Scenario: I have a main website (Main Web) served by Nginx, and the following requirements need to be completed:
Add docker-compose.yml
version: "2"
services:
  nginx-proxy:
    restart: always
    image: nginx
    container_name: nginx-proxy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/docker_vol/nginx-proxy/etc-nginx/conf.d:/etc/nginx/conf.d"
      - "/docker_vol/cert-letsencrypt:/etc/letsencrypt"
      - "/docker_vol/data-letsencrypt:/data/letsencrypt"
Create the required directories
mkdir -p /docker_vol/nginx-proxy/etc-nginx/conf.d
mkdir -p /docker_vol/cert-letsencrypt
mkdir -p /docker_vol/data-letsencrypt
Add the Nginx configuration file
/docker_vol/nginx-proxy/etc-nginx/conf.d/proxy.conf
server {
    listen 80;
    server_name _;

    location / {
        proxy_pass http://your-main-web-ip;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
Replace http://your-main-web-ip with the IP address of the main website.
Start the nginx-proxy service (using docker-compose)
On the first start, docker-compose automatically creates and deploys the required containers.
#> docker-compose up -d
After deployment, check the service status
#> docker-compose ps
   Name              Command           State                    Ports
-------------------------------------------------------------------------------------
nginx-proxy   nginx -g daemon off;   Up      0.0.0.0:443->443/tcp, 0.0.0.0:80->80/tcp
TIPS:
If the service keeps failing to start, try removing proxy.conf and starting again; if it then starts normally, restore proxy.conf and restart the service.
Basic Reverse Proxy test
If the nginx-proxy service started normally, entering http://reverse-proxy-ip in a browser should display the main website's home page; that means the service is working.
On the same host as the reverse proxy, use Docker to integrate the Let's Encrypt certificate service with the reverse proxy.
Two steps are needed:
Edit /docker_vol/nginx-proxy/etc-nginx/conf.d/proxy.conf
Add the following lines
...
    # Statically serve all files in .well-known, which is the location where letsencrypt stores the proof file
    location /.well-known/ {
        alias /data/letsencrypt/.well-known/;
    }
Restart the nginx-proxy service
docker-compose stop
docker-compose start
Create the certificate online
docker run -it --rm \
  -v "/docker_vol/cert-letsencrypt:/etc/letsencrypt" \
  -v "/docker_vol/data-letsencrypt:/data/letsencrypt" \
  deliverous/certbot \
  certonly \
  --webroot --webroot-path=/data/letsencrypt \
  -d main-web-domain
TIPS:
Replace main-web-domain with the domain name of the main website, e.g. www.your.domain. To create certificates for several sites, change it to
-d first.my.web -d second.my.web -d third.my.web
After running the command, certbot asks for an email address; enter a valid one.
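Before running the certbot command above, it is worth confirming that the proxy really serves the challenge path; otherwise the HTTP-01 validation fails with little explanation. The script below is an added example (not from the original post): it checks proxy.conf for the /.well-known/ alias block and fetches a throwaway token through the proxy. It assumes the tutorial's paths; the file name preflight.sh, the environment variables, and the token naming are my own.

```shell
#!/bin/sh
# Pre-flight check for the certbot --webroot (HTTP-01) flow. Added example, not part
# of the original post. Paths are the tutorial's defaults; override via env vars.
WEBROOT_HOST="${WEBROOT_HOST:-/docker_vol/data-letsencrypt}"
PROXY_CONF="${PROXY_CONF:-/docker_vol/nginx-proxy/etc-nginx/conf.d/proxy.conf}"

# Succeeds when proxy.conf has the location block certbot relies on: requests to
# /.well-known/ must be served from the container-side mount, not proxied upstream.
conf_has_acme_location() {
  grep -q 'location /\.well-known/' "$1" &&
    grep -q 'alias /data/letsencrypt/\.well-known/' "$1"
}

# Drops a throwaway token where certbot would write its proof, fetches it through
# the proxy, and succeeds only if the same bytes come back. Always removes the token.
acme_path_reachable() {
  domain="$1"; webroot="$2"
  token="preflight-$(date +%s)-$$"            # constructed, hypothetical token name
  dir="$webroot/.well-known/acme-challenge"   # certbot's challenge directory
  mkdir -p "$dir" || return 1
  printf '%s' "$token" > "$dir/$token" || return 1
  if body=$(curl -fsS --max-time 10 "http://$domain/.well-known/acme-challenge/$token" 2>/dev/null); then
    ok=0
  else
    ok=1
  fi
  rm -f "$dir/$token"
  [ "$ok" -eq 0 ] && [ "$body" = "$token" ]
}

# Usage (on the docker host): sh preflight.sh www.your.domain
if [ -n "$1" ]; then
  conf_has_acme_location "$PROXY_CONF" || { echo "proxy.conf lacks the /.well-known/ alias block"; exit 1; }
  acme_path_reachable "$1" "$WEBROOT_HOST" || { echo "challenge path not reachable via http://$1"; exit 1; }
  echo "OK: challenge path is served through the proxy; safe to run certbot"
fi
```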
Certificate created successfully
On success, the output looks like this:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.your.domain/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.your.domain/privkey.pem
Your cert will expire on 2018-05-06. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Certificate file locations
Inside the container