alex-andreiev · January 19, 2022 14:01
diff --git a/docker-compose.yml b/docker-compose.yml
 ## docker-compose.yml
 version: '3'
 services:
  web:
    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
    image: nginx
    volumes:
     - ./nginx:/etc/nginx
     - ./data/certbot/conf:/etc/letsencrypt
     - ./data/certbot/www:/var/www/certbot
    ports:
      - "80:80"
      - "443:443"
  certbot:
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
    image: certbot/certbot
    volumes:
     - ./data/certbot/conf:/etc/letsencrypt
     - ./data/certbot/www:/var/www/certbot
diff --git a/folder structure b/folder structure
 ## folder structure
 # /nginx
 #   /data
 #   /nginx
 #   /nginx/nginx.conf
 #   /init.sh
 #   /docker-compose.yml
diff --git a/init.sh b/init.sh
 ## init.sh
 #!/bin/bash

 if ! [ -x "$(command -v docker-compose)" ]; then
  echo 'Error: docker-compose is not installed.' >&2
  exit 1
 fi

 domains=(demo-app.pp.ua)
 rsa_key_size=4096
 data_path="./data/certbot"
 email="support@my-domain.com" # Adding a valid address is strongly recommended
 staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits

 if [ -d "$data_path" ]; then
  read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
  if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
    exit
  fi
 fi


 if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
  echo "### Downloading recommended TLS parameters ..."
  mkdir -p "$data_path/conf"
  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
  echo
 fi

 echo "### Creating dummy certificate for $domains ..."
 path="/etc/letsencrypt/live/$domains"
 mkdir -p "$data_path/conf/live/$domains"
 docker-compose run --rm --entrypoint "\
  openssl req -x509 -nodes -newkey rsa:1024 -days 1\
    -keyout '$path/privkey.pem' \
    -out '$path/fullchain.pem' \
    -subj '/CN=localhost'" certbot
 echo


 echo "### Starting nginx ..."
 docker-compose up --force-recreate -d web
 echo

 echo "### Deleting dummy certificate for $domains ..."
 docker-compose run --rm --entrypoint "\
  rm -Rf /etc/letsencrypt/live/$domains && \
  rm -Rf /etc/letsencrypt/archive/$domains && \
  rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
 echo


 echo "### Requesting Let's Encrypt certificate for $domains ..."
 #Join $domains to -d args
 domain_args=""
 for domain in "${domains[@]}"; do
  domain_args="$domain_args -d $domain"
 done

 # Select appropriate email arg
 case "$email" in
  "") email_arg="--register-unsafely-without-email" ;;
  *) email_arg="--email $email" ;;
 esac

 # Enable staging mode if needed
 if [ $staging != "0" ]; then staging_arg="--staging"; fi

 docker-compose run --rm --entrypoint "\
  certbot certonly --webroot -w /var/www/certbot \
    $staging_arg \
    $email_arg \
    $domain_args \
    --rsa-key-size $rsa_key_size \
    --agree-tos \
    --force-renewal" certbot
 echo

 echo "### Reloading nginx ..."
 docker-compose exec web nginx -s reload
diff --git a/nginx.conf b/nginx.conf
 ## nginx/nginx.conf
 events {  }

 http {

  upstream puma_app_1 {
    server 172.31.7.63:3000;
  }

  server {
    listen 80 default;
    server_name demo-app.pp.ua 34.244.149.37;

    location ~ ^/.well-known/acme-challenge/ {
       root /var/www/certbot;
    }

    return 301 https://$host$request_uri;

  }
  server {
    listen 443 ssl;
    server_name demo-app.pp.ua 34.244.149.37;

    #ssl cert path
    
    location ~ ^/.well-known/acme-challenge/ {
       root /var/www/certbot;
    }

    try_files $uri/index.html $uri @puma_app_1;

    location @puma_app_1 {
        add_header 'Access-Control-Max-Age' 1728000;
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS, PATCH' always;
        add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header  X-Forwarded-Proto $scheme;
        proxy_set_header  X-Forwarded-Ssl on; # Optional
        proxy_set_header  X-Forwarded-Port $server_port;
        proxy_set_header  X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect off;
        proxy_pass http://puma_app_1;
    }
  }
 }
	## docker-compose.yml
	version: '3'
	services:
	web:
	command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
	image: nginx
	volumes:
	- ./nginx:/etc/nginx
	- ./data/certbot/conf:/etc/letsencrypt
	- ./data/certbot/www:/var/www/certbot
	ports:
	- "80:80"
	- "443:443"
	certbot:
	entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
	image: certbot/certbot
	volumes:
	- ./data/certbot/conf:/etc/letsencrypt
	- ./data/certbot/www:/var/www/certbot
	## folder structure
	# /nginx
	# /data
	# /nginx
	# /nginx/nginx.conf
	# /init.sh
	# /docker-compose.yml
	## init.sh
	#!/bin/bash

	if ! [ -x "$(command -v docker-compose)" ]; then
	echo 'Error: docker-compose is not installed.' >&2
	exit 1
	fi

	domains=(demo-app.pp.ua)
	rsa_key_size=4096
	data_path="./data/certbot"
	email="support@my-domain.com" # Adding a valid address is strongly recommended
	staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits

	if [ -d "$data_path" ]; then
	read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
	if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
	exit
	fi
	fi


	if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] \|\| [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
	echo "### Downloading recommended TLS parameters ..."
	mkdir -p "$data_path/conf"
	curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
	curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
	echo
	fi

	echo "### Creating dummy certificate for $domains ..."
	path="/etc/letsencrypt/live/$domains"
	mkdir -p "$data_path/conf/live/$domains"
	docker-compose run --rm --entrypoint "\
	openssl req -x509 -nodes -newkey rsa:1024 -days 1\
	-keyout '$path/privkey.pem' \
	-out '$path/fullchain.pem' \
	-subj '/CN=localhost'" certbot
	echo


	echo "### Starting nginx ..."
	docker-compose up --force-recreate -d web
	echo

	echo "### Deleting dummy certificate for $domains ..."
	docker-compose run --rm --entrypoint "\
	rm -Rf /etc/letsencrypt/live/$domains && \
	rm -Rf /etc/letsencrypt/archive/$domains && \
	rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
	echo


	echo "### Requesting Let's Encrypt certificate for $domains ..."
	#Join $domains to -d args
	domain_args=""
	for domain in "${domains[@]}"; do
	domain_args="$domain_args -d $domain"
	done

	# Select appropriate email arg
	case "$email" in
	"") email_arg="--register-unsafely-without-email" ;;
	*) email_arg="--email $email" ;;
	esac

	# Enable staging mode if needed
	if [ $staging != "0" ]; then staging_arg="--staging"; fi

	docker-compose run --rm --entrypoint "\
	certbot certonly --webroot -w /var/www/certbot \
	$staging_arg \
	$email_arg \
	$domain_args \
	--rsa-key-size $rsa_key_size \
	--agree-tos \
	--force-renewal" certbot
	echo

	echo "### Reloading nginx ..."
	docker-compose exec web nginx -s reload
	## nginx/nginx.conf
	events { }

	http {

	upstream puma_app_1 {
	server 172.31.7.63:3000;
	}

	server {
	listen 80 default;
	server_name demo-app.pp.ua 34.244.149.37;

	location ~ ^/.well-known/acme-challenge/ {
	root /var/www/certbot;
	}

	return 301 https://$host$request_uri;

	}
	server {
	listen 443 ssl;
	server_name demo-app.pp.ua 34.244.149.37;

	#ssl cert path

	location ~ ^/.well-known/acme-challenge/ {
	root /var/www/certbot;
	}

	try_files $uri/index.html $uri @puma_app_1;

	location @puma_app_1 {
	add_header 'Access-Control-Max-Age' 1728000;
	add_header 'Access-Control-Allow-Credentials' 'true' always;
	add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS, PATCH' always;
	add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_set_header X-Forwarded-Ssl on; # Optional
	proxy_set_header X-Forwarded-Port $server_port;
	proxy_set_header X-Forwarded-Host $host;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_redirect off;
	proxy_pass http://puma_app_1;
	}
	}
	}