Let's Encrypt and certbot: free self-issued certificates, deployed with docker compose

Generating the certificate

docker-compose run --rm certbot certonly --manual --preferred-challenges=dns --email service@qq.com --agree-tos --expand -d 'abc.com,*.abc.com' --server https://acme-v02.api.letsencrypt.org/directory

During issuance certbot asks you to create a DNS TXT record (at _acme-challenge.abc.com; certbot prints the exact name and value) to prove that you control the domain. Follow the prompt, and press Enter only after the record has propagated. Because the request covers both abc.com and *.abc.com, certbot asks for two TXT records at the same name: add the second one without deleting the first. There is also the webroot method, which proves ownership over HTTP instead of through DNS, but it cannot issue wildcard certificates, so it is not used here. One consequence of --manual: certbot renew cannot renew this certificate unattended unless you add --manual-auth-hook and --manual-cleanup-hook scripts that create and delete the TXT record through your DNS provider's API, or switch to one of the certbot DNS plugin images (certbot/dns-*).

Once issuance succeeds certbot prints a notice with the storage path. The live/ directory is named after the first domain given to -d, so inside the container the files are /etc/letsencrypt/live/abc.com/fullchain.pem, privkey.pem and chain.pem (symlinks into ../../archive/abc.com/, which is why the whole conf directory must be mounted, not just live/). With the volume mapping below that is ./certbot/conf/live/abc.com/ on the host, and the same mount gives nginx read access to the files.

Generating Diffie-Hellman parameters for Perfect Forward Secrecy (PFS)

PFS (perfect forward secrecy) means that every TLS session negotiates its own ephemeral key through a DHE or ECDHE key exchange. A session key therefore protects only the data of that one session, the values used to derive it are discarded afterwards and cannot produce any other key, and compromising the server's long-term private key later does not let an attacker decrypt traffic they recorded earlier. nginx needs a Diffie-Hellman parameter file (ssl_dhparam) for the DHE cipher suites; the ECDHE suites use named curves and do not depend on it. Generating a 2048-bit group takes a few minutes:

# create the directory
mkdir -p /etc/ssl/private/
# generate a 2048-bit DH group; openssl options go before the bit length
cd /etc/ssl/private/
openssl dhparam -out dhparam.pem 2048

Modifying the nginx configuration

The port-80 server block keeps /.well-known/acme-challenge/ served from certbot's webroot (so http-01 renewals can still reach it) and redirects everything else to HTTPS:

server {
    listen 80;
    listen [::]:80;

    server_name example.org www.example.org;
    server_tokens off;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://example.org$request_uri;
    }
}

Modifying the docker compose file

The nginx service's command reloads nginx every 24 hours so that renewed certificate files are picked up without a restart, and the commented-out certbot entrypoint is the matching renewal loop; both follow the boilerplate listed under Reference. The original file referenced a network app_net that it never defined (compose refuses to start a project with an undefined network), mounted the whole host /etc/ssl into the container, and pinned nginx 1.8.1, a 2016 release with no TLSv1.3 support. All three are corrected here, and nginx gets the certificate and challenge directories read-only, since it only reads them.

version: '3'
services:
  nginx:
    # nginx 1.8.1 (2016) is end-of-life and predates TLSv1.3; use a current release
    image: nginx:1.26
    container_name: compose-nginx
    ports:                                   # port mappings
      - "80:80"
      - "443:443"
    # reload nginx every 24h so a renewed certificate is picked up
    command: [ "/bin/sh", "-c", "while :; do sleep 24h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"" ]
    volumes:
      - ./nginx/nginx.conf:/etc/nginx/conf/nginx.conf:ro
      - ./nginx/conf.d:/etc/nginx/conf.d:ro           # nginx config from the host
      - ./dataweb/abc:/var/www/html/abc               # site document root
      - ./nginx/log:/var/log/nginx
      - ./certbot/conf:/etc/letsencrypt:ro            # nginx only reads the certificates
      - ./certbot/www:/var/www/certbot:ro
      # only the DH parameters, not the whole host /etc/ssl
      - /etc/ssl/private/dhparam.pem:/etc/ssl/private/dhparam.pem:ro
    networks:
      - app_net
  certbot:
    container_name: certbot
    image: certbot/certbot:latest
    # command: certonly --webroot --webroot-path=/var/www/certbot --agree-tos --email service@qq.com -d abc.com
    # Renewal loop. As written it only works for webroot certificates; the --manual DNS
    # certificate issued above additionally needs --manual-auth-hook/--manual-cleanup-hook
    # scripts or a certbot/dns-* plugin image.
    #entrypoint: ["/bin/sh", "-c", "trap exit TERM; while :; do certbot renew --webroot -w /var/www/certbot; sleep 24h & wait $${!}; done;"]
    volumes:
      - ./certbot/conf:/etc/letsencrypt
      - ./certbot/logs:/var/log/letsencrypt
      - ./certbot/www:/var/www/certbot
    networks:
      - app_net

networks:
  app_net:

nginx SSL configuration

First add a listener on port 443, then add a second server block to the conf file: everything that used to be in the port-80 server moves into it, and the port-80 server becomes a redirect from http to https while still serving the ACME challenge path (the DNS challenge above does not need it, but the webroot renewal loop in the compose file does).

server {
    listen       80;
    server_name  abc.com;

    # keep the ACME challenge path reachable over plain HTTP for webroot renewals
    location ^~ /.well-known/acme-challenge/ {
        allow all;
        root /var/www/certbot;
    }

    # a "return" at server level runs before any location is matched and would
    # redirect the challenge requests too, so the redirect lives in its own location
    location / {
        return 301 https://abc.com$request_uri;
    }
}

server {
    listen 443 ssl default_server;
    server_name abc.com;
    server_tokens off;

    access_log  /var/log/nginx/abc.com.access.log  main;
    index   index.php index.html index.htm;

    # certbot names the live/ directory after the first domain given to -d (abc.com)
    ssl_certificate     /etc/letsencrypt/live/abc.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/abc.com/privkey.pem;
    ssl_dhparam         /etc/ssl/private/dhparam.pem;   # DH group for the DHE suites

    # TLS 1.0/1.1 are deprecated and 3DES is weak (Sweet32), so only TLS 1.2/1.3 with
    # forward-secret AEAD suites are offered; session tickets are off so that a static
    # ticket key cannot undo the forward secrecy the DH parameters were generated for
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    ssl_session_tickets off;

    # OCSP stapling: nginx needs the issuer chain to verify the response and a
    # resolver to reach the responder (127.0.0.11 is Docker's embedded DNS)
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/abc.com/chain.pem;
    resolver 127.0.0.11 valid=300s;

    # HSTS: only add this once everything under abc.com really is served over HTTPS
    add_header Strict-Transport-Security "max-age=63072000" always;

    root   /var/www/html/abc;
    location / {
        try_files $uri $uri/ /index.php?q=$uri&$args;
        index  index.php index.html index.htm;
    }

    error_page  404              /404.html;
    location = /404.html {
        root   /usr/share/nginx/html;
    }
    # redirect server error pages to the static page /50x.html
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /var/www/html/abc;
    }

    # php7 is the PHP-FPM service on app_net (not shown in the compose file above)
    location ~ \.php$ {
        fastcgi_split_path_info  ^(.+\.php)(.*)$;
        fastcgi_pass   php7:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }

    # never serve dot-files (.git, .env, .htaccess, ...); this also covers /.ht*
    location ~ /\. {
        deny  all;
    }
}

Two caveats on this block. The ssl_ciphers string uses the OpenSSL keyword form; nginx fails to start if the compiled OpenSSL does not recognise a keyword, so check with nginx -t after editing. And Let's Encrypt has announced that it is retiring OCSP support in favour of CRLs, so for newer certificates the stapling directives simply have nothing to staple; they are harmless to leave in place.

Automatic renewal

Renewal can be scheduled from docker compose through the certbot service's entrypoint (commented out above): it runs certbot renew every 24 hours, certbot only re-issues when fewer than 30 days of the 90-day validity remain, and the nginx command loop reloads every 24 hours to pick up the new files. That works unattended for webroot certificates. The wildcard certificate issued above with --manual cannot be renewed this way, because certbot has no way to create the TXT record on its own: either pass --manual-auth-hook and --manual-cleanup-hook scripts that talk to the DNS provider's API (certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to them), use a certbot/dns-* plugin image, or re-run the certonly command by hand before the 30-day window closes and then reload nginx.
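The two checks a practitioner wants after the steps above, namely that what certbot wrote under live/abc.com/ is usable (key matches certificate, both abc.com and the wildcard are covered) and whether renewal is due, as an added example that is not part of the original post. It is a POSIX shell script that needs only the openssl CLI (1.1.1 or newer for -addext); the compose service names nginx and certbot in renew_if_needed are assumed from the compose file above, and the certificate it creates under $DEMO_DIR is a constructed self-signed stand-in for the Let's Encrypt one.

```shell
#!/bin/sh
# Added example (not from the original post): inspect a certbot live/<domain>/
# directory and decide whether renewal is due. Requires only the openssl CLI.
set -eu

# SANs of the leaf certificate, one per line. openssl x509 reads only the first
# PEM block of fullchain.pem, which is the leaf.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p'
}

# Does the private key belong to the certificate? Compare the public keys in
# SubjectPublicKeyInfo form, which works for RSA and ECDSA keys alike.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Is host name $2 covered by certificate $1? A wildcard SAN matches exactly one
# label: *.abc.com covers www.abc.com but neither abc.com nor a.b.abc.com.
cert_covers() {
    name="$2"
    cert_sans "$1" | while read -r san; do
        if [ "$san" = "$name" ]; then
            echo match
        elif [ "${san#\*.}" != "$san" ] && [ "${name#*.}" = "${san#\*.}" ]; then
            echo match
        fi
    done | grep -q match
}

# Exit status 0 when the certificate expires within $2 days. certbot's default
# renewal window is 30 days before expiry.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))"
}

# Post-issuance check: key matches cert, every expected host is covered, and
# how close to expiry the certificate is. Returns non-zero on any problem.
check_live_dir() {
    dir="$1"; shift
    cert_matches_key "$dir/fullchain.pem" "$dir/privkey.pem" \
        || { echo "privkey.pem does not match fullchain.pem"; return 1; }
    for host in "$@"; do
        cert_covers "$dir/fullchain.pem" "$host" \
            || { echo "certificate does not cover $host"; return 1; }
    done
    if cert_expires_within "$dir/fullchain.pem" 30; then
        echo "renewal due: $(openssl x509 -in "$dir/fullchain.pem" -noout -enddate)"
    else
        echo "certificate ok: $(openssl x509 -in "$dir/fullchain.pem" -noout -enddate)"
    fi
}

# Renewal driver for the compose project in this post (service names nginx and
# certbot assumed from the compose file). Not invoked by the demo below.
renew_if_needed() {
    if cert_expires_within "$1/fullchain.pem" 30; then
        docker compose run --rm certbot renew
        docker compose exec nginx nginx -s reload   # pick up the new files
    fi
}

# Constructed sample data: a self-signed certificate for abc.com and *.abc.com
# valid for 10 days, laid out like certbot's live/ directory, plus an unrelated
# key to show the mismatch check failing.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
mkdir -p "$DEMO_DIR/live/abc.com"
openssl req -x509 -newkey rsa:2048 -nodes -days 10 -subj "/CN=abc.com" \
    -addext "subjectAltName=DNS:abc.com,DNS:*.abc.com" \
    -keyout "$DEMO_DIR/live/abc.com/privkey.pem" \
    -out "$DEMO_DIR/live/abc.com/fullchain.pem" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$DEMO_DIR/other-key.pem" 2>/dev/null

# The 10-day sample is already inside the 30-day window, so this reports "renewal due".
check_live_dir "$DEMO_DIR/live/abc.com" abc.com www.abc.com
```

Point check_live_dir at ./certbot/conf/live/abc.com on the host (or run it inside the certbot container against /etc/letsencrypt/live/abc.com) right after certonly, and at the same directory from cron if you renew by hand; the one-label wildcard rule in cert_covers is the same one browsers apply, so a name it rejects will also fail in the browser.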

Reference

Boilerplate for nginx with Let’s Encrypt on docker-compose
HTTPS using Nginx and Let’s encrypt in Docker


About Blackford

It is the best of times, it is the worst of times; it is a spring of hope, it is a winter of despair; we have everything before us, we have nothing before us. Dreams make us walk away again and again, and turn back again and again; a dream about life is still running, with joy and with pain, but everything has only just begun, and even today it is far from over.
This entry was posted in 架构运维 (Architecture and Operations).
