Commit graph

36 commits

Author SHA1 Message Date
Kuo-Cheng Yeu
a10d1b50bf add support for ssl_dhparams to prevent 'Logjam' attack 2015-05-21 15:19:58 +08:00
Jason Wilder
503072c03f Merge pull request #72 from BenHall/default_host
Ability to set a default host for nginx
2015-05-14 10:00:04 -06:00
Markus Kosmal
b680fb003e Close marker instead of empty 2015-05-09 23:15:26 +02:00
Kuo-Cheng Yeu
4d2403b5d7 Add SPDY support 2015-04-29 14:41:25 +08:00
Jason Wilder
4a99ac5548 Remove includeSubdomains from HSTS header
includeSubdomains can lead to issues where not all subdomains are
able to use HTTPS.  This options might be too strict for the general
case: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security.
It can be re-enabled w/ a custom template if needed.

Fixes #109
2015-02-28 15:50:59 -07:00
Mike Dillon
aa5dfdb3d5 Fix HTTP->HTTPS redirect for wildcard hosts
Uses Nginx's $host instead of interpolating `{{ $host }}` in the template
2015-02-25 10:29:59 -08:00
Jason Wilder
d831c058f3 Merge pull request #106 from md5/per-vhost-includes
Per VIRTUAL_HOST configuration files
2015-02-23 12:20:55 -07:00
Jason Wilder
c3534b7195 Merge pull request #91 from pirelenito/master
fixes SSL support while mixing HTTPS and non-HTTPS hosts
2015-02-22 15:00:48 -07:00
Mike Dillon
2010332395 Support per-VIRTUAL_HOST Nginx conf files 2015-02-22 09:25:50 -08:00
Mike Dillon
6c3b3c87be Support VIRTUAL_PROTO=https for HTTPS backends 2015-02-14 16:02:39 -08:00
Paulo Ragonha
37e4a0d00e fixes SSL support while mixing HTTPS and non-HTTPS services
nginx was throwing the following error: `no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking`

ref: https://github.com/jwilder/nginx-proxy/issues/74
2015-01-22 14:37:10 -02:00
Åsmund Grammeltvedt
36039f8e13 Gzip application/javascript
As per RFC4329, nginx uses application/javascript as the default MIME
type for .js files. Nginx-proxy will now gzip these files if the client
requests it.
2015-01-05 13:31:26 +01:00
Ben Hall
30a53fb60a Ability to set a default host for nginx 2014-12-24 12:21:40 +00:00
Albert Murillo Aguirre
6d646d92f8 Basic Authentication Support 2014-12-19 16:26:42 -07:00
Mike Dillon
ac1f2d8875 Include Host or SERVER_NAME in logs 2014-12-06 17:46:25 -08:00
Mike Dillon
54b9043323 Remove redundant access_log and error_log 2014-12-06 17:45:59 -08:00
Jason Wilder
080a5157e6 Remove OCSP stapling
Looks like it was not actually working before and failing silently
because ssl_trusted_certificate was not specified.  Will need to
revisit implementing this functionality so removing it for now
to prevent the warnings logged by nginx now.
2014-12-03 11:06:11 -07:00
Jason Wilder
0580726415 Ensure cert exists before referencing it 2014-12-02 23:29:00 -07:00
Jason Wilder
2e43a5459b Add SSL support
This adds SSL support for containers.  It supports single host
certificates, wildcards and SNI using naming conventions for
certificates or optionally specify a cert name (for SNI).  The SSL
cipher configuration is based on mozilla intermediate profile which
should provide compatibility with clients back to Firefox 1, Chrome 1,
IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7.  The
configuration also enables OCSP stapling, HSTS, and ssl session caches.

To enable SSL, nginx-proxy should be started w/ -p 443:443 and -v
/path/to/certs:/etc/nginx/certs.  Certificates must be named:
<virtualhost>.crt and <virtualhost>.key where <virtualhost> matches
the a value of VIRTUAL_HOST on a container.

For wildcard certificates, the certificate and private key should be
named after the wildcard domain with .crt and .key suffixes.  For example,
*.example.com should be name example.com.crt and example.com.key.

For SNI where a certificate may be used for multiple domain names, the
container can specify a CERT_NAME env var that corresponds to the base
file name of the certificate and key.  For example, if you have a cert
allowing *.example.com and *.bar.com, it can be name shared.crt and
shared.key.  A container can use that cert by having CERT_NAME=shared and
VIRTUAL_HOST=foo.example.com.  The name "shared" is arbitrary and can
be whatever makes sense.

The behavior for the proxy when port 80 and 443 is defined is as
follows:

* If a container has a usable cert, port 80 will redirect to
443 for that container to always prefer HTTPS when available.
* If the container does not have a usable cert 503 will be returned.

In the last case, a self-signed or generic cert can be defined as
"default.crt" and "default.key" which will allow a client browser to
at least make a SSL connection.
2014-11-27 12:49:38 -07:00
Mike Dillon
0306692b31 Move gzip_types, access_log, and error_log to http 2014-11-25 16:56:16 -08:00
Mike Dillon
a84aee4a84 Drop unused index variables from range statement 2014-11-25 16:56:16 -08:00
Mike Dillon
3414a02edf Make template more readable
* $value -> $container
2014-11-25 16:56:16 -08:00
Mike Dillon
e1bbe8cde0 Raise proxy_buffering statement to http level 2014-11-25 16:56:16 -08:00
Mike Dillon
5b9e8c4554 Move settings that don't differ per container to the top level 2014-11-25 16:56:16 -08:00
Mike Dillon
6c2221bdcc Set "Connection: upgrade" when we receive an "Upgrade" header
Fixes #37
2014-10-25 17:13:17 -07:00
Mike Dillon
0028cdafe9 Add comment about X-Forwarded-Proto mapping 2014-10-25 17:13:04 -07:00
Mike Dillon
199f18da07 Pass through X-Forwarded-Proto
* Creates a $proxy_x_forwarded_proto variable that is set to the
  X-Forwarded-Proto header passed by the client or else the $scheme
2014-10-22 15:18:46 -07:00
Jason Wilder
94f3d9849f Inline /etc/nginx/proxy_params
/etc/nginx/proxy_params does not exist in the official nginx image.
2014-10-22 10:42:22 -06:00
Jason Wilder
b9d7bde5cd Support multiple VIRTUAL_HOSTs per container.
Fixes #3
2014-06-08 10:14:51 -06:00
Jason Wilder
4f3d690cd3 Stream logs to stdout/err
Nginx and docker-gen logs can now be seen via docker logs.
2014-06-03 16:30:05 -06:00
Jason Wilder
95d4f67a59 Merge pull request #11 from thomasleveil/patch-1
add HTTP 1.1 support
2014-06-03 16:04:44 -06:00
Thomas LÉVEIL
2d8d15d606 define a default virtual host
which replies with HTTP code `503 Service Temporarily Unavailable`
2014-06-03 23:32:29 +02:00
Thomas LÉVEIL
175a1ab077 add HTTP 1.1 support 2014-06-03 23:29:30 +02:00
Jason Wilder
592ed499d7 Improve port configuration
Should address #6.

The port selection now works as follows:

* If there is only 1 port exposed by the container, that port is used.
* If there is a VIRTUAL_PORT env variable defined, that port is used.
* Otherwise, default to port 80, if exposed.
2014-05-19 21:10:53 -06:00
Jason Wilder
11faa5f240 Disable proxy buffering
For #1
2014-05-07 13:46:28 -06:00
Jason Wilder
3d25e3da57 Initial commit 2014-05-05 11:02:01 -06:00