docker nginx + https Subdomain Configuration Detailed Tutorial

  • 2021-10-27 09:56:08
  • OfStack

Today I helped a friend migrate his server, and while setting up the basics I ran into a few problems. It turned out that current versions of Google Chrome and Safari were forcing the http address over to https.

At first I did not know what was going on, and I reset the DNS record once. Since ping resolved the domain to the server's address without trouble, attention turned to the http -> https switch, and I found that the http version of the site could still be opened in WeChat's built-in browser. So the fix was to set up a certificate.

The certificate used here is free as well: it is issued with acme.sh, which can be found on GitHub. Download it first:


curl https://get.acme.sh | sh

Then reload the shell configuration:


source ~/.bashrc

Running acme.sh --help should now print the usage information.

Configuring acme

After installation we can issue certificates. Here the DNS API is used to complete domain validation.

See the dnsapi documentation of acme.sh for details.

GoDaddy is used as the example here.

First, export the API key and secret (obtained from the provider) in the shell:


export GD_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
export GD_Secret="asdfsdfsfsdfsdfdfsdf"

Next, issue the certificate for the apex domain and the wildcard in one command:


acme.sh --issue --dns dns_gd -d demo.com -d *.demo.com

A certificate file is generated here. It is usually saved under /root/.acme.sh/xxx.com/xxx.com.cer.

To make the docker volume easier to maintain, create a separate folder for these certificates:


mkdir /opt/www/nginx/ssl

Then install the certificate and key into the ssl directory:


acme.sh --install-cert -d demo.com \
--key-file /opt/www/nginx/ssl/demo.com.key \
--fullchain-file /opt/www/nginx/ssl/demo.com.crt

There should now be two files under /opt/www/nginx/ssl: demo.com.key and demo.com.crt.
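Before pointing nginx at the two files, it is worth checking that they belong together and that the certificate covers both names requested above. The script below is an added example, not part of the original post or of acme.sh; cert_matches_key, cert_covers_name and cert_valid_for_days are names chosen here, and it builds a throwaway self-signed pair in a temporary directory so it runs offline.

```shell
#!/bin/sh
# Added example (not part of the original post or of acme.sh): sanity-check the
# installed certificate/key pair before nginx is pointed at it. Needs only openssl.
set -eu

# Print "ok" when the public key embedded in the certificate equals the one derived
# from the private key, "mismatch" otherwise (nginx refuses to start on a mismatch).
cert_matches_key() {   # $1 = certificate (fullchain is fine), $2 = private key
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    if [ "$crt_pub" = "$key_pub" ]; then echo ok; else echo mismatch; fi
}

# Print "yes" if the leaf certificate's subjectAltName lists $2 exactly. A wildcard
# *.demo.com does not cover demo.com itself (nor a second level such as a.b.demo.com),
# which is why the issue command above requests both -d demo.com and -d *.demo.com.
cert_covers_name() {   # $1 = certificate, $2 = DNS name
    if openssl x509 -in "$1" -noout -ext subjectAltName \
        | tr ',' '\n' | sed 's/^ *DNS://' | grep -qxF "$2"; then echo yes; else echo no; fi
}

# Print "yes" if the certificate is still valid $2 days from now (acme.sh renews
# automatically, but a cron job that has silently stopped is easy to miss).
cert_valid_for_days() {  # $1 = certificate, $2 = days
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
        echo yes; else echo no; fi
}

# Constructed sample pair so this runs offline; in practice point the functions at
# /opt/www/nginx/ssl/demo.com.crt and demo.com.key instead.
SAMPLE_DIR=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$SAMPLE_DIR/demo.com.key" -out "$SAMPLE_DIR/demo.com.crt" \
    -subj "/CN=demo.com" -addext "subjectAltName=DNS:demo.com,DNS:*.demo.com" 2>/dev/null
openssl genpkey -algorithm RSA -out "$SAMPLE_DIR/other.key" 2>/dev/null   # unrelated key

cert_matches_key "$SAMPLE_DIR/demo.com.crt" "$SAMPLE_DIR/demo.com.key"   # ok
cert_matches_key "$SAMPLE_DIR/demo.com.crt" "$SAMPLE_DIR/other.key"      # mismatch
cert_covers_name "$SAMPLE_DIR/demo.com.crt" '*.demo.com'                 # yes
cert_covers_name "$SAMPLE_DIR/demo.com.crt" www.demo.com                 # no
cert_valid_for_days "$SAMPLE_DIR/demo.com.crt" 10                        # yes
```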

The domain certificate is now in place. Next, write the docker-compose.yml.

Creating a container using docker-compose


version: '3.5'
services:
  app:
    image: nginx:1.19.8
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./conf/nginx.conf:/etc/nginx/nginx.conf   # nginx configuration file
      - /opt/www:/opt/www                         # project directory
      - /opt/www/nginx/ssl:/opt/www/ssl           # certificate files
    restart: always
networks:
  default:
    name: default-network

With the yml file written, we move on to nginx. Before the nginx settings themselves, generate the DHE parameter file used for the key exchange:


openssl dhparam -out /opt/www/nginx/ssl/dhparam.pem 2048

Then configure /.well-known/acme-challenge. Let's Encrypt must be able to reach this directory when it validates a domain over HTTP, so it has to be served first.

Create the directory with mkdir /opt/www/letsencrypt, then add the following server block to the nginx configuration file:


server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    # ACME HTTP-01 challenge files are served from /opt/www/letsencrypt/.well-known/acme-challenge
    location /.well-known/acme-challenge {
        root /opt/www/letsencrypt;
    }

    # everything else goes to https
    location / {
        return 301 https://$host$request_uri;
    }
}

The configuration above redirects all http requests to https.

Then configure the server block for our own domain:


server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    server_name demo.com;

    root /opt/www/html;
    index index.html index.htm index.php;

    # Diffie-Hellman parameters for the DHE key exchange (generated above)
    ssl_dhparam /opt/www/ssl/dhparam.pem;

    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.2 TLSv1.3 is the usual choice today
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;

    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;

    # certificate and private key installed by acme.sh (container path of /opt/www/nginx/ssl)
    ssl_certificate /opt/www/ssl/demo.com.crt;
    ssl_certificate_key /opt/www/ssl/demo.com.key;

    # enable HSTS with preload
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    access_log /var/log/nginx/demo.com.access.log;
    error_log /var/log/nginx/demo.com.error.log;
}

If subdomains need to be configured, copy the server block above and change only the per-domain fields (server_name, root, certificate paths and log paths); everything else can stay as it is. An A record for the subdomain also has to be added at the DNS provider.
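For the subdomain case just described, and as a hardened counterpart to the 443 block above, here is an added example (not code from the original post): it renders a server block for an extra hostname with only the per-domain fields changed, and lints a config for the TLSv1/TLSv1.1 settings the post's block still enables. The function names render_https_vhost and weak_tls_protocols and the /opt/www/<host> document root are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): emit the https server block for one
# more hostname, changing only the per-domain fields, and lint any nginx config for
# TLS versions that should no longer be offered (RFC 8996 deprecates 1.0 and 1.1).
set -eu

# $1 = hostname to serve, $2 = name the certificate files are stored under. A host
# covered by the wildcard issued above (api.demo.com) reuses demo.com.crt/.key.
# default_server is deliberately absent: nginx allows exactly one per listen
# address, and the demo.com block already claims it ("duplicate default server").
render_https_vhost() {
    host=$1; cert=$2
    cat <<EOF
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ${host};

    root /opt/www/${host};
    index index.html index.htm;

    ssl_certificate     /opt/www/ssl/${cert}.crt;
    ssl_certificate_key /opt/www/ssl/${cert}.key;
    ssl_dhparam         /opt/www/ssl/dhparam.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;

    access_log /var/log/nginx/${host}.access.log;
    error_log  /var/log/nginx/${host}.error.log;
}
EOF
}

# Read an nginx config on stdin and print the protocols it enables below TLS 1.2,
# space separated; prints nothing when the config is clean.
weak_tls_protocols() {
    sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p' \
        | tr ' ' '\n' | grep -Ex 'SSLv3|TLSv1|TLSv1\.1' | tr '\n' ' ' | sed 's/ *$//'
}

render_https_vhost api.demo.com demo.com                               # prints the block
printf 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n' | weak_tls_protocols   # TLSv1 TLSv1.1
```

The nginx:1.19.8 image used above ships an OpenSSL that supports TLSv1.3, so the rendered block works unchanged in that container.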


The final nginx conf is:


At this point the configuration is essentially complete.

Now you just need to run the command


and the nginx + https multi-domain configuration in docker is done.
