diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..2c20a24
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,11 @@
+FROM alpine:3.3
+MAINTAINER Andrey Arapov
+
+RUN echo '@testing http://dl-cdn.alpinelinux.org/alpine/edge/testing' >> /etc/apk/repositories && \
+ apk update && \
+ apk add nginx-naxsi@testing inotify-tools && \
+ mkdir /tmp/nginx
+
+COPY nginx.conf /etc/nginx/nginx.conf
+COPY launch /launch
+ENTRYPOINT /launch
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..d2bf822
--- /dev/null
+++ b/README.md
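Review bot: `ENTRYPOINT /launch` on the last line is shell form, so the container's main process is `/bin/sh -c` and the launch script may not receive the `SIGTERM` that `docker stop` sends; the exec form `ENTRYPOINT ["/launch"]` avoids that. In the RUN step the packages come from the moving `edge/testing` repository with no version pins and the apk index fetched by `apk update` stays in the layer, so two builds of the same Dockerfile can yield different images; `apk add --no-cache` with pinned versions (`pkg=<version>`, versions to be chosen when pinning) makes the build reproducible, and a comment on why `nginx-naxsi` is taken from testing rather than the 3.3 main repository would help the next maintainer. `MAINTAINER` is deprecated in favour of `LABEL maintainer="Andrey Arapov"`, and the purpose of `mkdir /tmp/nginx` is not evident from this hunk and deserves a one-line comment.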
@@ -0,0 +1,64 @@
+# nginx simple semi-automated reverse proxy
+
+Simply mount your volume or a directory as `/etc/nginx/conf.d` to the container,
+it will automatically detect the differences in there and load-up the new configuration!
+
+
+**docker-compose.yml** file example
+```
+version '2'
+services:
+ nginx:
+ image: andrey01/nginx
+ networks:
+ - backend
+ - frontend
+ volumes:
+ - /home/docker/configs/letsencrypt:/etc/letsencrypt:ro
+ - /home/docker/configs/nginx:/etc/nginx/conf.d:ro
+ ports:
+ - 80:80
+ - 443:443
+ restart: always
+```
+
+Then you can add some configuration to the `/home/docker/configs/nginx` directory,
+for example you may add the following config:
+
+**webmail.conf** file example
+```
+server {
+ listen 80;
+ server_name webmail.mydomain.com;
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl http2;
+ server_name webmail.mydomain.com;
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
+
+ # enable HSTS (HTTP Strict Transport Security) to avoid SSL stripping
+ add_header Strict-Transport-Security "max-age=15768000; includeSubdomains" always;
+
+ # Built-in Docker's DNS server
+ resolver 127.0.0.11:53 ipv6=off valid=10s;
+ set $upstream_endpoint http://webmail:8080;
+
+ location / {
+ proxy_pass $upstream_endpoint;
+ proxy_redirect off;
+ proxy_buffering off;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+}
+```
+
+You can have your `webmail` service running in the `backend` network, of which the nginx will take care of and pass it to the frontend.
+
diff --git a/launch b/launch
new file mode 100755
index 0000000..0605795
--- /dev/null
+++ b/launch
@@ -0,0 +1,12 @@
+#!/bin/sh
+# debug
+# set -x
+
+while true; do
+ inotifywait -e close_write,moved_to,create,delete /etc/nginx/conf.d
+ sleep 2
+ echo "INFO: nginx configuration change detected, attempting to load the new configuration ..."
+ nginx -t && nginx -s reload || echo "ERROR: nginx configuration has problems, thus cannot be reloaded."
+done &
+
+/usr/sbin/nginx
diff --git a/nginx.conf b/nginx.conf
new file mode 100644
index 0000000..891820e
--- /dev/null
+++ b/nginx.conf
@@ -0,0 +1,25 @@
+daemon off;
+error_log stderr info;
+user nginx;
+worker_processes 1;
+pid /var/run/nginx.pid;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ keepalive_timeout 65;
+ gzip on;
+ server_tokens off;
+ include conf.d/*.conf;
+}
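Review bot: The final `/usr/sbin/nginx` is started as a child of the script instead of replacing it, so a `SIGTERM` delivered to the script as the container's main process is not forwarded to the nginx master and the container likely stops only after the runtime's kill timeout; change the last line to `exec /usr/sbin/nginx`. The watcher loop is backgrounded before nginx is started, so an event arriving in the first seconds may make `nginx -s reload` fail because the pid file does not exist yet — harmless, but the `echo "ERROR: ..."` then lands on stdout next to the INFO line, and sending it to stderr with `>&2` keeps it in the same stream `error_log stderr info` already uses. A change that lands between the `nginx -t` run and the next `inotifywait` call is only picked up by a later event, which is presumably acceptable for a semi-automated reload but deserves a comment above the loop.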
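Review bot: `access_log /var/log/nginx/access.log main;` writes into the container's writable layer with no rotation while `error_log` already goes to stderr, so the access log grows unbounded and is invisible to `docker logs`; `access_log /dev/stdout main;` keeps both streams on the container's output. The `server` blocks this image loads come from the user-mounted `conf.d`, and this http block sets no `ssl_protocols` or `ssl_prefer_server_ciphers`, so every mounted vhost that enables TLS falls back to the nginx build's defaults; a baseline of `ssl_protocols TLSv1.2;` and `ssl_prefer_server_ciphers on;` here would apply to all of them. The image installs `nginx-naxsi`, yet nothing in this hunk includes the naxsi core rules, so if the WAF is meant to be active that include appears to be missing — worth confirming against the package and noting in a comment either way.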