...

  1. create the following named Docker volumes first (docker volume create <name>):
       reverse_proxy_conf
       reverse_proxy_data
       certbot_cfg
       certbot_www
  2. prerequisites:
    1. port 80 (and 443) is reachable from the outside world
    2. those ports are forwarded to the Docker host
    3. a public DNS record exists for your planned <hostname>
  3. run nginx:
       docker run -it --rm --name reverse-proxy \
        -p 80:80 -p 8080:8080 -p 443:443 -p 8443:8443 \
        -v reverse_proxy_conf:/etc/nginx/ \
        -v reverse_proxy_data:/usr/share/nginx/ \
        -v certbot_cfg:/etc/letsencrypt \
        -v certbot_www:/var/www/certbot \
        -d nginx:latest
  4. add the following location to the server block of the nginx configuration that listens on the unencrypted port 80 (the CA fetches the challenge files from here during issuance and every renewal):
       # for certbot challenges (issuance and renewal)
       location /.well-known/acme-challenge
          {
          allow all;
          root /var/www/certbot;
          }

  5. run certbot in dry-run mode first, so that a misconfiguration does not count against the Let's Encrypt "too many failed authorizations" rate limit:
        docker run -it --rm --name certbot \
        -v certbot_cfg:/etc/letsencrypt \
        -v certbot_www:/var/www/certbot certbot/certbot \
        certonly --register-unsafely-without-email --webroot --dry-run -w /var/www/certbot -d <hostname>
  6. if all went fine, just repeat the command without the --dry-run parameter.

  7. the certificate and private key are stored on the Docker host here (privkey.pem is readable by root only; keep it that way):
        /var/lib/docker/volumes/certbot_cfg/_data/archive/<hostname>
    and symlinks to the latest versions are here:
        /var/lib/docker/volumes/certbot_cfg/_data/live/<hostname>

  8. adjust the nginx configuration by modifying the ssl section in the config file (reference the live/ symlinks, not the archive/ files, so renewals are picked up):
       server
          {
          listen 443 ssl;
          server_name <hostname>;

          ssl_certificate /etc/letsencrypt/live/<hostname>/fullchain.pem;
          ssl_certificate_key /etc/letsencrypt/live/<hostname>/privkey.pem;
          }

  9. restart the nginx container and test

  10. to renew the certificate, run the following command:
       docker run -it --rm --name certbot \
       -v certbot_cfg:/etc/letsencrypt \
       -v certbot_www:/var/www/certbot \
       certbot/certbot renew --webroot -w /var/www/certbot
  11. after a successful renewal, the nginx container has to be restarted so that it loads the new certificate files
  12. add your services to the proxy, e.g. for Confluence (you are reading this page through this very proxy right now):

       #
       # Confluence
       #
       location /
          {
          client_max_body_size 100M;
          proxy_pass http://<confluence server>:8090/;
          proxy_set_header X-Forwarded-Host $host;
          proxy_set_header X-Forwarded-Server $host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          }
       location /synchrony
          {
          proxy_set_header X-Forwarded-Host $host;
          proxy_set_header X-Forwarded-Server $host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_pass http://<confluence server>:8091/synchrony;
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "Upgrade";
          }
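
The issuance and renewal steps above, collected into one small script, as an added example that is not part of the original page. It wraps step 4 (a pre-flight fetch of a test token from the challenge path before a real authorization is spent), steps 5 and 6 (dry run, then the real request only if the dry run passed) and steps 10 and 11 (renew, then reload nginx only if fullchain.pem actually changed, since certbot renew is a no-op until the certificate nears expiry). It also validates <hostname> as a plain DNS name before splicing it into command lines. Assumptions not taken from the page: the container name reverse-proxy from step 3, the alpine image used only to write and remove the test token in the certbot_www volume, docker volume inspect to locate the volume on the host instead of the hard-coded /var/lib/docker path, and a graceful nginx -s reload in place of the container restart in step 11.

```shell
#!/bin/sh
# Added example, not from the original page: the certbot/nginx steps above as
# shell functions. Assumed names (not on the page): the "alpine" image used to
# write a test token, "docker volume inspect" to find the volume on the host,
# and "nginx -s reload" in place of a container restart.
set -eu

CERTBOT_IMAGE="certbot/certbot"
PROXY_CONTAINER="reverse-proxy"     # container name from step 3
WEBROOT="/var/www/certbot"          # challenge webroot from steps 4 and 5

# Accept only a plain DNS name: <hostname> is spliced into command lines below.
validate_hostname() {
    printf '%s' "$1" | grep -Eqi '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

# SHA-256 of a file (sha256sum on Linux, shasum on BSD/macOS).
fingerprint() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# True when the file no longer matches a previously recorded fingerprint.
cert_changed() {
    [ "$(fingerprint "$1")" != "$2" ]
}

# Step 4 check: serve a token from the certbot_www volume over plain HTTP and
# fetch it the way the CA will, before spending a real authorization attempt.
preflight() {
    host="$1"
    validate_hostname "$host" || { echo "invalid hostname: $host" >&2; return 1; }
    token="preflight-$(date +%s)"
    docker run --rm -v certbot_www:"$WEBROOT" alpine sh -c \
        "mkdir -p $WEBROOT/.well-known/acme-challenge && \
         echo $token > $WEBROOT/.well-known/acme-challenge/$token"
    body="$(curl -fsS "http://$host/.well-known/acme-challenge/$token")"
    docker run --rm -v certbot_www:"$WEBROOT" alpine \
        rm -f "$WEBROOT/.well-known/acme-challenge/$token"
    [ "$body" = "$token" ]
}

# Steps 5 and 6: dry run first; set -e stops before the real request if it fails.
issue() {
    host="$1"
    validate_hostname "$host" || return 1
    for dry in --dry-run ""; do
        # shellcheck disable=SC2086   # $dry is intentionally unquoted
        docker run -it --rm --name certbot \
            -v certbot_cfg:/etc/letsencrypt \
            -v certbot_www:"$WEBROOT" "$CERTBOT_IMAGE" \
            certonly --register-unsafely-without-email --webroot $dry \
            -w "$WEBROOT" -d "$host"
    done
}

# Steps 10 and 11: renew, then reload nginx only if fullchain.pem actually
# changed (certbot renew is a no-op until the certificate nears expiry).
# Must run as root: live/ and privkey.pem are readable by root only.
renew() {
    host="$1"
    validate_hostname "$host" || return 1
    vol="$(docker volume inspect -f '{{ .Mountpoint }}' certbot_cfg)"
    cert="$vol/live/$host/fullchain.pem"
    before="$(fingerprint "$cert")"
    docker run --rm --name certbot \
        -v certbot_cfg:/etc/letsencrypt \
        -v certbot_www:"$WEBROOT" "$CERTBOT_IMAGE" \
        renew --webroot -w "$WEBROOT"
    if cert_changed "$cert" "$before"; then
        docker exec "$PROXY_CONTAINER" nginx -s reload
    fi
}

case "${1:-}" in
    preflight|issue|renew) "$1" "${2:-}" ;;
    "") ;;   # no arguments: only define the functions (e.g. when sourced)
    *) echo "usage: $0 {preflight|issue|renew} <hostname>" >&2; exit 2 ;;
esac
```

Run it as root on the Docker host, e.g. ./certs.sh preflight <hostname> before the first issuance and ./certs.sh renew <hostname> from a cron job. Because renewal only reloads nginx when the certificate bytes differ, the job can run daily without disturbing the proxy on the days certbot decides nothing is due.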

...