SSL certificate for a Docker web application

In this article I want to share with you a way to create an SSL certificate for your web application running on Docker, because... I did not find such a solution in the Russian-speaking part of the Internet.


Details below.

We have docker v17.05, docker-compose v1.21, Ubuntu Server 18 and plain Let's Encrypt. It is not that production has to run on Docker. But once you start writing Docker, it is hard to stop.

So, to begin with, here is the standard setup we have at the dev stage, i.e. without port 443 and without SSL at all:

docker-compose.yml

version: '2'
services:
    php:
        build: ./php-fpm
        volumes:
            - ./StomUp:/var/www/StomUp
            - ./php-fpm/php.ini:/usr/local/etc/php/php.ini
        depends_on:
            - mysql
        container_name: "StomPHP"
    web:
        image: nginx:latest
        ports:
            - "80:80"
            # 443 is already published here, but nothing listens on it
            # until the SSL server block is added to main.conf below.
            - "443:443"
        volumes:
            - ./StomUp:/var/www/StomUp
            - ./nginx/main.conf:/etc/nginx/conf.d/default.conf
        depends_on:
            - php
    mysql:
        image: mysql:5.7
        # Empty sql_mode disables strict mode; fine for dev, revisit before production.
        command: mysqld --sql_mode=""
        environment:
            # xxx is a placeholder; use a real secret (e.g. from an env file) outside dev.
            MYSQL_ROOT_PASSWORD: xxx
        ports:
            # "3333:3306" publishes MySQL on every host interface. If it is only
            # needed from the host itself, bind it to loopback: "127.0.0.1:3333:3306".
            - "3333:3306"

nginx/main.conf

server {
    listen 80;
    server_name *.stomup.ru stomup.ru;
    root /var/www/StomUp/public;
    client_max_body_size 5M;

    location / {
        # try to serve file directly, fallback to index.php
        try_files $uri /index.php$is_args$args;
    }

    # Front controller: index.php is the only PHP entry point.
    location ~ ^/index\.php(/|$) {
        #fastcgi_pass unix:/var/run/php7.2-fpm.sock;
        # "php" resolves to the php service on the compose network
        fastcgi_pass php:9000;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;
        # only reachable through try_files, never by a direct request
        internal;
    }

    # Any other .php file is refused, so a stray script under public/ is never executed.
    location ~ \.php$ {
        return 404;
    }

    error_log /var/log/nginx/project_error.log;
    access_log /var/log/nginx/project_access.log;
}

Next, we actually need to set up SSL. Honestly, I spent about two hours studying the subject. All the options offered there are interesting. But at the current stage of the project we (the business) need to quickly and reliably bolt Let's Encrypt SSL onto the nginx container, and nothing more.

First, install certbot on the server:

sudo apt-get install certbot

Next, issue a wildcard certificate for our domain. Wildcards are only available through the DNS-01 challenge, hence --preferred-challenges dns; the asterisk is quoted so the shell does not try to expand it as a glob:

sudo certbot certonly -d stomup.ru -d '*.stomup.ru' --manual --preferred-challenges dns


After it runs, certbot will print two TXT records (one per -d name; both live under the same name, because the wildcard is validated at the base domain) that must be added in the DNS settings:

_acme-challenge.stomup.ru TXT {theValueCertbotGaveYou}

Add both values, then press Enter. Do not press Enter before the records are actually published: every failed validation counts against Let's Encrypt's rate limit for failed authorizations.

After that, certbot checks that these records exist in DNS and issues the certificate for you.
If you added the record but certbot does not find it, try running the command again after 5-10 minutes.
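Before pressing Enter it is cheaper to confirm the TXT records are visible than to let certbot fail and burn a validation attempt. The script below is an added example, not from the original article: it asks one of the domain's authoritative nameservers directly (Let's Encrypt validates against authoritative servers, so a cached answer from your local resolver proves nothing) and polls until the token appears. It assumes dig (the dnsutils package) is installed and that the tokens passed on the command line are the values certbot printed; the domain defaults to stomup.ru.

```shell
#!/bin/sh
# check-acme-txt.sh (added example): wait until the _acme-challenge TXT
# values certbot printed are visible at an authoritative nameserver.
set -eu

DOMAIN="${DOMAIN:-stomup.ru}"    # the domain given to certbot -d

# First authoritative NS for the domain (dig prints names with a trailing dot,
# which dig accepts after "@").
authoritative_ns() {
    dig +short NS "$1" | head -n 1
}

# txt_matches TOKEN: reads "dig +short TXT" output on stdin (one quoted string
# per line) and succeeds when one of the lines equals TOKEN exactly.
txt_matches() {
    expected="$1"
    while IFS= read -r line; do
        line=${line#\"}
        line=${line%\"}
        [ "$line" = "$expected" ] && return 0
    done
    return 1
}

# wait_for_txt TOKEN [TRIES]: poll every 30 s, default 20 tries (10 minutes),
# which matches the 5-10 minute propagation wait the article recommends.
wait_for_txt() {
    token="$1"
    tries="${2:-20}"
    ns=$(authoritative_ns "$DOMAIN")
    [ -n "$ns" ] || { echo "no NS record found for $DOMAIN" >&2; return 1; }
    while [ "$tries" -gt 0 ]; do
        if dig +short TXT "_acme-challenge.$DOMAIN" "@$ns" | txt_matches "$token"; then
            echo "ok: $token is visible at $ns"
            return 0
        fi
        tries=$((tries - 1))
        sleep 30
    done
    echo "timeout: $token not visible at $ns" >&2
    return 1
}

# Usage: ./check-acme-txt.sh TOKEN1 TOKEN2   (the two values certbot printed)
if [ $# -gt 0 ]; then
    for t in "$@"; do
        wait_for_txt "$t"
    done
fi
```

Run it in a second terminal while certbot is waiting; once it reports both tokens, go back and press Enter. Because both records share the name _acme-challenge.stomup.ru, the query returns both values and the script simply looks for each one in turn.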

Well, now we are the proud owners of a Let's Encrypt certificate valid for 90 days, but we still need to get it into Docker.

To do that, in the simplest way possible, we bind-mount the certificate directories into the nginx service in docker-compose.yml.

Example docker-compose.yml with SSL

version: '2'
services:
    php:
        build: ./php-fpm
        volumes:
            - ./StomUp:/var/www/StomUp
            # Not needed: PHP-FPM never reads the certificate, and mounting it here
            # hands privkey.pem to the application container. Only nginx needs it.
            # (Mounting just live/stomup.ru/ would also leave its symlinks dangling,
            # since they point at ../../archive/.)
            #- /etc/letsencrypt/live/stomup.ru/:/etc/letsencrypt/live/stomup.ru/
            - ./php-fpm/php.ini:/usr/local/etc/php/php.ini
        depends_on:
            - mysql
        container_name: "StomPHP"
    web:
        image: nginx:latest
        ports:
            - "80:80"
            - "443:443"
        volumes:
            - ./StomUp:/var/www/StomUp
            # Mount the whole tree, read-only: live/ holds symlinks into archive/,
            # and nginx only ever reads these files.
            - /etc/letsencrypt/:/etc/letsencrypt/:ro
            - ./nginx/main.conf:/etc/nginx/conf.d/default.conf
        depends_on:
            - php
    mysql:
        image: mysql:5.7
        command: mysqld --sql_mode=""
        environment:
            MYSQL_ROOT_PASSWORD: xxx
        ports:
            - "3333:3306"

Mounted? Good, let's move on.

Now we need to change the nginx config to serve port 443 and SSL in general:

Example main.conf with SSL

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name *.stomup.ru stomup.ru;
    set $base /var/www/StomUp;
    root $base/public;

    # SSL: paths as seen inside the container, i.e. the /etc/letsencrypt mount
    # from docker-compose.yml. fullchain.pem = leaf + intermediate.
    ssl_certificate /etc/letsencrypt/live/stomup.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/stomup.ru/privkey.pem;
    # chain.pem is only consulted for OCSP stapling (ssl_stapling on) and client
    # certificate verification; on its own this line changes nothing.
    ssl_trusted_certificate /etc/letsencrypt/live/stomup.ru/chain.pem;
    # Protocols and ciphers are left at the nginx image defaults here; set
    # ssl_protocols and ssl_ciphers explicitly when hardening.

    client_max_body_size 5M;

    location / {
        # try to serve file directly, fallback to index.php
        try_files $uri /index.php$is_args$args;
    }

    location ~ ^/index\.php(/|$) {
        #fastcgi_pass unix:/var/run/php7.2-fpm.sock;
        fastcgi_pass php:9000;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;
        internal;
    }

    location ~ \.php$ {
        return 404;
    }

    error_log /var/log/nginx/project_error.log;
    access_log /var/log/nginx/project_access.log;
}


# HTTP redirect
server {
    listen 80;
    listen [::]:80;

    server_name *.stomup.ru stomup.ru;

    location / {
        # Every host, subdomains included, is sent to the apex domain.
        # Use https://$host$request_uri instead if subdomains must be preserved.
        return 301 https://stomup.ru$request_uri;
    }
}

After these changes, go to the directory with docker-compose.yml and run docker-compose up -d. Then check that SSL works: a plain http:// request should answer with a 301 to https://, and the https:// site should present a certificate that covers both stomup.ru and *.stomup.ru with a chain the browser (or curl) validates. Everything should just take off.

The main thing is not to forget that a Let's Encrypt certificate is issued for 90 days and will need to be renewed with sudo certbot renew, after which the service is restarted with docker-compose restart. Two caveats a practitioner should know: a certificate obtained with --manual and no --manual-auth-hook cannot be renewed non-interactively, so certbot renew will refuse it and you either re-run the certonly command above (adding the new TXT values) or provide an auth hook that updates DNS through your provider's API; and docker-compose restart bounces mysql and php as well, whereas a reload of nginx inside the web container is enough, because nginx reads the certificate files only at startup or reload and the whole /etc/letsencrypt tree (including the archive/ directory the renewed files land in) is already mounted.

Another option is to add this procedure to crontab.
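A renewal script for cron, as an added example rather than code from the original article: it runs certbot renew with a deploy hook that reloads nginx inside the web container only when a certificate was actually renewed, instead of restarting the whole stack. It assumes the compose project lives in /opt/stomup (an assumed path), that the nginx service is named web as in the docker-compose.yml above, and that the certificate was issued in a way certbot can renew unattended; the certbot and docker-compose binaries are overridable through environment variables.

```shell
#!/bin/sh
# renew-and-reload.sh (added example): daily certificate renewal for the
# Docker setup above. Install as /opt/stomup/renew-and-reload.sh (assumed
# path) and add to root's crontab:
#   0 3 * * * /opt/stomup/renew-and-reload.sh renew
set -eu

COMPOSE_DIR="${COMPOSE_DIR:-/opt/stomup}"    # where docker-compose.yml lives (assumption)
COMPOSE="${COMPOSE:-docker-compose}"         # overridable, e.g. for testing
CERTBOT="${CERTBOT:-certbot}"

# Reload nginx inside the running container rather than restarting the stack:
# nginx re-reads the certificate files on reload, with no downtime for php or
# mysql. The config is tested first so a broken config cannot take the site
# down. -T disables the pseudo-tty, which does not exist under cron.
reload_nginx() {
    "$COMPOSE" exec -T web nginx -t
    "$COMPOSE" exec -T web nginx -s reload
}

# --deploy-hook runs once per certificate that was actually renewed, so running
# this every day is cheap: most days certbot finds nothing to do and exits.
# Certificates obtained with --manual and no --manual-auth-hook cannot be
# renewed here; certbot will report them and they must be re-issued by hand.
renew() {
    cd "$COMPOSE_DIR"
    "$CERTBOT" renew --quiet --deploy-hook "$0 reload"
}

case "${1:-}" in
    renew)  renew ;;
    reload) reload_nginx ;;
esac
```

The script is invoked with the absolute path from cron so that "$0 reload" in the deploy hook resolves to the same file; certbot runs the hook from its own working directory, which is why the path must not be relative.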

In my opinion this is the simplest way to connect SSL to a Docker web app.

PS Please note that none of the configs presented in the text are final; the project is deep in the dev stage, so I would ask you not to criticize them, as they will change many times over.

Source: www.habr.com
