A cikin wannan labarin, ina so in raba tare da ku hanyar ƙirƙirar takardar shaidar SSL don aikace-aikacen gidan yanar gizon ku da ke gudana akan Docker, saboda... Ban sami irin wannan mafita ba a cikin harshen Rashanci na Intanet.
Ƙarin cikakkun bayanai a ƙarƙashin yanke.
Muna da docker v.17.05, docker-compose v.1.21, Ubuntu Server 18 da pint na tsarki Let'sEncrypt. Ba lallai ba ne don tura samarwa akan Docker. Amma da zarar ka fara gina Docker, zai zama da wuya a tsaya.
Don haka, don farawa, zan ba da daidaitattun saitunan - waɗanda muke da su a matakin dev, i.e. ba tare da tashar jiragen ruwa 443 da SSL gabaɗaya ba:
docker-compose.yml
version: '2'
services:
php:
build: ./php-fpm
volumes:
- ./StomUp:/var/www/StomUp
- ./php-fpm/php.ini:/usr/local/etc/php/php.ini
depends_on:
- mysql
container_name: "StomPHP"
web:
image: nginx:latest
ports:
- "80:80"
- "443:443"
volumes:
- ./StomUp:/var/www/StomUp
- ./nginx/main.conf:/etc/nginx/conf.d/default.conf
depends_on:
- php
mysql:
image: mysql:5.7
command: mysqld --sql_mode=""
environment:
MYSQL_ROOT_PASSWORD: xxx
ports:
- "3333:3306"
nginx/main.conf
server {
listen 80;
server_name *.stomup.ru stomup.ru;
root /var/www/StomUp/public;
client_max_body_size 5M;
location / {
# try to serve file directly, fallback to index.php
try_files $uri /index.php$is_args$args;
}
location ~ ^/index.php(/|$) {
#fastcgi_pass unix:/var/run/php7.2-fpm.sock;
fastcgi_pass php:9000;
fastcgi_split_path_info ^(.+.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
fastcgi_param DOCUMENT_ROOT $realpath_root;
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
internal;
}
location ~ .php$ {
return 404;
}
error_log /var/log/nginx/project_error.log;
access_log /var/log/nginx/project_access.log;
}
Na gaba, muna buƙatar aiwatar da SSL a zahiri. A gaskiya, na shafe kusan awa 2 ina nazarin com zone. Duk zaɓuɓɓukan da aka bayar a can suna da ban sha'awa. Amma a matakin yanzu na aikin, mu (kasuwancin) muna buƙatar yin sauri da dogaro da sauri SSL Bari mu Enctypt к nginx ganga kuma ba komai.
Da farko, mun shigar da shi a kan uwar garke certbot
sudo apt-get install certbot
Bayan haka, mun ƙirƙiri takaddun shaida na yanki don yankinmu
sudo certbot certonly -d stomup.ru -d *.stomup.ru --manual --preferred-challenges dns
bayan aiwatarwa, certbot zai samar mana da bayanan TXT guda 2 waɗanda ke buƙatar ƙayyade a cikin saitunan DNS.
_acme-challenge.stomup.ru TXT {тотКлючКоторыйВамВыдалCertBot}
Kuma danna shigar.
Bayan wannan, certbot zai bincika kasancewar waɗannan bayanan a cikin DNS kuma ya ƙirƙiri takaddun shaida a gare ku.
idan kun kara da satifiket amma certbot bai same shi ba - gwada sake kunna umarnin bayan mintuna 5-10.
Da kyau, a nan mu ne masu girman kai na takardar shaidar Let'sEncrypt na kwanaki 90, amma yanzu muna buƙatar loda shi zuwa Docker.
Don yin wannan, a cikin mafi ƙarancin hanya, a cikin docker-compose.yml, a cikin sashin nginx, muna haɗa kundayen adireshi.
Misali docker-compose.yml tare da SSL
version: '2'
services:
php:
build: ./php-fpm
volumes:
- ./StomUp:/var/www/StomUp
- /etc/letsencrypt/live/stomup.ru/:/etc/letsencrypt/live/stomup.ru/
- ./php-fpm/php.ini:/usr/local/etc/php/php.ini
depends_on:
- mysql
container_name: "StomPHP"
web:
image: nginx:latest
ports:
- "80:80"
- "443:443"
volumes:
- ./StomUp:/var/www/StomUp
- /etc/letsencrypt/:/etc/letsencrypt/
- ./nginx/main.conf:/etc/nginx/conf.d/default.conf
depends_on:
- php
mysql:
image: mysql:5.7
command: mysqld --sql_mode=""
environment:
MYSQL_ROOT_PASSWORD: xxx
ports:
- "3333:3306"
An haɗa? Babban - bari mu ci gaba:
Yanzu muna buƙatar canza saitin nginx yin aiki da 443 tashar jiragen ruwa da SSL gabaɗaya:
Misali main.conf saitin tare da SSL
#
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name *.stomup.ru stomup.ru;
set $base /var/www/StomUp;
root $base/public;
# SSL
ssl_certificate /etc/letsencrypt/live/stomup.ru/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/stomup.ru/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/stomup.ru/chain.pem;
client_max_body_size 5M;
location / {
# try to serve file directly, fallback to index.php
try_files $uri /index.php$is_args$args;
}
location ~ ^/index.php(/|$) {
#fastcgi_pass unix:/var/run/php7.2-fpm.sock;
fastcgi_pass php:9000;
fastcgi_split_path_info ^(.+.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
fastcgi_param DOCUMENT_ROOT $realpath_root;
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
internal;
}
location ~ .php$ {
return 404;
}
error_log /var/log/nginx/project_error.log;
access_log /var/log/nginx/project_access.log;
}
# HTTP redirect
server {
listen 80;
listen [::]:80;
server_name *.stomup.ru stomup.ru;
location / {
return 301 https://stomup.ru$request_uri;
}
}
A zahiri, bayan waɗannan magudi, za mu je zuwa kundin adireshi tare da Docker-compose, rubuta docker-compose up -d. Kuma muna duba ayyukan SSL. Komai yakamata ya tashi.
Babban abu shine kar a manta cewa an ba da takardar shaidar Let'sEnctypt na kwanaki 90 kuma kuna buƙatar sabunta ta ta hanyar umarnin. sudo certbot renew
, sannan kuma sake kunna aikin tare da umarnin docker-compose restart
Wani zaɓi shine ƙara wannan jerin zuwa crontab.
A ganina wannan ita ce hanya mafi sauƙi don haɗa SSL zuwa Docker Web-app.
PS Don Allah a yi la'akari da cewa duk rubutun da aka gabatar a cikin rubutun ba su ƙare ba, aikin yanzu yana cikin zurfin Dev mataki, don haka ina so in tambaye ku kada ku soki configs - za a canza su sau da yawa.
source: www.habr.com