@jakubfijalkowski
Created January 13, 2019 19:41
Reverse-proxy yourself to the host
api.conf

# HTTP -> HTTPS
server {
    server_name api.local.codinginfinity.xyz;
    listen 80;
    return 301 https://$host$request_uri;
}

server {
    server_name api.local.codinginfinity.xyz;
    listen 443 ssl http2;
    # Some sensible values here, tweak as necessary
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;
    # We need to manually specify which certificate/key to use: this vhost is
    # hand-written, not generated by nginx-proxy from a VIRTUAL_HOST, so the
    # proxy's automatic certificate lookup does not apply to it.
    ssl_certificate /etc/nginx/certs/local.codinginfinity.xyz.crt;
    ssl_certificate_key /etc/nginx/certs/local.codinginfinity.xyz.key;
    # HSTS; "always" also sends it on 4xx/5xx responses. Browsers remember it
    # for a year, so this name must stay HTTPS-only afterwards.
    add_header Strict-Transport-Security "max-age=31536000" always;
    location / {
        # host.docker.internal resolves out of the box on Docker Desktop
        # (Mac/Windows) only; on Linux it must be added with --add-host or
        # extra_hosts, otherwise nginx refuses to start ("host not found").
        proxy_pass http://host.docker.internal:5000;
        # Forward the original host and client details; without these the
        # app on the host sees Host: host.docker.internal:5000.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
Build script (file name not shown in the gist)

#!/bin/bash
set -eu
# OVH_AK, OVH_AS and OVH_CK must be exported in the calling shell; acme.sh's
# dns_ovh hook uses them to answer the DNS-01 challenge. Note that build args
# are recorded in the metadata of the stage that consumes them (see Dockerfile).
docker build \
    -t proxy-with-ssl-with-host \
    --build-arg "OVH_AK=$OVH_AK" \
    --build-arg "OVH_AS=$OVH_AS" \
    --build-arg "OVH_CK=$OVH_CK" \
    .
docker-compose up
docker-compose.yml

version: "3"
services:
  backend:
    image: nginx
    environment:
      - VIRTUAL_HOST=backend.local.codinginfinity.xyz
    # Why would you create separate Dockerfiles when you can abuse the
    # entrypoint? ;)
    entrypoint: >-
      /bin/sh -c 'echo backend > /usr/share/nginx/html/index.html &&
      nginx -g "daemon off;"'
  frontend:
    image: nginx
    environment:
      - VIRTUAL_HOST=local.codinginfinity.xyz
    entrypoint: >-
      /bin/sh -c 'echo frontend > /usr/share/nginx/html/index.html &&
      nginx -g "daemon off;"'
  proxy:
    image: proxy-with-ssl-with-host
    ports:
      - "80:80"
      - "443:443"
    # nginx-proxy watches the Docker API for containers carrying VIRTUAL_HOST.
    # Binding the socket read-only only protects the socket file; the proxy
    # container still gets full Docker API access, which is root on the host.
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
    # On Linux, host.docker.internal (used by api.conf) needs Docker 20.10+
    # and this mapping; Docker Desktop provides the name on its own.
    # extra_hosts:
    #   - "host.docker.internal:host-gateway"
Dockerfile

FROM neilpang/acme.sh AS cert
ARG OVH_AK
ARG OVH_AS
ARG OVH_CK
# Re-export args as ENV
# Caveat: the ARG values and these ENV lines end up in this stage's image
# config and layer history (`docker history`, `docker inspect`). They do not
# reach the final image, but the stage stays in the local build cache.
# BuildKit's `RUN --mount=type=secret` avoids recording them at all.
ENV OVH_AK=${OVH_AK}
ENV OVH_AS=${OVH_AS}
ENV OVH_CK=${OVH_CK}
# Issue & export the certificate
# This has to be done in a single RUN statement as the base image marks /acme.sh
# as VOLUME so it will be purged after the statement (and we cannot mount
# volumes during build phase)
# Every cache miss re-issues the certificate, which counts against the CA's
# duplicate-certificate rate limit. Newer acme.sh releases default to ZeroSSL
# instead of Let's Encrypt; pass --server to pin the CA.
RUN mkdir /export
RUN acme.sh --issue \
    --dns dns_ovh \
    -d 'local.codinginfinity.xyz' -d '*.local.codinginfinity.xyz' && \
    acme.sh --install-cert -d 'local.codinginfinity.xyz' \
    --key-file /export/key.pem \
    --fullchain-file /export/fullchain.pem
# And the final proxy
FROM jwilder/nginx-proxy:alpine
# The private key of a publicly trusted wildcard certificate is baked into this
# image: keep it on the local machine and never push it to a shared registry.
COPY --from=cert /export/fullchain.pem /etc/nginx/certs/local.codinginfinity.xyz.crt
COPY --from=cert /export/key.pem /etc/nginx/certs/local.codinginfinity.xyz.key
COPY api.conf /etc/nginx/conf.d/
COPY entrypoint.sh /app
ENTRYPOINT ["/app/entrypoint.sh"]
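The Dockerfile above passes the OVH API credentials as build args and re-exports them as ENV, so they are stored in the cert stage's image metadata. The following script is an added example, not part of the gist: it writes a variant of the Dockerfile whose cert stage reads the credentials from BuildKit secret mounts (visible to one RUN only, never written to a layer or the image config), builds with it, and provides a small audit that counts credential mentions in `docker history` / `docker inspect` output. The file names Dockerfile.secrets and ./secrets, the image tag, and the shape of the sample metadata lines are assumptions; the build and audit functions need Docker 18.09+ with BuildKit and are not exercised offline.

```shell
#!/usr/bin/env bash
# Added example (not from the gist): keep OVH_AK/OVH_AS/OVH_CK out of image
# metadata with BuildKit secret mounts, then audit an image for leaks.
# Assumed names: Dockerfile.secrets, ./secrets, the image tag passed in.
set -eu

# Write a variant of the gist's Dockerfile. The secret mounts exist only
# during the RUN that declares them and are never stored in the image.
write_secret_dockerfile() {
  cat > "$1" <<'EOF'
# syntax=docker/dockerfile:1
FROM neilpang/acme.sh AS cert
RUN mkdir /export
# --server pins Let's Encrypt; recent acme.sh releases default to ZeroSSL.
RUN --mount=type=secret,id=ovh_ak \
    --mount=type=secret,id=ovh_as \
    --mount=type=secret,id=ovh_ck \
    export OVH_AK="$(cat /run/secrets/ovh_ak)" \
           OVH_AS="$(cat /run/secrets/ovh_as)" \
           OVH_CK="$(cat /run/secrets/ovh_ck)" && \
    acme.sh --issue --dns dns_ovh \
      --server https://acme-v02.api.letsencrypt.org/directory \
      -d 'local.codinginfinity.xyz' -d '*.local.codinginfinity.xyz' && \
    acme.sh --install-cert -d 'local.codinginfinity.xyz' \
      --key-file /export/key.pem --fullchain-file /export/fullchain.pem

FROM jwilder/nginx-proxy:alpine
COPY --from=cert /export/fullchain.pem /etc/nginx/certs/local.codinginfinity.xyz.crt
COPY --from=cert /export/key.pem /etc/nginx/certs/local.codinginfinity.xyz.key
COPY api.conf /etc/nginx/conf.d/
COPY entrypoint.sh /app
ENTRYPOINT ["/app/entrypoint.sh"]
EOF
}

# Build with the credentials taken from the same environment variables the
# gist's script uses, handed to BuildKit as 0600 files instead of build args.
# printf '%s' avoids a trailing newline that would otherwise become part of
# the key sent to the OVH API.
build_with_secrets() {
  image="$1"
  umask 077
  mkdir -p secrets
  printf '%s' "$OVH_AK" > secrets/ovh_ak
  printf '%s' "$OVH_AS" > secrets/ovh_as
  printf '%s' "$OVH_CK" > secrets/ovh_ck
  write_secret_dockerfile Dockerfile.secrets
  DOCKER_BUILDKIT=1 docker build -f Dockerfile.secrets -t "$image" \
    --secret id=ovh_ak,src=secrets/ovh_ak \
    --secret id=ovh_as,src=secrets/ovh_as \
    --secret id=ovh_ck,src=secrets/ovh_ck \
    .
  rm -rf secrets
}

# Count lines on stdin that mention a credential prefix (default OVH_).
# Meant for `docker history` / `docker inspect` output; prints the count.
find_leaked_secrets() {
  prefix="${1:-OVH_}"
  grep -c -- "$prefix" || true
}

# Audit an image. For the gist's build, tag the cert stage with
# `docker build --target cert -t proxy-cert .`: its RUN history carries the
# ARG values and its config the ENV lines. The final image shows neither,
# but it does carry the private key under /etc/nginx/certs.
audit_image() {
  image="$1"
  leaks=$( { docker history --no-trunc --format '{{.CreatedBy}}' "$image"
             docker inspect --format '{{range .Config.Env}}{{println .}}{{end}}' "$image"
           } | find_leaked_secrets OVH_ )
  echo "$image: $leaks metadata line(s) mention OVH_ credentials"
  docker run --rm --entrypoint ls "$image" -l /etc/nginx/certs || true
  [ "$leaks" -eq 0 ]
}
```

Usage: `build_with_secrets proxy-with-ssl-with-host && audit_image proxy-with-ssl-with-host`. Running `audit_image proxy-cert` against the gist's original cert stage reports the leaked lines; against the secret-mount build it reports zero, while the `ls` still shows the key file that both variants ship.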