SSL

Dockerfile

@@ -12,7 +12,5 @@ RUN npm ci
 
 COPY . .
 
-EXPOSE 4000
-
 # Modify CMD to use tmux
 CMD npx mikro-orm-esm migration:up && npm run start

docker-compose.yml

@@ -1,10 +1,26 @@
 services:
+  nginx:
+    image: nginx:alpine
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - ./nginx.conf:/etc/nginx/nginx.conf:ro
+      - ./docker/data/certbot/conf:/etc/letsencrypt
+      - ./docker/data/certbot/www:/var/www/certbot
+    depends_on:
+      - app
+    networks:
+      - app-network
+    restart: unless-stopped
   app:
     build:
       context: .
       dockerfile: Dockerfile
-    ports:
+#    ports:
-      - "${PORT}:${PORT}"
+#      - "${PORT}:${PORT}"
+    expose:
+      - "${PORT}"
     environment:
       - ENV=${ENV}
       - HOST=${HOST}

docker/data/certbot/conf/.gitignore

@@ -0,0 +1,2 @@
+**
+!.gitignore

docker/data/certbot/www/.gitignore

@@ -0,0 +1,2 @@
+**
+!.gitignore

nginx.conf

@@ -0,0 +1,41 @@
+events {
+    worker_connections 1024;
+}
+
+http {
+    upstream socketio_backend {
+        server app:${PORT};
+    }
+
+    server {
+        listen 80;
+        server_name ${HOST};
+
+        location /.well-known/acme-challenge/ {
+            root /var/www/certbot;
+        }
+
+        location / {
+            return 301 https://$host$request_uri;
+        }
+    }
+
+    server {
+        listen 443 ssl;
+        server_name ${HOST};
+
+        ssl_certificate /etc/letsencrypt/live/${HOST}/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/${HOST}/privkey.pem;
+
+        location / {
+            proxy_pass http://socketio_backend;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }
+    }
+}