解释:

tag-icon tag-icon nginx amazon-web-services docker elastic-beanstalk
解释:

我在 AWS EB 上运行多 Docker。设置如下:

Dockerrun.aws.json(xxx 作为域的占位符。该应用程序不安全)

{
  "AWSEBDockerrunVersion": 2,
  "volumes": [
    {
      "name": "nginx-conf",
      "host": {
        "sourcePath": "/var/app/current/nginx.conf"
      }
    },
    {
      "name": "nginx-cert-conf",
      "host": {
        "sourcePath": "/var/app/current/nginx.cert.conf"
      }
    },
    {
      "name": "cert-bot-lib",
      "host": {
        "sourcePath": "/var/app/current/django_project/certbot"
      }
    },
    {
      "name": "lets-encrypt",
      "host": {
        "sourcePath": "/var/app/current/django_project/certs"
      }
    },
    {
      "name": "cert-challenge",
      "host": {
        "sourcePath": "/var/app/current/django_project/cert_challenge"
      }
    }
  ],
  "containerDefinitions": [{
      "name": "web-app",
      "image": "xxx",
      "command": [
        "…"
      ],
      "essential": true,
      "memory": 1000,
      "mountPoints": [
      ]
    },
    {
      "name": "channels-app",
      "image": "xxx",
      "command": [
        "…"
      ],
      "essential": true,
      "memory": 1000,
      "mountPoints": [
      ]
    },
    {
      "name": "nginx-proxy",
      "image": "nginx",
      "essential": false,
      "memory": 500,
      "portMappings": [{
        "hostPort": 443,
        "containerPort": 443
      }],
      "links": ["web-app", "channels-app"],
      "mountPoints": [{
          "sourceVolume": "nginx-conf",
          "containerPath": "/etc/nginx/conf.d/default.conf",
          "readOnly": true
        },
        {
          "sourceVolume": "lets-encrypt",
          "containerPath": "/etc/ssl/certs",
          "readOnly": true
        }
      ]
    },
    {
      "name": "nginx-cert-proxy",
      "image": "nginx",
      "essential": true,
      "memory": 250,
      "portMappings": [{
        "hostPort": 80,
        "containerPort": 80
      }],
      "mountPoints": [{
          "sourceVolume": "nginx-cert-conf",
          "containerPath": "/etc/nginx/conf.d/default.conf",
          "readOnly": true
        },
        {
          "sourceVolume": "cert-challenge",
          "containerPath": "/cert_challenge",
          "readOnly": true
        }
      ]
    },
    {
      "name": "certbot",
      "image": "yspreen/certbot-bash",
      "command": [
        "-c",
        "(([ -d /etc/letsencrypt/live ] && certbot renew --staging --webroot --register-unsafely-without-email --agree-tos --no-eff-email --webroot-path=/cert_challenge) || certbot certonly --staging --webroot --register-unsafely-without-email --agree-tos --no-eff-email --webroot-path=/cert_challenge -d xxx) && cp -Lr /etc/letsencrypt/live /etc/letsencrypt/live_cp"
      ],
      "essential": false,
      "memory": 250,
      "mountPoints": [{
          "sourceVolume": "lets-encrypt",
          "containerPath": "/etc/letsencrypt",
          "readOnly": false
        },
        {
          "sourceVolume": "cert-challenge",
          "containerPath": "/cert_challenge",
          "readOnly": false
        },
        {
          "sourceVolume": "cert-bot-lib",
          "containerPath": "/var/lib/letsencrypt",
          "readOnly": false
        }
      ]
    }
  ]
}

nginx.conf

upstream djangomain {
    server web-app:8000;
}

upstream djangochannels {
    server channels-app:8001;
}

server {
    server_name xxx;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_tokens off;
    disable_symlinks off;

    ssl on;

    ssl_buffer_size 8k;
    ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;

    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

    ssl_ecdh_curve secp384r1;
    ssl_session_tickets off;

    ## OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 1.0.0.1;

    ssl_certificate /etc/ssl/certs/live_cp/xxx/fullchain.pem;
    ssl_certificate_key /etc/ssl/certs/live_cp/xxx/privkey.pem;


    location /ws/ {
        proxy_pass         http://djangochannels/;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection "upgrade";
        proxy_redirect     off;
    }
    location /static/ {
        alias /static_root/;
        autoindex on;
    }
    location / {
        proxy_pass         http://djangomain/;
        proxy_redirect     off;
        proxy_set_header   Host $host;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Host $server_name;
    }
}

nginx.cert.conf

server {
    listen      80;
    listen [::]:80;
    server_name  localhost;

    location ~ /.well-known/acme-challenge {
        allow all;
        root /cert_challenge;
    }
    location / {
        rewrite ^ https://$host$request_uri? permanent;
    }
}

解释:

密钥文件需要由容器创建certbot。为此,挑战被放置在cert-challenge卷中并由nginx-cert-proxy容器公开。这有效。

不起作用的是将证书应用到容器nginx-proxy。它失败并出现以下错误:

nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/conf.d/default.conf:17
nginx: [emerg] BIO_new_file("/etc/ssl/certs/live_cp/xxx/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/ssl/certs/live_cp/xxx/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

现在简单的解释就是出现了一些拼写错误,或者 nginx 因来自 certbot 的符号链接而出现混乱。

但是我已将其更改nginx.conf为默认值,在容器内启动了 bash,并且 ls 显示:

root@a58f8e87ca:/# ls /etc/ssl/certs/live_cp/xxx/fullchain.pem -lAh
-rw-r--r-- 1 root root 3.8K Oct 25 21:43 /etc/ssl/certs/live_cp/xxx/fullchain.pem

所以文件存在。至于符号链接,它绝对不是链接,而是一个实际文件。修改后的 certbot 映像允许添加复制命令,因为入口点是bash

我完全糊涂了。为什么 nginx 无法读取该文件?

答案1

事实证明这是一个时间问题。

当所有容器同时启动时,证书在 nginx 查找之前不会生成。当我手动进入容器进行检查时,它们已经同时生成并且正常工作。所以这是一个添加

until [ -f $cert ]; do sleep 1; done

在 nginx 运行命令之前。

我没有想到这一点,因为我忘记了每次运行安装程序时证书都会被删除。
我测试它的方式是通过 EB CLI 的部署命令。这每次都会创建一个新版本的应用程序,导致存储被刷新。

相关内容