Hey Guys,
I’m new to Docker and currently trying to set up my own little swarm, which should later serve my own website with a valid Let's Encrypt certificate.
I have read the documentation and a few how-tos – this is what I have so far:
ct-ws-tg-ext-1 (directory)
-> src (directory)
—>letsencrypt (directory)
------>docker-compose.yml (file)
------>nginx.conf (file)
------>sub1.foo.bar (directory)
--------->favicon.ico (file)
--------->index.html (file)
--------->styles (directory)
------------>style.css (file)
------>sub2.foo.bar (directory)
--------->favicon.ico (file)
--------->index.html (file)
--------->styles (directory)
------------>style.css (file)
------>sub3.foo.bar (directory)
--------->favicon.ico (file)
--------->index.html (file)
--------->styles (directory)
------------>style.css (file)
------>sub4.foo.bar (directory)
--------->favicon.ico (file)
--------->index.html (file)
--------->styles (directory)
------------>style.css (file)
—>production (directory)
------>docker-compose.yml (file)
------>production.conf (file)
------>sub1.foo.bar (directory)
--------->my website content from sub1.foo.bar (files and directories)
------>sub2.foo.bar (directory)
--------->my website content from sub2.foo.bar (files and directories)
------>sub3.foo.bar (directory)
--------->my website content from sub3.foo.bar (files and directories)
------>sub4.foo.bar (directory)
--------->my website content from sub4.foo.bar (files and directories)
------>dh-param (directory)
--------->dhparam-2048.pem (file)
Here is the docker-compose.yml from the letsencrypt folder:
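version: '3.1'
services:
  ct-ws-tg-ext-1-letsencrypt:
    # NOTE: container_name is ignored by `docker stack deploy`; it only
    # matters for plain `docker-compose up`.
    container_name: 'ct-ws-tg-ext-1-letsencrypt'
    # Floating tag: the image can change under you on every pull. Pin to a
    # specific version or digest once the setup works.
    image: nginx:latest
    ports:
      - "80:80"
    volumes:
      # nginx only reads the web roots and its config; mounting them read-only
      # (`:ro`) keeps a compromised container from altering served content or
      # the server configuration. Certbot writes challenge files from the host
      # side, so read-only inside the container does not affect it.
      - ./sub1.foo.bar:/usr/share/nginx/html/sub1.foo.bar/:ro
      - ./sub2.foo.bar:/usr/share/nginx/html/sub2.foo.bar/:ro
      - ./sub3.foo.bar:/usr/share/nginx/html/sub3.foo.bar/:ro
      - ./sub4.foo.bar:/usr/share/nginx/html/sub4.foo.bar/:ro
      - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
    networks:
      - docker-network
networks:
  docker-network:
    driver: bridge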
Here is the one from the production folder:
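version: '3.1'
services:
  ct-ws-tg-ext-1-production:
    # NOTE: container_name is ignored by `docker stack deploy`; it only
    # matters for plain `docker-compose up`.
    container_name: 'ct-ws-tg-ext-1-production'
    # Floating tag: pin to a specific version or digest once the setup works.
    image: nginx:latest
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Everything below is read-only for nginx (`:ro`): config, web roots,
      # DH parameters and, most importantly, the TLS private key.
      - ./production.conf:/etc/nginx/conf.d/default.conf:ro
      - ./sub1.foo.bar:/usr/share/nginx/html/sub1.foo.bar:ro
      - ./sub2.foo.bar:/usr/share/nginx/html/sub2.foo.bar:ro
      - ./sub3.foo.bar:/usr/share/nginx/html/sub3.foo.bar:ro
      - ./sub4.foo.bar:/usr/share/nginx/html/sub4.foo.bar:ro
      - ./dh-param/dhparam-2048.pem:/etc/ssl/certs/dhparam-2048.pem:ro
      # Mount the whole letsencrypt tree instead of the two single files.
      # In certbot's layout `live/<name>/*.pem` are symlinks into `archive/`;
      # bind-mounting just the symlink leaves it dangling inside the container
      # and breaks after the first renewal. The in-container paths used by
      # production.conf (/etc/letsencrypt/live/foo.bar/...) are unchanged.
      - /docker-volumes/etc/letsencrypt:/etc/letsencrypt:ro
    networks:
      - docker-network
networks:
  docker-network:
    driver: bridge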
Here is the nginx.conf (from the letsencrypt folder):
#http://foo.bar
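server {
    listen 80;
    listen [::]:80;
    server_name foo.bar;

    # ACME HTTP-01 challenges. `^~` is a prefix match that stops further regex
    # evaluation; the original unanchored regex `~ /.well-known/acme-challenge`
    # had unescaped dots and matched the pattern anywhere in the URI.
    # `allow all` was redundant (nothing denies access here).
    location ^~ /.well-known/acme-challenge/ {
        root /usr/share/nginx/html/sub1.foo.bar/;
    }

    root /usr/share/nginx/html/sub1.foo.bar/;
    index index.html;
}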
#http://sub1.foo.bar
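server {
    listen 80;
    listen [::]:80;
    server_name sub1.foo.bar;

    # ACME HTTP-01 challenges: anchored prefix match (`^~`) instead of the
    # unanchored regex with unescaped dots; the redundant `allow all` is gone.
    location ^~ /.well-known/acme-challenge/ {
        root /usr/share/nginx/html/sub1.foo.bar/;
    }

    root /usr/share/nginx/html/sub1.foo.bar/;
    index index.html;
}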
#http://sub2.foo.bar
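server {
    listen 80;
    listen [::]:80;
    server_name sub2.foo.bar;

    # ACME HTTP-01 challenges: anchored prefix match (`^~`) instead of the
    # unanchored regex with unescaped dots; the redundant `allow all` is gone.
    location ^~ /.well-known/acme-challenge/ {
        root /usr/share/nginx/html/sub2.foo.bar/;
    }

    root /usr/share/nginx/html/sub2.foo.bar/;
    index index.html;
}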
#http://sub3.foo.bar
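server {
    listen 80;
    listen [::]:80;
    server_name sub3.foo.bar;

    # ACME HTTP-01 challenges: anchored prefix match (`^~`) instead of the
    # unanchored regex with unescaped dots; the redundant `allow all` is gone.
    location ^~ /.well-known/acme-challenge/ {
        root /usr/share/nginx/html/sub3.foo.bar/;
    }

    root /usr/share/nginx/html/sub3.foo.bar/;
    index index.html;
}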
#http://sub4.foo.bar
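server {
    listen 80;
    listen [::]:80;
    server_name sub4.foo.bar;

    # ACME HTTP-01 challenges: anchored prefix match (`^~`) instead of the
    # unanchored regex with unescaped dots; the redundant `allow all` is gone.
    location ^~ /.well-known/acme-challenge/ {
        root /usr/share/nginx/html/sub4.foo.bar/;
    }

    root /usr/share/nginx/html/sub4.foo.bar/;
    index index.html;
}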
Here is the production.conf:
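server {
    listen 80;
    listen [::]:80;
    server_name foo.bar sub2.foo.bar sub1.foo.bar sub3.foo.bar sub4.foo.bar;

    # Certbot renewal challenges must stay reachable over plain HTTP.
    # NOTE(review): the production docker-compose.yml mounts nothing at
    # /data/letsencrypt, so renewals through this block will 404 until the
    # certbot webroot is bind-mounted here (read-only is sufficient).
    location ^~ /.well-known/acme-challenge/ {
        root /data/letsencrypt;
    }

    # Everything else is sent to HTTPS. `return` is the documented idiom and
    # cheaper than `rewrite`; `$request_uri` already carries the query string,
    # so the original trailing `?` is not needed. `$host` reflects the client's
    # Host header — this block is also the default :80 server, so consider a
    # separate `default_server` that returns 444 for unknown names.
    location / {
        return 301 https://$host$request_uri;
    }
}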
#https://foo.bar
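server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name foo.bar;
    server_tokens off;

    ssl_certificate /etc/letsencrypt/live/foo.bar/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/foo.bar/privkey.pem;
    ssl_buffer_size 8k;
    ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;
    # TLS 1.0/1.1 are deprecated (RFC 8996) and 3DES is affected by Sweet32;
    # both were removed from the original `TLSv1.2 TLSv1.1 TLSv1` / `DH+3DES`.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;
    ssl_ecdh_curve secp384r1;
    ssl_session_tickets off;
    # OCSP stapling; the resolver is needed to reach the OCSP responder.
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8;

    # The bare domain only redirects to sub1. A server-level `return` runs in
    # the rewrite phase, before any `location` is matched, so the original
    # `location /` with its add_header lines was unreachable. HSTS is the one
    # header that matters on a redirect; `always` sends it on the 301 too.
    # `preload` commits this domain to the browser preload list — hard to
    # undo, keep only if that is intended.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    return 301 https://sub1.foo.bar$request_uri;
}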
#https://sub1.foo.bar
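server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name sub1.foo.bar;
    server_tokens off;

    # One certificate for all names: it must cover sub1..sub4 as SANs or be a
    # wildcard — TODO confirm against the issued certificate.
    ssl_certificate /etc/letsencrypt/live/foo.bar/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/foo.bar/privkey.pem;
    ssl_buffer_size 8k;
    ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;
    # TLS 1.0/1.1 are deprecated (RFC 8996); 3DES (Sweet32) dropped from ciphers.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;
    ssl_ecdh_curve secp384r1;
    ssl_session_tickets off;
    # OCSP stapling; the resolver is needed to reach the OCSP responder.
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4;

    root /usr/share/nginx/html/sub1.foo.bar/;
    index index.html;

    location / {
        # Security headers. `always` also emits them on 4xx/5xx; HSTS was the
        # only one missing it. `preload` is a hard-to-undo commitment.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        # X-XSS-Protection is obsolete in current browsers; harmless to keep.
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "DENY" always;
        # CSP: `'unsafe-inline'` in script-src largely defeats the XSS
        # protection CSP offers — move inline scripts to files or use nonces.
        add_header Content-Security-Policy "frame-src 'self'; default-src 'self'; script-src 'self' 'unsafe-inline' https://maxcdn.bootstrapcdn.com https://ajax.googleapis.com; img-src 'self'; style-src 'self' https://maxcdn.bootstrapcdn.com; font-src 'self' data: https://maxcdn.bootstrapcdn.com; form-action 'self'; upgrade-insecure-requests;" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    }
}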
#https://sub2.foo.bar
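server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name sub2.foo.bar;
    server_tokens off;

    # One certificate for all names: it must cover sub1..sub4 as SANs or be a
    # wildcard — TODO confirm against the issued certificate.
    ssl_certificate /etc/letsencrypt/live/foo.bar/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/foo.bar/privkey.pem;
    ssl_buffer_size 8k;
    ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;
    # TLS 1.0/1.1 are deprecated (RFC 8996); 3DES (Sweet32) dropped from ciphers.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;
    ssl_ecdh_curve secp384r1;
    ssl_session_tickets off;
    # OCSP stapling; the resolver is needed to reach the OCSP responder.
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4;

    root /usr/share/nginx/html/sub2.foo.bar/;
    index index.html;

    location / {
        # Security headers. `always` also emits them on 4xx/5xx; HSTS was the
        # only one missing it. `preload` is a hard-to-undo commitment.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        # X-XSS-Protection is obsolete in current browsers; harmless to keep.
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "DENY" always;
        # CSP: `'unsafe-inline'` in script-src largely defeats the XSS
        # protection CSP offers — move inline scripts to files or use nonces.
        add_header Content-Security-Policy "frame-src 'self'; default-src 'self'; script-src 'self' 'unsafe-inline' https://maxcdn.bootstrapcdn.com https://ajax.googleapis.com; img-src 'self'; style-src 'self' https://maxcdn.bootstrapcdn.com; font-src 'self' data: https://maxcdn.bootstrapcdn.com; form-action 'self'; upgrade-insecure-requests;" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    }
}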
#https://sub3.foo.bar
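server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name sub3.foo.bar;
    server_tokens off;

    # One certificate for all names: it must cover sub1..sub4 as SANs or be a
    # wildcard — TODO confirm against the issued certificate.
    ssl_certificate /etc/letsencrypt/live/foo.bar/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/foo.bar/privkey.pem;
    ssl_buffer_size 8k;
    ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;
    # TLS 1.0/1.1 are deprecated (RFC 8996); 3DES (Sweet32) dropped from ciphers.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;
    ssl_ecdh_curve secp384r1;
    ssl_session_tickets off;
    # OCSP stapling; the resolver is needed to reach the OCSP responder.
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4;

    root /usr/share/nginx/html/sub3.foo.bar/;
    index index.html;

    location / {
        # Security headers. `always` also emits them on 4xx/5xx; HSTS was the
        # only one missing it. `preload` is a hard-to-undo commitment.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        # X-XSS-Protection is obsolete in current browsers; harmless to keep.
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "DENY" always;
        # CSP: `'unsafe-inline'` in script-src largely defeats the XSS
        # protection CSP offers — move inline scripts to files or use nonces.
        add_header Content-Security-Policy "frame-src 'self'; default-src 'self'; script-src 'self' 'unsafe-inline' https://maxcdn.bootstrapcdn.com https://ajax.googleapis.com; img-src 'self'; style-src 'self' https://maxcdn.bootstrapcdn.com; font-src 'self' data: https://maxcdn.bootstrapcdn.com; form-action 'self'; upgrade-insecure-requests;" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    }
}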
#https://sub4.foo.bar
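server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name sub4.foo.bar;
    server_tokens off;

    # One certificate for all names: it must cover sub1..sub4 as SANs or be a
    # wildcard — TODO confirm against the issued certificate.
    ssl_certificate /etc/letsencrypt/live/foo.bar/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/foo.bar/privkey.pem;
    ssl_buffer_size 8k;
    ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;
    # TLS 1.0/1.1 are deprecated (RFC 8996); 3DES (Sweet32) dropped from ciphers.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;
    ssl_ecdh_curve secp384r1;
    ssl_session_tickets off;
    # OCSP stapling; the resolver is needed to reach the OCSP responder.
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4;

    root /usr/share/nginx/html/sub4.foo.bar/;
    index index.html;

    location / {
        # Security headers. `always` also emits them on 4xx/5xx; HSTS was the
        # only one missing it. `preload` is a hard-to-undo commitment.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        # X-XSS-Protection is obsolete in current browsers; harmless to keep.
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "DENY" always;
        # CSP: `'unsafe-inline'` in script-src largely defeats the XSS
        # protection CSP offers — move inline scripts to files or use nonces.
        add_header Content-Security-Policy "frame-src 'self'; default-src 'self'; script-src 'self' 'unsafe-inline' https://maxcdn.bootstrapcdn.com https://ajax.googleapis.com; img-src 'self'; style-src 'self' https://maxcdn.bootstrapcdn.com; font-src 'self' data: https://maxcdn.bootstrapcdn.com; form-action 'self'; upgrade-insecure-requests;" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    }
}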
Before I get to my real question: how do I integrate PHP-FPM, and is this a clean solution at all?
My real question to you now: how do I build an image of this that I can then push to my repository? I really want to be able to use it in my swarm, which is based on a 4-machine cluster (1 manager, 3 workers).
And ideally: how can I then deploy this container on the swarm?
What must the DNS records of the individual subdomains look like, so that the right host is always addressed? ^^
I would be very grateful for your help. Of course, feel free to quote specific sections of the documentation ^ ^