# Reverse proxy + TLS (Nginx + Certbot)

### Goal

* Terminate TLS in one place.
* Route by hostname to app containers.
* Use Certbot with the webroot challenge.

### Folder layout

Create these folders and files next to your `docker-compose.yml`:

* `certbot/conf/` (Certbot state and issued certificates; mounted read-only into Nginx)
* `certbot/www/` (the webroot where Certbot writes ACME challenge tokens; Nginx must serve it on port 80)
* `nginx/conf.d/apps.conf` (the server blocks: ACME challenge location, HTTP-to-HTTPS redirect, one TLS vhost per subdomain)
* `initdb/` (optional)

{% hint style="info" %}
I use `initdb/` for optional Postgres init scripts (users, databases).
{% endhint %}

### Nginx + Postgres config

Add these services to the `docker-compose.yml` that already defines your app containers (`freshrss`, `wallabag`, ...). The `depends_on` entries refer to those services, and Compose refuses to start Nginx if they are not defined in the same file:

```yaml
services:
  certbot:
    image: certbot/certbot:latest
    container_name: certbot
    volumes:
      - ./certbot/www:/var/www/certbot
      - ./certbot/conf:/etc/letsencrypt

  nginx:
    image: nginx:alpine
    container_name: nginx
    restart: unless-stopped
    depends_on:   # app services defined elsewhere in this file; only start order, not readiness
      - freshrss
      - wallabag
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx/conf.d:/etc/nginx/conf.d:ro
      - ./certbot/www:/var/www/certbot:ro
      - ./certbot/conf:/etc/letsencrypt:ro

  postgres:
    image: postgres:16
    container_name: postgres
    restart: unless-stopped
    environment:
      POSTGRES_USER: postgres
      POSTGRES_PASSWORD: change_this_admin_password
    volumes:
      - ./postgres_data:/var/lib/postgresql/data
      - ./initdb:/docker-entrypoint-initdb.d
    ports:
      # Bind to loopback only: a bare "5432:5432" publishes the superuser login on every
      # interface. Drop the mapping entirely if only containers on the compose network need it.
      - "127.0.0.1:5432:5432"
```

### Certbot command

Use this when you add a new subdomain under `manxialiu.org`. Nginx must already be running and serving `/.well-known/acme-challenge/` from `/var/www/certbot` on port 80, and every `-d` name must resolve to this host, or the challenge fails. Certbot names the certificate after the first `-d` domain, so the files land in `certbot/conf/live/wallabag.manxialiu.org/` (`fullchain.pem`, `privkey.pem`). Re-running with an extra `-d` prompts to expand the existing certificate; pass `--expand` to accept non-interactively. Renew with `docker compose run --rm certbot renew` and reload Nginx afterwards, because Nginx only reads certificate files at start or reload.

```bash
docker compose run --rm certbot certonly \
  --webroot -w /var/www/certbot \
  -d wallabag.manxialiu.org \
  -d freshrss.manxialiu.org \
  -d monica.manxialiu.org \
  -d woeditor.manxialiu.org \
  --email you@example.com \
  --agree-tos \
  --no-eff-email
```
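The page never shows `nginx/conf.d/apps.conf`, and there is an ordering problem it glosses over: a TLS vhost references certificate files that do not exist until Certbot has run, but Certbot's webroot challenge needs Nginx up and answering on port 80. The script below is an added example (not the page's own file) that renders the HTTP-only challenge listener first, issues the certificate with the page's command, then appends the TLS vhosts and reloads. The upstream names `wallabag:80` and `freshrss:80` are assumptions about how the app containers are named and which port they listen on; the lineage name `wallabag.manxialiu.org` follows Certbot's rule of naming the certificate after the first `-d` domain.

```shell
#!/bin/sh
# bootstrap-tls.sh: run from the directory holding docker-compose.yml.
# Added example, not the page's own code. Assumes the app containers are named
# "wallabag" and "freshrss" and listen on port 80 inside the compose network.
set -eu

# HTTP listener: answers the ACME webroot challenge and redirects everything
# else to HTTPS. This block alone lets nginx start before any cert exists.
render_acme_http_conf() {
  cat <<'EOF'
server {
    listen 80;
    listen [::]:80;
    server_name _;

    # certbot writes tokens under /var/www/certbot/.well-known/acme-challenge/
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
EOF
}

# One TLS vhost. $1 = hostname, $2 = upstream (service:port),
# $3 = certbot lineage name (first -d domain, or whatever --cert-name set).
render_tls_vhost() {
  cat <<EOF
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name $1;

    ssl_certificate     /etc/letsencrypt/live/$3/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$3/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://$2;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

# Full apps.conf: the challenge/redirect listener plus one vhost per host=upstream pair.
# $1 = lineage name, remaining args = host=upstream
render_apps_conf() {
  cert_name=$1; shift
  render_acme_http_conf
  for pair in "$@"; do
    render_tls_vhost "${pair%%=*}" "${pair#*=}" "$cert_name"
  done
}

bootstrap() {
  conf=nginx/conf.d/apps.conf
  # 1. Start nginx with the HTTP-only config so the challenge can be served.
  render_acme_http_conf > "$conf"
  docker compose up -d nginx
  # 2. Issue the certificate (the page's command; lineage = first -d domain).
  docker compose run --rm certbot certonly --webroot -w /var/www/certbot \
    -d wallabag.manxialiu.org -d freshrss.manxialiu.org \
    --email you@example.com --agree-tos --no-eff-email
  # 3. The cert files now exist: write the TLS vhosts, syntax-check, reload.
  render_apps_conf wallabag.manxialiu.org \
    wallabag.manxialiu.org=wallabag:80 \
    freshrss.manxialiu.org=freshrss:80 > "$conf"
  docker compose exec nginx nginx -t
  docker compose exec nginx nginx -s reload
}

# Renewal only replaces the files on disk; nginx must reload to pick them up.
# Run this from cron (daily is fine; certbot skips certs not yet due).
renew() {
  docker compose run --rm certbot renew
  docker compose exec nginx nginx -s reload
}

case "${1:-}" in
  bootstrap) bootstrap ;;
  renew) renew ;;
esac
```

Run `sh bootstrap-tls.sh bootstrap` once, then `sh bootstrap-tls.sh renew` from cron. The challenge `location` uses `^~` so no regex location elsewhere in `conf.d` can shadow it, and the 443 block sends `X-Forwarded-Proto https` so apps behind the proxy generate HTTPS links.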
