├── .gitattributes ├── Dockerfile ├── LICENSE ├── README.md ├── entrypoint.sh ├── nginx.conf └── snippets ├── force-https.conf ├── resty-http.conf ├── resty-server-http.conf ├── resty-server-https.conf ├── server-default.conf ├── server-gzip.conf ├── server-proxy.conf └── ssl.conf /.gitattributes: -------------------------------------------------------------------------------- 1 | *.sh text eol=lf -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM openresty/openresty:alpine-fat 2 | 3 | # ALLOWED_DOMAINS is a PCRE regular expression evaluated by ngx.re.match in snippets/resty-http.conf (not a Lua pattern). The default '.*' accepts every SNI host name, so any name pointed at this server triggers a certificate request; narrow it for production. 4 | ENV DIFFIE_HELLMAN='' \ 5 | ALLOWED_DOMAINS='.*' \ 6 | AUTO_SSL_VERSION='0.13.1' \ 7 | FORCE_HTTPS='true' \ 8 | SITES='' \ 9 | LETSENCRYPT_URL='https://acme-v02.api.letsencrypt.org/directory' \ 10 | STORAGE_ADAPTER='file' \ 11 | REDIS_HOST='' \ 12 | REDIS_PORT='6379' \ 13 | REDIS_DB='0' \ 14 | REDIS_KEY_PREFIX='' \ 15 | RESOLVER_ADDRESS='8.8.8.8' 16 | 17 | # Here we install lua-resty-auto-ssl (OpenResty itself comes from the base image) and generate dhparam.pem at build time, so the same parameters ship in every container built from this image. 
18 | # You can specify DIFFIE_HELLMAN=true to force regeneration of that file on first run (entrypoint.sh treats any non-empty value as true) 19 | # also we create a self-signed fallback cert/key pair, served to clients that send no SNI; it is baked into the image as well, so it is a placeholder and not a secret 20 | RUN apk --no-cache add bash openssl \ 21 | && /usr/local/openresty/luajit/bin/luarocks install lua-resty-auto-ssl $AUTO_SSL_VERSION \ 22 | && openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \ 23 | -subj '/CN=sni-support-required-for-valid-ssl' \ 24 | -keyout /etc/ssl/resty-auto-ssl-fallback.key \ 25 | -out /etc/ssl/resty-auto-ssl-fallback.crt \ 26 | && openssl dhparam -out /usr/local/openresty/nginx/conf/dhparam.pem 2048 \ 27 | # let's remove default open resty configuration, we'll conditionally add modified version in entrypoint.sh 28 | && rm /etc/nginx/conf.d/default.conf 29 | 30 | COPY nginx.conf snippets /usr/local/openresty/nginx/conf/ 31 | COPY entrypoint.sh /entrypoint.sh 32 | 33 | VOLUME /etc/resty-auto-ssl 34 | 35 | ENTRYPOINT ["/entrypoint.sh"] 36 | CMD ["/usr/local/openresty/bin/openresty", "-g", "daemon off;"] 37 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2017 Jakub Skałecki 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 
14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # docker-nginx-auto-ssl 2 | *The simplest solution to add an SSL cert to your site* 3 | 4 | ![build](https://img.shields.io/docker/cloud/build/valian/docker-nginx-auto-ssl.svg) 5 | ![build](https://img.shields.io/docker/pulls/valian/docker-nginx-auto-ssl.svg) 6 | 7 | Docker image for automatic generation of SSL certs using Let's Encrypt and OpenResty, with reasonable SSL settings, HTTP/2 and WebSockets support out-of-the-box. 8 | You can specify allowed domains and simple proxies using ENV variables, and easily override `nginx.conf` to your needs. 9 | 10 | This is possible thanks to [OpenResty](https://github.com/openresty/openresty) and [lua-resty-auto-ssl](https://github.com/GUI/lua-resty-auto-ssl). 11 | 12 | **Image status**: used in production. Some backward-compatible changes may be added in the future. 
13 | 14 | # Usage 15 | 16 | Quick start to generate and auto-renew certs for your blog / application: 17 | 18 | ```Bash 19 | # replace these values 20 | export DOMAIN=yourdomain.com 21 | export APP_ADDRESS=localhost:8080 22 | 23 | # install docker first, and then run following command 24 | docker run -d \ 25 | --name nginx-auto-ssl \ 26 | --restart on-failure \ 27 | --network host \ 28 | -e ALLOWED_DOMAINS="$DOMAIN" \ 29 | -e SITES="$DOMAIN=$APP_ADDRESS" \ 30 | -v ssl-data:/etc/resty-auto-ssl \ 31 | valian/docker-nginx-auto-ssl 32 | 33 | # display logs from container, to check if everything is fine. 34 | docker logs nginx-auto-ssl 35 | ``` 36 | 37 | [Docker-compose](https://docs.docker.com/compose/) example: 38 | 39 | ```yaml 40 | # docker-compose.yml 41 | version: '2' 42 | services: 43 | nginx: 44 | image: valian/docker-nginx-auto-ssl 45 | restart: on-failure 46 | ports: 47 | - 80:80 48 | - 443:443 49 | volumes: 50 | - ssl_data:/etc/resty-auto-ssl 51 | environment: 52 | ALLOWED_DOMAINS: 'yourdomain.com' 53 | SITES: 'yourdomain.com=myapp:80' 54 | 55 | # your application, listening on port specified in `SITES` env variable 56 | myapp: 57 | image: nginx 58 | 59 | volumes: 60 | ssl_data: 61 | ``` 62 | 63 | start using 64 | ```Bash 65 | docker-compose up -d 66 | ``` 67 | 68 | Both cases will work when request to `yourdomain.com` will reach just-deployed nginx (so when it will be running on your server, with correctly defined DNS entry). 69 | 70 | Available configuration options: 71 | 72 | | Variable | Example | Description 73 | | --- | --- | ---| 74 | | ALLOWED_DOMAINS | `(www\|api).example.com`, `example.com`, `([a-z]+.)?example.com` | Regex pattern of allowed domains. Internally, we're using [ngx.re.match](https://github.com/openresty/lua-nginx-module#ngxrematch). By default we accept all domains | 75 | | DIFFIE_HELLMAN | `true` | Force regeneration of `dhparam.pem`. If not specified, default one is used. 
| 76 | | SITES | `db.com=localhost:5432; *.app.com=localhost:8080`, `_=localhost:8080` | Shortcut for defining multiple proxies, in form of `domain1=endpoint1; domain2=endpoint2`. Default template for proxy is [here](https://github.com/Valian/docker-nginx-auto-ssl/blob/master/snippets/server-proxy.conf). Name `_` means default server, just like in nginx configuration | 77 | | FORCE_HTTPS | `true`, `false` | If `true`, automatically adds location to `resty-server-http.conf` redirecting traffic from http to https. `true` by default. | 78 | | LETSENCRYPT_URL | `https://acme-v02.api.letsencrypt.org/directory`, `https://acme-staging-v02.api.letsencrypt.org/directory` | Let's Encrypt server URL to use | 79 | | RESOLVER_ADDRESS | `8.8.8.8`, `127.0.0.53` | DNS resolver used for OCSP stapling. `8.8.8.8` by default. To disable ipv6 append `ipv6=off`, eg `8.8.8.8 ipv6=off` | 80 | | STORAGE_ADAPTER | `file`, `redis` | Location to store generated certificates. Best practice is `redis` in order to avoid I/O blocking in OpenResty and make the certs available across multiple containers (for a load balanced environment) . `file` by default | 81 | | REDIS_HOST | `hostname`, `ip address` | The redis host name to use for cert storage. Required if `STORAGE_ADAPTER=redis`| 82 | | REDIS_PORT | `port number` | The redis port number. `6379` by default| 83 | | REDIS_DB | `db_number` | The Redis database number used by lua-resty-auto-ssl to save certificates. `0` by default | 84 | | REDIS_KEY_PREFIX | `some-prefix` | Prefix all keys stored in Redis with this string. 
`''` by default | 85 | 86 | 87 | If you want to proxy multiple sites (probably the most common case, that's why I've made it possible to achieve without custom configuration): 88 | 89 | ```Bash 90 | docker run -d \ 91 | --name nginx-auto-ssl \ 92 | --restart on-failure \ 93 | -p 80:80 \ 94 | -p 443:443 \ 95 | -e ALLOWED_DOMAINS=example.com \ 96 | -e SITES='example.com=localhost:5432;*.example.com=localhost:8080' \ 97 | valian/docker-nginx-auto-ssl 98 | ``` 99 | 100 | # Customization 101 | 102 | ## Includes from `/etc/nginx/conf.d/*.conf` 103 | 104 | Additional server blocks are automatically loaded from `/etc/nginx/conf.d/*.conf`. If you want to provide your own configuration, you can either use volumes or create custom image. 105 | 106 | Example server configuration (for example, named `server.conf`) 107 | 108 | ```nginx 109 | server { 110 | listen 443 ssl default_server; 111 | 112 | # remember about this line! 113 | include resty-server-https.conf; 114 | 115 | location / { 116 | proxy_pass http://app; 117 | } 118 | 119 | location /api { 120 | proxy_pass http://api; 121 | } 122 | } 123 | ``` 124 | 125 | Volumes way 126 | 127 | ```Bash 128 | # instead of $PWD, use directory with your custom configurations 129 | docker run -d \ 130 | --name nginx-auto-ssl \ 131 | --restart on-failure \ 132 | -p 80:80 \ 133 | -p 443:443 \ 134 | -v $PWD:/etc/nginx/conf.d 135 | valian/docker-nginx-auto-ssl 136 | ``` 137 | 138 | Custom image way 139 | 140 | ```Dockerfile 141 | FROM valian/docker-nginx-auto-ssl 142 | 143 | # instead of . use directory with your configurations 144 | COPY . /etc/nginx/conf.d 145 | ``` 146 | 147 | ```Bash 148 | docker build -t docker-nginx-auto-ssl . 149 | docker run [YOUR_OPTIONS] docker-nginx-auto-ssl 150 | ``` 151 | 152 | 153 | ## Using `$SITES` with your own template 154 | 155 | You have to override `/usr/local/openresty/nginx/conf/server-proxy.conf` either using volume or custom image. 
Basic templating is implemented for variables `$SERVER_NAME` and `$SERVER_ENDPOINT`. 156 | 157 | Example template: 158 | 159 | ```nginx 160 | server { 161 | listen 443 ssl; 162 | server_name $SERVER_NAME; 163 | 164 | include resty-server-https.conf; 165 | 166 | location / { 167 | proxy_pass http://$SERVER_ENDPOINT; 168 | } 169 | } 170 | ``` 171 | 172 | 173 | ## Your own `nginx.conf` 174 | 175 | If you have custom requirements and other customization options are not enough, you can easily provide your own configuration. 176 | 177 | Example `Dockerfile`: 178 | ```Dockerfile 179 | FROM valian/docker-nginx-auto-ssl 180 | 181 | COPY nginx.conf /usr/local/openresty/nginx/conf/ 182 | ``` 183 | 184 | Minimal working `nginx.conf`: 185 | ```nginx 186 | events { 187 | worker_connections 1024; 188 | } 189 | 190 | http { 191 | 192 | # required 193 | include resty-http.conf; 194 | 195 | server { 196 | listen 443 ssl; 197 | 198 | # required 199 | include resty-server-https.conf; 200 | 201 | # you should add your own locations here 202 | } 203 | 204 | server { 205 | listen 80 default_server; 206 | 207 | # required 208 | include resty-server-http.conf; 209 | } 210 | } 211 | ``` 212 | 213 | Minimal `nginx.conf` with support for `$SITES` and `conf.d` includes 214 | 215 | ```nginx 216 | events { 217 | worker_connections 1024; 218 | } 219 | 220 | http { 221 | 222 | include resty-http.conf; 223 | 224 | server { 225 | listen 80 default_server; 226 | include resty-server-http.conf; 227 | } 228 | 229 | # you can insert your blocks here or inside conf.d 230 | 231 | include /etc/nginx/conf.d/*.conf; 232 | } 233 | ``` 234 | 235 | Build and run it using 236 | ```Bash 237 | docker build -t docker-nginx-auto-ssl . 238 | docker run [YOUR_OPTIONS] docker-nginx-auto-ssl 239 | ``` 240 | 241 | ## How does it work? 242 | 243 | A short walktrough of what's going on here. 
244 | 245 | - [The docker entrypoint](https://github.com/Valian/docker-nginx-auto-ssl/blob/master/entrypoint.sh#L29) is responsible for preparing a location block for each site declared in `SITES` env variable. [This file is used as a template](https://github.com/Valian/docker-nginx-auto-ssl/blob/master/snippets/server-proxy.conf). 246 | - when request comes to port 80, it's by default redirected to 443 (HTTP -> HTTPS redirection) 247 | - when request comes to port 443, HTTPS certificate is resolved by lua code (relevant [file in this repo](https://github.com/Valian/docker-nginx-auto-ssl/blob/master/snippets/resty-server-https.conf) and [source code from lua-resty-auto-ssl](https://github.com/auto-ssl/lua-resty-auto-ssl/blob/master/lib/resty/auto-ssl/ssl_certificate.lua)). If certificate exists for a given domain and is valid, it's returned. Otherwise, a process of generating new certificate starts. It's initialized [here](https://github.com/auto-ssl/lua-resty-auto-ssl/blob/master/lib/resty/auto-ssl/ssl_providers/lets_encrypt.lua) and uses https://github.com/dehydrated-io/dehydrated for all the Let's Encrypt-related communication. It starts challenge process, prepares files for challenge and receives certificates. All of that is done in a couple of seconds, while the original request waits for the response. 248 | - challenge files are prepared and served under `/.well-known/acme-challenge/` ([relevant file from this repo ](https://github.com/Valian/docker-nginx-auto-ssl/blob/master/snippets/resty-server-http.conf) and source code from [lua-resty-auto-ssl](https://github.com/auto-ssl/lua-resty-auto-ssl/blob/71259605a3868b287ac0501d5850594b3f1b9cbb/lib/resty/auto-ssl/servers/challenge.lua)) 249 | 250 | There's more to it, eg locks across all workers to only generate one certificate for a domain at a time, upload of the certificate to shared storage if configured, checking if domain is whitelisted, communication with Let's Encrypt etc. 
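All in all, it's fairly efficient and shouldn't add any noticeable overhead to nginx.

# CHANGELOG

* **11-11-2019** - Added gzip support and dropped TLS 1.0 and 1.1 #33
* **18-04-2019** - Added WebSocket support #22
* **29-05-2017** - Fixed duplicate redirect location after container restart #2
* **19-12-2017** - Support for `$SITES` variable
* **2-12-2017** - Dropped HSTS by default
* **25-11-2017** - Initial release


# LICENCE

MIT
--------------------------------------------------------------------------------
/entrypoint.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Container entrypoint: prepares the OpenResty configuration from the
# environment (DIFFIE_HELLMAN, SITES, FORCE_HTTPS, ALLOWED_DOMAINS, ...) and
# then execs the command Docker passed in (the openresty binary by default).
#
# Any failure while preparing the configuration aborts the start instead of
# launching nginx against a half-written config.
set -eu

RESTY_CONF_DIR="/usr/local/openresty/nginx/conf"
NGINX_CONF_DIR="/etc/nginx/conf.d"
AUTO_SSL_DIR="/etc/resty-auto-ssl"

# The cert/key store must be writable by the nginx worker user, which is what
# lua-resty-auto-ssl writes issued certificates as.
# NOTE(review): 777 makes the directory holding private keys world-writable
# inside the container; it is kept for compatibility with existing volumes.
# A tighter setup is to chown the volume to the user named by nginx's `user`
# directive and use 700 instead.
chmod 777 "$AUTO_SSL_DIR"

# dhparam.pem lives in the volume so it is generated (or copied) only once.
# Any non-empty DIFFIE_HELLMAN value requests a fresh, per-deployment file
# instead of the one baked into the image at build time.
if [ ! -f "$AUTO_SSL_DIR/dhparam.pem" ]; then
    if [ -n "${DIFFIE_HELLMAN:-}" ]; then
        openssl dhparam -out "$AUTO_SSL_DIR/dhparam.pem" 2048
    else
        cp "${RESTY_CONF_DIR}/dhparam.pem" "$AUTO_SSL_DIR/dhparam.pem"
    fi
fi

# Print $1 with leading and trailing whitespace removed, so that
# "a=b; c=d" (the spacing used in README.md) yields clean entries.
trim() {
    local value="$1"
    value="${value#"${value%%[![:space:]]*}"}"
    value="${value%"${value##*[![:space:]]}"}"
    printf '%s' "$value"
}

# Render one server block from server-proxy.conf for "server_name=endpoint".
# The server name doubles as the output file name under $NGINX_CONF_DIR, so it
# must not contain a path separator; a malformed entry aborts the start
# (via set -e) rather than writing a file nginx cannot load.
render_site() {
    local entry name raw_endpoint
    entry="$(trim "$1")"
    [ -z "$entry" ] && return 0     # tolerate a trailing or doubled ';'
    case "$entry" in
        *=*) ;;
        *)
            echo "entrypoint: SITES entry '$entry' is not in the form name=endpoint" >&2
            return 1
            ;;
    esac
    name="$(trim "${entry%%=*}")"
    raw_endpoint="$(trim "${entry#*=}")"
    if [ -z "$name" ] || [ -z "$raw_endpoint" ]; then
        echo "entrypoint: SITES entry '$entry' has an empty name or endpoint" >&2
        return 1
    fi
    case "$name" in
        */*|.|..)
            echo "entrypoint: SITES server name '$name' must not contain '/' (it is used as a file name)" >&2
            return 1
            ;;
    esac
    export SERVER_NAME="$name"
    # drop a URL scheme such as http:// or https://; the template adds its own
    export SERVER_ENDPOINT="${raw_endpoint#*//}"
    envsubst '$SERVER_NAME $SERVER_ENDPOINT' \
        < "${RESTY_CONF_DIR}/server-proxy.conf" \
        > "${NGINX_CONF_DIR}/${SERVER_NAME}.conf"
}

# if $SITES is defined, we should prepare configuration files
# example usage:
#
#   -e SITES="db.example.com=localhost:5432;app.example.com=http://localhost:8080"
#
# it will create 2 files:
#
#   1. /etc/nginx/conf.d/db.example.com.conf using $SERVER_ENDPOINT=localhost:5432 and $SERVER_NAME=db.example.com
#   2. /etc/nginx/conf.d/app.example.com.conf using $SERVER_ENDPOINT=localhost:8080 and $SERVER_NAME=app.example.com
if [ -n "${SITES:-}" ]; then
    # backends are separated by ';'
    IFS=\; read -r -a SITES_SEPARATED <<<"$SITES"

    # for each backend (in form of server_name=endpoint:port) we create proper file
    for NAME_EQ_ENDPOINT in "${SITES_SEPARATED[@]}"; do
        render_site "$NAME_EQ_ENDPOINT"
    done
    unset SERVER_NAME SERVER_ENDPOINT

# if $SITES isn't defined and $NGINX_CONF_DIR is empty, install the default
# https server (similar to the default from docker-openresty, but using https)
elif [ -z "$(ls -A "$NGINX_CONF_DIR")" ]; then
    cp "${RESTY_CONF_DIR}/server-default.conf" "${NGINX_CONF_DIR}/default.conf"
fi

if [ "${FORCE_HTTPS:-}" == "true" ]; then
    # the include is appended only once, so container restarts do not duplicate it
    if ! grep -q "force-https.conf" "${RESTY_CONF_DIR}/resty-server-http.conf"; then
        echo "include force-https.conf;" >> "${RESTY_CONF_DIR}/resty-server-http.conf"
    fi
fi

# Substitute the auto-ssl settings into resty-http.conf. The values are pasted
# verbatim into Lua string literals there, so expansion is restricted to the
# named variables and nothing else in the file is touched. The two steps are
# separate statements so that a failed envsubst stops the start (set -e)
# instead of being masked inside an && list.
envsubst '$ALLOWED_DOMAINS,$LETSENCRYPT_URL,$RESOLVER_ADDRESS,$STORAGE_ADAPTER,$REDIS_HOST,$REDIS_PORT,$REDIS_DB,$REDIS_KEY_PREFIX' \
    < "${RESTY_CONF_DIR}/resty-http.conf" \
    > "${RESTY_CONF_DIR}/resty-http.conf.copy"
mv "${RESTY_CONF_DIR}/resty-http.conf.copy" "${RESTY_CONF_DIR}/resty-http.conf"

exec "$@"
--------------------------------------------------------------------------------
/nginx.conf:
--------------------------------------------------------------------------------
worker_processes auto;

worker_rlimit_nofile 100000;

events {
    worker_connections 4000;
}

http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    server_tokens off;

    # reasonable default, as 1MB is almost always not enough
    client_max_body_size 100M;

    # enable gzip support
    include server-gzip.conf;

    # auto-ssl lua magic for automatic generation of certs
    include resty-http.conf;

    server {
        listen 80 default_server;

        include resty-server-http.conf;
    }

    include /etc/nginx/conf.d/*.conf;
}
--------------------------------------------------------------------------------
/snippets/force-https.conf:
--------------------------------------------------------------------------------
location / {
    return 301 https://$host$request_uri;
}
--------------------------------------------------------------------------------
/snippets/resty-http.conf:
--------------------------------------------------------------------------------
# The "auto_ssl" shared dict should be defined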
with enough storage space to 2 | # hold your certificate data. 1MB of storage holds certificates for 3 | # approximately 100 separate domains. 4 | lua_shared_dict auto_ssl 10m; 5 | 6 | # The "auto_ssl" shared dict is used to temporarily store various settings 7 | # like the secret used by the hook server on port 8999. Do not change or 8 | # omit it. 9 | lua_shared_dict auto_ssl_settings 64k; 10 | 11 | # A DNS resolver must be defined for OCSP stapling to function. 12 | # 13 | # This example uses Google's DNS server. You may want to use your system's 14 | # default DNS servers, which can be found in /etc/resolv.conf. If your network 15 | # is not IPv6 compatible, you may wish to disable IPv6 results by using the 16 | # "ipv6=off" flag (like "resolver 8.8.8.8 ipv6=off"). 17 | resolver $RESOLVER_ADDRESS; # substituted from RESOLVER_ADDRESS by entrypoint.sh; this is plain DNS, so prefer a resolver you control over a public one 18 | 19 | # Initial setup tasks. The $VARIABLES below are replaced verbatim by envsubst in entrypoint.sh inside Lua string literals, so a quote character in any of them breaks this block. 20 | init_by_lua_block { 21 | auto_ssl = (require "resty.auto-ssl").new() 22 | auto_ssl:set("ca", '$LETSENCRYPT_URL') 23 | -- Define a function to determine which SNI domains to automatically handle 24 | -- and register new certificates for. The library itself defaults to allowing no domains; this image 25 | -- substitutes ALLOWED_DOMAINS (Dockerfile default '.*', i.e. every domain), so narrow it in production. 26 | auto_ssl:set("allow_domain", function(domain) 27 | return ngx.re.match(domain, '$ALLOWED_DOMAINS', 'ijo') -- NOTE(review): unanchored and case-insensitive ('ijo'): 'example.com' also accepts any SNI name that merely contains it; anchor the pattern (^...$) when an exact host list is intended 28 | end) 29 | 30 | if "$STORAGE_ADAPTER" == "redis" then 31 | auto_ssl:set("storage_adapter", "resty.auto-ssl.storage_adapters.redis") 32 | auto_ssl:set("redis", { 33 | host = "$REDIS_HOST", 34 | port = "$REDIS_PORT", 35 | db = "$REDIS_DB", 36 | prefix = "$REDIS_KEY_PREFIX" -- NOTE(review): no authentication or TLS is configured for this connection and it holds the generated certificates; keep REDIS_HOST reachable only from the trusted network 37 | }) 38 | end 39 | 40 | auto_ssl:init() 41 | } 42 | 43 | init_worker_by_lua_block { 44 | auto_ssl:init_worker() 45 | } 46 | 47 | server { 48 | listen 127.0.0.1:8999; # loopback only on purpose: this hook server is internal to the container and guarded only by the secret kept in auto_ssl_settings; never expose it on another interface 49 | 50 | # Increase the body buffer size, to ensure the internal POSTs can always 51 | # parse the full POST contents into memory. 
52 | client_body_buffer_size 128k; 53 | client_max_body_size 128k; 54 | 55 | location / { 56 | content_by_lua_block { 57 | auto_ssl:hook_server() 58 | } 59 | } 60 | } 61 | -------------------------------------------------------------------------------- /snippets/resty-server-http.conf: -------------------------------------------------------------------------------- 1 | location /.well-known/acme-challenge/ { # ACME HTTP-01 validation path: must stay reachable unauthenticated over plain HTTP on port 80; as the longer prefix it takes precedence over the "location /" redirect that force-https.conf adds 2 | auth_basic off; 3 | content_by_lua_block { 4 | auto_ssl:challenge_server() 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /snippets/resty-server-https.conf: -------------------------------------------------------------------------------- 1 | # Dynamic handler for issuing or returning certs for SNI domains. 2 | ssl_certificate_by_lua_block { 3 | auto_ssl:ssl_certificate() 4 | } 5 | 6 | ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt; # self-signed placeholder generated at image build time (see Dockerfile); a client receives it when the Lua handler above supplies no certificate for the requested SNI name, so it is a fallback, not a secret 7 | ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key; 8 | 9 | include ssl.conf; 10 | -------------------------------------------------------------------------------- /snippets/server-default.conf: -------------------------------------------------------------------------------- 1 | # default open resty blank configuration, just to show that it's working 2 | 3 | server { 4 | listen 443 ssl http2 default_server; 5 | 6 | include resty-server-https.conf; 7 | 8 | error_page 500 502 503 504 /50x.html; 9 | 10 | location / { 11 | root /usr/local/openresty/nginx/html; 12 | index index.html index.htm; 13 | } 14 | 15 | location = /50x.html { 16 | root /usr/local/openresty/nginx/html; 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /snippets/server-gzip.conf: -------------------------------------------------------------------------------- 1 | gzip on; # NOTE(review): compression also applies to TLS responses; dynamic responses that mix secrets with request-controlled content are exposed to compression side channels (BREACH), so disable gzip for such locations 2 | gzip_disable "msie6"; 3 | gzip_vary on; 4 | gzip_proxied any; 5 | gzip_comp_level 6; 6 | gzip_buffers 16 8k; 7 | gzip_http_version 1.1; 8 | gzip_types 9 | 
application/javascript 10 | application/rss+xml 11 | application/vnd.ms-fontobject 12 | application/x-font 13 | application/x-font-opentype 14 | application/x-font-otf 15 | application/x-font-truetype 16 | application/x-font-ttf 17 | application/x-javascript 18 | application/xhtml+xml 19 | application/xml 20 | font/opentype 21 | font/otf 22 | font/ttf 23 | image/svg+xml 24 | image/x-icon 25 | text/css 26 | text/javascript 27 | text/plain 28 | text/xml; -------------------------------------------------------------------------------- /snippets/server-proxy.conf: -------------------------------------------------------------------------------- 1 | # this configuration will be used for each server 2 | # specified using $SITES variable 3 | # more in README; entrypoint.sh substitutes only $SERVER_NAME and $SERVER_ENDPOINT with envsubst, every other $variable below is left for nginx 4 | 5 | map $http_upgrade $connection_upgrade { 6 | default upgrade; 7 | '' close; 8 | } 9 | 10 | server { 11 | listen 443 ssl http2; 12 | server_name $SERVER_NAME; 13 | 14 | include resty-server-https.conf; 15 | 16 | location / { 17 | proxy_http_version 1.1; 18 | proxy_pass http://$SERVER_ENDPOINT; # plain HTTP to the backend: TLS terminates here, so the backend should sit on a private network 19 | proxy_set_header Host $host; 20 | proxy_set_header X-Real-IP $remote_addr; 21 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # appends $remote_addr to whatever X-Forwarded-For the client sent; backends must trust only the last address 22 | proxy_set_header X-Forwarded-Proto $scheme; 23 | proxy_set_header Upgrade $http_upgrade; 24 | proxy_set_header Connection $connection_upgrade; 25 | proxy_cache_bypass $http_upgrade; 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /snippets/ssl.conf: -------------------------------------------------------------------------------- 1 | # generated by https://mozilla.github.io/server-side-tls/ssl-config-generator/ 2 | 3 | # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate 4 | ssl_session_timeout 1d; 5 | ssl_session_cache shared:SSL:50m; 6 | ssl_session_tickets off; # resumption via the shared cache only, so there are no ticket keys to rotate 7 | 8 | # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits 9 | ssl_dhparam /etc/resty-auto-ssl/dhparam.pem; # copied from the image or generated by entrypoint.sh on first run (see DIFFIE_HELLMAN) 10 | 11 | 
# intermediate configuration. tweak to your needs. 12 | ssl_protocols TLSv1.2 TLSv1.3; 13 | ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; # governs TLSv1.2 suites only; nginx does not apply ssl_ciphers to TLSv1.3, whose suites come from the OpenSSL defaults 14 | ssl_prefer_server_ciphers on; 15 | 16 | # HSTS (uses headers-more-nginx-module included with openresty) (15768000 seconds = 6 months) 17 | # uncomment if you are sure you'll never drop HTTPS support 18 | # more_set_headers Strict-Transport-Security max-age=15768000; 19 | --------------------------------------------------------------------------------