Docker nginx ssl reverse proxy wildcard cert
OK, so here is how you can run nginx in docker and configure it to terminate SSL with a wildcard cert and serve multiple related domain names.
Create Folders
The first order of business is to create folders on the host machine for config files and logs; we will bind-mount them into the docker container.
$ mkdir -p ~/etc/nginx/conf.d
$ mkdir -p ~/var/log/nginx
After you have created all the config files and everything is up and running you will end up with files like this.
~$ find etc/nginx/*
etc/nginx/woohoo-wildcard.key
etc/nginx/common
etc/nginx/conf.d
etc/nginx/conf.d/ratfoo.conf
etc/nginx/gd79_bundle.crt
~$ find var/*
var/log
var/log/nginx
var/log/nginx/foo.access.log
var/log/nginx/access.log
var/log/nginx/rat.access.log
var/log/nginx/error.log
Create Config Files
Next, create your config files like so (we just catted them out for display).
~$ cat etc/nginx/common
# Wildcard cert bundle and key for *.woohoo.com; paths are relative to /etc/nginx.
ssl_certificate gd79_bundle.crt;
ssl_certificate_key woohoo-wildcard.key;
ssl_session_cache builtin:1000 shared:SSL:10m;
# TLSv1 and TLSv1.1 are kept from the original; drop them unless legacy clients need them.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
~$ cat etc/nginx/conf.d/ratfoo.conf
# Redirect every plain-HTTP request to HTTPS, keeping host and path.
server {
    listen 80;
    return 301 https://$host$request_uri;
}
server {
    # "ssl" on the listen directive replaces the deprecated "ssl on;" setting.
    listen 443 ssl;
    server_name rat.woohoo.com;
    include common;
    access_log /var/log/nginx/rat.access.log;
    location / {
        # Tell the backend who the real client is and that the request arrived over HTTPS.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Fix the "It appears that your reverse proxy set up is broken" error.
        proxy_pass http://localhost:1919;
        proxy_read_timeout 90;
        proxy_redirect http://localhost:1919 https://rat.woohoo.com;
    }
}
server {
    listen 443 ssl;
    server_name foo.woohoo.com;
    include common;
    access_log /var/log/nginx/foo.access.log;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Fix the "It appears that your reverse proxy set up is broken" error.
        # Both vhosts currently point at the first hello-world container;
        # change the port to 2020 to use the second one.
        proxy_pass http://localhost:1919;
        proxy_read_timeout 90;
        proxy_redirect http://localhost:1919 https://foo.woohoo.com;
    }
}
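The backend behind this proxy only ever sees plain HTTP from the proxy's own address, so it has to recover the real client IP and scheme from the X-Real-IP, X-Forwarded-For and X-Forwarded-Proto headers set above, and it must ignore those headers when a request did not come through nginx. The following is an added example (not code from the original post or from nginx); it assumes the backend observes the proxy's connections from the loopback range, which you should adjust to the source address your backend actually sees.

```python
import ipaddress

# Assumption for this example: nginx reaches the backend from loopback.
# For a port-mapped container this may instead be the docker bridge gateway;
# set it to the peer address the backend really observes.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8")]


def _from_trusted_proxy(peer: str) -> bool:
    """True when the TCP peer that delivered the request is our nginx."""
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in TRUSTED_PROXIES)


def client_info(peer: str, headers: dict) -> dict:
    """Return the client address and scheme the application should act on.

    peer:    address of the TCP peer that delivered the request
    headers: request headers; header names are matched case-insensitively
    """
    h = {k.lower(): v for k, v in headers.items()}
    if not _from_trusted_proxy(peer):
        # Direct hit on the backend port, bypassing nginx: the client could
        # have written any X-Forwarded-* value, so none of them are trusted.
        return {"ip": peer, "scheme": "http", "via_proxy": False}
    # nginx overwrites X-Real-IP with the address it saw ($remote_addr), so it
    # is the reliable choice. $proxy_add_x_forwarded_for appends that same
    # address to any client-supplied list, so the rightmost entry is nginx's;
    # everything to the left came from the client and is untrusted.
    ip = h.get("x-real-ip")
    if not ip:
        xff = [p.strip() for p in h.get("x-forwarded-for", "").split(",") if p.strip()]
        ip = xff[-1] if xff else peer
    # $scheme is "https" in the 443 vhosts; use it for Secure cookies and
    # absolute URLs so the app does not generate http:// links behind TLS.
    scheme = h.get("x-forwarded-proto", "http").lower()
    if scheme not in ("http", "https"):
        scheme = "http"
    return {"ip": ip, "scheme": scheme, "via_proxy": True}
```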
Spin Up Hello World Dockers
Here we spin up two containers that simply return a hello-world page in response to HTTP requests.
docker run -d -p 1919:80 tutum/hello-world
docker run -d -p 2020:80 tutum/hello-world
Spin up nginx Docker
Finally, spin up your nginx container (--net=host lets it reach the hello-world ports on localhost):
docker run -d \
--net=host \
-v /home/ubuntu/etc/nginx/conf.d:/etc/nginx/conf.d \
-v /home/ubuntu/etc/nginx/common:/etc/nginx/common \
-v /home/ubuntu/etc/nginx/gd79_bundle.crt:/etc/nginx/gd79_bundle.crt \
-v /home/ubuntu/etc/nginx/woohoo-wildcard.key:/etc/nginx/woohoo-wildcard.key \
-v /home/ubuntu/var/log/nginx:/var/log/nginx \
nginx
That's All
Assuming foo.woohoo.com and rat.woohoo.com resolve to the public IP of your server, and assuming port 443 is not blocked by firewalls or AWS security groups, you should be able to browse to https://foo.woohoo.com and https://rat.woohoo.com and see a lovely hello world page.
The only other trick is getting your ssl_certificate and ssl_certificate_key correct. That's a topic for another time.