2021年12月29日 02:09:03go评论121阅读模式

英文:

Docker + Golang HTTPS issue. OpenSSL SSL_connect: SSL_ERROR_SYSCALL

问题

我正在尝试从Docker容器中连接到Go创建的HTTPS会话，当我在本地运行时，它可以正常工作，但是一旦我尝试在容器中运行它，我无法访问URL。

以下是我的代码：

func main() {
    // 我使用的是Go-Chi V5
    r := chi.NewRouter()
    // TLS连接。灵感来自于https://blog.cloudflare.com/exposing-go-on-the-internet
    tlsConfig := &tls.Config{
        PreferServerCipherSuites: true,
        CurvePreferences: []tls.CurveID{
            tls.CurveP256,
            tls.X25519,
        },
        MinVersion: tls.VersionTLS12,
        CipherSuites: []uint16{
            tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
            tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
            tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
            tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
            tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
            tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
        },
    }
    srv := &http.Server{
        Addr:         "localhost:9090",
        ReadTimeout:  5 * time.Second,
        WriteTimeout: 20 * time.Second,
        IdleTimeout:  200 * time.Second,
        TLSConfig:    tlsConfig,
        Handler:      r,
    }
    r.Get("/", func(w http.ResponseWriter, r *http.Request) {
        w.Write([]byte("hello world"))
    })
    err := srv.ListenAndServeTLS("./.dev/localhost.crt", "./.dev/localhost.key")
    if err != nil {
        log.Fatalf("server failed to start: %v", err)
    }
}

我的Dockerfile：

FROM golang:1.17-buster AS build
WORKDIR /app
COPY go.mod .
COPY go.sum .
RUN go mod download
COPY ./.dev/localhost.key .
COPY ./.dev/localhost.crt .
COPY . .
RUN go build -o /dev-admin ./cmd/admin
##
## 部署
##
FROM gcr.io/distroless/base-debian10
WORKDIR /
COPY --from=build /dev-admin /dev-admin
COPY --from=build ./app/localhost.key ./.dev/localhost.key
COPY --from=build ./app/localhost.crt ./.dev/localhost.crt
EXPOSE 9090
EXPOSE 443
ENTRYPOINT ["/dev-admin"]

docker-compose.yml：

version: '3.9'
services:
  web:
    image: api_test
    build: .
    ports:
      - '9090:9090'
    volumes:
      - .:/app

当我尝试使用普通的HTTP版本时，容器可以正常工作，所以问题只出现在HTTPS上，我无法找出具体原因。

英文:

I'm trying to connect to an HTTPS session created in Go from a Docker container, it works fine when I run it on my local, but as soon as I try to run it in the container I can't access to the URL.

func main() {
	// I&#39;m using Go-Chi V5
	r := chi.NewRouter()
	// TLS connection. Inspired from https://blog.cloudflare.com/exposing-go-on-the-internet
	tlsConfig := &amp;tls.Config{
		PreferServerCipherSuites: true,
		CurvePreferences: []tls.CurveID{
			tls.CurveP256,
			tls.X25519,
		},
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
	srv := &amp;http.Server{
		Addr:         &quot;localhost:9090&quot;,
		ReadTimeout:  5 * time.Second,
		WriteTimeout: 20 * time.Second,
		IdleTimeout:  200 * time.Second,
		TLSConfig:    tlsConfig,
		Handler:      r,
	}
	r.Get(&quot;/&quot;, func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte(&quot;hello world&quot;))
	})
	err := srv.ListenAndServeTLS(&quot;./.dev/localhost.crt&quot;, &quot;./.dev/localhost.key&quot;)
	if err != nil {
		log.Fatalf(&quot;server failed to start: %v&quot;, err)
	}
}

My Dockerfile:

FROM golang:1.17-buster AS build
WORKDIR /app
COPY go.mod .
COPY go.sum .
RUN go mod download
COPY ./.dev/localhost.key .
COPY ./.dev/localhost.crt .
COPY . .
RUN go build -o /dev-admin ./cmd/admin
##
## Deploy
##
FROM gcr.io/distroless/base-debian10
WORKDIR /
COPY --from=build /dev-admin /dev-admin
COPY --from=build ./app/localhost.key ./.dev/localhost.key
COPY --from=build ./app/localhost.crt ./.dev/localhost.crt
EXPOSE 9090
EXPOSE 443
ENTRYPOINT [&quot;/dev-admin&quot;]

docker-compose.yml:

version: &#39;3.9&#39;
services:
  web:
    image: api_test
    build: .
    ports:
      - &#39;9090:9090&#39;
    volumes:
      - .:/app

$ curl https://localhost:9090
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:9090

The container works fine when I try the normal HTTP version, so there is a blockage on the HTTPS only and I can't figure out what it is.

答案1

得分: 3

你正在指定在Server定义中要监听的地址：

srv := &http.Server{
        Addr:         "localhost:9090",
...

将其更改为：

srv := &http.Server{
        Addr:         ":9090",
...

需要进行此更改的原因是地址“指定服务器要侦听的TCP地址”。当你指定localhost:9090时，你绑定到容器内的回环接口，在大多数情况下，这是无法从外部访问的（有关更多信息，请参见此问题）。

英文:

You are specifying the address to listen on in your Server definition:

srv := &amp;http.Server{
        Addr:         &quot;localhost:9090&quot;,
...

change this to:

srv := &amp;http.Server{
        Addr:         &quot;:9090&quot;,
...

The reason that this change is needed is that the address "specifies the TCP address for the server to listen on". When you specify localhost:9090 you are binding to the loopback interface within the container and, in most cases, this is not accessible externally (see this question for more info).

通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库，让每个人都能够通过互相帮助和分享经验来进步。

Docker + Golang HTTPS问题。OpenSSL SSL_connect: SSL_ERROR_SYSCALL

问题

答案1

如何在Unmarshal中使用泛型（go 1.18）

GO：未知标志- trimpath

无法运行gqlgen generate，因为缺少go.sum文件中的模块条目。

mgo正则表达式不起作用。

如何在Playwright视觉比较中屏蔽多个定位器？

在C++中，可以使用可变模板参数来检索类型的内部类型。

selenium.common.exceptions.StaleElementReferenceException: Message: stale element reference: stale element not found

Creating and opening a URL to log in to Website via Basic Auth with Robot Framework/Selenium (Python)

AG Grid 在上下文菜单中以大文本形式打开

What's the correct way to type hint an empty list as a literal in python?

如何在Highcharts Gantt中更改本地化的星期名称

如何在同一个流中使用多个过滤器和映射函数？

如何使用Map/Set来将代码优化到O(n)？

.NET MAUI Android在GitHub Actions上构建失败，错误代码为1。