Open rainit2006 opened 4 years ago
docker run --privileged -td -p 80:80 -p 443:443 -v /Users/xxxx/Document/Docker:/Docker --name=inken centos /sbin/init
docker exec -it inken /bin/bash
Start a new container:
docker run --privileged -p 8080:80 -td -v /users/xxx/Document/Docker:/usr/share/nginx/html:ro --name=xxx <image-name> /sbin/init
(The :ro suffix mounts the volume read-only.)
Docker-compose
Docker Compose automates the steps needed to build and run a service made up of several containers, which makes the service easier to manage. With Docker Compose you prepare a compose file and run a single command; the settings are read from that file and all of the container services are started. Compose lets the user define, in one template (YAML format), a set of related application containers (called a project), for example a web service container plus a backend database service container.
Service: the container for one application; in practice it may consist of several container instances running the same image. Project: a complete business unit made up of a group of related application containers, defined in the docker-compose.yml file.
Tutorial&Examples: https://docs.docker.com/compose/gettingstarted/
OpenSSL: openssl.cnf location: /etc/ssl/
####################################################################
[ ca ]
default_ca = CA_default # default CA configuration; CA_default points at the section below
####################################################################
[ CA_default ]
dir = /etc/ssl/CA # the CA's default working directory
certs = $dir/certs # where issued certificates are kept
crl_dir = $dir/crl # where certificate revocation lists are kept
database = $dir/index.txt # database index file
new_certs_dir = $dir/newcerts # default path for newly issued certificates
certificate = $dir/cacert.pem # this CA's own certificate; for a root CA it is the self-signed certificate
serial = $dir/serial # serial number of the next certificate
crlnumber = $dir/crlnumber # number of the next CRL
crl = $dir/crl.pem # the current CRL
private_key = $dir/private/cakey.pem # the CA's private key
RANDFILE = $dir/private/.rand # random number file
# x509_extensions = usr_cert # the extensions to add to the cert
email_in_dn = no # <-- fixes CONF_get_string:no value
name_opt = ca_default # subject name display options, as defined by ca_default
cert_opt = ca_default # certificate display options, as defined by ca_default
default_days = 365 # default certificate validity
default_crl_days = 30 # CRL validity
default_md = sha256 # message digest algorithm
preserve = no # keep passed DN ordering
policy = policy_match # the policy_match policy is in effect
# For the CA policy
[ policy_match ]
countryName = match # country; match means the applicant's value must equal the CA's
stateOrProvinceName = match # state or province
organizationName = match # organization or company name
organizationalUnitName = optional # department; optional means the applicant's value need not match the CA's
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ] # not in effect, because policy_match is the active policy
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, your website's domain name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40
[ v3_req ]
# Extensions to add to a certificate request (each extension may appear only once per section)
basicConstraints = CA:FALSE # an end-entity server certificate, not a CA
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = www.company.com
DNS.2 = company.com
DNS.3 = www.company.net
DNS.4 = company.net
[ usr_cert ]
nsCertType = client, email, objsign # <= specifies client usage
======================
Continued in the comment below
======================
Create the directory /etc/ssl/CA with its subdirectories and files (certs, crl, private, newcerts, plus index.txt and serial).
Run the following commands from that directory:
(umask 077; openssl genrsa -out private/cakey.pem 2048)
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 30
(umask 077; openssl genrsa -out app.key 2048)
openssl req -new -key app.key -out app.csr
openssl ca -in app.csr -out certs/app.crt -days 10
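The command sequence above, carried through as one runnable shell script. This is a worked example added here; it is not part of the original notes. It assumes only the openssl command line tool; the CA directory is a temporary directory rather than /etc/ssl/CA, and the subjects (C=JP, ST=Tokyo, O=Example Corp), file names and hostnames are constructed samples. Two things it makes explicit that the bare commands leave to whatever openssl.cnf the system picks up: the CA layout is passed with -config, and copy_extensions = copy is set so the SAN requested in the CSR reaches the issued certificate. By default openssl ca ignores the extensions in a request, and browsers such as Chrome match the hostname against the SAN rather than the Common Name, so a certificate issued without it is rejected even when the CA is trusted. The script also marks the server certificate CA:FALSE and checks the result with openssl verify.

```shell
#!/bin/sh
# Added example (not from the original notes): build the private CA described
# above end to end, then issue a server certificate that carries a SAN.
# Assumes only the openssl CLI; every path, subject and hostname is constructed.
set -eu

# Create the CA working directory, its bookkeeping files and an openssl.cnf
# laid out like the [ CA_default ] section above (CRL settings omitted).
setup_ca_dir() {
    ca=$1
    mkdir -p "$ca/certs" "$ca/newcerts" "$ca/private"
    chmod 700 "$ca/private"
    : > "$ca/index.txt"         # certificate database, starts empty
    echo 1000 > "$ca/serial"    # serial number of the next certificate
    # The shell expands $ca here; \$dir is left for openssl to resolve.
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $ca
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = server_cert
# Default is none: without this the SAN in the CSR is silently dropped.
copy_extensions = copy
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
commonName = Common Name
# Self-signed root: a CA whose key may only sign certificates and CRLs.
[ v3_ca ]
basicConstraints     = critical, CA:true
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
# The request only asks for names; the CA decides everything else.
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = www.company.com
DNS.2 = company.com
# Applied by the CA at signing time and taking precedence over the CSR.
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# CA key + self-signed root, then server key, CSR and CA-signed certificate.
# Both subjects share C/ST/O, which policy_match requires.
build_demo_ca() {
    ca=$1; cfg=$ca/openssl.cnf
    setup_ca_dir "$ca"
    (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$cfg" -extensions v3_ca -days 3650 \
        -key "$ca/private/cakey.pem" -out "$ca/cacert.pem" \
        -subj "/C=JP/ST=Tokyo/O=Example Corp/CN=Example Root CA"
    (umask 077; openssl genrsa -out "$ca/certs/app.key" 2048 2>/dev/null)
    openssl req -new -config "$cfg" -reqexts v3_req \
        -key "$ca/certs/app.key" -out "$ca/certs/app.csr" \
        -subj "/C=JP/ST=Tokyo/O=Example Corp/CN=www.company.com"
    openssl ca -batch -notext -config "$cfg" -days 90 \
        -in "$ca/certs/app.csr" -out "$ca/certs/app.crt" 2>/dev/null
}

# Exit status 0 when app.crt chains to cacert.pem (what the browser checks).
verify_chain() {
    openssl verify -CAfile "$1/cacert.pem" "$1/certs/app.crt" >/dev/null
}

# Exit status 0 when the DNS name appears in the certificate's SAN extension.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
build_demo_ca "$work"
verify_chain "$work" && echo "chain: OK"
cert_has_san "$work/certs/app.crt" www.company.com && echo "SAN: present"
```

Run it with sh; it prints "chain: OK" and "SAN: present" and removes its scratch directory on exit. To reproduce the layout in the notes, pass /etc/ssl/CA instead of a temporary directory and replace the -subj values and alt_names with your own. Keeping the key usage and CA:FALSE in the CA-side server_cert section, rather than trusting whatever the CSR asks for, is what stops a request from turning itself into a CA or a client certificate.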
Nginx server: copy app.crt and app.key into the appropriate directory on the nginx server (for example /etc/nginx/key), then create your own file under /etc/nginx/conf.d, dw_conf.conf, with this content:
# HTTPS server
server {
    listen 443 ssl;
    server_name localhost;
    #charset koi8-r;
    #access_log /var/log/nginx/host.access.log main;
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
    #error_page 404 /404.html;
    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
    ssl_certificate /etc/nginx/key/app.crt; # path to the crt
    ssl_certificate_key /etc/nginx/key/app.key; # path to the key
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
After configuring, run nginx -s reload.
On the Mac host install the app.key certificate: in the Keychain application import cekey.pem, double-click the certificate and choose "Always Trust". Opening https://localhost in Safari then works; Chrome still shows an error, but the page opens after choosing to proceed anyway.
Let's Encrypt:
https://community.letsencrypt.org/t/ssl-on-a-ip-instead-of-domain/90635 Unfortunately Let's Encrypt doesn't issue certificates for bare IP addresses, only domain names. You'll need to register a domain name in order to get a Let's Encrypt certificate.