nginx-certbot

YET ANOTHER docker-ized nginx proxy with let's encrypt certbot for ssl certz; based on alpine!

By default it does not try to get certs; you need to define the $LETSENCRYPT environment variable for this to happen.

on start this image checks whether installed certs for the list of DOMAINS exist and, if they do not, runs certbot in standalone mode (so nginx doesn't exit complaining about non-existing files). this image also uses a daily cron to check/update ssl certificates and (if new certs are generated) reload nginx. all-in-one container; w00t!

this container will only request certificates after certbot --dry-run runs successfully, which helps to avoid burning through certificate requests.

example

docker-compose.yml

notes

  1. make sure dir ./letsencrypt exists
  2. set EMAIL environment var to your email address
  3. DOMAINS var can be semicolon (;) and comma (,) separated (for example: DOMAINS=www.example.net,example.net;api.foobar.site,assets.foobar.site)
  4. bind mount /etc/nginx/snippets/ssl.conf with your implementation to improve cipher suite (and use TLS 1.3!)

version: "2"
services:
  nginx-certbot:
    image: 3dwardsharp/nginx-certbot:0.0.1
    environment:
      - DOMAINS=demo.youoke.party,youoke.party
      - EMAIL=[email protected]
      - BASE_SERVER=youoke.party
      - BASE_SERVER_PROXY=helloworld
      - BASE_SERVER_PORT=80
      - ADMIN_SERVER=demo.youoke.party
      - ADMIN_SERVER_PROXY=demo
      - ADMIN_SERVER_PORT=80
    volumes:
      - ./letsencrypt:/etc/letsencrypt
      - ./nginx.template:/etc/nginx/conf.d/nginx.template
    ports:
      - "80:80"
      - "443:443"
    command: /bin/bash -c "envsubst '$${BASE_SERVER},$${BASE_SERVER_PROXY},$${BASE_SERVER_PORT},$${ADMIN_SERVER},$${ADMIN_SERVER_PROXY},$${ADMIN_SERVER_PORT}' < /etc/nginx/conf.d/nginx.template > /etc/nginx/conf.d/default.conf && nginx -g 'daemon off;'"
  helloworld:
    image: 3dwardsharp/helloworld
  demo:
    image: 3dwardsharp/helloworld

nginx.template

do as your nginx-configuration-heart desires, just a simple example using envsubst:

note: the command for the nginx-certbot (3dwardsharp/nginx-certbot) instance in docker-compose.yml passes envsubst an explicit list of the variables to substitute, like '$${BASE_SERVER},$${ADMIN_SERVER}'. note the $$ (docker-compose turns it into a single $). the list has to name every placeholder used in nginx.template, because envsubst leaves any ${VAR} that is not in the list untouched and nginx then fails on it as an unknown variable. without a list, envsubst will replace other $ variables in nginx.template with blank strings.

server {
  listen 80;
  server_name ${BASE_SERVER};
  
  include /etc/nginx/snippets/letsencrypt.conf;

  location / {
    return 301 https://${BASE_SERVER};
  }
}
server {
  listen 80;
  server_name ${ADMIN_SERVER};

  include /etc/nginx/snippets/letsencrypt.conf;

  location / {
    return 301 https://${ADMIN_SERVER};
  }
}

server {
  server_name ${BASE_SERVER};
  listen 443 ssl http2;

  ssl_certificate /etc/letsencrypt/live/${BASE_SERVER}/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/${BASE_SERVER}/privkey.pem;
  ssl_trusted_certificate /etc/letsencrypt/live/${BASE_SERVER}/fullchain.pem;
  include /etc/nginx/snippets/ssl.conf;

  location / {
    proxy_pass http://${BASE_SERVER_PROXY}:${BASE_SERVER_PORT};
    client_max_body_size 100m;
    proxy_buffering off;
  }
}
server {
  server_name ${ADMIN_SERVER};
  listen 443 ssl http2;

  ssl_certificate /etc/letsencrypt/live/${ADMIN_SERVER}/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/${ADMIN_SERVER}/privkey.pem;
  ssl_trusted_certificate /etc/letsencrypt/live/${ADMIN_SERVER}/fullchain.pem;
  include /etc/nginx/snippets/ssl.conf;

  location / {
    proxy_pass http://${ADMIN_SERVER_PROXY}:${ADMIN_SERVER_PORT};
    client_max_body_size 100m;
    proxy_buffering off;
  }
}
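
The envsubst note above, as an added example (not code from the nginx-certbot repository): rather than typing the variable list by hand, this script derives it from the template's own placeholders, refuses to render when one of them is unset, and leaves nginx runtime variables such as $host alone. The function names and the sample template are constructed for illustration, and it assumes placeholders are written as upper-case ${NAME}.

```shell
#!/bin/sh
# Added example, not part of the nginx-certbot image; function names are hypothetical.

# Constructed sample: ${UPPER_CASE} placeholders are ours to fill in;
# $host and $request_uri are nginx runtime variables and must survive rendering.
sample_template() {
  cat <<'EOF'
server {
  listen 80;
  server_name ${BASE_SERVER};
  location / { return 301 https://$host$request_uri; }
}
server {
  listen 443 ssl http2;
  server_name ${BASE_SERVER};
  location / { proxy_pass http://${BASE_SERVER_PROXY}:${BASE_SERVER_PORT}; }
}
EOF
}

# Print each distinct ${NAME} placeholder found on stdin, one name per line.
template_vars() {
  grep -oE '[$][{][A-Z_][A-Z0-9_]*[}]' | tr -d '${}' | LC_ALL=C sort -u
}

# Turn variable names into the envsubst allow-list '${A},${B},...'.
# Fails if a name is missing from the environment, because envsubst would
# silently render it as an empty string.
shell_format() (
  fmt=""
  for name in "$@"; do
    printenv "$name" >/dev/null || { echo "unset: $name" >&2; exit 1; }
    fmt="${fmt:+$fmt,}\${$name}"
  done
  printf '%s\n' "$fmt"
)

# render TEMPLATE OUTPUT: substitute only the template's own placeholders.
render() (
  names=$(template_vars < "$1")
  [ -n "$names" ] || { echo "no placeholders in $1" >&2; exit 1; }
  fmt=$(shell_format $names) || exit 1
  envsubst "$fmt" < "$1" > "$2"
  # Anything still shaped like ${NAME} means a placeholder was not rendered.
  ! grep -qE '[$][{][A-Z_][A-Z0-9_]*[}]' "$2"
)
```

In the container this would replace the hand-written list: `render /etc/nginx/conf.d/nginx.template /etc/nginx/conf.d/default.conf && nginx -g 'daemon off;'`.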
