Add nginx reverse proxy with Let's Encrypt SSL

- nginx as reverse proxy for dawarich frontend - Let's Encrypt certificate support with automatic renewal - HTTP to HTTPS redirect, gzip compression - Bootstrap config for initial certificate request Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-14 11:19:07 +01:00
commit ab278da5fe
6 changed files with 329 additions and 0 deletions
--- a/nginx/Dockerfile
+++ b/nginx/Dockerfile
@@ -0,0 +1,7 @@
+FROM nginx:alpine
+RUN apk add --no-cache certbot
+COPY nginx.conf /etc/nginx/templates/nginx.conf
+COPY nginx-bootstrap.conf /etc/nginx/templates/nginx-bootstrap.conf
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+ENTRYPOINT ["/entrypoint.sh"]
--- a/nginx/entrypoint.sh
+++ b/nginx/entrypoint.sh
@@ -0,0 +1,50 @@
+#!/bin/sh
+set -e
+
+DOMAIN="location.butenostfreesen.de"
+EMAIL="${CERTBOT_EMAIL:-}"
+
+# Entferne Standard-Config
+rm -f /etc/nginx/conf.d/default.conf
+
+# Bootstrap-Config verwenden, wenn Zertifikate noch nicht existieren
+if [ ! -f "/etc/letsencrypt/live/${DOMAIN}/fullchain.pem" ]; then
+  echo "Zertifikate nicht gefunden. Starte mit Bootstrap-Config..."
+  cp /etc/nginx/templates/nginx-bootstrap.conf /etc/nginx/conf.d/default.conf
+  nginx -g "daemon off;" &
+  NGINX_PID=$!
+
+  # Warte auf Backend
+  echo "Warte auf Backend..."
+  sleep 10
+
+  if [ -n "$EMAIL" ]; then
+    echo "Fordere Let's Encrypt Zertifikat an..."
+    if certbot certonly --webroot -w /var/www/certbot \
+      --email "$EMAIL" \
+      --agree-tos \
+      --no-eff-email \
+      --non-interactive \
+      -d "$DOMAIN"; then
+      echo "Zertifikat erfolgreich erstellt. Starte nginx mit HTTPS..."
+      kill $NGINX_PID 2>/dev/null || true
+      sleep 2
+      cp /etc/nginx/templates/nginx.conf /etc/nginx/conf.d/default.conf
+    else
+      echo "Zertifikatsanforderung fehlgeschlagen. Laeufe mit HTTP (Port 80)."
+      echo "Stelle sicher, dass location.butenostfreesen.de auf diesen Server zeigt."
+      exec wait $NGINX_PID
+    fi
+  else
+    echo "HINWEIS: CERTBOT_EMAIL nicht gesetzt. Starte ohne SSL."
+    echo "Fuer Let's Encrypt: CERTBOT_EMAIL=deine@email.de setzen und Container neu starten."
+    exec wait $NGINX_PID
+  fi
+else
+  cp /etc/nginx/templates/nginx.conf /etc/nginx/conf.d/default.conf
+fi
+
+# Zertifikatserneuerung alle 12 Stunden im Hintergrund
+(while true; do sleep 12h; certbot renew --webroot -w /var/www/certbot --deploy-hook "nginx -s reload" 2>&1 | tee -a /var/log/certbot-renew.log; done) &
+
+exec nginx -g "daemon off;"
--- a/nginx/nginx-bootstrap.conf
+++ b/nginx/nginx-bootstrap.conf
@@ -0,0 +1,19 @@
+# Bootstrap-Konfiguration für initiale Zertifikatsanforderung (ohne SSL)
+server {
+	listen 80;
+	listen [::]:80;
+	server_name location.butenostfreesen.de;
+
+	location /.well-known/acme-challenge/ {
+		root /var/www/certbot;
+	}
+
+	location / {
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_set_header Host $http_host;
+		proxy_redirect off;
+		proxy_pass http://dawarich_app:3000/;
+	}
+}
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -0,0 +1,72 @@
+server {
+	listen 80;
+	listen [::]:80;
+	server_name location.butenostfreesen.de;
+
+	# ACME-Challenge für Let's Encrypt Zertifikatserneuerung
+	location /.well-known/acme-challenge/ {
+		root /var/www/certbot;
+	}
+
+	location / {
+		return 301 https://$host$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl;
+	listen [::]:443 ssl;
+	http2 on;
+	server_name location.butenostfreesen.de;
+
+	# Let's Encrypt Zertifikate
+	ssl_certificate /etc/letsencrypt/live/location.butenostfreesen.de/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/location.butenostfreesen.de/privkey.pem;
+	ssl_protocols TLSv1.2 TLSv1.3;
+	ssl_prefer_server_ciphers off;
+	ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
+	ssl_session_cache shared:SSL:10m;
+	ssl_session_timeout 1d;
+
+	gzip on;
+	gzip_vary on;
+	gzip_proxied any;
+	gzip_comp_level 6;
+	gzip_types
+		text/css
+		text/plain
+		text/xml
+		text/x-component
+		text/javascript
+		application/x-javascript
+		application/javascript
+		application/json
+		application/manifest+json
+		application/vnd.api+json
+		application/xml
+		application/xhtml+xml
+		application/rss+xml
+		application/atom+xml
+		application/vnd.ms-fontobject
+		application/x-font-ttf
+		application/x-font-opentype
+		application/x-font-truetype
+		image/svg+xml
+		image/x-icon
+		image/vnd.microsoft.icon
+		font/ttf
+		font/eot
+		font/otf
+		font/opentype;
+
+	location / {
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto https;
+		proxy_set_header X-Forwarded-Server $host;
+		proxy_set_header Host $http_host;
+		proxy_redirect off;
+
+		proxy_pass http://dawarich_app:3000/;
+	}
+}