From 4b22ccdc81248969e007d295a4bf989bd5170065 Mon Sep 17 00:00:00 2001 From: Pan Teparak Date: Sun, 27 Aug 2017 04:40:35 +0700 Subject: [PATCH 01/83] Add ability to opt-out dh param auto generation --- docker-entrypoint.sh | 3 ++- generate-dhparam.sh | 6 ++++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 2afd5bf..ed0750f 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -16,7 +16,8 @@ fi # Generate dhparam file if required # Note: if $DHPARAM_BITS is not defined, generate-dhparam.sh will use 2048 as a default -/app/generate-dhparam.sh $DHPARAM_BITS +# Note2: if $GENERATE_DHPARAM is set to false in environment variable, dh param generator will skip completely +/app/generate-dhparam.sh $DHPARAM_BITS $GENERATE_DHPARAM # Compute the DNS resolvers for use in the templates export RESOLVERS=$(awk '$1 == "nameserver" {print $2}' ORS=' ' /etc/resolv.conf | sed 's/ *$//g') diff --git a/generate-dhparam.sh b/generate-dhparam.sh index 3fdc77c..67319a4 100755 --- a/generate-dhparam.sh +++ b/generate-dhparam.sh @@ -2,6 +2,7 @@ # The first argument is the bit depth of the dhparam, or 2048 if unspecified DHPARAM_BITS=${1:-2048} +GENERATE_DHPARAM=${2:-true} # If a dhparam file is not available, use the pre-generated one and generate a new one in the background. # Note that /etc/nginx/dhparam is a volume, so this dhparam will persist restarts. @@ -25,6 +26,11 @@ if [[ -f $DHPARAM_FILE ]]; then fi fi +if [[ $GENERATE_DHPARAM =~ ^[Ff][Aa][Ll][Ss][Ee]$ ]]; then + echo "Skipping Diffie-Hellman parameters generation and Ignoring pre-generated dhparam.pem" + exit 0 +fi + cat >&2 <<-EOT WARNING: $DHPARAM_FILE was not found. A pre-generated dhparam.pem will be used for now while a new one is being generated in the background. Once the new dhparam.pem is in place, nginx will be reloaded. From 09271a333ae8be4f3bee6ddf54dc2c0876ab0e91 Mon Sep 17 00:00:00 2001 
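Review bot: The new call `/app/generate-dhparam.sh $DHPARAM_BITS $GENERATE_DHPARAM` passes both variables unquoted, so when DHPARAM_BITS is unset the opt-out value shifts into `$1` and generate-dhparam.sh reads it as the bit size (`DHPARAM_BITS=${1:-2048}`) while `$2` falls back to `true`; `-e GENERATE_DHPARAM=false` on its own therefore does not opt out and hands the word `false` to openssl. Quoting keeps the positions stable, because an empty first argument still triggers the `${1:-2048}` default: `/app/generate-dhparam.sh "${DHPARAM_BITS:-}" "${GENERATE_DHPARAM:-}"`. The same applies to the renamed call in PATCH 04 (`"${DHPARAM_BITS:-}" "${DHPARAM_GENERATION:-}"`).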
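Review bot: The skip message inside the new `if [[ $GENERATE_DHPARAM =~ ^[Ff][Aa][Ll][Ss][Ee]$ ]]` block is written to stdout with a plain `echo`, while the WARNING immediately below it goes to stderr via `cat >&2 <<-EOT`; diagnostics from this script should share one stream, `echo "Skipping Diffie-Hellman parameters generation and Ignoring pre-generated dhparam.pem" >&2`. The pattern also honours only the literal `false` (case-insensitively), so `0`, `no` or `off` fall through to generation without any message; either state in the README that only `false` is recognised or widen the match. The check sits after the `if [[ -f $DHPARAM_FILE ]]` block, so the branch for an already-present file (outside this hunk) still runs first.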
From: Pan Teparak Date: Sun, 27 Aug 2017 04:40:47 +0700 Subject: [PATCH 02/83] Update Readme --- README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 639289c..91229c4 100644 --- a/README.md +++ b/README.md @@ -152,6 +152,10 @@ Finally, start your containers with `VIRTUAL_HOST` environment variables. [letsencrypt-nginx-proxy-companion](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion) is a lightweight companion container for the nginx-proxy. It allow the creation/renewal of Let's Encrypt certificates automatically. +Set `GENERATE_DHPARAM` environment variable to `false` to disabled Diffie-Hellman parameters completely. This will also ignore auto-generation made by `nginx-proxy`. +The default value is `true` + + $ docker run -e GENERATE_DHPARAM=false .... ### SSL Support SSL is supported using single host, wildcard and SNI certificates using naming conventions for @@ -359,4 +363,4 @@ If your system has the `make` command, you can automate those tasks by calling: make test -You can learn more about how the test suite works and how to write new tests in the [test/README.md](test/README.md) file. +You can learn more about how the test suite works and how to write new tests in the [test/README.md](test/README.md) file. \ No newline at end of file From a3b1d5b7ab6788c4d1d4fc62a841cf1e0c9b2774 Mon Sep 17 00:00:00 2001 From: Pan Teparak Date: Sun, 27 Aug 2017 13:19:29 +0700 Subject: [PATCH 03/83] Trigger Build From 31d2ed172b2f306e0662b6d84caf486f10866089 Mon Sep 17 00:00:00 2001 From: Pan Teparak Date: Sun, 24 Sep 2017 15:13:24 +0700 Subject: [PATCH 04/83] Change ENV variable from GENERATE_DHPARAM to DHPARAM_GENERATION --- docker-entrypoint.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index ed0750f..ea10d4e 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh 
@@ -16,8 +16,8 @@ fi # Generate dhparam file if required # Note: if $DHPARAM_BITS is not defined, generate-dhparam.sh will use 2048 as a default -# Note2: if $GENERATE_DHPARAM is set to false in environment variable, dh param generator will skip completely -/app/generate-dhparam.sh $DHPARAM_BITS $GENERATE_DHPARAM +# Note2: if $DHPARAM_GENERATION is set to false in environment variable, dh param generator will skip completely +/app/generate-dhparam.sh $DHPARAM_BITS $DHPARAM_GENERATION # Compute the DNS resolvers for use in the templates export RESOLVERS=$(awk '$1 == "nameserver" {print $2}' ORS=' ' /etc/resolv.conf | sed 's/ *$//g') From 92379d8131191fc2787df07a1d9938f4973fe753 Mon Sep 17 00:00:00 2001 From: Pan Teparak Date: Sun, 24 Sep 2017 15:15:00 +0700 Subject: [PATCH 05/83] Update Readme --- README.md | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 91229c4..fa90955 100644 --- a/README.md +++ b/README.md 
@@ -150,12 +150,12 @@ Finally, start your containers with `VIRTUAL_HOST` environment variables. $ docker run -e VIRTUAL_HOST=foo.bar.com ... ### SSL Support using letsencrypt -[letsencrypt-nginx-proxy-companion](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion) is a lightweight companion container for the nginx-proxy. It allow the creation/renewal of Let's Encrypt certificates automatically. +[letsencrypt-nginx-proxy-companion](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion) is a lightweight companion container for the nginx-proxy. It allow the creation/renewal of Let's Encrypt certificates automatically. -Set `GENERATE_DHPARAM` environment variable to `false` to disabled Diffie-Hellman parameters completely. This will also ignore auto-generation made by `nginx-proxy`. +Set `DHPARAM_GENERATION` environment variable to `false` to disabled Diffie-Hellman parameters completely. This will also ignore auto-generation made by `nginx-proxy`. The default value is `true` - $ docker run -e GENERATE_DHPARAM=false .... + $ docker run -e DHPARAM_GENERATION=false .... ### SSL Support SSL is supported using single host, wildcard and SNI certificates using naming conventions for @@ -187,7 +187,7 @@ at startup. Since it can take minutes to generate a new `dhparam.pem`, it is do background. Once generation is complete, the `dhparams.pem` is saved on a persistent volume and nginx is reloaded. This generation process only occurs the first time you start `nginx-proxy`. -> COMPATIBILITY WARNING: The default generated `dhparam.pem` key is 2048 bits for A+ security. Some +> COMPATIBILITY WARNING: The default generated `dhparam.pem` key is 2048 bits for A+ security. Some > older clients (like Java 6 and 7) do not support DH keys with over 1024 bits. In order to support these > clients, you must either provide your own `dhparam.pem`, or tell `nginx-proxy` to generate a 1024-bit > key on startup by passing `-e DHPARAM_BITS=1024`. 
@@ -210,7 +210,7 @@ The SSL cipher configuration is based on the [Mozilla nginx intermediate profile should provide compatibility with clients back to Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7. Note that the DES-based TLS ciphers were removed for security. The configuration also enables HSTS, PFS, OCSP stapling and SSL session caches. Currently TLS 1.0, 1.1 and 1.2 -are supported. TLS 1.0 is deprecated but its end of life is not until June 30, 2018. It is being +are supported. TLS 1.0 is deprecated but its end of life is not until June 30, 2018. It is being included because the following browsers will stop working when it is removed: Chrome < 22, Firefox < 27, IE < 11, Safari < 7, iOS < 5, Android Browser < 5. 
@@ -227,12 +227,12 @@ a 500. To serve traffic in both SSL and non-SSL modes without redirecting to SSL, you can include the environment variable `HTTPS_METHOD=noredirect` (the default is `HTTPS_METHOD=redirect`). You can also -disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`, or disable the HTTPS site with -`HTTPS_METHOD=nohttps`. `HTTPS_METHOD` must be specified on each container for which you want to -override the default behavior. If `HTTPS_METHOD=noredirect` is used, Strict Transport Security (HSTS) -is disabled to prevent HTTPS users from being redirected by the client. If you cannot get to the HTTP -site after changing this setting, your browser has probably cached the HSTS policy and is automatically -redirecting you back to HTTPS. You will need to clear your browser's HSTS cache or use an incognito +disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`, or disable the HTTPS site with +`HTTPS_METHOD=nohttps`. `HTTPS_METHOD` must be specified on each container for which you want to +override the default behavior. If `HTTPS_METHOD=noredirect` is used, Strict Transport Security (HSTS) +is disabled to prevent HTTPS users from being redirected by the client. If you cannot get to the HTTP +site after changing this setting, your browser has probably cached the HSTS policy and is automatically +redirecting you back to HTTPS. You will need to clear your browser's HSTS cache or use an incognito window / different browser. ### Basic Authentication Support @@ -348,7 +348,7 @@ Before submitting pull requests or issues, please check github to make sure an e To run tests, you need to prepare the docker image to test which must be tagged `jwilder/nginx-proxy:test`: docker build -t jwilder/nginx-proxy:test . # build the Debian variant image - + and call the [test/pytest.sh](test/pytest.sh) script. Then build the Alpine variant of the image: 
@@ -361,6 +361,6 @@ and call the [test/pytest.sh](test/pytest.sh) script again. If your system has the `make` command, you can automate those tasks by calling: make test - -You can learn more about how the test suite works and how to write new tests in the [test/README.md](test/README.md) file. \ No newline at end of file + +You can learn more about how the test suite works and how to write new tests in the [test/README.md](test/README.md) file. From 4932ef30360f2a8baf78fb0f8f3efc92b8a06179 Mon Sep 17 00:00:00 2001 From: C-A de Salaberry Date: Fri, 10 Nov 2017 18:36:03 +0100 Subject: [PATCH 06/83] Upd: Boost worker_connections from 1024 to 10240. --- Dockerfile | 3 ++- Dockerfile.alpine | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 149fb90..584040e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -12,7 +12,8 @@ RUN apt-get update \ # Configure Nginx and apply fix for very long server names RUN echo "daemon off;" >> /etc/nginx/nginx.conf \ - && sed -i 's/worker_processes 1/worker_processes auto/' /etc/nginx/nginx.conf + && sed -i 's/worker_processes 1/worker_processes auto/' /etc/nginx/nginx.conf \ + && sed -i 's/worker_connections 1024/worker_connections 10240/' /etc/nginx/nginx.conf # Install Forego ADD https://github.com/jwilder/forego/releases/download/v0.16.1/forego /usr/local/bin/forego diff --git a/Dockerfile.alpine b/Dockerfile.alpine index fce6aae..5294e59 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine 
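Review bot: The added `sed -i 's/worker_connections 1024/worker_connections 10240/' /etc/nginx/nginx.conf` is a silent no-op if a future base image no longer ships that exact string, so the build would still succeed while the proxy keeps 1024 connections; make the build fail instead, e.g. `&& grep -q 'worker_connections 10240' /etc/nginx/nginx.conf`. Raising the value to 10240 also assumes the worker's open-file limit allows it; nginx warns at startup when worker_connections exceeds the available descriptors, so pairing it with a `worker_rlimit_nofile` directive may be needed depending on the container's ulimit (not visible here). The same hunk is repeated in Dockerfile.alpine in this patch.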
@@ -9,7 +9,8 @@ RUN apk add --no-cache --virtual .run-deps \ # Configure Nginx and apply fix for very long server names RUN echo "daemon off;" >> /etc/nginx/nginx.conf \ - && sed -i 's/worker_processes 1/worker_processes auto/' /etc/nginx/nginx.conf + && sed -i 's/worker_processes 1/worker_processes auto/' /etc/nginx/nginx.conf \ + && sed -i 's/worker_connections 1024/worker_connections 10240/' /etc/nginx/nginx.conf # Install Forego ADD https://github.com/jwilder/forego/releases/download/v0.16.1/forego /usr/local/bin/forego From 0f27ed800c442ddaaa4494e19b1ad7c5de0142a4 Mon Sep 17 00:00:00 2001 From: Ivo von Putzer Reibegg Date: Wed, 14 Feb 2018 21:14:25 +0100 Subject: [PATCH 07/83] fixes typo spotted a typo within the readme ;) cheers --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c44bf80..d472ca3 100644 --- a/README.md +++ b/README.md @@ -132,7 +132,7 @@ If you would like to connect to FastCGI backend, set `VIRTUAL_PROTO=fastcgi` on backend container. Your backend container should then listen on a port rather than a socket and expose that port. -### FastCGI Filr Root Directory +### FastCGI File Root Directory If you use fastcgi,you can set `VIRTUAL_ROOT=xxx` for your root directory From f68383add91a57ec06757bba4787447181298be2 Mon Sep 17 00:00:00 2001 From: Mario Carbajal Date: Tue, 27 Mar 2018 21:18:45 -0300 Subject: [PATCH 08/83] Set DISABLE_ACCESS_LOGS to disable access logs --- nginx.tmpl | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/nginx.tmpl b/nginx.tmpl index bdb2de8..c64ac3d 100644 --- a/nginx.tmpl +++ b/nginx.tmpl 
@@ -88,6 +88,8 @@ proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port; proxy_set_header Proxy ""; {{ end }} +{{ $access_log := (or (and (not $.Env.DISABLE_ACCESS_LOGS) "access_log /var/log/nginx/access.log vhost;") "") }} + {{ $enable_ipv6 := eq (or ($.Env.ENABLE_IPV6) "") "true" }} server { server_name _; # This is just an invalid value which will never trigger on a real hostname. @@ -95,7 +97,7 @@ server { {{ if $enable_ipv6 }} listen [::]:80; {{ end }} - access_log /var/log/nginx/access.log vhost; + {{ $access_log }} return 503; } @@ -106,7 +108,7 @@ server { {{ if $enable_ipv6 }} listen [::]:443 ssl http2; {{ end }} - access_log /var/log/nginx/access.log vhost; + {{ $access_log }} return 503; ssl_session_tickets off; @@ -197,7 +199,7 @@ server { {{ if $enable_ipv6 }} listen [::]:80 {{ $default_server }}; {{ end }} - access_log /var/log/nginx/access.log vhost; + {{ $access_log }} return 301 https://$host$request_uri; } {{ end }} @@ -208,7 +210,7 @@ server { {{ if $enable_ipv6 }} listen [::]:443 ssl http2 {{ $default_server }}; {{ end }} - access_log /var/log/nginx/access.log vhost; + {{ $access_log }} {{ if eq $network_tag "internal" }} # Only allow traffic from internal clients @@ -306,7 +308,7 @@ server { {{ if $enable_ipv6 }} listen [::]:80 {{ $default_server }}; {{ end }} - access_log /var/log/nginx/access.log vhost; + {{ $access_log }} {{ if eq $network_tag "internal" }} # Only allow traffic from internal clients @@ -349,7 +351,7 @@ server { {{ if $enable_ipv6 }} listen [::]:443 ssl http2 {{ $default_server }}; {{ end }} - access_log /var/log/nginx/access.log vhost; + {{ $access_log }} return 500; ssl_certificate /etc/nginx/certs/default.crt; From 1c7ccc473f9be71981e9c05a9869212318132c7d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E8=80=90=E5=B0=8F=E5=BF=83?= Date: Fri, 30 Mar 2018 09:47:57 +0800 Subject: [PATCH 09/83] fix fastcgi bug --- nginx.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
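Review bot: `$access_log` is derived from `(not $.Env.DISABLE_ACCESS_LOGS)`, which is false for any non-empty value, so `DISABLE_ACCESS_LOGS=false` or `DISABLE_ACCESS_LOGS=0` also switch the access log off; the `ENABLE_IPV6` line just below compares against `"true"` explicitly and this flag should do the same, e.g. `{{ $access_log := (or (and (ne (or ($.Env.DISABLE_ACCESS_LOGS) "") "true") "access_log /var/log/nginx/access.log vhost;") "") }}`. Rendering an empty string in the server blocks may also not disable anything: nginx's `access_log` directive is inherited from the enclosing `http` context, so if the base nginx.conf defines one (I believe the official image does) those blocks would log there instead, whereas `access_log off;` is the explicit form. Since losing per-vhost access logs silently matters for incident investigation, the chosen semantics should be documented in the README alongside the new variable.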
diff --git a/nginx.tmpl b/nginx.tmpl index bdb2de8..5df0dd8 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -278,7 +278,7 @@ server { uwsgi_pass {{ trim $proto }}://{{ trim $upstream_name }}; {{ else if eq $proto "fastcgi" }} root {{ trim $vhost_root }}; - include fastcgi.conf; + include fastcgi_params; fastcgi_pass {{ trim $upstream_name }}; {{ else }} proxy_pass {{ trim $proto }}://{{ trim $upstream_name }}; From 59aa78a4a6914f35b0ccbb6d1b77112cb1dabb83 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E8=80=90=E5=B0=8F=E5=BF=83?= Date: Tue, 17 Apr 2018 21:52:58 +0800 Subject: [PATCH 10/83] fix fastcgi bug --- nginx.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx.tmpl b/nginx.tmpl index 5df0dd8..674be5c 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -325,7 +325,7 @@ server { uwsgi_pass {{ trim $proto }}://{{ trim $upstream_name }}; {{ else if eq $proto "fastcgi" }} root {{ trim $vhost_root }}; - include fastcgi.conf; + include fastcgi_params; fastcgi_pass {{ trim $upstream_name }}; {{ else }} proxy_pass {{ trim $proto }}://{{ trim $upstream_name }}; From cb2b0e2bd33d85cb16ac11e144d6b6f4fc38f5a4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matthias=20Do=CC=88ring?= Date: Wed, 6 Jun 2018 00:56:47 +0200 Subject: [PATCH 11/83] Upgrade to nginx 1.14 stable --- Dockerfile | 2 +- Dockerfile.alpine | 2 +- README.md | 2 +- test/certs/create_server_certificate.sh | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 60f3b5b..295c06b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM nginx:1.13 +FROM nginx:1.14 LABEL maintainer="Jason Wilder mail@jasonwilder.com" # Install wget and install/updates certificates diff --git a/Dockerfile.alpine b/Dockerfile.alpine index c65f88c..ba93de7 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine @@ -1,4 +1,4 @@ -FROM nginx:1.13-alpine +FROM nginx:1.14-alpine LABEL maintainer="Jason Wilder mail@jasonwilder.com" # Install wget and install/updates certificates 
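Review bot: Replacing `include fastcgi.conf;` with `include fastcgi_params;` drops `SCRIPT_FILENAME`: in nginx's stock distribution fastcgi.conf is fastcgi_params plus `fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;`, so after this change the backend only gets SCRIPT_FILENAME if it derives it itself. If the goal is to avoid a duplicate parameter from a custom config, keep the include and add `fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;` directly after it, and say in the commit message which bug "fix fastcgi bug" refers to so the change can be verified. PATCH 10 makes the identical change in the second server block, while PATCH 17 later still carries `include fastcgi.conf;` as context, so that patch will not apply cleanly on top of these two.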
diff --git a/README.md b/README.md index 054b4d1..5c83548 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ ![latest 0.7.0](https://img.shields.io/badge/latest-0.7.0-green.svg?style=flat) -![nginx 1.13](https://img.shields.io/badge/nginx-1.13-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') +![nginx 1.14](https://img.shields.io/badge/nginx-1.14-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped. diff --git a/test/certs/create_server_certificate.sh b/test/certs/create_server_certificate.sh index bffc27e..7473552 100755 --- a/test/certs/create_server_certificate.sh +++ b/test/certs/create_server_certificate.sh 
@@ -24,7 +24,7 @@ fi # Create a nginx container (which conveniently provides the `openssl` command) ############################################################################### -CONTAINER=$(docker run -d -v $DIR:/work -w /work -e SAN="$ALTERNATE_DOMAINS" nginx:1.13) +CONTAINER=$(docker run -d -v $DIR:/work -w /work -e SAN="$ALTERNATE_DOMAINS" nginx:1.14) # Configure openssl docker exec $CONTAINER bash -c ' mkdir -p /ca/{certs,crl,private,newcerts} 2>/dev/null From 07f4c66ee952ec5b05426dd253e8b74d2fa9aaf3 Mon Sep 17 00:00:00 2001 From: "Kevin F. Konrad" Date: Fri, 22 Jun 2018 19:48:53 +0200 Subject: [PATCH 12/83] clarify default host usage --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 054b4d1..210ee7d 100644 --- a/README.md +++ b/README.md @@ -144,6 +144,9 @@ To set the default host for nginx use the env var `DEFAULT_HOST=foo.bar.com` for $ docker run -d -p 80:80 -e DEFAULT_HOST=foo.bar.com -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy +nginx-proxy will then redirect all requests to a container where `VIRTUAL_HOST` is set to `DEFAULT_HOST`, if they don't match any (other) `VIRTUAL_HOST`. Using the example above requests without matching `VIRTUAL_HOST` will be redirected to a plain nginx instance after running the following command: + + $ docker run -d -e VIRTUAL_HOST=foo.bar.com nginx ### Separate Containers From 936e57a6de5a3e12043ab51492bf795537afe4f2 Mon Sep 17 00:00:00 2001 From: Steve Kamerman Date: Mon, 26 Mar 2018 13:27:30 -0400 Subject: [PATCH 13/83] Fixed #1080, can't disable HSTS with noredirect --- nginx.tmpl | 4 ++-- test/test_ssl/test_hsts.py | 7 +++++++ test/test_ssl/test_hsts.yml | 10 ++++++++++ 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/nginx.tmpl b/nginx.tmpl index d861050..a9fc479 100644 --- a/nginx.tmpl +++ b/nginx.tmpl 
@@ -19,7 +19,7 @@ server 127.0.0.1 down; {{ end }} {{ end }} - + {{ end }} # If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the @@ -262,7 +262,7 @@ server { ssl_trusted_certificate {{ printf "/etc/nginx/certs/%s.chain.pem" $cert }}; {{ end }} - {{ if (and (ne $https_method "noredirect") (ne $hsts "off")) }} + {{ if (not (or (eq $https_method "noredirect") (eq $hsts "off"))) }} add_header Strict-Transport-Security "{{ trim $hsts }}" always; {{ end }} diff --git a/test/test_ssl/test_hsts.py b/test/test_ssl/test_hsts.py index 554d79a..12bbcc4 100644 --- a/test/test_ssl/test_hsts.py +++ b/test/test_ssl/test_hsts.py @@ -24,3 +24,10 @@ def test_web3_HSTS_custom(docker_compose, nginxproxy): assert "answer from port 81\n" in r.text assert "Strict-Transport-Security" in r.headers assert "max-age=86400; includeSubDomains; preload" == r.headers["Strict-Transport-Security"] + +# Regression test for issue 1080 +# https://github.com/jwilder/nginx-proxy/issues/1080 +def test_web4_HSTS_off_noredirect(docker_compose, nginxproxy): + r = nginxproxy.get("https://web4.nginx-proxy.tld/port", allow_redirects=False) + assert "answer from port 81\n" in r.text + assert "Strict-Transport-Security" not in r.headers diff --git a/test/test_ssl/test_hsts.yml b/test/test_ssl/test_hsts.yml index 5c04cf0..f6f39a7 100644 --- a/test/test_ssl/test_hsts.yml +++ b/test/test_ssl/test_hsts.yml @@ -24,6 +24,16 @@ web3: VIRTUAL_HOST: "web3.nginx-proxy.tld" HSTS: "max-age=86400; includeSubDomains; preload" +web4: + image: web + expose: + - "81" + environment: + WEB_PORTS: "81" + VIRTUAL_HOST: "web4.nginx-proxy.tld" + HSTS: "off" + HTTPS_METHOD: "noredirect" + sut: image: jwilder/nginx-proxy:test volumes: From e014065d9ecb96da5b3557d65ec782e2049d4c4b Mon Sep 17 00:00:00 2001 
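Review bot: The rewritten guard `{{ if (not (or (eq $https_method "noredirect") (eq $hsts "off"))) }}` is De Morgan-equivalent to the previous `(and (ne $https_method "noredirect") (ne $hsts "off"))`, so unless docker-gen's template engine evaluates the two forms differently I cannot see what behaviour this hunk changes; if the effective fix is elsewhere, a template comment should record the intent, e.g. `{{/* HSTS is sent only when HTTP is redirected to HTTPS and HSTS is not "off" (issue 1080) */}}`. The regression test `test_web4_HSTS_off_noredirect` is what actually pins the contract, which is good; consider also covering `HSTS: "off"` without `HTTPS_METHOD: "noredirect"` so both halves of the `or` are exercised.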
From: kylegoetz Date: Wed, 24 Oct 2018 09:50:28 -0500 Subject: [PATCH 14/83] Update README.md - sample yml needed expose option Example docker-compose.yml does not work without defining an exposed port for whoami service. --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 5c83548..6f7fc8d 100644 --- a/README.md +++ b/README.md @@ -51,6 +51,8 @@ services: whoami: image: jwilder/whoami + expose: + - "8000" environment: - VIRTUAL_HOST=whoami.local ``` From 330d2cdc0e73f23884f152dfa200f3c336ac5836 Mon Sep 17 00:00:00 2001 From: Sergey Besedin Date: Wed, 24 Oct 2018 19:10:24 +0300 Subject: [PATCH 15/83] Set proper X-Forwarded-Ssl for SSL-terminated setups --- nginx.tmpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nginx.tmpl b/nginx.tmpl index d861050..7a65c72 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -51,8 +51,8 @@ server_names_hash_bucket_size 128; ssl_dhparam /etc/nginx/dhparam/dhparam.pem; {{ end }} -# Set appropriate X-Forwarded-Ssl header -map $scheme $proxy_x_forwarded_ssl { +# Set appropriate X-Forwarded-Ssl header based on $proxy_x_forwarded_proto +map $proxy_x_forwarded_proto $proxy_x_forwarded_ssl { default off; https on; } From 58c1fe360687a3a005ff9eae23ac3b6c4c4c3123 Mon Sep 17 00:00:00 2001 From: Gpkfr Date: Fri, 9 Nov 2018 15:26:01 +0100 Subject: [PATCH 16/83] Upgrade to nginx 1.14.1 stable version --- Dockerfile | 2 +- Dockerfile.alpine | 2 +- README.md | 2 +- test/certs/create_server_certificate.sh | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 295c06b..45a09e3 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM nginx:1.14 +FROM nginx:1.14.1 LABEL maintainer="Jason Wilder mail@jasonwilder.com" # Install wget and install/updates certificates diff --git a/Dockerfile.alpine b/Dockerfile.alpine index ba93de7..23459a3 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine 
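Review bot: `map $proxy_x_forwarded_proto $proxy_x_forwarded_ssl` now derives X-Forwarded-Ssl from `$proxy_x_forwarded_proto`, which per the comment earlier in this template is passed through from an incoming `X-Forwarded-Proto` header when one is present; a request that arrives with that header already set will therefore also carry `X-Forwarded-Ssl: on` to the backend, regardless of the scheme nginx-proxy itself saw. That trust was already placed in X-Forwarded-Proto, so the change is consistent, but the new comment should state the consequence, e.g. `# X-Forwarded-Ssl follows X-Forwarded-Proto, which may originate from an upstream proxy; strip the header at the edge when nginx-proxy is directly reachable`. Backends that make security decisions on X-Forwarded-Ssl (secure cookies, HTTPS-only checks) should be told in the README that it is only as trustworthy as the proxy chain in front.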
@@ -1,4 +1,4 @@ -FROM nginx:1.14-alpine +FROM nginx:1.14.1-alpine LABEL maintainer="Jason Wilder mail@jasonwilder.com" # Install wget and install/updates certificates diff --git a/README.md b/README.md index 5c83548..a6504cd 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ ![latest 0.7.0](https://img.shields.io/badge/latest-0.7.0-green.svg?style=flat) -![nginx 1.14](https://img.shields.io/badge/nginx-1.14-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') +![nginx 1.14.1](https://img.shields.io/badge/nginx-1.14-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped. diff --git a/test/certs/create_server_certificate.sh b/test/certs/create_server_certificate.sh index 7473552..ae51280 100755 --- a/test/certs/create_server_certificate.sh +++ b/test/certs/create_server_certificate.sh 
@@ -24,7 +24,7 @@ fi # Create a nginx container (which conveniently provides the `openssl` command) ############################################################################### -CONTAINER=$(docker run -d -v $DIR:/work -w /work -e SAN="$ALTERNATE_DOMAINS" nginx:1.14) +CONTAINER=$(docker run -d -v $DIR:/work -w /work -e SAN="$ALTERNATE_DOMAINS" nginx:1.14.1) # Configure openssl docker exec $CONTAINER bash -c ' mkdir -p /ca/{certs,crl,private,newcerts} 2>/dev/null From 62d51562b5bcd40fb2a8ce378c6cc9e0f53f3930 Mon Sep 17 00:00:00 2001 From: umevoshi Date: Thu, 15 Nov 2018 01:02:57 +0900 Subject: [PATCH 17/83] Add gRPC protocol support --- nginx.tmpl | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/nginx.tmpl b/nginx.tmpl index d861050..9c9e0aa 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -280,6 +280,8 @@ server { root {{ trim $vhost_root }}; include fastcgi.conf; fastcgi_pass {{ trim $upstream_name }}; + {{ else if eq $proto "grpc" }} + grpc_pass {{ trim $proto }}://{{ trim $upstream_name }}; {{ else }} proxy_pass {{ trim $proto }}://{{ trim $upstream_name }}; {{ end }} @@ -327,6 +329,8 @@ server { root {{ trim $vhost_root }}; include fastcgi.conf; fastcgi_pass {{ trim $upstream_name }}; + {{ else if eq $proto "grpc" }} + grpc_pass {{ trim $proto }}://{{ trim $upstream_name }}; {{ else }} proxy_pass {{ trim $proto }}://{{ trim $upstream_name }}; {{ end }} From 6a1a518fec5507ba1115468e1e70dc410ed53b2f Mon Sep 17 00:00:00 2001 From: Kenichi HIROSE Date: Tue, 18 Dec 2018 14:05:17 +0000 Subject: [PATCH 18/83] Fix empty dhparam.pem --- generate-dhparam.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/generate-dhparam.sh b/generate-dhparam.sh index 3fdc77c..27b6432 100755 --- a/generate-dhparam.sh +++ b/generate-dhparam.sh 
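Review bot: The gRPC branch `grpc_pass {{ trim $proto }}://{{ trim $upstream_name }}` renders `grpc_pass grpc://...`, which nginx accepts, but the hunk context still reads `include fastcgi.conf;`, which PATCH 09/10 changed to `fastcgi_params`, so this patch is based on an older tree and will conflict when applied in series. gRPC also requires HTTP/2 on the listening side: the 443 listeners in this template carry `http2` but the port-80 listeners seen in earlier hunks do not, so plaintext gRPC (h2c) presumably would not work through the HTTP server block — I cannot tell from the hunk which block each insertion lands in, so a template comment or README line stating that `VIRTUAL_PROTO=grpc` is supported over HTTPS only would help. The README's VIRTUAL_PROTO section should also list the new value.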
@@ -37,7 +37,8 @@ touch $GEN_LOCKFILE # Generate a new dhparam in the background in a low priority and reload nginx when finished (grep removes the progress indicator). ( ( - nice -n +5 openssl dhparam -out $DHPARAM_FILE $DHPARAM_BITS 2>&1 \ + nice -n +5 openssl dhparam -out $DHPARAM_FILE.tmp $DHPARAM_BITS 2>&1 \ + && mv $DHPARAM_FILE.tmp $DHPARAM_FILE \ && echo "dhparam generation complete, reloading nginx" \ && nginx -s reload ) | grep -vE '^[\.+]+' From ad4117803690042e446aa7f7b25d25bebecf843a Mon Sep 17 00:00:00 2001 From: Steve Kamerman Date: Mon, 4 Feb 2019 15:15:04 -0500 Subject: [PATCH 19/83] Fixed tests that are now failing due to the dhparam clearing command beating the nginx startup. This is fixed permanently in #1213, but this PR fixes the test so as not to rely on the dhparam autogen, which is tested elsewhere. --- test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml | 3 ++- .../wildcard_cert_and_nohttps/test_wildcard_cert_nohttps.py | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml b/test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml index bffffc1..20cd1b2 100644 --- a/test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml +++ b/test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml @@ -7,6 +7,7 @@ services: volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - ./certs:/etc/nginx/certs:ro + - ../../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro web1: image: web @@ -30,4 +31,4 @@ services: environment: WEB_PORTS: "83" VIRTUAL_HOST: "3.web.nginx-proxy.tld" - HTTPS_METHOD: nohttps \ No newline at end of file + HTTPS_METHOD: nohttps diff --git a/test/test_ssl/wildcard_cert_and_nohttps/test_wildcard_cert_nohttps.py b/test/test_ssl/wildcard_cert_and_nohttps/test_wildcard_cert_nohttps.py index de4b298..2808dee 100644 --- a/test/test_ssl/wildcard_cert_and_nohttps/test_wildcard_cert_nohttps.py 
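Review bot: Writing to `$DHPARAM_FILE.tmp` and `mv`-ing it into place is the right fix — the rename is atomic on the same filesystem, so nginx never reads a half-written dhparam — but the `&&` chain leaves the partial `.tmp` file behind when openssl fails, and both new paths are still unquoted. Quote them and clean up on failure by closing the chain with `&& nginx -s reload || rm -f -- "$DHPARAM_FILE.tmp"` (the `||` only fires when an earlier step failed, and `rm -f` is harmless once the move has happened). A one-line comment such as `# write to a temp file and rename so a crash mid-generation never leaves an empty dhparam.pem` would explain the two-step dance to the next reader.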
+++ b/test/test_ssl/wildcard_cert_and_nohttps/test_wildcard_cert_nohttps.py @@ -11,6 +11,7 @@ from requests.exceptions import SSLError def test_http_redirects_to_https(docker_compose, nginxproxy, subdomain, should_redirect_to_https): r = nginxproxy.get("http://%s.web.nginx-proxy.tld/port" % subdomain) if should_redirect_to_https: + assert len(r.history) > 0 assert r.history[0].is_redirect assert r.history[0].headers.get("Location") == "https://%s.web.nginx-proxy.tld/port" % subdomain assert "answer from port 8%s\n" % subdomain == r.text From afa2dc53c7e431e86961d1b03d811338ae0a7c9c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jakub=20Pomyka=C5=82a?= Date: Sat, 23 Mar 2019 12:23:12 +0100 Subject: [PATCH 20/83] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f27c467..f873ddd 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,7 @@ Then start any containers you want proxied with an env var `VIRTUAL_HOST=subdoma $ docker run -e VIRTUAL_HOST=foo.bar.com ... -The containers being proxied must [expose](https://docs.docker.com/engine/reference/run/#expose-incoming-ports) the port to be proxied, either by using the `EXPOSE` directive in their `Dockerfile` or by using the `--expose` flag to `docker run` or `docker create`. +The containers being proxied must [expose](https://docs.docker.com/engine/reference/run/#expose-incoming-ports) the port to be proxied, either by using the `EXPOSE` directive in their `Dockerfile` or by using the `--expose` flag to `docker run` or `docker create` and be in the same network. By default, if you don't pass the --net flag when your nginx-proxy container is created, it will only be attached to the default bridge network. This means that it will not be able to connect to containers on networks other than bridge. Provided your DNS is setup to forward foo.bar.com to the host running nginx-proxy, the request will be routed to a container with the VIRTUAL_HOST env var set. 
From 16169a0f74d2191049cbce807dc072eb4f546ee3 Mon Sep 17 00:00:00 2001 From: Jiazhen Xie Date: Wed, 7 Aug 2019 17:32:52 +0100 Subject: [PATCH 21/83] Use nginx latest version --- Dockerfile | 2 +- Dockerfile.alpine | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 45a09e3..fc977c1 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM nginx:1.14.1 +FROM nginx:1.17.2 LABEL maintainer="Jason Wilder mail@jasonwilder.com" # Install wget and install/updates certificates diff --git a/Dockerfile.alpine b/Dockerfile.alpine index 23459a3..e4c486a 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine @@ -1,4 +1,4 @@ -FROM nginx:1.14.1-alpine +FROM nginx:1.17.2-alpine LABEL maintainer="Jason Wilder mail@jasonwilder.com" # Install wget and install/updates certificates From 23823c4b21a7d56d88229be311a1a1339dd91aba Mon Sep 17 00:00:00 2001 From: Jiazhen Xie Date: Wed, 7 Aug 2019 17:33:02 +0100 Subject: [PATCH 22/83] Fix the test --- test/test_ssl/test_dhparam.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/test_ssl/test_dhparam.py b/test/test_ssl/test_dhparam.py index fd60217..40339a1 100644 --- a/test/test_ssl/test_dhparam.py +++ b/test/test_ssl/test_dhparam.py @@ -90,4 +90,4 @@ def test_web5_dhparam_is_used(docker_compose): host = "%s:443" % sut_container.attrs["NetworkSettings"]["IPAddress"] r = subprocess.check_output( "echo '' | openssl s_client -connect %s -cipher 'EDH' | grep 'Server Temp Key'" % host, shell=True) - assert "Server Temp Key: DH, 2048 bits\n" == r + assert "Server Temp Key: X25519, 253 bits\n" == r From a4cc2686280b130d42f4e562afa57cb500c751f7 Mon Sep 17 00:00:00 2001 From: Lorenzo Cameroni Date: Sun, 18 Aug 2019 11:20:05 +0200 Subject: [PATCH 23/83] Use nginx 1.17.3 --- Dockerfile | 2 +- Dockerfile.alpine | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index fc977c1..0a1616b 100644 --- a/Dockerfile +++ b/Dockerfile 
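Review bot: Changing the expectation in `test_web5_dhparam_is_used` to `Server Temp Key: X25519, 253 bits` means the test no longer verifies that the mounted dhparam is used at all: with the nginx bump in PATCH 21 TLS 1.3 is negotiated, the `-cipher 'EDH'` restriction applies only to TLS 1.2 suites, and the key exchange becomes ECDHE so the DH parameters never come into play (inferred from the version change, not visible in this hunk). Keep the original `DH, 2048 bits` assertion and pin the handshake to TLS 1.2, `openssl s_client -connect %s -tls1_2 -cipher 'EDH'`, or rename the test to reflect what it now checks. Separately, if the suite runs under Python 3 `subprocess.check_output` returns bytes and the `str == bytes` comparison would never hold; that is pre-existing rather than introduced here.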
@@ -1,4 +1,4 @@ -FROM nginx:1.17.2 +FROM nginx:1.17.3 LABEL maintainer="Jason Wilder mail@jasonwilder.com" # Install wget and install/updates certificates diff --git a/Dockerfile.alpine b/Dockerfile.alpine index e4c486a..03877c8 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine @@ -1,4 +1,4 @@ -FROM nginx:1.17.2-alpine +FROM nginx:1.17.3-alpine LABEL maintainer="Jason Wilder mail@jasonwilder.com" # Install wget and install/updates certificates From 26e764950f02417b759e20290c6c1bbc1eb59e54 Mon Sep 17 00:00:00 2001 From: Lorenzo Cameroni Date: Thu, 29 Aug 2019 22:14:14 +0200 Subject: [PATCH 24/83] Update ssl configuration --- README.md | 18 ++++++------ nginx.tmpl | 81 +++++++++++++++++++++++++++++++++--------------------- 2 files changed, 58 insertions(+), 41 deletions(-) diff --git a/README.md b/README.md index f27c467..daa5875 100644 --- a/README.md +++ b/README.md 
@@ -252,18 +252,16 @@ and OCSP Stapling is enabled. #### How SSL Support Works -The default SSL cipher configuration is based on the [Mozilla intermediate profile](https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29) which -should provide compatibility with clients back to Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, -Windows XP IE8, Android 2.3, Java 7. Note that the DES-based TLS ciphers were removed for security. -The configuration also enables HSTS, PFS, OCSP stapling and SSL session caches. Currently TLS 1.0, 1.1 and 1.2 -are supported. TLS 1.0 is deprecated but its end of life is not until June 30, 2018. It is being -included because the following browsers will stop working when it is removed: Chrome < 22, Firefox < 27, -IE < 11, Safari < 7, iOS < 5, Android Browser < 5. +The default SSL cipher configuration is based on the [Mozilla intermediate profile](https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29) version 5.0 which +should provide compatibility with clients back to Firefox 27, Android 4.4.2, Chrome 31, Edge, IE 11 on Windows 7, +Java 8u31, OpenSSL 1.0.1, Opera 20, and Safari 9. Note that the DES-based TLS ciphers were removed for security. +The configuration also enables HSTS, PFS, OCSP stapling and SSL session caches. Currently TLS 1.2 and 1.3 +are supported. If you don't require backward compatibility, you can use the [Mozilla modern profile](https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility) -profile instead by including the environment variable `SSL_POLICY=Mozilla-Modern` to your container. -This profile is compatible with clients back to Firefox 27, Chrome 30, IE 11 on Windows 7, -Edge, Opera 17, Safari 9, Android 5.0, and Java 8. +profile instead by including the environment variable `SSL_POLICY=Mozilla-Modern` to the nginx-proxy container or to your container. 
+This profile is compatible with clients back to Firefox 63, Android 10.0, Chrome 70, Edge 75, Java 11, +OpenSSL 1.1.1, Opera 57, and Safari 12.1. Note that this profile is **not** compatible with any version of Internet Explorer. Other policies available through the `SSL_POLICY` environment variable are [`Mozilla-Old`](https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility) and the [AWS ELB Security Policies](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html) diff --git a/nginx.tmpl b/nginx.tmpl index a9fc479..ee286fe 100644 --- a/nginx.tmpl +++ b/nginx.tmpl 
@@ -22,6 +22,48 @@ {{ end }} +{{ define "ssl_policy" }} + {{ if eq .ssl_policy "Mozilla-Modern" }} + ssl_protocols TLSv1.3; + {{/* ssl_ciphers is undefined in the Mozilla-Modern policy /*}} + {{/* explicitly set ngnix default value in order to allow single servers to override the global http value */}} + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers off; + {{ else if eq .ssl_policy "Mozilla-Intermediate" }} + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'; + ssl_prefer_server_ciphers off; + {{ else if eq .ssl_policy "Mozilla-Old" }} + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA'; + ssl_prefer_server_ciphers on; + {{ else if eq .ssl_policy "AWS-TLS-1-2-2017-01" }} + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES128-SHA256:AES256-GCM-SHA384:AES256-SHA256'; + ssl_prefer_server_ciphers on; + {{ else if eq .ssl_policy "AWS-TLS-1-1-2017-01" }} + ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; + ssl_ciphers 
'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA'; + ssl_prefer_server_ciphers on; + {{ else if eq .ssl_policy "AWS-2016-08" }} + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA'; + ssl_prefer_server_ciphers on; + {{ else if eq .ssl_policy "AWS-2015-05" }} + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DES-CBC3-SHA'; + ssl_prefer_server_ciphers on; + {{ else if eq .ssl_policy "AWS-2015-03" }} + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_ciphers 
'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA'; + ssl_prefer_server_ciphers on; + {{ else if eq .ssl_policy "AWS-2015-02" }} + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA'; + ssl_prefer_server_ciphers on; + {{ end }} +{{ end }} + # If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the # scheme used to connect to this server map $http_x_forwarded_proto $proxy_x_forwarded_proto { @@ -65,6 +107,10 @@ log_format vhost '$host $remote_addr - $remote_user [$time_local] ' access_log off; +{{/* Get the SSL_POLICY defined by this container, falling back to "Mozilla-Intermediate" */}} +{{ $ssl_policy := or ($.Env.SSL_POLICY) "Mozilla-Intermediate" }} +{{ template "ssl_policy" (dict "ssl_policy" $ssl_policy) }} + {{ if $.Env.RESOLVERS }} resolver {{ $.Env.RESOLVERS }}; {{ end }} @@ -109,6 +155,7 @@ server { access_log /var/log/nginx/access.log vhost; return 503; + ssl_session_cache shared:SSL:50m; ssl_session_tickets off; ssl_certificate /etc/nginx/certs/default.crt; ssl_certificate_key /etc/nginx/certs/default.key; 
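Review bot: The `ssl_policy` template has no terminal branch, so an unrecognised value (a typo such as `SSL_POLICY=mozilla-modern`) emits no `ssl_protocols`/`ssl_ciphers` at all and the server silently runs on nginx's built-in defaults, which are weaker than every profile listed here. An empty string must keep producing nothing so a vhost can inherit the http-level setting, but any other unmatched value should fall back loudly: add `{{ else if ne .ssl_policy "" }}` that repeats the Mozilla-Intermediate directives preceded by an nginx comment such as `# WARNING: unknown SSL_POLICY value, falling back to Mozilla-Intermediate`, so the problem is visible in the generated config. The `Mozilla-Old` and `AWS-2015-*` entries intentionally keep TLS 1.0/1.1 and 3DES (`DES-CBC3-SHA`); a one-line comment above those branches saying they are opt-in legacy profiles would stop a later reader from "fixing" them.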
@@ -163,8 +210,8 @@ upstream {{ $upstream_name }} { {{/* Get the HTTPS_METHOD defined by containers w/ the same vhost, falling back to "redirect" */}} {{ $https_method := or (first (groupByKeys $containers "Env.HTTPS_METHOD")) "redirect" }} -{{/* Get the SSL_POLICY defined by containers w/ the same vhost, falling back to "Mozilla-Intermediate" */}} -{{ $ssl_policy := or (first (groupByKeys $containers "Env.SSL_POLICY")) "Mozilla-Intermediate" }} +{{/* Get the SSL_POLICY defined by containers w/ the same vhost, falling back to empty string (use default) */}} +{{ $ssl_policy := or (first (groupByKeys $containers "Env.SSL_POLICY")) "" }} {{/* Get the HSTS defined by containers w/ the same vhost, falling back to "max-age=31536000" */}} {{ $hsts := or (first (groupByKeys $containers "Env.HSTS")) "max-age=31536000" }} 
@@ -215,36 +262,8 @@ server { include /etc/nginx/network_internal.conf; {{ end }} - {{ if eq $ssl_policy "Mozilla-Modern" }} - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; - {{ else if eq $ssl_policy "Mozilla-Intermediate" }} - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS'; - {{ else if eq $ssl_policy "Mozilla-Old" }} - ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers 
'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP'; - {{ else if eq $ssl_policy "AWS-TLS-1-2-2017-01" }} - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES128-SHA256:AES256-GCM-SHA384:AES256-SHA256'; - {{ else if eq $ssl_policy "AWS-TLS-1-1-2017-01" }} - ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA'; - {{ else if eq $ssl_policy "AWS-2016-08" }} - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers 
'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA'; - {{ else if eq $ssl_policy "AWS-2015-05" }} - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DES-CBC3-SHA'; - {{ else if eq $ssl_policy "AWS-2015-03" }} - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA'; - {{ else if eq $ssl_policy "AWS-2015-02" }} - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA'; - {{ 
end }} + {{ template "ssl_policy" (dict "ssl_policy" $ssl_policy) }} - ssl_prefer_server_ciphers on; ssl_session_timeout 5m; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; From ede9f9ec25c561f1aad301b3fddabff83e79f4ff Mon Sep 17 00:00:00 2001 From: Lorenzo Cameroni Date: Thu, 29 Aug 2019 22:59:43 +0200 Subject: [PATCH 25/83] README.md: fix version in nginx banner --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f27c467..9ae7404 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ ![latest 0.7.0](https://img.shields.io/badge/latest-0.7.0-green.svg?style=flat) -![nginx 1.14.1](https://img.shields.io/badge/nginx-1.14-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') +![nginx 1.17.3](https://img.shields.io/badge/nginx-1.17.3-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped. From d8c04f666ffa34da32f5e7df19bd7143966d8513 Mon Sep 17 00:00:00 2001 
From: Dick Visser Date: Mon, 9 Sep 2019 07:22:58 +0200 Subject: [PATCH 26/83] Typo --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f27c467..b909345 100644 --- a/README.md +++ b/README.md @@ -181,7 +181,7 @@ Finally, start your containers with `VIRTUAL_HOST` environment variables. $ docker run -e VIRTUAL_HOST=foo.bar.com ... ### SSL Support using letsencrypt -[letsencrypt-nginx-proxy-companion](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion) is a lightweight companion container for the nginx-proxy. It allow the creation/renewal of Let's Encrypt certificates automatically. +[letsencrypt-nginx-proxy-companion](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion) is a lightweight companion container for the nginx-proxy. It allows the creation/renewal of Let's Encrypt certificates automatically. Set `DHPARAM_GENERATION` environment variable to `false` to disabled Diffie-Hellman parameters completely. This will also ignore auto-generation made by `nginx-proxy`. The default value is `true` From eba7d8af7756455de45d36dec85aaeea0657998f Mon Sep 17 00:00:00 2001 From: came88 Date: Mon, 9 Sep 2019 12:45:20 +0200 Subject: [PATCH 27/83] Fix comment about Mozilla Modern Policy and TLS1.3 Thanks to @deAtog for pointing it out --- nginx.tmpl | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/nginx.tmpl b/nginx.tmpl index ee286fe..a59cd54 100644 --- a/nginx.tmpl +++ b/nginx.tmpl 
@@ -25,7 +25,8 @@ {{ define "ssl_policy" }} {{ if eq .ssl_policy "Mozilla-Modern" }} ssl_protocols TLSv1.3; - {{/* ssl_ciphers is undefined in the Mozilla-Modern policy /*}} + {{/* nginx currently lacks ability to choose ciphers in TLS 1.3 in configuration, see https://trac.nginx.org/nginx/ticket/1529 /*}} + {{/* a possible workaround can be modify /etc/ssl/openssl.cnf to change it globally (see https://trac.nginx.org/nginx/ticket/1529#comment:12 ) /*}} {{/* explicitly set ngnix default value in order to allow single servers to override the global http value */}} ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers off; From 45690ee0444e72f9810bb0300f4215c706fb83b7 Mon Sep 17 00:00:00 2001 From: Marcel Sinn Date: Thu, 19 Sep 2019 07:55:43 +0200 Subject: [PATCH 28/83] Will fix spelling Just read the documentation and found this spelling issue. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index daa5875..611cd9c 100644 --- a/README.md +++ b/README.md @@ -111,7 +111,7 @@ allow 172.16.0.0/12; deny all; ``` -When internal-only access is enabled, external clients with be denied with an `HTTP 403 Forbidden` +When internal-only access is enabled, external clients will be denied with an `HTTP 403 Forbidden` > If there is a load-balancer / reverse proxy in front of `nginx-proxy` that hides the client IP (example: AWS Application/Elastic Load Balancer), you will need to use the nginx `realip` module (already installed) to extract the client's IP from the HTTP request headers. Please see the [nginx realip module configuration](http://nginx.org/en/docs/http/ngx_http_realip_module.html) for more details. This configuration can be added to a new config file and mounted in `/etc/nginx/conf.d/`. From 3ce7d99aeaf511957b7bb5d23c0e45453aa463aa Mon Sep 17 00:00:00 2001 
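Review bot: Both added comment lines close with `/*}}` instead of `*/}}`, and so does the line they replace. Go's template lexer only accepts this because it scans forward to the next `*/}}` (the `explicitly set ngnix default value` comment two lines below) and treats everything in between as one comment; if that third line is ever edited or removed, the template fails to parse with an unclosed-comment error. Change the two new lines to end in `*/}}` so each comment is self-contained. The `ngnix` typo in the surviving comment could be fixed in the same touch.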
From: Ioannis Cherouvim <743305+cherouvim@users.noreply.github.com> Date: Wed, 25 Sep 2019 13:21:33 +0300 Subject: [PATCH 29/83] typo --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index daa5875..18ed270 100644 --- a/README.md +++ b/README.md @@ -181,7 +181,7 @@ Finally, start your containers with `VIRTUAL_HOST` environment variables. $ docker run -e VIRTUAL_HOST=foo.bar.com ... ### SSL Support using letsencrypt -[letsencrypt-nginx-proxy-companion](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion) is a lightweight companion container for the nginx-proxy. It allow the creation/renewal of Let's Encrypt certificates automatically. +[letsencrypt-nginx-proxy-companion](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion) is a lightweight companion container for the nginx-proxy. It allows the creation/renewal of Let's Encrypt certificates automatically. Set `DHPARAM_GENERATION` environment variable to `false` to disabled Diffie-Hellman parameters completely. This will also ignore auto-generation made by `nginx-proxy`. The default value is `true` From 11d644d645a89dfde5af1c3fbdc755442122ed7b Mon Sep 17 00:00:00 2001 From: Maurits van Mastrigt Date: Tue, 1 Oct 2019 16:00:41 +0200 Subject: [PATCH 30/83] Do not HTTPS redirect Let'sEncrypt ACME challenge The auto renewal of Let'sEncrypt certificates fails due to the HTTPS redirect of the ACME challenge. This workaround resolves the issue: https://gist.github.com/codekitchen/2c519eb7572002afab6a5f979cd42913#file-letsencrypt-diff Found through this comment: https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion/issues/526#issuecomment-476253642 --- nginx.tmpl | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/nginx.tmpl b/nginx.tmpl index c1383c6..5b3b2dd 100644 --- a/nginx.tmpl +++ b/nginx.tmpl 
@@ -246,7 +246,19 @@ server { listen [::]:80 {{ $default_server }}; {{ end }} access_log /var/log/nginx/access.log vhost; - return 301 https://$host$request_uri; + + # Do not HTTPS redirect Let'sEncrypt ACME challenge + location /.well-known/acme-challenge/ { + auth_basic off; + allow all; + root /usr/share/nginx/html; + try_files $uri =404; + break; + } + + location / { + return 301 https://$host$request_uri; + } } {{ end }} From a3e64a94336d8b9ae140816b0774151632e03efb Mon Sep 17 00:00:00 2001 From: nanawel Date: Sun, 3 Nov 2019 14:48:16 +0100 Subject: [PATCH 31/83] Add support for custom external HTTP/HTTPS ports (see https://groups.google.com/forum/#!topic/nginx-proxy/0I2jevmgTLI) --- nginx.tmpl | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/nginx.tmpl b/nginx.tmpl index c1383c6..336b2d9 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -1,5 +1,8 @@ {{ $CurrentContainer := where $ "ID" .Docker.CurrentContainerID | first }} +{{ $external_http_port := coalesce $.Env.HTTP_PORT "80" }} +{{ $external_https_port := coalesce $.Env.HTTPS_PORT "443" }} + {{ define "upstream" }} {{ if .Address }} {{/* If we got the containers from swarm and this container's port is published to host, use host IP:PORT */}} @@ -138,9 +141,9 @@ proxy_set_header Proxy ""; {{ $enable_ipv6 := eq (or ($.Env.ENABLE_IPV6) "") "true" }} server { server_name _; # This is just an invalid value which will never trigger on a real hostname. - listen 80; + listen {{ $external_http_port }}; {{ if $enable_ipv6 }} - listen [::]:80; + listen [::]:{{ $external_http_port }}; {{ end }} access_log /var/log/nginx/access.log vhost; return 503; 
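Review bot: The new `location /.well-known/acme-challenge/` is emitted for every vhost with `HTTPS_METHOD=redirect`, and its `allow all` overrides any `allow`/`deny` rules the server block inherits, so a vhost that is otherwise restricted (for example via the `network_internal.conf` include used elsewhere in this template) will serve that directory to anyone; that is what ACME HTTP-01 requires, but it deserves a comment so nobody later treats it as an access-control bug. `try_files $uri =404` keeps the exposure to existing regular files under `/usr/share/nginx/html/.well-known/acme-challenge/` only, which is the right bound; the trailing `break;` adds nothing after `try_files` and can be dropped. Suggested comment above `auth_basic off;`: `# Intentionally unauthenticated and unrestricted: the ACME validator must reach this path over plain HTTP.`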
@@ -149,9 +152,9 @@ server { {{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }} server { server_name _; # This is just an invalid value which will never trigger on a real hostname. - listen 443 ssl http2; + listen {{ $external_https_port }} ssl http2; {{ if $enable_ipv6 }} - listen [::]:443 ssl http2; + listen [::]:{{ $external_https_port }} ssl http2; {{ end }} access_log /var/log/nginx/access.log vhost; return 503; @@ -241,9 +244,9 @@ upstream {{ $upstream_name }} { {{ if eq $https_method "redirect" }} server { server_name {{ $host }}; - listen 80 {{ $default_server }}; + listen {{ $external_http_port }} {{ $default_server }}; {{ if $enable_ipv6 }} - listen [::]:80 {{ $default_server }}; + listen [::]:{{ $external_http_port }} {{ $default_server }}; {{ end }} access_log /var/log/nginx/access.log vhost; return 301 https://$host$request_uri; @@ -252,9 +255,9 @@ server { server { server_name {{ $host }}; - listen 443 ssl http2 {{ $default_server }}; + listen {{ $external_https_port }} ssl http2 {{ $default_server }}; {{ if $enable_ipv6 }} - listen [::]:443 ssl http2 {{ $default_server }}; + listen [::]:{{ $external_https_port }} ssl http2 {{ $default_server }}; {{ end }} access_log /var/log/nginx/access.log vhost; @@ -322,7 +325,7 @@ server { server { server_name {{ $host }}; - listen 80 {{ $default_server }}; + listen {{ $external_http_port }} {{ $default_server }}; {{ if $enable_ipv6 }} listen [::]:80 {{ $default_server }}; {{ end }} 
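Review bot: In the redirect server the listen ports are now configurable but the context line `return 301 https://$host$request_uri;` still sends clients to the default HTTPS port, because nginx's `$host` carries no port; with a non-default `HTTPS_PORT` the redirect therefore lands on a port this proxy is not listening on. Since `$external_https_port` is always a string (`coalesce $.Env.HTTPS_PORT "443"`), the redirect can append the port only when it is non-standard: `return 301 https://$host{{ if ne $external_https_port "443" }}:{{ $external_https_port }}{{ end }}$request_uri;`. The same consideration applies to the HSTS/redirect handling further down the template, which is outside this hunk.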
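Review bot: In the `@@ -322,7 +325,7 @@` hunk only the IPv4 line was updated; the IPv6 line that follows still reads `listen [::]:80 {{ $default_server }};`, so with `ENABLE_IPV6=true` and a custom `HTTP_PORT` this server block listens on two different ports depending on address family. Change it to `listen [::]:{{ $external_http_port }} {{ $default_server }};` to match the other listen directives in this commit. The enclosing server block continues outside the hunk.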
@@ -365,9 +368,9 @@ server { {{ if (and (not $is_https) (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }} server { server_name {{ $host }}; - listen 443 ssl http2 {{ $default_server }}; + listen {{ $external_https_port }} ssl http2 {{ $default_server }}; {{ if $enable_ipv6 }} - listen [::]:443 ssl http2 {{ $default_server }}; + listen [::]:{{ $external_https_port }} ssl http2 {{ $default_server }}; {{ end }} access_log /var/log/nginx/access.log vhost; return 500; From cf911d950a37f33d98bc93109bb5144e8547a2f5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matthias=20Do=CC=88ring?= Date: Fri, 8 Nov 2019 14:11:17 +0100 Subject: [PATCH 32/83] Upgrade to 1.17.5 closes #1337, resolves #1355 --- Dockerfile | 2 +- Dockerfile.alpine | 2 +- README.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 0a1616b..0a8fdef 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM nginx:1.17.3 +FROM nginx:1.17.5 LABEL maintainer="Jason Wilder mail@jasonwilder.com" # Install wget and install/updates certificates diff --git a/Dockerfile.alpine b/Dockerfile.alpine index 03877c8..33b4793 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine @@ -1,4 +1,4 @@ -FROM nginx:1.17.3-alpine +FROM nginx:1.17.5-alpine LABEL maintainer="Jason Wilder mail@jasonwilder.com" # Install wget and install/updates certificates diff --git a/README.md b/README.md index 92aee31..ad8678a 100644 --- a/README.md +++ b/README.md 
@@ -1,5 +1,5 @@ ![latest 0.7.0](https://img.shields.io/badge/latest-0.7.0-green.svg?style=flat) -![nginx 1.17.3](https://img.shields.io/badge/nginx-1.17.3-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') +![nginx 1.17.5](https://img.shields.io/badge/nginx-1.17.5-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped. From 77227f869161e6a4434f8cfb0b2b65414e6e9fa5 Mon Sep 17 00:00:00 2001 From: Jake Jarvis Date: Wed, 4 Dec 2019 10:19:17 -0500 Subject: [PATCH 33/83] Upgrade nginx to 1.17.6 --- Dockerfile | 2 +- Dockerfile.alpine | 2 +- README.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 0a8fdef..6aad66d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM nginx:1.17.5 +FROM nginx:1.17.6 LABEL maintainer="Jason Wilder mail@jasonwilder.com" # Install wget and install/updates certificates diff --git a/Dockerfile.alpine b/Dockerfile.alpine index 33b4793..2a8b9bb 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine 
@@ -1,4 +1,4 @@ -FROM nginx:1.17.5-alpine +FROM nginx:1.17.6-alpine LABEL maintainer="Jason Wilder mail@jasonwilder.com" # Install wget and install/updates certificates diff --git a/README.md b/README.md index ad8678a..eb66ef1 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ ![latest 0.7.0](https://img.shields.io/badge/latest-0.7.0-green.svg?style=flat) -![nginx 1.17.5](https://img.shields.io/badge/nginx-1.17.5-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') +![nginx 1.17.6](https://img.shields.io/badge/nginx-1.17.6-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped. From f8b4553eee032ad296150f0d213cf2e7f267763d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julius=20H=C3=A4rtl?= Date: Thu, 30 Jan 2020 08:24:38 +0100 Subject: [PATCH 34/83] Add fallback to the proxy containers env for HTTPS_METHOD and HSTS MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Julius Härtl --- README.md | 4 ++-- nginx.tmpl | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index ad8678a..44a20d1 100644 --- a/README.md +++ b/README.md @@ -285,8 +285,8 @@ a 500. To serve traffic in both SSL and non-SSL modes without redirecting to SSL, you can include the environment variable `HTTPS_METHOD=noredirect` (the default is `HTTPS_METHOD=redirect`). You can also disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`, or disable the HTTPS site with -`HTTPS_METHOD=nohttps`. `HTTPS_METHOD` must be specified on each container for which you want to -override the default behavior. If `HTTPS_METHOD=noredirect` is used, Strict Transport Security (HSTS) +`HTTPS_METHOD=nohttps`. `HTTPS_METHOD` can be specified on each container for which you want to +override the default behavior or on the proxy container to set it globally. If `HTTPS_METHOD=noredirect` is used, Strict Transport Security (HSTS) is disabled to prevent HTTPS users from being redirected by the client. If you cannot get to the HTTP site after changing this setting, your browser has probably cached the HSTS policy and is automatically redirecting you back to HTTPS. You will need to clear your browser's HSTS cache or use an incognito diff --git a/nginx.tmpl b/nginx.tmpl index c1383c6..85773ee 100644 --- a/nginx.tmpl +++ b/nginx.tmpl 
@@ -209,13 +209,13 @@ upstream {{ $upstream_name }} { {{ $network_tag := or (first (groupByKeys $containers "Env.NETWORK_ACCESS")) "external" }} {{/* Get the HTTPS_METHOD defined by containers w/ the same vhost, falling back to "redirect" */}} -{{ $https_method := or (first (groupByKeys $containers "Env.HTTPS_METHOD")) "redirect" }} +{{ $https_method := or (first (groupByKeys $containers "Env.HTTPS_METHOD")) (or $.Env.HTTPS_METHOD "redirect") }} {{/* Get the SSL_POLICY defined by containers w/ the same vhost, falling back to empty string (use default) */}} {{ $ssl_policy := or (first (groupByKeys $containers "Env.SSL_POLICY")) "" }} {{/* Get the HSTS defined by containers w/ the same vhost, falling back to "max-age=31536000" */}} -{{ $hsts := or (first (groupByKeys $containers "Env.HSTS")) "max-age=31536000" }} +{{ $hsts := or (first (groupByKeys $containers "Env.HSTS")) (or $.Env.HSTS "max-age=31536000") }} {{/* Get the VIRTUAL_ROOT By containers w/ use fastcgi root */}} {{ $vhost_root := or (first (groupByKeys $containers "Env.VIRTUAL_ROOT")) "/var/www/public" }} From 6798a6b800e064a5615808167e80e563b47fd401 Mon Sep 17 00:00:00 2001 From: sgabe Date: Fri, 28 Feb 2020 16:36:36 +0100 Subject: [PATCH 35/83] Upgrade to 1.17.8 --- Dockerfile | 2 +- Dockerfile.alpine | 2 +- README.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 6aad66d..e4fa49c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM nginx:1.17.6 +FROM nginx:1.17.8 LABEL maintainer="Jason Wilder mail@jasonwilder.com" # Install wget and install/updates certificates diff --git a/Dockerfile.alpine b/Dockerfile.alpine index 2a8b9bb..847c848 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine @@ -1,4 +1,4 @@ -FROM nginx:1.17.6-alpine +FROM nginx:1.17.8-alpine LABEL maintainer="Jason Wilder mail@jasonwilder.com" # Install wget and install/updates certificates diff --git a/README.md b/README.md index eb66ef1..9a0a177 100644 --- a/README.md 
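Review bot: The template comments immediately above the two changed assignments are now stale: `{{/* Get the HTTPS_METHOD defined by containers w/ the same vhost, falling back to "redirect" */}}` no longer describes the lookup order, which is now the vhost's containers, then the proxy container's own `$.Env.HTTPS_METHOD`, then `"redirect"`, and the HSTS comment has the same gap. Suggested wording: `{{/* Get the HTTPS_METHOD defined by containers w/ the same vhost, falling back to the proxy container's HTTPS_METHOD, then "redirect" */}}` and `{{/* Get the HSTS defined by containers w/ the same vhost, falling back to the proxy container's HSTS, then "max-age=31536000" */}}`. It is also worth stating, here or in the README text this patch touches, that a proxy-wide `HTTPS_METHOD=noredirect` now disables HSTS for every vhost that does not override it (per the README sentence in the same patch), which is a weaker default than before for operators who only meant to allow plain HTTP alongside HTTPS.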
+++ b/README.md @@ -1,5 +1,5 @@ ![latest 0.7.0](https://img.shields.io/badge/latest-0.7.0-green.svg?style=flat) -![nginx 1.17.6](https://img.shields.io/badge/nginx-1.17.6-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') +![nginx 1.17.8](https://img.shields.io/badge/nginx-1.17.8-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped. From 944163d70d5f1df6f999d3c1fe952fd46bba0c84 Mon Sep 17 00:00:00 2001 From: Nicolas Duchon Date: Fri, 20 Mar 2020 22:28:15 +0100 Subject: [PATCH 36/83] Bring ACME no redirection inline with companion Add the following to the Let's Encrypt ACME challenge "no redirection to HTTPS" https://github.com/nginx-proxy/docker-letsencrypt-nginx-proxy-companion/pull/570 https://github.com/nginx-proxy/docker-letsencrypt-nginx-proxy-companion/pull/335 --- nginx.tmpl | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/nginx.tmpl b/nginx.tmpl index 18f943a..2c3f36c 100644 --- a/nginx.tmpl +++ b/nginx.tmpl 
@@ -251,8 +251,9 @@ server { access_log /var/log/nginx/access.log vhost; # Do not HTTPS redirect Let'sEncrypt ACME challenge - location /.well-known/acme-challenge/ { + location ^~ /.well-known/acme-challenge/ { auth_basic off; + auth_request off; allow all; root /usr/share/nginx/html; try_files $uri =404; From e8b68e5f419138e98211ed13eb90f3973cee2e32 Mon Sep 17 00:00:00 2001 From: Brad King Date: Fri, 8 May 2020 19:09:42 -0700 Subject: [PATCH 37/83] Fix docker-gen Docker Hub URL --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index b5e0825..2e74ba8 100644 --- a/README.md +++ b/README.md @@ -147,7 +147,7 @@ To set the default host for nginx use the env var `DEFAULT_HOST=foo.bar.com` for ### Separate Containers -nginx-proxy can also be run as two separate containers using the [jwilder/docker-gen](https://index.docker.io/u/jwilder/docker-gen/) +nginx-proxy can also be run as two separate containers using the [jwilder/docker-gen](https://hub.docker.com/r/jwilder/docker-gen) image and the official [nginx](https://registry.hub.docker.com/_/nginx/) image. You may want to do this to prevent having the docker socket bound to a publicly exposed container service. @@ -224,7 +224,7 @@ is reloaded. This generation process only occurs the first time you start `ngin > key on startup by passing `-e DHPARAM_BITS=1024`. In the separate container setup, no pregenerated key will be available and neither the -[jwilder/docker-gen](https://index.docker.io/u/jwilder/docker-gen/) image nor the offical +[jwilder/docker-gen](https://hub.docker.com/r/jwilder/docker-gen) image nor the offical [nginx](https://registry.hub.docker.com/_/nginx/) image will generate one. If you still want A+ security in a separate container setup, you'll have to generate a 2048 bits DH key file manually and mount it on the nginx container, at `/etc/nginx/dhparam/dhparam.pem`. From be107963a7dc931322ba90f7d40d5feb46dd13b2 Mon Sep 17 00:00:00 2001 
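Review bot: The new `auth_request off;` line and the `^~` modifier are undocumented, while the existing comment `# Do not HTTPS redirect Let'sEncrypt ACME challenge` now understates the block's job: with `^~` it also takes precedence over any regex `location` in this server, and it disables both basic auth and `auth_request` so the challenge is reachable unauthenticated (with `allow all` already lifting IP restrictions). Suggest replacing that comment with `# Let's Encrypt ACME challenge: serve over plain HTTP, ahead of regex locations (^~), with basic auth, auth_request and IP restrictions disabled`. `auth_request off` needs ngx_http_auth_request_module, which the official nginx images are built with, but a custom base image without it would fail `nginx -t`. The enclosing `server {` block starts before the hunk.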
From: Benjamin Freitag Date: Mon, 15 Jun 2020 04:22:58 +0200 Subject: [PATCH 38/83] update key length , speed up dhparam generation --- generate-dhparam.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/generate-dhparam.sh b/generate-dhparam.sh index 4099dde..03b828c 100755 --- a/generate-dhparam.sh +++ b/generate-dhparam.sh @@ -1,7 +1,7 @@ #!/bin/bash -e -# The first argument is the bit depth of the dhparam, or 2048 if unspecified -DHPARAM_BITS=${1:-2048} +# The first argument is the bit depth of the dhparam, or 4096 if unspecified +DHPARAM_BITS=${1:-4096} GENERATE_DHPARAM=${2:-true} # If a dhparam file is not available, use the pre-generated one and generate a new one in the background. @@ -43,7 +43,7 @@ touch $GEN_LOCKFILE # Generate a new dhparam in the background in a low priority and reload nginx when finished (grep removes the progress indicator). ( ( - nice -n +5 openssl dhparam -out $DHPARAM_FILE.tmp $DHPARAM_BITS 2>&1 \ + nice -n +5 openssl dhparam -dsaparam -out $DHPARAM_FILE.tmp $DHPARAM_BITS 2>&1 \ && mv $DHPARAM_FILE.tmp $DHPARAM_FILE \ && echo "dhparam generation complete, reloading nginx" \ && nginx -s reload From 5c252001a50cb8225426cc91fbf7d4ca828a8499 Mon Sep 17 00:00:00 2001 From: Esteban Cerutti Date: Sat, 3 Oct 2020 21:08:12 -0300 Subject: [PATCH 39/83] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 4c680ad..0b0e05b 100644 --- a/README.md +++ b/README.md @@ -53,6 +53,7 @@ services: image: jwilder/whoami environment: - VIRTUAL_HOST=whoami.local + - VIRTUAL_PORT=8000 ``` ```shell From ea28f2f32faa9c84b84b64610d43e532d2272c9d Mon Sep 17 00:00:00 2001 From: lemker Date: Thu, 8 Oct 2020 19:05:47 -0700 Subject: [PATCH 40/83] Upgrade Nginx to 1.19.3 --- Dockerfile | 2 +- Dockerfile.alpine | 2 +- README.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index e4fa49c..c528481 100644 --- a/Dockerfile +++ b/Dockerfile 
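Review bot: `-dsaparam` changes the cryptographic properties of the generated file, not just its generation time, and the second hunk leaves that undocumented: OpenSSL's DSA-style generation yields a prime that is not a safe prime, which OpenSSL's own documentation pairs with a recommendation to use the resulting DH keys only ephemerally. nginx uses `ssl_dhparam` for DHE key exchange, so this is presumably acceptable here, but the file persists on a volume and may be reused by people who mount it elsewhere. Suggested comment above the `nice -n +5 openssl dhparam` line: `# -dsaparam: far faster than safe-prime generation, but the result is NOT a safe prime; only acceptable because nginx uses this file for ephemeral DHE, never static DH keys.` The first hunk's jump to a 4096-bit default is what makes the speed-up necessary, and the README wording in this series ("4096 bits for A+ security") should mention the trade-off rather than imply the stronger generation mode.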
@@ -1,4 +1,4 @@ -FROM nginx:1.17.8 +FROM nginx:1.19.3 LABEL maintainer="Jason Wilder mail@jasonwilder.com" # Install wget and install/updates certificates diff --git a/Dockerfile.alpine b/Dockerfile.alpine index 847c848..4b5545b 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine @@ -1,4 +1,4 @@ -FROM nginx:1.17.8-alpine +FROM nginx:1.19.3-alpine LABEL maintainer="Jason Wilder mail@jasonwilder.com" # Install wget and install/updates certificates diff --git a/README.md b/README.md index 4c680ad..39a9b78 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ ![latest 0.7.0](https://img.shields.io/badge/latest-0.7.0-green.svg?style=flat) -![nginx 1.17.8](https://img.shields.io/badge/nginx-1.17.8-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') +![nginx 1.19.3](https://img.shields.io/badge/nginx-1.19.3-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped. From c8a6785898e1ac860f5734a1eac6d395158a777f Mon Sep 17 00:00:00 2001 
From: Jason Wilder Date: Fri, 30 Oct 2020 10:19:56 -0600 Subject: [PATCH 41/83] Update version to 0.8.0 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 39a9b78..0c62a10 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -![latest 0.7.0](https://img.shields.io/badge/latest-0.7.0-green.svg?style=flat) +![latest 0.8.0](https://img.shields.io/badge/latest-0.8.0-green.svg?style=flat) ![nginx 1.19.3](https://img.shields.io/badge/nginx-1.19.3-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') From aba100ff7b27251aceb20d80d7e6abeff0b42665 Mon Sep 17 00:00:00 2001 From: Thibault Soubiran Date: Wed, 2 Dec 2020 13:18:32 +0100 Subject: [PATCH 42/83] Update docker-entrypoint.sh Default key size is not 2048 anymore but 4096, reference : https://github.com/nginx-proxy/nginx-proxy/blob/master/generate-dhparam.sh#L4 --- docker-entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index b425dfe..b5ed3c6 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -15,7 +15,7 @@ if [[ $DOCKER_HOST = unix://* ]]; then fi # Generate dhparam file if required -# Note: if $DHPARAM_BITS is not defined, generate-dhparam.sh will use 2048 as a default +# Note: if $DHPARAM_BITS is not defined, generate-dhparam.sh will use 4096 as a default # Note2: if $DHPARAM_GENERATION is set to false in environment variable, dh param generator will skip completely /app/generate-dhparam.sh $DHPARAM_BITS $DHPARAM_GENERATION 
From 8d0ab905360f8671951023336a36b112f43061e5 Mon Sep 17 00:00:00 2001 From: Thibault Soubiran Date: Sun, 6 Dec 2020 19:09:55 +0100 Subject: [PATCH 43/83] Update README for DHParam default size --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 0c62a10..3709ec5 100644 --- a/README.md +++ b/README.md @@ -218,7 +218,7 @@ at startup. Since it can take minutes to generate a new `dhparam.pem`, it is do background. Once generation is complete, the `dhparam.pem` is saved on a persistent volume and nginx is reloaded. This generation process only occurs the first time you start `nginx-proxy`. -> COMPATIBILITY WARNING: The default generated `dhparam.pem` key is 2048 bits for A+ security. Some +> COMPATIBILITY WARNING: The default generated `dhparam.pem` key is 4096 bits for A+ security. Some > older clients (like Java 6 and 7) do not support DH keys with over 1024 bits. In order to support these > clients, you must either provide your own `dhparam.pem`, or tell `nginx-proxy` to generate a 1024-bit > key on startup by passing `-e DHPARAM_BITS=1024`. @@ -226,7 +226,7 @@ is reloaded. This generation process only occurs the first time you start `ngin In the separate container setup, no pregenerated key will be available and neither the [jwilder/docker-gen](https://hub.docker.com/r/jwilder/docker-gen) image nor the offical [nginx](https://registry.hub.docker.com/_/nginx/) image will generate one. If you still want A+ security -in a separate container setup, you'll have to generate a 2048 bits DH key file manually and mount it on the +in a separate container setup, you'll have to generate a 2048 or 4096 bits DH key file manually and mount it on the nginx container, at `/etc/nginx/dhparam/dhparam.pem`. #### Wildcard Certificates 
@@ -268,7 +268,7 @@ and the [AWS ELB Security Policies](https://docs.aws.amazon.com/elasticloadbalan `AWS-TLS-1-2-2017-01`, `AWS-TLS-1-1-2017-01`, `AWS-2016-08`, `AWS-2015-05`, `AWS-2015-03` and `AWS-2015-02`. Note that the `Mozilla-Old` policy should use a 1024 bits DH key for compatibility but this container generates -a 2048 bits key. The [Diffie-Hellman Groups](#diffie-hellman-groups) section details different methods of bypassing +a 4096 bits key. The [Diffie-Hellman Groups](#diffie-hellman-groups) section details different methods of bypassing this, either globally or per virtual-host. The default behavior for the proxy when port 80 and 443 are exposed is as follows: From 2bde43c6e94c9f9cb818636b1c84858537830300 Mon Sep 17 00:00:00 2001 From: Joe Polny Date: Fri, 5 Feb 2021 19:56:56 +0000 Subject: [PATCH 44/83] remove scoped ipv6 resolvers --- docker-entrypoint.sh | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index b425dfe..6eeada9 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -21,9 +21,16 @@ fi # Compute the DNS resolvers for use in the templates - if the IP contains ":", it's IPv6 and must be enclosed in [] export RESOLVERS=$(awk '$1 == "nameserver" {print ($2 ~ ":")? "["$2"]": $2}' ORS=' ' /etc/resolv.conf | sed 's/ *$//g') + +SCOPED_IPV6_REGEX="\[fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}\]" + if [ "x$RESOLVERS" = "x" ]; then - echo "Warning: unable to determine DNS resolvers for nginx" >&2 - unset RESOLVERS + echo "Warning: unable to determine DNS resolvers for nginx" >&2 + unset RESOLVERS +elif [[ $RESOLVERS =~ $SCOPED_IPV6_REGEX ]]; then + echo -n "Warning: Scoped IPv6 addresses removed from resolvers: " >&2 + echo $RESOLVERS | grep -Eo $SCOPED_IPV6_REGEX | paste -s -d ' ' >&2 + export RESOLVERS=$(echo $RESOLVERS | sed -r "s/$SCOPED_IPV6_REGEX//g" | xargs echo -n) fi # If the user has run the default command and the socket doesn't exist, fail 
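Review bot: `SCOPED_IPV6_REGEX` only recognises the compressed `fe80::` spelling — the literal `fe80:` is followed by groups that must each start with `:`, so an uncompressed `fe80:0:0:0:…%eth0` entry (constructed example) matches neither the `[[ =~ ]]` test nor the `grep`/`sed` and reaches the generated `resolver` directive unchanged, and any scoped address outside `fe80:` is passed through as well. A pattern such as `SCOPED_IPV6_REGEX="\[fe80(:[0-9a-fA-F]{0,4}){1,7}%[0-9a-zA-Z]+\]"` accepts both spellings. The regex and `$RESOLVERS` are also expanded unquoted in `echo $RESOLVERS | grep -Eo $SCOPED_IPV6_REGEX`, where the bracket expressions are exposed to pathname globbing; `printf '%s\n' "$RESOLVERS" | grep -Eo "$SCOPED_IPV6_REGEX"` avoids that and the `echo` pitfalls. The `xargs echo -n` at the end is an indirect way to collapse the whitespace left by the deletion and deserves a one-line comment saying so.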
From 1a0d0d822ef1b07d1100b1af0cac231d94c35880 Mon Sep 17 00:00:00 2001 From: Joe Polny Date: Sat, 6 Feb 2021 18:47:01 +0000 Subject: [PATCH 45/83] update IPv6 section in README --- README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README.md b/README.md index 0c62a10..595b461 100644 --- a/README.md +++ b/README.md @@ -67,6 +67,14 @@ You can activate the IPv6 support for the nginx-proxy container by passing the v $ docker run -d -p 80:80 -e ENABLE_IPV6=true -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy +#### Scoped IPv6 Resolvers + +NginX does not support scoped IPv6 resolvers. In [docker-entrypoint.sh](./docker-entrypoint.sh) the resolvers are parsed from resolv.conf, but any scoped IPv6 addreses will be removed. + +#### IPv6 NAT + +By default, docker uses IPv6-to-IPv4 NAT. This means all client connections from IPv6 addresses will show docker's internal IPv4 host address. To see true IPv6 client IP addresses, you must [enable IPv6](https://docs.docker.com/config/daemon/ipv6/) and use [ipv6nat](https://github.com/robbertkl/docker-ipv6nat). You must also disable the userland proxy by adding `"userland-proxy": false` to `/etc/docker/daemon.json` and restarting the daemon. + ### Multiple Ports If your container exposes multiple ports, nginx-proxy will default to the service running on port 80. If you need to specify a different port, you can set a VIRTUAL_PORT env var to select a different one. If your container only exposes one port and it has a VIRTUAL_HOST env var set, that port will be selected. From 886dd04b62a300c70b77e4b4519868f5f88addb7 Mon Sep 17 00:00:00 2001 
From: Tom Wiesing Date: Fri, 10 Jul 2020 14:26:03 +0200 Subject: [PATCH 46/83] Enable multi-architecture docker image builds Previously, the Dockerfile downloaded 'docker-gen' and 'forego' binaries during build time. This caused a problem as it hard-coded the amd64 architecture for the images. This commit updates both 'Dockerfile' and 'Dockerfile.alpine' to build the `forego` and `docker-gen` executables from scratch instead of downloading binaries directly. This is achieved using multi-stage builds [1]. Two seperate stages first build the binaries, and are then copied over to the final stage. The advantage of this change is two-fold: First, it enables building this image on architectures other than amd64. Secondly it adds trust by not adding external binaries to the docker image. This modified version passes the test both a linux desktop (amd64) as well as a raspberry pi (armv7) with some caveats: - On armv7, a modified version of the `jwilder/docker-gen` image is required. See a seperate PR at [2]. - The 'test_dhparam_is_generated_if_missing' test fails. This also doesn't currently pass on master. [1] https://docs.docker.com/develop/develop-images/multistage-build/ [2] https://github.com/jwilder/docker-gen/pull/327 --- Dockerfile | 63 +++++++++++++++++++++++++++++++++++++++------- Dockerfile.alpine | 64 ++++++++++++++++++++++++++++++++++++++++------- 2 files changed, 109 insertions(+), 18 deletions(-) diff --git a/Dockerfile b/Dockerfile index c528481..c3e9b41 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,4 +1,50 @@ -FROM nginx:1.19.3 +# setup build arguments for version of dependencies to use +ARG NGINX_VERSION=1.19.3 +ARG GO_VERSION=1.14 + +ARG DOCKER_GEN_VERSION=0.7.4 +ARG FOREGO_VERSION=0.16.1 + +# Use a specific version of golang to build both binaries +FROM golang:$GO_VERSION as gobuilder + +# Build docker-gen from scratch +FROM gobuilder as dockergen + +# Download the sources for the given version +ARG DOCKER_GEN_VERSION +ADD https://github.com/jwilder/docker-gen/archive/${DOCKER_GEN_VERSION}.tar.gz sources.tar.gz + +# Move the sources into the right directory +RUN tar -xzf sources.tar.gz && \ + mkdir -p /go/src/github.com/jwilder/ && \ + mv docker-gen-* /go/src/github.com/jwilder/docker-gen + +# Install the dependencies and make the docker-gen executable +WORKDIR /go/src/github.com/jwilder/docker-gen +RUN go get -v ./... && \ + CGO_ENABLED=0 GOOS=linux go build -ldflags "-X main.buildVersion=${DOCKER_GEN_VERSION}" ./cmd/docker-gen + +# Build forego from scratch +# Because this relies on golang workspaces, we need to use go < 1.8. +FROM gobuilder as forego + +# Download the sources for the given version +ARG FOREGO_VERSION +ADD https://github.com/jwilder/forego/archive/v${FOREGO_VERSION}.tar.gz sources.tar.gz + +# Move the sources into the right directory +RUN tar -xzf sources.tar.gz && \ + mkdir -p /go/src/github.com/ddollar/ && \ + mv forego-* /go/src/github.com/ddollar/forego + +# Install the dependencies and make the forego executable +WORKDIR /go/src/github.com/ddollar/forego/ +RUN go get -v ./... && \ + CGO_ENABLED=0 GOOS=linux go build -o forego . + +# Build the final image +FROM nginx:$NGINX_VERSION LABEL maintainer="Jason Wilder mail@jasonwilder.com" # Install wget and install/updates certificates 
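Review bot: The sources are fetched without integrity verification: `ADD https://github.com/jwilder/docker-gen/archive/${DOCKER_GEN_VERSION}.tar.gz sources.tar.gz` and the forego `ADD` pin a version string but no digest, and `go get -v ./...` resolves dependencies at build time from whatever the VCS hosts or module proxy serve that day (whether the tagged sources carry go.mod/go.sum is not visible here), so the commit message's claim that building from source "adds trust" over downloading binaries only partly holds. A `RUN echo "<SHA256_PLACEHOLDER>  sources.tar.gz" | sha256sum -c -` after each `ADD` would pin the inputs, at the cost of updating the digest on each version bump. The stage comment `# Because this relies on golang workspaces, we need to use go < 1.8.` contradicts `ARG GO_VERSION=1.14` in the same hunk and should be corrected or dropped. The Dockerfile.alpine hunk further down repeats all of this.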
@@ -14,15 +60,14 @@ RUN apt-get update \ RUN echo "daemon off;" >> /etc/nginx/nginx.conf \ && sed -i 's/worker_processes 1/worker_processes auto/' /etc/nginx/nginx.conf -# Install Forego -ADD https://github.com/jwilder/forego/releases/download/v0.16.1/forego /usr/local/bin/forego -RUN chmod u+x /usr/local/bin/forego +# Install Forego + docker-gen +COPY --from=forego /go/src/github.com/ddollar/forego/forego /usr/local/bin/forego +COPY --from=dockergen /go/src/github.com/jwilder/docker-gen/docker-gen /usr/local/bin/docker-gen -ENV DOCKER_GEN_VERSION 0.7.4 - -RUN wget https://github.com/jwilder/docker-gen/releases/download/$DOCKER_GEN_VERSION/docker-gen-linux-amd64-$DOCKER_GEN_VERSION.tar.gz \ - && tar -C /usr/local/bin -xvzf docker-gen-linux-amd64-$DOCKER_GEN_VERSION.tar.gz \ - && rm /docker-gen-linux-amd64-$DOCKER_GEN_VERSION.tar.gz +# Add DOCKER_GEN_VERSION environment variable +# Because some external projects rely on it +ARG DOCKER_GEN_VERSION +ENV DOCKER_GEN_VERSION=${DOCKER_GEN_VERSION} COPY network_internal.conf /etc/nginx/ diff --git a/Dockerfile.alpine b/Dockerfile.alpine index 4b5545b..af4e9a0 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine 
@@ -1,4 +1,51 @@ -FROM nginx:1.19.3-alpine +# setup build arguments for version of dependencies to use +ARG NGINX_VERSION=1.19.3-alpine +ARG GO_VERSION=1.14-alpine + +ARG DOCKER_GEN_VERSION=0.7.4 +ARG FOREGO_VERSION=0.16.1 + +# Use a specific version of golang to build both binaries +FROM golang:$GO_VERSION as gobuilder +RUN apk add --no-cache git + +# Build docker-gen from scratch +FROM gobuilder as dockergen + +# Download the sources for the given version +ARG DOCKER_GEN_VERSION +ADD https://github.com/jwilder/docker-gen/archive/${DOCKER_GEN_VERSION}.tar.gz sources.tar.gz + +# Move the sources into the right directory +RUN tar -xzf sources.tar.gz && \ + mkdir -p /go/src/github.com/jwilder/ && \ + mv docker-gen-* /go/src/github.com/jwilder/docker-gen + +# Install the dependencies and make the docker-gen executable +WORKDIR /go/src/github.com/jwilder/docker-gen +RUN go get -v ./... && \ + CGO_ENABLED=0 GOOS=linux go build -ldflags "-X main.buildVersion=${DOCKER_GEN_VERSION}" ./cmd/docker-gen + +# Build forego from scratch +# Because this relies on golang workspaces, we need to use go < 1.8. +FROM gobuilder as forego + +# Download the sources for the given version +ARG FOREGO_VERSION +ADD https://github.com/jwilder/forego/archive/v${FOREGO_VERSION}.tar.gz sources.tar.gz + +# Move the sources into the right directory +RUN tar -xzf sources.tar.gz && \ + mkdir -p /go/src/github.com/ddollar/ && \ + mv forego-* /go/src/github.com/ddollar/forego + +# Install the dependencies and make the forego executable +WORKDIR /go/src/github.com/ddollar/forego/ +RUN go get -v ./... && \ + CGO_ENABLED=0 GOOS=linux go build -o forego . + +# Build the final image +FROM nginx:$NGINX_VERSION LABEL maintainer="Jason Wilder mail@jasonwilder.com" # Install wget and install/updates certificates 
@@ -11,15 +58,14 @@ RUN apk add --no-cache --virtual .run-deps \ RUN echo "daemon off;" >> /etc/nginx/nginx.conf \ && sed -i 's/worker_processes 1/worker_processes auto/' /etc/nginx/nginx.conf -# Install Forego -ADD https://github.com/jwilder/forego/releases/download/v0.16.1/forego /usr/local/bin/forego -RUN chmod u+x /usr/local/bin/forego +# Install Forego + docker-gen +COPY --from=forego /go/src/github.com/ddollar/forego/forego /usr/local/bin/forego +COPY --from=dockergen /go/src/github.com/jwilder/docker-gen/docker-gen /usr/local/bin/docker-gen -ENV DOCKER_GEN_VERSION 0.7.4 - -RUN wget --quiet https://github.com/jwilder/docker-gen/releases/download/$DOCKER_GEN_VERSION/docker-gen-alpine-linux-amd64-$DOCKER_GEN_VERSION.tar.gz \ - && tar -C /usr/local/bin -xvzf docker-gen-alpine-linux-amd64-$DOCKER_GEN_VERSION.tar.gz \ - && rm /docker-gen-alpine-linux-amd64-$DOCKER_GEN_VERSION.tar.gz +# Add DOCKER_GEN_VERSION environment variable +# Because some external projects rely on it +ARG DOCKER_GEN_VERSION +ENV DOCKER_GEN_VERSION=${DOCKER_GEN_VERSION} COPY network_internal.conf /etc/nginx/ From 3a8b49f153ea71a0c01ac6532706205219273723 Mon Sep 17 00:00:00 2001 From: Nicolas Duchon Date: Thu, 1 Apr 2021 12:14:32 +0200 Subject: [PATCH 47/83] ci: build and push to DockerHub w/ GitHub Actions --- .github/workflows/dockerhub.yml | 87 +++++++++++++++++++++++++++++++++ 1 file changed, 87 insertions(+) create mode 100644 .github/workflows/dockerhub.yml diff --git a/.github/workflows/dockerhub.yml b/.github/workflows/dockerhub.yml new file mode 100644 index 0000000..8191c26 --- /dev/null +++ b/.github/workflows/dockerhub.yml 
@@ -0,0 +1,87 @@ +name: DockerHub + +on: + workflow_dispatch: + push: + branches: + - master + tags: + - '*.*.*' + paths-ignore: + - 'test/*' + - '.gitignore' + - '.travis.yml' + - 'docker-compose-separate-containers.yml' + - 'docker-compose.yml' + - 'LICENSE' + - 'Makefile' + - '*.md' + +jobs: + multiarch-build: + runs-on: ubuntu-latest + steps: + + - name: Checkout + uses: actions/checkout@v2 + with: + fetch-depth: 0 + + - name: Get Docker tags for Debian based image + id: docker_meta_debian + uses: crazy-max/ghaction-docker-meta@v1 + with: + images: nginxproxy/nginx-proxy + tag-semver: | + {{version}} + {{major}}.{{minor}} + + - name: Get Docker tags for Alpine based image + id: docker_meta_alpine + uses: crazy-max/ghaction-docker-meta@v1 + with: + images: nginxproxy/nginx-proxy + tag-semver: | + {{version}}-alpine + {{major}}.{{minor}}-alpine + + - name: Set up QEMU + uses: docker/setup-qemu-action@v1 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v1 + + - name: Login to DockerHub + uses: docker/login-action@v1 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Build and push the Debian based image + id: docker_build_debian + uses: docker/build-push-action@v2 + with: + file: Dockerfile + platforms: linux/amd64 + push: true + tags: | + ${{ github.ref != 'refs/heads/master' && steps.docker_meta_debian.outputs.tags || '' }} + ${{ github.ref == 'refs/heads/master' && 'nginxproxy/nginx-proxy:latest' || '' }} + labels: ${{ steps.docker_meta.outputs.labels }} + + - name: Build and push the Alpine based image + id: docker_build_alpine + uses: docker/build-push-action@v2 + with: + file: Dockerfile.alpine + platforms: linux/amd64 + push: true + tags: | + ${{ github.ref != 'refs/heads/master' && steps.docker_meta_alpine.outputs.tags || '' }} + ${{ github.ref == 'refs/heads/master' && 'nginxproxy/nginx-proxy:alpine' || '' }} + labels: ${{ steps.docker_meta.outputs.labels }} + + - name: Images 
digests + run: | + echo ${{ steps.docker_build_debian.outputs.digest }} + echo ${{ steps.docker_build_alpine.outputs.digest }} From 6b8cd894dab7321853c7b25ce6fafca87f5b3d0b Mon Sep 17 00:00:00 2001 From: Tom Wiesing Date: Thu, 1 Apr 2021 13:54:37 +0200 Subject: [PATCH 48/83] Hardcode go 1.15.10 for use in Docker Images This commit updates both 'Dockerfile' and 'Dockerfile.alpine' to use 'go.15.10' when building the dependencies. This change was implemented after feedback from @buchdag to be able to use dependabot. --- Dockerfile | 3 +-- Dockerfile.alpine | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index c3e9b41..bf7d4cb 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,12 +1,11 @@ # setup build arguments for version of dependencies to use ARG NGINX_VERSION=1.19.3 -ARG GO_VERSION=1.14 ARG DOCKER_GEN_VERSION=0.7.4 ARG FOREGO_VERSION=0.16.1 # Use a specific version of golang to build both binaries -FROM golang:$GO_VERSION as gobuilder +FROM golang:1.15.10 as gobuilder # Build docker-gen from scratch FROM gobuilder as dockergen diff --git a/Dockerfile.alpine b/Dockerfile.alpine index af4e9a0..feb9651 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine @@ -1,12 +1,11 @@ # setup build arguments for version of dependencies to use ARG NGINX_VERSION=1.19.3-alpine -ARG GO_VERSION=1.14-alpine ARG DOCKER_GEN_VERSION=0.7.4 ARG FOREGO_VERSION=0.16.1 # Use a specific version of golang to build both binaries -FROM golang:$GO_VERSION as gobuilder +FROM golang:1.15.10-alpine as gobuilder RUN apk add --no-cache git # Build docker-gen from scratch From 83ca0511d17b4d4202ab72abfed50dbaddef4fde Mon Sep 17 00:00:00 2001 
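Review bot: `labels: ${{ steps.docker_meta.outputs.labels }}` in both build-and-push steps references a step id that does not exist — the meta steps are `docker_meta_debian` and `docker_meta_alpine` — so the expression evaluates to empty and neither image gets the generated OCI labels; change them to `labels: ${{ steps.docker_meta_debian.outputs.labels }}` and `labels: ${{ steps.docker_meta_alpine.outputs.labels }}`. Every action is referenced by a mutable major tag (`actions/checkout@v2`, `crazy-max/ghaction-docker-meta@v1`, `docker/login-action@v1`, and so on) in a job that holds the DockerHub push token; pinning each `uses:` to a full commit SHA, with the version in a trailing comment, limits what a retagged or compromised action could do with that secret. The job is named `multiarch-build` and sets up QEMU, yet both builds pass `platforms: linux/amd64` only — presumably intentional for now, but a comment saying so would stop the next reader from treating it as an oversight.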
From: Tom Wiesing Date: Thu, 1 Apr 2021 15:54:26 +0200 Subject: [PATCH 49/83] Hardcode nginx 1.19.3 for use in Docker Images This commit updates both 'Dockerfile' and 'Dockerfile.alpine' to use 'nginx 1.19.3'. This change was implemented after feedback from @buchdag to be able to use dependabot. --- Dockerfile | 4 +--- Dockerfile.alpine | 4 +--- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index bf7d4cb..8dfc682 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,4 @@ # setup build arguments for version of dependencies to use -ARG NGINX_VERSION=1.19.3 - ARG DOCKER_GEN_VERSION=0.7.4 ARG FOREGO_VERSION=0.16.1 @@ -43,7 +41,7 @@ RUN go get -v ./... && \ CGO_ENABLED=0 GOOS=linux go build -o forego . # Build the final image -FROM nginx:$NGINX_VERSION +FROM nginx:1.19.3 LABEL maintainer="Jason Wilder mail@jasonwilder.com" # Install wget and install/updates certificates diff --git a/Dockerfile.alpine b/Dockerfile.alpine index feb9651..55f3912 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine @@ -1,6 +1,4 @@ # setup build arguments for version of dependencies to use -ARG NGINX_VERSION=1.19.3-alpine - ARG DOCKER_GEN_VERSION=0.7.4 ARG FOREGO_VERSION=0.16.1 @@ -44,7 +42,7 @@ RUN go get -v ./... && \ CGO_ENABLED=0 GOOS=linux go build -o forego . # Build the final image -FROM nginx:$NGINX_VERSION +FROM nginx:1.19.3-alpine LABEL maintainer="Jason Wilder mail@jasonwilder.com" # Install wget and install/updates certificates From ad7c02570bc69ffe184c7d4e431daf6765f8ef84 Mon Sep 17 00:00:00 2001 
From: Nicolas Duchon Date: Thu, 1 Apr 2021 16:06:09 +0200 Subject: [PATCH 50/83] chore: use nginxproxy's DockerHub registry Transitioning away from jwilder/nginx-proxy Please see #1304 for more details --- Makefile | 4 +- README.md | 48 +++++++++---------- docker-compose.yml | 2 +- docker-entrypoint.sh | 2 +- test/README.md | 8 ++-- test/conftest.py | 24 +++++----- .../test_deleted_cert/docker-compose.yml | 2 +- .../test_unreachable_network/README.md | 2 +- .../docker-compose.yml | 2 +- test/test_DOCKER_HOST_unix_socket.yml | 2 +- test/test_composev2.yml | 2 +- test/test_custom/test_defaults-location.yml | 2 +- test/test_custom/test_defaults.yml | 2 +- test/test_custom/test_location-per-vhost.yml | 2 +- test/test_custom/test_per-vhost.yml | 2 +- test/test_custom/test_proxy-wide.yml | 2 +- test/test_dockergen/test_dockergen_v2.py | 6 +-- test/test_dockergen/test_dockergen_v3.py | 6 +-- test/test_events.yml | 2 +- test/test_headers/test_http.yml | 2 +- test/test_headers/test_https.yml | 2 +- test/test_ipv6.yml | 2 +- test/test_multiple-hosts.yml | 2 +- test/test_multiple-networks.yml | 2 +- .../test_multiple-ports/test_VIRTUAL_PORT.yml | 2 +- test/test_multiple-ports/test_default-80.yml | 2 +- .../test_single-port-not-80.yml | 2 +- test/test_nominal.yml | 2 +- test/test_ssl/test_dhparam.yml | 2 +- test/test_ssl/test_dhparam_generation.yml | 2 +- test/test_ssl/test_hsts.py | 4 +- test/test_ssl/test_hsts.yml | 2 +- test/test_ssl/test_nohttp.yml | 2 +- test/test_ssl/test_nohttps.yml | 2 +- test/test_ssl/test_noredirect.yml | 2 +- test/test_ssl/test_wildcard.yml | 2 +- .../docker-compose.yml | 2 +- test/test_wildcard_host.yml | 2 +- 38 files changed, 79 insertions(+), 83 deletions(-) diff --git a/Makefile b/Makefile index 5f965f7..d7db2b8 100644 --- a/Makefile +++ b/Makefile 
@@ -6,11 +6,11 @@ update-dependencies: test/requirements/build.sh test-debian: update-dependencies - docker build -t jwilder/nginx-proxy:test . + docker build -t nginxproxy/nginx-proxy:test . test/pytest.sh test-alpine: update-dependencies - docker build -f Dockerfile.alpine -t jwilder/nginx-proxy:test . + docker build -f Dockerfile.alpine -t nginxproxy/nginx-proxy:test . test/pytest.sh test: test-debian test-alpine diff --git a/README.md b/README.md index 0c62a10..a390a5c 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ ![latest 0.8.0](https://img.shields.io/badge/latest-0.8.0-green.svg?style=flat) -![nginx 1.19.3](https://img.shields.io/badge/nginx-1.19.3-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') +![nginx 1.19.3](https://img.shields.io/badge/nginx-1.19.3-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/nginxproxy/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/nginxproxy/nginx-proxy 'DockerHub') nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped. 
@@ -10,7 +10,7 @@ See [Automated Nginx Reverse Proxy for Docker][2] for why you might want to use To run it: - $ docker run -d -p 80:80 -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy + $ docker run -d -p 80:80 -v /var/run/docker.sock:/tmp/docker.sock:ro nginxproxy/nginx-proxy Then start any containers you want proxied with an env var `VIRTUAL_HOST=subdomain.youdomain.com` @@ -24,17 +24,17 @@ Provided your DNS is setup to forward foo.bar.com to the host running nginx-prox The nginx-proxy images are available in two flavors. -#### jwilder/nginx-proxy:latest +#### nginxproxy/nginx-proxy:latest -This image uses the debian:jessie based nginx image. +This image uses the debian:buster based nginx image. - $ docker pull jwilder/nginx-proxy:latest + $ docker pull nginxproxy/nginx-proxy:latest -#### jwilder/nginx-proxy:alpine +#### nginxproxy/nginx-proxy:alpine This image is based on the nginx:alpine image. Use this image to fully support HTTP/2 (including ALPN required by recent Chrome versions). A valid certificate is required as well (see eg. below "SSL Support using letsencrypt" for more info). - $ docker pull jwilder/nginx-proxy:alpine + $ docker pull nginxproxy/nginx-proxy:alpine ### Docker Compose @@ -43,7 +43,7 @@ version: '2' services: nginx-proxy: - image: jwilder/nginx-proxy + image: nginxproxy/nginx-proxy ports: - "80:80" volumes: @@ -65,7 +65,7 @@ I'm 5b129ab83266 You can activate the IPv6 support for the nginx-proxy container by passing the value `true` to the `ENABLE_IPV6` environment variable: - $ docker run -d -p 80:80 -e ENABLE_IPV6=true -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy + $ docker run -d -p 80:80 -e ENABLE_IPV6=true -v /var/run/docker.sock:/tmp/docker.sock:ro nginxproxy/nginx-proxy ### Multiple Ports 
@@ -90,7 +90,7 @@ If you want your `nginx-proxy` container to be attached to a different network, ```console $ docker run -d -p 80:80 -v /var/run/docker.sock:/tmp/docker.sock:ro \ - --name my-nginx-proxy --net my-network jwilder/nginx-proxy + --name my-nginx-proxy --net my-network nginxproxy/nginx-proxy $ docker network connect my-other-network my-nginx-proxy ``` @@ -142,7 +142,7 @@ If you use fastcgi,you can set `VIRTUAL_ROOT=xxx` for your root directory To set the default host for nginx use the env var `DEFAULT_HOST=foo.bar.com` for example - $ docker run -d -p 80:80 -e DEFAULT_HOST=foo.bar.com -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy + $ docker run -d -p 80:80 -e DEFAULT_HOST=foo.bar.com -v /var/run/docker.sock:/tmp/docker.sock:ro nginxproxy/nginx-proxy ### Separate Containers @@ -160,7 +160,7 @@ $ curl -H "Host: whoami.local" localhost I'm 5b129ab83266 ``` -To run nginx proxy as a separate container you'll need to have [nginx.tmpl](https://github.com/jwilder/nginx-proxy/blob/master/nginx.tmpl) on your host system. +To run nginx proxy as a separate container you'll need to have [nginx.tmpl](https://github.com/nginx-proxy/nginx-proxy/blob/master/nginx.tmpl) on your host system. First start nginx with a volume: 
@@ -181,7 +181,7 @@ Finally, start your containers with `VIRTUAL_HOST` environment variables. $ docker run -e VIRTUAL_HOST=foo.bar.com ... ### SSL Support using letsencrypt -[letsencrypt-nginx-proxy-companion](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion) is a lightweight companion container for the nginx-proxy. It allows the creation/renewal of Let's Encrypt certificates automatically. +[letsencrypt-nginx-proxy-companion](https://github.com/nginx-proxy/docker-letsencrypt-nginx-proxy-companion) is a lightweight companion container for the nginx-proxy. It allows the creation/renewal of Let's Encrypt certificates automatically. Set `DHPARAM_GENERATION` environment variable to `false` to disabled Diffie-Hellman parameters completely. This will also ignore auto-generation made by `nginx-proxy`. The default value is `true` @@ -194,7 +194,7 @@ certificates or optionally specifying a cert name (for SNI) as an environment va To enable SSL: - $ docker run -d -p 80:80 -p 443:443 -v /path/to/certs:/etc/nginx/certs -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy + $ docker run -d -p 80:80 -p 443:443 -v /path/to/certs:/etc/nginx/certs -v /var/run/docker.sock:/tmp/docker.sock:ro nginxproxy/nginx-proxy The contents of `/path/to/certs` should contain the certificates and private keys for any virtual hosts in use. The certificate and keys should be named after the virtual host with a `.crt` and @@ -309,7 +309,7 @@ $ docker run -d -p 80:80 -p 443:443 \ -v /path/to/htpasswd:/etc/nginx/htpasswd \ -v /path/to/certs:/etc/nginx/certs \ -v /var/run/docker.sock:/tmp/docker.sock:ro \ - jwilder/nginx-proxy + nginxproxy/nginx-proxy ``` You'll need apache2-utils on the machine where you plan to create the htpasswd file. Follow these [instructions](http://httpd.apache.org/docs/2.2/programs/htpasswd.html) 
@@ -351,7 +351,7 @@ To add settings on a proxy-wide basis, add your configuration file under `/etc/n This can be done in a derived image by creating the file in a `RUN` command or by `COPY`ing the file into `conf.d`: ```Dockerfile -FROM jwilder/nginx-proxy +FROM nginxproxy/nginx-proxy RUN { \ echo 'server_tokens off;'; \ echo 'client_max_body_size 100m;'; \ @@ -360,7 +360,7 @@ RUN { \ Or it can be done by mounting in your custom configuration in your `docker run` command: - $ docker run -d -p 80:80 -p 443:443 -v /path/to/my_proxy.conf:/etc/nginx/conf.d/my_proxy.conf:ro -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy + $ docker run -d -p 80:80 -p 443:443 -v /path/to/my_proxy.conf:/etc/nginx/conf.d/my_proxy.conf:ro -v /var/run/docker.sock:/tmp/docker.sock:ro nginxproxy/nginx-proxy #### Per-VIRTUAL_HOST @@ -370,7 +370,7 @@ In order to allow virtual hosts to be dynamically configured as backends are add For example, if you have a virtual host named `app.example.com`, you could provide a custom configuration for that host as follows: - $ docker run -d -p 80:80 -p 443:443 -v /path/to/vhost.d:/etc/nginx/vhost.d:ro -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy + $ docker run -d -p 80:80 -p 443:443 -v /path/to/vhost.d:/etc/nginx/vhost.d:ro -v /var/run/docker.sock:/tmp/docker.sock:ro nginxproxy/nginx-proxy $ { echo 'server_tokens off;'; echo 'client_max_body_size 100m;'; } > /path/to/vhost.d/app.example.com If you are using multiple hostnames for a single container (e.g. `VIRTUAL_HOST=example.com,www.example.com`), the virtual host configuration file must exist for each hostname. If you would like to use the same configuration for multiple virtual host names, you can use a symlink: 
@@ -390,7 +390,7 @@ just like the previous section except with the suffix `_location`. For example, if you have a virtual host named `app.example.com` and you have configured a proxy_cache `my-cache` in another custom file, you could tell it to use a proxy cache as follows: - $ docker run -d -p 80:80 -p 443:443 -v /path/to/vhost.d:/etc/nginx/vhost.d:ro -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy + $ docker run -d -p 80:80 -p 443:443 -v /path/to/vhost.d:/etc/nginx/vhost.d:ro -v /var/run/docker.sock:/tmp/docker.sock:ro nginxproxy/nginx-proxy $ { echo 'proxy_cache my-cache;'; echo 'proxy_cache_valid 200 302 60m;'; echo 'proxy_cache_valid 404 1m;' } > /path/to/vhost.d/app.example.com_location If you are using multiple hostnames for a single container (e.g. `VIRTUAL_HOST=example.com,www.example.com`), the virtual host configuration file must exist for each hostname. If you would like to use the same configuration for multiple virtual host names, you can use a symlink: @@ -409,15 +409,15 @@ Before submitting pull requests or issues, please check github to make sure an e #### Running Tests Locally -To run tests, you need to prepare the docker image to test which must be tagged `jwilder/nginx-proxy:test`: +To run tests, you need to prepare the docker image to test which must be tagged `nginxproxy/nginx-proxy:test`: - docker build -t jwilder/nginx-proxy:test . # build the Debian variant image + docker build -t nginxproxy/nginx-proxy:test . # build the Debian variant image and call the [test/pytest.sh](test/pytest.sh) script. Then build the Alpine variant of the image: - docker build -f Dockerfile.alpine -t jwilder/nginx-proxy:test . # build the Alpline variant image + docker build -f Dockerfile.alpine -t nginxproxy/nginx-proxy:test . # build the Alpline variant image and call the [test/pytest.sh](test/pytest.sh) script again. 
@@ -428,7 +428,3 @@ If your system has the `make` command, you can automate those tasks by calling: You can learn more about how the test suite works and how to write new tests in the [test/README.md](test/README.md) file. - -### Need help? - -If you have questions on how to use the image, please ask them on the [Q&A Group](https://groups.google.com/forum/#!forum/nginx-proxy) diff --git a/docker-compose.yml b/docker-compose.yml index b76f0c0..138f396 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,7 +1,7 @@ version: '2' services: nginx-proxy: - image: jwilder/nginx-proxy + image: nginxproxy/nginx-proxy container_name: nginx-proxy ports: - "80:80" diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index b425dfe..988a357 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -7,7 +7,7 @@ if [[ $DOCKER_HOST = unix://* ]]; then if ! [ -S $socket_file ]; then cat >&2 <<-EOT ERROR: you need to share your Docker host socket with a volume at $socket_file - Typically you should run your jwilder/nginx-proxy with: \`-v /var/run/docker.sock:$socket_file:ro\` + Typically you should run your nginxproxy/nginx-proxy with: \`-v /var/run/docker.sock:$socket_file:ro\` See the documentation at http://git.io/vZaGJ EOT socketMissing=1 diff --git a/test/README.md b/test/README.md index 9d7a57c..c62960a 100644 --- a/test/README.md +++ b/test/README.md 
@@ -15,13 +15,13 @@ If you can't install those requirements on your computer, you can alternatively Prepare the nginx-proxy test image ---------------------------------- - docker build -t jwilder/nginx-proxy:test .. + docker build -t nginxproxy/nginx-proxy:test .. or if you want to test the alpine flavor: - docker build -t jwilder/nginx-proxy:test -f Dockerfile.alpine .. + docker build -t nginxproxy/nginx-proxy:test -f Dockerfile.alpine .. -make sure to tag that test image exactly `jwilder/nginx-proxy:test` or the test suite won't work. +make sure to tag that test image exactly `nginxproxy/nginx-proxy:test` or the test suite won't work. Run the test suite @@ -65,7 +65,7 @@ In your tests, you can use the `docker_compose` variable to query and command th Also this fixture alters the way the python interpreter resolves domain names to IP addresses in the following ways: -Any domain name containing the substring `nginx-proxy` will resolve to the IP address of the container that was created from the `jwilder/nginx-proxy:test` image. So all the following domain names will resolve to the nginx-proxy container in tests: +Any domain name containing the substring `nginx-proxy` will resolve to the IP address of the container that was created from the `nginxproxy/nginx-proxy:test` image. So all the following domain names will resolve to the nginx-proxy container in tests: - `nginx-proxy` - `nginx-proxy.com` - `www.nginx-proxy.com` diff --git a/test/conftest.py b/test/conftest.py index 6bd172a..a9bead2 100644 --- a/test/conftest.py +++ b/test/conftest.py 
@@ -68,11 +68,11 @@ class requests_for_docker(object): """ Return the nginx config file """ - nginx_proxy_containers = docker_client.containers.list(filters={"ancestor": "jwilder/nginx-proxy:test"}) + nginx_proxy_containers = docker_client.containers.list(filters={"ancestor": "nginxproxy/nginx-proxy:test"}) if len(nginx_proxy_containers) > 1: - pytest.fail("Too many running jwilder/nginx-proxy:test containers", pytrace=False) + pytest.fail("Too many running nginxproxy/nginx-proxy:test containers", pytrace=False) elif len(nginx_proxy_containers) == 0: - pytest.fail("No running jwilder/nginx-proxy:test container", pytrace=False) + pytest.fail("No running nginxproxy/nginx-proxy:test container", pytrace=False) return get_nginx_conf_from_container(nginx_proxy_containers[0]) def get(self, *args, **kwargs): @@ -162,16 +162,16 @@ def container_ipv6(container): def nginx_proxy_dns_resolver(domain_name): """ if "nginx-proxy" if found in host, return the ip address of the docker container - issued from the docker image jwilder/nginx-proxy:test. + issued from the docker image nginxproxy/nginx-proxy:test. :return: IP or None """ log = logging.getLogger('DNS') log.debug("nginx_proxy_dns_resolver(%r)" % domain_name) if 'nginx-proxy' in domain_name: - nginxproxy_containers = docker_client.containers.list(filters={"status": "running", "ancestor": "jwilder/nginx-proxy:test"}) + nginxproxy_containers = docker_client.containers.list(filters={"status": "running", "ancestor": "nginxproxy/nginx-proxy:test"}) if len(nginxproxy_containers) == 0: - log.warn("no container found from image jwilder/nginx-proxy:test while resolving %r", domain_name) + log.warn("no container found from image nginxproxy/nginx-proxy:test while resolving %r", domain_name) return nginxproxy_container = nginxproxy_containers[0] ip = container_ip(nginxproxy_container) 
@@ -211,7 +211,7 @@ def monkey_patch_urllib_dns_resolver(): """ Alter the behavior of the urllib DNS resolver so that any domain name containing substring 'nginx-proxy' will resolve to the IP address - of the container created from image 'jwilder/nginx-proxy:test'. + of the container created from image 'nginxproxy/nginx-proxy:test'. """ prv_getaddrinfo = socket.getaddrinfo dns_cache = {} @@ -278,10 +278,10 @@ def docker_compose_down(compose_file='docker-compose.yml'): def wait_for_nginxproxy_to_be_ready(): """ - If one (and only one) container started from image jwilder/nginx-proxy:test is found, + If one (and only one) container started from image nginxproxy/nginx-proxy:test is found, wait for its log to contain substring "Watching docker events" """ - containers = docker_client.containers.list(filters={"ancestor": "jwilder/nginx-proxy:test"}) + containers = docker_client.containers.list(filters={"ancestor": "nginxproxy/nginx-proxy:test"}) if len(containers) != 1: return container = containers[0] @@ -439,7 +439,7 @@ def nginxproxy(): def pytest_runtest_logreport(report): if report.failed: if isinstance(report.longrepr, ReprExceptionInfo): - test_containers = docker_client.containers.list(all=True, filters={"ancestor": "jwilder/nginx-proxy:test"}) + test_containers = docker_client.containers.list(all=True, filters={"ancestor": "nginxproxy/nginx-proxy:test"}) for container in test_containers: report.longrepr.addsection('nginx-proxy logs', container.logs()) report.longrepr.addsection('nginx-proxy conf', get_nginx_conf_from_container(container)) 
@@ -465,9 +465,9 @@ def pytest_runtest_setup(item): ############################################################################### try: - docker_client.images.get('jwilder/nginx-proxy:test') + docker_client.images.get('nginxproxy/nginx-proxy:test') except docker.errors.ImageNotFound: - pytest.exit("The docker image 'jwilder/nginx-proxy:test' is missing") + pytest.exit("The docker image 'nginxproxy/nginx-proxy:test' is missing") if docker.__version__ != "2.1.0": pytest.exit("This test suite is meant to work with the python docker module v2.1.0") diff --git a/test/stress_tests/test_deleted_cert/docker-compose.yml b/test/stress_tests/test_deleted_cert/docker-compose.yml index 06a61b9..33c92a7 100644 --- a/test/stress_tests/test_deleted_cert/docker-compose.yml +++ b/test/stress_tests/test_deleted_cert/docker-compose.yml @@ -8,7 +8,7 @@ web: reverseproxy: - image: jwilder/nginx-proxy:test + image: nginxproxy/nginx-proxy:test container_name: reverseproxy environment: DEBUG: "true" diff --git a/test/stress_tests/test_unreachable_network/README.md b/test/stress_tests/test_unreachable_network/README.md index aa09c4d..550b289 100644 --- a/test/stress_tests/test_unreachable_network/README.md +++ b/test/stress_tests/test_unreachable_network/README.md @@ -6,7 +6,7 @@ Furthermore, if the nginx-proxy in such state is restarted, the nginx process wi In the generated nginx config file, we can notice the presence of an empty `upstream {}` block. -This can be fixed by merging [PR-585](https://github.com/jwilder/nginx-proxy/pull/585). +This can be fixed by merging [PR-585](https://github.com/nginx-proxy/nginx-proxy/pull/585). ## How to reproduce diff --git a/test/stress_tests/test_unreachable_network/docker-compose.yml b/test/stress_tests/test_unreachable_network/docker-compose.yml index 0ca4f99..9666d29 100644 --- a/test/stress_tests/test_unreachable_network/docker-compose.yml +++ b/test/stress_tests/test_unreachable_network/docker-compose.yml 
@@ -9,7 +9,7 @@ services: container_name: reverseproxy networks: - netA - image: jwilder/nginx-proxy:test + image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro diff --git a/test/test_DOCKER_HOST_unix_socket.yml b/test/test_DOCKER_HOST_unix_socket.yml index dff75a8..d1aba4b 100644 --- a/test/test_DOCKER_HOST_unix_socket.yml +++ b/test/test_DOCKER_HOST_unix_socket.yml @@ -16,7 +16,7 @@ web2: sut: - image: jwilder/nginx-proxy:test + image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/f00.sock:ro - ./lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro diff --git a/test/test_composev2.yml b/test/test_composev2.yml index ef4df8d..283e070 100644 --- a/test/test_composev2.yml +++ b/test/test_composev2.yml @@ -1,7 +1,7 @@ version: '2' services: nginx-proxy: - image: jwilder/nginx-proxy:test + image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - ./lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro diff --git a/test/test_custom/test_defaults-location.yml b/test/test_custom/test_defaults-location.yml index a5b0c44..3069273 100644 --- a/test/test_custom/test_defaults-location.yml +++ b/test/test_custom/test_defaults-location.yml @@ -1,5 +1,5 @@ nginx-proxy: - image: jwilder/nginx-proxy:test + image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro diff --git a/test/test_custom/test_defaults.yml b/test/test_custom/test_defaults.yml index 2cfddf0..165264c 100644 --- a/test/test_custom/test_defaults.yml +++ b/test/test_custom/test_defaults.yml @@ -1,7 +1,7 @@ version: '2' services: nginx-proxy: - image: jwilder/nginx-proxy:test + image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro 
diff --git a/test/test_custom/test_location-per-vhost.yml b/test/test_custom/test_location-per-vhost.yml index 988181c..3622325 100644 --- a/test/test_custom/test_location-per-vhost.yml +++ b/test/test_custom/test_location-per-vhost.yml @@ -1,7 +1,7 @@ version: '2' services: nginx-proxy: - image: jwilder/nginx-proxy:test + image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro diff --git a/test/test_custom/test_per-vhost.yml b/test/test_custom/test_per-vhost.yml index 61ae02b..256c207 100644 --- a/test/test_custom/test_per-vhost.yml +++ b/test/test_custom/test_per-vhost.yml @@ -1,7 +1,7 @@ version: '2' services: nginx-proxy: - image: jwilder/nginx-proxy:test + image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro diff --git a/test/test_custom/test_proxy-wide.yml b/test/test_custom/test_proxy-wide.yml index 602f344..1715b8b 100644 --- a/test/test_custom/test_proxy-wide.yml +++ b/test/test_custom/test_proxy-wide.yml @@ -1,7 +1,7 @@ version: '2' services: nginx-proxy: - image: jwilder/nginx-proxy:test + image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro diff --git a/test/test_dockergen/test_dockergen_v2.py b/test/test_dockergen/test_dockergen_v2.py index c797d0c..af02649 100644 --- a/test/test_dockergen/test_dockergen_v2.py +++ b/test/test_dockergen/test_dockergen_v2.py 
@@ -8,13 +8,13 @@ import pytest def nginx_tmpl(): """ pytest fixture which extracts the the nginx config template from - the jwilder/nginx-proxy:test image + the nginxproxy/nginx-proxy:test image """ script_dir = os.path.dirname(__file__) - logging.info("extracting nginx.tmpl from jwilder/nginx-proxy:test") + logging.info("extracting nginx.tmpl from nginxproxy/nginx-proxy:test") docker_client = docker.from_env() print(docker_client.containers.run( - image='jwilder/nginx-proxy:test', + image='nginxproxy/nginx-proxy:test', remove=True, volumes=['{current_dir}:{current_dir}'.format(current_dir=script_dir)], entrypoint='sh', diff --git a/test/test_dockergen/test_dockergen_v3.py b/test/test_dockergen/test_dockergen_v3.py index 808949b..453889a 100644 --- a/test/test_dockergen/test_dockergen_v3.py +++ b/test/test_dockergen/test_dockergen_v3.py @@ -31,13 +31,13 @@ pytestmark = pytest.mark.skipif( def nginx_tmpl(): """ pytest fixture which extracts the the nginx config template from - the jwilder/nginx-proxy:test image + the nginxproxy/nginx-proxy:test image """ script_dir = os.path.dirname(__file__) - logging.info("extracting nginx.tmpl from jwilder/nginx-proxy:test") + logging.info("extracting nginx.tmpl from nginxproxy/nginx-proxy:test") docker_client = docker.from_env() print(docker_client.containers.run( - image='jwilder/nginx-proxy:test', + image='nginxproxy/nginx-proxy:test', remove=True, volumes=['{current_dir}:{current_dir}'.format(current_dir=script_dir)], entrypoint='sh', diff --git a/test/test_events.yml b/test/test_events.yml index 87b7c01..dcaaafc 100644 --- a/test/test_events.yml +++ b/test/test_events.yml @@ -1,5 +1,5 @@ nginxproxy: - image: jwilder/nginx-proxy:test + image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - ./lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro diff --git a/test/test_headers/test_http.yml b/test/test_headers/test_http.yml index 8cc2e09..f8069c6 100644 --- a/test/test_headers/test_http.yml 
+++ b/test/test_headers/test_http.yml @@ -8,7 +8,7 @@ web: sut: - image: jwilder/nginx-proxy:test + image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro diff --git a/test/test_headers/test_https.yml b/test/test_headers/test_https.yml index 131f61c..406e433 100644 --- a/test/test_headers/test_https.yml +++ b/test/test_headers/test_https.yml @@ -8,7 +8,7 @@ web: sut: - image: jwilder/nginx-proxy:test + image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - ./certs/web.nginx-proxy.tld.crt:/etc/nginx/certs/web.nginx-proxy.tld.crt:ro diff --git a/test/test_ipv6.yml b/test/test_ipv6.yml index a0b504e..8da3347 100644 --- a/test/test_ipv6.yml +++ b/test/test_ipv6.yml @@ -16,7 +16,7 @@ web2: sut: - image: jwilder/nginx-proxy:test + image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - ./lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro diff --git a/test/test_multiple-hosts.yml b/test/test_multiple-hosts.yml index 70269c8..bdc2804 100644 --- a/test/test_multiple-hosts.yml +++ b/test/test_multiple-hosts.yml @@ -8,7 +8,7 @@ web: sut: - image: jwilder/nginx-proxy:test + image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - ./lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro diff --git a/test/test_multiple-networks.yml b/test/test_multiple-networks.yml index da3277b..1cc6d30 100644 --- a/test/test_multiple-networks.yml +++ b/test/test_multiple-networks.yml @@ -6,7 +6,7 @@ networks: services: nginx-proxy: - image: jwilder/nginx-proxy:test + image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - ./lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro diff --git a/test/test_multiple-ports/test_VIRTUAL_PORT.yml b/test/test_multiple-ports/test_VIRTUAL_PORT.yml index 4eb95ea..3ee2d1a 100644 --- a/test/test_multiple-ports/test_VIRTUAL_PORT.yml 
+++ b/test/test_multiple-ports/test_VIRTUAL_PORT.yml @@ -9,7 +9,7 @@ web: VIRTUAL_PORT: 90 sut: - image: jwilder/nginx-proxy:test + image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro diff --git a/test/test_multiple-ports/test_default-80.yml b/test/test_multiple-ports/test_default-80.yml index f06ccb8..ca61286 100644 --- a/test/test_multiple-ports/test_default-80.yml +++ b/test/test_multiple-ports/test_default-80.yml @@ -8,7 +8,7 @@ web: VIRTUAL_HOST: "web.nginx-proxy.tld" sut: - image: jwilder/nginx-proxy:test + image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro diff --git a/test/test_multiple-ports/test_single-port-not-80.yml b/test/test_multiple-ports/test_single-port-not-80.yml index 15f230a..fbb5b6a 100644 --- a/test/test_multiple-ports/test_single-port-not-80.yml +++ b/test/test_multiple-ports/test_single-port-not-80.yml @@ -8,7 +8,7 @@ web: sut: - image: jwilder/nginx-proxy:test + image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro diff --git a/test/test_nominal.yml b/test/test_nominal.yml index d436499..7c49801 100644 --- a/test/test_nominal.yml +++ b/test/test_nominal.yml @@ -16,7 +16,7 @@ web2: sut: - image: jwilder/nginx-proxy:test + image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - ./lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro diff --git a/test/test_ssl/test_dhparam.yml b/test/test_ssl/test_dhparam.yml index 66b1a61..9b29842 100644 --- a/test/test_ssl/test_dhparam.yml +++ b/test/test_ssl/test_dhparam.yml @@ -8,7 +8,7 @@ web5: sut: - image: jwilder/nginx-proxy:test + image: nginxproxy/nginx-proxy:test container_name: nginxproxy volumes: - /var/run/docker.sock:/tmp/docker.sock:ro 
diff --git a/test/test_ssl/test_dhparam_generation.yml b/test/test_ssl/test_dhparam_generation.yml index 35f3067..6df55c1 100644 --- a/test/test_ssl/test_dhparam_generation.yml +++ b/test/test_ssl/test_dhparam_generation.yml @@ -1,5 +1,5 @@ sut: - image: jwilder/nginx-proxy:test + image: nginxproxy/nginx-proxy:test container_name: nginxproxy volumes: - /var/run/docker.sock:/tmp/docker.sock:ro diff --git a/test/test_ssl/test_hsts.py b/test/test_ssl/test_hsts.py index 12bbcc4..16dffd2 100644 --- a/test/test_ssl/test_hsts.py +++ b/test/test_ssl/test_hsts.py @@ -8,7 +8,7 @@ def test_web1_HSTS_default(docker_compose, nginxproxy): assert "max-age=31536000" == r.headers["Strict-Transport-Security"] # Regression test to ensure HSTS is enabled even when the upstream sends an error in response -# Issue #1073 https://github.com/jwilder/nginx-proxy/pull/1073 +# Issue #1073 https://github.com/nginx-proxy/nginx-proxy/pull/1073 def test_web1_HSTS_error(docker_compose, nginxproxy): r = nginxproxy.get("https://web1.nginx-proxy.tld/status/500", allow_redirects=False) assert "Strict-Transport-Security" in r.headers @@ -26,7 +26,7 @@ def test_web3_HSTS_custom(docker_compose, nginxproxy): assert "max-age=86400; includeSubDomains; preload" == r.headers["Strict-Transport-Security"] # Regression test for issue 1080 -# https://github.com/jwilder/nginx-proxy/issues/1080 +# https://github.com/nginx-proxy/nginx-proxy/issues/1080 def test_web4_HSTS_off_noredirect(docker_compose, nginxproxy): r = nginxproxy.get("https://web4.nginx-proxy.tld/port", allow_redirects=False) assert "answer from port 81\n" in r.text diff --git a/test/test_ssl/test_hsts.yml b/test/test_ssl/test_hsts.yml index f6f39a7..779dc07 100644 --- a/test/test_ssl/test_hsts.yml +++ b/test/test_ssl/test_hsts.yml 
@@ -35,7 +35,7 @@ web4: HTTPS_METHOD: "noredirect" sut: - image: jwilder/nginx-proxy:test + image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro diff --git a/test/test_ssl/test_nohttp.yml b/test/test_ssl/test_nohttp.yml index 51d63c2..7a7ea08 100644 --- a/test/test_ssl/test_nohttp.yml +++ b/test/test_ssl/test_nohttp.yml @@ -9,7 +9,7 @@ web2: sut: - image: jwilder/nginx-proxy:test + image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro diff --git a/test/test_ssl/test_nohttps.yml b/test/test_ssl/test_nohttps.yml index 14140b4..0a6a9a5 100644 --- a/test/test_ssl/test_nohttps.yml +++ b/test/test_ssl/test_nohttps.yml @@ -9,7 +9,7 @@ web: sut: - image: jwilder/nginx-proxy:test + image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro diff --git a/test/test_ssl/test_noredirect.yml b/test/test_ssl/test_noredirect.yml index 9149a87..9ac7169 100644 --- a/test/test_ssl/test_noredirect.yml +++ b/test/test_ssl/test_noredirect.yml @@ -9,7 +9,7 @@ web3: sut: - image: jwilder/nginx-proxy:test + image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro diff --git a/test/test_ssl/test_wildcard.yml b/test/test_ssl/test_wildcard.yml index 4c77796..6168084 100644 --- a/test/test_ssl/test_wildcard.yml +++ b/test/test_ssl/test_wildcard.yml @@ -7,7 +7,7 @@ web1: VIRTUAL_HOST: "*.nginx-proxy.tld" sut: - image: jwilder/nginx-proxy:test + image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro 
diff --git a/test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml b/test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml index 20cd1b2..6257aee 100644 --- a/test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml +++ b/test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml @@ -3,7 +3,7 @@ version: "3" services: proxy: - image: jwilder/nginx-proxy:test + image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - ./certs:/etc/nginx/certs:ro diff --git a/test/test_wildcard_host.yml b/test/test_wildcard_host.yml index 742a8ac..d39dad4 100644 --- a/test/test_wildcard_host.yml +++ b/test/test_wildcard_host.yml @@ -32,7 +32,7 @@ web4: sut: - image: jwilder/nginx-proxy:test + image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - ./lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro From bea149e317224053cb2e1728498c72dfc47d8ef2 Mon Sep 17 00:00:00 2001 From: Nicolas Duchon Date: Thu, 1 Apr 2021 21:06:33 +0200 Subject: [PATCH 51/83] ci: create dependabot config for Docker ecosystem --- .github/dependabot.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..d99307f --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,11 @@ +version: 2 +updates: + + # Maintain dependencies for Docker + - package-ecosystem: "docker" + directory: "/" + schedule: + interval: "daily" + labels: + - "area/chore" + - "area/dockerfile" From 4a1d5bfc58af35f5e90dcefb47b35a274c903150 Mon Sep 17 00:00:00 2001 From: Nicolas Duchon Date: Thu, 1 Apr 2021 22:23:37 +0200 Subject: [PATCH 52/83] ci: build and push for arm64 and arm/v7 archs --- .github/workflows/dockerhub.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/dockerhub.yml b/.github/workflows/dockerhub.yml index 8191c26..1bf586a 100644 --- a/.github/workflows/dockerhub.yml 
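Review bot: The new dependabot.yml registers only the `docker` ecosystem, so the third-party actions the workflow pins by floating major tag (`docker/build-push-action@v2`, `docker/setup-qemu-action@v1` in the following hunks) get no update PRs; a second `github-actions` entry closes that gap. The `docker` ecosystem also only follows `FROM` tags, so `ARG DOCKER_GEN_VERSION` and `ARG FOREGO_VERSION` in the Dockerfiles stay manual, which a comment such as `# Dependabot tracks FROM tags only; docker-gen/forego ARGs are bumped by hand` would make explicit.
```yaml
# … unchanged: version and docker ecosystem entry …

  # Maintain dependencies for GitHub Actions
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
    labels:
      - "area/chore"
```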
+++ b/.github/workflows/dockerhub.yml @@ -62,7 +62,7 @@ jobs: uses: docker/build-push-action@v2 with: file: Dockerfile - platforms: linux/amd64 + platforms: linux/amd64,linux/arm64,linux/arm/v7 push: true tags: | ${{ github.ref != 'refs/heads/master' && steps.docker_meta_debian.outputs.tags || '' }} @@ -74,7 +74,7 @@ jobs: uses: docker/build-push-action@v2 with: file: Dockerfile.alpine - platforms: linux/amd64 + platforms: linux/amd64,linux/arm64,linux/arm/v7 push: true tags: | ${{ github.ref != 'refs/heads/master' && steps.docker_meta_alpine.outputs.tags || '' }} From d120ce9fdebf09a6c7b90ecff7eda0b7d2760ef3 Mon Sep 17 00:00:00 2001 From: Nicolas Duchon Date: Fri, 2 Apr 2021 00:39:41 +0200 Subject: [PATCH 53/83] ci: push images to jwilder/nginx-proxy --- .github/workflows/dockerhub.yml | 39 ++++++++++++++++++--------------- 1 file changed, 21 insertions(+), 18 deletions(-) diff --git a/.github/workflows/dockerhub.yml b/.github/workflows/dockerhub.yml index 1bf586a..ddf32d2 100644 --- a/.github/workflows/dockerhub.yml +++ b/.github/workflows/dockerhub.yml 
@@ -29,21 +29,28 @@ jobs: - name: Get Docker tags for Debian based image id: docker_meta_debian - uses: crazy-max/ghaction-docker-meta@v1 + uses: crazy-max/ghaction-docker-meta@v2 with: - images: nginxproxy/nginx-proxy - tag-semver: | - {{version}} - {{major}}.{{minor}} + images: | + nginxproxy/nginx-proxy + jwilder/nginx-proxy + tags: | + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + type=raw,value=latest,enable=${{ endsWith(github.ref, github.event.repository.default_branch) }} - name: Get Docker tags for Alpine based image id: docker_meta_alpine - uses: crazy-max/ghaction-docker-meta@v1 + uses: crazy-max/ghaction-docker-meta@v2 with: - images: nginxproxy/nginx-proxy - tag-semver: | - {{version}}-alpine - {{major}}.{{minor}}-alpine + images: | + nginxproxy/nginx-proxy + jwilder/nginx-proxy + tags: | + type=semver,suffix=-alpine,pattern={{version}} + type=semver,suffix=-alpine,pattern={{major}}.{{minor}} + type=raw,value=alpine,enable=${{ endsWith(github.ref, github.event.repository.default_branch) }} + flavor: latest=false - name: Set up QEMU uses: docker/setup-qemu-action@v1 @@ -64,10 +71,8 @@ jobs: file: Dockerfile platforms: linux/amd64,linux/arm64,linux/arm/v7 push: true - tags: | - ${{ github.ref != 'refs/heads/master' && steps.docker_meta_debian.outputs.tags || '' }} - ${{ github.ref == 'refs/heads/master' && 'nginxproxy/nginx-proxy:latest' || '' }} - labels: ${{ steps.docker_meta.outputs.labels }} + tags: ${{ steps.docker_meta_debian.outputs.tags }} + labels: ${{ steps.docker_meta_debian.outputs.labels }} - name: Build and push the Alpine based image id: docker_build_alpine 
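Review bot: `enable=${{ endsWith(github.ref, github.event.repository.default_branch) }}` on the new `type=raw` tag lines is a suffix match on the full ref string, so a `workflow_dispatch` run from any branch whose name merely ends with the default branch's name (a constructed example: `refs/heads/x-master`) would also push the `latest` and `alpine` tags. Compare the whole ref instead, `enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}`, on both this line and the Alpine one further down the hunk. The `push` trigger limits branch pushes to the default branch, so the exposure is the manual trigger path, but publishing mutable release tags deserves an exact condition.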
@@ -76,10 +81,8 @@ jobs: file: Dockerfile.alpine platforms: linux/amd64,linux/arm64,linux/arm/v7 push: true - tags: | - ${{ github.ref != 'refs/heads/master' && steps.docker_meta_alpine.outputs.tags || '' }} - ${{ github.ref == 'refs/heads/master' && 'nginxproxy/nginx-proxy:alpine' || '' }} - labels: ${{ steps.docker_meta.outputs.labels }} + tags: ${{ steps.docker_meta_alpine.outputs.tags }} + labels: ${{ steps.docker_meta_alpine.outputs.labels }} - name: Images digests run: | From c3bb2348715c855ec3e268b5b08eb4dd25ec9413 Mon Sep 17 00:00:00 2001 From: Nicolas Duchon Date: Mon, 5 Apr 2021 13:13:20 +0200 Subject: [PATCH 54/83] chore: rename default branch master -> main --- .github/workflows/dockerhub.yml | 2 +- README.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/dockerhub.yml b/.github/workflows/dockerhub.yml index ddf32d2..624d30d 100644 --- a/.github/workflows/dockerhub.yml +++ b/.github/workflows/dockerhub.yml @@ -4,7 +4,7 @@ on: workflow_dispatch: push: branches: - - master + - main tags: - '*.*.*' paths-ignore: diff --git a/README.md b/README.md index 40f882b..0ca9aed 100644 --- a/README.md +++ b/README.md 
@@ -1,5 +1,5 @@ ![latest 0.8.0](https://img.shields.io/badge/latest-0.8.0-green.svg?style=flat) -![nginx 1.19.3](https://img.shields.io/badge/nginx-1.19.3-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/nginxproxy/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/nginxproxy/nginx-proxy 'DockerHub') +![nginx 1.19.3](https://img.shields.io/badge/nginx-1.19.3-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=main)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/nginxproxy/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/nginxproxy/nginx-proxy 'DockerHub') nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped. @@ -166,7 +166,7 @@ $ curl -H "Host: whoami.local" localhost I'm 5b129ab83266 ``` -To run nginx proxy as a separate container you'll need to have [nginx.tmpl](https://github.com/nginx-proxy/nginx-proxy/blob/master/nginx.tmpl) on your host system. +To run nginx proxy as a separate container you'll need to have [nginx.tmpl](https://github.com/nginx-proxy/nginx-proxy/blob/main/nginx.tmpl) on your host system. First start nginx with a volume: From bdf62b025bcdd44a9bc247dd77deccc2f3dfafe8 Mon Sep 17 00:00:00 2001 
From: Nicolas Duchon Date: Mon, 5 Apr 2021 13:16:40 +0200 Subject: [PATCH 55/83] docs: follow acme-companion name change --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 0ca9aed..7a295e9 100644 --- a/README.md +++ b/README.md @@ -32,7 +32,7 @@ This image uses the debian:buster based nginx image. #### nginxproxy/nginx-proxy:alpine -This image is based on the nginx:alpine image. Use this image to fully support HTTP/2 (including ALPN required by recent Chrome versions). A valid certificate is required as well (see eg. below "SSL Support using letsencrypt" for more info). +This image is based on the nginx:alpine image. Use this image to fully support HTTP/2 (including ALPN required by recent Chrome versions). A valid certificate is required as well (see eg. below "SSL Support using an ACME CA" for more info). $ docker pull nginxproxy/nginx-proxy:alpine @@ -185,9 +185,9 @@ $ docker run --volumes-from nginx \ Finally, start your containers with `VIRTUAL_HOST` environment variables. $ docker run -e VIRTUAL_HOST=foo.bar.com ... -### SSL Support using letsencrypt +### SSL Support using an ACME CA -[letsencrypt-nginx-proxy-companion](https://github.com/nginx-proxy/docker-letsencrypt-nginx-proxy-companion) is a lightweight companion container for the nginx-proxy. It allows the creation/renewal of Let's Encrypt certificates automatically. +[acme-companion](https://github.com/nginx-proxy/acme-companion) is a lightweight companion container for the nginx-proxy. It allows the automated creation/renewal of SSL certificates using the ACME protocol. Set `DHPARAM_GENERATION` environment variable to `false` to disabled Diffie-Hellman parameters completely. This will also ignore auto-generation made by `nginx-proxy`. The default value is `true` From 24565440b26f23a149aa60e30d7b9f6d544dcecf Mon Sep 17 00:00:00 2001 
From: Nicolas Duchon Date: Mon, 5 Apr 2021 13:56:14 +0200 Subject: [PATCH 56/83] docs: update DockerHub shields --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7a295e9..813fdda 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ ![latest 0.8.0](https://img.shields.io/badge/latest-0.8.0-green.svg?style=flat) -![nginx 1.19.3](https://img.shields.io/badge/nginx-1.19.3-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=main)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/nginxproxy/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/nginxproxy/nginx-proxy 'DockerHub') +![nginx 1.19.3](https://img.shields.io/badge/nginx-1.19.3-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/nginx/nginx-proxy.svg?branch=main)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/nginxproxy/nginx-proxy.svg)](https://hub.docker.com/r/nginxproxy/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/nginxproxy/nginx-proxy.svg)](https://hub.docker.com/r/nginxproxy/nginx-proxy 'DockerHub') nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped. From 9efeb5d8af809ad1479802b9bce532c598116520 Mon Sep 17 00:00:00 2001 From: Nicolas Duchon Date: Tue, 6 Apr 2021 00:11:53 +0200 Subject: [PATCH 57/83] ci: build the debian and alpine images in parallel --- .github/workflows/dockerhub.yml | 58 +++++++++++++++++++++++---------- 1 file changed, 40 insertions(+), 18 deletions(-) 
diff --git a/.github/workflows/dockerhub.yml b/.github/workflows/dockerhub.yml index 624d30d..9d074f1 100644 --- a/.github/workflows/dockerhub.yml +++ b/.github/workflows/dockerhub.yml @@ -18,7 +18,7 @@ on: - '*.md' jobs: - multiarch-build: + multiarch-build-debian: runs-on: ubuntu-latest steps: @@ -26,7 +26,7 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 - + - name: Get Docker tags for Debian based image id: docker_meta_debian uses: crazy-max/ghaction-docker-meta@v2 @@ -38,7 +38,41 @@ jobs: type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=raw,value=latest,enable=${{ endsWith(github.ref, github.event.repository.default_branch) }} - + + - name: Set up QEMU + uses: docker/setup-qemu-action@v1 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v1 + + - name: Login to DockerHub + uses: docker/login-action@v1 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Build and push the Debian based image + id: docker_build_debian + uses: docker/build-push-action@v2 + with: + file: Dockerfile + platforms: linux/amd64,linux/arm64,linux/arm/v7 + push: true + tags: ${{ steps.docker_meta_debian.outputs.tags }} + labels: ${{ steps.docker_meta_debian.outputs.labels }} + + - name: Images digests + run: echo ${{ steps.docker_build_debian.outputs.digest }} + + multiarch-build-alpine: + runs-on: ubuntu-latest + steps: + + - name: Checkout + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: Get Docker tags for Alpine based image id: docker_meta_alpine uses: crazy-max/ghaction-docker-meta@v2 
@@ -54,25 +88,15 @@ jobs: - name: Set up QEMU uses: docker/setup-qemu-action@v1 - + - name: Set up Docker Buildx uses: docker/setup-buildx-action@v1 - + - name: Login to DockerHub uses: docker/login-action@v1 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Build and push the Debian based image - id: docker_build_debian - uses: docker/build-push-action@v2 - with: - file: Dockerfile - platforms: linux/amd64,linux/arm64,linux/arm/v7 - push: true - tags: ${{ steps.docker_meta_debian.outputs.tags }} - labels: ${{ steps.docker_meta_debian.outputs.labels }} - name: Build and push the Alpine based image id: docker_build_alpine @@ -85,6 +109,4 @@ jobs: labels: ${{ steps.docker_meta_alpine.outputs.labels }} - name: Images digests - run: | - echo ${{ steps.docker_build_debian.outputs.digest }} - echo ${{ steps.docker_build_alpine.outputs.digest }} + run: echo ${{ steps.docker_build_alpine.outputs.digest }} From 6613e272eb41c926605bc0411b7af9f70c2ebeee Mon Sep 17 00:00:00 2001 From: Nicolas Duchon Date: Wed, 7 Apr 2021 17:10:37 +0200 Subject: [PATCH 58/83] ci: rebuild and push the latest image on schedule Rebuild and push the last commit of the default branch every monday at 00:00 UTC --- .github/workflows/dockerhub.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/dockerhub.yml b/.github/workflows/dockerhub.yml index 9d074f1..8eaacf7 100644 --- a/.github/workflows/dockerhub.yml +++ b/.github/workflows/dockerhub.yml @@ -2,6 +2,8 @@ name: DockerHub on: workflow_dispatch: + schedule: + - cron: '0 0 * * 1' push: branches: - main From cfa9cf31d780db068caf751ba958d422b1722be1 Mon Sep 17 00:00:00 2001 From: Tom Wiesing Date: Wed, 21 Apr 2021 21:04:45 +0200 Subject: [PATCH 59/83] Remove Google Forum Link from Issue Template The Google Forum no longer exists. Therefore the link to it in the issue template should be removed. --- .github/ISSUE_TEMPLATE.md | 4 ---- 1 file changed, 4 deletions(-) 
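Review bot: The weekly `schedule` trigger re-publishes the mutable `latest` and `alpine` tags from inputs that are pinned only by name — `FROM nginx:1.19.3` and `golang:1.15.10` by tag, and the docker-gen sources fetched by version string with no checksum or commit pin (see the Dockerfile hunks of [PATCH 60/83] below) — so what those tags contain can change from one Monday to the next without any commit to review. If the intent is to pick up base image security fixes, say so on the line (`# weekly rebuild of the default branch so published images pick up base image updates`) and pin what should not drift: base images by digest (`FROM nginx:1.19.3@sha256:<digest>`, placeholder) and the fetched sources by a recorded hash or commit. Consider also whether a rebuild whose digest differs from the previous one should be surfaced (the `Images digests` step already echoes it), since a silent change of `latest` is exactly what a downstream consumer cannot audit.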
diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md index cfaa367..d09ea82 100644 --- a/.github/ISSUE_TEMPLATE.md +++ b/.github/ISSUE_TEMPLATE.md @@ -1,9 +1,5 @@ # !!!PLEASE READ!!! -## Questions - -If you have a question, DO NOT SUBMIT a new issue. Please ask the question on the Q&A Group: https://groups.google.com/forum/#!forum/nginx-proxy - ## Bugs or Features If you are logging a bug or feature request, please search the current open issues to see if there is already a bug or feature opened. From f8aa9a16370af8d060ccd380b61d2463dc3a35cf Mon Sep 17 00:00:00 2001 From: Nicolas Duchon Date: Mon, 26 Apr 2021 14:55:33 +0200 Subject: [PATCH 60/83] chore: bump docker-gen from 0.7.4 to 0.7.6 --- Dockerfile | 26 ++++++++++++-------------- Dockerfile.alpine | 27 ++++++++++++--------------- 2 files changed, 24 insertions(+), 29 deletions(-) diff --git a/Dockerfile b/Dockerfile index 8dfc682..83253c5 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ # setup build arguments for version of dependencies to use -ARG DOCKER_GEN_VERSION=0.7.4 +ARG DOCKER_GEN_VERSION=0.7.6 ARG FOREGO_VERSION=0.16.1 # Use a specific version of golang to build both binaries 
@@ -8,19 +8,17 @@ FROM golang:1.15.10 as gobuilder # Build docker-gen from scratch FROM gobuilder as dockergen -# Download the sources for the given version ARG DOCKER_GEN_VERSION -ADD https://github.com/jwilder/docker-gen/archive/${DOCKER_GEN_VERSION}.tar.gz sources.tar.gz -# Move the sources into the right directory -RUN tar -xzf sources.tar.gz && \ - mkdir -p /go/src/github.com/jwilder/ && \ - mv docker-gen-* /go/src/github.com/jwilder/docker-gen - -# Install the dependencies and make the docker-gen executable -WORKDIR /go/src/github.com/jwilder/docker-gen -RUN go get -v ./... && \ - CGO_ENABLED=0 GOOS=linux go build -ldflags "-X main.buildVersion=${DOCKER_GEN_VERSION}" ./cmd/docker-gen +RUN git clone https://github.com/jwilder/docker-gen \ + && cd /go/docker-gen \ + && git -c advice.detachedHead=false checkout $DOCKER_GEN_VERSION \ + && go mod download \ + && CGO_ENABLED=0 GOOS=linux go build -ldflags "-X main.buildVersion=${DOCKER_GEN_VERSION}" ./cmd/docker-gen \ + && go clean -cache \ + && mv docker-gen /usr/local/bin/ \ + && cd - \ + && rm -rf /go/docker-gen # Build forego from scratch # Because this relies on golang workspaces, we need to use go < 1.8. @@ -42,7 +40,7 @@ RUN go get -v ./... && \ # Build the final image FROM nginx:1.19.3 -LABEL maintainer="Jason Wilder mail@jasonwilder.com" +LABEL maintainer="Nicolas Duchon (@buchdag)" # Install wget and install/updates certificates RUN apt-get update \ @@ -59,7 +57,7 @@ RUN echo "daemon off;" >> /etc/nginx/nginx.conf \ # Install Forego + docker-gen COPY --from=forego /go/src/github.com/ddollar/forego/forego /usr/local/bin/forego -COPY --from=dockergen /go/src/github.com/jwilder/docker-gen/docker-gen /usr/local/bin/docker-gen +COPY --from=dockergen /usr/local/bin/docker-gen /usr/local/bin/docker-gen # Add DOCKER_GEN_VERSION environment variable # Because some external projects rely on it diff --git a/Dockerfile.alpine b/Dockerfile.alpine index 55f3912..5de844c 100644 --- a/Dockerfile.alpine 
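Review bot: `git checkout $DOCKER_GEN_VERSION` in the new `RUN` chain resolves a mutable tag, and nothing ties the build to a specific commit, so the binary produced for a given `DOCKER_GEN_VERSION` can change if the upstream tag is moved or re-pushed; record the expected commit (`ARG DOCKER_GEN_COMMIT=<sha, placeholder>`, then `git checkout "${DOCKER_GEN_COMMIT}"`, or verify `git rev-parse HEAD` against it after the tag checkout). On the positive side `go mod download` presumably gets go.sum verification for the dependencies, which the removed `go get -v ./...` path did not. Two style points on the same line: `$DOCKER_GEN_VERSION` is the only unbraced expansion in a chain that otherwise writes `${DOCKER_GEN_VERSION}`, and `cd /go/docker-gen` relies on the golang image's working directory being `/go`, which nothing in this file sets (`git clone ... /go/docker-gen` would make the path explicit). The `Dockerfile.alpine` hunk `@@ -9,22 +9,19 @@` shares all of this, and additionally drops `GOOS=linux` and the 'go < 1.8' comment that this file keeps on its forego stage.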
+++ b/Dockerfile.alpine @@ -1,5 +1,5 @@ # setup build arguments for version of dependencies to use -ARG DOCKER_GEN_VERSION=0.7.4 +ARG DOCKER_GEN_VERSION=0.7.6 ARG FOREGO_VERSION=0.16.1 # Use a specific version of golang to build both binaries @@ -9,22 +9,19 @@ RUN apk add --no-cache git # Build docker-gen from scratch FROM gobuilder as dockergen -# Download the sources for the given version ARG DOCKER_GEN_VERSION -ADD https://github.com/jwilder/docker-gen/archive/${DOCKER_GEN_VERSION}.tar.gz sources.tar.gz -# Move the sources into the right directory -RUN tar -xzf sources.tar.gz && \ - mkdir -p /go/src/github.com/jwilder/ && \ - mv docker-gen-* /go/src/github.com/jwilder/docker-gen - -# Install the dependencies and make the docker-gen executable -WORKDIR /go/src/github.com/jwilder/docker-gen -RUN go get -v ./... && \ - CGO_ENABLED=0 GOOS=linux go build -ldflags "-X main.buildVersion=${DOCKER_GEN_VERSION}" ./cmd/docker-gen +RUN git clone https://github.com/jwilder/docker-gen \ + && cd /go/docker-gen \ + && git -c advice.detachedHead=false checkout $DOCKER_GEN_VERSION \ + && go mod download \ + && CGO_ENABLED=0 go build -ldflags "-X main.buildVersion=${DOCKER_GEN_VERSION}" ./cmd/docker-gen \ + && go clean -cache \ + && mv docker-gen /usr/local/bin/ \ + && cd - \ + && rm -rf /go/docker-gen # Build forego from scratch -# Because this relies on golang workspaces, we need to use go < 1.8. FROM gobuilder as forego # Download the sources for the given version @@ -43,7 +40,7 @@ RUN go get -v ./... && \ # Build the final image FROM nginx:1.19.3-alpine -LABEL maintainer="Jason Wilder mail@jasonwilder.com" +LABEL maintainer="Nicolas Duchon (@buchdag)" # Install wget and install/updates certificates RUN apk add --no-cache --virtual .run-deps \ 
@@ -57,7 +54,7 @@ RUN echo "daemon off;" >> /etc/nginx/nginx.conf \ # Install Forego + docker-gen COPY --from=forego /go/src/github.com/ddollar/forego/forego /usr/local/bin/forego -COPY --from=dockergen /go/src/github.com/jwilder/docker-gen/docker-gen /usr/local/bin/docker-gen +COPY --from=dockergen /usr/local/bin/docker-gen /usr/local/bin/docker-gen # Add DOCKER_GEN_VERSION environment variable # Because some external projects rely on it From 950a28f5eac81a35a23bc6b67b95615fcd046885 Mon Sep 17 00:00:00 2001 From: Kevin Marilleau Date: Thu, 18 Mar 2021 22:48:13 +0100 Subject: [PATCH 61/83] chore(ci): :arrow_up: porting python 2.7 code to python 3.9 --- test/conftest.py | 32 ++++++++++--------- .../Dockerfile-nginx-proxy-tester | 2 +- .../test_restart_while_missing_cert.py | 4 +-- test/test_custom/test_location-per-vhost.py | 2 +- test/test_dockergen/test_dockergen_v2.py | 22 +++++++------ test/test_dockergen/test_dockergen_v3.py | 32 +++++++++++-------- test/test_events.py | 2 +- test/test_ssl/test_dhparam.py | 14 ++++---- test/test_ssl/test_dhparam_generation.py | 2 +- .../test_wildcard_cert_nohttps.py | 2 +- 10 files changed, 63 insertions(+), 51 deletions(-) diff --git a/test/conftest.py b/test/conftest.py index a9bead2..0195712 100644 --- a/test/conftest.py +++ b/test/conftest.py @@ -1,4 +1,3 @@ -from __future__ import print_function import contextlib import logging import os @@ -142,7 +141,7 @@ def container_ip(container): return net_info["bridge"]["IPAddress"] # not default bridge network, fallback on first network defined - network_name = net_info.keys()[0] + network_name = list(net_info.keys())[0] return net_info[network_name]["IPAddress"] @@ -155,7 +154,7 @@ def container_ipv6(container): return net_info["bridge"]["GlobalIPv6Address"] # not default bridge network, fallback on first network defined - network_name = net_info.keys()[0] + network_name = list(net_info.keys())[0] return net_info[network_name]["GlobalIPv6Address"] 
@@ -188,7 +187,7 @@ def docker_container_dns_resolver(domain_name): log = logging.getLogger('DNS') log.debug("docker_container_dns_resolver(%r)" % domain_name) - match = re.search('(^|.+\.)(?P[^.]+)\.container\.docker$', domain_name) + match = re.search(r'(^|.+\.)(?P[^.]+)\.container\.docker$', domain_name) if not match: log.debug("%r does not match" % domain_name) return @@ -253,9 +252,12 @@ def get_nginx_conf_from_container(container): return the nginx /etc/nginx/conf.d/default.conf file content from a container """ import tarfile - from cStringIO import StringIO - strm, stat = container.get_archive('/etc/nginx/conf.d/default.conf') - with tarfile.open(fileobj=StringIO(strm.read())) as tf: + from io import BytesIO + + strm_generator, stat = container.get_archive('/etc/nginx/conf.d/default.conf') + strm_fileobj = BytesIO(b"".join(strm_generator)) + + with tarfile.open(fileobj=strm_fileobj) as tf: conffile = tf.extractfile('default.conf') return conffile.read() @@ -264,7 +266,7 @@ def docker_compose_up(compose_file='docker-compose.yml'): logging.info('docker-compose -f %s up -d' % compose_file) try: subprocess.check_output(shlex.split('docker-compose -f %s up -d' % compose_file), stderr=subprocess.STDOUT) - except subprocess.CalledProcessError, e: + except subprocess.CalledProcessError as e: pytest.fail("Error while runninng 'docker-compose -f %s up -d':\n%s" % (compose_file, e.output), pytrace=False) @@ -272,7 +274,7 @@ def docker_compose_down(compose_file='docker-compose.yml'): logging.info('docker-compose -f %s down' % compose_file) try: subprocess.check_output(shlex.split('docker-compose -f %s down' % compose_file), stderr=subprocess.STDOUT) - except subprocess.CalledProcessError, e: + except subprocess.CalledProcessError as e: pytest.fail("Error while runninng 'docker-compose -f %s down':\n%s" % (compose_file, e.output), pytrace=False) 
@@ -286,7 +288,7 @@ def wait_for_nginxproxy_to_be_ready(): return container = containers[0] for line in container.logs(stream=True): - if "Watching docker events" in line: + if b"Watching docker events" in line: logging.debug("nginx-proxy ready") break @@ -337,7 +339,7 @@ def connect_to_network(network): return # figure out our container networks - my_networks = my_container.attrs["NetworkSettings"]["Networks"].keys() + my_networks = list(my_container.attrs["NetworkSettings"]["Networks"].keys()) # make sure our container is connected to the nginx-proxy's network if network not in my_networks: @@ -360,7 +362,7 @@ def disconnect_from_network(network=None): return # figure out our container networks - my_networks_names = my_container.attrs["NetworkSettings"]["Networks"].keys() + my_networks_names = list(my_container.attrs["NetworkSettings"]["Networks"].keys()) # disconnect our container from the given network if network.name in my_networks_names: @@ -378,7 +380,7 @@ def connect_to_all_networks(): return [] else: # find the list of docker networks - networks = filter(lambda network: len(network.containers) > 0 and network.name != 'bridge', docker_client.networks.list()) + networks = [network for network in docker_client.networks.list() if len(network.containers) > 0 and network.name != 'bridge'] return [connect_to_network(network) for network in networks] @@ -388,7 +390,7 @@ def connect_to_all_networks(): # ############################################################################### -@pytest.yield_fixture(scope="module") +@pytest.fixture(scope="module") def docker_compose(request): """ pytest fixture providing containers described in a docker compose file. After the tests, remove the created containers @@ -412,7 +414,7 @@ def docker_compose(request): restore_urllib_dns_resolver(original_dns_resolver) -@pytest.yield_fixture() +@pytest.fixture() def nginxproxy(): """ Provides the `nginxproxy` object that can be used in the same way the requests module is: 
diff --git a/test/requirements/Dockerfile-nginx-proxy-tester b/test/requirements/Dockerfile-nginx-proxy-tester index 27d0538..6c0f060 100644 --- a/test/requirements/Dockerfile-nginx-proxy-tester +++ b/test/requirements/Dockerfile-nginx-proxy-tester @@ -1,4 +1,4 @@ -FROM python:2.7-alpine +FROM python:3.9-alpine # Note: we're using alpine because it has openssl 1.0.2, which we need for testing RUN apk add --update bash openssl curl && rm -rf /var/cache/apk/* diff --git a/test/stress_tests/test_deleted_cert/test_restart_while_missing_cert.py b/test/stress_tests/test_deleted_cert/test_restart_while_missing_cert.py index 2b74acd..0ec36c7 100644 --- a/test/stress_tests/test_deleted_cert/test_restart_while_missing_cert.py +++ b/test/stress_tests/test_deleted_cert/test_restart_while_missing_cert.py @@ -12,7 +12,7 @@ script_dir = os.path.dirname(__file__) pytestmark = pytest.mark.xfail() # TODO delete this marker once those issues are fixed -@pytest.yield_fixture(scope="module", autouse=True) +@pytest.fixture(scope="module", autouse=True) def certs(): """ pytest fixture that provides cert and key files into the tmp_certs directory @@ -43,7 +43,7 @@ def test_http_web_is_301(docker_compose, nginxproxy): def test_https_web_is_200(docker_compose, nginxproxy): r = nginxproxy.get("https://web.nginx-proxy/port") assert r.status_code == 200 - assert 'answer from port 81\n' in r.text + assert "answer from port 81\n" in r.text @pytest.mark.incremental diff --git a/test/test_custom/test_location-per-vhost.py b/test/test_custom/test_location-per-vhost.py index b99996e..f67b501 100644 --- a/test/test_custom/test_location-per-vhost.py +++ b/test/test_custom/test_location-per-vhost.py 
@@ -19,4 +19,4 @@ def test_custom_conf_does_not_apply_to_web2(docker_compose, nginxproxy): assert "X-test" not in r.headers def test_custom_block_is_present_in_nginx_generated_conf(docker_compose, nginxproxy): - assert "include /etc/nginx/vhost.d/web1.nginx-proxy.local_location;" in nginxproxy.get_conf() \ No newline at end of file + assert b"include /etc/nginx/vhost.d/web1.nginx-proxy.local_location;" in nginxproxy.get_conf() \ No newline at end of file diff --git a/test/test_dockergen/test_dockergen_v2.py b/test/test_dockergen/test_dockergen_v2.py index af02649..a3f2484 100644 --- a/test/test_dockergen/test_dockergen_v2.py +++ b/test/test_dockergen/test_dockergen_v2.py @@ -4,7 +4,7 @@ import logging import pytest -@pytest.yield_fixture(scope="module") +@pytest.fixture(scope="module") def nginx_tmpl(): """ pytest fixture which extracts the the nginx config template from @@ -13,14 +13,18 @@ def nginx_tmpl(): script_dir = os.path.dirname(__file__) logging.info("extracting nginx.tmpl from nginxproxy/nginx-proxy:test") docker_client = docker.from_env() - print(docker_client.containers.run( - image='nginxproxy/nginx-proxy:test', - remove=True, - volumes=['{current_dir}:{current_dir}'.format(current_dir=script_dir)], - entrypoint='sh', - command='-xc "cp /app/nginx.tmpl {current_dir} && chmod 777 {current_dir}/nginx.tmpl"'.format( - current_dir=script_dir), - stderr=True)) + print( + docker_client.containers.run( + image="nginxproxy/nginx-proxy:test", + remove=True, + volumes=["{current_dir}:{current_dir}".format(current_dir=script_dir)], + entrypoint="sh", + command='-xc "cp /app/nginx.tmpl {current_dir} && chmod 777 {current_dir}/nginx.tmpl"'.format( + current_dir=script_dir + ), + stderr=True, + ) + ) yield logging.info("removing nginx.tmpl") os.remove(os.path.join(script_dir, "nginx.tmpl")) diff --git a/test/test_dockergen/test_dockergen_v3.py b/test/test_dockergen/test_dockergen_v3.py index 453889a..1beffeb 100644 --- a/test/test_dockergen/test_dockergen_v3.py 
+++ b/test/test_dockergen/test_dockergen_v3.py @@ -18,16 +18,18 @@ def versiontuple(v): >>> versiontuple("17.03.0-ce") < (1, 13) False """ - return tuple(map(int, (v.split('-')[0].split(".")))) + return tuple(map(int, (v.split("-")[0].split(".")))) -raw_version = docker.from_env().version()['Version'] +raw_version = docker.from_env().version()["Version"] pytestmark = pytest.mark.skipif( versiontuple(raw_version) < (1, 13), - reason="Docker compose syntax v3 requires docker engine v1.13 or later (got %s)" % raw_version) + reason="Docker compose syntax v3 requires docker engine v1.13 or later (got %s)" + % raw_version, +) -@pytest.yield_fixture(scope="module") +@pytest.fixture(scope="module") def nginx_tmpl(): """ pytest fixture which extracts the the nginx config template from @@ -36,14 +38,18 @@ def nginx_tmpl(): script_dir = os.path.dirname(__file__) logging.info("extracting nginx.tmpl from nginxproxy/nginx-proxy:test") docker_client = docker.from_env() - print(docker_client.containers.run( - image='nginxproxy/nginx-proxy:test', - remove=True, - volumes=['{current_dir}:{current_dir}'.format(current_dir=script_dir)], - entrypoint='sh', - command='-xc "cp /app/nginx.tmpl {current_dir} && chmod 777 {current_dir}/nginx.tmpl"'.format( - current_dir=script_dir), - stderr=True)) + print( + docker_client.containers.run( + image="nginxproxy/nginx-proxy:test", + remove=True, + volumes=["{current_dir}:{current_dir}".format(current_dir=script_dir)], + entrypoint="sh", + command='-xc "cp /app/nginx.tmpl {current_dir} && chmod 777 {current_dir}/nginx.tmpl"'.format( + current_dir=script_dir + ), + stderr=True, + ) + ) yield logging.info("removing nginx.tmpl") os.remove(os.path.join(script_dir, "nginx.tmpl")) @@ -61,6 +67,6 @@ def test_forwards_to_whoami(nginx_tmpl, docker_compose, nginxproxy): assert r.text == "I'm %s\n" % whoami_container.id[:12] -if __name__ == '__main__': +if __name__ == "__main__": import doctest doctest.testmod() 
diff --git a/test/test_events.py b/test/test_events.py index fa97f84..201917f 100644 --- a/test/test_events.py +++ b/test/test_events.py @@ -7,7 +7,7 @@ import pytest from docker.errors import NotFound -@pytest.yield_fixture() +@pytest.fixture() def web1(docker_compose): """ pytest fixture creating a web container with `VIRTUAL_HOST=web1.nginx-proxy` listening on port 81. diff --git a/test/test_ssl/test_dhparam.py b/test/test_ssl/test_dhparam.py index 40339a1..8899c6a 100644 --- a/test/test_ssl/test_dhparam.py +++ b/test/test_ssl/test_dhparam.py @@ -26,7 +26,7 @@ def assert_log_contains(expected_log_line): """ sut_container = docker_client.containers.get("nginxproxy") docker_logs = sut_container.logs(stdout=True, stderr=True, stream=False, follow=False) - assert expected_log_line in docker_logs + assert bytes(expected_log_line, encoding="utf8") in docker_logs def require_openssl(required_version): @@ -42,7 +42,7 @@ def require_openssl(required_version): """ def versiontuple(v): - clean_v = re.sub("[^\d\.]", "", v) + clean_v = re.sub(r"[^\d\.]", "", v) return tuple(map(int, (clean_v.split(".")))) try: @@ -52,7 +52,7 @@ def require_openssl(required_version): else: if not command_output: raise Exception("Could not get openssl version") - openssl_version = command_output.split()[1] + openssl_version = str(command_output.split()[1]) return pytest.mark.skipif( versiontuple(openssl_version) < versiontuple(required_version), reason="openssl v%s is less than required version %s" % (openssl_version, required_version)) 
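Review bot: `openssl_version = str(command_output.split()[1])` in `require_openssl` converts a bytes token with `str()`, which yields the repr `"b'1.1.1k'"` if `command_output` is bytes (it likely is, coming from `subprocess`, though that call is outside the hunk); `versiontuple` happens to strip the stray characters with its `[^\d\.]` regex, but the `reason=` string would then read `openssl vb'1.1.1k'`. Decode instead: `openssl_version = command_output.split()[1].decode()`. `require_openssl` begins and ends outside the hunk.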
@@ -71,8 +71,8 @@ def test_dhparam_is_not_generated_if_present(docker_compose): assert_log_contains("Custom dhparam.pem file found, generation skipped") # Make sure the dhparam in use is not the default, pre-generated one - default_checksum = sut_container.exec_run("md5sum /app/dhparam.pem.default").split() - current_checksum = sut_container.exec_run("md5sum /etc/nginx/dhparam/dhparam.pem").split() + default_checksum = sut_container.exec_run("md5sum /app/dhparam.pem.default").output.split() + current_checksum = sut_container.exec_run("md5sum /etc/nginx/dhparam/dhparam.pem").output.split() assert default_checksum[0] != current_checksum[0] @@ -89,5 +89,5 @@ def test_web5_dhparam_is_used(docker_compose): host = "%s:443" % sut_container.attrs["NetworkSettings"]["IPAddress"] r = subprocess.check_output( - "echo '' | openssl s_client -connect %s -cipher 'EDH' | grep 'Server Temp Key'" % host, shell=True) - assert "Server Temp Key: X25519, 253 bits\n" == r + f"echo '' | openssl s_client -connect {host} -cipher 'EDH' | grep 'Server Temp Key'", shell=True) + assert b"Server Temp Key: X25519, 253 bits\n" == r diff --git a/test/test_ssl/test_dhparam_generation.py b/test/test_ssl/test_dhparam_generation.py index 0f5398b..4ba1c53 100644 --- a/test/test_ssl/test_dhparam_generation.py +++ b/test/test_ssl/test_dhparam_generation.py @@ -22,7 +22,7 @@ def assert_log_contains(expected_log_line): """ sut_container = docker_client.containers.get("nginxproxy") docker_logs = sut_container.logs(stdout=True, stderr=True, stream=False, follow=False) - assert expected_log_line in docker_logs + assert bytes(expected_log_line, encoding="utf8") in docker_logs ############################################################################### diff --git a/test/test_ssl/wildcard_cert_and_nohttps/test_wildcard_cert_nohttps.py b/test/test_ssl/wildcard_cert_and_nohttps/test_wildcard_cert_nohttps.py index 2808dee..1946cc0 100644 --- a/test/test_ssl/wildcard_cert_and_nohttps/test_wildcard_cert_nohttps.py 
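Review bot: The rewritten `subprocess.check_output(f"echo '' | openssl s_client -connect {host} -cipher 'EDH' | grep 'Server Temp Key'", shell=True)` still builds a shell pipeline from an interpolated value; since the line is being rewritten anyway, pass an argument list and feed stdin directly, which removes `shell=True` and the `echo`/`grep` helpers: `r = subprocess.check_output(["openssl", "s_client", "-connect", host, "-cipher", "EDH"], input=b"\n", stderr=subprocess.DEVNULL)` followed by `assert b"Server Temp Key: X25519, 253 bits\n" in r`. `host` is read from the container's Docker attributes, so the exposure is limited to the test environment, but the list form also makes a missing `openssl` fail as a clear `FileNotFoundError` rather than a shell exit status. The assertion becomes a containment check because `grep` no longer isolates the line; `test_web5_dhparam_is_used` starts outside the hunk.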
+++ b/test/test_ssl/wildcard_cert_and_nohttps/test_wildcard_cert_nohttps.py @@ -1,5 +1,5 @@ import pytest -from backports.ssl_match_hostname import CertificateError +from ssl import CertificateError from requests.exceptions import SSLError From eba9ac42610290b93e2ab41dcf367d929bb30140 Mon Sep 17 00:00:00 2001 From: Kevin Marilleau Date: Thu, 18 Mar 2021 22:48:49 +0100 Subject: [PATCH 62/83] chore(ci): :arrow_up: update python dependencies to latests release --- test/conftest.py | 4 ++-- test/requirements/python-requirements.txt | 10 +++++----- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/test/conftest.py b/test/conftest.py index 0195712..0d7a488 100644 --- a/test/conftest.py +++ b/test/conftest.py @@ -471,5 +471,5 @@ try: except docker.errors.ImageNotFound: pytest.exit("The docker image 'nginxproxy/nginx-proxy:test' is missing") -if docker.__version__ != "2.1.0": - pytest.exit("This test suite is meant to work with the python docker module v2.1.0") +if docker.__version__ != "4.4.4": + pytest.exit("This test suite is meant to work with the python docker module v4.4.4") diff --git a/test/requirements/python-requirements.txt b/test/requirements/python-requirements.txt index ba95455..11f8665 100644 --- a/test/requirements/python-requirements.txt +++ b/test/requirements/python-requirements.txt @@ -1,5 +1,5 @@ -backoff==1.3.2 -docker-compose==1.11.2 -docker==2.1.0 -pytest==3.0.5 -requests==2.11.1 +backoff==1.10.0 +docker-compose==1.28.5 +docker==4.4.4 +pytest==6.2.2 +requests==2.25.1 From 37e85e6e8d8aa413f3d242585c37e98abdbfb018 Mon Sep 17 00:00:00 2001 
From: Kevin Marilleau Date: Fri, 19 Mar 2021 12:12:24 +0100 Subject: [PATCH 63/83] chore(ci): :recycle: convert Python old `%` string to f-strings --- test/conftest.py | 50 +++++++++---------- test/requirements/web/webserver.py | 6 +-- test/test_dockergen/test_dockergen_v2.py | 2 +- test/test_dockergen/test_dockergen_v3.py | 5 +- test/test_ssl/test_dhparam.py | 4 +- test/test_ssl/test_wildcard.py | 8 +-- .../test_wildcard_cert_nohttps.py | 10 ++-- test/test_wildcard_host.py | 6 +-- 8 files changed, 45 insertions(+), 46 deletions(-) diff --git a/test/conftest.py b/test/conftest.py index 0d7a488..aa398e6 100644 --- a/test/conftest.py +++ b/test/conftest.py @@ -132,7 +132,7 @@ def container_ip(container): pytest.skip("This system does not support IPv6") ip = container_ipv6(container) if ip == '': - pytest.skip("Container %s has no IPv6 address" % container.name) + pytest.skip(f"Container {container.name} has no IPv6 address") else: return ip else: 
@@ -166,15 +166,15 @@ def nginx_proxy_dns_resolver(domain_name): :return: IP or None """ log = logging.getLogger('DNS') - log.debug("nginx_proxy_dns_resolver(%r)" % domain_name) + log.debug(f"nginx_proxy_dns_resolver({domain_name!r})") if 'nginx-proxy' in domain_name: nginxproxy_containers = docker_client.containers.list(filters={"status": "running", "ancestor": "nginxproxy/nginx-proxy:test"}) if len(nginxproxy_containers) == 0: - log.warn("no container found from image nginxproxy/nginx-proxy:test while resolving %r", domain_name) + log.warn(f"no container found from image nginxproxy/nginx-proxy:test while resolving {domain_name!r}") return nginxproxy_container = nginxproxy_containers[0] ip = container_ip(nginxproxy_container) - log.info("resolving domain name %r as IP address %s of nginx-proxy container %s" % (domain_name, ip, nginxproxy_container.name)) + log.info(f"resolving domain name {domain_name!r} as IP address {ip} of nginx-proxy container {nginxproxy_container.name}") return ip def docker_container_dns_resolver(domain_name): 
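Review bot: `log.warn(f"no container found from image nginxproxy/nginx-proxy:test while resolving {domain_name!r}")` replaces a call that already used logging's deferred argument form, so this hunk turns the idiomatic `log.warn("... %r", domain_name)` into eager string formatting that runs even when the DNS logger is disabled; the same conversion is applied in the `@@ -185,24` hunk (`docker_container_dns_resolver`) and in the `connect_to_network` / `disconnect_from_network` hunks of this commit. For logging calls, keep the `%`-with-arguments form (the f-string conversion is fine for `pytest.skip`, `pytest.fail` and `ValueError` messages). While here, `Logger.warn` is a deprecated alias of `warning`. `nginx_proxy_dns_resolver` starts outside the hunk.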
@@ -185,24 +185,24 @@ def docker_container_dns_resolver(domain_name): :return: IP or None """ log = logging.getLogger('DNS') - log.debug("docker_container_dns_resolver(%r)" % domain_name) + log.debug(f"docker_container_dns_resolver({domain_name!r})") match = re.search(r'(^|.+\.)(?P[^.]+)\.container\.docker$', domain_name) if not match: - log.debug("%r does not match" % domain_name) + log.debug(f"{domain_name!r} does not match") return container_name = match.group('container') - log.debug("looking for container %r" % container_name) + log.debug(f"looking for container {container_name!r}") try: container = docker_client.containers.get(container_name) except docker.errors.NotFound: - log.warn("container named %r not found while resolving %r" % (container_name, domain_name)) + log.warn(f"container named {container_name!r} not found while resolving {domain_name!r}") return - log.debug("container %r found (%s)" % (container.name, container.short_id)) + log.debug(f"container {container.name!r} found ({container.short_id})") ip = container_ip(container) - log.info("resolving domain name %r as IP address %s of container %s" % (domain_name, ip, container.name)) + log.info(f"resolving domain name {domain_name!r} as IP address {ip} of container {container.name}") return ip @@ -215,7 +215,7 @@ def monkey_patch_urllib_dns_resolver(): prv_getaddrinfo = socket.getaddrinfo dns_cache = {} def new_getaddrinfo(*args): - logging.getLogger('DNS').debug("resolving domain name %s" % repr(args)) + logging.getLogger('DNS').debug(f"resolving domain name {repr(args)}") _args = list(args) # custom DNS resolvers 
@@ -243,7 +243,7 @@ def remove_all_containers():
 for container in docker_client.containers.list(all=True):
 if I_AM_RUNNING_INSIDE_A_DOCKER_CONTAINER and container.id.startswith(socket.gethostname()):
 continue # pytest is running within a Docker container, so we do not want to remove that particular container
- logging.info("removing container %s" % container.name)
+ logging.info(f"removing container {container.name}")
 container.remove(v=True, force=True)
@@ -263,19 +263,19 @@ def get_nginx_conf_from_container(container):
 def docker_compose_up(compose_file='docker-compose.yml'):
- logging.info('docker-compose -f %s up -d' % compose_file)
+ logging.info(f'docker-compose -f {compose_file} up -d')
 try:
- subprocess.check_output(shlex.split('docker-compose -f %s up -d' % compose_file), stderr=subprocess.STDOUT)
+ subprocess.check_output(shlex.split(f'docker-compose -f {compose_file} up -d'), stderr=subprocess.STDOUT)
 except subprocess.CalledProcessError as e:
- pytest.fail("Error while runninng 'docker-compose -f %s up -d':\n%s" % (compose_file, e.output), pytrace=False)
+ pytest.fail(f"Error while runninng 'docker-compose -f {compose_file} up -d':\n{e.output}", pytrace=False)
 def docker_compose_down(compose_file='docker-compose.yml'):
- logging.info('docker-compose -f %s down' % compose_file)
+ logging.info(f'docker-compose -f {compose_file} down')
 try:
- subprocess.check_output(shlex.split('docker-compose -f %s down' % compose_file), stderr=subprocess.STDOUT)
+ subprocess.check_output(shlex.split(f'docker-compose -f {compose_file} down'), stderr=subprocess.STDOUT)
 except subprocess.CalledProcessError as e:
- pytest.fail("Error while runninng 'docker-compose -f %s down':\n%s" % (compose_file, e.output), pytrace=False)
+ pytest.fail(f"Error while runninng 'docker-compose -f {compose_file} down':\n{e.output}", pytrace=False)
 def wait_for_nginxproxy_to_be_ready():
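Review bot: In `docker_compose_up` and `docker_compose_down` the command is still assembled as one string and re-tokenised with `shlex.split`, so a `compose_file` path containing whitespace or quote characters is split into the wrong argv; passing the arguments as a list avoids the round-trip: `subprocess.check_output(["docker-compose", "-f", compose_file, "up", "-d"], stderr=subprocess.STDOUT)` (and `"down"` in the twin). The failure message also interpolates `e.output`, which `check_output` hands back as bytes, so the f-string renders it as a `b'...'` literal with escaped newlines; `e.output.decode(errors="replace")` keeps the captured output readable in the pytest report.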
@@ -309,7 +309,7 @@ def find_docker_compose_file(request): if docker_compose_file_module_variable is not None: docker_compose_file = os.path.join( test_module_dir, docker_compose_file_module_variable) if not os.path.isfile(docker_compose_file): - raise ValueError("docker compose file %r could not be found. Check your test module `docker_compose_file` variable value." % docker_compose_file) + raise ValueError(f"docker compose file {docker_compose_file!r} could not be found. Check your test module `docker_compose_file` variable value.") else: if os.path.isfile(yml_file): docker_compose_file = yml_file @@ -321,7 +321,7 @@ def find_docker_compose_file(request): if not os.path.isfile(docker_compose_file): logging.error("Could not find any docker-compose file named either '{0}.yml', '{0}.yaml' or 'docker-compose.yml'".format(request.module.__name__)) - logging.debug("using docker compose file %s" % docker_compose_file) + logging.debug(f"using docker compose file {docker_compose_file}") return docker_compose_file @@ -335,7 +335,7 @@ def connect_to_network(network): try: my_container = docker_client.containers.get(socket.gethostname()) except docker.errors.NotFound: - logging.warn("container %r not found" % socket.gethostname()) + logging.warn(f"container {socket.gethostname()!r} not found") return # figure out our container networks @@ -343,7 +343,7 @@ def connect_to_network(network): # make sure our container is connected to the nginx-proxy's network if network not in my_networks: - logging.info("Connecting to docker network: %s" % network.name) + logging.info(f"Connecting to docker network: {network.name}") network.connect(my_container) return network 
@@ -358,7 +358,7 @@ def disconnect_from_network(network=None): try: my_container = docker_client.containers.get(socket.gethostname()) except docker.errors.NotFound: - logging.warn("container %r not found" % socket.gethostname()) + logging.warn(f"container {socket.gethostname()!r} not found") return # figure out our container networks @@ -366,7 +366,7 @@ def disconnect_from_network(network=None): # disconnect our container from the given network if network.name in my_networks_names: - logging.info("Disconnecting from network %s" % network.name) + logging.info(f"Disconnecting from network {network.name}") network.disconnect(my_container) @@ -458,7 +458,7 @@ def pytest_runtest_makereport(item, call): def pytest_runtest_setup(item): previousfailed = getattr(item.parent, "_previousfailed", None) if previousfailed is not None: - pytest.xfail("previous test failed (%s)" % previousfailed.name) + pytest.xfail(f"previous test failed ({previousfailed.name})") ############################################################################### # diff --git a/test/requirements/web/webserver.py b/test/requirements/web/webserver.py index 9334657..b8e81c0 100755 --- a/test/requirements/web/webserver.py +++ b/test/requirements/web/webserver.py @@ -13,13 +13,13 @@ class Handler(http.server.SimpleHTTPRequestHandler): if self.path == "/headers": response_body += self.headers.as_string() elif self.path == "/port": - response_body += "answer from port %s\n" % PORT + response_body += f"answer from port {PORT}\n" elif re.match("/status/(\d+)", self.path): result = re.match("/status/(\d+)", self.path) response_code = int(result.group(1)) - response_body += "answer with response code %s\n" % response_code + response_body += f"answer with response code {response_code}\n" elif self.path == "/": - response_body += "I'm %s\n" % os.environ['HOSTNAME'] + response_body += f"I'm {os.environ['HOSTNAME']}\n" else: response_body += "No route for this path!\n" response_code = 404 
diff --git a/test/test_dockergen/test_dockergen_v2.py b/test/test_dockergen/test_dockergen_v2.py
index a3f2484..43b1431 100644
--- a/test/test_dockergen/test_dockergen_v2.py
+++ b/test/test_dockergen/test_dockergen_v2.py
@@ -39,4 +39,4 @@ def test_forwards_to_whoami(nginx_tmpl, docker_compose, nginxproxy):
 r = nginxproxy.get("http://whoami.nginx.container.docker/")
 assert r.status_code == 200
 whoami_container = docker_compose.containers.get("whoami")
- assert r.text == "I'm %s\n" % whoami_container.id[:12]
+ assert r.text == f"I'm {whoami_container.id[:12]}\n"
diff --git a/test/test_dockergen/test_dockergen_v3.py b/test/test_dockergen/test_dockergen_v3.py
index 1beffeb..358f793 100644
--- a/test/test_dockergen/test_dockergen_v3.py
+++ b/test/test_dockergen/test_dockergen_v3.py
@@ -24,8 +24,7 @@ def versiontuple(v):
 raw_version = docker.from_env().version()["Version"]
 pytestmark = pytest.mark.skipif(
 versiontuple(raw_version) < (1, 13),
- reason="Docker compose syntax v3 requires docker engine v1.13 or later (got %s)"
- % raw_version,
+ reason="Docker compose syntax v3 requires docker engine v1.13 or later (got {raw_version})"
 )
@@ -64,7 +63,7 @@ def test_forwards_to_whoami(nginx_tmpl, docker_compose, nginxproxy):
 r = nginxproxy.get("http://whoami.nginx.container.docker/")
 assert r.status_code == 200
 whoami_container = docker_compose.containers.get("whoami")
- assert r.text == "I'm %s\n" % whoami_container.id[:12]
+ assert r.text == f"I'm {whoami_container.id[:12]}\n"
 if __name__ == "__main__":
diff --git a/test/test_ssl/test_dhparam.py b/test/test_ssl/test_dhparam.py
index 8899c6a..acb4269 100644
--- a/test/test_ssl/test_dhparam.py
+++ b/test/test_ssl/test_dhparam.py
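Review bot: The new `reason="Docker compose syntax v3 requires docker engine v1.13 or later (got {raw_version})"` in test_dockergen_v3.py removes the `% raw_version` without adding the `f` prefix, so the skip reason now reports the literal text `{raw_version}` instead of the engine version; it should read `reason=f"Docker compose syntax v3 requires docker engine v1.13 or later (got {raw_version})"`. The later `[PATCH 68/83]` hunk on this file carries that line as unchanged context, so the defect survives it as well.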
@@ -55,7 +55,7 @@ def require_openssl(required_version): openssl_version = str(command_output.split()[1]) return pytest.mark.skipif( versiontuple(openssl_version) < versiontuple(required_version), - reason="openssl v%s is less than required version %s" % (openssl_version, required_version)) + reason=f"openssl v{openssl_version} is less than required version {required_version}") ############################################################################### @@ -87,7 +87,7 @@ def test_web5_dhparam_is_used(docker_compose): sut_container = docker_client.containers.get("nginxproxy") assert sut_container.status == "running" - host = "%s:443" % sut_container.attrs["NetworkSettings"]["IPAddress"] + host = f"{sut_container.attrs['NetworkSettings']['IPAddress']}:443" r = subprocess.check_output( f"echo '' | openssl s_client -connect {host} -cipher 'EDH' | grep 'Server Temp Key'", shell=True) assert b"Server Temp Key: X25519, 253 bits\n" == r diff --git a/test/test_ssl/test_wildcard.py b/test/test_ssl/test_wildcard.py index 9885d94..202ba24 100644 --- a/test/test_ssl/test_wildcard.py +++ b/test/test_ssl/test_wildcard.py 
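Review bot: The new `host = f"{sut_container.attrs['NetworkSettings']['IPAddress']}:443"` in `test_web5_dhparam_is_used` is consumed only by the `subprocess.check_output(f"echo '' | openssl s_client -connect {host} ...", shell=True)` call on the next context line, so a runtime value is still interpolated into a shell command string; building the argv as a list, `subprocess.check_output(["openssl", "s_client", "-connect", host, "-cipher", "EDH"], input=b"", stderr=subprocess.DEVNULL)` and checking for `b"Server Temp Key"` in Python, removes both the shell and the `echo` pipe. Separately, the unchanged assertion expects `Server Temp Key: X25519, 253 bits`, which names an ECDH curve rather than finite-field DH parameters, so the test may not actually demonstrate that the dhparam file is in use — worth a comment stating what is being verified, or a check constrained to a finite-field DH exchange if that is the intent. The function may continue outside the hunk.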
@@ -3,21 +3,21 @@ import pytest @pytest.mark.parametrize("subdomain", ["foo", "bar"]) def test_web1_http_redirects_to_https(docker_compose, nginxproxy, subdomain): - r = nginxproxy.get("http://%s.nginx-proxy.tld/" % subdomain, allow_redirects=False) + r = nginxproxy.get(f"http://{subdomain}.nginx-proxy.tld/", allow_redirects=False) assert r.status_code == 301 assert "Location" in r.headers - assert "https://%s.nginx-proxy.tld/" % subdomain == r.headers['Location'] + assert f"https://{subdomain}.nginx-proxy.tld/" == r.headers['Location'] @pytest.mark.parametrize("subdomain", ["foo", "bar"]) def test_web1_https_is_forwarded(docker_compose, nginxproxy, subdomain): - r = nginxproxy.get("https://%s.nginx-proxy.tld/port" % subdomain, allow_redirects=False) + r = nginxproxy.get(f"https://{subdomain}.nginx-proxy.tld/port", allow_redirects=False) assert r.status_code == 200 assert "answer from port 81\n" in r.text @pytest.mark.parametrize("subdomain", ["foo", "bar"]) def test_web1_HSTS_policy_is_active(docker_compose, nginxproxy, subdomain): - r = nginxproxy.get("https://%s.nginx-proxy.tld/port" % subdomain, allow_redirects=False) + r = nginxproxy.get(f"https://{subdomain}.nginx-proxy.tld/port", allow_redirects=False) assert "answer from port 81\n" in r.text assert "Strict-Transport-Security" in r.headers diff --git a/test/test_ssl/wildcard_cert_and_nohttps/test_wildcard_cert_nohttps.py b/test/test_ssl/wildcard_cert_and_nohttps/test_wildcard_cert_nohttps.py index 1946cc0..03af625 100644 --- a/test/test_ssl/wildcard_cert_and_nohttps/test_wildcard_cert_nohttps.py +++ b/test/test_ssl/wildcard_cert_and_nohttps/test_wildcard_cert_nohttps.py 
@@ -9,19 +9,19 @@ from requests.exceptions import SSLError (3, False), ]) def test_http_redirects_to_https(docker_compose, nginxproxy, subdomain, should_redirect_to_https): - r = nginxproxy.get("http://%s.web.nginx-proxy.tld/port" % subdomain) + r = nginxproxy.get(f"http://{subdomain}.web.nginx-proxy.tld/port") if should_redirect_to_https: assert len(r.history) > 0 assert r.history[0].is_redirect - assert r.history[0].headers.get("Location") == "https://%s.web.nginx-proxy.tld/port" % subdomain - assert "answer from port 8%s\n" % subdomain == r.text + assert r.history[0].headers.get("Location") == f"https://{subdomain}.web.nginx-proxy.tld/port" + assert f"answer from port 8{subdomain}\n" == r.text @pytest.mark.parametrize("subdomain", [1, 2]) def test_https_get_served(docker_compose, nginxproxy, subdomain): - r = nginxproxy.get("https://%s.web.nginx-proxy.tld/port" % subdomain, allow_redirects=False) + r = nginxproxy.get(f"https://{subdomain}.web.nginx-proxy.tld/port", allow_redirects=False) assert r.status_code == 200 - assert "answer from port 8%s\n" % subdomain == r.text + assert f"answer from port 8{subdomain}\n" == r.text def test_web3_https_is_500_and_SSL_validation_fails(docker_compose, nginxproxy): diff --git a/test/test_wildcard_host.py b/test/test_wildcard_host.py index eb8428e..a5b6633 100644 --- a/test/test_wildcard_host.py +++ b/test/test_wildcard_host.py @@ -18,9 +18,9 @@ import pytest ("web4.whatever.nginx-proxy.regexp", 84), ]) def test_wildcard_prefix(docker_compose, nginxproxy, host, expected_port): - r = nginxproxy.get("http://%s/port" % host) + r = nginxproxy.get(f"http://{host}/port") assert r.status_code == 200 - assert r.text == "answer from port %s\n" % expected_port + assert r.text == f"answer from port {expected_port}\n" @pytest.mark.parametrize("host", [ 
@@ -28,5 +28,5 @@ def test_wildcard_prefix(docker_compose, nginxproxy, host, expected_port): "web4.whatever.nginx-proxy.regexp-to-infinity-and-beyond" ]) def test_non_matching_host_is_503(docker_compose, nginxproxy, host): - r = nginxproxy.get("http://%s/port" % host) + r = nginxproxy.get(f"http://{host}/port") assert r.status_code == 503, r.text From 6fd3cfb38f134e4741136d5013c14f76c9e80783 Mon Sep 17 00:00:00 2001 From: Kevin Marilleau Date: Fri, 19 Mar 2021 12:32:35 +0100 Subject: [PATCH 64/83] fix(ci): :wrench: add markers on pytest.ini to fix warnings --- test/pytest.ini | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/test/pytest.ini b/test/pytest.ini index 30f3e19..9ca7667 100644 --- a/test/pytest.ini +++ b/test/pytest.ini @@ -1,3 +1,5 @@ [pytest] # disable the creation of the `.cache` folders -addopts = -p no:cacheprovider --ignore=requirements --ignore=certs -r s -v \ No newline at end of file +addopts = -p no:cacheprovider --ignore=requirements --ignore=certs -r s -v +markers = + incremental: mark a test as incremental. \ No newline at end of file From 0c60d5703150be43abc1200da0644fbeeacd24b8 Mon Sep 17 00:00:00 2001 From: Kevin Marilleau Date: Fri, 2 Apr 2021 01:03:19 +0200 Subject: [PATCH 65/83] fix(ci): fix test_dhparam_is_generated_if_missing --- test/test_ssl/test_dhparam_generation.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/test/test_ssl/test_dhparam_generation.py b/test/test_ssl/test_dhparam_generation.py index 4ba1c53..ec1c90e 100644 --- a/test/test_ssl/test_dhparam_generation.py +++ b/test/test_ssl/test_dhparam_generation.py 
@@ -35,10 +35,10 @@ def test_dhparam_is_generated_if_missing(docker_compose):
 sut_container = docker_client.containers.get("nginxproxy")
 assert sut_container.status == "running"
- assert_log_contains("Generating DH parameters")
+ assert_log_contains("Generating DSA parameters")
 assert_log_contains("dhparam generation complete, reloading nginx")
 # Make sure the dhparam in use is not the default, pre-generated one
- default_checksum = sut_container.exec_run("md5sum /app/dhparam.pem.default").split()
- generated_checksum = sut_container.exec_run("md5sum /etc/nginx/dhparam/dhparam.pem").split()
+ default_checksum = sut_container.exec_run("md5sum /app/dhparam.pem.default").output.split()
+ generated_checksum = sut_container.exec_run("md5sum /etc/nginx/dhparam/dhparam.pem").output.split()
 assert default_checksum[0] != generated_checksum[0]
From dd7f7e842725b87f8ff2ba6f412ca3358a5d8f19 Mon Sep 17 00:00:00 2001 From: Kevin Marilleau Date: Sat, 3 Apr 2021 21:38:49 +0200 Subject: [PATCH 66/83] fix(ci): wrong nginx-proxy image used on default_host test
--- test/test_default-host.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/test_default-host.yml b/test/test_default-host.yml
index f195f58..47b8525 100644
--- a/test/test_default-host.yml
+++ b/test/test_default-host.yml
@@ -10,7 +10,7 @@ web1:
 # WHEN nginx-proxy runs with DEFAULT_HOST set to web1.tld
 sut:
- image: jwilder/nginx-proxy:test
+ image: nginxproxy/nginx-proxy:test
 volumes:
 - /var/run/docker.sock:/tmp/docker.sock:ro
 - ./lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
From dd853b25726053cb92dc811900e0d4fe1254fc4f Mon Sep 17 00:00:00 2001 From: Kevin Marilleau Date: Fri, 19 Mar 2021 13:46:38 +0100 Subject: [PATCH 67/83] chore(ci): :construction_worker: mv unit test from travis to ga
--- .github/workflows/test.yml | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 .github/workflows/test.yml
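Review bot: The expectation is switched to `assert_log_contains("Generating DSA parameters")` without a comment explaining why a DH-parameter generator is expected to log "DSA"; if this reflects `openssl dhparam -dsaparam` in the generator script (not visible here), that deserves a note, because OpenSSL's documentation describes such parameters as not being safe primes and as appropriate only when each handshake uses a fresh ephemeral key — a property of the nginx configuration, which this test does not check. Suggested line above the assertion: `# generator uses DSA-style (-dsaparam) generation, so OpenSSL logs "Generating DSA parameters" — TODO confirm against generate-dhparam.sh`. Matching OpenSSL's informational log text is also version-sensitive, so a failure here may signal an OpenSSL upgrade rather than a regression. `test_dhparam_is_generated_if_missing` starts outside the hunk.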
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
new file mode 100644
index 0000000..b1930a5
--- /dev/null
+++ b/.github/workflows/test.yml
@@ -0,0 +1,33 @@
+name: Test
+
+on: [push, pull_request]
+
+jobs:
+ unit:
+ name: Unit Test
+ runs-on: ubuntu-latest
+
+ strategy:
+ fail-fast: true
+ matrix:
+ docker_image: [alpine, debian]
+
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: Set up Python 3.9
+ uses: actions/setup-python@v2
+ with:
+ python-version: 3.9
+
+ - name: Install dependencies
+ run: |
+ python -m pip install --upgrade pip
+ pip install -r python-requirements.txt
+ working-directory: test/requirements
+
+ - name: Build Docker web server image
+ run: make update-dependencies
+
+ - name: Run tests
+ run: make test-${{ matrix.docker_image }}
From 3b1163291b9bf859bd72f76bdb6488b48a1a9db3 Mon Sep 17 00:00:00 2001 From: Kevin Marilleau Date: Fri, 19 Mar 2021 14:08:54 +0100 Subject: [PATCH 68/83] fix(test): test_dockergen_v3 version comparison
--- test/test_dockergen/test_dockergen_v3.py | 19 ++----------------- 1 file changed, 2 insertions(+), 17 deletions(-)
diff --git a/test/test_dockergen/test_dockergen_v3.py b/test/test_dockergen/test_dockergen_v3.py
index 358f793..67561bf 100644
--- a/test/test_dockergen/test_dockergen_v3.py
+++ b/test/test_dockergen/test_dockergen_v3.py
@@ -3,27 +3,12 @@ import docker
 import logging
 import pytest
 import re
-
-def versiontuple(v):
- """
- >>> versiontuple("1.12.3")
- (1, 12, 3)
-
- >>> versiontuple("1.13.0")
- (1, 13, 0)
-
- >>> versiontuple("17.03.0-ce")
- (17, 3, 0)
-
- >>> versiontuple("17.03.0-ce") < (1, 13)
- False
- """
- return tuple(map(int, (v.split("-")[0].split("."))))
+from distutils.version import LooseVersion
 raw_version = docker.from_env().version()["Version"]
 pytestmark = pytest.mark.skipif(
- versiontuple(raw_version) < (1, 13),
+ LooseVersion(raw_version) < LooseVersion("1.13"),
 reason="Docker compose syntax v3 requires docker engine v1.13 or later (got {raw_version})"
 )
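Review bot: The new workflow declares no `permissions:` block, so the `unit` job runs with the repository's default `GITHUB_TOKEN` scopes although its steps only check out code, build images and run tests; adding a top-level `permissions:` with `contents: read` limits what a compromised dependency or test could do with that token. The actions are also referenced by mutable tags (`actions/checkout@v2`, `actions/setup-python@v2`); pinning each to a full commit SHA with the tag in a trailing comment makes the build reproducible against a moved tag. The `Install dependencies` step relies on the `==` pins in python-requirements.txt but not on hashes, so `pip install --require-hashes` would be needed for integrity checking of the test dependencies, if that is wanted.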
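Review bot: `from distutils.version import LooseVersion` introduces a dependency on `distutils`, which PEP 632 deprecates from Python 3.10 and removes in 3.12, so test_dockergen_v3.py will stop importing once the workflow's Python is bumped past 3.9; the removed `versiontuple` helper had no such liability. A stdlib-only comparison such as `tuple(int(p) for p in raw_version.split("-")[0].split(".")) < (1, 13)` restores the original semantics without `distutils`, or keep `LooseVersion` behind a comment recording the Python-version constraint. The `raw_version = docker.from_env().version()["Version"]` context line still contacts the Docker daemon at import time, so collection fails when no daemon is reachable, which is worth a comment for anyone running the file outside CI.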
From 1591fd7968e9bc2904cc9c052d94addfd583f15f Mon Sep 17 00:00:00 2001 From: Kevin Marilleau Date: Fri, 19 Mar 2021 15:12:16 +0100 Subject: [PATCH 69/83] chore(ci): :green_heart: use standard python for nginx-proxy-tester --- test/requirements/Dockerfile-nginx-proxy-tester | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/test/requirements/Dockerfile-nginx-proxy-tester b/test/requirements/Dockerfile-nginx-proxy-tester index 6c0f060..3c25c0c 100644 --- a/test/requirements/Dockerfile-nginx-proxy-tester +++ b/test/requirements/Dockerfile-nginx-proxy-tester @@ -1,7 +1,4 @@ -FROM python:3.9-alpine - -# Note: we're using alpine because it has openssl 1.0.2, which we need for testing -RUN apk add --update bash openssl curl && rm -rf /var/cache/apk/* +FROM python:3.9 COPY python-requirements.txt /requirements.txt RUN pip install -r /requirements.txt From 39f822dd8bfea95e6e91d2e9b4c46d33b639d13e Mon Sep 17 00:00:00 2001 From: Kevin Marilleau Date: Fri, 19 Mar 2021 16:44:50 +0100 Subject: [PATCH 70/83] refactor(ci): :recycle: refactor makefile and modify its usage on CI --- .github/workflows/test.yml | 10 +++++++--- Makefile | 14 +++++++++----- test/requirements/build.sh | 6 ------ 3 files changed, 16 insertions(+), 14 deletions(-) delete mode 100755 test/requirements/build.sh diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index b1930a5..cde7ff3 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -10,7 +10,7 @@ jobs: strategy: fail-fast: true matrix: - docker_image: [alpine, debian] + base_docker_image: [alpine, debian] steps: - uses: actions/checkout@v2 
@@ -27,7 +27,11 @@ jobs:
 working-directory: test/requirements
 - name: Build Docker web server image
- run: make update-dependencies
+ run: make build-webserver
+
+ - name: Build Docker nginx proxy test image
+ run: make build-nginx-proxy-test-${{ matrix.base_docker_image }}
 - name: Run tests
- run: make test-${{ matrix.docker_image }}
+ run: pytest
+ working-directory: test
\ No newline at end of file
diff --git a/Makefile b/Makefile
index d7db2b8..18fcd33 100644
--- a/Makefile
+++ b/Makefile
@@ -2,15 +2,19 @@
 .PHONY : test-debian test-alpine test
-update-dependencies:
- test/requirements/build.sh
+build-webserver:
+ docker build -t web test/requirements/web
-test-debian: update-dependencies
+build-nginx-proxy-test-debian:
 docker build -t nginxproxy/nginx-proxy:test .
+
+build-nginx-proxy-test-alpine:
+ docker build -f Dockerfile.alpine -t nginxproxy/nginx-proxy:test .
+
+test-debian: build-webserver build-nginx-proxy-test-debian
 test/pytest.sh
-test-alpine: update-dependencies
- docker build -f Dockerfile.alpine -t nginxproxy/nginx-proxy:test .
+test-alpine: build-webserver build-nginx-proxy-test-alpine
 test/pytest.sh
 test: test-debian test-alpine
diff --git a/test/requirements/build.sh b/test/requirements/build.sh
deleted file mode 100755
index f29897a..0000000
--- a/test/requirements/build.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/bash
-set -e
-
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-
-docker build -t web $DIR/web
\ No newline at end of file
From 1518c39e1bdafb33b03e8e48781078a6bdf0c9c8 Mon Sep 17 00:00:00 2001 From: Kevin Marilleau Date: Mon, 26 Apr 2021 23:15:08 +0200 Subject: [PATCH 71/83] docs: update "how to install/test" parts
--- README.md | 21 +++++++-------------- test/README.md | 15 +++++---------- test/requirements/README.md | 2 +- 3 files changed, 13 insertions(+), 25 deletions(-)
diff --git a/README.md b/README.md
index 813fdda..bc8c3db 100644
--- a/README.md
+++ b/README.md
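Review bot: The `.PHONY : test-debian test-alpine test` line is left unchanged while three targets are added, so `build-webserver`, `build-nginx-proxy-test-debian` and `build-nginx-proxy-test-alpine` are ordinary file targets: a file with one of those names in the repository root would make `make` consider the target up to date and silently skip the `docker build`. Extend the declaration to `.PHONY : build-webserver build-nginx-proxy-test-debian build-nginx-proxy-test-alpine test-debian test-alpine test`. The workflow hunk in the same commit leaves test.yml without a final newline (`\ No newline at end of file`), which is harmless but adds noise to every later diff of that file.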
@@ -415,22 +415,15 @@ Before submitting pull requests or issues, please check github to make sure an e #### Running Tests Locally -To run tests, you need to prepare the docker image to test which must be tagged `nginxproxy/nginx-proxy:test`: - - docker build -t nginxproxy/nginx-proxy:test . # build the Debian variant image - -and call the [test/pytest.sh](test/pytest.sh) script. - -Then build the Alpine variant of the image: - - docker build -f Dockerfile.alpine -t nginxproxy/nginx-proxy:test . # build the Alpline variant image - -and call the [test/pytest.sh](test/pytest.sh) script again. - - -If your system has the `make` command, you can automate those tasks by calling: +To run tests, you just need to run the command below: make test +This commands run tests on two variants of the nginx-proxy docker image: Debian and Alpine. + +You can run the tests for each of these images with their respective commands: + + make test-debian + make test-alpine You can learn more about how the test suite works and how to write new tests in the [test/README.md](test/README.md) file. diff --git a/test/README.md b/test/README.md index c62960a..dd9db44 100644 --- a/test/README.md +++ b/test/README.md @@ -4,9 +4,8 @@ Nginx proxy test suite Install requirements -------------------- -You need [python 2.7](https://www.python.org/) and [pip](https://pip.pypa.io/en/stable/installing/) installed. Then run the commands: +You need [python 3.9](https://www.python.org/) and [pip](https://pip.pypa.io/en/stable/installing/) installed. Then run the commands: - requirements/build.sh pip install -r requirements/python-requirements.txt If you can't install those requirements on your computer, you can alternatively use the _pytest.sh_ script which will run the tests from a Docker container which has those requirements. 
@@ -15,14 +14,11 @@ If you can't install those requirements on your computer, you can alternatively Prepare the nginx-proxy test image ---------------------------------- - docker build -t nginxproxy/nginx-proxy:test .. + make build-nginx-proxy-test-debian or if you want to test the alpine flavor: - docker build -t nginxproxy/nginx-proxy:test -f Dockerfile.alpine .. - -make sure to tag that test image exactly `nginxproxy/nginx-proxy:test` or the test suite won't work. - + make build-nginx-proxy-test-alpine Run the test suite ------------------ @@ -61,7 +57,7 @@ The fixture will run the _docker-compose_ command with the `-f` option to load t In the case you are running pytest from within a docker container, the `docker_compose` fixture will make sure the container running pytest is attached to all docker networks. That way, your test will be able to reach any of them. -In your tests, you can use the `docker_compose` variable to query and command the docker daemon as it provides you with a [client from the docker python module](https://docker-py.readthedocs.io/en/2.0.2/client.html#client-reference). +In your tests, you can use the `docker_compose` variable to query and command the docker daemon as it provides you with a [client from the docker python module](https://docker-py.readthedocs.io/en/4.4.4/client.html#client-reference). Also this fixture alters the way the python interpreter resolves domain names to IP addresses in the following ways: 
@@ -99,8 +95,7 @@ Furthermore, the nginxproxy methods accept an additional keyword parameter: `ipv ### The web docker image -When you ran the `requirements/build.sh` script earlier, you built a [`web`](requirements/README.md) docker image which is convenient for running a small web server in a container. This image can produce containers that listens on multiple ports at the same time. - +When you run the `make build-webserver` command, you built a [`web`](requirements/README.md) docker image which is convenient for running a small web server in a container. This image can produce containers that listens on multiple ports at the same time. ### Testing TLS diff --git a/test/requirements/README.md b/test/requirements/README.md index 3a0c389..394c9b1 100644 --- a/test/requirements/README.md +++ b/test/requirements/README.md @@ -2,7 +2,7 @@ This directory contains resources to build Docker images tests depend on # Build images - ./build.sh + make build-webserver # python-requirements.txt From 5e4f00524031df3a63622dc72eea946325892451 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 26 Apr 2021 22:44:46 +0000 Subject: [PATCH 72/83] Bump nginx from 1.19.3 to 1.19.10 Bumps nginx from 1.19.3 to 1.19.10. Signed-off-by: dependabot[bot] --- Dockerfile | 2 +- Dockerfile.alpine | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 83253c5..063cf62 100644 --- a/Dockerfile +++ b/Dockerfile @@ -39,7 +39,7 @@ RUN go get -v ./... && \ CGO_ENABLED=0 GOOS=linux go build -o forego . # Build the final image -FROM nginx:1.19.3 +FROM nginx:1.19.10 LABEL maintainer="Nicolas Duchon (@buchdag)" # Install wget and install/updates certificates diff --git a/Dockerfile.alpine b/Dockerfile.alpine index 5de844c..faf8a2b 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine 
@@ -39,7 +39,7 @@ RUN go get -v ./... && \ CGO_ENABLED=0 GOOS=linux go build -o forego . # Build the final image -FROM nginx:1.19.3-alpine +FROM nginx:1.19.10-alpine LABEL maintainer="Nicolas Duchon (@buchdag)" # Install wget and install/updates certificates From 0d2efaee95f29099ea7d5036136e07c9994c73a2 Mon Sep 17 00:00:00 2001 From: Nicolas Duchon Date: Tue, 27 Apr 2021 01:10:17 +0200 Subject: [PATCH 73/83] docs: update nginx version and CI badge --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index bc8c3db..dcfad7b 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ ![latest 0.8.0](https://img.shields.io/badge/latest-0.8.0-green.svg?style=flat) -![nginx 1.19.3](https://img.shields.io/badge/nginx-1.19.3-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/nginx/nginx-proxy.svg?branch=main)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/nginxproxy/nginx-proxy.svg)](https://hub.docker.com/r/nginxproxy/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/nginxproxy/nginx-proxy.svg)](https://hub.docker.com/r/nginxproxy/nginx-proxy 'DockerHub') +![nginx 1.19.10](https://img.shields.io/badge/nginx-1.19.10-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Test](https://github.com/nginx-proxy/nginx-proxy/actions/workflows/test.yml/badge.svg)](https://github.com/nginx-proxy/nginx-proxy/actions/workflows/test.yml) [![](https://img.shields.io/docker/stars/nginxproxy/nginx-proxy.svg)](https://hub.docker.com/r/nginxproxy/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/nginxproxy/nginx-proxy.svg)](https://hub.docker.com/r/nginxproxy/nginx-proxy 'DockerHub') nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped. 
From f7444094cad54c7750006a58c9c4db3ef709fa9a Mon Sep 17 00:00:00 2001 From: Nicolas Duchon Date: Tue, 27 Apr 2021 01:12:28 +0200 Subject: [PATCH 74/83] ci: remove Travis CI --- .travis.yml | 22 ---------------------- 1 file changed, 22 deletions(-) delete mode 100644 .travis.yml diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index 7a1c66f..0000000 --- a/.travis.yml +++ /dev/null @@ -1,22 +0,0 @@ -dist: trusty -sudo: required - -env: - matrix: - - TEST_TARGET: test-debian - - TEST_TARGET: test-alpine - -before_install: - - sudo apt-get -y remove docker docker-engine docker-ce - - sudo rm /etc/apt/sources.list.d/docker.list - - curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - - - sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" - - sudo apt-get update - - sudo apt-get -y install docker-ce - - docker version - - docker info - # prepare docker test requirements - - make update-dependencies - -script: - - make $TEST_TARGET From 1f937dd6a520533a442fb474dc5f765902febee7 Mon Sep 17 00:00:00 2001 From: Nicolas Duchon Date: Wed, 28 Apr 2021 09:58:03 +0200 Subject: [PATCH 75/83] docs: don't mention Docker container based tests Those aren't working yet and are being worked on close #1605 --- test/README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/test/README.md b/test/README.md index dd9db44..df7c214 100644 --- a/test/README.md +++ b/test/README.md @@ -8,7 +8,6 @@ You need [python 3.9](https://www.python.org/) and [pip](https://pip.pypa.io/en/ pip install -r requirements/python-requirements.txt -If you can't install those requirements on your computer, you can alternatively use the _pytest.sh_ script which will run the tests from a Docker container which has those requirements. Prepare the nginx-proxy test image 
@@ -99,4 +98,4 @@ When you run the `make build-webserver` command, you built a [`web`](requirement ### Testing TLS -If you need to create server certificates, use the [`certs/create_server_certificate.sh`](certs/) script. Pytest will be able to validate any certificate issued from this script. \ No newline at end of file +If you need to create server certificates, use the [`certs/create_server_certificate.sh`](certs/) script. Pytest will be able to validate any certificate issued from this script. From e3cc439ff00ed98e4dc7642f6ea6f0ed8558d604 Mon Sep 17 00:00:00 2001 From: Nicolas Duchon Date: Wed, 28 Apr 2021 22:43:40 +0200 Subject: [PATCH 76/83] doc: bring badges in line with acme-companion --- README.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index dcfad7b..83b5cf4 100644 --- a/README.md +++ b/README.md 
@@ -1,5 +1,9 @@ -![latest 0.8.0](https://img.shields.io/badge/latest-0.8.0-green.svg?style=flat) -![nginx 1.19.10](https://img.shields.io/badge/nginx-1.19.10-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Test](https://github.com/nginx-proxy/nginx-proxy/actions/workflows/test.yml/badge.svg)](https://github.com/nginx-proxy/nginx-proxy/actions/workflows/test.yml) [![](https://img.shields.io/docker/stars/nginxproxy/nginx-proxy.svg)](https://hub.docker.com/r/nginxproxy/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/nginxproxy/nginx-proxy.svg)](https://hub.docker.com/r/nginxproxy/nginx-proxy 'DockerHub') +[![Test](https://github.com/nginx-proxy/nginx-proxy/actions/workflows/test.yml/badge.svg)](https://github.com/nginx-proxy/nginx-proxy/actions/workflows/test.yml) +[![GitHub release](https://img.shields.io/github/v/release/nginx-proxy/nginx-proxy)](https://github.com/nginx-proxy/nginx-proxy/releases) +![nginx 1.19.10](https://img.shields.io/badge/nginx-1.19.10-brightgreen.svg) +[![Docker Image Size](https://img.shields.io/docker/image-size/nginxproxy/nginx-proxy?sort=semver)](https://hub.docker.com/r/nginxproxy/nginx-proxy "Click to view the image on Docker Hub") +[![Docker stars](https://img.shields.io/docker/stars/nginxproxy/nginx-proxy.svg)](https://hub.docker.com/r/nginxproxy/nginx-proxy 'DockerHub') +[![Docker pulls](https://img.shields.io/docker/pulls/nginxproxy/nginx-proxy.svg)](https://hub.docker.com/r/nginxproxy/nginx-proxy 'DockerHub') nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped. From 85327a871eaf8762c8560fce0beb6e6b27649b63 Mon Sep 17 00:00:00 2001 From: Chris Heald Date: Mon, 20 Aug 2018 18:35:31 -0700 Subject: [PATCH 77/83] Suffix upstream names to prevent confusion with FQDNs --- nginx.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/nginx.tmpl b/nginx.tmpl index f18aa21..1e03182 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -172,7 +172,7 @@ server { {{ $host := trim $host }} {{ $is_regexp := hasPrefix "~" $host }} -{{ $upstream_name := when $is_regexp (sha1 $host) $host }} +{{ $upstream_name := (print (when $is_regexp (sha1 $host) $host) "-upstream") }} # {{ $host }} upstream {{ $upstream_name }} { From cbc6f09d2ac7c19e0ed0cea74c879de44064853b Mon Sep 17 00:00:00 2001 From: Jesse Jarzynka Date: Mon, 8 Apr 2019 23:39:00 -0400 Subject: [PATCH 78/83] Change dhparam positional args to be inherited vars, standardize naming PR #913 added `DHPARAM_GENERATION` as a positional argument to generate-dhparam.sh. However, since it was the second positional argument, `DHPARAM_BITS` would also have to be defined or `DHPARAM_GENERATION` would be read into `DHPARAM_BITS`. This changes the arguments to be inherited variables which do not depend on order, just declaration. Also change instances of `GENERATE_DHPARAM` to `DHPARAM_GENERATION` since it's unnecessary to have another variable. I think `GENERATE_DHPARAM` is actually a better name (verb vs. noun), but `DHPARAM_GENERATION` is already defined and may break someone if changed. Addresses https://github.com/jwilder/nginx-proxy/pull/913#issuecomment-476014691 --- generate-dhparam.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/generate-dhparam.sh b/generate-dhparam.sh index 03b828c..bff6543 100755 --- a/generate-dhparam.sh +++ b/generate-dhparam.sh 
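Review bot: The reason for the `-upstream` suffix on the new `$upstream_name` line exists only in the commit subject; a reader of the template sees an arbitrary suffix with no explanation. Add a template comment directly above it, e.g. `{{/* suffix the upstream name so it cannot coincide with a real FQDN (see commit "Suffix upstream names to prevent confusion with FQDNs") */}}`. Every other reference to this upstream block must go through `$upstream_name` rather than a re-derived name; the one-line diffstat suggests that is already the case, but it is worth confirming where the proxy target is emitted. The enclosing server/range block starts and ends outside the hunk.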
@@ -1,8 +1,9 @@ #!/bin/bash -e -# The first argument is the bit depth of the dhparam, or 4096 if unspecified -DHPARAM_BITS=${1:-4096} -GENERATE_DHPARAM=${2:-true} +# DHPARAM_BITS is the bit depth of the dhparam, or 4096 if unspecified +DHPARAM_BITS=${DHPARAM_BITS:-4096} +# DHPARAM_GENERATION=false skips dhparam generation +DHPARAM_GENERATION=${DHPARAM_GENERATION:-true} # If a dhparam file is not available, use the pre-generated one and generate a new one in the background. # Note that /etc/nginx/dhparam is a volume, so this dhparam will persist restarts. @@ -26,7 +27,7 @@ if [[ -f $DHPARAM_FILE ]]; then fi fi -if [[ $GENERATE_DHPARAM =~ ^[Ff][Aa][Ll][Ss][Ee]$ ]]; then +if [[ $DHPARAM_GENERATION =~ ^[Ff][Aa][Ll][Ss][Ee]$ ]]; then echo "Skipping Diffie-Hellman parameters generation and Ignoring pre-generated dhparam.pem" exit 0 fi From c327496495e011203728974773cba80ef8292753 Mon Sep 17 00:00:00 2001 From: Nicolas Duchon Date: Thu, 29 Apr 2021 03:18:04 +0200 Subject: [PATCH 79/83] refactor: do not pass unused positional arguments --- docker-entrypoint.sh | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 5993212..6e9f7d4 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -15,9 +15,7 @@ if [[ $DOCKER_HOST = unix://* ]]; then fi # Generate dhparam file if required -# Note: if $DHPARAM_BITS is not defined, generate-dhparam.sh will use 4096 as a default -# Note2: if $DHPARAM_GENERATION is set to false in environment variable, dh param generator will skip completely -/app/generate-dhparam.sh $DHPARAM_BITS $DHPARAM_GENERATION +/app/generate-dhparam.sh # Compute the DNS resolvers for use in the templates - if the IP contains ":", it's IPv6 and must be enclosed in [] export RESOLVERS=$(awk '$1 == "nameserver" {print ($2 ~ ":")? "["$2"]": $2}' ORS=' ' /etc/resolv.conf | sed 's/ *$//g') From ab81ff8df234c5421fdce9d66ba482c797c9a536 Mon Sep 17 00:00:00 2001 
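Review bot: `DHPARAM_BITS=${DHPARAM_BITS:-4096}` in the first hunk now takes its value straight from the environment without validation, and that value later becomes the size argument of `openssl dhparam`, so a non-numeric or very small value is only discovered when the background generation fails. A guard right after the default fails early and visibly: `[[ $DHPARAM_BITS =~ ^[0-9]+$ ]] || { echo "DHPARAM_BITS must be an integer" >&2; exit 1; }`, optionally also rejecting values below 2048. In the second hunk, `DHPARAM_GENERATION` disables generation only for the literal `false` (case-insensitive); values such as `0` or `no` silently keep generation on, which the header comment `# DHPARAM_GENERATION=false skips dhparam generation` should spell out (`# any value other than false enables generation`), or the script should reject anything but true/false. The rest of the script, including the openssl call, lies outside these hunks.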
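Review bot: Dropping both notes leaves a bare `/app/generate-dhparam.sh` call with no hint that its behaviour is driven by environment variables, which is exactly what a reader of the entrypoint needs now that nothing is passed on the command line. Keep a one-line comment, e.g. `# generate-dhparam.sh reads DHPARAM_BITS (default 4096) and DHPARAM_GENERATION (false = skip) from the environment`. Since the entrypoint runs under `set -e`, a non-zero exit from the script still aborts container start; if that is intended, the same comment is the place to say so.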
From: Nicolas Duchon Date: Thu, 29 Apr 2021 03:18:40 +0200 Subject: [PATCH 80/83] style: linting with shellcheck --- docker-entrypoint.sh | 8 ++++---- generate-dhparam.sh | 6 +++--- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 6e9f7d4..279bd18 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -4,7 +4,7 @@ set -e # Warn if the DOCKER_HOST socket does not exist if [[ $DOCKER_HOST = unix://* ]]; then socket_file=${DOCKER_HOST#unix://} - if ! [ -S $socket_file ]; then + if ! [ -S "$socket_file" ]; then cat >&2 <<-EOT ERROR: you need to share your Docker host socket with a volume at $socket_file Typically you should run your nginxproxy/nginx-proxy with: \`-v /var/run/docker.sock:$socket_file:ro\` @@ -18,14 +18,14 @@ fi /app/generate-dhparam.sh # Compute the DNS resolvers for use in the templates - if the IP contains ":", it's IPv6 and must be enclosed in [] -export RESOLVERS=$(awk '$1 == "nameserver" {print ($2 ~ ":")? "["$2"]": $2}' ORS=' ' /etc/resolv.conf | sed 's/ *$//g') -if [ "x$RESOLVERS" = "x" ]; then +RESOLVERS=$(awk '$1 == "nameserver" {print ($2 ~ ":")? "["$2"]": $2}' ORS=' ' /etc/resolv.conf | sed 's/ *$//g'); export RESOLVERS +if [ "$RESOLVERS" = "" ]; then echo "Warning: unable to determine DNS resolvers for nginx" >&2 unset RESOLVERS fi # If the user has run the default command and the socket doesn't exist, fail -if [ "$socketMissing" = 1 -a "$1" = forego -a "$2" = start -a "$3" = '-r' ]; then +if [ "$socketMissing" = 1 ] && [ "$1" = forego ] && [ "$2" = start ] && [ "$3" = '-r' ]; then exit 1 fi diff --git a/generate-dhparam.sh b/generate-dhparam.sh index bff6543..397fab0 100755 --- a/generate-dhparam.sh +++ b/generate-dhparam.sh 
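Review bot: The new `if [ "$RESOLVERS" = "" ]; then` in the second hunk is a roundabout emptiness test; `if [[ -z $RESOLVERS ]]; then` reads directly and matches the `[[ $DOCKER_HOST = unix://* ]]` form the script already uses. The rewritten `RESOLVERS=$(...); export RESOLVERS` line correctly separates assignment from export so a failing pipeline is no longer masked, but it is now a very long one-liner; `export RESOLVERS` on its own line keeps the benefit without the density. The third hunk's split of the `-a` chain into separate `[ ]` tests is the right fix. `socketMissing` is assigned outside what these hunks show, presumably in the socket-check block, so a reader cannot confirm from the diff that it is always initialised; as far as the hunk header shows the script uses `set -e` but not `set -u`, so an unset value simply compares as empty.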
@@ -15,7 +15,7 @@ GEN_LOCKFILE="/tmp/dhparam_generating.lock" PREGEN_HASH=$(md5sum $PREGEN_DHPARAM_FILE | cut -d" " -f1) if [[ -f $DHPARAM_FILE ]]; then CURRENT_HASH=$(md5sum $DHPARAM_FILE | cut -d" " -f1) - if [[ $PREGEN_HASH != $CURRENT_HASH ]]; then + if [[ $PREGEN_HASH != "$CURRENT_HASH" ]]; then # There is already a dhparam, and it's not the default echo "Custom dhparam.pem file found, generation skipped" exit 0 @@ -44,10 +44,10 @@ touch $GEN_LOCKFILE # Generate a new dhparam in the background in a low priority and reload nginx when finished (grep removes the progress indicator). ( ( - nice -n +5 openssl dhparam -dsaparam -out $DHPARAM_FILE.tmp $DHPARAM_BITS 2>&1 \ + nice -n +5 openssl dhparam -dsaparam -out $DHPARAM_FILE.tmp "$DHPARAM_BITS" 2>&1 \ && mv $DHPARAM_FILE.tmp $DHPARAM_FILE \ && echo "dhparam generation complete, reloading nginx" \ && nginx -s reload ) | grep -vE '^[\.+]+' rm $GEN_LOCKFILE -) &disown +) & disown From a9cfdc843e6b079631b2917a421669fa7244cfc7 Mon Sep 17 00:00:00 2001 From: Nicolas Duchon Date: Sat, 1 May 2021 22:30:57 +0200 Subject: [PATCH 81/83] docs: fix broken link --- test/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/README.md b/test/README.md index df7c214..99d16db 100644 --- a/test/README.md +++ b/test/README.md @@ -38,7 +38,7 @@ Run one single test module Write a test module ------------------- -This test suite uses [pytest](http://doc.pytest.org/en/latest/). The [conftest.py](conftest.py) file will be automatically loaded by pytest and will provide you with two useful pytest [fixtures](http://doc.pytest.org/en/latest/fixture.html#fixture): +This test suite uses [pytest](http://doc.pytest.org/en/latest/). The [conftest.py](conftest.py) file will be automatically loaded by pytest and will provide you with two useful pytest [fixtures](https://docs.pytest.org/en/latest/explanation/fixtures.html): - docker_compose - nginxproxy 
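Review bot: The changed `openssl dhparam` line in the second hunk quotes `"$DHPARAM_BITS"` but leaves `$DHPARAM_FILE.tmp` on the same line, and `$DHPARAM_FILE` and `$GEN_LOCKFILE` on the adjacent lines, unquoted, so the shellcheck pass is incomplete for this block: `-out "$DHPARAM_FILE.tmp" "$DHPARAM_BITS"` and `mv "$DHPARAM_FILE.tmp" "$DHPARAM_FILE"`. The first hunk's `[[ $PREGEN_HASH != "$CURRENT_HASH" ]]` is correct, since quoting the right-hand side is what stops `[[ != ]]` from treating it as a glob pattern. Not new in this change, but `-dsaparam` produces parameters that OpenSSL documents as suitable only for ephemeral key exchange; a short comment stating that this is acceptable because nginx uses them for DHE would save the next reader the lookup.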
From 09d30cf1a60f9e6edbd741819ab73e64397e7f9e Mon Sep 17 00:00:00 2001 From: Nicolas Duchon Date: Sat, 1 May 2021 22:37:01 +0200 Subject: [PATCH 82/83] ci: don't run tests on docs only change --- .github/workflows/test.yml | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index cde7ff3..7a7134c 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -1,10 +1,18 @@ -name: Test +name: Tests -on: [push, pull_request] +on: + push: + paths-ignore: + - 'LICENSE' + - '**.md' + pull_request: + paths-ignore: + - 'LICENSE' + - '**.md' jobs: unit: - name: Unit Test + name: Unit Tests runs-on: ubuntu-latest strategy: @@ -34,4 +42,4 @@ jobs: - name: Run tests run: pytest - working-directory: test \ No newline at end of file + working-directory: test From 70b95b17088e72cb2bc411bda6ac658002636680 Mon Sep 17 00:00:00 2001 From: Laurynas Alekna Date: Tue, 11 May 2021 10:22:56 +0100 Subject: [PATCH 83/83] Fix create_server_certificate.sh Docker image nginx:1.14.1 has no openssl installed. Therefore upgrading to nginx:1.19.10 --- test/certs/create_server_certificate.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/certs/create_server_certificate.sh b/test/certs/create_server_certificate.sh index ae51280..bcbfdca 100755 --- a/test/certs/create_server_certificate.sh +++ b/test/certs/create_server_certificate.sh @@ -24,7 +24,7 @@ fi # Create a nginx container (which conveniently provides the `openssl` command) ############################################################################### -CONTAINER=$(docker run -d -v $DIR:/work -w /work -e SAN="$ALTERNATE_DOMAINS" nginx:1.14.1) +CONTAINER=$(docker run -d -v $DIR:/work -w /work -e SAN="$ALTERNATE_DOMAINS" nginx:1.19.10) # Configure openssl docker exec $CONTAINER bash -c ' mkdir -p /ca/{certs,crl,private,newcerts} 2>/dev/null
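Review bot: The `paths-ignore` added under `pull_request` means a pull request touching only `LICENSE` or `*.md` files produces no `Unit Tests` run at all; if that check is configured as required in branch protection, such PRs cannot be merged until a non-docs change is pushed. If the check is or will be required, the usual pattern is a second workflow with the same job name that succeeds trivially for the ignored paths, or keeping the filter on `push` only and dropping it from `pull_request`. The rename to `Tests`/`Unit Tests` and the trailing-newline fix in the second hunk are fine as they stand.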