I'm really new to all this reverse proxy stuff and I hoped I could get around learning how it works by using this quite popular docker container: https://github.com/nginx-proxy/nginx-proxy

I'm trying to set up a few docker instances with the nginx proxy. The domains are accessible without https but for some reason SSL does not seem to work. You can try that:

http://foundry.hahn-webdesign.de/ => works

https://foundry.hahn-webdesign.de/ => 500 - Internal Server Error

Here is my example project which I can't get to work.

Docker Compose File:

```yaml
version: "3.8"
services:
    nginx-proxy:
        image: nginxproxy/nginx-proxy
        container_name: nginx-proxy
        restart: unless-stopped
        ports:
          - "80:80"
          - "443:443"
        volumes:
          - ./nginx-proxy/certs:/etc/nginx/certs/:ro
          - ./nginx-proxy/vhost:/etc/nginx/vhost.d/
          - ./nginx-proxy/html:/usr/share/nginx/html/
          - /var/run/docker.sock:/tmp/docker.sock:ro
          - dhparam:/etc/nginx/dhparam

    acme-companion:
        image: nginxproxy/acme-companion
        container_name: acme-companion
        restart: unless-stopped
        volumes:
          - ./nginx-proxy/html:/usr/share/nginx/html/
          - ./nginx-proxy/vhost:/etc/nginx/vhost.d/
          - ./nginx-proxy/certs:/etc/nginx/certs/:rw
          - ./nginx-proxy/acme:/etc/acme.sh
          - /var/run/docker.sock:/var/run/docker.sock:ro
        environment:
          - DEFAULT_EMAIL=admin@hahn-webdesign.de
          - NGINX_PROXY_CONTAINER=nginx-proxy

    whoami:
        image: jwilder/whoami
        container_name: foundry
        restart: unless-stopped
        hostname: foundry
        domainname: hahn-webdesign.de
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock:ro
          - ./nginx-proxy/certs:/etc/nginx/certs
        expose:
          - "8000"
        environment:
          - VIRTUAL_HOST=foundry.hahn-webdesign.de
          - VIRTUAL_PORT=8000

# The named volume mounted by nginx-proxy must be declared at the top level
volumes:
    dhparam:
```

I find the documentation lacking a lot of input when it comes to SSL samples. Maybe it's because I'm lacking knowledge of how the nginx reverse proxy works in its basics.

Directories are all working fine and are accessible. Certificates are valid and created by the acme-companion.

Can someone please tell me what I have to do to make SSL work in this configuration?

Logs from the docker container when accessing both protocols (http -> https):

```
nginx.1     | foundry.hahn-webdesign.de 95.90.215.63 - - [29/Dec/2021:11:25:43 +0000] "GET / HTTP/1.1" 200 12 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0" "172.22.0.6:8000",
nginx.1     | foundry.hahn-webdesign.de 95.90.215.63 - - [29/Dec/2021:11:25:48 +0000] "GET / HTTP/2.0" 500 177 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0" "-"
```

  • I suppose that you respected the naming conventions for cert and key files (e.g. `foundry.hahn-webdesign.de.crt`) as described in the documentation. I think the easiest way to find out the issue would be to connect to your container and take a look at nginx logs. – zoot Dec 28 '21 at 20:27
  • I verified that. The acme-companion adds the certs in the correct convention automatically. It creates the certs like: /certs/foundry.hahn-webdesign.de/key.pem and so on, but also creates symlinks under /certs/foundry.hahn-webdesign.de.key which link the named file. Tailing /var/log/nginx/access.log and ../error.log don't log anything. – Arthega Asdweri Dec 29 '21 at 11:15

1 Answer

I found the reason:

```yaml
version: "3.8"
services:
    whoami:
        image: jwilder/whoami
        container_name: foundry
        restart: unless-stopped
        hostname: foundry
        domainname: hahn-webdesign.de
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock:ro
          - ./nginx-proxy/certs:/etc/nginx/certs
        expose:
          - "8000"
        environment:
          - VIRTUAL_HOST=foundry.hahn-webdesign.de
          - VIRTUAL_PORT=8000
          - LETSENCRYPT_HOST=foundry.hahn-webdesign.de
```

An existing certificate is not sufficient. If you create a valid certificate but remove the container which created the certificate, the symlinks will vanish. So if you use a dummy container as suggested in the documentation, it will result in this behaviour.

Adding the LETSENCRYPT_HOST will add the symlinks again. So if the containers are accessible, you don't even have to use the dummies.

This environment variable will actually tell the nginx-proxy to call a certificate if necessary.
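
A quick check for the condition described in this answer, as an added example that is not part of the original post: for each host it verifies that the `<host>.crt` and `<host>.key` entries in the certs directory exist and resolve to non-empty files. The function names and the `*.example.test` sample layout are constructed for illustration, and the `fullchain.pem` target name is an assumption about the companion's directory layout.

```shell
#!/bin/sh
# Added example: classify the certificate entries nginx-proxy would look up
# for a virtual host. Prints one of: ok, missing, dangling, empty.
cert_link_state() {
    dir=$1 host=$2 state=ok
    for ext in crt key; do
        f="$dir/$host.$ext"
        if [ -L "$f" ] && [ ! -e "$f" ]; then
            state=dangling; break   # symlink exists, its target is gone
        elif [ ! -e "$f" ]; then
            state=missing; break    # no entry at all (links were removed)
        elif [ ! -s "$f" ]; then
            state=empty; break      # entry resolves to a zero-byte file
        fi
    done
    printf '%s\n' "$state"
}

# check_hosts CERTS_DIR HOST... : one line per host, non-zero if any is not ok.
check_hosts() {
    certs=$1; shift
    rc=0
    for h in "$@"; do
        s=$(cert_link_state "$certs" "$h")
        printf '%-32s %s\n' "$h" "$s"
        [ "$s" = ok ] || rc=1
    done
    return $rc
}

# Constructed sample tree (hypothetical hosts) in a temp dir; prints its path.
make_sample_certs() {
    d=$(mktemp -d)
    mkdir "$d/good.example.test"
    echo cert > "$d/good.example.test/fullchain.pem"   # assumed target name
    echo key  > "$d/good.example.test/key.pem"
    ln -s ./good.example.test/fullchain.pem "$d/good.example.test.crt"
    ln -s ./good.example.test/key.pem       "$d/good.example.test.key"
    # Links whose certificate directory no longer exists
    ln -s ./stale.example.test/fullchain.pem "$d/stale.example.test.crt"
    ln -s ./stale.example.test/key.pem       "$d/stale.example.test.key"
    printf '%s\n' "$d"
}

# Usage: ./check-certs.sh ./nginx-proxy/certs foundry.hahn-webdesign.de
if [ "$#" -ge 2 ]; then check_hosts "$@"; fi
```

A host that reports `missing` or `dangling` matches the situation described above, where the certificate files exist but the per-host links do not.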