rpi-docker-letsencrypt-nginx-proxy-companion
RPI-compatible LetsEncrypt companion container for nginx-proxy
This is a fork that enables use on the armhf architecture (tested on RPI 3). Have a look at Yves Blusseau's original repository and README. The following part does not include all available options of the original project.
Why do you want to use this?
Reasons and examples for using a reverse proxy are discussed by Jason Wilder or here. With this companion container for automatically creating/renewing Let's Encrypt certificates you can host and expose your dockerized TLS-secured applications on a Raspberry Pi. Examples:
- Home Assistant with a custom nginx template for your sweet home automation (tested)
- Nextcloud with Passman extension and MySQL (tested)
- Nginx hosting your web sites (tested)
- Own Mailserver, e.g. tomav/docker-mailserver, hardware/mailserver or Poste.io (not tested)
How to use
The built image is hosted on Docker Hub. Declare three writable volumes for the rpi-nginx-proxy container:
- /etc/nginx/certs to create/renew Let's Encrypt certificates
- /etc/nginx/vhost.d to change the configuration of vhosts (needed by Let's Encrypt)
- /usr/share/nginx/html to write challenge files.
Example usage:
- First start nginx with the 3 volumes declared (you need to build this image as shown in the respective repository):
$ docker run -d -p 80:80 -p 443:443 \
--name nginx-proxy \
-v /path/to/certs:/etc/nginx/certs:ro \
-v /etc/nginx/vhost.d \
-v /usr/share/nginx/html \
-v /var/run/docker.sock:/tmp/docker.sock:ro \
--label com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy \
alexanderkrause/rpi-nginx-proxy
The "com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy" label is needed so that the letsencrypt container knows which nginx proxy container to use.
- Second start this container:
$ docker run -d \
--name nginx-letsencrypt \
-v /path/to/certs:/etc/nginx/certs:rw \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
--volumes-from nginx-proxy \
alexanderkrause/rpi-letsencrypt-nginx-proxy-companion
Then start any containers you want proxied with the environment variable VIRTUAL_HOST=yourdomain.com, e.g.
$ docker run -d \
--name example-app \
-e "VIRTUAL_HOST=example.com" \
-e "LETSENCRYPT_HOST=example.com" \
-e "LETSENCRYPT_EMAIL=<your-email-address>" \
tutum/apache-php
Regarding Certificate Acquiring
Acquiring a certificate requires an nginx-reverse-proxy container with a mapping of the default ports, i.e., '80:80' and '443:443', as shown above. If you don't want to expose those ports, you need to apply a workaround:
Initially start an nginx-reverse-proxy container as shown above with those port mappings, then shut down all three containers (reverse-proxy, companion and your application). Remove the reverse-proxy container and start a new one with your desired port mappings, e.g. '5050:80' and '5060:443'. Finally, start the companion and your application container.
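The workaround from the shutdown step onward, as an added example script that is not part of the original README. It assumes the proxy was first created with named volumes (hypothetical names nginx-vhost and nginx-html) instead of the anonymous ones in the command above, so the re-created proxy mounts the same vhost.d and challenge data the companion already holds; DRY_RUN and the function names are likewise assumptions.

```shell
#!/bin/sh
# Added example (not from the original README): the port workaround above.
# Assumptions: named volumes nginx-vhost / nginx-html (hypothetical names),
# container names as in the commands above, DRY_RUN=1 only prints commands.
PROXY=nginx-proxy
COMPANION=nginx-letsencrypt
IMAGE=alexanderkrause/rpi-nginx-proxy
CERTS=/path/to/certs   # placeholder path, as in the README

# Run a docker command, or only print it when DRY_RUN=1.
docker_cmd() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "docker $*"
    else
        docker "$@"
    fi
}

# Succeed only for a decimal TCP port in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Usage: recreate_proxy HTTP_PORT HTTPS_PORT APP_CONTAINER
recreate_proxy() {
    valid_port "$1" && valid_port "$2" || { echo "invalid port" >&2; return 2; }
    [ -n "${3:-}" ] || { echo "missing application container" >&2; return 2; }
    # 1. Shut down all three containers.
    docker_cmd stop "$3" "$COMPANION" "$PROXY" || return 1
    # 2. Remove only the proxy; named volumes and the cert directory remain.
    docker_cmd rm "$PROXY" || return 1
    # 3. Start a new proxy with the desired host ports and the same mounts.
    docker_cmd run -d -p "$1:80" -p "$2:443" --name "$PROXY" \
        -v "$CERTS:/etc/nginx/certs:ro" \
        -v nginx-vhost:/etc/nginx/vhost.d \
        -v nginx-html:/usr/share/nginx/html \
        -v /var/run/docker.sock:/tmp/docker.sock:ro \
        --label com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy \
        "$IMAGE" || return 1
    # 4. Start the companion and the application again.
    docker_cmd start "$COMPANION" "$3"
}

# Execute only when invoked as: recreate-proxy.sh run 5050 5060 example-app
if [ "${1:-}" = run ]; then shift; recreate_proxy "$@"; fi
```

Run it with DRY_RUN=1 first to review the four docker commands before they are executed.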
How to build the image yourself
- Clone this repository
$ git clone https://github.com/Alexander-Krause/rpi-docker-letsencrypt-nginx-proxy-companion.git
- $ cd rpi-docker-letsencrypt-nginx-proxy-companion
- $ docker build -t alexanderkrause/rpi-docker-letsencrypt-nginx-proxy-companion:latest .
DynDNS
Tested with duckdns as DynDNS provider. Configure the update URL in your router or device (with ddclient) and (!) enable port forwarding (e.g. 443 of your Pi / docker container) in your router. Do the steps from above and enter yourducksubdomain.duckdns.org in VIRTUAL_HOST and LETSENCRYPT_HOST.