The official nginx ACME module

I saw that nginx now officially supports ACME.

I checked the official nginx image on Docker Hub and found that it does not ship the ACME module, so I built an image myself:
FROM alpine:latest
ENV TZ=Asia/Shanghai
# Add the nginx.org mainline repository for this Alpine release under the @nginx tag,
# and fetch its package signing key so apk can verify the packages it installs
RUN printf "%s%s%s%s\n" \
        "@nginx " \
        "http://nginx.org/packages/mainline/alpine/v" \
        "$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)" \
        "/main" \
        >> /etc/apk/repositories && \
    wget -O /etc/apk/keys/nginx_signing.rsa.pub https://nginx.org/keys/nginx_signing.rsa.pub
# Install nginx and the ACME module from the tagged nginx.org repository
RUN apk add --no-cache tzdata nginx@nginx nginx-module-acme@nginx
# Load the module as the first line of nginx.conf
RUN sed -i '1i load_module modules/ngx_http_acme_module.so;' /etc/nginx/nginx.conf
# Send the logs to the container's stdout/stderr
RUN ln -sf /dev/stdout /var/log/nginx/access.log \
    && ln -sf /dev/stderr /var/log/nginx/error.log
CMD ["nginx", "-g", "daemon off;"]

To use it, configure a resolver and an acme_issuer, then enable ACME in the server block and set the domain name there. Beyond that, make sure the HTTP path /.well-known is reachable.
This is my default.conf; it also contains the parts that tie in with Typecho and frpc:
resolver 192.168.123.2;

acme_issuer letsencrypt {
    uri https://acme-v02.api.letsencrypt.org/directory;
    state_path /var/cache/nginx/acme-letsencrypt;
    accept_terms_of_service;
}

server {
    listen 443 ssl default_server proxy_protocol;
    server_name han.kozow.com;
    set_real_ip_from 172.18.0.0/16;
    real_ip_header proxy_protocol;
    http2 on;

    acme_certificate letsencrypt;
    ssl_certificate $acme_certificate;
    ssl_certificate_key $acme_certificate_key;
    ssl_certificate_cache max=2;

    root /app;
    index index.php;

    location / {
        if (!-e $request_filename) {
            rewrite ^(.*)$ /index.php$1 last;
        }
    }

    location ~ /usr/.*\.db$ {
        deny all;
        return 404;
    }

    location ~ /\. {
        deny all;
        return 404;
    }

    location ~ /(wp-admin|wp-content) {
        deny all;
        return 404;
    }

    location ~ .*\.php(\/.*)*$ {
        include fastcgi.conf;
        fastcgi_hide_header X-Powered-By;
        fastcgi_pass php-fpm:9000;
    }
}

server {
    listen 80 default_server proxy_protocol;
    server_name _;
    set_real_ip_from 172.18.0.0/16;
    real_ip_header proxy_protocol;

    location / {
        return 301 https://$host$request_uri;
    }

    location ^~ /.well-known/ {
        root /app;
    }
}
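As an added example (not part of the original post, and not nginx's own code), the following Python encodes the checklist above as a pre-flight check for a default.conf before reloading nginx: a resolver is set, each acme_issuer has uri, state_path and accept_terms_of_service, every acme_certificate names a defined issuer, and a port-80 server keeps /.well-known/ reachable instead of redirecting it. The embedded config is a constructed, trimmed copy of the default.conf above, and the config parser is a minimal one written for this example.

```python
import re
# Constructed sample: the ACME-relevant lines of the default.conf from the post, trimmed.
SAMPLE_CONF = """resolver 192.168.123.2;
acme_issuer letsencrypt { uri https://acme-v02.api.letsencrypt.org/directory;
    state_path /var/cache/nginx/acme-letsencrypt; accept_terms_of_service; }
server { listen 443 ssl default_server proxy_protocol; server_name han.kozow.com;
    acme_certificate letsencrypt; ssl_certificate $acme_certificate;
    ssl_certificate_key $acme_certificate_key; }
server { listen 80 default_server proxy_protocol;
    location / { return 301 https://$host$request_uri; }
    location ^~ /.well-known/ { root /app; } }"""
def parse(text):
    """Minimal nginx config parser written for this example: list of (directive, args, children)."""
    toks = iter(re.findall(r'[{};]|[^\s{};]+', re.sub(r'#[^\n]*', '', text)))
    def block():
        items, cur = [], []
        for t in toks:  # shared iterator: a nested call consumes its own block up to '}'
            if t == '}':
                return items
            if t in ';{':
                items.append((cur[0], cur[1:], block() if t == '{' else None))
                cur = []
            else:
                cur.append(t)
        return items
    return block()

def get(body, name): return [(a, k) for n, a, k in body if n == name]  # every `name` in a block

def acme_problems(text):
    """List the ACME prerequisites from the post that this config fails to meet."""
    conf, out, http80 = parse(text), [], None
    issuers = {a[0]: k for a, k in get(conf, 'acme_issuer')}
    if not get(conf, 'resolver'):
        out.append('no resolver: nginx cannot look up the ACME directory host')
    for name, body in issuers.items():
        for req in ('uri', 'state_path', 'accept_terms_of_service'):
            if not get(body, req):
                out.append(f'acme_issuer {name}: missing {req}')
    for _, body in get(conf, 'server'):
        if any(a[0] == '80' or a[0].endswith(':80') for a, _ in get(body, 'listen')):
            http80 = body
        for a, _ in get(body, 'acme_certificate'):
            if a[0] not in issuers:
                out.append(f'acme_certificate {a[0]}: no such acme_issuer')
    if http80 is None:
        out.append('no port-80 server: the http-01 challenge cannot be answered')
    elif not any('/.well-known' in ''.join(a) for a, _ in get(http80, 'location')):
        out.append('port-80 server redirects everything: keep /.well-known/ reachable')
    return out
```

Run `acme_problems(open('/etc/nginx/conf.d/default.conf').read())` against a real config; an empty list means the checklist is satisfied, anything else names the missing piece.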