Docker image for automatic generation of SSL certs using Let's encrypt and Open Resty
Home Page: https://hub.docker.com/r/valian/docker-nginx-auto-ssl/
License: MIT License
When sending a request to the container, it redirects me from HTTP to HTTPS and then this error comes up 400 The plain HTTP request was sent to HTTPS port
It happens on every single request and i'm not able to get further.
Nginx.conf
worker_processes auto;
worker_rlimit_nofile 100000;
events {
worker_connections 4000;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
server_tokens off;
# reasonable default, as 1MB is almost always not enough
client_max_body_size 100M;
# enable gzip support
include server-gzip.conf;
# auto-ssl lua magic for automatic generation of certs
include resty-http.conf;
server {
listen 80 default_server;
proxy_set_header Host $host;
include resty-server-http.conf;
}
include /etc/nginx/conf.d/*.conf;
}
Sample config inside conf.d
# this configuration will be used for each server
# specified using $SITES variable
# more in README
server {
listen 443 ssl;
server_name golemgrid.dev;
include resty-server-https.conf;
location / {
proxy_pass http://django:8002;
}
}
Any clue as to why this might happen?
What would be a good way to use this, while having several containers on different nodes in a cluster of the same image?
The error I encounter while using this repo with SSL turned on:
nginx: [emerg] duplicate location "/" in /usr/local/openresty/nginx/conf/force-https.conf:1
When force-https.conf file is cleared, everything works fine (except for the removed redirect).
Hi,
Thanks for a great Docker image! 🐳
I noticed that the https://github.com/GUI/lua-resty-auto-ssl library has built in Redis support, we are running this image on AWS and are looking into storing the certificates in an Elasticache Redis. We could of course make our own image and override the configs, however I thought I would ask if you would be interested in a PR adding it to the parameters?
I'm thinking something like this:
docker run -d \
--name nginx-auto-ssl \
--restart on-failure \
--network host \
-e ALLOWED_DOMAINS="$DOMAIN" \
-e SITES="$DOMAIN=$APP_ADDRESS" \
-e STORAGE_ADAPTER="redis" \
-e REDIS_HOST="127.0.0.1" \
-e REDIS_PORT="6379" \
-v ssl-data:/etc/resty-auto-ssl \
valian/docker-nginx-auto-ssl
Best regards,
Johannes
What do you think about enabling HSTS as the default?
Is it possible to add host header as boolean (enable/disable) parameter ?
Is there a way to add custom response headers to the nginx conf in the running container? In the docs I see you can add extra server configs, but I would like to modify the one being used. Is there a way to do it without rebuilding the whole image, I mean, using volumes? I would like to have Access-Control-Allow-Origin in the response headers.
Great work!
Hello. Thanks for making this project.
I'm trying to configure it to support multiple domains via nginx.conf's, and i'm facing the issue that when I send a request to the container, then it fails due to too many redirects (HTTP 301).
This is the config I have
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 443 ssl http2;
server_name testgolemgrid.tk;
include resty-server-https.conf;
location / {
proxy_http_version 1.1;
proxy_pass http://django:8002;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_cache_bypass $http_upgrade;
}
}
I tried remove the include resty-server-https.conf line, but that resulted in nginx: [emerg] no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/conf.d/testgolemgrid.tk.conf:10.
Do you have any idea as to why this might happen? The request cycle looks like the following: Traefik ---> nginx-auto-ssl container ---> Docker container with hostname django:8002 (not resolved by traefik)
Auto-ssl container logs
deploy_catch-all.1.k3k0fff19lzl@GolemGrid | 10.0.35.18 - - [04/Nov/2022:19:35:11 +0100] "GET / HTTP/1.1" 301 166 "-" "PostmanRuntime/7.29.2"
deploy_catch-all.1.k3k0fff19lzl@GolemGrid | 10.0.35.18 - - [04/Nov/2022:19:35:11 +0100] "GET / HTTP/1.1" 301 166 "https://testgolemgrid.tk/" "PostmanRuntime/7.29.2"
deploy_catch-all.1.k3k0fff19lzl@GolemGrid | 10.0.35.18 - - [04/Nov/2022:19:35:11 +0100] "GET / HTTP/1.1" 301 166 "https://testgolemgrid.tk/" "PostmanRuntime/7.29.2"
deploy_catch-all.1.k3k0fff19lzl@GolemGrid | 10.0.35.18 - - [04/Nov/2022:19:35:11 +0100] "GET / HTTP/1.1" 301 166 "https://testgolemgrid.tk/" "PostmanRuntime/7.29.2"
deploy_catch-all.1.k3k0fff19lzl@GolemGrid | 10.0.35.18 - - [04/Nov/2022:19:35:11 +0100] "GET / HTTP/1.1" 301 166 "https://testgolemgrid.tk/" "PostmanRuntime/7.29.2"
deploy_catch-all.1.k3k0fff19lzl@GolemGrid | 10.0.35.18 - - [04/Nov/2022:19:35:11 +0100] "GET / HTTP/1.1" 301 166 "https://testgolemgrid.tk/" "PostmanRuntime/7.29.2"
deploy_catch-all.1.k3k0fff19lzl@GolemGrid | 10.0.35.18 - - [04/Nov/2022:19:35:11 +0100] "GET / HTTP/1.1" 301 166 "https://testgolemgrid.tk/" "PostmanRuntime/7.29.2"
deploy_catch-all.1.k3k0fff19lzl@GolemGrid | 10.0.35.18 - - [04/Nov/2022:19:35:11 +0100] "GET / HTTP/1.1" 301 166 "https://testgolemgrid.tk/" "PostmanRuntime/7.29.2"
deploy_catch-all.1.k3k0fff19lzl@GolemGrid | 10.0.35.18 - - [04/Nov/2022:19:35:11 +0100] "GET / HTTP/1.1" 301 166 "https://testgolemgrid.tk/" "PostmanRuntime/7.29.2"
deploy_catch-all.1.k3k0fff19lzl@GolemGrid | 10.0.35.18 - - [04/Nov/2022:19:35:11 +0100] "GET / HTTP/1.1" 301 166 "https://testgolemgrid.tk/" "PostmanRuntime/7.29.2"
deploy_catch-all.1.k3k0fff19lzl@GolemGrid | 10.0.35.18 - - [04/Nov/2022:19:35:11 +0100] "GET / HTTP/1.1" 301 166 "https://testgolemgrid.tk/" "PostmanRuntime/7.29.2"
This log is a single request made on my end. As you can see it results in an infinite loop
I would propose better domain regexp as one presented in README .*example.com could match any-example.com or suffix that really does not fit domain based hierarchy.
Usually people would use exact domains and subdomains, or wildcard.
domain ALLOWED_DOMAINS=example.com
subdomains ALLOWED_DOMAINS=(www|api).example.com
wildcard ALLOWED_DOMAINS=([a-z]+.)?example.com
Also it would be good to explain how lua handles unicode strings. From http://lua-users.org/wiki/LuaUnicode you can get that it would be better to replace .* with [a-z]+
I have have two Ubuntu machines:
I provide access to Internet on machine A I would like to setup HTTP/HTTPS proxy on machine B and configure curl and apt-get to use this proxy.
On B I have set up nginx from docker image as follows:
docker run -d \
--name nginx-auto-ssl \
--restart on-failure \
-p 80:80 \
-p 443:443 \
-e ALLOWED_DOMAINS=* \
-e FORCE_HTTPS=false \
valian/docker-nginx-auto-ssl
On A I set proxies
export http_proxy=http://machine.b.com:80/
export https_proxy=https://machine.b.com:443/
However, when I request Internet resource from A, I get information proxy is not configured:
curl http://www.facebook.com/ -v
* Hostname was NOT found in DNS cache
* Trying 172.25.10.202...
* Connected to machine.b.com (172.x.x.x) port 80 (#0)
> GET http://www.facebook.com/ HTTP/1.1
> User-Agent: curl/7.35.0
> Host: www.facebook.com
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 OK
* Server openresty/1.13.6.1 is not blacklisted
< Server: openresty/1.13.6.1
< Date: Tue, 29 May 2018 12:52:38 GMT
< Content-Type: text/html
< Content-Length: 562
< Last-Modified: Fri, 20 Apr 2018 14:42:38 GMT
< Connection: keep-alive
< ETag: "5ad9fc5e-232"
< Accept-Ranges: bytes
<
<!DOCTYPE html>
<html>
<head>
<title>Welcome to OpenResty!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to OpenResty!</h1>
<p>If you see this page, the OpenResty web platform is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="https://openresty.org/">openresty.org</a>.<br/></p>
<p><em>Thank you for flying OpenResty.</em></p>
</body>
</html>
Hi,
I'm trying to use your docker with the command
docker run -d --name main-nginx \
--restart on-failure \
-p 80:80 -p 443:443 \
-e ALLOWED_DOMAINS=www.scaniat.io,dev.scaniat.io,www.dev.scaniat.io,scaniat.io \
-e SITES='scaniat.io=scaniat-frontend-master;dev.scaniat.io=scaniat-frontend-develop' \
--network custom \
valian/docker-nginx-auto-ssl
but I keep getting that the website is not secured, and the certificate I see is the fallback one.
I have no logs of the certificate creation with let's encrypt.
Do you see something I'm doing wrong?
(ps: scaniat-frontend-master and scaniat-frontend-develop are dockers on the same network (custom) with nginx running in, listening on the port 80, serving static websites.
I add docker-compose.yml as follows. And then I run "docker-compose up -d" command. But Firefox Browser can connect to https://localhost and can't connect to https://autossl.com/
version: '2'
services:
nginx:
image: valian/docker-nginx-auto-ssl
restart: on-failure
ports:
- 80:80
- 443:443
volumes:
- ssl_data:/etc/resty-auto-ssl
environment:
ALLOWED_DOMAINS: 'autossl.com'
SITES: 'autossl.com=myapp:80'
SITES env variablemyapp:
image: nginx
volumes:
ssl_data:
How would you go about adding multiple domains?
I have tried with:
ALLOWED_DOMAINS: "(example.com)|(www.example.com)|(example.net)"
And it doesn't work.
It might be nice for dev purposes to do a temp redirect instead of a perm redirect in case you mess something up locally.
Hi guys! Has anyone faced this error yet?
I ran this command:
docker run -d
--name nginx-auto-ssl \
--restart on-failure
-p 80:80
-p 443:443
-e ALLOWED_DOMAINS=uni8.tech
-e LETSENCRYPT_URL='https://acme-staging-v02.api.letsencrypt.org/directory' \
-e SITES='uni8.tech=localhost:3000'
valian/docker-nginx-auto-ssl
...And I got the logs:
Processing www.uni8.tech
Hi,
I am novice with Docker as Well as nginx.
I used your image to auto generate SSL Certs but getting the following error
nginx_1 | + Generating account key...
nginx_1 | + Registering account key with ACME server...
nginx_1 | Processing cheappr.io
nginx_1 | + Signing domains...
nginx_1 | + Creating new directory /etc/resty-auto-ssl/letsencrypt/certs/cheappr.io ...
nginx_1 | + Generating private key...
nginx_1 | + Generating signing request...
nginx_1 | + Requesting challenge for cheappr.io...
nginx_1 | + Responding to challenge for cheappr.io...
nginx_1 | Invalid challenge: DOMAIN=cheappr.io RESPONSE={
nginx_1 | "type": "http-01",
nginx_1 | "status": "invalid",
nginx_1 | "error": {
nginx_1 | "type": "urn:acme:error:unauthorized",
nginx_1 | "detail": "Invalid response from http://cheappr.io/.well-known/acme-challenge/ovvIn18cLW8VCTLH1yL0ZZH72wBl576klHM4DI0LweE: \"\u003c!DOCTYPE HTML PUBLIC \\\"-//IETF//DTD HTML 2.0//EN\\\"\u003e\\n\u003chtml\u003e\u003chead\u003e\\n\u003ctitle\u003e404 Not Found\u003c/title\u003e\\n\u003c/head\u003e\u003cbody\u003e\\n\u003ch1\u003eNot Found\u003c/h1\u003e\\n\u003cp\"",
nginx_1 | "status": 403
nginx_1 | },
nginx_1 | "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/YTBjeRSdSsmRCcs2WFWWK7FlscgtlVp-mu0dRujAZXQ/223605224",
nginx_1 | "token": "ovvIn18cLW8VCTLH1yL0ZZH72wBl576klHM4DI0LweE",
nginx_1 | "validationRecord": [
nginx_1 | {
nginx_1 | "url": "http://cheappr.io/.well-known/acme-challenge/ovvIn18cLW8VCTLH1yL0ZZH72wBl576klHM4DI0LweE",
nginx_1 | "hostname": "cheappr.io",
nginx_1 | "port": "80",
nginx_1 | "addressesResolved": [
nginx_1 | "174.138.120.19",
nginx_1 | "2400:6180:100:d0::292:2001"
nginx_1 | ],
nginx_1 | "addressUsed": "2400:6180:100:d0::292:2001"
nginx_1 | }
nginx_1 | ]
nginx_1 | }
nginx_1 | err: # !! WARNING !! Extra configuration directory /etc/resty-auto-ssl/letsencrypt/conf.d exists, but no configuration found in it.
nginx_1 | , context: ssl_certificate_by_lua*, client: 49.207.56.253, server: 0.0.0.0:443
nginx_1 | 2019/01/17 07:59:19 [error] 23#23: *4 [lua] ssl_certificate.lua:92: issue_cert(): auto-ssl: issuing new certificate failed: dehydrated failure, context: ssl_certificate_by_lua*, client: 49.207.56.253, server: 0.0.0.0:443
My Docker-Compose.yml
version: "2.2"
services:
nginx:
image: valian/docker-nginx-auto-ssl
restart: on-failure
volumes:
- ssl_data:/etc/resty-auto-ssl
- ./nginx:/etc/nginx/conf.d
- ./www:/etc/nginx/data/www
ports:
- 80:80
- 443:443
depends_on:
- app
environment:
ALLOWED_DOMAINS: "cheappr.io"
LETSENCRYPT_URL: "https://acme-staging.api.letsencrypt.org/directory"
And my nginx file
upstream app {
server app:3000;
}
server {
listen 443 ssl http2;
server_name cheappr.io;
# remember about this line!
include resty-server-https.conf;
location / {
root /etc/nginx/data/www;
try_files $uri /index.html;
expires -1;
}
location /api {
try_files $uri $uri/ @backend;
}
location @backend {
proxy_pass http://app;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
Do you see any issues with Configuration?
Any help would be much appreciated.
Thanks
When running the container with FORCE_HTTPS=false all requests over regular http result in 404 Not Found response while requests over https are still working fine. Looking at docker logs openresty I see the following:
2019/04/04 12:54:49 [error] 22#22: *13 open() "/usr/local/openresty/nginx/html/some/path" failed (2: No such file or directory), client: 83.145.8.46, server: , request: "HEAD /some/path HTTP/1.1", host: "openresty.mnd-static.com" 83.145.8.46 - - [04/Apr/2019:12:54:49 +0000] "HEAD /some/path HTTP/1.1" 404 0 "-" "curl/7.54.0"
I'm guessing this might be because https://github.com/Valian/docker-nginx-auto-ssl/blob/master/snippets/server-proxy.conf isn't actually configured to listen to port 80? Is that by design? If so what is the point of the ENV variable?
This is more of a question rather than an issue If the certificate is used in my app and cert expires. How will it affect the app [ app requests won't work], But if docker-nginx-auto-ssl to renew the certificate or generate a new one, which will not work with old app build?
How does this work?
This isn't an issue per se, I was just wondering what the exact method is for increasing the timeout for the nginx server?
Hi everybody,
I got error to generate certs
Has anyone got this error before?
My docker-compose is same as the sample in your document.
Thanks for help!
This is an example from README:
version: '2'
services:
nginx:
image: valian/docker-nginx-auto-ssl
restart: on-failure
ports:
- 80:80
- 443:443
volumes:
- ssl_data:/etc/resty-auto-ssl
environment:
ALLOWED_DOMAINS: 'yourdomain.com'
SITES: 'yourdomain.com=myapp:80'
# your application, listening on port specified in `SITES` env variable
myapp:
image: nginx
volumes:
ssl_data:
Here I can see yourdomain.com=myapp:80 will map yourdomain to frontend container my app (port 80), now if I want to use backend container with the same server, how can I make it works?
I have tried but it seems not work:
version: '2'
services:
nginx:
image: valian/docker-nginx-auto-ssl
restart: on-failure
ports:
- 80:80
- 443:443
volumes:
- ssl_data:/etc/resty-auto-ssl
environment:
ALLOWED_DOMAINS: 'yourdomain.com'
SITES: 'yourdomain.com=myapp:80; yourdomain.com:8080=mybackendapp:8080'
# your application, listening on port specified in `SITES` env variable
myapp:
image: nginx
mybackendapp:
image: myimage
volumes:
ssl_data:
Could we somehow have a fix for the above?
This is a great solution. I will be using it all over the place.
Any chance of adding brotli support?
Hello, thank you for your work on this project! I find it by far the simplest way to manage my web servers. I wondered if it would be possible to build the docker image for linux/arm64/v8? It looks like the base image (openresty/openresty:alpine-fat) image is available for this architecture so I'm hoping it would be straightforward. Thanks in advance!
Maybe I am doing something wrong, but it seems like ALLOWED_DOMAINS is actually not implemented by default. The snippet doesn't match the config used in the image.
Here is the implementation in the image:
auto_ssl:set("allow_domain", function(domain)
return ngx.re.match(domain, '.*', 'ijo')
end)
Hello
Certificates failed renew after expiration because of OCSP failed
[lua] ssl_certificate.lua:260: set_response_cert():
auto-ssl: failed to set ocsp stapling for www.domain.com - continuing anyway -
failed to get ocsp response: failed to validate OCSP response (http://ocsp.int-x3.letsencrypt.org):
OCSP response not successful (6: unauthorized),
context: ssl_certificate_by_lua*, client: xxx.xxx.xxx, server: 0.0.0.0:443
I found on Internet that Certbot 0.39.0 will also prevent this error from appearing in the future ; it was updated to not send OCSP requests for certificates that are expired.
I'm having trouble generating a certificate. Not sure what's wrong because the app works fine with the fallback self-signed cert.
Here's the error log:
nginx_1 | 127.0.0.1 - - [10/Jan/2019:18:06:30 +0000] "POST /clean-challenge HTTP/1.1" 200 5 "-" "curl/7.61.1"
nginx_1 | 2019/01/10 18:06:30 [error] 23#23: *139 [lua] lets_encrypt.lua:41: issue_cert(): auto-ssl: dehydrated failed: env HOOK_SECRET=XXX HOOK_SERVER_PORT=8999 /usr/local/openresty/luajit/bin/resty-auto-ssl/dehydrated --cron --accept-terms --no-lock --domain influencers.cloud --challenge http-01 --config /etc/resty-auto-ssl/letsencrypt/config --hook /usr/local/openresty/luajit/bin/resty-auto-ssl/letsencrypt_hooks status: 256 out: # INFO: Using main config file /etc/resty-auto-ssl/letsencrypt/config
nginx_1 | Processing influencers.cloud
nginx_1 | + Signing domains...
nginx_1 | + Generating private key...
nginx_1 | + Generating signing request...
nginx_1 | + Requesting challenge for influencers.cloud...
nginx_1 | + Responding to challenge for influencers.cloud...
nginx_1 | Invalid challenge: DOMAIN=influencers.cloud RESPONSE={
nginx_1 | "type": "http-01",
nginx_1 | "status": "invalid",
nginx_1 | "error": {
nginx_1 | "type": "urn:acme:error:connection",
nginx_1 | "detail": "Fetching https://influencers.cloud/.well-known/acme-challenge/YYY: Timeout after connect (your server may be slow or overloaded)",
nginx_1 | "status": 400
nginx_1 | },
nginx_1 | "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/ZZZ",
nginx_1 | "token": "YYY",
nginx_1 | "validationRecord": [
nginx_1 | {
nginx_1 | "url": "http://influencers.cloud/.well-known/acme-challenge/YYY",
nginx_1 | "hostname": "influencers.cloud",
nginx_1 | "port": "80",
nginx_1 | "addressesResolved": [
nginx_1 | "34.73.89.237"
nginx_1 | ],
nginx_1 | "addressUsed": "34.73.89.237"
nginx_1 | },
nginx_1 | {
nginx_1 | "url": "https://influencers.cloud/.well-known/acme-challenge/YYY",
nginx_1 | "hostname": "influencers.cloud",
nginx_1 | "port": "443",
nginx_1 | "addressesResolved": [
nginx_1 | "34.73.89.237"
nginx_1 | ],
nginx_1 | "addressUsed": "34.73.89.237"
nginx_1 | }
nginx_1 | ]
nginx_1 | }
nginx_1 | err: # !! WARNING !! Extra configuration directory /etc/resty-auto-ssl/letsencrypt/conf.d exists, but no configuration found in it.
nginx_1 | , context: ssl_certificate_by_lua*, client: 34.73.89.237, server: 0.0.0.0:443
nginx_1 | 2019/01/10 18:06:30 [error] 23#23: *139 [lua] ssl_certificate.lua:92: issue_cert(): auto-ssl: issuing new certificate failed: dehydrated failure, context: ssl_certificate_by_lua*, client: 34.73.89.237, server: 0.0.0.0:443
nginx_1 | 2019/01/10 18:06:30 [error] 23#23: *139 [lua] ssl_certificate.lua:256: auto-ssl: could not get certificate for influencers.cloud - using fallback - failed to get or issue certificate, context: ssl_certificate_by_lua*, client: 34.73.89.237, server: 0.0.0.0:443
nginx_1 | 2019/01/10 18:06:32 [error] 23#23: *144 [lua] lets_encrypt.lua:41: issue_cert(): auto-ssl: dehydrated failed: env HOOK_SECRET=XXX HOOK_SERVER_PORT=8999 /usr/local/openresty/luajit/bin/resty-auto-ssl/dehydrated --cron --accept-terms --no-lock --domain influencers.cloud --challenge http-01 --config /etc/resty-auto-ssl/letsencrypt/config --hook /usr/local/openresty/luajit/bin/resty-auto-ssl/letsencrypt_hooks status: 256 out: # INFO: Using main config file /etc/resty-auto-ssl/letsencrypt/config
Here's my nginx config, based on the minimal example from readme:
events {
worker_connections 1024;
}
http {
include resty-http.conf;
server {
listen 443 ssl;
server_name influencers.cloud;
include resty-server-https.conf;
location / {
proxy_read_timeout 120;
proxy_set_header Host $http_host;
proxy_set_header Authorization "";
proxy_set_header User-Agent $http_user_agent;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://frontend:8000;
}
location /api/static {
gzip on;
alias /www/data/static/;
}
location /media {
gzip on;
alias /www/data/media/;
}
}
server {
listen 443 ssl;
server_name www.influencers.cloud;
include resty-server-https.conf;
return 301 https://influencers.cloud$request_uri;
}
server {
listen 80 default_server;
server_name ~^(www\.)?influencers.cloud$;
include resty-server-http.conf;
return 301 https://influencers.cloud$request_uri;
}
}
Here's nginx service configuration in docker-compose.yml:
nginx:
build: nginx
environment:
ALLOWED_DOMAINS: 'influencers.cloud'
volumes:
- ./backend/.media:/www/data/media
- ./backend/.static:/www/data/static
Can I get some advice on troubleshooting this?
Hello,
When auto-ssl tries to generate SSL certificate I get this error:
{
"type": "urn:acme:error:unauthorized",
"detail": "Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.",
"status": 403
}
Action may be required to prevent your Let's Encrypt certificate renewals
from breaking.
If you already received a similar e-mail, this one contains updated
information.
Your Let's Encrypt client used ACME TLS-SNI-01 domain validation to issue
a certificate in the past 60 days. Below is a list of names and IP
addresses validated (max of one per account):
The above is sent by LetsEncrypt. I have used the auto ssl docker, so how do i fix this error.
Hi,
I want to up redis and docker-nginx-auto-ssl with docker-compose and connect them to work together.
I tried to use this configuration:
version: '3'
services:
redis:
container_name: redis
image: redis
nginx:
container_name: nginx
image: valian/docker-nginx-auto-ssl
restart: on-failure
ports:
- 80:80
- 443:443
environment:
STORAGE_ADAPTER: redis
REDIS_HOST: redis
REDIS_PORT: 6379
however i'm not sure it's valid:
REDIS_HOST: redis
REDIS_PORT: 6379
docker-nginx-auto-ssl/snippets/resty-http.conf
Contains a resolver statement which should not be added like that as I have faced today 8.8.8.8 was not available from my machine.
Hi,
First of all, thank you for this great image!
A question:
Is it possible to add a fallback to a self-signed certificate, like running it on a LAN or in a dev environment for example?
Hi, thanks for your work on this docker image.
I can't get secure certificates to be issued.
Chrome indicates the certificate is a self-signed non-3rd-party issued certificate
From my docker-compose
version: "3"
services:
nginx_ssl:
image: valian/docker-nginx-auto-ssl
restart: on-failure
ports:
- "443:443"
- "80:80"
environment:
- ALLOWED_DOMAINS=site1.com,site2.com
- SITES=site1.com=other_nginx:8181;site2.com=other_nginx:8080
- FORCE_HTTPS=true
links:
- "other_nginx:other_nginx"
Am I using docker-nginx-auto-ssl correctly?
Hi, i'm running a wordpress installation using this https://github.com/nezhar/wordpress-docker-compose
My wordpress-docker-compose is using 80 on my server.
So, if i understood well, if i run your docker with this parameter:
export DOMAIN=yourdomain.com export APP_ADDRESS=localhost:**80** docker run -d \ --name nginx-auto-ssl \ --restart on-failure \ --network host \ -e ALLOWED_DOMAINS="$DOMAIN" \ -e SITES="$DOMAIN=$APP_ADDRESS" \ -v ssl-data:/etc/resty-auto-ssl \ valian/docker-nginx-auto-ssl
It should work, isn't it? What do you think?
Thanks
P.S. do you have a "buy me a coffee" thing or similar? If it works i would like to say thank you in some way
It would be great if we could configure the storage_adapter through env vars to use redis and not local file
Hello, thanks for your work in this image.
I was trying to add some fail2ban filters to a custom image. I found the acces.log file under /usr/local/openresty/nginx/conf/logs/ but I can't see its content. Using vim to read the file outputs 'access.log' is not a regular file. And I can't find any other log files inside the container.
Any help is really appreciated.
Raz.
I'm using docker-compose and attempting to enable STS by using a volume-based override in my docker-compose.yml
nginx:
image: valian/docker-nginx-auto-ssl
restart: on-failure
ports:
- 80:80
- 443:443
volumes:
- ssl_data:/etc/resty-auto-ssl
- ./docker/nginx/ssl.conf:/usr/local/openresty/nginx/conf/ssl.conf
env_file:
- ./.env.nginx
My local version of ssl.conf has the following line uncommented, and is otherwise unchanged:
add_header Strict-Transport-Security max-age=15768000;
However, after I run my docker-compose build, this setting does not appear to be applied.
I can docker-compose exec nginx sh and check that file in my container, and it does indeed contain the uncommented line.
However, this header is not set when I check via the Firefox devtools.
Am I missing something here? I'd like to make this change as surgically as possible.
Thanks
Hi,
Thanks for the wonderful docker image.
How to use it for FastCGI for php app(laravel in my case).
I tried to overwrite the server-proxy.conf with FastCGI, but it does show only default openresty page.
version: '3.7'
services:
app:
build: ./docker/php/prod
depends_on:
- mongodb
- cache
- queue
volumes:
- ./:/var/www/
- $HOME/.composer/:$HOME/.composer/
env_file:
- .env
web:
image: valian/docker-nginx-auto-ssl
restart: on-failure
volumes:
- ssl_data:/etc/resty-auto-ssl
- ./:/var/www/
environment:
FORCE_HTTPS: true
ALLOWED_DOMAINS: '(www|admin).parttimeworks.in'
SITES: 'www.parttimeworks.in=app:9000,admin.parttimeworks.in=app:9000'
ports:
- 80:80
- 443:443
depends_on:
- app
env_file:6
- .env
mariadb-master:
image: 'bitnami/mariadb:10.2.17-debian-9-r36'
container_name: mariadb-master
volumes:
- 'db-master-data:/bitnami/mariadb'
ports:
- 32797:3306
environment:
- MARIADB_REPLICATION_MODE=master
- "MARIADB_REPLICATION_USER=${REPLICATION_USER}"
- "MARIADB_REPLICATION_PASSWORD=${REPLICATION_PASSWORD}"
- "MARIADB_ROOT_PASSWORD=${ROOT_PASSWORD}"
- "MARIADB_USER=${DB_USERNAME}"
- "MARIADB_PASSWORD=${DB_PASSWORD}"
- "MARIADB_DATABASE=${DB_DATABASE}"
env_file:
- .env
mariadb-slave:
image: 'bitnami/mariadb:10.2.17-debian-9-r36'
container_name: mariadb-slave
ports:
- 32796:3306
depends_on:
- mariadb-master
environment:
- MARIADB_REPLICATION_MODE=slave
- "MARIADB_REPLICATION_USER=${REPLICATION_USER}"
- "MARIADB_REPLICATION_PASSWORD=${REPLICATION_PASSWORD}"
- MARIADB_MASTER_HOST=mariadb-master
- "MARIADB_MASTER_ROOT_PASSWORD=${ROOT_PASSWORD}"
env_file:
- .env
mongodb:
image: mongo:latest
container_name: dailyonline_mongodb
environment:
- "MONGO_INITDB_DATABASE=${MONGO_DATABASE}"
- "MONGO_INITDB_ROOT_USERNAME=${MONGO_USERNAME}"
- "MONGO_INITDB_ROOT_PASSWORD=${MONGO_PASSWORD}"
volumes:
- mongodb:/data/db
ports:
- 27017
command: mongod --auth --storageEngine wiredTiger
#laravel cron
cron:
build: ./docker/crontab
#container_name: cron
volumes:
- ./:/var/www/
depends_on:
- app
env_file:
- .env
#laravel worker
worker:
build: ./docker/worker
#container_name: worker
volumes:
- ./:/var/www/
depends_on:
- queue
- cache
- mongodb
env_file:
- .env
cache:
image: redis:4.0-alpine
command: redis-server --appendonly yes --requirepass "${REDIS_PASSWORD}"
ports:
- 9081:6379
env_file:
- .env
echo:
build: ./docker/echo-server
ports:
- '6001:6001'
depends_on:
- app
- web
links:
- web
- cache
volumes:
- ./docker/echo-server/prod/laravel-echo-server.json:/app/laravel-echo-server.json:ro
- ./storage/certs:/app/storage/certs:ro
queue:
image: schickling/beanstalkd
nodejs:
build: ./docker/nodejs
volumes:
- ./:/var/www/
volumes:
db-master-data:
driver: local
mongodb:
ssl_data:
networks:
default:
external:
name: nginx-proxy
Best Regards,
sathish
#!/usr/bin/env bash
ALLOWED_DOMAINS=tel.app.domain.com,api.app.domain.com,app.domain.com
SITES="tel.app.domain.com=http://127.0.0.1:8090;api.app.domain.com=http://127.0.0.1:8080;app.domain.com=http://127.0.0.1:8000"
LETSENCRYPT_URL=https://acme-v01.api.letsencrypt.org/directory
docker run -d --name nginx-auto-ssl --restart on-failure \
--net=host \
-e ALLOWED_DOMAINS=${ALLOWED_DOMAINS} \
-e SITES=${SITES} \
-e FORCE_HTTPS=true \
-e LETSENCRYPT_URL=$LETSENCRYPT_URL \
valian/docker-nginx-auto-ssl
I am not getting any errors on docker logs nginx-auto-ssl but, seems like no ssl certificate is being issued. Can you help me
root@docker-s-1vcpu-2gb-sgp1-01:/var/discourse# docker run -d \
> --name nginx-auto-ssl \
> --restart on-failure \
> -p 80:80 \
> -p 443:443 \
> -e FORCE_HTTPS=true \
> -e RESOLVER_ADDRESS=julio.ns.cloudflare.com,paislee.ns.cloudflare.com \
> -e ALLOWED_DOMAINS=antivte.com \
> -e SITES='bbs.antivte.com=unix:/var/discourse/shared/bbs/nginx.http.sock:;ytb.antivte.com=unix:/var/discourse/shared/ytb/nginx.http.sock:;cp.antivte.com=lunix:/var/discourse/shared/cp/nginx.http.sock:' \
> valian/docker-nginx-auto-ssl
here i got 3 docker container running and using the special file instead of listen 80 port.
for cloudlfare dns i set resolver address.
Is there anything I need to config
I believe this sits as a proxy nGinx instance in front of my own images, and once HTTPS is requested, automatically retrieves a LetsEncrypt/certbot/acme SSL certificate/key for me. However, I would love to get more information about my assumptions, such as did somebody ever go through and analyse what it does - Such as for instance overhead of this approach, compared to having the site exposed directly (over nGinx), instead of this tunnelling approach, etc, etc, etc ...
What happens to the original IP address, is it lost - If so, how do I add it?
Adorable work though I must confess - There should have been a "debug switch" in it though, allowing me to use the same docker-compose file when debugging (minus one switch) as I use during deployments ...
However, the latter may just be me not having configured my docker-compose file correctly ...
I've gone through the process of adding certbot to existing nGinx sites and other sites running Docker, and it's simply ridiculously complex. If this works the way I think it works, it's really quite brilliant I must confess :)
Hi, sure, it is not your fault, but Capital letters in domain names won't work.
Curl output:
curl -v https://a.caddy.tanatos.orG
* Rebuilt URL to: https://a.caddy.tanatos.orG/
* Trying 35.231.206.108...
* Connected to a.caddy.tanatos.orG (35.231.206.108) port 443 (#0)
* found 150 certificates in /etc/ssl/certs/ca-certificates.crt
* found 614 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
* Closing connection 0
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html
Docker container output:
2019/05/11 13:11:57 [error] 24#24: *18 lua entry thread aborted: runtime error: ...sty/luajit/share/lua/5.1/resty/auto-ssl/servers/hook.lua:40: assertion failed!
stack traceback:
coroutine 0:
[C]: in function 'assert'
...sty/luajit/share/lua/5.1/resty/auto-ssl/servers/hook.lua:40: in function 'server'
.../local/openresty/luajit/share/lua/5.1/resty/auto-ssl.lua:84: in function 'hook_server'
content_by_lua(resty-http.conf:48):2: in main chunk, client: 127.0.0.1, server: , request: "POST /deploy-cert HTTP/1.1", host: "127.0.0.1:8999"
127.0.0.1 - - [11/May/2019:13:11:57 +0000] "POST /deploy-cert HTTP/1.1" 500 186 "-" "curl/7.61.1"
2019/05/11 13:11:57 [error] 24#24: *15 [lua] lets_encrypt.lua:71: issue_cert(): auto-ssl: dehydrated manual hook.sh failed: env HOOK_SECRET=2aa77d26bcb8c553c7ff0e10604bd286dcdc5a1ab8ac7d988f1c234b65075dcb HOOK_SERVER_PORT=8999 /usr/local/openresty/luajit/bin/resty-auto-ssl/letsencrypt_hooks deploy_cert a.caddy.tanatos.orG /etc/resty-auto-ssl/letsencrypt/certs/a.caddy.tanatos.orG/privkey.pem /etc/resty-auto-ssl/letsencrypt/certs/a.caddy.tanatos.orG/cert.pem /etc/resty-auto-ssl/letsencrypt/certs/a.caddy.tanatos.orG/fullchain.pem /etc/resty-auto-ssl/letsencrypt/certs/a.caddy.tanatos.orG/chain.pem 1557580317 status: 256 out: nil err: curl: (22) The requested URL returned error: 500 Internal Server Error
hook request (deploy_cert) failed
, context: ssl_certificate_by_lua*, client: 80.211.246.107, server: 0.0.0.0:443
2019/05/11 13:11:57 [error] 24#24: *15 [lua] ssl_certificate.lua:92: issue_cert(): auto-ssl: issuing new certificate failed: dehydrated failure, context: ssl_certificate_by_lua*, client: 80.211.246.107, server: 0.0.0.0:443
2019/05/11 13:11:57 [error] 24#24: *15 [lua] ssl_certificate.lua:256: auto-ssl: could not get certificate for a.caddy.tanatos.orG - using fallback - failed to get or issue certificate, context: ssl_certificate_by_lua*, client: 80.211.246.107, server: 0.0.0.0:443
Docker run :
docker run --rm -it -p 80:80 -p 443:443 valian/docker-nginx-auto-ssl
hello
i have studied dockerfile and other things.
in documentation mention auto renew will work.
but i can't see anything related how ot will auto renew.
can u please describe more in details about it please
Thanks
EN:
After using the container I get ERR_CERT_AUTHORITY_INVALID is there way to fix it?
PL:
Po użyciu kontenera dostaje błąd ERR_CERT_AUTHORITY_INVALID, czy da się jakoś to naprawić?
Thank you for this nice project. I've setup a custom .conf file to forward port 35997 over SSL to a back end server
here is the docker-compose.yml file:
version: '2'
services:
nginx:
image: valian/docker-nginx-auto-ssl
container_name: nginx
restart: on-failure
ports:
- 80:80
- 443:443
- 35997:35997
- 35998:35998
volumes:
- ssl_data:/etc/resty-auto-ssl
- ./conf:/etc/nginx/conf.d
environment:
ALLOWED_DOMAINS: '00.deeznnutz.com'
#SITES: 'yourdomain.com=myapp:80'
znnd:
build: .
container_name: znnd
ports:
- "35995:35995"
restart: always
volumes:
- data:/root/.znn
volumes:
data:
ssl_data:
and here is the 35997.conf file under ./conf
server {
listen 35997 ssl default_server;
include resty-server-https.conf;
location / {
proxy_pass http://znnd:35997;
}
}
I'm getting a 403 error when I query the endpoint: https://reqbin.com/sqq4defa
Can you see what I'm doing wrong? Thank you.
curl -X GET https://00.deeznnutz.com:35997 -H "content-type: application/json" -d '{"jsonrpc": "2.0", "id": 40, "method": "stats.networkInfo", "params": []}'
Hello
Thanks a lot for your really great docker image.
I could not find how to increase openresty gateway time-out ? When used with small VM I got error "504 Gateway Time-out, openresty/1.15.8.1"
Cheers.
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.