
docker-reverse-nginx's Introduction

CURRENTLY A BETA VERSION !!!!!

Build Status

This image is built and pushed with drone.io, a self-hosted CI similar to CircleCI. If you don't trust it, you can build it yourself.

Tag available

I've created new version rules. Before, I used the nginx version, but now I will use [MAJOR-VERSION].[MINOR-VERSION].[BUG-FIXES]. I will use both notations.

Features

  • No root process
  • Automatic configuration generation
  • Automatic certificate generation and renewal with Let's Encrypt, without downtime (uses lego)
  • Latest nginx version
  • ARGs for custom builds
  • Latest OpenSSL version
  • OCSP support
  • HSTS support
  • CT support

Description

What is Nginx?

nginx (engine x) is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP proxy server, originally written by Igor Sysoev. For a long time, it has been running on many heavily loaded Russian sites including Yandex, Mail.Ru, VK, and Rambler. According to Netcraft, nginx served or proxied 24.29% of the busiest sites in December 2015. Here are some of the success stories: Netflix, Wordpress.com, FastMail.FM.

Reverse-nginx generates the reverse proxy configuration for you. Like traefik, it is based on container labels, but it is not dynamic.

Build Image

Build arguments

  • NGINX_CONF : nginx configure options
  • NGINX_VER : nginx version
  • NGINX_GPG : GPG fingerprint (default : "B0F4253373F8F6F510D42178520A9993A1C052F8")
  • BUILD_CORES : number of cores used to build nginx (default : all cores)
  • OPENSSL_VER : OpenSSL version
  • LEGO_VER : lego version

Simple build

docker build -t xataz/reverse-nginx github.com/xataz/dockerfiles.git#master:reverse-nginx

Build another version

docker build -t xataz/reverse-nginx --build-arg NGINX_VER=1.9.5 github.com/xataz/dockerfiles.git#master:reverse-nginx

Configuration

Environments

  • UID : uid to run nginx as (default : 991)
  • GID : gid to run nginx as (default : 991) (use the local docker group id)
  • EMAIL : mail address for Let's Encrypt
  • SWARM : enable when using this reverse proxy with docker swarm mode (default : disable)
  • TLS_VERSIONS : TLS versions to enable, separated by spaces (default : "TLSv1.1 TLSv1.2")
  • CIPHER_SUITE : cipher suite (default : "EECDH+CHACHA20:EECDH+AESGCM")
  • ECDH_CURVE : ECDH curves (default : "X25519:P-521:P-384")

Volumes

  • /nginx/ssl : certificate persistence
  • /nginx/sites-enabled : warning, its contents can be deleted when the container restarts
  • /nginx/path.d : warning, its contents can be deleted when the container restarts
  • /nginx/custom_sites : for creating your own sites

Ports

  • 8080
  • 8443

Usage

Labels

Label name                            | Description                              | Default value  | Valid values
reverse.frontend.domain               | Domain name for this service             | mydomain.local | valid domain name (for multiple domains, separate by comma)
reverse.frontend.path                 | Domain path (warning, no URL rewrite)    | /              | valid path, starting with /
reverse.frontend.auth                 | HTTP basic auth                          | none           | user:encryptedpassword (for multiple users, separate by comma)
reverse.frontend.ssltype              | SSL key type                             | ec384          | rsa2048, rsa4096, rsa8192, ec256 or ec384
reverse.frontend.domain_max_body_size | Maximum upload size                      | 200M           | numeric value with unit (K, M, G, T)
reverse.frontend.hsts                 | Enable HSTS                              | enable         | enable or disable
reverse.frontend.ocsp                 | Enable OCSP                              | enable         | enable or disable
reverse.frontend.ct                   | Generate CT for the certificate          | disable        | enable or disable
reverse.frontend.ssl                  | Generate a Let's Encrypt certificate     | disable        | enable or disable
reverse.backend.port                  | Port used by the container               | 8080           | valid port number

More labels soon !!!
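As an added example (not the project's own generator), the Python function below renders one container's reverse.* labels into an nginx server block the way the table above describes them, and refuses to emit a vhost when a required label is missing or malformed instead of writing a blank server_name. The HSTS header value, the htpasswd directory and the `listen 8080` line are assumptions of this example.

```python
import re

# Label defaults taken from the README table (the labels this example understands)
DEFAULTS = {
    "reverse.frontend.path": "/",
    "reverse.frontend.hsts": "enable",
    "reverse.frontend.ssl": "disable",
    "reverse.frontend.domain_max_body_size": "200M",
    "reverse.backend.port": "8080",
}
# Assumptions of this example, not the project's own choices
HSTS_HEADER = 'add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;'
AUTH_DIR = "/nginx/auth"  # hypothetical directory for per-site htpasswd files


def render_vhost(container_name, labels):
    """Return (nginx server block, htpasswd lines) for one container's labels.
    Raises ValueError instead of rendering when a required label is missing or malformed."""
    cfg = {**DEFAULTS, **labels}
    domains = [d.strip() for d in cfg.get("reverse.frontend.domain", "").split(",") if d.strip()]
    if not domains:
        raise ValueError(f"{container_name}: label reverse.frontend.domain is required")
    if not all(re.fullmatch(r"[A-Za-z0-9.-]+", d) for d in domains):
        raise ValueError(f"{container_name}: invalid domain in {domains!r}")
    path = cfg["reverse.frontend.path"]
    if not path.startswith("/"):  # the README requires the path to start with '/'
        path = "/" + path
    port = int(cfg["reverse.backend.port"])
    if not 1 <= port <= 65535:
        raise ValueError(f"{container_name}: invalid backend port {port}")
    size = cfg["reverse.frontend.domain_max_body_size"]
    if not re.fullmatch(r"\d+[KMGT]?", size):
        raise ValueError(f"{container_name}: invalid max body size {size!r}")
    # user:encryptedpassword pairs, comma separated, become the htpasswd file
    htpasswd = [u.strip() for u in cfg.get("reverse.frontend.auth", "").split(",") if u.strip()]
    if any(e.count(":") != 1 or not all(e.split(":")) for e in htpasswd):
        raise ValueError(f"{container_name}: auth entries must be user:encryptedpassword")
    lines = ["server {", "    listen 8080;", f"    server_name {' '.join(domains)};",
             f"    client_max_body_size {size};"]
    # HSTS is only meaningful on a TLS vhost; browsers ignore the header over plain HTTP
    if cfg["reverse.frontend.hsts"] == "enable" and cfg["reverse.frontend.ssl"] == "enable":
        lines.append("    " + HSTS_HEADER)
    lines.append(f"    location {path} {{")
    if htpasswd:
        lines += ['        auth_basic "Restricted";',
                  f"        auth_basic_user_file {AUTH_DIR}/{container_name}.htpasswd;"]
    lines += [f"        proxy_pass http://{container_name}:{port};", "    }", "}"]
    return "\n".join(lines), htpasswd
```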

Generate a certificate manually

$ docker exec -ti container_name gen_manuel_ssl sub.domain.tld rsa4096

Launch

First, launch another container

For example, I launch the lutim container:

$ docker run -d \
    --name lutim \
    --label reverse.frontend.domain=sub.domain.com \
    --label reverse.frontend.path=lutim \
    --label reverse.frontend.auth=USER:$(openssl passwd -crypt PASSWORD) \
    --label reverse.frontend.ssltype=ec256 \
    --label reverse.frontend.ssl=enable \
    --label reverse.backend.port=8181 \
    -v /docker/config/lutim/data:/data \
    -v /docker/data/lutim:/lutim/files \
    -e UID=1001 \
    -e GID=1001 \
    -e WEBROOT=/lutim \
    -e SECRET=$(date +%s | md5sum | head -c 32) \
    -e [email protected] \
    -e MAX_FILE_SIZE=250000000 \
    xataz/lutim

Launch reverse-nginx

docker run -d \
    -p 80:8080 \
    -p 443:8443 \
    --name reverse \
    -e [email protected] \
    -v /var/run/docker.sock:/var/run/docker.sock \
    xataz/reverse-nginx

URI Access : https://sub.domain.com/lutim


docker-reverse-nginx's Issues

Automatic update of the reverse configs

Plop

The title isn't very clear, so I'll try to be clearer here :p

Before switching to your reverse-proxy image, which is very nice, I'm doing a few tests

  • So I made a basic stack, ruTorrent + your reverse proxy, everything works fine, no problem
  • I wanted to add a new container and proxy it through your container, and it seemed to me that it didn't automatically generate the config for my new container, is that the case?

++ A bug I just noticed

I changed reverse.backend.port and I just noticed that the port didn't change in the conf file, that's problematic :p

See you, drop by the Slack if you want to talk about it o/

Possible to front end rtorrent-rutorrent with this container?

Hi there,

I've been trying to get a nginx reverse proxy working with docker containers that have rutorrent/nginx built in.

I've been messing around with your docker-rtorrent-rutorrent container (https://github.com/xataz/docker-rtorrent-rutorrent) with the container working locally on http://debian.local:9080/rutorrent

Now I'd like to be able to remove the port so the request URL just looks like http://debian.local/rutorrent so I can run multiple instances with different locations ie /rutorrent1, /rutorrent2, /rutorrent3, etc...

I've been messing around with this container for a bit and can't seem to get it to work natively.

Here's what I'm running

docker run -dt \
    -p 6881:6881 \
    -p 6881:6881/udp \
    --net="rtorrent" \
    --name=rutorrent \
    --hostname=rutorrent \
    --net-alias=rutorrent \
    --label reverse.frontend.domain=debian.local \
    --label reverse.frontend.path="/rutorrent" \
    --label reverse.backend.port=9080 \
    -e WEBROOT=/rutorrent \
    -e DHT_RTORRENT=on \
    -e PORT_RTORRENT=6881 \
    -e UID=1001 \
    -e GID=1001 \
    -v rutorrent-data-volume:/data \
    -v /docker/config:/config \
    xataz/rtorrent-rutorrent

docker run -d \
    -p 80:8080 \
    -p 443:8443 \
    --name reverse \
    --net="rtorrent" \
    --hostname=reverse \
    --net-alias=reverse \
    -v /var/run/docker.sock:/var/run/docker.sock \
    xataz/reverse-nginx

Note: If in my rutorrent container I specify "rutorrent" as the label.reverse.frontend.path value, I get a 404 not found when navigating to http://debian.local/rutorrent
If I specify "/rutorrent" I get a 502 Bad Gateway page

Also the net/hostname/net-alias stuff is to get the containers talking to each other on the "rtorrent" network I set up. Otherwise the docker-reverse-nginx container doesn't find rutorrent container.

Any ideas to get this working?

Thanks much!

Unknown host exposes other hosted sites

Scenario:

  • site1.com with https enabled
  • Visit the ip of the server directly OR
  • Create an A record for site2.com to the same ip address and then visit site2.com

Result:

This may be undesirable to some users as it exposes that you run site1.com at this address. Especially nasty because it creates a permanent redirect from site2.com to site1.com.

Easy fix:

Add a default.conf to sites-enabled for requests that have no matching host (yet), e.g.:

server {
    listen 8080 default_server;
    server_name _;
    return 405;
}

If a user explicitly does NOT want this behaviour he can overwrite the default.conf manually.

Create an access log label

Create an access log on/off label so as not to log sites that don't need to be logged (well, it seems like a good idea to me ^^ )

Dryusdan

Label to specify a custom certificate

Hi @xataz

Is it possible to add a label to specify a custom certificate without going through /nginx/custom_sites? For mondedie.fr for example, we use Let's Encrypt for all public subdomains and a self-signed certificate for the private subdomains (with a client certificate for authentication).

I'm picturing something like:

reverse.frontend.ssl_certificate=/nginx/ssl/certificates/sub.domain.tld.crt
reverse.frontend.ssl_certificate_key=/nginx/ssl/certificates/sub.domain.tld.key
reverse.frontend.ssl_client_certificate=/nginx/ssl/certificates/ca.crt
reverse.frontend.auth=client_certificate

And adding in the vhost:

ssl_certificate /nginx/ssl/certificates/sub.domain.tld.crt;
ssl_certificate_key /nginx/ssl/certificates/sub.domain.tld.key;
ssl_client_certificate /nginx/ssl/certificates/ca.crt;
ssl_verify_client on;

What do you think?

Certificate renewal impossible

Hi,
When the container starts, it launches the regeneration of the certificates, but I get this error on some of them

error presenting token: could not start HTTPS server for challenge -> listen tcp :443: bind: permission denied

I couldn't find where it comes from.

Error when creating a new container with a certificate

Hi :)

When trying to generate a new certificate, there is a problem generating the certificate because port 8443 is already being listened on.
I'll leave you the logs

2017/12/16 22:13:29 [INFO][monitoring.dryusdan.fr] acme: Trying to solve TLS-SNI-01
2017/12/16 22:13:29 [monitoring.dryusdan.fr] Could not obtain certificates
	[monitoring.dryusdan.fr] error presenting token: Could not start HTTPS server for challenge -> listen tcp :8443: bind: address already in use
=ERR= 2017/12/16-22:13:29 New Certificate for monitoring.dryusdan.fr not generated
=INF= 2017/12/16-22:13:29 New Certificate for monitoring.dryusdan.fr generated
=INF= 2017/12/16-22:13:29 Container monitoring created

Have a good evening

The gen_manuel_ssl script creates a bad template

The template generated by gucci isn't right, the .domain_name variable is replaced by

server {
    listen 8080;
    server_name <no value>;

    location ~ /\.well-known/acme-challenge {
        root /nginx/www/<no value>;
        allow all;
    }
}
