This repository contains a Docker image that runs Nginx as a reverse proxy, with Let's Encrypt (via acme.sh) providing the SSL/TLS certificates.
You can find it on Docker Hub: bh42/nginx-reverseproxy-letsencrypt
The Nginx configuration is deliberately left user-defined, so you can set it up exactly the way you want.
However, you can find an example below.
This image is based upon the official Nginx repository, using the alpine version (nginx:alpine).
acme.sh is installed, and certificates are generated/requested during the first start.
First, self-signed certificates are generated, so Nginx can start with your SSL/TLS configuration in place.
Then, acme.sh is used to request LE-signed certificates, which replace the self-signed ones once issued.
Two volumes are used:

- `/certs`: all the certificates will be stored here (including `dhparam.pem`). You do not need to put anything there yourself; the container populates it.
- `/conf`: place your Nginx configuration file(s) here. An `nginx.conf` is required; the rest is up to you.
The following variables can be set:

- `DRYRUN`: set it to any value to use the Let's Encrypt staging environment during your tests (staging certificates are not browser-trusted, but staging has far more generous rate limits than production).
- `KEYLENGTH`: defines the key length of your Let's Encrypt certificates (1024, 2048, 4096, ec-256, ec-384, ec-521 [not supported by LE yet], etc.). Default is 4096. Note that Let's Encrypt rejects RSA keys shorter than 2048 bits.
- `EMAIL`: e-mail address used to register with ZeroSSL (see the acme.sh wiki).
- `DHPARAM`: defines the Diffie-Hellman parameter length. Default is 2048. Be aware that generating the parameters can take a long time, far more than a couple of minutes, especially at 4096.
- `SERVICE_HOST_x` / `SERVICE_PROXY_x` / `SERVICE_PROXY_x_y` / `SERVICE_LOCATION_x_y`: matched entries per domain. (If you supply both `SERVICE_PROXY_x` and `SERVICE_PROXY_x_y`, `SERVICE_PROXY_x_y` is ignored.)
  - `SERVICE_HOST_x`: the domain for which you want certificates, e.g. `SERVICE_HOST_WEBSITE`, `SERVICE_HOST_API`, `SERVICE_HOST_REPOSITORIES`.
  - `SERVICE_PROXY_x`: the hostname, URL, or IP address of the service behind the proxy (for example, if you have a website at `website.mydomain.com`, set it to `website.mydomain.com`). Use `SERVICE_PROXY_1` for `SERVICE_HOST_1`, etc., e.g. `SERVICE_PROXY_WEBSITE`, `SERVICE_PROXY_API`.
  - `SERVICE_PROXY_x_y`: the hostname, URL, or IP address of one of several colocated services served under the same host (for example, if you have a NuGet server at `nuget.mydomain.com`, set it to `nuget.mydomain.com`). Use `SERVICE_PROXY_1_y` for `SERVICE_HOST_1`, etc., e.g. `SERVICE_PROXY_REPOSITORIES_DOCKER`, `SERVICE_PROXY_REPOSITORIES_NUGET`, `SERVICE_PROXY_REPOSITORIES_NPM`.
  - `SERVICE_LOCATION_x_y`: the location (URL path) of one of your colocated services (for example, if you want a NuGet repository at `repo.mydomain.com/nuget`, set it to `/nuget`; for the root website, leave `SERVICE_LOCATION_x_y` unset). Use `SERVICE_LOCATION_1_y` for `SERVICE_HOST_1`, etc., e.g. `SERVICE_LOCATION_REPOSITORIES_NUGET`, `SERVICE_LOCATION_REPOSITORIES_NPM`.
- `SERVICE_SUBJ_x`: the subject of the self-signed certificate generated for `SERVICE_HOST_x`. The expected format is `/C=Country code/ST=State/L=City/O=Company/OU=Organization/CN=your.domain.tld`. It is not really useful (the self-signed certificate is replaced as soon as the Let's Encrypt one is issued), but it is there. Use `SERVICE_SUBJ_1` for `SERVICE_HOST_1`, etc.
Note regarding `SERVICE_PROXY_x`: these environment variables automatically generate an Nginx conf file named `x.conf` (with x lowercased), based on `service.conf.template`.
WARNING: if your backend services are reachable from the internet without going through this proxy, clients can simply bypass it, and traffic to those backends is not protected by the proxy's TLS certificate (nor by anything else the proxy enforces). Keep the backends on a private network (for example a Docker network that only the proxy joins) or firewall them so that only the proxy can reach them.
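As an added illustration of the rules above (this is not the image's own entrypoint, and `service.conf.template` is not shown on this page), the following POSIX shell function renders the server block that a set of `SERVICE_*` variables describes: one file per `SERVICE_HOST_x` named `x.conf` in lowercase, `SERVICE_PROXY_x` taking precedence over any `SERVICE_PROXY_x_y`, and each colocated service mounted at `SERVICE_LOCATION_x_y` or at the root when that is unset. The layout of the emitted block, the per-host certificate file names under `/certs` (only `dhparam.pem` is documented) and the choice of plain `http://` for a bare upstream hostname are this example's own assumptions, not the image's behaviour.

```shell
#!/bin/sh
# Added example: renders the nginx server block described by the SERVICE_*
# variables. This is NOT the image's entrypoint or its service.conf.template
# (neither is shown in the README); the block layout, the per-host certificate
# file names under /certs and the http:// upstream default are assumptions.

# Print the value of the environment variable named $1, or nothing if unset.
getenv() {
    eval "printf '%s' \"\${$1:-}\""
}

# Emit one location stanza. $1 = path (leading slash optional, empty = root),
# $2 = upstream hostname, URL or IP address.
emit_location() {
    path="/${1#/}"                                   # "nuget" and "/nuget" both become /nuget
    case "$2" in
        http://*|https://*) upstream="$2" ;;
        *)                  upstream="http://$2" ;;  # assumption: bare host means plain HTTP
    esac
    printf '    location %s {\n' "$path"
    printf '        proxy_pass %s;\n' "$upstream"
    printf '        proxy_set_header Host $host;\n'
    printf '        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n'
    printf '        proxy_set_header X-Forwarded-Proto $scheme;\n'
    printf '    }\n'
}

# Print the server block for service x (e.g. REPOSITORIES). The first line is
# the file name it would be written to: x.conf, lowercased. Fails if
# SERVICE_HOST_x is unset.
render_service() {
    name="$1"
    host=$(getenv "SERVICE_HOST_${name}")
    if [ -z "$host" ]; then
        echo "SERVICE_HOST_${name} is not set" >&2
        return 1
    fi
    printf '# %s.conf\n' "$(printf '%s' "$name" | tr 'A-Z' 'a-z')"
    printf 'server {\n'
    printf '    listen 443 ssl;\n'
    printf '    server_name %s;\n' "$host"
    printf '    ssl_certificate     /certs/%s/fullchain.cer;\n' "$host"     # assumed file layout
    printf '    ssl_certificate_key /certs/%s/%s.key;\n' "$host" "$host"   # assumed file layout
    printf '    ssl_dhparam         /certs/dhparam.pem;\n'                 # documented location

    single=$(getenv "SERVICE_PROXY_${name}")
    if [ -n "$single" ]; then
        # SERVICE_PROXY_x is set: it serves the root, and any SERVICE_PROXY_x_y is ignored.
        emit_location "/" "$single"
    else
        # Colocated services: one location per SERVICE_PROXY_x_y, mounted at
        # SERVICE_LOCATION_x_y, or at the root when no location is given.
        for sub in $(env | sed -n "s/^SERVICE_PROXY_${name}_\([A-Za-z0-9_]*\)=.*/\1/p" | sort); do
            emit_location "$(getenv "SERVICE_LOCATION_${name}_${sub}")" \
                          "$(getenv "SERVICE_PROXY_${name}_${sub}")"
        done
    fi
    printf '}\n'
}

# Usage: export the SERVICE_* variables, then for example
#   render_service REPOSITORIES > /etc/nginx/conf.d/repositories.conf
```

Running it with the `REPOSITORIES` variables from the example below yields a root location for the Docker registry (no `SERVICE_LOCATION_REPOSITORIES_DOCKER`) plus `/nuget` and `/npm` locations for the other two backends; with `SERVICE_PROXY_API` set, any `SERVICE_PROXY_API_y` is silently dropped, which is exactly the precedence rule worth keeping in mind when you reuse a service name.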
Here is an example with three virtual hosts (one of them fronting three colocated services), first as a `docker run` command and then as the equivalent `docker-compose` file:

```sh
docker run \
    -p 80:80 \
    -p 443:443 \
    -v /home/user/my_nginx_conf:/conf \
    -v /home/user/my_certs:/certs \
    -e KEYLENGTH=ec-384 \
    -e [email protected] \
    -e DHPARAM=4096 \
    -e SERVICE_HOST_WEBSITE=www.mydomain.com \
    -e SERVICE_HOST_API=subdomain.mydomain.com \
    -e SERVICE_HOST_REPOSITORIES=repo.mydomain.com \
    -e SERVICE_PROXY_WEBSITE=website.mydomain.com \
    -e SERVICE_PROXY_API=api.mydomain.com \
    -e SERVICE_PROXY_REPOSITORIES_DOCKER=docker.mydomain.com \
    -e SERVICE_PROXY_REPOSITORIES_NUGET=nuget.mydomain.com \
    -e SERVICE_PROXY_REPOSITORIES_NPM=npm.mydomain.com \
    -e SERVICE_LOCATION_REPOSITORIES_NUGET=nuget \
    -e SERVICE_LOCATION_REPOSITORIES_NPM=npm \
    --name reverse-proxy \
    -t -d \
    bh42/nginx-reverseproxy-letsencrypt:latest
```
```yaml
version: '3.7'
services:
  proxy:
    container_name: "proxy"
    image: bh42/nginx-reverseproxy-letsencrypt:latest
    environment:
      - KEYLENGTH=ec-384
      - [email protected]
      - DHPARAM=4096
      - SERVICE_HOST_WEBSITE=www.mydomain.com
      - SERVICE_HOST_API=subdomain.mydomain.com
      - SERVICE_HOST_REPOSITORIES=repo.mydomain.com
      - SERVICE_PROXY_WEBSITE=website.mydomain.com
      - SERVICE_PROXY_API=api.mydomain.com
      - SERVICE_PROXY_REPOSITORIES_DOCKER=docker.mydomain.com
      - SERVICE_PROXY_REPOSITORIES_NUGET=nuget.mydomain.com
      - SERVICE_PROXY_REPOSITORIES_NPM=npm.mydomain.com
      - SERVICE_LOCATION_REPOSITORIES_NUGET=nuget
      - SERVICE_LOCATION_REPOSITORIES_NPM=npm
    restart: unless-stopped
    tty: true
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /home/user/my_certs:/certs
      - /home/user/my_nginx_conf:/conf
```

Since the certificates will be stored in `/certs`, be sure to write your Nginx configuration file(s) accordingly!
The configuration files in `/conf` will be placed in `/etc/nginx/conf.d` in the container.
If you do not use any `SERVICE_PROXY_x` environment variables, nothing needs to be written to `/conf`, so you can mount that volume read-only (`:ro`).