NGINX and HTTPs with Let’s Encrypt, Certbot, and Cron dockerization in production

-

Docker is a popular open source containerization platform and it frees your hands to build your applications in development and production. In this post, I'm going to walk you through how to build a production grade HTTPs secured Nginx server with Docker, Docker Compose, Let’s Encrypt(its client certbot). Let’s Encrypt certificates last 90 days and will need to be renewed after the certificate expires. So I will also provide details to script the renewal in crontab in Docker container.


1. Basic Example

In development, we need a basic Nginx container without HTTPs to fast setup our local test environment. I use Nginx official docker image and wrap up all the stuff with docker-compose.

YAML


1
version: '3.4'
2
3
services:
4
  nginx:
5
    container_name: nginx
6
    image: nginx:stable
7
    restart: always
8
    volumes:
9
      - ./nginx/config/nginx.conf:/etc/nginx/nginx.conf
10
      - ./nginx/config/conf.d/local:/etc/nginx/conf.d
11
      - /tmp/logs/nginx:/var/log/nginx
12
      - ./nginx/html:/var/www/public/content
13
    ports:
14
      - "80:80"



I choose to use nginx.conf along with conf.d folder to manage all the configurations. So nginx.conf is for generic configuration while conf.d folder is for site specific configurations like below.
Java

1
server {
2
  listen 80;
3
  server_name localhost;
4
5
  gzip              on;
6
  gzip_comp_level   2;
7
  gzip_min_length   1024;
8
  gzip_vary         on;
9
  gzip_proxied      expired no-cache no-store private auth;
10
  gzip_types        application/x-javascript application/javascript application/xml application/json text/xml text/css text$
11
12
  client_body_timeout 12;
13
  client_header_timeout 12;
14
  reset_timedout_connection on;
15
  proxy_connect_timeout       600;
16
  proxy_send_timeout          600;
17
  proxy_read_timeout          600;
18
  send_timeout                600;
19
  server_tokens off;
20
  client_max_body_size 50m;
21
22
  expires 1y;
23
  access_log off;
24
  log_not_found off;
25
  root /var/www/public/content;
26
27
28
  location / {
29
    proxy_pass       http://ui:3000;
30
    proxy_http_version 1.1;
31
    proxy_set_header X-Forwarded-Host $host;
32
    proxy_set_header X-Forwarded-Server $host;
33
    proxy_set_header X-Real-IP $remote_addr;
34
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
35
    proxy_set_header X-Forwarded-Proto $scheme;
36
    proxy_set_header Host $http_host;
37
    proxy_set_header Upgrade $http_upgrade;
38
    proxy_set_header Connection "Upgrade";
39
    proxy_pass_request_headers on;
40
  }
41
42
}



2. Configure HTTPs

2.1 Let’s Encrypt
To enable HTTPS on your website, you need to get a certificate from a Certificate Authority (CA). Let’s Encrypt is a free, automated, and open certificate authority (CA). In order to get a certificate for your website’s domain from Let’s Encrypt, you have to demonstrate control over the domain. With Let’s Encrypt, you do this using software that uses the ACME protocol which typically runs on your web host.

2.1 Certbot
we recommend using certbot-auto, which automates the process of installing Certbot on your system.The certbot-auto wrapper script installs Certbot, obtaining some dependencies from your web server OS and putting others in a python virtual environment. You can download and run it as follows. In addition, Certbot needs port 80 to be enabled, so the host firewall should allow incoming traffic on port 80 (HTTP) from anywhere. I'm using Oracle cloud, I need to open up port 80 on the security list, and also the VM firewall(as below):
Shell
1
sudo firewall-cmd --permanent --zone=public --add-port=80/tcp
2
sudo firewall-cmd --reload



2.3 Setup NGINX
We need configure ports, domain names, certificates as well as reverse proxy mappings for the servers. Here is a quick example grabbed from my project which contains two servers: one is for HTTPs and another is for HTTP that will redirect to HTTPs.
Java



1
server {
2
          listen 443 ssl default_server;
3
          server_name yourcompany.com;
4
5
          gzip              on;
6
          gzip_comp_level   2;
7
          gzip_min_length   1024;
8
          gzip_vary         on;
9
          gzip_proxied      expired no-cache no-store private auth;
10
          gzip_types        application/x-javascript application/javascript application/xml application/json text/xml text/css text$
11
12
          client_body_timeout 12;
13
          client_header_timeout 12;
14
          reset_timedout_connection on;
15
          proxy_connect_timeout       600;
16
          proxy_send_timeout          600;
17
          proxy_read_timeout          600;
18
          send_timeout                600;
19
          server_tokens off;
20
          client_max_body_size 50m;
21
22
          expires 1y;
23
          access_log off;
24
          log_not_found off;
25
          root /var/www/public/content/default;
26
          ssl_certificate    /etc/letsencrypt/live/yourcompany.com/fullchain.pem;
27
          ssl_certificate_key    /etc/letsencrypt/live/yourcompany.com/privkey.pem;
28
29
          location / {
30
            proxy_pass       http://ui:3000;
31
            proxy_http_version 1.1;
32
            proxy_set_header X-Forwarded-Host $host;
33
            proxy_set_header X-Forwarded-Server $host;
34
            proxy_set_header X-Real-IP $remote_addr;
35
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
36
            proxy_set_header X-Forwarded-Proto $scheme;
37
            proxy_set_header Host $http_host;
38
            proxy_set_header Upgrade $http_upgrade;
39
            proxy_set_header Connection "Upgrade";
40
            proxy_pass_request_headers on;
41
          }
42
}
43
server {
44
    listen 80;
45
46
    server_name yourcompany.com;
47
48
    return 301 https://$host$request_uri;
49
}



2.4 Automatically Renew Certificates
We just need to add the following script to crontab, which will run monthly to check and renew the certificate.
Shell
1
@monthly /usr/local/bin/certbot-auto renew --nginx >> /var/log/cron.log 2>&1



2.5 Wrap all in Docker
We will need a Dockerfile and docker-compose.yml. 
Dockerfile
Dockerfile




docker-compose.yml
We use network mode - host at the time of docker build so that it can share host network, which is quite tricky because the port mapping(80,443) are not ready at building phrase. Otherwise, running certbot-auto will fail due to HTTP port 80 is not reachable.
YAML

1
version: '3.4'
2
3
services:
4
  nginx:
5
    container_name: nginx
6
    build:
7
      context: ./nginx
8
      network: host
9
      args:
10
        - CERTBOT_EMAIL=hello@yourcompany.com #replace with your own email
11
        - DOMAIN_LIST=yourcompany.com,api.yourcompany.com,www.yourcompany.com #replace with your own domains
12
    restart: always
13
    volumes:
14
      - ./nginx/config/conf.d/prod:/etc/nginx/conf.d
15
      - letsencrypt:/etc/letsencrypt
16
    ports:
17
      - "80:80"
18
      - "443:443"



That's it. You're good to go. Contact me if you need whole source code.











































Comments









  1. RickJanuary 16, 2021 at 2:23 PM
    Hi Kunkka, your articles are very insightful, and I really like them. 
    Would you please expand the size of the code boxes so that the contents are fully displayed? Thanks.
    ReplyDelete
    Replies
    1. Kunkka LiJanuary 29, 2021 at 10:19 PM
      I'm not aware of that. You can check my post in DZone which should be good.
      https://dzone.com/articles/nginx-and-https-with-lets-encrypt-certbot-and-cron
      Delete
  2. UnknownFebruary 12, 2021 at 3:28 AM
    Hey Kunkka, thanks for your time, it's great article. I want to ask some question it's possible to have multiple configs inside the same nginx.conf?

    For example:
    I have 2 domain, example.com & api.example.com and I want to create SSL certificate for both. Can u provide some example with multiple websites configs inside of single nginx.conf?
    ReplyDelete
    Replies
    1. Kunkka LiFebruary 27, 2021 at 11:36 AM
      Yes you can put the two conf files inside config.d folder. Here is the folder tree of one of my NGINX in production

      ├── Dockerfile
      ├── config
      │   ├── conf.d
      │   │   ├── local
      │   │   │   ├── default.conf
      │   │   │   └── strapi.conf
      │   │   └── prod
      │   │       ├── default.conf
      │   │       └── strapi.conf
      │   └── nginx.conf
      └── html
          └── default
      Delete
  3. UnknownMarch 13, 2021 at 10:39 PM
    I have two comments:

    1. It looks like you are running nginx as a root, which is not advides. Is it correct?

    2. Nginx needs to communicate to the web server which is running in my case not on a host network, but on a network created by the docker-compose. How to not attach the nginx to the host network?
    ReplyDelete
  4. DleviathanApril 19, 2021 at 2:41 AM
    Dear Kunkka, when I used your guide, to build I have getting error
    ```
    93.17    Domain: xxxxx.com
    93.17    Type:   connection
    93.17    Detail: Fetching
    93.17    http://xxxxx.com/.well-known/acme-challenge/_jrChASDFhpV9ormavMcEOA_M2fz0MAi_NYpurs_XjI:
    93.17    Error getting validation data
    ```
    ReplyDelete
    Replies
    1. Kunkka LiApril 22, 2021 at 1:11 PM
      These errors are most probably related to firewall.
      Delete
  5. Juan Pablo TamayoOctober 7, 2021 at 10:08 PM
    similar error when building!

    Failed authorization procedure. www.example.com (http-01): urn: ietf: params: acme: error: connection :: The server could not connect to the client to verify the domain :: Fetching http://www.example.com/. well-known / acme-challenge / - 8pR7yFxZ2qm1WKURHffhMCKc7ZWKP9VX8mt6nMfh8: Connection refused

    Looking in /var/log/letsencrypt/letsencrypt.log I found:

    certbot.errors.StandaloneBindError: Problem binding to port 80: Could not bind to IPv4 or IPv6.


    I wonder how the standalone webserver for authentication is going to connect port 80 if the container is not up yet?
    ReplyDelete
    Replies
    1. Kunkka LiFebruary 10, 2022 at 10:29 PM
      Hi mate,
      you should modify www.example.com to your own domain
      Delete











Post a Comment






























Popular posts from this blog









Build J2EE micro services architecture by using Spring Boot, Spring Cloud, Spring Security OAuth2, KeyCloak






-














Image







I posted an  article  in regards to single page application(UI), but in this post I'm going to introduce how to build micro service architecture for J2EE application with Spring framework and open source SSO framework  Keycloak . This post will cover the following aspects: Keycloak setup Eureka service registration and discovery Spring Cloud API gateway Spring Security (OAuth2 login) and the integration with Keycloak Micro services The code is available in my Github and please check the docker-compose.yml at first so that you can read the rest of the post easier. One thing I need to mention here is you need to replace the ip address of keycloak server url with your own before running the docker containers. YAML   1 version : '3.4' 2 services : 3   api-gateway : 4     build : 5       context : ./api-gateway 6     ports : 7       - "8080:8080" 8     restart : on-failure 9     environment : 10        #overriding spring application.properties 11       - eureka.client.








Read more










Vault Cubbyhole authentication and its integration with Spring framework






-















  1. Background For micro service, it's essential not to bundle secrets into our code base, but to move them to an external central managed secrets store.  In this article, I'm going to introduce how to use  HashiCorp’s Vault  to externalize JAVA Spring micro service application configurations. With Vault you have a central place to manage external secret properties for applications across all environments. There are multiple authentication methods from Vault, but most of them are not suitable for Spring micro service, or not safe enough. When the application starts up I want all the properties to be automatically loaded into Spring context without interaction with human, so that the secrets can be used just like they are loaded from Spring's properties. The solution is to use single-use Vault Cubbyhole wrapping token to deliver the original token to the application. 2. Vault server We simply use docker compose to set up a Vault server. docker-compose.yml: version: '3.4








Read more