docker反向代理与自动续签证书

玩具机器一直没有证书，本文添加与记录一下。

nginx + acme 的docker-compose文件

version: '2.1'
services:
  nginxi-certs:
    image: nginxproxy/acme-companion
    container_name: 'nginx-certs'
    volumes_from:
      - 'nginx'
    volumes:
      - '/var/run/docker.sock:/var/run/docker.sock:ro'
    environment:
      DEFAULT_EMAIL: 'me@bigbrotherlee.com'
  nginx:
    image: nginxproxy/nginx-proxy
    container_name: 'nginx'
    volumes:
      - 'certs:/etc/nginx/certs'
      - 'vhost:/etc/nginx/vhost.d'
      -  'html:/usr/share/nginx/html'
      - 'nginx_data:/etc/nginx/'
      - '/var/run/docker.sock:/tmp/docker.sock:ro'
    ports:
      - '80:80'
      - '443:443'
      - '3306:3306'
      - '6379:6379'
    networks:
      public :
networks:
  public:
    external: true
volumes:
  certs:
    external: true
  html:
    external: true
  vhost:
    external: true
  nginx_data:
    external: true

服务

• portainer：

  version: '2.1'
  services:
  portainer:
    image: portainer/portainer-ce
    container_name: 'portainer'
    environment:
      VIRTUAL_HOST: 'server.bigbrotherlee.com'
      LETSENCRYPT_HOST: 'server.bigbrotherlee.com'
      VIRTUAL_PORT: 9000
    volumes:
      - '/var/run/docker.sock:/var/run/docker.sock'
      - 'portainer_data:/data'
    networks:
      public :
  networks:
  public:
    external: true
  volumes:
  portainer_data:
    external: true

• showdoc

  version: '2.1'
  services:
  showdoc:
    image: star7th/showdoc
    mem_limit: 2048m
    container_name: 'showdoc'
    environment:
      VIRTUAL_HOST: 'doc.bigbrotherlee.com'
      LETSENCRYPT_HOST: 'doc.bigbrotherlee.com'
      VIRTUAL_PORT: 80
    networks:
      public :
  networks:
  public:
    external: true

• tasks

  version: '2.1'
  services:
  task:
    image: whyour/qinglong:latest
    container_name: 'qinglong'
    environment:
      VIRTUAL_HOST: 'task.bigbrotherlee.com'
      LETSENCRYPT_HOST: 'task.bigbrotherlee.com'
      VIRTUAL_PORT: 5700
    networks:
      public :
  networks:
  public:
    external: true

• drive

  version: '2.1'
  services:
  alist:
    image: xhofe/alist:latest
    container_name: 'alist'
    volumes:
      - 'alist_data:/opt/alist/data'
    environment:
      VIRTUAL_HOST: 'drive.liganma.com,drive.bigbrotherlee.com'
      LETSENCRYPT_HOST: 'drive.liganma.com,drive.bigbrotherlee.com'
      VIRTUAL_PORT: 5244
    networks:
      public :
  volumes:
  alist_data:
    external: true
  networks:
  public:
    external: true

另外

mysql与redis也走代理，在nginx.conf添加

stream {
  server {
    listen 6379;
    proxy_pass redis:6379;
  }
  server {
    listen 3306;
    proxy_pass mysql:3306;
  }
}

总结

核心是这个监听了docker状态，使得nginx可以与容器交互，这样就使得nginx可以自动代理添加了特定环境变量的容器。
另外，整个服务就只有nginx对外暴露了端口，使得整个服务都在nginx代理的控制之下。可惜了我在showdoc保存的文档了，全没了，建volume真的是一个很好的习惯。