Skip to content

hartwork/docker-ssl-reverse-proxy

BranchesTags

Repository files navigation

About docker-ssl-reverse-proxy

My situation was this: I had multiple Docker containers serving websites on port 80. I wanted a single reverse proxy with SSL powered by Let's Encrypt in front of them that keeps certificates fresh and supports multiple domain names per website (e.g. with www. subdomain and without). Plain HTTP should be redirected to HTTPS on the master domain for each website, alias domains should redirect to the master domain for both HTTP and HTTPS. And that reverse proxy should also run in a Docker container.

This repository has all of that. The heavy lifting is done by Caddy and there's a small tool to generate Caddy configuration from a minimal ini-like sites.cfg file for you (see example).

Thanks to Abiola Ibrahim (@abiosoft) for sharing his Caddy 1.x.x Docker images that I build upon prior to switching to official Caddy 2.x.x Docker images.

Getting Started

  1. Create a simple sites.cfg file manually as seen in the example.

  2. Run ./Caddyfile.generate to generate Caddyfile from sites.cfg for you.

  3. Create Docker network ssl-reverse-proxy for the reverse proxy and its backends to talk:
    docker network create --internal ssl-reverse-proxy

  4. Spin up the container:
    docker-compose up -d --build

  5. Have backend containers join network ssl-reverse-proxy, e.g. as done in the proxy's own docker-compose.yml file.

  6. Enjoy.

How to write the sites.cfg file

The format is rather simple and has four options only. Let's look at this example:

[example.org]
backend = example-org:80
aliases =
    www.example.org
        example.net
    www.example.net

Section name example.org sets the master domain name that all alias domains redirect to. backend points to the hostname and port that serves actual content. Here, example-org is the name of the Docker container that Docker DNS will let us access because we made both containers join external network ssl-reverse-proxy in their docker-compose.yml files. aliases is an optional list of domain names to have both HTTP and HTTPS redirect to master domain example.org. Adding hsts_preload = true is optional, defaults to false, and extends the HSTS response headers to unlock addition to the browser preload list at https://hstspreload.org/. That's it.

The Caddyfile generated from that very sites.cfg would read:

# NOTE: This file has been generated, do not edit
(common) {
    encode zstd gzip
    log {
        output stdout
    }
}

example.org {
    import common
    reverse_proxy example-org:80 {
        header_down +Strict-Transport-Security "max-age=63072000; includeSubDomains"
    }
}

example.net {
    import common
    redir https://example.org{uri}
}

www.example.net {
    import common
    redir https://example.org{uri}
}

www.example.org {
    import common
    redir https://example.org{uri}
}

Support and Contributing

If you run into issues or have questions, please open an issue ticket for that.

Please know that sites.cfg and Caddyfile.generate are not meant to cover much more than they already do. If it grows as powerful as Caddyfile we have failed.

About

🔒 Easy-to-use auto-SSL reverse proxy as a Docker container based on Caddy and Let’s Encrypt

Topics

python letsencrypt docker tls ssl docker-compose https proxy docker-image python3 reverse-proxy caddy python-3 reverseproxy ssl-proxy lets-encrypt tls-proxy

Resources

Readme
Activity

Stars

25 stars

Watchers

4 watching

Forks

4 forks
Report repository

Contributors 4

  •  
  •  
  •  
  •  

Languages