Deploying Nginx with Podman: HTTPS and Reverse Proxy
1. Create the directory structure
Suggested project layout:
```plaintext
projects/nginx
├── certs
│   ├── domain1
│   │   ├── cert.pem
│   │   ├── chain.pem
│   │   ├── fullchain.pem
│   │   └── privkey.pem
│   ├── domain2
│   ├── options-ssl-nginx.conf
│   └── ssl-dhparams.pem
├── conf.d
│   ├── blog.conf
│   └── oos.conf
└── logs
    ├── access.log
    └── error.log
```
- `certs/`: certificates and the shared SSL configuration
- `conf.d/`: Nginx configuration files (one per site)
- `logs/`: access and error logs
2. Obtain certificates (Certbot)
Method 1: standalone mode (certbot starts its own web server for the HTTP-01 challenge, so port 80 must be free while it runs)
```bash
sudo certbot certonly --standalone -d <domain>
```
Method 2: manual DNS mode (when port 80 is already in use)
```bash
sudo certbot certonly --manual --preferred-challenges dns -d <domain>
```
Caveat: `--manual` without `--manual-auth-hook` cannot renew unattended; you will have to create the DNS TXT record by hand at every renewal, so use a DNS plugin if you want automatic renewal.
Copy the certificates into the project directory
```bash
sudo cp -L /etc/letsencrypt/live/<domain>/{cert.pem,chain.pem,fullchain.pem,privkey.pem} ~/projects/nginx/certs/<domain>/
```
`-L` dereferences the symlinks in `live/` (they point into `archive/`), so the project directory holds real files rather than links that would dangle inside the container. This copy is a one-off snapshot: Let's Encrypt certificates are valid for 90 days, and after certbot renews them the copy must be repeated and Nginx reloaded, otherwise the container keeps serving the expired certificate.
Generate DH parameters:
```bash
sudo openssl dhparam -out ~/projects/nginx/certs/ssl-dhparams.pem 2048
```
Create the SSL options file options-ssl-nginx.conf:
```nginx
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1d;
# Session tickets are encrypted with a key nginx never rotates by itself; certbot's
# own options-ssl-nginx.conf turns them off for the same reason.
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
# ssl_ciphers only governs TLS 1.2; TLS 1.3 suites are fixed by OpenSSL. Keep the
# ECDHE-ECDSA suites: certbot issues ECDSA keys by default since 2.0, and an
# RSA-only list would leave TLS 1.2 clients with no usable cipher for such a key.
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';
# This path is also the one inside the container. The parameters are only used by
# DHE suites, so with the ECDHE-only list above they are never exercised; harmless.
ssl_dhparam /etc/nginx/certs/ssl-dhparams.pem;
```
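Copying the certificates by hand leaves the container serving the old certificate after certbot renews it. The following certbot deploy hook is an added example and is not part of the original post: it copies the renewed lineage into `certs/<domain>/` on the host side of the read-only mount, checks that the private key actually belongs to the certificate (catching a fullchain/privkey mix-up between domains), and validates the config inside the container before reloading it. It assumes the container name `nginx` and the host certs directory `DEST_ROOT` (default `$HOME/projects/nginx/certs`); `RENEWED_LINEAGE` is the environment variable certbot exports to deploy hooks.

```shell
#!/bin/sh
# Added example, not from the original post: certbot deploy hook that syncs a
# renewed lineage into the project's certs/ directory and reloads the container.
# Assumptions (not in the original): container name "nginx", DEST_ROOT below.
set -eu

DEST_ROOT="${DEST_ROOT:-${HOME:-/root}/projects/nginx/certs}"   # host side of the certs mount
CONTAINER="${CONTAINER:-nginx}"

# sync_certs SRC DST: copy the four PEM files, dereferencing certbot's symlinks
# (live/<domain>/x.pem -> ../../archive/<domain>/xN.pem) so the bind-mounted
# directory holds real files that the container can read. Returns 1 if a file is missing.
sync_certs() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        [ -e "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
        cp -L "$src/$f" "$dst/$f.tmp"
        mv "$dst/$f.tmp" "$dst/$f"      # rename is atomic: nginx never reads a half-written file
    done
    chmod 0644 "$dst/cert.pem" "$dst/chain.pem" "$dst/fullchain.pem"
    chmod 0600 "$dst/privkey.pem"       # private key readable by the owner only
}

# key_matches_cert CERT KEY: derive the public key from both and compare them.
# Works for RSA and ECDSA keys alike (openssl pkey is algorithm-agnostic).
key_matches_cert() {
    c=$(openssl x509 -in "$1" -pubkey -noout) || return 1
    k=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$c" = "$k" ]
}

# reload_nginx: test the config in the running container first, so a broken
# file leaves the current workers serving instead of taking the site down.
reload_nginx() {
    podman exec "$CONTAINER" nginx -t && podman exec "$CONTAINER" nginx -s reload
}

# certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com) when it
# runs a deploy hook; when unset, the script only defines the functions above.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    domain=$(basename "$RENEWED_LINEAGE")
    sync_certs "$RENEWED_LINEAGE" "$DEST_ROOT/$domain"
    key_matches_cert "$DEST_ROOT/$domain/fullchain.pem" "$DEST_ROOT/$domain/privkey.pem"
    reload_nginx
fi
```

Install it with `certbot renew --deploy-hook /path/to/sync-certs.sh` or drop it into `/etc/letsencrypt/renewal-hooks/deploy/`. Certbot runs as root, so `$HOME` is `/root`: set `DEST_ROOT` explicitly to the directory that is bind-mounted into the container.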
3. Configure the reverse proxy (example)
```nginx
server {
    listen 80;
    server_name <domain>;
    # Redirect to the configured name, not $host: this is the only server on :80,
    # so it also answers requests carrying any other Host header, and $host would
    # make the redirect target client-controlled.
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    http2 on;                  # needs nginx >= 1.25.1; older versions use "listen 443 ssl http2;"
    server_name <domain>;
    server_tokens off;         # do not advertise the nginx version in Server and error pages

    # Maximum size of a client request body
    client_max_body_size 300m;

    # Note: these paths are inside the container
    ssl_certificate /etc/nginx/certs/<domain>/fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/<domain>/privkey.pem;
    ssl_trusted_certificate /etc/nginx/certs/<domain>/chain.pem;   # only consulted when OCSP stapling is on
    include /etc/nginx/certs/options-ssl-nginx.conf;

    # HSTS forces clients to use HTTPS (enable as needed). Emit it once: two
    # add_header lines for the same name send two headers. Append "; preload"
    # only if you intend to submit the domain to the browser preload list,
    # which is hard to undo.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # Legacy header: current browsers ignore it and OWASP recommends "0", since
    # the old "1; mode=block" filter introduced problems of its own.
    add_header X-XSS-Protection "0" always;
    # add_header Content-Security-Policy "default-src 'self';style-src 'self' 'unsafe-inline'" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    large_client_header_buffers 4 32k;

    # Enable gzip to shrink responses and speed up loading. Caveat: compressing a
    # response that contains both a secret (CSRF token, session id) and reflected
    # user input exposes it to BREACH; leave such responses uncompressed.
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/javascript application/json application/xml image/svg+xml;

    # Reverse proxy to the frontend and the backend
    location / {
        # Podman runs with host networking, so 127.0.0.1 is the host itself.
        # Use the literal address rather than "localhost": nginx resolves the
        # name once at startup and may pick ::1 while the app listens only on
        # IPv4, which shows up as intermittent 502s.
        proxy_pass http://127.0.0.1:3000;   # frontend service
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Only has an effect when proxy_cache is configured (it is not here);
        # kept as the usual WebSocket boilerplate, it does not prevent caching.
        proxy_cache_bypass $http_upgrade;
    }

    location /api/v1/ {
        proxy_pass http://127.0.0.1:8000;   # backend service on the host (see above)
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
    }
}
```
Note: the paths inside the container must match the mount targets, `/etc/nginx/certs` and `/etc/nginx/conf.d`.
4. Pull and run the Nginx container
```bash
sudo podman run -d \
  --name nginx \
  --network host \
  -v /home/immortal/projects/nginx/conf.d:/etc/nginx/conf.d:ro \
  -v /home/immortal/projects/nginx/certs:/etc/nginx/certs:ro \
  -v /home/immortal/projects/nginx/logs:/var/log/nginx \
  docker.io/library/nginx:latest
```
Notes:
- `--network host`: the container shares the host's network namespace, so no `-p` port mapping is needed and `127.0.0.1` in `proxy_pass` reaches services running on the host. The trade-off is that there is no network isolation between nginx and the host.
- `:ro`: certificates and configuration are mounted read-only, so a compromised nginx process cannot alter them. On SELinux-enforcing hosts (Fedora, RHEL) bind mounts also need a `,Z` relabel suffix, otherwise nginx gets permission denied.
- `logs` is mounted on the host so the logs can be read without entering the container.
- `nginx:latest` is a moving target; pin a version tag or an image digest so the proxy does not silently change on the next pull.
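Once the container is running, verify what the server actually sends instead of trusting the config file: a duplicated `add_header`, a header missing `always`, or a forgotten `server_tokens off;` only shows up on the wire. The script below is an added example, not part of the original page. It checks the port-80 redirect and the HTTPS response headers for the policy the config above sets (HSTS exactly once with a one-year `max-age`, `nosniff`, `X-Frame-Options`), plus a version-free `Server` header, which requires `server_tokens off;` (not in the original config, recommended here). The parsing functions read raw headers from stdin so they can be run on captured output; the live run at the end needs `curl` and only executes when `AUDIT_DOMAIN` is set (the variable name is an assumption).

```shell
#!/bin/sh
# Added example (not from the original page): audit what the proxy really sends.
# check_redirect / audit_headers read raw response headers from stdin; the live
# run at the end needs curl and only executes when AUDIT_DOMAIN (assumed name) is set.
set -eu

# check_redirect: the :80 server must answer with a permanent redirect to https://.
check_redirect() {
    awk '
    { sub(/\r$/, "") }                         # curl -I output uses CRLF line endings
    NR == 1 { status = $2 }                    # "HTTP/1.1 301 Moved Permanently"
    tolower($1) == "location:" { target = $2 }
    END {
        if (status != "301" && status != "308") { print "FAIL: expected 301/308 on port 80, got " status; exit 1 }
        if (target !~ /^https:\/\//)           { print "FAIL: redirect target is not https: " target; exit 1 }
        exit 0
    }'
}

# audit_headers: print one FAIL line per policy violation, exit 1 if there were any.
audit_headers() {
    awk '
    { sub(/\r$/, "") }
    /^[^ \t:]+:/ {                             # "Name: value" lines only, not the status line
        name  = tolower(substr($0, 1, index($0, ":") - 1))
        value = substr($0, index($0, ":") + 1); sub(/^[ \t]+/, "", value)
        count[name]++; last[name] = value
    }
    END {
        fails = 0
        n = count["strict-transport-security"] + 0
        if (n != 1) {
            print "FAIL: Strict-Transport-Security must appear exactly once, saw " n; fails++
        } else {
            v = last["strict-transport-security"]
            if (match(v, /max-age=[0-9]+/)) {
                age = substr(v, RSTART + 8, RLENGTH - 8) + 0     # digits after "max-age="
                if (age < 31536000) { print "FAIL: HSTS max-age " age " is below one year"; fails++ }
            } else { print "FAIL: HSTS header has no max-age"; fails++ }
        }
        if (tolower(last["x-content-type-options"]) != "nosniff") { print "FAIL: X-Content-Type-Options is not nosniff"; fails++ }
        if (!("x-frame-options" in count)) { print "FAIL: X-Frame-Options missing"; fails++ }
        if (last["server"] ~ /\//) { print "FAIL: Server header leaks a version: " last["server"]; fails++ }
        exit (fails > 0)
    }'
}

# Live run against a deployed host, e.g. AUDIT_DOMAIN=example.com sh audit.sh
if [ -n "${AUDIT_DOMAIN:-}" ]; then
    curl -sSI "http://$AUDIT_DOMAIN/"  | check_redirect
    curl -sSI "https://$AUDIT_DOMAIN/" | audit_headers
fi
```

Run it after every config change; the two HSTS lines in a typical copy-pasted config, for example, produce "saw 2" here while `nginx -t` reports nothing, because sending a header twice is not a syntax error.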
5. Common management commands
```bash
podman logs -f nginx        # follow the logs
podman stop nginx           # stop the container
podman start nginx          # start the container
podman exec -it nginx bash  # open a shell inside the container
```