mirror/nginx-certbot
1
0
Fork 0
mirror of https://github.com/wmnnd/nginx-certbot synced 2023-04-20 18:47:46 +08:00
Code Issues Projects Releases Wiki Activity

Merge pull request #3 from wmnnd/develop

Browse Source 
Merge develop branch in master
This commit is contained in:
Philipp 2019-01-01 22:47:10 +01:00 committed by GitHub
commit 8335f83c61
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 61 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
/data/certbot

17
README.md
View File

@ -1,9 +1,16 @@
# Boilerplate for nginx with Lets Encrypt on docker-compose # Boilerplate for nginx with Lets Encrypt on docker-compose
This repository is accompanied by a [step-by-step guide](https://medium.com/@pentacent/nginx-and-lets-encrypt-with-docker-in-less-than-5-minutes-b4b8a60d3a71). > This repository is accompanied by a [step-by-step guide on how to
set up nginx and Lets Encrypt with Docker](https://medium.com/@pentacent/nginx-and-lets-encrypt-with-docker-in-less-than-5-minutes-b4b8a60d3a71).
`init-letsencrypt.sh` fetches and ensures the renewal of a Lets
Encrypt certificate for one or multiple domains in a docker-compose
setup with nginx.
This is useful when you need to set up nginx as a reverse proxy for an
application.
## Installation ## Installation
1. [Install docker-compose](https://docs.docker.com/compose/install/#install-compose) 1. [Install docker-compose](https://docs.docker.com/compose/install/#install-compose).
2. Clone this repository: `git clone https://github.com/wmnnd/nginx-certbot.git .` 2. Clone this repository: `git clone https://github.com/wmnnd/nginx-certbot.git .`
@ -11,13 +18,13 @@ This repository is accompanied by a [step-by-step guide](https://medium.com/@pen
- Add domains and email addresses to init-letsencrypt.sh - Add domains and email addresses to init-letsencrypt.sh
- Replace all occurrences of example.org with primary domain (the first one you added to init-letsencrypt.sh) in data/nginx/app.conf - Replace all occurrences of example.org with primary domain (the first one you added to init-letsencrypt.sh) in data/nginx/app.conf
4. Run init the script 4. Run init the script:
``` ```
chmod +x ./init-letsencrypt.sh chmod +x ./init-letsencrypt.sh
sudo ./init-letsencrypt.sh ./init-letsencrypt.sh
``` ```
5. Run server 5. Run server:
`docker-compose up` `docker-compose up`
## Got questions? ## Got questions?

5
data/nginx/app.conf
View File

@ -1,6 +1,7 @@
server { server {
listen 80; listen 80;
server_name example.org; server_name example.org;
server_tokens off;
location /.well-known/acme-challenge/ { location /.well-known/acme-challenge/ {
root /var/www/certbot; root /var/www/certbot;
@ -14,6 +15,7 @@ server {
server { server {
listen 443 ssl; listen 443 ssl;
server_name example.org; server_name example.org;
server_tokens off;
ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem; ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
@ -22,5 +24,8 @@ server {
location / { location / {
proxy_pass http://example.org; proxy_pass http://example.org;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
} }
} }

3
docker-compose.yml
View File

@ -1,7 +1,9 @@
version: '3' version: '3'
services: services:
nginx: nginx:
image: nginx:1.15-alpine image: nginx:1.15-alpine
restart: unless-stopped
volumes: volumes:
- ./data/nginx:/etc/nginx/conf.d - ./data/nginx:/etc/nginx/conf.d
- ./data/certbot/conf:/etc/letsencrypt - ./data/certbot/conf:/etc/letsencrypt
@ -12,6 +14,7 @@ services:
command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'" command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
certbot: certbot:
image: certbot/certbot image: certbot/certbot
restart: unless-stopped
volumes: volumes:
- ./data/certbot/conf:/etc/letsencrypt - ./data/certbot/conf:/etc/letsencrypt
- ./data/certbot/www:/var/www/certbot - ./data/certbot/www:/var/www/certbot

57
init-letsencrypt.sh
View File

@ -1,46 +1,51 @@
#!/bin/bash #!/bin/bash
domains=( "example.org" "example.com" ) domains=(example.com www.example.com)
rsa_key_size=4096 rsa_key_size=4096
data_path="./data/certbot" data_path="./data/certbot"
email="" # Adding a valid address is strongly recommended email="" # Adding a valid address is strongly recommended
staging=0 #Set to 1 if you're just testing your setup to avoid hitting request limits staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits
echo "### Preparing directories in $data_path ..." if [ -d "$data_path" ]; then
rm -Rf "$data_path" read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
mkdir -p "$data_path/www" if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
mkdir -p "$data_path/conf/live/$domains" exit
fi
fi
echo "### Creating dummy certificate ..." if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
echo "### Downloading recommended TLS parameters ..."
mkdir -p "$data_path/conf"
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
echo
fi
echo "### Creating dummy certificate for $domains ..."
path="/etc/letsencrypt/live/$domains" path="/etc/letsencrypt/live/$domains"
mkdir -p "$path" mkdir -p "$data_path/conf/live/$domains"
docker-compose run --rm --entrypoint "\ docker-compose run --rm --entrypoint "\
openssl req -x509 -nodes -newkey rsa:1024 -days 1\ openssl req -x509 -nodes -newkey rsa:1024 -days 1\
-keyout '$path/privkey.pem' \ -keyout '$path/privkey.pem' \
-out '$path/fullchain.pem' \ -out '$path/fullchain.pem' \
-subj '/CN=localhost'" certbot -subj '/CN=localhost'" certbot
echo
echo "### Downloading recommended HTTPS parameters ..."
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
echo "### Starting nginx ..." echo "### Starting nginx ..."
docker-compose up -d nginx docker-compose up --force-recreate -d nginx
echo
echo "### Deleting dummy certificate for $domains ..."
docker-compose run --rm --entrypoint "\
rm -Rf /etc/letsencrypt/live/$domains && \
rm -Rf /etc/letsencrypt/archive/$domains && \
rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
echo
echo "### Deleting dummy certificate ..." echo "### Requesting Let's Encrypt certificate for $domains ..."
sudo rm -Rf "$data_path/conf/live"
echo "### Downloading recommended TLS options ..."
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
echo "### Requesting initial certificate ..."
#Join $domains to -d args #Join $domains to -d args
domain_args="" domain_args=""
for domain in "${domains[@]}"; do for domain in "${domains[@]}"; do
@ -64,5 +69,7 @@ docker-compose run --rm --entrypoint "\
--rsa-key-size $rsa_key_size \ --rsa-key-size $rsa_key_size \
--agree-tos \ --agree-tos \
--force-renewal" certbot --force-renewal" certbot
echo
docker-compose stop nginx echo "### Reloading nginx ..."
docker-compose exec nginx nginx -s reload