前言

服务器内网下有nacos cluster（3个节点），开放到公网并指定公司网络访问需要配置三次IP白名单，因此需要简化流程，通过nginx反向代理只配置1次IP白名单。
现在通过docker容器模拟环境，准备1台云服务器。
nacos cluster docker-compose.yaml端口配置如下：

version: "3.0"
# nginx使用到IP和端口，因此部分配置不在此赘述，nacos具体配置参考博主nacos章节
# image：nacos/nacos-server:v2.5.0
# volumes、restart、healthcheck ： 略
# environment配置集群模式，采用mysql持久化，mysql配置、java_opts配置 ： 略
services:nacos1:hostname: nacos1container_name: nacos1environment:- NACOS_SERVERS=172.20.0.2:8848 172.20.0.3:8848 172.20.0.4:8848- NACOS_SERVER_IP=172.20.0.2ports:- "8248:8848" # http- "9248:9848" # grpc- "7248:7848"- "9249:9849"networks:nacos_cluster_network:ipv4_address: 172.20.0.2nacos2:hostname: nacos2container_name: nacos2environment:- NACOS_SERVERS=172.20.0.2:8848 172.20.0.3:8848 172.20.0.4:8848- NACOS_SERVER_IP=172.20.0.3ports:- "8348:8848"- "9348:9848"- "7348:7848"- "9349:9849"networks:nacos_cluster_network:ipv4_address: 172.20.0.3nacos3:hostname: nacos3container_name: nacos3environment:- NACOS_SERVERS=172.20.0.2:8848 172.20.0.3:8848 172.20.0.4:8848- NACOS_SERVER_IP=172.20.0.4ports:- "8448:8848"- "9448:9848"- "7448:7848"- "9449:9849"networks:nacos_cluster_network:ipv4_address: 172.20.0.4networks:nacos_cluster_network:ipam:config:- subnet: 172.20.0.0/16

Nginx配置

docker-compose.yaml配置

services:nginx:image: nginx:latestcontainer_name: nginxrestart: alwaysports:- "8848:80" # 宿主机的8848端口，容器80端口volumes:- ./conf/nginx.conf:/etc/nginx/nginx.conf:ro- ./conf.d:/etc/nginx/conf.d:ro- ./html:/usr/share/nginx/html:ro- ./logs:/var/log/nginxnetworks:nginx_docker_network:ipv4_address: 172.16.0.30 networks:nginx_docker_network:external: truename: docker_network

nginx的./conf/nginx.conf配置，nginx的conf配置文件，除了{、}，其他需以;结尾，注释为 #，本文只配置公网+内网信息，其他负载均衡、缓存、限流、黑/白名单、静态资源服务、动静分离、防盗链、跨域、高可用参考博主Nginx系列文章。

user  nginx;
worker_processes  1;error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;events {worker_connections 1024;
}http {include       /etc/nginx/mime.types;  # 引入配置文件default_type  application/octet-stream;log_format  main  '$remote_addr - $remote_user [$time_local] "$request" ''$status $body_bytes_sent "$http_referer" ''"$http_user_agent" "$http_x_forwarded_for"'; # 设置日志格式，main为格式名称，后面一串为具体access_log  /var/log/nginx/access.log  main; # 日志目录，引用上面设置的格式mainsendfile        on;keepalive_timeout  65;client_max_body_size 500m;include /etc/nginx/conf.d/*.conf; # 引入代理文件，需放在html 范围内
}

设置nacos反向代理配置，./conf.d/nacos_cluster.conf

upstream nacos_http {server 172.20.0.2:8848;server 172.20.0.3:8848; server 172.20.0.4:8848;
}  upstream nacos_grpc {server 172.20.0.2:9848 max_fails=3 fail_timeout=30s;server 172.20.0.3:9848 max_fails=3 fail_timeout=30s;server 172.20.0.4:9848 max_fails=3 fail_timeout=30s;
}server {listen 80; # 记得是容器的80端口，非宿主机的8848端口server_name 117.77.200.222;  # 公网IP或者域名，该服务器已经做过IP白名单，访问无效location /nacos/ {proxy_pass  http://nacos_http/nacos/;proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;# Nacos需要的特殊配置proxy_set_header X-Forwarded-Proto $scheme;# 以下是为Nacos Web控制台和API添加的配置proxy_connect_timeout 30s;proxy_read_timeout 120s;proxy_send_timeout 120s;# 解决WebSocket问题（如果使用2.x版本）proxy_http_version 1.1;proxy_set_header Upgrade $http_upgrade;proxy_set_header Connection "upgrade";}# gRPC服务代理location / {grpc_pass grpc://nacos_grpc;# gRPC相关配置grpc_connect_timeout 30s;grpc_read_timeout 120s;grpc_send_timeout 120s;# 必要的头信息proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;}# 健康检查端点location /nacos/actuator/health {proxy_pass http://nacos_http/nacos/actuator/health;access_log off;}
}

验收

聪明的你也许看出来了：为啥访问的是8848端口，而不是80端口。访问流程分解

浏览器请求 http://117.77.200.222:8848/nacos/ (公网)↓
宿主机防火墙放行8848端口↓
Docker 将宿主机8848端口映射到Nginx容器的80端口↓
Nginx 监听容器内的80端口，收到请求↓
Nginx 根据配置将请求代理到 nacos_http (172.20.0.[2-4]:8848)↓
返回响应数据

参考资料

1. 3分钟配置好nacos集群（docker compose）
2. Nginx代理转发Nacos集群：基于Nacos2.0.3版本
3. 使用nginx代理请求到内网

如遇问题，请留言博主