From 2f401447c7d1b60b1a7df1a634cb1770adf35dfd Mon Sep 17 00:00:00 2001
From: neilpang
Date: Sat, 3 Jun 2017 15:30:33 +0800
Subject: [PATCH 01/16] generate single server section for one container with multiple vhost domains.
---
 nginx.tmpl | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/nginx.tmpl b/nginx.tmpl
index a5b1d32..20a4e6d 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -98,7 +98,9 @@ server {
 }
 {{ end }}
-{{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }}
+{{ range $host_list, $containers := groupBy $ "Env.VIRTUAL_HOST" }}
+{{ $sl := split $host_list "," }}
+{{ $host := index $sl 0 }}
 {{ $is_regexp := hasPrefix "~" $host }}
 {{ $upstream_name := when $is_regexp (sha1 $host) $host }}
 # {{ $host }}
@@ -155,7 +157,7 @@ upstream {{ $upstream_name }} {
 {{ if eq $https_method "redirect" }}
 server {
- server_name {{ $host }};
+ server_name {{ replace $host_list "," " " -1 }};
 listen 80 {{ $default_server }};
 {{ if $enable_ipv6 }}
 listen [::]:80 {{ $default_server }};
@@ -166,7 +168,7 @@ server {
 {{ end }}
 server {
- server_name {{ $host }};
+ server_name {{ replace $host_list "," " " -1 }};
 listen 443 ssl http2 {{ $default_server }};
 {{ if $enable_ipv6 }}
 listen [::]:443 ssl http2 {{ $default_server }};
@@ -222,7 +224,7 @@ server {
 {{ if or (not $is_https) (eq $https_method "noredirect") }}
 server {
- server_name {{ $host }};
+ server_name {{ replreplace_placeholder_never_used }};
From: neilpang Date: Sat, 3 Jun 2017 16:31:21 +0800 Subject: [PATCH 02/16] add acme.sh to support auto ssl --- Dockerfile | 5 +++++ Procfile | 4 +++- nginx.tmpl | 7 +++++++ updatessl.sh | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 65 insertions(+), 1 deletion(-) create mode 100644 updatessl.sh diff --git a/Dockerfile b/Dockerfile index f8f76a1..f815a86 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,9 +6,12 @@ RUN apt-get update \ && apt-get install -y -q --no-install-recommends \ ca-certificates \ wget \ + cron \ && apt-get clean \ && rm -r /var/lib/apt/lists/* +RUN AUTOUPGRADE=1 LE_WORKING_DIR=/acme.sh LE_CONFIG_HOME /acmecerts wget -O- https://get.acme.sh | sh + # Configure Nginx and apply fix for very long server names RUN echo "daemon off;" >> /etc/nginx/nginx.conf \ && sed -i 's/^http {/&\n server_names_hash_bucket_size 128;/g' /etc/nginx/nginx.conf @@ -30,5 +33,7 @@ ENV DOCKER_HOST unix:///tmp/docker.sock VOLUME ["/etc/nginx/certs"] +VOLUME ["/acmecerts"] + ENTRYPOINT ["/app/docker-entrypoint.sh"] CMD ["forego", "start", "-r"] diff --git a/Procfile b/Procfile index 29fe166..f2b293a 100644 --- a/Procfile +++ b/Procfile @@ -1,2 +1,4 @@ -dockergen: docker-gen -watch -notify "nginx -s reload" /app/nginx.tmpl /etc/nginx/conf.d/default.conf +dockergen: docker-gen -watch -notify "/app/updatessl.sh updatessl" /app/nginx.tmpl /etc/nginx/conf.d/default.conf nginx: nginx +cron: cron + diff --git a/nginx.tmpl b/nginx.tmpl index 20a4e6d..22583dc 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -103,6 +103,11 @@ server { {{ $host := index $sl 0 }} {{ $is_regexp := hasPrefix "~" $host }} {{ $upstream_name := when $is_regexp (sha1 $host) $host }} + +{{ $enable_acme := eq (or ($.Env.ENABLE_ACME) "") "true" }} +{{ if $enable_acme }} +#{{ACMD_DOMAINS $host_list}} +{{ end }} # {{ $host }} upstream {{ $upstream_name }} { {{ range $container := $containers }} 
@@ -159,6 +164,7 @@ upstream {{ $upstream_name }} { server { server_name {{ replace $host_list "," " " -1 }}; listen 80 {{ $default_server }}; +#location ^~ /.well-known/acme-challenge/ {default_type "text/plain";root html;} location = /.well-known/acme-challenge/ {try_files $uri =404;} #acme {{ if $enable_ipv6 }} listen [::]:80 {{ $default_server }}; {{ end }} @@ -226,6 +232,7 @@ server { server { server_name {{ replace $host_list "," " " -1 }}; listen 80 {{ $default_server }}; +#location ^~ /.well-known/acme-challenge/ {default_type "text/plain";root html;} location = /.well-known/acme-challenge/ {try_files $uri =404;} #acme {{ if $enable_ipv6 }} listen [::]:80 {{ $default_server }}; {{ end }} diff --git a/updatessl.sh b/updatessl.sh new file mode 100644 index 0000000..882fa9c --- /dev/null +++ b/updatessl.sh @@ -0,0 +1,50 @@ +#!/usr/bin/env sh + +_SCRIPT_="$0" + +ACME_BIN="/acme.sh/acme.sh --home /acme.sh --config-home /acmecerts" + +DEFAULT_CONF="/etc/nginx/conf.d/default.conf" + +NGINX_HOME="/etc/nginx" + +CERTS="/etc/nginx/certs" + + +updatessl() { + + for d_list in $(grep ACMD_DOMAINS $DEFAULT_CONF | cut -d ' ' -f 2); + do + d=$(echo "$d_list" | cut -d , -f 1) + $ACME_BIN --issue \ + -d $d_list \ + -w $NGINX_HOME/html \ + --pre-hook "$_SCRIPT_ pre_hook $DEFAULT_CONF" \ + --post-hook "$_SCRIPT_ post_hook $DEFAULT_CONF" \ + --fullchain-file "$CERTS\$d.crt" \ + --key-file "$CERTS\$d.crt" \ + --reloadcmd "service nginx configtest && service force-reload" + done + + #generate nginx conf again. + docker-gen /app/nginx.tmpl /etc/nginx/conf.d/default.conf + service nginx configtest && service force-reload +} + + + +pre_hook() { + _d_conf="$1" + sed -i "s|#\(location.*#acme\)|\\1|" $_d_conf && service nginx configtest && service force-reload +} + +post_hook() { + _d_conf="$1" + sed -i "s|\(location.*#acme\)|#\\1|" $_d_conf +} + + +"$@" + + + From 508bbf7d020eada57c34f7999321efbc48b7587a Mon Sep 17 00:00:00 2001 
From: root Date: Sat, 3 Jun 2017 16:33:31 +0800 Subject: [PATCH 03/16] exmode --- updatessl.sh | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 updatessl.sh diff --git a/updatessl.sh b/updatessl.sh old mode 100644 new mode 100755 From 9ee4d49cb7a9b5619e4a4bec6b33e4841fefb4e1 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 3 Jun 2017 16:52:12 +0800 Subject: [PATCH 04/16] fix typos --- Dockerfile | 2 +- nginx.tmpl | 2 +- updatessl.sh | 34 +++++++++++++++++++--------------- 3 files changed, 21 insertions(+), 17 deletions(-) diff --git a/Dockerfile b/Dockerfile index f815a86..ead0378 100644 --- a/Dockerfile +++ b/Dockerfile @@ -10,7 +10,7 @@ RUN apt-get update \ && apt-get clean \ && rm -r /var/lib/apt/lists/* -RUN AUTOUPGRADE=1 LE_WORKING_DIR=/acme.sh LE_CONFIG_HOME /acmecerts wget -O- https://get.acme.sh | sh +RUN AUTOUPGRADE=1 LE_WORKING_DIR=/acme.sh LE_CONFIG_HOME=/acmecerts wget -O- https://get.acme.sh | sh # Configure Nginx and apply fix for very long server names RUN echo "daemon off;" >> /etc/nginx/nginx.conf \ diff --git a/nginx.tmpl b/nginx.tmpl index 22583dc..904e108 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -106,7 +106,7 @@ server { {{ $enable_acme := eq (or ($.Env.ENABLE_ACME) "") "true" }} {{ if $enable_acme }} -#{{ACMD_DOMAINS $host_list}} +#ACME_DOMAINS{{$host_list}} {{ end }} # {{ $host }} upstream {{ $upstream_name }} { diff --git a/updatessl.sh b/updatessl.sh index 882fa9c..92791da 100644 --- a/updatessl.sh +++ b/updatessl.sh 
@@ -13,22 +13,26 @@ CERTS="/etc/nginx/certs" updatessl() { - for d_list in $(grep ACMD_DOMAINS $DEFAULT_CONF | cut -d ' ' -f 2); - do - d=$(echo "$d_list" | cut -d , -f 1) - $ACME_BIN --issue \ - -d $d_list \ - -w $NGINX_HOME/html \ - --pre-hook "$_SCRIPT_ pre_hook $DEFAULT_CONF" \ - --post-hook "$_SCRIPT_ post_hook $DEFAULT_CONF" \ - --fullchain-file "$CERTS\$d.crt" \ - --key-file "$CERTS\$d.crt" \ - --reloadcmd "service nginx configtest && service force-reload" - done + if grep ACME_DOMAINS $DEFAULT_CONF ; then + for d_list in $(grep ACME_DOMAINS $DEFAULT_CONF | cut -d ' ' -f 2); + do + d=$(echo "$d_list" | cut -d , -f 1) + $ACME_BIN --issue \ + -d $d_list \ + -w $NGINX_HOME/html \ + --pre-hook "$_SCRIPT_ pre_hook $DEFAULT_CONF" \ + --post-hook "$_SCRIPT_ post_hook $DEFAULT_CONF" \ + --fullchain-file "$CERTS\$d.crt" \ + --key-file "$CERTS\$d.crt" \ + --reloadcmd "service nginx configtest && service force-reload" + done - #generate nginx conf again. - docker-gen /app/nginx.tmpl /etc/nginx/conf.d/default.conf - service nginx configtest && service force-reload + #generate nginx conf again. + docker-gen /app/nginx.tmpl /etc/nginx/conf.d/default.conf + service nginx configtest && service force-reload + else + echo "skip updatessl" + fi } From ecb0e29a2c3e372f60261b12fe0551d8de5b9dcb Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 3 Jun 2017 17:21:23 +0800 Subject: [PATCH 05/16] fix acme --- Dockerfile | 5 ++++- nginx.tmpl | 13 +++++++------ updatessl.sh | 16 +--------------- 3 files changed, 12 insertions(+), 22 deletions(-) diff --git a/Dockerfile b/Dockerfile index ead0378..08dd554 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -10,7 +10,10 @@ RUN apt-get update \ && apt-get clean \ && rm -r /var/lib/apt/lists/* -RUN AUTOUPGRADE=1 LE_WORKING_DIR=/acme.sh LE_CONFIG_HOME=/acmecerts wget -O- https://get.acme.sh | sh +ENV AUTOUPGRADE=1 +ENV LE_WORKING_DIR=/acme.sh +ENV LE_CONFIG_HOME=/acmecerts +RUN wget -O- https://get.acme.sh | sh # Configure Nginx and apply fix for very long server names RUN echo "daemon off;" >> /etc/nginx/nginx.conf \ diff --git a/nginx.tmpl b/nginx.tmpl index 904e108..33addb2 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -104,13 +104,16 @@ server { {{ $is_regexp := hasPrefix "~" $host }} {{ $upstream_name := when $is_regexp (sha1 $host) $host }} -{{ $enable_acme := eq (or ($.Env.ENABLE_ACME) "") "true" }} -{{ if $enable_acme }} -#ACME_DOMAINS{{$host_list}} -{{ end }} + # {{ $host }} upstream {{ $upstream_name }} { {{ range $container := $containers }} + +{{ $enable_acme := eq (or ($container.Env.ENABLE_ACME) "") "true" }} +{{ if $enable_acme }} +#ACME_DOMAINS{{$host_list}} +{{ end }} + {{ $addrLen := len $container.Addresses }} {{ range $knownNetwork := $CurrentContainer.Networks }} @@ -164,7 +167,6 @@ upstream {{ $upstream_name }} { server { server_name {{ replace $host_list "," " " -1 }}; listen 80 {{ $default_server }}; -#location ^~ /.well-known/acme-challenge/ {default_type "text/plain";root html;} location = /.well-known/acme-challenge/ {try_files $uri =404;} #acme {{ if $enable_ipv6 }} listen [::]:80 {{ $default_server }}; {{ end }} @@ -232,7 +234,6 @@ server { server { server_name {{ replace $host_list "," " " -1 }}; listen 80 {{ $default_server }}; -#location ^~ /.well-known/acme-challenge/ {default_type "text/plain";root html;} location = /.well-known/acme-challenge/ {try_files $uri =404;} #acme {{ if $enable_ipv6 }} listen [::]:80 {{ $default_server }}; {{ end }} diff --git a/updatessl.sh b/updatessl.sh index 92791da..deb7e53 100755 --- a/updatessl.sh +++ b/updatessl.sh 
@@ -6,7 +6,6 @@ ACME_BIN="/acme.sh/acme.sh --home /acme.sh --config-home /acmecerts" DEFAULT_CONF="/etc/nginx/conf.d/default.conf" -NGINX_HOME="/etc/nginx" CERTS="/etc/nginx/certs" @@ -19,9 +18,7 @@ updatessl() { d=$(echo "$d_list" | cut -d , -f 1) $ACME_BIN --issue \ -d $d_list \ - -w $NGINX_HOME/html \ - --pre-hook "$_SCRIPT_ pre_hook $DEFAULT_CONF" \ - --post-hook "$_SCRIPT_ post_hook $DEFAULT_CONF" \ + --nginx \ --fullchain-file "$CERTS\$d.crt" \ --key-file "$CERTS\$d.crt" \ --reloadcmd "service nginx configtest && service force-reload" @@ -37,17 +34,6 @@ updatessl() { -pre_hook() { - _d_conf="$1" - sed -i "s|#\(location.*#acme\)|\\1|" $_d_conf && service nginx configtest && service force-reload -} - -post_hook() { - _d_conf="$1" - sed -i "s|\(location.*#acme\)|#\\1|" $_d_conf -} - - "$@" From ceec29af2029ee273b3b38753dddb8852ff77341 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 3 Jun 2017 17:26:53 +0800 Subject: [PATCH 06/16] minor --- nginx.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx.tmpl b/nginx.tmpl index 33addb2..8a8de27 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -111,7 +111,7 @@ upstream {{ $upstream_name }} { {{ $enable_acme := eq (or ($container.Env.ENABLE_ACME) "") "true" }} {{ if $enable_acme }} -#ACME_DOMAINS{{$host_list}} +#ACME_DOMAINS {{$host_list}} {{ end }} {{ $addrLen := len $container.Addresses }} From 7facc23dc013b5687134d2655d7735c932d34aaa Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 3 Jun 2017 18:07:57 +0800 Subject: [PATCH 07/16] move listen 80 to the first line. --- nginx.tmpl | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/nginx.tmpl b/nginx.tmpl index 8a8de27..31ffd9b 100644 --- a/nginx.tmpl +++ b/nginx.tmpl 
@@ -73,22 +73,22 @@ proxy_set_header Proxy ""; {{ $enable_ipv6 := eq (or ($.Env.ENABLE_IPV6) "") "true" }} server { - server_name _; # This is just an invalid value which will never trigger on a real hostname. listen 80; {{ if $enable_ipv6 }} listen [::]:80; {{ end }} + server_name _; # This is just an invalid value which will never trigger on a real hostname. access_log /var/log/nginx/access.log vhost; return 503; } {{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }} server { - server_name _; # This is just an invalid value which will never trigger on a real hostname. listen 443 ssl http2; {{ if $enable_ipv6 }} listen [::]:443 ssl http2; {{ end }} + server_name _; # This is just an invalid value which will never trigger on a real hostname. access_log /var/log/nginx/access.log vhost; return 503; @@ -165,22 +165,22 @@ upstream {{ $upstream_name }} { {{ if eq $https_method "redirect" }} server { - server_name {{ replace $host_list "," " " -1 }}; listen 80 {{ $default_server }}; {{ if $enable_ipv6 }} listen [::]:80 {{ $default_server }}; {{ end }} + server_name {{ replace $host_list "," " " -1 }}; access_log /var/log/nginx/access.log vhost; return 301 https://$host$request_uri; } {{ end }} server { - server_name {{ replace $host_list "," " " -1 }}; - listen 443 ssl http2 {{ $default_server }}; + listen 443 ssl http2 {{ $default_server }}; {{ if $enable_ipv6 }} listen [::]:443 ssl http2 {{ $default_server }}; {{ end }} + server_name {{ replace $host_list "," " " -1 }}; access_log /var/log/nginx/access.log vhost; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
@@ -232,11 +232,11 @@ server { {{ if or (not $is_https) (eq $https_method "noredirect") }} server { - server_name {{ replace $host_list "," " " -1 }}; listen 80 {{ $default_server }}; {{ if $enable_ipv6 }} listen [::]:80 {{ $default_server }}; {{ end }} + server_name {{ replace $host_list "," " " -1 }}; access_log /var/log/nginx/access.log vhost; {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }} @@ -266,11 +266,11 @@ server { {{ if (and (not $is_https) (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }} server { - server_name {{ replace $host_list "," " " -1 }}; listen 443 ssl http2 {{ $default_server }}; {{ if $enable_ipv6 }} listen [::]:443 ssl http2 {{ $default_server }}; {{ end }} + server_name {{ replace $host_list "," " " -1 }}; access_log /var/log/nginx/access.log vhost; return 500; From d511153ee4da121ae5928d69b23870f4f3977315 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 3 Jun 2017 18:38:17 +0800 Subject: [PATCH 08/16] fix cron --- Procfile | 2 +- updatessl.sh | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Procfile b/Procfile index f2b293a..14b25ad 100644 --- a/Procfile +++ b/Procfile @@ -1,4 +1,4 @@ dockergen: docker-gen -watch -notify "/app/updatessl.sh updatessl" /app/nginx.tmpl /etc/nginx/conf.d/default.conf nginx: nginx -cron: cron +cron: cron && tail -f /dev/null diff --git a/updatessl.sh b/updatessl.sh index deb7e53..5ebd831 100755 --- a/updatessl.sh +++ b/updatessl.sh @@ -19,8 +19,8 @@ updatessl() { $ACME_BIN --issue \ -d $d_list \ --nginx \ - --fullchain-file "$CERTS\$d.crt" \ - --key-file "$CERTS\$d.crt" \ + --fullchain-file "$CERTS/$d.crt" \ + --key-file "$CERTS/$d.key" \ --reloadcmd "service nginx configtest && service force-reload" done From c2c069bd8f888821ae89da57374678bf916a5e49 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 3 Jun 2017 18:51:02 +0800 Subject: [PATCH 09/16] fix reload cmd --- updatessl.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/updatessl.sh b/updatessl.sh index 5ebd831..86c13d4 100755 --- a/updatessl.sh +++ b/updatessl.sh @@ -26,7 +26,7 @@ updatessl() { #generate nginx conf again. docker-gen /app/nginx.tmpl /etc/nginx/conf.d/default.conf - service nginx configtest && service force-reload + service nginx configtest && service nginx force-reload else echo "skip updatessl" fi From 0bf5903602c78c3f51f51bb2ebddfd265f8a00a4 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 3 Jun 2017 18:54:10 +0800 Subject: [PATCH 10/16] fix reload --- updatessl.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/updatessl.sh b/updatessl.sh index 86c13d4..0c964c4 100755 --- a/updatessl.sh +++ b/updatessl.sh @@ -21,7 +21,7 @@ updatessl() { --nginx \ --fullchain-file "$CERTS/$d.crt" \ --key-file "$CERTS/$d.key" \ - --reloadcmd "service nginx configtest && service force-reload" + --reloadcmd "service nginx configtest && service nginx force-reload" done #generate nginx conf again. From ac19d7387dabaa8f1d17ddc66c66adf5c346e6de Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 3 Jun 2017 19:32:29 +0800 Subject: [PATCH 11/16] Revert "move listen 80 to the first line." --- nginx.tmpl | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/nginx.tmpl b/nginx.tmpl index 31ffd9b..8a8de27 100644 --- a/nginx.tmpl +++ b/nginx.tmpl 
@@ -73,22 +73,22 @@ proxy_set_header Proxy ""; {{ $enable_ipv6 := eq (or ($.Env.ENABLE_IPV6) "") "true" }} server { + server_name _; # This is just an invalid value which will never trigger on a real hostname. listen 80; {{ if $enable_ipv6 }} listen [::]:80; {{ end }} - server_name _; # This is just an invalid value which will never trigger on a real hostname. access_log /var/log/nginx/access.log vhost; return 503; } {{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }} server { + server_name _; # This is just an invalid value which will never trigger on a real hostname. listen 443 ssl http2; {{ if $enable_ipv6 }} listen [::]:443 ssl http2; {{ end }} - server_name _; # This is just an invalid value which will never trigger on a real hostname. access_log /var/log/nginx/access.log vhost; return 503; @@ -165,22 +165,22 @@ upstream {{ $upstream_name }} { {{ if eq $https_method "redirect" }} server { + server_name {{ replace $host_list "," " " -1 }}; listen 80 {{ $default_server }}; {{ if $enable_ipv6 }} listen [::]:80 {{ $default_server }}; {{ end }} - server_name {{ replace $host_list "," " " -1 }}; access_log /var/log/nginx/access.log vhost; return 301 https://$host$request_uri; } {{ end }} server { - listen 443 ssl http2 {{ $default_server }}; + server_name {{ replace $host_list "," " " -1 }}; + listen 443 ssl http2 {{ $default_server }}; {{ if $enable_ipv6 }} listen [::]:443 ssl http2 {{ $default_server }}; {{ end }} - server_name {{ replace $host_list "," " " -1 }}; access_log /var/log/nginx/access.log vhost; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
@@ -232,11 +232,11 @@ server { {{ if or (not $is_https) (eq $https_method "noredirect") }} server { + server_name {{ replace $host_list "," " " -1 }}; listen 80 {{ $default_server }}; {{ if $enable_ipv6 }} listen [::]:80 {{ $default_server }}; {{ end }} - server_name {{ replace $host_list "," " " -1 }}; access_log /var/log/nginx/access.log vhost; {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }} @@ -266,11 +266,11 @@ server { {{ if (and (not $is_https) (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }} server { + server_name {{ replace $host_list "," " " -1 }}; listen 443 ssl http2 {{ $default_server }}; {{ if $enable_ipv6 }} listen [::]:443 ssl http2 {{ $default_server }}; {{ end }} - server_name {{ replace $host_list "," " " -1 }}; access_log /var/log/nginx/access.log vhost; return 500; From f4c77d13ddf136ed1bea4e2cbdc0f47b55739fae Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 3 Jun 2017 19:54:42 +0800 Subject: [PATCH 12/16] fix reload --- nginx.tmpl | 14 +++++++------- updatessl.sh | 2 +- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/nginx.tmpl b/nginx.tmpl index 8a8de27..31ffd9b 100644 --- a/nginx.tmpl +++ b/nginx.tmpl 
@@ -73,22 +73,22 @@ proxy_set_header Proxy ""; {{ $enable_ipv6 := eq (or ($.Env.ENABLE_IPV6) "") "true" }} server { - server_name _; # This is just an invalid value which will never trigger on a real hostname. listen 80; {{ if $enable_ipv6 }} listen [::]:80; {{ end }} + server_name _; # This is just an invalid value which will never trigger on a real hostname. access_log /var/log/nginx/access.log vhost; return 503; } {{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }} server { - server_name _; # This is just an invalid value which will never trigger on a real hostname. listen 443 ssl http2; {{ if $enable_ipv6 }} listen [::]:443 ssl http2; {{ end }} + server_name _; # This is just an invalid value which will never trigger on a real hostname. access_log /var/log/nginx/access.log vhost; return 503; @@ -165,22 +165,22 @@ upstream {{ $upstream_name }} { {{ if eq $https_method "redirect" }} server { - server_name {{ replace $host_list "," " " -1 }}; listen 80 {{ $default_server }}; {{ if $enable_ipv6 }} listen [::]:80 {{ $default_server }}; {{ end }} + server_name {{ replace $host_list "," " " -1 }}; access_log /var/log/nginx/access.log vhost; return 301 https://$host$request_uri; } {{ end }} server { - server_name {{ replace $host_list "," " " -1 }}; - listen 443 ssl http2 {{ $default_server }}; + listen 443 ssl http2 {{ $default_server }}; {{ if $enable_ipv6 }} listen [::]:443 ssl http2 {{ $default_server }}; {{ end }} + server_name {{ replace $host_list "," " " -1 }}; access_log /var/log/nginx/access.log vhost; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
@@ -232,11 +232,11 @@ server { {{ if or (not $is_https) (eq $https_method "noredirect") }} server { - server_name {{ replace $host_list "," " " -1 }}; listen 80 {{ $default_server }}; {{ if $enable_ipv6 }} listen [::]:80 {{ $default_server }}; {{ end }} + server_name {{ replace $host_list "," " " -1 }}; access_log /var/log/nginx/access.log vhost; {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }} @@ -266,11 +266,11 @@ server { {{ if (and (not $is_https) (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }} server { - server_name {{ replace $host_list "," " " -1 }}; listen 443 ssl http2 {{ $default_server }}; {{ if $enable_ipv6 }} listen [::]:443 ssl http2 {{ $default_server }}; {{ end }} + server_name {{ replace $host_list "," " " -1 }}; access_log /var/log/nginx/access.log vhost; return 500; diff --git a/updatessl.sh b/updatessl.sh index 0c964c4..f939967 100755 --- a/updatessl.sh +++ b/updatessl.sh @@ -26,10 +26,10 @@ updatessl() { #generate nginx conf again. docker-gen /app/nginx.tmpl /etc/nginx/conf.d/default.conf - service nginx configtest && service nginx force-reload else echo "skip updatessl" fi + service nginx configtest && service nginx force-reload } From a333e242ff17f7427fe4a745ba06403398ba5cf0 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 3 Jun 2017 20:31:56 +0800 Subject: [PATCH 13/16] move server name back --- nginx.tmpl | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/nginx.tmpl b/nginx.tmpl index 31ffd9b..8a8de27 100644 --- a/nginx.tmpl +++ b/nginx.tmpl 
@@ -73,22 +73,22 @@ proxy_set_header Proxy ""; {{ $enable_ipv6 := eq (or ($.Env.ENABLE_IPV6) "") "true" }} server { + server_name _; # This is just an invalid value which will never trigger on a real hostname. listen 80; {{ if $enable_ipv6 }} listen [::]:80; {{ end }} - server_name _; # This is just an invalid value which will never trigger on a real hostname. access_log /var/log/nginx/access.log vhost; return 503; } {{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }} server { + server_name _; # This is just an invalid value which will never trigger on a real hostname. listen 443 ssl http2; {{ if $enable_ipv6 }} listen [::]:443 ssl http2; {{ end }} - server_name _; # This is just an invalid value which will never trigger on a real hostname. access_log /var/log/nginx/access.log vhost; return 503; @@ -165,22 +165,22 @@ upstream {{ $upstream_name }} { {{ if eq $https_method "redirect" }} server { + server_name {{ replace $host_list "," " " -1 }}; listen 80 {{ $default_server }}; {{ if $enable_ipv6 }} listen [::]:80 {{ $default_server }}; {{ end }} - server_name {{ replace $host_list "," " " -1 }}; access_log /var/log/nginx/access.log vhost; return 301 https://$host$request_uri; } {{ end }} server { - listen 443 ssl http2 {{ $default_server }}; + server_name {{ replace $host_list "," " " -1 }}; + listen 443 ssl http2 {{ $default_server }}; {{ if $enable_ipv6 }} listen [::]:443 ssl http2 {{ $default_server }}; {{ end }} - server_name {{ replace $host_list "," " " -1 }}; access_log /var/log/nginx/access.log vhost; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
@@ -232,11 +232,11 @@ server { {{ if or (not $is_https) (eq $https_method "noredirect") }} server { + server_name {{ replace $host_list "," " " -1 }}; listen 80 {{ $default_server }}; {{ if $enable_ipv6 }} listen [::]:80 {{ $default_server }}; {{ end }} - server_name {{ replace $host_list "," " " -1 }}; access_log /var/log/nginx/access.log vhost; {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }} @@ -266,11 +266,11 @@ server { {{ if (and (not $is_https) (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }} server { + server_name {{ replace $host_list "," " " -1 }}; listen 443 ssl http2 {{ $default_server }}; {{ if $enable_ipv6 }} listen [::]:443 ssl http2 {{ $default_server }}; {{ end }} - server_name {{ replace $host_list "," " " -1 }}; access_log /var/log/nginx/access.log vhost; return 500; From f8542b6515bec3bac460c0a5b09b9ceec15ad461 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 3 Jun 2017 20:48:18 +0800 Subject: [PATCH 14/16] EXPOSE 443 --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index 08dd554..af68e17 100644 --- a/Dockerfile +++ b/Dockerfile @@ -37,6 +37,7 @@ ENV DOCKER_HOST unix:///tmp/docker.sock VOLUME ["/etc/nginx/certs"] VOLUME ["/acmecerts"] +EXPOSE 443 ENTRYPOINT ["/app/docker-entrypoint.sh"] CMD ["forego", "start", "-r"] From cd1e368128b265785fb380a64fb9c398c3e80f70 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 3 Jun 2017 21:32:15 +0800 Subject: [PATCH 15/16] update doc for letsencrypt --- README.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 34ef8fb..a5858ed 100644 --- a/README.md +++ b/README.md 
@@ -149,7 +149,14 @@ Finally, start your containers with `VIRTUAL_HOST` environment variables. $ docker run -e VIRTUAL_HOST=foo.bar.com ... ### SSL Support using letsencrypt -[letsencrypt-nginx-proxy-companion](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion) is a lightweight companion container for the nginx-proxy. It allow the creation/renewal of Let's Encrypt certificates automatically. +Just set `ENABLE_ACME` to `true`: + +``` +docker run -e VIRTUAL_HOST=foo.bar.com -e ENABLE_ACME=true ... + +``` + +It will generate the certs from letsencrypt and renew the cert in future automatically. ### SSL Support From 4e884e2258e6be2e5196771ca35a27c87959fa45 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sun, 4 Jun 2017 21:37:41 +0800 Subject: [PATCH 16/16] fix typo --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index af68e17..4ef2c70 100644 --- a/Dockerfile +++ b/Dockerfile @@ -10,7 +10,7 @@ RUN apt-get update \ && apt-get clean \ && rm -r /var/lib/apt/lists/* -ENV AUTOUPGRADE=1 +ENV AUTO_UPGRADE=1 ENV LE_WORKING_DIR=/acme.sh ENV LE_CONFIG_HOME=/acmecerts RUN wget -O- https://get.acme.sh | sh