SSL certificate for a Docker web app

In this article I want to share with you a way to set up an SSL certificate for your web application running in Docker, because... I could not find such a solution in the Russian-language part of the Internet.

Details below the cut.

We had docker v.17.05, docker-compose v.1.21, Ubuntu Server 18 and a pint of pure Let's Encrypt. It is not at all necessary to deploy production on Docker. But once you have started building on Docker, it becomes hard to stop.

So, first I will give the standard configs - the ones we had at the dev stage, i.e. without port 443 and without SSL at all:

docker-compose.yml

version: '2'
services:
    php:
        build: ./php-fpm
        volumes:
            - ./StomUp:/var/www/StomUp
            - ./php-fpm/php.ini:/usr/local/etc/php/php.ini
        depends_on:
            - mysql
        container_name: "StomPHP"
    web:
        image: nginx:latest
        ports:
            - "80:80"
            - "443:443"
        volumes:
            - ./StomUp:/var/www/StomUp
            - ./nginx/main.conf:/etc/nginx/conf.d/default.conf
        depends_on:
            - php
    mysql:
        image: mysql:5.7
        command: mysqld --sql_mode=""
        environment:
            MYSQL_ROOT_PASSWORD: xxx
        ports:
            - "3333:3306"

nginx/main.conf

server {
    listen 80;
    server_name *.stomup.ru stomup.ru;
    root /var/www/StomUp/public;
    client_max_body_size 5M;

    location / {
        # try to serve file directly, fallback to index.php
        try_files $uri /index.php$is_args$args;
    }

    location ~ ^/index\.php(/|$) {
        #fastcgi_pass unix:/var/run/php7.2-fpm.sock;
        fastcgi_pass php:9000;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;
        internal;
    }

    # the dot must be escaped, otherwise "xphp" would also match
    location ~ \.php$ {
        return 404;
    }

    error_log /var/log/nginx/project_error.log;
    access_log /var/log/nginx/project_access.log;
}

Next, we need to do SSL. To be honest, I spent about two hours studying the .com zone. Everything offered there is interesting. But at the current stage of the project, we (the business) needed to bolt Let's Encrypt SSL onto the nginx container quickly and reliably, and nothing more.

First of all, we installed certbot on the server:
sudo apt-get install certbot

Next, we generated wildcard certificates for our domain:

sudo certbot certonly -d stomup.ru -d *.stomup.ru --manual --preferred-challenges dns

After running it, certbot will give us 2 TXT records that need to be added in the DNS settings:

_acme-challenge.stomup.ru TXT {TheKeyThatCertbotGaveYou}

And press Enter.

After that, certbot checks for these records in DNS and generates your certificates.
If you have added the record but certbot did not find it, try re-running the command after 5 minutes.

Well, we are now proud owners of a Let's Encrypt certificate for 90 days, but now we need to put it into Docker.

To do this, in the most trivial way, we mount the directories in docker-compose.yml, in the nginx section.

Example docker-compose.yml with SSL

version: '2'
services:
    php:
        build: ./php-fpm
        volumes:
            - ./StomUp:/var/www/StomUp
            - /etc/letsencrypt/live/stomup.ru/:/etc/letsencrypt/live/stomup.ru/
            - ./php-fpm/php.ini:/usr/local/etc/php/php.ini
        depends_on:
            - mysql
        container_name: "StomPHP"
    web:
        image: nginx:latest
        ports:
            - "80:80"
            - "443:443"
        volumes:
            - ./StomUp:/var/www/StomUp
            - /etc/letsencrypt/:/etc/letsencrypt/
            - ./nginx/main.conf:/etc/nginx/conf.d/default.conf
        depends_on:
            - php
    mysql:
        image: mysql:5.7
        command: mysqld --sql_mode=""
        environment:
            MYSQL_ROOT_PASSWORD: xxx
        ports:
            - "3333:3306"

Mounted? Good - let's move on:

Now we need to change the nginx config to work with port 443 and SSL in general:

Example main.conf config with SSL

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name *.stomup.ru stomup.ru;
    set $base /var/www/StomUp;
    root $base/public;

    # SSL
    ssl_certificate /etc/letsencrypt/live/stomup.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/stomup.ru/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/stomup.ru/chain.pem;

    client_max_body_size 5M;

    location / {
        # try to serve file directly, fallback to index.php
        try_files $uri /index.php$is_args$args;
    }

    location ~ ^/index\.php(/|$) {
        #fastcgi_pass unix:/var/run/php7.2-fpm.sock;
        fastcgi_pass php:9000;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;
        internal;
    }

    # the dot must be escaped, otherwise "xphp" would also match
    location ~ \.php$ {
        return 404;
    }

    error_log /var/log/nginx/project_error.log;
    access_log /var/log/nginx/project_access.log;
}

# HTTP redirect
server {
    listen 80;
    listen [::]:80;

    server_name *.stomup.ru stomup.ru;

    location / {
        return 301 https://stomup.ru$request_uri;
    }
}

After this, we go to the directory with docker-compose.yml, run docker-compose up -d and check that SSL works. Everything should come up.

The main thing is not to forget that the Let's Encrypt certificate is issued for 90 days, and you will need to renew it with the command sudo certbot renew, and then restart the project with docker-compose restart.

Another option is to add this sequence to crontab.
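The renewal sequence above as one cron-friendly script, an added example rather than the author's code: it checks the days left on the certificate the nginx container mounts, runs certbot renew with a deploy hook that restarts only the "web" service from the compose file, and then confirms the container really serves the renewed certificate (nginx reads the key pair at startup, so a forgotten restart keeps the old one). COMPOSE_DIR is an assumed placeholder path; the certificate path, host name and service name come from the article.

```shell
#!/usr/bin/env bash
# Assumptions: certbot runs on the host, the compose project lives in COMPOSE_DIR
# (placeholder), and the nginx service is named "web" as in docker-compose.yml above.
set -eu
COMPOSE_DIR="${COMPOSE_DIR:-/srv/stomup}"                  # assumed path, adjust
CERT="/etc/letsencrypt/live/stomup.ru/fullchain.pem"       # path from the article
HOST="stomup.ru"
RENEW_BEFORE_DAYS=30                                       # renew with a month to spare

# Whole days between "now" and notAfter (both epoch seconds); negative once expired.
days_left() {
    echo $(( ($1 - $2) / 86400 ))
}
# Exit status 0 when the certificate is inside the renewal window.
renewal_due() {
    [ "$(days_left "$1" "$2")" -le "$RENEW_BEFORE_DAYS" ]
}
# notAfter of a PEM certificate as epoch seconds (GNU date).
cert_not_after_epoch() {
    date -u -d "$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)" +%s
}
# Compare the SHA-256 fingerprint of the on-disk chain with what the container serves.
served_matches_disk() {
    local on_disk served
    on_disk=$(openssl x509 -in "$CERT" -noout -fingerprint -sha256)
    served=$(openssl s_client -connect "$HOST:443" -servername "$HOST" </dev/null 2>/dev/null \
             | openssl x509 -noout -fingerprint -sha256)
    [ "$on_disk" = "$served" ]
}
main() {
    local now not_after
    now=$(date -u +%s)
    not_after=$(cert_not_after_epoch "$CERT")
    if renewal_due "$not_after" "$now"; then
        # --deploy-hook runs only when a certificate was actually renewed. A certificate
        # obtained with --manual (as above) also needs --manual-auth-hook to renew unattended.
        certbot renew --deploy-hook "cd $COMPOSE_DIR && docker-compose restart web"
    else
        echo "certificate valid for $(days_left "$not_after" "$now") more days"
    fi
    served_matches_disk && echo "container serves the on-disk certificate" \
        || { echo "container still serves an old certificate, restart it" >&2; exit 1; }
}
# Acts only when invoked as "renew-check.sh run", which is the form to put in crontab.
case "${1:-}" in run) main ;; esac
```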

In my opinion, this is the simplest way to attach SSL to a Docker web app.

PS Please note that none of the configs shown in the article are final; the project is currently at a deep Dev stage, so I ask you not to criticize the configs - they will be reworked many times.

Source: www.habr.com