Docker + Nginx + Let's Encrypt

This post shows how to set up multiple websites running behind a dockerized Nginx reverse proxy and served via HTTPS using free Let’s Encrypt certificates. New sites can be added on the fly by just modifying docker-compose.yml and then running docker-compose up as the main Nginx config is automatically updated and certificates (if needed) are automatically acquired.

Some of the configuration is derived from with some simplifications and updates to work with current nginx.tmpl from nginx-proxy and docker-compose v2 files.

Running the example

The repository for this is at


  • docker (>= 1.10)
  • docker-compose (>= 1.8.1)
  • access to (sub)domain(s) pointing to a publicly accessible server (required for TLS)


  • Clone the repository on the server pointed to by your domain.
  • In docker-compose.yml:
    • Change the VIRTUAL_HOST and LETSENCRYPT_HOST entries from and to your domains.
    • Change LETSENCRYPT_EMAIL entries to the email address you want to be associated with the certificates.
  • In volumes/config/sample-website/config.js change apiUrl to your API endpoint as set up in the previous point in docker-compose.yml.


In the main directory run:

docker-compose up

This will perform the following steps:

  • Download the required images from Docker Hub (nginx, docker-gen, docker-letsencrypt-nginx-proxy-companion).
  • Create containers from them.
  • Build and create containers for the two sites located in sample-websites.
  • Start up the containers.
    • docker-letsencrypt-nginx-proxy-companion inspects containers’ metadata and tries to acquire certificates as needed (if successful then saving them in a volume shared with the host and the Nginx container).
    • docker-gen also inspects containers’ metadata and generates the configuration file for the main Nginx reverse proxy

If everything went well then you should now be able to access your website at the provided address.


  • To view logs run docker-compose logs.
  • To view the generated Nginx configuration run docker exec -ti nginx cat /etc/nginx/conf.d/default.conf

How does it work

The system consists of 4 main parts:

  • Main Nginx reverse proxy container.
  • Container that generates the main Nginx config based on container metadata.
  • Container that automatically handles the acquisition and renewal of Let’s Encrypt TLS certificates.
  • The actual websites living in their own containers. In this example, a very simple website, talking to a very simple API.

The main Nginx reverse proxy container

This is the only publicly exposed container, routes traffic to the backend servers and provides TLS termination.

Uses the official nginx Docker image.

It is defined in docker-compose.yml under the nginx service block:

    restart: always
    image: nginx
    container_name: nginx
      - "80:80"
      - "443:443"
      - "/etc/nginx/conf.d"
      - "/etc/nginx/vhost.d"
      - "/usr/share/nginx/html"
      - "./volumes/proxy/certs:/etc/nginx/certs:ro"

As you can see it shares a few volumes:

  • Configuration folder: used by the container that generates the configuration file.
  • Default Nginx root folder: used by the Let’s Encrypt container for challenges from the CA.
  • Certificates folder: written to by the Let’s Encrypt container, this is where the TLS certificates are maintained.

The configuration generator container

This container inspects the other running containers and based on their metadata (like VIRTUAL_HOST environment variable) and a template file it generates the Nginx configuration file for the main Nginx container. When a new container is spinning up this container detects that, generates the appropriate configuration entries and restarts Nginx.

Uses the jwilder/docker-gen Docker image.

It is defined in docker-compose.yml under the nginx-gen service block:


    restart: always
    image: jwilder/docker-gen
    container_name: nginx-gen
      - "/var/run/docker.sock:/tmp/docker.sock:ro"
      - "./volumes/proxy/templates/nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl:ro"
      - nginx
    entrypoint: /usr/local/bin/docker-gen -notify-sighup nginx -watch -wait 5s:30s /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf

The container reads the nginx.tmpl template file (source: jwilder/nginx-proxy) via a volume shared with the host.

It also mounts the Docker socket into the container in order to be able to inspect the other containers (the "/var/run/docker.sock:/tmp/docker.sock:ro" line). Security warning: mounting the Docker socket is usually discouraged because the container getting (even read-only) access to it can get root access to the host. In our case, this container is not exposed to the world so if you trust the code running inside it the risks are probably fairly low. But definitely something to take into account. See e.g. The Dangers of Docker.sock for further details.

NOTE: it would be preferrable to have docker-gen only handle containers with exposed ports (via -only-exposed flag in the entrypoint script above) but currently that does not work, see e.g.

The Let’s Encrypt container

This container also inspects the other containers and acquires Let’s Encrypt TLS certificates based on the LETSENCRYPT_HOST and LETSENCRYPT_EMAIL environment variables. At regular intervals it checks and renews certificates as needed.

Uses the jrcs/letsencrypt-nginx-proxy-companion Docker image.

It is defined in docker-compose.yml under the letsencrypt-nginx-proxy-companion service block:


    restart: always
    image: jrcs/letsencrypt-nginx-proxy-companion
    container_name: letsencrypt-nginx-proxy-companion
      - nginx
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./volumes/proxy/certs:/etc/nginx/certs:rw"

The container uses a volume shared with the host and the Nginx container to maintain the certificates.

It also mounts the Docker socket in order to inspect the other containers. See the security warning above in the docker-gen section about the risks of that.

The sample website and the sample API

These two very simple samples are running in their own respective containers. They are defined in docker-compose.yml under the sample-api and sample-website service blocks:


    restart: always
    image: sample-api
    build: ./samples/api
    container_name: sample-api
      - VIRTUAL_NETWORK=nginx-proxy
      - VIRTUAL_PORT=3000
      - [email protected]

    restart: always
    image: sample-website
    build: ./samples/website
    container_name: sample-website
      - "./volumes/nginx-sample-website/conf.d/:/etc/nginx/conf.d"
      - "./volumes/config/sample-website/config.js:/usr/share/nginx/html/config.js"
      - VIRTUAL_NETWORK=nginx-proxy
      - VIRTUAL_PORT=80
      - [email protected]

The important part here are the environment variables. These are used by the config generator and certificate maintainer containers to set up the system.

The source code for these two images is in the samples subfolder, the images are built from there. In a real-world scenario these images would likely come from a Docker registry.


This can be a fairly simple way to have easy, reproducible deploys for websites with free, auto-renewing TLS certificates.

Installing Arch Linux with LVM

Recently I decided to give Arch Linux a try. This is a quick overview of the steps I followed to get up and running on an old Thinkpad T400.

This is mostly a reference for myself, but hopefully it will be somewhat useful for someone out there as well. It is mainly based on the excellent ArchWiki with additional stuff from here and there.

Getting Arch

This guide assumes you already have a bootable Arch installation media. See here on how to get it.


Start with booting into the Arch live CD/USB.

Connecting to Wi-Fi

Internet connection will be required during install, so let’s do that as the first step (for wired connection see e.g. here).


Select wireless network, type in the password and if everything went well you should now be connected to the Internet.

Update the system clock

timedatectl set-ntp true

Set up LVM

To view details about the available storage devices:


Determine the drive(s)/partition(s) you want to use. In this example I am creating a single LVM physical volume using a full drive.

First, create a Linux LVM partition spanning the whole disk:

fdisk /dev/sdX
n (to add a new partition)
p (for primary partition)
1 (default partition number)
(accept default start)
(accept default end)
t (to change partition type)
8e (for LVM partition when using MBR)
i (to verify)
w (save and quit)

Create an LVM physical volume on the new partition:

pvcreate /dev/sdX1

Create a volume group:

vgcreate vg1 /dev/sdX1

Create logical volumes for boot, root, swap and home.

lvcreate -L 200M -n boot vg1
lvcreate -L 20G -n root vg1
lvcreate -L 4G -n swap vg1
lvcreate -l 100%FREE -n home vg1

Note: instead of -l 100%FREE you may want to leave some unused space for snapshots.

Format the logical volumes:

mkfs.ext4 /dev/vg1/boot
mkfs.ext4 /dev/vg1/root
mkfs.ext4 /dev/vg1/home
mkswap /dev/vg1/swap
swapon /dev/vg1/swap

Then finally mount them under the live system’s /mnt:

mount /dev/vg1/root /mnt
mkdir /mnt/boot
mount /dev/vg1/boot /mnt/boot
mkdir /mnt/home
mount /dev/vg1/home /mnt/home

Install base packages

pacstrap /mnt base base-devel

Generate fstab

genfstab -U /mnt >> /mnt/etc/fstab

Change root to new system

arch-chroot /mnt /bin/bash

Set up locale

In /etc/locale.gen uncomment en_US.UTF-8 UTF-8 or whatever else locale you need then generate the new locale(s):


Create /etc/locale.conf:

# /etc/locale.conf

Setup time

Set time zone:

ln -s /usr/share/zoneinfo/Zone/SubZone /etc/localtime

Adjust the time skew, and set the time standard to UTC:

hwclock --systohc --utc

Update initramfs

Add LVM2 hook to /etc/mkinitcpio.conf:

# /etc/mkinitcpio.conf
HOOKS="...lvm2 filesystems..."

Re-generate the initramfs image:

mkinitcpio -p linux


In this example we are using MBR with grub. Install grub:

pacman -S grub

Install the bootloader to the drive Arch was installed to:

grub-install --target=i386-pc /dev/sdX

Generate configuration file:

grub-mkconfig -o /boot/grub/grub.cfg

Configure network

Set hostname:

# /etc/hostname

Install packages for wireless support:

pacman -S iw wpa_supplicant dialog

Set root password


Reboot to new system

Exit the chroot environment, unmount partitions, remove live media and reboot:

umount -R /mnt

Setup automatic Wi-Fi connection

wifi-menu -o
netctl start profileName
netctl enable profileName

Install desktop environment

For desktop environment let’s install Cinnamon. First, X:

pacman -S xorg-server xorg-xinit xorg-utils xorg-server-utils mesa xorg-twm xterm

Touchpad support:

pacman -S xf86-input-synaptics

Detemine the video card:

lspci | grep VGA

Search for video driver packages:

pacman –Ss | grep xf86-video

In this machine I have an Intel integrated video card, so installing driver for that:

pacman -S xf86-video-intel

Install Cinnamon:

pacman -S cinnamon nemo-fileroller

Install and start display manager:

pacman –S gdm
systemctl enable gdm
systemctl start gdm

Note: On password entry click the gear icon and select Cinnamon.

And done, a barebones Arch Linux installation with a desktop environment is now complete.


Logging Operation Details in WCF Service

This post describes a custom server-side logging solution for WCF services. The basic requirements:

  • Log call details such as:
    • Operation name
    • Operation parameters
    • Caller’s identity
    • Client machine address
    • etc.
  • Ability to exclude specific parameters (e.g. password) from logging.
  • Turn on/off logging at the operation level.
  • No code changes in service methods.

The solution takes advantage of WCF’s extensibility points by injecting an IParameterInspector into the operation’s execution pipeline. This is achieved via a custom IServiceBehavior, configured in web.config with the help of a BehaviorExtensionElement.

Binaries are available on nuget at and the source code is at


After adding a reference to the OperationLogger.Wcf.dll (e.g. via nuget), logging can be enabled with one simple code change and a bit of configuration.

Wiring up logging function

On service initialization (for example in custom ServiceHost’s OnOpening method) setup the OperationLogBehavior.LogAction static function, this will be called with OperationDetails whenever an operation is about to execute:

OperationLogBehavior.LogAction = operationDetails => { /*TODO: log to db/file/whatever*/ }


First enable the use of the service behavior by defining the behavior extension element:

            <add name="operationLog" 
                 type="OperationLogger.Wcf.OperationLogBehaviorElement, OperationLogger.Wcf" />

Then add this behavior to the service’s behavior definition:

        <behavior name="MyServiceBehavior">
                    <add actionPattern=".*" />

The above configuration example enables logging for all actions. To restrict logging to specific services/actions, add as many pattern entries as needed with the actionPattern set to a regular expression that needs to be matched for logging to be applied. For example:

        <add actionPattern=".*IPatientService/FindPatients" />
        <add actionPattern=".*IPatientService/GetPatient" />
        <add actionPattern=".*IExamService/.*" />

Parameter logging can be controlled similarly, using the parameterPattern attribute. By default it is turned on for all parameters, but it can be turned off altogether:

        <add actionPattern=".*IAuthenticationService/Authenticate" 
             parameterPattern="^$" />

Or it could be disabled for specific parameters:

        <add actionPattern=".*IAuthenticationService/Authenticate"
             parameterPattern="^((?!password).)*$" />

Error handling

Exceptions during logging are swallowed, but the service can get notified of exceptions by setting up the OperationLogBehavior.OnError static function:

OperationLogBehavior.OnError = (e, message) => { /*handle error*/ };


Parameter inspector

ParameterInspector implements IParameterInspector. The BeforeCall method is executed before every operation, so that is where we extract operation details from current OperationContext, ServiceSecurityContext, operation inputs, etc then call the log action.

public object BeforeCall(string operationName, object[] inputs)
    if (LogAction == null)
        return null;

        var operationContext = OperationContext.Current;
        var securityContext = ServiceSecurityContext.Current;
        var remoteEndpoint = OperationContext.Current.IncomingMessageProperties[RemoteEndpointMessageProperty.Name] 
                                as RemoteEndpointMessageProperty;

        var operationData = 
            new OperationDetails
                OperationName = operationName,
                Action = operationContext.IncomingMessageHeaders.Action,
                ServiceUri = operationContext.Channel.LocalAddress.Uri,
                ClientAddress = remoteEndpoint != null ? remoteEndpoint.Address : "",
                UserName = securityContext != null ? securityContext.PrimaryIdentity.Name : "",
                Identity = securityContext != null ? securityContext.PrimaryIdentity : null,
                IsAnonymous = securityContext == null || securityContext.IsAnonymous

        if (inputs != null)
            // get parameter names
            var parameterInfos = _operationDescription.SyncMethod.GetParameters();

            // add enabled parameters
            int i = 0;
            foreach (var parameterInfo in parameterInfos.Where(x => IsParameterLoggingEnabled(x.Name)))
                operationData.Parameters.Add(parameterInfo.Name, i < inputs.Length ? inputs[i] : null);

    catch (Exception e)
        // logging failed, try notifying the service
        var onError = OnError;
        if (onError != null)
            onError(e, string.Format("Operation logging failed for '{0}'", operationName));

    return null;

Service behavior

OperationLogBehavior implements IServiceBehavior and adds a parameter inspector for all operations that are enabled in the configuration.

public class OperationLogBehavior : IServiceBehavior
    public OperationLogBehavior()
        IsEnabledForOperation = operation => true;
        IsParameterLoggingEnabled = (operation, parameterName) => true;

    public static Action<OperationDetails> LogAction { get; set; }
    public static Action<Exception, string> OnError { get; set; }
    public Func<DispatchOperation, bool> IsEnabledForOperation { get; set; }
    public Func<DispatchOperation, string, bool> IsParameterLoggingEnabled { get; set; }

    void IServiceBehavior.AddBindingParameters(ServiceDescription serviceDescription,
                                               ServiceHostBase serviceHostBase,
                                               Collection<ServiceEndpoint> endpoints,
                                               BindingParameterCollection bindingParameters)

    void IServiceBehavior.ApplyDispatchBehavior(ServiceDescription serviceDescription,
                                                ServiceHostBase serviceHostBase)
        // add parameter inspector for all enabled operations in the service
        foreach (var channelDispatcher in serviceHostBase.ChannelDispatchers.OfType<ChannelDispatcher>())
            foreach (var endpointDispatcher in channelDispatcher.Endpoints)
                var endpoint = serviceHostBase.Description.Endpoints.Find(endpointDispatcher.EndpointAddress.Uri);
                foreach (var dispatchOperation in endpointDispatcher.DispatchRuntime.Operations.Where(IsEnabledForOperation))
                    var operationDescription = endpoint != null
                                                   ? GetOperationDescription(endpoint, dispatchOperation)
                                                   : null;
                    AddParameterInspector(dispatchOperation, operationDescription);

    void IServiceBehavior.Validate(ServiceDescription serviceDescription, ServiceHostBase serviceHostBase)

    private static OperationDescription GetOperationDescription(ServiceEndpoint endpoint,
                                                                DispatchOperation dispatchOperation)
        return endpoint.Contract.Operations.Find(dispatchOperation.Name);

    private void AddParameterInspector(DispatchOperation dispatchOperation,
                                       OperationDescription operationDescription)
        var parameterInspector = new ParameterInspector(operationDescription)
                                     LogAction = LogAction,
                                     OnError = OnError,
                                     IsParameterLoggingEnabled = parameterName => IsParameterLoggingEnabled(dispatchOperation, parameterName)

Behavior extension element

OperationLogBehaviorElement implements BehaviorExtensionElement and it allows OperationLogBehavior to be configured and associated with services in web.config.

public class OperationLogBehaviorElement : BehaviorExtensionElement
    private const string PatternsPropertyName = "patterns";

    public override Type BehaviorType
        get { return typeof (OperationLogBehavior); }

    // Define the <patterns> section to be used in the configuration.
    [ConfigurationCollection(typeof (OperationLogPatternCollection),
        AddItemName = "add", ClearItemsName = "clear", RemoveItemName = "remove")]
    public OperationLogPatternCollection Patterns
        get { return (OperationLogPatternCollection) base[PatternsPropertyName]; }
        set { base[PatternsPropertyName] = value; }

    protected override object CreateBehavior()
        return new OperationLogBehavior
            IsEnabledForOperation = IsEnabledForOperation,
            IsParameterLoggingEnabled = IsParameterLoggingEnabled

OperationLogPatternCollection defines the pattern collection in the configuration by implementing a ConfigurationElementCollection:

public class OperationLogPatternCollection : ConfigurationElementCollection
    public override ConfigurationElementCollectionType CollectionType
        get { return ConfigurationElementCollectionType.AddRemoveClearMap; }

    public OperationLogPatternElement this[int index]
        get { return (OperationLogPatternElement) BaseGet(index); }
            if (BaseGet(index) != null)
            BaseAdd(index, value);

    public new OperationLogPatternElement this[string Name]
        get { return (OperationLogPatternElement) BaseGet(Name); }

    protected override ConfigurationElement CreateNewElement()
        return new OperationLogPatternElement();

    protected override object GetElementKey(ConfigurationElement element)
        return ((OperationLogPatternElement) element).ActionPattern;

    public int IndexOf(OperationLogPatternElement patternElement)
        return BaseIndexOf(patternElement);

    public void Add(OperationLogPatternElement patternElement)

    protected override void BaseAdd(ConfigurationElement element)
        BaseAdd(element, false);

    public void Remove(OperationLogPatternElement patternElement)
        if (BaseIndexOf(patternElement) >= 0)

    public void RemoveAt(int index)

    public void Remove(string name)

    public void Clear()

And finally, OperationLogPatternElement is a ConfigurationElement and it defines the actionPattern and parameterPattern item attributes:

public class OperationLogPatternElement : ConfigurationElement
    private const string ActionPropertyName = "actionPattern";
    private const string ParameterPatternPropertyName = "parameterPattern";

    [ConfigurationProperty(ActionPropertyName, DefaultValue = null, IsRequired = true, IsKey = false)]
    public string ActionPattern
        get { return (string) this[ActionPropertyName]; }
        set { this[ActionPropertyName] = value; }

    [ConfigurationProperty(ParameterPatternPropertyName, DefaultValue = ".*", IsRequired = false, IsKey = false)]
    public string ParameterPattern
        get { return (string) this[ParameterPatternPropertyName]; }
        set { this[ParameterPatternPropertyName] = value; }

Raspberry Pi Shutdown/Reset/Start Button

Shutting down a Raspberry Pi by cutting the power while it is still running is not recommended and it can lead to data corruption. The Raspberry Pi does not have a built-in shutdown/reset button, but thankfully it is fairly simple to wire one up.

Wiring up the pushbutton

Note: info below applies to B+ and probably rev 2 A/B boards.

Take a pushbutton and simply wire it up as seen in the diagram below, one leg going via the red wire to pin 5 (GPIO3) and the other side going to ground at pin 6 (GND). A pull-up resistor is also needed on the wire connected to pin 5 (see e.g. here for reason) but the same can be achieved by just enabling the built-in pull-up resistor in code (see below).

Wiring the pushbutton

Pins other than number 5 could also be used, however a side benefit of using it is that when the Pi is powered off, shorting pin 5 with ground causes the Raspberry Pi to power on. So the same button can be used for shutdown/reboot and also for power-on.


The code to control the button is fairly simple. First set up the GPIO pin:

GPIO.setup(5, GPIO.IN, pull_up_down=GPIO.PUD_UP)

Then, subscribe to button up/down events:

GPIO.add_event_detect(5, GPIO.BOTH, callback=buttonStateChanged)

Finally, in the event handler act on the button press:

def buttonStateChanged(pin):
    global buttonPressedTime

    if not (GPIO.input(pin)):
        # button is down
        buttonPressedTime =
        # button is up
        if buttonPressedTime is not None:
            if ( - buttonPressedTime).total_seconds() >= shutdownMinSeconds:
                # button pressed for more than specified time, shutdown
                call(['shutdown', '-h', 'now'], shell=False)
                # button pressed for a shorter time, reboot
                call(['shutdown', '-r', 'now'], shell=False)

Using this code, if the button is pressed for more than a few seconds then the Raspberry Pi shuts down, otherwise it reboots.

The full script is available at

Run the script

sudo python

Autostart the script

If you’re using systemd then create a file called pishutdown.service in /etc/systemd/system/ (replace path\_to\_pishutdown with appropriate path):

ExecStart=/usr/bin/python /path_to_pishutdown/


Enable service:

sudo systemctl enable pishutdown.service

Run service (will be automatically started on next reboot):

sudo systemctl start pishutdown.service

Building a Touch Squeezebox Using Raspberry Pi

This post gives a brief overview of the process of building a touchscreen Squeezebox replacement. There may be a future post on building an enclosure for the player.

The system will run on a Raspberry Pi, using SqueezePlug, a customized version of Raspbian specifically tailored for Squeezebox player/server installations. For the player it will use Squeezelite (included with SqueezePlug) and for the UI JiveLite. Depending on the touchscreen the kernel needs to be rebuilt to include touch drivers (there is a link at the bottom of this post where this is described in detail).

Setup SqueezePlug

Download latest version from

Extract the .img file from the downloaded .zip file then using an imager such as Win32DiskImager write it to your SD card.

Boot up the Raspberry Pi and configure the system (setup networking, configure squeezelite, etc, might expand on this later…).

Install JiveLite

Install required libraries:

sudo apt-get install git libsdl1.2-dev libsdl-ttf2.0-dev libsdl-image1.2-dev libsdl-gfx1.2-dev libexpat1-dev

Get and build luajit:

git clone
cd luajit-2.0
sudo make install
sudo ldconfig

Get and build JiveLite:

git clone
cd jivelite
make PREFIX=/usr

To run JiveLite:


Setup auto-login

In /etc/inittab comment out the following line:

1:2345:respawn:/sbin/getty 115200 tty1

and add in the following line instead (replace your_username with appropriate user name, for SqueezePlug this is root by default):

1:2345:respawn:/bin/login -f your_username tty1 </dev/tty1 >/dev/tty1 2>&1

Auto-start X and JiveLite

In /etc/rc.local, above the exit 0 line, add the following:

su -s /bin/bash -c startx your_user&

If not running as root then edit /etc/X11/Xwrapper.config and change allowed_users=console to allowed_users=anybody to allow non-interactive processes to launch an X server (more info here)

Edit ~/.xinitrc and add the following (replace path_to_jivelite_bin with appropriate path):


Alternatively, if for some reason you want to boot into the desktop and then launch JiveLite then you may do this:

In /etc/rc.local, above the exit 0 line, add the following:

su -l root -c startx

Then create a jivelite.destop file in ~/.config/autostart/ (see e.g. here for details).

Hide mouse cursor

JiveLite seems to hide the mouse cursor automatically depending on how it is launched, but if it is started via the first method above then it does not hide it.

So, if needed, you may add the -nocursor option in /etc/X11/xinit/xserverrc (this will fully disable mouse cursor), or alternatively, sudo apt-get install unclutter and put the following in .xinitrc (above the jivelite command): unclutter -idle 1 -grab -noevents -display :0& (this will hide mouse cursor if idle for 1 second, lower numbers seem not to work).

Calibrating touchscreen

Andrew Fraser has written a great guide for eGalax devices. It involves rebuilding the kernel to include the touch drivers. Worked great for my Sainsmart 7” 800x480 panel.