Docker nginx:alpine with Let's Encrypt SSL

nginx-proxy-ssl

Based on https://github.com/solsson/ssl-proxy-letsencrypt

Uses:

  • nginx:alpine
  • Python to run the Let's Encrypt certbot client and to generate the nginx configuration files

The Python installation on Alpine is taken from https://github.com/jfloff/alpine-python/blob/master/2.7/Dockerfile

The proxy container itself requests a certificate from https://letsencrypt.org/ on startup.
Let's Encrypt certificates are valid for 90 days, so schedule a restart of the container/pod within 90 days to renew before the certificate expires.

Run:

sudo docker run -p 80:80 -p 443:443 --name my-proxy-ssl \
        -e TARGET_SERVICE="my-actual-service:80" \
        -e CERT_DOMAINS="my1.example.net" \
        -e CERT_EMAIL="webmaster@example.net" \
        -e ENABLE_SSL=true \
        -e LETSENCRYPT_MODE="prod" \
        pixelfactory/nginx-proxy-ssl

Run on Kubernetes / OpenShift Origin:

  • A service could look like this:
---
kind: Service
apiVersion: v1
metadata:
  name: nginx-proxy-ssl
  labels:
    role: ssl-proxy
spec:
  ports:
  - name: http
    port: 80
    targetPort: http
    protocol: TCP
  - name: https
    port: 443
    targetPort: https
    protocol: TCP
  selector:
    role: ssl-proxy
  type: LoadBalancer
  • And the proxy pod like this:
---
kind: ReplicationController
apiVersion: v1
metadata:
  name: nginx-proxy-ssl
  labels:
    role: ssl-proxy
spec:
  replicas: 1
  selector:
    role: ssl-proxy
  template:
    metadata:
      name: nginx-proxy-ssl
      labels:
        role: ssl-proxy
    spec:
      containers:
      - name: nginx-proxy-ssl
        image: pixelfactory/nginx-proxy-ssl:latest
        env:
        - name: TARGET_SERVICE
          value: my-actual-service:80
        - name: ENABLE_SSL
          value: 'true'
        - name: CERT_EMAIL
          value: webmaster@example.net
        # Comma-separated list of domains
        - name: CERT_DOMAINS
          value: my.example.net,my2.example.net
        # Default challenge is http-01; tls-sni-01 is also accepted here but has since been retired by Let's Encrypt
        - name: LETSENCRYPT_CHALLENGE
          value: http-01
        # Uncomment to generate real certificates (see the docker run example above)
        #- name: LETSENCRYPT_MODE
        #  value: prod
        ports:
        - name: http
          containerPort: 80
        - name: https
          containerPort: 443

Make sure to create the Kubernetes service before the pod, so that the Let's Encrypt validation request can reach the container on startup.
On OpenShift v3 you will also need to set up the correct routes before running the pod.
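As an added example that is not part of this image or its README: a Python check for the restart-to-renew model described above. It parses the `openssl x509` output for the certificate the proxy is actually serving, reports how many days remain, and flags any CERT_DOMAINS entry the certificate does not cover, so the restart can be scheduled on evidence rather than on a calendar; the 30-day threshold, the function names and the `openssl` invocation are assumptions.

```python
# Added example, not the project's code: decide when to restart nginx-proxy-ssl so certbot re-issues the cert.
import subprocess
from datetime import datetime, timezone

RENEW_WITHIN_DAYS = 30  # assumption: restart when fewer days remain (Let's Encrypt certs live 90 days)

# Constructed sample (not real certificate data) of what this parser consumes, produced by:
#   openssl s_client -connect HOST:443 -servername HOST </dev/null | openssl x509 -noout -enddate -text
SAMPLE_OPENSSL_OUTPUT = """notAfter=Sep  1 12:00:00 2025 GMT
            X509v3 Subject Alternative Name:
                DNS:my.example.net, DNS:my2.example.net
"""

def parse_not_after(text):
    """Return the notAfter timestamp as an aware UTC datetime."""
    for line in text.splitlines():
        if line.startswith("notAfter="):
            stamp = line.split("=", 1)[1].strip()
            return datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    raise ValueError("no notAfter line in openssl output")

def parse_sans(text):
    """Collect the DNS names listed in the Subject Alternative Name extension."""
    sans = set()
    for line in text.splitlines():
        for entry in line.split(","):
            entry = entry.strip()
            if entry.startswith("DNS:"):
                sans.add(entry[4:].lower())
    return sans

def check_cert(openssl_output, cert_domains, now=None, renew_within_days=RENEW_WITHIN_DAYS):
    """cert_domains is the comma-separated CERT_DOMAINS value the container was started with."""
    now = now or datetime.now(timezone.utc)
    days_left = (parse_not_after(openssl_output) - now).days
    wanted = {d.strip().lower() for d in cert_domains.split(",") if d.strip()}
    missing = sorted(wanted - parse_sans(openssl_output))
    # A restart re-runs certbot, so it also fixes a cert that no longer covers every CERT_DOMAINS entry.
    return {"days_left": days_left,
            "needs_restart": days_left < renew_within_days or bool(missing),
            "missing_domains": missing}

def fetch_openssl_output(host, port=443):
    """Fetch the served leaf certificate with the openssl CLI (needs network access to the proxy)."""
    client = subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
                            input=b"", capture_output=True, check=True)
    x509 = subprocess.run(["openssl", "x509", "-noout", "-enddate", "-text"],
                          input=client.stdout, capture_output=True, check=True)
    return x509.stdout.decode()
```

Against a live proxy, `check_cert(fetch_openssl_output("my1.example.net"), "my1.example.net")` returns the same dictionary for the served certificate; a `needs_restart` of True is the cue to restart the container (or delete the pod so the ReplicationController recreates it).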

Owner: pixelfactory