commit e02f17166ab80578d453d5b9c4bb5ae533a92af9
Author: root <root@ns333570.ip-188-165-217.eu>
Date:   Fri Nov 3 19:40:15 2017 +0000

    first commit

diff --git a/.Dockerfile.swp b/.Dockerfile.swp
new file mode 100644
index 0000000..8c2135d
Binary files /dev/null and b/.Dockerfile.swp differ
diff --git a/.drone.yml b/.drone.yml
new file mode 100644
index 0000000..cf74e8d
--- /dev/null
+++ b/.drone.yml
@@ -0,0 +1,21 @@
+pipeline:
+  build:
+    image: xataz/docker-drone-plugin
+    repo: xataz/reverse-nginx
+    action: build
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+
+  push:
+    image: xataz/docker-drone-plugin
+    repo: xataz/reverse-nginx
+    action: push
+    environment:
+      - UID=1000
+      - GID=991
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /home/xataz/.docker/config.json:/docker/.docker/config.json
+    when:
+      branch: master
+      event: [push, tag, deployment]
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..a959a4f
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,104 @@
+FROM xataz/alpine:3.6
+
+LABEL Description="reverse with nginx based on alpine" \
+      tags="latest mainline 1.13.5 1.13" \
+      maintainer="xataz <https://github.com/xataz>" \
+      build_ver="2017090601"
+
+ARG NGINX_VER=1.13.5
+ARG NGINX_GPG="B0F4253373F8F6F510D42178520A9993A1C052F8"
+ARG TOR_GPG="2133BC600AB133E1D826D173FE43009C4607B1FB"
+ARG BUILD_CORES
+ARG NGINX_CONF="--prefix=/nginx \
+                --sbin-path=/usr/local/sbin/nginx \
+                --http-log-path=/nginx/log/nginx_access.log \
+                --error-log-path=/nginx/log/nginx_error.log \
+                --pid-path=/nginx/run/nginx.pid \
+                --lock-path=/nginx/run/nginx.lock \
+                --user=reverse --group=reverse \
+                --with-http_ssl_module \
+                --with-http_v2_module \
+                --with-http_gzip_static_module \
+                --with-http_stub_status_module \
+                --with-threads \
+                --with-pcre-jit \
+                --with-ipv6 \
+                --without-http_ssi_module \
+                --without-http_scgi_module \
+                --without-http_uwsgi_module \
+                --without-http_geo_module \
+                --without-http_autoindex_module \
+                --without-http_split_clients_module \
+                --without-http_memcached_module \
+                --without-http_empty_gif_module \
+                --add-module=/tmp/headers-more-nginx-module \
+                --without-http_browser_module"
+ARG TOR_VER=0.3.1.7
+
+ENV UID=991 \
+    GID=991 \
+    EMAIL=admin@mydomain.local
+
+RUN export BUILD_DEPS="build-base \
+                    libressl-dev \
+                    pcre-dev \
+                    zlib-dev \
+                    libc-dev \
+                    wget \
+                    gnupg \
+                    go \
+                    libevent-dev \
+                    git" \
+    && NB_CORES=${BUILD_CORES-$(grep -c "processor" /proc/cpuinfo)} \
+    && apk add -U ${BUILD_DEPS} \
+                s6 \
+                su-exec \
+                ca-certificates \
+                curl \
+                jq \
+                libressl \
+                pcre \
+                zlib \
+                libevent \
+    && cd /tmp \
+    && git clone https://github.com/openresty/headers-more-nginx-module --depth=1 \
+    && wget http://nginx.org/download/nginx-${NGINX_VER}.tar.gz \
+    && wget http://nginx.org/download/nginx-${NGINX_VER}.tar.gz.asc \
+    && gpg --keyserver pgp.mit.edu --recv-keys "$NGINX_GPG" || \
+       gpg --keyserver keyserver.pgp.com --recv-keys "$NGINX_GPG" || \
+       gpg --keyserver ha.pool.sks-keyservers.net --recv-keys "$NGINX_GPG" \
+    && gpg --batch --verify nginx-${NGINX_VER}.tar.gz.asc nginx-${NGINX_VER}.tar.gz \
+    && tar xzf nginx-${NGINX_VER}.tar.gz \
+    && cd /tmp/nginx-${NGINX_VER} \
+    && ./configure ${NGINX_CONF} \            
+    && make -j ${NB_CORES} \
+    && make install \
+    && mkdir -p /tmp/go/bin \
+    && export GOPATH=/tmp/go \
+    && export GOBIN=$GOPATH/bin \
+    && git config --global http.https://gopkg.in.followRedirects true \
+    && go get github.com/xenolf/lego \
+    && mv /tmp/go/bin/lego /usr/local/bin/lego \
+    && cd /tmp \
+    && wget https://www.torproject.org/dist/tor-${TOR_VER}.tar.gz \
+    && wget https://www.torproject.org/dist/tor-${TOR_VER}.tar.gz.asc \
+	&& gpg --keyserver pgp.mit.edu --recv-keys "$TOR_GPG" || \
+       gpg --keyserver keyserver.pgp.com --recv-keys "$TOR_GPG" || \
+       gpg --keyserver ha.pool.sks-keyservers.net --recv-keys "$TOR_GPG" \
+    && gpg --batch --verify tor-${TOR_VER}.tar.gz.asc tor-${TOR_VER}.tar.gz \
+    && tar xzf tor-${TOR_VER}.tar.gz \
+    && cd tor-${TOR_VER} \
+    && ./configure  \
+    && make -j ${NB_CORES} \
+    && make install \
+    && mv /usr/local/etc/tor/torrc.sample /usr/local/etc/tor/torrc \
+    && apk del ${BUILD_DEPS} \
+    && rm -rf /tmp/* /var/cache/apk/*
+
+COPY rootfs /
+RUN chmod +x /usr/local/bin/startup /etc/s6.d/*/*
+
+EXPOSE 80 443
+
+ENTRYPOINT ["/usr/local/bin/startup"]
+CMD ["/bin/s6-svscan", "/etc/s6.d"]
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..ff78ca9
--- /dev/null
+++ b/README.md
@@ -0,0 +1,119 @@
+![](http://nginx.org/nginx.png)
+
+# BETA VERSION ACTUALY !!!!!
+[![Build Status](https://drone.xataz.net/api/badges/xataz/docker-reverse-nginx/status.svg)](https://drone.xataz.net/xataz/docker-reverse-nginx)
+[![](https://images.microbadger.com/badges/image/xataz/reverse-nginx.svg)](https://microbadger.com/images/xataz/reverse-nginx "Get your own image badge on microbadger.com")
+[![](https://images.microbadger.com/badges/version/xataz/reverse-nginx.svg)](https://microbadger.com/images/xataz/reverse-nginx "Get your own version badge on microbadger.com")
+
+> This image is build and push with [drone.io](https://github.com/drone/drone), a circle-ci like self-hosted.
+> If you don't trust, you can build yourself.
+
+## Tag available
+* latest, mainline, 1.13.5, 1.13 [(Dockerfile)](https://github.com/xataz/dockerfiles/blob/master/reverse-nginx/Dockerfile)
+
+## Features
+* No ROOT process
+* Automatic configuration generation
+* Automatic certificate generation and renew with letsencrypt and without downtime (use lego)
+* Latest nginx version
+* ARG for custom build
+
+## Description
+What is [Nginx](http://nginx.org)?
+
+nginx (engine x) is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP proxy server, originally written by Igor Sysoev. For a long time, it has been running on many heavily loaded Russian sites including Yandex, Mail.Ru, VK, and Rambler. According to Netcraft, nginx served or proxied 24.29% busiest sites in December 2015. Here are some of the success stories: Netflix, Wordpress.com, FastMail.FM.
+
+Reverse-nginx generate for you the configuration of reverse proxy. Like traefik, it is based on the labels of containers, but it isn't dynamicly.
+
+## Build Image
+### Build arguments
+* NGINX_CONF : Nginx make configure options
+* NGINX_VER : Nginx version
+* ARG NGINX_GPG : GPG fingerprint (default : "B0F4253373F8F6F510D42178520A9993A1C052F8")
+* ARG BUILD_CORES : Number of core use for make nginx (default : All cores)
+
+### Simply build
+```shell
+docker build -t xataz/reverse-nginx github.com/xataz/dockerfiles.git#master:reverse-nginx
+```
+### Build other version
+```shell
+docker build -t xataz/reverse-nginx --build-arg NGINX_VER=1.9.5 github.com/xataz/dockerfiles.git#master:reverse-nginx
+```
+
+## Configuration
+### Environments
+* UID : Choose uid for launch nginx (default : 991)
+* GID : Choose gid for launch nginx (default : 991)
+
+### Volumes
+* /nginx/ssl : For certificate persistance
+* /nginx/custom_sites : For create your own sites
+* /tor/ : For tor address
+
+### Ports
+* 8080
+* 8443
+
+## Usage
+### Environments
+| Variable | Description | default | value |
+| -------- | ----------- | ------- | ----- |
+| UID | UID for launch nginx | 991 | Valid UID number |
+| GID | GID for launch nginx | 991 | Valid GID number |
+| EMAIL | email use for generate letsencrypt certificates | admin@mydomain.local | Valid address mail |
+
+### Labels
+| Label Name | Description | default | value |
+| ---------- | ----------- | ------- | ----- |
+| reverse.frontend.domain | Domain Name for this service | mydomain.local | valid domain name |
+| reverse.frontend.path | Domain path (warning, no rewrite url) | / | valid path, with / |
+| reverse.frontend.auth | For auth basic | none | user:encryptpassword |
+| reverse.frontend.ssltype | Choose ssl type | ec384 | rsa2048, rsa4096, rsa8192, ec256 or ec384 |
+| reverse.frontend.domain\_max\_body\_size | Choose max size upload | 200M | Numeric value with unit (K,M,G,T) |
+| reverse.frontend.ssl | Generate letsencrypt certificate | false | true or false |
+| reverse.frontend.tor | If container is an hidden service | false | boolean (true / false) |
+| reverse.backend.port | Port use by container | 8080 | Valid port number |
+
+
+More labels soon !!!
+
+### Launch
+#### First launch another container
+For exemple, I launch lutim container :
+```shell
+$ docker run -d \
+    --name lutim \
+    --label reverse.frontend.domain=sub.domain.com \
+    --label reverse.frontend.path=lutim \
+    --label reverse.frontend.auth=USER:$(openssl passwd -crypt PASSWORD) \
+    --label reverse.frontend.ssltype=ec256 \
+    --label reverse.frontend.ssl = true \
+    --label reverse.backend.port=8181 \
+    -v /docker/config/lutim/data:/data \
+    -v /docker/data/lutim:/lutim/files \
+    -e UID=1001 \
+    -e GID=1001 \
+    -e WEBROOT=/lutim \
+    -e SECRET=$(date +%s | md5sum | head -c 32) \
+    -e CONTACT=contact@domain.com \
+    -e MAX_FILE_SIZE=250000000 \
+    xataz/lutim
+```
+
+
+#### Launch reverse-nginx
+```shell
+docker run -d \
+	-p 80:8080 \
+	-p 443:8443 \
+    --name reverse \
+    -e EMAIL=me@mydomain.com \
+    -v /var/run/docker.sock:/var/run/docker.sock \
+	xataz/reverse-nginx
+```
+
+URI Access : https://sub.domain.com/lutim
+
+
+
diff --git a/auto_upgrade.sh b/auto_upgrade.sh
new file mode 100755
index 0000000..200243e
--- /dev/null
+++ b/auto_upgrade.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+NGINX_MAINLINE_VERSION=$(grep "NGINX_VER=" Dockerfile | cut -d"=" -f2)
+NEW_NGINX_MAINLINE_VERSION=$(curl http://nginx.org/en/download.html 2> /dev/null | sed 's|>|>\n|g' | grep '^<a href="/download/nginx-' | head -1 | sed 's|.*nginx-\(.*\).tar.gz.*|\1|')
+
+f_gen_tag() {
+    VERSION=$1
+
+    TAGS="latest mainline ${VERSION} $(echo ${VERSION} | cut -d'.' -f '1 2')"
+}
+
+f_maj_dockerfile() {
+    BUILD_VER=$(date +%Y%m%d01)
+
+    ## Edit dockerfile
+    sed -i 's/NGINX_VER=.*/NGINX_VER='$1'/;
+        s/tags=".*"/tags="'"${TAGS}"'"/;
+        s/build_ver=".*"/build_ver="'${BUILD_VER}'"/' Dockerfile
+}
+
+f_maj_readme() {
+    TAGS=$(echo $TAGS | sed 's/ /, /g')
+
+    sed -i 's#\* .*/Dockerfile)#\* '"${TAGS}"' \[(Dockerfile)\](https://github.com/xataz/dockerfiles/blob/master/reverse-nginx/Dockerfile)#' README.md
+}
+
+if [ "${NGINX_MAINLINE_VERSION}" != "${NEW_NGINX_MAINLINE_VERSION}" ]; then
+    echo "Update nginx mainline to ${NEW_NGINX_MAINLINE_VERSION}"
+    f_gen_tag ${NEW_NGINX_MAINLINE_VERSION} "latest mainline"
+    f_maj_dockerfile ${NEW_NGINX_MAINLINE_VERSION}
+    f_maj_readme
+fi
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..94828be
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,48 @@
+version: '2'
+
+networks:
+  default:
+    driver: bridge
+
+services:
+  lutim:
+    image: xataz/lutim
+    container_name: lutim
+    labels:
+      - reverse.frontend.domain=sub.docker.local
+      - reverse.frontend.path=lutim
+      - reverse.frontend.auth=USER:zkgudxk6qOT5g
+      - reverse.backend.port=8181
+    environment: 
+      - UID=1001
+      - GID=1001
+      - WEBROOT=/lutim
+      - SECRET=908de85a9809724481c8a360c90879da
+      - CONTACT=contact@domain.com
+      - MAX_FILE_SIZE=250000000
+
+  lufi:
+    image: xataz/lufi
+    container_name: lufi
+    labels:
+      - reverse.frontend.domain=sub.docker.local
+      - reverse.frontend.path=lufi
+      - reverse.frontend.auth=USER:zkgudxk6qOT5g
+      - reverse.backend.port=8080
+    environment:
+      - UID=1001
+      - GID=1001
+      - WEBROOT=/lufi
+
+  reverse:
+    image: xataz/reverse-nginx
+    container_name: reverse
+    ports:
+      - "80:8080"
+      - "443:8443"
+    volumes:
+      - /docker/nginx/ssl:/nginx/ssl
+      - /var/run/docker.sock:/var/run/docker.sock
+    depends_on: 
+      - lufi
+      - lutim
\ No newline at end of file
diff --git a/rootfs/etc/s6.d/.s6-svscan/finish b/rootfs/etc/s6.d/.s6-svscan/finish
new file mode 100644
index 0000000..92b94c4
--- /dev/null
+++ b/rootfs/etc/s6.d/.s6-svscan/finish
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exit 0
\ No newline at end of file
diff --git a/rootfs/etc/s6.d/check_certs/run b/rootfs/etc/s6.d/check_certs/run
new file mode 100644
index 0000000..0c104f4
--- /dev/null
+++ b/rootfs/etc/s6.d/check_certs/run
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+sleep 60
+while true; do
+    /usr/local/bin/check_certs
+    sleep 86400
+done
\ No newline at end of file
diff --git a/rootfs/etc/s6.d/nginx/run b/rootfs/etc/s6.d/nginx/run
new file mode 100644
index 0000000..4766ddb
--- /dev/null
+++ b/rootfs/etc/s6.d/nginx/run
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exec nginx
\ No newline at end of file
diff --git a/rootfs/etc/s6.d/tor/run b/rootfs/etc/s6.d/tor/run
new file mode 100644
index 0000000..cfc2fcb
--- /dev/null
+++ b/rootfs/etc/s6.d/tor/run
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+#exec tor -f /etc/tor/torrc
diff --git a/rootfs/etc/tor/torrc b/rootfs/etc/tor/torrc
new file mode 100644
index 0000000..fa19da5
--- /dev/null
+++ b/rootfs/etc/tor/torrc
@@ -0,0 +1,220 @@
+## Configuration file for a typical Tor user
+## Last updated 22 September 2015 for Tor 0.2.7.3-alpha.
+## (may or may not work for much older or much newer versions of Tor.)
+##
+## Lines that begin with "## " try to explain what's going on. Lines
+## that begin with just "#" are disabled commands: you can enable them
+## by removing the "#" symbol.
+##
+## See 'man tor', or https://www.torproject.org/docs/tor-manual.html,
+## for more options you can use in this file.
+##
+## Tor will look for this file in various places based on your platform:
+## https://www.torproject.org/docs/faq#torrc
+
+## Tor opens a SOCKS proxy on port 9050 by default -- even if you don't
+## configure one below. Set "SOCKSPort 0" if you plan to run Tor only
+## as a relay, and not make any local application connections yourself.
+#SOCKSPort 9050 # Default: Bind to localhost:9050 for local connections.
+#SOCKSPort 192.168.0.1:9100 # Bind to this address:port too.
+
+## Entry policies to allow/deny SOCKS requests based on IP address.
+## First entry that matches wins. If no SOCKSPolicy is set, we accept
+## all (and only) requests that reach a SOCKSPort. Untrusted users who
+## can access your SOCKSPort may be able to learn about the connections
+## you make.
+#SOCKSPolicy accept 192.168.0.0/16
+#SOCKSPolicy accept6 FC00::/7
+#SOCKSPolicy reject *
+
+## Logs go to stdout at level "notice" unless redirected by something
+## else, like one of the below lines. You can have as many Log lines as
+## you want.
+##
+## We advise using "notice" in most cases, since anything more verbose
+## may provide sensitive information to an attacker who obtains the logs.
+##
+## Send all messages of level 'notice' or higher to /usr/local/var/log/tor/notices.log
+#Log notice file /usr/local/var/log/tor/notices.log
+## Send every possible message to /usr/local/var/log/tor/debug.log
+#Log debug file /usr/local/var/log/tor/debug.log
+## Use the system log instead of Tor's logfiles
+#Log notice syslog
+## To send all messages to stderr:
+#Log debug stderr
+
+## Uncomment this to start the process in the background... or use
+## --runasdaemon 1 on the command line. This is ignored on Windows;
+## see the FAQ entry if you want Tor to run as an NT service.
+RunAsDaemon 1
+
+## The directory for keeping all the keys/etc. By default, we store
+## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
+#DataDirectory /usr/local/var/lib/tor
+
+## The port on which Tor will listen for local connections from Tor
+## controller applications, as documented in control-spec.txt.
+#ControlPort 9051
+## If you enable the controlport, be sure to enable one of these
+## authentication methods, to prevent attackers from accessing it.
+#HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C
+#CookieAuthentication 1
+
+############### This section is just for location-hidden services ###
+
+## Once you have configured a hidden service, you can look at the
+## contents of the file ".../hidden_service/hostname" for the address
+## to tell people.
+##
+## HiddenServicePort x y:z says to redirect requests on port x to the
+## address y:z.
+
+#HiddenServiceDir /usr/local/var/lib/tor/hidden_service/
+#HiddenServicePort 80 127.0.0.1:80
+
+#HiddenServiceDir /usr/local/var/lib/tor/other_hidden_service/
+#HiddenServicePort 80 127.0.0.1:80
+#HiddenServicePort 22 127.0.0.1:22
+
+################ This section is just for relays #####################
+#
+## See https://www.torproject.org/docs/tor-doc-relay for details.
+
+## Required: what port to advertise for incoming Tor connections.
+#ORPort 9001
+## If you want to listen on a port other than the one advertised in
+## ORPort (e.g. to advertise 443 but bind to 9090), you can do it as
+## follows.  You'll need to do ipchains or other port forwarding
+## yourself to make this work.
+#ORPort 443 NoListen
+#ORPort 127.0.0.1:9090 NoAdvertise
+
+## The IP address or full DNS name for incoming connections to your
+## relay. Leave commented out and Tor will guess.
+#Address noname.example.com
+
+## If you have multiple network interfaces, you can specify one for
+## outgoing traffic to use.
+## OutboundBindAddressExit will be used for all exit traffic, while
+## OutboundBindAddressOR will be used for all other connections.
+## If you do not wish to differentiate, use OutboundBindAddress to
+## specify the same address for both in a single line.
+#OutboundBindAddressExit 10.0.0.4
+#OutboundBindAddressOR 10.0.0.5
+
+## A handle for your relay, so people don't have to refer to it by key.
+## Nicknames must be between 1 and 19 characters inclusive, and must
+## contain only the characters [a-zA-Z0-9].
+#Nickname ididnteditheconfig
+
+## Define these to limit how much relayed traffic you will allow. Your
+## own traffic is still unthrottled. Note that RelayBandwidthRate must
+## be at least 75 kilobytes per second.
+## Note that units for these config options are bytes (per second), not
+## bits (per second), and that prefixes are binary prefixes, i.e. 2^10,
+## 2^20, etc.
+#RelayBandwidthRate 100 KBytes  # Throttle traffic to 100KB/s (800Kbps)
+#RelayBandwidthBurst 200 KBytes # But allow bursts up to 200KB (1600Kb)
+
+## Use these to restrict the maximum traffic per day, week, or month.
+## Note that this threshold applies separately to sent and received bytes,
+## not to their sum: setting "40 GB" may allow up to 80 GB total before
+## hibernating.
+##
+## Set a maximum of 40 gigabytes each way per period.
+#AccountingMax 40 GBytes
+## Each period starts daily at midnight (AccountingMax is per day)
+#AccountingStart day 00:00
+## Each period starts on the 3rd of the month at 15:00 (AccountingMax
+## is per month)
+#AccountingStart month 3 15:00
+
+## Administrative contact information for this relay or bridge. This line
+## can be used to contact you if your relay or bridge is misconfigured or
+## something else goes wrong. Note that we archive and publish all
+## descriptors containing these lines and that Google indexes them, so
+## spammers might also collect them. You may want to obscure the fact that
+## it's an email address and/or generate a new address for this purpose.
+#ContactInfo Random Person <nobody AT example dot com>
+## You might also include your PGP or GPG fingerprint if you have one:
+#ContactInfo 0xFFFFFFFF Random Person <nobody AT example dot com>
+
+## Uncomment this to mirror directory information for others. Please do
+## if you have enough bandwidth.
+#DirPort 9030 # what port to advertise for directory connections
+## If you want to listen on a port other than the one advertised in
+## DirPort (e.g. to advertise 80 but bind to 9091), you can do it as
+## follows.  below too. You'll need to do ipchains or other port
+## forwarding yourself to make this work.
+#DirPort 80 NoListen
+#DirPort 127.0.0.1:9091 NoAdvertise
+## Uncomment to return an arbitrary blob of html on your DirPort. Now you
+## can explain what Tor is if anybody wonders why your IP address is
+## contacting them. See contrib/tor-exit-notice.html in Tor's source
+## distribution for a sample.
+#DirPortFrontPage /usr/local/etc/tor/tor-exit-notice.html
+
+## Uncomment this if you run more than one Tor relay, and add the identity
+## key fingerprint of each Tor relay you control, even if they're on
+## different networks. You declare it here so Tor clients can avoid
+## using more than one of your relays in a single circuit. See
+## https://www.torproject.org/docs/faq#MultipleRelays
+## However, you should never include a bridge's fingerprint here, as it would
+## break its concealability and potentially reveal its IP/TCP address.
+#MyFamily $keyid,$keyid,...
+
+## A comma-separated list of exit policies. They're considered first
+## to last, and the first match wins.
+##
+## If you want to allow the same ports on IPv4 and IPv6, write your rules
+## using accept/reject *. If you want to allow different ports on IPv4 and
+## IPv6, write your IPv6 rules using accept6/reject6 *6, and your IPv4 rules
+## using accept/reject *4.
+##
+## If you want to _replace_ the default exit policy, end this with either a
+## reject *:* or an accept *:*. Otherwise, you're _augmenting_ (prepending to)
+## the default exit policy. Leave commented to just use the default, which is
+## described in the man page or at
+## https://www.torproject.org/documentation.html
+##
+## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses
+## for issues you might encounter if you use the default exit policy.
+##
+## If certain IPs and ports are blocked externally, e.g. by your firewall,
+## you should update your exit policy to reflect this -- otherwise Tor
+## users will be told that those destinations are down.
+##
+## For security, by default Tor rejects connections to private (local)
+## networks, including to the configured primary public IPv4 and IPv6 addresses,
+## and any public IPv4 and IPv6 addresses on any interface on the relay.
+## See the man page entry for ExitPolicyRejectPrivate if you want to allow
+## "exit enclaving".
+##
+#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports on IPv4 and IPv6 but no more
+#ExitPolicy accept *:119 # accept nntp ports on IPv4 and IPv6 as well as default exit policy
+#ExitPolicy accept *4:119 # accept nntp ports on IPv4 only as well as default exit policy
+#ExitPolicy accept6 *6:119 # accept nntp ports on IPv6 only as well as default exit policy
+#ExitPolicy reject *:* # no exits allowed
+
+## Bridge relays (or "bridges") are Tor relays that aren't listed in the
+## main directory. Since there is no complete public list of them, even an
+## ISP that filters connections to all the known Tor relays probably
+## won't be able to block all the bridges. Also, websites won't treat you
+## differently because they won't know you're running Tor. If you can
+## be a real relay, please do; but if not, be a bridge!
+#BridgeRelay 1
+## By default, Tor will advertise your bridge to users through various
+## mechanisms like https://bridges.torproject.org/. If you want to run
+## a private bridge, for example because you'll give out your bridge
+## address manually to your friends, uncomment this line:
+#PublishServerDescriptor 0
+
+## Configuration options can be imported from files or folders using the %include
+## option with the value being a path. If the path is a file, the options from the
+## file will be parsed as if they were written where the %include option is. If
+## the path is a folder, all files on that folder will be parsed following lexical
+## order. Files starting with a dot are ignored. Files on subfolders are ignored.
+## The %include option can be used recursively.
+#%include /etc/torrc.d/
+#%include /etc/torrc.custom
+
diff --git a/rootfs/nginx/conf.d/headers.conf b/rootfs/nginx/conf.d/headers.conf
new file mode 100644
index 0000000..d19d961
--- /dev/null
+++ b/rootfs/nginx/conf.d/headers.conf
@@ -0,0 +1,2 @@
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
\ No newline at end of file
diff --git a/rootfs/nginx/conf.d/proxy.conf b/rootfs/nginx/conf.d/proxy.conf
new file mode 100644
index 0000000..a763208
--- /dev/null
+++ b/rootfs/nginx/conf.d/proxy.conf
@@ -0,0 +1,9 @@
+  proxy_http_version 1.1;
+  proxy_set_header Upgrade $http_upgrade;
+  proxy_set_header Connection "upgrade";
+  proxy_set_header Host $host;
+  proxy_set_header X-Real-IP $remote_addr;
+  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+  proxy_set_header X-Forwarded-Proto $scheme;
+  proxy_set_header X-Remote-Port $remote_port;
+  proxy_redirect off;
\ No newline at end of file
diff --git a/rootfs/nginx/conf.d/ssl.conf b/rootfs/nginx/conf.d/ssl.conf
new file mode 100644
index 0000000..98e9627
--- /dev/null
+++ b/rootfs/nginx/conf.d/ssl.conf
@@ -0,0 +1,11 @@
+ssl_protocols TLSv1.2;
+ssl_ecdh_curve secp384r1;
+ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305-D:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256";
+ssl_prefer_server_ciphers on;
+
+
+ssl_session_cache shared:SSL:20m;
+ssl_session_timeout 15m;
+ssl_session_tickets off;
+
+add_header Strict-Transport-Security "max-age=31536000";
\ No newline at end of file
diff --git a/rootfs/nginx/conf/nginx.conf b/rootfs/nginx/conf/nginx.conf
new file mode 100644
index 0000000..7b6329a
--- /dev/null
+++ b/rootfs/nginx/conf/nginx.conf
@@ -0,0 +1,52 @@
+#user web;
+worker_processes auto;
+pid /nginx/run/nginx.pid;
+daemon off;
+
+events {
+    worker_connections 1024; 
+    use epoll;
+}
+
+http {
+    include /nginx/conf/mime.types;
+    default_type  application/octet-stream;
+
+    access_log /nginx/log/nginx_access.log combined;
+    error_log /nginx/log/nginx_error.log error;
+    
+    sendfile on;
+    keepalive_timeout 15;
+    keepalive_disable msie6;
+    keepalive_requests 100;
+    tcp_nopush on;
+    tcp_nodelay off;
+    server_tokens off;
+    proxy_max_temp_file_size 20480m;
+    
+    gzip on;
+    gzip_comp_level 5;
+    gzip_min_length 512;
+    gzip_buffers 4 8k;
+    gzip_proxied any;
+    gzip_vary on;
+    gzip_disable "msie6";
+    gzip_types
+        text/css
+        text/javascript
+        text/xml
+        text/plain
+        text/x-component
+        application/javascript
+        application/x-javascript
+        application/json
+        application/xml
+        application/rss+xml
+        application/vnd.ms-fontobject
+        font/truetype
+        font/opentype
+        image/svg+xml;
+
+    include /nginx/sites-enabled/*.conf;
+    include /nginx/custom_sites/*.conf;
+}
diff --git a/rootfs/nginx/path.d/template b/rootfs/nginx/path.d/template
new file mode 100644
index 0000000..10b2600
--- /dev/null
+++ b/rootfs/nginx/path.d/template
@@ -0,0 +1,5 @@
+  location <frontend_path> {
+    include /nginx/conf.d/proxy.conf;
+    client_max_body_size <frontend_domain_max_body_size>;
+    proxy_pass http://<backend_addr>:<backend_port>;
+  }
\ No newline at end of file
diff --git a/rootfs/nginx/path.d/template_auth b/rootfs/nginx/path.d/template_auth
new file mode 100644
index 0000000..eea9bf7
--- /dev/null
+++ b/rootfs/nginx/path.d/template_auth
@@ -0,0 +1,7 @@
+  location <frontend_path> {
+    include /nginx/conf.d/proxy.conf;
+    auth_basic "Who's this?";
+    auth_basic_user_file "<auth_file>";
+    client_max_body_size <frontend_domain_max_body_size>;
+    proxy_pass http://<backend_addr>:<backend_port>;
+  }
\ No newline at end of file
diff --git a/rootfs/nginx/sites-enabled/template b/rootfs/nginx/sites-enabled/template
new file mode 100644
index 0000000..9577f8b
--- /dev/null
+++ b/rootfs/nginx/sites-enabled/template
@@ -0,0 +1,6 @@
+server {
+  listen 80;
+  server_name <frontend_domain>;
+  include /nginx/conf.d/headers.conf;
+  include /nginx/path.d/<frontend_domain>/*.conf;
+}
diff --git a/rootfs/nginx/sites-enabled/template_ssl b/rootfs/nginx/sites-enabled/template_ssl
new file mode 100644
index 0000000..5434f93
--- /dev/null
+++ b/rootfs/nginx/sites-enabled/template_ssl
@@ -0,0 +1,27 @@
+server {
+  listen 80;
+  server_name <frontend_domain> <onion_domain>;
+
+  rewrite ^ https://<frontend_domain>:443$request_uri? permanent;
+}
+
+
+server {
+
+  listen 443 ssl http2;
+  server_name <frontend_domain> <onion_domain>;
+  index index.html index.php index.htm;
+
+  ssl_certificate /nginx/ssl/certificates/<frontend_domain>.crt;
+  ssl_certificate_key /nginx/ssl/certificates/<frontend_domain>.key;
+  ssl_trusted_certificate /nginx/ssl/certificates/<frontend_domain>.chain.pem;
+  include /nginx/conf.d/ssl.conf;
+  include /nginx/conf.d/headers.conf;
+
+  include /nginx/path.d/<frontend_domain>/*.conf;
+
+  location ~ /\.well-known/acme-challenge {
+    root /nginx/www/<frontend_domain>;
+    allow all;
+  }
+}
diff --git a/rootfs/nginx/www/letsencrypt b/rootfs/nginx/www/letsencrypt
new file mode 100644
index 0000000..e69de29
diff --git a/rootfs/usr/local/bin/check_certs b/rootfs/usr/local/bin/check_certs
new file mode 100644
index 0000000..8054b3a
--- /dev/null
+++ b/rootfs/usr/local/bin/check_certs
@@ -0,0 +1,64 @@
+#!/bin/sh
+
+## Variables
+CSI="\033["
+CEND="${CSI}0m"
+CRED="${CSI}1;31m"
+CGREEN="${CSI}1;32m"
+CYELLOW="${CSI}1;33m"
+CBLUE="${CSI}1;34m"
+
+## Functions
+f_log() {
+    LOG_TYPE=$1
+    LOG_MESSAGE=$2
+
+    case "${LOG_TYPE}" in
+    "INF")
+        echo -e "${CBLUE}=INF= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}"
+    ;;
+    "WRN")
+        echo -e "${CYELLOW}=WRN= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}"
+    ;;
+    "ERR")
+        echo -e "${CRED}=ERR= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}"
+    ;;
+    esac
+}
+
+f_check_certs() {
+    LIST_DOMAINS=$(ls /nginx/ssl/certificates | grep .crt | grep -v issuer | sed 's|.crt||g')
+    RELOAD_NGINX=0
+
+    for domain in ${LIST_DOMAINS}; do 
+        CERTFILE=/nginx/ssl/certificates/${domain}.cert.pem
+        KEYFILE=/nginx/ssl/certificates/${domain}.key
+        CHAINFILE=/nginx/ssl/certificates/${domain}.chain.pem
+        FULLCHAINFILE=/nginx/ssl/certificates/${domain}.crt
+        
+        mkdir -p /nginx/www/${domain}
+        openssl x509 -checkend 864000 -noout -in "${FULLCHAINFILE}"
+        if [ $? == 0 ]; then
+            f_log INF "Certificate for ${domain} is good for another 10 days!"
+        else
+            f_log INF "Generate New Certificate for ${domain}"
+            /usr/local/bin/lego -a -m ${EMAIL} -d ${domain} --path /nginx/ssl --webroot /nginx/www/${domain} renew
+            if [ $? == 0 ]; then
+                if [ -e ${FULLCHAINFILE} ]; then
+                    head -$(grep -n "END CERTIFICATE" ${FULLCHAINFILE} | head -1 | cut -d: -f1) ${FULLCHAINFILE} > ${CERTFILE}
+                    tail -$(($(wc -l ${FULLCHAINFILE} | awk '{print $1}')-$(grep -n "END CERTIFICATE" ${FULLCHAINFILE} | head -1 | cut -d: -f1))) ${FULLCHAINFILE} > ${CHAINFILE}
+                    RELOAD_NGINX=1
+                    f_log INF "New Certificate for ${domain} generated" 
+                fi
+            else 
+                f_log ERR "New Certificate for ${domain} not generated"
+            fi
+        fi             
+    done
+}
+
+f_check_certs
+
+if [ ${RELOAD_NGINX} -eq 1 ]; then
+    nginx reload
+fi
diff --git a/rootfs/usr/local/bin/startup b/rootfs/usr/local/bin/startup
new file mode 100644
index 0000000..a444b7c
--- /dev/null
+++ b/rootfs/usr/local/bin/startup
@@ -0,0 +1,201 @@
+#!/bin/sh
+
+## Variables
+CSI="\033["
+CEND="${CSI}0m"
+CRED="${CSI}1;31m"
+CGREEN="${CSI}1;32m"
+CYELLOW="${CSI}1;33m"
+CBLUE="${CSI}1;34m"
+
+## Functions
+f_log() {
+    LOG_TYPE=$1
+    LOG_MESSAGE=$2
+
+    case "${LOG_TYPE}" in
+    "INF")
+        echo -e "${CBLUE}=INF= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}"
+    ;;
+    "SUC")
+        echo -e "${CGREEN}=SUC= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}"
+    ;;
+    "WRN")
+        echo -e "${CYELLOW}=WRN= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}"
+    ;;
+    "ERR")
+        echo -e "${CRED}=ERR= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}"
+    ;;
+    esac
+}
+
+f_gen_sites_enabled() {
+    if [ "${FRONTEND_SSL}" == "true" ]; then
+        template_sites=/nginx/sites-enabled/template_ssl
+    else
+        template_sites=/nginx/sites-enabled/template
+    fi
+	if [ "${FRONTEND_TOR}" == "true" ]; then
+		if [ -d /tor/${FRONTEND_DOMAIN}/ ]; then
+                        ONION_DOMAIN=$(cat /tor/${FRONTEND_DOMAIN}/hostname)
+                        echo "HiddenServiceDir /tor/"${FRONTEND_DOMAIN}"/" >> /etc/tor/torrc
+                        echo "HiddenServicePort 443 127.0.0.1:443" >> /etc/tor/torrc
+			sed -e 's|<frontend_domain>|'${FRONTEND_DOMAIN}'|' \
+                            -e 's|<onion_domain>|'${ONION_DOMAIN}'|' ${template_sites} > /nginx/sites-enabled/${FRONTEND_DOMAIN}.conf
+		else
+			echo "HiddenServiceDir /tor/"${FRONTEND_DOMAIN}"/" >> /etc/tor/torrc 
+			echo "HiddenServicePort 443 127.0.0.1:443" >> /etc/tor/torrc 
+                        echo "Please restard your container"
+			sed -e 's|<frontend_domain>|'${FRONTEND_DOMAIN}'|' ${template_sites} > /nginx/sites-enabled/${FRONTEND_DOMAIN}.conf
+                fi     
+    else
+        sed -e 's|<frontend_domain>|'${FRONTEND_DOMAIN}'|' \
+            -e 's|<onion_domain>| |' ${template_sites} > /nginx/sites-enabled/${FRONTEND_DOMAIN}.conf
+    fi
+}
+
+f_gen_location() {
+    container_name=$1
+    if [ ! -d /nginx/path.d/${FRONTEND_DOMAIN} ]; then
+        mkdir -p /nginx/path.d/${FRONTEND_DOMAIN}
+    fi
+
+    if [ "${FRONTEND_PATH}" == "/" ]; then
+        path_file=/nginx/path.d/${FRONTEND_DOMAIN}/base.conf
+        auth_file=/nginx/auth/${FRONTEND_DOMAIN}/base.auth
+    else
+        path_file=/nginx/path.d/${FRONTEND_DOMAIN}/${FRONTEND_PATH}.conf
+        auth_file=/nginx/auth/${FRONTEND_DOMAIN}/${FRONTEND_PATH}.auth
+    fi
+    if [ ! -e ${path_file} ]; then
+        if [ "${FRONTEND_AUTH}" != "" ]; then
+            mkdir -p /nginx/auth/${FRONTEND_DOMAIN}
+            sed -e 's|<frontend_domain_max_body_size>|'${FRONTEND_MAX_BODY_SIZE}'|' \
+                -e 's|<backend_addr>|'${container_name}'|' \
+                -e 's|<backend_port>|'${BACKEND_PORT}'|' \
+                -e 's|<frontend_domain>|'${FRONTEND_DOMAIN}'|' \
+                -e 's|<frontend_path>|'${FRONTEND_PATH}'|' \
+                -e 's|<auth_file>|'${auth_file}'|' /nginx/path.d/template_auth > ${path_file}
+            echo "${FRONTEND_AUTH}" > ${auth_file}
+        else
+            sed -e 's|<frontend_domain_max_body_size>|'${FRONTEND_MAX_BODY_SIZE}'|' \
+                -e 's|<backend_addr>|'${container_name}'|' \
+                -e 's|<backend_port>|'${BACKEND_PORT}'|' \
+                -e 's|<frontend_path>|'${FRONTEND_PATH}'|' /nginx/path.d/template > ${path_file}
+        fi
+    fi
+}
+
+f_gen_certs() {
+    container_name=$1
+    if [ "${FRONTEND_SSL}" == "true" ]; then
+        CERTFILE=/nginx/ssl/certificates/${FRONTEND_DOMAIN}.cert.pem
+        KEYFILE=/nginx/ssl/certificates/${FRONTEND_DOMAIN}.key
+        CHAINFILE=/nginx/ssl/certificates/${FRONTEND_DOMAIN}.chain.pem
+        FULLCHAINFILE=/nginx/ssl/certificates/${FRONTEND_DOMAIN}.crt
+        if [ ! -e ${CERTFILE} ] || [ ! -e ${KEYFILE} ] || [ ! -e ${CHAINFILE} ] || [ ! -e ${FULLCHAINFILE} ]; then
+            mkdir -p /nginx/www/${FRONTEND_DOMAIN}
+            /usr/local/bin/lego -a -m ${EMAIL} -d ${FRONTEND_DOMAIN} --path /nginx/ssl --http :8080 --tls :8443 -k ${FRONTEND_SSLTYPE} run
+            if [ $? == 0 ]; then
+                head -$(grep -n "END CERTIFICATE" ${FULLCHAINFILE} | head -1 | cut -d: -f1) ${FULLCHAINFILE} > ${CERTFILE}
+                tail -$(($(wc -l ${FULLCHAINFILE} | awk '{print $1}')-$(grep -n "END CERTIFICATE" ${FULLCHAINFILE} | head -1 | cut -d: -f1))) ${FULLCHAINFILE} > ${CHAINFILE}
+                chown -R ${UID}:${GID} /nginx/ssl/
+            fi
+            [[ $? == 0 ]] && f_log INF "New Certificate for ${FRONTEND_DOMAIN} generated" || f_log ERR "New Certificate for ${FRONTEND_DOMAIN} not generated"
+        fi
+    fi
+}
+
+
+
+f_make_conf() {
+
+    FRONTEND_DOMAIN=mydomain.local
+    FRONTEND_MAX_BODY_SIZE=200M
+    FRONTEND_SSLTYPE=ec384
+    BACKEND_PORT=8080
+    FRONTEND_PATH="/"
+    FRONTEND_SSL=false
+    FRONTEND_AUTH=""
+    FRONTEND_TOR=false
+    container_name=$1
+    IFS=$'\n' 
+    if [ "${CONTAINER_LABELS}" != "" ]; then
+        for label in ${CONTAINER_LABELS}; do
+            case "$(echo ${label} | awk '{print $1}')" in
+                "reverse.frontend.domain")
+                    FRONTEND_DOMAIN=""
+                    FRONTEND_DOMAIN="$(echo ${label} | awk '{print $2}')"
+                ;;
+                "reverse.frontend.path")
+                    FRONTEND_PATH="$(echo ${label} | awk '{print $2}')"
+                ;;
+                "reverse.frontend.auth")
+                    FRONTEND_AUTH="$(echo ${label} | awk '{print $2}')"
+                ;;
+                "reverse.frontend.ssltype")
+                    FRONTEND_SSLTYPE="$(echo ${label} | awk '{print $2}')"
+                ;;
+                "reverse.frontend.domain_max_body_size")
+                    FRONTEND_MAX_BODY_SIZE="$(echo ${label} | awk '{print $2}')"
+                ;;
+                "reverse.frontend.ssl")
+                    FRONTEND_SSL="$(echo ${label} | awk '{print $2}')"
+                ;;
+                "reverse.frontend.tor")
+                    FRONTEND_TOR="$(echo ${label} | awk '{print $2}')"
+                ;;
+                "reverse.backend.port")
+                    BACKEND_PORT="$(echo ${label} | awk '{print $2}')"
+                ;;
+            esac
+        done
+        f_log INF "Generate files for ${FRONTEND_DOMAIN}, with path=${FRONTEND_PATH}, auth=${FRONTEND_AUTH}, ssl_type=${FRONTEND_SSLTYPE}, ssl=${FRONTEND_SSL} and port=${BACKEND_PORT}"
+        f_gen_location ${container_name}
+        f_gen_sites_enabled
+        f_gen_certs ${container_name}
+    fi
+}
+
+
+# Check /var/run/docker.sock
+f_log INF "Check if /var/run/docker.sock exist ..."
+ls /var/run/docker.sock > /dev/null 2>&1
+if [ $? == 0 ]; then
+    f_log INF "/var/run/docker.sock exist ..."
+else
+    f_log ERR "/var/run/docker.sock don't exist ..."
+    exit 1
+fi
+
+
+f_log INF "Start reverse configuration ..."
+
+# Prepare container
+f_log INF "Create user 'reverse'"
+addgroup -g ${GID} reverse && adduser -H -s /bin/sh -D -G reverse -u ${UID} reverse
+f_log INF "Create folder"
+mkdir -p /nginx/sites-enabled /nginx /nginx/log /nginx/run /nginx/sites-enabled /nginx/ssl /nginx/ssl/selfsigned/dhparam
+mkdir -p /home/reverse/.tor
+# Generate file
+for container in $(curl --unix-socket /var/run/docker.sock http://localhost/containers/json 2> /dev/null | jq '.[].Names' | sed 's|.*"/\(.*\)"$|\1|;/\[/d;/\]/d'); do 
+    CONTAINER_LABELS=$(curl --unix-socket /var/run/docker.sock http://localhost/containers/${container}/json 2> /dev/null | jq '.Config.Labels' | grep -E "reverse\." | sed 's|.*"\(.*\)": "\(.*\)".*$|\1 \2|')
+    f_make_conf ${container}
+done
+
+f_log INF "Apply permissions"
+chown -R reverse:reverse /nginx /etc/s6.d /tor/ /home/reverse/.tor
+chmod +x /usr/local/bin/check_certs
+find /etc/s6.d -name run -exec chmod +x {} \;
+find /etc/s6.d -name finish -exec chmod +x {} \;
+
+f_log SUC "End reverse configuration"
+
+
+## run s6
+if [ $# -gt 0 ]; then
+    exec su-exec reverse:reverse "$@"
+else
+    exec su-exec reverse:reverse /bin/s6-svscan /etc/s6.d      
+fi
+