Modified for OpenMapHub Project
Forked from: https://github.com/smashwilson/lets-nginx
- Allows proxying on port 80 for mixed mode; the web app itself redirects to https for pages that require it.
- Fixes nginx proxy permission issues.
Put browser-valid TLS termination in front of any Dockerized HTTP service with one command.
```
docker run --detach \
  --name lets-nginx \
  --link backend:backend \
  --env EMAIL=email@example.com \
  --env DOMAIN=mydomain.horse \
  --env UPSTREAM=backend:8080 \
  --publish 80:80 \
  --publish 443:443 \
  smashwilson/lets-nginx
```
:zap: To run unattended, this container accepts the letsencrypt terms of service on your behalf. Make sure that the subscriber agreement is acceptable to you before using this container. :zap:
Before you begin, you'll need:
- A place to run Docker containers with a public IP.
- A domain name with an A record pointing to your cluster.
Launch your backend container and note its name, then launch
smashwilson/lets-nginx with the following parameters:
- `--link backend:backend` to link your backend service's container to this one. (This may be unnecessary depending on Docker's networking configuration.)
- `-e EMAIL=` your email address, used to register with letsencrypt.
- `-e DOMAIN=` the domain name.
- `-e UPSTREAM=` the name of your backend container and the port on which the service is listening, e.g. backend:8080.
- `-p 443:443` and `-p 80:80` so that the letsencrypt client and nginx can bind to those ports on your public interface.
- `-e STAGING=1` uses the Let's Encrypt staging server instead of the production one.
I highly recommend using this option to double check your infrastructure before you launch a real service. Let's Encrypt rate-limits the production server to issuing [five certificates per domain per seven days](https://community.letsencrypt.org/t/public-beta-rate-limits/4772/3), which (as I discovered the hard way) you can quickly exhaust by debugging unrelated problems!
Caching the Certificates and/or DH Parameters
Since `--link`s don't survive the re-creation of the target container, you'll need to coordinate re-creating
the proxy container whenever the backend is re-created. Each fresh proxy container would otherwise request a new certificate (counting against the rate limit mentioned above) and regenerate its Diffie-Hellman parameters, so cache the certificates and DH parameters with the following procedure:
Do this once:
```
docker volume create --name letsencrypt
docker volume create --name letsencrypt-backups
docker volume create --name dhparam-cache
```
and then start the container with volume attachments:
```
docker run --detach \
  --name lets-nginx \
  --link backend:backend \
  --env EMAIL=firstname.lastname@example.org \
  --env DOMAIN=mydomain.horse \
  --env UPSTREAM=backend:8080 \
  --publish 80:80 \
  --publish 443:443 \
  -v letsencrypt:/etc/letsencrypt \
  -v letsencrypt-backups:/var/lib/letsencrypt \
  -v dhparam-cache:/cache \
  smashwilson/lets-nginx
```
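The whole procedure above (cache volumes, launch, staging first, then verify) as one POSIX shell script. This is an added example, not code from lets-nginx or the OpenMapHub fork. The image name, environment variables, ports and volume names are taken from this README; the `BACKEND`/`UPSTREAM` defaults, the `PUBLIC_IP` and `DRY_RUN` variables, and the issuer-name heuristic in `issuer_is_production` are assumptions of the example.

```shell
#!/bin/sh
# Added example (not part of lets-nginx or the OpenMapHub fork). Creates the
# cache volumes, launches the proxy against the staging CA by default, and
# afterwards checks that :443 serves a production Let's Encrypt certificate.
set -eu

IMAGE="smashwilson/lets-nginx"
# Assumed defaults for this example; override via the environment.
BACKEND="${BACKEND:-backend}"
UPSTREAM="${UPSTREAM:-backend:8080}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the docker arguments instead of running

# Volume names from the README. "docker volume create NAME" is idempotent,
# so this is safe to run before every launch.
ensure_volumes() {
  for v in letsencrypt letsencrypt-backups dhparam-cache; do
    docker volume create "$v" >/dev/null
  done
}

# The A record for DOMAIN must point at this host, otherwise the challenge
# fails and every retry still counts toward the Let's Encrypt rate limit.
preflight_dns() {
  domain="$1"; public_ip="$2"
  resolved="$(getent ahostsv4 "$domain" | awk 'NR==1 {print $1}')"
  [ "$resolved" = "$public_ip" ]
}

# deploy EMAIL DOMAIN [STAGING]   (STAGING defaults to 1; pass 0 for production)
deploy() {
  email="$1"; domain="$2"; staging="${3:-1}"
  set -- run --detach --name lets-nginx --link "$BACKEND:$BACKEND" \
    --env "EMAIL=$email" --env "DOMAIN=$domain" --env "UPSTREAM=$UPSTREAM" \
    --publish 80:80 --publish 443:443 \
    -v letsencrypt:/etc/letsencrypt \
    -v letsencrypt-backups:/var/lib/letsencrypt \
    -v dhparam-cache:/cache
  if [ "$staging" = "1" ]; then
    set -- "$@" --env STAGING=1
  fi
  set -- "$@" "$IMAGE"
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$@"        # one argument per line, for inspection
  else
    docker "$@"
  fi
}

# Issuer line of the served certificate, as printed by openssl x509 -issuer.
fetch_issuer() {
  domain="$1"
  openssl s_client -servername "$domain" -connect "$domain:443" </dev/null 2>/dev/null \
    | openssl x509 -noout -issuer
}

# Heuristic (an assumption of this example): production issuers carry
# "Let's Encrypt"; staging issuers have been labelled "(STAGING)" or
# "Fake LE ..." and are not trusted by browsers.
issuer_is_production() {
  case "$1" in
    *STAGING*|*Fake*) return 1 ;;
    *"Let's Encrypt"*) return 0 ;;
    *) return 1 ;;
  esac
}

check_cert() {
  domain="$1"
  issuer="$(fetch_issuer "$domain")"
  if issuer_is_production "$issuer"; then
    echo "OK: production certificate, $issuer"
  else
    echo "NOT browser-valid: $issuer" >&2
    return 1
  fi
}

case "${1:-}" in
  deploy)
    shift
    if [ -n "${PUBLIC_IP:-}" ]; then preflight_dns "$2" "$PUBLIC_IP"; fi
    ensure_volumes
    deploy "$@" ;;
  check) check_cert "${2:-}" ;;
  *) echo "usage: $0 deploy EMAIL DOMAIN [1|0]  |  check DOMAIN" >&2 ;;
esac
```

Run `PUBLIC_IP=203.0.113.10 ./lets-nginx.sh deploy me@example.com mydomain.horse` for a staging run, then the same with a trailing `0` once `./lets-nginx.sh check mydomain.horse` shows the expected issuer; `DRY_RUN=1` prints the assembled `docker run` arguments without touching Docker.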