docker启动nginx
- docker启动nginx
-
- 1. 抓取镜像并生成目录
- 2. 生成自签名证书(生产环境需要到CA申请)
-
- 2.1 首先将openssl拷贝到nginx/ssl目录
- 2.2 编辑 openssl.cnf
- 2.3 生成证书
- 3. 生成Nginx basic认证密码
-
- 3.1 安装httpd工具
- 3.2 生成密码文件
- 3.3 配置密码文件
- 4. 配置Nginx
-
- 4.1 生成nginx.conf文件
- 4.2 生成default.conf(包含各个server块,每个server块监听指定的server_name和port)
- 4.3 生成80_server(将HTTP请求转发为对应的HTTPS请求)
- 4.4 生成admin_9443_server文件(用于管理员访问etcd, es, kibana, grafana等)
- 4.5 生成meta_locations(一般无需改变)
- 4.6 生成extra_locations(一般无需改变)
- 4.7 生成meta_server
- 4.8 生成proxy选项
- 5. 启动Docker
- 6. 打通防火墙
- 7. 外部访问验证
docker启动nginx
nginx一般用做web服务器,一般为了公网访问需要申请https证书,并进行配置,本次自己制作证书。
使用容器后,需要考虑网络以及配置和日志的持久化,本次复用宿主机网络,生产环境一般来说做端口映射。
集群一般在前置添加负载均衡即可。
1. 抓取镜像并生成目录
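# Pull the pinned nginx image and create the host-side directory tree that the
# later steps write into: config + vhost snippets, logs, certificates, and the
# static html root that step 5 bind-mounts (creating it here keeps it from being
# auto-created root-owned by docker).
# NOTE(review): "nginx:1.21.6" is a mutable tag; for a reproducible deployment
# pin by digest (nginx:1.21.6@sha256:<digest-from-registry>) and verify it.
docker pull nginx:1.21.6 &&
mkdir -p /home/nginx/conf/conf.d /home/nginx/logs /home/nginx/ssl /home/nginx/html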
2. 生成自签名证书(生产环境需要到CA申请)
2.1 首先将openssl拷贝到nginx/ssl目录
cp /etc/pki/tls/openssl.cnf /home/nginx/ssl
2.2 编辑 openssl.cnf
vi /home/nginx/ssl/openssl.cnf
在 [ req ] 段中取消 req_extensions = v3_req 一行的注释
2.3 生成证书
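# Generate a self-signed certificate plus an unencrypted (-nodes) RSA-2048 key.
# The DN fields are still asked interactively (see the note that follows).
# Validity keeps the original 36500-day default; override with CERT_DAYS=<n>.
# The key is written in plaintext, so it is made root-only right away; the
# container's nginx master runs as root and can still read it.
cd /home/nginx/ssl &&
openssl req -x509 -nodes -days "${CERT_DAYS:-36500}" -newkey rsa:2048 \
  -config openssl.cnf -extensions v3_req \
  -keyout /home/nginx/ssl/nginx.key -out /home/nginx/ssl/nginx.crt &&
chmod 600 /home/nginx/ssl/nginx.key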
上面的证书生成命令会交互式提示输入证书主题信息,请依次输入:XX XX XX XX XX (回车) (回车)
# The "space" vhost in step 4.7 references the pair under a second name;
# it is the same self-signed certificate and key copied verbatim.
ssl_dir=/home/nginx/ssl
cp -- "$ssl_dir/nginx.crt" "$ssl_dir/space.crt" &&
cp -- "$ssl_dir/nginx.key" "$ssl_dir/space.key"
3. 生成Nginx basic认证密码
3.1 安装httpd工具
yum install httpd-tools -y
3.2 生成密码文件
htpasswd -c -d /home/nginx/conf/conf.d/admin_pwd admin
然后输入16位随机密码
注意:如果要从密码文件中删除admin用户:htpasswd -D -d /home/nginx/conf/conf.d/admin_pwd admin
3.3 配置密码文件
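# Snippet included by the admin vhost (4.4): enables HTTP basic auth against
# the htpasswd file from 3.2 (host conf.d is mounted at /etc/nginx/conf.d).
# The heredoc operator was missing; without "<<" tee would read the terminal
# and also create a file literally named EOF.
tee /home/nginx/conf/conf.d/admin_pwd.config <<'EOF'
auth_basic "login";
auth_basic_user_file /etc/nginx/conf.d/admin_pwd;
EOF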
4. 配置Nginx
4.1 生成nginx.conf文件
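# Write the top-level nginx.conf. The heredoc operator was missing ("tee FILE
# 'EOF'" reads the terminal instead); the quoted 'EOF' keeps the $variables
# below literal so nginx, not the shell, expands them.
tee /home/nginx/conf/nginx.conf <<'EOF'
user nginx;
worker_processes auto;
worker_cpu_affinity auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
  worker_connections 1024;
}
http {
  include /etc/nginx/mime.types;
  default_type application/octet-stream;
  log_format main '$remote_addr - $remote_user [$time_local] "$request" '
  '$status $body_bytes_sent "$http_referer" '
  '"$http_user_agent" "$http_x_forwarded_for"';
  access_log /var/log/nginx/access.log main;
  client_max_body_size 200m;
  sendfile on;
  #tcp_nopush on;
  keepalive_timeout 65;
  proxy_connect_timeout 1s;
  #gzip on;
  root /usr/share/nginx/html;
  proxy_http_version 1.1;
  proxy_set_header Host $http_host;
  proxy_set_header Upgrade $http_upgrade;
  # NOTE(review): "Connection: upgrade" is sent on every proxied request, not
  # only WebSocket ones; the usual form is a "map $http_upgrade
  # $connection_upgrade" plus "proxy_set_header Connection $connection_upgrade".
  proxy_set_header Connection "upgrade";
  proxy_set_header X-Forwarded-For $remote_addr; #如果不是第一层Nginx代理(例如学校防火墙就是Nginx代理),则要配置为$proxy_add_x_forwarded_for;
  # NOTE(review): proxy_set_header is only inherited by levels that define none
  # of their own; locations that set a header or include include.d/proxy lose
  # the four headers above.
  include /etc/nginx/conf.d/*.conf;
  server_tokens off;
}
EOF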
4.2 生成default.conf(包含各个server块,每个server块监听指定的server_name和port)
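# default.conf is picked up by the http-level "include conf.d/*.conf" and in
# turn pulls in every *_server vhost file written in 4.3, 4.4 and 4.7.
# (The heredoc "<<" was missing from the original command.)
tee /home/nginx/conf/conf.d/default.conf <<'EOF'
include /etc/nginx/conf.d/*_server;
EOF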
4.3 生成80_server(将HTTP请求转发为对应的HTTPS请求)
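# Plain-HTTP listener whose only job is to bounce clients to HTTPS.
# (The heredoc "<<" was missing from the original command.)
tee /home/nginx/conf/conf.d/80_server <<'EOF'
server {
  listen 80;
  server_name 0.0.0.0;
  # $host is taken from the client's Host header, so the redirect target is
  # whatever name the client asked for; a literal hostname pins it. The
  # commented "return 301" form is the one nginx's own docs recommend over a
  # catch-all rewrite.
  #return 301 https://$host$request_uri;
  rewrite ^(.*)$ https://$host$1 permanent;
}
EOF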
4.4 生成admin_9443_server文件(用于管理员访问etcd, es, kibana, grafana等)
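# Admin vhost on 9443: a single basic-auth gate in front of etcd, es, kibana,
# grafana and friends. (The heredoc "<<" was missing from the original.)
tee /home/nginx/conf/conf.d/admin_9443_server <<'EOF'
server {
  # NOTE(review): server_name only selects this block; the socket binds every
  # interface. Use "listen 192.168.100.149:9443 ssl http2;" to pin it.
  listen 9443 ssl http2;
  server_name 192.168.100.149;
  ssl_certificate /etc/nginx/ssl/nginx.crt; #使用自签名证书
  ssl_certificate_key /etc/nginx/ssl/nginx.key;
  # NOTE(review): TLS 1.1 is deprecated (RFC 8996); prefer "TLSv1.2 TLSv1.3"
  # unless a known legacy client still needs it.
  ssl_protocols TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
  # No fastcgi_pass in this server, so these two params are inert.
  fastcgi_param HTTPS on;
  fastcgi_param HTTP_SCHEME https;
  server_tokens off;
  #charset koi8-r;
  access_log /var/log/nginx/access-admin.log;
  error_log /var/log/nginx/error-admin.log;
  #添加basic认证
  include /etc/nginx/conf.d/admin_pwd.config;
  location /es {
    rewrite /es(.*) $1 break;
    proxy_pass http://libsys-cluster-3:9200;
  }
  location /es_log {
    rewrite /es_log(.*) $1 break;
    proxy_pass http://libsys-prom:9201;
  }
  location /kibana {
    proxy_pass http://libsys-cluster-3:5601;
  }
  location /kibana_log {
    proxy_pass http://libsys-prom:5602;
  }
  location /rc {
    proxy_pass http://libsys-cluster-3:9877;
  }
  location /prom {
    proxy_pass http://libsys-prom:9090;
  }
  location /grafana/ {
    proxy_pass http://libsys-prom:3000/;
    # Everyone who passes the nginx basic auth above reaches Grafana as
    # "admin": the htpasswd file is the only credential in front of it.
    # Setting proxy_set_header here also drops the http-level Host/Upgrade/
    # Connection/X-Forwarded-For headers for this location.
    proxy_set_header X-WEBAUTH-USER admin;
    proxy_set_header Authorization "";
  }
  location /tools-etcd {
    proxy_pass http://127.0.0.1:8089;
  }
  location /nc {
    proxy_pass http://127.0.0.1:8150;
  }
  location /bigdata-local {
    proxy_pass http://libsys-mongo:8889;
  }
  location /libsys-ldbs {
    proxy_pass http://127.0.0.1:8052;
  }
  # NOTE(review): the "." before the extension list is unescaped and matches
  # any character ("\." is presumably intended); "eof" looks like "eot".
  location ~ ^/tools-etcd/.*.(html|htm|gif|jpg|jpeg|bmp|png|ico|txt|js|css|json|woff|ttf|eof|woff2)$ {
    gzip on;
    gzip_min_length 100k;
    gzip_types text/plain application/javascript application/x-javascript text/css application/xml application/json text/javascript;
  }
}
EOF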
4.5 生成meta_locations(一般无需改变)
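# Location map shared by the application vhosts in 4.7 (included at server
# level, which is why the "set"/"if" lines at the end are legal here).
# (The heredoc "<<" was missing from the original command.)
tee /home/nginx/conf/conf.d/meta_locations <<'EOF'
location /meta-local/devops {
  proxy_pass http://meta-devops;
}
location /meta-local/common {
  proxy_pass http://meta-admin;
}
location /meta-local/sys {
  proxy_pass http://meta-admin;
}
location /meta-local/user {
  proxy_pass http://meta-admin;
}
location /meta-local/job {
  proxy_pass http://meta-admin;
}
location /meta-local/admin {
  proxy_pass http://meta-admin;
}
location /meta-local/pdf {
  proxy_pass http://meta-admin;
}
location /meta-local/acq {
  proxy_pass http://meta-acq;
}
location /meta-local/serial {
  proxy_pass http://meta-acq;
}
location /meta-local/ckb {
  proxy_pass http://meta-acq;
}
location /meta-local/file {
  proxy_pass http://meta-acq;
}
location /meta-local/res {
  proxy_pass http://meta-res;
}
location /meta-local/dc {
  proxy_pass http://meta-dc;
}
location /meta-local/cs {
  proxy_pass http://meta-cs;
}
location /meta-local/erm {
  proxy_pass http://meta-erm;
}
location /meta-local/social {
  proxy_pass http://meta-social;
}
location = /meta-local/stat {
  proxy_pass http://meta-stat;
}
location /meta-local/stat/ {
  proxy_pass http://meta-stat;
}
location /meta-local/indexer {
  proxy_pass http://meta-indexer;
}
location /meta-local/sync {
  proxy_pass http://meta-sync;
}
location /meta-local/opac {
  proxy_read_timeout 60;
  proxy_pass http://meta-opac;
}
location /meta-local/wechat {
  proxy_read_timeout 60;
  proxy_pass http://meta-wechat;
}
location /meta-local/api {
  proxy_pass http://meta-api;
}
location /meta-local/gateway {
  proxy_pass http://gateway;
}
location /meta-local/app/server {
  proxy_pass http://meta-appserver;
}
# Front-end bundles: HTML is never cached; hashed static assets are cached
# for a year. The include.d/proxy snippet sets its own proxy_set_header, so
# the http-level Host/Upgrade/Connection/X-Forwarded-For are not inherited
# into these locations.
location /meta/ {
  proxy_pass http://meta-web/;
  include /etc/nginx/conf.d/include.d/proxy;
  add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate";
  expires 0;
}
location ~ ^/meta/assets/(.*) {
  proxy_pass http://meta-web;
  include /etc/nginx/conf.d/include.d/proxy;
  add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate";
  expires 0;
  rewrite ^/meta(.*) /$1 break;
}
# NOTE(review): the "." before the extension list is unescaped ("\." intended?).
location ~ ^/meta/(.*).(js|css|woff|woff2|ttf|svg|eot|otf)$ {
  proxy_pass http://meta-web;
  include /etc/nginx/conf.d/include.d/proxy;
  #add_header x_debug $upstream_addr;
  #add_header x_debug $request;
  access_log off;
  expires 1y;
  add_header Cache-Control 'max-age=31536000'; # one year
  rewrite ^/meta(.*) /$1 break;
}
location /space/ {
  proxy_pass http://meta-space/;
  include /etc/nginx/conf.d/include.d/proxy;
  add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate";
  expires 0;
}
location ~ ^/space/(css|fonts|img|js) {
  proxy_pass http://meta-space;
  include /etc/nginx/conf.d/include.d/proxy;
  #add_header x_debug $upstream_addr;
  #add_header x_debug $request;
  access_log off;
  expires 1y;
  add_header Cache-Control 'max-age=31536000'; # one year
  rewrite ^/space(.*) /$1 break;
}
location /mspace/ {
  proxy_pass http://meta-mspace/;
  include /etc/nginx/conf.d/include.d/proxy;
  add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate";
  expires 0;
}
location ~ ^/mspace/(css|fonts|img|js) {
  proxy_pass http://meta-mspace;
  include /etc/nginx/conf.d/include.d/proxy;
  #add_header x_debug $upstream_addr;
  #add_header x_debug $request;
  access_log off;
  expires 1y;
  add_header Cache-Control 'max-age=31536000'; # one year
  rewrite ^/mspace(.*) /$1 break;
}
#----- redirect to mobile check (starts) -----#
# User-Agent sniffing: mobile clients asking for /space/ are bounced to
# /mspace/ and desktop clients the other way round.
set $mobile_rewrite do_not_perform;
# this regex string is actually much longer to match more mobile devices
if ($http_user_agent ~* "android|ip(ad|hone|od)|kindle") {
  set $mobile_rewrite perform;
}
if ($mobile_rewrite = perform) {
  rewrite ^/space/(.*) /mspace/$1 redirect;
  break;
}
if ($mobile_rewrite = do_not_perform) {
  rewrite ^/mspace/(.*) /space/$1 redirect;
  break;
}
#----- redirect to mobile check (ends) -----#
EOF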
4.6 生成extra_locations(一般无需改变)
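# Extra locations included by the 443 vhosts in 4.7: strips the /oss prefix and
# forwards to the "oss" upstream with the Host header overridden to that
# upstream's own name. (The heredoc "<<" was missing from the original.)
tee /home/nginx/conf/conf.d/extra_locations <<'EOF'
location /oss {
  rewrite /oss(.*) $1 break;
  # Defining proxy_set_header here means the http-level Host/Upgrade/
  # Connection/X-Forwarded-For headers are not inherited into this location.
  proxy_set_header Host libsys-mongo:9000;
  proxy_pass http://oss;
}
EOF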
4.7 生成meta_server
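# Upstream definitions plus the three application vhosts: 443 (default
# server), 8079 (plain HTTP) and a second 443 block for "space". Pulled in via
# default.conf. (The heredoc "<<" was missing from the original command.)
tee /home/nginx/conf/conf.d/meta_server <<'EOF'
upstream oss {
  server libsys-mongo:9000;
}
upstream meta-acq {
  server 127.0.0.1:8021;
}
upstream meta-admin {
  server 127.0.0.1:8020;
}
upstream meta-cs {
  server 127.0.0.1:8024;
}
upstream meta-dc {
  server 127.0.0.1:8023;
}
upstream meta-devops {
  server 127.0.0.1:8028;
}
upstream meta-erm {
  server 127.0.0.1:8025;
}
upstream gateway {
  server 127.0.0.1:20000;
}
upstream meta-indexer {
  server 127.0.0.1:8019;
}
upstream meta-opac {
  server 127.0.0.1:8030;
}
upstream meta-res {
  server 127.0.0.1:8022;
}
upstream meta-social {
  server 127.0.0.1:8027;
}
upstream meta-stat {
  server 127.0.0.1:8029;
}
upstream meta-sync {
  server 127.0.0.1:8013;
}
upstream meta-web {
  server 127.0.0.1:10010;
}
upstream meta-space {
  server 127.0.0.1:10011;
}
upstream meta-mspace {
  server 127.0.0.1:10012;
}
# NOTE(review): meta-wechat and meta-sync both point at 127.0.0.1:8013 — looks
# like a copy-paste slip; confirm the wechat port.
upstream meta-wechat {
  server 127.0.0.1:8013;
}
upstream meta-api {
  server 127.0.0.1:8012;
}
upstream meta-appserver {
  server 127.0.0.1:8011;
}
server {
  listen 443 ssl http2 default_server;
  server_name 0.0.0.0;
  ssl_certificate /etc/nginx/ssl/nginx.crt;
  ssl_certificate_key /etc/nginx/ssl/nginx.key;
  # NOTE(review): TLS 1.1 is deprecated (RFC 8996); prefer "TLSv1.2 TLSv1.3"
  # (same remark applies to the two server blocks below).
  ssl_protocols TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
  # No fastcgi_pass in this file, so these two params are inert.
  fastcgi_param HTTPS on;
  fastcgi_param HTTP_SCHEME https;
  server_tokens off;
  #charset koi8-r;
  access_log /var/log/nginx/access-meta.log;
  error_log /var/log/nginx/error-meta.log;
  proxy_read_timeout 1800; #确定使用这么大的超时?对读者服务的可以使用较小的超时,例如opac,wechat
  gzip on;
  gzip_disable "msie6";
  gzip_vary on;
  gzip_proxied any;
  gzip_comp_level 6;
  gzip_buffers 16 8k;
  gzip_http_version 1.1;
  gzip_types application/javascript
    application/rss+xml
    application/vnd.ms-fontobject
    application/x-font
    application/x-font-opentype
    application/x-font-otf
    application/x-font-truetype
    application/x-font-ttf
    application/x-javascript
    application/xhtml+xml
    application/xml
    font/opentype
    font/otf
    font/ttf
    image/svg+xml
    image/x-icon
    text/css
    text/javascript
    text/plain
    text/xml;
  include /etc/nginx/conf.d/extra_locations;
  # Hide internal status/metrics endpoints. The regex has no "^" anchor, so it
  # matches any path that ends in one of these names — presumably intended.
  location ~ /(status|metrics|extra_metrics)(/?)$ {
    return 404;
  }
  include /etc/nginx/conf.d/meta_locations;
  #error_page 500 502 503 504 /50x.html;
  #location = /50x.html {
  # root /usr/share/nginx/html;
  #}
  # deny access to .htaccess files, if Apache's document root
  # concurs with nginx's one
  #
  #location ~ /.ht {
  # deny all;
  #}
}
server {
  # Plain HTTP: no "ssl" on the listen, so the ssl_* and HTTPS fastcgi_param
  # lines below are inert. NOTE(review): server_name does not restrict who can
  # connect; if this is meant to be local-only, use "listen 127.0.0.1:8079;".
  listen 8079;
  server_name 127.0.0.1;
  ssl_protocols TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
  fastcgi_param HTTPS on;
  fastcgi_param HTTP_SCHEME https;
  server_tokens off;
  #charset koi8-r;
  access_log /var/log/nginx/access-meta.log;
  error_log /var/log/nginx/error-meta.log;
  proxy_read_timeout 1800; #确定使用这么大的超时?对读者服务的可以使用较小的超时,例如opac,wechat
  gzip on;
  gzip_disable "msie6";
  gzip_vary on;
  gzip_proxied any;
  gzip_comp_level 6;
  gzip_buffers 16 8k;
  gzip_http_version 1.1;
  gzip_types application/javascript
    application/rss+xml
    application/vnd.ms-fontobject
    application/x-font
    application/x-font-opentype
    application/x-font-otf
    application/x-font-truetype
    application/x-font-ttf
    application/x-javascript
    application/xhtml+xml
    application/xml
    font/opentype
    font/otf
    font/ttf
    image/svg+xml
    image/x-icon
    text/css
    text/javascript
    text/plain
    text/xml;
  location ~ /(status|metrics|extra_metrics)(/?)$ {
    return 404;
  }
  include /etc/nginx/conf.d/meta_locations;
  #error_page 500 502 503 504 /50x.html;
  #location = /50x.html {
  # root /usr/share/nginx/html;
  #}
  # deny access to .htaccess files, if Apache's document root
  # concurs with nginx's one
  #
  #location ~ /.ht {
  # deny all;
  #}
}
server {
  # NOTE(review): the first 443 server above is default_server and "_" never
  # matches a real Host/SNI name, so this block is unreachable as written;
  # give it a concrete server_name to make it selectable.
  listen 443 ssl http2;
  server_name _;
  ssl_certificate /etc/nginx/ssl/space.crt;
  ssl_certificate_key /etc/nginx/ssl/space.key;
  ssl_protocols TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
  fastcgi_param HTTPS on;
  fastcgi_param HTTP_SCHEME https;
  server_tokens off;
  #charset koi8-r;
  access_log /var/log/nginx/access-space.log;
  error_log /var/log/nginx/error-space.log;
  gzip on;
  gzip_disable "msie6";
  gzip_vary on;
  gzip_proxied any;
  gzip_comp_level 6;
  gzip_buffers 16 8k;
  gzip_http_version 1.1;
  gzip_types application/javascript
    application/rss+xml
    application/vnd.ms-fontobject
    application/x-font
    application/x-font-opentype
    application/x-font-otf
    application/x-font-truetype
    application/x-font-ttf
    application/x-javascript
    application/xhtml+xml
    application/xml
    font/opentype
    font/otf
    font/ttf
    image/svg+xml
    image/x-icon
    text/css
    text/javascript
    text/plain
    text/xml;
  include /etc/nginx/conf.d/extra_locations;
  location ~ /(status|metrics|extra_metrics)(/?)$ {
    return 404;
  }
  location /meta-local/wechat {
    proxy_pass http://meta-wechat;
  }
  location /meta-local/opac {
    proxy_pass http://meta-opac;
  }
  location /space/ {
    proxy_pass http://meta-space/;
    include /etc/nginx/conf.d/include.d/proxy;
    add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate";
    expires 0;
  }
  location ~ ^/space/(css|fonts|img|js) {
    proxy_pass http://meta-space;
    include /etc/nginx/conf.d/include.d/proxy;
    #add_header x_debug $upstream_addr;
    #add_header x_debug $request;
    access_log off;
    expires 1y;
    add_header Cache-Control 'max-age=31536000'; # one year
    rewrite ^/space(.*) /$1 break;
  }
  location /mspace/ {
    proxy_pass http://meta-mspace/;
    include /etc/nginx/conf.d/include.d/proxy;
    add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate";
    expires 0;
  }
  location ~ ^/mspace/(css|fonts|img|js) {
    proxy_pass http://meta-mspace;
    include /etc/nginx/conf.d/include.d/proxy;
    #add_header x_debug $upstream_addr;
    #add_header x_debug $request;
    access_log off;
    expires 1y;
    add_header Cache-Control 'max-age=31536000'; # one year
    rewrite ^/mspace(.*) /$1 break;
  }
  #----- redirect to mobile check (starts) -----#
  set $mobile_rewrite do_not_perform;
  # this regex string is actually much longer to match more mobile devices
  if ($http_user_agent ~* "android|ip(ad|hone|od)|kindle") {
    set $mobile_rewrite perform;
  }
  if ($mobile_rewrite = perform) {
    rewrite ^/space/(.*) /mspace/$1 redirect;
    break;
  }
  if ($mobile_rewrite = do_not_perform) {
    rewrite ^/mspace/(.*) /space/$1 redirect;
    break;
  }
  #----- redirect to mobile check (ends) -----#
}
EOF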
4.8 生成proxy选项
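# Shared proxy snippet pulled in by the /meta/, /space/ and /mspace/ locations.
# NOTE(review): because it contains proxy_set_header, a location that includes
# it stops inheriting the http-level proxy_set_header lines (Host, Upgrade,
# Connection, X-Forwarded-For); repeat the ones those upstreams need here.
# (The heredoc "<<" was missing from the original command.)
mkdir -p /home/nginx/conf/conf.d/include.d &&
tee /home/nginx/conf/conf.d/include.d/proxy <<'EOF'
proxy_cache off;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $server_name;
EOF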
5. 启动Docker
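# Start nginx in the host network namespace (--net=host): no port mapping,
# every "listen" in the config binds directly on the host, so the firewall in
# step 6 is the only thing limiting exposure. Line continuations were missing,
# which would have run each "-v" line as a separate command. nginx.conf is now
# mounted read-only like conf.d and ssl; only logs and html stay writable.
docker run -d --net=host --name nginx --restart=always \
  -v /etc/localtime:/etc/localtime:ro \
  -v /home/nginx/conf/nginx.conf:/etc/nginx/nginx.conf:ro \
  -v /home/nginx/conf/conf.d/:/etc/nginx/conf.d:ro \
  -v /home/nginx/logs:/var/log/nginx \
  -v /home/nginx/ssl:/etc/nginx/ssl:ro \
  -v /home/nginx/html:/usr/share/nginx/html \
  nginx:1.21.6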
6. 打通防火墙
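# Open the public ports (80/443) and the admin port (9443) in firewalld and
# apply the permanent rules. "--permanen" was a typo that firewall-cmd rejects.
# NOTE(review): 9443 fronts etcd/es/kibana/grafana behind one htpasswd file;
# rather than opening it to everyone, limit it to the admin network, e.g.
#   firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<admin-cidr>" port port="9443" protocol="tcp" accept'
firewall-cmd --permanent --add-port 80/tcp &&
firewall-cmd --permanent --add-port 443/tcp &&
firewall-cmd --permanent --add-port 9443/tcp &&
firewall-cmd --reload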