support question: nginx.config example for a proxied server using LetsEncrypt?

[laurencefass]

I'm using this with jwilder/nginx-proxy.

Bit stuck getting started., Do I need to transform standalone nginx.config SSL options to work in a proxied server environment? Or it is as simple as mapping the key and cert nginx config options to files on known docker volumes? If so how does that file naming convention work?

In a jwilder/proxy environment who is doing the SSL encryption? Is it the proxied server, or the jwilder/proxy?

rewrite all http requests to SSL

server {
  listen 80;
  listen [::]:80;
  server_name $hostname;
  return 301 $https://www.$host$request_uri;
}

handle all request with SSL

server {
  listen 443 ssl;
  listen [::]:443 ssl;
  ssl_certificate     /var/www/html/web/domain.crt;
  ssl_certificate_key /var/www/html/web/domain.key;
  server_name www.$hostname;
  root /var/www/html/web;
  index index.php;
}

any help and advice appreciated.
thanks

[buchdag]

In a jwilder/proxy environment who is doing the SSL encryption? Is it the proxied server, or the jwilder/proxy?

The proxy acts as an SSL termination, meaning that the TLS encryption / decryption with the outside client happens there.

The container to container connection happens over HTTP by default but you can configure nginx-proxy to use HTTPS instead.

Re-using existing certificates and private key is just a matter of putting them in the right place (/etc/nginx/certs) with the correct name:

• (subdomain.)domain.tld.crt for the certificate
• (subdomain.)domain.tld.key for the private key
• (subdomain.)domain.tld.chain.pem for the certificate chain

Further info there : https://github.com/jwilder/nginx-proxy#ssl-support

Please note that even if this project is meant to work with jwilder/nginx-proxy, it is a separate project maintained by different people. That means that question not directly related to what JrCs/docker-letsencrypt-nginx-proxy-companion does (automatic creation and naming of certificate + reloading of nginx-proxy) should be submitted to the nginx-proxy repo rather than here.

[laurencefass]

Thanks to check my understanding is it correct to assume then that i only need a single cert/key pair for an arbitrary number of proxied nginx servers - each configured in its own nginx.config to serve simple http?

If I set up nginx-proxy to connect to https backend (ref: https://github.com/jwilder/nginx-proxy#ssl-support) aren't I back in a situation having to manage indivual (proxied) ssl servers each with its own cert/pem requirement? Is there a benefit to this?

thanks

[buchdag]

I'm sorry I don't get your question about needing a single cert/key pair for an arbitrary number of proxied nginx servers, considering this container's sole goal is to automate certificate issuance for your proxied services.

[laurencefass]

Hi thank you for your help I am still trying to understand how configuration is spread throughout the different containers. Reading your previous comments I am unclear where the encryption takes place and whether I have to configure all of my proxied servers as https or if I can configure them as http and leave encryption to the proxy.

My last question is: will this container generate a single cert for the proxy which will encrypt data according to the statement: "...the proxy acts as an SSL termination, meaning that the TLS encryption / decryption with the outside client happens there"

or do I need to individually configure https for all my proxied servers according to the statement: "...this container's sole goal is to automate certificate issuance for your proxied services"

I hope that makes more sense?

Thanks

[buchdag]

The encryption / decryption with the outside world will always happens at the proxy no matter what.

The HTTPS backend communication I alluded to is entirely optional, if you have no idea what purpose it serves you probably have no use for it and should disregard this info for now.

Under normal and correct operation, the companion will attempt to issue one separate certificate for every running container that has a LETSENCRYPT_HOST environment variable configured. If correctly issued, those certificates will then automatically be picked up and used by nginx-proxy configuration.

You don't need to configure anything specific on your proxyed containers beside having them serve HTTP, which they probably already do.

I don't mean to be rude at all but you should probably read in more detail nginx-proxy documentation and then this container documentation, because you don't quite seem to grasp what they both do and how.

[laurencefass]

you are right, i am slowly getting my mind around how the two containers work together. thank you for your patience and attention. no offence taken only gratitude for your time.