From 7984b7a7627ee8f22caee661177131a84406c89c Mon Sep 17 00:00:00 2001 From: mko Date: Sun, 22 Feb 2015 10:31:23 +0100 Subject: [PATCH] extended configuration options Optionally configure via new env vars: - max client body size - basic authentication message in prompt - ssl session timeout - http no service status code - auto redirect according to prefixes - set the prefix to auto aim at - set redirect direction from prefixed to without-prefix and vice-versa default behaviour stays as before --- Dockerfile | 18 +++++++++++++++++ nginx.tmpl | 59 +++++++++++++++++++++++++++++++++++++----------------- 2 files changed, 59 insertions(+), 18 deletions(-) diff --git a/Dockerfile b/Dockerfile index 221a0a1..a02c5bc 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,24 @@ FROM nginx:1.7.8 MAINTAINER https://m-ko-x.de Markus Kosmal +# set max size within a body +ENV GLOB_MAX_BODY_SIZE "10m" +# set default msg set within basic auth msg +ENV GLOB_AUTH_MSG "Restricted :" +# set default session timeout +ENV GLOB_SSL_SESSION_TIMEOUT "5m" +# default return code for errors +ENV GLOB_HTTP_NO_SERVICE "503" + +# enable some kind of prefix redirection +ENV AUTO_REDIRECT_WITH_PREFIX_ENABLED false +# set prefix to be used for auto redirect +ENV AUTO_REDIRECT_PREFIX "www" +# set direction +# - 0: redirect from prefix to non-prefix +# - 1: redirect from non-prefix to prefix +ENV AUTO_REDIRECT_DIRECTION 0 + # install packages RUN apt-get update \ && apt-get install -y -q --no-install-recommends \ diff --git a/nginx.tmpl b/nginx.tmpl index 9ad9791..bf3125e 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -21,6 +21,8 @@ log_format vhost '$host $remote_addr - $remote_user [$time_local] ' access_log /proc/self/fd/1 vhost; error_log /proc/self/fd/2; +client_max_body_size {{ "Env.MAX_BODY_SIZE" }}; + # HTTP 1.1 support proxy_http_version 1.1; proxy_buffering off; @@ -34,7 +36,7 @@ proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; server { listen 80 default_server; server_name _; # This is just an invalid value which will never trigger on a real hostname. - return 503; + return "Env.GLOB_HTTP_NO_SERVICE"; } {{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }} @@ -83,20 +85,34 @@ upstream {{ $host }} { {{ if (and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }} -server { - client_max_body_size 1000m; - server_name www.{{ $host }}; - rewrite ^(.*) https://{{ $host }}$1 permanent; -} + +{{ if (eq "Env.AUTO_REDIRECT_WITH_PREFIX_ENABLED" true) }} server { - client_max_body_size 1000m; + +{{ if (eq "Env.AUTO_REDIRECT_DIRECTION" 0) }} + + server_name {{ "Env.AUTO_REDIRECT_PREFIX" }}.{{ $host }}; + rewrite ^(.*) https://{{ $host }}$1 permanent; + +{{ else }} + + server_name {{ $host }}; + rewrite ^(.*) https://{{ "Env.AUTO_REDIRECT_PREFIX" }}.{{ $host }}$1 permanent; + +{{ end }} # AUTO_REDIRECT_DIRECTION end + +} + +{{ end }} # AUTO_REDIRECT_TARGET end + +# enforce ssl if enabled +server { server_name {{ $host }}; rewrite ^(.*) https://{{ $host }}$1 permanent; } server { - client_max_body_size 1000m; server_name {{ $host }}; listen 443 ssl; @@ -104,7 +120,7 @@ server { ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA; ssl_prefer_server_ciphers on; - ssl_session_timeout 5m; + ssl_session_timeout {{ "Env.GLOB_SSL_SESSION_TIMEOUT" }}; ssl_session_cache shared:SSL:50m; ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }}; @@ -115,27 +131,34 @@ server { location / { proxy_pass http://{{ $host }}; {{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }} - auth_basic "Restricted {{ $host }}"; + auth_basic '{{ "Env.GLOB_AUTH_MSG" }} {{ $host }}'; auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" $host) }}; {{ end }} } } {{ else }} -server { - client_max_body_size 1000m; - server_name www.{{ $host }}; - rewrite ^(.*) http://{{ $host }}$1 permanent; -} +{{ if (eq "Env.AUTO_REDIRECT_WITH_PREFIX_ENABLED" true) }} + +server { + {{ if (eq "Env.AUTO_REDIRECT_DIRECTION" 0) }} + server_name {{ "Env.AUTO_REDIRECT_PREFIX" }}.{{ $host }}; + rewrite ^(.*) http://{{ $host }}$1 permanent; + {{ else }} + server_name {{ $host }}; + rewrite ^(.*) http://{{ "Env.AUTO_REDIRECT_PREFIX" }}.{{ $host }}$1 permanent; + {{ end }} # AUTO_REDIRECT_DIRECTION end +} + +{{ end }} # AUTO_REDIRECT_WITH_PREFIX_ENABLED end server { - client_max_body_size 1000m; server_name {{ $host }}; location / { proxy_pass http://{{ $host }}; {{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }} - auth_basic "Restricted {{ $host }}"; + auth_basic '{{ "Env.GLOB_AUTH_MSG" }} {{ $host }}'; auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" $host) }}; {{ end }} } @@ -144,7 +167,7 @@ server { server { server_name {{ $host }}; listen 443 ssl; - return 503; + return "Env.GLOB_HTTP_NO_SERVICE"; {{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }} ssl_certificate /etc/nginx/certs/default.crt;