准备
# Host-side directory layout; each of these is bind-mounted into the nginx
# container later on (conf.d -> /etc/nginx/conf.d, ssl -> /etc/nginx/ssl,
# log -> /var/log/nginx).
nginx_home=/docker/nginx
# per-site nginx configuration files
mkdir -p "${nginx_home}/conf.d"
# certificates, private keys and the shared TLS settings file
mkdir -p "${nginx_home}/ssl"
# per-site access/error logs
mkdir -p "${nginx_home}/log/blankhang.com"
验证泛域名证书
Ali_Key 和 Ali_Secret 为阿里提供的 key 和 secret
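# Issue the wildcard certificate with the ACME DNS-01 challenge; the dns_ali
# plugin creates the validation record through the Alibaba Cloud DNS API.
# Ali_Key / Ali_Secret are taken from the host environment and forwarded
# into the container (`-e NAME` with no value copies the host variable), so
# the secrets do not end up on the command line, in `ps` output or in the
# shell history. Export both before running this step.
: "${Ali_Key:?export Ali_Key before issuing the certificate}"
: "${Ali_Secret:?export Ali_Secret before issuing the certificate}"
# The wildcard domain is quoted so the host shell does not glob-expand '*'.
docker run --rm -it \
  -v "/docker/nginx/ssl":/acme.sh \
  -e Ali_Key \
  -e Ali_Secret \
  neilpang/acme.sh --issue --log --dns dns_ali -d '*.blankhang.com'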
安装证书
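# Copy the issued certificate and key to fixed file names under /acme.sh
# (the bind-mounted /docker/nginx/ssl), which is where the nginx site
# configuration expects them. Every argument containing '*' is quoted: it
# is a literal file name inside the container and must not be glob-expanded
# by the host shell (an unquoted '*.blankhang.com.key' would be replaced by
# any matching file in the current directory).
docker run --rm -it \
  -v "/docker/nginx/ssl":/acme.sh \
  neilpang/acme.sh acme.sh --installcert -d '*.blankhang.com' \
    --key-file '/acme.sh/*.blankhang.com.key' \
    --fullchain-file '/acme.sh/*.blankhang.com.fullchain.cer'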
nginx 默认配置文件
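# Write the main nginx.conf on the host; the container mounts it at
# /etc/nginx/nginx.conf. The `>` redirection is required: `cat FILE <<EOF`
# would only print an already-existing file and discard the here-document.
# The delimiter is quoted ('EOF') so that nginx variables such as
# $remote_addr in log_format reach the file literally instead of being
# expanded by the shell (which would leave them empty).
cat > /docker/nginx/nginx.conf <<'EOF'
# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 10m;
    types_hash_max_size 2048;

    # Maximum accepted request body (upload) size.
    client_max_body_size 1G;
    # Generous timeouts so that long uploads are not cut off.
    client_header_timeout 10m;
    client_body_timeout 10m;
    proxy_connect_timeout 5m;
    proxy_read_timeout 10m;
    proxy_send_timeout 10m;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Do not advertise the nginx version in headers and error pages.
    server_tokens off;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;
}
EOF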
生成 ssl_dhparam
openssl dhparam -out /docker/nginx/ssl/dhparam.pem 2048
nginx 加密配置
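# Shared TLS settings, included by every HTTPS server block. Written to the
# host ssl directory, which the container mounts at /etc/nginx/ssl.
# The `>` redirection is required: `cat FILE <<EOF` would only print an
# already-existing file and discard the here-document. The delimiter is
# quoted so nothing in the file is touched by shell expansion.
cat > /docker/nginx/ssl/options-ssl-nginx.conf <<'EOF'
# ciphers' order matters
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

# the Elliptic curve key used for the ECDHE cipher.
# This pins a single curve; nginx's default (auto) would also offer X25519.
ssl_ecdh_curve secp384r1;

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;

ssl_protocols TLSv1.2 TLSv1.3;

# let the server choose the cipher
ssl_prefer_server_ciphers on;

# turn on the OCSP Stapling and verify
# Stapling also needs a `resolver` directive (to look up the OCSP responder)
# and the issuer chain in the certificate file; without a resolver nginx
# logs a warning at startup and serves no stapled response.
ssl_stapling on;
ssl_stapling_verify on;

# use command line
#   openssl dhparam -out dhparam.pem 2048
# to generate Diffie Hellman Ephemeral Parameters
ssl_dhparam /etc/nginx/ssl/dhparam.pem;

# http compression method is not secure in https
# opens you up to vulnerabilities like BREACH, CRIME
gzip off;
EOF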
nginx 网站独立配置文件
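# Per-site server blocks for blankhang.com. The here-document delimiter must
# be quoted: with a bare EOF the shell expands $host and $request_uri
# (normally to empty strings) and the redirect on the plain-HTTP server
# becomes `return 301 https://;`.
cat > /docker/nginx/conf.d/blankhang.conf <<'EOF'
server {
    listen 80;
    server_name blankhang.com;
    # $host echoes the client's Host header. If this is the only (default)
    # server on port 80 it will redirect to whatever Host was sent; use
    # $server_name instead to pin the redirect target to this site.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name blankhang.com;

    # installed by the acme.sh --installcert step into /docker/nginx/ssl
    ssl_certificate /etc/nginx/ssl/*.blankhang.com.fullchain.cer;
    ssl_certificate_key /etc/nginx/ssl/*.blankhang.com.key;

    # load ssl conf
    include /etc/nginx/ssl/options-ssl-nginx.conf;

    location / {
        root /usr/share/nginx/html;
    }

    error_log /var/log/nginx/blankhang.com/error.log;
    access_log /var/log/nginx/blankhang.com/access.log;
}
EOF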
配置 nginx 的 docker-compose.yml 文件
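# Compose file for the nginx container. YAML is indentation-sensitive, so the
# nesting below is significant; the delimiter is quoted so the shell leaves
# the content untouched. The configuration and certificate mounts are
# read-only: nginx only reads them, and acme.sh writes to /docker/nginx/ssl
# through its own container, not through this one.
cat > /docker/nginx/docker-compose.yml <<'EOF'
version: '3.7'
services:
  nginx:
    # floating tag: pin to a specific version or digest for reproducible deploys
    image: nginx:alpine
    container_name: nginx
    #privileged: true
    restart: always
    environment:
      - TZ=Asia/Shanghai
    volumes:
      - /docker/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
      - /docker/nginx/conf.d:/etc/nginx/conf.d:ro
      - /docker/nginx/ssl:/etc/nginx/ssl:ro
      - /docker/nginx/log:/var/log/nginx
    ports:
      - "80:80"
      - "443:443"
    networks:
      - default
      #- jenkins_default
    command: [nginx, '-g', 'daemon off;']
#networks:
#  jenkins_default:
#    external: true
EOF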
启动 nginx
cd /docker/nginx && docker-compose up -d
访问网址 blankhang.com，应该已经是 https，且证书应该是泛域名证书。