如果您曾在 Docker 环境中设置 SSL 方面遇到困难,那么您并不孤单。 SSL 对许多人来说可能是一个令人生畏的障碍,但保护您的应用程序至关重要,尤其是当它暴露在互联网上时。在这篇文章中,我将指导您添加 Nginx 和 Certbot,以便在 Docker 化设置中生成 Let's Encrypt SSL。这使您可以自动续订证书并以最小的麻烦确保您的环境安全。
让我们开始吧!
在此示例中,我们使用 Nginx 作为反向代理并使用 Certbot 来管理 SSL 证书。下面,您将找到 docker-compose.yml、用于自动重新加载 Nginx 的 shell 脚本,以及设置所有内容所需的配置文件。
首先,让我向您展示用于设置 Nginx 和 Certbot 的 Docker Compose 配置。
# docker-compose.yml services: nginx: container_name: nginx image: nginx:latest restart: unless-stopped env_file: .env networks: - your-app-network # Update this with your application service network ports: - 80:80 - 443:443 depends_on: - your-app # Your application service volumes: - ./nginx/secure/:/etc/nginx/templates/ - /etc/localtime:/etc/localtime:ro - ./nginx/certbot/conf:/etc/letsencrypt - ./nginx/certbot/www:/var/www/certbot - ./nginx/99-autoreload.sh:/docker-entrypoint.d/99-autoreload.sh # Script to autoreload Nginx when certs are renewed certbot: image: certbot/certbot volumes: - ./nginx/certbot/conf:/etc/letsencrypt - ./nginx/certbot/www:/var/www/certbot entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'" # Renew certificates every 12 hours
这个 Docker Compose 文件定义了两个服务:
certbot 服务无限循环运行,每 12 小时更新一次证书。证书存储在共享卷(./nginx/certbot/conf)中,允许Nginx访问最新的证书文件。
Nginx 充当反向代理,处理 HTTP 和 HTTPS 流量。对于初始请求,Certbot 需要 HTTP(端口 80)来完成域验证过程。
# default.conf.template server { listen 80; server_name ${APP_DOMAIN}; location / { return 301 https://$host$request_uri; } location /.well-known/acme-challenge/ { root /var/www/certbot; } } server { listen 443 ssl; server_name ${APP_DOMAIN}; server_tokens off; client_max_body_size 20M; ssl_certificate /etc/letsencrypt/live/${APP_DOMAIN}/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/${APP_DOMAIN}/privkey.pem; include /etc/letsencrypt/options-ssl-nginx.conf; ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; location / { proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Url-Scheme $scheme; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_redirect off; proxy_pass http://my-app:3000; // Your app service name } }
在上面的配置文件中,Nginx 执行以下操作:
SSL证书更新后,需要重新加载Nginx以应用更新的证书。要自动化此过程,请添加一个简单的自动重新加载脚本:
# 99-autoreload.sh #!/bin/sh while :; do # Optional: Instead of sleep, detect config changes and only reload if necessary. sleep 6h nginx -t && nginx -s reload done &
此脚本在 Nginx 容器内运行,并每 6 小时或每当证书更新时重新加载 Nginx。
创建一个 .env 文件来存储您的域名和电子邮件地址以供 Certbot 注册:
# .env file APP_DOMAIN=your-domain.com SSL_EMAIL=contact@your-domain.com
在 Nginx 可以提供 HTTPS 流量之前,您需要生成初始 SSL 证书。使用以下 bash 脚本 (init-letsencrypt.sh) 生成 SSL 证书:
#!/bin/bash # Source the .env file if [ -f .env ]; then export $(grep -v '^#' .env | xargs) fi if ! [ -x "$(command -v docker compose)" ]; then echo 'Error: docker compose is not installed.' >&2 exit 1 fi domains=(${APP_DOMAIN:-example.com}) rsa_key_size=4096 data_path="./nginx/certbot" email="${SSL_EMAIL:-hello@example.com}" # Adding a valid address is strongly recommended staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits if [ -d "$data_path" ]; then read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then exit fi fi if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then echo "### Downloading recommended TLS parameters ..." mkdir -p "$data_path/conf" curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf >"$data_path/conf/options-ssl-nginx.conf" curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem >"$data_path/conf/ssl-dhparams.pem" echo fi echo "### Creating dummy certificate for $domains ..." path="/etc/letsencrypt/live/$domains" mkdir -p "$data_path/conf/live/$domains" docker compose -f "docker-compose.yml" run --rm --entrypoint "\ openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 1\ -keyout '$path/privkey.pem' \ -out '$path/fullchain.pem' \ -subj '/CN=localhost'" certbot echo echo "### Starting nginx ..." docker compose -f "docker-compose.yml" up --force-recreate -d nginx echo echo "### Deleting dummy certificate for $domains ..." docker compose -f "docker-compose.yml" run --rm --entrypoint "\ rm -Rf /etc/letsencrypt/live/$domains && \ rm -Rf /etc/letsencrypt/archive/$domains && \ rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot echo echo "### Requesting Let's Encrypt certificate for $domains ..." #Join $domains to -d args domain_args="" for domain in "${domains[@]}"; do domain_args="$domain_args -d $domain" done # Select appropriate email arg case "$email" in "") email_arg="--register-unsafely-without-email" ;; *) email_arg="--email $email" ;; esac # Enable staging mode if needed if [ $staging != "0" ]; then staging_arg="--staging"; fi docker compose -f "docker-compose.yml" run --rm --entrypoint "\ certbot certonly --webroot -w /var/www/certbot \ $staging_arg \ $email_arg \ $domain_args \ --rsa-key-size $rsa_key_size \ --agree-tos \ --force-renewal" certbot echo #echo "### Reloading nginx ..." docker compose -f "docker-compose.yml" exec nginx nginx -s reload
总之,上面提供的配置将 Nginx 设置为 Docker 化应用程序的反向代理,并由 Certbot 自动管理 Let's Encrypt SSL 证书。此设置可确保与您的应用程序的安全连接,而无需手动续订 SSL。
要首次调出您的环境,请使用:
chmod a+x init-letsencrypt.sh ./init-letsencrypt.sh
以下时间您可以使用常用的 docker compose 命令启动您的环境:
docker-compose up -d
确保您的域名指向您的服务器,并且端口 80 和 443 已打开以允许访问 HTTP 和 HTTPS 流量。
如果您遇到任何问题或有改进建议,请在下面的评论中告诉我!我很乐意帮助解决问题或扩展特定主题。
以上是Docker 容器中 SSL 的挑战无人谈论的详细内容。更多信息请关注PHP中文网其他相关文章!