eforce21 / letsencrypt-nginx-proxy
reverse proxy with automated vHost and SSL-cert generation
License: MIT License
Our createSSL.sh is failing to run. It appears that every time certbot-auto runs, it is attempting to self-update and that self update is running into issues changing the filesystem. We are seeing errors like:
rm: cannot remove '/root/.local/share/letsencrypt/lib/python2.7/site-packages/enum': Directory not empty
Should we be running certbot-auto with --no-self-update to make sure this doesn't happen?
I had some issues with docker-compose files in version 2, since there doesn't seem to be an IP address exposed.
The process literally just dies due to an invalid forward syntax in the nginx default.conf.
Something like this:
upstream somedomain.tld {
    # composecontext_nginx_1
    server :80;
}
Currently this image persists the keys and lets encrypt information in the container. This isn't ideal if the container is removed, as key generation for all the hosts must happen again.
Is there a convenient directory in the container that can be mounted as a volume to provide persistence?
If so, that would be a nice addition to the readme.
Hi,
I've been playing around with the whole thingy for some hours, but I am just able to have an http, not an https, proxy setup running.
I am doing this with a docker-compose file like this:
rproxy:
  image: eforce21/letsencrypt-nginx-proxy:1.0.2
  ports:
    - "{{IP}}:80:80"
    - "{{IP}}:443:443"
  volumes:
    - "/var/run/docker.sock:/tmp/docker.sock:ro"
  restart: always
  environment:
    - [email protected]
wordpress:
  image: wordpress
  links:
    - mariadb:mysql
  volumes:
    - ./wordpress-data:/var/www/html
  environment:
    - VIRTUAL_HOST=blog.myhost.addrress
mariadb:
  image: mariadb
  environment:
    - MYSQL_ROOT_PASSWORD={{secret}}
  volumes:
    - ./mariadb-data:/var/lib/mysql
I would appreciate any hint - I am stuck here.
We have a setup using this for a pretty large environment (50+ containers) and only a few of them are meant to be "public" and would require an SSL cert. Given that the current rate limits are 5 certificates per domain every 7 days, it would take us weeks to get all the certs (and we don't even really need them). It would be fantastic if we could use Docker labels on containers to identify them as a container we want to request a certificate for. Something simple like letsencrypt.cert=true. I would be happy to look into providing a PR around this, but it appears that createSSL.sh is an executable and not a shell script that I could look at modifying.
Happy to help, though, but the opportunity appears to be limited.
ssllabs.com:
This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.
jwilder/nginx-proxy supports openssl generated DH key groups
https://github.com/jwilder/nginx-proxy#diffie-hellman-groups
VIRTUAL_HOST=foo.bar.com should have a foo.bar.com.dhparam.pem
JrCs/docker-letsencrypt-nginx-proxy-companion's build generates one on the first start
https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion/blob/master/app/entrypoint.sh
function check_dh_group {
    # Generate the group once; write to a temp file and rename so a
    # half-written dhparam.pem is never picked up by nginx.
    if [[ ! -f /etc/nginx/certs/dhparam.pem ]]; then
        echo "Creating Diffie-Hellman group (can take several minutes...)"
        openssl dhparam -out /etc/nginx/certs/.dhparam.pem.tmp 2048
        mv /etc/nginx/certs/.dhparam.pem.tmp /etc/nginx/certs/dhparam.pem || exit 1
    fi
}
Along with the above, editing ssl.tmpl to symlink dhparam.pem to foo.bar.com.dhparam.pem would also be needed. But I'm not skilled enough in git to create a PR.
It would be nice to have a configuration option for the email address that is passed to letsencrypt.
Suggestion: Environment variable LETSENCRYPT_EMAIL, configured in docker-compose.yml. The current value info@{{host}} can be used as a default.
Hello and thank you for your great work!
I am facing some issues with the cert requests.
It does work as a virtual host proxy when I apply the nocert label, though.
edu:
  environment:
    - 'NODE_ENV=production'
    - 'PORT=80'
    - 'VIRTUAL_HOST=edu.test.carre-project.eu'
  expose:
    - '80'
  image: 'carre/educational-aggregator:latest'
  labels:
    letsencrypt.nocert: 'true'
  restart: 'always'
entry:
  environment:
    - 'NODE_ENV=production'
    - 'PORT=80'
    - 'VIRTUAL_HOST=entry.test.carre-project.eu'
  expose:
    - '80'
  image: 'carre/risk-entry-system:latest'
  labels:
    letsencrypt.nocert: 'true'
  restart: 'always'
proxy:
  environment:
    - '[email protected]'
  image: 'eforce21/letsencrypt-nginx-proxy:latest'
  links:
    - 'edu'
    - 'entry'
  ports:
    - '80:80'
  restart: 'always'
  volumes:
    - '/var/run/docker.sock:/tmp/docker.sock:ro'
eforce21/letsencrypt-nginx-proxy:latest "/app/docker-entrypoi" 10 minutes ago Up 10 minutes 0.0.0.0:80->80/tcp, 443/tcp proxy-1.test4.09c4dcd3
carre/risk-entry-system:latest "node server.js" 10 minutes ago Up 10 minutes 80/tcp entry-1.test4.6ff9df72
carre/educational-aggregator:latest "npm start" 10 minutes ago Up 10 minutes 80/tcp edu-1.test4.ee12a5eb
proxy-1 | 2016-06-16T20:04:47.276860204Z forego | starting nginx.1 on port 5000
proxy-1 | 2016-06-16T20:04:47.285017483Z forego | starting confgen.1 on port 5100
proxy-1 | 2016-06-16T20:04:47.294697027Z forego | starting sslgen.1 on port 5300
proxy-1 | 2016-06-16T20:04:47.306455524Z forego | starting cron.1 on port 5600
proxy-1 | 2016-06-16T20:04:47.580207350Z sslgen.1 | 2016/06/16 20:04:47 Generated '/createSSL.sh' from 3 containers
proxy-1 | 2016-06-16T20:04:47.584037007Z sslgen.1 | 2016/06/16 20:04:47 Running '/createSSL.sh'
proxy-1 | 2016-06-16T20:04:47.624114454Z confgen.1 | 2016/06/16 20:04:47 Generated '/etc/nginx/conf.d/default.conf' from 3 containers
proxy-1 | 2016-06-16T20:04:47.628955211Z confgen.1 | 2016/06/16 20:04:47 Running 'nginx -s reload'
proxy-1 | 2016-06-16T20:04:47.717094977Z confgen.1 | 2016/06/16 20:04:47 [nginx -s reload]: 2016/06/16 20:04:47 [notice] 38#38: signal process started
proxy-1 | 2016-06-16T20:04:47.770139391Z confgen.1 | 2016/06/16 20:04:47 Watching docker events
proxy-1 | 2016-06-16T20:04:47.816308666Z confgen.1 | 2016/06/16 20:04:47 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification 'nginx -s reload'
proxy-1 | 2016-06-16T20:04:53.193949403Z nginx.1 | edu.test.carre-project.eu 66.133.109.36 - - [16/Jun/2016:20:04:53 +0000] "GET /.well-known/acme-challenge/VhrA90oV9L9xsgIraUrefpMlq3it6hChUqqOTNLLyWY HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
proxy-1 | 2016-06-16T20:05:05.132478599Z nginx.1 | entry.test.carre-project.eu 212.251.18.83 - - [16/Jun/2016:20:05:05 +0000] "GET / HTTP/1.1" 200 742 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36"
proxy-1 | 2016-06-16T20:05:05.464320366Z nginx.1 | entry.test.carre-project.eu 212.251.18.83 - - [16/Jun/2016:20:05:05 +0000] "GET /config.js HTTP/1.1" 200 214 "http://entry.test.carre-project.eu/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36"
proxy-1 | 2016-06-16T20:05:05.547591838Z nginx.1 | entry.test.carre-project.eu 212.251.18.83 - - [16/Jun/2016:20:05:05 +0000] "GET /styles/app-64e21ab698.css HTTP/1.1" 200 5465 "http://entry.test.carre-project.eu/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36"
proxy-1 | 2016-06-16T20:05:05.571256586Z nginx.1 | entry.test.carre-project.eu 212.251.18.83 - - [16/Jun/2016:20:05:05 +0000] "GET /styles/vendor-8184b27656.css HTTP/1.1" 200 49146 "http://entry.test.carre-project.eu/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36"
proxy-1 | 2016-06-16T20:05:05.628708156Z nginx.1 | entry.test.carre-project.eu 212.251.18.83 - - [16/Jun/2016:20:05:05 +0000] "GET /scripts/app-d02e74115a.js HTTP/1.1" 200 41442 "http://entry.test.carre-project.eu/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36"
proxy-1 | 2016-06-16T20:05:05.848328843Z nginx.1 | entry.test.carre-project.eu 212.251.18.83 - - [16/Jun/2016:20:05:05 +0000] "GET /scripts/vendor-e868f00ec3.js HTTP/1.1" 200 464840 "http://entry.test.carre-project.eu/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36"
proxy-1 | 2016-06-16T20:05:06.656756710Z nginx.1 | entry.test.carre-project.eu 212.251.18.83 - - [16/Jun/2016:20:05:06 +0000] "GET /fonts/fontawesome-webfont.woff2?v=4.4.0 HTTP/1.1" 200 64464 "http://entry.test.carre-project.eu/styles/vendor-8184b27656.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36"
proxy-1 | 2016-06-16T20:05:06.730425213Z nginx.1 | entry.test.carre-project.eu 212.251.18.83 - - [16/Jun/2016:20:05:06 +0000] "GET /assets/images/carre_logo.png HTTP/1.1" 200 3958 "http://entry.test.carre-project.eu/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36"
proxy-1 | 2016-06-16T20:05:06.803201251Z nginx.1 | entry.test.carre-project.eu 212.251.18.83 - - [16/Jun/2016:20:05:06 +0000] "GET /assets/images/model.jpg HTTP/1.1" 200 222008 "http://entry.test.carre-project.eu/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36"
proxy-1 | 2016-06-16T20:05:06.840664216Z nginx.1 | entry.test.carre-project.eu 212.251.18.83 - - [16/Jun/2016:20:05:06 +0000] "GET /api/carreapi/public_en_count_all/https%3A%2F%2Fcarre.kmi.open.ac.uk%2Fws%2Fquery/PREFIX%20xsd%3A%20%3Chttp%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23%3E%20%0APREFIX%20rdf%3A%20%3Chttp%3A%2F%2Fwww.w3.org%2F1999%2F02%2F22-rdf-syntax-ns%23%3E%20%0APREFIX%20carreUsers%3A%20%3Chttps%3A%2F%2Fcarre.kmi.open.ac.uk%2Fusers%2F%3E%20%0APREFIX%20risk%3A%20%3Chttp%3A%2F%2Fcarre.kmi.open.ac.uk%2Fontology%2Frisk.owl%23%3E%20%0APREFIX%20ME%3A%20%3Chttp%3A%2F%2Fcarre.kmi.open.ac.uk%2Fmeasurement_types%2F%3E%20%0APREFIX%20OB%3A%20%3Chttp%3A%2F%2Fcarre.kmi.open.ac.uk%2Fobservables%2F%3E%20%0APREFIX%20RL%3A%20%3Chttp%3A%2F%2Fcarre.kmi.open.ac.uk%2Frisk_elements%2F%3E%20%0APREFIX%20RV%3A%20%3Chttp%3A%2F%2Fcarre.kmi.open.ac.uk%2Frisk_evidences%2F%3E%20%0APREFIX%20RF%3A%20%3Chttp%3A%2F%2Fcarre.kmi.open.ac.uk%2Frisk_factors%2F%3E%20%0APREFIX%20RW%3A%20%3Chttp%3A%2F%2Fcarre.kmi.open.ac.uk%2Frisk_r
proxy-1 | 2016-06-16T20:05:07.158855011Z nginx.1 | entry.test.carre-project.eu 212.251.18.83 - - [16/Jun/2016:20:05:07 +0000] "GET /favicon.ico HTTP/1.1" 200 732 "http://entry.test.carre-project.eu/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36"
proxy-1 | 2016-06-16T20:05:08.314884103Z nginx.1 | entry.test.carre-project.eu 66.133.109.36 - - [16/Jun/2016:20:05:08 +0000] "GET /.well-known/acme-challenge/Y3vYw3K_tZM9jWLXIu8_VqjJzeDnsRY1s3C76gut61c HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
proxy-1 | 2016-06-16T20:05:13.114120993Z sslgen.1 | 2016/06/16 20:05:13 [/createSSL.sh]: IMPORTANT NOTES:
proxy-1 | 2016-06-16T20:05:13.114468824Z sslgen.1 | e a
proxy-1 | 2016-06-16T20:05:13.114726076Z sslgen.1 | rsion of this certificate in the future, simply run certbot-auto
proxy-1 | 2016-06-16T20:05:13.176715292Z sslgen.1 | 2016/06/16 20:05:13 Watching docker events
proxy-1 | 2016-06-16T20:05:13.207077203Z sslgen.1 | 2016/06/16 20:05:13 Contents of /createSSL.sh did not change. Skipping notification '/createSSL.sh'
proxy-1 | 2016-06-16T20:06:01.173913593Z nginx.1 | entry.test.carre-project.eu 212.251.18.83 - - [16/Jun/2016:20:06:01 +0000] "GET / HTTP/1.1" 301 185 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36"
proxy-1 | 2016-06-16T20:06:24.053291110Z nginx.1 | edu.test.carre-project.eu 212.251.18.83 - - [16/Jun/2016:20:06:24 +0000] "GET / HTTP/1.1" 301 185 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36"
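When cert requests misbehave, the lines worth isolating in the output above are the HTTP-01 validation fetches: the Let's Encrypt validation server requesting /.well-known/acme-challenge/<token> on each vhost and whether nginx answered 200. The following added example (not code from the project) extracts exactly that from compose-prefixed nginx access-log lines. It assumes the log format visible in the issue; the sample lines are constructed, modelled on that output with placeholder hostnames and token values, plus one failing fetch to show what a broken challenge looks like.

```python
"""Summarise ACME HTTP-01 validation fetches from the proxy's nginx access log.

Added example, not part of letsencrypt-nginx-proxy. Assumed log format (as in
the issue): '<vhost> <client> - - [<time>] "<method> <path> HTTP/1.1" <status> <bytes> "<referer>" "<ua>"',
optionally prefixed by compose/forego with 'proxy-1 | <timestamp> nginx.1 | '.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) - - \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
VALIDATOR_UA_MARK = "Let's Encrypt validation server"

# Constructed sample log lines (placeholder hosts and tokens, not from a real deployment).
SAMPLE_LINES = r'''
proxy-1 | 2016-06-16T20:04:47.580207350Z sslgen.1 | 2016/06/16 20:04:47 Running '/createSSL.sh'
proxy-1 | 2016-06-16T20:04:53.193949403Z nginx.1 | edu.example.test 192.0.2.10 - - [16/Jun/2016:20:04:53 +0000] "GET /.well-known/acme-challenge/TOKEN_A HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
proxy-1 | 2016-06-16T20:05:05.132478599Z nginx.1 | entry.example.test 198.51.100.7 - - [16/Jun/2016:20:05:05 +0000] "GET / HTTP/1.1" 200 742 "-" "Mozilla/5.0 (X11; Linux x86_64) Gecko Firefox/47.0"
proxy-1 | 2016-06-16T20:05:08.314884103Z nginx.1 | entry.example.test 192.0.2.10 - - [16/Jun/2016:20:05:08 +0000] "GET /.well-known/acme-challenge/TOKEN_B HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
proxy-1 | 2016-06-16T20:05:09.000000000Z nginx.1 | bad.example.test 192.0.2.10 - - [16/Jun/2016:20:05:09 +0000] "GET /.well-known/acme-challenge/TOKEN_C HTTP/1.1" 404 169 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
'''.strip().splitlines()


def strip_compose_prefix(line):
    """Drop the 'proxy-1 | <ts> nginx.1 | ' prefix; non-nginx lines come back unchanged."""
    return line.split(" nginx.1 | ", 1)[-1]


def parse_line(line):
    """Parse one nginx access-log line into a dict, or None if it is not an access-log line."""
    m = LINE_RE.match(strip_compose_prefix(line))
    return m.groupdict() if m else None


def acme_validation_report(lines):
    """Per vhost: how many challenge fetches were seen, whether all returned 200,
    and whether at least one came from the Let's Encrypt validator user agent."""
    report = defaultdict(lambda: {"challenges": 0, "all_ok": True, "validator_seen": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(CHALLENGE_PREFIX):
            continue
        entry = report[rec["vhost"]]
        entry["challenges"] += 1
        if rec["status"] != "200":
            entry["all_ok"] = False
        if VALIDATOR_UA_MARK in rec["ua"]:
            entry["validator_seen"] = True
    return dict(report)


def failed_hosts(lines):
    """Sorted vhosts whose challenge fetch did not all succeed, the ones to debug first."""
    return sorted(h for h, e in acme_validation_report(lines).items() if not e["all_ok"])


def run_sample():
    return acme_validation_report(SAMPLE_LINES)


if __name__ == "__main__":
    for host, entry in run_sample().items():
        print(host, entry)
    print("failed:", failed_hosts(SAMPLE_LINES))
```

Feed it `docker-compose logs proxy` output (or the raw nginx access log) and look at `failed_hosts` first; a vhost that never appears in the report at all means the validator's request did not reach this proxy, which points at DNS or port 80 exposure rather than at certbot.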
Fix all those little typos and maybe add some more detailed information on how that actually works with the SSL certs.
There seems to be a blank in the shell script template: The --email parameter should be info@{{ host }}, not info@ {{ host }}.
Currently, info@ is used as email parameter, while {{ host }} is passed to letsencrypt as an argument.
I have a reproducible issue: when I add something like environment: - VIRTUAL_HOST=tkaefer.de,www.tkaefer.de
I'll get a strange setup in the nginx-proxy:
root@45389f38fcdc:/app# ls -lh /etc/nginx/certs/tkaefer.de,www.tkaefer.de.*
lrwxrwxrwx 1 root root 61 May 28 14:23 /etc/nginx/certs/tkaefer.de,www.tkaefer.de.crt -> /etc/letsencrypt/live/tkaefer.de,www.tkaefer.de/fullchain.pem
lrwxrwxrwx 1 root root 59 May 28 14:23 /etc/nginx/certs/tkaefer.de,www.tkaefer.de.key -> /etc/letsencrypt/live/tkaefer.de,www.tkaefer.de/privkey.pem
BUT the linked file is not present:
root@45389f38fcdc:/app# ls -lh /etc/letsencrypt/live/tkaefer.de,www.tkaefer.de/fullchain.pem
ls: cannot access /etc/letsencrypt/live/tkaefer.de,www.tkaefer.de/fullchain.pem: No such file or directory
I am just able to resolve this by linking them correctly:
root@45389f38fcdc:/app# ls -lh /etc/nginx/certs/{www.,}tkaefer.de.*
lrwxrwxrwx 1 root root 46 May 28 14:20 /etc/nginx/certs/tkaefer.de.crt -> /etc/letsencrypt/live/tkaefer.de/fullchain.pem
lrwxrwxrwx 1 root root 44 May 28 14:20 /etc/nginx/certs/tkaefer.de.key -> /etc/letsencrypt/live/tkaefer.de/privkey.pem
lrwxrwxrwx 1 root root 46 May 28 14:20 /etc/nginx/certs/www.tkaefer.de.crt -> /etc/letsencrypt/live/tkaefer.de/fullchain.pem
lrwxrwxrwx 1 root root 44 May 28 14:21 /etc/nginx/certs/www.tkaefer.de.key -> /etc/letsencrypt/live/tkaefer.de/privkey.pem
The SSL certificate seems to be created right:
[] % openssl s_client -connect tkaefer.de:443 -servername tkaefer.de | openssl x509 -noout -text | grep DNS:
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = tkaefer.de
verify return:1
DNS:tkaefer.de, DNS:www.tkaefer.de
Any hint why this happens?
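Several of the issues above are really one problem: the generated createSSL.sh has to decide which containers get a certificate (the letsencrypt.nocert opt-out, the proposed letsencrypt.cert opt-in), what --email to pass (a LETSENCRYPT_EMAIL override, with info@host as default and no stray blank), and how a comma-separated VIRTUAL_HOST maps onto certbot's lineage directory, which is named after the first -d domain rather than the whole comma list. The following added example (not the project's template or its createSSL.sh) models that selection in plain Python so the rules can be tested. It assumes container metadata in the shape docker-gen exposes (environment and labels), the webroot path /usr/share/nginx/html, and the cert/key naming shown in the ls output above; the letsencrypt.cert label and the LETSENCRYPT_EMAIL variable are the proposals from the issues, not existing features.

```python
"""Model the host-to-certificate decisions a createSSL.sh generator has to make.

Added example, not code from letsencrypt-nginx-proxy. Assumptions: env VIRTUAL_HOST
may hold a comma-separated list; label letsencrypt.nocert=true opts out; label
letsencrypt.cert=true (proposed) opts in when opt-in mode is used; env
LETSENCRYPT_EMAIL (proposed) overrides the info@<first host> default; certbot
stores a multi-domain cert under /etc/letsencrypt/live/<first -d domain>/.
"""
from dataclasses import dataclass, field

WEBROOT = "/usr/share/nginx/html"   # assumed challenge webroot served by the proxy


@dataclass
class Container:
    name: str
    env: dict = field(default_factory=dict)
    labels: dict = field(default_factory=dict)


def hosts_of(c):
    """'a,b' -> ['a', 'b']; [] when VIRTUAL_HOST is unset."""
    return [h.strip() for h in c.env.get("VIRTUAL_HOST", "").split(",") if h.strip()]


def wants_cert(c, opt_in=False):
    """Default mode: every VIRTUAL_HOST container unless labelled letsencrypt.nocert=true.
    opt_in=True: additionally require letsencrypt.cert=true (keeps rate limits in check)."""
    if not hosts_of(c):
        return False
    if c.labels.get("letsencrypt.nocert", "").lower() == "true":
        return False
    if opt_in:
        return c.labels.get("letsencrypt.cert", "").lower() == "true"
    return True


def email_for(c):
    """LETSENCRYPT_EMAIL if set, else info@<first host>. Built as one token so certbot
    receives a single --email value, not 'info@' plus a stray positional argument."""
    email = c.env.get("LETSENCRYPT_EMAIL") or f"info@{hosts_of(c)[0]}"
    if any(ch.isspace() for ch in email):
        raise ValueError(f"email must not contain whitespace: {email!r}")
    return email


def certbot_args(c):
    """argv for one certbot run covering every host of the container with one cert."""
    args = ["certbot-auto", "certonly", "--webroot", "-w", WEBROOT,
            "--agree-tos", "--non-interactive", "--email", email_for(c)]
    for h in hosts_of(c):
        args += ["-d", h]
    return args


def cert_links(c):
    """nginx-proxy wants <host>.crt/.key per host; all of them point at the first host's lineage."""
    hosts = hosts_of(c)
    lineage = hosts[0]
    links = {}
    for h in hosts:
        links[f"/etc/nginx/certs/{h}.crt"] = f"/etc/letsencrypt/live/{lineage}/fullchain.pem"
        links[f"/etc/nginx/certs/{h}.key"] = f"/etc/letsencrypt/live/{lineage}/privkey.pem"
    return links


def plan(containers, opt_in=False):
    """name -> (certbot argv, symlink map) for every container that should get a cert."""
    return {c.name: (certbot_args(c), cert_links(c)) for c in containers if wants_cert(c, opt_in)}


# Constructed sample containers (placeholder hostnames).
SAMPLE = [
    Container("edu", {"VIRTUAL_HOST": "edu.example.test"}, {"letsencrypt.nocert": "true"}),
    Container("web", {"VIRTUAL_HOST": "example.test,www.example.test"}),
    Container("api", {"VIRTUAL_HOST": "api.example.test", "LETSENCRYPT_EMAIL": "ops@example.test"},
              {"letsencrypt.cert": "true"}),
    Container("db", {}),
]

if __name__ == "__main__":
    for name, (argv, links) in plan(SAMPLE).items():
        print(name, " ".join(argv))
        for link, target in links.items():
            print("   ", link, "->", target)
```

With opt-in mode the same sample yields only the api container, which is what the label proposal buys a large deployment; in default mode db is skipped for lacking a VIRTUAL_HOST and edu for its nocert label, and the two-host web container gets one certbot run plus four symlinks, all into live/example.test/, which is the layout the manual fix in the last issue reproduces by hand.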