Put browser-valid TLS termination in front of any Dockerized HTTP service with one command.
```
docker run --detach \
  --name lets-nginx \
  --link backend:backend \
  --env EMAIL=your-email@example.com \
  --env DOMAIN=mydomain.horse \
  --env UPSTREAM=backend:8080 \
  --publish 80:80 \
  --publish 443:443 \
  smashwilson/lets-nginx
```

Issues certificates from letsencrypt, installs them in nginx, and schedules a cron job to reissue them monthly.
⚡ To run unattended, this container accepts the letsencrypt terms of service on your behalf. Make sure that the subscriber agreement is acceptable to you before using this container. ⚡
Before you begin, you'll need:
- A place to run Docker containers with a public IP.
- A domain name with an A record pointing to your cluster.
Launch your backend container and note its name, then launch smashwilson/lets-nginx with the following parameters:
- `--link backend:backend` to link your backend service's container to this one. (This may be unnecessary depending on Docker's networking configuration.)
- `-e EMAIL=` your email address, used to register with letsencrypt.
- `-e DOMAIN=` the domain name.
- `-e UPSTREAM=` the name of your backend container and the port on which the service is listening.
- `-p 80:80` and `-p 443:443` so that the letsencrypt client and nginx can bind to those ports on your public interface.
- `-e STAGING=1` uses the Let's Encrypt staging server instead of the production one. I highly recommend using this option to double check your infrastructure before you launch a real service. Let's Encrypt rate-limits the production server to issuing five certificates per domain per seven days, which (as I discovered the hard way) you can quickly exhaust by debugging unrelated problems!
Since `--link`s don't survive the re-creation of the target container, you'll need to re-create the proxy container whenever the backend is re-created. To keep that from reissuing certificates and regenerating parameters each time, cache the certificates and Diffie-Hellman parameters in named volumes with the following procedure:
Do this once:
```
docker volume create --name letsencrypt
docker volume create --name letsencrypt-backups
docker volume create --name dhparam-cache
```

and then start the container with volume attachments:
```
docker run --detach \
  --name lets-nginx \
  --link backend:backend \
  --env EMAIL=your-email@example.com \
  --env DOMAIN=mydomain.horse \
  --env UPSTREAM=backend:8080 \
  --publish 80:80 \
  --publish 443:443 \
  -v letsencrypt:/etc/letsencrypt \
  -v letsencrypt-backups:/var/lib/letsencrypt \
  -v dhparam-cache:/cache \
  smashwilson/lets-nginx
```
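As an added example, not part of the lets-nginx project, here is a POSIX sh preflight helper that checks the `EMAIL`, `DOMAIN` and `UPSTREAM` values from the parameter list above and assembles the `docker run` command, optionally with the three cache volumes from the procedure just shown. It defaults to `STAGING=1` unless you explicitly ask for production, so a typo in the domain or an unreachable backend gets caught against the staging server rather than counting against the production rate limit. The function names, the staging-by-default policy and the `example.com` address are this example's own assumptions; the image name, environment variables, ports and volume names are the ones from this README.

```shell
# Added example (not lets-nginx project code): validate the launch parameters
# and print the docker run command. Assumed: staging is the default, production
# must be requested explicitly with the 4th argument to build_cmd.

# A plausible hostname: dot-separated labels of letters, digits and hyphens,
# not starting or ending with a hyphen, and an alphabetic top-level label.
valid_domain() {
  printf '%s' "$1" | grep -Eq '^([a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?\.)+[a-zA-Z][a-zA-Z]+$'
}

# UPSTREAM must be host:port with a numeric port in 1..65535.
valid_upstream() {
  host=${1%%:*}
  port=${1#*:}
  [ -n "$host" ] && [ "$host" != "$1" ] || return 1
  case $port in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Minimal sanity check on the registration address: exactly one @ with
# non-empty text on both sides.
valid_email() {
  case $1 in
    *@*@*|@*|*@|'') return 1 ;;
    *@*) return 0 ;;
    *) return 1 ;;
  esac
}

# build_cmd EMAIL DOMAIN UPSTREAM [PRODUCTION=0|1] [USE_VOLUMES=0|1]
# Prints the docker run command on stdout; non-zero exit on bad input.
build_cmd() {
  email=$1; domain=$2; upstream=$3; production=${4:-0}; use_volumes=${5:-0}
  valid_email "$email"       || { echo "bad EMAIL: $email" >&2; return 1; }
  valid_domain "$domain"     || { echo "bad DOMAIN: $domain" >&2; return 1; }
  valid_upstream "$upstream" || { echo "bad UPSTREAM: $upstream" >&2; return 1; }
  # The --link alias is the container name part of UPSTREAM, as in the README.
  backend=${upstream%%:*}
  cmd="docker run --detach --name lets-nginx --link ${backend}:${backend}"
  cmd="$cmd --env EMAIL=${email} --env DOMAIN=${domain} --env UPSTREAM=${upstream}"
  # Staging is the safe default: its certificates are not browser-trusted, but
  # it is not subject to the five-certificates-per-domain-per-week limit.
  [ "$production" = 1 ] || cmd="$cmd --env STAGING=1"
  cmd="$cmd --publish 80:80 --publish 443:443"
  if [ "$use_volumes" = 1 ]; then
    # Same named volumes as the caching procedure above.
    cmd="$cmd -v letsencrypt:/etc/letsencrypt -v letsencrypt-backups:/var/lib/letsencrypt -v dhparam-cache:/cache"
  fi
  cmd="$cmd smashwilson/lets-nginx"
  printf '%s\n' "$cmd"
}

# Usage (dry run, prints the command without executing it):
#   build_cmd you@example.com mydomain.horse backend:8080 0 1
# Once a staging run has succeeded, pass 1 as the 4th argument for production
# and run the printed command with: eval "$(build_cmd ...)"
```

Running the printed command through `eval` only after a staging run has succeeded mirrors the README's advice: the validation catches malformed values before Docker starts, and the staging default means an unrelated misconfiguration costs nothing against the production quota.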