
Comments (6)

JonasAlfredsson commented on May 24, 2024 3

Hi rb090,

There is a lot to unpack and answer in your issue, so I will go through some things I find weird, and it's for you to double check that it works correctly and that I have understood it right.

  1. You should not need sudo for building a Docker image. See the post-install tips.
  2. The error getting credentials might be related to what is discussed here and here, and could probably be fixed by solving point 1 here and not using sudo.
  3. The redirector.conf file is needed if you use the conf.d folder directly, but is handled automatically if you use the user_conf.d folder. This config makes sure that you can get certificates.
  4. Your test-conf.conf file is your actual server config which will serve your node app, so it is needed if you want your site to work :)
  5. I don't understand your Dockerfile. You have three build stages, one where you compile your site, one default Nginx image where you copy your site to and then finally this nginx-certbot image. I probably need to see the guide you are trying to follow to understand how you actually want to assemble this.
  6. When you are doing your docker run command you are starting the nginx-certbot image from Docker Hub, not the one you have built locally, so no config files will be present inside of it. Do the suggested run command from here and report back how that went instead.

When done with these steps we can start looking at properly proxying your application through the Nginx.

from docker-nginx-certbot.

JonasAlfredsson commented on May 24, 2024 1

The usage of volumes will make it easier to change the Docker image without having to rebuild it and/or fetch new certificates on every update.
It depends on your setup and what is the easiest for you. I prefer the host mounted volumes for the certificates and config files, and then build a separate image that serves just my app and have the "TLS terminating proxy" just forward all requests to the next container. Did a super quick search but you can probably extract something from this.

from docker-nginx-certbot.

rb090 commented on May 24, 2024 1

Very nice, thanks a lot for all the explanations, @JonasAlfredsson 🤝. Your docker image has now one more big fan 🙂.

from docker-nginx-certbot.

rb090 commented on May 24, 2024

Hi @JonasAlfredsson,

thank you so much for getting back here and for responding so fast on my issue 🙂👍.

Regarding 1. and 2:
I will have a look at them and fix that. This should not block this issue. I can build the docker image on an Ubuntu Server perfectly or on my Mac with IntelliJ. But now I understand where this comes from. So thanks a lot for the explanation and sharing the links.

Regarding 3:
Okay, so now I put my test-conf.conf into the user_conf.d 👍. I thought that when I use a Dockerfile I must use the conf.d folder. I also removed redirector.conf as you wrote that it is handled automatically when using the user_conf.d folder.

Regarding 4:
✅ Got it, thanks a lot for clarification 👍.

Regarding 5:
What I want is:

  • Compile my react app
  • Copy it to Docker Nginx html folder
  • web app is accessible over https
  • use certbot and auto renewals within the docker container

But it is a good point, thanks a lot 🤩. Since your image jonasal/nginx-certbot:latest already contains Nginx, I no longer need "Stage 2" and FROM nginx:latest. So I have now changed the Dockerfile to this:

FROM node:16 as build-stage

WORKDIR /app

# Copy the package.json and package-lock.json files to the container
COPY package*.json ./

# Install the app dependencies
RUN npm install

# Copy the app source code to the container
COPY . .

# Build the production-ready app
RUN npm run build

# Nginx container with certbot management
FROM jonasal/nginx-certbot:latest

# Copy the config to the server
COPY user_conf.d/* /etc/nginx/conf.d/

# Copy the built React app from the previous stage
COPY --from=build-stage /app/build /usr/share/nginx/html

Regarding 6:

Thank you so much, it was such a happy moment for me today seeing my docker container working with https certificates ❤️. I ran successfully

sudo docker run -it -p 80:80 -p 443:443 --env [email protected] --env DEBUG=1 -v $(pwd)/nginx_secrets:/etc/letsencrypt -v $(pwd)/user_conf.d:/etc/nginx/user_conf.d:ro --name nginx-certbot jonasal/nginx-certbot:latest

I also fell in love with your nginx-certbot.env. It is very smart and beautiful. I have now placed my nginx-certbot.env inside user_conf.d. Can you please tell me how to pass it on docker run? Initially I thought it gets handled automatically, but when I run without the --env

sudo docker run -it -p 80:80 -p 443:443 -v $(pwd)/nginx_secrets:/etc/letsencrypt -v $(pwd)/user_conf.d:/etc/nginx/user_conf.d:ro --name nginx-certbot jonasal/nginx-certbot:latest

I get the error that CERTBOT_EMAIL is missing and certbot is doing nothing. So it looks like the nginx-certbot.env is not loaded because I have CERTBOT_EMAIL inside that file (2023/07/12 17:32:28 [error] CERTBOT_EMAIL environment variable undefined; certbot will do nothing!).

And I also want my nodejs web app on the server 🙂. That is why my Dockerfile contains COPY --from=build-stage /app/build /usr/share/nginx/html. But from what I see when looking into the container, the files are not copied to /usr/share/nginx/html. Can you please tell me what I am doing wrong with that?

I also changed my server config test-conf.conf and added location to there:

server {
    # Listen to port 443 on both IPv4 and IPv6.
    listen 443 ssl default_server reuseport;
    listen [::]:443 ssl default_server reuseport;

    # Domain names this server should respond to.
    server_name myapp.mydomain.com;

    # Load the certificate files.
    ssl_certificate         /etc/letsencrypt/live/myapp.mydomain.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/myapp.mydomain.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/myapp.mydomain.com/chain.pem;

    # Load the Diffie-Hellman parameter.
    ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;

    location / {
        root /usr/share/nginx/html;
        index index.html;
        try_files $uri $uri/ /index.html;
    }

    error_page   500 502 503 504  /50x.html;
}

from docker-nginx-certbot.

JonasAlfredsson commented on May 24, 2024

Nice to see that you are making progress, good job on solving the points so quickly.

The two new issues you have now are:

  1. You need to provide the path to the .env file in your run command. See the --env-file option.
  2. The run command you have provided uses the nginx-certbot image directly from Docker Hub and not the one you have built inside your Dockerfile, thus you will not find any of the files you have copied. I think you could do something along these lines:

docker build -t nginx-certbot-app -f Dockerfile .

which builds your custom image and tags it with the name "nginx-certbot-app" that you can then start with

docker run -it -p 80:80 -p 443:443 --env-file nginx-certbot.env nginx-certbot-app

You see I also drop the volume mounts here as well since they should not be needed since we include everything needed in the build step.

I really don't want to sound condescending, but I would like to suggest you spend some more time reading and experimenting with Docker so you understand its concepts a bit better before you publish a website that will be exposed to the whole world. To give you some starting points you could probably go directly to the Docker docs or follow a tutorial here.
The internet is not very forgiving if you configure your application wrong and accidentally expose something that can be exploited. Docker is a great way to protect your computer, but it is not a silver bullet that mitigates all risks, so I just want to point that out. :)

from docker-nginx-certbot.
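
A preflight for the build-then-run flow in the comment above, as an added example that is not part of the thread or of the docker-nginx-certbot project. It checks that the file passed to --env-file really defines CERTBOT_EMAIL in the literal form docker reads, and that nginx_secrets is kept out of the build context used by COPY . . in the Dockerfile. The function names are hypothetical, and it assumes nginx_secrets and nginx-certbot.env sit next to the Dockerfile.

```shell
#!/bin/sh
# Added example; function names are hypothetical, image and file names are
# the ones used in the thread.

# Print the value docker assigns to KEY from an --env-file (simplified parser).
# docker reads KEY=VALUE lines literally: '#' lines are comments and
# surrounding quotes are NOT stripped from the value.
env_file_value() {  # $1 = env file, $2 = key
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        index($0, key "=") == 1 { val = substr($0, length(key) + 2); found = 1 }
        END { if (found) print val; else exit 1 }
    ' "$1"
}

# Return 0 only if the env file defines a usable CERTBOT_EMAIL.
check_certbot_email() {  # $1 = env file
    [ -r "$1" ] || { echo "env file $1 not readable" >&2; return 1; }
    email=$(env_file_value "$1" CERTBOT_EMAIL) || {
        echo "CERTBOT_EMAIL not defined in $1" >&2; return 1; }
    case $email in
        "")      echo "CERTBOT_EMAIL is empty" >&2; return 1 ;;
        \"*|\'*) echo "CERTBOT_EMAIL is quoted; docker keeps the quotes" >&2
                 return 1 ;;
        *@*)     return 0 ;;
        *)       echo "CERTBOT_EMAIL does not look like an address" >&2
                 return 1 ;;
    esac
}

# Return 0 if NAME is listed in .dockerignore, so that "COPY . ." in the
# build stage cannot pull it (e.g. private keys) into an image layer.
# Negated (!) patterns are not evaluated here.
dockerignore_excludes() {  # $1 = .dockerignore path, $2 = name
    [ -r "$1" ] && grep -qxE "/?$2/?" "$1"
}

preflight() {  # $1 = build context dir, $2 = env file
    check_certbot_email "$2" || return 1
    dockerignore_excludes "$1/.dockerignore" nginx_secrets || {
        echo "nginx_secrets is not in $1/.dockerignore" >&2; return 1; }
}

# "sh preflight.sh run" builds and starts the locally built image.
if [ "${1:-}" = "run" ]; then
    preflight . nginx-certbot.env || exit 1
    docker build -t nginx-certbot-app -f Dockerfile . &&
    docker run -it -p 80:80 -p 443:443 --env-file nginx-certbot.env nginx-certbot-app
fi
```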

rb090 commented on May 24, 2024

Thanks a lot @JonasAlfredsson for getting back here and for your answer. I tried that out and everything worked as expected with what you suggested 🙌.

Also thanks a lot for sharing some Docker insights with me 🤝.

I already went through a couple of the Docker docs you shared. I know that there are a lot of things to improve within the Dockerfile, also e.g. what is described in Docker security.

Maybe one more small question regarding the volume mounts which you drop: Would it be more secure to use volumes here for this use case because of the nginx_secrets?

So like in your documentation, use nginx-certbot image directly from Docker Hub and pass in everything over volumes including /app/build from the build-stage of the Dockerfile?

Or is it just a question of performance like described in the Docker docs regarding volumes?

from docker-nginx-certbot.
