is displayed.
