diff --git a/docker-compose.yml b/docker-compose.yml index fa350a2..9515395 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -5,22 +5,15 @@ services: restart: unless-stopped nginx: - image: jonasal/nginx-certbot:latest + image: nginx:alpine # Switch to plain Nginx (no Certbot) container_name: demo-nginx restart: unless-stopped ports: - 8008:80 - 4433:443 - environment: - - CERTBOT_EMAIL=the.dark.mist23@gmail.com - - ENVSUBST_TEMPLATE_SUFFIX=.tmpl # Enables template processing if needed volumes: - ./nginx_user_conf.d:/etc/nginx/conf.d/ - - letsencrypt:/etc/letsencrypt - - /home/devroot/demo/certs/fullchain.pem:/etc/nginx/ssl/origin_cert.pem:ro # Mount cert - - /home/devroot/demo/certs/prvkey.pem:/etc/nginx/ssl/origin_key.key:ro # Mount key + - /home/devroot/demo/certs/fullchain.pem:/etc/nginx/ssl/fullchain.pem:ro # Mount cert + - /home/devroot/demo/certs/prvkey.pem:/etc/nginx/ssl/privkey.pem:ro # Mount key depends_on: - app - -volumes: - letsencrypt: diff --git a/nginx_user_conf.d/server.conf b/nginx_user_conf.d/server.conf index 583e641..981e5ef 100644 --- a/nginx_user_conf.d/server.conf +++ b/nginx_user_conf.d/server.conf @@ -1,9 +1,23 @@ server { listen 80; + server_name demo.networkwizard.xyz; + + # Optional: Redirect HTTP to HTTPS (access via external port 8008 redirects to 4433) + location / { + return 301 https://$host:4433$request_uri; + } +} + +server { listen 443 ssl; server_name demo.networkwizard.xyz; - # SSL config handled by the container image + ssl_certificate /etc/nginx/ssl/fullchain.pem; + ssl_certificate_key /etc/nginx/ssl/privkey.pem; + + # Optional: Enhance security + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers HIGH:!aNULL:!MD5; location / { proxy_pass http://app:5000; @@ -12,6 +26,4 @@ server { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } - - # Redirect HTTP to HTTPS (handled automatically by the image after certs are obtained) }
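Review bot: The two single-file bind mounts for `fullchain.pem` and `prvkey.pem` will keep serving a stale certificate after renewal: a bind mount of a file follows the inode, so if the renewal process writes a new file and renames it over the old one the container still sees the old contents, and even an in-place overwrite is only picked up when nginx reloads, since it reads the key pair at start or on `nginx -s reload`. With the Certbot image's in-container renewal removed here, nothing in the diff reloads nginx either, and how the host files get refreshed is not visible from this change. Mount the directory instead, `- /home/devroot/demo/certs:/etc/nginx/ssl:ro`, point `ssl_certificate_key` at the actual host filename (`prvkey.pem`) or rename it, and document the renewal step including `docker compose exec demo-nginx nginx -s reload`. Separately, `nginx:alpine` is a floating tag; pinning a version or digest keeps the deployed TLS stack reproducible.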
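Review bot: The redirect in the new port-80 block reflects the client-supplied Host header, `return 301 https://$host:4433$request_uri;`, and since this appears to be the only `listen 80` server it is also the default server, so a request carrying `Host: evil.example` is answered with a 301 to `https://evil.example:4433/...` regardless of `server_name`; use `return 301 https://$server_name:4433$request_uri;` (or add a catch-all default server that returns 444). In the 443 block, `ssl_ciphers HIGH:!aNULL:!MD5;` still admits TLS 1.2 suites without forward secrecy (static RSA key exchange) and CBC modes; an ECDHE-only list such as `ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;` with `ssl_prefer_server_ciphers off;` is the usual baseline. Because the site is now HTTPS-only, an HSTS header, `add_header Strict-Transport-Security "max-age=31536000" always;`, belongs next to the ssl_* directives. The 443 server block continues past the end of this hunk.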