NGINX-LE - Nginx web and proxy with automatic let's encrypt

Simple nginx image (alpine based) with integrated Let's Encrypt support.

How to use

get docker-compose.yml and change things:
- set timezone to your local, for example TZ=UTC. For more timezone values check /usr/share/zoneinfo directory
- set LETSENCRYPT=true if you want an automatic certificate install and renewal
- LE_EMAIL should be your email and LE_FQDN for domain
- for multiple FQDNs you can pass comma-separated list, like LE_FQDN=aaa.example.com,bbb.example.com
- alternatively set LETSENCRYPT to false and pass your own cert in SSL_CERT, key in SSL_KEY and SSL_CHAIN_CERT
- use provided etc/service-example.conf to make your own etc/service.conf. Keep ssl directives as is:
```
ssl_certificate SSL_CERT;
ssl_certificate_key SSL_KEY;
ssl_trusted_certificate SSL_CHAIN_CERT;
```
make sure volumes in docker-compose.yml changed to your service config
you can map multiple custom config files to in compose using service*.conf filename pattern, see service2.conf in docker-compose.yml file for reference
pull image - docker-compose pull
if you don't want pre-built image, make you own. docker-compose build will do it
start it docker-compose up

Configuration files variables replacement

On start of the container all following text matches in custom configuration files you mounted will be replaced, variable with dollar sign ($, like $LE_FQDN) will be taken from environment, please see next table for their list.

Matching pattern	Value	nginx usage	Description
SSL_CERT	`/etc/nginx/ssl/$SSL_CERT`	`ssl_certificate`	Public SSL certificate, sent to client
SSL_KEY	`/etc/nginx/ssl/$SSL_KEY`	`ssl_certificate_key`	SSL private key, not sent to client
SSL_CHAIN_CERT	`/etc/nginx/ssl/$SSL_CHAIN_CERT`	`ssl_trusted_certificate`	Trusted SSL certificates, not sent to client
LE_FQDN	`$LE_FQDN`	`server_name`	List of domains, useful for configuration with single `server` block

Environment variables list

Variable	Default value	Description
SSL_CERT	`le-key.pem`	certbot `privkey.pem` new filename
SSL_KEY	`le-crt.pem`	certbot `fullchain.pem` new filename
SSL_CHAIN_CERT	`le-chain-crt.pem`	certbot `chain.pem` new filename
LETSENCRYPT	`false`	Enables Let's Encrypt certificate retrieval and renewal
LE_FQDN		comma-separated list of domains for Let's Encrypt certificate, required if `LETSENCRYPT` is `true`
LE_EMAIL		comma-separated list of emails for Let's Encrypt certificate, required if `LETSENCRYPT` is `true`
TZ		Timezone, if set will be written to container's `/etc/timezone`

Some implementation details

Important: provided nginx.conf handles http->https redirect automatically, no need to add it into your custom service.conf. In case if you need a custom server on http (:80) port, make sure you handle /.well-known/ path needed for LE challenge.

image uses alpine's certbot package.
script/entrypoint.sh requests LE certificate and will refresh every 10 days in case if certificate is close to expiration (30day)
script/le.sh gets SSL
nginx-le on docker-hub
A+ overall rating on ssllabs

Alternatives

Træfik HTTP reverse proxy and load balancer. Supports Let's Encrypt directly.
Caddy supports Let's Encrypt directly.
leproxy small and nice (stand alone) https reverse proxy with automatic Letsencrypt
bunch of others

Examples

Reverse proxy for WebRTC solutions, where you need multiple ports on one domain to reach different services behind your nginx-le container.

shvgn / nginx-le