Configuring automatic retrieval of Let's Encrypt certificates with Docker on Linux

I recently moved to a new virtual server and had to configure everything from scratch. I prefer the site to be accessible over HTTPS, with Let's Encrypt certificates obtained and renewed automatically. This can be achieved with two Docker images, nginx-proxy and letsencrypt-nginx-proxy-companion.


This is a guide to running a site in Docker behind a proxy that obtains TLS certificates automatically. A CentOS 7 virtual server is used.


I assume that the server has already been purchased and configured: SSH key-based login is set up, fail2ban is installed, and so on.


First, install Docker.


  1. Install the dependencies

    $ sudo yum install -y yum-utils device-mapper-persistent-data lvm2
  2. Add the Docker repository

    $ sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
  3. Install Docker Community Edition

    $ sudo yum install docker-ce docker-ce-cli containerd.io
  4. Enable Docker at boot and start it

    $ sudo systemctl enable docker
    $ sudo systemctl start docker
  5. Add your user to the docker group so that docker can be run without sudo (log out and back in for the group change to take effect; keep in mind that membership in this group is equivalent to root on the host)

    $ sudo usermod -aG docker user

The next step is to install docker-compose. The utility can be installed in several ways, but I prefer pip and virtualenv, so as not to clutter the system with unnecessary packages.


  1. Install pip

    $ sudo yum install python-pip
  2. Install virtualenv

    $ pip install virtualenv
  3. Next, create the project folder and initialize it. The virtual environment, holding everything pip needs, will live in a folder called ve.

    $ mkdir docker
    $ cd docker
    $ virtualenv ve
  4. To start using the virtual environment, run the following command in the project folder.

    $ source ve/bin/activate
  5. Now docker-compose can be installed.

    $ pip install docker-compose

So that the containers can see each other, create a network (here simply called network). By default the bridge driver is used.

    $ docker network create network

Next, configure docker-compose: the proxy will live in the proxy folder and the test site in the test folder. In the examples I use the domain name example.com.

    $ mkdir proxy
    $ mkdir test
    $ touch proxy/docker-compose.yml
    $ touch test/docker-compose.yml

Contents of proxy/docker-compose.yml

    version: '3'
    networks:
      default:
        external:
          name: network                 # the network created above, shared with the site
    services:
      nginx-proxy:
        container_name: nginx-proxy
        image: jwilder/nginx-proxy
        ports:
          - 80:80                       # HTTP: also serves the Let's Encrypt HTTP-01 challenge
          - 443:443                     # HTTPS
        volumes:
          - certs:/etc/nginx/certs      # certificates written by the companion, read by the proxy
          - vhost.d:/etc/nginx/vhost.d  # per-host nginx configuration
          - html:/usr/share/nginx/html  # challenge files under /.well-known/acme-challenge/
          - /var/run/docker.sock:/tmp/docker.sock:ro   # read-only: the proxy only watches container events
      nginx-proxy-letsencrypt:
        container_name: nginx-proxy-letsencrypt
        image: jrcs/letsencrypt-nginx-proxy-companion
        volumes:
          - certs:/etc/nginx/certs
          - vhost.d:/etc/nginx/vhost.d
          - html:/usr/share/nginx/html
          - /var/run/docker.sock:/var/run/docker.sock:ro   # read-only socket for the companion as well
        environment:
          - NGINX_PROXY_CONTAINER=nginx-proxy   # must match the proxy's container_name
    volumes:
      certs:
      vhost.d:
      html:

The environment variable NGINX_PROXY_CONTAINER is needed so that the letsencrypt container can find the proxy container. The /etc/nginx/certs, /etc/nginx/vhost.d and /usr/share/nginx/html folders must be shared by both containers. For the letsencrypt container to work correctly, the proxy must be reachable from the internet on both port 80 and port 443.


Contents of test/docker-compose.yml

    version: '3'
    networks:
      default:
        external:
          name: network
    services:
      nginx:
        container_name: nginx
        image: nginx:latest
        environment:
          - VIRTUAL_HOST=example.com               # hostname the proxy routes to this container
          - LETSENCRYPT_HOST=example.com           # domain(s) the companion requests a certificate for
          - LETSENCRYPT_EMAIL=admin@example.com    # contact address for the Let's Encrypt account

Here the environment variables tell the proxy which hostname to route to this container and tell the companion which domain name to request a certificate for.


It remains only to start both projects with docker-compose:


    $ cd proxy
    $ docker-compose up -d
    $ cd ../test
    $ docker-compose up -d
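
Before starting the containers it is worth checking that the two files agree with each other, since most failures with this setup come from a mismatch between them. The script below is an added example and not part of the original guide: it verifies the invariants described above (NGINX_PROXY_CONTAINER pointing at the proxy's container_name, ports 80 and 443 published by the proxy, the three folders backed by the same volume in both containers, the docker socket mounted read-only in both, and VIRTUAL_HOST, LETSENCRYPT_HOST and LETSENCRYPT_EMAIL set on the site with every LETSENCRYPT_HOST name also present in VIRTUAL_HOST). The file name check_compose.py, the embedded sample texts (constructed, trimmed copies of the guide's two files) and the small parser are my own assumptions; the parser handles only the YAML subset these files use (nested mappings and lists of scalars, no comments or flow style), so no third-party library is required.

```python
# Added example, not part of the guide: checks that the two docker-compose files agree on
# the invariants the text states, using a tiny parser for the YAML subset they use. The sample
# texts are constructed, trimmed copies of the guide's files (version/networks stanzas omitted).
import sys
PROXY_COMPOSE = """\
services:
  nginx-proxy:
    container_name: nginx-proxy
    image: jwilder/nginx-proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      - certs:/etc/nginx/certs
      - vhost.d:/etc/nginx/vhost.d
      - html:/usr/share/nginx/html
      - /var/run/docker.sock:/tmp/docker.sock:ro
  nginx-proxy-letsencrypt:
    container_name: nginx-proxy-letsencrypt
    image: jrcs/letsencrypt-nginx-proxy-companion
    volumes:
      - certs:/etc/nginx/certs
      - vhost.d:/etc/nginx/vhost.d
      - html:/usr/share/nginx/html
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - NGINX_PROXY_CONTAINER=nginx-proxy
volumes:
  certs:
  vhost.d:
  html:
"""
SITE_COMPOSE = """\
services:
  nginx:
    container_name: nginx
    image: nginx:latest
    environment:
      - VIRTUAL_HOST=example.com
      - LETSENCRYPT_HOST=example.com
      - LETSENCRYPT_EMAIL=admin@example.com
"""

def _block(lines, i, indent):
    # Parse the list or mapping starting at lines[i]; lines are (indent, text) pairs.
    node = [] if lines[i][1].startswith("- ") else {}
    while i < len(lines) and lines[i][0] == indent:
        text = lines[i][1]
        i += 1
        if isinstance(node, list):
            node.append(text[2:].strip())
            continue
        key, _, rest = text.partition(":")
        if rest.strip():
            node[key] = rest.strip()                            # inline scalar, quotes kept as-is
        elif i < len(lines) and lines[i][0] > indent:
            node[key], i = _block(lines, i, lines[i][0])        # nested block on the next lines
        else:
            node[key] = None                                    # bare key such as "certs:"
    return node, i

def parse_compose(text):
    # Handles nested mappings and lists of scalars only: no comments, flow style or multi-line scalars.
    lines = [(len(l) - len(l.lstrip(" ")), l.strip()) for l in text.splitlines() if l.strip()]
    doc, end = _block(lines, 0, lines[0][0])
    if end != len(lines):
        raise ValueError("unexpected indentation near: " + lines[end][1])
    return doc

def check_setup(proxy_doc, site_doc, site_service="nginx"):
    # Returns a list of problems; an empty list means the two files agree.
    env = lambda s: dict(e.split("=", 1) for e in s.get("environment") or [])
    services, problems = proxy_doc["services"], []
    companion = next((s for s in services.values() if "NGINX_PROXY_CONTAINER" in env(s)), None)
    name = env(companion)["NGINX_PROXY_CONTAINER"] if companion else None
    proxy = next((s for s in services.values() if s.get("container_name") == name), None)
    if companion is None or proxy is None:
        return ["NGINX_PROXY_CONTAINER is unset or matches no container_name in this file"]
    published = {p.split(":")[0] for p in proxy.get("ports") or []}
    problems += [f"proxy does not publish port {p}" for p in ("80", "443") if p not in published]
    mounts = [{v.split(":")[1]: v for v in s.get("volumes") or []} for s in (proxy, companion)]
    for path in ("/etc/nginx/certs", "/etc/nginx/vhost.d", "/usr/share/nginx/html"):
        src = [m.get(path, "").split(":")[0] for m in mounts]            # volume backing the path
        if not src[0] or src[0] != src[1]:
            problems.append(f"{path} is not the same volume in proxy and companion")
    for label, m in (("proxy", mounts[0]), ("companion", mounts[1])):
        sock = [v for v in m.values() if v.startswith("/var/run/docker.sock:")]
        if not sock or not sock[0].endswith(":ro"):    # the socket is root on the host: keep it read-only
            problems.append(f"{label} must mount /var/run/docker.sock read-only")
    site = env(site_doc["services"][site_service])
    problems += [f"site is missing {v}" for v in ("VIRTUAL_HOST", "LETSENCRYPT_HOST", "LETSENCRYPT_EMAIL") if v not in site]
    extra = sorted(set(site.get("LETSENCRYPT_HOST", "").split(",")) - set(site.get("VIRTUAL_HOST", "").split(",")) - {""})
    if extra:
        problems.append("LETSENCRYPT_HOST names not in VIRTUAL_HOST: " + ",".join(extra))
    return problems

if __name__ == "__main__":   # usage: python check_compose.py proxy/docker-compose.yml test/docker-compose.yml
    docs = [parse_compose(open(p).read()) for p in sys.argv[1:3]]
    print("\n".join(check_setup(*docs) or ["OK"]))
```

Run it from the docker folder as `python check_compose.py proxy/docker-compose.yml test/docker-compose.yml`; it prints OK or one line per problem. The read-only check on the socket is the one worth keeping an eye on: whoever can write to /var/run/docker.sock can start privileged containers, so neither the proxy nor the companion should get more than read access to it.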

