'%3e%3cpath%20d='M9%2021H15'%20stroke='black'%20stroke-width='2'%20stroke-linecap='round'%20stroke-linejoin='round'/%3e%3cpath%20d='M5.25001%209.75C5.25001%207.95979%205.96116%206.2429%207.22703%204.97703C8.4929%203.71116%2010.2098%203%2012%203C13.7902%203%2015.5071%203.71116%2016.773%204.97703C18.0388%206.2429%2018.75%207.95979%2018.75%209.75C18.75%2013.1081%2019.5281%2015.8063%2020.1469%2016.875C20.2126%2016.9888%2020.2472%2017.1179%2020.2474%2017.2493C20.2475%2017.3808%2020.2131%2017.5099%2020.1475%2017.6239C20.082%2017.7378%2019.9877%2017.8325%2019.8741%2017.8985C19.7604%2017.9645%2019.6314%2017.9995%2019.5%2018H4.50001C4.36874%2017.9992%204.23997%2017.964%204.12659%2017.8978C4.0132%2017.8317%203.91916%2017.7369%203.85387%2017.6231C3.78858%2017.5092%203.75432%2017.3801%203.75452%2017.2489C3.75472%2017.1176%203.78937%2016.9887%203.85501%2016.875C4.47282%2015.8063%205.25001%2013.1072%205.25001%209.75Z'%20stroke='black'%20stroke-width='2'%20stroke-linecap='round'%20stroke-linejoin='round'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_4762_133'%3e%3crect%20width='24'%20height='24'%20fill='white'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
'%3e%3cpath%20d='M24%200H0V24H24V0Z'%20fill='white'%20fill-opacity='0.01'/%3e%3cpath%20d='M12%2011C14.2091%2011%2016%209.20914%2016%207C16%204.79086%2014.2091%203%2012%203C9.79086%203%208%204.79086%208%207C8%209.20914%209.79086%2011%2012%2011Z'%20stroke='black'%20stroke-width='2'%20stroke-linecap='round'%20stroke-linejoin='round'/%3e%3cpath%20d='M4%2021V20.4857C4%2018.5655%204%2017.6055%204.38753%2016.872C4.72841%2016.2269%205.27235%2015.7024%205.94138%2015.3737C6.70196%2015%207.6976%2015%209.68889%2015H14.3111C16.3024%2015%2017.298%2015%2018.0586%2015.3737C18.7276%2015.7024%2019.2716%2016.2269%2019.6125%2016.872C20%2017.6055%2020%2018.5655%2020%2020.4857V21'%20stroke='black'%20stroke-width='2'%20stroke-linecap='round'%20stroke-linejoin='round'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_4762_139'%3e%3crect%20width='24'%20height='24'%20fill='white'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
懒猫微服开发篇(六):用 Openresty 做反向代理来解决跨域问题
忘机山人
发布于334天前博客图片修整中,看不了可以先搜索公众号“忘机山人”看。
对于 Web 开发而言, 经常会遇到跨域问题。我们先来看一下什么是跨域问题:
**跨域问题(Cross-Origin)**本质上是浏览器的**同源策略(Same-Origin Policy, SOP)**在发挥作用:
> **同源**指“协议 + 域名(或 IP)+ 端口”三要素完全一致。只要三者有任何一个不同,就被视为**跨域**。
#### 为什么浏览器要限制跨域?
- **安全**:阻止一个站点随意读取或修改另一个站点的敏感资源(如 Cookie、LocalStorage、DOM),避免 XSS、CSRF 等攻击链被无限放大。
- **隔离**:让不同网站在沙盒里各自运行,互不干扰。
> 同源策略只在**浏览器环境**生效;后端服务之间(如服务器 A 请求服务器 B)并没有 SOP 的限制。
| 场景 | 描述 | 是否受限 |
| ------------------------------------------------------------ | -------------- | -------- |
| `fetch('https://api.foo.com')` 从 `https://www.bar.com` 发出 | 协议、域名不同 | **受限** |
| `http://example.com:3000` 调用 `http://example.com:4000` | 端口不同 | **受限** |
> ⚠️ **用 Nginx/OpenResty 并不会“自动”解决 CORS**。
>
> - 你可以把前端请求代理到后端 API,使浏览器认为请求仍在同一域名下,达到“变同源”的效果。
> - 或者直接在后端/代理层加 CORS 响应头,两种方式都可以。
懒猫微服的上使用的是 OpenResty,这是一个功能齐全的 Web 应用服务器,它集成了标准的 nginx core、大量第三方 nginx 模块以及它们的大部分外部依赖项。所以和 Nginx 的配置文件是通用的。
以我之前比赛做的项目为例,这个是 Nginx 作为网关,监听 80 端口,然后反向代理到 Next.js 和 Flask。
```yml
services:
nginx:
build:
context: .
dockerfile: Dockerfile
ports:
- "80:80"
depends_on:
- next-app
- backend
restart: unless-stopped
next-app:
image: smart-shopping-app
container_name: next-frontend
expose:
- "3000"
environment:
- NODE_ENV=production
- NEXT_TELEMETRY_DISABLED=1
restart: unless-stopped
backend:
image: shoppingassistant-backend
container_name: backend-app
expose:
- "5005"
restart: unless-stopped
```
而 Nginx 的配置文件如写,做七成的转发,把根路径转发到前端,/api 转发到后端。所以前端的 axios 请求等于访问的/api 这个端点,所以可以规避跨域的问题。
```conf
server {
listen 80;
server_name localhost;
location / {
proxy_pass http://next-app:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /api {
proxy_pass http://backend:5005;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
```
其实对于懒猫微服的 OpenResty 的也是一样的,好处是不用自己再找 base image 了,直接把配置文件写进去就能用了。
```yml
lzc-sdk-version: "0.1"
name: APP Proxy Test
package: cloud.lazycat.app.app-proxy-test
version: 0.0.1
application:
routes:
- /=http://app-proxy.cloud.lazycat.app.app-proxy-test.lzcapp:80
subdomain: app-proxy-test #
services:
app-proxy:
image: registry.lazycat.cloud/app-proxy:v0.1.0
setup_script: |
cat /etc/nginx/conf.d/default.conf
server {
listen 80;
server_name _;
# 静态页面
location / {
root /usr/local/openresty/nginx/html;
index index.html index.htm;
}
# API 反向代理,保留 /api 前缀
location /api/ {
proxy_pass http://flask:5000/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
EOF
flask:
image: registry.lazycat.cloud/u04123229/cloudsmithy/flask-demo:c14689303facd82c
```
flask 的 image 是我之前做的一个镜像仓库`docker run -p 5005:5000 cloudsmithy/flask-demo:latest`
然后通过`lzc-cli appstore copy-image cloudsmithy/flask-demo` 把镜像换成懒猫的镜像,`registry.lazycat.cloud/u04123229/cloudsmithy/flask-demo:c14689303facd82c`
通过`setup_script`传入和 Nginx 类似的配置文件,原理是替换 docker image 本身的 entrypoint/command 参数。
```bash
# 打包成 LPK
lzc-cli project build -o release.lpk
# 在线安装 LPK
lzc-cli app install release.lpk
```
我们可以看到这个是 OpenResty 的主页,然后访问`https://app-proxy-test.micro.heiyu.space/api/` 也能返回 Flask 容器“Hello from multi-arch Flask Docker in production mode!”。
如果你想把根路由直接代理到容器,也可以使用这个办法。这个一般是用来做反向代理来访问内网的服务,即使是 http 也没有关系。这个环境变量应该是懒猫魔改的快捷方式。不要和配置文件混用。
```yml
lzc-sdk-version: "0.1"
name: APP Proxy Test
package: cloud.lazycat.app.app-proxy-test
version: 0.0.1
application:
routes:
- /=http://app-proxy.cloud.lazycat.app.app-proxy-test.lzcapp:80
subdomain: app-proxy-test #
services:
app-proxy:
image: registry.lazycat.cloud/app-proxy:v0.1.0
environment:
- UPSTREAM="http://flask:5000"
flask:
image: registry.lazycat.cloud/u04123229/cloudsmithy/flask-demo:c14689303facd82c
```
有时候还会加上`BASIC_AUTH_HEADER`这个字段来让 nginx/Openresty 自动填写密码,除了你的容器以外,代理外边服务也行。
其实用`echo -n "user:password" | base64`,的数据来填充`BASIC_AUTH_HEADER`"Basic "
```yml
lzc-sdk-version: "0.1"
name: APP Proxy Test
package: cloud.lazycat.app.app-proxy-test
version: 0.0.1
application:
routes:
- /=http://app-proxy.cloud.lazycat.app.app-proxy-test.lzcapp:80
subdomain: app-proxy-test #
services:
app-proxy:
image: registry.lazycat.cloud/app-proxy:v0.1.0
environment:
- UPSTREAM="https://xxx:9200/"
- BASIC_AUTH_HEADER="Basic YWRt46YzssdsfFlOk="
flask:
image: registry.lazycat.cloud/u04123229/cloudsmithy/flask-demo:c14689303facd82c
```
另外也支持多域名解析,这个在传统的线下机房比较常见,而云上基本上还是 7 层基于路由转发,比如第一种,我也更加熟悉第一种。
这个其实就是加了一个 secondary_domains 的字段,然后把后端单独暴露出来了。这样就子域名就可以访问后端。
```yml
lzc-sdk-version: "0.1"
name: APP Proxy Test
package: cloud.lazycat.app.app-proxy-test
version: 0.0.1
application:
routes:
- /=http://app-proxy.cloud.lazycat.app.app-proxy-test.lzcapp:80
subdomain: app-proxy-test # 应用列表里默认打开的域名
secondary_domains:
- flask
services:
app-proxy:
image: registry.lazycat.cloud/app-proxy:v0.1.0
setup_script: |
cat /etc/nginx/conf.d/default.conf
server {
server_name app-proxy-test.*;
location / {
root /usr/local/openresty/nginx/html;
index index.html index.htm;
}
}
server {
server_name flask.*;
location / {
proxy_pass http://flask:5000;
}
}
EOF
flask:
image: registry.lazycat.cloud/u04123229/cloudsmithy/flask-demo:c14689303facd82c
```
评论
0暂无评论