How to add Let's Encrypt to a multi-container app running on Elastic Beanstalk
Posted 2020-07-18 00:28:22

I am trying to add HTTPS to my domain with Let's Encrypt on AWS Elastic Beanstalk. My budget is tight, so I cannot afford an AWS certificate and a load balancer. I have combed the web for the best way to solve this, but I only seem to find implementations that use a single container and therefore rely on .ebextensions.
The only documentation I found on Stack Overflow is HTTPS on Elastic Beanstalk (Docker Multi-container).
I also found documentation on how to use Dockerrun.aws.json at Free HTTPS on AWS Elastic Beanstalk without Load Balancer.
But I cannot seem to configure it correctly. I already have an nginx server. How do I configure jwilder/nginx-proxy, jrcs/letsencrypt-nginx-proxy-companion and nginx?
Dockerrun.aws.json

{
  "AWSEBDockerrunVersion": 2,
  "volumes": [
    {
      "name": "home-ec2-user-certs",
      "host": { "sourcePath": "/home/ec2-user/certs" }
    },
    {
      "name": "etc-nginx-vhost-d",
      "host": { "sourcePath": "/etc/nginx/vhost.d" }
    },
    {
      "name": "usr-share-nginx-html",
      "host": { "sourcePath": "/usr/share/nginx/html" }
    },
    {
      "name": "var-run-docker-sock",
      "host": { "sourcePath": "/var/run/docker.sock" }
    }
  ],
  "containerDefinitions": [
    {
      "name": "client",
      "image": "example/site-client",
      "hostname": "client",
      "essential": false,
      "memory": 128,
      "environment": [
        { "name": "VIRTUAL_HOST", "value": "www.example.com, example.com" },
        { "name": "LETSENCRYPT_HOST", "value": "www.example.com, example.com" }
      ]
    },
    {
      "name": "server",
      "image": "example/site-server",
      "hostname": "api",
      "essential": false,
      "memory": 128
    },
    {
      "name": "admin",
      "image": "example/site-admin",
      "hostname": "admin",
      "essential": false,
      "memory": 128,
      "environment": [
        { "name": "VIRTUAL_HOST", "value": "admin.example.com" },
        { "name": "LETSENCRYPT_HOST", "value": "admin.example.com" }
      ]
    },
    {
      "name": "worker",
      "image": "example/site-worker",
      "hostname": "worker",
      "essential": false,
      "memory": 128
    },
    {
      "name": "sales",
      "image": "example/site-payment",
      "hostname": "sales",
      "essential": false,
      "memory": 128
    },
    {
      "name": "nginx-proxy",
      "image": "jwilder/nginx-proxy",
      "essential": true,
      "memoryReservation": 128,
      "dockerLabels": {
        "com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy": "true"
      },
      "portMappings": [
        { "containerPort": 80, "hostPort": 80 },
        { "containerPort": 443, "hostPort": 443 }
      ],
      "mountPoints": [
        {
          "sourceVolume": "home-ec2-user-certs",
          "containerPath": "/etc/nginx/certs",
          "readOnly": true
        },
        {
          "sourceVolume": "etc-nginx-vhost-d",
          "containerPath": "/etc/nginx/vhost.d"
        },
        {
          "sourceVolume": "usr-share-nginx-html",
          "containerPath": "/usr/share/nginx/html"
        },
        {
          "sourceVolume": "var-run-docker-sock",
          "containerPath": "/tmp/docker.sock",
          "readOnly": true
        }
      ]
    },
    {
      "name": "letsencrypt-nginx-proxy-companion",
      "image": "jrcs/letsencrypt-nginx-proxy-companion",
      "essential": true,
      "memoryReservation": 128,
      "volumesFrom": [
        { "sourceContainer": "nginx-proxy" }
      ],
      "mountPoints": [
        {
          "sourceVolume": "home-ec2-user-certs",
          "containerPath": "/etc/nginx/certs"
        },
        {
          "sourceVolume": "var-run-docker-sock",
          "containerPath": "/var/run/docker.sock",
          "readOnly": true
        }
      ]
    },
    {
      "name": "nginx",
      "image": "example/site-nginx",
      "hostname": "nginx",
      "essential": true,
      "portMappings": [
        { "hostPort": 80, "containerPort": 80 }
      ],
      "links": ["client", "server", "admin", "sales"],
      "memory": 128
    }
  ]
}
And my nginx file (a server configuration fragment, loaded inside the http block):

upstream client {
    server client:3000;
}
upstream admin {
    server admin:8000;
}
upstream sales {
    server sales:8626;
}
upstream api {
    server api:5000;
}

# redirect plain HTTP to HTTPS
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

server {
    # listen 80;
    listen 443 ssl;
    server_name example.com www.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    # the key file is privkey.pem, not the certificate chain
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

    location / {
        proxy_pass http://client;
    }
    location /sales {
        rewrite /sales/(.*) /$1 break;
        proxy_pass http://sales;
    }
    location /api {
        rewrite /api/(.*) /$1 break;
        proxy_pass http://api;
    }
}

server {
    listen 80;
    server_name admin.example.com;
    location / {
        proxy_pass http://admin;
    }
}
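One reason the Dockerrun.aws.json above will not come up cleanly is visible in the file itself: both nginx-proxy and the custom nginx container claim host port 80, and only one of them can bind it. The script below is an added example, not code from the question or from the jwilder/jrcs projects. It parses a constructed Dockerrun.aws.json (SAMPLE_DOCKERRUN, my own trimmed copy of the layout above) and reports the three mistakes that most often break the proxy-plus-companion pattern: duplicate host ports, LETSENCRYPT_HOST set on a container without a matching VIRTUAL_HOST (the companion expects the Let's Encrypt domains to be among the domains the proxy routes), and a proxy or companion container that lacks the docker.sock mount it needs to see container events. The function and check names are mine. A caveat for the socket mount: giving a container /var/run/docker.sock grants it full control of the Docker daemon on the instance, and readOnly on the bind mount does not restrict the API, so that privilege should stay limited to the proxy and companion.

```python
"""Sanity-check a multi-container Dockerrun.aws.json before deploying.

Checks (added example, assumed conventions of jwilder/nginx-proxy and
jrcs/letsencrypt-nginx-proxy-companion):
  1. two containers binding the same host port (only one can win),
  2. LETSENCRYPT_HOST set without a matching VIRTUAL_HOST,
  3. the proxy/companion containers missing the docker.sock mount.
"""
import json
from collections import defaultdict

# Constructed sample: a trimmed copy of the question's layout, keeping the
# host-port clash between "nginx-proxy" and "nginx" and adding two more faults.
SAMPLE_DOCKERRUN = json.dumps({
    "AWSEBDockerrunVersion": 2,
    "volumes": [
        {"name": "var-run-docker-sock", "host": {"sourcePath": "/var/run/docker.sock"}}
    ],
    "containerDefinitions": [
        {"name": "client", "image": "example/site-client", "memory": 128,
         "environment": [
             {"name": "VIRTUAL_HOST", "value": "www.example.com, example.com"},
             {"name": "LETSENCRYPT_HOST", "value": "www.example.com, example.com"}]},
        {"name": "admin", "image": "example/site-admin", "memory": 128,
         "environment": [{"name": "LETSENCRYPT_HOST", "value": "admin.example.com"}]},
        {"name": "nginx-proxy", "image": "jwilder/nginx-proxy", "memoryReservation": 128,
         "portMappings": [{"containerPort": 80, "hostPort": 80},
                          {"containerPort": 443, "hostPort": 443}],
         "mountPoints": [{"sourceVolume": "var-run-docker-sock",
                          "containerPath": "/tmp/docker.sock", "readOnly": True}]},
        {"name": "letsencrypt-nginx-proxy-companion",
         "image": "jrcs/letsencrypt-nginx-proxy-companion", "memoryReservation": 128,
         "mountPoints": []},
        {"name": "nginx", "image": "example/site-nginx", "memory": 128,
         "portMappings": [{"containerPort": 80, "hostPort": 80}]},
    ],
})

SOCKET_CONSUMERS = ("jwilder/nginx-proxy", "jrcs/letsencrypt-nginx-proxy-companion")


def env_of(container):
    """Return a container's environment list as a name -> value dict."""
    return {e["name"]: e["value"] for e in container.get("environment", [])}


def domains(value):
    """Split a comma-separated VIRTUAL_HOST / LETSENCRYPT_HOST value into a set."""
    return {d.strip() for d in value.split(",") if d.strip()}


def check_dockerrun(text):
    """Return a list of human-readable problems found in the Dockerrun JSON."""
    doc = json.loads(text)
    defs = doc.get("containerDefinitions", [])
    problems = []

    # 1. host port clashes: every hostPort may be bound by one container only
    users = defaultdict(list)
    for c in defs:
        for pm in c.get("portMappings", []):
            users[pm["hostPort"]].append(c["name"])
    for port, names in sorted(users.items()):
        if len(names) > 1:
            problems.append(f"host port {port} claimed by {', '.join(names)}")

    # 2. LETSENCRYPT_HOST must be accompanied by VIRTUAL_HOST covering its domains
    for c in defs:
        env = env_of(c)
        if "LETSENCRYPT_HOST" not in env:
            continue
        if "VIRTUAL_HOST" not in env:
            problems.append(f"{c['name']}: LETSENCRYPT_HOST set without VIRTUAL_HOST")
        elif not domains(env["LETSENCRYPT_HOST"]) <= domains(env["VIRTUAL_HOST"]):
            problems.append(f"{c['name']}: LETSENCRYPT_HOST names a domain not in VIRTUAL_HOST")

    # 3. proxy and companion need the Docker socket to react to container events
    sock_volumes = {v["name"] for v in doc.get("volumes", [])
                    if v.get("host", {}).get("sourcePath") == "/var/run/docker.sock"}
    for c in defs:
        if c.get("image") in SOCKET_CONSUMERS:
            mounted = any(m["sourceVolume"] in sock_volumes for m in c.get("mountPoints", []))
            if not mounted:
                problems.append(f"{c['name']}: no docker.sock mount, container events will not be seen")
    return problems


if __name__ == "__main__":
    for p in check_dockerrun(SAMPLE_DOCKERRUN):
        print("WARN", p)
```

Run it against a real file with `check_dockerrun(open("Dockerrun.aws.json").read())`; an empty list means none of the three checks fired. For the sample it reports the port 80 clash, the admin container's missing VIRTUAL_HOST, and the companion's missing socket mount.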
Comments:
Did you solve this? I have the same problem now.
No, I could not solve it. Do you have a way?
Yes, see my answer.

Answer 1:
When setting up, you can "Dockerize" the nginx server and run some configuration scripts. So something like this:
FROM nginx:1.16-alpine
# certbot issues the certificate inside the container at start-up
RUN apk add --no-cache certbot
RUN mkdir /var/lib/certbot
COPY scripts/setup.sh /setup.sh
RUN chmod +x /setup.sh
COPY config/nginx.conf /etc/nginx/nginx.conf
# absolute path to the setup script copied above
ENTRYPOINT [ "/setup.sh" ]
The script:

#!/bin/sh
# DOMAINS and EMAIL are placeholders: replace them with your domain list and contact address
set -e
# standalone mode binds port 80 itself, so it must finish before nginx starts
certbot certonly -n -d DOMAINS \
    --standalone --preferred-challenges http --email EMAIL --agree-tos --expand
# replace the shell with nginx so it receives container signals
exec /usr/sbin/nginx -g "daemon off;"

Then add the SSL certificate and key to your nginx configuration as usual.