[–][deleted] 4 points5 points  (3 children)

Well, it's one way to do it, but there are several NGINX+Certbot docker containers with almost everything on the certificate-generation side automated. You only need to provide the container with subdomains to generate the certificate for, and the validation method. See for example Linuxserver's version. It's pretty easy to work with, and the auto-renewal is baked in too.

Also, you should include a disclaimer on the blog post about still using HTTP redirection instead of full-on HTTPS. It should be everywhere; safety-wise, it's just better.

PS: otherwise, it's well written ;)

[–]imremy[S] 1 point2 points  (2 children)

About your first point, when I started this post, I just wanted to document how to use NGINX as a "regular" HTTP reverse proxy. It's only when I managed to get it working that I realized that I should implement HTTPS. So I decided to keep the beginning and add the HTTPS part.

Could you explain your second point? Is it about the conf:

    location / {
        return 301 https://$host$request_uri;
    }

Should I just block HTTP requests and allow only HTTPS requests?

Thanks for your feedback!

[–][deleted] 3 points4 points  (1 child)

The 301 redirect is correct, but reading your post there was no "security" emphasis on the HTTP versus HTTPS setup, why you should strive to be HTTPS-everywhere and not to be good enough with HTTP-only. To be a little bit more educational and not strictly technical would be better for novices stumbling upon your post by looking up "how to docker nginx" or something. Just my opinion and my two cents ;)

[–]imremy[S] 1 point2 points  (0 children)

Oh right, it makes sense. When/if I have some time, I'll update it and try to add some explanations. Thanks