nginx w/ Let's Encrypt
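# Compose service: stock nginx:mainline plus the nginx.org ACME module, so the
# container requests and renews its own Let's Encrypt certificate (see the
# acme_issuer / acme_certificate directives in ./nginx.conf).
services:
  nginx:
    build:
      context: .
      # Image is built inline: the nginx.org apt repo is re-added (signed with
      # the keyring the base image ships — confirm the path exists in the
      # nginx:mainline tag in use), the ACME module is installed from it, and a
      # load_module line is prepended to the main nginx.conf.
      dockerfile_inline: |
        FROM nginx:mainline
        # printf is used instead of echo "...\n..." so the embedded newlines do
        # not depend on which /bin/sh the base image provides.
        RUN . /etc/os-release \
          && echo "deb [signed-by=/etc/apt/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian $${VERSION_CODENAME} nginx" | tee /etc/apt/sources.list.d/nginx.list \
          && DEBIAN_FRONTEND=noninteractive apt-get update \
          && DEBIAN_FRONTEND=noninteractive apt-get dist-upgrade -yqq \
          && DEBIAN_FRONTEND=noninteractive apt-get install -yqq --no-install-recommends moreutils nginx-module-acme \
          && rm -rf /var/lib/apt/lists/* \
          && { printf '%s\n' '# added by custom Dockerfile' 'load_module modules/ngx_http_acme_module.so;' '' ; cat /etc/nginx/nginx.conf ; } | sponge /etc/nginx/nginx.conf
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # ACME account key, issued certificate and private key live here; the
      # path must match state_path in nginx.conf.
      - "acme_letsencrypt:/var/cache/nginx/acme-letsencrypt"
      # Rendered by the image entrypoint into /etc/nginx/conf.d/default.conf.
      - "./nginx.conf:/etc/nginx/templates/default.conf.template:ro"

volumes:
  acme_letsencrypt: ~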
# ACME account used by acme_certificate below: Let's Encrypt production
# directory. The account key and issued certificates persist under state_path,
# which the compose file mounts as the acme_letsencrypt volume.
acme_issuer letsencrypt {
    uri https://acme-v02.api.letsencrypt.org/directory;
    # NOTE(review): the address is redacted on this page; it should be a
    # mailbox that receives expiry/incident mail for this account.
    contact [email protected];
    state_path /var/cache/nginx/acme-letsencrypt;
    accept_terms_of_service;
}
# Value for the Connection header sent upstream: "upgrade" whenever the client
# sent an Upgrade header (WebSocket), otherwise empty so the proxied keep-alive
# connection is left untouched. Consumed by proxy_set_header Connection below.
map $http_upgrade $connection_upgrade_keepalive {
    default upgrade;
    "" "";
}
# TLS front end for a single host. The certificate is obtained from the
# "letsencrypt" issuer above and referenced via the $acme_certificate* variables.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name foobar.oobak.net;
    # Request (and keep renewed) a certificate for server_name from the issuer.
    acme_certificate letsencrypt;
    ssl_certificate $acme_certificate;
    ssl_certificate_key $acme_certificate_key;
    # Certificates given as variables are loaded dynamically; this cache keeps
    # the parsed certificate/key in memory between handshakes.
    ssl_certificate_cache max=2;
    # HSTS for two years; "always" also emits it on error responses.
    add_header Strict-Transport-Security "max-age=63072000" always;
    location / {
        # NOTE(review): the upstream is reached over TLS but proxy_ssl_verify
        # is not set (nginx default: off), so the upstream certificate is not
        # validated; if the upstream cert chains to a CA you control, turn it
        # on with a proxy_ssl_trusted_certificate.
        proxy_pass https://foobar:8443;
        # HTTP/1.1 is needed for the Upgrade/Connection pass-through below.
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-Proto $scheme;
        # NOTE(review): $proxy_add_x_forwarded_for appends to whatever
        # X-Forwarded-For the client sent, so the upstream must trust only the
        # last entry; if nginx is the edge, $remote_addr is the stricter choice.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        # WebSocket pass-through; $connection_upgrade_keepalive is the map above.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade_keepalive;
    }
}
# modern configuration (TLS 1.3 only; with no TLS 1.2 cipher list in play the
# server-preference setting has no effect)
ssl_protocols TLSv1.3;
ssl_ecdh_curve X25519:prime256v1:secp384r1;
ssl_prefer_server_ciphers off;
# uncomment to enable if ssl_protocols includes TLSv1.2 or earlier;
# see also ssl_session_ticket_key alternative to stateful session cache
#ssl_session_timeout 1d;
#ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
# OCSP stapling
# NOTE(review): Let's Encrypt retired its OCSP responders in 2025 and no longer
# includes an OCSP URL in its certificates, so with the issuer above there is
# nothing to staple and these directives are inert. They are harmless to keep
# and would apply again with an issuer that still serves OCSP.
ssl_stapling on;
ssl_stapling_verify on;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
# TODO: this isn't quite right...
# (the system CA bundle is used as the trust anchor for the OCSP signer; the
# intermediate presumably comes from the chain in $acme_certificate — confirm
# if stapling is ever active again)
ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
# replace with the IP address of your resolver;
# async 'resolver' is important for proper operation of OCSP stapling
# (127.0.0.11 is Docker's embedded DNS; the ACME client also has to resolve the
# issuer uri — confirm it is served by this resolver)
resolver 127.0.0.11;
# If certificates are marked OCSP Must-Staple, consider managing the
# OCSP stapling cache with an external script, e.g. certbot-ocsp-fetcher
# Plain-HTTP listener: everything is redirected to HTTPS. Per the ACME module
# documentation, HTTP-01 challenge requests are answered by the module on this
# port-80 listener before the return below runs — confirm after the first
# issuance by checking state_path.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    # NOTE(review): $host is taken from the client's Host header, so this
    # redirect sends the client to whichever host it named; since 443 serves a
    # single server_name, redirecting to that fixed name would avoid it.
    return 301 https://$host$request_uri;
}