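version: '3'
services:
  app:
    # TODO: pin to a specific release tag or an @sha256 digest instead of :latest
    # so a redeploy never silently pulls a different image than was reviewed.
    image: 'jc21/nginx-proxy-manager:latest'
    container_name: nginx-proxy-manager
    restart: unless-stopped
    ports:
      - '80:80'
      # 81 is the NPM admin UI. Written this way it listens on every host
      # interface; if it only needs to be reached locally or from a management
      # network, bind it explicitly (e.g. '127.0.0.1:81:81') or front it with
      # the proxy itself behind authentication.
      - '81:81'
      - '443:443'
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
    environment:
      DB_SQLITE_FILE: "/data/database.sqlite"
      DISABLE_IPV6: "true"  # disable IPv6 to reduce complexity
    networks:
      - proxy-network
    deploy:
      resources:
        limits:
          cpus: '2'
          memory: 512M
        reservations:
          cpus: '0.5'
          memory: 256M
networks:
  proxy-network:
    driver: bridge
    ipam:
      config:
        - subnet: 172.20.0.0/24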
# Main-context tuning. worker_processes / worker_rlimit_nofile and the events
# block are only valid at the top level of nginx.conf, not inside an http-level
# include.
worker_processes auto;
worker_rlimit_nofile 65535;

events {
    worker_connections 4096;
    multi_accept on;
    use epoll;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # Do not advertise the nginx version in the Server header or error pages.
    server_tokens off;

    # Buffer sizing
    client_body_buffer_size 10K;
    client_header_buffer_size 1k;
    # Request bodies above 20m are rejected with 413.
    client_max_body_size 20m;
    # NOTE(review): 2 x 1k is far below nginx's default of 4 x 8k. Requests
    # carrying large cookies or authorization headers will fail with 400
    # "Request Header Or Cookie Too Large" — confirm this limit is intended.
    large_client_header_buffers 2 1k;
}
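networks:
  frontend-network:
    driver: bridge
    # Lets standalone containers (not only services) join this network.
    attachable: true
  backend-network:
    driver: bridge
    internal: true  # internal network, not exposed to the host
  database-network:
    driver: bridge
    internal: true  # no external connectivity; only attached containers can reach it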
# macvlan: each container gets its own MAC/IP directly on the physical LAN
# behind eth0. Traffic bypasses the docker bridge path, so host-level firewall
# rules generally do not apply to these containers — filter at the network
# edge or inside the container instead.
docker network create -d macvlan \
  --subnet=192.168.1.0/24 \
  --gateway=192.168.1.1 \
  -o parent=eth0 \
  macvlan-net

# overlay: multi-host swarm network; --attachable lets standalone containers
# join. Overlay data-plane traffic is unencrypted unless the network is created
# with `--opt encrypted`.
docker network create -d overlay \
  --subnet=10.10.0.0/16 \
  --attachable \
  proxy-overlay
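services:
  npm1:
    # TODO: pin to a release tag or digest; :latest turns every redeploy into
    # an unreviewed upgrade.
    image: jc21/nginx-proxy-manager:latest
    networks:
      - proxy-network  # assumed to be declared elsewhere in this file
    deploy:
      # NOTE(review): two replicas of NPM only behave as one proxy if they share
      # configuration state (NPM defaults to a per-instance SQLite file) — confirm
      # how /data is shared between replicas.
      replicas: 2
      # Roll out one replica at a time with a 10s pause between them.
      update_config:
        parallelism: 1
        delay: 10s
      restart_policy:
        condition: on-failure
  haproxy:
    image: haproxy:latest
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Read-only mount: the container cannot modify its own load-balancer config.
      - ./haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
    # depends_on is ignored by `docker stack deploy` in swarm mode; haproxy must
    # tolerate npm1 being unavailable when it starts.
    depends_on:
      - npm1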
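# Dynamic upstream selection: the request's Host header is used as a Redis key
# and the stored value becomes the proxy target. $upstream must be declared
# before access_by_lua_block can assign it, and proxy_pass with a variable
# needs a `resolver` directive if the stored value is a hostname rather than
# an IP (inside Docker that is typically the embedded DNS — confirm).
location / {
    set $upstream "";

    access_by_lua_block {
        local redis = require "resty.redis"
        local red = redis:new()
        -- Bound connect/send/read so a stalled Redis cannot hang every request.
        red:set_timeout(1000)

        local ok, err = red:connect("redis-service", 6379)
        if not ok then
            ngx.log(ngx.ERR, "redis connect failed: ", err)
            return ngx.exit(ngx.HTTP_SERVICE_UNAVAILABLE)
        end
        -- NOTE(review): no AUTH is sent. If redis-service requires a password,
        -- call red:auth(...) here — confirm against the Redis deployment.

        -- Host is client-controlled; it is only used as a lookup key and is
        -- never interpolated into a command string.
        local backend, gerr = red:get(ngx.var.host)
        if backend == nil then
            ngx.log(ngx.ERR, "redis get failed: ", gerr)
            return ngx.exit(ngx.HTTP_SERVICE_UNAVAILABLE)
        end
        -- Hand the connection back to the cosocket pool instead of dropping it.
        red:set_keepalive(10000, 100)

        if backend == ngx.null then
            return ngx.exit(ngx.HTTP_NOT_FOUND)
        end
        -- Accept only a plain host[:port] so an unexpected Redis value cannot
        -- steer proxy_pass somewhere surprising (schemes, paths, whitespace).
        -- Bracketed IPv6 literals are rejected by this pattern; extend if needed.
        if not string.match(backend, "^[%w%.%-]+:?%d*$") then
            ngx.log(ngx.ERR, "rejecting malformed backend for ", ngx.var.host, ": ", backend)
            return ngx.exit(ngx.HTTP_BAD_GATEWAY)
        end
        ngx.var.upstream = backend
    }

    proxy_pass http://$upstream;
}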
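services:
  npm:
    networks:
      frontend-network:
        aliases:
          - proxy
      backend-network:
        aliases:
          - proxy-admin
networks:
  frontend-network:
    driver: bridge
    enable_ipv6: false
    internal: false  # externally reachable: this is the public-facing side
  backend-network:
    driver: bridge
    internal: true  # no external connectivity; 'proxy-admin' resolves only for containers on it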
在NPM的Advanced配置中添加:
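# `always` sends these headers on 4xx/5xx responses too; without it nginx adds
# them only to 2xx/3xx. add_header is not inherited cumulatively: a location
# block that declares its own add_header drops every header defined here.
add_header X-Frame-Options "SAMEORIGIN" always;
# Legacy header: current browsers ignore it and the filter it enabled was
# removed; OWASP now recommends "0" (or omitting it). CSP is the real control.
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# NOTE(review): 'unsafe-inline', 'unsafe-eval' and a bare https: source allow
# inline scripts and any HTTPS origin, so this policy blocks very little.
# Tighten per site (nonces/hashes, explicit origins) once the app's needs are known.
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
# `preload` commits the domain and every subdomain to HTTPS in browser preload
# lists and is very hard to reverse; leave it out until all subdomains are
# confirmed HTTPS-only.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;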
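services:
  nginx-exporter:
    # No tag means :latest — pin a version for reproducible scrapes.
    image: nginx/nginx-prometheus-exporter
    ports:
      # Publishes the metrics endpoint on every host interface without auth.
      # If Prometheus scrapes over a shared Docker network, do not publish it;
      # otherwise bind to a management address (e.g. "127.0.0.1:9113:9113").
      - "9113:9113"
    command:
      # NOTE(review): the exporter expects an nginx stub_status page at this
      # URI. Confirm NPM's admin listener on :81 really serves one at /metrics;
      # if not, expose stub_status from a custom NPM location instead.
      - '-nginx.scrape-uri=http://nginx-proxy-manager:81/metrics'
    depends_on:
      - nginx-proxy-manager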
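services:
  npm:
    logging:
      driver: "syslog"
      options:
        # The logging driver runs inside the Docker daemon, not the container,
        # so the collector is addressed by a host-reachable IP, not a service
        # name. Plain TCP syslog: access-log lines (client IPs, request paths)
        # cross the network unencrypted; prefer tcp+tls:// if the collector
        # supports it.
        syslog-address: "tcp://192.168.1.100:514"
        tag: "nginx-proxy-manager"
  fluentd:
    # No tag means :latest — pin a version.
    image: fluent/fluentd
    volumes:
      - ./fluentd.conf:/fluentd/etc/fluent.conf
    ports:
      # 514 is published on all host interfaces with no authentication, so any
      # peer that can reach the host can inject or flood log entries. Bind it
      # to the address the daemon actually uses, e.g. "192.168.1.100:514:514".
      - "514:514"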
# Container-to-container connectivity, tested from inside the proxy container.
docker exec -it nginx-proxy-manager curl -v http://target-service

# DNS resolution of a service name through Docker's embedded resolver.
docker exec -it nginx-proxy-manager nslookup target-service

# Routing table as seen by the container.
docker exec -it nginx-proxy-manager ip route

# Listening sockets (netstat may be missing in slim images; `ss -tulnp` is the usual fallback).
docker exec -it nginx-proxy-manager netstat -tulnp

# Dump and validate the full effective nginx configuration.
docker exec nginx-proxy-manager nginx -T

# Rough live count of connections touching :80/:443, refreshed every second.
# The pattern also matches ports such as :8080 or :4430; tighten it if that matters.
watch -n 1 "docker exec nginx-proxy-manager \
netstat -an | grep -E ':80|:443' | wc -l"

# Load test with ApacheBench; --network host lets ab reach the proxy directly.
docker run --rm --network host jordi/ab \
  -n 10000 -c 100 https://yourdomain.com
通过以上优化和扩展方案,可以显著提升Nginx Proxy Manager在容器环境中的性能、可靠性和安全性,同时为未来的扩展需求做好准备。