diff --git a/README.md b/README.md index 1371fba..008ce23 100644 --- a/README.md +++ b/README.md @@ -66,6 +66,15 @@ hosts in use. The certificate and keys should be named after the virtual host w `.key` extension. For example, a container with `VIRTUAL_HOST=foo.bar.com` should have a `foo.bar.com.crt` and `foo.bar.com.key` file in the certs directory. +#### Further Nginx configuration + +In order to enable SSL client verification, start the containers with `SSL_VERIFY_CLIENT` environment variable and use +`CLIENT_CA_NAME` to specify the name of the SSL Client Certificate Authority file to use. + +You can also specify additional configuration information to be used within the location declaration, by specifying the +`LOCATION_OPTIONS` environment variable. Directives are separated with commas. + + #### Wildcard Certificates Wildcard certificates and keys should be name after the domain name with a `.crt` and `.key` extension. diff --git a/nginx.tmpl b/nginx.tmpl index 3747678..e1a6570 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -70,6 +70,12 @@ upstream {{ $host }} { {{/* Get the first cert name defined by containers w/ the same vhost */}} {{ $certName := (first (groupByKeys $containers "Env.CERT_NAME")) }} +{{ $clientCAName := (first (groupByKeys $containers "Env.CLIENT_CA_NAME")) }} + +{{ $locationOptions := (split (trimSuffix "]" (trimPrefix "[" (first (groupByKeys $containers "Env.LOCATION_OPTIONS")))) ",") }} + +{{/* Get the first SSL_VERIFY_CLIENT defined by containers w/ the same vhost */}} +{{ $sslVerifyClient := (first (groupByKeys $containers "Env.SSL_VERIFY_CLIENT")) }} {{/* Get the best matching cert by name for the vhost. */}} {{ $vhostCert := (closest (dir "/etc/nginx/certs") (printf "%s.crt" $host))}} 
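Review bot: `LOCATION_OPTIONS` turns a container's environment into raw nginx directives with no validation, so any container (or whoever can set its env) that advertises a `VIRTUAL_HOST` can inject configuration into the proxy — a value containing `}` closes the `location` block and whatever follows is parsed as server-level directives. If that trust boundary is intended, say so in the README and next to the variable, e.g. `{{/* LOCATION_OPTIONS is emitted verbatim into the vhost's location block — trusted operator input only */}}`. The accepted format (apparently a bracketed, single-quoted, comma-separated list, judging by the `[`/`]`/`'` trimming) is documented nowhere, and taking `first` of a `groupByKeys` set means that when two containers behind the same vhost disagree on `SSL_VERIFY_CLIENT` the winner is arbitrary, so client auth could silently come out as `optional` or `off`. `$clientCAName` is also interpolated into a filesystem path unchecked (as the pre-existing `CERT_NAME` already is), so a `../` value resolves outside `/etc/nginx/certs`; these variables appear to sit inside a per-vhost range that starts above the hunk.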
@@ -102,10 +108,18 @@ server {
 ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }};
 ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }};
 
+ {{ if $sslVerifyClient }}
+ ssl_verify_client {{ (printf "%s" $sslVerifyClient) }};
+ ssl_client_certificate /etc/nginx/certs/{{ (printf "%s" $clientCAName) }};
+ {{ end }}
+
 add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
 
 location / {
- proxy_pass http://{{ $host }};
+ {{ range $option := $locationOptions }}
+ {{ (trimSuffix "'" (trimPrefix "'" (printf "%s" $option))) }};
+ {{ end }}
+ proxy_pass http://{{ $host }};
 }
 }
 {{ else }}
@@ -114,7 +128,10 @@ server {
 server_name {{ $host }};
 
 location / {
- proxy_pass http://{{ $host }};
+ {{ range $option := $locationOptions }}
+ {{ (trimSuffix "'" (trimPrefix "'" (printf "%s" $option))) }};
+ {{ end }}
+ proxy_pass http://{{ $host }};
 }
 }
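Review bot: The `{{ if $sslVerifyClient }}` guard checks only `SSL_VERIFY_CLIENT`, so a container that sets it without `CLIENT_CA_NAME` renders `ssl_client_certificate /etc/nginx/certs/;`, which nginx should refuse to load — and since one template produces the whole config, that would take every vhost down, not just the misconfigured one. Guard on both, `{{ if and $sslVerifyClient $clientCAName }}`, and state in the README that a CA file is mandatory whenever verification is enabled. With `optional` or `optional_no_ca` nginx lets unverified clients through and the upstream cannot tell unless the result is forwarded; nothing in this hunk does, so add `proxy_set_header X-SSL-Client-Verify $ssl_client_verify;` (plus `X-SSL-Client-DN $ssl_client_s_dn;` if the backend needs identity) beside `proxy_pass`, assuming no global `proxy_set_header` outside the hunk already covers it. The `server` block this hunk edits starts above it.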
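Review bot: When `LOCATION_OPTIONS` is unset, `$locationOptions` is the result of splitting an empty string, which — if docker-gen's `split` is Go's `strings.Split`, as I believe — is a one-element list holding `""`, so this loop emits a bare `;` into every plain-HTTP vhost's `location /` (the SSL branch above has the same loop), and nginx's parser does not accept an empty directive, so the default deployment may fail to reload. Skip empty entries by wrapping the emitted line in `{{ if $option }}` … `{{ end }}`, or only split when the variable is non-empty. Since the range is now duplicated verbatim in both server branches, it would also read better as a single `{{ define "location_options" }}` block invoked with `{{ template "location_options" $locationOptions }}` from each. The enclosing `server` block starts above this hunk.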