使用 Docker over HTTPS 裝載 ASP.NET Core 映射Hosting ASP.NET Core images with Docker over HTTPS

作者:Rick AndersonBy Rick Anderson

ASP.NET Core 預設會使用 HTTPSASP.NET Core uses HTTPS by default. HTTPS 依賴 憑證 來進行信任、身分識別和加密。HTTPS relies on certificates for trust, identity, and encryption.

本檔說明如何使用 HTTPS 執行預先建立的容器映射。This document explains how to run pre-built container images with HTTPS.

請參閱 使用 Docker OVER HTTPS 開發 適用于開發案例的 ASP.NET Core 應用程式。See Developing ASP.NET Core Applications with Docker over HTTPS for development scenarios.

此範例需要 docker 17.06 或更新版本的 docker 用戶端This sample requires Docker 17.06 or later of the Docker client.

PrerequisitesPrerequisites

本檔中的部分指示需要 .Net Core 2.2 SDK 或更新版本。The .NET Core 2.2 SDK or later is required for some of the instructions in this document.

憑證Certificates

網域的生產環境裝載需要證書頒發機構單位的憑證。A certificate from a certificate authority is required for production hosting for a domain. Let's Encrypt 是提供免費憑證的憑證授權單位單位。Let's Encrypt is a certificate authority that offers free certificates.

本檔使用 自我簽署的開發憑證 來裝載預先建立的映射 localhostThis document uses self-signed development certificates for hosting pre-built images over localhost. 這些指示與使用生產憑證類似。The instructions are similar to using production certificates.

針對生產憑證:For production certs:

  • dotnet dev-certs這是不必要的工具。The dotnet dev-certs tool is not required.
  • 憑證不需要儲存在指示中所使用的位置。Certificates do not need to be stored in the location used in the instructions. 任何位置都應該可以運作,但不建議將憑證儲存在您的網站目錄中。Any location should work, although storing certs within your site directory is not recommended.

下列章節中包含的指示會使用 Docker 的命令列選項,將憑證掛接到容器中 -vThe instructions contained in the following section volume mount certificates into containers using Docker's -v command-line option. 您可以使用 Dockerfile 中的命令,將憑證新增至容器映射中 COPY ,但不建議這麼做。 DockerfileYou could add certificates into container images with a COPY command in a Dockerfile, but it's not recommended. 基於下列原因,不建議將憑證複製到映射:Copying certificates into an image isn't recommended for the following reasons:

  • 使用相同的映射測試開發人員憑證會很困難。It makes difficult to use the same image for testing with developer certificates.
  • 使用相同的映射來裝載生產憑證會很困難。It makes difficult to use the same image for Hosting with production certificates.
  • 憑證洩漏有很大的風險。There is significant risk of certificate disclosure.

使用 HTTPS 執行預先建立的容器映射Running pre-built container images with HTTPS

針對您的作業系統設定,請使用下列指示。Use the following instructions for your operating system configuration.

使用 Linux 容器的 WindowsWindows using Linux containers

產生憑證並設定本機電腦:Generate certificate and configure local machine:

dotnet dev-certs https -ep %USERPROFILE%\.aspnet\https\aspnetapp.pfx -p { password here }
dotnet dev-certs https --trust

在上述命令中,以 { password here } 密碼取代。In the preceding commands, replace { password here } with a password.

使用命令 shell 中針對 HTTPS 設定的 ASP.NET Core 來執行容器映射:Run the container image with ASP.NET Core configured for HTTPS in a command shell:

docker pull mcr.microsoft.com/dotnet/core/samples:aspnetapp
docker run --rm -it -p 8000:80 -p 8001:443 -e ASPNETCORE_URLS="https://+;http://+" -e ASPNETCORE_HTTPS_PORT=8001 -e ASPNETCORE_Kestrel__Certificates__Default__Password="password" -e ASPNETCORE_Kestrel__Certificates__Default__Path=/https/aspnetapp.pfx -v %USERPROFILE%\.aspnet\https:/https/ mcr.microsoft.com/dotnet/core/samples:aspnetapp

使用 PowerShell時,請將取代 %USERPROFILE%$env:USERPROFILEWhen using PowerShell, replace %USERPROFILE% with $env:USERPROFILE.

密碼必須符合憑證所用的密碼。The password must match the password used for the certificate.

macOS 或 LinuxmacOS or Linux

產生憑證並設定本機電腦:Generate certificate and configure local machine:

dotnet dev-certs https -ep ${HOME}/.aspnet/https/aspnetapp.pfx -p { password here }
dotnet dev-certs https --trust

dotnet dev-certs https --trust 只有在 macOS 和 Windows 上才支援。dotnet dev-certs https --trust is only supported on macOS and Windows. 您必須以散發套件支援的方式來信任 Linux 上的憑證。You need to trust certs on Linux in the way that is supported by your distribution. 您很可能需要信任您瀏覽器中的憑證。It is likely that you need to trust the certificate in your browser.

在上述命令中,以 { password here } 密碼取代。In the preceding commands, replace { password here } with a password.

使用針對 HTTPS 設定的 ASP.NET Core 來執行容器映射:Run the container image with ASP.NET Core configured for HTTPS:

docker pull mcr.microsoft.com/dotnet/core/samples:aspnetapp
docker run --rm -it -p 8000:80 -p 8001:443 -e ASPNETCORE_URLS="https://+;http://+" -e ASPNETCORE_HTTPS_PORT=8001 -e ASPNETCORE_Kestrel__Certificates__Default__Password="password" -e ASPNETCORE_Kestrel__Certificates__Default__Path=/https/aspnetapp.pfx -v ${HOME}/.aspnet/https:/https/ mcr.microsoft.com/dotnet/core/samples:aspnetapp

密碼必須符合憑證所用的密碼。The password must match the password used for the certificate.

使用 Windows 容器的 windowsWindows using Windows containers

產生憑證並設定本機電腦:Generate certificate and configure local machine:

dotnet dev-certs https -ep %USERPROFILE%\.aspnet\https\aspnetapp.pfx -p { password here }
dotnet dev-certs https --trust

在上述命令中,以 { password here } 密碼取代。In the preceding commands, replace { password here } with a password. 使用 PowerShell時,請將取代 %USERPROFILE%$env:USERPROFILEWhen using PowerShell, replace %USERPROFILE% with $env:USERPROFILE.

使用針對 HTTPS 設定的 ASP.NET Core 來執行容器映射:Run the container image with ASP.NET Core configured for HTTPS:

docker pull mcr.microsoft.com/dotnet/core/samples:aspnetapp
docker run --rm -it -p 8000:80 -p 8001:443 -e ASPNETCORE_URLS="https://+;http://+" -e ASPNETCORE_HTTPS_PORT=8001 -e ASPNETCORE_Kestrel__Certificates__Default__Password="password" -e ASPNETCORE_Kestrel__Certificates__Default__Path=\https\aspnetapp.pfx -v %USERPROFILE%\.aspnet\https:C:\https\ mcr.microsoft.com/dotnet/core/samples:aspnetapp

密碼必須符合憑證所用的密碼。The password must match the password used for the certificate. 使用 PowerShell時,請將取代 %USERPROFILE%$env:USERPROFILEWhen using PowerShell, replace %USERPROFILE% with $env:USERPROFILE.