(1) Docker 설치 및 Jenkins 설정
(2) 백엔드, 프론트 엔드 도커 이미지 빌드
(3) 원격 서버에서 도커 이미지 실행: Jenkins 파이프라인 작성
(4) HTTPS 적용 및 Nginx 설정 : letsencrypt와 certbot을 사용한 SSL 인증서 설치, 리버스 프록시 적용
만들었던 서비스는 실시간으로 영상을 수신하게 만들어야 해서 https 적용을 해야했다.
1. Certbot container 생성 및 인증서 발급
cd
sudo mkdir certbot
cd certbot
sudo mkdir conf www logs
sudo docker pull certbot/certbot
sudo docker run -it --rm --name certbot -p 80:80\\
-v "/home/ubuntu/certbot/conf:/etc/letsencrypt" \\
-v "/home/ubuntu/certbot/log:/var/log/letsencrypt" \\
-v "/home/ubuntu/certbot/www:/var/www/certbot" \\
certbot/certbot certonly/home/ubuntu 에 certbot 디렉토리를 생성하고 conf와 www 디렉토리를 생성한다.
생성한 디렉토리는 certbot 컨테이너와 연동시킨다. 이렇게 하는 이유는 certbot 컨테이너에서 만든 인증서를 외부에서 사용하기 위해서 이다.
SSL 인증서 발급 과정
- standalone, agree, no, <domain_name> 으로 작성하면 인증서가 발급된다.
- domain_name은 사용하려는 실제 도메인이어야 한다.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): <<email>>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Account registered.
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): <<domain_name>>
Requesting a certificate for <<domain_name>>
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/<<domain_name>>/fullchain.pem
Key is saved at: /etc/letsencrypt/live/<<domain_name>>/privkey.pem
This certificate expires on 2021-12-25.
These files will be updated when the certificate renews.
NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See for instructions.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt:
* Donating to EFF:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2. jenkins pipeline 수정
ls /home/ubuntu/jenkins_home/images_tar
sudo docker load < /home/ubuntu/jenkins_home/images_tar/vue-client.tar
sudo docker load < /home/ubuntu/jenkins_home/images_tar/node-server.tar
if (sudo docker ps | grep "vue-client"); then sudo docker stop vue-client; fi
if (sudo docker ps | grep "node-server"); then sudo docker stop node-server; fi
sudo docker run -it -d --rm -p 80:80 -p 443:443 -v /home/ubuntu/certbot/conf:/etc/letsencrypt/ -v /home/ubuntu/certbot/www:/var/www/certbot --name vue-client vue-client
echo "Run client"
sudo docker run -it -d --rm -p 3000:3000 --name node-server node-server
echo "Run server"
sudo docker ps인증서를 추가해야하므로 도커 컨테이너와 certbot 인증서가 있는 디렉토리를 연결한다.(호스트와 컨테이너 볼륨을 연결한다)
3. Nginx 설정(conf.d/default.conf)
upstream backend {
server node-server:12001;
}
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
server_name <<domain_name>>;
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
server_name <<domain_name>>;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
ssl_certificate /etc/letsencrypt/live/<<domain_name>>/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/<<domain_name>>/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 SSLv3;
ssl_ciphers ALL;
location / {
root /usr/share/nginx/html;
index index.html index.htm
proxy_redirect off;
charset utf-8;
try_files $uri $uri/ /index.html;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Nginx-Proxy true;
}
location /api {
rewrite ^/api/(.*|$) /$1 break;
proxy_pass <http://backend>;
proxy_redirect off;
charset utf-8;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Nginx-Proxy true;
}
}- https 설정은 80포트(http)로 들어오면 443(https)포트로 리다이렉션 시켰다.
- 그리고 리버스 프록시도 설정했다. /api로 들어오면 백엔드서버에 연결하였다.
- 사실 nginx 설정은 봐도봐도 잘 모르겠다.
참고글
https://www.lostcatbox.com/2020/08/12/nginx-proxy/
'STUDY > Web' 카테고리의 다른 글
| SOP & CORS (0) | 2023.09.04 |
|---|---|
| Cookie & Session (0) | 2023.09.04 |
| 배포 자동화 (3) Jenkins 파이프라인 작성 (0) | 2022.01.04 |
| 배포 자동화 (2) 백엔드, 프론트엔드 도커 이미지 빌드 (0) | 2021.10.08 |
| 배포 자동화 (1) Docker 설치 및 Jenkins 설정 (0) | 2021.09.27 |