Short Description
Reverse proxy with HTTPS (certificate issued by Let's Encrypt)
Full Description

1) Copy default configuration files
1.1) docker run --name temp-nginx -d nginx
1.2) docker cp temp-nginx:/etc/nginx/nginx.conf .
1.3) docker cp temp-nginx:/etc/nginx/conf.d/default.conf .
1.4) docker rm -f temp-nginx

2) Start container
docker run --restart=always --name reverse_proxy -v /home/ubuntu/docker/nginx/html:/usr/share/nginx/html:rw -v /home/ubuntu/docker/nginx/config/nginx.conf:/etc/nginx/nginx.conf:ro -v /home/ubuntu/docker/nginx/config/conf.d:/etc/nginx/conf.d:ro -d -p 80:80 nginx

3) Go to the container shell
docker exec -it reverse_proxy bash

4) Create user, group and folder
4.1) groupadd -g 1000 ubuntu
4.2) useradd -g ubuntu -u 1000 -m -s /bin/bash ubuntu
4.3) mkdir -p /etc/nginx/snippets

5) Set timezone
mv /etc/localtime /etc/localtime.old; ln -s /usr/share/zoneinfo/Asia/Bangkok /etc/localtime

6) Add package repository
6.1) echo 'deb stretch main' | tee /etc/apt/sources.list.d/stretch.list
6.2) apt-get update
6.3) apt-get install certbot -t stretch

7) Modify the configuration files as below (this is /etc/nginx/conf.d/default.conf from step 1.3; the HTTP-only server block lets Let's Encrypt reach the challenge files in the webroot)
# /etc/nginx/conf.d/default.conf
server {
    listen 80;
    server_name localhost;

    #charset koi8-r;

    #access_log  /var/log/nginx/log/host.access.log  main;
    root   /usr/share/nginx/html;
    index  index.html index.htm;

    location / {
        # reverse-proxy directives for the backend go here
    }

    # http-01 challenge files are written below the webroot by certbot (step 9)
    location ~ /.well-known {
        allow all;
    }
}

8) Restart NGINX
8.1) docker stop reverse_proxy
8.2) docker start reverse_proxy

9) Request Certificate
9.1) certbot certonly -a webroot --webroot-path=/usr/share/nginx/html -d
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter 'c' to

Please read the Terms of Service at You must agree
in order to register with the ACME server at

(A)gree/(C)ancel: A
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
Using the webroot path /usr/share/nginx/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Unable to clean up challenge directory /usr/share/nginx/html/.well-known/acme-challenge
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem


  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/ Your cert
    will expire on 2017-09-23. To obtain a new or tweaked version of
    this certificate in the future, simply run certbot again. To
    non-interactively renew all of your certificates, run "certbot
  • If you lose your account credentials, you can recover through
    e-mails sent to
  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.
  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt:
    Donating to EFF:

9.2) certbot renew

10) Generate Diffie-Hellman parameters (referenced by ssl_dhparam in step 12)
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

11) Copy the letsencrypt folder out and commit the container to keep its state. Note that docker commit captures /etc/letsencrypt as well, so my_nginx:1.0 and every image derived from it (including the one pushed in step 14) carry the certificate private key and the ACME account key in their layers.
11.1) docker cp reverse_proxy:/etc/letsencrypt .
11.2) docker stop reverse_proxy
11.3) docker commit reverse_proxy my_nginx:1.0
11.4) docker rm reverse_proxy

12) Modify the configuration files as below (default.conf gains the HTTPS listener and includes the snippets; the TLS settings live in snippets/ssl-params.conf)
# /etc/nginx/conf.d/default.conf
server {
    listen 80;
    listen 443 ssl;

    include snippets/;
    include snippets/ssl-params.conf;

    charset utf-8;

    #access_log  /var/log/nginx/log/host.access.log  main;

    root   /usr/share/nginx/html;
    index  index.html index.htm;

    location / {
        # reverse-proxy directives for the backend go here
    }

    # http-01 challenge files must stay reachable over plain HTTP for certbot renew
    location ~ /.well-known {
        allow all;
    }

    # redirect plain HTTP to HTTPS; $host is the safer choice when server_name
    # is unset or lists several names, because $server_name is then empty or only the first
    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }
}

# /etc/nginx/snippets/ssl-params.conf
# TLSv1 and TLSv1.1 are deprecated (RFC 8996); new deployments should offer only TLSv1.2 and TLSv1.3
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# ssl_stapling_verify needs the issuer chain (ssl_trusted_certificate pointing at chain.pem)
ssl_stapling on;
ssl_stapling_verify on;
# resolver takes the address of a DNS server; nginx uses it for the OCSP lookups
resolver valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# certbot writes fullchain.pem and privkey.pem under /etc/letsencrypt/live/<domain>/
ssl_certificate /etc/letsencrypt/live/;
ssl_certificate_key /etc/letsencrypt/live/;

13) Start from your image
13.1) docker run --restart=always --name reverse_proxy -v /home/ubuntu/docker/nginx/html:/usr/share/nginx/html:rw -v /home/ubuntu/docker/nginx/config/nginx.conf:/etc/nginx/nginx.conf:ro -v /home/ubuntu/docker/nginx/config/conf.d:/etc/nginx/conf.d:ro -v /home/ubuntu/docker/nginx/config/letsencrypt:/etc/letsencrypt:rw -v /home/ubuntu/docker/nginx/config/snippets:/etc/nginx/snippets:ro -d -p 80:80 -p 443:443 my_nginx:1.0

14) Commit and push to Docker Hub
14.1) docker stop reverse_proxy
14.2) docker commit reverse_proxy nutthaphon/nginx:1.13.1
14.3) docker push nutthaphon/nginx:1.13.1
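As an added check that is not part of the original page: a small POSIX shell lint for a TLS snippet like the ssl-params.conf in step 12, flagging the deprecated TLSv1/TLSv1.1 protocols, ssl_stapling_verify without ssl_trusted_certificate, a missing HSTS header, and ssl_certificate directives that do not name a file. The lint_ssl_params name and the sample_* helpers are my own, the snippets they write are constructed, and example.org is a placeholder domain.

```shell
# Prints one finding per line; returns the number of findings as exit status.
lint_ssl_params() {
    body=$(sed 's/#.*$//' "$1")   # drop comments so commented-out lines are ignored
    findings=$(
        # 1. SSLv3, TLS 1.0 and TLS 1.1 are deprecated (RFC 8996).
        printf '%s\n' "$body" | awk '$1 == "ssl_protocols" { for (i = 2; i <= NF; i++) { v = $i; sub(/;.*/, "", v)
            if (v == "SSLv3" || v == "TLSv1" || v == "TLSv1.1") print "weak protocol offered: " v } }'
        # 2. OCSP stapling verification needs the issuer chain.
        if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*ssl_stapling_verify[[:space:]]+on[[:space:]]*;' &&
           ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*ssl_trusted_certificate[[:space:]]'; then
            echo "ssl_stapling_verify on, but no ssl_trusted_certificate for chain validation"
        fi
        # 3. ssl_certificate and ssl_certificate_key must name a file, not a directory.
        printf '%s\n' "$body" | awk '$1 ~ /^ssl_certificate(_key)?$/ { v = $2; sub(/;.*/, "", v)
            if (v == "" || v ~ "/$") print $1 " does not name a file: \"" v "\"" }'
        # 4. HSTS should accompany the HTTP-to-HTTPS redirect.
        printf '%s\n' "$body" | grep -q 'Strict-Transport-Security' || echo "no Strict-Transport-Security header"
    )
    [ -n "$findings" ] && printf '%s\n' "$findings"
    n=$(printf '%s' "$findings" | grep -c . || true)
    return "$n"
}
# Constructed input: the ssl-params snippet as written on this page.
sample_page_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
ssl_certificate /etc/letsencrypt/live/;
ssl_certificate_key /etc/letsencrypt/live/;
EOF
    echo "$f"
}
# Constructed input: the same snippet with every finding addressed (example.org is a placeholder).
sample_hardened_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
ssl_protocols TLSv1.2 TLSv1.3;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/example.org/chain.pem;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
EOF
    echo "$f"
}
```

Inside the running container, `lint_ssl_params /etc/nginx/snippets/ssl-params.conf` lists what to fix and exits non-zero with the finding count, so it can gate a restart in step 8.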
