feat: enhance SSL configuration by making Certbot optional in Docker setup

Author: iconben

Dockerfile

@@ -6,6 +6,7 @@ FROM php:$PHP_VERSION-fpm-$DEBIAN_VERSION
 # Add environment variables for domain and port
 ENV SERVER_NAME="localhost"
 ENV SSL_ENABLED="false"
+ENV CERTBOT_ENABLED="true"
 
 ENV WP_DB_HOST="hub.docker.internal"
 ENV WP_DB_USER="wordpress"
@@ -129,11 +130,15 @@ RUN chown -R www-data /var/www/html
 
 # Copy default configuration files of nginx
 RUN mkdir /usr/src/nginx-defaults
-COPY ./nginx/default.conf /etc/nginx/conf.d/default.conf
-COPY ./nginx/wordpress.conf.include /etc/nginx/conf.d/wordpress.conf.include
-# COPY ./nginx/default_ssl.conf /usr/src/nginx-defaults/default_ssl.conf
-# COPY ./nginx/options-ssl-nginx.conf /usr/src/nginx-defaults/options-ssl-nginx.conf
-# RUN mkdir "/var/ssl";
+COPY ./nginx/default.conf /usr/src/nginx-defaults/default.conf
+COPY ./nginx/default_ssl.conf /usr/src/nginx-defaults/default_ssl.conf
+COPY ./nginx/wordpress.conf.include /usr/src/nginx-defaults/wordpress.conf.include
+RUN mkdir -p /etc/nginx/ssl
+COPY ./nginx/options-ssl-nginx.conf /etc/nginx/ssl/options-ssl-nginx.conf
+# Generate the Diffie-Hellman certificate
+RUN openssl dhparam -out /etc/nginx/ssl/ssl-dhparams.pem 2048
+# Create a directory for SSL certificates when certbot is disabled
+RUN mkdir "/var/ssl";
 
 # Expose the default Nginx ports
 EXPOSE 80

README.md

@@ -90,6 +90,7 @@ services:
         environment:
             - SERVER_NAME=example.com
             - SSL_ENABLED=true
+            - CERTBOT_ENABLED=true
             - WP_DB_HOST=db
             - WP_DB_USER=wordpress
             - WP_DB_PASSWORD=password
@@ -113,12 +114,7 @@ services:
 
 Note that we use letsencrypt's certbot to generate SSL certificates for you, you need to prove the domain is controlled by you, in most case your domain name should already resolved to the host you run this container, otherwise the certbot will fail, and the container will not be able to serve.
 
-~~We highly recommend using lets-encrypt as your SSL solution. You need to use tools such as certbot to generate SSL in the host, then copy the cert files from /etc/letsencrypt/live/{yourdomain.com} to the volume. Please note the options-ssl-nginx.conf and ssl-dhparams.pem files from /etc/letsencrypt of the host are also needed to be placed in the same volume. The typical content of this ssl volume should contain such files:~~
-
-~~cert.pem  chain.pem  fullchain.pem  options-ssl-nginx.conf  privkey.pem  README  ssl  ssl-dhparams.pem~~
-
-~~Or you can directly mount /etc/letsencrypt/live/{yourdomain.com} to the /var/ssl volume.~~
-
+However, if you want to use your own certificate or if your environment does not support certbot to automatically generate certificate, you can set CERTBOT_ENABLED to false, and mount a volumn to /var/ssl, then put your own fullchain.pem and privkey.pem to this folder.
 
 ## Develop
 Feel free to visit the repository site on Github: [https://github.com/augwit/wordpress/](https://github.com/augwit/wordpress/)

entrypoint.sh

@@ -1,17 +1,23 @@
 #!/bin/bash
 
-# if [ "$SSL_ENABLED" = "true" ]; then 
-#     cp /usr/src/nginx-defaults/options-ssl-nginx.conf /var/ssl;
-#     cp /usr/src/nginx-defaults/default_ssl.conf /etc/nginx/conf.d/;
-# fi
-
-# Update entrypoint to configure Nginx and acquire SSL certificates
-sed -i "s/server_name localhost;/server_name $SERVER_NAME;/" /etc/nginx/conf.d/default.conf
-
-if [ "$SSL_ENABLED" = "true" ]; then
-    certbot --nginx -d $SERVER_NAME --non-interactive --agree-tos --register-unsafely-without-email -m admin@$SERVER_NAME
-    # cerrtbot started nginx but we need to stop it for now. Later we will start it in the foreground.
-    service nginx stop
+if [ -z "$(ls -A /etc/nginx/conf.d)" ]; then
+    cp /usr/src/nginx-defaults/default.conf /etc/nginx/conf.d/;
+    cp /usr/src/nginx-defaults/wordpress.conf.include /etc/nginx/conf.d/wordpress.conf.include
+
+    # Update entrypoint to configure Nginx and configure SSL certificates
+    sed -i "s/server_name localhost;/server_name $SERVER_NAME;/" /etc/nginx/conf.d/default.conf
+
+    # If SSL is enabled and Certbot is not enabled, copy the default SSL configuration
+    if [ "$SSL_ENABLED" = "true" ] && [ "$CERTBOT_ENABLED" = "false" ]; then 
+        cp /usr/src/nginx-defaults/default_ssl.conf /etc/nginx/conf.d/;
+    fi
+
+    # If SSL is enabled and Certbot is enabled, run Certbot to obtain SSL certificates
+    if [ "$SSL_ENABLED" = "true" ] && [ "$CERTBOT_ENABLED" = "true" ]; then
+        certbot --nginx -d $SERVER_NAME --non-interactive --agree-tos --register-unsafely-without-email -m admin@$SERVER_NAME
+        # cerrtbot started nginx but we need to stop it for now. Later we will start it in the foreground.
+        service nginx stop
+    fi
 fi
 
 # Download the latest wordpress
@@ -24,7 +30,7 @@ if [ ! -f /var/www/html/index.php ]; then
 fi
 
 # If wp-config.php does not exist and wp-config-sample.php exists, copy wp-config-sample.php to wp-config.php and update database configuration
-if [ ! -f /var/www/html//wp-config.php ] && [ -f /var/www/html/wp-config-sample.php ]; then
+if [ ! -f /var/www/html/wp-config.php ] && [ -f /var/www/html/wp-config-sample.php ]; then
     cp /var/www/html/wp-config-sample.php /var/www/html/wp-config.php
     sed -i "s/database_name_here/${WP_DB_NAME}/" /var/www/html/wp-config.php
     sed -i "s/username_here/${WP_DB_USER}/" /var/www/html/wp-config.php

nginx/default_ssl.conf

@@ -6,6 +6,6 @@ server {
     listen 443 ssl; 
     ssl_certificate /var/ssl/fullchain.pem; 
     ssl_certificate_key /var/ssl/privkey.pem; 
-    include /var/ssl/options-ssl-nginx.conf; 
-    ssl_dhparam /var/ssl/ssl-dhparams.pem; 
+    include /etc/nginx/ssl/options-ssl-nginx.conf; 
+    ssl_dhparam /etc/nginx/ssl/ssl-dhparams.pem; 
 }