网站均运行在 Docker 容器中,希望通过在主机上安装 Nginx 作为反向代理实现对容器中站点的 http 和 https 反向代理访问。从 Let‘s encrypt 获取证书。

各容器映射到主机的端口按顺序使用 10000+

certbot 获取 ssl 证书

sudo certbot certonly --manual

另一种配置方法

http

server {
    listen 80;
    server_name www.abc.fun;

    location / {
        proxy_pass  http://127.0.0.1:10000;
        proxy_redirect     off;
        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
    }
}

https

server {
    listen 443;
    server_name www.abc.fun;

    ssl_certificate           /etc/letsencrypt/live/www.abc.fun/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/www.abc.fun/privkey.pem;

    ssl on;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    location / {
      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;

      # Fix the “It appears that your reverse proxy set up is broken" error.
      proxy_pass          http://127.0.0.1:10000;
      proxy_read_timeout  90;

      #proxy_redirect      http://localhost:8080 https://jenkins.domain.com;
    }
}

Nginx 配置策略

一级域名和二级域名分别创建配置文件,例如,to8.cn.confwww.to8.cn.conf

每个配置文件中同时设置 httphttps 的内容。

Nginx 站点配置示例

配置文件 /etc/nginx/conf.d/www.to8.cn.conf

server {
    listen        80;
    server_name   www.to8.cn;

    rewrite ^(.*) https://www.to8.cn$1 permanent;
}

server {
    listen       443 ssl;
    server_name  www.to8.cn;

    ssl on;
    ssl_certificate /etc/letsencrypt/live/www.to8.cn/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.to8.cn/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location / {
        proxy_set_header X-Real-IP  $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:10001;
    }
}

配置文件 /etc/nginx/conf.d/to8.cn.conf

server {
    listen        80;
    server_name   to8.cn;

    rewrite ^(.*) https://www.to8.cn$1 permanent;
}

server {
    listen       443 ssl;
    server_name  to8.cn;

    ssl on;
    ssl_certificate /etc/letsencrypt/live/to8.cn/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/to8.cn/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    rewrite ^(.*) https://www.to8.cn$1 permanent;
}

存在的问题

由于 docker 容器只将 80 端口映射到主机,虽然主机可以通过反向代理获取 ssl 证书,但网站在访问时经常会由于页面混杂着 http 的内容而无法正常显示 https 的内容。