DEV Community

Dhiraj Patra
Dhiraj Patra

Posted on

How to setup SSL with Docker

I am trying to tell you the easiest way to set up SSL for your domain on any server. I have used this test

googlecloudplatform

Create your instance [https://cloud.google.com/ai-platform/deep-learning-vm/docs/quickstart-cli]

Setup your domain name to instance [https://cloud.google.com/dns/docs/tutorials/create-domain-tutorial]

Log in to your instance with SSH or similar facilities
Go to the root of your application folder. Create a network by
docker network create nginx

Update your docker-compose file similar to this however nginx-prod and certbot is require

version: "3.4"
services:

Nginx reverse proxy

nginx-prod:
container_name: nginx-prod
restart: always
build:
context: ./nginx
dockerfile: Dockerfile
ports:
- 80:80 # for production
- 443:443
volumes:
- ./nginx/public_html:/public_html
- ./nginx/dhparam:/etc/nginx/dhparam
- ./certbot/conf/:/etc/nginx/ssl/
- ./certbot/data:/usr/share/nginx/html/letsencrypt
networks:
- nginx

certbot to create ssl certificate

certbot:
image: certbot/certbot
volumes:
- ./certbot/conf/:/etc/letsencrypt
- ./certbot/logs/:/var/log/letsencrypt
- ./certbot/data:/usr/share/nginx/html/letsencrypt

your web application it may differ for you

web:
build:
context: ./api
dockerfile: Dockerfile
container_name: web
image: orderbot
restart: always
env_file:
- ./.env
ports:
- "5000:5000"
networks:
nginx:
external: true
Hope you have already the nginx folder in the root with this structure
nginx/
conf.d/

Now create these folders at the root

dhparam
public_html

Add configuration file below to nginx/local.conf

server {
listen 80;
server_name YOUR_DOMAIN;
root /public_html/;

location ~ /.well-known/acme-challenge{
  allow all;
  root /usr/share/nginx/html/letsencrypt;
}
Enter fullscreen mode Exit fullscreen mode

}

Go to dhparam folder and run the command below
openssl dhparam -out ~/nginx/dhparam/dhparam-2048.pem 2048
Now fire up the docker-compose

docker-compose up --build -d

Now run the certbot container [kindly replace YOUR_EMAIL and YOUR_DOMAIN]

docker-compose run certbot certonly --webroot --webroot-path=/usr/share/nginx/html/letsencrypt --email YOUR_EMAIL --agree-tos --no-eff-email -d YOUR_DOMAIN

Now stop/down the docker-compose by

docker-compose down

Modify your nginx/conf.d/local.conf [replace YOUR_DOMAIN]

server {
listen 80;
server_name YOUR_DOMAIN;

location ~ /.well-known/acme-challenge{
  allow all;
  root /usr/share/nginx/html/letsencrypt;
}

location / {
  return 301 https://YOUR_DOMAIN$request_uri;
}
Enter fullscreen mode Exit fullscreen mode

}

server {
listen 443 ssl http2;
server_name YOUR_DOMAIN;

 ssl on;
 server_tokens off;
 ssl_certificate /etc/nginx/ssl/live/YOUR_DOMAIN/fullchain.pem;
 ssl_certificate_key /etc/nginx/ssl/live/YOUR_DOMAIN/privkey.pem;
 ssl_dhparam /etc/nginx/dhparam/dhparam-2048.pem;

 ssl_buffer_size 8k;
 ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
 ssl_prefer_server_ciphers on;
 ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

location / {
    proxy_pass http://frontend:3000;
}
Enter fullscreen mode Exit fullscreen mode

}

Now fire up the docker-compose along with your other application containers. Now you can comment out the whole certbot section in the docker-compose.yml file and then run

docker-compose up --build -d
docker ps

Now you can run your domain with
https://

More help here
https://cloud.google.com/community/tutorials/nginx-reverse-proxy-docker

About: I am a Technical Architect and Social Entrepreneur. You can find out more on https://dhirajpatra.github.io/

Discussion (0)