How to Secure Your Docker‑Hosted Nginx Site with Free Let’s Encrypt SSL
Learn step‑by‑step how to configure HTTPS for a Docker‑run Nginx website on Azure using free Let’s Encrypt certificates, including environment setup, creating HTTP site, generating and installing SSL/TLS certificates, configuring Nginx for HTTPS, and automating renewal with Dockerized Certbot.
Prepare Environment
On an Azure Ubuntu 16.04 VM, install Docker and open ports 80 and 443 in the network security group. Configure DNS for the domain.
Create a Basic HTTP Site
Pull a Node.js demo image and run it in a Docker bridge network:
$ docker pull ljfpower/nodedemo
$ docker network create -d bridge webnet
$ docker run -d --restart=always --expose=3000 \
--network=webnet --name=myweb \
ljfpower/nodedemoCreate the required directory structure for Nginx:
$ mkdir -p nginx/{conf.d,conf.crt,html}
$ mkdir -p logs/{nginx,letsencrypt}Write nginx/nginx.conf and nginx/conf.d/default.conf (HTTP only) and a simple nginx/html/index.html page.
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<title>Let's Encrypt First Time Cert Issue Site</title>
</head>
<body>
<h1>Hello HTTPS!</h1>
<p>Just used for the very first time SSL certificates are issued by Let's Encrypt's certbot.</p>
</body>
</html>Start the Nginx container (no 443 mapping yet):
$ docker run -d \
-p 80:80 \
-v $(pwd)/nginx/conf.d:/etc/nginx/conf.d:ro \
-v $(pwd)/nginx/nginx.conf:/etc/nginx/nginx.conf:ro \
-v $(pwd)/logs/nginx:/var/log/nginx \
-v $(pwd)/nginx/html:/usr/share/nginx/html \
--restart=always \
--name=gateway \
--network=webnet \
nginx:1.14Generate SSL/TLS Certificate
Build a lightweight Certbot image:
FROM alpine:3.4
RUN apk add --update bash certbot
VOLUME ["/etc/letsencrypt"]Build the image: $ docker build -t certbot:1.0 . Create renew_cert.sh to request certificates for the domains:
#!/bin/bash
WEBDIR="$1"
LIST=('filterinto.com' 'www.filterinto.com')
WWW_ROOT=/usr/share/nginx/html
for domain in ${LIST[@]}; do
docker run \
--rm \
-v ${WEBDIR}/nginx/conf.crt:/etc/letsencrypt \
-v ${WEBDIR}/logs/letsencrypt:/var/log/letsencrypt \
-v ${WEBDIR}/nginx/html:${WWW_ROOT} \
certbot:1.0 \
certbot certonly --verbose --noninteractive --quiet --agree-tos \
--webroot -w ${WWW_ROOT} \
--email="[email protected]" \
-d "${domain}"
CODE=$?
if [ $CODE -ne 0 ]; then
FAILED_LIST+=($domain)
fi
done
# output failed domains
if [ ${#FAILED_LIST[@]} -ne 0 ]; then
echo 'failed domain:'
for (( i=0; i<${#FAILED_LIST[@]}; i++ ));
do
echo ${FAILED_LIST[$i]}
done
fiRun the script (e.g., ./renew_cert.sh /home/nick) to obtain certificates stored under /home/nick/nginx/conf.crt/live for each domain.
Configure SSL/TLS for Site
Update nginx/conf.d/default.conf to redirect HTTP to HTTPS and add SSL server blocks for both domains, referencing the generated certificates:
upstream web{
server myweb:3000;
}
server {
listen 80;
listen [::]:80;
server_name filterinto.com www.filterinto.com;
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root /usr/share/nginx/html;
}
location = /.well-known/acme-challenge/ { return 404; }
return 301 https://$server_name$request_uri;
}
server {
listen 443;
listen [::]:443;
server_name filterinto.com;
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM ...";
ssl_certificate conf.crt/live/filterinto.com/fullchain.pem;
ssl_certificate_key conf.crt/live/filterinto.com/privkey.pem;
location ^~ /.well-known/acme-challenge/ { default_type "text/plain"; root /usr/share/nginx/html; }
location = /.well-known/acme-challenge/ { return 404; }
location / { proxy_pass http://web; }
}
server {
listen 443;
listen [::]:443;
server_name www.filterinto.com;
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM ...";
ssl_certificate conf.crt/live/www.filterinto.com/fullchain.pem;
ssl_certificate_key conf.crt/live/www.filterinto.com/privkey.pem;
location ^~ /.well-known/acme-challenge/ { default_type "text/plain"; root /usr/share/nginx/html; }
location = /.well-known/acme-challenge/ { return 404; }
location / { proxy_pass http://web; }
}Remove the old gateway container and recreate it with both ports exposed:
$ docker run -d \
-p 80:80 \
-p 443:443 \
-v $(pwd)/nginx/conf.d:/etc/nginx/conf.d:ro \
-v $(pwd)/nginx/conf.crt:/etc/nginx/conf.crt:ro \
-v $(pwd)/nginx/nginx.conf:/etc/nginx/nginx.conf:ro \
-v $(pwd)/logs/nginx:/var/log/nginx \
-v $(pwd)/nginx/html:/usr/share/nginx/html \
--restart=always \
--name=gateway \
--network=webnet \
nginx:1.14Automate Certificate Renewal
Add the following two cron jobs to the host to renew certificates on the 1st of each month at 00:00 and reload Nginx an hour later:
0 0 1 * * /home/nick/certbot/renew_cert.sh /home/nick >> /home/nick/logs/cert.log 2>> /home/nick/logs/cert.error.log
0 1 1 * * docker exec gateway nginx -s reloadConclusion
Let’s Encrypt provides free SSL/TLS certificates that are easy to obtain for beginners and personal projects, but because anyone can get a certificate, malicious sites can also appear legitimate; therefore HTTPS alone does not guarantee overall security.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
MaGe Linux Operations
Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.