From 51c219d651de134ba352b081d60fd33d155d9cd7 Mon Sep 17 00:00:00 2001 From: pabra Date: Tue, 22 Dec 2015 21:20:44 +0100 Subject: [PATCH 01/11] connect to uWSGI backends --- README.md | 7 ++++++- nginx.tmpl | 10 ++++++++++ 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 9d4bb40..7116775 100644 --- a/README.md +++ b/README.md @@ -37,6 +37,12 @@ You can also use wildcards at the beginning and the end of host name, like `*.ba If you would like to connect to your backend using HTTPS instead of HTTP, set `VIRTUAL_PROTO=https` on the backend container. +### uWSGI Backends + +If you would like to connect to uWSGI backend, set `VIRTUAL_PROTO=uwsgi` on the +backend container. Your backend container should than listen on a port rather +than a socket and expose that port. + ### Default Host To set the default host for nginx use the env var `DEFAULT_HOST=foo.bar.com` for example @@ -227,4 +233,3 @@ Before submitting pull requests or issues, please check github to make sure an e To run tests, you'll need to install [bats 0.4.0](https://github.com/sstephenson/bats). make test - diff --git a/nginx.tmpl b/nginx.tmpl index 255cc35..71ccc31 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -144,7 +144,12 @@ server { {{ end }} location / { + {{ if eq $proto "uwsgi" }} + include uwsgi_params; + uwsgi_pass {{ trim $proto }}://{{ trim $host }}; + {{ else }} proxy_pass {{ trim $proto }}://{{ trim $host }}; + {{ end }} {{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }} auth_basic "Restricted {{ $host }}"; auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" $host) }}; 
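Review bot: Inside the `{{ if eq $proto "uwsgi" }}` branch `$proto` is already known to be the literal `uwsgi`, so `uwsgi_pass {{ trim $proto }}://{{ trim $host }};` can be written as `uwsgi_pass uwsgi://{{ trim $host }};`, which also makes it explicit that the backend is addressed by the uwsgi protocol rather than by a scheme taken from the container environment. The branch is duplicated verbatim in the second nginx.tmpl hunk (`@@ -170,7 +175,12 @@`), so both copies have to be kept in step. If the template configures `proxy_set_header` forwarding headers elsewhere (not visible in this hunk), they apply only to `proxy_pass`; a uWSGI backend sees what `uwsgi_params` defines, which is worth stating in the README next to the new `VIRTUAL_PROTO=uwsgi` section. The enclosing `location /` block continues past the end of the hunk.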
@@ -170,7 +175,12 @@ server { {{ end }} location / { + {{ if eq $proto "uwsgi" }} + include uwsgi_params; + uwsgi_pass {{ trim $proto }}://{{ trim $host }}; + {{ else }} proxy_pass {{ trim $proto }}://{{ trim $host }}; + {{ end }} {{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }} auth_basic "Restricted {{ $host }}"; auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" $host) }}; From 5f684d4fc5b5466f351492e94fc0c4279c9b6750 Mon Sep 17 00:00:00 2001 From: ryneeverett Date: Mon, 27 Jun 2016 01:26:39 -0400 Subject: [PATCH 02/11] Add docker-compose file for separate containers. Demonstrate that this pattern works. This is based on the example at . --- README.md | 10 +++++++- docker-compose-separate-containers.yml | 33 ++++++++++++++++++++++++++ 2 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 docker-compose-separate-containers.yml diff --git a/README.md b/README.md index b12c9c2..0a9fe79 100644 --- a/README.md +++ b/README.md @@ -42,7 +42,7 @@ services: ```shell $ docker-compose up $ curl -H "Host: whoami.local" localhost -I''m 5b129ab83266 +I'm 5b129ab83266 ``` ### Multiple Ports @@ -92,6 +92,14 @@ image and the official [nginx](https://registry.hub.docker.com/_/nginx/) image. You may want to do this to prevent having the docker socket bound to a publicly exposed container service. +You can demo this pattern with docker-compose: + +```console +$ docker-compose --file docker-compose-separate-containers.yml up +$ curl -H "Host: whoami.local" localhost +I'm 5b129ab83266 +``` + To run nginx proxy as a separate container you'll need to have [nginx.tmpl](https://github.com/jwilder/nginx-proxy/blob/master/nginx.tmpl) on your host system. First start nginx with a volume: diff --git a/docker-compose-separate-containers.yml b/docker-compose-separate-containers.yml new file mode 100644 index 0000000..dc41c01 --- /dev/null +++ b/docker-compose-separate-containers.yml 
@@ -0,0 +1,33 @@ +version: '2' +services: + nginx: + image: nginx + container_name: nginx + ports: + - "80:80" + volumes: + - /etc/nginx/conf.d + networks: + - proxy-tier + + dockergen: + image: jwilder/docker-gen + command: -notify-sighup nginx -watch /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf + volumes_from: + - nginx + volumes: + - /var/run/docker.sock:/tmp/docker.sock:ro + - ./nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl + networks: + - proxy-tier + + whoami: + image: jwilder/whoami + environment: + - VIRTUAL_HOST=whoami.local + networks: + - proxy-tier + +networks: + proxy-tier: + driver: bridge From 86c408bbdd6c90165dc63947eea10df3a7a739e7 Mon Sep 17 00:00:00 2001 From: hwang Date: Fri, 29 Jul 2016 21:17:14 +0200 Subject: [PATCH 03/11] upgrade nginx to 1.11.0 --- Dockerfile | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index f81ce48..f67283f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM nginx:1.9.15 +FROM nginx:1.11.0 MAINTAINER Jason Wilder mail@jasonwilder.com # Install wget and install/updates certificates diff --git a/README.md b/README.md index 53e8d5d..101784b 100644 --- a/README.md +++ b/README.md 
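Review bot: Neither image in the new compose file is pinned: `image: nginx` and `image: jwilder/docker-gen` resolve to whatever the default tag points at when pulled, while the repository itself pins exact versions (`nginx:1.11.0` in the Dockerfile, `jwilder/docker-gen:0.7.3` in the Makefile), so an example meant to demonstrate that the pattern works can change behaviour between runs. Pinning, e.g. `image: nginx:1.11.0` and `image: jwilder/docker-gen:0.7.3`, keeps the demo reproducible and aligned with what the project tests against. The `:ro` on the socket mount is correct, and mounting the socket only into the docker-gen container rather than the publicly exposed nginx container is the whole point of this layout, so a one-line comment above that `volumes:` entry saying so would help readers who copy the file.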
@@ -1,4 +1,4 @@ -![nginx 1.9.15](https://img.shields.io/badge/nginx-1.9.15-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') +![nginx 1.11.0](https://img.shields.io/badge/nginx-1.11.0-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped. From 478ad17adb59808fecdaf1b7076d938460ba0108 Mon Sep 17 00:00:00 2001 From: ryneeverett Date: Fri, 29 Jul 2016 17:23:10 -0400 Subject: [PATCH 04/11] Remove proxy-tier network in favor of the default. As @huiwang pointed out, using a custom network is unnecessary since the default bridge network works just as well. --- docker-compose-separate-containers.yml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/docker-compose-separate-containers.yml b/docker-compose-separate-containers.yml index dc41c01..a4edb94 100644 --- a/docker-compose-separate-containers.yml +++ b/docker-compose-separate-containers.yml @@ -7,8 +7,6 @@ services: - "80:80" volumes: - /etc/nginx/conf.d - networks: - - proxy-tier dockergen: image: jwilder/docker-gen 
@@ -18,16 +16,8 @@ services: volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - ./nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl - networks: - - proxy-tier whoami: image: jwilder/whoami environment: - VIRTUAL_HOST=whoami.local - networks: - - proxy-tier - -networks: - proxy-tier: - driver: bridge From 03e863d838f9ef224cd78deccef3405e424dd317 Mon Sep 17 00:00:00 2001 From: hwang Date: Thu, 25 Aug 2016 20:16:37 +0200 Subject: [PATCH 05/11] upgrade nginx to 1.11.3 --- Dockerfile | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index f67283f..6d5ce9b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM nginx:1.11.0 +FROM nginx:1.11.3 MAINTAINER Jason Wilder mail@jasonwilder.com # Install wget and install/updates certificates diff --git a/README.md b/README.md index 101784b..e6e5404 100644 --- a/README.md +++ b/README.md 
@@ -1,4 +1,4 @@ -![nginx 1.11.0](https://img.shields.io/badge/nginx-1.11.0-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') +![nginx 1.11.3](https://img.shields.io/badge/nginx-1.11.3-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped. From c113e7ac82c80c95fa451b6fc689c05fbc60affa Mon Sep 17 00:00:00 2001 From: Christoph Date: Thu, 25 Aug 2016 20:22:35 +0200 Subject: [PATCH 06/11] Update .travis.yml --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index b6b1364..e850f08 100644 --- a/.travis.yml +++ b/.travis.yml @@ -4,7 +4,7 @@ services: env: global: - - DOCKER_VERSION=1.10.1-0~trusty + - DOCKER_VERSION=1.12.1-0~trusty before_install: # list docker-engine versions From 176b78943e13b20dd92de4c90b345905c909f0fc Mon Sep 17 00:00:00 2001 From: hwang Date: Thu, 25 Aug 2016 21:46:57 +0200 Subject: [PATCH 07/11] upgrade nginx to 1.11.3 in makefile --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Makefile b/Makefile index 7747344..74ae6bf 100644 --- a/Makefile +++ b/Makefile @@ -3,7 +3,7 @@ update-dependencies: docker pull jwilder/docker-gen:0.7.3 - docker pull nginx:1.9.12 + docker pull nginx:1.11.3 docker pull python:3 docker pull rancher/socat-docker:latest docker pull appropriate/curl:latest From 87879c1ee2f55e41f63088d478a7c57179decf51 Mon Sep 17 00:00:00 2001 From: Ruben Date: Thu, 1 Sep 2016 11:34:56 +0200 Subject: [PATCH 08/11] Update ciphers and HTST settings to get A+ rating The default config gets you an 'A' rating. Cipher settings are copied from [Mozilla SSL Configartion Generator](https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.1&openssl=1.0.1t&hsts=yes&profile=intermediate) --- nginx.tmpl | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/nginx.tmpl b/nginx.tmpl index 0969564..612decb 100644 --- a/nginx.tmpl +++ b/nginx.tmpl 
@@ -143,11 +143,12 @@ server { access_log /var/log/nginx/access.log vhost; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA; + ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; ssl_prefer_server_ciphers on; ssl_session_timeout 5m; ssl_session_cache shared:SSL:50m; + ssl_session_tickets off; ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }}; ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }}; 
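Review bot: The new `ssl_ciphers` value is a snapshot of generator output, but nothing in the template records which profile it came from, so the next maintainer cannot tell whether a later edit is an upgrade or a regression; a comment such as `# Mozilla intermediate profile (nginx 1.10.1, OpenSSL 1.0.1t); regenerate rather than edit by hand` above the directive would carry the provenance from the commit message into the file. The list still ends in the 3DES suites `ECDHE-ECDSA-DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA` and `DES-CBC3-SHA`, kept for legacy clients together with the unchanged `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`; that is a deliberate compatibility trade-off and belongs in the same comment. `ssl_session_tickets off;` is the right companion to the shared session cache, since without it the ticket key nginx generates at startup stays in use until the next reload, but it is added only to this vhost server block; the default `return 503` server block is not covered by this commit.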
@@ -157,7 +158,7 @@ server { {{ end }} {{ if (ne $https_method "noredirect") }} - add_header Strict-Transport-Security "max-age=31536000"; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; {{ end }} {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }} From 37323320c87a392e94f3c8e8e242afd314636fa1 Mon Sep 17 00:00:00 2001 From: mplx Date: Mon, 12 Sep 2016 09:46:59 +0200 Subject: [PATCH 09/11] do not enable HSTS for subdomains --- nginx.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx.tmpl b/nginx.tmpl index 980eace..1528b43 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -158,7 +158,7 @@ server { {{ end }} {{ if (ne $https_method "noredirect") }} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header Strict-Transport-Security "max-age=31536000"; {{ end }} {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }} From fe9a538ec8eb1a78f828d287fdc103cd32171b58 Mon Sep 17 00:00:00 2001 From: pvlg Date: Sat, 17 Sep 2016 16:53:01 +0300 Subject: [PATCH 10/11] Replace "replace" to "trimSuffix" I have a domain key-mydomain.com. When I add domain www.key-mydomain.com with ssl cert I did not get the desired result. Function replace cut name ssl cert "www.key-mydomain.com.key" to "www-mydomain.com". --- nginx.tmpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nginx.tmpl b/nginx.tmpl index 1528b43..d2caf82 100644 --- a/nginx.tmpl +++ b/nginx.tmpl 
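Review bot: The revert removes more than the title states: besides `includeSubDomains`, the `always` parameter is dropped, so `add_header Strict-Transport-Security "max-age=31536000";` is again emitted only for nginx's default add_header status codes (the 2xx/3xx set) and not on 4xx/5xx responses, where a browser would otherwise also learn the policy. If only the subdomain scope was the problem, `add_header Strict-Transport-Security "max-age=31536000" always;` keeps the other half of the previous commit. Since this template serves many unrelated vhosts, `includeSubDomains` is better offered as a per-container opt-in than as a global default, which deserves a one-line template comment at this spot so the flag is not re-added globally later.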
@@ -118,8 +118,8 @@ upstream {{ $host }} { {{ $vhostCert := (closest (dir "/etc/nginx/certs") (printf "%s.crt" $host))}} {{/* vhostCert is actually a filename so remove any suffixes since they are added later */}} -{{ $vhostCert := replace $vhostCert ".crt" "" -1 }} -{{ $vhostCert := replace $vhostCert ".key" "" -1 }} +{{ $vhostCert := trimSuffix ".crt" $vhostCert }} +{{ $vhostCert := trimSuffix ".key" $vhostCert }} {{/* Use the cert specified on the container or fallback to the best vhost match */}} {{ $cert := (coalesce $certName $vhostCert) }} From 4661bf4dd9160932f8d42c22f7619dc66949362f Mon Sep 17 00:00:00 2001 From: Chulki Lee Date: Fri, 23 Sep 2016 21:58:06 -0700 Subject: [PATCH 11/11] add ssl_session_tickets to default site Fixes #580 --- nginx.tmpl | 1 + 1 file changed, 1 insertion(+) diff --git a/nginx.tmpl b/nginx.tmpl index d2caf82..9eb9520 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -70,6 +70,7 @@ server { access_log /var/log/nginx/access.log vhost; return 503; + ssl_session_tickets off; ssl_certificate /etc/nginx/certs/default.crt; ssl_certificate_key /etc/nginx/certs/default.key; }
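Review bot: The comment above the changed lines, `vhostCert is actually a filename so remove any suffixes since they are added later`, no longer describes the code: `trimSuffix` strips only a trailing `.crt` or `.key`, which is exactly the fix for names like `www.key-mydomain.com`, so it should read `{{/* vhostCert is a filename; strip only a trailing .crt/.key, the suffix is re-added below */}}`. The two trims run in sequence, so a name ending in `.crt.key` loses both suffixes while `.key.crt` loses only `.crt`; given that `closest` is queried with the `%s.crt` pattern, the `.key` trim is presumably a no-op safeguard, and saying so in the comment would stop the next reader from wondering whether the order matters.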
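Review bot: With this change `ssl_session_tickets off;` is repeated in three server blocks (the vhost blocks changed at `@@ -143,11 +143,12 @@` in the earlier commit and the default server here), and #580 shows what happens when one of them is missed. The directive is valid in the `http` context, so a single occurrence at http level in the template header (outside this hunk) would cover the default server and every generated vhost without per-block repetition. If the per-block form is kept, a comment such as `# keep in sync with the vhost server blocks` next to this line makes the duplication visible to the next editor.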