SSL certificate for a Docker web application

In this article I want to share with you a way of creating an SSL certificate for your web application running on Docker, because... I could not find a solution like this anywhere on the Russian-language internet.


More details under the cut.

We have docker v.17.05, docker-compose v.1.21, Ubuntu Server 18 and a dash of holy Let's Encrypt. Deploying production on Docker is not strictly necessary. But once you start building with Docker, it is hard to stop.

So, to begin with, I will show the standard settings - the ones we have at the dev stage, i.e. without port 443 and without SSL in general:

docker-compose.yml

version: '2'
services:
    php:
        build: ./php-fpm
        volumes:
            - ./StomUp:/var/www/StomUp
            - ./php-fpm/php.ini:/usr/local/etc/php/php.ini
        depends_on:
            - mysql
        container_name: "StomPHP"
    web:
        image: nginx:latest
        ports:
            - "80:80"
            - "443:443"
        volumes:
            - ./StomUp:/var/www/StomUp
            - ./nginx/main.conf:/etc/nginx/conf.d/default.conf
        depends_on:
            - php
    mysql:
        image: mysql:5.7
        command: mysqld --sql_mode=""
        environment:
            MYSQL_ROOT_PASSWORD: xxx
        ports:
            - "3333:3306"

nginx/main.conf

server {
    listen 80;
    server_name *.stomup.ru stomup.ru;
    root /var/www/StomUp/public;
    client_max_body_size 5M;

    location / {
        # try to serve file directly, fallback to index.php
        try_files $uri /index.php$is_args$args;
    }

    location ~ ^/index\.php(/|$) {
        #fastcgi_pass unix:/var/run/php7.2-fpm.sock;
        fastcgi_pass php:9000;
        # the dot must be escaped: an unescaped "." matches any character
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;
        internal;
    }

    # no other .php file is ever served; index.php is the only front controller
    location ~ \.php$ {
        return 404;
    }

    error_log /var/log/nginx/project_error.log;
    access_log /var/log/nginx/project_access.log;
}

Next, we actually need to add SSL. To be honest, I spent about two hours studying what the community has to offer. All the options proposed there are interesting. But at the current stage of the project we (the business) need to bolt Let's Encrypt SSL onto the nginx container quickly and reliably, and nothing more.

First, install certbot on the server:

sudo apt-get install certbot

After that, we create a certificate for our domain (including the wildcard):

sudo certbot certonly -d stomup.ru -d *.stomup.ru --manual --preferred-challenges dns


After running it, certbot gives us two TXT records that have to be entered in the DNS settings:

_acme-challenge.stomup.ru TXT {theKeyThatCertbotGaveYou}


Then press Enter.

After this, certbot checks that these records are present in DNS and creates the certificate for you.
If you added the record but certbot did not find it, try running the command again after 5-10 minutes.
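The 5-10 minute retry mentioned above is almost always DNS propagation: Let's Encrypt asks the domain's authoritative nameservers, and the record you just added may not be visible there yet. The script below is an added example and is not part of the original article; it assumes `dig` (package dnsutils on Ubuntu) is installed on the server, and the domain and record values are placeholders you pass on the command line. It queries the authoritative nameserver directly, so a cached answer from the local resolver cannot fool the check, and it waits until every value certbot printed is present before you press Enter.

```shell
#!/bin/sh
# Added example (not from the original article): confirm the _acme-challenge
# TXT records are visible on authoritative DNS before telling certbot to go on.
# Assumes `dig` is installed; domain and record values are placeholders
# supplied on the command line.

# txt_value_present EXPECTED DIG_OUTPUT
# DIG_OUTPUT is the text from `dig +short TXT <name>`: one quoted string per
# record. Returns 0 when one of them equals EXPECTED exactly.
txt_value_present() {
    printf '%s\n' "$2" | sed 's/^"//; s/"$//' | grep -Fxq -- "$1"
}

# all_txt_values_present DIG_OUTPUT VALUE...
# certbot prints one value per -d name (two for stomup.ru + *.stomup.ru) and
# both must be published under the same _acme-challenge name.
all_txt_values_present() {
    output="$1"; shift
    for v in "$@"; do
        txt_value_present "$v" "$output" || return 1
    done
    return 0
}

# query_acme_txt DOMAIN: ask the domain's own authoritative nameserver so a
# stale cached answer from the local resolver cannot fool the check.
query_acme_txt() {
    ns=$(dig +short NS "$1" | head -n 1)
    [ -n "$ns" ] || { echo "no NS record found for $1" >&2; return 1; }
    dig +short TXT "_acme-challenge.$1" @"$ns"
}

# wait_for_acme_txt DOMAIN TIMEOUT_SECONDS VALUE...: poll every 15 seconds
wait_for_acme_txt() {
    domain="$1"; timeout="$2"; shift 2
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if all_txt_values_present "$(query_acme_txt "$domain")" "$@"; then
            echo "all $# TXT value(s) visible on authoritative DNS"
            return 0
        fi
        sleep 15
        waited=$((waited + 15))
    done
    echo "timed out after ${timeout}s; let certbot retry later" >&2
    return 1
}

# usage: sh check-acme-txt.sh stomup.ru 600 VALUE1 VALUE2
if [ "$#" -ge 3 ]; then
    wait_for_acme_txt "$@"
fi
```

Run it in a second terminal while certbot is waiting at its prompt; once it reports that all values are visible, go back and press Enter.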

Well, now we are the proud owners of a 90-day Let's Encrypt certificate, but it still has to be loaded into Docker.

To do this in the simplest possible way, we mount the certificate directories in docker-compose.yml, in the nginx section.

Example docker-compose.yml with SSL

version: '2'
services:
    php:
        build: ./php-fpm
        volumes:
            - ./StomUp:/var/www/StomUp
            - /etc/letsencrypt/live/stomup.ru/:/etc/letsencrypt/live/stomup.ru/
            - ./php-fpm/php.ini:/usr/local/etc/php/php.ini
        depends_on:
            - mysql
        container_name: "StomPHP"
    web:
        image: nginx:latest
        ports:
            - "80:80"
            - "443:443"
        volumes:
            - ./StomUp:/var/www/StomUp
            - /etc/letsencrypt/:/etc/letsencrypt/
            - ./nginx/main.conf:/etc/nginx/conf.d/default.conf
        depends_on:
            - php
    mysql:
        image: mysql:5.7
        command: mysqld --sql_mode=""
        environment:
            MYSQL_ROOT_PASSWORD: xxx
        ports:
            - "3333:3306"

Mounted? Great - let's move on.

Now we need to change the nginx config so that it serves port 443 and SSL in general:

Example main.conf config with SSL

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name *.stomup.ru stomup.ru;
    set $base /var/www/StomUp;
    root $base/public;

    # SSL
    ssl_certificate /etc/letsencrypt/live/stomup.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/stomup.ru/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/stomup.ru/chain.pem;

    client_max_body_size 5M;

    location / {
        # try to serve file directly, fallback to index.php
        try_files $uri /index.php$is_args$args;
    }

    location ~ ^/index\.php(/|$) {
        #fastcgi_pass unix:/var/run/php7.2-fpm.sock;
        fastcgi_pass php:9000;
        # the dot must be escaped: an unescaped "." matches any character
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;
        internal;
    }

    # no other .php file is ever served; index.php is the only front controller
    location ~ \.php$ {
        return 404;
    }

    error_log /var/log/nginx/project_error.log;
    access_log /var/log/nginx/project_access.log;
}


# HTTP redirect
server {
    listen 80;
    listen [::]:80;

    server_name *.stomup.ru stomup.ru;

    location / {
        return 301 https://stomup.ru$request_uri;
    }
}

After these manipulations we simply go to the directory containing docker-compose.yml, run docker-compose up -d and check that SSL works. Everything should come up.

The main thing is not to forget that a Let's Encrypt certificate is issued for 90 days and has to be renewed with the command sudo certbot renew, after which the project is restarted with docker-compose restart.

Another option is to add this sequence to crontab.
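Two things are worth checking before putting the renewal into cron. First, certbot's live/ directory only holds symlinks into ../../archive/, so a container that mounts live/ alone (as the php service does in the compose file above) sees dangling links; the web service mounts the whole /etc/letsencrypt/ tree and is fine. The php container does not terminate TLS at all, so it does not need the private key in the first place. Second, a certificate obtained with --manual cannot be renewed unattended unless certbot is given a --manual-auth-hook that publishes the TXT record for you. The script below is an added example, not part of the original article: it verifies the mounted files are readable, that the private key matches the certificate, reports the days left, and only renews when the certificate is within 30 days of expiry, reloading nginx inside the running container instead of restarting the whole stack. The host paths, the compose directory /opt/stomup and the hook script path are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): check the certificate that
# the nginx container serves and renew + reload only when needed.
# The paths, the compose project directory and the DNS auth hook script are
# placeholders for this setup.

CERT=${CERT:-/etc/letsencrypt/live/stomup.ru/fullchain.pem}
KEY=${KEY:-/etc/letsencrypt/live/stomup.ru/privkey.pem}
COMPOSE_DIR=${COMPOSE_DIR:-/opt/stomup}                   # hypothetical
DNS_HOOK=${DNS_HOOK:-/usr/local/bin/acme-dns-hook.sh}     # hypothetical
RENEW_BEFORE_DAYS=${RENEW_BEFORE_DAYS:-30}

# cert_files_readable FILE...: live/ only holds symlinks into ../../archive/,
# so mounting live/ alone into a container leaves dangling links.
# -r follows the symlink and fails for a dangling one.
cert_files_readable() {
    for f in "$@"; do
        [ -r "$f" ] || { echo "unreadable or dangling symlink: $f" >&2; return 1; }
    done
    return 0
}

# cert_matches_key CERT KEY: compare the public key embedded in the
# certificate with the public key derived from the private key.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# needs_renewal CERT DAYS: returns 0 if CERT expires within DAYS days.
# `openssl x509 -checkend N` exits 0 only if the certificate is still valid
# N seconds from now, so the result is inverted here.
needs_renewal() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# days_left CERT: whole days until notAfter (GNU date, as on Ubuntu)
days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    echo $(( ($(date -u -d "$end" +%s) - $(date -u +%s)) / 86400 ))
}

renew_if_needed() {
    cert_files_readable "$CERT" "$KEY" || return 1
    cert_matches_key "$CERT" "$KEY" || { echo "private key does not match certificate" >&2; return 1; }
    echo "certificate valid for $(days_left "$CERT") more day(s)"
    needs_renewal "$CERT" "$RENEW_BEFORE_DAYS" || return 0
    # certificates obtained with --manual need an auth hook to renew unattended
    certbot renew --quiet --manual-auth-hook "$DNS_HOOK" || return 1
    # reload rather than `docker-compose restart`: nginx re-reads the files
    # without dropping connections (the web service mounts all of /etc/letsencrypt)
    (cd "$COMPOSE_DIR" && docker-compose exec -T web nginx -s reload)
}

# usage (for example daily from cron): sh renew-check.sh run
if [ "${1:-}" = "run" ]; then
    renew_if_needed
fi
```

A crontab line such as `0 3 * * * sh /opt/stomup/renew-check.sh run` (path assumed) runs the check nightly; most nights it only logs the days left, and certbot itself declines to renew a certificate that is not yet due.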

In my opinion this is the simplest way to attach SSL to a Docker web app.

PS. Please bear in mind that none of the configs presented in the text are final; the project is currently deep in the Dev stage, so I would ask you not to criticise the configs - they will change many more times.

source: www.habr.com
