Nginx as reverse proxy with acme (letsencrypt)
Introduction
This setup will allow you to have multiple servers/containers be accessible via a single IP address with the added benefit of centralized generation of letsencrypt certificates and secure https (according to ssllabs ssltest).
Installation
For this howto we need two tools, NGINX and acme-client. lets install them.
apk add nginx acme-client
Setup
NGINX
First step is to refactor our global nginx.conf
# ngnix configuration file user nginx; worker_processes 1; # use auto to use all available cores (high performance) events { worker_connections 1024; # increase if you need more connections } http { # server_names_hash_bucket_size controls the maximum length # of a virtual host entry (ie the length of the domain name). server_names_hash_bucket_size 64; server_tokens off; # hide who we are sendfile off; # can cause issues # secure nginx https://cipherli.st/ ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 ssl_session_cache shared:SSL:10m; ssl_session_tickets off; # Requires nginx >= 1.5.9 ssl_stapling on; # Requires nginx >= 1.3.7 ssl_stapling_verify on; # Requires nginx => 1.3.7 resolver 8.8.8.8 8.8.4.4 valid=300s; resolver_timeout 5s; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; ssl_dhparam dhparam.pem; # nginx will find this file in the config directory set at nginx build time include mime.types; #fallback in case we can't determine a type default_type application/octet-stream; # buffering causes issues proxy_buffering off; # include hosts include conf.d/*.conf; }acme-client