I have been trying to set up SSL on my Docker Nginx server to no avail.
Backstory: I have a VPS on which I run multiple dockerized websites. On the front I have the jwilder nginx reverse proxy server with a network. All websites are linked to that network. For those websites that use the Cloudflare Flexible certificate, everything is working fine, but I have one that MUST be on the Full setting. The best I managed to achieve is a 525: SSL Handshake Failed.
As a certificate I use the Cloudflare Origin Server Certificate (pem/key).
Here is my setup:
Nginx Proxy:
  nginx-proxy:
    image: jwilder/nginx-proxy
    container_name: nginx-proxy
    ports:
      - "80:80"
      - "443:443"   # TLS from Cloudflare terminates here, in nginx-proxy, not in the website container
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      # nothing is mounted at /etc/nginx/certs, so nginx-proxy has no domain.com.crt / domain.com.key to serve
    environment:
      - VIRTUAL_PROTO=https   # nginx-proxy reads VIRTUAL_PROTO from the backend container's environment, not from its own
networks:
  default:
    external: true
    name: nginx-proxy
The website:
  website-php-fpm:
    build:
      context: ./php-fpm
    volumes:
      - ../src:/var/www
  website-nginx:
    build:
      context: ./nginx
    volumes:
      - ../src:/var/www
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf
      - ./nginx/sites/:/etc/nginx/sites-available
      - ./nginx/conf.d/:/etc/nginx/conf.d
      - ./nginx/ssl/:/etc/ssl   # this hides the image's own /etc/ssl (openssl.cnf, certs/); a subdirectory would be safer
    depends_on:
      - website-php-fpm
    expose:
      - 80
      - 443   # two exposed ports and no VIRTUAL_PORT: nginx-proxy will proxy to port 80 of this container
    container_name: websitenginx
    environment:
      VIRTUAL_HOST: domain.com,
networks:
  default:
    external: true
    name: nginx-proxy
The NGINX config:
worker_processes 4;
daemon off;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    access_log /var/log/nginx/access.log;
    sendfile on;
    keepalive_timeout 65;
    upstream php-upstream {
        server website-php-fpm:9000;
    }
    server {
        listen 80;
        listen [::]:80;
        server_name domain.com www.domain.com;
        return 302 https://$server_name$request_uri;
    }
    server {
        proxy_read_timeout 300;
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
        listen 443 ssl;
        listen [::]:443 ssl;
        # nginx comments start with '#'; a '//' after a directive is read as an unknown directive and nginx refuses the config
        ssl_certificate /etc/ssl/origin.com.pem;          # the one created by Cloudflare Origin
        ssl_certificate_key /etc/ssl/origin.com.key;      # the one created by Cloudflare Origin
        # ssl_verify_client on makes nginx demand a client certificate from every peer that connects
        # (here: Cloudflare's edge, or nginx-proxy), issued by the CA named in ssl_client_certificate.
        # A peer that presents no certificate, or one from a different CA, fails the TLS handshake.
        # The Cloudflare Origin CA root is the issuer of the origin server certificate above; it is not
        # the CA of any client certificate that the peer would present.
        ssl_client_certificate /etc/ssl/origin_ca_rsa_root.pem;   # the one that Cloudflare provides
        ssl_verify_client on;
        server_name domain.com www.domain.com;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # TLSv1 and TLSv1.1 are deprecated; TLSv1.2 alone is enough for Cloudflare
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
        ssl_prefer_server_ciphers on;
        root /var/www;
        index index.php index.html index.htm;
        location / {
            try_files $uri $uri/ /index.php$is_args$args;
        }
        location ~ \.php$ {   # the dot must be escaped; an unescaped '.' matches any character
            try_files $uri /index.php =404;
            fastcgi_pass php-upstream;
            fastcgi_index index.php;
            fastcgi_buffers 16 16k;
            fastcgi_buffer_size 32k;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            # fixes timeouts
            fastcgi_read_timeout 600;
            include fastcgi_params;
        }
        location ~ /\.ht {   # escaped dot, as above
            deny all;
        }
    }
}
Would really appreciate any hints. Thank you all!
PS: I tried at least a dozen combinations that didn't work; sorry, I can't remember them well enough to list them here.
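Added example, not code from the question or from any answer to it: it reproduces offline what the `ssl_verify_client on` / `ssl_client_certificate` pair in the config above does to a peer that presents no client certificate, or one from a different CA, which is exactly the kind of TLS handshake failure Cloudflare reports as a 525. It uses Python's ssl module over loopback and throwaway self-signed certificates generated with the `openssl` command-line tool, which it assumes is installed; the host name origin.example, the file names and the scenario names are the example's own, and no Cloudflare certificate is involved.

```python
"""Loopback reproduction of nginx's `ssl_verify_client on` behaviour.

Added example, not code from the question. Assumes the `openssl` CLI is
installed; all certificates are throwaway self-signed test data.
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

SERVER_NAME = "origin.example"  # placeholder standing in for domain.com


def make_self_signed(dirpath, name, cn):
    """Create a throwaway self-signed cert/key pair (constructed test data)."""
    key = os.path.join(dirpath, name + ".key")
    crt = os.path.join(dirpath, name + ".pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256",
         "-days", "1", "-subj", "/CN=" + cn, "-addext", "subjectAltName=DNS:" + cn,
         "-keyout", key, "-out", crt],
        check=True, capture_output=True)
    return crt, key


def server_context(cert, key, client_ca=None):
    """nginx server block: ssl_certificate + ssl_certificate_key, and, when
    client_ca is given, ssl_verify_client on + ssl_client_certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    if client_ca is not None:
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_verify_locations(client_ca)
    return ctx


def client_context(server_ca, client_cert=None):
    """The connecting side (Cloudflare's edge in Full (strict), or nginx-proxy):
    verifies the origin certificate; presents a client cert only if given one."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(server_ca)
    if client_cert is not None:
        ctx.load_cert_chain(*client_cert)
    return ctx


def handshake_succeeds(srv_ctx, cli_ctx):
    """One TLS connection over loopback; True if the client receives the server banner."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    port = lsock.getsockname()[1]

    def serve():
        conn, _ = lsock.accept()
        conn.settimeout(5)
        try:
            with srv_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.sendall(b"ok")
        except (ssl.SSLError, OSError):
            pass  # nginx would log e.g. "client sent no required SSL certificate"
        finally:
            conn.close()
            lsock.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    try:
        raw = socket.create_connection(("127.0.0.1", port), timeout=5)
        with cli_ctx.wrap_socket(raw, server_hostname=SERVER_NAME) as tls:
            # Under TLS 1.3 the client finishes its half of the handshake before the
            # server has checked the client certificate, so read once to see the alert.
            return tls.recv(2) == b"ok"
    except (ssl.SSLError, OSError):
        return False
    finally:
        t.join(5)


def run_scenarios():
    """Returns {scenario: handshake succeeded?} for the configurations that matter."""
    with tempfile.TemporaryDirectory() as d:
        origin = make_self_signed(d, "origin", SERVER_NAME)      # ssl_certificate / _key
        origin_root = origin[0]                                 # what the peer trusts for the server
        client = make_self_signed(d, "client", "edge.example")  # a client cert, its own CA
        other_ca = make_self_signed(d, "other-ca", "other-ca.example")  # a CA that issued nothing here
        return {
            "verify_off": handshake_succeeds(
                server_context(*origin), client_context(origin_root)),
            "verify_on_no_client_cert": handshake_succeeds(
                server_context(*origin, client_ca=client[0]), client_context(origin_root)),
            "verify_on_matching_client_cert": handshake_succeeds(
                server_context(*origin, client_ca=client[0]), client_context(origin_root, client)),
            "verify_on_wrong_ca": handshake_succeeds(
                server_context(*origin, client_ca=other_ca[0]), client_context(origin_root, client)),
        }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:32s} {'handshake ok' if ok else 'handshake FAILED'}")
```

The "verify_on_no_client_cert" and "verify_on_wrong_ca" scenarios are the two ways the posted server block breaks a peer that never agreed to mutual TLS. Against a live origin the same thing can be seen with `openssl s_client -connect <origin>:443 -servername domain.com`: a server that demands a client certificate prints an "Acceptable client certificate CA names" section in its output, and a plain client then fails the handshake. Note also that in the compose layout above port 443 on the host belongs to nginx-proxy, so it is nginx-proxy's certificate directory, not the website container's server block, that Cloudflare actually talks to.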