# Reverse proxy + TLS (Nginx + Certbot)
## Goal
- Terminate TLS in one place.
- Route by hostname to app containers.
- Use Certbot with the webroot challenge.
## Folder layout
Create these folders and files next to your docker-compose.yml:
```
certbot/conf/
certbot/www/
nginx/conf.d/apps.conf
initdb/          (optional)
```
{% hint style="info" %}
I use initdb/ for optional Postgres init scripts (users, databases).
{% endhint %}
## Nginx + Postgres config
Paste this into docker-compose.yml:
```yaml
version: "3.9"

services:
  # One-shot container: run it with `docker compose run` to obtain certificates.
  certbot:
    image: certbot/certbot:latest
    container_name: certbot
    volumes:
      - ./certbot/www:/var/www/certbot     # webroot for the HTTP-01 challenge
      - ./certbot/conf:/etc/letsencrypt    # issued certificates and account data

  nginx:
    image: nginx:alpine
    container_name: nginx
    restart: unless-stopped
    depends_on:                            # app services defined elsewhere in this file
      - freshrss
      - wallabag
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx/conf.d:/etc/nginx/conf.d:ro   # apps.conf lives here
      - ./certbot/www:/var/www/certbot:ro     # nginx serves the challenge files read-only
      - ./certbot/conf:/etc/letsencrypt:ro    # nginx reads certificates read-only

  postgres:
    image: postgres:16
    container_name: postgres
    restart: unless-stopped
    environment:
      POSTGRES_USER: postgres
      POSTGRES_PASSWORD: change_this_admin_password
    volumes:
      - ./postgres_data:/var/lib/postgresql/data
      - ./initdb:/docker-entrypoint-initdb.d   # optional init scripts (users, databases)
    ports:
      - "5432:5432"   # published on every host interface; use "127.0.0.1:5432:5432" if only local access is needed
```
## Certbot command
Use this when you add a new subdomain under manxialiu.org:
```bash
docker compose run --rm certbot certonly \
  --webroot -w /var/www/certbot \
  -d wallabag.manxialiu.org \
  -d freshrss.manxialiu.org \
  -d monica.manxialiu.org \
  -d woeditor.manxialiu.org \
  --email you@example.com \
  --agree-tos \
  --no-eff-email
```
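As an added example (not from the original page), here is an `nginx/conf.d/apps.conf` that matches this layout: port 80 serves the webroot challenge from `/var/www/certbot` and redirects everything else to HTTPS, and port 443 routes by hostname to the app containers. It assumes the `wallabag` and `freshrss` containers listen on port 80 on the compose network, and that the certificate lineage is named after the first `-d` domain in the command above.

```nginx
# Port 80: serve the ACME webroot challenge, send everything else to HTTPS.
server {
    listen 80;
    server_name wallabag.manxialiu.org freshrss.manxialiu.org;

    # Certbot drops challenge files under ./certbot/www on the host.
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: one server block per hostname, each proxying to its container.
# Certbot names the lineage after the first -d domain, so both hosts share
# /etc/letsencrypt/live/wallabag.manxialiu.org/. Bring nginx up with only the
# port-80 block until that directory exists, or nginx refuses to start.
server {
    listen 443 ssl;
    server_name wallabag.manxialiu.org;
    ssl_certificate     /etc/letsencrypt/live/wallabag.manxialiu.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/wallabag.manxialiu.org/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://wallabag:80;   # assumed: wallabag container listens on 80
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 443 ssl;
    server_name freshrss.manxialiu.org;
    ssl_certificate     /etc/letsencrypt/live/wallabag.manxialiu.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/wallabag.manxialiu.org/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://freshrss:80;   # assumed: freshrss container listens on 80
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The certbot service above has no long-running command, so renewals are a manual `docker compose run --rm certbot renew` followed by `docker compose exec nginx nginx -s reload` so nginx picks up the new files.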
