Preface
The site was originally served over http://aito.eu.org; it now needs to support https://.
Certbot is a tool developed by the EFF that automates obtaining free SSL/TLS certificates from Let's Encrypt.
Docker Nginx
```yaml
version: '3'
services:
  nginx:
    image: nginx:latest
    container_name: nginx
    restart: always
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /home/docker/nginx/certbot:/etc/nginx/cert
      - /home/docker/nginx/conf.d:/etc/nginx/conf.d
      - /home/docker/nginx/logs:/var/log/nginx
      - /home/docker/nginx/html:/usr/share/nginx/html
      - /home/docker/nginx/ssl:/etc/nginx/ssl
    networks:
      - basic_net
networks:
  basic_net:
    driver: bridge
```
Or run it directly:
```shell
docker run -d \
  --name nginx \
  --restart always \
  -p 80:80 \
  -p 443:443 \
  -v /home/docker/nginx/certbot:/etc/nginx/cert \
  -v /home/docker/nginx/conf.d:/etc/nginx/conf.d \
  -v /home/docker/nginx/logs:/var/log/nginx \
  -v /home/docker/nginx/html:/usr/share/nginx/html \
  -v /home/docker/nginx/ssl:/etc/nginx/ssl \
  nginx:latest
```
- Configure the certbot challenge directory in nginx

```shell
vi /home/docker/nginx/conf.d/default.conf
```
```nginx
server {
    listen 80;
    #listen 443 ssl;
    #server_name aito.eu.org ;
    index index.html index.php index.htm;
    error_page 400 /errpage/400.html;
    error_page 403 /errpage/403.html;
    error_page 404 /errpage/404.html;
    error_page 503 /errpage/503.html;
    # With "root", the request URI is appended to the path, so a challenge token is
    # read from /usr/share/nginx/html/certbot/.well-known/acme-challenge/<token>
    location /.well-known/acme-challenge/ {
        root /usr/share/nginx/html/certbot/ ;
    }
    location / {
        return 444;
    }
}
```

```shell
docker restart nginx
```
Docker Certbot
- Run certbot for the first time to obtain the certificate
```shell
docker run -it --rm --name certbot \
  -v "/home/docker/nginx/certbot/etc/letsencrypt:/etc/letsencrypt" \
  -v "/home/docker/nginx/certbot/var/lib/letsencrypt:/var/lib/letsencrypt" \
  -v "/home/docker/nginx/html/certbot:/data/letsencrypt" \
  certbot/certbot certonly \
  --webroot \
  --webroot-path=/data/letsencrypt \
  --agree-tos -d aito.eu.org
```
Note: the challenge files are written under /data/letsencrypt, which is mapped to /home/docker/nginx/html/certbot on the host; the nginx location must point at that same directory.
Certificate issued successfully
```text
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/aito.eu.org/fullchain.pem
Key is saved at: /etc/letsencrypt/live/aito.eu.org/privkey.pem
This certificate expires on 2025-06-07.
These files will be updated when the certificate renews.
```
nginx SSL configuration
```nginx
server {
    listen 80;
    listen 443 ssl;
    server_name aito.eu.org ;
    # /etc/nginx/cert is the container mount of /home/docker/nginx/certbot
    ssl_certificate /etc/nginx/cert/etc/letsencrypt/live/aito.eu.org/fullchain.pem;
    ssl_certificate_key /etc/nginx/cert/etc/letsencrypt/live/aito.eu.org/privkey.pem;
    ssl_session_timeout 15m;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); current clients only need TLSv1.2 TLSv1.3
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    index index.html index.php index.htm;
    error_page 400 /errpage/400.html;
    error_page 403 /errpage/403.html;
    error_page 404 /errpage/404.html;
    error_page 503 /errpage/503.html;
    # Keep the challenge location so renewals keep working over port 80
    location /.well-known/acme-challenge/ {
        root /usr/share/nginx/html/certbot/ ;
    }
    location / {
        proxy_pass http://172.17.0.1:8080/;
        proxy_set_header Host $host;
        proxy_set_header User-Agent $http_user_agent;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```
Renewing the certificate (renew)
The certificate is valid for only 90 days. Replace `certonly` and everything after it with `renew`, and certbot renews all certificates automatically; add it to a scheduled task so the certificates are renewed once a week.

```shell
docker run -it --rm --name certbot \
  -v "/home/docker/nginx/certbot/etc/letsencrypt:/etc/letsencrypt" \
  -v "/home/docker/nginx/certbot/var/lib/letsencrypt:/var/lib/letsencrypt" \
  -v "/home/docker/nginx/html/certbot:/data/letsencrypt" \
  certbot/certbot renew
# restart nginx so it picks up the new certificate
docker restart nginx
```

Scheduled task
Renew once every Monday:

```shell
2 2 * * 1 /home/docker/nginx-cerbot-renew/cer_update.sh
```
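The cron line above calls a cer_update.sh that the post does not show. Below is an example of such a script, added here and not the author's: it runs the same renew command with the post's paths, then reloads nginx only if fullchain.pem actually changed. The DOCKER, NGINX_CONTAINER, DOMAIN, CERT_ROOT and WEBROOT overrides are assumptions (DOCKER=echo gives a dry run).

```shell
#!/bin/sh
# Example cer_update.sh for the weekly cron job (constructed; not the author's
# script). Paths are the post's; the environment overrides are assumptions.
set -eu

DOCKER="${DOCKER:-docker}"
NGINX_CONTAINER="${NGINX_CONTAINER:-nginx}"
DOMAIN="${DOMAIN:-aito.eu.org}"
CERT_ROOT="${CERT_ROOT:-/home/docker/nginx/certbot}"
WEBROOT="${WEBROOT:-/home/docker/nginx/html/certbot}"

# POSIX cksum of the live fullchain.pem (a symlink certbot repoints on renewal);
# empty if no certificate has been issued yet. Used only to detect a change.
cert_checksum() {
    f="$CERT_ROOT/etc/letsencrypt/live/$DOMAIN/fullchain.pem"
    if [ -f "$f" ]; then cksum < "$f" | cut -d' ' -f1; fi
}

# Same mounts as the first issuance. No -it: cron has no terminal, and -t
# would abort with "the input device is not a TTY".
renew_certs() {
    "$DOCKER" run --rm --name certbot \
        -v "$CERT_ROOT/etc/letsencrypt:/etc/letsencrypt" \
        -v "$CERT_ROOT/var/lib/letsencrypt:/var/lib/letsencrypt" \
        -v "$WEBROOT:/data/letsencrypt" \
        certbot/certbot renew --quiet
}

# Validate the config, then reload: nginx re-reads the certificate files
# without dropping open connections, unlike `docker restart`.
reload_nginx() {
    "$DOCKER" exec "$NGINX_CONTAINER" nginx -t
    "$DOCKER" exec "$NGINX_CONTAINER" nginx -s reload
}

main() {
    before=$(cert_checksum)
    renew_certs
    after=$(cert_checksum)
    if [ "$before" != "$after" ]; then
        reload_nginx
        echo "$DOMAIN: certificate renewed, nginx reloaded"
    else
        echo "$DOMAIN: certificate not yet due for renewal"
    fi
}
# Run only when invoked as the script itself, so the functions can be sourced.
case "$0" in *cer_update.sh) main ;; esac
```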
Blocking access by IP
nginx's 444 closes the connection outright and returns nothing, not even HTTP headers.

```nginx
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl;
    server_tokens off;
    # A certificate is still needed so the TLS handshake can complete before the connection is closed
    ssl_certificate /etc/nginx/cert/etc/letsencrypt/live/xxx.com/fullchain.pem;
    ssl_certificate_key /etc/nginx/cert/etc/letsencrypt/live/xxx.com/privkey.pem;
    # When a user accesses the site by IP, drop the connection immediately
    return 444;
}
```

This 444 is specific to nginx and very useful: it keeps people with bad intentions from viewing my site through its IP address. I only want to see it myself.
Last updated on 2025-03-17