David Hsu

    DevOps Engineering / AWS / Cloud Native


Docker notes


nginx+uwsgi+flask+letsencrypt

Env: Python3

Used to integrate with the LINE API. Certificate renewal has to run from crontab: Let's Encrypt certificates are valid for 90 days, and certbot replaces them once they are within 30 days of expiry.


note:

certbot-auto is a single script; it is enough to fetch that one file rather than cloning the whole repository. (certbot-auto has since been deprecated; on a current system install the certbot package or snap instead.)

Generate the certificate (run inside the container; nginx must already be serving WEB_ROOT on port 80 so the HTTP-01 challenge can be fetched):
certbot-auto certonly --webroot --webroot-path=WEB_ROOT -d DOMAIN_NAME

Renew the certificate (drop -t when this runs from cron, which has no TTY; "/etc/init.d/nginx reload" instead of restart avoids dropping live connections):
docker exec -it CONTAINER_ID /opt/letsencrypt/certbot-auto renew --quiet --renew-hook "/etc/init.d/nginx restart"
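Here is a host-side renewal script with its crontab line, as an added example that is not from the original post. It assumes the container is named flaskweb (a container ID from docker ps works just as well) and keeps the page's paths: /opt/letsencrypt/certbot-auto inside the container and the DOMAIN.COM.TW placeholder. The expiry arithmetic is split into small functions so the 30-day decision can be checked on its own, and the docker exec call deliberately omits -t because cron has no terminal.

```sh
#!/bin/sh
# renew-cert.sh: run from the HOST's crontab, for example
#   0 3 * * * /opt/renew-cert.sh flaskweb >> /var/log/renew-cert.log 2>&1
# Added example, not from the original post. Assumptions: the container is
# named "flaskweb", certbot-auto lives at /opt/letsencrypt/certbot-auto inside
# it, openssl is installed in it, and the cert is for DOMAIN.COM.TW.

CONTAINER="${1:-flaskweb}"
CERT=/etc/letsencrypt/live/DOMAIN.COM.TW/fullchain.pem

# Seconds remaining, from two Unix timestamps (pure arithmetic so it can be
# exercised without a real certificate).
seconds_left() { echo $(( $1 - $2 )); }

# Renew when THRESHOLD days (default 30) or fewer remain. Let's Encrypt issues
# 90-day certificates; 30 days is the window certbot itself uses, so this
# pre-check only exists so the log says why nothing happened.
# $1 = notAfter epoch, $2 = now epoch, $3 = threshold in days. Exit 0 = renew.
needs_renewal() {
    [ "$(seconds_left "$1" "$2")" -le $(( ${3:-30} * 86400 )) ]
}

# No "-t": cron has no terminal and "docker exec -it" would fail with
# "the input device is not a TTY". The hook runs inside the container.
# Newer certbot releases call this option --deploy-hook.
run_renew() {
    docker exec "$1" /opt/letsencrypt/certbot-auto renew --quiet \
        --renew-hook "/etc/init.d/nginx reload"
}

# What the server actually presents on :443 after the reload.
show_live_expiry() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -enddate
}

main() {
    not_after=$(docker exec "$CONTAINER" openssl x509 -noout -enddate -in "$CERT" | cut -d= -f2)
    exp=$(date -d "$not_after" +%s)   # GNU date; BSD: date -j -f '%b %e %T %Y %Z' "$not_after" +%s
    now=$(date +%s)
    if needs_renewal "$exp" "$now" 30; then
        echo "$(date '+%F %T') cert expires $not_after, renewing"
        run_renew "$CONTAINER" || { echo "renew failed"; exit 1; }
        show_live_expiry DOMAIN.COM.TW
    else
        echo "$(date '+%F %T') cert valid until $not_after, nothing to do"
    fi
}

# Only run when executed as a script, not when sourced for tests.
if [ "${0##*/}" = "renew-cert.sh" ]; then main; fi
```

Save it as /opt/renew-cert.sh on the host and install the crontab line from the header. The final show_live_expiry call is the check worth keeping: it reads the certificate the reloaded nginx is actually serving, not the file on disk, so a hook that silently failed shows up in the log.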

Start the stack (docker run takes an image, not a container ID; -d is preferable to a trailing & so the container survives the shell exiting):
docker run -d -p 80:80 -p 443:443 IMAGE_NAME /opt/start.sh

/opt/start.sh:

#!/bin/bash
# nginx daemonizes first; uwsgi then runs in the foreground and keeps the container alive
/etc/init.d/nginx start
exec uwsgi --socket 127.0.0.1:8080 --protocol=http -w PROGRAM_NAME


Nginx Config:

nginx hands requests to uwsgi with proxy_pass, and I force all plain-HTTP requests over to HTTPS. Only the key directives are shown:


server {
  listen 80;
  server_name DOMAIN.COM.TW;

  # serve ACME HTTP-01 challenges straight from the webroot (WEB_ROOT from the
  # certbot command) so they are not caught by the HTTPS redirect
  location /.well-known/acme-challenge/ {
    root WEB_ROOT;
  }

  location / {
    return 301 https://$server_name$request_uri;
  }
}

server {
  listen 443 ssl;   # "ssl" is required, otherwise nginx speaks plain HTTP on 443
  server_name DOMAIN.COM.TW;
  ssl_certificate /etc/letsencrypt/live/DOMAIN.COM.TW/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/DOMAIN.COM.TW/privkey.pem;
  ssl_protocols TLSv1.2;   # TLSv1/TLSv1.1 are deprecated; add TLSv1.3 once nginx/OpenSSL support it

  # proxy_pass is only valid inside a location block
  location / {
    proxy_pass http://127.0.0.1:8080;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
  }
}


Only TLSv1.2 is enabled here. TLS 1.3 is absent because at the time of writing it was still an IETF draft that nginx and OpenSSL did not ship, not because it is weaker than 1.2; once nginx is built against OpenSSL 1.1.1 or later it should be added (ssl_protocols TLSv1.2 TLSv1.3;). TLSv1 and TLSv1.1 are deprecated (RFC 8996) and should not be enabled.
proxy_pass forwards the request to the uwsgi service.

Before running certbot, create .well-known under the nginx webroot and make sure nginx serves /.well-known/acme-challenge/ from the same directory you pass to --webroot-path, outside the HTTPS redirect: certbot writes the challenge files under WEB_ROOT/.well-known/acme-challenge/ and Let's Encrypt fetches them over plain HTTP on port 80.
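Once the config is live, this added check script (not part of the original post; DOMAIN.COM.TW is the page's placeholder and the helper names are mine) probes which TLS versions the server accepts, confirms the HTTP to HTTPS redirect, and confirms that the ACME challenge path is served rather than redirected. The parsing helpers read the tool output from stdin so they can be exercised with canned input.

```sh
#!/bin/sh
# check-tls.sh: sanity-check the nginx setup from outside the container.
# Added example, not from the original post. Usage: sh check-tls.sh DOMAIN.COM.TW
DOMAIN="${1:-DOMAIN.COM.TW}"

# Parse "openssl s_client" output on stdin. A refused protocol (or no connection
# at all) gives "New, (NONE), Cipher is (NONE)" or nothing; an accepted handshake
# names a real cipher, e.g. "New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384".
handshake_ok() {
    grep -q '^New, TLSv[0-9.]*, Cipher is [A-Z]'
}

# First line of an HTTP response on stdin -> status code ("HTTP/1.1 301 ..." -> 301)
http_status() {
    head -n1 | awk '{print $2}' | tr -d '\r'
}

# Does the Location header on stdin point at https://$1/... ?
redirects_to_https() {
    grep -i '^location:' | tr -d '\r' | grep -q "^[Ll]ocation: https://$1/"
}

# $1 is an openssl protocol flag such as -tls1_2. An OpenSSL too old to know the
# flag exits with an error, which is reported as "refused" (read the stderr
# if that surprises you).
probe_protocol() {
    printf '' | openssl s_client -connect "$DOMAIN:443" -servername "$DOMAIN" "$1" 2>/dev/null \
        | handshake_ok
}

main() {
    # With "ssl_protocols TLSv1.2;" the first two must be refused.
    for p in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        if probe_protocol "$p"; then echo "$p: accepted"; else echo "$p: refused"; fi
    done

    # Plain HTTP must redirect to HTTPS ...
    if curl -sI "http://$DOMAIN/" | redirects_to_https "$DOMAIN"; then
        echo "http -> https redirect: ok"
    else
        echo "http -> https redirect: MISSING"
    fi

    # ... except the ACME path, which nginx must serve itself: a 404 for an
    # unknown token is fine, a 301 means certbot's webroot validation will break.
    code=$(curl -sI "http://$DOMAIN/.well-known/acme-challenge/probe" | http_status)
    if [ "$code" = "301" ]; then
        echo "acme path redirected ($code): webroot validation will fail"
    else
        echo "acme path served by nginx ($code): ok"
    fi
}

# Only run when executed as a script, not when sourced for tests.
if [ "${0##*/}" = "check-tls.sh" ]; then main "$@"; fi
```

Run it from a machine outside the container after every nginx change; a config that still lists TLSv1 shows up immediately as "-tls1: accepted", and a redirect that swallows the challenge path shows up before the next renewal does.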

Notes:

Create a Docker image from a running container:
detach from the container without stopping it with CTRL+P followed by CTRL+Q
docker ps (find the CONTAINER_ID)
docker commit -m "COMMENT" CONTAINER_ID your_account/image_name:tag

Run a container from the image (several published ports):
docker run -p 80:80 -p 443:443 IMAGE_NAME PROGRAM

Open a shell in a running container:
docker exec -it CONTAINER_ID /bin/bash

Remove an image:
docker rmi IMAGE_ID

Remove a container:
docker rm CONTAINER_ID



20170831 , David in Taipei




