Colleagues, I want to share with you a way of setting up an SSL certificate for a site running on Docker, because... I could not find such an answer in the Russian-language part of the internet.
Details under the cut.
We had docker v17.05, docker-compose v1.21, Ubuntu Server 18 and a pinch of fresh Let'sEncrypt. It is not necessary to run production on Docker. But once you start with Docker, it is hard to stop.
So, to begin with, I will give the standard config, the one we had on the dev stage, i.e. without port 443 and SSL in general:
docker-compose.yml
version: '2'
services:
  php:
    build: ./php-fpm
    volumes:
      - ./StomUp:/var/www/StomUp
      - ./php-fpm/php.ini:/usr/local/etc/php/php.ini
    depends_on:
      - mysql
    container_name: "StomPHP"
  web:
    image: nginx:latest
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./StomUp:/var/www/StomUp
      - ./nginx/main.conf:/etc/nginx/conf.d/default.conf
    depends_on:
      - php
  mysql:
    image: mysql:5.7
    command: mysqld --sql_mode=""
    environment:
      MYSQL_ROOT_PASSWORD: xxx
    ports:
      - "3333:3306"
nginx/main.conf
server {
    listen 80;
    server_name *.stomup.ru stomup.ru;
    root /var/www/StomUp/public;
    client_max_body_size 5M;

    location / {
        # try to serve file directly, fallback to index.php
        try_files $uri /index.php$is_args$args;
    }

    location ~ ^/index.php(/|$) {
        #fastcgi_pass unix:/var/run/php7.2-fpm.sock;
        fastcgi_pass php:9000;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;
        internal;
    }

    # any other .php file is never executed; only index.php is reachable
    location ~ \.php$ {
        return 404;
    }

    error_log /var/log/nginx/project_error.log;
    access_log /var/log/nginx/project_access.log;
}
After that we need to set up SSL. To be honest, I spent about 2 hours reading through the .com part of the internet. All the options offered there are interesting. But at the current stage of the project we (the business) needed to quickly and reliably bolt Let'sEncrypt SSL onto the nginx container, and nothing more.
First, we installed certbot on the server:
sudo apt-get install certbot
Then we generated wildcard certificates for our domain:
sudo certbot certonly -d stomup.ru -d *.stomup.ru --manual --preferred-challenges dns
When it gets there, certbot will give us 2 TXT records that need to be added in the DNS settings:
_acme-challenge.stomup.ru TXT {the key that CertBot gave you}
And press Enter.
After that certbot will check that these records are present in DNS and issue the certificate.
If you added the record but certbot did not find it, try re-running the command after 5-10 minutes.
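A way to avoid that retry loop is to confirm from the server that the record is already visible before pressing Enter. The script below is an added example and is not part of the original post: it assumes dig is installed, queries a public resolver (1.1.1.1, an assumption) rather than the local cache, uses the record name from the text, and takes the token as an argument. Both TXT records certbot prints live on the same name, so the check passes as soon as any answer matches the token you are waiting for.

```shell
#!/bin/sh
# Added example, not from the original post: check that the ACME DNS-01 TXT
# record has propagated before telling certbot to continue.
# Assumptions: dig is installed; 1.1.1.1 is used as the public resolver.

# txt_has_token: succeed if any line of the TXT answer set equals the token.
#   $1 = newline-separated TXT answers as "dig +short" prints them (quoted)
#   $2 = expected token
txt_has_token() {
  printf '%s\n' "$1" | tr -d '"' | grep -Fxq -- "$2"
}

# wait_for_txt: poll the resolver until the record appears or attempts run out.
#   $1 = record name, e.g. _acme-challenge.stomup.ru
#   $2 = expected token (the value certbot printed)
#   $3 = max attempts, 30 seconds apart (default 20, i.e. ~10 minutes)
wait_for_txt() {
  name=$1; token=$2; max=${3:-20}; n=0
  while [ "$n" -lt "$max" ]; do
    answers=$(dig +short TXT "$name" @1.1.1.1 2>/dev/null)
    if txt_has_token "$answers" "$token"; then
      echo "record visible after $n retries; safe to press Enter in certbot"
      return 0
    fi
    n=$((n + 1))
    sleep 30
  done
  echo "record not visible after $max attempts; check the DNS panel" >&2
  return 1
}

# Usage (token is a constructed placeholder):
#   wait_for_txt _acme-challenge.stomup.ru 'CONSTRUCTED-TOKEN-0123'
```

Run it from a second terminal while certbot waits at its prompt; the loop exits with status 0 once the record is served, and a non-zero status is the signal to recheck the DNS panel rather than keep retrying certbot.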
Now we are the proud owners of a Let'sEncrypt certificate for 90 days, but it still needs to be put into Docker.
To do this, in the most trivial way, we link the files in docker-compose.yml, in the nginx section.
Example docker-compose.yml with SSL
version: '2'
services:
  php:
    build: ./php-fpm
    volumes:
      - ./StomUp:/var/www/StomUp
      - /etc/letsencrypt/live/stomup.ru/:/etc/letsencrypt/live/stomup.ru/
      - ./php-fpm/php.ini:/usr/local/etc/php/php.ini
    depends_on:
      - mysql
    container_name: "StomPHP"
  web:
    image: nginx:latest
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./StomUp:/var/www/StomUp
      - /etc/letsencrypt/:/etc/letsencrypt/
      - ./nginx/main.conf:/etc/nginx/conf.d/default.conf
    depends_on:
      - php
  mysql:
    image: mysql:5.7
    command: mysqld --sql_mode=""
    environment:
      MYSQL_ROOT_PASSWORD: xxx
    ports:
      - "3333:3306"
Linked? Great, let's continue:
Now we need to adjust the nginx config to work with port 443 and SSL in general:
Example main.conf config with SSL
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name *.stomup.ru stomup.ru;

    set $base /var/www/StomUp;
    root $base/public;

    # SSL
    ssl_certificate /etc/letsencrypt/live/stomup.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/stomup.ru/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/stomup.ru/chain.pem;

    client_max_body_size 5M;

    location / {
        # try to serve file directly, fallback to index.php
        try_files $uri /index.php$is_args$args;
    }

    location ~ ^/index.php(/|$) {
        #fastcgi_pass unix:/var/run/php7.2-fpm.sock;
        fastcgi_pass php:9000;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;
        internal;
    }

    # any other .php file is never executed; only index.php is reachable
    location ~ \.php$ {
        return 404;
    }

    error_log /var/log/nginx/project_error.log;
    access_log /var/log/nginx/project_access.log;
}

# HTTP redirect
server {
    listen 80;
    listen [::]:80;
    server_name *.stomup.ru stomup.ru;

    location / {
        return 301 https://stomup.ru$request_uri;
    }
}
Basically, after this we go to the folder with docker-compose and type docker-compose up -d. Then we check that SSL works. Everything should take off.
The main thing is not to forget that the Let'sEncrypt certificate is issued for 90 days, and it needs to be renewed via the command sudo certbot renew and the project then restarted with the command docker-compose restart.
Alternatively, add this to crontab.
In my opinion, this is the simplest way to connect SSL to a Docker web app.
PS Please note that none of the configs described in the text are final; the project is now at a deep Dev stage, so I would ask you not to criticise the configs, they will change many times.
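For the cron variant, the script below is an added example and not from the post: it reports how many days the mounted certificate has left and wraps certbot renew with a --deploy-hook, so nginx inside the web service is reloaded only when a renewal actually happened, instead of restarting the whole project on every run. The compose directory (/opt/stomup), the script name and the cron line are assumptions; the certificate path is the one the post mounts, and the date parsing needs GNU date.

```shell
#!/bin/sh
# Added example, not from the original post: cron-friendly Let's Encrypt
# renewal for the docker-compose setup described above.
# Assumptions: COMPOSE_DIR is where docker-compose.yml lives; the nginx
# service is called "web" as in the post; GNU date and openssl are present.
COMPOSE_DIR=${COMPOSE_DIR:-/opt/stomup}
CERT=${CERT:-/etc/letsencrypt/live/stomup.ru/fullchain.pem}

# enddate_to_epoch: turn "notAfter=Sep  9 01:46:40 2001 GMT", the line that
# "openssl x509 -noout -enddate" prints, into a Unix timestamp (GNU date).
enddate_to_epoch() {
  date -u -d "${1#notAfter=}" +%s
}

# days_left: whole days between $1 (now, epoch seconds) and $2 (expiry, epoch seconds)
days_left() {
  echo $(( ($2 - $1) / 86400 ))
}

# cert_days_left: days until the certificate file $1 expires; fails if it cannot be read
cert_days_left() {
  end=$(openssl x509 -in "$1" -noout -enddate) || return 1
  days_left "$(date -u +%s)" "$(enddate_to_epoch "$end")"
}

# renew_and_reload: certbot itself skips certificates with more than 30 days
# left; the deploy hook runs only for certificates that were really renewed,
# and "nginx -s reload" makes the running container re-read the new files.
renew_and_reload() {
  certbot renew --quiet \
    --deploy-hook "cd $COMPOSE_DIR && docker-compose exec -T web nginx -s reload"
}

main() {
  if left=$(cert_days_left "$CERT"); then
    echo "$CERT is valid for $left more days"
  else
    echo "cannot read $CERT" >&2
  fi
  renew_and_reload
}

# Assumed installation: save as /usr/local/bin/renew-stomup.sh and add to
# /etc/cron.d:   0 3 * * * root /usr/local/bin/renew-stomup.sh
# main only runs when the file is executed under that name.
case "$0" in
  *renew-stomup.sh) main ;;
esac
```

One caveat for this particular setup: a certificate obtained with --manual and the DNS challenge, as in the post, cannot be renewed non-interactively unless certbot is also given a --manual-auth-hook that publishes the new TXT record, so without such a hook the renew command still has to be run by hand as described above; the deploy hook part works the same either way.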
Source: www.habr.com