I love self-hosting personal applications. I spun a machine on cloud and started hosting my applications. As I wanted to host my second application, I got struck routing both the application's request to the same machine without needing to specify a port number in the URL. Specifying a port number in the URL like http://miniflux.ganesshkumar.com:5000 and http://blog.ganesshkumar.com:4000 made the URL look ugly.
After searching for a while, I found that reverse proxy using nginx can come in handy. At this point, I also wanted to enforce SSL to the applications as my application needed login. Let's Encrypt provides free SSL certificates. Now I needed to put together nginx, certificates and my applications to work together. To reduce setup procedures, I opted to use Docker. In this post let's see how I put all the pieces together.
The first application I want to host in miniflux, a minimalist feed reader.
Let's create two folders in the home directory. data
to hold all the volumes that will be mounted in docker and docker-compose
to hold docker-compose files to launch the services and applications.
$ mkdir data docker-compose
1. Let's start our first application
Create the folders for data and docker-compose
$ mkdir data/miniflux docker-compose/miniflux
Then create docker-compose.yml file in the docker-compose/miniflux folder with the following content
version: '3'
services:
miniflux:
image: miniflux/miniflux:latest
ports:
- "8000:8080"
depends_on:
- db
environment:
- DATABASE_URL=postgres://<username>:<password>@db/miniflux?sslmode=disable
db:
image: postgres:10.1
environment:
- POSTGRES_USER=<username>
- POSTGRES_PASSWORD=<password>
volumes:
- ${HOME}/data/miniflux:/var/lib/postgresql/data
Now running docker-compose up -d
in the docker-compose folder will run this application in the background. We can reach the server on localhost:8000. Our first application is up and running now.
2. Starting nginx
Create the folders for data and docker-compose
$ mkdir data/nginx docker-compose/nginx
We will be mounting SSL certificates in nginx container, so that our applications will be served over a secured layer. Create folders for holding the certificates
$ mkdir -p data/letsencrypt/certs data/letsencrypt/certs-data
Then create docker-compose.yml file with the following contents
version: '3'
services:
nginx:
image: nginx:alpine
container_name: nginx
restart: always
network_mode: host
volumes:
- ${HOME}/data/letsencrypt/certs:/etc/letsencrypt
- ${HOME}/data/letsencrypt/certs-data:/data/letsencrypt
- ${HOME}/data/nginx:/etc/nginx
ports:
- 80:80
- 443:443
Before string the ngix container, we have to create a config file for nginx. Create data/nginx/nginx.conf
file with the following content
events {
}
http {
server {
listen 80;
listen [::]:80;
server_name miniflux.ganesshkumar.com;
location / {
rewrite ^ https://$host$request_uri? permanent;
}
location ^~ /.well-known {
allow all;
root /data/letsencrypt/;
}
}
}
This config dictates to redirect any request to miniflux.ganesshkumar.com
to https://ganesshkumar.com
. Also serve the request to /.well-known to be served from /data/letscrypt directory. This .well-known endpoint will be used by Let's Encrypt to verify our DNS entry for miniflux.
Now, we can run docker-compose up -d
from the docker-compose directory to start the nginx server. The request to miniflux will not reach the application yet, as we haven't routed it to localhost:8000 but still the nginx server will help set up the SSL certificates for the miniflux domain.
3. Setting up SSL certificates
Let's Encrypt provides to tool certbot to create our SSL certificates. Let's use the docker image of certbot to do that. Run the following docker command.
$ docker run -it --rm \
-v certs:/etc/letsencrypt \
-v certs-data:/data/letsencrypt \
deliverous/certbot \
certonly \
--webroot --webroot-path=/data/letsencrypt
-d miniflux.ganesshkumar.com
The above command will generate a challage and tries to solve it at miniflux.ganesshkumar.com/.well-known
. Our nginx server has enough configuration to host the contents of .well-known folder generated by the certbot.
On successful execution of the above command, you will have your certificates generated at data/letsencrypt/certs-data directory.
4. Routing the request to the application
Now let's modify the contents of nginx.conf file, to route the requests to miniflux.ganesshkumar.com to localhost:8000.
Add the following code to the http section of nginx.conf
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name miniflux.ganesshkumar.com;
ssl on;
add_header Strict-Transport-Security "max-age=31536000" always;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;";
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4;
ssl_certificate /etc/letsencrypt/live/miniflux.ganesshkumar.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/miniflux.ganesshkumar.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/miniflux.ganesshkumar.com/chain.pem;
access_log /dev/stdout;
error_log /dev/stderr info;
location / {
proxy_pass http://127.0.0.1:8000;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
}
}
We are almost done. Restart the nginx server to use the latest configuration. Run the following command in nginx's docker-compose directory.
$ docker-compose down
$ docker-compose up -d
That all. Our request to http://miniflux.ganesshkumar.com will be redirected to https://miniflux.ganesshkumar.com which will be served from localhost:8000, making sure that all the requests are being served over SSL.
To add a second application, just repeat all the four steps. You will be serving both the applications from the same machine using nginx reverse proxy.
5. Renewing SSL certificate
After few months your SSL certificate will expire. You can run the following command to renew the certificate.
$ docker run -t --rm \
-v certs:/etc/letsencrypt \
-v certs-data:/data/letsencrypt \
deliverous/certbot \
renew \
--webroot --webroot-path=/data/letsencrypt
$ docker-compose kill -s HUP nginx
This set up has made the process of deploying any new application to the server simple :)
Top comments (2)
How come for some reason, docker isn't able to access my keys?
nginx_1 | nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/example.org/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/example.org/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
Check if the mounted volumes has right access permissions.