This article is pretty good, nice job!
Just a little suggestion, why install Nginx on the host when you can run it in a Docker container and increase isolation? Since you've already containerized your app, just add the reverse proxy as a container and all you'll need on your host is the Docker runtime. :)
Another thing regarding firewalling: if you are using DigitalOcean like you wrote, I suggest using their cloud firewall directly. It's much easier to use and you can share a firewall configuration across multiple hosts. Using UFW on a Docker host can be painful BTW, and it won't work by default! Docker network isolation works by playing a LOT with iptables, and therefore UFW rules are bypassed.
If you still want to use UFW, I suggest taking a look at github.com/chaifeng/ufw-docker, which fixes this issue.
Other than that, great article, keep going!
RAM consumption for Nginx isn't that high, an HA instance may consume <30MB RAM, see this link for more details.
For the port issue, what you can do is have a single Nginx instance running in privileged mode to bind to :80 and :443. This way you still have process isolation and are covered in case someone exploits your web server.
I agree
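The setup the comment above suggests, written out as an added example (this is not code from the article or from the commenter): a docker compose file that runs Nginx as a reverse-proxy container in front of the already containerized app, with only the proxy publishing ports. The app image name and its port 8000, the hostname example.com, the nginx image tag and the ./certs directory holding fullchain.pem and privkey.pem are all assumptions.

```yaml
# Added example, not the article's or the commenter's own code.
# Assumptions: the app image, that it listens on 8000, the hostname
# example.com, and that ./certs contains fullchain.pem and privkey.pem.
services:
  proxy:
    image: nginx:1.27-alpine          # assumed tag; pin the one you test
    ports:
      # Only the proxy publishes ports. Published ports are wired up by
      # Docker's own iptables chains, which is why host UFW rules do not
      # see this traffic.
      - "80:80"
      - "443:443"
    configs:
      - source: nginx_conf
        target: /etc/nginx/nginx.conf
    volumes:
      - ./certs:/etc/nginx/certs:ro   # assumed location of the TLS material
    networks: [edge]
    depends_on: [app]
    restart: unless-stopped

  app:
    image: yourorg/yourapp:latest     # assumed; your existing app image
    # No `ports:` here on purpose: the app is reachable only from the proxy
    # over the user-defined bridge network, never directly from the internet.
    expose: ["8000"]
    networks: [edge]
    restart: unless-stopped

networks:
  edge:
    driver: bridge

configs:
  nginx_conf:
    # Inline config via the compose spec `content:` key (needs a recent
    # Docker Compose v2). `$$` escapes `$` so compose does not try to
    # interpolate the nginx variables as environment variables.
    content: |
      events {}
      http {
        server {
          listen 80;
          server_name example.com;
          return 301 https://$$host$$request_uri;
        }
        server {
          listen 443 ssl;
          server_name example.com;
          ssl_certificate     /etc/nginx/certs/fullchain.pem;
          ssl_certificate_key /etc/nginx/certs/privkey.pem;
          location / {
            # "app" resolves through Docker's embedded DNS on the edge network
            proxy_pass http://app:8000;
            proxy_set_header Host              $$host;
            proxy_set_header X-Real-IP         $$remote_addr;
            proxy_set_header X-Forwarded-For   $$proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $$scheme;
          }
        }
      }
```

Bring it up with `docker compose up -d` and check with `ss -tlnp` that only 80 and 443 are listening on the host. Port publishing is done by the Docker daemon, so the nginx container itself does not need `--privileged` to serve on 80/443; the official image starts the master process as root and its workers drop to the `nginx` user. If you need to restrict who can reach the published ports, do it in the `DOCKER-USER` iptables chain rather than in UFW's own chains, which is exactly what the ufw-docker project linked above takes care of.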