Comments (6)
Hi rb090,
There is a lot to unpack and answer in your issue, so I will go through some things I find weird, and it's for you to double check that it works correctly and that I have understood it right.
1. You should not need sudo for building a Docker image. See the post-install tips.
2. The `error getting credentials` might be related to what is discussed here and here, and could probably be fixed by solving point 1 here and not using sudo.
3. The `redirector.conf` file is needed if you use the `conf.d` folder directly, but is handled automatically if you use the `user_conf.d` folder. This config makes sure that you can get certificates.
4. Your `test-conf.conf` file is your actual server config which will serve your node app, so it is needed if you want your site to work :)
5. I don't understand your Dockerfile. You have three build stages, one where you compile your site, one default Nginx image where you copy your site to and then finally this nginx-certbot image. I probably need to see the guide you are trying to follow to understand how you actually want to assemble this.
6. When you are doing your `docker run` command you are starting the nginx-certbot image from Docker Hub, not the one you have built locally, so no config files will be present inside of it. Do the suggested run command from here and report back how that went instead.
When done with these steps we can start looking at properly proxying your application through the Nginx.
from docker-nginx-certbot.
The usage of volumes will make it easier to change the Docker image without having to rebuild it and/or fetch new certificates on every update.
It depends on your setup and what is the easiest for you. I prefer the host mounted volumes for the certificates and config files, and then build a separate image that serves just my app and have the "TLS terminating proxy" just forward all requests to the next container. Did a super quick search but you can probably extract something from this.
from docker-nginx-certbot.
Very nice, thanks a lot for all the explanations, @JonasAlfredsson 🤝. Your docker image has now one more big fan 🙂.
from docker-nginx-certbot.
Hi @JonasAlfredsson,
thanks you so much for getting back here and for responding so fast on my issue 🙂👍.
Regarding 1. and 2:
I will have a look at them and fix that. This should not block for this issue. I can build the docker image on an Ubuntu Server perfectly or on my Mac with IntelliJ. But now I understand where this comes from. So thanks a lot for the explanation and sharing the links.
Regarding 3:
Okay, so now I put my `test-conf.conf` into the `user_conf.d` 👍. I thought that when I use a `Dockerfile` I must use the `conf.d` folder. I also removed `redirector.conf`, as you wrote that it is handled automatically when using the `user_conf.d` folder.
Regarding 4:
✅ Got it, thanks a lot for clarification 👍.
Regarding 5:
What I want is:
- Compile my react app
- Copy it to Docker Nginx html folder
- web app is accessible over https
- use certbot and auto renewals within the docker container
But it is a good point, thanks a lot 🤩: given that your image `jonasal/nginx-certbot:latest` already contains Nginx, I do not need "Stage 2" and `FROM nginx:latest` anymore. So I changed the Dockerfile to this:
```dockerfile
FROM node:16 as build-stage
WORKDIR /app
# Copy the package.json and package-lock.json files to the container
COPY package*.json ./
# Install the app dependencies
RUN npm install
# Copy the app source code to the container
COPY . .
# Build the production-ready app
RUN npm run build

# Nginx container with certbot management
FROM jonasal/nginx-certbot:latest
# Copy the config to the server
COPY user_conf.d/* /etc/nginx/conf.d/
# Copy the built React app from the previous stage
COPY --from=build-stage /app/build /usr/share/nginx/html
```
Regarding 6:
Thank you so much, it was such a happy moment for me today seeing my docker container working with https certificates ❤️. I ran successfully

```shell
sudo docker run -it -p 80:80 -p 443:443 --env [email protected] --env DEBUG=1 -v $(pwd)/nginx_secrets:/etc/letsencrypt -v $(pwd)/user_conf.d:/etc/nginx/user_conf.d:ro --name nginx-certbot jonasal/nginx-certbot:latest
```

I also fell in love with your `nginx-certbot.env`. It is very smart and beautiful. I placed my `nginx-certbot.env` inside `user_conf.d`. Can you please tell me how to pass it on `docker run`? Initially I thought it gets automatically handled, but when I run without the `--env`

```shell
sudo docker run -it -p 80:80 -p 443:443 -v $(pwd)/nginx_secrets:/etc/letsencrypt -v $(pwd)/user_conf.d:/etc/nginx/user_conf.d:ro --name nginx-certbot jonasal/nginx-certbot:latest
```

I get the error that `CERTBOT_EMAIL` is missing and certbot is doing nothing. So it looks like the `nginx-certbot.env` is not loaded, because I have `CERTBOT_EMAIL` inside that file (`2023/07/12 17:32:28 [error] CERTBOT_EMAIL environment variable undefined; certbot will do nothing!`).
And I also want my nodejs web app on the server 🙂. That is why my `Dockerfile` contains `COPY --from=build-stage /app/build /usr/share/nginx/html`. But from what I see when looking into the container, the files are not copied to `/usr/share/nginx/html`. Can you please tell me what I am doing wrong with that?
I also changed my server config `test-conf.conf` and added a `location` there:
```nginx
server {
    # Listen to port 443 on both IPv4 and IPv6.
    listen 443 ssl default_server reuseport;
    listen [::]:443 ssl default_server reuseport;

    # Domain names this server should respond to.
    server_name myapp.mydomain.com;

    # Load the certificate files.
    ssl_certificate         /etc/letsencrypt/live/myapp.mydomain.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/myapp.mydomain.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/myapp.mydomain.com/chain.pem;

    # Load the Diffie-Hellman parameter.
    ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;

    location / {
        root /usr/share/nginx/html;
        index index.html;
        try_files $uri $uri/ /index.html;
    }

    error_page 500 502 503 504 /50x.html;
}
```
from docker-nginx-certbot.
Nice to see that you are making progress, good job on solving the points so quickly.
The two new issues you have now are:
1. You need to provide the path to the .env file in your run command. See the `--env-file` option.
2. The run command you have provided uses the nginx-certbot image directly from Docker Hub and not the one you have built with your Dockerfile, thus you will not find any of the files you have copied. I think you could do something along these lines:

```shell
docker build -t nginx-certbot-app -f Dockerfile .
```

which builds your custom image and tags it with the name "nginx-certbot-app", which you can then start with

```shell
docker run -it -p 80:80 -p 443:443 --env-file nginx-certbot.env nginx-certbot-app
```

You see I also dropped the volume mounts here, since they should not be needed when we include everything needed in the build step.
I really don't want to sound condescending, but I would like to suggest you spend some more time reading and experimenting with Docker so you understand its concepts a bit better before you publish a website that will be exposed to the whole world. To give you some starting points you could probably go directly to the Docker docs or follow a tutorial here.
The internet is not very forgiving if you configure your application wrong and accidentally expose something that can be exploited. Docker is a great way to protect your computer, but it is not a silver bullet that mitigates all risks, so I just want to point that out. :)
from docker-nginx-certbot.
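As an added illustration of the `--env-file` point above (this is example code, not code from the docker-nginx-certbot project), the script below parses an env file with the semantics the Docker CLI documents for `--env-file` and reports, before the container is started, the problems that end in the `CERTBOT_EMAIL environment variable undefined` message seen earlier in the thread. The sample file contents and the `admin@example.com` address are constructed.

```python
import os
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the nginx-certbot.env discussed in the thread.
SAMPLE_ENV_FILE = """\
# Comments and blank lines are ignored by docker --env-file

CERTBOT_EMAIL=admin@example.com
DEBUG=1
STAGING="0"
"""

# Docker rejects empty names and names containing whitespace.
_NAME_RE = re.compile(r"^[^\s=]+$")


def parse_env_file(text: str, host_env: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Parse text the way `docker run --env-file` does (assumed to follow the
    Docker CLI docs): one VAR=VAL per line, leading whitespace trimmed, '#' lines
    and blank lines skipped, quotes kept verbatim, a bare VAR copied from the host."""
    host_env = dict(os.environ) if host_env is None else host_env
    result: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.lstrip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if not _NAME_RE.match(name):
            raise ValueError(f"line {lineno}: invalid variable name {name!r}")
        if sep:
            result[name] = value          # value is NOT unquoted or trimmed
        elif name in host_env:
            result[name] = host_env[name]  # passthrough; silently skipped if unset
    return result


def check_certbot_env(env: Dict[str, str]) -> List[str]:
    """Return the problems that would make the image log
    'CERTBOT_EMAIL environment variable undefined; certbot will do nothing!'
    or hand a quoted value to certbot."""
    problems: List[str] = []
    if not env.get("CERTBOT_EMAIL"):
        problems.append("CERTBOT_EMAIL is missing or empty")
    for key, value in env.items():
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            problems.append(f"{key} keeps its quotes literally: {value}")
    return problems
```

Running `check_certbot_env(parse_env_file(open("nginx-certbot.env").read()))` on the real file before `docker run` catches a missing address or a quoted value without waiting for the container log.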
Thanks a lot @JonasAlfredsson for getting back here and for your answer. I tried that out and everything worked as expected with what you suggested 🙌.
Also thanks a lot for sharing some Docker insights with me 🤝.
I already went through a couple of the Docker docs you shared. I know that there are a lot of things to improve within the Dockerfile, also e.g. what is described in Docker security.
Maybe one more small question regarding the volume mounts which you dropped: Would it be more secure to use volumes here for this use case because of the `nginx_secrets`?
So like in your documentation, use the nginx-certbot image directly from Docker Hub and pass in everything over volumes, including `/app/build` from the `build-stage` of the `Dockerfile`?
Or is it just a question of performance, like described in the Docker docs regarding volumes?
from docker-nginx-certbot.