Deploying HTTPS with Docker

1. Obtaining a certificate (Alibaba Cloud)

  • Go to the Alibaba Cloud console
  • Click SSL certificate installation
  • In the left-hand menu, click SSL
  • Click "apply for free certificate" (the personal edition includes 20 free certificates)


  • After applying, click Create,
  • then submit the application again


  • Fill in the form as prompted; for the domain, it is best to enter the top-level domain you purchased


  • Download the nginx version of the certificate


  • Unzip it and upload it to the server

2. The HTTPS scheme

  • Listen on port 80 for the configured domain; when a request arrives on port 80, forward/redirect it to the HTTPS route, where it is matched
  • rewrite: the directive for internal rewriting/redirection. Its flags are:
  • redirect: temporary redirect. After the rewrite, the newly generated URL is returned directly to the client as a temporary redirect and the client re-issues the request; applies to relative paths and to targets starting with http:// or https://. Status code: 302
  • permanent: permanent redirect. The newly generated URL is returned directly to the client as a permanent redirect and the client issues a new request. Status code: 301
  • last: after this rewrite, stop processing the remaining rewrite directives in the current location, then start a new round of rewrite checks against the new URL. Not recommended inside a location block
  • break: after this rewrite, stop processing the remaining rewrite directives for the current URL in the current location, then continue directly with the configuration that follows the rewrite rules; this ends the loop. Recommended inside a location block

About $1:

$ ---> shell syntax
# example
name='dbj'
In the shell, to read the value of name you write $name; in other words, $name <---> 'dbj'

# $1
$1 ---> the content captured by the parentheses (the group) in the regular expression
For example, with www.0528.ltd/dbj.html, $1 is dbj.html
Another way to think of it: $1 is the route that follows the IP/host

Method 1: testing with the rewrite directive

server {
    listen 80;
    server_name 10.0.0.100;
    rewrite ^(.*) https://$server_name$1 permanent;
}
server {
    listen       443 ssl;
    server_name  10.0.0.100;

    ssl_certificate      /opt/tngx230/cert/7.pem;
    ssl_certificate_key  /opt/tngx230/cert/7.key;

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;
    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    location / {
        root   html;
        index  index.html index.htm;
    }
}

Method 2: using the return directive

server {
    listen 80;
    server_name 10.0.0.100;
    return 301 https://$server_name$request_uri;
}
server {
    listen       443 ssl;
    server_name  10.0.0.100;

    ssl_certificate      /opt/tngx230/cert/7.pem;
    ssl_certificate_key  /opt/tngx230/cert/7.key;

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;
    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    location / {
        root   html;
        index  index.html index.htm;
    }
}
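As an added example (not code from the original post), the following Python models how nginx builds the redirect target for the two port-80 blocks above, so the difference between $1 and $request_uri can be seen on concrete request lines. The server name 10.0.0.100 is the one used in the blocks; the request URIs are constructed. Two details the model makes visible: the regex ^(.*) is matched against the request path without its query string, so $1 carries the leading slash and nginx re-appends the original query string itself, whereas $request_uri is the raw request-line URI with the query already included; and $server_name is a configured constant, unlike $host, which is copied from the client's Host header. The host_redirect function is a hypothetical variant added here to show why a probe should compare the Location host against the configured name.

```python
import re
from urllib.parse import urlsplit

# server_name from the blocks above: a configured constant, not client input
SERVER_NAME = "10.0.0.100"


def rewrite_redirect(request_uri, server_name=SERVER_NAME):
    """Model of:  rewrite ^(.*) https://$server_name$1 permanent;

    nginx matches the regex against the request path (without the query
    string), so $1 is the whole path including its leading slash.  Because
    the replacement carries no arguments of its own, nginx appends the
    original query string to the result.
    """
    path, _, query = request_uri.partition("?")
    match = re.match(r"^(.*)", path)
    target = "https://" + server_name + match.group(1)
    if query:
        target += "?" + query
    return 301, target


def return_redirect(request_uri, server_name=SERVER_NAME):
    """Model of:  return 301 https://$server_name$request_uri;

    $request_uri is the original request-line URI, query string included,
    so nothing needs to be re-appended.
    """
    return 301, "https://" + server_name + request_uri


def host_redirect(request_uri, host_header):
    """Model of the common variant  return 301 https://$host$request_uri;
    (hypothetical alternative, not used on the page).  $host comes from the
    client's Host header, so the redirect follows whatever host the client sent.
    """
    return 301, "https://" + host_header + request_uri


def check_redirect(status, location, expected_host):
    """Defender-side check for an HTTP-to-HTTPS redirect response:
    permanent status, https scheme, and a Location host equal to the
    configured name rather than something copied from the request."""
    parts = urlsplit(location)
    return status in (301, 308) and parts.scheme == "https" and parts.netloc == expected_host


if __name__ == "__main__":
    # constructed request lines, not captured traffic
    for uri in ("/dbj.html", "/search?q=nginx&page=2"):
        print(uri, "->", rewrite_redirect(uri)[1], "|", return_redirect(uri)[1])
    status, loc = host_redirect("/dbj.html", "untrusted-host.test")
    print("host-reflecting variant passes check:", check_redirect(status, loc, SERVER_NAME))
```

For the request URIs above both page variants produce the same Location, which is why Method 2 is usually preferred: return needs no regex engine and no capture group, and $request_uri is exactly what the client sent.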

Method 3: for project deployment (monolithic project, front end and back end not separated)

server {
    listen 80;
    server_name 10.0.0.100;
    rewrite ^(.*) https://$server_name$1 permanent;
}
# upstream (load-balancing) configuration
upstream u_text {
    server 10.0.0.1:8081;
    #server 106.14.42.253:8082;
}
server {
    listen       443 ssl;
    server_name  10.0.0.100;

    ssl_certificate      /opt/tngx230/cert/7.pem;
    ssl_certificate_key  /opt/tngx230/cert/7.key;

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;
    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    location / {
        uwsgi_pass u_text;
        # if uwsgi is started in HTTP mode, use proxy_pass instead of uwsgi_pass:
        #proxy_pass  http://PUBLIC_ADDRESS:PROJECT_PORT;
        include /etc/nginx/uwsgi_params;
    }
    location /static {
        # alias maps /static onto this directory
        alias /opt/static;
    }
}

Method 4: multiple domains (untested)

server {
    listen 80;           # listen on port 80
    listen 443 ssl;      # listen on port 443 for SSL
    server_name blog.tandk.com;  # your own domain
    # note: relative certificate paths are resolved from /etc/nginx/
    ssl_certificate 1_blog.tandk.com_bundle.crt;
    ssl_certificate_key 2_blog.tandk.com.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    client_max_body_size 1024m;

    location / {
        proxy_set_header HOST $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # this is my Tencent Cloud internal address; for some reason 127.0.0.1 does not work...
        proxy_pass http://xx.xx.xx.xx:8080;
    }
}

server {
    listen 80;           # listen on port 80
    listen 443 ssl;      # listen on port 443 for SSL
    server_name mail.tandk.com;  # your own domain
    # note: relative certificate paths are resolved from /etc/nginx/
    ssl_certificate 1_mail.tandk.com_bundle.crt;
    ssl_certificate_key 2_mail.tandk.com.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    client_max_body_size 1024m;

    location / {
        proxy_set_header HOST $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # this is my Tencent Cloud internal address; for some reason 127.0.0.1 does not work...
        proxy_pass http://xx.xx.xx.xx:8181;
    }
}
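Two things in the blocks on this page are worth an automated check before they reach a server: Method 4 lists TLSv1 and TLSv1.1 in ssl_protocols and serves plain HTTP on port 80 from the same server block with no redirect, while Methods 1 to 3 leave ssl_protocols unset, so the versions actually offered depend on the default compiled into that nginx build. The following Python is an added example, not part of the original post: a minimal nginx directive parser plus an audit that reports those three conditions per server block. The configuration it scans is constructed inline and modelled on the page's blocks; the name blog.example.test and the addresses in it are placeholders.

```python
import re

# protocol versions that should no longer be offered
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def tokenize(text):
    """Split nginx config text into tokens: words, quoted strings, '{', '}', ';'.
    Comments (# to end of line) are dropped first; a '#' inside quotes is not
    handled, which is fine for server blocks like the ones on this page."""
    text = re.sub(r"#[^\n]*", "", text)
    return re.findall(r"'[^']*'|\"[^\"]*\"|[{};]|[^\s{};]+", text)


def parse_block(tokens, i=0):
    """Recursive-descent parse of a token list.  Returns (directives, next_index);
    each directive is (name, args, children) with children None for simple
    directives and a list for block directives such as server or location."""
    directives = []
    while i < len(tokens):
        if tokens[i] == "}":
            return directives, i + 1
        name, i = tokens[i], i + 1
        args = []
        while tokens[i] not in ("{", ";"):
            args.append(tokens[i])
            i += 1
        if tokens[i] == "{":
            children, i = parse_block(tokens, i + 1)
            directives.append((name, args, children))
        else:
            directives.append((name, args, None))
            i += 1
    return directives, i


def args_of(children, name):
    """All argument lists of directives called `name` inside one block."""
    return [args for dname, args, _ in children if dname == name]


def redirects_to_https(children):
    """True if the block has a return or rewrite whose target starts with https://."""
    for dname, args, _ in children:
        if dname in ("return", "rewrite") and len(args) >= 2 and args[1].startswith("https://"):
            return True
    return False


def audit_servers(config_text):
    """Return a list of (server_name, finding) for every top-level server block."""
    findings = []
    top_level, _ = parse_block(tokenize(config_text))
    for dname, _, children in top_level:
        if dname != "server" or children is None:
            continue
        label = " ".join(a for args in args_of(children, "server_name") for a in args) or "<no server_name>"
        listens = args_of(children, "listen")
        plain = [l for l in listens if "ssl" not in l]
        tls = [l for l in listens if "ssl" in l]
        if plain and not redirects_to_https(children):
            findings.append((label, "plain HTTP listener %s with no redirect to https" % " ".join(plain[0])))
        if tls:
            protocols = args_of(children, "ssl_protocols")
            if not protocols:
                findings.append((label, "ssl_protocols not set; effective default depends on nginx version"))
            else:
                legacy = sorted(LEGACY_PROTOCOLS & set(protocols[0]))
                if legacy:
                    findings.append((label, "legacy protocols enabled: " + " ".join(legacy)))
    return findings


# constructed sample modelled on the blocks above; hostnames and addresses are placeholders
SAMPLE_CONF = """
server {
    listen 80;
    server_name 10.0.0.100;
    return 301 https://$server_name$request_uri;
}
server {
    listen       443 ssl;
    server_name  10.0.0.100;
    ssl_certificate      /opt/nginx/cert/7.pem;
    ssl_certificate_key  /opt/nginx/cert/7.key;
    ssl_ciphers  HIGH:!aNULL:!MD5;
    location / { root html; }
}
server {
    listen 80;
    listen 443 ssl;
    server_name blog.example.test;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / { proxy_pass http://10.0.0.2:8080; }
}
"""

if __name__ == "__main__":
    for server, finding in audit_servers(SAMPLE_CONF):
        print("%-20s %s" % (server, finding))
```

Run it against the real default.conf before mounting it into the nginx container; a block that is only reached through the redirect pair (the Method 1 to 3 pattern) produces no plain-HTTP finding, while the Method 4 pattern produces one for every domain.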

P.S. Bonus: a Docker-based deployment of a monolithic project (front end and back end not separated) over HTTPS

Steps

# clone into /opt
git clone https://gitee.com/yqmc/u_text.git
# enter the project
cd u_text/
# edit uwsgi.ini for your setup (it must sit in the same directory as manage.py)
vim uwsgi.ini
# edit the Dockerfile for your setup (it must sit in the same directory as manage.py)
vim Dockerfile
# static file collection
vim u_text/settings.py
# uncomment this line (the path where Django collects static files)
STATIC_ROOT='/opt/static'
# collect the static files
python3 manage.py collectstatic
# build the image
docker build -t='u_t' .
# create the directories and files used as bind mounts (put your certificate into cert; it is mounted into the container)
mkdir -p /opt/nginx/conf /opt/nginx/logs /opt/nginx/cert
touch /opt/nginx/conf/nginx.conf
touch /opt/nginx/conf/default.conf
touch /opt/nginx/logs/error.log
touch /opt/nginx/logs/access.log
# edit nginx.conf
vim /opt/nginx/conf/nginx.conf
# edit the default server configuration
vim /opt/nginx/conf/default.conf
# start the application container
docker run -di --name=t1 -v /opt/u_text/:/opt/u_text -p 8081:8080 u_t
# start nginx
docker run --name=nginx -id -p 80:80 -p 443:443 -v /opt/nginx/conf/nginx.conf:/etc/nginx/nginx.conf -v /opt/nginx/conf/default.conf:/etc/nginx/conf.d/default.conf -v /opt/nginx/logs/error.log:/var/log/nginx/error.log -v /opt/nginx/logs/access.log:/var/log/nginx/access.log -v /opt/static:/opt/static -v /opt/nginx/cert:/opt/nginx/cert nginx

uwsgi.ini

[uwsgi]
socket=0.0.0.0:8080
chdir = /opt/u_text
wsgi-file = u_text/wsgi.py
processes = 4
threads = 2
master = True

Dockerfile

# base image: looked up on the host first, then pulled from the hub; an error if neither has it
FROM python:3.6
# author
MAINTAINER ymq
# expose the port (optional when -p is used for the mapping, but better to keep it)
EXPOSE 8080
# copy requirement.txt from the host into /home/ inside the container
ADD ./requirement.txt /home/
# commands executed while the image is built
RUN pip install -r /home/requirement.txt -i https://pypi.douban.com/simple/
RUN pip install uwsgi -i https://pypi.douban.com/simple/
# volume for persisting data so it survives the container dying (optional when -v is used, but better to keep it)
VOLUME ["/home"]
# working directory; WORKDIR is like cd
WORKDIR /opt/u_text
# command run when the container starts: launch Django under uwsgi
CMD ["uwsgi", "--ini", "uwsgi.ini"]

nginx configuration

  • nginx installed via Docker splits its configuration into separate files
  • logging is configured in nginx.conf
  • the server blocks live in default.conf
  • server_name may hold a domain name or an IP address

nginx.conf

user  nginx;
worker_processes  auto;
 
error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;
 
 
events {
    worker_connections  1024;
}
 
 
http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
 
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
 
    access_log  /var/log/nginx/access.log  main;
 
    sendfile        on;
    #tcp_nopush     on;
 
    keepalive_timeout  65;
 
    #gzip  on;
 
    include /etc/nginx/conf.d/*.conf;
}

default.conf

server {
    listen 80;
    server_name 10.0.0.100;
    rewrite ^(.*) https://$server_name$1 permanent;
}
# upstream (load-balancing) configuration
upstream u_text {
    server 10.0.0.1:8081;
    #server 106.14.42.253:8082;
}
server {
    listen       443 ssl;
    server_name  10.0.0.100;

    ssl_certificate      /opt/nginx/cert/7.pem;
    ssl_certificate_key  /opt/nginx/cert/7.key;

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;
    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    location / {
        uwsgi_pass u_text;
        # if uwsgi is started in HTTP mode, use proxy_pass instead of uwsgi_pass:
        #proxy_pass  http://PUBLIC_ADDRESS:PROJECT_PORT;
        include /etc/nginx/uwsgi_params;
    }
    location /static {
        # alias maps /static onto this directory
        alias /opt/static;
    }
}
