From 9711ade7a640249d99c425a10b15ed730a565779 Mon Sep 17 00:00:00 2001 From: Knapoc Date: Mon, 24 Jul 2023 11:36:17 +0200 Subject: [PATCH] feat: allow nginx / docker-gen network segregation * fix merge conflicts --- docs/README.md | 6 ++++++ nginx.tmpl | 52 +++++++++++++++++++++++++++++++++----------------- 2 files changed, 41 insertions(+), 17 deletions(-) diff --git a/docs/README.md b/docs/README.md index 3e39388..d99d8be 100644 --- a/docs/README.md +++ b/docs/README.md @@ -1157,6 +1157,12 @@ Finally, start your containers with `VIRTUAL_HOST` environment variables. docker run -e VIRTUAL_HOST=foo.bar.com ... ``` +To allow for network segregation of the nginx and docker-gen containers, the label `com.github.nginx-proxy.nginx-proxy.nginx` must be applied to the nginx container, otherwise it is assumed that nginx and docker-gen share the same network: + +```console +docker run -d -p 80:80 --name nginx -l "com.github.nginx-proxy.nginx-proxy.nginx" -v /tmp/nginx:/etc/nginx/conf.d -t nginx +``` + ⬆️ [back to table of contents](#table-of-contents) ## Docker Compose diff --git a/nginx.tmpl b/nginx.tmpl index 14e30ca..3666625 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -11,6 +11,7 @@ {{- $_ := set $globals "Env" $.Env }} {{- $_ := set $globals "Docker" $.Docker }} {{- $_ := set $globals "CurrentContainer" (where $globals.containers "ID" $globals.Docker.CurrentContainerID | first) }} +{{- $_ := set $globals "NginxContainer" (whereLabelExists $globals.containers "com.github.nginx-proxy.nginx-proxy.nginx" | first) }} {{- $config := dict }} {{- $_ := set $config "nginx_proxy_version" $.Env.NGINX_PROXY_VERSION }} 
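Review bot: The added `NginxContainer` lookup trusts any container visible to docker-gen that carries the `com.github.nginx-proxy.nginx-proxy.nginx` label, and when several do, `| first` silently picks whichever the Docker API returns first, so the set of networks used to reach upstreams (and, further down, the gateway chosen for host-network backends) becomes steerable by a label that anyone who can deploy a proxied container can set. If the intent is that exactly one operator-controlled container is nginx, consider narrowing the match, e.g. requiring the label's value to equal a known container name, or at least emitting a visible warning into the generated config when `gt (len (whereLabelExists $globals.containers "com.github.nginx-proxy.nginx-proxy.nginx")) 1`. The README hunk should also state the multi-match behaviour, e.g. `Exactly one container should carry this label; if several do, the first one returned by the Docker API is used.`. The `$globals` setup this line belongs to starts before the hunk.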
@@ -44,14 +45,21 @@ {{- $_ := set $globals "vhosts" (dict) }} {{- $_ := set $globals "networks" (dict) }} -# Networks available to the container running docker-gen (which are assumed to +# Networks available to the container labeled "com.github.nginx-proxy.nginx-proxy.nginx" or the one running docker-gen (which are assumed to # match the networks available to the container running nginx): {{- /* * Note: $globals.CurrentContainer may be nil in some circumstances due to * . For more context * see . */}} -{{- if $globals.CurrentContainer }} +{{- if $globals.NginxContainer }} + {{- range sortObjectsByKeysAsc $globals.NginxContainer.Networks "Name" }} + {{- $_ := set $globals.networks .Name . }} +# {{ .Name }} + {{- else }} +# (none) + {{- end }} +{{- else if $globals.CurrentContainer }} {{- range sortObjectsByKeysAsc $globals.CurrentContainer.Networks "Name" }} {{- $_ := set $globals.networks .Name . }} # {{ .Name }} @@ -97,11 +105,21 @@ {{- $ipv4 = "127.0.0.1" }} {{- continue }} {{- end }} - {{- range sortObjectsByKeysAsc $.globals.CurrentContainer.Networks "Name" }} - {{- if and . .Gateway (not .Internal) }} + {{- if $.globals.NginxContainer }} + {{- range sortObjectsByKeysAsc $.globals.NginxContainer.Networks "Name" }} + {{- if and . .Gateway (not .Internal) }} # container is in host network mode, using {{ .Name }} gateway IP - {{- $ipv4 = .Gateway }} - {{- break }} + {{- $ipv4 = .Gateway }} + {{- break }} + {{- end }} + {{- end }} + {{- else }} + {{- range sortObjectsByKeysAsc $.globals.CurrentContainer.Networks "Name" }} + {{- if and . .Gateway (not .Internal) }} + # container is in host network mode, using {{ .Name }} gateway IP + {{- $ipv4 = .Gateway }} + {{- break }} + {{- end }} {{- end }} {{- end }} {{- if $ipv4 }} 
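Review bot: The rewritten header comment at the top of the hunk now reads as if the "assumed to match the networks available to nginx" caveat applied to the labelled container as well, when it only applies to the docker-gen fallback taken by the new `else if $globals.CurrentContainer` branch. Suggest splitting it into two lines: `# Networks available to the container labeled "com.github.nginx-proxy.nginx-proxy.nginx" (or, when no` / `# container carries that label, to the one running docker-gen, which is then assumed to share nginx's networks):`. It is also worth a sentence in that comment that when the labelled container has no networks the `# (none)` branch leaves `$globals.networks` empty and no upstream will be considered reachable, since that fail-closed behaviour is the whole point of the segregation and is otherwise easy to misread as a bug.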
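Review bot: The gateway-selection loop is now duplicated verbatim for `$.globals.NginxContainer` and `$.globals.CurrentContainer`, which makes the two branches easy to let drift (the indentation of the `# container is in host network mode` comment line already differs between them). Since Go templates' `or` returns the first non-empty argument and the file already uses it for `$cert`, the two branches collapse into `{{- $proxy := or $.globals.NginxContainer $.globals.CurrentContainer }}` followed by a single `{{- range sortObjectsByKeysAsc $proxy.Networks "Name" }}` loop; this assumes `first` yields an empty value when no container is labelled, which the `if $.globals.NginxContainer` test in the hunk already relies on. Note the fallback branch still dereferences `$.globals.CurrentContainer.Networks` without a nil guard, even though the comment in the previous hunk says `CurrentContainer` may be nil; that is pre-existing but the rewrite is a natural place to add `{{- if $proxy }}` around the loop. The enclosing `range` over containers starts before this hunk.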
@@ -114,7 +132,7 @@ {{- end }} {{- /* * Do not emit multiple `server` directives for this container if it - * is reachable over multiple networks or multiple IP stacks. This avoids + * is reachable over multiple networks or multiple IP stacks. This avoids * accidentally inflating the effective round-robin weight of a server due * to the redundant upstream addresses that nginx sees as belonging to * distinct servers. @@ -397,7 +415,7 @@ upstream {{ $vpath.upstream }} { {{- $debug_vpath := deepCopy $vpath | merge (dict "ports" $tmp_ports) }} {{- $_ := set $debug_paths $path $debug_vpath }} {{- end }} - + {{- $debug_vhost := deepCopy .VHost }} {{- /* If it's a regexp, do not render the Hostname to the response to avoid rendering config breaking characters */}} {{- $_ := set $debug_vhost "hostname" (.VHost.is_regexp | ternary "Hostname is a regexp and unsafe to include in the debug response." .Hostname) }} @@ -606,7 +624,7 @@ proxy_set_header Proxy ""; {{- $path_port_containers := get $path_ports $port | default (list) | concat $containers }} {{- $_ := set $path_ports $port $path_port_containers }} {{- $_ := set $path_data "ports" $path_ports }} - + {{- if (not (hasKey $path_data "dest")) }} {{- $_ := set $path_data "dest" $dest }} {{- end }} @@ -614,7 +632,7 @@ proxy_set_header Proxy ""; {{- if (not (hasKey $path_data "proto")) }} {{- $_ := set $path_data "proto" $proto }} {{- end }} - + {{- $_ := set $paths $path $path_data }} {{- end }} {{- $_ := set $vhost_data "paths" $paths }} @@ -666,7 +684,7 @@ proxy_set_header Proxy ""; {{- if (not (hasKey $path_data "proto")) }} {{- $_ := set $path_data "proto" $proto }} {{- end }} - + {{- $_ := set $paths $path $path_data }} {{- end }} {{- $_ := set $vhost_data "paths" $paths }} 
@@ -708,7 +726,7 @@ proxy_set_header Proxy ""; {{- end }} {{- $userIdentifiedCert := groupByKeys $vhost_containers "Env.CERT_NAME" | first }} - + {{- $vhostCert := "" }} {{- if exists (printf "/etc/nginx/certs/%s.crt" $hostname) }} {{- $vhostCert = $hostname }} @@ -721,10 +739,10 @@ proxy_set_header Proxy ""; {{- $parentVhostCert = $parentHostname }} {{- end }} {{- end }} - + {{- $trust_default_cert := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.trust-default-cert" | keys | first | default $globals.config.trust_default_cert | parseBool }} {{- $defaultCert := and $trust_default_cert $globals.config.default_cert_ok | ternary "default" "" }} - + {{- $cert := or $userIdentifiedCert $vhostCert $parentVhostCert $defaultCert }} {{- $cert_ok := and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert)) }} @@ -738,10 +756,10 @@ proxy_set_header Proxy ""; {{- $https_method = "noredirect" }} {{- end }} {{- $non_get_redirect := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.non-get-redirect" | keys | first | default $globals.config.non_get_redirect }} - + {{- $http2_enabled := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http2.enable" | keys | first | default $globals.config.enable_http2 | parseBool }} {{- $http3_enabled := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http3.enable" | keys | first | default $globals.config.enable_http3 | parseBool }} - + {{- $acme_http_challenge := groupByKeys $vhost_containers "Env.ACME_HTTP_CHALLENGE_LOCATION" | first | default $globals.config.acme_http_challenge }} {{- $acme_http_challenge_legacy := eq $acme_http_challenge "legacy" }} {{- $acme_http_challenge_enabled := false }} @@ -903,7 +921,7 @@ server { break; } {{- end }} - + {{- if $vhost.enable_debug_endpoint }} {{ template "debug_location" (dict "GlobalConfig" $globals.config "Hostname" $hostname "VHost" $vhost) }} {{- end }}