Configuring an Nginx server in Docker

Work often calls for trying things out on a server, because seeing the effect first-hand is not the same as reading the theory. Docker makes it easy to set up the environment needed for such experiments. The notes below record how to set up an nginx server with Docker.

Downloading nginx

Pull the nginx image from the default central registry:
docker pull nginx
Start a container from the nginx image and open a shell inside it:
docker run -it nginx /bin/bash
To find out which package manager to use, check which Linux distribution the image is based on:
cat /proc/version

Linux version 4.14.92-boot2docker (root@2c85d808f0f3) (gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1)) #1 SMP Wed Jan 9 22:03:23 UTC 2019
This shows that the image is based on Debian by default, so the package manager is apt-get.

Installing common tools such as vim and curl
apt-get install vim
If the package cannot be installed, the prompt looks like this:

Reading package lists... Done
Building dependency tree       
Reading state information... Done
E: Unable to locate package vim

At this point you need to run apt-get update. This command synchronises the package index with the sources listed in /etc/apt/sources.list and /etc/apt/sources.list.d, so that the latest package lists are available.
Once the update has finished, run apt-get install vim again.

Setting the ll alias
vi ~/.bashrc
Add the following line:
alias ll='ls $LS_OPTIONS -l'

Docker port mapping, so the host machine can reach the container

docker run -p 8080:80 -it nginx /bin/bash
Open localhost:8080 on the host machine to see the nginx welcome page.
Note
On Windows the Docker VM's address is 192.168.99.100, so the address to open is http://192.168.99.100:8080

The reason: Docker runs on Linux. Running Docker on Windows actually means installing a Linux environment on Windows and running Docker inside that system. In other words, the localhost that the service refers to is the address of that Linux environment, not of our Windows host. Find the IP address of the Linux environment, which is normally 192.168.99.100 (the docker-machine ip default command shows it).

nginx configuration

Configuring gzip-compressed output in nginx

# enable gzip
gzip  on;
# smallest file that will be gzip-compressed
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.1;
# gzip compression level
gzip_comp_level 2;
# file types that are compressed
gzip_types text/plain application/x-javascript application/css  text/css application/xml text/javascript application/x-httpd-php;
gzip_vary on;

Nginx configuration for cross-domain access to static resources

location / {
    add_header Access-Control-Allow-Origin http://php.jesse.com;      # the only origin allowed
    add_header Access-Control-Allow-Methods GET,POST,PUT,DELETE,OPTIONS; # the only methods allowed
    root   /var/www/php;
    index  index.html index.htm;
}

Nginx configuration for hotlink protection of static resources (checking the Referer)

location ~ .*\.(jpg|gif|png)$ {
    valid_referers none  blocked php.jesse.com;
    if ($invalid_referer) {
        return 403;
    }
}

Nginx static resource cache settings

location ~ .*\.(php|htm|html)$ {
    add_header Cache-Control no-cache;
    add_header Pragma no-cache;
}
location ~ .*\.(css|js|swf)$ {
    add_header Cache-Control max-age=600;
}
location ~ .*\.(jpg|gif|png)$ {
    expires 3d;
}

Cache-Control and Expires serve the same purpose: they specify how long the current resource stays valid, which controls whether the browser serves the data directly from its cache or sends a new request to the server to fetch it. Cache-Control simply offers more options and finer-grained settings; if both are set, Cache-Control takes priority over Expires.

The Cache-Control header in the HTTP protocol
Its values may be public, private, no-cache, no-store, no-transform, must-revalidate, proxy-revalidate and max-age.
The directives have the following meanings:

  • public: the response may be stored by any cache.
  • private: all or part of the response is intended for a single user and must not be stored by a shared cache. This lets the server state that part of the response applies only to this user; for another user's request the response is not valid.
  • no-cache: tells the browser and caching servers that, whether or not the local copy has expired, they must check the validity of the copy with the origin server before using it.
  • no-store: neither the request nor the response may be stored in any cache.
  • max-age: the client will accept a response whose age is no greater than the specified time (in seconds).
  • must-revalidate: tells the browser and caching servers that the local copy may be used until it expires; once it has expired, its validity must be verified with the origin server.
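To make the precedence rules above concrete, here is a small POSIX shell function, added as an example and not part of the original post, that takes a Cache-Control value, the lifetime implied by Expires, and the age of a stored copy, and prints what a cache should do with that copy. The inputs at the end correspond to the three location blocks above; note that nginx's `expires 3d` emits both an Expires header and Cache-Control: max-age=259200, so both are passed. The function name and the decision labels are this example's own choices.

```shell
#!/bin/sh
# cache_decision CACHE_CONTROL EXPIRES_LIFETIME AGE
#   CACHE_CONTROL     value of the Cache-Control response header ("" if absent)
#   EXPIRES_LIFETIME  seconds of life implied by the Expires header (-1 if absent)
#   AGE               seconds the stored copy has already been held
# Prints what a cache should do with the stored copy:
#   no-store                never keep a copy at all
#   revalidate              check with the origin before every use (no-cache)
#   fresh                   serve the copy without contacting the origin
#   stale                   lifetime exceeded; revalidate before reuse
#   stale-must-revalidate   as stale, and serving the copy without a check is forbidden
cache_decision() {
    cc=$1
    expires=$2
    age=$3
    maxage=""
    nostore=0
    nocache=0
    mustreval=0

    # Split the header value on commas; each directive is a token such as "max-age=600".
    old_ifs=$IFS
    IFS=','
    for tok in $cc; do
        tok=$(printf '%s' "$tok" | tr -d ' \t')
        case $tok in
            no-store)        nostore=1 ;;
            no-cache)        nocache=1 ;;
            must-revalidate) mustreval=1 ;;
            max-age=*)       maxage=${tok#max-age=} ;;
        esac
    done
    IFS=$old_ifs

    if [ "$nostore" -eq 1 ]; then
        echo no-store
        return 0
    fi
    if [ "$nocache" -eq 1 ]; then
        echo revalidate
        return 0
    fi

    # max-age takes priority; Expires is only consulted when max-age is absent.
    if [ -n "$maxage" ]; then
        lifetime=$maxage
    else
        lifetime=$expires
    fi

    if [ "$lifetime" -ge 0 ] && [ "$age" -lt "$lifetime" ]; then
        echo fresh
    elif [ "$mustreval" -eq 1 ]; then
        echo stale-must-revalidate
    else
        echo stale
    fi
}

# The three location blocks above, as a cache sees them 600 s after the response arrived.
echo "html  (no-cache):     $(cache_decision 'no-cache' -1 600)"
echo "css   (max-age=600):  $(cache_decision 'max-age=600' -1 600)"
echo "image (expires 3d):   $(cache_decision 'max-age=259200' 259200 600)"
```

The html pages come back as revalidate on every request, the css copy is exactly at its limit and therefore stale, and the image is still fresh; passing `max-age=0` together with a long Expires lifetime shows that Cache-Control wins.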

Configuring SSL in Nginx and redirecting HTTP to HTTPS

The following is a simplified procedure for creating a self-signed certificate. You need to have openssl installed, and the steps are:

  • create a key;
  • create a signing request;
  • remove the password from the key;
  • sign the certificate with the key.

Generating a private key

Generate an RSA private key with the openssl tool:
openssl genrsa -des3 -out server.key 1024
Parameters: generate an RSA private key, encrypt it with the des3 algorithm, 1024-bit strength; server.key is the private key file name.

Generating a CSR (Certificate Signing Request)

openssl req -new -key server.key -out server.csr
Once the certificate signing request file has been generated, the certificate can be signed, and at this point there are two options.
The first is to send this CSR file to an authoritative CA, which verifies your identity and signs it. A certificate signed this way has been checked by an authority and is valid, so every client browser recognises your certificate, but this approach costs money.

The second is to act as your own CA and sign the certificate yourself, that is, to certify yourself. Obviously a certificate signed this way has not been verified by an authority and has no recognised validity, so when a client connects it will be shown as invalid or unsafe. This approach is free and is generally used for internal testing or internal use.

Removing the private key password

When the private key was created in the first step, a password had to be specified. This password has a side effect: every time nginx starts it asks for the password, which is obviously inconvenient. To remove the password from the private key, keep the encrypted copy as server.key.org and write an unencrypted key to server.key:
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key

Generate a self-signed certificate

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
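The four steps above combined into one non-interactive POSIX shell function, added as an example and not part of the original post. It assumes the openssl command is on the PATH; the function name make_selfsigned, the temporary key password, the -subj and -passin/-passout options used to avoid prompts, and the choice of a 2048-bit key instead of the 1024-bit key used above are this example's own. After signing, it verifies that the certificate is self-issued and that the unencrypted key matches the public key in the certificate.

```shell
#!/bin/sh
# make_selfsigned DIR CN
# Creates DIR/server.key (unencrypted), DIR/server.key.org (encrypted), DIR/server.csr
# and DIR/server.crt, following the steps of the tutorial. Returns 0 on success.
make_selfsigned() {
    dir=$1
    cn=$2
    pass="tmp-key-password"   # only protects the key during generation; removed in step 3
    mkdir -p "$dir" || return 1

    # 1. Encrypted RSA private key. 2048 bits rather than the 1024 used above:
    #    1024-bit RSA keys are no longer accepted by current browsers.
    openssl genrsa -des3 -passout "pass:$pass" -out "$dir/server.key" 2048 2>/dev/null || return 1

    # 2. Certificate signing request; -subj replaces the interactive questions.
    openssl req -new -key "$dir/server.key" -passin "pass:$pass" \
        -subj "/CN=$cn" -out "$dir/server.csr" 2>/dev/null || return 1

    # 3. Strip the password so nginx can start unattended; keep the encrypted copy.
    cp "$dir/server.key" "$dir/server.key.org" || return 1
    openssl rsa -in "$dir/server.key.org" -passin "pass:$pass" \
        -out "$dir/server.key" 2>/dev/null || return 1

    # 4. Sign the CSR with our own key: a self-signed certificate valid for 365 days.
    openssl x509 -req -days 365 -in "$dir/server.csr" -signkey "$dir/server.key" \
        -out "$dir/server.crt" 2>/dev/null || return 1

    # Check 1: issuer and subject are identical, i.e. the certificate signed itself.
    subj=$(openssl x509 -in "$dir/server.crt" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$dir/server.crt" -noout -issuer | sed 's/^issuer=//')
    [ "$subj" = "$iss" ] || return 1

    # Check 2: the public key inside the certificate is the one derived from server.key.
    k1=$(openssl rsa -in "$dir/server.key" -pubout 2>/dev/null | openssl sha256)
    k2=$(openssl x509 -in "$dir/server.crt" -pubkey -noout | openssl sha256)
    [ "$k1" = "$k2" ]
}

# key_is_encrypted FILE: true when the PEM file still carries a passphrase.
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}
```

Usage: source the file and run `make_selfsigned /etc/nginx/ssl php.jesse.com`; afterwards `key_is_encrypted /etc/nginx/ssl/server.key` must fail and `key_is_encrypted /etc/nginx/ssl/server.key.org` must succeed, which is exactly the state the nginx configuration below expects.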

Redirecting the original port 80 with a 301
server {
    listen 80;
    server_name php.jesse.com;
    return 301 https://php.jesse.com$request_uri;    # redirect to HTTPS
}

Out of habit, a user who wants to visit a site usually types only the domain name into the browser, without the http:// or https:// in front; the browser fills that in, and currently every browser fills in http:// by default. Webmasters therefore typically use a 301/302 redirect to send HTTP requests on to HTTPS, but that first exchange still travels over plain HTTP, where it can be hijacked or attacked by a third party. This is where HSTS (HTTP Strict Transport Security) is needed: once the browser has received the header over HTTPS, it upgrades later requests to HTTPS itself, without the plaintext hop.

Enabling SSL
server {
    # 'ssl on;' is obsolete (removed in nginx 1.25.1); 'ssl' on the listen line replaces it
    listen       443 ssl;
    server_name  php.jesse.com;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; # hsts
    root   /var/www/php;
    index  index.html index.htm;

    ssl_certificate      /etc/nginx/ssl/server.crt;
    ssl_certificate_key  /etc/nginx/ssl/server.key;

    ssl_session_timeout  5m;

    # only TLS 1.2 and 1.3: SSLv2, SSLv3, TLS 1.0 and TLS 1.1 are broken or deprecated
    ssl_protocols  TLSv1.2 TLSv1.3;
    # strong suites only (nginx's default); no RC4, export, LOW or MEDIUM grades
    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers   on;
}
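A server block like the one above is easy to get wrong by copying older snippets that still list SSLv2/SSLv3 and export-grade ciphers. The following POSIX shell check, added as an example and not part of the original post, scans an nginx server block for those settings, for the obsolete `ssl on;` directive and for a missing HSTS header, and prints the number of findings. The two sample configurations are constructed here: write_weak_config reproduces the kind of legacy block this check is meant to catch, and write_hardened_config matches the block above. The function names are this example's own; the nginx facts (`ssl` directive deprecated in 1.15.0 and removed in 1.25.1, TLS 1.0/1.1 deprecated by RFC 8996) are not.

```shell
#!/bin/sh
# audit_tls_config FILE
# Scans one nginx server block for TLS settings a reviewer should reject.
# Details go to stderr; the number of findings is printed on stdout (0 = clean).
audit_tls_config() {
    f=$1
    n=0
    # 1. Protocol versions with known breaks: SSLv2, SSLv3, TLS 1.0, TLS 1.1.
    if grep -E '^[[:space:]]*ssl_protocols' "$f" | grep -Eq 'SSLv2|SSLv3|TLSv1[[:space:];]|TLSv1\.1[[:space:];]'; then
        echo "ssl_protocols: SSLv2/SSLv3/TLS1.0/TLS1.1 enabled; use 'ssl_protocols TLSv1.2 TLSv1.3;'" >&2
        n=$((n + 1))
    fi
    # 2. Cipher lists that admit RC4, export, LOW or MEDIUM grade suites.
    if grep -E '^[[:space:]]*ssl_ciphers' "$f" | grep -Eq 'RC4|LOW|EXP|MEDIUM|SSLv2'; then
        echo "ssl_ciphers: weak suites present; use e.g. 'HIGH:!aNULL:!MD5'" >&2
        n=$((n + 1))
    fi
    # 3. 'ssl on;' was deprecated in nginx 1.15.0 and removed in 1.25.1.
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$f"; then
        echo "ssl on: obsolete directive; use 'listen 443 ssl;' instead" >&2
        n=$((n + 1))
    fi
    # 4. An HTTPS site that is reached via an HTTP redirect should also send HSTS.
    if ! grep -q 'Strict-Transport-Security' "$f"; then
        echo "no Strict-Transport-Security header" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# Constructed sample: a legacy block of the kind often copied from old tutorials.
write_weak_config() {
    cat > "$1" <<'EOF'
server {
    listen       443;
    server_name  php.jesse.com;
    ssl                  on;
    ssl_certificate      /etc/nginx/ssl/server.crt;
    ssl_certificate_key  /etc/nginx/ssl/server.key;
    ssl_protocols  SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers   on;
}
EOF
}

# Constructed sample: the hardened block used in this tutorial.
write_hardened_config() {
    cat > "$1" <<'EOF'
server {
    listen       443 ssl;
    server_name  php.jesse.com;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    ssl_certificate      /etc/nginx/ssl/server.crt;
    ssl_certificate_key  /etc/nginx/ssl/server.key;
    ssl_protocols  TLSv1.2 TLSv1.3;
    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers   on;
}
EOF
}
```

Usage: `audit_tls_config /etc/nginx/conf.d/php.jesse.com.conf`; a non-zero count means the block should not go live. Run it on the weak sample and all four checks fire; on the hardened sample none do.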

Building the mynginx image

We have done a lot of work inside the container beyond what the nginx image provides, and the necessary add-ons have been installed. To reuse this work next time instead of starting again from the original container, we can turn the container as it now stands into an image:
docker commit -a "username" -m "this is mynginx" <container id> mynginx

Origin: www.cnblogs.com/jesse131/p/11529918.html