docker notes
nginx+uwsgi+flask+letsencrypt
Env: Python3
Used for the LINE API integration; a crontab job must renew the certificate (the signing validity period is 30 days)
note:
certbot-auto: cloning just this single file is enough
Generate the certificate (run inside docker):
certbot-auto certonly --webroot --webroot-path=WEB_ROOT -d DOMAIN_NAME
Renew the certificate:
docker exec -it CONTAINER_ID /opt/letsencrypt/certbot-auto renew --quiet --renew-hook "/etc/init.d/nginx restart"
Start the program (docker run takes the image committed below, not a container id):
docker run -p 80:80 -p 443:443 your_account/container_name:tag /opt/start.sh &
/opt/start.sh:
#!/bin/bash
# start nginx first (it daemonizes), then run uwsgi in the foreground so the container stays up
/etc/init.d/nginx start
exec uwsgi --socket 0.0.0.0:8080 --protocol=http -w PROGRAM_NAME
Nginx Config:
The idea is to use proxy_pass to connect to uwsgi.
I force a redirect to HTTPS; the configuration is as follows, only the key settings are listed:
server {
listen 80;
server_name DOMAIN.COM.TW;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name DOMAIN.COM.TW;
ssl_certificate /etc/letsencrypt/live/blog.gtwang.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/blog.gtwang.org/privkey.pem;
ssl_protocols TLSv1.2;
location / {
proxy_pass http://127.0.0.1:8080;
}
}
Only TLSv1.2 is used here rather than the newest 1.3, because 1.3 has a vulnerability.
We use proxy_pass to proxy the uwsgi service.
Before using letsencrypt, don't forget to create the .well-known folder in the nginx root directory to serve as the webroot for validation.
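A complete version of the two server blocks, added here as an example (not the original note's config). It assumes the ACME webroot is /var/www/letsencrypt and the certificates live under /etc/letsencrypt/live/DOMAIN.COM.TW/; it serves the challenge over plain HTTP before the redirect, so webroot validation does not get bounced into the uwsgi proxy.

```nginx
server {
    listen 80;
    server_name DOMAIN.COM.TW;

    # ACME webroot challenge, answered over HTTP before the redirect below;
    # path is an assumption, pass the same directory to --webroot-path.
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
    }

    # Everything else is forced to HTTPS.
    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl;            # "ssl" is required, otherwise nginx speaks plain HTTP on 443
    server_name DOMAIN.COM.TW;

    ssl_certificate     /etc/letsencrypt/live/DOMAIN.COM.TW/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/DOMAIN.COM.TW/privkey.pem;
    ssl_protocols TLSv1.2;     # TLSv1 / TLSv1.1 dropped, as the note intends
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000" always;

    # proxy_pass is only valid inside a location block.
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Check it with `nginx -t` before the renew hook restarts nginx, since a broken config leaves the container without a listener.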
Notes:
create docker image:
to detach from docker without stopping it use CTRL+P & CTRL+Q
docker ps (to find the docker container_id)
docker commit -m "COMMENT" CONTAINER_ID your_account/container_name:tag
docker run container:
docker run -p 80:80 -p 443:443 your_account/container_name:tag PROGRAM (multiple ports; the argument is the image, not a container id)
enter a container while it is running:
docker exec -it CONTAINER_ID /bin/bash
docker remove images:
docker rmi IMAGES_ID
docker delete container:
docker rm CONTAINER_ID
20170831 , David in Taipei