Docker 搭建 Nginx 并启用 HTTPS 具体部署流程

前言

一、目录结构设计

[二、构建 Nginx 镜像](#二、构建 Nginx 镜像)

[三、Docker Compose 配置](#三、Docker Compose 配置)

四、生成自签证书

[五、nginx.conf 配置](#五、nginx.conf 配置)

六、启动与验证

七、总结

八、附录

docker安装步骤

[docker compose安装步骤](#docker compose安装步骤)

前言

在现代微服务和容器化环境中,通过 Docker 部署 Nginx 并启用 HTTPS 已成为常见需求。本文将详细介绍从零搭建、配置自签证书到访问的完整流程,并提供可执行的命令示例。


一、目录结构设计

项目目录为 /opt/compose_nginx/,建议结构如下:

复制代码
/opt/compose_nginx/
├─ docker-compose.yml      # Docker Compose 配置
├─ nginx/                  # Dockerfile 或 Nginx 源码
├─ nginx.conf              # 自定义 Nginx 配置文件
├─ ssl/                    # 存放证书
│  ├─ private/
│  └─ certs/
└─ wwwroot/                # 网站根目录

这种结构清晰区分了配置、证书和网页内容,并方便通过挂载保持数据持久化。


二、构建 Nginx 镜像

如果希望自定义编译 Nginx 并启用 SSL 模块,可以使用 Dockerfile:

复制代码
#创建必要的文件夹以及配置文件
mkdir -p /opt/compose_nginx/nginx
mkdir -p /opt/compose_nginx/ssl/private
mkdir -p /opt/compose_nginx/ssl/certs
mkdir -p /opt/compose_nginx/wwwroot
cd /opt/compose_nginx/nginx
cp /etc/yum.repo.d/C* ./
cp /opt/nginx-1.20.2.tar.gz ./
touch /opt/compose_nginx/nginx.conf
echo "<h1>this is test web</h1>" > /opt/compose_nginx/wwwroot/index.html
-----------------------------------------------------------------------------
vim Dockerfile
​
FROM centos:7
MAINTAINER this is nginx image
RUN rm -rf /etc/yum.repos.d/*
ADD CentOS-Base.repo /etc/yum.repos.d/
RUN yum clean all && yum makecache && \
    yum install -y  pcre-devel zlib-devel gcc gcc-c++ make openssl-devel && \
    useradd -M -s /sbin/nologin nginx
ADD nginx-1.20.2.tar.gz /opt
WORKDIR /opt/nginx-1.20.2
RUN ./configure \
    --prefix=/usr/local/nginx \
    --user=nginx \
    --group=nginx \
    --with-http_stub_status_module \
    --with-http_ssl_module && \
    make && make install
ENV PATH /usr/local/nginx/sbin:$PATH
EXPOSE 80
EXPOSE 443
RUN echo "daemon off;" >> /usr/local/nginx/conf/nginx.conf
ADD run.sh /run.sh
RUN chmod 755 /run.sh
CMD ["/run.sh"]
------------------------------------------------------------------
vim run.sh
​
#!/bin/bash
/usr/local/nginx/sbin/nginx

如果使用官方 nginx:latest 镜像,可以省略编译步骤,直接挂载配置即可。


三、Docker Compose 配置

复制代码
cd /opt/compose_nginx
​
vim docker-compose.yml
​
version: '3'
services:
  nginx:
    container_name: web1
    hostname: nginx
    build:
      context: ./nginx
      dockerfile: Dockerfile
    ports:
      - 1216:80
      - 1217:443
    networks:
      lnmp:
        ipv4_address: 172.18.0.10
    volumes:
      - ./wwwroot:/usr/local/nginx/html
      - ./nginx.conf:/usr/local/nginx/conf/nginx.conf
      - ./ssl/private:/usr/local/nginx/ssl/private
      - ./ssl/certs:/usr/local/nginx/ssl/certs
networks:
  lnmp:
    driver: bridge
    ipam:
      config:
        - subnet: 172.18.0.0/24
-------------------------------------------------------------------------------- 
#这里写点东西以防启动报错,后面会改       
vim nginx.conf
​
#user  nobody;
worker_processes  1;
​
#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;
​
#pid        logs/nginx.pid;
​
​
events {
    worker_connections  1024;
}
​
​
http {
    include       mime.types;
    default_type  application/octet-stream;
​
    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';
​
    #access_log  logs/access.log  main;
​
    sendfile        on;
    #tcp_nopush     on;
​
    #keepalive_timeout  0;
    keepalive_timeout  65;
​
    #gzip  on;
​
    server {
        listen       80;
        server_name  localhost;
​
        #charset koi8-r;
​
        #access_log  logs/host.access.log  main;
​
        location / {
            root   html;
            index  index.html index.htm;
        }
​
        #error_page  404              /404.html;
​
        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
​
        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}
​
        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}
​
        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }
​
​
    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;
​
    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}
​
​
    # HTTPS server
    #
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;
​
    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;
​
    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;
​
    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;
​
    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}
​
}
daemon off;
--------------------------------------------------------------------
#执行命令,生成容器,注意先用docker pull centos:7,不然Dockerfile会报错
docker-compose -f docker-compose.yml up -d

说明:

  • volumes 保证网页目录、配置文件、证书挂载到容器,实现持久化

四、生成自签证书

复制代码
#先进入容器
docker exec -it web1 /bin/bash
​
#安装依赖包
yum install epel-release -y
yum install certbot python2-certbot-nginx -y
​
#生成密钥文件和证书签名请求
openssl genpkey -algorithm RSA -out /usr/local/nginx/ssl/private/nginx-selfsigned.key -pkeyopt rsa_keygen_bits:2048
​
openssl req -new -key /usr/local/nginx/ssl/private/nginx-selfsigned.key -out /usr/local/nginx/ssl/certs/nginx-selfsigned.csr
​
#生成自签名证书
openssl x509 -req -days 365 -in /usr/local/nginx/ssl/certs/nginx-selfsigned.csr -signkey /usr/local/nginx/ssl/private/nginx-selfsigned.key -out /usr/local/nginx/ssl/certs/nginx-selfsigned.crt

五、nginx.conf 配置

注:该配置在宿主机上操作

复制代码
​
#user  nobody;
worker_processes  1;
​
#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;
​
#pid        logs/nginx.pid;
​
​
events {
    worker_connections  1024;
}
​
​
http {
    include       mime.types;
    default_type  application/octet-stream;
​
    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';
​
    #access_log  logs/access.log  main;
​
    sendfile        on;
    #tcp_nopush     on;
​
    #keepalive_timeout  0;
    keepalive_timeout  65;
​
    #gzip  on;
​
    server {
        listen       443 ssl;
        server_name  localhost;
        ssl_certificate /usr/local/nginx/ssl/certs/nginx-selfsigned.crt;
        ssl_certificate_key /usr/local/nginx/ssl/private/nginx-selfsigned.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';
        ssl_prefer_server_ciphers on;
​
​
        #access_log  logs/host.access.log  main;
​
        location / {
            root   html;
            index  index.html index.htm;
        }
​
        #error_page  404              /404.html;
​
        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
​
        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}
​
        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}
​
        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }
​
​
    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;
​
    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}
​
​
    # HTTPS server
    #
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;
​
    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;
​
    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;
​
    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;
​
    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}
​
}
daemon off;

注意事项:

  • 使用挂载的证书路径,保证容器重启不会丢失

六、启动与验证

检查挂载是否生效

复制代码
docker inspect web1 | grep -A 10 Mounts

重载 Nginx 配置

复制代码
docker-compose down
docker-compose up -d

访问网站

复制代码
https://宿主机IP:1217
  • HTTPS → 自签证书会提示浏览器安全警告,可忽略

七、总结

  1. 挂载配置、证书和网站目录,容器重启不丢失数据

  2. 宿主机修改配置或证书,只需 Nginx reload

  3. 生成自签证书可以在宿主机或容器内完成,但挂载到宿主机更安全

  4. Docker Compose volume 修改后,必须重建容器才能生效

八、附录

docker安装步骤

复制代码
#安装依赖包
yum install -y yum-utils device-mapper-persistent-data lvm2
#设置阿里云镜像源
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
#安装Docker-CE
yum install -y docker-ce docker-ce-cli containerd.io
注意:如果是指定版本docker-ce-20.10.3
如:yum install -y docker-ce-20.10.3 docker-ce-cli-20.10.3 containerd.io
​
systemctl start docker.service

docker compose安装步骤

复制代码
#下载
curl -L https://github.com/docker/compose/releases/download/1.21.1/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
#安装
chmod +x /usr/local/bin/docker-compose
#查看版本
docker-compose --version
相关推荐
漫谈网络3 小时前
KVM创建的虚拟机,虚拟机的网卡是如何生成的
运维·服务器·网络·qemu·虚拟化·kvm
NiKo_W4 小时前
Linux 进程通信——匿名管道
linux·运维·服务器
zz-zjx4 小时前
Nginx 生产级知识架构树(按流量路径 + 运维维度组织)含生产常见错误
运维·nginx·架构
励志不掉头发的内向程序员6 小时前
【Linux系列】并发世界的基石:透彻理解 Linux 进程 — 进程状态
linux·运维·服务器·开发语言·学习
会飞的土拨鼠呀6 小时前
docker-compose 安装MySQL8.0.39
adb·docker·容器
养生技术人8 小时前
Oracle OCP认证考试题目详解082系列第50题
运维·数据库·sql·oracle·database·开闭原则
朱包林8 小时前
Prometheus监控K8S集群-ExternalName-endpoints-ElasticStack采集K8S集群日志实战
运维·云原生·容器·kubernetes·prometheus
谢语花8 小时前
【VS2022】LNK assimp64.lib找不到文件_openframework
android·运维·服务器
对着晚风做鬼脸8 小时前
MySQL 运维知识点(十五)---- 分库分表与MyCat
运维·数据库·mysql