In this article I want to share a way to set up an SSL certificate for a web application running in Docker, because... I could not find a ready-made solution of this kind in the Russian-language part of the Internet.
Details under the cut.
We had docker v17.05, docker-compose v1.21, Ubuntu Server 18 and a pint of fresh Let's Encrypt. Not that it is necessary to deploy production on Docker. But once you start building on Docker, it is hard to stop.
So, to begin with, here is the standard setup we had at the dev stage, i.e. without a 443 listener in nginx and without SSL at all:
docker-compose.yml

version: '2'
services:
  php:
    build: ./php-fpm
    volumes:
      - ./StomUp:/var/www/StomUp
      - ./php-fpm/php.ini:/usr/local/etc/php/php.ini
    depends_on:
      - mysql
    container_name: "StomPHP"
  web:
    image: nginx:latest
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./StomUp:/var/www/StomUp
      - ./nginx/main.conf:/etc/nginx/conf.d/default.conf
    depends_on:
      - php
  mysql:
    image: mysql:5.7
    command: mysqld --sql_mode=""
    environment:
      MYSQL_ROOT_PASSWORD: xxx
    ports:
      # published on every host interface; use "127.0.0.1:3333:3306"
      # if only tools on the host itself need to reach MySQL
      - "3333:3306"
nginx/main.conf

server {
    listen 80;
    server_name *.stomup.ru stomup.ru;
    root /var/www/StomUp/public;
    client_max_body_size 5M;

    location / {
        # try to serve file directly, fallback to index.php
        try_files $uri /index.php$is_args$args;
    }

    location ~ ^/index\.php(/|$) {
        #fastcgi_pass unix:/var/run/php7.2-fpm.sock;
        fastcgi_pass php:9000;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;
        # only reachable through the try_files rewrite above
        internal;
    }

    # every other .php file is refused: only the front controller is executable
    location ~ \.php$ {
        return 404;
    }

    error_log /var/log/nginx/project_error.log;
    access_log /var/log/nginx/project_access.log;
}
Next, we need to add SSL. To be honest, I spent about two hours reading what others had written on the subject. All the options offered there are interesting. But at the current stage of the project we (the business) needed to quickly and reliably attach a Let's Encrypt SSL certificate to the nginx container, and nothing more.
First of all, we installed certbot on the server:
sudo apt-get install certbot
Then we issued a wildcard certificate for our domain (the wildcard is quoted so the shell does not try to expand it as a file glob):
sudo certbot certonly -d stomup.ru -d '*.stomup.ru' --manual --preferred-challenges dns
When run, certbot prints two TXT records (one for stomup.ru and one for *.stomup.ru; both live at the same label) that must be added in the DNS settings:
_acme-challenge.stomup.ru TXT {the value certbot printed}
Both records must exist at the same time, so add the second one next to the first rather than replacing it. Then press Enter.
After that, certbot checks that these records are present in DNS and creates the certificate for you.
If you added the record but certbot did not find it, re-run the command after 5-10 minutes to give the DNS change time to propagate.
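Instead of guessing when the records have propagated, you can ask a public resolver before pressing Enter. The following is an added example, not code from the article: a POSIX shell helper that queries the TXT records at the challenge name and only reports success when every value certbot printed is visible at once. The resolver address 1.1.1.1, the `dig` dependency and the value strings are assumptions or placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): before pressing Enter in
# certbot's manual dns-01 prompt, confirm that a public resolver already
# returns BOTH challenge values at _acme-challenge.stomup.ru.
# Assumptions: dig is installed; 1.1.1.1 is an acceptable public resolver.

# Resolver and dig binary can be overridden through the environment.
RESOLVER="${RESOLVER:-1.1.1.1}"
DIG="${DIG:-dig}"

# Print the TXT records currently visible for a name, one quoted value per line.
txt_records() {
    "$DIG" +short TXT "$1" @"$RESOLVER"
}

# acme_txt_present NAME VALUE...: return 0 only if every VALUE is present as
# a TXT record at NAME.  The apex and the wildcard challenge share the same
# label, so both values must coexist; overwriting the first record with the
# second is the usual reason certbot reports the record as missing.
acme_txt_present() {
    name="$1"; shift
    records="$(txt_records "$name")" || return 2
    for value in "$@"; do
        case "$records" in
            *"\"$value\""*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# wait_for_acme_txt NAME TRIES SECONDS VALUE...: poll until all values are
# visible or TRIES attempts SECONDS apart have been made.
wait_for_acme_txt() {
    name="$1"; tries="$2"; delay="$3"; shift 3
    i=0
    while [ "$i" -lt "$tries" ]; do
        if acme_txt_present "$name" "$@"; then
            echo "all challenge records visible at $name"
            return 0
        fi
        i=$((i + 1))
        sleep "$delay"
    done
    echo "challenge records still missing at $name after $tries tries" >&2
    return 1
}

# Usage while certbot is waiting at its prompt (values are placeholders):
#   wait_for_acme_txt _acme-challenge.stomup.ru 30 20 'VALUE_FOR_APEX' 'VALUE_FOR_WILDCARD'
```

Run it in a second terminal while certbot is waiting; when it reports success, go back and press Enter. Querying a public resolver rather than your own name server matters because Let's Encrypt's validators resolve the name from outside, so a record that is only visible locally does not count.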
So, we are now the proud owners of a Let's Encrypt certificate valid for 90 days, but we still need to get it into Docker.
The most straightforward way to do that is to mount the certificate directory into the nginx service in docker-compose.yml. Only nginx needs it: php-fpm never reads the certificate or the private key, so it does not get the mount.
Example docker-compose.yml with SSL
version: '2'
services:
  php:
    build: ./php-fpm
    volumes:
      - ./StomUp:/var/www/StomUp
      # The original also mounted /etc/letsencrypt/live/stomup.ru/ here.
      # php-fpm does not need the certificate or the private key, and live/
      # only holds symlinks into ../../archive/, so mounting live/ on its own
      # gives dangling links inside the container anyway.
      # - /etc/letsencrypt/live/stomup.ru/:/etc/letsencrypt/live/stomup.ru/
      - ./php-fpm/php.ini:/usr/local/etc/php/php.ini
    depends_on:
      - mysql
    container_name: "StomPHP"
  web:
    image: nginx:latest
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./StomUp:/var/www/StomUp
      # whole /etc/letsencrypt so the live/ -> archive/ symlinks resolve;
      # read-only, since nginx only reads the files
      - /etc/letsencrypt/:/etc/letsencrypt/:ro
      - ./nginx/main.conf:/etc/nginx/conf.d/default.conf
    depends_on:
      - php
  mysql:
    image: mysql:5.7
    command: mysqld --sql_mode=""
    environment:
      MYSQL_ROOT_PASSWORD: xxx
    ports:
      # published on every host interface; use "127.0.0.1:3333:3306"
      # if only tools on the host itself need to reach MySQL
      - "3333:3306"
Mounted? Good, let's move on.
Now we need to change the nginx config so that it listens on port 443 and serves SSL:
Example main.conf with SSL
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name *.stomup.ru stomup.ru;

    set $base /var/www/StomUp;
    root $base/public;

    # SSL (paths inside the container, as mounted from /etc/letsencrypt)
    ssl_certificate /etc/letsencrypt/live/stomup.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/stomup.ru/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/stomup.ru/chain.pem;

    client_max_body_size 5M;

    location / {
        # try to serve file directly, fallback to index.php
        try_files $uri /index.php$is_args$args;
    }

    location ~ ^/index\.php(/|$) {
        #fastcgi_pass unix:/var/run/php7.2-fpm.sock;
        fastcgi_pass php:9000;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;
        # only reachable through the try_files rewrite above
        internal;
    }

    # every other .php file is refused: only the front controller is executable
    location ~ \.php$ {
        return 404;
    }

    error_log /var/log/nginx/project_error.log;
    access_log /var/log/nginx/project_access.log;
}

# HTTP redirect
server {
    listen 80;
    listen [::]:80;
    server_name *.stomup.ru stomup.ru;

    location / {
        # note: this sends every host, including subdomains, to the apex;
        # use https://$host$request_uri to keep the host the client asked for
        return 301 https://stomup.ru$request_uri;
    }
}
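The server block above leaves the TLS protocol and cipher settings at the nginx image's defaults, which in builds of that period still allow TLSv1 and TLSv1.1. As an added example, not part of the original article, here is the same 443 block with those settings made explicit, following the Mozilla "intermediate" profile, plus an HSTS header and a redirect that preserves the requested host. The certificate paths are the article's; everything else in the block is my addition, and the location blocks are the same as in the article and omitted here.

```nginx
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name *.stomup.ru stomup.ru;

    set $base /var/www/StomUp;
    root $base/public;

    ssl_certificate     /etc/letsencrypt/live/stomup.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/stomup.ru/privkey.pem;

    # Explicit protocol and cipher policy instead of the image defaults.
    # TLSv1.3 only takes effect when the image's OpenSSL supports it.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # Session resumption without long-lived ticket keys shared across restarts.
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # Only enable once HTTPS is known to work for every host under *.stomup.ru:
    # browsers cache this policy for max-age seconds (two years here).
    add_header Strict-Transport-Security "max-age=63072000" always;

    client_max_body_size 5M;

    # location / and location ~ ^/index\.php(/|$) and location ~ \.php$
    # exactly as in the article's main.conf

    error_log /var/log/nginx/project_error.log;
    access_log /var/log/nginx/project_access.log;
}

# HTTP redirect
server {
    listen 80;
    listen [::]:80;
    server_name *.stomup.ru stomup.ru;

    # $host keeps the subdomain the client asked for instead of sending
    # every request to the apex
    return 301 https://$host$request_uri;
}
```

Before reloading, run nginx -t inside the container (docker-compose exec web nginx -t) so a typo in the cipher list does not take the site down.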
After these manipulations we go to the directory with docker-compose, run docker-compose up -d, and check that SSL works. Everything should come up.
The main thing is not to forget that a Let's Encrypt certificate is issued for 90 days and will need to be renewed with sudo certbot renew, after which the project is restarted with docker-compose restart.
Another option is to put this sequence in crontab. Two caveats before automating it: certbot renew cannot renew a certificate that was obtained with --manual unless a --manual-auth-hook (or a DNS plugin) is configured, so with the interactive command used above you either re-run it by hand every 90 days or add such a hook first; and nginx re-reads the certificate files on a reload (nginx -s reload inside the container), so a full docker-compose restart is not required.
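The following is an added example, not the article's code, of what that cron job can look like once renewal is non-interactive: a pre-flight check that the mounted live directory is actually usable by nginx (both files present, private key matching the certificate, enough validity left), and a certbot renew call whose deploy hook reloads nginx inside the compose "web" service instead of restarting the project. The paths in LIVE_DIR and COMPOSE_FILE are placeholders, and openssl, certbot and docker-compose are assumed to be on PATH; it assumes a DNS auth hook or plugin has already been added to the renewal configuration.

```shell
#!/bin/sh
# Added example (not from the original article).
# 1. cert_ready DIR MIN_DAYS: pre-flight check of a Let's Encrypt live/
#    directory before (re)loading nginx.
# 2. renew_and_reload: certbot renew with a deploy hook that reloads nginx
#    inside the running "web" container; certbot runs the hook only when a
#    certificate was actually renewed.
# Assumptions: openssl, certbot and docker-compose on PATH; the two paths
# below are placeholders for this example; the renewal config already has a
# --manual-auth-hook or DNS plugin, otherwise certbot renew cannot renew a
# certificate that was obtained with --manual.

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/stomup.ru}"          # placeholder
COMPOSE_FILE="${COMPOSE_FILE:-/opt/stomup/docker-compose.yml}"   # placeholder

# Public key in PEM form from a certificate and from a private key, so the
# two can be compared whatever the key type (RSA or EC).
pubkey_of_cert() { openssl x509 -noout -pubkey -in "$1"; }
pubkey_of_key()  { openssl pkey -in "$1" -pubout; }

# cert_ready DIR MIN_DAYS: return 0 if nginx can safely load the files in DIR
# and the leaf certificate is valid for at least MIN_DAYS more days.
cert_ready() {
    dir="$1"; min_days="${2:-14}"
    for f in fullchain.pem privkey.pem; do
        if [ ! -r "$dir/$f" ]; then
            echo "missing or unreadable: $dir/$f" >&2
            return 1
        fi
    done
    # A key/cert mismatch is the classic result of mounting the wrong
    # directory or of a copy that replaced only one of the two files.
    if [ "$(pubkey_of_cert "$dir/fullchain.pem")" != "$(pubkey_of_key "$dir/privkey.pem")" ]; then
        echo "privkey.pem does not match fullchain.pem in $dir" >&2
        return 1
    fi
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -noout -checkend $((min_days * 86400)) -in "$dir/fullchain.pem" >/dev/null; then
        echo "certificate in $dir expires within $min_days days" >&2
        return 1
    fi
    return 0
}

# Validate the config inside the container, then reload: nginx re-reads the
# certificate files on reload, so no container restart and no downtime.
reload_nginx() {
    docker-compose -f "$COMPOSE_FILE" exec -T web nginx -t &&
        docker-compose -f "$COMPOSE_FILE" exec -T web nginx -s reload
}

# Renew whatever is due; the deploy hook runs once per renewed certificate.
renew_and_reload() {
    certbot renew --quiet \
        --deploy-hook "docker-compose -f $COMPOSE_FILE exec -T web nginx -s reload"
}

# Suggested crontab entry (root), assuming this file is saved as
# /usr/local/bin/renew-and-reload.sh:
#   17 3 * * * /usr/local/bin/renew-and-reload.sh
# Run the pre-flight check first so a broken mount is reported, not reloaded.
main() {
    cert_ready "$LIVE_DIR" 14 || echo "warning: current certificate files look wrong" >&2
    renew_and_reload
}

# Only run main when executed directly, not when sourced.
case "$0" in
    *renew-and-reload.sh) main ;;
esac
```

cert_ready is also useful on its own right after docker-compose up: run it against the host path and then against the path inside the container (docker-compose exec web sh) to confirm that the mount and the live/ symlinks resolve to the same, current files.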
In my opinion this is the simplest way to attach SSL to a web application running in Docker.
PS Please note that none of the configs presented in the text are final; the project is currently at an active dev stage, so I would ask you not to criticize the configs, they will be changed many times.
Source: mapenzi.com