docker.recipes

NGINX + Let's Encrypt

intermediate

NGINX web server with automatic SSL certificate generation and renewal using Certbot.

Overview

NGINX is a high-performance HTTP server, reverse proxy, and load balancer originally developed by Igor Sysoev in 2004 to address the C10K problem of handling 10,000 concurrent connections. Built on an event-driven, asynchronous architecture, it excels at serving static content, terminating TLS, and sustaining high traffic with far less memory than traditional process-per-connection web servers.

This stack pairs NGINX with Certbot, the Electronic Frontier Foundation's ACME client for Let's Encrypt. NGINX serves web traffic and terminates HTTPS; Certbot obtains certificates via the HTTP-01 challenge, which it satisfies by writing a token into a webroot that NGINX serves under /.well-known/acme-challenge/. The initial certificate is requested once by hand (see Usage Notes); after that the Certbot container loops, running certbot renew every 12 hours, which only replaces a certificate once it is within its renewal window (by default 30 days before expiry). NGINX reads certificate files at startup and on reload, so it must be reloaded after a renewal before the new certificate is served.

This stack suits system administrators running production websites, developers deploying applications that require HTTPS, and organisations that want free, automatically renewed certificates. It provides HTTPS for any publicly reachable domain while keeping NGINX's performance characteristics for high-traffic scenarios.

Key Features

  • Event-driven asynchronous architecture handling thousands of concurrent connections with minimal memory overhead
  • Automatic certificate issuance and renewal through the Let's Encrypt ACME protocol (HTTP-01 challenge)
  • HTTP/2 support, and HTTP/3 over QUIC in nginx 1.25 and later; both must be enabled explicitly in the server block
  • Built-in rate limiting and connection limiting (limit_req, limit_conn) to mitigate abuse and volumetric attacks
  • Twice-daily renewal checks by the Certbot container; a renewed certificate is picked up by an NGINX reload, which does not drop in-flight connections
  • WebSocket proxying support for real-time, bidirectional applications
  • Load balancing methods including round-robin, least-connections, and IP hash
  • TLS termination with modern protocol and cipher settings and security headers (such as HSTS) configured in the server block

Common Use Cases

  • Production websites requiring HTTPS with automated certificate management and high availability
  • E-commerce platforms needing TLS encryption for payment processing and customer data protection
  • API endpoints serving mobile applications or third-party integrations requiring HTTPS
  • Blog and content management systems with high traffic volumes and strict uptime requirements
  • Development and staging environments that mirror production HTTPS configurations for testing
  • Small business websites moving from HTTP to HTTPS for SEO benefits and to avoid browser security warnings
  • Multi-domain hosting environments where each site needs its own certificate with automated renewal

Prerequisites

  • Domain name with a DNS A record (and AAAA record, if you publish one; Let's Encrypt validates over IPv6 when an AAAA record exists, so a stale one fails the challenge) pointing at your server's public IP address
  • Server with roughly 256MB RAM for NGINX plus 128MB for Certbot runs
  • Ports 80 and 443 open on the firewall; port 80 is required for the HTTP-01 challenge even if you redirect all other traffic to HTTPS
  • Basic understanding of NGINX server block configuration and TLS certificate concepts
  • Docker and Docker Compose installed; certificate storage under ./certbot/conf is negligible (a few kilobytes per domain)

For development & testing. Review security settings, change default credentials, and test thoroughly before production use. See Terms

docker-compose.yml

docker-compose.yml
services:
  nginx:
    image: nginx:alpine
    container_name: nginx
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx/conf.d:/etc/nginx/conf.d:ro
      - ./certbot/conf:/etc/letsencrypt:ro
      - ./certbot/www:/var/www/certbot:ro
    networks:
      - web

  certbot:
    image: certbot/certbot
    container_name: certbot
    volumes:
      - ./certbot/conf:/etc/letsencrypt
      - ./certbot/www:/var/www/certbot
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
    networks:
      - web

networks:
  web:
    driver: bridge

.env Template

.env
# Domain Configuration
DOMAIN=example.com
EMAIL=admin@example.com

Usage Notes

  1. Docs: https://nginx.org/en/docs/ and https://certbot.eff.org/docs/
  2. Create nginx/conf.d/default.conf with your server blocks before starting. The bind mount replaces the image's default configuration, so an empty directory leaves NGINX with no server blocks and nothing is served.
  3. Initial cert: docker compose run --rm --entrypoint certbot certbot certonly --webroot -w /var/www/certbot -d yourdomain.com --email you@example.com --agree-tos. The --entrypoint flag is required because the compose file replaces the image entrypoint with the renew loop; without it the certonly arguments are ignored and the loop runs instead. Add --staging or --dry-run for a first attempt so a misconfiguration does not consume production rate limits. NGINX must already be running with the challenge location (note 5) on port 80. The DOMAIN and EMAIL values in .env are not referenced by the compose file; substitute them here.
  4. Certbot checks for renewal every 12 hours and replaces the files under /etc/letsencrypt/live/ when a certificate is due. NGINX only serves the new certificate after a reload: docker exec nginx nginx -s reload
  5. The port 80 server block must serve the challenge directory: location /.well-known/acme-challenge/ { root /var/www/certbot; }
  6. Test config: docker exec nginx nginx -t
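The notes above describe a chicken-and-egg problem: NGINX cannot start an HTTPS server block until a certificate exists, but Certbot's HTTP-01 challenge needs NGINX running to serve the token. The following script, added here as an example and not part of the docker.recipes kit, carries the whole procedure through in two phases and also covers the renewal-reload gap from note 4 and the Troubleshooting section. It assumes this page's compose file (services named nginx and certbot, the ./nginx/conf.d and ./certbot/* bind mounts), an nginx 1.25 or later image (for the http2 directive), Docker on the host, and DOMAIN and EMAIL from the .env template exported into the environment; the rendered server blocks and the compose override are the author's own choices, not configuration shipped by either project.

```shell
#!/bin/sh
# Added example for the NGINX + Let's Encrypt recipe above (not part of the
# docker.recipes kit). Assumes this page's compose file (services nginx and certbot,
# ./nginx/conf.d and ./certbot/* bind mounts), an nginx 1.25+ image (for "http2 on"),
# and DOMAIN/EMAIL from the .env template exported into the environment.
set -eu

CONF_DIR="${CONF_DIR:-./nginx/conf.d}"   # host side of the /etc/nginx/conf.d mount
WEBROOT="/var/www/certbot"               # challenge webroot shared by both containers

# Phase 1: HTTP-only server block so nginx can start before any certificate exists.
# It serves the HTTP-01 token directory and refuses everything else.
render_bootstrap_conf() {
    domain="$1"
    cat <<EOF
server {
    listen 80;
    server_name ${domain};
    location /.well-known/acme-challenge/ { root ${WEBROOT}; }
    location / { return 404; }
}
EOF
}

# Phase 2: production config, written only once /etc/letsencrypt/live/<domain>/ exists.
# Port 80 keeps serving the challenge directory (renewals need it) and redirects the
# rest; port 443 terminates TLS with the full chain, TLS 1.2+ only, and HSTS.
render_tls_conf() {
    domain="$1"
    cat <<EOF
server {
    listen 80;
    server_name ${domain};
    location /.well-known/acme-challenge/ { root ${WEBROOT}; }
    location / { return 301 https://\$host\$request_uri; }
}

server {
    listen 443 ssl;
    http2 on;
    server_name ${domain};

    ssl_certificate     /etc/letsencrypt/live/${domain}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / { root /usr/share/nginx/html; }   # replace with proxy_pass to your app
}
EOF
}

# Compose override: make nginx re-read its certificate files every 6 hours, so a
# certificate renewed by the certbot container goes live without a manual reload.
render_reload_override() {
    cat <<'EOF'
services:
  nginx:
    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
EOF
}

# Bootstrap: phase-1 config -> start nginx -> issue certificate -> phase-2 config.
# --entrypoint is required because the compose file replaces certbot's entrypoint with
# the renew loop; without it "certonly" would be ignored and the loop would run instead.
# STAGING=1 uses the Let's Encrypt staging CA (relaxed rate limits) for a first attempt.
bootstrap() {
    domain="$1"; email="$2"
    mkdir -p "$CONF_DIR" ./certbot/conf ./certbot/www
    render_bootstrap_conf "$domain" > "$CONF_DIR/default.conf"
    render_reload_override > ./docker-compose.override.yml
    docker compose up -d nginx
    docker compose run --rm --entrypoint certbot certbot certonly --webroot -w "$WEBROOT" \
        -d "$domain" --email "$email" --agree-tos --no-eff-email ${STAGING:+--staging}
    render_tls_conf "$domain" > "$CONF_DIR/default.conf"
    docker exec nginx nginx -t          # set -e: a bad config aborts before the reload
    docker exec nginx nginx -s reload
    docker compose up -d certbot        # only now start the renew loop
}

case "${1:-}" in
    bootstrap) bootstrap "${DOMAIN:?export DOMAIN}" "${EMAIL:?export EMAIL}" ;;
esac
```

Run it from the recipe directory as `set -a; . ./.env; set +a; sh bootstrap.sh bootstrap`, first with `STAGING=1` to confirm DNS and port 80 reachability without touching production limits, then again without it. The override file is picked up automatically by docker compose and leaves the recipe's own docker-compose.yml untouched; because nginx mounts ./certbot/conf read-only and the reload is driven from inside the nginx container, neither container needs access to the Docker socket.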

Individual Services (2 services)

Copy individual services to mix and match with your existing compose files.

nginx
nginx:
  image: nginx:alpine
  container_name: nginx
  restart: unless-stopped
  ports:
    - "80:80"
    - "443:443"
  volumes:
    - ./nginx/conf.d:/etc/nginx/conf.d:ro
    - ./certbot/conf:/etc/letsencrypt:ro
    - ./certbot/www:/var/www/certbot:ro
  networks:
    - web
certbot
certbot:
  image: certbot/certbot
  container_name: certbot
  volumes:
    - ./certbot/conf:/etc/letsencrypt
    - ./certbot/www:/var/www/certbot
  entrypoint: /bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'
  networks:
    - web

Quick Start

terminal
# 1. Create the compose file
cat > docker-compose.yml << 'EOF'
services:
  nginx:
    image: nginx:alpine
    container_name: nginx
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx/conf.d:/etc/nginx/conf.d:ro
      - ./certbot/conf:/etc/letsencrypt:ro
      - ./certbot/www:/var/www/certbot:ro
    networks:
      - web

  certbot:
    image: certbot/certbot
    container_name: certbot
    volumes:
      - ./certbot/conf:/etc/letsencrypt
      - ./certbot/www:/var/www/certbot
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
    networks:
      - web

networks:
  web:
    driver: bridge
EOF

# 2. Create the .env file
cat > .env << 'EOF'
# Domain Configuration
DOMAIN=example.com
EMAIL=admin@example.com
EOF

# 3. Start the services
#    (nginx needs a server block in ./nginx/conf.d first, and the initial
#    certificate is requested separately; see Usage Notes)
docker compose up -d

# 4. View logs
docker compose logs -f

One-Liner

Run this command to download and set up the recipe in one step:

terminal
1curl -fsSL https://docker.recipes/api/recipes/nginx-letsencrypt/run | bash

Troubleshooting

  • Certificate validation failed: Ensure the domain's A (and AAAA) records point at this server and that port 80 reaches the NGINX container. To confirm the challenge path is served, place a file in ./certbot/www/.well-known/acme-challenge/ and fetch it from outside over http://yourdomain.com/.well-known/acme-challenge/
  • NGINX fails to start with SSL errors: The ssl_certificate files do not exist yet. Obtain the initial certificate with an HTTP-only server block, then add the HTTPS block and reload
  • Browser shows certificate warnings: Point ssl_certificate at /etc/letsencrypt/live/<domain>/fullchain.pem (not cert.pem, which omits the intermediate) and ssl_certificate_key at privkey.pem in the same directory, and reload NGINX after each renewal
  • Certbot renewal fails with rate limiting: Let's Encrypt allows 50 certificates per registered domain per week and 5 duplicate certificates (same set of names) per week. Wait, or test with --staging or --dry-run, which do not count against production limits
  • NGINX configuration test fails: Run docker exec nginx nginx -t to see the offending line before restarting containers
  • Mixed content warnings in browser: Serve all assets over HTTPS and add a Strict-Transport-Security header in the HTTPS server block
