Docker Installation: NGINX Secure Conf with full SSL Labs A+ and Reverse Proxy

README.md

Docker Installation: NGINX Secure Conf with full SSL Labs A+ and Reverse Proxy

This guide shows how to install and configure NGINX Docker with reverse proxy configurations and full grade A+ SSL Labs while also obtaining a LetsEncrypt cert via acme.sh client and CloudFlare DNS API.

To learn how to obtain CloudFlare DNS token check here or check acme.sh docs if you want to use a different method but you need to edit the script on your own.

# Variables {edit here}
export DOMAIN=
export ACME_EMAIL=
export CF_Zone_ID=""
export CF_Account_ID=""
export CF_Token=""
export PROXYADDRESS="http://proxy"
# End Variables {end edit}

# ACME.SH Installtion and Cert Issue  {Paste in the terminal beginning from here}
cd /opt
git clone https://github.com/acmesh-official/acme.sh.git
cd ./acme.sh
./acme.sh --install -m ${ACME_EMAIL}
./acme.sh --upgrade --auto-upgrade
./acme.sh --set-default-ca --server letsencrypt
./acme.sh --issue --dns dns_cf -d ${DOMAIN} --keylength ec-384 --ocsp

# Docker Installtion and Configuration
curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
add-apt-repository "deb [arch=$(dpkg --print-architecture)] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
apt update -y
apt install -y docker-ce docker-ce-cli containerd.io
systemctl start docker
systemctl enable docker

# NGINX Configurations
mkdir -p /opt/nginx/conf.d/${DOMAIN}
wget -O /opt/nginx/conf.d/${DOMAIN}.conf https://gist.githubusercontent.com/DonSYS91/be70f2a49776ab0eb1622a015cbcab51/raw/7256444dbfa86f6ea9fc9a416368adfa2ffd8d35/web.conf
sed -i "s/DOMAIN/$DOMAIN/" /opt/nginx/conf.d/${DOMAIN}.conf
sed -i "s|PROXY_ADDRESS|$PROXY_ADDRESS|" /opt/nginx/conf.d/${DOMAIN}.conf

# Docker NGINX + MariaDB Installation
docker network create --driver bridge --subnet 172.18.0.0/16 --gateway 172.18.0.1 DockerBridge01
docker run -d --restart unless-stopped --name nginx-mainline --ip 172.18.0.2 --net DockerBridge01 -v /opt/nginx/conf.d/:/etc/nginx/conf.d/ -p 80:80 -p 443:443 nginx:mainline
# Install Cert and reload NGINX
./acme.sh --install-cert -d ${DOMAIN} --ecc --key-file /opt/nginx/conf.d/${DOMAIN}/web.key --fullchain-file /opt/nginx/conf.d/${DOMAIN}/web.crt --reloadcmd "docker exec nginx-mainline nginx -s reload"

web.conf

server {
    listen 80;
    listen [::]:80;
    server_name DOMAIN;

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name DOMAIN;

    ssl_certificate /etc/nginx/conf.d/DOMAIN/web.crt;
    ssl_certificate_key /etc/nginx/conf.d/DOMAIN/web.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    # intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384";
    ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256;
    ssl_conf_command Options ServerPreference,PrioritizeChaCha,NoRenegotiation,NoResumptionOnRenegotiation;
    ssl_ecdh_curve secp521r1:secp384r1;

    # HSTS (ngx_http_headers_module is required) (31536000 seconds)
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    location / {
        proxy_pass PROXY_ADDRESS;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # CloudFlare DNS
    resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001];
}