在 Ubuntu 上部署 Docker 并安装 Portainer 进行管理

安装 Nginx

1	apt install nginx

安装 Nginx UI

安装

1	bash -c "$(curl -L https://cloud.nginxui.com/install.sh)" @ install

删除（配置，数据库除外）

1	bash -c "$(curl -L https://cloud.nginxui.com/install.sh)" @ remove

帮助

1	bash -c "$(curl -L https://cloud.nginxui.com/install.sh)" @ help

启用 Stream

# 或者安装完整模块包
apt install libnginx-mod-stream

# 创建所需目录
mkdir -p /etc/nginx/streams-available
mkdir -p /etc/nginx/streams-enabled

nginx -t
systemctl reload nginx
systemctl restart nginx-ui

进入 Nginx UI 后会提示修复 Streams 目录,点击修复


### 反向代理例子

```nginx
server {
    listen          80;
    listen          [::]:80;

    server_name     <your_server_name>;
    rewrite ^(.*)$  https://$host$1 permanent;
}

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen  443       ssl;
    listen  [::]:443  ssl;
    http2   on;

    server_name         <your_server_name>;

    ssl_certificate     /path/to/ssl_cert;
    ssl_certificate_key /path/to/ssl_cert_key;

    location / {
        proxy_set_header    Host                $host;
        proxy_set_header    X-Real-IP           $remote_addr;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto   $scheme;
        proxy_http_version  1.1;
        proxy_set_header    Upgrade             $http_upgrade;
        proxy_set_header    Connection          $connection_upgrade;
        proxy_pass          http://127.0.0.1:9000/;
    }
}

部署 Docker 并安装 Portainer

系统准备

1 2	sudo apt update && sudo apt upgrade -y sudo apt install -y ca-certificates curl gnupg lsb-release

添加 Docker 官方仓库

# 创建 keyrings 目录
sudo install -m 0755 -d /etc/apt/keyrings

# 下载 GPG 密钥
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
  -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

# 添加 apt 软件源
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] \
  https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

# 或者使用南京大学源
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] \
  https://mirrors.nju.edu.cn/docker-ce/linux/debian \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" \
  | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
  
sudo apt update

安装 Docker Engine

1 2	sudo apt install -y docker-ce docker-ce-cli containerd.io \ docker-buildx-plugin docker-compose-plugin

验证安装：

1 2	docker --version sudo docker run hello-world

启动服务 & 配置免 sudo 权限

1
2
3

# 设置开机自启
sudo systemctl enable docker
sudo systemctl start docker

创建 Portainer 数据卷

1	docker volume create portainer_data

运行 Portainer 容器

docker run -d \
  --name portainer \
  --restart=always \
  -p 8000:8000 \
  -p 9443:9443 \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v portainer_data:/data \
  portainer/portainer-ce:latest

访问 Portainer Web 界面

1	https://<你的服务器IP>:9443

常用管理命令

docker stop portainer      # 停止
docker start portainer     # 启动
docker logs portainer      # 查看日志
docker pull portainer/portainer-ce:latest && \
  docker stop portainer && docker rm portainer  # 更新（再重新执行 run 命令）

升级 Portainer

# 拉取最新镜像
docker pull portainer/portainer-ce:latest

# 停止并删除旧容器
docker stop portainer
docker rm portainer

# 重新运行容器
docker run -d \
  --name portainer \
  --restart=always \
  -p 8000:8000 \
  -p 9443:9443 \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v portainer_data:/data \
  portainer/portainer-ce:latest

安装 Webmin

# 安装 Webmin
curl -o setup-repos.sh https://raw.githubusercontent.com/webmin/webmin/master/setup-repos.sh
sh setup-repos.sh
apt install -y webmin

systemctl restart webmin

# 访问地址
https://IP:10000

# 登录用户名密码为 Linux 系统用户及密码

安装 ufw

1 2	apt install -y ufw ufw enable

UFW 常用命令对比

ufw version           #查看版本信息
ufw enable            #启用防火墙
ufw disable           #禁用防火墙
ufw reload            #重载防火墙
ufw reset             #重新设置防火墙 (注意：这将禁用UFW并删除之前定义的任何规则)
ufw verbose           #查看防火墙策略

#设置UFW默认策略
ufw default allow outgoing
ufw deault deny incoming

#按照范围开通端口
ufw allow 9000:9002/tcp
ufw allow 9000:9002/udp

#只允许或者拒绝某IP访问
ufw allow from 192.168.29.36 #允许
ufw deny from 192.168.29.36  #拒绝
ufw allow from 192.168.1.0/24 #允许
ufw deny from 192.168.1.0/24 #拒绝

#指定IP地址连接特定的端口
ufw allow from 192.168.29.36 to any port 80 #允许
ufw deny from 192.168.29.36 to any port 80 #

#指定IP地址连接特定的端口某协议
#允许
ufw allow from 192.168.29.36 to any port 80 proto tcp
ufw allow from 192.168.29.36 to any port 80 proto udp
#拒绝
ufw deny from 192.168.29.36 to any port 80 proto tcp
ufw deny from 192.168.29.36 to any port 80 proto udp

# 查看所有规则（直观）
ufw status verbose

# 开端口
ufw allow 443/tcp

# 关端口  
ufw deny 80/tcp

# 删除规则
ufw status numbered
ufw delete 2    # 删除第2条
ufw delete allow 80/tcp   # 删除规则

问题:无论怎样设置都无法使用 ACME 自动更新证书

解决方案: 使用 acme.sh

安装 acme.sh

# 安装 acme.sh
curl https://get.acme.sh | sh -s email=solin.zhan@gmail.com

# 让环境变量生效
source ~/.bashrc

# 验证安装成功
acme.sh --version

修改站点配置，添加以下内容：

server {
    listen 80;
    server_name blog.120528.xyz;

    location /.well-known/acme-challenge/ {
        root /var/www/html;
        try_files $uri =404;
    }
}

1
2
3

systemctl restart nginx-ui

ls ~/.acme.sh/acme.sh

申请证书

1	acme.sh --issue -d blog.120528.xyz --webroot /var/www/html --server letsencrypt

安装证书并设置自动更新

1
2
3

mkdir /etc/nginx/ssl/blog.120528.xyz

acme.sh --install-cert -d blog.120528.xyz --fullchain-file /etc/nginx/ssl/blog.120528.xyz/fullchain.pem --key-file /etc/nginx/ssl/blog.120528.xyz/key.pem --reloadcmd "systemctl reload nginx"