Installing nginx with Docker and configuring SSL


1. Pull the latest nginx image directly

docker pull nginx

2. Preparation

1) Create the mount directories

To make later configuration and management easier, the folders inside the nginx container are mounted from the host (this post uses the /opt directory).

cd /opt && mkdir nginx && cd $_ && mkdir -p {ssl,logs}

ssl holds the certificate for the domain; logs holds the nginx logs.

2) Place the domain's certificate in the ssl folder

If you are not configuring SSL, skip this step.

3. Start an nginx container

This temporary container only exists so the relevant folders can be copied out with docker cp and mounted later.

docker run --name nginx -p 80:80 -d nginx

4. Copy the files out of the container

docker cp nginx:/etc/nginx/nginx.conf /opt/nginx
docker cp nginx:/etc/nginx/conf.d /opt/nginx
docker cp nginx:/usr/share/nginx/html /opt/nginx/html

5. Remove the temporary container

docker rm -f nginx

6. Edit nginx.conf

The configuration below can be used directly as nginx.conf.

user nginx;
# Usually the number of CPU cores, or cores x 2
# Check the core count with: lscpu
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;

# Maximum connections per nginx server = worker_processes * worker_connections
# The system's maximum open-file limit must be >= worker_connections * worker_processes
# Check the open-file limit with: ulimit -n
events {
    worker_connections  264000;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/host.access.log  main;
    client_max_body_size 100m;

    sendfile        on;
    tcp_nopush      on;
    tcp_nodelay     on;

    keepalive_timeout  65;

    gzip               on;
    gzip_vary          on;
    gzip_comp_level    2;
    gzip_buffers       32 4k;
    gzip_min_length    1k;
    gzip_proxied       any;
    gzip_http_version  1.0;
    # Disable gzip for old MSIE versions (covers the "msie6" shorthand as well)
    gzip_disable       "MSIE [1-6]\.";
    gzip_types text/plain text/xml text/css text/javascript application/javascript application/x-javascript application/xml application/xml+rss application/json application/x-httpd-php application/vnd.ms-fontobject font/ttf font/opentype font/x-woff image/svg+xml image/jpeg image/jpg image/gif image/png;

    # Include extra configuration files (one per service if you want to split them up)
    include /etc/nginx/conf.d/*.conf;
}

7. default.conf

1) Replace the proxy_pass target with your own server's domain name or IP address.
2) Replace everything related to icusu.com with your own domain (if you are not configuring SSL, the SSL-related settings can be ignored).

upstream www.icusu.com {
    server 172.17.0.1:3000;
}

# Port 80, with www: redirect to https
server {
    listen 80;
    listen  [::]:80;
    server_name www.icusu.com;
    rewrite ^(.*) https://$server_name$1 permanent;
}

# Port 80, without www: redirect to https
server {
    listen 80;
    listen  [::]:80;
    server_name icusu.com;
    rewrite ^(.*) https://$server_name$1 permanent;
}

# Port 443, without www: redirect to the www host over https
server {
    listen 443 ssl;
    listen  [::]:443 ssl;
    server_name icusu.com;
    ssl_certificate /etc/nginx/ssl/icusu.com_bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/icusu.com.key;
    ssl_trusted_certificate /etc/nginx/ssl/icusu.com_bundle.crt;
    return 301 https://www.icusu.com$request_uri;
}

server {
    # Listen on IPv4 port 443 with TLS and allow HTTP/2
    listen 443 ssl http2;
    # Listen on IPv6 port 443 with TLS and allow HTTP/2
    listen  [::]:443 ssl http2;
    # The domain the certificate is bound to
    server_name www.icusu.com;

    # Certificate location; note that the path is /etc/nginx/ssl inside the container
    ssl_certificate /etc/nginx/ssl/icusu.com_bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/icusu.com.key;
    ssl_trusted_certificate /etc/nginx/ssl/icusu.com_bundle.crt;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
    ssl_ecdh_curve secp384r1;

    ssl_session_timeout  10m;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_session_tickets on;
    # Must match the key file generated in the session ticket section below
    ssl_session_ticket_key /etc/nginx/ssl/session_ticket.key;

    resolver 8.8.8.8 8.8.4.4 valid=60s ipv6=off;
    resolver_timeout 5s;

    add_header Strict-Transport-Security "max-age=63072000" always;

    fastcgi_param  HTTPS on;
    fastcgi_param  HTTP_SCHEME https;

    location / {
        # Site root directory
        root   /usr/share/nginx/html;
        index  index.html index.htm;
        # Requests for paths that do not exist would otherwise land on nginx's 404 page;
        # the following line falls back to the index page instead
        try_files $uri $uri/ /index.html /index.htm;

        autoindex_localtime on;

        # Reverse proxy headers
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        client_max_body_size        100m;
        client_body_buffer_size     128k;

        proxy_buffer_size           4k;
        proxy_buffers               4 32k;
        proxy_busy_buffers_size     64k;
        proxy_temp_file_write_size  64k;

        resolver 114.114.114.114;
        set $www www.icusu.com;
        proxy_pass http://$www;
    }
}

Configuring ssl_session_tickets for HTTPS

A session ticket is an encrypted data blob that contains the TLS connection state needed for resumption, such as the session key. It is encrypted with a ticket key that only the server knows. During the initial handshake the server sends a session ticket to the client, which stores it locally; when the session is resumed, the client sends the ticket back to the server, which decrypts it and resumes the session.

1) Relative file paths in the configuration start from the directory where nginx.conf is located.

2) Configure ssl_session_ticket_key

This lets several nginx servers share session resumption state, solving the session-cache sharing problem. The key can be generated with the following command:

openssl rand 80 > /opt/nginx/ssl/session_ticket.key

3) Configuration directives

server {
    listen 443 ssl default_server;
    ssl_certificate /etc/nginx/ssl/icusu.com_bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/icusu.com.key;

    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets     on;
    ssl_session_ticket_key  /etc/nginx/ssl/session_ticket.key;
}

::: tip Note
When using ssl_session_tickets in nginx, there is no automatic mechanism for rotating the ticket key; a new random key can only be reloaded or created by restarting Apache or nginx.
:::
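The rotation helper below is an added example and not part of the original post. It assumes the /opt/nginx/ssl layout used above, and it assumes the server block lists two ssl_session_ticket_key directives (the current key first, then /etc/nginx/ssl/session_ticket.prev.key): nginx encrypts new tickets with the first key and uses the remaining keys only to decrypt tickets issued earlier, so a reload picks up a fresh key without invalidating every outstanding ticket at once. A 48-byte file selects AES-128 and an 80-byte file selects AES-256 for the ticket encryption; the post's 80-byte key is kept here. Because a ticket key decrypts every resumption secret it ever protected, the files are created with mode 0600 and the post's container only needs them read-only.

```shell
#!/bin/sh
# Hypothetical ssl_session_ticket_key rotation helper (added example, not from the post).
# Assumes the nginx server block contains, in this order:
#   ssl_session_ticket_key /etc/nginx/ssl/session_ticket.key;
#   ssl_session_ticket_key /etc/nginx/ssl/session_ticket.prev.key;
KEY_DIR="${KEY_DIR:-/opt/nginx/ssl}"
KEY_BYTES=80   # 80 bytes -> AES-256 ticket encryption; 48 bytes would select AES-128

# Write a fresh random key file with restrictive permissions and verify its size.
new_ticket_key() {
    out="$1"
    # umask inside a subshell so the rest of the script keeps its own umask
    ( umask 077
      openssl rand -out "$out" "$KEY_BYTES" 2>/dev/null \
          || head -c "$KEY_BYTES" /dev/urandom > "$out" )
    [ "$(wc -c < "$out")" -eq "$KEY_BYTES" ]
}

# Demote the current key to "previous" (decrypt-only) and create a new current key.
# On the very first run both files are created so the two directives always resolve.
rotate_ticket_keys() {
    dir="$1"
    mkdir -p "$dir"
    if [ -f "$dir/session_ticket.key" ]; then
        mv "$dir/session_ticket.key" "$dir/session_ticket.prev.key"
    else
        new_ticket_key "$dir/session_ticket.prev.key"
    fi
    new_ticket_key "$dir/session_ticket.key"
}

# Number of correctly sized key files present (used to check the result).
ticket_key_count() {
    n=0
    for f in "$1/session_ticket.key" "$1/session_ticket.prev.key"; do
        if [ -f "$f" ]; then
            if [ "$(wc -c < "$f")" -eq "$KEY_BYTES" ]; then
                n=$((n + 1))
            fi
        fi
    done
    echo "$n"
}

# Usage: KEY_DIR=/opt/nginx/ssl sh rotate_ticket_keys.sh --rotate
# Rotates the keys and reloads the running "nginx" container from section 8
# (a reload re-reads the key files; no restart is needed).
if [ "${1:-}" = "--rotate" ]; then
    rotate_ticket_keys "$KEY_DIR" && docker exec nginx nginx -s reload
fi
```

Run it from cron at an interval shorter than ssl_session_timeout; each run keeps exactly one previous key, so a ticket survives at most one rotation, which is the forward-secrecy window you are accepting.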

8. Start nginx

::: tip Note
Make sure ports 80 and 443 are open.
:::

docker run \
--name nginx \
-p 443:443 -p 80:80 \
-v /opt/nginx/logs:/var/log/nginx \
-v /opt/nginx/html:/usr/share/nginx/html \
-v /opt/nginx/nginx.conf:/etc/nginx/nginx.conf \
-v /opt/nginx/conf.d:/etc/nginx/conf.d \
-v /opt/nginx/ssl:/etc/nginx/ssl/ \
--privileged=true -d --restart=on-failure:3 nginx
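The pre-flight script below is an added example and not part of the original post. It serves both the default.conf from section 7 and the docker run command above. The audit function greps a config file for settings a reviewer would flag in the post's default.conf: ssl_protocols that still enable TLS 1.0 and 1.1 (both deprecated by RFC 8996 and rejected by current browsers), a port-443 listen line without the ssl parameter (such a listener answers plaintext HTTP on the HTTPS port), ssl_stapling without the ssl_trusted_certificate that ssl_stapling_verify needs, and a missing Strict-Transport-Security header. The launch function then validates the configuration with nginx -t in a throwaway container before starting the real one, mounts the configuration, certificates and site content read-only, and drops --privileged, which the official image does not need to bind ports 80 and 443 and which would otherwise hand a compromised nginx process full access to the host's devices. The sample config written to /tmp is constructed for the stand-alone run; the /opt/nginx paths are the ones from the post.

```shell
#!/bin/sh
# Hypothetical pre-flight check and hardened launch (added example, not from the post).
# Constructed sample config for the stand-alone run; it repeats the weak spots of the
# post's default.conf (TLSv1/TLSv1.1 enabled, IPv6 443 listener without "ssl",
# stapling without a trusted-certificate bundle) under a placeholder domain.
SAMPLE_CONF="${TMPDIR:-/tmp}/audit-sample-default.conf"
cat > "$SAMPLE_CONF" <<'EOF'
server {
    listen 443 ssl http2;
    listen  [::]:443 http2;
    server_name www.example.test;
    ssl_certificate /etc/nginx/ssl/example.test_bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/example.test.key;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    add_header Strict-Transport-Security "max-age=63072000" always;
}
EOF

# Print one finding per line; always returns 0 so callers can count the lines.
audit_nginx_tls_conf() {
    conf="$1"
    # 1. TLS 1.0 / 1.1 are deprecated (RFC 8996); only TLSv1.2 and TLSv1.3 should remain.
    if grep -Eq '^[[:space:]]*ssl_protocols[^;]*(TLSv1|TLSv1\.1)([[:space:];]|$)' "$conf"; then
        echo "WEAK: ssl_protocols enables TLSv1/TLSv1.1; use 'ssl_protocols TLSv1.2 TLSv1.3;'"
    fi
    # 2. A 443 listen line without "ssl" serves plaintext HTTP on the HTTPS port.
    grep -E '^[[:space:]]*listen[[:space:]]+[^;]*443([[:space:];]|$)' "$conf" \
        | grep -Ev '[[:space:]]ssl([[:space:];]|$)' \
        | while IFS= read -r line; do
              echo "WEAK: 443 listener lacks 'ssl': $line"
          done
    # 3. ssl_stapling_verify needs ssl_trusted_certificate to validate OCSP responses.
    if grep -Eq '^[[:space:]]*ssl_stapling[[:space:]]+on' "$conf" \
       && ! grep -Eq '^[[:space:]]*ssl_trusted_certificate' "$conf"; then
        echo "WEAK: ssl_stapling on without ssl_trusted_certificate"
    fi
    # 4. HSTS keeps clients from silently downgrading to the port-80 redirect.
    if ! grep -q 'Strict-Transport-Security' "$conf"; then
        echo "MISSING: no Strict-Transport-Security header"
    fi
    return 0
}

# Number of findings for a config file (0 when it is clean).
audit_count() {
    audit_nginx_tls_conf "$1" | grep -c . || true
}

# Validate the config in a throwaway container, then start nginx with read-only
# mounts and without --privileged. $1 is the host directory from the post.
launch_nginx() {
    base="${1:-/opt/nginx}"
    docker run --rm \
        -v "$base/nginx.conf:/etc/nginx/nginx.conf:ro" \
        -v "$base/conf.d:/etc/nginx/conf.d:ro" \
        -v "$base/ssl:/etc/nginx/ssl:ro" \
        nginx nginx -t || return 1
    docker run --name nginx -d --restart=on-failure:3 \
        -p 80:80 -p 443:443 \
        -v "$base/logs:/var/log/nginx" \
        -v "$base/html:/usr/share/nginx/html:ro" \
        -v "$base/nginx.conf:/etc/nginx/nginx.conf:ro" \
        -v "$base/conf.d:/etc/nginx/conf.d:ro" \
        -v "$base/ssl:/etc/nginx/ssl:ro" \
        nginx
}

# Usage: sh preflight.sh            -> audits the constructed sample only
#        sh preflight.sh --launch   -> audits /opt/nginx/conf.d/default.conf, then launches
if [ "${1:-}" = "--launch" ]; then
    audit_nginx_tls_conf /opt/nginx/conf.d/default.conf
    launch_nginx /opt/nginx
else
    audit_nginx_tls_conf "$SAMPLE_CONF"
fi
```

The audit is intentionally a plain grep pass over the directives this post uses, not a full nginx parser; treat a clean result as "none of these four mistakes", and keep nginx -t as the authoritative syntax check.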

At this point the installation and configuration are complete.

Common commands

# Stop nginx
docker stop nginx
# Restart nginx
docker restart nginx
# Follow the nginx logs
docker logs -f nginx