質問編集履歴
10
https を待ち受けているバーチャルサーバーの設定を追記
@@ -1,5 +1,3 @@
|
|
1
|
-
# やりたいこと
|
2
|
-
|
3
1
|
ホストOS:WindowsServer2016
|
4
2
|
|
5
3
|
ゲストOS:CentOS7(VirtualBox)
|
@@ -328,130 +326,6 @@
|
|
328
326
|
|
329
327
|
|
330
328
|
|
331
|
-
```
|
332
|
-
|
333
|
-
$ docker network list
|
334
|
-
|
335
|
-
NETWORK ID NAME DRIVER SCOPE
|
336
|
-
|
337
|
-
d9e59ffd2d93 bridge bridge local
|
338
|
-
|
339
|
-
fd9e53c427b4 host host local
|
340
|
-
|
341
|
-
ff3ac73490ce none null local
|
342
|
-
|
343
|
-
dd1e87624732 shared bridge local
|
344
|
-
|
345
|
-
```
|
346
|
-
|
347
|
-
|
348
|
-
|
349
|
-
## 追記
|
350
|
-
|
351
|
-
`docker-compose up`したところ以下のようなエラーが出ていました。
|
352
|
-
|
353
|
-
```
|
354
|
-
|
355
|
-
letsencrypt | Error: can't get docker-gen container id !
|
356
|
-
|
357
|
-
letsencrypt | If you are running a three containers setup, check that you are doing one of the following :
|
358
|
-
|
359
|
-
proxy exited with code 0
|
360
|
-
|
361
|
-
letsencrypt | - Set the NGINX_DOCKER_GEN_CONTAINER env var on the letsencrypt-companion container to the name of the docker-gen container.
|
362
|
-
|
363
|
-
letsencrypt | - Label the docker-gen container to use with 'com.github.jrcs.letsencrypt_nginx_proxy_companion.docker_gen.'
|
364
|
-
|
365
|
-
proxy | Custom dhparam.pem file found, generation skipped
|
366
|
-
|
367
|
-
proxy | forego | starting dockergen.1 on port 5000
|
368
|
-
|
369
|
-
proxy | forego | starting nginx.1 on port 5100
|
370
|
-
|
371
|
-
proxy | nginx.1 | 2019/06/10 02:54:09 [emerg] 22#22: PEM_read_bio_DHparams("/etc/nginx/dhparam/dhparam.pem") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: DH PARAMETERS)
|
372
|
-
|
373
|
-
proxy | forego | starting nginx.1 on port 5200
|
374
|
-
|
375
|
-
proxy | forego | sending SIGTERM to nginx.1
|
376
|
-
|
377
|
-
proxy | forego | sending SIGTERM to dockergen.1
|
378
|
-
|
379
|
-
```
|
380
|
-
|
381
|
-
|
382
|
-
|
383
|
-
|
384
|
-
|
385
|
-
`labels: com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true" `の記載を外したところ以下のようになりました。
|
386
|
-
|
387
|
-
```
|
388
|
-
|
389
|
-
$ docker-compose up
|
390
|
-
|
391
|
-
Starting proxy ... done
|
392
|
-
|
393
|
-
Starting mysql ... done
|
394
|
-
|
395
|
-
Starting letsencrypt ... done
|
396
|
-
|
397
|
-
Attaching to mysql, proxy, letsencrypt
|
398
|
-
|
399
|
-
proxy | Custom dhparam.pem file found, generation skipped
|
400
|
-
|
401
|
-
proxy | forego | starting dockergen.1 on port 5000
|
402
|
-
|
403
|
-
proxy | forego | starting nginx.1 on port 5100
|
404
|
-
|
405
|
-
proxy | nginx.1 | 2019/06/10 03:14:58 [emerg] 21#21: PEM_read_bio_DHparams("/etc/nginx/dhparam/dhparam.pem") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: DH PARAMETERS)
|
406
|
-
|
407
|
-
proxy | forego | starting nginx.1 on port 5200
|
408
|
-
|
409
|
-
proxy | forego | sending SIGTERM to dockergen.1
|
410
|
-
|
411
|
-
proxy | forego | sending SIGTERM to nginx.1
|
412
|
-
|
413
|
-
```
|
414
|
-
|
415
|
-
|
416
|
-
|
417
|
-
## 追記2(opensslに変更、--resolveオプションを使用)
|
418
|
-
|
419
|
-
`curl -vk`
|
420
|
-
|
421
|
-
|
422
|
-
|
423
|
-
```
|
424
|
-
|
425
|
-
$ openssl version
|
426
|
-
|
427
|
-
OpenSSL 1.0.2s 28 May 2019
|
428
|
-
|
429
|
-
|
430
|
-
|
431
|
-
$ curl -v https://xxx.com --resolve xxx.com:443:{ip}
|
432
|
-
|
433
|
-
* Added xxx.com:{ip} to DNS cache
|
434
|
-
|
435
|
-
* Hostname xxx.com was found in DNS cache
|
436
|
-
|
437
|
-
* Trying {ip}:443...
|
438
|
-
|
439
|
-
* TCP_NODELAY set
|
440
|
-
|
441
|
-
* Connected to xxx.com ({ip}) port 443 (#0)
|
442
|
-
|
443
|
-
* ALPN, offering http/1.1
|
444
|
-
|
445
|
-
* Server aborted the SSL handshake
|
446
|
-
|
447
|
-
* Closing connection 0
|
448
|
-
|
449
|
-
curl: (35) Server aborted the SSL handshake
|
450
|
-
|
451
|
-
```
|
452
|
-
|
453
|
-
|
454
|
-
|
455
329
|
## 追記3
|
456
330
|
|
457
331
|
|
@@ -536,7 +410,7 @@
|
|
536
410
|
|
537
411
|
|
538
412
|
|
539
|
-
https を待ち受けているバーチャルサーバーの設定です
|
413
|
+
https を待ち受けているバーチャルサーバーの設定です。
|
540
414
|
|
541
415
|
こちらも`proxy側のdocker-compose.yml`で設定した以外は特に変更していません。
|
542
416
|
|
@@ -544,26 +418,194 @@
|
|
544
418
|
|
545
419
|
```
|
546
420
|
|
547
|
-
|
548
|
-
|
549
|
-
|
550
|
-
|
551
|
-
|
552
|
-
|
553
|
-
|
554
|
-
|
555
|
-
|
556
|
-
|
557
|
-
|
558
|
-
|
559
|
-
ro
|
560
|
-
|
561
|
-
|
562
|
-
|
563
|
-
|
564
|
-
|
565
|
-
|
566
|
-
|
567
|
-
|
568
|
-
|
569
|
-
|
421
|
+
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
|
422
|
+
|
423
|
+
# scheme used to connect to this server
|
424
|
+
|
425
|
+
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
|
426
|
+
|
427
|
+
default $http_x_forwarded_proto;
|
428
|
+
|
429
|
+
'' $scheme;
|
430
|
+
|
431
|
+
}
|
432
|
+
|
433
|
+
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
|
434
|
+
|
435
|
+
# server port the client connected to
|
436
|
+
|
437
|
+
map $http_x_forwarded_port $proxy_x_forwarded_port {
|
438
|
+
|
439
|
+
default $http_x_forwarded_port;
|
440
|
+
|
441
|
+
'' $server_port;
|
442
|
+
|
443
|
+
}
|
444
|
+
|
445
|
+
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
|
446
|
+
|
447
|
+
# Connection header that may have been passed to this server
|
448
|
+
|
449
|
+
map $http_upgrade $proxy_connection {
|
450
|
+
|
451
|
+
default upgrade;
|
452
|
+
|
453
|
+
'' close;
|
454
|
+
|
455
|
+
}
|
456
|
+
|
457
|
+
# Apply fix for very long server names
|
458
|
+
|
459
|
+
server_names_hash_bucket_size 128;
|
460
|
+
|
461
|
+
# Default dhparam
|
462
|
+
|
463
|
+
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
|
464
|
+
|
465
|
+
# Set appropriate X-Forwarded-Ssl header
|
466
|
+
|
467
|
+
map $scheme $proxy_x_forwarded_ssl {
|
468
|
+
|
469
|
+
default off;
|
470
|
+
|
471
|
+
https on;
|
472
|
+
|
473
|
+
}
|
474
|
+
|
475
|
+
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
|
476
|
+
|
477
|
+
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
|
478
|
+
|
479
|
+
'"$request" $status $body_bytes_sent '
|
480
|
+
|
481
|
+
'"$http_referer" "$http_user_agent"';
|
482
|
+
|
483
|
+
access_log off;
|
484
|
+
|
485
|
+
resolver 127.0.0.11;
|
486
|
+
|
487
|
+
# HTTP 1.1 support
|
488
|
+
|
489
|
+
proxy_http_version 1.1;
|
490
|
+
|
491
|
+
proxy_buffering off;
|
492
|
+
|
493
|
+
proxy_set_header Host $http_host;
|
494
|
+
|
495
|
+
proxy_set_header Upgrade $http_upgrade;
|
496
|
+
|
497
|
+
proxy_set_header Connection $proxy_connection;
|
498
|
+
|
499
|
+
proxy_set_header X-Real-IP $remote_addr;
|
500
|
+
|
501
|
+
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
502
|
+
|
503
|
+
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
|
504
|
+
|
505
|
+
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
|
506
|
+
|
507
|
+
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
|
508
|
+
|
509
|
+
# Mitigate httpoxy attack (see README for details)
|
510
|
+
|
511
|
+
proxy_set_header Proxy "";
|
512
|
+
|
513
|
+
server {
|
514
|
+
|
515
|
+
server_name _; # This is just an invalid value which will never trigger on a real hostname.
|
516
|
+
|
517
|
+
listen 80;
|
518
|
+
|
519
|
+
access_log /var/log/nginx/access.log vhost;
|
520
|
+
|
521
|
+
return 503;
|
522
|
+
|
523
|
+
}
|
524
|
+
|
525
|
+
server {
|
526
|
+
|
527
|
+
server_name _; # This is just an invalid value which will never trigger on a real hostname.
|
528
|
+
|
529
|
+
listen 443 ssl http2;
|
530
|
+
|
531
|
+
access_log /var/log/nginx/access.log vhost;
|
532
|
+
|
533
|
+
return 503;
|
534
|
+
|
535
|
+
ssl_session_tickets off;
|
536
|
+
|
537
|
+
ssl_certificate /etc/nginx/certs/default.crt;
|
538
|
+
|
539
|
+
ssl_certificate_key /etc/nginx/certs/default.key;
|
540
|
+
|
541
|
+
}
|
542
|
+
|
543
|
+
# xxx.com
|
544
|
+
|
545
|
+
upstream xxx.com {
|
546
|
+
|
547
|
+
## Can be connected with "shared" network
|
548
|
+
|
549
|
+
# nginx
|
550
|
+
|
551
|
+
server 172.18.0.2:80;
|
552
|
+
|
553
|
+
}
|
554
|
+
|
555
|
+
server {
|
556
|
+
|
557
|
+
server_name xxx.com;
|
558
|
+
|
559
|
+
listen 80 ;
|
560
|
+
|
561
|
+
access_log /var/log/nginx/access.log vhost;
|
562
|
+
|
563
|
+
return 301 https://$host$request_uri;
|
564
|
+
|
565
|
+
}
|
566
|
+
|
567
|
+
server {
|
568
|
+
|
569
|
+
server_name xxx.com;
|
570
|
+
|
571
|
+
listen 443 ssl http2 ;
|
572
|
+
|
573
|
+
access_log /var/log/nginx/access.log vhost;
|
574
|
+
|
575
|
+
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
|
576
|
+
|
577
|
+
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
|
578
|
+
|
579
|
+
ssl_prefer_server_ciphers on;
|
580
|
+
|
581
|
+
ssl_session_timeout 5m;
|
582
|
+
|
583
|
+
ssl_session_cache shared:SSL:50m;
|
584
|
+
|
585
|
+
ssl_session_tickets off;
|
586
|
+
|
587
|
+
ssl_certificate /etc/nginx/certs/xxx.com.crt;
|
588
|
+
|
589
|
+
ssl_certificate_key /etc/nginx/certs/xxx.com.key;
|
590
|
+
|
591
|
+
ssl_dhparam /etc/nginx/certs/xxx.com.dhparam.pem;
|
592
|
+
|
593
|
+
ssl_stapling on;
|
594
|
+
|
595
|
+
ssl_stapling_verify on;
|
596
|
+
|
597
|
+
ssl_trusted_certificate /etc/nginx/certs/xxx.com.chain.pem;
|
598
|
+
|
599
|
+
add_header Strict-Transport-Security "max-age=31536000" always;
|
600
|
+
|
601
|
+
include /etc/nginx/vhost.d/default;
|
602
|
+
|
603
|
+
location / {
|
604
|
+
|
605
|
+
proxy_pass http://xxx.com;
|
606
|
+
|
607
|
+
}
|
608
|
+
|
609
|
+
}
|
610
|
+
|
611
|
+
```
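Review bot: The vhost block re-added here still carries `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` and a cipher list that ends in static-RSA suites (`AES128-SHA256`, `AES128-SHA`, `AES256-SHA`, …), so clients can negotiate TLS 1.0/1.1 or a suite without forward secrecy. Those lines look like nginx-proxy template defaults rather than something you wrote, so override them once the setup works — `ssl_protocols TLSv1.2 TLSv1.3;` plus a cipher string ending in `:!kRSA` (nginx-proxy's `SSL_POLICY` variable does this if your image version has it). Before tuning that, note that the http-level `ssl_dhparam /etc/nginx/dhparam/dhparam.pem;` is the file nginx rejects with `Expecting: DH PARAMETERS` in the startup logs elsewhere in the question, which is why it never stays listening on 443; the per-vhost `ssl_dhparam /etc/nginx/certs/xxx.com.dhparam.pem;` is a separate file and is not the one failing.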
|
9
追記4
@@ -449,3 +449,121 @@
|
|
449
449
|
curl: (35) Server aborted the SSL handshake
|
450
450
|
|
451
451
|
```
|
452
|
+
|
453
|
+
|
454
|
+
|
455
|
+
## 追記3
|
456
|
+
|
457
|
+
|
458
|
+
|
459
|
+
conf.dの中にはdefault.confのみで、`/etc/nginx/nginx.conf`からdocker-compose.ymlから設定したdefault.confを読み込むような設定になっていました。
|
460
|
+
|
461
|
+
コンテナ内は触っていません。
|
462
|
+
|
463
|
+
```
|
464
|
+
|
465
|
+
// /etc/nginx/nginx.conf
|
466
|
+
|
467
|
+
|
468
|
+
|
469
|
+
user {user};
|
470
|
+
|
471
|
+
worker_processes 1;
|
472
|
+
|
473
|
+
|
474
|
+
|
475
|
+
error_log /var/log/nginx/error.log warn;
|
476
|
+
|
477
|
+
pid /var/run/nginx.pid;
|
478
|
+
|
479
|
+
|
480
|
+
|
481
|
+
|
482
|
+
|
483
|
+
events {
|
484
|
+
|
485
|
+
worker_connections 1024;
|
486
|
+
|
487
|
+
}
|
488
|
+
|
489
|
+
|
490
|
+
|
491
|
+
|
492
|
+
|
493
|
+
http {
|
494
|
+
|
495
|
+
include /etc/nginx/mime.types;
|
496
|
+
|
497
|
+
default_type application/octet-stream;
|
498
|
+
|
499
|
+
|
500
|
+
|
501
|
+
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
502
|
+
|
503
|
+
'$status $body_bytes_sent "$http_referer" '
|
504
|
+
|
505
|
+
'"$http_user_agent" "$http_x_forwarded_for"';
|
506
|
+
|
507
|
+
|
508
|
+
|
509
|
+
access_log /var/log/nginx/access.log main;
|
510
|
+
|
511
|
+
|
512
|
+
|
513
|
+
sendfile on;
|
514
|
+
|
515
|
+
#tcp_nopush on;
|
516
|
+
|
517
|
+
|
518
|
+
|
519
|
+
keepalive_timeout 65;
|
520
|
+
|
521
|
+
|
522
|
+
|
523
|
+
#gzip on;
|
524
|
+
|
525
|
+
|
526
|
+
|
527
|
+
include /etc/nginx/conf.d/*.conf;
|
528
|
+
|
529
|
+
}
|
530
|
+
|
531
|
+
```
|
532
|
+
|
533
|
+
|
534
|
+
|
535
|
+
### 追記4
|
536
|
+
|
537
|
+
|
538
|
+
|
539
|
+
https を待ち受けているバーチャルサーバーの設定ですが、`jwilder/nginx-proxy`コンテナに入って確認したところ設定ファイルっぽいものは`/etc/nginx/vhost.d`くらいしかみつかりませんでした。
|
540
|
+
|
541
|
+
こちらも`proxy側のdocker-compose.yml`で設定した以外は特に変更していません。
|
542
|
+
|
543
|
+
|
544
|
+
|
545
|
+
```
|
546
|
+
|
547
|
+
// /etc/nginx/vhost.d
|
548
|
+
|
549
|
+
|
550
|
+
|
551
|
+
## Start of configuration add by letsencrypt container
|
552
|
+
|
553
|
+
location ^~ /.well-known/acme-challenge/ {
|
554
|
+
|
555
|
+
auth_basic off;
|
556
|
+
|
557
|
+
allow all;
|
558
|
+
|
559
|
+
root /usr/share/nginx/html;
|
560
|
+
|
561
|
+
try_files $uri =404;
|
562
|
+
|
563
|
+
break;
|
564
|
+
|
565
|
+
}
|
566
|
+
|
567
|
+
## End of configuration add by letsencrypt container
|
568
|
+
|
569
|
+
```
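Review bot: The caption `// /etc/nginx/vhost.d` names a directory, while the snippet below it is the contents of `/etc/nginx/vhost.d/default`, the file pulled in by `include /etc/nginx/vhost.d/default;` in the generated vhost; naming the file in the caption makes that link visible to readers. The `location ^~ /.well-known/acme-challenge/` block with `auth_basic off; allow all;` is the companion's intentionally unauthenticated path for the HTTP-01 challenge, and `try_files $uri =404; break;` confines it to files under `/usr/share/nginx/html`, so it needs no tightening. Also, `/etc/nginx/conf.d/default.conf` is regenerated by docker-gen at container start (the `forego | starting dockergen.1` lines show it running), so it is presumably the file that `include /etc/nginx/conf.d/*.conf;` in nginx.conf loads and the one the reviewer asked for, rather than anything under vhost.d.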
|
8
--resolveオプションを使用してcurlを追記
@@ -414,7 +414,7 @@
|
|
414
414
|
|
415
415
|
|
416
416
|
|
417
|
-
## 追記2(opensslに変更)
|
417
|
+
## 追記2(opensslに変更、--resolveオプションを使用)
|
418
418
|
|
419
419
|
`curl -vk`
|
420
420
|
|
@@ -426,9 +426,15 @@
|
|
426
426
|
|
427
427
|
OpenSSL 1.0.2s 28 May 2019
|
428
428
|
|
429
|
+
|
430
|
+
|
429
|
-
$ curl -v
|
431
|
+
$ curl -v https://xxx.com --resolve xxx.com:443:{ip}
|
432
|
+
|
430
|
-
|
433
|
+
* Added xxx.com:{ip} to DNS cache
|
434
|
+
|
435
|
+
* Hostname xxx.com was found in DNS cache
|
436
|
+
|
431
|
-
* Trying
|
437
|
+
* Trying {ip}:443...
|
432
438
|
|
433
439
|
* TCP_NODELAY set
|
434
440
|
|
@@ -436,8 +442,6 @@
|
|
436
442
|
|
437
443
|
* ALPN, offering http/1.1
|
438
444
|
|
439
|
-
* WARNING: disabling hostname validation also disables SNI.
|
440
|
-
|
441
445
|
* Server aborted the SSL handshake
|
442
446
|
|
443
447
|
* Closing connection 0
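Review bot: Dropping `-k` in favour of `--resolve xxx.com:443:{ip}` is the right correction: the previous run warned that `-k` also disabled SNI, so it never asked for the `xxx.com` vhost, whereas this run sends SNI and still gets `Server aborted the SSL handshake` before any certificate is presented. That points at nothing completing the TLS handshake on 443 (consistent with the nginx `[emerg]` and `SIGTERM` lines in the docker-compose output) rather than at a certificate problem. `openssl s_client -connect {ip}:443 -servername xxx.com` runs the same check and prints any TLS alert the server sends, which would narrow it further.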
|
7
curl -vk opensslを使用した時に変更
@@ -414,40 +414,34 @@
|
|
414
414
|
|
415
415
|
|
416
416
|
|
417
|
-
## 追記2
|
417
|
+
## 追記2(opensslに変更)
|
418
|
-
|
418
|
+
|
419
|
-
`curl
|
419
|
+
`curl -vk`
|
420
|
-
|
420
|
+
|
421
|
+
|
422
|
+
|
421
|
-
```
|
423
|
+
```
|
424
|
+
|
422
|
-
|
425
|
+
$ openssl version
|
426
|
+
|
427
|
+
OpenSSL 1.0.2s 28 May 2019
|
428
|
+
|
423
|
-
|
429
|
+
$ curl -vk https://xxx.com
|
424
|
-
|
425
|
-
|
430
|
+
|
426
|
-
|
427
|
-
* Trying
|
431
|
+
* Trying 133.202.202.31:443...
|
428
432
|
|
429
433
|
* TCP_NODELAY set
|
430
434
|
|
431
435
|
* Connected to xxx.com ({ip}) port 443 (#0)
|
432
436
|
|
433
|
-
* ALPN, offering h2
|
434
|
-
|
435
437
|
* ALPN, offering http/1.1
|
436
438
|
|
437
|
-
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
|
438
|
-
|
439
|
-
* s
|
439
|
+
* WARNING: disabling hostname validation also disables SNI.
|
440
|
-
|
441
|
-
|
440
|
+
|
442
|
-
|
443
|
-
CApath: none
|
444
|
-
|
445
|
-
*
|
441
|
+
* Server aborted the SSL handshake
|
446
|
-
|
447
|
-
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to xxx.com:443
|
448
442
|
|
449
443
|
* Closing connection 0
|
450
444
|
|
451
|
-
curl: (35)
|
445
|
+
curl: (35) Server aborted the SSL handshake
|
452
|
-
|
446
|
+
|
453
|
-
```
|
447
|
+
```
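Review bot: `* Trying 133.202.202.31:443...` publishes the server's real address while every other line in the block uses the `{ip}` placeholder, and because the site keeps edit history, masking it in a later edit does not remove it from this revision — ask the site to redact it if the address is meant to stay private. The `WARNING: disabling hostname validation also disables SNI.` line also means this `-k` run never named `xxx.com` in the handshake, so it would have been answered by the `server_name _` default block (with `default.crt`) rather than the Let's Encrypt vhost; results from `-k` runs on this client say nothing about the xxx.com certificate, so test without `-k` or with `--resolve` instead.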
|
6
クライアントOS追加
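--- a/test
+++ b/test
@@ -4,6 +4,8 @@
 
 ゲストOS:CentOS7(VirtualBox)
 
+クライアントOS:Mojave 10.14.5
+
 ゲストOS内にdocker-composeで下記リンクのようなことをしたいと思っています。
 
 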
5
curl -vkを追記
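--- a/test
+++ b/test
@@ -409,3 +409,43 @@
 proxy | forego | sending SIGTERM to nginx.1
 
 ```
+
+
+
+## 追記2
+
+`curlc -vk`
+
+```
+
+% curl -vk https://xxx.com
+
+* Rebuilt URL to: https://xxx.com/
+
+* Trying {ip}...
+
+* TCP_NODELAY set
+
+* Connected to xxx.com ({ip}) port 443 (#0)
+
+* ALPN, offering h2
+
+* ALPN, offering http/1.1
+
+* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
+
+* successfully set certificate verify locations:
+
+* CAfile: /etc/ssl/cert.pem
+
+CApath: none
+
+* TLSv1.2 (OUT), TLS handshake, Client hello (1):
+
+* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to xxx.com:443
+
+* Closing connection 0
+
+curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to xxx.com:443
+
+```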
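Review bot: `SSL_ERROR_SYSCALL` right after `TLS handshake, Client hello (1)` means the peer closed the TCP connection before sending a ServerHello, so `-k` changes nothing here: verification never runs because no certificate is ever received. That matches the `nginx.1 | … [emerg] PEM_read_bio_DHparams … Expecting: DH PARAMETERS` lines and the `sending SIGTERM` that follow them in the log above — nginx exits at startup, so port 443 is either closed or answered by a process that is going away. A TLS-free check such as `nc -vz {ip} 443` from the client separates the two, and the run should be repeated without `-k` once nginx stays up; `curlc -vk` in the heading also looks like a typo for `curl -vk`.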
|
4
追記
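--- a/test
+++ b/test
@@ -375,3 +375,37 @@
 proxy | forego | sending SIGTERM to dockergen.1
 
 ```
+
+
+
+
+
+`labels: com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true" `の記載を外したところ以下のようになりました。
+
+```
+
+$ docker-compose up
+
+Starting proxy ... done
+
+Starting mysql ... done
+
+Starting letsencrypt ... done
+
+Attaching to mysql, proxy, letsencrypt
+
+proxy | Custom dhparam.pem file found, generation skipped
+
+proxy | forego | starting dockergen.1 on port 5000
+
+proxy | forego | starting nginx.1 on port 5100
+
+proxy | nginx.1 | 2019/06/10 03:14:58 [emerg] 21#21: PEM_read_bio_DHparams("/etc/nginx/dhparam/dhparam.pem") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: DH PARAMETERS)
+
+proxy | forego | starting nginx.1 on port 5200
+
+proxy | forego | sending SIGTERM to dockergen.1
+
+proxy | forego | sending SIGTERM to nginx.1
+
+```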
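Review bot: The log still ends with `[emerg] … PEM_read_bio_DHparams("/etc/nginx/dhparam/dhparam.pem") failed … Expecting: DH PARAMETERS` followed by forego sending SIGTERM to both processes, so nginx never stays listening and every HTTPS attempt in the question fails for that reason rather than because of the certificate. `Custom dhparam.pem file found, generation skipped` shows the file is one you mount in, and the error says it is not a PEM `DH PARAMETERS` block; regenerate it with `openssl dhparam -out dhparam.pem 2048`, verify with `openssl dhparam -in dhparam.pem -check -noout`, or drop the mount so the container generates its own. Removing the `com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy` label is unrelated to that error: the label (or `NGINX_PROXY_CONTAINER`) is how the companion locates the proxy in a two-container setup, so put it back on the proxy service once the DH file is fixed.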
|
3
修正依頼についての追記
@@ -344,206 +344,34 @@
|
|
344
344
|
|
345
345
|
|
346
346
|
|
347
|
-
##
|
348
|
-
|
349
|
-
|
350
|
-
|
351
|
-
|
352
|
-
|
353
|
-
|
354
|
-
|
355
|
-
|
356
|
-
|
357
|
-
|
358
|
-
|
359
|
-
|
360
|
-
|
361
|
-
|
362
|
-
|
363
|
-
|
364
|
-
|
365
|
-
|
366
|
-
|
367
|
-
|
368
|
-
|
369
|
-
|
370
|
-
|
371
|
-
|
372
|
-
|
373
|
-
|
374
|
-
|
375
|
-
|
376
|
-
|
377
|
-
|
378
|
-
|
379
|
-
'' $server_port;
|
380
|
-
|
381
|
-
}
|
382
|
-
|
383
|
-
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
|
384
|
-
|
385
|
-
# Connection header that may have been passed to this server
|
386
|
-
|
387
|
-
map $http_upgrade $proxy_connection {
|
388
|
-
|
389
|
-
default upgrade;
|
390
|
-
|
391
|
-
'' close;
|
392
|
-
|
393
|
-
}
|
394
|
-
|
395
|
-
# Apply fix for very long server names
|
396
|
-
|
397
|
-
server_names_hash_bucket_size 128;
|
398
|
-
|
399
|
-
# Default dhparam
|
400
|
-
|
401
|
-
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
|
402
|
-
|
403
|
-
# Set appropriate X-Forwarded-Ssl header
|
404
|
-
|
405
|
-
map $scheme $proxy_x_forwarded_ssl {
|
406
|
-
|
407
|
-
default off;
|
408
|
-
|
409
|
-
https on;
|
410
|
-
|
411
|
-
}
|
412
|
-
|
413
|
-
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
|
414
|
-
|
415
|
-
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
|
416
|
-
|
417
|
-
'"$request" $status $body_bytes_sent '
|
418
|
-
|
419
|
-
'"$http_referer" "$http_user_agent"';
|
420
|
-
|
421
|
-
access_log off;
|
422
|
-
|
423
|
-
resolver 127.0.0.11;
|
424
|
-
|
425
|
-
# HTTP 1.1 support
|
426
|
-
|
427
|
-
proxy_http_version 1.1;
|
428
|
-
|
429
|
-
proxy_buffering off;
|
430
|
-
|
431
|
-
proxy_set_header Host $http_host;
|
432
|
-
|
433
|
-
proxy_set_header Upgrade $http_upgrade;
|
434
|
-
|
435
|
-
proxy_set_header Connection $proxy_connection;
|
436
|
-
|
437
|
-
proxy_set_header X-Real-IP $remote_addr;
|
438
|
-
|
439
|
-
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
440
|
-
|
441
|
-
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
|
442
|
-
|
443
|
-
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
|
444
|
-
|
445
|
-
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
|
446
|
-
|
447
|
-
# Mitigate httpoxy attack (see README for details)
|
448
|
-
|
449
|
-
proxy_set_header Proxy "";
|
450
|
-
|
451
|
-
server {
|
452
|
-
|
453
|
-
server_name _; # This is just an invalid value which will never trigger on a real hostname.
|
454
|
-
|
455
|
-
listen 80;
|
456
|
-
|
457
|
-
access_log /var/log/nginx/access.log vhost;
|
458
|
-
|
459
|
-
return 503;
|
460
|
-
|
461
|
-
}
|
462
|
-
|
463
|
-
server {
|
464
|
-
|
465
|
-
server_name _; # This is just an invalid value which will never trigger on a real hostname.
|
466
|
-
|
467
|
-
listen 443 ssl http2;
|
468
|
-
|
469
|
-
access_log /var/log/nginx/access.log vhost;
|
470
|
-
|
471
|
-
return 503;
|
472
|
-
|
473
|
-
ssl_session_tickets off;
|
474
|
-
|
475
|
-
ssl_certificate /etc/nginx/certs/default.crt;
|
476
|
-
|
477
|
-
ssl_certificate_key /etc/nginx/certs/default.key;
|
478
|
-
|
479
|
-
}
|
480
|
-
|
481
|
-
# xxx.com
|
482
|
-
|
483
|
-
upstream xxx.com {
|
484
|
-
|
485
|
-
## Can be connected with "shared" network
|
486
|
-
|
487
|
-
# nginx
|
488
|
-
|
489
|
-
server 172.18.0.4:80;
|
490
|
-
|
491
|
-
}
|
492
|
-
|
493
|
-
server {
|
494
|
-
|
495
|
-
server_name xxx.com;
|
496
|
-
|
497
|
-
listen 80 ;
|
498
|
-
|
499
|
-
access_log /var/log/nginx/access.log vhost;
|
500
|
-
|
501
|
-
return 301 https://$host$request_uri;
|
502
|
-
|
503
|
-
}
|
504
|
-
|
505
|
-
server {
|
506
|
-
|
507
|
-
server_name xxx.com;
|
508
|
-
|
509
|
-
listen 443 ssl http2 ;
|
510
|
-
|
511
|
-
access_log /var/log/nginx/access.log vhost;
|
512
|
-
|
513
|
-
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
|
514
|
-
|
515
|
-
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
|
516
|
-
|
517
|
-
ssl_prefer_server_ciphers on;
|
518
|
-
|
519
|
-
ssl_session_timeout 5m;
|
520
|
-
|
521
|
-
ssl_session_cache shared:SSL:50m;
|
522
|
-
|
523
|
-
ssl_session_tickets off;
|
524
|
-
|
525
|
-
ssl_certificate /etc/nginx/certs/xxx.com.crt;
|
526
|
-
|
527
|
-
ssl_certificate_key /etc/nginx/certs/xxx.com.key;
|
528
|
-
|
529
|
-
ssl_dhparam /etc/nginx/certs/xxx.com.dhparam.pem;
|
530
|
-
|
531
|
-
ssl_stapling on;
|
532
|
-
|
533
|
-
ssl_stapling_verify on;
|
534
|
-
|
535
|
-
ssl_trusted_certificate /etc/nginx/certs/xxx.com.chain.pem;
|
536
|
-
|
537
|
-
add_header Strict-Transport-Security "max-age=31536000" always;
|
538
|
-
|
539
|
-
include /etc/nginx/vhost.d/default;
|
540
|
-
|
541
|
-
location / {
|
542
|
-
|
543
|
-
proxy_pass http://xxx.com;
|
544
|
-
|
545
|
-
}
|
546
|
-
|
547
|
-
}
|
548
|
-
|
549
|
-
```
|
347
|
+
## 追記
|
348
|
+
|
349
|
+
`docker-compose up`したところ以下のようなエラーが出ていました。
|
350
|
+
|
351
|
+
```
|
352
|
+
|
353
|
+
letsencrypt | Error: can't get docker-gen container id !
|
354
|
+
|
355
|
+
letsencrypt | If you are running a three containers setup, check that you are doing one of the following :
|
356
|
+
|
357
|
+
proxy exited with code 0
|
358
|
+
|
359
|
+
letsencrypt | - Set the NGINX_DOCKER_GEN_CONTAINER env var on the letsencrypt-companion container to the name of the docker-gen container.
|
360
|
+
|
361
|
+
letsencrypt | - Label the docker-gen container to use with 'com.github.jrcs.letsencrypt_nginx_proxy_companion.docker_gen.'
|
362
|
+
|
363
|
+
proxy | Custom dhparam.pem file found, generation skipped
|
364
|
+
|
365
|
+
proxy | forego | starting dockergen.1 on port 5000
|
366
|
+
|
367
|
+
proxy | forego | starting nginx.1 on port 5100
|
368
|
+
|
369
|
+
proxy | nginx.1 | 2019/06/10 02:54:09 [emerg] 22#22: PEM_read_bio_DHparams("/etc/nginx/dhparam/dhparam.pem") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: DH PARAMETERS)
|
370
|
+
|
371
|
+
proxy | forego | starting nginx.1 on port 5200
|
372
|
+
|
373
|
+
proxy | forego | sending SIGTERM to nginx.1
|
374
|
+
|
375
|
+
proxy | forego | sending SIGTERM to dockergen.1
|
376
|
+
|
377
|
+
```
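Review bot: The new log mixes two independent failures that the text does not separate: `letsencrypt | Error: can't get docker-gen container id !` means the companion found neither a docker-gen container nor the nginx-proxy container (it looks for the `…docker_gen` / `…nginx_proxy` labels or the `NGINX_DOCKER_GEN_CONTAINER` / `NGINX_PROXY_CONTAINER` variables, and older versions also accept `volumes_from`), while `proxy | nginx.1 | … [emerg] PEM_read_bio_DHparams(…) failed … Expecting: DH PARAMETERS` followed by `proxy exited with code 0` means nginx itself dies at startup. Because jwilder/nginx-proxy embeds docker-gen (`forego | starting dockergen.1 on port 5000`), this is the two-container layout, so only the proxy container needs to be found; check that the `nginx_proxy` label is on the proxy service and that the companion mounts `/var/run/docker.sock`. Fixing the invalid dhparam.pem is needed regardless, since no certificate can be issued or served while nginx exits.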
|
2
nginx443の設定を追記
@@ -341,3 +341,209 @@
|
|
341
341
|
dd1e87624732 shared bridge local
|
342
342
|
|
343
343
|
```
|
344
|
+
|
345
|
+
|
346
|
+
|
347
|
+
### 追記
|
348
|
+
|
349
|
+
|
350
|
+
|
351
|
+
proxyコンテナで以下のようにnginxの設定がされています
|
352
|
+
|
353
|
+
```
|
354
|
+
|
355
|
+
// proxyコンテナの/etc/nginx/conf.d/default.conf
|
356
|
+
|
357
|
+
|
358
|
+
|
359
|
+
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
|
360
|
+
|
361
|
+
# scheme used to connect to this server
|
362
|
+
|
363
|
+
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
|
364
|
+
|
365
|
+
default $http_x_forwarded_proto;
|
366
|
+
|
367
|
+
'' $scheme;
|
368
|
+
|
369
|
+
}
|
370
|
+
|
371
|
+
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
|
372
|
+
|
373
|
+
# server port the client connected to
|
374
|
+
|
375
|
+
map $http_x_forwarded_port $proxy_x_forwarded_port {
|
376
|
+
|
377
|
+
default $http_x_forwarded_port;
|
378
|
+
|
379
|
+
'' $server_port;
|
380
|
+
|
381
|
+
}
|
382
|
+
|
383
|
+
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
|
384
|
+
|
385
|
+
# Connection header that may have been passed to this server
|
386
|
+
|
387
|
+
map $http_upgrade $proxy_connection {
|
388
|
+
|
389
|
+
default upgrade;
|
390
|
+
|
391
|
+
'' close;
|
392
|
+
|
393
|
+
}
|
394
|
+
|
395
|
+
# Apply fix for very long server names
|
396
|
+
|
397
|
+
server_names_hash_bucket_size 128;
|
398
|
+
|
399
|
+
# Default dhparam
|
400
|
+
|
401
|
+
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
|
402
|
+
|
403
|
+
# Set appropriate X-Forwarded-Ssl header
|
404
|
+
|
405
|
+
map $scheme $proxy_x_forwarded_ssl {
|
406
|
+
|
407
|
+
default off;
|
408
|
+
|
409
|
+
https on;
|
410
|
+
|
411
|
+
}
|
412
|
+
|
413
|
+
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
|
414
|
+
|
415
|
+
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
|
416
|
+
|
417
|
+
'"$request" $status $body_bytes_sent '
|
418
|
+
|
419
|
+
'"$http_referer" "$http_user_agent"';
|
420
|
+
|
421
|
+
access_log off;
|
422
|
+
|
423
|
+
resolver 127.0.0.11;
|
424
|
+
|
425
|
+
# HTTP 1.1 support
|
426
|
+
|
427
|
+
proxy_http_version 1.1;
|
428
|
+
|
429
|
+
proxy_buffering off;
|
430
|
+
|
431
|
+
proxy_set_header Host $http_host;
|
432
|
+
|
433
|
+
proxy_set_header Upgrade $http_upgrade;
|
434
|
+
|
435
|
+
proxy_set_header Connection $proxy_connection;
|
436
|
+
|
437
|
+
proxy_set_header X-Real-IP $remote_addr;
|
438
|
+
|
439
|
+
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
440
|
+
|
441
|
+
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
|
442
|
+
|
443
|
+
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
|
444
|
+
|
445
|
+
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
|
446
|
+
|
447
|
+
# Mitigate httpoxy attack (see README for details)
|
448
|
+
|
449
|
+
proxy_set_header Proxy "";
|
450
|
+
|
451
|
+
server {
|
452
|
+
|
453
|
+
server_name _; # This is just an invalid value which will never trigger on a real hostname.
|
454
|
+
|
455
|
+
listen 80;
|
456
|
+
|
457
|
+
access_log /var/log/nginx/access.log vhost;
|
458
|
+
|
459
|
+
return 503;
|
460
|
+
|
461
|
+
}
|
462
|
+
|
463
|
+
server {
|
464
|
+
|
465
|
+
server_name _; # This is just an invalid value which will never trigger on a real hostname.
|
466
|
+
|
467
|
+
listen 443 ssl http2;
|
468
|
+
|
469
|
+
access_log /var/log/nginx/access.log vhost;
|
470
|
+
|
471
|
+
return 503;
|
472
|
+
|
473
|
+
ssl_session_tickets off;
|
474
|
+
|
475
|
+
ssl_certificate /etc/nginx/certs/default.crt;
|
476
|
+
|
477
|
+
ssl_certificate_key /etc/nginx/certs/default.key;
|
478
|
+
|
479
|
+
}
|
480
|
+
|
481
|
+
# xxx.com
|
482
|
+
|
483
|
+
upstream xxx.com {
|
484
|
+
|
485
|
+
## Can be connected with "shared" network
|
486
|
+
|
487
|
+
# nginx
|
488
|
+
|
489
|
+
server 172.18.0.4:80;
|
490
|
+
|
491
|
+
}
|
492
|
+
|
493
|
+
server {
|
494
|
+
|
495
|
+
server_name xxx.com;
|
496
|
+
|
497
|
+
listen 80 ;
|
498
|
+
|
499
|
+
access_log /var/log/nginx/access.log vhost;
|
500
|
+
|
501
|
+
return 301 https://$host$request_uri;
|
502
|
+
|
503
|
+
}
|
504
|
+
|
505
|
+
server {
|
506
|
+
|
507
|
+
server_name xxx.com;
|
508
|
+
|
509
|
+
listen 443 ssl http2 ;
|
510
|
+
|
511
|
+
access_log /var/log/nginx/access.log vhost;
|
512
|
+
|
513
|
+
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
|
514
|
+
|
515
|
+
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
|
516
|
+
|
517
|
+
ssl_prefer_server_ciphers on;
|
518
|
+
|
519
|
+
ssl_session_timeout 5m;
|
520
|
+
|
521
|
+
ssl_session_cache shared:SSL:50m;
|
522
|
+
|
523
|
+
ssl_session_tickets off;
|
524
|
+
|
525
|
+
ssl_certificate /etc/nginx/certs/xxx.com.crt;
|
526
|
+
|
527
|
+
ssl_certificate_key /etc/nginx/certs/xxx.com.key;
|
528
|
+
|
529
|
+
ssl_dhparam /etc/nginx/certs/xxx.com.dhparam.pem;
|
530
|
+
|
531
|
+
ssl_stapling on;
|
532
|
+
|
533
|
+
ssl_stapling_verify on;
|
534
|
+
|
535
|
+
ssl_trusted_certificate /etc/nginx/certs/xxx.com.chain.pem;
|
536
|
+
|
537
|
+
add_header Strict-Transport-Security "max-age=31536000" always;
|
538
|
+
|
539
|
+
include /etc/nginx/vhost.d/default;
|
540
|
+
|
541
|
+
location / {
|
542
|
+
|
543
|
+
proxy_pass http://xxx.com;
|
544
|
+
|
545
|
+
}
|
546
|
+
|
547
|
+
}
|
548
|
+
|
549
|
+
```
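Review bot: This generated config has two servers on 443 — the `server_name _` catch-all, which answers with `/etc/nginx/certs/default.crt` and `return 503;`, and the `xxx.com` vhost with the Let's Encrypt files — and nginx picks between them only by the SNI name the client sends. Any check made with `curl -k` on a build that drops SNI, or `openssl s_client` without `-servername xxx.com`, therefore reports the self-signed default certificate even when `xxx.com.crt` is correct; when you quote a certificate error, include the subject and issuer the client printed so the two cases can be told apart. The `upstream xxx.com { server 172.18.0.4:80; }` entry is a container IP that docker-gen rewrites whenever the app container is recreated, which is expected here but explains why it differs between revisions of this question.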
|
1
タイトル編集
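--- a/test
+++ b/test
@@ -1 +1 @@
-
+dockerでLet's Encriptでhttpsアクセスしたいが証明書エラーが発生してしまいます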