first commit | nginx configs | compose files | ssl scripts

README.md

@@ -0,0 +1,24 @@
+### Production Container Helpers
+
+Nginx container
+
+Nodejs Application container
+
+
+Nginx serves the application as a reverse proxy.
+
+host-machine:8001 -> nginx:80 -> nodejs:3001
+
+
+#### Usage
+Change the configuration files labelled <CHANGE ME> with your domain
+
+Start containers: docker-compose up
+
+Stop and remove containers: ./kill_production.sh
+
+Generate new keys with certbot:
+    -Check using `sudo certbot renew --dry-run`
+    -Run the commands inside the `generatekeys.sh`
+    -DO NOT run `generatekeys.sh` as a script
+    -Run the `./rebuild.sh` script to use the new keys

docker-compose.yml

@@ -0,0 +1,12 @@
+version: '3'
+
+services:
+    nginx:
+        build:
+            context: .
+            dockerfile: ./nginx/Dockerfile
+        image: proxy-nginx
+        ports:
+            - "80:80"
+            - "443:443"
+        restart: always

kill_production.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+### Stops and removes the nginx proxy
+docker stop production_nginx_1 && docker rm production_nginx_1
+
+### Stops and removes the nodejs app container
+# docker stop production_nodejs_1 && docker rm production_nodejs_1

nginx/Dockerfile

@@ -0,0 +1,21 @@
+FROM nginx
+
+### Copy files from the temp build
+COPY ./nginx/temp/index.html /opt/<CHANGE_ME>/public/index.html
+
+### Setup SSL
+RUN mkdir -p /etc/ssl/private && chmod 700 /etc/ssl/private
+RUN mkdir -p /etc/ssl/certs && chmod 700 /etc/ssl/certs
+
+### Copy the SSL Certificate and Key
+COPY ./nginx/keys/letsencrypt.key /etc/ssl/private/letsencrypt.key
+COPY ./nginx/keys/letsencrypt.crt /etc/ssl/certs/letsencrypt.crt
+
+### Configure Nginx to Use SSL
+RUN mkdir -p /etc/nginx/snippets
+COPY ./nginx/configs/letsencrypt.conf /etc/nginx/snippets/letsencrypt.conf
+COPY ./nginx/configs/ssl-params.conf /etc/nginx/snippets/ssl-params.conf
+
+### Move over the nginx.conf and default.config server configs
+COPY ./nginx/configs/default.conf /etc/nginx/conf.d/default.conf
+COPY ./nginx/configs/nginx.conf /etc/nginx/nginx.conf

nginx/configs/default.conf

@@ -0,0 +1,63 @@
+# Upstream sites for proxy-ing
+upstream wp {
+     server <CHANGE_ME>:8082;
+}
+
+### Redirect regular traffic to SSL
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    server_name <CHANGE_ME> www.<CHANGE_ME>;
+
+    # return 301 https://$host$request_uri;
+
+    # root /opt/app/public/;
+    # WP Test
+    root /var/www/html;
+    index index.html index.htm index.php index.nginx-debian.html;
+
+    location / {
+        proxy_set_header    Host                 $host;
+        proxy_set_header    X-Real-IP            $remote_addr;
+        proxy_set_header    X-Forwarded-For      $proxy_add_x_forwarded_for;
+        proxy_set_header    X-Forwarded-Proto    $scheme;
+
+        proxy_pass          http://wp;
+        proxy_redirect      off;
+    }
+}
+
+### SSL Stuff
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name <CHANGE_ME> www.<CHANGE_ME>;
+
+    include snippets/letsencrypt.conf;
+    include snippets/ssl-params.conf;
+
+    root /var/www/html;
+    index index.html index.htm index.php index.nginx-debian.html;
+
+    # location / {
+    #    try_files $uri $uri/ /index.php;
+    # }
+
+    location / {
+        proxy_set_header        Host              $host;
+        proxy_set_header        X-Real-IP         $remote_addr;
+        proxy_set_header        X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header        X-Forwarded-Proto $scheme;
+        proxy_set_header        Accept-Encoding   "";
+        proxy_set_header        Proxy             "";
+
+        proxy_pass          http://wp;
+        proxy_redirect      off;
+    }
+
+    location ~/\.ht {
+        deny all;
+    }
+}

nginx/configs/letsencrypt.conf

@@ -0,0 +1,2 @@
+ssl_certificate /etc/ssl/certs/letsencrypt.crt;
+ssl_certificate_key /etc/ssl/private/letsencrypt.key;

nginx/configs/nginx.conf

@@ -0,0 +1,32 @@
+user  nginx;
+worker_processes  4;
+
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    keepalive_timeout  65;
+
+    #gzip  on;
+
+    # Bring over default server config
+    include /etc/nginx/conf.d/default.conf;
+}

nginx/configs/ssl-params.conf

@@ -0,0 +1,21 @@
+# from https://cipherli.st/
+# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+ssl_ecdh_curve secp384r1;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 8.8.8.8 8.8.4.4 valid=300s;
+resolver_timeout 5s;
+# Disable preloading HSTS for now.  You can use the commented out header line that includes
+# the "preload" directive if you understand the implications.
+#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
+add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+
+# ssl_dhparam /etc/ssl/certs/dhparam.pem;

nginx/temp/index.html

@@ -0,0 +1,11 @@
+<html>
+
+<head>
+    <title>Test Page</title>
+</head>
+
+<body>
+    <p>temp nginx folder</p>
+</body>
+
+</html>

rebuild_production.sh

@@ -0,0 +1,2 @@
+#!/bin/sh
+docker-compose build --no-cache && docker-compose up

renew_keys.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+docker stop production_nginx_1
+
+### Get new keys
+sudo certbot renew
+
+### Remove the old keys
+rm ~/production/nginx/keys/letsencrypt/old/letsencrypt.*
+
+### Deprecate and back up the current keys
+mv ~/production/nginx/keys/letsencrypt.* ~/production/nginx/keys/old
+
+### Copy over the new keys
+sudo cat /etc/letsencrypt/live/<CHANGE_ME>/fullchain.pem > ~/production/nginx/keys/letsencrypt.crt
+sudo cat /etc/letsencrypt/live/<CHANGE_ME>/privkey.pem > ~/production/nginx/keys/letsencrypt.key
+
+echo "RUN the ./rebuild.sh script now to move over the newly generated keys and restart the container"