This is a lightweight Docker NGINX image ready to use Let's Encrypt, which means you can serve TLS-encrypted connections from this NGINX and manage free SSL/TLS certificates.
To create a container from this image, use the following command.
docker run -d \
-p 80:80 \
-p 443:443 \
-v $PWD/nginx.conf:/etc/nginx/nginx.conf \
-v $PWD/conf.d:/etc/nginx/conf.d \
-v $PWD/letsencrypt:/etc/letsencrypt \
-v $PWD/logs:/var/log/nginx \
--name nginx \
--restart always \
mariowise/nginx-letsencrypt:latest;
Note that this command bind-mounts four host paths into the container: /etc/nginx/nginx.conf
to configure and tune our NGINX, the /etc/nginx/conf.d
folder to add new sites, the /etc/letsencrypt folder so that the certificates, private keys and
certbot's renewal state live on the host and survive re-creating the container, and /var/log/nginx
so the access and error logs are kept on the host. Because ./letsencrypt on the host now holds the
private keys, restrict access to that directory to the user who runs Docker.
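Since the bind mount places the private keys on the host, the following script is an added example (not part of the image or of this page's original text) that audits the host copy of the letsencrypt directory for private keys readable or writable by group or others, and optionally tightens them. It assumes certbot's standard layout (live/<domain>/privkey.pem is a symlink into archive/<domain>/privkeyN.pem); the function names and the --fix flag are mine.

```shell
#!/bin/sh
# Added example, not part of the image. Audits a host-mounted letsencrypt
# directory (e.g. $PWD/letsencrypt) for private keys exposed to group/others.

# find_exposed_keys DIR -> prints regular files named privkey*.pem that are
# readable or writable by group or others. certbot keeps the real key files
# under archive/; live/ only holds symlinks, which -type f skips.
find_exposed_keys() {
    find "$1" -type f -name 'privkey*.pem' \
        \( -perm -g+r -o -perm -g+w -o -perm -o+r -o -perm -o+w \) 2>/dev/null
}

# audit_le_dir DIR -> exit 0 if no key is exposed, 1 otherwise (offenders on stderr)
audit_le_dir() {
    exposed=$(find_exposed_keys "$1")
    if [ -n "$exposed" ]; then
        printf 'exposed private key(s) under %s:\n%s\n' "$1" "$exposed" >&2
        return 1
    fi
    return 0
}

# fix_le_perms DIR -> owner-only access to the key files and to the directories
# that hold them, then re-audit. NGINX's master process runs as root inside the
# container and reads the files at start/reload, so owner-only is enough.
fix_le_perms() {
    find "$1" -type f -name 'privkey*.pem' -exec chmod 600 {} +
    for d in "$1/archive" "$1/live"; do
        [ -d "$d" ] && chmod 700 "$d"
    done
    audit_le_dir "$1"
}

# usage: sh le-perms.sh ./letsencrypt [--fix]
if [ $# -gt 0 ]; then
    if [ "${2:-}" = "--fix" ]; then fix_le_perms "$1"; else audit_le_dir "$1"; fi
fi
```

Run it as the same user that owns the ./letsencrypt directory; a non-zero exit from the audit is a good signal to wire into whatever backup or deployment job copies that directory elsewhere.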
The NGINX server configuration files must be placed under the ./conf.d
folder. Here is an example of a simple server that proxies every request to an upstream.
upstream some.some.com {
    server 123.123.123.123:80;
}

server {
    server_name some.some.com;
    listen 80;

    location / {
        proxy_pass http://some.some.com;
    }
}
Now every time our NGINX receives a request for the host some.some.com,
it connects to 123.123.123.123 on port 80, forwards the request and returns the upstream's response to the client. Note that this hop to the upstream is plain HTTP: acceptable on a trusted private network, but it is not encrypted.
Adding a certificate is straightforward. Let's say our nginx-letsencrypt
container is running under the name nginx. First we get a shell inside the container.
docker exec -it nginx bash
From inside the container we can now run the certbot-auto
program. The following command starts an interactive prompt that creates the certificate for a given site.
./certbot-auto --nginx certonly
The --nginx plugin answers the ACME HTTP-01 challenge through the running NGINX, so the site must already have a server block on port 80 with the matching server_name (like the one above) and port 80 must be reachable from the Internet, since Let's Encrypt validates by connecting to it. certonly only obtains the certificate; it does not edit the NGINX configuration, which we do by hand below. The Certbot project has since deprecated certbot-auto; on current images the same commands work with certbot in place of ./certbot-auto.
After the certificate is issued it ends up in /etc/letsencrypt/live/some.some.com/
(on the host: ./letsencrypt/live/some.some.com/). There we find fullchain.pem (the certificate plus the intermediate chain) and privkey.pem (the private key). Both are symlinks to versioned files under /etc/letsencrypt/archive/, which is why the whole /etc/letsencrypt directory is mounted and not only live/. Let's Encrypt certificates are valid for 90 days, so renewal (./certbot-auto renew, followed by an NGINX reload so the new files are picked up) must run regularly, for example from cron on the host.
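The following host-side script is an added example (not part of the image or of this page's original text) that automates the renewal step: it checks how long the current certificate remains valid, and only when it is within the renewal window runs certbot-auto renew inside the container, validates the configuration and reloads NGINX. It assumes the container name nginx and the ./letsencrypt bind mount from the docker run command above, and that ./certbot-auto is on the container's working directory as in the command above; the variables LE_DIR, CONTAINER and DOCKER and the function names are mine.

```shell
#!/bin/sh
# Added example, not the image's own tooling. Assumes the container is named
# "nginx" and that /etc/letsencrypt is bind-mounted from $PWD/letsencrypt.
LE_DIR="${LE_DIR:-$PWD/letsencrypt}"
CONTAINER="${CONTAINER:-nginx}"
DOCKER="${DOCKER:-docker}"   # override (e.g. DOCKER=true) to dry-run the docker steps

# cert_expires_within FILE DAYS
# Exit 0 when the certificate in FILE expires within DAYS days (or cannot be
# read at all), exit 1 when it is still valid beyond that window.
cert_expires_within() {
    secs=$(( $2 * 86400 ))
    # openssl exits 0 when the cert will NOT expire within the window and 1 when
    # it will; a missing file or bad PEM also fails, which lands in the renew branch.
    if openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# renew_if_needed DOMAIN [DAYS]
# Renews when the cert for DOMAIN is within DAYS (default 30) of expiry, then
# validates the NGINX config and reloads it so the new cert is actually served.
renew_if_needed() {
    domain="$1"; days="${2:-30}"
    cert="$LE_DIR/live/$domain/fullchain.pem"
    if ! cert_expires_within "$cert" "$days"; then
        echo "$domain: certificate valid for more than $days days, nothing to do"
        return 0
    fi
    echo "$domain: renewing"
    # certbot renew only touches certificates that are actually due; its state
    # lives under /etc/letsencrypt, i.e. the host directory $LE_DIR.
    $DOCKER exec "$CONTAINER" ./certbot-auto renew --non-interactive --quiet || return 1
    # Never reload with a broken config: nginx -t checks the syntax and that the
    # certificate and key files load.
    $DOCKER exec "$CONTAINER" nginx -t || return 1
    $DOCKER exec "$CONTAINER" nginx -s reload
}

# usage: sh renew.sh some.some.com 30   (e.g. from a daily cron job on the host)
if [ $# -gt 0 ]; then
    renew_if_needed "$@"
fi
```

The reload matters: NGINX reads the certificate files once at start or reload, so a renewed certificate on disk is not served until the reload runs. Running this daily is safe because renew_if_needed exits early while the certificate is still far from expiry.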
Now that we have our certificate we must do two things: redirect all incoming traffic on port 80 to port 443, and tell NGINX where to find the certificate and key so it can establish a proper TLS connection. The original page repeated the port-80 block twice and redirected to a different host than the one served; below is the corrected configuration, with the same server_name everywhere and only TLS 1.2 and 1.3 offered.
upstream some.some.com {
    server 123.123.123.123:80;
}

# Plain HTTP: only redirect. The target is the name this block serves, so a
# client-supplied Host header cannot steer the redirect elsewhere.
server {
    server_name some.some.com;
    listen 80;
    return 301 https://some.some.com$request_uri;
}

server {
    server_name some.some.com;
    listen 443 ssl;

    ssl_certificate /etc/letsencrypt/live/some.some.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/some.some.com/privkey.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996). TLSv1.3 needs nginx 1.13+ built
    # against OpenSSL 1.1.1+; drop it if "nginx -t" rejects the directive.
    ssl_protocols TLSv1.2 TLSv1.3;
    # TLS 1.2 suites: forward-secret AEAD only, no static RSA key exchange, no CBC/SHA1.
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    location / {
        # Proxies to the upstream block above (plain HTTP hop to 123.123.123.123:80)
        proxy_pass http://some.some.com;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Ssl on; # Optional
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Host $host;
    }
}