From 76233f2032435b45ce6c6890d735c858ce4f1a97 Mon Sep 17 00:00:00 2001
From: neilpang
Date: Sat, 3 Jun 2017 16:31:21 +0800
Subject: [PATCH] add acme.sh to support auto ssl

---
 Dockerfile | 5 +++++
 Procfile | 4 +++-
 nginx.tmpl | 7 +++++++
 updatessl.sh | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 updatessl.sh

diff --git a/Dockerfile b/Dockerfile
index f8f76a1..f815a86 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,9 +6,12 @@ RUN apt-get update \
 && apt-get install -y -q --no-install-recommends \
 ca-certificates \
 wget \
+ cron \
 && apt-get clean \
 && rm -r /var/lib/apt/lists/*
 
+RUN AUTOUPGRADE=1 LE_WORKING_DIR=/acme.sh LE_CONFIG_HOME /acmecerts wget -O- https://get.acme.sh | sh
+
 # Configure Nginx and apply fix for very long server names
 RUN echo "daemon off;" >> /etc/nginx/nginx.conf \
 && sed -i 's/^http {/&\n server_names_hash_bucket_size 128;/g' /etc/nginx/nginx.conf
@@ -30,5 +33,7 @@ ENV DOCKER_HOST unix:///tmp/docker.sock
 
 VOLUME ["/etc/nginx/certs"]
 
+VOLUME ["/acmecerts"]
+
 ENTRYPOINT ["/app/docker-entrypoint.sh"]
 CMD ["forego", "start", "-r"]
diff --git a/Procfile b/Procfile
index 29fe166..f2b293a 100644
--- a/Procfile
+++ b/Procfile
@@ -1,2 +1,4 @@
-dockergen: docker-gen -watch -notify "nginx -s reload" /app/nginx.tmpl /etc/nginx/conf.d/default.conf
+dockergen: docker-gen -watch -notify "/app/updatessl.sh updatessl" /app/nginx.tmpl /etc/nginx/conf.d/default.conf
 nginx: nginx
+cron: cron
+
diff --git a/nginx.tmpl b/nginx.tmpl
index 20a4e6d..22583dc 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -103,6 +103,11 @@ server {
 {{ $host := index $sl 0 }}
 {{ $is_regexp := hasPrefix "~" $host }}
 {{ $upstream_name := when $is_regexp (sha1 $host) $host }}
+
+{{ $enable_acme := eq (or ($.Env.ENABLE_ACME) "") "true" }}
+{{ if $enable_acme }}
+#{{ACMD_DOMAINS $host_list}}
+{{ end }}
 # {{ $host }}
 upstream {{ $upstream_name }} {
 {{ range $container := $containers }}
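Review bot: The installer line `RUN AUTOUPGRADE=1 LE_WORKING_DIR=/acme.sh LE_CONFIG_HOME /acmecerts wget -O- https://get.acme.sh | sh` is missing the `=` after `LE_CONFIG_HOME`, so the shell treats `LE_CONFIG_HOME` as the command to run (with `/acmecerts wget -O- …` as its arguments); that command fails, `sh` reads an empty pipe and exits 0, and without `pipefail` the layer most likely builds successfully with acme.sh never installed at the `/acme.sh/acme.sh` path that updatessl.sh depends on. The fix is `RUN LE_WORKING_DIR=/acme.sh LE_CONFIG_HOME=/acmecerts wget -O- https://get.acme.sh | sh`. From a supply-chain standpoint, piping an unpinned remote script into `sh` at build time — and, if `AUTOUPGRADE=1` does what its name suggests, letting the running proxy fetch new acme.sh code at renewal time — means whatever get.acme.sh serves at that moment runs as root in the container that holds every site's private key; cloning the acme.sh repository at a fixed release tag and running `./acme.sh --install --home /acme.sh --config-home /acmecerts`, without `AUTOUPGRADE=1`, keeps upgrades an explicit, reviewable image rebuild.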
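Review bot: `VOLUME ["/acmecerts"]` is acme.sh's config home (the script passes `--config-home /acmecerts`), which as far as I know holds the ACME account private key and each domain's private key next to the issued certificates, so it is at least as sensitive as `/etc/nginx/certs` and anyone who can read the volume can impersonate every proxied site. A one-line comment above it would stop it being treated as a throwaway cache, e.g. `# acme.sh config home: ACME account key + issued private keys — protect like /etc/nginx/certs`.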
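Review bot: `cron: cron` is unlikely to stay supervised under forego: Debian's cron daemonizes on start unless given `-f`, so forego sees the process exit immediately and, because of `start -r`, keeps respawning it (later instances should then fail on the pid lock); run it in the foreground with `cron: cron -f`. The `-notify` change also replaces a cheap `nginx -s reload` with `/app/updatessl.sh updatessl`, which runs `acme.sh --issue` for every ACMD_DOMAINS entry on every container event; acme.sh skips certificates that are not yet due, but a container that flaps, or one whose VIRTUAL_HOST does not resolve to this proxy, will cause repeated failed validations that count against the CA's rate limits, so the script should skip hosts that already have a certificate on disk or cap retries. The body of updatessl.sh is in a later hunk.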
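Review bot: `#{{ACMD_DOMAINS $host_list}}` is, to Go's text/template parser, a call to a function named `ACMD_DOMAINS` that docker-gen does not define, so the template should fail at parse time and docker-gen would generate no configuration at all, whether or not `ENABLE_ACME` is set; judging from updatessl.sh's `grep ACMD_DOMAINS … | cut -d ' ' -f 2`, the intended output is a comment line `#ACMD_DOMAINS host1,host2`, i.e. `#ACMD_DOMAINS {{ $host_list }}`. The opt-in is also global: `$.Env.ENABLE_ACME` is the proxy container's own environment, so once it is set every VIRTUAL_HOST of every container on the host is fed to acme.sh, and any container that can set an environment variable can trigger issuance attempts for arbitrary names under this proxy's ACME account; a per-container flag (I believe docker-gen exposes each container's environment as `$container.Env` inside the `range`) would limit issuance to hosts that asked for it. The enclosing `range` over grouped hosts starts above this hunk.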
@@ -159,6 +164,7 @@ upstream {{ $upstream_name }} {
 server {
 server_name {{ replace $host_list "," " " -1 }};
 listen 80 {{ $default_server }};
+#location ^~ /.well-known/acme-challenge/ {default_type "text/plain";root html;} location = /.well-known/acme-challenge/ {try_files $uri =404;} #acme
 {{ if $enable_ipv6 }}
 listen [::]:80 {{ $default_server }};
 {{ end }}
@@ -226,6 +232,7 @@ server {
 server {
 server_name {{ replace $host_list "," " " -1 }};
 listen 80 {{ $default_server }};
+#location ^~ /.well-known/acme-challenge/ {default_type "text/plain";root html;} location = /.well-known/acme-challenge/ {try_files $uri =404;} #acme
 {{ if $enable_ipv6 }}
 listen [::]:80 {{ $default_server }};
 {{ end }}
diff --git a/updatessl.sh b/updatessl.sh
new file mode 100644
index 0000000..882fa9c
--- /dev/null
+++ b/updatessl.sh
@@ -0,0 +1,50 @@
+#!/usr/bin/env sh
+
+_SCRIPT_="$0"
+
+ACME_BIN="/acme.sh/acme.sh --home /acme.sh --config-home /acmecerts"
+
+DEFAULT_CONF="/etc/nginx/conf.d/default.conf"
+
+NGINX_HOME="/etc/nginx"
+
+CERTS="/etc/nginx/certs"
+
+
+updatessl() {
+
+ for d_list in $(grep ACMD_DOMAINS $DEFAULT_CONF | cut -d ' ' -f 2);
+ do
+ d=$(echo "$d_list" | cut -d , -f 1)
+ $ACME_BIN --issue \
+ -d $d_list \
+ -w $NGINX_HOME/html \
+ --pre-hook "$_SCRIPT_ pre_hook $DEFAULT_CONF" \
+ --post-hook "$_SCRIPT_ post_hook $DEFAULT_CONF" \
+ --fullchain-file "$CERTS\$d.crt" \
+ --key-file "$CERTS\$d.crt" \
+ --reloadcmd "service nginx configtest && service force-reload"
+ done
+
+ #generate nginx conf again.
+ docker-gen /app/nginx.tmpl /etc/nginx/conf.d/default.conf
+ service nginx configtest && service force-reload
+}
+
+
+
+pre_hook() {
+ _d_conf="$1"
+ sed -i "s|#\(location.*#acme\)|\\1|" $_d_conf && service nginx configtest && service force-reload
+}
+
+post_hook() {
+ _d_conf="$1"
+ sed -i "s|\(location.*#acme\)|#\\1|" $_d_conf
+}
+
+
+"$@"
+
+
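Review bot: The commented acme line uses `root html;`, a path relative to nginx's compile-time prefix, while updatessl.sh hands acme.sh `-w $NGINX_HOME/html`, i.e. `/etc/nginx/html`; the two only coincide if the base image was built with `--prefix=/etc/nginx` (true of the official nginx image, but not of Debian's package, where `html` resolves under /usr/share/nginx), so make the coupling explicit: `location ^~ /.well-known/acme-challenge/ {default_type "text/plain";root /etc/nginx/html;}`. If this port-80 server block also redirects to HTTPS with a server-level `return 301` (the rest of the block is outside the hunk, so I cannot confirm), that `return` runs in the server rewrite phase before location matching and would shadow the challenge location even after pre_hook uncomments it; the redirect would then have to live inside a `location /` block. The same line is added again in the hunk at +232, so both copies need the change.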
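Review bot: `--fullchain-file "$CERTS\$d.crt"` and `--key-file "$CERTS\$d.crt"` both escape the `$`, so both point at the literal path `/etc/nginx/certs$d.crt` (no slash, no domain), the private key and the chain are written to the same file with one overwriting the other, and nginx never gets the `<host>.crt`/`<host>.key` pair it expects — besides which a private key landing in a `.crt` file is easy to mishandle as public data. The fix is `--fullchain-file "$CERTS/$d.crt"` and `--key-file "$CERTS/$d.key"`; the three `service force-reload` calls (in `--reloadcmd`, which acme.sh stores and replays at cron renewal, at the end of `updatessl`, and in `pre_hook`) also lack the service name and should be `service nginx force-reload`. As far as I recall acme.sh takes one hostname per `-d`, so `-d $d_list` submits the whole comma-joined list as a single name; and since `$d_list` originates in other containers' `VIRTUAL_HOST` values, it should be quoted rather than left to word-splitting where it is interpolated into file paths and hook strings. Rewritten issuance loop:

```sh
updatessl() {
  for d_list in $(grep ACMD_DOMAINS "$DEFAULT_CONF" | cut -d ' ' -f 2); do
    d=$(echo "$d_list" | cut -d , -f 1)
    # acme.sh wants one -d per name: expand the comma-separated list into flags
    set --
    for name in $(echo "$d_list" | tr ',' ' '); do
      set -- "$@" -d "$name"
    done
    $ACME_BIN --issue "$@" \
      -w "$NGINX_HOME/html" \
      --pre-hook "$_SCRIPT_ pre_hook $DEFAULT_CONF" \
      --post-hook "$_SCRIPT_ post_hook $DEFAULT_CONF" \
      --fullchain-file "$CERTS/$d.crt" \
      --key-file "$CERTS/$d.key" \
      --reloadcmd "service nginx configtest && service nginx force-reload"
  done
  # … unchanged: regenerate default.conf with docker-gen …
  service nginx configtest && service nginx force-reload
}
```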