1.fastapi 测试demo
# Publishes container port 8088 on host port 8068, on every host interface.
# The nginx config further down reaches this service over plain http://, so
# opening 8068 in the security group also lets clients reach it directly,
# without TLS and without passing through the proxy.
docker run -p 8068:8088 registry.cn-hangzhou.aliyuncs.com/spider_tie/api_test:2 python api_zhenzhi.py
运行之后,安全组放行8068端口
访问端口之后得到
{
"message": "臻致测试接口"
}
1.1 docker方式启动nginx
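# Start nginx with the host-side config, logs and certificates bind-mounted in.
# The config and certificate mounts are read-only (:ro): nginx only reads them,
# so a process inside the container cannot modify its own config or the key.
# The image is untagged (= latest); pin a tag or digest you have verified if
# you need repeatable deployments.
# NOTE(review): the nginx.conf shown below reads its certificate from
# /etc/letsencrypt/live/..., while this command mounts certificates at
# /etc/nginx/ssl - one of the two paths has to be changed so they match.
docker run --name nginx_1 -p 80:80 -p 443:443 \
  -v /usr/local/nginx/conf/nginx.conf:/etc/nginx/nginx.conf:ro \
  -v /usr/local/nginx/logs:/var/log/nginx \
  -v /usr/local/nginx/ssl:/etc/nginx/ssl:ro \
  --restart=always -d nginx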
其中nginx配置,nginx.conf配置文件如下
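# nginx.conf for the reverse proxy: serves HTTP on :80 and TLS on :443 and
# forwards requests to the backend containers.
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # $http_x_forwarded_for is copied from a client-supplied header; treat that
    # log field as untrusted when reading the access log.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 4096;

    # include /etc/nginx/mime.types;
    # default_type application/octet-stream;
    #gzip on;
    #include /etc/nginx/conf.d/*.conf;

    server {
        listen 80;
        listen [::]:80;
        #server_name _;
        #root /usr/share/nginx/html;
        server_name tieyongjie.cn;

        # ACME HTTP-01 challenge files written by certbot into the shared webroot.
        location ^~ /.well-known/acme-challenge/ {
            allow all;                   # allow access from every IP
            root /usr/share/nginx/html;  # must match the webroot path mounted in the container
            try_files $uri $uri/ =404;
        }

        # Both proxied locations reach the backend over plain HTTP on a public
        # address. The backend port is also opened in the security group, so a
        # client can bypass this proxy and send its own X-Real-IP header;
        # restrict that port to the proxy host if the backend relies on it.
        location / {
            proxy_pass http://1.95.141.8:8068;  # points at the Docker container's port 8068
            # proxy_set_header Host $host:$server_port;
            proxy_set_header X-Real-IP $remote_addr;
        }

        location /api/ {  # note the trailing slash
            # This directive had been swallowed into the comment above by a
            # mis-encoded character; without it the location proxies nothing.
            proxy_pass http://1.95.141.8:8068;
            proxy_set_header Host $host:$server_port;
            proxy_set_header X-Real-IP $remote_addr;
        }

        # Load configuration files for the default server block.
        # include /etc/nginx/default.d/*.conf;

        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }

        # This server block answers over plain HTTP until the redirect below is
        # enabled. NOTE(review): a server-level return also redirects the
        # acme-challenge path, and the :443 server proxies every path to the
        # backend - move the redirect into `location /` so renewals keep working.
        # return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;
        server_name tieyongjie.cn;

        # These paths exist only when the certbot volume is mounted at
        # /etc/letsencrypt (the docker-compose setup); the privkey.pem file must
        # stay readable by root only.
        ssl_certificate /etc/letsencrypt/live/tieyongjie.cn/fullchain.pem;    # path to the SSL certificate (PEM)
        ssl_certificate_key /etc/letsencrypt/live/tieyongjie.cn/privkey.pem;  # path to the SSL private key

        location / {
            # TLS ends here; the hop to the backend is unencrypted HTTP.
            proxy_pass http://113.44.32.209:8090;  # points at the Docker container's port: 8090
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }
    }
}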
1.2 docker-compose 方式启动
docker-compose.yml 配置文件如下
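# docker-compose.yml: an nginx reverse proxy plus a one-shot certbot container
# that share one volume for certificates and one for the ACME webroot.
# Both images float (":latest" / no tag); pin a tag or digest you have verified
# if you need repeatable deployments.
version: '3.8'

services:
  nginx:
    image: registry.cn-hangzhou.aliyuncs.com/devops_de/nginx:latest
    container_name: nginx
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Custom nginx configuration; read-only because nginx only reads it.
      - ./nginx/conf/nginx.conf:/etc/nginx/nginx.conf:ro
      # Shared SSL certificate volume; read-only here so only certbot can
      # write certificates and private keys.
      - nginx_ssl:/etc/letsencrypt:ro
      # Webroot directory used for Certbot validation.
      - nginx_webroot:/usr/share/nginx/html
    networks:
      - webnet

  certbot:
    image: registry.cn-hangzhou.aliyuncs.com/devops_de/certbot
    container_name: certbot
    volumes:
      # Shared SSL certificate volume, so Certbot writes certificates where
      # nginx can read them.
      - nginx_ssl:/etc/letsencrypt
      # Shared webroot directory; Certbot places its validation files here.
      - nginx_webroot:/var/www/html
    # This container does not need to run permanently; it is started only
    # when a certificate has to be issued or renewed.
    # NOTE(review): the second -d repeats the first domain; confirm which
    # additional name, if any, was intended.
    command: certonly --webroot --webroot-path=/var/www/html --email 1042798703@qq.com --agree-tos --no-eff-email -d tieyongjie.cn -d tieyongjie.cn --dry-run
    # Note: use --dry-run for the first test to avoid hitting Let's Encrypt
    # rate limits. Once the test succeeds, remove --dry-run and run again to
    # obtain the real certificate.
    networks:
      - webnet

# Shared volumes
volumes:
  nginx_ssl:      # shares the SSL certificates
  nginx_webroot:  # shares the webroot validation files

networks:
  webnet: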
重启nginx
# Asks the nginx process in the running "nginx" service to re-read its
# configuration, which is how a changed nginx.conf or a renewed certificate
# gets picked up.
docker-compose exec nginx nginx -s reload
2.certbot生成证书
# Runs the certbot service once with the `command:` from docker-compose.yml
# and removes the container afterwards (--rm).
docker-compose run --rm certbot
先使用
command: certonly --webroot --webroot-path=/var/www/html --email 1042798703@qq.com --agree-tos --no-eff-email -d tieyongjie.cn -d tieyongjie.cn --dry-run
得到成功的响应success
[root@hcss-ecs-9b96 certbot]# docker-compose run --rm certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Simulating a certificate request for tieyongjie.cn
The dry run was successful.
然后将 --dry-run 去掉,生成真实的证书
2.1 查看证书路径
# 1. Find the actual name of the volume
docker volume ls | grep nginx_ssl
# Output looks like: yourprojectname_nginx_ssl
# 2. Inspect that volume's details and look for "Mountpoint".
#    The volume name carries the Compose project name as a prefix; in the
#    output shown below the project is "certbot".
#    The mountpoint directory holds the certificate private key (privkey.pem),
#    so keep it readable by root only.
docker volume inspect certbot_nginx_ssl
在我的服务器测试如下
[root@hcss-ecs-9b96 nginx_ssl]# docker volume inspect nginx_ssl
[]
Error response from daemon: get nginx_ssl: no such volume
[root@hcss-ecs-9b96 nginx_ssl]# docker volume inspect certbot_nginx_ssl
[
{
"CreatedAt": "2025-09-15T16:57:10+08:00",
"Driver": "local",
"Labels": {
"com.docker.compose.project": "certbot",
"com.docker.compose.version": "2.5.0",
"com.docker.compose.volume": "nginx_ssl"
},
"Mountpoint": "/var/lib/docker/volumes/certbot_nginx_ssl/_data",
"Name": "certbot_nginx_ssl",
"Options": null,
"Scope": "local"
}
]
3. certbot设置自动续期
1.宿主机编辑crontab
sudo crontab -e
2.添加以下行(例如,每天凌晨 2:30 检查一次):
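# Note: the command must run from the project directory (the one holding
# docker-compose.yml), hence the leading cd.
# -T disables pseudo-TTY allocation: cron provides no terminal, and without it
# `docker-compose run` / `exec` can fail with "the input device is not a TTY",
# so the renewal or the reload would silently never happen.
# cron's PATH is minimal; if docker-compose is not found, use its absolute path.
30 2 * * * cd /root/certbot && docker-compose run --rm -T certbot renew && docker-compose exec -T nginx nginx -s reload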



