Setting up nginxletsencrypt as a reverse proxy

# nginx-ingress-http.confevents {}http {  include mime.types;  server {    listen 80;    listen [::]:80;    server_name sg.horlick.me;    location /.well-known/acme-challenge/ {      root /var/www/certbot;    }    location / {      return 301 https://$host$request_uri;    }      }}

# nginx-ingress-https.confevents {}http {  include mime.types;  server {    listen 443 ssl;    listen [::]:443 ssl;    server_name sg.horlick.me;    ssl_certificate /etc/letsencrypt/live/sg.horlick.me/fullchain.pem;    ssl_certificate_key /etc/letsencrypt/live/sg.horlick.me/privkey.pem;    # taken from https://github.com/certbot/certbot/blob/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf    ssl_session_cache shared:le_nginx_SSL:10m;    ssl_session_timeout 1440m;    ssl_session_tickets off;    ssl_protocols TLSv1.2 TLSv1.3;    ssl_prefer_server_ciphers off;    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";    ssl_dhparam /etc/ssl/certs/dhparam.pem;    sendfile on;    tcp_nopush on;    tcp_nodelay on;    location / {      proxy_pass http://backend:8080/;      proxy_http_version  1.1;      proxy_cache_bypass  $http_upgrade;      proxy_set_header Host              $host;      proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;      proxy_set_header X-Real-IP         $remote_addr;      proxy_set_header X-Forwarded-Host  $host;      proxy_set_header X-Forwarded-Proto $scheme;      proxy_set_header X-Forwarded-Port  $server_port;    }  }}

mkdir -p /etc/nginxcp nginx-ingress-http.conf /etc/nginx/nginx-ingress-http.confcp nginx-ingress-https.conf /etc/nginx/nginx-ingress-https.conf

# nginx-ingress-http.service[Unit]Description=http server that serves letsencrypt ACME challenges and 301 redirects to https After=docker.serviceRequires=docker.service[Service]TimeoutStartSec=0Restart=alwaysExecStartPre=-/usr/bin/docker stop nginx-ingress-httpExecStartPre=-/usr/bin/docker rm nginx-ingress-httpExecStartPre=/usr/bin/docker pull nginxExecStart=/usr/bin/docker run -i --rm \  --name nginx-ingress-http \  --publish=80:80 \  --volume /etc/letsencrypt:/etc/letsencrypt \  --volume /var/www/certbot:/var/www/certbot \  --volume /etc/nginx/nginx-ingress-http.conf:/etc/nginx/nginx.conf:ro \  nginx[Install]WantedBy=multi-user.target

cp nginx-ingress-http.service /etc/systemd/system/nginx-ingress-http.servicesystemctl enable nginx-ingress-http.servicesystemctl start nginx-ingress-http.servicejournalctl -u nginx-ingress-http.service

# letsencrypt-generate-cert.service[Unit]Description=letsencrypt cert generation oneshotRequires=docker.service[Service]Type=oneshotExecStart=/usr/bin/docker run -i --rm \  --volume=/etc/letsencrypt:/etc/letsencrypt \  --volume=/var/www/certbot:/var/www/certbot \  certbot/certbot \  certonly \  --webroot \  --register-unsafely-without-email \  --agree-tos \  --webroot-path=/var/www/certbot \  -d sg.horlick.me

cp letsencrypt-generate-cert.service /etc/systemd/system/letsencrypt-generate-cert.servicesystemctl start letsencrypt-generate-cert.servicejournalctl -u letsencrypt-generate-cert.service

# letsencrypt-renew-cert.service[Unit]Description=letsencrypt cert update oneshotRequires=docker.service[Service]Type=oneshotExecStart=/usr/bin/docker run -i --rm \  --volume=/etc/letsencrypt:/etc/letsencrypt \  --volume=/var/www/certbot:/var/www/certbot \  certbot/certbot \  renewExecStartPost=/usr/bin/docker exec \  nginx-ingress-https \  /bin/bash -c "nginx -s reload"

# letsencrypt-renew-cert.timer[Unit]Description=letsencrypt oneshot timerRequires=docker.service[Timer]OnCalendar=daily[Install]WantedBy=timers.target

cp letsencrypt-renew-cert.service letsencrypt-renew-cert.timer /etc/systemd/system/systemctl enable letsencrypt-renew-cert.timersystemctl list-timers --all

# nginx-ingress-https.service[Unit]Description=reverse proxy for api and static asset serverAfter=docker.serviceRequires=docker.service[Service]TimeoutStartSec=0Restart=alwaysExecStartPre=-/usr/bin/docker stop nginx-ingress-httpsExecStartPre=-/usr/bin/docker rm nginx-ingress-httpsExecStartPre=/usr/bin/docker pull nginxExecStart=/usr/bin/docker run -i --rm \  --name nginx-ingress-https \  --publish=443:443 \  --link=backend \  --add-host=host.docker.internal:host-gateway \  --volume /etc/nginx/nginx-ingress-https.conf:/etc/nginx/nginx.conf:ro \  --volume /etc/letsencrypt:/etc/letsencrypt:ro \  --volume /etc/ssl/certs/dhparam.pem:/etc/ssl/certs/dhparam.pem:ro \  nginx[Install]WantedBy=multi-user.target

# create the DiffieHellman parametersopenssl dhparam -out /etc/ssl/certs/dhparam.pem 2048# create the https servercp nginx-ingress-https.service /etc/systemd/system/nginx-ingress-https.servicesystemctl enable nginx-ingress-https.servicesystemctl start nginx-ingress-https.servicejournalctl -u nginx-ingress-https.service