【docker启动nginx】
作者:mmseoamin日期:2024-04-27

docker启动nginx

  • docker启动nginx
    • 1. 抓取镜像并生成目录
    • 2. 生成自签名证书(生产环境需要到CA申请)
      • 2.1 首先将openssl拷贝到nginx/ssl目录
      • 2.2 编辑 openssl.cnf
      • 2.3 生成证书
      • 3. 生成Nginx basic认证密码
        • 3.1 安装httpd工具
        • 3.2 生成密码文件
        • 3.3 配置密码文件
        • 4. 配置Nginx
          • 4.1 生成nginx.conf文件
          • 4.2 生成default.conf(包含各个server块,每个server块监听指定的server_name和port)
          • 4.3 生成80_server(将HTTP请求转发为对应的HTTPS请求)
          • 4.4 生成admin_9443_server文件(用于管理员访问etcd, es, kibana, grafana等)
          • 4.5 生成meta_locations(一般无需改变)
          • 4.6 生成extra_locations(一般无需改变)
          • 4.7 生成meta_server
          • 4.8 生成proxy选项
          • 5. 启动Docker
          • 6. 打通防火墙
          • 7. 外部访问验证

            docker启动nginx

            nginx一般用作web服务器;为了公网访问通常需要申请HTTPS证书并进行配置,本次自行制作自签名证书。

            使用容器后,需要考虑网络以及配置和日志的持久化,本次复用宿主机网络,生产环境一般来说做端口映射。

            集群一般在前置添加负载均衡即可。

            1. 抓取镜像并生成目录

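            # Pull the pinned nginx image and create the host-side directories that
            # step 5 bind-mounts into the container. /home/nginx/html is created here
            # too: `docker run` in step 5 mounts it, and creating it up front avoids
            # docker implicitly creating it as a root-owned directory.
            docker pull nginx:1.21.6 &&
            mkdir -p /home/nginx/conf/conf.d \
                     /home/nginx/logs \
                     /home/nginx/ssl \
                     /home/nginx/html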
            

            2. 生成自签名证书(生产环境需要到CA申请)

            2.1 首先将openssl拷贝到nginx/ssl目录

            # Start from the host's stock OpenSSL config (RHEL/CentOS path; the page
            # uses yum) so the v3_req extension section can be enabled for the
            # self-signed certificate in the next step.
            cp -- /etc/pki/tls/openssl.cnf /home/nginx/ssl
            

            2.2 编辑 openssl.cnf

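            # Enable the v3_req extension section by uncommenting
            # `req_extensions = v3_req` in the [ req ] section of the copied
            # openssl.cnf (it ships commented out). Done with sed rather than an
            # interactive vi session so the step is repeatable; the grep shows the
            # resulting line so you can confirm the edit took effect.
            sed -i 's/^# *req_extensions = v3_req/req_extensions = v3_req/' /home/nginx/ssl/openssl.cnf &&
            grep -n '^req_extensions = v3_req' /home/nginx/ssl/openssl.cnf
            # NOTE(review): modern browsers also require a subjectAltName on server
            # certificates; if this cert is meant for a browser, additionally add
            # `subjectAltName = IP:<SERVER_IP>` (placeholder) under [ v3_req ].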
            

            2.3 生成证书

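            # Generate a self-signed certificate and an unencrypted (-nodes) RSA key
            # using the v3_req extensions enabled above; answer the DN prompts when
            # asked. Validity keeps the original default of 36500 days but can be
            # overridden with CERT_DAYS (e.g. CERT_DAYS=825).
            # NOTE(review): some TLS clients reject server certificates valid for
            # more than 825 days, so a shorter value is safer for browser access.
            cd /home/nginx/ssl &&
            openssl req -x509 -nodes -days "${CERT_DAYS:-36500}" -newkey rsa:2048 \
              -config openssl.cnf -extensions v3_req \
              -keyout /home/nginx/ssl/nginx.key -out /home/nginx/ssl/nginx.crt &&
            chmod 600 /home/nginx/ssl/nginx.key   # private key: owner-readable only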
            

            上面的证书生成命令会依次提示输入证书信息(国家、省、市、组织、部门、通用名/IP、邮箱等,即上面的 XX),最后两个可选项(challenge password、optional company name)直接回车跳过。

            # Reuse the same key pair under the "space" name; the 443 server block
            # with `server_name _` in meta_server references space.crt/space.key.
            src=/home/nginx/ssl/nginx; dst=/home/nginx/ssl/space
            cp -- "${src}.crt" "${dst}.crt" && cp -- "${src}.key" "${dst}.key"
            

            3. 生成Nginx basic认证密码

            3.1 安装httpd工具

            # httpd-tools provides the htpasswd utility used in the next step.
            yum -y install httpd-tools
            

            3.2 生成密码文件

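            # Create the basic-auth file with a single user "admin" (-c creates or
            # overwrites the file). Hash with bcrypt (-B) instead of the original -d:
            # -d selects crypt(3) DES, which silently uses only the first 8
            # characters of the password, so most of the 16-character random
            # password recommended below would be ignored. nginx checks -B hashes
            # through the container libc's crypt(); Debian-based nginx images accept
            # $2y$ bcrypt hashes — confirm this if a different base image is used.
            htpasswd -c -B /home/nginx/conf/conf.d/admin_pwd admin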
            

            然后输入16位随机密码(注意:若使用 -d 选项,即 crypt() 哈希,只有密码的前8位会被实际使用)

            注意:如果要从密码文件中删除该用户(-D):htpasswd -D -d /home/nginx/conf/conf.d/admin_pwd admin

            3.3 配置密码文件

            # Snippet included by the admin server block: enables HTTP basic auth
            # with the htpasswd file created above. The path is the in-container one
            # (/etc/nginx/conf.d), where step 5 bind-mounts /home/nginx/conf/conf.d
            # read-only.
            tee /home/nginx/conf/conf.d/admin_pwd.config <<-'EOF'
            auth_basic           "login";
            auth_basic_user_file /etc/nginx/conf.d/admin_pwd;
            EOF
            

            4. 配置Nginx

            4.1 生成nginx.conf文件

            # Main nginx.conf: http-level defaults inherited by every server block
            # (logging, proxy headers/timeouts, server_tokens off) plus the include of
            # conf.d/*.conf, through which default.conf pulls in the *_server files.
            # NOTE(review): `proxy_set_header Connection "upgrade"` is set
            # unconditionally at http level, so every proxied request carries an
            # Upgrade-style Connection header, not only WebSocket handshakes. The
            # conventional form derives it from $http_upgrade via a `map` block
            # (default upgrade, empty -> close) — consider that if upstreams misbehave.
            tee  /home/nginx/conf/nginx.conf <<-'EOF'
            user  nginx;
            worker_processes  auto;
            worker_cpu_affinity auto;
            error_log  /var/log/nginx/error.log warn;
            pid        /var/run/nginx.pid;
            events {
                worker_connections  1024;
            }
            http {
                include       /etc/nginx/mime.types;
                default_type  application/octet-stream;
                log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                                  '$status $body_bytes_sent "$http_referer" '
                                  '"$http_user_agent" "$http_x_forwarded_for"';
                access_log  /var/log/nginx/access.log  main;
                client_max_body_size    200m;
                sendfile        on;
                #tcp_nopush     on;
                keepalive_timeout  65;
            proxy_connect_timeout 1s;
                #gzip  on;
                root /usr/share/nginx/html;
                proxy_http_version 1.1;
                proxy_set_header Host $http_host;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_set_header X-Forwarded-For $remote_addr;  #如果不是第一层Nginx代理(例如学校防火墙就是Nginx代理),则要配置为$proxy_add_x_forwarded_for;
                include /etc/nginx/conf.d/*.conf;
            server_tokens off;
            }
            EOF
            

            4.2 生成default.conf(包含各个server块,每个server块监听指定的server_name和port)

            # default.conf is the only *.conf picked up by nginx.conf; it in turn
            # includes every *_server file in conf.d (80_server, admin_9443_server,
            # meta_server), so server blocks live in those files, not here.
            tee  /home/nginx/conf/conf.d/default.conf <<-'EOF'
            include /etc/nginx/conf.d/*_server;
            EOF
            

            4.3 生成80_server(将HTTP请求转发为对应的HTTPS请求)

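            # Port-80 catch-all: redirect every HTTP request to HTTPS. Uses
            # `return 301 https://$host$request_uri` (the form previously left
            # commented out) instead of `rewrite ^(.*)$ https://$host permanent`,
            # whose replacement had no URI part and so sent every deep link to the
            # site root. `server_name 0.0.0.0` matches only a literal Host: 0.0.0.0;
            # this block is chosen because it is the sole server listening on :80.
            tee  /home/nginx/conf/conf.d/80_server <<-'EOF'
            server {
                listen       80;
                server_name  0.0.0.0;
                return       301 https://$host$request_uri;
            }
            EOF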
            

            4.4 生成admin_9443_server文件(用于管理员访问etcd, es, kibana, grafana等)

            # Admin entry point on :9443 (TLS + basic auth via admin_pwd.config)
            # proxying to internal services (es, kibana, prometheus, grafana, etcd
            # tools, ...). Everything here is reachable by anyone holding the single
            # basic-auth password, so limit which sources may reach 9443 in step 6.
            # NOTE(review): `ssl_protocols TLSv1.1 TLSv1.2` still permits TLS 1.1,
            # which is deprecated (RFC 8996); `TLSv1.2 TLSv1.3` is the usual setting
            # for nginx 1.21 on a TLS 1.3-capable OpenSSL.
            # NOTE(review): /grafana/ sets X-WEBAUTH-USER to a fixed "admin" and
            # clears Authorization, i.e. Grafana (if running with auth.proxy) trusts
            # this header from nginx. That is only safe if Grafana accepts the header
            # solely from this host — confirm its auth.proxy whitelist.
            # NOTE(review): the regex location for /tools-etcd/ static assets has no
            # proxy_pass, so matching requests are served from the http-level root
            # (/usr/share/nginx/html) rather than from 127.0.0.1:8089 — confirm that
            # is intended.
            tee  /home/nginx/conf/conf.d/admin_9443_server <<-'EOF'
            server {
                listen 9443 ssl http2;
                server_name 192.168.100.149;
                ssl_certificate /etc/nginx/ssl/nginx.crt;  #使用自签名证书
                ssl_certificate_key /etc/nginx/ssl/nginx.key;
                ssl_protocols TLSv1.1 TLSv1.2;
                ssl_prefer_server_ciphers on;
                ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
                fastcgi_param   HTTPS               on;
                fastcgi_param   HTTP_SCHEME         https;
                server_tokens   off;
                #charset koi8-r;
                access_log  /var/log/nginx/access-admin.log;
                error_log   /var/log/nginx/error-admin.log;
                #添加basic认证
                include /etc/nginx/conf.d/admin_pwd.config;
                location /es {
                    rewrite /es(.*)  break;
                    proxy_pass http://libsys-cluster-3:9200;
                }
                location /es_log {
                    rewrite /es_log(.*)  break;
                    proxy_pass http://libsys-prom:9201;
                }
                location /kibana {
                    proxy_pass http://libsys-cluster-3:5601;
                }
                location /kibana_log {
                    proxy_pass http://libsys-prom:5602;
                }
                location /rc {
                    proxy_pass http://libsys-cluster-3:9877;
                }
                location /prom {
                   proxy_pass http://libsys-prom:9090;
                }
                location /grafana/ {
                   proxy_pass http://libsys-prom:3000/;
                   proxy_set_header X-WEBAUTH-USER admin;
                   proxy_set_header Authorization "";
                }
                location /tools-etcd {
                    proxy_pass http://127.0.0.1:8089;
                }
                location /nc {
                    proxy_pass http://127.0.0.1:8150;
                }
                location /bigdata-local {
                    proxy_pass http://libsys-mongo:8889;
                }
                location /libsys-ldbs {
                    proxy_pass http://127.0.0.1:8052;
                }
                location ~ ^/tools-etcd/.*\.(html|htm|gif|jpg|jpeg|bmp|png|ico|txt|js|css|json|woff|ttf|eof|woff2)$ {
                    gzip on;
                    gzip_min_length 100k;
                    gzip_types text/plain application/javascript application/x-javascript text/css application/xml application/json text/javascript;
                }
            }
            EOF
            

            4.5 生成meta_locations(一般无需改变)

            # Location map included at server level by the 443 and 8079 servers in
            # meta_server. Prefix locations route /meta-local/* to the upstreams
            # defined in meta_server; the /meta/, /space/ and /mspace/ blocks front
            # web UIs with no-cache headers, while the regex asset blocks cache for a
            # year. The trailing `if` blocks redirect between /space/ and /mspace/
            # based on the User-Agent.
            # NOTE(review): the asset locations end with `rewrite ^/meta(.*) / break;`
            # (likewise for /space and /mspace). The replacement is the literal `/`,
            # so every matching asset URI reaches the upstream as `/`. If the intent
            # was to strip only the prefix, `$1` looks like the intended replacement
            # — confirm against the paths the upstream expects.
            tee  /home/nginx/conf/conf.d/meta_locations <<-'EOF'
                location /meta-local/devops {
                    proxy_pass http://meta-devops;
                }
                location /meta-local/common {
                    proxy_pass http://meta-admin;
                }
                location /meta-local/sys {
                    proxy_pass http://meta-admin;
                }
                location /meta-local/user {
                    proxy_pass http://meta-admin;
                }
                location /meta-local/job {
                    proxy_pass http://meta-admin;
                }
                location /meta-local/admin {
                    proxy_pass http://meta-admin;
                }
                location /meta-local/pdf {
                    proxy_pass http://meta-admin;
                }
                location /meta-local/acq {
                    proxy_pass http://meta-acq;
                }
                location /meta-local/serial {
                    proxy_pass http://meta-acq;
                }
                location /meta-local/ckb {
                    proxy_pass http://meta-acq;
                }
                location /meta-local/file {
                    proxy_pass http://meta-acq;
                }
                location /meta-local/res {
                    proxy_pass http://meta-res;
                }
                location /meta-local/dc {
                    proxy_pass http://meta-dc;
                }
                location /meta-local/cs {
                    proxy_pass http://meta-cs;
                }
                location /meta-local/erm {
                    proxy_pass http://meta-erm;
                }
                location /meta-local/social {
                    proxy_pass http://meta-social;
                }
                location = /meta-local/stat {
                    proxy_pass http://meta-stat;
                }
               location /meta-local/stat/ {
                    proxy_pass http://meta-stat;
                }
                location /meta-local/indexer {
                    proxy_pass http://meta-indexer;
                }
                location /meta-local/sync {
                    proxy_pass http://meta-sync;
                }
                location /meta-local/opac {
                    proxy_read_timeout 60;
                    proxy_pass http://meta-opac;
                }
                location /meta-local/wechat {
                    proxy_read_timeout 60;
                    proxy_pass http://meta-wechat;
                }
                location /meta-local/api {
                    proxy_pass http://meta-api;
                }
                location /meta-local/gateway {
                    proxy_pass http://gateway;
                }
                location /meta-local/app/server {
                    proxy_pass http://meta-appserver;
                }
                location /meta/ {
                    proxy_pass http://meta-web/;
                    include    /etc/nginx/conf.d/include.d/proxy;
                    add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate";
                    expires 0;
                }
                location ~ ^/meta/assets/(.*) {
                    proxy_pass http://meta-web;
                    include    /etc/nginx/conf.d/include.d/proxy;
                    add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate";
                    expires 0;
                    rewrite ^/meta(.*) / break;
                }
                location ~ ^/meta/(.*)\.(js|css|woff|woff2|ttf|svg|eot|otf)$ {
                    proxy_pass http://meta-web;
                    include    /etc/nginx/conf.d/include.d/proxy;
                    #add_header x_debug $upstream_addr;
                    #add_header x_debug $request;
                    access_log off;
                    expires    1y;
                    add_header Cache-Control 'max-age=31536000'; # one year
                    rewrite ^/meta(.*) / break;
                }
                location /space/ {
                    proxy_pass http://meta-space/;
                    include    /etc/nginx/conf.d/include.d/proxy;
                    add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate";
                    expires 0;
                }
                location ~ ^/space/(css|fonts|img|js) {
                    proxy_pass http://meta-space;
                    include    /etc/nginx/conf.d/include.d/proxy;
                    #add_header x_debug $upstream_addr;
                    #add_header x_debug $request;
                    access_log off;
                    expires    1y;
                    add_header Cache-Control 'max-age=31536000'; # one year
                    rewrite ^/space(.*) / break;
                }
                location /mspace/ {
                    proxy_pass http://meta-mspace/;
                    include    /etc/nginx/conf.d/include.d/proxy;
                    add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate";
                    expires 0;
                }
                location ~ ^/mspace/(css|fonts|img|js) {
                    proxy_pass http://meta-mspace;
                    include    /etc/nginx/conf.d/include.d/proxy;
                    #add_header x_debug $upstream_addr;
                    #add_header x_debug $request;
                    access_log off;
                    expires    1y;
                    add_header Cache-Control 'max-age=31536000'; # one year
                    rewrite ^/mspace(.*) / break;
                }
                #----- redirect to mobile check (starts) -----#
                set $mobile_rewrite do_not_perform;
                # this regex string is actually much longer to match more mobile devices
                if ($http_user_agent ~* "android|ip(ad|hone|od)|kindle") {
                    set $mobile_rewrite perform;
                }
                if ($mobile_rewrite = perform) {
                    rewrite ^/space/(.*) /mspace/ redirect;
                    break;
                }
                if ($mobile_rewrite = do_not_perform) {
                    rewrite ^/mspace/(.*) /space/ redirect;
                    break;
                }
                #----- redirect to mobile check (ends) -----#
            EOF
            

            4.6 生成extra_locations(一般无需改变)

            # Extra location included by the 443 servers in meta_server: /oss is
            # stripped of its prefix and proxied to the `oss` upstream
            # (libsys-mongo:9000, defined in meta_server), with the Host header sent
            # upstream overridden to libsys-mongo:9000.
            tee  /home/nginx/conf/conf.d/extra_locations <<-'EOF'
            location /oss {
                rewrite /oss(.*)  break;
                proxy_set_header Host libsys-mongo:9000;
                proxy_pass http://oss;
            }
            EOF
            

            4.7 生成meta_server

            # Upstreams plus the three application server blocks. All upstreams
            # except oss point at 127.0.0.1 ports, which works because the container
            # runs with --net=host (step 5).
            # Server 1: 443 default_server with the nginx.crt key pair, the internal
            #   /(status|metrics|extra_metrics) endpoints answered with 404, and the
            #   shared extra_locations/meta_locations includes.
            # Server 2: `listen 8079` has no `ssl`, so it serves plain HTTP and the
            #   ssl_* directives in that block are inert. `server_name 127.0.0.1`
            #   only affects Host matching — it does not bind the socket to loopback,
            #   so the listener is on every interface, without basic auth. Step 6
            #   does not open 8079; keep it that way or restrict it explicitly.
            # Server 3: 443 with `server_name _` and the space.crt key pair.
            #   NOTE(review): `_` never matches a real Host header, and server 1 is
            #   already default_server on :443, so this block appears unreachable
            #   as written — confirm the intended server_name.
            # NOTE(review): `ssl_protocols TLSv1.1 TLSv1.2` in all three blocks
            # still permits deprecated TLS 1.1 (RFC 8996); `TLSv1.2 TLSv1.3` is the
            # usual choice for nginx 1.21 on a TLS 1.3-capable OpenSSL.
            # NOTE(review): upstreams meta-sync and meta-wechat both point at
            # 127.0.0.1:8013 — confirm that is not a copy/paste slip.
            tee  /home/nginx/conf/conf.d/meta_server <<-'EOF'
            upstream oss {
              server libsys-mongo:9000;
            }
            upstream meta-acq {
              server 127.0.0.1:8021;
            }
            upstream meta-admin {
              server 127.0.0.1:8020;
            }
            upstream meta-cs {
              server 127.0.0.1:8024;
            }
            upstream meta-dc {
              server 127.0.0.1:8023;
            }
            upstream meta-devops {
              server 127.0.0.1:8028;
            }
            upstream meta-erm {
              server 127.0.0.1:8025;
            }
            upstream gateway {
              server 127.0.0.1:20000;
            }
            upstream meta-indexer {
              server 127.0.0.1:8019;
            }
            upstream meta-opac {
              server 127.0.0.1:8030;
            }
            upstream meta-res {
              server 127.0.0.1:8022;
            }
            upstream meta-social {
              server 127.0.0.1:8027;
            }
            upstream meta-stat {
              server 127.0.0.1:8029;
            }
            upstream meta-sync {
              server 127.0.0.1:8013;
            }
            upstream meta-web {
              server 127.0.0.1:10010;
            }
            upstream meta-space {
              server 127.0.0.1:10011;
            }
            upstream meta-mspace {
              server 127.0.0.1:10012;
            }
            upstream meta-wechat {
              server 127.0.0.1:8013;
            }
            upstream meta-api {
              server 127.0.0.1:8012;
            }
            upstream meta-appserver {
              server 127.0.0.1:8011;
            }
            server {
                listen 443 ssl http2 default_server;
                server_name 0.0.0.0;
                ssl_certificate /etc/nginx/ssl/nginx.crt;
                ssl_certificate_key /etc/nginx/ssl/nginx.key;
                ssl_protocols TLSv1.1 TLSv1.2;
                ssl_prefer_server_ciphers on;
                ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
                fastcgi_param   HTTPS               on;
                fastcgi_param   HTTP_SCHEME         https;
                server_tokens   off;
                #charset koi8-r;
                access_log  /var/log/nginx/access-meta.log;
                error_log   /var/log/nginx/error-meta.log;
                proxy_read_timeout 1800;  #确定使用这么大的超时?对读者服务的可以使用较小的超时,例如opac,wechat
                gzip on;
                gzip_disable "msie6";
                gzip_vary on;
                gzip_proxied any;
                gzip_comp_level 6;
                gzip_buffers 16 8k;
                gzip_http_version 1.1;
                gzip_types application/javascript
                           application/rss+xml
                           application/vnd.ms-fontobject
                           application/x-font
                           application/x-font-opentype
                           application/x-font-otf
                           application/x-font-truetype
                           application/x-font-ttf
                           application/x-javascript
                           application/xhtml+xml
                           application/xml
                           font/opentype
                           font/otf
                           font/ttf
                           image/svg+xml
                           image/x-icon
                           text/css
                           text/javascript
                           text/plain
                           text/xml;
                include    /etc/nginx/conf.d/extra_locations;
            location ~ /(status|metrics|extra_metrics)(/?)$ {
              return 404;
            }
                include    /etc/nginx/conf.d/meta_locations;
                #error_page   500 502 503 504  /50x.html;
                #location = /50x.html {
                #    root   /usr/share/nginx/html;
                #}
                # deny access to .htaccess files, if Apache's document root
                # concurs with nginx's one
                #
                #location ~ /\.ht {
                #    deny  all;
                #}
            }
            server {
                listen 8079;
                server_name 127.0.0.1;
                ssl_protocols TLSv1.1 TLSv1.2;
                ssl_prefer_server_ciphers on;
                ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
                fastcgi_param   HTTPS               on;
                fastcgi_param   HTTP_SCHEME         https;
                server_tokens   off;
                #charset koi8-r;
                access_log  /var/log/nginx/access-meta.log;
                error_log   /var/log/nginx/error-meta.log;
                proxy_read_timeout 1800;  #确定使用这么大的超时?对读者服务的可以使用较小的超时,例如opac,wechat
                gzip on;
                gzip_disable "msie6";
                gzip_vary on;
                gzip_proxied any;
                gzip_comp_level 6;
                gzip_buffers 16 8k;
                gzip_http_version 1.1;
                gzip_types application/javascript
                           application/rss+xml
                           application/vnd.ms-fontobject
                           application/x-font
                           application/x-font-opentype
                           application/x-font-otf
                           application/x-font-truetype
                           application/x-font-ttf
                           application/x-javascript
                           application/xhtml+xml
                           application/xml
                           font/opentype
                           font/otf
                           font/ttf
                           image/svg+xml
                           image/x-icon
                           text/css
                           text/javascript
                           text/plain
                           text/xml;
            location ~ /(status|metrics|extra_metrics)(/?)$ {
              return 404;
            }
                include    /etc/nginx/conf.d/meta_locations;
                #error_page   500 502 503 504  /50x.html;
                #location = /50x.html {
                #    root   /usr/share/nginx/html;
                #}
                # deny access to .htaccess files, if Apache's document root
                # concurs with nginx's one
                #
                #location ~ /\.ht {
                #    deny  all;
                #}
            }
            server {
                listen 443 ssl http2;
                server_name _;
                ssl_certificate /etc/nginx/ssl/space.crt;
                ssl_certificate_key /etc/nginx/ssl/space.key;
                ssl_protocols TLSv1.1 TLSv1.2;
                ssl_prefer_server_ciphers on;
                ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
                fastcgi_param   HTTPS               on;
                fastcgi_param   HTTP_SCHEME         https;
                server_tokens   off;
                #charset koi8-r;
                access_log  /var/log/nginx/access-space.log;
                error_log   /var/log/nginx/error-space.log;
                gzip on;
                gzip_disable "msie6";
                gzip_vary on;
                gzip_proxied any;
                gzip_comp_level 6;
                gzip_buffers 16 8k;
                gzip_http_version 1.1;
                gzip_types application/javascript
                           application/rss+xml
                           application/vnd.ms-fontobject
                           application/x-font
                           application/x-font-opentype
                           application/x-font-otf
                           application/x-font-truetype
                           application/x-font-ttf
                           application/x-javascript
                           application/xhtml+xml
                           application/xml
                           font/opentype
                           font/otf
                           font/ttf
                           image/svg+xml
                           image/x-icon
                           text/css
                           text/javascript
                           text/plain
                           text/xml;
                include    /etc/nginx/conf.d/extra_locations;
            location ~ /(status|metrics|extra_metrics)(/?)$ {
              return 404;
            }
                location /meta-local/wechat {
                    proxy_pass http://meta-wechat;
                }
                location /meta-local/opac {
                    proxy_pass http://meta-opac;
                }
                location /space/ {
                    proxy_pass http://meta-space/;
                    include    /etc/nginx/conf.d/include.d/proxy;
                    add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate";
                    expires 0;
                }
                location ~ ^/space/(css|fonts|img|js) {
                    proxy_pass http://meta-space;
                    include    /etc/nginx/conf.d/include.d/proxy;
                    #add_header x_debug $upstream_addr;
                    #add_header x_debug $request;
                    access_log off;
                    expires    1y;
                    add_header Cache-Control 'max-age=31536000'; # one year
                    rewrite ^/space(.*) / break;
                }
                location /mspace/ {
                    proxy_pass http://meta-mspace/;
                    include    /etc/nginx/conf.d/include.d/proxy;
                    add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate";
                    expires 0;
                }
                location ~ ^/mspace/(css|fonts|img|js) {
                    proxy_pass http://meta-mspace;
                    include    /etc/nginx/conf.d/include.d/proxy;
                    #add_header x_debug $upstream_addr;
                    #add_header x_debug $request;
                    access_log off;
                    expires    1y;
                    add_header Cache-Control 'max-age=31536000'; # one year
                    rewrite ^/mspace(.*) / break;
                }
                #----- redirect to mobile check (starts) -----#
                set $mobile_rewrite do_not_perform;
                # this regex string is actually much longer to match more mobile devices
                if ($http_user_agent ~* "android|ip(ad|hone|od)|kindle") {
                    set $mobile_rewrite perform;
                }
                if ($mobile_rewrite = perform) {
                    rewrite ^/space/(.*) /mspace/ redirect;
                    break;
                }
                if ($mobile_rewrite = do_not_perform) {
                    rewrite ^/mspace/(.*) /space/ redirect;
                    break;
                }
                #----- redirect to mobile check (ends) -----#
            }
            EOF
            

            4.8 生成proxy选项

            # Common proxy settings included by the /meta/, /space/ and /mspace/
            # locations: proxy caching and redirect rewriting off, client IP passed
            # as X-Real-IP.
            # NOTE(review): X-Forwarded-Host is taken from $server_name, i.e. the
            # configured name of the matching server block (0.0.0.0 / _ on this
            # page), not from the client's Host header; upstreams that build URLs
            # from it usually expect `$host` instead.
            mkdir -p /home/nginx/conf/conf.d/include.d && 
            tee  /home/nginx/conf/conf.d/include.d/proxy <<-'EOF'
            proxy_cache        off;
            proxy_redirect     off;
            proxy_set_header   X-Real-IP $remote_addr;
            proxy_set_header   X-Forwarded-Host $server_name;
            EOF
            

            5. 启动Docker

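            # Run nginx on the host network (no port mapping; see the note at the top)
            # with config, certificates and html bind-mounted from /home/nginx.
            # nginx.conf and html are now mounted read-only like conf.d and ssl
            # already were: nginx only reads them, and a read-only mount keeps a
            # compromised container from altering the served config or content on
            # the host. Logs remain writable.
            docker run -d --net=host --name nginx --restart=always \
            -v /etc/localtime:/etc/localtime:ro \
            -v /home/nginx/conf/nginx.conf:/etc/nginx/nginx.conf:ro \
            -v /home/nginx/conf/conf.d/:/etc/nginx/conf.d:ro \
            -v /home/nginx/logs:/var/log/nginx \
            -v /home/nginx/ssl:/etc/nginx/ssl:ro \
            -v /home/nginx/html:/usr/share/nginx/html:ro \
            nginx:1.21.6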
            

            6. 打通防火墙

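            # Open the public ports (80/443) and the admin port 9443 in firewalld,
            # then reload so the permanent rules take effect. The original spelled
            # the flag `--permanen`; that is a typo and may have worked only because
            # firewall-cmd accepts unambiguous option prefixes.
            # NOTE(review): 9443 fronts the admin tools behind a single basic-auth
            # password. Rather than opening it to every source, prefer a rich rule
            # limited to an admin network, e.g.
            #   firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<ADMIN_CIDR>" port port="9443" protocol="tcp" accept'
            # with <ADMIN_CIDR> replaced by the management range.
            firewall-cmd --permanent --add-port 80/tcp &&
            firewall-cmd --permanent --add-port 443/tcp &&
            firewall-cmd --permanent --add-port 9443/tcp &&
            firewall-cmd --reload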
            

            7. 外部访问验证