Срок действия CA — 365 дней
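services:
  nginx:
    image: nginx:alpine
    restart: always
    # Quoted so the host:container pair can never be read as a YAML 1.1 number.
    ports:
      - "80:80"
      - "443:443"
    # NOTE(review): the "web" network is not declared in this fragment — it must
    # exist in a top-level networks: section for compose to start the stack.
    networks:
      - web
    volumes:
      # Certificates are written by the certbot service; nginx only reads them.
      - ./letsencrypt:/etc/letsencrypt:ro
      # NOTE(review): certbot writes challenge files under ./www/certbot, i.e.
      # /var/www/html/certbot here — the nginx config must map
      # /.well-known/acme-challenge/ onto that path for HTTP-01 to work.
      - ./www:/var/www/html
      # nginx never writes its own configuration — mount it read-only.
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./nginx/conf:/etc/nginx/conf.d:ro
      - ./nginx/logs:/var/log/nginx
    # Reloads nginx every 6h so renewed certificates are picked up without a restart;
    # "$$" is compose's escape for a literal "$" passed through to the shell.
    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
  certbot:
    image: certbot/certbot
    environment:
      # NOTE(review): PUID/PGID are a linuxserver.io image convention; the official
      # certbot/certbot image does not appear to read them — confirm they have any effect.
      - PGID=101
      - PUID=101
    volumes:
      # Needs write access: account key, issued certificates and renewal state live here.
      - ./letsencrypt:/etc/letsencrypt:rw
      - ./www/certbot:/var/www/certbot
    # Renewal loop: certbot only renews certificates that are close to expiry, so
    # running it twice a day is harmless. No restart policy is set, so the loop does
    # not come back after a host reboot unless started again.
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"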
// NOTE(review): CURLOPT_SSLCERT expects the path of a local client-certificate file
// (for a .p12 bundle also set CURLOPT_SSLCERTTYPE to 'P12' and give the passphrase
// via CURLOPT_SSLCERTPASSWD); an https:// URL here does not load a certificate.
// A client-certificate bundle that is reachable under a web path is exposed
// credential material — keep it on the filesystem outside the document root.
curl_setopt( $ch, CURLOPT_SSLCERT, 'https://interotkos.ru/admin/SSL/certificate_fbb854...' );
certificate_fbb85415-7416-4a5d-aa54-93321dc2306d.p12
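version: "3"
services:
  traefik:
    image: "traefik:v2.10"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
      # NOTE(review): api.insecure serves the dashboard/API on :8080 without any
      # authentication. The host port is not published below, but every container on
      # private_network can still reach it; drop the flag once debugging is done or put
      # the API behind a router with an auth middleware.
      - "--api.insecure=true"
      - "--providers.docker=true"
      # Only containers that opt in with traefik.enable=true are routed.
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      # Uncomment to test against the staging CA without hitting production rate limits.
      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=MYEMAIL@gmail.com"
      # acme.json holds the ACME account key and the certificate private keys; traefik
      # expects it to be mode 0600 and rejects looser permissions.
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
      # - "8080:8080"
    volumes:
      - "./letsencrypt:/letsencrypt"
      # ":ro" limits file access only, not the Docker API: whoever controls this
      # container still has full control of the Docker host through the socket.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    networks:
      private_network:
        ipv4_address: 10.2.0.120
  unbound:
    image: "mvance/unbound:1.17.0"
    container_name: unbound
    restart: unless-stopped
    hostname: "unbound"
    volumes:
      - "./unbound:/opt/unbound/etc/unbound/"
    networks:
      private_network:
        ipv4_address: 10.2.0.200
  wg-easy:
    depends_on: [unbound, adguardhome]
    environment:
      - WG_HOST=MYHOST_IP
      # The admin-UI password is taken from the environment (.env) instead of being
      # committed in this file; compose aborts with the message if it is unset.
      # (WG_PASSWORD is a variable name chosen here — any name works.)
      - PASSWORD=${WG_PASSWORD:?WG_PASSWORD must be set in .env}
      - WG_PORT=51820
      - WG_DEFAULT_ADDRESS=10.10.10.x
      # Clients resolve through AdGuard Home (10.2.0.100); its upstream is configured
      # in ./conf, presumably unbound at 10.2.0.200.
      - WG_DEFAULT_DNS=10.2.0.100
      # Full tunnel: the private network plus all IPv4 and IPv6 traffic.
      - WG_ALLOWED_IPS=10.2.0.0/24, 0.0.0.0/0, ::/0
      - WG_PERSISTENT_KEEPALIVE=25
      - WG_MTU=1280
    #image: ditek/wg-easy
    image: weejewel/wg-easy
    container_name: wg-easy
    volumes:
      # NOTE(review): this mounts the whole project directory (this file, ./letsencrypt,
      # ./unbound, ...) into the container read-write; a dedicated subdirectory would
      # limit what the container can read and modify — confirm nothing depends on the
      # current layout before changing it.
      - .:/etc/wireguard
    ports:
      - "51820:51820/udp"
      # The web UI (51821) is not published on the host; it is reached only through
      # traefik over TLS.
      # - "51821:51821/tcp"
    restart: unless-stopped
    # NET_ADMIN for interface/route setup; SYS_MODULE lets the container load the
    # wireguard kernel module on hosts where it is not already loaded.
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    dns:
      - 10.2.0.100
      - 10.2.0.200
    networks:
      private_network:
        ipv4_address: 10.2.0.3
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.vpn.rule=Host(`vpn.site.com`)"
      - "traefik.http.routers.vpn.entrypoints=websecure"
      - "traefik.http.routers.vpn.tls=true"
      - "traefik.http.routers.vpn.tls.certresolver=myresolver"
      - "traefik.http.services.vpn.loadbalancer.server.port=51821"
  adguardhome:
    depends_on: [unbound]
    image: adguard/adguardhome
    container_name: adguardhome
    restart: unless-stopped
    environment:
      - TZ=America/Los_Angeles
    volumes:
      - ./work:/opt/adguardhome/work
      - ./conf:/opt/adguardhome/conf
    networks:
      private_network:
        ipv4_address: 10.2.0.100
networks:
  private_network:
    ipam:
      driver: default
      config:
        - subnet: 10.2.0.0/24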
http {
    # Maps the client's Upgrade request header to the Connection header value sent
    # upstream: "upgrade" when the client asked for a protocol upgrade, "close"
    # when the header is absent.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }
    upstream websocket {
        # NOTE(review): 0.0.0.0 as a connect target is treated as loopback on Linux
        # but is non-portable; 127.0.0.1 is the conventional form — confirm intent.
        server 0.0.0.0:8831;
    }
}
server {
    # TLS on 443 only (no IPv6 listen); no ssl_protocols/ssl_ciphers are set here,
    # so the nginx defaults apply.
    listen 443 ssl;
    # NOTE(review): the certificate files are named syn-q.ru while server_name is
    # syqq.ru — verify the certificate actually covers the served hostname.
    ssl_certificate /etc/ssl/nginx/syn-q.ru.crt;
    ssl_certificate_key /etc/ssl/nginx/syn-q.ru.key;
    server_name syqq.ru;
    # WebSocket proxy: HTTP/1.1 plus the Upgrade/Connection pair is what lets the
    # handshake pass through. The $connection_upgrade map from the http{} block could
    # replace the literal "upgrade" so plain requests get "close" instead.
    location /websocket {
        proxy_pass http://websocket;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
    }
    # Auth backend on the host; the X-* headers let it see the real client address.
    location /auth {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_pass http://localhost:3000;
    }
}
# Webroot used for HTTP-01 challenges. certbot (run as root) writes the challenge
# files here; nginx serves them, so the tree is handed to the nginx user
# (www-data on Debian/Ubuntu).
sudo mkdir -p /var/www/cert_bot/.well-known/acme-challenge
sudo chown -R www-data:www-data /var/www/cert_bot
server {
    # Plain HTTP on IPv4 and IPv6; needed for the ACME HTTP-01 challenge.
    listen 80;
    listen [::]:80;
    server_name git.mydomain.com;
    root /var/www/cert_bot;
    # Challenge files are served straight from the webroot.
    location /.well-known/acme-challenge/ {
        access_log off;
        default_type "text/plain";
    }
    # NOTE(review): everything else is proxied to the app over plain HTTP. Once the
    # certificate exists (see the 443 server below) the usual next step is to
    # replace this location with a 301 to https://, keeping the challenge location.
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://localhost:8091;
    }
}
# Issue the certificate via the webroot plugin: certbot drops the challenge file
# into -w and Let's Encrypt fetches it through the port-80 server above.
# The email receives expiry/renewal notices; user@gmail.com is a placeholder.
sudo certbot certonly --webroot --agree-tos --email user@gmail.com -w /var/www/cert_bot/ -d git.mydomain.com
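server {
    # Accept both IPv4 and IPv6 on 443. ipv6only=on keeps the [::] socket from also
    # claiming the IPv4 port, so an explicit IPv4 listen is required — without it
    # IPv4 clients cannot reach the HTTPS site at all.
    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on;
    server_name git.mydomain.com;
    # certbot keeps the current files under live/<domain>/.
    ssl_certificate /etc/letsencrypt/live/git.mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/git.mydomain.com/privkey.pem;
    # certbot-provided TLS parameters (protocols, ciphers) and DH parameters.
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://localhost:8091;
    }
}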
сначала расшифровывает файл "sign.sha256" публичным ключом
## Ставим CertBot
# Debian/Ubuntu package; the nginx plugin is not needed for the webroot flow used below.
sudo apt-get install certbot
## Создаем папку
# Webroot for HTTP-01 challenges, owned by the nginx user (www-data on Debian/Ubuntu)
# so nginx can serve the files certbot drops here.
sudo mkdir -p /var/www/cert_bot/.well-known/acme-challenge
sudo chown -R www-data:www-data /var/www/cert_bot
## Создаем базовый конфиг в /etc/nginx/sites-enabled/default
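server {
    listen 80;
    # Catch-all: answers the ACME challenge for any hostname and redirects the rest.
    server_name _;
    root /var/www/cert_bot;
    # Must stay reachable over plain HTTP for HTTP-01 validation.
    location /.well-known/acme-challenge/ {
        access_log off;
        default_type "text/plain";
    }
    # Everything else goes to HTTPS. $host carries the name the client asked for;
    # with server_name "_" the variable $server_name would expand to a literal "_"
    # and produce an unusable redirect target.
    location / {
        return 301 https://$host$request_uri;
    }
}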
## Пробуем запросить сертификат
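# Dry run first: exercises the HTTP-01 challenge against the staging endpoint
# without consuming production rate limits. (--dry-run and --webroot are two
# separate flags and need the space between them.)
sudo certbot certonly --dry-run --webroot --agree-tos --email hostmaster@domain.com -w /var/www/cert_bot/ -d domain.com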
## Если все ок, запрашиваем без --dry-run
# Real issuance; the resulting files land in /etc/letsencrypt/live/domain.com/.
sudo certbot certonly --webroot --agree-tos --email hostmaster@domain.com -w /var/www/cert_bot/ -d domain.com
## Добавляем конфиг с SSL /etc/nginx/sites-enabled/domain-ssl
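server {
    # "ssl" on the listen line enables TLS; the old "ssl on;" directive is deprecated
    # and rejected by current nginx releases, so it is not used here.
    listen 443 ssl;
    server_name domain.com;
    # OCSP stapling.
    # NOTE(review): ssl_stapling_verify normally also needs ssl_trusted_certificate
    # and a resolver directive to work; check with `openssl s_client -status`.
    ssl_stapling on;
    ssl_stapling_verify on;
    # certbot keeps the current certificate and key under live/<domain>/.
    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
    #ssl_dhparam /etc/nginx/dhparam.pem;
    root /var/www/html;
}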
## Добавляем в крон автообновление сертификата
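# Edit root's crontab: certbot needs root to read the account key and write
# /etc/letsencrypt.
sudo crontab -e -u root
# Run renewal at 00:00 on the 10th and 25th; certbot only renews certificates that
# are close to expiry. The deploy hook makes nginx load the new certificate —
# without it the renewed files sit on disk until the next nginx reload or restart.
# NOTE(review): assumes a systemd host. The Debian/Ubuntu certbot package also ships
# its own systemd timer, so this cron entry may be redundant — confirm.
0 0 10,25 * * certbot renew --deploy-hook "systemctl reload nginx"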
# Bind on all interfaces so the app is reachable from other containers (nginx proxies
# to app:8095). debug=False is the right production setting: with a Flask/Werkzeug app
# the debugger would otherwise serve an interactive console on error pages.
# NOTE(review): `app` is defined elsewhere — assumed to be a Flask/Werkzeug app.
app.run(host='0.0.0.0', port=8095, debug=False)
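services:
  app:
    # NOTE(review): no image/build for app in this fragment — assumed to be an
    # override file layered on a base compose file.
    command: python wsgi_docker.py
  nginx:
    volumes:
      # The TLS material is only read by nginx; mount it read-only.
      - ./file_setting/fullchain.pem:/etc/nginx/fullchain.pem:ro
      - ./file_setting/privkey.pem:/etc/nginx/privkey.pem:ro
    build: ./nginx
    container_name: t_nginx
    restart: always
    # Host 80/443 map to the non-standard container ports nginx listens on (95/96).
    # Quoted so the host:container pair is never parsed as a YAML 1.1 number.
    ports:
      - "80:95"
      - "443:96"
    depends_on:
      - app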
# Plain-HTTP listener (host port 80 → 95): redirect everything to HTTPS.
server {
    listen 95;
    server_name my_domain.ru www.my_domain.ru;
    return 301 https://$host$request_uri;
}
# TLS listener (host port 443 → 96), proxying to the app container.
server {
    listen 96 ssl;
    server_name my_domain.ru www.my_domain.ru;
    # Relative paths resolve against the nginx prefix (/etc/nginx in the official
    # image), matching the compose bind mounts of fullchain.pem / privkey.pem.
    ssl_certificate fullchain.pem;
    ssl_certificate_key privkey.pem;
    # HTTP/1.1 with Upgrade/Connection passed through so WebSocket handshakes work.
    location / {
        proxy_pass "http://app:8095/";
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
    }
}
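services:
  # NOTE(review): image/build for the app services are not in this fragment —
  # assumed to come from a base compose file this one overrides.
  app1:
    command: python wsgi_docker.py
  app2:
    command: python wsgi_docker.py
  app3:
    command: python wsgi_docker.py
  nginx:
    # Host 80/443 map to the container ports nginx listens on (95/96); quoted so the
    # host:container pair is never parsed as a YAML 1.1 number.
    ports:
      - "80:95"
      - "443:96"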
server {
    listen 96 ssl;
    server_name my_domain.ru www.my_domain.ru;
    # Relative paths resolve against the nginx prefix (/etc/nginx in the official
    # image), matching the compose bind mounts of fullchain.pem / privkey.pem.
    ssl_certificate fullchain.pem;
    ssl_certificate_key privkey.pem;
    # NOTE(review): with prefix "location /app1" and a proxy_pass URI of "/", a request
    # for /app1/x is forwarded as "//x" (the matched prefix is swapped for "/"), and
    # /app1x also matches. "location /app1/" with the same proxy_pass is the usual form;
    # confirm which paths the apps expect. The same applies to /app2 and /app3.
    # The three locations differ only in the upstream; the shared header lines could
    # move into an include file.
    location /app1 {
        proxy_pass "http://app1:8095/";
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
    }
    location /app2 {
        proxy_pass "http://app2:8095/";
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
    }
    location /app3 {
        proxy_pass "http://app3:8095/";
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
    }
}
# Self-signed server certificate plus an unencrypted private key (-nodes), valid for
# ten years, with SANs for both hostnames and the internal IP. Modern clients ignore
# the CN and match on subjectAltName, so the -addext entry is what makes the
# certificate usable.
# NOTE(review): -addext needs OpenSSL 1.1.1 or newer — confirm on the build host.
# A ten-year lifetime means a leaked key stays usable for a long time; keep
# example.key readable only by the service that terminates TLS.
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
  -keyout example.key -out example.crt -subj "/CN=myawsdomain.com" \
  -addext "subjectAltName=DNS:www.myawsdomain.com,DNS:myawsdomain.com,IP:10.11.10.11"