我正在使用docker-compose将Django / Nginx / Gunicorn Webapp部署到EC2实例。 EC2实例具有mywebapp.com / www.mywebapp.com指向的静态IP,我已经完成certbot验证(站点在HTTP上的端口80上工作),但现在尝试通过SSL进行工作。
现在,HTTP(包括加载静态文件)正在为我工作,而HTTPS动态内容(来自Django)正在工作,但静态文件却没有。我认为我的nginx配置很奇怪。
我尝试将location /static/块复制到nginx conf文件中的SSL服务器上下文中,但这导致SSL完全停止工作,而不仅仅是SSL上的静态文件。
这是最终的docker-compose.yml:
services:
certbot:
entrypoint: /bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h &
wait $${!}; done;'
image: certbot/certbot
volumes:
- /home/ec2-user/certbot/conf:/etc/letsencrypt:rw
- /home/ec2-user/certbot/www:/var/www/certbot:rw
nginx:
command: /bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done
& nginx -g "daemon off;"'
depends_on:
- web
image: xxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/xxxxxxxx:latest
ports:
- 80:80/tcp
- 443:443/tcp
volumes:
- /home/ec2-user/certbot/conf:/etc/letsencrypt:rw
- static_volume:/usr/src/app/public:rw
- /home/ec2-user/certbot/www:/var/www/certbot:rw
web:
entrypoint: gunicorn mywebapp.wsgi:application --bind 0.0.0.0:7000"
image: xxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/xxxxxxxx:latest
volumes:
- static_volume:/usr/src/app/public:rw
version: '3.0'
volumes:
static_volume: {}
nginx.prod.conf:
upstream mywebapp {
# web is the name of the service in the docker-compose.yml
# 7000 is the port that gunicorn listens on
server web:7000;
}
server {
listen 80;
server_name mywebapp;
location / {
proxy_pass http://mywebapp;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_redirect off;
}
location /static/ {
alias /usr/src/app/public/;
}
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
}
server {
# https://github.com/wmnnd/nginx-certbot/blob/master/data/nginx/app.conf
listen 443 ssl;
server_name mywebapp;
server_tokens off;
location / {
proxy_pass http://mywebapp;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# generated with help of certbot
ssl_certificate /etc/letsencrypt/live/mywebapp.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mywebapp.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
最后是Nginx服务Dockerfile:
FROM nginx:1.15.12-alpine
RUN rm /etc/nginx/conf.d/default.conf
COPY ./nginx.prod.conf /etc/nginx/conf.d
我只是构建,先推送到本地计算机上的ECR,然后docker-compose pull并在EC2实例上与docker-compose up -d一起运行。
我在docker-compose logs中看到的错误是:
nginx_1 | 2019/05/09 02:30:34 [error] 8#8: *1 connect() failed (111: Connection refused) while connecting to upstream, client: xx.xx.xx.xx, server: mywebapp, request: "GET / HTTP/1.1", upstream: "http://192.168.111.3:7000/", host: "ec2-xxx-xxx-xxx-xxx.compute-1.amazonaws.com"
我不确定发生了什么问题。我正在尝试使用生成和验证的证书在HTTPS下正确获取动态内容(gunicorn)和静态内容(来自:/ usr / src / app / public)。
有人知道我在做什么错吗?
答案 0 :(得分:1)
使用nginx -T检查您的配置文件-您看到正确的配置了吗?您的构建过程是否引入了正确的conf?
仅在远程计算机上进行调试很有帮助-docker-compose exec nginx sh进入内部并从那里和nginx -s reload调整conf。这将加快调试SSL问题的迭代周期。