mkdir -p /home/middleware/nginx/{conf.d,cert}
cd /home/middleware/nginx

user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    
    access_log  /var/log/nginx/access.log  main;
    
    sendfile        on;
    keepalive_timeout  65;
    
    # 包含其他配置
    include /etc/nginx/conf.d/*.conf;
}

# 處理 HTTP 請(qǐng)求
server {
    listen 80;
    server_name example.com www.example.com;
    
    # Certbot 驗(yàn)證目錄
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    
    # 其他所有請(qǐng)求重定向到 HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS 服務(wù)器
server {
    listen 443 ssl http2;
    server_name example.com www.example.com;
    
    # SSL 證書配置
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    
    # 安全配置
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    
    # 安全頭
    add_header Strict-Transport-Security "max-age=63072000" always;
    
    # 你的應(yīng)用配置 (如果是已有的網(wǎng)站這里可配置代理跳轉(zhuǎn))
    location / {
        root /usr/share/nginx/html;
        index index.html;
    }
    
    # 保留證書驗(yàn)證路徑
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
}

version: '3.8'

services:
  nginx:
    image: nginx:alpine
    container_name: nginx
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf
      - ./conf.d:/etc/nginx/conf.d
      - ./cert:/etc/letsencrypt
      - certbot_www:/var/www/certbot
    restart: unless-stopped
    depends_on:
      - certbot

  certbot:
    image: certbot/certbot:latest
    container_name: certbot
    volumes:
      - ./cert:/etc/letsencrypt
      - certbot_www:/var/www/certbot
    command: >
      sh -c '
      # 首次運(yùn)行獲取證書
      if [ ! -f "/etc/letsencrypt/live/example.com/fullchain.pem" ]; then
        certbot certonly --webroot -w /var/www/certbot -d example.com -d www.example.com 
          --email your-email@example.com --agree-tos --noninteractive;
      fi;
      
      # 每12小時(shí)檢查續(xù)期
      while :; do
        sleep 12h
        certbot renew
      done'
    restart: unless-stopped

volumes:
  certbot_www:

docker-compose up -d

curl -I https://yourdomain.com
# 應(yīng)返回 200 OK

docker-compose down
docker-compose up -d

# 修改配置后
docker-compose down
docker-compose up -d --force-recreate

docker-compose exec nginx openssl x509 -in /etc/letsencrypt/live/yourdomain.com/fullchain.pem -noout -dates

command: >
  sh -c '
  if [ ! -f "/etc/letsencrypt/live/example.com/fullchain.pem" ]; then
    certbot certonly --webroot -w /var/www/certbot -d example.com 
      --email your-email@example.com 
      --agree-tos 
      --noninteractive
      --rsa-key-size 4096; # 密鑰大小
  fi;
  while :; do sleep 12h; certbot renew; done'

command: >
  sh -c '
  if [ ! -f "/etc/letsencrypt/live/example.com/fullchain.pem" ]; then
    certbot certonly --webroot -w /var/www/certbot 
      -d example.com 
      -d www.example.com 
      -d api.example.com; # 添加更多域名
  fi;
  while :; do sleep 12h; certbot renew; done'

command: >
  sh -c '
  if [ ! -f "/etc/letsencrypt/live/example.com/fullchain.pem" ]; then
    certbot certonly --webroot -w /var/www/certbot -d example.com 
      --staging; # 使用測試環(huán)境
  fi;
  while :; do sleep 12h; certbot renew; done'