
使用openresty自动生成letsencrypt证书

OpenResty 支持 Lua 插件。最近看到一个第三方的 auto ssl 实现，于是做了个 Docker image，方便使用。

  • nginx.conf
# user  nobody;
# One worker is fine for a small single-purpose container; raise it for
# multi-core hosts.
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    # Maximum simultaneous connections a single worker will accept.
    worker_connections  1024;
}

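http {

    include       mime.types;
    default_type  application/octet-stream;

    # Scratch directories for buffered bodies; they must be writable by the
    # worker processes.
    client_body_temp_path /var/run/openresty/nginx-client-body;
    proxy_temp_path       /var/run/openresty/nginx-proxy;
    fastcgi_temp_path     /var/run/openresty/nginx-fastcgi;
    uwsgi_temp_path       /var/run/openresty/nginx-uwsgi;
    scgi_temp_path        /var/run/openresty/nginx-scgi;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    gzip  on;

    # Shared memory for lua-resty-auto-ssl. "auto_ssl" caches certificate
    # data (the library's docs put 1MB at roughly 100 domains — size it for
    # the number of hostnames you expect to serve). "auto_ssl_settings" holds
    # internal state such as the secret used by the hook server on port 8999;
    # keep it as is.
    lua_shared_dict auto_ssl 1m;
    lua_shared_dict auto_ssl_settings 64k;

    # A DNS resolver must be defined for OCSP stapling to function.
    #
    # This example uses Google's DNS server. You may want to use your system's
    # default DNS servers, which can be found in /etc/resolv.conf. If your network
    # is not IPv6 compatible, you may wish to disable IPv6 results by using the
    # "ipv6=off" flag (like "resolver 8.8.8.8 ipv6=off").
    resolver 8.8.8.8;

    # Initial setup tasks (runs once in the master process when the
    # configuration is loaded).
    init_by_lua_block {
        auto_ssl = (require "resty.auto-ssl").new()

        -- Decides which SNI hostnames may trigger certificate issuance.
        -- Returning true for every domain means ANY hostname that resolves
        -- to this server — including ones you do not own — gets a
        -- Let's Encrypt certificate requested on its first TLS handshake.
        -- That can exhaust the ACME rate limits, fill the auto_ssl shared
        -- dict and grow the storage volume. Restrict it to the hostnames you
        -- actually serve, e.g. (example values):
        --   local allowed = { ["example.com"] = true, ["www.example.com"] = true }
        --   return allowed[domain] == true
        auto_ssl:set("allow_domain", function(domain)
            return true
        end)

        -- Optional: store certificates in Redis instead of the default file
        -- storage (the file storage lives under /etc/resty-auto-ssl, the
        -- directory the run command mounts as a volume).
        -- auto_ssl:set("storage_adapter", "resty.auto-ssl.storage_adapters.redis")
        -- auto_ssl:set("redis", {
        --     host = "REDIS_HOST"
        -- })
        auto_ssl:init()
    }

    # Per-worker initialisation (renewal timers etc.).
    init_worker_by_lua_block {
        auto_ssl:init_worker()
    }

    # Plain-HTTP listener: answers ACME HTTP-01 challenges and redirects
    # everything else to HTTPS.
    server {
        listen 80;
        server_name  _ ;

        # Endpoint used for performing domain verification with Let's Encrypt.
        # It must stay reachable over plain HTTP on port 80, so it is
        # deliberately excluded from the redirect below.
        location  /.well-known/acme-challenge/ {
            content_by_lua_block {
                auto_ssl:challenge_server()
            }
        }
        location / {
            return 301 https://$host$request_uri;
        }
    }

    # Internal hook server used by the library's certificate tasks. It is
    # bound to loopback only and must never be published outside the
    # container.
    server {
        listen 127.0.0.1:8999;

        # Increase the body buffer size, to ensure the internal POSTs can always
        # parse the full POST contents into memory.
        client_body_buffer_size 128k;
        client_max_body_size 128k;

        location / {
            content_by_lua_block {
                auto_ssl:hook_server()
            }
        }
    }

    # HTTPS listener: the certificate is chosen (or issued) per SNI hostname.
    server {
        listen       443 ssl;
        server_name  _;

        # Dynamic handler for issuing or returning certs for SNI domains.
        ssl_certificate_by_lua_block {
            auto_ssl:ssl_certificate()
        }

        # nginx still needs a static certificate to start. This self-signed
        # placeholder (generated by gen_ssl.sh) is what clients without SNI,
        # or whose hostname allow_domain rejects, typically get.
        ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
        ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;

        # Offer TLS 1.2+ only; nginx of this vintage otherwise also enables
        # the deprecated TLS 1.0/1.1 by default.
        ssl_protocols TLSv1.2 TLSv1.3;

        location / {
            root   html;
            index  index.html index.htm;
        }
    }

    include /etc/nginx/conf.d/*.conf;
}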
  • gen_ssl.sh

# Generates the self-signed fallback certificate that nginx's static
# ssl_certificate directive needs in order to start. Real per-domain
# certificates are fetched by lua-resty-auto-ssl at handshake time; the
# deliberately bogus CN is only ever shown to clients without SNI (or whose
# hostname is not allowed).
fallback_key=/etc/ssl/resty-auto-ssl-fallback.key
fallback_crt=/etc/ssl/resty-auto-ssl-fallback.crt

openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -subj '/CN=sni-support-required-for-valid-ssl' \
    -keyout "$fallback_key" \
    -out "$fallback_crt"
  • Dockerfile

# "fat" variant of the OpenResty image: ships luarocks, needed below.
FROM openresty/openresty:1.19.3.2-2-alpine-fat

# nginx configuration and the fallback-certificate generator from the build context.
COPY config/nginx.conf /usr/local/openresty/nginx/conf/nginx.conf
COPY config/gen_ssl.sh /bin/gen_ssl.sh

# Shell tooling; presumably the dependencies of the library's bundled ACME
# client (verify against the lua-resty-auto-ssl docs).
RUN apk add --no-cache bash curl diffutils grep openssl sed

# NOTE(review): the luarocks install is unpinned, so a rebuild may pull a
# different library version; pin it once a known-good release is chosen.
# NOTE(review): gen_ssl.sh runs at build time, so the fallback private key is
# baked into the image layer and shared by every container started from it.
# It is only the self-signed placeholder, but generate it at start-up instead
# if the image is going to be published.
RUN luarocks install lua-resty-auto-ssl \
    && sh /bin/gen_ssl.sh
  • Build
# Build the image from the current directory and tag it "openresty-ssl".
docker build --tag openresty-ssl .
  • Run
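# Publish only 80 (ACME challenges + redirect) and 443; the 8999 hook server
# stays loopback-only inside the container. The mounted directory receives
# every issued certificate and private key, so restrict its permissions on
# the host. $(pwd) is quoted so a working directory containing spaces does
# not split the -v argument.
docker run -p 80:80 -p 443:443 -v "$(pwd)/auto_ssl:/etc/resty-auto-ssl" --name openresty -d openresty-ssl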

  • Github

https://github.com/yufeikang/openresty-docker