Owner: Sammy Teillet

Control points

If, as an expert of docker, you want to adapt the standard to the context of your project, you have to check that:
  • server listen port 80 and 443
  • server redirect port 80 to 443 with 301: Moved Permanently
  • proxy should renew certificates automatically before they expire (letsencrypt certificates have 90 days of validity)
  • you should get at least A when checking
  • you should check in the report of that the server devices range cover your definition of DONE: eg, if you need to support old IE or old android, you have to lower the security enough for compatibility


  • You have a staging environment with docker
  • You can ssh to the server
  • Make sure you have the docker rights sudo usermod -aG docker $YOUR_USER_NAME

Steps (~15 min)

Install the nginx-proxy companion (~5 min)

  • Connect to your server ssh [email protected]
  • Clone the nginx-proxy-companion project on the server at the root of the server.
git clone [email protected]:evertramos/docker-compose-letsencrypt-nginx-proxy-companion.git
  • Create a .env file
cd docker-compose-letsencrypt-nginx-proxy-companion
cp ./.env.sample .env
  • Set the NGINX_FILES_PATH=/srv/nginx/data in the .env
    • vim ./.env
    • line 41 replace NGINX_FILES_PATH=/srv/nginx/data(or a different path if you prefer)
Try to launch the companion by running:
You should have the following error because the port 80 is already used by your app docker:
ERROR: for nginx-web Cannot start service nginx-web: driver failed programming external connectivity on endpoint nginx-web (4c0105fe57d370c99c0a143c967d1b8737006a4138618e1defebc4bab4e42d11): Bind for failed: port is already allocated

Configure your project to use the companion (~5 min)

  • Remove the binding 80 port command, but expose it
version: '3'
your-web-app: #It should contain port: "80:80"
# ...
- ports:
- - "80:80"
+ expose:
+ - 80
  • Configure the app to use the network created by the companion (webproxy is the default name)
version: '3'
# ...
+ default:
+ external:
+ name: webproxy
  • In your project set 3 environment variable: VIRTUAL_HOST, LETSENCRYPT_HOST, LETSENCRYPT_EMAIL. The email will be used by Letsencrypt to notify you if the certificate expire.There are 2 ways:
    • In the docker-compose file
    • In your prod.env file that is read by your Dockerfile.
Update the .env file of your web-app docker
  • In the ./env/prod.env add the following:
#... other env variable
OTHER solution
If you have no .env file you an also Update the docker-compose-prod file
version: '3'
your-web-app: #It should contain port: "80:80"
# ...
+ -
+ -

Make the switch (~5 min)

You will have to shut down your docker (so the port 80 is available), so during this step your domain won't be accessible.
  • Cut your app docker:
cd your-project-directory
docker-compose -f docker-compose-prod.yml down
  • Start the companion (go to the companion directory):
cd ../docker-compose-letsencrypt-nginx-proxy-companion
  • Launch your project docker again:
cd -
docker-compose -f docker-compose-prod.yml up -d
  • Check the validity of your domain, go to https://your.domain
  • Go there and check your domain. Useful tip: go to the Handshake Simulation section and check the supported devices.
Last modified 5yr ago