...

Below are steps to configure nginx-proxy on your Docker host. The tutorial assumes the following:

Docker host: docker-01.example.com
Sub-domain for virtual hosts: demo.example.com

...

Now that we have a reverse proxy, we can secure it with HTTPS. In this example we create a wildcard certificate to match the wildcard DNS entry, so the "Common Name" is "*.demo.example.com".


Warning
A wildcard certificate only covers one level of subdomains. For example, you cannot use *.example.com as a wildcard certificate for sampletown-usas.demo.example.com because, in this case, there are two subdomain levels. The wildcard certificate needs to be *.demo.example.com.


  1. Create a private key and CSR in the proxy's ./certs directory (this volume is mounted in the proxy's docker-compose.yml file above).

    Code Block
    data/proxy# mkdir -p certs
    data/proxy# cd certs
    data/proxy/certs# # Create a private key:
    data/proxy/certs# openssl genrsa -out demo.example.com.key 2048
    data/proxy/certs# # Create a CSR from the new key (the Common Name is the wildcard, with no trailing dot):
    data/proxy/certs# openssl req -new -sha256 -key demo.example.com.key -out demo.example.com.csr
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:Ohio
    Locality Name (eg, city) []:Archbold
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Organization name
    Organizational Unit Name (eg, section) []:Your OU
    Common Name (e.g. server FQDN or YOUR name) []:*.demo.example.com
    Email Address []:hostmaster@example.com
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:


  2. Send the CSR to your favorite signing authority, or self-sign it:

    Code Block
    data/proxy/certs# openssl x509 -req -sha256 -days 3650 -in demo.example.com.csr -signkey demo.example.com.key -out demo.example.com.crt


  3. Configure nginx to listen on port 443 by adding the 443 port mapping to the proxy's docker-compose.yml file:

    Code Block
    proxy:
       image: jwilder/nginx-proxy
       restart: always
       volumes:
         - /var/run/docker.sock:/tmp/docker.sock:ro
         - ./certs:/etc/nginx/certs:ro
         - ./vhost.d:/etc/nginx/vhost.d
         - ./html:/usr/share/nginx/html
       environment:
         - DEFAULT_HOST=demo.example.com
       ports:
         - "80:80"
         - "443:443"


  4. Recreate the proxy container with:

    Code Block
    docker-compose up -d
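
Before wiring a wildcard certificate into the proxy it is worth checking which hostnames it actually covers: a wildcard label matches exactly one DNS label (the Warning above), and modern browsers match the name against the subjectAltName and ignore the Common Name. The following script is an added example, not part of the original tutorial; it assumes openssl is installed, generates self-signed certificates that also carry the wildcard in a SAN, and tests them against the hostnames used on this page.

```shell
#!/bin/sh
# Added example (not from the original tutorial): build a self-signed wildcard
# certificate with the wildcard in a subjectAltName, then ask OpenSSL's own
# hostname matcher which names it covers. File names here are illustrative.
set -eu

# make_wildcard_cert WILDCARD OUTPREFIX -> writes OUTPREFIX.key and OUTPREFIX.crt
# The wildcard goes into the CN (as the tutorial does) and into a SAN dNSName,
# because current clients check the SAN and ignore the CN.
make_wildcard_cert() {
    wildcard=$1; prefix=$2
    cnf=$(mktemp)
    cat > "$cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_req
[dn]
CN = $wildcard
[v3_req]
subjectAltName = DNS:$wildcard
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$cnf" -keyout "$prefix.key" -out "$prefix.crt" >/dev/null 2>&1
    rm -f "$cnf"
}

# covers CRTFILE HOSTNAME -> exit 0 if the certificate's names match HOSTNAME
# under X.509 wildcard rules ('*' matches exactly one label), non-zero otherwise.
# The self-signed cert is its own trust anchor, so only the name check can fail.
covers() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# report CRTFILE HOSTNAME -> prints a one-line verdict for the reader
report() {
    if covers "$1" "$2"; then echo "$2: covered by $(basename "$1")"
    else echo "$2: NOT covered by $(basename "$1")"; fi
}

# Demonstration with this page's names (constructed, written to a temp dir).
work=$(mktemp -d)
make_wildcard_cert '*.demo.example.com' "$work/demo"
make_wildcard_cert '*.example.com' "$work/top"
report "$work/demo.crt" sampletown-usas.demo.example.com  # one label under demo: covered
report "$work/demo.crt" demo.example.com                  # bare name: NOT covered
report "$work/top.crt"  sampletown-usas.demo.example.com  # two labels under example.com: NOT covered
rm -rf "$work"
```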


...
