Docker image for an HTTPS-capable reverse proxy, powered by nginx and Let's Encrypt.
IMPORTANT: Please read the information about Let's Encrypt at the end of this document.
To create the image lerenn/lets-encrypt-reverse-proxy, execute the following command in the reverse-proxy project folder:
docker build -t lerenn/lets-encrypt-reverse-proxy .
If you want to run the reverse proxy in front of HTTP and/or HTTPS websites, here is the basic command (the image name is the one built above, and the two host paths must be different directories):
docker run -d -p 80:80 -p 443:443 -v /path/on/host/letsencrypt:/etc/letsencrypt -v /path/on/host/sites-enabled:/etc/nginx/sites-enabled -e CERT1="example.com;subdomain.example.com" -e LETSENCRYPT_EMAIL="you@example.com" lerenn/lets-encrypt-reverse-proxy
- /etc/nginx/sites-enabled : [Mandatory] Should contain the nginx configurations that proxy requests to your websites/web apps.
- /etc/letsencrypt : [Optional] Should contain the Let's Encrypt state (certificates and account data). Mounting it avoids regenerating certificates on every container creation.
- 80: [Optional] HTTP port.
- 443: [Mandatory] HTTPS port.
- CERT[X]: [Mandatory] Domain and subdomains, separated by ";", for which a certificate will be generated by Let's Encrypt ([X] should be replaced by a number). Example:
-e CERT1="example.com;subdom.example.com;subdom2.example.com" -e CERT2="example2.com;subdom.example2.com"
- LETSENCRYPT_EMAIL: [Mandatory] E-mail address that will be given to Let's Encrypt in order to generate certificates. Defaults to
- RSA_KEY_SIZE: [Optional] Size of the RSA keys that will be generated or renewed. Defaults to
- STARTUP_WAIT: [Optional] Seconds to wait before launching Let's Encrypt and then nginx. Defaults to
[Mandatory] Add links to the other containers with --link source-container-name:alias-container-name as an argument.
Then, you'll have to use http://alias-container-name in your nginx website/webapp configuration to redirect traffic.
/!\ Warnings /!\
There are limits on certificate generation. At the time of writing, it is 20 certificates per week.
To avoid certificate regeneration at each container creation, please consider mounting a volume on /etc/letsencrypt in the container.
For more information: https://letsencrypt.org/docs/rate-limits/.
Certificate generation and renewal
Certificates specified in the arguments are created when the container is (re)started.
The same goes for certificate renewal: certbot will try to renew the present certificates
(even those that are not in the arguments) if they will expire in less than 30 days or
if they are already expired.
Maybe one day, I will add the possibility of a cron job that will check if there is
a need for renewal (but not now, I have "Aqua-pony").
Use of certificates
After the generation of the certificates, you can find them at
The certificate will be generated as fullchain.pem and the private key as
Every subdomain is registered within the same certificate.
example.com, you'll find the:
- Certificate at
- Private key at
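Putting the two parts above together (the --link alias used for proxying, and the certificate files produced for a CERT[X] entry), here is an added example of a site file to drop into the directory mounted at /etc/nginx/sites-enabled. It is not part of this image; it assumes the container was started with CERT1="example.com;www.example.com" and --link webapp:webapp, and that certbot keeps its default layout, i.e. the files live under /etc/letsencrypt/live/<first domain in the list>/ and the private key is named privkey.pem (assumptions on my part, since this document only names fullchain.pem).

```nginx
# Added example, not a file shipped with the image.
# Assumes: CERT1="example.com;www.example.com", --link webapp:webapp,
# and certbot's default /etc/letsencrypt/live/<domain>/ layout.

# Plain HTTP: only answer with a redirect to HTTPS, never serve content here.
# (Only relevant if port 80 was published with -p 80:80.)
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com www.example.com;

    # Both names are covered by the single certificate generated for CERT1;
    # the directory is named after the first domain of the list.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Refuse legacy protocol versions; add TLSv1.3 if your nginx build supports it.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    # Ask browsers to keep using HTTPS for this host (six months).
    add_header Strict-Transport-Security "max-age=15768000" always;

    location / {
        # "webapp" is the --link alias; Docker resolves it to the container's IP.
        # Traffic to the backend is plain HTTP inside the Docker network only.
        proxy_pass http://webapp;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Keep the HTTP server block to a redirect only: anything served on port 80 bypasses the certificate entirely. The X-Forwarded-Proto header lets the backend know the original request was HTTPS, which matters for applications that generate absolute URLs or set secure cookies. After restarting the container, check that nginx picked up the files with `docker exec <container> nginx -t`.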
If you like Let's Encrypt, please consider making a donation at https://letsencrypt.org/donate/.
We're making it possible for everyone to experience a secure and privacy-respecting Web.
We make it easy to get certificates for HTTPS, because ease of use is critical for adoption.
We provide certificates free of charge, because cost excludes people.
Our certificates are available in every country in the world, because the secure Web is for everyone.
We strive to be open and transparent, because these values are essential for trust.
Your support makes this possible.