SSL certificate for a Docker web application

In this post I want to share with you a method for creating an SSL certificate for your web application running in Docker, because... I did not find such a solution in the Russian-language part of the Internet.


Details under the cut.

We have docker v.17.05, docker-compose v.1.21, Ubuntu Server 18 and plain Let'sEncrypt. Not that it is necessary to deploy production in Docker. But once you start building on Docker, it becomes hard to stop.

So, to begin with, I'll give the standard setup, the one we have at the dev stage, i.e. without port 443 and without SSL in general:

docker-compose.yml

version: '2'
services:
    php:
        build: ./php-fpm
        volumes:
            - ./StomUp:/var/www/StomUp
            - ./php-fpm/php.ini:/usr/local/etc/php/php.ini
        depends_on:
            - mysql
        container_name: "StomPHP"
    web:
        image: nginx:latest
        ports:
            - "80:80"
            - "443:443"
        volumes:
            - ./StomUp:/var/www/StomUp
            - ./nginx/main.conf:/etc/nginx/conf.d/default.conf
        depends_on:
            - php
    mysql:
        image: mysql:5.7
        command: mysqld --sql_mode=""
        environment:
            MYSQL_ROOT_PASSWORD: xxx
        ports:
            - "3333:3306"

nginx/main.conf

server {
    listen 80;
    server_name *.stomup.ru stomup.ru;
    root /var/www/StomUp/public;
    client_max_body_size 5M;

    location / {
        # try to serve file directly, fallback to index.php
        try_files $uri /index.php$is_args$args;
    }

    location ~ ^/index.php(/|$) {
        #fastcgi_pass unix:/var/run/php7.2-fpm.sock;
        # php-fpm runs in the "php" service of the compose project
        fastcgi_pass php:9000;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;
        internal;
    }

    # only the front controller may be executed; any other .php is a 404
    location ~ \.php$ {
        return 404;
    }

    error_log /var/log/nginx/project_error.log;
    access_log /var/log/nginx/project_access.log;
}

Next, we actually need to attach SSL. Honestly, I spent about 2 hours studying the subject. All the options on offer were interesting. But at the current stage of the project we (the business) needed to bolt Let'sEncrypt SSL onto the nginx container quickly and reliably, and nothing more.

First, we install certbot on the server:
sudo apt-get install certbot

Next, we generate a wildcard certificate for our domain:

sudo certbot certonly -d stomup.ru -d *.stomup.ru --manual --preferred-challenges dns


After running it, certbot gives us 2 TXT records that must be added in the DNS settings:

_acme-challenge.stomup.ru TXT {theKeyThatCertbotGaveYou}


And press Enter.

After this, certbot checks that these records exist in DNS and creates the certificate for you.
If you have added the records but certbot does not find them, try running the command again after 5-10 minutes.
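The manual DNS challenge only succeeds once Let's Encrypt's validators can see the TXT record, which is where the "wait 5-10 minutes and retry" advice above comes from. The following POSIX shell helper is an added example, not part of the original post: it polls a public resolver for the `_acme-challenge` record from a second terminal while certbot is paused at its prompt, and reports success only when the exact token certbot printed is present, so you know when it is safe to press Enter. It assumes `dig` (package dnsutils on Ubuntu) is installed; the token, the resolver address and the polling interval are assumptions, and stomup.ru is the domain from the post.

```shell
#!/bin/sh
# Added example (not from the original post): wait until the ACME DNS-01
# TXT record is visible in public DNS before continuing with certbot.

# txt_has_token OUTPUT TOKEN
# OUTPUT is the raw text of `dig +short TXT ...`, one quoted string per
# line. Returns 0 when one of those lines is exactly "TOKEN" (quotes
# included), so a record that merely contains the token as a substring,
# e.g. a stale value with a longer suffix, does not count as a match.
txt_has_token() {
    dig_output=$1
    token=$2
    printf '%s\n' "$dig_output" | grep -Fqx "\"$token\""
}

# wait_for_acme_txt DOMAIN TOKEN [TIMEOUT_SECONDS]
# Polls a public resolver (1.1.1.1 is an assumption; Let's Encrypt uses
# its own vantage points, so a public resolver is only an approximation)
# every 30 seconds until the record shows up or the timeout expires.
wait_for_acme_txt() {
    domain=$1
    token=$2
    timeout=${3:-600}
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        out=$(dig +short TXT "_acme-challenge.$domain" @1.1.1.1 2>/dev/null)
        if txt_has_token "$out" "$token"; then
            echo "TXT record for _acme-challenge.$domain is visible after ${waited}s"
            return 0
        fi
        sleep 30
        waited=$((waited + 30))
    done
    echo "TXT record not visible after ${timeout}s; do not press Enter yet" >&2
    return 1
}

# Usage from another terminal while certbot waits for Enter:
#   sh wait-acme-txt.sh stomup.ru 'TOKEN_PRINTED_BY_CERTBOT'
if [ "$#" -ge 2 ]; then
    wait_for_acme_txt "$1" "$2" "${3:-600}"
fi
```

Run it once for each TXT record certbot prints (the wildcard and the apex name are validated separately, which is why there are two). If it times out, re-check the record in your DNS provider's panel rather than pressing Enter, because a failed validation for a wildcard counts against the Let's Encrypt rate limits just like any other failure.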

Well, now we have a Let'sEncrypt certificate for 90 days, but we still need to get it into Docker.

To do this, in the most trivial way, we bind-mount the directory in the nginx section of docker-compose.yml.

Example docker-compose.yml with SSL

version: '2'
services:
    php:
        build: ./php-fpm
        volumes:
            - ./StomUp:/var/www/StomUp
            - /etc/letsencrypt/live/stomup.ru/:/etc/letsencrypt/live/stomup.ru/
            - ./php-fpm/php.ini:/usr/local/etc/php/php.ini
        depends_on:
            - mysql
        container_name: "StomPHP"
    web:
        image: nginx:latest
        ports:
            - "80:80"
            - "443:443"
        volumes:
            - ./StomUp:/var/www/StomUp
            - /etc/letsencrypt/:/etc/letsencrypt/
            - ./nginx/main.conf:/etc/nginx/conf.d/default.conf
        depends_on:
            - php
    mysql:
        image: mysql:5.7
        command: mysqld --sql_mode=""
        environment:
            MYSQL_ROOT_PASSWORD: xxx
        ports:
            - "3333:3306"

Mounted? Great, let's move on:

Now we need to change the nginx config to work with port 443 and with SSL in general:

Example main.conf config with SSL

# HTTPS
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name *.stomup.ru stomup.ru;
    set $base /var/www/StomUp;
    root $base/public;

    # SSL: paths are the ones bind-mounted from /etc/letsencrypt on the host
    ssl_certificate /etc/letsencrypt/live/stomup.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/stomup.ru/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/stomup.ru/chain.pem;

    client_max_body_size 5M;

    location / {
        # try to serve file directly, fallback to index.php
        try_files $uri /index.php$is_args$args;
    }

    location ~ ^/index.php(/|$) {
        #fastcgi_pass unix:/var/run/php7.2-fpm.sock;
        fastcgi_pass php:9000;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;
        internal;
    }

    # only the front controller may be executed; any other .php is a 404
    location ~ \.php$ {
        return 404;
    }

    error_log /var/log/nginx/project_error.log;
    access_log /var/log/nginx/project_access.log;
}


# HTTP redirect
server {
    listen 80;
    listen [::]:80;

    server_name *.stomup.ru stomup.ru;

    location / {
        return 301 https://stomup.ru$request_uri;
    }
}

Actually, after these manipulations we go to the directory with docker-compose, run docker-compose up -d, and check that SSL works. Everything should come up.

The main thing is not to forget that Let'sEncrypt certificates are issued for 90 days and you need to renew them with the command sudo certbot renew, and then restart the project with the command docker-compose restart.

Another option is to add this sequence to crontab.
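Two things are worth knowing before putting `certbot renew` and `docker-compose restart` into crontab. First, `certbot renew` only re-issues a certificate when it is close to expiry, so an unconditional restart afterwards bounces the containers twice a day for nothing; certbot's `--deploy-hook` runs a script only when a lineage was actually renewed, and exports the renewed directory in `RENEWED_LINEAGE`. Second, a certificate obtained with `--manual` and the DNS challenge, as above, can only be renewed unattended if certbot is also given a `--manual-auth-hook` (or a DNS plugin for your provider) that publishes the new TXT record; without one, the cron job fails because the manual plugin refuses to run non-interactively, and the hook never fires. The script below is an added example, not from the original post: a deploy hook that validates the nginx config inside the compose `web` service and reloads it without a restart, only for the stomup.ru lineage. The compose directory and the script's install path are assumptions. Note also that `/etc/letsencrypt/live/<domain>/` holds symlinks into `../../archive/`, so the `web` service, which mounts all of `/etc/letsencrypt/`, resolves them, while a service that mounts only the `live/` subdirectory would see dangling links.

```shell
#!/bin/sh
# Added example (not from the original post): certbot deploy hook that
# reloads nginx in the docker-compose "web" service when, and only when,
# the stomup.ru certificate lineage was renewed.
# Install as /usr/local/bin/reload-nginx.sh (assumed path) and chmod +x.

COMPOSE_DIR=${COMPOSE_DIR:-/opt/stomup}                # assumed project dir
LINEAGE=${LINEAGE:-/etc/letsencrypt/live/stomup.ru}    # lineage from the post

# should_reload RENEWED EXPECTED
# certbot sets RENEWED_LINEAGE for --deploy-hook scripts and runs the hook
# once per renewed lineage. Returns 0 only when the renewed lineage is the
# one nginx serves, so renewals of unrelated certificates on the same host
# do not touch the containers. Trailing slashes are ignored.
should_reload() {
    renewed=${1%/}
    expected=${2%/}
    [ -n "$renewed" ] && [ "$renewed" = "$expected" ]
}

# reload_nginx
# Test the configuration first: `nginx -s reload` with a broken config
# would leave the old worker serving, but a restart would take the site
# down. Both commands run inside the container so the paths match.
reload_nginx() {
    cd "$COMPOSE_DIR" || return 1
    docker-compose exec -T web nginx -t && docker-compose exec -T web nginx -s reload
}

# Hook entry point: certbot calls the script with no arguments.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    if should_reload "$RENEWED_LINEAGE" "$LINEAGE"; then
        reload_nginx
    else
        echo "lineage $RENEWED_LINEAGE renewed; not the nginx one, nothing to do"
    fi
fi

# Root crontab entry (certbot recommends running renew twice a day; it
# only re-issues when the certificate is within 30 days of expiry):
#   0 3,15 * * * certbot renew --quiet --deploy-hook /usr/local/bin/reload-nginx.sh
```

To exercise the hook without waiting for a real renewal, run it by hand with the environment certbot would set: `RENEWED_LINEAGE=/etc/letsencrypt/live/stomup.ru sh /usr/local/bin/reload-nginx.sh`. If you prefer the post's `docker-compose restart`, swap it into `reload_nginx`; the lineage check still prevents needless restarts.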

In my opinion, this is the easiest way to connect SSL to a Docker web application.

P.S. Please keep in mind that all the scripts given in the text are not final; the project is now in a deep dev stage, so I'd ask you not to criticize the configs, they will be changed more than once.

Source: www.habr.com
