mirror/ nginx-proxy
1
0
Fork 0
mirror of https://github.com/nginx-proxy/nginx-proxy synced 2024-05-28 02:16:16 +02:00
Code Issues
728 Commits 9 Branches 30 Tags 23 MiB
Commit Graph

165 Commits

Author SHA1 Message Date
Remi Pichon fff84de367 Do not bind upstream with 'ingress' network 
Merging https://github.com/jwilder/nginx-proxy/pull/774 and a8ee64b059
 2017-08-10 12:30:00 +02:00
Teoh Han Hui 065dd7f1ea
Fix build 2017-07-31 17:46:58 +08:00
Steve Kamerman 0cc71fad49
Add dynamically-computed DNS resolvers to nginx (for PR #574) 2017-07-31 17:44:27 +08:00
耐小心 2eb2ae9c93 support fastcgi 2017-06-24 14:48:05 +08:00
耐小心 29fffd6de8 Revert "support fastcgi" 
This reverts commit 8ac755e1d6.
 2017-06-24 14:05:42 +08:00
NaiXiaoXin 8ac755e1d6 support fastcgi 2017-06-24 13:51:02 +08:00
Jason Wilder 02121df3b9 Merge pull request #589 from kamermans/feature_ssl_improvement 
SSL security enhancement
 2017-06-22 11:54:51 -06:00
Jason Wilder 57a33aaf8b Merge pull request #849 from Neilpang/Branch_0.6.0 
running proxy on host network
 2017-06-22 09:50:39 -06:00
Jason Wilder c41186a3a4 Merge branch 'master' into feature_ssl_improvement 2017-06-14 16:31:12 -06:00
neilpang a8ee64b059 running proxy on host network 2017-06-10 15:07:45 +08:00
Jason Wilder 4e4733f68e Trim $host and $proto before they are used 2017-06-09 12:55:39 -06:00
Steve Kamerman ad9af2884d Merged master, fixed BATS conflict 2017-03-06 10:48:12 -05:00
Jason Wilder 985c46d8b5 Merge pull request #679 from thomasleveil/issue-677 
regexp: use sha1 for upstream only if regexp is used
 2017-02-16 12:11:06 -07:00
Thomas LEVEIL f0951df040 optional IPv6 support 
Fix #127 and fix #717 by improving #713
 2017-02-15 11:50:16 +01:00
Marc Schreiber 8b67b2182f Add IPv6 listen address 2017-02-11 13:28:34 +01:00
Steve Kamerman d320b43476 Merged conflict in BATS SSL test 2017-01-26 13:46:11 -05:00
Thomas LEVEIL 3f6381d0fa regexp: use sha1 for upstream only if regexp is used 
avoid confusions such as in #677
 2017-01-14 11:40:33 +01:00
Steve Kamerman 276b4dbe3e Merge branch 'master' into feature_nohttps 2017-01-13 13:07:03 -05:00
Steve Kamerman dfdd67f5a4 Implemented background dhparam generation 2017-01-11 22:43:09 -05:00
Steve Kamerman f186815c2d Merged upstream 2017-01-11 22:42:35 -05:00
Jason Wilder 3d20c626c8 Merge pull request #359 from sw-double/master 
Set appropriate X-Forwarded-Ssl header
 2017-01-10 09:21:19 -07:00
Konstantin L 16c9853dc2 Set appropriate X-Forwarded-Ssl header. 2017-01-10 15:44:02 +01:00
Thomas LÉVEIL 019fa89c53 add comment to ease debugging 2017-01-10 10:10:46 +01:00
Thomas LEVEIL 1bfc1c85ce fix regexp in VIRTUAL_HOST using end-of-string matching () 2017-01-08 01:49:05 +01:00
Steve Kamerman fc7653bf3d Merge branch 'master' into feature_nohttps 2016-12-05 09:06:39 -05:00
Steve Kamerman b0de80d46b Moved config edits from Dockerfile to template 2016-10-03 10:21:31 -04:00
Steve Kamerman 374b1256cd Add HTTPS_METHOD=https to disable SSL site 2016-10-01 11:22:48 -04:00
Steve Kamerman d3a0da451a TLSv1 End-of-life pushed to June 30, 2018, rolled back for compatibility 2016-09-29 21:35:37 -04:00
Steve Kamerman c51c9980cf Removed TLS 1.0 as it is considered unsafe and must be disabled for PCI compliance 2016-09-29 19:52:20 -04:00
Steve Kamerman 6f2b3f1c54 Issue #586 Removed DES-based SSL ciphers 2016-09-29 17:10:17 -04:00
Steve Kamerman 9ef0bb3356 Comment typo 2016-09-29 16:06:53 -04:00
Steve Kamerman 124b8cd757 Honor upstream forwarded port if available 2016-09-29 11:33:21 -04:00
Steve Kamerman 6ebbdb10c7 Merge branch 'master' into feature_x_forwarded_port 2016-09-29 11:26:51 -04:00
Chulki Lee 4661bf4dd9 add ssl_session_tickets to default site 
Fixes #580
 2016-09-23 21:58:09 -07:00
pvlg fe9a538ec8 Replace "replace" to "trimSuffix" 
I have a domain key-mydomain.com. When I add domain www.key-mydomain.com with ssl cert I did not get the desired result. Function replace cut name ssl cert "www.key-mydomain.com.key" to "www-mydomain.com".
 2016-09-17 16:53:01 +03:00
mplx 37323320c8 do not enable HSTS for subdomains 2016-09-12 09:46:59 +02:00
Jason Wilder ec7169c112 Merge pull request #323 from pabra/master 
connect to uWSGI backends
 2016-09-09 14:16:08 -06:00
Ruben 87879c1ee2 Update ciphers and HTST settings to get A+ rating 
The default config gets you an 'A' rating. Cipher settings are copied from [Mozilla SSL Configartion Generator](https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.1&openssl=1.0.1t&hsts=yes&profile=intermediate)
 2016-09-01 11:34:56 +02:00
Steve Kamerman 2e29168d92 Added X-Forwarded-Port 2016-07-21 11:23:35 -04:00
Steve Kamerman fd127517b9 Added comments about httpoxy 2016-07-19 11:03:41 -04:00
Steve Kamerman 357d58ad97 Mitigate httpoxy attack (httpoxy.org, CVE-2016-(5385-5388,1000109-1000110) 2016-07-18 13:34:37 -04:00
Jason Wilder 580517725f Revert 9c93efa 2016-06-13 00:10:49 -06:00
Jason Wilder d1e6e1c0be Merge pull request #344 from schmunk42/feature/error-code 
changed error code for non-usable/default SSL cert, fixes #341
 2016-06-12 15:54:40 -06:00
Jason Wilder fc619d63ad Merge pull request #460 from kumy/patch-1 
Fix a typo in comment
 2016-06-12 15:28:40 -06:00
Jason Wilder c36b42933d Merge pull request #462 from kamermans/master 
Disable HSTS when HTTPS_METHOD=noredirect
 2016-06-12 15:28:08 -06:00
Jason Wilder 9c93efaef9 Fix template error when /etc/nginx/certs does not exist 2016-06-12 14:10:40 -06:00
Steve Kamerman da3e257843 Removed HSTS when HTTPS_METHOD=noredirect, added tests, improved docs wrt HSTS 2016-05-19 23:20:43 -04:00
kumy 8c76ea9f9b Fix a typo in comment 2016-05-17 01:46:46 +02:00
Jason Wilder 5b9264d945 Merge pull request #298 from kamermans/master 
Added env var to disable SSL redirect
 2016-05-01 17:45:45 -06:00
Baptiste Donaux ebab7cf2b9 [TEMPLATE] fix variable call 2016-02-23 13:59:30 +01:00
Baptiste Donaux 658e20f661 Support container in one network shared with current container 2016-02-05 09:16:43 +01:00
Tobias Munk b4e5f780e3 changed error code for non-usable/default SSL cert, fixes #341 2016-01-21 12:31:03 +01:00
Baptiste Donaux a66115f560 Use new Network interface to support new overlay network 2016-01-17 12:29:55 +01:00
pabra 51c219d651 connect to uWSGI backends 2015-12-22 21:20:44 +01:00
Steve Kamerman 97c6340a9f Implemented HTTPS noredir 2015-11-20 17:37:06 -05:00
Steve Kamerman 9dd6ad8503 First try at HTTPS_METHOD 2015-11-20 16:53:50 -05:00
Marius Gundersen 1e0b930174 trim whitespace from host and port 
based on latest docker-gen
 2015-10-13 21:48:59 +02:00
Jonas Svatos 5c2280df84 fix condition for default config location 
Signed-off-by: Jonas Svatos <jonas.svatos@etnetera.cz>
 2015-10-08 12:03:28 +02:00
Mike Dillon 6b5e12a946 Add missing access_log statement to HTTPS fallback 2015-10-06 21:18:00 -07:00
Aleš Roubíček e06d5917a2 Use HTTP/2 instead of SPDY 2015-09-23 17:48:40 +02:00
Aleš Roubíček 249fb204f1 Use HTTP/2 instead of SPDY 2015-09-23 17:47:18 +02:00
Jason Wilder 8c193ba7e1 Merge pull request #215 from gradecam/feature/customize_improvements 
customizability improvements
 2015-09-12 15:23:53 -06:00
Jason Wilder bddb647b5f Merge pull request #230 from appropriate/remove_duplicate_access_log_entries 
Remove duplicate access log entries
 2015-09-12 15:12:31 -06:00
Mike Dillon 900a676af8 Move access_log from the http level to server 
This prevents duplicate access_log entries from being written for each request
 2015-09-03 08:33:33 -07:00
CoreOS Admin ae0da36d75 Fix bugs in config file from refactor 2015-08-29 18:38:43 -06:00
Ray Walker d066bd32e0 Fix for #188 - add SSL server block outside hosts loop 2015-08-26 18:35:47 +10:00
Ray Walker d3f56468b1 Fix for #188 - remove hostname from default SSL block 2015-08-26 12:49:59 +10:00
Mike Dillon 924fcd7984 Remove error_log setting from nginx.tmpl 
It's already set correctly in nginx.conf
 2015-08-23 09:00:23 -07:00
Richard Bateman 405f4876b9 As per pull request feedback, update names to be consistent 2015-08-14 12:26:19 -06:00
Richard Bateman d9ee7ed704 Add support for adding options to the location block of a vhost 2015-08-14 12:26:19 -06:00
Richard Bateman b131b00e19 Add support for vhosts.d/defaults file with default vhost options 
- Only used if it exists and a vhost-specific one doesn't
 2015-08-14 12:26:19 -06:00
Richard Bateman 2eff96969a Add support for overriding default proxy settings 
- If /etc/nginx/proxy.conf exists use that, otherwise use the default
 2015-08-14 12:26:07 -06:00
Wolfgang Ebner 6965b1ead4 fallback when DEFAULT_HOST is not set 2015-07-26 11:38:45 +02:00
Wolfgang Ebner b0647dd5e9 set default_server also for https 2015-07-24 10:39:56 +02:00
Viranch Mehta 4f5351265a Use define & template for re-usable blocks of upstream server template 2015-07-15 20:51:10 +05:30
Viranch Mehta 784507df1a Cascade two else blocks into one using coalesce on VIRTUAL_PORT and 80 
This also takes care of the case when VIRTUAL_PORT is not actually
exposed.
 2015-07-11 01:19:44 +05:30
Viranch Mehta c4923d1f58 Use container host's IP:port if we're connected to a swarm master 2015-07-04 18:43:52 +05:30
Mike Dillon f36ca3d7a3 Prevent generating broken config 
Fixes #115
 2015-06-23 17:05:12 -07:00
Kuo-Cheng Yeu d74a4146c8 fix indention, and file nameing 2015-05-21 23:43:09 +08:00
Kuo-Cheng Yeu a10d1b50bf add support for ssl_dhparams to prevent 'Logjam' attack 2015-05-21 15:19:58 +08:00
Jason Wilder 503072c03f Merge pull request #72 from BenHall/default_host 
Ability to set a default host for nginx
 2015-05-14 10:00:04 -06:00
Markus Kosmal b680fb003e Close marker instead of empty 2015-05-09 23:15:26 +02:00
Kuo-Cheng Yeu 4d2403b5d7 Add SPDY support 2015-04-29 14:41:25 +08:00
Jason Wilder 4a99ac5548 Remove includeSubdomains from HSTS header 
includeSubdomains can lead to issues where not all subdomains are
able to use HTTPS.  This options might be too strict for the general
case: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security.
It can be re-enabled w/ a custom template if needed.

Fixes #109
 2015-02-28 15:50:59 -07:00
Mike Dillon aa5dfdb3d5 Fix HTTP->HTTPS redirect for wildcard hosts 
Uses Nginx's $host instead of interpolating `{{ $host }}` in the template
 2015-02-25 10:29:59 -08:00
Jason Wilder d831c058f3 Merge pull request #106 from md5/per-vhost-includes 
Per VIRTUAL_HOST configuration files
 2015-02-23 12:20:55 -07:00
Jason Wilder c3534b7195 Merge pull request #91 from pirelenito/master 
fixes SSL support while mixing HTTPS and non-HTTPS hosts
 2015-02-22 15:00:48 -07:00
Mike Dillon 2010332395 Support per-VIRTUAL_HOST Nginx conf files 2015-02-22 09:25:50 -08:00
Mike Dillon 6c3b3c87be Support VIRTUAL_PROTO=https for HTTPS backends 2015-02-14 16:02:39 -08:00
Paulo Ragonha 37e4a0d00e fixes SSL support while mixing HTTPS and non-HTTPS services 
nginx was throwing the following error: `no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking`

ref: https://github.com/jwilder/nginx-proxy/issues/74
 2015-01-22 14:37:10 -02:00
Åsmund Grammeltvedt 36039f8e13 Gzip application/javascript 
As per RFC4329, nginx uses application/javascript as the default MIME
type for .js files. Nginx-proxy will now gzip these files if the client
requests it.
 2015-01-05 13:31:26 +01:00
Ben Hall 30a53fb60a Ability to set a default host for nginx 2014-12-24 12:21:40 +00:00
Albert Murillo Aguirre 6d646d92f8 Basic Authentication Support 2014-12-19 16:26:42 -07:00
Mike Dillon ac1f2d8875 Include Host or SERVER_NAME in logs 2014-12-06 17:46:25 -08:00
Mike Dillon 54b9043323 Remove redundant access_log and error_log 2014-12-06 17:45:59 -08:00
Jason Wilder 080a5157e6 Remove OCSP stapling 
Looks like it was not actually working before and failing silently
because ssl_trusted_certificate was not specified.  Will need to
revisit implementing this functionality so removing it for now
to prevent the warnings logged by nginx now.
 2014-12-03 11:06:11 -07:00
Jason Wilder 0580726415 Ensure cert exists before referencing it 2014-12-02 23:29:00 -07:00
Jason Wilder 2e43a5459b Add SSL support 
This adds SSL support for containers.  It supports single host
certificates, wildcards and SNI using naming conventions for
certificates or optionally specify a cert name (for SNI).  The SSL
cipher configuration is based on mozilla intermediate profile which
should provide compatibility with clients back to Firefox 1, Chrome 1,
IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7.  The
configuration also enables OCSP stapling, HSTS, and ssl session caches.

To enable SSL, nginx-proxy should be started w/ -p 443:443 and -v
/path/to/certs:/etc/nginx/certs.  Certificates must be named:
<virtualhost>.crt and <virtualhost>.key where <virtualhost> matches
the a value of VIRTUAL_HOST on a container.

For wildcard certificates, the certificate and private key should be
named after the wildcard domain with .crt and .key suffixes.  For example,
*.example.com should be name example.com.crt and example.com.key.

For SNI where a certificate may be used for multiple domain names, the
container can specify a CERT_NAME env var that corresponds to the base
file name of the certificate and key.  For example, if you have a cert
allowing *.example.com and *.bar.com, it can be name shared.crt and
shared.key.  A container can use that cert by having CERT_NAME=shared and
VIRTUAL_HOST=foo.example.com.  The name "shared" is arbitrary and can
be whatever makes sense.

The behavior for the proxy when port 80 and 443 is defined is as
follows:

* If a container has a usable cert, port 80 will redirect to
443 for that container to always prefer HTTPS when available.
* If the container does not have a usable cert 503 will be returned.

In the last case, a self-signed or generic cert can be defined as
"default.crt" and "default.key" which will allow a client browser to
at least make a SSL connection.
 2014-11-27 12:49:38 -07:00
Mike Dillon 0306692b31 Move gzip_types, access_log, and error_log to http 2014-11-25 16:56:16 -08:00
Mike Dillon a84aee4a84 Drop unused index variables from range statement 2014-11-25 16:56:16 -08:00