<![CDATA[Timon's Blog]]>https://blog.timongartung.comRSS for NodeWed, 15 Apr 2026 16:32:40 GMT60<![CDATA[A Step-by-Step Guide to Implementing SSL for Your ASP.NET API.]]>https://blog.timongartung.com/a-step-by-step-guide-to-implementing-ssl-for-your-aspnet-apihttps://blog.timongartung.com/a-step-by-step-guide-to-implementing-ssl-for-your-aspnet-apiTue, 02 Jul 2024 04:27:38 GMTCreating an ASP.NET API is straightforward, but securing it with HTTPS requires additional steps. In this blog, I’ll walk you through setting up SSL for your ASP.NET API to ensure secure communication.

Table of Content

  • Containerize your ASP.NET API (with Docker)

  • Set up Nginx (HTTP)

  • Create a Certificate with Certbot

  • Set Up SSL on Nginx (HTTPS)

  • Automate Certificate Renewal (for Ubuntu)

  • Summary

Containerize your ASP.NET API

If you have the Docker extension installed in Visual Studio, it will automatically create a container image for your ASP.NET API. You can then upload this image to a registry, such as DockerHub. Here’s how you can use Docker Compose to configure and run your container:

services:
  yourapiname:
    image: yourusername/yourapi
    ports: 
      - 5556:5000

The Standard Port for the ASP.netAPI is 5000 and is only accessible inside the Container or a Container Network. So, in the configuration, port 5000 is published to port 5556. This means port 5556 should be accessible from the browser. Let's check that by running the command docker-compose up and verifying if the Swagger file is accessible.

If the Swagger file is accessible, we can proceed to set up Nginx.

Set up Nginx (HTTP)

Nginx is a high-performance web server that can also be used as a reverse proxy, load balancer, mail proxy, and HTTP cache. In this setup, we will use Nginx as a reverse proxy to route HTTP requests to our ASP.NET API container.

Our goal is to access the Swagger file over HTTP on the standard port 80. We’ll set up an Nginx server to listen on port 80 and configure it to proxy requests to our API container on internal port 5000. Here’s how you can configure Nginx:

events {
    worker_connections 1024;
}

http {
    server_tokens off;
    charset utf-8;
    server {
        listen 80;

        server_name _;

        location /swagger/ {
            proxy_pass http://yourapiname:5000/swagger/;
            index  index.html index.htm;
        } 
    }
}

Save the file and name it nginx.conf.

Now we can update the Docker Compose file:

services:
  yourapiname:
    image: yourusername/yourapi

  nginx:
    restart: unless-stopped
    image: nginx
    ports: 
      - 80:80
    volumes:
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf

I have removed the port mapping from stoicquotesmailregistrator and added a new container nginx. For the new container, we have exposed port 80 and mapped the config file into the container. When we now run docker-compose up -d, the Swagger file should be available on port 80. Let's check.

The old Page is not accessible anymore:

Port 80 is now working:

Create a Certificate with Certbot

Certbot is a free, open-source tool for automatically using Let’s Encrypt certificates on manually-administrated websites. We need to configure Nginx to serve the challenge files that Certbot will use to verify our domain ownership. Here’s how to set up Certbot with Docker Compose.

Add a challenge location for Certbot in the nginx.conf file:

location ~ /.well-known/acme-challenge/ {
    root /var/www/certbot;
}

Also, add two volumes to the Nginx container. These are needed so Certbot can communicate with the Nginx server and manage the SSL certificate:

- ./certbot/conf:/etc/letsencrypt
- ./certbot/www:/var/www/certbot

Then we can add Certbot to the Docker Compose file. Please add your email and your domain in the command:

certbot:
    image: certbot/certbot
    volumes: 
      - ./certbot/conf:/etc/letsencrypt
      - ./certbot/www:/var/www/certbot
    command: certonly --webroot -w /var/www/certbot --force-renewal --email {mail} -d {domain} --agree-tos

When you run docker-compose up -d, a certificate should be created.

Set Up SSL on Nginx (HTTPS)

o set up the SSL connection, we add a new server block with port 443. We also add the path to the certificates and the location with the link we want to publish.

    server {
        listen 443 ssl;
        # use the certificates
        ssl_certificate /etc/letsencrypt/live/{domain}/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/{domain}/privkey.pem;
        server_name {domain};

        location /swagger/ {
            proxy_pass http://containerName:5000/swagger/;
            index  index.html index.htm;
        }
    }

Replace {domain} with your domain.

This should be it. Run docker-compose up -d and open the site with HTTPS. The certificate should be visible in the browser now.

Automate Certificate Renewal

Let’s Encrypt certificates are only valid for 90 days. To ensure continuous security, we need to automate the renewal process. Add the following command to your crontab to schedule automatic renewals (open with crontab -e):

/usr/bin/docker compose -f /root/projects/reverseProxy-nginx-ssl/docker-compose.yml restart

To change the certificate properly we need to restart the nginx after the certificate was newly created. For that we can add a dependency between nginx and certbot with the depends_on parameter.

  nginx:
    restart: unless-stopped
    depends_on: 
      certbot:
        condition: service_completed_successfully
    image: nginx
    ports: 
      - 80:80
    volumes:
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf

Summary

In this guide, we’ve walked through setting up a secure ASP.NET API using Docker, Nginx, and Certbot. We configured Nginx to proxy HTTP and HTTPS requests to our API container and set up automatic certificate renewal. Here are the final configurations for Nginx and Docker Compose:

Nginx Configuration

events {
    worker_connections 1024;
}

http {
    server_tokens off;
    charset utf-8;

      access_log  /var/log/nginx/access.log;

    server {
        listen 80;

        server_name _;

        location /swagger/ {
            proxy_pass http://containerName:5000/swagger/;
            index  index.html index.htm;
        }

        location / {
            root   /usr/share/nginx/html;
            index  index.html index.htm;
        }

        location ~ /.well-known/acme-challenge/ {
            root /var/www/certbot;
        } 
    }

    server {
        listen 443 ssl;
        # use the certificates
        ssl_certificate /etc/letsencrypt/live/{domain}/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/{domain}/privkey.pem;
        server_name {domain};

        location /swagger/ {
            proxy_pass http://containerName:5000/swagger/;
            index  index.html index.htm;
        }
    }
}

Docker Compose Configuration

services:
  yourapiname:
    image: yourusername/yourapi

  nginx:
    restart: unless-stopped
    depends_on: 
      certbot:
        condition: service_completed_successfully
    image: nginx
    ports: 
      - 80:80
      - 443:443
    volumes:
      - /root/projects/reverseProxy-nginx-ssl/nginx/nginx.conf:/etc/nginx/nginx.conf
      - ./certbot/conf:/etc/letsencrypt
      - ./certbot/www:/var/www/certbot

  certbot:
    image: certbot/certbot
    volumes: 
      - ./certbot/conf:/etc/letsencrypt
      - ./certbot/www:/var/www/certbot
    command: certonly --webroot -w /var/www/certbot --force-renewal --email <mail> -d <domain> --agree-tos

This is my first blog, so please give me feedback! :)

]]>