SSL Support using Let's Encrypt #1
Comments
Here is an example of a docker compose file I have for installing minio with SSL support using Let's Encrypt, I guess this will be as easy as just replacing the minio service with an xnat service ;)

```yaml
version: '2'
services:
  nginx: # This is the official nginx container and not the popular jwilder nginx_proxy container
    restart: always
    image: nginx
    container_name: nginx
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/etc/nginx/conf.d"
      - "./volumes/proxy/vhost.d:/etc/nginx/vhost.d:ro"
      - "/usr/share/nginx/html"
      - "./volumes/proxy/certs:/etc/nginx/certs:ro"
    networks:
      - proxy-tier
  nginx-gen: # This container generates the nginx configs
    restart: always
    image: jwilder/docker-gen
    container_name: nginx-gen
    volumes:
      - "/var/run/docker.sock:/tmp/docker.sock:ro"
      - "./volumes/proxy/templates/nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl:ro"
    volumes_from:
      - nginx
    entrypoint: /usr/local/bin/docker-gen -notify-sighup nginx -watch -wait 5s:30s /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf
    networks:
      - proxy-tier
    depends_on:
      - nginx
  letsencrypt-nginx-proxy-companion: # This companion container makes sure to configure the nginx correctly for Let's Encrypt and makes sure to renew the certificate if needed
    restart: always
    image: jrcs/letsencrypt-nginx-proxy-companion
    container_name: letsencrypt-nginx-proxy-companion
    volumes_from:
      - nginx
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./volumes/proxy/certs:/etc/nginx/certs:rw"
    environment:
      - NGINX_DOCKER_GEN_CONTAINER=nginx-gen
    depends_on:
      - nginx-gen
  minio: # This should become the xnat-web service
    restart: always
    image: minio/minio
    container_name: minio
    ports:
      - "9000:9000"
    volumes:
      - /data/minio:/export
    environment:
      - "VIRTUAL_NETWORK=nginx-proxy"
      - "VIRTUAL_HOST=some.host.io" # This should go in a docker-compose.override.yml
      - "LETSENCRYPT_HOST=some.host.io" # This should go in a docker-compose.override.yml
      - "LETSENCRYPT_EMAIL=your_admin@email.org" # This should go in a docker-compose.override.yml
    command: server /export
    networks:
      - proxy-tier
    depends_on:
      - letsencrypt-nginx-proxy-companion
networks:
  proxy-tier:
    external:
      name: nginx-proxy
```
Thanks for that! Could you explain a little more about how this configuration works? For instance, I see from reading the
I have put some inline comments in my code snippet above. This is by no means something I designed myself; I based this on: https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion#separate-containers-recommended-method

For the rest, you need to have the jwilder nginx template file: https://github.com/jwilder/nginx-proxy/blob/master/nginx.tmpl

Here is a directory structure from the root of this repo where, amongst other files, this nginx.tmpl should sit. I could make a PR for setting this structure up if we are going this way.
The jwilder/docker-gen image that resolves the nginx template file looks interesting. I don’t quite understand what it is doing, though. If all it does is fill out the template values and write a file, it seems to me that it could just run and then be finished. Instead, it appears that it needs to continue running alongside nginx. I don’t know why.
The docker-gen container is listening to container start and stop events and collects the metadata of these containers (this is why it needs the docker.sock). If there are special variables set in the metadata, like VIRTUAL_HOST=some.host.io, and the container is started, it will configure a reverse proxy for it. If the container was stopped, it will put down the reverse proxy config. In this way you could configure a zero-downtime deployment, for instance. This is why it needs to keep running on the side. Here is a blog post from jwilder: http://jasonwilder.com/blog/2014/03/25/automated-nginx-reverse-proxy-for-docker/
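
A simplified model of the behaviour described in the comment above, added here as an illustration; it is not part of the original thread and not docker-gen's own code. The container records, IP addresses and event list are constructed sample data, and signalling nginx only when the rendered config changes is an assumption of this example.

```python
# Simplified model of a docker-gen style watch loop (not docker-gen's code).
# Container names, IPs and events below are constructed sample data.

def env_of(container):
    """Parse a container's Env list ("KEY=value") into a dict."""
    return dict(e.split("=", 1) for e in container["env"])

def render(running):
    """Render one nginx server block per running container that sets VIRTUAL_HOST."""
    blocks = []
    for name in sorted(running):
        c = running[name]
        host = env_of(c).get("VIRTUAL_HOST")
        if not host:
            continue  # containers without the variable are never proxied
        blocks.append(
            f"server {{\n  server_name {host};\n"
            f"  location / {{ proxy_pass http://{c['ip']}:{c['port']}; }}\n}}\n"
        )
    return "".join(blocks)

def watch(events):
    """Replay start/stop events; return (final config, number of nginx reloads)."""
    running, config, reloads = {}, "", 0
    for action, container in events:
        if action == "start":
            running[container["name"]] = container
        elif action == "stop":
            running.pop(container["name"], None)
        new_config = render(running)
        if new_config != config:  # assumption: signal nginx only on a change
            config, reloads = new_config, reloads + 1
    return config, reloads

MINIO = {"name": "minio", "ip": "172.18.0.5", "port": 9000,
         "env": ["VIRTUAL_HOST=some.host.io", "LETSENCRYPT_HOST=some.host.io"]}
WORKER = {"name": "worker", "ip": "172.18.0.6", "port": 8080, "env": ["TZ=UTC"]}

EVENTS = [("start", MINIO), ("start", WORKER), ("stop", MINIO)]

if __name__ == "__main__":
    for i in range(1, len(EVENTS) + 1):
        cfg, n = watch(EVENTS[:i])
        action, container = EVENTS[i - 1]
        print(f"after {action} {container['name']}: reloads={n}\n{cfg or '(no vhosts)'}")
```

Because the set of proxied hosts changes whenever a container starts or stops, a one-shot render at startup would leave nginx pointing at stale upstreams, which is why the generator stays running.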
We are planning to add support for SSL to the docker compose script using Let's Encrypt