Very often one machine hosts multiple Docker containers running multiple web services that need to be reachable over common protocols (HTTP/HTTPS) from the public Internet. Such services can't all bind ports 80 and 443 on the same machine at once. This Docker image creates an Nginx container that proxies requests from external clients to internal containers on their internal ports.
In addition, this image includes Let's Encrypt's Certbot, which lets you create and manage free SSL certificates. An auto-renewal feature is included.
Alpine Linux + Nginx + Certbot + Cronie + a bunch of shell scripts (see folder scripts).
- amd64
- arm64
Docker images are available at ghcr.io. Provided images are tagged by Nginx version and platform architecture (arm64 | amd64). E.g. ghcr.io/kozhin/arm64/nginx:1.26.2 has Nginx 1.26.2 inside, and this image will work on arm64 devices. Versions of Certbot and other packages are expected to be the latest at the moment of image creation (see image creation date).
- Latest Docker installed
- Docker Compose available
To use this Docker image, some manual configuration is required.
- Copy docker-compose.example.yaml to any folder on your host machine, e.g. /apps
- Adjust the file for your needs and rename it to docker-compose.yaml
- Run docker compose up -d
- Open http://YOUR_IP_ADDRESS/ in a browser. If all goes well, you will see a 404 error
- Add new services to docker-compose.yaml (examples included)
- Spin up the new services with docker compose up -d and make sure they are up and running on specific ports
- Exec into the running container web: docker exec -it web sh
- Open /etc/nginx/conf.d/default.conf and add a new virtual host for your domain name using the example in the file
- Open /etc/nginx/conf.d/upstreams.conf
- Add a new virtual host by creating a new upstream directive with the required virtual host name, like www.example.com
- Point the new upstream to the container for the service using its internal port
- Verify nginx configuration with nginx -T
- Reload nginx configuration with nginx -s reload
- Point your domain name to the created virtual host and wait for DNS to propagate
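The two configuration edits from the steps above, as an added illustration (not copied from the image's own config files). The service name blog, the internal port 3000 and the forwarded headers are assumptions; the sketch also assumes the web container and the backend share a Compose network, so the backend does not need to publish any port on the host.

```nginx
# --- /etc/nginx/conf.d/upstreams.conf ---
# Upstream group named after the virtual host.
# "blog" is an assumed Compose service name, 3000 an assumed internal port.
# The backend is reached over the shared Docker network only; it should not
# have a "ports:" mapping in docker-compose.yaml, otherwise it is also
# reachable directly and bypasses the proxy.
upstream www.example.com {
    server blog:3000;
}

# --- /etc/nginx/conf.d/default.conf ---
# Plain-HTTP virtual host for the same name. It is needed until a certificate
# is issued; the steps that follow remove it again so Certbot can manage the
# host itself.
server {
    listen 80;
    server_name www.example.com;

    location / {
        # An upstream group with this name exists, so nginx uses it instead
        # of resolving www.example.com through DNS.
        proxy_pass http://www.example.com;

        # Pass the original request details to the backend (assumed headers;
        # the backend must be configured to trust them only from the proxy).
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```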
- Exec into the running container web: docker exec -it web sh
- Remove your virtual host from /etc/nginx/conf.d/default.conf if it exists, so Certbot can manage this for you
- Adjust and run /scripts/letsencrypt_add_cert.sh
- Open /etc/nginx/conf.d/default.conf and add the following line to the virtual host's server section with SSL: include /etc/nginx/conf.d/upstream.conf;
- Verify nginx configuration with nginx -T
- Reload nginx configuration with nginx -s reload
- Check that your new virtual host is accessible using HTTPS
This is handled automatically on a daily basis for all certificates. If you need to adjust the time of the certificate check:
- Exec into the running container web: docker exec -it web sh
- Run the crontab -e command
- Modify the schedule and save changes
When nginx sits behind CloudFlare, it can't properly determine the IP addresses of clients connecting to web apps. To solve this issue:
- Exec into the running container web: docker exec -it web sh
- Uncomment the line with the CloudFlare config (L66) in /etc/nginx/nginx.conf
- Reload nginx with nginx -s reload
Simply run the following commands from your folder with the docker-compose.yaml file:
docker compose stop
docker compose rm
NOTE: container volumes will be preserved with all data inside. To delete them, use docker volume rm %VOLUME NAMES%. You may also want to remove networks with docker network rm %NETWORK NAMES%
- Use the steps mentioned in the Shutting down section
- Then run docker compose pull
- And finally docker compose up -d
NOTE: use docker image prune to remove unused images. BE CAREFUL! This command may remove other unused images.
- Remove the certificate from the container (docker exec -it web sh): certbot delete --cert-name example.com
- Remove the virtual host upstream from conf.d/upstreams.conf
- Check conf.d/default.conf and remove the unnecessary virtual host
MIT