Deploying Docker on Windows 11 and using docker-compose, I am trying to enable SSL certificates for my setup. I want to enable nginx as a reverse proxy so that it allows secure WebSockets (wss://) and redirects them to my web server container. Below I show the files.

System structure:

docker-compose.yml file:
```yaml
version: "3.8"
services:
  reverse-proxy:
    env_file:
      - .env
    container_name: Proxy-Server
    image: jwilder/nginx-proxy:alpine
    restart: always
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - ${LH_CERTBOT}:/etc/nginx/certs:ro
    ports:
      - "${LH_HOST_MACHINE_UNSECURE_HOST_PORT:-80}:80"
      - "${LH_HOST_MACHINE_SECURE_HOST_PORT:-443}:443"
    depends_on:
      - webserver
      - phpmyadmin
    networks:
      - lamp-network
    extra_hosts:
      - "${LH_WEB_SERVER_DOMAIN}:127.0.0.1"
      - "${LH_PHPMYADMIN_DOMAIN}:127.0.0.1"
    environment:
      - DEFAULT_HOST=${LH_WEB_SERVER_DOMAIN}
      - TRUST_DOWNSTREAM_PROXY=true
      - ENABLE_WEBSOCKETS=true
    labels:
      - "lh2.setup.description=Proxy Server"
      - "lh2.setup.role=reverse-proxy"
  certbot:
    env_file:
      - .env
    container_name: SSL-Generator
    build:
      context: ./bin/certbot
    volumes:
      - ${LH_CERTBOT}:/etc/app/update-ssl.sh
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - DOCKER_HOST=unix:///var/run/docker.sock
    depends_on:
      - reverse-proxy
    networks:
      - lamp-network
  webserver:
    env_file:
      - .env
    container_name: ${LH_SYSTEM_NAME}-Web-Server
    build:
      context: ./bin/${LH_PHP_ENVIRONMENT}
    restart: always
    expose:
      - 80
      - 443
    networks:
      - lamp-network
    depends_on:
      - database
    volumes:
      - ${LH_PROJECT_ROOT}:/var/www/html:rw
      - ${LH_PROJECT_ROOT}${LH_DOCUMENT_ROOT}:/var/www/html/public:rw
      - ${LH_VHOSTS_DIR}:/etc/apache2/sites-enabled
      - ${LH_PHP_INI}:/usr/local/etc/php/php.ini
      - ${LH_LOG_DIR}:/var/log/apache2
      - ${LH_LOG_CRON}:/var/log/cron
    environment:
      LH_WEB_MASTER: ${LH_WEB_MASTER}
      VIRTUAL_HOST: ${LH_WEB_SERVER_DOMAIN}
      LH_APACHE_DOCUMENT_ROOT: ${LH_APACHE_DOCUMENT_ROOT}
      LH_DOCUMENT_ROOT: ${LH_DOCUMENT_ROOT}
      HOST_MACHINE_MYSQL_PORT: ${LH_HOST_MACHINE_MYSQL_PORT}
      MYSQL_DATABASE: ${LH_MYSQL_DATABASE}
      MYSQL_ROOT_PASSWORD: ${LH_MYSQL_ROOT_PASSWORD}
      MYSQL_USER: ${LH_MYSQL_USER}
      MYSQL_PASSWORD: ${LH_MYSQL_PASSWORD}
    extra_hosts:
      - "host.docker.internal:host-gateway"
    labels:
      - "lh2.setup.description=Web Server"
      - "lh2.setup.role=webserver"
  ...
networks:
  lamp-network:
    name: lamp-network
    driver: bridge
```
In my Dockerfile:

```dockerfile
FROM certbot/certbot
CMD chmod +x /etc/app/update-ssl.sh && ./etc/app/update-ssl.sh
```
What I want to do:

My main idea is to set up certbot and, once certbot has fully started, share the interaction between the containers: use the file /etc/app/update-ssl.sh to perform the certificate generation, and then restart the nginx service in the reverse-proxy container so that it reads and picks up the SSL certificates.
The error I get:

Even though the certbot container is built, it cannot start, and the logs show this error:

```
2023-09-25 16:09:10 usage:
2023-09-25 16:09:10   certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
2023-09-25 16:09:10
2023-09-25 16:09:10 Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
2023-09-25 16:09:10 it will attempt to use a webserver both for obtaining and installing the
2023-09-25 16:09:10 certificate.
2023-09-25 16:09:10 certbot: error: unable to open config file: chmod +x /etc/app/update-ssl.sh && ./etc/app/update-ssl.sh. Error: No such file or directory
```
Expected:

Although the error is related to mounting and executing the file, fixing it does not guarantee that my script /etc/app/update-ssl.sh will run the way I expect:

File /etc/app/update-ssl.sh:
```sh
#!/bin/sh
# Define variables
WEB_ROOT="${LH_PROJECT_ROOT}${LH_DOCUMENT_ROOT}"

# Run Certbot to obtain the SSL certificate (webroot challenge).
# --non-interactive: there is no TTY at container start, so certbot must not prompt.
certbot certonly --webroot --webroot-path="$WEB_ROOT" --email "${LH_WEB_MASTER}" \
  --agree-tos --non-interactive -d "${LH_WEB_SERVER_DOMAIN}" -d "${LH_PHPMYADMIN_DOMAIN}"

# Check if the certificate was obtained successfully
if [ $? -eq 0 ]; then
  echo "Certificate obtained successfully. Reloading Nginx in the reverse-proxy container..."
  # Reload Nginx in the proxy container. The container is named Proxy-Server in
  # docker-compose.yml ("reverse-proxy" is only the service name). No -it flags:
  # there is no terminal attached when this script runs at container start.
  # This needs the docker CLI inside this container and access to docker.sock.
  docker exec Proxy-Server nginx -s reload
else
  echo "Certificate acquisition failed."
fi

# Keep the container running and renew periodically in the foreground
# (a backgrounded renew followed by a bare exec would let the container exit).
while true; do
  sleep 12h
  certbot renew --quiet && docker exec Proxy-Server nginx -s reload
done
```
In short, I don't even know whether what I have done works, or whether I have been implementing the SSL certificate wrongly from the very beginning.
Questions:

Am I going about this the right way for it to work as expected? (Suggestions: yes/no.) How do I fix the error of mounting the .sh file so that CMD runs it (when the container starts)? Although I haven't tried the /etc/app/update-ssl.sh script file yet, I'm not clear whether it can achieve the purpose of restarting the nginx service in a separate container.
Final goal: enable WebSockets in a LAMP + reverse proxy environment in Docker, for developing subsystems such as chat, notifications, real-time product inventory statistics, etc.
Context: before publishing this post I did my best to exhaust my research; the posts on this site, on the English site, and even on other sites do not focus on the situation I am presenting, so the progress I have made is a mix of several setups.
- UPDATE -

I have kept investigating this and, from the results, it seems I have managed to install the certificate; at least I haven't lost access over port 80, but now it gives me an error 500 that I can't find in the error log. At this point I have updated the setup, and the docker-compose.yaml environment configuration is no longer the same:
```yaml
version: "3.8"
services:
  reverse-proxy:
    env_file:
      - .env
    container_name: Proxy-Server
    image: nginxproxy/nginx-proxy
    restart: always
    volumes:
      - conf:/etc/nginx/conf.d
      - certs:/etc/nginx/certs
      - vhost:/etc/nginx/vhost.d
      - html:/usr/share/nginx/html
      - dhparam:/etc/nginx/dhparam
      - /var/run/docker.sock:/tmp/docker.sock:ro
    ports:
      - "${LH_HOST_MACHINE_UNSECURE_HOST_PORT:-80}:80"
      - "${LH_HOST_MACHINE_SECURE_HOST_PORT:-443}:443"
    depends_on:
      - webserver
      - phpmyadmin
    networks:
      - lamp-network
    environment:
      - TRUST_DOWNSTREAM_PROXY=true
      - ENABLE_WEBSOCKETS=true
    labels:
      com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true"
    privileged: true
  nginx-ssl:
    env_file:
      - .env
    container_name: SSL-Generator
    image: nginxproxy/acme-companion
    volumes:
      - certs:/etc/nginx/certs
      - acme:/etc/acme.sh
      - vhost:/etc/nginx/vhost.d
      - dhparam:/etc/nginx/dhparam
      - html:/usr/share/nginx/html
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      NGINX_PROXY_CONTAINER: Proxy-Server
      DEFAULT_EMAIL: ${LH_WEB_MASTER}
    depends_on:
      - reverse-proxy
    networks:
      - lamp-network
  webserver:
    env_file:
      - .env
    container_name: ${LH_SYSTEM_NAME}-Web-Server
    build:
      context: ./bin/${LH_PHP_ENVIRONMENT}
    restart: always
    expose:
      - 80
      - 443
    networks:
      - lamp-network
    depends_on:
      - database
    volumes:
      - ${LH_PROJECT_ROOT}:/var/www/html:rw
      - ${LH_PROJECT_ROOT}${LH_DOCUMENT_ROOT}:/var/www/html/public:rw
      - ${LH_VHOSTS_DIR}:/etc/apache2/sites-enabled
      - ${LH_PHP_INI}:/usr/local/etc/php/php.ini
      - ${LH_LOG_DIR}:/var/log/apache2
      - ${LH_LOG_CRON}:/var/log/cron
    environment:
      VIRTUAL_HOST: ${LH_WEB_SERVER_DOMAIN}
      LETSENCRYPT_HOST: ${LH_WEB_SERVER_DOMAIN}
      LH_WEB_MASTER: ${LH_WEB_MASTER}
      LH_APACHE_DOCUMENT_ROOT: ${LH_APACHE_DOCUMENT_ROOT}
      LH_DOCUMENT_ROOT: ${LH_DOCUMENT_ROOT}
      HOST_MACHINE_MYSQL_PORT: ${LH_HOST_MACHINE_MYSQL_PORT}
      MYSQL_DATABASE: ${LH_MYSQL_DATABASE}
      MYSQL_ROOT_PASSWORD: ${LH_MYSQL_ROOT_PASSWORD}
      MYSQL_USER: ${LH_MYSQL_USER}
      MYSQL_PASSWORD: ${LH_MYSQL_PASSWORD}
    extra_hosts:
      - "host.docker.internal:host-gateway"
    labels:
      - "lh2.setup.description=Web Server"
      - "lh2.setup.role=webserver"
  ...
  phpmyadmin:
    env_file:
      - .env
    container_name: ${LH_SYSTEM_NAME}-phpmyadmin
    image: phpmyadmin/phpmyadmin
    restart: always
    expose:
      - 80
      - 443
    depends_on:
      - database
    environment:
      VIRTUAL_HOST: ${LH_PHPMYADMIN_DOMAIN}
      LETSENCRYPT_HOST: ${LH_PHPMYADMIN_DOMAIN}
      PMA_HOST: database
      PMA_PORT: 3306
      PMA_USER: root
      PMA_PASSWORD: ${LH_MYSQL_ROOT_PASSWORD}
      MYSQL_ROOT_PASSWORD: ${LH_MYSQL_ROOT_PASSWORD}
      MYSQL_USER: ${LH_MYSQL_USER}
      MYSQL_PASSWORD: ${LH_MYSQL_PASSWORD}
      UPLOAD_LIMIT: ${LH_UPLOAD_LIMIT}
      MEMORY_LIMIT: ${LH_MEMORY_LIMIT}
    volumes:
      - /sessions
      - ${LH_PHP_INI}:/usr/local/etc/php/conf.d/php-phpmyadmin.ini
    networks:
      - lamp-network
    labels:
      - "lh2.setup.description=phpMyAdmin"
      - "lh2.setup.role=phpmyadmin"
  ...
volumes:
  vhost:
  html:
  certs:
  acme:
  conf:
  dhparam:
networks:
  lamp-network:
    name: lamp-network
    driver: bridge
```
Actual situation:

I am trying to anchor the communication between the reverse proxy, the web server and the phpMyAdmin containers through Docker's internal network... by implementing VIRTUAL_HOST. I do believe that in the container running Apache, although port 443 is open, Apache is not configured to do anything with it; I had already added this virtual host's configuration to this post earlier. Keep in mind that I am doing all of this from the YAML file and I am looking for a way to avoid the terminal... for installation automation reasons. Right now all of this revolves around consuming WebSockets; I don't see a way to anchor the SSL certificate to both the proxy and the web server. I thought the idea was to use SSL only on the proxy and let it talk to the containers only over port 80... but the mistake I have made now, and the price I am paying for it, is that I also want to use port 443 of the web server container, and therefore phpMyAdmin's port as well... and to establish compatibility with a future production environment, if they implement it.