diff --git a/certbot/Dockerfile b/certbot/Dockerfile new file mode 100644 index 00000000..c62405e9 --- /dev/null +++ b/certbot/Dockerfile @@ -0,0 +1,8 @@ +FROM phusion/baseimage:latest + +COPY run-certbot.sh /root/certbot/run-certbot.sh + +RUN apt-get update +RUN apt-get install -y letsencrypt + +ENTRYPOINT bash -c "bash /root/certbot/run-certbot.sh && sleep infinity" diff --git a/certbot/letsencrypt/.gitkeep b/certbot/letsencrypt/.gitkeep new file mode 100644 index 00000000..e69de29b diff --git a/certbot/letsencrypt/.well-known/.gitkeep b/certbot/letsencrypt/.well-known/.gitkeep new file mode 100644 index 00000000..e69de29b diff --git a/certbot/run-certbot.sh b/certbot/run-certbot.sh new file mode 100644 index 00000000..26be75c7 --- /dev/null +++ b/certbot/run-certbot.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +letsencrypt certonly --webroot -w /var/www/letsencrypt -d "$CN" --agree-tos --email "$EMAIL" --non-interactive --text + +cp /etc/letsencrypt/archive/"$CN"/cert1.pem /var/certs/cert1.pem +cp /etc/letsencrypt/archive/"$CN"/privkey1.pem /var/certs/privkey1.pem diff --git a/docker-compose.yml b/docker-compose.yml index c16d0ed4..83b78209 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -343,6 +343,18 @@ services: - "9300:9300" links: - php-fpm + +### Certbot Container ################################## + + certbot: + build: + context: ./certbot + volumes: + - ./data/certbot/certs/:/var/certs + - ./certbot/letsencrypt/:/var/www/letsencrypt + environment: + CN: "fake.domain.com" + EMAIL: "fake.email@gmail.com" ### Mailhog Container ######################################### diff --git a/nginx/nginx.conf b/nginx/nginx.conf index 88bc7609..25829c42 100644 --- a/nginx/nginx.conf +++ b/nginx/nginx.conf @@ -23,6 +23,10 @@ http { error_log /var/log/nginx/error.log; gzip on; gzip_disable "msie6"; + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; + include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-available/*; open_file_cache off; # Disabled for issue 619 diff --git a/nginx/sites/default.conf b/nginx/sites/default.conf index 2ce47b56..59e4e2da 100644 --- a/nginx/sites/default.conf +++ b/nginx/sites/default.conf @@ -24,6 +24,11 @@ server { location ~ /\.ht { deny all; } + + location /.well-known/acme-challenge/ { + root /var/www/letsencrypt/; + log_not_found off; + } } diff --git a/nginx/sites/laravel-https.conf b/nginx/sites/laravel-https.conf new file mode 100644 index 00000000..0704dbf8 --- /dev/null +++ b/nginx/sites/laravel-https.conf @@ -0,0 +1,30 @@ +server { + + listen 443 default_server; + listen [::]:443 default_server ipv6only=on; + + ssl on; + ssl_certificate /var/certs/cert1.pem; + ssl_certificate_key /var/certs/privkey1.pem; + + server_name laravel; + root /var/www/laravel/public; + index index.php index.html index.htm; + + location / { + try_files $uri $uri/ /index.php$is_args$args; + } + + location ~ \.php$ { + try_files $uri /index.php =404; + fastcgi_pass php-upstream; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include fastcgi_params; + } + + location ~ /\.ht { + deny all; + } + +}