Nginx (Web Server) - HTTPS / SSL on Docker

A certificate can be used to encrypt the resources being transmitted to clients. In this example, a dedicated certificate will be placed on the Nginx web server so that HTTPS can be used.


A certificate from a trusted CA (certificate authority), such as, or using a self signed certificate can be used. The main difference between a certificate from a trusted CA and a self signed certificate is that web browsers will display a warning message when a self signed certificate is used. OpenSSL can be used to create the self signed public certificate and private key. 

In this example, a self signed public certificate was created for, and Chrome compalins that the root certificate is not trusted, because the certificate is not in the trusted root certificate authorities store. This is the expected behavior of a self signed certificate.



The certificate Common Name (CN) will almost always need to match the DNS hostname of the web server the certificate is being used for. For example, if the certificate will be used for SSL / HTTPS on the web server producing, then the certificates common name (CN) will need to be or *

SSL configurations will be made in the /etc/nginx/conf.d/default.conf file in the container. By default, the server block in default.conf is setup to only listen on port 80.

server {
    listen       80;
    listen  [::]:80;


Here is one possible way to setup SSL in default.conf. Notice in this example that the /usr/local/share/ca-certificates/ and /usr/local/share/ca-certificates/ files are being used.

server {
    listen              80;
    listen              [::]:80;
    listen              443 ssl;
    ssl_certificate     /etc/nginx/conf.d/;
    ssl_certificate_key /etc/nginx/conf.d/;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;


The following command can then be used to create and start the ngninx container. Let's break down this command.

  • The docker run command is used to create and start the nginx container.
  • The --detach flag is used to run the container in the background.
  • The --publish option is used both the Docker server and nginx container to listen on HTTP port 80 and HTTPS port 443, which adds a rule to iptables to allow connections between the Docker system and container on ports 80 and 443.
  • The --name option is used to name the container nginx.
  • The --restart unless-stopped option is used so that the container is started if the Docker server is restarted.
  • The --volume option is used to mount the default.conf file on the Docker system to /etc/nginx/conf.d/default.conf in the container so that the container is using your own default.conf file.
  • The --volume option is used to mount the directory on your Docker system that contains the public certificate and private key to /usr/local/share/ca-certificates in the container.
  • The nginx image is used.
docker run --detach --publish 80:80 --publish 443:443 --volume /path/to/default.conf:/etc/nginx/conf.d/default.conf --volume /path/to/certs:/usr/local/share/ca-certificates --name nginx --restart unless-stopped nginx


The docker container ls command can be used to ensure the container is running.

~]# docker container ls -a
8321dc3c0c25   nginx  "/docker-entrypoint.…"  7 minutes ago  Up 7 minutes>80/tcp, :::80->80/tcp,>443/tcp, :::443->443/tcp


The docker logs command should return something like this

~]# docker logs nginx
/ /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/ Looking for shell scripts in /docker-entrypoint.d/
/ Launching /docker-entrypoint.d/ info: Getting the checksum of /etc/nginx/conf.d/default.conf info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/ Launching /docker-entrypoint.d/
/ Launching /docker-entrypoint.d/
/ Configuration complete; ready for start up


You should then be able to access the default Nginx welcome page at http://<hostname or IP address of your Docker system> (port 80). Something like this should be displayed.


And you should also be able to access the default Nginx welcome page at https://<hostname or IP address of your Docker system> (port 443).


Did you find this article helpful?

If so, consider buying me a coffee over at Buy Me A Coffee

Add a Comment

We will never share your name or email with anyone. Enter your email if you would like to be notified when we respond to your comment.

Please enter 8b7f9 in the box below so that we can be sure you are a human.


Web design by yours truely - me, myself, and I   |   |