調整 Docker SSL 入口與部署說明

2026-04-15 23:15:52 +08:00
parent b0908b4d3c
commit 7a8436db47
5 changed files with 220 additions and 18 deletions
--- a/docker/nginx/Dockerfile
+++ b/docker/nginx/Dockerfile
@@ -0,0 +1,9 @@
+FROM nginx:1.27-alpine
+
+RUN apk add --no-cache inotify-tools
+
+COPY docker/nginx/entrypoint.sh /entrypoint.sh
+
+RUN chmod +x /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]
--- a/docker/nginx/entrypoint.sh
+++ b/docker/nginx/entrypoint.sh
@@ -0,0 +1,96 @@
+#!/bin/sh
+set -eu
+
+NGINX_PORT="${NGINX_PORT:-3501}"
+NGINX_SERVER_NAME="${NGINX_SERVER_NAME:-_}"
+SSL_CERT_DIR="${SSL_CERT_DIR:-/etc/nginx/certs}"
+SSL_CERT_FILE_NAME="${SSL_CERT_FILE_NAME:-RSA-cert.pem}"
+SSL_CHAIN_FILE_NAME="${SSL_CHAIN_FILE_NAME:-RSA-chain.pem}"
+SSL_KEY_FILE_NAME="${SSL_KEY_FILE_NAME:-RSA-privkey.pem}"
+UPSTREAM_HOST="${UPSTREAM_HOST:-badminton-scoreboard}"
+UPSTREAM_PORT="${UPSTREAM_PORT:-8788}"
+
+GENERATED_DIR="/etc/nginx/generated"
+GENERATED_CERT_PATH="${GENERATED_DIR}/fullchain.pem"
+GENERATED_KEY_PATH="${GENERATED_DIR}/privkey.pem"
+
+mkdir -p "${GENERATED_DIR}"
+
+build_cert_bundle() {
+  cert_path="${SSL_CERT_DIR}/${SSL_CERT_FILE_NAME}"
+  chain_path="${SSL_CERT_DIR}/${SSL_CHAIN_FILE_NAME}"
+  key_path="${SSL_CERT_DIR}/${SSL_KEY_FILE_NAME}"
+
+  if [ ! -f "${cert_path}" ]; then
+    echo "Missing certificate file: ${cert_path}" >&2
+    exit 1
+  fi
+
+  if [ ! -f "${chain_path}" ]; then
+    echo "Missing chain file: ${chain_path}" >&2
+    exit 1
+  fi
+
+  if [ ! -f "${key_path}" ]; then
+    echo "Missing key file: ${key_path}" >&2
+    exit 1
+  fi
+
+  cat "${cert_path}" "${chain_path}" > "${GENERATED_CERT_PATH}"
+  cp "${key_path}" "${GENERATED_KEY_PATH}"
+}
+
+write_nginx_config() {
+  cat > /etc/nginx/conf.d/default.conf <<EOF
+server {
+    listen ${NGINX_PORT} ssl;
+    server_name ${NGINX_SERVER_NAME};
+
+    ssl_certificate ${GENERATED_CERT_PATH};
+    ssl_certificate_key ${GENERATED_KEY_PATH};
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers on;
+
+    client_max_body_size 20m;
+
+    location / {
+        proxy_pass http://${UPSTREAM_HOST}:${UPSTREAM_PORT};
+        proxy_http_version 1.1;
+        proxy_set_header Host \$host;
+        proxy_set_header X-Real-IP \$remote_addr;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header Upgrade \$http_upgrade;
+        proxy_set_header Connection "upgrade";
+    }
+}
+EOF
+}
+
+watch_cert_updates() {
+  while inotifywait -qq -e close_write,create,delete,move "${SSL_CERT_DIR}"; do
+    echo "Certificate files changed, reloading nginx..."
+    build_cert_bundle
+    nginx -s reload
+  done
+}
+
+build_cert_bundle
+write_nginx_config
+nginx -t
+
+watch_cert_updates &
+WATCHER_PID=$!
+
+cleanup() {
+  kill "${WATCHER_PID}" 2>/dev/null || true
+}
+
+trap cleanup INT TERM
+
+nginx -g 'daemon off;' &
+NGINX_PID=$!
+
+wait "${NGINX_PID}"