本文详细介绍了如何在Centos7.9云服务器上使用Docker部署静态站点并配置SSL证书。首先,通过Docker安装并运行Nginx,然后通过Certbot在Docker容器内获取SSL证书,解决403错误,并调整Nginx配置文件以启用HTTPS。整个过程涉及防火墙端口开放、证书申请及Nginx配置等多个步骤。
1 概述
部署一个站点对维护人员来说是不可绕过的一道坎,今天就围绕这道坎说道说道。站点部署以静态站点为例展开说明
2 环境说明:
服务器:云服务器
操作系统:Centos7.9.2009(Core)
docker:20.10.7
nginx:1.21.1
git 1.8.3.1
3 操作步骤
3.1 安装nginx
1、docker 的安装
使用的是docker安装,所以需要确保docker的正确安装,本文不做过多介绍,如果不熟悉这块可以去查看之前的文章《云服务器搭建docker环境》
2、安装docker-compose
编排文件使用,可以不强制安装使用,安装步骤参考《Centos7系统下搭建个人网盘》
3、下载nginx版本
打开dockerhub网址,输入nginx,找到对应的版本进行下载。
#docker pull nginx:1.21.1
4、运行nginx
#docker run -d --name=nginx-web -p 8080:80 nginx
服务器查看端口开放情况,如果没有8080端口,使用除80以外的端口测试,防止有运营商屏蔽80端口导致,打开页面失败的情况。需要提前在防火墙上开具端口
开具方法
#firewall-cmd --zone=public --add-port=8080/tcp --permanent
#firewall-cmd --reload
浏览器中输入IP:端口
5、设置nginx
#docker run --rm -d -p 8080:80 --name nginx-web \
-v /data/docker/nginx/html:/usr/share/nginx/html \
-v /data/docker/nginx/conf.d/nginx.conf:/etc/nginx/nginx.conf \
-v /home/nginx/logs:/var/log/nginx \
nginx
再此打开浏览器后,提示403界面
403显示
解决方案:
如果在/usr/share/nginx/html下面没有index.html,直接访问域名,找不到文件,会报403 forbidden
因此需要在/usr/share/nginx/html目录下存在index.html文件(对本次配置,对应于宿主机上 /data/docker/nginx/html目录下存在index.html文件)
将文件部署到/data/docker/nginx/html目录下,重新打开页面
至此,基本站点已经可以正常访问了,但是浏览器地址栏前门的不安全字样像一把刀插在了标题前面
3.2 SSL部署
证书的选择
查看是否安装git如果没有,需要安装git工具
安装完毕查看
查看python版本
创建etc目录进入
#mkdir -p /data/docker/nginx/etc
1、确认安装ssh
ps -ef |grep ssh
ssh -V
2、安装snapd
2.1、安装依赖epel-release
#yum install eqel-release -y
2.2、安装snapd
#yum install snapd
加入系统服务
#systemctl enable --now snapd.socket
创建链接
ln -s /var/lib/snapd/snap /snap
3 更新snap版本
更新确保版本为最新的版本
#snap install core;
#snap refresh core
4、删除之前安装的证书文件和包文件
#yum remove certbot
5、安装证书Certbot
#snap install --classic certbot
6、准备证书命令
ln -s /snap/bin/certbot /usr/bin/certbot
7、选择安装方式
certbot --nginx
此步骤执行后,提示没有nginx,nginx是按照在docker里面的,所以这个没有找到也是正常
接下来转换思路,继续
[root@www etc]# docker run -it --rm certbot/certbot --help
Unable to find image 'certbot/certbot:latest' locally
latest: Pulling from certbot/certbot
339de151aab4: Pull complete
a860e27ad689: Pull complete
910a9a405b4b: Pull complete
bde2ad12a253: Pull complete
c6c8e9f0153d: Pull complete
508bd6ef00f6: Pull complete
6f44af20a45c: Pull complete
8cbf9de8cc9f: Pull complete
947c6eaba472: Pull complete
ac02c811cd16: Pull complete
a538d588fb92: Pull complete
25e2795d6dac: Pull complete
72b7fbf0c609: Pull complete
Digest: sha256:5bfc6f4cff95554ffb530b0298820b8e9509c58fffca0be79af63627bd9c1a0b
Status: Downloaded newer image for certbot/certbot:latest
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. The most common SUBCOMMANDS and flags are:
obtain, install, and renew certificates:
(default) run Obtain & install a certificate in your current webserver
certonly Obtain or renew a certificate, but do not install it
renew Renew all previously obtained certificates that are near
expiry
enhance Add security enhancements to your existing configuration
-d DOMAINS Comma-separated list of domains to obtain a certificate for
(the certbot apache plugin is not installed)
--standalone Run a standalone webserver for authentication
(the certbot nginx plugin is not installed)
--webroot Place files in a server's webroot folder for authentication
--manual Obtain certificates interactively, or using shell script
hooks
-n Run non-interactively
--test-cert Obtain a test certificate from a staging server
--dry-run Test "renew" or "certonly" without saving any certificates
to disk
manage certificates:
certificates Display information about certificates you have from Certbot
revoke Revoke a certificate (supply --cert-name or --cert-path)
delete Delete a certificate (supply --cert-name)
manage your account:
register Create an ACME account
unregister Deactivate an ACME account
update_account Update an ACME account
--agree-tos Agree to the ACME server's Subscriber Agreement
-m EMAIL Email address for important account notifications
More detailed help:
-h, --help [TOPIC] print this message, or detailed help on a topic;
the available TOPICS are:
all, automation, commands, paths, security, testing, or any of the
subcommands or plugins (certonly, renew, install, register, nginx,
apache, standalone, webroot, etc.)
-h all print a detailed help page including all topics
--version print the version number
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@www etc]#
使用docker生成证书
将下文中的目录替换成本机的目录,邮箱和www.XXXX.com更换成自己的邮箱和域名(邮箱用来到期前提醒续约,域名用来生成证书),注意证书生成需要调用域名的80端口,所以需要开启80端口
docker run -it --rm \
-v /data/docker/nginx/etc/certs/www.201509.xyz:/etc/letsencrypt \
-v /data/docker/nginx/etc/certs/www.201509.xyz:/var/lib/letsencrypt \
-v /data/docker/nginx/etc/certs/www.201509.xyz:/var/log/letsencrypt \
-v /data/docker/nginx/etc/certs/app:/data/letsencrypt \
certbot/certbot certonly \
--webroot \
--agree-tos \
--webroot-path=/data/letsencrypt \
-m yyyyyy@126.com \
-d www.XXXX.com \
操作过程中如果域名没有备案或者云服务器的限制可能会出现拦截的情况
以上执行完毕会在目录下生成证书文件,因为使用的是certonly参数,仅生成证书,需要将证书放置到nginx的对应的位置,编辑/data/docker/nginx/conf.d/nginx.conf
server
{
listen 80;
listen 443 ssl;
server_name www.XXXX.com;
ssl_certificate /home/certs/www.xxxx.com/live/www.xxxx.com/fullchain.pem; #证书里面,必须是包含两套完整的-----BEGIN CERTIFICATE-----和-----END CERTIFICATE-----
ssl_certificate_key /home/certswww.xxx.com/live/www.xxx.com/privkey.pem; #证书密钥文件
location / {
proxy_set_header Host $proxy_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Via "nginx";
proxy_pass http://webapp; #转向.netcore处理
}
}
防止网络设置原因引起以上问题,端口80、8080、443端口提前在防火墙上和nginx.conf配置文件中设置,确保低级错误不影响整体进度。
浏览器中打开在原IP地址上加上https访问
以上为网站的搭建和SSL设置。过程比较曲折,看的可能会比较懵逼,走一遍下来就好多了。
扫一扫
8241
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
