Today I happened to be helping a friend move his server, so I set up the basic configuration of the server, but ran into some problems along the way. It turns out that current Google Chrome / Safari will forcibly convert http to https. At first I didn't know what was going on and reset the domain name records. Moreover, when pinging, the domain name resolved successfully to the server address. So I turned my attention to the http -> https step. I used WeChat's built-in browser and found that the http domain name was reachable there. So I set up a certificate.

The certificate tool I use here, acme.sh, is also free and can be found on GitHub. Let's download it first.

```bash
curl https://get.acme.sh | sh
```

Then reload bash:

```bash
source ~/.bashrc
```

At this point acme.sh can be used.

After the installation is complete, we start issuing certificates. Here we use the DNS API directly to complete domain name verification and the other steps. For details, please see dnsapi.

Suppose I take GoDaddy as an example. First set the key and secret in the terminal configuration file (both are obtained from the service provider):

```bash
export GD_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
export GD_Secret="asdfsdfsdfsdfdfsdf"
```

Next, we enter the issue command:

```bash
# Quote the wildcard so the shell does not try to expand it as a glob
acme.sh --issue --dns dns_gd -d demo.com -d '*.demo.com'
```

A certificate file will be generated here. Usually it is saved in /root/.acme.sh/xxx.com/xxx.com.cer.

To make our docker volume easier to maintain, we create a separate folder to store these certificates:

```bash
mkdir -p /opt/www/nginx/ssl
```

Then enter the following command to put the certificate in the ssl directory:

```bash
acme.sh --install-cert -d demo.com \
  --key-file /opt/www/nginx/ssl/demo.com.key \
  --fullchain-file /opt/www/nginx/ssl/demo.com.crt
```

You can now see two files under /opt/www/nginx/ssl. At this point, the configuration of the domain name certificate is complete.

Then we configure docker-compose.yml, since the containers are created with docker-compose:

```yaml
version: '3.5'
services:
  app:
    image: nginx:1.19.8
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./conf/nginx.conf:/etc/nginx/nginx.conf   # Configuration file
      - /opt/www:/opt/www                         # Project directory
      - /opt/www/nginx/ssl:/opt/www/ssl           # Certificate file
    restart: always
networks:
  default:
    name: default-network
```

After writing the yml file, let's configure nginx. Before configuring the nginx settings, we must first generate the DHE parameter file used for key exchange:

```bash
openssl dhparam -out /opt/www/nginx/ssl/dhparam.pem 2048
```

Then I configure nginx. First create a directory.

```nginx
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    location /.well-known/acme-challenge {
        root /opt/www/letsencrypt;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}
```

The above configuration redirects all http requests to https. Then we configure our own domain name:

```nginx
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name demo.com;

    root /opt/www/html;
    index index.html index.htm index.php;

    # Diffie-Hellman key exchange
    ssl_dhparam /opt/www/ssl/dhparam.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;

    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;

    # Certificate file
    ssl_certificate /opt/www/ssl/demo.com.crt;
    ssl_certificate_key /opt/www/ssl/demo.com.key;

    # Enable HSTS Preload support
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    access_log /var/log/nginx/demo.com.access.log;
    error_log /var/log/nginx/demo.com.error.log;
}
```

If there are subdomains that need to be configured, just copy the above configuration and modify the lines shown below. The other settings can remain unchanged. An A record for the subdomain also needs to be added at the domain name service provider.

```nginx
server {
    listen 443 ssl http2;         # Note that there is no default_server here
    listen [::]:443 ssl http2;    # Note that there is no default_server here
    server_name example.demo.com; # Subdomain

    access_log /var/log/nginx/example.demo.com.access.log;
    error_log /var/log/nginx/example.demo.com.error.log;
}
```

The final nginx conf is:

```nginx
events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 300;

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;

        location /.well-known/acme-challenge {
            root /opt/www/letsencrypt;
        }

        location / {
            return 301 https://$host$request_uri;
        }
    }

    server {
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;
        server_name demo.com;

        root /opt/www/html;
        index index.html index.htm index.php;

        # Diffie-Hellman key exchange
        ssl_dhparam /opt/www/ssl/dhparam.pem;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
        ssl_prefer_server_ciphers on;

        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout 1d;

        # Certificate file
        ssl_certificate /opt/www/ssl/demo.com.crt;
        ssl_certificate_key /opt/www/ssl/demo.com.key;

        # Enable HSTS Preload support
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";

        access_log /var/log/nginx/demo.com.access.log;
        error_log /var/log/nginx/demo.com.error.log;
    }
}
```

At this point our configuration is basically complete. Now just run the command:

```bash
docker-compose -f docker-compose.yml up -d
```

This completes the nginx + https multi-domain name configuration in docker.
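As an added example (not part of the original article), this Python check reads the `ssl_protocols`, `ssl_ciphers` and HSTS directives used above and lists the settings a current TLS baseline would drop. Both sample configs are constructed: the first is a shortened copy of the article's directives, the second a tightened variant assumed for comparison; the function names are illustrative.

```python
import re

# Constructed sample: the article's TLS directives, cipher list shortened.
PAGE_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-SHA:DES-CBC3-SHA:!DSS';
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
"""
# Constructed sample: a tightened variant (assumption, not from the article).
HARDENED_CONF = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384';
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
"""
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1: RFC 8996

def directive(conf, name):
    """Return the arguments of the first `name ...;` directive, or ''."""
    m = re.search(r"^\s*" + re.escape(name) + r"\s+(.*?);\s*$", conf, re.M)
    return m.group(1) if m else ""

def cipher_issues(suite):
    """Findings for one OpenSSL suite name (TLS <= 1.2 naming, as on this page)."""
    issues = []
    if "DES" in suite.split("-"):
        issues.append("3DES, 64-bit block cipher")
    if not suite.startswith(("ECDHE-", "DHE-", "EDH-")):
        issues.append("static RSA key exchange, no forward secrecy")
    if "GCM" not in suite and "CHACHA20" not in suite:
        issues.append("CBC mode instead of AEAD")
    return issues

def audit(conf):
    """List weak TLS settings found in an nginx config fragment."""
    findings = [f"protocol {p} is deprecated"
                for p in directive(conf, "ssl_protocols").split()
                if p in DEPRECATED_PROTOCOLS]
    for suite in directive(conf, "ssl_ciphers").strip("'\"").split(":"):
        if suite and not suite.startswith("!"):   # "!DSS" is an exclusion
            findings += [f"{suite}: {i}" for i in cipher_issues(suite)]
    hsts = directive(conf, "add_header Strict-Transport-Security")
    if hsts and not hsts.endswith("always"):
        findings.append("HSTS header lacks 'always' (omitted on error responses)")
    return findings

if __name__ == "__main__":
    for label, conf in (("article", PAGE_CONF), ("hardened", HARDENED_CONF)):
        print(label, *audit(conf), sep="\n  ")
```

Because the HSTS header carries `includeSubDomains; preload`, every subdomain must serve valid HTTPS before this policy is deployed, since browsers that have seen it will refuse plain http for the whole domain.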