From bda229cab8db349bfb8d93b733243095ca387630 Mon Sep 17 00:00:00 2001 From: Karl Fathi Date: Wed, 19 Jun 2019 12:32:32 -0300 Subject: [PATCH] Tweak: Switched to docker-compose v3 syntax Tweak: Now using latest versions of docker-gen and companion Tweak: Now using nginx image with mozilla's boilerplate config Add: Readme --- nginx-proxy/.gitignore | 20 +- nginx-proxy/README.md | 46 +++ nginx-proxy/docker-compose.yml | 87 +++-- .../docker-gen}/templates/nginx.tmpl | 309 +++++++----------- .../volumes/{certs => nginx/html}/.gitkeep | 0 .../{vhost.d => nginx/htpasswd}/.gitkeep | 0 nginx-proxy/volumes/nginx/vhost.d/.gitkeep | 0 7 files changed, 222 insertions(+), 240 deletions(-) create mode 100644 nginx-proxy/README.md rename nginx-proxy/{data => volumes/docker-gen}/templates/nginx.tmpl (50%) rename nginx-proxy/volumes/{certs => nginx/html}/.gitkeep (100%) rename nginx-proxy/volumes/{vhost.d => nginx/htpasswd}/.gitkeep (100%) create mode 100644 nginx-proxy/volumes/nginx/vhost.d/.gitkeep diff --git a/nginx-proxy/.gitignore b/nginx-proxy/.gitignore index fe4e8a7..3b2db14 100644 --- a/nginx-proxy/.gitignore +++ b/nginx-proxy/.gitignore @@ -10,11 +10,19 @@ Thumbs.db .idea/ ### nginx-proxy -volumes/certs/* -!volumes/certs/.gitkeep +volumes/nginx/certs/* +!volumes/nginx/certs/.gitkeep -volumes/conf.d/* -!volumes/conf.d/.gitkeep +volumes/nginx/conf.d/* +!volumes/nginx/conf.d/.gitkeep -volumes/vhost.d/* -!volumes/vhost.d/.gitkeep +volumes/nginx/vhost.d/* +!volumes/nginx/vhost.d/.gitkeep + +volumes/nginx/html/* +!volumes/nginx/html/.gitkeep + +volumes/nginx/htpasswd/* +!volumes/nginx/htpasswd/.gitkeep + +.env diff --git a/nginx-proxy/README.md b/nginx-proxy/README.md new file mode 100644 index 0000000..d73923e --- /dev/null +++ b/nginx-proxy/README.md 
@@ -0,0 +1,46 @@ +# Pixelcloud nginx-proxy + +This docker-based service uses [nginx-proxy](https://github.com/jwilder/nginx-proxy), [docker-gen](https://github.com/jwilder/docker-gen) and [docker-letsencrypt-nginx-proxy-companion](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion). + +## Description + +Based on nginx-proxy, this service uses nginx (modified with config inspired from mozilla's boilerplate) and monitors other docker services having ``VIRTUAL_HOST`` environment variable to automatically proxy them. + +Moreover, if said services also have ``LETSENCRYPT_HOST`` variable, it will automatically generate a Let's Encrypt SSL certificate, provided the requirements are met. + +## Usage + +### Environment Variables + + +#### Ports + +You should create a ``.env`` file, located in nginx-proxy's directory root and declare the necessary variables needed in ``docker-compose.yml`` + +Production example: + +``` +HTTP_PORT=80 +HTTPS_PORT=443 +``` + +Development example: + +``` +HTTP_PORT=8080:80 +HTTPS_PORT=8443:443 +``` + +#### no-www + +If the variable ``WWW`` is set to ``no-www`` inside your proxied service, nginx-proxy will automatically create a www.domain.com to domain.com redirection. You should add www.domain.com to ``LETSENCRYPT_HOST`` variable to get an SSL certificate as well. + +#### ACME CA + +By default, this spin of nginx-proxy ships with the staging version of Let's Encrypt service enabled. + +To switch to production certificates, remove or comment this line in ``docker-compose.yml`` + +``` + ACME_CA_URI: https://acme-staging.api.letsencrypt.org/directory +``` diff --git a/nginx-proxy/docker-compose.yml b/nginx-proxy/docker-compose.yml index f929f5f..282b9ea 100644 --- a/nginx-proxy/docker-compose.yml +++ b/nginx-proxy/docker-compose.yml 
@@ -1,54 +1,69 @@ -version: "2" +version: '3' services: - nginx: - image: pixelfordinner/nginx - container_name: pixelcloud-nginx_proxy-nginx + nginx-web: + image: pixelfordinner/nginx:test + labels: + com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true" + container_name: app-pixelcloud-nginx_proxy-nginx restart: unless-stopped ports: - - "80:80" - - "443:443" + - '${HTTP_PORT}' + - '${HTTPS_PORT}' volumes: - - "./volumes/conf.d:/etc/nginx/conf.d:ro" - - "./volumes/vhost.d:/etc/nginx/vhost.d:ro" - - "./volumes/certs:/etc/nginx/certs:ro" - - "/usr/share/nginx/html" + - ./volumes/nginx/conf.d:/etc/nginx/conf.d:ro + - ./volumes/nginx/vhost.d:/etc/nginx/vhost.d:ro + - ./volumes/nginx/certs:/etc/nginx/certs:ro + - ./volumes/nginx/htpasswd:/etc/nginx/htpasswd:ro + - ./volumes/nginx/html:/usr/share/nginx/html:ro networks: - proxy-tier - docker-gen: - image: jwilder/docker-gen:0.7.3 - container_name: pixelcloud-nginx_proxy-docker_gen + logging: + options: + max-size: '4m' + max-file: '10' + + nginx-gen: + image: jwilder/docker-gen + command: -notify-sighup app-pixelcloud-nginx_proxy-nginx -watch -wait 5s:30s /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf + container_name: app-pixelcloud-nginx_proxy-nginx_gen restart: unless-stopped - depends_on: - - nginx - volumes_from: - - nginx volumes: - - "/var/run/docker.sock:/tmp/docker.sock:ro" - - "./data/templates:/etc/docker-gen/templates:ro" - - "./volumes/conf.d:/etc/nginx/conf.d:rw" + - ./volumes/nginx/conf.d:/etc/nginx/conf.d + - ./volumes/nginx/vhost.d:/etc/nginx/vhost.d + - ./volumes/nginx/certs:/etc/nginx/certs:ro + - ./volumes/nginx/htpasswd:/etc/nginx/htpasswd:ro + - /var/run/docker.sock:/tmp/docker.sock:ro + - ./volumes/docker-gen/templates/nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl:ro networks: - proxy-tier - entrypoint: /usr/local/bin/docker-gen -notify-sighup pixelcloud-nginx_proxy-nginx -watch -wait 5s:30s /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf 
- lets-encrypt-companion: - image: jrcs/letsencrypt-nginx-proxy-companion:v1.6 - container_name: pixelcloud-nginx_proxy-lets_encrypt + logging: + options: + max-size: '4m' + max-file: '10' + + nginx-letsencrypt: + image: jrcs/letsencrypt-nginx-proxy-companion + container_name: app-pixelcloud-nginx_proxy-letsencrypt restart: unless-stopped - depends_on: - - nginx - - docker-gen - volumes_from: - - nginx volumes: - - "/var/run/docker.sock:/var/run/docker.sock:ro" - - "./volumes/vhost.d:/etc/nginx/vhost.d:rw" - - "./volumes/certs:/etc/nginx/certs:rw" + - ./volumes/nginx/conf.d:/etc/nginx/conf.d + - ./volumes/nginx/vhost.d:/etc/nginx/vhost.d + - ./volumes/nginx/html:/usr/share/nginx/html + - ./volumes/nginx/certs:/etc/nginx/certs:rw + - /var/run/docker.sock:/var/run/docker.sock:ro environment: - - "NGINX_DOCKER_GEN_CONTAINER=pixelcloud-nginx_proxy-docker_gen" - # - "ACME_CA_URI=https://acme-staging.api.letsencrypt.org/directory" - # - "DEBUG=true" + NGINX_DOCKER_GEN_CONTAINER: app-pixelcloud-nginx_proxy-nginx_gen + NGINX_PROXY_CONTAINER: app-pixelcloud-nginx_proxy-nginx + ACME_CA_URI: https://acme-staging.api.letsencrypt.org/directory + networks: + - proxy-tier + logging: + options: + max-size: '4m' + max-file: '10' networks: proxy-tier: external: - name: "nginx-proxy" + name: nginx-proxy diff --git a/nginx-proxy/data/templates/nginx.tmpl b/nginx-proxy/volumes/docker-gen/templates/nginx.tmpl similarity index 50% rename from nginx-proxy/data/templates/nginx.tmpl rename to nginx-proxy/volumes/docker-gen/templates/nginx.tmpl index 7f6db1e..f6d84fc 100644 --- a/nginx-proxy/data/templates/nginx.tmpl +++ b/nginx-proxy/volumes/docker-gen/templates/nginx.tmpl 
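Review bot: The three `image:` lines in this hunk drop the pins the old file had (`jwilder/docker-gen:0.7.3`, `jrcs/letsencrypt-nginx-proxy-companion:v1.6`) and `pixelfordinner/nginx:test` is a mutable tag, so every pull can silently replace the proxy, the config generator and the ACME client, which between them hold the Docker socket and the certificate volume. Pin each image to a release tag, ideally with a digest, e.g. `image: jwilder/docker-gen:<PINNED_TAG>@sha256:<DIGEST>` (placeholders), and bump deliberately. Dropping `depends_on` also means `nginx-gen`'s `-notify-sighup app-pixelcloud-nginx_proxy-nginx` can fire before that container exists; compose file v3 still honours `depends_on` under `docker-compose up`, so it can be kept unless swarm mode is the target.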
@@ -13,68 +13,54 @@ {{ end }} {{ else if .Network }} # {{ .Container.Name }} - server {{ .Network.IP }} down; + {{ if .Network.IP }} + server {{ .Network.IP }} down; + {{ else }} + server 127.0.0.1 down; + {{ end }} {{ end }} {{ end }} # If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the # scheme used to connect to this server map $http_x_forwarded_proto $proxy_x_forwarded_proto { - default $http_x_forwarded_proto; - '' $scheme; + default $http_x_forwarded_proto; + '' $scheme; } # If we receive X-Forwarded-Port, pass it through; otherwise, pass along the # server port the client connected to map $http_x_forwarded_port $proxy_x_forwarded_port { - default $http_x_forwarded_port; - '' $server_port; + default $http_x_forwarded_port; + '' $server_port; } # If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any # Connection header that may have been passed to this server map $http_upgrade $proxy_connection { - default upgrade; - '' close; + default upgrade; + '' close; } # Set appropriate X-Forwarded-Ssl header map $scheme $proxy_x_forwarded_ssl { - default off; - https on; + default off; + https on; } -log_format vhost '$host $remote_addr - $remote_user [$time_local] ' - '"$request" $status $body_bytes_sent ' - '"$http_referer" "$http_user_agent"'; - -access_log off; - {{ if (exists "/etc/nginx/proxy.conf") }} include /etc/nginx/proxy.conf; -{{ else }} -# HTTP 1.1 support -proxy_http_version 1.1; -proxy_buffering off; -proxy_set_header Host $http_host; -proxy_set_header Upgrade $http_upgrade; -proxy_set_header Connection $proxy_connection; -proxy_set_header X-Real-IP $remote_addr; -proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; -proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; -proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl; -proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port; - -# Mitigate httpoxy attack (see README for details) -proxy_set_header Proxy ""; {{ end }} +{{ $enable_ipv6 
:= eq (or ($.Env.ENABLE_IPV6) "") "true" }} server { server_name _; # This is just an invalid value which will never trigger on a real hostname. listen 80 deferred; + {{ if $enable_ipv6 }} listen [::]:80 deferred; - access_log /var/log/nginx/access.log vhost; + {{ end }} + access_log /dev/stdout vhost; return 503; } @@ -82,27 +68,34 @@ server { server { server_name _; # This is just an invalid value which will never trigger on a real hostname. listen 443 ssl http2 deferred; + {{ if $enable_ipv6 }} listen [::]:443 ssl http2 deferred; - access_log /var/log/nginx/access.log vhost; + {{ end }} + access_log /dev/stdout vhost; return 503; - include /etc/nginx/boilerplate/enable/ssl.conf; + include /etc/nginx/config/nginx-proxy.conf; ssl_certificate /etc/nginx/certs/default.crt; ssl_certificate_key /etc/nginx/certs/default.key; } {{ end }} {{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }} -{{ $upstream_name := sha1 $host }} + +{{ $host := trim $host }} +{{ $is_regexp := hasPrefix "~" $host }} +{{ $upstream_name := when $is_regexp (sha1 $host) $host }} + # {{ $host }} upstream {{ $upstream_name }} { + {{ range $container := $containers }} {{ $addrLen := len $container.Addresses }} {{ range $knownNetwork := $CurrentContainer.Networks }} {{ range $containerNetwork := $container.Networks }} - {{ if eq $knownNetwork.Name $containerNetwork.Name }} - ## Can be connect with "{{ $containerNetwork.Name }}" network + {{ if (and (ne $containerNetwork.Name "ingress") (or (eq $knownNetwork.Name $containerNetwork.Name) (eq $knownNetwork.Name "host"))) }} + ## Can be connected with "{{ $containerNetwork.Name }}" network {{/* If only 1 port exposed, use that */}} {{ if eq $addrLen 1 }} 
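Review bot: Removing the `{{ else }}` branch of the `/etc/nginx/proxy.conf` check leaves no fallback for the `proxy_set_header` block, including `proxy_set_header Proxy "";` (the httpoxy mitigation) and the `X-Forwarded-*` headers, and the compose file mounts no proxy.conf, so the generated config now depends entirely on the new nginx image shipping that file at http level. If it does not, plain-HTTP vhosts (whose port-80 `server` blocks in the later hunks include nothing but `network_internal.conf`) forward no headers at all, and the `$proxy_connection` / `$proxy_x_forwarded_*` maps kept in this hunk would be unused. Likewise `log_format vhost` is deleted while `access_log /dev/stdout vhost;` is still emitted, so `vhost` must come from the image or `nginx -t` fails and the `-notify-sighup` reload keeps the previous config. Either restore the fallback branch or add a comment above the `{{ if (exists "/etc/nginx/proxy.conf") }}` line such as `# proxy.conf (proxy_set_header incl. Proxy "") and log_format vhost are shipped by the nginx image`, naming where they come from.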
@@ -114,6 +107,9 @@ upstream {{ $upstream_name }} { {{ $address := where $container.Addresses "Port" $port | first }} {{ template "upstream" (dict "Container" $container "Address" $address "Network" $containerNetwork) }} {{ end }} + {{ else }} + # Cannot connect to network of this container + server 127.0.0.1 down; {{ end }} {{ end }} {{ end }} @@ -124,11 +120,17 @@ upstream {{ $upstream_name }} { {{ $default_server := index (dict $host "" $default_host "default_server") $host }} {{/* Get the VIRTUAL_PROTO defined by containers w/ the same vhost, falling back to "http" */}} -{{ $proto := or (first (groupByKeys $containers "Env.VIRTUAL_PROTO")) "http" }} +{{ $proto := trim (or (first (groupByKeys $containers "Env.VIRTUAL_PROTO")) "http") }} + +{{/* Get the NETWORK_ACCESS defined by containers w/ the same vhost, falling back to "external" */}} +{{ $network_tag := or (first (groupByKeys $containers "Env.NETWORK_ACCESS")) "external" }} {{/* Get the HTTPS_METHOD defined by containers w/ the same vhost, falling back to "redirect" */}} {{ $https_method := or (first (groupByKeys $containers "Env.HTTPS_METHOD")) "redirect" }} +{{/* Get the VIRTUAL_ROOT By containers w/ use fastcgi root */}} +{{ $vhost_root := or (first (groupByKeys $containers "Env.VIRTUAL_ROOT")) "/var/www/public" }} + {{/* Get the first cert name defined by containers w/ the same vhost */}} {{ $certName := (first (groupByKeys $containers "Env.CERT_NAME")) }} @@ -153,15 +155,10 @@ upstream {{ $upstream_name }} { server { server_name {{ $host }}; listen 80 {{ $default_server }}; + {{ if $enable_ipv6 }} listen [::]:80 {{ $default_server }}; - access_log /var/log/nginx/access.log vhost; - - {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }} - include {{ printf "/etc/nginx/vhost.d/%s" $host }}; - {{ else if (exists "/etc/nginx/vhost.d/default") }} - include /etc/nginx/vhost.d/default; {{ end }} - + access_log /dev/stdout vhost; return 301 https://$host$request_uri; } {{ end }} 
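Review bot: `$network_tag` is compared with `eq $network_tag "internal"` in the later server blocks but, unlike `$proto` on the line above it, is not passed through `trim`, so a `NETWORK_ACCESS` value with surrounding whitespace fails the comparison and the vhost silently falls back to `external`, i.e. the restriction fails open. Trim it the same way: `{{ $network_tag := trim (or (first (groupByKeys $containers "Env.NETWORK_ACCESS")) "external") }}`. `$vhost_root` is only trimmed at its `root {{ trim $vhost_root }}` use sites, which mirrors `$upstream_name`, but trimming once at declaration would keep the three variables uniform. The enclosing `range $host, $containers` block starts before this hunk.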
@@ -169,18 +166,27 @@ server { server { server_name {{ $host }}; listen 443 ssl http2 {{ $default_server }}; + {{ if $enable_ipv6 }} listen [::]:443 ssl http2 {{ $default_server }}; - access_log /var/log/nginx/access.log vhost; + {{ end }} + access_log /dev/stdout vhost; - include /etc/nginx/boilerplate/enable/ssl.conf; + {{ if eq $network_tag "internal" }} + # Only allow traffic from internal clients + include /etc/nginx/network_internal.conf; + {{ end }} + + include /etc/nginx/config/nginx-proxy.conf; ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }}; ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }}; {{ if (exists (printf "/etc/nginx/certs/%s.dhparam.pem" $cert)) }} ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }}; - {{ else if (exists ("/etc/nginx/certs/dhparam.pem")) }} - ssl_dhparam /etc/nginx/certs/dhparam.pem; + {{ end }} + + {{ if (exists (printf "/etc/nginx/certs/%s.chain.pem" $cert)) }} + ssl_trusted_certificate {{ printf "/etc/nginx/certs/%s.chain.pem" $cert }}; {{ end }} 
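Review bot: The `{{ else if (exists ("/etc/nginx/certs/dhparam.pem")) }}` fallback is removed here, in the www block (hunk at L10–L11) and in the default-cert server (hunk at L12–L13), so deployments that relied on a shared `dhparam.pem` silently stop loading it; with nginx 1.11 or later that presumably just leaves DHE suites disabled rather than weakened, but it is a behaviour change that deserves a line in the commit message or README. The new `ssl_trusted_certificate` directive only has an effect together with `ssl_stapling on; ssl_stapling_verify on;` (or client-certificate verification), none of which this hunk enables; if they live in `/etc/nginx/config/nginx-proxy.conf`, a comment such as `# chain.pem feeds OCSP stapling; ssl_stapling is enabled in nginx-proxy.conf` would make the dependency explicit. The `network_internal.conf` include is placed before `nginx-proxy.conf`, which only matters if both set the same directives.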
@@ -194,101 +200,66 @@ server { {{ if eq $proto "uwsgi" }} include uwsgi_params; uwsgi_pass {{ trim $proto }}://{{ trim $upstream_name }}; + {{ else if eq $proto "fastcgi" }} + root {{ trim $vhost_root }}; + include fastcgi.conf; + fastcgi_pass {{ trim $upstream_name }}; {{ else }} proxy_pass {{ trim $proto }}://{{ trim $upstream_name }}; {{ end }} + {{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }} auth_basic "Restricted {{ $host }}"; auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" $host) }}; {{ end }} - {{ if (exists (printf "/etc/nginx/vhost.d/%s_location" $host)) }} - include {{ printf "/etc/nginx/vhost.d/%s_location" $host}}; - {{ else if (exists "/etc/nginx/vhost.d/default_location") }} - include /etc/nginx/vhost.d/default_location; - {{ end }} + {{ if (exists (printf "/etc/nginx/vhost.d/%s_location" $host)) }} + include {{ printf "/etc/nginx/vhost.d/%s_location" $host}}; + {{ else if (exists "/etc/nginx/vhost.d/default_location") }} + include /etc/nginx/vhost.d/default_location; + {{ end }} } } +{{/* no-WWW */}} {{ if (eq $www "no-www") }} - -{{ if and (exists (printf "/etc/nginx/certs/www.%s.crt" $cert)) (exists (printf "/etc/nginx/certs/www.%s.key" $cert)) }} - server { - server_name www.{{ $host }}; - listen 80 {{ $default_server }}; - listen [::]:80 {{ $default_server }}; - access_log /var/log/nginx/access.log vhost; - - {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }} - include {{ printf "/etc/nginx/vhost.d/%s" $host }}; - {{ else if (exists "/etc/nginx/vhost.d/default") }} - include /etc/nginx/vhost.d/default; - {{ end }} - - return 301 https://{{$host}}$request_uri; -} - -server { - server_name www.{{ $host }}; - listen 443 ssl http2 {{ $default_server }}; - listen [::]:443 ssl http2 {{ $default_server }}; - access_log /var/log/nginx/access.log vhost; - - include /etc/nginx/boilerplate/enable/ssl.conf; - - ssl_certificate /etc/nginx/certs/{{ (printf "www.%s.crt" $cert) }}; - ssl_certificate_key /etc/nginx/certs/{{ (printf 
"www.%s.key" $cert) }}; - - {{ if (exists (printf "/etc/nginx/certs/www.%s.dhparam.pem" $cert)) }} - ssl_dhparam {{ printf "/etc/nginx/certs/www.%s.dhparam.pem" $cert }}; - {{ else if (exists ("/etc/nginx/certs/dhparam.pem")) }} - ssl_dhparam /etc/nginx/certs/dhparam.pem; - {{ end }} + server_name www.{{ $host }}; + listen 80 {{ $default_server }}; + {{ if $enable_ipv6 }} + listen [::]:80 {{ $default_server }}; + {{ end }} + access_log /dev/stdout vhost; - return 301 https://{{$host}}$request_uri; + return 301 https://{{ $host }}$request_uri; } -{{ end }} - -{{ else if (eq $www "www") }} - -{{ $nowwwhost := replace $host "www." "" -1 }} -{{ $nowwwcert := replace $cert "www." "" -1 }} - -{{ if and (exists (printf "/etc/nginx/certs/%s.crt" $nowwwcert)) (exists (printf "/etc/nginx/certs/%s.key" $nowwwcert)) }} - +{{ if and (exists (printf "/etc/nginx/certs/www.%s.crt" $cert)) (exists (printf "/etc/nginx/certs/www.%s.key" $cert)) }} server { - server_name {{ $nowwwhost }}; - listen 80 {{ $default_server }}; - listen [::]:80 {{ $default_server }}; - access_log /var/log/nginx/access.log vhost; - return 301 https://{{$host}}$request_uri; -} + server_name www.{{ $host }}; + listen 443 ssl http2 {{ $default_server }}; + {{ if $enable_ipv6 }} + listen [::]:443 ssl http2 {{ $default_server }}; + {{ end }} + access_log /dev/stdout vhost; -server { - server_name {{ $nowwwhost }}; - listen 443 ssl http2 {{ $default_server }}; - listen [::]:443 ssl http2 {{ $default_server }}; - access_log /var/log/nginx/access.log vhost; + include /etc/nginx/config/nginx-proxy.conf; - include /etc/nginx/boilerplate/enable/ssl.conf; + ssl_certificate /etc/nginx/certs/{{ (printf "www.%s.crt" $cert) }}; + ssl_certificate_key /etc/nginx/certs/{{ (printf "www.%s.key" $cert) }}; - ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $nowwwcert) }}; - ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $nowwwcert) }}; + {{ if (exists (printf "/etc/nginx/certs/www.%s.dhparam.pem" $cert)) }} + 
ssl_dhparam {{ printf "/etc/nginx/certs/www.%s.dhparam.pem" $cert }}; + {{ end }} - {{ if (exists (printf "/etc/nginx/certs/%s.dhparam.pem" $nowwwcert)) }} - ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $nowwwcert }}; - {{ else if (exists ("/etc/nginx/certs/dhparam.pem")) }} - ssl_dhparam /etc/nginx/certs/dhparam.pem; - {{ end }} + {{ if (exists (printf "/etc/nginx/certs/www.%s.chain.pem" $cert)) }} + ssl_trusted_certificate {{ printf "/etc/nginx/certs/www.%s.chain.pem" $cert }}; + {{ end }} - return 301 https://{{$host}}$request_uri; + return 301 https://{{ $host }}$request_uri; } - {{ end }} - {{ end }} - +{{/* End WWW / no-WWW */}} {{ end }} {{ if or (not $is_https) (eq $https_method "noredirect") }} @@ -296,8 +267,15 @@ server { server { server_name {{ $host }}; listen 80 {{ $default_server }}; + {{ if $enable_ipv6 }} listen [::]:80 {{ $default_server }}; - access_log /var/log/nginx/access.log vhost; + {{ end }} + access_log /dev/stdout vhost; + + {{ if eq $network_tag "internal" }} + # Only allow traffic from internal clients + include /etc/nginx/network_internal.conf; + {{ end }} {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }} include {{ printf "/etc/nginx/vhost.d/%s" $host }}; @@ -309,6 +287,10 @@ server { {{ if eq $proto "uwsgi" }} include uwsgi_params; uwsgi_pass {{ trim $proto }}://{{ trim $upstream_name }}; + {{ else if eq $proto "fastcgi" }} + root {{ trim $vhost_root }}; + include fastcgi.conf; + fastcgi_pass {{ trim $upstream_name }}; {{ else }} proxy_pass {{ trim $proto }}://{{ trim $upstream_name }}; {{ end }} 
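Review bot: The `{{ else if (eq $www "www") }}` branch is deleted here and its plain-HTTP counterpart in the last hunk (L12–L13), so a proxied container that sets `WWW=www` now gets no apex-domain server at all, while the commit message only mentions compose, image and README changes and the new README documents only `no-www`. Either state the removal of `www` mode in the README's no-www section or keep the branch. Moving the port-80 `www.` redirect out of the `www.%s.crt`/`.key` existence check is a sensible change, but the 443 `www.` server still only appears when both files exist, so the README's advice to put the www name in `LETSENCRYPT_HOST` remains load-bearing and could be referenced in a comment above the `{{ if and (exists ...` line.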
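Review bot: The `uwsgi`/`fastcgi`/`proxy_pass` selection added in this hunk is the second copy of the block added to the 443 server in the hunk at L9–L11, and the file already uses `template "upstream"` with `dict`, so the same mechanism would remove the duplication. Define a named sub-template once near the top of the file and call it from each `location /` as `{{ template "pass" (dict "Proto" $proto "Upstream" $upstream_name "Root" $vhost_root) }}`. The enclosing `server` / `location` block starts before this hunk.

```nginx
{{ define "pass" }}
    {{ if eq .Proto "uwsgi" }}
    include uwsgi_params;
    uwsgi_pass {{ trim .Proto }}://{{ trim .Upstream }};
    {{ else if eq .Proto "fastcgi" }}
    root {{ trim .Root }};
    include fastcgi.conf;
    fastcgi_pass {{ trim .Upstream }};
    {{ else }}
    proxy_pass {{ trim .Proto }}://{{ trim .Upstream }};
    {{ end }}
{{ end }}
```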
@@ -316,97 +298,28 @@ server { auth_basic "Restricted {{ $host }}"; auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" $host) }}; {{ end }} - {{ if (exists (printf "/etc/nginx/vhost.d/%s_location" $host)) }} - include {{ printf "/etc/nginx/vhost.d/%s_location" $host}}; - {{ else if (exists "/etc/nginx/vhost.d/default_location") }} - include /etc/nginx/vhost.d/default_location; - {{ end }} - } -} - -{{ if (eq $www "no-www") }} - -server { - server_name www.{{ $host }}; - listen 80 {{ $default_server }}; - listen [::]:80 {{ $default_server }}; - access_log /var/log/nginx/access.log vhost; - - {{ if (exists (printf "/etc/nginx/vhost.d/www.%s" $host)) }} - include {{ printf "/etc/nginx/vhost.d/www.%s" $host }}; - {{ else if (exists "/etc/nginx/vhost.d/default") }} - include /etc/nginx/vhost.d/default; - {{ end }} - - location / { - {{ if eq $proto "uwsgi" }} - include uwsgi_params; - uwsgi_pass {{ trim $proto }}://{{ trim $upstream_name }}; - {{ else }} - proxy_pass {{ trim $proto }}://{{ trim $upstream_name }}; - {{ end }} - {{ if (exists (printf "/etc/nginx/htpasswd/www.%s" $host)) }} - auth_basic "Restricted {{ $host }}"; - auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/www.%s" $host) }}; + {{ if (exists (printf "/etc/nginx/vhost.d/%s_location" $host)) }} + include {{ printf "/etc/nginx/vhost.d/%s_location" $host}}; + {{ else if (exists "/etc/nginx/vhost.d/default_location") }} + include /etc/nginx/vhost.d/default_location; {{ end }} - {{ if (exists (printf "/etc/nginx/vhost.d/www.%s_location" $host)) }} - include {{ printf "/etc/nginx/vhost.d/www.%s_location" $host}}; - {{ else if (exists "/etc/nginx/vhost.d/default_location") }} - include /etc/nginx/vhost.d/default_location; - {{ end }} } } -{{ else if (eq $www "www") }} - -{{ $nowwwhost := replace $host "www." 
"" -1 }} - -server { - server_name {{ $nowwwhost }}; - listen 80 {{ $default_server }}; - listen [::]:80 {{ $default_server }}; - access_log /var/log/nginx/access.log vhost; - - {{ if (exists (printf "/etc/nginx/vhost.d/%s" $nowwwhost)) }} - include {{ printf "/etc/nginx/vhost.d/%s" $nowwwhost }}; - {{ else if (exists "/etc/nginx/vhost.d/default") }} - include /etc/nginx/vhost.d/default; - {{ end }} - - location / { - {{ if eq $proto "uwsgi" }} - include uwsgi_params; - uwsgi_pass {{ trim $proto }}://{{ trim $upstream_name }}; - {{ else }} - proxy_pass {{ trim $proto }}://{{ trim $upstream_name }}; - {{ end }} - {{ if (exists (printf "/etc/nginx/htpasswd/%s" $nowwwhost)) }} - auth_basic "Restricted {{ $nowwwhost }}"; - auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" $nowwwhost) }}; - {{ end }} - {{ if (exists (printf "/etc/nginx/vhost.d/%s_location" $nowwwhost)) }} - include {{ printf "/etc/nginx/vhost.d/%s_location" $nowwwhost}}; - {{ else if (exists "/etc/nginx/vhost.d/default_location") }} - include /etc/nginx/vhost.d/default_location; - {{ end }} - } -} - -{{ end }} - {{ if (and (not $is_https) (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }} server { server_name {{ $host }}; listen 443 ssl http2 {{ $default_server }}; + {{ if $enable_ipv6 }} listen [::]:443 ssl http2 {{ $default_server }}; - access_log /var/log/nginx/access.log vhost; + {{ end }} + access_log /dev/stdout vhost; return 500; + include /etc/nginx/config/nginx-proxy.conf; + ssl_certificate /etc/nginx/certs/default.crt; ssl_certificate_key /etc/nginx/certs/default.key; - {{ if (exists ("/etc/nginx/certs/dhparam.pem")) }} - ssl_dhparam /etc/nginx/certs/dhparam.pem; - {{ end }} } {{ end }} diff --git a/nginx-proxy/volumes/certs/.gitkeep b/nginx-proxy/volumes/nginx/html/.gitkeep similarity index 100% rename from nginx-proxy/volumes/certs/.gitkeep rename to nginx-proxy/volumes/nginx/html/.gitkeep 
diff --git a/nginx-proxy/volumes/vhost.d/.gitkeep b/nginx-proxy/volumes/nginx/htpasswd/.gitkeep
similarity index 100%
rename from nginx-proxy/volumes/vhost.d/.gitkeep
rename to nginx-proxy/volumes/nginx/htpasswd/.gitkeep
diff --git a/nginx-proxy/volumes/nginx/vhost.d/.gitkeep b/nginx-proxy/volumes/nginx/vhost.d/.gitkeep
new file mode 100644
index 0000000..e69de29