I have several containers that support HTTPS connections:

```yaml
certbot:
  image: certbot/certbot
  restart: unless-stopped
  volumes:
    - ./certbot/conf:/etc/letsencrypt
    - ./certbot/www:/var/www/certbot
  # Update certificates every 12 hours.
  entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
```

It installs the LetsEncrypt certificates and renews them every 12 hours.
In addition, I have two more containers:

```yaml
nginx:
  restart: always
  build: ./nginx
  ports:
    - "80:80"
    - "443:443"
  volumes:
    - db-data:/var/lib/postgresql
    - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
    - ./nginx/app.conf:/etc/nginx/conf.d/app.conf:ro
    - frontend-webroot:/var/www/app.com/public_html/:ro
    - ./certbot/conf:/etc/letsencrypt
    - ./certbot/www:/var/www/certbot
  depends_on:
    - api
    - frontend
  # Reloads nginx every 6 hours to make sure everything is OK.
  command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
```

It installs the certificates and reloads nginx every 6 hours (as recommended).
And another container:

```yaml
api:
  container_name: api
  restart: always
  build: ./web
  ports:
    - "9002:9002"
  volumes:
    - /usr/src/app/app/static
    - ./certbot/conf:/etc/letsencrypt
    - ./certbot/www:/var/www/certbot
  depends_on:
    - postgres
```

This container provides a REST API, and I am not sure whether reloading this container every X hours to pick up the renewed LetsEncrypt certificate is a good idea.

What is wrong with this architecture? And how can it be improved so that the container with the REST API does not need to be reloaded, while still making it possible to use the certificates?
**Update**

What I expect from the application:

It should serve the home page and so on, for example via API calls:

```
GET https://localhost:9000/api/endpoint # API call
GET https://localhost:443/home # Home page from another container with React app
```

etc.
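The usual way to avoid restarting the API container on every renewal is to terminate TLS only in nginx and reverse-proxy to the API over the internal compose network, so the private key and the certificate files never have to be mounted into the api service at all. The following `app.conf` is an added example written for this question, not configuration from the original post. It assumes a placeholder domain `example.com` (replace with the real one), the certbot paths already mounted into the nginx container above, a compose service named `api` listening on 9002, and the React build in the `/var/www/app.com/public_html` volume from the post.

```nginx
# Added example (not from the original post): TLS is terminated here, the
# api container speaks plain HTTP on the compose network.
# Assumptions: domain example.com (placeholder), certbot volumes as mounted
# in the post, upstream service "api" on port 9002, React build served from
# /var/www/app.com/public_html (the frontend-webroot volume from the post).

# Port 80: answer the ACME HTTP-01 challenge from the shared certbot webroot
# and redirect everything else to HTTPS.
server {
    listen 80;
    server_name example.com;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name example.com;

    # Paths written by "certbot renew" into ./certbot/conf on the host.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Static React build served directly by nginx (SPA fallback to index.html).
    location / {
        root /var/www/app.com/public_html;
        try_files $uri $uri/ /index.html;
    }

    # REST API: proxied to the api container over the internal network.
    # With no URI part in proxy_pass the full path (/api/endpoint) is kept.
    # The api service needs no certificate volumes, no host port mapping and
    # no restart when certificates are renewed.
    location /api/ {
        proxy_pass http://api:9002;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With this layout the `api` service in the compose file can drop its two `./certbot/...` volumes and replace `ports: - "9002:9002"` with `expose: - "9002"`, so the API is reachable only through nginx on 443 (as `https://example.com/api/endpoint`) rather than on its own host port. The existing 6-hourly `nginx -s reload` loop is then the only place renewed certificates need to be picked up, and the private key stays confined to the single container that serves TLS.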