Docker

Docker Installation and Usage Guide

Installing the Docker Environment

Install Docker and Docker Compose on Ubuntu.

Docker Compose V2 is integrated as a Docker CLI plugin; the command is docker compose (with a space), not the legacy docker-compose (with a hyphen).

Method 1: Install from the official repository

sh
sudo apt-get update
sudo apt-get install -y ca-certificates curl gnupg

# Add Docker's official GPG key
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | \
  sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg

# Add Docker's official stable repository
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] \
  https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

# Update the package index
sudo apt-get update

# Install the Docker components
sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

# Check that Docker works
docker --version
sudo docker run hello-world

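Method 2: Install from a mirror in China (recommended)

For servers in mainland China; uses the Tencent Cloud mirror to speed up installation.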

sh
# 1. Remove old versions (if any; errors can be ignored)
sudo apt remove docker docker-engine docker.io containerd runc

# 2. Update the system and install the required dependencies
sudo apt update
sudo apt install -y ca-certificates curl gnupg lsb-release

# 3. Create the keyring directory
sudo install -m 0755 -d /etc/apt/keyrings

# 4. Add the Docker GPG key (Tencent Cloud mirror)
curl -fsSL https://mirrors.cloud.tencent.com/docker-ce/linux/ubuntu/gpg | \
  sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg

# 5. Add the Docker APT repository
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] \
  https://mirrors.cloud.tencent.com/docker-ce/linux/ubuntu \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

# 6. Update the package index and install
sudo apt update
sudo apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

# 7. Start the Docker service
sudo systemctl start docker
sudo systemctl enable docker

# 8. Verify the installation
sudo docker --version
sudo docker compose version
sudo docker run hello-world
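
In method 2 the signing key is downloaded from the same mirror as the packages, so APT's signature check only shows that the mirror agrees with itself. The following added example (not part of the original guide) installs the key only after its fingerprint matches a value obtained separately; the function names are this example's own and EXPECTED_FPR is a placeholder to fill in from Docker's official installation documentation.

```sh
#!/bin/sh
# Added example, not from the original page. EXPECTED_FPR is a placeholder:
# take the fingerprint from Docker's official install docs, not from the mirror.

# Print the primary-key fingerprint from `gpg --with-colons` output on stdin.
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Fingerprint of the first key in an armored or binary key file.
key_fingerprint() {
    gpg --show-keys --with-colons "$1" 2>/dev/null | fpr_from_colons
}

# Succeed only if the file's fingerprint equals the expected one
# (spaces and letter case in the expected value are ignored).
verify_key_file() {
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    got=$(key_fingerprint "$1")
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Download a key and write it to the keyring only after the fingerprint matches.
install_verified_key() {
    tmp=$(mktemp) || return 1
    if curl -fsSL "$1" -o "$tmp" && verify_key_file "$tmp" "$2"; then
        sudo gpg --batch --yes --dearmor -o "$3" < "$tmp"
        rc=$?
    else
        echo "download failed or fingerprint mismatch: $1" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage (mirror URL from step 4 above):
# install_verified_key https://mirrors.cloud.tencent.com/docker-ce/linux/ubuntu/gpg \
#     "$EXPECTED_FPR" /etc/apt/keyrings/docker.gpg
```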

Configuring User Permissions

sh
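# Add the current user to the docker group (avoids typing sudo every time)
sudo usermod -aG docker "$USER"

# Apply the group change (requires logging in again, or run this)
newgrp docker

# Verify permissions
docker ps
docker compose version

After running usermod, log out of the terminal and log back in for the docker group membership to take effect, or run newgrp docker to activate it in the current shell. Membership in the docker group is equivalent to root access on the host, so add only accounts you would already trust with sudo.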

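Configuring Registry Mirrors (optional)

For servers in mainland China, configuring registry mirrors is recommended to speed up image pulls: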

sh
sudo mkdir -p /etc/docker
sudo tee /etc/docker/daemon.json <<-'EOF'
{
  "registry-mirrors": [
    "https://docker.mirrors.ustc.edu.cn",
    "https://mirror.ccs.tencentyun.com"
  ]
}
EOF

# Restart the Docker service to apply the configuration
sudo systemctl daemon-reload
sudo systemctl restart docker

# Verify the registry mirror configuration
sudo docker info | grep -A 5 "Registry Mirrors"

Deploying Nginx with Docker

Create the project structure

sh
mkdir -p ~/nginx/{conf,html,logs,ssl}
cd ~/nginx

Configuration files

docker-compose.yml
services:
  nginx:
    image: nginx:latest
    container_name: nginx
    restart: always
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./conf/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./conf/default.conf:/etc/nginx/conf.d/default.conf:ro
      - ./html:/usr/share/nginx/html:ro
      - ./ssl:/etc/nginx/ssl:ro
      - ./logs:/var/log/nginx
    networks:
      - webnet

networks:
  webnet:
    driver: bridge

Start the service

sh
cd ~/nginx
docker compose up -d

# Check container status
docker compose ps

# View logs
docker compose logs -f nginx

# Test the configuration
docker exec nginx nginx -t

Visit http://your_server_ip to confirm that the deployment succeeded.

Cloudflare SSL Configuration

Add a DNS record

Add a DNS record in the Cloudflare dashboard:

  1. Log in to the Cloudflare Dashboard
  2. Select the domain → DNS → Records → Add record
  3. Configure:
    • Type: A
    • Name: server (or another subdomain)
    • IPv4 address: the server's public IP
    • Proxy status: 🟠 Proxied (recommended)
    • TTL: Auto

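Create an Origin certificate

Open certificate management

Cloudflare Dashboard → SSL/TLS → Origin Server → Create Certificate

Configure the certificate options

  • Private key type: RSA (2048)
  • Hostnames: example.com, *.example.com
  • Certificate Validity: 15 years

Save the certificate files

Save the certificate and private key to the ~/nginx/ssl/ directory on the server: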

sh
# Create the certificate file
cat > ~/nginx/ssl/example.com.pem << 'EOF'
-----BEGIN CERTIFICATE-----
[paste the Origin Certificate contents]
-----END CERTIFICATE-----
EOF

# Create the private key file
cat > ~/nginx/ssl/example.com.key << 'EOF'
-----BEGIN PRIVATE KEY-----
[paste the Private Key contents]
-----END PRIVATE KEY-----
EOF

# Set permissions
chmod 600 ~/nginx/ssl/*.key
chmod 644 ~/nginx/ssl/*.pem

Configuring Nginx SSL

Create the SSL site configuration:

conf/server.example.com.conf
server {
    listen 80;
    server_name server.example.com;
    
    # Force HTTPS
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name server.example.com;
    
    # SSL certificate configuration
    ssl_certificate /etc/nginx/ssl/example.com.pem;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    
    # SSL tuning
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    
    # Security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    
    # Site root directory
    root /usr/share/nginx/html;
    index index.html index.htm;
    
    location / {
        try_files $uri $uri/ =404;
    }
    
    # Logs
    access_log /var/log/nginx/server.example.com.access.log;
    error_log /var/log/nginx/server.example.com.error.log;
}

Update docker-compose.yml to add the configuration mount:

docker-compose.yml
services:
  nginx:
    image: nginx:latest
    container_name: nginx
    restart: always
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./conf/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./conf/default.conf:/etc/nginx/conf.d/default.conf:ro
      - ./conf/server.example.com.conf:/etc/nginx/conf.d/server.example.com.conf:ro  # newly added mount
      - ./html:/usr/share/nginx/html:ro
      - ./ssl:/etc/nginx/ssl:ro
      - ./logs:/var/log/nginx
    networks:
      - webnet

networks:
  webnet:
    driver: bridge

Restart the service:

sh
docker compose down
docker compose up -d
docker exec nginx nginx -t
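
A preflight check for the layout above, as an added example that is not part of the original guide: it confirms that every bind-mount source named in docker-compose.yml is a regular file, that the private key grants nothing to group or others, and that the certificate and key belong together. The function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the original page): preflight for the ~/nginx layout.
# Function names are assumptions; stat -c is GNU coreutils (Ubuntu).

# Bind-mount sources must already be regular files: if one is missing, Docker
# creates an empty directory at that path and the container fails to start.
check_mount_files() {
    rc=0
    for f in conf/nginx.conf conf/default.conf conf/server.example.com.conf \
             ssl/example.com.pem ssl/example.com.key; do
        if [ ! -f "$1/$f" ]; then
            echo "missing or not a regular file: $1/$f" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Private keys must grant nothing to group or others (e.g. 600 or 400).
check_key_modes() {
    rc=0
    for k in "$1"/ssl/*.key; do
        [ -e "$k" ] || continue
        mode=$(stat -c '%a' "$k")
        case "$mode" in
            ?00) ;;
            *) echo "key mode $mode is too permissive: $k" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}

# The certificate and the key must carry the same public key.
check_cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

preflight() {
    ok=0
    check_mount_files "$1" || ok=1
    check_key_modes "$1" || ok=1
    check_cert_matches_key "$1/ssl/example.com.pem" "$1/ssl/example.com.key" ||
        { echo "certificate and key do not match" >&2; ok=1; }
    return "$ok"
}

# Runs only when a project directory is passed: sh preflight.sh ~/nginx
if [ "$#" -gt 0 ]; then preflight "$1"; fi
```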

Set the SSL/TLS mode

The correct SSL/TLS mode must be set in the Cloudflare dashboard, otherwise errors will occur.

In Cloudflare Dashboard → SSL/TLS → Overview, select:

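| Mode          | Description                                  | Recommended               |
|---------------|----------------------------------------------|---------------------------|
| Off           | No encryption                                |                           |
| Flexible      | Cloudflare connects to the origin over HTTP  | ❌ Causes a redirect loop |
| Full          | Cloudflare connects to the origin over HTTPS |                           |
| Full (strict) | Validates the origin certificate             | ✅ Recommended            |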

Verify the configuration

sh
# Test HTTPS
curl -I https://server.example.com

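# View certificate information (with the record proxied, this is Cloudflare's edge certificate, not the Origin certificate)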
curl -vI https://server.example.com 2>&1 | grep -E "(subject|issuer|expire)"

Common commands

sh
# Container management
docker compose up -d          # start
docker compose down           # stop
docker compose restart        # restart
docker compose ps             # show status
docker compose logs -f nginx  # view logs

# Nginx operations
docker exec nginx nginx -t        # test the configuration
docker exec nginx nginx -s reload # reload the configuration

# Open a shell in the container
docker exec -it nginx /bin/sh

Full project structure

~/nginx/
├── docker-compose.yml
├── conf/
│   ├── nginx.conf
│   ├── default.conf
│   └── server.example.com.conf
├── html/
│   └── index.html
├── ssl/
│   ├── example.com.pem
│   └── example.com.key
└── logs/
    ├── access.log
    └── error.log
Copyright © 2024 - 2025 YiXuan - MIT License