无法在Docker容器中使用SSL

Question

首先让我说我不是服务器管理员,而且还有很多我不知道的事情.因此,我确信我在设置我的Docker容器时犯了一个错误,因为SSL不起作用.

该容器在Ubuntu 14.04上运行带有PHP 5.6的Apache 2.4,并链接到MySQL 5.6 Docker容器.

我从Docker开始使用这个基本设置 - 官方PHP Repo.以下是相关文件:

Dockefile

FROM php:5.6-apache

RUN apt-get update
RUN apt-get install -y net-tools
RUN docker-php-ext-install pdo pdo_mysql
RUN docker-php-ext-install sockets

RUN a2enmod rewrite
RUN a2enmod ssl

ADD 000-default.conf /etc/apache2/sites-enabled/
ADD default-ssl.conf /etc/apache2/sites-anabled/
ADD apache2.conf /etc/apache2/
ADD www-server/ www-server/

EXPOSE 443

000-default.conf

<VirtualHost *:80>

    ServerAdmin webmaster@localhost
    DocumentRoot /www-server/

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

<Directory /home/www-server/>
    # allow .htaccess overrides to work
    AllowOverride All
    DirectoryIndex login.html index.html index.php
</Directory>

<Directory /home/www-server/client>
    DirectoryIndex home.html
    Options All
    AllowOverride All
    Require all granted
</Directory>

默认的ssl.conf

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /home/www-server

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # Enable/Disable SSL for this virtual host.
        SSLEngine on

        SSLCertificateFile /etc/ssl/certs/site.crt
        SSLCertificateKeyFile /etc/ssl/certs/site.key
        SSLCACertificatePath /etc/ssl/certs/digicert/

     </VirtualHost>
</IfModule>

apache2.conf

Mutex file:/var/lock/apache2 default
PidFile /var/run/apache2/apache2.pid
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
User www-data
Group www-data
HostnameLookups Off
ErrorLog /proc/self/fd/2
LogLevel warn

IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf

# ports.conf
Listen 80
<IfModule ssl_module>
        Listen 443
</IfModule>
<IfModule mod_gnutls.c>
        Listen 443
</IfModule>

<Directory />
        Options FollowSymLinks
        AllowOverride None
        Require all denied
</Directory>

<Directory /home/www-server/>
    Options Indexes FollowSymLinks Includes ExecCGI
    AllowOverride All
    Require all granted
</Directory>

DocumentRoot /home/www-server

AccessFileName .htaccess
<FilesMatch "^\.ht">
        Require all denied
</FilesMatch>

LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

CustomLog /proc/self/fd/1 combined

<FilesMatch \.php$>
        SetHandler application/x-httpd-php
</FilesMatch>

# Multiple DirectoryIndex directives within the same context will add
# to the list of resources to look for rather than replace
# https://httpd.apache.org/docs/current/mod/mod_dir.html#directoryindex
DirectoryIndex disabled
DirectoryIndex index.php index.html

IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf

注意:我删除了这些文件的不相关部分.

要运行Docker容器,我使用:

sudo docker run -v /home/src/ssl-cert:/etc/ssl/certs --name app-gateway --link mysql56:mysql -p 80:80 -p 443:443 -d  app-image

以下是日志文件的一部分:

::1 - - [10/Nov/2015:19:26:19 +0000] "OPTIONS * HTTP/1.0" 200 152 "-" "Apache/2.4.10 (Debian) PHP/5.6.15 OpenSSL/1.0.1k (internal dummy connection)"
::1 - - [10/Nov/2015:19:26:20 +0000] "OPTIONS * HTTP/1.0" 200 152 "-" "Apache/2.4.10 (Debian) PHP/5.6.15 OpenSSL/1.0.1k (internal dummy connection)"
72.5.190.136 - - [10/Nov/2015:19:26:21 +0000] "\x16\x03\x01" 400 0 "-" "-"
72.5.190.136 - - [10/Nov/2015:19:26:21 +0000] "\x16\x03\x01" 400 0 "-" "-"
72.5.190.136 - - [10/Nov/2015:19:26:21 +0000] "\x16\x03\x01" 400 0 "-" "-"

在浏览器中出现此错误:

ERR_SSL_PROTOCOL_ERROR

TL; DR 我已经按照我在网上找到的所有步骤在Docker容器中安装和使用我的SSL证书,但我没有成功使其工作.有没有明显的东西让我忽略了在Docker容器中使SSL工作？

Answer 1

有时候,特别是当你试图长时间解决问题而你在命令行的控制台窗口编码时,你会错过最简单的事情.看看Dockerfile中的这两行:

ADD 000-default.conf /etc/apache2/sites-enabled/
ADD default-ssl.conf /etc/apache2/sites-anabled/

该a是从几乎没有区别e,使得拼写错误很难发现.Dockerfile正确构建映像并在容器中添加新目录,然后将配置文件放在该目录中.

drwxr-xr-x  2 www www  4096 Nov 11 15:56 sites-anabled
drwxr-xr-x  2 www www  4096 Oct 23 20:19 sites-available
drwxr-xr-x  2 www www  4096 Nov 11 15:56 sites-enabled

由于未知目录没有引发错误并且映像构建成功,因此它将运行,但在这种情况下,SSL将无法正常工作.