hoellen/dockerfiles
1
0
Fork 0
mirror of https://github.com/hoellen/dockerfiles.git synced 2025-04-20 04:19:18 +00:00
Code Issues Projects Releases Wiki Activity

add reverse based on xataz/reverse (temporary)

Browse Source
This commit is contained in:
root 2017-09-18 16:50:02 +02:00
parent f1d9053bb8
commit fed0136973
19 changed files with 759 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
reverse/.drone.yml Normal file
View File

@ -0,0 +1,21 @@
pipeline:
build:
image: xataz/docker-drone-plugin
repo: xataz/reverse-nginx
action: build
volumes:
- /var/run/docker.sock:/var/run/docker.sock
push:
image: xataz/docker-drone-plugin
repo: xataz/reverse-nginx
action: push
environment:
- UID=1000
- GID=991
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /home/xataz/.docker/config.json:/docker/.docker/config.json
when:
branch: master
event: [push, tag, deployment]

138
reverse/Dockerfile Normal file
View File

@ -0,0 +1,138 @@
FROM alpine:3.6
ENV UID=991 GID=991
ARG NGINX_VERSION=1.13.5
ARG OPENSSL_VERSION=1.1.0f
ARG GPG_NGINX="B0F4 2533 73F8 F6F5 10D4 2178 520A 9993 A1C0 52F8"
ARG BUILD_CORES
ARG NGINX_MODULES=" \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_gzip_static_module \
--with-http_stub_status_module \
--with-file-aio \
--with-threads \
--with-pcre-jit \
--without-http_ssi_module \
--without-http_scgi_module \
--without-http_uwsgi_module \
--without-http_geo_module \
--without-http_autoindex_module \
--without-http_split_clients_module \
--without-http_memcached_module \
--without-http_empty_gif_module \
--without-http_browser_module"
ARG NGINX_3RD_PARTY_MODULES=" \
--add-module=/tmp/headers-more-nginx-module \
--add-module=/tmp/ngx_brotli"
RUN NB_CORES=${BUILD_CORES-$(getconf _NPROCESSORS_CONF)} \
# Update system
&& apk -U upgrade \
# Installing runtime dependencies
&& apk add \
${BUILD_DEPS} \
pcre \
zlib \
libgcc \
libstdc++ \
jemalloc \
su-exec \
s6 \
libressl \
bind-tools \
# Installing build dependencies
&& apk add -t build-dependencies \
build-base \
linux-headers \
ca-certificates \
automake \
autoconf \
git \
go \
jemalloc-dev \
tar \
libtool \
pcre-dev \
zlib-dev \
binutils \
gnupg \
cmake \
go \
# Brotli
&& cd /tmp && git clone https://github.com/bagder/libbrotli --depth=1 \
&& cd libbrotli && ./autogen.sh && ./configure && make -j ${NB_CORES} && make install \
&& cd /tmp && git clone https://github.com/google/ngx_brotli --depth=1 \
&& cd ngx_brotli && git submodule update --init \
# Headers More
&& cd /tmp && git clone https://github.com/openresty/headers-more-nginx-module --depth=1 \
# OpenSSL
&& OPENSSL_TARBALL="openssl-${OPENSSL_VERSION}.tar.gz" \
&& wget -q https://www.openssl.org/source/${OPENSSL_TARBALL} \
&& tar xzf ${OPENSSL_TARBALL} \
# Nginx tarball checking
&& NGINX_TARBALL="nginx-${NGINX_VERSION}.tar.gz" \
&& wget -q https://nginx.org/download/${NGINX_TARBALL} \
&& echo "Verifying ${NGINX_TARBALL} using GPG..." \
&& wget -q https://nginx.org/download/${NGINX_TARBALL}.asc \
&& wget -q https://nginx.org/keys/mdounin.key \
&& gpg --import mdounin.key \
&& FINGERPRINT="$(LANG=C gpg --verify ${NGINX_TARBALL}.asc ${NGINX_TARBALL} 2>&1 \
| sed -n "s#Primary key fingerprint: \(.*\)#\1#p")" \
&& if [ -z "${FINGERPRINT}" ]; then echo "Warning! Invalid GPG signature!" && exit 1; fi \
&& if [ "${FINGERPRINT}" != "${GPG_NGINX}" ]; then echo "Warning! Wrong GPG fingerprint!" && exit 1; fi \
&& echo "All seems good, now unpacking ${NGINX_TARBALL}..." \
&& tar xzf ${NGINX_TARBALL} && cd nginx-${NGINX_VERSION} \
# Nginx patch : dynamic TLS records
&& wget -q https://raw.githubusercontent.com/cujanovic/nginx-dynamic-tls-records-patch/master/nginx__dynamic_tls_records_1.13.0%2B.patch -O dynamic_records.patch \
&& patch -p1 < dynamic_records.patch \
# Nginx compilation
&& ./configure \
--prefix=/nginx \
--sbin-path=/usr/local/sbin/nginx \
--with-cc-opt="-O3 -fPIE -fstack-protector-strong -D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -Wno-deprecated-declarations -I ../boringssl/.openssl/include/" \
--with-ld-opt="-lrt -ljemalloc -Wl,-Bsymbolic-functions -Wl,-z,relro -L ../boringssl/.openssl/lib" \
--with-openssl-opt='no-async enable-ec_nistp_64_gcc_128 no-shared no-ssl2 no-ssl3 no-comp no-idea no-weak-ssl-ciphers -DOPENSSL_NO_HEARTBEATS -m64 -march=native -mtune=native -O3 -fPIE -fstack-protector-strong -D_FORTIFY_SOURCE=2' \
--with-openssl=/tmp/openssl-${OPENSSL_VERSION} \
--http-log-path=/nginx/log/nginx_access.log \
--error-log-path=/nginx/log/nginx/nginx_error.log \
--pid-path=/nginx/run/nginx.pid \
--lock-path=/nginx/run/nginx.lock \
--user=reverse --group=reverse \
${NGINX_MODULES} \
${NGINX_3RD_PARTY_MODULES} \
&& make -j ${NB_CORES} && make install && make clean \
&& strip -s /usr/local/sbin/nginx \
# Lego
&& mkdir -p /tmp/go/bin \
&& export GOPATH=/tmp/go \
&& export GOBIN=$GOPATH/bin \
&& git config --global http.https://gopkg.in.followRedirects true \
&& go get github.com/xenolf/lego \
&& mv /tmp/go/bin/lego /usr/local/bin/lego \
# Clean
&& apk del build-dependencies \
&& rm -rf /tmp/* /var/cache/apk/* /root/.gnupg
COPY rootfs /
RUN chmod +x /usr/local/bin/startup /etc/s6.d/*/*
EXPOSE 8000 8443
ENTRYPOINT ["/usr/local/bin/startup"]
CMD ["/bin/s6-svscan", "/etc/s6.d"]

116
reverse/README.md Normal file
View File

@ -0,0 +1,116 @@
![](http://nginx.org/nginx.png)
# BETA VERSION ACTUALY !!!!!
[![Build Status](https://drone.xataz.net/api/badges/xataz/docker-reverse-nginx/status.svg)](https://drone.xataz.net/xataz/docker-reverse-nginx)
[![](https://images.microbadger.com/badges/image/xataz/reverse-nginx.svg)](https://microbadger.com/images/xataz/reverse-nginx "Get your own image badge on microbadger.com")
[![](https://images.microbadger.com/badges/version/xataz/reverse-nginx.svg)](https://microbadger.com/images/xataz/reverse-nginx "Get your own version badge on microbadger.com")
> This image is build and push with [drone.io](https://github.com/drone/drone), a circle-ci like self-hosted.
> If you don't trust, you can build yourself.
## Tag available
* latest, mainline, 1.13.5, 1.13 [(Dockerfile)](https://github.com/xataz/dockerfiles/blob/master/reverse-nginx/Dockerfile)
## Features
* No ROOT process
* Automatic configuration generation
* Automatic certificate generation and renew with letsencrypt and without downtime (use lego)
* Latest nginx version
* ARG for custom build
## Description
What is [Nginx](http://nginx.org)?
nginx (engine x) is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP proxy server, originally written by Igor Sysoev. For a long time, it has been running on many heavily loaded Russian sites including Yandex, Mail.Ru, VK, and Rambler. According to Netcraft, nginx served or proxied 24.29% busiest sites in December 2015. Here are some of the success stories: Netflix, Wordpress.com, FastMail.FM.
Reverse-nginx generate for you the configuration of reverse proxy. Like traefik, it is based on the labels of containers, but it isn't dynamicly.
## Build Image
### Build arguments
* NGINX_CONF : Nginx make configure options
* NGINX_VER : Nginx version
* ARG NGINX_GPG : GPG fingerprint (default : "B0F4253373F8F6F510D42178520A9993A1C052F8")
* ARG BUILD_CORES : Number of core use for make nginx (default : All cores)
### Simply build
```shell
docker build -t xataz/reverse-nginx github.com/xataz/dockerfiles.git#master:reverse-nginx
```
### Build other version
```shell
docker build -t xataz/reverse-nginx --build-arg NGINX_VER=1.9.5 github.com/xataz/dockerfiles.git#master:reverse-nginx
```
## Configuration
### Environments
* UID : Choose uid for launch nginx (default : 991)
* GID : Choose gid for launch nginx (default : 991)
### Volumes
* /nginx/ssl : For certificate persistance
* /nginx/custom_sites : For create your own sites
### Ports
* 8080
* 8443
## Usage
### Environments
| Variable | Description | default | value |
| -------- | ----------- | ------- | ----- |
| UID | UID for launch nginx | 991 | Valid UID number |
| GID | GID for launch nginx | 991 | Valid GID number |
| EMAIL | email use for generate letsencrypt certificates | admin@mydomain.local | Valid address mail |
### Labels
| Label Name | Description | default | value |
| ---------- | ----------- | ------- | ----- |
| reverse.frontend.domain | Domain Name for this service | mydomain.local | valid domain name |
| reverse.frontend.path | Domain path (warning, no rewrite url) | / | valid path, with / |
| reverse.frontend.auth | For auth basic | none | user:encryptpassword |
| reverse.frontend.ssltype | Choose ssl type | ec384 | rsa2048, rsa4096, rsa8192, ec256 or ec384 |
| reverse.frontend.domain\_max\_body\_size | Choose max size upload | 200M | Numeric value with unit (K,M,G,T) |
| reverse.frontend.ssl | Generate letsencrypt certificate | false | true or false |
| reverse.backend.port | Port use by container | 8080 | Valid port number |
More labels soon !!!
### Launch
#### First launch another container
For exemple, I launch lutim container :
```shell
$ docker run -d \
--name lutim \
--label reverse.frontend.domain=sub.domain.com \
--label reverse.frontend.path=lutim \
--label reverse.frontend.auth=USER:$(openssl passwd -crypt PASSWORD) \
--label reverse.frontend.ssltype=ec256 \
--label reverse.frontend.ssl = true \
--label reverse.backend.port=8181 \
-v /docker/config/lutim/data:/data \
-v /docker/data/lutim:/lutim/files \
-e UID=1001 \
-e GID=1001 \
-e WEBROOT=/lutim \
-e SECRET=$(date +%s | md5sum | head -c 32) \
-e CONTACT=contact@domain.com \
-e MAX_FILE_SIZE=250000000 \
xataz/lutim
```
#### Launch reverse-nginx
```shell
docker run -d \
-p 80:8080 \
-p 443:8443 \
--name reverse \
-e EMAIL=me@mydomain.com \
-v /var/run/docker.sock:/var/run/docker.sock \
xataz/reverse-nginx
```
URI Access : https://sub.domain.com/lutim

32
reverse/auto_upgrade.sh Executable file
View File

@ -0,0 +1,32 @@
#!/bin/bash
NGINX_MAINLINE_VERSION=$(grep "NGINX_VER=" Dockerfile | cut -d"=" -f2)
NEW_NGINX_MAINLINE_VERSION=$(curl http://nginx.org/en/download.html 2> /dev/null | sed 's|>|>\n|g' | grep '^<a href="/download/nginx-' | head -1 | sed 's|.*nginx-\(.*\).tar.gz.*|\1|')
f_gen_tag() {
VERSION=$1
TAGS="latest mainline ${VERSION} $(echo ${VERSION} | cut -d'.' -f '1 2')"
}
f_maj_dockerfile() {
BUILD_VER=$(date +%Y%m%d01)
## Edit dockerfile
sed -i 's/NGINX_VER=.*/NGINX_VER='$1'/;
s/tags=".*"/tags="'"${TAGS}"'"/;
s/build_ver=".*"/build_ver="'${BUILD_VER}'"/' Dockerfile
}
f_maj_readme() {
TAGS=$(echo $TAGS | sed 's/ /, /g')
sed -i 's#\* .*/Dockerfile)#\* '"${TAGS}"' \[(Dockerfile)\](https://github.com/xataz/dockerfiles/blob/master/reverse-nginx/Dockerfile)#' README.md
}
if [ "${NGINX_MAINLINE_VERSION}" != "${NEW_NGINX_MAINLINE_VERSION}" ]; then
echo "Update nginx mainline to ${NEW_NGINX_MAINLINE_VERSION}"
f_gen_tag ${NEW_NGINX_MAINLINE_VERSION} "latest mainline"
f_maj_dockerfile ${NEW_NGINX_MAINLINE_VERSION}
f_maj_readme
fi

48
reverse/docker-compose.yml Normal file
View File

@ -0,0 +1,48 @@
version: '2'
networks:
default:
driver: bridge
services:
lutim:
image: xataz/lutim
container_name: lutim
labels:
- reverse.frontend.domain=sub.docker.local
- reverse.frontend.path=lutim
- reverse.frontend.auth=USER:zkgudxk6qOT5g
- reverse.backend.port=8181
environment:
- UID=1001
- GID=1001
- WEBROOT=/lutim
- SECRET=908de85a9809724481c8a360c90879da
- CONTACT=contact@domain.com
- MAX_FILE_SIZE=250000000
lufi:
image: xataz/lufi
container_name: lufi
labels:
- reverse.frontend.domain=sub.docker.local
- reverse.frontend.path=lufi
- reverse.frontend.auth=USER:zkgudxk6qOT5g
- reverse.backend.port=8080
environment:
- UID=1001
- GID=1001
- WEBROOT=/lufi
reverse:
image: xataz/reverse-nginx
container_name: reverse
ports:
- "80:8080"
- "443:8443"
volumes:
- /docker/nginx/ssl:/nginx/ssl
- /var/run/docker.sock:/var/run/docker.sock
depends_on:
- lufi
- lutim

3
reverse/rootfs/etc/s6.d/.s6-svscan/finish Normal file
View File

@ -0,0 +1,3 @@
#!/bin/sh
exit 0

7
reverse/rootfs/etc/s6.d/check_certs/run Normal file
View File

@ -0,0 +1,7 @@
#!/bin/sh
sleep 60
while true; do
/usr/local/bin/check_certs
sleep 86400
done

3
reverse/rootfs/etc/s6.d/nginx/run Normal file
View File

@ -0,0 +1,3 @@
#!/bin/sh
exec nginx

2
reverse/rootfs/nginx/conf.d/headers.conf Normal file
View File

@ -0,0 +1,2 @@
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

11
reverse/rootfs/nginx/conf.d/proxy.conf Normal file
View File

@ -0,0 +1,11 @@
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Remote-Port $remote_port;
proxy_redirect off;
proxy_set_header Proxy "";
proxy_pass_header Server;

10
reverse/rootfs/nginx/conf.d/ssl.conf Normal file
View File

@ -0,0 +1,10 @@
ssl_protocols TLSv1.2;
ssl_ecdh_curve X25519:P-521:P-384;
ssl_ciphers EECDH+CHACHA20:EECDH+AESGCM;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 15m;
ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=31536000";

77
reverse/rootfs/nginx/conf/nginx.conf Normal file
View File

@ -0,0 +1,77 @@
#user web;
worker_processes auto;
pid /nginx/run/nginx.pid;
daemon off;
events {
worker_connections 2048;
use epoll;
}
http {
include /nginx/conf/mime.types;
default_type application/octet-stream;
access_log /nginx/log/nginx_access.log combined;
error_log /nginx/log/nginx_error.log error;
aio threads;
aio_write on;
more_set_headers 'secret';
sendfile on;
keepalive_timeout 15;
keepalive_disable msie6;
keepalive_requests 100;
tcp_nopush on;
tcp_nodelay off;
server_tokens off;
proxy_max_temp_file_size 20480m;
gzip on;
gzip_comp_level 5;
gzip_min_length 512;
gzip_buffers 4 8k;
gzip_proxied any;
gzip_vary on;
gzip_disable "msie6";
gzip_types
text/css
text/javascript
text/xml
text/plain
text/x-component
application/javascript
application/x-javascript
application/json
application/xml
application/rss+xml
application/vnd.ms-fontobject
font/truetype
font/opentype
image/svg+xml;
brotli on;
brotli_static on;
brotli_buffers 16 8k;
brotli_comp_level 6;
brotli_types
text/css
text/javascript
text/xml
text/plain
text/x-component
application/javascript
application/x-javascript
application/json
application/xml
application/rss+xml
application/vnd.ms-fontobject
font/truetype
font/opentype
image/svg+xml;
include /nginx/sites-enabled/*.conf;
include /nginx/custom_sites/*.conf;
}

5
reverse/rootfs/nginx/path.d/template Normal file
View File

@ -0,0 +1,5 @@
location <frontend_path> {
include /nginx/conf.d/proxy.conf;
client_max_body_size <frontend_domain_max_body_size>;
proxy_pass http://<backend_addr>:<backend_port>;
}

7
reverse/rootfs/nginx/path.d/template_auth Normal file
View File

@ -0,0 +1,7 @@
location <frontend_path> {
include /nginx/conf.d/proxy.conf;
auth_basic "Who's this?";
auth_basic_user_file "<auth_file>";
client_max_body_size <frontend_domain_max_body_size>;
proxy_pass http://<backend_addr>:<backend_port>;
}

6
reverse/rootfs/nginx/sites-enabled/template Normal file
View File

@ -0,0 +1,6 @@
server {
listen 8080;
server_name <frontend_domain>;
include /nginx/conf.d/headers.conf;
include /nginx/path.d/<frontend_domain>/*.conf;
}

27
reverse/rootfs/nginx/sites-enabled/template_ssl Normal file
View File

@ -0,0 +1,27 @@
server {
listen 8080;
server_name <frontend_domain>;
rewrite ^ https://<frontend_domain>:443$request_uri? permanent;
}
server {
listen 8443 ssl http2;
server_name <frontend_domain>;
index index.html index.php index.htm;
ssl_certificate /nginx/ssl/certificates/<frontend_domain>.crt;
ssl_certificate_key /nginx/ssl/certificates/<frontend_domain>.key;
ssl_trusted_certificate /nginx/ssl/certificates/<frontend_domain>.chain.pem;
include /nginx/conf.d/ssl.conf;
include /nginx/conf.d/headers.conf;
include /nginx/path.d/<frontend_domain>/*.conf;
location ~ /\.well-known/acme-challenge {
root /nginx/www/<frontend_domain>;
allow all;
}
}

0
reverse/rootfs/nginx/www/letsencrypt Normal file
View File

64
reverse/rootfs/usr/local/bin/check_certs Normal file
View File

@ -0,0 +1,64 @@
#!/bin/sh
## Variables
CSI="\033["
CEND="${CSI}0m"
CRED="${CSI}1;31m"
CGREEN="${CSI}1;32m"
CYELLOW="${CSI}1;33m"
CBLUE="${CSI}1;34m"
## Functions
f_log() {
LOG_TYPE=$1
LOG_MESSAGE=$2
case "${LOG_TYPE}" in
"INF")
echo -e "${CBLUE}=INF= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}"
;;
"WRN")
echo -e "${CYELLOW}=WRN= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}"
;;
"ERR")
echo -e "${CRED}=ERR= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}"
;;
esac
}
f_check_certs() {
LIST_DOMAINS=$(ls /nginx/ssl/certificates | grep .crt | grep -v issuer | sed 's|.crt||g')
RELOAD_NGINX=0
for domain in ${LIST_DOMAINS}; do
CERTFILE=/nginx/ssl/certificates/${domain}.cert.pem
KEYFILE=/nginx/ssl/certificates/${domain}.key
CHAINFILE=/nginx/ssl/certificates/${domain}.chain.pem
FULLCHAINFILE=/nginx/ssl/certificates/${domain}.crt
mkdir -p /nginx/www/${domain}
openssl x509 -checkend 864000 -noout -in "${FULLCHAINFILE}"
if [ $? == 0 ]; then
f_log INF "Certificate for ${domain} is good for another 10 days!"
else
f_log INF "Generate New Certificate for ${domain}"
/usr/local/bin/lego -a -m ${EMAIL} -d ${domain} --path /nginx/ssl --webroot /nginx/www/${domain} renew
if [ $? == 0 ]; then
if [ -e ${FULLCHAINFILE} ]; then
head -$(grep -n "END CERTIFICATE" ${FULLCHAINFILE} | head -1 | cut -d: -f1) ${FULLCHAINFILE} > ${CERTFILE}
tail -$(($(wc -l ${FULLCHAINFILE} | awk '{print $1}')-$(grep -n "END CERTIFICATE" ${FULLCHAINFILE} | head -1 | cut -d: -f1))) ${FULLCHAINFILE} > ${CHAINFILE}
RELOAD_NGINX=1
f_log INF "New Certificate for ${domain} generated"
fi
else
f_log ERR "New Certificate for ${domain} not generated"
fi
fi
done
}
f_check_certs
if [ ${RELOAD_NGINX} -eq 1 ]; then
nginx reload
fi

182
reverse/rootfs/usr/local/bin/startup Normal file
View File

@ -0,0 +1,182 @@
#!/bin/sh
## Variables
CSI="\033["
CEND="${CSI}0m"
CRED="${CSI}1;31m"
CGREEN="${CSI}1;32m"
CYELLOW="${CSI}1;33m"
CBLUE="${CSI}1;34m"
## Functions
f_log() {
LOG_TYPE=$1
LOG_MESSAGE=$2
case "${LOG_TYPE}" in
"INF")
echo -e "${CBLUE}=INF= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}"
;;
"SUC")
echo -e "${CGREEN}=SUC= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}"
;;
"WRN")
echo -e "${CYELLOW}=WRN= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}"
;;
"ERR")
echo -e "${CRED}=ERR= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}"
;;
esac
}
f_gen_sites_enabled() {
if [ "${FRONTEND_SSL}" == "true" ]; then
template_sites=/nginx/sites-enabled/template_ssl
else
template_sites=/nginx/sites-enabled/template
fi
sed -e 's|<frontend_domain>|'${FRONTEND_DOMAIN}'|' ${template_sites} > /nginx/sites-enabled/${FRONTEND_DOMAIN}.conf
}
f_gen_location() {
container_name=$1
if [ ! -d /nginx/path.d/${FRONTEND_DOMAIN} ]; then
mkdir -p /nginx/path.d/${FRONTEND_DOMAIN}
fi
if [ "${FRONTEND_PATH}" == "/" ]; then
path_file=/nginx/path.d/${FRONTEND_DOMAIN}/base.conf
auth_file=/nginx/auth/${FRONTEND_DOMAIN}/base.auth
else
path_file=/nginx/path.d/${FRONTEND_DOMAIN}/${FRONTEND_PATH}.conf
auth_file=/nginx/auth/${FRONTEND_DOMAIN}/${FRONTEND_PATH}.auth
fi
if [ ! -e ${path_file} ]; then
if [ "${FRONTEND_AUTH}" != "" ]; then
mkdir -p /nginx/auth/${FRONTEND_DOMAIN}
sed -e 's|<frontend_domain_max_body_size>|'${FRONTEND_MAX_BODY_SIZE}'|' \
-e 's|<backend_addr>|'${container_name}'|' \
-e 's|<backend_port>|'${BACKEND_PORT}'|' \
-e 's|<frontend_domain>|'${FRONTEND_DOMAIN}'|' \
-e 's|<frontend_path>|'${FRONTEND_PATH}'|' \
-e 's|<auth_file>|'${auth_file}'|' /nginx/path.d/template_auth > ${path_file}
echo "${FRONTEND_AUTH}" > ${auth_file}
else
sed -e 's|<frontend_domain_max_body_size>|'${FRONTEND_MAX_BODY_SIZE}'|' \
-e 's|<backend_addr>|'${container_name}'|' \
-e 's|<backend_port>|'${BACKEND_PORT}'|' \
-e 's|<frontend_path>|'${FRONTEND_PATH}'|' /nginx/path.d/template > ${path_file}
fi
fi
}
f_gen_certs() {
container_name=$1
if [ "${FRONTEND_SSL}" == "true" ]; then
CERTFILE=/nginx/ssl/certificates/${FRONTEND_DOMAIN}.cert.pem
KEYFILE=/nginx/ssl/certificates/${FRONTEND_DOMAIN}.key
CHAINFILE=/nginx/ssl/certificates/${FRONTEND_DOMAIN}.chain.pem
FULLCHAINFILE=/nginx/ssl/certificates/${FRONTEND_DOMAIN}.crt
if [ ! -e ${CERTFILE} ] || [ ! -e ${KEYFILE} ] || [ ! -e ${CHAINFILE} ] || [ ! -e ${FULLCHAINFILE} ]; then
mkdir -p /nginx/www/${FRONTEND_DOMAIN}
/usr/local/bin/lego -a -m ${EMAIL} -d ${FRONTEND_DOMAIN} --path /nginx/ssl --http :8080 --tls :8443 -k ${FRONTEND_SSLTYPE} run
if [ $? == 0 ]; then
head -$(grep -n "END CERTIFICATE" ${FULLCHAINFILE} | head -1 | cut -d: -f1) ${FULLCHAINFILE} > ${CERTFILE}
tail -$(($(wc -l ${FULLCHAINFILE} | awk '{print $1}')-$(grep -n "END CERTIFICATE" ${FULLCHAINFILE} | head -1 | cut -d: -f1))) ${FULLCHAINFILE} > ${CHAINFILE}
chown -R ${UID}:${GID} /nginx/ssl/
fi
[[ $? == 0 ]] && f_log INF "New Certificate for ${FRONTEND_DOMAIN} generated" || f_log ERR "New Certificate for ${FRONTEND_DOMAIN} not generated"
fi
fi
}
f_make_conf() {
FRONTEND_DOMAIN=mydomain.local
FRONTEND_MAX_BODY_SIZE=200M
FRONTEND_SSLTYPE=ec384
BACKEND_PORT=8080
FRONTEND_PATH="/"
FRONTEND_SSL=false
FRONTEND_AUTH=""
container_name=$1
IFS=$'\n'
if [ "${CONTAINER_LABELS}" != "" ]; then
for label in ${CONTAINER_LABELS}; do
case "$(echo ${label} | awk '{print $1}')" in
"reverse.frontend.domain")
FRONTEND_DOMAIN=""
FRONTEND_DOMAIN="$(echo ${label} | awk '{print $2}')"
;;
"reverse.frontend.path")
FRONTEND_PATH="$(echo ${label} | awk '{print $2}')"
;;
"reverse.frontend.auth")
FRONTEND_AUTH="$(echo ${label} | awk '{print $2}')"
;;
"reverse.frontend.ssltype")
FRONTEND_SSLTYPE="$(echo ${label} | awk '{print $2}')"
;;
"reverse.frontend.domain_max_body_size")
FRONTEND_MAX_BODY_SIZE="$(echo ${label} | awk '{print $2}')"
;;
"reverse.frontend.ssl")
FRONTEND_SSL="$(echo ${label} | awk '{print $2}')"
;;
"reverse.backend.port")
BACKEND_PORT="$(echo ${label} | awk '{print $2}')"
;;
esac
done
f_log INF "Generate files for ${FRONTEND_DOMAIN}, with path=${FRONTEND_PATH}, auth=${FRONTEND_AUTH}, ssl_type=${FRONTEND_SSLTYPE}, ssl=${FRONTEND_SSL} and port=${BACKEND_PORT}"
f_gen_location ${container_name}
f_gen_sites_enabled
f_gen_certs ${container_name}
fi
}
# Check /var/run/docker.sock
f_log INF "Check if /var/run/docker.sock exist ..."
ls /var/run/docker.sock > /dev/null 2>&1
if [ $? == 0 ]; then
f_log INF "/var/run/docker.sock exist ..."
else
f_log ERR "/var/run/docker.sock don't exist ..."
exit 1
fi
f_log INF "Start reverse configuration ..."
# Prepare container
f_log INF "Create user 'reverse'"
addgroup -g ${GID} reverse && adduser -H -s /bin/sh -D -G reverse -u ${UID} reverse
f_log INF "Create folder"
mkdir -p /nginx/sites-enabled /nginx /nginx/log /nginx/run /nginx/sites-enabled /nginx/ssl /nginx/ssl/selfsigned/dhparam
# Generate file
for container in $(curl --unix-socket /var/run/docker.sock http://localhost/containers/json 2> /dev/null | jq '.[].Names' | sed 's|.*"/\(.*\)"$|\1|;/\[/d;/\]/d'); do
CONTAINER_LABELS=$(curl --unix-socket /var/run/docker.sock http://localhost/containers/${container}/json 2> /dev/null | jq '.Config.Labels' | grep -E "reverse\." | sed 's|.*"\(.*\)": "\(.*\)".*$|\1 \2|')
f_make_conf ${container}
done
f_log INF "Apply permissions"
chown -R reverse:reverse /nginx /etc/s6.d
chmod +x /usr/local/bin/check_certs
find /etc/s6.d -name run -exec chmod +x {} \;
find /etc/s6.d -name finish -exec chmod +x {} \;
f_log SUC "End reverse configuration"
## run s6
if [ $# -gt 0 ]; then
exec su-exec reverse:reverse "$@"
else
exec su-exec reverse:reverse /bin/s6-svscan /etc/s6.d
fi