- Includes nginx, fail2ban, and watchtower
- Relies on externally created
webdocker network - see docker-compose.yml- Can be created using
docker network create web
- Can be created using
- All sites this should proxy to should be attached to the
webnetwork- This can be done in several ways:
- setting
networks: default: name: 'web' external: truein adocker-compose.ymlfile at the top level - Running the docker service using
docker run -d --network="web"or similar
- setting
- This can be done in several ways:
- Get a domain name and set up DNS for it
- Cloudflare is free, good, and makes it easy to get wildcard SSL certificates from LetsEncrypt
- Other DNS providers are available
- It's easiest to just set up a wildcard A record for your domain
- Obtain wildcard cert for nginx, put into nginx/ssl folder.
- Cert can be obtained through LetsEncrypt, provided one is using a supported DNS provider.
- nginx needs the following certificate files:
chain.pemfullchain.pemprivkey.pem
- Check watchtower config, it's set to update everything at 4AM every day.
- The included docker-compose.yml file uses the TZ environment variable to set the timezone for watchtower
- See nginx/templates for Docker site config templates (and also weechat)
- Configs for individual sites should be in nginx/sites folder on nginx container startup
- Config files can be named whatever they wish, but the included nginx.conf file only loads
*.conf
- Create an .env file, for TZ env var and other handy things
- Create docker network using
docker network create web - Get some services up and attached to
web - Create nginx configs for services and store them in nginx/sites folder
- Start up nginx and its friends with
docker-compose up -d
- Add
Content-Security-Policyheader to each site config, usingadd_header Content-Security-Policyconfig option- This will likely need testing and tweaking to find out what works and what doesn't
- See https://infosec.mozilla.org/guidelines/web_security#content-security-policy for more information