diff --git a/.travis.yml b/.travis.yml index e850f08..6bc9cd6 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,16 +1,17 @@ +dist: trusty sudo: required services: - docker env: global: - - DOCKER_VERSION=1.12.1-0~trusty + - DOCKER_VERSION=1.12.3-0~trusty before_install: # list docker-engine versions - apt-cache madison docker-engine # upgrade docker-engine to specific version - - sudo apt-get -o Dpkg::Options::="--force-confnew" install -y docker-engine=${DOCKER_VERSION} + - sudo apt-get -o Dpkg::Options::="--force-confnew" install -y --force-yes docker-engine=${DOCKER_VERSION} - docker version - docker info - sudo add-apt-repository ppa:duggan/bats --yes @@ -18,5 +19,10 @@ before_install: - sudo apt-get install -qq bats - make update-dependencies +matrix: + include: + - env: TEST_ID=test-debian + - env: TEST_ID=test-alpine + script: - - make test + - make $TEST_ID diff --git a/Dockerfile b/Dockerfile index 6d5ce9b..bf604e6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM nginx:1.11.3 +FROM nginx:1.11.8 MAINTAINER Jason Wilder mail@jasonwilder.com # Install wget and install/updates certificates diff --git a/Dockerfile.alpine b/Dockerfile.alpine new file mode 100644 index 0000000..4ce9561 --- /dev/null +++ b/Dockerfile.alpine @@ -0,0 +1,31 @@ +FROM nginx:1.11.8-alpine +MAINTAINER Jason Wilder mail@jasonwilder.com + +# Install wget and install/updates certificates +RUN apk add --no-cache --virtual .run-deps \ + ca-certificates bash wget \ + && update-ca-certificates + +# Configure Nginx and apply fix for very long server names +RUN echo "daemon off;" >> /etc/nginx/nginx.conf \ + && sed -i 's/^http {/&\n server_names_hash_bucket_size 128;/g' /etc/nginx/nginx.conf + +# Install Forego +ADD https://github.com/jwilder/forego/releases/download/v0.16.1/forego /usr/local/bin/forego +RUN chmod u+x /usr/local/bin/forego + +ENV DOCKER_GEN_VERSION 0.7.3 + +RUN wget --quiet https://github.com/jwilder/docker-gen/releases/download/$DOCKER_GEN_VERSION/docker-gen-alpine-linux-amd64-$DOCKER_GEN_VERSION.tar.gz \ + && tar -C /usr/local/bin -xvzf docker-gen-alpine-linux-amd64-$DOCKER_GEN_VERSION.tar.gz \ + && rm /docker-gen-alpine-linux-amd64-$DOCKER_GEN_VERSION.tar.gz + +COPY . /app/ +WORKDIR /app/ + +ENV DOCKER_HOST unix:///tmp/docker.sock + +VOLUME ["/etc/nginx/certs"] + +ENTRYPOINT ["/app/docker-entrypoint.sh"] +CMD ["forego", "start", "-r"] diff --git a/Makefile b/Makefile index 74ae6bf..acb3386 100644 --- a/Makefile +++ b/Makefile @@ -3,12 +3,19 @@ update-dependencies: docker pull jwilder/docker-gen:0.7.3 - docker pull nginx:1.11.3 + docker pull nginx:1.11.6 + docker pull nginx:1.11.8-alpine docker pull python:3 docker pull rancher/socat-docker:latest docker pull appropriate/curl:latest docker pull docker:1.10 -test: +test-debian: docker build -t jwilder/nginx-proxy:bats . bats test + +test-alpine: + docker build -f Dockerfile.alpine -t jwilder/nginx-proxy:bats . + bats test + +test: test-debian test-alpine diff --git a/README.md b/README.md index f918e99..9d3c527 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -![nginx 1.11.3](https://img.shields.io/badge/nginx-1.11.3-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') +![nginx 1.11.8](https://img.shields.io/badge/nginx-1.11.8-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped. @@ -125,6 +125,9 @@ $ docker run --volumes-from nginx \ Finally, start your containers with `VIRTUAL_HOST` environment variables. $ docker run -e VIRTUAL_HOST=foo.bar.com ... +### SSL Support using letsencrypt + +[letsencrypt-nginx-proxy-companion](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion)is a lightweight companion container for the nginx-proxy. It allow the creation/renewal of Let's Encrypt certificates automatically. ### SSL Support @@ -224,6 +227,7 @@ proxy_set_header Connection $proxy_connection; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; +proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl; proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port; # Mitigate httpoxy attack (see README for details) diff --git a/nginx.tmpl b/nginx.tmpl index 9e2ca08..a6a45e6 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -38,6 +38,12 @@ map $http_upgrade $proxy_connection { '' close; } +# Set appropriate X-Forwarded-Ssl header +map $scheme $proxy_x_forwarded_ssl { + default off; + https on; +} + gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; log_format vhost '$host $remote_addr - $remote_user [$time_local] ' @@ -58,6 +64,7 @@ proxy_set_header Connection $proxy_connection; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; +proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl; proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port; # Mitigate httpoxy attack (see README for details) @@ -85,8 +92,9 @@ server { {{ end }} {{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }} - -upstream {{ $host }} { +{{ $upstream_name := sha1 $host }} +# {{ $host }} +upstream {{ $upstream_name }} { {{ range $container := $containers }} {{ $addrLen := len $container.Addresses }} @@ -179,9 +187,9 @@ server { location / { {{ if eq $proto "uwsgi" }} include uwsgi_params; - uwsgi_pass {{ trim $proto }}://{{ trim $host }}; + uwsgi_pass {{ trim $proto }}://{{ trim $upstream_name }}; {{ else }} - proxy_pass {{ trim $proto }}://{{ trim $host }}; + proxy_pass {{ trim $proto }}://{{ trim $upstream_name }}; {{ end }} {{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }} auth_basic "Restricted {{ $host }}"; @@ -213,9 +221,9 @@ server { location / { {{ if eq $proto "uwsgi" }} include uwsgi_params; - uwsgi_pass {{ trim $proto }}://{{ trim $host }}; + uwsgi_pass {{ trim $proto }}://{{ trim $upstream_name }}; {{ else }} - proxy_pass {{ trim $proto }}://{{ trim $host }}; + proxy_pass {{ trim $proto }}://{{ trim $upstream_name }}; {{ end }} {{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }} auth_basic "Restricted {{ $host }}"; diff --git a/test/wildcard-hosts.bats b/test/wildcard-hosts.bats index 8491e4b..826009e 100644 --- a/test/wildcard-hosts.bats +++ b/test/wildcard-hosts.bats @@ -43,13 +43,28 @@ function setup { @test "[$TEST_FILE] VIRTUAL_HOST=~^foo\.bar\..*\.bats" { # WHEN - prepare_web_container bats-wildcard-hosts-2 80 -e VIRTUAL_HOST=~^foo\.bar\..*\.bats - dockergen_wait_for_event $SUT_CONTAINER start bats-wildcard-hosts-2 + prepare_web_container bats-wildcard-hosts-3 80 -e VIRTUAL_HOST=~^foo\.bar\..*\.bats + dockergen_wait_for_event $SUT_CONTAINER start bats-wildcard-hosts-3 sleep 1 # THEN assert_200 foo.bar.whatever.bats assert_200 foo.bar.why.not.bats + assert_200 foo.bar.why.not.bats-to-infinity-and-beyond + assert_503 unexpected.host.bats + +} + +@test "[$TEST_FILE] VIRTUAL_HOST=~^foo\.bar\..*\.bats$" { + # WHEN + prepare_web_container bats-wildcard-hosts-4 80 -e VIRTUAL_HOST=~^foo\.bar\..*\.bats$ + dockergen_wait_for_event $SUT_CONTAINER start bats-wildcard-hosts-4 + sleep 1 + + # THEN + assert_200 foo.bar.whatever.bats + assert_200 foo.bar.why.not.bats + assert_503 foo.bar.why.not.bats-to-infinity-and-beyond assert_503 unexpected.host.bats }