Deploying nginx with Docker and enabling HTTPS
1. Server environment
[root@liuyanfen12 ~]
[root@liuyanfen12 ~]
2. Install Docker
[root@liuyanfen12 ~]
[root@liuyanfen12 ~]
[root@liuyanfen12 ~]
[root@liuyanfen12 ~]
[root@liuyanfen12 ~]
3. Prepare the certificates
[root@liuyanfen12 ~]
[root@liuyanfen12 ~]
[root@liuyanfen12 nginx]
[root@liuyanfen12 nginx]
CA_SUBJECT="/O=luck/CN=ca.luck.com"
SUBJECT="/C=CN/ST=js/L=nj/O=luck/CN=www.luck.com"
SERIAL=34
EXPIRE=202002
FILE=luck.com
# 1. self-signed CA certificate and CA private key
openssl req -x509 -newkey rsa:2048 -subj $CA_SUBJECT -keyout ca.key -nodes -days $EXPIRE -out ca.crt
# 2. server private key and certificate signing request (CSR)
openssl req -newkey rsa:2048 -nodes -keyout ${FILE}.key -subj $SUBJECT -out ${FILE}.csr
# 3. sign the CSR with the CA to produce the server certificate
openssl x509 -req -in ${FILE}.csr -CA ca.crt -CAkey ca.key -set_serial $SERIAL -days $EXPIRE -out ${FILE}.crt
# 4. private keys readable by their owner only
chmod 600 ${FILE}.key ca.key
--------------------------------------------------------------------------------------------------------
-x509: produce a self-signed certificate instead of a CSR (certificate signing request).
-newkey rsa:2048: generate a new RSA key pair with a 2048-bit key.
-subj $CA_SUBJECT: set the certificate subject, here the CA subject defined above.
-keyout ca.key: write the generated private key to ca.key.
-nodes: leave the private key unencrypted, i.e. with no passphrase protection.
-days $EXPIRE: set the certificate validity period; the intent here is "until February 2020". Note that -days takes a number of days, so the value 202002 is interpreted as 202002 days, not as a date.
-out ca.crt: write the self-signed CA certificate to ca.crt.
--------------------------------------------------------------------------------------------------------
-newkey rsa:2048: as above, generate a new RSA key pair.
-keyout ${FILE}.key: write the server private key to ${FILE}.key, here luck.com.key.
-subj $SUBJECT: set the subject of the server certificate.
-out ${FILE}.csr: write the certificate signing request to ${FILE}.csr, here luck.com.csr.
--------------------------------------------------------------------------------------------------------
-req: the input is a certificate request rather than a certificate.
-in ${FILE}.csr: the certificate request to sign, i.e. the luck.com.csr generated above.
-CA ca.crt: the CA certificate used to issue the new certificate, i.e. the ca.crt generated in the first step.
-CAkey ca.key: the CA private key used to sign the new certificate.
-set_serial $SERIAL: the serial number of the new certificate.
-days $EXPIRE: the validity period of the server certificate (in days, as above).
-out ${FILE}.crt: write the server certificate to ${FILE}.crt, here luck.com.crt.
--------------------------------------------------------------------------------------------------------
chmod 600: change the file permissions so that only the owner can read and write the file.
${FILE}.key and ca.key: the server private key and the CA private key; restricting access to them is what protects the whole setup, since anyone holding ca.key can issue certificates the clients will trust.
--------------------------------------------------------------------------------------------------------
[root@liuyanfen12 nginx]
[root@liuyanfen12 nginx]
Generating a 2048 bit RSA private key
..........................................................................................................+++
.................+++
writing new private key to 'ca.key'
-----
Generating a 2048 bit RSA private key
.....................+++
..+++
writing new private key to 'luck.com.key'
-----
Signature ok
subject=/C=CN/ST=js/L=nj/O=luck/CN=www.luck.com
Getting CA Private Key
[root@liuyanfen12 nginx]
ca.crt ca.key certificate.sh luck.com.crt luck.com.csr luck.com.key
[root@liuyanfen12 nginx]
[root@liuyanfen12 nginx]
[root@liuyanfen12 nginx]
ca.crt ca.key certificate.sh luck.com.crt luck.com.csr www.luck.com.crt www.luck.com.key
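As an added example (not from the original post), the following script builds a CA and server certificate the same way certificate.sh does and then runs the checks worth doing before the files go into the nginx image: chain validity, key/certificate match, a subjectAltName for the hostname, a sane lifetime, and key permissions. Subjects, the temporary paths, and the 400-day lifetime limit are assumptions made for this example.

```shell
# Added example, not part of the original post: build a CA and server cert the
# way certificate.sh does, then run the checks worth doing before the files go
# into the nginx image. Subjects, paths and the 400-day limit are assumptions.
set -e

WORK=$(mktemp -d)
CA_SUBJECT="/O=luck/CN=ca.luck.com"
SUBJECT="/C=CN/ST=js/L=nj/O=luck/CN=www.luck.com"
FILE="$WORK/luck.com"
EXPIRE=365        # -days is a day count, not a date such as 202002
MAX_DAYS=400      # assumed local policy for server certificate lifetime

# Same three steps as the post's script, plus a subjectAltName: browsers match
# the hostname against the SAN, not the CN, so a CN-only cert is rejected.
openssl req -x509 -newkey rsa:2048 -subj "$CA_SUBJECT" -keyout "$WORK/ca.key" \
  -nodes -days "$EXPIRE" -out "$WORK/ca.crt" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout "$FILE.key" -subj "$SUBJECT" \
  -out "$FILE.csr" 2>/dev/null
printf 'subjectAltName=DNS:www.luck.com\n' > "$WORK/san.cnf"
openssl x509 -req -in "$FILE.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -set_serial 34 -days "$EXPIRE" -extfile "$WORK/san.cnf" -out "$FILE.crt" 2>/dev/null
chmod 600 "$FILE.key" "$WORK/ca.key"

# 1. The server cert must chain to the CA, which is what a client verifies.
check_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$FILE.crt" >/dev/null 2>&1 && echo ok || echo FAIL
}
# 2. The private key must belong to the cert, or nginx refuses to start.
check_keymatch() {
  c=$(openssl x509 -in "$FILE.crt" -noout -pubkey)
  k=$(openssl pkey -in "$FILE.key" -pubout)
  [ "$c" = "$k" ] && echo ok || echo FAIL
}
# 3. The SAN must carry the hostname clients will use.
check_san() {
  openssl x509 -in "$FILE.crt" -noout -text | grep -q 'DNS:www.luck.com' && echo ok || echo FAIL
}
# 4. Currently valid, but not valid for longer than policy allows.
#    -checkend N exits 0 only if the cert is still valid N seconds from now.
check_lifetime() {
  if openssl x509 -in "$FILE.crt" -noout -checkend 0 >/dev/null &&
     ! openssl x509 -in "$FILE.crt" -noout -checkend $((MAX_DAYS * 86400)) >/dev/null
  then echo ok; else echo FAIL; fi
}
# 5. Private key readable by its owner only.
check_keyperm() {
  [ "$(ls -l "$FILE.key" | cut -c1-10)" = "-rw-------" ] && echo ok || echo FAIL
}
echo "chain=$(check_chain) key=$(check_keymatch) san=$(check_san) lifetime=$(check_lifetime) perm=$(check_keyperm)"
```

Re-running the checks with EXPIRE set to 202002, as in the post's script, makes check_lifetime report FAIL, which is the quickest way to catch the days-versus-date mix-up.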
4. Prepare the nginx configuration file and the Dockerfile
[root@liuyanfen12 nginx]
ca.crt certificate.sh luck.com.crt nginx-1.12.0.tar.gz www.luck.com.crt
ca.key Dockerfile luck.com.csr nginx.conf www.luck.com.key
[root@liuyanfen12 nginx]
FROM centos:7
MAINTAINER this is nginx image <nginx>
RUN yum -y install pcre-devel zlib-devel gcc gcc-c++ make openssl openssl-devel
RUN useradd -M -s /sbin/nologin nginx
ADD nginx-1.12.0.tar.gz /usr/local/src/
WORKDIR /usr/local/src/nginx-1.12.0
RUN ./configure \
    --prefix=/usr/local/nginx \
    --user=nginx \
    --group=nginx \
    --with-http_ssl_module \
    --with-http_stub_status_module && make -j4 && make install
ENV PATH /usr/local/nginx/sbin:$PATH
ADD nginx.conf /usr/local/nginx/conf/nginx.conf
ADD www.luck.com.crt /usr/local/nginx/conf/
ADD www.luck.com.key /usr/local/nginx/conf/
EXPOSE 80
EXPOSE 443
CMD [ "/usr/local/nginx/sbin/nginx","-g","daemon off;" ]
[root@liuyanfen12 nginx]
server {
    listen 80;
    listen 443 ssl;
    ssl_certificate /usr/local/nginx/conf/www.luck.com.crt;
    ssl_certificate_key /usr/local/nginx/conf/www.luck.com.key;
    ssl_session_cache shared:sslcache:20m;
    ssl_session_timeout 10m;
    server_name localhost;
--------------------------------------------------------------------------------------------------------
    listen 443 ssl;
    ssl_certificate /usr/local/nginx/conf/www.luck.com.crt;
    ssl_certificate_key /usr/local/nginx/conf/www.luck.com.key;
    ssl_session_cache shared:sslcache:20m;
    ssl_session_timeout 10m;
--------------------------------------------------------------------------------------------------------
5. Build the nginx image and create the container
[root@liuyanfen12 ~]
[root@liuyanfen12 ~]
[root@liuyanfen12 nginx]
[root@liuyanfen12 nginx]
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx centos c3f56b07162d 25 seconds ago 592MB
centos 7 eeb6ee3f44bd 2 years ago 204MB
[root@liuyanfen12 nginx]
618a521cf19a57ada8db2769b38fafcd2b09ff0065c2aa879ca7aed5c3fdd779
[root@liuyanfen12 nginx]
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
618a521cf19a nginx:centos "/usr/local/nginx/sb…" 4 seconds ago Up 3 seconds 0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp nginx
6. Verify access
https://192.168.10.12/