This repository contains a Docker container which embeds an Nginx as reverse-proxy, linked with Let's Encrypt (using https://acme.sh) for SSL/TLS certificates.
You can find it on Docker Hub: bh42/nginx-reverseproxy-letsencrypt
The Nginx configuration is purposedly user-defined, so you can set it just the way you want.
However, you can find an example below.
This image is based upon the official Nginx repository, using the alpine version (nginx:alpine).
https://acme.sh is installed, and certificates are generated/requested during the first start.
First of all, self-signed certificates are generated, so Nginx can start with your SSL/TLS configuration.
Then, https://acme.sh is used to requested LE-signed certificates, which will replace the self-signed ones.
Two volumes are used :
/certs: all the certificates will be stored here (including dhparam.pem). You do not need to put anything by yourself, the container will do it itself./conf: place your Nginx configuration file(s) here. Annginx.confis required, the rest is up to you.
The following variables can be set:
DRYRUN: set it to whatever value to use the staging Let's Encrypt environment during your tests.KEYLENGTH: defines the key length of your Let's Encrypt certificates (1024, 2048, 4096, ec-256, ec-384, ec-521 [not supported by LE yet], etc). Default is set to 4096.EMAIL: e-mail address used to register with ZeroSSL ([https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA](acme.sh wiki))DHPARAM: defines the Diffie-Hellman parameters key length. Default is set to 2048. Be aware that it can take much time, way more than just a couple minutes.SERVICE_HOST_x/SERVICE_PROXY_x: the domain you want certificates for. Set one per domain:SERVICE_HOST_1,SERVICE_HOST_2,SERVICE_PROXY_WEBSITE,SERVICE_PROXY_API, etc.SERVICE_SUBJ_x: the self-signed certificate subject ofSERVICE_HOST_x. The expected format is the following:/C=Country code/ST=State/L=City/O=Company/OU=Organization/CN=your.domain.tld. It's not really useful, but still, it's there. UseSERVICE_SUBJ_1forSERVICE_HOST_1, etc.
Note regarding SERVICE_PROXY_x: these environment variables will automatically generate an nginx conf file named x.conf (x being lowercase'd), based on service.conf.template.
Here is an example with two domains:
docker run \
-p 80:80 \
-p 443:443 \
-v /home/user/my_nginx_conf:/conf \
-v /home/user/my_certs:/certs \
-e KEYLENGTH=ec-384 \
-e EMAIL=johndoe@gmail.com \
-e DHPARAM=4096 \
-e SERVICE_HOST_1=www.mydomain.com \
-e SERVICE_HOST_2=subdomain.mydomain.com \
-e SERVICE_PROXY_WEBSITE=website.mydomain.com \
-e SERVICE_PROXY_API=api.mydomain.com \
--name reverse-proxy \
-t -d
version: '3.7'
services:
proxy:
container_name: "proxy"
image: bh42/nginx-reverseproxy-letsencrypt:latest
environment:
- KEYLENGTH=ec-384
- EMAIL=johndoe@gmail.com
- DHPARAM=4096
- SERVICE_HOST_1=www.mydomain.com
- SERVICE_HOST_2=subdomain.mydomain.com
- SERVICE_PROXY_WEBSITE=website.mydomain.com
- SERVICE_PROXY_API=api.mydomain.com
restart: unless-stopped
tty: true
ports:
- "80:80"
- "443:443"
volumes:
- /home/user/my_certs:/certs
- /home/user/my_nginx_conf:/confSince the certificates will be stored in /certs, be sure to write your Nginx configuration file(s) accordingly!
The configuration files in /conf will be placed in /etc/nginx/conf.d in the container.
If you do not use any SERVICE_PROXY_x environment variables, you can set the conf volume in read only (:ro) mode.