Motivation When setting up a virtualized environment for a home lab, I encountered the following problems: Certificate management is a pain and can become dirty in a matter of seconds. I do not want to have client-server communication via unencrypted channels using HTTP. Preparing your environment Everything you can find under this post has been developed using the following tools: Windows 11 Desktop Docker PyCharm CE Diagrams.net TLS offloading TLS offloading is a technique where the task of handling encryption at the transport level is centralized to one point of your network (single, HA it does not matter) to relieve the backend server from encryption tasks and setups. From my point of view, this concept eases the setup for encryption at the transport layer because you just need to set it up in one single point instead of several. What TLS offloading provides to my scenario is that: I just need to set up TLS for the proxy. Only one server will expose the desired ports. Implementation I will be using to build and create my docker images because I will have several services running and it eases my work. docker-compose Phase 1. Certificates I want to use a valid certificate provided by a trusted CA so that I am not in charge of manually creating the certificates and later having to add the CA certificate to each device I work with. The tool I chose to go with is certbot [1] and Let´s Encrypt [2]. I want a wildcard certificate because I will have several servers in the backend. I learned that Google Domains [3] does not have an official plugin and certificate renewal was not as easy as it looked at first sight using certbot for wildcard certificates. Taking a look at Google's help I found a community plugin [4] that gives me what I need, a way to automatically renew wildcard certificates. I just wanted the proxy to include the tasks for certificate renewal, so I ran a docker image (using Debian-slim) to install certbot with the community plugin and create my certificate. It is important to include the dns_google_domains_credentials.ini file, populated, and under the directory mentioned in the official documentation. docker run -v '<LOCAL_MOUNT>:/var/lib/letsencrypt' -v '<LOCAL_MOUNT>:/etc/letsencrypt' debian:stable-slimapt update apt install python3 python3-venv libaugeas0 snapd -y python3 -m venv /opt/certbot/ /opt/certbot/bin/pip install --upgrade pip /opt/certbot/bin/pip install certbot certbot-nginx certbot-dns-google-domains ln -s /opt/certbot/bin/certbot /usr/bin/certbot certbot certonly \ --authenticator 'dns-google-domains' \ --dns-google-domains-credentials '/var/lib/letsencrypt/dns_google_domains_credentials.ini' \ --server 'https://acme-v02.api.letsencrypt.org/directory' \ --non-interactive \ --dns-google-domains-zone '<YOUR_DOMAIN>' \ -d '<YOUR_WILCARD_NAME' \ --agree-tos \ --email <YOUR_EMAIL> Phase 2. Proxy I wanted to combine nginx and certbot, so I created my own docker image that runs those two services. You can find it here: https://hub.docker.com/r/ddeuterio/proxy_element0 Once I have my image and my certificates, I just need to create my file, exposing the ports I want, and mounting the volumes for the certificates. I created my own file with the configuration I needed and mounted it with ro rights. compose.yml nginx.conf You can see all examples and code under my repositories: proxy_element0_docker References [1] https://certbot.eff.org/ [2] https://letsencrypt.org/ [3] https://domains.google/ [4] https://github.com/aaomidi/certbot-dns-google-domains Also published here.
