我正在尝试为通过Docker Machine(DigitalOcean)部署的Nginx添加自动TLS/SSL终止。
我发现了一些很好的资源[humankode/how-to-set-up..., medium/nginx-and-lets-encrypt...],介绍了如何通过docker-compose实现它,但都是从服务器的角度进行说明。我真的想避免这种情况。我希望能够在本地完成所有工作,将其捆绑在一起并发送出去。或者,甚至可以在没有任何ssh的情况下远程执行它。
几次尝试失败了,但感觉离成功很近。主要障碍似乎在于文件/卷。按照 medium/nginx-and-lets-encrypt... 指南,我在保存 OpenSSL privkey.pem 时遇到了问题。另一个教程 (humankode),据我所知,所有操作都在服务器上进行,那里就有卷。我最近的尝试是通过 DigitalOcean 教程 在机器上设置证书,然后尝试在我的 docker-compose 构建中包含它们。没有成功。
进行了许多修改,但我的设置与以下类似:
docker-compose.yml
version: '3.7'
services:
nginx:
image: nginx:1.15.9-alpine
container_name: nginx
build:
context: ./nginx
dockerfile: Dockerfile
restart: always
volumes:
- /etc/letsencrypt
- /var/www/certbot
ports:
- "80:80"
- "443:443"
command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
certbot:
image: certbot/certbot
restart: unless-stopped
volumes:
- "/etc/letsencrypt"
- "/var/www/certbot"
entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
nginx/Dockerfile
FROM nginx:1.15.9-alpine
RUN rm /etc/nginx/conf.d/default.conf
COPY prod.conf /etc/nginx/conf.d/
nginx/conf.d
# PRODUCTION
server {
listen 80;
listen [::]:80;
server_name example.site;
location ~ /.well-known/acme-challenge {
allow all;
root /usr/share/nginx/html;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
server_name example.site;
ssl_certificate /etc/letsencrypt/live/example.site/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.site/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;