1。环境准备阿里云服务器1centos7.9docker最新版本二、Docker安装步骤设置仓库安装所需的软件包。yum-utils提供了yum-config-manager,devicemapper存储驱动需要device-mapper-persistent-data和lvm2。sudoyuminstall-yyum-utilsdevice-mapper-persistent-datalvm2设置阿里云源sudoyum-config-manager\--add-repo\http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo安装最新版本的DockerEngine-Community和containerdsudoyuminstalldocker-cedocker-ce-clicontainerd.iostartDockersudosystemctlstartdockerconfigureDocker镜像加速curl-sSLhttps://get.daocloud.io/daotools/set_mirror.sh|sh-shttp://f1361db2.m.daocloud.io重启Dockersudosystemctldaemon-reloadsudosystemctlrestartdocker3。配置证书创建存储证书目录mkdir-p/usr/local/cacd/usr/local/ca创建一键式证书生成脚本vica.sh按A键切换到输入法,然后粘贴以下内容code#!/bin/bashSERVER="服务器外网ip"PASSWORD="yinfeng"COUNTRY="CN"STATE="shanghai"CITY="shanghai"ORGANIZATION="yinfeng"ORGANIZATIONAL_UNIT="dev"EMAIL="yinfeng@qq.com"echo"starting..."cd/usr/local/caopensslgenrsa-aes256-passoutpass:$PASSWORD-outca-key.pem4096opensslreq-new-x509-passin"pass:$PASSWORD"-days3650-keyca-key.pem-sha256-outca.pem-subj"/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/OU=$ORGANIZATIONAL_UNIT/CN=$SERVER/emailAddress=$EMAIL"opensslgenrsa-outserver-key.pem4096opensslreq-subj"/CN=$SERVER"-new-keyserver-key.pem-outserver.csrsh-c'echo"subjectAltName=IP:'$SERVER',IP:0.0.0.0">>extfile.cnf'sh-c'echo"extendedKeyUsage=serverAuth">>extfile.cn'sh-c'echo"extendedKeyUsage=serverAuth">>extfile.cnf'opensslx509-req-days3650-inserver.csr-CAca.pem-CAkeyca-key.pem-passin"pass:$PASSWORD"-CAcreateserial-outserver-cert.pem-extfileextfile.cnfopensslgenrsa-outkey.pem4096opensslreq-subj"/CN=client"-new-keykey.pem-outclient.csrsh-c'echoextendedKeyUsage=clientAuth>>extfile-client.cnf'opensslx509-req-days3650-sha256-inclient.csr-CAca.pem-CAkeyca-key.pem-passin"pass:$PASSWORD"-CAcreateserial-outcert.pem-extfileextfile-client.cnfrmclient.csrserver.csrcpserver-*.pem/etc/docker/cpca.pem/etc/docker/echo"=========end========"保存脚本,执行shca.sh执行完成后会生成如下文件。找了半天,总结了全网唯一可用的脚本。哎,修改Docker配置,让Docker守护进程只接收来自提供CA信任证书的客户端的链接vim/lib/systemd/system/docker.service替换ExecStart属性值ExecStart=/usr/bin/dockerd--tlsverify--tlscacert=/usr/local/ca/ca.pem--tlscert=/usr/local/ca/server-cert.pem--tlskey=/usr/local/ca/server-key.pem-Htcp://0.0.0.0:2375-Hunix:///var/run/docker.sockreloadserviceandrestartdockersystemctldaemon-reload&&systemctlrestartdocker保存证书客户端文件到本地我用sz,如果不需要要先安装yum-yinstalllrzsz安装成功后执行szca.pemcert.pemkey.pem。我将它们直接保存在桌面上以测试证书配置是否成功。如果成功,会输出证书相关信息。如果失败,请检查证书。生成过程docker--tlsverify--tlscacert=ca.pem--tlscert=cert.pem--tlskey=key.pem-H=server外网ip:2375version最后在idea上测试一下,移动证书你刚下载到我们需要先打开阿里云的2375端口,然后链接到我们电脑的证书目录,不然会被阿里云拦截,通过idea的docker插件连接。可以看到连接成功。我们正在测试之前通过tcp连接是否还能连接。成功四、总结最后总结一下,在为自己的服务配置docker外网链接时,一定要做好加密措施,否则很容易挂马。目前网上的步骤一般只有tcp免密码链接,很不安全。我昨天试过了。过了一会,不到半小时就被扫描挂了,所以决定写个笔记记录下我的部署过程,希望大家借鉴这是阿里云的告警信息。一键加密部署springboot到docker容器的思路有空我再写一篇。
