From ba13e8bb5dce7fae318fa66e2513ba59bd9da4a4 Mon Sep 17 00:00:00 2001
From: mko <code@m-ko-x.de>
Date: Tue, 10 Feb 2015 22:52:04 +0100
Subject: [PATCH 1/6] added rewrite for 'www'-prefixed requests

---
 README.md  |  8 ++++++++
 nginx.tmpl | 10 ++++++++++
 2 files changed, 18 insertions(+)

diff --git a/README.md b/README.md
index d80e828..61fc8e6 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,13 @@
 ![nginx 1.7.8](https://img.shields.io/badge/nginx-1.7.8-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg)
 
+##Modifications
+
+To make Jason's nginx-proxy work for me, I changed:
+
+- added rewrite of 'www'-prefixed domains to 301 without prefix for both https and http protocol
+
+##Original 
+
 nginx-proxy sets up a container running nginx and [docker-gen][1].  docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped.
 
 See [Automated Nginx Reverse Proxy for Docker][2] for why you might want to use this.
diff --git a/nginx.tmpl b/nginx.tmpl
index d373ce3..d473290 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -83,6 +83,11 @@ upstream {{ $host }} {
 
 {{ if (and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}
 
+server {
+    server_name  www.{{ $host }};
+    rewrite ^(.*) https://{{ $host }}$1 permanent;
+}
+
 server {
 	server_name {{ $host }};
 	rewrite ^(.*) https://{{ $host }}$1 permanent;
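Review bot: The added `www.{{ $host }}` block has no `listen` directive, so it answers only on port 80; an HTTPS request for the www name never reaches it and is served by whichever server nginx falls back to on 443, with a certificate issued for a different name. If www over HTTPS is meant to be covered (the README entry mentions both protocols), the block needs `listen 443 ssl;` and a certificate valid for the www name. The block is also emitted unconditionally, here and in the hunk at -114, so a container that declares `www.<host>` as its own VIRTUAL_HOST would probably collide with it. The enclosing `range` and `if` start outside the hunk.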
@@ -114,6 +119,11 @@ server {
 }
 {{ else }}
 
+server {
+    server_name  www.{{ $host }};
+    rewrite ^(.*) http://{{ $host }}$1 permanent;
+}
+
 server {
 	server_name {{ $host }};
 

From 613b517f6ffdc91feea26b400938d0c961dc5443 Mon Sep 17 00:00:00 2001
From: mko <code@m-ko-x.de>
Date: Tue, 17 Feb 2015 22:01:57 +0100
Subject: [PATCH 2/6] Increase client max body size to 10MB

---
 Dockerfile | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 48a6949..2936e4a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
 FROM nginx:1.7.8
-MAINTAINER Jason Wilder jwilder@litl.com
+MAINTAINER https://m-ko-x.de Markus Kosmal <code@m-ko-x.de>
 
-# Install wget and install/updates certificates
+# install packages
 RUN apt-get update \
  && apt-get install -y -q --no-install-recommends \
     ca-certificates \
@@ -12,7 +12,8 @@ RUN apt-get update \
 # Configure Nginx and apply fix for very long server names
 RUN echo "daemon off;" >> /etc/nginx/nginx.conf \
  && sed -i 's/^http {/&\n    server_names_hash_bucket_size 128;/g' /etc/nginx/nginx.conf
-
+ && sed -i 's/^http {/&\n    client_max_body_size 10m;/g' /etc/nginx/nginx.conf 
+ 
  # Install Forego
 RUN wget -P /usr/local/bin https://godist.herokuapp.com/projects/ddollar/forego/releases/current/linux-amd64/forego \
  && chmod u+x /usr/local/bin/forego
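Review bot: The `server_names_hash_bucket_size` sed line ends without a trailing `\`, so the RUN instruction stops there and the added `&& sed -i ... client_max_body_size 10m; ...` line is read as a new Dockerfile instruction rather than a continuation; the build should fail at that line. Ending the preceding line with ` \` fixes it. The follow-up hunk in PATCH 3/6 changes the sed pattern but keeps the same missing continuation.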

From b15900b28b640ba6c4a2f700386630f93ccc702a Mon Sep 17 00:00:00 2001
From: mko <code@m-ko-x.de>
Date: Tue, 17 Feb 2015 22:27:18 +0100
Subject: [PATCH 3/6] fix replace

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 2936e4a..6c3d6c4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,7 +12,7 @@ RUN apt-get update \
 # Configure Nginx and apply fix for very long server names
 RUN echo "daemon off;" >> /etc/nginx/nginx.conf \
  && sed -i 's/^http {/&\n    server_names_hash_bucket_size 128;/g' /etc/nginx/nginx.conf
- && sed -i 's/^http {/&\n    client_max_body_size 10m;/g' /etc/nginx/nginx.conf 
+ && sed -i 's/#gzip  on;/&\n    client_max_body_size 10m;/g' /etc/nginx/nginx.conf 
  
  # Install Forego
 RUN wget -P /usr/local/bin https://godist.herokuapp.com/projects/ddollar/forego/releases/current/linux-amd64/forego \
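Review bot: The new pattern anchors on the commented-out `#gzip  on;` line of the base image's nginx.conf, including its exact double space, and `sed -i` exits successfully when nothing matches, so a changed base image would silently drop the body-size limit. Appending a check such as `&& grep -q 'client_max_body_size' /etc/nginx/nginx.conf` to the same RUN chain would make the build fail instead. Setting the directive in the generated template is another option, and keeps it visible next to the rest of the proxy config.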

From 4c3122effe1130a3a6ca02d9a568f5b9c713630a Mon Sep 17 00:00:00 2001
From: mko <code@m-ko-x.de>
Date: Tue, 17 Feb 2015 23:00:22 +0100
Subject: [PATCH 4/6] hard coded max size

---
 Dockerfile | 1 -
 nginx.tmpl | 5 +++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 6c3d6c4..221a0a1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,7 +12,6 @@ RUN apt-get update \
 # Configure Nginx and apply fix for very long server names
 RUN echo "daemon off;" >> /etc/nginx/nginx.conf \
  && sed -i 's/^http {/&\n    server_names_hash_bucket_size 128;/g' /etc/nginx/nginx.conf
- && sed -i 's/#gzip  on;/&\n    client_max_body_size 10m;/g' /etc/nginx/nginx.conf 
  
  # Install Forego
 RUN wget -P /usr/local/bin https://godist.herokuapp.com/projects/ddollar/forego/releases/current/linux-amd64/forego \
diff --git a/nginx.tmpl b/nginx.tmpl
index d473290..9ad9791 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -84,16 +84,19 @@ upstream {{ $host }} {
 {{ if (and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}
 
 server {
+    client_max_body_size 1000m;
     server_name  www.{{ $host }};
     rewrite ^(.*) https://{{ $host }}$1 permanent;
 }
 
 server {
+    client_max_body_size 1000m;
 	server_name {{ $host }};
 	rewrite ^(.*) https://{{ $host }}$1 permanent;
 }
 
 server {
+    client_max_body_size 1000m;
 	server_name {{ $host }};
 	listen 443 ssl;
 
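Review bot: `client_max_body_size 1000m;` is a hundred times the 10m used in the earlier patches of this series, and it is hard-coded in every generated server block, including the redirect-only ones here and in the hunk at -120 that never forward a request body. On a shared reverse proxy this allows any client to send uploads of up to roughly 1 GB towards every backend, which widens the room for bandwidth and disk exhaustion. A single directive at http level with a conservative default, raised only for the vhosts that need it, would be easier to audit. The 443 server block continues outside the hunk.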
@@ -120,11 +123,13 @@ server {
 {{ else }}
 
 server {
+    client_max_body_size 1000m;
     server_name  www.{{ $host }};
     rewrite ^(.*) http://{{ $host }}$1 permanent;
 }
 
 server {
+    client_max_body_size 1000m;
 	server_name {{ $host }};
 
 	location / {

From 7984b7a7627ee8f22caee661177131a84406c89c Mon Sep 17 00:00:00 2001
From: mko <code@m-ko-x.de>
Date: Sun, 22 Feb 2015 10:31:23 +0100
Subject: [PATCH 5/6] extended configuration options

Optionally configure via new env vars:
- max client body size
- basic authentication message in prompt
- ssl session timeout
- http no service status code

- auto redirect according to prefixes
- set the prefix to auto aim at
- set redirect direction from prefixed to without-prefix and vice-versa

default behaviour stays as before
---
 Dockerfile | 18 +++++++++++++++++
 nginx.tmpl | 59 +++++++++++++++++++++++++++++++++++++-----------------
 2 files changed, 59 insertions(+), 18 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 221a0a1..a02c5bc 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,24 @@
 FROM nginx:1.7.8
 MAINTAINER https://m-ko-x.de Markus Kosmal <code@m-ko-x.de>
 
+# set max size within a body
+ENV GLOB_MAX_BODY_SIZE "10m"
+# set default msg set within basic auth msg
+ENV GLOB_AUTH_MSG "Restricted :"
+# set default session timeout
+ENV GLOB_SSL_SESSION_TIMEOUT "5m"
+# default return code for errors
+ENV GLOB_HTTP_NO_SERVICE "503"
+
+# enable some kind of prefix redirection
+ENV AUTO_REDIRECT_WITH_PREFIX_ENABLED false
+# set prefix to be used for auto redirect
+ENV AUTO_REDIRECT_PREFIX "www"
+# set direction
+# - 0: redirect from prefix to non-prefix
+# - 1: redirect from non-prefix to prefix
+ENV AUTO_REDIRECT_DIRECTION 0
+
 # install packages
 RUN apt-get update \
  && apt-get install -y -q --no-install-recommends \
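Review bot: The variable is declared as `GLOB_MAX_BODY_SIZE` here, but the template hunk in this commit refers to `Env.MAX_BODY_SIZE`, so the two names do not line up. `AUTO_REDIRECT_WITH_PREFIX_ENABLED false` and `AUTO_REDIRECT_DIRECTION 0` are stored as strings, like every environment value, so the template has to compare against `"false"` and `"0"` rather than a boolean or an integer. The comments could also state the accepted format, for example `# nginx size value such as 10m; 0 disables the check`.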
diff --git a/nginx.tmpl b/nginx.tmpl
index 9ad9791..bf3125e 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -21,6 +21,8 @@ log_format vhost '$host $remote_addr - $remote_user [$time_local] '
 access_log /proc/self/fd/1 vhost;
 error_log /proc/self/fd/2;
 
+client_max_body_size {{ "Env.MAX_BODY_SIZE" }};
+
 # HTTP 1.1 support
 proxy_http_version 1.1;
 proxy_buffering off;
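Review bot: `{{ "Env.MAX_BODY_SIZE" }}` is a quoted string constant in Go template syntax, so it renders the literal text `Env.MAX_BODY_SIZE` instead of the variable's value, and nginx will reject `client_max_body_size Env.MAX_BODY_SIZE;`. The same pattern is used for `ssl_session_timeout`, the `auth_basic` realm, the redirect prefix and the `eq "Env…" true` / `eq "Env…" 0` tests in the later hunks of this file, where the comparisons additionally mix a string with a boolean or an integer. The value has to come from a real lookup of the proxy's own environment (how the docker-gen version in use exposes it needs to be confirmed), and the rendered file should pass `nginx -t` before it is reloaded.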
@@ -34,7 +36,7 @@ proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
 server {
 	listen 80 default_server;
 	server_name _; # This is just an invalid value which will never trigger on a real hostname.
-	return 503;
+	return "Env.GLOB_HTTP_NO_SERVICE";
 }
 
 {{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }}
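Review bot: `return "Env.GLOB_HTTP_NO_SERVICE";` contains no template action at all, so the quoted text is written verbatim into the catch-all server and nginx receives a non-numeric return code, which should fail its config test. This block is the one that rejects requests for unknown host names, so a failure here is not limited to a single vhost. The same line is added to the 443 fallback server in the hunk at -144. Until a working substitution is in place, keeping `return 503;` is the safer choice.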
@@ -83,20 +85,34 @@ upstream {{ $host }} {
 
 {{ if (and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}
 
-server {
-    client_max_body_size 1000m;
-    server_name  www.{{ $host }};
-    rewrite ^(.*) https://{{ $host }}$1 permanent;
-}
+
+{{ if (eq "Env.AUTO_REDIRECT_WITH_PREFIX_ENABLED" true) }}
 
 server {
-    client_max_body_size 1000m;
+
+{{ if (eq "Env.AUTO_REDIRECT_DIRECTION" 0) }}
+
+    server_name  {{ "Env.AUTO_REDIRECT_PREFIX" }}.{{ $host }};
+    rewrite ^(.*) https://{{ $host }}$1 permanent;
+    
+{{ else }}
+
+    server_name {{ $host }};
+    rewrite ^(.*) https://{{ "Env.AUTO_REDIRECT_PREFIX" }}.{{ $host }}$1 permanent;
+    
+{{ end }} # AUTO_REDIRECT_DIRECTION end
+
+}
+
+{{ end }} # AUTO_REDIRECT_TARGET end
+
+# enforce ssl if enabled
+server {
 	server_name {{ $host }};
 	rewrite ^(.*) https://{{ $host }}$1 permanent;
 }
 
 server {
-    client_max_body_size 1000m;
 	server_name {{ $host }};
 	listen 443 ssl;
 
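Review bot: With `AUTO_REDIRECT_DIRECTION` set to 1 the new block declares `server_name {{ $host }};` on port 80, duplicating the "enforce ssl" block directly below it, and it redirects to `https://<prefix>.{{ $host }}` although no server in this hunk carries that name on 443. Clients would then be sent to a name answered by whatever server nginx falls back to on 443, presumably with a certificate for another host. The prefixed name should be added to the SSL server's `server_name` and covered by the certificate before anything redirects to it. The plain-HTTP variant in the hunk at -115 has the same duplicate `server_name`, and the 443 server block continues outside this hunk.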
@@ -104,7 +120,7 @@ server {
 	ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
 
 	ssl_prefer_server_ciphers on;
-	ssl_session_timeout 5m;
+	ssl_session_timeout {{ "Env.GLOB_SSL_SESSION_TIMEOUT" }};
 	ssl_session_cache shared:SSL:50m;
 
 	ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }};
@@ -115,27 +131,34 @@ server {
 	location / {
 		proxy_pass http://{{ $host }};
 		{{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }}
-		auth_basic	"Restricted {{ $host }}";
+		auth_basic	'{{ "Env.GLOB_AUTH_MSG" }} {{ $host }}';
 		auth_basic_user_file	{{ (printf "/etc/nginx/htpasswd/%s" $host) }};
 		{{ end }}
 	}
 }
 {{ else }}
 
-server {
-    client_max_body_size 1000m;
-    server_name  www.{{ $host }};
-    rewrite ^(.*) http://{{ $host }}$1 permanent;
-}
+{{ if (eq "Env.AUTO_REDIRECT_WITH_PREFIX_ENABLED" true) }}
+
+server {
+    {{ if (eq "Env.AUTO_REDIRECT_DIRECTION" 0) }}
+    server_name  {{ "Env.AUTO_REDIRECT_PREFIX" }}.{{ $host }};
+    rewrite ^(.*) http://{{ $host }}$1 permanent;
+    {{ else }}
+    server_name {{ $host }};
+    rewrite ^(.*) http://{{ "Env.AUTO_REDIRECT_PREFIX" }}.{{ $host }}$1 permanent;
+    {{ end }} # AUTO_REDIRECT_DIRECTION end
+}
+
+{{ end }} # AUTO_REDIRECT_WITH_PREFIX_ENABLED end
 
 server {
-    client_max_body_size 1000m;
 	server_name {{ $host }};
 
 	location / {
 		proxy_pass http://{{ $host }};
 		{{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }}
-		auth_basic	"Restricted {{ $host }}";
+		auth_basic	'{{ "Env.GLOB_AUTH_MSG" }} {{ $host }}';
 		auth_basic_user_file	{{ (printf "/etc/nginx/htpasswd/%s" $host) }};
 		{{ end }}
 	}
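Review bot: The `auth_basic` realm in both `location /` blocks touched by this hunk is now built from an environment value placed between single quotes, with nothing that escapes or validates it. Once the lookup resolves to the real value, a message containing `'`, `;` or `$` would change how nginx parses the directive. Restricting the value to a safe character set at container start, or escaping quotes in the template, keeps the generated config well-formed. The enclosing server block ends outside the hunk.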
@@ -144,7 +167,7 @@ server {
 server {
 	server_name {{ $host }};
 	listen 443 ssl;
-	return 503;
+	return "Env.GLOB_HTTP_NO_SERVICE";
 
 	{{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
 	ssl_certificate /etc/nginx/certs/default.crt;

From b1322d8771fefe3fbc78d9466277b7430e69453c Mon Sep 17 00:00:00 2001
From: mko <code@m-ko-x.de>
Date: Sun, 22 Feb 2015 10:38:06 +0100
Subject: [PATCH 6/6] Revert "extended configuration options"

This reverts commit 7984b7a7627ee8f22caee661177131a84406c89c.
---
 Dockerfile | 18 ------------------
 nginx.tmpl | 47 ++++++++++++-----------------------------------
 2 files changed, 12 insertions(+), 53 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index a02c5bc..221a0a1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,24 +1,6 @@
 FROM nginx:1.7.8
 MAINTAINER https://m-ko-x.de Markus Kosmal <code@m-ko-x.de>
 
-# set max size within a body
-ENV GLOB_MAX_BODY_SIZE "10m"
-# set default msg set within basic auth msg
-ENV GLOB_AUTH_MSG "Restricted :"
-# set default session timeout
-ENV GLOB_SSL_SESSION_TIMEOUT "5m"
-# default return code for errors
-ENV GLOB_HTTP_NO_SERVICE "503"
-
-# enable some kind of prefix redirection
-ENV AUTO_REDIRECT_WITH_PREFIX_ENABLED false
-# set prefix to be used for auto redirect
-ENV AUTO_REDIRECT_PREFIX "www"
-# set direction
-# - 0: redirect from prefix to non-prefix
-# - 1: redirect from non-prefix to prefix
-ENV AUTO_REDIRECT_DIRECTION 0
-
 # install packages
 RUN apt-get update \
  && apt-get install -y -q --no-install-recommends \
diff --git a/nginx.tmpl b/nginx.tmpl
index bf3125e..9ad9791 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -21,8 +21,6 @@ log_format vhost '$host $remote_addr - $remote_user [$time_local] '
 access_log /proc/self/fd/1 vhost;
 error_log /proc/self/fd/2;
 
-client_max_body_size {{ "Env.MAX_BODY_SIZE" }};
-
 # HTTP 1.1 support
 proxy_http_version 1.1;
 proxy_buffering off;
@@ -36,7 +34,7 @@ proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
 server {
 	listen 80 default_server;
 	server_name _; # This is just an invalid value which will never trigger on a real hostname.
-	return "Env.GLOB_HTTP_NO_SERVICE";
+	return 503;
 }
 
 {{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }}
@@ -85,34 +83,20 @@ upstream {{ $host }} {
 
 {{ if (and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}
 
-
-{{ if (eq "Env.AUTO_REDIRECT_WITH_PREFIX_ENABLED" true) }}
-
 server {
-
-{{ if (eq "Env.AUTO_REDIRECT_DIRECTION" 0) }}
-
-    server_name  {{ "Env.AUTO_REDIRECT_PREFIX" }}.{{ $host }};
+    client_max_body_size 1000m;
+    server_name  www.{{ $host }};
     rewrite ^(.*) https://{{ $host }}$1 permanent;
-    
-{{ else }}
-
-    server_name {{ $host }};
-    rewrite ^(.*) https://{{ "Env.AUTO_REDIRECT_PREFIX" }}.{{ $host }}$1 permanent;
-    
-{{ end }} # AUTO_REDIRECT_DIRECTION end
-
 }
 
-{{ end }} # AUTO_REDIRECT_TARGET end
-
-# enforce ssl if enabled
 server {
+    client_max_body_size 1000m;
 	server_name {{ $host }};
 	rewrite ^(.*) https://{{ $host }}$1 permanent;
 }
 
 server {
+    client_max_body_size 1000m;
 	server_name {{ $host }};
 	listen 443 ssl;
 
@@ -120,7 +104,7 @@ server {
 	ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
 
 	ssl_prefer_server_ciphers on;
-	ssl_session_timeout {{ "Env.GLOB_SSL_SESSION_TIMEOUT" }};
+	ssl_session_timeout 5m;
 	ssl_session_cache shared:SSL:50m;
 
 	ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }};
@@ -131,34 +115,27 @@ server {
 	location / {
 		proxy_pass http://{{ $host }};
 		{{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }}
-		auth_basic	'{{ "Env.GLOB_AUTH_MSG" }} {{ $host }}';
+		auth_basic	"Restricted {{ $host }}";
 		auth_basic_user_file	{{ (printf "/etc/nginx/htpasswd/%s" $host) }};
 		{{ end }}
 	}
 }
 {{ else }}
 
-{{ if (eq "Env.AUTO_REDIRECT_WITH_PREFIX_ENABLED" true) }}
-
 server {
-    {{ if (eq "Env.AUTO_REDIRECT_DIRECTION" 0) }}
-    server_name  {{ "Env.AUTO_REDIRECT_PREFIX" }}.{{ $host }};
+    client_max_body_size 1000m;
+    server_name  www.{{ $host }};
     rewrite ^(.*) http://{{ $host }}$1 permanent;
-    {{ else }}
-    server_name {{ $host }};
-    rewrite ^(.*) http://{{ "Env.AUTO_REDIRECT_PREFIX" }}.{{ $host }}$1 permanent;
-    {{ end }} # AUTO_REDIRECT_DIRECTION end
 }
 
-{{ end }} # AUTO_REDIRECT_WITH_PREFIX_ENABLED end
-
 server {
+    client_max_body_size 1000m;
 	server_name {{ $host }};
 
 	location / {
 		proxy_pass http://{{ $host }};
 		{{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }}
-		auth_basic	'{{ "Env.GLOB_AUTH_MSG" }} {{ $host }}';
+		auth_basic	"Restricted {{ $host }}";
 		auth_basic_user_file	{{ (printf "/etc/nginx/htpasswd/%s" $host) }};
 		{{ end }}
 	}
@@ -167,7 +144,7 @@ server {
 server {
 	server_name {{ $host }};
 	listen 443 ssl;
-	return "Env.GLOB_HTTP_NO_SERVICE";
+	return 503;
 
 	{{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
 	ssl_certificate /etc/nginx/certs/default.crt;