HTTPs setup - Certbot + Docker + Nginx
Background:
Let's Encrypt is a certificate authority that provides X.509 certificates for Transport Layer Security (TLS) encryption at no charge,The certificate is valid for 90 days, during which renewal can take place at anytime.
這樣我們就可以用上免費的CA cert來 安全expose我們自己的網站或者服務
基本的http和https知識請閱讀https://linuxstory.org/deploy-lets-encrypt-ssl-certificate-with-certbot/的‘背景知識’部分,作者講述的非常很不錯。
Objectives:
通過例子來demo如何生成和使用Internet Security Research Group推出的Let’s Encrypt 免費證照
主要涉及如下:
- Docker, docker-compose用來部署nginx
- Certbot,用來為域名生成CA證照
Not In Scope
- Docker 和docker compose的相關概念和安裝,請參考docker官方文件
Steps:
1. 生成CA證照
- 安裝Certbot 客戶端
wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
./certbot-auto --help
- 驗證域名所有權
該步驟需要啟動nginx
a. 準備docker-compose file
version: '3.0'
services:
nginx:
restart: always
image: nginx:1.15.6
ports:
- 80:80
- 443:443
volumes:
- ./conf.d:/etc/nginx/conf.d
- ./log:/var/log/nginx
- ./wwwroot:/var/www
- /etc/letsencrypt:/etc/letsencrypt
Docker volume的對映關係
./conf.d nginx的配置所在
./log 日誌檔案位置
./wwwroot 專案路徑
/etc/letsencrypt CA cert的父目錄
b. nginx 配置檔案 .conf.d/app.conf
server {
listen 80;
server_name domain.com;
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root /var/www;
}
location = /.well-known/acme-challenge/ {
return 404;
}
}
PS:
如上兩個location配置是為了通過 Let’s Encrypt 的驗證,驗證域名歸屬
c. 啟動nginx
root@aws-techpoc-c02:~/web# ls conf.d/app.conf
root@aws-techpoc-c02:~/web# ls wwwroot/
index.html
root@aws-techpoc-c02:~/web# docker-compose up -d
Creating network "web_default" with the default driver
Creating web_nginx_1 ...
Creating web_nginx_1 ... done
d. 生成Cert
./certbot-auto certonly -d domain1.com domain2.com
該步驟過程中會自動執行和安裝很多linux的以來包,不用幹預,其中有兩布需要注意:
i.選擇用standalone的方式執行還是webroot,一般80埠已經備用了,無法使用standalone,所以選擇webroot方式,然後輸入webroot的地址,及上面指定的主機專案目錄,如本例,/root/web/wwwroot
2.有一步要求輸入郵箱地址的提示,照著輸入自己的郵箱即可,順利完成的話,螢幕上會有提示資訊。
最後,證照成功成功後,會有如下資訊:
IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/<domain.com>/fullchain.pem. Your cert
will expire on xxxx-xx-xxxx. To obtain a new version of the
certificate in the future, simply run Let's Encrypt again.
至此,證照就生成好了,接下來就可以去配置nginx ssl監聽了
2. 配置SSL監聽 for Nginx
a. 修改nginx配置檔案
server {
listen 443 ssl;
server_name domain.com;
ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
location / {
root /var/www;
index index.jsp index.html index.htm index.php;
}
location /proxy/ {
root /var/www;
index index.jsp index.html index.htm index.php;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_pass http://172.19.0.1:8080/;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
server {
listen 80;
server_name domain.com www.domain.com;
return 301 https://$server_name$request_uri;
}
proxy_pass 指定代理地址,注意代理地址後面有沒有’/‘,區別很大
b. [optional]準備一個測試的html,用來檢測nginx配置是否正常,./wwwroot/index.html
<!DOCTYPE html>
<html>
<head>
<title>TEST WebSite</title>
</head>
<body>
<div>Hello, this is a test web site</div>
<body>
</html>
c. Reload nginx config
docker container exec <container> nginx -s reload
然後就可以去測試了,https://<domain.com>,如果成功可以顯示那個test html page,如果有問題,請使用docker logs -f <container>,或者檢視日誌目錄先access.log 和 error.log
Q&A:
- policy-forbids-issuing-for-name-on-amazon-ec2-domain
issue related post
amazonaws.com happens to be on the blacklist Let’s Encrypt uses for high-risk domain names,及無法使用free cert for aws,可以考慮使用route53
Related posts:
https://linuxstory.org/deploy-lets-encrypt-ssl-certificate-with-certbot/
https://www.jianshu.com/p/c136c7ec2572
相關文章
- nginx docker容器配置https(ssl)NginxDockerHTTP
- linux環境使用Certbot配置httpsLinuxHTTP
- 使用 Docker CertBot 獲取 SSL 證書Docker
- Docker安裝Redmine並使用Nginx反向代理為httpsDockerNginxHTTP
- Nginx配置HTTPSNginxHTTP
- 申請Let’s Encrypt萬用字元HTTPS證書(certbot版)字元HTTP
- Setup MariaDB Master/Slave Replication for Docker MariaDBASTDocker
- Nginx Configuring HTTPS serversNginxHTTPServer
- 二、Nginx 配置 httpsNginxHTTP
- Setup SSL using .PFX file on nginx/apache2NginxApache
- docker 安裝 wordpress,通過nginx反向代理,繫結域名,配置httpsDockerNginxHTTP
- Nginx 配置https證書NginxHTTP
- nginx + https(tomcat2)NginxHTTPTomcat
- nginx 部署vue http、httpsNginxVueHTTP
- Nginx配置Https專案NginxHTTP
- Nginx-04-Docker NginxNginxDocker
- 全站HTTPS升級系列(三)nginx配置全站HTTPSHTTPNginx
- CertBot搭配DNSPodDNS
- Nginx如何配置HTTPS詳解NginxHTTP
- nginx+php-fpm配置HTTPSNginxPHPHTTP
- docker建立nginxDockerNginx
- Docker配置nginxDockerNginx
- 通過 Certbot 安裝 Let's Encrypt 證書,來實現全站的 HTTPS 訪問HTTP
- 透過 Certbot 安裝 Let's Encrypt 證書,來實現全站的 HTTPS 訪問HTTP
- centos nginx下配置免費httpsCentOSNginxHTTP
- Nginx+Tomcat Https SSL部署方案NginxTomcatHTTP
- nginx配置https協議訪問NginxHTTP協議
- Nginx使用SSL模組配置httpsNginxHTTP
- nginx 專案配置 https 訪問NginxHTTP
- nginx配置https詳細過程NginxHTTP
- Nginx配置網站預設httpsNginx網站HTTP
- Nginx如何配置Http、Https、WS、WSS?NginxHTTP
- certbot 使用說明
- docker小結(nginx)DockerNginx
- docker -nginx2DockerNginx
- docker下的nginxDockerNginx
- docker安裝nginxDockerNginx
- 通過 Certbot 安裝 Let's Encrypt 證書,實現免費的全站 HTTPS 訪問HTTP