Starting an Nginx reverse proxy with Podman

Changed the path from /srv to /home because it was under the root folder (2024/09/29)

Obtaining a server certificate (Let's Encrypt)

Installing certbot

dnf install -y epel-release
dnf install -y certbot python3-certbot-nginx

Obtaining the certificate

# certbot certonly --standalone -d ydlprog.ddns.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): <email address>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
You must agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Account registered.
Requesting a certificate for ydlprog.ddns.net

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/ydlprog.ddns.net/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/ydlprog.ddns.net/privkey.pem
This certificate expires on 2023-04-30.
These files will be updated when the certificate renews.

NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Creating the network

podman network create --subnet 10.0.10.0/24 --gateway 10.0.10.1 network-revproxy

Creating the reverse proxy pod

Create a temporary container and copy out its configuration files

mkdir -p \
  /home/podman/revproxy-pod/nginx/conf.d \
  /home/podman/revproxy-pod/public
echo "Hello World!" > /home/podman/revproxy-pod/public/index.html
podman run -d --name tmp docker.io/library/nginx:latest
podman cp tmp:/etc/nginx/nginx.conf /home/podman/revproxy-pod/nginx/nginx.conf
podman cp tmp:/etc/nginx/conf.d/default.conf /home/podman/revproxy-pod/nginx/conf.d/default.conf
podman rm -f tmp

Creating the pod

podman pod create --name revproxy-pod -p 80:80 -p 443:443 --network=network-revproxy
podman create --pod revproxy-pod --name revproxy-nginx \
  -v /home/podman/revproxy-pod/nginx/nginx.conf:/etc/nginx/nginx.conf:ro \
  -v /home/podman/revproxy-pod/nginx/conf.d/default.conf:/etc/nginx/conf.d/default.conf:ro \
  -v /home/podman/revproxy-pod/public:/usr/share/nginx/html \
  -v /etc/letsencrypt/live/ydlprog.ddns.net/fullchain.pem:/etc/nginx/server.crt:ro \
  -v /etc/letsencrypt/live/ydlprog.ddns.net/privkey.pem:/etc/nginx/server.key:ro \
  docker.io/library/nginx:latest

Reverse proxy configuration

# http
server {
    listen      80;
    listen      [::]:80;
    server_name _;

    # redirect all http access to https
    location / {
        return 301 https://$host$request_uri;
    }
}

# https
server {
    # "ssl on;" has been deprecated since nginx 1.15.0 and is rejected by
    # nginx 1.25.1 and later (the docker.io/library/nginx:latest image);
    # enable TLS with the ssl parameter of listen instead
    listen              443 ssl;
    listen              [::]:443 ssl;
    ssl_certificate     /etc/nginx/server.crt;
    ssl_certificate_key /etc/nginx/server.key;
    server_name         _;

    # error page
    error_page 500 502 503 504  /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # Let's Encrypt (unverified)
    location ^~ /.well-known/acme-challenge/ {
        root /usr/share/nginx/html/letsencrypt;
    }
    location = /.well-known/acme-challenge/ {
        return 404;
    }

    # reverse proxy settings
    proxy_redirect   off;
    proxy_set_header Host               $host;
    proxy_set_header X-Real-IP          $remote_addr;
    proxy_set_header X-Forwarded-Host   $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-Proto  $scheme;
    proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;

    # reverse proxy to the old dokuwiki pages
    location /ydlprog {
        proxy_pass http://10.0.30.1:30080/ydlprog;
    }

    # reverse proxy to GitLab
    location /gitlab {
        client_max_body_size 1000M;
        proxy_pass http://10.0.40.1:22080/gitlab;
    }

    # reverse proxy to WordPress
    location / {
        proxy_pass http://10.0.20.1:21080/;
    }
}
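
Before exposing the proxy it is worth checking which backend each request path actually reaches, because the prefix locations above match more than their names suggest: `location /ydlprog` also catches `/ydlprogfoo`, and nginx resolves `..` segments before matching, so an encoded `/gitlab/%2e%2e/ydlprog/x` is routed to dokuwiki, not GitLab. The following Python model is an added example, not code from the original post. It reproduces nginx's location-selection rules (exact match first, then longest prefix, then the proxy_pass URI replacement) for the six location blocks of the https server above; the backend labels come from the config comments and the sample request URIs are constructed.

```python
"""Model of how the https server block above routes a request URI.

Added example, not code from the original post.  It reproduces nginx's
location-selection rules for the six location blocks in that config:
  1. an exact location (`location = /x`) wins outright;
  2. otherwise the longest matching prefix location wins (`^~` only
     suppresses regex locations, and this config has none);
  3. when proxy_pass carries a URI part, the part of the request URI that
     matched the location prefix is replaced by that URI part.
Sample request URIs in main() are constructed for illustration.
"""
import posixpath
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote


@dataclass(frozen=True)
class Location:
    path: str
    exact: bool = False                # `location = path`
    proxy_pass: Optional[str] = None   # None: served locally (root / return 404)
    backend: str = ""                  # label taken from the config comments


# Same order as in the config; order does not affect prefix matching.
LOCATIONS = (
    Location("/50x.html", exact=True, backend="static error page"),
    Location("/.well-known/acme-challenge/", backend="ACME challenge files"),
    Location("/.well-known/acme-challenge/", exact=True, backend="return 404"),
    Location("/ydlprog", proxy_pass="http://10.0.30.1:30080/ydlprog", backend="dokuwiki"),
    Location("/gitlab", proxy_pass="http://10.0.40.1:22080/gitlab", backend="GitLab"),
    Location("/", proxy_pass="http://10.0.20.1:21080/", backend="WordPress"),
)


def normalize(uri: str) -> tuple[str, str]:
    """Split off the query string and return (normalized path, query).

    nginx matches locations against the percent-decoded path with `.` and
    `..` segments resolved, so `/gitlab/%2e%2e/ydlprog` is routed as `/ydlprog`.
    """
    path, _, query = uri.partition("?")
    path = unquote(path)
    if not path.startswith("/"):
        raise ValueError(f"request path must be absolute: {path!r}")
    norm = posixpath.normpath(path)
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"          # normpath drops the trailing slash; nginx keeps it
    return norm, query


def match(uri: str) -> Location:
    """Return the location block nginx would select for this request URI."""
    path, _ = normalize(uri)
    for loc in LOCATIONS:
        if loc.exact and loc.path == path:
            return loc
    best = None
    for loc in LOCATIONS:
        if not loc.exact and path.startswith(loc.path):
            if best is None or len(loc.path) > len(best.path):
                best = loc
    assert best is not None      # `location /` matches every absolute path
    return best


def upstream_url(uri: str) -> Optional[str]:
    """Return the URL proxy_pass would request, or None when served locally."""
    path, query = normalize(uri)
    loc = match(uri)
    if loc.proxy_pass is None:
        return None
    scheme, _, rest = loc.proxy_pass.partition("://")
    host, slash, pp_path = rest.partition("/")
    url = f"{scheme}://{host}{slash}{pp_path}{path[len(loc.path):]}"
    return f"{url}?{query}" if query else url


def main() -> None:
    # Constructed sample requests, including the prefix-match pitfall
    # (`/ydlprogfoo` also goes to dokuwiki) and a dot-segment traversal.
    for uri in ("/", "/wp-admin/", "/ydlprog/doku.php?id=start", "/ydlprogfoo",
                "/gitlab/group/repo.git", "/gitlab/%2e%2e/ydlprog/x",
                "/.well-known/acme-challenge/", "/.well-known/acme-challenge/tok",
                "/50x.html"):
        loc = match(uri)
        print(f"{uri:40} -> {loc.backend:20} {upstream_url(uri) or '(local)'}")


if __name__ == "__main__":
    main()
```

If a backend must only ever see its own prefix, `location /ydlprog/` (with the trailing slash, plus an exact `location = /ydlprog` redirect) is the usual way to stop `/ydlprogfoo` from being forwarded; the model above makes that kind of change easy to check before editing default.conf.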

Starting the reverse proxy

podman pod start revproxy-pod

Autostart setup

Create unit files for autostart

# cd /usr/lib/systemd/system
# podman generate systemd --name revproxy-pod --files --restart-policy=always
/usr/lib/systemd/system/pod-revproxy-pod.service
/usr/lib/systemd/system/container-revproxy-nginx.service

Enable autostart

systemctl daemon-reload
systemctl enable pod-revproxy-pod.service
systemctl enable container-revproxy-nginx.service

Container creation script

#! /bin/bash

PodName='revproxy'

# remove the pod if it already exists
echo ポッド削除
podman pod stop ${PodName}-pod
podman pod rm ${PodName}-pod

# create the pod
echo ポッド作成
podman pod create --name ${PodName}-pod -p 80:80 -p 443:443 --network=network-${PodName}
podman create --pod ${PodName}-pod --name ${PodName}-nginx \
  -v /home/podman/${PodName}-pod/nginx/nginx.conf:/etc/nginx/nginx.conf:ro \
  -v /home/podman/${PodName}-pod/nginx/conf.d/default.conf:/etc/nginx/conf.d/default.conf:ro \
  -v /home/podman/${PodName}-pod/public:/usr/share/nginx/html \
  -v /etc/letsencrypt/live/ydlprog.ddns.net/fullchain.pem:/etc/nginx/server.crt:ro \
  -v /etc/letsencrypt/live/ydlprog.ddns.net/privkey.pem:/etc/nginx/server.key:ro \
  docker.io/library/nginx:latest

# start the pod
echo ポッド起動
podman pod start ${PodName}-pod

echo Finish!
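
Two things the certificate section and the script above leave to the operator: the certificate was issued with `--standalone`, which needs port 80 free, but once the pod is up it owns `80:80`, so unattended `certbot renew` will fail unless the pod is stopped around the renewal; and every `-v` source path in the script must exist before `podman create` runs, otherwise podman creates an empty directory on the host and nginx fails inside the container. The script below is an added example, not the post's own code. It adds pre-flight checks for the bind-mount sources (including that `privkey.pem` is owner-only), and installs certbot pre/post renewal hooks that stop and start the `pod-revproxy-pod.service` unit generated in the autostart section. The file name `revproxy-preflight.sh`, the hook file names, and the `CERT_DIR`/`POD_ROOT`/`POD_UNIT` overrides are assumptions; the paths default to the ones used on this page.

```bash
#!/bin/bash
# Added example, not the post's own script.  Pre-flight checks for the bind
# mounts used by the revproxy pod, plus certbot renewal hooks that stop the pod
# (it holds port 80, which the --standalone authenticator needs) before a
# renewal attempt and start it again afterwards.  Assumed: the post's
# /home/podman/revproxy-pod layout, the live directory for ydlprog.ddns.net,
# and the pod-revproxy-pod.service unit from the autostart section.
set -euo pipefail

CERT_DIR="${CERT_DIR:-/etc/letsencrypt/live/ydlprog.ddns.net}"
POD_ROOT="${POD_ROOT:-/home/podman/revproxy-pod}"
POD_UNIT="${POD_UNIT:-pod-revproxy-pod.service}"

# Succeeds only when both PEM files resolve to regular files and the private
# key has no group/other permission bits.  A missing source path would make
# podman create an empty directory at that path on the host and nginx would
# then fail to start inside the container; a group/world-readable key would be
# exposed to every local user that can reach the mount.
check_cert_dir() {
    local dir="$1" f mode
    for f in fullchain.pem privkey.pem; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing or not a regular file: $dir/$f" >&2
            return 1
        fi
    done
    mode=$(stat -L -c '%a' "$dir/privkey.pem")
    case "$mode" in
        *00) return 0 ;;                     # 600, 400, 700: owner only
        *)   echo "$dir/privkey.pem is mode $mode, expected owner-only (600)" >&2
             return 1 ;;
    esac
}

# Succeeds when every host path that `podman create -v` bind-mounts exists.
check_mount_sources() {
    local root="$1" p
    for p in "$root/nginx/nginx.conf" "$root/nginx/conf.d/default.conf" "$root/public"; do
        if [ ! -e "$p" ]; then
            echo "missing mount source: $p" >&2
            return 1
        fi
    done
}

# certbot runs every executable in renewal-hooks/pre before it tries to renew
# and every executable in renewal-hooks/post afterwards.  Stopping the pod via
# its systemd unit (rather than `podman pod stop`) keeps the unit's
# Restart=always from bringing the pod back while the challenge is running.
# Bind mounts are established when the container starts, so the stop/start
# around the renewal is also what makes the renewed files visible to nginx.
install_renewal_hooks() {
    local hookdir="${1:-/etc/letsencrypt/renewal-hooks}"
    mkdir -p "$hookdir/pre" "$hookdir/post"
    printf '%s\n' '#!/bin/sh' "systemctl stop $POD_UNIT"  > "$hookdir/pre/stop-revproxy.sh"
    printf '%s\n' '#!/bin/sh' "systemctl start $POD_UNIT" > "$hookdir/post/start-revproxy.sh"
    chmod 0755 "$hookdir/pre/stop-revproxy.sh" "$hookdir/post/start-revproxy.sh"
}

main() {
    check_cert_dir "$CERT_DIR"
    check_mount_sources "$POD_ROOT"
    install_renewal_hooks
    echo "pre-flight checks passed and renewal hooks installed"
}

# Run the checks only when invoked as `./revproxy-preflight.sh run`, so the
# functions can also be sourced from the pod creation script above.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it once as root (`./revproxy-preflight.sh run`) after the certificate has been issued and before the pod is created; afterwards `certbot renew --dry-run` exercises the hooks and shows whether the pod is released and restarted cleanly.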
