NGINX + Docker + AWS: The 'Set & Forget' HTTPS Reverse Proxy

When most people think web server, they think 'serves HTML.' NGINX thinks bigger — and it’s been quietly powering some of the fastest, most reliable apps on the internet.

Today, I’ll show you how to make NGINX:

  • Handle load balancing
  • Cache static assets
  • Run in Docker for easy deployments
  • Auto-renew HTTPS certificates with zero downtime
  • Scale cleanly on AWS

Why NGINX Still Wins in 2025

  • Blazing fast: Beats Apache for static content in most benchmarks.
  • Security-ready: TLS, HTTP/2, mTLS — all in a few config lines.
  • Scalable by design: Native load balancing means horizontal scaling without headaches.
  • Reverse proxy magic: Perfect for microservices, APIs, and containerised workloads.
  • Docker-native: docker run nginx and you’re serving traffic.

Basic Setup Flow

  • Serve static sites.
  • Reverse proxy API traffic.
  • Cache what’s cacheable.
  • Enable HTTPS early — start with self-signed locally, then switch to Let’s Encrypt in prod.

Production-Ready NGINX + Certbot + Docker Setup

docker-compose.yml (zero-downtime SSL renewal)

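version: "3.9"
services:
  nginx:
    image: nginx:stable
    container_name: nginx_server
    volumes:
      - ./data/nginx/default.conf:/etc/nginx/conf.d/default.conf:ro
      - ./html:/usr/share/nginx/html:ro
      # NGINX only reads certificates and challenge files, so mount them read-only
      - ./data/certbot/conf:/etc/letsencrypt:ro
      - ./data/certbot/www:/var/www/certbot:ro
    ports:
      - "80:80"
      - "443:443"
    depends_on:
      - certbot

  certbot:
    image: certbot/certbot
    container_name: certbot_renewal
    volumes:
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
    # Attempt a renewal every 12 hours; the deploy hook runs only when a certificate was renewed.
    # "sleep & wait" lets the TERM trap fire as soon as the container is stopped.
    entrypoint: sh -c "
      trap exit TERM;
      while :; do
        certbot renew --webroot -w /var/www/certbot --quiet --deploy-hook 'touch /etc/letsencrypt/live/reload.flag';
        sleep 12h & wait $${!};
      done
    "

  nginx-reloader:
    image: alpine:latest
    container_name: nginx_reloader
    volumes:
      - ./data/certbot/conf:/etc/letsencrypt:ro
      # docker exec needs the Docker socket; access to it is root-equivalent on the host
      - /var/run/docker.sock:/var/run/docker.sock
    depends_on:
      - nginx
    # docker-cli provides the docker command; "attrib" catches touch on an existing reload.flag,
    # "create" catches the first time the file appears.
    entrypoint: sh -c "
      apk add --no-cache inotify-tools docker-cli;
      while true; do
        inotifywait -e create -e attrib /etc/letsencrypt/live;
        echo '📢 SSL certs changed — reloading NGINX...';
        docker exec nginx_server nginx -s reload;
      done
    "

  backend:
    image: node:18
    container_name: backend_app
    working_dir: /app
    command: sh -c 'npx http-server -p 3000'
    volumes:
      - ./html:/app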

How Auto-Renew Works

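  • Certbot checks every 12 hours and renews certs if needed.
  • On a successful renewal, the deploy hook touches a reload.flag file.
  • The nginx-reloader sidecar sees the change and runs nginx -s reload in the NGINX container. NGINX starts new workers with the new certificate and lets the old ones finish their connections, so there is no downtime.
  • The sidecar reaches NGINX through docker exec, so it needs the Docker CLI and the host's Docker socket. Treat that container as root-equivalent on the host.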
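
The compose file mounts ./data/nginx/default.conf, but the article does not show it. One possible version that matches the volumes and service names above and covers the steps in the Basic Setup Flow, as an added example rather than the author's own config; example.com is a placeholder domain, and the /api/ prefix, upstream name and cache settings are assumptions:

```nginx
# Added example: one possible ./data/nginx/default.conf for the compose file above.
# example.com is a placeholder; the /api/ prefix and cache settings are assumptions.
proxy_cache_path /var/cache/nginx/api levels=1:2 keys_zone=api_cache:10m
                 max_size=100m inactive=60m;

# Add more "server" lines here to load-balance (round-robin by default).
upstream backend_pool {
    server backend:3000;   # compose service name and port
}

server {
    listen 80;
    server_name example.com;
    # certbot --webroot writes HTTP-01 challenge files under /var/www/certbot.
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    # Everything else goes to HTTPS, using a fixed host rather than the Host header.
    location / {
        return 301 https://example.com$request_uri;
    }
}

server {
    listen 443 ssl;
    http2 on;   # nginx 1.25.1+; older versions use "listen 443 ssl http2;"
    server_name example.com;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Static site from the ./html bind mount, cacheable by browsers for a week.
    root /usr/share/nginx/html;
    location / {
        try_files $uri $uri/ =404;
        expires 7d;
    }

    # API traffic is proxied to the backend; cache only responses that are the same for every user.
    location /api/ {
        proxy_pass http://backend_pool;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache api_cache;
        proxy_cache_valid 200 5m;
    }
}
```

The 443 block loads only once a certificate exists under /etc/letsencrypt/live/example.com/, so the first certificate has to be issued before this file is used as is. The renew loop in the compose file only renews certificates that already exist.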

AWS Deployment Tips

  • EC2: Open ports 80/443, attach Elastic IP for stable DNS, run via docker compose up -d.
  • ECS/Fargate: Bind ports in task definition, use public ALB for incoming traffic.
  • CloudFront: Optional global cache + DDoS protection. Origin can be ALB or EC2 public DNS.

Architecture Diagram

[Diagram showing this NGINX + Certbot + AWS stack; image not included]

Key Takeaway

With this setup, you get:

  • Hands-off SSL (no manual renewals).
  • Zero-downtime reloads.
  • AWS-ready scaling.
  • Consistent environments from dev to prod with Docker.

NGINX isn’t just a web server. In 2025, it’s your traffic conductor, performance booster, and security gatekeeper — all in a few containers.


More articles by MANISH DEO
