安装docker+docker版NG+NG配置

一、关闭selinux

# Turn SELinux off permanently. The two lines below become the *entire*
# content of /etc/sysconfig/selinux (on CentOS 7 typically a symlink to
# /etc/selinux/config), so any comments the distro shipped there are lost.
# With SELINUX=disabled the docker daemon and every container run without
# MAC confinement; `permissive` would keep logging denials without enforcing.
printf '%s\n' 'SELINUX=disabled' 'SELINUXTYPE=targeted' > /etc/sysconfig/selinux
# Reports the *running* state, which stays as it was until the reboot
# below applies the new config file.
sestatus
reboot

二、yum安装docker和docker-compose

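#================= Make sure wget is available ==============================
# The header promises a "check for wget": `yum install -y` is a no-op when the
# package is already installed, so it serves as the check as well.
yum install wget -y


#================= Fetch Aliyun base, epel and docker-ce repo files =========
# For CentOS 7.
# The repo files are fetched over https (the docker-ce step further down
# already uses https://mirrors.aliyun.com): a repo definition decides where
# packages come from, so it should not travel over plain http where it can be
# altered in transit. The stock CentOS-Base.repo is overwritten without a
# backup. Afterwards the yum cache is cleared and rebuilt.
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo && \
wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo && \
wget -O /etc/yum.repos.d/docker-ce.repo \
https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo && \
yum clean all && \
yum makecache fast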


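#================== Install docker =========================================
# 1. Remove older docker packagings so docker-ce installs cleanly.
#    `yum remove` exits non-zero when none of them is installed; that is fine.
yum remove docker \
docker-client \
docker-client-latest \
docker-common \
docker-latest \
docker-latest-logrotate \
docker-logrotate \
docker-engine
# 2. Packages docker-ce's storage setup needs.
yum install -y yum-utils device-mapper-persistent-data lvm2
# 3. Register the docker-ce repo. The upstream definition (commented out) is
#    served from abroad and slow from here; the Aliyun mirror is used instead.
#    This overwrites the docker-ce.repo fetched with wget earlier on the page.
#yum-config-manager \
#--add-repo \
#https://download.docker.com/linux/centos/docker-ce.repo
yum-config-manager \
--add-repo \
https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# Refresh the package index so the new repo is visible.
yum makecache fast
# 4. Install the community edition; docker-ee is the enterprise edition.
yum install docker-ce docker-ce-cli containerd.io -y
# 5. Start the daemon now and at boot. This must come before `docker version`:
#    that command also queries the daemon and fails with "Cannot connect to
#    the Docker daemon" while it is stopped.
systemctl enable docker
systemctl start docker
# 6. Verify the install: prints client and server versions.
docker version
# 7. Smoke test (optional).
#docker run hello-world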


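#==================== Install docker-compose ==============================
# Official releases:
#https://github.com/docker/compose/releases

# Download the release binary from a domestic mirror.
# -f: fail on an HTTP error instead of saving the error page as the binary.
# -o: let curl (running under sudo) write the file; the original shell `>`
#     redirect was performed by the invoking user's shell, not by sudo, and
#     fails on /usr/local/bin without root.
sudo curl -fL \
  "https://get.daocloud.io/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" \
  -o /usr/local/bin/docker-compose

# NOTE(review): the mirror is trusted as-is — nothing compares the download
# against the sha256 published with the release before it is made executable.

# /usr/local/bin is already on PATH, so docker-compose can be called directly.
sudo chmod +x /usr/local/bin/docker-compose

# Show the installed version.
docker-compose --version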

三、docker安装nginx

1、sh版本

使用 cat > file <<EOF 时，heredoc 里的变量会在写入前被展开，脚本中的 $a 就会变成空。
如果内容里有 "$a" 这样的变量引用，EOF 要加引号让内容按原样写入，例如 cat > file <<'EOF'。

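# Write the install script to $HOME. The quoted 'EOF' delimiter keeps this
# shell from expanding $(...) and $vars while the file is written.
tee ~/docker_install_nginx.sh <<'EOF'
#!/bin/bash
# Installs nginx as a docker container whose config, html and logs are
# bind-mounted from /home/nginx. A throw-away nginx:latest container is
# started first only so its default /etc/nginx, html and log directories
# can be copied to the host; the real container is then started on them.

# Image of the container named "nginx" if it is running, empty otherwise
# (also empty when no such container exists).
running_nginx_image() {
  docker inspect -f '{{if .State.Running}}{{.Config.Image}}{{end}}' nginx 2>/dev/null
}

echo "==>开始安装nginx..."
docker rm -f nginx > /dev/null 2>&1
# No -p here: this container only serves as a source for docker cp, and
# publishing 80 would fail whenever something on the host already uses it.
docker run -d --name nginx nginx:latest > /dev/null 2>&1

# The original script carried on even when this container never came up;
# stop here instead, nothing below can succeed without it.
if [ "$(running_nginx_image)" != 'nginx:latest' ]; then
  echo "==>nginx容器安装失败,请检查!"
  exit 1
fi
echo "==>临时nginx容器安装成功"

mkdir -p /home/nginx/conf /home/nginx/html /home/nginx/log
rm -rf /home/nginx/conf/* /home/nginx/html/* /home/nginx/log/*
# Copying a directory creates conf/nginx, html/html and log/nginx on the
# host; those are the paths the volume mounts below rely on.
docker cp nginx:/etc/nginx/ /home/nginx/conf/ \
  && docker cp nginx:/usr/share/nginx/html/ /home/nginx/html/ \
  && docker cp nginx:/var/log/nginx/ /home/nginx/log/
cp_status=$?

# The temporary container is not needed any more, whether or not the copy worked.
docker rm -f nginx > /dev/null 2>&1
echo "==>nginx临时容器已删除"

# Verify all three copies, not just the first (the former `ls -l | wc -l`
# test counted the "total" line and so never failed on an empty directory,
# and count2/count3 were computed but never checked).
if [ "$cp_status" -ne 0 ] \
  || [ ! -d /home/nginx/conf/nginx ] \
  || [ ! -d /home/nginx/html/html ] \
  || [ ! -d /home/nginx/log/nginx ]; then
  echo "==>docker cp 失败!"
  exit 1
fi
echo "==>nginx配置文件复制完成"

# NOTE(review): --privileged=true gives the container every capability and
# all host devices; nginx does not need it to serve from these bind mounts.
# --net=host binds host ports directly (so no -p) and bypasses docker's
# network isolation, which is why the firewall rule for 80/tcp applies as-is.
docker run -d \
--name nginx \
--net=host \
--restart=always \
--privileged=true \
-v /home/nginx/conf/nginx:/etc/nginx/ \
-v /home/nginx/html/html:/usr/share/nginx/html/ \
-v /home/nginx/log/nginx:/var/log/nginx/ \
nginx:latest > /dev/null 2>&1

if [ "$(running_nginx_image)" = 'nginx:latest' ]; then
  echo "==>nginx容器安装成功"
else
  echo "==>nginx容器安装失败,请检查!"
  exit 1
fi
EOF
echo "=================================="
# Use the path tee wrote to; the bare relative name only worked from $HOME.
chmod 755 ~/docker_install_nginx.sh
~/docker_install_nginx.sh
docker ps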

2、简单版本

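# Same procedure as the script above, spelled out step by step.
# Throw-away container used only as a source for docker cp; it does not need
# a published port (see the script version).
docker rm -f nginx
docker run -d --name nginx nginx:latest

# Host directories that will be bind-mounted into the real container.
# (The original had a typo here, /home/ningx/log, so the log directory was
# never created where docker cp and the -v mount expect it.)
mkdir -p /home/nginx/conf
mkdir -p /home/nginx/html
mkdir -p /home/nginx/log

rm -rf /home/nginx/conf/*
rm -rf /home/nginx/html/*
rm -rf /home/nginx/log/*

# Copying a directory creates conf/nginx, html/html and log/nginx on the host.
docker cp nginx:/etc/nginx/ /home/nginx/conf/
docker cp nginx:/usr/share/nginx/html/ /home/nginx/html/
docker cp nginx:/var/log/nginx/ /home/nginx/log/

docker rm -f nginx

# NOTE(review): --privileged=true is not needed by nginx and grants the
# container every capability and host device; --net=host binds host ports
# directly and bypasses docker's network isolation.
docker run -d \
--name nginx \
--net=host \
--restart=always \
--privileged=true \
-v /home/nginx/conf/nginx:/etc/nginx/ \
-v /home/nginx/html/html:/usr/share/nginx/html/ \
-v /home/nginx/log/nginx:/var/log/nginx/ \
nginx:latest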

四、配置文件

1、反向代理+ssl

[root@node16 conf.d]# cat zentao.conf 
# Backend pool for the Zentao app: one host reached over plain http, so TLS
# terminates at this nginx and the hop to 10.10.1.17 is unencrypted.
upstream zentao {
  server 10.10.1.17:80;
}

# Port 80: send every request to https on the same server_name with a 301
# (`permanent`); rewrite appends the original query string by itself.
server {
  listen 80;
  server_name xxx;
  rewrite ^(.*)$ https://${server_name}$1 permanent;
}


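# Port 443: TLS termination in front of the zentao upstream.
server {
  listen 443 ssl;
  server_name xxx;

  # NOTE(review): these paths must exist *inside* the container. The docker
  # run above mounts only /home/nginx/conf/nginx at /etc/nginx, so
  # /etc/letsencrypt needs its own -v mount (or the files copied under
  # /home/nginx/conf/nginx and the paths adjusted) — confirm.
  ssl_certificate /etc/letsencrypt/archive/leliven.com/fullchain1.pem;
  ssl_certificate_key /etc/letsencrypt/archive/leliven.com/privkey1.pem;
  ssl_session_timeout 5m;
  # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless a legacy
  # client still depends on them.
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
  ssl_prefer_server_ciphers on;

  # SNI (Server Name Indication) lets one server on one IP present different
  # certificates for different domains: the client sends the host name at the
  # start of the TLS handshake and the server picks the matching certificate.
  # proxy_ssl_server_name on passes SNI to the upstream; it only matters for
  # an https:// upstream, and the zentao upstream here is plain http.

  location / {
    proxy_pass http://zentao;
    proxy_ssl_server_name on;
    proxy_set_header HOST $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # Refuse load-testing tools by User-Agent. The header is client-supplied,
    # so treat this as a convenience filter, not a control; the limit_req /
    # limit_conn zones in nginx.conf are what actually bound request rates.
    # Initialise the flag so the comparison below never reads an
    # uninitialised variable (nginx logs a warning otherwise).
    set $block_user_agent 0;
    if ($http_user_agent ~ "Wget|ApacheBench") {
      set $block_user_agent 1;
    }
    # Fixed: the original had `retrun 403` and `=1` without a space, and this
    # location block was never closed, which left error_page inside it and
    # the server block unterminated.
    if ($block_user_agent = 1) {
      return 403;
    }
  }

  error_page 404 500 502 503 504 /error.html;
  location = /error.html {
    root  /usr/share/nginx/html;
  }

}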

2、ssl错误页面

[root@node16 conf.d]# cat error.conf 

# Stand-alone server for SSL error pages.
# NOTE(review): it has no server_name, so depending on include order it may
# become the default server for 443; and error_page applies per server
# block, so these pages are served only for requests that land here, not for
# the zentao server in zentao.conf.
server {

    # NOTE(review): 443 without `ssl` and without ssl_certificate/_key, while
    # zentao.conf already has `listen 443 ssl` on the same port. Whether nginx
    # accepts a second 443 server with no certificate depends on the version
    # — confirm with `nginx -t` before relying on it.
    listen 443;

    error_page 502 /502.html;

    # Pages are read from the container's default html dir, which the
    # docker run above bind-mounts from /home/nginx/html/html.
    location = /502.html {
      root /usr/share/nginx/html;
    }
 
    error_page 404 /404.html;

    location = /404.html {
      root /usr/share/nginx/html;
    }
}

3、tcp代理

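# Replace the main nginx.conf in the bind-mounted config directory. The
# quoted 'EOF' delimiter keeps the shell from expanding nginx's $variables.
# (`tee > FILE` with no file argument was just a roundabout `cat > FILE`.)
cat > /home/nginx/conf/nginx/nginx.conf <<'EOF'
# A stream {} block can only live in nginx.conf itself, not in conf.d/*.conf.
user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    #=================================== nginx rate limiting ===================================
    # limit_req_zone bounds requests per unit of time (rate limiting, leaky bucket);
    # limit_conn_zone / limit_conn bound simultaneous connections (concurrency limiting).
    # Declared at http level, so they apply to every server included from conf.d below.
    limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
    limit_req zone=one burst=10 nodelay;

    # User-agent based limiting has to go in a server block: `if` is not
    # allowed in the http context and nginx refuses to start with it here.
    #limit_req_zone $anti_spider zone=one2:10m rate=10r/s;
    #limit_req zone=one2 burst=10 nodelay;
    #if ($http_user_agent ~* "googlebot|bingbot|Feedfetcher-Google") {
        #set $anti_spider $http_user_agent;
    #}

    # Connection limits per client IP and per server_name.
    limit_conn_zone $binary_remote_addr zone=perip:10m;
    limit_conn_zone $server_name zone=perserver:10m;
    limit_conn perip 10;
    limit_conn perserver 100;
    #==========================================================================================
    include /etc/nginx/conf.d/*.conf;
}

stream {
    upstream xxx {
        hash $remote_addr consistent;
        # alternative key: $binary_remote_addr;
        server 127.0.0.1:8080 weight=5 max_fails=3 fail_timeout=30s;
    }

    server {
        # Listening port. NOTE(review): an http server from conf.d that also
        # has `listen 80` (zentao.conf above does) competes for the same
        # socket and nginx fails to bind; use a different port for one of them.
        listen 80;
        proxy_connect_timeout 10s;
        # Idle timeout between client and proxied server: closed after 5 minutes without traffic.
        proxy_timeout 300s;
        proxy_pass xxx;  # must not be written as http://xxx;
        # proxy_set_header is not valid in stream: there are no HTTP headers at this layer.
        #proxy_set_header HOST $host;
        #proxy_set_header X-Forwarded-Proto $scheme;
        #proxy_set_header X-Real-IP $remote_addr;
        # (In http, the backend web server reads the real client IP from X-Forwarded-For.)
        #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
EOF
# Validate the mounted config before restarting. With --restart=always a
# broken nginx.conf would otherwise put the container in a restart loop; the
# container must be running for `docker exec` to work.
docker exec nginx nginx -t && docker restart nginx
docker logs -f nginx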

4、防火墙

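# Two alternatives, pick one:
#   a) stop firewalld and keep it off (no host firewall at all), or
#   b) keep firewalld running and open only the ports nginx serves.
systemctl stop firewalld
systemctl disable firewalld
systemctl start firewalld
systemctl enable firewalld
# With --net=host nginx binds host ports directly, so this rule is what lets
# clients reach it; --remove-port is the reverse of --add-port. The ssl
# server in zentao.conf listens on 443, which needs the same treatment.
firewall-cmd --permanent --zone=public --add-port=80/tcp
firewall-cmd --permanent --zone=public --remove-port=80/tcp
# --permanent rules only take effect after --reload.
firewall-cmd --reload
# Documented spelling is --list-all-zones; the earlier --list-all-zone
# presumably relied on option prefix matching.
firewall-cmd --list-all-zones

# Changing the firewall requires restarting the docker containers afterwards
# (a firewalld reload drops the iptables rules docker set up).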