Docker安装Nginx配置SSL PHP 列表 反代

发布于 2021-12-11  33 次阅读


Docker安装Nginx

# Fetch the web-server image. The bare name resolves to the :latest tag; for a
# reproducible deployment pin an explicit version tag (or an @sha256 digest)
# so an upstream push cannot silently change what gets deployed.
docker image pull nginx:latest

拷贝配置文件

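# Bootstrap step: extract the image's default /etc/nginx so it can be edited
# on the host and bind-mounted into the real container later.
# A created (never started) container is enough for `docker cp`, so nothing
# has to listen on a host port just to copy the defaults out.
mkdir -p /data/nginx/www /data/nginx/logs
docker create --name nginx nginx
# Copying a directory to a destination that does not exist yet creates it under
# that name, so the config lands directly as /data/nginx/conf (no mv needed).
docker container cp nginx:/etc/nginx /data/nginx/conf
docker rm nginx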

创建欢迎页

# Create the landing page, then start the real container with the site files,
# the log directory and the extracted config bind-mounted from /data/nginx.
# NOTE(review): nginx only reads /etc/nginx; as far as I can tell the official
# image's entrypoint writes there only when a templates/ directory is present,
# so a ":ro" suffix on the conf mount would be a cheap hardening — confirm.
nano /data/nginx/www/index.html
docker run --detach \
  --publish 80:80 --publish 443:443 \
  --name nginx \
  --volume /data/nginx/www:/usr/share/nginx/html \
  --volume /data/nginx/logs:/var/log/nginx \
  --volume /data/nginx/conf:/etc/nginx \
  nginx

创建网站配置文件

# Per-site config lives in conf.d/ of the bind-mounted config directory; the
# file name is arbitrary, but one file per site named after it keeps the
# directory easy to audit.
nano /data/nginx/conf/conf.d/【xxx.xxx.xxx.conf】
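server {
  listen 80;
  listen [::]:80;

  server_name 【xxx.xxx xxx.xxx.xxx】;
  access_log /var/log/nginx/【xxx.xxx.xxx】_nginx.log combined;
  index index.html index.htm index.php;
  root /usr/share/nginx/html;

  # Regex locations are tried in file order and the first match wins, so the
  # deny rule for dotfiles and VCS metadata goes first: placed last (as it was)
  # a path such as /.git/x.png was caught by the asset rules below and served.
  location ~ /(\.user\.ini|\.ht|\.git|\.svn|\.project|LICENSE|README\.md) {
    deny all;
  }

  # Hotlink protection for media/archives: only requests with no Referer, a
  # stripped Referer, or one of our own names may fetch these.
  location ~ .*\.(wma|wmv|asf|mp3|mmf|zip|rar|jpg|gif|png|swf|flv|mp4)$ {
    valid_referers none blocked 【xxx.xxx xxx.xxx.xxx】;
    if ($invalid_referer) {
        return 403;
    }
  }

  # NOTE(review): jpg/gif/png/swf/flv/mp4 already matched the referer rule
  # above, so this 30-day cache rule only reaches jpeg/bmp/ico; merge the two
  # if the cache headers were meant for all images.
  location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
    expires 30d;
    access_log off;
  }
  # The original pattern had a trailing "?" that made the extension optional
  # (it also matched any URI ending in a bare "."); only js/css is intended.
  location ~ .*\.(js|css)$ {
    expires 7d;
    access_log off;
  }
}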

Docker签发证书

# Free ports 80/443 first: the issuer binds them itself for HTTP-01 validation.
docker stop nginx
# NOTE(review): NET_ADMIN is a broad capability; the image's own docs tie it to
# its optional fail2ban feature, so it should not be needed for issuance alone —
# confirm before dropping it. The image has also since been renamed upstream
# (linuxserver/swag); check which name is still maintained before pulling.
# Optional: add "--env SUBDOMAINS=www \" to cover the www name as well.
docker run --detach \
  --cap-add=NET_ADMIN \
  --name=letsencrypt \
  --volume /data/letsencrypt/【文件夹】:/config \
  --env PGID=1002 --env PUID=1001 \
  --env URL=【域名 or 根域名】 \
  --env VALIDATION=http \
  --publish 80:80 --publish 443:443 \
  --env TZ=Asia/Shanghai \
  linuxserver/letsencrypt
# Follow the log until it prints "Server ready" (exit with Ctrl+C; Ctrl+Z would
# only suspend the command and leave it stopped in the background).
docker logs -f letsencrypt

配置SSL

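# Hand nginx only the key material it needs, not the whole issuer tree:
# /data/letsencrypt/【文件夹】 typically also holds the ACME account, fail2ban
# state and (for DNS validation) provider credentials, none of which belongs
# under the web server's config directory.
mkdir -p /data/nginx/conf/ssl/【文件夹】/keys
# -L follows symlinks, in case keys/ points into the issuer's live/ directory;
# a plain -r would copy dangling links.
cp -L -- /data/letsencrypt/【文件夹】/keys/cert.crt \
         /data/letsencrypt/【文件夹】/keys/cert.key \
         /data/nginx/conf/ssl/【文件夹】/keys/
chmod 600 -- /data/nginx/conf/ssl/【文件夹】/keys/cert.key
# NOTE(review): this is a one-off snapshot. The certificate is short-lived and
# the copy is not refreshed on renewal; either repeat this copy (and reload
# nginx) after each renewal, or bind-mount the issuer's keys/ directory into
# the nginx container read-only instead.
nano /data/nginx/conf/conf.d/【xxx.xxx.xxx.conf】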
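server {
  listen 80;
  listen [::]:80;

  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  ssl_certificate /etc/nginx/ssl/【文件夹】/keys/cert.crt;
  ssl_certificate_key /etc/nginx/ssl/【文件夹】/keys/cert.key;
  # TLS 1.0/1.1 are deprecated (RFC 8996) and flagged by every current scanner;
  # nothing that still needs them should be talking to this host.
  ssl_protocols TLSv1.2 TLSv1.3;
  # 3DES (Sweet32) dropped. The RSA+ entries keep RSA key exchange, which has no
  # forward secrecy, for old clients; remove them if no such clients exist.
  # NOTE(review): the TLS13-* names are most likely ignored here — with
  # OpenSSL 1.1.1+ the TLS 1.3 suites are not chosen through ssl_ciphers — so
  # they are harmless but do nothing; check the effective list with `nginx -T`.
  ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5:!3DES;
  ssl_prefer_server_ciphers on;
  ssl_session_timeout 10m;
  # Shared cache only: nginx's docs warn that the "builtin" cache can fragment
  # memory, and it adds nothing next to a shared one.
  ssl_session_cache shared:SSL:10m;
  ssl_buffer_size 1400;
  # NOTE(review): this server also answers plain HTTP on port 80 with the same
  # content, and browsers ignore HSTS on HTTP responses. A separate port-80
  # server returning 301 https://$host$request_uri (ACME challenge path aside)
  # is what makes this header effective.
  add_header Strict-Transport-Security max-age=15768000;
  ssl_stapling on;
  # NOTE(review): stapling verification needs the issuer chain; if cert.crt is
  # only the leaf certificate, add ssl_trusted_certificate pointing at the
  # chain file — confirm what the issuer wrote to keys/.
  ssl_stapling_verify on;

  server_name 【xxx.xxx xxx.xxx.xxx】;
  access_log /var/log/nginx/【xxx.xxx.xxx】_nginx.log combined;
  index index.html index.htm index.php;
  root /usr/share/nginx/html;

  # Regex locations are tried in file order and the first match wins, so the
  # deny rule for dotfiles and VCS metadata goes first: placed last (as it was)
  # a path such as /.git/x.png was caught by the asset rules below and served.
  location ~ /(\.user\.ini|\.ht|\.git|\.svn|\.project|LICENSE|README\.md) {
    deny all;
  }

  # Hotlink protection for media/archives: only requests with no Referer, a
  # stripped Referer, or one of our own names may fetch these.
  location ~ .*\.(wma|wmv|asf|mp3|mmf|zip|rar|jpg|gif|png|swf|flv|mp4)$ {
    valid_referers none blocked 【xxx.xxx xxx.xxx.xxx】;
    if ($invalid_referer) {
        return 403;
    }
  }

  # NOTE(review): jpg/gif/png/swf/flv/mp4 already matched the referer rule
  # above, so this 30-day cache rule only reaches jpeg/bmp/ico; merge the two
  # if the cache headers were meant for all images.
  location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
    expires 30d;
    access_log off;
  }
  # The original pattern had a trailing "?" that made the extension optional
  # (it also matched any URI ending in a bare "."); only js/css is intended.
  location ~ .*\.(js|css)$ {
    expires 7d;
    access_log off;
  }
}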
# Stop the issuer once the keys exist (it would otherwise keep 80/443 busy) and
# bring nginx back with the new SSL config.
# NOTE(review): stopping it also stops the automatic renewal it would run, so
# the copied certificate has to be refreshed by hand before it expires.
docker container stop letsencrypt
docker container start nginx

安装PHP

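# php-fpm must be reachable by nginx only. Publishing 9000 on the host
# (-p 9000:9000) binds it on every interface, so anyone who can reach the host
# can hand FastCGI requests straight to PHP. Put both containers on a private
# network instead and point fastcgi_pass at the container name (php-fpm:9000);
# no published port is needed then. The network name below is arbitrary.
# (inspect is only a does-it-exist probe, so its output is discarded)
docker network inspect nginx-net >/dev/null 2>&1 || docker network create nginx-net
docker network connect nginx-net nginx
# NOTE(review): "php:fpm" is a floating tag; pin a specific version tag for
# reproducible deployments.
docker run --detach --name php-fpm \
  --network nginx-net \
  --volume /data/nginx/www/:/var/www/html/ \
  php:fpm
docker stop nginx
nano /data/nginx/conf/conf.d/【xxx.xxx.xxx.conf】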
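server {
  listen 80;
  listen [::]:80;

  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  ssl_certificate /etc/nginx/ssl/【文件夹】/keys/cert.crt;
  ssl_certificate_key /etc/nginx/ssl/【文件夹】/keys/cert.key;
  # TLS 1.0/1.1 are deprecated (RFC 8996) and flagged by every current scanner;
  # nothing that still needs them should be talking to this host.
  ssl_protocols TLSv1.2 TLSv1.3;
  # 3DES (Sweet32) dropped. The RSA+ entries keep RSA key exchange, which has no
  # forward secrecy, for old clients; remove them if no such clients exist.
  # NOTE(review): the TLS13-* names are most likely ignored here — with
  # OpenSSL 1.1.1+ the TLS 1.3 suites are not chosen through ssl_ciphers — so
  # they are harmless but do nothing; check the effective list with `nginx -T`.
  ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5:!3DES;
  ssl_prefer_server_ciphers on;
  ssl_session_timeout 10m;
  # Shared cache only: nginx's docs warn that the "builtin" cache can fragment
  # memory, and it adds nothing next to a shared one.
  ssl_session_cache shared:SSL:10m;
  ssl_buffer_size 1400;
  # NOTE(review): this server also answers plain HTTP on port 80 with the same
  # content, and browsers ignore HSTS on HTTP responses. A separate port-80
  # server returning 301 https://$host$request_uri (ACME challenge path aside)
  # is what makes this header effective.
  add_header Strict-Transport-Security max-age=15768000;
  ssl_stapling on;
  # NOTE(review): stapling verification needs the issuer chain; if cert.crt is
  # only the leaf certificate, add ssl_trusted_certificate pointing at the
  # chain file — confirm what the issuer wrote to keys/.
  ssl_stapling_verify on;

  server_name 【xxx.xxx xxx.xxx.xxx】;
  access_log /var/log/nginx/【xxx.xxx.xxx】_nginx.log combined;
  index index.html index.htm index.php;
  # Adjust to the site's directory, e.g. /usr/share/nginx/html/xxx.xxx.xxx.
  root /usr/share/nginx/html;

  # Regex locations are tried in file order and the first match wins, so the
  # deny rule for dotfiles and VCS metadata goes first: placed last (as it was)
  # a path such as /.git/x.png was caught by the asset rules below and served.
  location ~ /(\.user\.ini|\.ht|\.git|\.svn|\.project|LICENSE|README\.md) {
    deny all;
  }

  # Hotlink protection for media/archives: only requests with no Referer, a
  # stripped Referer, or one of our own names may fetch these.
  location ~ .*\.(wma|wmv|asf|mp3|mmf|zip|rar|jpg|gif|png|swf|flv|mp4)$ {
    valid_referers none blocked 【xxx.xxx xxx.xxx.xxx】;
    if ($invalid_referer) {
        return 403;
    }
  }

  # PHP runs in the separate php-fpm container, which sees the shared volume
  # (/data/nginx/www) at /var/www/html while this container sees it under the
  # server root above. The location therefore keeps this server's root so nginx
  # can check that the script exists, and translates the path for php-fpm.
  # (The original set root /var/www/html here, a path that does not exist in
  # the nginx container, so no such check was possible.)
  location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    # Refuse anything that does not resolve to a real .php file on the volume.
    # Without this a URI like /x.jpg/y.php is handed to php-fpm, which may run
    # x.jpg as PHP when cgi.fix_pathinfo is enabled. try_files is not used
    # because it resets $fastcgi_path_info.
    if (!-f $document_root$fastcgi_script_name) {
      return 404;
    }
    # httpoxy: never let a client-supplied Proxy header reach PHP as HTTP_PROXY.
    fastcgi_param HTTP_PROXY "";
    # If php-fpm shares a docker network with nginx, use its container name
    # here instead of a published host port.
    fastcgi_pass 【IP】:9000;
    fastcgi_index index.php;
    # Same site subdirectory as root above, e.g. /var/www/html/xxx.xxx.xxx.
    fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_param PATH_TRANSLATED /var/www/html$fastcgi_path_info;
    include fastcgi_params;
  }

  # NOTE(review): jpg/gif/png/swf/flv/mp4 already matched the referer rule
  # above, so this 30-day cache rule only reaches jpeg/bmp/ico; merge the two
  # if the cache headers were meant for all images.
  location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
    expires 30d;
    access_log off;
  }
  # The original pattern had a trailing "?" that made the extension optional
  # (it also matched any URI ending in a bare "."); only js/css is intended.
  location ~ .*\.(js|css)$ {
    expires 7d;
    access_log off;
  }
}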
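# Write the probe straight to its final path rather than cd'ing first: if the
# cd failed, the original would have dropped info.php into whatever the current
# directory was. Adjust the path to the site's directory, e.g.
# /data/nginx/www/xxx.xxx.xxx/info.php.
printf '%s\n' '<?php echo phpinfo();' > /data/nginx/www/info.php
docker start nginx
# phpinfo() discloses PHP/OS versions, paths and environment variables; remove
# the probe as soon as the check has passed:
#   rm -- /data/nginx/www/info.php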

访问 【xxx.xxx.xxx】/info.php，出现配置信息即成功。

配置nginx反向代理

# Replace the site's server block with the reverse-proxy version that follows.
nano /data/nginx/conf/conf.d/【xxx.xxx.xxx.conf】
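server {
  listen 80;
  listen [::]:80;

  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  ssl_certificate /etc/nginx/ssl/【文件夹】/keys/cert.crt;
  ssl_certificate_key /etc/nginx/ssl/【文件夹】/keys/cert.key;
  # TLS 1.0/1.1 are deprecated (RFC 8996) and flagged by every current scanner;
  # nothing that still needs them should be talking to this host.
  ssl_protocols TLSv1.2 TLSv1.3;
  # 3DES (Sweet32) dropped. The RSA+ entries keep RSA key exchange, which has no
  # forward secrecy, for old clients; remove them if no such clients exist.
  # NOTE(review): the TLS13-* names are most likely ignored here — with
  # OpenSSL 1.1.1+ the TLS 1.3 suites are not chosen through ssl_ciphers — so
  # they are harmless but do nothing; check the effective list with `nginx -T`.
  ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5:!3DES;
  ssl_prefer_server_ciphers on;
  ssl_session_timeout 10m;
  # Shared cache only: nginx's docs warn that the "builtin" cache can fragment
  # memory, and it adds nothing next to a shared one.
  ssl_session_cache shared:SSL:10m;
  ssl_buffer_size 1400;
  # NOTE(review): this server also answers plain HTTP on port 80 with the same
  # content, and browsers ignore HSTS on HTTP responses. A separate port-80
  # server returning 301 https://$host$request_uri (ACME challenge path aside)
  # is what makes this header effective.
  add_header Strict-Transport-Security max-age=15768000;
  ssl_stapling on;
  # NOTE(review): stapling verification needs the issuer chain; if cert.crt is
  # only the leaf certificate, add ssl_trusted_certificate pointing at the
  # chain file — confirm what the issuer wrote to keys/.
  ssl_stapling_verify on;

  server_name 【xxx.xxx xxx.xxx.xxx】;
  access_log /var/log/nginx/【xxx.xxx.xxx】_nginx.log combined;
  index index.html index.htm index.php;
  root /usr/share/nginx/html;

  # The php-fpm location from the previous step is intentionally absent here:
  # everything under / is proxied. Re-add it ahead of "location /" if PHP is
  # still served from this host.

  location / {
    # NOTE(review): traffic to the upstream is plain HTTP; fine on loopback or
    # a private docker network, otherwise use an https:// upstream.
    proxy_pass http://【反代地址】/;
    # Upstream Location headers are passed through untouched.
    proxy_redirect off;
    # Forward the original host, scheme and client address. The upstream must
    # only trust the last entry of X-Forwarded-For: earlier entries are
    # whatever the client sent.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    client_max_body_size 1000m;
  }
}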

将域名转发到本地另一个端口上

# Forward a host name to a service on a local port; nginx stays the only public
# listener, the app on 8080 is not exposed directly.
server{
  listen 80;
  server_name  tomcat.maskviral.com;
  # index has no effect in a location that only proxies; kept from the original.
  index  index.php index.html index.htm;
  location / {
    proxy_pass  http://127.0.0.1:8080; # forwarding target
    # Original note: rewrite the forwarded Host header so the app on 8080 gets
    # a proper request. $proxy_host is the upstream's host:port
    # (127.0.0.1:8080), which is also nginx's default; use $host instead if the
    # app needs the name the client actually asked for.
    proxy_set_header Host $proxy_host;
    proxy_set_header X-Real-IP $remote_addr;
    # Appends the client address to any X-Forwarded-For the client sent, so the
    # upstream must only trust the last entry.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }
}

这样访问 http://tomcat.maskviral.com 时就会转发到本地的 8080 端口

将域名转发到另一个域名

# Forward a host name to another domain. With Host set to $proxy_host the
# upstream sees its own name (www.baidu.com), not ours.
server{
  listen 80;
  server_name  baidu.maskviral.com;
  # index has no effect in a location that only proxies; kept from the original.
  index  index.php index.html index.htm;
  location / {
    # NOTE(review): plain HTTP to a remote upstream; prefer an https:// target
    # when the upstream supports it.
    proxy_pass  http://www.baidu.com;
    proxy_set_header Host $proxy_host;
    proxy_set_header X-Real-IP $remote_addr;
    # Appends the client address to any X-Forwarded-For the client sent, so the
    # upstream must only trust the last entry.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }
}

这样访问 http://baidu.maskviral.com 时就会转发到 http://www.baidu.com

本地一个端口转发到另一个端口或另一个域名

# Forward requests addressed by IP to another local port or another domain.
server{
  listen 80;
  # Original note: "public IP". As written the value is loopback, so it only
  # matches a Host header of 127.0.0.1; put the host's public address here if
  # the server should answer requests made by IP.
  server_name 127.0.0.1;
  # index has no effect in a location that only proxies; kept from the original.
  index  index.php index.html index.htm;
  location / {
    proxy_pass  http://127.0.0.1:8080; # or http://www.baidu.com
    proxy_set_header Host $proxy_host;
    proxy_set_header X-Real-IP $remote_addr;
    # Appends the client address to any X-Forwarded-For the client sent, so the
    # upstream must only trust the last entry.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }
}

这样访问 http://127.0.0.1 时就会转发到本地的 8080 端口或 http://www.baidu.com

加 / 与不加 /

在配置 proxy_pass 代理转发时，如果后面的 URL 以 / 结尾，表示绝对根路径：location 匹配到的前缀会被去掉，其余部分拼接到该 URL 之后；如果不以 / 结尾，表示相对路径：请求的完整 URI 原样拼接到该地址之后。

例如 加 /

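# Fragment (belongs inside a server block). With a trailing "/" on proxy_pass
# the matched prefix /data/ is replaced, so /data/index.html is requested from
# the upstream as /index.html. The missing ";" after server_name is added;
# nginx rejects the directive without it.
# NOTE(review): the name here is shaochenfeng.com while the surrounding text
# uses maskviral.com — they should agree.
server_name shaochenfeng.com;
location /data/ {
    proxy_pass http://127.0.0.1/;
}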

访问 http://maskviral.com/data/index.html 会转发到 http://127.0.0.1/index.html

不加 /

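# Fragment (belongs inside a server block). Without a trailing "/" on
# proxy_pass the full request URI is kept, so /data/index.html is requested
# from the upstream as /data/index.html. The missing ";" after server_name is
# added; nginx rejects the directive without it.
# NOTE(review): the name here is shaochenfeng.com while the surrounding text
# uses maskviral.com — they should agree.
server_name shaochenfeng.com;
location /data/ {
    proxy_pass http://127.0.0.1;
}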

访问 http://maskviral.com/data/index.html 会转发到 http://127.0.0.1/data/index.html

https://www.maskviral.com/nginx-reverse-proxy.html

Nginx开启列表功能

    # Directory listing for the server root. autoindex only takes effect when
    # none of the files named in "index" exists in the requested directory,
    # and it then lists everything there (backups, probes such as info.php
    # included) — restrict it with allow/deny or auth_basic on anything public.
    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
        # Original hint: list the nginx log directory instead.
        # NOTE(review): alias and root cannot both be set in one location
        # (nginx rejects the duplicate), and exposing /var/log/nginx over the
        # web publishes client IPs and request URLs to anyone who can browse.
        # alias /var/log/nginx/;
        autoindex on;
         # enable directory browsing
        autoindex_exact_size off;
         # default on: exact sizes in bytes; off shows rounded sizes in kB/MB/GB
        autoindex_localtime on;
         # default off: times shown in GMT; on shows the server's local time
        #add_header Cache-Control no-store;
         # keep browsers from caching the listing
    }

Love is merely a madness.