
docker nginx 利用阿里 key secret 配置泛域名证书

发表于 2019-12-03 | 分类于 运维 | 0 | 阅读次数 574

准备

# Create the host-side directories the nginx container bind-mounts:
#   conf.d            per-site nginx configuration
#   ssl               certificates, key, dhparam and the shared TLS options file
#   log/blankhang.com per-site access/error logs referenced in the site config
mkdir -p \
  /docker/nginx/conf.d \
  /docker/nginx/ssl \
  /docker/nginx/log/blankhang.com
验证泛域名证书

Ali_Key Ali_Secret 为阿里提供的 key 和 secret

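# Issue a wildcard certificate for *.blankhang.com via the DNS-01 challenge using
# the Alibaba Cloud DNS hook (dns_ali). The result is written into the bind-mounted
# /acme.sh, i.e. /docker/nginx/ssl on the host.
#
# Ali_Key / Ali_Secret are taken from the calling shell's environment: a bare
# `-e NAME` makes docker forward the value without it appearing in this command
# line, in the shell history or in `ps` output. Export both before running this.
: "${Ali_Key:?export Ali_Key (Alibaba Cloud access key id) before running}"
: "${Ali_Secret:?export Ali_Secret (Alibaba Cloud access key secret) before running}"

# "*.blankhang.com" is quoted because an unquoted *.blankhang.com is a shell glob
# and would be replaced by any matching file names in the current directory.
docker run --rm -it \
  -v "/docker/nginx/ssl":/acme.sh \
  -e Ali_Key \
  -e Ali_Secret \
  neilpang/acme.sh --issue --log --dns dns_ali -d "*.blankhang.com"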

安装证书

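# Copy the issued private key and full chain out of acme.sh's internal store into
# the bind-mounted /acme.sh (= /docker/nginx/ssl on the host) under the file names
# the nginx site config expects. The "*" is a literal character in those file
# names, so every occurrence is quoted to keep the shell from glob-expanding it.
# NOTE(review): a renewed certificate placed here is not picked up by the running
# nginx until it is reloaded — confirm how renewals are handled.
docker run --rm -it \
  -v "/docker/nginx/ssl":/acme.sh \
  neilpang/acme.sh acme.sh --installcert -d "*.blankhang.com" \
    --key-file "/acme.sh/*.blankhang.com.key" \
    --fullchain-file "/acme.sh/*.blankhang.com.fullchain.cer"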

nginx 默认配置文件

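# Write the main nginx.conf that docker-compose bind-mounts to /etc/nginx/nginx.conf.
# The `>` redirect is required: `cat FILE <<EOF` only tries to read FILE (failing
# if it does not exist) and ignores the here-document, so nothing is written and
# Docker later creates an empty directory at the missing mount source.
# The delimiter is quoted ('EOF') so the $remote_addr/$status/... placeholders in
# log_format reach nginx verbatim instead of being expanded by the shell.
cat > /docker/nginx/nginx.conf <<'EOF'
# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   10m;
    types_hash_max_size 2048;
    #Set Upload File limtit to 100MB
    client_max_body_size 1G;
    #Fix the timeout error during the upload time is too long
    client_header_timeout         10m; 
    client_body_timeout           10m; 
    proxy_connect_timeout         5m; 
    proxy_read_timeout            10m; 
    proxy_send_timeout            10m;


    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # hiding nginx version version
    server_tokens off;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

}

EOF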

生成 ssl_dhparam

# Generate 2048-bit Diffie-Hellman parameters for the DHE-* cipher suites; the
# file is referenced as /etc/nginx/ssl/dhparam.pem inside the container. This
# can take a minute or more.
openssl dhparam -out "/docker/nginx/ssl/dhparam.pem" 2048

nginx 加密配置

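# Write the shared TLS options file that each HTTPS server block includes.
# The `>` redirect is required: `cat FILE <<EOF` only tries to read FILE and
# ignores the here-document, so the file would never be created. The delimiter is
# quoted ('EOF') so the content is written verbatim.
# NOTE(review): ssl_stapling needs a `resolver` directive so nginx can look up the
# OCSP responder; without one nginx warns and stapling may not take effect — confirm.
# NOTE(review): pinning ssl_ecdh_curve to secp384r1 alone excludes X25519/P-256;
# nginx's default (auto) is usually preferable — confirm this is intentional.
cat > /docker/nginx/ssl/options-ssl-nginx.conf <<'EOF'
# ciphers' order matters
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

# the Elliptic curve key used for the ECDHE cipher.
ssl_ecdh_curve secp384r1;

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_protocols TLSv1.2 TLSv1.3;

# let the server choose the cipher
ssl_prefer_server_ciphers on;

# turn on the OCSP Stapling and verify
ssl_stapling on;
ssl_stapling_verify on;

# use command line
# openssl dhparam -out dhparam.pem 2048
# to generate Diffie Hellman Ephemeral Parameters
ssl_dhparam /etc/nginx/ssl/dhparam.pem;


# http compression method is not secure in https
# opens you up to vulnerabilities like BREACH, CRIME
gzip off;
EOF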

nginx 网站独立配置文件



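# Write the per-site config: port 80 redirects to HTTPS, port 443 serves the
# static root with the wildcard certificate and the shared TLS options.
# The delimiter is quoted ('EOF'): with an unquoted EOF the shell expands
# $host$request_uri on the redirect line to an empty string, producing
# `return 301 https://;` and a broken redirect.
# The "*" in the certificate paths is a literal part of the file names written
# by `acme.sh --installcert`; nginx does not glob these paths.
cat > /docker/nginx/conf.d/blankhang.conf <<'EOF'
server {
    listen 80;
    server_name blankhang.com;
    return 301 https://$host$request_uri;
}


server {
    listen 443 ssl http2;
    server_name blankhang.com;

    ssl_certificate /etc/nginx/ssl/*.blankhang.com.fullchain.cer;
    ssl_certificate_key /etc/nginx/ssl/*.blankhang.com.key;

    # load ssl conf
    include /etc/nginx/ssl/options-ssl-nginx.conf;


    location / {

        root   /usr/share/nginx/html;
    }

    error_log  /var/log/nginx/blankhang.com/error.log;
    access_log /var/log/nginx/blankhang.com/access.log;
}
EOF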

配置 nginx docker-compose.yml 文件

# Write the compose file for the nginx container. Every bind mount below points
# at a path created earlier in this guide; /docker/nginx/nginx.conf must already
# exist as a file, otherwise Docker creates a directory there and nginx fails to
# start. The delimiter is quoted so the YAML is written verbatim.
cat <<'EOF' > /docker/nginx/docker-compose.yml
version: '3.7'
services:

  nginx:
    image: nginx:alpine
    container_name: nginx
    #privileged: true
    restart: always
    environment:
      - TZ=Asia/Shanghai
    volumes:
      - /docker/nginx/nginx.conf:/etc/nginx/nginx.conf      
      - /docker/nginx/conf.d:/etc/nginx/conf.d
      - /docker/nginx/ssl:/etc/nginx/ssl
      - /docker/nginx/log:/var/log/nginx
    ports:
      - "80:80"
      - "443:443"
    networks:
      - default
      #- jenkins_default
    command: [nginx, '-g', 'daemon off;']
#networks:
#  jenkins_default:
#    external: true
EOF

启动 nginx

# Start the nginx container from its compose directory; docker-compose is only
# run if the cd succeeded.
if cd /docker/nginx; then
  docker-compose up -d
fi

访问网址 blankhang.com

此时应已通过 https 访问，且证书应为泛域名证书。

  • 本文作者: blank
  • 本文链接: https://blankhang.com/2019/12/03/201912031525
  • 版权声明: 本博客所有文章除特别声明外,均采用CC BY-NC-SA 3.0 许可协议。转载请注明出处!