Since /srv was the root folder, the paths were changed from /srv to /home (2024/09/29)
Obtaining a server certificate (Let's Encrypt)
Installing certbot
dnf install -y epel-release
dnf install -y certbot python3-certbot-nginx
Obtaining the certificate (standalone mode binds port 80 itself, so run this before the reverse proxy pod below is publishing that port)
# certbot certonly --standalone -d ydlprog.ddns.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): <email address>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at [URL not preserved on the page]. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Account registered.
Requesting a certificate for ydlprog.ddns.net
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/ydlprog.ddns.net/fullchain.pem
Key is saved at: /etc/letsencrypt/live/ydlprog.ddns.net/privkey.pem
This certificate expires on 2023-04-30.
These files will be updated when the certificate renews.
NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Creating the network
podman network create --subnet 10.0.10.0/24 --gateway 10.0.10.1 network-revproxy
Creating the reverse proxy pod
Create a throwaway container and copy out its default config files
mkdir -p \
/home/podman/revproxy-pod/nginx/conf.d \
/home/podman/revproxy-pod/public
echo "Hello World!" > /home/podman/revproxy-pod/public/index.html
podman run -d --name tmp docker.io/library/nginx:latest
podman cp tmp:/etc/nginx/nginx.conf /home/podman/revproxy-pod/nginx/nginx.conf
podman cp tmp:/etc/nginx/conf.d/default.conf /home/podman/revproxy-pod/nginx/conf.d/default.conf
podman rm -f tmp
Create the pod
podman pod create --name revproxy-pod -p 80:80 -p 443:443 --network=network-revproxy
podman create --pod revproxy-pod --name revproxy-nginx \
-v /home/podman/revproxy-pod/nginx/nginx.conf:/etc/nginx/nginx.conf:ro \
-v /home/podman/revproxy-pod/nginx/conf.d/default.conf:/etc/nginx/conf.d/default.conf:ro \
-v /home/podman/revproxy-pod/public:/usr/share/nginx/html \
-v /etc/letsencrypt/live/ydlprog.ddns.net/fullchain.pem:/etc/nginx/server.crt:ro \
-v /etc/letsencrypt/live/ydlprog.ddns.net/privkey.pem:/etc/nginx/server.key:ro \
docker.io/library/nginx:latest
Reverse proxy configuration (/home/podman/revproxy-pod/nginx/conf.d/default.conf, the file mounted into the container above)
# http
server {
    listen 80;
    listen [::]:80;
    server_name _;
    # Redirect every http request to https
    location / {
        return 301 https://$host$request_uri;
    }
}
# https
server {
    # "ssl on;" has been deprecated since nginx 1.15.0 and is rejected by
    # later releases; the ssl parameter of listen replaces it.
    listen 443 ssl;
    listen [::]:443 ssl;
    ssl_certificate /etc/nginx/server.crt;
    ssl_certificate_key /etc/nginx/server.key;
    server_name _;
    # Error page
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
    # Let's Encrypt http-01 challenge (unverified). With the mounts above this
    # root is /home/podman/revproxy-pod/public/letsencrypt on the host.
    location ^~ /.well-known/acme-challenge/ {
        root /usr/share/nginx/html/letsencrypt;
    }
    location = /.well-known/acme-challenge/ {
        return 404;
    }
    # Reverse proxy settings (inherited by every location below)
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Reverse proxy to the old DokuWiki pages
    location /ydlprog {
        proxy_pass http://10.0.30.1:30080/ydlprog;
    }
    # Reverse proxy to GitLab
    location /gitlab {
        client_max_body_size 1000M;
        proxy_pass http://10.0.40.1:22080/gitlab;
    }
    # Reverse proxy to WordPress
    location / {
        proxy_pass http://10.0.20.1:21080/;
    }
}
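The HTTPS block above works once `ssl on;` is replaced, but it still relies on nginx's default `ssl_protocols`, sends no HSTS header, and appends the client-supplied X-Forwarded-For with `$proxy_add_x_forwarded_for`, so anything a client puts in that header reaches the backends. As an added example that is not the page's own config, the script below prints a hardened version of the page's HTTPS server block (same paths, certificate locations and upstream addresses; the TLS, HSTS and X-Forwarded-For choices are this example's assumptions) and audits any nginx config file for the four settings the original depends on. The "before" block inside it is a constructed copy of the page's own lines, kept only so the audit has something to fail on.

```shell
#!/bin/sh
# Added example, not the page's own config. Prints a hardened replacement for
# the page's HTTPS server block and audits an nginx config for the settings
# that block relied on. TLS, HSTS and X-Forwarded-For choices are assumptions.
set -eu

# The page's HTTPS block as written (constructed sample for the audit below).
original_tls_conf() {
    cat <<'EOF'
server {
    ssl on;
    listen 443;
    listen [::]:443;
    ssl_certificate /etc/nginx/server.crt;
    ssl_certificate_key /etc/nginx/server.key;
    server_name _;
}
EOF
}

# Replacement block: "ssl on;" is gone (listen ... ssl), TLS 1.0/1.1 are off,
# HSTS is set because :80 already redirects everything, and X-Forwarded-For is
# overwritten with the real client address instead of appended to, so a
# client-supplied header cannot spoof the IP the backends log.
hardened_tls_conf() {
    cat <<'EOF'
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name _;
    ssl_certificate /etc/nginx/server.crt;
    ssl_certificate_key /etc/nginx/server.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Content-Type-Options nosniff always;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html { root /usr/share/nginx/html; }
    location ^~ /.well-known/acme-challenge/ { root /usr/share/nginx/html/letsencrypt; }
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $remote_addr;
    location /ydlprog { proxy_pass http://10.0.30.1:30080/ydlprog; }
    location /gitlab { client_max_body_size 1000M; proxy_pass http://10.0.40.1:22080/gitlab; }
    location / { proxy_pass http://10.0.20.1:21080/; }
}
EOF
}

# Audit an nginx config file: one finding per line on stderr, the count on stdout.
audit_tls_conf() {
    n=0
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$1"; then
        echo "ssl on; is deprecated: use 'listen 443 ssl;'" >&2; n=$((n + 1))
    fi
    if grep -Eq '^[[:space:]]*listen[[:space:]]+(\[::\]:)?443[[:space:]]*;' "$1"; then
        echo "listen 443 without the ssl parameter" >&2; n=$((n + 1))
    fi
    if ! grep -Eq '^[[:space:]]*ssl_protocols[[:space:]]+TLSv1\.2[[:space:]]+TLSv1\.3[[:space:]]*;' "$1"; then
        echo "ssl_protocols not limited to TLSv1.2 TLSv1.3" >&2; n=$((n + 1))
    fi
    if ! grep -q 'Strict-Transport-Security' "$1"; then
        echo "no Strict-Transport-Security header" >&2; n=$((n + 1))
    fi
    echo "$n"
}

# Usage: audit the file the container actually mounts, then print the replacement.
# audit_tls_conf /home/podman/revproxy-pod/nginx/conf.d/default.conf
# hardened_tls_conf > /home/podman/revproxy-pod/nginx/conf.d/default.conf
```

Setting X-Forwarded-For to `$remote_addr` is right only because this nginx is the edge; if another proxy is ever placed in front of it, switch back to `$proxy_add_x_forwarded_for` and use `set_real_ip_from` to trust that hop alone.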
Starting the reverse proxy
podman pod start revproxy-pod
Autostart configuration
Create unit files for autostart (podman generate systemd writes them into the current directory; locally generated units normally belong in /etc/systemd/system, since /usr/lib/systemd/system is reserved for package-installed units, and Podman 4.4 and later deprecate this command in favour of Quadlet)
# cd /usr/lib/systemd/system
# podman generate systemd --name revproxy-pod --files --restart-policy=always
/usr/lib/systemd/system/pod-revproxy-pod.service
/usr/lib/systemd/system/container-revproxy-nginx.service
Enable autostart
systemctl daemon-reload
systemctl enable pod-revproxy-pod.service
systemctl enable container-revproxy-nginx.service
Pod creation script
#! /bin/bash
PodName='revproxy'
# Remove the pod if it already exists
echo "Removing pod"
podman pod stop ${PodName}-pod
podman pod rm ${PodName}-pod
# Create the pod
echo "Creating pod"
podman pod create --name ${PodName}-pod -p 80:80 -p 443:443 --network=network-${PodName}
podman create --pod ${PodName}-pod --name ${PodName}-nginx \
-v /home/podman/${PodName}-pod/nginx/nginx.conf:/etc/nginx/nginx.conf:ro \
-v /home/podman/${PodName}-pod/nginx/conf.d/default.conf:/etc/nginx/conf.d/default.conf:ro \
-v /home/podman/${PodName}-pod/public:/usr/share/nginx/html \
-v /etc/letsencrypt/live/ydlprog.ddns.net/fullchain.pem:/etc/nginx/server.crt:ro \
-v /etc/letsencrypt/live/ydlprog.ddns.net/privkey.pem:/etc/nginx/server.key:ro \
docker.io/library/nginx:latest
# Start the pod
echo "Starting pod"
podman pod start ${PodName}-pod
echo "Finish!"
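Renewal is the step the certificate section and the script above leave open, and two things bite here. First, `certbot certonly --standalone` needs port 80, which the pod now owns, so renewals have to go through the `/.well-known/acme-challenge/` location instead. Second, `-v` on `/etc/letsencrypt/live/ydlprog.ddns.net/fullchain.pem` binds the archive file that symlink pointed at when the container was created; when certbot rotates the symlink to the next `fullchainN.pem`, the running container keeps serving the old certificate until the pod is recreated, and `nginx -s reload` does not help. The following script is an added example, not part of the page: it renews with `--webroot` and, as the deploy hook, runs the creation script only when the live symlink has actually moved. Assumptions not stated on the page: the creation script is saved as /home/podman/revproxy-pod/create-pod.sh, the webroot is the host side of the container's /usr/share/nginx/html/letsencrypt, and /var/lib/revproxy/mounted-cert is used to remember which archive file the running pod mounts.

```shell
#!/bin/sh
# Added example (not from the page): renew the certificate while the pod keeps
# ports 80/443, and recreate the pod only when certbot has rotated the live
# symlink to a new archive file. Script, webroot and state paths are assumptions;
# the letsencrypt and pod directories come from the page.
set -eu

LE_DIR="${LE_DIR:-/etc/letsencrypt}"
DOMAIN="${DOMAIN:-ydlprog.ddns.net}"
WEBROOT="${WEBROOT:-/home/podman/revproxy-pod/public/letsencrypt}"  # host side of /usr/share/nginx/html/letsencrypt
POD_SCRIPT="${POD_SCRIPT:-/home/podman/revproxy-pod/create-pod.sh}" # the creation script above (assumed path)
STATE_FILE="${STATE_FILE:-/var/lib/revproxy/mounted-cert}"          # archive file the running container holds

# Archive file that live/<domain>/fullchain.pem resolves to right now.
# certbot bumps the number (fullchain1.pem, fullchain2.pem, ...) on each renewal.
live_target() {
    readlink -f "$1/live/$2/fullchain.pem"
}

# True when the file bound into the container is no longer the live one.
mount_is_stale() {
    [ "$1" != "$2" ]
}

# Recreate the pod if needed and remember which archive file it now mounts.
deploy() {
    current=$(live_target "$LE_DIR" "$DOMAIN")
    if [ ! -f "$STATE_FILE" ] || mount_is_stale "$(cat "$STATE_FILE")" "$current"; then
        # "-v" bound the old archive file itself, so a reload would not pick
        # the new one up; the pod has to be created again.
        "$POD_SCRIPT"
        mkdir -p "$(dirname "$STATE_FILE")"
        printf '%s\n' "$current" > "$STATE_FILE"
    fi
}

renew() {
    # --webroot instead of --standalone: the pod owns port 80, and nginx
    # already serves /.well-known/acme-challenge/ from the mounted webroot.
    # certbot runs the deploy hook only when a certificate was actually issued.
    certbot renew --cert-name "$DOMAIN" --webroot -w "$WEBROOT" \
        --deploy-hook "$(readlink -f "$0") deploy"
}

case "${1:-}" in
    renew)  renew ;;
    deploy) deploy ;;
esac
```

Run it as `renew.sh renew` from cron or a systemd timer. If the pod is under the generated systemd units, have the hook restart `pod-revproxy-pod.service` rather than calling the creation script directly, or generate the units with `podman generate systemd --new` so the container is recreated from the unit on every start. Mounting the whole /etc/letsencrypt directory read-only instead of the two files is the other way out: nginx then follows the symlinks itself and a reload is enough.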