
first commit

Christoph Haas 3 months ago
commit
5e3dcd47ca
17 changed files with 1156 additions and 0 deletions
  1. 95
    0
      .env.sample
  2. 4
    0
      .gitignore
  3. 21
    0
      LICENSE
  4. 261
    0
      README.md
  5. 50
    0
      conf.d/realip.conf
  6. 7
    0
      conf.d/servertokens.conf
  7. 7
    0
      conf.d/uploadsize.conf
  8. 77
    0
      docker-compose-multiple-networks.yml
  9. 65
    0
      docker-compose.yml
  10. 27
    0
      docs/HOWTO-Synlogy.md
  11. 361
    0
      nginx.tmpl
  12. 18
    0
      scripts/base.sh
  13. 42
    0
      scripts/update.sh
  14. 68
    0
      start.sh
  15. 22
    0
      test_start.sh
  16. 25
    0
      test_start_ssl.sh
  17. 6
    0
      test_stop.sh

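--- a/.env.sample
+++ b/.env.sample
@@ -0,0 +1,95 @@
+#
+# docker-compose-letsencrypt-nginx-proxy-companion
+#
+# A Web Proxy using docker with NGINX and Let's Encrypt
+# Using the great community docker-gen, nginx-proxy and docker-letsencrypt-nginx-proxy-companion
+#
+# This is the .env file to set up your webproxy enviornment
+
+#
+# Your local containers NAME
+#
+NGINX_WEB=nginx-web
+DOCKER_GEN=nginx-gen
+LETS_ENCRYPT=nginx-letsencrypt
+
+#
+# Set the IP address of the external access Interface
+#
+IP=0.0.0.0
+
+#
+# Default Network
+#
+NETWORK=webproxy
+
+# If you want to customize the created network, use the following variable
+#NETWORK_OPTIONS="--opt encrypted=true"
+
+#
+# Service Network (Optional)
+#
+# In case you decide to add a new network to your services containers you can set this
+# network as a SERVICE_NETWORK
+#
+# [WARNING] This setting was built to use our `start.sh` script or in that special case
+#           you could use the docker-composer with our multiple network option, as of:
+#           `docker-compose -f docker-compose-multiple-networks.yml up -d`
+#
+#SERVICE_NETWORK=webservices
+
+# If you want to customize the created network, use the following variable
+#SERVICE_NETWORK_OPTIONS="--opt encrypted=true"
+
+#
+## NGINX file path (mount into the host)
+# Here you can configure the path where nginx stores all the configurations and certificates.
+# With the value ./nginx-data it creates a new sub-folder into your current path.
+
+NGINX_FILES_PATH=./nginx-data
+
+#
+# NGINX use special conf files
+#
+# In case you want to add some special configuration to your NGINX Web Proxy you could
+# add your files to ./conf.d/ folder as of sample file 'uploadsize.conf'
+#
+# [WARNING] This setting was built to use our `start.sh`.
+#
+# [WARNING] Once you set this options to true all your files will be copied to data
+#           folder (./data/conf.d). If you decide to remove this special configuration
+#           you must delete your files from data folder ./data/conf.d.
+#
+#USE_NGINX_CONF_FILES=true
+
+#
+# Docker Logging Config
+#
+# This section offers two options max-size and max-file, which follow the docker documentation
+# as follow:
+#
+# logging:
+#      driver: "json-file"
+#      options:
+#        max-size: "200k"
+#        max-file: "10"
+#
+#NGINX_WEB_LOG_DRIVER=json-file
+#NGINX_WEB_LOG_MAX_SIZE=4m
+#NGINX_WEB_LOG_MAX_FILE=10
+
+#NGINX_GEN_LOG_DRIVER=json-file
+#NGINX_GEN_LOG_MAX_SIZE=2m
+#NGINX_GEN_LOG_MAX_FILE=10
+
+#NGINX_LETSENCRYPT_LOG_DRIVER=json-file
+#NGINX_LETSENCRYPT_LOG_MAX_SIZE=2m
+#NGINX_LETSENCRYPT_LOG_MAX_FILE=10
+
+#
+# Set the local exposed ports for http and https on the Host
+#
+# NOTE: The default values are 80 and 443, only change this options if you really know what you are doing
+#
+#DOCKER_HTTP=80
+#DOCKER_HTTPS=443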
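Review bot: The USE_NGINX_CONF_FILES warning at lines 59–61 tells the reader that files are copied to `./data/conf.d` and must be removed from `./data/conf.d`, but the only storage path this file configures is `NGINX_FILES_PATH=./nginx-data` at line 49, so the warning points at a directory this configuration never creates. Reword it in terms of the variable, e.g. `#           folder (${NGINX_FILES_PATH}/conf.d). If you decide to remove this special configuration` and `#           you must delete your files from ${NGINX_FILES_PATH}/conf.d.`, so it stays correct whatever path the user chooses. Whether start.sh really copies into the configured path cannot be confirmed from this page (start.sh is listed in the diffstat but its content is not shown). Line 7 also misspells "environment".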

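--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,4 @@
+data
+.env*
+!.env.sample
+.DS_Store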
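Review bot: Only `data` is ignored, but the `.env.sample` in this same commit sets `NGINX_FILES_PATH=./nginx-data`, and the compose files mount `${NGINX_FILES_PATH}/certs` and `${NGINX_FILES_PATH}/htpasswd` into the proxy, so a user who copies the sample as instructed ends up with TLS private keys and password hashes in a directory git will track by default. Add the sample's default alongside the existing entry, e.g. `nginx-data`, ideally with a comment such as `# persistent nginx state: contains private keys and htpasswd files, never commit`. Whether start.sh changes the path again cannot be confirmed from this page.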

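--- a/LICENSE
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2017 Evert Ramos
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.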

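--- a/README.md
+++ b/README.md
@@ -0,0 +1,261 @@
+# Web Proxy using Docker, NGINX and Let's Encrypt
+
+With this repo you will be able to set up your server with multiple sites using a single NGINX proxy to manage your connections, automating your apps container (port 80 and 443) to auto renew your ssl certificates with Let´s Encrypt.
+
+Something like:
+
+![Web Proxy environment](https://github.com/evertramos/images/raw/master/webproxy.jpg)
+
+
+## Why use it?
+
+Using this set up you will be able start a production environment in a few seconds. For each new web project simply start the containers with the option `-e VIRTUAL_HOST=your.domain.com` and you will be ready to go. If you want to use SSL (Let's Encrypt) just add the tag `-e LETSENCRYPT_HOST=your.domain.com`. Done!
+
+Easy and trustworthy!
+
+
+## Prerequisites
+
+In order to use this compose file (docker-compose.yml) you must have:
+
+1. docker (https://docs.docker.com/engine/installation/)
+2. docker-compose (https://docs.docker.com/compose/install/)
+
+
+## How to use it
+
+1. Clone this repository:
+
+```bash
+git clone https://github.com/evertramos/docker-compose-letsencrypt-nginx-proxy-companion.git
+```
+
+2. Make a copy of our `.env.sample` and rename it to `.env`:
+
+Update this file with your preferences.
+
+```
+#
+# docker-compose-letsencrypt-nginx-proxy-companion
+#
+# A Web Proxy using docker with NGINX and Let's Encrypt
+# Using the great community docker-gen, nginx-proxy and docker-letsencrypt-nginx-proxy-companion
+#
+# This is the .env file to set up your webproxy enviornment
+
+#
+# Your local containers NAME
+#
+NGINX_WEB=nginx-web
+DOCKER_GEN=nginx-gen
+LETS_ENCRYPT=nginx-letsencrypt
+
+#
+# Set the IP address of the external access Interface
+#
+IP=0.0.0.0
+
+#
+# Default Network
+#
+NETWORK=webproxy
+
+# If you want to customize the created network, use the following variable
+#NETWORK_OPTIONS="--opt encrypted=true"
+
+#
+# Service Network (Optional)
+#
+# In case you decide to add a new network to your services containers you can set this
+# network as a SERVICE_NETWORK
+#
+# [WARNING] This setting was built to use our `start.sh` script or in that special case
+#           you could use the docker-composer with our multiple network option, as of:
+#           `docker-compose -f docker-compose-multiple-networks.yml up -d`
+#
+#SERVICE_NETWORK=webservices
+
+# If you want to customize the created network, use the following variable
+#SERVICE_NETWORK_OPTIONS="--opt encrypted=true"
+
+#
+## NGINX file path (mount into the host)
+# Here you can configure the path where nginx stores all the configurations and certificates.
+# With the value ./nginx-data it creates a new sub-folder into your current path.
+
+NGINX_FILES_PATH=./nginx-data
+
+#
+# NGINX use special conf files
+#
+# In case you want to add some special configuration to your NGINX Web Proxy you could
+# add your files to ./conf.d/ folder as of sample file 'uploadsize.conf'
+#
+# [WARNING] This setting was built to use our `start.sh`.
+#
+# [WARNING] Once you set this options to true all your files will be copied to data
+#           folder (./data/conf.d). If you decide to remove this special configuration
+#           you must delete your files from data folder ./data/conf.d.
+#
+#USE_NGINX_CONF_FILES=true
+
+#
+# Docker Logging Config
+#
+# This section offers two options max-size and max-file, which follow the docker documentation
+# as follow:
+#
+# logging:
+#      driver: "json-file"
+#      options:
+#        max-size: "200k"
+#        max-file: "10"
+#
+#NGINX_WEB_LOG_DRIVER=json-file
+#NGINX_WEB_LOG_MAX_SIZE=4m
+#NGINX_WEB_LOG_MAX_FILE=10
+
+#NGINX_GEN_LOG_DRIVER=json-file
+#NGINX_GEN_LOG_MAX_SIZE=2m
+#NGINX_GEN_LOG_MAX_FILE=10
+
+#NGINX_LETSENCRYPT_LOG_DRIVER=json-file
+#NGINX_LETSENCRYPT_LOG_MAX_SIZE=2m
+#NGINX_LETSENCRYPT_LOG_MAX_FILE=10
+```
+
+3. Run our start script
+
+```bash
+./start.sh
+```
+
+Your proxy is ready to go!
+
+## Starting your web containers
+
+After following the steps above you can start new web containers with port 80 open and add the option `-e VIRTUAL_HOST=your.domain.com` so proxy will automatically generate the reverse script in NGINX Proxy to forward new connections to your web/app container, as of:
+
+```bash
+docker run -d -e VIRTUAL_HOST=your.domain.com \
+              --network=webproxy \
+              --name my_app \
+              httpd:alpine
+```
+
+To have SSL in your web/app you just add the option `-e LETSENCRYPT_HOST=your.domain.com`, as follow:
+
+```bash
+docker run -d -e VIRTUAL_HOST=your.domain.com \
+              -e LETSENCRYPT_HOST=your.domain.com \
+              -e LETSENCRYPT_EMAIL=your.email@your.domain.com \
+              --network=webproxy \
+              --name my_app \
+              httpd:alpine
+```
+
+> You don´t need to open port *443* in your container, the certificate validation is managed by the web proxy.
+
+
+> Please note that when running a new container to generate certificates with LetsEncrypt (`-e LETSENCRYPT_HOST=your.domain.com`), it may take a few minutes, depending on multiples circumstances.
+
+## Further Options
+
+1. Basic Authentication Support
+
+In order to be able to secure your virtual host with basic authentication, you must create a htpasswd file within `${NGINX_FILES_PATH}/htpasswd/${VIRTUAL_HOST}` via:
+
+```bash
+sudo sh -c "echo -n '[username]:' >> ${NGINX_FILES_PATH}/htpasswd/${VIRTUAL_HOST}"
+sudo sh -c "openssl passwd -apr1 >> ${NGINX_FILES_PATH}/htpasswd/${VIRTUAL_HOST}"
+```
+
+> Please substitute the `${NGINX_FILES_PATH}` with your path information, replace `[username]` with your username and `${VIRTUAL_HOST}` with your host's domain. You will be prompted for a password.
+
+2. Using multiple networks
+
+If you want to use more than one network to better organize your environment you could set the option `SERVICE_NETWORK` in our `.env.sample` or you can just create your own network and attach all your containers as of:
+
+```bash
+docker network create myownnetwork
+docker network connect myownnetwork nginx-web
+docker network connect myownnetwork nginx-gen
+docker network connect myownnetwork nginx-letsencrypt
+```
+
+3. Using different ports to be proxied
+
+If your service container runs on port 8545 you probably will need to add the `VIRTUAL_PORT` environment variable to your container, in the `docker-compose.yml`, as of:
+
+```bash
+parity
+    image: parity/parity:v1.8.9
+    [...]
+    environment:
+      [...]
+      VIRTUAL_PORT: 8545
+```
+
+Or as of below:
+
+```bash
+docker run [...] -e VIRTUAL_PORT=8545 [...]
+```
+
+## Testing your proxy with scripts preconfigured 
+
+1. Run the script `test.sh` informing your domain already configured in your DNS to point out to your server as follow:
+
+```bash
+./test_start_ssl.sh your.domain.com
+```
+
+or simply run:
+
+```bash
+docker run -dit -e VIRTUAL_HOST=your.domain.com --network=webproxy --name test-web httpd:alpine
+```
+
+Access your browser with your domain!
+
+To stop and remove your test container run our `stop_test.sh` script:
+
+```bash
+./test_stop.sh
+```
+
+Or simply run:
+
+```bash
+docker stop test-web && docker rm test-web 
+```
+
+## Running this Proxy on a Synology NAS
+
+Please checkout this [howto](https://github.com/evertramos/docker-compose-letsencrypt-nginx-proxy-companion/blob/master/docs/HOWTO-Synlogy.md).
+
+
+## Production Environment using Web Proxy and Wordpress
+
+1. [docker-wordpress-letsencrypt](https://github.com/evertramos/docker-wordpress-letsencrypt)
+2. [docker-portainer-letsencrypt](https://github.com/evertramos/docker-portainer-letsencrypt)
+3. [docker-nextcloud-letsencrypt](https://github.com/evertramos/docker-nextcloud-letsencrypt)
+
+In this repo you will find a docker-compose file to start a production environment for a new wordpress site.
+
+## Credits
+
+Without the repositories below this webproxy wouldn´t be possible.
+
+Credits goes to:
+- nginx-proxy [@jwilder](https://github.com/jwilder/nginx-proxy)
+- docker-gen [@jwilder](https://github.com/jwilder/docker-gen)
+- docker-letsencrypt-nginx-proxy-companion [@JrCs](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion)
+
+
+### Special thanks to:
+
+- [@j7an](https://github.com/j7an) - Many contributions and the ipv6 branch!
+- [@buchdag](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion/pull/226#event-1145800062)
+- [@fracz](https://github.com/fracz) - Many contributions!
+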

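--- a/conf.d/realip.conf
+++ b/conf.d/realip.conf
@@ -0,0 +1,50 @@
+#
+# [WARNING] To enable this files you need to uncomment USE_NGINX_CONF_FILES=true in .env file
+#
+# [WARNING] Also, read all the comments in .env about NGINX use special conf files
+#
+
+#
+# Real IP Settings
+#
+# This option get user's real ip address
+# to be fowared to your service container
+
+#
+# Basic settings
+#
+# The option 'set_real_ip_from'
+# must correspont to your docker network address
+set_real_ip_from  172.18.0.0/32;
+real_ip_header    X-Real-IP;
+real_ip_recursive on;
+
+#
+# CloudFlare settings
+#
+# If you CloudFlare and want to forward the
+# user's real IP to your app services you 
+# must uncomment all lines below and be sure
+# to comment the lines of the "Basic settings"
+#set_real_ip_from 103.21.244.0/22;
+#set_real_ip_from 103.22.200.0/22;
+#set_real_ip_from 103.31.4.0/22;
+#set_real_ip_from 104.16.0.0/12;
+#set_real_ip_from 108.162.192.0/18;
+#set_real_ip_from 131.0.72.0/22;
+#set_real_ip_from 141.101.64.0/18;
+#set_real_ip_from 162.158.0.0/15;
+#set_real_ip_from 172.64.0.0/13;
+#set_real_ip_from 173.245.48.0/20;
+#set_real_ip_from 188.114.96.0/20;
+#set_real_ip_from 190.93.240.0/20;
+#set_real_ip_from 197.234.240.0/22;
+#set_real_ip_from 198.41.128.0/17;
+#set_real_ip_from 2400:cb00::/32;
+#set_real_ip_from 2606:4700::/32;
+#set_real_ip_from 2803:f800::/32;
+#set_real_ip_from 2405:b500::/32;
+#set_real_ip_from 2405:8100::/32;
+#set_real_ip_from 2c0f:f248::/32;
+#set_real_ip_from 2a06:98c0::/29;
+#real_ip_header X-Forwarded-For;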
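Review bot: `set_real_ip_from  172.18.0.0/32;` at line 18 trusts exactly one address, 172.18.0.0, which is the network address of a /16 and is never assigned to a container or gateway, so the directive matches nothing and `X-Real-IP` is silently never honoured; the comment above it says the value must match the docker network, which suggests a `/16` prefix was intended (the real subnet can only be read from the host, e.g. via `docker network inspect`). Whatever range is chosen should be no wider than the hosts that legitimately sit in front of this nginx, because every peer inside the trusted range may set `X-Real-IP` and thereby rewrite the client address that backends log and that IP-based controls such as the `network_internal.conf` include in nginx.tmpl act on. With `real_ip_recursive on` the same trust applies to each hop in `X-Forwarded-For` once the CloudFlare block is enabled. A comment stating this would help, e.g. `# Trust only the proxy/network directly in front of nginx: any address in this range can rewrite the client IP`.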

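--- a/conf.d/servertokens.conf
+++ b/conf.d/servertokens.conf
@@ -0,0 +1,7 @@
+#
+# [WARNING] To enable this files you need to uncomment USE_NGINX_CONF_FILES=true in .env file
+#
+# [WARNING] Also, read all the comments in .env about NGINX use special conf files
+#
+
+server_tokens off;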

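--- a/conf.d/uploadsize.conf
+++ b/conf.d/uploadsize.conf
@@ -0,0 +1,7 @@
+#
+# [WARNING] To enable this files you need to uncomment USE_NGINX_CONF_FILES=true in .env file
+#
+# [WARNING] Also, read all the comments in .env about NGINX use special conf files
+#
+
+client_max_body_size 100m;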

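--- a/docker-compose-multiple-networks.yml
+++ b/docker-compose-multiple-networks.yml
@@ -0,0 +1,77 @@
+version: '3'
+services:
+  nginx-web:
+    image: nginx
+    labels:
+        com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true"
+    container_name: ${NGINX_WEB:-nginx-web}
+    restart: always
+    ports:
+      - "${IP:-0.0.0.0}:${DOCKER_HTTP:-80}:80"
+      - "${IP:-0.0.0.0}:${DOCKER_HTTPS:-443}:443"
+     volumes:
+      - ${NGINX_FILES_PATH:-./data}/conf.d:/etc/nginx/conf.d
+      - ${NGINX_FILES_PATH:-./data}/vhost.d:/etc/nginx/vhost.d
+      - ${NGINX_FILES_PATH:-./data}/html:/usr/share/nginx/html
+      - ${NGINX_FILES_PATH:-./data}/certs:/etc/nginx/certs:ro
+      - ${NGINX_FILES_PATH:-./data}/htpasswd:/etc/nginx/htpasswd:ro
+    networks:
+      - default
+      - outside
+    logging:
+      driver: ${NGINX_WEB_LOG_DRIVER:-json-file}
+      options:
+        max-size: ${NGINX_WEB_LOG_MAX_SIZE:-4m}
+        max-file: ${NGINX_WEB_LOG_MAX_FILE:-10}
+
+  nginx-gen:
+    image: jwilder/docker-gen
+    command: -notify-sighup ${NGINX_WEB:-nginx-web} -watch -wait 5s:30s /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf
+    container_name: ${DOCKER_GEN:-nginx-gen}
+    restart: always
+    volumes:
+      - ${NGINX_FILES_PATH:-./data}/conf.d:/etc/nginx/conf.d
+      - ${NGINX_FILES_PATH:-./data}/vhost.d:/etc/nginx/vhost.d
+      - ${NGINX_FILES_PATH:-./data}/html:/usr/share/nginx/html
+      - ${NGINX_FILES_PATH:-./data}/certs:/etc/nginx/certs:ro
+      - ${NGINX_FILES_PATH:-./data}/htpasswd:/etc/nginx/htpasswd:ro
+      - /var/run/docker.sock:/tmp/docker.sock:ro
+      - ./nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl:ro
+    networks:
+      - default
+      - outside
+    logging:
+      driver: ${NGINX_GEN_LOG_DRIVER:-json-file}
+      options:
+        max-size: ${NGINX_GEN_LOG_MAX_SIZE:-2m}
+        max-file: ${NGINX_GEN_LOG_MAX_FILE:-10}
+
+  nginx-letsencrypt:
+    image: jrcs/letsencrypt-nginx-proxy-companion
+    container_name: ${LETS_ENCRYPT:-nginx-letsencrypt}
+    restart: always
+    volumes:
+      - ${NGINX_FILES_PATH:-./data}/conf.d:/etc/nginx/conf.d
+      - ${NGINX_FILES_PATH:-./data}/vhost.d:/etc/nginx/vhost.d
+      - ${NGINX_FILES_PATH:-./data}/html:/usr/share/nginx/html
+      - ${NGINX_FILES_PATH:-./data}/certs:/etc/nginx/certs:rw
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    environment:
+      NGINX_DOCKER_GEN_CONTAINER: ${DOCKER_GEN:-nginx-gen}
+      NGINX_PROXY_CONTAINER: ${NGINX_WEB:-nginx-web}
+    networks:
+      - default
+      - outside
+    logging:
+      driver: ${NGINX_LETSENCRYPT_LOG_DRIVER:-json-file}
+      options:
+        max-size: ${NGINX_LETSENCRYPT_LOG_MAX_SIZE:-2m}
+        max-file: ${NGINX_LETSENCRYPT_LOG_MAX_FILE:-10}
+
+networks:
+  default:
+    external:
+      name: ${NETWORK:-webproxy}
+  outside:
+    external:
+      name: ${SERVICE_NETWORK:-webservices}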
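Review bot: `     volumes:` at line 12 of the `nginx-web` service is indented five spaces while its siblings `ports:`, `networks:` and `logging:` use four, so the mapping is not valid YAML and `docker-compose -f docker-compose-multiple-networks.yml up` will fail to parse the file; change it to `    volumes:` (docker-compose.yml line 12 has the correct indent). Separately, the three `image:` entries here, and the same three in docker-compose.yml, carry no tag or digest, so every `up` pulls whatever `latest` resolves to at that moment — including for the two services that receive the Docker socket; pinning a tag or `@sha256:` digest (e.g. `image: nginx:<pinned-version>`, placeholder) makes deployments reproducible and turns an image upgrade into a reviewed change.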

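--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -0,0 +1,65 @@
+version: '3'
+services:
+  nginx-web:
+    image: nginx
+    labels:
+        com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true"
+    container_name: ${NGINX_WEB:-nginx-web}
+    restart: always
+    ports:
+      - "${IP:-0.0.0.0}:${DOCKER_HTTP:-80}:80"
+      - "${IP:-0.0.0.0}:${DOCKER_HTTPS:-443}:443"
+    volumes:
+      - ${NGINX_FILES_PATH:-./data}/conf.d:/etc/nginx/conf.d
+      - ${NGINX_FILES_PATH:-./data}/vhost.d:/etc/nginx/vhost.d
+      - ${NGINX_FILES_PATH:-./data}/html:/usr/share/nginx/html
+      - ${NGINX_FILES_PATH:-./data}/certs:/etc/nginx/certs:ro
+      - ${NGINX_FILES_PATH:-./data}/htpasswd:/etc/nginx/htpasswd:ro
+    logging:
+      driver: ${NGINX_WEB_LOG_DRIVER:-json-file}
+      options:
+        max-size: ${NGINX_WEB_LOG_MAX_SIZE:-4m}
+        max-file: ${NGINX_WEB_LOG_MAX_FILE:-10}
+
+  nginx-gen:
+    image: jwilder/docker-gen
+    command: -notify-sighup ${NGINX_WEB:-nginx-web} -watch -wait 5s:30s /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf
+    container_name: ${DOCKER_GEN:-nginx-gen}
+    restart: always
+    volumes:
+      - ${NGINX_FILES_PATH:-./data}/conf.d:/etc/nginx/conf.d
+      - ${NGINX_FILES_PATH:-./data}/vhost.d:/etc/nginx/vhost.d
+      - ${NGINX_FILES_PATH:-./data}/html:/usr/share/nginx/html
+      - ${NGINX_FILES_PATH:-./data}/certs:/etc/nginx/certs:ro
+      - ${NGINX_FILES_PATH:-./data}/htpasswd:/etc/nginx/htpasswd:ro
+      - /var/run/docker.sock:/tmp/docker.sock:ro
+      - ./nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl:ro
+    logging:
+      driver: ${NGINX_GEN_LOG_DRIVER:-json-file}
+      options:
+        max-size: ${NGINX_GEN_LOG_MAX_SIZE:-2m}
+        max-file: ${NGINX_GEN_LOG_MAX_FILE:-10}
+
+  nginx-letsencrypt:
+    image: jrcs/letsencrypt-nginx-proxy-companion
+    container_name: ${LETS_ENCRYPT:-nginx-letsencrypt}
+    restart: always
+    volumes:
+      - ${NGINX_FILES_PATH:-./data}/conf.d:/etc/nginx/conf.d
+      - ${NGINX_FILES_PATH:-./data}/vhost.d:/etc/nginx/vhost.d
+      - ${NGINX_FILES_PATH:-./data}/html:/usr/share/nginx/html
+      - ${NGINX_FILES_PATH:-./data}/certs:/etc/nginx/certs:rw
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    environment:
+      NGINX_DOCKER_GEN_CONTAINER: ${DOCKER_GEN:-nginx-gen}
+      NGINX_PROXY_CONTAINER: ${NGINX_WEB:-nginx-web}
+    logging:
+      driver: ${NGINX_LETSENCRYPT_LOG_DRIVER:-json-file}
+      options:
+        max-size: ${NGINX_LETSENCRYPT_LOG_MAX_SIZE:-2m}
+        max-file: ${NGINX_LETSENCRYPT_LOG_MAX_FILE:-10}
+
+networks:
+  default:
+    external:
+      name: ${NETWORK:-webproxy}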
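Review bot: The `/var/run/docker.sock` mounts at lines 35 and 52 hand nginx-gen and nginx-letsencrypt the full Docker API, which is equivalent to root on the host, and nothing in the file says why that is needed or what it implies for anyone who later swaps or updates those images. Suggest a comment above each mount, e.g. `# docker-gen / the companion need the Docker API to discover containers and signal nginx; this is host-root-equivalent access, so keep the image pinned and review updates`. Note that `:ro` only makes the socket path read-only inside the container; it does not restrict the API calls made through the socket, so it should not be read as a privilege limit.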

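--- a/docs/HOWTO-Synlogy.md
+++ b/docs/HOWTO-Synlogy.md
@@ -0,0 +1,27 @@
+## Port mapping
+Synology default installs a web server on port 80 blocking certificate generation. 
+
+To circumvent this - if you do not need external access to the default web server (and you should not expose it anyway) configure your .env to use alternative ports and your router to forward the external official port to the alternative internal ports:
+
+#
+# Set the local exposed ports for http and https - this will allow you to run with a legacy web 
+# server already installed for local use
+#
+# NOTE: For this to function your internet router must forward the official ports to the mapped ports - 
+#       in this example external port 80 to docker host 81 and external port 443 to docker host 444
+#
+DOCKER_HTTP=81
+DOCKER_HTTPS=444
+
+## File permissions
+To setup the needed configuration directoties and proper permissions run the below commands (assuming default ./data is where you have your catalog for persistent files)
+
+mkdir -p data/certs
+mkdir data/htpasswd
+mkdir data/conf.d
+mkdir data/vhost.d
+mkdir data/html
+chgrp -R 101 data
+chmod -R g+rwx data
+
+Contributed by https://github.com/nicolailang/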

+ 361
- 0
nginx.tmpl View File

@@ -0,0 +1,361 @@
1
+{{ $CurrentContainer := where $ "ID" .Docker.CurrentContainerID | first }}
2
+
3
+{{ define "upstream" }}
4
+	{{ if .Address }}
5
+		{{/* If we got the containers from swarm and this container's port is published to host, use host IP:PORT */}}
6
+		{{ if and .Container.Node.ID .Address.HostPort }}
7
+			# {{ .Container.Node.Name }}/{{ .Container.Name }}
8
+			server {{ .Container.Node.Address.IP }}:{{ .Address.HostPort }};
9
+		{{/* If there is no swarm node or the port is not published on host, use container's IP:PORT */}}
10
+		{{ else if .Network }}
11
+			# {{ .Container.Name }}
12
+			server {{ .Network.IP }}:{{ .Address.Port }};
13
+		{{ end }}
14
+	{{ else if .Network }}
15
+		# {{ .Container.Name }}
16
+		{{ if .Network.IP }}
17
+			server {{ .Network.IP }} down;
18
+		{{ else }}
19
+			server 127.0.0.1 down;
20
+		{{ end }}
21
+	{{ end }}
22
+	
23
+{{ end }}
24
+
25
+# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
26
+# scheme used to connect to this server
27
+map $http_x_forwarded_proto $proxy_x_forwarded_proto {
28
+  default $http_x_forwarded_proto;
29
+  ''      $scheme;
30
+}
31
+
32
+# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
33
+# server port the client connected to
34
+map $http_x_forwarded_port $proxy_x_forwarded_port {
35
+  default $http_x_forwarded_port;
36
+  ''      $server_port;
37
+}
38
+
39
+# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
40
+# Connection header that may have been passed to this server
41
+map $http_upgrade $proxy_connection {
42
+  default upgrade;
43
+  '' close;
44
+}
45
+
46
+# Apply fix for very long server names
47
+server_names_hash_bucket_size 128;
48
+
49
+# Default dhparam
50
+{{ if (exists "/etc/nginx/dhparam/dhparam.pem") }}
51
+ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
52
+{{ end }}
53
+
54
+# Set appropriate X-Forwarded-Ssl header
55
+map $scheme $proxy_x_forwarded_ssl {
56
+  default off;
57
+  https on;
58
+}
59
+
60
+gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
61
+
62
+log_format vhost '$host $remote_addr - $remote_user [$time_local] '
63
+                 '"$request" $status $body_bytes_sent '
64
+                 '"$http_referer" "$http_user_agent"';
65
+
66
+access_log off;
67
+
68
+{{ if $.Env.RESOLVERS }}
69
+resolver {{ $.Env.RESOLVERS }};
70
+{{ end }}
71
+
72
+{{ if (exists "/etc/nginx/proxy.conf") }}
73
+include /etc/nginx/proxy.conf;
74
+{{ else }}
75
+# HTTP 1.1 support
76
+proxy_http_version 1.1;
77
+proxy_buffering off;
78
+proxy_set_header Host $http_host;
79
+proxy_set_header Upgrade $http_upgrade;
80
+proxy_set_header Connection $proxy_connection;
81
+proxy_set_header X-Real-IP $remote_addr;
82
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
83
+proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
84
+proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
85
+proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
86
+
87
+# Mitigate httpoxy attack (see README for details)
88
+proxy_set_header Proxy "";
89
+{{ end }}
90
+
91
+{{ $enable_ipv6 := eq (or ($.Env.ENABLE_IPV6) "") "true" }}
92
+server {
93
+	server_name _; # This is just an invalid value which will never trigger on a real hostname.
94
+	listen 80;
95
+	{{ if $enable_ipv6 }}
96
+	listen [::]:80;
97
+	{{ end }}
98
+	access_log /var/log/nginx/access.log vhost;
99
+	return 503;
100
+}
101
+
102
+{{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
103
+server {
104
+	server_name _; # This is just an invalid value which will never trigger on a real hostname.
105
+	listen 443 ssl http2;
106
+	{{ if $enable_ipv6 }}
107
+	listen [::]:443 ssl http2;
108
+	{{ end }}
109
+	access_log /var/log/nginx/access.log vhost;
110
+	return 503;
111
+
112
+	ssl_session_tickets off;
113
+	ssl_certificate /etc/nginx/certs/default.crt;
114
+	ssl_certificate_key /etc/nginx/certs/default.key;
115
+}
116
+{{ end }}
117
+
118
+{{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }}
119
+
120
+{{ $host := trim $host }}
121
+{{ $is_regexp := hasPrefix "~" $host }}
122
+{{ $upstream_name := when $is_regexp (sha1 $host) $host }}
123
+
124
+# {{ $host }}
125
+upstream {{ $upstream_name }} {
126
+
127
+{{ range $container := $containers }}
128
+	{{ $addrLen := len $container.Addresses }}
129
+
130
+	{{ range $knownNetwork := $CurrentContainer.Networks }}
131
+		{{ range $containerNetwork := $container.Networks }}
132
+			{{ if (and (ne $containerNetwork.Name "ingress") (or (eq $knownNetwork.Name $containerNetwork.Name) (eq $knownNetwork.Name "host"))) }}
133
+				## Can be connected with "{{ $containerNetwork.Name }}" network
134
+
135
+				{{/* If only 1 port exposed, use that */}}
136
+				{{ if eq $addrLen 1 }}
137
+					{{ $address := index $container.Addresses 0 }}
138
+					{{ template "upstream" (dict "Container" $container "Address" $address "Network" $containerNetwork) }}
139
+				{{/* If more than one port exposed, use the one matching VIRTUAL_PORT env var, falling back to standard web port 80 */}}
140
+				{{ else }}
141
+					{{ $port := coalesce $container.Env.VIRTUAL_PORT "80" }}
142
+					{{ $address := where $container.Addresses "Port" $port | first }}
143
+					{{ template "upstream" (dict "Container" $container "Address" $address "Network" $containerNetwork) }}
144
+				{{ end }}
145
+			{{ else }}
146
+				# Cannot connect to network of this container
147
+				server 127.0.0.1 down;
148
+			{{ end }}
149
+		{{ end }}
150
+	{{ end }}
151
+{{ end }}
152
+}
153
+
154
+{{ $default_host := or ($.Env.DEFAULT_HOST) "" }}
155
+{{ $default_server := index (dict $host "" $default_host "default_server") $host }}
156
+
157
+{{/* Get the VIRTUAL_PROTO defined by containers w/ the same vhost, falling back to "http" */}}
158
+{{ $proto := trim (or (first (groupByKeys $containers "Env.VIRTUAL_PROTO")) "http") }}
159
+
160
+{{/* Get the NETWORK_ACCESS defined by containers w/ the same vhost, falling back to "external" */}}
161
+{{ $network_tag := or (first (groupByKeys $containers "Env.NETWORK_ACCESS")) "external" }}
162
+
163
+{{/* Get the HTTPS_METHOD defined by containers w/ the same vhost, falling back to "redirect" */}}
164
+{{ $https_method := or (first (groupByKeys $containers "Env.HTTPS_METHOD")) "redirect" }}
165
+
166
+{{/* Get the SSL_POLICY defined by containers w/ the same vhost, falling back to "Mozilla-Intermediate" */}}
167
+{{ $ssl_policy := or (first (groupByKeys $containers "Env.SSL_POLICY")) "Mozilla-Intermediate" }}
168
+
169
+{{/* Get the HSTS defined by containers w/ the same vhost, falling back to "max-age=31536000" */}}
170
+{{ $hsts := or (first (groupByKeys $containers "Env.HSTS")) "max-age=31536000" }}
171
+
172
+{{/* Get the VIRTUAL_ROOT By containers w/ use fastcgi root */}}
173
+{{ $vhost_root := or (first (groupByKeys $containers "Env.VIRTUAL_ROOT")) "/var/www/public" }}
174
+
175
+
176
+{{/* Get the first cert name defined by containers w/ the same vhost */}}
177
+{{ $certName := (first (groupByKeys $containers "Env.CERT_NAME")) }}
178
+
179
+{{/* Get the best matching cert  by name for the vhost. */}}
180
+{{ $vhostCert := (closest (dir "/etc/nginx/certs") (printf "%s.crt" $host))}}
181
+
182
+{{/* vhostCert is actually a filename so remove any suffixes since they are added later */}}
183
+{{ $vhostCert := trimSuffix ".crt" $vhostCert }}
184
+{{ $vhostCert := trimSuffix ".key" $vhostCert }}
185
+
186
+{{/* Use the cert specified on the container or fallback to the best vhost match */}}
187
+{{ $cert := (coalesce $certName $vhostCert) }}
188
+
189
+{{ $is_https := (and (ne $https_method "nohttps") (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}
190
+
191
+{{ if $is_https }}
192
+
193
+{{ if eq $https_method "redirect" }}
194
+server {
195
+	server_name {{ $host }};
196
+	listen 80 {{ $default_server }};
197
+	{{ if $enable_ipv6 }}
198
+	listen [::]:80 {{ $default_server }};
199
+	{{ end }}
200
+	access_log /var/log/nginx/access.log vhost;
201
+	return 301 https://$host$request_uri;
202
+}
203
+{{ end }}
204
+
205
+server {
206
+	server_name {{ $host }};
207
+	listen 443 ssl http2 {{ $default_server }};
208
+	{{ if $enable_ipv6 }}
209
+	listen [::]:443 ssl http2 {{ $default_server }};
210
+	{{ end }}
211
+	access_log /var/log/nginx/access.log vhost;
212
+
213
+	{{ if eq $network_tag "internal" }}
214
+	# Only allow traffic from internal clients
215
+	include /etc/nginx/network_internal.conf;
216
+	{{ end }}
217
+
218
+	{{ if eq $ssl_policy "Mozilla-Modern" }}
219
+	ssl_protocols TLSv1.2 TLSv1.3;
220
+	ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
221
+	{{ else if eq $ssl_policy "Mozilla-Intermediate" }}
222
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
223
+	ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
224
+	{{ else if eq $ssl_policy "Mozilla-Old" }}
225
+	ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
226
+	ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP';
227
+	{{ else if eq $ssl_policy "AWS-TLS-1-2-2017-01" }}
228
+	ssl_protocols TLSv1.2 TLSv1.3;
229
+	ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES128-SHA256:AES256-GCM-SHA384:AES256-SHA256';
230
+	{{ else if eq $ssl_policy "AWS-TLS-1-1-2017-01" }}
231
+	ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
232
+	ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA';
233
+	{{ else if eq $ssl_policy "AWS-2016-08" }}
234
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
235
+	ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA';
236
+	{{ else if eq $ssl_policy "AWS-2015-05" }}
237
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
238
+	ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DES-CBC3-SHA';
239
+	{{ else if eq $ssl_policy "AWS-2015-03" }}
240
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
241
+	ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA';
242
+	{{ else if eq $ssl_policy "AWS-2015-02" }}
243
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
244
+	ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA';
245
+	{{ end }}
246
+
247
+	ssl_prefer_server_ciphers on;
248
+	ssl_session_timeout 5m;
249
+	ssl_session_cache shared:SSL:50m;
250
+	ssl_session_tickets off;
251
+
252
+	ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }};
253
+	ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }};
254
+
255
+	{{ if (exists (printf "/etc/nginx/certs/%s.dhparam.pem" $cert)) }}
256
+	ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }};
257
+	{{ end }}
258
+
259
+	{{ if (exists (printf "/etc/nginx/certs/%s.chain.pem" $cert)) }}
260
+	ssl_stapling on;
261
+	ssl_stapling_verify on;
262
+	ssl_trusted_certificate {{ printf "/etc/nginx/certs/%s.chain.pem" $cert }};
263
+	{{ end }}
264
+
265
+	{{ if (and (ne $https_method "noredirect") (ne $hsts "off")) }}
266
+	add_header Strict-Transport-Security "{{ trim $hsts }}" always;
267
+	{{ end }}
268
+
269
+	{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
270
+	include {{ printf "/etc/nginx/vhost.d/%s" $host }};
271
+	{{ else if (exists "/etc/nginx/vhost.d/default") }}
272
+	include /etc/nginx/vhost.d/default;
273
+	{{ end }}
274
+
275
+	location / {
276
+		{{ if eq $proto "uwsgi" }}
277
+		include uwsgi_params;
278
+		uwsgi_pass {{ trim $proto }}://{{ trim $upstream_name }};
279
+		{{ else if eq $proto "fastcgi" }}
280
+		root   {{ trim $vhost_root }};
281
+		include fastcgi.conf;
282
+		fastcgi_pass {{ trim $upstream_name }};
283
+		{{ else }}
284
+		proxy_pass {{ trim $proto }}://{{ trim $upstream_name }};
285
+		{{ end }}
286
+
287
+		{{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }}
288
+		auth_basic	"Restricted {{ $host }}";
289
+		auth_basic_user_file	{{ (printf "/etc/nginx/htpasswd/%s" $host) }};
290
+		{{ end }}
291
+		{{ if (exists (printf "/etc/nginx/vhost.d/%s_location" $host)) }}
292
+		include {{ printf "/etc/nginx/vhost.d/%s_location" $host}};
293
+		{{ else if (exists "/etc/nginx/vhost.d/default_location") }}
294
+		include /etc/nginx/vhost.d/default_location;
295
+		{{ end }}
296
+	}
297
+}
298
+
299
+{{ end }}
300
+
301
+{{ if or (not $is_https) (eq $https_method "noredirect") }}
302
+
303
+server {
304
+	server_name {{ $host }};
305
+	listen 80 {{ $default_server }};
306
+	{{ if $enable_ipv6 }}
307
+	listen [::]:80 {{ $default_server }};
308
+	{{ end }}
309
+	access_log /var/log/nginx/access.log vhost;
310
+
311
+	{{ if eq $network_tag "internal" }}
312
+	# Only allow traffic from internal clients
313
+	include /etc/nginx/network_internal.conf;
314
+	{{ end }}
315
+
316
+	{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
317
+	include {{ printf "/etc/nginx/vhost.d/%s" $host }};
318
+	{{ else if (exists "/etc/nginx/vhost.d/default") }}
319
+	include /etc/nginx/vhost.d/default;
320
+	{{ end }}
321
+
322
+	location / {
323
+		{{ if eq $proto "uwsgi" }}
324
+		include uwsgi_params;
325
+		uwsgi_pass {{ trim $proto }}://{{ trim $upstream_name }};
326
+		{{ else if eq $proto "fastcgi" }}
327
+		root   {{ trim $vhost_root }};
328
+		include fastcgi.conf;
329
+		fastcgi_pass {{ trim $upstream_name }};
330
+		{{ else }}
331
+		proxy_pass {{ trim $proto }}://{{ trim $upstream_name }};
332
+		{{ end }}
333
+		{{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }}
334
+		auth_basic	"Restricted {{ $host }}";
335
+		auth_basic_user_file	{{ (printf "/etc/nginx/htpasswd/%s" $host) }};
336
+		{{ end }}
337
+		{{ if (exists (printf "/etc/nginx/vhost.d/%s_location" $host)) }}
338
+		include {{ printf "/etc/nginx/vhost.d/%s_location" $host}};
339
+		{{ else if (exists "/etc/nginx/vhost.d/default_location") }}
340
+		include /etc/nginx/vhost.d/default_location;
341
+		{{ end }}
342
+	}
343
+}
344
+
345
+{{ if (and (not $is_https) (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
346
+server {
347
+	server_name {{ $host }};
348
+	listen 443 ssl http2 {{ $default_server }};
349
+	{{ if $enable_ipv6 }}
350
+	listen [::]:443 ssl http2 {{ $default_server }};
351
+	{{ end }}
352
+	access_log /var/log/nginx/access.log vhost;
353
+	return 500;
354
+
355
+	ssl_certificate /etc/nginx/certs/default.crt;
356
+	ssl_certificate_key /etc/nginx/certs/default.key;
357
+}
358
+{{ end }}
359
+
360
+{{ end }}
361
+{{ end }}

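--- a/scripts/base.sh
+++ b/scripts/base.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+#
+# Basic scripts
+#
+
+# 1. Check if .env file exists
+check_env_file() {
+    if [ -e .env ]; then
+        source .env
+    else
+        echo
+        echo "Please set up your .env file before starting your enviornment."
+        echo
+        exit 1
+    fi
+}
+
+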
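Review bot: `source .env` in check_env_file executes whatever is in that file as shell code, and the `[ -e .env ]` guard accepts any existing path (a directory or a dangling-symlink target included) relative to the caller's current directory rather than the repo, so the helper sources a different file depending on where it is invoked from. I'd tighten the test to `if [ -f .env ]; then` and resolve the path against the script's own directory, e.g. `env_file="$(dirname "${BASH_SOURCE[0]}")/../.env"`, with a comment that `.env` is trusted input because it is sourced, not parsed. Note also that start.sh and update.sh in this same commit inline their own copy of this check instead of sourcing this helper, so the three copies (one already differs in its message) will drift.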

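--- a/scripts/update.sh
+++ b/scripts/update.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+#
+# This scrip update the web proxy without downtime
+#
+# Source: https://github.com/evertramos/docker-compose-letsencrypt-nginx-proxy-companion
+#
+
+# 1. Check if .env file exists
+if [ -e .env ]; then
+    source .env
+else 
+    echo 
+    echo "Please set up your .env file before starting your enviornment."
+    echo 
+    exit 1
+fi
+
+# 2. Update your repo
+git pull
+git checkout master
+
+# 3. Check if your env files has the same line numbers
+if [ "$(wc -l .env | cut -f1 -d' ')" != "$(wc -l .env.sample | cut -f1 -d' ')" ]; then
+    echo
+    echo "The sample .env are different from the your current .env file."
+    echo "Please update your .env file to continue."
+    echo "It must has the same lines of the sample env file."
+    echo
+    echo "If you keep receiving this message please check the number of line of both files"
+    echo
+fi
+
+# 3. Download the latest version of nginx.tmpl
+curl https://raw.githubusercontent.com/jwilder/nginx-proxy/master/nginx.tmpl > nginx.tmpl
+
+# 4. Update containers without downtime
+docker-compose up -d --no-deps --build nginx-web
+docker-compose up -d --no-deps --build nginx-gen
+docker-compose up -d --no-deps --build nginx-letsencrypt
+
+exit 0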
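Review bot: The `curl ... > nginx.tmpl` step runs without `-f`, so a 404 or proxy error page is written over the repo's tracked nginx.tmpl (the shell truncates the file before curl even connects), and with no `set -e` the three `docker-compose up` lines then restart the proxy on a broken or empty template; the URL also tracks the mutable `master` branch of a third-party repo with no checksum, so every update silently takes whatever TLS/proxy template upstream currently has. Download to a temp file and only replace on success, against a pinned tag or commit: `curl -fsSL -o nginx.tmpl.new "https://raw.githubusercontent.com/jwilder/nginx-proxy/<tag>/nginx.tmpl" && mv nginx.tmpl.new nginx.tmpl || { echo "nginx.tmpl download failed" >&2; exit 1; }`. The line-count comparison just above only prints "Please update your .env file to continue" and then continues anyway, so an `exit 1` after the echo block is needed for it to gate the update as its message implies. `git pull` also runs before `git checkout master`, so it pulls whichever branch happens to be checked out first.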

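--- a/start.sh
+++ b/start.sh
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+#
+# This file should be used to prepare and run your WebProxy after set up your .env file
+# Source: https://github.com/evertramos/docker-compose-letsencrypt-nginx-proxy-companion
+#
+
+# 1. Check if .env file exists
+if [ -e .env ]; then
+    source .env
+else 
+    echo "Please set up your .env file before starting your environment."
+    exit 1
+fi
+
+# 2. Create docker network
+docker network create $NETWORK $NETWORK_OPTIONS
+
+# 3. Verify if second network is configured
+if [ ! -z ${SERVICE_NETWORK+X} ]; then
+    docker network create $SERVICE_NETWORK $SERVICE_NETWORK_OPTIONS
+fi
+
+# 4. Download the latest version of nginx.tmpl
+curl https://raw.githubusercontent.com/jwilder/nginx-proxy/master/nginx.tmpl > nginx.tmpl
+
+# 5. Update local images
+docker-compose pull
+
+# 6. Add any special configuration if it's set in .env file
+
+# Check if user set to use Special Conf Files
+if [ ! -z ${USE_NGINX_CONF_FILES+X} ] && [ "$USE_NGINX_CONF_FILES" = true ]; then
+
+    # Create the conf folder if it does not exists
+    mkdir -p $NGINX_FILES_PATH/conf.d
+
+    # Copy the special configurations to the nginx conf folder
+    cp -R ./conf.d/* $NGINX_FILES_PATH/conf.d
+
+    # Check if there was an error and try with sudo
+    if [ $? -ne 0 ]; then
+        sudo cp -R ./conf.d/* $NGINX_FILES_PATH/conf.d
+    fi
+
+    # If there was any errors inform the user
+    if [ $? -ne 0 ]; then
+        echo
+        echo "#######################################################"
+        echo
+        echo "There was an error trying to copy the nginx conf files."
+        echo "The webproxy will still work, your custom configuration"
+        echo "will not be loaded."
+        echo 
+        echo "#######################################################"
+    fi
+fi 
+
+# 7. Start proxy
+
+# Check if you have multiple network
+if [ -z ${SERVICE_NETWORK+X} ]; then
+    docker-compose up -d
+else
+    docker-compose -f docker-compose-multiple-networks.yml up -d
+fi
+
+exit 0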
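Review bot: Step 4 re-downloads nginx.tmpl from upstream's mutable `master` branch on every start and writes it straight over the vendored copy with a bare `curl ... > nginx.tmpl`, so a failed or tampered download (no `-f`, no checksum, no `set -e`) leaves an empty or HTML file that docker-gen will render into the proxy's live TLS configuration. Either drop the step and ship the reviewed template from the repo, or fetch to a temp file against a pinned tag/commit: `curl -fsSL -o nginx.tmpl.new "$URL" && mv nginx.tmpl.new nginx.tmpl || exit 1`. The `sudo cp -R ./conf.d/* $NGINX_FILES_PATH/conf.d` fallback silently escalates to root when the unprivileged copy fails, and `$NGINX_FILES_PATH` is never checked for being set, so with an empty value the `mkdir -p`/`cp` target becomes `/conf.d`; a `: "${NGINX_FILES_PATH:?must be set in .env}"` guard before the mkdir catches that. `docker network create $NETWORK` also fails when the network already exists (every re-run) and the script carries on regardless; prefixing it with `docker network inspect "$NETWORK" >/dev/null 2>&1 ||` makes the idempotent re-run explicit.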

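--- a/test_start.sh
+++ b/test_start.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# Set up your DOMAIN
+if [ $# -eq 0 ]; then
+    echo "Please inform your domain name to test your proxy."
+    echo "./test_start.sh $1"
+    exit 1
+else
+    DOMAIN=$1
+fi
+
+# Read your .env file
+source .env
+
+# Testing your proxy
+if [ -z ${SERVICE_NETWORK+X} ]; then
+    docker run -d -e VIRTUAL_HOST=$DOMAIN --network=$NETWORK --name test-web httpd:alpine
+else
+    docker run -d -e VIRTUAL_HOST=$DOMAIN --network=$SERVICE_NETWORK --name test-web httpd:alpine
+fi
+
+exit 0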
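Review bot: The usage message in the `$# -eq 0` branch prints `./test_start.sh $1`, and `$1` is empty in exactly that branch, so the user sees `./test_start.sh ` with no hint of what to pass; it should read `echo "./test_start.sh <domain>"`. `source .env` here has no existence check (start.sh in this commit has one), so a missing file produces only a bash error and the `docker run` still proceeds with an empty `$NETWORK`. `$DOMAIN` and `$NETWORK` are unquoted in both `docker run` lines, so a value containing spaces or glob characters splits into several arguments: `docker run -d -e "VIRTUAL_HOST=$DOMAIN" --network="$NETWORK" --name test-web httpd:alpine`.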

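--- a/test_start_ssl.sh
+++ b/test_start_ssl.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+NAME=test-web
+
+
+# Set up your DOMAIN
+if [ $# -eq 0 ]; then
+    echo "Please inform your domain name to test your proxy."
+    echo "./test_start_ssl.sh $1"
+    exit 1
+else
+    DOMAIN=$1
+fi
+
+# Read your .env file
+source .env
+
+# Testing your proxy
+if [ -z ${SERVICE_NETWORK+X} ]; then
+    docker run -d -e VIRTUAL_HOST=$DOMAIN -e LETSENCRYPT_HOST=$DOMAIN --network=$NETWORK --name $NAME httpd:alpine
+else
+    docker run -d -e VIRTUAL_HOST=$DOMAIN -e LETSENCRYPT_HOST=$DOMAIN --network=$SERVICE_NETWORK --name $NAME httpd:alpine
+fi
+
+exit 0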
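Review bot: Setting `LETSENCRYPT_HOST=$DOMAIN` on the test container asks the companion to obtain a real certificate for that domain, so running this "test" repeatedly counts against Let's Encrypt issuance rate limits, and test_stop.sh in this commit only removes the container, not whatever the companion issued or stored for it; the header should say so, e.g. `# NOTE: this requests a real Let's Encrypt certificate for DOMAIN - prefer the companion's staging/test mode if one is configured`. The same `./test_start_ssl.sh $1` usage typo as test_start.sh applies (`$1` is empty in that branch, so print `<domain>` instead), and the `docker run` arguments should be quoted: `-e "VIRTUAL_HOST=$DOMAIN" -e "LETSENCRYPT_HOST=$DOMAIN" --network="$NETWORK" --name "$NAME"`.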

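--- a/test_stop.sh
+++ b/test_stop.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# Stop and remove test enviornment
+docker stop test-web && docker rm test-web 
+
+exit 0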
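Review bot: The script ends with an unconditional `exit 0`, so a caller cannot tell whether the `test-web` container was actually stopped and removed, and `docker stop ... && docker rm ...` skips the removal whenever the stop fails (for instance when the container does not exist). `docker rm -f -- test-web` does both in one step and, with the trailing `exit 0` dropped, lets the real status propagate. The container name is also hard-coded here while test_start_ssl.sh defines it as `NAME=test-web`, so the two will drift if either is renamed.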
