[Ubuntu][docker]RedashをLetsEncryptでHTTPS化

https://gist.github.com/arikfr/64c9ff8d2f2b703d4e44fe9e45a7730e

make directory

1 2	sudo su - mkdir -p /opt/redash/nginx/certs && mkdir -p /opt/redash/nginx/certs-data

/opt/redash/nginx/nginx.conf

upstream redash {

server redash:5000;

}

server {

listen 80;

listen [::]:80;

server_name redash.adachin.me;

location ^~ /ping {

proxy_set_header Host $http_host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;

proxy_pass http://redash;

}

location / {

rewrite ^ https://$host$request_uri? permanent;

}

location ^~ /.well-known {

allow all;

root /data/letsencrypt/;

}

/opt/redash/docker-compose.yml

nginx:

image: nginx:latest

ports:

- "80:80"

- "443:443" #追加

depends_on:

- server

links:

- server:redash

volumes: #追加

- /opt/redash/nginx/nginx.conf:/etc/nginx/conf.d/default.conf #追加

- /opt/redash/nginx/certs:/etc/letsencrypt #追加

- /opt/redash/nginx/certs-data:/data/letsencrypt #追加

restart: always

down

1	docker-compose down

make cert

docker run -it --rm \

-v /opt/redash/nginx/certs:/etc/letsencrypt \

-v /opt/redash/nginx/certs-data:/data/letsencrypt \

deliverous/certbot \

certonly \

--webroot --webroot-path=/data/letsencrypt \

-d redash.adachin.me #変更

/opt/redash/nginx/nginx.conf

upstream redash {

server redash:5000;

}

server {

listen 80;

listen [::]:80;

server_name redash.adachin.me;

location ^~ /ping {

proxy_set_header Host $http_host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Forwarded-Proto $scheme;

proxy_pass http://redash;

}

location / {

rewrite ^ https://$host$request_uri? permanent;

}

location ^~ /.well-known {

allow all;

root /data/letsencrypt/;

}

server {

listen 443 ssl http2;

listen [::]:443 ssl http2;

server_name redash.adachin.me;

add_header Strict-Transport-Security "max-age=31536000" always;

ssl_session_cache shared:SSL:20m;

ssl_session_timeout 10m;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_prefer_server_ciphers on;

ssl_ciphers "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;";

ssl_stapling on;

ssl_stapling_verify on;

resolver 8.8.8.8 8.8.4.4;

ssl_certificate /etc/letsencrypt/live/redash.adachin.me/fullchain.pem;

ssl_certificate_key /etc/letsencrypt/live/redash.adachin.me/privkey.pem;

ssl_trusted_certificate /etc/letsencrypt/live/redash.adachin.me/chain.pem;

access_log /dev/stdout;

error_log /dev/stderr info;

# other configs

location / {

auth_basic "Basic Authentication";

auth_basic_user_file /etc/nginx/conf.d/.htpasswd;

proxy_set_header Host $http_host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;

proxy_pass http://redash;

}

add digest

apt install apache2-utils

cd /opt/redash/nginx

htpasswd -c .htpasswd adachindayo

docker-compose down

docker-compose up -d

reload nginx

1	docker-compose restart nginx

update cert

docker run -t --rm -v /opt/redash/nginx/certs:/etc/letsencrypt -v /opt/redash/nginx/certs-data:/data/letsencrypt deliverous/certbot renew --webroot --webroot-path=/data/letsencrypt

docker-compose restart nginx

update cert shellscripts

# cat update-ssl.sh

#/bin/bash

cd /opt/redash && docker run -t --rm -v /opt/redash/nginx/certs:/etc/letsencrypt -v /opt/redash/nginx/certs-data:/data/letsencrypt deliverous/certbot renew --webroot --webroot-path=/data/letsencrypt

docker-compose restart nginx

# crontab -l

0 5 * * * /home/hoge/update-ssl.sh

Was this helpful?

0 / 0

adachin

1989年生まれのFindy/SRE。ホスティングから大規模なアドテクなどのインフラエンジニアとして携わる。現在はサービスの信頼性向上、DevOps、可用性、レイテンシ、パフォーマンス、モニタリング、オブザーバビリティ、緊急対応、AWSでのインフラ構築、Docker開発環境の提供、IaC、新技術の検証、リファクタリング、セキュリティ強化、分析基盤の運用などを担当している。個人事業主では数社サーバー保守とベンチャー企業のインフラコンサルティングを行うほか、TechBullで未経験者にSREのコーチング、コミュニティ運営、Members 会員管理システムの開発をリードしている。過去には脆弱性スキャナVulsのOSS活動にも貢献。

[Ubuntu][docker]RedashをLetsEncryptでHTTPS化

いいね:

関連

コメントを残すコメントをキャンセル