Upgrading the reverse proxy to serve your app securely at https://immai.acintia.com using NGINX + Let’s Encrypt (Certbot).
We’ll use docker-compose with a dedicated reverse proxy container and automatic SSL certificate management.
🔹 Step 1: Update NGINX Config for SSL
Replace your nginx/nginx.conf with this:
server {
    listen 80;
    server_name immai.acintia.com;
    # Serve certbot's HTTP-01 challenge files from the shared certbot-var volume
    # (the --webroot-path used in Step 3); without this the redirect below
    # would answer the challenge request instead
    location /.well-known/acme-challenge/ {
        root /var/lib/letsencrypt;
    }
    # Redirect all other HTTP traffic to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name immai.acintia.com;
    # SSL Certificates (managed by certbot)
    ssl_certificate /etc/letsencrypt/live/immai.acintia.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/immai.acintia.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # Serve frontend Angular app
    location / {
        proxy_pass http://frontend:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    # Proxy backend FastAPI
    location /api/ {
        proxy_pass http://backend:8000/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    # Proxy Ollama (optional)
    # Ollama's API has no built-in authentication, so this location exposes it
    # to anyone who can reach the proxy; leave it out unless clients need it
    location /ollama/ {
        proxy_pass http://ollama:11434/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
🔹 Step 2: Extend docker-compose.yml
Here’s the updated file with nginx + certbot:
version: "3.9"
services:
  backend:
    build: .
    container_name: company-recommender-backend
    expose:
      - "8000"
    environment:
      - OLLAMA_URL=http://ollama:11434
    depends_on:
      - ollama
  ollama:
    image: ollama/ollama:latest
    container_name: ollama
    expose:
      - "11434"
    volumes:
      - ollama_data:/root/.ollama
  frontend:
    build: ./frontend
    container_name: company-recommender-frontend
    expose:
      - "80"
    environment:
      - API_URL=/api
    depends_on:
      - backend
  proxy:
    image: nginx:alpine
    container_name: reverse-proxy
    restart: always
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx/nginx.conf:/etc/nginx/conf.d/default.conf:ro
      - certbot-etc:/etc/letsencrypt
      - certbot-var:/var/lib/letsencrypt
    depends_on:
      - frontend
      - backend
      - ollama
  certbot:
    image: certbot/certbot
    container_name: certbot
    volumes:
      - certbot-etc:/etc/letsencrypt
      - certbot-var:/var/lib/letsencrypt
      - ./nginx/nginx.conf:/etc/nginx/conf.d/default.conf:ro
    # Run "certbot renew" every 12 hours; exit cleanly on SIGTERM
    entrypoint: >
      sh -c "trap exit TERM; while :; do certbot renew --quiet; sleep 12h & wait $${!}; done"
volumes:
  ollama_data:
  # Created by the docker run command in Step 3; external keeps Compose from
  # prefixing the project name, so both steps use the same volumes
  certbot-etc:
    external: true
  certbot-var:
    external: true
🔹 Step 3: Issue the SSL Certificate
Before starting everything, you need to request the certificate once:
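# --webroot validation only succeeds if a web server is already answering
# http://immai.acintia.com/.well-known/acme-challenge/ from the webroot path
docker run -it --rm \
  -v certbot-etc:/etc/letsencrypt \
  -v certbot-var:/var/lib/letsencrypt \
  -v "$(pwd)/nginx/nginx.conf:/etc/nginx/conf.d/default.conf" \
  certbot/certbot certonly --webroot \
  --webroot-path=/var/lib/letsencrypt \
  --agree-tos --no-eff-email \
  -m youremail@example.com \
  -d immai.acintia.com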
Replace youremail@example.com with your real email (for renewal notices).
🔹 Step 4: Start the Stack
docker-compose up --build -d
Now:
- Frontend served at → https://immai.acintia.com
- Backend API → https://immai.acintia.com/api/
- Ollama → https://immai.acintia.com/ollama/
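The certbot container runs certbot renew every 12 hours; a certificate is actually renewed only once it is close to expiry. nginx reads the certificate files when it starts or reloads, so the proxy has to be reloaded before it serves a renewed certificate.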
🔹 Step 5: Verify HTTPS
Run:
curl -I https://immai.acintia.com
You should see HTTP/1.1 200 OK with a valid SSL certificate.
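A static check for two things this setup depends on, as an added example (not code from the original post): that the port-80 server in nginx/nginx.conf answers ACME challenges from the webroot certbot uses, and that a proxied upstream with no authentication of its own, such as Ollama, sits behind some access control. SAMPLE is constructed, and the `internal` host list and the set of directives counted as access control are assumptions.

```python
import re
# Constructed sample in the shape of the Step 1 config (not the page's file).
SAMPLE = """
server {
    listen 80;
    location / { return 301 https://$host$request_uri; }
}
server {
    listen 443 ssl;
    location /ollama/ { proxy_pass http://ollama:11434/; }
}
"""
ACCESS = {"auth_basic", "auth_request", "allow", "deny"}  # assumed: counts as access control

def parse(conf):
    """Minimal nginx parser (no quoted strings, no includes) returning a tree of blocks."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", conf))
    root = {"head": ["main"], "directives": [], "blocks": []}
    stack, words = [root], []
    for tok in tokens:
        if tok not in ("{", "}", ";"):
            words.append(tok)
            continue
        if tok == "{":
            stack[-1]["blocks"].append({"head": words, "directives": [], "blocks": []})
            stack.append(stack[-1]["blocks"][-1])
        elif tok == ";" and words:
            stack[-1]["directives"].append(words)
        elif tok == "}":
            stack.pop()
        words = []
    return root

def audit(conf, webroot="/var/lib/letsencrypt", internal=("ollama",)):
    """Check ACME webroot wiring and open internal upstreams; `internal` is an assumed host list."""
    findings = []
    for srv in [b for b in parse(conf)["blocks"] if b["head"][0] == "server"]:
        ports = [d[1] for d in srv["directives"] if d[0] == "listen"]
        locs = [b for b in srv["blocks"] if b["head"][0] == "location"]
        acme_ok = any(loc["head"][-1] == "/.well-known/acme-challenge/"
                      and ["root", webroot] in loc["directives"] for loc in locs)
        if "80" in ports and not acme_ok:
            findings.append(f"port 80: ACME challenges are not served from {webroot}")
        for loc in locs:
            names = {d[0] for d in loc["directives"]}
            target = next((d[1] for d in loc["directives"] if d[0] == "proxy_pass"), "")
            if any(h in target for h in internal) and not names & ACCESS:
                findings.append(f"{loc['head'][-1]}: internal upstream proxied without access control")
    return findings
```

Run it against the real file with audit(open("nginx/nginx.conf").read()); an empty list means both checks pass. Access control inherited from the server or http level is not considered.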
👉 Do you want me to also configure auto-redirect of /api requests inside Angular (so your Angular code never needs to know /api explicitly), or keep it like this (frontend calls /api/...)?