devops
docker-compose를 이용한 spring,Nginx 서버 연결 및 https설정하기
yougeun
2024. 4. 2. 21:55
728x90
1.docker-compose 다운
sudo apt install docker-compose2.Nginx spring.conf(/nginx/conf.d/spring.conf) 작성
upstream app{
server docker_gradle:8081;
}
server {
listen 80;
server_name [domain];
#access_log /var/log/nginx/host.access.log main;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
proxy_pass http://app;
}
}
upstream: server 설정에서 Nginx 받아들인 요청을 어떤 서버로 흘려보내 줄 것인지 결정할 때 사용된다.
listen:포트 번호를 설정한다.
proxy_pass:정해진 pass로 요청을 전달한다.
3.docker-compose.yml 작성
version: '3'
services:
docker_gradle:
container_name: docker_gradle
image: docker_gradle
ports:
- "8081:8081"
nginx:
container_name: nginx-server
image: nginx
ports:
- "80:80"
- "443:443"
environment:
TZ: "Asia/Seoul"
volumes:
- ./nginx/conf.d:/etc/nginx/conf.d
- ./nginx/nginx.conf:/etc/nginx/nginx.conf
- ./nginx/log:/var/log/nginx
- ./data/certbot/conf:/etc/letsencrypt
- ./data/certbot/www:/var/www/certbot
depends_on:
- docker_gradle
certbot:
container_name: certbot-server
image: certbot/certbot
restart: unless-stopped
volumes:
- ./data/certbot/conf:/etc/letsencrypt
- ./data/certbot/www:/var/www/certbot
depends_on:
- nginx
services: docker_gradle(spring-server)와 nginx(nginx-server)로 나뉜다.
container_name:docker에 올라갈 container_name을 설정한다.
image:container에 쓰일 image를 선택한다.
ports: 외부접속포트와 docker내부 container의 포트를 설정하고 외부와 통신이 가능합니다.
volumes:docker volume들을 설정한다.
depends_on:container의 실행 순서를 정한다.(위의 yml 파일에서는 docker_gradle container가 먼저 올라가고 nginx서버가 올라간다.)
TZ: TimeZone 설정
4.docker compose 실행
# docker compose 실행
docker compose up -d
#실행 중인 컨테이너 확인
docker ps
docker compose를 실행하고 실행 중인 컨테이너를 확인 해 3개의 컨테이너가 정상적으로 작동되는지 확인합니다.
5.인증서 발급 스크립트 생성
# 인증서 발급 스크립트 생성
vim init-letsencrypt.sh
#!/bin/bash
if ! [ -x "$(command -v docker-compose)" ]; then
echo 'Error: docker-compose is not installed.' >&2
exit 1
fi
domains=([domain] www.[domain])
rsa_key_size=4096
data_path="./data/certbot"
email="[email]" # Adding a valid address is strongly recommended
staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits
if [ -d "$data_path" ]; then
read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
exit
fi
fi
if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
echo "### Downloading recommended TLS parameters ..."
mkdir -p "$data_path/conf"
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
echo
fi
echo "### Creating dummy certificate for $domains ..."
path="/etc/letsencrypt/live/$domains"
mkdir -p "$data_path/conf/live/$domains"
docker-compose run --rm --entrypoint "\
openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 1\
-keyout '$path/privkey.pem' \
-out '$path/fullchain.pem' \
-subj '/CN=localhost'" certbot
echo
echo "### Starting nginx ..."
docker-compose up --force-recreate -d nginx
echo
echo "### Deleting dummy certificate for $domains ..."
docker-compose run --rm --entrypoint "\
rm -Rf /etc/letsencrypt/live/$domains && \
rm -Rf /etc/letsencrypt/archive/$domains && \
rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
echo
echo "### Requesting Let's Encrypt certificate for $domains ..."
#Join $domains to -d args
domain_args=""
for domain in "${domains[@]}"; do
domain_args="$domain_args -d $domain"
done
# Select appropriate email arg
case "$email" in
"") email_arg="--register-unsafely-without-email" ;;
*) email_arg="--email $email" ;;
esac
# Enable staging mode if needed
if [ $staging != "0" ]; then staging_arg="--staging"; fi
docker-compose run --rm --entrypoint "\
certbot certonly --webroot -w /var/www/certbot \
$staging_arg \
$email_arg \
$domain_args \
--rsa-key-size $rsa_key_size \
--agree-tos \
--force-renewal" certbot
echo
echo "### Reloading nginx ..."
docker-compose exec nginx nginx -s reload
docker-compose.yml이 있는 디렉토리에 인증서발급 스크립트를 생성합니다.
위의 스크립트에서 [domain].[email]에 사용 할 domain과 email을 입력하고 저장합니다.
6. 인증서 발급 스크립트 실행
sudo bash init-letsencrypt.sh
인증서 발급 스크립트를 실행하여 SSL인증서를 발급해줍니다.
7. spring.conf https 설정
upstream app{
server docker_gradle:8081;
}
server {
listen 80;
server_name [domain];
#access_log /var/log/nginx/host.access.log main;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$host$request_uri; #http접속시 https로 redirect
}
}
server {
listen 443 ssl;
server_name [domain];
server_tokens off; #nginx 버전 숨김
ssl_certificate /etc/letsencrypt/live/[domain]/fullchain.pem; # SSL/TLS 인증서 경로
ssl_certificate_key /etc/letsencrypt/live/[domain]/privkey.pem; # SSL/TLS 개인 키 경로
include /etc/letsencrypt/options-ssl-nginx.conf; # Let's Encrypt에서 제공하는 Nginx SSL 옵션
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
location / {
proxy_pass http://app;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
2번에서 만든 spring.conf파일에 https 설정을 추가해줍니다.
8. 인증서 자동갱신 command 추가
version: '3'
services:
docker_gradle:
container_name: docker_gradle
image: docker_gradle
ports:
- "8081:8081"
nginx:
container_name: nginx-server
image: nginx
ports:
- "80:80"
- "443:443"
environment:
TZ: "Asia/Seoul"
volumes:
- ./nginx/conf.d:/etc/nginx/conf.d
- ./nginx/nginx.conf:/etc/nginx/nginx.conf
- ./nginx/log:/var/log/nginx
- ./data/certbot/conf:/etc/letsencrypt
- ./data/certbot/www:/var/www/certbot
depends_on:
- docker_gradle
command: '/bin/sh -c ''while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g "daemon off;"'''
certbot:
container_name: certbot-server
image: certbot/certbot
restart: unless-stopped
volumes:
- ./data/certbot/conf:/etc/letsencrypt
- ./data/certbot/www:/var/www/certbot
depends_on:
- nginx
entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"9.https 확인
# docker compose 실행
docker compose up -d
http로 들어가 https로 redirect가 되는 것을 확인하고 https로 연결되어있는지 확인합니다.
728x90