Setup of automatic docker proxy

README.md

Setting up a semi-automated TLS proxy

At home I use Fedora's Project Atomic to run containers for services I use in my home. I only have one IPv4 address, so it has to be shared between all the services. This solution makes my life simple because I just add a new hostname into DNS with a CNAME pointing to my single IPv4, wait a few minutes, and then bring up the service with a SystemD .service file.

Special setup for Docker

Since many people have moved off of Docker to other container solutions, this might not apply to the current situation. However, I use a binary called systemd-docker to launch all my docker containers to make some .service file setup more pleasant. Instead of adding "-e ENVVAR=value" in the ExecStart line of the .service file, I can add a line that simply says ENVIRONMENT=ENVVAR=value by itself.

This part is not that important and may be removed from the below files because it's sensitive to how your Distribution sets up cgroups.

Initial setup

1. Create a docker network for the proxy: docker network create reverse-proxy
2. Create a volume for the nginx template:
3. docker volume create nginx-tmpl
4. cd /var/lib/docker/volumes/nginx-tmpl/_data/
5. wget https://raw.githubusercontent.com/jwilder/nginx-proxy/master/nginx.tmpl
6. Add the below .service files.

Adding a service that uses the proxy

You need to have nginx.service, nginx-gen.service, and nginx-letsencrypt.service running to create a service that uses the proxy.

nginx-gen.service

[Unit]
Description=nginx-gen
Requires=docker.service
After=docker.service

[Service]
Restart=on-failure
RestartSec=10
ExecStartPre=/usr/bin/docker run --rm -v /opt/bin:/var/opt/bin ibuildthecloud/systemd-docker:v0.2.1
ExecStartPre=-/usr/bin/docker pull jwilder/docker-gen
ExecStart=/var/opt/bin/systemd-docker --env --cgroups name=systemd run --rm --name %p --volumes-from nginx -v nginx-templates:/etc/docker-gen/templates:ro,z -v /var/run/docker.sock:/tmp/docker.sock:ro --label com.github.jrcs.letsencrypt_nginx_proxy_companion.docker_gen --network reverse-proxy jwilder/docker-gen -notify-sighup nginx -watch -wait 5s:30s /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf
Restart=always
RestartSec=10
Type=notify
NotifyAccess=all
TimeoutStartSec=120
TimeoutStopSec=15

[Install]
WantedBy=multi-user.target

nginx-letsencrypt.service

[Unit]
Description=nginx-letsencrypt
Requires=docker.service
After=docker.service

[Service]
Restart=on-failure
RestartSec=10
ExecStartPre=/usr/bin/docker run --rm -v /opt/bin:/var/opt/bin ibuildthecloud/systemd-docker:v0.2.1
ExecStartPre=-/usr/bin/docker pull jrcs/letsencrypt-nginx-proxy-companion
ExecStart=/var/opt/bin/systemd-docker --env --cgroups name=systemd run --rm --name %p --volumes-from nginx -v nginx-certs:/etc/nginx/certs:rw,z -v /var/run/docker.sock:/var/run/docker.sock:ro jrcs/letsencrypt-nginx-proxy-companion
Restart=always
RestartSec=10
Type=notify
NotifyAccess=all
TimeoutStartSec=120
TimeoutStopSec=15

[Install]
WantedBy=multi-user.target

nginx.service

[Unit]
Description=nginx
Requires=docker.service
After=docker.service

[Service]
ExecStartPre=/usr/bin/docker run --rm -v /opt/bin:/var/opt/bin ibuildthecloud/systemd-docker:v0.2.1
ExecStartPre=-/usr/bin/docker pull nginx
ExecStart=/var/opt/bin/systemd-docker --env --cgroups name=systemd run --rm --name %p -p 7080:80 -p 7443:443 -v nginx-certs:/etc/nginx/certs:ro,z -v nginx-confd:/etc/nginx/conf.d:z -v nginx-vhostd:/etc/nginx/vhost.d:z -v nginx-html:/usr/share/nginx/html:z --label com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy --network reverse-proxy nginx                                                          
Restart=always
RestartSec=10
Type=notify
NotifyAccess=all
TimeoutStartSec=120
TimeoutStopSec=15

[Install]
WantedBy=multi-user.target