Fabio/nginx-proxy-auto-docker
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge 5e927d4ac3 into defed25585

Browse source
This commit is contained in:
David Li 2015-10-17 22:57:04 +00:00
commit 8313d9f9a1
2 changed files with 34 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
README.md
View file

@ -81,9 +81,10 @@ To enable SSL:
$ docker run -d -p 80:80 -p 443:443 -v /path/to/certs:/etc/nginx/certs -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy $ docker run -d -p 80:80 -p 443:443 -v /path/to/certs:/etc/nginx/certs -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy
The contents of `/path/to/certs` should contain the certificates and private keys for any virtual The contents of `/path/to/certs` should contain the certificates and private keys for any virtual
hosts in use. The certificate and keys should be named after the virtual host with a `.crt` and hosts in use. The certificate and keys should be named after the virtual host with either a `.pem` or
`.key` extension. For example, a container with `VIRTUAL_HOST=foo.bar.com` should have a `.crt` extension for certificates, and a `.key` extension for keys. If both `.pem` and `.crt` files
`foo.bar.com.crt` and `foo.bar.com.key` file in the certs directory. exist, then the `.pem` file is used. For example, a container with `VIRTUAL_HOST=foo.bar.com` should have either a
`foo.bar.com.pem` or `foo.bar.com.crt` file, and a `foo.bar.com.key` file in the certs directory.
#### Diffie-Hellman Groups #### Diffie-Hellman Groups
@ -93,14 +94,16 @@ should have a `foo.bar.com.dhparam.pem` file in the certs directory.
#### Wildcard Certificates #### Wildcard Certificates
Wildcard certificates and keys should be name after the domain name with a `.crt` and `.key` extension. Wildcard certificates and keys should be name after the domain name with either a `.pem` or
For example `VIRTUAL_HOST=foo.bar.com` would use cert name `bar.com.crt` and `bar.com.key`. `.crt` extension for certificates, and a `.key` extension for keys. If both `.pem` and `.crt` files
exist, then the `.pem` file is used. For example `VIRTUAL_HOST=foo.bar.com` would use cert name `bar.com.pem`
and `bar.com.key`.
#### SNI #### SNI
If your certificate(s) supports multiple domain names, you can start a container with `CERT_NAME=<name>` If your certificate(s) supports multiple domain names, you can start a container with `CERT_NAME=<name>`
to identify the certificate to be used. For example, a certificate for `*.foo.com` and `*.bar.com` to identify the certificate to be used. For example, a certificate for `*.foo.com` and `*.bar.com`
could be named `shared.crt` and `shared.key`. A container running with `VIRTUAL_HOST=foo.bar.com` could be named `shared.pem` (or `shared.crt`) and `shared.key`. A container running with `VIRTUAL_HOST=foo.bar.com`
and `CERT_NAME=shared` will then use this shared cert. and `CERT_NAME=shared` will then use this shared cert.
#### How SSL Support Works #### How SSL Support Works
@ -117,9 +120,9 @@ is always preferred when available.
* If the container does not have a usable cert, a 503 will be returned. * If the container does not have a usable cert, a 503 will be returned.
Note that in the latter case, a browser may get an connection error as no certificate is available Note that in the latter case, a browser may get an connection error as no certificate is available
to establish a connection. A self-signed or generic cert named `default.crt` and `default.key` to establish a connection. A self-signed or generic cert named `default.pem` and `default.key`
will allow a client browser to make a SSL connection (likely w/ a warning) and subsequently receive will allow a client browser to make a SSL connection (likely w/ a warning) and subsequently receive
a 503. a 503. A `default.crt` file will be used if `default.pem` is not found.
### Basic Authentication Support ### Basic Authentication Support

26
nginx.tmpl
View file

@ -58,14 +58,19 @@ server {
return 503; return 503;
} }
{{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }} {{ if (and (or (exists "/etc/nginx/certs/default.pem") (exists "/etc/nginx/certs/default.crt")) (exists "/etc/nginx/certs/default.key")) }}
server { server {
server_name _; # This is just an invalid value which will never trigger on a real hostname. server_name _; # This is just an invalid value which will never trigger on a real hostname.
listen 443 ssl http2; listen 443 ssl http2;
access_log /var/log/nginx/access.log vhost; access_log /var/log/nginx/access.log vhost;
return 503; return 503;
{{ if (exists "/etc/nginx/certs/default.pem") }}
ssl_certificate /etc/nginx/certs/default.pem;
{{ else }}
ssl_certificate /etc/nginx/certs/default.crt; ssl_certificate /etc/nginx/certs/default.crt;
{{ end }}
ssl_certificate_key /etc/nginx/certs/default.key; ssl_certificate_key /etc/nginx/certs/default.key;
} }
{{ end }} {{ end }}
@ -98,16 +103,17 @@ upstream {{ $host }} {
{{ $certName := (first (groupByKeys $containers "Env.CERT_NAME")) }} {{ $certName := (first (groupByKeys $containers "Env.CERT_NAME")) }}
{{/* Get the best matching cert by name for the vhost. */}} {{/* Get the best matching cert by name for the vhost. */}}
{{ $vhostCert := (closest (dir "/etc/nginx/certs") (printf "%s.crt" $host))}} {{ $vhostCert := (closest (dir "/etc/nginx/certs") (printf "%s.key" $host))}}
{{/* vhostCert is actually a filename so remove any suffixes since they are added later */}} {{/* vhostCert is actually a filename so remove any suffixes since they are added later. */}}
{{ $vhostCert := replace $vhostCert ".crt" "" -1 }} {{ $vhostCert := replace $vhostCert ".crt" "" -1 }}
{{ $vhostCert := replace $vhostCert ".pem" "" -1 }}
{{ $vhostCert := replace $vhostCert ".key" "" -1 }} {{ $vhostCert := replace $vhostCert ".key" "" -1 }}
{{/* Use the cert specifid on the container or fallback to the best vhost match */}} {{/* Use the cert specifid on the container or fallback to the best vhost match */}}
{{ $cert := (coalesce $certName $vhostCert) }} {{ $cert := (coalesce $certName $vhostCert) }}
{{ if (and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }} {{ if (and (ne $cert "") (or (exists (printf "/etc/nginx/certs/%s.pem" $cert)) (exists (printf "/etc/nginx/certs/%s.crt" $cert))) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}
server { server {
server_name {{ $host }}; server_name {{ $host }};
@ -128,7 +134,12 @@ server {
ssl_session_timeout 5m; ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m; ssl_session_cache shared:SSL:50m;
{{ if (exists (printf "/etc/nginx/certs/%s.pem" $cert)) }}
ssl_certificate /etc/nginx/certs/{{ (printf "%s.pem" $cert) }};
{{ else }}
ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }}; ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }};
{{ end }}
ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }}; ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }};
{{ if (exists (printf "/etc/nginx/certs/%s.dhparam.pem" $cert)) }} {{ if (exists (printf "/etc/nginx/certs/%s.dhparam.pem" $cert)) }}
@ -183,14 +194,19 @@ server {
} }
} }
{{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }} {{ if (and (or (exists "/etc/nginx/certs/default.pem") (exists "/etc/nginx/certs/default.crt")) (exists "/etc/nginx/certs/default.key")) }}
server { server {
server_name {{ $host }}; server_name {{ $host }};
listen 443 ssl http2 {{ $default_server }}; listen 443 ssl http2 {{ $default_server }};
access_log /var/log/nginx/access.log vhost; access_log /var/log/nginx/access.log vhost;
return 503; return 503;
{{ if (exists "/etc/nginx/certs/default.pem") }}
ssl_certificate /etc/nginx/certs/default.pem;
{{ else }}
ssl_certificate /etc/nginx/certs/default.crt; ssl_certificate /etc/nginx/certs/default.crt;
{{ end }}
ssl_certificate_key /etc/nginx/certs/default.key; ssl_certificate_key /etc/nginx/certs/default.key;
} }
{{ end }} {{ end }}