
Deployment Overview of Nginx-Certbot on Server

Prerequisites and Basic Requirements

  • Operating System: Linux-based server capable of running Docker and Docker Compose.

  • Privileges: Root or sudo access is required to manage services, configure the firewall, and mount volumes.

  • Domain: The FQDN is a hostname in the hostkey.in zone (format below). It must resolve to the server's public address before Let's Encrypt can validate the HTTP challenge and issue a certificate.

  • Ports: Ports 80 and 443 must be open on the server to handle HTTP and HTTPS traffic respectively.

FQDN of the Final Panel

The application is accessible over HTTPS (TCP port 443) at a Fully Qualified Domain Name (FQDN) of the following format: nginx-certbot<Server ID>.hostkey.in

Note: Replace <Server ID> with the specific identifier for your server instance. The port is not part of the FQDN itself.

File and Directory Structure

The deployment utilizes the following directory structure for configuration and data:

Directory/Volume                 Purpose
./user_conf.d                    Custom Nginx server block configurations on the host, mounted into the container.
nginx_secrets                    External Docker volume holding the Let's Encrypt account and certificate files.
/etc/letsencrypt/live/<fqdn>/    Runtime location (inside the container) of fullchain.pem, privkey.pem and chain.pem.
/etc/letsencrypt/dhparams/       Location (inside the container) of the Diffie-Hellman parameter file (dhparam.pem).

Application Installation Process

The application is deployed using Docker Compose. The installation relies on the jonasal/nginx-certbot container image.

  • Container Image: jonasal/nginx-certbot:latest

  • Restart Policy: unless-stopped

The deployment uses a docker-compose.yml file (or compose.yml) to orchestrate the service. The service pulls the image's latest tag, loads its environment variables from an env file, and mounts the volumes listed below. Because the tag is :latest rather than a fixed version, each pull may bring a different image build.

Docker Containers and Their Deployment

The system deploys a single Nginx service configured to handle SSL termination and certificate renewal.

Service Definition:

  • Name: nginx

  • Image: jonasal/nginx-certbot:latest

  • Restart Policy: unless-stopped

  • Environment Variables: none are set inline; they are supplied through the environment file listed below.

  • Ports Mapping:

    • Host port 80 mapped to Container port 80

    • Host port 443 mapped to Container port 443

  • Volumes:

    • nginx_secrets mounted to /etc/letsencrypt (External volume)

    • ./user_conf.d mounted to /etc/nginx/user_conf.d

  • Environment File: The service loads configuration from ./nginx-certbot.env.

Proxy Servers

The Nginx container acts as the reverse proxy and SSL terminator. It is configured to listen on ports 80 and 443 for IPv4 and IPv6.

SSL Configuration:

  • Certificate: Loaded from /etc/letsencrypt/live/<fqdn>/fullchain.pem

  • Private Key: Loaded from /etc/letsencrypt/live/<fqdn>/privkey.pem

  • Chain: Loaded from /etc/letsencrypt/live/<fqdn>/chain.pem

  • DH Params: Loaded from /etc/letsencrypt/dhparams/dhparam.pem

Server Block Settings:

  • Server Name: server_name is set to the FQDN (nginx-certbot<Server ID>.hostkey.in). The image derives the domains it requests a certificate for from the server_name directives of the server blocks in user_conf.d, so this value must match the public hostname exactly.

  • Response: The default configuration returns a 200 status code with the message: Let's Encrypt certificate successfully installed!

  • Content-Type: Set to text/plain.
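
The service definition from the previous section and the server block described in this one, written out as a script that creates the deployment directory. This is an added example, not hostkey.in's or the jonasal/nginx-certbot project's own files. It assumes the image reads CERTBOT_EMAIL and STAGING from the env file (variable names as documented for the image; check the image README for the current list), that the image's own port-80 server answers the ACME challenge, and that the deployment directory, the script name and the per-host .conf file name are choices made here.

```sh
#!/bin/sh
# Added example: write compose.yml, nginx-certbot.env and a server block for
# one FQDN into a deployment directory. Not part of the original page.
# Assumptions: CERTBOT_EMAIL / STAGING are the env file keys the image expects;
# the image handles port 80 (ACME challenge) itself, so no port-80 block here.
set -eu

# write_deployment DIR FQDN EMAIL
# Creates DIR/compose.yml, DIR/nginx-certbot.env and DIR/user_conf.d/<FQDN>.conf.
write_deployment() {
    dir=$1; fqdn=$2; email=$3
    mkdir -p "$dir/user_conf.d"

    # Service definition as listed on the page: latest tag, unless-stopped,
    # ports 80/443, external secrets volume, local user_conf.d mount.
    cat > "$dir/compose.yml" <<EOF
services:
  nginx:
    image: jonasal/nginx-certbot:latest
    restart: unless-stopped
    env_file:
      - ./nginx-certbot.env
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - nginx_secrets:/etc/letsencrypt
      - ./user_conf.d:/etc/nginx/user_conf.d

volumes:
  nginx_secrets:
    external: true
EOF

    # STAGING=1 requests throwaway certificates from the Let's Encrypt staging
    # CA, so a misconfigured first attempt does not consume production rate
    # limits. Switch to 0 once the host is reachable on port 80.
    cat > "$dir/nginx-certbot.env" <<EOF
CERTBOT_EMAIL=$email
STAGING=1
EOF

    # Server block: server_name drives the certificate request, and the
    # directory name under /etc/letsencrypt/live/ is the certificate's name.
    cat > "$dir/user_conf.d/$fqdn.conf" <<EOF
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name $fqdn;

    ssl_certificate         /etc/letsencrypt/live/$fqdn/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/$fqdn/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/$fqdn/chain.pem;
    ssl_dhparam             /etc/letsencrypt/dhparams/dhparam.pem;

    location / {
        default_type text/plain;
        return 200 "Let's Encrypt certificate successfully installed!";
    }
}
EOF
}

# Usage: ./write-deployment.sh ./nginx-certbot nginx-certbot123.hostkey.in admin@example.com
if [ $# -ge 3 ]; then
    write_deployment "$1" "$2" "$3"
fi
```

Create the external volume once with docker volume create nginx_secrets before the first docker compose up -d; with external: true, Compose refuses to start the service if the volume does not exist. Keep STAGING=1 until the server block is confirmed to work, then set STAGING=0 and recreate the container (see the image README for how it handles the switch from staging to production certificates).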

Permission Settings

Starting the stack requires a user who can talk to the Docker daemon: root, or a member of the docker group (which is equivalent to root on the host). The docker-compose.yml file and the user_conf.d directory should be owned by that user and not be writable by others, since anything placed in user_conf.d becomes part of the running Nginx configuration. The nginx_secrets volume is an external Docker volume, so the certificate files, including privkey.pem, live under Docker's volume storage on the host rather than in the deployment directory and are reachable only with root or Docker access; the container, not the deployment directory, carries the file permissions for the certificates.

Location of Configuration Files and Data

  • Compose File: Located at the root of the deployment directory (e.g., ./compose.yml or ./docker-compose.yml).

  • Environment Variables: Stored in ./nginx-certbot.env.

  • Nginx Configuration: Custom server configurations are stored in the local ./user_conf.d directory, which is mounted into the container.

  • Certificates: Stored within the external Docker volume named nginx_secrets.

Available Ports for Connection

The following ports are exposed on the host server for client connections:

Port   Protocol   Service
80     TCP        HTTP (Let's Encrypt HTTP-01 challenge)
443    TCP        HTTPS (secure web traffic)

Starting, Stopping, and Updating

Service management is performed using Docker Compose commands.

  • Start Service:

    docker compose up -d
    

  • Stop Service (removes the container and its network; the external nginx_secrets volume and the certificates in it are kept):

    docker compose down
    

  • Update Service: To pull the latest image and recreate the container (docker compose up -d only recreates it if the pulled image differs from the running one):

    docker compose pull nginx
    docker compose up -d
    
