【实验】根据docker部署nginx并且实现https

news/2024/9/22 15:10:00/

环境准备

systemctl stop firewalld
setenforce 0

安装docker

#安装依赖包
yum -y install yum-utils device-mapper-persistent-data lvm2
#设置阿里云镜像
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo 
#安装最新版本的docker
yum -y install docker-ce docker-ce-cli containerd.io
#设置开机自启
systemctl enable docker.service 
#镜像加速下载
mkdir -p /etc/docker
tee /etc/docker/daemon.json <<-'EOF'
{"registry-mirrors": ["https://fil0uwf5.mirror.aliyuncs.com"]
}
EOF
#重新加载配置，重启docker
systemctl daemon-reload
systemctl restart docker
#下载nginx镜像
docker pull nginx
docker images

准备证书

证书生成脚本

cd /opt
vim /opt/cert.sh
i

# 该脚本，可以生成对应域名的所需的证书文件
CA_SUBJECT="/O=kgc/CN=ca.kgc.com"
SUBJECT="/C=CN/ST=js/L=nj/O=kgc/CN=www.kgc.com"
SERIAL=34
EXPIRE=365
FILE=kgc.com#生成一个自签名的X.509证书
openssl req  -x509 -newkey rsa:2048 -subj $CA_SUBJECT -keyout ca.key -nodes -days 365 -out ca.crt#生成一个RSA密钥对和证书签名请求
openssl req -newkey rsa:2048 -nodes -keyout ${FILE}.key  -subj $SUBJECT -out ${FILE}.csropenssl x509 -req -in ${FILE}.csr  -CA ca.crt -CAkey ca.key -set_serial $SERIAL  -days $EXPIRE -out ${FILE}.crtchmod 600 ${FILE}.key ca.key

执行脚本

bash cert.sh

#执行该脚本后执行后会生成ca.crt ca.key certificate.sh kgc.com.crt kgc.com.csr kgc.com.key 这几个文件，需要对其进行处理

kgc.com.crt(购买者) ca.crt(b颁发者) www.kgc.com.key(验证钥匙

创建cert目录存放证书文件

cat kgc.com.crt ca.crt > www.kgc.com.crt
mv kgc.com.key www.kgc.com.key 
ll /mnt/cert/

nginx.conf 文件

cd /mnt
vim /mnt/nginx.conf
i

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;events {worker_connections 1024;
}http {log_format  main  '$remote_addr - $remote_user [$time_local] "$request" ''$status $body_bytes_sent "$http_referer" ''"$http_user_agent" "$http_x_forwarded_for"';access_log  /var/log/nginx/access.log  main;sendfile            on;tcp_nopush          on;tcp_nodelay         on;keepalive_timeout   65;types_hash_max_size 4096;include             /etc/nginx/mime.types;default_type        application/octet-stream;server {listen 80;listen 443 ssl;   ssl_certificate /mnt/www.kgc.com.crt;ssl_certificate_key /mnt/www.kgc.com.key;ssl_session_cache shared:sslcache:20m;ssl_session_timeout 10m;server_name www.kgc.com;root     /usr/share/nginx/html;error_page 404 /404.html;location = /404.html {}error_page 500 502 503 504 /50x.html;location = /50x.html {}}
}

index.html 文件

cd /mnt
echo "monor" > /mnt/index.html

生成nginx 容器

docker run -itd -p 8080:80 -p 8090:443 -v /mnt/nginx.conf:/etc/nginx/nginx.conf -v /mnt/index.html:/usr/share/nginx/html/index.html -v /mnt/cert/:/mnt/ --name nginx nginx:latest

#生成容器，指定容器内80端口映射到本机的8080端口，指定容器内443端口映射到本机的8090端口

#将/mnt/nginx.conf挂载到容器内/etc/nginx/nginx.conf下，

#将/mnt/index.html挂载到容器内的/usr/share/nginx/html/index.html,将容器内的index.html覆盖掉

#将/mnt/cert挂载到容器内的/mnt下，/mnt/cert下的所有文件都会出现在容器的/mnt下

#别名为 nginx 使用 nginx:latest 镜像生成并启动