Docker 部署 Nginx 并在容器内配置申请免费 SSL 证书

文章目录

docker
docker-compose.yml
申请免费 SSL 证书
请求头参数带下划线

docker

https://hub.docker.com/_/nginx

docker pull nginx:1.27

注：国内网络原因无法下载镜像，nginx 镜像文件下载链接 https://pan.baidu.com/s/1O35cPbx6AHWUJL1v5-REzA?pwd=yjsv 提取码: yjsv。

导入 nginx 镜像

docker load -i nginx-1.27.tar

cd /home
mkdir nginx && cd nginx
mkdir ssl logs

docker run --name nginx -d nginx:1.27
# 拷贝容器内目录与文件
docker cp nginx:/etc/nginx/nginx.conf /home/nginx
docker cp nginx:/etc/nginx/conf.d /home/nginx
docker cp nginx:/usr/share/nginx/html /home/nginx

docker-compose.yml

services:nginx:image: nginx:1.27container_name: nginxrestart: always# network_mode: "host"ports:- 8080:80- 443:443volumes:- /etc/localtime:/etc/localtime- /home/nginx/nginx.conf:/etc/nginx/nginx.conf- /home/nginx/conf.d:/etc/nginx/conf.d- /home/nginx/ssl:/etc/nginx/ssl- /home/nginx/logs:/var/log/nginx- /home/nginx/html:/usr/share/nginx/html

docker-compose up -d nginx

查看 80 端口被占用情况

# Linux 环境
netstat -tulpn | grep :80
# Mac 环境
sudo lsof -iTCP -sTCP:LISTEN -n -P | grep LISTEN | grep ":80"

申请免费 SSL 证书

配置 Nginx 以验证域名所有权

cd /home/nginx/conf.d
vim default.conf

server {listen       80;listen  [::]:80;server_name  localhost;location / {root   /usr/share/nginx/html;index  index.html index.htm;}error_page   500 502 503 504  /50x.html;location = /50x.html {root   /usr/share/nginx/html;}# 配置 Nginx 验证域名所有权location ^~ /.well-known/acme-challenge/ {default_type "text/plain";root /usr/share/nginx/html; }
}

重新加载 nginx 配置

# 进入容器
docker exec -it nginx /bin/bash
# 测试配置
nginx -t
# 重新加载配置
nginx -s reload

# 或直接执行命令
docker exec nginx nginx -v
docker exec nginx nginx -t
docker exec nginx nginx -s reload

注意： 以下所有操作均在容器内执行。

安装 acme.sh 依赖

apt-get update
apt-get install -y git socat cron vim

安装 acme.sh

# 下载源码
git clone https://github.com/acmesh-official/acme.sh.git
cd ./acme.sh
# 查看帮助
./acme.sh -h
# 安装 acme.sh
./acme.sh --install -m xxxxxxxx@qq.com
# 查看 acme.sh 更新证书任务
crontab -l

注：目前证书在 60 天以后会自动更新, 你无需任何操作. 今后有可能会缩短这个时间, 不过都是自动的, 你不用关心。

域名所有权完成验证后将自动生成证书

./acme.sh --issue -d mydomain.com -w /usr/share/nginx/html

生成 SSL 证书

./acme.sh --install-cert -d mydomain.com \
--key-file       /etc/nginx/sslmydomain.com.key  \
--fullchain-file /etc/nginx/sslmydomain.com.pem

修改配置文件，添加 SSL 证书配置

cd /home/nginx/conf.d
vim default.conf

server {listen        80;server_name   mydomain.com;rewrite ^(.*) https://mydomain.com$1 permanent;
}server {listen       443 ssl;server_name  mydomain.com;# 配置 SSL 证书ssl_certificate /etc/nginx/ssl/sslmydomain.com.pem;ssl_certificate_key /etc/nginx/ssl/sslmydomain.com.key;ssl_protocols TLSv1 TLSv1.1 TLSv1.2;ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;ssl_prefer_server_ciphers on;ssl_session_timeout 1d;client_max_body_size 20M;client_body_buffer_size 128k;location / {root   /usr/share/nginx/html;index  index.html index.htm;}error_page   500 502 503 504  /50x.html;location = /50x.html {root   /usr/share/nginx/html;}
}

重新加载 nginx 配置

nginx -s reload

查看已安装证书

./acme.sh --info -d mydomain.com

请求头参数带下划线

cd /home/nginx
vim nginx.conf

user  nginx;
worker_processes  auto;error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;events {worker_connections  1024;
}http {include       /etc/nginx/mime.types;default_type  application/octet-stream;log_format  main  '$remote_addr - $remote_user [$time_local] "$request" ''$status $body_bytes_sent "$http_referer" ''"$http_user_agent" "$http_x_forwarded_for"';access_log  /var/log/nginx/access.log  main;sendfile        on;#tcp_nopush     on;# 请求头参数带下划线underscores_in_headers on;keepalive_timeout  65;#gzip  on;include /etc/nginx/conf.d/*.conf;
}