From c89540978a8ba2bf205d906fc02000d687d6a7ca Mon Sep 17 00:00:00 2001 From: christiangoeschel Date: Fri, 26 Jul 2024 18:19:09 +0000 Subject: [PATCH] Added SSL cert volume and restart policy for all containers --- Dockerfile | 3 ++- certbot/cli.ini | 34 ++++++++++++++++++++++++++++++++++ docker-compose.yml | 7 +++++-- nginx/default-nginx-proxy.conf | 18 +++++++++++++++++- src/css/style.css | 4 ++-- 5 files changed, 60 insertions(+), 6 deletions(-) create mode 100644 certbot/cli.ini diff --git a/Dockerfile b/Dockerfile index 99969cf..ad193a2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -13,7 +13,8 @@ RUN mkdir conf.d/ WORKDIR / FROM base AS portfolio-proxy -EXPOSE 80/tcp +RUN mkdir -p /etc/ssl/letsencrypt/ +EXPOSE 443/tcp CMD ["nginx","-g","daemon off;"] FROM base AS portfolio-web diff --git a/certbot/cli.ini b/certbot/cli.ini new file mode 100644 index 0000000..fa7a3fc --- /dev/null +++ b/certbot/cli.ini 
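Review bot: With `-EXPOSE 80/tcp` / `+EXPOSE 443/tcp` the proxy image now advertises no plaintext port at all, so nothing is left to serve an HTTP→HTTPS redirect or to let nginx answer ACME HTTP-01 challenges; `EXPOSE 80/tcp 443/tcp` keeps both documented while 443 is added. EXPOSE is metadata only — what is actually reachable is decided by the compose `ports` mapping — so this is a consistency point rather than a runtime defect. The added `RUN mkdir -p /etc/ssl/letsencrypt/` deserves a why-comment, since a bind mount would create the path anyway; something like `# mount point for the host's /etc/letsencrypt tree (bind-mounted read-only at run time)` would make the intent clear.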
@@ -0,0 +1,34 @@ +# This is an example of the kind of things you can do in a configuration file. +# All flags used by the client can be configured here. Run Certbot with +# "--help" to learn more about the available options. +# +# Note that these options apply automatically to all use of Certbot for +# obtaining or renewing certificates, so options specific to a single +# certificate on a system with several certificates should not be placed +# here. + +# Use ECC for the private key +key-type = ecdsa +elliptic-curve = secp384r1 + +# Use a 4096 bit RSA key instead of 2048 +rsa-key-size = 4096 + +# Uncomment and update to register with the specified e-mail address +email = cndjomouo@icloud.com + +# Uncomment to use the standalone authenticator on port 443 +authenticator = standalone + +# Uncomment to use the webroot authenticator. Replace webroot-path with the +# path to the public_html / webroot folder being served by your web server. +# authenticator = webroot +# webroot-path = /usr/share/nginx/html + +# Uncomment to automatically agree to the terms of service of the ACME server +agree-tos = true + +# An example of using an alternate ACME server that uses EAB credentials +# server = https://acme.sectigo.com/v2/InCommonRSAOV +# eab-kid = somestringofstuffwithoutquotes +# eab-hmac-key = yaddayaddahexhexnotquoted diff --git a/docker-compose.yml b/docker-compose.yml index 1d17690..1bf4304 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -8,9 +8,11 @@ services: networks: - portfolio-net ports: - - "80:80/tcp" + - "443:443/tcp" volumes: + - /etc/letsencrypt/:/etc/ssl/letsencrypt/:ro - ./nginx/default-nginx-proxy.conf:/etc/nginx/conf.d/default.conf:ro + restart: unless-stopped web: build: @@ -23,6 +25,7 @@ services: volumes: - ./nginx/default-nginx-web.conf:/etc/nginx/conf.d/default.conf:ro - ./src:/www + restart: unless-stopped networks: - portfolio-net: + portfolio-net: 
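Review bot: `authenticator = standalone` under the comment `# Uncomment to use the standalone authenticator on port 443` is misleading: certbot's standalone plugin answers HTTP-01 challenges, which the ACME server delivers on port 80 (the TLS-SNI challenge on 443 was retired), so the host must keep port 80 free for certbot and the comment should read `# standalone authenticator: certbot binds host port 80 itself to answer HTTP-01`. Nothing in this file or the rest of the commit reloads the proxy after a renewal, and nginx only reads the certificate files at start-up, so a renewed certificate is not served until the container restarts; a `deploy-hook` that runs `nginx -s reload` inside the proxy container (e.g. `deploy-hook = docker exec <proxy-container> nginx -s reload`, adapted to the real container name) closes that gap. `rsa-key-size = 4096` has no effect while `key-type = ecdsa` is set, so either drop it or comment it as an RSA-only fallback. The committed `email =` value is a personal address in what looks like a public repository — presumably intended, but worth a conscious decision.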
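Review bot: Mounting the whole host `/etc/letsencrypt/` into the proxy (`- /etc/letsencrypt/:/etc/ssl/letsencrypt/:ro`) hands the nginx container the ACME account key under `accounts/` and every renewal config, not just the one certificate it serves. Certbot's `live/` entries are relative symlinks into `archive/` (verify with `ls -l` on the host), so mounting those two trees at the same relative paths is enough: `- /etc/letsencrypt/live/:/etc/ssl/letsencrypt/live/:ro` and `- /etc/letsencrypt/archive/:/etc/ssl/letsencrypt/archive/:ro`. Replacing `"80:80/tcp"` with `"443:443/tcp"` also means plain `http://` requests are now refused rather than redirected; keeping `- "80:80/tcp"` alongside 443 with a redirect-only server block is the usual shape. `restart: unless-stopped` restarts a crashed process but does not make nginx pick up a renewed certificate, so a reload hook on the certbot side is still needed.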
diff --git a/nginx/default-nginx-proxy.conf b/nginx/default-nginx-proxy.conf index cf57df3..4393df7 100644 --- a/nginx/default-nginx-proxy.conf +++ b/nginx/default-nginx-proxy.conf @@ -15,9 +15,25 @@ server { location = /50x.html { root /usr/share/nginx/html; } - } +server { + listen 443 ssl; + server_name christiangoeschel.com; + ssl_certificate /etc/ssl/letsencrypt/live/christiangoeschel.com/fullchain.pem; + ssl_certificate_key /etc/ssl/letsencrypt/live/christiangoeschel.com/privkey.pem; + + location / { + proxy_pass http://portfolio-web:8080; + proxy_buffering on; + proxy_buffers 16 4k; + proxy_buffer_size 4k; + proxy_busy_buffers_size 8k; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + } +} + # proxy the PHP scripts to Apache listening on 127.0.0.1:80 # #location ~ \.php$ { diff --git a/src/css/style.css b/src/css/style.css index b26a21e..d78c836 100644 --- a/src/css/style.css +++ b/src/css/style.css @@ -117,7 +117,7 @@ input, textarea { } #right_section{ - width:55%; + width:45%; height: 100%; background-image: url("../images/gutenberg.png"); background-size: auto 100%; @@ -126,7 +126,7 @@ input, textarea { } #left_section{ - width:45%; + width:55%; height: 100%; overflow-y: scroll; overflow-x: hidden;
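Review bot: The new `listen 443 ssl;` server block sets only the certificate pair and otherwise inherits nginx's TLS defaults, which on older builds still admit TLS 1.0/1.1 and leave session caching and HSTS unset; pin `ssl_protocols TLSv1.2 TLSv1.3;`, add a session cache, and emit `Strict-Transport-Security` once you are certain the site stays HTTPS-only. The upstream also never learns it is behind TLS, because only `Host` and `X-Real-IP` are forwarded; `proxy_set_header X-Forwarded-Proto $scheme;` (and `X-Forwarded-For` if the backend logs clients) fixes that. The removed `}` sits between the `/50x.html` location and the new `server {`, and the enclosing server block's opening and closing braces are outside this hunk, so whether the new `server` now ends up nested inside the old port-80 one (which nginx rejects with `"server" directive is not allowed here`) cannot be seen here — run `nginx -t` before deploying. If the port-80 block is kept, reducing it to `return 301 https://$host$request_uri;` gives the redirect that the compose change currently removes.
```nginx
server {
    listen 443 ssl;
    # … unchanged: server_name, ssl_certificate, ssl_certificate_key …
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    # only once HTTPS is permanent for this host: browsers cache it for two years
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        # … unchanged: proxy_pass and proxy_buffer* settings …
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```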