As a DevOps enthusiast, I’m always on the lookout for ways to enhance the security and performance of web applications.
NGINX — a powerful essential tool, an open-source web server that can also work as a reverse proxy, load balancer, and HTTP cache.
In this blog post, I’ll be sharing how to set up NGINX with a self-signed SSL/TLS certificate on Docker, so you can ensure your web apps are safe with HTTPS.
Self-signed certificates are an excellent tool for testing and development purposes, but should not be the best to use in production environments.
Instead, you should use a trusted SSL/TLS certificate issued by a Certificate Authority (CA) to ensure the security of your website.
Prerequisites:
Before we begin, make sure you have the following installed on your system:
What is Docker-Compose:
Docker-compose is a tool docker utility that simplifies the deployment and management of multiple containers in a single application.
It allows you to define the configuration of each container in a YAML file, automating the creation, startup, and shutdown of containers. With docker-compose, you can easily run multiple containers and their dependencies together.
Let’s Configure Nginx Conf File:
you can use any Simple nginx.conf file with reverse proxy to the 443 Port. For that you should have basic knowledge of nginx.
Basically while configuring nginx with docker you should manually add SSL Configurations in the nginx.conf file.
Here is One Nginx.conf file that you can use for demonstrations:
This Nginx configuration file sets up a web server for the domain test.demo.in. It listens on both HTTP and HTTPS ports, which are ports 80 and 443 respectively.
The ssl_certificate and ssl_certificate_key directives specify the SSL/TLS certificates and keys for the domain name test.demo.in. This is because uses a Certbot to obtain and manage the SSL certificates.
The final location /.well-known/acme-challenge/ block specifies the root directory where Certbot can store challenge-response files during the certificate issuance process. It is necessary to verify the SSL Certification in Containers.
Overall, this configuration file sets up a basic HTTPS server with SSL certificates obtained using Certbot, which proxies all requests to another web server.
Setting Up docker-compose.yaml:
Let’s create basic docker-compose.yml file that defines nginx and certbot containers for our Requirements.
Before Applying this docker file edit the certbot commands at the Last Lines of the File, you need to change the mail id and domain name in that command.
Please Edit this Command before Applying the docker-compose file.
certonly --webroot --webroot-path=/var/www/certbot --email test.demo@gmail.com --agree-tos -d test.demo.in -d www.test.demo.in
The Last One Entrypoint we used to automatically renew our SSL Certificate from our certbot container.
entrypoint: /bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'
here we attached 3 volumes for Our nginx container. It’s because we need to give nginx.conf and SSL certificates from Our Local System.
WorkArounds to Run Container Successfully:
After Doing All Such things here is one WorkAround you need to do Because Before Submitting Certificate files to Nginx it won’t run.
So to Run the Nginx Server Successfully we need to Create a Certificate before Getting started with the docker-compose.
This is because Let’s Encrypt needs to perform an ACME Challenge Request to verify your domain ownership and issue a certificate.
Here is One Shell Script we have which will do all the work for us: LetsEncrypt-init.ssh
Please change your domain name and Preferable script Before Getting Started with the Script.
How certbot SSL Works in Docker Container:
Certbot is a free, open-source tool that simplifies the process of obtaining and renewing SSL/TLS certificates for your website.
Before running the Certbot command to install a new SSL/TLS certificate, it’s necessary to set up a basic instance of Nginx to make your domain accessible over HTTP.
The web root directory is mounted as a volume in the Docker Compose file, so Certbot can write files to the directory and the NGINX service can serve those files to Let’s Encrypt for verification.
Once the Certbot service has generated the SSL/TLS certificate, it will be saved in the Certbot configuration directory, which is mounted as a volume in the Docker Compose file.
In summary, Certbot works by interacting with Let’s Encrypt to generate SSL/TLS certificates for your website, and the Docker Compose file and their volume sets up a complete system for using Certbot to secure your website with HTTPS.
Top comments (0)