
Nginx as a reverse proxy and Certbot for automatically obtaining Let's Encrypt certificates to enable HTTPS for web services running in a Docker container 🐳. This repo is monitored by Drone for test ✔️, build 🔨 and deploy 🚀.


reverse-proxy


NGINX: used here as a reverse proxy that takes the client request, passes it on to one or more servers, and delivers the server's response back to the client.

Certbot: a free, open source software tool for automatically using Let's Encrypt certificates on manually administered websites and services to enable HTTPS. If a certificate is due to expire within the renewal period defined by Let's Encrypt, it is renewed automatically.

Setup

  1. Install docker-compose.
  2. Clone this repository: git clone https://github.com/theautomation/reverse-proxy.git .
  3. Replace the NGINX config files with the "public_" prefix with your own.
  4. Check the SSL paths in the NGINX config files, e.g.
    ssl_certificate /etc/letsencrypt/live/myservice.mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myservice.mydomain.com/privkey.pem;
  5. Fill in your variables in "letsencrypt.ini":
    • TEST: set this to 1 while testing your configuration so you avoid hitting Let's Encrypt request limits.
    • EMAIL_ADDRESS: it is recommended to fill in an email address so Certbot can send you expiration emails when your certificate is coming up for renewal.
    • CONFIG_DIR: the directory that holds your NGINX configuration files.
    • RSA_KEY_SIZE: leave this empty for a 4096-bit RSA key, or optionally set it to 2048.
    • CERTBOT_IMAGE: leave this empty to use the latest version of the certbot Docker image, or optionally pin a specific image version, e.g. certbot/certbot:v1.22.0.
  6. Run the bash script letsencrypt.sh. It:
    • creates a Diffie-Hellman parameter file if one doesn't exist yet;
    • retrieves certificates based on the NGINX configuration filenames. Each NGINX configuration file must be named with a "public_" prefix followed by a fully qualified domain name (FQDN). letsencrypt.sh looks for these files in CONFIG_DIR and creates a certificate if one doesn't exist yet. Filename example: public_myservice.mydomain.com.conf -> creates a myservice.mydomain.com certificate.
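Worked through as an added shell example (not the repository's letsencrypt.sh, whose internals this README does not show): the "public_<FQDN>.conf" naming rule from step 6, the certificate path layout from step 4, and the TEST, RSA_KEY_SIZE and EMAIL_ADDRESS variables from step 5. The LE_DIR override and the exact certbot argument set are assumptions of this example.

```shell
# Added example, not the repository's letsencrypt.sh: apply the "public_<FQDN>.conf" rule
# to find certificates that are still missing, then build certbot arguments from TEST,
# RSA_KEY_SIZE and EMAIL_ADDRESS. LE_DIR (hypothetical) overrides /etc/letsencrypt.

# One FQDN per line for every public_*.conf in CONFIG_DIR; a suffix that is not a
# lowercase hostname with at least one dot is reported on stderr and skipped.
domains_from_configs() {
  for f in "$1"/public_*.conf; do
    [ -e "$f" ] || continue                  # glob matched nothing
    name=$(basename "$f" .conf)
    fqdn=${name#public_}
    if printf '%s' "$fqdn" | grep -Eq '^([a-z0-9-]+\.)+[a-z0-9-]+$'; then
      printf '%s\n' "$fqdn"
    else
      echo "skipping $f: '$fqdn' is not an FQDN" >&2
    fi
  done
}

# True if a live certificate already exists for the FQDN (layout from step 4).
cert_exists() {
  [ -f "${LE_DIR:-/etc/letsencrypt}/live/$1/fullchain.pem" ]
}

# FQDNs from CONFIG_DIR that have no certificate yet.
missing_certs() {
  domains_from_configs "$1" | while read -r d; do
    cert_exists "$d" || printf '%s\n' "$d"
  done
}

# certbot arguments for one FQDN: TEST=1 -> --staging (Let's Encrypt test environment,
# no production rate limits); RSA_KEY_SIZE defaults to 4096; --email only when set.
certbot_args() {
  args="certonly -d $1 --rsa-key-size ${RSA_KEY_SIZE:-4096}"
  if [ "${TEST:-0}" = "1" ]; then args="$args --staging"; fi
  if [ -n "${EMAIL_ADDRESS:-}" ]; then args="$args --email $EMAIL_ADDRESS"; fi
  printf '%s\n' "$args"
}

# Constructed sample layout so the block runs offline: two valid names, one rejected
# (no dot), one file without the prefix, and an existing certificate for app.example.com.
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/conf" "$SAMPLE/le/live/app.example.com"
for n in public_app.example.com public_blog.example.com public_localhost internal; do
  : > "$SAMPLE/conf/$n.conf"
done
: > "$SAMPLE/le/live/app.example.com/fullchain.pem"
LE_DIR="$SAMPLE/le"
missing_certs "$SAMPLE/conf"               # prints blog.example.com
```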

Delete (test) certificate

To replace the test certificate with a real certificate you need to remove it first. This is needed if you have set TEST=1 in the ini file.

  1. Go to the repository directory where docker-compose.yml lives.
  2. Change the cert name in the command below and run it.
    docker-compose run --rm --entrypoint "certbot delete --cert-name myservice.mydomain.com" prd-certbot-app
  3. Enter 'Y' or 'Yes'.

Docker network

The docker-compose.yml specifies the network for NGINX. It is recommended that you place the services you want to expose to the public internet on the same network as the NGINX container, so that the container's hostname can be used in the upstream section of the NGINX config file and you don't have to expose the service port(s) on your Docker host. Of course you can change the subnet to your needs.

networks:
  reverse-proxy:
    driver: bridge
    name: reverse-proxy
    ipam:
      config:
        - subnet: 172.22.0.0/16

Other

This repo is inspired by https://github.com/bloodhunterd/Certbot and https://github.com/wmnnd/nginx-certbot