@Glendragon
Last active May 27, 2021 17:44
Docker Nginx Proxy + LetsEncrypt with examples

Nginx Proxy Containers

This approach lets you do a few really powerful things:

  1. Give non-SSL enabled applications SSL capabilities using a proxy
  2. Automate signing up and renewing LetsEncrypt certificates
  3. Allow multiple containers to exist on a single host and not worry about configuring a webserver

Use docker-letsencrypt-nginx-proxy together with nginx-proxy in a single docker-compose.yml. Here's what that file does:

  • Host ports 80 and 443 are forwarded into the nginx-proxy container
  • The volumes certs, vhostd, and html are persistent (important for certs!)
  • The Docker socket is what the two containers watch to learn about new containers
  • Containers joined to the nginx-proxy network are registered automatically and get a certificate if they don't have one (set the parameters below in each container's Dockerfile or docker-compose.yml)
  • Nginx-specific settings can be added to the vhost.d directory, using the virtual host name as the file name

A container can set a few optional parameters that the docker-letsencrypt-nginx-proxy setup understands:

  • VIRTUAL_HOST is the host name that nginx will use for the container
  • VIRTUAL_PORT is the container port that the host name is mapped to
  • LETSENCRYPT_HOST is the name used for the LetsEncrypt certificate
  • LETSENCRYPT_EMAIL is the address used for LetsEncrypt e-mail
  • "networks" must be specified so that nginx-proxy knows about the container
  • Use "expose" rather than mapping ports if you want the container to be reached through the proxy by its host name
```yaml
# docker-compose.yml for application with frontend/backend/database
version: '3'
services:
  db:
    image: postgres
    environment:
      POSTGRES_PASSWORD: password
    restart: always
  backend:
    build: ./backend
    volumes:
      - ./backend:/site/backend
    ports:
      - "8000:8000"
    depends_on:
      - db
    restart: always
  frontend:
    build: ./frontend
    volumes:
      - ./frontend:/site/frontend
      - /site/frontend/node_modules
    # "expose" instead of "ports": only nginx-proxy reaches the app
    expose:
      - "3000"
    environment:
      - NODE_ENV=development
      - LETSENCRYPT_HOST=app.example.com
      - LETSENCRYPT_EMAIL=support@example.com
      - VIRTUAL_HOST=app.example.com,app.corp.example.com,app
      - VIRTUAL_PORT=3000
    command: npm start
    depends_on:
      - backend
    restart: always
  frontend-test:
    build:
      context: ./frontend
    environment:
      - CI=true
    command: npm test
# join the network that nginx-proxy watches
networks:
  default:
    external:
      name: nginx-proxy
```
```yaml
# docker-compose.yml for nginx-proxy and the LetsEncrypt companion
version: "3"
services:
  nginx-proxy:
    image: jwilder/nginx-proxy
    container_name: nginxproxy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - certs:/etc/nginx/certs
      - vhostd:/etc/nginx/vhost.d
      - html:/usr/share/nginx/html
      - /var/run/docker.sock:/tmp/docker.sock:ro
    restart: always
  nginx-proxy-letsencrypt:
    image: jrcs/letsencrypt-nginx-proxy-companion
    volumes:
      - certs:/etc/nginx/certs
      - vhostd:/etc/nginx/vhost.d
      - html:/usr/share/nginx/html
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - DEFAULT_EMAIL=support@example.com
      - NGINX_PROXY_CONTAINER=nginxproxy
    restart: always
# persistent volumes shared by the proxy and the companion
volumes:
  certs:
  html:
  vhostd:
networks:
  default:
    external:
      name: nginx-proxy
```
```yaml
# docker-compose.yml for osticket
version: '3'
services:
  osticket:
    image: campbellsoftwaresolutions/osticket
    expose:
      - "80"
    environment:
      - MYSQL_HOST=mysql
      - MYSQL_DATABASE=osticket
      - MYSQL_USER=osticket
      - MYSQL_PASSWORD=secret
      # CHANGE ME
      - INSTALL_SECRET=1qazXSW23edc
      - VIRTUAL_HOST=support.example.com
      - LETSENCRYPT_HOST=support.example.com
      - LETSENCRYPT_EMAIL=support@example.com
    links:
      - osticket_mysql:mysql
    depends_on:
      - osticket_mysql
    restart: always
  osticket_mysql:
    image: mariadb
    environment:
      - MYSQL_ROOT_PASSWORD=secret
      - MYSQL_DATABASE=osticket
      - MYSQL_USER=osticket
      - MYSQL_PASSWORD=secret
    volumes:
      - /opt/volumes/osticket_mysql:/var/lib/mysql
    restart: always
networks:
  default:
    external:
      name: nginx-proxy
```
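The bullets above amount to a short checklist for every compose file that sits behind the proxy: the Docker socket is mounted read-only, the service joins the external nginx-proxy network, proxied services use `expose` rather than `ports`, every LETSENCRYPT_HOST also appears in VIRTUAL_HOST and is a name Let's Encrypt can actually validate, and the `CHANGE ME` placeholders are gone. The following audit script encodes those rules. It is an added example, not code from the gist or from the nginx-proxy or companion projects; the compose documents it checks are constructed Python structures that mirror the gist's files (the shape `yaml.safe_load()` returns), plus a deliberately broken variant, and the `audit`, `env_to_dict` and `split_hosts` names are its own.

```python
"""Audit compose files that sit behind nginx-proxy + letsencrypt companion.

Added example, not from the gist or the nginx-proxy projects. The compose
documents below are constructed dicts mirroring the gist's files; on a real
host load them with yaml.safe_load() (PyYAML) and pass the result to audit().
"""

# Values the gist itself marks as "CHANGE ME" or that are obvious defaults.
PLACEHOLDER_SECRETS = {"password", "secret", "changeme", "1qazxsw23edc"}


def env_to_dict(env):
    """Compose accepts 'environment' as a mapping or as a list of KEY=VALUE."""
    if isinstance(env, dict):
        return {k: str(v) for k, v in env.items()}
    result = {}
    for item in env or []:
        key, _, value = item.partition("=")  # keep '=' inside the value intact
        result[key] = value
    return result


def split_hosts(value):
    """VIRTUAL_HOST and LETSENCRYPT_HOST are comma-separated host lists."""
    return {h.strip() for h in value.split(",") if h.strip()}


def audit(compose):
    """Return a list of human-readable findings for one compose document."""
    findings = []
    # Rule: the default network must be the external network nginx-proxy watches.
    if "external" not in compose.get("networks", {}).get("default", {}):
        findings.append("networks.default is not the external nginx-proxy network")
    for name, svc in compose.get("services", {}).items():
        # Rule: the Docker socket is bind-mounted read-only, as in the gist.
        for vol in svc.get("volumes", []):
            if isinstance(vol, str) and "docker.sock" in vol and not vol.endswith(":ro"):
                findings.append(f"{name}: docker socket is mounted read-write")
        env = env_to_dict(svc.get("environment"))
        vhosts = split_hosts(env.get("VIRTUAL_HOST", ""))
        le_hosts = split_hosts(env.get("LETSENCRYPT_HOST", ""))
        # Rule: a proxied service should 'expose', not publish, its port.
        if vhosts and svc.get("ports"):
            findings.append(f"{name}: VIRTUAL_HOST is set but ports are published; use expose instead")
        # Rule: a certificate name must also be a name nginx-proxy serves.
        for host in sorted(le_hosts - vhosts):
            findings.append(f"{name}: LETSENCRYPT_HOST {host} is not in VIRTUAL_HOST")
        # Rule: Let's Encrypt can only validate public DNS names, not bare names like 'app'.
        for host in sorted(le_hosts):
            if "." not in host:
                findings.append(f"{name}: LETSENCRYPT_HOST {host} is not a public FQDN")
        # Rule: no placeholder credentials left behind.
        for key, value in env.items():
            if ("PASSWORD" in key or "SECRET" in key) and value.lower() in PLACEHOLDER_SECRETS:
                findings.append(f"{name}: {key} is a placeholder value")
    return findings


# Constructed: the gist's frontend/backend/database compose file as a dict.
APP_COMPOSE = {
    "services": {
        "db": {"image": "postgres", "environment": {"POSTGRES_PASSWORD": "password"}},
        "backend": {"build": "./backend", "ports": ["8000:8000"], "depends_on": ["db"]},
        "frontend": {
            "build": "./frontend",
            "expose": ["3000"],
            "environment": [
                "LETSENCRYPT_HOST=app.example.com",
                "LETSENCRYPT_EMAIL=support@example.com",
                "VIRTUAL_HOST=app.example.com,app.corp.example.com,app",
                "VIRTUAL_PORT=3000",
            ],
        },
    },
    "networks": {"default": {"external": {"name": "nginx-proxy"}}},
}

# Constructed: a deliberately misconfigured variant so every rule fires.
BROKEN_COMPOSE = {
    "services": {
        "proxy": {"image": "jwilder/nginx-proxy",
                  "volumes": ["/var/run/docker.sock:/tmp/docker.sock"]},
        "app": {"image": "example/app", "ports": ["3000:3000"],
                "environment": ["VIRTUAL_HOST=app.example.com",
                                "LETSENCRYPT_HOST=app.example.com,app"]},
    },
    "networks": {"default": {}},
}

if __name__ == "__main__":
    for label, doc in (("app", APP_COMPOSE), ("broken", BROKEN_COMPOSE)):
        print(label, audit(doc) or ["clean"])
```

Running it against the gist's own application file reports only the default `POSTGRES_PASSWORD`; the broken variant reports the missing external network, the read-write socket, the published port and the bare `app` name in LETSENCRYPT_HOST. One caveat the socket rule does not cover: `:ro` only stops the container from replacing the socket file, the Docker API behind it still accepts every request, so the proxy and companion containers should be treated as having host-level control and be kept to the images above.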
```nginx
# vhost.d/source.example.com
# Optional: Use an nginx config file to manage upstream port forwarding
# Listen on port 80 and relay to port 8022
stream {
  upstream ssh {
    server localhost:8022;
  }
  server {
    listen 80;
    proxy_pass ssh;
  }
}
```