I am using Docker, Nginx and Django. I want to secure my application with SSL, but it does not work. I obtained a valid certificate with certbot.
This is my nginx.conf file:
upstream app {
    server app:80;
}

server {
    listen 80;
    listen [::]:80;
    server_name mydomain.de;
    return 301 https://$server_name$request_uri;

    location ~ /.well-known/acme-challenge {
        allow all;
        root /var/www/certbot;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name mydomain.de;

    ssl_certificate /etc/nginx/ssl/live/mydomain.de/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/live/mydomain.de/privkey.pem;

    location / {
        proxy_pass https://app;
        # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # proxy_set_header Host $host;
        # proxy_redirect off;
    }

    location /staticfiles/ {
        alias /app/staticfiles/;
        add_header Access-Control-Allow-Origin *;

        location ~ /.well-known/acme-challenge {
            allow all;
            root /var/www/certbot;
        }
    }
}
And this is my docker-compose file:
version: '3.4'

services:
  app:
    image: django
    build:
      context: ./app
      dockerfile: Dockerfile
    env_file:
      - ./.env
    volumes:
      - ./app/:/app/
      - ./app/staticfiles/:/app/staticfiles
    command: gunicorn --bind 0.0.0.0:8000 --chdir /app/ Webserver.wsgi

  nginx:
    build: ./nginx
    ports:
      - 80:80
      - 433:433
    depends_on:
      - app
    volumes:
      - ./app/staticfiles/:/app/staticfiles
      - ./certbot/conf:/etc/nginx/ssl
      - ./certbot/data:/var/www/certbot

  db:
    image: postgres
    volumes:
      - postgres_data:/var/lib/postgresql/data/
    environment:
      POSTGRES_DB_PORT: "5432"
      POSTGRES_DB_HOST: "myhost"
      POSTGRES_PASSWORD: "mypw"
      POSTGRES_USER: myname
      POSTGRES_DB: dev_db

volumes:
  postgres_data:
If I try to open my website, all I get is the browser message "connection refused".
I have renamed sensitive information such as the domain name and the password.
Answer 0 (score: 0)
Below I provide an example of a working certbot nginx configuration:
server {
    # show half the users an optimized site, half the regular site
    # port 80 is served by the redirect server block below; a second
    # "listen 80;" here for the same server_name would make nginx ignore
    # that block, and the redirect would never fire
    gzip on;
    gzip_http_version 1.0;
    gzip_min_length 1100;
    gzip_buffers 4 32k;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 9;
    gzip_disable "MSIE [1-6]\.";
    gzip_types text/plain text/xml text/css
               text/comma-separated-values
               text/javascript
               application/x-javascript
               application/atom+xml;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;

    # side note: only use TLS since SSLv2 and SSLv3 have had recent vulnerabilities
    access_log /var/www/vhosts/mydomain.de/logs/access_log;
    error_log /var/www/vhosts/mydomain.de/logs/error_log;

    server_name 3dact.com www.mydomain.de;

    location ~* .+\.(xml|jpg|jpeg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|js|swf)$ {
        access_log off;
        expires 30d;
        break;
    }

    charset utf-8;
    root /var/www/vhosts/mydomain.de/public/dist;
    index index.html index.htm;

    location / {
        try_files $uri $uri/ /index.html;
    }

    # what to serve if upstream is not available or crashes
    error_page 500 502 503 504 /media/50x.html;

    location ~* .+\.(xml|jpg|jpeg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|js|swf)$ {
        root /var/www/vhosts/mydomain.de/public/dist;
        access_log off;
        expires 30d;
        add_header Pragma public;
        add_header Cache-Control "public";
        break;
    }

    location /dist {
        alias /var/www/vhosts/mydomain.de/public/dist;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/nginx/ssl/live/mydomain.de/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/nginx/ssl/live/mydomain.de/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = www.mydomain.de) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = mydomain.de) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name mydomain.de www.mydomain.de;
    return 404; # managed by Certbot
}
The first server block provides the actual locations and the certbot configuration; the second one is used by certbot for the domain redirect (www.). If you have mapped the volumes in docker-compose.yml correctly, this should work consistently when connecting. Also make sure that ports 80 and 443 are properly exposed outside the container.
In your docker-compose.yml:
nginx:
  build: ./nginx
  ports:
    - 80:80
    - 443:443   # host port 443 -> container port 443 (not 433)
  depends_on:
    - app
  volumes:
    - ./app/staticfiles/:/app/staticfiles
    - ./certbot/conf:/etc/nginx/ssl  # Make sure it maps into /etc/nginx/ssl/live/mydomain.de
    - ./certbot/data:/var/www/certbot
    - ./letsencrypt:/etc/letsencrypt  # This is where options-ssl-nginx.conf and ssl-dhparams.pem are located
If you do not have a local ./letsencrypt directory, or the files are located somewhere else, create the directory, copy the files into it and configure the mapping accordingly.
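The following script is an added example for this thread; it is neither the asker's nor the answerer's code. Before looking at certificates at all, it statically audits the two files such a stack depends on for the mismatches that produce "connection refused" or a broken proxy: a compose `ports:` entry that does not publish host port 443 to container port 443 (a `433:433` mapping leaves nothing listening on 443), an nginx `upstream app { server app:PORT; }` port that differs from the port gunicorn binds with `--bind`, and a `proxy_pass https://app` pointing at a gunicorn that serves plain HTTP. The compose and nginx.conf samples it writes to a temporary directory are constructed to mirror the shapes seen in the question and a corrected version; the service name `app`, the file names and the assumption that gunicorn terminates no TLS are assumptions of the example.

```shell
#!/bin/sh
# Added example (not code from the thread): static audit of a compose file and
# an nginx.conf for the port/scheme mismatches that cause "connection refused"
# on https before any certificate is involved. Sample inputs are constructed.
set -u

# Exit 0 when the compose file publishes host port $2 to container port $2.
# Accepts "- 443:443", "- \"443:443\"" and "- 0.0.0.0:443:443".
check_published_port() {
  grep -Eq "^[[:space:]]*-[[:space:]]*\"?([0-9.]+:)?$2:$2(/tcp)?\"?[[:space:]]*$" "$1"
}

# Port gunicorn binds inside the app container, read from its command: line.
gunicorn_bind_port() {
  sed -n 's/.*--bind[[:space:]]*[0-9.]*:\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Port nginx forwards to, read from "server app:PORT;" in the upstream block.
upstream_port() {
  sed -n 's/^[[:space:]]*server[[:space:]]*app:\([0-9][0-9]*\);.*/\1/p' "$1" | head -n 1
}

# Scheme used in "proxy_pass http(s)://app".
proxy_scheme() {
  sed -E -n 's/.*proxy_pass[[:space:]]+(https?):\/\/app.*/\1/p' "$1" | head -n 1
}

# Prints "ok" when the upstream port equals the gunicorn port, else "mismatch".
check_upstream() {
  up="$(upstream_port "$1")"; bind="$(gunicorn_bind_port "$2")"
  if [ -n "$up" ] && [ "$up" = "$bind" ]; then echo ok; else echo mismatch; fi
}

# Runs every check on one compose file and one nginx.conf; the last line it
# prints is the problem count, so callers can tail it.
audit() {
  compose="$1"; nginx_conf="$2"; problems=0
  for p in 80 443; do
    if check_published_port "$compose" "$p"; then
      echo "host port $p -> container port $p: published"
    else
      echo "host port $p is not published (clients get 'connection refused')"
      problems=$((problems + 1))
    fi
  done
  if [ "$(check_upstream "$nginx_conf" "$compose")" = ok ]; then
    echo "nginx upstream port matches the gunicorn --bind port"
  else
    echo "nginx upstream port '$(upstream_port "$nginx_conf")' != gunicorn bind port '$(gunicorn_bind_port "$compose")'"
    problems=$((problems + 1))
  fi
  if [ "$(proxy_scheme "$nginx_conf")" = https ]; then
    echo "proxy_pass uses https:// but gunicorn serves plain HTTP; use http://app"
    problems=$((problems + 1))
  fi
  echo "problems found: $problems"
}

TMP="$(mktemp -d)"

# Constructed sample: the shape of the configuration in the question.
cat > "$TMP/broken-compose.yml" <<'EOF'
services:
  app:
    command: gunicorn --bind 0.0.0.0:8000 --chdir /app/ Webserver.wsgi
  nginx:
    ports:
      - 80:80
      - 433:433
EOF
cat > "$TMP/broken-nginx.conf" <<'EOF'
upstream app {
    server app:80;
}
server {
    listen 443 ssl;
    location / {
        proxy_pass https://app;
    }
}
EOF

# Constructed sample: the same two files with all three mismatches corrected.
cat > "$TMP/fixed-compose.yml" <<'EOF'
services:
  app:
    command: gunicorn --bind 0.0.0.0:8000 --chdir /app/ Webserver.wsgi
  nginx:
    ports:
      - "80:80"
      - "443:443"
EOF
cat > "$TMP/fixed-nginx.conf" <<'EOF'
upstream app {
    server app:8000;
}
server {
    listen 443 ssl;
    location / {
        proxy_pass http://app;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
EOF

echo "== layout from the question =="; audit "$TMP/broken-compose.yml" "$TMP/broken-nginx.conf"
echo "== corrected layout ==";         audit "$TMP/fixed-compose.yml" "$TMP/fixed-nginx.conf"
```

Once the audit is clean, confirm the live stack the same way: `docker compose ps` shows the published host ports, `docker compose exec nginx nginx -t` validates the configuration inside the container, and `openssl s_client -connect mydomain.de:443 -servername mydomain.de` shows whether the handshake completes and which chain is served. Because TLS now ends at nginx, set `SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")` in the Django settings so that `request.is_secure()` trusts the `X-Forwarded-Proto` header the corrected sample sets, and only set it when nginx is the sole path to gunicorn, since any client that can reach port 8000 directly could forge that header.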