nginx 啟動時會自動安裝 Let's Encrypt SSL，nginx 與 tomcat 及 php-fpm 間使用 proxy_pass，設定大概如下：
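server {
    # Listen on port 443 (IPv4 and IPv6).
    # Protocol/cipher settings (ssl_protocols, ssl_ciphers, ssl_stapling) are
    # not set here; they are presumably inherited from the enclosing
    # nginx.conf or the image defaults — confirm they are actually applied.
    listen 443 ssl default_server reuseport;
    listen [::]:443 ssl default_server reuseport;

    # Domain names this server should respond to.
    server_name a.yslifes.com;
    root /var/www/html;

    # Certificate files issued by certbot inside the container.
    ssl_certificate /etc/letsencrypt/live/a.yslifes.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/a.yslifes.com/privkey.pem;
    # Only consulted when OCSP stapling (ssl_stapling on) is enabled.
    ssl_trusted_certificate /etc/letsencrypt/live/a.yslifes.com/chain.pem;

    # Diffie-Hellman parameters for DHE cipher suites.
    ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;

    #return 200 'Let\'s Encrypt certificate successfully installed!';
    #add_header Content-Type text/plain;

    # Compression. Caveat: compressing dynamic responses that both reflect
    # client-controlled input and carry per-user secrets (session ids, CSRF
    # tokens) over TLS is the precondition for BREACH-style leakage; keep
    # gzip_types to public/static content unless the application mitigates it.
    gzip on;
    gzip_types text/plain application/xml application/json;
    # Level 9 spends the most CPU for a marginal size gain over 4-6.
    gzip_comp_level 9;
    gzip_min_length 1000;

    #brotli on;
    # Default is 6, range 0-11; higher values compress better but use more CPU.
    #brotli_comp_level 6;
    #brotli_static on;
    # MIME types to compress.
    #brotli_types application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml;

    # Headers forwarded to every proxied upstream.
    # nginx inherits these into a location only if that location declares
    # no proxy_set_header of its own, so a location that adds one header
    # must repeat the whole set. The upstream (Tomcat) must be configured
    # to trust these values only from this proxy (e.g. RemoteIpValve with
    # the proxy's address) — otherwise a client can spoof them.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Tells the upstream the original request was TLS, so it generates
    # https:// redirects/URLs and can mark cookies Secure.
    proxy_set_header X-Forwarded-Proto $scheme;
    # Note: a "Forwarded" header set to $proxy_add_x_forwarded_for was
    # dropped — RFC 7239 requires key=value pairs (for=...), and a bare IP
    # list is malformed. Use X-Forwarded-* (above) instead.

    # Add index.php to the list if you are using PHP.
    index index.php index.html index.htm index.nginx-debian.html;

    # location / {
    # First attempt to serve request as file, then
    # as directory, then fall back to displaying a 404.
    # try_files $uri $uri/ =404;
    # }

    # Everything goes to Tomcat; the proxy headers are inherited from the
    # server level. (The original repeated X-Forwarded-For twice here with
    # different values; the $proxy_add_x_forwarded_for form is the right one.)
    location / {
        proxy_pass http://tomcat10:8080/;
    }

    # location ~ [^/]\.php(/|$) {
    # fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    # if (!-f $document_root$fastcgi_script_name) {
    # return 404;
    # }
    # Mitigate https://httpoxy.org/ vulnerabilities
    # fastcgi_param HTTP_PROXY "";
    # fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    # fastcgi_param PATH_INFO $fastcgi_path_info;
    # fastcgi_pass phpfpm7.4:9000;
    # fastcgi_index index.php;
    # include the fastcgi_param setting
    # include fastcgi_params;
    # SCRIPT_FILENAME parameter is used for PHP FPM determining
    # the script name. If it is not set in fastcgi_params file,
    # i.e. /etc/nginx/fastcgi_params or in the parent contexts,
    # please comment off following line:
    # fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    # }
}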
docker-compose.yml 檔如下：
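version: '3'

services:
  nginx:
    container_name: nginx
    # Floating tag: pin a version or digest so upgrades are deliberate and
    # deployments reproducible.
    image: jonasal/nginx-certbot:latest
    environment:
      # Redacted placeholder on the page; must be quoted because a plain
      # value starting with "[" is parsed as a YAML flow sequence.
      CERTBOT_EMAIL: "[email protected]"
      TZ: Asia/Taipei
    env_file:
      - ./nginx-certbot.env
    ports:
      # Quoted so host:container pairs are never read as numbers.
      - "80:80"
      - "443:443"
    volumes:
      - nginx_secrets:/etc/letsencrypt
      # Config mounts are read-only; nginx only reads them.
      - ./nginx/user_conf.d:/etc/nginx/user_conf.d:ro
      # Left read-write: the image may write ACME challenge files under
      # /var/www — confirm before tightening to :ro.
      - /var/www:/var/www
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./nginx/log:/var/log/nginx
    logging:
      options:
        max-size: "512M"

  phpfpm:
    container_name: phpfpm7.4
    build: ./fpm
    environment:
      TZ: Asia/Taipei
    restart: unless-stopped
    volumes:
      - /var/www:/var/www
    logging:
      options:
        max-size: "512M"

  tomcat:
    container_name: tomcat10
    image: tomcat:10.0.26-jre17-temurin-jammy
    restart: unless-stopped
    environment:
      TZ: Asia/Taipei
      # Quoted: a leading "-" is an indicator character in YAML.
      CATALINA_OPTS: "-Xms128m -Xmx256m"
    volumes:
      - ./tomcat/webapps:/usr/local/tomcat/webapps
      - ./tomcat/logs:/usr/local/tomcat/logs
      # Tomcat only reads its configuration; tomcat-users.xml holds
      # manager credentials, so keep it out of version control.
      - ./tomcat/conf/server.xml:/usr/local/tomcat/conf/server.xml:ro
      - ./tomcat/conf/tomcat-users.xml:/usr/local/tomcat/conf/tomcat-users.xml:ro
    # Replaces the deprecated `links:`; the compose default network already
    # resolves the service name, and depends_on keeps the start ordering.
    depends_on:
      - mariadb
    logging:
      options:
        max-size: "512M"

  mariadb:
    container_name: mariadb
    # Floating tag; pin a major/minor so schema-affecting upgrades are chosen.
    image: mariadb:latest
    # Server options are command-line flags; the official image does not
    # read them from environment variables of this name.
    command:
      - --character-set-server=utf8mb4
      - --collation-server=utf8mb4_unicode_ci
    environment:
      # Do not commit the root password: read it from the shell or .env at
      # `docker compose up` time. The :? form fails fast when it is unset.
      # Rotate the literal that was previously committed here.
      MYSQL_ROOT_PASSWORD: "${MYSQL_ROOT_PASSWORD:?set MYSQL_ROOT_PASSWORD in .env}"
      MYSQL_DATABASE: mydb
      # ALLOW_EMPTY_PASSWORD is recommended only for development.
      # NOTE(review): this name comes from a different image family; the
      # official mariadb image uses MARIADB_ALLOW_EMPTY_ROOT_PASSWORD and
      # likely ignores this — confirm. Quoted so "no" is not read as false.
      ALLOW_EMPTY_PASSWORD: "no"
    ports:
      # Bound to loopback: the database is reachable from this host only.
      - "127.0.0.1:3306:3306"
    volumes:
      - ./mariadb-data:/var/lib/mysql
    restart: unless-stopped
    logging:
      options:
        max-size: "512M"

volumes:
  nginx_secrets: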