docker nginx + https Subdomain Configuration Detailed Tutorial
- 2021-10-27 09:56:08
- OfStack
Today I was helping a friend migrate his server, so I went through the basic server setup once more, and ran into a problem along the way. It turns out that current versions of Google Chrome and Safari force http to https.
At first I did not know what was going on, so I reset the domain name records once. Since ping resolved the domain name to the server address correctly, suspicion turned to the http -> https redirect. I found that the plain http domain could still be opened in WeChat's built-in browser, so the fix was to set up a certificate.
The certificate I use here is also free: acme.sh, which can be found on GitHub. Download it first:
curl https://get.acme.sh | sh
Then reload bash:
source ~/.bashrc
Now if you enter
acme.sh --help
you should see the help output.
Configuring acme
After installation, we can start issuing certificates. Here we use the DNS API directly to complete domain validation.
See the dnsapi documentation for details.
I'll take GoDaddy as an example.
First, set the key and secret (obtained from the provider) in the terminal configuration file:
export GD_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
export GD_Secret="asdfsdfsfsdfsdfdfsdf"
Next, run the command directly (the wildcard is quoted so the shell does not expand it):
acme.sh --issue --dns dns_gd -d demo.com -d '*.demo.com'
The certificate files are generated here; they are usually saved under /root/.acme.sh/xxx.com/xxx.com.cer.
To make maintaining our docker volume easier, create a separate folder for these certificates:
mkdir /opt/www/nginx/ssl
Then run the following command to install the certificate into the ssl directory:
acme.sh --install-cert -d demo.com \
--key-file /opt/www/nginx/ssl/demo.com.key \
--fullchain-file /opt/www/nginx/ssl/demo.com.crt
You should now see 2 files under /opt/www/nginx/ssl.
At this point the domain certificate configuration is complete. Next we write the docker-compose.yml.
Creating a container using docker-compose
version: '3.5'
services:
  app:
    image: nginx:1.19.8
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./conf/nginx.conf:/etc/nginx/nginx.conf # Configuration file
      - /opt/www:/opt/www                        # Project directory
      - /opt/www/nginx/ssl:/opt/www/ssl          # Certificate files
    restart: always
networks:
  default:
    name: default-network
After writing the yml file, we configure nginx. Before the nginx settings themselves, generate the key exchange file (the DHE parameter file):
openssl dhparam -out /opt/www/nginx/ssl/dhparam.pem 2048
Next, configure the
/.well-known/acme-challenge
path. This is a directory that Let's Encrypt must be able to access, so we first create it:
mkdir /opt/www/letsencrypt
Then add the following server block to the nginx configuration file:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    location /.well-known/acme-challenge {
        root /opt/www/letsencrypt;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}
The configuration above redirects all http requests to https.
Next we configure the server block for our own domain name.
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name demo.com;
    root /opt/www/html;
    index index.html index.htm index.php;

    # Diffie-Hellman key exchange parameters
    ssl_dhparam /opt/www/ssl/dhparam.pem;
    # Note: TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.2 and TLSv1.3 are the current recommendation
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;

    # Certificate files
    ssl_certificate /opt/www/ssl/demo.com.crt;
    ssl_certificate_key /opt/www/ssl/demo.com.key;

    # Enable HSTS with preload support
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    access_log /var/log/nginx/demo.com.access.log;
    error_log /var/log/nginx/demo.com.error.log;
}
If a subdomain also needs to be configured, just copy the server block above and change the domain-specific lines; the other settings can stay unchanged. An A record for the subdomain must also be added at the domain name provider.
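As an added example (not from the original post), here is what such a copied block looks like for a hypothetical subdomain blog.demo.com, reusing the wildcard certificate issued above for *.demo.com; it assumes the site files live in /opt/www/blog. Note that default_server is dropped, because nginx allows only one default server per listen address, and the protocol list is tightened to TLS 1.2/1.3.

```nginx
# Added example: subdomain served from the same container with the *.demo.com
# wildcard certificate. Paths and the subdomain name are assumptions.
server {
    listen 443 ssl http2;          # no default_server: demo.com already has it
    listen [::]:443 ssl http2;
    server_name blog.demo.com;     # hypothetical subdomain; needs its own A record
    root /opt/www/blog;            # assumed project directory under the /opt/www volume
    index index.html index.htm;

    # Same wildcard certificate, key and DH parameters as the main domain
    ssl_certificate     /opt/www/ssl/demo.com.crt;
    ssl_certificate_key /opt/www/ssl/demo.com.key;
    ssl_dhparam         /opt/www/ssl/dhparam.pem;

    # Hardened relative to the main block: TLS 1.0/1.1 and 3DES/CBC suites are
    # deprecated, so only TLS 1.2/1.3 with AEAD ciphers are offered here
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;

    # "always" makes nginx send the headers on error responses too
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;

    access_log /var/log/nginx/blog.demo.com.access.log;
    error_log  /var/log/nginx/blog.demo.com.error.log;
}
```

Because the main block on the page already includes includeSubDomains in its HSTS header, every subdomain you add this way must serve https, or browsers that have seen demo.com will refuse to load it over plain http.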
The final nginx.conf is:
At this point our configuration is basically complete.
Now you only need to start the container with docker-compose
to finish the nginx + https multi-domain configuration in docker.