
Upgrading to an SSL site

This document describes how to upgrade your own site to an SSL (HTTPS) site.

First you need to obtain an SSL certificate; please refer to "Creating an SSL certificate".

Your existing site already has an nginx.conf configured for your domain name; it is located here:

vi /opt/kubernetes/nginx.conf

We need to add the following to every server block:

    server {
        # the ssl parameter is required: a bare "listen 443;" makes nginx answer plain HTTP on port 443
        listen 443 ssl;
        ssl_certificate /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;
        # modern configuration. tweak to your needs.
        ssl_protocols TLSv1.2;
        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
        ssl_prefer_server_ciphers on;
        # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
        add_header Strict-Transport-Security max-age=15768000;
        # OCSP Stapling ---
        # fetch OCSP records from URL in ssl_certificate and cache them
        # (nginx needs a resolver directive, here or in the http block, to look up the OCSP responder,
        #  and nginx.crt must contain the intermediate chain for ssl_stapling_verify to succeed)
        ssl_stapling on;
        ssl_stapling_verify on;

        # Do not touch the other existing configuration!!!

    }

Update the ConfigMap with the following command:

kubectl create configmap confnginx --from-file=/opt/kubernetes/nginx.conf  --namespace=ns-shoptnt -o yaml --dry-run | kubectl apply -f -

Update the application and services:

Modify the IP address:

vi /opt/docker/k8s/gateway-ssl.yaml

After correcting the IP address in this file, redeploy nginx and the services:

kubectl apply -f /opt/kubernetes/gateway-ssl.yaml

Verify by opening the site over HTTPS:

https://yourdomain
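Before running the ConfigMap update it is worth confirming that every server block in nginx.conf actually received the directives above. The following Python check is an added example, not part of this page or the project: it brace-matches each server block, reports blocks that still listen on 443 without the ssl parameter, lack any of the required ssl_* directives, keep legacy protocol versions, or have no HSTS header. The embedded configuration is constructed for the demonstration; the hostnames and the proxy target are assumptions.

```python
import re

REQUIRED = ("ssl_certificate", "ssl_certificate_key", "ssl_protocols", "ssl_ciphers")
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}

def server_blocks(conf):
    """Return the body of each `server { ... }` block, brace-matched, comments stripped."""
    conf, blocks, depth, start = re.sub(r"#[^\n]*", "", conf), [], 0, None
    for m in re.finditer(r"server\s*\{|[{}]", conf):
        depth += -1 if m.group(0) == "}" else 1
        if m.group(0) not in "{}" and start is None:  # 'server {' opens a block
            start, sdepth = m.end(), depth
        elif start is not None and depth < sdepth:  # its matching closing brace
            blocks.append(conf[start:m.start()])
            start = None
    return blocks

def check_server(block):
    """Return findings for one server block; an empty list means it is correctly upgraded."""
    d = {}
    for stmt in block.split(";"):
        parts = stmt.split()
        if parts:
            d.setdefault(parts[0], []).append(parts[1:])
    tls = [a for a in d.get("listen", []) if a and a[0].endswith("443")]
    if not tls:
        return ["no listen on 443: block not upgraded"]
    findings = ["missing " + n for n in REQUIRED if n not in d]
    if any("ssl" not in a for a in tls):
        findings.append("listen 443 lacks the ssl parameter: nginx would serve plain HTTP on 443")
    for a in d.get("ssl_protocols", []):
        if LEGACY & set(a):
            findings.append("legacy protocols enabled: " + " ".join(sorted(LEGACY & set(a))))
    if not any(a and a[0] == "Strict-Transport-Security" for a in d.get("add_header", [])):
        findings.append("no Strict-Transport-Security header")
    return findings

# Constructed sample: the first block follows this page's template; the second was copied
# with a plain 'listen 443;' and legacy protocols left on (hostnames/upstream are assumed).
SAMPLE = """http {
  server { server_name shop.example.com; listen 80; listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/nginx.crt; ssl_certificate_key /etc/nginx/ssl/nginx.key;
    ssl_protocols TLSv1.2; ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384';
    add_header Strict-Transport-Security max-age=15768000;
    location / { proxy_pass http://api:7003; } }
  server { server_name admin.example.com; listen 443;
    ssl_certificate /etc/nginx/ssl/nginx.crt; ssl_certificate_key /etc/nginx/ssl/nginx.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384'; } }"""

print([check_server(b) or "OK" for b in server_blocks(SAMPLE)])
```

To check the real file, replace SAMPLE with `open("/opt/kubernetes/nginx.conf").read()`.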

If you need to configure the WeChat Official Account security (domain verification) file, refer to the following.

Create a Secret with the following command (the gateway manifest below mounts the verification file from the Secret named weixin-certs, so the Secret name used here must match the one referenced there):

kubectl create secret generic nginx-certs-keys --from-file=/opt/ssl/XXXX.txt --namespace=ns-shoptnt

Update the gateway configuration to map the Secret into the Docker container (gateway-ssl.yaml):

    spec:
      containers:
      - name: nginx
        image: registry.cn-beijing.aliyuncs.com/shoptnt-k8s-images/nginx:alpine-v1
        ports:
        - containerPort: 80
        - containerPort: 443
        volumeMounts:
        - name: nginx-config
          mountPath: /etc/nginx/nginx.conf
          subPath: nginx.conf
        - mountPath: /etc/nginx/ssl
          name: secret-volume
        - mountPath: /etc/nginx/weixin
          name: weixin-verify
      volumes:
      - name: nginx-config
        configMap:
          name: confnginx
      - name: secret-volume
        secret:
          secretName: nginx-certs-keys
      - name: weixin-verify
        secret:
          secretName: weixin-certs

Because the configuration above is shown as code, the relevant lines cannot be highlighted within the source file, so they are extracted separately below (these are the additions for the WeChat verification file):

      containers:
      - name: nginx
        volumeMounts:
        - mountPath: /etc/nginx/weixin
          name: weixin-verify

      volumes:
      - name: weixin-verify
        secret:
          secretName: weixin-certs

Update the nginx configuration (the alias paths must point at the directory the weixin-verify volume is mounted on, /etc/nginx/weixin):

      # both files are served from the weixin-verify volume mounted at /etc/nginx/weixin
      location /MP_verify_zqbqcofIqb6LjPZ7.txt {
          alias /etc/nginx/weixin/MP_verify_zqbqcofIqb6LjPZ7.txt;
      }
      location /WW_verify_f8jPuHHMXmlxvlJK.txt {
          alias /etc/nginx/weixin/WW_verify_f8jPuHHMXmlxvlJK.txt;
      }

If you need to configure the WeChat refund security certificate, refer to the following configuration:

Upload the WeChat refund security file to the /opt/weixin/ directory on the server, then run the command below to create a Secret for the seller-api deployment to use:

kubectl create secret generic apiclient-certs --from-file=/opt/weixin/apiclient_cert.p12 --namespace=ns-shoptnt

Edit the api.yaml file to configure the mount:

      containers:
      - image: registry.cn-zhangjiakou.aliyuncs.com/yinbei-shoptnt/seller-api:7.1.5.1
        name: seller-api-container
        ports:
        - containerPort: 7003
        volumeMounts:
        - mountPath: /opt/weixin/
          name: secret-volume
      imagePullSecrets:
      - name: aliyun-secret
      volumes:
      - name: secret-volume
        secret:
          secretName: apiclient-certs