How to Setup a Reverse Proxy With Let's Encrypt SSL Certificates Using Docker

Jan 8, 2020

Share on:

I think this is really important in practical docker battle field. 🙂
Let’s go for the docker-compose.yml first.

 1version: '3'
 2
 3services:
 4  nginx:
 5    image: nginx:1.15-alpine
 6    restart: unless-stopped
 7    volumes:
 8      - ./data/nginx:/etc/nginx/conf.d
 9      - ./data/certbot/conf:/etc/letsencrypt
10      - ./data/certbot/www:/var/www/certbot
11    ports:
12      - "80:80"
13      - "443:443"
14    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
15  certbot:
16    image: certbot/certbot
17    restart: unless-stopped
18    volumes:
19      - ./data/certbot/conf:/etc/letsencrypt
20      - ./data/certbot/www:/var/www/certbot
21    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"

In order to get Let’s Encrypt SSL certificates, create a shell script file (init_letsencrypt.sh) like so:

 1#!/bin/bash
 2
 3if ! [ -x "$(command -v docker-compose)" ]; then
 4  echo 'Error: docker-compose is not installed.' >&2
 5  exit 1
 6fi
 7
 8domains=(domain.com www.domain.com)
 9rsa_key_size=4096
10data_path="./data/certbot"
11email="" # Adding a valid address is strongly recommended
12staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits
13
14if [ -d "$data_path" ]; then
15  read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
16  if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
17    exit
18  fi
19fi
20
21if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
22  echo "### Downloading recommended TLS parameters ..."
23  mkdir -p "$data_path/conf"
24  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
25  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
26  echo
27fi
28
29echo "### Creating dummy certificate for $domains ..."
30path="/etc/letsencrypt/live/$domains"
31mkdir -p "$data_path/conf/live/$domains"
32docker-compose run --rm --entrypoint "\
33  openssl req -x509 -nodes -newkey rsa:1024 -days 1\
34    -keyout '$path/privkey.pem' \
35    -out '$path/fullchain.pem' \
36    -subj '/CN=localhost'" certbot
37echo
38
39
40echo "### Starting nginx ..."
41docker-compose up --force-recreate -d nginx
42echo
43
44echo "### Deleting dummy certificate for $domains ..."
45docker-compose run --rm --entrypoint "\
46  rm -Rf /etc/letsencrypt/live/$domains && \
47  rm -Rf /etc/letsencrypt/archive/$domains && \
48  rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
49echo
50
51echo "### Requesting Let's Encrypt certificate for $domains ..."
52#Join $domains to -d args
53domain_args=""
54for domain in "${domains[@]}"; do
55  domain_args="$domain_args -d $domain"
56done
57
58# Select appropriate email arg
59case "$email" in
60  "") email_arg="--register-unsafely-without-email" ;;
61  *) email_arg="--email $email" ;;
62esac
63
64# Enable staging mode if needed
65if [ $staging != "0" ]; then staging_arg="--staging"; fi
66
67docker-compose run --rm --entrypoint "\
68  certbot certonly --webroot -w /var/www/certbot \
69    $staging_arg \
70    $email_arg \
71    $domain_args \
72    --rsa-key-size $rsa_key_size \
73    --agree-tos \
74    --force-renewal" certbot
75echo
76
77echo "### Reloading nginx ..."
78docker-compose exec nginx nginx -s reload

As you can see in the docker-compose.yml file, you need a nginx config file in data/nginx/app.conf

 1server {
 2    listen 80;
 3    server_name domain.com;
 4    server_tokens off;
 5
 6    location /.well-known/acme-challenge/ {
 7        root /var/www/certbot;
 8    }
 9
10    location / {
11        return 301 https://$host$request_uri;
12    }
13}
14
15server {
16    listen 443 ssl;
17    server_name domain.com;
18    server_tokens off;
19
20    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
21    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
22    include /etc/letsencrypt/options-ssl-nginx.conf;
23    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
24
25    location / {
26        proxy_pass  http://server_ip(for example, localhost):app_port;
27        proxy_set_header    Host                $http_host;
28        proxy_set_header    X-Real-IP           $remote_addr;
29        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
30        proxy_set_header    X-Forwarded-Proto   $scheme;
31    }
32}

All set to start proxy server. Run the init_letsencrypt.sh first, and then as you may know,

1docker-compose up -d

Boom! Your service is now secured by Let's Encrypt SSL/TLS certificates.
Happy dockerizing, Gents! 🙂