blank
blank
发布于 2019-12-03 / 611 阅读 / 0 评论 / 0 点赞

docker nginx 利用阿里 key secret 配置泛域名证书

准备

# nginx 配置文件目录
mkdir -p /docker/nginx/conf.d

# ssl 证书/配置目录
mkdir -p /docker/nginx/ssl

# 日志目录
mkdir -p /docker/nginx/log/blankhang.com
验证泛域名证书

Ali_Key Ali_Secret 为阿里提供的 key 和 secret

docker run --rm  -it  \
  -v "/docker/nginx/ssl":/acme.sh  \
  -e Ali_Key="" \
  -e Ali_Secret="" \
  neilpang/acme.sh --issue --log --dns dns_ali -d *.blankhang.com

安装证书

docker run --rm  -it  \
  -v "/docker/nginx/ssl":/acme.sh  \
  neilpang/acme.sh acme.sh --installcert -d *.blankhang.com --key-file /acme.sh/*.blankhang.com.key --fullchain-file /acme.sh/*.blankhang.com.fullchain.cer

nginx 默认配置文件

cat /docker/nginx/nginx.conf <<EOF
# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   10m;
    types_hash_max_size 2048;
    #Set Upload File limtit to 100MB
    client_max_body_size 1G;
    #Fix the timeout error during the upload time is too long
    client_header_timeout         10m; 
    client_body_timeout           10m; 
    proxy_connect_timeout         5m; 
    proxy_read_timeout            10m; 
    proxy_send_timeout            10m;


    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # hiding nginx version version
    server_tokens off;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

}

EOF

生成 ssl_dhparam

openssl dhparam -out /docker/nginx/ssl/dhparam.pem 2048

nginx 加密配置

cat /docker/nginx/ssl/options-ssl-nginx.conf <<EOF
# ciphers' order matters
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

# the Elliptic curve key used for the ECDHE cipher.
ssl_ecdh_curve secp384r1;

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_protocols TLSv1.2 TLSv1.3;

# let the server choose the cipher
ssl_prefer_server_ciphers on;

# turn on the OCSP Stapling and verify
ssl_stapling on;
ssl_stapling_verify on;

# use command line
# openssl dhparam -out dhparam.pem 2048
# to generate Diffie Hellman Ephemeral Parameters
ssl_dhparam /etc/nginx/ssl/dhparam.pem;


# http compression method is not secure in https
# opens you up to vulnerabilities like BREACH, CRIME
gzip off;
EOF

nginx 网站独立配置文件



cat > /docker/nginx/conf.d/blankhang.conf <<EOF
server {
    listen 80;
    server_name blankhang.com;
    return 301 https://$host$request_uri;
}


server {
    listen 443 ssl http2;
    server_name blankhang.com;

    ssl_certificate /etc/nginx/ssl/*.blankhang.com.fullchain.cer;
    ssl_certificate_key /etc/nginx/ssl/*.blankhang.com.key;

    # load ssl conf
    include /etc/nginx/ssl/options-ssl-nginx.conf;


    location / {

        root   /usr/share/nginx/html;
    }

    error_log  /var/log/nginx/blankhang.com/error.log;
    access_log /var/log/nginx/blankhang.com/access.log;
}
EOF

配置 nginx docker-compose.yml 文件

cat > /docker/nginx/docker-compose.yml <<EOF
version: '3.7'
services:

  nginx:
    image: nginx:alpine
    container_name: nginx
    #privileged: true
    restart: always
    environment:
      - TZ=Asia/Shanghai
    volumes:
      - /docker/nginx/nginx.conf:/etc/nginx/nginx.conf      
      - /docker/nginx/conf.d:/etc/nginx/conf.d
      - /docker/nginx/ssl:/etc/nginx/ssl
      - /docker/nginx/log:/var/log/nginx
    ports:
      - "80:80"
      - "443:443"
    networks:
      - default
      #- jenkins_default
    command: [nginx, '-g', 'daemon off;']
#networks:
#  jenkins_default:
#    external: true
EOF

启动 nginx

cd /docker/nginx && docker-compose up -d

访问网址 blankhang.com

应该已经是 https 证书应该是泛域名的


评论