如何将 Let encrypt 添加到在 Elastic Beanstalk 上运行的多容器中

Posted

技术标签:

【中文标题】如何将 Let encrypt 添加到在 Elastic Beanstalk 上运行的多容器中【英文标题】:How to add lets encrypt to a multi container running on Elastic Beanstalk 【发布时间】:2020-07-18 00:28:22 【问题描述】:

我正在尝试使用让我们在 aws eb 上加密将 https 添加到我的域。我的预算很紧,所以我负担不起使用 AWS 证书和负载均衡器。我已经梳理了网络以找到解决此问题的最佳方法,但我似乎只找到使用单个容器的实现,因此使用 .ebextensions 我发现的关于堆栈溢出的唯一文档是HTTPS on Elastic Beanstalk (Docker Multi-container)

我还在Free HTTPS on AWS Elastic Beanstalk without Load Balancer上找到了有关如何使用 Dockerrun.aws.json 的文档

但我似乎无法正确配置。我已经有一个 nginx 服务器了。如何配置 jwilder/nginx-proxy、jrcs/letsencrypt-nginx-proxy-companion 和 nginx

Dockerrun.aws.json

    "AWSEBDockerrunVersion": 2,
    "volumes": [
            "name": "home-ec2-user-certs",
            "host": 
                "sourcePath": "/home/ec2-user/certs"
            
        ,
        
            "name": "etc-nginx-vhost-d",
            "host": 
                "sourcePath": "/etc/nginx/vhost.d"
            
        ,
        
            "name": "usr-share-nginx-html",
            "host": 
                "sourcePath": "/usr/share/nginx/html"
            
        ,
        
            "name": "var-run-docker-sock",
            "host": 
                "sourcePath": "/var/run/docker.sock"
            
        
    ],
    "containerDefinitions": [
            "name": "client",
            "image": "example/site-client",
            "hostname": "client",
            "essential": false,
            "memory": 128,
            "environment": [
                    "name": "VIRTUAL_HOST",
                    "value": "www.example.com, example.com"
                ,
                
                    "name": "LETSENCRYPT_HOST",
                    "value": "www.example.com, example.com"
                
            ]
        ,
        
            "name": "server",
            "image": "example/site-server",
            "hostname": "api",
            "essential": false,
            "memory": 128
        ,
        
            "name": "admin",
            "image": "example/site-admin",
            "hostname": "admin",
            "essential": false,
            "memory": 128,
            "environment": [
                    "name": "VIRTUAL_HOST",
                    "value": "admin.example.com"
                ,
                
                    "name": "LETSENCRYPT_HOST",
                    "value": "admin.example.com"
                
            ]
        ,
        
            "name": "worker",
            "image": "example/site-worker",
            "hostname": "worker",
            "essential": false,
            "memory": 128
        ,
        
            "name": "sales",
            "image": "example/site-payment",
            "hostname": "sales",
            "essential": false,
            "memory": 128
        ,
        
            "name": "nginx-proxy",
            "image": "jwilder/nginx-proxy",
            "essential": true,
            "memoryReservation": 128,
            "dockerLabels": 
                "com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy": "true"
            ,
            "portMappings": [
                    "containerPort": 80,
                    "hostPort": 80
                ,
                
                    "containerPort": 443,
                    "hostPort": 443
                
            ],
            "mountPoints": [
                    "sourceVolume": "home-ec2-user-certs",
                    "containerPath": "/etc/nginx/certs",
                    "readOnly": true
                ,
                
                    "sourceVolume": "etc-nginx-vhost-d",
                    "containerPath": "/etc/nginx/vhost.d"
                ,
                
                    "sourceVolume": "usr-share-nginx-html",
                    "containerPath": "/usr/share/nginx/html"
                ,
                
                    "sourceVolume": "var-run-docker-sock",
                    "containerPath": "/tmp/docker.sock",
                    "readOnly": true
                
            ]
        ,
        
            "name": "letsencrypt-nginx-proxy-companion",
            "image": "jrcs/letsencrypt-nginx-proxy-companion",
            "essential": true,
            "memoryReservation": 128,
            "volumesFrom": [
                "sourceContainer": "nginx-proxy"
            ],
            "mountPoints": [
                    "sourceVolume": "home-ec2-user-certs",
                    "containerPath": "/etc/nginx/certs"
                ,
                
                    "sourceVolume": "var-run-docker-sock",
                    "containerPath": "/var/run/docker.sock",
                    "readOnly": true
                
            ]
        ,
        
            "name": "nginx",
            "image": "example/site-nginx",
            "hostname": "nginx",
            "essential": true,
            "portMappings": [
                "hostPort": 80,
                "containerPort": 80
            ],
            "links": ["client", "server", "admin", "sales"],
            "memory": 128
        
    ]

还有我的 nginx 文件

upstream client 
    server client:3000;


upstream admin 
    server admin:8000;


upstream sales 
    server sales:8626;



upstream api 
    server api:5000;



    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_ur;


server 
#    listen 80;

    listen 443 ssl;
    server_name example.com www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem.;
    ssl_certificate_key /etc/letsencrypt/live/example.com/fullchain.pem.;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

    location / 
        proxy_pass http://client;
    

    location /sales 
        rewrite /sales/(.*) /$1 break;
        proxy_pass http://sales;
    

    location /api 
        rewrite /api/(.*) /$1 break;
        proxy_pass http://api;
    


server 
    listen 80;
    server_name admin.example.com;

    location / 
        proxy_pass http://admin;
    


【问题讨论】:

你解决了吗?我现在也有同样的问题 不是我无法解决它。你有什么办法吗? 是的,看我的回答 【参考方案1】:

在设置时可以“Dockerize” nginx 服务器并运行一些配置脚本。所以是这样的:

FROM nginx:1.16-alpine

RUN apk add --no-cache certbot

RUN mkdir /var/lib/certbot

COPY scripts/setup.sh /setup.sh
RUN chmod +x /setup.sh

COPY config/nginx.conf /etc/nginx/nginx.conf

ENTRYPOINT [ "../setup.sh" ]

脚本:

#!/bin/sh

certbot certonly -n -d DOMAINS \
    --standalone --preferred-challenges http --email EMAIL --agree-tos --expand


/usr/sbin/nginx -g "daemon off;"

然后像往常一样将 ssl 证书和密钥添加到您的 nginx 配置中。

【讨论】:

以上是关于如何将 Let encrypt 添加到在 Elastic Beanstalk 上运行的多容器中的主要内容,如果未能解决你的问题,请参考以下文章

Alpine Linux添加Let‘s Encrypt CA证书或者自签CA证书

利用Let's Encrypt 为Istio(Envoy)添加TLS 支持

windows server 服务器添加免费域名证书的方法(Let's Encrypt)

用win-acme给windows服务器添加SSL(Let's Encrypt)证书

如何在没有交互的情况下安装 Certbot (Let's Encrypt)?

如何使用Let's Encrypt证书加密