Starting Nginx with Docker and configuring automatic SSL certificate renewal
1. FastAPI test demo
docker run -p 8068:8088 registry.cn-hangzhou.aliyuncs.com/spider_tie/api_test:2 python api_zhenzhi.py
After the container is running, open port 8068 in the security group.
Requesting the port returns:
{"message": "臻致测试接口"}
1.1 Starting Nginx with Docker
docker run --name nginx_1 -p 80:80 -p 443:443 \
-v /usr/local/nginx/conf/nginx.conf:/etc/nginx/nginx.conf \
-v /usr/local/nginx/logs:/var/log/nginx \
-v /usr/local/nginx/ssl:/etc/nginx/ssl \
--restart=always -d nginx
The Nginx configuration file, nginx.conf, is as follows:
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 4096;

    # include /etc/nginx/mime.types;
    # default_type application/octet-stream;
    #gzip on;
    #include /etc/nginx/conf.d/*.conf;

    server {
        listen 80;
        listen [::]:80;
        #server_name _;
        #root /usr/share/nginx/html;
        server_name tieyongjie.cn;

        location ^~ /.well-known/acme-challenge/ {
            allow all;                      # allow all client IPs
            root /usr/share/nginx/html;     # must match the webroot path mounted into the container
            try_files $uri $uri/ =404;
        }

        location / {
            proxy_pass http://1.95.141.8:8068;   # points at the Docker container's port 8068
            # proxy_set_header Host $host:$server_port;
            proxy_set_header X-Real-IP $remote_addr;
        }

        location /api/ {                         # note the trailing slash
            proxy_pass http://1.95.141.8:8068;
            proxy_set_header Host $host:$server_port;
            proxy_set_header X-Real-IP $remote_addr;
        }

        # Load configuration files for the default server block.
        # include /etc/nginx/default.d/*.conf;

        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }

        # return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;
        server_name tieyongjie.cn;
        ssl_certificate /etc/letsencrypt/live/tieyongjie.cn/fullchain.pem;    # path to the SSL certificate (pem)
        ssl_certificate_key /etc/letsencrypt/live/tieyongjie.cn/privkey.pem;  # path to the SSL certificate key

        location / {
            proxy_pass http://113.44.32.209:8090;   # points at the Docker container's port 8090
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }
    }
}
1.2 Starting with docker-compose
docker-compose.yml
The configuration file is as follows:
version: '3.8'

services:
  nginx:
    image: registry.cn-hangzhou.aliyuncs.com/devops_de/nginx:latest
    container_name: nginx
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # mount the custom Nginx configuration
      - ./nginx/conf/nginx.conf:/etc/nginx/nginx.conf
      # mount the shared SSL certificate volume
      - nginx_ssl:/etc/letsencrypt
      # mount the webroot directory used for Certbot validation
      - nginx_webroot:/usr/share/nginx/html
    networks:
      - webnet

  certbot:
    image: registry.cn-hangzhou.aliyuncs.com/devops_de/certbot
    container_name: certbot
    volumes:
      # shared SSL certificate volume, so Certbot writes certificates where Nginx can read them
      - nginx_ssl:/etc/letsencrypt
      # shared webroot directory; Certbot places its validation files here
      - nginx_webroot:/var/www/html
    # this container does not need to run permanently; it is started only when a renewal is needed
    command: certonly --webroot --webroot-path=/var/www/html --email 1042798703@qq.com --agree-tos --no-eff-email -d tieyongjie.cn -d tieyongjie.cn --dry-run
    # Note: keep the --dry-run flag for the first test run to avoid hitting Let's Encrypt's rate limits.
    # Once the test succeeds, remove --dry-run and run again to obtain the real certificate.
    networks:
      - webnet

# shared volumes
volumes:
  nginx_ssl:      # shares the SSL certificates
  nginx_webroot:  # shares the webroot validation files

networks:
  webnet:
Reload the Nginx configuration:
docker-compose exec nginx nginx -s reload
2. Generating the certificate with certbot
docker-compose run --rm certbot
First run it with
command: certonly --webroot --webroot-path=/var/www/html --email 1042798703@qq.com --agree-tos --no-eff-email -d tieyongjie.cn -d tieyongjie.cn --dry-run
which returns a successful response:
[root@hcss-ecs-9b96 certbot]# docker-compose run --rm certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Simulating a certificate request for tieyongjie.cn
The dry run was successful.
Then remove --dry-run and run it again to obtain the real certificate.
2.1 Finding the certificate path
# 1. Find the volume's actual name
docker volume ls | grep nginx_ssl
# Output looks like: yourprojectname_nginx_ssl
# 2. Inspect that volume's details and look for "Mountpoint"
docker volume inspect certbot_nginx_ssl
Tested on my server as follows:
[root@hcss-ecs-9b96 nginx_ssl]# docker volume inspect nginx_ssl
[]
Error response from daemon: get nginx_ssl: no such volume
[root@hcss-ecs-9b96 nginx_ssl]# docker volume inspect certbot_nginx_ssl
[
    {
        "CreatedAt": "2025-09-15T16:57:10+08:00",
        "Driver": "local",
        "Labels": {
            "com.docker.compose.project": "certbot",
            "com.docker.compose.version": "2.5.0",
            "com.docker.compose.volume": "nginx_ssl"
        },
        "Mountpoint": "/var/lib/docker/volumes/certbot_nginx_ssl/_data",
        "Name": "certbot_nginx_ssl",
        "Options": null,
        "Scope": "local"
    }
]
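The lookup above fails for `nginx_ssl` and succeeds for `certbot_nginx_ssl` because Compose prefixes every named volume with the project name, which defaults to the name of the directory holding docker-compose.yml (`/root/certbot` in the cron line later on). The following shell script is an added example, not part of the original post: it derives the prefixed volume name the way Compose does, reads the mountpoint with `docker volume inspect --format` instead of hand-parsing the JSON, and runs a pre-flight check of the ACME webroot wiring (a token written into the nginx container's `/usr/share/nginx/html/.well-known/acme-challenge/` must come back over plain HTTP at the domain) before `certbot certonly` is run without `--dry-run`. The domain, project directory and container paths are taken from the post; the script name, the token file name and the sub-command names are assumptions. Note that in the plain `docker run` form of 1.1 the certificate directory is mounted at `/etc/nginx/ssl`, while nginx.conf reads `/etc/letsencrypt/live/...`; only the Compose form in 1.2 mounts the shared volume at the path nginx.conf expects.

```shell
#!/bin/sh
# Added example (not from the original post). Locates the Compose-managed certificate
# volume and checks the ACME webroot plumbing before requesting a real certificate.
set -eu

PROJECT_DIR="${PROJECT_DIR:-/root/certbot}"   # directory holding docker-compose.yml (from the post's cron line)
DOMAIN="${DOMAIN:-tieyongjie.cn}"             # domain from the post
# Webroot path inside the nginx container, as in the post's nginx.conf and the
# nginx_webroot volume mount in docker-compose.yml.
NGINX_WEBROOT=/usr/share/nginx/html
TOKEN="preflight-$$"                          # assumed, throwaway challenge file name

# Compose default project name: basename of the project directory, lowercased,
# with every character other than [a-z0-9_-] removed. /root/certbot -> "certbot".
compose_project_name() {
    basename "$1" | tr 'A-Z' 'a-z' | sed 's/[^a-z0-9_-]//g'
}

# Full volume name as Compose creates it: <project>_<volume>, e.g. certbot_nginx_ssl.
compose_volume_name() {
    printf '%s_%s\n' "$(compose_project_name "$1")" "$2"
}

# Host path behind a named volume; --format avoids parsing the JSON shown in 2.1.
volume_mountpoint() {
    docker volume inspect --format '{{ .Mountpoint }}' "$1"
}

# The URL certbot's HTTP-01 validation fetches for a given challenge file name.
acme_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Write a token through the nginx container and read it back over HTTP from the
# domain. If this fails, certbot --webroot will fail for the same reason.
acme_preflight() {
    cd "$PROJECT_DIR"
    docker-compose exec -T nginx sh -c \
        "mkdir -p $NGINX_WEBROOT/.well-known/acme-challenge && printf '%s' '$TOKEN' > $NGINX_WEBROOT/.well-known/acme-challenge/$TOKEN"
    got=$(curl -fsS "$(acme_url "$DOMAIN" "$TOKEN")") || got=""
    docker-compose exec -T nginx rm -f "$NGINX_WEBROOT/.well-known/acme-challenge/$TOKEN"
    if [ "$got" = "$TOKEN" ]; then
        echo "ACME webroot OK: $(acme_url "$DOMAIN" "$TOKEN") served the token"
    else
        echo "ACME webroot check FAILED: expected '$TOKEN', got '$got'" >&2
        return 1
    fi
}

# Print where the certificate volume lives on the host and what is in it.
show_certs() {
    vol=$(compose_volume_name "$PROJECT_DIR" nginx_ssl)
    dir=$(volume_mountpoint "$vol")
    echo "certificate volume $vol is mounted at $dir"
    ls -l "$dir/live/$DOMAIN/" 2>/dev/null || echo "no certificate for $DOMAIN yet (run certbot first)"
}

case "${1:-}" in
    preflight) acme_preflight ;;
    certs)     show_certs ;;
esac
```

Run `sh acme-check.sh preflight` as root on the host before the real `docker-compose run --rm certbot`, and `sh acme-check.sh certs` afterwards to confirm `fullchain.pem` and `privkey.pem` exist under `live/tieyongjie.cn/` in the volume. The project-name normalisation only matters if the compose directory is renamed or contains upper-case or punctuation characters; it reproduces the `certbot_` prefix seen in the output above.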
3. Setting up automatic renewal with certbot
1. Edit the crontab on the host
sudo crontab -e
2. Add the following line (for example, to check once a day at 02:30):
# Note: you need to change into your project directory before running the commands
30 2 * * * cd /root/certbot && docker-compose run --rm certbot renew && docker-compose exec nginx nginx -s reload
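The cron line above runs `certbot renew` once a day and reloads Nginx every time, whether or not a certificate was actually renewed, and with some docker-compose versions `exec` fails under cron with an input-device-is-not-a-TTY error unless `-T` is given. The following shell script is an added example, not part of the original post: it wraps the same two commands, reloads Nginx only when the certificate file changed, validates the configuration with `nginx -t` first so a broken reload cannot take the site down, and warns when the certificate is within 14 days of expiry, which means renewals have been failing silently. The project directory, domain and volume mountpoint are taken from the post; the script name, the `run` sub-command and the 14-day threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): renewal wrapper for the cron job in
# section 3. Reloads Nginx only when certbot actually wrote a new certificate.
set -eu

PROJECT_DIR="${PROJECT_DIR:-/root/certbot}"   # compose project directory (from the post's cron line)
DOMAIN="${DOMAIN:-tieyongjie.cn}"             # domain from the post
# Mountpoint reported by `docker volume inspect certbot_nginx_ssl` in section 2.1
SSL_DIR="${SSL_DIR:-/var/lib/docker/volumes/certbot_nginx_ssl/_data}"
CERT="$SSL_DIR/live/$DOMAIN/fullchain.pem"    # missing until the first certonly run succeeds

# Checksum of a file, used as a cheap "did the certificate change" fingerprint.
# cksum is POSIX, so this runs wherever sh does (sha256sum would also do on Linux).
fingerprint() {
    cksum "$1" | cut -d' ' -f1
}

# Returns 0 (true) when the two fingerprints differ, i.e. certbot replaced the file.
cert_changed() {
    [ "$1" != "$2" ]
}

# Returns 0 when the certificate stays valid for at least $2 more days.
# openssl's -checkend exits non-zero if the certificate expires within that window.
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

renew_and_reload() {
    cd "$PROJECT_DIR"
    before=$(fingerprint "$CERT")
    docker-compose run --rm certbot renew
    after=$(fingerprint "$CERT")

    if cert_changed "$before" "$after"; then
        # -T: no pseudo-TTY, because cron does not provide one
        docker-compose exec -T nginx nginx -t
        docker-compose exec -T nginx nginx -s reload
        echo "certificate renewed, nginx reloaded"
    else
        echo "certificate unchanged, nothing to reload"
    fi

    # Let's Encrypt certificates last 90 days and certbot renews them with 30 days
    # left, so fewer than 14 days remaining means renewals have been failing.
    if ! cert_valid_for_days "$CERT" 14; then
        echo "WARNING: $CERT expires in under 14 days; check /var/log/letsencrypt in the certbot volume" >&2
        return 1
    fi
}

# The pipeline only runs when invoked with "run", so the functions can be sourced
# and tested without touching docker.
case "${1:-}" in
    run) renew_and_reload ;;
esac
```

Save it as `/root/certbot/renew.sh` and replace the cron command with `sh /root/certbot/renew.sh run`; cron mails the WARNING line to root when the expiry check fails, which is the signal to look at the certbot output by hand.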