Commit graph

61 commits

Author SHA1 Message Date
Jason Wilder
db924dba76 Use nginx:1.7.7 2014-12-03 11:12:01 -07:00
Jason Wilder
080a5157e6 Remove OCSP stapling
Looks like it was not actually working before and failing silently
because ssl_trusted_certificate was not specified.  Will need to
revisit implementing this functionality so removing it for now
to prevent the warnings logged by nginx now.
2014-12-03 11:06:11 -07:00
Sebastiaan van Stijn
3c5843264e Switch to official nginx base-image.
This changes the base-image to the official nginx image,
reducing the virtual size of the image by approx 50%.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2014-12-03 10:20:58 +01:00
Jason Wilder
0580726415 Ensure cert exists before referencing it 2014-12-02 23:29:00 -07:00
Jason Wilder
35b81f5092 Fix separate containers instructions 2014-12-02 16:17:58 -07:00
Jason Wilder
50839742f2 Grammar/formatting 2014-12-02 14:43:50 -07:00
Jason Wilder
61c3933e0e Merge pull request #56 from jwilder/jw-https
Add SSL Support
2014-12-01 17:40:44 -07:00
Jason Wilder
51c5c172ee Update README w/ SSL docs 2014-11-27 12:49:44 -07:00
Jason Wilder
2e43a5459b Add SSL support
This adds SSL support for containers.  It supports single host
certificates, wildcards and SNI using naming conventions for
certificates or optionally specify a cert name (for SNI).  The SSL
cipher configuration is based on Mozilla intermediate profile which
should provide compatibility with clients back to Firefox 1, Chrome 1,
IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7.  The
configuration also enables OCSP stapling, HSTS, and ssl session caches.

To enable SSL, nginx-proxy should be started w/ -p 443:443 and -v
/path/to/certs:/etc/nginx/certs.  Certificates must be named:
<virtualhost>.crt and <virtualhost>.key where <virtualhost> matches
a value of VIRTUAL_HOST on a container.

For wildcard certificates, the certificate and private key should be
named after the wildcard domain with .crt and .key suffixes.  For example,
*.example.com should be named example.com.crt and example.com.key.

For SNI where a certificate may be used for multiple domain names, the
container can specify a CERT_NAME env var that corresponds to the base
file name of the certificate and key.  For example, if you have a cert
allowing *.example.com and *.bar.com, it can be named shared.crt and
shared.key.  A container can use that cert by having CERT_NAME=shared and
VIRTUAL_HOST=foo.example.com.  The name "shared" is arbitrary and can
be whatever makes sense.

The behavior for the proxy when ports 80 and 443 are defined is as
follows:

* If a container has a usable cert, port 80 will redirect to
443 for that container to always prefer HTTPS when available.
* If the container does not have a usable cert, 503 will be returned.

In the last case, a self-signed or generic cert can be defined as
"default.crt" and "default.key" which will allow a client browser to
at least make an SSL connection.
2014-11-27 12:49:38 -07:00
Jason Wilder
7c4d0d22ac upgrade to docker-gen 0.3.6 2014-11-26 15:48:17 -07:00
Jason Wilder
20093a1f83 Merge pull request #52 from thaJeztah/optimize-dockerfile
Optimize Dockerfile.
2014-11-26 10:38:23 -07:00
Sebastiaan van Stijn
d68be71a3f Optimize Dockerfile.
This optimizes the Dockerfile by:

- Combining RUN statements so that files are removed in the
  same layer as they are added.
- Removing the downloaded .tar.gz of the docker-gen binary
  after expanding
- Adding `--no-install-recommends` (but explicitly installing
  ca-certificates)
- Replacing `ADD` with `COPY` (recommended if no unpacking is
  required)

Also added a `.dockerignore` file to prevent the `.git` directory
and README.md being added to the image.

These changes reduce the size of the image by 34 MB (was 268.4 MB,
now 233.9 MB), and result in fewer layers being produced.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2014-11-26 11:00:01 +01:00
Jason Wilder
1a03ac35c6 Merge pull request #49 from md5/reduce-redundancy
Simplify template output
2014-11-25 17:58:57 -07:00
Mike Dillon
0306692b31 Move gzip_types, access_log, and error_log to http 2014-11-25 16:56:16 -08:00
Mike Dillon
a84aee4a84 Drop unused index variables from range statement 2014-11-25 16:56:16 -08:00
Mike Dillon
3414a02edf Make template more readable
* $value -> $container
2014-11-25 16:56:16 -08:00
Mike Dillon
e1bbe8cde0 Raise proxy_buffering statement to http level 2014-11-25 16:56:16 -08:00
Mike Dillon
5b9e8c4554 Move settings that don't differ per container to the top level 2014-11-25 16:56:16 -08:00
Jason Wilder
a912287461 Merge pull request #50 from bettse/master
Typo in readme
2014-11-16 08:45:12 -08:00
Eric Betts
f117bfa5f3 Typo in readme 2014-11-15 20:47:38 -08:00
Jason Wilder
55878cd36c Merge pull request #46 from md5/connection-upgrade
Send "Connection: upgrade" when "Upgrade" header is received
2014-10-30 10:23:16 -06:00
Mike Dillon
6c2221bdcc Set "Connection: upgrade" when we receive an "Upgrade" header
Fixes #37
2014-10-25 17:13:17 -07:00
Mike Dillon
0028cdafe9 Add comment about X-Forwarded-Proto mapping 2014-10-25 17:13:04 -07:00
Jason Wilder
2c9d9ab74a Merge pull request #44 from synctree/docker-gen-0.3.4
Update to docker-gen 0.3.4
2014-10-22 17:50:05 -06:00
Mike Dillon
ddfd8ef8f4 Update to docker-gen 0.3.4 2014-10-22 16:32:50 -07:00
Jason Wilder
d7ffc052ab Merge pull request #41 from synctree/pass-through-x-forwarded-proto
Pass through X-Forwarded-Proto
2014-10-22 16:37:20 -06:00
Mike Dillon
199f18da07 Pass through X-Forwarded-Proto
* Creates a $proxy_x_forwarded_proto variable that is set to the
  X-Forwarded-Proto header passed by the client or else the $scheme
2014-10-22 15:18:46 -07:00
Jason Wilder
94f3d9849f Inline /etc/nginx/proxy_params
/etc/nginx/proxy_params does not exist in the official nginx image.
2014-10-22 10:42:22 -06:00
Jason Wilder
935aee2f91 Merge pull request #43 from mrmayfield/patch-1
Update README.md
2014-10-21 21:20:54 -06:00
Anthony Mayfield
1699879271 Update README.md
Fix typo
2014-10-21 20:39:34 -06:00
Jason Wilder
b71c45abc0 Fix command line usage 2014-10-21 18:29:31 -06:00
Jason Wilder
e0bf18f041 Add separate container instructions
Fixes #34
Fixes #5
2014-10-21 18:21:05 -06:00
Jason Wilder
941f3cc9d2 Merge pull request #35 from vegasbrianc/master
Added the updated Bash
2014-09-25 08:30:37 -06:00
Brian Christner
1404ecacf9 Upgrade Bash
Updated Dockerfile in order to update/upgrade bash to fix the security bug found by Red Hat https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
2014-09-25 12:59:36 +02:00
Brian Christner
d8f579b1e2 Update Dockerfile 2014-09-25 12:53:13 +02:00
Jason Wilder
158508413a Upgrade to docker-gen 0.3.3 2014-09-19 14:57:36 -06:00
Jason Wilder
f459b143b9 Merge pull request #32 from shopa/faster-build
Only add source after dependency download
2014-09-17 15:12:17 -06:00
Andrew Vos
61bb0a62fb Only add source after dependency download
This lets docker cache the ADD instruction, giving us a faster build.
Also, install docker-gen directly to /usr/local/bin.
2014-09-17 20:23:27 +01:00
Jason Wilder
6024b7bdf3 Merge pull request #26 from frank-dspeed/patch-1
Updated Readme Syntax
2014-09-04 20:49:54 -06:00
Frank Lemanschik
ac5738dacd Updated Readme Syntax 2014-09-05 01:34:49 +02:00
Jason Wilder
34afde73e0 Document multiple host support 2014-08-19 09:42:43 -06:00
Jason Wilder
711a7b3852 Upgrade to docker-gen 0.3.2
* Adds exists template tag
* Fixes generating files to volumes
* Fixes inconsistency w/ -watch/-endpoint
2014-07-11 12:24:24 -06:00
Jason Wilder
6f7ac47a42 Use Ubuntu Trusty 14.04 as base image 2014-07-11 09:59:45 -06:00
Jason Wilder
b9d7bde5cd Support multiple VIRTUAL_HOSTs per container.
Fixes #3
2014-06-08 10:14:51 -06:00
Jason Wilder
ebce30e761 Use ddollar/forego v0.9.0 2014-06-08 10:10:59 -06:00
Jason Wilder
de8fbeb27c Merge pull request #13 from paimpozhil/master
Fix for long server names
2014-06-08 09:47:36 -06:00
Paim pozhil
d3f4efaa83 Fix for long server names 2014-06-08 01:23:16 +05:30
Jason Wilder
4f3d690cd3 Stream logs to stdout/err
Nginx and docker-gen logs can now be seen via docker logs.
2014-06-03 16:30:05 -06:00
Jason Wilder
95d4f67a59 Merge pull request #11 from thomasleveil/patch-1
add HTTP 1.1 support
2014-06-03 16:04:44 -06:00
Jason Wilder
d178ef8dcd Merge pull request #12 from thomasleveil/patch-2
define a default virtual host
2014-06-03 16:01:43 -06:00