
Docker remote access with TLS certificate authentication (shell script)

Published: 2025/5/22 · Programming Q&A · 24 · 豆豆

Open Docker's remote access port while preventing unauthorized access:

  • Configure certificate authentication
  • Configure a firewall or security policy


#!/bin/bash
# docker.tls.sh
# Environment: CentOS 7, run as root
# Create Docker TLS certificates and enable the TLS-protected remote API port
set -e   # stop at the first failing step instead of editing docker.service with missing certificates

########## Configuration
Port=2376
Node=$(hostname)
# first IPv4 address on an ens*/eth* interface; head -n1 keeps a single value if several match
IP=$(ip add | sed -nr 's#^.*inet (.*)/[1-9].*(ens|eth).*$#\1#gp' | head -n1)
PASSWORD="88888888"
COUNTRY="CN"
STATE="Shanghai"
CITY="Shanghai"
ORGANIZATION="Elven"
ORGANIZATIONAL_UNIT="Dev"
COMMON_NAME="$IP"
EMAIL="228@elven.vip"

########## Generate certificates
# Generate CA key (passphrase protected)
openssl genrsa -aes256 -passout "pass:$PASSWORD" -out "ca-key_$Node.pem" 4096 &>/dev/null
# Generate CA certificate
openssl req -new -x509 -days 730 -key "ca-key_$Node.pem" -sha256 -out "ca_$Node.pem" -passin "pass:$PASSWORD" \
  -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/OU=$ORGANIZATIONAL_UNIT/CN=$COMMON_NAME/emailAddress=$EMAIL" &>/dev/null

echo "#Server"
# Generate server key
openssl genrsa -out "server-key_$Node.pem" 4096 &>/dev/null
# Generate server certificate; the SAN must list every address clients will connect to
openssl req -subj "/CN=$COMMON_NAME" -sha256 -new -key "server-key_$Node.pem" -out server.csr
echo "subjectAltName = IP:$IP,IP:127.0.0.1" >> extfile.cnf
echo "extendedKeyUsage = serverAuth" >> extfile.cnf
openssl x509 -req -days 730 -sha256 -in server.csr -passin "pass:$PASSWORD" -CA "ca_$Node.pem" -CAkey "ca-key_$Node.pem" \
  -CAcreateserial -out "server-cert_$Node.pem" -extfile extfile.cnf

echo "#Client"
openssl genrsa -out "client-key_$Node.pem" 4096 &>/dev/null
openssl req -subj '/CN=client' -new -key "client-key_$Node.pem" -out client.csr
# Separate extension file: appending clientAuth to extfile.cnf would give the client certificate
# the server's SAN and two extendedKeyUsage extensions
echo "extendedKeyUsage = clientAuth" > extfile-client.cnf
openssl x509 -req -days 730 -sha256 -in client.csr -passin "pass:$PASSWORD" -CA "ca_$Node.pem" -CAkey "ca-key_$Node.pem" \
  -CAcreateserial -out "client-cert_$Node.pem" -extfile extfile-client.cnf

chmod 0400 "client-key_$Node.pem" "server-key_$Node.pem"
chmod 0444 "ca_$Node.pem" "server-cert_$Node.pem" "client-cert_$Node.pem"

########## Docker configuration
echo
echo "#Copy certificates"
# server-side certificates
mkdir -p ~/.docker
cp -avf "ca_$Node.pem" "server-cert_$Node.pem" "server-key_$Node.pem" ~/.docker
# client certificate files
cp -avf "client-cert_$Node.pem" "client-key_$Node.pem" ~/.docker/
# pack the client certificates for distribution
tar -zcf "docker-tls-client_$Node.tar.gz" "ca_$Node.pem" "client-cert_$Node.pem" "client-key_$Node.pem"
cp -af "docker-tls-client_$Node.tar.gz" ~/.docker/
ls -hl "$(pwd)"/docker-tls*

echo
echo "#Modify the Docker start-up options in /lib/systemd/system/docker.service"
# --tlsverify (not just --tls) makes the daemon require a client certificate signed by the CA;
# with --tls alone any remote client is accepted without authentication.
# Note: a package upgrade may overwrite this unit file; re-check the ExecStart line afterwards.
SetOPTS=" --tlsverify \
  --tlscacert=$HOME/.docker/ca_${Node}.pem \
  --tlscert=$HOME/.docker/server-cert_${Node}.pem \
  --tlskey=$HOME/.docker/server-key_${Node}.pem \
  -H 0.0.0.0:${Port} "
sed -i "s#^ExecStart.*#& $SetOPTS #" /lib/systemd/system/docker.service
grep '^ExecStart' /lib/systemd/system/docker.service
systemctl daemon-reload

echo
echo "#Remote connection from a client"
echo "docker -H $IP:${Port} --tlsverify --tlscacert ~/.docker/ca_$Node.pem --tlscert ~/.docker/client-cert_$Node.pem --tlskey ~/.docker/client-key_$Node.pem ps -a"
echo "#Connecting with curl from a client"
echo "curl --cacert ~/.docker/ca_$Node.pem --cert ~/.docker/client-cert_$Node.pem --key ~/.docker/client-key_$Node.pem https://$IP:${Port}/containers/json"

# clean up the working copies only (the certificates now live in ~/.docker); do not touch unrelated *.pem files
rm -f "ca_$Node.srl" ./*"_$Node.pem" extfile*.cnf server.csr client.csr

echo
echo -e "\e[1;32m#Restart docker to apply: systemctl restart docker \e[0m"
#
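Before pointing dockerd at the generated files, it is worth checking that they actually have the properties the daemon and client depend on: the server certificate chains to the CA, carries the addresses clients will dial in its SAN and the serverAuth EKU, and the client certificate is valid for clientAuth only (so it cannot be reused to impersonate the daemon). The script below is an added example, not part of the original post. It rebuilds the same CA / server / client layout in a temporary directory (with constructed values: 10.0.0.5 as the daemon address, 2048-bit keys and an unencrypted CA key purely to keep it fast) and runs those checks with openssl verify's -purpose and -verify_ip options; the same verify_docker_pki function can be run against the real ~/.docker files by adjusting the file names.

```shell
#!/bin/bash
# Added example: generate a Docker-style TLS PKI in a temp dir and verify it.
# Values below (10.0.0.5, CN names, key sizes) are constructed for the example.

# make_test_pki: create ca.pem, server-cert.pem, client-cert.pem (plus keys)
# in a new temporary directory and print that directory's path.
# Server and client extensions live in separate extfiles so each leaf
# certificate gets exactly one extendedKeyUsage.
make_test_pki() {
    dir=$(mktemp -d) || return 1
    (
        set -e
        cd "$dir"
        ip=10.0.0.5   # constructed: address the Docker clients would connect to
        openssl genrsa -out ca-key.pem 2048 2>/dev/null
        openssl req -new -x509 -days 730 -sha256 -key ca-key.pem -out ca.pem \
            -subj "/CN=docker-test-ca" 2>/dev/null
        # server certificate: SAN must list every address the client dials
        openssl genrsa -out server-key.pem 2048 2>/dev/null
        openssl req -new -sha256 -key server-key.pem -subj "/CN=$ip" -out server.csr 2>/dev/null
        printf 'subjectAltName = IP:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' "$ip" > extfile-server.cnf
        openssl x509 -req -days 730 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
            -CAcreateserial -out server-cert.pem -extfile extfile-server.cnf 2>/dev/null
        # client certificate: clientAuth only, no SAN
        openssl genrsa -out client-key.pem 2048 2>/dev/null
        openssl req -new -sha256 -key client-key.pem -subj '/CN=client' -out client.csr 2>/dev/null
        printf 'extendedKeyUsage = clientAuth\n' > extfile-client.cnf
        openssl x509 -req -days 730 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
            -CAcreateserial -out client-cert.pem -extfile extfile-client.cnf 2>/dev/null
    ) || return 1
    echo "$dir"
}

# eku_count CERT TEXT: number of times TEXT (an EKU name as printed by
# `openssl x509 -text`) appears in CERT, e.g. 'TLS Web Server Authentication'.
eku_count() {
    openssl x509 -in "$1" -noout -text | grep -c "$2"
}

# verify_docker_pki DIR: the checks that matter for `dockerd --tlsverify`
# and `docker --tlsverify`. Returns 0 only if every check passes.
verify_docker_pki() {
    d=$1
    # 1. server cert chains to the CA and is usable as a TLS server certificate
    openssl verify -CAfile "$d/ca.pem" -purpose sslserver "$d/server-cert.pem" >/dev/null 2>&1 || return 1
    # 2. the client dials 127.0.0.1 (or $IP); --tlsverify fails unless the SAN matches that address
    openssl verify -CAfile "$d/ca.pem" -verify_ip 127.0.0.1 "$d/server-cert.pem" >/dev/null 2>&1 || return 1
    # 3. client cert chains to the CA and is usable for client authentication ...
    openssl verify -CAfile "$d/ca.pem" -purpose sslclient "$d/client-cert.pem" >/dev/null 2>&1 || return 1
    # 4. ... but must not be accepted as a server certificate
    if openssl verify -CAfile "$d/ca.pem" -purpose sslserver "$d/client-cert.pem" >/dev/null 2>&1; then
        return 1
    fi
    # 5. exactly one EKU per leaf (appending clientAuth to the server extfile would give the client two)
    [ "$(eku_count "$d/server-cert.pem" 'TLS Web Server Authentication')" -eq 1 ] || return 1
    [ "$(eku_count "$d/client-cert.pem" 'TLS Web Client Authentication')" -eq 1 ] || return 1
    [ "$(eku_count "$d/client-cert.pem" 'TLS Web Server Authentication')" -eq 0 ] || return 1
    return 0
}

# stand-alone run: build the PKI and report the result
pki_dir=$(make_test_pki) && verify_docker_pki "$pki_dir" && echo "PKI checks passed in $pki_dir"
```

The -purpose checks are what a TLS stack applies when it decides whether a certificate may act as server or client, and -verify_ip reproduces the identity check the Docker client performs against the address given to -H; a certificate that only has the IP in its CN but not in the SAN fails that step. Check 4 is the reason for giving the client certificate its own extension file: a client certificate that also carried serverAuth and the server's SAN could be used to stand up a fake daemon that clients would trust.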

  

Reposted from: https://www.cnblogs.com/elvi/p/10959232.html
