Docker nginx ssl reverse proxy wildcard cert

OK, so here is how you can run nginx in Docker and configure it to terminate SSL with a single wildcard cert that covers multiple related domain names.

Create Folders

The first order of business is to create folders on the host machine that we will mount into the docker container for config files and logs.

$ mkdir -p ~/etc/nginx/conf.d
$ mkdir -p ~/var/log/nginx

After you have created all the config files and everything is up and running, you will end up with files like this.

~$ find etc/nginx/*
etc/nginx/woohoo-wildcard.key
etc/nginx/common
etc/nginx/conf.d
etc/nginx/conf.d/ratfoo.conf
etc/nginx/gd79_bundle.crt

~$ find var/*
var/log
var/log/nginx
var/log/nginx/foo.access.log
var/log/nginx/access.log
var/log/nginx/rat.access.log
var/log/nginx/error.log

Create Config Files

Next create your config files like so (we just catted them out for display).

~$ cat etc/nginx/common
ssl_certificate           gd79_bundle.crt;
ssl_certificate_key       woohoo-wildcard.key;
# "ssl on;" was removed in current nginx releases, so the server blocks
# below enable TLS with "listen 443 ssl;" instead.
ssl_session_cache  builtin:1000  shared:SSL:10m;
# TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them once your clients allow it.
ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;

~$ cat etc/nginx/conf.d/ratfoo.conf
# Redirect all plain-HTTP requests to HTTPS on the same host and path.
server {
    listen 80;
    return 301 https://$host$request_uri;
}

server {

    listen 443 ssl;
    server_name rat.woohoo.com;

    include common;

    access_log            /var/log/nginx/rat.access.log;

    location / {

      # Pass the original host, client IP and scheme through to the backend.
      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;

      # Fix the "It appears that your reverse proxy set up is broken" error.
      proxy_pass          http://localhost:1919;
      proxy_read_timeout  90;

      # Rewrite Location headers the backend emits for itself back to the public name.
      proxy_redirect      http://localhost:1919 https://rat.woohoo.com;
    }
}

server {

    listen 443 ssl;
    server_name foo.woohoo.com;

    include common;

    access_log            /var/log/nginx/foo.access.log;

    location / {

      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;

      # Fix the "It appears that your reverse proxy set up is broken" error.
      # (The second hello-world container below listens on 2020 if you want
      # a separate backend for this host.)
      proxy_pass          http://localhost:1919;
      proxy_read_timeout  90;

      proxy_redirect      http://localhost:1919 https://foo.woohoo.com;
    }
}

Spin Up Hello World Dockers

Here we spin up two dockers that just display hello world in response to HTTP requests.

docker run -d -p 1919:80 tutum/hello-world 
docker run -d -p 2020:80 tutum/hello-world 

Spin up nginx Docker

Finally, spin up your nginx docker.

docker run -d \
 --net=host \
 -v /home/ubuntu/etc/nginx/conf.d:/etc/nginx/conf.d \
 -v /home/ubuntu/etc/nginx/common:/etc/nginx/common \
 -v /home/ubuntu/etc/nginx/gd79_bundle.crt:/etc/nginx/gd79_bundle.crt \
 -v /home/ubuntu/etc/nginx/woohoo-wildcard.key:/etc/nginx/woohoo-wildcard.key \
 -v /home/ubuntu/var/log/nginx:/var/log/nginx \
 nginx

That's All

Assuming foo.woohoo.com and rat.woohoo.com map to the public IP of your server . . .

And assuming port 443 is not blocked by firewalls or AWS security groups . . .

You should be able to browse to https://foo.woohoo.com and https://rat.woohoo.com, and see a lovely hello world page.

The only other trick is getting your ssl_certificate and ssl_certificate_key correct. That's a topic for another time.
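One part of getting the cert right is making sure the wildcard actually covers every server_name nginx will answer for: browsers match a wildcard only against a single leftmost label, so *.woohoo.com covers rat.woohoo.com and foo.woohoo.com but not the apex woohoo.com or a deeper name like api.rat.woohoo.com. The checker below is an added example, not part of the original post; the sample conf text and the extra hostnames in it are constructed for illustration.

```python
import re

# Constructed sample: the server_name lines of a conf like ratfoo.conf above,
# plus a third block with two hosts the wildcard does NOT cover.
SAMPLE_CONF = """
server { listen 443 ssl; server_name rat.woohoo.com; include common; }
server { listen 443 ssl; server_name foo.woohoo.com; include common; }
server { listen 443 ssl; server_name woohoo.com api.rat.woohoo.com; include common; }
"""


def server_names(conf: str) -> list[str]:
    """Collect every hostname listed in a server_name directive."""
    names = []
    for m in re.finditer(r"server_name\s+([^;]+);", conf):
        names.extend(m.group(1).split())
    return names


def san_matches(san: str, host: str) -> bool:
    """RFC 6125-style match as TLS clients do it: a wildcard stands for
    exactly one whole leftmost label, so *.woohoo.com covers foo.woohoo.com
    but neither woohoo.com nor api.rat.woohoo.com."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in san:
        return san == host
    san_labels, host_labels = san.split("."), host.split(".")
    if san_labels[0] != "*" or len(san_labels) < 3:
        return False  # only a bare leftmost "*" with at least two more labels
    return (len(host_labels) == len(san_labels)
            and host_labels[1:] == san_labels[1:])


def uncovered_hosts(conf: str, sans: list[str]) -> list[str]:
    """Return the server_names that no SAN in the certificate covers;
    these hosts would produce a certificate mismatch in the browser."""
    return [h for h in server_names(conf)
            if not any(san_matches(s, h) for s in sans)]


if __name__ == "__main__":
    print("not covered by *.woohoo.com:", uncovered_hosts(SAMPLE_CONF, ["*.woohoo.com"]))
```

Feed it the SAN list from `openssl x509 -in gd79_bundle.crt -noout -ext subjectAltName` and the real conf.d files before deploying, and any name it reports needs either its own SAN or a different cert.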
