I am trying to add HTTPS to my domain on AWS EB using Let's Encrypt. My budget is tight, so I cannot afford AWS certificates and a load balancer. I have combed the web for the best way to solve this, but I only seem to find single-container implementations, which therefore use .ebextensions.
The only documentation I found on Stack Overflow is HTTPS on Elastic Beanstalk (Docker Multi-container).
I also found documentation on how to use Dockerrun.aws.json at Free HTTPS on AWS Elastic Beanstalk without Load Balancer.
But I cannot seem to configure it correctly. I already have an nginx server. How do I configure jwilder/nginx-proxy, jrcs/letsencrypt-nginx-proxy-companion and nginx?
Dockerrun.aws.json
{
  "AWSEBDockerrunVersion": 2,
  "volumes": [
    {
      "name": "home-ec2-user-certs",
      "host": {
        "sourcePath": "/home/ec2-user/certs"
      }
    },
    {
      "name": "etc-nginx-vhost-d",
      "host": {
        "sourcePath": "/etc/nginx/vhost.d"
      }
    },
    {
      "name": "usr-share-nginx-html",
      "host": {
        "sourcePath": "/usr/share/nginx/html"
      }
    },
    {
      "name": "var-run-docker-sock",
      "host": {
        "sourcePath": "/var/run/docker.sock"
      }
    }
  ],
  "containerDefinitions": [
    {
      "name": "client",
      "image": "example/site-client",
      "hostname": "client",
      "essential": false,
      "memory": 128,
      "environment": [
        {
          "name": "VIRTUAL_HOST",
          "value": "www.example.com, example.com"
        },
        {
          "name": "LETSENCRYPT_HOST",
          "value": "www.example.com, example.com"
        }
      ]
    },
    {
      "name": "server",
      "image": "example/site-server",
      "hostname": "api",
      "essential": false,
      "memory": 128
    },
    {
      "name": "admin",
      "image": "example/site-admin",
      "hostname": "admin",
      "essential": false,
      "memory": 128,
      "environment": [
        {
          "name": "VIRTUAL_HOST",
          "value": "admin.example.com"
        },
        {
          "name": "LETSENCRYPT_HOST",
          "value": "admin.example.com"
        }
      ]
    },
    {
      "name": "worker",
      "image": "example/site-worker",
      "hostname": "worker",
      "essential": false,
      "memory": 128
    },
    {
      "name": "sales",
      "image": "example/site-payment",
      "hostname": "sales",
      "essential": false,
      "memory": 128
    },
    {
      "name": "nginx-proxy",
      "image": "jwilder/nginx-proxy",
      "essential": true,
      "memoryReservation": 128,
      "dockerLabels": {
        "com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy": "true"
      },
      "portMappings": [
        {
          "containerPort": 80,
          "hostPort": 80
        },
        {
          "containerPort": 443,
          "hostPort": 443
        }
      ],
      "mountPoints": [
        {
          "sourceVolume": "home-ec2-user-certs",
          "containerPath": "/etc/nginx/certs",
          "readOnly": true
        },
        {
          "sourceVolume": "etc-nginx-vhost-d",
          "containerPath": "/etc/nginx/vhost.d"
        },
        {
          "sourceVolume": "usr-share-nginx-html",
          "containerPath": "/usr/share/nginx/html"
        },
        {
          "sourceVolume": "var-run-docker-sock",
          "containerPath": "/tmp/docker.sock",
          "readOnly": true
        }
      ]
    },
    {
      "name": "letsencrypt-nginx-proxy-companion",
      "image": "jrcs/letsencrypt-nginx-proxy-companion",
      "essential": true,
      "memoryReservation": 128,
      "volumesFrom": [
        {
          "sourceContainer": "nginx-proxy"
        }
      ],
      "mountPoints": [
        {
          "sourceVolume": "home-ec2-user-certs",
          "containerPath": "/etc/nginx/certs"
        },
        {
          "sourceVolume": "var-run-docker-sock",
          "containerPath": "/var/run/docker.sock",
          "readOnly": true
        }
      ]
    },
    {
      "name": "nginx",
      "image": "example/site-nginx",
      "hostname": "nginx",
      "essential": true,
      "portMappings": [
        {
          "hostPort": 80,
          "containerPort": 80
        }
      ],
      "links": ["client", "server", "admin", "sales"],
      "memory": 128
    }
  ]
}
And my nginx file:
# upstreams are the other containers of the task, reached over the Docker network
upstream client {
    server client:3000;
}
upstream admin {
    server admin:8000;
}
upstream sales {
    server sales:8626;
}
upstream api {
    server api:5000;
}

# plain HTTP: redirect everything to HTTPS (was missing the "server" keyword
# and had $request_ur instead of $request_uri)
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com www.example.com;
    # fullchain.pem is the leaf certificate plus intermediates; the private key
    # is privkey.pem, not a second copy of fullchain.pem (also drop the stray
    # trailing dots from the file names)
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    # TLS 1.0 and 1.1 are deprecated; offer only 1.2 and 1.3
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    location / {
        proxy_pass http://client;
    }
    location /sales {
        rewrite /sales/(.*) /$1 break;
        proxy_pass http://sales;
    }
    location /api {
        rewrite /api/(.*) /$1 break;
        proxy_pass http://api;
    }
}

server {
    listen 80;
    server_name admin.example.com;
    location / {
        proxy_pass http://admin;
    }
}
Best answer
You can "Dockerize" the nginx server and run a configuration script at startup. Something like this:
# nginx with certbot baked in; the entrypoint obtains the certificate, then starts nginx
FROM nginx:1.16-alpine
RUN apk add --no-cache certbot
RUN mkdir /var/lib/certbot
COPY scripts/setup.sh /setup.sh
RUN chmod +x /setup.sh
COPY config/nginx.conf /etc/nginx/nginx.conf
# absolute path to the script copied above
ENTRYPOINT [ "/setup.sh" ]
The script:
#!/bin/sh
set -e
# DOMAINS and EMAIL are placeholders, e.g. -d example.com -d www.example.com
# standalone mode binds port 80 itself, so it has to run before nginx starts
certbot certonly -n -d DOMAINS \
    --standalone --preferred-challenges http --email EMAIL --agree-tos --expand
# hand over to nginx in the foreground so the container stays up
exec /usr/sbin/nginx -g "daemon off;"
Then add the SSL certificate and key to your nginx configuration as usual.
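The following is an added example, not the answerer's script: a fuller entrypoint for the nginx-plus-certbot image from the answer, written for this page. It assumes that image, that the domain list arrives in a DOMAINS environment variable in the same "www.example.com, example.com" form the question uses for VIRTUAL_HOST, and that the port-80 server block serves /var/www/certbot at /.well-known/acme-challenge/ before redirecting to HTTPS, so renewals can use certbot's webroot authenticator while nginx holds port 80 (the standalone authenticator used for the first issuance cannot bind port 80 once nginx is running). The variable names, the domain_args/cert_exists/issue_cert/renew_loop functions and the 12-hour renewal interval are choices made for this example. What it adds over the answer's script: a fixed lineage name via --cert-name so the nginx paths stay stable, no ACME round trip on plain container restarts, and a renewal loop that reloads nginx when a new certificate lands.

```sh
#!/bin/sh
# Added example entrypoint (not from the original post).
# Assumed environment:
#   DOMAINS - comma- or space-separated list, e.g. "www.example.com, example.com"
#   EMAIL   - Let's Encrypt account e-mail
#   WEBROOT - directory nginx serves at /.well-known/acme-challenge/ on port 80
set -eu

LE_DIR="${LE_DIR:-/etc/letsencrypt}"
WEBROOT="${WEBROOT:-/var/www/certbot}"

# "a.example.com, example.com" -> "-d a.example.com -d example.com"
domain_args() {
    set -- $(printf '%s' "$1" | tr ',' ' ')
    out=""
    for d in "$@"; do
        out="$out -d $d"
    done
    printf '%s' "${out# }"
}

# First domain of the list becomes the certificate lineage name (--cert-name),
# so the config can point at /etc/letsencrypt/live/<name>/ regardless of order.
cert_name() {
    printf '%s' "$1" | tr ',' ' ' | awk '{print $1}'
}

# A usable lineage has both the chain and the private key on disk.
cert_exists() {   # $1 = letsencrypt dir, $2 = lineage name
    [ -s "$1/live/$2/fullchain.pem" ] && [ -s "$1/live/$2/privkey.pem" ]
}

# Contact the ACME server only when no certificate is present yet; renewal
# is left to renew_loop, so restarts do not burn rate-limit budget.
issue_cert() {
    name=$(cert_name "$DOMAINS")
    if cert_exists "$LE_DIR" "$name"; then
        echo "certificate for $name already present, skipping issuance"
        return 0
    fi
    # standalone binds port 80 itself: nginx is not running yet at this point
    # $(domain_args ...) is deliberately unquoted so it splits into -d pairs
    certbot certonly -n --standalone --preferred-challenges http \
        --cert-name "$name" $(domain_args "$DOMAINS") \
        --email "$EMAIL" --agree-tos --expand
}

# Renew in the background while nginx keeps port 80: override the stored
# standalone authenticator with webroot, and reload nginx on a new cert.
renew_loop() {
    while :; do
        sleep 43200
        certbot renew --quiet --webroot -w "$WEBROOT" \
            --deploy-hook "nginx -s reload" || true
    done
}

main() {
    : "${DOMAINS:?set DOMAINS}" "${EMAIL:?set EMAIL}"
    mkdir -p "$WEBROOT"
    issue_cert
    renew_loop &
    exec nginx -g "daemon off;"
}

# Only start when run as the container entrypoint (RUN_ENTRYPOINT=1);
# sourcing the file for tests defines the functions and does nothing else.
if [ "${RUN_ENTRYPOINT:-0}" = "1" ]; then
    main "$@"
fi
```

Set ENTRYPOINT to this script with RUN_ENTRYPOINT=1 in the image environment, and keep the redirect-only port-80 block from the question in mind: without a location that serves the ACME challenge directory ahead of the `return 301`, the renewals above will fail while the first standalone issuance still succeeds, which is an easy failure to miss until the first certificate expires.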
On amazon-web-services - how to add Let's Encrypt to a multi-container app running on Elastic Beanstalk, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/61052489/