docker-compose-letsencrypt-.../README.md

262 lines
8.0 KiB
Markdown
Raw Permalink Normal View History

2019-01-02 11:08:16 +01:00
# Web Proxy using Docker, NGINX and Let's Encrypt
With this repo you will be able to set up your server with multiple sites using a single NGINX proxy to manage your connections, automating your apps container (port 80 and 443) to auto renew your ssl certificates with Let´s Encrypt.
Something like:
![Web Proxy environment](https://github.com/evertramos/images/raw/master/webproxy.jpg)
## Why use it?
Using this set up you will be able start a production environment in a few seconds. For each new web project simply start the containers with the option `-e VIRTUAL_HOST=your.domain.com` and you will be ready to go. If you want to use SSL (Let's Encrypt) just add the tag `-e LETSENCRYPT_HOST=your.domain.com`. Done!
Easy and trustworthy!
## Prerequisites
In order to use this compose file (docker-compose.yml) you must have:
1. docker (https://docs.docker.com/engine/installation/)
2. docker-compose (https://docs.docker.com/compose/install/)
## How to use it
1. Clone this repository:
```bash
git clone https://github.com/evertramos/docker-compose-letsencrypt-nginx-proxy-companion.git
```
2. Make a copy of our `.env.sample` and rename it to `.env`:
Update this file with your preferences.
```
#
# docker-compose-letsencrypt-nginx-proxy-companion
#
# A Web Proxy using docker with NGINX and Let's Encrypt
# Using the great community docker-gen, nginx-proxy and docker-letsencrypt-nginx-proxy-companion
#
# This is the .env file to set up your webproxy enviornment
#
# Your local containers NAME
#
NGINX_WEB=nginx-web
DOCKER_GEN=nginx-gen
LETS_ENCRYPT=nginx-letsencrypt
#
# Set the IP address of the external access Interface
#
IP=0.0.0.0
#
# Default Network
#
NETWORK=webproxy
# If you want to customize the created network, use the following variable
#NETWORK_OPTIONS="--opt encrypted=true"
#
# Service Network (Optional)
#
# In case you decide to add a new network to your services containers you can set this
# network as a SERVICE_NETWORK
#
# [WARNING] This setting was built to use our `start.sh` script or in that special case
# you could use the docker-composer with our multiple network option, as of:
# `docker-compose -f docker-compose-multiple-networks.yml up -d`
#
#SERVICE_NETWORK=webservices
# If you want to customize the created network, use the following variable
#SERVICE_NETWORK_OPTIONS="--opt encrypted=true"
#
## NGINX file path (mount into the host)
# Here you can configure the path where nginx stores all the configurations and certificates.
# With the value ./nginx-data it creates a new sub-folder into your current path.
NGINX_FILES_PATH=./nginx-data
#
# NGINX use special conf files
#
# In case you want to add some special configuration to your NGINX Web Proxy you could
# add your files to ./conf.d/ folder as of sample file 'uploadsize.conf'
#
# [WARNING] This setting was built to use our `start.sh`.
#
# [WARNING] Once you set this options to true all your files will be copied to data
# folder (./data/conf.d). If you decide to remove this special configuration
# you must delete your files from data folder ./data/conf.d.
#
#USE_NGINX_CONF_FILES=true
#
# Docker Logging Config
#
# This section offers two options max-size and max-file, which follow the docker documentation
# as follow:
#
# logging:
# driver: "json-file"
# options:
# max-size: "200k"
# max-file: "10"
#
#NGINX_WEB_LOG_DRIVER=json-file
#NGINX_WEB_LOG_MAX_SIZE=4m
#NGINX_WEB_LOG_MAX_FILE=10
#NGINX_GEN_LOG_DRIVER=json-file
#NGINX_GEN_LOG_MAX_SIZE=2m
#NGINX_GEN_LOG_MAX_FILE=10
#NGINX_LETSENCRYPT_LOG_DRIVER=json-file
#NGINX_LETSENCRYPT_LOG_MAX_SIZE=2m
#NGINX_LETSENCRYPT_LOG_MAX_FILE=10
```
3. Run our start script
```bash
./start.sh
```
Your proxy is ready to go!
## Starting your web containers
After following the steps above you can start new web containers with port 80 open and add the option `-e VIRTUAL_HOST=your.domain.com` so proxy will automatically generate the reverse script in NGINX Proxy to forward new connections to your web/app container, as of:
```bash
docker run -d -e VIRTUAL_HOST=your.domain.com \
--network=webproxy \
--name my_app \
httpd:alpine
```
To have SSL in your web/app you just add the option `-e LETSENCRYPT_HOST=your.domain.com`, as follow:
```bash
docker run -d -e VIRTUAL_HOST=your.domain.com \
-e LETSENCRYPT_HOST=your.domain.com \
-e LETSENCRYPT_EMAIL=your.email@your.domain.com \
--network=webproxy \
--name my_app \
httpd:alpine
```
> You don´t need to open port *443* in your container, the certificate validation is managed by the web proxy.
> Please note that when running a new container to generate certificates with LetsEncrypt (`-e LETSENCRYPT_HOST=your.domain.com`), it may take a few minutes, depending on multiples circumstances.
## Further Options
1. Basic Authentication Support
In order to be able to secure your virtual host with basic authentication, you must create a htpasswd file within `${NGINX_FILES_PATH}/htpasswd/${VIRTUAL_HOST}` via:
```bash
sudo sh -c "echo -n '[username]:' >> ${NGINX_FILES_PATH}/htpasswd/${VIRTUAL_HOST}"
sudo sh -c "openssl passwd -apr1 >> ${NGINX_FILES_PATH}/htpasswd/${VIRTUAL_HOST}"
```
> Please substitute the `${NGINX_FILES_PATH}` with your path information, replace `[username]` with your username and `${VIRTUAL_HOST}` with your host's domain. You will be prompted for a password.
2. Using multiple networks
If you want to use more than one network to better organize your environment you could set the option `SERVICE_NETWORK` in our `.env.sample` or you can just create your own network and attach all your containers as of:
```bash
docker network create myownnetwork
docker network connect myownnetwork nginx-web
docker network connect myownnetwork nginx-gen
docker network connect myownnetwork nginx-letsencrypt
```
3. Using different ports to be proxied
If your service container runs on port 8545 you probably will need to add the `VIRTUAL_PORT` environment variable to your container, in the `docker-compose.yml`, as of:
```bash
parity
image: parity/parity:v1.8.9
[...]
environment:
[...]
VIRTUAL_PORT: 8545
```
Or as of below:
```bash
docker run [...] -e VIRTUAL_PORT=8545 [...]
```
## Testing your proxy with scripts preconfigured
1. Run the script `test.sh` informing your domain already configured in your DNS to point out to your server as follow:
```bash
./test_start_ssl.sh your.domain.com
```
or simply run:
```bash
docker run -dit -e VIRTUAL_HOST=your.domain.com --network=webproxy --name test-web httpd:alpine
```
Access your browser with your domain!
To stop and remove your test container run our `stop_test.sh` script:
```bash
./test_stop.sh
```
Or simply run:
```bash
docker stop test-web && docker rm test-web
```
## Running this Proxy on a Synology NAS
Please checkout this [howto](https://github.com/evertramos/docker-compose-letsencrypt-nginx-proxy-companion/blob/master/docs/HOWTO-Synlogy.md).
## Production Environment using Web Proxy and Wordpress
1. [docker-wordpress-letsencrypt](https://github.com/evertramos/docker-wordpress-letsencrypt)
2. [docker-portainer-letsencrypt](https://github.com/evertramos/docker-portainer-letsencrypt)
3. [docker-nextcloud-letsencrypt](https://github.com/evertramos/docker-nextcloud-letsencrypt)
In this repo you will find a docker-compose file to start a production environment for a new wordpress site.
## Credits
Without the repositories below this webproxy wouldn´t be possible.
Credits goes to:
- nginx-proxy [@jwilder](https://github.com/jwilder/nginx-proxy)
- docker-gen [@jwilder](https://github.com/jwilder/docker-gen)
- docker-letsencrypt-nginx-proxy-companion [@JrCs](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion)
### Special thanks to:
- [@j7an](https://github.com/j7an) - Many contributions and the ipv6 branch!
- [@buchdag](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion/pull/226#event-1145800062)
- [@fracz](https://github.com/fracz) - Many contributions!