Short Description
Reverse proxy with HTTPS (certificate issued by Let's Encrypt)
Full Description

1) Copy default configuration files
1.1) docker run --name temp-nginx -d nginx
1.2) docker cp temp-nginx:/etc/nginx/nginx.conf .
1.3) docker cp temp-nginx:/etc/nginx/conf.d/default.conf .
1.4) docker rm -f temp-nginx

2) Start container
docker run --restart=always --name reverse_proxy -v /home/ubuntu/docker/nginx/html:/usr/share/nginx/html:rw -v /home/ubuntu/docker/nginx/config/nginx.conf:/etc/nginx/nginx.conf:ro -v /home/ubuntu/docker/nginx/config/conf.d:/etc/nginx/conf.d:ro -d -p 80:80 nginx

3) Go to the container shell
docker exec -it reverse_proxy bash

4) Create user, group and folder
4.1) groupadd -g 1000 ubuntu
4.2) useradd -g ubuntu -u 1000 -m -s /bin/bash ubuntu
4.3) mkdir -p /etc/nginx/snippets

5) Set timezone
mv /etc/localtime /etc/localtime.old; ln -s /usr/share/zoneinfo/Asia/Bangkok /etc/localtime

6) Add package repository
6.1) echo 'deb http://ftp.debian.org/debian stretch main' | tee /etc/apt/sources.list.d/stretch.list
6.2) apt-get update
6.3) apt-get install certbot -t stretch

7) Modify configuration files as below
default.conf:
server {
    listen 80;
    server_name localhost;

    #charset koi8-r;

    #access_log  /var/log/nginx/log/host.access.log  main;
    root   /usr/share/nginx/html;
    index  index.html index.htm;

    location / {
    }

    location ~ /.well-known {
        allow all;
    }
...

8) Restart NGINX
8.1) docker stop reverse_proxy
8.2) docker start reverse_proxy

9) Request Certificate
9.1) certbot certonly -a webroot --webroot-path=/usr/share/nginx/html -d things.dataascii.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):nutthaphon@gmail.com


Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at

https://acme-v01.api.letsencrypt.org/directory

(A)gree/(C)ancel: A
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for things.dataascii.com
Using the webroot path /usr/share/nginx/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Unable to clean up challenge directory /usr/share/nginx/html/.well-known/acme-challenge
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/things.dataascii.com/fullchain.pem. Your cert
    will expire on 2017-09-23. To obtain a new or tweaked version of
    this certificate in the future, simply run certbot again. To
    non-interactively renew all of your certificates, run "certbot
    renew"
  • If you lose your account credentials, you can recover through
    e-mails sent to nutthaphon@gmail.com.
  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.
  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

9.2) certbot renew

10) Generate Diffie-Hellman parameters (dhparam)
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

11) Copy folder and commit container to keep stage
11.1) docker cp reverse_proxy:/etc/letsencrypt .
11.2) docker stop reverse_proxy
11.3) docker commit reverse_proxy my_nginx:1.0
11.4) docker rm reverse_proxy

12) Modify configuration files as below
default.conf:
server {
    listen 80;
    listen 443 ssl;

    server_name  things.dataascii.com;
    include snippets/ssl-things.dataascii.com.conf;
    include snippets/ssl-params.conf;

    charset utf-8;

    #access_log  /var/log/nginx/log/host.access.log  main;

    root   /usr/share/nginx/html;
    index  index.html index.htm;

    location / {
    }

    location ~ /.well-known {
        allow all;
    }

    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }
...

ssl-params.conf:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
...

ssl-things.dataascii.com.conf:
ssl_certificate /etc/letsencrypt/live/things.dataascii.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/things.dataascii.com/privkey.pem;
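A small lint for the TLS directives in ssl-params.conf, added here as an example and not part of this README. It embeds the page's own snippet as constructed input so it runs offline; the deprecated-protocol set and the one-year HSTS threshold are assumptions stated in the code.

```python
# Added example (not from the README): lint the TLS directives of an nginx
# snippet such as ssl-params.conf above. Thresholds below are assumptions.
import re

# Constructed input: the ssl-params.conf shown above, embedded so this runs offline.
SSL_PARAMS = """\
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
"""

DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}   # withdrawn by RFC 7568 / RFC 8996
MIN_HSTS_AGE = 31536000                               # assumed baseline: one year
REQUIRED = ("ssl_stapling", "ssl_dhparam", "ssl_session_tickets")

def parse_directives(text):
    """One directive per line, 'name args;' -> list of (name, args)."""
    out = []
    for line in text.splitlines():
        line = line.strip().rstrip(";")
        if line and not line.startswith("#"):
            name, _, args = line.partition(" ")
            out.append((name, args.strip()))
    return out

def lint_ssl_params(text):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings, directives = [], parse_directives(text)
    for name, args in directives:
        if name == "ssl_protocols":
            weak = sorted(set(args.split()) & DEPRECATED)
            if weak:
                findings.append("deprecated protocols enabled: " + " ".join(weak))
        elif name == "add_header" and args.startswith("Strict-Transport-Security"):
            m = re.search(r"max-age=(\d+)", args)
            if not m or int(m.group(1)) < MIN_HSTS_AGE:
                findings.append("HSTS max-age missing or below one year")
    for req in REQUIRED:
        if req not in {n for n, _ in directives}:
            findings.append("missing directive: " + req)
    return findings
```

Run `lint_ssl_params(SSL_PARAMS)` against the page's snippet and the only finding is the TLSv1/TLSv1.1 entry in ssl_protocols; the rest of the file passes these checks.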

13) Start from your image
13.1) docker run --restart=always --name reverse_proxy -v /home/ubuntu/docker/nginx/html:/usr/share/nginx/html:rw -v /home/ubuntu/docker/nginx/config/nginx.conf:/etc/nginx/nginx.conf:ro -v /home/ubuntu/docker/nginx/config/conf.d:/etc/nginx/conf.d:ro -v /home/ubuntu/docker/nginx/config/letsencrypt:/etc/letsencrypt:rw -v /home/ubuntu/docker/nginx/config/snippets:/etc/nginx/snippets:ro -d -p 80:80 -p 443:443 my_nginx:1.0

14) Commit and push to Docker Hub
14.1) docker stop reverse_proxy
14.2) docker commit reverse_proxy nutthaphon/nginx:1.13.1
14.3) docker push nutthaphon/nginx:1.13.1
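Steps 9 and 10 write /etc/letsencrypt (server key and ACME account key) and dhparam.pem into the container's own filesystem, and the commit in step 11 turns that into an image layer which every later commit and the push in step 14 carry along. The following scanner, added here as an example and not part of this README, checks a `docker save` tarball for PEM private keys before pushing; it assumes the layout `docker save` writes (one tar per layer inside the outer tar) and builds its own constructed sample image to run offline.

```python
# Added example (not from the README): scan a `docker save` tarball for PEM
# private keys baked into image layers, such as the /etc/letsencrypt tree that
# steps 9 and 11 leave in the committed container. Paths here are constructed.
import io
import tarfile

KEY_MARKER = b"PRIVATE KEY-----"

def _add_file(tar, name, data):
    """Helper: add an in-memory regular file to a TarFile."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))

def find_private_keys(image_tar_bytes):
    """Return sorted 'layer:path' entries for files holding a PEM private key."""
    # `docker save` nests one tar per layer inside the outer tar; members that
    # are not tars (manifest.json, config JSON) are skipped.
    hits = []
    with tarfile.open(fileobj=io.BytesIO(image_tar_bytes)) as outer:
        for layer in outer.getmembers():
            if not layer.isfile():
                continue
            blob = outer.extractfile(layer).read()
            try:
                inner = tarfile.open(fileobj=io.BytesIO(blob))
            except tarfile.TarError:
                continue
            with inner:
                for f in inner.getmembers():
                    if f.isfile() and KEY_MARKER in inner.extractfile(f).read():
                        hits.append(f"{layer.name}:{f.name}")
    return sorted(hits)

def build_sample_image():
    """Constructed sample: a two-layer image, the second layer carrying a leaked key."""
    clean = io.BytesIO()
    with tarfile.open(fileobj=clean, mode="w") as t:
        _add_file(t, "etc/nginx/nginx.conf", b"events {}\n")
    leaky = io.BytesIO()
    with tarfile.open(fileobj=leaky, mode="w") as t:
        _add_file(t, "etc/letsencrypt/live/example.test/privkey.pem",
                  b"-----BEGIN PRIVATE KEY-----\n(constructed)\n-----END PRIVATE KEY-----\n")
        _add_file(t, "etc/letsencrypt/live/example.test/fullchain.pem",
                  b"-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n")
    outer = io.BytesIO()
    with tarfile.open(fileobj=outer, mode="w") as t:
        _add_file(t, "manifest.json", b"[]")
        _add_file(t, "aaa/layer.tar", clean.getvalue())
        _add_file(t, "bbb/layer.tar", leaky.getvalue())
    return outer.getvalue()
```

On a real image, feed it the bytes of `docker save my_nginx:1.0` and treat any hit as a key that must be rotated and a layer that must not be published.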

Owner
nutthaphon