From 3c5843264ef87ee3c0a31f79f68bc12a9fd635f2 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Wed, 26 Nov 2014 23:53:35 +0100 Subject: [PATCH 01/34] Switch to official nginx base-image. This changes the base-image to the official nginx image, reducing the virtual size of the image by approx 50%. Signed-off-by: Sebastiaan van Stijn --- Dockerfile | 11 +++-------- Procfile | 2 +- 2 files changed, 4 insertions(+), 9 deletions(-) diff --git a/Dockerfile b/Dockerfile index 4186212..718a735 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,14 +1,10 @@ -FROM ubuntu:14.04 +FROM nginx:1.7 MAINTAINER Jason Wilder jwilder@litl.com -# Install Nginx. -RUN echo "deb http://ppa.launchpad.net/nginx/stable/ubuntu trusty main" > /etc/apt/sources.list.d/nginx-stable-trusty.list \ - && echo "deb-src http://ppa.launchpad.net/nginx/stable/ubuntu trusty main" >> /etc/apt/sources.list.d/nginx-stable-trusty.list \ - && apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C300EE8C \ - && apt-get update \ +# Install wget and install/updates certificates +RUN apt-get update \ && apt-get install -y -q --no-install-recommends \ ca-certificates \ - nginx \ wget \ && apt-get clean \ && rm -r /var/lib/apt/lists/* @@ -30,7 +26,6 @@ RUN wget https://github.com/jwilder/docker-gen/releases/download/$DOCKER_GEN_VER COPY . /app/ WORKDIR /app/ -EXPOSE 80 443 ENV DOCKER_HOST unix:///tmp/docker.sock VOLUME ["/etc/nginx/certs"] diff --git a/Procfile b/Procfile index 7a22293..8547156 100644 --- a/Procfile +++ b/Procfile @@ -1,2 +1,2 @@ nginx: nginx -dockergen: docker-gen -watch -only-exposed -notify "nginx -s reload" /app/nginx.tmpl /etc/nginx/sites-enabled/default +dockergen: docker-gen -watch -only-exposed -notify "nginx -s reload" /app/nginx.tmpl /etc/nginx/conf.d/default.conf From 080a5157e6b1de3637e339a7cf54105f0316cfa7 Mon Sep 17 00:00:00 2001 
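Review bot: The Procfile now has docker-gen overwrite `/etc/nginx/conf.d/default.conf`, but the official nginx image ships its own `default.conf` there serving the stock static site on port 80, and since forego starts `nginx` and `docker-gen` side by side, nginx appears to serve that stock site for the window between start-up and the first generated config plus reload rather than the 503 the template intends. I'd drop the shipped file in the Dockerfile, `RUN rm /etc/nginx/conf.d/default.conf`, or replace it at build time with a 503-only placeholder, and add a comment saying why. Removing `EXPOSE 80 443` is fine only because the base image declares them; a one-line comment at that spot (`# 80/443 are EXPOSEd by the nginx base image`) would stop someone re-adding it or wondering why it is gone. The floating `FROM nginx:1.7` tag is addressed by PATCH 03.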
From: Jason Wilder Date: Wed, 3 Dec 2014 11:06:11 -0700 Subject: [PATCH 02/34] Remove OCSP stapling Looks like it was not actually working before and failing silently because ssl_trusted_certificate was not specified. Will need to revisit implementing this functionality so removing it for now to prevent the warnings logged by nginx now. --- README.md | 2 +- nginx.tmpl | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/README.md b/README.md index 6a27951..e520322 100644 --- a/README.md +++ b/README.md @@ -82,7 +82,7 @@ and `CERT_NAME=shared` will then use this shared cert. The SSL cipher configuration is based on [mozilla nginx intermediate profile](https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx) which should provide compatibility with clients back to Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, -Windows XP IE8, Android 2.3, Java 7. The configuration also enables OCSP stapling, HSTS, and SSL +Windows XP IE8, Android 2.3, Java 7. The configuration also enables HSTS, and SSL session caches. The behavior for the proxy when port 80 and 443 are exposed is as follows: diff --git a/nginx.tmpl b/nginx.tmpl index 3de1843..3aa28f4 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -96,8 +96,6 @@ server { ssl_prefer_server_ciphers on; ssl_session_timeout 5m; ssl_session_cache shared:SSL:50m; - ssl_stapling on; - ssl_stapling_verify on; ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }}; ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }}; From db924dba769508cfb48edf9a7ec5e774537b2abf Mon Sep 17 00:00:00 2001 From: Jason Wilder Date: Wed, 3 Dec 2014 11:12:01 -0700 Subject: [PATCH 03/34] Use nginx:1.7.7 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 718a735..fdd5c82 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM nginx:1.7 +FROM nginx:1.7.7 MAINTAINER Jason Wilder jwilder@litl.com # Install wget and install/updates certificates 
From 54b9043323ad23950c5e1ebe132f7e1fb45a4dc8 Mon Sep 17 00:00:00 2001 From: Mike Dillon Date: Sat, 6 Dec 2014 17:45:59 -0800 Subject: [PATCH 04/34] Remove redundant access_log and error_log --- nginx.tmpl | 2 -- 1 file changed, 2 deletions(-) diff --git a/nginx.tmpl b/nginx.tmpl index 3aa28f4..ca372c9 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -30,8 +30,6 @@ proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; server { listen 80 default_server; server_name _; # This is just an invalid value which will never trigger on a real hostname. - error_log /proc/self/fd/2; - access_log /proc/self/fd/1; return 503; } From ac1f2d88752a785db45ae66862dd19b2204f3899 Mon Sep 17 00:00:00 2001 From: Mike Dillon Date: Sat, 6 Dec 2014 17:46:25 -0800 Subject: [PATCH 05/34] Include Host or SERVER_NAME in logs --- nginx.tmpl | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/nginx.tmpl b/nginx.tmpl index ca372c9..3747678 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -14,7 +14,11 @@ map $http_upgrade $proxy_connection { gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; -access_log /proc/self/fd/1; +log_format vhost '$host $remote_addr - $remote_user [$time_local] ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent"'; + +access_log /proc/self/fd/1 vhost; error_log /proc/self/fd/2; # HTTP 1.1 support From a668579392a7c7cf140f3abe11a74e6121ec505e Mon Sep 17 00:00:00 2001 From: Joseph Page Date: Wed, 10 Dec 2014 11:37:44 +0100 Subject: [PATCH 06/34] Bump to nginx 1.7.8 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index fdd5c82..9d8968d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM nginx:1.7.7 +FROM nginx:1.7.8 MAINTAINER Jason Wilder jwilder@litl.com # Install wget and install/updates certificates From 10bc94f6db89f54c03e962f7e9a35718182680ce Mon Sep 17 00:00:00 2001 
From: Max Claus Nunes Date: Sat, 13 Dec 2014 10:00:45 -0200 Subject: [PATCH 07/34] =?UTF-8?q?fixes=20problem=20to=20set=20server=20nam?= =?UTF-8?q?e=20max=20length=E2=80=A6=20current=20base=20image=20does=20not?= =?UTF-8?q?=20have=20commented=20configurations=20which=20means=20is=20imp?= =?UTF-8?q?ossible=20to=20use=20the=20previous=20configuration=20to=20set?= =?UTF-8?q?=20the=20server=20name=20max=20length?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index fdd5c82..92bad5a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -11,7 +11,7 @@ RUN apt-get update \ # Configure Nginx and apply fix for long server names RUN echo "daemon off;" >> /etc/nginx/nginx.conf \ - && sed -i 's/# server_names_hash_bucket/server_names_hash_bucket/g' /etc/nginx/nginx.conf + && sed -i 's/^http {/&\n server_names_hash_bucket_size 64;/g' /etc/nginx/nginx.conf # Install Forego RUN wget -P /usr/local/bin https://godist.herokuapp.com/projects/ddollar/forego/releases/current/linux-amd64/forego \ From 56b4a2e182003296a920ffbfaca7978dbeac93a2 Mon Sep 17 00:00:00 2001 From: Jason Wilder Date: Mon, 15 Dec 2014 12:30:58 -0700 Subject: [PATCH 08/34] Fix README grammar --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e520322..1371fba 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generate reverse proxy configs for nginx and reloads nginx when containers they are started and stopped. +nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generate reverse proxy configs for nginx and reloads nginx when containers are started and stopped. See [Automated Nginx Reverse Proxy for Docker][2] for why you might want to use this. From 6d646d92f8d2e7fea8aee54c07c730d948b67c6e Mon Sep 17 00:00:00 2001 
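Review bot: The new `sed` silently does nothing if `^http {` is not found in the base image's nginx.conf (a later image revision could format it differently), so the build succeeds and the long-server-name failure only shows up when nginx starts; add a post-check such as `&& grep -q 'server_names_hash_bucket_size' /etc/nginx/nginx.conf` so the image build fails instead. The same applies to the PATCH 10 hunk that raises the value to 128. The `/g` flag is redundant for an anchored pattern, and a comment explaining that the official image has no commented-out `server_names_hash_bucket_size` line to uncomment (which is what the commit subject is getting at) would make the `\n` insertion less surprising. Unrelated to this hunk's change but visible in its context: forego is fetched from a `releases/current` URL with no version pin and no checksum, so the image is not reproducible and the build trusts whatever that URL serves; the docker-gen tarball fetched a few lines further down has the same gap (see the PATCH 27/28 hunks), and a pinned version plus a `sha256sum -c` step would close both.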
From: Albert Murillo Aguirre Date: Tue, 16 Dec 2014 20:19:49 +0100 Subject: [PATCH 09/34] Basic Authentication Support --- README.md | 9 +++++++++ nginx.tmpl | 8 ++++++++ 2 files changed, 17 insertions(+) diff --git a/README.md b/README.md index 1371fba..f50796d 100644 --- a/README.md +++ b/README.md @@ -95,3 +95,12 @@ Note that in the latter case, a browser may get an connection error as no certif to establish a connection. A self-signed or generic cert named `default.crt` and `default.key` will allow a client browser to make a SSL connection (likely w/ a warning) and subsequently receive a 503. + +### Basic Authentication Support + +In order to be able to securize your virtual host, you have to create a file named as its equivalent VIRTUAL_HOST variable on directory +/etc/nginx/htpasswd/$VIRTUAL_HOST + + $ docker run -d -p 80:80 -p 443:443 -v /path/to/htpasswd:/etc/nginx/htpasswd -v /path/to/certs:/etc/nginx/certs -v /var/run/docker.sock:/tmp/docker.sock jwilder/nginx-proxy + +You'll need apache2-utils on the machine you plan to create de htpasswd file. Follow these [instructions](http://httpd.apache.org/docs/2.2/programs/htpasswd.html) diff --git a/nginx.tmpl b/nginx.tmpl index 3747678..fd5d2e9 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -106,6 +106,10 @@ server { location / { proxy_pass http://{{ $host }}; + {{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }} + auth_basic "Restricted {{ $host }}"; + auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" $host) }}; + {{ end }} } } {{ else }} @@ -115,6 +119,10 @@ server { location / { proxy_pass http://{{ $host }}; + {{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }} + auth_basic "Restricted {{ $host }}"; + auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" $host) }}; + {{ end }} } } From d7e499e4e63d9bbd39f885e2e2be6a7fb6a7671b Mon Sep 17 00:00:00 2001 
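Review bot: The second hunk adds `auth_basic` to the plain-HTTP `server` block used when a host has no certificate, so in that configuration the htpasswd credentials are sent base64-encoded in the clear on every request; that is inherent to Basic auth, but it deserves a template comment and a line in the README, e.g. `{{/* Basic auth over plain HTTP: credentials are not protected unless this host also has a certificate */}}`. The htpasswd path is built from the VIRTUAL_HOST value and interpolated unquoted into the config, which mirrors how `$host` is already used for `server_name`, so nothing new there, but the block is duplicated verbatim in both server stanzas and would be easier to keep in sync as a single fragment. In the README hunk, `securize` and `de htpasswd` read as typos for `secure` and `the htpasswd`.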
From: =?UTF-8?q?Julien=20Pervill=C3=A9?= Date: Fri, 2 Jan 2015 10:45:40 +0630 Subject: [PATCH 10/34] Allow for even longer virtual host names (should work to at least 50 chars). --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index d3f29c5..48a6949 100644 --- a/Dockerfile +++ b/Dockerfile @@ -9,9 +9,9 @@ RUN apt-get update \ && apt-get clean \ && rm -r /var/lib/apt/lists/* -# Configure Nginx and apply fix for long server names +# Configure Nginx and apply fix for very long server names RUN echo "daemon off;" >> /etc/nginx/nginx.conf \ - && sed -i 's/^http {/&\n server_names_hash_bucket_size 64;/g' /etc/nginx/nginx.conf + && sed -i 's/^http {/&\n server_names_hash_bucket_size 128;/g' /etc/nginx/nginx.conf # Install Forego RUN wget -P /usr/local/bin https://godist.herokuapp.com/projects/ddollar/forego/releases/current/linux-amd64/forego \ From 36039f8e13c8ca7c9a4f54370840b42be7bc881c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=85smund=20Grammeltvedt?= Date: Mon, 5 Jan 2015 13:31:26 +0100 Subject: [PATCH 11/34] Gzip application/javascript As per RFC4329, nginx uses application/javascript as the default MIME type for .js files. Nginx-proxy will now gzip these files if the client requests it. --- nginx.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx.tmpl b/nginx.tmpl index fd5d2e9..d373ce3 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -12,7 +12,7 @@ map $http_upgrade $proxy_connection { '' ''; } -gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; +gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; log_format vhost '$host $remote_addr - $remote_user [$time_local] ' '"$request" $status $body_bytes_sent ' From 231fe01c81e0d4750fcaa436ca6ad87ef16fc09f Mon Sep 17 00:00:00 2001 
From: Edward Raigosa Date: Thu, 8 Jan 2015 11:29:04 -0800 Subject: [PATCH 12/34] Adding license for usage Adding a license so we can use it with other projects. --- LICENSE | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 LICENSE diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..fc926a8 --- /dev/null +++ b/LICENSE @@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2014 Jason Wilder + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. From 450ecf23ede87366855e201b0bb43f80d8549850 Mon Sep 17 00:00:00 2001 From: Jason Wilder Date: Wed, 14 Jan 2015 09:51:21 -0700 Subject: [PATCH 13/34] Add nginx/license badges --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index f50796d..2815508 100644 --- a/README.md +++ b/README.md 
@@ -1,3 +1,5 @@ +![nginx 1.7.8](https://img.shields.io/badge/nginx-1.7.8-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) + nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generate reverse proxy configs for nginx and reloads nginx when containers are started and stopped. See [Automated Nginx Reverse Proxy for Docker][2] for why you might want to use this. From 134e037d4888631a1b8c420262b7b2c6323ba897 Mon Sep 17 00:00:00 2001 From: Tobias Munk Date: Thu, 22 Jan 2015 02:46:51 +0100 Subject: [PATCH 14/34] added wildcard hosts, fixes #89 --- README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 2815508..2f4972f 100644 --- a/README.md +++ b/README.md @@ -25,7 +25,11 @@ If your container exposes multiple ports, nginx-proxy will default to the servic ### Multiple Hosts -If you need to support multipe virtual hosts for a container, you can separate each entry with commas. For example, `foo.bar.com,baz.bar.com,bar.com` and each host will be setup the same. +If you need to support multiple virtual hosts for a container, you can separate each entry with commas. For example, `foo.bar.com,baz.bar.com,bar.com` and each host will be setup the same. + +### Wildcard Hosts + +You can also use wildcards at the beginning and the end of host name, like `*.bar.com` or `foo.bar.*`. Or even a regular expression, which can be very useful in conjunction with a wildcard DNS service like [xip.io](http://xip.io), using `~^foo\.bar\..*\.xip\.io` will match `foo.bar.127.0.0.1.xip.io`, `foo.bar.10.0.2.2.xip.io` and all other given IPs. More information about this topic can be found in the nginx documentation about [`server_names`](http://nginx.org/en/docs/http/server_names.html). ### Separate Containers From 37e4a0d00ec26f57d608c5b9b6645b4bde6968d6 Mon Sep 17 00:00:00 2001 
From: Paulo Ragonha Date: Thu, 22 Jan 2015 14:37:10 -0200 Subject: [PATCH 15/34] fixes SSL support while mixing HTTPS and non-HTTPS services nginx was throwing the following error: `no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking` ref: https://github.com/jwilder/nginx-proxy/issues/74 --- nginx.tmpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nginx.tmpl b/nginx.tmpl index d373ce3..9d1f43c 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -126,16 +126,16 @@ server { } } +{{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }} server { server_name {{ $host }}; listen 443 ssl; return 503; - {{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }} ssl_certificate /etc/nginx/certs/default.crt; ssl_certificate_key /etc/nginx/certs/default.key; - {{ end }} } +{{ end }} {{ end }} {{ end }} From 71a17c127f8f336fbe821705790049ce7fb054d9 Mon Sep 17 00:00:00 2001 From: Jason Wilder Date: Thu, 29 Jan 2015 09:42:58 -0700 Subject: [PATCH 16/34] Update SSL doc grammar --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 2f4972f..6b11b65 100644 --- a/README.md +++ b/README.md @@ -60,8 +60,8 @@ Finally, start your containers with `VIRTUAL_HOST` environment variables. ### SSL Support -SSL is supported single host, wildcards and SNI certificates using naming conventions for -certificates or optionally specify a cert name (for SNI) as an environment variable. +SSL is supported using single host, wildcard and SNI certificates using naming conventions for +certificates or optionally specifying a cert name (for SNI) as an environment variable. To enable SSL: From 93ee4acb23444886e42a79625801cfefc0cd5861 Mon Sep 17 00:00:00 2001 From: Jason Wilder Date: Tue, 3 Feb 2015 14:55:14 -0700 Subject: [PATCH 17/34] Fix grammar --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
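Review bot: With this change a host that has no certificate of its own gets no `listen 443` server at all unless `default.crt`/`default.key` exist, so an HTTPS request for it is no longer answered with 503 but, if I read nginx's default-server selection correctly, is handled by the first `listen 443 ssl` block in the generated config — i.e. another vhost's certificate and that vhost's `proxy_pass`. That is better than the handshake error the commit message cites, but it is a cross-vhost fallthrough operators should know about; I'd add a template comment at the new `{{ if ... }}`, e.g. `{{/* Without default.crt/default.key there is no 503 catch-all on 443: HTTPS requests for hosts without certs fall through to the first ssl server block */}}`, and a sentence in the README's SSL section recommending the default pair. The enclosing `{{ range }}`/`{{ if }}` structure starts above the hunk.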
diff --git a/README.md b/README.md index 6b11b65..d80e828 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ ![nginx 1.7.8](https://img.shields.io/badge/nginx-1.7.8-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) -nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generate reverse proxy configs for nginx and reloads nginx when containers are started and stopped. +nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped. See [Automated Nginx Reverse Proxy for Docker][2] for why you might want to use this. From 6c3b3c87befefdb181e3ca212bcaacb69ecb9e21 Mon Sep 17 00:00:00 2001 From: Mike Dillon Date: Sat, 14 Feb 2015 16:02:39 -0800 Subject: [PATCH 18/34] Support VIRTUAL_PROTO=https for HTTPS backends --- nginx.tmpl | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/nginx.tmpl b/nginx.tmpl index d373ce3..b694a31 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -68,6 +68,9 @@ upstream {{ $host }} { {{ end }} } +{{/* Get the VIRTUAL_PROTO defined by containers w/ the same vhost, falling back to "http" */}} +{{ $proto := or (first (groupByKeys $containers "Env.VIRTUAL_PROTO")) "http" }} + {{/* Get the first cert name defined by containers w/ the same vhost */}} {{ $certName := (first (groupByKeys $containers "Env.CERT_NAME")) }} @@ -105,7 +108,7 @@ server { add_header Strict-Transport-Security "max-age=31536000; includeSubdomains"; location / { - proxy_pass http://{{ $host }}; + proxy_pass {{ $proto }}://{{ $host }}; {{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }} auth_basic "Restricted {{ $host }}"; auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" $host) }}; 
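Review bot: `proxy_pass https://{{ $host }}` encrypts the hop to the backend but, because nginx's `proxy_ssl_verify` defaults to off, never checks the backend's certificate, so `VIRTUAL_PROTO=https` gives confidentiality without authentication; at minimum the README entry added in PATCH 19 should say so, and an opt-in `proxy_ssl_verify on; proxy_ssl_trusted_certificate <ca-bundle-path>;` (for example via the per-host include) would close it. The `$proto` value from the first hunk is used verbatim from the container environment, so anything other than `http`/`https` lands unvalidated in the `proxy_pass` directive; restricting it at the use site, `proxy_pass {{ if eq $proto "https" }}https{{ else }}http{{ end }}://{{ $host }};`, keeps the generated config well-formed. The same `proxy_pass` change appears in the `@@ -118,7 +121,7 @@` hunk of this patch.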
@@ -118,7 +121,7 @@ server { server_name {{ $host }}; location / { - proxy_pass http://{{ $host }}; + proxy_pass {{ $proto }}://{{ $host }}; {{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }} auth_basic "Restricted {{ $host }}"; auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" $host) }}; From 3f199d56c114b187d837656eadad91098e757111 Mon Sep 17 00:00:00 2001 From: Mike Dillon Date: Sat, 14 Feb 2015 16:19:27 -0800 Subject: [PATCH 19/34] Add VIRTUAL_PROTO to README.md --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index d80e828..4799666 100644 --- a/README.md +++ b/README.md @@ -31,6 +31,10 @@ If you need to support multiple virtual hosts for a container, you can separate You can also use wildcards at the beginning and the end of host name, like `*.bar.com` or `foo.bar.*`. Or even a regular expression, which can be very useful in conjunction with a wildcard DNS service like [xip.io](http://xip.io), using `~^foo\.bar\..*\.xip\.io` will match `foo.bar.127.0.0.1.xip.io`, `foo.bar.10.0.2.2.xip.io` and all other given IPs. More information about this topic can be found in the nginx documentation about [`server_names`](http://nginx.org/en/docs/http/server_names.html). +### SSL Backends + +If you would like to connect to your backend using HTTPS instead of HTTP, set `VIRTUAL_PROTO=https` on the backend container. + ### Separate Containers nginx-proxy can also be run as two separate containers using the [jwilder/docker-gen](https://index.docker.io/u/jwilder/docker-gen/) From 2010332395cfb54121bb4597051ab8463c4be550 Mon Sep 17 00:00:00 2001 From: Mike Dillon Date: Sun, 22 Feb 2015 09:25:50 -0800 Subject: [PATCH 20/34] Support per-VIRTUAL_HOST Nginx conf files --- nginx.tmpl | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/nginx.tmpl b/nginx.tmpl index b694a31..62a6d4b 100644 --- a/nginx.tmpl +++ b/nginx.tmpl 
@@ -107,6 +107,10 @@ server { add_header Strict-Transport-Security "max-age=31536000; includeSubdomains"; + {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }} + include {{ printf "/etc/nginx/vhost.d/%s" $host }}; + {{ end }} + location / { proxy_pass {{ $proto }}://{{ $host }}; {{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }} @@ -120,6 +124,10 @@ server { server { server_name {{ $host }}; + {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }} + include {{ printf "/etc/nginx/vhost.d/%s" $host }}; + {{ end }} + location / { proxy_pass {{ $proto }}://{{ $host }}; {{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }} From d4d9755a42395f507182dab1a34ce739eed89a97 Mon Sep 17 00:00:00 2001 From: Mike Dillon Date: Sun, 22 Feb 2015 09:50:19 -0800 Subject: [PATCH 21/34] Document custom Nginx configuration in README.md --- README.md | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/README.md b/README.md index 4799666..a46e494 100644 --- a/README.md +++ b/README.md 
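Review bot: nginx's `include` treats its argument as a filename mask, so for a wildcard VIRTUAL_HOST such as `*.bar.com` (documented in PATCH 14) the generated `include /etc/nginx/vhost.d/*.bar.com;` pulls every file in `vhost.d` matching that glob — e.g. `foo.bar.com`'s per-host settings — into the wildcard server once the literal `*.bar.com` file exists and the `exists` check passes. Either document that per-host files are unsupported for wildcard and regex hosts or guard the include, and since the value is interpolated unquoted, a host name carrying `;` or whitespace would also break out of the directive; a comment at the include, e.g. `{{/* $host is used unquoted here and nginx expands globs in include paths: only literal host names are safe */}}`, records the constraint. The same block is added to both server stanzas (second hunk `@@ -120,6 +124,10 @@`), so a single shared fragment would avoid the two drifting apart.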
@@ -114,3 +114,36 @@ In order to be able to securize your virtual host, you have to create a file nam $ docker run -d -p 80:80 -p 443:443 -v /path/to/htpasswd:/etc/nginx/htpasswd -v /path/to/certs:/etc/nginx/certs -v /var/run/docker.sock:/tmp/docker.sock jwilder/nginx-proxy You'll need apache2-utils on the machine you plan to create de htpasswd file. Follow these [instructions](http://httpd.apache.org/docs/2.2/programs/htpasswd.html) + +### Custom Nginx Configuration + +If you need to configure Nginx beyond what is possible using environment variables, you can provide custom configuration files on either a proxy-wide or per-`VIRTUAL_HOST` basis. + +#### Proxy-wide + +To add settings on a proxy-wide basis, add your configuration file under `/etc/nginx/conf.d` using a name ending in `.conf`. + +This can be done in a derived image by creating the file in a `RUN` command or by `COPY`ing the file into `conf.d`: + +```Dockerfile +FROM jwilder/nginx-proxy +RUN { \ + echo 'server_tokens off;'; \ + echo 'client_max_body_size 100m;'; \ + } > /etc/nginx/conf.d/my_custom_proxy.conf +``` + +Or it can be done by mounting in your custom configuration in your `docker run` command: + + $ docker run -d -p 80:80 -p 443:443 -v /path/to/my_custom_proxy.conf:/etc/nginx/conf.d/my_custom_proxy.conf:ro -v /var/run/docker.sock:/tmp/docker.sock jwilder/nginx-proxy + +#### Per-VIRTUAL_HOST + +To add settings on a per-`VIRTUAL_HOST` basis, add your configuration file under `/etc/nginx/vhost.d`. Unlike in the proxy-wide case, which allows mutliple config files with any name ending in `.conf`, the per-`VIRTUAL_HOST` file must be named exactly after the `VIRTUAL_HOST`. + +In order to allow virtual hosts to be dynamically configured as backends are added and removed, it makes the most sense to mount an external directory as `/etc/nginx/vhost.d` as oppposed to using derived images or mounting individual configuration files. 
+ +For example, if you have a virtual host named `app.example.com`, you could provide a custom configuration for that host as follows: + + $ docker run -d -p 80:80 -p 443:443 -v /path/to/vhost.d:/etc/nginx/vhost.d:ro -v /var/run/docker.sock:/tmp/docker.sock jwilder/nginx-proxy + $ { echo 'server_tokens off;'; echo 'client_max_body_size 100m;'; } > /path/to/vhost.d/app.example.com From c4b3955ab91c7e5e3bf93574dd47c6ffd3adca35 Mon Sep 17 00:00:00 2001 From: Mike Dillon Date: Sun, 22 Feb 2015 10:02:13 -0800 Subject: [PATCH 22/34] Fix typo; shorten example conf file name --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index a46e494..40f8169 100644 --- a/README.md +++ b/README.md 
@@ -130,18 +130,18 @@ FROM jwilder/nginx-proxy RUN { \ echo 'server_tokens off;'; \ echo 'client_max_body_size 100m;'; \ - } > /etc/nginx/conf.d/my_custom_proxy.conf + } > /etc/nginx/conf.d/my_proxy.conf ``` Or it can be done by mounting in your custom configuration in your `docker run` command: - $ docker run -d -p 80:80 -p 443:443 -v /path/to/my_custom_proxy.conf:/etc/nginx/conf.d/my_custom_proxy.conf:ro -v /var/run/docker.sock:/tmp/docker.sock jwilder/nginx-proxy + $ docker run -d -p 80:80 -p 443:443 -v /path/to/my_proxy.conf:/etc/nginx/conf.d/my_proxy.conf:ro -v /var/run/docker.sock:/tmp/docker.sock jwilder/nginx-proxy #### Per-VIRTUAL_HOST To add settings on a per-`VIRTUAL_HOST` basis, add your configuration file under `/etc/nginx/vhost.d`. Unlike in the proxy-wide case, which allows mutliple config files with any name ending in `.conf`, the per-`VIRTUAL_HOST` file must be named exactly after the `VIRTUAL_HOST`. -In order to allow virtual hosts to be dynamically configured as backends are added and removed, it makes the most sense to mount an external directory as `/etc/nginx/vhost.d` as oppposed to using derived images or mounting individual configuration files. +In order to allow virtual hosts to be dynamically configured as backends are added and removed, it makes the most sense to mount an external directory as `/etc/nginx/vhost.d` as opposed to using derived images or mounting individual configuration files. For example, if you have a virtual host named `app.example.com`, you could provide a custom configuration for that host as follows: From 927e583f6a250903944bc5458814d4bc55833a6d Mon Sep 17 00:00:00 2001 From: Mike Dillon Date: Sun, 22 Feb 2015 11:19:33 -0800 Subject: [PATCH 23/34] Document custom config for multi-host VIRTUAL_HOST --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index 40f8169..b074909 100644 --- a/README.md +++ b/README.md 
@@ -147,3 +147,8 @@ For example, if you have a virtual host named `app.example.com`, you could provi $ docker run -d -p 80:80 -p 443:443 -v /path/to/vhost.d:/etc/nginx/vhost.d:ro -v /var/run/docker.sock:/tmp/docker.sock jwilder/nginx-proxy $ { echo 'server_tokens off;'; echo 'client_max_body_size 100m;'; } > /path/to/vhost.d/app.example.com + +If you are using multiple hostnames for a single container (e.g. `VIRTUAL_HOST=example.com,www.example.com`), the virtual host configuration file must exist for each hostname. If you would like to use the same configuration for multiple virtual host names, you can use a symlink: + + $ { echo 'server_tokens off;'; echo 'client_max_body_size 100m;'; } > /path/to/vhost.d/www.example.com + $ ln -s www.example.com /path/to/vhost.d/example.com From aa5dfdb3d5d5f08d0c1d2d4f5dd3664eac700309 Mon Sep 17 00:00:00 2001 From: Mike Dillon Date: Wed, 25 Feb 2015 10:29:59 -0800 Subject: [PATCH 24/34] Fix HTTP->HTTPS redirect for wildcard hosts Uses Nginx's $host instead of interpolating `{{ $host }}` in the template --- nginx.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx.tmpl b/nginx.tmpl index 40d441a..fdb319c 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -88,7 +88,7 @@ upstream {{ $host }} { server { server_name {{ $host }}; - rewrite ^(.*) https://{{ $host }}$1 permanent; + return 301 https://$host$request_uri; } server { From 4a99ac554824cde8be34cc173abc7cf1ef69dd7a Mon Sep 17 00:00:00 2001 From: Jason Wilder Date: Sat, 28 Feb 2015 15:50:59 -0700 Subject: [PATCH 25/34] Remove includeSubdomains from HSTS header includeSubdomains can lead to issues where not all subdomains are able to use HTTPS. This options might be too strict for the general case: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security. It can be re-enabled w/ a custom template if needed. Fixes #109 --- nginx.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx.tmpl b/nginx.tmpl index fdb319c..446ec31 100644 
--- a/nginx.tmpl +++ b/nginx.tmpl @@ -105,7 +105,7 @@ server { ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }}; ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }}; - add_header Strict-Transport-Security "max-age=31536000; includeSubdomains"; + add_header Strict-Transport-Security "max-age=31536000"; {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }} include {{ printf "/etc/nginx/vhost.d/%s" $host }}; From 8d885aac1a55d583b8de71117056ffa204f4949d Mon Sep 17 00:00:00 2001 From: Mike Dillon Date: Tue, 10 Mar 2015 21:15:42 -0700 Subject: [PATCH 26/34] Update to `nginx:1.7.10` --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 48a6949..19ee3a7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM nginx:1.7.8 +FROM nginx:1.7.10 MAINTAINER Jason Wilder jwilder@litl.com # Install wget and install/updates certificates From 1f426a6e61c944334b411add01e55636996b384e Mon Sep 17 00:00:00 2001 From: Bernardo Farah Date: Fri, 13 Mar 2015 14:53:40 -0700 Subject: [PATCH 27/34] Updated docker-gen version to 0.3.8 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 19ee3a7..c3b3b0f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -17,7 +17,7 @@ RUN echo "daemon off;" >> /etc/nginx/nginx.conf \ RUN wget -P /usr/local/bin https://godist.herokuapp.com/projects/ddollar/forego/releases/current/linux-amd64/forego \ && chmod u+x /usr/local/bin/forego -ENV DOCKER_GEN_VERSION 0.3.6 +ENV DOCKER_GEN_VERSION 0.3.8 RUN wget https://github.com/jwilder/docker-gen/releases/download/$DOCKER_GEN_VERSION/docker-gen-linux-amd64-$DOCKER_GEN_VERSION.tar.gz \ && tar -C /usr/local/bin -xvzf docker-gen-linux-amd64-$DOCKER_GEN_VERSION.tar.gz \ From 95df1d225ecbdd6c631392a8e04fee7c68d2db11 Mon Sep 17 00:00:00 2001 
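Review bot: The HSTS `add_header` sits at `server` level and nginx only inherits `add_header` into a `location` that defines none of its own, so any `add_header` a custom vhost.d file (pulled in by the `include` on the context line below) puts inside `location /` silently drops Strict-Transport-Security for that host; a template comment next to this line would save debugging time, e.g. `{{/* add_header is not inherited into a location that sets its own headers; keep HSTS in mind when customising vhost.d */}}`. Dropping `includeSubdomains` as the commit does is a defensible default, but the README's SSL section (which still says HSTS is enabled) should state the resulting policy: one year, this host only. The `server` block this belongs to starts above the hunk.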
From: Jason Wilder Date: Fri, 13 Mar 2015 17:25:53 -0600 Subject: [PATCH 28/34] Update to docker-gen 0.3.9 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index c3b3b0f..caf1227 100644 --- a/Dockerfile +++ b/Dockerfile @@ -17,7 +17,7 @@ RUN echo "daemon off;" >> /etc/nginx/nginx.conf \ RUN wget -P /usr/local/bin https://godist.herokuapp.com/projects/ddollar/forego/releases/current/linux-amd64/forego \ && chmod u+x /usr/local/bin/forego -ENV DOCKER_GEN_VERSION 0.3.8 +ENV DOCKER_GEN_VERSION 0.3.9 RUN wget https://github.com/jwilder/docker-gen/releases/download/$DOCKER_GEN_VERSION/docker-gen-linux-amd64-$DOCKER_GEN_VERSION.tar.gz \ && tar -C /usr/local/bin -xvzf docker-gen-linux-amd64-$DOCKER_GEN_VERSION.tar.gz \ From ead1912590fdcdca4fb0a60d8ebcdde561df4b0c Mon Sep 17 00:00:00 2001 From: Mike Dillon Date: Fri, 27 Mar 2015 10:11:54 -0700 Subject: [PATCH 29/34] Update to Nginx 1.7.11 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index caf1227..4cc047f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM nginx:1.7.10 +FROM nginx:1.7.11 MAINTAINER Jason Wilder jwilder@litl.com # Install wget and install/updates certificates From e4a5d9a5107f52f6d3437b76d7d548bbcc72f3cf Mon Sep 17 00:00:00 2001 From: David Wisner Date: Tue, 31 Mar 2015 21:28:02 -0700 Subject: [PATCH 30/34] update --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b074909..93e3dd7 100644 --- a/README.md +++ b/README.md 
@@ -1,4 +1,4 @@
-![nginx 1.7.8](https://img.shields.io/badge/nginx-1.7.8-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg)
+![nginx 1.7.11](https://img.shields.io/badge/nginx-1.7.11-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg)
 nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped.
From ce3f1fa7ca0ac9eb517340bbd3638b24797259d7 Mon Sep 17 00:00:00 2001
From: Tobias Munk
Date: Thu, 9 Apr 2015 22:08:59 +0200
Subject: [PATCH 31/34] show command on multiple lines, increased readability
---
 README.md | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 93e3dd7..2312b25 100644
--- a/README.md
+++ b/README.md
@@ -111,7 +111,13 @@ a 503.
 In order to be able to securize your virtual host, you have to create a file named as its equivalent VIRTUAL_HOST variable on directory /etc/nginx/htpasswd/$VIRTUAL_HOST
- $ docker run -d -p 80:80 -p 443:443 -v /path/to/htpasswd:/etc/nginx/htpasswd -v /path/to/certs:/etc/nginx/certs -v /var/run/docker.sock:/tmp/docker.sock jwilder/nginx-proxy
+```
+$ docker run -d -p 80:80 -p 443:443 \
+ -v /path/to/htpasswd:/etc/nginx/htpasswd \
+ -v /path/to/certs:/etc/nginx/certs \
+ -v /var/run/docker.sock:/tmp/docker.sock \
+ jwilder/nginx-proxy
+```
 You'll need apache2-utils on the machine you plan to create de htpasswd file. Follow these [instructions](http://httpd.apache.org/docs/2.2/programs/htpasswd.html)
From 4d2403b5d7d93c9704e52ea9400f21fc5ca40373 Mon Sep 17 00:00:00 2001
From: Kuo-Cheng Yeu
Date: Wed, 29 Apr 2015 14:41:25 +0800
Subject: [PATCH 32/34] Add SPDY support
---
 nginx.tmpl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/nginx.tmpl b/nginx.tmpl
index 446ec31..02d936a 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -93,7 +93,7 @@ server {
 server {
 server_name {{ $host }};
- listen 443 ssl;
+ listen 443 ssl spdy;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
@@ -140,7 +140,7 @@ server {
 {{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
 server {
 server_name {{ $host }};
- listen 443 ssl;
+ listen 443 ssl spdy;
 return 503;
 ssl_certificate /etc/nginx/certs/default.crt;
From 7eb785cec584843fb4ab0d0db9016f7ba1bb37c3 Mon Sep 17 00:00:00 2001
From: Mike Dillon
Date: Fri, 1 May 2015 14:01:30 -0700
Subject: [PATCH 33/34] Update base image to nginx:1.9.0
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 4cc047f..571817c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM nginx:1.7.11
+FROM nginx:1.9.0
 MAINTAINER Jason Wilder jwilder@litl.com
 # Install wget and install/updates certificates
From 94fd06b98cc0de72aafde05d0ea62089ddaf4b80 Mon Sep 17 00:00:00 2001
From: Mike Dillon
Date: Sat, 2 May 2015 15:57:48 -0700
Subject: [PATCH 34/34] Update README.md to refer to nginx 1.9.0
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 2312b25..230181a 100644
--- a/README.md
+++ b/README.md
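Review bot: The `spdy` listen parameter added in both hunks (the per-host server at -93 and the default 503 server at -140) depends on the base image's nginx being built with ngx_http_spdy_module, which the template cannot check, and nginx rejects an unknown listen parameter at config load, so a base image without the module takes every TLS vhost down rather than merely losing SPDY. Upstream replaced the SPDY module with http2 in nginx 1.9.5, so the `FROM nginx:1.x` bumps this series makes elsewhere will eventually hit exactly that. A comment on the first listen line, `# spdy needs ngx_http_spdy_module (replaced by http2 in nginx 1.9.5); drop or switch this parameter when bumping the base image`, would record the coupling for whoever does the next bump. Both server blocks continue past the end of their hunks.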
@@ -1,4 +1,4 @@
-![nginx 1.7.11](https://img.shields.io/badge/nginx-1.7.11-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg)
+![nginx 1.9.0](https://img.shields.io/badge/nginx-1.9.0-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg)
 nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped.