我使用nginx作为代理将请求转发给其他组件(服务器)。
每个组件,包括nginx都实现为docker容器,即我有一个docker容器,用于'nginx-proxy','dashboard-server','backend-server'(REST API)和'landing-server'(登陆页面)。后三个组件都是NodeJS Express服务器并且当我使用命令docker-compose build
时没有错误但是当我使用docker-compose -f docker-compose.yml -f docker-compose.prod.yml up -d
启动容器时NodeJS容器工作正常,但是nginx容器给了我使用docker-compose logs nginx-proxy
:
Attaching to docker_nginx-proxy_1
nginx-proxy_1 | /start.sh: line 5: openssl: command not found
nginx-proxy_1 | Creating dhparams…\c
nginx-proxy_1 | ok
nginx-proxy_1 | Starting nginx…
nginx-proxy_1 | 2017/08/23 23:27:20 [emerg] 6#6:
BIO_new_file(“/etc/letsencrypt/live/admin.domain.com/fullchain.pem”)
failed (SSL: error:02001002:system library:fopen:No such file or directory:
fopen(‘/etc/letsencrypt/live/admin.domain.com/fullchain.pem’,‘r’) error:2006D080:BIO routines:BIO_new_file:no such file)
nginx-proxy_1 | nginx: [emerg]
BIO_new_file(“/etc/letsencrypt/live/admin.domain.com/fullchain.pem”) failed (SSL: error:02001002:system library:fopen:
No such file or directory:fopen(‘/etc/letsencrypt/live/admin.domain.com/fullchain.pem’,‘r’)error:2006D080:BIO routines:BIO_new_file:no such file)
我正在使用Lets Encrypt来获取SSL证书,但命令certbot certonly --webroot -w /var/www/letsencrypt -d admin.domain.com -d api.domain.com -d www.domain.com -d domain.com
会导致错误连接被拒绝,因为nginx服务器无法开始处理请求。
我的nginx Dockerfile (nginx-proxy / Dockerfile):
FROM nginx:1.12
COPY start.sh /start.sh
RUN chmod u+x /start.sh
COPY conf.d /etc/nginx/conf.d
COPY sites-enabled /etc/nginx/sites-enabled
ENTRYPOINT ["/start.sh"]
我的 start.sh 文件(nginx-proxy / start.sh):
#!/bin/bash
if [ ! -f /etc/nginx/ssl/dhparam.pem ]; then
echo "Creating dhparams…\c"
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
echo "ok"
fi
echo "Starting nginx…"
nginx -g 'daemon off;
我的 default.conf 文件(nginx-proxy / conf.d / default.conf):
include /etc/nginx/sites-enabled/*.conf;
我的 api.conf 文件(其他类似文件)(nginx-proxy / sites-enabled / api.conf):
server {
listen 80;
server_name api.domain.com;
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root /var/www/letsencrypt;
}
location = /.well-known/acme-challenge/ {
return 404;
}
return 301 https://$host$request_uri;
}
server {
listen 443;
server_name api.domain.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/api.domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/api.domain.com/privkey.pem;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:1m;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
client_max_body_size 0;
chunked_transfer_encoding on;
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root /var/www/letsencrypt;
}
location = /.well-known/acme-challenge/ {
return 404;
}
location / {
proxy_read_timeout 900;
proxy_pass_header Server;
proxy_cookie_path ~*^/.* /;
proxy_pass http://backend-server:3000;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
}
}
有什么想法吗?
答案 0 :(得分:5)
我找到了解决方案。
在我的nginx Dockerfile中,我不得不使用
FROM nginx:1.12-alpine
RUN apk update \
&& apk add openssl
...
然后openssl命令正常工作。
答案 1 :(得分:0)
首先,您可以尝试在openssl
行编辑您的start.sh文件到/usr/bin/openssl
。 /usr/bin/openssl
是否存在?
第二次,在/etc/letsencrypt/live/api.domain.com/fullchain.pem
和/etc/letsencrypt/live/api.domain.com/privkey.pem
文件存在之前,您的nginx服务器才会启动。
删除或注释处理443端口的所有服务器块,保留处理80端口的服务器块。你的api.conf将成为这个:
server {
listen 80;
server_name api.domain.com;
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root /var/www/letsencrypt;
}
location = /.well-known/acme-challenge/ {
return 404;
}
return 301 https://$host$request_uri;
}
然后启动你的nginx服务器并重试安装Let的加密证书。