From 99560da65c03189be3c1f158b68b81f889ae7693 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20L=C3=89VEIL?= Date: Fri, 9 Oct 2015 15:33:29 +0200 Subject: [PATCH 01/77] fix CircleCI badge link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 22cae63..80c4c6b 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -![nginx 1.9.5](https://img.shields.io/badge/nginx-1.9.5-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) ![Build](https://circleci.com/gh/jwilder/nginx-proxy.svg?&style=shield&circle-token=2da3ee844076a47371bd45da81cf27409ca7306a) +![nginx 1.9.5](https://img.shields.io/badge/nginx-1.9.5-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build](https://circleci.com/gh/jwilder/nginx-proxy.svg?&style=shield&circle-token=2da3ee844076a47371bd45da81cf27409ca7306a)](https://circleci.com/gh/jwilder/nginx-proxy) nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped. From 5fe9411d8820e07ca2a5031828dd18f60532a894 Mon Sep 17 00:00:00 2001 From: Mike Dillon Date: Fri, 9 Oct 2015 23:07:46 -0700 Subject: [PATCH 02/77] Change line endings to Unix --- test/multiple-ports.bats | 108 +++++++++++++++---------------- test/wildcard-hosts.bats | 136 +++++++++++++++++++-------------------- 2 files changed, 122 insertions(+), 122 deletions(-) diff --git a/test/multiple-ports.bats b/test/multiple-ports.bats index a711056..a8ff314 100644 --- a/test/multiple-ports.bats +++ b/test/multiple-ports.bats 
@@ -1,54 +1,54 @@ -#!/usr/bin/env bats -load test_helpers -SUT_CONTAINER=bats-nginx-proxy-${TEST_FILE} - -function setup { - # make sure to stop any web container before each test so we don't - # have any unexpected contaiener running with VIRTUAL_HOST or VIRUTAL_PORT set - docker ps -q --filter "label=bats-type=web" | xargs -r docker stop >&2 -} - - -@test "[$TEST_FILE] start a nginx-proxy container" { - # GIVEN nginx-proxy - run nginxproxy $SUT_CONTAINER -v /var/run/docker.sock:/tmp/docker.sock:ro - assert_success - docker_wait_for_log $SUT_CONTAINER 3 "Watching docker events" -} - - -@test "[$TEST_FILE] nginx-proxy defaults to the service running on port 80" { - # WHEN - prepare_web_container bats-web-${TEST_FILE}-1 "80 90" -e VIRTUAL_HOST=web.bats - - # THEN - assert_response_is_from_port 80 -} - - -@test "[$TEST_FILE] VIRTUAL_PORT=90 while port 80 is also exposed" { - # GIVEN - prepare_web_container bats-web-${TEST_FILE}-2 "80 90" -e VIRTUAL_HOST=web.bats -e VIRTUAL_PORT=90 - - # THEN - assert_response_is_from_port 90 -} - - -@test "[$TEST_FILE] single exposed port != 80" { - # GIVEN - prepare_web_container bats-web-${TEST_FILE}-3 1234 -e VIRTUAL_HOST=web.bats - - # THEN - assert_response_is_from_port 1234 -} - - -# assert querying nginx-proxy provides a response from the expected port of the web container -# $1 port we are expecting an response from -function assert_response_is_from_port { - local -r port=$1 - run curl_container $SUT_CONTAINER /data --header "Host: web.bats" - assert_output "answer from port $port" -} - +#!/usr/bin/env bats +load test_helpers +SUT_CONTAINER=bats-nginx-proxy-${TEST_FILE} + +function setup { + # make sure to stop any web container before each test so we don't + # have any unexpected contaiener running with VIRTUAL_HOST or VIRUTAL_PORT set + docker ps -q --filter "label=bats-type=web" | xargs -r docker stop >&2 +} + + +@test "[$TEST_FILE] start a nginx-proxy container" { + # GIVEN nginx-proxy + run nginxproxy $SUT_CONTAINER -v 
/var/run/docker.sock:/tmp/docker.sock:ro + assert_success + docker_wait_for_log $SUT_CONTAINER 3 "Watching docker events" +} + + +@test "[$TEST_FILE] nginx-proxy defaults to the service running on port 80" { + # WHEN + prepare_web_container bats-web-${TEST_FILE}-1 "80 90" -e VIRTUAL_HOST=web.bats + + # THEN + assert_response_is_from_port 80 +} + + +@test "[$TEST_FILE] VIRTUAL_PORT=90 while port 80 is also exposed" { + # GIVEN + prepare_web_container bats-web-${TEST_FILE}-2 "80 90" -e VIRTUAL_HOST=web.bats -e VIRTUAL_PORT=90 + + # THEN + assert_response_is_from_port 90 +} + + +@test "[$TEST_FILE] single exposed port != 80" { + # GIVEN + prepare_web_container bats-web-${TEST_FILE}-3 1234 -e VIRTUAL_HOST=web.bats + + # THEN + assert_response_is_from_port 1234 +} + + +# assert querying nginx-proxy provides a response from the expected port of the web container +# $1 port we are expecting an response from +function assert_response_is_from_port { + local -r port=$1 + run curl_container $SUT_CONTAINER /data --header "Host: web.bats" + assert_output "answer from port $port" +} + diff --git a/test/wildcard-hosts.bats b/test/wildcard-hosts.bats index 8242fc1..4e1484f 100644 --- a/test/wildcard-hosts.bats +++ b/test/wildcard-hosts.bats 
@@ -1,68 +1,68 @@ -#!/usr/bin/env bats -load test_helpers -SUT_CONTAINER=bats-nginx-proxy-${TEST_FILE} - -function setup { - # make sure to stop any web container before each test so we don't - # have any unexpected contaiener running with VIRTUAL_HOST or VIRUTAL_PORT set - docker ps -q --filter "label=bats-type=web" | xargs -r docker stop >&2 -} - - -@test "[$TEST_FILE] start a nginx-proxy container" { - # GIVEN - run nginxproxy $SUT_CONTAINER -v /var/run/docker.sock:/tmp/docker.sock:ro - assert_success - docker_wait_for_log $SUT_CONTAINER 3 "Watching docker events" -} - - -@test "[$TEST_FILE] VIRTUAL_HOST=*.wildcard.bats" { - # WHEN - prepare_web_container bats-wildcard-hosts-1 80 -e VIRTUAL_HOST=*.wildcard.bats - - # THEN - assert_200 f00.wildcard.bats - assert_200 bar.wildcard.bats - assert_503 unexpected.host.bats -} - -@test "[$TEST_FILE] VIRTUAL_HOST=wildcard.bats.*" { - # WHEN - prepare_web_container bats-wildcard-hosts-2 80 -e VIRTUAL_HOST=wildcard.bats.* - - # THEN - assert_200 wildcard.bats.f00 - assert_200 wildcard.bats.bar - assert_503 unexpected.host.bats -} - -@test "[$TEST_FILE] VIRTUAL_HOST=~^foo\.bar\..*\.bats" { - # WHEN - prepare_web_container bats-wildcard-hosts-2 80 -e VIRTUAL_HOST=~^foo\.bar\..*\.bats - - # THEN - assert_200 foo.bar.whatever.bats - assert_200 foo.bar.why.not.bats - assert_503 unexpected.host.bats - -} - - -# assert that querying nginx-proxy with the given Host header produces a `HTTP 200` response -# $1 Host HTTP header to use when querying nginx-proxy -function assert_200 { - local -r host=$1 - - run curl_container $SUT_CONTAINER / --head --header "Host: $host" - assert_output -l 0 $'HTTP/1.1 200 OK\r' -} - -# assert that querying nginx-proxy with the given Host header produces a `HTTP 503` response -# $1 Host HTTP header to use when querying nginx-proxy -function assert_503 { - local -r host=$1 - - run curl_container $SUT_CONTAINER / --head --header "Host: $host" - assert_output -l 0 $'HTTP/1.1 503 Service Temporarily 
Unavailable\r' -} \ No newline at end of file +#!/usr/bin/env bats +load test_helpers +SUT_CONTAINER=bats-nginx-proxy-${TEST_FILE} + +function setup { + # make sure to stop any web container before each test so we don't + # have any unexpected contaiener running with VIRTUAL_HOST or VIRUTAL_PORT set + docker ps -q --filter "label=bats-type=web" | xargs -r docker stop >&2 +} + + +@test "[$TEST_FILE] start a nginx-proxy container" { + # GIVEN + run nginxproxy $SUT_CONTAINER -v /var/run/docker.sock:/tmp/docker.sock:ro + assert_success + docker_wait_for_log $SUT_CONTAINER 3 "Watching docker events" +} + + +@test "[$TEST_FILE] VIRTUAL_HOST=*.wildcard.bats" { + # WHEN + prepare_web_container bats-wildcard-hosts-1 80 -e VIRTUAL_HOST=*.wildcard.bats + + # THEN + assert_200 f00.wildcard.bats + assert_200 bar.wildcard.bats + assert_503 unexpected.host.bats +} + +@test "[$TEST_FILE] VIRTUAL_HOST=wildcard.bats.*" { + # WHEN + prepare_web_container bats-wildcard-hosts-2 80 -e VIRTUAL_HOST=wildcard.bats.* + + # THEN + assert_200 wildcard.bats.f00 + assert_200 wildcard.bats.bar + assert_503 unexpected.host.bats +} + +@test "[$TEST_FILE] VIRTUAL_HOST=~^foo\.bar\..*\.bats" { + # WHEN + prepare_web_container bats-wildcard-hosts-2 80 -e VIRTUAL_HOST=~^foo\.bar\..*\.bats + + # THEN + assert_200 foo.bar.whatever.bats + assert_200 foo.bar.why.not.bats + assert_503 unexpected.host.bats + +} + + +# assert that querying nginx-proxy with the given Host header produces a `HTTP 200` response +# $1 Host HTTP header to use when querying nginx-proxy +function assert_200 { + local -r host=$1 + + run curl_container $SUT_CONTAINER / --head --header "Host: $host" + assert_output -l 0 $'HTTP/1.1 200 OK\r' +} + +# assert that querying nginx-proxy with the given Host header produces a `HTTP 503` response +# $1 Host HTTP header to use when querying nginx-proxy +function assert_503 { + local -r host=$1 + + run curl_container $SUT_CONTAINER / --head --header "Host: $host" + assert_output -l 0 $'HTTP/1.1 
503 Service Temporarily Unavailable\r' +} From 2cba8a8d5f525c1e9ba4b8c06e396d2ee14fc522 Mon Sep 17 00:00:00 2001 From: Mike Dillon Date: Fri, 9 Oct 2015 23:10:38 -0700 Subject: [PATCH 03/77] Avoid xargs -r The -r option is not available on OS X --- test/default-host.bats | 5 ++++- test/multiple-hosts.bats | 5 ++++- test/multiple-ports.bats | 5 ++++- test/wildcard-hosts.bats | 5 ++++- 4 files changed, 16 insertions(+), 4 deletions(-) diff --git a/test/default-host.bats b/test/default-host.bats index 503bb9f..4e9d84e 100644 --- a/test/default-host.bats +++ b/test/default-host.bats @@ -4,7 +4,10 @@ load test_helpers function setup { # make sure to stop any web container before each test so we don't # have any unexpected contaiener running with VIRTUAL_HOST or VIRUTAL_PORT set - docker ps -q --filter "label=bats-type=web" | xargs -r docker stop >&2 + CIDS=( $(docker ps -q --filter "label=bats-type=web") ) + if [ ${#CIDS[@]} -gt 0 ]; then + docker stop ${CIDS[@]} >&2 + fi } diff --git a/test/multiple-hosts.bats b/test/multiple-hosts.bats index c5c5749..695aec1 100644 --- a/test/multiple-hosts.bats +++ b/test/multiple-hosts.bats @@ -5,7 +5,10 @@ SUT_CONTAINER=bats-nginx-proxy-${TEST_FILE} function setup { # make sure to stop any web container before each test so we don't # have any unexpected contaiener running with VIRTUAL_HOST or VIRUTAL_PORT set - docker ps -q --filter "label=bats-type=web" | xargs -r docker stop >&2 + CIDS=( $(docker ps -q --filter "label=bats-type=web") ) + if [ ${#CIDS[@]} -gt 0 ]; then + docker stop ${CIDS[@]} >&2 + fi } diff --git a/test/multiple-ports.bats b/test/multiple-ports.bats index a8ff314..a520571 100644 --- a/test/multiple-ports.bats +++ b/test/multiple-ports.bats 
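Review bot: In the new `setup` body of test/default-host.bats, `CIDS` is assigned as a global and `docker stop ${CIDS[@]} >&2` expands it unquoted; this is a style point, since the values come from `docker ps -q`. Scoping and quoting it, `local -a cids=( $(docker ps -q --filter "label=bats-type=web") )` followed by `docker stop "${cids[@]}" >&2`, keeps the variable out of the test bodies and makes the expansion explicit. The same four lines are added to multiple-hosts.bats, multiple-ports.bats and wildcard-hosts.bats, so a shared helper in test_helpers.bash would avoid carrying four copies.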
@@ -5,7 +5,10 @@ SUT_CONTAINER=bats-nginx-proxy-${TEST_FILE} function setup { # make sure to stop any web container before each test so we don't # have any unexpected contaiener running with VIRTUAL_HOST or VIRUTAL_PORT set - docker ps -q --filter "label=bats-type=web" | xargs -r docker stop >&2 + CIDS=( $(docker ps -q --filter "label=bats-type=web") ) + if [ ${#CIDS[@]} -gt 0 ]; then + docker stop ${CIDS[@]} >&2 + fi } diff --git a/test/wildcard-hosts.bats b/test/wildcard-hosts.bats index 4e1484f..88ca1e7 100644 --- a/test/wildcard-hosts.bats +++ b/test/wildcard-hosts.bats @@ -5,7 +5,10 @@ SUT_CONTAINER=bats-nginx-proxy-${TEST_FILE} function setup { # make sure to stop any web container before each test so we don't # have any unexpected contaiener running with VIRTUAL_HOST or VIRUTAL_PORT set - docker ps -q --filter "label=bats-type=web" | xargs -r docker stop >&2 + CIDS=( $(docker ps -q --filter "label=bats-type=web") ) + if [ ${#CIDS[@]} -gt 0 ]; then + docker stop ${CIDS[@]} >&2 + fi } From 0d2bc381791bf15746e363b8dcf9acc5a28fdd6c Mon Sep 17 00:00:00 2001 From: Mike Dillon Date: Fri, 9 Oct 2015 23:11:03 -0700 Subject: [PATCH 04/77] Run curl commands from a sibling container --- test/docker.bats | 2 +- test/test_helpers.bash | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/test/docker.bats b/test/docker.bats index 44d31b9..d5fde7c 100644 --- a/test/docker.bats +++ b/test/docker.bats @@ -62,7 +62,7 @@ load test_helpers -v /etc/nginx/certs/ \ nginx:latest assert_success - run retry 5 1s curl --silent --fail --head http://$(docker_ip bats-nginx)/ + run retry 5 1s docker run --rm appropriate/curl --silent --fail --head http://$(docker_ip bats-nginx)/ assert_output -l 0 $'HTTP/1.1 200 OK\r' # WHEN docker-gen runs on our docker host diff --git a/test/test_helpers.bash b/test/test_helpers.bash index 9063736..d4f0842 100644 --- a/test/test_helpers.bash +++ b/test/test_helpers.bash 
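Review bot: `docker run --rm appropriate/curl` in the test/docker.bats hunk references a third-party image with no tag or digest, so whatever is published under that name when the tests run is what executes on the CI host. The same unpinned reference is added to `curl_container` and `prepare_web_container` in test/test_helpers.bash. Holding the reference in one variable in test_helpers.bash and pinning it there, for example `appropriate/curl@sha256:<digest>`, would make the tests reproducible and the image change reviewable. `$(docker_ip bats-nginx)` is also left unquoted on that line; the test body continues outside the hunk.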
@@ -1,7 +1,7 @@ # Test if requirements are met ( type docker &>/dev/null || ( echo "docker is not available"; exit 1 ) - type curl &>/dev/null || ( echo "curl is not available"; exit 1 ) + #type curl &>/dev/null || ( echo "curl is not available"; exit 1 ) )>&2 @@ -67,7 +67,7 @@ function curl_container { local -r container=$1 local -r path=$2 shift 2 - curl --silent \ + docker run --rm appropriate/curl --silent \ --connect-timeout 5 \ --max-time 20 \ "$@" \ @@ -122,7 +122,7 @@ function prepare_web_container { # THEN querying directly port works for port in $ports; do - run retry 5 1s curl --silent --fail http://$(docker_ip $container_name):$port/data + run retry 5 1s docker run --rm appropriate/curl --silent --fail http://$(docker_ip $container_name):$port/data assert_output "answer from port $port" done } \ No newline at end of file From b1a08843da6cf2983dec7cebb490aee2cf086273 Mon Sep 17 00:00:00 2001 From: Mike Dillon Date: Sun, 11 Oct 2015 10:55:17 -0700 Subject: [PATCH 05/77] Avoid breakage from IFS being reset in "run" See https://github.com/sstephenson/bats/issues/89 --- test/test_helpers.bash | 2 ++ 1 file changed, 2 insertions(+) diff --git a/test/test_helpers.bash b/test/test_helpers.bash index d4f0842..c4a2d1c 100644 --- a/test/test_helpers.bash +++ b/test/test_helpers.bash @@ -87,6 +87,7 @@ function prepare_web_container { local -r options="$@" local expose_option="" + IFS=$' \t\n' # See https://github.com/sstephenson/bats/issues/89 for port in $ports; do expose_option="${expose_option}--expose=$port " done @@ -121,6 +122,7 @@ function prepare_web_container { assert_success # THEN querying directly port works + IFS=$' \t\n' # See https://github.com/sstephenson/bats/issues/89 for port in $ports; do run retry 5 1s docker run --rm appropriate/curl --silent --fail http://$(docker_ip $container_name):$port/data assert_output "answer from port $port" From 30e565f0ed62a2bf34ab62a356e432957f12ac10 Mon Sep 17 00:00:00 2001 
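Review bot: Both `IFS=$' \t\n'` lines added to `prepare_web_container` assign the global IFS, so the function changes word splitting for whatever runs after it returns. The function already uses `local`, so a single `local IFS=$' \t\n'  # See https://github.com/sstephenson/bats/issues/89` near the top would cover both `for port in $ports` loops and restore the caller's value on return. Only parts of the function are visible in these two hunks.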
From: Mike Dillon Date: Sun, 11 Oct 2015 11:04:00 -0700 Subject: [PATCH 06/77] Check "docker version" from a sibling container --- test/lib/docker_helpers.bash | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/lib/docker_helpers.bash b/test/lib/docker_helpers.bash index bbaf27e..c60c222 100644 --- a/test/lib/docker_helpers.bash +++ b/test/lib/docker_helpers.bash @@ -56,5 +56,5 @@ function docker_tcp { --expose 2375 \ -v /var/run/docker.sock:/var/run/docker.sock \ rancher/socat-docker - docker -H tcp://$(docker_ip $container_name):2375 version + docker run --rm --link "$container_name:docker" docker version } From ec393e3d180c9652bfa055d6b2bde7d96056f013 Mon Sep 17 00:00:00 2001 From: Mike Dillon Date: Sun, 11 Oct 2015 11:04:34 -0700 Subject: [PATCH 07/77] Pull additional images needed for Circle CI --- circle.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/circle.yml b/circle.yml index 8deabde..6fcd063 100644 --- a/circle.yml +++ b/circle.yml @@ -14,6 +14,8 @@ dependencies: - docker pull nginx - docker pull python:3 - docker pull rancher/socat-docker + - docker pull appropriate/curl + - docker pull docker test: override: From 6e7ff3451bcb453796b12ecb074f2f7a90321c31 Mon Sep 17 00:00:00 2001 From: Mike Dillon Date: Sun, 11 Oct 2015 11:27:38 -0700 Subject: [PATCH 08/77] Remove commented out line --- test/test_helpers.bash | 1 - 1 file changed, 1 deletion(-) diff --git a/test/test_helpers.bash b/test/test_helpers.bash index c4a2d1c..d8e7496 100644 --- a/test/test_helpers.bash +++ b/test/test_helpers.bash @@ -1,7 +1,6 @@ # Test if requirements are met ( type docker &>/dev/null || ( echo "docker is not available"; exit 1 ) - #type curl &>/dev/null || ( echo "curl is not available"; exit 1 ) )>&2 From 5c6a63568dfb32e53d8a3dee5a2c65c70090bb15 Mon Sep 17 00:00:00 2001 
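Review bot: `docker_tcp` carries no warning, as far as this hunk shows, that it publishes the host's Docker API over TCP: the context lines mount `/var/run/docker.sock` into `rancher/socat-docker` with `--expose 2375`, and the new `docker run --rm --link "$container_name:docker" docker version` then talks to it from a linked container, apparently without TLS or client authentication. A header comment such as `# Test-only: exposes the Docker API on 2375 to linked containers with no auth; use on disposable CI hosts only` would stop the helper being copied into other setups. The `docker` image on the new line is referenced without a tag. The function starts outside the hunk.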
From: Mike Dillon Date: Mon, 12 Oct 2015 20:59:53 -0700 Subject: [PATCH 09/77] Remove --rm from docker run commands Trying to avoid "Failed to destroy btrfs snapshot" errors on CircleCI --- test/docker.bats | 2 +- test/lib/docker_helpers.bash | 2 +- test/test_helpers.bash | 6 +++--- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/test/docker.bats b/test/docker.bats index d5fde7c..f4ec665 100644 --- a/test/docker.bats +++ b/test/docker.bats @@ -62,7 +62,7 @@ load test_helpers -v /etc/nginx/certs/ \ nginx:latest assert_success - run retry 5 1s docker run --rm appropriate/curl --silent --fail --head http://$(docker_ip bats-nginx)/ + run retry 5 1s docker run appropriate/curl --silent --fail --head http://$(docker_ip bats-nginx)/ assert_output -l 0 $'HTTP/1.1 200 OK\r' # WHEN docker-gen runs on our docker host diff --git a/test/lib/docker_helpers.bash b/test/lib/docker_helpers.bash index c60c222..ae93409 100644 --- a/test/lib/docker_helpers.bash +++ b/test/lib/docker_helpers.bash @@ -56,5 +56,5 @@ function docker_tcp { --expose 2375 \ -v /var/run/docker.sock:/var/run/docker.sock \ rancher/socat-docker - docker run --rm --link "$container_name:docker" docker version + docker run --link "$container_name:docker" docker version } diff --git a/test/test_helpers.bash b/test/test_helpers.bash index d8e7496..9e4690c 100644 --- a/test/test_helpers.bash +++ b/test/test_helpers.bash @@ -66,7 +66,7 @@ function curl_container { local -r container=$1 local -r path=$2 shift 2 - docker run --rm appropriate/curl --silent \ + docker run appropriate/curl --silent \ --connect-timeout 5 \ --max-time 20 \ "$@" \ 
@@ -123,7 +123,7 @@ function prepare_web_container { # THEN querying directly port works IFS=$' \t\n' # See https://github.com/sstephenson/bats/issues/89 for port in $ports; do - run retry 5 1s docker run --rm appropriate/curl --silent --fail http://$(docker_ip $container_name):$port/data + run retry 5 1s docker run appropriate/curl --silent --fail http://$(docker_ip $container_name):$port/data assert_output "answer from port $port" done -} \ No newline at end of file +} From 1d9db94535272b738d47a76f4c8dc838de0fc577 Mon Sep 17 00:00:00 2001 From: Mike Dillon Date: Mon, 12 Oct 2015 21:16:55 -0700 Subject: [PATCH 10/77] Use docker:1.7 image to match CircleCI's version --- circle.yml | 4 ++-- test/lib/docker_helpers.bash | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/circle.yml b/circle.yml index 6fcd063..d0c24ec 100644 --- a/circle.yml +++ b/circle.yml @@ -15,9 +15,9 @@ dependencies: - docker pull python:3 - docker pull rancher/socat-docker - docker pull appropriate/curl - - docker pull docker + - docker pull docker:1.7 test: override: - docker build -t jwilder/nginx-proxy:bats . - - bats test \ No newline at end of file + - bats test diff --git a/test/lib/docker_helpers.bash b/test/lib/docker_helpers.bash index ae93409..b5165af 100644 --- a/test/lib/docker_helpers.bash +++ b/test/lib/docker_helpers.bash @@ -56,5 +56,5 @@ function docker_tcp { --expose 2375 \ -v /var/run/docker.sock:/var/run/docker.sock \ rancher/socat-docker - docker run --link "$container_name:docker" docker version + docker run --link "$container_name:docker" docker:1.7 version } From 098b058b0d3455363d6fd0ac37be6e0f45fa9ff4 Mon Sep 17 00:00:00 2001 From: Mike Dillon Date: Mon, 12 Oct 2015 21:46:47 -0700 Subject: [PATCH 11/77] Trap TERM to allow quicker exit of web containers --- test/test_helpers.bash | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/test/test_helpers.bash b/test/test_helpers.bash index 9e4690c..5890677 100644 
--- a/test/test_helpers.bash +++ b/test/test_helpers.bash @@ -108,15 +108,20 @@ function prepare_web_container { -w /var/www/ \ $options \ -e PYTHON_PORTS="$ports" \ - python:3 sh -c " + python:3 bash -c " + trap '[ \${#PIDS[@]} -gt 0 ] && kill -TERM \${PIDS[@]}' TERM + declare -a PIDS for port in \$PYTHON_PORTS; do echo starting a web server listening on port \$port; mkdir /var/www/\$port cd /var/www/\$port echo \"answer from port \$port\" > data python -m http.server \$port & + PIDS+=(\$!) done - wait + wait \${PIDS[@]} + trap - TERM + wait \${PIDS[@]} " assert_success From 1e0b9301747a48d7a51d5d088ac5df16bde878c0 Mon Sep 17 00:00:00 2001 From: Marius Gundersen Date: Tue, 13 Oct 2015 21:48:59 +0200 Subject: [PATCH 12/77] trim whitespace from host and port based on latest docker-gen --- nginx.tmpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nginx.tmpl b/nginx.tmpl index 6300d89..255cc35 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -144,7 +144,7 @@ server { {{ end }} location / { - proxy_pass {{ $proto }}://{{ $host }}; + proxy_pass {{ trim $proto }}://{{ trim $host }}; {{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }} auth_basic "Restricted {{ $host }}"; auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" $host) }}; @@ -170,7 +170,7 @@ server { {{ end }} location / { - proxy_pass {{ $proto }}://{{ $host }}; + proxy_pass {{ trim $proto }}://{{ trim $host }}; {{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }} auth_basic "Restricted {{ $host }}"; auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" $host) }}; From 3e530a07841a7ecbd68ab4e4102001e070d174d2 Mon Sep 17 00:00:00 2001 From: Marius Gundersen Date: Tue, 13 Oct 2015 21:49:19 +0200 Subject: [PATCH 13/77] Use latest docker-gen --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index cc80e08..c35c777 100644 --- a/Dockerfile +++ b/Dockerfile 
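Review bot: The `wait \${PIDS[@]}` / `trap - TERM` / `wait \${PIDS[@]}` sequence at the end of the `bash -c` script has no comment, and the reason for waiting twice is not obvious to a reader. A short comment inside the script, for example `# the first wait returns as soon as TERM arrives and the trap has signalled the servers; the second wait reaps them`, would record the intent. The switch from `sh -c` to `bash -c` is needed for the `PIDS` array and is worth a word in the same comment, because the script now depends on bash being present in the `python:3` image.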
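Review bot: Only `proxy_pass` gets `trim` in the two `location /` blocks; the `exists (printf "/etc/nginx/htpasswd/%s" $host)` check and the `auth_basic_user_file` line right below it still use the raw `$host`. For a VIRTUAL_HOST entry that carries stray whitespace the upstream reference is now cleaned, but the htpasswd file named after the trimmed host would presumably not be found, so that vhost would be generated without basic auth. Rebinding the variable once where it is introduced (outside these hunks), `{{ $host := trim $host }}`, would make every use agree, including `server_name` and the upstream name if they are built from the same variable.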
@@ -17,7 +17,7 @@ RUN echo "daemon off;" >> /etc/nginx/nginx.conf \ RUN wget -P /usr/local/bin https://godist.herokuapp.com/projects/ddollar/forego/releases/current/linux-amd64/forego \ && chmod u+x /usr/local/bin/forego -ENV DOCKER_GEN_VERSION 0.4.1 +ENV DOCKER_GEN_VERSION 0.4.2 RUN wget https://github.com/jwilder/docker-gen/releases/download/$DOCKER_GEN_VERSION/docker-gen-linux-amd64-$DOCKER_GEN_VERSION.tar.gz \ && tar -C /usr/local/bin -xvzf docker-gen-linux-amd64-$DOCKER_GEN_VERSION.tar.gz \ From 1786edd87d17e2bc12294bfbae5f6b45f817062b Mon Sep 17 00:00:00 2001 From: Jason Wilder Date: Wed, 14 Oct 2015 10:19:50 -0600 Subject: [PATCH 14/77] Update .dockerignore to recent file additions --- .dockerignore | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.dockerignore b/.dockerignore index 35cdaf3..793cc94 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,2 +1,5 @@ .git +.dockerignore README.md +test +circle.yml From e09550febb44423e40d2752fbde42d260daa691e Mon Sep 17 00:00:00 2001 From: Jason Wilder Date: Wed, 14 Oct 2015 10:29:22 -0600 Subject: [PATCH 15/77] Add Makefile Make it easier to run tests. --- .dockerignore | 3 ++- Makefile | 6 ++++++ README.md | 10 ++++++++++ 3 files changed, 18 insertions(+), 1 deletion(-) create mode 100644 Makefile diff --git a/.dockerignore b/.dockerignore index 793cc94..8fafbb0 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,5 +1,6 @@ .git .dockerignore +circle.yml +Makefile README.md test -circle.yml diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..3eda887 --- /dev/null +++ b/Makefile @@ -0,0 +1,6 @@ +.SILENT : +.PHONY : test + +test: + docker build -t jwilder/nginx-proxy:bats . + bats test diff --git a/README.md b/README.md index 80c4c6b..e619e35 100644 --- a/README.md +++ b/README.md 
@@ -218,3 +218,13 @@ If you are using multiple hostnames for a single container (e.g. `VIRTUAL_HOST=e If you want most of your virtual hosts to use a default single `location` block configuration and then override on a few specific ones, add those settings to the `/etc/nginx/vhost.d/default_location` file. This file will be used on any virtual host which does not have a `/etc/nginx/vhost.d/{VIRTUAL_HOST}` file associated with it. +### Contributing + +Before submitting pull requests or issues, please check github to make sure an existing issue or pull request is not already open. + +#### Running Tests Locally + +To run tests, you'll need to install [bats 0.4.0](https://github.com/sstephenson/bats). + + make test + From db7a5ab2aeff7822fb7e5cb882d4cb170b6ca682 Mon Sep 17 00:00:00 2001 From: Jason Wilder Date: Wed, 14 Oct 2015 10:48:43 -0600 Subject: [PATCH 16/77] Use make test from circle.yml --- circle.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/circle.yml b/circle.yml index d0c24ec..e808c6e 100644 --- a/circle.yml +++ b/circle.yml @@ -19,5 +19,4 @@ dependencies: test: override: - - docker build -t jwilder/nginx-proxy:bats . - - bats test + - make test From 66d401c07566070a6c855489656783fd2fde781b Mon Sep 17 00:00:00 2001 From: Thomas LEVEIL Date: Wed, 14 Oct 2015 19:34:30 +0000 Subject: [PATCH 17/77] makefile: update docker images before running tests --- Makefile | 8 ++++++++ circle.yml | 7 +------ 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/Makefile b/Makefile index 3eda887..4eaf98a 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,14 @@ .SILENT : .PHONY : test +update-dependencies: + docker pull jwilder/docker-gen:latest + docker pull nginx:latest + docker pull python:3 + docker pull rancher/socat-docker:latest + docker pull appropriate/curl:latest + docker pull docker:1.7 + test: docker build -t jwilder/nginx-proxy:bats . bats test diff --git a/circle.yml b/circle.yml index e808c6e..424084c 100644 --- a/circle.yml 
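Review bot: The new `update-dependencies` target is not added to `.PHONY : test`, so a file or directory of that name in the checkout would turn it into a no-op; `.PHONY : test update-dependencies` covers both. Four of the six pulls use `:latest` (`jwilder/docker-gen`, `nginx`, `rancher/socat-docker`, `appropriate/curl`), so each run tests against whatever the registry serves that day. `rancher/socat-docker` is given the host's Docker socket by the test helpers, per the docker_helpers.bash context shown in the earlier patches, which makes it the first candidate for pinning by digest. The commit subject says images are updated before running tests, but `test` does not depend on `update-dependencies`; only circle.yml calls it.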
+++ b/circle.yml @@ -10,12 +10,7 @@ dependencies: - sudo add-apt-repository ppa:duggan/bats --yes - sudo apt-get update -qq - sudo apt-get install -qq bats - - docker pull jwilder/docker-gen - - docker pull nginx - - docker pull python:3 - - docker pull rancher/socat-docker - - docker pull appropriate/curl - - docker pull docker:1.7 + - make update-dependencies test: override: From 54049387972ede86ce176bb8f729f411b87e5292 Mon Sep 17 00:00:00 2001 From: Mike Dillon Date: Wed, 28 Oct 2015 21:23:37 -0700 Subject: [PATCH 18/77] Update to nginx 1.9.6 --- Dockerfile | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index c35c777..50906a1 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM nginx:1.9.5 +FROM nginx:1.9.6 MAINTAINER Jason Wilder jwilder@litl.com # Install wget and install/updates certificates diff --git a/README.md b/README.md index e619e35..c4f55eb 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -![nginx 1.9.5](https://img.shields.io/badge/nginx-1.9.5-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build](https://circleci.com/gh/jwilder/nginx-proxy.svg?&style=shield&circle-token=2da3ee844076a47371bd45da81cf27409ca7306a)](https://circleci.com/gh/jwilder/nginx-proxy) +![nginx 1.9.6](https://img.shields.io/badge/nginx-1.9.6-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build](https://circleci.com/gh/jwilder/nginx-proxy.svg?&style=shield&circle-token=2da3ee844076a47371bd45da81cf27409ca7306a)](https://circleci.com/gh/jwilder/nginx-proxy) nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped. From 588cdf62669d7e5a4f72ee394747c8cb0606c924 Mon Sep 17 00:00:00 2001 
From: Jason Wilder Date: Thu, 29 Oct 2015 13:32:09 -0600 Subject: [PATCH 19/77] Update email address --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 50906a1..4111003 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ FROM nginx:1.9.6 -MAINTAINER Jason Wilder jwilder@litl.com +MAINTAINER Jason Wilder mail@jasonwilder.com # Install wget and install/updates certificates RUN apt-get update \ From 8225015c85a364f78eebfc1023508da27a9a776f Mon Sep 17 00:00:00 2001 From: Travis Dart Date: Fri, 30 Oct 2015 15:48:01 -0500 Subject: [PATCH 20/77] Typo fix. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c4f55eb..9d4bb40 100644 --- a/README.md +++ b/README.md @@ -93,7 +93,7 @@ should have a `foo.bar.com.dhparam.pem` file in the certs directory. #### Wildcard Certificates -Wildcard certificates and keys should be name after the domain name with a `.crt` and `.key` extension. +Wildcard certificates and keys should be named after the domain name with a `.crt` and `.key` extension. For example `VIRTUAL_HOST=foo.bar.com` would use cert name `bar.com.crt` and `bar.com.key`. #### SNI From 9dd6ad8503cfc4b0dd9927df4dc209b7da0499f3 Mon Sep 17 00:00:00 2001 From: Steve Kamerman Date: Fri, 20 Nov 2015 16:53:50 -0500 Subject: [PATCH 21/77] First try at HTTPS_METHOD --- nginx.tmpl | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/nginx.tmpl b/nginx.tmpl index 255cc35..70f8108 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -88,6 +88,8 @@ upstream {{ $host }} { {{ end }} } +{{ $https_method := or ($.Env.HTTPS_METHOD) "redirect" }} + {{ $default_host := or ($.Env.DEFAULT_HOST) "" }} {{ $default_server := index (dict $host "" $default_host "default_server") $host }} 
@@ -107,14 +109,18 @@ upstream {{ $host }} { {{/* Use the cert specifid on the container or fallback to the best vhost match */}} {{ $cert := (coalesce $certName $vhostCert) }} -{{ if (and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }} +{{ $is_https := (and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }} +{{ if $is_https }} + +{{ if eq $https_method "redirect" }} server { server_name {{ $host }}; listen 80 {{ $default_server }}; access_log /var/log/nginx/access.log vhost; return 301 https://$host$request_uri; } +{{ end }} server { server_name {{ $host }}; @@ -156,7 +162,10 @@ server { {{ end }} } } -{{ else }} + +{{ end }} + +{{ if or (eq $is_ssl false) (eq $https_method "noredirect") }} server { server_name {{ $host }}; From 97c6340a9fd9b8edf8fa6e18d20e1df26344de75 Mon Sep 17 00:00:00 2001 From: Steve Kamerman Date: Fri, 20 Nov 2015 17:36:12 -0500 Subject: [PATCH 22/77] Implemented HTTPS noredir --- nginx.tmpl | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/nginx.tmpl b/nginx.tmpl index 70f8108..0f85fd5 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -88,14 +88,15 @@ upstream {{ $host }} { {{ end }} } -{{ $https_method := or ($.Env.HTTPS_METHOD) "redirect" }} - {{ $default_host := or ($.Env.DEFAULT_HOST) "" }} {{ $default_server := index (dict $host "" $default_host "default_server") $host }} {{/* Get the VIRTUAL_PROTO defined by containers w/ the same vhost, falling back to "http" */}} {{ $proto := or (first (groupByKeys $containers "Env.VIRTUAL_PROTO")) "http" }} +{{/* Get the HTTPS_METHOD defined by containers w/ the same vhost, falling back to "redirect" */}} +{{ $https_method := or (first (groupByKeys $containers "Env.HTTPS_METHOD")) "redirect" }} + {{/* Get the first cert name defined by containers w/ the same vhost */}} {{ $certName := (first (groupByKeys $containers "Env.CERT_NAME")) }} 
@@ -165,7 +166,7 @@ server { {{ end }} -{{ if or (eq $is_ssl false) (eq $https_method "noredirect") }} +{{ if or (not $is_https) (eq $https_method "noredirect") }} server { server_name {{ $host }}; @@ -192,7 +193,7 @@ server { } } -{{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }} +{{ if (and (not $is_https) (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }} server { server_name {{ $host }}; listen 443 ssl http2 {{ $default_server }}; From 4bf7f888d038dfe77d071be3195c86756982a154 Mon Sep 17 00:00:00 2001 From: Steve Kamerman Date: Fri, 20 Nov 2015 17:47:08 -0500 Subject: [PATCH 23/77] Documented HTTPS_METHOD --- README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 9d4bb40..2b8dcf8 100644 --- a/README.md +++ b/README.md @@ -110,7 +110,7 @@ should provide compatibility with clients back to Firefox 1, Chrome 1, IE 7, Ope Windows XP IE8, Android 2.3, Java 7. The configuration also enables HSTS, and SSL session caches. -The behavior for the proxy when port 80 and 443 are exposed is as follows: +The default behavior for the proxy when port 80 and 443 are exposed is as follows: * If a container has a usable cert, port 80 will redirect to 443 for that container so that HTTPS is always preferred when available. @@ -121,6 +121,10 @@ to establish a connection. A self-signed or generic cert named `default.crt` an will allow a client browser to make a SSL connection (likely w/ a warning) and subsequently receive a 503. +To serve traffic in both SSL and non-SSL modes without redirecting to SSL, you can include the +environment variable `HTTPS_METHOD=noredirect` (the default is `HTTPS_METHOD=redirect`). You can also +disable the non-SSL site entirely with `HTTPS_METHOD=nohttp` + ### Basic Authentication Support In order to be able to secure your virtual host, you have to create a file named as its equivalent VIRTUAL_HOST variable on directory 
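Review bot: With `HTTPS_METHOD=noredirect`, the condition `or (not $is_https) (eq $https_method "noredirect")` emits the port-80 server for hosts that do have a cert. That server's body lies outside the hunk, but if it carries the same `auth_basic` lines as the HTTPS server, Basic credentials are accepted over cleartext. The README context on this page also says the configuration enables HSTS, so browsers that have already seen the HTTPS site would still be upgraded and the plain site would behave differently from client to client. I would put the caveat on the branch, e.g. `{{/* noredirect: this vhost is also served over plain HTTP; htpasswd credentials and cookies are unprotected on port 80 */}}`, and repeat it in the README paragraph on `HTTPS_METHOD`.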
From 58fc298dead06a2c5d0f78c96b3a597e634bf450 Mon Sep 17 00:00:00 2001 From: Steve Kamerman Date: Wed, 2 Dec 2015 00:29:32 -0500 Subject: [PATCH 24/77] Semantic change to trigger CI rebuild --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2b8dcf8..b2b5391 100644 --- a/README.md +++ b/README.md @@ -123,7 +123,7 @@ a 503. To serve traffic in both SSL and non-SSL modes without redirecting to SSL, you can include the environment variable `HTTPS_METHOD=noredirect` (the default is `HTTPS_METHOD=redirect`). You can also -disable the non-SSL site entirely with `HTTPS_METHOD=nohttp` +disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`. ### Basic Authentication Support From 4a95d84d0d3a49e967e87a4fd2798e1847dbcaed Mon Sep 17 00:00:00 2001 From: Steve Kamerman Date: Wed, 2 Dec 2015 21:46:05 -0500 Subject: [PATCH 25/77] Trying to trigger CI --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b2b5391..691696d 100644 --- a/README.md +++ b/README.md @@ -123,7 +123,7 @@ a 503. To serve traffic in both SSL and non-SSL modes without redirecting to SSL, you can include the environment variable `HTTPS_METHOD=noredirect` (the default is `HTTPS_METHOD=redirect`). You can also -disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`. +disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`. ### Basic Authentication Support From c11af183d86c313e9b4a981da0ca23dc649d7b2c Mon Sep 17 00:00:00 2001 From: Thomas LEVEIL Date: Mon, 14 Dec 2015 09:18:17 +0100 Subject: [PATCH 26/77] CircleCI: make tests run on Docker 1.9.1 See CircleCI announcement https://discuss.circleci.com/t/docker-1-9-1-is-available/1009 --- Makefile | 2 +- circle.yml | 4 ++-- test/lib/docker_helpers.bash | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index 4eaf98a..72e7984 100644 --- a/Makefile +++ b/Makefile 
@@ -7,7 +7,7 @@ update-dependencies: docker pull python:3 docker pull rancher/socat-docker:latest docker pull appropriate/curl:latest - docker pull docker:1.7 + docker pull docker:1.9 test: docker build -t jwilder/nginx-proxy:bats . diff --git a/circle.yml b/circle.yml index 424084c..e0ecf4d 100644 --- a/circle.yml +++ b/circle.yml @@ -1,7 +1,7 @@ machine: pre: - # install docker 1.7.1 - - sudo curl -L -o /usr/bin/docker 'https://s3-external-1.amazonaws.com/circle-downloads/docker-1.7.1-circleci'; sudo chmod 0755 /usr/bin/docker; true + - sudo curl -L -o /usr/bin/docker 'https://s3-external-1.amazonaws.com/circle-downloads/docker-1.9.1-circleci' + - sudo chmod 0755 /usr/bin/docker services: - docker diff --git a/test/lib/docker_helpers.bash b/test/lib/docker_helpers.bash index b5165af..50e1d81 100644 --- a/test/lib/docker_helpers.bash +++ b/test/lib/docker_helpers.bash @@ -56,5 +56,5 @@ function docker_tcp { --expose 2375 \ -v /var/run/docker.sock:/var/run/docker.sock \ rancher/socat-docker - docker run --link "$container_name:docker" docker:1.7 version + docker run --link "$container_name:docker" docker:1.9 version } From 51c219d651de134ba352b081d60fd33d155d9cd7 Mon Sep 17 00:00:00 2001 From: pabra Date: Tue, 22 Dec 2015 21:20:44 +0100 Subject: [PATCH 27/77] connect to uWSGI backends --- README.md | 7 ++++++- nginx.tmpl | 10 ++++++++++ 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 9d4bb40..7116775 100644 --- a/README.md +++ b/README.md 
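Review bot: The `pre` step in circle.yml writes a downloaded binary to `/usr/bin/docker` as root with no integrity check, and `curl -L` without `--fail` would save an HTTP error page as that binary. Dropping `; true` helps, since a failed download presumably stops the build now, but a successful download of the wrong content still goes unnoticed. I would use `curl -fL` and add a digest check before the chmod, e.g. `- echo '<expected-sha256>  /usr/bin/docker' | sha256sum -c -`, with the placeholder replaced by the digest of the binary that was reviewed.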
@@ -37,6 +37,12 @@ You can also use wildcards at the beginning and the end of host name, like `*.ba If you would like to connect to your backend using HTTPS instead of HTTP, set `VIRTUAL_PROTO=https` on the backend container. +### uWSGI Backends + +If you would like to connect to uWSGI backend, set `VIRTUAL_PROTO=uwsgi` on the +backend container. Your backend container should than listen on a port rather +than a socket and expose that port. + ### Default Host To set the default host for nginx use the env var `DEFAULT_HOST=foo.bar.com` for example @@ -227,4 +233,3 @@ Before submitting pull requests or issues, please check github to make sure an e To run tests, you'll need to install [bats 0.4.0](https://github.com/sstephenson/bats). make test - diff --git a/nginx.tmpl b/nginx.tmpl index 255cc35..71ccc31 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -144,7 +144,12 @@ server { {{ end }} location / { + {{ if eq $proto "uwsgi" }} + include uwsgi_params; + uwsgi_pass {{ trim $proto }}://{{ trim $host }}; + {{ else }} proxy_pass {{ trim $proto }}://{{ trim $host }}; + {{ end }} {{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }} auth_basic "Restricted {{ $host }}"; auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" $host) }}; @@ -170,7 +175,12 @@ server { {{ end }} location / { + {{ if eq $proto "uwsgi" }} + include uwsgi_params; + uwsgi_pass {{ trim $proto }}://{{ trim $host }}; + {{ else }} proxy_pass {{ trim $proto }}://{{ trim $host }}; + {{ end }} {{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }} auth_basic "Restricted {{ $host }}"; auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" $host) }}; From deb4050fa4ac616224d1bc8b3d16d7bfcb28f83c Mon Sep 17 00:00:00 2001 From: Baptiste Donaux Date: Sun, 17 Jan 2016 12:28:59 +0100 Subject: [PATCH 28/77] UPGRADE docker-gen release from 0.4.2 to 0.5.0 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 4111003..bc9575b 100644 --- a/Dockerfile 
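Review bot: The new branch in both `location /` blocks tests `eq $proto "uwsgi"` on the raw value but prints `{{ trim $proto }}`, so a `VIRTUAL_PROTO` with stray whitespace falls through to `proxy_pass uwsgi://…`, which nginx is likely to reject at reload. Comparing the trimmed value and writing the scheme literally keeps test and output in step: `{{ if eq (trim $proto) "uwsgi" }}` and `uwsgi_pass uwsgi://{{ trim $host }};`. The same five lines are added to the HTTPS and the HTTP server block, so a small `define`, like the existing "upstream" one, would stop the two copies drifting apart. Both server blocks start and end outside the hunks.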
+++ b/Dockerfile @@ -17,7 +17,7 @@ RUN echo "daemon off;" >> /etc/nginx/nginx.conf \ RUN wget -P /usr/local/bin https://godist.herokuapp.com/projects/ddollar/forego/releases/current/linux-amd64/forego \ && chmod u+x /usr/local/bin/forego -ENV DOCKER_GEN_VERSION 0.4.2 +ENV DOCKER_GEN_VERSION 0.5.0 RUN wget https://github.com/jwilder/docker-gen/releases/download/$DOCKER_GEN_VERSION/docker-gen-linux-amd64-$DOCKER_GEN_VERSION.tar.gz \ && tar -C /usr/local/bin -xvzf docker-gen-linux-amd64-$DOCKER_GEN_VERSION.tar.gz \ From a66115f560df4efd079927730675331fd769af63 Mon Sep 17 00:00:00 2001 From: Baptiste Donaux Date: Sun, 17 Jan 2016 12:29:55 +0100 Subject: [PATCH 29/77] Use new Network interface to support new overlay network --- nginx.tmpl | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/nginx.tmpl b/nginx.tmpl index 255cc35..468bbd2 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -5,13 +5,13 @@ # {{ .Container.Node.Name }}/{{ .Container.Name }} server {{ .Container.Node.Address.IP }}:{{ .Address.HostPort }}; {{/* If there is no swarm node or the port is not published on host, use container's IP:PORT */}} - {{ else }} + {{ else if .Network }} # {{ .Container.Name }} - server {{ .Address.IP }}:{{ .Address.Port }}; + server {{ .Network.IP }}:{{ .Address.Port }}; {{ end }} - {{ else }} + {{ else if .Network }} # {{ .Container.Name }} - server {{ .Container.IP }} down; + server {{ .Network.IP }} down; {{ end }} {{ end }} 
@@ -75,15 +75,16 @@ server { upstream {{ $host }} { {{ range $container := $containers }} {{ $addrLen := len $container.Addresses }} + {{ $network := index $container.Networks 0 }} {{/* If only 1 port exposed, use that */}} {{ if eq $addrLen 1 }} {{ $address := index $container.Addresses 0 }} - {{ template "upstream" (dict "Container" $container "Address" $address) }} + {{ template "upstream" (dict "Container" $container "Address" $address "Network" $network) }} {{/* If more than one port exposed, use the one matching VIRTUAL_PORT env var, falling back to standard web port 80 */}} {{ else }} {{ $port := coalesce $container.Env.VIRTUAL_PORT "80" }} {{ $address := where $container.Addresses "Port" $port | first }} - {{ template "upstream" (dict "Container" $container "Address" $address) }} + {{ template "upstream" (dict "Container" $container "Address" $address "Network" $network) }} {{ end }} {{ end }} } From 13bb99c4d2a531d369962176b48fa8b8facc71ad Mon Sep 17 00:00:00 2001 From: Baptiste Donaux Date: Sun, 17 Jan 2016 12:35:29 +0100 Subject: [PATCH 30/77] Update README - Nginx proxy must use host network to support overlay network --- README.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 9d4bb40..9d1da43 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,7 @@ See [Automated Nginx Reverse Proxy for Docker][2] for why you might want to use To run it: - $ docker run -d -p 80:80 -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy + $ docker run -d --net=host -p 80:80 -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy Then start any containers you want proxied with an env var `VIRTUAL_HOST=subdomain.youdomain.com` 
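Review bot: `{{ $network := index $container.Networks 0 }}` aborts rendering when a container reports an empty `Networks` list, because `index` past the end of a slice is a template error; one such container would then block config generation for every vhost. It also always takes the first network, which need not be one the proxy can reach. Wrapping the body of the `range` in `{{ if $container.Networks }}` … `{{ end }}` keeps the failure local to that container. Separately, the `{{ else if .Network }}` branches in the first hunk emit no `server` line when the network is missing, which can leave an empty `upstream` block; a comment there such as `{{/* no usable network: nothing is emitted for this container */}}` would make that explicit.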
@@ -41,7 +41,7 @@ If you would like to connect to your backend using HTTPS instead of HTTP, set `V To set the default host for nginx use the env var `DEFAULT_HOST=foo.bar.com` for example - $ docker run -d -p 80:80 -e DEFAULT_HOST=foo.bar.com -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy + $ docker run -d --net=host -p 80:80 -e DEFAULT_HOST=foo.bar.com -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy ### Separate Containers @@ -56,12 +56,13 @@ To run nginx proxy as a separate container you'll need to have [nginx.tmpl](http First start nginx with a volume: - $ docker run -d -p 80:80 --name nginx -v /tmp/nginx:/etc/nginx/conf.d -t nginx + $ docker run -d --net=host -p 80:80 --name nginx -v /tmp/nginx:/etc/nginx/conf.d -t nginx Then start the docker-gen container with the shared volume and template: ``` $ docker run --volumes-from nginx \ + --net=host \ -v /var/run/docker.sock:/tmp/docker.sock:ro \ -v $(pwd):/etc/docker-gen/templates \ -t jwilder/docker-gen -notify-sighup nginx -watch -only-exposed /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf @@ -78,7 +79,7 @@ certificates or optionally specifying a cert name (for SNI) as an environment va To enable SSL: - $ docker run -d -p 80:80 -p 443:443 -v /path/to/certs:/etc/nginx/certs -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy + $ docker run -d --net=host -p 80:80 -p 443:443 -v /path/to/certs:/etc/nginx/certs -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy The contents of `/path/to/certs` should contain the certificates and private keys for any virtual hosts in use. The certificate and keys should be named after the virtual host with a `.crt` and 
@@ -127,7 +128,7 @@ In order to be able to secure your virtual host, you have to create a file named /etc/nginx/htpasswd/$VIRTUAL_HOST ``` -$ docker run -d -p 80:80 -p 443:443 \ +$ docker run -d --net=host -p 80:80 -p 443:443 \ -v /path/to/htpasswd:/etc/nginx/htpasswd \ -v /path/to/certs:/etc/nginx/certs \ -v /var/run/docker.sock:/tmp/docker.sock:ro \ @@ -175,7 +176,7 @@ RUN { \ Or it can be done by mounting in your custom configuration in your `docker run` command: - $ docker run -d -p 80:80 -p 443:443 -v /path/to/my_proxy.conf:/etc/nginx/conf.d/my_proxy.conf:ro -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy + $ docker run -d --net=host -p 80:80 -p 443:443 -v /path/to/my_proxy.conf:/etc/nginx/conf.d/my_proxy.conf:ro -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy #### Per-VIRTUAL_HOST @@ -185,7 +186,7 @@ In order to allow virtual hosts to be dynamically configured as backends are add For example, if you have a virtual host named `app.example.com`, you could provide a custom configuration for that host as follows: - $ docker run -d -p 80:80 -p 443:443 -v /path/to/vhost.d:/etc/nginx/vhost.d:ro -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy + $ docker run -d --net=host -p 80:80 -p 443:443 -v /path/to/vhost.d:/etc/nginx/vhost.d:ro -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy $ { echo 'server_tokens off;'; echo 'client_max_body_size 100m;'; } > /path/to/vhost.d/app.example.com If you are using multiple hostnames for a single container (e.g. `VIRTUAL_HOST=example.com,www.example.com`), the virtual host configuration file must exist for each hostname. If you would like to use the same configuration for multiple virtual host names, you can use a symlink: 
@@ -205,7 +206,7 @@ just like the previous section except with the suffix `_location`. For example, if you have a virtual host named `app.example.com` and you have configured a proxy_cache `my-cache` in another custom file, you could tell it to use a proxy cache as follows: - $ docker run -d -p 80:80 -p 443:443 -v /path/to/vhost.d:/etc/nginx/vhost.d:ro -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy + $ docker run -d --net=host -p 80:80 -p 443:443 -v /path/to/vhost.d:/etc/nginx/vhost.d:ro -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy $ { echo 'proxy_cache my-cache;'; echo 'proxy_cache_valid 200 302 60m;'; echo 'proxy_cache_valid 404 1m;' } > /path/to/vhost.d/app.example.com_location If you are using multiple hostnames for a single container (e.g. `VIRTUAL_HOST=example.com,www.example.com`), the virtual host configuration file must exist for each hostname. If you would like to use the same configuration for multiple virtual host names, you can use a symlink: From 2eb977589c231f1fd57db5a76548d5ed7b81c11d Mon Sep 17 00:00:00 2001 From: Baptiste Donaux Date: Wed, 20 Jan 2016 08:54:57 +0100 Subject: [PATCH 31/77] Complete documentation --- README.md | 31 ++++++++++++++++++++++--------- 1 file changed, 22 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 9d1da43..157cac6 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,7 @@ See [Automated Nginx Reverse Proxy for Docker][2] for why you might want to use To run it: - $ docker run -d --net=host -p 80:80 -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy + $ docker run -d -p 80:80 -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy Then start any containers you want proxied with an env var `VIRTUAL_HOST=subdomain.youdomain.com` 
@@ -33,6 +33,19 @@ If you need to support multiple virtual hosts for a container, you can separate You can also use wildcards at the beginning and the end of host name, like `*.bar.com` or `foo.bar.*`. Or even a regular expression, which can be very useful in conjunction with a wildcard DNS service like [xip.io](http://xip.io), using `~^foo\.bar\..*\.xip\.io` will match `foo.bar.127.0.0.1.xip.io`, `foo.bar.10.0.2.2.xip.io` and all other given IPs. More information about this topic can be found in the nginx documentation about [`server_names`](http://nginx.org/en/docs/http/server_names.html). +### Multiple Networks + +With the new overlay network, your proxy can be deal with many containers in many networks. Default, if you don't use ```--net``` flag, your proxy will be attached at ```bridge``` default network. You can define your container with ```--net=your_network``` option. + +If your proxy try to access at a container in an unattached network, the request is successful. + +#### Connect Another Network + +In current Docker release (1.9), you can create a container with only one network. To attach others networks, you can use this command. +``` +docker network connect my_network my_container +``` + ### SSL Backends If you would like to connect to your backend using HTTPS instead of HTTP, set `VIRTUAL_PROTO=https` on the backend container. @@ -41,7 +54,7 @@ If you would like to connect to your backend using HTTPS instead of HTTP, set `V To set the default host for nginx use the env var `DEFAULT_HOST=foo.bar.com` for example - $ docker run -d --net=host -p 80:80 -e DEFAULT_HOST=foo.bar.com -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy + $ docker run -d -p 80:80 -e DEFAULT_HOST=foo.bar.com -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy ### Separate Containers 
@@ -56,13 +69,13 @@ To run nginx proxy as a separate container you'll need to have [nginx.tmpl](http First start nginx with a volume: - $ docker run -d --net=host -p 80:80 --name nginx -v /tmp/nginx:/etc/nginx/conf.d -t nginx + $ docker run -d -p 80:80 --name nginx -v /tmp/nginx:/etc/nginx/conf.d -t nginx Then start the docker-gen container with the shared volume and template: ``` $ docker run --volumes-from nginx \ - --net=host \ + \ -v /var/run/docker.sock:/tmp/docker.sock:ro \ -v $(pwd):/etc/docker-gen/templates \ -t jwilder/docker-gen -notify-sighup nginx -watch -only-exposed /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf @@ -79,7 +92,7 @@ certificates or optionally specifying a cert name (for SNI) as an environment va To enable SSL: - $ docker run -d --net=host -p 80:80 -p 443:443 -v /path/to/certs:/etc/nginx/certs -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy + $ docker run -d -p 80:80 -p 443:443 -v /path/to/certs:/etc/nginx/certs -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy The contents of `/path/to/certs` should contain the certificates and private keys for any virtual hosts in use. The certificate and keys should be named after the virtual host with a `.crt` and @@ -128,7 +141,7 @@ In order to be able to secure your virtual host, you have to create a file named /etc/nginx/htpasswd/$VIRTUAL_HOST ``` -$ docker run -d --net=host -p 80:80 -p 443:443 \ +$ docker run -d -p 80:80 -p 443:443 \ -v /path/to/htpasswd:/etc/nginx/htpasswd \ -v /path/to/certs:/etc/nginx/certs \ -v /var/run/docker.sock:/tmp/docker.sock:ro \ 
@@ -176,7 +189,7 @@ RUN { \ Or it can be done by mounting in your custom configuration in your `docker run` command: - $ docker run -d --net=host -p 80:80 -p 443:443 -v /path/to/my_proxy.conf:/etc/nginx/conf.d/my_proxy.conf:ro -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy + $ docker run -d -p 80:80 -p 443:443 -v /path/to/my_proxy.conf:/etc/nginx/conf.d/my_proxy.conf:ro -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy #### Per-VIRTUAL_HOST @@ -186,7 +199,7 @@ In order to allow virtual hosts to be dynamically configured as backends are add For example, if you have a virtual host named `app.example.com`, you could provide a custom configuration for that host as follows: - $ docker run -d --net=host -p 80:80 -p 443:443 -v /path/to/vhost.d:/etc/nginx/vhost.d:ro -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy + $ docker run -d -p 80:80 -p 443:443 -v /path/to/vhost.d:/etc/nginx/vhost.d:ro -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy $ { echo 'server_tokens off;'; echo 'client_max_body_size 100m;'; } > /path/to/vhost.d/app.example.com If you are using multiple hostnames for a single container (e.g. `VIRTUAL_HOST=example.com,www.example.com`), the virtual host configuration file must exist for each hostname. If you would like to use the same configuration for multiple virtual host names, you can use a symlink: 
@@ -206,7 +219,7 @@ just like the previous section except with the suffix `_location`. For example, if you have a virtual host named `app.example.com` and you have configured a proxy_cache `my-cache` in another custom file, you could tell it to use a proxy cache as follows: - $ docker run -d --net=host -p 80:80 -p 443:443 -v /path/to/vhost.d:/etc/nginx/vhost.d:ro -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy + $ docker run -d -p 80:80 -p 443:443 -v /path/to/vhost.d:/etc/nginx/vhost.d:ro -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy $ { echo 'proxy_cache my-cache;'; echo 'proxy_cache_valid 200 302 60m;'; echo 'proxy_cache_valid 404 1m;' } > /path/to/vhost.d/app.example.com_location If you are using multiple hostnames for a single container (e.g. `VIRTUAL_HOST=example.com,www.example.com`), the virtual host configuration file must exist for each hostname. If you would like to use the same configuration for multiple virtual host names, you can use a symlink: From 627f789f19a7f67622f0283014ae66dd72dbd9eb Mon Sep 17 00:00:00 2001 From: Tobias Munk Date: Wed, 20 Jan 2016 23:26:21 +0100 Subject: [PATCH 32/77] updated nginx to 1.9.9 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 4111003..8cb98cd 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM nginx:1.9.6 +FROM nginx:1.9.9 MAINTAINER Jason Wilder mail@jasonwilder.com # Install wget and install/updates certificates From 5c828cb50a0b9f1d42a1cb3882e90de491db8f6d Mon Sep 17 00:00:00 2001 From: Mike Dillon Date: Wed, 20 Jan 2016 23:30:55 -0800 Subject: [PATCH 33/77] Update README wording for overlay networking --- README.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 157cac6..c805eb0 100644 --- a/README.md +++ b/README.md 
@@ -35,17 +35,18 @@ You can also use wildcards at the beginning and the end of host name, like `*.ba ### Multiple Networks -With the new overlay network, your proxy can be deal with many containers in many networks. Default, if you don't use ```--net``` flag, your proxy will be attached at ```bridge``` default network. You can define your container with ```--net=your_network``` option. +With the addition of [overlay networking](https://docs.docker.com/engine/userguide/networking/get-started-overlay/) in Docker 1.9, your `nginx-proxy` container may need to connect to backend containers on multiple networks. By default, if you don't pass the `--net` flag when your `nginx-proxy` container is created, it will only be attached to the default `bridge` network. This means that it will not be able to connect to containers on networks other than `bridge`. -If your proxy try to access at a container in an unattached network, the request is successful. +If you want your `nginx-proxy` container to be attached to a different network, you must pass the `--net=my-network` option in your `docker create` or `docker run` command. At the time of this writing, only a single network can be specified at container creation time. To attach to other networks, you can use the `docker network connect` command after your container is created: -#### Connect Another Network - -In current Docker release (1.9), you can create a container with only one network. To attach others networks, you can use this command. -``` -docker network connect my_network my_container +```console +$ docker run -d -p 80:80 -v /var/run/docker.sock:/tmp/docker.sock:ro \ + --name my-nginx-proxy --net my-network jwilder/nginx-proxy +$ docker network connect my-other-network my-nginx-proxy ``` +In this example, the `my-nginx-proxy` container will be connected to `my-network` and `my-other-network` and will be able to proxy to other containers attached to those networks. 
+ ### SSL Backends If you would like to connect to your backend using HTTPS instead of HTTP, set `VIRTUAL_PROTO=https` on the backend container. @@ -75,7 +76,6 @@ Then start the docker-gen container with the shared volume and template: ``` $ docker run --volumes-from nginx \ - \ -v /var/run/docker.sock:/tmp/docker.sock:ro \ -v $(pwd):/etc/docker-gen/templates \ -t jwilder/docker-gen -notify-sighup nginx -watch -only-exposed /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf From b4e5f780e3ac0ee217e9fffd18e38d56d0fd2f06 Mon Sep 17 00:00:00 2001 From: Tobias Munk Date: Wed, 20 Jan 2016 23:28:08 +0100 Subject: [PATCH 34/77] changed error code for non-usable/default SSL cert, fixes #341 --- nginx.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx.tmpl b/nginx.tmpl index 255cc35..8733bbd 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -188,7 +188,7 @@ server { server_name {{ $host }}; listen 443 ssl http2 {{ $default_server }}; access_log /var/log/nginx/access.log vhost; - return 503; + return 500; ssl_certificate /etc/nginx/certs/default.crt; ssl_certificate_key /etc/nginx/certs/default.key; From 658e20f661ebc0f119ac21407c817c02c0777629 Mon Sep 17 00:00:00 2001 From: Baptiste Donaux Date: Fri, 5 Feb 2016 09:16:43 +0100 Subject: [PATCH 35/77] Support container in one network shared with current container --- nginx.tmpl | 30 ++++++++++++++++++++---------- 1 file changed, 20 insertions(+), 10 deletions(-) diff --git a/nginx.tmpl b/nginx.tmpl index 468bbd2..a8ed064 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -1,3 +1,5 @@ +{{ $CurrentContainer := where $ "ID" .CurrentContainerID | first }} + {{ define "upstream" }} {{ if .Address }} {{/* If we got the containers from swarm and this container's port is published to host, use host IP:PORT */}} 
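Review bot: The default-cert fallback server now answers `return 500;`, but the README text visible earlier in this series still tells users they will "subsequently receive a 503", and the template does not say why the status differs from the 503 used elsewhere. I would update that README sentence in the same commit and add a line above the return, e.g. `# vhost has no cert of its own: answered with the default cert and an error status (see #341)`. The server block continues past the end of the hunk.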
@@ -75,16 +77,24 @@ server { upstream {{ $host }} { {{ range $container := $containers }} {{ $addrLen := len $container.Addresses }} - {{ $network := index $container.Networks 0 }} - {{/* If only 1 port exposed, use that */}} - {{ if eq $addrLen 1 }} - {{ $address := index $container.Addresses 0 }} - {{ template "upstream" (dict "Container" $container "Address" $address "Network" $network) }} - {{/* If more than one port exposed, use the one matching VIRTUAL_PORT env var, falling back to standard web port 80 */}} - {{ else }} - {{ $port := coalesce $container.Env.VIRTUAL_PORT "80" }} - {{ $address := where $container.Addresses "Port" $port | first }} - {{ template "upstream" (dict "Container" $container "Address" $address "Network" $network) }} + + {{ range $knownNetwork := $CurrentContainer.Networks }} + {{ range $containerNetwork := $container.Networks }} + {{ if eq $knownNetwork.Name $containerNetwork.Name }} + ## Can be connect with "{{ $containerNetwork.Name }}" network + + {{/* If only 1 port exposed, use that */}} + {{ if eq $addrLen 1 }} + {{ $address := index $container.Addresses 0 }} + {{ template "upstream" (dict "Container" $container "Address" $address "Network" $containerNetwork) }} + {{/* If more than one port exposed, use the one matching VIRTUAL_PORT env var, falling back to standard web port 80 */}} + {{ else }} + {{ $port := coalesce $container.Env.VIRTUAL_PORT "80" }} + {{ $address := where $container.Addresses "Port" $port | first }} + {{ template "upstream" (dict "Container" $container "Address" $address "Network" $containerNetwork) }} + {{ end }} + {{ end }} + {{ end }} {{ end }} {{ end }} } From 8c6ec27547fe7ac51d9f07975d7b0533558c0334 Mon Sep 17 00:00:00 2001 From: Gabriel Baker Date: Tue, 23 Feb 2016 07:23:27 +0000 Subject: [PATCH 36/77] Mention the docker-compose issues --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index 9d4bb40..4be79df 100644 --- a/README.md +++ b/README.md 
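Review bot: The nested `range` over `$CurrentContainer.Networks` and `$container.Networks` calls the "upstream" template once per shared network, so a backend that shares two networks with the proxy is listed twice and receives a double share of requests. If `$CurrentContainer` does not resolve to the proxy, the outer range has nothing to match and the `upstream` block is emitted with no servers; my reading is that this can happen when docker-gen runs in its own container, which the hunk itself does not show. I would document the rule above the loop, e.g. `{{/* only backends on a network shared with this container are listed, once per shared network */}}`. The generated comment would also read better as `## Can be connected with "{{ $containerNetwork.Name }}" network`.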
@@ -18,6 +18,11 @@ The containers being proxied must [expose](https://docs.docker.com/reference/run Provided your DNS is setup to forward foo.bar.com to the a host running nginx-proxy, the request will be routed to a container with the VIRTUAL_HOST env var set. +### Docker-compose + +Currently this does not work with the new v2 syntax of docker-compose (due to not being compatible with the new network overlay see #304). It does work when using the old docker-composer syntax. + + ### Multiple Ports If your container exposes multiple ports, nginx-proxy will default to the service running on port 80. If you need to specify a different port, you can set a VIRTUAL_PORT env var to select a different one. If your container only exposes one port and it has a VIRTUAL_HOST env var set, that port will be selected. From d849e5f5d04114c3cff2855a5cac4b702f98b89b Mon Sep 17 00:00:00 2001 From: Gabriel Baker Date: Tue, 23 Feb 2016 07:25:32 +0000 Subject: [PATCH 37/77] Linkify the issue ref --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 4be79df..efb8ed1 100644 --- a/README.md +++ b/README.md @@ -20,7 +20,7 @@ Provided your DNS is setup to forward foo.bar.com to the a host running nginx-pr ### Docker-compose -Currently this does not work with the new v2 syntax of docker-compose (due to not being compatible with the new network overlay see #304). It does work when using the old docker-composer syntax. +Currently this does not work with the new v2 syntax of docker-compose (due to not being compatible with the new network overlay see [#304](https://github.com/jwilder/nginx-proxy/issues/304)). It does work when using the old docker-composer syntax. ### Multiple Ports From ebab7cf2b9fbea328b9ee279b8ac146a0fd8577a Mon Sep 17 00:00:00 2001 From: Baptiste Donaux Date: Tue, 23 Feb 2016 13:59:30 +0100 Subject: [PATCH 38/77] [TEMPLATE] fix variable call --- nginx.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/nginx.tmpl b/nginx.tmpl index a8ed064..343a801 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -1,4 +1,4 @@ -{{ $CurrentContainer := where $ "ID" .CurrentContainerID | first }} +{{ $CurrentContainer := where $ "ID" .Docker.CurrentContainerID | first }} {{ define "upstream" }} {{ if .Address }} From 163d1ce174cb79844df089aeebc2c01ffe4a086c Mon Sep 17 00:00:00 2001 From: Baptiste Donaux Date: Thu, 25 Feb 2016 08:26:41 +0100 Subject: [PATCH 39/77] Upgrade docker-gen from 0.5.0 to 0.7.0 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index bc9575b..f8ef82e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -17,7 +17,7 @@ RUN echo "daemon off;" >> /etc/nginx/nginx.conf \ RUN wget -P /usr/local/bin https://godist.herokuapp.com/projects/ddollar/forego/releases/current/linux-amd64/forego \ && chmod u+x /usr/local/bin/forego -ENV DOCKER_GEN_VERSION 0.5.0 +ENV DOCKER_GEN_VERSION 0.7.0 RUN wget https://github.com/jwilder/docker-gen/releases/download/$DOCKER_GEN_VERSION/docker-gen-linux-amd64-$DOCKER_GEN_VERSION.tar.gz \ && tar -C /usr/local/bin -xvzf docker-gen-linux-amd64-$DOCKER_GEN_VERSION.tar.gz \ From 2b418319f2e22c03bedf7c3fdfb5e82626f3a74e Mon Sep 17 00:00:00 2001 From: Baptiste Donaux Date: Thu, 25 Feb 2016 09:58:17 +0100 Subject: [PATCH 40/77] Test to support overlay networks --- test/docker.bats | 8 +++++++- test/lib/docker_helpers.bash | 11 +++++++++++ 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/test/docker.bats b/test/docker.bats index f4ec665..fcbb756 100644 --- a/test/docker.bats +++ b/test/docker.bats 
@@ -54,15 +54,21 @@ load test_helpers @test "[$TEST_FILE] separated containers (nginx + docker-gen + nginx.tmpl)" { docker_clean bats-nginx docker_clean bats-docker-gen + docker_network_clean bats-docker-gen-network + + # MAKE network + run docker network create bats-docker-gen-network + assert_success # GIVEN a simple nginx container run docker run -d \ --name bats-nginx \ + --net=bats-docker-gen-network \ -v /etc/nginx/conf.d/ \ -v /etc/nginx/certs/ \ nginx:latest assert_success - run retry 5 1s docker run appropriate/curl --silent --fail --head http://$(docker_ip bats-nginx)/ + run retry 5 1s docker run --net=bats-docker-gen-network appropriate/curl --silent --fail --head http://$(docker_ips bats-nginx)/ assert_output -l 0 $'HTTP/1.1 200 OK\r' # WHEN docker-gen runs on our docker host diff --git a/test/lib/docker_helpers.bash b/test/lib/docker_helpers.bash index 50e1d81..e2749ce 100644 --- a/test/lib/docker_helpers.bash +++ b/test/lib/docker_helpers.bash @@ -8,11 +8,22 @@ function docker_clean { sleep .25s } +# Removes network $1 +function docker_network_clean { + docker network rm $1 &>/dev/null ||: + sleep .25s +} + # get the ip of docker container $1 function docker_ip { docker inspect --format '{{ .NetworkSettings.IPAddress }}' $1 } +# get the ip of docker container $1 +function docker_ips { + docker inspect --format '{{ range .NetworkSettings.Networks }}{{ .IPAddress }}{{ end }}' $1 +} + # get the running state of container $1 # → true/false # fails if the container does not exist From b42cd855708a7dd92d779ff636d647ee03ad742d Mon Sep 17 00:00:00 2001 From: Baptiste Donaux Date: Fri, 26 Feb 2016 09:12:11 +0100 Subject: [PATCH 41/77] Unit test - removed network creation --- test/docker.bats | 11 ++--------- test/lib/docker_helpers.bash | 11 ----------- 2 files changed, 2 insertions(+), 20 deletions(-) diff --git a/test/docker.bats b/test/docker.bats index fcbb756..abe7b5a 100644 --- a/test/docker.bats +++ b/test/docker.bats 
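Review bot: `docker_ips` prints every network's address with no separator, so for a container attached to two networks `http://$(docker_ips bats-nginx)/` becomes one fused string and the curl check fails for a reason unrelated to the proxy. I would emit one address per line with `{{ range .NetworkSettings.Networks }}{{ println .IPAddress }}{{ end }}` and take the first in the test with `| head -n1`. Both new helpers should quote `"$1"`. The comment on `docker_ips` is a copy of `docker_ip`'s and could read `# get the IPs of docker container $1, one per attached network`.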
@@ -54,21 +54,15 @@ load test_helpers @test "[$TEST_FILE] separated containers (nginx + docker-gen + nginx.tmpl)" { docker_clean bats-nginx docker_clean bats-docker-gen - docker_network_clean bats-docker-gen-network - # MAKE network - run docker network create bats-docker-gen-network - assert_success - # GIVEN a simple nginx container run docker run -d \ --name bats-nginx \ - --net=bats-docker-gen-network \ -v /etc/nginx/conf.d/ \ -v /etc/nginx/certs/ \ nginx:latest assert_success - run retry 5 1s docker run --net=bats-docker-gen-network appropriate/curl --silent --fail --head http://$(docker_ips bats-nginx)/ + run retry 5 1s docker run appropriate/curl --silent --fail --head http://$(docker_ip bats-nginx)/ assert_output -l 0 $'HTTP/1.1 200 OK\r' # WHEN docker-gen runs on our docker host @@ -95,7 +89,7 @@ load test_helpers docker logs bats-docker-gen false } >&2 - + # THEN assert_nginxproxy_behaves bats-nginx } @@ -120,4 +114,3 @@ function assert_nginxproxy_behaves { run curl_container $container /data --header "Host: webFOO.bats" --head assert_output -l 0 $'HTTP/1.1 503 Service Temporarily Unavailable\r' } - diff --git a/test/lib/docker_helpers.bash b/test/lib/docker_helpers.bash index e2749ce..50e1d81 100644 --- a/test/lib/docker_helpers.bash +++ b/test/lib/docker_helpers.bash @@ -8,22 +8,11 @@ function docker_clean { sleep .25s } -# Removes network $1 -function docker_network_clean { - docker network rm $1 &>/dev/null ||: - sleep .25s -} - # get the ip of docker container $1 function docker_ip { docker inspect --format '{{ .NetworkSettings.IPAddress }}' $1 } -# get the ip of docker container $1 -function docker_ips { - docker inspect --format '{{ range .NetworkSettings.Networks }}{{ .IPAddress }}{{ end }}' $1 -} - # get the running state of container $1 # → true/false # fails if the container does not exist From 1f8b480365edc8b943b5482a0134badbaac3d154 Mon Sep 17 00:00:00 2001 
From: Mike Rohland Date: Mon, 21 Mar 2016 22:47:01 +0100 Subject: [PATCH 42/77] moved nginx to 1.9.12 --- Dockerfile | 2 +- README.md | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 8cb98cd..ce586bd 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM nginx:1.9.9 +FROM nginx:1.9.12 MAINTAINER Jason Wilder mail@jasonwilder.com # Install wget and install/updates certificates diff --git a/README.md b/README.md index efb8ed1..76e9987 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -![nginx 1.9.6](https://img.shields.io/badge/nginx-1.9.6-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build](https://circleci.com/gh/jwilder/nginx-proxy.svg?&style=shield&circle-token=2da3ee844076a47371bd45da81cf27409ca7306a)](https://circleci.com/gh/jwilder/nginx-proxy) +![nginx 1.9.12](https://img.shields.io/badge/nginx-1.9.12-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build](https://circleci.com/gh/jwilder/nginx-proxy.svg?&style=shield&circle-token=2da3ee844076a47371bd45da81cf27409ca7306a)](https://circleci.com/gh/jwilder/nginx-proxy) nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped. @@ -232,4 +232,3 @@ Before submitting pull requests or issues, please check github to make sure an e To run tests, you'll need to install [bats 0.4.0](https://github.com/sstephenson/bats). make test - From 86aea653c82d308e1ddf19c256c94bb09f59808d Mon Sep 17 00:00:00 2001 
From: Pit Kleyersburg Date: Tue, 22 Mar 2016 22:47:42 +0100 Subject: [PATCH 43/77] Update to docker-gen 0.7.0 Since [1] some timings seem to have changed. This caused the unit tests to fail intermittently, from my testings especially on Ubuntu systems (much less often on e.g. Arch). This commit adds the `dockergen_wait_for_event` helper-function to try and wait for the configuration to be generated by docker-gen before continuing on with the actual tests themselves. Additionally, at the end of every test file, all containers spun up by the bats-tests will be stopped. This required adding the `bats-type` label to every container started during the bats-tests. The stopping of the containers reduces the amount of events docker-gen has to process, thus resulting in lower wait times for the generation to happen. [1]: https://github.com/jwilder/docker-gen/commit/50435652b16b3874a5907765d33fa31150876d92 --- Dockerfile | 2 +- Makefile | 4 ++-- test/default-host.bats | 11 ++++++----- test/docker.bats | 18 ++++++++++++------ test/lib/docker_helpers.bash | 8 +++++++- test/multiple-hosts.bats | 13 ++++++++----- test/multiple-ports.bats | 17 ++++++++++++----- test/test_helpers.bash | 37 ++++++++++++++++++++++++++++++++++-- test/wildcard-hosts.bats | 17 ++++++++++++----- 9 files changed, 95 insertions(+), 32 deletions(-) diff --git a/Dockerfile b/Dockerfile index ce586bd..96602b0 100644 --- a/Dockerfile +++ b/Dockerfile @@ -17,7 +17,7 @@ RUN echo "daemon off;" >> /etc/nginx/nginx.conf \ RUN wget -P /usr/local/bin https://godist.herokuapp.com/projects/ddollar/forego/releases/current/linux-amd64/forego \ && chmod u+x /usr/local/bin/forego -ENV DOCKER_GEN_VERSION 0.4.2 +ENV DOCKER_GEN_VERSION 0.7.0 RUN wget https://github.com/jwilder/docker-gen/releases/download/$DOCKER_GEN_VERSION/docker-gen-linux-amd64-$DOCKER_GEN_VERSION.tar.gz \ && tar -C /usr/local/bin -xvzf docker-gen-linux-amd64-$DOCKER_GEN_VERSION.tar.gz \ diff --git a/Makefile b/Makefile index 72e7984..213a441 100644 
--- a/Makefile +++ b/Makefile @@ -2,8 +2,8 @@ .PHONY : test update-dependencies: - docker pull jwilder/docker-gen:latest - docker pull nginx:latest + docker pull jwilder/docker-gen:0.7.0 + docker pull nginx:1.9.12 docker pull python:3 docker pull rancher/socat-docker:latest docker pull appropriate/curl:latest diff --git a/test/default-host.bats b/test/default-host.bats index 4e9d84e..acdffc6 100644 --- a/test/default-host.bats +++ b/test/default-host.bats @@ -4,10 +4,7 @@ load test_helpers function setup { # make sure to stop any web container before each test so we don't # have any unexpected contaiener running with VIRTUAL_HOST or VIRUTAL_PORT set - CIDS=( $(docker ps -q --filter "label=bats-type=web") ) - if [ ${#CIDS[@]} -gt 0 ]; then - docker stop ${CIDS[@]} >&2 - fi + stop_bats_containers web } @@ -20,7 +17,7 @@ function setup { # WHEN nginx-proxy runs with DEFAULT_HOST set to web.bats run nginxproxy $SUT_CONTAINER -v /var/run/docker.sock:/tmp/docker.sock:ro -e DEFAULT_HOST=web.bats assert_success - docker_wait_for_log $SUT_CONTAINER 3 "Watching docker events" + docker_wait_for_log $SUT_CONTAINER 9 "Watching docker events" # THEN querying the proxy without Host header → 200 run curl_container $SUT_CONTAINER / --head @@ -30,3 +27,7 @@ function setup { run curl_container $SUT_CONTAINER / --head --header "Host: something.I.just.made.up" assert_output -l 0 $'HTTP/1.1 200 OK\r' } + +@test "[$TEST_FILE] stop all bats containers" { + stop_bats_containers +} diff --git a/test/docker.bats b/test/docker.bats index f4ec665..43be758 100644 --- a/test/docker.bats +++ b/test/docker.bats @@ -14,7 +14,7 @@ load test_helpers # WHEN nginx-proxy runs on our docker host using the default unix socket run nginxproxy $SUT_CONTAINER -v /var/run/docker.sock:/tmp/docker.sock:ro assert_success - docker_wait_for_log $SUT_CONTAINER 3 "Watching docker events" + docker_wait_for_log $SUT_CONTAINER 9 "Watching docker events" # THEN assert_nginxproxy_behaves $SUT_CONTAINER 
@@ -27,7 +27,7 @@ load test_helpers # WHEN nginx-proxy runs on our docker host using a custom unix socket run nginxproxy $SUT_CONTAINER -v /var/run/docker.sock:/f00.sock:ro -e DOCKER_HOST=unix:///f00.sock assert_success - docker_wait_for_log $SUT_CONTAINER 3 "Watching docker events" + docker_wait_for_log $SUT_CONTAINER 9 "Watching docker events" # THEN assert_nginxproxy_behaves $SUT_CONTAINER @@ -44,7 +44,7 @@ load test_helpers # WHEN nginx-proxy runs on our docker host using tcp to connect to our docker host run nginxproxy $SUT_CONTAINER -e DOCKER_HOST="tcp://bats-docker-tcp:2375" --link bats-docker-tcp:bats-docker-tcp assert_success - docker_wait_for_log $SUT_CONTAINER 3 "Watching docker events" + docker_wait_for_log $SUT_CONTAINER 9 "Watching docker events" # THEN assert_nginxproxy_behaves $SUT_CONTAINER @@ -57,28 +57,30 @@ load test_helpers # GIVEN a simple nginx container run docker run -d \ + --label bats-type="nginx" \ --name bats-nginx \ -v /etc/nginx/conf.d/ \ -v /etc/nginx/certs/ \ nginx:latest assert_success - run retry 5 1s docker run appropriate/curl --silent --fail --head http://$(docker_ip bats-nginx)/ + run retry 5 1s docker run --label bats-type="curl" appropriate/curl --silent --fail --head http://$(docker_ip bats-nginx)/ assert_output -l 0 $'HTTP/1.1 200 OK\r' # WHEN docker-gen runs on our docker host run docker run -d \ + --label bats-type="docker-gen" \ --name bats-docker-gen \ -v /var/run/docker.sock:/tmp/docker.sock:ro \ -v $BATS_TEST_DIRNAME/../nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl:ro \ --volumes-from bats-nginx \ - jwilder/docker-gen:latest \ + jwilder/docker-gen:0.7.0 \ -notify-sighup bats-nginx \ -watch \ -only-exposed \ /etc/docker-gen/templates/nginx.tmpl \ /etc/nginx/conf.d/default.conf assert_success - docker_wait_for_log bats-docker-gen 6 "Watching docker events" + docker_wait_for_log bats-docker-gen 9 "Watching docker events" # Give some time to the docker-gen container to notify bats-nginx so it # reloads its config 
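Review bot: The bats-nginx container in the last hunk still runs `nginx:latest`, while this commit pins docker-gen to `jwilder/docker-gen:0.7.0` in the same test and changes `make update-dependencies` to pull `nginx:1.9.12` instead of `nginx:latest`. The separated-containers test therefore runs whatever `nginx:latest` is cached or pulled at test time, which is neither the image the Makefile prefetches nor a reproducible one. Change that line to `nginx:1.9.12` so the test exercises the pinned image. The `@test` body starts and ends outside this hunk.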
@@ -94,6 +96,10 @@ load test_helpers assert_nginxproxy_behaves bats-nginx } +@test "[$TEST_FILE] stop all bats containers" { + stop_bats_containers +} + # $1 nginx-proxy container function assert_nginxproxy_behaves { diff --git a/test/lib/docker_helpers.bash b/test/lib/docker_helpers.bash index 50e1d81..1735506 100644 --- a/test/lib/docker_helpers.bash +++ b/test/lib/docker_helpers.bash @@ -13,6 +13,11 @@ function docker_ip { docker inspect --format '{{ .NetworkSettings.IPAddress }}' $1 } +# get the ip of docker container $1 +function docker_id { + docker inspect --format '{{ .ID }}' $1 +} + # get the running state of container $1 # → true/false # fails if the container does not exist @@ -52,9 +57,10 @@ function docker_tcp { local container_name="$1" docker_clean $container_name docker run -d \ + --label bats-type="socat" \ --name $container_name \ --expose 2375 \ -v /var/run/docker.sock:/var/run/docker.sock \ rancher/socat-docker - docker run --link "$container_name:docker" docker:1.9 version + docker run --label bats-type="docker" --link "$container_name:docker" docker:1.9 version } diff --git a/test/multiple-hosts.bats b/test/multiple-hosts.bats index 695aec1..10487ae 100644 --- a/test/multiple-hosts.bats +++ b/test/multiple-hosts.bats 
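Review bot: The comment above the new `docker_id` helper is copied from `docker_ip` and still reads `# get the ip of docker container $1`, although the function prints `.ID`. Change it to `# get the full ID of docker container $1`. The argument is also expanded unquoted; `docker inspect --format '{{ .ID }}' "$1"` avoids word splitting on an unexpected name.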
@@ -5,22 +5,21 @@ SUT_CONTAINER=bats-nginx-proxy-${TEST_FILE} function setup { # make sure to stop any web container before each test so we don't # have any unexpected contaiener running with VIRTUAL_HOST or VIRUTAL_PORT set - CIDS=( $(docker ps -q --filter "label=bats-type=web") ) - if [ ${#CIDS[@]} -gt 0 ]; then - docker stop ${CIDS[@]} >&2 - fi + stop_bats_containers web } @test "[$TEST_FILE] start a nginx-proxy container" { run nginxproxy $SUT_CONTAINER -v /var/run/docker.sock:/tmp/docker.sock:ro assert_success - docker_wait_for_log $SUT_CONTAINER 3 "Watching docker events" + docker_wait_for_log $SUT_CONTAINER 9 "Watching docker events" } @test "[$TEST_FILE] nginx-proxy forwards requests for 2 hosts" { # WHEN a container runs a web server with VIRTUAL_HOST set for multiple hosts prepare_web_container bats-multiple-hosts-1 80 -e VIRTUAL_HOST=multiple-hosts-1-A.bats,multiple-hosts-1-B.bats + dockergen_wait_for_event $SUT_CONTAINER start bats-multiple-hosts-1 + sleep 1 # THEN querying the proxy without Host header → 503 run curl_container $SUT_CONTAINER / --head @@ -38,3 +37,7 @@ function setup { run curl_container $SUT_CONTAINER /data --header 'Host: multiple-hosts-1-B.bats' assert_output "answer from port 80" } + +@test "[$TEST_FILE] stop all bats containers" { + stop_bats_containers +} diff --git a/test/multiple-ports.bats b/test/multiple-ports.bats index a520571..a3c6fd0 100644 --- a/test/multiple-ports.bats +++ b/test/multiple-ports.bats @@ -5,10 +5,7 @@ SUT_CONTAINER=bats-nginx-proxy-${TEST_FILE} function setup { # make sure to stop any web container before each test so we don't # have any unexpected contaiener running with VIRTUAL_HOST or VIRUTAL_PORT set - CIDS=( $(docker ps -q --filter "label=bats-type=web") ) - if [ ${#CIDS[@]} -gt 0 ]; then - docker stop ${CIDS[@]} >&2 - fi + stop_bats_containers web } 
@@ -16,13 +13,15 @@ function setup { # GIVEN nginx-proxy run nginxproxy $SUT_CONTAINER -v /var/run/docker.sock:/tmp/docker.sock:ro assert_success - docker_wait_for_log $SUT_CONTAINER 3 "Watching docker events" + docker_wait_for_log $SUT_CONTAINER 9 "Watching docker events" } @test "[$TEST_FILE] nginx-proxy defaults to the service running on port 80" { # WHEN prepare_web_container bats-web-${TEST_FILE}-1 "80 90" -e VIRTUAL_HOST=web.bats + dockergen_wait_for_event $SUT_CONTAINER start bats-web-${TEST_FILE}-1 + sleep 1 # THEN assert_response_is_from_port 80 @@ -32,6 +31,8 @@ function setup { @test "[$TEST_FILE] VIRTUAL_PORT=90 while port 80 is also exposed" { # GIVEN prepare_web_container bats-web-${TEST_FILE}-2 "80 90" -e VIRTUAL_HOST=web.bats -e VIRTUAL_PORT=90 + dockergen_wait_for_event $SUT_CONTAINER start bats-web-${TEST_FILE}-2 + sleep 1 # THEN assert_response_is_from_port 90 @@ -41,11 +42,17 @@ function setup { @test "[$TEST_FILE] single exposed port != 80" { # GIVEN prepare_web_container bats-web-${TEST_FILE}-3 1234 -e VIRTUAL_HOST=web.bats + dockergen_wait_for_event $SUT_CONTAINER start bats-web-${TEST_FILE}-3 + sleep 1 # THEN assert_response_is_from_port 1234 } +@test "[$TEST_FILE] stop all bats containers" { + stop_bats_containers +} + # assert querying nginx-proxy provides a response from the expected port of the web container # $1 port we are expecting an response from diff --git a/test/test_helpers.bash b/test/test_helpers.bash index 5890677..2114557 100644 --- a/test/test_helpers.bash +++ b/test/test_helpers.bash @@ -33,6 +33,7 @@ function nginxproxy { shift docker_clean $container_name \ && docker run -d \ + --label bats-type="nginx-proxy" \ --name $container_name \ "$@" \ $SUT_IMAGE \ @@ -66,7 +67,7 @@ function curl_container { local -r container=$1 local -r path=$2 shift 2 - docker run appropriate/curl --silent \ + docker run --label bats-type="curl" appropriate/curl --silent \ --connect-timeout 5 \ --max-time 20 \ "$@" \ 
@@ -128,7 +129,39 @@ function prepare_web_container { # THEN querying directly port works IFS=$' \t\n' # See https://github.com/sstephenson/bats/issues/89 for port in $ports; do - run retry 5 1s docker run appropriate/curl --silent --fail http://$(docker_ip $container_name):$port/data + run retry 5 1s docker run --label bats-type="curl" appropriate/curl --silent --fail http://$(docker_ip $container_name):$port/data assert_output "answer from port $port" done } + +# stop all containers with the "bats-type" label (matching the optionally supplied value) +# +# $1 optional label value +function stop_bats_containers { + local -r value=$1 + + if [ -z "$value" ]; then + CIDS=( $(docker ps -q --filter "label=bats-type") ) + else + CIDS=( $(docker ps -q --filter "label=bats-type=$value") ) + fi + + if [ ${#CIDS[@]} -gt 0 ]; then + docker stop ${CIDS[@]} >&2 + fi +} + +# wait for a docker-gen container to receive a specified event from a +# container with the specified ID/name +# +# $1 docker-gen container name +# $2 event +# $3 ID/name of container to receive event from +function dockergen_wait_for_event { + local -r container=$1 + local -r event=$2 + local -r other=$3 + local -r did=$(docker_id "$other") + docker_wait_for_log "$container" 9 "Received event $event for container ${did:0:12}" +} + diff --git a/test/wildcard-hosts.bats b/test/wildcard-hosts.bats index 88ca1e7..8491e4b 100644 --- a/test/wildcard-hosts.bats +++ b/test/wildcard-hosts.bats @@ -5,10 +5,7 @@ SUT_CONTAINER=bats-nginx-proxy-${TEST_FILE} function setup { # make sure to stop any web container before each test so we don't # have any unexpected contaiener running with VIRTUAL_HOST or VIRUTAL_PORT set - CIDS=( $(docker ps -q --filter "label=bats-type=web") ) - if [ ${#CIDS[@]} -gt 0 ]; then - docker stop ${CIDS[@]} >&2 - fi + stop_bats_containers web } 
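Review bot: In `dockergen_wait_for_event`, `local -r did=$(docker_id "$other")` discards the exit status of `docker_id`, so when the container does not exist `did` is empty and the helper waits for the bare prefix `Received event start for container `, which presumably any other container's event satisfies (`docker_wait_for_log` is not shown here). Separate declaration from assignment and fail early: `local did` followed by `did=$(docker_id "$other") || return 1`. In `stop_bats_containers`, `CIDS` is assigned as a global and expanded unquoted; `local -a CIDS` and `docker stop "${CIDS[@]}" >&2` keep it scoped to the function.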
@@ -16,13 +13,15 @@ function setup { # GIVEN run nginxproxy $SUT_CONTAINER -v /var/run/docker.sock:/tmp/docker.sock:ro assert_success - docker_wait_for_log $SUT_CONTAINER 3 "Watching docker events" + docker_wait_for_log $SUT_CONTAINER 9 "Watching docker events" } @test "[$TEST_FILE] VIRTUAL_HOST=*.wildcard.bats" { # WHEN prepare_web_container bats-wildcard-hosts-1 80 -e VIRTUAL_HOST=*.wildcard.bats + dockergen_wait_for_event $SUT_CONTAINER start bats-wildcard-hosts-1 + sleep 1 # THEN assert_200 f00.wildcard.bats @@ -33,6 +32,8 @@ function setup { @test "[$TEST_FILE] VIRTUAL_HOST=wildcard.bats.*" { # WHEN prepare_web_container bats-wildcard-hosts-2 80 -e VIRTUAL_HOST=wildcard.bats.* + dockergen_wait_for_event $SUT_CONTAINER start bats-wildcard-hosts-2 + sleep 1 # THEN assert_200 wildcard.bats.f00 @@ -43,6 +44,8 @@ function setup { @test "[$TEST_FILE] VIRTUAL_HOST=~^foo\.bar\..*\.bats" { # WHEN prepare_web_container bats-wildcard-hosts-2 80 -e VIRTUAL_HOST=~^foo\.bar\..*\.bats + dockergen_wait_for_event $SUT_CONTAINER start bats-wildcard-hosts-2 + sleep 1 # THEN assert_200 foo.bar.whatever.bats @@ -51,6 +54,10 @@ function setup { } +@test "[$TEST_FILE] stop all bats containers" { + stop_bats_containers +} + # assert that querying nginx-proxy with the given Host header produces a `HTTP 200` response # $1 Host HTTP header to use when querying nginx-proxy From 88cc096aaf289cfc173fa947b2ab5df638a8c22f Mon Sep 17 00:00:00 2001 From: Baptiste Donaux Date: Thu, 24 Mar 2016 11:16:22 +0100 Subject: [PATCH 44/77] [FIX] expose port for separated containers test --- test/docker.bats | 1 + 1 file changed, 1 insertion(+) diff --git a/test/docker.bats b/test/docker.bats index b7a52c0..f90d270 100644 --- a/test/docker.bats +++ b/test/docker.bats 
@@ -73,6 +73,7 @@ load test_helpers -v /var/run/docker.sock:/tmp/docker.sock:ro \ -v $BATS_TEST_DIRNAME/../nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl:ro \ --volumes-from bats-nginx \ + --expose 80 \ jwilder/docker-gen:0.7.0 \ -notify-sighup bats-nginx \ -watch \ From 6928d62e1ec78502a5b71088438fbf5ef45e0a25 Mon Sep 17 00:00:00 2001 From: Baptiste Donaux Date: Thu, 24 Mar 2016 14:40:50 +0100 Subject: [PATCH 45/77] Upgrade Docker dependency from 1.9 to 1.10 --- Makefile | 2 +- circle.yml | 3 +-- test/lib/docker_helpers.bash | 2 +- 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index 213a441..3a10ad4 100644 --- a/Makefile +++ b/Makefile @@ -7,7 +7,7 @@ update-dependencies: docker pull python:3 docker pull rancher/socat-docker:latest docker pull appropriate/curl:latest - docker pull docker:1.9 + docker pull docker:1.10 test: docker build -t jwilder/nginx-proxy:bats . diff --git a/circle.yml b/circle.yml index e0ecf4d..761684f 100644 --- a/circle.yml +++ b/circle.yml @@ -1,7 +1,6 @@ machine: pre: - - sudo curl -L -o /usr/bin/docker 'https://s3-external-1.amazonaws.com/circle-downloads/docker-1.9.1-circleci' - - sudo chmod 0755 /usr/bin/docker + - curl -sSL https://s3.amazonaws.com/circle-downloads/install-circleci-docker.sh | bash -s -- 1.10.0 services: - docker diff --git a/test/lib/docker_helpers.bash b/test/lib/docker_helpers.bash index 1735506..221234e 100644 --- a/test/lib/docker_helpers.bash +++ b/test/lib/docker_helpers.bash @@ -62,5 +62,5 @@ function docker_tcp { --expose 2375 \ -v /var/run/docker.sock:/var/run/docker.sock \ rancher/socat-docker - docker run --label bats-type="docker" --link "$container_name:docker" docker:1.9 version + docker run --label bats-type="docker" --link "$container_name:docker" docker:1.10 version } From a54af7d73bd1a716c180f8ed3bc74b94f29c0948 Mon Sep 17 00:00:00 2001 
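Review bot: The new `pre` step in circle.yml pipes a script fetched from S3 straight into `bash`, so the CI machine executes whatever that URL serves at build time with no integrity check, and a truncated download runs as a partial script. Download to a file, verify it, then run it: `- curl -fsSL -o /tmp/install-circleci-docker.sh https://s3.amazonaws.com/circle-downloads/install-circleci-docker.sh`, `- echo "<sha256-of-reviewed-script>  /tmp/install-circleci-docker.sh" | sha256sum -c -`, `- bash /tmp/install-circleci-docker.sh 1.10.0`. The digest is a placeholder to be taken from a reviewed copy of the script.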
From: Jason Wilder Date: Mon, 4 Apr 2016 16:48:52 -0600 Subject: [PATCH 46/77] Switch forego downloads Official ddollar site has been down for a while and not sure if it's coming back up or not. --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 96602b0..5691ec6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -14,8 +14,8 @@ RUN echo "daemon off;" >> /etc/nginx/nginx.conf \ && sed -i 's/^http {/&\n server_names_hash_bucket_size 128;/g' /etc/nginx/nginx.conf # Install Forego -RUN wget -P /usr/local/bin https://godist.herokuapp.com/projects/ddollar/forego/releases/current/linux-amd64/forego \ - && chmod u+x /usr/local/bin/forego +ADD https://github.com/jwilder/forego/releases/download/v0.16.1/forego /usr/local/bin/forego +RUN chmod u+x /usr/local/bin/forego ENV DOCKER_GEN_VERSION 0.7.0 From 30e2da01e9d413adadae5b7d6069fa4750823225 Mon Sep 17 00:00:00 2001 From: Jason Wilder Date: Mon, 4 Apr 2016 17:01:47 -0600 Subject: [PATCH 47/77] Add travis.yml From #312 --- .travis.yml | 22 ++++++++++++++++++++++ README.md | 2 +- 2 files changed, 23 insertions(+), 1 deletion(-) create mode 100644 .travis.yml diff --git a/.travis.yml b/.travis.yml new file mode 100644 index 0000000..b6b1364 --- /dev/null +++ b/.travis.yml @@ -0,0 +1,22 @@ +sudo: required +services: + - docker + +env: + global: + - DOCKER_VERSION=1.10.1-0~trusty + +before_install: + # list docker-engine versions + - apt-cache madison docker-engine + # upgrade docker-engine to specific version + - sudo apt-get -o Dpkg::Options::="--force-confnew" install -y docker-engine=${DOCKER_VERSION} + - docker version + - docker info + - sudo add-apt-repository ppa:duggan/bats --yes + - sudo apt-get update -qq + - sudo apt-get install -qq bats + - make update-dependencies + +script: + - make test diff --git a/README.md b/README.md index 76e9987..d277421 100644 --- a/README.md +++ b/README.md 
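Review bot: `ADD https://github.com/jwilder/forego/releases/download/v0.16.1/forego /usr/local/bin/forego` installs the image's process supervisor without any integrity check; `ADD` from a URL does not verify content, and a release asset can be replaced under the same tag. Verify a pinned digest before making the file executable: `RUN echo "<sha256-of-forego-v0.16.1>  /usr/local/bin/forego" | sha256sum -c - && chmod u+x /usr/local/bin/forego` (the digest is a placeholder). The docker-gen tarball fetched with `wget` after `ENV DOCKER_GEN_VERSION`, just past the end of this hunk, has the same gap.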
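Review bot: `before_install` pins `docker-engine` to `${DOCKER_VERSION}` but installs bats unpinned from the third-party `ppa:duggan/bats`, while the README asks for bats 0.4.0. CI then runs whatever version that PPA publishes, from a package source outside the project's control and installed as root. Installing the tagged upstream release keeps the version fixed: `- git clone --branch v0.4.0 --depth 1 https://github.com/sstephenson/bats.git /tmp/bats` and `- sudo /tmp/bats/install.sh /usr/local`.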
@@ -1,4 +1,4 @@ -![nginx 1.9.12](https://img.shields.io/badge/nginx-1.9.12-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build](https://circleci.com/gh/jwilder/nginx-proxy.svg?&style=shield&circle-token=2da3ee844076a47371bd45da81cf27409ca7306a)](https://circleci.com/gh/jwilder/nginx-proxy) +![nginx 1.9.12](https://img.shields.io/badge/nginx-1.9.12-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build](https://circleci.com/gh/jwilder/nginx-proxy.svg?&style=shield&circle-token=2da3ee844076a47371bd45da81cf27409ca7306a)](https://circleci.com/gh/jwilder/nginx-proxy) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped. From 1d0a5d9194c2b1c0e82fcc3a0d438f6d2fe19ee1 Mon Sep 17 00:00:00 2001 From: Steve Kamerman Date: Wed, 20 Apr 2016 12:20:08 -0400 Subject: [PATCH 48/77] Added SSL/HTTPS tests --- test/lib/ssl/nginx-proxy.bats.crt | 24 +++++++ test/lib/ssl/nginx-proxy.bats.key | 28 ++++++++ test/ssl.bats | 109 ++++++++++++++++++++++++++++++ test/test_helpers.bash | 17 +++++ 4 files changed, 178 insertions(+) create mode 100644 test/lib/ssl/nginx-proxy.bats.crt create mode 100644 test/lib/ssl/nginx-proxy.bats.key create mode 100644 test/ssl.bats diff --git a/test/lib/ssl/nginx-proxy.bats.crt b/test/lib/ssl/nginx-proxy.bats.crt new file mode 100644 index 0000000..cf42bd7 --- /dev/null +++ b/test/lib/ssl/nginx-proxy.bats.crt 
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID7TCCAtWgAwIBAgIJAOGkf5EnexJVMA0GCSqGSIb3DQEBCwUAMIGMMQswCQYD
+VQQGEwJVUzERMA8GA1UECAwIVmlyZ2luaWExDzANBgNVBAcMBlJlc3RvbjERMA8G
+A1UECgwIRmFrZSBPcmcxGzAZBgNVBAMMEioubmdpbngtcHJveHkuYmF0czEpMCcG
+CSqGSIb3DQEJARYad2VibWFzdGVyQG5naW54LXByb3h5LmJhdHMwHhcNMTYwNDIw
+MTUzOTUxWhcNMjYwNDE4MTUzOTUxWjCBjDELMAkGA1UEBhMCVVMxETAPBgNVBAgM
+CFZpcmdpbmlhMQ8wDQYDVQQHDAZSZXN0b24xETAPBgNVBAoMCEZha2UgT3JnMRsw
+GQYDVQQDDBIqLm5naW54LXByb3h5LmJhdHMxKTAnBgkqhkiG9w0BCQEWGndlYm1h
+c3RlckBuZ2lueC1wcm94eS5iYXRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEA0Amkj3iaQn8Z2CW6n24zSuWu2OoLCkHZAk8eprkI4kKoPBvjusynkm8E
+phq65jebToHoldfuQ0wM61DzhD15bHwS3x9CrOVbShsmdnGALz+wdR0/4Likx50I
+YZdecTOAlkoZudnX5FZ4ngOxjqcym7p5T8TrSS97a0fx99gitZY0p+Nu2tip4o3t
+WBMs+SoPWTlQ1SrSmL8chC8O2knyBl/w1nHmDnMuR6FGcHdhLncApw9t5spgfv7p
+OrMF4tQxJQNk10TnflmEMkGmy+pfk2e0cQ1Kwp3Nmzm7ECkggxxyjU3ihKiFK+09
+8aSCi7gDAY925+mV6LZ5oLMpO3KJvQIDAQABo1AwTjAdBgNVHQ4EFgQU+NvFo37z
+9Dyq8Mu82SPtV7q1gYQwHwYDVR0jBBgwFoAU+NvFo37z9Dyq8Mu82SPtV7q1gYQw
+DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAI1ityDV0UsCVHSpB2LN+
+QXlk8XS0ACIJ8Q0hbOj3BmYrdAVglG4P6upDEueaaxwsaBTagkTP8nxZ9dhfZHyZ
+5YLNwYsiG5iqb8e0ecHx3uJT/0YiXn/8rBvxEZna4Fl8seGdp7BjOWUAS2Nv8tn4
+EJJvRdfX/O8XgPc95DM4lwQ/dvyWmavMI4lnl0n1IQV9WPGaIQhYPU9WEQK6iMUB
+o1kx8YbOJQD0ZBRfqpriNt1/8ylkkSYYav8QT9JFvQFCWEvaX71QF+cuOwC7ZYBH
+4ElXwEUrYBHKiPo0q0VsTtMvLh7h/T5czrIhG/NpfVJPtQOk8aVwNScL3/n+TGU8
+6g==
+-----END CERTIFICATE-----
diff --git a/test/lib/ssl/nginx-proxy.bats.key b/test/lib/ssl/nginx-proxy.bats.key
new file mode 100644
index 0000000..24d8dc8
--- /dev/null
+++ b/test/lib/ssl/nginx-proxy.bats.key
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDQCaSPeJpCfxnY +JbqfbjNK5a7Y6gsKQdkCTx6muQjiQqg8G+O6zKeSbwSmGrrmN5tOgeiV1+5DTAzr +UPOEPXlsfBLfH0Ks5VtKGyZ2cYAvP7B1HT/guKTHnQhhl15xM4CWShm52dfkVnie +A7GOpzKbunlPxOtJL3trR/H32CK1ljSn427a2Knije1YEyz5Kg9ZOVDVKtKYvxyE +Lw7aSfIGX/DWceYOcy5HoUZwd2EudwCnD23mymB+/uk6swXi1DElA2TXROd+WYQy +QabL6l+TZ7RxDUrCnc2bObsQKSCDHHKNTeKEqIUr7T3xpIKLuAMBj3bn6ZXotnmg +syk7com9AgMBAAECggEAa7wCp3XqVPNjW+c1/ShhkbDeWmDhtL8i9aopkmeSbTHd +07sRtQQU56Vsf+Sp010KpZ5q52Z6cglpS1eRtHLtdbvPPhL/QXBJVVg4E/B1VIKk +DBJIqUSVuPXeiEOOWgs01R+ssO1ae1o4foQlKF33vGPWPPQacL0RKh6I9TPNzcD7 +n4rujlHk72N/bNydyK2rnyKB4vAI5TbZPLps+Xe123CmgZnW3JClcWV9B4foRmiu +a5Iq1WYAK2GYKbYwgqDRyYBC27m91a7U31pE4GQD+xQdlz6kcOlCU5hAcPK3h7j0 +fLQqn8g+YAtc0nBKKB4NZe3QEzTiVMorT0VitxI71QKBgQDnirardZaXOFzYGzB3 +j+FGB9BUW54hnHr5BxOYrfmEJ5umJjJWaGupfYrQsPArrJP1//WbqVZIPvdQParD +mQhLmSp1r/VNzGB6pISmzU1ZGDHsmBxYseh366om5YBQUFU2vmbil9VkrkM4fsJG +tcS9V/nVY/EM7Yp3PzjfLlhC1wKBgQDmA1YJmnZvIbLp3PoKqM69QiCLKztVm7nX +xpu3b3qbXEzXkt2sP5PHmr+s13hOPQFKRJ2hk4UN9WqpnFoHw5E5eWWhSa/peUZm +r10Y5XspiFtRHHiu6ABXB49eB4fen+vHEZHKyRJ4rFthKjjBHdNPC8bmwnT3jE85 +/8a26FLZiwKBgQDXEi8JZslBn9YF2oOTm28KCLoHka551AsaA+u892T8z3mxxGsf +fhD7N6TYonIEb2Jkr6OpOortwqcgvpc+5oghCJ27AX2fDUdUxDp/YdYF+wZsmQJD +lMW1lo7PYIBmmaf9mLCiq5xIz+GauYul+LNNmUl0YEgI1SC4EV63WCodswKBgDMX +GJxHd/kVViVGFTAa8NjvAEWJU8OfNHduQRZMp8IsjVDw6VYiRRP4Fo0wyyMtv8Sc +WxsRpmNEWO3VsdW5pd9LTLy3nmBQtMeIOjiWeHXwOMBaf5/yHmk2X6z2JULY6Mkt +6OFPKlAtkJqTg0m58z7Ckeqd1NdLjimG27+y+PwjAoGAFt0cbC1Ust2BE6YEspSX +ofpAnJsyKrbF9iVUyXDUP99sdqYQfPJ5uqPGkP59lJGkTLtebuitqi6FCyrsT6Fq +AWLiExbqebAqcuAZw2S+iuK27S4rrkjVGF53J7vH3rOzCBUXaRx6GKfTjUqedHdg +9Kw+LP6IFnMTb+EGLo+GqHs= +-----END PRIVATE KEY----- diff --git a/test/ssl.bats b/test/ssl.bats new file mode 100644 index 0000000..a2fdb7a --- /dev/null +++ b/test/ssl.bats 
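Review bot: This hunk commits an unencrypted private key (the pair of `nginx-proxy.bats.crt`) into the repository, where secret scanners will flag it and where nothing marks it as a throwaway fixture that must never back a real host. Generating the pair during test setup removes the key from version control: `openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=*.nginx-proxy.bats" -keyout lib/ssl/nginx-proxy.bats.key -out lib/ssl/nginx-proxy.bats.crt`, with `test/lib/ssl/` git-ignored. If the files stay checked in, add a short README in `test/lib/ssl/` stating that the key is public, test-only and covers only the `.bats` test names.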
@@ -0,0 +1,109 @@ +#!/usr/bin/env bats +load test_helpers +SUT_CONTAINER=bats-nginx-proxy-${TEST_FILE} + +function setup { + # make sure to stop any web container before each test so we don't + # have any unexpected contaiener running with VIRTUAL_HOST or VIRUTAL_PORT set + stop_bats_containers web +} + + +@test "[$TEST_FILE] start a nginx-proxy container" { + run nginxproxy $SUT_CONTAINER -v /var/run/docker.sock:/tmp/docker.sock:ro -v $(pwd)/lib/ssl:/etc/nginx/certs:ro + assert_success + docker_wait_for_log $SUT_CONTAINER 9 "Watching docker events" +} + +@test "[$TEST_FILE] test SSL for VIRTUAL_HOST=*.nginx-proxy.bats" { + # WHEN + prepare_web_container bats-ssl-hosts-1 "80 443" -e VIRTUAL_HOST=*.nginx-proxy.bats + dockergen_wait_for_event $SUT_CONTAINER start bats-ssl-hosts-1 + sleep 1 + + # THEN + assert_301 test.nginx-proxy.bats + assert_200_https test.nginx-proxy.bats +} + +@test "[$TEST_FILE] test HTTPS_METHOD=nohttp" { + # WHEN + prepare_web_container bats-ssl-hosts-1 "80 443" -e VIRTUAL_HOST=*.nginx-proxy.bats -e HTTPS_METHOD=nohttp + dockergen_wait_for_event $SUT_CONTAINER start bats-ssl-hosts-1 + sleep 1 + + # THEN + assert_503 test.nginx-proxy.bats + assert_200_https test.nginx-proxy.bats +} + +@test "[$TEST_FILE] test HTTPS_METHOD=noredirect" { + # WHEN + prepare_web_container bats-ssl-hosts-1 "80 443" -e VIRTUAL_HOST=*.nginx-proxy.bats -e HTTPS_METHOD=noredirect + dockergen_wait_for_event $SUT_CONTAINER start bats-ssl-hosts-1 + sleep 1 + + # THEN + assert_200 test.nginx-proxy.bats + assert_200_https test.nginx-proxy.bats +} + + +@test "[$TEST_FILE] stop all bats containers" { + stop_bats_containers +} + + +# assert that querying nginx-proxy with the given Host header produces a `HTTP 200` response +# $1 Host HTTP header to use when querying nginx-proxy +function assert_200 { + local -r host=$1 + + run curl_container $SUT_CONTAINER / --head --header "Host: $host" + assert_output -l 0 $'HTTP/1.1 200 OK\r' +} + +# assert that querying nginx-proxy with the 
given Host header produces a `HTTP 503` response +# $1 Host HTTP header to use when querying nginx-proxy +function assert_503 { + local -r host=$1 + + run curl_container $SUT_CONTAINER / --head --header "Host: $host" + assert_output -l 0 $'HTTP/1.1 503 Service Temporarily Unavailable\r' +} + +# assert that querying nginx-proxy with the given Host header produces a `HTTP 503` response +# $1 Host HTTP header to use when querying nginx-proxy +function assert_301 { + local -r host=$1 + + run curl_container $SUT_CONTAINER / --head --header "Host: $host" + assert_output -l 0 $'HTTP/1.1 301 Moved Permanently\r' +} + +# assert that querying nginx-proxy with the given Host header produces a `HTTP 200` response +# $1 Host HTTP header to use when querying nginx-proxy +function assert_200_https { + local -r host=$1 + + run curl_container_https $SUT_CONTAINER / --head --header "Host: $host" + assert_output -l 0 $'HTTP/1.1 200 OK\r' +} + +# assert that querying nginx-proxy with the given Host header produces a `HTTP 503` response +# $1 Host HTTP header to use when querying nginx-proxy +function assert_503_https { + local -r host=$1 + + run curl_container_https $SUT_CONTAINER / --head --header "Host: $host" + assert_output -l 0 $'HTTP/1.1 503 Service Temporarily Unavailable\r' +} + +# assert that querying nginx-proxy with the given Host header produces a `HTTP 503` response +# $1 Host HTTP header to use when querying nginx-proxy +function assert_301_https { + local -r host=$1 + + run curl_container_https $SUT_CONTAINER / --head --header "Host: $host" + assert_output -l 0 $'HTTP/1.1 301 Moved Permanently\r' +} diff --git a/test/test_helpers.bash b/test/test_helpers.bash index 2114557..9b35b3c 100644 --- a/test/test_helpers.bash +++ b/test/test_helpers.bash 
@@ -74,6 +74,23 @@ function curl_container { http://$(docker_ip $container)${path} } +# Send a HTTPS request to container $1 for path $2 and +# Additional curl options can be passed as $@ +# +# $1 container name +# $2 HTTPS path to query +# $@ additional options to pass to the curl command +function curl_container_https { + local -r container=$1 + local -r path=$2 + shift 2 + docker run --label bats-type="curl" appropriate/curl --silent \ + --connect-timeout 5 \ + --max-time 20 \ + --insecure \ + "$@" \ + https://$(docker_ip $container)${path} +} # start a container running (one or multiple) webservers listening on given ports # From f296b273ce16064f4a77073171ec62e18c86ed85 Mon Sep 17 00:00:00 2001 From: Steve Kamerman Date: Wed, 20 Apr 2016 12:33:21 -0400 Subject: [PATCH 49/77] Normalized indentation, added explicit CERT_NAME --- test/ssl.bats | 100 +++++++++++++++++++++++++++----------------------- 1 file changed, 54 insertions(+), 46 deletions(-) diff --git a/test/ssl.bats b/test/ssl.bats index a2fdb7a..b113900 100644 --- a/test/ssl.bats +++ b/test/ssl.bats 
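Review bot: The certificate mount in the first test of test/ssl.bats, `-v $(pwd)/lib/ssl:/etc/nginx/certs:ro`, depends on the directory bats is started from, whereas test/docker.bats builds its bind-mount path from `$BATS_TEST_DIRNAME`. Run from another directory, the source path would not hold the fixtures and the HTTPS assertions would fail for a reason unrelated to the proxy; `-v $BATS_TEST_DIRNAME/lib/ssl:/etc/nginx/certs:ro` removes that dependency. The comments above `assert_301` and `assert_301_https` are copied from the 503 helpers and still say "produces a `HTTP 503` response"; they should name 301, and the three `_https` helpers should say the request goes over HTTPS.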
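Review bot: `curl_container_https` passes `--insecure`, so the SSL tests only show that something answers on the HTTPS port with the expected status line; they pass whichever certificate nginx-proxy serves, including a default or wrong one. Because the request targets the container IP with a `Host` header, real verification would need the fixture certificate mounted into the curl container together with `--cacert` and `--resolve`. At minimum record the limit next to the flag: `# --insecure: fixture cert is self-signed and requested by IP; the served certificate is NOT validated`. The header comment also ends on a dangling "and" and should read `# Send a HTTPS request to container $1 for path $2`.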
@@ -3,107 +3,115 @@ load test_helpers SUT_CONTAINER=bats-nginx-proxy-${TEST_FILE} function setup { - # make sure to stop any web container before each test so we don't - # have any unexpected contaiener running with VIRTUAL_HOST or VIRUTAL_PORT set - stop_bats_containers web + # make sure to stop any web container before each test so we don't + # have any unexpected contaiener running with VIRTUAL_HOST or VIRUTAL_PORT set + stop_bats_containers web } @test "[$TEST_FILE] start a nginx-proxy container" { - run nginxproxy $SUT_CONTAINER -v /var/run/docker.sock:/tmp/docker.sock:ro -v $(pwd)/lib/ssl:/etc/nginx/certs:ro - assert_success - docker_wait_for_log $SUT_CONTAINER 9 "Watching docker events" + run nginxproxy $SUT_CONTAINER -v /var/run/docker.sock:/tmp/docker.sock:ro -v $(pwd)/lib/ssl:/etc/nginx/certs:ro + assert_success + docker_wait_for_log $SUT_CONTAINER 9 "Watching docker events" } @test "[$TEST_FILE] test SSL for VIRTUAL_HOST=*.nginx-proxy.bats" { - # WHEN - prepare_web_container bats-ssl-hosts-1 "80 443" -e VIRTUAL_HOST=*.nginx-proxy.bats - dockergen_wait_for_event $SUT_CONTAINER start bats-ssl-hosts-1 - sleep 1 + # WHEN + prepare_web_container bats-ssl-hosts-1 "80 443" \ + -e VIRTUAL_HOST=*.nginx-proxy.bats \ + -e CERT_NAME=nginx-proxy.bats + dockergen_wait_for_event $SUT_CONTAINER start bats-ssl-hosts-1 + sleep 1 - # THEN - assert_301 test.nginx-proxy.bats - assert_200_https test.nginx-proxy.bats + # THEN + assert_301 test.nginx-proxy.bats + assert_200_https test.nginx-proxy.bats } @test "[$TEST_FILE] test HTTPS_METHOD=nohttp" { - # WHEN - prepare_web_container bats-ssl-hosts-1 "80 443" -e VIRTUAL_HOST=*.nginx-proxy.bats -e HTTPS_METHOD=nohttp - dockergen_wait_for_event $SUT_CONTAINER start bats-ssl-hosts-1 - sleep 1 + # WHEN + prepare_web_container bats-ssl-hosts-2 "80 443" \ + -e VIRTUAL_HOST=*.nginx-proxy.bats \ + -e CERT_NAME=nginx-proxy.bats \ + -e HTTPS_METHOD=nohttp + dockergen_wait_for_event $SUT_CONTAINER start bats-ssl-hosts-2 + sleep 1 - # THEN 
- assert_503 test.nginx-proxy.bats - assert_200_https test.nginx-proxy.bats + # THEN + assert_503 test.nginx-proxy.bats + assert_200_https test.nginx-proxy.bats } @test "[$TEST_FILE] test HTTPS_METHOD=noredirect" { - # WHEN - prepare_web_container bats-ssl-hosts-1 "80 443" -e VIRTUAL_HOST=*.nginx-proxy.bats -e HTTPS_METHOD=noredirect - dockergen_wait_for_event $SUT_CONTAINER start bats-ssl-hosts-1 - sleep 1 + # WHEN + prepare_web_container bats-ssl-hosts-3 "80 443" \ + -e VIRTUAL_HOST=*.nginx-proxy.bats \ + -e CERT_NAME=nginx-proxy.bats \ + -e HTTPS_METHOD=noredirect + dockergen_wait_for_event $SUT_CONTAINER start bats-ssl-hosts-3 + sleep 1 - # THEN - assert_200 test.nginx-proxy.bats - assert_200_https test.nginx-proxy.bats + # THEN + assert_200 test.nginx-proxy.bats + assert_200_https test.nginx-proxy.bats } @test "[$TEST_FILE] stop all bats containers" { - stop_bats_containers + stop_bats_containers } # assert that querying nginx-proxy with the given Host header produces a `HTTP 200` response # $1 Host HTTP header to use when querying nginx-proxy function assert_200 { - local -r host=$1 + local -r host=$1 - run curl_container $SUT_CONTAINER / --head --header "Host: $host" - assert_output -l 0 $'HTTP/1.1 200 OK\r' + run curl_container $SUT_CONTAINER / --head --header "Host: $host" + assert_output -l 0 $'HTTP/1.1 200 OK\r' } # assert that querying nginx-proxy with the given Host header produces a `HTTP 503` response # $1 Host HTTP header to use when querying nginx-proxy function assert_503 { - local -r host=$1 + local -r host=$1 - run curl_container $SUT_CONTAINER / --head --header "Host: $host" - assert_output -l 0 $'HTTP/1.1 503 Service Temporarily Unavailable\r' + run curl_container $SUT_CONTAINER / --head --header "Host: $host" + assert_output -l 0 $'HTTP/1.1 503 Service Temporarily Unavailable\r' } # assert that querying nginx-proxy with the given Host header produces a `HTTP 503` response # $1 Host HTTP header to use when querying nginx-proxy function 
assert_301 { - local -r host=$1 + local -r host=$1 - run curl_container $SUT_CONTAINER / --head --header "Host: $host" - assert_output -l 0 $'HTTP/1.1 301 Moved Permanently\r' + run curl_container $SUT_CONTAINER / --head --header "Host: $host" + assert_output -l 0 $'HTTP/1.1 301 Moved Permanently\r' } # assert that querying nginx-proxy with the given Host header produces a `HTTP 200` response # $1 Host HTTP header to use when querying nginx-proxy function assert_200_https { - local -r host=$1 + local -r host=$1 - run curl_container_https $SUT_CONTAINER / --head --header "Host: $host" - assert_output -l 0 $'HTTP/1.1 200 OK\r' + run curl_container_https $SUT_CONTAINER / --head --header "Host: $host" + assert_output -l 0 $'HTTP/1.1 200 OK\r' } # assert that querying nginx-proxy with the given Host header produces a `HTTP 503` response # $1 Host HTTP header to use when querying nginx-proxy function assert_503_https { - local -r host=$1 + local -r host=$1 - run curl_container_https $SUT_CONTAINER / --head --header "Host: $host" - assert_output -l 0 $'HTTP/1.1 503 Service Temporarily Unavailable\r' + run curl_container_https $SUT_CONTAINER / --head --header "Host: $host" + assert_output -l 0 $'HTTP/1.1 503 Service Temporarily Unavailable\r' } # assert that querying nginx-proxy with the given Host header produces a `HTTP 503` response # $1 Host HTTP header to use when querying nginx-proxy function assert_301_https { - local -r host=$1 + local -r host=$1 - run curl_container_https $SUT_CONTAINER / --head --header "Host: $host" - assert_output -l 0 $'HTTP/1.1 301 Moved Permanently\r' + run curl_container_https $SUT_CONTAINER / --head --header "Host: $host" + assert_output -l 0 $'HTTP/1.1 301 Moved Permanently\r' } From 786a2375aa2badf5bfa10cd369dde6c1fec415c2 Mon Sep 17 00:00:00 2001 
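Review bot: The header comments above `assert_301` and `assert_301_https` still describe an `HTTP 503` response, although both functions match `HTTP/1.1 301 Moved Permanently`. Since this commit rewrites every line of these helpers anyway, the two comments should read `# assert that querying nginx-proxy with the given Host header produces a HTTP 301 response`. The `setup` comment also carries the typos `contaiener` and `VIRUTAL_PORT` through the re-indent.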
From: Steve Kamerman Date: Wed, 20 Apr 2016 12:47:14 -0400 Subject: [PATCH 50/77] Using different path method to hopefully fix cert volume issue in CI systems --- test/ssl.bats | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/ssl.bats b/test/ssl.bats index b113900..b0b525f 100644 --- a/test/ssl.bats +++ b/test/ssl.bats @@ -10,7 +10,7 @@ function setup { @test "[$TEST_FILE] start a nginx-proxy container" { - run nginxproxy $SUT_CONTAINER -v /var/run/docker.sock:/tmp/docker.sock:ro -v $(pwd)/lib/ssl:/etc/nginx/certs:ro + run nginxproxy $SUT_CONTAINER -v /var/run/docker.sock:/tmp/docker.sock:ro -v ${DIR}/lib/ssl:/etc/nginx/certs:ro assert_success docker_wait_for_log $SUT_CONTAINER 9 "Watching docker events" } From a72c7e6e20df3738ca365bf6c14598f6a8017500 Mon Sep 17 00:00:00 2001 From: Jason Wilder Date: Fri, 22 Apr 2016 09:56:21 -0600 Subject: [PATCH 51/77] Add docker hub badges --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index d277421..ed082cf 100644 --- a/README.md +++ b/README.md 
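Review bot: `${DIR}` is expanded unquoted and unchecked in `-v ${DIR}/lib/ssl:/etc/nginx/certs:ro`, and nothing in this hunk shows where DIR is set. If it is empty or unset at this point, the bind source silently becomes the host path `/lib/ssl`, and a value containing spaces splits the argument. Writing it as `-v "${DIR:?}/lib/ssl:/etc/nginx/certs:ro"` makes the test fail immediately instead of starting the proxy with an unintended or empty certificate directory.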
@@ -1,4 +1,5 @@ -![nginx 1.9.12](https://img.shields.io/badge/nginx-1.9.12-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build](https://circleci.com/gh/jwilder/nginx-proxy.svg?&style=shield&circle-token=2da3ee844076a47371bd45da81cf27409ca7306a)](https://circleci.com/gh/jwilder/nginx-proxy) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) +![nginx 1.9.12](https://img.shields.io/badge/nginx-1.9.12-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build](https://circleci.com/gh/jwilder/nginx-proxy.svg?&style=shield&circle-token=2da3ee844076a47371bd45da81cf27409ca7306a)](https://circleci.com/gh/jwilder/nginx-proxy) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') + nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped. From d40d1d405290d73ef83583e56ec664f1fe91a490 Mon Sep 17 00:00:00 2001 From: Jason Wilder Date: Wed, 4 May 2016 14:51:30 -0600 Subject: [PATCH 52/77] Update to docker-gen 0.7.1 --- Dockerfile | 2 +- Makefile | 2 +- test/docker.bats | 14 +++++++------- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/Dockerfile b/Dockerfile index 5691ec6..a3d2553 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -17,7 +17,7 @@ RUN echo "daemon off;" >> /etc/nginx/nginx.conf \ ADD https://github.com/jwilder/forego/releases/download/v0.16.1/forego /usr/local/bin/forego RUN chmod u+x /usr/local/bin/forego -ENV DOCKER_GEN_VERSION 0.7.0 +ENV DOCKER_GEN_VERSION 0.7.1 RUN wget https://github.com/jwilder/docker-gen/releases/download/$DOCKER_GEN_VERSION/docker-gen-linux-amd64-$DOCKER_GEN_VERSION.tar.gz \ && tar -C /usr/local/bin -xvzf docker-gen-linux-amd64-$DOCKER_GEN_VERSION.tar.gz \ diff --git a/Makefile b/Makefile index 3a10ad4..08f699f 100644 --- a/Makefile +++ b/Makefile @@ -2,7 +2,7 @@ .PHONY : test update-dependencies: - docker pull jwilder/docker-gen:0.7.0 + docker pull jwilder/docker-gen:0.7.1 docker pull nginx:1.9.12 docker pull python:3 docker pull rancher/socat-docker:latest diff --git a/test/docker.bats b/test/docker.bats index f90d270..673b24f 100644 --- a/test/docker.bats +++ b/test/docker.bats @@ -11,7 +11,7 @@ load test_helpers @test "[$TEST_FILE] -v /var/run/docker.sock:/tmp/docker.sock:ro" { SUT_CONTAINER=bats-nginx-proxy-${TEST_FILE}-1 - # WHEN nginx-proxy runs on our docker host using the default unix socket + # WHEN nginx-proxy runs on our docker host using the default unix socket run nginxproxy $SUT_CONTAINER -v /var/run/docker.sock:/tmp/docker.sock:ro assert_success docker_wait_for_log $SUT_CONTAINER 9 "Watching docker events" @@ -24,7 +24,7 @@ load test_helpers @test "[$TEST_FILE] -v /var/run/docker.sock:/f00.sock:ro -e DOCKER_HOST=unix:///f00.sock" { SUT_CONTAINER=bats-nginx-proxy-${TEST_FILE}-2 - # WHEN nginx-proxy runs on our docker host using a custom unix socket + # WHEN nginx-proxy runs on our docker host using a custom unix socket run nginxproxy $SUT_CONTAINER -v /var/run/docker.sock:/f00.sock:ro -e DOCKER_HOST=unix:///f00.sock assert_success docker_wait_for_log $SUT_CONTAINER 9 "Watching docker events" 
@@ -45,7 +45,7 @@ load test_helpers run nginxproxy $SUT_CONTAINER -e DOCKER_HOST="tcp://bats-docker-tcp:2375" --link bats-docker-tcp:bats-docker-tcp assert_success docker_wait_for_log $SUT_CONTAINER 9 "Watching docker events" - + # THEN assert_nginxproxy_behaves $SUT_CONTAINER } @@ -74,7 +74,7 @@ load test_helpers -v $BATS_TEST_DIRNAME/../nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl:ro \ --volumes-from bats-nginx \ --expose 80 \ - jwilder/docker-gen:0.7.0 \ + jwilder/docker-gen:0.7.1 \ -notify-sighup bats-nginx \ -watch \ -only-exposed \ @@ -82,8 +82,8 @@ load test_helpers /etc/nginx/conf.d/default.conf assert_success docker_wait_for_log bats-docker-gen 9 "Watching docker events" - - # Give some time to the docker-gen container to notify bats-nginx so it + + # Give some time to the docker-gen container to notify bats-nginx so it # reloads its config sleep 2s @@ -116,7 +116,7 @@ function assert_nginxproxy_behaves { run curl_container $container /data --header "Host: web2.bats" assert_output "answer from port 82" - + # Querying the proxy with unknown Host header → 503 run curl_container $container /data --header "Host: webFOO.bats" --head assert_output -l 0 $'HTTP/1.1 503 Service Temporarily Unavailable\r' From c30640b024a926054bed041d8b4532c40954b4fd Mon Sep 17 00:00:00 2001 From: Jason Wilder Date: Wed, 4 May 2016 16:05:03 -0600 Subject: [PATCH 53/77] Remove circle.yml Using travis now --- circle.yml | 16 ---------------- 1 file changed, 16 deletions(-) delete mode 100644 circle.yml diff --git a/circle.yml b/circle.yml deleted file mode 100644 index 761684f..0000000 --- a/circle.yml +++ /dev/null @@ -1,16 +0,0 @@ -machine: - pre: - - curl -sSL https://s3.amazonaws.com/circle-downloads/install-circleci-docker.sh | bash -s -- 1.10.0 - services: - - docker - -dependencies: - override: - - sudo add-apt-repository ppa:duggan/bats --yes - - sudo apt-get update -qq - - sudo apt-get install -qq bats - - make update-dependencies - -test: - override: - - make test 
From 8c76ea9f9b4957bfa6592bdc6e142a2ba4177e43 Mon Sep 17 00:00:00 2001 From: kumy Date: Tue, 17 May 2016 01:46:46 +0200 Subject: [PATCH 54/77] Fix a typo in comment --- nginx.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx.tmpl b/nginx.tmpl index 855e90d..41a1905 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -118,7 +118,7 @@ upstream {{ $host }} { {{ $vhostCert := replace $vhostCert ".crt" "" -1 }} {{ $vhostCert := replace $vhostCert ".key" "" -1 }} -{{/* Use the cert specifid on the container or fallback to the best vhost match */}} +{{/* Use the cert specified on the container or fallback to the best vhost match */}} {{ $cert := (coalesce $certName $vhostCert) }} {{ $is_https := (and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }} From 3d77979efbaaf034d57944aafbb2616c5ec7eae9 Mon Sep 17 00:00:00 2001 From: Steve Kamerman Date: Thu, 19 May 2016 23:15:25 -0400 Subject: [PATCH 55/77] Expanded documentation on HTTPS_METHOD --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 2e217be..37affdc 100644 --- a/README.md +++ b/README.md @@ -143,7 +143,8 @@ a 503. To serve traffic in both SSL and non-SSL modes without redirecting to SSL, you can include the environment variable `HTTPS_METHOD=noredirect` (the default is `HTTPS_METHOD=redirect`). You can also -disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`. +disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`. Note that `HTTPS_METHOD` must be specified +on each container for which you want to override the default behavior. ### Basic Authentication Support From da3e2578433566db034f54a251f1720bf2886c63 Mon Sep 17 00:00:00 2001 
From: Steve Kamerman Date: Thu, 19 May 2016 23:20:43 -0400 Subject: [PATCH 56/77] Removed HSTS when HTTPS_METHOD=noredirect, added tests, improved docs wrt HSTS --- README.md | 8 ++++++-- nginx.tmpl | 2 ++ test/ssl.bats | 29 +++++++++++++++++++++++++++++ 3 files changed, 37 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 37affdc..c1a431c 100644 --- a/README.md +++ b/README.md @@ -143,8 +143,12 @@ a 503. To serve traffic in both SSL and non-SSL modes without redirecting to SSL, you can include the environment variable `HTTPS_METHOD=noredirect` (the default is `HTTPS_METHOD=redirect`). You can also -disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`. Note that `HTTPS_METHOD` must be specified -on each container for which you want to override the default behavior. +disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`. `HTTPS_METHOD` must be specified +on each container for which you want to override the default behavior. If `HTTPS_METHOD=noredirect` is +used, Strict Transport Security (HSTS) is disabled to prevent HTTPS users from being redirected by the +client. If you cannot get to the HTTP site after changing this setting, your browser has probably cached +the HSTS policy and is automatically redirecting you back to HTTPS. You will need to clear your browser's +HSTS cache or use an incognito window / different browser. ### Basic Authentication Support diff --git a/nginx.tmpl b/nginx.tmpl index 855e90d..a276000 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -153,7 +153,9 @@ server { ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }}; {{ end }} + {{ if (ne $https_method "noredirect") }} add_header Strict-Transport-Security "max-age=31536000"; + {{ end }} {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }} include {{ printf "/etc/nginx/vhost.d/%s" $host }}; diff --git a/test/ssl.bats b/test/ssl.bats index b0b525f..e7e0eae 100644 --- a/test/ssl.bats +++ b/test/ssl.bats 
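Review bot: The `add_header Strict-Transport-Security "max-age=31536000";` line that is now wrapped in the `noredirect` check has no `always` parameter, so nginx attaches it only to a fixed set of success and redirect status codes and omits it on error responses such as a 502 from a stopped upstream. `add_header Strict-Transport-Security "max-age=31536000" always;` covers those responses as well. A template comment above the new `if` would record why the header is skipped, e.g. `{{/* no HSTS with noredirect: browsers would otherwise force HTTPS for the plain-HTTP site */}}`. The server block starts and ends outside the hunk.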
@@ -56,6 +56,35 @@ function setup { assert_200_https test.nginx-proxy.bats } +@test "[$TEST_FILE] test SSL Strict-Transport-Security" { + # WHEN + prepare_web_container bats-ssl-hosts-4 "80 443" \ + -e VIRTUAL_HOST=*.nginx-proxy.bats \ + -e CERT_NAME=nginx-proxy.bats + dockergen_wait_for_event $SUT_CONTAINER start bats-ssl-hosts-1 + sleep 1 + + # THEN + assert_301 test.nginx-proxy.bats + assert_200_https test.nginx-proxy.bats + assert_output -p "Strict-Transport-Security: max-age=31536000" +} + +@test "[$TEST_FILE] test HTTPS_METHOD=noredirect disables Strict-Transport-Security" { + # WHEN + prepare_web_container bats-ssl-hosts-5 "80 443" \ + -e VIRTUAL_HOST=*.nginx-proxy.bats \ + -e CERT_NAME=nginx-proxy.bats \ + -e HTTPS_METHOD=noredirect + dockergen_wait_for_event $SUT_CONTAINER start bats-ssl-hosts-3 + sleep 1 + + # THEN + assert_200 test.nginx-proxy.bats + assert_200_https test.nginx-proxy.bats + refute_output -p "Strict-Transport-Security: max-age=31536000" +} + @test "[$TEST_FILE] stop all bats containers" { stop_bats_containers From c256f31728eba1634c42684f0abb59c028dc79c6 Mon Sep 17 00:00:00 2001 From: Jason Wilder Date: Fri, 10 Jun 2016 20:08:10 -0600 Subject: [PATCH 57/77] Update nginx 1.9.15 --- Dockerfile | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index a3d2553..0e00b7c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM nginx:1.9.12 +FROM nginx:1.9.15 MAINTAINER Jason Wilder mail@jasonwilder.com # Install wget and install/updates certificates diff --git a/README.md b/README.md index 2e217be..f917ea6 100644 --- a/README.md +++ b/README.md 
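Review bot: Both new tests wait on the wrong container name: the Strict-Transport-Security test starts `bats-ssl-hosts-4` but calls `dockergen_wait_for_event $SUT_CONTAINER start bats-ssl-hosts-1`, and the noredirect test starts `bats-ssl-hosts-5` but waits for `bats-ssl-hosts-3`. The helper's body is not on this page, but if it matches an earlier start event for that name the wait returns at once, leaving only `sleep 1` between container start and the assertions. The HSTS checks could then run against the configuration left by a previous test. The lines should read `dockergen_wait_for_event $SUT_CONTAINER start bats-ssl-hosts-4` and `dockergen_wait_for_event $SUT_CONTAINER start bats-ssl-hosts-5`.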
@@ -1,4 +1,4 @@ -![nginx 1.9.12](https://img.shields.io/badge/nginx-1.9.12-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build](https://circleci.com/gh/jwilder/nginx-proxy.svg?&style=shield&circle-token=2da3ee844076a47371bd45da81cf27409ca7306a)](https://circleci.com/gh/jwilder/nginx-proxy) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') +![nginx 1.9.15](https://img.shields.io/badge/nginx-1.9.15-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build](https://circleci.com/gh/jwilder/nginx-proxy.svg?&style=shield&circle-token=2da3ee844076a47371bd45da81cf27409ca7306a)](https://circleci.com/gh/jwilder/nginx-proxy) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped. From 9b0138f9440c4ff218b2e0d9c84e5ef7c1039d4c Mon Sep 17 00:00:00 2001 From: Jason Wilder Date: Fri, 10 Jun 2016 20:11:58 -0600 Subject: [PATCH 58/77] Remove docker compose v2 notes --- README.md | 5 ----- 1 file changed, 5 deletions(-) diff --git a/README.md b/README.md index f917ea6..9e049fe 100644 --- a/README.md +++ b/README.md 
@@ -19,11 +19,6 @@ The containers being proxied must [expose](https://docs.docker.com/reference/run Provided your DNS is setup to forward foo.bar.com to the a host running nginx-proxy, the request will be routed to a container with the VIRTUAL_HOST env var set. -### Docker-compose - -Currently this does not work with the new v2 syntax of docker-compose (due to not being compatible with the new network overlay see [#304](https://github.com/jwilder/nginx-proxy/issues/304)). It does work when using the old docker-composer syntax. - - ### Multiple Ports If your container exposes multiple ports, nginx-proxy will default to the service running on port 80. If you need to specify a different port, you can set a VIRTUAL_PORT env var to select a different one. If your container only exposes one port and it has a VIRTUAL_HOST env var set, that port will be selected. From adf4573de4fc90977962dc129b6ca7d61ecc7e50 Mon Sep 17 00:00:00 2001 From: Jason Wilder Date: Sun, 12 Jun 2016 10:45:59 -0600 Subject: [PATCH 59/77] Remove Circle CI badge --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9e049fe..6f93a19 100644 --- a/README.md +++ b/README.md 
@@ -1,4 +1,4 @@ -![nginx 1.9.15](https://img.shields.io/badge/nginx-1.9.15-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build](https://circleci.com/gh/jwilder/nginx-proxy.svg?&style=shield&circle-token=2da3ee844076a47371bd45da81cf27409ca7306a)](https://circleci.com/gh/jwilder/nginx-proxy) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') +![nginx 1.9.15](https://img.shields.io/badge/nginx-1.9.15-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped. From 9c93efaef93e07ae8e2a050390cc410d08c4eb17 Mon Sep 17 00:00:00 2001 From: Jason Wilder Date: Sun, 12 Jun 2016 13:11:45 -0600 Subject: [PATCH 60/77] Fix template error when /etc/nginx/certs does not exist --- nginx.tmpl | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/nginx.tmpl b/nginx.tmpl index 855e90d..4716b75 100644 --- a/nginx.tmpl +++ b/nginx.tmpl 
@@ -112,11 +112,13 @@ upstream {{ $host }} { {{ $certName := (first (groupByKeys $containers "Env.CERT_NAME")) }} {{/* Get the best matching cert by name for the vhost. */}} +{{ $vhostCert := "" }} +{{ if exists "/etc/nginx/certs" }} {{ $vhostCert := (closest (dir "/etc/nginx/certs") (printf "%s.crt" $host))}} - -{{/* vhostCert is actually a filename so remove any suffixes since they are added later */}} -{{ $vhostCert := replace $vhostCert ".crt" "" -1 }} -{{ $vhostCert := replace $vhostCert ".key" "" -1 }} + {{/* vhostCert is actually a filename so remove any suffixes since they are added later */}} + {{ $vhostCert := replace $vhostCert ".crt" "" -1 }} + {{ $vhostCert := replace $vhostCert ".key" "" -1 }} +{{ end }} {{/* Use the cert specifid on the container or fallback to the best vhost match */}} {{ $cert := (coalesce $certName $vhostCert) }} From b325dad98d4c62f9267579e12d4f335cf5dfef25 Mon Sep 17 00:00:00 2001 From: Jason Wilder Date: Sun, 12 Jun 2016 13:54:48 -0600 Subject: [PATCH 61/77] Remove -only-exposed from Procfile --- Procfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Procfile b/Procfile index 8547156..0fa56e7 100644 --- a/Procfile +++ b/Procfile @@ -1,2 +1,2 @@ nginx: nginx -dockergen: docker-gen -watch -only-exposed -notify "nginx -s reload" /app/nginx.tmpl /etc/nginx/conf.d/default.conf +dockergen: docker-gen -watch -notify "nginx -s reload" /app/nginx.tmpl /etc/nginx/conf.d/default.conf From fdf93cafba28c2a110a1ec32472b4bce237551e3 Mon Sep 17 00:00:00 2001 From: Jason Wilder Date: Sun, 12 Jun 2016 13:55:18 -0600 Subject: [PATCH 62/77] Add docker-compose.yml v2 example --- README.md | 26 ++++++++++++++++++++++++++ docker-compose.yml | 15 +++++++++++++++ 2 files changed, 41 insertions(+) create mode 100644 docker-compose.yml diff --git a/README.md b/README.md index 6f93a19..93ea560 100644 --- a/README.md +++ b/README.md 
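Review bot: The `:=` statements inside the new `{{ if exists "/etc/nginx/certs" }}` block declare a fresh `$vhostCert` that goes out of scope at `{{ end }}`, so `coalesce $certName $vhostCert` afterwards sees only the outer `{{ $vhostCert := "" }}`. The likely effect is that a vhost without `CERT_NAME` never gets a certificate matched by file name and is generated as plain HTTP, with no template error to signal it. As far as I know the template language at this point has no way to assign to the outer variable. The lookup would then have to stay unconditional, `{{ $vhostCert := (closest (dir "/etc/nginx/certs") (printf "%s.crt" $host))}}`, with the missing-directory case handled elsewhere, for instance by making sure the directory exists in the image. A test that starts a web container without `CERT_NAME` and calls `assert_200_https` would catch the regression.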
@@ -19,6 +19,32 @@ The containers being proxied must [expose](https://docs.docker.com/reference/run Provided your DNS is setup to forward foo.bar.com to the a host running nginx-proxy, the request will be routed to a container with the VIRTUAL_HOST env var set. +### Docker Compose + +```yaml +version: '2' +services: + nginx-proxy: + image: jwilder/nginx-proxy + container_name: nginx-proxy + ports: + - "80:80" + volumes: + - /var/run/docker.sock:/tmp/docker.sock:ro + + whoami: + image: jwilder/whoami + container_name: whoami + environment: + - VIRTUAL_HOST=whoami.local +``` + +```shell +$ docker-compose up +$ curl -H "Host: whoami.local" localhost +I''m 5b129ab83266 +``` + ### Multiple Ports If your container exposes multiple ports, nginx-proxy will default to the service running on port 80. If you need to specify a different port, you can set a VIRTUAL_PORT env var to select a different one. If your container only exposes one port and it has a VIRTUAL_HOST env var set, that port will be selected. diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000..044f022 --- /dev/null +++ b/docker-compose.yml @@ -0,0 +1,15 @@ +version: '2' +services: + nginx-proxy: + image: jwilder/nginx-proxy + container_name: nginx-proxy + ports: + - "80:80" + volumes: + - /var/run/docker.sock:/tmp/docker.sock:ro + + whoami: + image: jwilder/whoami + environment: + - VIRTUAL_HOST=whoami.local + From a0dee5c833fc651cf77fc15a63069f0e34229cb7 Mon Sep 17 00:00:00 2001 From: Jason Wilder Date: Sun, 12 Jun 2016 15:25:32 -0600 Subject: [PATCH 63/77] Remove -only-exposed from separate container instructions --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 93ea560..5265408 100644 --- a/README.md +++ b/README.md 
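Review bot: The example mounts `/var/run/docker.sock` into the same container that publishes port 80. The `:ro` suffix only makes the bind mount of the socket file read-only and does not restrict which Docker API calls can be sent through it. A comment on the volume line would make that visible to people copying the file, e.g. `# gives this container control of the Docker daemon; :ro does not limit API calls`. Both images are referenced without a tag, so `docker-compose up` pulls whatever `latest` is at that moment; pinning a version would keep the example reproducible.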
@@ -105,7 +105,7 @@ Then start the docker-gen container with the shared volume and template: $ docker run --volumes-from nginx \ -v /var/run/docker.sock:/tmp/docker.sock:ro \ -v $(pwd):/etc/docker-gen/templates \ - -t jwilder/docker-gen -notify-sighup nginx -watch -only-exposed /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf + -t jwilder/docker-gen -notify-sighup nginx -watch /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf ``` Finally, start your containers with `VIRTUAL_HOST` environment variables. From 580517725febf392092a29f1bfce9473a558bc66 Mon Sep 17 00:00:00 2001 From: Jason Wilder Date: Mon, 13 Jun 2016 00:10:49 -0600 Subject: [PATCH 64/77] Revert 9c93efa --- nginx.tmpl | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/nginx.tmpl b/nginx.tmpl index 6104f53..eb00afe 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -112,13 +112,11 @@ upstream {{ $host }} { {{ $certName := (first (groupByKeys $containers "Env.CERT_NAME")) }} {{/* Get the best matching cert by name for the vhost. */}} -{{ $vhostCert := "" }} -{{ if exists "/etc/nginx/certs" }} {{ $vhostCert := (closest (dir "/etc/nginx/certs") (printf "%s.crt" $host))}} - {{/* vhostCert is actually a filename so remove any suffixes since they are added later */}} - {{ $vhostCert := replace $vhostCert ".crt" "" -1 }} - {{ $vhostCert := replace $vhostCert ".key" "" -1 }} -{{ end }} + +{{/* vhostCert is actually a filename so remove any suffixes since they are added later */}} +{{ $vhostCert := replace $vhostCert ".crt" "" -1 }} +{{ $vhostCert := replace $vhostCert ".key" "" -1 }} {{/* Use the cert specified on the container or fallback to the best vhost match */}} {{ $cert := (coalesce $certName $vhostCert) }} From 8ed5ab38b80175642b395d439904ebad846e0266 Mon Sep 17 00:00:00 2001 
From: Jason Wilder Date: Mon, 13 Jun 2016 00:22:50 -0600 Subject: [PATCH 65/77] Update to docker-gen 0.7.3 --- Dockerfile | 2 +- Makefile | 2 +- test/docker.bats | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 0e00b7c..f81ce48 100644 --- a/Dockerfile +++ b/Dockerfile @@ -17,7 +17,7 @@ RUN echo "daemon off;" >> /etc/nginx/nginx.conf \ ADD https://github.com/jwilder/forego/releases/download/v0.16.1/forego /usr/local/bin/forego RUN chmod u+x /usr/local/bin/forego -ENV DOCKER_GEN_VERSION 0.7.1 +ENV DOCKER_GEN_VERSION 0.7.3 RUN wget https://github.com/jwilder/docker-gen/releases/download/$DOCKER_GEN_VERSION/docker-gen-linux-amd64-$DOCKER_GEN_VERSION.tar.gz \ && tar -C /usr/local/bin -xvzf docker-gen-linux-amd64-$DOCKER_GEN_VERSION.tar.gz \ diff --git a/Makefile b/Makefile index 08f699f..7747344 100644 --- a/Makefile +++ b/Makefile @@ -2,7 +2,7 @@ .PHONY : test update-dependencies: - docker pull jwilder/docker-gen:0.7.1 + docker pull jwilder/docker-gen:0.7.3 docker pull nginx:1.9.12 docker pull python:3 docker pull rancher/socat-docker:latest diff --git a/test/docker.bats b/test/docker.bats index 673b24f..fc10226 100644 --- a/test/docker.bats +++ b/test/docker.bats @@ -74,7 +74,7 @@ load test_helpers -v $BATS_TEST_DIRNAME/../nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl:ro \ --volumes-from bats-nginx \ --expose 80 \ - jwilder/docker-gen:0.7.1 \ + jwilder/docker-gen:0.7.3 \ -notify-sighup bats-nginx \ -watch \ -only-exposed \ From 5f684d4fc5b5466f351492e94fc0c4279c9b6750 Mon Sep 17 00:00:00 2001 From: ryneeverett Date: Mon, 27 Jun 2016 01:26:39 -0400 Subject: [PATCH 66/77] Add docker-compose file for separate containers. Demonstrate that this pattern works. This is based on the example at . --- README.md | 10 +++++++- docker-compose-separate-containers.yml | 33 ++++++++++++++++++++++++++ 2 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 docker-compose-separate-containers.yml 
diff --git a/README.md b/README.md index b12c9c2..0a9fe79 100644 --- a/README.md +++ b/README.md @@ -42,7 +42,7 @@ services: ```shell $ docker-compose up $ curl -H "Host: whoami.local" localhost -I''m 5b129ab83266 +I'm 5b129ab83266 ``` ### Multiple Ports @@ -92,6 +92,14 @@ image and the official [nginx](https://registry.hub.docker.com/_/nginx/) image. You may want to do this to prevent having the docker socket bound to a publicly exposed container service. +You can demo this pattern with docker-compose: + +```console +$ docker-compose --file docker-compose-separate-containers.yml up +$ curl -H "Host: whoami.local" localhost +I'm 5b129ab83266 +``` + To run nginx proxy as a separate container you'll need to have [nginx.tmpl](https://github.com/jwilder/nginx-proxy/blob/master/nginx.tmpl) on your host system. First start nginx with a volume: diff --git a/docker-compose-separate-containers.yml b/docker-compose-separate-containers.yml new file mode 100644 index 0000000..dc41c01 --- /dev/null +++ b/docker-compose-separate-containers.yml @@ -0,0 +1,33 @@ +version: '2' +services: + nginx: + image: nginx + container_name: nginx + ports: + - "80:80" + volumes: + - /etc/nginx/conf.d + networks: + - proxy-tier + + dockergen: + image: jwilder/docker-gen + command: -notify-sighup nginx -watch /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf + volumes_from: + - nginx + volumes: + - /var/run/docker.sock:/tmp/docker.sock:ro + - ./nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl + networks: + - proxy-tier + + whoami: + image: jwilder/whoami + environment: + - VIRTUAL_HOST=whoami.local + networks: + - proxy-tier + +networks: + proxy-tier: + driver: bridge From 357d58ad9765900a0eb3579177f3fd1d395eaeb1 Mon Sep 17 00:00:00 2001 From: Steve Kamerman Date: Mon, 18 Jul 2016 13:34:37 -0400 Subject: [PATCH 67/77] Mitigate httpoxy attack (httpoxy.org, CVE-2016-(5385-5388,1000109-1000110) --- README.md | 1 + nginx.tmpl | 1 + 2 files changed, 2 insertions(+) 
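Review bot: The template bind `./nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl` in the `dockergen` service is writable, although docker-gen only needs to read it and the bats test on this page mounts the same file with `:ro`. `- ./nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl:ro` keeps the container that holds the Docker socket from modifying a file in the host checkout. `image: nginx` and `image: jwilder/docker-gen` are also untagged, unlike the pinned versions in the Dockerfile and Makefile.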
diff --git a/README.md b/README.md index b12c9c2..f54cc0b 100644 --- a/README.md +++ b/README.md @@ -205,6 +205,7 @@ proxy_set_header Connection $proxy_connection; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; +proxy_set_header Proxy ""; ``` ***NOTE***: If you provide this file it will replace the defaults; you may want to check the .tmpl file to make sure you have all of the needed options. diff --git a/nginx.tmpl b/nginx.tmpl index eb00afe..19a1274 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -51,6 +51,7 @@ proxy_set_header Connection $proxy_connection; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; +proxy_set_header Proxy ""; {{ end }} server { From fd127517b9dcdfb8b98b8e2d7d4f402ba0fda416 Mon Sep 17 00:00:00 2001 From: Steve Kamerman Date: Tue, 19 Jul 2016 11:03:41 -0400 Subject: [PATCH 68/77] Added comments about httpoxy --- README.md | 4 ++++ nginx.tmpl | 2 ++ 2 files changed, 6 insertions(+) diff --git a/README.md b/README.md index f54cc0b..53e8d5d 100644 --- a/README.md +++ b/README.md 
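Review bot: `proxy_set_header Proxy "";` is added inside the block of default proxy settings that closes at the following `{{ end }}`. The README in this series says a user-supplied file replaces those defaults, so deployments with their own proxy settings would not get the httpoxy mitigation. The opening of that block is outside the hunk, so this is inferred from the README wording. The README should say so explicitly, e.g. `If you replace the default proxy settings, add proxy_set_header Proxy ""; to your file.`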
@@ -205,11 +205,15 @@ proxy_set_header Connection $proxy_connection; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; + +# Mitigate httpoxy attack (see README for details) proxy_set_header Proxy ""; ``` ***NOTE***: If you provide this file it will replace the defaults; you may want to check the .tmpl file to make sure you have all of the needed options. +***NOTE***: The default configuration blocks the `Proxy` HTTP request header from being sent to downstream servers. This prevents attackers from using the so-called [httpoxy attack](http://httpoxy.org). There is no legitimate reason for a client to send this header, and there are many vulnerable languages / platforms (`CVE-2016-5385`, `CVE-2016-5386`, `CVE-2016-5387`, `CVE-2016-5388`, `CVE-2016-1000109`, `CVE-2016-1000110`, `CERT-VU#797896`). + #### Proxy-wide To add settings on a proxy-wide basis, add your configuration file under `/etc/nginx/conf.d` using a name ending in `.conf`. diff --git a/nginx.tmpl b/nginx.tmpl index 19a1274..0969564 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -51,6 +51,8 @@ proxy_set_header Connection $proxy_connection; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; + +# Mitigate httpoxy attack (see README for details) proxy_set_header Proxy ""; {{ end }} From 86c408bbdd6c90165dc63947eea10df3a7a739e7 Mon Sep 17 00:00:00 2001 From: hwang Date: Fri, 29 Jul 2016 21:17:14 +0200 Subject: [PATCH 69/77] upgrade nginx to 1.11.0 --- Dockerfile | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index f81ce48..f67283f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM nginx:1.9.15 +FROM nginx:1.11.0 MAINTAINER Jason Wilder mail@jasonwilder.com # Install wget and install/updates certificates 
diff --git a/README.md b/README.md index 53e8d5d..101784b 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -![nginx 1.9.15](https://img.shields.io/badge/nginx-1.9.15-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') +![nginx 1.11.0](https://img.shields.io/badge/nginx-1.11.0-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped. From 478ad17adb59808fecdaf1b7076d938460ba0108 Mon Sep 17 00:00:00 2001 From: ryneeverett Date: Fri, 29 Jul 2016 17:23:10 -0400 Subject: [PATCH 70/77] Remove proxy-tier network in favor of the default. As @huiwang pointed out, using a custom network is unnecessary since the default bridge network works just as well. --- docker-compose-separate-containers.yml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/docker-compose-separate-containers.yml b/docker-compose-separate-containers.yml index dc41c01..a4edb94 100644 --- a/docker-compose-separate-containers.yml +++ b/docker-compose-separate-containers.yml 
@@ -7,8 +7,6 @@ services: - "80:80" volumes: - /etc/nginx/conf.d - networks: - - proxy-tier dockergen: image: jwilder/docker-gen @@ -18,16 +16,8 @@ services: volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - ./nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl - networks: - - proxy-tier whoami: image: jwilder/whoami environment: - VIRTUAL_HOST=whoami.local - networks: - - proxy-tier - -networks: - proxy-tier: - driver: bridge From 03e863d838f9ef224cd78deccef3405e424dd317 Mon Sep 17 00:00:00 2001 From: hwang Date: Thu, 25 Aug 2016 20:16:37 +0200 Subject: [PATCH 71/77] upgrade nginx to 1.11.3 --- Dockerfile | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index f67283f..6d5ce9b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM nginx:1.11.0 +FROM nginx:1.11.3 MAINTAINER Jason Wilder mail@jasonwilder.com # Install wget and install/updates certificates diff --git a/README.md b/README.md index 101784b..e6e5404 100644 --- a/README.md +++ b/README.md 
@@ -1,4 +1,4 @@ -![nginx 1.11.0](https://img.shields.io/badge/nginx-1.11.0-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') +![nginx 1.11.3](https://img.shields.io/badge/nginx-1.11.3-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped. From c113e7ac82c80c95fa451b6fc689c05fbc60affa Mon Sep 17 00:00:00 2001 From: Christoph Date: Thu, 25 Aug 2016 20:22:35 +0200 Subject: [PATCH 72/77] Update .travis.yml --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index b6b1364..e850f08 100644 --- a/.travis.yml +++ b/.travis.yml @@ -4,7 +4,7 @@ services: env: global: - - DOCKER_VERSION=1.10.1-0~trusty + - DOCKER_VERSION=1.12.1-0~trusty before_install: # list docker-engine versions From 176b78943e13b20dd92de4c90b345905c909f0fc Mon Sep 17 00:00:00 2001 From: hwang Date: Thu, 25 Aug 2016 21:46:57 +0200 Subject: [PATCH 73/77] upgrade nginx to 1.11.3 in makefile --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Makefile b/Makefile index 7747344..74ae6bf 100644 --- a/Makefile +++ b/Makefile @@ -3,7 +3,7 @@ update-dependencies: docker pull jwilder/docker-gen:0.7.3 - docker pull nginx:1.9.12 + docker pull nginx:1.11.3 docker pull python:3 docker pull rancher/socat-docker:latest docker pull appropriate/curl:latest From 87879c1ee2f55e41f63088d478a7c57179decf51 Mon Sep 17 00:00:00 2001 From: Ruben Date: Thu, 1 Sep 2016 11:34:56 +0200 Subject: [PATCH 74/77] Update ciphers and HTST settings to get A+ rating The default config gets you an 'A' rating. Cipher settings are copied from [Mozilla SSL Configartion Generator](https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.1&openssl=1.0.1t&hsts=yes&profile=intermediate) --- nginx.tmpl | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/nginx.tmpl b/nginx.tmpl index 0969564..612decb 100644 --- a/nginx.tmpl +++ b/nginx.tmpl 
@@ -143,11 +143,12 @@ server { access_log /var/log/nginx/access.log vhost; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA; + ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; ssl_prefer_server_ciphers on; ssl_session_timeout 5m; ssl_session_cache shared:SSL:50m; + ssl_session_tickets off; ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }}; ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }}; 
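Review bot: The replacement `ssl_ciphers` string in the HTTPS server block has no comment naming the generator profile it came from, and it still ends with 3DES (`DES-CBC3-SHA`) and static-RSA suites while the unchanged `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` keeps the legacy protocol versions enabled. A line such as `# Mozilla "intermediate" profile; regenerate when the base image's OpenSSL changes` above it would tell maintainers which compatibility target those legacy entries serve and when they can be dropped. The DHE suites also depend on Diffie-Hellman parameters that are configured, if at all, outside this hunk. The server block starts and ends outside the hunk.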
@@ -157,7 +158,7 @@ server { {{ end }} {{ if (ne $https_method "noredirect") }} - add_header Strict-Transport-Security "max-age=31536000"; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; {{ end }} {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }} From 37323320c87a392e94f3c8e8e242afd314636fa1 Mon Sep 17 00:00:00 2001 From: mplx Date: Mon, 12 Sep 2016 09:46:59 +0200 Subject: [PATCH 75/77] do not enable HSTS for subdomains --- nginx.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx.tmpl b/nginx.tmpl index 980eace..1528b43 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -158,7 +158,7 @@ server { {{ end }} {{ if (ne $https_method "noredirect") }} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header Strict-Transport-Security "max-age=31536000"; {{ end }} {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }} From fe9a538ec8eb1a78f828d287fdc103cd32171b58 Mon Sep 17 00:00:00 2001 From: pvlg Date: Sat, 17 Sep 2016 16:53:01 +0300 Subject: [PATCH 76/77] Replace "replace" to "trimSuffix" I have a domain key-mydomain.com. When I add domain www.key-mydomain.com with ssl cert I did not get the desired result. Function replace cut name ssl cert "www.key-mydomain.com.key" to "www-mydomain.com". --- nginx.tmpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nginx.tmpl b/nginx.tmpl index 1528b43..d2caf82 100644 --- a/nginx.tmpl +++ b/nginx.tmpl 
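Review bot: The second hunk on this line (PATCH 75) removes `always` together with `includeSubDomains`, although the commit subject is only about subdomains. Without `always`, nginx adds the header only to a fixed set of success and redirect status codes, so error responses served by the proxy no longer carry HSTS. If that was not intended, keep `add_header Strict-Transport-Security "max-age=31536000" always;`. The `{{ if (ne $https_method "noredirect") }}` block is complete in the hunk, but the enclosing server block is not.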
@@ -118,8 +118,8 @@ upstream {{ $host }} { {{ $vhostCert := (closest (dir "/etc/nginx/certs") (printf "%s.crt" $host))}} {{/* vhostCert is actually a filename so remove any suffixes since they are added later */}} -{{ $vhostCert := replace $vhostCert ".crt" "" -1 }} -{{ $vhostCert := replace $vhostCert ".key" "" -1 }} +{{ $vhostCert := trimSuffix ".crt" $vhostCert }} +{{ $vhostCert := trimSuffix ".key" $vhostCert }} {{/* Use the cert specified on the container or fallback to the best vhost match */}} {{ $cert := (coalesce $certName $vhostCert) }} From 4661bf4dd9160932f8d42c22f7619dc66949362f Mon Sep 17 00:00:00 2001 From: Chulki Lee Date: Fri, 23 Sep 2016 21:58:06 -0700 Subject: [PATCH 77/77] add ssl_session_tickets to default site Fixes #580 --- nginx.tmpl | 1 + 1 file changed, 1 insertion(+) diff --git a/nginx.tmpl b/nginx.tmpl index d2caf82..9eb9520 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -70,6 +70,7 @@ server { access_log /var/log/nginx/access.log vhost; return 503; + ssl_session_tickets off; ssl_certificate /etc/nginx/certs/default.crt; ssl_certificate_key /etc/nginx/certs/default.key; }
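Review bot: The two `trimSuffix` calls in the first hunk run one after the other, so a certificate file whose base name itself ends in `.key` (a constructed example: `internal.key.crt`) would lose both suffixes and resolve to the wrong certificate name, the same kind of over-trimming this patch fixes for `replace`. Because the lookup is made with `printf "%s.crt" $host`, the second trim is only needed if `closest` can return a `.key` file name; that is not verifiable from this hunk. If it can, a comment such as `{{/* closest may match a .key file name, hence the second trim */}}` above the lines would record why both are kept.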
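Review bot: `ssl_session_tickets off;` is now repeated in the default 503 server (last hunk, PATCH 77) and in each generated HTTPS server block, which is how the default server came to be missed in the first place. nginx accepts this directive at `http` level, so a single `ssl_session_tickets off;` next to the other proxy-wide settings in nginx.tmpl would cover every server block, including ones added later. If it stays per server, a short comment such as `# keep in sync with the vhost server blocks` would explain why the default server needs it. The server block begins outside the hunk.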