diff --git a/Dockerfile b/Dockerfile index f8f76a1..4ef2c70 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,9 +6,15 @@ RUN apt-get update \ && apt-get install -y -q --no-install-recommends \ ca-certificates \ wget \ + cron \ && apt-get clean \ && rm -r /var/lib/apt/lists/* +ENV AUTO_UPGRADE=1 +ENV LE_WORKING_DIR=/acme.sh +ENV LE_CONFIG_HOME=/acmecerts +RUN wget -O- https://get.acme.sh | sh + # Configure Nginx and apply fix for very long server names RUN echo "daemon off;" >> /etc/nginx/nginx.conf \ && sed -i 's/^http {/&\n server_names_hash_bucket_size 128;/g' /etc/nginx/nginx.conf @@ -30,5 +36,8 @@ ENV DOCKER_HOST unix:///tmp/docker.sock VOLUME ["/etc/nginx/certs"] +VOLUME ["/acmecerts"] +EXPOSE 443 + ENTRYPOINT ["/app/docker-entrypoint.sh"] CMD ["forego", "start", "-r"] diff --git a/Procfile b/Procfile index 29fe166..14b25ad 100644 --- a/Procfile +++ b/Procfile @@ -1,2 +1,4 @@ -dockergen: docker-gen -watch -notify "nginx -s reload" /app/nginx.tmpl /etc/nginx/conf.d/default.conf +dockergen: docker-gen -watch -notify "/app/updatessl.sh updatessl" /app/nginx.tmpl /etc/nginx/conf.d/default.conf nginx: nginx +cron: cron && tail -f /dev/null + diff --git a/README.md b/README.md index 34ef8fb..a5858ed 100644 --- a/README.md +++ b/README.md @@ -149,7 +149,14 @@ Finally, start your containers with `VIRTUAL_HOST` environment variables. $ docker run -e VIRTUAL_HOST=foo.bar.com ... ### SSL Support using letsencrypt -[letsencrypt-nginx-proxy-companion](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion) is a lightweight companion container for the nginx-proxy. It allow the creation/renewal of Let's Encrypt certificates automatically. +Just set `ENABLE_ACME` to `true`: + +``` +docker run -e VIRTUAL_HOST=foo.bar.com -e ENABLE_ACME=true ... + +``` + +It will generate the certs from letsencrypt and renew the cert in future automatically. ### SSL Support diff --git a/nginx.tmpl b/nginx.tmpl index a5b1d32..8a8de27 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -98,12 +98,22 @@ server { } {{ end }} -{{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }} +{{ range $host_list, $containers := groupBy $ "Env.VIRTUAL_HOST" }} +{{ $sl := split $host_list "," }} +{{ $host := index $sl 0 }} {{ $is_regexp := hasPrefix "~" $host }} {{ $upstream_name := when $is_regexp (sha1 $host) $host }} + + # {{ $host }} upstream {{ $upstream_name }} { {{ range $container := $containers }} + +{{ $enable_acme := eq (or ($container.Env.ENABLE_ACME) "") "true" }} +{{ if $enable_acme }} +#ACME_DOMAINS {{$host_list}} +{{ end }} + {{ $addrLen := len $container.Addresses }} {{ range $knownNetwork := $CurrentContainer.Networks }} @@ -155,7 +165,7 @@ upstream {{ $upstream_name }} { {{ if eq $https_method "redirect" }} server { - server_name {{ $host }}; + server_name {{ replace $host_list "," " " -1 }}; listen 80 {{ $default_server }}; {{ if $enable_ipv6 }} listen [::]:80 {{ $default_server }}; @@ -166,7 +176,7 @@ server { {{ end }} server { - server_name {{ $host }}; + server_name {{ replace $host_list "," " " -1 }}; listen 443 ssl http2 {{ $default_server }}; {{ if $enable_ipv6 }} listen [::]:443 ssl http2 {{ $default_server }}; @@ -222,7 +232,7 @@ server { {{ if or (not $is_https) (eq $https_method "noredirect") }} server { - server_name {{ $host }}; + server_name {{ replace $host_list "," " " -1 }}; listen 80 {{ $default_server }}; {{ if $enable_ipv6 }} listen [::]:80 {{ $default_server }}; @@ -256,7 +266,7 @@ server { {{ if (and (not $is_https) (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }} server { - server_name {{ $host }}; + server_name {{ replace $host_list "," " " -1 }}; listen 443 ssl http2 {{ $default_server }}; {{ if $enable_ipv6 }} listen [::]:443 ssl http2 {{ $default_server }}; diff --git a/updatessl.sh b/updatessl.sh new file mode 100755 index 0000000..f939967 --- /dev/null +++ b/updatessl.sh @@ -0,0 +1,40 @@ +#!/usr/bin/env sh + +_SCRIPT_="$0" + +ACME_BIN="/acme.sh/acme.sh --home /acme.sh --config-home /acmecerts" + +DEFAULT_CONF="/etc/nginx/conf.d/default.conf" + + +CERTS="/etc/nginx/certs" + + +updatessl() { + + if grep ACME_DOMAINS $DEFAULT_CONF ; then + for d_list in $(grep ACME_DOMAINS $DEFAULT_CONF | cut -d ' ' -f 2); + do + d=$(echo "$d_list" | cut -d , -f 1) + $ACME_BIN --issue \ + -d $d_list \ + --nginx \ + --fullchain-file "$CERTS/$d.crt" \ + --key-file "$CERTS/$d.key" \ + --reloadcmd "service nginx configtest && service nginx force-reload" + done + + #generate nginx conf again. + docker-gen /app/nginx.tmpl /etc/nginx/conf.d/default.conf + else + echo "skip updatessl" + fi + service nginx configtest && service nginx force-reload +} + + + +"$@" + + +