Installing nginx with Docker and configuring it for access over https

  • 2021-01-02 22:03:49
  • OfStack

1. Download the latest nginx docker image


$ docker pull nginx:latest

2. Start the nginx container

Run the following command to start the nginx container:


docker run --detach \
    --name wx-nginx \
    -p 443:443 \
    -p 80:80 \
    -v /home/evan/workspace/wxserver/nginx/data:/usr/share/nginx/html:rw \
    -v /home/evan/workspace/wxserver/nginx/config/nginx.conf:/etc/nginx/nginx.conf:rw \
    -v /home/evan/workspace/wxserver/nginx/config/conf.d/default.conf:/etc/nginx/conf.d/default.conf:rw \
    -v /home/evan/workspace/wxserver/nginx/logs:/var/log/nginx/:rw \
    -v /home/evan/workspace/wxserver/nginx/ssl:/ssl/:rw \
    nginx

Port 443 is mapped for https requests and port 80 for http requests. The directory where nginx stores the default home page html is mapped to the host directory /home/evan/workspace/wxserver/nginx/data, and the nginx configuration file is mapped to the host file /home/evan/workspace/wxserver/nginx/config/nginx.conf.

Here you need to prepare the following files:

1. Configuration file of nginx

The first is the nginx.conf file. The default configuration file is shown below:


# User that nginx runs as
user nginx;
# Number of worker processes; usually set equal to the number of CPUs
worker_processes 1;

# Location of the global error log and the PID file
error_log /var/log/nginx/error.log warn;
pid    /var/run/nginx.pid;

# Working mode and upper limit of connections
events {
  # Maximum number of concurrent connections for a single worker process
  worker_connections 1024;
}


http {
  # Set the MIME types
  include    /etc/nginx/mime.types;
  default_type application/octet-stream;

  # Set the log format
  log_format main '$remote_addr - $remote_user [$time_local] "$request" '
           '$status $body_bytes_sent "$http_referer" '
           '"$http_user_agent" "$http_x_forwarded_for"';

  access_log /var/log/nginx/access.log main;

  sendfile    on;
  #tcp_nopush   on;

  # Set the keep-alive connection timeout
  keepalive_timeout 65;

  # Enable gzip compression
  #gzip on;

  include /etc/nginx/conf.d/*.conf;
}

As the last line shows, this configuration file also includes conf.d/default.conf, which is used to configure the server block:


server {
  listen  80;    # Listen on port 80; to force all access over HTTPS, comment this line out
  server_name www.buagengen.com;       # The domain name

  #charset koi8-r;
  #access_log /var/log/nginx/host.access.log main;

  # Define the home page directory and index file names
  location / {
    root  /usr/share/nginx/html;
    index index.html index.htm;
  }

  # Define the error page
  #error_page 404       /404.html;

  # Redirect server error pages to /50x.html
  error_page  500 502 503 504 /50x.html;
  location = /50x.html {
    root  /usr/share/nginx/html;
  }
}

2. html file of the default homepage of nginx

You can write your own html file for this; any page will do.

At this point, you can access the html file served by nginx directly through the IP address. However, this access works over http only; https does not work yet, because we still need to add a certificate to the nginx server.

3. Generate certificates through openssl

Generate server.key. The passphrase needs to be entered twice:


openssl genrsa -des3 -out server.key 2048

Create the certificate signing request. First, you need to enter the passphrase set previously:


openssl req -new -key server.key -out server.csr

Then you need to enter the following information. You can fill it in however you like, since this is only for testing anyway:


Country Name (2 letter code) [AU]:  country 
State or Province Name (full name) [Some-State]:  province 
Locality Name (eg, city) []:  city 
Organization Name (eg, company) [Internet Widgits Pty Ltd]:  Company name 
Organizational Unit Name (eg, section) []: 
Common Name (e.g. server FQDN or YOUR name) []:  Website domain name 
Email Address []:  email 

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:  A password is required here 
An optional company name []:

Write out the RSA private key (the previous passphrase is also required here):


openssl rsa -in server.key -out server_nopwd.key

Sign the request with the private key to obtain the certificate:


openssl x509 -req -days 365 -in server.csr -signkey server_nopwd.key -out server.crt

After this step, we have the certificate file and private key we need:

server.crt server.key

4. Configure nginx server to support https access

Copy the files generated in the previous step to the host's ssl directory, /home/evan/workspace/wxserver/nginx/ssl.

Then modify the configuration file default.conf to add ssl support:


server {
  listen  80;    # Listen on port 80; to force all access over HTTPS, comment this line out
  listen  443 ssl;
  server_name www.buagengen.com;       # The domain name

  # Add ssl
  #ssl on;    # To force HTTPS access, enable this line (obsolete directive; the ssl parameter of listen above replaces it)
  ssl_certificate /ssl/server.crt;
  ssl_certificate_key /ssl/server.key;

  ssl_session_cache  shared:SSL:1m;
  ssl_session_timeout 5m;

  # Protocol versions to enable; SSLv2 and SSLv3 are broken and must not be offered
  ssl_protocols TLSv1.2 TLSv1.3;

  ssl_ciphers HIGH:!aNULL:!MD5; # Cipher suites to allow, in the format OpenSSL understands
  ssl_prefer_server_ciphers on;  # Prefer the server's cipher order over the client's

  # Define the home page directory and index file names
  location / {
    root  /usr/share/nginx/html;
    index index.html index.htm;
  }

  # Redirect server error pages to /50x.html
  error_page  500 502 503 504 /50x.html;
  location = /50x.html {
    root  /usr/share/nginx/html;
  }
}

Restart the nginx container, and you can now access the nginx server via https.
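
Of the protocol names nginx accepts in ssl_protocols, SSLv2, SSLv3, TLSv1 and TLSv1.1 are deprecated. The check below is an added example, not part of the original article: it lists every deprecated version that an active ssl_protocols directive enables. The function names weak_tls_protocols and sample_conf and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an nginx configuration file for deprecated
# SSL/TLS versions enabled through the ssl_protocols directive.

# Prints one "LINE:PROTOCOL" entry per deprecated protocol found in FILE.
# Text after '#' is ignored, so commented-out directives are not reported.
# A directive that continues over several lines is followed up to its ';'.
weak_tls_protocols() {
    awk '
        {
            line = $0
            sub(/#.*/, "", line)       # drop comments
            gsub(/;/, " ; ", line)     # make the terminator its own token
            n = split(line, tok, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                if (tok[i] == "ssl_protocols")
                    in_dir = 1         # inside the directive
                else if (tok[i] == ";")
                    in_dir = 0         # directive ends
                else if (in_dir && tok[i] ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/)
                    print NR ":" tok[i]
            }
        }
    ' "$1"
}

# Constructed sample input: a server block with a weak protocol list.
sample_conf() {
    cat <<'EOF'
server {
  listen 443 ssl;
  #ssl_protocols SSLv3;
  ssl_protocols SSLv2 SSLv3 TLSv1.2;
  ssl_ciphers HIGH:!aNULL:!MD5;
}
EOF
}

conf=$(mktemp)
sample_conf > "$conf"
weak_tls_protocols "$conf"   # findings for the sample, one per line
rm -f "$conf"
```

Run it against the mounted default.conf before restarting the container; an empty result means no deprecated version is enabled.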

