구조
.env
compose.yml
init-letsencrypt.sh
nginx / nginx.conf
nginx / catch-prize-front
hellonode / Dockerfile
hellonode / app.js
hellonode / package.json
certbot(자동생성)
[.env]
MYSQL_ROOT_PASSWORD=ssafy
MYSQL_PORT=13308
HELLO_PORT=8085
[compose.yml]
services:
mysql:
container_name: mysql-container
image: mysql:8.0
restart: always
volumes:
- mysql-volume:/var/lib/mysql
environment:
MYSQL_ROOT_PASSWORD: "${MYSQL_ROOT_PASSWORD}"
MYSQL_DATABASE: todos
expose:
- "${MYSQL_PORT}"
nginx:
container_name: nginx-container
depends_on:
- hellonode
image: nginx:1.23.1
restart: always
ports:
- "80:80"
- "443:443"
volumes:
- ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
- ./nginx/catch-prize-front:/var/nginx/catch-prize-front:ro
- ./certbot/conf:/etc/letsencrypt:ro
- ./certbot/www:/var/www/certbot:ro
networks:
- backend
command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
certbot:
container_name: certbot-container
image: certbot/certbot:latest
restart: unless-stopped
volumes:
- ./certbot/conf:/etc/letsencrypt:rw
- ./certbot/www:/var/www/certbot:rw
entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
hellonode:
container_name: hello-node-container
image: hello-node:1.0.0
build:
context: ./hellonode
dockerfile: Dockerfile
args:
HELLO_PORT: ${HELLO_PORT}
environment:
HELLO_PORT: "${HELLO_PORT}"
expose:
- "${HELLO_PORT}"
networks:
- backend
volumes:
mysql-volume:
networks:
backend:
driver: bridge
[init-letsencrypt.sh]
#!/bin/bash
if ! [ -x "$(command -v docker-compose)" ]; then
echo 'Error: docker-compose is not installed.' >&2
exit 1
fi
domains="catch-prize.com"
rsa_key_size=4096
data_path="./certbot"
email="berry2971@hanmail.net" # Adding a valid address is strongly recommended
staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits
if [ -d "$data_path" ]; then
read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
exit
fi
fi
if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
echo "### Downloading recommended TLS parameters ..."
mkdir -p "$data_path/conf"
curl -s <https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf> > "$data_path/conf/options-ssl-nginx.conf"
curl -s <https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem> > "$data_path/conf/ssl-dhparams.pem"
echo
fi
echo "### Creating dummy certificate for $domains ..."
path="/etc/letsencrypt/live/$domains"
mkdir -p "$data_path/conf/live/$domains"
docker-compose run --rm --entrypoint "\
openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 1\
-keyout '$path/privkey.pem' \
-out '$path/fullchain.pem' \
-subj '/CN=localhost'" certbot
echo
echo "### Starting nginx ..."
docker-compose up --force-recreate -d nginx
echo
echo "### Deleting dummy certificate for $domains ..."
docker-compose run --rm --entrypoint "\
rm -Rf /etc/letsencrypt/live/$domains && \
rm -Rf /etc/letsencrypt/archive/$domains && \
rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
echo
echo "### Requesting Let's Encrypt certificate for $domains ..."
#Join $domains to -d args
domain_args=""
for domain in "${domains[@]}"; do
domain_args="$domain_args -d $domain"
done
# Select appropriate email arg
case "$email" in
"") email_arg="--register-unsafely-without-email" ;;
*) email_arg="--email $email" ;;
esac
# Enable staging mode if needed
if [ $staging != "0" ]; then staging_arg="--staging"; fi
docker-compose run --rm --entrypoint "\
certbot certonly --webroot -w /var/www/certbot \
$staging_arg \
$email_arg \
$domain_args \
--rsa-key-size $rsa_key_size \
--agree-tos \
--force-renewal" certbot
echo
echo "### Reloading nginx ..."
docker-compose exec nginx nginx -s reload
[nginx / nginx.conf]
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
##### Basic Settings #####
sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
server_tokens off;
server_names_hash_bucket_size 64;
server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##### SSL Settings #####
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##### Logging Settings #####
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##### Gzip Settings #####
gzip on;
#gzip_disable "msie6";
#gzip_vary on;
#gzip_proxied any;
#gzip_comp_level 6;
#gzip_min_length 500;
#gzip_buffers 16 8k;
#gzip_http_version 1.1;
#gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##### Virtual Host Configs #####
#include /etc/nginx/conf.d/*.conf;
#include /etc/nginx/sites-enabled/*;
resolver 127.0.0.11 ipv6=off valid=30s;
resolver_timeout 10s;
upstream sss {
server hellonode:8085;
}
server {
listen 80;
listen [::]:80;
server_name catch-prize.com www.catch-prize.com;
server_tokens off;
access_log /var/log/nginx/catch-prize-80.access.log.main;
resolver 127.0.0.11;
location /.well-known/acme-challenge/ {
allow all;
root /var/www/certbot;
}
# location / {
# proxy_pass <http://sss/>;
# proxy_http_version 1.1;
# proxy_set_header Connection "";
# }
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
server_name catch-prize.com www.catch-prize.com;
server_tokens off;
resolver 127.0.0.11;
ssl_certificate /etc/letsencrypt/live/catch-prize.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/catch-prize.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
location / {
proxy_pass <http://sss/>;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
}