San artaigil seo, tha mi airson dòigh a cho-roinn riut airson teisteanas SSL a chruthachadh airson an tagradh lìn agad a tha a’ ruith air Docker, oir ... Cha do lorg mi a leithid de fhuasgladh anns a’ phàirt Ruiseanach den eadar-lìn.
Barrachd mion-fhiosrachaidh fon ghearradh.
Bha docker v.17.05 againn, docker-compose v.1.21, Ubuntu Server 18 agus peant de Let'sEncrypt fìor-ghlan. Chan e gu bheil feum air cinneasachadh a chuir air Docker. Ach aon uair ‘s gun tòisich thu a’ togail Docker, bidh e duilich stad.
Mar sin, an toiseach, bheir mi seachad na roghainnean àbhaisteach - a bh’ againn aig an ìre dev, i.e. às aonais port 443 agus SSL san fharsaingeachd:
docker-compose.yml
version: '2'
services:
php:
build: ./php-fpm
volumes:
- ./StomUp:/var/www/StomUp
- ./php-fpm/php.ini:/usr/local/etc/php/php.ini
depends_on:
- mysql
container_name: "StomPHP"
web:
image: nginx:latest
ports:
- "80:80"
- "443:443"
volumes:
- ./StomUp:/var/www/StomUp
- ./nginx/main.conf:/etc/nginx/conf.d/default.conf
depends_on:
- php
mysql:
image: mysql:5.7
command: mysqld --sql_mode=""
environment:
MYSQL_ROOT_PASSWORD: xxx
ports:
- "3333:3306"
nginx/prìomh.conf
server {
listen 80;
server_name *.stomup.ru stomup.ru;
root /var/www/StomUp/public;
client_max_body_size 5M;
location / {
# try to serve file directly, fallback to index.php
try_files $uri /index.php$is_args$args;
}
location ~ ^/index.php(/|$) {
#fastcgi_pass unix:/var/run/php7.2-fpm.sock;
fastcgi_pass php:9000;
fastcgi_split_path_info ^(.+.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
fastcgi_param DOCUMENT_ROOT $realpath_root;
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
internal;
}
location ~ .php$ {
return 404;
}
error_log /var/log/nginx/project_error.log;
access_log /var/log/nginx/project_access.log;
}
An ath rud, feumaidh sinn SSL a chuir an gnìomh. Gus a bhith onarach, chuir mi seachad timcheall air 2 uair a’ sgrùdadh an raon com. Tha na roghainnean uile a tha air an tabhann an sin inntinneach. Ach aig an ìre làithreach den phròiseact, dh'fheumadh sinne (an gnìomhachas) sgrìobadh gu luath agus gu earbsach SSL Leigamaid a-steach к nginx container agus gun dad a bharrachd.
An toiseach, chuir sinn a-steach e air an fhrithealaiche certbot
sudo apt-get install certbot
An uairsin, chruthaich sinn teisteanasan cairt-fiadhaich airson an àrainn againn
sudo certbot certonly -d stomup.ru -d *.stomup.ru --manual --preferred-challenges dns
às deidh a chuir gu bàs, bheir certbot dhuinn clàran 2 TXT a dh’ fheumar a shònrachadh anns na roghainnean DNS.
_acme-challenge.stomup.ru TXT {тотКлючКоторыйВамВыдалCertBot}
Agus brùth a-steach.
Às deidh seo, nì certbot sgrùdadh airson làthaireachd nan clàran sin ann an DNS agus cruthaichidh iad teisteanasan dhut.
ma tha thu air teisteanas a chuir ris ach certbot cha do lorg mi e - feuch ris an àithne ath-thòiseachadh às deidh 5-10 mionaidean.
Uill, seo sinn na sealbhadairean pròiseil air teisteanas Let'sEncrypt airson 90 latha, ach a-nis feumaidh sinn a luchdachadh suas gu Docker.
Gus seo a dhèanamh, anns an dòigh as dorra, ann an docker-compose.yml, ann an roinn nginx, bidh sinn a’ ceangal nan seòlaidhean.
Eisimpleir docker-compose.yml le SSL
version: '2'
services:
php:
build: ./php-fpm
volumes:
- ./StomUp:/var/www/StomUp
- /etc/letsencrypt/live/stomup.ru/:/etc/letsencrypt/live/stomup.ru/
- ./php-fpm/php.ini:/usr/local/etc/php/php.ini
depends_on:
- mysql
container_name: "StomPHP"
web:
image: nginx:latest
ports:
- "80:80"
- "443:443"
volumes:
- ./StomUp:/var/www/StomUp
- /etc/letsencrypt/:/etc/letsencrypt/
- ./nginx/main.conf:/etc/nginx/conf.d/default.conf
depends_on:
- php
mysql:
image: mysql:5.7
command: mysqld --sql_mode=""
environment:
MYSQL_ROOT_PASSWORD: xxx
ports:
- "3333:3306"
Ceangailte? Sgoinneil - leanamaid oirnn:
A-nis feumaidh sinn an config atharrachadh nginx a bhith ag obair leis 443 port agus SSL san fharsaingeachd:
Eisimpleir main.conf config le SSL
#
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name *.stomup.ru stomup.ru;
set $base /var/www/StomUp;
root $base/public;
# SSL
ssl_certificate /etc/letsencrypt/live/stomup.ru/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/stomup.ru/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/stomup.ru/chain.pem;
client_max_body_size 5M;
location / {
# try to serve file directly, fallback to index.php
try_files $uri /index.php$is_args$args;
}
location ~ ^/index.php(/|$) {
#fastcgi_pass unix:/var/run/php7.2-fpm.sock;
fastcgi_pass php:9000;
fastcgi_split_path_info ^(.+.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
fastcgi_param DOCUMENT_ROOT $realpath_root;
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
internal;
}
location ~ .php$ {
return 404;
}
error_log /var/log/nginx/project_error.log;
access_log /var/log/nginx/project_access.log;
}
# HTTP redirect
server {
listen 80;
listen [::]:80;
server_name *.stomup.ru stomup.ru;
location / {
return 301 https://stomup.ru$request_uri;
}
}
Gu fìrinneach, às deidh na gluasadan sin, thèid sinn chun eòlaire le Docker-compose, sgrìobh docker-compose suas -d. Agus bidh sinn a’ sgrùdadh gnìomhachd SSL. Bu chòir a h-uile càil a thoirt dheth.
Is e am prìomh rud gun a bhith a’ dìochuimhneachadh gu bheil an teisteanas Let'sEnctypt air a thoirt a-mach airson 90 latha agus feumaidh tu ùrachadh tron àithne sudo certbot renew
, agus an uairsin ath-thòisich am pròiseact leis an àithne docker-compose restart
Is e roghainn eile an t-sreath seo a chur ri crontab.
Nam bheachd-sa, is e seo an dòigh as fhasa air SSL a cheangal ri Docker Web-app.
PS Thoir an aire nach eil a h-uile sgriobt a tha air a thaisbeanadh san teacsa deireannach, tha am pròiseact a-nis aig ìre domhainn Dev, agus mar sin bu mhath leam iarraidh ort gun a bhith a’ càineadh nan configs - bidh iad air an atharrachadh iomadh uair.
Source: www.habr.com