Docker版本Omnibus Gitlab 加Lets Encrypt免费SSL一键搭建
首先使用下列文件gitlab_run.sh生成LetsEncrypt的certificate。
来源:
https://github.com/flasheryu/docker-letsencrypt-nginx-proxy-companion-examples
https://github.com/alastaircoote/docker-letsencrypt-nginx-proxy-companion
前提:
将你的域名解析到当前服务器公网ip地址,
比如本文中的dockeryu.com, 解析生效后继续以下操作。
有一个bug,先用以下命令fix:
mkdir -p /volumes/proxy/templates/vi /volumes/proxy/templates/nginx.tmpl
{{ define "upstream" }}{{ if .Address }}{{/* If we got the containers from swarm and this container's port is published to host, use host IP:PORT */}}{{ if and .Container.Node.ID .Address.HostPort }}# {{ .Container.Node.Name }}/{{ .Container.Name }}server {{ .Container.Node.Address.IP }}:{{ .Address.HostPort }};{{/* If there is no swarm node or the port is not published on host, use container's IP:PORT */}}{{ else }}# {{ .Container.Name }}server {{ .Address.IP }}:{{ .Address.Port }};{{ end }}{{ else }}# {{ .Container.Name }}server {{ .Container.IP }} down;{{ end }} {{ end }}# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the # scheme used to connect to this server map $http_x_forwarded_proto $proxy_x_forwarded_proto {default $http_x_forwarded_proto;'' $scheme; }# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any # Connection header that may have been passed to this server map $http_upgrade $proxy_connection {default upgrade;'' close; }gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;log_format vhost '$host $remote_addr - $remote_user [$time_local] ''"$request" $status $body_bytes_sent ''"$http_referer" "$http_user_agent"';access_log off;{{ if (exists "/etc/nginx/proxy.conf") }} include /etc/nginx/proxy.conf; {{ else }} # HTTP 1.1 support proxy_http_version 1.1; proxy_buffering off; proxy_set_header Host $http_host; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $proxy_connection; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; {{ end }}server {server_name _; # This is just an invalid value which will never trigger on a real hostname.listen 80;access_log /var/log/nginx/access.log vhost;return 503; }{{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }} server {server_name _; # This is just an invalid value which will never trigger on a real hostname.listen 443 ssl http2;access_log /var/log/nginx/access.log vhost;return 503;ssl_certificate /etc/nginx/certs/default.crt;ssl_certificate_key /etc/nginx/certs/default.key; } {{ end }}{{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }}upstream {{ $host }} { {{ range $container := $containers }}{{ $addrLen := len $container.Addresses }}{{/* If only 1 port exposed, use that */}}{{ if eq $addrLen 1 }}{{ $address := index $container.Addresses 0 }}{{ template "upstream" (dict "Container" $container "Address" $address) }}{{/* If more than one port exposed, use the one matching VIRTUAL_PORT env var, falling back to standard web port 80 */}}{{ else }}{{ $port := coalesce $container.Env.VIRTUAL_PORT "80" }}{{ $address := where $container.Addresses "Port" $port | first }}{{ template "upstream" (dict "Container" $container "Address" $address) }}{{ end }} {{ end }} }{{ $default_host := or ($.Env.DEFAULT_HOST) "" }} {{ $default_server := index (dict $host "" $default_host "default_server") $host }}{{/* Get the VIRTUAL_PROTO defined by containers w/ the same vhost, falling back to "http" */}} {{ $proto := or (first (groupByKeys $containers "Env.VIRTUAL_PROTO")) "http" }}{{/* Get the first cert name defined by containers w/ the same vhost */}} {{ $certName := (first (groupByKeys $containers "Env.CERT_NAME")) }}{{/* Get the best matching cert by name for the vhost. */}} {{ $vhostCert := (closest (dir "/etc/nginx/certs") (printf "%s.crt" $host))}}{{/* vhostCert is actually a filename so remove any suffixes since they are added later */}} {{ $vhostCert := replace $vhostCert ".crt" "" -1 }} {{ $vhostCert := replace $vhostCert ".key" "" -1 }}{{/* Use the cert specifid on the container or fallback to the best vhost match */}} {{ $cert := (coalesce $certName $vhostCert) }}{{ if (and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}server {server_name {{ $host }};listen 80 {{ $default_server }};access_log /var/log/nginx/access.log vhost;return 301 https://$host$request_uri; }server {server_name {{ $host }};listen 443 ssl http2 {{ $default_server }};access_log /var/log/nginx/access.log vhost;ssl_protocols TLSv1 TLSv1.1 TLSv1.2;ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;ssl_prefer_server_ciphers on;ssl_session_timeout 5m;ssl_session_cache shared:SSL:50m;ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }};ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }};{{ if (exists (printf "/etc/nginx/certs/%s.dhparam.pem" $cert)) }}ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }};{{ end }}add_header Strict-Transport-Security "max-age=31536000";{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}include {{ printf "/etc/nginx/vhost.d/%s" $host }};{{ else if (exists "/etc/nginx/vhost.d/default") }}include /etc/nginx/vhost.d/default;{{ end }}location / {proxy_pass {{ trim $proto }}://{{ trim $host }};{{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }}auth_basic "Restricted {{ $host }}";auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" $host) }};{{ end }}{{ if (exists (printf "/etc/nginx/vhost.d/%s_location" $host)) }}include {{ printf "/etc/nginx/vhost.d/%s_location" $host}};{{ else if (exists "/etc/nginx/vhost.d/default_location") }}include /etc/nginx/vhost.d/default_location;{{ end }}} } {{ else }}server {server_name {{ $host }};listen 80 {{ $default_server }};access_log /var/log/nginx/access.log vhost;{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}include {{ printf "/etc/nginx/vhost.d/%s" $host }};{{ else if (exists "/etc/nginx/vhost.d/default") }}include /etc/nginx/vhost.d/default;{{ end }}location / {proxy_pass {{ trim $proto }}://{{ trim $host }};{{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }}auth_basic "Restricted {{ $host }}";auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" $host) }};{{ end }}{{ if (exists (printf "/etc/nginx/vhost.d/%s_location" $host)) }}include {{ printf "/etc/nginx/vhost.d/%s_location" $host}};{{ else if (exists "/etc/nginx/vhost.d/default_location") }}include /etc/nginx/vhost.d/default_location;{{ end }}} }{{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }} server {server_name {{ $host }};listen 443 ssl http2 {{ $default_server }};access_log /var/log/nginx/access.log vhost;return 503;ssl_certificate /etc/nginx/certs/default.crt;ssl_certificate_key /etc/nginx/certs/default.key; } {{ end }}{{ end }} {{ end }}
接下来,新建以下shell脚本并运行:
#!/bin/bash # This example will run a basic nginx server provisionned with an index.html file # Make sure to replace "site.example.com" with a public accessible domain poiting to the server you will run this on.# This nginx container will get a configuration generated by the docker-gen instance and act as a reverse-proxy echo "Starting nginx instance..." docker run -d -p 80:80 -p 443:443\--name nginx \-v /etc/nginx/conf.d \-v /etc/nginx/vhost.d \-v /usr/share/nginx/html \-v $(pwd)/../../volumes/proxy/certs:/etc/nginx/certs:ro \nginx# This nginx-gen container using the docker-gen image will generate a 'default.conf' file from the 'nginx.tmpl' located in volumes/proxy/templates. echo "Starting docker-gen instance..." docker run -d \--name nginx-gen \--volumes-from nginx \-v $(pwd)/../../volumes/proxy/templates:/etc/docker-gen/templates:ro \-v /var/run/docker.sock:/tmp/docker.sock:ro \jwilder/docker-gen \-notify-sighup nginx -watch -only-exposed -wait 5s:30s /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.confecho "Starting letsencrypt-nginx-proxy-companion..." docker run -d \-e "NGINX_DOCKER_GEN_CONTAINER=nginx-gen" \--volumes-from nginx \-v $(pwd)/../../volumes/proxy/certs:/etc/nginx/certs:rw \-v /var/run/docker.sock:/var/run/docker.sock:ro \ jrcs/letsencrypt-nginx-proxy-companion
# This original repo stopped maintaining and now have bugs, and error is as follows:# Deserialization error: Wrong directory# jrcs/letsencrypt-nginx-proxy-companion # alastaircoote/docker-letsencrypt-nginx-proxy-companion
# This an example service that will get picked up and served by the reverse proxy. # Make sure you change all the default values in this file and in volumes/examples/simple-site echo "Starting simple-site nginx example..." docker run -d \--name simple-site \-e "VIRTUAL_HOST=dockeryu.com" \-e "LETSENCRYPT_HOST=dockeryu.com" \-e "LETSENCRYPT_EMAIL=yugq@gityu.com" \-v $(pwd)/../../volumes/examples/simple-site/conf.d/:/etc/nginx/conf.d \nginx
注意:需要用你自己网站的域名,替换以上脚本中最后一个命令中的dockeryu.com.
使用自己的邮箱替换yugq@gityu.com的邮箱地址。
然后视网络情况需耐心等待3-5分钟,待/volumes/proxy/certs下生成certs。
此时:
1.若是首次申请证书搭建gitlab,则删除所有docker。
docker stop $(docker ps -a -q)docker rm $(docker ps -a -q)
并使用如下命令一键搭建带有LetsEncrypt免费SSL版本的Omnibus版本Gitlab。
docker run --detach --hostname dockeryu.com --env GITLAB_OMNIBUS_CONFIG="registry_external_url 'https://dockeryu.com:4040';registry_nginx['ssl_certificate']='/etc/letsencrypt/live/dockeryu.com/dockeryu.com.crt';registry_nginx['ssl_certificate_key']='/etc/letsencrypt/live/dockeryu.com/dockeryu.com.key';external_url 'https://dockeryu.com/';nginx['redirect_http_to_https']=true;nginx['ssl_certificate']='/etc/letsencrypt/live/dockeryu.com/dockeryu.com.crt';nginx['ssl_certificate_key']='/etc/letsencrypt/live/dockeryu.com/dockeryu.com.key';" --publish 443:443 --publish 80:80 --publish 222:22 --publish 4040:4040 --name gitlab --restart always --volume /srv/gitlab/config:/etc/gitlab --volume /srv/gitlab/logs:/var/log/gitlab --volume /srv/gitlab/data:/var/opt/gitlab --volume /volumes/proxy/certs:/etc/letsencrypt/live/dockeryu.com --volume /var/run/docker.sock:/var/run/docker.sock --volume $(which docker):/usr/bin/docker
gitlab/gitlab-ce
2.若是证书续期,即此前已经搭建过带certbot(LetsEncrypt)的gitlab,则重启gitlab服务即可:
docker restart gitlab
两分钟后gitlab可启动成功。
注意,此时如果出错,按照提示,使用以下命令解决:
docker exec -it gitlab update-permissions
Gitlab更多配置使用方法参考:
http://docs.gitlab.com/omnibus/docker/
注意,使用LetsEncrypt可能超限(limit rates,20次一周),具体参见:
https://letsencrypt.org/docs/rate-limits/
转载于:https://www.cnblogs.com/flasheryu/p/5776492.html
Docker版本Omnibus Gitlab 加Lets Encrypt免费SSL一键搭建相关推荐
- 利用Certbot工具快速给网站部署Let's Encrypt免费SSL证书
使用https证书的话,强制使用域名 很多商家也都提供免费证书,比如腾讯云提供免费一年GeoTrust DV SSL证书.Let's Encrypt永久免费但需要90天激活一次续约,当然如果要购买证书 ...
- Centos7.0安装 Lets encrypt 的SSL证书
Centos7.0安装 Lets encrypt 的SSL证书 本文链接:https://blog.csdn.net/yangshuai518/article/details/99951202 1.安 ...
- wordpress个人博客申请Let’s Encrypt免费SSL证书
最近,在网上火透半边天的,非 Let's Encrypt 的免费SSL证书莫属了.Let's Encrypt 是一个将于2015年末推出的数字证书认证机构,将通过旨在消除当前手动创建和安装证书的复杂过 ...
- Django服务器安装ssl证书,Django网站(Apache部署)安装Let's Encrypt免费SSL证书
为什么要HTTPS 2018年2月8日,谷歌浏览器发布官方博客称,2018年7月发布的新版谷歌浏览器Chrome将把所有的HTTP网站标记为不安全.这项举措是为了促进网络安全,倡导更多网站使用HTTP ...
- windows server使用 LetsEncrypt-Win-Simple来安装和使用用Let's Encrypt免费SSL证书
一.网站部署 LetsEncrypt-Win-Simple可以自动发现已经部署的网站供我们选择要生成证书的网站,而且还需要进行验证.所以在生成证书之前,确保网站已经部署好并可以正常访问. 二.生成证书 ...
- Let‘s Encrypt免费SSL证书申请
摘要: Let's Encrypt作为一个公共且免费SSL,目前Let's Encrypt免费SSL证书默认是90天有效期,但是我们也可以到期自动续约. 参考搬砖内容: GitHub - acmesh ...
- Acme.sh 自动生成、续期 Let‘s Encrypt 免费SSL证书
Let's Encrypt 提供了90天免费证书,而 acme.sh 实现了 acme 协议, 可以从 Let's Encrypt 生成免费的证书.,通过计划任务可实现自动续期,自动部署,完全 ...
- Let's Encrypt 免费SSL配置
2019独角兽企业重金招聘Python工程师标准>>> 官方网址 https://letsencrypt.org/ UPDATE: [2018/10/26]如果创建证书时出现 Cli ...
- 申请Let‘s Encrypt免费SSL证书、自动化续签证书
一.环境 安装证书的环境为Centos + Nginx,如果没有安装Nginx则需要先安装. 二.申请流程 1.开放80和443端口 firewall-cmd --permanent --add-po ...
- 【建站笔记】apache配置赛门铁克免费ssl证书搭建https
最近一段时间,我会逐步把自己建站过程中的小笔记整理并发出来,供大家参考 上一篇教程配置了https,但是创建的证书只能自己用,在最后我提了一下赛门铁克的免费证书,那怎么用呢?这里就要简单介绍一下了. ...
最新文章
- TCL系列 - incr命令
- 微服务架构下的安全认证与鉴权
- Java千万数据导入mysql_java之5分钟插入千万条数据
- 数据库编程——intro to JDBC
- R 多变量数据预处理_超长文详解:C语言预处理命令
- centos7使用kubeadm部署高可用k8s集群
- Server、Workstation服务无法启动(导致无法访问共享)
- 坚持早睡早起,我收获了...
- git冲突解决和放弃本地操作
- 层次分析法和多属性决策算法
- SAP PI SLD RZ70 系统架构目录数据提供者 HTTP(S) 配置
- ffmpeg命令下载m3u8原画质视频
- 我是谁?——第一次CSDN发文
- ajax无法载入datagrid,easyui datagrid加载超时
- ppt中如何插入页码(如何从第二页插入页码?)
- 设备VMnet0上的网桥因桥接的以太网接口关闭而暂时停止运行(此虚拟机可能无法与主机或网络中的其他计算机通信)
- Thinkpad L440 无线驱动突然无法使用,无法搜索到无线上网
- 计算机系举办迎新晚会简报,大学生迎新晚会简报
- GitHub 学生认证,申请 GitHub 学生包
- 幽灵交易策略_程序化策略里,幽灵交易者策略的虚拟账户应该怎么设置?