Installing Portainer
Installing Docker itself is not covered again here.
Create the volume that Portainer Server uses to store its database:
docker volume create portainer_data
Then download and start the Portainer Server container:
docker run -d -p 8000:8000 -p 9443:9443 --name portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce:2.21.4
Nginx reverse proxy
A HestiaCP reverse proxy is built from templates; the templates below are for reference only. They proxy to Portainer's HTTPS port 9443, which serves a self-signed certificate; nginx does not verify the upstream certificate unless proxy_ssl_verify is enabled, which is why this works without extra setup.
.tpl
#=========================================================================
# Default Web Domain Template
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS
# https://hestiacp.com/docs/server-administration/web-templates.html
#=========================================================================
server {
    listen %ip%:%proxy_port%;
    server_name %domain_idn% %alias_idn%;
    error_log /var/log/%web_system%/domains/%domain%.error.log error;

    include %home%/%user%/conf/web/%domain%/nginx.forcessl.conf*;

    location ~ /.well-known {
        allow all;
    }

    location / {
        proxy_pass https://127.0.0.1:9443;
        rewrite ^/(.*)$ /$1 break;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade-Insecure-Requests 1;
        proxy_set_header X-Forwarded-Proto https;
    }

    include %home%/%user%/conf/web/%domain%/nginx.conf_*;
}
.stpl
#=========================================================================
# Default Web Domain Template
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS
# https://hestiacp.com/docs/server-administration/web-templates.html
#=========================================================================
server {
    listen %ip%:%proxy_ssl_port% ssl;
    server_name %domain_idn% %alias_idn%;
    error_log /var/log/%web_system%/domains/%domain%.error.log error;

    ssl_certificate %ssl_pem%;
    ssl_certificate_key %ssl_key%;
    ssl_stapling on;
    ssl_stapling_verify on;

    # TLS 1.3 0-RTT anti-replay
    if ($anti_replay = 307) { return 307 https://$host$request_uri; }
    if ($anti_replay = 425) { return 425; }

    include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*;

    location ~ /.well-known {
        allow all;
    }

    location / {
        proxy_pass https://127.0.0.1:9443;
        rewrite ^/(.*)$ /$1 break;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade-Insecure-Requests 1;
        proxy_set_header X-Forwarded-Proto https;
    }

    proxy_hide_header Upgrade;

    include %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*;
}
Remember to open the ports in the firewall.
Connecting Docker applications to host services
What if the Vaultwarden instance deployed earlier needs to connect to MySQL running on the host?
- Make MySQL listen on all IP addresses
Edit the MySQL configuration file so that it accepts connections on all interfaces rather than only on localhost. This is usually done in the MySQL config file (for example /etc/mysql/my.cnf or /etc/mysql/mysql.conf.d/mysqld.cnf). Find the bind-address setting and change it from 127.0.0.1 to 0.0.0.0 so that connections from Docker containers are accepted.
bind-address = 0.0.0.0
Then restart the MySQL service.
Note that 0.0.0.0 makes MySQL reachable on every interface of the host, including the public one, so the firewall rule in the next step is not optional. If only containers on the default bridge need access, binding to the bridge gateway address (172.17.0.1 in a default Docker setup) is the narrower choice.
- HestiaCP firewall settings
For safety, use the firewall to allow only the Docker containers' IP addresses to reach the MySQL port (usually 3306) and block every other external IP. In HestiaCP's firewall settings, allow only the Docker network's subnet, for example 172.17.0.0/16, so that only the local network or Docker containers can reach MySQL.
Remember the Vaultwarden docker compose configuration?
- "DATABASE_URL=mysql://<vaultwarden_user>:<VAULTWARDEN_MYSQL_PASSWORD>@<host-ip:port>/vaultwarden"
We now only need to change it to
- "DATABASE_URL=mysql://<vaultwarden_user>:<VAULTWARDEN_MYSQL_PASSWORD>@172.17.0.1:3306/vaultwarden"
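A static check of the three pieces above, added here as an example and not part of the original post: it reads the bind-address from a mysqld.cnf text, parses the compose DATABASE_URL, and reports whether the container target can reach MySQL and whether the host has been opened on every interface (the trigger for the firewall step). The config text and URL are constructed samples; the function does not inspect the live firewall.

```python
import configparser
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of a mysqld.cnf after the edit described above (not a real file).
SAMPLE_CNF = """
# managed by the admin
!includedir /etc/mysql/conf.d/
[mysqld]
user = mysql
bind-address = 0.0.0.0
port = 3306
"""

# Constructed compose value; the real file keeps the <...> placeholders for secrets.
SAMPLE_URL = "mysql://vaultwarden_user:secret@172.17.0.1:3306/vaultwarden"


def parse_bind_address(cnf_text):
    """Return (bind-address, port) from [mysqld]; MySQL defaults apply when absent."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    # '!include' / '!includedir' directives are not INI syntax, so drop them first.
    lines = [l for l in cnf_text.splitlines() if not l.lstrip().startswith("!")]
    parser.read_string("\n".join(lines))
    section = parser["mysqld"] if parser.has_section("mysqld") else {}
    return section.get("bind-address", "127.0.0.1"), int(section.get("port", "3306"))


def check_host_mysql_access(cnf_text, database_url, docker_subnet="172.17.0.0/16"):
    """Relate the MySQL bind-address to the container's DATABASE_URL target."""
    bind, port = parse_bind_address(cnf_text)
    url = urlsplit(database_url)
    target = ipaddress.ip_address(url.hostname)
    subnet = ipaddress.ip_network(docker_subnet)
    # MySQL 8 accepts '*' as a synonym for all interfaces.
    bind_ip = ipaddress.ip_address("0.0.0.0" if bind == "*" else bind)
    reachable = (bind_ip.is_unspecified or bind_ip == target) and (url.port or 3306) == port
    return {
        "bind_address": bind,
        "target": str(target),
        "target_in_docker_subnet": target in subnet,
        "reachable_from_container": reachable,
        # 0.0.0.0 listens on every interface, so only the firewall limits exposure.
        "listens_on_all_interfaces": bind_ip.is_unspecified,
    }
```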
To be updated...
I will gradually add other usage tutorials and notes to this article; stay tuned.
Until then, you can refer to the official documentation to learn more.