#1585 - Update nginx.md

docs/content/examples/tutorials/nginx.md

@@ -2,4 +2,115 @@
 title: NGINX
 ---
 
-TODO
+This is an example on how to use WireGuard Easy with nginx, to access it on a HTTPS domain (e.g. `https://wg-easy.myhomelab.com`).
+
+## Generate the admin password crypt you will need to provide as PASSWORD_HASH
+```
+docker run --rm -it ghcr.io/wg-easy/wg-easy wgpw '⚠️password'
+```
+
+## `docker-compose.yml`:
+
+```yaml
+volumes:
+  etc_wireguard:
+
+services:
+  wg-easy:
+    environment:
+      - LANG=en
+      # ⚠️ Change the server's hostname (clients will connect to):
+      - WG_HOST=wg-easy.myhomelab.com
+      # ⚠️ Change the Web UI Password.  Must be a valid bcrypt hash.  Note link below.
+      # You must find any single $ in your hash nd change it to $$ due to Docker 
+      # environment variable interpolation 
+      - PASSWORD_HASH=$$....
+      # Optional:
+      # - PASSWORD_HASH=$$2y$$10$$hBCoykrB95WSzuV4fafBzOHWKu9sbyVa34GJr8VV5R/pIelfEMYyG # (needs double $$, hash of 'foobar123'; see "How_to_generate_an_bcrypt_hash.md" for generate the hash)
+      # - PORT=51821
+      # - WG_PORT=51820
+      # - WG_CONFIG_PORT=92820
+      # - WG_DEFAULT_ADDRESS=10.8.0.x
+      # - WG_DEFAULT_DNS=1.1.1.1
+      # - WG_MTU=1420
+      # - WG_ALLOWED_IPS=192.168.15.0/24, 10.0.1.0/24
+      # - WG_PERSISTENT_KEEPALIVE=25
+      # - WG_PRE_UP=echo "Pre Up" > /etc/wireguard/pre-up.txt
+      # - WG_POST_UP=echo "Post Up" > /etc/wireguard/post-up.txt
+      # - WG_PRE_DOWN=echo "Pre Down" > /etc/wireguard/pre-down.txt
+      # - WG_POST_DOWN=echo "Post Down" > /etc/wireguard/post-down.txt
+      # - UI_TRAFFIC_STATS=true
+      # - UI_CHART_TYPE=0 # (0 Charts disabled, 1 # Line chart, 2 # Area chart, 3 # Bar chart)
+      # - WG_ENABLE_ONE_TIME_LINKS=true
+      # - UI_ENABLE_SORT_CLIENTS=true
+      # - WG_ENABLE_EXPIRES_TIME=true
+      # - ENABLE_PROMETHEUS_METRICS=false
+      # - PROMETHEUS_METRICS_PASSWORD=$$2a$$12$$vkvKpeEAHD78gasyawIod.1leBMKg8sBwKW.pQyNsq78bXV3INf2G # (needs double $$, hash of 'prometheus_password'; see "How_to_generate_an_bcrypt_hash.md" for generate the hash)
+
+    image: ghcr.io/wg-easy/wg-easy
+    container_name: wg-easy
+    hostname: wg-easy
+    volumes:
+      - etc_wireguard:/etc/wireguard
+    ports:
+      - "51820:51820/udp"
+      - "51821:51821/tcp"
+    restart: unless-stopped
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+        # uncomment for Podman use
+        # - NET_RAW
+    sysctls:
+      - net.ipv4.ip_forward=1
+      - net.ipv4.conf.all.src_valid_mark=1
+
+  nginx:
+    image: weejewel/nginx-with-certbot
+    container_name: nginx
+    hostname: nginx
+    volumes:
+      - ./nginx/servers/:/etc/nginx/servers/
+      - ./nginx/letsencrypt/:/etc/letsencrypt/
+    ports:
+      - "80:80/tcp"
+      - "443:443/tcp"
+    restart: unless-stopped
+```
+
+- make subdirectory for nginx configuration file
+```
+mkdir -p nginx/servers
+mkdir nginx/letsencrypt
+```
+- create this file in the nginx/servers directory
+## nginx/servers/wg-easy.conf
+```
+server {
+    server_name ⚠️wg-easy.myhomelab.com;
+
+    location / {
+        proxy_pass http://wg-easy:51821/;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        proxy_set_header Host $host;
+    }
+}
+```
+
+Save these files, edit the variables marked with `⚠️` and run `docker-compose up -d` in the same directory.
+
+Then run once:
+
+```bash
+$ docker exec -it nginx /bin/sh
+$ cp /etc/nginx/servers/wg-easy.conf /etc/nginx/conf.d/.
+$ certbot --nginx --non-interactive --agree-tos -m ⚠️your@email.com -d ⚠️wg-easy.myhomelab.com
+$ nginx -s reload
+$ exit
+```
+
+Of course, make sure to point `wg-easy.myhomelab.com` to your server's IP address with a DNS A record or DynamicDNS or any other method. Ensure ports `80`, `443`, `51820` are available (e.g. by forwarding them in your router).
+
+That's it!