feat: add nginx reverse proxy on ports 80/443 with certbot SSL support

Syntax-Error-1337 · claude · Syntax-Error-1337 · commit cafa30beaaa6 · 2026-03-10T13:30:40.000+08:00
- Add nginx service proxying HTTP traffic to radar:3001
- Add certbot service for automated Let's Encrypt certificate renewal
- Include ACME challenge path for initial cert issuance
- HTTPS 443 block pre-configured and commented out, ready to enable after certbot

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -24,16 +24,28 @@ services:
     # volumes:
     #   - ./server/src/Data:/app/Data:ro
 
-  # Optional: Add a reverse proxy (nginx)
-  # nginx:
-  #   image: nginx:alpine
-  #   container_name: radar-proxy
-  #   ports:
-  #     - "80:80"
-  #     - "443:443"
-  #   volumes:
-  #     - ./nginx.conf:/etc/nginx/nginx.conf:ro
-  #     - ./ssl:/etc/nginx/ssl:ro
-  #   depends_on:
-  #     - radar
-  #   restart: unless-stopped
+  nginx:
+    image: nginx:alpine
+    container_name: radar-nginx
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - ./nginx.conf:/etc/nginx/nginx.conf:ro
+      - certbot-www:/var/www/certbot:ro
+      - certbot-certs:/etc/letsencrypt:ro
+    depends_on:
+      - radar
+    restart: unless-stopped
+
+  certbot:
+    image: certbot/certbot
+    container_name: radar-certbot
+    volumes:
+      - certbot-www:/var/www/certbot
+      - certbot-certs:/etc/letsencrypt
+    entrypoint: /bin/sh -c "trap exit TERM; while :; do certbot renew --webroot -w /var/www/certbot --quiet; sleep 12h & wait $${!}; done"
+
+volumes:
+  certbot-www:
+  certbot-certs:
diff --git a/nginx.conf b/nginx.conf
@@ -0,0 +1,76 @@
+worker_processes auto;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    sendfile        on;
+    keepalive_timeout 65;
+    client_max_body_size 10M;
+
+    # Gzip compression
+    gzip on;
+    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+    # HTTP — redirect to HTTPS if SSL is configured, otherwise proxy directly
+    server {
+        listen 80;
+        server_name _;
+
+        # Let's Encrypt ACME challenge (needed for SSL certificate issuance)
+        location /.well-known/acme-challenge/ {
+            root /var/www/certbot;
+        }
+
+        # Redirect all HTTP traffic to HTTPS once certs are in place
+        # Uncomment the line below and remove the location / block after running certbot
+        # return 301 https://$host$request_uri;
+
+        location / {
+            proxy_pass         http://radar:3001;
+            proxy_http_version 1.1;
+            proxy_set_header   Upgrade $http_upgrade;
+            proxy_set_header   Connection 'upgrade';
+            proxy_set_header   Host $host;
+            proxy_set_header   X-Real-IP $remote_addr;
+            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header   X-Forwarded-Proto $scheme;
+            proxy_cache_bypass $http_upgrade;
+            proxy_read_timeout 90s;
+        }
+    }
+
+    # HTTPS — uncomment this block after running certbot
+    # Replace radar.army with your actual domain
+    #
+    # server {
+    #     listen 443 ssl;
+    #     server_name radar.army www.radar.army;
+    #
+    #     ssl_certificate     /etc/letsencrypt/live/radar.army/fullchain.pem;
+    #     ssl_certificate_key /etc/letsencrypt/live/radar.army/privkey.pem;
+    #     ssl_protocols       TLSv1.2 TLSv1.3;
+    #     ssl_ciphers         HIGH:!aNULL:!MD5;
+    #
+    #     location /.well-known/acme-challenge/ {
+    #         root /var/www/certbot;
+    #     }
+    #
+    #     location / {
+    #         proxy_pass         http://radar:3001;
+    #         proxy_http_version 1.1;
+    #         proxy_set_header   Upgrade $http_upgrade;
+    #         proxy_set_header   Connection 'upgrade';
+    #         proxy_set_header   Host $host;
+    #         proxy_set_header   X-Real-IP $remote_addr;
+    #         proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+    #         proxy_set_header   X-Forwarded-Proto $scheme;
+    #         proxy_cache_bypass $http_upgrade;
+    #         proxy_read_timeout 90s;
+    #     }
+    # }
+}
