The Docker containers are deployed and accessible from the outside world - nice! But opening the pages of certain services in a browser reports "Your connection is not secure". This happens because SSL certificates are missing. A reverse proxy in front of multiple Docker services maps subdomains to IPs/ports in your local network. Furthermore, the required SSL certificates can be requested automatically from the free certificate authority "Let's Encrypt". All of this is managed by "nginx proxy manager", which can itself be deployed as a Docker container.

The Docker image jc21/nginx-proxy-manager is prepared for use as a reverse proxy. Additionally, Let's Encrypt certificates can be requested through it.

Here is the section for the docker-compose.yml, which also creates two volumes for storing the settings and the certificates:

services:
  npm:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      - '80:80'    # HTTP
      - '81:81'    # admin web UI
      - '443:443'  # HTTPS
    volumes:
      - npm_data:/data             # settings
      - npm_cert:/etc/letsencrypt  # certificates

volumes:
  npm_data:
  npm_cert:

After running sudo docker-compose up -d, the service for managing the reverse proxy is reachable at localhost:81 on the Docker host machine. Log in with the default email address admin@example.com and password changeme.
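A mapping such as '81:81' names no host IP, so Docker publishes the admin UI on every interface of the host, not only on localhost, while the default login is still active. The following check is an added example, not part of the original post or of the nginx proxy manager project; the function names and the loopback-only alternative '127.0.0.1:81:81' are assumptions made for illustration.

```python
import ipaddress
import re

ADMIN_PORT = 81  # container port of the admin UI in the compose file above

# Compose short syntax: [HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTO]
# (port ranges are not handled in this example)
_SPEC = re.compile(
    r"^(?:(?P<ip>\[[0-9A-Fa-f:]+\]|\d{1,3}(?:\.\d{1,3}){3}):)?"
    r"(?:(?P<host>\d*):)?"
    r"(?P<container>\d+)"
    r"(?:/(?P<proto>tcp|udp))?$"
)


def parse_port(spec):
    """Split one 'ports:' entry into its parts; raise ValueError if malformed."""
    m = _SPEC.match(str(spec).strip())
    if not m:
        raise ValueError(f"unsupported port mapping: {spec!r}")
    ip = m.group("ip")
    return {
        "host_ip": ip.strip("[]") if ip else None,  # None = every interface
        "host_port": int(m.group("host")) if m.group("host") else None,
        "container_port": int(m.group("container")),
        "proto": m.group("proto") or "tcp",
    }


def is_loopback_only(mapping):
    """True only when the mapping is pinned to 127.0.0.0/8 or ::1."""
    ip = mapping["host_ip"]
    return ip is not None and ipaddress.ip_address(ip).is_loopback


def exposed_admin_mappings(ports, admin_port=ADMIN_PORT):
    """Return the entries that publish the admin UI beyond loopback."""
    return [
        spec for spec in ports
        if (m := parse_port(spec))["container_port"] == admin_port
        and not is_loopback_only(m)
    ]


# Constructed samples: the page's mapping and a loopback-only alternative.
PAGE_PORTS = ["80:80", "81:81", "443:443"]
HARDENED_PORTS = ["80:80", "127.0.0.1:81:81", "443:443"]

if __name__ == "__main__":
    print("page:", exposed_admin_mappings(PAGE_PORTS))
    print("hardened:", exposed_admin_mappings(HARDENED_PORTS))
```

With the loopback-only mapping, the admin UI is still reachable at localhost:81 on the Docker host, as the setup steps here assume, but no longer from other machines.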

After changing the email and password, which are used as login credentials, go to the tab SSL Certificates and choose Add SSL Certificate. In the window that appears

  • Add your DNS resolvable subdomain+domain
  • Add your email address
  • Agree to the terms of service
  • Hit Save.

After the certificate for the domain has been created successfully, go to the tab Hosts->Proxy Hosts and press Add Proxy. In the window that opens

  • Add the domain name to proxy
  • Select http as the scheme; this is used for internal communication with the Docker container
  • Fill in the forwarded hostname or IP under which the container is reachable internally
  • Fill in the port, which is exposed by the container

The Nginx-Proxy-Manager also forwards from an externally resolvable IPv6 domain name to an internally resolvable IPv4 hostname in Docker.

Please note that the forwarded hostname must be resolvable in the local network. The exposed port of the container must be bound to a Docker network bridge. In the tab SSL, select the certificate created before.

  • Hit Save.

Try to browse to subdomain.domain.org from the internet and check whether the website is certified by Let's Encrypt.