docker镜像发布的应用程序,其配置https的流程
1、docker启动命令:将443端口映射出来,其中注意 /root/app/nginx/ai-ssl(证书存放路径)、/data/app/ai-nginx/nginx.conf(nginx的配置路径)
docker run -d --restart=always -p 12324:80 -p 8443:443 -v /root/app/nginx/ai-ssl:/etc/ssl/agent -v /data/app/ai-nginx/nginx.conf:/etc/nginx/nginx.conf registry.cn-hangzhou.aliyuncs.com/suqinghua/ai-web:0.0.1
2、配置 /data/app/ai-nginx/nginx.conf文件,暴露443端口:
server {
listen 443 ssl;
server_name localhost;
add_header X-Frame-Options DENY; # 可以根据需求选择 DENY、SAMEORIGIN 或 ALLOW-FROM
ssl_certificate /etc/ssl/agent/ca.crt; #证书路径及文件名
ssl_certificate_key /etc/ssl/agent/ca.key; #证书路径及文件名
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
add_header Permissions-Policy "microphone=*" always;
#add_header Feature-Policy "microphone *" always;
location / {
root /home/nginx/www/dist/digital-web;
try_files $uri $uri/ /index.html;
index index.html index.htm;
}
location /prod-api/{
proxy_cache off; # 转发流式数据
proxy_buffering off;
chunked_transfer_encoding on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 300;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header REMOTE-HOST $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Scheme $scheme; # 关键:透传HTTPS协议
proxy_pass http://ip:38081/;
}
location /profile/{
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header REMOTE-HOST $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Scheme $scheme; # 关键:透传HTTPS协议
proxy_pass http://ip:38081/profile/;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
3、将证书放置 /root/app/nginx/ai-ssl路径下,如下:
root@ssdmx62:~/app/nginx/aihd-ssl# ls
ca.crt ca.key
需要注意的是,文件名要与nginx中的文件名对应(下列代码出现在步骤二中的nginx.conf文件):
ssl_certificate /etc/ssl/agent/ca.crt;
ssl_certificate_key /etc/ssl/agent/ca.key;
4、下面就可以通过域名:8443访问应用。