{"id":17527057,"url":"https://github.com/sebastian13/docker-compose-nginx-proxy","last_synced_at":"2025-03-06T06:31:33.050Z","repository":{"id":49179758,"uuid":"112862335","full_name":"sebastian13/docker-compose-nginx-proxy","owner":"sebastian13","description":"A docker-compose file to start NGINX as a Reverse Proxy. Let's Encrypt / Certbot Support and A+ Rating included.","archived":false,"fork":false,"pushed_at":"2024-08-23T09:38:43.000Z","size":61,"stargazers_count":58,"open_issues_count":0,"forks_count":15,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-08-23T10:49:46.501Z","etag":null,"topics":["certbot","docker","docker-compose","letsencrypt","nginx","nginx-proxy","reverse-proxy"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sebastian13.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2017-12-02T17:30:38.000Z","updated_at":"2024-08-23T09:38:46.000Z","dependencies_parsed_at":"2024-02-19T14:08:46.129Z","dependency_job_id":null,"html_url":"https://github.com/sebastian13/docker-compose-nginx-proxy","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sebastian13%2Fdocker-compose-nginx-proxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sebastian13%2Fdocker-compose-nginx-proxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sebastian13%2Fdocker-compose-nginx-proxy/releases","manifests_url":"https:/
/repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sebastian13%2Fdocker-compose-nginx-proxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sebastian13","download_url":"https://codeload.github.com/sebastian13/docker-compose-nginx-proxy/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":242161695,"owners_count":20081925,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["certbot","docker","docker-compose","letsencrypt","nginx","nginx-proxy","reverse-proxy"],"created_at":"2024-10-20T15:03:01.369Z","updated_at":"2025-03-06T06:31:33.042Z","avatar_url":"https://github.com/sebastian13.png","language":"Shell","funding_links":[],"categories":["Shell"],"sub_categories":[],"readme":"# Nginx-Proxy\n\nThis docker-compose.yml uses the **official nginx** and the **official certbot** containers. It ships an nginx configuration optimized for use as an HTTPS proxy together with certbot. Following these instructions you should get an \u003cspan style=\"color:green; font-weight:bold;\"\u003eA+ rating\u003c/span\u003e at [ssllabs.com](https://www.ssllabs.com/ssltest).\n\nThe container will use the network **www-network** as a proxy tier. Add every container that serves as an upstream HTTP host to this network.\n\n### Table of Contents\n**[How To Use](#how-to-use)**\u003cbr\u003e\n**[Docker Swarm](#docker-swarm)**\u003cbr\u003e\n**[Update](#update)**\u003cbr\u003e\n**[Nginx](#nginx)**\u003cbr\u003e\n**[Let's Encrypt SSL Certificates](#lets-encrypt-ssl-certificates)**\u003cbr\u003e\n**[Let's Encrypt SSL Certificates on Swarm Mode](#lets-encrypt-ssl-certificates-on-swarm-mode)**\u003cbr\u003e\n**[Get A+ SSL Rating](#get-a-ssl-rating)**\u003cbr\u003e\n**[Password protection](#password-protection)**\u003cbr\u003e\n**[IP-based protection](#ip-based-protection)**\u003cbr\u003e\n**[GeoIP blocking](#geoip-blocking)**\u003cbr\u003e\n\n## Directory structure\n\n```\n.\n├── conf.d                       # Site-specific configuration\n│   ├── example.com.conf\n│   ├── ...\n├── protect                      # HTTP Password Protection\n│   ├── .htpasswd\n├── snippets                     # Config we want to reuse in conf.d files\n│   ├── certbot-webroot.conf     # Serves Let's Encrypt .well-known files\n│   ├── certbot-standalone.conf  # Alternative method\n│   ├── proxy.conf\n│   ├── ssl.conf\n```\n\n## How To Use\n\n### 1. Clone this repo\n\n```bash\nmkdir -p /docker/00-nginx-proxy\ncd /docker/00-nginx-proxy\ngit clone https://github.com/sebastian13/docker-compose-nginx-proxy.git .\n```\n\n### 2. Prepare for SSL\n```bash\n# Self-signed placeholder certificate so nginx can start before certbot has run\nmkdir -p ./ssl/test\nopenssl req -x509 -nodes -days 3650 -newkey rsa:4096 \\\n\t-keyout ./ssl/test/selfsigned.key \\\n\t-out ./ssl/test/selfsigned.crt\n# Optional, run in a separate session (generating 4096-bit DH parameters takes a while)\nscreen\nopenssl dhparam -out ssl/dhparams4096.pem 4096\n```\n\n### 3. Create your site's config\n```bash\ncp conf.d/{example.com,yoursite.com}.conf\n```\nReplace *example.com* with your domain, and set *$upstream* to your upstream container.\n\n### 4. Enable recommended http settings\n```bash\ncp conf.d/custom-nginx{,.conf}\n```\n\n### 5. 
Create docker network www-network\n```bash\ndocker network create www-network\n```\n\n### 6. Ready to go\n```bash\ndocker compose up -d\n```\n\n## Docker Swarm\n\nTo run this project on a docker stack, skip 5. and 6. and continue here:\n\n### 0. Network\nIf you previously used the `www-network`, stop all containers and remove the network. The stack will recreate the network in swarm scope.\n\n```bash\ndocker stop $(docker ps -q)\ndocker network remove www-network\n```\n\n### 1. Create Swarm\n```bash\ndocker swarm init\n```\n\n### 2. Deploy Stack\n```bash\ndocker stack deploy proxystack -c swarm.yml\n\n# Alternatively, run the helper script\ncd swarm-scripts\n./stack-deploy.sh\n```\n\n\n## Update\n\nTo get the most recent version of this repo run:\n\n```\ngit fetch --all \u0026\u0026 \\\ngit reset --hard origin/master \u0026\u0026 \\\ndocker compose pull \u0026\u0026 \\\ndocker compose down \u0026\u0026 \\\ndocker compose up -d\n```\n\n## Nginx\n\nI'm using the [official nginx container](https://hub.docker.com/_/nginx/) here. All volumes will be mounted read-only.\n\n### Manually reload the configuration\nAs you change site-specific configuration in *conf.d*, you should consider reloading the configuration instead of restarting the container. This is because your container will not start if the configuration contains errors.\n\n```\ndocker exec nginx-proxy nginx -s reload\n```\n\n### Amplify Agent\nYou can use the free monitoring tool [NGINX Amplify](https://amplify.nginx.com) the following way:\n\n1. Create a **amplify.env** containing\n\n ```\n AMPLIFY_IMAGENAME=example.com\n API_KEY=123456\n ```\n\n2. 
Start the container the following way:\n\n ```\n docker compose -f nginx-amplify.yml up -d --build\n ```\n\n## Let's Encrypt SSL Certificates\n\n*If using docker swarm, jump to [Let's Encrypt SSL Certificates on Swarm Mode](#lets-encrypt-ssl-certificates-on-swarm-mode)*\n\n### Request a new Certificate\n\n```\ndocker compose run --rm certbot certonly \\\n --agree-tos --no-eff-email --hsts --webroot -w /var/www \\\n --rsa-key-size 4096 --cert-name=example.com \\\n -m mail@example.com -d example.com\n```\n\nThen reference the certificate in your site's .conf and reload nginx-proxy.\n\n### List existing Certificates\n```shell\ndocker compose run --rm certbot certificates\n```\n\n### Delete existing Certificates\n```shell\ndocker compose run --rm certbot delete --cert-name example.com\n```\n\n### Renew Certificates\n\nDefine a cronjob like this to renew the certificates periodically. Use chronic from [moreutils](https://manpages.debian.org/jessie/moreutils/chronic.1.en.html) if you like.\n\n```\n0 0 * * * cd /docker/00-nginx-proxy \u0026\u0026 chronic docker compose run --rm --use-aliases certbot renew \u0026\u0026 chronic docker exec nginx-proxy nginx -s reload\n```\n\nTo manually check your certificates for renewal run `docker compose up certbot`.\n\n## Let's Encrypt SSL Certificates on Swarm Mode\n\n### Request a new Certificate\n\n```\n./swarm-scripts/certbot-certonly.sh -m mail@example.com -d example.com -d www.example.com\n```\n\n### List existing Certificates\n```shell\n./swarm-scripts/certbot.sh certificates\n```\n\n### Delete existing Certificates\n```shell\n./swarm-scripts/certbot.sh delete --cert-name example.com\n```\n\n### Renew Certificates\n\n```shell\n./swarm-scripts/certbot-renew.sh\n```\n\nDefine a cronjob like this to renew the certificates periodically. Use chronic from [moreutils](https://manpages.debian.org/jessie/moreutils/chronic.1.en.html) if you like.\n\n```\n0 0 * * * chronic /docker/00-nginx-proxy/swarm-scripts/certbot-renew.sh\n```\n\n## Get A+ SSL Rating\n\n1. Generate your own Diffie-Hellman parameters. Put them inside the directory **ssl**.\n\n `openssl dhparam -out ssl/dhparams4096.pem 4096`\n\n2. Include the **ssl.conf snippet** in your site-specific configuration. Also include the **ssl\\_trusted\\_certificate**.\n\n ```\n server {\n     ...\n     ssl_trusted_certificate /etc/nginx/ssl/live/example.com/chain.pem;\n     include /etc/nginx/snippets/ssl.conf;\n     ...\n }\n ```\n\n## Password protection\n\nTo protect your site with basic HTTP authentication, create a .htpasswd file by spinning up an Apache container with the following command.\n\n```bash\ndocker run -it --rm -v /docker/00-nginx-proxy/protect:/etc/nginx/protect httpd /bin/bash\n```\n\nFor every user run the following. You will be asked to supply and confirm a password.\n\n```bash\n# -c creates the file and overwrites an existing one; use it for the first user only\nhtpasswd -c /etc/nginx/protect/.htpasswd first_user\nhtpasswd /etc/nginx/protect/.htpasswd another_user\n```\n\nIn the site's .conf file add the following.\n\n```\nserver {\n  ...\n  location / {\n    auth_basic \"Restricted Content\";\n    auth_basic_user_file /etc/nginx/protect/.htpasswd;\n  }\n}\n```\n\nYou can find detailed instructions at [digitalocean](https://www.digitalocean.com/community/tutorials/how-to-set-up-password-authentication-with-nginx-on-ubuntu-14-04).\n\n## IP based protection\n\nAdd your IP address to the domain's .conf file, and deny everyone else.\n\n```\nserver {\n  ...\n  location / {\n    allow 1.2.3.4;\n    deny all;\n  }\n}\n```\n\n## GeoIP blocking\n\n```\nmkdir geoip\ncd geoip\ncurl -O https://centminmod.com/centminmodparts/geoip-legacy/GeoIP.dat.gz\ncurl -o GeoLiteCity.dat.gz https://centminmod.com/centminmodparts/geoip-legacy/GeoLiteCity.gz\ngunzip *.gz\n```\n\nAdd to nginx.conf after pid ... 
:\n\n```\nload_module modules/ngx_http_geoip_module.so;\n```\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsebastian13%2Fdocker-compose-nginx-proxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsebastian13%2Fdocker-compose-nginx-proxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsebastian13%2Fdocker-compose-nginx-proxy/lists"}