diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index d1c0070..ff61b30 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -114,7 +114,8 @@ services:
 volumes:
 - ./nginx/nginx.prod.conf:/etc/nginx/conf.d/default.conf:ro
 - frontend_build:/usr/share/nginx/html:ro
- - ./nginx/ssl:/etc/nginx/ssl:ro
+ - ./certbot/conf:/etc/letsencrypt:ro
+ - ./certbot/www:/var/www/certbot:ro
 depends_on:
 - backend
 - frontend_build_step
diff --git a/nginx/nginx.prod.conf b/nginx/nginx.prod.conf
index 95519d1..26f612a 100644
--- a/nginx/nginx.prod.conf
+++ b/nginx/nginx.prod.conf
@@ -7,31 +7,40 @@ server {
 server_name dociva.io www.dociva.io;
 client_max_body_size 100M;
+ # ACME challenge for Let's Encrypt renewal
+ location /.well-known/acme-challenge/ {
+ root /var/www/certbot;
+ }
 # Redirect HTTP to HTTPS
- return 308 https://dociva.io$request_uri;
+ location / {
+ return 308 https://dociva.io$request_uri;
+ }
 }
 # Redirect www to non-www
 server {
- listen 443 ssl http2;
+ listen 443 ssl;
+ http2 on;
 server_name www.dociva.io;
 client_max_body_size 100M;
- ssl_certificate /etc/nginx/ssl/fullchain.pem;
- ssl_certificate_key /etc/nginx/ssl/privkey.pem;
+ ssl_certificate /etc/letsencrypt/live/dociva.io/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/dociva.io/privkey.pem;
 ssl_protocols TLSv1.2 TLSv1.3;
 return 308 https://dociva.io$request_uri;
 }
 server {
- listen 443 ssl http2;
+ listen 443 ssl;
+ http2 on;
 server_name dociva.io;
 client_max_body_size 100M;
- # SSL certificates (mount via certbot / Let's Encrypt)
- ssl_certificate /etc/nginx/ssl/fullchain.pem;
- ssl_certificate_key /etc/nginx/ssl/privkey.pem;
+ # SSL certificates (Let's Encrypt via certbot)
+ ssl_certificate /etc/letsencrypt/live/dociva.io/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/dociva.io/privkey.pem;
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_prefer_server_ciphers on;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
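Review bot: Nothing in this hunk reloads nginx after certbot renews, so the `./certbot/conf:/etc/letsencrypt:ro` mount refreshes the files on disk while the running worker keeps serving the certificate it loaded at startup until the container is restarted. A certbot `--deploy-hook` that runs `nginx -s reload` inside the nginx container, or a periodic reload in the nginx service definition, is needed for renewals to actually take effect before the old certificate expires. If a certbot service or hook is defined elsewhere in this compose file it is not visible here, and that is worth a comment next to the new mounts.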
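Review bot: `http2 on;` in the two 443 server blocks is only recognized by nginx 1.25.1 and later; on an older image the configuration fails to parse and the container does not start, so the nginx image tag (not visible in this diff) should be checked against that. The www server block now terminates TLS with `/etc/letsencrypt/live/dociva.io/fullchain.pem`, so the certbot request that produces it must include `www.dociva.io` as a subject alternative name, otherwise clients hit a certificate error before the redirect is ever sent. Both 443 blocks also reference files that do not exist before the first issuance, and nginx refuses to start when `ssl_certificate` points at a missing file, which blocks the ACME challenge the new `/.well-known/acme-challenge/` location is meant to serve; a bootstrap step (issue the first certificate before enabling these blocks, or start with a temporary self-signed certificate) avoids that deadlock and deserves a comment above the `ssl_certificate` lines. The first `server {` block begins before this hunk and the last one continues past it.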