From 9711ade7a640249d99c425a10b15ed730a565779 Mon Sep 17 00:00:00 2001 From: Knapoc Date: Mon, 24 Jul 2023 11:36:17 +0200 Subject: [PATCH 1/7] feat: allow nginx / docker-gen network segregation * fix merge conflicts --- docs/README.md | 6 ++++++ nginx.tmpl | 52 +++++++++++++++++++++++++++++++++----------------- 2 files changed, 41 insertions(+), 17 deletions(-) diff --git a/docs/README.md b/docs/README.md index 3e39388..d99d8be 100644 --- a/docs/README.md +++ b/docs/README.md @@ -1157,6 +1157,12 @@ Finally, start your containers with `VIRTUAL_HOST` environment variables. docker run -e VIRTUAL_HOST=foo.bar.com ... ``` +To allow for network segregation of the nginx and docker-gen containers, the label `com.github.nginx-proxy.nginx-proxy.nginx` must be applied to the nginx container, otherwise it is assumed that nginx and docker-gen share the same network: + +```console +docker run -d -p 80:80 --name nginx -l "com.github.nginx-proxy.nginx-proxy.nginx" -v /tmp/nginx:/etc/nginx/conf.d -t nginx +``` + ⬆️ [back to table of contents](#table-of-contents) ## Docker Compose diff --git a/nginx.tmpl b/nginx.tmpl index 14e30ca..3666625 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -11,6 +11,7 @@ {{- $_ := set $globals "Env" $.Env }} {{- $_ := set $globals "Docker" $.Docker }} {{- $_ := set $globals "CurrentContainer" (where $globals.containers "ID" $globals.Docker.CurrentContainerID | first) }} +{{- $_ := set $globals "NginxContainer" (whereLabelExists $globals.containers "com.github.nginx-proxy.nginx-proxy.nginx" | first) }} {{- $config := dict }} {{- $_ := set $config "nginx_proxy_version" $.Env.NGINX_PROXY_VERSION }} 
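Review bot: `whereLabelExists $globals.containers "com.github.nginx-proxy.nginx-proxy.nginx" | first` silently picks one container when several on the host carry the label, so docker-gen may take its network list from an unrelated container and every upstream then appears unreachable with nothing in the generated config explaining why. If `whereLabelExists` returns a slice, as the `| first` pipe suggests, the match count can be checked and a warning written into the output, e.g. `{{- if gt (len (whereLabelExists $globals.containers "com.github.nginx-proxy.nginx-proxy.nginx")) 1 }}`, `# /!\ WARNING: several containers carry the nginx label; using the first one`, `{{- end }}`. The same applies to the `$labeledContainer` lookup that replaces this line in PATCH 4/7, where the label name comes from `$globals.config.nginx_container_label`.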
@@ -44,14 +45,21 @@ {{- $_ := set $globals "vhosts" (dict) }} {{- $_ := set $globals "networks" (dict) }} -# Networks available to the container running docker-gen (which are assumed to +# Networks available to the container labeled "com.github.nginx-proxy.nginx-proxy.nginx" or the one running docker-gen (which are assumed to # match the networks available to the container running nginx): {{- /* * Note: $globals.CurrentContainer may be nil in some circumstances due to * . For more context * see . */}} -{{- if $globals.CurrentContainer }} +{{- if $globals.NginxContainer }} + {{- range sortObjectsByKeysAsc $globals.NginxContainer.Networks "Name" }} + {{- $_ := set $globals.networks .Name . }} +# {{ .Name }} + {{- else }} +# (none) + {{- end }} +{{- else if $globals.CurrentContainer }} {{- range sortObjectsByKeysAsc $globals.CurrentContainer.Networks "Name" }} {{- $_ := set $globals.networks .Name . }} # {{ .Name }} @@ -97,11 +105,21 @@ {{- $ipv4 = "127.0.0.1" }} {{- continue }} {{- end }} - {{- range sortObjectsByKeysAsc $.globals.CurrentContainer.Networks "Name" }} - {{- if and . .Gateway (not .Internal) }} + {{- if $.globals.NginxContainer }} + {{- range sortObjectsByKeysAsc $.globals.NginxContainer.Networks "Name" }} + {{- if and . .Gateway (not .Internal) }} # container is in host network mode, using {{ .Name }} gateway IP - {{- $ipv4 = .Gateway }} - {{- break }} + {{- $ipv4 = .Gateway }} + {{- break }} + {{- end }} + {{- end }} + {{- else }} + {{- range sortObjectsByKeysAsc $.globals.CurrentContainer.Networks "Name" }} + {{- if and . .Gateway (not .Internal) }} + # container is in host network mode, using {{ .Name }} gateway IP + {{- $ipv4 = .Gateway }} + {{- break }} + {{- end }} {{- end }} {{- end }} {{- if $ipv4 }} 
@@ -114,7 +132,7 @@ {{- end }} {{- /* * Do not emit multiple `server` directives for this container if it - * is reachable over multiple networks or multiple IP stacks. This avoids + * is reachable over multiple networks or multiple IP stacks. This avoids * accidentally inflating the effective round-robin weight of a server due * to the redundant upstream addresses that nginx sees as belonging to * distinct servers. @@ -397,7 +415,7 @@ upstream {{ $vpath.upstream }} { {{- $debug_vpath := deepCopy $vpath | merge (dict "ports" $tmp_ports) }} {{- $_ := set $debug_paths $path $debug_vpath }} {{- end }} - + {{- $debug_vhost := deepCopy .VHost }} {{- /* If it's a regexp, do not render the Hostname to the response to avoid rendering config breaking characters */}} {{- $_ := set $debug_vhost "hostname" (.VHost.is_regexp | ternary "Hostname is a regexp and unsafe to include in the debug response." .Hostname) }} @@ -606,7 +624,7 @@ proxy_set_header Proxy ""; {{- $path_port_containers := get $path_ports $port | default (list) | concat $containers }} {{- $_ := set $path_ports $port $path_port_containers }} {{- $_ := set $path_data "ports" $path_ports }} - + {{- if (not (hasKey $path_data "dest")) }} {{- $_ := set $path_data "dest" $dest }} {{- end }} @@ -614,7 +632,7 @@ proxy_set_header Proxy ""; {{- if (not (hasKey $path_data "proto")) }} {{- $_ := set $path_data "proto" $proto }} {{- end }} - + {{- $_ := set $paths $path $path_data }} {{- end }} {{- $_ := set $vhost_data "paths" $paths }} @@ -666,7 +684,7 @@ proxy_set_header Proxy ""; {{- if (not (hasKey $path_data "proto")) }} {{- $_ := set $path_data "proto" $proto }} {{- end }} - + {{- $_ := set $paths $path $path_data }} {{- end }} {{- $_ := set $vhost_data "paths" $paths }} 
@@ -708,7 +726,7 @@ proxy_set_header Proxy ""; {{- end }} {{- $userIdentifiedCert := groupByKeys $vhost_containers "Env.CERT_NAME" | first }} - + {{- $vhostCert := "" }} {{- if exists (printf "/etc/nginx/certs/%s.crt" $hostname) }} {{- $vhostCert = $hostname }} @@ -721,10 +739,10 @@ proxy_set_header Proxy ""; {{- $parentVhostCert = $parentHostname }} {{- end }} {{- end }} - + {{- $trust_default_cert := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.trust-default-cert" | keys | first | default $globals.config.trust_default_cert | parseBool }} {{- $defaultCert := and $trust_default_cert $globals.config.default_cert_ok | ternary "default" "" }} - + {{- $cert := or $userIdentifiedCert $vhostCert $parentVhostCert $defaultCert }} {{- $cert_ok := and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert)) }} @@ -738,10 +756,10 @@ proxy_set_header Proxy ""; {{- $https_method = "noredirect" }} {{- end }} {{- $non_get_redirect := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.non-get-redirect" | keys | first | default $globals.config.non_get_redirect }} - + {{- $http2_enabled := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http2.enable" | keys | first | default $globals.config.enable_http2 | parseBool }} {{- $http3_enabled := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http3.enable" | keys | first | default $globals.config.enable_http3 | parseBool }} - + {{- $acme_http_challenge := groupByKeys $vhost_containers "Env.ACME_HTTP_CHALLENGE_LOCATION" | first | default $globals.config.acme_http_challenge }} {{- $acme_http_challenge_legacy := eq $acme_http_challenge "legacy" }} {{- $acme_http_challenge_enabled := false }} @@ -903,7 +921,7 @@ server { break; } {{- end }} - + {{- if $vhost.enable_debug_endpoint }} {{ template "debug_location" (dict "GlobalConfig" $globals.config "Hostname" $hostname "VHost" $vhost) }} {{- end }} 
From ded6f89c56ee0737e3eb3f04b3afd8ed4e996aef Mon Sep 17 00:00:00 2001 From: Knapoc <21982227+Knapoc@users.noreply.github.com> Date: Tue, 22 Apr 2025 12:04:04 +0200 Subject: [PATCH 2/7] test: check docker-gen network segregation --- .../test_dockergen_network_segregation_v2.py | 10 +++++ .../test_dockergen_network_segregation_v2.yml | 38 ++++++++++++++++++ .../test_dockergen_network_segregation_v3.py | 27 +++++++++++++ .../test_dockergen_network_segregation_v3.yml | 40 +++++++++++++++++++ 4 files changed, 115 insertions(+) create mode 100644 test/test_dockergen/test_dockergen_network_segregation_v2.py create mode 100644 test/test_dockergen/test_dockergen_network_segregation_v2.yml create mode 100644 test/test_dockergen/test_dockergen_network_segregation_v3.py create mode 100644 test/test_dockergen/test_dockergen_network_segregation_v3.yml diff --git a/test/test_dockergen/test_dockergen_network_segregation_v2.py b/test/test_dockergen/test_dockergen_network_segregation_v2.py new file mode 100644 index 0000000..dbb15d4 --- /dev/null +++ b/test/test_dockergen/test_dockergen_network_segregation_v2.py @@ -0,0 +1,10 @@ +def test_unknown_virtual_host_is_503(docker_compose, nginxproxy): + r = nginxproxy.get("http://unknown.nginx.container.docker/") + assert r.status_code == 503 + + +def test_forwards_to_whoami(docker_compose, nginxproxy): + r = nginxproxy.get("http://whoami.nginx.container.docker/") + assert r.status_code == 200 + whoami_container = docker_compose.containers.get("whoami") + assert r.text == f"I'm {whoami_container.id[:12]}\n" diff --git a/test/test_dockergen/test_dockergen_network_segregation_v2.yml b/test/test_dockergen/test_dockergen_network_segregation_v2.yml new file mode 100644 index 0000000..949e282 --- /dev/null +++ b/test/test_dockergen/test_dockergen_network_segregation_v2.yml 
@@ -0,0 +1,38 @@
+version: '2'
+
+services:
+ nginx:
+ image: nginx
+ container_name: nginx
+ volumes:
+ - "/etc/nginx/conf.d"
+ labels:
+ - "com.github.nginx-proxy.nginx-proxy.nginx"
+ networks:
+ - proxy
+
+ dockergen:
+ image: nginxproxy/docker-gen
+ command: -notify-sighup nginx -watch /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf
+ volumes_from:
+ - nginx
+ volumes:
+ - /var/run/docker.sock:/tmp/docker.sock:ro
+ - ../../nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl
+ networks:
+ - internal
+
+ web:
+ image: web
+ container_name: whoami
+ expose:
+ - "80"
+ environment:
+ WEB_PORTS: "80"
+ VIRTUAL_HOST: "whoami.nginx.container.docker"
+ networks:
+ - proxy
+
+networks:
+ proxy:
+ internal:
diff --git a/test/test_dockergen/test_dockergen_network_segregation_v3.py b/test/test_dockergen/test_dockergen_network_segregation_v3.py
new file mode 100644
index 0000000..b696e6c
--- /dev/null
+++ b/test/test_dockergen/test_dockergen_network_segregation_v3.py
@@ -0,0 +1,27 @@
+import docker
+import pytest
+from distutils.version import LooseVersion
+
+
+raw_version = docker.from_env().version()["Version"]
+pytestmark = pytest.mark.skipif(
+ LooseVersion(raw_version) < LooseVersion("1.13"),
+ reason="Docker compose syntax v3 requires docker engine v1.13 or later (got {raw_version})"
+)
+
+
+def test_unknown_virtual_host_is_503(docker_compose, nginxproxy):
+ r = nginxproxy.get("http://unknown.nginx.container.docker/")
+ assert r.status_code == 503
+
+
+def test_forwards_to_whoami(docker_compose, nginxproxy):
+ r = nginxproxy.get("http://whoami.nginx.container.docker/")
+ assert r.status_code == 200
+ whoami_container = docker_compose.containers.get("whoami")
+ assert r.text == f"I'm {whoami_container.id[:12]}\n"
+
+
+if __name__ == "__main__":
+ import doctest
+ doctest.testmod()
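Review bot: The skip reason in test_dockergen_network_segregation_v3.py is not an f-string, so pytest would literally report `(got {raw_version})` instead of the engine version; change it to `reason=f"Docker compose syntax v3 requires docker engine v1.13 or later (got {raw_version})"`. The line survives unchanged as context in the PATCH 3/7 hunk that switches to `packaging.version`, and again in the copy added by PATCH 6/7. The `if __name__ == "__main__": doctest.testmod()` tail has nothing to run, as the module contains no doctests, and can be dropped.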
diff --git a/test/test_dockergen/test_dockergen_network_segregation_v3.yml b/test/test_dockergen/test_dockergen_network_segregation_v3.yml new file mode 100644 index 0000000..c873c31 --- /dev/null +++ b/test/test_dockergen/test_dockergen_network_segregation_v3.yml @@ -0,0 +1,40 @@ +version: '3' + +services: + nginx: + image: nginx + container_name: nginx + volumes: + - "nginx_conf:/etc/nginx/conf.d" + labels: + - "com.github.nginx-proxy.nginx-proxy.nginx" + networks: + - proxy + + dockergen: + image: nginxproxy/docker-gen + command: -notify-sighup nginx -watch /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf + volumes: + - "/var/run/docker.sock:/tmp/docker.sock:ro" + - "../../nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl" + - "nginx_conf:/etc/nginx/conf.d" + networks: + - internal + + web: + image: web + container_name: whoami + expose: + - "80" + environment: + WEB_PORTS: "80" + VIRTUAL_HOST: "whoami.nginx.container.docker" + networks: + - proxy + +networks: + proxy: + internal: + +volumes: + nginx_conf: {} From c338e1bcdfdf56d939005dde1b2cecc7f9c7ac68 Mon Sep 17 00:00:00 2001 
From: Knapoc <21982227+Knapoc@users.noreply.github.com> Date: Tue, 22 Apr 2025 12:31:09 +0200 Subject: [PATCH 3/7] test: docker-gen network segregation * fix tests * remove obsolete compose version --- ...st_dockergen_network_segregation.base.yml} | 25 +++++++----- ... => test_dockergen_network_segregation.py} | 8 ++-- .../test_dockergen_network_segregation_v2.py | 10 ----- .../test_dockergen_network_segregation_v3.yml | 40 ------------------- 4 files changed, 18 insertions(+), 65 deletions(-) rename test/test_dockergen/{test_dockergen_network_segregation_v2.yml => test_dockergen_network_segregation.base.yml} (69%) rename test/test_dockergen/{test_dockergen_network_segregation_v3.py => test_dockergen_network_segregation.py} (72%) delete mode 100644 test/test_dockergen/test_dockergen_network_segregation_v2.py delete mode 100644 test/test_dockergen/test_dockergen_network_segregation_v3.yml diff --git a/test/test_dockergen/test_dockergen_network_segregation_v2.yml b/test/test_dockergen/test_dockergen_network_segregation.base.yml similarity index 69% rename from test/test_dockergen/test_dockergen_network_segregation_v2.yml rename to test/test_dockergen/test_dockergen_network_segregation.base.yml index 949e282..8040b47 100644 --- a/test/test_dockergen/test_dockergen_network_segregation_v2.yml +++ b/test/test_dockergen/test_dockergen_network_segregation.base.yml 
@@ -1,38 +1,41 @@ -version: '2' - services: - nginx: + nginx-proxy-nginx: image: nginx container_name: nginx volumes: - - "/etc/nginx/conf.d" - labels: - - "com.github.nginx-proxy.nginx-proxy.nginx" + - nginx_conf:/etc/nginx/conf.d:ro + ports: + - "80:80" + - "443:443" networks: - proxy + labels: + - "com.github.nginx-proxy.nginx-proxy.nginx" - dockergen: + nginx-proxy-dockergen: image: nginxproxy/docker-gen command: -notify-sighup nginx -watch /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf - volumes_from: - - nginx volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - ../../nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl + - nginx_conf:/etc/nginx/conf.d networks: - internal web: image: web - container_name: whoami + container_name: whoami2 expose: - "80" environment: WEB_PORTS: "80" - VIRTUAL_HOST: "whoami.nginx.container.docker" + VIRTUAL_HOST: whoami2.nginx.container.docker networks: - proxy networks: proxy: internal: + +volumes: + nginx_conf: diff --git a/test/test_dockergen/test_dockergen_network_segregation_v3.py b/test/test_dockergen/test_dockergen_network_segregation.py similarity index 72% rename from test/test_dockergen/test_dockergen_network_segregation_v3.py rename to test/test_dockergen/test_dockergen_network_segregation.py index b696e6c..ad487d9 100644 --- a/test/test_dockergen/test_dockergen_network_segregation_v3.py +++ b/test/test_dockergen/test_dockergen_network_segregation.py @@ -1,11 +1,11 @@ import docker import pytest -from distutils.version import LooseVersion +from packaging.version import Version raw_version = docker.from_env().version()["Version"] pytestmark = pytest.mark.skipif( - LooseVersion(raw_version) < LooseVersion("1.13"), + Version(raw_version) < Version("1.13"), reason="Docker compose syntax v3 requires docker engine v1.13 or later (got {raw_version})" ) 
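Review bot: The `pytestmark = pytest.mark.skipif(...)` guard in test_dockergen_network_segregation.py is stale once this patch drops `version: '2'` from the compose fixture: its reason still says "Docker compose syntax v3 requires docker engine v1.13 or later" although no compose version is declared any more. Either remove the marker together with the `docker.from_env()` call that only serves it, or reword the reason to name the requirement that actually remains. If the guard stays, `raw_version` is still not interpolated because the reason string is not an f-string.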
@@ -16,9 +16,9 @@ def test_unknown_virtual_host_is_503(docker_compose, nginxproxy): def test_forwards_to_whoami(docker_compose, nginxproxy): - r = nginxproxy.get("http://whoami.nginx.container.docker/") + r = nginxproxy.get("http://whoami2.nginx.container.docker/") assert r.status_code == 200 - whoami_container = docker_compose.containers.get("whoami") + whoami_container = docker_compose.containers.get("whoami2") assert r.text == f"I'm {whoami_container.id[:12]}\n" diff --git a/test/test_dockergen/test_dockergen_network_segregation_v2.py b/test/test_dockergen/test_dockergen_network_segregation_v2.py deleted file mode 100644 index dbb15d4..0000000 --- a/test/test_dockergen/test_dockergen_network_segregation_v2.py +++ /dev/null @@ -1,10 +0,0 @@ -def test_unknown_virtual_host_is_503(docker_compose, nginxproxy): - r = nginxproxy.get("http://unknown.nginx.container.docker/") - assert r.status_code == 503 - - -def test_forwards_to_whoami(docker_compose, nginxproxy): - r = nginxproxy.get("http://whoami.nginx.container.docker/") - assert r.status_code == 200 - whoami_container = docker_compose.containers.get("whoami") - assert r.text == f"I'm {whoami_container.id[:12]}\n" diff --git a/test/test_dockergen/test_dockergen_network_segregation_v3.yml b/test/test_dockergen/test_dockergen_network_segregation_v3.yml deleted file mode 100644 index c873c31..0000000 --- a/test/test_dockergen/test_dockergen_network_segregation_v3.yml +++ /dev/null 
@@ -1,40 +0,0 @@ -version: '3' - -services: - nginx: - image: nginx - container_name: nginx - volumes: - - "nginx_conf:/etc/nginx/conf.d" - labels: - - "com.github.nginx-proxy.nginx-proxy.nginx" - networks: - - proxy - - dockergen: - image: nginxproxy/docker-gen - command: -notify-sighup nginx -watch /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf - volumes: - - "/var/run/docker.sock:/tmp/docker.sock:ro" - - "../../nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl" - - "nginx_conf:/etc/nginx/conf.d" - networks: - - internal - - web: - image: web - container_name: whoami - expose: - - "80" - environment: - WEB_PORTS: "80" - VIRTUAL_HOST: "whoami.nginx.container.docker" - networks: - - proxy - -networks: - proxy: - internal: - -volumes: - nginx_conf: {} From 40744f6f413399d5aedb081a3e39ef9d4875d8d9 Mon Sep 17 00:00:00 2001 From: Nicolas Duchon Date: Sun, 11 May 2025 12:26:24 +0200 Subject: [PATCH 4/7] refactor: deduplicate code --- nginx.tmpl | 55 ++++++++++++++++++++---------------------------------- 1 file changed, 20 insertions(+), 35 deletions(-) diff --git a/nginx.tmpl b/nginx.tmpl index 3666625..dd1c444 100644 --- a/nginx.tmpl +++ b/nginx.tmpl 
@@ -10,11 +10,10 @@ {{- $_ := set $globals "containers" $ }} {{- $_ := set $globals "Env" $.Env }} {{- $_ := set $globals "Docker" $.Docker }} -{{- $_ := set $globals "CurrentContainer" (where $globals.containers "ID" $globals.Docker.CurrentContainerID | first) }} -{{- $_ := set $globals "NginxContainer" (whereLabelExists $globals.containers "com.github.nginx-proxy.nginx-proxy.nginx" | first) }} {{- $config := dict }} {{- $_ := set $config "nginx_proxy_version" $.Env.NGINX_PROXY_VERSION }} +{{- $_ := set $config "nginx_container_label" ($.Env.NGINX_CONTAINER_LABEL | default "com.github.nginx-proxy.nginx-proxy.nginx") }} {{- $_ := set $config "default_cert_ok" (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }} {{- $_ := set $config "external_http_port" ($globals.Env.HTTP_PORT | default "80") }} {{- $_ := set $config "external_https_port" ($globals.Env.HTTPS_PORT | default "443") }} 
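Review bot: The new `nginx_container_label` entry reads `$.Env.NGINX_CONTAINER_LABEL` while the neighbouring `external_http_port` and `external_https_port` entries read `$globals.Env.…`; for consistency within this block use `{{- $_ := set $config "nginx_container_label" ($globals.Env.NGINX_CONTAINER_LABEL | default "com.github.nginx-proxy.nginx-proxy.nginx") }}`. A one-line comment above it saying that the variable is read from the docker-gen container's environment, as the README change in PATCH 7/7 documents, would also help, since this line is the only place the default label is defined.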
@@ -45,33 +44,29 @@ {{- $_ := set $globals "vhosts" (dict) }} {{- $_ := set $globals "networks" (dict) }} -# Networks available to the container labeled "com.github.nginx-proxy.nginx-proxy.nginx" or the one running docker-gen (which are assumed to -# match the networks available to the container running nginx): + +{{- $currentContainer := where $globals.containers "ID" $globals.Docker.CurrentContainerID | first }} +{{- $labeledContainer := whereLabelExists $globals.containers $globals.config.nginx_container_label | first }} +{{- $_ := set $globals "NetworkContainer" ($labeledContainer | default $currentContainer) }} +# Networks available to the container labeled "{{ $globals.config.nginx_container_label }}" or the one running docker-gen +# (which are assumed to match the networks available to the container running nginx): {{- /* - * Note: $globals.CurrentContainer may be nil in some circumstances due to - * . For more context - * see . + * Note: + * $globals.NetworkContainer may be nil in some circumstances due to https://github.com/nginx-proxy/docker-gen/issues/458. + * For more context see https://github.com/nginx-proxy/nginx-proxy/issues/2189. */}} -{{- if $globals.NginxContainer }} - {{- range sortObjectsByKeysAsc $globals.NginxContainer.Networks "Name" }} - {{- $_ := set $globals.networks .Name . }} -# {{ .Name }} - {{- else }} -# (none) - {{- end }} -{{- else if $globals.CurrentContainer }} - {{- range sortObjectsByKeysAsc $globals.CurrentContainer.Networks "Name" }} +{{- if $globals.NetworkContainer }} + {{- range sortObjectsByKeysAsc $globals.NetworkContainer.Networks "Name" }} {{- $_ := set $globals.networks .Name . }} # {{ .Name }} {{- else }} # (none) {{- end }} {{- else }} -# /!\ WARNING: Failed to find the Docker container running docker-gen. All -# upstream (backend) application containers will appear to be -# unreachable. Try removing the -only-exposed and -only-published -# arguments to docker-gen if you pass either of those. See -# . 
+# /!\ WARNING: Failed to find the Docker container labeled "{{ $globals.config.nginx_container_label }}" or the one running docker-gen. +# All upstream (backend) application containers will appear to be unreachable. +# Try removing the -only-exposed and -only-published arguments to docker-gen if you pass either of those. +# See https://github.com/nginx-proxy/docker-gen/issues/458. {{- end }} {{- /* @@ -105,21 +100,11 @@ {{- $ipv4 = "127.0.0.1" }} {{- continue }} {{- end }} - {{- if $.globals.NginxContainer }} - {{- range sortObjectsByKeysAsc $.globals.NginxContainer.Networks "Name" }} - {{- if and . .Gateway (not .Internal) }} + {{- range sortObjectsByKeysAsc $.globals.NetworkContainer.Networks "Name" }} + {{- if and . .Gateway (not .Internal) }} # container is in host network mode, using {{ .Name }} gateway IP - {{- $ipv4 = .Gateway }} - {{- break }} - {{- end }} - {{- end }} - {{- else }} - {{- range sortObjectsByKeysAsc $.globals.CurrentContainer.Networks "Name" }} - {{- if and . .Gateway (not .Internal) }} - # container is in host network mode, using {{ .Name }} gateway IP - {{- $ipv4 = .Gateway }} - {{- break }} - {{- end }} + {{- $ipv4 = .Gateway }} + {{- break }} {{- end }} {{- end }} {{- if $ipv4 }} From bfabd460548816244da650d29f76ff80bc069a16 Mon Sep 17 00:00:00 2001 From: Nicolas Duchon Date: Sun, 11 May 2025 12:40:11 +0200 Subject: [PATCH 5/7] test: network segregation w/ internal Docker network --- ...test_dockergen_network_segregation.base.yml | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/test/test_dockergen/test_dockergen_network_segregation.base.yml b/test/test_dockergen/test_dockergen_network_segregation.base.yml index 8040b47..c0e85ac 100644 --- a/test/test_dockergen/test_dockergen_network_segregation.base.yml +++ b/test/test_dockergen/test_dockergen_network_segregation.base.yml 
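Review bot: `range sortObjectsByKeysAsc $.globals.NetworkContainer.Networks "Name"` in the `@@ -105,21 +100,11 @@` hunk dereferences `$.globals.NetworkContainer` without a guard, although the note added a few lines earlier states it may be nil; in Go's text/template a field lookup on a nil value is a render error, so as far as I can tell a container in host network mode would abort rendering of the whole config in that situation. The previous code had the same gap for `CurrentContainer`, but this rewrite is the natural place to close it: add `{{- if $.globals.NetworkContainer }}` before the `range` and a matching `{{- end }}` after its closing `{{- end }}`. The enclosing loop over containers starts and ends outside the hunk.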
@@ -1,3 +1,12 @@ +networks: + proxy: + private: + internal: true + +volumes: + nginx_conf: + + services: nginx-proxy-nginx: image: nginx @@ -20,7 +29,7 @@ services: - ../../nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl - nginx_conf:/etc/nginx/conf.d networks: - - internal + - private web: image: web @@ -32,10 +41,3 @@ services: VIRTUAL_HOST: whoami2.nginx.container.docker networks: - proxy - -networks: - proxy: - internal: - -volumes: - nginx_conf: From db51154175d7f3b3b8d603634f81446ea46abca7 Mon Sep 17 00:00:00 2001 From: Nicolas Duchon Date: Sun, 11 May 2025 12:46:45 +0200 Subject: [PATCH 6/7] test: custom nginx network segregation label --- ..._network_segregation-custom-label.base.yml | 45 +++++++++++++++++++ ...kergen_network_segregation-custom-label.py | 27 +++++++++++ 2 files changed, 72 insertions(+) create mode 100644 test/test_dockergen/test_dockergen_network_segregation-custom-label.base.yml create mode 100644 test/test_dockergen/test_dockergen_network_segregation-custom-label.py diff --git a/test/test_dockergen/test_dockergen_network_segregation-custom-label.base.yml b/test/test_dockergen/test_dockergen_network_segregation-custom-label.base.yml new file mode 100644 index 0000000..1429e9f --- /dev/null +++ b/test/test_dockergen/test_dockergen_network_segregation-custom-label.base.yml 
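Review bot: The fixture does not say why the `private` network is `internal: true`, yet that is the property this test exercises: docker-gen no longer shares a network with nginx and must discover nginx's networks through the label. A comment above `private:` such as `# docker-gen sits here, isolated; it must find nginx's networks via the container label` would make the intent obvious to whoever edits the file next. The same comment belongs in the copy of these networks in the custom-label fixture added by PATCH 6/7.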
@@ -0,0 +1,45 @@
+networks:
+ proxy:
+ private:
+ internal: true
+
+volumes:
+ nginx_conf:
+
+
+services:
+ nginx-proxy-nginx:
+ image: nginx
+ container_name: nginx
+ volumes:
+ - nginx_conf:/etc/nginx/conf.d:ro
+ ports:
+ - "80:80"
+ - "443:443"
+ networks:
+ - proxy
+ labels:
+ - "com.github.nginx-proxy.nginx-proxy.foobarbuzz"
+
+ nginx-proxy-dockergen:
+ image: nginxproxy/docker-gen
+ command: -notify-sighup nginx -watch /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf
+ volumes:
+ - /var/run/docker.sock:/tmp/docker.sock:ro
+ - ../../nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl
+ - nginx_conf:/etc/nginx/conf.d
+ environment:
+ NGINX_CONTAINER_LABEL: "com.github.nginx-proxy.nginx-proxy.foobarbuzz"
+ networks:
+ - private
+
+ web:
+ image: web
+ container_name: whoami2
+ expose:
+ - "80"
+ environment:
+ WEB_PORTS: "80"
+ VIRTUAL_HOST: whoami2.nginx.container.docker
+ networks:
+ - proxy
diff --git a/test/test_dockergen/test_dockergen_network_segregation-custom-label.py b/test/test_dockergen/test_dockergen_network_segregation-custom-label.py
new file mode 100644
index 0000000..ad487d9
--- /dev/null
+++ b/test/test_dockergen/test_dockergen_network_segregation-custom-label.py
@@ -0,0 +1,27 @@ +import docker +import pytest +from packaging.version import Version + + +raw_version = docker.from_env().version()["Version"] +pytestmark = pytest.mark.skipif( + Version(raw_version) < Version("1.13"), + reason="Docker compose syntax v3 requires docker engine v1.13 or later (got {raw_version})" +) + + +def test_unknown_virtual_host_is_503(docker_compose, nginxproxy): + r = nginxproxy.get("http://unknown.nginx.container.docker/") + assert r.status_code == 503 + + +def test_forwards_to_whoami(docker_compose, nginxproxy): + r = nginxproxy.get("http://whoami2.nginx.container.docker/") + assert r.status_code == 200 + whoami_container = docker_compose.containers.get("whoami2") + assert r.text == f"I'm {whoami_container.id[:12]}\n" + + +if __name__ == "__main__": + import doctest + doctest.testmod() From eb9f0f31d702381919bec10d39dbc7f6a3f7b80e Mon Sep 17 00:00:00 2001 From: Nicolas Duchon Date: Sun, 11 May 2025 13:05:12 +0200 Subject: [PATCH 7/7] docs: add NGINX_CONTAINER_LABEL to docs --- docs/README.md | 50 ++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 42 insertions(+), 8 deletions(-) diff --git a/docs/README.md b/docs/README.md index d99d8be..95d9b27 100644 --- a/docs/README.md +++ b/docs/README.md 
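Review bot: test_dockergen_network_segregation-custom-label.py is a byte-for-byte copy of test_dockergen_network_segregation.py (both index lines show blob `ad487d9`), so nothing in the module tells a reader that the difference under test is the custom label configured in the accompanying `.base.yml`. A module docstring such as `"""Same checks as test_dockergen_network_segregation.py, but docker-gen locates nginx through the label set by NGINX_CONTAINER_LABEL (see the .base.yml fixture)."""` would fix that. The copied `skipif` marker and its non-f-string reason come along unchanged, so any fix there now has to be applied in two files.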
@@ -1136,31 +1136,65 @@ I'm 5b129ab83266 To run nginx proxy as a separate container you'll need to have [nginx.tmpl](https://github.com/nginx-proxy/nginx-proxy/blob/main/nginx.tmpl) on your host system. -First start nginx with a volume: +First start nginx with a volume mounted to `/etc/nginx/conf.d`: ```console -docker run -d -p 80:80 --name nginx -v /tmp/nginx:/etc/nginx/conf.d -t nginx +docker run --detach \ + --name nginx \ + --publish 80:80 \ + --volume /tmp/nginx:/etc/nginx/conf.d \ + nginx ``` Then start the docker-gen container with the shared volume and template: ```console -docker run --volumes-from nginx \ - -v /var/run/docker.sock:/tmp/docker.sock:ro \ - -v $(pwd):/etc/docker-gen/templates \ - -t nginxproxy/docker-gen -notify-sighup nginx -watch /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf +docker run --detach \ + --name docker-gen \ + --volumes-from nginx \ + --volume /var/run/docker.sock:/tmp/docker.sock:ro \ + --volume $(pwd):/etc/docker-gen/templates \ + nginxproxy/docker-gen -notify-sighup nginx -watch /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf ``` Finally, start your containers with `VIRTUAL_HOST` environment variables. ```console -docker run -e VIRTUAL_HOST=foo.bar.com ... +docker run --env VIRTUAL_HOST=foo.bar.com ... 
``` +### Network segregation + To allow for network segregation of the nginx and docker-gen containers, the label `com.github.nginx-proxy.nginx-proxy.nginx` must be applied to the nginx container, otherwise it is assumed that nginx and docker-gen share the same network: ```console -docker run -d -p 80:80 --name nginx -l "com.github.nginx-proxy.nginx-proxy.nginx" -v /tmp/nginx:/etc/nginx/conf.d -t nginx +docker run --detach \ + --name nginx \ + --publish 80:80 \ + --label "com.github.nginx-proxy.nginx-proxy.nginx" \ + --volume /tmp/nginx:/etc/nginx/conf.d \ + nginx +``` + +Network segregation make it possible to run the docker-gen container in an [internal network](https://docs.docker.com/reference/cli/docker/network/create/#internal), unreachable from the outside. + +You can also customise the label being used by docker-gen to find the nginx container with the `NGINX_CONTAINER_LABEL`environment variable (on the docker-gen container): + +```console +docker run --detach \ + --name docker-gen \ + --volumes-from nginx \ + --volume /var/run/docker.sock:/tmp/docker.sock:ro \ + --volume $(pwd):/etc/docker-gen/templates \ + --env "NGINX_CONTAINER_LABEL=com.github.foobarbuzz" \ + nginxproxy/docker-gen -notify-sighup nginx -watch /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf + +docker run --detach \ + --name nginx \ + --publish 80:80 \ + --label "com.github.foobarbuzz" \ + --volume "/tmp/nginx:/etc/nginx/conf.d" \ + nginx ``` ⬆️ [back to table of contents](#table-of-contents)