2014-05-05 20:15:18 +00:00
nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generate reverse proxy configs for nginx and reloads nginx when containers they are started and stopped.
2014-05-05 17:01:40 +00:00
2014-05-05 20:13:51 +00:00
See [Automated Nginx Reverse Proxy for Docker][2] for why you might want to use this.
2014-05-20 15:39:08 +00:00
### Usage
2014-05-05 20:13:51 +00:00
To run it:
2014-09-04 23:34:49 +00:00
$ docker run -d -p 80:80 -v /var/run/docker.sock:/tmp/docker.sock jwilder/nginx-proxy
2014-05-05 20:13:51 +00:00
2014-10-22 02:39:34 +00:00
Then start any containers you want proxied with an env var `VIRTUAL_HOST=subdomain.youdomain.com`
2014-05-05 20:13:51 +00:00
2014-09-04 23:34:49 +00:00
$ docker run -e VIRTUAL_HOST=foo.bar.com ...
2014-05-05 20:13:51 +00:00
Provided your DNS is setup to forward foo.bar.com to the a host running nginx-proxy, the request will be routed to a container with the VIRTUAL_HOST env var set.
2014-05-20 15:39:08 +00:00
### Multiple Ports
If your container exposes multiple ports, nginx-proxy will default to the service running on port 80. If you need to specify a different port, you can set a VIRTUAL_PORT env var to select a different one. If your container only exposes one port and it has a VIRTUAL_HOST env var set, that port will be selected.
2014-05-05 20:13:51 +00:00
[1]: https://github.com/jwilder/docker-gen
[2]: http://jasonwilder.com/blog/2014/03/25/automated-nginx-reverse-proxy-for-docker/
2014-08-19 15:42:43 +00:00
### Multiple Hosts
2014-11-16 04:47:38 +00:00
If you need to support multipe virtual hosts for a container, you can separate each entry with commas. For example, `foo.bar.com,baz.bar.com,bar.com` and each host will be setup the same.
2014-10-22 00:21:05 +00:00
### Separate Containers
nginx-proxy can also be run as two separate containers using the [jwilder/docker-gen ](https://index.docker.io/u/jwilder/docker-gen/ )
image and the official [nginx ](https://registry.hub.docker.com/_/nginx/ ) image.
You may want to do this to prevent having the docker socket bound to a publicly exposed container service.
To run nginx proxy as a separate container you'll need to have [nginx.tmpl ](https://github.com/jwilder/nginx-proxy/blob/master/nginx.tmpl ) on your host system.
First start nginx with a volume:
$ docker run -d -p 80:80 --name nginx -v /tmp/nginx:/etc/nginx/conf.d -t nginx
Then start the docker-gen container with the shared volume and template:
```
$ docker run --volumes-from nginx \
-v /var/run/docker.sock:/tmp/docker.sock \
2014-10-22 00:29:31 +00:00
-v $(pwd):/etc/docker-gen/templates \
2014-12-02 23:17:58 +00:00
-t docker-gen -notify-sighup nginx -watch -only-published /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf
2014-10-22 00:21:05 +00:00
```
Finally, start your containers with `VIRTUAL_HOST` environment variables.
$ docker run -e VIRTUAL_HOST=foo.bar.com ...
2014-11-26 22:46:07 +00:00
### SSL Support
SSL is supported single host, wildcards and SNI certificates using naming conventions for
certificates or optionally specify a cert name (for SNI) as an environment variable.
To enable SSL:
$ docker run -d -p 80:80 -p 443:443 -v /path/to/certs:/etc/nginx/certs -v /var/run/docker.sock:/tmp/docker.sock jwilder/nginx-proxy
The contents of `/path/to/certs` should contain the certificates and private keys for any virtual
hosts in use. The certificate and keys should be named after the virtual host with a `.crt` and
`.key` extension. For example, a container with `VIRTUAL_HOST=foo.bar.com` should have a
2014-12-02 21:43:50 +00:00
`foo.bar.com.crt` and `foo.bar.com.key` file in the certs directory.
2014-11-26 22:46:07 +00:00
#### Wildcard Certificates
2014-12-02 21:43:50 +00:00
Wildcard certificates and keys should be name after the domain name with a `.crt` and `.key` extension.
For example `VIRTUAL_HOST=foo.bar.com` would use cert name `bar.com.crt` and `bar.com.key` .
2014-11-26 22:46:07 +00:00
#### SNI
If your certificate(s) supports multiple domain names, you can start a container with `CERT_NAME=<name>`
to identify the certificate to be used. For example, a certificate for `*.foo.com` and `*.bar.com`
2014-12-02 21:43:50 +00:00
could be named `shared.crt` and `shared.key` . A container running with `VIRTUAL_HOST=foo.bar.com`
2014-11-26 22:46:07 +00:00
and `CERT_NAME=shared` will then use this shared cert.
#### How SSL Support Works
The SSL cipher configuration is based on [mozilla nginx intermediate profile ](https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx ) which
should provide compatibility with clients back to Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1,
2014-12-03 18:06:11 +00:00
Windows XP IE8, Android 2.3, Java 7. The configuration also enables HSTS, and SSL
2014-11-26 22:46:07 +00:00
session caches.
The behavior for the proxy when port 80 and 443 are exposed is as follows:
* If a container has a usable cert, port 80 will redirect to 443 for that container so that HTTPS
is always preferred when available.
* If the container does not have a usable cert, a 503 will be returned.
Note that in the latter case, a browser may get an connection error as no certificate is available
2014-12-02 21:43:50 +00:00
to establish a connection. A self-signed or generic cert named `default.crt` and `default.key`
will allow a client browser to make a SSL connection (likely w/ a warning) and subsequently receive
a 503.