SSL certificate for a Docker web application

In this article I want to share how to set up an SSL certificate for a web application running in Docker, because... I could not find such a solution in the Russian-speaking part of the Internet.


More details below the cut.

We have docker v.17.05, docker-compose v.1.21, Ubuntu Server 18 and a pinch of pure Let's Encrypt. Deploying production in Docker is not strictly necessary, but once you start building on Docker it is hard to stop.

So, to start, here is the baseline setup, the one in use at the dev stage, i.e. with no HTTPS server block and no SSL at all (port 443 is already published in the compose file, but nothing listens on it yet):

docker-compose.yml

version: '2'
services:
    php:
        build: ./php-fpm
        volumes:
            - ./StomUp:/var/www/StomUp
            - ./php-fpm/php.ini:/usr/local/etc/php/php.ini
        depends_on:
            - mysql
        container_name: "StomPHP"
    web:
        image: nginx:latest
        ports:
            - "80:80"
            - "443:443"
        volumes:
            - ./StomUp:/var/www/StomUp
            - ./nginx/main.conf:/etc/nginx/conf.d/default.conf
        depends_on:
            - php
    mysql:
        image: mysql:5.7
        command: mysqld --sql_mode=""
        environment:
            MYSQL_ROOT_PASSWORD: xxx
        ports:
            # published on all host interfaces; use "127.0.0.1:3333:3306"
            # unless remote access to MySQL is actually intended
            - "3333:3306"

nginx/main.conf

server {
    listen 80;
    server_name *.stomup.ru stomup.ru;
    root /var/www/StomUp/public;
    client_max_body_size 5M;

    location / {
        # try to serve file directly, fallback to index.php
        try_files $uri /index.php$is_args$args;
    }

    # front controller: php-fpm is reached over the compose network
    location ~ ^/index.php(/|$) {
        #fastcgi_pass unix:/var/run/php7.2-fpm.sock;
        fastcgi_pass php:9000;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;
        internal;
    }

    # every other .php URL gets a 404 so only index.php is ever executed
    location ~ \.php$ {
        return 404;
    }

    error_log /var/log/nginx/project_error.log;
    access_log /var/log/nginx/project_access.log;
}

Next, we need to hook up SSL. Honestly, I spent about two hours studying the .com zone. All the options on offer were interesting. But at the current stage of the project we (the business) needed to quickly and reliably attach a Let's Encrypt SSL certificate to the nginx container, and nothing more.

First, we install certbot on the server (wildcard certificates require ACMEv2, i.e. certbot 0.22 or newer; the Ubuntu 18.04 package qualifies):
sudo apt-get install certbot

Next, we issue a wildcard certificate for our domain. Wildcards can only be validated with the DNS-01 challenge, hence --preferred-challenges dns; quote the wildcard so the shell does not try to expand it:

sudo certbot certonly -d stomup.ru -d '*.stomup.ru' --manual --preferred-challenges dns


Once it runs, certbot hands us two TXT records (one per -d name) that have to be created in the domain's DNS settings. Both have the same name, so the zone must hold two TXT records at that name at the same time; do not replace the first value with the second:

_acme-challenge.stomup.ru TXT {the value certbot printed}


And press Enter.

After that, certbot checks that the records are present in DNS and issues the certificate.
If you added the records but certbot reports that it cannot find them, the zone has not propagated yet: re-run the command after 5-10 minutes. Each run produces new validation values, so the TXT records have to be updated again.
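Rather than waiting blind and retrying, check that both tokens are actually visible before pressing Enter, and ask the zone's authoritative name server rather than the local resolver, which may have cached an empty answer for the name. The script below is an added example, not part of the original article; it assumes dig is installed (package dnsutils on Ubuntu) and takes the domain plus the validation values certbot printed as arguments. The dig output at the top is a constructed sample with made-up tokens.

```shell
#!/bin/sh
# check-acme-txt.sh: verify that every ACME validation token certbot asked for
# is published as a TXT record at _acme-challenge.<domain>, querying the zone's
# authoritative name server so a cached negative answer cannot fool us.
# Added example, not part of the original article. Requires dig (dnsutils).

# Constructed sample of `dig +short TXT _acme-challenge.stomup.ru` output:
# one quoted string per record. With two -d names (stomup.ru and *.stomup.ru)
# certbot issues two tokens, and both must exist under the same name at once.
SAMPLE_DIG_OUTPUT='"gfj9Xq_token_for_stomup_ru_AAAAAAAAAAAAAAAAAA"
"Zk2pLm_token_for_wildcard_BBBBBBBBBBBBBBBBBBBBB"'

# acme_txt_has_token TOKEN DIG_OUTPUT -> 0 if TOKEN is one of the TXT records.
acme_txt_has_token() {
    # dig prints each TXT record as a quoted string; strip the quotes and
    # require an exact whole-line match so a prefix or a stale token fails.
    printf '%s\n' "$2" | tr -d '"' | grep -qxF -- "$1"
}

# acme_txt_all_present DIG_OUTPUT TOKEN... -> 0 only if every token is present.
acme_txt_all_present() {
    _out=$1
    shift
    for _tok in "$@"; do
        acme_txt_has_token "$_tok" "$_out" || return 1
    done
    return 0
}

# authoritative_ns DOMAIN -> first NS host of the zone (empty if none).
authoritative_ns() {
    dig +short NS "$1" | sed 's/\.$//' | head -n 1
}

# wait_for_acme_txt DOMAIN TOKEN... -> poll the authoritative NS (up to ~10
# minutes) until all tokens are visible; 0 when they are, 1 on timeout.
wait_for_acme_txt() {
    _domain=$1
    shift
    _ns=$(authoritative_ns "$_domain")
    [ -n "$_ns" ] || { echo "no NS record found for $_domain" >&2; return 1; }
    _i=0
    while [ "$_i" -lt 30 ]; do
        _answer=$(dig +short @"$_ns" TXT "_acme-challenge.$_domain")
        if acme_txt_all_present "$_answer" "$@"; then
            echo "all tokens visible at $_ns; safe to press Enter in certbot"
            return 0
        fi
        _i=$((_i + 1))
        sleep 20
    done
    echo "timed out waiting for _acme-challenge.$_domain TXT records" >&2
    return 1
}

# Usage: ./check-acme-txt.sh stomup.ru TOKEN1 TOKEN2
# Only runs when arguments are supplied, so the functions can also be sourced.
if [ "$#" -ge 2 ]; then
    wait_for_acme_txt "$@"
fi
```

Run it in a second terminal while certbot is waiting for Enter; when it reports that all tokens are visible at the authoritative server, Let's Encrypt's validators will see them too, and the 5-10 minute guessing game goes away.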

So now we own a Let's Encrypt certificate valid for 90 days, but it still has to be made available inside Docker.

To do this, in the simplest way possible, we mount the certificate directory into the nginx service in docker-compose.yml. Two details matter: mount the whole /etc/letsencrypt/ tree, not just live/stomup.ru/, because the files under live/ are symlinks into ../../archive/ and a mount of live/ alone leaves dangling links inside the container; and mount it only into nginx, since php-fpm never terminates TLS and has no business holding the private key.

Example docker-compose.yml with SSL

version: '2'
services:
    php:
        build: ./php-fpm
        volumes:
            - ./StomUp:/var/www/StomUp
            - ./php-fpm/php.ini:/usr/local/etc/php/php.ini
            # no certificate mount here: php-fpm does not terminate TLS, so
            # the private key stays out of this container
        depends_on:
            - mysql
        container_name: "StomPHP"
    web:
        image: nginx:latest
        ports:
            - "80:80"
            - "443:443"
        volumes:
            - ./StomUp:/var/www/StomUp
            # whole tree, read-only: live/ contains symlinks into
            # ../../archive/, which must resolve inside the container too
            - /etc/letsencrypt/:/etc/letsencrypt/:ro
            - ./nginx/main.conf:/etc/nginx/conf.d/default.conf
        depends_on:
            - php
    mysql:
        image: mysql:5.7
        command: mysqld --sql_mode=""
        environment:
            MYSQL_ROOT_PASSWORD: xxx
        ports:
            - "3333:3306"

Mounted? Good, let's move on:

Now we need to change the nginx config so it serves port 443 with SSL:

Example main.conf with SSL

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name *.stomup.ru stomup.ru;
    set $base /var/www/StomUp;
    root $base/public;

    # SSL: paths as seen inside the container through the /etc/letsencrypt mount
    ssl_certificate /etc/letsencrypt/live/stomup.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/stomup.ru/privkey.pem;
    # chain.pem is only consulted for OCSP stapling (ssl_stapling on, plus a
    # resolver), which this config does not enable; harmless but inert here
    ssl_trusted_certificate /etc/letsencrypt/live/stomup.ru/chain.pem;

    client_max_body_size 5M;

    location / {
        # try to serve file directly, fallback to index.php
        try_files $uri /index.php$is_args$args;
    }

    location ~ ^/index.php(/|$) {
        #fastcgi_pass unix:/var/run/php7.2-fpm.sock;
        fastcgi_pass php:9000;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;
        internal;
    }

    # every other .php URL gets a 404 so only index.php is ever executed
    location ~ \.php$ {
        return 404;
    }

    error_log /var/log/nginx/project_error.log;
    access_log /var/log/nginx/project_access.log;
}


# HTTP redirect
server {
    listen 80;
    listen [::]:80;

    server_name *.stomup.ru stomup.ru;

    location / {
        # keep the requested host: this block also matches *.stomup.ru, and
        # a fixed https://stomup.ru would send every subdomain to the apex
        return 301 https://$host$request_uri;
    }
}

Right, after these manipulations we go to the directory with docker-compose, run docker-compose up -d and check that SSL works: a plain HTTP request should come back as a 301 to the https:// URL, and the HTTPS request should be served with the Let's Encrypt chain and no certificate warnings. Everything should take off.

The main thing is not to forget that a Let's Encrypt certificate is issued for 90 days and has to be renewed. Two caveats here. sudo certbot renew only renews certificates it can validate unattended: one obtained with --manual and no --manual-auth-hook, like the wildcard above, is skipped, so either re-run the certbot certonly --manual command (and update the TXT records again) or give certbot a --manual-auth-hook script that publishes the record through your DNS provider's API. Once the files under /etc/letsencrypt have changed, nginx has to re-read them; since they arrive through the bind mount, nginx -s reload inside the web container is enough, though docker-compose restart web also works.

Another option is to put this sequence into crontab. Note that the Ubuntu certbot package already installs a systemd timer that runs certbot renew twice a day, so often the only thing left to add is the reload of nginx.
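A renewal script that fits the setup above, added here as an example and not part of the original article: it reloads nginx inside the compose web service only when certbot actually renewed something (the --deploy-hook fires per renewed certificate), and first inspects the renewal config certbot wrote to warn when the certificate cannot be renewed unattended. The compose file path is an assumption (override it with COMPOSE_FILE); the two config samples are constructed from the [renewalparams] format certbot writes under /etc/letsencrypt/renewal/.

```shell
#!/bin/sh
# renew.sh: renew Let's Encrypt certificates and reload nginx inside the
# compose "web" service only when a certificate actually changed.
# Added example, not part of the original article.
COMPOSE_FILE=${COMPOSE_FILE:-/opt/stomup/docker-compose.yml}   # assumed location
RENEWAL_CONF=${RENEWAL_CONF:-/etc/letsencrypt/renewal/stomup.ru.conf}

# Constructed sample of the [renewalparams] section certbot writes for a
# certificate obtained with --manual --preferred-challenges dns and no hook.
SAMPLE_MANUAL_CONF='[renewalparams]
authenticator = manual
pref_challs = dns-01,
account = 0123456789abcdef'

# Same, but with an auth hook, which is what unattended renewal needs.
SAMPLE_HOOKED_CONF='[renewalparams]
authenticator = manual
manual_auth_hook = /usr/local/bin/dns-auth-hook.sh
pref_challs = dns-01,'

# renewal_is_unattended CONF_TEXT -> 0 if `certbot renew` can handle this
# certificate on its own, 1 if it was issued interactively (--manual without
# --manual-auth-hook) and certbot renew will skip it.
renewal_is_unattended() {
    if printf '%s\n' "$1" | grep -qE '^authenticator *= *manual *$'; then
        printf '%s\n' "$1" | grep -qE '^manual_auth_hook *= *[^ ]'
    else
        return 0
    fi
}

# reload_nginx: re-read the renewed key and chain without dropping
# connections; test the config first so a broken config cannot take the site down.
reload_nginx() {
    docker-compose -f "$COMPOSE_FILE" exec -T web nginx -t &&
    docker-compose -f "$COMPOSE_FILE" exec -T web nginx -s reload
}

# renew: run certbot; --deploy-hook runs only for certificates that were
# actually renewed, so nginx is reloaded only when there is something new.
renew() {
    if [ -r "$RENEWAL_CONF" ] && ! renewal_is_unattended "$(cat "$RENEWAL_CONF")"; then
        echo "warning: $RENEWAL_CONF was issued with --manual and has no auth hook;" >&2
        echo "certbot renew will skip it. Re-run certbot certonly --manual interactively" >&2
        echo "(or add --manual-auth-hook), then run: $0 reload" >&2
    fi
    certbot renew --deploy-hook "$0 reload"
}

# Usage: renew.sh renew   (from cron, by absolute path, so $0 works in the hook)
#        renew.sh reload  (called by certbot via --deploy-hook)
case "${1:-}" in
    renew)  renew ;;
    reload) reload_nginx ;;
esac
```

Install it as /usr/local/bin/renew.sh and call it by absolute path from cron (for example 0 3 * * * /usr/local/bin/renew.sh renew); certbot's own timer can be left in place, since a run that renews nothing triggers no reload. If the warning fires, the wildcard certificate above will silently expire after 90 days unless it is re-issued by hand or given an auth hook.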

In my opinion this is the easiest way to attach SSL to a Docker web app.

PS Please keep in mind that none of the configs presented in the text are final; the project is at a deep dev stage, so I would ask you not to criticise the configs - they will be changed many times over.

Source: www.habr.com
