Ninu nkan yii, Mo fẹ lati pin pẹlu rẹ ọna kan fun ṣiṣẹda ijẹrisi SSL kan fun ohun elo wẹẹbu rẹ ti n ṣiṣẹ lori Docker, nitori… Emi ko ri iru ojutu kan ni apakan ede Russian ti Intanẹẹti.
Awọn alaye diẹ sii labẹ gige.
A ni docker v.17.05, docker-compose v.1.21, Ubuntu Server 18 ati pint funfun Let'sEncrypt. Kii ṣe pe o ṣe pataki lati mu iṣelọpọ ṣiṣẹ lori Docker. Ṣugbọn ni kete ti o ba bẹrẹ kikọ Docker, o nira lati da duro.
Nitorinaa, lati bẹrẹ pẹlu, Emi yoo fun awọn eto boṣewa - eyiti a ni ni ipele dev, i.e. laisi ibudo 443 ati SSL ni gbogbogbo:
docker-compose.yml
version: '2'
services:
php:
build: ./php-fpm
volumes:
- ./StomUp:/var/www/StomUp
- ./php-fpm/php.ini:/usr/local/etc/php/php.ini
depends_on:
- mysql
container_name: "StomPHP"
web:
image: nginx:latest
ports:
- "80:80"
- "443:443"
volumes:
- ./StomUp:/var/www/StomUp
- ./nginx/main.conf:/etc/nginx/conf.d/default.conf
depends_on:
- php
mysql:
image: mysql:5.7
command: mysqld --sql_mode=""
environment:
MYSQL_ROOT_PASSWORD: xxx
ports:
- "3333:3306"
nginx/main.conf
server {
listen 80;
server_name *.stomup.ru stomup.ru;
root /var/www/StomUp/public;
client_max_body_size 5M;
location / {
# try to serve file directly, fallback to index.php
try_files $uri /index.php$is_args$args;
}
location ~ ^/index.php(/|$) {
#fastcgi_pass unix:/var/run/php7.2-fpm.sock;
fastcgi_pass php:9000;
fastcgi_split_path_info ^(.+.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
fastcgi_param DOCUMENT_ROOT $realpath_root;
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
internal;
}
location ~ .php$ {
return 404;
}
error_log /var/log/nginx/project_error.log;
access_log /var/log/nginx/project_access.log;
}
Nigbamii ti, a nilo gangan lati ṣe SSL. Lati so ooto, Mo lo bii wakati 2 ni ikẹkọ agbegbe com. Gbogbo awọn aṣayan ti a nṣe nibẹ ni o wa awon. Ṣugbọn ni ipele lọwọlọwọ ti iṣẹ akanṣe, a (owo naa) nilo lati yara ati ni igbẹkẹle dabaru SSL Jẹ ki a Enctypt к nginx eiyan ati ohunkohun siwaju sii.
Ni akọkọ, a fi sori ẹrọ lori olupin naa ijẹrisi
sudo apt-get install certbot
Nigbamii ti, a ṣe ipilẹṣẹ awọn iwe-ẹri wildcard fun agbegbe wa
sudo certbot certonly -d stomup.ru -d *.stomup.ru --manual --preferred-challenges dns
lẹhin ipaniyan, certbot yoo fun wa ni awọn igbasilẹ 2 TXT ti o nilo lati wa ni pato ninu awọn eto DNS.
_acme-challenge.stomup.ru TXT {тотКлючКоторыйВамВыдалCertBot}
Ki o si tẹ tẹ.
Lẹhin eyi, certbot yoo ṣayẹwo fun wiwa awọn igbasilẹ wọnyi ni DNS ati ṣẹda awọn iwe-ẹri fun ọ.
ti o ba ti fi kun a ijẹrisi sugbon ijẹrisi ko rii - gbiyanju tun bẹrẹ aṣẹ naa lẹhin iṣẹju 5-10.
O dara, nibi a jẹ oniwun igberaga ti ijẹrisi Let'sEncrypt fun awọn ọjọ 90, ṣugbọn ni bayi a nilo lati gbe si Docker.
Lati ṣe eyi, ni ọna ti o kere julọ, ni docker-compose.yml, ni apakan nginx, a ṣe asopọ awọn ilana.
Apeere docker-compose.yml pẹlu SSL
version: '2'
services:
php:
build: ./php-fpm
volumes:
- ./StomUp:/var/www/StomUp
- /etc/letsencrypt/live/stomup.ru/:/etc/letsencrypt/live/stomup.ru/
- ./php-fpm/php.ini:/usr/local/etc/php/php.ini
depends_on:
- mysql
container_name: "StomPHP"
web:
image: nginx:latest
ports:
- "80:80"
- "443:443"
volumes:
- ./StomUp:/var/www/StomUp
- /etc/letsencrypt/:/etc/letsencrypt/
- ./nginx/main.conf:/etc/nginx/conf.d/default.conf
depends_on:
- php
mysql:
image: mysql:5.7
command: mysqld --sql_mode=""
environment:
MYSQL_ROOT_PASSWORD: xxx
ports:
- "3333:3306"
Ti sopọ mọ? O dara - jẹ ki a tẹsiwaju:
Bayi a nilo lati yi atunto naa pada nginx lati ṣiṣẹ pẹlu awọn 443 ibudo ati SSL ni gbogbogbo:
Apeere main.conf konfigi pẹlu SSL
#
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name *.stomup.ru stomup.ru;
set $base /var/www/StomUp;
root $base/public;
# SSL
ssl_certificate /etc/letsencrypt/live/stomup.ru/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/stomup.ru/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/stomup.ru/chain.pem;
client_max_body_size 5M;
location / {
# try to serve file directly, fallback to index.php
try_files $uri /index.php$is_args$args;
}
location ~ ^/index.php(/|$) {
#fastcgi_pass unix:/var/run/php7.2-fpm.sock;
fastcgi_pass php:9000;
fastcgi_split_path_info ^(.+.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
fastcgi_param DOCUMENT_ROOT $realpath_root;
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
internal;
}
location ~ .php$ {
return 404;
}
error_log /var/log/nginx/project_error.log;
access_log /var/log/nginx/project_access.log;
}
# HTTP redirect
server {
listen 80;
listen [::]:80;
server_name *.stomup.ru stomup.ru;
location / {
return 301 https://stomup.ru$request_uri;
}
}
Lootọ, lẹhin awọn ifọwọyi wọnyi, a lọ si itọsọna pẹlu Docker-compose, kọ docker-compose up -d. Ati pe a ṣayẹwo iṣẹ ṣiṣe ti SSL. Ohun gbogbo yẹ ki o yọ kuro.
Ohun akọkọ kii ṣe lati gbagbe pe ijẹrisi Let'sEnctypt ti funni fun awọn ọjọ 90 ati pe iwọ yoo nilo lati tunse nipasẹ aṣẹ naa. sudo certbot renew
, ati lẹhinna tun bẹrẹ iṣẹ naa pẹlu aṣẹ naa docker-compose restart
Aṣayan miiran ni lati ṣafikun ọna yii si crontab.
Ni ero mi eyi ni ọna ti o rọrun julọ lati sopọ SSL si Docker Web-app.
PS Jọwọ ṣe akiyesi pe gbogbo awọn iwe afọwọkọ ti a gbekalẹ ninu ọrọ ko ni ipari, iṣẹ akanṣe naa wa ni ipele Dev ti o jinlẹ, nitorinaa Emi yoo fẹ lati beere lọwọ rẹ lati ma ṣofintoto awọn atunto - wọn yoo yipada ni ọpọlọpọ igba.
orisun: www.habr.com