# Web Proxy using Docker, NGINX and Let's Encrypt

With this repo you can set up a server hosting multiple sites behind a single NGINX proxy that manages your connections (ports 80 and 443) for your app containers and automatically renews their SSL certificates with Let's Encrypt.

Something like:

![Web Proxy environment](https://github.com/evertramos/images/raw/master/webproxy.jpg)

## Why use it?

Using this setup you will be able to start a production environment in a few seconds. For each new web project simply start the containers with the option `-e VIRTUAL_HOST=your.domain.com` and you will be ready to go. If you want to use SSL (Let's Encrypt) just add the option `-e LETSENCRYPT_HOST=your.domain.com`. Done!

Easy and trustworthy!

## Prerequisites

In order to use this compose file (docker-compose.yml) you must have:

1. docker (https://docs.docker.com/engine/installation/)
2. docker-compose (https://docs.docker.com/compose/install/)

## How to use it

1. Clone this repository:

```bash
git clone https://github.com/evertramos/docker-compose-letsencrypt-nginx-proxy-companion.git
```

2. Make a copy of our `.env.sample` and rename it to `.env`:

Update this file with your preferences.

```
#
# docker-compose-letsencrypt-nginx-proxy-companion
#
# A Web Proxy using docker with NGINX and Let's Encrypt
# Using the great community docker-gen, nginx-proxy and docker-letsencrypt-nginx-proxy-companion
#
# This is the .env file to set up your webproxy environment

#
# Your local containers NAME
#
NGINX_WEB=nginx-web
DOCKER_GEN=nginx-gen
LETS_ENCRYPT=nginx-letsencrypt

#
# Set the IP address of the external access Interface
#
IP=0.0.0.0

#
# Default Network
#
NETWORK=webproxy

# If you want to customize the created network, use the following variable
#NETWORK_OPTIONS="--opt encrypted=true"

#
# Service Network (Optional)
#
# In case you decide to add a new network to your services containers you can set this
# network as a SERVICE_NETWORK
#
# [WARNING] This setting was built to use our `start.sh` script or in that special case
#           you could use docker-compose with our multiple network option, as of:
#           `docker-compose -f docker-compose-multiple-networks.yml up -d`
#
#SERVICE_NETWORK=webservices

# If you want to customize the created network, use the following variable
#SERVICE_NETWORK_OPTIONS="--opt encrypted=true"

#
## NGINX file path (mount into the host)
# Here you can configure the path where nginx stores all the configurations and certificates.
# With the value ./nginx-data it creates a new sub-folder into your current path.

NGINX_FILES_PATH=./nginx-data

#
# NGINX use special conf files
#
# In case you want to add some special configuration to your NGINX Web Proxy you could
# add your files to ./conf.d/ folder as of sample file 'uploadsize.conf'
#
# [WARNING] This setting was built to use our `start.sh`.
#
# [WARNING] Once you set this option to true all your files will be copied to data
#           folder (./data/conf.d). If you decide to remove this special configuration
#           you must delete your files from data folder ./data/conf.d.
#
#USE_NGINX_CONF_FILES=true

#
# Docker Logging Config
#
# This section offers two options max-size and max-file, which follow the docker documentation
# as follows:
#
# logging:
#   driver: "json-file"
#   options:
#     max-size: "200k"
#     max-file: "10"
#
#NGINX_WEB_LOG_DRIVER=json-file
#NGINX_WEB_LOG_MAX_SIZE=4m
#NGINX_WEB_LOG_MAX_FILE=10

#NGINX_GEN_LOG_DRIVER=json-file
#NGINX_GEN_LOG_MAX_SIZE=2m
#NGINX_GEN_LOG_MAX_FILE=10

#NGINX_LETSENCRYPT_LOG_DRIVER=json-file
#NGINX_LETSENCRYPT_LOG_MAX_SIZE=2m
#NGINX_LETSENCRYPT_LOG_MAX_FILE=10
```

3. Run our start script

```bash
./start.sh
```

Your proxy is ready to go!

## Starting your web containers

After following the steps above you can start new web containers with port 80 open and add the option `-e VIRTUAL_HOST=your.domain.com`, so that the proxy automatically generates the reverse proxy configuration in NGINX to forward new connections to your web/app container, as follows:

```bash
docker run -d -e VIRTUAL_HOST=your.domain.com \
    --network=webproxy \
    --name my_app \
    httpd:alpine
```

To have SSL in your web/app you just add the option `-e LETSENCRYPT_HOST=your.domain.com`, as follows:

```bash
docker run -d -e VIRTUAL_HOST=your.domain.com \
    -e LETSENCRYPT_HOST=your.domain.com \
    -e LETSENCRYPT_EMAIL=your.email@your.domain.com \
    --network=webproxy \
    --name my_app \
    httpd:alpine
```

> You don't need to open port *443* in your container; the certificate validation is managed by the web proxy.

> Please note that when running a new container to generate certificates with Let's Encrypt (`-e LETSENCRYPT_HOST=your.domain.com`), it may take a few minutes, depending on multiple circumstances.

## Further Options

1. Basic Authentication Support

In order to secure your virtual host with basic authentication, you must create an htpasswd file at `${NGINX_FILES_PATH}/htpasswd/${VIRTUAL_HOST}` via:

```bash
sudo sh -c "echo -n '[username]:' >> ${NGINX_FILES_PATH}/htpasswd/${VIRTUAL_HOST}"
sudo sh -c "openssl passwd -apr1 >> ${NGINX_FILES_PATH}/htpasswd/${VIRTUAL_HOST}"
```

> Please substitute `${NGINX_FILES_PATH}` with your path information, replace `[username]` with your username and `${VIRTUAL_HOST}` with your host's domain. You will be prompted for a password.

2. Using multiple networks

If you want to use more than one network to better organize your environment you could set the option `SERVICE_NETWORK` in our `.env.sample`, or you can just create your own network and attach all your containers to it, as follows:

```bash
docker network create myownnetwork
docker network connect myownnetwork nginx-web
docker network connect myownnetwork nginx-gen
docker network connect myownnetwork nginx-letsencrypt
```

3. Using different ports to be proxied

If your service container runs on port 8545 you will probably need to add the `VIRTUAL_PORT` environment variable to your container in the `docker-compose.yml`, as follows:

```yaml
parity:
    image: parity/parity:v1.8.9
    [...]
    environment:
        [...]
        VIRTUAL_PORT: 8545
```

Or as below:

```bash
docker run [...] -e VIRTUAL_PORT=8545 [...]
```

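For the basic authentication option (item 1 above): both commands append to the file, so an interrupted or repeated run can leave a dangling `user:` entry, a doubled `user:user:` prefix, or a second line for the same user. The script below is an added example, not part of this repository; it lints an htpasswd file and accepts only the `$apr1$` shape that `openssl passwd -apr1` produces. The function names and the sample data (including the placeholder hashes) are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from this repo): lint an htpasswd file created with the
# appending commands above. Only `openssl passwd -apr1` output is accepted.

# check_htpasswd FILE (hypothetical helper)
# Prints "<line>:<user>:<problem>" per finding; returns 1 if any, else 0.
check_htpasswd() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*$/ { next }                      # skip blank lines
        {
            i = index($0, ":")
            if (i < 2) { print NR "::malformed"; bad = 1; next }
            user = substr($0, 1, i - 1)
            hash = substr($0, i + 1)             # everything after the first ":"
            if (user in seen) { print NR ":" user ":duplicate-user"; bad = 1 }
            seen[user] = 1
            if (hash == "") { print NR ":" user ":empty-hash"; bad = 1; next }
            # Expected shape: $apr1$<salt, 1-8 chars>$<22-char digest>
            n = split(hash, p, /[$]/)
            ok = (n == 4 && p[1] == "" && p[2] == "apr1" &&
                  length(p[3]) >= 1 && length(p[3]) <= 8 &&
                  length(p[4]) == 22 && (p[3] p[4]) ~ "^[./0-9A-Za-z]+$")
            if (!ok) { print NR ":" user ":not-apr1"; bad = 1 }
        }
        END { exit bad }
    ' "$1"
}

# write_sample FILE (hypothetical helper): constructed test data. The hashes
# only have the right shape; they are not digests of any real password.
write_sample() {
    cat > "$1" <<'EOF'
alice:$apr1$Qx3vT0aB$0123456789abcdefghijkl
bob:
carol:carol:$apr1$Qx3vT0aB$0123456789abcdefghijkl
alice:$apr1$Zz9yX8wV$lkjihgfedcba9876543210
dave:hunter2
EOF
}

sample=$(mktemp)
write_sample "$sample"
check_htpasswd "$sample" || echo "fix the entries listed above" >&2
rm -f "$sample"
```

Point `check_htpasswd` at `${NGINX_FILES_PATH}/htpasswd/${VIRTUAL_HOST}` after adding or changing a user.
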
## Testing your proxy with scripts preconfigured

1. Run the script `test.sh`, passing your domain (already configured in your DNS to point to your server), as follows:

```bash
./test_start_ssl.sh your.domain.com
```

or simply run:

```bash
docker run -dit -e VIRTUAL_HOST=your.domain.com --network=webproxy --name test-web httpd:alpine
```

Open your domain in your browser!

To stop and remove your test container run our `stop_test.sh` script:

```bash
./test_stop.sh
```

Or simply run:

```bash
docker stop test-web && docker rm test-web
```

## Running this Proxy on a Synology NAS

Please check out this [howto](https://github.com/evertramos/docker-compose-letsencrypt-nginx-proxy-companion/blob/master/docs/HOWTO-Synlogy.md).

## Production Environment using Web Proxy and Wordpress

1. [docker-wordpress-letsencrypt](https://github.com/evertramos/docker-wordpress-letsencrypt)
2. [docker-portainer-letsencrypt](https://github.com/evertramos/docker-portainer-letsencrypt)
3. [docker-nextcloud-letsencrypt](https://github.com/evertramos/docker-nextcloud-letsencrypt)

In this repo you will find a docker-compose file to start a production environment for a new wordpress site.

## Credits

Without the repositories below this webproxy wouldn't be possible.

Credits go to:

- nginx-proxy [@jwilder](https://github.com/jwilder/nginx-proxy)
- docker-gen [@jwilder](https://github.com/jwilder/docker-gen)
- docker-letsencrypt-nginx-proxy-companion [@JrCs](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion)

### Special thanks to:

- [@j7an](https://github.com/j7an) - Many contributions and the ipv6 branch!
- [@buchdag](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion/pull/226#event-1145800062)
- [@fracz](https://github.com/fracz) - Many contributions!