SSL certificate for a Docker web application

In this article I want to share with you a way to obtain an SSL certificate for your web application running in Docker, because... I did not find such a solution in the Russian-speaking part of the Internet.


Details under the cut.

We had docker v17.05, docker-compose v1.21, Ubuntu Server 18 and a litre of pure Let's Encrypt. Not that anyone needs to deploy production in Docker. But once you start building on Docker, it is hard to stop.

So, to begin with, here are the standard configs we had at the development stage, i.e. without port 443 and without SSL at all:

docker-compose.yml

version: '2'
services:
    php:
        build: ./php-fpm
        volumes:
            - ./StomUp:/var/www/StomUp
            - ./php-fpm/php.ini:/usr/local/etc/php/php.ini
        depends_on:
            - mysql
        container_name: "StomPHP"
    web:
        image: nginx:latest
        ports:
            - "80:80"
            - "443:443"
        volumes:
            - ./StomUp:/var/www/StomUp
            - ./nginx/main.conf:/etc/nginx/conf.d/default.conf
        depends_on:
            - php
    mysql:
        image: mysql:5.7
        command: mysqld --sql_mode=""
        environment:
            MYSQL_ROOT_PASSWORD: xxx
        ports:
            - "3333:3306"

nginx/main.conf

server {
    listen 80;
    server_name *.stomup.ru stomup.ru;
    root /var/www/StomUp/public;
    client_max_body_size 5M;

    location / {
        # try to serve file directly, fallback to index.php
        try_files $uri /index.php$is_args$args;
    }

    location ~ ^/index.php(/|$) {
        #fastcgi_pass unix:/var/run/php7.2-fpm.sock;
        fastcgi_pass php:9000;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;
        internal;
    }

    # any other .php file is never served directly
    location ~ \.php$ {
        return 404;
    }

    error_log /var/log/nginx/project_error.log;
    access_log /var/log/nginx/project_access.log;
}

Next, we actually need to attach SSL. To be honest, I spent about two hours studying the .com zone. All the options suggested there are interesting. But at the current stage of the project we (the business) needed to bolt Let's Encrypt SSL onto the nginx container quickly and reliably, and nothing more.

First of all, we installed certbot on the server:

sudo apt-get install certbot

Next, we generated a wildcard certificate for our domain (the wildcard is quoted so the shell does not try to expand it):

sudo certbot certonly -d stomup.ru -d '*.stomup.ru' --manual --preferred-challenges dns


After running it, certbot gives us 2 TXT records that must be added in the DNS settings:

_acme-challenge.stomup.ru TXT {the-value-certbot-gave-you}


Then press Enter.

After that, certbot checks that these records exist in DNS and generates the certificates for you.
If you added the record but certbot did not find it, try running the command again after 5-10 minutes.
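Instead of guessing at the propagation delay, the wait can be scripted. The following is an added example and not code from the original article: it polls a public resolver for the _acme-challenge TXT records with `dig` (assumed installed, package dnsutils on Ubuntu) and reports success only when every value certbot handed out is present, because `-d stomup.ru -d '*.stomup.ru'` produces two challenges on the same name; the lookup function is injectable so the logic itself runs offline.

```python
"""Wait for the _acme-challenge TXT records to be visible before pressing Enter in certbot.

Added example (not from the article). Assumes `dig` is on PATH; the `lookup`
argument lets the logic run without any DNS access.
"""
import subprocess
import sys
import time
from typing import Callable, Iterable, List

Lookup = Callable[[str], List[str]]


def dig_txt(name: str, server: str = "8.8.8.8") -> List[str]:
    """TXT strings for `name` as seen by a public resolver (assumption: dig is installed)."""
    proc = subprocess.run(["dig", "+short", "@" + server, "TXT", name],
                          capture_output=True, text=True, check=False)
    # dig +short prints one quoted string per record; strip the quotes
    return [ln.strip().strip('"') for ln in proc.stdout.splitlines() if ln.strip()]


def challenge_visible(domain: str, expected: Iterable[str], lookup: Lookup = dig_txt) -> bool:
    """True only when every value certbot issued is published on _acme-challenge.<domain>.

    `-d stomup.ru -d '*.stomup.ru'` yields two challenges for the SAME name, so both
    values must exist as separate TXT records; one record alone is not enough.
    """
    published = set(lookup("_acme-challenge." + domain))
    return set(expected) <= published


def wait_for_challenge(domain: str, expected: Iterable[str], lookup: Lookup = dig_txt,
                       timeout: int = 600, interval: int = 30,
                       sleep: Callable[[float], None] = time.sleep) -> bool:
    """Poll until the records propagate; give up after `timeout` seconds (10 min by default)."""
    expected = list(expected)
    attempts = max(1, timeout // interval)
    for i in range(attempts):
        if challenge_visible(domain, expected, lookup):
            return True
        if i + 1 < attempts:
            sleep(interval)
    return False


if __name__ == "__main__":
    # usage: python wait_txt.py stomup.ru <value1> <value2>   (values copied from certbot)
    ok = wait_for_challenge(sys.argv[1], sys.argv[2:])
    print("challenge records visible" if ok else "records still missing after timeout")
    sys.exit(0 if ok else 1)
```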

That's it, we are the proud owners of a Let's Encrypt certificate for 90 days, but now we need to get it into Docker.

To do this, in the most trivial way, we bind the directories in docker-compose.yml, in the nginx section.

Example docker-compose.yml with SSL

version: '2'
services:
    php:
        build: ./php-fpm
        volumes:
            - ./StomUp:/var/www/StomUp
            # Not used by php-fpm, since only nginx terminates TLS. Note that live/ holds
            # symlinks into ../../archive/, so mounting live/ alone gives dangling links.
            - /etc/letsencrypt/live/stomup.ru/:/etc/letsencrypt/live/stomup.ru/
            - ./php-fpm/php.ini:/usr/local/etc/php/php.ini
        depends_on:
            - mysql
        container_name: "StomPHP"
    web:
        image: nginx:latest
        ports:
            - "80:80"
            - "443:443"
        volumes:
            - ./StomUp:/var/www/StomUp
            # the whole /etc/letsencrypt, so the live/ symlinks resolve into archive/;
            # nginx only reads the files, so a read-only mount is enough
            - /etc/letsencrypt/:/etc/letsencrypt/:ro
            - ./nginx/main.conf:/etc/nginx/conf.d/default.conf
        depends_on:
            - php
    mysql:
        image: mysql:5.7
        command: mysqld --sql_mode=""
        environment:
            MYSQL_ROOT_PASSWORD: xxx
        ports:
            - "3333:3306"

Bound? Great, let's continue:

Now we need to change the nginx config to work with port 443 and SSL in general:

Example main.conf config with SSL

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name *.stomup.ru stomup.ru;
    set $base /var/www/StomUp;
    root $base/public;

    # SSL
    ssl_certificate /etc/letsencrypt/live/stomup.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/stomup.ru/privkey.pem;
    # chain used to verify OCSP responses; only consulted if ssl_stapling is enabled
    ssl_trusted_certificate /etc/letsencrypt/live/stomup.ru/chain.pem;

    client_max_body_size 5M;

    location / {
        # try to serve file directly, fallback to index.php
        try_files $uri /index.php$is_args$args;
    }

    location ~ ^/index.php(/|$) {
        #fastcgi_pass unix:/var/run/php7.2-fpm.sock;
        fastcgi_pass php:9000;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;
        internal;
    }

    # any other .php file is never served directly
    location ~ \.php$ {
        return 404;
    }

    error_log /var/log/nginx/project_error.log;
    access_log /var/log/nginx/project_access.log;
}


# HTTP redirect
server {
    listen 80;
    listen [::]:80;

    server_name *.stomup.ru stomup.ru;

    location / {
        return 301 https://stomup.ru$request_uri;
    }
}

Actually, after these manipulations we go to the directory with docker-compose, type docker-compose up -d, and check that SSL works. Everything should fly.

The main thing to remember is that the Let's Encrypt certificate is issued for 90 days and must be renewed with the command sudo certbot renew, after which the project is restarted with the command docker-compose restart.

Another option is to add this sequence to crontab.

In my opinion, this is the easiest way to attach SSL to a Docker web application.

PS Please keep in mind that none of the scripts in the text are final; the project is now in deep development, so I ask you not to criticize the configs - they will be changed many times.

Source: www.habr.com
