After a long afternoon, I found docker’s solution.
github：https://github.com/JrCs/docke …

Pick out the important key parts

Separate Containers (recommended method)

nginx proxy can also be run as two separate containers using thejwilder/docker-gen
image and the officialnginximage.

You may want to do this to prevent having the docker socket bound to a publicly exposed container service (avoid to mount the docker socket in the ngin x exposed container). It’s better in a security point of view.

To run nginx proxy as a separate container you’ll need:

1) To mount the template filenginx.tmplinto the docker-gen container. You can get the latest officialnginx.tmplwith a command like:

curl https://raw.githubusercontent.com/jwilder/nginx-proxy/master/nginx.tmpl > /path/to/nginx.tmpl

2) Set theNGINX_DOCKER_GEN_CONTAINERenvironment variable to the name or id of the docker-gen container.

Examples:

• First start nginx (official image) with volumes:

$ docker run -d -p 80:80 -p 443:443 \
 --name nginx \
 -v /etc/nginx/conf.d  \
 -v /etc/nginx/vhost.d \
 -v /usr/share/nginx/html \
 -v /path/to/certs:/etc/nginx/certs:ro \
 --label com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy=true \
 nginx

• Second start the docker-gen container with the shared volumes and the template file:

$ docker run -d \
 --name nginx-gen \
 --volumes-from nginx \
 -v /path/to/nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl:ro \
 -v /var/run/docker.sock:/tmp/docker.sock:ro \
 jwilder/docker-gen \
 -notify-sighup nginx -watch -wait 5s:30s /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf

• Then start this container (NGINX_DOCKER_GEN_CONTAINER variable must contain the docker-gen container name or id):

$ docker run -d \
 --name nginx-letsencrypt \
 -e "NGINX_DOCKER_GEN_CONTAINER=nginx-gen" \
 --volumes-from nginx \
 -v /path/to/certs:/etc/nginx/certs:rw \
 -v /var/run/docker.sock:/var/run/docker.sock:ro \
 jrcs/letsencrypt-nginx-proxy-companion

Then start any containers to be proxied as described previously.

• If for some reason you can’t use the docker –volumes-from option, you can specify the name or id of the nginx container withNGINX_PROXY_CONTAINERvariable.

Let’s Encrypt

To use the Let’s Encrypt service to automatically create a valid certificate for virtual host(s).

Set the following environment variables to enable Let’s Encrypt support for a container being proxied. This environment variables need to be declared in each to-be-proxied application containers.

• LETSENCRYPT_HOST

• LETSENCRYPT_EMAIL

TheLETSENCRYPT_HOSTvariable most likely needs to be the same as theVIRTUAL_HOSTvariable and must be publicly reachable domains. Specify multiple hosts with a comma delimiter.

The following environment variables are optional and parameterize the way the Let’s Encrypt client works.

• LETSENCRYPT_KEYSIZE

TheLETSENCRYPT_KEYSIZEvariable determines the size of the requested key (in bit, defaults to 4096).

multi-domain (SAN) certificates

If you want to create multi-domain (SAN) certificates add the base domain as the first domain of theLETSENCRYPT_HOSTenvironment variable.

test certificates

If you want to create test certificates that don’t have the 5 certs/week/domain limits define theLETSENCRYPT_TESTenvironment variable with a value oftrue(in the containers where you request certificates with LETSENCRYPT_HOST). If you want to do this globally for all containers, set ACME_CA_URI as described below.

Automatic certificate renewal

Every hour (3600 seconds) the certificates are checked and every certificate that will expire in the next30 days(90 days / 3) are renewed.

Example:

$ docker run -d \
 --name example-app \
 -e "VIRTUAL_HOST=example.com,www.example.com,mail.example.com" \
 -e "LETSENCRYPT_HOST=example.com,www.example.com,mail.example.com" \
 -e "LETSENCRYPT_EMAIL=foo@bar.com" \
 tutum/apache-php

Optional container environment variables

Optional letsencrypt-nginx-proxy-companion container environment variables for custom configuration.

• ACME_CA_URI– Directory URI for the CA ACME API endpoint (default:https://acme-v01.api.letsencrypt.org/directory). If you set it’s value tohttps://acme-staging.api.letsencrypt.org/directoryletsencrypt will use test servers that don’t have the 5 certs/week/domain limits. You can also create test certificates per container (seelet’s encrypt test certificates)

For example

$ docker run -d \
 -e "ACME_CA_URI=https://acme-staging.api.letsencrypt.org/directory" \
 -v /path/to/certs:/etc/nginx/certs:rw \
 --volumes-from nginx-proxy \
 -v /var/run/docker.sock:/var/run/docker.sock:ro \
 jrcs/letsencrypt-nginx-proxy-companion

• DEBUG– Set it totrueto enable debugging of the entrypoint script and generation of LetsEncrypt certificates, which could help you pin point any configuration issues.

• The “com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy=true” label – set this label on the nginx-proxy container to tell the docker-letsenc rypt-nginx-proxy-companion container to use it as the proxy.

• ACME_TOS_HASH– Let´s you pass an alternative TOS hash to simp_le, to support other CA´s ACME implentation.

Examples:

If you want other examples how to use this container, look at:

• Karl Fathi’s Examples

• More examples from Karl

• George Ilyes’ Examples

• Dmitry’s simple docker-compose example

Note that there is a pit here, and I blame myself for not seeing it clearly. If the mirror has already exposed the port, set VIRTUAL_HOST, LETSENCRYPT_HOST, and LETSENCRYPT_EMAIL. If not, then I have to add myself after setting the three environment variables-the application service port parameter in the expose container is started. If the container is discourse, you have to set the environment variable in app.yml and change the port mapping from 80:80 to unoccupied port: 80, then save the rebuild and start.