Skip to content
Shell Nginx
Branch: master
Clone or download
Pull request Compare This branch is 17 commits ahead, 8 commits behind GoogleCloudPlatform:master.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

#nginx-ssl-proxy This repository is used to build a Docker image that acts as an HTTP reverse proxy with optional (but strongly encouraged) support for acting as an SSL termination proxy. The proxy can also be configured to enforce HTTP basic access authentication. Nginx is the HTTP server, and its SSL configuration is included (and may be modified to suit your needs) at nginx/proxy_ssl.conf in this repository.

It is available on docker hub as ployst/nginx-ssl-proxy

Building the Image

Build the image yourself by cloning this repository then running:

docker build -t nginx-ssl-proxy .

Using with Kubernetes

This image is optimized for use in a Kubernetes cluster to provide SSL termination for other services in the cluster. It should be deployed as a Kubernetes replication controller with a service and public load balancer in front of it. SSL certificates, keys, and other secrets are managed via the Kubernetes Secrets API.

Generating test certificates

Use the script to generate test certificates. It will create your own Certificate Authority and use that to self sign a certificate.

./ /path/to/certs/folder


Run an SSL Termination Proxy from the CLI

To run an SSL termination proxy you must have an existing SSL certificate and key. These instructions assume they are stored at /path/to/secrets/ and named cert.crt and key.pem. You'll need to change those values based on your actual file path and names.

  1. Create a DHE Param

    The nginx SSL configuration for this image also requires that you generate your own DHE parameter. It's easy and takes just a few minutes to complete:

    openssl dhparam -out /path/to/secrets/dhparam.pem 2048
  2. Launch a Container

    Modify the below command to include the actual address or host name you want to proxy to, as well as the correct /path/to/secrets for your certificate, key, and dhparam:

    docker run \
      -e ENABLE_SSL=true \
      -v /path/to/secrets/cert.crt:/etc/secrets/proxycert \
      -v /path/to/secrets/key.pem:/etc/secrets/proxykey \
      -v /path/to/secrets/dhparam.pem:/etc/secrets/dhparam \

    The really important thing here is that you map in your cert to /etc/secrets/proxycert, your key to /etc/secrets/proxykey, and your dhparam to /etc/secrets/dhparam as shown in the command above.

  3. Enable Basic Access Authentication

    Create an htpaddwd file:

    htpasswd -nb YOUR_USERNAME SUPER_SECRET_PASSWORD > /path/to/secrets/htpasswd

    Launch the container, enabling the feature and mapping in the htpasswd file:

    docker run \
      -e ENABLE_SSL=true \
      -e ENABLE_BASIC_AUTH=true \
      -v /path/to/secrets/cert.crt:/etc/secrets/proxycert \
      -v /path/to/secrets/key.pem:/etc/secrets/proxykey \
      -v /path/to/secrets/dhparam.pem:/etc/secrets/dhparam \
      -v /path/to/secrets/htpasswd:/etc/secrets/htpasswd \

Connecting to a certification service

The nginx file supports proxying /.well-known/acme-challenge requests. The destination should be defined using the CERT_SERVICE env variable.

The CERT_SERVICE will receive all requests to /.well-known/acme-challenge

Other env vars:

  • SERVER_NAME If set, this must be provided and will be set as the value in the server_name directive.
  • WEB_SOCKETS If set, Connection and Upgrade headers will be set on the request to the proxy.
You can’t perform that action at this time.