https://gitlab.com/tozd/docker/nginx-proxy
Available as:
tozd/base ← tozd/dinit ← tozd/nginx ← tozd/nginx-mailer ← tozd/nginx-cron ← tozd/nginx-proxy
ubuntu-xenialubuntu-bionicubuntu-focalubuntu-jammyubuntu-noble
/var/log/dnsmasq: Log files for an internal lightweight DNS resolver when one is not provided by Docker and whenLOG_TO_STDOUTis not set to1./var/log/dockergen: Log files for docker-gen whenLOG_TO_STDOUTis not set to1./var/log/letsencrypt: (Debug) log files for Let's encrypt service./ssl: Volume with SSL keys for hosts, together with any optional extra configuration for them. All Let's encrypt generated keys together with Let's encrypt authentication keys are stored here as well. Persist this volume to not lose state.
DOCKER_HOST: Where to connect to access Docker daemon to monitor for new containers. Default is/var/run/docker.sockinside the container.LETSENCRYPT_EMAIL: If set, enables automatic generation of SSL keys using Let's encrypt service. By setting it you agree to Let’s Encrypt Subscriber Agreement.LETSENCRYPT_ARGS: Any additional arguments you might want to pass to Let's encrypt's certbot.LOG_TO_STDOUT: If set to1output logs to stdout (retrievable usingdocker logs) instead of log volumes.NGINX_HTTPS_PORT: If set, listen on this port for HTTPS traffic instead of the default443.NGINX_HTTPS_PROTOCOLS: Sets SSL protocols for HTTPS virtual hosts. Default isTLSv1.2 TLSv1.3.NGINX_HTTPS_CIPHERS: Sets SSL ciphers for HTTPS virtual hosts. Default isHIGH:!aNULL:!MD5.
Image providing a reverse-proxy using Nginx HTTP server with support for HTTPS virtual hosts.
You can use this image as it is, or you can extend it and add configuration files for your virtual hosts.
When LOG_TO_STDOUT is set to 1, Docker image logs output to stdout and stderr. All stdout output is JSON.
This image uses docker-gen to dynamically generate Nginx configuration files for containers exposing HTTP virtual hosts. This works automatically even across container restarts. You configure virtual host by configuring environment variables on containers for which you want to provide a reverse proxy:
VIRTUAL_HOST– a comma separated list of virtual hosts provided by the containerVIRTUAL_URL– a comma separated list of URL paths provided by the container; they will be mapped to the HTTP root (/) of the containerVIRTUAL_ALIAS– a comma separated list of URL paths provided by the container, they will be mapped to the same HTTP path of the containerVIRTUAL_PORT– if container exposes more than one port, or you do not want to use the default port80, you can configure a custom port to which a reverse proxy should connect on the containerVIRTUAL_NETWORK– if container is connected to more than one network, this variable can be used to select which network should be used (by default, the first network is used, but the order is not guaranteed)VIRTUAL_LETSENCRYPT– if set, this image will automatically generate and enable a SSL key for the virtual host using Let's encrypt service, if Let's encrypt feature is enabled
When running a Docker image with your HTTP content, you can specify environment variables.
This will make the reverse proxy resolve http://example.com/ into the example container:
docker run --name example ... --env VIRTUAL_HOST=example.com --env VIRTUAL_URL=/ ...This will make the reverse proxy resolve http://example.com/foo into the example1 container, but
This will make the reverse proxy resolve http://example.com/bar into the example2 container.
docker run --name example1 ... --env VIRTUAL_HOST=example.com --env VIRTUAL_URL=/foo ...
docker run --name example2 ... --env VIRTUAL_HOST=example.com --env VIRTUAL_URL=/bar ...Multiple containers can provide content for the same host and URL paths – Nginx will balance load across all of them.
A difference between VIRTUAL_URL and VIRTUAL_ALIAS is that VIRTUAL_URL maps all outside paths to the internal HTTP root
(/) of the container. This is useful when your container provides static content under the root and you want to
expose it elsewhere to the outside. But the downside is that the internal references between resources, if a container
assumes content is under /, might not work correctly. For example, a HTML tag <img src="https://github.com/foobar.png" />, which
would from the perspective of the container, from the outside might resolve to something completely else, or not resolve
at all. This is why it is often better to serve content in containers under the same path as outside, and use
VIRTUAL_ALIAS to map them 1:1. But this means that the container has to be configured accordingly as well.
If you want to use HTTPS for a virtual host, you should mount a /ssl volume into the container and provide
SSL key for a virtual host.
For host example.com you should provide /ssl/example.com.key and /ssl/example.com.crt
files. Certificate file should contain the full chain needed to validate the certificate.
If those two files exist, the image will automatically configure the virtual host to use HTTPS and redirect any
non-HTTPS traffic to HTTPS.
If you want any extra configuration for non-HTTPS traffic, you can provide /ssl/example.com_nonssl.conf file which
will be included for the non-HTTPS configuration. Similarly, for extra configuration for the HTTPS site, provide
/ssl/example.com_ssl.conf file. Of course, filenames should match the hostname of your virtual host.
If you want to enable support for automatic generation of SSL keys using Let's encrypt
service, and you agree to Let’s Encrypt Subscriber Agreement, then you
can set LETSENCRYPT_EMAIL environment variable to your e-mail address when running this image to enable it. From then
on any container having VIRTUAL_LETSENCRYPT environment variable set will get a SSL certificate automatically
generated and enabled, and periodically renewed.
All generated keys together with Let's encrypt authentication keys are stored under /ssl volume.
You should probably configure MAILTO environment variable to your e-mail
address to receive reports from th daily cron job, and regularly check logs in /var/log/letsencrypt and
/var/log/dockergen volumes to see if there are any issues with key generation and renewal.
For e-mail sending to work you have to configure at least REMOTES environment variable
as well.
You can list in /ssl/letsencrypt.manual.list file additional domains you want the container to obtain SSL keys.
If extending the image, you can put sites configuration files under /etc/nginx/sites-enabled/ to add custom sites.
Alternatively, you can mount a volume into /etc/nginx/sites-volume/ directory and provide sites there.
To support static configuration files for containers which have dynamic IP addresses, this image configures (when not provided by Docker) Nginx with an internal lightweight DNS resolver which dynamically resolves container hostnames into IPs. Here is an example of site configuration using DNS resolving:
server {
listen 80;
server_name example.com;
# We want to resolve container IPs dynamically, so we use a variable to make
# Nginx resolve it again and again and not only at the start (so that it works
# if containers change their IPs).
location / {
set $example example;
proxy_pass http://$example:3000;
}
}
This assumes that you have a container with hostname example:
docker run --name example --hostname example ...By default, because of caching it can take up to 5 seconds for Nginx to start resolving a virtual host to a new container IP address after a change.
There is also a read-only GitHub mirror available, if you need to fork the project there.