This post records the steps for installing Certbot in a Debian-based Nginx Docker container to secure the Nginx and Portainer Docker sites with a Let's Encrypt certificate.



# For Ubuntu 20.04
sudo apt install docker.io
sudo apt install docker-compose

Or on other Linux distributions:
# CentOS 7, Debian, Ubuntu 18.04/16.04
curl -sSL https://get.docker.com/ | sh
systemctl start docker
systemctl enable docker

Install Portainer.

root@<vps>:/# docker volume create portainer_data
root@<vps>:/# docker run -d -p 9000:9000 --name portainer --restart always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce:latest

You should now be able to reach the Portainer web UI at the VPS's public IP: http://<public ip>:9000

Deploy the Nginx Docker container using Portainer

In this lab I am using opc2portainer.51sec.org as the domain URL. Make sure your domain opc2portainer.51sec.org points to your VPS's public IP.


Create a new container in Portainer:
Note: both port 80 and port 443 need to be mapped from the Docker container to the host.

Use Nginx as a reverse proxy for Portainer

In this lab, Nginx is configured as a reverse proxy that forwards all traffic for opc2portainer.51sec.org arriving on ports 80 and 443 to the Portainer Docker site.

apt update && apt install nano
nano /etc/nginx/conf.d/portainer.conf


nano /etc/nginx/conf.d/novnc.conf
server {
    listen       80;
    server_name  opc2portainer.51sec.org;

    location / {
        proxy_pass                   http://172.31.23.170:6080;
        proxy_http_version           1.1;
        proxy_read_timeout           300;
        proxy_set_header Upgrade     $http_upgrade;
        proxy_set_header Connection  "upgrade";
        proxy_set_header Host        $http_host;
        proxy_set_header X-Real-IP   $remote_addr;
        proxy_set_header X-Real-PORT $remote_port;
    }
}
Don't forget to restart the nginx service with the following command so the change takes effect:
service nginx restart

Once the nginx service has restarted, the configuration takes effect, and we will be able to access the Portainer site using the subdomain on port 80: http://opc2portainer.fabiandinkins.com
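The proxy configuration above is normally typed by hand into nano. As an added example, not part of the original post, the script below renders the same reverse-proxy server block for a given domain and upstream and then runs a static check on the result. The check looks for the directives that matter for Portainer specifically: the HTTP/1.1 and Upgrade/Connection headers, because Portainer's container console and exec features run over WebSockets and silently break behind a proxy that drops them. The function names, the check itself and the output handling are this example's own; the directives mirror the portainer.conf shown later in the post.

```shell
#!/bin/sh
# Added example, not from the original post: render and lint the Nginx
# reverse-proxy server block for Portainer. Function names are this example's own.

# render_proxy_conf DOMAIN UPSTREAM
# Prints an HTTP (port 80) server block that proxies DOMAIN to UPSTREAM and
# forwards the WebSocket upgrade headers Portainer's console/exec depend on.
render_proxy_conf() {
  domain="$1"
  upstream="$2"
  cat <<EOF
server {
    listen       80;
    server_name  ${domain};

    location / {
        proxy_pass         http://${upstream};
        proxy_redirect     off;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade \$http_upgrade;
        proxy_set_header   Connection "upgrade";
        proxy_set_header   Host \$host;
        proxy_set_header   X-Real-IP \$remote_addr;
        proxy_set_header   X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
}
EOF
}

# check_proxy_conf FILE
# Returns 0 when FILE carries every directive a Portainer proxy needs and its
# braces balance; returns 1 (with a reason on stderr) otherwise.
check_proxy_conf() {
  f="$1"
  for directive in 'proxy_http_version 1.1' 'Upgrade $http_upgrade' 'Connection "upgrade"'; do
    grep -Fq -- "$directive" "$f" || { echo "missing: $directive" >&2; return 1; }
  done
  # Unbalanced braces are the usual slip when a block is pasted by hand.
  opens=$(( $(tr -cd '{' < "$f" | wc -c) ))
  closes=$(( $(tr -cd '}' < "$f" | wc -c) ))
  [ "$opens" -eq "$closes" ] || { echo "unbalanced braces ($opens vs $closes)" >&2; return 1; }
  return 0
}

# Usage: sh proxy_conf.sh opc2portainer.51sec.org 172.31.23.170:9000 > /etc/nginx/conf.d/portainer.conf
if [ $# -eq 2 ]; then
  render_proxy_conf "$1" "$2"
fi
```

After writing the file into /etc/nginx/conf.d/ inside the container, `nginx -t` is still the authoritative syntax check; the static lint only catches the Portainer-specific omissions that `nginx -t` accepts as valid.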

Install Certbot.

Depending on the Debian version of your Nginx Docker image, the install commands differ. In this lab I am using Debian 10 as the operating system.


root@3a4767f0c009:/# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
root@3a4767f0c009:/# uname -a
Linux 3a4767f0c009 3.10.0-1127.10.1.el7.x86_64 #1 SMP Wed Jun 3 14:28:03 UTC 2020 x86_64 GNU/Linux
root@3a4767f0c009:/#

Open a shell in the nginx Docker container, either from Portainer's console or from the VPS command line: docker exec -it nginx /bin/bash
The following three commands install Certbot and configure Nginx to use the certificate.

apt update
apt install certbot python-certbot-nginx
certbot --nginx
root@3a4767f0c009:/# certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): <your email address>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: opc2portainer.51sec.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for opc2portainer.51sec.org
2021/03/07 01:57:27 [notice] 3765#3765: signal process started
Waiting for verification...
Cleaning up challenges
2021/03/07 01:57:31 [notice] 3767#3767: signal process started
Deploying Certificate to VirtualHost /etc/nginx/conf.d/portainer.conf
2021/03/07 01:57:34 [notice] 3769#3769: signal process started

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://opc2portainer.51sec.org

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=opc2portainer.51sec.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/opc2portainer.51sec.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/opc2portainer.51sec.org/privkey.pem
   Your cert will expire on 2021-06-05. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

 - We were unable to subscribe you the EFF mailing list because your
   e-mail address appears to be invalid. You can try again later by
   visiting https://act.eff.org.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The nginx portainer.conf configuration file now looks like this:


root@3a4767f0c009:/etc/nginx/conf.d# cat portainer.conf
server {
    listen       80;
    server_name  opc2portainer.51sec.org;

    location / {
        proxy_pass                 http://172.31.23.170:9000;
        proxy_redirect             off;
        proxy_http_version         1.1;
        proxy_set_header Upgrade   $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host      $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/opc2portainer.51sec.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/opc2portainer.51sec.org/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}


At this point your Portainer URL is reachable over HTTPS on port 443. Make sure the VPS firewall allows this HTTPS/443 port in from the Internet.
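Certbot's notes above say the certificate expires on 2021-06-05 and that `certbot renew` renews everything non-interactively. Two things differ when Certbot lives inside a container rather than on the host: the systemd timer that the Debian package normally installs never fires, because no systemd (and no cron) runs in the container, and /etc/letsencrypt sits in the container's writable layer, so recreating the container from the image loses both the certificate and the ACME account key unless that directory is mounted as a volume. The script below is an added example, not from the original post: it reads the expiry of the leaf certificate in /etc/letsencrypt/live/<domain>/fullchain.pem, reports the days remaining and calls `certbot renew` only when fewer than a threshold remain, so it can be run from a host cron job via `docker exec`. It assumes `openssl` and GNU `date -d` are present in the container (Debian 10 has both); the function names and the CERT_DIR and RENEW_BEFORE_DAYS variables are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: report certificate lifetime and
# renew when it is close to expiry. Function and variable names are this
# example's own; the certificate paths follow Certbot's layout shown in the post.

CERT_DIR=${CERT_DIR:-/etc/letsencrypt/live}
RENEW_BEFORE_DAYS=${RENEW_BEFORE_DAYS:-30}   # Certbot's own default threshold

# days_left NOW_EPOCH EXPIRY_EPOCH -> whole days between the two instants
days_left() {
  echo $(( ($2 - $1) / 86400 ))
}

# needs_renewal NOW_EPOCH EXPIRY_EPOCH THRESHOLD_DAYS -> exit 0 when renewal is due
needs_renewal() {
  [ "$(days_left "$1" "$2")" -lt "$3" ]
}

# cert_expiry_epoch CERT_FILE -> notAfter of the leaf certificate as Unix time
cert_expiry_epoch() {
  not_after=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  date -d "$not_after" +%s
}

# check_domain DOMAIN: print the remaining lifetime; renew if it is below the
# threshold. Returns 2 when no certificate exists for DOMAIN, so a lost
# /etc/letsencrypt (e.g. a recreated container) is reported, not ignored.
check_domain() {
  cert="$CERT_DIR/$1/fullchain.pem"
  [ -r "$cert" ] || { echo "no certificate for $1 at $cert" >&2; return 2; }
  now=$(date +%s)
  expiry=$(cert_expiry_epoch "$cert")
  echo "$1: $(days_left "$now" "$expiry") day(s) left"
  if needs_renewal "$now" "$expiry" "$RENEW_BEFORE_DAYS"; then
    # The deploy hook makes the nginx reload explicit so the renewed chain is served.
    certbot renew --quiet --deploy-hook "nginx -s reload"
  fi
}

# Usage: sh cert-check.sh opc2portainer.51sec.org
if [ $# -eq 1 ]; then
  check_domain "$1"
fi
```

From the VPS, a daily cron entry such as `docker exec nginx sh /root/cert-check.sh opc2portainer.51sec.org` keeps the certificate current; the path of the script inside the container is a placeholder to adjust.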

From Blogger: http://blog.fabiandinkins.com/2021/03/install-certbot-on-debian-docker-to.html

By Jon.
