...

  1. Create a private key and a CSR in the proxy's ./certs directory (this volume was mounted in the proxy's docker-compose.yml file above).

    Code Block
    data/proxy# mkdir -p certs
    data/proxy# cd certs
    data/proxy/certs# # Create a private key:
    data/proxy/certs# openssl genrsa -out demo.example.com.key 2048
    data/proxy/certs# # Create a CSR from the new key:
    data/proxy/certs# openssl req -new -sha256 -key demo.example.com.key -out demo.example.com.csr
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:Ohio
    Locality Name (eg, city) []:Archbold
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Organization name
    Organizational Unit Name (eg, section) []:Your OU
    Common Name (e.g. server FQDN or YOUR name) []:*.demo.example.com
    Email Address []:hostmaster@example.com
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:


  2. Send the CSR to your favorite signing authority, or self sign it:

    Code Block
    data/proxy/certs# openssl x509 -req -sha256 -days 3650 -in demo.example.com.csr -signkey demo.example.com.key -out demo.example.com.crt


  3. Configure nginx to listen on port 443.  Add port mapping to the proxy's docker-compose.yml file: 

    Code Block
    proxy:
       image: jwilder/nginx-proxy
       restart: always
       volumes:
         - /var/run/docker.sock:/tmp/docker.sock:ro
         - ./certs:/etc/nginx/certs:ro
         - ./vhost.d:/etc/nginx/vhost.d
         - ./html:/usr/share/nginx/html
       environment:
         - DEFAULT_HOST=demo.example.com
       ports:
         - "80:80"
         - "443:443"


  4. Recreate the proxy container with: 

    Code Block
    docker-compose up -d


This exposes port 443 for SSL.  We are leaving port 80 exposed because the nginx-proxy will automatically redirect port 80 to 443.  Now we can access our application at: https://sampletown.demo.example.com/.  If the cert is self-signed, you'll get a browser warning.  It will go away when/if you have the certificate signed.  

After receiving the signed certificate from the signing authority, replace the .crt file created above with the signed certificate.  In the example above, the self-signed certificate is named demo.example.com.crt.  That file should be replaced with the file from the signing authority.  Note: The names of the certificate files are important.  The certificate file name must match the domain name it applies to.  Again, from the above example, the wildcard domain name is *.demo.example.com, so the certificate and key must be named demo.example.com.crt and demo.example.com.key.

By convention, nginx-proxy uses the request's host name to look for the most specific certificate first and then drops the leftmost label until it finds a match.  In this case, it will look for sampletown.demo.example.com.crt and then demo.example.com.crt.  This allows you to have different signed certificates for different domain names on the same proxy.
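The following script is an added example, not part of the original page or of nginx-proxy itself. It assumes POSIX sh and OpenSSL 1.1.1 or newer (for -addext). It performs steps 1 and 2 non-interactively with file names that follow the naming rule above, puts the wildcard in a subjectAltName as well as the CN (modern clients ignore the CN alone), and reproduces the certificate lookup order described in the last paragraph so you can check which file the proxy would pick for a given host. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not the page's or nginx-proxy's code). Assumes POSIX sh and
# OpenSSL >= 1.1.1. certdir stands for the ./certs directory mounted at
# /etc/nginx/certs in the docker-compose.yml above.

# Create <domain>.key and a self-signed <domain>.crt for *.<domain>, i.e. the
# file names nginx-proxy expects for that wildcard. The wildcard and the bare
# domain are placed in subjectAltName, which is what clients actually check.
make_selfsigned_wildcard() {
    domain="$1"; certdir="$2"; days="${3:-3650}"
    mkdir -p "$certdir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -keyout "$certdir/$domain.key" -out "$certdir/$domain.crt" \
        -subj "/CN=*.$domain" \
        -addext "subjectAltName=DNS:*.$domain,DNS:$domain" 2>/dev/null
}

# Reproduce the lookup order described above: try <host>.crt first, then drop
# the leftmost label and try again. Prints the first file that exists,
# returns 1 when nothing matches (the proxy would then serve no cert for it).
find_cert_for_host() {
    host="$1"; certdir="$2"
    name="$host"
    while [ -n "$name" ]; do
        if [ -f "$certdir/$name.crt" ]; then
            printf '%s\n' "$name.crt"
            return 0
        fi
        case "$name" in
            *.*) name="${name#*.}" ;;   # strip one leading label
            *)   break ;;
        esac
    done
    return 1
}

# Ask OpenSSL whether the certificate really covers a host name, the way a
# client would (a wildcard covers exactly one label, so a.b.demo.example.com
# is NOT covered by *.demo.example.com).
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}
```

Run find_cert_for_host sampletown.demo.example.com ./certs after placing the files to confirm the proxy will pick demo.example.com.crt and not fall through to a less specific certificate.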

Automatic Signed Certificates with LetsEncrypt.org

...