Running nginx in a container to provide HTTPS and reverse-proxy a backend tomcat
1. Create the deployment directory: mkdir -p /data/nginx
2. Create the base nginx configuration file nginx.conf:
worker_processes 2;
events {
    use epoll;
    multi_accept on;
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    keepalive_timeout 60;
    tcp_nopush on;
    tcp_nodelay on;
    gzip on;
    gzip_min_length 1k;
    gzip_comp_level 2;
    gzip_types text/plain text/css text/javascript image/jpeg image/png;
    gzip_vary off;
    gzip_disable "MSIE [1-6]\.";
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    error_log /var/log/nginx/error.log;
    # per-virtual-host files, mounted from the deployment directory's host/ subdirectory
    include /sft/host/*.conf;
}
3. Under the deployment directory create the virtual-host directory host and add the virtual host configuration file (a *.conf file, so that the include in nginx.conf picks it up):
server {
    listen 18888;
    server_name localhost;
    access_log /var/log/nginx/http_youdomain_access.log;
    # plain HTTP: redirect every request to the HTTPS vhost below
    rewrite ^(.*)$ https://youdomain.com:1888$1 permanent;
}
server {
    listen 1888 ssl;
    server_name youdomain.com;
    charset utf-8;
    access_log /var/log/nginx/youdomain_access.log;
    keepalive_timeout 70;
    # certificate
    ssl_certificate /sft/certs/youdomain.com.crt;
    # private key
    ssl_certificate_key /sft/certs/youdomain.com.key;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /sft/certs/dhparam.pem;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless legacy clients still require them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # the trailing !RC4 removes the EECDH+aRSA+RC4 suite listed earlier, so RC4 is never offered
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-Xss-Protection 1;
    # static assets are fetched from tomcat as well, but clients may cache them for 1h
    location ~ \.(gif|jpg|png|css|js|flv|ico|swf) {
        proxy_pass http://127.0.0.1:8888;
        expires 1h;
    }
    # rewrite http:// Location headers from tomcat to the client-facing scheme
    proxy_redirect http:// $scheme://;
    port_in_redirect on;
    location / {
        proxy_intercept_errors on;
        proxy_pass http://127.0.0.1:8888;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Nginx-Proxy true;
    }
    error_page 404 /404.html;
    location = /404.html {
        root /sft/static/html;
    }
}
4. Under the deployment directory create the certificate directory certs and upload the certificate files obtained from the third-party CA into this directory.
5. Generate the Diffie-Hellman parameter file referenced by ssl_dhparam in the certs directory: openssl dhparam -out dhparam.pem 2048
6. In the deployment directory create the html directory holding the pages for common errors, such as 404.html and 500.html.
7. Create the container start and stop scripts:
start.sh
#!/bin/sh
CONTAINER_NAME=nginx
# Do nothing if a container with this name already exists (running or stopped);
# "docker run" would otherwise fail with a name conflict.
# Note: "&>/dev/null" is bash-only; under #!/bin/sh use ">/dev/null 2>&1".
if docker inspect "$CONTAINER_NAME" >/dev/null 2>&1
then
    echo "$CONTAINER_NAME already exists!"
    exit 0
fi
BASE_DIR=$(readlink -f "$(dirname "$0")")
DATA_DIR="/data/docker/$CONTAINER_NAME"
sudo mkdir -p "$DATA_DIR"/logs
# Host networking so the vhost can reach tomcat on 127.0.0.1:8888.
# Config, vhosts, certs and static pages are only read by nginx, so mount them read-only.
docker run \
    --detach \
    --network host \
    --name "$CONTAINER_NAME" \
    -v /etc/localtime:/etc/localtime:ro \
    -v "$BASE_DIR/nginx.conf":/etc/nginx/nginx.conf:ro \
    -v "$BASE_DIR/host":/sft/host:ro \
    -v "$BASE_DIR/certs":/sft/certs:ro \
    -v "$BASE_DIR/html":/sft/static/html:ro \
    -v "$DATA_DIR/logs":/var/log/nginx \
    nginx:1.12-alpine
stop.sh
#!/bin/sh
CONTAINER_NAME=nginx
# Graceful stop first; fall back to kill if that fails.
if ! docker stop "$CONTAINER_NAME" >/dev/null 2>&1
then
    docker kill "$CONTAINER_NAME" >/dev/null 2>&1
fi
# Report success if the container is already gone or can be removed now.
if ! docker inspect "$CONTAINER_NAME" >/dev/null 2>&1 || docker rm "$CONTAINER_NAME" >/dev/null 2>&1
then
    echo "$CONTAINER_NAME stopped"
else
    echo "failed to stop $CONTAINER_NAME"
fi
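A pre-deployment lint for the files created in the steps above, as an added example that is not part of the original page: it flags the deprecated TLS versions that an ssl_protocols line like the one in step 3 enables, and the bash-only `&>` redirection, which under `#!/bin/sh` backgrounds the command instead of silencing it. The functions ssl_protocols_ok and no_bashisms and the sample files are constructed here.

```shell
#!/bin/sh
# Added example: offline checks for the nginx vhost config and the sh scripts.
# Each function returns 0 on pass and 1 on fail.

# Fails if ssl_protocols is missing or enables SSLv2/SSLv3/TLSv1/TLSv1.1
# (deprecated by RFC 8996).
ssl_protocols_ok() {
    protos=$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*$/\1/p' "$1")
    [ -n "$protos" ] || return 1
    for p in $protos; do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1) return 1 ;;
        esac
    done
    return 0
}

# Fails if a script declared as #!/bin/sh uses the bash-only "&>" redirection.
no_bashisms() {
    head -n 1 "$1" | grep -q '^#!/bin/sh' || return 0   # bash scripts may use &>
    if grep -q '&>' "$1"; then return 1; fi
    return 0
}

# Constructed samples: a weak and a hardened ssl_protocols line, a bad and a good script.
demo_dir=$(mktemp -d)
printf 'server {\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n}\n' > "$demo_dir/weak.conf"
printf 'server {\n    ssl_protocols TLSv1.2 TLSv1.3;\n}\n' > "$demo_dir/strong.conf"
printf '#!/bin/sh\ndocker inspect nginx &>/dev/null\n' > "$demo_dir/bad.sh"
printf '#!/bin/sh\ndocker inspect nginx >/dev/null 2>&1\n' > "$demo_dir/good.sh"

for f in weak.conf strong.conf; do
    if ssl_protocols_ok "$demo_dir/$f"; then echo "$f: ssl_protocols OK"
    else echo "$f: deprecated or missing ssl_protocols"; fi
done
for f in bad.sh good.sh; do
    if no_bashisms "$demo_dir/$f"; then echo "$f: sh-compatible"
    else echo "$f: uses &> under #!/bin/sh"; fi
done
rm -rf "$demo_dir"
```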