The original post: /r/nginx by /u/flutter_dart_dev on 2024-09-01 13:47:06.

My goal is to have an nginx server, installed via a Docker container, that auto-renews its certificates, so I need to create a Dockerfile besides the nginx.conf file.

I am not sure if I should make 2 containers (one from the nginx image and one from the certbot image) and have them communicate with each other via a shared volume, or if I should put it all in 1 container based on the nginx image with certbot installed as a dependency, etc.

I am a newbie and honestly, my goal here is to have a basic nginx server that rate limits and allows me to use HTTPS.

I tried to figure this out and also asked an AI, and I got this:

Note: I feel like there are mistakes in this code. For example, the nginx server listens on port 80 and then tries to proxy to the certbot container, which also listens on port 80? Does that make sense?

If someone can help me correct the nginx.conf file and also enlighten me on how to build the Dockerfile, I would appreciate it a lot.

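# Plain-HTTP listener: serves only the ACME challenge path and redirects everything
# else to HTTPS.
server {
    listen 80;
    # Placeholder: replace with the real hostname the certificate is issued for.
    server_name main;

    # ACME HTTP-01 challenge. Let's Encrypt fetches
    # http://<host>/.well-known/acme-challenge/<token> over plain HTTP, so this
    # path must NOT fall into the HTTPS redirect below.
    # Requests are forwarded to a separate certbot container named "letsencrypt"
    # that listens on its own port 80. Each container has its own network
    # namespace, so nginx listening on 80 here and certbot listening on 80 there
    # do not collide. The upstream only answers while certbot is actually
    # running; the alternative is certbot's webroot mode with a volume shared
    # with nginx, which needs no proxying at all.
    location /.well-known/acme-challenge {
        proxy_pass http://letsencrypt:80;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        # Report the scheme the client actually used. This server only speaks
        # HTTP, so the original hard-coded "https" misreported the protocol to
        # the upstream.
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Everything else: permanent redirect to HTTPS on the same host and path.
    location / {
        return 301 https://$host$request_uri;
    }
}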

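# Rate-limit state keyed by client IP (5 requests/second, 10 MB of shared state).
# limit_req_zone is only valid in the http context, so it has to sit outside
# server {}; placed inside server {} nginx refuses to start with
# "limit_req_zone directive is not allowed here". This file is assumed to be
# included from http {}, which is the only place a server {} block is valid.
limit_req_zone $binary_remote_addr zone=perip:10m rate=5r/s;

# HTTPS listener: terminates TLS and proxies to the Go backend.
server {
    listen 443 ssl;
    # Placeholder: replace with the real hostname the certificate is issued for.
    server_name main;

    # TLS 1.2/1.3, forward-secret AEAD suites only. The original list also
    # allowed CBC and static-RSA suites, which contradicts the "strong ciphers"
    # intent. TLS 1.3 suites are not governed by ssl_ciphers.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_prefer_server_ciphers on;

    # Certificates written by certbot. "default" is a placeholder: certbot names
    # the live/ directory after the first domain on the certificate, so this
    # path must match the name certbot actually produces. nginx loads these
    # files at startup, so it must be reloaded after each renewal.
    ssl_certificate /etc/letsencrypt/live/default/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/default/privkey.pem;

    # HSTS (Strict Transport Security). "includeSubDomains" forces HTTPS on
    # every subdomain and "preload" signals eligibility for browser preload
    # lists, which is very hard to undo. Consider starting without those two
    # flags until everything under this host is confirmed to work over HTTPS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

    # HPKP (HTTP Public Key Pinning) is obsolete: browsers have removed support
    # and a wrong pin locks users out of the site. Leave it disabled.
    # add_header Public-Key-Pins "pin-sha256=\"your_pin_hash\"";

    # X-Frame-Options header (prevents clickjacking)
    add_header X-Frame-Options SAMEORIGIN;

    # X-Content-Type-Options header (prevents MIME sniffing)
    add_header X-Content-Type-Options nosniff;

    # X-XSS-Protection is a legacy header; current browsers ignore it and a
    # Content-Security-Policy is the supported replacement.
    add_header X-XSS-Protection "1; mode=block";

    # Content-Security-Policy header (advanced protection - research before use)
    # add_header Content-Security-Policy "..."

    # NOTE: add_header directives set here are inherited by a location only if
    # that location declares no add_header of its own. location / below has
    # none, so all of the headers above apply to proxied responses.

    # Apply the per-IP limit declared above; up to 10 excess requests are
    # accepted immediately (nodelay) before further ones are rejected.
    limit_req zone=perip burst=10 nodelay;

    location / {
        # Proxy requests to the Go backend container "golangs" on port 8020.
        proxy_pass http://golangs:8020;

        # Pass the original host, client address and scheme through to the backend.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}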