Initial version.

.gitignore

@@ -0,0 +1 @@
+certbot

README.md

@@ -1,5 +1,30 @@
 # docker-www
 
-www.vostan.org
-drive.vostan.org
-and etc
+Docker compose to host
+- www.vostan.org
+- drive.vostan.org
+
+## First Run
+To generate certificates first time comment all configurations other than the
+*default.conf* in docker-compose.yml and bring up the web server.
+This is because SSL servers will not start without certificates. We need to
+bring up servers for certbot challenges.
+Now launch certbot:
+```
+docker-compose run --rm certbot certonly --webroot --webroot-path /var/www/certbot/ --dry-run -d www.vostan.org  -d drive.vostan.org
+```
+If dry run is successful then generate certificates removing --dry-run.
+Make sure to uncomment configurations and restart nginx.
+```
+docker-compose restart
+```
+or
+```
+docker-compose exec www nginx -s reload
+```
+
+## Renew Certificates
+```
+docker-compose run --rm certbot renew
+```
+

docker-compose.yml

@@ -0,0 +1,24 @@
+version: "3"
+
+services:
+  www:
+    image: nginx:stable-alpine
+    container_name: www
+    restart: always
+    ports:
+      - 80:80
+      - 443:443
+    volumes:
+      - ./certbot/www/:/var/www/certbot/:ro
+      - ./certbot/conf/live/:/etc/nginx/ssl/live/:ro
+      - ./certbot/conf/archive/:/etc/nginx/ssl/archive/:ro
+      - ./sites/default.conf:/etc/nginx/conf.d/default.conf:ro
+      - ./sites/default_ssl.conf:/etc/nginx/conf.d/default_ssl.conf:ro
+      - ./sites/www.vostan.org:/etc/nginx/conf.d/www.vostan.org:ro
+      - ./sites/drive.vostan.org:/etc/nginx/conf.d/drive.vostan.org:ro
+  certbot:
+    image: certbot/certbot:latest
+    container_name: certbot
+    volumes:
+      - ./certbot/www/:/var/www/certbot/:rw
+      - ./certbot/conf/:/etc/letsencrypt/:rw

sites/default.conf

@@ -0,0 +1,50 @@
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# https://www.nginx.com/resources/wiki/start/
+# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
+# https://wiki.debian.org/Nginx/DirectoryStructure
+#
+# In most cases, administrators will remove this file from sites-enabled/ and
+# leave it as reference inside of sites-available where it will continue to be
+# updated by the nginx packaging team.
+#
+# This file will automatically load configuration files provided by other
+# applications, such as Drupal or Wordpress. These applications will be made
+# available underneath a path with that package name, such as /drupal8.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+
+# Default server configuration
+#
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    server_name _;
+    server_tokens off;
+
+    # Cert bot challenge
+    #
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+    # Otherwise redirect to https
+    #
+    location / {
+        return 301 https://$host$request_uri;
+    }
+
+    # If host name is not known, then simply return 404
+    #
+    set $known_host 0;
+    if ($host = www.vostan.org) {
+        set $known_host 1;
+    }
+    if ($host = drive.vostan.org) {
+        set $known_host 1;
+    }
+    if ($known_host != 1) {
+        return 404;
+    }
+}

sites/default_ssl.conf

@@ -0,0 +1,17 @@
+
+# Default SSL server configuration
+#
+server {
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;
+    server_name _;
+    server_tokens off;
+
+    # SSL configuration
+    #
+    ssl_certificate /etc/nginx/ssl/live/www.vostan.org/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/live/www.vostan.org/privkey.pem;
+
+    return 404;
+}
+

sites/drive.vostan.org

@@ -0,0 +1,42 @@
+##
+# You should look at the following URL's in order to grasp a solid understanding of Nginx configuration files in order to fully unleash the power of Nginx. 
+# https://www.nginx.com/resources/wiki/start/ https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/ https://wiki.debian.org/Nginx/DirectoryStructure
+#
+# In most cases, administrators will remove this file from sites-enabled/ and
+# leave it as reference inside of sites-available where it will continue to be
+# updated by the nginx packaging team.
+#
+# This file will automatically load configuration files provided by other
+# applications, such as Drupal or Wordpress. These applications will be made
+# available underneath a path with that package name, such as /drupal8.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name drive.vostan.org;
+
+    # SSL configuration
+    #
+    ssl on;
+    ssl_certificate /etc/nginx/ssl/live/www.vostan.org/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/live/www.vostan.org/privkey.pem;
+
+    #
+    set $upstream 192.168.11.4;
+    location / {
+       proxy_pass_header Authorization;
+           proxy_pass http://$upstream:8090;
+           proxy_set_header Host $host;
+           proxy_set_header X-Real-IP $remote_addr;
+           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+           proxy_http_version 1.1;
+           proxy_set_header Connection "";
+           proxy_buffering off;
+           client_max_body_size 0;
+           proxy_read_timeout 36000s;
+           proxy_redirect off;
+    }
+}

sites/private.vostan.org

@@ -0,0 +1,39 @@
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# https://www.nginx.com/resources/wiki/start/
+# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
+# https://wiki.debian.org/Nginx/DirectoryStructure
+#
+# In most cases, administrators will remove this file from sites-enabled/ and
+# leave it as reference inside of sites-available where it will continue to be
+# updated by the nginx packaging team.
+#
+# This file will automatically load configuration files provided by other
+# applications, such as Drupal or Wordpress. These applications will be made
+# available underneath a path with that package name, such as /drupal8.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name private.vostan.org;
+
+    # SSL configuration
+    #
+    ssl on;
+    ssl_certificate /etc/nginx/ssl/live/www.vostan.org/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/live/www.vostan.org/privkey.pem;
+
+    location / {
+        try_files $uri @private_flask_server;
+    }
+
+    location @private_flask_server {
+        include uwsgi_params;
+        uwsgi_pass unix:/run/uwsgi/private-vostan-org.sock;
+    }
+}
+

sites/www.vostan.org

@@ -0,0 +1,59 @@
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# https://www.nginx.com/resources/wiki/start/
+# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
+# https://wiki.debian.org/Nginx/DirectoryStructure
+#
+# In most cases, administrators will remove this file from sites-enabled/ and
+# leave it as reference inside of sites-available where it will continue to be
+# updated by the nginx packaging team.
+#
+# This file will automatically load configuration files provided by other
+# applications, such as Drupal or Wordpress. These applications will be made
+# available underneath a path with that package name, such as /drupal8.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name www.vostan.org;
+
+    # SSL configuration
+    #
+    ssl on;
+    ssl_certificate /etc/nginx/ssl/live/www.vostan.org/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/live/www.vostan.org/privkey.pem;
+
+    root /var/www/public/site;
+
+    # Add index.php to the list if you are using PHP
+    index index.html index.htm index.nginx-debian.html;
+
+
+    location / {
+        # First attempt to serve request as file, then
+        # as directory, then fall back to displaying a 404.
+        try_files $uri $uri/ =404;
+    }
+
+    #
+    #location ~ \.php$ {
+    #   include snippets/fastcgi-php.conf;
+    #
+    #   # With php-fpm (or other unix sockets):
+    #   fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
+    #   # With php-cgi (or other tcp sockets):
+    #   fastcgi_pass 127.0.0.1:9000;
+    #}
+
+    # deny access to .htaccess files, if Apache's document root
+    # concurs with nginx's one
+    #
+    #location ~ /\.ht {
+    #   deny all;
+    #}
+}
+