2025-01-31 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
Sites without https support will gradually be marked as insecure by browsers, so adding https to a site has become urgent. For commercial websites, paying for an SSL/TLS certificate is not a problem, but individual users will be glad to have a free SSL/TLS certificate available. Let's Encrypt is a website that provides free SSL/TLS certificates. Because its certificates are valid for only three months, we need to renew them in an automated way. This article shows how to add https support to a site served by nginx running in docker and how to renew the certificates automatically. The demo environment for this article is an Ubuntu 16.04 host running on Azure.
Prepare the environment
It's easy to create an Ubuntu virtual machine on Azure, and installing docker needs no explanation. What is easy to overlook is configuring appropriate network security group rules, such as opening ports 80 and 443.
The DNS records for the site also need to be configured.
Create a normal http site
For simplicity, directly use the nodejs application in an image as the web site:
    $ docker pull ljfpower/nodedemo
    $ docker network create -d bridge webnet
    $ docker run -d --restart=always --expose=3000 \
        --network=webnet --name=myweb \
        ljfpower/nodedemo
Create the nginx directory and its subdirectories conf.d, conf.crt, and html under the user's home directory, and create the logs directory and its subdirectories nginx and letsencrypt:
    $ mkdir -p nginx/{conf.d,conf.crt,html}
    $ mkdir -p logs/{nginx,letsencrypt}
Note that the file and directory structure that we need to create manually in the example demonstrated in this article is as follows:
Create a nginx/nginx.conf file as follows:
    user nginx;
    worker_processes auto;

    error_log /var/log/nginx/error.log warn;
    pid /var/run/nginx.pid;

    events {
        worker_connections 2048;
    }

    http {
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
        sendfile on;
        keepalive_timeout 65;
        client_max_body_size 10M;
        # site definitions are mounted into conf.d
        include /etc/nginx/conf.d/*.conf;
    }
Then create the nginx/conf.d/default.conf file as follows:
    upstream web {
        server myweb:3000;
    }

    server {
        listen 80;
        listen [::]:80;
        server_name filterinto.com www.filterinto.com;

        # serve ACME http-01 challenge files from the webroot
        location ^~ /.well-known/acme-challenge/ {
            default_type "text/plain";
            root /usr/share/nginx/html;
        }

        # do not expose the challenge directory itself
        location = /.well-known/acme-challenge/ {
            return 404;
        }

        location / {
            proxy_pass http://web;
        }
    }
Here the /.well-known/acme-challenge/ directory is created by the certbot tool when it generates the certificate. Next, create the file nginx/html/index.html with the following content:
    <!DOCTYPE html>
    <html>
    <head><title>Let's Encrypt First Time Cert Issue Site</title></head>
    <body>
    <h1>Hello HTTPS!</h1>
    <p>Just used for the very first time SSL certificates are issued by Let's Encrypt's certbot.</p>
    </body>
    </html>
This page is also needed by certbot when generating certificates. Finally, let's start the container (execute the following command in the user's home directory):
    $ docker run -d \
        -p 80:80 \
        -v $(pwd)/nginx/conf.d:/etc/nginx/conf.d:ro \
        -v $(pwd)/nginx/nginx.conf:/etc/nginx/nginx.conf:ro \
        -v $(pwd)/logs/nginx:/var/log/nginx \
        -v $(pwd)/nginx/html:/usr/share/nginx/html \
        --restart=always \
        --name=gateway \
        --network=webnet \
        nginx:1.14
Note: port 443 is not mapped at this time, and the directory where the certificate is stored is not mounted. Our site can only be accessed using the http protocol.
Generate an SSL/TLS certificate for the site
Let's Encrypt is a website that provides free SSL/TLS certificates, and it provides users with the certbot tool to generate them. For convenience, we simply wrap certbot in a container. Create a certbot directory under the user's home directory, enter the certbot directory, and save the following contents to a file named Dockerfile:
    FROM alpine:3.4
    RUN apk add --update bash certbot
    VOLUME ["/etc/letsencrypt"]
Then execute the following command to create a certbot image:
    $ docker build -t certbot:1.0 .
Then create a script renew_cert.sh under the certbot directory to update the certificate automatically, as follows:
    #!/bin/bash
    # $1: host directory that contains the nginx/ and logs/ directories
    WEBDIR="$1"
    LIST=('filterinto.com' 'www.filterinto.com')
    FAILED_LIST=()
    WWW_ROOT=/usr/share/nginx/html

    # request or renew a certificate for each domain via the webroot challenge
    for domain in "${LIST[@]}"
    do
        docker run \
            --rm \
            -v "${WEBDIR}/nginx/conf.crt:/etc/letsencrypt" \
            -v "${WEBDIR}/logs/letsencrypt:/var/log/letsencrypt" \
            -v "${WEBDIR}/nginx/html:${WWW_ROOT}" \
            certbot:1.0 \
            certbot certonly --verbose --noninteractive --quiet --agree-tos \
            --webroot -w "${WWW_ROOT}" \
            --email="nick.li@grapecity.com" \
            -d "$domain"
        CODE=$?
        if [ $CODE -ne 0 ]; then
            FAILED_LIST+=("$domain")
        fi
    done

    # output failed domains
    if [ ${#FAILED_LIST[@]} -ne 0 ]; then
        echo 'failed domain:'
        for (( i=0; i<${#FAILED_LIST[@]}; i++ ))
        do
            echo "${FAILED_LIST[$i]}"
        done
    fi
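renew_cert.sh takes the host directory from its first argument and bind-mounts paths under it, so an empty or relative argument makes docker mount a different host directory than the one nginx serves. The preflight below is an added example, not part of the original article; the function names check_webdir and audit_key_perms are hypothetical, and the privkey*.pem file names assume certbot's usual archive layout under /etc/letsencrypt.

```shell
#!/bin/bash
# Added example: preflight checks to run before renew_cert.sh.
# Function names are hypothetical; the directory layout is the one
# created earlier in this article.

# Return 0 only if $1 is an absolute path that contains the directories
# the certbot container bind-mounts. With an empty WEBDIR, the mount
# source would become /nginx/conf.crt, which docker creates silently.
check_webdir() {
    local webdir="$1" sub
    case "$webdir" in
        /*) ;;
        *) echo "WEBDIR must be an absolute path: '$webdir'" >&2
           return 1 ;;
    esac
    for sub in nginx/conf.crt nginx/html logs/letsencrypt; do
        if [ ! -d "$webdir/$sub" ]; then
            echo "missing directory: $webdir/$sub" >&2
            return 1
        fi
    done
    return 0
}

# Print private key files under nginx/conf.crt that group or others
# can read; return 1 if any are found (assumes privkey*.pem naming).
audit_key_perms() {
    local loose
    loose=$(find "$1/nginx/conf.crt" -type f -name 'privkey*.pem' \
        \( -perm -040 -o -perm -004 \) 2>/dev/null)
    if [ -z "$loose" ]; then
        return 0
    fi
    printf '%s\n' "$loose"
    return 1
}

# Typical use at the top of renew_cert.sh:
#   check_webdir "$1" || exit 1
#   audit_key_perms "$1" || echo 'warning: loosely protected key files' >&2
```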