@Gibby
Last active January 3, 2020 19:00
docker-compose example for offloading SSL with NGINX and Let's Encrypt certificates for services not running on Docker, like BlueIris

Update the environment and volumes sections in docker-compose.yaml.

To get a valid certificate without allowing external access to the service, see https://github.com/jwilder/nginx-proxy#internet-vs-local-network-access

Requirements for docker-compose.yaml:

  • nginx-proxy must be publicly reachable on both port 80 and 443.
  • Check your firewall rules/port forwards and do not attempt to block port 80 as that will prevent http-01 challenges from completing.
  • For the same reason, you can't use nginx-proxy's HTTPS_METHOD=nohttp.
  • The (sub)domains you want to issue certificates for must correctly resolve to the host.
  • Your DNS provider must answer correctly to CAA record requests.
  • If your (sub)domains have AAAA records set, the host must be publicly reachable over IPv6 on port 80 and 443.

IMAGES

For services running on Docker, just add the following environment variables to the container:

    VIRTUAL_PORT: # Needed if more than 1 port is exposed
    VIRTUAL_HOST: # URL you want to use, must be publicly accessible
    LETSENCRYPT_HOST: # URL you want to use, must be publicly accessible

version: '3.7'
services:
  # Just replace blueiris below with any other service not on docker if you want a valid SSL for it.
  # In BlueIris under Web Server change Remote to the same as VIRTUAL_HOST/LETSENCRYPT_HOST below
  # In BlueIris under Web Server check Stunnel and set to port 443
  blueiris-cert:
    container_name: blueiris-cert
    hostname: blueiris-cert
    image: gibby/dummy
    restart: always
    environment:
      TZ: America/New_York
      VIRTUAL_IP: x.x.x.x # BlueIris IP Address
      VIRTUAL_PORT: 80 # BlueIris Web Port Number
      VIRTUAL_HOST: blueiris.mydomain.com # URL you want to use, must be publicly accessible
      LETSENCRYPT_HOST: blueiris.mydomain.com # URL you want to use, must be publicly accessible
  nginx-proxy:
    container_name: nginx-proxy
    hostname: nginx-proxy
    image: gibby/nginx-proxy:alpine
    restart: always
    ports:
      - "80:80"
      - "443:443"
    environment:
      TZ: America/New_York
    volumes:
      # Host paths are written relative to this file (leading ./); change them to where you keep the proxy's data.
      - ./nginx-proxy/etc/nginx/proxy.conf:/etc/nginx/proxy.conf
      - ./nginx-proxy/etc/nginx/certs:/etc/nginx/certs
      - ./nginx-proxy/etc/nginx/conf.d:/etc/nginx/conf.d
      - ./nginx-proxy/etc/nginx/vhost.d:/etc/nginx/vhost.d:ro
      - ./nginx-proxy/usr/share/nginx/html:/usr/share/nginx/html
      # :ro only makes the socket file read-only; a container holding it can still send any Docker API request.
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
  nginx-proxy-le:
    container_name: nginx-proxy-le
    hostname: nginx-proxy-le
    image: jrcs/letsencrypt-nginx-proxy-companion:v1.11
    restart: always
    environment:
      DEFAULT_EMAIL: you@example.com # placeholder: set your own contact address
      NGINX_PROXY_CONTAINER: nginx-proxy
      TZ: America/New_York
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./nginx-proxy/etc/nginx/certs:/etc/nginx/certs
      - ./nginx-proxy/etc/nginx/conf.d:/etc/nginx/conf.d
      - ./nginx-proxy/etc/nginx/vhost.d:/etc/nginx/vhost.d
      - ./nginx-proxy/usr/share/nginx/html:/usr/share/nginx/html
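
The requirements listed earlier can be checked before `docker-compose up`. The following is an added example, not part of the original gist: it lints an already-parsed compose mapping (for instance the result of `yaml.safe_load`) for the two published ports, `HTTPS_METHOD=nohttp`, and `LETSENCRYPT_HOST` names that have no `VIRTUAL_HOST`. The function names and the sample input are hypothetical, and the host-matching check is an assumption drawn from the comments on those two variables.

```python
# Added example: checks a parsed compose mapping against the requirements above.
def env_of(svc):
    """Environment as a dict; compose accepts both map and "KEY=value" list form."""
    env = svc.get("environment") or {}
    if isinstance(env, list):
        env = dict(e.split("=", 1) if "=" in e else (e, "") for e in env)
    return {k: str(v) for k, v in env.items()}

def host_ports(svc):
    """Host-side ports from short-syntax entries ("80:80", "0.0.0.0:443:443/tcp")."""
    out = set()
    for entry in svc.get("ports") or []:
        parts = str(entry).split("/")[0].split(":")
        if len(parts) >= 2:  # a bare "80" publishes a random host port, so skip it
            out.add(parts[-2])
    return out

def names(value):
    """Split a comma-separated VIRTUAL_HOST / LETSENCRYPT_HOST value."""
    return {n.strip() for n in value.split(",") if n.strip()}

def lint(compose, proxy="nginx-proxy"):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    services = compose.get("services") or {}
    missing = {"80", "443"} - host_ports(services.get(proxy) or {})
    if missing:
        findings.append(f"{proxy}: host port(s) {', '.join(sorted(missing))} not published")
    for name, svc in services.items():
        env = env_of(svc)
        if env.get("HTTPS_METHOD") == "nohttp":
            findings.append(f"{name}: HTTPS_METHOD=nohttp blocks http-01 challenges")
        orphan = names(env.get("LETSENCRYPT_HOST", "")) - names(env.get("VIRTUAL_HOST", ""))
        if orphan:
            findings.append(f"{name}: {', '.join(sorted(orphan))} has no matching VIRTUAL_HOST")
    return findings

# Constructed sample input (not the page's file): port 443 missing, nohttp set,
# and a LETSENCRYPT_HOST typo that leaves the name without a vhost.
SAMPLE = {"services": {
    "nginx-proxy": {"ports": ["80:80"]},
    "blueiris-cert": {"environment": {
        "VIRTUAL_HOST": "blueiris.mydomain.com",
        "LETSENCRYPT_HOST": "blueiris.mydomian.com",
        "HTTPS_METHOD": "nohttp"}},
}}

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```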