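├── Dockerfile
├── LICENSE
├── README.md
├── entrypoint.sh
└── rancher.conf

/Dockerfile:
--------------------------------------------------------------------------------
# TLS-terminating nginx reverse proxy in front of a Rancher server.
# Everything TLS-policy related (protocols, ciphers, dhparam handling) is
# inherited from the base image; this file only adds the Rancher vhost and an
# entrypoint that renders it.

# NOTE(review): the base image is untagged, so every build floats to whatever
# :latest is at build time -- including the TLS policy this proxy relies on.
# Pin a tag (better: a digest) once you have verified one:
#   FROM marvambass/nginx-ssl-secure:<tag>@sha256:<digest>
FROM marvambass/nginx-ssl-secure
LABEL maintainer="codedevote"

# Public host name Rancher is served under. entrypoint.sh uses it as nginx's
# server_name, as the HTTP->HTTPS redirect target and as the CN of the
# fallback self-signed certificate.
# Override at run time: docker run -e RANCHER_URL=myrancher.example.org ...
ENV RANCHER_URL=localhost \
    RANCHER_PORT=8080 \
    RANCHER_CONTAINER_NAME=rancher

# nginx vhost with ${RANCHER_*} placeholders; entrypoint.sh fills them in at
# container start.
COPY rancher.conf /etc/nginx/conf.d/rancher.conf

# Replace the base image's entrypoint script with one that also renders
# rancher.conf. The base image is expected to already declare this path as
# its ENTRYPOINT and nginx as its CMD (neither is set here) -- do not add an
# ENTRYPOINT in this file: redeclaring it would reset the inherited CMD.
COPY entrypoint.sh /opt/entrypoint.sh
RUN chmod a+x /opt/entrypoint.sh

# Documentation only (does not publish ports): 80 redirects to 443, 443
# terminates TLS.
EXPOSE 80 443
--------------------------------------------------------------------------------

/LICENSE:
--------------------------------------------------------------------------------
The MIT License (MIT)

Copyright (c) 2016 Florian Fordermaier

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.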
IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# Nginx reverse proxy with SSL termination for rancher server
_maintained by codedevote_

## Overview
This Dockerfile gives you a secured nginx reverse proxy that terminates SSL/TLS and proxy-passes to a Rancher server.
This image is based on [marvambass/docker-nginx-ssl-secure](https://github.com/MarvAmBass/docker-nginx-ssl-secure) and adds an nginx configuration file for Rancher server ([rancher/rancher](https://github.com/rancher/rancher)).

View in Docker Hub [codedevote/nginx-ssl-proxy-rancher](https://hub.docker.com/r/codedevote/nginx-ssl-proxy-rancher/)

View in GitHub [codedevote/docker-nginx-ssl-proxy-rancher](https://github.com/codedevote/docker-nginx-ssl-proxy-rancher)

## Environment variables and defaults

#### Inherited from base image
* __DH\_SIZE__
  * default: 2048 (which takes a long time to create). For throwaway demo setups you can use smaller values like 512, but be aware that such short Diffie-Hellman groups offer no real protection and modern browsers and TLS libraries refuse groups below 1024 bits. Never go below 2048 for anything reachable by other people.

#### Required by this image
* __RANCHER\_URL__
  * default: localhost
  * The public host name the proxy answers for. It is used as nginx's `server_name`, as the target of the HTTP-to-HTTPS redirect and as the CN of the self-signed fallback certificate.

* __RANCHER\_PORT__
  * default: 8080
  * The port the Rancher server listens on inside the docker network.

* __RANCHER\_CONTAINER_NAME__
  * default: rancher
  * The name (docker DNS name) of the Rancher container the proxy forwards to.


## Running codedevote/nginx-ssl-proxy-rancher container
All the information on running the base image also applies to this container.

#### Assumptions
* Since the nginx container needs to communicate with the rancher container, you need to make sure there is a link between those two containers.
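You can either use the (deprecated) --link option to link the rancher container to the nginx container, or put both containers on a user-defined docker network (created with *docker network create*). There seems to be an issue (see #2) using the default docker bridge network, so make sure you create a dedicated network and attach both containers to it by adding the *--net* option to your *docker run* command.
* The rancher server can be reached from the nginx container on the docker network at __http://$RANCHER\_CONTAINER_NAME:$RANCHER\_PORT__ (for information on how to set up a rancher server refer to [https://github.com/rancher/rancher](https://github.com/rancher/rancher)). Traffic between the proxy and Rancher is plain HTTP, so keep that network private.
* You bind-mount a directory to __/etc/nginx/external__ with the following minimum contents:
  * SSL certificate (chained for intermediate CAs) in a file called __cert.pem__
  * Private key in a file called __key.pem__ -- keep it readable by its owner only (`chmod 600`)
  * You can also put a dh.pem file here (see base image docs). If not, one will be created on first start.
  * If cert.pem or key.pem is missing, the entrypoint generates a self-signed certificate for $RANCHER\_URL so the proxy still starts. Browsers will warn about it; treat this as a smoke-test fallback only.
  * Any additional *.conf files in this directory are copied into /etc/nginx/conf.d and loaded as nginx configuration, so only mount content you trust.

#### Run command
To run this image you can use the following command (the `--net` network must be the one the rancher container is attached to):

    docker run -d \
      -p 80:80 -p 443:443 \
      --net my-rancher-net \
      -e 'RANCHER_URL=rancher.example.org' \
      -e 'RANCHER_CONTAINER_NAME=rancher' \
      -e 'RANCHER_PORT=8080' \
      -v $EXT_DIR:/etc/nginx/external/ \
      codedevote/nginx-ssl-proxy-rancher


--------------------------------------------------------------------------------

/entrypoint.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Entrypoint for the Rancher TLS-terminating proxy: prepares the TLS material
# under /etc/nginx/external, renders the ${RANCHER_*} placeholders in
# rancher.conf, pulls in operator-supplied *.conf files and finally execs the
# container CMD (nginx) so it becomes PID 1.
#
# NOTE(review): the banner heredoc that originally followed the shebang
# (listing lines 3-14) was lost when this page was extracted; only the tail of
# the DH_SIZE default handling survived. The `if` opening below is
# reconstructed from that visible tail (`>&2 echo`, `DH_SIZE="2048"`, `fi`);
# confirm it against the upstream file.

EXT_DIR="/etc/nginx/external"
CONF="/etc/nginx/conf.d/rancher.conf"

# Print an error to stderr and stop the container; nginx must not start with
# a half-rendered configuration.
fail() {
  >&2 echo ">> ERROR: $*"
  exit 1
}

# These values are spliced into nginx configuration below. Refuse anything
# that is not a plain host name / port so a stray ';', '/', '$' or newline
# cannot inject directives or break the sed expressions.
[[ "$RANCHER_URL" =~ ^[A-Za-z0-9.-]+$ ]] \
  || fail "RANCHER_URL must be a host name, got '$RANCHER_URL'"
[[ "$RANCHER_CONTAINER_NAME" =~ ^[A-Za-z0-9._-]+$ ]] \
  || fail "RANCHER_CONTAINER_NAME must be a container/host name, got '$RANCHER_CONTAINER_NAME'"
[[ "$RANCHER_PORT" =~ ^[0-9]{1,5}$ ]] \
  || fail "RANCHER_PORT must be a port number, got '$RANCHER_PORT'"

if [ -z "${DH_SIZE:-}" ]
then
  >&2 echo ">> no \$DH_SIZE specified using default"
  DH_SIZE="2048"
fi
[[ "$DH_SIZE" =~ ^[0-9]+$ ]] || fail "DH_SIZE must be numeric, got '$DH_SIZE'"
# Groups below 2048 bits are weak and are rejected by current TLS clients;
# warn rather than refuse so existing demo setups keep working.
if [ "$DH_SIZE" -lt 2048 ]
then
  >&2 echo ">> WARNING: DH_SIZE=$DH_SIZE is below 2048 bits; acceptable only for throwaway demo setups"
fi

DH="$EXT_DIR/dh.pem"

if [ ! -e "$DH" ]
then
  echo ">> seems like the first start of nginx"
  echo ">> doing some preparations..."
  echo ""

  echo ">> generating $DH with size: $DH_SIZE"
  openssl dhparam -out "$DH" "$DH_SIZE" || fail "dhparam generation failed"
fi

if [ ! -e "$EXT_DIR/cert.pem" ] || [ ! -e "$EXT_DIR/key.pem" ]
then
  # Fallback only: a CN-only self-signed certificate. Browsers have ignored
  # the CN in favour of subjectAltName for years, so expect warnings -- mount
  # a real cert.pem/key.pem for anything but a smoke test. Note that if only
  # one of the two files is missing, the other one is overwritten here.
  >&2 echo ">> WARNING: cert.pem and/or key.pem missing in $EXT_DIR, falling back to a self-signed certificate"
  echo ">> generating self signed cert"
  # umask 077 keeps the unencrypted (-nodes) private key from being created
  # world-readable under the default umask; the certificate is public and is
  # opened up again afterwards. (4086 in the original was a typo for 4096.)
  (umask 077 && openssl req -x509 -newkey rsa:4096 \
    -subj "/C=XX/ST=XXXX/L=XXXX/O=XXXX/CN=$RANCHER_URL" \
    -keyout "$EXT_DIR/key.pem" \
    -out "$EXT_DIR/cert.pem" \
    -days 3650 -nodes -sha256) \
    || fail "self-signed certificate generation failed"
  chmod 0644 "$EXT_DIR/cert.pem"
fi

# Render the placeholders. '|' is used as the sed delimiter so a value may
# contain '/'; the character whitelists above guarantee no value contains a
# sed-special character ('\', '&', '|' or newline). '/g' makes the rendering
# safe to re-run on container restart (no-op once the placeholders are gone).
echo ">> setting rancher url to $RANCHER_URL"
sed -i \
  -e "s|\${RANCHER_URL}|$RANCHER_URL|g" \
  -e "s|\${RANCHER_PORT}|$RANCHER_PORT|g" \
  -e "s|\${RANCHER_CONTAINER_NAME}|$RANCHER_CONTAINER_NAME|g" \
  "$CONF" || fail "rendering $CONF failed"

# Operator-supplied extra configuration. Anything copied here is loaded by
# nginx as configuration, so the mounted directory must be trusted. A missing
# match is normal (not an error); a failing copy is not.
echo ">> copy /etc/nginx/external/*.conf files to /etc/nginx/conf.d/"
shopt -s nullglob
extra_confs=("$EXT_DIR"/*.conf)
shopt -u nullglob
if [ "${#extra_confs[@]}" -eq 0 ]
then
  echo ">> no extra *.conf files found"
else
  cp -- "${extra_confs[@]}" /etc/nginx/conf.d/ || fail "copying extra *.conf files failed"
fi

# exec CMD (exec, not a plain call, so nginx is PID 1 and receives signals)
echo ">> exec docker CMD"
echo "$@"
exec "$@"

--------------------------------------------------------------------------------

/rancher.conf:
--------------------------------------------------------------------------------
# HTTPS configuration for the Rancher server.
# Terminates TLS at the proxy and proxy-passes plain HTTP to Rancher.
# The ${RANCHER_*} placeholders are rendered by entrypoint.sh at container
# start. Protocol/cipher policy (ssl_protocols, ssl_ciphers, ssl_dhparam) is
# expected to come from the base image's global nginx config -- confirm that
# it is actually loaded alongside this file.

# Only send "Connection: upgrade" upstream when the client asked for an
# upgrade (WebSocket exec-shell / log streaming); otherwise close cleanly.
# The variable name is prefixed to avoid clashing with maps in other conf.d
# files (this file is included in the http context).
map $http_upgrade $rancher_connection_upgrade {
    default upgrade;
    ''      close;
}

upstream rancherserver {
    # Resolved once when nginx loads its configuration: if the Rancher
    # container is recreated with a new IP address, restart this proxy too.
    server ${RANCHER_CONTAINER_NAME}:${RANCHER_PORT};
}

server {
    listen 443 ssl;
    server_name ${RANCHER_URL};

    ssl_certificate     external/cert.pem;
    ssl_certificate_key external/key.pem;

    # 'always' also emits HSTS on 4xx/5xx responses, which add_header
    # otherwise skips.
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always;

    location / {
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port  $server_port;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_pass http://rancherserver;

        # WebSocket support for the Rancher UI (exec shell, logs).
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $rancher_connection_upgrade;

        # Keep idle exec-shell sessions open for up to 15 minutes. Without
        # this the nginx default of 60s applies and the shell window closes.
        proxy_read_timeout 900s;
    }
}

# Plain HTTP: redirect everything to HTTPS. $server_name (our configured
# name) is used rather than $host so a client-supplied Host header cannot
# steer the redirect elsewhere.
server {
    listen 80;
    server_name ${RANCHER_URL};
    return 301 https://$server_name$request_uri;
}
--------------------------------------------------------------------------------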