Owner: Sammy Teillet
{% hint style='success' %}
If, as an expert of docker, you want to adapt the standard to the context of your project, you have to check that:
{% endhint %}
- server listen port
80and443 - server redirect port
80to443with301: Moved Permanently - proxy should renew certificates automatically before they expire (letsencrypt certificates have 90 days of validity)
- you should get at least
Awhen checking https://www.ssllabs.com/ssltest/ - you should check in the report of https://www.ssllabs.com/ssltest/ that the server devices range cover your definition of DONE: eg, if you need to support old IE or old android, you have to lower the security enough for compatibility
- You have a staging environment with docker
- You can ssh to the server
- Make sure you have the docker rights
sudo usermod -aG docker $YOUR_USER_NAME
- Connect to your server
ssh [email protected] - Clone the nginx-proxy-companion project on the server at the root of the server.
git clone [email protected]:evertramos/docker-compose-letsencrypt-nginx-proxy-companion.git- Create a
.envfile
cd docker-compose-letsencrypt-nginx-proxy-companion
cp ./.env.sample .env- Set the
NGINX_FILES_PATH=/srv/nginx/datain the.envvim ./.env- line 41 replace
NGINX_FILES_PATH=/srv/nginx/data(or a different path if you prefer)
{% hint style='success' %} CHECK
Try to launch the companion by running:
./start.shYou should have the following error because the port 80 is already used by your app docker:
ERROR: for nginx-web Cannot start service nginx-web: driver failed programming external connectivity on endpoint nginx-web (4c0105fe57d370c99c0a143c967d1b8737006a4138618e1defebc4bab4e42d11): Bind for 0.0.0.0:80 failed: port is already allocated
{% endhint %}
- Remove the binding 80 port command, but expose it
version: '3'
services:
your-web-app: #It should contain port: "80:80"
# ...
- ports:
- - "80:80"
+ expose:
+ - 80- Configure the app to use the network created by the companion (
webproxyis the default name)
version: '3'
services:
# ...
+networks:
+ default:
+ external:
+ name: webproxy{% hint style='info' %} GO FURTHER
https://blog.docker.com/2016/12/understanding-docker-networking-drivers-use-cases/
{% endhint %}
- In your project set 3 environment variable:
VIRTUAL_HOST,LETSENCRYPT_HOST,LETSENCRYPT_EMAIL. The email will be used by Letsencrypt to notify you if the certificate expire.There are 2 ways:- In the docker-compose file
- In your prod.env file that is read by your Dockerfile.
{% hint style='info' %} RECOMENDED WAY
Update the .env file of your web-app docker
{% endhint %}
- In the
./env/prod.envadd the following:
#... other env variable
+ VIRTUAL_HOST=my.domain.cloud.bam.tech
+ LETSENCRYPT_HOST=my.domain.cloud.bam.tech
+ [email protected]{% hint style='warning' %} OTHER solution
If you have no .env file you an also Update the docker-compose-prod file
version: '3'
services:
your-web-app: #It should contain port: "80:80"
# ...
environment:
+ - VIRTUAL_HOST=my.domain.cloud.bam.tech
+ - LETSENCRYPT_HOST=my.domain.cloud.bam.tech
+ - [email protected]{% endhint %}
{% hint style='danger' %} BUSINESS INTERRUPTION
You will have to shut down your docker (so the port 80 is available), so during this step your domain won't be accessible.
{% endhint %}
- Cut your app docker:
cd your-project-directory
docker-compose -f docker-compose-prod.yml down- Start the companion (go to the companion directory):
cd ../docker-compose-letsencrypt-nginx-proxy-companion
./start.sh- Launch your project docker again:
cd -
docker-compose -f docker-compose-prod.yml up -d{% hint style='success' %} CHECK
- Check the validity of your domain, go to https://your.domain
- Go there and check your domain. Useful tip: go to the Handshake Simulation section and check the supported devices.
{% endhint %}