
nginx docker image with some TLS preconfiguration intended for use with letsencrypt.

Primary language: Shell. License: GNU Affero General Public License v3.0 (AGPL-3.0).

docker-nginx-letsencrypt

nginx docker image based on the official nginx image with built-in config snippets for ACME webroot authentication support (for Let’s Encrypt) and zero-downtime auto-reload on configuration or certificate changes. Furthermore it comes with a config snippet for SSL/TLS which achieves an A+ rating at Qualys SSL Server Test. This image was created for use with letsencrypt-manager.


Supported tags and respective Dockerfile links

Usage

There are currently two snippets available: snippets/letsencryptauth.conf, which provides ACME webroot authentication support for Let's Encrypt, and snippets/sslconfig.conf, which holds the SSL/TLS settings.

The recommended way to run this image is via docker-compose. An example docker-compose.yml looks like this:

nginx:
  image: bringnow/nginx-letsencrypt
  volumes:
    - ./nginx.conf:/etc/nginx/nginx.conf
    - /etc/letsencrypt:/etc/letsencrypt
    - /var/acme-webroot:/var/acme-webroot
    - /srv/docker/nginx/dhparam:/etc/nginx/dhparam
  ports:
    - "80:80"
    - "443:443"
  net: "host"
  dns_search:
    - "example.com"

To use the configuration snippets, include them in your nginx.conf. A complete example config looks like this:

events {
  worker_connections 1024;
}

http {

  include snippets/letsencryptauth.conf;
  include snippets/sslconfig.conf;

  server {
    listen 443 ssl default_server;
    server_name example.com www.example.com;

    ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;

    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always;

    location / {
      # Just return a blank response
      return 200;
    }
  }
}

HTTP Strict Transport Security

Note: To achieve an A+ rating (not "only" A), you need to explicitly set the Strict-Transport-Security header in each server block (see the example above). This enables HTTP Strict Transport Security.
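As an added check (not part of this image), the POSIX sh script below audits an nginx.conf for the requirement just stated: it reports every TLS server block that does not set Strict-Transport-Security directly at server level. The two sample configs it runs against are constructed here for illustration.

```shell
# Lists TLS server blocks of an nginx.conf that set no Strict-Transport-Security
# header at server level. add_header is not inherited into a block that has its
# own add_header, so a header set only inside a location does not cover the vhost.
# Usage: check_hsts nginx.conf  (exit 0 = every TLS vhost covered, 1 = gaps found)
check_hsts() {
  awk '
  {
    line = $0; sub(/#.*/, "", line); low = tolower(line)   # ignore comments
    if (low ~ /^[ \t]*server[ \t]*\{/) {                   # server block opens
      in_srv = 1; srv_depth = depth + 1; srv_line = NR; ssl = 0; hsts = 0
    } else if (in_srv && depth == srv_depth) {             # server-level directive
      if (low ~ /^[ \t]*listen[ \t].*[ \t]ssl([ \t;]|$)/) ssl = 1
      if (low ~ /^[ \t]*add_header[ \t]+strict-transport-security[ \t]/) hsts = 1
    }
    depth += gsub(/\{/, "{", line) - gsub(/\}/, "}", line)
    if (in_srv && depth < srv_depth) {                     # server block closed
      if (ssl && !hsts) { bad++; printf "%s:%d: TLS server block without Strict-Transport-Security\n", FILENAME, srv_line }
      in_srv = 0
    }
  }
  END { exit (bad > 0) }' "$1"
}

# Constructed sample configs (not the image's own files) to exercise the check.
tmp=$(mktemp -d); HSTS_GOOD="$tmp/good.conf"; HSTS_BAD="$tmp/bad.conf"
cat > "$HSTS_GOOD" <<'EOF'
http {
  server {
    listen 443 ssl default_server;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always;
    location / { return 200; }
  }
}
EOF
cat > "$HSTS_BAD" <<'EOF'
http {
  server {   # plain HTTP vhost, HSTS not applicable
    listen 80;
  }
  server {   # TLS vhost, HSTS set only inside a location
    listen 443 ssl;
    location /static/ {
      add_header Strict-Transport-Security "max-age=31536000";
    }
  }
}
EOF
for f in "$HSTS_GOOD" "$HSTS_BAD"; do
  check_hsts "$f" && echo "ok: $f" || echo "gaps in: $f"
done
```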

Volumes

letsencrypt authentication

For letsencrypt (e.g. via letsencrypt-manager) to work, you should mount the following directories to the appropriate locations on your host:

  • /etc/letsencrypt: The configuration directory of the letsencrypt client.
  • /var/acme-webroot: This is the directory where letsencrypt puts data for ACME webroot validation.

DH parameters

In order to achieve an A+ rating you must also use 4096 bit DH parameters. This image helps you by generating these parameters on startup (if they are not already present). Generating them takes a long time, so if the container is running but nginx is not responding, check the log to see whether it is still generating the parameters.

Because this process is so time-consuming, you can preserve the generated parameters file by mounting the /etc/nginx/dhparam volume to a persistent directory on your host.