diff --git a/docs/.vitepress/config.ts b/docs/.vitepress/config.ts index 4261d7efb..1ecd238c2 100644 --- a/docs/.vitepress/config.ts +++ b/docs/.vitepress/config.ts @@ -119,6 +119,7 @@ export default defineConfig({ {text: "邮箱配置", link: "/guide/use/email/index.md"}, {text: "IPv6支持", link: "/guide/use/setting/ipv6.md"}, {text: "ESXi", link: "/guide/use/ESXi/index.md"}, + {text: "宝塔动态IP白名单", link: "/guide/use/baota/white_list.md"}, {text: "子域名托管", link: "/guide/use/cert/subdomain.md"}, ] }, diff --git a/docs/guide/install/baota/index.md b/docs/guide/install/baota/index.md index ff4512451..bf173b930 100644 --- a/docs/guide/install/baota/index.md +++ b/docs/guide/install/baota/index.md @@ -21,13 +21,13 @@ #### 2.2 容器编排方式部署 -1. 打开`docker-compose.yaml`,整个内容复制下来 +1. 打开`docker-compose.yaml`,整个内容复制下来 https://gitee.com/certd/certd/raw/v2/docker/run/docker-compose.yaml -然后到宝塔里面进到docker->容器编排->添加容器编排 -![](./images/1.png) -点击确定,等待启动完成 +然后到宝塔里面进到docker->容器编排->添加容器编排 +![](./images/1.png) +点击确定,等待启动完成 ![](./images/2.png) > certd默认使用sqlite数据库,另外支持`mysql`和`postgresql`数据库,[点我了解如何切换其他数据库](../database) @@ -35,16 +35,16 @@ ## 二、访问应用 -http://ip:7001 -https://ip:7002 -默认账号密码 -admin/123456 +http://ip:7001 +https://ip:7002 +默认账号密码 +admin/123456 登录后请及时修改密码 ## 三、如何升级 宝塔升级certd非常简单 -打开容器页面: `docker`->`容器编排`->`左侧选择Certd`->`更新镜像` +打开容器页面: `docker`->`容器编排`->`左侧选择Certd`->`更新镜像` ![img.png](./images/upgrade.png) @@ -80,5 +80,8 @@ admin/123456 ### 1. 无法访问Certd 1. 确认服务器的安全规则,是否放开了对应端口 2. 确认宝塔防火墙是否放开对应端口 -3. 尝试将Certd容器加入宝塔的`bridge`网络 -![](./images/network.png) \ No newline at end of file +3. 尝试将Certd容器加入宝塔的`bridge`网络 +![](./images/network.png) + +### 2. 动态IP无法加白名单问题 +[Nginx代理解决方案](../../use/baota/white_list.md) \ No newline at end of file diff --git a/docs/guide/use/baota/images/white-1.png b/docs/guide/use/baota/images/white-1.png new file mode 100644 index 000000000..f72b7bdaa Binary files /dev/null and b/docs/guide/use/baota/images/white-1.png differ 
diff --git a/docs/guide/use/baota/images/white-2.png b/docs/guide/use/baota/images/white-2.png
new file mode 100644
index 000000000..e23da95a6
Binary files a/docs/guide/use/baota/images/white-2.png and b/docs/guide/use/baota/images/white-2.png differ
diff --git a/docs/guide/use/baota/images/white-3.png b/docs/guide/use/baota/images/white-3.png
new file mode 100644
index 000000000..33ba42630
Binary files a/docs/guide/use/baota/images/white-3.png and b/docs/guide/use/baota/images/white-3.png differ
diff --git a/docs/guide/use/baota/images/white-4.png b/docs/guide/use/baota/images/white-4.png
new file mode 100644
index 000000000..db7380655
Binary files a/docs/guide/use/baota/images/white-4.png and b/docs/guide/use/baota/images/white-4.png differ
diff --git a/docs/guide/use/baota/images/white-5.png b/docs/guide/use/baota/images/white-5.png
new file mode 100644
index 000000000..d151d7796
Binary files a/docs/guide/use/baota/images/white-5.png and b/docs/guide/use/baota/images/white-5.png differ
diff --git a/docs/guide/use/baota/images/white-6.png b/docs/guide/use/baota/images/white-6.png
new file mode 100644
index 000000000..93fb84c8b
Binary files a/docs/guide/use/baota/images/white-6.png and b/docs/guide/use/baota/images/white-6.png differ
diff --git a/docs/guide/use/baota/images/white-safe-1.png b/docs/guide/use/baota/images/white-safe-1.png
new file mode 100644
index 000000000..818ee68de
Binary files a/docs/guide/use/baota/images/white-safe-1.png and b/docs/guide/use/baota/images/white-safe-1.png differ
diff --git a/docs/guide/use/baota/images/white-safe-2.png b/docs/guide/use/baota/images/white-safe-2.png
new file mode 100644
index 000000000..8876a335f
Binary files a/docs/guide/use/baota/images/white-safe-2.png and b/docs/guide/use/baota/images/white-safe-2.png differ
diff --git a/docs/guide/use/baota/white_list.md b/docs/guide/use/baota/white_list.md
new file mode 100644
index 000000000..e09440171
--- /dev/null
+++ b/docs/guide/use/baota/white_list.md
@@ -0,0 +1,69 @@ +# 宝塔IP白名单与动态IP问题 +调用宝塔接口需要添加IP白名单,但当certd部署在动态IP环境下时,IP白名单就不好添加 +本章节提供一种代理解决方案 + + +## nginx代理方案 + +通过在宝塔中配置一个nginx反向代理宝塔自己的地址,然后在nginx中配置放开certd需要的接口,缩小影响范围 + +### 1. 添加nginx反向代理 +![](./images/white-1.png) + +### 2. 域名和代理目标 +![](./images/white-2.png) + +### 3. 设置放开哪些接口 +![](./images/white-3.png) +![img.png](images/white-4.png) +将如下脚本填入上方文本域中,保存 +```nginx configuration +set $allow_access false; + + # 检查请求的URI是否在白名单中 + if ($request_uri ~* "^/(site\?action=get_site_types)") { + # 允许测试 + set $allow_access true; + } + if ($request_uri ~* "^/(config\?action=SavePanelSSL)") { + # 允许部署到宝塔面板本身证书 + set $allow_access true; + } + + if ($request_uri ~* "^/(mod/docker/com/set_ssl|site\?action=SetSSL|ssl\?action=GetSiteDomain|mod/docker/com/get_site_list)") { + # 允许部署宝塔网站证书 + set $allow_access true; + } + + if ($request_uri ~* "^/(ssl?action=remove_cloud_cert|ssl\?action=get_cert_list)") { + # 允许删除宝塔过期证书 + set $allow_access true; + } + + if ($request_uri ~* "^/(datalist/get_data_list|site/set_site_ssl)") { + set $allow_access true; + } + + # 如果不在白名单,返回403禁止访问 + if ($allow_access = false) { + return 405; + } + +``` + + +### 4. 接口IP白名单添加127.0.0.1 + ![img.png](images/white-5.png) + +### 5. certd中宝塔授权配置改成新的这个域名地址 + +![img.png](images/white-6.png) +点击测试检查是否ok ,到这里就可以正常部署证书了 + +### 6. 安全加强(将请求地址改成https) +在宝塔中配置证书部署任务,选择刚才新建的这个网站,给他部署证书 +勾选强制https +![img.png](images/white-safe-1.png) +更换443端口【可选】 +![img.png](images/white-safe-2.png) +禁止http访问
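Review bot: In the nginx allow-list under "### 3", the fourth pattern is written `ssl?action=remove_cloud_cert` with an unescaped `?`, so the regex treats `l` as optional and never matches the real `/ssl?action=remove_cloud_cert` request; it should be `ssl\?action=remove_cloud_cert`, escaped like every other branch, otherwise the expired-certificate cleanup this branch is meant to allow is rejected by the fallback. That fallback is commented `# 如果不在白名单,返回403禁止访问` but executes `return 405;`; change it to `return 403;` so the comment, the status and the intent (forbidden, not method-not-allowed) agree. Because step 4 adds `127.0.0.1` to the panel's IP allowlist, every endpoint this vhost forwards becomes reachable from any source address with the API key as the only remaining control, which the page should state plainly and pair with a mandatory HTTPS-only setup (step 6) rather than leaving it as a follow-up hardening note. The patterns are also anchored only at the start (`^/...` with no `$`), so `/site?action=SetSSL` followed by any extra query string is admitted; presumably the panel dispatches solely on `action`, but a one-line comment such as `# 仅匹配前缀,额外的查询参数也会放行` would make that assumption visible to whoever copies the block.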