Nginx with docker and letsencrypt

Hi,
I would like to use the Docker engine to host a Nextcloud container with an external Maria database and use the jwilder/nginx-proxy image as a reverse proxy in combination with jrcs/letsencrypt-nginx-proxy-companion, which allows me to use an HTTPS connection.

On my openSUSE test system this combination of Docker containers, connected by a Docker network, and HTTPS does work.
Now I would like to use the same combination here with Rockstor. The problem I am facing is that I can’t get a letsencrypt certificate.
As far as I understand, letsencrypt needs to reach the jwilder/nginx-proxy container on Port 80 and 443. Since Rockstor itself uses nginx which listens on port 443, my idea was to forward these ports from the “Rockstor nginx” to the jwilder/nginx-proxy container and the jwilder/nginx-proxy container does the certificate “magic”.
Is this a good idea and a feasible solution to put the jwilder/nginx-proxy behind the “Rockstor nginx”?
Well, obviously not with my skills and my understanding of nginx, because that’s where I am stuck. I tried various configurations of the “Rockstor nginx” to forward ports 80 and 443
e.g.

server {
    listen 80;
    server_name my.ddns.org;
    location / {
        proxy_pass http://localhost:5080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

server {
    listen 443;
    server_name my.ddns.org;
    location / {
        proxy_pass http://localhost:5443;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

or

stream {
  server {
    listen     444;
    proxy_pass my.ddns.org:444;
  }
}

but nothing worked. How can I use a docker nginx container behind the Rockstor nginx?

Or is it simply not possible to use two nginx proxies with letsencrypt? Would it then be possible to configure the Rockstor nginx to work with the docker containers and letsencrypt?

Any help appreciated, Bert

Hi @Bert,

Are you wanting to expose port 80/443 of your Rockstor server to the internet? I’d strongly recommend not exposing the Rockstor UI to the internet.

Hopefully your Rockstor server is sitting behind some sort of network device that has a firewall, that you can instead forward port 80/443 to the port your jwilder/nginx-proxy proxy is running on.

Hi @Bert
I would second @vesper1978’s wise advice on not exposing Rockstor’s webUI if you don’t have to.
I do understand that jwilder’s nginx images do require ports 80 and/or 443 (or at least used to?) so as an alternative, you can change the port used by Rockstor’s webUI from 443 to whatever else is not used.
To do so, go to “System > Services” and click on the little wrench icon next to the Rockstor service to configure it. There, simply use the port of your choice for the “HTTPS Port” (see below), but note of course that you will need to use that new port when you need to access Rockstor’s webUI from now on.

Regarding Nextcloud setup, you will find a few resources on this forum, from users who wrote nice “how-to” guides with similar apps. Feel free to have a look at them:

Of course, you can also use an Nginx Rock-on to do the same thing, which would allow you to leave Rockstor’s nginx config alone.
You may also be interested to know that I’m currently working on implementing an easy way to do just what you need and are apparently doing on your openSUSE system:

We indeed have a pending pull-request on Github that would add support for docker labels to Rock-ons, followed by a current work in progress to implement docker networks into Rockstor and the Rock-ons system (see below).
https://github.com/rockstor/rockstor-core/pull/1999

Main discussion on docker networks, with reference to more focused individual issues therein:
https://github.com/rockstor/rockstor-core/issues/1982

Hope this helps,
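
The layout the replies point towards, as an added example that is not from the thread or from the Rockstor project: once Rockstor's web UI has been moved off port 443, jwilder/nginx-proxy can bind 80/443 itself and the companion can complete the Let's Encrypt challenge, with Nextcloud reachable only over the shared Docker network. It assumes Docker Compose is available on the host, that the router forwards only 80/443 to it, and that `admin@example.org`, the `proxy` network and the volume names are placeholders; database settings for Nextcloud are omitted.

```yaml
# Added example (assumptions: Compose available, Rockstor UI moved off 443,
# only 80/443 forwarded from the router; names and e-mail are placeholders).
services:
  nginx-proxy:
    image: jwilder/nginx-proxy
    ports:
      - "80:80"     # needed for the HTTP-01 challenge
      - "443:443"
    labels:
      # lets the companion find the proxy container it must reload
      - "com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy"
    volumes:
      - certs:/etc/nginx/certs:ro
      - vhost:/etc/nginx/vhost.d
      - html:/usr/share/nginx/html
      - /var/run/docker.sock:/tmp/docker.sock:ro   # read-only socket
    networks: [proxy]

  letsencrypt:
    image: jrcs/letsencrypt-nginx-proxy-companion
    volumes:
      - certs:/etc/nginx/certs:rw    # companion writes the certificates
      - vhost:/etc/nginx/vhost.d
      - html:/usr/share/nginx/html   # challenge files served by nginx-proxy
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks: [proxy]
    depends_on: [nginx-proxy]

  nextcloud:
    image: nextcloud
    environment:
      VIRTUAL_HOST: my.ddns.org        # picked up by nginx-proxy
      LETSENCRYPT_HOST: my.ddns.org    # picked up by the companion
      LETSENCRYPT_EMAIL: admin@example.org
    volumes:
      - nextcloud:/var/www/html
    networks: [proxy]                  # no published ports: proxy-only access

networks:
  proxy:
volumes:
  certs:
  vhost:
  html:
  nextcloud:
```

With this layout the Rockstor UI port is never forwarded from the router, so only the proxy container is reachable from the internet.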