生成证书
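# Issue one certificate covering the apex and the wildcard name. Wildcard
# names can only be validated with the DNS-01 challenge, so certbot prompts
# for a TXT record. Because this uses --manual, "certbot renew" cannot repeat
# the challenge unattended unless a --manual-auth-hook is supplied.
# The domain list is quoted so the shell never glob-expands the "*".
docker-compose run --rm certbot certonly \
  --manual --preferred-challenges=dns \
  --email service@qq.com --agree-tos --expand \
  -d 'abc.com,*.abc.com' \
  --server https://acme-v02.api.letsencrypt.org/directory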
在生成证书过程中,会提示你设置一个域名(TXT)解析,来验证域名所有权,根据提示操作即可。还有一种 webroot的方式,不需要通过域名解析来验证域名所有权,但是不支持泛域名解析,在此不采用。
生成 Perfect Forward Secrecy(PFS)所需的 DH 参数
PFS(perfect forward secrecy),中文可叫做完全前向保密。要求一个密钥只能访问由它所保护的数据;用来产生密钥的元素一次一换,不能再产生其他的密钥;一个密钥被破解,并不影响其他密钥的安全性。
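# Create the directory that nginx's ssl_dhparam directive points at.
mkdir -p /etc/ssl/private/
# Generate 2048-bit DH parameters straight into that directory (this takes a
# while). Options come before the positional bit count: that is the documented
# form, and some OpenSSL releases stop option parsing at the first positional
# argument, so "dhparam 2048 -out ..." may be rejected. Writing to an absolute
# path removes the dependency on a preceding "cd" having succeeded.
openssl dhparam -out /etc/ssl/private/dhparam.pem 2048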
nginx配置文件修改
server {
    # hide the nginx version in headers and error pages
    server_tokens off;

    listen 80;
    listen [::]:80;
    server_name example.org www.example.org;

    # everything except the ACME challenge path is sent to HTTPS on the apex name
    location / {
        return 301 https://example.org$request_uri;
    }

    # Let's Encrypt HTTP-01 validation files are served from the certbot webroot
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
}
docker compose文件修改
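version: '3'

services:
  nginx:
    # nginx:1.8.1 dates from 2016 and no longer receives security fixes; it
    # also predates TLSv1.3 and HTTP/2 support. Kept as on the page — consider
    # a currently maintained tag.
    image: nginx:1.8.1
    container_name: "compose-nginx"
    # host:container port mappings, quoted so "80:80" is never read as a number
    ports:
      - "80:80"
      - "443:443"
    # Reload nginx every 24h so a renewed certificate is picked up. "$${!}" is
    # compose escaping for the shell's "${!}" (PID of the last background job).
    command: [ "/bin/sh", "-c", "while :;do sleep 24h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"" ]
    volumes:
      # nginx only reads its configuration, so mount it read-only
      - "./nginx/nginx.conf:/etc/nginx/nginx.conf:ro"
      - "./nginx/conf.d:/etc/nginx/conf.d:ro"   # host nginx config files mapped into the container
      - "./dataweb/abc:/var/www/html/abc"        # web root
      - "./nginx/log:/var/log/nginx"
      # certificates are written by the certbot service; nginx only reads them
      - "./certbot/conf:/etc/letsencrypt:ro"
      - "./certbot/www:/var/www/certbot"
      # only the DH parameters are needed — not the host's whole /etc/ssl,
      # which also contains /etc/ssl/private key material
      - "/etc/ssl/private/dhparam.pem:/etc/ssl/private/dhparam.pem:ro"
    networks:
      - app_net

  certbot:
    container_name: certbot
    image: certbot/certbot:latest
    # Renewal loop, left disabled: the certificate on this page is issued with
    # --manual DNS challenges, which "certbot renew" cannot repeat on its own
    # (it would need a --manual-auth-hook). Enable it for webroot certificates.
    # command: certonly --webroot --webroot-path=/var/www/certbot --agree-tos --email service@qq.com -d abc.com
    # entrypoint: ["/bin/sh", "-c", "trap exit TERM;while :; do certbot renew --webroot -w /var/www/certbot; sleep 24h & wait $${!}; done;"]
    volumes:
      - ./certbot/conf:/etc/letsencrypt
      - ./certbot/logs:/var/log/letsencrypt
      - ./certbot/www:/var/www/certbot

# app_net is referenced by the nginx service but was never declared; compose
# rejects a service that refers to an undefined network.
networks:
  app_net: {}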
nginx的ssl配置
首先增加443端口的监听,然后在conf文件中增加一个server指令,以前写在80的server中的设置都写在这个server中,并且在80端口的server中设置跳转,将http请求跳转到https
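server {
    listen 80;
    server_name abc.com;

    # ACME HTTP-01 challenge files must stay reachable over plain HTTP; a
    # prefix location is enough and avoids the unescaped "." of the old regex.
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    # A "return" at server level runs before any location is selected, which
    # made the challenge location unreachable; redirect only inside "/".
    location / {
        return 301 https://abc.com$request_uri;
    }
}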
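server {
    listen 443 ssl default_server;
    server_name abc.com;
    server_tokens off;

    access_log /var/log/nginx/abc.com.access.log main;

    # document root and index files; "index" is inherited by every location,
    # so it is declared once here instead of again in "location /"
    root /var/www/html/abc;
    index index.php index.html index.htm;

    # TLSv1.0/1.1 are deprecated, so only TLSv1.2 is offered. Add TLSv1.3 once
    # the nginx image is >= 1.13 built against OpenSSL 1.1.1; nginx:1.8.1
    # rejects that token.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    # (EC)DHE suites only, AES-GCM first; 3DES (SWEET32) and anonymous
    # suites removed. The DH suites are what ssl_dhparam is for.
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES128:!aNULL:!MD5:!3DES;
    ssl_dhparam /etc/ssl/private/dhparam.pem;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:10m;

    # The certificate issued by the certbot command for abc.com; certbot keeps
    # the current files under /etc/letsencrypt/live/<domain>/.
    ssl_certificate /etc/letsencrypt/live/abc.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/abc.com/privkey.pem;

    # OCSP stapling needs a resolver to reach the OCSP responder and the issuer
    # chain to verify the response; without them nginx only logs a warning and
    # serves no staple. 127.0.0.11 is Docker's embedded DNS on user-defined
    # networks such as app_net.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/abc.com/chain.pem;
    resolver 127.0.0.11 valid=300s;

    # Tell browsers to use HTTPS only for a year. Enable once the HTTPS site is
    # known to work, because browsers cache this policy.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }

    error_page 404 /404.html;
    location = /404.html {
        root /usr/share/nginx/html;
    }

    # redirect server error pages to the static page /50x.html
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /var/www/html/abc;
    }

    location ~ \.php$ {
        # Refuse requests whose script does not exist on disk, so a request
        # like /upload.jpg/x.php is never handed to PHP as a script.
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(.*)$;
        fastcgi_pass php7:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # Dot-files (.ht*, .git, .env, ...) are never served. This also covered the
    # former separate "/\.ht" location, which could never be reached.
    location ~ /\. {
        deny all;
    }
}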
自动更新
可以在 docker compose 中设置 command 来自动定时更新。
Reference
Boilerplate for nginx with Let’s Encrypt on docker-compose
HTTPS using Nginx and Let's encrypt in Docker