[Ubuntu][docker]RedashをLetsEncryptでHTTPS化


https://gist.github.com/arikfr/64c9ff8d2f2b703d4e44fe9e45a7730e

[Ubuntu][docker][v8.0.0]Redash構築手順

  • create directories
# become root; everything below is created under /opt/redash
sudo su -
# certs      -> mounted as certbot's /etc/letsencrypt (keys and certificates)
# certs-data -> mounted as /data/letsencrypt, the ACME webroot nginx serves at /.well-known
mkdir -p /opt/redash/nginx/certs /opt/redash/nginx/certs-data
  • /opt/redash/nginx/nginx.conf
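upstream redash {
    # the "server" compose service, reachable as "redash" through the compose link
    server redash:5000;
}

# HTTP-only bootstrap config: serves the ACME HTTP-01 challenge so the first
# certificate can be issued, and redirects everything else to HTTPS.
server {
    listen      80;
    listen [::]:80;
    server_name redash.adachin.me;

    location ^~ /ping {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # pass the scheme nginx actually received the request on, not the
        # client-supplied X-Forwarded-Proto header (any client can set that to "https");
        # this matches the later version of this file
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass       http://redash;
    }

    location / {
        # redirect to the configured server name rather than $host, so a forged
        # Host header cannot steer the redirect to another site ($request_uri
        # already carries the query string)
        return 301 https://$server_name$request_uri;
    }

    # certbot --webroot writes challenge files below /data/letsencrypt/.well-known/
    location ^~ /.well-known {
        allow all;
        root  /data/letsencrypt/;
    }
}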
  • /opt/redash/docker-compose.yml
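nginx:
  image: nginx:latest
  ports:
    - "80:80"
    - "443:443"  # added
  depends_on:
    - server
  links:
    - server:redash
  volumes:  # added
    - /opt/redash/nginx/nginx.conf:/etc/nginx/conf.d/default.conf  # added
    # certbot's /etc/letsencrypt: nginx reads live/<domain>/{fullchain,privkey,chain}.pem from here
    - /opt/redash/nginx/certs:/etc/letsencrypt  # added
    # ACME webroot: written by certbot, served by nginx at /.well-known
    - /opt/redash/nginx/certs-data:/data/letsencrypt  # added
    # basic-auth user file referenced by auth_basic_user_file in nginx.conf.
    # Create it with htpasswd BEFORE "docker-compose up": a missing host file
    # is bind-mounted as a new empty directory, and nginx then fails to read it.
    - /opt/redash/nginx/.htpasswd:/etc/nginx/conf.d/.htpasswd:ro
  restart: always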
  • down
# stop and remove the running containers so the new ports/volumes in
# docker-compose.yml are applied by the next "docker-compose up"
docker-compose down
  • issue the certificate
# Issue the first certificate with certbot in webroot mode. The challenge file is
# written below /data/letsencrypt (= /opt/redash/nginx/certs-data), which nginx serves
# at /.well-known on port 80 — so nginx must be running and reachable on port 80
# while this runs. NOTE(review): the stack was brought down in the previous step;
# start it ("docker-compose up -d") first if it is not running — confirm against your flow.
# Result: /opt/redash/nginx/certs/live/redash.adachin.me/{fullchain,privkey,chain}.pem
docker run -it --rm \
   -v /opt/redash/nginx/certs-data:/data/letsencrypt \
   -v /opt/redash/nginx/certs:/etc/letsencrypt \
   deliverous/certbot certonly \
   --webroot --webroot-path=/data/letsencrypt \
   -d redash.adachin.me   # changed: your own domain
  • /opt/redash/nginx/nginx.conf
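upstream redash {
    # the "server" compose service, reachable as "redash" through the compose link
    server redash:5000;
}

# Port 80: ACME challenge for renewals plus redirect to HTTPS.
server {
    listen      80;
    listen [::]:80;
    server_name redash.adachin.me;

    location ^~ /ping {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # the scheme nginx received on, not the client-controlled X-Forwarded-Proto header
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass       http://redash;
    }

    location / {
        # redirect to the configured server name rather than $host, so a forged
        # Host header cannot steer the redirect elsewhere ($request_uri already
        # includes the query string)
        return 301 https://$server_name$request_uri;
    }

    # certbot --webroot writes challenge files below /data/letsencrypt/.well-known/
    location ^~ /.well-known {
        allow all;
        root  /data/letsencrypt/;
    }
}

# Port 443: TLS termination, basic auth, proxy to Redash.
server {
    listen      443 ssl http2;
    listen [::]:443 ssl http2;
    server_name redash.adachin.me;

    # HSTS for one year; "always" adds it on error responses too. add_header is
    # inherited by "location /" below only because that block declares no
    # add_header of its own — keep it that way or repeat the header there.
    add_header Strict-Transport-Security "max-age=31536000" always;

    ssl_session_cache   shared:SSL:20m;
    ssl_session_timeout 10m;

    # TLS 1.0/1.1 are deprecated (RFC 8996) and no longer enabled in current browsers.
    # nginx accepts the TLSv1.3 token since 1.13; it is used when the image's OpenSSL supports it.
    ssl_protocols             TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # stray ';' that was inside the quoted cipher string removed (OpenSSL separates on ':')
    ssl_ciphers               "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5";

    # OCSP stapling: the resolver is used to fetch OCSP responses, chain.pem (below) to verify them
    ssl_stapling        on;
    ssl_stapling_verify on;
    resolver            8.8.8.8 8.8.4.4;

    # container paths: /etc/letsencrypt is the /opt/redash/nginx/certs bind mount
    ssl_certificate         /etc/letsencrypt/live/redash.adachin.me/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/redash.adachin.me/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/redash.adachin.me/chain.pem;

    access_log /dev/stdout;
    error_log  /dev/stderr info;

    # other configs

    location / {
        # basic auth in front of Redash. The user file is read inside the container,
        # so it must be bind-mounted there (the compose snippet above mounts only
        # nginx.conf and the two certificate directories).
        auth_basic           "Basic Authentication";
        auth_basic_user_file /etc/nginx/conf.d/.htpasswd;

        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # $scheme is "https" here; the original forwarded the client-supplied
        # X-Forwarded-Proto header, inconsistent with the /ping location above
        # and spoofable by any client
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass http://redash;
    }
}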
  • add basic auth credentials (htpasswd)
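# htpasswd comes from apache2-utils
apt install apache2-utils

# Create the basic-auth user file next to nginx.conf. "-c" creates (and overwrites)
# the file, so drop it when adding further users. The default hash is apr1 (MD5-based);
# "-B" selects bcrypt if the nginx image's libcrypt supports it — verify before relying on it.
# "&&" so that a failed cd does not create .htpasswd in an unrelated directory.
cd /opt/redash/nginx && htpasswd -c .htpasswd adachindayo

# NOTE(review): nginx reads /etc/nginx/conf.d/.htpasswd inside the container; the file
# must be bind-mounted in docker-compose.yml (the compose snippet above mounts only
# nginx.conf and the certificate directories).

# recreate the stack; docker-compose finds docker-compose.yml in the parent directory
docker-compose down
docker-compose up -d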
  • restart nginx
# restart only the nginx container (picks up nginx.conf / certificate changes; the other services keep running)
docker-compose restart nginx
  • renew the certificate
# Renewal: by default certbot only replaces certificates that are close to expiry.
# The HTTP-01 challenge is served by the running nginx (port 80, /.well-known),
# so nothing needs to be stopped for this.
docker run -t --rm \
  -v /opt/redash/nginx/certs-data:/data/letsencrypt \
  -v /opt/redash/nginx/certs:/etc/letsencrypt \
  deliverous/certbot renew --webroot --webroot-path=/data/letsencrypt

# nginx reads the certificate files only at (re)start, so restart it after renewing
docker-compose restart nginx
  • certificate renewal shell script and cron entry
# cat update-ssl.sh
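#!/bin/bash
# update-ssl.sh: renew the Let's Encrypt certificate (certbot webroot mode; the
# challenge is served by the running nginx from /data/letsencrypt) and restart nginx
# so it loads the renewed files. Runs from cron with access to Docker.
#
# Fixes vs. the original: the first line was "#/bin/bash" — a plain comment, not a
# shebang — so cron's shell (typically /bin/sh) interpreted the script; and a failed
# renewal no longer falls through to a pointless nginx restart but exits non-zero,
# so cron reports it.
set -euo pipefail

cd /opt/redash

docker run -t --rm \
  -v /opt/redash/nginx/certs:/etc/letsencrypt \
  -v /opt/redash/nginx/certs-data:/data/letsencrypt \
  deliverous/certbot renew --webroot --webroot-path=/data/letsencrypt

# nginx only reads certificate files at startup. As in the original this restarts
# nginx on every run, even when nothing was renewed (brief daily downtime).
docker-compose restart nginx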

# crontab -l
# daily at 05:00, in the crontab of a user allowed to run docker (the script cd's to
# /opt/redash). cron's default PATH is minimal: if docker/docker-compose are not found,
# add a PATH= line above this entry or use absolute paths in the script. The script
# also needs the execute bit (chmod +x).
0 5 * * * /home/hoge/update-ssl.sh
