为 Nginx docker 容器启用 HTTPS
[英]Enable HTTPS for Nginx docker container
问题描述
For development environment I need to enable SSL connection with a Nginx container.
对于开发环境,我需要启用 SSL 与 Nginx 容器的连接。
I am getting a certificate generated from Azure Key Vault and its on the PFX format.我正在获取从 Azure Key Vault 及其 PFX 格式生成的证书。
I have been trying to install opensll inside my nginx container and generate a crt and key file from the PFX without any luck.我一直在尝试在我的 nginx 容器中安装 opensll,并从 PFX 生成一个 crt 和密钥文件,但没有任何运气。
What would be easiest way to enable HTTPS connection to my NGINX container?启用 HTTPS 连接到我的 NGINX 容器的最简单方法是什么?
This is my non working dockerfile from now.从现在开始,这是我的非工作 dockerfile。
FROM nginx:1.17.1-alpine
ARG CERT
RUN apk upgrade --update-cache --available && \
apk add openssl && \
rm -rf /var/cache/apk/*
RUN echo "$CERT"
RUN test -z "$CERT" || echo "$CERT" && echo "no certificates setup"
COPY cert.pfx /opt/certificate.pfx
RUN mkdir /etc/nginx/certs
RUN test -z "$CERT" || openssl pkcs12 -in /certificate.pfx -nocerts -out /etc/nginx/certs/cert.key -password pass:FakePassword && :
RUN test -z "$CERT" || openssl pkcs12 -in /certificate.pfx -clcerts -nokeys -out /etc/nginx/certs/cert.crt -password pass:FakePassword && :
RUN test -z "$CERT" || echo $'server { \n\
\tlisten 443 ssl; \n\
\tserver_name www.yoursite.com; \n\
\tssl_certificate /etc/nginx/certs/cert.crt; \n\
\tssl_certificate_key /etc/nginx/certs/cert.key; \n\
\tlocation / { \n\
\t\tproxy_pass http://frontend:5000/; \n\
\t\terror_log /var/log/front_end_errors.log; \n\
\t} \n\
}' >> /etc/nginx/conf.d/nginx.conf
EXPOSE 80 443
COPY --from=build /app/dist /usr/share/nginx/html/
My error is:我的错误是:
Step 18/25 : RUN if [ "x$CERT" = "x" ] ; then : ; else openssl pkcs12 -in /opt/certificate.pfx -nocerts -out /etc/nginx/certs/cert.key ; fi
---> Running in f5d8b255e51c
Enter Import Password:
Can't read Password
The command '/bin/sh -c if [ "x$CERT" = "x" ] ; then : ; else openssl pkcs12 -in /opt/certificate.pfx -nocerts -out /etc/nginx/certs/cert.key ; fi' returned a non-zero code: 1
1 个解决方案
解决方案1
0 2020-04-20 20:51:51
Probably not what you want to hear, but the solution you propose is dangerous to very dangerous depending on the use case.可能不是您想听到的,但是根据用例,您提出的解决方案是危险的甚至是非常危险的。 What you're doing is baking in the certificate into the image itself.您正在做的是将证书烘焙到图像本身中。 Certificates and other secrets should be mounted as Docker volumes, so in your case make /etc/nginx/certs a volume would better solve your problem证书和其他机密应安装为 Docker 卷,因此在您的情况下,制作/etc/nginx/certs卷会更好地解决您的问题
There are multiple ways of getting the SSL certificate into the container depending on how you orchestrate the container.根据您编排容器的方式,有多种方法可以将 SSL 证书放入容器中。 Since you tag with "Azure" I assume you ether use Azure Kubernetes Service or the Azure Container Instances.由于您使用“Azure”标记,我假设您使用 Azure Kubernetes 服务或 Azure 容器实例。 In AKS there are tons of ways of doing this but a common way is to create an init container, give it access to the key vault and load the secret directly from the key vault into a shared (tmpfs) volume.在 AKS 中,有很多方法可以做到这一点,但一种常见的方法是创建一个 init 容器,为其提供对密钥保管库的访问权限,并将密钥直接从密钥保管库加载到共享 (tmpfs) 卷中。
In Container Instances, you can read the secret directly from the key vault at run time by assigning the container rights to the key vault (similar to how you would do it in AKS), the create an entry point script in your Docker image that downloads the certificate to a temporary volume and then starts nginx.在容器实例中,您可以在运行时通过将容器权限分配给密钥保险库(类似于您在 AKS 中的操作方式)直接从密钥保险库中读取密钥,在您的 Docker 映像中创建一个入口点脚本来下载将证书复制到临时卷,然后启动 nginx。
Whichever way you choose: Never, ever persist secrets from a key vault to any kind of storage.无论您选择哪种方式:永远不会将密钥从密钥保管库保存到任何类型的存储中。
See this page for an example on how to use curl to download secrets from an Azure key vault inside a container at run time.有关如何使用curl在运行时从容器内的 Azure 密钥保管库下载机密的示例,请参阅此页面。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.