diff --git a/README.md b/README.md
index e619e35..35a906b 100644
--- a/README.md
+++ b/README.md
@@ -81,9 +81,10 @@ To enable SSL:
 $ docker run -d -p 80:80 -p 443:443 -v /path/to/certs:/etc/nginx/certs -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy
 The contents of `/path/to/certs` should contain the certificates and private keys for any virtual
-hosts in use. The certificate and keys should be named after the virtual host with a `.crt` and
-`.key` extension. For example, a container with `VIRTUAL_HOST=foo.bar.com` should have a
-`foo.bar.com.crt` and `foo.bar.com.key` file in the certs directory.
+hosts in use. The certificate and keys should be named after the virtual host with either a `.pem` or
+`.crt` extension for certificates, and a `.key` extension for keys. If both `.pem` and `.crt` files
+exist, then the `.pem` file is used. For example, a container with `VIRTUAL_HOST=foo.bar.com` should have either a
+`foo.bar.com.pem` or `foo.bar.com.crt` file, and a `foo.bar.com.key` file in the certs directory.
 #### Diffie-Hellman Groups
@@ -93,14 +94,16 @@ should have a `foo.bar.com.dhparam.pem` file in the certs directory.
 #### Wildcard Certificates
-Wildcard certificates and keys should be name after the domain name with a `.crt` and `.key` extension.
-For example `VIRTUAL_HOST=foo.bar.com` would use cert name `bar.com.crt` and `bar.com.key`.
+Wildcard certificates and keys should be name after the domain name with either a `.pem` or
+`.crt` extension for certificates, and a `.key` extension for keys. If both `.pem` and `.crt` files
+exist, then the `.pem` file is used. For example `VIRTUAL_HOST=foo.bar.com` would use cert name `bar.com.pem`
+and `bar.com.key`.
 #### SNI
 If your certificate(s) supports multiple domain names, you can start a container with `CERT_NAME=` to identify the certificate to be used. For example, a certificate for `*.foo.com` and `*.bar.com`
-could be named `shared.crt` and `shared.key`. A container running with `VIRTUAL_HOST=foo.bar.com`
+could be named `shared.pem` (or `shared.crt`) and `shared.key`. A container running with `VIRTUAL_HOST=foo.bar.com`
 and `CERT_NAME=shared` will then use this shared cert.
 #### How SSL Support Works
@@ -117,9 +120,9 @@ is always preferred when available.
 * If the container does not have a usable cert, a 503 will be returned.
 Note that in the latter case, a browser may get an connection error as no certificate is available
-to establish a connection. A self-signed or generic cert named `default.crt` and `default.key`
+to establish a connection. A self-signed or generic cert named `default.pem` and `default.key`
 will allow a client browser to make a SSL connection (likely w/ a warning) and subsequently receive
-a 503.
+a 503. A `default.crt` file will be used if `default.pem` is not found.
 ### Basic Authentication Support
diff --git a/nginx.tmpl b/nginx.tmpl
index 255cc35..4b13c49 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -58,14 +58,19 @@ server {
 return 503;
 }
-{{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
+{{ if (and (or (exists "/etc/nginx/certs/default.pem") (exists "/etc/nginx/certs/default.crt")) (exists "/etc/nginx/certs/default.key")) }}
 server {
 server_name _; # This is just an invalid value which will never trigger on a real hostname.
 listen 443 ssl http2;
 access_log /var/log/nginx/access.log vhost;
 return 503;
- ssl_certificate /etc/nginx/certs/default.crt;
+ {{ if (exists "/etc/nginx/certs/default.pem") }}
+ ssl_certificate /etc/nginx/certs/default.pem;
+ {{ else }}
+ ssl_certificate /etc/nginx/certs/default.crt;
+ {{ end }}
+
 ssl_certificate_key /etc/nginx/certs/default.key;
 }
 {{ end }}
@@ -98,16 +103,17 @@ upstream {{ $host }} {
 {{ $certName := (first (groupByKeys $containers "Env.CERT_NAME")) }}
 {{/* Get the best matching cert by name for the vhost. */}}
-{{ $vhostCert := (closest (dir "/etc/nginx/certs") (printf "%s.crt" $host))}}
+{{ $vhostCert := (closest (dir "/etc/nginx/certs") (printf "%s.key" $host))}}
-{{/* vhostCert is actually a filename so remove any suffixes since they are added later */}}
+{{/* vhostCert is actually a filename so remove any suffixes since they are added later. */}}
 {{ $vhostCert := replace $vhostCert ".crt" "" -1 }}
+{{ $vhostCert := replace $vhostCert ".pem" "" -1 }}
 {{ $vhostCert := replace $vhostCert ".key" "" -1 }}
 {{/* Use the cert specifid on the container or fallback to the best vhost match */}}
 {{ $cert := (coalesce $certName $vhostCert) }}
-{{ if (and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}
+{{ if (and (ne $cert "") (or (exists (printf "/etc/nginx/certs/%s.pem" $cert)) (exists (printf "/etc/nginx/certs/%s.crt" $cert))) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}
 server {
 server_name {{ $host }};
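Review bot: The pem-or-crt selection for `ssl_certificate` in this hunk's default server is spelled out again verbatim in the vhost server at `@@ -128` and in the second default server at `@@ -183`, each with its own `exists` call on the `.pem` path that the enclosing `{{ if }}` has already made. Three copies of the same branch are where the `.pem`-over-`.crt` precedence the README now promises will drift apart the next time one of them is edited. A single `{{ define "ssl_certificate" }}` block taking the cert base name as its dot, holding the `exists`/`{{ else }}` branch once and emitting both the `ssl_certificate` and `ssl_certificate_key` directives, invoked as `{{ template "ssl_certificate" "default" }}` here and `{{ template "ssl_certificate" $cert }}` in the vhost server, would keep the three sites identical. The vhost `server {` block that the `@@ -128` copy sits in starts and ends outside its hunk.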
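Review bot: The added `{{ $vhostCert := replace $vhostCert ".pem" "" -1 }}` removes every occurrence of `.pem` from the matched filename, not only a trailing extension, so a host whose name contains that substring (constructed example: key file `app.pemco.example.key`) is reduced to `appco.example`, the `exists` checks in the `{{ if }}` below then fail, and that vhost ends up without its certificate. The pre-existing `.crt` and `.key` strips share this weakness; this hunk adds a third instance of it. Since `closest` is now always asked for `%s.key`, its result (a filename, as the hunk's own comment says) can only end in `.key` when it matches, so the `.crt` and `.pem` strips appear to do nothing useful and one suffix-anchored strip of `.key` would suffice — `trimSuffix` if the docker-gen in use provides it; a `replace` count of `1` would not help, as it removes the first occurrence rather than the last. The per-host template scope that `upstream {{ $host }} {` belongs to starts before and ends after this hunk.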
@@ -128,7 +134,12 @@ server {
 ssl_session_timeout 5m;
 ssl_session_cache shared:SSL:50m;
+ {{ if (exists (printf "/etc/nginx/certs/%s.pem" $cert)) }}
+ ssl_certificate /etc/nginx/certs/{{ (printf "%s.pem" $cert) }};
+ {{ else }}
 ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }};
+ {{ end }}
+
 ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }};
 {{ if (exists (printf "/etc/nginx/certs/%s.dhparam.pem" $cert)) }}
@@ -183,14 +194,19 @@ server {
 }
 }
-{{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
+{{ if (and (or (exists "/etc/nginx/certs/default.pem") (exists "/etc/nginx/certs/default.crt")) (exists "/etc/nginx/certs/default.key")) }}
 server {
 server_name {{ $host }};
 listen 443 ssl http2 {{ $default_server }};
 access_log /var/log/nginx/access.log vhost;
 return 503;
- ssl_certificate /etc/nginx/certs/default.crt;
+ {{ if (exists "/etc/nginx/certs/default.pem") }}
+ ssl_certificate /etc/nginx/certs/default.pem;
+ {{ else }}
+ ssl_certificate /etc/nginx/certs/default.crt;
+ {{ end }}
+
 ssl_certificate_key /etc/nginx/certs/default.key;
 }
 {{ end }}