Docker: nginx-proxy with ssl backend

I am currently in the process of containerizing wordpress apps for development.

And that has been going reasonably well so far :)

At the moment I am using one docker-compose.yml file (and some configs) per app.

Each app consists of an nginx-webserver, a database and wordpress with fpm (example docker-compose.yml below).

Each app handles its ssl on its own and I have confirmed that it works.

The next step in my masterplan is to use an nginx reverse proxy to have all app containers up at the same time without the need to use different ports on the host.

As I understand jwilder/nginx-proxy is the best tool for the job.

So I was thinking - and please correct me if that is not best practice - that I could create a compose.yml file for the nginx-proxy that could run all the time and that would expose ports 80 and 443 to the host while automatically generating the nginx-configs for every container I spin up afterwards.

version: '3.6'

services:
  nginx-proxy:
    image: jwilder/nginx-proxy
    container_name: nginx_proxy
    ports:
      - '80:80'
      - '443:443'
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro

networks:
  default:
    external:
      name: nginx-proxy

I tried that with an nginx-proxy which exposed port 80 to the host and a wordpress app set up in its own docker-compose.yml file using the mariadb:latest and wordpress:latest images.

That did indeed work simply by adding expose: - 80 and the VIRTUAL_HOST environment variable.

But I don't quite get how to use the reverse proxy in front of my aforementioned wordpress apps.

The documentation states this:

SSL Backends

If you would like the reverse proxy to connect to your backend using HTTPS instead of HTTP, set VIRTUAL_PROTO=https on the backend container.

Note: If you use VIRTUAL_PROTO=https and your backend container exposes port 80 and 443, nginx-proxy will use HTTPS on port 80. This is almost certainly not what you want, so you should also include VIRTUAL_PORT=443.

So I tried adding these environment variables to the app's docker-compose.yml file, specifically on the nginx service inside it, and added exposed ports 80 and 443.

version: '3.6'
services:

  wordpress:
    image: wordpress:4.7.2-php7.1-fpm
    volumes:
      - ../public:/var/www/html
    environment:
      - WORDPRESS_DB_NAME=${WORDPRESS_DB_NAME:-wordpress}
      - WORDPRESS_TABLE_PREFIX=${WORDPRESS_TABLE_PREFIX:-wp_}
      - WORDPRESS_DB_HOST=${WORDPRESS_DB_HOST:-mysql}
      - WORDPRESS_DB_USER=${WORDPRESS_DB_USER:-root}
      - WORDPRESS_DB_PASSWORD=${WORDPRESS_DB_PASSWORD:-password}
    depends_on:
      - db
    restart: always

  db:
    image: mariadb:${MARIADB_VERSION:-latest}
    volumes:
      - tss-data:/var/lib/mysql
      # - ./db:/docker-entrypoint-initdb.d/
    environment:
      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD:-password}
      - MYSQL_USER=${MYSQL_USER:-root}
      - MYSQL_PASSWORD=${MYSQL_PASSWORD:-password}
      - MYSQL_DATABASE=${MYSQL_DATABASE:-wordpress}
    restart: always

  nginx:
    image: nginx:${NGINX_VERSION:-latest}
    container_name: nginx
    volumes:
      - ${NGINX_CONF_DIR:-./nginx}:/etc/nginx/conf.d
      - ${NGINX_LOG_DIR:-./logs/nginx}:/var/log/nginx
      - ${WORDPRESS_DATA_DIR:-./wordpress}:/var/www/html
      - ${SSL_CERTS_DIR:-./certs}:/etc/letsencrypt
      - ${SSL_CERTS_DATA_DIR:-./certs-data}:/data/letsencrypt
    environment:
      # list-form entries must be KEY=value; a bare 'KEY:value' string has no '='
      # and is read by compose as a variable name to inherit from the host shell,
      # so nginx-proxy would never see these values
      - VIRTUAL_HOST=local.my-app.com
      - VIRTUAL_PROTO=https
      - VIRTUAL_PORT=443
    expose:
      - 80
      - 443
    depends_on:
      - wordpress
    restart: always

volumes:
  tss-data:

networks:
  default:
    external:
      name: nginx-proxy

Alas, if I try to browse to local.my-app.com on port 80 I get 503 Service Temporarily Unavailable.

If I try on port 443 the nginx reverse proxy does not respond at all.

I feel like I am missing something fairly obvious but I can't seem to find it and I would really appreciate any thoughts on the matter.

asked by j4g0

1 Reply

In the end, I opted to not handle the SSL encryption in each individual app.

But instead I changed the reverse proxy to

version: '3.6'

services:
  nginx-proxy:
    image: jwilder/nginx-proxy:alpine
    container_name: nginx_proxy
    ports:
      - '80:80'
      - '443:443'
    volumes:
      - ./certs:/etc/nginx/certs
      - /var/run/docker.sock:/tmp/docker.sock:ro
    restart: unless-stopped

networks:
  default:
    external:
      name: nginx-proxy

So now I can reach each app on port 80 until I add a cert for it, in which case it becomes reachable on port 443.
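As an added example (not code from the question, the answer or the nginx-proxy project), the following Python pre-flight check covers the two things this thread turns on: the environment entries of the question's nginx service, where a bare KEY:value string has no '=' and is therefore inherited from the host shell instead of being passed to nginx-proxy (which then answers its default 503), together with the documented VIRTUAL_PROTO=https / VIRTUAL_PORT=443 note; and the answer's approach of terminating TLS at the proxy, where nginx-proxy enables HTTPS for a host only once <certs dir>/<VIRTUAL_HOST>.crt and <certs dir>/<VIRTUAL_HOST>.key exist. It assumes the service's environment list and exposed ports are handed to it as Python lists (no YAML parsing), and the sample entries and placeholder certificate files it builds are constructed, not real PEM material.

```python
"""Pre-flight checks for a backend service behind jwilder/nginx-proxy (added example)."""
import stat
import tempfile
from pathlib import Path

# Constructed sample inputs: the environment list as posted in the question
# (colons instead of '=') and the corrected form, plus the exposed ports.
POSTED_ENV = ["VIRTUAL_HOST:local.my-app.com", "VIRTUAL_PROTO:https", "VIRTUAL_PORT:443"]
FIXED_ENV = ["VIRTUAL_HOST=local.my-app.com", "VIRTUAL_PROTO=https", "VIRTUAL_PORT=443"]
EXPOSED_PORTS = [80, 443]


def parse_env(entries):
    """Split list-form environment entries the way compose does.

    'KEY=value' -> ('KEY', 'value'); a bare 'KEY' with no '=' -> ('KEY', None),
    meaning compose inherits the value from the host shell at `up` time.
    """
    env = {}
    for entry in entries:
        key, sep, value = entry.partition("=")
        env[key] = value if sep else None
    return env


def lint_proxy_env(entries, exposed_ports):
    """Return a list of findings for the nginx-proxy settings; [] means clean."""
    findings = []
    env = parse_env(entries)
    for key, value in env.items():
        if value is None:
            findings.append(f"'{key}' has no '=': compose inherits it from the host "
                            "shell, nginx-proxy will not see a value for it")
    if not env.get("VIRTUAL_HOST"):
        findings.append("VIRTUAL_HOST is unset: nginx-proxy will not route to this "
                        "container and answers 503 for the host name")
    ports = {int(p) for p in exposed_ports}
    if env.get("VIRTUAL_PROTO") == "https":
        port = env.get("VIRTUAL_PORT")
        if port is None and len(ports) > 1:
            findings.append("VIRTUAL_PROTO=https with several exposed ports and no "
                            "VIRTUAL_PORT: the docs warn the proxy will use HTTPS on port 80")
        elif port is not None and int(port) not in ports:
            findings.append(f"VIRTUAL_PORT={port} is not among the exposed ports {sorted(ports)}")
    return findings


def check_cert_pair(certs_dir, host):
    """Findings about the <host>.crt/<host>.key pair nginx-proxy expects in certs_dir."""
    findings = []
    crt = Path(certs_dir) / f"{host}.crt"
    key = Path(certs_dir) / f"{host}.key"
    if not (crt.is_file() and key.is_file()):
        findings.append(f"no {crt.name}/{key.name} in {certs_dir}: "
                        f"nginx-proxy serves only plain HTTP for {host}")
        return findings
    mode = stat.S_IMODE(key.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{key.name} is mode {mode:o}: private key readable by group/others")
    return findings


def demo():
    """Run the checks on the constructed inputs; returns the findings per case."""
    host = "local.my-app.com"
    results = {
        "posted_env": lint_proxy_env(POSTED_ENV, EXPOSED_PORTS),
        "fixed_env": lint_proxy_env(FIXED_ENV, EXPOSED_PORTS),
        "no_virtual_port": lint_proxy_env(FIXED_ENV[:2], EXPOSED_PORTS),
    }
    with tempfile.TemporaryDirectory() as certs:
        results["no_cert"] = check_cert_pair(certs, host)
        # Placeholder files stand in for a real pair (constructed, not real PEM).
        (Path(certs) / f"{host}.crt").write_text("placeholder cert\n")
        key = Path(certs) / f"{host}.key"
        key.write_text("placeholder key\n")
        key.chmod(0o644)
        results["loose_key"] = check_cert_pair(certs, host)
        key.chmod(0o600)
        results["ok_cert"] = check_cert_pair(certs, host)
    return results


if __name__ == "__main__":
    for case, findings in demo().items():
        print(f"{case}: {'clean' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

Running the script prints four findings for the posted environment (three entries without '=' plus the resulting missing VIRTUAL_HOST), none for the corrected one, one when VIRTUAL_PORT is left out with VIRTUAL_PROTO=https, and, for the certs directory, one finding while the pair is missing and one while the key is readable by others.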