V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
miaomiao2014
V2EX  ›  Docker

有没有试过 Portainer+ssl?

  •  
  •   miaomiao2014 · 2021-06-05 17:57:55 +08:00 · 1183 次点击
    这是一个创建于 1298 天前的主题,其中的信息可能已经有所发展或是发生改变。
    我一直用 Portainer,但没有加 ssl,官方文档好像有教程,但看不懂。
    执行
    /var/run/docker.sock:/var/run/docker.sock -v ~/local-certs:/certs -v portainer_data:/data portainer/portainer-ce --ssl --sslcert /certs/portainer.crt --sslkey /certs/portainer.key
    然后弄证书放到哪个文件夹?
    或者有没有简单教程?感激!!!
    lx0758
        1
    lx0758  
       2021-06-09 10:48:44 +08:00
    前置反向代理, 统一 ssl
    miaomiao2014
        2
    miaomiao2014  
    OP
       2021-06-10 12:11:58 +08:00 via iPhone
    @lx0758 #1 用 nginx?方便发下教程吗?
    AllenHua
        3
    AllenHua  
       2021-06-14 18:45:24 +08:00
    ```
    server
    {
    listen 443 ssl http2;
    proxy_ssl_server_name on;
    # ssl on;
    server_tokens off;
    ssl_certificate /etc/letsencrypt/live/hellodk.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/hellodk.cn/privkey.pem;
    ssl_session_timeout 1d;
    #ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # intermediate configuration. tweak to your needs.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    server_name xxx.hellodk.cn;
    client_max_body_size 128M;
    location / {
    proxy_set_header Host 'xxx.hellodk.cn';
    proxy_pass http://127.0.0.1:85;
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location /notifications/hub {
    proxy_pass http://127.0.0.1:3012;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    }

    location /notifications/hub/negotiate {
    proxy_pass http://127.0.0.1:85;
    }

    }
    ```

    类似于这样,nginx 监听,server 块加 ssl_certificate 和 ssl_certificate_key

    location 匹配路径,proxy_pass 代理 host 实际端口
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   3055 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 25ms · UTC 13:08 · PVG 21:08 · LAX 05:08 · JFK 08:08
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.