为 docker 中的 nginx 配置 https

Docker 2019-02-09

就是一个提供免费 SSL/TLS 证书的网站,由于其证书期限只有三个月,所以需要我们用自动化的方式去更新证书。本文将介绍如何为通过 docker 运行的 nginx 中的站点添加 https 支持,并自动完成证书的更新。本文的演示环境为:运行在 Azure 上的 Ubuntu 16.04 主机(此图来自互联网):

$ docker pull ljfpower/--d --restart=always --expose=--network=webnet --name=/nodedemo

$ -p nginx/ -p logs/{nginx,letsencrypt}

error_log /var/log/nginx/<span style="color: #000000">error.log warn;
pid /var/run/<span style="color: #000000">nginx.pid;

events {
worker_connections <span style="color: #800080">2048<span style="color: #000000">;
}

http {
include /etc/nginx/<span style="color: #000000">mime.types;
default_type application/octet-<span style="color: #000000">stream;

sendfile        on;
keepalive_timeout    </span><span style="color: #800080"&gt;65</span><span style="color: #000000"&gt;;
client_max_body_size 10M;

include </span>/etc/nginx/conf.d<span style="color: #008000"&gt;/*</span><span style="color: #008000"&gt;.conf;

}

location </span>^~ /.well-known/acme-challenge/<span style="color: #000000"&gt; { default_type </span><span style="color: #800000"&gt;"</span><span style="color: #800000"&gt;text/plain</span><span style="color: #800000"&gt;"</span><span style="color: #000000"&gt;; root </span>/usr/share/nginx/<span style="color: #000000"&gt;html; } location </span>= /.well-known/acme-challenge/<span style="color: #000000"&gt; { return </span><span style="color: #800080"&gt;404</span><span style="color: #000000"&gt;; } location </span>/<span style="color: #000000"&gt; { proxy_pass http:</span><span style="color: #008000"&gt;//</span><span style="color: #008000"&gt;web;</span>

<span style="color: #000000"> }
}

Let's Encrypt First Time Cert Issue Site Hello HTTPS!

$ docker run --p :-v $()/nginx/conf.d:/etc/nginx/-v $()/nginx/nginx.conf:/etc/nginx/-v $()/logs/nginx:/var/log/-v $()/nginx/html:/usr/share/nginx/--restart=--name=--network=

是一个提供免费 SSL/TLS 证书的网站,它为用户提供了 certbot 工具用来生成 SSL/TLS 证书。方便起见,我们把 certbot 简单的封装到容器中。在用户的家目录下创建 certbot 目录,进入 certbot 目录并把下面的内容保存到 Dockerfile 文件中:

FROM alpine:--]

$ docker build -t certbot: .

#!/bin/==( ==/usr/share/nginx/ domain ${LIST[@]};---v ${WEBDIR}/nginx/conf.crt:/etc/-v ${WEBDIR}/logs/letsencrypt:/var/log/-v ${WEBDIR}/nginx/--verbose --noninteractive --quiet --agree---webroot ---email=-d =$? [ $CODE -ne ]; += output failed domains

<span style="color: #0000ff">if [ ${#FAILED_LIST[@]} -ne <span style="color: #800080">0 ];<span style="color: #0000ff">then
<span style="color: #0000ff">echo <span style="color: #800000">'<span style="color: #800000">failed domain:<span style="color: #800000">'
<span style="color: #0000ff">for (( i=<span style="color: #800080">0; i<${#FAILED_LIST[@]}; i++<span style="color: #000000"> ));
<span style="color: #0000ff">do
<span style="color: #0000ff">echo<span style="color: #000000"> ${FAILED_LIST[$i]}
<span style="color: #0000ff">done
<span style="color: #0000ff">fi

server {
listen <span style="color: #800080">80<span style="color: #000000">;
listen [::]:<span style="color: #800080">80<span style="color: #000000">;
server_name filterinto.com www.filterinto.com;

location </span>^~ /.well-known/acme-challenge/<span style="color: #000000"&gt; {
    default_type </span><span style="color: #800000"&gt;"</span><span style="color: #800000"&gt;text/plain</span><span style="color: #800000"&gt;"</span><span style="color: #000000"&gt;;
    root </span>/usr/share/nginx/<span style="color: #000000"&gt;html;
}
location </span>= /.well-known/acme-challenge/<span style="color: #000000"&gt; {
    return </span><span style="color: #800080"&gt;404</span><span style="color: #000000"&gt;;
}
return </span><span style="color: #800080"&gt;301</span> https:<span style="color: #008000"&gt;//</span><span style="color: #008000"&gt;$server_name$request_uri;</span>

<span style="color: #000000">}
server {
listen <span style="color: #800080">443<span style="color: #000000">;
listen [::]:<span style="color: #800080">443<span style="color: #000000">;
server_name filterinto.com;

# enable ssl
ssl                       on;
ssl_protocols TLSv1 TLSv1.</span><span style="color: #800080"&gt;1</span> TLSv1.<span style="color: #800080"&gt;2</span><span style="color: #000000"&gt;;
ssl_prefer_server_ciphers on;
ssl_ciphers               </span><span style="color: #800000"&gt;"</span><span style="color: #800000"&gt;EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4</span><span style="color: #800000"&gt;"</span><span style="color: #000000"&gt;;

# config ssl certificate

<span style="color: #ff0000"> ssl_certificate conf.crt<span style="color: #ff0000">/live/filterinto.com/fullchain.pem;
ssl_certificate_key conf.crt/live/filterinto.com/<span style="color: #000000"><span style="color: #ff0000">privkey.pem;

location </span>^~ /.well-known/acme-challenge/<span style="color: #000000"&gt; {
    default_type </span><span style="color: #800000"&gt;"</span><span style="color: #800000"&gt;text/plain</span><span style="color: #800000"&gt;"</span><span style="color: #000000"&gt;;
    root </span>/usr/share/nginx/<span style="color: #000000"&gt;html;
}
location </span>= /.well-known/acme-challenge/<span style="color: #000000"&gt; {
        return </span><span style="color: #800080"&gt;404</span><span style="color: #000000"&gt;;
}
location </span>/<span style="color: #000000"&gt; {
    proxy_pass http:</span><span style="color: #008000"&gt;//</span><span style="color: #008000"&gt;web;</span>

<span style="color: #000000"> }
}
server {
listen <span style="color: #800080">443<span style="color: #000000">;
listen [::]:<span style="color: #800080">443<span style="color: #000000">;
server_name www.filterinto.com;

# enable ssl
ssl                       on;
ssl_protocols TLSv1 TLSv1.</span><span style="color: #800080"&gt;1</span> TLSv1.<span style="color: #800080"&gt;2</span><span style="color: #000000"&gt;;
ssl_prefer_server_ciphers on;
ssl_ciphers               </span><span style="color: #800000"&gt;"</span><span style="color: #800000"&gt;EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4</span><span style="color: #800000"&gt;"</span><span style="color: #000000"&gt;;

# config ssl certificate

<span style="color: #ff0000"> ssl_certificate conf.crt<span style="color: #ff0000">/live/www.filterinto.com/fullchain.pem;
ssl_certificate_key conf.crt/live/www.filterinto.com/<span style="color: #000000"><span style="color: #ff0000">privkey.pem;

location </span>^~ /.well-known/acme-challenge/<span style="color: #000000"&gt; {
    default_type </span><span style="color: #800000"&gt;"</span><span style="color: #800000"&gt;text/plain</span><span style="color: #800000"&gt;"</span><span style="color: #000000"&gt;;
    root </span>/usr/share/nginx/<span style="color: #000000"&gt;html;
}
location </span>= /.well-known/acme-challenge/<span style="color: #000000"&gt; {
        return </span><span style="color: #800080"&gt;404</span><span style="color: #000000"&gt;;
}
location </span>/<span style="color: #000000"&gt; {
    proxy_pass http:</span><span style="color: #008000"&gt;//</span><span style="color: #008000"&gt;web;</span>

<span style="color: #000000"> }
}

$ docker run --p :-p :-v $()/nginx/conf.d:/etc/nginx/-v $()/nginx/nginx.conf:/etc/nginx/-v $()/logs/nginx:/var/log/-v $()/nginx/html:/usr/share/nginx/--restart=--name=--network=

* * /home/nick/certbot/renew_cert. /home/nick >> /home/nick/logs/cert.log >> /home/nick/logs/ * * docker exec gateway nginx -s reload

相关文章

Docker:Ubuntu下的安装
Docker是什么Docker是 Docker.Inc 公司开源的一个基于 LXC技...
Docker+nginx+tomcat7配置简单的负载均衡
本文为原创,原始地址为:http://www.cnblogs.com/fengzheng...
Docker:镜像操作和容器操作
镜像操作列出镜像:$ sudo docker imagesREPOSITORY TAG IMA...
如何用Dockerfile创建镜像
本文原创,原文地址为:http://www.cnblogs.com/fengzheng/p...
docker 修改容器内容后更新镜像的流程
在 Docker 中,如果你修改了一个容器的内容并希望将这些更改...
docker 参数'--privileged' 的作用
在Docker中,--privileged 参数给予容器内的进程几乎相同的权...