Добрый день.
Уже несколько дней не получается настроить https на проекте.
Имеем:
- ubuntu 16.04
- Docker+Nginx
- yii2-starter-kit
Долго изучал мануалы и понял примерно следующий алгоритм:
1. Генерируем сертификаты certbot'ом
2. Настраиваем в docker доступ к файлам сертификата и порту 443
3. Настраиваем конфиг nginx, добавляя port 443 и путь до сертификатов.
4. Настраиваем env для yii, чтоб был доступ по https
Но, как только меняю добавляю в конфиг nginx пути сертификата - сайт становится не доступен, ни по http, ни по https.
Конфиги:
vhost.conf (конфиг nginx):
server {
server_name jekacompas.ml;
listen 80;
listen 443 ssl; # default_server;
# выше можно добавить default_server для клиентов без SNI
ssl_certificate /etc/letsencrypt/live/jekacompas.ml/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/jekacompas.ml/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/jekacompas.ml/chain.pem;
ssl_stapling on;
ssl_stapling_verify on;
#resolver 127.0.0.1 8.8.8.8;
# исключим возврат на http-версию сайта
add_header Strict-Transport-Security "max-age=31536000";
# явно "сломаем" все картинки с http://
add_header Content-Security-Policy "img-src https: data:; upgrade-insecure-requests";
root /app;
index index.php index.html;
charset utf-8;
location ~* ^.+\.(jpg|jpeg|gif|png|ico|css|pdf|ppt|txt|bmp|rtf|js)$ {
access_log off;
expires max;
}
location / {
root /frontend;
try_files $uri /frontend/web/index.php?$args;
}
location /backend {
try_files $uri /backend/web/index.php?$args;
}
# storage access
location /storage {
try_files $uri /storage/web/index.php?$args;
}
client_max_body_size 32m;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass php-fpm;
fastcgi_index index.php;
include fastcgi_params;
## Cache
# fastcgi_pass_header Cookie; # fill cookie valiables, $cookie_phpsessid for exmaple
# fastcgi_ignore_headers Cache-Control Expires Set-Cookie; # Use it with caution because it is cause SEO problems
# fastcgi_cache_key "$request_method|$server_addr:$server_port$request_uri|$cookie_phpsessid"; # generating unique key
# fastcgi_cache fastcgi_cache; # use fastcgi_cache keys_zone
# fastcgi_cache_path /tmp/nginx/ levels=1:2 keys_zone=fastcgi_cache:16m max_size=256m inactive=1d;
# fastcgi_temp_path /tmp/nginx/temp 1 2; # temp files folder
# fastcgi_cache_use_stale updating error timeout invalid_header http_500; # show cached page if error (even if it is outdated)
# fastcgi_cache_valid 200 404 10s; # cache lifetime for 200 404;
# or fastcgi_cache_valid any 10s; # use it if you want to cache any responses
}
}
## PHP-FPM Servers ##
upstream php-fpm {
server app:9000;
}
docker-compose.yml
version: "3"
services:
app:
build: docker/php
volumes:
- ./:/app
depends_on:
- db
- mailcatcher
env_file:
- .env
webpacker:
image: node:9-alpine
working_dir: /app
volumes:
- ./:/app
command: /bin/true
nginx:
image: nginx:1.12-alpine
ports:
- 80:80
- 443:443
volumes:
- ./:/app
- ./docker/nginx/vhost.conf:/etc/nginx/conf.d/vhost.conf
- /etc/letsencrypt/live/jekacompas.ml/fullchain.pem:/etc/letsencrypt/live/jekacompas.ml/fullchain.pem
- /etc/letsencrypt/live/jekacompas.ml/chain.pem:/etc/letsencrypt/live/jekacompas.ml/chain.pem
- /etc/letsencrypt/live/jekacompas.ml/privkey.pem:/etc/letsencrypt/live/jekacompas.ml/privkey.pem
depends_on:
- app
mailcatcher:
image: schickling/mailcatcher:latest
ports:
- 1080:1080
db:
image: mysql:5.7
volumes:
- /var/lib/mysql
- ./docker/mysql/config.cnf:/etc/mysql/conf.d/config.cnf
ports:
- 3306:3306
environment:
MYSQL_ROOT_PASSWORD: root
MYSQL_DATABASE: _
MYSQL_USER: _
MYSQL_PASSWORD: _
