first commit

This commit is contained in:
root 2017-11-03 19:40:15 +00:00
commit e02f17166a
22 changed files with 944 additions and 0 deletions

BIN
.Dockerfile.swp Normal file

Binary file not shown.

21
.drone.yml Normal file
View File

@ -0,0 +1,21 @@
pipeline:
build:
image: xataz/docker-drone-plugin
repo: xataz/reverse-nginx
action: build
volumes:
- /var/run/docker.sock:/var/run/docker.sock
push:
image: xataz/docker-drone-plugin
repo: xataz/reverse-nginx
action: push
environment:
- UID=1000
- GID=991
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /home/xataz/.docker/config.json:/docker/.docker/config.json
when:
branch: master
event: [push, tag, deployment]

104
Dockerfile Normal file
View File

@ -0,0 +1,104 @@
FROM xataz/alpine:3.6
LABEL Description="reverse with nginx based on alpine" \
tags="latest mainline 1.13.5 1.13" \
maintainer="xataz <https://github.com/xataz>" \
build_ver="2017090601"
ARG NGINX_VER=1.13.5
ARG NGINX_GPG="B0F4253373F8F6F510D42178520A9993A1C052F8"
ARG TOR_GPG="2133BC600AB133E1D826D173FE43009C4607B1FB"
ARG BUILD_CORES
ARG NGINX_CONF="--prefix=/nginx \
--sbin-path=/usr/local/sbin/nginx \
--http-log-path=/nginx/log/nginx_access.log \
--error-log-path=/nginx/log/nginx_error.log \
--pid-path=/nginx/run/nginx.pid \
--lock-path=/nginx/run/nginx.lock \
--user=reverse --group=reverse \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_gzip_static_module \
--with-http_stub_status_module \
--with-threads \
--with-pcre-jit \
--with-ipv6 \
--without-http_ssi_module \
--without-http_scgi_module \
--without-http_uwsgi_module \
--without-http_geo_module \
--without-http_autoindex_module \
--without-http_split_clients_module \
--without-http_memcached_module \
--without-http_empty_gif_module \
--add-module=/tmp/headers-more-nginx-module \
--without-http_browser_module"
ARG TOR_VER=0.3.1.7
ENV UID=991 \
GID=991 \
EMAIL=admin@mydomain.local
RUN export BUILD_DEPS="build-base \
libressl-dev \
pcre-dev \
zlib-dev \
libc-dev \
wget \
gnupg \
go \
libevent-dev \
git" \
&& NB_CORES=${BUILD_CORES-$(grep -c "processor" /proc/cpuinfo)} \
&& apk add -U ${BUILD_DEPS} \
s6 \
su-exec \
ca-certificates \
curl \
jq \
libressl \
pcre \
zlib \
libevent \
&& cd /tmp \
&& git clone https://github.com/openresty/headers-more-nginx-module --depth=1 \
&& wget http://nginx.org/download/nginx-${NGINX_VER}.tar.gz \
&& wget http://nginx.org/download/nginx-${NGINX_VER}.tar.gz.asc \
&& gpg --keyserver pgp.mit.edu --recv-keys "$NGINX_GPG" || \
gpg --keyserver keyserver.pgp.com --recv-keys "$NGINX_GPG" || \
gpg --keyserver ha.pool.sks-keyservers.net --recv-keys "$NGINX_GPG" \
&& gpg --batch --verify nginx-${NGINX_VER}.tar.gz.asc nginx-${NGINX_VER}.tar.gz \
&& tar xzf nginx-${NGINX_VER}.tar.gz \
&& cd /tmp/nginx-${NGINX_VER} \
&& ./configure ${NGINX_CONF} \
&& make -j ${NB_CORES} \
&& make install \
&& mkdir -p /tmp/go/bin \
&& export GOPATH=/tmp/go \
&& export GOBIN=$GOPATH/bin \
&& git config --global http.https://gopkg.in.followRedirects true \
&& go get github.com/xenolf/lego \
&& mv /tmp/go/bin/lego /usr/local/bin/lego \
&& cd /tmp \
&& wget https://www.torproject.org/dist/tor-${TOR_VER}.tar.gz \
&& wget https://www.torproject.org/dist/tor-${TOR_VER}.tar.gz.asc \
&& gpg --keyserver pgp.mit.edu --recv-keys "$TOR_GPG" || \
gpg --keyserver keyserver.pgp.com --recv-keys "$TOR_GPG" || \
gpg --keyserver ha.pool.sks-keyservers.net --recv-keys "$TOR_GPG" \
&& gpg --batch --verify tor-${TOR_VER}.tar.gz.asc tor-${TOR_VER}.tar.gz \
&& tar xzf tor-${TOR_VER}.tar.gz \
&& cd tor-${TOR_VER} \
&& ./configure \
&& make -j ${NB_CORES} \
&& make install \
&& mv /usr/local/etc/tor/torrc.sample /usr/local/etc/tor/torrc \
&& apk del ${BUILD_DEPS} \
&& rm -rf /tmp/* /var/cache/apk/*
COPY rootfs /
RUN chmod +x /usr/local/bin/startup /etc/s6.d/*/*
EXPOSE 80 443
ENTRYPOINT ["/usr/local/bin/startup"]
CMD ["/bin/s6-svscan", "/etc/s6.d"]

119
README.md Normal file
View File

@ -0,0 +1,119 @@
![](http://nginx.org/nginx.png)
# BETA VERSION ACTUALY !!!!!
[![Build Status](https://drone.xataz.net/api/badges/xataz/docker-reverse-nginx/status.svg)](https://drone.xataz.net/xataz/docker-reverse-nginx)
[![](https://images.microbadger.com/badges/image/xataz/reverse-nginx.svg)](https://microbadger.com/images/xataz/reverse-nginx "Get your own image badge on microbadger.com")
[![](https://images.microbadger.com/badges/version/xataz/reverse-nginx.svg)](https://microbadger.com/images/xataz/reverse-nginx "Get your own version badge on microbadger.com")
> This image is build and push with [drone.io](https://github.com/drone/drone), a circle-ci like self-hosted.
> If you don't trust, you can build yourself.
## Tag available
* latest, mainline, 1.13.5, 1.13 [(Dockerfile)](https://github.com/xataz/dockerfiles/blob/master/reverse-nginx/Dockerfile)
## Features
* No ROOT process
* Automatic configuration generation
* Automatic certificate generation and renew with letsencrypt and without downtime (use lego)
* Latest nginx version
* ARG for custom build
## Description
What is [Nginx](http://nginx.org)?
nginx (engine x) is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP proxy server, originally written by Igor Sysoev. For a long time, it has been running on many heavily loaded Russian sites including Yandex, Mail.Ru, VK, and Rambler. According to Netcraft, nginx served or proxied 24.29% busiest sites in December 2015. Here are some of the success stories: Netflix, Wordpress.com, FastMail.FM.
Reverse-nginx generate for you the configuration of reverse proxy. Like traefik, it is based on the labels of containers, but it isn't dynamicly.
## Build Image
### Build arguments
* NGINX_CONF : Nginx make configure options
* NGINX_VER : Nginx version
* ARG NGINX_GPG : GPG fingerprint (default : "B0F4253373F8F6F510D42178520A9993A1C052F8")
* ARG BUILD_CORES : Number of core use for make nginx (default : All cores)
### Simply build
```shell
docker build -t xataz/reverse-nginx github.com/xataz/dockerfiles.git#master:reverse-nginx
```
### Build other version
```shell
docker build -t xataz/reverse-nginx --build-arg NGINX_VER=1.9.5 github.com/xataz/dockerfiles.git#master:reverse-nginx
```
## Configuration
### Environments
* UID : Choose uid for launch nginx (default : 991)
* GID : Choose gid for launch nginx (default : 991)
### Volumes
* /nginx/ssl : For certificate persistance
* /nginx/custom_sites : For create your own sites
* /tor/ : For tor address
### Ports
* 8080
* 8443
## Usage
### Environments
| Variable | Description | default | value |
| -------- | ----------- | ------- | ----- |
| UID | UID for launch nginx | 991 | Valid UID number |
| GID | GID for launch nginx | 991 | Valid GID number |
| EMAIL | email use for generate letsencrypt certificates | admin@mydomain.local | Valid address mail |
### Labels
| Label Name | Description | default | value |
| ---------- | ----------- | ------- | ----- |
| reverse.frontend.domain | Domain Name for this service | mydomain.local | valid domain name |
| reverse.frontend.path | Domain path (warning, no rewrite url) | / | valid path, with / |
| reverse.frontend.auth | For auth basic | none | user:encryptpassword |
| reverse.frontend.ssltype | Choose ssl type | ec384 | rsa2048, rsa4096, rsa8192, ec256 or ec384 |
| reverse.frontend.domain\_max\_body\_size | Choose max size upload | 200M | Numeric value with unit (K,M,G,T) |
| reverse.frontend.ssl | Generate letsencrypt certificate | false | true or false |
| reverse.frontend.tor | If container is an hidden service | false | boolean (true / false) |
| reverse.backend.port | Port use by container | 8080 | Valid port number |
More labels soon !!!
### Launch
#### First launch another container
For exemple, I launch lutim container :
```shell
$ docker run -d \
--name lutim \
--label reverse.frontend.domain=sub.domain.com \
--label reverse.frontend.path=lutim \
--label reverse.frontend.auth=USER:$(openssl passwd -crypt PASSWORD) \
--label reverse.frontend.ssltype=ec256 \
--label reverse.frontend.ssl = true \
--label reverse.backend.port=8181 \
-v /docker/config/lutim/data:/data \
-v /docker/data/lutim:/lutim/files \
-e UID=1001 \
-e GID=1001 \
-e WEBROOT=/lutim \
-e SECRET=$(date +%s | md5sum | head -c 32) \
-e CONTACT=contact@domain.com \
-e MAX_FILE_SIZE=250000000 \
xataz/lutim
```
#### Launch reverse-nginx
```shell
docker run -d \
-p 80:8080 \
-p 443:8443 \
--name reverse \
-e EMAIL=me@mydomain.com \
-v /var/run/docker.sock:/var/run/docker.sock \
xataz/reverse-nginx
```
URI Access : https://sub.domain.com/lutim

32
auto_upgrade.sh Executable file
View File

@ -0,0 +1,32 @@
#!/bin/bash
NGINX_MAINLINE_VERSION=$(grep "NGINX_VER=" Dockerfile | cut -d"=" -f2)
NEW_NGINX_MAINLINE_VERSION=$(curl http://nginx.org/en/download.html 2> /dev/null | sed 's|>|>\n|g' | grep '^<a href="/download/nginx-' | head -1 | sed 's|.*nginx-\(.*\).tar.gz.*|\1|')
f_gen_tag() {
VERSION=$1
TAGS="latest mainline ${VERSION} $(echo ${VERSION} | cut -d'.' -f '1 2')"
}
f_maj_dockerfile() {
BUILD_VER=$(date +%Y%m%d01)
## Edit dockerfile
sed -i 's/NGINX_VER=.*/NGINX_VER='$1'/;
s/tags=".*"/tags="'"${TAGS}"'"/;
s/build_ver=".*"/build_ver="'${BUILD_VER}'"/' Dockerfile
}
f_maj_readme() {
TAGS=$(echo $TAGS | sed 's/ /, /g')
sed -i 's#\* .*/Dockerfile)#\* '"${TAGS}"' \[(Dockerfile)\](https://github.com/xataz/dockerfiles/blob/master/reverse-nginx/Dockerfile)#' README.md
}
if [ "${NGINX_MAINLINE_VERSION}" != "${NEW_NGINX_MAINLINE_VERSION}" ]; then
echo "Update nginx mainline to ${NEW_NGINX_MAINLINE_VERSION}"
f_gen_tag ${NEW_NGINX_MAINLINE_VERSION} "latest mainline"
f_maj_dockerfile ${NEW_NGINX_MAINLINE_VERSION}
f_maj_readme
fi

48
docker-compose.yml Normal file
View File

@ -0,0 +1,48 @@
version: '2'
networks:
default:
driver: bridge
services:
lutim:
image: xataz/lutim
container_name: lutim
labels:
- reverse.frontend.domain=sub.docker.local
- reverse.frontend.path=lutim
- reverse.frontend.auth=USER:zkgudxk6qOT5g
- reverse.backend.port=8181
environment:
- UID=1001
- GID=1001
- WEBROOT=/lutim
- SECRET=908de85a9809724481c8a360c90879da
- CONTACT=contact@domain.com
- MAX_FILE_SIZE=250000000
lufi:
image: xataz/lufi
container_name: lufi
labels:
- reverse.frontend.domain=sub.docker.local
- reverse.frontend.path=lufi
- reverse.frontend.auth=USER:zkgudxk6qOT5g
- reverse.backend.port=8080
environment:
- UID=1001
- GID=1001
- WEBROOT=/lufi
reverse:
image: xataz/reverse-nginx
container_name: reverse
ports:
- "80:8080"
- "443:8443"
volumes:
- /docker/nginx/ssl:/nginx/ssl
- /var/run/docker.sock:/var/run/docker.sock
depends_on:
- lufi
- lutim

View File

@ -0,0 +1,3 @@
#!/bin/sh
exit 0

View File

@ -0,0 +1,7 @@
#!/bin/sh
sleep 60
while true; do
/usr/local/bin/check_certs
sleep 86400
done

View File

@ -0,0 +1,3 @@
#!/bin/sh
exec nginx

3
rootfs/etc/s6.d/tor/run Normal file
View File

@ -0,0 +1,3 @@
#!/bin/sh
#exec tor -f /etc/tor/torrc

220
rootfs/etc/tor/torrc Normal file
View File

@ -0,0 +1,220 @@
## Configuration file for a typical Tor user
## Last updated 22 September 2015 for Tor 0.2.7.3-alpha.
## (may or may not work for much older or much newer versions of Tor.)
##
## Lines that begin with "## " try to explain what's going on. Lines
## that begin with just "#" are disabled commands: you can enable them
## by removing the "#" symbol.
##
## See 'man tor', or https://www.torproject.org/docs/tor-manual.html,
## for more options you can use in this file.
##
## Tor will look for this file in various places based on your platform:
## https://www.torproject.org/docs/faq#torrc
## Tor opens a SOCKS proxy on port 9050 by default -- even if you don't
## configure one below. Set "SOCKSPort 0" if you plan to run Tor only
## as a relay, and not make any local application connections yourself.
#SOCKSPort 9050 # Default: Bind to localhost:9050 for local connections.
#SOCKSPort 192.168.0.1:9100 # Bind to this address:port too.
## Entry policies to allow/deny SOCKS requests based on IP address.
## First entry that matches wins. If no SOCKSPolicy is set, we accept
## all (and only) requests that reach a SOCKSPort. Untrusted users who
## can access your SOCKSPort may be able to learn about the connections
## you make.
#SOCKSPolicy accept 192.168.0.0/16
#SOCKSPolicy accept6 FC00::/7
#SOCKSPolicy reject *
## Logs go to stdout at level "notice" unless redirected by something
## else, like one of the below lines. You can have as many Log lines as
## you want.
##
## We advise using "notice" in most cases, since anything more verbose
## may provide sensitive information to an attacker who obtains the logs.
##
## Send all messages of level 'notice' or higher to /usr/local/var/log/tor/notices.log
#Log notice file /usr/local/var/log/tor/notices.log
## Send every possible message to /usr/local/var/log/tor/debug.log
#Log debug file /usr/local/var/log/tor/debug.log
## Use the system log instead of Tor's logfiles
#Log notice syslog
## To send all messages to stderr:
#Log debug stderr
## Uncomment this to start the process in the background... or use
## --runasdaemon 1 on the command line. This is ignored on Windows;
## see the FAQ entry if you want Tor to run as an NT service.
RunAsDaemon 1
## The directory for keeping all the keys/etc. By default, we store
## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
#DataDirectory /usr/local/var/lib/tor
## The port on which Tor will listen for local connections from Tor
## controller applications, as documented in control-spec.txt.
#ControlPort 9051
## If you enable the controlport, be sure to enable one of these
## authentication methods, to prevent attackers from accessing it.
#HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C
#CookieAuthentication 1
############### This section is just for location-hidden services ###
## Once you have configured a hidden service, you can look at the
## contents of the file ".../hidden_service/hostname" for the address
## to tell people.
##
## HiddenServicePort x y:z says to redirect requests on port x to the
## address y:z.
#HiddenServiceDir /usr/local/var/lib/tor/hidden_service/
#HiddenServicePort 80 127.0.0.1:80
#HiddenServiceDir /usr/local/var/lib/tor/other_hidden_service/
#HiddenServicePort 80 127.0.0.1:80
#HiddenServicePort 22 127.0.0.1:22
################ This section is just for relays #####################
#
## See https://www.torproject.org/docs/tor-doc-relay for details.
## Required: what port to advertise for incoming Tor connections.
#ORPort 9001
## If you want to listen on a port other than the one advertised in
## ORPort (e.g. to advertise 443 but bind to 9090), you can do it as
## follows. You'll need to do ipchains or other port forwarding
## yourself to make this work.
#ORPort 443 NoListen
#ORPort 127.0.0.1:9090 NoAdvertise
## The IP address or full DNS name for incoming connections to your
## relay. Leave commented out and Tor will guess.
#Address noname.example.com
## If you have multiple network interfaces, you can specify one for
## outgoing traffic to use.
## OutboundBindAddressExit will be used for all exit traffic, while
## OutboundBindAddressOR will be used for all other connections.
## If you do not wish to differentiate, use OutboundBindAddress to
## specify the same address for both in a single line.
#OutboundBindAddressExit 10.0.0.4
#OutboundBindAddressOR 10.0.0.5
## A handle for your relay, so people don't have to refer to it by key.
## Nicknames must be between 1 and 19 characters inclusive, and must
## contain only the characters [a-zA-Z0-9].
#Nickname ididnteditheconfig
## Define these to limit how much relayed traffic you will allow. Your
## own traffic is still unthrottled. Note that RelayBandwidthRate must
## be at least 75 kilobytes per second.
## Note that units for these config options are bytes (per second), not
## bits (per second), and that prefixes are binary prefixes, i.e. 2^10,
## 2^20, etc.
#RelayBandwidthRate 100 KBytes # Throttle traffic to 100KB/s (800Kbps)
#RelayBandwidthBurst 200 KBytes # But allow bursts up to 200KB (1600Kb)
## Use these to restrict the maximum traffic per day, week, or month.
## Note that this threshold applies separately to sent and received bytes,
## not to their sum: setting "40 GB" may allow up to 80 GB total before
## hibernating.
##
## Set a maximum of 40 gigabytes each way per period.
#AccountingMax 40 GBytes
## Each period starts daily at midnight (AccountingMax is per day)
#AccountingStart day 00:00
## Each period starts on the 3rd of the month at 15:00 (AccountingMax
## is per month)
#AccountingStart month 3 15:00
## Administrative contact information for this relay or bridge. This line
## can be used to contact you if your relay or bridge is misconfigured or
## something else goes wrong. Note that we archive and publish all
## descriptors containing these lines and that Google indexes them, so
## spammers might also collect them. You may want to obscure the fact that
## it's an email address and/or generate a new address for this purpose.
#ContactInfo Random Person <nobody AT example dot com>
## You might also include your PGP or GPG fingerprint if you have one:
#ContactInfo 0xFFFFFFFF Random Person <nobody AT example dot com>
## Uncomment this to mirror directory information for others. Please do
## if you have enough bandwidth.
#DirPort 9030 # what port to advertise for directory connections
## If you want to listen on a port other than the one advertised in
## DirPort (e.g. to advertise 80 but bind to 9091), you can do it as
## follows. below too. You'll need to do ipchains or other port
## forwarding yourself to make this work.
#DirPort 80 NoListen
#DirPort 127.0.0.1:9091 NoAdvertise
## Uncomment to return an arbitrary blob of html on your DirPort. Now you
## can explain what Tor is if anybody wonders why your IP address is
## contacting them. See contrib/tor-exit-notice.html in Tor's source
## distribution for a sample.
#DirPortFrontPage /usr/local/etc/tor/tor-exit-notice.html
## Uncomment this if you run more than one Tor relay, and add the identity
## key fingerprint of each Tor relay you control, even if they're on
## different networks. You declare it here so Tor clients can avoid
## using more than one of your relays in a single circuit. See
## https://www.torproject.org/docs/faq#MultipleRelays
## However, you should never include a bridge's fingerprint here, as it would
## break its concealability and potentially reveal its IP/TCP address.
#MyFamily $keyid,$keyid,...
## A comma-separated list of exit policies. They're considered first
## to last, and the first match wins.
##
## If you want to allow the same ports on IPv4 and IPv6, write your rules
## using accept/reject *. If you want to allow different ports on IPv4 and
## IPv6, write your IPv6 rules using accept6/reject6 *6, and your IPv4 rules
## using accept/reject *4.
##
## If you want to _replace_ the default exit policy, end this with either a
## reject *:* or an accept *:*. Otherwise, you're _augmenting_ (prepending to)
## the default exit policy. Leave commented to just use the default, which is
## described in the man page or at
## https://www.torproject.org/documentation.html
##
## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses
## for issues you might encounter if you use the default exit policy.
##
## If certain IPs and ports are blocked externally, e.g. by your firewall,
## you should update your exit policy to reflect this -- otherwise Tor
## users will be told that those destinations are down.
##
## For security, by default Tor rejects connections to private (local)
## networks, including to the configured primary public IPv4 and IPv6 addresses,
## and any public IPv4 and IPv6 addresses on any interface on the relay.
## See the man page entry for ExitPolicyRejectPrivate if you want to allow
## "exit enclaving".
##
#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports on IPv4 and IPv6 but no more
#ExitPolicy accept *:119 # accept nntp ports on IPv4 and IPv6 as well as default exit policy
#ExitPolicy accept *4:119 # accept nntp ports on IPv4 only as well as default exit policy
#ExitPolicy accept6 *6:119 # accept nntp ports on IPv6 only as well as default exit policy
#ExitPolicy reject *:* # no exits allowed
## Bridge relays (or "bridges") are Tor relays that aren't listed in the
## main directory. Since there is no complete public list of them, even an
## ISP that filters connections to all the known Tor relays probably
## won't be able to block all the bridges. Also, websites won't treat you
## differently because they won't know you're running Tor. If you can
## be a real relay, please do; but if not, be a bridge!
#BridgeRelay 1
## By default, Tor will advertise your bridge to users through various
## mechanisms like https://bridges.torproject.org/. If you want to run
## a private bridge, for example because you'll give out your bridge
## address manually to your friends, uncomment this line:
#PublishServerDescriptor 0
## Configuration options can be imported from files or folders using the %include
## option with the value being a path. If the path is a file, the options from the
## file will be parsed as if they were written where the %include option is. If
## the path is a folder, all files on that folder will be parsed following lexical
## order. Files starting with a dot are ignored. Files on subfolders are ignored.
## The %include option can be used recursively.
#%include /etc/torrc.d/
#%include /etc/torrc.custom

View File

@ -0,0 +1,2 @@
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

View File

@ -0,0 +1,9 @@
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Remote-Port $remote_port;
proxy_redirect off;

View File

@ -0,0 +1,11 @@
ssl_protocols TLSv1.2;
ssl_ecdh_curve secp384r1;
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305-D:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256";
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 15m;
ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=31536000";

View File

@ -0,0 +1,52 @@
#user web;
worker_processes auto;
pid /nginx/run/nginx.pid;
daemon off;
events {
worker_connections 1024;
use epoll;
}
http {
include /nginx/conf/mime.types;
default_type application/octet-stream;
access_log /nginx/log/nginx_access.log combined;
error_log /nginx/log/nginx_error.log error;
sendfile on;
keepalive_timeout 15;
keepalive_disable msie6;
keepalive_requests 100;
tcp_nopush on;
tcp_nodelay off;
server_tokens off;
proxy_max_temp_file_size 20480m;
gzip on;
gzip_comp_level 5;
gzip_min_length 512;
gzip_buffers 4 8k;
gzip_proxied any;
gzip_vary on;
gzip_disable "msie6";
gzip_types
text/css
text/javascript
text/xml
text/plain
text/x-component
application/javascript
application/x-javascript
application/json
application/xml
application/rss+xml
application/vnd.ms-fontobject
font/truetype
font/opentype
image/svg+xml;
include /nginx/sites-enabled/*.conf;
include /nginx/custom_sites/*.conf;
}

View File

@ -0,0 +1,5 @@
location <frontend_path> {
include /nginx/conf.d/proxy.conf;
client_max_body_size <frontend_domain_max_body_size>;
proxy_pass http://<backend_addr>:<backend_port>;
}

View File

@ -0,0 +1,7 @@
location <frontend_path> {
include /nginx/conf.d/proxy.conf;
auth_basic "Who's this?";
auth_basic_user_file "<auth_file>";
client_max_body_size <frontend_domain_max_body_size>;
proxy_pass http://<backend_addr>:<backend_port>;
}

View File

@ -0,0 +1,6 @@
server {
listen 80;
server_name <frontend_domain>;
include /nginx/conf.d/headers.conf;
include /nginx/path.d/<frontend_domain>/*.conf;
}

View File

@ -0,0 +1,27 @@
server {
listen 80;
server_name <frontend_domain> <onion_domain>;
rewrite ^ https://<frontend_domain>:443$request_uri? permanent;
}
server {
listen 443 ssl http2;
server_name <frontend_domain> <onion_domain>;
index index.html index.php index.htm;
ssl_certificate /nginx/ssl/certificates/<frontend_domain>.crt;
ssl_certificate_key /nginx/ssl/certificates/<frontend_domain>.key;
ssl_trusted_certificate /nginx/ssl/certificates/<frontend_domain>.chain.pem;
include /nginx/conf.d/ssl.conf;
include /nginx/conf.d/headers.conf;
include /nginx/path.d/<frontend_domain>/*.conf;
location ~ /\.well-known/acme-challenge {
root /nginx/www/<frontend_domain>;
allow all;
}
}

View File

View File

@ -0,0 +1,64 @@
#!/bin/sh
## Variables
CSI="\033["
CEND="${CSI}0m"
CRED="${CSI}1;31m"
CGREEN="${CSI}1;32m"
CYELLOW="${CSI}1;33m"
CBLUE="${CSI}1;34m"
## Functions
f_log() {
LOG_TYPE=$1
LOG_MESSAGE=$2
case "${LOG_TYPE}" in
"INF")
echo -e "${CBLUE}=INF= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}"
;;
"WRN")
echo -e "${CYELLOW}=WRN= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}"
;;
"ERR")
echo -e "${CRED}=ERR= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}"
;;
esac
}
f_check_certs() {
LIST_DOMAINS=$(ls /nginx/ssl/certificates | grep .crt | grep -v issuer | sed 's|.crt||g')
RELOAD_NGINX=0
for domain in ${LIST_DOMAINS}; do
CERTFILE=/nginx/ssl/certificates/${domain}.cert.pem
KEYFILE=/nginx/ssl/certificates/${domain}.key
CHAINFILE=/nginx/ssl/certificates/${domain}.chain.pem
FULLCHAINFILE=/nginx/ssl/certificates/${domain}.crt
mkdir -p /nginx/www/${domain}
openssl x509 -checkend 864000 -noout -in "${FULLCHAINFILE}"
if [ $? == 0 ]; then
f_log INF "Certificate for ${domain} is good for another 10 days!"
else
f_log INF "Generate New Certificate for ${domain}"
/usr/local/bin/lego -a -m ${EMAIL} -d ${domain} --path /nginx/ssl --webroot /nginx/www/${domain} renew
if [ $? == 0 ]; then
if [ -e ${FULLCHAINFILE} ]; then
head -$(grep -n "END CERTIFICATE" ${FULLCHAINFILE} | head -1 | cut -d: -f1) ${FULLCHAINFILE} > ${CERTFILE}
tail -$(($(wc -l ${FULLCHAINFILE} | awk '{print $1}')-$(grep -n "END CERTIFICATE" ${FULLCHAINFILE} | head -1 | cut -d: -f1))) ${FULLCHAINFILE} > ${CHAINFILE}
RELOAD_NGINX=1
f_log INF "New Certificate for ${domain} generated"
fi
else
f_log ERR "New Certificate for ${domain} not generated"
fi
fi
done
}
f_check_certs
if [ ${RELOAD_NGINX} -eq 1 ]; then
nginx reload
fi

View File

@ -0,0 +1,201 @@
#!/bin/sh
## Variables
CSI="\033["
CEND="${CSI}0m"
CRED="${CSI}1;31m"
CGREEN="${CSI}1;32m"
CYELLOW="${CSI}1;33m"
CBLUE="${CSI}1;34m"
## Functions
f_log() {
LOG_TYPE=$1
LOG_MESSAGE=$2
case "${LOG_TYPE}" in
"INF")
echo -e "${CBLUE}=INF= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}"
;;
"SUC")
echo -e "${CGREEN}=SUC= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}"
;;
"WRN")
echo -e "${CYELLOW}=WRN= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}"
;;
"ERR")
echo -e "${CRED}=ERR= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}"
;;
esac
}
f_gen_sites_enabled() {
if [ "${FRONTEND_SSL}" == "true" ]; then
template_sites=/nginx/sites-enabled/template_ssl
else
template_sites=/nginx/sites-enabled/template
fi
if [ "${FRONTEND_TOR}" == "true" ]; then
if [ -d /tor/${FRONTEND_DOMAIN}/ ]; then
ONION_DOMAIN=$(cat /tor/${FRONTEND_DOMAIN}/hostname)
echo "HiddenServiceDir /tor/"${FRONTEND_DOMAIN}"/" >> /etc/tor/torrc
echo "HiddenServicePort 443 127.0.0.1:443" >> /etc/tor/torrc
sed -e 's|<frontend_domain>|'${FRONTEND_DOMAIN}'|' \
-e 's|<onion_domain>|'${ONION_DOMAIN}'|' ${template_sites} > /nginx/sites-enabled/${FRONTEND_DOMAIN}.conf
else
echo "HiddenServiceDir /tor/"${FRONTEND_DOMAIN}"/" >> /etc/tor/torrc
echo "HiddenServicePort 443 127.0.0.1:443" >> /etc/tor/torrc
echo "Please restard your container"
sed -e 's|<frontend_domain>|'${FRONTEND_DOMAIN}'|' ${template_sites} > /nginx/sites-enabled/${FRONTEND_DOMAIN}.conf
fi
else
sed -e 's|<frontend_domain>|'${FRONTEND_DOMAIN}'|' \
-e 's|<onion_domain>| |' ${template_sites} > /nginx/sites-enabled/${FRONTEND_DOMAIN}.conf
fi
}
f_gen_location() {
container_name=$1
if [ ! -d /nginx/path.d/${FRONTEND_DOMAIN} ]; then
mkdir -p /nginx/path.d/${FRONTEND_DOMAIN}
fi
if [ "${FRONTEND_PATH}" == "/" ]; then
path_file=/nginx/path.d/${FRONTEND_DOMAIN}/base.conf
auth_file=/nginx/auth/${FRONTEND_DOMAIN}/base.auth
else
path_file=/nginx/path.d/${FRONTEND_DOMAIN}/${FRONTEND_PATH}.conf
auth_file=/nginx/auth/${FRONTEND_DOMAIN}/${FRONTEND_PATH}.auth
fi
if [ ! -e ${path_file} ]; then
if [ "${FRONTEND_AUTH}" != "" ]; then
mkdir -p /nginx/auth/${FRONTEND_DOMAIN}
sed -e 's|<frontend_domain_max_body_size>|'${FRONTEND_MAX_BODY_SIZE}'|' \
-e 's|<backend_addr>|'${container_name}'|' \
-e 's|<backend_port>|'${BACKEND_PORT}'|' \
-e 's|<frontend_domain>|'${FRONTEND_DOMAIN}'|' \
-e 's|<frontend_path>|'${FRONTEND_PATH}'|' \
-e 's|<auth_file>|'${auth_file}'|' /nginx/path.d/template_auth > ${path_file}
echo "${FRONTEND_AUTH}" > ${auth_file}
else
sed -e 's|<frontend_domain_max_body_size>|'${FRONTEND_MAX_BODY_SIZE}'|' \
-e 's|<backend_addr>|'${container_name}'|' \
-e 's|<backend_port>|'${BACKEND_PORT}'|' \
-e 's|<frontend_path>|'${FRONTEND_PATH}'|' /nginx/path.d/template > ${path_file}
fi
fi
}
f_gen_certs() {
container_name=$1
if [ "${FRONTEND_SSL}" == "true" ]; then
CERTFILE=/nginx/ssl/certificates/${FRONTEND_DOMAIN}.cert.pem
KEYFILE=/nginx/ssl/certificates/${FRONTEND_DOMAIN}.key
CHAINFILE=/nginx/ssl/certificates/${FRONTEND_DOMAIN}.chain.pem
FULLCHAINFILE=/nginx/ssl/certificates/${FRONTEND_DOMAIN}.crt
if [ ! -e ${CERTFILE} ] || [ ! -e ${KEYFILE} ] || [ ! -e ${CHAINFILE} ] || [ ! -e ${FULLCHAINFILE} ]; then
mkdir -p /nginx/www/${FRONTEND_DOMAIN}
/usr/local/bin/lego -a -m ${EMAIL} -d ${FRONTEND_DOMAIN} --path /nginx/ssl --http :8080 --tls :8443 -k ${FRONTEND_SSLTYPE} run
if [ $? == 0 ]; then
head -$(grep -n "END CERTIFICATE" ${FULLCHAINFILE} | head -1 | cut -d: -f1) ${FULLCHAINFILE} > ${CERTFILE}
tail -$(($(wc -l ${FULLCHAINFILE} | awk '{print $1}')-$(grep -n "END CERTIFICATE" ${FULLCHAINFILE} | head -1 | cut -d: -f1))) ${FULLCHAINFILE} > ${CHAINFILE}
chown -R ${UID}:${GID} /nginx/ssl/
fi
[[ $? == 0 ]] && f_log INF "New Certificate for ${FRONTEND_DOMAIN} generated" || f_log ERR "New Certificate for ${FRONTEND_DOMAIN} not generated"
fi
fi
}
f_make_conf() {
FRONTEND_DOMAIN=mydomain.local
FRONTEND_MAX_BODY_SIZE=200M
FRONTEND_SSLTYPE=ec384
BACKEND_PORT=8080
FRONTEND_PATH="/"
FRONTEND_SSL=false
FRONTEND_AUTH=""
FRONTEND_TOR=false
container_name=$1
IFS=$'\n'
if [ "${CONTAINER_LABELS}" != "" ]; then
for label in ${CONTAINER_LABELS}; do
case "$(echo ${label} | awk '{print $1}')" in
"reverse.frontend.domain")
FRONTEND_DOMAIN=""
FRONTEND_DOMAIN="$(echo ${label} | awk '{print $2}')"
;;
"reverse.frontend.path")
FRONTEND_PATH="$(echo ${label} | awk '{print $2}')"
;;
"reverse.frontend.auth")
FRONTEND_AUTH="$(echo ${label} | awk '{print $2}')"
;;
"reverse.frontend.ssltype")
FRONTEND_SSLTYPE="$(echo ${label} | awk '{print $2}')"
;;
"reverse.frontend.domain_max_body_size")
FRONTEND_MAX_BODY_SIZE="$(echo ${label} | awk '{print $2}')"
;;
"reverse.frontend.ssl")
FRONTEND_SSL="$(echo ${label} | awk '{print $2}')"
;;
"reverse.frontend.tor")
FRONTEND_TOR="$(echo ${label} | awk '{print $2}')"
;;
"reverse.backend.port")
BACKEND_PORT="$(echo ${label} | awk '{print $2}')"
;;
esac
done
f_log INF "Generate files for ${FRONTEND_DOMAIN}, with path=${FRONTEND_PATH}, auth=${FRONTEND_AUTH}, ssl_type=${FRONTEND_SSLTYPE}, ssl=${FRONTEND_SSL} and port=${BACKEND_PORT}"
f_gen_location ${container_name}
f_gen_sites_enabled
f_gen_certs ${container_name}
fi
}
# Check /var/run/docker.sock
f_log INF "Check if /var/run/docker.sock exist ..."
ls /var/run/docker.sock > /dev/null 2>&1
if [ $? == 0 ]; then
f_log INF "/var/run/docker.sock exist ..."
else
f_log ERR "/var/run/docker.sock don't exist ..."
exit 1
fi
f_log INF "Start reverse configuration ..."
# Prepare container
f_log INF "Create user 'reverse'"
addgroup -g ${GID} reverse && adduser -H -s /bin/sh -D -G reverse -u ${UID} reverse
f_log INF "Create folder"
mkdir -p /nginx/sites-enabled /nginx /nginx/log /nginx/run /nginx/sites-enabled /nginx/ssl /nginx/ssl/selfsigned/dhparam
mkdir -p /home/reverse/.tor
# Generate file
for container in $(curl --unix-socket /var/run/docker.sock http://localhost/containers/json 2> /dev/null | jq '.[].Names' | sed 's|.*"/\(.*\)"$|\1|;/\[/d;/\]/d'); do
CONTAINER_LABELS=$(curl --unix-socket /var/run/docker.sock http://localhost/containers/${container}/json 2> /dev/null | jq '.Config.Labels' | grep -E "reverse\." | sed 's|.*"\(.*\)": "\(.*\)".*$|\1 \2|')
f_make_conf ${container}
done
f_log INF "Apply permissions"
chown -R reverse:reverse /nginx /etc/s6.d /tor/ /home/reverse/.tor
chmod +x /usr/local/bin/check_certs
find /etc/s6.d -name run -exec chmod +x {} \;
find /etc/s6.d -name finish -exec chmod +x {} \;
f_log SUC "End reverse configuration"
## run s6
if [ $# -gt 0 ]; then
exec su-exec reverse:reverse "$@"
else
exec su-exec reverse:reverse /bin/s6-svscan /etc/s6.d
fi