SSL certificate for a Docker web app

In this article I want to share a method for creating an SSL certificate for a web application running in Docker, because I did not find such a solution in the Russian-language part of the internet.


We had docker v.17.05, docker-compose v.1.21, Ubuntu Server 18 and a pint of pure Let'sEncrypt. Not that it is necessary to deploy production on Docker. But once you start building with Docker, it is hard to stop.

So, to begin with, here are the initial settings, i.e. what we had at the dev stage, without port 443 and SSL in general:

docker-compose.yml

version: '2'
services:
    php:
        build: ./php-fpm
        volumes:
            - ./StomUp:/var/www/StomUp
            - ./php-fpm/php.ini:/usr/local/etc/php/php.ini
        depends_on:
            - mysql
        container_name: "StomPHP"
    web:
        image: nginx:latest
        ports:
            - "80:80"
            - "443:443"
        volumes:
            - ./StomUp:/var/www/StomUp
            - ./nginx/main.conf:/etc/nginx/conf.d/default.conf
        depends_on:
            - php
    mysql:
        image: mysql:5.7
        command: mysqld --sql_mode=""
        environment:
            MYSQL_ROOT_PASSWORD: xxx
        ports:
            - "3333:3306"

nginx/main.conf

server {
    listen 80;
    server_name *.stomup.ru stomup.ru;
    root /var/www/StomUp/public;
    client_max_body_size 5M;

    location / {
        # try to serve file directly, fallback to index.php
        try_files $uri /index.php$is_args$args;
    }

    # only the front controller is passed to PHP-FPM
    location ~ ^/index\.php(/|$) {
        #fastcgi_pass unix:/var/run/php7.2-fpm.sock;
        fastcgi_pass php:9000;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;
        internal;
    }

    # any other .php URI is refused
    location ~ \.php$ {
        return 404;
    }

    error_log /var/log/nginx/project_error.log;
    access_log /var/log/nginx/project_access.log;
}

Next, we actually need to implement SSL. To be honest, I spent about 2 hours reading up on it. All the options on offer are interesting. But at the current stage of the project, we need to bolt Let'sEncrypt SSL onto the nginx container quickly and reliably, and nothing more.

First of all, we install certbot on the server:
sudo apt-get install certbot

Next, we generate a wildcard certificate for our domain:

sudo certbot certonly -d stomup.ru -d '*.stomup.ru' --manual --preferred-challenges dns


After it runs, certbot will give us 2 TXT records that must be added in the DNS settings.

_acme-challenge.stomup.ru TXT {theKeyThatCertBotGaveYou}

Then press Enter.

After that, certbot checks for these records in DNS and creates the certificates for you.
If you have added the record but certbot did not find it, try rerunning the command after 5-10 minutes.

Well, here we are, the proud owners of a Let'sEncrypt certificate valid for 90 days, but now we need to get it into Docker.

To do this, in the most trivial way, we mount the directories in docker-compose.yml, in the nginx section.

Example docker-compose.yml with SSL

version: '2'
services:
    php:
        build: ./php-fpm
        volumes:
            - ./StomUp:/var/www/StomUp
            - /etc/letsencrypt/live/stomup.ru/:/etc/letsencrypt/live/stomup.ru/
            - ./php-fpm/php.ini:/usr/local/etc/php/php.ini
        depends_on:
            - mysql
        container_name: "StomPHP"
    web:
        image: nginx:latest
        ports:
            - "80:80"
            - "443:443"
        volumes:
            - ./StomUp:/var/www/StomUp
            - /etc/letsencrypt/:/etc/letsencrypt/
            - ./nginx/main.conf:/etc/nginx/conf.d/default.conf
        depends_on:
            - php
    mysql:
        image: mysql:5.7
        command: mysqld --sql_mode=""
        environment:
            MYSQL_ROOT_PASSWORD: xxx
        ports:
            - "3333:3306"

Mounted? Great, let's continue:

Now we need to change the nginx config to work with port 443 and SSL in general:

Example main.conf config with SSL

#
server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name *.stomup.ru stomup.ru;
	set $base /var/www/StomUp;
	root $base/public;

	# SSL
	ssl_certificate /etc/letsencrypt/live/stomup.ru/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/stomup.ru/privkey.pem;
	ssl_trusted_certificate /etc/letsencrypt/live/stomup.ru/chain.pem;

	client_max_body_size 5M;

	location / {
		# try to serve file directly, fallback to index.php
		try_files $uri /index.php$is_args$args;
	}

	# only the front controller is passed to PHP-FPM
	location ~ ^/index\.php(/|$) {
		#fastcgi_pass unix:/var/run/php7.2-fpm.sock;
		fastcgi_pass php:9000;
		fastcgi_split_path_info ^(.+\.php)(/.*)$;
		include fastcgi_params;
		fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
		fastcgi_param DOCUMENT_ROOT $realpath_root;
		fastcgi_buffer_size 128k;
		fastcgi_buffers 4 256k;
		fastcgi_busy_buffers_size 256k;
		internal;
	}

	# any other .php URI is refused
	location ~ \.php$ {
		return 404;
	}

	error_log /var/log/nginx/project_error.log;
	access_log /var/log/nginx/project_access.log;
}


# HTTP redirect
server {
	listen 80;
	listen [::]:80;

	server_name *.stomup.ru stomup.ru;

	location / {
		return 301 https://stomup.ru$request_uri;
	}
}

After these manipulations, we go to the directory with docker-compose.yml and bring the containers up with docker-compose. Then we check that SSL works. Everything should take off.

The main thing is not to forget that a Let'sEncrypt certificate is issued for 90 days and has to be renewed with the command sudo certbot renew, after which the project is restarted with the command docker-compose restart

Another option is to add this sequence to crontab.
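
One way to script the renew-then-restart sequence for cron, with a check that catches a renewal that silently failed (an added example, not part of the original article; COMPOSE_DIR, the script path and the 14-day threshold are assumptions). A certificate issued with --manual, as above, renews unattended only when certbot has an authentication hook for the DNS challenge, which is exactly the failure the expiry check reports.

```shell
#!/bin/sh
# Added example: unattended renewal plus an expiry check for the setup above.
# Constructed defaults: COMPOSE_DIR and the cron path are hypothetical.
# root crontab: 17 3 * * * /usr/local/sbin/renew-cert.sh --run
CERT="${CERT:-/etc/letsencrypt/live/stomup.ru/fullchain.pem}"
COMPOSE_DIR="${COMPOSE_DIR:-/opt/stomup}"
WARN_DAYS="${WARN_DAYS:-14}"

# days_left NOW_EPOCH EXPIRY_EPOCH -> whole days until expiry
days_left() {
    echo $(( ($2 - $1) / 86400 ))
}

# expiry_status NOW_EPOCH EXPIRY_EPOCH WARN_DAYS -> ok | warn | expired
expiry_status() {
    if [ "$2" -le "$1" ]; then
        echo expired
    elif [ "$(days_left "$1" "$2")" -lt "$3" ]; then
        echo warn
    else
        echo ok
    fi
}

# cert_expiry_epoch FILE -> notAfter of a PEM certificate in epoch seconds
# (relies on GNU date -d, as found on an Ubuntu host)
cert_expiry_epoch() {
    end=$(openssl x509 -noout -enddate -in "$1") || return 1
    date -u -d "${end#notAfter=}" +%s
}

main() {
    # The deploy hook runs only when a certificate was actually replaced,
    # so nginx (service "web") is restarted only then.
    certbot renew --quiet \
        --deploy-hook "cd '$COMPOSE_DIR' && docker-compose restart web" \
        || echo "certbot renew failed" >&2

    now=$(date +%s)
    expiry=$(cert_expiry_epoch "$CERT") || { echo "cannot read $CERT" >&2; return 2; }
    status=$(expiry_status "$now" "$expiry" "$WARN_DAYS")
    [ "$status" = ok ] && return 0
    # Anything printed here ends up in cron's mail to the admin.
    echo "$CERT: $status ($(days_left "$now" "$expiry") days left)" >&2
    return 1
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```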

In my opinion, this is the simplest way to connect SSL to a Docker web app.

P.S. Please keep in mind that none of the scripts in the text are final; the project is currently at a deep dev stage, so I would ask you not to criticize the configs - they will change many times.

Source: www.habr.com