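├── Dockerfile
├── LICENSE
├── README.md
└── nginx.conf
/Dockerfile:
--------------------------------------------------------------------------------
# OpenResty image with lua-resty-auto-ssl installed; the nginx.conf shipped in
# this repository wires the module up (see its init_by_lua_block).
# NOTE(review): "latest-xenial" is a floating tag, so successive builds may
# resolve to different base images; pin a specific tag or digest for
# reproducible, reviewable builds.
FROM openresty/openresty:latest-xenial

# NOTE(review): no version constraint is given, so the rock installed here can
# change between builds; pin the version you have tested.
RUN /usr/local/openresty/luajit/bin/luarocks install lua-resty-auto-ssl

# Self-signed fallback certificate/key referenced by nginx.conf (nginx needs a
# static ssl_certificate to start before any real certificate exists). It is
# generated fresh at build time and stored in the image layer; the CN signals
# that it is only expected to be seen by clients that do not send SNI.
RUN openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -subj '/CN=sni-support-required-for-valid-ssl' -keyout /etc/ssl/resty-auto-ssl-fallback.key -out /etc/ssl/resty-auto-ssl-fallback.crt

# COPY rather than ADD: the source is a plain local file, and COPY carries none
# of ADD's implicit remote-URL fetch or archive auto-extraction behaviour.
COPY nginx.conf /usr/local/openresty/nginx/conf/nginx.conf

# Run nginx in the foreground as the container's main process.
ENTRYPOINT ["/usr/local/openresty/nginx/sbin/nginx", "-g", "daemon off;"]

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | The MIT License (MIT)
2 | 
3 | Copyright (c) 2016 Mat Sumpter
4 | 
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.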
22 | 
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # docker-lua-resty-auto-ssl
2 | Dockerfile to launch OpenResty with automatic SSL generation provided by lua-resty-auto-ssl
3 | 
4 | All of the heavy lifting has been done here: https://github.com/GUI/lua-resty-auto-ssl
5 | 
6 | Getting started
7 | ------------
8 | ~~~
9 | [mats@node0 projects]$ git clone https://github.com/msumpter/docker-lua-resty-auto-ssl.git
10 | Cloning into 'docker-lua-resty-auto-ssl'...
11 | remote: Counting objects: 10, done.
12 | remote: Compressing objects: 100% (9/9), done.
13 | remote: Total 10 (delta 1), reused 6 (delta 1), pack-reused 0
14 | Unpacking objects: 100% (10/10), done.
15 | [mats@node0 projects]$ cd docker-lua-resty-auto-ssl/
16 | [mats@node0 docker-lua-resty-auto-ssl]$ ls
17 | Dockerfile LICENSE nginx.conf README.md
18 | [mats@node0 docker-lua-resty-auto-ssl]$ docker build .
19 | Sending build context to Docker daemon 65.54 kB
20 | Step 1 : FROM openresty/openresty:latest-xenial
21 | ---> b66a65e18fc6
22 | Step 2 : RUN /usr/local/openresty/luajit/bin/luarocks install lua-resty-auto-ssl
23 | ---> Using cache
24 | ---> f16591575aee
25 | Step 3 : RUN openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -subj '/CN=sni-support-required-for-valid-ssl' -keyout /etc/ssl/resty-auto-ssl-fallback.key -out /etc/ssl/resty-auto-ssl-fallback.crt
26 | ---> Running in 1dec579e51f5
27 | Generating a 2048 bit RSA private key
28 | ..........................................................................................................................+++
29 | ..............+++
30 | writing new private key to '/etc/ssl/resty-auto-ssl-fallback.key'
31 | -----
32 | ---> 30eeea0304ac
33 | Removing intermediate container 1dec579e51f5
34 | Step 4 : ADD nginx.conf /usr/local/openresty/nginx/conf/nginx.conf
35 | ---> 2fd0b693f93c
36 | Removing intermediate container d1f8adc5de16
37 | Step 5 : ENTRYPOINT /usr/local/openresty/nginx/sbin/nginx -g daemon off;
38 | ---> Running in 9261b5df84e3
39 | ---> 61ccf7b04c8c
40 | Removing intermediate container 9261b5df84e3
41 | Successfully built 61ccf7b04c8c
42 | [mats@node0 docker-lua-resty-auto-ssl]$ docker run -p 80:80 -p 443:443 61ccf7b04c8c
43 | ~~~
44 | 
--------------------------------------------------------------------------------
/nginx.conf:
--------------------------------------------------------------------------------
events {
    worker_connections 1024;
}

http {
    # The "auto_ssl" shared dict must be defined with enough storage space to
    # hold your certificate data.
    lua_shared_dict auto_ssl 1m;

    # A DNS resolver must be defined for OCSP stapling to function.
    # NOTE(review): this sends nginx's resolver traffic to a public resolver
    # over plain DNS; point it at an internal resolver if that matters for
    # your environment.
    resolver 8.8.8.8;

    # Initial setup tasks (runs once in the master process at startup).
    init_by_lua_block {
        auto_ssl = (require "resty.auto-ssl").new()

        -- Define a function to determine which SNI domains to automatically handle
        -- and register new certificates for. Defaults to not allowing any domains,
        -- so this must be configured.
        -- NOTE(review): as written this accepts every SNI name a client presents,
        -- so any client connecting to port 443 can make this server attempt a
        -- Let's Encrypt issuance for an arbitrary hostname, which also burns
        -- through the CA's rate limits. Restrict it to the hostnames this server
        -- actually serves (e.g. compare `domain` against an explicit allowlist)
        -- before exposing port 443.
        auto_ssl:set("allow_domain", function(domain)
            return true
        end)
        -- Directory where the module stores issued certificates, their private
        -- keys and the ACME account key.
        -- NOTE(review): /tmp is world-writable, and a container's /tmp is lost
        -- when the container is re-created unless a volume is mounted there, so
        -- every fresh container re-registers and re-issues certificates; use a
        -- dedicated, persistent, non-shared directory instead.
        auto_ssl:set("dir", "/tmp")

        auto_ssl:init()
    }

    # Per-worker setup (starts the module's background renewal work).
    init_worker_by_lua_block {
        auto_ssl:init_worker()
    }

    # HTTPS server
    server {
        listen 443 ssl;

        # Dynamic handler for issuing or returning certs for SNI domains.
        ssl_certificate_by_lua_block {
            auto_ssl:ssl_certificate()
        }

        # You must still define a static ssl_certificate file for nginx to start.
        #
        # You may generate a self-signed fallback with:
        #
        # openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
        #   -subj '/CN=sni-support-required-for-valid-ssl' \
        #   -keyout /etc/ssl/resty-auto-ssl-fallback.key \
        #   -out /etc/ssl/resty-auto-ssl-fallback.crt
        #
        # (The Dockerfile in this repository runs that command at build time.)
        ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
        ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;
        # NOTE(review): no ssl_protocols / ssl_ciphers are set here, so the
        # OpenResty build's defaults apply; review them against your policy.
    }

    # HTTP server
    server {
        listen 80;

        # Endpoint used for performing domain verification with Let's Encrypt.
        # Only this path is handled on port 80; any other path falls through to
        # nginx's default handling (no HTTP-to-HTTPS redirect is configured).
        location /.well-known/acme-challenge/ {
            content_by_lua_block {
                auto_ssl:challenge_server()
            }
        }
    }

    # Internal server running on port 8999 for handling certificate tasks.
    # Bound to loopback only, so it is not reachable from outside the container
    # unless the port is published explicitly; keep it that way.
    server {
        listen 127.0.0.1:8999;
        location / {
            content_by_lua_block {
                auto_ssl:hook_server()
            }
        }
    }
}

--------------------------------------------------------------------------------