Fabio/nginx-proxy-auto-docker
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'master' of https://github.com/christhomas/nginx-proxy

Browse source
This commit is contained in:
Chris Thomas 2019-03-28 14:14:30 +01:00
commit a55e253a67
11 changed files with 50 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
Dockerfile
View file

@ -1,4 +1,4 @@
FROM nginx:1.14 FROM nginx:1.14.1
LABEL maintainer="Jason Wilder mail@jasonwilder.com" LABEL maintainer="Jason Wilder mail@jasonwilder.com"
# Install wget and install/updates certificates # Install wget and install/updates certificates

2
Dockerfile.alpine
View file

@ -1,4 +1,4 @@
FROM nginx:1.14-alpine FROM nginx:1.14.1-alpine
LABEL maintainer="Jason Wilder mail@jasonwilder.com" LABEL maintainer="Jason Wilder mail@jasonwilder.com"
# Install wget and install/updates certificates # Install wget and install/updates certificates

26
README.md
View file

@ -1,5 +1,5 @@
![latest 0.7.0](https://img.shields.io/badge/latest-0.7.0-green.svg?style=flat) ![latest 0.7.0](https://img.shields.io/badge/latest-0.7.0-green.svg?style=flat)
![nginx 1.14](https://img.shields.io/badge/nginx-1.14-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') ![nginx 1.14.1](https://img.shields.io/badge/nginx-1.14-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub')
nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped. nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped.
@ -181,8 +181,12 @@ Finally, start your containers with `VIRTUAL_HOST` environment variables.
$ docker run -e VIRTUAL_HOST=foo.bar.com ... $ docker run -e VIRTUAL_HOST=foo.bar.com ...
### SSL Support using letsencrypt ### SSL Support using letsencrypt
[letsencrypt-nginx-proxy-companion](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion) is a lightweight companion container for the nginx-proxy. It allow the creation/renewal of Let's Encrypt certificates automatically. [letsencrypt-nginx-proxy-companion](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion) is a lightweight companion container for the nginx-proxy. It allow the creation/renewal of Let's Encrypt certificates automatically.
Set `DHPARAM_GENERATION` environment variable to `false` to disabled Diffie-Hellman parameters completely. This will also ignore auto-generation made by `nginx-proxy`.
The default value is `true`
$ docker run -e DHPARAM_GENERATION=false ....
### SSL Support ### SSL Support
SSL is supported using single host, wildcard and SNI certificates using naming conventions for SSL is supported using single host, wildcard and SNI certificates using naming conventions for
@ -214,7 +218,7 @@ at startup. Since it can take minutes to generate a new `dhparam.pem`, it is do
background. Once generation is complete, the `dhparam.pem` is saved on a persistent volume and nginx background. Once generation is complete, the `dhparam.pem` is saved on a persistent volume and nginx
is reloaded. This generation process only occurs the first time you start `nginx-proxy`. is reloaded. This generation process only occurs the first time you start `nginx-proxy`.
> COMPATIBILITY WARNING: The default generated `dhparam.pem` key is 2048 bits for A+ security. Some > COMPATIBILITY WARNING: The default generated `dhparam.pem` key is 2048 bits for A+ security. Some
> older clients (like Java 6 and 7) do not support DH keys with over 1024 bits. In order to support these > older clients (like Java 6 and 7) do not support DH keys with over 1024 bits. In order to support these
> clients, you must either provide your own `dhparam.pem`, or tell `nginx-proxy` to generate a 1024-bit > clients, you must either provide your own `dhparam.pem`, or tell `nginx-proxy` to generate a 1024-bit
> key on startup by passing `-e DHPARAM_BITS=1024`. > key on startup by passing `-e DHPARAM_BITS=1024`.
@ -282,12 +286,12 @@ a 500.
To serve traffic in both SSL and non-SSL modes without redirecting to SSL, you can include the To serve traffic in both SSL and non-SSL modes without redirecting to SSL, you can include the
environment variable `HTTPS_METHOD=noredirect` (the default is `HTTPS_METHOD=redirect`). You can also environment variable `HTTPS_METHOD=noredirect` (the default is `HTTPS_METHOD=redirect`). You can also
disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`, or disable the HTTPS site with disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`, or disable the HTTPS site with
`HTTPS_METHOD=nohttps`. `HTTPS_METHOD` must be specified on each container for which you want to `HTTPS_METHOD=nohttps`. `HTTPS_METHOD` must be specified on each container for which you want to
override the default behavior. If `HTTPS_METHOD=noredirect` is used, Strict Transport Security (HSTS) override the default behavior. If `HTTPS_METHOD=noredirect` is used, Strict Transport Security (HSTS)
is disabled to prevent HTTPS users from being redirected by the client. If you cannot get to the HTTP is disabled to prevent HTTPS users from being redirected by the client. If you cannot get to the HTTP
site after changing this setting, your browser has probably cached the HSTS policy and is automatically site after changing this setting, your browser has probably cached the HSTS policy and is automatically
redirecting you back to HTTPS. You will need to clear your browser's HSTS cache or use an incognito redirecting you back to HTTPS. You will need to clear your browser's HSTS cache or use an incognito
window / different browser. window / different browser.
By default, [HTTP Strict Transport Security (HSTS)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) By default, [HTTP Strict Transport Security (HSTS)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security)
@ -410,7 +414,7 @@ Before submitting pull requests or issues, please check github to make sure an e
To run tests, you need to prepare the docker image to test which must be tagged `jwilder/nginx-proxy:test`: To run tests, you need to prepare the docker image to test which must be tagged `jwilder/nginx-proxy:test`:
docker build -t jwilder/nginx-proxy:test . # build the Debian variant image docker build -t jwilder/nginx-proxy:test . # build the Debian variant image
and call the [test/pytest.sh](test/pytest.sh) script. and call the [test/pytest.sh](test/pytest.sh) script.
Then build the Alpine variant of the image: Then build the Alpine variant of the image:
@ -423,7 +427,7 @@ and call the [test/pytest.sh](test/pytest.sh) script again.
If your system has the `make` command, you can automate those tasks by calling: If your system has the `make` command, you can automate those tasks by calling:
make test make test
You can learn more about how the test suite works and how to write new tests in the [test/README.md](test/README.md) file. You can learn more about how the test suite works and how to write new tests in the [test/README.md](test/README.md) file.

3
docker-entrypoint.sh
View file

@ -16,7 +16,8 @@ fi
# Generate dhparam file if required # Generate dhparam file if required
# Note: if $DHPARAM_BITS is not defined, generate-dhparam.sh will use 2048 as a default # Note: if $DHPARAM_BITS is not defined, generate-dhparam.sh will use 2048 as a default
/app/generate-dhparam.sh $DHPARAM_BITS # Note2: if $DHPARAM_GENERATION is set to false in environment variable, dh param generator will skip completely
/app/generate-dhparam.sh $DHPARAM_BITS $DHPARAM_GENERATION
# Compute the DNS resolvers for use in the templates - if the IP contains ":", it's IPv6 and must be enclosed in [] # Compute the DNS resolvers for use in the templates - if the IP contains ":", it's IPv6 and must be enclosed in []
export RESOLVERS=$(awk '$1 == "nameserver" {print ($2 ~ ":")? "["$2"]": $2}' ORS=' ' /etc/resolv.conf | sed 's/ *$//g') export RESOLVERS=$(awk '$1 == "nameserver" {print ($2 ~ ":")? "["$2"]": $2}' ORS=' ' /etc/resolv.conf | sed 's/ *$//g')

9
generate-dhparam.sh
View file

@ -2,6 +2,7 @@
# The first argument is the bit depth of the dhparam, or 2048 if unspecified # The first argument is the bit depth of the dhparam, or 2048 if unspecified
DHPARAM_BITS=${1:-2048} DHPARAM_BITS=${1:-2048}
GENERATE_DHPARAM=${2:-true}
# If a dhparam file is not available, use the pre-generated one and generate a new one in the background. # If a dhparam file is not available, use the pre-generated one and generate a new one in the background.
# Note that /etc/nginx/dhparam is a volume, so this dhparam will persist restarts. # Note that /etc/nginx/dhparam is a volume, so this dhparam will persist restarts.
@ -25,6 +26,11 @@ if [[ -f $DHPARAM_FILE ]]; then
fi fi
fi fi
if [[ $GENERATE_DHPARAM =~ ^[Ff][Aa][Ll][Ss][Ee]$ ]]; then
echo "Skipping Diffie-Hellman parameters generation and Ignoring pre-generated dhparam.pem"
exit 0
fi
cat >&2 <<-EOT cat >&2 <<-EOT
WARNING: $DHPARAM_FILE was not found. A pre-generated dhparam.pem will be used for now while a new one WARNING: $DHPARAM_FILE was not found. A pre-generated dhparam.pem will be used for now while a new one
is being generated in the background. Once the new dhparam.pem is in place, nginx will be reloaded. is being generated in the background. Once the new dhparam.pem is in place, nginx will be reloaded.
@ -37,7 +43,8 @@ touch $GEN_LOCKFILE
# Generate a new dhparam in the background in a low priority and reload nginx when finished (grep removes the progress indicator). # Generate a new dhparam in the background in a low priority and reload nginx when finished (grep removes the progress indicator).
( (
( (
nice -n +5 openssl dhparam -out $DHPARAM_FILE $DHPARAM_BITS 2>&1 \ nice -n +5 openssl dhparam -out $DHPARAM_FILE.tmp $DHPARAM_BITS 2>&1 \
&& mv $DHPARAM_FILE.tmp $DHPARAM_FILE \
&& echo "dhparam generation complete, reloading nginx" \ && echo "dhparam generation complete, reloading nginx" \
&& nginx -s reload && nginx -s reload
) | grep -vE '^[\.+]+' ) | grep -vE '^[\.+]+'

4
nginx.tmpl
View file

@ -19,7 +19,7 @@
server 127.0.0.1 down; server 127.0.0.1 down;
{{ end }} {{ end }}
{{ end }} {{ end }}
{{ end }} {{ end }}
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the # If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
@ -261,7 +261,7 @@ server {
ssl_trusted_certificate {{ printf "/etc/nginx/certs/%s.chain.pem" $cert }}; ssl_trusted_certificate {{ printf "/etc/nginx/certs/%s.chain.pem" $cert }};
{{ end }} {{ end }}
{{ if (and (ne $https_method "noredirect") (ne $hsts "off")) }} {{ if (not (or (eq $https_method "noredirect") (eq $hsts "off"))) }}
add_header Strict-Transport-Security "{{ trim $hsts }}" always; add_header Strict-Transport-Security "{{ trim $hsts }}" always;
{{ end }} {{ end }}

2
test/certs/create_server_certificate.sh
View file

@ -24,7 +24,7 @@ fi
# Create a nginx container (which conveniently provides the `openssl` command) # Create a nginx container (which conveniently provides the `openssl` command)
############################################################################### ###############################################################################
CONTAINER=$(docker run -d -v $DIR:/work -w /work -e SAN="$ALTERNATE_DOMAINS" nginx:1.14) CONTAINER=$(docker run -d -v $DIR:/work -w /work -e SAN="$ALTERNATE_DOMAINS" nginx:1.14.1)
# Configure openssl # Configure openssl
docker exec $CONTAINER bash -c ' docker exec $CONTAINER bash -c '
mkdir -p /ca/{certs,crl,private,newcerts} 2>/dev/null mkdir -p /ca/{certs,crl,private,newcerts} 2>/dev/null

7
test/test_ssl/test_hsts.py
View file

@ -24,3 +24,10 @@ def test_web3_HSTS_custom(docker_compose, nginxproxy):
assert "answer from port 81\n" in r.text assert "answer from port 81\n" in r.text
assert "Strict-Transport-Security" in r.headers assert "Strict-Transport-Security" in r.headers
assert "max-age=86400; includeSubDomains; preload" == r.headers["Strict-Transport-Security"] assert "max-age=86400; includeSubDomains; preload" == r.headers["Strict-Transport-Security"]
# Regression test for issue 1080
# https://github.com/jwilder/nginx-proxy/issues/1080
def test_web4_HSTS_off_noredirect(docker_compose, nginxproxy):
r = nginxproxy.get("https://web4.nginx-proxy.tld/port", allow_redirects=False)
assert "answer from port 81\n" in r.text
assert "Strict-Transport-Security" not in r.headers

10
test/test_ssl/test_hsts.yml
View file

@ -24,6 +24,16 @@ web3:
VIRTUAL_HOST: "web3.nginx-proxy.tld" VIRTUAL_HOST: "web3.nginx-proxy.tld"
HSTS: "max-age=86400; includeSubDomains; preload" HSTS: "max-age=86400; includeSubDomains; preload"
web4:
image: web
expose:
- "81"
environment:
WEB_PORTS: "81"
VIRTUAL_HOST: "web4.nginx-proxy.tld"
HSTS: "off"
HTTPS_METHOD: "noredirect"
sut: sut:
image: jwilder/nginx-proxy:test image: jwilder/nginx-proxy:test
volumes: volumes:

3
test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml
View file

@ -7,6 +7,7 @@ services:
volumes: volumes:
- /var/run/docker.sock:/tmp/docker.sock:ro - /var/run/docker.sock:/tmp/docker.sock:ro
- ./certs:/etc/nginx/certs:ro - ./certs:/etc/nginx/certs:ro
- ../../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
web1: web1:
image: web image: web
@ -30,4 +31,4 @@ services:
environment: environment:
WEB_PORTS: "83" WEB_PORTS: "83"
VIRTUAL_HOST: "3.web.nginx-proxy.tld" VIRTUAL_HOST: "3.web.nginx-proxy.tld"
HTTPS_METHOD: nohttps HTTPS_METHOD: nohttps

1
test/test_ssl/wildcard_cert_and_nohttps/test_wildcard_cert_nohttps.py
View file

@ -11,6 +11,7 @@ from requests.exceptions import SSLError
def test_http_redirects_to_https(docker_compose, nginxproxy, subdomain, should_redirect_to_https): def test_http_redirects_to_https(docker_compose, nginxproxy, subdomain, should_redirect_to_https):
r = nginxproxy.get("http://%s.web.nginx-proxy.tld/port" % subdomain) r = nginxproxy.get("http://%s.web.nginx-proxy.tld/port" % subdomain)
if should_redirect_to_https: if should_redirect_to_https:
assert len(r.history) > 0
assert r.history[0].is_redirect assert r.history[0].is_redirect
assert r.history[0].headers.get("Location") == "https://%s.web.nginx-proxy.tld/port" % subdomain assert r.history[0].headers.get("Location") == "https://%s.web.nginx-proxy.tld/port" % subdomain
assert "answer from port 8%s\n" % subdomain == r.text assert "answer from port 8%s\n" % subdomain == r.text