@ced coincidentally, that’s exactly the setup I built for TLS/HTTPS. I’ve read that tutorial before.
You guys are very fast with your responses. It’s greatly appreciated.
Here’s my Docker-Compose / Nginx / Let’s Encrypt / Tryton setup if anyone else is searching for exactly how to do it. If I’ve omitted any details, see the Medium article @ced mentioned here.
First, the Nginx and Certbot containers in my docker-compose.yml file:

```yaml
services:
  trytond:
    container_name: trytond # Server
    image: tryton/tryton:latest # Uses Debian 10 (buster)
    restart: unless-stopped
    # for the database URI to connect to AWS RDS "ijack" database
    # TRYTOND_DATABASE__URI=postgresql://USERNAME:PASSWORD@tryton-postgres:5432/
    env_file: .env
    environment: # https://docs.tryton.org/projects/server/en/latest/topics/start_server.html
      - TRYTOND_WEB__LISTEN=0.0.0.0:8000
    # No host port mapping for trytond: nginx reaches it over the Docker network,
    # and publishing 8000 on the host would expose the server without TLS, bypassing nginx
    # ports:
    #   - 8000:8000
    #   - 5432:5432 # There is no local PostgreSQL database, only AWS RDS
    expose:
      - 8000
      # - 5432
    networks:
      - myijack-network
    volumes:
      - ./config.ini:/config.ini
    command: ['trytond', '-c', '/config.ini'] # Start the web server listening for requests on 0.0.0.0:8000
  nginx:
    restart: unless-stopped
    image: "nginx:latest"
    ports:
      - "0.0.0.0:80:80"
      - "0.0.0.0:443:443"
    volumes:
      # http://medium.com/@pentacent/nginx-and-lets-encrypt-with-docker-in-less-than-5-minutes-b4b8a60d3a71
      - ./data/nginx:/etc/nginx/conf.d
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
    networks:
      - myijack-network
    depends_on:
      - trytond # the upstream that proxy_pass points at
    # Reload nginx every 6h so renewed certificates are picked up
    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
  certbot:
    restart: unless-stopped
    image: certbot/certbot
    volumes:
      # http://medium.com/@pentacent/nginx-and-lets-encrypt-with-docker-in-less-than-5-minutes-b4b8a60d3a71
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
    # Attempt renewal every 12h; certbot only renews when the cert is close to expiry
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"

networks:
  myijack-network:
    # driver: bridge
    external:
      name: myijack-network
```
And here’s my actual Nginx “prod.conf” setup in “/etc/nginx/conf.d/prod.conf”:

```nginx
# HTTP port 80 will redirect to HTTPS port 443
server {
    listen 80;       # ipv4
    listen [::]:80;  # ipv6
    server_name myijack.com; # host

    # Let's Encrypt HTTP-01 challenge files, written by the certbot container
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    # redirect from HTTP port 80 to HTTPS port 443
    location / {
        return 301 https://$host$request_uri;
    }
}

# Redirected here to HTTPS on port 443
server {
    listen 443 ssl;          # port
    server_name myijack.com; # host

    ssl_certificate /etc/letsencrypt/live/myijack.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myijack.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass http://trytond:8000/; # "trytond" is the service name of another Docker container on port 8000
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
    }
}
```
And the result:
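A small config audit for the properties this kind of setup relies on, as an added example that is not the post author's code: the embedded config is a constructed condensation of the prod.conf above (same host, paths and upstream name assumed), and the checks are that plain-HTTP server blocks only serve the ACME challenge and 301-redirect everything else to https, and that the TLS block has its certificate pair and forwards the client headers, including X-Forwarded-Proto, which the conf above does not set.

```python
import re

# Constructed sample: the post's two server blocks, condensed (not the author's exact file).
SAMPLE_CONF = """
server { listen 80; listen [::]:80; server_name myijack.com;
    location /.well-known/acme-challenge/ { root /var/www/certbot; }
    location / { return 301 https://$host$request_uri; } }
server { listen 443 ssl; server_name myijack.com;
    ssl_certificate /etc/letsencrypt/live/myijack.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myijack.com/privkey.pem;
    location / { proxy_pass http://trytond:8000/; proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } }
"""

def parse(text):
    """Parse nginx syntax into (name, args, children) tuples; children is a
    list for '{ }' blocks and None for simple ';' directives."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text))
    stack, args = [[]], []
    for tok in tokens:
        if tok == "{":
            block = (args[0], args[1:], [])
            stack[-1].append(block); stack.append(block[2]); args = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            stack[-1].append((args[0], args[1:], None)); args = []
        else:
            args.append(tok)
    return stack[0]

def directives(block, name):
    return [d for d in block if d[0] == name]

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for _, _, body in directives(parse(text), "server"):
        tls = any("ssl" in a for _, a, _ in directives(body, "listen"))
        for key in (("ssl_certificate", "ssl_certificate_key") if tls else ()):
            if not directives(body, key):
                findings.append(f"443: missing {key}")
        for _, args, loc in directives(body, "location"):
            if tls and directives(loc, "proxy_pass"):
                # Upstream must learn the original host, client IP and scheme
                hdrs = {a[0] for _, a, _ in directives(loc, "proxy_set_header")}
                for h in ("Host", "X-Forwarded-For", "X-Forwarded-Proto"):
                    if h not in hdrs:
                        findings.append(f"proxy {args[-1]}: missing proxy_set_header {h}")
            elif not tls and not args[-1].startswith("/.well-known/acme-challenge"):
                ret = directives(loc, "return")
                tgt = ret[0][1] if ret else []
                if tgt[:1] != ["301"] or not (tgt[1:] and tgt[1].startswith("https://")):
                    findings.append(f"80: location {args[-1]} does not redirect to https")
    return findings
```

Run `audit(open("data/nginx/prod.conf").read())` against the real file; on the sample it reports only the missing X-Forwarded-Proto header.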