Nginx config with Certbot
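---
# Compose stack: the application behind an nginx TLS terminator, with a
# certbot sidecar that renews the Let's Encrypt certificate into a shared
# volume. Indentation restored; the original was flattened.
version: '3'

services:
  app:
    image: my_app_image_here
    logging:
      driver: "json-file"
      options:
        max-file: "5"
        max-size: "10m"
    restart: always
    environment:
      ONE_ENV: "here"

  # Requires creating the certificates first using:
  # docker run --rm -it -v /certificates:/etc/letsencrypt -p 443:443 certbot/certbot certonly --authenticator standalone
  # nginx.conf references live/domain.com/{fullchain,privkey}.pem, so nginx
  # will not start until that first issuance has populated /certificates.
  certbot:
    image: certbot/certbot
    # Re-runs certonly every 12h; certbot itself decides whether the
    # certificate is due for renewal. The webroot is the same directory that
    # holds the private keys, so nginx must expose only
    # /.well-known/acme-challenge/ from it (nginx.conf does exactly that).
    # Written as a list + block scalar instead of an escaped one-liner;
    # same command, no nested-quote juggling.
    entrypoint:
      - sh
      - "-c"
      - |-
        while true; do
          certbot certonly --domains domain.com --webroot --webroot-path=/etc/letsencrypt -n
          sleep 12h
        done
    logging:
      driver: "json-file"
      options:
        max-file: "5"
        max-size: "10m"
    restart: always
    volumes:
      # read-write: certbot writes keys, certificates and challenge files here
      - letsencrypt:/etc/letsencrypt
    depends_on:
      # the HTTP-01 challenge is answered by nginx on port 80
      - nginx

  # This container must be reloaded from time to time to pick the new certificates ~ 6h?
  # Possibilities:
  # - Internal script in the container refreshing the configs (its what I would do with a custom image)
  # - CRON job doing "docker kill -s HUP <container_id>"
  #
  nginx:
    image: nginx:1.17.4  # pinned; review the tag when bumping the stack
    # nginx runs in the background while the foreground loop reloads it every
    # 12h so renewed certificates are picked up.
    # Fix: the reload and the sleep are no longer chained with `&&`. Before,
    # a failed reload (e.g. the nginx master had died) skipped the sleep and
    # the loop spun at full CPU, flooding the logs.
    # NOTE(review): `sh` is PID 1 here, so `docker stop` signals the shell,
    # not nginx; nginx gets no graceful shutdown and a dead master does not
    # end the container (restart: always never fires). A small entrypoint
    # script that traps TERM and watches the master PID would close that gap.
    entrypoint:
      - sh
      - "-c"
      - |-
        nginx -g 'daemon off;' &
        sleep 5
        while true; do
          nginx -s reload
          sleep 12h
        done
    restart: always
    logging:
      driver: "json-file"
      options:
        max-file: "5"
        max-size: "10m"
    volumes:
      - "./nginx.conf:/etc/nginx/conf.d/default.conf"
      - "./options-ssl-nginx.conf:/options-ssl-nginx.conf"
      # read-only: nginx only needs to read the certificates and serve
      # the challenge files; it never writes into the volume
      - letsencrypt:/etc/letsencrypt:ro
    # legacy option; on the default compose network the service name `app`
    # already resolves, so this only adds an alias. Kept for compatibility.
    links:
      - app
    depends_on:
      - app
    # quoted so no YAML parser ever reads a port mapping as a number
    ports:
      - "80:80"
      - "443:443"

volumes:
  # bind-mounts the host's /certificates so certificates survive `down`
  letsencrypt:
    driver: local
    driver_opts:
      type: none
      o: bind
      device: /certificates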
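# Reverse proxy in front of the "app" service (mounted as
# /etc/nginx/conf.d/default.conf by the compose file). TLS is terminated
# here with the certificate the certbot container renews into the shared
# letsencrypt volume; the TLS parameters come from the certbot-managed
# options file included below.

upstream app {
    server app:80;
}

server {
    listen 443 ssl;
    # listen 80;
    server_name domain.com;

    # Written by the certbot container; mounted read-only here. nginx
    # refuses to start while these files are missing, so the first
    # issuance has to happen before this container comes up.
    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
    include /options-ssl-nginx.conf;

    # Consider `add_header Strict-Transport-Security "max-age=..." always;`
    # once every host under domain.com is served over TLS.

    # Everything goes to the app. A prefix location with a bare proxy_pass
    # forwards the original request URI untouched, query string included.
    # Fix: the previous `location ~ ^(.+)$ { proxy_pass http://app$1; }`
    # rebuilt the upstream URI from a regex capture, which is the decoded
    # path only — `$args` were silently dropped on every request.
    location / {
        proxy_pass http://app;
        client_max_body_size 20m;
        client_body_buffer_size 16k;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
        # lets the app know the client connection was TLS
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Strips /container-route/ and forwards the remainder to "container".
    # NOTE(review): in the original file the catch-all regex above was
    # listed first and matched every URI, so this block was never reached;
    # with a prefix `location /` it now is. No service or upstream named
    # "container" exists in the compose file on this page and no `resolver`
    # is configured, so requests here fail at runtime until one is added.
    # `$is_args$args` keeps the query string (see the fix above).
    location ~ ^/container-route/(.*)$ {
        proxy_pass http://container/$1$is_args$args;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 80;
    server_name domain.com;

    # HTTP-01 challenge files. Only this prefix is served out of the
    # certificate directory; the `..`-free normalized URI nginx matches on
    # cannot escape the prefix, so live/ and archive/ stay unreachable.
    location /.well-known/acme-challenge/ {
        root /etc/letsencrypt;
    }

    # Everything else is sent to the TLS listener. The target host is
    # spelled out rather than taken from $host so the redirect cannot be
    # steered by a client-supplied Host header.
    location / {
        return 301 https://domain.com$request_uri;
    }
}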
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.
#
# Mounted into the nginx container at /options-ssl-nginx.conf and pulled in
# by `include /options-ssl-nginx.conf;` inside the 443 server block.
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
# no stateless tickets: session resumption uses the server-side cache only
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
# NOTE(review): the DHE-* suites are only usable when `ssl_dhparam` is set,
# and the nginx.conf on this page does not set it — confirm they are meant
# to be offered. The trailing ECDHE-RSA-AES128-SHA is a CBC / SHA-1
# (non-AEAD) suite, weaker than the GCM and CHACHA20 suites before it;
# keep it only if a specific legacy client requires it.
# (The directive was line-wrapped during extraction; rejoined here.)
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA";