The purpose of this repository is to create an easy-to-use Nginx reverse proxy which can generate certificates using letsencrypt, and also give you a nice shiny A+ on Observatory.


Automatic certificate generation

When the container boots, if no certificates are found, it will do the following:

  • First, create a self-signed certificate for the domain in question (so we can start nginx, and letsencrypt can do its host checks).
  • Use simp_le to generate or update the letsencrypt certificates for the domain.

It's important that the letsencrypt servers can contact your selected domain in order to do validation, and that this container is running on the server that hosts that domain. Basically, this is the flow of events:

Container Boots
  -> Self Signed certificates generated for given domain(s)
  -> Triggers LetsEncrypt for given domain(s)
  -> LetsEncrypt servers try to talk to <secret>
  -> LetsEncrypt servers return certificate
  -> Self signed replaced with LetsEncrypt certs
  -> Container restarts NGINX

Multiple domains, no configuration

You can host multiple domains on the same NGINX:443 host (see the example below).

The default server part is important: as we're hosting multiple SSL certificates on the same IP, Nginx will use SNI to serve up the relevant endpoint. If the client doesn't support SNI (for example, my curl client on macosx?!) then you'll get the default server.

Config file

IMPORTANT: Breaking change in 1.11.10-5: we now use a configuration file rather than loads of environment variables, which allows for more configuration. You need to make sure you mount /config/config.js.

This is an example of a two-host configuration: one host upstreams to app:2368, and the other is just a redirect. It's actually the configuration I use on my blog.

You can add as many hosts as you want.

module.exports = {
  karlstoney: {
    fqdn: '',
    redirectInsecure: true,
    useHsts: true,
    useCsp: true,
    usePagespeed: true,
    csp: "default-src 'self' wss: 'nonce-$cspNonce'",
    default: true,
    upstreams: {
      root: 'app:2368'
    },
    paths: {
      '/': 'root'
    }
  },
  www: {
    fqdn: '',
    redirect: ''
  }
};

And then have a docker-compose file like this:

version: '2'

services:
  nginx:    # service name not given in the original; any name works
    image: stono/docker-nginx-letsencrypt
    restart: always
    volumes:
      - ./certs:/etc/letsencrypt/live
      - ./config.js:/config/config.js
    environment:
      - LETSENCRYPT=true
    ports:
      - 443
      - 80

Configuration options

There are some mandatory parameters on a site:

  • fqdn: The FQDN of your domain
  • upstreams: The definition of the site upstreams
  • paths: The paths to send to the upstreams

There are some optional parameters:

  • default: Should this be the default site for requests whose host matches no configured FQDN
  • redirectInsecure: Should we send port 80 requests to 443
  • useHsts: Should the https site send an HSTS header
  • useCsp: Will enable the Content-Security-Policy header with the recommended default policy "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'"
  • csp: Override the csp string
  • other_server: Arbitrary lines to add to the server block
  • usePagespeed: If we should enable automatic page speed improvements using Google's PageSpeed module

Notes about Content Security Policy

Nginx has been compiled to generate a Content Security Policy nonce, which is exposed in the nginx configuration as $cspNonce. Nginx will look through your upstream's response and effectively find and replace the **CSP_NONCE** string with the actual nonce. This allows you to use inline script and style blocks if you need to, for example:

This would not execute:


Whereas this would:

<script nonce='**CSP_NONCE**'>


You need to persist your certificates, so mount the /etc/letsencrypt folder!
