nginxtended

command module
v1.14.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 17, 2019 License: MIT Imports: 8 Imported by: 0

README

Nginxtended

A docker-image containing Nginx and Certbot, based on alpine-linux, wrapped into a convenient package optimized for SSL-termination use-cases.

Features

  • ~122MB small image based on alpine
  • Full versions of Nginx and Certbot
  • Drop-in replacement for the official nginx image
  • Modified Nginx root-configuration (/etc/nginx/nginx.conf) that is tweaked for use as a reverse proxy with docker and Certbot
  • Modified default settings for nginx that should give you an A+ on SSL-labs out of the box
  • Ability to configure both certbot and nginx using one, json-based configuration file
  • Un-restricted access to nginx's and certbot's normal (low-level) configuration files
  • Automatically obtains and renews the certificates you need from letsencrypt
  • Add, remove, modify V-Hosts without service interruptions

Usage

Create this docker-compose.yml:

version: "3.7"
services:
  nginxtended:
    image: "wowmuchname/nginxtended"
    volumes:
      - certs:/etc/letsencrypt
      - backends:/backends
    ports:
      - 80:80
      - 443:443
    networks:
      - proxy-net
    container_name: nginxtended      
volumes:
  certs:
    external: true
  backends:
    external: true
networks:
  proxy-net:
    external: true

Create the network/volumes that persist between restarts

docker volume create certs
docker volume create backends
docker network create proxy-net

Start the container

docker-compose up -d

Start the container you want to provide SSL-Termination for. For instance:

docker run -d --network proxy-net --name test nginx

Create your V-Host(s) /var/lib/docker/volumes/backends/_data/test.json

{
    "domain": "test.example.com",
    "url": "http:/test:80"
}

Reload nginxtended

docker exec -it nginxtended configurator reload

This will obtain a certificate for test.example.com from letsencrypt and make the container with the name test available via https://test.example.com

Nginxtended will try to renew the certificate (which is valid for 90 days) once a week. The renewal happens when the cert is valid for less than 30 days.

Note: You only need to reload when you add, remove or change V-Hosts. Always use the command as described above. This command relies on nginx's ability to reload config files WITHOUT restarting. This means you can change stuff without downtime.

Backend-Config (aka VHost-Config)

The config files reside at /backends in the container. When nginxtended starts or reloads those are parsed and config-files for nginx and certbot are created from them. This process also deletes derived config files if the backend-config was deleted. Note that you can still add nginx config-files directly to /etc/nginx/conf.d. As long as they do not start with the prefix derived_ the configurator will never modify or remove them.

example.json

{
    "version": "1.0",
    "domain": "test.example.com",
    "url": "http:/test:80",
    "admin": "admin@example.com",
    "protocol": "https",
    "port": 443,
    "aliases": ["test2.example.com"],
    "clients": [{
        "CommonName": "Jon Doe"
    }],
    "keyauth": false
}

NOTE The configurator is written in GO and uses its strict JSON parser. You cannot have unquoted property-names, trailing colons or comments in your JSON file.

Property Default Description
version 1.0 Must be 1.0 or omitted
domain required Fully qualified domain-name the vhost will be reachable at
url required Url nginx will proxy to (value for proxy_pass)
protocol https Can be https or tls. The later will create a TCP proxy
port 443 Port to to listen on
aliases empty Nginx will permanently redirect call to this domains to the main domain
clients empty Client-Keys will be created for those names if they do not exist
keyauth true if clients is not empty Nginx will require client-keys for this V-Host

Beyond Cerbot

Client-Certificates

Apart from letting certbot obtain certificates for Https/TLS-Termination, nginxtended creates a server-key and certificate for use with client authentication (if they do not already exist). They are put into /certs/live/DOMAIN, that is the same place cerbot puts its certs. If you specify clients in your config, a subdirectory is created containing a private-key, a certificate and a p12 Cryptographic storage for each client of the V-Host (they are not shared among hosts).

Perfect Forward Secrecy

Nginxtended creates individual ssl_dhparam files for each V-Host if they do not already exist. They are put into /certs/live/DOMAIN.

Low level usage

Note that while you can still use this image as a replacement for nginx's image, the automatic acquisition of certificates, perfect forward secrecy and some other features rely on the fact that you use nginxtended's config files. If you configure nginx directly you need to take care of those things yourself.

Scope of this project

This project is meant for cases where you do not want to use kubernetes or a similar technology but still have a single host that hosts many vhosts.

This means the project does not aim to cover cases where v-hosts are distributed among multiple machines. While you can still use it that way, you might be better of using the options your container-service provides.

License

All the files in the repository are licensed under MIT.

The docker-image however contains code of third-parties.

Documentation

The Go Gopher

There is no documentation for this package.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.