SSL certificate for a Docker web application

In this article I want to share a way to attach an SSL certificate to a web application running in Docker, because... I could not find such a solution in the Russian-speaking part of the Internet.


Details under the cut.

What we had: Docker 17.05, docker-compose 1.21, Ubuntu Server 18 and a clean Let's Encrypt install. Running production in Docker is not strictly necessary. But once you start building on Docker, it is hard to stop.

So, to begin with, here are the ordinary configs, the ones we had on the dev stand, i.e. without any SSL yet:

docker-compose.yml

version: '2'
services:
    php:
        build: ./php-fpm
        volumes:
            - ./StomUp:/var/www/StomUp
            - ./php-fpm/php.ini:/usr/local/etc/php/php.ini
        depends_on:
            - mysql
        container_name: "StomPHP"
    web:
        image: nginx:latest
        ports:
            - "80:80"
            - "443:443"
        volumes:
            - ./StomUp:/var/www/StomUp
            - ./nginx/main.conf:/etc/nginx/conf.d/default.conf
        depends_on:
            - php
    mysql:
        image: mysql:5.7
        command: mysqld --sql_mode=""
        environment:
            MYSQL_ROOT_PASSWORD: xxx
        ports:
            - "3333:3306"

nginx/main.conf

server {
    listen 80;
    server_name *.stomup.ru stomup.ru;
    root /var/www/StomUp/public;
    client_max_body_size 5M;

    location / {
        # try to serve file directly, fallback to index.php
        try_files $uri /index.php$is_args$args;
    }

    location ~ ^/index\.php(/|$) {
        #fastcgi_pass unix:/var/run/php7.2-fpm.sock;
        # "php" resolves to the php-fpm container on the compose network
        fastcgi_pass php:9000;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;
        internal;
    }

    # any other .php file must never be served or executed
    location ~ \.php$ {
        return 404;
    }

    error_log /var/log/nginx/project_error.log;
    access_log /var/log/nginx/project_access.log;
}

After that we actually had to set up SSL. Honestly, I spent about two hours studying the site. All the options offered there are interesting. But at the current stage of the project we (the business) needed to quickly and reliably bolt a Let's Encrypt SSL certificate onto the nginx container, and nothing more.

First of all, we installed certbot on the production server:
sudo apt-get install certbot

After that we issued a wildcard certificate for our domain. The wildcard is quoted so the shell does not expand it as a glob. Wildcard names are only available over ACME v2, so if certbot replies that wildcard domains are not supported, add --server https://acme-v02.api.letsencrypt.org/directory to the command:

sudo certbot certonly -d stomup.ru -d '*.stomup.ru' --manual --preferred-challenges dns


Once started, certbot will hand us two TXT values (one for stomup.ru, one for *.stomup.ru) that must be published in the DNS settings. Both go under the same name, _acme-challenge.stomup.ru, as two separate TXT records:

_acme-challenge.stomup.ru TXT {theKeyThatCertbotGaveYou}


Then press Enter.

After that, certbot checks that these records are visible in DNS and generates the certificates for you.
If you have added the record but validation did not pass, the record has most likely not propagated yet: try running the command again after 5-10 minutes.
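Two checks worth scripting around the manual step above, as an added example that is not part of the original article. The first function implements the wildcard matching rule browsers apply (RFC 6125: the asterisk may only be the leftmost label and matches exactly one label), which is the reason the certbot command lists both stomup.ru and *.stomup.ru instead of the wildcard alone. The second confirms the TXT record is already visible from a public resolver before you press Enter in certbot, so a premature attempt does not burn a validation against the rate limit. The domain is the article's; the resolver address and the sample token are assumptions, and dig (package dnsutils) is required only for the DNS check.

```shell
#!/bin/sh
# Added example, not from the original article. Helpers for the manual
# wildcard issuance: SAN matching rules and a DNS pre-flight check.
set -u

# RFC 6125 wildcard matching as browsers apply it: "*" may only be the
# leftmost label and matches exactly one label. So "*.stomup.ru" covers
# www.stomup.ru but neither stomup.ru nor a.b.stomup.ru.
cert_name_matches() {
    name=$1
    host=$2
    case $name in
        '*.'*)
            suffix=${name#\*.}
            # host must have a non-empty first label, a dot, and everything
            # after the first label must equal the suffix
            [ "${host%%.*}" != "" ] &&
            [ "${host#*.}" != "$host" ] &&
            [ "${host#*.}" = "$suffix" ]
            ;;
        *)
            [ "$name" = "$host" ]
            ;;
    esac
}

# Returns 0 when at least one SAN in the list covers the host.
# Usage: covered_by_cert api.stomup.ru stomup.ru '*.stomup.ru'
covered_by_cert() {
    host=$1
    shift
    for san in "$@"; do
        if cert_name_matches "$san" "$host"; then
            return 0
        fi
    done
    return 1
}

# Before pressing Enter in certbot, confirm the TXT record is visible from
# a public resolver (1.1.1.1 is an assumption; any resolver outside your
# own DNS provider works). Needs dig; not exercised offline.
# Usage: dns_has_token stomup.ru 'dbnZ...token-from-certbot...'
dns_has_token() {
    domain=$1
    token=$2
    dig +short TXT "_acme-challenge.$domain" @1.1.1.1 | tr -d '"' | grep -qx "$token"
}

# Poll until the record shows up (or give up), so the certbot prompt is
# only answered once validation can succeed.
wait_for_token() {
    domain=$1
    token=$2
    tries=${3:-20}
    while [ "$tries" -gt 0 ]; do
        if dns_has_token "$domain" "$token"; then
            echo "TXT record for _acme-challenge.$domain is visible"
            return 0
        fi
        tries=$((tries - 1))
        sleep 30
    done
    echo "TXT record for _acme-challenge.$domain not visible yet" >&2
    return 1
}
```

Run wait_for_token in a second terminal with the token certbot printed, and press Enter in certbot only after it reports the record as visible.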

So now we are the proud owners of a Let's Encrypt certificate valid for 90 days, but it still has to get into Docker.

To do that, in the most trivial way possible, we mount the certificate directory into the nginx service in docker-compose.yml.

Example docker-compose.yml with SSL

version: '2'
services:
    php:
        build: ./php-fpm
        volumes:
            - ./StomUp:/var/www/StomUp
            # no certificate mount here: the php container never terminates TLS
            - ./php-fpm/php.ini:/usr/local/etc/php/php.ini
        depends_on:
            - mysql
        container_name: "StomPHP"
    web:
        image: nginx:latest
        ports:
            - "80:80"
            - "443:443"
        volumes:
            - ./StomUp:/var/www/StomUp
            - /etc/letsencrypt/:/etc/letsencrypt/
            - ./nginx/main.conf:/etc/nginx/conf.d/default.conf
        depends_on:
            - php
    mysql:
        image: mysql:5.7
        command: mysqld --sql_mode=""
        environment:
            MYSQL_ROOT_PASSWORD: xxx
        ports:
            - "3333:3306"

Clear so far? Great, let's move on.

Two things to note about the mount. Only the web (nginx) container needs /etc/letsencrypt; do not mount it into the php container as well, because the PHP process gains nothing from it but gets read access to privkey.pem. And mount the whole /etc/letsencrypt/ directory, not just live/stomup.ru/: the files under live/ are symlinks into ../../archive/, so a bind mount of live/stomup.ru/ alone shows up inside the container as dangling links and nginx fails to start. While you are in this file, note that "3333:3306" publishes MySQL on every host interface; use "127.0.0.1:3333:3306" unless remote access is really needed.

Now the nginx config has to be changed to work with port 443 and SSL in general. The block below relies on nginx's default ssl_protocols and cipher list; before this goes to production add ssl_protocols TLSv1.2 TLSv1.3; and a Strict-Transport-Security header. Also note that ssl_trusted_certificate is only consulted when ssl_stapling on is set (or client certificates are verified), so as written it has no effect:

Example main.conf with SSL

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name *.stomup.ru stomup.ru;
    set $base /var/www/StomUp;
    root $base/public;

    # SSL: these paths are the symlinks certbot maintains under live/;
    # they resolve because the whole /etc/letsencrypt/ is mounted
    ssl_certificate /etc/letsencrypt/live/stomup.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/stomup.ru/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/stomup.ru/chain.pem;

    client_max_body_size 5M;

    location / {
        # try to serve file directly, fallback to index.php
        try_files $uri /index.php$is_args$args;
    }

    location ~ ^/index\.php(/|$) {
        #fastcgi_pass unix:/var/run/php7.2-fpm.sock;
        fastcgi_pass php:9000;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;
        internal;
    }

    # any other .php file must never be served or executed
    location ~ \.php$ {
        return 404;
    }

    error_log /var/log/nginx/project_error.log;
    access_log /var/log/nginx/project_access.log;
}


# HTTP redirect
server {
    listen 80;
    listen [::]:80;

    server_name *.stomup.ru stomup.ru;

    location / {
        return 301 https://stomup.ru$request_uri;
    }
}

Actually, after these cunning manipulations we go to the directory with docker-compose.yml, run docker-compose up -d and check that SSL works. Everything should take off. One detail of the redirect block: it sends every subdomain to the apex stomup.ru; if subdomains should keep their host, return 301 https://$host$request_uri; instead.

The main thing is not to forget that a Let's Encrypt certificate is issued for 90 days, so it has to be renewed with sudo certbot renew, after which the project is restarted with docker-compose restart. Two caveats here. Because the certificate was obtained with --manual, certbot renew refuses to run non-interactively unless you give it a --manual-auth-hook script that publishes the new TXT record (or you re-issue the certificate with a DNS provider plugin); a bare certbot renew in cron will fail for this certificate. And a full docker-compose restart is more than needed: nginx only has to re-read the files, which docker-compose exec web nginx -s reload does without dropping connections or restarting php and mysql.

Another option is to put this sequence into crontab.
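A cron-friendly renewal wrapper for the setup above, as an added example that is not the article's own script. It renews through certbot's manual hooks, reloads nginx inside the running container rather than restarting the stack, and first verifies that the symlinks under live/ actually resolve, which is exactly what breaks when only live/stomup.ru/ is mounted. The compose project directory /opt/stomup, the hook scripts /usr/local/bin/acme-dns-auth.sh and acme-dns-cleanup.sh (which must create and delete the _acme-challenge TXT record at your DNS provider), and the cron schedule are assumptions; the service name web and the domain are from the article.

```shell
#!/bin/sh
# Added example, not from the original article: renew.sh
# Usage:  renew.sh renew    (from cron)
#         renew.sh reload   (called by certbot as --deploy-hook)
# Suggested crontab line (assumption):
#   17 3 * * * /opt/stomup/renew.sh renew >> /var/log/certbot-renew.log 2>&1
set -u

COMPOSE_DIR=${COMPOSE_DIR:-/opt/stomup}                    # assumption
LIVE_DIR=${LIVE_DIR:-/etc/letsencrypt/live/stomup.ru}
AUTH_HOOK=${AUTH_HOOK:-/usr/local/bin/acme-dns-auth.sh}      # assumption
CLEANUP_HOOK=${CLEANUP_HOOK:-/usr/local/bin/acme-dns-cleanup.sh}  # assumption

# certbot keeps only symlinks under live/; the real files live in
# ../../archive/. A container that bind-mounts live/<domain>/ alone sees
# dangling links, so check that every file nginx will open resolves.
live_dir_resolves() {
    dir=$1
    for f in fullchain.pem privkey.pem chain.pem; do
        # -e follows symlinks, so a dangling link fails this test
        if [ ! -e "$dir/$f" ]; then
            echo "dangling or missing: $dir/$f" >&2
            return 1
        fi
    done
    return 0
}

# Reload nginx inside the running container instead of restarting the whole
# stack: no downtime and no reconnect storm towards php and mysql.
# -T: no pseudo-TTY, required when there is no terminal (cron, hooks).
reload_nginx() {
    (cd "$COMPOSE_DIR" && docker-compose exec -T web nginx -s reload)
}

# The certificate was issued with --manual, so "certbot renew" only works
# unattended when an auth hook publishes the TXT record. --deploy-hook runs
# only for certificates that were actually renewed, so nginx is reloaded
# exactly when new files appeared under live/.
renew() {
    certbot renew \
        --manual-auth-hook "$AUTH_HOOK" \
        --manual-cleanup-hook "$CLEANUP_HOOK" \
        --deploy-hook "$0 reload"
}

case ${1:-} in
    reload) live_dir_resolves "$LIVE_DIR" && reload_nginx ;;
    renew)  renew ;;
    *)      : ;;   # no argument: only define the functions above
esac
```

certbot exports the domain and validation token to the auth hook as CERTBOT_DOMAIN and CERTBOT_VALIDATION; the hook only has to create the TXT record _acme-challenge.$CERTBOT_DOMAIN with that value and exit after the record is visible, and certbot does the rest.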

In my opinion this is the simplest way to attach SSL to a Docker web app.

PS: Please note that none of the configs shown in the article are final; the project is still deep in the Dev stage, so I ask you not to criticise the configs, they will change a lot.

Source: www.habr.com
