Stop editing Nginx configs by hand! Deploy a Spring Boot app with Docker Compose in one step and configure HTTPS/WSS certificates automatically

Published: 2026/6/4 5:33:03

A fully automated HTTPS/WSS deployment scheme for Spring Boot based on Docker Compose

With cloud-native technology developing rapidly, the traditional approach of configuring Nginx and managing certificates by hand no longer meets modern DevOps requirements for efficiency and reliability. This article shows how to use Docker Compose for a one-step deployment of a Spring Boot application that also sets up the Nginx reverse proxy, the HTTPS certificate and secure WebSocket connections (WSS) as one complete solution.

1. Environment Preparation and Architecture Design

1.1 Technology stack

The automated deployment scheme is built on the following core components:

- Docker Compose: the container orchestration tool that manages the dependencies and network configuration between services
- Nginx: the reverse proxy that handles HTTPS/WSS requests and forwards them to the backend application
- Spring Boot: the core application framework that provides the business logic and WebSocket support
- Certbot: obtains and renews free Let's Encrypt SSL certificates automatically

1.2 System architecture overview

The system is divided into three main layers:

- Front-end access layer: the Nginx container, responsible for external HTTPS requests and WSS connections
- Application service layer: the container running the Spring Boot application
- Certificate management layer: Certbot, which obtains and manages the SSL certificates automatically

```yaml
services:
  nginx:
    image: nginx:latest
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx/conf:/etc/nginx/conf.d
      - ./certbot/www:/var/www/certbot
      - ./certbot/conf:/etc/letsencrypt
    depends_on:
      - app
      - certbot
```

2. Docker Compose Orchestration

2.1 Basic service definitions

First create a docker-compose.yml file that defines the core services:

```yaml
version: "3.8"

services:
  app:
    build: .
    image: springboot-app
    container_name: springboot-app
    restart: unless-stopped
    environment:
      - SPRING_PROFILES_ACTIVE=prod
    expose:
      - "8080"

  nginx:
    image: nginx:1.21-alpine
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx/conf:/etc/nginx/conf.d
      - ./certbot/conf:/etc/letsencrypt
      - ./certbot/www:/var/www/certbot
    depends_on:
      - app
    restart: unless-stopped

  certbot:
    image: certbot/certbot
    volumes:
      - ./certbot/conf:/etc/letsencrypt
      - ./certbot/www:/var/www/certbot
    # Renewal loop: check every 12 hours; "$$" is how Compose escapes a literal "$"
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
```

2.2 Key configuration notes

- app service: uses the custom-built Spring Boot image; exposes port 8080 so that Nginx can reach it on the Compose network (the port is not published on the host); sets the production profile
- nginx service: maps ports 80 and 443 to the host; mounts the configuration and certificate directories; depends on the app and Certbot services
- certbot service: runs the automatic renewal script, checking every 12 hours whether the certificate needs to be renewed

3. Advanced Nginx Configuration

3.1 HTTPS reverse proxy

Create nginx/conf/app.conf with the HTTPS reverse proxy configuration:

```nginx
server {
    listen 80;
    server_name yourdomain.com;

    # Certbot's webroot challenge files are served from here
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

    location / {
        proxy_pass http://app:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

3.2 WSS support

Add WebSocket support to the same file, inside the 443 server block:

```nginx
server {
    # ... other configuration unchanged ...

    location /ws {
        proxy_pass http://app:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_read_timeout 86400s;
        proxy_send_timeout 86400s;
    }
}
```

Because this location lives in the `listen 443 ssl` server, the WebSocket handshake and all frames between the browser and Nginx are protected by TLS; the hop from Nginx to the app container is plain HTTP/WS on the Compose network, which is why the application needs no TLS configuration of its own.

4. Automated Certificate Management

4.1 Obtaining the initial certificate

Create an initialization script (init-cert.sh) that obtains the first certificate:

```bash
#!/bin/bash
docker-compose run --rm certbot certonly --webroot --webroot-path /var/www/certbot -d yourdomain.com
```

The webroot challenge is answered from /var/www/certbot through the port-80 server block, so Nginx must already be running when this script executes. Note that Nginx refuses to start while the files named by `ssl_certificate` and `ssl_certificate_key` do not exist yet, so on a brand-new host the 443 server block can only be enabled once the first certificate has been issued.

4.2 Automatic renewal

The Compose file already configures the Certbot service for automatic renewal, but Nginx must reload its configuration after the certificate has been replaced (reload-nginx.sh):

```bash
#!/bin/bash
docker-compose exec nginx nginx -s reload
```

This command can be added to crontab to run once a day:

```
0 0 * * * /path/to/reload-nginx.sh > /dev/null 2>&1
```

A daily cron reload means a certificate renewed by the 12-hour loop is not picked up by Nginx until the next midnight; Certbot's `--deploy-hook` option runs a command only after a successful renewal, which is the more precise place to trigger the reload.

5. Spring Boot Application Adaptation

5.1 WebSocket security configuration

Make sure the WebSocket endpoint in the Spring Boot application supports WSS:

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.messaging.simp.config.MessageBrokerRegistry;
import org.springframework.web.socket.config.annotation.EnableWebSocketMessageBroker;
import org.springframework.web.socket.config.annotation.StompEndpointRegistry;
import org.springframework.web.socket.config.annotation.WebSocketMessageBrokerConfigurer;

@Configuration
@EnableWebSocketMessageBroker
public class WebSocketConfig implements WebSocketMessageBrokerConfigurer {

    @Override
    public void registerStompEndpoints(StompEndpointRegistry registry) {
        // The endpoint Nginx proxies from wss://yourdomain.com/ws
        registry.addEndpoint("/ws")
                .setAllowedOrigins("*")
                .withSockJS();
    }

    @Override
    public void configureMessageBroker(MessageBrokerRegistry registry) {
        registry.enableSimpleBroker("/topic");
        registry.setApplicationDestinationPrefixes("/app");
    }
}
```

`setAllowedOrigins("*")` lets a page served from any origin open the WebSocket; for production, list only the site's own origin (https://yourdomain.com) so that browsers reject cross-site connections.

5.2 Security headers

Add the security headers needed to ensure the application is accessed over HTTPS:

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Emits: Strict-Transport-Security: max-age=31536000 ; includeSubDomains
        http
            .headers()
                .httpStrictTransportSecurity()
                    .includeSubDomains(true)
                    .maxAgeInSeconds(31536000);
    }
}
```

Two caveats for this class. Spring Security only writes the HSTS header on requests it considers secure, and behind the proxy the request arrives as plain HTTP, so the application must honour X-Forwarded-Proto (in Spring Boot, `server.forward-headers-strategy=framework` or `native`). And overriding `configure(HttpSecurity)` replaces the adapter's default rules (every request authenticated, form login), so any authorization rules the application needs must be added here as well. `WebSecurityConfigurerAdapter` is deprecated since Spring Security 5.7 and removed in 6.0; newer projects declare a `SecurityFilterChain` bean instead.

6. Deployment and Verification

6.1 One-step deployment

The full deployment takes only a few commands:

```bash
# Build the application image
docker-compose build

# Start all services
docker-compose up -d

# Obtain the initial certificate (first deployment only)
./init-cert.sh
```

6.2 System verification

Verify that HTTPS and WSS both work:

HTTPS:
- Open https://yourdomain.com and check the lock icon in the browser address bar
- Use the SSL Labs test tool to verify the certificate configuration

WSS:
- Connect to wss://yourdomain.com/ws with a WebSocket client tool
- Test sending and receiving messages

7. Advanced Optimization and Extension

7.1 Performance tuning

Nginx buffer settings for the WebSocket location:

```nginx
proxy_buffers 8 32k;
proxy_buffer_size 64k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
```

7.2 Multi-environment support

Use environment variables to distinguish the configuration of different environments:

```yaml
services:
  app:
    environment:
      - SPRING_PROFILES_ACTIVE=${ENV:-prod}
```

Then define the variables in a .env file:

```
ENV=prod
DOMAIN=yourdomain.com
```

7.3 Monitoring and logging

Add Prometheus and Grafana for monitoring:

```yaml
services:
  prometheus:
    image: prom/prometheus
    ports:
      - "9090:9090"
    volumes:
      - ./prometheus.yml:/etc/prometheus/prometheus.yml
  grafana:
    image: grafana/grafana
    ports:
      - "3000:3000"
```

As written, both dashboards are published directly on host ports 9090 and 3000 without TLS and outside the Nginx proxy; on an internet-facing host bind them to the loopback address (for example "127.0.0.1:9090:9090") or route them through Nginx like the application.
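The post's 3.1/3.2 vhost and its 7.2 DOMAIN variable fit together naturally in a small generator script. The following POSIX shell script is an added example, not code from the original post: it renders nginx/conf/app.conf for the domain in DOMAIN and then checks that the rendered file contains the directives the deployment relies on, so a typo is caught before `docker-compose up` mounts it. It goes beyond the post's config in two places: a `map` block so that plain requests to /ws are forwarded with `Connection: close` instead of a hard-coded `upgrade`, and an explicit `ssl_protocols` line limiting the listener to TLS 1.2 and 1.3. The service name app, port 8080, the /ws path and the certbot paths come from the post; the script name gen-nginx-conf.sh and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): render the Nginx vhost for one
# domain from an environment variable, then sanity-check it before it is
# written into ./nginx/conf, the directory the compose file mounts.
# Assumptions: upstream service "app" on port 8080 and WebSocket path /ws,
# as in the post's docker-compose.yml and app.conf.

# Emit a complete Nginx config for the domain given as $1.
render_nginx_conf() {
    domain="$1"
    cat <<EOF
# Map the client's Upgrade header to the Connection header sent upstream:
# "upgrade" for WebSocket handshakes, "close" for ordinary HTTP requests.
map \$http_upgrade \$connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    server_name ${domain};

    # ACME HTTP-01 challenge files written by certbot --webroot
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://\$host\$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name ${domain};

    ssl_certificate     /etc/letsencrypt/live/${domain}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://app:8080;
        proxy_set_header Host              \$host;
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }

    location /ws {
        proxy_pass http://app:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    \$http_upgrade;
        proxy_set_header Connection \$connection_upgrade;
        proxy_set_header Host       \$host;
        proxy_read_timeout 86400s;
        proxy_send_timeout 86400s;
    }
}
EOF
}

# Check a rendered config file for the directives the deployment depends on.
# Prints the first missing directive and returns 1; returns 0 when all are present.
check_nginx_conf() {
    conf="$1"
    for directive in 'listen 443 ssl' 'ssl_certificate ' 'ssl_certificate_key' \
                     'ssl_protocols' 'return 301 https://' \
                     'proxy_set_header Upgrade' 'proxy_http_version 1.1' \
                     'acme-challenge'; do
        if ! grep -q -- "$directive" "$conf"; then
            echo "missing: $directive"
            return 1
        fi
    done
    return 0
}

# Usage: DOMAIN=yourdomain.com ./gen-nginx-conf.sh
main() {
    mkdir -p ./nginx/conf
    render_nginx_conf "$DOMAIN" > ./nginx/conf/app.conf
    check_nginx_conf ./nginx/conf/app.conf && echo "wrote ./nginx/conf/app.conf for $DOMAIN"
}

# Only run when a domain was supplied, so the functions can also be sourced.
if [ -n "${DOMAIN:-}" ]; then
    main
fi
```

Run it once per environment with the same DOMAIN value the .env file carries, then `docker-compose exec nginx nginx -t` confirms Nginx itself accepts the result before a reload.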
