2

我正在尝试在运行 ubuntu 的 AWS EC2 上托管 API,并且通信需要通过 HTTPS

我正在 R 中构建代码并使用 Plumber 创建 API 并构建 docker 映像

  1. 首先我构建图像:

    docker build github.com/eaoestergaard/UNPIE -t eaoestergaard/unpie

  2. 然后在 8001 端口运行镜像

    docker run -d -p 8001:8000 --name unpie1 eaoestergaard/unpie

  3. 然后我按照这个(很棒的)指南使用 Let's Encrypt 和 Certbot 设置 nginx,但用我的 API 替换生产站点

我的 docker-compose.yml 看起来像这样

    version: '3.1'

    services:

      production-nginx-container:
        container_name: 'production-nginx-container'
        image: nginx:latest
        ports:
          - "80:80"
          - "443:443"
        volumes:
          - ./production.conf:/etc/nginx/conf.d/default.conf
          - ./production-site:/usr/share/nginx/html
          - ./dh-param/dhparam-2048.pem:/etc/ssl/certs/dhparam-2048.pem
          - /docker-volumes/etc/letsencrypt/live/example.com/fullchain.pem:/etc/letsencrypt/live/example.com/fullchain.pem
          - /docker-volumes/etc/letsencrypt/live/example.com/privkey.pem:/etc/letsencrypt/live/example.com/privkey.pem
        networks:
          - docker-network
        depends_on:
          - unpie1

      unpie1:
        image: eaoestergaard/unpie
        restart: always
        ports:
         - "7001:8000"


    networks:
      docker-network:
        driver: bridge

还有我的 Nginx 配置文件 production.conf

    server {
        listen      80;
        listen [::]:80;
        server_name example.com www.example.com;

        location ^~ /.well-known/acme-challenge {
            root   /usr/share/nginx/html;
            default_type text/plain;
            allow all;
        }

        location / {
            rewrite ^ https://$host$request_uri? permanent;
        }
    }

    #https://example.com
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name example.com;

        server_tokens off;

        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

        ssl_buffer_size 8k;

        ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;

        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_prefer_server_ciphers on;

        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

        ssl_ecdh_curve secp384r1;
        ssl_session_tickets off;

        # OCSP stapling
        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 8.8.8.8;

        location ^~ /.well-known/acme-challenge {
            root   /usr/share/nginx/html;
            default_type text/plain;
            allow all;
        }

        location /unpie1/ {
                            proxy_pass http://unpie1:8000/;
                            proxy_set_header Host $host;
                    }

        return 301 https://www.example.com$request_uri;
    }

    #https://www.example.com
    server {
        server_name www.example.com;
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        server_tokens off;

        ssl on;

        ssl_buffer_size 8k;
        ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;

        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

        ssl_ecdh_curve secp384r1;
        ssl_session_tickets off;

        # OCSP stapling
        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 8.8.8.8 8.8.4.4;

        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

        location ^~ /.well-known/acme-challenge {
            root   /usr/share/nginx/html;
            default_type text/plain;
            allow all;
        }

        location / {
            #security headers
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
            add_header X-XSS-Protection "1; mode=block" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-Frame-Options "DENY" always;
            #CSP
            add_header Content-Security-Policy "frame-src 'self'; default-src 'self'; script-src 'self' 'unsafe-inline' https://maxcdn.bootstrapcdn.com https://ajax.googleapis.com; img-src 'self'; style-src 'self' https://maxcdn.bootstrapcdn.com; font-src 'self' data: https://maxcdn.bootstrapcdn.com; form-action 'self'; upgrade-insecure-requests;" always;
            add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        }

        root /usr/share/nginx/html;
        index index.html;
    }

两者都是在水管工文档第 7.4.2 节的启发下创建的

  1. 然后启动 docker 容器

cd /docker/letsencrypt-docker-nginx/src/production

sudo docker-compose up -d

我可以通过 http 连接到 API(例如http://example.com:7001/fv.annuity),但不幸的是不在 https - 我怀疑我的配置文件不完整,但由于我是新手,所以不是让我清楚我错过了什么。

4

0 回答 0