有没有试过 Portainer+ssl?

2021-06-05 17:57:55 +08:00
 miaomiao2014
我一直用 Portainer,但没有加 ssl,官方文档好像有教程,但看不懂。
执行
/var/run/docker.sock:/var/run/docker.sock -v ~/local-certs:/certs -v portainer_data:/data portainer/portainer-ce --ssl --sslcert /certs/portainer.crt --sslkey /certs/portainer.key
然后弄证书放到哪个文件夹?
或者有没有简单教程?感激!!!
1185 次点击
所在节点    Docker
3 条回复
lx0758
2021-06-09 10:48:44 +08:00
前置反向代理, 统一 ssl
miaomiao2014
2021-06-10 12:11:58 +08:00
@lx0758 #1 用 nginx?方便发下教程吗?
AllenHua
2021-06-14 18:45:24 +08:00
```
server
{
listen 443 ssl http2;
proxy_ssl_server_name on;
# ssl on;
server_tokens off;
ssl_certificate /etc/letsencrypt/live/hellodk.cn/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/hellodk.cn/privkey.pem;
ssl_session_timeout 1d;
#ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;

# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;

# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;

server_name xxx.hellodk.cn;
client_max_body_size 128M;
location / {
proxy_set_header Host 'xxx.hellodk.cn';
proxy_pass http://127.0.0.1:85;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /notifications/hub {
proxy_pass http://127.0.0.1:3012;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}

location /notifications/hub/negotiate {
proxy_pass http://127.0.0.1:85;
}

}
```

类似于这样,nginx 监听,server 块加 ssl_certificate 和 ssl_certificate_key

location 匹配路径,proxy_pass 代理 host 实际端口

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/781582

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX