Nested servers with Let's Encrypt Certbot

To optionally proxy ACME challenge requests from a docker.io/jonasal/nginx-certbot instance to a Mailu front container, or serve them directly, I use the following Nginx configuration:

# HTTP server for ACME challenge
server {
  listen 80;
  server_name {{ tld }};

  # ACME challenge
  location /.well-known/acme-challenge/ {
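    # Container network DNS; short TTL so a restarted front container is picked up
    resolver 10.89.0.1 valid=10s ipv6=off;
    # Using a variable makes Nginx resolve the name at request time, not at startup
    set $mailu_front front:80;
    proxy_pass http://$mailu_front;
    # Let error_page handle error responses returned by the upstream
    proxy_intercept_errors on;
    # Token not known to Mailu: serve it from the local webroot instead
    error_page 404 = @fallback;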
  }

  location @fallback {
    default_type "text/plain";
    root /var/www/letsencrypt;
  }

  location / {
    # Redirect all HTTP requests to HTTPS
    return 301 https://$host$request_uri;
  }
}
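
The configuration above falls back to the local webroot only when the front container answers with a 404. The following variant of the challenge location is an added example, not part of the original configuration; it assumes the fallback should also apply when the front container is stopped or cannot be resolved, in which case Nginx itself produces a 502 or 504:

```nginx
# Added variant of the ACME challenge location (assumption: fall back on upstream failure too)
location /.well-known/acme-challenge/ {
  resolver 10.89.0.1 valid=10s ipv6=off;
  set $mailu_front front:80;
  proxy_pass http://$mailu_front;
  proxy_intercept_errors on;
  # 404: front answered but does not know the token
  # 502: front could not be resolved or refused the connection
  # 504: front did not answer in time
  error_page 404 502 504 = @fallback;
}
```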