Enabling SSL on docker compose #1117

Closed
eizanendoso opened this issue Dec 16, 2020 · 3 comments
Labels
feature request feature request for doccano


eizanendoso commented Dec 16, 2020

Hi there, I've tried #350 and #359, this, and numerous articles, to no avail after very many hours. I've run into both too many redirects as well as an internal 500 server error. Honestly, I am new to Docker/Nginx/Doccano, and thought it would be good to get SSL going. I've changed to the following variables (with the actual domain replacing your.domain.com in my code).

my environment variables, under backend:

```yaml
SESSION_COOKIE_SECURE: "True"
CSRF_COOKIE_SECURE: "True"
CSRF_TRUSTED_ORIGINS: "your.domain.com"
```

nginx.conf:

```nginx
server {
    listen 80;

    server_name your.domain.com;
    server_tokens off;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name your.domain.com;
    server_tokens off;

    ssl_certificate /etc/letsencrypt/live/your.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your.domain.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    root /var/www/html;
    try_files $uri /index.html;

    location / {
        proxy_pass  your.domain.com;
        proxy_set_header    Host                $http_host;
        proxy_set_header    X-Real-IP           $remote_addr;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    }

}
```

Would be super appreciative of some help - thanks in advance!
Your Environment

  • Operating System: GCP Compute Engine Ubuntu 20.04
  • When you install doccano: yesterday
  • How did you install doccano (Heroku button etc): docker compose
@eizanendoso
Author

Made modest progress by using jwilder/nginx-proxy and the companion LE container. The domain is now SSL-enabled but I now run into a 500 error.

I think this is the relevant error:
```
[warn] 18#18: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: "/etc/nginx/certs/your.domain.com.crt"
```

```yaml
version: "3.7"
services:

  backend:
    build: ./app
    command: ["/app/tools/run.sh"]
    volumes:
      - static_volume:/app/staticfiles
    environment:
      ADMIN_USERNAME: "admin"
      ADMIN_PASSWORD: "pw"
      ADMIN_EMAIL: "example@gmail.com"
      DATABASE_URL: "postgres://doccano:doccano@postgres:5432/doccano?sslmode=disable"
      ALLOW_SIGNUP: "False"
      DEBUG: "False"
      SESSION_COOKIE_SECURE: "True"
      CSRF_COOKIE_SECURE: "True"
      CSRF_TRUSTED_ORIGINS: "your.domain.com"
      VIRTUAL_HOST: "your.domain.com"
      VIRTUAL_PORT: 8000
      LETSENCRYPT_HOST: "your.domain.com"
      LETSENCRYPT_EMAIL: "example@gmail.com"
    depends_on:
      - postgres
    expose:
      - 80
      - 8000
    networks:
      - network-backend
      - network-frontend

  frontend:
    build: ./frontend
    environment:
      API_URL: "http://backend:8000"
      GOOGLE_TRACKING_ID: ""
    volumes:
      - www:/app/dist

  nginx-proxy:
    build: nginx
    container_name: nginx-proxy
    volumes:
      - www:/var/www/html:ro
      - static_volume:/static
      - vhost:/etc/nginx/vhost.d
      - html:/usr/share/nginx/html
      - certs:/etc/nginx/certs:ro
      - conf:/etc/nginx/conf.d
    labels:
      - "com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy"
    ports:
      - 80:80
      - 443:443
    depends_on:
      - backend
    networks:
      - network-frontend
      - proxy-tier

  docker-gen:
    image: jwilder/docker-gen
    container_name: nginx-proxy-gen
    command: -notify-sighup nginx-proxy -watch /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf
    volumes_from:
      - nginx-proxy
    volumes:
      - ./nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl:ro
      - /var/run/docker.sock:/tmp/docker.sock:ro
    labels:
      - "com.github.jrcs.letsencrypt_nginx_proxy_companion.docker_gen"
    environment:
      NGINX_PROXY_CONTAINER: "nginx-proxy"
    networks:
      - network-frontend
      - proxy-tier

  letsencrypt:
    image: jrcs/letsencrypt-nginx-proxy-companion
    container_name: nginx-proxy-le
    volumes_from:
      - nginx-proxy
    volumes:
      - certs:/etc/nginx/certs:rw
      - acme:/etc/acme.sh
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      NGINX_DOCKER_GEN_CONTAINER: "nginx-proxy-gen"
      LETSENCRYPT_TEST: "False"
      DEBUG: 1
    networks:
      - proxy-tier


  postgres:
    image: postgres:13.1-alpine
    volumes:
      - postgres_data:/var/lib/postgresql/data/
    environment:
      POSTGRES_USER: "doccano"
      POSTGRES_PASSWORD: "doccano"
      POSTGRES_DB: "doccano"
    networks:
      - network-backend

volumes:
  postgres_data:
  static_volume:
  www:
  vhost:
  html:
  certs:
  acme:
  conf:

networks:
  network-backend:
  network-frontend:
  proxy-tier:
    external:
```

Thanks!
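
A corrected form of the port-443 server block from the first comment, as an added example that is not part of the thread and not doccano's own config. It assumes the `backend` service on port 8000 from the compose file above is the upstream, and that the app's Django settings honour `X-Forwarded-Proto` (not shown on this page). It also includes the `resolver` directive that the OCSP warning in the second comment refers to.

```nginx
# Added example. Upstream name and port are taken from the compose file on
# this page (service "backend", port 8000); adjust if yours differ.
server {
    listen 443 ssl;
    server_name your.domain.com;
    server_tokens off;

    ssl_certificate     /etc/letsencrypt/live/your.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your.domain.com/privkey.pem;
    include             /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam         /etc/letsencrypt/ssl-dhparams.pem;

    # OCSP stapling makes nginx fetch the certificate status itself, so it must
    # be able to resolve the responder hostname. Without a resolver it logs
    # "no resolver defined to resolve ... while requesting certificate status".
    # That message is a warning about stapling, not a request failure.
    # 127.0.0.11 is Docker's embedded DNS on user-defined networks.
    ssl_stapling on;
    resolver     127.0.0.11 valid=30s;

    location / {
        # proxy_pass needs a scheme, and should name the upstream container
        # rather than the public hostname, which normally points back at
        # this proxy.
        proxy_pass http://backend:8000;

        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;

        # TLS ends at nginx, so the app only sees plain HTTP. Forward the
        # original scheme so secure-cookie and CSRF handling can tell the
        # client connection was HTTPS (assumes the app trusts this header).
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Run `nginx -t` inside the proxy container after editing to confirm the file parses before reloading.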

@Hironsan Hironsan added the feature request feature request for doccano label Dec 18, 2020
@eizanendoso
Author

For anyone googling in future: finally solved by putting traefik in front of nginx. Traefik has SSL enabled by default, just needs a few more settings, and nginx does the routing with the default config file.

Contributor

kuraga commented Dec 21, 2020

@eizanendoso let's add to FAQ?
