Simple, statically configurable NGINX proxy container with Let's Encrypt automatic certificate renewal inspired by docker-letsencrypt-nginx-proxy-companion.
Still in testing
- Proxies can be configured using environment variables
- Automatic certificate request and renewal using Simp_le
- Automatic NGINX reload upon configuration change
- Multiple proxies can be defined for a single virtual host with different locations
```yaml
version: '2'
services:
  nginx:
    image: nginx
    container_name: nginx-proxy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - nginx_certs:/etc/nginx/certs
      - nginx_confd:/etc/nginx/conf.d
      - nginx_vhostd:/etc/nginx/vhost.d
      - nginx_html:/usr/share/nginx/html
  config-gen:
    image: szazo/letsencrypt-nginx-proxy-generator
    environment:
      - NGINX_CONTAINER=nginx-proxy
      - PROXY_1=https://apple.example.com->http://1.2.3.4:80
      - PROXY_2=https://banana.example.com->https://11.22.33.44:443
      - PROXY_3=https://banana.example.com/pear->http://22.33.44.55:80/cherry
      - DEBUG=*
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - nginx_certs:/output/nginx_certs
      - nginx_confd:/output/nginx_confd
      - nginx_vhostd:/output/nginx_vhostd
      - nginx_html:/output/nginx_html
volumes:
  nginx_certs:
  nginx_confd:
  nginx_vhostd:
  nginx_html:
```

Proxies can be defined with `PROXY_*` environment variables:
- The format: `PROTO://source.domain.name/optional-path->PROTO://target.host:PORT/optional-path` (currently only `https` source PROTO supported)
- Example: `https://apple.example.com/path->http://1.2.3.4:80/target-path`
It is possible to run secondary Let's Encrypt clients on the proxied destinations by using an optional fallback `proxy_pass` for the `/.well-known/acme-challenge` location.
To opt in, define `ACME_CHALLENGE_PROXY_*` environment variables the same way you would any other proxy. Remember not to set any source path, or this will not work!
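A pre-deployment check for the `PROXY_*` and `ACME_CHALLENGE_PROXY_*` values described above, written for this page as an added example (it is not the generator's own code). It assumes PORT is mandatory on the target because the format string shows it; the function names, the constructed sample variables and the duplicate-location check are illustrative.

```python
from urllib.parse import urlsplit

# Constructed sample values in the README's format; PROXY_4 and ACME_CHALLENGE_PROXY_2 are invalid.
SAMPLE_ENV = {
    "PROXY_1": "https://apple.example.com->http://1.2.3.4:80",
    "PROXY_2": "https://banana.example.com->https://11.22.33.44:443",
    "PROXY_3": "https://banana.example.com/pear->http://22.33.44.55:80/cherry",
    "PROXY_4": "http://plain.example.com->http://1.2.3.4:80",
    "ACME_CHALLENGE_PROXY_1": "https://apple.example.com->http://1.2.3.4:80",
    "ACME_CHALLENGE_PROXY_2": "https://banana.example.com/pear->http://22.33.44.55:80",
    "NGINX_CONTAINER": "nginx-proxy",
}

def parse_proxy(name, value):
    """Split one SOURCE->TARGET value and check it against the documented rules."""
    source, sep, target = value.partition("->")
    if not sep:
        raise ValueError(f"{name}: missing '->' separator")
    src, dst = urlsplit(source), urlsplit(target)
    if src.scheme != "https":
        raise ValueError(f"{name}: only https source PROTO is supported")
    if dst.scheme not in ("http", "https"):
        raise ValueError(f"{name}: target PROTO must be http or https")
    if not src.hostname or not dst.hostname or dst.port is None:
        raise ValueError(f"{name}: need a source host and a target host:PORT")
    acme = name.startswith("ACME_CHALLENGE_PROXY_")
    if acme and src.path:
        raise ValueError(f"{name}: ACME challenge proxies must not set a source path")
    return {"host": src.hostname, "location": src.path or "/",
            "target": target, "acme": acme}

def check_env(env):
    """Return ({vhost: {location: target}}, [errors]) for all proxy variables."""
    vhosts, errors = {}, []
    for name in sorted(env):
        if not name.startswith(("PROXY_", "ACME_CHALLENGE_PROXY_")):
            continue
        try:
            p = parse_proxy(name, env[name])
        except ValueError as exc:
            errors.append(str(exc))
            continue
        # Duplicate handling is not stated in the README; flagged here as ambiguous.
        key = "acme-challenge fallback" if p["acme"] else p["location"]
        locations = vhosts.setdefault(p["host"], {})
        if key in locations:
            errors.append(f"{name}: duplicate {key} for {p['host']}")
        locations[key] = p["target"]
    return vhosts, errors
```

Calling `check_env(dict(os.environ))` inside a CI step or an entrypoint wrapper reports malformed entries before the generator writes any NGINX configuration.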
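In order for the container to be able to reload NGINX using the Docker API:
- pass the NGINX container's name using the `NGINX_CONTAINER` environment variable,
- map the host's `/var/run/docker.sock` socket file into the container with the same path.

The `:ro` flag in the example makes only the mount read-only; the container can still send any request to the Docker API through the socket, so treat it as having control over the Docker host.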
In order to allow the container to store generated configurations and certificates, map the following volumes:
- NGINX `/etc/nginx/certs` directory ⟷ `nginx_certs` volume ⟷ `/output/nginx_certs` directory for generated certificates.
- NGINX `/etc/nginx/conf.d` directory ⟷ `nginx_confd` volume ⟷ `/output/nginx_confd` directory for generated configurations.
- NGINX `/etc/nginx/vhost.d` directory ⟷ `nginx_vhostd` volume ⟷ `/output/nginx_vhostd` directory for common includes.
- NGINX `/usr/share/nginx/html` directory ⟷ `nginx_html` volume ⟷ `/output/nginx_html` directory for Let's Encrypt challenge files.
Debug messages can be enabled using the `DEBUG` environment variable: `DEBUG=*`

The following diagram shows the connections between the elements.
```
                                           .------------------------.
                                           |  Let's Encrypt server  |
                     .---------------------|                        |
                     |                     '------------------------'
.--------------------|---------------.                ^
| NGINX              v               |                |
|   .---------------------------.    |                |
|   | .wellknown/acme-challenge |    |                |
|   |                           |    |                |
|   |                           |    |                |
|   '---------------------------'    |                |
|                                    |                |
'------------------------------------'                |
         |                                            |
         |                                            |
         |      .-----------------------------------. |
         |      | letsencrypt-nginx-proxy-generator | |
         |      |                                   |-'
         |      '-----------------------------------'
         |                        |
         |                        |
         v                        |
.------------------.              |
|     Volumes      |              |
|------------------|              |
|  nginx_certs     |              |
|  nginx_confd     |<-------------'
|  nginx_vhostd    |
|  nginx_html      |
'------------------'
```