トップに関する質問 dockerでLet's Encriptでhttpsアクセスしたいが証明書エラーが発生してしまいます

編集履歴

質問編集履歴

https を待ち受けているバーチャルサーバーの設定を追記

2019/06/21 03:27

投稿

bws

スコア98

test CHANGED Viewed

File without changes

test CHANGED Viewed

@@ -1,5 +1,3 @@
-# やりたいこと
 ホストOS:WindowsServer2016
 ゲストOS:CentOS7(VirtualBox)
@@ -328,130 +326,6 @@
-```
-$ docker network list
-NETWORK ID          NAME                DRIVER              SCOPE
-d9e59ffd2d93        bridge              bridge              local
-fd9e53c427b4        host                host                local
-ff3ac73490ce        none                null                local
-dd1e87624732        shared              bridge              local
-```
-## 追記
-`docker-compose up`したところ以下のようなエラーが出ていました。
-```
-letsencrypt    | Error: can't get docker-gen container id !
-letsencrypt    | If you are running a three containers setup, check that you are doing one of the following :
-proxy exited with code 0
-letsencrypt    |        - Set the NGINX_DOCKER_GEN_CONTAINER env var on the letsencrypt-companion container to the name of the docker-gen container.
-letsencrypt    |        - Label the docker-gen container to use with 'com.github.jrcs.letsencrypt_nginx_proxy_companion.docker_gen.'
-proxy          | Custom dhparam.pem file found, generation skipped
-proxy          | forego     | starting dockergen.1 on port 5000
-proxy          | forego     | starting nginx.1 on port 5100
-proxy          | nginx.1    | 2019/06/10 02:54:09 [emerg] 22#22: PEM_read_bio_DHparams("/etc/nginx/dhparam/dhparam.pem") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: DH PARAMETERS)
-proxy          | forego     | starting nginx.1 on port 5200
-proxy          | forego     | sending SIGTERM to nginx.1
-proxy          | forego     | sending SIGTERM to dockergen.1
-```
-`labels: com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true" `の記載を外したところ以下のようになりました。
-```
-$ docker-compose up
-Starting proxy ... done
-Starting mysql ... done
-Starting letsencrypt ... done
-Attaching to mysql, proxy, letsencrypt
-proxy          | Custom dhparam.pem file found, generation skipped
-proxy          | forego     | starting dockergen.1 on port 5000
-proxy          | forego     | starting nginx.1 on port 5100
-proxy          | nginx.1    | 2019/06/10 03:14:58 [emerg] 21#21: PEM_read_bio_DHparams("/etc/nginx/dhparam/dhparam.pem") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: DH PARAMETERS)
-proxy          | forego     | starting nginx.1 on port 5200
-proxy          | forego     | sending SIGTERM to dockergen.1
-proxy          | forego     | sending SIGTERM to nginx.1
-```
-## 追記２(opensslに変更、--resolveオプションを使用)
-`curl -vk`
-```
-$ openssl version
-OpenSSL 1.0.2s  28 May 2019
-$ curl -v https://xxx.com --resolve xxx.com:443:{ip}
-* Added xxx.com:{ip} to DNS cache
-* Hostname xxx.com was found in DNS cache
-*   Trying {ip}:443...
-* TCP_NODELAY set
-* Connected to xxx.com ({ip}) port 443 (#0)
-* ALPN, offering http/1.1
-* Server aborted the SSL handshake
-* Closing connection 0
-curl: (35) Server aborted the SSL handshake
-```
 ## 追記３
@@ -536,7 +410,7 @@
-https を待ち受けているバーチャルサーバーの設定ですが、`jwilder/nginx-proxy`コンテナに入って確認したところ設定ファイルっぽいものは`/etc/nginx/vhost.d`くらいしかみつかりませんでした。
+https を待ち受けているバーチャルサーバーの設定です。
 こちらも`proxy側のdocker-compose.yml`で設定した以外は特に変更していません。
@@ -544,26 +418,194 @@
 ```
-// /etc/nginx/vhost.d
-## Start of configuration add by letsencrypt container
-location ^~ /.well-known/acme-challenge/ {
-    auth_basic off;
-    allow all;
-    root /usr/share/nginx/html;
-    try_files $uri =404;
-    break;
-}
-## End of configuration add by letsencrypt container
-```
+# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
+# scheme used to connect to this server
+map $http_x_forwarded_proto $proxy_x_forwarded_proto {
+  default $http_x_forwarded_proto;
+  ''      $scheme;
+}
+# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
+# server port the client connected to
+map $http_x_forwarded_port $proxy_x_forwarded_port {
+  default $http_x_forwarded_port;
+  ''      $server_port;
+}
+# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
+# Connection header that may have been passed to this server
+map $http_upgrade $proxy_connection {
+  default upgrade;
+  '' close;
+}
+# Apply fix for very long server names
+server_names_hash_bucket_size 128;
+# Default dhparam
+ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
+# Set appropriate X-Forwarded-Ssl header
+map $scheme $proxy_x_forwarded_ssl {
+  default off;
+  https on;
+}
+gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+log_format vhost '$host $remote_addr - $remote_user [$time_local] '
+                 '"$request" $status $body_bytes_sent '
+                 '"$http_referer" "$http_user_agent"';
+access_log off;
+resolver 127.0.0.11;
+# HTTP 1.1 support
+proxy_http_version 1.1;
+proxy_buffering off;
+proxy_set_header Host $http_host;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $proxy_connection;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
+proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
+proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
+# Mitigate httpoxy attack (see README for details)
+proxy_set_header Proxy "";
+server {
+        server_name _; # This is just an invalid value which will never trigger on a real hostname.
+        listen 80;
+        access_log /var/log/nginx/access.log vhost;
+        return 503;
+}
+server {
+        server_name _; # This is just an invalid value which will never trigger on a real hostname.
+        listen 443 ssl http2;
+        access_log /var/log/nginx/access.log vhost;
+        return 503;
+        ssl_session_tickets off;
+        ssl_certificate /etc/nginx/certs/default.crt;
+        ssl_certificate_key /etc/nginx/certs/default.key;
+}
+# xxx.com
+upstream xxx.com {
+                                ## Can be connected with "shared" network
+                        # nginx
+                        server 172.18.0.2:80;
+}
+server {
+        server_name xxx.com;
+        listen 80 ;
+        access_log /var/log/nginx/access.log vhost;
+        return 301 https://$host$request_uri;
+}
+server {
+        server_name xxx.com;
+        listen 443 ssl http2 ;
+        access_log /var/log/nginx/access.log vhost;
+        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
+        ssl_prefer_server_ciphers on;
+        ssl_session_timeout 5m;
+        ssl_session_cache shared:SSL:50m;
+        ssl_session_tickets off;
+        ssl_certificate /etc/nginx/certs/xxx.com.crt;
+        ssl_certificate_key /etc/nginx/certs/xxx.com.key;
+        ssl_dhparam /etc/nginx/certs/xxx.com.dhparam.pem;
+        ssl_stapling on;
+        ssl_stapling_verify on;
+        ssl_trusted_certificate /etc/nginx/certs/xxx.com.chain.pem;
+        add_header Strict-Transport-Security "max-age=31536000" always;
+        include /etc/nginx/vhost.d/default;
+        location / {
+                proxy_pass http://xxx.com;
+        }
+}
+```

追記4

2019/06/21 03:27

投稿

bws

スコア98

test CHANGED Viewed

File without changes

test CHANGED Viewed

@@ -449,3 +449,121 @@
 curl: (35) Server aborted the SSL handshake
 ```
+## 追記３
+conf.dの中にはdefault.confのみで、`/etc/nginx/nginx.conf`からdocker-compose.ymlから設定したdefault.confを読み込むような設定になっていました。
+コンテナ内は触っていません。
+```
+// /etc/nginx/nginx.conf
+user  {user};
+worker_processes  1;
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+events {
+    worker_connections  1024;
+}
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+    access_log  /var/log/nginx/access.log  main;
+    sendfile        on;
+    #tcp_nopush     on;
+    keepalive_timeout  65;
+    #gzip  on;
+    include /etc/nginx/conf.d/*.conf;
+}
+```
+### 追記4
+https を待ち受けているバーチャルサーバーの設定ですが、`jwilder/nginx-proxy`コンテナに入って確認したところ設定ファイルっぽいものは`/etc/nginx/vhost.d`くらいしかみつかりませんでした。
+こちらも`proxy側のdocker-compose.yml`で設定した以外は特に変更していません。
+```
+// /etc/nginx/vhost.d
+## Start of configuration add by letsencrypt container
+location ^~ /.well-known/acme-challenge/ {
+    auth_basic off;
+    allow all;
+    root /usr/share/nginx/html;
+    try_files $uri =404;
+    break;
+}
+## End of configuration add by letsencrypt container
+```

--resolveオプションを使用してcurlを追記

2019/06/21 03:10

投稿

bws

スコア98

test CHANGED Viewed

File without changes

test CHANGED Viewed

@@ -414,7 +414,7 @@
-## 追記２(opensslに変更)
+## 追記２(opensslに変更、--resolveオプションを使用)
 `curl -vk`
@@ -426,9 +426,15 @@
 OpenSSL 1.0.2s  28 May 2019
-$ curl -vk https://xxx.com
+$ curl -v https://xxx.com --resolve xxx.com:443:{ip}
+* Added xxx.com:{ip} to DNS cache
+* Hostname xxx.com was found in DNS cache
-*   Trying 133.202.202.31:443...
+*   Trying {ip}:443...
 * TCP_NODELAY set
@@ -436,8 +442,6 @@
 * ALPN, offering http/1.1
-* WARNING: disabling hostname validation also disables SNI.
 * Server aborted the SSL handshake
 * Closing connection 0

curl -vk opensslを使用した時に変更

2019/06/14 02:23

投稿

bws

スコア98

test CHANGED Viewed

File without changes

test CHANGED Viewed

@@ -414,40 +414,34 @@
-## 追記２
+## 追記２(opensslに変更)
-`curlc -vk`
+`curl -vk`
-```
+```
+$ openssl version
+OpenSSL 1.0.2s  28 May 2019
-% curl -vk https://xxx.com
+$ curl -vk https://xxx.com
-* Rebuilt URL to: https://xxx.com/
-*   Trying {ip}...
+*   Trying 133.202.202.31:443...
 * TCP_NODELAY set
 * Connected to xxx.com ({ip}) port 443 (#0)
-* ALPN, offering h2
 * ALPN, offering http/1.1
-* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
-* successfully set certificate verify locations:
+* WARNING: disabling hostname validation also disables SNI.
-*   CAfile: /etc/ssl/cert.pem
-  CApath: none
-* TLSv1.2 (OUT), TLS handshake, Client hello (1):
+* Server aborted the SSL handshake
-* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to xxx.com:443
 * Closing connection 0
-curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to xxx.com:443
+curl: (35) Server aborted the SSL handshake
-```
+```

クライアントOS追加

2019/06/14 01:20

投稿

bws

スコア98

test CHANGED Viewed

File without changes

test CHANGED Viewed

@@ -4,6 +4,8 @@
 ゲストOS:CentOS7(VirtualBox)
+クライアントOS:Mojave 10.14.5
 ゲストOS内にdocker-composeで下記リンクのようなことをしたいと思っています。

curl -vkを追記

2019/06/13 10:58

投稿

bws

スコア98

test CHANGED Viewed

File without changes

test CHANGED Viewed

@@ -409,3 +409,43 @@
 proxy          | forego     | sending SIGTERM to nginx.1
 ```
+## 追記２
+`curlc -vk`
+```
+% curl -vk https://xxx.com
+* Rebuilt URL to: https://xxx.com/
+*   Trying {ip}...
+* TCP_NODELAY set
+* Connected to xxx.com ({ip}) port 443 (#0)
+* ALPN, offering h2
+* ALPN, offering http/1.1
+* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
+* successfully set certificate verify locations:
+*   CAfile: /etc/ssl/cert.pem
+  CApath: none
+* TLSv1.2 (OUT), TLS handshake, Client hello (1):
+* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to xxx.com:443
+* Closing connection 0
+curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to xxx.com:443
+```

追記

2019/06/11 01:03

投稿

bws

スコア98

test CHANGED Viewed

File without changes

test CHANGED Viewed

@@ -375,3 +375,37 @@
 proxy          | forego     | sending SIGTERM to dockergen.1
 ```
+`labels: com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true" `の記載を外したところ以下のようになりました。
+```
+$ docker-compose up
+Starting proxy ... done
+Starting mysql ... done
+Starting letsencrypt ... done
+Attaching to mysql, proxy, letsencrypt
+proxy          | Custom dhparam.pem file found, generation skipped
+proxy          | forego     | starting dockergen.1 on port 5000
+proxy          | forego     | starting nginx.1 on port 5100
+proxy          | nginx.1    | 2019/06/10 03:14:58 [emerg] 21#21: PEM_read_bio_DHparams("/etc/nginx/dhparam/dhparam.pem") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: DH PARAMETERS)
+proxy          | forego     | starting nginx.1 on port 5200
+proxy          | forego     | sending SIGTERM to dockergen.1
+proxy          | forego     | sending SIGTERM to nginx.1
+```

修正依頼についての追記

2019/06/10 03:19

投稿

bws

スコア98

test CHANGED Viewed

File without changes

test CHANGED Viewed

@@ -344,206 +344,34 @@
-### 追記
-proxyコンテナで以下のようにnginxの設定がされています
-```
-// proxyコンテナの/etc/nginx/conf.d/default.conf
-# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
-# scheme used to connect to this server
-map $http_x_forwarded_proto $proxy_x_forwarded_proto {
-  default $http_x_forwarded_proto;
-  ''      $scheme;
-}
-# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
-# server port the client connected to
-map $http_x_forwarded_port $proxy_x_forwarded_port {
-  default $http_x_forwarded_port;
-  ''      $server_port;
-}
-# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
-# Connection header that may have been passed to this server
-map $http_upgrade $proxy_connection {
-  default upgrade;
-  '' close;
-}
-# Apply fix for very long server names
-server_names_hash_bucket_size 128;
-# Default dhparam
-ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
-# Set appropriate X-Forwarded-Ssl header
-map $scheme $proxy_x_forwarded_ssl {
-  default off;
-  https on;
-}
-gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
-log_format vhost '$host $remote_addr - $remote_user [$time_local] '
-                 '"$request" $status $body_bytes_sent '
-                 '"$http_referer" "$http_user_agent"';
-access_log off;
-resolver 127.0.0.11;
-# HTTP 1.1 support
-proxy_http_version 1.1;
-proxy_buffering off;
-proxy_set_header Host $http_host;
-proxy_set_header Upgrade $http_upgrade;
-proxy_set_header Connection $proxy_connection;
-proxy_set_header X-Real-IP $remote_addr;
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
-proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
-proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
-# Mitigate httpoxy attack (see README for details)
-proxy_set_header Proxy "";
-server {
-        server_name _; # This is just an invalid value which will never trigger on a real hostname.
-        listen 80;
-        access_log /var/log/nginx/access.log vhost;
-        return 503;
-}
-server {
-        server_name _; # This is just an invalid value which will never trigger on a real hostname.
-        listen 443 ssl http2;
-        access_log /var/log/nginx/access.log vhost;
-        return 503;
-        ssl_session_tickets off;
-        ssl_certificate /etc/nginx/certs/default.crt;
-        ssl_certificate_key /etc/nginx/certs/default.key;
-}
-# xxx.com
-upstream xxx.com {
-                                ## Can be connected with "shared" network
-                        # nginx
-                        server 172.18.0.4:80;
-}
-server {
-        server_name xxx.com;
-        listen 80 ;
-        access_log /var/log/nginx/access.log vhost;
-        return 301 https://$host$request_uri;
-}
-server {
-        server_name xxx.com;
-        listen 443 ssl http2 ;
-        access_log /var/log/nginx/access.log vhost;
-        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
-        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
-        ssl_prefer_server_ciphers on;
-        ssl_session_timeout 5m;
-        ssl_session_cache shared:SSL:50m;
-        ssl_session_tickets off;
-        ssl_certificate /etc/nginx/certs/xxx.com.crt;
-        ssl_certificate_key /etc/nginx/certs/xxx.com.key;
-        ssl_dhparam /etc/nginx/certs/xxx.com.dhparam.pem;
-        ssl_stapling on;
-        ssl_stapling_verify on;
-        ssl_trusted_certificate /etc/nginx/certs/xxx.com.chain.pem;
-        add_header Strict-Transport-Security "max-age=31536000" always;
-        include /etc/nginx/vhost.d/default;
-        location / {
-                proxy_pass http://xxx.com;
-        }
-}
-```
+## 追記
+`docker-compose up`したところ以下のようなエラーが出ていました。
+```
+letsencrypt    | Error: can't get docker-gen container id !
+letsencrypt    | If you are running a three containers setup, check that you are doing one of the following :
+proxy exited with code 0
+letsencrypt    |        - Set the NGINX_DOCKER_GEN_CONTAINER env var on the letsencrypt-companion container to the name of the docker-gen container.
+letsencrypt    |        - Label the docker-gen container to use with 'com.github.jrcs.letsencrypt_nginx_proxy_companion.docker_gen.'
+proxy          | Custom dhparam.pem file found, generation skipped
+proxy          | forego     | starting dockergen.1 on port 5000
+proxy          | forego     | starting nginx.1 on port 5100
+proxy          | nginx.1    | 2019/06/10 02:54:09 [emerg] 22#22: PEM_read_bio_DHparams("/etc/nginx/dhparam/dhparam.pem") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: DH PARAMETERS)
+proxy          | forego     | starting nginx.1 on port 5200
+proxy          | forego     | sending SIGTERM to nginx.1
+proxy          | forego     | sending SIGTERM to dockergen.1
+```

nginx443の設定を追記

2019/06/10 03:10

投稿

bws

スコア98

test CHANGED Viewed

File without changes

test CHANGED Viewed

@@ -341,3 +341,209 @@
 dd1e87624732        shared              bridge              local
 ```
+### 追記
+proxyコンテナで以下のようにnginxの設定がされています
+```
+// proxyコンテナの/etc/nginx/conf.d/default.conf
+# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
+# scheme used to connect to this server
+map $http_x_forwarded_proto $proxy_x_forwarded_proto {
+  default $http_x_forwarded_proto;
+  ''      $scheme;
+}
+# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
+# server port the client connected to
+map $http_x_forwarded_port $proxy_x_forwarded_port {
+  default $http_x_forwarded_port;
+  ''      $server_port;
+}
+# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
+# Connection header that may have been passed to this server
+map $http_upgrade $proxy_connection {
+  default upgrade;
+  '' close;
+}
+# Apply fix for very long server names
+server_names_hash_bucket_size 128;
+# Default dhparam
+ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
+# Set appropriate X-Forwarded-Ssl header
+map $scheme $proxy_x_forwarded_ssl {
+  default off;
+  https on;
+}
+gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+log_format vhost '$host $remote_addr - $remote_user [$time_local] '
+                 '"$request" $status $body_bytes_sent '
+                 '"$http_referer" "$http_user_agent"';
+access_log off;
+resolver 127.0.0.11;
+# HTTP 1.1 support
+proxy_http_version 1.1;
+proxy_buffering off;
+proxy_set_header Host $http_host;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $proxy_connection;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
+proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
+proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
+# Mitigate httpoxy attack (see README for details)
+proxy_set_header Proxy "";
+server {
+        server_name _; # This is just an invalid value which will never trigger on a real hostname.
+        listen 80;
+        access_log /var/log/nginx/access.log vhost;
+        return 503;
+}
+server {
+        server_name _; # This is just an invalid value which will never trigger on a real hostname.
+        listen 443 ssl http2;
+        access_log /var/log/nginx/access.log vhost;
+        return 503;
+        ssl_session_tickets off;
+        ssl_certificate /etc/nginx/certs/default.crt;
+        ssl_certificate_key /etc/nginx/certs/default.key;
+}
+# xxx.com
+upstream xxx.com {
+                                ## Can be connected with "shared" network
+                        # nginx
+                        server 172.18.0.4:80;
+}
+server {
+        server_name xxx.com;
+        listen 80 ;
+        access_log /var/log/nginx/access.log vhost;
+        return 301 https://$host$request_uri;
+}
+server {
+        server_name xxx.com;
+        listen 443 ssl http2 ;
+        access_log /var/log/nginx/access.log vhost;
+        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
+        ssl_prefer_server_ciphers on;
+        ssl_session_timeout 5m;
+        ssl_session_cache shared:SSL:50m;
+        ssl_session_tickets off;
+        ssl_certificate /etc/nginx/certs/xxx.com.crt;
+        ssl_certificate_key /etc/nginx/certs/xxx.com.key;
+        ssl_dhparam /etc/nginx/certs/xxx.com.dhparam.pem;
+        ssl_stapling on;
+        ssl_stapling_verify on;
+        ssl_trusted_certificate /etc/nginx/certs/xxx.com.chain.pem;
+        add_header Strict-Transport-Security "max-age=31536000" always;
+        include /etc/nginx/vhost.d/default;
+        location / {
+                proxy_pass http://xxx.com;
+        }
+}
+```

タイトル編集

2019/05/24 03:04

投稿

bws

スコア98

test CHANGED Viewed

	@@ -1 +1 @@
1	- ~~jwil~~d~~er/nginx-pr~~o~~xyとjr~~c~~s/l~~etsencrypt~~-nginx-~~p~~roxy-companionで~~証明書エラーが発生する
1	+ dockerでLet's Encriptでhttpsアクセスしたいが証明書エラーが発生してしまいます

test CHANGED Viewed

File without changes