Thomas LEVEIL
1bfc1c85ce
fix regexp in VIRTUAL_HOST using end-of-string matching ()
2017-01-08 01:49:05 +01:00
Steve Kamerman
fc7653bf3d
Merge branch 'master' into feature_nohttps
2016-12-05 09:06:39 -05:00
Steve Kamerman
b0de80d46b
Moved config edits from Dockerfile to template
2016-10-03 10:21:31 -04:00
Steve Kamerman
374b1256cd
Add HTTPS_METHOD=https to disable SSL site
2016-10-01 11:22:48 -04:00
Steve Kamerman
d3a0da451a
TLSv1 End-of-life pushed to June 30, 2018, rolled back for compatibility
2016-09-29 21:35:37 -04:00
Steve Kamerman
c51c9980cf
Removed TLS 1.0 as it is considered unsafe and must be disabled for PCI compliance
2016-09-29 19:52:20 -04:00
Steve Kamerman
6f2b3f1c54
Issue #586 Removed DES-based SSL ciphers
2016-09-29 17:10:17 -04:00
Steve Kamerman
9ef0bb3356
Comment typo
2016-09-29 16:06:53 -04:00
Steve Kamerman
124b8cd757
Honor upstream forwarded port if available
2016-09-29 11:33:21 -04:00
Steve Kamerman
6ebbdb10c7
Merge branch 'master' into feature_x_forwarded_port
2016-09-29 11:26:51 -04:00
Chulki Lee
4661bf4dd9
add ssl_session_tickets to default site
...
Fixes #580
2016-09-23 21:58:09 -07:00
pvlg
fe9a538ec8
Replace "replace" to "trimSuffix"
...
I have a domain key-mydomain.com. When I add domain www.key-mydomain.com with ssl cert I did not get the desired result. Function replace cut name ssl cert "www.key-mydomain.com.key" to "www-mydomain.com".
2016-09-17 16:53:01 +03:00
mplx
37323320c8
do not enable HSTS for subdomains
2016-09-12 09:46:59 +02:00
Jason Wilder
ec7169c112
Merge pull request #323 from pabra/master
...
connect to uWSGI backends
2016-09-09 14:16:08 -06:00
Ruben
87879c1ee2
Update ciphers and HTST settings to get A+ rating
...
The default config gets you an 'A' rating. Cipher settings are copied from [Mozilla SSL Configartion Generator](https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.1&openssl=1.0.1t&hsts=yes&profile=intermediate )
2016-09-01 11:34:56 +02:00
Steve Kamerman
2e29168d92
Added X-Forwarded-Port
2016-07-21 11:23:35 -04:00
Steve Kamerman
fd127517b9
Added comments about httpoxy
2016-07-19 11:03:41 -04:00
Steve Kamerman
357d58ad97
Mitigate httpoxy attack (httpoxy.org, CVE-2016-(5385-5388,1000109-1000110)
2016-07-18 13:34:37 -04:00
Jason Wilder
580517725f
Revert 9c93efa
2016-06-13 00:10:49 -06:00
Jason Wilder
d1e6e1c0be
Merge pull request #344 from schmunk42/feature/error-code
...
changed error code for non-usable/default SSL cert, fixes #341
2016-06-12 15:54:40 -06:00
Jason Wilder
fc619d63ad
Merge pull request #460 from kumy/patch-1
...
Fix a typo in comment
2016-06-12 15:28:40 -06:00
Jason Wilder
c36b42933d
Merge pull request #462 from kamermans/master
...
Disable HSTS when HTTPS_METHOD=noredirect
2016-06-12 15:28:08 -06:00
Jason Wilder
9c93efaef9
Fix template error when /etc/nginx/certs does not exist
2016-06-12 14:10:40 -06:00
Steve Kamerman
da3e257843
Removed HSTS when HTTPS_METHOD=noredirect, added tests, improved docs wrt HSTS
2016-05-19 23:20:43 -04:00
kumy
8c76ea9f9b
Fix a typo in comment
2016-05-17 01:46:46 +02:00
Jason Wilder
5b9264d945
Merge pull request #298 from kamermans/master
...
Added env var to disable SSL redirect
2016-05-01 17:45:45 -06:00
Baptiste Donaux
ebab7cf2b9
[TEMPLATE] fix variable call
2016-02-23 13:59:30 +01:00
Baptiste Donaux
658e20f661
Support container in one network shared with current container
2016-02-05 09:16:43 +01:00
Tobias Munk
b4e5f780e3
changed error code for non-usable/default SSL cert, fixes #341
2016-01-21 12:31:03 +01:00
Baptiste Donaux
a66115f560
Use new Network interface to support new overlay network
2016-01-17 12:29:55 +01:00
pabra
51c219d651
connect to uWSGI backends
2015-12-22 21:20:44 +01:00
Steve Kamerman
97c6340a9f
Implemented HTTPS noredir
2015-11-20 17:37:06 -05:00
Steve Kamerman
9dd6ad8503
First try at HTTPS_METHOD
2015-11-20 16:53:50 -05:00
Marius Gundersen
1e0b930174
trim whitespace from host and port
...
based on latest docker-gen
2015-10-13 21:48:59 +02:00
Jonas Svatos
5c2280df84
fix condition for default config location
...
Signed-off-by: Jonas Svatos <jonas.svatos@etnetera.cz>
2015-10-08 12:03:28 +02:00
Mike Dillon
6b5e12a946
Add missing access_log statement to HTTPS fallback
2015-10-06 21:18:00 -07:00
Aleš Roubíček
e06d5917a2
Use HTTP/2 instead of SPDY
2015-09-23 17:48:40 +02:00
Aleš Roubíček
249fb204f1
Use HTTP/2 instead of SPDY
2015-09-23 17:47:18 +02:00
Jason Wilder
8c193ba7e1
Merge pull request #215 from gradecam/feature/customize_improvements
...
customizability improvements
2015-09-12 15:23:53 -06:00
Jason Wilder
bddb647b5f
Merge pull request #230 from appropriate/remove_duplicate_access_log_entries
...
Remove duplicate access log entries
2015-09-12 15:12:31 -06:00
Mike Dillon
900a676af8
Move access_log from the http level to server
...
This prevents duplicate access_log entries from being written for each request
2015-09-03 08:33:33 -07:00
CoreOS Admin
ae0da36d75
Fix bugs in config file from refactor
2015-08-29 18:38:43 -06:00
Ray Walker
d066bd32e0
Fix for #188 - add SSL server block outside hosts loop
2015-08-26 18:35:47 +10:00
Ray Walker
d3f56468b1
Fix for #188 - remove hostname from default SSL block
2015-08-26 12:49:59 +10:00
Mike Dillon
924fcd7984
Remove error_log setting from nginx.tmpl
...
It's already set correctly in nginx.conf
2015-08-23 09:00:23 -07:00
Richard Bateman
405f4876b9
As per pull request feedback, update names to be consistent
2015-08-14 12:26:19 -06:00
Richard Bateman
d9ee7ed704
Add support for adding options to the location block of a vhost
2015-08-14 12:26:19 -06:00
Richard Bateman
b131b00e19
Add support for vhosts.d/defaults file with default vhost options
...
- Only used if it exists and a vhost-specific one doesn't
2015-08-14 12:26:19 -06:00
Richard Bateman
2eff96969a
Add support for overriding default proxy settings
...
- If /etc/nginx/proxy.conf exists use that, otherwise use the default
2015-08-14 12:26:07 -06:00
Wolfgang Ebner
6965b1ead4
fallback when DEFAULT_HOST is not set
2015-07-26 11:38:45 +02:00
Wolfgang Ebner
b0647dd5e9
set default_server also for https
2015-07-24 10:39:56 +02:00
Viranch Mehta
4f5351265a
Use define & template for re-usable blocks of upstream server template
2015-07-15 20:51:10 +05:30
Viranch Mehta
784507df1a
Cascade two else blocks into one using coalesce on VIRTUAL_PORT and 80
...
This also takes care of the case when VIRTUAL_PORT is not actually
exposed.
2015-07-11 01:19:44 +05:30
Viranch Mehta
c4923d1f58
Use container host's IP:port if we're connected to a swarm master
2015-07-04 18:43:52 +05:30
Mike Dillon
f36ca3d7a3
Prevent generating broken config
...
Fixes #115
2015-06-23 17:05:12 -07:00
Kuo-Cheng Yeu
d74a4146c8
fix indention, and file nameing
2015-05-21 23:43:09 +08:00
Kuo-Cheng Yeu
a10d1b50bf
add support for ssl_dhparams to prevent 'Logjam' attack
2015-05-21 15:19:58 +08:00
Jason Wilder
503072c03f
Merge pull request #72 from BenHall/default_host
...
Ability to set a default host for nginx
2015-05-14 10:00:04 -06:00
Markus Kosmal
b680fb003e
Close marker instead of empty
2015-05-09 23:15:26 +02:00
Kuo-Cheng Yeu
4d2403b5d7
Add SPDY support
2015-04-29 14:41:25 +08:00
Jason Wilder
4a99ac5548
Remove includeSubdomains from HSTS header
...
includeSubdomains can lead to issues where not all subdomains are
able to use HTTPS. This options might be too strict for the general
case: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security .
It can be re-enabled w/ a custom template if needed.
Fixes #109
2015-02-28 15:50:59 -07:00
Mike Dillon
aa5dfdb3d5
Fix HTTP->HTTPS redirect for wildcard hosts
...
Uses Nginx's $host instead of interpolating `{{ $host }}` in the template
2015-02-25 10:29:59 -08:00
Jason Wilder
d831c058f3
Merge pull request #106 from md5/per-vhost-includes
...
Per VIRTUAL_HOST configuration files
2015-02-23 12:20:55 -07:00
Jason Wilder
c3534b7195
Merge pull request #91 from pirelenito/master
...
fixes SSL support while mixing HTTPS and non-HTTPS hosts
2015-02-22 15:00:48 -07:00
Mike Dillon
2010332395
Support per-VIRTUAL_HOST Nginx conf files
2015-02-22 09:25:50 -08:00
Mike Dillon
6c3b3c87be
Support VIRTUAL_PROTO=https for HTTPS backends
2015-02-14 16:02:39 -08:00
Paulo Ragonha
37e4a0d00e
fixes SSL support while mixing HTTPS and non-HTTPS services
...
nginx was throwing the following error: `no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking`
ref: https://github.com/jwilder/nginx-proxy/issues/74
2015-01-22 14:37:10 -02:00
Åsmund Grammeltvedt
36039f8e13
Gzip application/javascript
...
As per RFC4329, nginx uses application/javascript as the default MIME
type for .js files. Nginx-proxy will now gzip these files if the client
requests it.
2015-01-05 13:31:26 +01:00
Ben Hall
30a53fb60a
Ability to set a default host for nginx
2014-12-24 12:21:40 +00:00
Albert Murillo Aguirre
6d646d92f8
Basic Authentication Support
2014-12-19 16:26:42 -07:00
Mike Dillon
ac1f2d8875
Include Host or SERVER_NAME in logs
2014-12-06 17:46:25 -08:00
Mike Dillon
54b9043323
Remove redundant access_log and error_log
2014-12-06 17:45:59 -08:00
Jason Wilder
080a5157e6
Remove OCSP stapling
...
Looks like it was not actually working before and failing silently
because ssl_trusted_certificate was not specified. Will need to
revisit implementing this functionality so removing it for now
to prevent the warnings logged by nginx now.
2014-12-03 11:06:11 -07:00
Jason Wilder
0580726415
Ensure cert exists before referencing it
2014-12-02 23:29:00 -07:00
Jason Wilder
2e43a5459b
Add SSL support
...
This adds SSL support for containers. It supports single host
certificates, wildcards and SNI using naming conventions for
certificates or optionally specify a cert name (for SNI). The SSL
cipher configuration is based on mozilla intermediate profile which
should provide compatibility with clients back to Firefox 1, Chrome 1,
IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7. The
configuration also enables OCSP stapling, HSTS, and ssl session caches.
To enable SSL, nginx-proxy should be started w/ -p 443:443 and -v
/path/to/certs:/etc/nginx/certs. Certificates must be named:
<virtualhost>.crt and <virtualhost>.key where <virtualhost> matches
the a value of VIRTUAL_HOST on a container.
For wildcard certificates, the certificate and private key should be
named after the wildcard domain with .crt and .key suffixes. For example,
*.example.com should be name example.com.crt and example.com.key.
For SNI where a certificate may be used for multiple domain names, the
container can specify a CERT_NAME env var that corresponds to the base
file name of the certificate and key. For example, if you have a cert
allowing *.example.com and *.bar.com, it can be name shared.crt and
shared.key. A container can use that cert by having CERT_NAME=shared and
VIRTUAL_HOST=foo.example.com. The name "shared" is arbitrary and can
be whatever makes sense.
The behavior for the proxy when port 80 and 443 is defined is as
follows:
* If a container has a usable cert, port 80 will redirect to
443 for that container to always prefer HTTPS when available.
* If the container does not have a usable cert 503 will be returned.
In the last case, a self-signed or generic cert can be defined as
"default.crt" and "default.key" which will allow a client browser to
at least make a SSL connection.
2014-11-27 12:49:38 -07:00
Mike Dillon
0306692b31
Move gzip_types, access_log, and error_log to http
2014-11-25 16:56:16 -08:00
Mike Dillon
a84aee4a84
Drop unused index variables from range statement
2014-11-25 16:56:16 -08:00
Mike Dillon
3414a02edf
Make template more readable
...
* $value -> $container
2014-11-25 16:56:16 -08:00
Mike Dillon
e1bbe8cde0
Raise proxy_buffering statement to http level
2014-11-25 16:56:16 -08:00
Mike Dillon
5b9e8c4554
Move settings that don't differ per container to the top level
2014-11-25 16:56:16 -08:00
Mike Dillon
6c2221bdcc
Set "Connection: upgrade" when we receive an "Upgrade" header
...
Fixes #37
2014-10-25 17:13:17 -07:00
Mike Dillon
0028cdafe9
Add comment about X-Forwarded-Proto mapping
2014-10-25 17:13:04 -07:00
Mike Dillon
199f18da07
Pass through X-Forwarded-Proto
...
* Creates a $proxy_x_forwarded_proto variable that is set to the
X-Forwarded-Proto header passed by the client or else the $scheme
2014-10-22 15:18:46 -07:00
Jason Wilder
94f3d9849f
Inline /etc/nginx/proxy_params
...
/etc/nginx/proxy_params does not exist in the official nginx image.
2014-10-22 10:42:22 -06:00
Jason Wilder
b9d7bde5cd
Support multiple VIRTUAL_HOSTs per container.
...
Fixes #3
2014-06-08 10:14:51 -06:00
Jason Wilder
4f3d690cd3
Stream logs to stdout/err
...
Nginx and docker-gen logs can now be seen via docker logs.
2014-06-03 16:30:05 -06:00
Jason Wilder
95d4f67a59
Merge pull request #11 from thomasleveil/patch-1
...
add HTTP 1.1 support
2014-06-03 16:04:44 -06:00
Thomas LÉVEIL
2d8d15d606
define a default virtual host
...
which replies with HTTP code `503 Service Temporarily Unavailable`
2014-06-03 23:32:29 +02:00
Thomas LÉVEIL
175a1ab077
add HTTP 1.1 support
2014-06-03 23:29:30 +02:00
Jason Wilder
592ed499d7
Improve port configuration
...
Should address #6 .
The port selection now works as follows:
* If there is only 1 port exposed by the container, that port is used.
* If there is a VIRTUAL_PORT env variable defined, that port is used.
* Otherwise, default to port 80, if exposed.
2014-05-19 21:10:53 -06:00
Jason Wilder
11faa5f240
Disable proxy buffering
...
For #1
2014-05-07 13:46:28 -06:00
Jason Wilder
3d25e3da57
Initial commit
2014-05-05 11:02:01 -06:00