├── Dockerfile
├── LICENSE
├── README.md
└── nginx.conf


/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM openresty/openresty:latest-xenial
 2 | 
 3 | RUN /usr/local/openresty/luajit/bin/luarocks install lua-resty-auto-ssl
 4 | 
 5 | RUN openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -subj '/CN=sni-support-required-for-valid-ssl' -keyout /etc/ssl/resty-auto-ssl-fallback.key -out /etc/ssl/resty-auto-ssl-fallback.crt
 6 | 
 7 | ADD nginx.conf /usr/local/openresty/nginx/conf/nginx.conf
 8 | 
 9 | ENTRYPOINT ["/usr/local/openresty/nginx/sbin/nginx", "-g", "daemon off;"]
10 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | The MIT License (MIT)
 2 | 
 3 | Copyright (c) 2016 Mat Sumpter
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # docker-lua-resty-auto-ssl
 2 | Docker file to launch OpenResty with automatic SSL generation provided by lua-resty-auto-ssl
 3 | 
 4 | All of the heavy lifting has been done here: https://github.com/GUI/lua-resty-auto-ssl
 5 | 
 6 | Getting started
 7 | ------------
 8 | ~~~
 9 | [mats@node0 projects]$ git clone https://github.com/msumpter/docker-lua-resty-auto-ssl.git
10 | Cloning into 'docker-lua-resty-auto-ssl'...
11 | remote: Counting objects: 10, done.
12 | remote: Compressing objects: 100% (9/9), done.
13 | remote: Total 10 (delta 1), reused 6 (delta 1), pack-reused 0
14 | Unpacking objects: 100% (10/10), done.
15 | [mats@node0 projects]$ cd docker-lua-resty-auto-ssl/
16 | [mats@node0 docker-lua-resty-auto-ssl]$ ls
17 | Dockerfile  LICENSE  nginx.conf  README.md
18 | [mats@node0 docker-lua-resty-auto-ssl]$ docker build .
19 | Sending build context to Docker daemon 65.54 kB
20 | Step 1 : FROM openresty/openresty:latest-xenial
21 |  ---> b66a65e18fc6
22 | Step 2 : RUN /usr/local/openresty/luajit/bin/luarocks install lua-resty-auto-ssl
23 |  ---> Using cache
24 |  ---> f16591575aee
25 | Step 3 : RUN openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -subj '/CN=sni-support-required-for-valid-ssl' -keyout /etc/ssl/resty-auto-ssl-fallback.key -out /etc/ssl/resty-auto-ssl-fallback.crt
26 |  ---> Running in 1dec579e51f5
27 | Generating a 2048 bit RSA private key
28 | ..........................................................................................................................+++
29 | ..............+++
30 | writing new private key to '/etc/ssl/resty-auto-ssl-fallback.key'
31 | -----
32 |  ---> 30eeea0304ac
33 | Removing intermediate container 1dec579e51f5
34 | Step 4 : ADD nginx.conf /usr/local/openresty/nginx/conf/nginx.conf
35 |  ---> 2fd0b693f93c
36 | Removing intermediate container d1f8adc5de16
37 | Step 5 : ENTRYPOINT /usr/local/openresty/nginx/sbin/nginx -g daemon off;
38 |  ---> Running in 9261b5df84e3
39 |  ---> 61ccf7b04c8c
40 | Removing intermediate container 9261b5df84e3
41 | Successfully built 61ccf7b04c8c
42 | [mats@node0 docker-lua-resty-auto-ssl]$ docker run -p 80:80 -p 443:443 61ccf7b04c8c    
43 | ~~~
44 | 


--------------------------------------------------------------------------------
/nginx.conf:
--------------------------------------------------------------------------------
 1 | events {
 2 |   worker_connections 1024;
 3 | }
 4 | 
 5 | http {
 6 |   # The "auto_ssl" shared dict must be defined with enough storage space to
 7 |   # hold your certificate data.
 8 |   lua_shared_dict auto_ssl 1m;
 9 | 
10 |   # A DNS resolver must be defined for OSCP stapling to function.
11 |   resolver 8.8.8.8;
12 | 
13 |   # Initial setup tasks.
14 |   init_by_lua_block {
15 |     auto_ssl = (require "resty.auto-ssl").new()
16 | 
17 |     -- Define a function to determine which SNI domains to automatically handle
18 |     -- and register new certificates for. Defaults to not allowing any domains,
19 |     -- so this must be configured.
20 |     auto_ssl:set("allow_domain", function(domain)
21 |       return true
22 |     end)
23 |     auto_ssl:set("dir", "/tmp")
24 | 
25 |     auto_ssl:init()
26 |   }
27 | 
28 |   init_worker_by_lua_block {
29 |     auto_ssl:init_worker()
30 |   }
31 | 
32 |   # HTTPS server
33 |   server {
34 |     listen 443 ssl;
35 | 
36 |     # Dynamic handler for issuing or returning certs for SNI domains.
37 |     ssl_certificate_by_lua_block {
38 |       auto_ssl:ssl_certificate()
39 |     }
40 | 
41 |     # You must still define a static ssl_certificate file for nginx to start.
42 |     #
43 |     # You may generate a self-signed fallback with:
44 |     #
45 |     # openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
46 |     #   -subj '/CN=sni-support-required-for-valid-ssl' \
47 |     #   -keyout /etc/ssl/resty-auto-ssl-fallback.key \
48 |     #   -out /etc/ssl/resty-auto-ssl-fallback.crt
49 |     ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
50 |     ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;
51 |   }
52 | 
53 |   # HTTP server
54 |   server {
55 |     listen 80;
56 | 
57 |     # Endpoint used for performing domain verification with Let's Encrypt.
58 |     location /.well-known/acme-challenge/ {
59 |       content_by_lua_block {
60 |         auto_ssl:challenge_server()
61 |       }
62 |     }
63 |   }
64 | 
65 |   # Internal server running on port 8999 for handling certificate tasks.
66 |   server {
67 |     listen 127.0.0.1:8999;
68 |     location / {
69 |       content_by_lua_block {
70 |         auto_ssl:hook_server()
71 |       }
72 |     }
73 |   }
74 | }
75 | 


--------------------------------------------------------------------------------