https://gist.github.com/arikfr/64c9ff8d2f2b703d4e44fe9e45a7730e
- make directory
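# Create the host directories that are bind-mounted into the nginx and
# certbot containers (see docker-compose.yml below):
#   certs/      -> /etc/letsencrypt  (certificates and the private key)
#   certs-data/ -> /data/letsencrypt (ACME http-01 challenge webroot)
# One mkdir under sudo instead of opening an interactive root shell first.
sudo mkdir -p /opt/redash/nginx/certs /opt/redash/nginx/certs-data
# certs/ will end up holding privkey.pem; keep the tree root-only on the host.
sudo chmod 700 /opt/redash/nginx/certs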
- /opt/redash/nginx/nginx.conf
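# Reverse proxy in front of the Redash "server" container (port 5000).
upstream redash {
    server redash:5000;
}

# Plain-HTTP listener: serves the health check and the ACME challenge,
# redirects everything else to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name redash.adachin.me;

    # Health check stays on HTTP and bypasses the redirect.
    location ^~ /ping {
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Report the scheme nginx actually received on; the original forwarded
        # the client-supplied X-Forwarded-Proto header unchanged.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://redash;
    }

    # ACME http-01 challenge webroot (certbot --webroot-path=/data/letsencrypt).
    # Scoped to acme-challenge/ rather than exposing all of /.well-known/.
    location ^~ /.well-known/acme-challenge/ {
        allow all;
        root /data/letsencrypt/;
    }

    # Redirect with the configured server_name rather than the client-supplied
    # Host header, so a forged Host cannot turn this into an open redirect.
    location / {
        return 301 https://$server_name$request_uri;
    }
}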
- /opt/redash/docker-compose.yml
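# nginx service added in front of the stock Redash compose file ("#追加" in the
# original marked the added lines).
nginx:
  # Pin a specific version in production rather than :latest, so an image
  # update cannot silently change TLS or config behaviour.
  image: nginx:latest
  ports:
    - "80:80"
    - "443:443"
  depends_on:
    - server
  # Legacy link; gives the container the "redash" hostname used in nginx.conf.
  links:
    - server:redash
  volumes:
    - /opt/redash/nginx/nginx.conf:/etc/nginx/conf.d/default.conf:ro
    # Basic-auth user file referenced by auth_basic_user_file in nginx.conf.
    # Create it with htpasswd before `up`, otherwise Docker creates a
    # directory at this path and nginx fails to open the file.
    - /opt/redash/nginx/.htpasswd:/etc/nginx/conf.d/.htpasswd:ro
    # nginx only reads certificates and challenge files; certbot writes them
    # from its own container, so mount both read-only here.
    - /opt/redash/nginx/certs:/etc/letsencrypt:ro
    - /opt/redash/nginx/certs-data:/data/letsencrypt:ro
  restart: always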
- down
# Stop and remove the stack so the volume changes in the nginx service above
# are applied on the next `docker-compose up`.
docker-compose down
- make cert
# Issue the certificate with certbot's webroot plugin. The challenge files are
# written to /data/letsencrypt, which nginx serves on port 80 under
# /.well-known/, so the nginx container must be up when this runs.
# deliverous/certbot is a community image pulled as :latest; pin a tag or
# digest (or use the official certbot/certbot image) before relying on it.
docker run -it --rm \
  -v /opt/redash/nginx/certs:/etc/letsencrypt \
  -v /opt/redash/nginx/certs-data:/data/letsencrypt \
  deliverous/certbot \
  certonly \
  --webroot --webroot-path=/data/letsencrypt \
  -d redash.adachin.me
- /opt/redash/nginx/nginx.conf
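# Reverse proxy in front of the Redash "server" container (port 5000).
upstream redash {
    server redash:5000;
}

# Port 80: health check, ACME challenge, redirect to HTTPS for everything else.
server {
    listen 80;
    listen [::]:80;
    server_name redash.adachin.me;

    # Health check stays on plain HTTP and is not behind basic auth.
    location ^~ /ping {
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://redash;
    }

    # ACME http-01 webroot (certbot --webroot-path=/data/letsencrypt); scoped
    # to acme-challenge/ instead of all of /.well-known/.
    location ^~ /.well-known/acme-challenge/ {
        allow all;
        root /data/letsencrypt/;
    }

    # Redirect with the configured name, not the client-supplied Host header,
    # so a forged Host cannot turn this into an open redirect.
    location / {
        return 301 https://$server_name$request_uri;
    }
}

# Port 443: TLS termination plus basic auth in front of Redash.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name redash.adachin.me;

    # HSTS for one year; "always" sends it on error responses too.
    add_header Strict-Transport-Security "max-age=31536000" always;

    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 10m;

    # TLS 1.0/1.1 are deprecated (RFC 8996); the original still allowed them.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # ECDHE-only AES suites. The original string ended in a stray ";" inside
    # the quotes, which was handed to OpenSSL as part of the last token.
    ssl_ciphers "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5";

    # OCSP stapling; the resolver is used to fetch the OCSP response
    # (plaintext DNS to Google — use a local resolver if that matters).
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4;

    ssl_certificate         /etc/letsencrypt/live/redash.adachin.me/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/redash.adachin.me/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/redash.adachin.me/chain.pem;

    # Log to the container's stdout/stderr (visible via `docker logs`).
    access_log /dev/stdout;
    error_log  /dev/stderr info;

    # other configs

    location / {
        # Basic auth as an extra gate in front of Redash's own login. The user
        # file has to be bind-mounted into the container at this path.
        auth_basic "Basic Authentication";
        auth_basic_user_file /etc/nginx/conf.d/.htpasswd;

        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # $scheme is "https" in this server block; the original passed the
        # client-controlled X-Forwarded-Proto header through instead.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://redash;
    }
}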
- add basic auth (htpasswd)
# Create the basic-auth user file that nginx.conf references as
# /etc/nginx/conf.d/.htpasswd; it must be bind-mounted into the container
# (the compose snippet above mounts only nginx.conf as shown).
apt install apache2-utils
cd /opt/redash/nginx
# -c creates (and overwrites!) the file; drop it when adding more users.
# The password is prompted for, so it does not land in shell history.
# NOTE(review): htpasswd's default hash is apr1/MD5; check whether the
# container's libc crypt() accepts a stronger scheme before switching.
htpasswd -c .htpasswd adachindayo
# Recreate the stack so the new file/mount is picked up.
docker-compose down
docker-compose up -d
- reload nginx
# Restart the nginx container so it re-reads nginx.conf and the certificate
# files. (A graceful alternative is `docker-compose exec nginx nginx -s reload`.)
docker-compose restart nginx
- update cert
# Manual renewal: certbot only re-issues when the certificate is close to
# expiry, then nginx is restarted to load the new files from live/.
# Note the restart here runs even if certbot failed; the cron script below
# is the place to make it conditional.
docker run -t --rm \
  -v /opt/redash/nginx/certs:/etc/letsencrypt \
  -v /opt/redash/nginx/certs-data:/data/letsencrypt \
  deliverous/certbot renew --webroot --webroot-path=/data/letsencrypt
docker-compose restart nginx
- update cert shell script + cron entry
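# cat update-ssl.sh
#!/bin/bash
# Renew the Let's Encrypt certificate with certbot's webroot plugin and
# restart nginx only when the certificate files actually changed.
# Runs from root's crontab (see below). The original had "#/bin/bash"
# (no "!"), so cron executed it with /bin/sh instead of bash.
set -euo pipefail

# cron's default PATH is /usr/bin:/bin; docker-compose is often installed
# under /usr/local/bin.
export PATH=/usr/local/bin:/usr/bin:/bin

cd /opt/redash

cert=/opt/redash/nginx/certs/live/redash.adachin.me/fullchain.pem
# live/ holds symlinks; -L stats the target so a renewal changes the mtime.
before=$(stat -L -c %Y "$cert")

# certbot exits non-zero on failure; with set -e the script stops here and
# nginx keeps serving the current certificate instead of being restarted.
docker run -t --rm \
  -v /opt/redash/nginx/certs:/etc/letsencrypt \
  -v /opt/redash/nginx/certs-data:/data/letsencrypt \
  deliverous/certbot renew --webroot --webroot-path=/data/letsencrypt

after=$(stat -L -c %Y "$cert")

# Avoid a daily restart (and the connection drop it causes) when certbot
# decided nothing was due for renewal.
if [[ "$before" != "$after" ]]; then
  docker-compose restart nginx
fi

# crontab -l
0 5 * * * /home/hoge/update-ssl.sh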