From 2e29168d923d424d656c17fa4568e169bdf65d76 Mon Sep 17 00:00:00 2001 From: Steve Kamerman Date: Thu, 21 Jul 2016 11:23:35 -0400 Subject: [PATCH 01/22] Added X-Forwarded-Port --- README.md | 1 + nginx.tmpl | 1 + 2 files changed, 2 insertions(+) diff --git a/README.md b/README.md index 53e8d5d..dddea56 100644 --- a/README.md +++ b/README.md @@ -205,6 +205,7 @@ proxy_set_header Connection $proxy_connection; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; +proxy_set_header X-Forwarded-Port $server_port; # Mitigate httpoxy attack (see README for details) proxy_set_header Proxy ""; diff --git a/nginx.tmpl b/nginx.tmpl index 0969564..b168bc5 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -51,6 +51,7 @@ proxy_set_header Connection $proxy_connection; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; +proxy_set_header X-Forwarded-Port $server_port; # Mitigate httpoxy attack (see README for details) proxy_set_header Proxy ""; From ba55d1a0b6236e97218a1ed79dfa19a2633e56cf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matthias=20Do=CC=88ring?= Date: Thu, 1 Sep 2016 17:29:25 +0200 Subject: [PATCH 02/22] Add alpine base image - Inspired by #408 - Possible solution for #543 --- Dockerfile.alpine | 31 +++++++++++++++++++++++++++++++ Makefile | 8 +++++++- 2 files changed, 38 insertions(+), 1 deletion(-) create mode 100644 Dockerfile.alpine diff --git a/Dockerfile.alpine b/Dockerfile.alpine new file mode 100644 index 0000000..5dfcdee --- /dev/null +++ b/Dockerfile.alpine @@ -0,0 +1,31 @@ +FROM nginx:1.11.3-alpine +MAINTAINER Jason Wilder mail@jasonwilder.com + +# Install wget and install/updates certificates +RUN apk add --no-cache --virtual .run-deps \ + ca-certificates bash wget \ + && update-ca-certificates + +# Configure Nginx and apply fix for very long server names +RUN echo "daemon off;" >> /etc/nginx/nginx.conf \ + && sed -i 's/^http {/&\n server_names_hash_bucket_size 128;/g' /etc/nginx/nginx.conf + +# Install Forego +ADD https://github.com/jwilder/forego/releases/download/v0.16.1/forego /usr/local/bin/forego +RUN chmod u+x /usr/local/bin/forego + +ENV DOCKER_GEN_VERSION 0.7.3 + +RUN wget --quiet https://github.com/jwilder/docker-gen/releases/download/$DOCKER_GEN_VERSION/docker-gen-alpine-linux-amd64-$DOCKER_GEN_VERSION.tar.gz \ + && tar -C /usr/local/bin -xvzf docker-gen-alpine-linux-amd64-$DOCKER_GEN_VERSION.tar.gz \ + && rm /docker-gen-alpine-linux-amd64-$DOCKER_GEN_VERSION.tar.gz + +COPY . /app/ +WORKDIR /app/ + +ENV DOCKER_HOST unix:///tmp/docker.sock + +VOLUME ["/etc/nginx/certs"] + +ENTRYPOINT ["/app/docker-entrypoint.sh"] +CMD ["forego", "start", "-r"] diff --git a/Makefile b/Makefile index 74ae6bf..1a50fbd 100644 --- a/Makefile +++ b/Makefile @@ -9,6 +9,12 @@ update-dependencies: docker pull appropriate/curl:latest docker pull docker:1.10 -test: +test-debian: docker build -t jwilder/nginx-proxy:bats . bats test + +test-alpine: + docker build -f Dockerfile.alpine -t jwilder/nginx-proxy:bats . + bats test + +test: test-debian test-alpine From 7d05f0d924ac8e59dadfaa0d4e99a08e7e2a4f20 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matthias=20D=C3=B6ring?= Date: Sat, 3 Sep 2016 12:05:27 +0200 Subject: [PATCH 03/22] Add nginx alpine to update-dependencies task --- Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/Makefile b/Makefile index 1a50fbd..0e802b3 100644 --- a/Makefile +++ b/Makefile @@ -4,6 +4,7 @@ update-dependencies: docker pull jwilder/docker-gen:0.7.3 docker pull nginx:1.11.3 + docker pull nginx:1.11.3-alpine docker pull python:3 docker pull rancher/socat-docker:latest docker pull appropriate/curl:latest From 124b8cd757c7d99c83048ea08b96722403c887b4 Mon Sep 17 00:00:00 2001 From: Steve Kamerman Date: Thu, 29 Sep 2016 11:33:21 -0400 Subject: [PATCH 04/22] Honor upstream forwarded port if available --- nginx.tmpl | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/nginx.tmpl b/nginx.tmpl index c0936d7..7262968 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -24,6 +24,13 @@ map $http_x_forwarded_proto $proxy_x_forwarded_proto { '' $scheme; } +# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the +# server port the client connect to +map $http_x_forwarded_port $proxy_x_forwarded_port { + default $http_x_forwarded_port; + '' $server_port; +} + # If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any # Connection header that may have been passed to this server map $http_upgrade $proxy_connection { @@ -51,7 +58,7 @@ proxy_set_header Connection $proxy_connection; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; -proxy_set_header X-Forwarded-Port $server_port; +proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port; # Mitigate httpoxy attack (see README for details) proxy_set_header Proxy ""; From 112aad39b6654cec497672fec0d7682ddf59e5db Mon Sep 17 00:00:00 2001 From: Steve Kamerman Date: Thu, 29 Sep 2016 15:36:01 -0400 Subject: [PATCH 05/22] Implemented more advanced webserver with routing and request header echoing, added header tests --- test/docker.bats | 6 +- test/headers.bats | 128 ++++++++++++++++++++++++++++++++++ test/multiple-hosts.bats | 6 +- test/multiple-ports.bats | 2 +- test/test_helpers.bash | 8 +-- test/web_helpers/webserver.py | 27 +++++++ 6 files changed, 165 insertions(+), 12 deletions(-) create mode 100644 test/headers.bats create mode 100755 test/web_helpers/webserver.py diff --git a/test/docker.bats b/test/docker.bats index fc10226..0569dcb 100644 --- a/test/docker.bats +++ b/test/docker.bats @@ -111,13 +111,13 @@ function assert_nginxproxy_behaves { assert_output -l 0 $'HTTP/1.1 503 Service Temporarily Unavailable\r' # Querying the proxy with Host header → 200 - run curl_container $container /data --header "Host: web1.bats" + run curl_container $container /port --header "Host: web1.bats" assert_output "answer from port 81" - run curl_container $container /data --header "Host: web2.bats" + run curl_container $container /port --header "Host: web2.bats" assert_output "answer from port 82" # Querying the proxy with unknown Host header → 503 - run curl_container $container /data --header "Host: webFOO.bats" --head + run curl_container $container /port --header "Host: webFOO.bats" --head assert_output -l 0 $'HTTP/1.1 503 Service Temporarily Unavailable\r' } diff --git a/test/headers.bats b/test/headers.bats new file mode 100644 index 0000000..6bcd4ed --- /dev/null +++ b/test/headers.bats @@ -0,0 +1,128 @@ +#!/usr/bin/env bats +load test_helpers +SUT_CONTAINER=bats-nginx-proxy-${TEST_FILE} + +function setup { + # make sure to stop any web container before each test so we don't + # have any unexpected container running with VIRTUAL_HOST or VIRUTAL_PORT set + stop_bats_containers web +} + + +@test "[$TEST_FILE] start a nginx-proxy container" { + # GIVEN + run nginxproxy $SUT_CONTAINER -v /var/run/docker.sock:/tmp/docker.sock:ro + assert_success + docker_wait_for_log $SUT_CONTAINER 9 "Watching docker events" +} + +@test "[$TEST_FILE] nginx-proxy passes arbitrary header" { + # WHEN + prepare_web_container bats-host-1 80 -e VIRTUAL_HOST=web.bats + dockergen_wait_for_event $SUT_CONTAINER start bats-host-1 + sleep 1 + + # THEN + run curl_container $SUT_CONTAINER /headers -H "Foo: Bar" -H "Host: web.bats" + assert_output -l 'Foo: Bar' +} + +##### Testing the handling of X-Forwarded-For ##### + +@test "[$TEST_FILE] nginx-proxy generates X-Forwarded-For" { + # WHEN + prepare_web_container bats-host-2 80 -e VIRTUAL_HOST=web.bats + dockergen_wait_for_event $SUT_CONTAINER start bats-host-2 + sleep 1 + + # THEN + run curl_container $SUT_CONTAINER /headers -H "Host: web.bats" + assert_output -p 'X-Forwarded-For:' +} + +@test "[$TEST_FILE] nginx-proxy passes X-Forwarded-For" { + # WHEN + prepare_web_container bats-host-3 80 -e VIRTUAL_HOST=web.bats + dockergen_wait_for_event $SUT_CONTAINER start bats-host-3 + sleep 1 + + # THEN + run curl_container $SUT_CONTAINER /headers -H "X-Forwarded-For: 1.2.3.4" -H "Host: web.bats" + assert_output -p 'X-Forwarded-For: 1.2.3.4, ' +} + +##### Testing the handling of X-Forwarded-Proto ##### + +@test "[$TEST_FILE] nginx-proxy generates X-Forwarded-Proto" { + # WHEN + prepare_web_container bats-host-4 80 -e VIRTUAL_HOST=web.bats + dockergen_wait_for_event $SUT_CONTAINER start bats-host-4 + sleep 1 + + # THEN + run curl_container $SUT_CONTAINER /headers -H "Host: web.bats" + assert_output -l 'X-Forwarded-Proto: http' +} + +@test "[$TEST_FILE] nginx-proxy passes X-Forwarded-Proto" { + # WHEN + prepare_web_container bats-host-5 80 -e VIRTUAL_HOST=web.bats + dockergen_wait_for_event $SUT_CONTAINER start bats-host-5 + sleep 1 + + # THEN + run curl_container $SUT_CONTAINER /headers -H "X-Forwarded-Proto: https" -H "Host: web.bats" + assert_output -l 'X-Forwarded-Proto: https' +} + +##### Testing the handling of X-Forwarded-Port ##### + +@test "[$TEST_FILE] nginx-proxy generates X-Forwarded-Port" { + # WHEN + prepare_web_container bats-host-6 80 -e VIRTUAL_HOST=web.bats + dockergen_wait_for_event $SUT_CONTAINER start bats-host-6 + sleep 1 + + # THEN + run curl_container $SUT_CONTAINER /headers -H "Host: web.bats" + assert_output -l 'X-Forwarded-Port: 80' +} + +@test "[$TEST_FILE] nginx-proxy passes X-Forwarded-Port" { + # WHEN + prepare_web_container bats-host-7 80 -e VIRTUAL_HOST=web.bats + dockergen_wait_for_event $SUT_CONTAINER start bats-host-7 + sleep 1 + + # THEN + run curl_container $SUT_CONTAINER /headers -H "X-Forwarded-Port: 1234" -H "Host: web.bats" + assert_output -l 'X-Forwarded-Port: 1234' +} + +##### Other headers + +@test "[$TEST_FILE] nginx-proxy generates X-Real-IP" { + # WHEN + prepare_web_container bats-host-8 80 -e VIRTUAL_HOST=web.bats + dockergen_wait_for_event $SUT_CONTAINER start bats-host-8 + sleep 1 + + # THEN + run curl_container $SUT_CONTAINER /headers -H "Host: web.bats" + assert_output -p 'X-Real-IP: ' +} + +@test "[$TEST_FILE] nginx-proxy passes Host" { + # WHEN + prepare_web_container bats-host-9 80 -e VIRTUAL_HOST=web.bats + dockergen_wait_for_event $SUT_CONTAINER start bats-host-9 + sleep 1 + + # THEN + run curl_container $SUT_CONTAINER /headers -H "Host: web.bats" + assert_output -l 'Host: web.bats' +} + +@test "[$TEST_FILE] stop all bats containers" { + stop_bats_containers +} diff --git a/test/multiple-hosts.bats b/test/multiple-hosts.bats index 10487ae..8e14c11 100644 --- a/test/multiple-hosts.bats +++ b/test/multiple-hosts.bats @@ -26,15 +26,15 @@ function setup { assert_output -l 0 $'HTTP/1.1 503 Service Temporarily Unavailable\r' # THEN querying the proxy with unknown Host header → 503 - run curl_container $SUT_CONTAINER /data --header "Host: webFOO.bats" --head + run curl_container $SUT_CONTAINER /port --header "Host: webFOO.bats" --head assert_output -l 0 $'HTTP/1.1 503 Service Temporarily Unavailable\r' # THEN - run curl_container $SUT_CONTAINER /data --header 'Host: multiple-hosts-1-A.bats' + run curl_container $SUT_CONTAINER /port --header 'Host: multiple-hosts-1-A.bats' assert_output "answer from port 80" # THEN - run curl_container $SUT_CONTAINER /data --header 'Host: multiple-hosts-1-B.bats' + run curl_container $SUT_CONTAINER /port --header 'Host: multiple-hosts-1-B.bats' assert_output "answer from port 80" } diff --git a/test/multiple-ports.bats b/test/multiple-ports.bats index a3c6fd0..f3e670b 100644 --- a/test/multiple-ports.bats +++ b/test/multiple-ports.bats @@ -58,7 +58,7 @@ function setup { # $1 port we are expecting an response from function assert_response_is_from_port { local -r port=$1 - run curl_container $SUT_CONTAINER /data --header "Host: web.bats" + run curl_container $SUT_CONTAINER /port --header "Host: web.bats" assert_output "answer from port $port" } diff --git a/test/test_helpers.bash b/test/test_helpers.bash index 9b35b3c..0fd9532 100644 --- a/test/test_helpers.bash +++ b/test/test_helpers.bash @@ -124,6 +124,7 @@ function prepare_web_container { --name $container_name \ $expose_option \ -w /var/www/ \ + -v $DIR/web_helpers:/var/www:ro \ $options \ -e PYTHON_PORTS="$ports" \ python:3 bash -c " @@ -131,10 +132,7 @@ function prepare_web_container { declare -a PIDS for port in \$PYTHON_PORTS; do echo starting a web server listening on port \$port; - mkdir /var/www/\$port - cd /var/www/\$port - echo \"answer from port \$port\" > data - python -m http.server \$port & + ./webserver.py \$port & PIDS+=(\$!) done wait \${PIDS[@]} @@ -146,7 +144,7 @@ function prepare_web_container { # THEN querying directly port works IFS=$' \t\n' # See https://github.com/sstephenson/bats/issues/89 for port in $ports; do - run retry 5 1s docker run --label bats-type="curl" appropriate/curl --silent --fail http://$(docker_ip $container_name):$port/data + run retry 5 1s docker run --label bats-type="curl" appropriate/curl --silent --fail http://$(docker_ip $container_name):$port/port assert_output "answer from port $port" done } diff --git a/test/web_helpers/webserver.py b/test/web_helpers/webserver.py new file mode 100755 index 0000000..d94ed89 --- /dev/null +++ b/test/web_helpers/webserver.py @@ -0,0 +1,27 @@ +#!/usr/bin/env python3 + +import os, sys +import http.server +import socketserver + +class BatsHandler(http.server.SimpleHTTPRequestHandler): + def do_GET(self): + root = os.getcwd() + + self.send_response(200) + self.send_header("Content-Type", "text/plain") + self.end_headers() + + if self.path == "/headers": + self.wfile.write(self.headers.as_string().encode()) + elif self.path == "/port": + response = "answer from port %s\n" % PORT + self.wfile.write(response.encode()) + else: + self.wfile.write("No route for this path!\n".encode()) + +if __name__ == '__main__': + PORT = int(sys.argv[1]) + socketserver.TCPServer.allow_reuse_address = True + httpd = socketserver.TCPServer(('0.0.0.0', PORT), BatsHandler) + httpd.serve_forever() From 7422539f2063cfa3c0c7cf3c46b00d8f6bcbe316 Mon Sep 17 00:00:00 2001 From: Steve Kamerman Date: Thu, 29 Sep 2016 15:42:49 -0400 Subject: [PATCH 06/22] Updated README to reflect X-Forwarded-Port --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c9cd2a5..acda916 100644 --- a/README.md +++ b/README.md @@ -219,7 +219,7 @@ proxy_set_header Connection $proxy_connection; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; -proxy_set_header X-Forwarded-Port $server_port; +proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port; # Mitigate httpoxy attack (see README for details) proxy_set_header Proxy ""; From b9bf183df2866c69dafbb04399e8c089baf3697e Mon Sep 17 00:00:00 2001 From: Steve Kamerman Date: Thu, 29 Sep 2016 15:43:07 -0400 Subject: [PATCH 07/22] Added httpoxy test --- test/headers.bats | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/test/headers.bats b/test/headers.bats index 6bcd4ed..bc401fd 100644 --- a/test/headers.bats +++ b/test/headers.bats @@ -123,6 +123,17 @@ function setup { assert_output -l 'Host: web.bats' } +@test "[$TEST_FILE] nginx-proxy supresses Proxy for httpoxy protection" { + # WHEN + prepare_web_container bats-host-10 80 -e VIRTUAL_HOST=web.bats + dockergen_wait_for_event $SUT_CONTAINER start bats-host-10 + sleep 1 + + # THEN + run curl_container $SUT_CONTAINER /headers -H "Proxy: tcp://foo.com" -H "Host: web.bats" + refute_output -l 'Proxy: tcp://foo.com' +} + @test "[$TEST_FILE] stop all bats containers" { stop_bats_containers } From 9ef0bb3356417f5632842a9951a690fea1b2c498 Mon Sep 17 00:00:00 2001 From: Steve Kamerman Date: Thu, 29 Sep 2016 16:06:53 -0400 Subject: [PATCH 08/22] Comment typo --- nginx.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx.tmpl b/nginx.tmpl index 7262968..20688da 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -25,7 +25,7 @@ map $http_x_forwarded_proto $proxy_x_forwarded_proto { } # If we receive X-Forwarded-Port, pass it through; otherwise, pass along the -# server port the client connect to +# server port the client connected to map $http_x_forwarded_port $proxy_x_forwarded_port { default $http_x_forwarded_port; '' $server_port; From 1a608eaefbb3ad443a2f324b98271ce48ea84df9 Mon Sep 17 00:00:00 2001 From: Michael Date: Sat, 22 Oct 2016 14:31:57 +0200 Subject: [PATCH 09/22] add link to letsencrypt-nginx-proxy-companion --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 52ab6e4..355003e 100644 --- a/README.md +++ b/README.md @@ -125,6 +125,9 @@ $ docker run --volumes-from nginx \ Finally, start your containers with `VIRTUAL_HOST` environment variables. $ docker run -e VIRTUAL_HOST=foo.bar.com ... +### SSL Support using letsencrypt + +[letsencrypt-nginx-proxy-companion](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion)is a lightweight companion container for the nginx-proxy. It allow the creation/renewal of Let's Encrypt certificates automatically. ### SSL Support From fddae94ed89cce27d699896935fb9f044b654b4c Mon Sep 17 00:00:00 2001 From: Max Wilkinson Date: Fri, 28 Oct 2016 14:46:37 -0400 Subject: [PATCH 10/22] Clarified a couple parts in the README --- README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 52ab6e4..81ee351 100644 --- a/README.md +++ b/README.md @@ -76,7 +76,7 @@ In this example, the `my-nginx-proxy` container will be connected to `my-network ### SSL Backends -If you would like to connect to your backend using HTTPS instead of HTTP, set `VIRTUAL_PROTO=https` on the backend container. +If you would like the reverse proxy to connect to your backend using HTTPS instead of HTTP, set `VIRTUAL_PROTO=https` on the backend container. ### uWSGI Backends @@ -140,6 +140,10 @@ hosts in use. The certificate and keys should be named after the virtual host w `.key` extension. For example, a container with `VIRTUAL_HOST=foo.bar.com` should have a `foo.bar.com.crt` and `foo.bar.com.key` file in the certs directory. +If you are running the container in a virtualized environment (Hyper-V, VirtualBox, etc...), +/path/to/certs must exist in that environment or be made accessible to that environment. +By default, Docker is not able to mount directories on the host machine to containers running in a virtual machine. + #### Diffie-Hellman Groups If you have Diffie-Hellman groups enabled, the files should be named after the virtual host with a From dc910107cfc4cb5332ddaabd9d295e4c36e88c85 Mon Sep 17 00:00:00 2001 From: Steve Kamerman Date: Mon, 5 Dec 2016 09:21:39 -0500 Subject: [PATCH 11/22] Upgrade docker-engine and allow downgrades --- .travis.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index e850f08..ea2de37 100644 --- a/.travis.yml +++ b/.travis.yml @@ -4,13 +4,13 @@ services: env: global: - - DOCKER_VERSION=1.12.1-0~trusty + - DOCKER_VERSION=1.12.3-0~trusty before_install: # list docker-engine versions - apt-cache madison docker-engine # upgrade docker-engine to specific version - - sudo apt-get -o Dpkg::Options::="--force-confnew" install -y docker-engine=${DOCKER_VERSION} + - sudo apt-get -o Dpkg::Options::="--force-confnew" install -y --allow-downgrades docker-engine=${DOCKER_VERSION} - docker version - docker info - sudo add-apt-repository ppa:duggan/bats --yes From 271729aaaa201209f8a10395fcb7a7b9715d3f34 Mon Sep 17 00:00:00 2001 From: Steve Kamerman Date: Mon, 5 Dec 2016 09:29:08 -0500 Subject: [PATCH 12/22] Put --allow-downgrades in the right place --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index ea2de37..18ac9d9 100644 --- a/.travis.yml +++ b/.travis.yml @@ -10,7 +10,7 @@ before_install: # list docker-engine versions - apt-cache madison docker-engine # upgrade docker-engine to specific version - - sudo apt-get -o Dpkg::Options::="--force-confnew" install -y --allow-downgrades docker-engine=${DOCKER_VERSION} + - sudo apt-get -o Dpkg::Options::="--force-confnew" --allow-downgrades install -y docker-engine=${DOCKER_VERSION} - docker version - docker info - sudo add-apt-repository ppa:duggan/bats --yes From 59b88068596a40f5eb42a339c9a53064dbb6733d Mon Sep 17 00:00:00 2001 From: Steve Kamerman Date: Mon, 5 Dec 2016 09:33:44 -0500 Subject: [PATCH 13/22] Travis-CI's apt-get doesn't have --allow-downgrades yet, which is annoying because --force-yes is deprecated --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 18ac9d9..5386261 100644 --- a/.travis.yml +++ b/.travis.yml @@ -10,7 +10,7 @@ before_install: # list docker-engine versions - apt-cache madison docker-engine # upgrade docker-engine to specific version - - sudo apt-get -o Dpkg::Options::="--force-confnew" --allow-downgrades install -y docker-engine=${DOCKER_VERSION} + - sudo apt-get -o Dpkg::Options::="--force-confnew" install -y --force-yes docker-engine=${DOCKER_VERSION} - docker version - docker info - sudo add-apt-repository ppa:duggan/bats --yes From b66398d1bfd0b88caa00d7439cc2adee723642ff Mon Sep 17 00:00:00 2001 From: Cody Ramaker Date: Thu, 8 Dec 2016 13:24:49 -0600 Subject: [PATCH 14/22] Updated nginx to 1.11.6 --- Dockerfile | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 6d5ce9b..afa564c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM nginx:1.11.3 +FROM nginx:1.11.6 MAINTAINER Jason Wilder mail@jasonwilder.com # Install wget and install/updates certificates diff --git a/README.md b/README.md index dc09923..1ff2ef2 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -![nginx 1.11.3](https://img.shields.io/badge/nginx-1.11.3-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') +![nginx 1.11.6](https://img.shields.io/badge/nginx-1.11.6-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped. From 004cc3cb8c421cbb2715ae1565725e4617131392 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matthias=20D=C3=B6ring?= Date: Wed, 28 Dec 2016 23:38:47 +0100 Subject: [PATCH 15/22] Upgrade to nginx 1.11.8 --- Dockerfile | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index afa564c..bf604e6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM nginx:1.11.6 +FROM nginx:1.11.8 MAINTAINER Jason Wilder mail@jasonwilder.com # Install wget and install/updates certificates diff --git a/README.md b/README.md index 1ff2ef2..12c36f6 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -![nginx 1.11.6](https://img.shields.io/badge/nginx-1.11.6-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') +![nginx 1.11.8](https://img.shields.io/badge/nginx-1.11.8-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped. From c1d93d112a7720fd3c13e3087e199ad056aa2ef4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matthias=20D=C3=B6ring?= Date: Thu, 29 Dec 2016 00:18:06 +0100 Subject: [PATCH 16/22] Upgrade nginx-alpine to 1.11.8 --- Dockerfile.alpine | 2 +- Makefile | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile.alpine b/Dockerfile.alpine index 5dfcdee..4ce9561 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine @@ -1,4 +1,4 @@ -FROM nginx:1.11.3-alpine +FROM nginx:1.11.8-alpine MAINTAINER Jason Wilder mail@jasonwilder.com # Install wget and install/updates certificates diff --git a/Makefile b/Makefile index 0e802b3..acb3386 100644 --- a/Makefile +++ b/Makefile @@ -3,8 +3,8 @@ update-dependencies: docker pull jwilder/docker-gen:0.7.3 - docker pull nginx:1.11.3 - docker pull nginx:1.11.3-alpine + docker pull nginx:1.11.6 + docker pull nginx:1.11.8-alpine docker pull python:3 docker pull rancher/socat-docker:latest docker pull appropriate/curl:latest From 8d017504c012db70d6179b97ec3473d7a6f30e38 Mon Sep 17 00:00:00 2001 From: Thomas LEVEIL Date: Sat, 7 Jan 2017 20:57:19 +0100 Subject: [PATCH 17/22] TRAVIS: run debian and alpine tests in parallel --- .travis.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 5386261..6bc9cd6 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,3 +1,4 @@ +dist: trusty sudo: required services: - docker @@ -18,5 +19,10 @@ before_install: - sudo apt-get install -qq bats - make update-dependencies +matrix: + include: + - env: TEST_ID=test-debian + - env: TEST_ID=test-alpine + script: - - make test + - make $TEST_ID From a3c6a272f1df482f530ec3d778c8315903e77897 Mon Sep 17 00:00:00 2001 From: Thomas LEVEIL Date: Sat, 7 Jan 2017 23:33:54 +0100 Subject: [PATCH 18/22] TEST: wildcards-hosts.bats - showcase http://foo.bar.why.not.bats-to-infinity-and-beyond/ --- test/wildcard-hosts.bats | 1 + 1 file changed, 1 insertion(+) diff --git a/test/wildcard-hosts.bats b/test/wildcard-hosts.bats index 8491e4b..ce9e3aa 100644 --- a/test/wildcard-hosts.bats +++ b/test/wildcard-hosts.bats @@ -50,6 +50,7 @@ function setup { # THEN assert_200 foo.bar.whatever.bats assert_200 foo.bar.why.not.bats + assert_200 foo.bar.why.not.bats-to-infinity-and-beyond assert_503 unexpected.host.bats } From d8658bd8d9825e7f9dc0c183b76e8b85610b07c8 Mon Sep 17 00:00:00 2001 From: Thomas LEVEIL Date: Sat, 7 Jan 2017 23:50:54 +0100 Subject: [PATCH 19/22] TEST: wildcards-hosts.bats - add a test which uses regexp end-of-string --- test/wildcard-hosts.bats | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/test/wildcard-hosts.bats b/test/wildcard-hosts.bats index ce9e3aa..826009e 100644 --- a/test/wildcard-hosts.bats +++ b/test/wildcard-hosts.bats @@ -43,8 +43,8 @@ function setup { @test "[$TEST_FILE] VIRTUAL_HOST=~^foo\.bar\..*\.bats" { # WHEN - prepare_web_container bats-wildcard-hosts-2 80 -e VIRTUAL_HOST=~^foo\.bar\..*\.bats - dockergen_wait_for_event $SUT_CONTAINER start bats-wildcard-hosts-2 + prepare_web_container bats-wildcard-hosts-3 80 -e VIRTUAL_HOST=~^foo\.bar\..*\.bats + dockergen_wait_for_event $SUT_CONTAINER start bats-wildcard-hosts-3 sleep 1 # THEN @@ -55,6 +55,20 @@ function setup { } +@test "[$TEST_FILE] VIRTUAL_HOST=~^foo\.bar\..*\.bats$" { + # WHEN + prepare_web_container bats-wildcard-hosts-4 80 -e VIRTUAL_HOST=~^foo\.bar\..*\.bats$ + dockergen_wait_for_event $SUT_CONTAINER start bats-wildcard-hosts-4 + sleep 1 + + # THEN + assert_200 foo.bar.whatever.bats + assert_200 foo.bar.why.not.bats + assert_503 foo.bar.why.not.bats-to-infinity-and-beyond + assert_503 unexpected.host.bats + +} + @test "[$TEST_FILE] stop all bats containers" { stop_bats_containers } From 1bfc1c85ce26ef652616236561d6cbf61778e445 Mon Sep 17 00:00:00 2001 From: Thomas LEVEIL Date: Sun, 8 Jan 2017 01:49:05 +0100 Subject: [PATCH 20/22] fix regexp in VIRTUAL_HOST using end-of-string matching () --- nginx.tmpl | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/nginx.tmpl b/nginx.tmpl index 20688da..cab57e5 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -85,8 +85,8 @@ server { {{ end }} {{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }} - -upstream {{ $host }} { +{{ $upstream_name := sha1 $host }} +upstream {{ $upstream_name }} { {{ range $container := $containers }} {{ $addrLen := len $container.Addresses }} @@ -179,9 +179,9 @@ server { location / { {{ if eq $proto "uwsgi" }} include uwsgi_params; - uwsgi_pass {{ trim $proto }}://{{ trim $host }}; + uwsgi_pass {{ trim $proto }}://{{ trim $upstream_name }}; {{ else }} - proxy_pass {{ trim $proto }}://{{ trim $host }}; + proxy_pass {{ trim $proto }}://{{ trim $upstream_name }}; {{ end }} {{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }} auth_basic "Restricted {{ $host }}"; @@ -213,9 +213,9 @@ server { location / { {{ if eq $proto "uwsgi" }} include uwsgi_params; - uwsgi_pass {{ trim $proto }}://{{ trim $host }}; + uwsgi_pass {{ trim $proto }}://{{ trim $upstream_name }}; {{ else }} - proxy_pass {{ trim $proto }}://{{ trim $host }}; + proxy_pass {{ trim $proto }}://{{ trim $upstream_name }}; {{ end }} {{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }} auth_basic "Restricted {{ $host }}"; From 019fa89c536b16135b6cdc01298022e31dbbafae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20L=C3=89VEIL?= Date: Tue, 10 Jan 2017 10:10:46 +0100 Subject: [PATCH 21/22] add comment to ease debugging --- nginx.tmpl | 1 + 1 file changed, 1 insertion(+) diff --git a/nginx.tmpl b/nginx.tmpl index cab57e5..4a5e76b 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -86,6 +86,7 @@ server { {{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }} {{ $upstream_name := sha1 $host }} +# {{ $host }} upstream {{ $upstream_name }} { {{ range $container := $containers }} {{ $addrLen := len $container.Addresses }} From 16c9853dc22ce2d3ebe3a6d0afdb631620cac79e Mon Sep 17 00:00:00 2001 From: Konstantin L Date: Thu, 11 Feb 2016 23:54:32 +0300 Subject: [PATCH 22/22] Set appropriate X-Forwarded-Ssl header. --- README.md | 1 + nginx.tmpl | 7 +++++++ 2 files changed, 8 insertions(+) diff --git a/README.md b/README.md index 282010d..18e6fa3 100644 --- a/README.md +++ b/README.md @@ -226,6 +226,7 @@ proxy_set_header Connection $proxy_connection; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; +proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl; proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port; # Mitigate httpoxy attack (see README for details) diff --git a/nginx.tmpl b/nginx.tmpl index 20688da..3c6d4fc 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -38,6 +38,12 @@ map $http_upgrade $proxy_connection { '' close; } +# Set appropriate X-Forwarded-Ssl header +map $scheme $proxy_x_forwarded_ssl { + default off; + https on; +} + gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; log_format vhost '$host $remote_addr - $remote_user [$time_local] ' @@ -58,6 +64,7 @@ proxy_set_header Connection $proxy_connection; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; +proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl; proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port; # Mitigate httpoxy attack (see README for details)