Fabio/nginx-proxy-auto-docker
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

Merge 517807dd2c into 56b4a2e182

Browse source
This commit is contained in:
wjdix 2014-12-17 02:01:18 +00:00
commit bab04a61a1
2 changed files with 28 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
README.md
View file

@ -66,6 +66,15 @@ hosts in use. The certificate and keys should be named after the virtual host w
`.key` extension. For example, a container with `VIRTUAL_HOST=foo.bar.com` should have a `.key` extension. For example, a container with `VIRTUAL_HOST=foo.bar.com` should have a
`foo.bar.com.crt` and `foo.bar.com.key` file in the certs directory. `foo.bar.com.crt` and `foo.bar.com.key` file in the certs directory.
#### Further Nginx configuration
In order to enable SSL client verification, start the containers with `SSL_VERIFY_CLIENT` environment variable and use
`CLIENT_CA_NAME` to specify the name of the SSL Client Certificate Authority file to use.
You can also specify additional configuration information to be used within the location declaration, by specifying the
`LOCATION_OPTIONS` environment variable. Directives are separated with commas.
#### Wildcard Certificates #### Wildcard Certificates
Wildcard certificates and keys should be name after the domain name with a `.crt` and `.key` extension. Wildcard certificates and keys should be name after the domain name with a `.crt` and `.key` extension.

17
nginx.tmpl
View file

@ -70,6 +70,12 @@ upstream {{ $host }} {
{{/* Get the first cert name defined by containers w/ the same vhost */}} {{/* Get the first cert name defined by containers w/ the same vhost */}}
{{ $certName := (first (groupByKeys $containers "Env.CERT_NAME")) }} {{ $certName := (first (groupByKeys $containers "Env.CERT_NAME")) }}
{{ $clientCAName := (first (groupByKeys $containers "Env.CLIENT_CA_NAME")) }}
{{ $locationOptions := (split (trimSuffix "]" (trimPrefix "[" (first (groupByKeys $containers "Env.LOCATION_OPTIONS")))) ",") }}
{{/* Get the first SSL_VERIFY_CLIENT defined by containers w/ the same vhost */}}
{{ $sslVerifyClient := (first (groupByKeys $containers "Env.SSL_VERIFY_CLIENT")) }}
{{/* Get the best matching cert by name for the vhost. */}} {{/* Get the best matching cert by name for the vhost. */}}
{{ $vhostCert := (closest (dir "/etc/nginx/certs") (printf "%s.crt" $host))}} {{ $vhostCert := (closest (dir "/etc/nginx/certs") (printf "%s.crt" $host))}}
@ -102,9 +108,17 @@ server {
ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }}; ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }};
ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }}; ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }};
{{ if $sslVerifyClient }}
ssl_verify_client {{ (printf "%s" $sslVerifyClient) }};
ssl_client_certificate /etc/nginx/certs/{{ (printf "%s" $clientCAName) }};
{{ end }}
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains"; add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
location / { location / {
{{ range $option := $locationOptions }}
{{ (trimSuffix "'" (trimPrefix "'" (printf "%s" $option))) }};
{{ end }}
proxy_pass http://{{ $host }}; proxy_pass http://{{ $host }};
} }
} }
@ -114,6 +128,9 @@ server {
server_name {{ $host }}; server_name {{ $host }};
location / { location / {
{{ range $option := $locationOptions }}
{{ (trimSuffix "'" (trimPrefix "'" (printf "%s" $option))) }};
{{ end }}
proxy_pass http://{{ $host }}; proxy_pass http://{{ $host }};
} }
} }