Attempting to add rudimentary SSL support.

Proof of concept for SSL support using self signed certs.
2014-05-29 00:04:29 -04:00 · 2014-05-29 00:04:29 -04:00 · 094a7642f1
commit 094a7642f1
parent a794d6db46
3 changed files with 61 additions and 2 deletions
--- a/6
+++ b/6
@ -10,6 +10,12 @@ RUN apt-get update
 RUN apt-get install -y nginx
 RUN echo "daemon off;" >> /etc/nginx/nginx.conf

+RUN mkdir /etc/nginx/ssl
+WORKDIR /etc/nginx/ssl
+RUN openssl genrsa  -out server.key 2048
+RUN openssl req -new -batch -key server.key -out server.csr
+RUN openssl x509 -req -days 10000 -in server.csr -signkey server.key -out server.crt
+
 RUN mkdir /app
 WORKDIR /app
 ADD . /app
--- a/README.md
+++ b/README.md
@ -1,4 +1,4 @@
-nginx-proxy sets up a container running nginx and [docker-gen][1].  docker-gen generate reverse proxy configs for nginx and reloads nginx when containers they are started and stopped.
+nginx-proxy sets up a container running nginx and [docker-gen][1].  docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped.

 See [Automated Nginx Reverse Proxy for Docker][2] for why you might want to use this.

@ -18,5 +18,15 @@ Provided your DNS is setup to forward foo.bar.com to the a host running nginx-pr

 If your container exposes multiple ports, nginx-proxy will default to the service running on port 80.  If you need to specify a different port, you can set a VIRTUAL_PORT env var to select a different one.  If your container only exposes one port and it has a VIRTUAL_HOST env var set, that port will be selected.

+### SSL Support
+
+You can enable SSL by setting VIRTUAL_SSL_HOST on your container:
+
+    $ docker run -e VIRTUAL_HOST=foo.bar.com -e VIRTUAL_SSL_HOST=foo.bar.com -t ...
+
+VIRTUAL_SSL_PORT can also be set on your container to override the default port, 443.
+
+Self signed certs are generated on docker build, please replace them with your own for production use.
+
  [1]: https://github.com/jwilder/docker-gen
  [2]: http://jasonwilder.com/blog/2014/03/25/automated-nginx-reverse-proxy-for-docker/
--- a/nginx.tmpl
+++ b/nginx.tmpl
@ -28,7 +28,7 @@ upstream {{ $host }} {
 		   server {{ $address.IP }}:{{ $address.Port }};
 		   {{ end }}
 		{{ end }}
-    {{ end }}
+        {{ end }}
 {{ end }}
 }

@ -44,3 +44,46 @@ server {
 	}
 }
 {{ end }}
+
+{{ range $host, $containers := groupBy $ "Env.VIRTUAL_SSL_HOST" }}
+upstream ssl-{{ $host }} {
+
+{{ range $index, $value := $containers }}
+        {{ if $value.Env.VIRTUAL_SSL_PORT }}
+                {{ range $i, $address := $value.Addresses }}
+                   {{ if eq $address.Port $value.Env.VIRTUAL_SSL_PORT }}
+                   # {{$value.Name}}
+                   server {{ $address.IP }}:{{ $address.Port }};
+                   {{end}}
+                {{end}}
+        {{ else }}
+                {{ range $i, $address := $value.Addresses }}
+                   {{ if eq $address.Port "443" }}
+                   # {{$value.Name}}
+                   server {{ $address.IP }}:{{ $address.Port }};
+                   {{ end }}
+                {{ end }}
+        {{ end }}
+{{ end }}
+}
+
+server {
+        listen 443 ssl;
+
+        server_name {{ $host }};
+        proxy_buffering off;
+
+        location / {
+            proxy_pass https://ssl-{{ $host }};
+            include /etc/nginx/proxy_params;
+        }
+}
+{{ end }}
+
+{{/* Should consider retrieving proper certs from a remote server, keyed by $VIRTUAL_SSL_HOST */}}
+ssl_certificate /etc/nginx/ssl/server.crt;
+ssl_certificate_key /etc/nginx/ssl/server.key;
+ssl_session_timeout  5m;
+ssl_protocols        SSLv3 TLSv1;
+ssl_ciphers          ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+EXP;
+ssl_prefer_server_ciphers   on;