certbot docker nginx selfhost

Go to file

Mageas 270d51afc9 Refactor scripts (#1 ) Co-authored-by: Mageas <gpg@mageas.net> Reviewed-on: #1		2023-02-03 16:15:54 +01:00
certbot	Refactor scripts (#1 )	2023-02-03 16:15:54 +01:00
nginx/conf.d	Initial commit	2021-09-02 12:45:50 +02:00
LICENSE	Add LICENSE	2021-09-02 10:49:33 +00:00
README.md	Refactor scripts (#1 )	2023-02-03 16:15:54 +01:00
docker-compose.yml	Remove permissions	2021-09-16 15:21:02 +02:00

README.md

Certginx

Certginx is a helper tool to generate certbot certificates. It is compatible with multiple domains and support multiple applications.

This project is neither affiliated with cerbot nor nginx.

How to use certginx

Configuring firewall

Make sure your firewall allows the incoming 80 and 443 ports.

Open ports with iptables:

iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT

Configuring nginx

./nginx/conf.d/subdomain.domain.com.conf

./nginx/conf.d/subdomain.domain.com.conf
Replace all the occurrences of subdomain.domain.com with your domain name. Rename `up-app` with `up-<app-name>`, it may create conflicts if you use the same name between files. Rename `./nginx/conf.d/subdomain.domain.com.conf` with `./nginx/conf.d/<your-domain>.conf`.

Replace all the occurrences of subdomain.domain.com with your domain name.

Rename up-app with up-<app-name>, it may create conflicts if you use the same name between files.

Rename ./nginx/conf.d/subdomain.domain.com.conf with ./nginx/conf.d/<your-domain>.conf.

Configuring certbot

Every time you want to add a new domain. You need to configure the file below.

./certbot/add_domain.sh
Update DOMAINS and EMAIL variables to begin the installation. If you are testing, put STAGING to 1 to avoid hitting request limits.

Executing the script

Run the script with ./certbot/add_domain.sh.

Configuring after script

Update ./nginx/conf.d/<your-domain>.conf to suit your needs.

./nginx/conf.d/.conf
Update localhost in `up-<app-name>` section with the name of your docker container.

Communicating between certginx and your app

I will use example-app as network, you may rename it.

./docker-compose.yml

./docker-compose.yml
At the end of `nginx` service, add: `networks: - example-app` At the end of the file, add: `networks: example-app: external: true` External networks are not automatically created by docker-compose. To do so, just run the command below: `docker network create example-app`

At the end of nginx service, add:

networks:
    - example-app

At the end of the file, add:

networks:
    example-app:
        external: true

External networks are not automatically created by docker-compose. To do so, just run the command below:

docker network create example-app

You need to do the same thing in your docker-compose.yml app, but instead of nginx service, it will be your communicating service.

Best practice to deploy

The best way to deploy your app with certginx is to create a user per application (eg. user certginx for certgins and user website for your website).

Secure your nginx

Use the latest ssl protocols.

./nginx/conf.d/00_tls-cipher.conf
`ssl_protocols TLSv1.3; ssl_prefer_server_ciphers off;`

Catch bad sni (replace dummy-certificate with a dummy certificate).

./nginx/conf.d/01_catch-bad-sni.conf

./nginx/conf.d/01_catch-bad-sni.conf
`server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name _; ssl_certificate /etc/letsencrypt/live/dummy-certificate/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/dummy-certificate/privkey.pem; return 444; }`

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name _;

    ssl_certificate /etc/letsencrypt/live/dummy-certificate/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dummy-certificate/privkey.pem;

    return 444;
}

Catch bad vhost.

./nginx/conf.d/01_catch-bad-vhost.conf
`server { listen 80; listen [::]:80; server_name _; return 444; }`

Credits

nginx-certbot the base of the add_domain script.