How to configure https for nginx in docker

Websites without https support will gradually be marked as insecure by browsers, so adding https to websites has become urgent. For commercial websites, spending money on SSL/TLS certificates is not a problem. But for individual users, it would be a blessing if free SSL/TLS certificates were available! Let's Encrypt is a website that provides free SSL/TLS certificates. Since the certificate is valid for only three months, we need to renew the certificate in an automated way. This article will introduce how to add https support to the site in nginx running through docker and automatically complete the certificate renewal. The demonstration environment of this article is: Ubuntu 16.04 host running on Azure (this picture comes from the Internet):

Prepare the environment

It is very easy to create an Ubuntu virtual machine on Azure, and installing Docker is also a no-brainer. What is often overlooked is configuring appropriate network security group rules, such as opening ports 80 and 443:

There is also the configuration of DNS:

Create a normal http site

For simplicity, we will use a nodejs application in a mirror as a web site:

$ docker pull ljfpower/nodedemo
$ docker network create -d bridge webnet
$ docker run -d --restart=always --expose=3000 \
   --network=webnet --name=myweb \
   ljfpower/nodedemo

Create the nginx directory and its subdirectories conf.d, conf.crt, and html in the user's home directory, and create the logs directory and its subdirectories nginx and letsencrypt:

$ mkdir -p nginx/{conf.d,conf.crt,html}
$ mkdir -p logs/{nginx,letsencrypt}

Note that the files and directory structures that we need to manually create in the examples demonstrated in this article are as follows:

Create the nginx/nginx.conf file with the following content:

user nginx;
worker_processes auto;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
 worker_connections 2048;
}

http {
 include /etc/nginx/mime.types;
 default_type application/octet-stream;

 sendfile on;
 keepalive_timeout 65;
 client_max_body_size 10M;

 include /etc/nginx/conf.d/*.conf;
}

Then create the nginx/conf.d/default.conf file with the following content:

upstream web{
 server myweb:3000;
}
server {
 listen 80;
 listen [::]:80;
 server_name filterinto.com www.filterinto.com;

 location ^~ /.well-known/acme-challenge/ {
  default_type "text/plain";
  root /usr/share/nginx/html;
 }
 location = /.well-known/acme-challenge/ {
  return 404;
 }
 location / {
  proxy_pass http://web;
 }
}

The /.well-known/acme-challenge/ directory is created by the certbot tool when generating the certificate. Next, create the file nginx/html/index.html with the following content:

<!DOCTYPE html>
<html>
<head>
 <meta charset="utf-8" />
 <title>Let's Encrypt First Time Cert Issue Site</title>
</head>
<body>
 <h1>Hello HTTPS!</h1>
 <p>
  Just used for the very first time SSL certificates are issued by Let's Encrypt's
  certbot.
 </p>
</body>
</html>

This page is also what certbot needs to use when generating certificates. Finally, let's start the container (execute the following command in the user's home directory):

$ docker run -d \
 -p 80:80 \
 -v $(pwd)/nginx/conf.d:/etc/nginx/conf.d:ro \
 -v $(pwd)/nginx/nginx.conf:/etc/nginx/nginx.conf:ro \
 -v $(pwd)/logs/nginx:/var/log/nginx \
 -v $(pwd)/nginx/html:/usr/share/nginx/html \
 --restart=always \
 --name=gateway \
 --network=webnet \
 nginx:1.14

Note: At this time, port 443 is not mapped and the directory storing the certificates is not mounted. Our site can only be accessed via http:

Generate an SSL/TLS certificate for your site

Let's Encrypt is a website that provides free SSL/TLS certificates. It provides users with the certbot tool to generate SSL/TLS certificates. For convenience, we simply encapsulate certbot into a container. Create a certbot directory in the user's home directory, enter the certbot directory and save the following content to the Dockerfile file:

FROM alpine:3.4
RUN apk add --update bash certbot
VOLUME ["/etc/letsencrypt"]

Then execute the following command to create the certbot image:

$ docker build -t certbot:1.0 .

Then create a script called renew_cert.sh in the certbot directory to automatically update the certificate. The content is as follows:

#!/bin/bash
WEBDIR="$1"
LIST=('filterinto.com' 'www.filterinto.com')
LED_LIST=()
WWW_ROOT=/usr/share/nginx/html
for domain in ${LIST[@]};do
 docker run \
  --rm \
  -v ${WEBDIR}/nginx/conf.crt:/etc/letsencrypt \
  -v ${WEBDIR}/logs/letsencrypt:/var/log/letsencrypt \
  -v ${WEBDIR}/nginx/html:${WWW_ROOT} \
  certbot:1.0 \
  certbot certonly --verbose --noninteractive --quiet --agree-tos \
  --webroot -w ${WWW_ROOT} \
  --email="[email protected]" \
  -d "$domain"
 CODE=$?
 if [ $CODE -ne 0 ]; then
  FAILED_LIST+=($domain)
 fi
done

# output failed domains
if [ ${#FAILED_LIST[@]} -ne 0 ];then
 echo 'failed domain:'
 for (( i=0; i<${#FAILED_LIST[@]}; i++ ));
 do
  echo ${FAILED_LIST[$i]}
 done
fi

Execute the ./renew_cert.sh /home/nick command in the user's home directory to generate a new certificate (/home/nick is the current user's home directory). The generated certificate is saved in the /home/nick/nginx/conf.crt/live directory. The certificate for the domain name is saved in the directory named after the domain name:

Then check the nginx/html directory and find a hidden .well-known directory. This directory is created when the certificate is generated:

With the SSL/TLS certificate, we can then configure the https site.

Configure an SSL/TLS certificate for your site

With the SSL/TLS certificate, the next step is to update the nginx configuration file. Update the content of nginx/conf.d/default.conf as follows:

upstream web{
 server myweb:3000;
}

server {
 listen 80;
 listen [::]:80;
 server_name filterinto.com www.filterinto.com;

 location ^~ /.well-known/acme-challenge/ {
  default_type "text/plain";
  root /usr/share/nginx/html;
 }
 location = /.well-known/acme-challenge/ {
  return 404;
 }
 return 301 https://$server_name$request_uri;
}
server {
 listen 443;
 listen [::]:443;
 server_name filterinto.com;

 # enable ssl
 ssl on;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_prefer_server_ciphers on;
 ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";

 # config ssl certificate
 ssl_certificate conf.crt/live/filterinto.com/fullchain.pem;
 ssl_certificate_key conf.crt/live/filterinto.com/privkey.pem;

 location ^~ /.well-known/acme-challenge/ {
  default_type "text/plain";
  root /usr/share/nginx/html;
 }
 location = /.well-known/acme-challenge/ {
   return 404;
 }
 location / {
  proxy_pass http://web;
 }
}
server {
 listen 443;
 listen [::]:443;
 server_name www.filterinto.com;

 # enable ssl
 ssl on;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_prefer_server_ciphers on;
 ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";

 # config ssl certificate
 ssl_certificate conf.crt/live/www.filterinto.com/fullchain.pem;
 ssl_certificate_key conf.crt/live/www.filterinto.com/privkey.pem;

 location ^~ /.well-known/acme-challenge/ {
  default_type "text/plain";
  root /usr/share/nginx/html;
 }
 location = /.well-known/acme-challenge/ {
   return 404;
 }
 location / {
  proxy_pass http://web;
 }
}

Then delete the gateway container and recreate it using the following script:

$ docker run -d \
 -p 80:80 \
 -p 443:443 \
 -v $(pwd)/nginx/conf.d:/etc/nginx/conf.d:ro \
 -v $(pwd)/nginx/conf.crt:/etc/nginx/conf.crt:ro \
 -v $(pwd)/nginx/nginx.conf:/etc/nginx/nginx.conf:ro \
 -v $(pwd)/logs/nginx:/var/log/nginx \
 -v $(pwd)/nginx/html:/usr/share/nginx/html \
 --restart=always \
 --name=gateway \
 --network=webnet \
 nginx:1.14

Now the site can only be accessed via https:

Automatic certificate renewal

The validity period of the SSL/TLS certificates provided by Let's Encrypt is only three months. It is quite difficult to manually renew the certificates every three months. Here we introduce the method of automatically renewing the certificates.

In fact, our configuration has provided the greatest convenience for automatic certificate renewal (actually, it is the convenience brought by using Docker). Just add the following two records in the scheduled task:

0 0 1 * * /home/nick/certbot/renew_cert.sh /home/nick >> /home/nick/logs/cert.log 2>> /home/nick/logs/cert.error.log
0 1 1 * * docker exec gateway nginx -s reload

Renew the certificate at 0:00 on the 1st of each month and reload the nginx configuration one hour later.

Summarize

Let's Encrypt is a great website that can help beginners and individuals easily implement HTTPS sites (for free)! While it is convenient, its hidden dangers are also obvious: since anyone can obtain an SSL/TLS certificate without any barriers, illegal websites can also use it to disguise themselves as legitimate sites. So don’t just assume that HTTPS sites are safe!

The above is the full content of this article. I hope it will be helpful for everyone’s study. I also hope that everyone will support 123WORDPRESS.COM.