http://prntscr.com/nv1ciu

I am having this issue not sure what seems to be the reason. I tried the fixes suggested here:
docker/for-win#611
But not being able to fix the issue. I am using Ubuntu 18.04 bionic 64 bit

Now I need to have an ssl connection/certificate for two (sub)domains each running in a separate container on a single docker host machine. This is not possible, since port conflicts cause the container run to fail. This happens in spite of specifying distinct ports (8443 and 8080) in the second container build. It's like these ports are ignored in the setup.

Hi,
Because ISPs restrict access to the local port 80,

Can I configure the access certificate through DNS? thank you

Is it possible to set an environment variable for a desired port for the ACME http challenge?

Im somewhat having issues with a failing challenge due to the redirects im using because my port 80 is already used.

certbot/certbot#5616

I just started using this and it's great. Thanks for putting it together.

Just a quick question... I can't find the part of your coded that handles the auto renewal that you talk about in the readme. Where is it at? I'm sure I'm just missing something.

This is my first time messing with SSL and letsencrypt so please forgive me if this was a dumb question.

This image always uses the same /etc/nginx/dhparams.pem without regenerating them. This seems like a potential easy to miss security hole for all people that used this to host a webside.

I was unable to get the proxy pass working with my app container until I added the service to my existing docker-compose.yml and specified the app service name as the UPSTREAM: target (where target is the name of the docker container that is running the proxied app. Not 127.0.0.1, the local IP, LAN IP, nor even the docker IP that is randomly generated worked. Perhaps the network needs to be specified in the docker-compose.yml service description, perhaps there is some other nuance. None of this is documented.

The error I was getting was 502: Bad gateway

Docker logs on app were empty, logs on proxy read something like (I have obscured actual domains):

2022/10/06 19:03:13 [error] 145#145: *28 connect() failed (113: No route to host) while connecting to upstream, client: [redacted_request_ip], server: [redacted_domain], request: "GET / HTTP/2.0", upstream: "http://[redacted_lan_ip]:[redacted_app_port]/", host: "[redacted_domain]"
[redacted_request_ip] - - [06/Oct/2022:19:03:13 +0000] "GET / HTTP/2.0" 502 552 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/104.0.5112.101 Safari/537.36" "-"
10.0.18.17 - - [06/Oct/2022:19:03:23 +0000] "\x16\x03\x01\x00\xA3\x01\x00\x00\x9F\x03\x03\xDE\xBE\xD8ho" 400 150 "-" "-" "-"

I must not use the default http ports 80 and 443 (it is preserved by macOS Server).
So I've chosen different ports but LetsEncrypt does call port 80: sslproxy_1 | http://example.org/.well-known/acme-challenge/aQUorM87vM7pFCRxidfmFFzs_n_MqODBW2tFivinYhk:

services:
  sslproxy:
    image: danieldent/nginx-ssl-proxy
    restart: always
    environment:
      UPSTREAM: 127.0.0.1:8882
      SERVERNAME: example.org
    ports:
      - "89:80"
      - "442:443"
    volumes:
      - …/docker/nextcloud/nginx-conf:/etc/nginx/conf.d

How can i conf proxy.conf for multy fomains?

How can I stop certbot from requesting new cert if it's already requested before. Each time I reran my docker container it will rerequest again. And each domain name have a limit of attached cert

https://hub.docker.com/r/danieldent/nginx-ssl-proxy/builds/

Seems like not compatible with aarch64(?) Tried on Odroid C2 running Ubuntu 18.04:
Linux server 3.16.58-26 #1 SMP PREEMPT Sun Sep 30 23:40:07 -03 2018 aarch64 aarch64 aarch64 GNU/Linux

getting:
standard_init_linux.go:190: exec user process caused "exec format error"

first and foremost: I am not a docker expert, so apologies if this request is mislaid.

Looking at jetbrain's products, most suggest that you can (but do not have to) create volumes for logs and configuration, such that you can optionally supply additional configuration or persist logs on the host. I found this very convenient since it effectively makes their docker images parametric on some configuration files and the images "output" logs.

I want your image to do the same:

I'm looking at doing some configuration of the nginx proxy for a teamcity front-end, as described here, so that I can have some large files going up into the service proxy'd by your container.

The problem I'm having as a non-docker-expert is getting my configuration to stick.

• simply volumes: [ /etc/nginx:/etc/nginx ] is no good because docker will create blank mount over the needed existing configuration
• you cant mount something inside /etc/nginx because include rules aren't recursive on folder structure --meaning simply that the existing nginx.conf would have to be modified, which isn't possible without modifying your dockerfile.
• and lastly I cant seem to make an anonymous volume, modify the existing nginx.conf file there to point to a new volumes, then add files to that new volume for a reason I dont understand

TL;DR: I would really appreciate it if you would update the dockerfile to contain something to the effect of

echo "include /etc/nginx/extra-conf/*.conf" >> /etc/nginx/nginx.conf

in your docker file, along with a suggestion in the configuration section that you

add a volume /etc/nginx/extra-conf and place relevant nginx *.conf files there to have them loaded.

In my container log im getting this:

Registering without email!
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for <container.TLD>
Using the webroot path /usr/share/nginx/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. <container.TLD> (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://<container.TLD>/.well-known/acme-challenge/APFKTsJaIIypGdk5vbaVdDcqeArpigY51jTpsGqhEXo: "                                                 
                                                 
                            "

I was wondering why its failing. I was able to verify that my redirects are working fine when running a vanilla httpd container on the same port, its reachable from <container.TLD>

Upon doing a docker exec I noticed that the target location is blank.

root@b777f672b92f:/usr/share/nginx/html/.well-known# ls -lah
total 0
drwxr-xr-x. 2 root root  6 Aug  2 12:48 .
drwxr-xr-x. 1 root root 25 Aug  2 12:48 ..

Is this normal?

Your image is perfect for Amazon's Elastic Container Service (ECS) because it requires no local bindings/files. Unfortunately, it's hard to provision a static IP on ECS unless you use (and pay for) a load balancer.

I don't need/want to pay for a load balancer so I must manually update my DNS (+time to propagate) each time I deploy a new container. As a result, I'm running afoul of Let's Encrypt's rate limits, specifically a Failed Validation limit of 5 failures per account, per hostname, per hour.

Given that hard cap, I'd like to suggest adjusting the retry interval to something like minute 0, 1, 5, 15, (and every 15 minutes after that i.e. 30, 45, 60, 75). In theory, min 45 (and probably 60) will rate limit, but this provides a simple rule-of-thumb that is otherwise rate-friendly.

EDIT: Per the discussion in #23, the long-term goal is to simulate the acme check:

• Create a small file in a random (but known) location
• Ensure that the connection can be made and finds this file (possibly multiple times)

PR #23 (merged) is a first step in this direction, providing a simple check that a server (but not necessarily this one) responds with 200 to a call to the domain name. This issue has been left open to track potential improvements.

looks like nginx was not picking up the certificates it had already created.

nginx-ssl-proxy_1 | Saving debug log to /var/log/letsencrypt/letsencrypt.log
nginx-ssl-proxy_1 | Obtaining a new certificate
nginx-ssl-proxy_1 | Performing the following challenges:
nginx-ssl-proxy_1 | http-01 challenge for maker.gifts
nginx-ssl-proxy_1 | Using the webroot path /usr/share/nginx/html for all unmatched domains.
nginx-ssl-proxy_1 | Waiting for verification...
nginx-ssl-proxy_1 | Cleaning up challenges
nginx-ssl-proxy_1 | Generating key (2048 bits): /etc/letsencrypt/keys/0003_key-certbot.pem
nginx-ssl-proxy_1 | Creating CSR: /etc/letsencrypt/csr/0003_csr-certbot.pem
nginx-ssl-proxy_1 | An unexpected error occurred:
nginx-ssl-proxy_1 | There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains: DOMAIN.TLD: see https://letsencrypt.org/docs/rate-limits/
nginx-ssl-proxy_1 | Please see the logfiles in /var/log/letsencrypt for more details.

what am I missing?

Sorry for the noob question. I'm having problems and I was told I need:

proxy_set_header  X-Forwarded-Proto $scheme;

Where and how do I set this?

I see it is set in the default.conf, but something is wrong. Is X-Forwarded-Proto deprecated? Is there a better way now? https://support.cocoatech.com is the site I'm trying to fix. My css files aren't loading because they are referenced with http://. I was told that I need X-Forwarded-Proto to make that work.

Thanks

Is it possible to import the default /etc/nginx/sites-enabled/default file into the container so one can add custom error pages as needed. The idea is that one would manually add custom error pages like 404.html into /usr/share/nginx/html and then add something like the below to /etc/nginx/sites-enabled/default file:

server {
        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;

        . . .

        **error_page 404 /custom_404.html;
        location = /custom_404.html {
                root /usr/share/nginx/html;
                internal;**
        }
}

Im getting 400 bad request on all my post requests. The requests never reaches my upstream server. Is this to be expected?

Get requests works like a charm.

Otherwise, great project! 👍

READ.me needs to be edited to provide instructions to edit the default.conf and replace proxy_pass http://origin; with proxy_pass http://domain.name:port;

all my verification calls return a 404, so I started looking into the container wwwroot and I saw that the acme challenge is created under /usr/share/nginx/html/.well-known/acme-challenge/ but it is removed before the verification call on it is made.
Is this some configuration? I'm not overriding any defaults.

error I get is:

13:10:10 Obtaining a new certificate
13:10:11 Performing the following challenges:
13:10:11 http-01 challenge for <MyDomaon>
13:10:11 Using the webroot path /usr/share/nginx/html for all unmatched domains.
13:10:11 Waiting for verification...
13:10:11 <IP> - - [11/Jan/2019:18:10:11 +0000] "GET /.well-known/acme-challenge/<ChallengeKey> HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
13:10:58 Cleaning up challenges
13:10:58 Incomplete authorizations

Hey there! I was able to get this working with docker-compose on my ubuntu system to the point where I could reach my landing page from outside my network with SSL enabled. Super cool! I'm running into an issue with adding another config file and setting up a reverse proxy for the services running in other docker containers. I can navigate all of the other containers on my local network, so I know they are running, but I can't see them from outside the network.

Here is a grab from my docker-compose.yml file:

services:
    sslproxy:
        container_name: sslproxy
        image: danieldent/nginx-ssl-proxy
        restart: always
        depends_on:
            - organizr
        environment:
            UPSTREAM: organizr
            SERVERNAME: [myserver]
            #EXTRANAMES:
        ports:
            - "88:80"
            - "443:443"
        volumes:
            - ./letsencrypt/organizr.conf:/etc/nginx/conf.d/organizr.conf

    organizr:
        container_name: organizr
        image: lsiocommunity/organizr
        volumes:
            - ./organizr/config:/organizr/config
            - ./organizr/db-files:/db-files
            - ./organizr/images:/images
        privileged: true
        ports:
            - "8585:80"

    ombi:
        container_name: ombi
        image: linuxserver/ombi
        privileged: true
        environment:
            - TZ=America/New_York
        depends_on:
            - organizr
        ports:
            - "3579:3579"
        volumes:
            - ./ombi:/ombi/config

If I comment out the volume call for my custom config file, I land on the organizr page. Whenever I try to add proxy calls to my other containers and include the volume call, the whole things breaks and I can't see the organizr landing page.

Here is my ombi.conf file for reference:

server {
        listen 88 default_server;
        server_name [myserver];
        proxy_pass http://127.0.0.1:88;
        include /etc/nginx/proxy.conf
        }

server {
        listen 443 ssl http2 default_server;
        server_name [myserver];
        root /var/www/Organizr/;
        access_log /var/log/nginx/organizr.access.log main;
        error_log /var/log/nginx/organizr.error.log warn;
        allow all;
        log_not_found off;
        access_log off;
        }

#############################
# Block access without host #
#############################

if ($http_host != "[myserver]") {
       return 444;
       }

########################
# Organizr Error Pages #
########################

error_page 400 401 403 404 405 408 500 502 503 504 /error.php?error=status;

#########################
# Organizr server block #
#########################

client_max_body_size 1M;
location / { }
try_files $uri $uri/ =404;
index index.php;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.*)$;
fastcgi_index index.php;
include fastcgi_params;
include php_optimization.conf;
fastcgi_pass php-handler;
fastcgi_param HTTPS on;
access_log off;
proxy_cookie_path / "/; secure; HttpOnly";
}

location ~ \.(log|db|json|check)$ {
deny all;
}

location ^~ /check.php {
deny all;
}

location ~ /\.ht {
deny all;
}

location /auth-admin {
        internal;
        #rewrite ^ /auth.php?admin&ban=someone,thisperson;
        proxy_pass http://127.0.0.1:8585/auth.php?admin;
        proxy_set_header Content-Length "";
}

location /auth-user {
        internal;
        proxy_pass http://127.0.0.1:8585/auth.php?user;
        proxy_set_header Content-Length "";
}

server {

        listen 80;
        server_name [myserver]

        ############################
        # Organizr Proxy Locations #
        ############################
        # ombi
        location /ombi {
                auth_request /auth-admin;
                proxy_pass http://127.0.0.1:3579/ombi;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                #proxy_redirect off;
                #proxy_buffering off;
                #access_log off;
        }
}

Do you have any thoughts you would be willing to share with me? Thank you kindly!

The documentation should wrap that docker-compose.yml file under services: like so:

services:
  nginx-ssl-proxy:
    image: danieldent/nginx-ssl-proxy
    restart: always
    environment:
      UPSTREAM: 127.0.0.1:8080
      SERVERNAME: test.example.com
      EXTRANAMES: www.test.example.com,test2.example.com
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/etc/letsencrypt"

If you don't, you'll get an error such as:
(root) Additional property nginx-ssl-proxy is not allowed

Also, docker-compose up is deprecated, now it's docker compose up

I've tried using SERVERNAME: *.example.com but it doesnt seem to work.

Someone recommended removing the host?

https://stackoverflow.com/questions/32362396/nginx-reverse-proxy-causing-infinite-loop

I have no idea.

Hi,

Your docker is working perfect. But Exchange 2016 Outlook Anywhere is not working. It seems that
more_set_input_headers is missing and can be installed with nginx-extras module. But how can i accomplish this with the Docker Compose?

Thanks

Martin

I'm getting CERTIFICATE-FILE-NOT-LOADED in the certificate's Common Name instead of the environment variable I set in SERVERNAME. Am I missing a configuration?

In the logs I do see the correct SERVERNAME:

2018/07/23 14:22:38 [ DEBUG ] Parsing environment references in '/etc/nginx/conf.d/default.conf'
2018/07/23 14:22:38 [ DEBUG ] Expanding reference to 'UPSTREAM' to value '<my-upstream>'
2018/07/23 14:22:38 [ DEBUG ] Expanding reference to 'SERVERNAME' to value '<my-servername>'
2018/07/23 14:22:38 [ DEBUG ] Expanding reference to 'SERVERNAME' to value '<my-servername>'

I'm trying to use this docker image likes this:

  nginx-ssl-proxy:
    image: danieldent/nginx-ssl-proxy
    environment:
      UPSTREAM: 127.0.0.1:5000
      SERVERNAME: x.app
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/etc/letsencrypt"

but for my x.app domain I get:

Failed authorization procedure. x.app (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://x.app/.well-known/acme-challenge/Uutj...

I have a feeling this is because .app is one of the first TLDs domains with HTTPs "baked in".

Is this true? If so, what can I do to make it work?

Running this docker-image I get this error...
How can I agree to a the subscriber?

Nginx has arrived.                                                                                                                    
2016-11-21 16:27:19,607:INFO:requests.packages.urllib3.connectionpool:805: Starting new HTTPS connection (1): acme-v01.api.letsencrypt
.org                                                                                                                                  
2016-11-21 16:27:19,837:INFO:requests.packages.urllib3.connectionpool:805: Starting new HTTPS connection (1): acme-v01.api.letsencrypt
.org                                                                                                                                  
2016-11-21 16:27:20,115:INFO:requests.packages.urllib3.connectionpool:805: Starting new HTTPS connection (1): acme-v01.api.letsencrypt
.org                                                                                                                                  
2016-11-21 16:27:20,415:INFO:requests.packages.urllib3.connectionpool:805: Starting new HTTPS connection (1): acme-v01.api.letsencrypt
.org                                                                                                                                  
2016-11-21 16:27:20,645:ERROR:simp_le:879: ACME server returned an error: urn:acme:error:unauthorized :: The client lacks sufficient a
uthorization :: Must agree to subscriber agreement before any further actions.

First off, thanks for a great project!

I have a question about the customization topic in the readme. How come creating a new Dockerfile and copying in the proxy.conf is the preferred way over say a volume? Is there a downside to using a volume or is it just preference?

It should be noted in the docs that the SSL issuance uses HTTP for authentication, so you'll need to have your domain pointing at the server and DNS resolved before SSL certs can be issued. Also, if your target app is running on port 80 you'll need to move it to another port, otherwise the proxy won't be able to load on port 80 to do the SSL install.

Hi, I have copied the docker-compose configuration from here and started a working nginx upstream server on my host mapped to port 8080,
put it in the UPSTREAM, I always get the 404 in the logs:

nginx-ssl-proxy_1 | [s6-init] making user provided files available at /var/run/s6/etc...exited 0.
nginx-ssl-proxy_1 | [s6-init] ensuring user provided files have correct perms...exited 0.
nginx-ssl-proxy_1 | [fix-attrs.d] applying ownership & permissions fixes...
nginx-ssl-proxy_1 | [fix-attrs.d] done.
nginx-ssl-proxy_1 | [cont-init.d] executing container initialization scripts...
nginx-ssl-proxy_1 | [cont-init.d] done.
nginx-ssl-proxy_1 | [services.d] starting services
nginx-ssl-proxy_1 | [services.d] done.
nginx-ssl-proxy_1 | Waiting for Nginx to come up...
nginx-ssl-proxy_1 | 2018/02/04 09:43:08 [ DEBUG ] Parsing environment references in '/etc/nginx/conf.d/default.conf'
nginx-ssl-proxy_1 | 2018/02/04 09:43:08 [ DEBUG ] Expanding reference to 'UPSTREAM' to value '139.59.191.99:8080'
nginx-ssl-proxy_1 | 2018/02/04 09:43:08 [ DEBUG ] Expanding reference to 'SERVERNAME' to value 'commetoo.com'
nginx-ssl-proxy_1 | 2018/02/04 09:43:08 [ DEBUG ] Expanding reference to 'SERVERNAME' to value 'commetoo.com'
nginx-ssl-proxy_1 | % Total % Received % Xferd Average Speed Time Time Time Current
nginx-ssl-proxy_1 | Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0curl: (7) Failed to connect to 127.0.0.1 port 80: Connection refused
nginx-ssl-proxy_1 | 2018/02/04 09:43:08 [warn] 129#129: "ssl_stapling" ignored, no OCSP responder URL in the certificate "/etc/letsencrypt/fullchain-copy.pem"
nginx-ssl-proxy_1 | nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/etc/letsencrypt/fullchain-copy.pem"
nginx-ssl-proxy_1 | % Total % Received % Xferd Average Speed Time Time Time Current
nginx-ssl-proxy_1 | Dload Upload Total Spent Left Speed
100 178 100 178 0 0 269k 0 --:--:-- --:--:-- --:--:-- 173k
nginx-ssl-proxy_1 | 127.0.0.1 - - [04/Feb/2018:09:43:09 +0000] "GET / HTTP/1.1" 301 178 "-" "curl/7.52.1" "-"
nginx-ssl-proxy_1 |
nginx-ssl-proxy_1 | <title>301 Moved Permanently</title>
nginx-ssl-proxy_1 |
nginx-ssl-proxy_1 |

301 Moved Permanently

nginx-ssl-proxy_1 |

---

nginx
nginx-ssl-proxy_1 |
nginx-ssl-proxy_1 |
nginx-ssl-proxy_1 | Nginx has arrived.
nginx-ssl-proxy_1 | Saving debug log to /var/log/letsencrypt/letsencrypt.log
nginx-ssl-proxy_1 | Registering without email!
nginx-ssl-proxy_1 | Obtaining a new certificate
nginx-ssl-proxy_1 | Performing the following challenges:
nginx-ssl-proxy_1 | http-01 challenge for commetoo.com
nginx-ssl-proxy_1 | http-01 challenge for www.commetoo.com
nginx-ssl-proxy_1 | Using the webroot path /usr/share/nginx/html for all unmatched domains.
nginx-ssl-proxy_1 | Waiting for verification...
nginx-ssl-proxy_1 | 66.133.109.36 - - [04/Feb/2018:09:43:13 +0000] "GET /.well-known/acme-challenge/wR-HDKHnam4jxDtGQUko_qAruI4d-iZfKPfaifdsV7w HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
nginx-ssl-proxy_1 | Cleaning up challenges
nginx-ssl-proxy_1 | Failed authorization procedure. www.commetoo.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.commetoo.com/.well-known/acme-challenge/wFJAz-30KN23usg8KIy-9FRz91pObi9dv4-1K3Ygr58: "
nginx-ssl-proxy_1 |
nginx-ssl-proxy_1 | <title>404 Not Found</title>
nginx-ssl-proxy_1 |
nginx-ssl-proxy_1 |

Not Found

nginx-ssl-proxy_1 | <p"
nginx-ssl-proxy_1 | IMPORTANT NOTES:
nginx-ssl-proxy_1 | - The following errors were reported by the server:
nginx-ssl-proxy_1 |
nginx-ssl-proxy_1 | Domain: www.commetoo.com
nginx-ssl-proxy_1 | Type: unauthorized
nginx-ssl-proxy_1 | Detail: Invalid response from
nginx-ssl-proxy_1 | http://www.commetoo.com/.well-known/acme-challenge/wFJAz-30KN23usg8KIy-9FRz91pObi9dv4-1K3Ygr58:
nginx-ssl-proxy_1 | "
nginx-ssl-proxy_1 |
nginx-ssl-proxy_1 | <title>404 Not Found</title>
nginx-ssl-proxy_1 |
nginx-ssl-proxy_1 |

Not Found

nginx-ssl-proxy_1 | <p"
nginx-ssl-proxy_1 |
nginx-ssl-proxy_1 | To fix these errors, please make sure that your domain name was
nginx-ssl-proxy_1 | entered correctly and the DNS A record(s) for that domain
nginx-ssl-proxy_1 | contain(s) the right IP address.
nginx-ssl-proxy_1 | - Your account credentials have been saved in your Certbot
nginx-ssl-proxy_1 | configuration directory at /etc/letsencrypt. You should make a
nginx-ssl-proxy_1 | secure backup of this folder now. This configuration directory will
nginx-ssl-proxy_1 | also contain certificates and private keys obtained by Certbot so
nginx-ssl-proxy_1 | making regular backups of this folder is ideal.

I can ping my domain commetoo.com and get the correct ip.
The compose file:

nginx-ssl-proxy:
image: danieldent/nginx-ssl-proxy
restart: always
environment:
UPSTREAM: 139.59.191.99:8080
SERVERNAME: commetoo.com
EXTRANAMES: www.commetoo.com
ports:
- "80:80"
- "443:443"
volumes:
- "/etc/letsencrypt"
networks:
- backend

Any Ideas?

Hi there, and thanks for a great image. That said, I do have a smaller problem where I can't seem to get my security headers to pick up.

in proxy.conf I have the following:

add_header Strict-Transport-Security "max-age=10886400";
add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";

Been googling around for a while now, but kind of stuck. Have the feeling it is a minor thing I am missing, but who knows.

Ideas would very much be appreciated.

Is there a way to pass the email (and other meta data) certbot shall be use for the certificate?

As a docker-compose author looking to setup a cron-job in a container I want to be able to relatively easily view logs from hours ago by ssh/screen-ing into my docker host's docker-compose up output, so that I can better view the status of my cron jobs.

nginx's verbosity is too much. nginx outputs every successful GET call made against it to standard-output. When using a modest webserver upstream, in my case teamcity, which polls itself a fair amount, this means that the output from docker-compose up is flooded with GET /something/somethingElse OK.

Ideally I'd like nginx to only log things with 400-599 http codes, but if nginx doesn't want to make that kind of semantic logging decision, then I'd really rather it only output things it deems worthy of std-err, like nginx has arrived.

I've been looking into nginx logging configuration and all I can find is where to pipe it. I'm not so concerned about that as I am its verbosity.

Can you add an environment parameter that gives me some control on the volume of output your nginx front-end puts to standard-output/standard-error?

many thanks!