Created
September 22, 2019 15:21
-
-
Save louisguitton/6682f1190ef594b82f5804c2e81c50ac to your computer and use it in GitHub Desktop.
Nginx + HTTPS + Docker
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| version: '3' | |
| services: | |
| nginx: | |
| image: nginx:1.15-alpine | |
| ports: | |
| - "80:80" | |
| - "443:443" | |
| volumes: | |
| - ./nginx:/etc/nginx/conf.d | |
| - ./certbot/conf:/etc/letsencrypt | |
| - ./certbot/www:/var/www/certbot | |
| command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'" | |
| depends_on: | |
| - flask_app | |
| networks: | |
| - my-network | |
| certbot: | |
| image: certbot/certbot | |
| volumes: | |
| - ./certbot/conf:/etc/letsencrypt | |
| - ./certbot/www:/var/www/certbot | |
| entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'" | |
| flask_app: | |
| container_name: flask_app | |
| restart: always | |
| image: registry.gitlab.com/enpact/flask-server | |
| ports: | |
| - "8000:8000" | |
| command: gunicorn -w 4 -b 0.0.0.0:8000 run:app | |
| volumes: | |
| - ./:/code/ | |
| networks: | |
| - my-network | |
| networks: | |
| my-network: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| if ! [ -x "$(command -v docker-compose)" ]; then | |
| echo 'Error: docker-compose is not installed.' >&2 | |
| exit 1 | |
| fi | |
| domains=(startup-meter.louisguitton.com) | |
| rsa_key_size=4096 | |
| data_path="./certbot" | |
| email="admin@guitton.co" # Adding a valid address is strongly recommended | |
| staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits | |
| if [ -d "$data_path" ]; then | |
| read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision | |
| if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then | |
| exit | |
| fi | |
| fi | |
| if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then | |
| echo "### Downloading recommended TLS parameters ..." | |
| mkdir -p "$data_path/conf" | |
| curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf" | |
| curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem" | |
| echo | |
| fi | |
| echo "### Creating dummy certificate for $domains ..." | |
| path="/etc/letsencrypt/live/$domains" | |
| mkdir -p "$data_path/conf/live/$domains" | |
| docker-compose run --rm --entrypoint "\ | |
| openssl req -x509 -nodes -newkey rsa:1024 -days 1\ | |
| -keyout '$path/privkey.pem' \ | |
| -out '$path/fullchain.pem' \ | |
| -subj '/CN=localhost'" certbot | |
| echo | |
| echo "### Starting nginx ..." | |
| docker-compose up --force-recreate -d nginx | |
| echo | |
| echo "### Deleting dummy certificate for $domains ..." | |
| docker-compose run --rm --entrypoint "\ | |
| rm -Rf /etc/letsencrypt/live/$domains && \ | |
| rm -Rf /etc/letsencrypt/archive/$domains && \ | |
| rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot | |
| echo | |
| echo "### Requesting Let's Encrypt certificate for $domains ..." | |
| #Join $domains to -d args | |
| domain_args="" | |
| for domain in "${domains[@]}"; do | |
| domain_args="$domain_args -d $domain" | |
| done | |
| # Select appropriate email arg | |
| case "$email" in | |
| "") email_arg="--register-unsafely-without-email" ;; | |
| *) email_arg="--email $email" ;; | |
| esac | |
| # Enable staging mode if needed | |
| if [ $staging != "0" ]; then staging_arg="--staging"; fi | |
| docker-compose run --rm --entrypoint "\ | |
| certbot certonly --webroot -w /var/www/certbot \ | |
| $staging_arg \ | |
| $email_arg \ | |
| $domain_args \ | |
| --rsa-key-size $rsa_key_size \ | |
| --agree-tos \ | |
| --force-renewal" certbot | |
| echo | |
| echo "### Reloading nginx ..." | |
| docker-compose exec nginx nginx -s reload |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| server { | |
| listen 80; | |
| server_name startup-meter.louisguitton.com; | |
| location / { | |
| return 301 https://$host$request_uri; | |
| } | |
| location /.well-known/acme-challenge/ { | |
| root /var/www/certbot; | |
| } | |
| } | |
| server { | |
| listen 443 ssl; | |
| server_name startup-meter.louisguitton.com; | |
| location / { | |
| proxy_pass http://flask_app:8000; | |
| proxy_redirect off; | |
| proxy_set_header Host $host; | |
| proxy_set_header X-Real-IP $remote_addr; | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| proxy_set_header X-Forwarded-Host $server_name; | |
| } | |
| ssl_certificate /etc/letsencrypt/live/startup-meter.louisguitton.com/fullchain.pem; | |
| ssl_certificate_key /etc/letsencrypt/live/startup-meter.louisguitton.com/privkey.pem; | |
| include /etc/letsencrypt/options-ssl-nginx.conf; | |
| ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment