Create notes on docker + nginx + let's encrypt

docker_nginx_lets_encrypt.md

@@ -0,0 +1,109 @@
+---
+author: Alvie Rahman
+date: \today
+title: Setting Up Nginx and Let's Encrypt in Docker
+---
+
+# Setting Up Nginx and Let's Encrypt in Docker
+
+This turned out to be way harder than I thought it would be.
+I tried to follow
+[this](https://pentacent.medium.com/nginx-and-lets-encrypt-with-docker-in-less-than-5-minutes-b4b8a60d3a71)
+post here but the `init-letsencrypt.sh` script didn't work for me.
+
+Most of the content here is from that post.
+
+## Create the Necessary Files
+
+### `docker-compose.yaml`
+
+Notice how `certbot`'s `entrypoint` field is commented out?
+Yeah, that's one of the things that tripped me up.
+When the autorenew entrypoint is specified, you can't perform one of the future steps.
+
+```yaml
+version: '3'
+
+services:
+  nginx:
+    image: nginx:1.15-alpine
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - ./data/nginx:/etc/nginx/conf.d
+      - ./data/certbot/conf:/etc/letsencrypt
+      - ./data/certbot/www:/var/www/certbot
+  certbot:
+    image: certbot/certbot
+    # entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
+    volumes:
+      - ./data/certbot/conf:/etc/letsencrypt
+      - ./data/certbot/www:/var/www/certbot
+```
+
+### `data/nginx/app.conf`
+
+Again, things are commented out in this file.
+The SSL section is commented out as Nginx cannot start an SSL server without first having SSL
+certificates but certbot won't give us SSL certificates unless we have a webserver (the certbot
+Docker image supports hosting a standalone server for this purpose but that would mean changing
+around the ports in `docker-compose.yaml`).
+
+Also the 301 redirect in the port 80 section is commented out as we don't want to immediately
+redirect certbot to a https URL we aren't listening for.
+
+```
+server {
+    listen 80;
+    server_name DOMAIN.NAME;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    location / {
+        #return 301 https://$host$request_uri;
+        proxy_pass http://example.com;
+    }    
+}
+
+# server {
+#     listen 443 ssl;
+#     server_name DOMAIN.NAME;
+#     
+#     location / {
+#         # anything you want can go in here, of course
+#         proxy_pass http://example.com;
+#     }
+#     ssl_certificate /etc/letsencrypt/live/DOMAIN.NAME/fullchain.pem;
+#     ssl_certificate_key /etc/letsencrypt/live/DOMAIN.NAME/privkey.pem;
+#     include /etc/letsencrypt/options-ssl-nginx.conf;
+#     ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+# }
+```
+
+## Set Your Domain
+
+Run the following command, replacing `REPLACEME` with your domain name:
+
+```
+sed -i 's/DOMAIN.NAME/REPLACEME/g data/nginx/app.conf'
+```
+
+## Get Your First Certificates
+
+Run the following commands:
+
+    docker-compose up -d nginx
+    docker-compose run certbot certonly --webroot /var/www/certbot
+
+Enter the information your are prompted for.
+
+## Enable HTTPS on Nginx and Auto Renew Certificates
+
+1. Uncomment the commented out server block in `data/nginx/app.conf`.
+2. Remove the `proxy_pass` line in the port 80 server block.
+3. Uncomment the line starting with `return 301`
+4. Restart Nginx (`docker-compose restart nginx`)
+5. Uncomment line beginning with `entrypoint` in `docker-compose.yaml`