Merge pull request #1123 from nginx-proxy/disable-location-config-2

feat: disable automatic ACME HTTP challenge location configuration
Nicolas Duchon 2024-06-06 08:38:30 +02:00 committed by GitHub
commit e021800138
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
9 changed files with 27 additions and 24 deletions

@ -31,7 +31,6 @@ It handles the automated creation, renewal and use of SSL certificates for proxi
Three writable volumes must be declared on the **nginx-proxy** container so that they can be shared with the **acme-companion** container:
* `/etc/nginx/certs` to store certificates and private keys (readonly for the **nginx-proxy** container).
* `/etc/nginx/vhost.d` to change the configuration of vhosts (required so the CA may access `http-01` challenge files).
* `/usr/share/nginx/html` to write `http-01` challenge files.
Additionally, a fourth volume must be declared on the **acme-companion** container to store `acme.sh` configuration and state: `/etc/acme.sh`.
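Review bot: the prose around the removed bullet is now inconsistent with the list it introduces: the `/etc/nginx/vhost.d` bullet is dropped, but the unchanged context line still reads "Three writable volumes must be declared" and the trailing line still calls `/etc/acme.sh` "a fourth volume". Update both to "Two" and "third" in this README hunk, matching the "Two writable volumes" wording used in the basic-usage page hunk further down.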
@ -50,7 +49,6 @@ $ docker run --detach \
--publish 80:80 \
--publish 443:443 \
--volume certs:/etc/nginx/certs \
--volume vhost:/etc/nginx/vhost.d \
--volume html:/usr/share/nginx/html \
--volume /var/run/docker.sock:/tmp/docker.sock:ro \
nginxproxy/nginx-proxy

@ -167,10 +167,13 @@ if [[ "$*" == "/bin/bash /app/start.sh" ]]; then
exit 1
fi
check_writable_directory '/etc/nginx/certs'
check_writable_directory '/etc/nginx/vhost.d'
parse_true "${ACME_HTTP_CHALLENGE_LOCATION:=false}" && check_writable_directory '/etc/nginx/vhost.d'
check_writable_directory '/etc/acme.sh'
check_writable_directory '/usr/share/nginx/html'
[[ -f /app/letsencrypt_user_data ]] && check_writable_directory '/etc/nginx/conf.d'
if [[ -f /app/letsencrypt_user_data ]]; then
check_writable_directory '/etc/nginx/vhost.d'
check_writable_directory '/etc/nginx/conf.d'
fi
check_default_cert_key
check_dh_group
reload_nginx

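Review bot: when `ACME_HTTP_CHALLENGE_LOCATION` is true and `/app/letsencrypt_user_data` exists, `/etc/nginx/vhost.d` is checked twice (once on the `parse_true ... && check_writable_directory '/etc/nginx/vhost.d'` line, once again inside the new `if [[ -f /app/letsencrypt_user_data ]]` block). Harmless, but a single condition such as `if parse_true "${ACME_HTTP_CHALLENGE_LOCATION:=false}" || [[ -f /app/letsencrypt_user_data ]]; then check_writable_directory '/etc/nginx/vhost.d'; fi` would state the requirement in one place. Also, `${ACME_HTTP_CHALLENGE_LOCATION:=false}` assigns the default as a side effect; that only works because the same `:=false` default is repeated in `update_cert`, so the two literals need to stay in sync.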
@ -348,8 +348,10 @@ function update_cert {
for domain in "${hosts_array[@]}"; do
# Add all the domains to certificate
params_issue_arr+=(--domain "$domain")
# Add location configuration for the domain
add_location_configuration "$domain" || reload_nginx
# If enabled, add location configuration for the domain
if parse_true "${ACME_HTTP_CHALLENGE_LOCATION:=false}"; then
add_location_configuration "$domain" || reload_nginx
fi
done
params_issue_arr=("${params_base_arr[@]}" "${params_issue_arr[@]}")

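Review bot: `parse_true "${ACME_HTTP_CHALLENGE_LOCATION:=false}"` is re-evaluated on every iteration of the `hosts_array` loop; evaluating it once before the loop into a local flag would be cheaper and clearer. Since the new default turns the previous behaviour off, consider logging once that location configuration is being skipped, so a user on an older **nginx-proxy** whose `http-01` challenges start failing has a visible hint that `ACME_HTTP_CHALLENGE_LOCATION=true` is the fix.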
@ -26,7 +26,6 @@ $ docker run --detach \
--publish 80:80 \
--publish 443:443 \
--volume conf:/etc/nginx/conf.d \
--volume vhost:/etc/nginx/vhost.d \
--volume html:/usr/share/nginx/html \
--volume certs:/etc/nginx/certs \
nginx

@ -1,9 +1,8 @@
## Basic usage (with the nginx-proxy container)
Three writable volumes must be declared on the **nginx-proxy** container so that they can be shared with the **acme-companion** container:
Two writable volumes must be declared on the **nginx-proxy** container so that they can be shared with the **acme-companion** container:
* `/etc/nginx/certs` to store certificates and private keys (readonly for the **nginx-proxy** container).
* `/etc/nginx/vhost.d` to change the configuration of vhosts (required so the CA may access `http-01` challenge files).
* `/usr/share/nginx/html` to write `http-01` challenge files.
Additionally, a fourth volume must be declared on the **acme-companion** container to store `acme.sh` configuration and state: `/etc/acme.sh`.
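Review bot: the first sentence is updated to "Two writable volumes", but the last line of the hunk still says "a fourth volume must be declared" for `/etc/acme.sh`; with `/etc/nginx/vhost.d` removed it is the third. The removed bullet also carried the only explanation of why `vhost.d` was needed (`http-01` challenge files); a short pointer to the `ACME_HTTP_CHALLENGE_LOCATION` variable for readers on older **nginx-proxy** versions would keep that information reachable from this page.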
@ -22,7 +21,6 @@ $ docker run --detach \
--publish 80:80 \
--publish 443:443 \
--volume certs:/etc/nginx/certs \
--volume vhost:/etc/nginx/vhost.d \
--volume html:/usr/share/nginx/html \
--volume /var/run/docker.sock:/tmp/docker.sock:ro \
nginxproxy/nginx-proxy

@ -33,3 +33,5 @@ You can also create test certificates per container (see [Test certificates](./L
* `ACME_PRE_HOOK` - The provided command will be run before every certificate issuance. The action is limited to the commands available inside the **acme-companion** container. For example `--env "ACME_PRE_HOOK=echo 'start'"`. For more information see [Pre- and Post-Hook](./Hooks.md)
* `ACME_POST_HOOK` - The provided command will be run after every certificate issuance. The action is limited to the commands available inside the **acme-companion** container. For example `--env "ACME_POST_HOOK=echo 'end'"`. For more information see [Pre- and Post-Hook](./Hooks.md)
* `ACME_HTTP_CHALLENGE_LOCATION` - Previously **acme-companion** automatically added the ACME HTTP challenge location to the nginx configuration through files generated in `/etc/nginx/vhost.d`. Recent versions of **nginx-proxy** (>= `1.6`) already include the required location configuration, which remove the need for **acme-companion** to attempt to dynamically add them. If you're running and older version of **nginx-proxy** (or **docker-gen** with an older version of the `nginx.tmpl` file), you can re-enable this behaviour by setting `ACME_HTTP_CHALLENGE_LOCATION` to `true`.

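Review bot: grammar in the new `ACME_HTTP_CHALLENGE_LOCATION` bullet: "which remove the need for **acme-companion** to attempt to dynamically add them" should read "which removes the need for **acme-companion** to add it dynamically", and "If you're running and older version" should be "an older version". The other bullets in this list show the default and an example `--env` flag; for consistency, state the default (`false`) explicitly and add an example such as `--env "ACME_HTTP_CHALLENGE_LOCATION=true"`.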
@ -15,7 +15,7 @@ The use of named containers and volume is not required but helps keeping everyth
### Two containers example
```yaml
version: '2'
version: "2"
services:
nginx-proxy:
@ -25,8 +25,10 @@ services:
- "80:80"
- "443:443"
volumes:
- conf:/etc/nginx/conf.d
- vhost:/etc/nginx/vhost.d
# The vhost and conf volumes are only required
# if you plan to obtain standalone certificates
# - vhost:/etc/nginx/vhost.d
# - conf:/etc/nginx/conf.d
- html:/usr/share/nginx/html
- certs:/etc/nginx/certs:ro
- /var/run/docker.sock:/tmp/docker.sock:ro
@ -46,8 +48,8 @@ services:
network_mode: bridge
volumes:
conf:
vhost:
# vhost:
# conf:
html:
certs:
acme:
@ -56,7 +58,7 @@ volumes:
### Three containers example
```yaml
version: '2'
version: "2"
services:
nginx-proxy:
@ -66,8 +68,10 @@ services:
- "80:80"
- "443:443"
volumes:
# The vhost volume is only required if you
# plan to obtain standalone certificates
# - vhost:/etc/nginx/vhost.d
- conf:/etc/nginx/conf.d
- vhost:/etc/nginx/vhost.d
- html:/usr/share/nginx/html
- certs:/etc/nginx/certs:ro
network_mode: bridge
@ -99,8 +103,8 @@ services:
network_mode: bridge
volumes:
# vhost:
conf:
vhost:
html:
certs:
acme:

@ -10,7 +10,6 @@ $ docker run -d \
-p 80:80 \
-p 443:443 \
-v certs:/etc/nginx/certs \
-v vhost:/etc/nginx/vhost.d \
-v html:/usr/share/nginx/html \
-v /var/run/docker.sock:/tmp/docker.sock:ro \
nginxproxy/nginx-proxy
@ -18,7 +17,6 @@ $ docker run -d \
$ docker volume ls
DRIVER VOLUME NAME
local certs
local vhost
local html
```
@ -32,7 +30,6 @@ $ docker run -d \
-p 80:80 \
-p 443:443 \
-v /etc/nginx/certs \
-v /etc/nginx/vhost.d \
-v /usr/share/nginx/html \
-v /var/run/docker.sock:/tmp/docker.sock:ro \
nginxproxy/nginx-proxy
@ -40,7 +37,6 @@ $ docker run -d \
$ docker volume ls
DRIVER VOLUME NAME
local 287be3abd610e5566500d719ceb8b952952f12c9324ef02d05785d4ee9737ae9
local 6530b1b40cf89efb71aa7fd19bddec927fa2bcae59b04b9c1c850af72ffe0123
local f260f71fefadcdfc311d285d69151f2312915174d3fb1fab89949ec5ec871a54
```

@ -1,6 +1,6 @@
## Standalone certificates
You can generate certificate that are not tied to containers environment variable by mounting a user configuration file inside the container at `/app/letsencrypt_user_data`. This feature also require sharing the `/etc/nginx/conf.d` folder between the **nginx-proxy** and **acme-companion** container (and the **docker-gen** container if you are running a [three container setup](./Advanced-usage.md)):
You can generate certificate that are not tied to containers environment variable by mounting a user configuration file inside the container at `/app/letsencrypt_user_data`. This feature also require sharing the `/etc/nginx/vhost.d` and `/etc/nginx/conf.d` folder between the **nginx-proxy** and **acme-companion** container (and the **docker-gen** container if you are running a [three container setup](./Advanced-usage.md)):
```bash
$ docker run --detach \
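Review bot: since the sentence is being rewritten anyway, fix the pre-existing grammar on the new line: "generate certificate that are not tied to containers environment variable" should be "generate certificates that are not tied to container environment variables", and "This feature also require sharing the `/etc/nginx/vhost.d` and `/etc/nginx/conf.d` folder" should be "also requires sharing the ... folders". It would also help to say here that, for standalone certificates, `/etc/nginx/vhost.d` is needed regardless of `ACME_HTTP_CHALLENGE_LOCATION`, which is what the new `if [[ -f /app/letsencrypt_user_data ]]` block in the entrypoint enforces.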
@ -14,6 +14,7 @@ $ docker run --detach \
--volume /var/run/docker.sock:/tmp/docker.sock:ro \
nginxproxy/nginx-proxy
```
```bash
$ docker run --detach \
--name nginx-proxy-acme \