Update slides

parent 312504f4
Pipeline #561 passed with stage
in 1 minute and 23 seconds
......@@ -66,7 +66,7 @@ Similar, but instead of the method we get a status code
## Demo
```
telnet poul.org 80
telnet poul.org 80 # telnet or netcat
Trying 176.31.102.216...
Connected to poul.org.
Escape character is '^]'.
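Review bot: the added `# telnet or netcat` comment on the `telnet poul.org 80` line names netcat without showing its invocation, so a reader who has only `nc` installed has nothing to copy; either add a second line such as `nc poul.org 80` or drop the comment. The fence is also untagged while the other shell blocks in the deck use ```bash; tagging it keeps the highlighting consistent.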
......@@ -173,11 +173,11 @@ curl -L poul.org
- However, we will use Docker/Podman
```bash
docker run -it -p 80:80 -p 443:443 nginx:1-alpine
podman run -it -p 80:80 -p 443:443 nginx:1-alpine
docker run -p 80:80 -p 443:443 nginx
podman run -p 80:80 -p 443:443 nginx
```
<small>We'll use the Alpine image since it's smaller</small>
<small>We're using the Debian-based image, we'll see later why</small>
----
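Review bot: `docker run -p 80:80 -p 443:443 nginx` now references the image without a tag, so it resolves to whatever `latest` is on the day the demo is run, which undermines the point of switching images deliberately; pin it (for example `nginx:1`) so the slide stays reproducible and matches the Debian-based image the `<small>` note promises. Dropping `-it` is fine for a foreground demo, but since the old line had it, say in the notes how the audience stops the container (Ctrl-C still works because the CLI proxies SIGINT).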
......@@ -189,8 +189,8 @@ to perform some tests on nginx.
That is usually a matter of running:
```
docker/podman ps # get the container ID
docker/podman run -it <container ID> <our command>
docker ps # get the container ID
docker exec -it <container ID> <our command>
```
<small>
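Review bot: replacing `docker/podman run -it <container ID>` with `docker exec -it <container ID>` is the right fix, since `run` would start a fresh container instead of entering the running one; however the slide two hunks earlier still says "we will use Docker/Podman" while this hunk silently drops the podman spelling. Either keep the `docker/podman` form here too or add a line stating that the same `ps`/`exec` commands work unchanged with `podman`, otherwise the two slides disagree.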
......@@ -204,14 +204,11 @@ docker/podman run -it <container ID> <our command>
## Commands
- Check if the config is valid without loading it (**very useful**)
```
nginx -t
```
The commands need to be run inside the container.
- List the installed modules
- Check if the config is valid without loading it
```
nginx -V
nginx -t
```
- Reload the configuration (without restarting the container)
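Review bot: after the reorder, the bullets "List the installed modules" and "Check if the config is valid" share a single fence containing `nginx -V` and `nginx -t`, so it is no longer obvious which command belongs to which bullet; keep one fence per bullet as the old slide did, or annotate each line (`nginx -V  # modules`, `nginx -t  # validate config`). The `(**very useful**)` emphasis on the config check was also dropped; given that a broken config takes the site down on reload, that emphasis was worth keeping.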
......@@ -304,11 +301,11 @@ How do we override the container's config?
With a **volume**!
```bash
docker/podman run \
docker run \
-v /path/to/nginx.conf:/etc/nginx/nginx.conf:ro \
-v /path/to/nginx/conf.d:/etc/nginx/conf.d:ro \
-p 80:80 -p 443:443 \
nginx:1-alpine
nginx
```
<small>Note that we made sure everything is mounted read-only</small>
......@@ -412,9 +409,9 @@ But today we have a simpler (and free) option...
Certification Authority
- Free (as in "free beer")
- Free (as in freedom)
- Open source
- Free (as in "free beer")
- Automatic
----
......@@ -434,26 +431,85 @@ How it works:
- Let's install `certbot`
```
# Ubuntu only
sudo add-apt-repository ppa:certbot/certbot
# Ubuntu and Debian
sudo apt update
sudo apt install cerbot python-certbot-nginx
```
...but don't do it yet
----
## Let's Encrypt
- Make sure **server_name** is specified in the configs
- Since we're using Nginx in Docker, we need to **add it to the container**
- In order to use `certbot`'s Nginx configurator, we want to run it in the same container
It's quite easy, let's see how to do it.
----
## Let's Encrypt
We'll extend the (Debian-based) Nginx image and add Certbot:
<pre>File: Dockerfile</pre>
```docker
FROM nginx
RUN apt-get update && \
apt-get install -y certbot python-certbot-nginx
```
----
## Let's Encrypt
Once that's done, we can this image instead:
```bash
docker build -t nginx-letsencrypt .
docker run \
-v /path/to/nginx.conf:/etc/nginx/nginx.conf:ro \
-v /path/to/nginx/conf.d:/etc/nginx/conf.d:ro \
-v /path/to/letsencrypt_certs:/etc/letsencrypt \
-p 80:80 -p 443:443 \
--name nginx-container --detach \
nginx-letsencrypt
```
----
## Let's Encrypt
- Now the Nginx container is running in the background.
- We can use `docker exec` to get a bash shell inside the active container
```bash
docker exec -it nginx-container bash
# To stop it
docker stop nginx-container && docker rm nginx-container
```
----
## Let's Encrypt
- First, make sure **server_name** is specified in the VirtualHosts
```
server {
listen 80 default_server;
listen [::]:80 default_server;
root /var/www/html;
###########
server_name example.com www.example.com;
###########
}
```
```
sudo nginx -t && sudo nginx -s reload
nginx -t && nginx -s reload
```
----
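Review bot: the new run command still mounts `/path/to/nginx/conf.d:/etc/nginx/conf.d:ro` and `nginx.conf` read-only, but `certbot --nginx` (next hunk) works by rewriting the matching `server` block to add the `listen 443 ssl` and certificate directives, so inside this container it will fail on the read-only mount; either drop `:ro` from the conf.d volume for the certbot run or use `certbot certonly` and add the SSL directives to the mounted config by hand. Two smaller points in the same hunk: `sudo apt install cerbot python-certbot-nginx` still has the `cerbot` typo (and the `python-` package names should be verified against the distro release used in the demo, as the Dockerfile installs the same names), and "Once that's done, we can this image instead" is missing "use".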
......@@ -462,12 +518,12 @@ sudo nginx -t && sudo nginx -s reload
- Obtain and install the certificates
```
sudo certbot --nginx -d example.com -d www.example.com
certbot --nginx
```
- You will be asked to agree to the ToS and provide an email address
```
```txt
Congratulations! You have successfully enabled https://example.com
and https://www.example.com
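Review bot: dropping `-d example.com -d www.example.com` makes `certbot --nginx` pick domains interactively from the `server_name` directives, which is fine for a live demo but not reproducible; mention on the slide that `-d` selects them explicitly, and that `--agree-tos` plus an email flag avoid the prompts the next bullet describes. Removing `sudo` is correct here since the command now runs as root inside the container, but the slide should say so, as viewers following the native install path still need it.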
......@@ -478,7 +534,7 @@ Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com//privkey.pem
Your cert will expire on 2017-12-12.
Your cert will expire on 2020-05-10.
```
----
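Review bot: the refreshed output keeps the doubled slash in `/etc/letsencrypt/live/example.com//privkey.pem`; the real path is `.../live/example.com/privkey.pem`, and the typo is worth fixing since people copy these paths into `ssl_certificate_key` lines.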
......@@ -497,25 +553,21 @@ We'll see how in the demo.
- Renewing them manually might be inconvenient
- We can renew them automatically with `certbot`
```
certbot renew
```
----
## Automatic renewal
Test first to see if everything is good:
```
sudo certbot renew
```
If it works, enable the systemd timer:
When running natively, there's a systemd timer that will periodically ensure the certificates are up to date.
```
sudo systemctl enable --now certbot.timer
```
---
# Demo
We'll see later how to do it with our container.
---
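Review bot: this hunk removes the "Test first" step (`sudo certbot renew`) and leaves only the native systemd timer, but the deck's own setup runs certbot inside a container where there is no systemd, so the slide currently has no working renewal path; the promised "We'll see later how to do it with our container" needs to cover scheduling `docker exec nginx-container certbot renew` from the host (cron or a host timer) and reloading nginx after a renewal, for example with `--deploy-hook "nginx -s reload"`, otherwise the new certificate sits on disk while nginx keeps serving the old one. Keeping the dry-run check (`certbot renew --dry-run`) before enabling the timer was also useful and should not be dropped.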
......@@ -531,11 +583,18 @@ We will see how to reverse-proxy apps over
## Reverse Proxy
```
upstream other_container {
server hostname;
}
server {
location / {
proxy_pass http://other_container:8080;
# For transparent proxying and websockets:
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
}
# Serve images directly, improves performance
location ~ \.(gif|jpg|png)$ {
root /var/www/images;
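Review bot: `proxy_pass http://other_container:8080;` combined with `upstream other_container { server hostname; }` will not load: when a proxy_pass host matches an upstream name the URL may not carry a port, and nginx rejects the config with "upstream "other_container" may not have port 8080". Put the port on the upstream's server line (`server hostname:8080;`) and reference it as `proxy_pass http://other_container;`. Also, `proxy_set_header Connection "Upgrade";` is hard-coded for every request, not only websocket upgrades; the usual pattern is a `map $http_upgrade $connection_upgrade` block in the http context and `proxy_set_header Connection $connection_upgrade;`, so plain HTTP/1.1 requests do not announce an upgrade that never happens.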
......@@ -564,6 +623,10 @@ server {
}
```
----
# Demo
---
## Useful links