https://gist.github.com/arikfr/64c9ff8d2f2b703d4e44fe9e45a7730e
- make directory
|
1 2 |
sudo su - mkdir -p /opt/redash/nginx/certs && mkdir -p /opt/redash/nginx/certs-data |
- /opt/redash/nginx/nginx.conf
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 |
upstream redash { server redash:5000; } server { listen 80; listen [::]:80; server_name redash.adachin.me; location ^~ /ping { proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; proxy_pass http://redash; } location / { rewrite ^ https://$host$request_uri? permanent; } location ^~ /.well-known { allow all; root /data/letsencrypt/; } } |
- /opt/redash/docker-compose.yml
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
nginx: image: nginx:latest ports: - "80:80" - "443:443" #追加 depends_on: - server links: - server:redash volumes: #追加 - /opt/redash/nginx/nginx.conf:/etc/nginx/conf.d/default.conf #追加 - /opt/redash/nginx/certs:/etc/letsencrypt #追加 - /opt/redash/nginx/certs-data:/data/letsencrypt #追加 restart: always |
- down
|
1 |
docker-compose down |
- make cert
|
1 2 3 4 5 6 7 |
docker run -it --rm \ -v /opt/redash/nginx/certs:/etc/letsencrypt \ -v /opt/redash/nginx/certs-data:/data/letsencrypt \ deliverous/certbot \ certonly \ --webroot --webroot-path=/data/letsencrypt \ -d redash.adachin.me #変更 |
- /opt/redash/nginx/nginx.conf
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 |
upstream redash { server redash:5000; } server { listen 80; listen [::]:80; server_name redash.adachin.me; location ^~ /ping { proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://redash; } location / { rewrite ^ https://$host$request_uri? permanent; } location ^~ /.well-known { allow all; root /data/letsencrypt/; } } server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name redash.adachin.me; add_header Strict-Transport-Security "max-age=31536000" always; ssl_session_cache shared:SSL:20m; ssl_session_timeout 10m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;"; ssl_stapling on; ssl_stapling_verify on; resolver 8.8.8.8 8.8.4.4; ssl_certificate /etc/letsencrypt/live/redash.adachin.me/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/redash.adachin.me/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/redash.adachin.me/chain.pem; access_log /dev/stdout; error_log /dev/stderr info; # other configs location / { auth_basic "Basic Authentication"; auth_basic_user_file /etc/nginx/conf.d/.htpasswd; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; proxy_pass http://redash; } } |
- add digest
|
1 2 3 4 5 6 7 8 |
apt install apache2-utils cd /opt/redash/nginx htpasswd -c .htpasswd adachindayo docker-compose down docker-compose up -d |
- reload nginx
|
1 |
docker-compose restart nginx |
- update cert
|
1 2 3 |
docker run -t --rm -v /opt/redash/nginx/certs:/etc/letsencrypt -v /opt/redash/nginx/certs-data:/data/letsencrypt deliverous/certbot renew --webroot --webroot-path=/data/letsencrypt docker-compose restart nginx |
- update cert shellscripts
|
1 2 3 4 5 6 7 8 9 |
# cat update-ssl.sh #/bin/bash cd /opt/redash && docker run -t --rm -v /opt/redash/nginx/certs:/etc/letsencrypt -v /opt/redash/nginx/certs-data:/data/letsencrypt deliverous/certbot renew --webroot --webroot-path=/data/letsencrypt docker-compose restart nginx # crontab -l 0 5 * * * /home/hoge/update-ssl.sh |
Was this helpful?
0 / 0
1989年生まれのFindy/SRE。ホスティングから大規模なアドテクなどのインフラエンジニアとして携わる。現在はサービスの信頼性向上、DevOps、可用性、レイテンシ、パフォーマンス、モニタリング、オブザーバビリティ、緊急対応、AWSでのインフラ構築、Docker開発環境の提供、IaC、新技術の検証、リファクタリング、セキュリティ強化、分析基盤の運用などを担当している。個人事業主では数社サーバー保守とベンチャー企業のインフラコンサルティングを行うほか、TechBull創業と未経験者にSREのコーチング、コミュニティ運営、Members 会員管理システムの開発をリードしている。過去には脆弱性スキャナVulsのOSS活動にも貢献。