Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Self-cert SSL for local https #7

Merged
merged 12 commits into from
Oct 23, 2024
3 changes: 3 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
# Ignore mkcert generated files (certificates and keys)
certs/
localhost+*.pem
28 changes: 19 additions & 9 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,7 +1,5 @@
# Nginx/LetsEncrypt Reverse Proxy
The goal of this repository is to make it easy to [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) one or more website services on a Virtual Private Server (VPS). **Note: Services must be started with Docker.**

[Here](https://github.com/MattHalloran/NLN) is a project that uses this.
# Nginx Reverse Proxy with SSL Certificate
The goal of this repository is to make it easy to set up a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) and [SSL certificate](https://www.cloudflare.com/learning/ssl/what-is-an-ssl-certificate/) for a website running locally or on a VPS. When running locally, the SSL certificate is self-signed. When running on a VPS, the SSL certificate is provided by [LetsEncrypt](https://letsencrypt.org/).

Heavily inspired by [this article](https://olex.biz/2019/09/hosting-with-docker-nginx-reverse-proxy-letsencrypt/). If you're looking for someone to thank, it is them!

Expand All @@ -14,18 +12,28 @@ Heavily inspired by [this article](https://olex.biz/2019/09/hosting-with-docker-
| [Docker](https://www.docker.com/) | Container handler | latest |

## Prerequisites
1. Must have a website name, with access to its DNS settings. If you're not sure where to get started, I like using [Google Domains](https://domains.google/).
2. Must have access to a Virtual Private Server (VPS). They can be as little as $5 a month. Here are some good sites:
1. If not running locally, must have a website name and access to its DNS settings
2. If not running locally, must have access to a Virtual Private Server (VPS). Here are some good sites:
* [DigitalOcean](https://m.do.co/c/eb48adcdd2cb) (Referral link)
* [Vultr](https://www.vultr.com/)
* [Linode](https://www.linode.com/)
3. Must have Dockerfiles or docker-compose files to start your website's services. Each service that interfaces with Nginx (i.e. is connected to with a port) can be configured with the following environment variables:
3. Must have Dockerfiles or docker-compose files to start your website's services. Each service that interfaces with Nginx (i.e. is connected to with a port) can be configured using the following environment variables:
- *VIRTUAL_HOST* - the website's name(s), separated by a comma with no spaces (e.g. `examplesite.com,www.examplesite.com`)
- *VIRTUAL_PORT* - the container's port
- *LETSENCRYPT_HOST* - website name used by LetsEncrypt. Most likely the same as *VIRTUAL_HOST*
- *LETSENCRYPT_EMAIL* - the email address to be associated with the LetsEncrypt process

## Getting started

### Running locally
1. Clone repository:
`git clone https://github.com/MattHalloran/NginxSSLReverseProxy && cd NginxSSLReverseProxy`
2. Run setup script:
`chmod +x ./scripts/fullSetup.sh && ./scripts/fullSetup.sh`
3. Start docker:
a. `sudo docker-compose -f docker-compose.local.yml up -d`

### Running on a VPS
1. Set up VPS ([example](https://www.youtube.com/watch?v=Dwlqa6NJdMo&t=142s)).
2. Edit DNS settings to point to the VPS. Here is an example:
| Host Name | Type | TTL | Data |
Expand All @@ -39,7 +47,7 @@ Heavily inspired by [this article](https://olex.biz/2019/09/hosting-with-docker-
5. Run setup script:
`chmod +x ./scripts/fullSetup.sh && ./scripts/fullSetup.sh`
6. Start docker:
`sudo docker-compose up -d`
a. `sudo docker-compose -f docker-compose.remote.yml up -d`


## Common commands
Expand All @@ -48,6 +56,8 @@ Heavily inspired by [this article](https://olex.biz/2019/09/hosting-with-docker-


## Custom proxy
Custom proxy configurations can be put in the `my_proxy.conf` file. By default, this only contains one line: `client_max_body_size 100m;`. This raises the maximum payload size for uploading files. This is useful if you'd like users to have the ability to upload multiple images in one request, for example.
Custom proxy configurations can be put in the `nginx/conf.d/local.conf` or `nginx/conf.d/remote.conf` file, depending on if this will be running locally or remotely.

By default, the local version contains the standard configuration for self-signed SSL setup. Both versions also contain `client_max_body_size 100m;`. This raises the maximum payload size for uploading files. This is useful if you'd like users to have the ability to upload multiple images in one request, for example.

If you are not using custom configurations, you can remove the docker-compose line `- ./my_proxy.conf:/etc/nginx/conf.d/my_proxy.conf:ro`.
22 changes: 22 additions & 0 deletions docker-compose-local.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
version: '3.8'

services:
nginx-local:
image: nginx:latest
container_name: nginx-local-dev
ports:
- "80:80"
- "443:443"
volumes:
- ./nginx/conf.d/local.conf:/etc/nginx/conf.d/local.conf:ro
- ./certs/localhost+2.pem:/etc/nginx/certs/localhost+2.pem
- ./certs/localhost+2-key.pem:/etc/nginx/certs/localhost+2-key.pem
# Remove default config
- /dev/null:/etc/nginx/conf.d/default.conf:ro
networks:
- proxy

networks:
proxy:
name: nginx-proxy
external: true
6 changes: 3 additions & 3 deletions docker-compose.yml → docker-compose-remote.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ services:
- dhparam:/etc/nginx/dhparam
- certs:/etc/nginx/certs:ro
- /var/run/docker.sock:/tmp/docker.sock:ro
- ./my_proxy.conf:/etc/nginx/conf.d/my_proxy.conf:ro
- ./nginx/conf.d/remote.conf:/etc/nginx/conf.d/remote.conf:ro
- ./50x.html:/usr/share/nginx/html/errors/50x.html:ro
networks:
- proxy
Expand Down Expand Up @@ -48,5 +48,5 @@ volumes:

networks:
proxy:
external:
name: nginx-proxy
name: nginx-proxy
external: true
68 changes: 68 additions & 0 deletions nginx/conf.d/local.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,68 @@
client_max_body_size 100m;

resolver 127.0.0.11 valid=30s;

# Enable HTTP/2 globally
http2 on;

server {
listen 80;
listen [::]:80;
server_name localhost;

# Redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}

server {
listen 443 ssl;
listen [::]:443 ssl;
server_name localhost;

ssl_certificate /etc/nginx/certs/localhost+2.pem;
ssl_certificate_key /etc/nginx/certs/localhost+2-key.pem;

ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

# Use variables to defer DNS resolution
set $ui_upstream ui:3000; # Change to match your UI server's name and port
set $api_upstream server:5329; # Change to match your API server's name and port

# UI Server Proxy
location / {
# proxy_pass http://$ui_upstream;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_http_version 1.1;
# proxy_set_header Connection "";
# proxy_buffering off; # For WebSocket support
# proxy_request_buffering off;
proxy_pass http://$ui_upstream;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}

# API Server Proxy
location /api/ {
proxy_pass http://$api_upstream;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_http_version 1.1;
proxy_set_header Connection "";
}

# Support for WebSocket connections
location /sockjs-node {
proxy_pass http://$ui_upstream/sockjs-node;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
}
File renamed without changes.
Loading
Loading