配置Nginx回复http://my-domain.com/.well-known/acme-challenge/test.html
Configure Nginx to reply to http://my-domain.com/.well-known/acme-challenge/test.html
有很多关于这个问题的帖子,但 none 解决了我的问题。
我正在使用 jwilder/nginx-proxy 作为反向代理并使用 jrcs/letsencrypt-nginx-proxy-companion 生成证书。
由于某种原因,认证过程在某个时候停止了。这似乎是因为 /.well-known/acme-challenge/somefilename 正在返回 404。
据我所知这个配置:
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
应该允许浏览例如/usr/share/nginx/html/.well-known/acme-challenge/test.html,它存在于两个 docker 图片中,应该可以在 https://headphones.my-domain.com/.well-known/acme-challenge/test.html.
浏览
当我尝试查看这些 url 时,我得到了 404:
$ curl http://phpmyadmin.my-domain.com.work/.well-known/acme-challenge/test.html
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.17.6</center>
</body>
</html>
谁能从我的配置文件中看出为什么这个文件不能浏览?
这是我的完整 /etc/nginx/nginx.conf(使用 nginx -T 生成):
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
daemon off;
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
font/woff woff;
font/woff2 woff2;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.oasis.opendocument.graphics odg;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.text odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
docx;
application/vnd.wap.wmlc wmlc;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/conf.d/default.conf:
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
default $http_x_forwarded_proto;
'' $scheme;
}
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
default $http_x_forwarded_port;
'' $server_port;
}
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
# Connection header that may have been passed to this server
map $http_upgrade $proxy_connection {
default upgrade;
'' close;
}
# Apply fix for very long server names
server_names_hash_bucket_size 128;
# Default dhparam
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
# Set appropriate X-Forwarded-Ssl header
map $scheme $proxy_x_forwarded_ssl {
default off;
https on;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
access_log off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
resolver 192.168.1.1;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
server {
server_name _; # This is just an invalid value which will never trigger on a real hostname.
listen 80;
access_log /var/log/nginx/access.log vhost;
return 503;
}
server {
server_name _; # This is just an invalid value which will never trigger on a real hostname.
listen 443 ssl http2;
access_log /var/log/nginx/access.log vhost;
return 503;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/default.crt;
ssl_certificate_key /etc/nginx/certs/default.key;
}
# emby.my-domain.com
upstream emby.my-domain.com {
## Can be connected with "bridge" network
# emby
server 172.17.0.3:8096;
}
server {
server_name emby.my-domain.com;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
root /usr/share/nginx/html;
# Do not HTTPS redirect Let'sEncrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
allow all;
root /usr/share/nginx/html;
default_type "text/plain";
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name emby.my-domain.com;
listen 443 ssl http2 ;
access_log /var/log/nginx/access.log vhost;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/emby.my-domain.com.crt;
ssl_certificate_key /etc/nginx/certs/emby.my-domain.com.key;
ssl_dhparam /etc/nginx/certs/emby.my-domain.com.dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/emby.my-domain.com.chain.pem;
add_header Strict-Transport-Security "max-age=31536000" always;
include /etc/nginx/vhost.d/emby.my-domain.com;
location / {
proxy_pass http://emby.my-domain.com;
}
}
# headphones.my-domain.com
upstream headphones.my-domain.com {
## Can be connected with "bridge" network
# headphones
server 172.17.0.9:8181;
}
server {
server_name headphones.my-domain.com;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
root /usr/share/nginx/html;
# Do not HTTPS redirect Let'sEncrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
allow all;
root /usr/share/nginx/html;
default_type "text/plain";
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name headphones.my-domain.com;
listen 443 ssl http2 ;
access_log /var/log/nginx/access.log vhost;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/headphones.my-domain.com.crt;
ssl_certificate_key /etc/nginx/certs/headphones.my-domain.com.key;
ssl_dhparam /etc/nginx/certs/headphones.my-domain.com.dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/headphones.my-domain.com.chain.pem;
add_header Strict-Transport-Security "max-age=31536000" always;
include /etc/nginx/vhost.d/default;
location / {
proxy_pass http://headphones.my-domain.com;
}
}
# homeassistant.my-domain.com
upstream homeassistant.my-domain.com {
## Can be connected with "bridge" network
# homeassistant
server 172.17.0.15:8123;
}
server {
server_name homeassistant.my-domain.com;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
root /usr/share/nginx/html;
# Do not HTTPS redirect Let'sEncrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
allow all;
root /usr/share/nginx/html;
default_type "text/plain";
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name homeassistant.my-domain.com;
listen 443 ssl http2 ;
access_log /var/log/nginx/access.log vhost;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/homeassistant.my-domain.com.crt;
ssl_certificate_key /etc/nginx/certs/homeassistant.my-domain.com.key;
ssl_dhparam /etc/nginx/certs/homeassistant.my-domain.com.dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/homeassistant.my-domain.com.chain.pem;
add_header Strict-Transport-Security "max-age=31536000" always;
include /etc/nginx/vhost.d/default;
location / {
proxy_pass http://homeassistant.my-domain.com;
}
}
# hydra.my-domain.com
upstream hydra.my-domain.com {
## Can be connected with "bridge" network
# hydra
server 172.17.0.6:5075;
}
server {
server_name hydra.my-domain.com;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
root /usr/share/nginx/html;
# Do not HTTPS redirect Let'sEncrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
allow all;
root /usr/share/nginx/html;
default_type "text/plain";
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name hydra.my-domain.com;
listen 443 ssl http2 ;
access_log /var/log/nginx/access.log vhost;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/hydra.my-domain.com.crt;
ssl_certificate_key /etc/nginx/certs/hydra.my-domain.com.key;
ssl_dhparam /etc/nginx/certs/hydra.my-domain.com.dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/hydra.my-domain.com.chain.pem;
add_header Strict-Transport-Security "max-age=31536000" always;
include /etc/nginx/vhost.d/default;
location / {
proxy_pass http://hydra.my-domain.com;
}
}
# nextcloud.my-domain.com
upstream nextcloud.my-domain.com {
## Can be connected with "bridge" network
# nextcloud
server 172.17.0.17:80;
}
server {
server_name nextcloud.my-domain.com;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
root /usr/share/nginx/html;
# Do not HTTPS redirect Let'sEncrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
allow all;
root /usr/share/nginx/html;
default_type "text/plain";
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name nextcloud.my-domain.com;
listen 443 ssl http2 ;
access_log /var/log/nginx/access.log vhost;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/nextcloud.my-domain.com.crt;
ssl_certificate_key /etc/nginx/certs/nextcloud.my-domain.com.key;
ssl_dhparam /etc/nginx/certs/nextcloud.my-domain.com.dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/nextcloud.my-domain.com.chain.pem;
add_header Strict-Transport-Security "max-age=31536000" always;
include /etc/nginx/vhost.d/nextcloud.my-domain.com;
location / {
proxy_pass http://nextcloud.my-domain.com;
}
}
# nzbget.my-domain.com
upstream nzbget.my-domain.com {
## Can be connected with "bridge" network
# nzbget
server 172.17.0.4:6789;
}
server {
server_name nzbget.my-domain.com;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
root /usr/share/nginx/html;
# Do not HTTPS redirect Let'sEncrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
allow all;
root /usr/share/nginx/html;
default_type "text/plain";
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name nzbget.my-domain.com;
listen 443 ssl http2 ;
access_log /var/log/nginx/access.log vhost;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/nzbget.my-domain.com.crt;
ssl_certificate_key /etc/nginx/certs/nzbget.my-domain.com.key;
ssl_dhparam /etc/nginx/certs/nzbget.my-domain.com.dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/nzbget.my-domain.com.chain.pem;
add_header Strict-Transport-Security "max-age=31536000" always;
include /etc/nginx/vhost.d/nzbget.my-domain.com;
location / {
proxy_pass http://nzbget.my-domain.com;
}
}
# organizr.my-domain.com
upstream organizr.my-domain.com {
## Can be connected with "bridge" network
# organizr
server 172.17.0.10:80;
}
server {
server_name organizr.my-domain.com;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
root /usr/share/nginx/html;
# Do not HTTPS redirect Let'sEncrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
allow all;
root /usr/share/nginx/html;
default_type "text/plain";
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name organizr.my-domain.com;
listen 443 ssl http2 ;
access_log /var/log/nginx/access.log vhost;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/organizr.my-domain.com.crt;
ssl_certificate_key /etc/nginx/certs/organizr.my-domain.com.key;
ssl_dhparam /etc/nginx/certs/organizr.my-domain.com.dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/organizr.my-domain.com.chain.pem;
add_header Strict-Transport-Security "max-age=31536000" always;
include /etc/nginx/vhost.d/default;
location / {
proxy_pass http://organizr.my-domain.com;
}
}
# phpmyadmin.my-domain.com
upstream phpmyadmin.my-domain.com {
## Can be connected with "bridge" network
# phpmyadmin
server 172.17.0.16:80;
}
server {
server_name phpmyadmin.my-domain.com;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
root /usr/share/nginx/html;
# Do not HTTPS redirect Let'sEncrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
allow all;
root /usr/share/nginx/html;
default_type "text/plain";
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name phpmyadmin.my-domain.com;
listen 443 ssl http2 ;
access_log /var/log/nginx/access.log vhost;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/phpmyadmin.my-domain.com.crt;
ssl_certificate_key /etc/nginx/certs/phpmyadmin.my-domain.com.key;
ssl_dhparam /etc/nginx/certs/phpmyadmin.my-domain.com.dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/phpmyadmin.my-domain.com.chain.pem;
add_header Strict-Transport-Security "max-age=31536000" always;
include /etc/nginx/vhost.d/default;
location / {
proxy_pass http://phpmyadmin.my-domain.com;
}
}
# portainer.my-domain.com
upstream portainer.my-domain.com {
## Can be connected with "bridge" network
# portainer
server 172.17.0.2:9000;
}
server {
server_name portainer.my-domain.com;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
root /usr/share/nginx/html;
# Do not HTTPS redirect Let'sEncrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
allow all;
root /usr/share/nginx/html;
default_type "text/plain";
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name portainer.my-domain.com;
listen 443 ssl http2 ;
access_log /var/log/nginx/access.log vhost;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/portainer.my-domain.com.crt;
ssl_certificate_key /etc/nginx/certs/portainer.my-domain.com.key;
ssl_dhparam /etc/nginx/certs/portainer.my-domain.com.dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/portainer.my-domain.com.chain.pem;
add_header Strict-Transport-Security "max-age=31536000" always;
include /etc/nginx/vhost.d/default;
location / {
proxy_pass http://portainer.my-domain.com;
}
}
# radarr.my-domain.com
upstream radarr.my-domain.com {
## Can be connected with "bridge" network
# radarr
server 172.17.0.11:7878;
}
server {
server_name radarr.my-domain.com;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
root /usr/share/nginx/html;
# Do not HTTPS redirect Let'sEncrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
allow all;
root /usr/share/nginx/html;
default_type "text/plain";
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name radarr.my-domain.com;
listen 443 ssl http2 ;
access_log /var/log/nginx/access.log vhost;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/radarr.my-domain.com.crt;
ssl_certificate_key /etc/nginx/certs/radarr.my-domain.com.key;
ssl_dhparam /etc/nginx/certs/radarr.my-domain.com.dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/radarr.my-domain.com.chain.pem;
add_header Strict-Transport-Security "max-age=31536000" always;
include /etc/nginx/vhost.d/default;
location / {
proxy_pass http://radarr.my-domain.com;
}
}
# sonarr.my-domain.com
upstream sonarr.my-domain.com {
## Can be connected with "bridge" network
# sonarr
server 172.17.0.8:8989;
}
server {
server_name sonarr.my-domain.com;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
root /usr/share/nginx/html;
# Do not HTTPS redirect Let'sEncrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
allow all;
root /usr/share/nginx/html;
default_type "text/plain";
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name sonarr.my-domain.com;
listen 443 ssl http2 ;
access_log /var/log/nginx/access.log vhost;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/sonarr.my-domain.com.crt;
ssl_certificate_key /etc/nginx/certs/sonarr.my-domain.com.key;
ssl_dhparam /etc/nginx/certs/sonarr.my-domain.com.dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/sonarr.my-domain.com.chain.pem;
add_header Strict-Transport-Security "max-age=31536000" always;
include /etc/nginx/vhost.d/default;
location / {
proxy_pass http://sonarr.my-domain.com;
}
}
# configuration file /etc/nginx/vhost.d/emby.my-domain.com:
client_max_body_size 50M;
# configuration file /etc/nginx/vhost.d/default:
## Start of configuration add by letsencrypt container
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
## End of configuration add by letsencrypt container
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
# configuration file /etc/nginx/vhost.d/nextcloud.my-domain.com:
rewrite ^/.well-known/caldav /remote.php/dav redirect;
rewrite ^/.well-known/carddav /remote.php/dav redirect;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
# configuration file /etc/nginx/vhost.d/nzbget.my-domain.com:
client_max_body_size 50M;
以防万一其他人遇到这个问题我已经通过删除容器、配置文件和图像然后重新创建它们来修复它...以下是那些与我的设置类似的过程:
// Stop and remove the containers and images
docker stop nginx-proxy-letsencrypt
docker stop reverseproxy
docker rm nginx-proxy-letsencrypt
docker rm reverseproxy
docker rmi jwilder/nginx-proxy
docker rmi jrcs/letsencrypt-nginx-proxy-companion
# Backup config files
mv /mnt/data/config/reverseproxy /mnt/data/config/reverseproxy.old
# Create and start the reverse proxy
docker run -d \
--name=reverseproxy \
-e DEFAULT_HOST=pihole.my-domain.com \
-p 80:80 \
-p 443:443 \
-v /mnt/data/config/reverseproxy/certs:/etc/nginx/certs \
-v /mnt/data/config/reverseproxy/vhost.d:/etc/nginx/vhost.d \
-v /mnt/data/config/reverseproxy/html:/usr/share/nginx/html \
-v /mnt/data/config/reverseproxy/conf.d:/etc/nginx/conf.d \
-v /mnt/data/config/reverseproxy/dhparam:/etc/nginx/dhparam \
-v /var/run/docker.sock:/tmp/docker.sock:ro \
--log-opt max-size=50m \
--restart=unless-stopped \
jwilder/nginx-proxy
docker start reverseproxy
# Create and start the reverse proxy companion
docker run -d \
--name nginx-proxy-letsencrypt \
--volumes-from reverseproxy \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
--restart=unless-stopped \
jrcs/letsencrypt-nginx-proxy-companion
docker start nginx-proxy-letsencrypt
docker logs -f nginx-proxy-letsencrypt
现在等到所有相关证书都创建完毕。按 ctrl+c 退出日志输出就可以了。
有很多关于这个问题的帖子,但 none 解决了我的问题。
我正在使用 jwilder/nginx-proxy 作为反向代理并使用 jrcs/letsencrypt-nginx-proxy-companion 生成证书。
由于某种原因,认证过程在某个时候停止了。这似乎是因为 /.well-known/acme-challenge/somefilename 正在返回 404。
据我所知这个配置:
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
应该允许浏览例如/usr/share/nginx/html/.well-known/acme-challenge/test.html,它存在于两个 docker 图片中,应该可以在 https://headphones.my-domain.com/.well-known/acme-challenge/test.html.
当我尝试查看这些 url 时,我得到了 404:
$ curl http://phpmyadmin.my-domain.com.work/.well-known/acme-challenge/test.html
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.17.6</center>
</body>
</html>
谁能从我的配置文件中看出为什么这个文件不能浏览?
这是我的完整 /etc/nginx/nginx.conf(使用 nginx -T 生成):
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
daemon off;
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
font/woff woff;
font/woff2 woff2;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.oasis.opendocument.graphics odg;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.text odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
docx;
application/vnd.wap.wmlc wmlc;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/conf.d/default.conf:
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
default $http_x_forwarded_proto;
'' $scheme;
}
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
default $http_x_forwarded_port;
'' $server_port;
}
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
# Connection header that may have been passed to this server
map $http_upgrade $proxy_connection {
default upgrade;
'' close;
}
# Apply fix for very long server names
server_names_hash_bucket_size 128;
# Default dhparam
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
# Set appropriate X-Forwarded-Ssl header
map $scheme $proxy_x_forwarded_ssl {
default off;
https on;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
access_log off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
resolver 192.168.1.1;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
server {
server_name _; # This is just an invalid value which will never trigger on a real hostname.
listen 80;
access_log /var/log/nginx/access.log vhost;
return 503;
}
server {
server_name _; # This is just an invalid value which will never trigger on a real hostname.
listen 443 ssl http2;
access_log /var/log/nginx/access.log vhost;
return 503;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/default.crt;
ssl_certificate_key /etc/nginx/certs/default.key;
}
# emby.my-domain.com
upstream emby.my-domain.com {
## Can be connected with "bridge" network
# emby
server 172.17.0.3:8096;
}
server {
server_name emby.my-domain.com;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
root /usr/share/nginx/html;
# Do not HTTPS redirect Let'sEncrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
allow all;
root /usr/share/nginx/html;
default_type "text/plain";
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name emby.my-domain.com;
listen 443 ssl http2 ;
access_log /var/log/nginx/access.log vhost;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/emby.my-domain.com.crt;
ssl_certificate_key /etc/nginx/certs/emby.my-domain.com.key;
ssl_dhparam /etc/nginx/certs/emby.my-domain.com.dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/emby.my-domain.com.chain.pem;
add_header Strict-Transport-Security "max-age=31536000" always;
include /etc/nginx/vhost.d/emby.my-domain.com;
location / {
proxy_pass http://emby.my-domain.com;
}
}
# headphones.my-domain.com
upstream headphones.my-domain.com {
## Can be connected with "bridge" network
# headphones
server 172.17.0.9:8181;
}
server {
server_name headphones.my-domain.com;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
root /usr/share/nginx/html;
# Do not HTTPS redirect Let'sEncrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
allow all;
root /usr/share/nginx/html;
default_type "text/plain";
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name headphones.my-domain.com;
listen 443 ssl http2 ;
access_log /var/log/nginx/access.log vhost;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/headphones.my-domain.com.crt;
ssl_certificate_key /etc/nginx/certs/headphones.my-domain.com.key;
ssl_dhparam /etc/nginx/certs/headphones.my-domain.com.dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/headphones.my-domain.com.chain.pem;
add_header Strict-Transport-Security "max-age=31536000" always;
include /etc/nginx/vhost.d/default;
location / {
proxy_pass http://headphones.my-domain.com;
}
}
# homeassistant.my-domain.com
upstream homeassistant.my-domain.com {
## Can be connected with "bridge" network
# homeassistant
server 172.17.0.15:8123;
}
server {
server_name homeassistant.my-domain.com;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
root /usr/share/nginx/html;
# Do not HTTPS redirect Let'sEncrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
allow all;
root /usr/share/nginx/html;
default_type "text/plain";
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name homeassistant.my-domain.com;
listen 443 ssl http2 ;
access_log /var/log/nginx/access.log vhost;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/homeassistant.my-domain.com.crt;
ssl_certificate_key /etc/nginx/certs/homeassistant.my-domain.com.key;
ssl_dhparam /etc/nginx/certs/homeassistant.my-domain.com.dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/homeassistant.my-domain.com.chain.pem;
add_header Strict-Transport-Security "max-age=31536000" always;
include /etc/nginx/vhost.d/default;
location / {
proxy_pass http://homeassistant.my-domain.com;
}
}
# hydra.my-domain.com
upstream hydra.my-domain.com {
## Can be connected with "bridge" network
# hydra
server 172.17.0.6:5075;
}
server {
server_name hydra.my-domain.com;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
root /usr/share/nginx/html;
# Do not HTTPS redirect Let'sEncrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
allow all;
root /usr/share/nginx/html;
default_type "text/plain";
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name hydra.my-domain.com;
listen 443 ssl http2 ;
access_log /var/log/nginx/access.log vhost;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/hydra.my-domain.com.crt;
ssl_certificate_key /etc/nginx/certs/hydra.my-domain.com.key;
ssl_dhparam /etc/nginx/certs/hydra.my-domain.com.dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/hydra.my-domain.com.chain.pem;
add_header Strict-Transport-Security "max-age=31536000" always;
include /etc/nginx/vhost.d/default;
location / {
proxy_pass http://hydra.my-domain.com;
}
}
# nextcloud.my-domain.com
upstream nextcloud.my-domain.com {
## Can be connected with "bridge" network
# nextcloud
server 172.17.0.17:80;
}
server {
server_name nextcloud.my-domain.com;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
root /usr/share/nginx/html;
# Do not HTTPS redirect Let'sEncrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
allow all;
root /usr/share/nginx/html;
default_type "text/plain";
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name nextcloud.my-domain.com;
listen 443 ssl http2 ;
access_log /var/log/nginx/access.log vhost;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/nextcloud.my-domain.com.crt;
ssl_certificate_key /etc/nginx/certs/nextcloud.my-domain.com.key;
ssl_dhparam /etc/nginx/certs/nextcloud.my-domain.com.dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/nextcloud.my-domain.com.chain.pem;
add_header Strict-Transport-Security "max-age=31536000" always;
include /etc/nginx/vhost.d/nextcloud.my-domain.com;
location / {
proxy_pass http://nextcloud.my-domain.com;
}
}
# nzbget.my-domain.com
upstream nzbget.my-domain.com {
## Can be connected with "bridge" network
# nzbget
server 172.17.0.4:6789;
}
server {
server_name nzbget.my-domain.com;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
root /usr/share/nginx/html;
# Do not HTTPS redirect Let'sEncrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
allow all;
root /usr/share/nginx/html;
default_type "text/plain";
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name nzbget.my-domain.com;
listen 443 ssl http2 ;
access_log /var/log/nginx/access.log vhost;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/nzbget.my-domain.com.crt;
ssl_certificate_key /etc/nginx/certs/nzbget.my-domain.com.key;
ssl_dhparam /etc/nginx/certs/nzbget.my-domain.com.dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/nzbget.my-domain.com.chain.pem;
add_header Strict-Transport-Security "max-age=31536000" always;
include /etc/nginx/vhost.d/nzbget.my-domain.com;
location / {
proxy_pass http://nzbget.my-domain.com;
}
}
# organizr.my-domain.com
upstream organizr.my-domain.com {
## Can be connected with "bridge" network
# organizr
server 172.17.0.10:80;
}
server {
server_name organizr.my-domain.com;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
root /usr/share/nginx/html;
# Do not HTTPS redirect Let'sEncrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
allow all;
root /usr/share/nginx/html;
default_type "text/plain";
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name organizr.my-domain.com;
listen 443 ssl http2 ;
access_log /var/log/nginx/access.log vhost;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/organizr.my-domain.com.crt;
ssl_certificate_key /etc/nginx/certs/organizr.my-domain.com.key;
ssl_dhparam /etc/nginx/certs/organizr.my-domain.com.dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/organizr.my-domain.com.chain.pem;
add_header Strict-Transport-Security "max-age=31536000" always;
include /etc/nginx/vhost.d/default;
location / {
proxy_pass http://organizr.my-domain.com;
}
}
# phpmyadmin.my-domain.com
upstream phpmyadmin.my-domain.com {
## Can be connected with "bridge" network
# phpmyadmin
server 172.17.0.16:80;
}
server {
server_name phpmyadmin.my-domain.com;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
root /usr/share/nginx/html;
# Do not HTTPS redirect Let'sEncrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
allow all;
root /usr/share/nginx/html;
default_type "text/plain";
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name phpmyadmin.my-domain.com;
listen 443 ssl http2 ;
access_log /var/log/nginx/access.log vhost;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/phpmyadmin.my-domain.com.crt;
ssl_certificate_key /etc/nginx/certs/phpmyadmin.my-domain.com.key;
ssl_dhparam /etc/nginx/certs/phpmyadmin.my-domain.com.dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/phpmyadmin.my-domain.com.chain.pem;
add_header Strict-Transport-Security "max-age=31536000" always;
include /etc/nginx/vhost.d/default;
location / {
proxy_pass http://phpmyadmin.my-domain.com;
}
}
# portainer.my-domain.com
upstream portainer.my-domain.com {
## Can be connected with "bridge" network
# portainer
server 172.17.0.2:9000;
}
server {
server_name portainer.my-domain.com;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
root /usr/share/nginx/html;
# Do not HTTPS redirect Let'sEncrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
allow all;
root /usr/share/nginx/html;
default_type "text/plain";
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name portainer.my-domain.com;
listen 443 ssl http2 ;
access_log /var/log/nginx/access.log vhost;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/portainer.my-domain.com.crt;
ssl_certificate_key /etc/nginx/certs/portainer.my-domain.com.key;
ssl_dhparam /etc/nginx/certs/portainer.my-domain.com.dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/portainer.my-domain.com.chain.pem;
add_header Strict-Transport-Security "max-age=31536000" always;
include /etc/nginx/vhost.d/default;
location / {
proxy_pass http://portainer.my-domain.com;
}
}
# radarr.my-domain.com
upstream radarr.my-domain.com {
## Can be connected with "bridge" network
# radarr
server 172.17.0.11:7878;
}
server {
server_name radarr.my-domain.com;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
root /usr/share/nginx/html;
# Do not HTTPS redirect Let'sEncrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
allow all;
root /usr/share/nginx/html;
default_type "text/plain";
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name radarr.my-domain.com;
listen 443 ssl http2 ;
access_log /var/log/nginx/access.log vhost;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/radarr.my-domain.com.crt;
ssl_certificate_key /etc/nginx/certs/radarr.my-domain.com.key;
ssl_dhparam /etc/nginx/certs/radarr.my-domain.com.dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/radarr.my-domain.com.chain.pem;
add_header Strict-Transport-Security "max-age=31536000" always;
include /etc/nginx/vhost.d/default;
location / {
proxy_pass http://radarr.my-domain.com;
}
}
# sonarr.my-domain.com
upstream sonarr.my-domain.com {
## Can be connected with "bridge" network
# sonarr
server 172.17.0.8:8989;
}
server {
server_name sonarr.my-domain.com;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
root /usr/share/nginx/html;
# Do not HTTPS redirect Let'sEncrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
allow all;
root /usr/share/nginx/html;
default_type "text/plain";
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name sonarr.my-domain.com;
listen 443 ssl http2 ;
access_log /var/log/nginx/access.log vhost;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/sonarr.my-domain.com.crt;
ssl_certificate_key /etc/nginx/certs/sonarr.my-domain.com.key;
ssl_dhparam /etc/nginx/certs/sonarr.my-domain.com.dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/sonarr.my-domain.com.chain.pem;
add_header Strict-Transport-Security "max-age=31536000" always;
include /etc/nginx/vhost.d/default;
location / {
proxy_pass http://sonarr.my-domain.com;
}
}
# configuration file /etc/nginx/vhost.d/emby.my-domain.com:
client_max_body_size 50M;
# configuration file /etc/nginx/vhost.d/default:
## Start of configuration add by letsencrypt container
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
## End of configuration add by letsencrypt container
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
# configuration file /etc/nginx/vhost.d/nextcloud.my-domain.com:
rewrite ^/.well-known/caldav /remote.php/dav redirect;
rewrite ^/.well-known/carddav /remote.php/dav redirect;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
# configuration file /etc/nginx/vhost.d/nzbget.my-domain.com:
client_max_body_size 50M;
以防万一其他人遇到这个问题我已经通过删除容器、配置文件和图像然后重新创建它们来修复它...以下是那些与我的设置类似的过程:
// Stop and remove the containers and images
docker stop nginx-proxy-letsencrypt
docker stop reverseproxy
docker rm nginx-proxy-letsencrypt
docker rm reverseproxy
docker rmi jwilder/nginx-proxy
docker rmi jrcs/letsencrypt-nginx-proxy-companion
# Backup config files
mv /mnt/data/config/reverseproxy /mnt/data/config/reverseproxy.old
# Create and start the reverse proxy
docker run -d \
--name=reverseproxy \
-e DEFAULT_HOST=pihole.my-domain.com \
-p 80:80 \
-p 443:443 \
-v /mnt/data/config/reverseproxy/certs:/etc/nginx/certs \
-v /mnt/data/config/reverseproxy/vhost.d:/etc/nginx/vhost.d \
-v /mnt/data/config/reverseproxy/html:/usr/share/nginx/html \
-v /mnt/data/config/reverseproxy/conf.d:/etc/nginx/conf.d \
-v /mnt/data/config/reverseproxy/dhparam:/etc/nginx/dhparam \
-v /var/run/docker.sock:/tmp/docker.sock:ro \
--log-opt max-size=50m \
--restart=unless-stopped \
jwilder/nginx-proxy
docker start reverseproxy
# Create and start the reverse proxy companion
docker run -d \
--name nginx-proxy-letsencrypt \
--volumes-from reverseproxy \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
--restart=unless-stopped \
jrcs/letsencrypt-nginx-proxy-companion
docker start nginx-proxy-letsencrypt
docker logs -f nginx-proxy-letsencrypt
现在等到所有相关证书都创建完毕。按 ctrl+c 退出日志输出就可以了。