Setup of nginx reverse proxy with letsencrypt certificate

I've found many tutorials how to setup nginx reverse proxy with letsencrypt certificate in docker environment. somehow all of them were quite complex and hard to implement for me - linux noob (I'm primarily Windows server guy).

Here is the easy setup, that I've developed after going thru lot of tutorials and spent lot of try/failure cycles in my DEV docker server:


  1. create following volumes first:
       reverse_proxy_conf
       reverse_proxy_data
       certbot_cfg
       certbot_www
  2. prerequisites:
    1. port 80 (and 443) are accessible from the outside world
    2. ports are routed to the docker host
    3. created public DNS record for your planned <hostname>
  3. run the nginx:
       docker run -it --rm --name reverse-proxy \
        -p 80:80 -p 8080:8080 -p 443:443 -p 8443:8443 \
        -v reverse_proxy_conf:/etc/nginx/ \
        -v reverse_proxy_data:/usr/share/nginx/ \
        -v certbot_cfg:/etc/letsencrypt \
        -v certbot_www:/var/www/certbot \
        -d nginx:latest
  4. create following entry in the nginx server configuration in server section listening on unencrypted port 80:
       #for certbot challenges (renewal process)
       location /.well-known/acme-challenge 
          {
          allow all;
          root /var/www/certbot; 
          }

  5. run certbot in dry-run mode to prevent "too many failed authorizations" error:
        docker run -it --rm --name certbot \
        -v certbot_cfg:/etc/letsencrypt \
        -v  certbot_www:/var/www/certbot certbot/certbot \
        certonly --register-unsafely-without-email --webroot --dry-run -w /var/www/certbot -d <hostname>
  6. if all went fine, just repeat the command without --dry-run parameter.

  7. the keys will be stored here:
        /var/lib/docker/volumes/certbot_cfg/_data/archive/<hostname>
    And links to the latest are here:
        /var/lib/docker/volumes/certbot_cfg/_data/live/<hostname>

  8. adjust nginx configuration by modifying the ssl section in config file:
       server 
          {
          listen 443 ssl;
          server_name <hostname>;
         
          ssl_certificate /etc/letsencrypt/live/<hostname>/fullchain.pem;
          ssl_certificate_key /etc/letsencrypt/live/<hostname>/privkey.pem;
          }

  9. restart nginx container ant test

  10. for certificate renewal run following command:
       docker run -it --rm --name certbot \
       -v certbot_cfg:/etc/letsencrypt \
       -v certbot_www:/var/www/certbot \
       certbot/certbot renew --webroot -w /var/www/certbot
  11. after successful renewal, the nginx container has to be restarted
  12. add your services to the proxy, e.g. for Confluence (you're accessing this page via this right now ):

       #
       # Confluence
       #
       location /
          {
          client_max_body_size 100M;
          proxy_pass http://<confluence server>:8090/;
          proxy_set_header X-Forwarded-Host $host;
          proxy_set_header X-Forwarded-Server $host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

          }
       location /synchrony 
          {
          proxy_set_header X-Forwarded-Host $host;
          proxy_set_header X-Forwarded-Server $host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_pass http://<confluence server>:8091/synchrony;
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "Upgrade";
          }


note: I'm planning to automate the renewal process using cron sometime later (Lächeln)