After installing NextCloud on a Raspberry Pi in a container, you may notice that it has no certificate. The browser will show the message "Your connection is not private". Of course you can find a way to install a certificate inside the container, but there is a simpler way. We can use another container that works as a proxy and holds all the needed certificates. There are several images on Docker Hub that offer this service. I have tried linuxserver/letsencrypt.
letsencrypt image
Certificates usually cost money, but https://letsencrypt.org/ offers them for free. A container created from the linuxserver/letsencrypt image performs all the actions needed to obtain a certificate. The image contains Nginx, which is used as the web server. These Docker Compose settings can be used:
services:
  letsencrypt:
    image: linuxserver/letsencrypt
    container_name: letsencrypt
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Riga
      - URL=eizvertins.com
      - SUBDOMAINS=subdomain1,subdomain2,subdomain3
      - VALIDATION=http
      - EMAIL=some_email@gmail.com
    volumes:
      - /home/pi/docker-volumes/letsencrypt/config:/config
    ports:
      - 443:443
      - 80:80
    restart: unless-stopped
Parameters:
- PUID, PGID - user ID and group ID. If you are using the pi user, specify 1000 for both parameters
- URL - must be specified to get a certificate
- SUBDOMAINS - list all subdomains; this is required to get a certificate that covers them all
- volumes - directory where the letsencrypt container will store its settings
- ports - ports that will be opened for the container. 443 is for HTTPS requests and 80 is for HTTP.
Run container
After creating the Docker Compose yml file, run it with the command
docker-compose up -d
Then check the startup progress
docker logs letsencrypt
Generating certificates can take several minutes on a Raspberry Pi. Note that you should open ports 443 and 80 on your router and forward them to the Raspberry Pi, otherwise letsencrypt will not be able to generate certificates. If there were no errors, you can type the URL in the browser: your_domain.com. The domain name should be the same as the URL parameter in the Docker Compose file. You should see this web page:
There is no certificate error now! This letsencrypt container can now be used as a proxy server for other containers, for example for the NextCloud application.
Proxy configuration
letsencrypt keeps its configuration file in the volume directory specified in the yml file settings, in my case in
/home/pi/docker-volumes/letsencrypt/config/nginx/site-confs/default
It already has default settings. Edit it with a text editor and add one more server block:
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    root /config/www;
    index index.html index.htm index.php;
    server_name cloud.*;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;
    location / {
        include /config/nginx/proxy.conf;
        proxy_pass https://web-server:1500;
    }
}
Parameters:
- server_name - the host name whose requests you want to redirect. In my case I have specified a subdomain. The subdomain should also be listed in the SUBDOMAINS parameter of the Docker Compose file
- proxy_pass - address where the application is located, including the port. In my case NextCloud is using port 1500.
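The rule that every proxied subdomain must also appear in SUBDOMAINS can be checked before restarting the container. The following is an added example, not part of the original post or of the linuxserver project: the function names are hypothetical, the sample texts are constructed from the settings shown above, and it assumes a name such as cloud.* is meant to be reached as cloud.<URL>. With the values on this page it reports cloud.eizvertins.com, because cloud is not in the example SUBDOMAINS list.

```python
import re

# Constructed sample input that mirrors the settings shown on this page.
COMPOSE = """\
    environment:
      - URL=eizvertins.com
      - SUBDOMAINS=subdomain1,subdomain2,subdomain3
      - VALIDATION=http
"""
SITE_CONF = """\
server {
    listen 443 ssl http2;
    server_name cloud.*;
    location / {
        proxy_pass https://web-server:1500;
    }
}
"""

def cert_hostnames(compose_text):
    """Return (URL, set of names the certificate is requested for)."""
    env = dict(re.findall(r"^\s*-\s*(\w+)=(\S*)\s*$", compose_text, re.M))
    domain = env["URL"]
    subs = [s for s in env.get("SUBDOMAINS", "").split(",") if s]
    return domain, {domain} | {f"{s}.{domain}" for s in subs}

def proxied_names(nginx_text):
    """Collect every name listed in a server_name directive."""
    names = []
    for value in re.findall(r"^\s*server_name\s+([^;]+);", nginx_text, re.M):
        names.extend(value.split())
    return names

def uncovered_hosts(compose_text, nginx_text):
    """Hosts nginx answers for that the certificate would not cover."""
    domain, covered = cert_hostnames(compose_text)
    missing = []
    for name in proxied_names(nginx_text):
        if name == "_":  # catch-all name of a default server block
            continue
        # Assumption: a trailing-wildcard name such as "cloud.*" is meant
        # to be reached as cloud.<URL>.
        host = name[:-1] + domain if name.endswith(".*") else name
        if host not in covered:
            missing.append(host)
    return missing

if __name__ == "__main__":
    for host in uncovered_hosts(COMPOSE, SITE_CONF):
        print(f"not in certificate: {host}")
```

To check real files, pass the contents of the compose yml file and of the site-confs/default file to uncovered_hosts instead of the constructed samples.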
Conclusion
Now when you enter the address with the specified subdomain in the browser, Nginx will redirect you to the NextCloud application. There will be no error about a missing certificate. You can add multiple redirection rules to the config file that lead to multiple applications. To use the applications from outside the local network, only two ports, 443 and 80, need to be opened, and the Raspberry Pi will be able to host several web applications.