Merge pull request #3 from wmnnd/develop

Merge develop branch in master
2023-04-20 18:47:46 +08:00 · 2019-01-01 22:47:10 +01:00 · 2019-01-01 22:47:10 +01:00 · 8335f83c61
commit 8335f83c61
parent 8ef8ac4a89 a939c9f5de
5 changed files with 61 additions and 38 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+/data/certbot
--- a/README.md
+++ b/README.md
@ -1,9 +1,16 @@
 # Boilerplate for nginx with Let’s Encrypt on docker-compose

-This repository is accompanied by a [step-by-step guide](https://medium.com/@pentacent/nginx-and-lets-encrypt-with-docker-in-less-than-5-minutes-b4b8a60d3a71).
+> This repository is accompanied by a [step-by-step guide on how to
+set up nginx and Let’s Encrypt with Docker](https://medium.com/@pentacent/nginx-and-lets-encrypt-with-docker-in-less-than-5-minutes-b4b8a60d3a71).
+
+`init-letsencrypt.sh` fetches and ensures the renewal of a Let’s
+Encrypt certificate for one or multiple domains in a docker-compose
+setup with nginx.
+This is useful when you need to set up nginx as a reverse proxy for an
+application.

 ## Installation
-1. [Install docker-compose](https://docs.docker.com/compose/install/#install-compose)
+1. [Install docker-compose](https://docs.docker.com/compose/install/#install-compose).

 2. Clone this repository: `git clone https://github.com/wmnnd/nginx-certbot.git .`

@ -11,13 +18,13 @@ This repository is accompanied by a [step-by-step guide](https://medium.com/@pen
 - Add domains and email addresses to init-letsencrypt.sh
 - Replace all occurrences of example.org with primary domain (the first one you added to init-letsencrypt.sh) in data/nginx/app.conf

-4. Run init the script
+4. Run init the script:
 ```
 chmod +x ./init-letsencrypt.sh
-sudo ./init-letsencrypt.sh
+./init-letsencrypt.sh
 ```

-5. Run server
+5. Run server:
 `docker-compose up`

 ## Got questions?
--- a/data/nginx/app.conf
+++ b/data/nginx/app.conf
@ -1,6 +1,7 @@
 server {
    listen 80;
    server_name example.org;
+    server_tokens off;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
@ -14,6 +15,7 @@ server {
 server {
    listen 443 ssl;
    server_name example.org;
+    server_tokens off;

    ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
@ -21,6 +23,9 @@ server {
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
-        proxy_pass http://example.org;
+        proxy_pass  http://example.org;
+        proxy_set_header    Host                $http_host;
+        proxy_set_header    X-Real-IP           $remote_addr;
+        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    }
 }
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -1,7 +1,9 @@
 version: '3'
+
 services:
  nginx:
    image: nginx:1.15-alpine
+    restart: unless-stopped
    volumes:
      - ./data/nginx:/etc/nginx/conf.d
      - ./data/certbot/conf:/etc/letsencrypt
@ -12,6 +14,7 @@ services:
    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
  certbot:
    image: certbot/certbot
+    restart: unless-stopped
    volumes:
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
--- a/init-letsencrypt.sh
+++ b/init-letsencrypt.sh
@ -1,59 +1,64 @@
 #!/bin/bash

-domains=( "example.org" "example.com" )
+domains=(example.com www.example.com)
 rsa_key_size=4096
 data_path="./data/certbot"
-email="" #Adding a valid address is strongly recommended 
-staging=0 #Set to 1 if you're just testing your setup to avoid hitting request limits
+email="" # Adding a valid address is strongly recommended
+staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits

-echo "### Preparing directories in $data_path ..."
-rm -Rf "$data_path"
-mkdir -p "$data_path/www"
-mkdir -p "$data_path/conf/live/$domains"
+if [ -d "$data_path" ]; then
+  read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
+  if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
+    exit
+  fi
+fi


-echo "### Creating dummy certificate ..."
+if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
+  echo "### Downloading recommended TLS parameters ..."
+  mkdir -p "$data_path/conf"
+  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
+  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
+  echo
+fi
+
+echo "### Creating dummy certificate for $domains ..."
 path="/etc/letsencrypt/live/$domains"
-mkdir -p "$path"
+mkdir -p "$data_path/conf/live/$domains"
 docker-compose run --rm --entrypoint "\
-    openssl req -x509 -nodes -newkey rsa:1024 -days 1\
-      -keyout '$path/privkey.pem' \
-      -out '$path/fullchain.pem' \
-      -subj '/CN=localhost'" certbot
-
-
-echo "### Downloading recommended HTTPS parameters ..."
-curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
-curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
+  openssl req -x509 -nodes -newkey rsa:1024 -days 1\
+    -keyout '$path/privkey.pem' \
+    -out '$path/fullchain.pem' \
+    -subj '/CN=localhost'" certbot
+echo


 echo "### Starting nginx ..."
-docker-compose up -d nginx
+docker-compose up --force-recreate -d nginx
+echo
+
+echo "### Deleting dummy certificate for $domains ..."
+docker-compose run --rm --entrypoint "\
+  rm -Rf /etc/letsencrypt/live/$domains && \
+  rm -Rf /etc/letsencrypt/archive/$domains && \
+  rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
+echo


-echo "### Deleting dummy certificate ..."
-sudo rm -Rf "$data_path/conf/live"
-
-echo "### Downloading recommended TLS options ..."
-curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
-curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
-
-
-echo "### Requesting initial certificate ..."
-
+echo "### Requesting Let's Encrypt certificate for $domains ..."
 #Join $domains to -d args
 domain_args=""
 for domain in "${domains[@]}"; do
  domain_args="$domain_args -d $domain"
 done

-#Select appropriate email arg
+# Select appropriate email arg
 case "$email" in
  "") email_arg="--register-unsafely-without-email" ;;
  *) email_arg="--email $email" ;;
 esac

-#Enable staging mode if needed
+# Enable staging mode if needed
 if [ $staging != "0" ]; then staging_arg="--staging"; fi

 docker-compose run --rm --entrypoint "\
@ -64,5 +69,7 @@ docker-compose run --rm --entrypoint "\
    --rsa-key-size $rsa_key_size \
    --agree-tos \
    --force-renewal" certbot
+echo

-docker-compose stop nginx
+echo "### Reloading nginx ..."
+docker-compose exec nginx nginx -s reload