Nginx as reverse proxy with acme (letsencrypt)

From Alpine Linux

Introduction

This setup will allow you to have multiple servers/containers be accessible via a single IP address with the added benefit of centralized generation of letsencrypt certificates and secure https (according to ssllabs ssltest).

Installation

For this howto we need two tools, NGINX and acme-client. lets install them.

apk add nginx acme-client

Setup

NGINX

First step is to refactor our global nginx.conf

# ngnix configuration file
user  nginx;
worker_processes  1; # use "auto" to use all available cores (high performance)

events {
    worker_connections  1024; # increase if you need more connections
}

http {
    # server_names_hash_bucket_size controls the maximum length
    # of a virtual host entry (ie the length of the domain name).
    server_names_hash_bucket_size   64;
    server_tokens                   off; # hide who we are
    sendfile                        off; # can cause issues

    # secure nginx https://cipherli.st/
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx => 1.3.7
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    ssl_dhparam dhparam.pem;

    # nginx will find this file in the config directory set at nginx build time
    include mime.types;

    #fallback in case we can't determine a type
    default_type application/octet-stream;

    # buffering causes issues
    proxy_buffering off;

    # include hosts
    include conf.d/*.conf;
}

acme-client