Docker + Golang HTTPS问题。OpenSSL SSL_connect: SSL_ERROR_SYSCALL

huangapple
go评论75阅读模式
英文:

Docker + Golang HTTPS issue. OpenSSL SSL_connect: SSL_ERROR_SYSCALL

问题

我正在尝试从Docker容器中连接到Go创建的HTTPS会话,当我在本地运行时,它可以正常工作,但是一旦我尝试在容器中运行它,我无法访问URL。

以下是我的代码:

func main() {
    // 我使用的是Go-Chi V5
    r := chi.NewRouter()

    // TLS连接。灵感来自于https://blog.cloudflare.com/exposing-go-on-the-internet
    tlsConfig := &tls.Config{
        PreferServerCipherSuites: true,
        CurvePreferences: []tls.CurveID{
            tls.CurveP256,
            tls.X25519,
        },

        MinVersion: tls.VersionTLS12,
        CipherSuites: []uint16{
            tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
            tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
            tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
            tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
            tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
            tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
        },
    }
    srv := &http.Server{
        Addr:         "localhost:9090",
        ReadTimeout:  5 * time.Second,
        WriteTimeout: 20 * time.Second,
        IdleTimeout:  200 * time.Second,
        TLSConfig:    tlsConfig,
        Handler:      r,
    }

    r.Get("/", func(w http.ResponseWriter, r *http.Request) {
        w.Write([]byte("hello world"))
    })

    err := srv.ListenAndServeTLS("./.dev/localhost.crt", "./.dev/localhost.key")
    if err != nil {
        log.Fatalf("server failed to start: %v", err)
    }
}

我的Dockerfile:

FROM golang:1.17-buster AS build

WORKDIR /app

COPY go.mod .
COPY go.sum .
RUN go mod download

COPY ./.dev/localhost.key .
COPY ./.dev/localhost.crt .

COPY . .

RUN go build -o /dev-admin ./cmd/admin

##
## 部署
##

FROM gcr.io/distroless/base-debian10

WORKDIR /

COPY --from=build /dev-admin /dev-admin

COPY --from=build ./app/localhost.key ./.dev/localhost.key
COPY --from=build ./app/localhost.crt ./.dev/localhost.crt

EXPOSE 9090
EXPOSE 443

ENTRYPOINT ["/dev-admin"]

docker-compose.yml:

version: '3.9'
services:
  web:
    image: api_test
    build: .
    ports:
      - '9090:9090'
    volumes:
      - .:/app

当我尝试使用普通的HTTP版本时,容器可以正常工作,所以问题只出现在HTTPS上,我无法找出具体原因。

英文:

I'm trying to connect to an HTTPS session created in Go from a Docker container, it works fine when I run it on my local, but as soon as I try to run it in the container I can't access to the URL.

func main() {

	// I'm using Go-Chi V5
	r := chi.NewRouter()

	// TLS connection. Inspired from https://blog.cloudflare.com/exposing-go-on-the-internet
	tlsConfig := &tls.Config{
		PreferServerCipherSuites: true,
		CurvePreferences: []tls.CurveID{
			tls.CurveP256,
			tls.X25519,
		},

		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
	srv := &http.Server{
		Addr:         "localhost:9090",
		ReadTimeout:  5 * time.Second,
		WriteTimeout: 20 * time.Second,
		IdleTimeout:  200 * time.Second,
		TLSConfig:    tlsConfig,
		Handler:      r,
	}

	r.Get("/", func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("hello world"))
	})

	err := srv.ListenAndServeTLS("./.dev/localhost.crt", "./.dev/localhost.key")
	if err != nil {
		log.Fatalf("server failed to start: %v", err)
	}
}

My Dockerfile:

FROM golang:1.17-buster AS build

WORKDIR /app

COPY go.mod .
COPY go.sum .
RUN go mod download

COPY ./.dev/localhost.key .
COPY ./.dev/localhost.crt .

COPY . .

RUN go build -o /dev-admin ./cmd/admin

##
## Deploy
##

FROM gcr.io/distroless/base-debian10

WORKDIR /

COPY --from=build /dev-admin /dev-admin

COPY --from=build ./app/localhost.key ./.dev/localhost.key
COPY --from=build ./app/localhost.crt ./.dev/localhost.crt

EXPOSE 9090
EXPOSE 443

ENTRYPOINT ["/dev-admin"]

docker-compose.yml:

version: '3.9'
services:
  web:
    image: api_test
    build: .
    ports:
      - '9090:9090'
    volumes:
      - .:/app

$ curl https://localhost:9090
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:9090

The container works fine when I try the normal HTTP version, so there is a blockage on the HTTPS only and I can't figure out what it is.

答案1

得分: 3

你正在指定在Server定义中要监听的地址:

srv := &http.Server{
        Addr:         "localhost:9090",
...

将其更改为:

srv := &http.Server{
        Addr:         ":9090",
...

需要进行此更改的原因是地址“指定服务器要侦听的TCP地址”。当你指定localhost:9090时,你绑定到容器内的回环接口,在大多数情况下,这是无法从外部访问的(有关更多信息,请参见此问题)。

英文:

You are specifying the address to listen on in your Server definition:

srv := &http.Server{
        Addr:         "localhost:9090",
...

change this to:

srv := &http.Server{
        Addr:         ":9090",
...

The reason that this change is needed is that the address "specifies the TCP address for the server to listen on". When you specify localhost:9090 you are binding to the loopback interface within the container and, in most cases, this is not accessible externally (see this question for more info).

huangapple
  • 本文由 发表于 2021年12月29日 02:09:03
  • 转载请务必保留本文链接:https://go.coder-hub.com/70510882.html
  • docker
  • go
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定