Before Docker, deploying a piece of software or a service meant worrying about compatibility across platforms and about conflicts with software already installed on the server. Docker has largely solved these problems: as long as the software provides a Docker image, a single command installs it and gets it running, with no concern for platform differences or conflicts with other software. Because Docker is lightweight, we can even run several services on one server at the same time; we only need to make sure the host ports mapped by each container do not conflict.

However, the default HTTP port is 80 and the default HTTPS port is 443. If we want users to reach the services running in different Docker containers on the same server through different domain names without typing a port number, we need an Nginx service on the host acting as a reverse proxy, routing each domain name to the corresponding service.

In addition, HTTPS requires a certificate for the domain name. The most popular free certificate authority is Let's Encrypt. Although its certificates are valid for only three months, the Certbot tool it provides can renew them automatically before they expire, so you do not need to worry about the certificate lapsing.

One of Docker's strengths is its rich ecosystem: not only images for all kinds of services, but also some interesting and useful tool images. nginx-proxy and acme-companion, used together, automatically reverse-proxy services running in containers and automatically issue certificates for them.

To demonstrate the procedure, I used a Tencent Cloud lightweight server. I chose it because its price-performance ratio is very high: for new users, a 1-core, 2 GB configuration costs only 99 yuan a year, which is a breath of fresh air in the hosting industry. It also provides a variety of preset images, including Docker, so it can be used right away.

Buying a server

First, we need to buy a Tencent Cloud lightweight server: click here to open the purchase page, select the required configuration, region and duration, select Docker CE 19.03.9 as the image, click Buy now, and after payment we have our first cloud server.

Because we need a reverse proxy and certificates, we must also register a domain name. At present, because of mainland policy, pointing a domain name at a server in the mainland requires an ICP filing (Tencent Cloud assists with the filing), which usually takes about 10 days. If you cannot wait, you can buy a Hong Kong node of the lightweight cloud instead; Hong Kong nodes do not require a filing. Please refer here for purchasing a Hong Kong server, buying a domain name and setting up DNS resolution.

After the purchase, go to the console; on the Lightweight Application Server page you can see our lightweight server running.

Click the "Login" button in the figure above and a black terminal dialog like the one below pops up. All the commands that follow are typed directly into this dialog; no third-party client needs to be installed.

The test environment

When we bought the server we chose the Docker CE image, so the server already has a Docker environment. Moreover, the Docker environment provided by the lightweight cloud has its image registry switched to Tencent Cloud's own mirror, so pulling images is fast.

In my test it took only about a minute to download and unpack an image of about 1 GB. Compared with pulling directly from the official Docker registry, the time saved is enough to travel around the world three times.


The Docker environment is fine, and the next step is to start and run the Nginx-Proxy and Acme-Companion containers.

Start the nginx proxy

The nginx-proxy container lets you configure a reverse proxy that exposes services in other containers to the public network through port 80 or 443. nginx-proxy monitors the startup of other containers; whenever a container carries the two environment variables VIRTUAL_HOST (the host name to serve) and VIRTUAL_PORT (the port the service listens on inside the container), nginx-proxy automatically adds the corresponding reverse proxy configuration for it.

First, start the nginx-proxy container. Before starting it, create the /data/nginx directory (you can change this to any directory you prefer). Once the directory exists, run the following command to start nginx-proxy:

```bash
sudo docker run --detach \
    --name nginx-proxy \
    --publish 80:80 \
    --publish 443:443 \
    --volume /data/nginx/certs:/etc/nginx/certs \
    --volume /data/nginx/vhost:/etc/nginx/vhost.d \
    --volume /data/nginx/html:/usr/share/nginx/html \
    --volume /var/run/docker.sock:/tmp/docker.sock:ro \
    nginxproxy/nginx-proxy
```

After startup, if you see the following message, IPv4 forwarding is disabled. It must be enabled first; otherwise the services in our Docker containers cannot be reached from the public network:

```
IPv4 forwarding is disabled. Networking will not work
```

To enable it, set net.ipv4.ip_forward = 1 in the **/etc/sysctl.conf** file and restart the network service with the following command:

```bash
systemctl restart network
```

Then delete the container with `sudo docker rm -f nginx-proxy` and run the docker run command above again.

Once the container starts successfully, you can see that it is working properly.

We can run a service to quickly check that nginx-proxy works as expected.

First, I pointed grafana.lixf.ink at the IP address of this server. If you have any questions about this step, please refer here.

Then run Grafana with the following command. The VIRTUAL_HOST and VIRTUAL_PORT environment variables tell nginx-proxy that the domain name to serve is grafana.lixf.ink and that the service listens on port 3000 inside the container:

```bash
sudo docker run --detach \
    --name grafana \
    --env "VIRTUAL_HOST=grafana.lixf.ink" \
    --env "VIRTUAL_PORT=3000" \
    grafana/grafana
```

After the container starts, Grafana can be reached by opening grafana.lixf.ink in a browser.

Start the acme-companion

The acme-companion container automatically issues certificates for domain names and automatically obtains new ones before the existing ones expire, so they never lapse. Like nginx-proxy, acme-companion monitors the startup of other containers; when it finds LETSENCRYPT_HOST (the domain name to issue a certificate for) and LETSENCRYPT_EMAIL (the contact mailbox) on a container, it issues the corresponding certificate for that domain name. After a certificate is issued, acme-companion automatically updates the nginx-proxy configuration so that HTTPS and the certificate take effect.

Note that nginx-proxy does not have to be reachable from the public network, whereas acme-companion must be. One reason is that the Let's Encrypt servers need to reach the domain name to verify ownership; the more immediate reason is that without public network access acme-companion cannot reach the Let's Encrypt servers at all, let alone issue certificates.
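To make the two mechanisms concrete, here is an added Python model (example code, not nginx-proxy's or acme-companion's own, which use docker-gen templates and acme.sh): it derives the proxied hosts and the certificate requests from container environment variables the way the text describes, and renders HTTPS only for hosts whose certificate already exists. The container names, IP addresses and the unproxied_cert_hosts sanity check are constructed for this example.

```python
# Added example, not the projects' own code: what nginx-proxy and acme-companion derive from env vars.
from dataclasses import dataclass, field

@dataclass
class Container:
    name: str
    ip: str                       # address on the Docker bridge network
    env: dict = field(default_factory=dict)

def vhosts(containers):
    """VIRTUAL_HOST -> (ip, port); containers without VIRTUAL_HOST are ignored,
    as nginx-proxy ignores them, and VIRTUAL_PORT defaults to 80."""
    return {c.env["VIRTUAL_HOST"]: (c.ip, int(c.env.get("VIRTUAL_PORT", "80")))
            for c in containers if c.env.get("VIRTUAL_HOST")}

def cert_hosts(containers):
    """Hosts acme-companion would request a certificate for."""
    return {c.env["LETSENCRYPT_HOST"] for c in containers if c.env.get("LETSENCRYPT_HOST")}

def unproxied_cert_hosts(containers):
    """LETSENCRYPT_HOST values with no matching VIRTUAL_HOST: a certificate is
    requested, but nginx-proxy has no vhost for that name to serve it from."""
    return cert_hosts(containers) - set(vhosts(containers))

def render(containers, issued):
    """One server block per host. `issued` holds hosts whose certificate already
    sits in /etc/nginx/certs; only those get 443 plus an HTTP redirect, the rest
    stay plain HTTP until acme-companion drops the certificate in."""
    blocks = []
    for host, (ip, port) in sorted(vhosts(containers).items()):
        upstream = f"location / {{ proxy_pass http://{ip}:{port}; }}"
        if host in issued:
            blocks.append(f"server {{ listen 80; server_name {host}; "
                          f"return 301 https://$host$request_uri; }}")
            blocks.append(f"server {{ listen 443 ssl; server_name {host}; "
                          f"ssl_certificate /etc/nginx/certs/{host}.crt; "
                          f"ssl_certificate_key /etc/nginx/certs/{host}.key; {upstream} }}")
        else:
            blocks.append(f"server {{ listen 80; server_name {host}; {upstream} }}")
    return "\n".join(blocks)

# Constructed sample: the two services from this tutorial plus the companion itself,
# which has no VIRTUAL_HOST and therefore must not be proxied.
SAMPLE = [
    Container("grafana", "172.17.0.3", {"VIRTUAL_HOST": "grafana.lixf.ink",
              "VIRTUAL_PORT": "3000", "LETSENCRYPT_HOST": "grafana.lixf.ink"}),
    Container("wordpress", "172.17.0.4", {"VIRTUAL_HOST": "blog.lixf.ink",
              "LETSENCRYPT_HOST": "blog.lixf.ink"}),
    Container("nginx-proxy-acme", "172.17.0.2", {"DEFAULT_EMAIL": "admin@example.com"}),
]
```

Calling render(SAMPLE, issued={"grafana.lixf.ink"}) shows the state right after the first certificate arrives: grafana.lixf.ink redirects to HTTPS while blog.lixf.ink is still served over plain HTTP.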

That was a long explanation, but in practice there is only the following command to run:

```bash
# DEFAULT_EMAIL is the contact address used for every certificate request;
# the address below is a placeholder, replace it with your own.
sudo docker run --detach \
    --name nginx-proxy-acme \
    --volumes-from nginx-proxy \
    --volume /var/run/docker.sock:/var/run/docker.sock:ro \
    --volume acme:/etc/acme.sh \
    --env "DEFAULT_EMAIL=admin@example.com" \
    nginxproxy/acme-companion
```

Running docker ps shows that both nginx-proxy and acme-companion are running.

We can run a service to quickly check that acme-companion works as expected. Here I start Grafana and WordPress at the same time:

```bash
# remove the Grafana container started in the previous test first,
# otherwise the container name conflicts and the run fails
docker rm -f grafana

docker run --detach \
    --name grafana \
    --env "VIRTUAL_HOST=grafana.lixf.ink" \
    --env "VIRTUAL_PORT=3000" \
    --env "LETSENCRYPT_HOST=grafana.lixf.ink" \
    grafana/grafana

docker run --detach \
    --name wordpress \
    --env "VIRTUAL_HOST=blog.lixf.ink" \
    --env "VIRTUAL_PORT=80" \
    --env "LETSENCRYPT_HOST=blog.lixf.ink" \
    wordpress
```

Then grafana.lixf.ink and blog.lixf.ink can be opened in the browser, and you can see that the address is already HTTPS.

Summary

This tutorial used a Tencent Cloud lightweight server, nginx-proxy and acme-companion to build an environment that automatically issues certificates for container services. From now on we only need to set the appropriate environment variables to get the secure padlock icon automatically. HTTPS is now mainstream: Google Chrome not only flags HTTP sites as insecure, but will also try HTTPS by default for domain names users type in. HTTPS also protects users' data through certificate signatures, preventing content from being tampered with or eavesdropped by intermediaries, and even preventing websites from being hijacked by carriers. Upgrading websites from HTTP to HTTPS is the trend in many respects. Besides good tools, choosing a good server also makes a difference: the Docker image of the Tencent Cloud lightweight server removes the step of installing Docker yourself, and the price is very competitive, 99 yuan a year for a server of your own. What are you waiting for?