Docker Community Forums


How to create an image from this?


(Keondisaster) #1

Hey Guys,

I'm new to Docker and am trying to set up my own little swarm, which should later host my own website with a valid Let's Encrypt certificate.

I have been reading the documentation and some how-tos; this is what I have so far:

ct-ws-tg-ext-1/
  src/
    letsencrypt/
      docker-compose.yml
      nginx.conf
      sub1.foo.bar/
        favicon.ico
        index.html
        styles/
          style.css
      sub2.foo.bar/
        favicon.ico
        index.html
        styles/
          style.css
      sub3.foo.bar/
        favicon.ico
        index.html
        styles/
          style.css
      sub4.foo.bar/
        favicon.ico
        index.html
        styles/
          style.css

    production/
      docker-compose.yml
      production.conf
      sub1.foo.bar/
        my website content from sub1.foo.bar (files and directories)
      sub2.foo.bar/
        my website content from sub2.foo.bar (files and directories)
      sub3.foo.bar/
        my website content from sub3.foo.bar (files and directories)
      sub4.foo.bar/
        my website content from sub4.foo.bar (files and directories)
      dh-param/
        dhparam-2048.pem

Here is the docker-compose.yml from the letsencrypt folder:

version: '3.1'

services:

  ct-ws-tg-ext-1-letsencrypt:
    container_name: 'ct-ws-tg-ext-1-letsencrypt'
    image: nginx:latest
    ports:
      - "80:80"

    volumes:
      - ./sub1.foo.bar:/usr/share/nginx/html/sub1.foo.bar/
      - ./sub2.foo.bar:/usr/share/nginx/html/sub2.foo.bar/
      - ./sub3.foo.bar:/usr/share/nginx/html/sub3.foo.bar/
      - ./sub4.foo.bar:/usr/share/nginx/html/sub4.foo.bar/
      - ./nginx.conf:/etc/nginx/conf.d/default.conf
    networks:
      - docker-network

networks:
  docker-network:
    driver: bridge

Here is the one from the production folder:

version: '3.1'

services:

  ct-ws-tg-ext-1-production:
    container_name: 'ct-ws-tg-ext-1-production'
    image: nginx:latest
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./production.conf:/etc/nginx/conf.d/default.conf
      - ./sub1.foo.bar:/usr/share/nginx/html/sub1.foo.bar
      - ./sub2.foo.bar:/usr/share/nginx/html/sub2.foo.bar
      - ./sub3.foo.bar:/usr/share/nginx/html/sub3.foo.bar
      - ./sub4.foo.bar:/usr/share/nginx/html/sub4.foo.bar
      - ./dh-param/dhparam-2048.pem:/etc/ssl/certs/dhparam-2048.pem
      - /docker-volumes/etc/letsencrypt/live/foo.bar/fullchain.pem:/etc/letsencrypt/live/foo.bar/fullchain.pem
      - /docker-volumes/etc/letsencrypt/live/foo.bar/privkey.pem:/etc/letsencrypt/live/foo.bar/privkey.pem
    networks:
      - docker-network

networks:
  docker-network:
    driver: bridge

Here is the nginx.conf (from the letsencrypt folder):

#http://foo.bar
server {
    listen 80;
    listen [::]:80;
    server_name foo.bar;

    location ~ /.well-known/acme-challenge {
        allow all;
        root /usr/share/nginx/html/sub1.foo.bar/;
    }

    root /usr/share/nginx/html/sub1.foo.bar/;
    index index.html;
}
#http://sub1.foo.bar
server {
    listen 80;
    listen [::]:80;
    server_name sub1.foo.bar;

    location ~ /.well-known/acme-challenge {
        allow all;
        root /usr/share/nginx/html/sub1.foo.bar/;
    }

    root /usr/share/nginx/html/sub1.foo.bar/;
    index index.html;
}
#http://sub2.foo.bar
server {
    listen 80;
    listen [::]:80;
    server_name sub2.foo.bar;

    location ~ /.well-known/acme-challenge {
        allow all;
        root /usr/share/nginx/html/sub2.foo.bar/;
    }

    root /usr/share/nginx/html/sub2.foo.bar/;
    index index.html;
}
#http://sub3.foo.bar
server {
    listen 80;
    listen [::]:80;
    server_name sub3.foo.bar;

    location ~ /.well-known/acme-challenge {
        allow all;
        root /usr/share/nginx/html/sub3.foo.bar/;
    }

    root /usr/share/nginx/html/sub3.foo.bar/;
    index index.html;
}
#http://sub4.foo.bar
server {
    listen 80;
    listen [::]:80;
    server_name sub4.foo.bar;

    location ~ /.well-known/acme-challenge {
        allow all;
        root /usr/share/nginx/html/sub4.foo.bar/;
    }

    root /usr/share/nginx/html/sub4.foo.bar/;
    index index.html;
}

Here is the production.conf:

server {
    listen      80;
    listen [::]:80;
    server_name foo.bar sub2.foo.bar sub1.foo.bar sub3.foo.bar sub4.foo.bar;

    location / {
        rewrite ^ https://$host$request_uri? permanent;
    }

    #for certbot challenges (renewal process)
    location ~ /.well-known/acme-challenge {
        allow all;
        root /data/letsencrypt;
    }

}

#https://foo.bar
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name foo.bar;

    server_tokens off;

    ssl_certificate /etc/letsencrypt/live/foo.bar/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/foo.bar/privkey.pem;

    ssl_buffer_size 8k;

    ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;

    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_prefer_server_ciphers on;

    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

    ssl_ecdh_curve secp384r1;
    ssl_session_tickets off;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8;

    return 301 https://sub1.foo.bar$request_uri;

    location / {
        #security headers
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "DENY" always;
        #CSP
        add_header Content-Security-Policy "frame-src 'self'; default-src 'self'; script-src 'self' 'unsafe-inline' https://maxcdn.bootstrapcdn.com https://ajax.googleapis.com; img-src 'self'; style-src 'self' https://maxcdn.bootstrapcdn.com; font-src 'self' data: https://maxcdn.bootstrapcdn.com; form-action 'self'; upgrade-insecure-requests;" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    }

}

#https://sub1.foo.bar
server {
    server_name sub1.foo.bar;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_tokens off;

    ssl_buffer_size 8k;
    ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;

    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

    ssl_ecdh_curve secp384r1;
    ssl_session_tickets off;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4;

    ssl_certificate /etc/letsencrypt/live/foo.bar/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/foo.bar/privkey.pem;

    location / {
        #security headers
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "DENY" always;
        #CSP
        add_header Content-Security-Policy "frame-src 'self'; default-src 'self'; script-src 'self' 'unsafe-inline' https://maxcdn.bootstrapcdn.com https://ajax.googleapis.com; img-src 'self'; style-src 'self' https://maxcdn.bootstrapcdn.com; font-src 'self' data: https://maxcdn.bootstrapcdn.com; form-action 'self'; upgrade-insecure-requests;" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    }

    root /usr/share/nginx/html/sub1.foo.bar/;
    index index.html;
}
#https://sub2.foo.bar
server {
    server_name sub2.foo.bar;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_tokens off;

    ssl_buffer_size 8k;
    ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;

    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

    ssl_ecdh_curve secp384r1;
    ssl_session_tickets off;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4;

    ssl_certificate /etc/letsencrypt/live/foo.bar/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/foo.bar/privkey.pem;

    location / {
        #security headers
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "DENY" always;
        #CSP
        add_header Content-Security-Policy "frame-src 'self'; default-src 'self'; script-src 'self' 'unsafe-inline' https://maxcdn.bootstrapcdn.com https://ajax.googleapis.com; img-src 'self'; style-src 'self' https://maxcdn.bootstrapcdn.com; font-src 'self' data: https://maxcdn.bootstrapcdn.com; form-action 'self'; upgrade-insecure-requests;" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    }

    root /usr/share/nginx/html/sub2.foo.bar/;
    index index.html;
}
#https://sub3.foo.bar
server {
    server_name sub3.foo.bar;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_tokens off;

    ssl_buffer_size 8k;
    ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;

    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

    ssl_ecdh_curve secp384r1;
    ssl_session_tickets off;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4;

    ssl_certificate /etc/letsencrypt/live/foo.bar/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/foo.bar/privkey.pem;

    location / {
        #security headers
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "DENY" always;
        #CSP
        add_header Content-Security-Policy "frame-src 'self'; default-src 'self'; script-src 'self' 'unsafe-inline' https://maxcdn.bootstrapcdn.com https://ajax.googleapis.com; img-src 'self'; style-src 'self' https://maxcdn.bootstrapcdn.com; font-src 'self' data: https://maxcdn.bootstrapcdn.com; form-action 'self'; upgrade-insecure-requests;" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    }

    root /usr/share/nginx/html/sub3.foo.bar/;
    index index.html;
}
#https://sub4.foo.bar
server {
    server_name sub4.foo.bar;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_tokens off;

    ssl_buffer_size 8k;
    ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;

    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

    ssl_ecdh_curve secp384r1;
    ssl_session_tickets off;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4;

    ssl_certificate /etc/letsencrypt/live/foo.bar/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/foo.bar/privkey.pem;

    location / {
        #security headers
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "DENY" always;
        #CSP
        add_header Content-Security-Policy "frame-src 'self'; default-src 'self'; script-src 'self' 'unsafe-inline' https://maxcdn.bootstrapcdn.com https://ajax.googleapis.com; img-src 'self'; style-src 'self' https://maxcdn.bootstrapcdn.com; font-src 'self' data: https://maxcdn.bootstrapcdn.com; form-action 'self'; upgrade-insecure-requests;" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    }

    root /usr/share/nginx/html/sub4.foo.bar/;
    index index.html;
}

Before I ask my real question: how do I integrate PHP-FPM, and is this a clean solution at all?

My real question to you now: how do I make an image of it, which I can then put on my repo? I really want to be able to use it in my swarm (based on a 4-machine cluster: 1 manager, 3 workers).

And ideally: how can I then deploy this container on the swarm?

What must the DNS records of the individual subdomains look like, so that the right host is always addressed? ^^

I would be very happy about your help. Of course, you are also welcome to quote specific sections of the documentation ^^
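Two things a reviewer would check in the files above before baking them into an image, as an added example (not code from the post): production.conf serves the ACME challenge from /data/letsencrypt, which the production docker-compose.yml never mounts, so renewals would 404; and ssl_protocols still enables TLS 1.0 and 1.1. The embedded snippets are constructed excerpts of the post's two files.

```python
"""Cross-check nginx `root` directives against compose bind mounts, and
flag deprecated TLS versions. Inputs below are constructed excerpts of the
production.conf and docker-compose.yml shown in the post."""
import re

COMPOSE = """\
    volumes:
      - ./production.conf:/etc/nginx/conf.d/default.conf
      - ./sub1.foo.bar:/usr/share/nginx/html/sub1.foo.bar
      - ./dh-param/dhparam-2048.pem:/etc/ssl/certs/dhparam-2048.pem
"""

NGINX = """\
server {
    location ~ /.well-known/acme-challenge {
        root /data/letsencrypt;
    }
}
server {
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    root /usr/share/nginx/html/sub1.foo.bar/;
}
"""

def mount_targets(compose: str) -> list:
    """Container-side path of every `- host:container` entry in a volumes list."""
    return [m.group(1).rstrip("/")
            for m in re.finditer(r"^\s*-\s*[^:]+:([^:\s]+)", compose, re.M)]

def nginx_roots(conf: str) -> list:
    """Every path given to a `root` directive, trailing slash normalised away."""
    return [r.rstrip("/") for r in re.findall(r"\broot\s+(\S+?);", conf)]

def unmounted_roots(conf: str, compose: str) -> list:
    """Roots nginx serves from that no bind mount sits on, under, or above."""
    mounts = mount_targets(compose)
    covered = lambda r: any(m == r or m.startswith(r + "/") or r.startswith(m + "/")
                            for m in mounts)
    return sorted({r for r in nginx_roots(conf) if not covered(r)})

def weak_tls_protocols(conf: str) -> list:
    """Protocol versions enabled by ssl_protocols that should be dropped."""
    weak = set()
    for value in re.findall(r"ssl_protocols\s+([^;]+);", conf):
        weak.update(p for p in value.split() if p in ("SSLv3", "TLSv1", "TLSv1.1"))
    return sorted(weak)

if __name__ == "__main__":
    print("roots without a mount:", unmounted_roots(NGINX, COMPOSE))
    print("weak TLS versions:    ", weak_tls_protocols(NGINX))
```

Run it against the real files (read them instead of the constants) to see the same two findings on the full config; the fix is to mount the certbot webroot at /data/letsencrypt in the production compose file and to leave only TLSv1.2 (and TLSv1.3 where the nginx build supports it) in ssl_protocols.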