SSL certificate for a Docker web-app

In this article I want to share with you a method for creating an SSL certificate for your web application running on Docker, because... I did not find such a solution in the Russian-language part of the internet.


More details under the cut.

We had docker v.17.05, docker-compose v.1.21, Ubuntu Server 18 and a strong wish for a proper Let's Encrypt certificate. It is not that deploying production on Docker is necessary. But once you start building on Docker, it becomes hard to stop.

So, to start with, I will give the standard settings we had at the dev stage, i.e. without port 443 and without SSL in general:

docker-compose.yml

version: '2'
services:
    php:
        build: ./php-fpm
        volumes:
            - ./StomUp:/var/www/StomUp
            - ./php-fpm/php.ini:/usr/local/etc/php/php.ini
        depends_on:
            - mysql
        container_name: "StomPHP"
    web:
        image: nginx:latest
        ports:
            - "80:80"
            - "443:443"
        volumes:
            - ./StomUp:/var/www/StomUp
            - ./nginx/main.conf:/etc/nginx/conf.d/default.conf
        depends_on:
            - php
    mysql:
        image: mysql:5.7
        command: mysqld --sql_mode=""
        environment:
            MYSQL_ROOT_PASSWORD: xxx
        ports:
            - "3333:3306"

nginx/main.conf

server {
    listen 80;
    server_name *.stomup.ru stomup.ru;
    root /var/www/StomUp/public;
    client_max_body_size 5M;

    location / {
        # try to serve file directly, fallback to index.php
        try_files $uri /index.php$is_args$args;
    }

    location ~ ^/index\.php(/|$) {
        #fastcgi_pass unix:/var/run/php7.2-fpm.sock;
        fastcgi_pass php:9000;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;
        internal;
    }

    # no other .php file may be reached directly
    location ~ \.php$ {
        return 404;
    }

    error_log /var/log/nginx/project_error.log;
    access_log /var/log/nginx/project_access.log;
}

After that, we actually need to implement SSL. To be honest, I spent about 2 hours studying the subject. All the options on offer are interesting. But at the current stage of the project we (the business) need to bolt Let's Encrypt SSL onto the nginx container quickly and reliably, and nothing more.

First of all, we install certbot on the server:

sudo apt-get install certbot

Then we generate a wildcard certificate for our domain (the wildcard is quoted so the shell does not expand it):

sudo certbot certonly -d stomup.ru -d '*.stomup.ru' --manual --preferred-challenges dns


After running it, certbot gives us 2 TXT records that have to be entered in the DNS settings:

_acme-challenge.stomup.ru TXT {the key that certbot gave you}


Then press Enter.

After that, certbot checks that these records are present in DNS and creates the certificate for you.
If you added the record but certbot did not find it, try rerunning the command after 5-10 minutes.

Okay, now we are the proud owners of a Let's Encrypt certificate valid for 90 days, but we still need to get it into Docker.

To do this in the most trivial way, in docker-compose.yml, in the nginx section, we mount the directories.

Example docker-compose.yml with SSL

version: '2'
services:
    php:
        build: ./php-fpm
        volumes:
            - ./StomUp:/var/www/StomUp
            - /etc/letsencrypt/live/stomup.ru/:/etc/letsencrypt/live/stomup.ru/
            - ./php-fpm/php.ini:/usr/local/etc/php/php.ini
        depends_on:
            - mysql
        container_name: "StomPHP"
    web:
        image: nginx:latest
        ports:
            - "80:80"
            - "443:443"
        volumes:
            - ./StomUp:/var/www/StomUp
            - /etc/letsencrypt/:/etc/letsencrypt/
            - ./nginx/main.conf:/etc/nginx/conf.d/default.conf
        depends_on:
            - php
    mysql:
        image: mysql:5.7
        command: mysqld --sql_mode=""
        environment:
            MYSQL_ROOT_PASSWORD: xxx
        ports:
            - "3333:3306"

Mounted? Great, let's continue:

Now we need to change the nginx configuration to work with port 443 and SSL in general:

Example main.conf configuration with SSL

# HTTPS server
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name *.stomup.ru stomup.ru;
    set $base /var/www/StomUp;
    root $base/public;

    # SSL
    ssl_certificate /etc/letsencrypt/live/stomup.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/stomup.ru/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/stomup.ru/chain.pem;

    client_max_body_size 5M;

    location / {
        # try to serve file directly, fallback to index.php
        try_files $uri /index.php$is_args$args;
    }

    location ~ ^/index\.php(/|$) {
        #fastcgi_pass unix:/var/run/php7.2-fpm.sock;
        fastcgi_pass php:9000;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;
        internal;
    }

    # no other .php file may be reached directly
    location ~ \.php$ {
        return 404;
    }

    error_log /var/log/nginx/project_error.log;
    access_log /var/log/nginx/project_access.log;
}


# HTTP redirect
server {
    listen 80;
    listen [::]:80;

    server_name *.stomup.ru stomup.ru;

    location / {
        return 301 https://stomup.ru$request_uri;
    }
}

Actually, after these manipulations we go to the directory with docker-compose.yml, run docker-compose up -d and check that SSL works. Everything should take off.

The main thing is not to forget that the Let's Encrypt certificate is issued for 90 days, so you will need to renew it with the command sudo certbot renew and then restart the project with the command docker-compose restart.

Another option is to add this sequence to crontab.
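A renewal script for the crontab variant, added here as an example and not part of the original post. It assumes a hypothetical COMPOSE_DIR, the live/ path used in the post, and that certbot renew can run unattended for this certificate (a certbot DNS plugin or a --manual-auth-hook for the DNS provider, because the interactive --manual DNS challenge shown above cannot be answered by cron on its own).

```shell
#!/bin/sh
# Added example, not part of the original post: cron-driven renewal for the setup above.
# Assumed (hypothetical) values: COMPOSE_DIR is where docker-compose.yml lives,
# LIVE_DIR is the certbot path from the post, MIN_DAYS is our own safety threshold.
set -u
COMPOSE_DIR="${COMPOSE_DIR:-/opt/stomup}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/stomup.ru}"
MIN_DAYS="${MIN_DAYS:-30}"

# certbot keeps symlinks in live/ that point into ../../archive/, so a container that
# mounts only live/ sees dangling links (mounting /etc/letsencrypt/ whole, as the web
# service does, is what makes them resolve). Return 0 when all three files nginx reads
# resolve to readable regular files, 1 otherwise.
cert_files_resolve() {
    for f in fullchain.pem privkey.pem chain.pem; do
        [ -f "$1/$f" ] && [ -r "$1/$f" ] || return 1
    done
    return 0
}

# Return 0 when the certificate in file $1 is still valid for at least $2 days.
# openssl's -checkend does the date arithmetic, so no locale-dependent date parsing.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Let certbot decide whether renewal is due, restart only the nginx service and only
# when a certificate was actually issued (that is what --deploy-hook guarantees), then
# verify that the file nginx will load is good for at least MIN_DAYS. A non-zero exit
# makes cron report the failure instead of silently running into the 90-day expiry.
renew_and_reload() {
    cert_files_resolve "$LIVE_DIR" || {
        echo "certificate files in $LIVE_DIR do not resolve (archive/ not mounted?)" >&2
        return 2
    }
    certbot renew --quiet \
        --deploy-hook "cd '$COMPOSE_DIR' && docker-compose restart web" || return 3
    cert_valid_for_days "$LIVE_DIR/fullchain.pem" "$MIN_DAYS" || {
        echo "certificate still expires within $MIN_DAYS days after renew" >&2
        return 4
    }
}

# Example root crontab entry (daily at 03:17; the script path is hypothetical):
#   17 3 * * * /usr/local/sbin/stomup-renew.sh renew
case "${1:-}" in
    renew) renew_and_reload ;;
esac
```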

In my opinion, this is the easiest way to connect SSL to a Docker web-app.

PS Please keep in mind that none of the scripts presented in the text are final; the project is currently at a deep Dev stage, so I would ask you not to criticize the configs: they will be modified many times.

Source: www.habr.com
