docker启动nginx
docker启动nginx
nginx一般用作web服务器,为了公网访问通常需要申请https证书并进行配置,本次自行制作自签名证书。
使用容器后,需要考虑网络以及配置和日志的持久化,本次复用宿主机网络,生产环境一般来说做端口映射。
集群一般在前置添加负载均衡即可。
1. 抓取镜像并生成目录
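# Pull the pinned nginx image and create every host directory that the
# `docker run` in step 5 bind-mounts: conf, conf.d/include.d (step 4.8),
# logs, ssl and html. html is created here on purpose; otherwise Docker
# creates it as root on first start, which the original command did not cover.
docker pull nginx:1.21.6 \
  && mkdir -p /home/nginx/conf/conf.d/include.d \
              /home/nginx/logs \
              /home/nginx/ssl \
              /home/nginx/html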
2. 生成自签名证书(生产环境需要到CA申请)
2.1 首先将openssl拷贝到nginx/ssl目录
# Start from the system OpenSSL config; the v3_req section is enabled in the
# copy (next step) so the certificate can carry extensions.
cp -- /etc/pki/tls/openssl.cnf /home/nginx/ssl/
2.2 编辑 openssl.cnf
# Edit the copied config: in the [ req ] section uncomment
# `req_extensions = v3_req`, which the `-extensions v3_req` flag of the
# certificate command below relies on.
vi /home/nginx/ssl/openssl.cnf
在 [ req ] 段中取消 req_extensions = v3_req 这一行的注释
2.3 生成证书
# Generate a self-signed certificate and an unencrypted (-nodes) RSA-2048 key.
# -x509 self-signs, -days 36500 gives roughly 100 years of validity, and
# -extensions v3_req pulls the section enabled in the edited openssl.cnf.
# Production deployments obtain the certificate from a CA instead.
cd -- /home/nginx/ssl \
  && openssl req -x509 -nodes \
       -days 36500 \
       -newkey rsa:2048 \
       -config openssl.cnf \
       -extensions v3_req \
       -keyout /home/nginx/ssl/nginx.key \
       -out /home/nginx/ssl/nginx.crt
执行上面的证书生成命令后,按提示依次输入证书信息:XX XX XX XX XX (回车) (回车)
# meta_server (step 4.7) references space.crt/space.key for its second 443
# server block; until a separate certificate exists, reuse the self-signed pair.
# The loop stops at the first failed copy, like the original && chain.
for ext in crt key; do
  cp -- "/home/nginx/ssl/nginx.${ext}" "/home/nginx/ssl/space.${ext}" || break
done
3. 生成Nginx basic认证密码
3.1 安装httpd工具
# httpd-tools provides the htpasswd utility used in the next step.
yum -y install httpd-tools
3.2 生成密码文件
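# Create the basic-auth file for user "admin" (-c creates/overwrites the file;
# the password is prompted interactively). Hash with bcrypt (-B): the original
# -d forced crypt(3), which only uses the first 8 characters of the password,
# so the 16-character random password recommended below was silently truncated.
# nginx validates the hash through the system crypt(); the Debian-based official
# image supports bcrypt. If logins fail on another build, regenerate with -m
# (apr1 MD5), which nginx supports explicitly.
htpasswd -c -B /home/nginx/conf/conf.d/admin_pwd admin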
然后输入16位随机密码
注意:如果要从密码文件中删除该用户:htpasswd -D -d /home/nginx/conf/conf.d/admin_pwd admin
3.3 配置密码文件
# Basic-auth snippet included by the admin 9443 server block. The user file
# path is the in-container location of the htpasswd file written above
# (conf.d is bind-mounted to /etc/nginx/conf.d in step 5).
tee /home/nginx/conf/conf.d/admin_pwd.config <<-'EOF'
auth_basic "login";
auth_basic_user_file /etc/nginx/conf.d/admin_pwd;
EOF
4. 配置Nginx
4.1 生成nginx.conf文件
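# Main nginx.conf. The http-level proxy_* directives are defaults for every
# proxy_pass location; nginx only inherits proxy_set_header when the current
# level defines none, so a location (or an included snippet) that sets any
# header of its own drops all of these.
# Change from the original: "Connection: upgrade" is no longer sent to every
# upstream unconditionally; the map below emits it only when the client sent
# an Upgrade header (WebSocket) and "close" otherwise.
tee /home/nginx/conf/nginx.conf <<-'EOF'
user nginx;
worker_processes auto;
worker_cpu_affinity auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    client_max_body_size 200m;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    proxy_connect_timeout 1s;
    #gzip on;
    root /usr/share/nginx/html;
    # Upgrade handling: pass "Connection: upgrade" to the upstream only for
    # requests that carry an Upgrade header; everything else gets "close".
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }
    proxy_http_version 1.1;
    proxy_set_header Host $http_host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    # If this is not the first proxy layer (e.g. a campus firewall that is
    # itself nginx), use $proxy_add_x_forwarded_for instead. Only do that when
    # the upstream proxy is trusted: the client-supplied header is then kept.
    proxy_set_header X-Forwarded-For $remote_addr;
    include /etc/nginx/conf.d/*.conf;
    server_tokens off;
}
EOF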
4.2 生成default.conf(包含各个server块,每个server块监听指定的server_name和port)
# default.conf is the only *.conf picked up by nginx.conf; it pulls in the
# per-port server files written below (80_server, admin_9443_server, meta_server).
tee /home/nginx/conf/conf.d/default.conf <<-'EOF'
include /etc/nginx/conf.d/*_server;
EOF
4.3 生成80_server(将HTTP请求转发为对应的HTTPS请求)
# HTTP listener whose only job is a permanent redirect to HTTPS on the same
# host and URI. The redirect target is built from the request's Host header.
tee /home/nginx/conf/conf.d/80_server <<-'EOF'
server {
    listen 80;
    server_name 0.0.0.0;
    #return 301 https://$host$request_uri;
    rewrite ^(.*)$ https://$host$1 permanent;
}
EOF
4.4 生成admin_9443_server文件(用于管理员访问etcd, es, kibana, grafana等)
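# Admin-only HTTPS listener on 9443 (etcd tools, es, kibana, prometheus,
# grafana, ...). Every location sits behind the basic-auth include.
# Change from the original: TLS 1.1 is dropped from ssl_protocols (deprecated
# by RFC 8996) and TLS 1.3 is offered; nginx 1.21 negotiates it when the
# linked OpenSSL supports it. The cipher list is kept as the author wrote it.
tee /home/nginx/conf/conf.d/admin_9443_server <<-'EOF'
server {
    listen 9443 ssl http2;
    server_name 192.168.100.149;
    ssl_certificate /etc/nginx/ssl/nginx.crt;   # self-signed certificate from step 2
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    fastcgi_param HTTPS on;
    fastcgi_param HTTP_SCHEME https;
    server_tokens off;
    #charset koi8-r;
    access_log /var/log/nginx/access-admin.log;
    error_log /var/log/nginx/error-admin.log;
    # basic auth for every location in this server block
    include /etc/nginx/conf.d/admin_pwd.config;
    location /es {
        rewrite /es(.*) $1 break;
        proxy_pass http://libsys-cluster-3:9200;
    }
    location /es_log {
        rewrite /es_log(.*) $1 break;
        proxy_pass http://libsys-prom:9201;
    }
    location /kibana {
        proxy_pass http://libsys-cluster-3:5601;
    }
    location /kibana_log {
        proxy_pass http://libsys-prom:5602;
    }
    location /rc {
        proxy_pass http://libsys-cluster-3:9877;
    }
    location /prom {
        proxy_pass http://libsys-prom:9090;
    }
    location /grafana/ {
        proxy_pass http://libsys-prom:3000/;
        # Presumably Grafana's auth-proxy header: anyone who passes the nginx
        # basic auth above reaches Grafana as "admin", and the browser's
        # Authorization header is blanked so the basic-auth credentials are
        # not forwarded. Because this location defines proxy_set_header, the
        # http-level Host/Upgrade/Connection/X-Forwarded-For headers are not
        # inherited here.
        proxy_set_header X-WEBAUTH-USER admin;
        proxy_set_header Authorization "";
    }
    location /tools-etcd {
        proxy_pass http://127.0.0.1:8089;
    }
    location /nc {
        proxy_pass http://127.0.0.1:8150;
    }
    location /bigdata-local {
        proxy_pass http://libsys-mongo:8889;
    }
    location /libsys-ldbs {
        proxy_pass http://127.0.0.1:8052;
    }
    # NOTE(review): this regex location takes precedence over the /tools-etcd
    # prefix location for matching assets but has no proxy_pass, so those
    # requests are served from the server root (/usr/share/nginx/html) rather
    # than from 127.0.0.1:8089 — confirm that is intended.
    location ~ ^/tools-etcd/.*\.(html|htm|gif|jpg|jpeg|bmp|png|ico|txt|js|css|json|woff|ttf|eof|woff2)$ {
        gzip on;
        gzip_min_length 100k;
        gzip_types text/plain application/javascript application/x-javascript text/css application/xml application/json text/javascript;
    }
}
EOF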
4.5 生成meta_locations(一般无需改变)
# Location set included by the 443 default server and the 8079 server in
# meta_server. Prefix locations route /meta-local/* to the upstreams declared
# in meta_server; the regex locations serve static assets with a one-year
# cache and strip the /meta, /space or /mspace prefix before proxying.
# NOTE(review): the locations that include include.d/proxy define
# proxy_set_header themselves and therefore do not inherit the http-level
# Host/Upgrade/Connection/X-Forwarded-For headers — confirm the upstreams do
# not rely on them.
# NOTE(review): in `rewrite ^/meta(.*) /$1`, $1 already starts with "/", so
# the rewritten URI begins with "//" (same for /space and /mspace) — confirm
# the upstreams tolerate that.
tee /home/nginx/conf/conf.d/meta_locations <<-'EOF'
location /meta-local/devops { proxy_pass http://meta-devops; }
location /meta-local/common { proxy_pass http://meta-admin; }
location /meta-local/sys { proxy_pass http://meta-admin; }
location /meta-local/user { proxy_pass http://meta-admin; }
location /meta-local/job { proxy_pass http://meta-admin; }
location /meta-local/admin { proxy_pass http://meta-admin; }
location /meta-local/pdf { proxy_pass http://meta-admin; }
location /meta-local/acq { proxy_pass http://meta-acq; }
location /meta-local/serial { proxy_pass http://meta-acq; }
location /meta-local/ckb { proxy_pass http://meta-acq; }
location /meta-local/file { proxy_pass http://meta-acq; }
location /meta-local/res { proxy_pass http://meta-res; }
location /meta-local/dc { proxy_pass http://meta-dc; }
location /meta-local/cs { proxy_pass http://meta-cs; }
location /meta-local/erm { proxy_pass http://meta-erm; }
location /meta-local/social { proxy_pass http://meta-social; }
location = /meta-local/stat { proxy_pass http://meta-stat; }
location /meta-local/stat/ { proxy_pass http://meta-stat; }
location /meta-local/indexer { proxy_pass http://meta-indexer; }
location /meta-local/sync { proxy_pass http://meta-sync; }
# reader-facing services get a shorter read timeout than the server default
location /meta-local/opac { proxy_read_timeout 60; proxy_pass http://meta-opac; }
location /meta-local/wechat { proxy_read_timeout 60; proxy_pass http://meta-wechat; }
location /meta-local/api { proxy_pass http://meta-api; }
location /meta-local/gateway { proxy_pass http://gateway; }
location /meta-local/app/server { proxy_pass http://meta-appserver; }
# HTML entry points: never cached
location /meta/ {
    proxy_pass http://meta-web/;
    include /etc/nginx/conf.d/include.d/proxy;
    add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate";
    expires 0;
}
location ~ ^/meta/assets/(.*) {
    proxy_pass http://meta-web;
    include /etc/nginx/conf.d/include.d/proxy;
    add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate";
    expires 0;
    rewrite ^/meta(.*) /$1 break;
}
# versioned static assets: cached for a year, not logged
location ~ ^/meta/(.*)\.(js|css|woff|woff2|ttf|svg|eot|otf)$ {
    proxy_pass http://meta-web;
    include /etc/nginx/conf.d/include.d/proxy;
    #add_header x_debug $upstream_addr;
    #add_header x_debug $request;
    access_log off;
    expires 1y;
    add_header Cache-Control 'max-age=31536000'; # one year
    rewrite ^/meta(.*) /$1 break;
}
location /space/ {
    proxy_pass http://meta-space/;
    include /etc/nginx/conf.d/include.d/proxy;
    add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate";
    expires 0;
}
location ~ ^/space/(css|fonts|img|js) {
    proxy_pass http://meta-space;
    include /etc/nginx/conf.d/include.d/proxy;
    #add_header x_debug $upstream_addr;
    #add_header x_debug $request;
    access_log off;
    expires 1y;
    add_header Cache-Control 'max-age=31536000'; # one year
    rewrite ^/space(.*) /$1 break;
}
location /mspace/ {
    proxy_pass http://meta-mspace/;
    include /etc/nginx/conf.d/include.d/proxy;
    add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate";
    expires 0;
}
location ~ ^/mspace/(css|fonts|img|js) {
    proxy_pass http://meta-mspace;
    include /etc/nginx/conf.d/include.d/proxy;
    #add_header x_debug $upstream_addr;
    #add_header x_debug $request;
    access_log off;
    expires 1y;
    add_header Cache-Control 'max-age=31536000'; # one year
    rewrite ^/mspace(.*) /$1 break;
}
#----- redirect to mobile check (starts) -----#
# Server-level rewrites: mobile user agents asking for /space/ are redirected
# to /mspace/, every other agent asking for /mspace/ is sent back to /space/.
set $mobile_rewrite do_not_perform;
# this regex string is actually much longer to match more mobile devices
if ($http_user_agent ~* "android|ip(ad|hone|od)|kindle") {
    set $mobile_rewrite perform;
}
if ($mobile_rewrite = perform) {
    rewrite ^/space/(.*) /mspace/$1 redirect;
    break;
}
if ($mobile_rewrite = do_not_perform) {
    rewrite ^/mspace/(.*) /space/$1 redirect;
    break;
}
#----- redirect to mobile check (ends) -----#
EOF
4.6 生成extra_locations(一般无需改变)
# Object-storage passthrough included by the 443 servers in meta_server:
# strips the /oss prefix and proxies to the "oss" upstream with a fixed Host.
# Because this location defines proxy_set_header, the http-level headers are
# not inherited here.
tee /home/nginx/conf/conf.d/extra_locations <<-'EOF'
location /oss {
    rewrite /oss(.*) $1 break;
    proxy_set_header Host libsys-mongo:9000;
    proxy_pass http://oss;
}
EOF
4.7 生成meta_server
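# Upstreams plus three server blocks: the 443 default server (nginx.crt), a
# plain-HTTP server on 8079 and a second 443 server (space.crt).
# Change from the original: TLS 1.1 is dropped from every ssl_protocols
# (deprecated by RFC 8996) and TLS 1.3 is offered, matching admin_9443_server.
# The cipher lists are kept as the author wrote them.
# NOTE(review): `listen 8079` binds all interfaces; server_name 127.0.0.1 only
# matches the Host header and does not restrict who can connect. If this
# listener is meant to be local-only, use `listen 127.0.0.1:8079;` — the
# firewall step does not open 8079, which is the only thing keeping it off
# the network today.
# NOTE(review): the third server (server_name _) shares port 443 with the
# default_server above it; "_" never matches a real Host, so unmatched
# requests go to the default_server and this block appears unreachable.
# Give it the real hostname or make it the default_server if it is meant to
# serve space.crt.
tee /home/nginx/conf/conf.d/meta_server <<-'EOF'
upstream oss { server libsys-mongo:9000; }
upstream meta-acq { server 127.0.0.1:8021; }
upstream meta-admin { server 127.0.0.1:8020; }
upstream meta-cs { server 127.0.0.1:8024; }
upstream meta-dc { server 127.0.0.1:8023; }
upstream meta-devops { server 127.0.0.1:8028; }
upstream meta-erm { server 127.0.0.1:8025; }
upstream gateway { server 127.0.0.1:20000; }
upstream meta-indexer { server 127.0.0.1:8019; }
upstream meta-opac { server 127.0.0.1:8030; }
upstream meta-res { server 127.0.0.1:8022; }
upstream meta-social { server 127.0.0.1:8027; }
upstream meta-stat { server 127.0.0.1:8029; }
upstream meta-sync { server 127.0.0.1:8013; }
upstream meta-web { server 127.0.0.1:10010; }
upstream meta-space { server 127.0.0.1:10011; }
upstream meta-mspace { server 127.0.0.1:10012; }
# NOTE(review): meta-wechat points at the same port as meta-sync (8013) — confirm
upstream meta-wechat { server 127.0.0.1:8013; }
upstream meta-api { server 127.0.0.1:8012; }
upstream meta-appserver { server 127.0.0.1:8011; }
server {
    listen 443 ssl http2 default_server;
    server_name 0.0.0.0;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    fastcgi_param HTTPS on;
    fastcgi_param HTTP_SCHEME https;
    server_tokens off;
    #charset koi8-r;
    access_log /var/log/nginx/access-meta.log;
    error_log /var/log/nginx/error-meta.log;
    # Is such a large timeout really needed? Reader-facing services (opac,
    # wechat) could use a smaller one; meta_locations overrides it to 60 there.
    proxy_read_timeout 1800;
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types application/javascript application/rss+xml application/vnd.ms-fontobject application/x-font application/x-font-opentype application/x-font-otf application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/opentype font/otf font/ttf image/svg+xml image/x-icon text/css text/javascript text/plain text/xml;
    include /etc/nginx/conf.d/extra_locations;
    # keep internal status/metrics endpoints off the public listener
    location ~ /(status|metrics|extra_metrics)(/?)$ {
        return 404;
    }
    include /etc/nginx/conf.d/meta_locations;
    #error_page 500 502 503 504 /50x.html;
    #location = /50x.html {
    #    root /usr/share/nginx/html;
    #}
    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny all;
    #}
}
server {
    listen 8079;
    server_name 127.0.0.1;
    # plain-HTTP listener: the ssl_* and fastcgi_param lines below are inert
    # without "ssl" on listen and are kept only for parity with the 443 blocks
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    fastcgi_param HTTPS on;
    fastcgi_param HTTP_SCHEME https;
    server_tokens off;
    #charset koi8-r;
    access_log /var/log/nginx/access-meta.log;
    error_log /var/log/nginx/error-meta.log;
    # Is such a large timeout really needed? Reader-facing services (opac,
    # wechat) could use a smaller one.
    proxy_read_timeout 1800;
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types application/javascript application/rss+xml application/vnd.ms-fontobject application/x-font application/x-font-opentype application/x-font-otf application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/opentype font/otf font/ttf image/svg+xml image/x-icon text/css text/javascript text/plain text/xml;
    # unlike the 443 servers, extra_locations (/oss) is not included here
    location ~ /(status|metrics|extra_metrics)(/?)$ {
        return 404;
    }
    include /etc/nginx/conf.d/meta_locations;
    #error_page 500 502 503 504 /50x.html;
    #location = /50x.html {
    #    root /usr/share/nginx/html;
    #}
    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny all;
    #}
}
server {
    listen 443 ssl http2;
    server_name _;
    ssl_certificate /etc/nginx/ssl/space.crt;
    ssl_certificate_key /etc/nginx/ssl/space.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    fastcgi_param HTTPS on;
    fastcgi_param HTTP_SCHEME https;
    server_tokens off;
    #charset koi8-r;
    access_log /var/log/nginx/access-space.log;
    error_log /var/log/nginx/error-space.log;
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types application/javascript application/rss+xml application/vnd.ms-fontobject application/x-font application/x-font-opentype application/x-font-otf application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/opentype font/otf font/ttf image/svg+xml image/x-icon text/css text/javascript text/plain text/xml;
    include /etc/nginx/conf.d/extra_locations;
    location ~ /(status|metrics|extra_metrics)(/?)$ {
        return 404;
    }
    # only the reader-facing services are exposed on this server
    location /meta-local/wechat {
        proxy_pass http://meta-wechat;
    }
    location /meta-local/opac {
        proxy_pass http://meta-opac;
    }
    location /space/ {
        proxy_pass http://meta-space/;
        include /etc/nginx/conf.d/include.d/proxy;
        add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate";
        expires 0;
    }
    location ~ ^/space/(css|fonts|img|js) {
        proxy_pass http://meta-space;
        include /etc/nginx/conf.d/include.d/proxy;
        #add_header x_debug $upstream_addr;
        #add_header x_debug $request;
        access_log off;
        expires 1y;
        add_header Cache-Control 'max-age=31536000'; # one year
        rewrite ^/space(.*) /$1 break;
    }
    location /mspace/ {
        proxy_pass http://meta-mspace/;
        include /etc/nginx/conf.d/include.d/proxy;
        add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate";
        expires 0;
    }
    location ~ ^/mspace/(css|fonts|img|js) {
        proxy_pass http://meta-mspace;
        include /etc/nginx/conf.d/include.d/proxy;
        #add_header x_debug $upstream_addr;
        #add_header x_debug $request;
        access_log off;
        expires 1y;
        add_header Cache-Control 'max-age=31536000'; # one year
        rewrite ^/mspace(.*) /$1 break;
    }
    #----- redirect to mobile check (starts) -----#
    set $mobile_rewrite do_not_perform;
    # this regex string is actually much longer to match more mobile devices
    if ($http_user_agent ~* "android|ip(ad|hone|od)|kindle") {
        set $mobile_rewrite perform;
    }
    if ($mobile_rewrite = perform) {
        rewrite ^/space/(.*) /mspace/$1 redirect;
        break;
    }
    if ($mobile_rewrite = do_not_perform) {
        rewrite ^/mspace/(.*) /space/$1 redirect;
        break;
    }
    #----- redirect to mobile check (ends) -----#
}
EOF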
4.8 生成proxy选项
# Shared proxy options included by the /meta/, /space/ and /mspace/ locations
# in meta_locations and meta_server.
# nginx inherits proxy_set_header from the enclosing level only when the
# current level defines none, so a location that includes this file sends
# X-Real-IP and X-Forwarded-Host but NOT the http-level Host, Upgrade,
# Connection and X-Forwarded-For headers. NOTE(review): add those here if the
# upstreams need them — confirm against the applications.
mkdir -p /home/nginx/conf/conf.d/include.d && tee /home/nginx/conf/conf.d/include.d/proxy <<-'EOF'
proxy_cache off;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $server_name;
EOF
5. 启动Docker
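# Start nginx on the host network (no port mapping; see the note at the top of
# the page). nginx.conf, conf.d and the certificates are mounted read-only —
# nginx never writes to them, and the original left nginx.conf writable while
# conf.d and ssl were already :ro. Logs and html stay writable from the host.
# --restart=always brings the container back after a daemon restart or reboot.
docker run -d --net=host --name nginx --restart=always \
  -v /etc/localtime:/etc/localtime:ro \
  -v /home/nginx/conf/nginx.conf:/etc/nginx/nginx.conf:ro \
  -v /home/nginx/conf/conf.d/:/etc/nginx/conf.d:ro \
  -v /home/nginx/logs:/var/log/nginx \
  -v /home/nginx/ssl:/etc/nginx/ssl:ro \
  -v /home/nginx/html:/usr/share/nginx/html \
  nginx:1.21.6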
6. 打通防火墙
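# Open the listeners permanently (80 redirect, 443 application, 9443 admin)
# and reload so the rules apply to the running firewall. The original spelled
# the option `--permanen`; firewall-cmd's option parser happens to accept the
# unambiguous prefix, but the full name is what the tool documents.
# 8079 (the plain-HTTP server in meta_server) is not opened here. The 9443
# admin listener becomes reachable from every network this zone serves; on an
# internet-facing host restrict it to the admin network with a rich rule instead.
firewall-cmd --permanent --add-port 80/tcp \
  && firewall-cmd --permanent --add-port 443/tcp \
  && firewall-cmd --permanent --add-port 9443/tcp \
  && firewall-cmd --reload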