Welcome to the Envoy-SSL template repository. This template provides an easy setup for integrating Envoy with automatic SSL/TLS certificate renewals using Certbot. With it, you can run an SSL-secured environment for your applications without the usual overhead of managing certificate renewals by hand.
Here's a high-level overview of how this setup works:
- We utilize Jonasal's `jonasal/nginx-certbot` Docker image to run an automated NGINX+Certbot issuance and renewal container.
- The Envoy and Certbot containers are created sharing the volume where the certificates reside, so Envoy can read what Certbot writes.
- Envoy is set up with an HTTP configuration that routes `/.well-known/` paths to the Certbot container, which is how the Let's Encrypt HTTP-01 challenge is answered. In addition, Envoy has an HTTPS configuration that serves the issued certificate. This HTTPS listener is what you integrate with your application.
- Once you start everything with `docker-compose`, Certbot contacts Let's Encrypt's servers to obtain the certificates. Once done, Envoy has access to these certificates on the shared volume and can serve SSL. Certbot then periodically checks for and handles certificate renewals.
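To make the two-listener layout concrete, here is an added example of a rendered Envoy v3 static configuration that implements it. This is illustrative code written for this page, not the repository's own templates, and it assumes a few names that the page does not state: the Certbot container is reachable on the compose network as `certbot:80`, the shared certificate volume is mounted read-only at `/etc/letsencrypt` inside the Envoy container, the site is `example.com`, and the application is reachable as `app:8080`. It also narrows the proxied prefix to `/.well-known/acme-challenge/` and redirects everything else to HTTPS, which is tighter than routing all of `/.well-known/`.

```yaml
# Added example (not the repository's own config): a rendered Envoy v3 static
# config implementing the two listeners described above. Assumptions:
#   - the Certbot container is reachable on the compose network as "certbot:80"
#   - the shared certificate volume is mounted read-only at /etc/letsencrypt
#   - the site is example.com and the application is reachable as "app:8080"
static_resources:
  listeners:
  # Plaintext listener: only ACME challenge traffic is proxied to Certbot;
  # everything else is redirected so no application data is served over HTTP.
  - name: listener_http
    address:
      socket_address: { address: 0.0.0.0, port_value: 80 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: acme_and_redirect
            virtual_hosts:
            - name: any
              domains: ["*"]
              routes:
              # Narrower than /.well-known/: only the ACME path reaches Certbot.
              - match: { prefix: "/.well-known/acme-challenge/" }
                route: { cluster: certbot }
              - match: { prefix: "/" }
                redirect: { https_redirect: true, response_code: MOVED_PERMANENTLY }
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

  # TLS listener: terminates HTTPS with the Certbot-issued certificate and
  # forwards decrypted traffic to the application.
  - name: listener_https
    address:
      socket_address: { address: 0.0.0.0, port_value: 443 }
    filter_chains:
    - transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          common_tls_context:
            alpn_protocols: ["h2", "http/1.1"]
            tls_params:
              tls_minimum_protocol_version: TLSv1_2
            tls_certificates:
            # Paths follow Certbot's default layout under the shared volume
            # (assumed mount point; adjust to the compose volume you use).
            - certificate_chain: { filename: "/etc/letsencrypt/live/example.com/fullchain.pem" }
              private_key: { filename: "/etc/letsencrypt/live/example.com/privkey.pem" }
      filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_https
          route_config:
            name: app
            virtual_hosts:
            - name: example_com
              domains: ["example.com"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: app }
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

  clusters:
  # The nginx-certbot container answers the HTTP-01 challenge on port 80.
  - name: certbot
    type: STRICT_DNS
    load_assignment:
      cluster_name: certbot
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: certbot, port_value: 80 }
  # Your application (assumed name and port).
  - name: app
    type: STRICT_DNS
    load_assignment:
      cluster_name: app
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: app, port_value: 8080 }
```

Two practitioner caveats on this layout. First, certificate files named statically under `tls_certificates` are read when Envoy starts, so after Certbot renews on the shared volume the running Envoy keeps the old certificate until it is restarted or the certificate is delivered through SDS; check how the template you deploy handles that step, and verify the served `notAfter` after a renewal with `openssl s_client -connect example.com:443 -servername example.com`. Second, mounting the certificate volume read-only into Envoy keeps the proxy from being able to alter the private key, which is the least privilege it needs.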
We also use Jinja2 templates for replacing variables.
The intent behind this project is that you can clone it and then repurpose it to your needs. What makes it most useful is that it comes with a Certbot + Envoy setup which provisions SSL certificates; you only need to give it the right configuration.
This covers most use-cases, with one limitation: the setup only works with the HTTP-01 challenge, so port 80 on the host must be reachable from the internet during validation, and you won't be able to provision wildcard certificates (those require the DNS-01 challenge).
Ensure you have Docker and Docker-Compose installed on your system.
We utilize a `.env` file for configuration settings. Check the `.env` file in this repository for an example and explanations of each of the values that are used by this setup. Values from the `.env` file are used to replace variables in the Envoy configuration files, which are Jinja2 templates.
Also, you can pass any configuration option from Jonas Alfredsson's nginx-certbot documentation to the Certbot container, since it's the same image. So you could use a local CA, toggle ECDSA keys, etc.
The setup below presumes your DNS records already point to the host you're provisioning the SSL certificates from; for instance, that you have already created an A record that points to the VPS where you're running this.
- Clone this repository.
- Modify the `.env` file with your configurations.
- Navigate to the root directory and run `docker-compose up -d`.
- Once set up, Certbot will request the necessary certificates from Let's Encrypt, and your Envoy proxy will be secured with SSL.
This template offers an efficient way to set up Envoy with SSL, backed by Certbot for automatic renewals. Feel free to use this as a base for your projects and contribute any improvements or suggestions you may have.
Shoutout and gratitude to Jonasal for their invaluable Nginx-Certbot Docker image. Their dedication to providing and maintaining such a crucial tool has significantly simplified the process of certificate management for many developers, including us. This project wouldn't be as seamless without their contribution. We encourage everyone to check out and support their work.
Thank you, Jonasal, for your dedication and for contributing to the open-source community!