SSL-offloader for Dokku


I use Dokku as Platform As A Service (PaaS) tool, which is very convenient until you have dozen of apps deployed (like I do) and hit Let's Encrypt limits.

Enter Wildcard SSL certificate land.

It turns out that it is pretty easy to configure Nginx to act as a SSL-offloader for all Dokku apps, as simple as 1,2,3…

1. Create SSL config file

  cat /etc/nginx/conf.d/00-ssl.conf
server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name *;
  access_log  /var/log/nginx/ssl-access.log;
  error_log   /var/log/nginx/ssl-error.log;

  ssl_certificate     /etc/letsencrypt/live/;
  ssl_certificate_key /etc/letsencrypt/live/;
  ssl_protocols       TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers off;

  keepalive_timeout   70;

  location / {
    gzip on;
    gzip_min_length  1100;
    gzip_buffers  4 32k;
    gzip_types    text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml  application/rss+xml font/truetype application/x-font-ttf font/opentype application/ image/svg+xml;
    gzip_vary on;
    gzip_comp_level  6;

    proxy_pass http://localhost;
    http2_push_preload on;
    proxy_http_version 1.1;
    proxy_read_timeout 60s;
    proxy_buffer_size 4096;
    proxy_buffering on;
    proxy_buffers 8 4096;
    proxy_busy_buffers_size 8192;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Request-Start $msec;

2. Import config file

  grep -C 2 00-ssl /etc/nginx/nginx.conf
http {
   include /etc/nginx/conf.d/00-ssl.conf;
   include /home/dokku/*/nginx.conf;

3. Reload configuration

  systemctl reload nginx