安装 Portainer

安装docker就不再赘述了。

创建 Portainer Server 用于存储其数据库的卷:

docker volume create portainer_data

然后,下载并安装 Portainer Server 容器:

docker run -d -p 8000:8000 -p 9443:9443 --name portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce:2.21.4

Nginx 反代

HestiaCP 反代离不开模板,下面的模板仅供参考:

.tpl

#=========================================================================
# Default Web Domain Template
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS
# https://hestiacp.com/docs/server-administration/web-templates.html
#=========================================================================

server {
	listen      %ip%:%proxy_port%;
	server_name %domain_idn% %alias_idn%;
	error_log   /var/log/%web_system%/domains/%domain%.error.log error;

	include %home%/%user%/conf/web/%domain%/nginx.forcessl.conf*;

    location ~ /.well-known {
        allow all;
    }

    location / {
      proxy_pass https://127.0.0.1:9443;   
      rewrite ^/(.*)$ /$1 break;
      proxy_redirect off;
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header Upgrade-Insecure-Requests 1;
      proxy_set_header X-Forwarded-Proto https;
    }



	include %home%/%user%/conf/web/%domain%/nginx.conf_*;
}

.stpl

#=========================================================================
# Default Web Domain Template
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS
# https://hestiacp.com/docs/server-administration/web-templates.html
#=========================================================================

server {
	listen      %ip%:%proxy_ssl_port% ssl;
	server_name %domain_idn% %alias_idn%;
	error_log   /var/log/%web_system%/domains/%domain%.error.log error;

	ssl_certificate     %ssl_pem%;
	ssl_certificate_key %ssl_key%;
	ssl_stapling        on;
	ssl_stapling_verify on;

	# TLS 1.3 0-RTT anti-replay
	if ($anti_replay = 307) { return 307 https://$host$request_uri; }
	if ($anti_replay = 425) { return 425; }

	include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*;

    location ~ /.well-known {
        allow all;
    }

    location / {
      proxy_pass https://127.0.0.1:9443;       
      rewrite ^/(.*)$ /$1 break;
      proxy_redirect off;
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header Upgrade-Insecure-Requests 1;
      proxy_set_header X-Forwarded-Proto https;
    }


	proxy_hide_header Upgrade;

	include %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*;
}

记得在防火墙放行端口。

Docker 应用连接宿主机服务

如之前部署的 Vaultwarden 想要连接宿主机 MySQL 怎么办?

  1. MySQL 监听所有 IP 地址
    修改 MySQL 配置文件,确保它监听所有网卡上的连接,而不仅仅是 localhost。这通常在 MySQL 的配置文件(如 /etc/mysql/my.cnf/etc/mysql/mysql.conf.d/mysqld.cnf)中进行。你需要找到类似 bind-address 的设置,将其从 127.0.0.1 改为 0.0.0.0,以允许来自 Docker 容器的连接。

bind-address = 0.0.0.0 之后,重启 MySQL 服务。

  1. HestiaCP 防火墙设置
    为了安全起见,你可以使用防火墙限制只允许 Docker 容器的 IP 访问 MySQL 端口(通常是 3306),同时屏蔽其他外部 IP 的访问。在HestiaCP的防火墙设置中只允许Docker 网络的子网范围,比如 172.17.0.0/16,这样就设置了只允许本地网络或 Docker 容器访问 MySQL。

还记得 Vaultwarden 的docker compose配置吗?

   
      - "DATABASE_URL=mysql://<vaultwarden_user>:<VAULTWARDEN_MYSQL_PASSWORD>@<宿主机ip地址:端口>/vaultwarden"

我们现在只需要改成


      - "DATABASE_URL=mysql://<vaultwarden_user>:<VAULTWARDEN_MYSQL_PASSWORD>@172.17.0.1:3306/vaultwarden"

待更新...

其他使用教程和注意事项我会逐步更新这篇文章,敬请期待。

在此之前,你可以先参考官方文档,深入学习相关内容。

Home | Portainer Documentation

包含的标签:

教程, HestiaCP

最后更新: October 29, 2024