v1.3.1 (#17)

bfren · web-flow · commit f38688d1f94e · 2021-02-09T12:26:59.000Z
Major updates
* Using latest Nginx base image
* Adding required PROXY_URI environment variable
* Add default server configuration
* Namespacing helper configuration files
* Adding maintenance page for HTTP 502/503/504 errors
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,4 @@
-#FROM bcgdesign/nginx:alpine-3.13-1.3.0
-FROM bcgdesign/nginx:dev
+FROM bcgdesign/nginx:alpine-3.13-1.3.2
 
 LABEL maintainer="Ben Green <ben@bcgdesign.com>" \
     org.label-schema.name="Nginx Proxy" \
@@ -13,6 +12,8 @@ EXPOSE 443
 ENV \
     # used for renewal notification emails
     LETS_ENCRYPT_EMAIL= \
+    # the base URI of the proxy server (will be used when SSL bindings fail)
+    PROXY_URI= \
     # clean all config and certificates before doing anything else
     CLEAN_INSTALL=0 \
     # set to 1 to use live instead of staging server
@@ -33,7 +34,6 @@ RUN apk -U upgrade \
         curl \
         gomplate=${GOMPLATE_VERSION} \
         openssl \
-    && mv /etc/nginx/sites/localhost.conf /etc/nginx/http.d/default.conf \
     && rm -rf /var/cache/apk/* /etc/nginx/sites /tmp/*
 
 COPY ./overlay /
diff --git a/Dockerfile-automated b/Dockerfile-automated
@@ -12,6 +12,8 @@ EXPOSE 443
 ENV \
     # used for renewal notification emails
     LETS_ENCRYPT_EMAIL= \
+    # the base URI of the proxy server (will be used when SSL bindings fail)
+    PROXY_URI= \
     # clean all config and certificates before doing anything else
     CLEAN_INSTALL=0 \
     # set to 1 to use live instead of staging server
@@ -32,7 +34,6 @@ RUN apk -U upgrade \
         curl \
         gomplate=${GOMPLATE_VERSION} \
         openssl \
-    && mv /etc/nginx/sites/localhost.conf /etc/nginx/http.d/default.conf \
     && rm -rf /var/cache/apk/* /etc/nginx/sites /tmp/*
 
 COPY ./overlay /
diff --git a/README.md b/README.md
@@ -35,6 +35,7 @@ For SSL certificate requests to work correctly, ports 80 and 443 need mapping fr
 | Variable                       | Values                | Description                                                                                                                                  | Default               |
 | ------------------------------ | --------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
 | `LETS_ENCRYPT_EMAIL`           | A valid email address | Used by Lets Encrypt for notification emails.                                                                                                | *None* - **required** |
+| `PROXY_URI`                    | URI                   | The base URI of the proxy server - will be used to handle unbound requests.                                                                  | *None* - **required** |
 | `CLEAN_INSTALL`                | 0 or 1                | If 1, all Nginx and SSL configuration and certificates will be deleted and regenerated.                                                      | 0                     |
 | `LETS_ENCRYPT_LIVE`            | 0 or 1                | Only set to 1 (to request live certificates) when your config is correct - Lets Encrypt rate limit certificate requests.                     | 0                     |
 | `SSL_DHPARAM_BITS`             | A valid integer       | The size of your DHPARAM variables - adjust down only if you have limited processing resources.                                              | 4096                  |
@@ -54,14 +55,14 @@ For SSL certificate requests to work correctly, ports 80 and 443 need mapping fr
 
 ## Nginx Configuration Helpers
 
-The image contains a handful of useful Nginx configuration 'helper' files, which you can find in `/overlay/etc/nginx/helpers`.
+The image contains a handful of useful Nginx configuration 'helper' files, which you can find in `/overlay/etc/nginx/helpers`.  They all begin with the prefix 'proxy':
 
-| Helper                            | Description                                                                                                      |
-| --------------------------------- | ---------------------------------------------------------------------------------------------------------------- |
-| `proxy-params.conf`               | Headers commonly required when proxying a site.                                                                  |
-| `proxy-params-websockets.conf`    | Headers required to use websockets.                                                                              |
-| `secure-headers.conf`             | Standard secure headers - see [Mozilla SSL Configuration Generator](https://ssl-config.mozilla.org/).            |
-| `tls1_3-only.conf`                | If you want to be ultra-secure (and not support older browsers), this will disable all TLS protocols except 1.3. |
+| Helper                    | Description                                                                                                      |
+| ------------------------- | ---------------------------------------------------------------------------------------------------------------- |
+| `-params.conf`            | Headers commonly required when proxying a site.                                                                  |
+| `-params-websockets.conf` | Headers required to use websockets.                                                                              |
+| `-secure-headers.conf`    | Standard secure headers - see [Mozilla SSL Configuration Generator](https://ssl-config.mozilla.org/).            |
+| `-tls1_3-only.conf`       | If you want to be ultra-secure (and not support older browsers), this will disable all TLS protocols except 1.3. |
 
 ## Authors
 
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-1.3.0
+1.3.1
diff --git a/overlay/etc/nginx/helpers/proxy-maintenance.conf b/overlay/etc/nginx/helpers/proxy-maintenance.conf
@@ -0,0 +1,3 @@
+location = /maintenance.html {
+    root                                /www;
+}
diff --git a/overlay/etc/nginx/helpers/proxy-secure-headers.conf b/overlay/etc/nginx/helpers/proxy-secure-headers.conf
diff --git a/overlay/etc/nginx/helpers/proxy-tls1_3-only.conf b/overlay/etc/nginx/helpers/proxy-tls1_3-only.conf
diff --git a/overlay/etc/ssl/inc/setup-nginx.sh b/overlay/etc/ssl/inc/setup-nginx.sh
@@ -11,10 +11,11 @@
 setup_nginx () {
 
     # give arguments friendly names
-    export DOMAIN_NAME=${1}
-    export UPSTREAM=${2}
-    local -n DOMAIN_ALIASES=${3}
-    export DOMAIN_NGXCONF=${4}
+    export IS_DEFAULT=${1}
+    export DOMAIN_NAME=${2}
+    export UPSTREAM=${3}
+    local -n DOMAIN_ALIASES=${4}
+    export DOMAIN_NGXCONF=${5}
 
     # paths to site configuration and custom config directory
     local SITE="${SITES}/${DOMAIN_NAME}"
@@ -50,8 +51,14 @@ setup_nginx () {
     export SERVER_NAMES=$(echo "${TMP}" | xargs)
 
     # generate site configuration
+    if [ "${IS_DEFAULT}" = "1" ] ; then
+        NGINX_CONF="default"
+    else
+        NGINX_CONF="site"
+    fi
+
     gomplate \
         -o ${CONF} \
-        -f ${TEMPLATES}/nginx-site.conf.tmpl
+        -f ${TEMPLATES}/nginx-${NGINX_CONF}.conf.tmpl
 
 }
diff --git a/overlay/etc/ssl/init b/overlay/etc/ssl/init
@@ -26,6 +26,24 @@ setup_global
 _done
 
 
+#======================================================================================================================
+# Check for PROXY_URI
+#======================================================================================================================
+
+[[ -z "${PROXY_URI-}" ]] && _error "PROXY_URI must be set."
+
+_echo "Setting up default server ${PROXY_URI}..."
+declare -a BLANK_ALIAS=()
+
+_echo "  . Nginx..."
+setup_nginx 1 ${PROXY_URI} "http://localhost" BLANK_ALIAS ""
+
+_echo "  . SSL..."
+setup_ssl ${PROXY_URI} BLANK_ALIAS
+
+_ok "  . done."
+
+
 #======================================================================================================================
 # Set up Nginx and SSL for each primary domain
 #======================================================================================================================
@@ -40,7 +58,7 @@ for DN in "${!DOMAINS[@]}" ; do
     _echo " .. ${DN}"
 
     _echo "  . Nginx..."
-    setup_nginx ${DN} ${UP} AL ${CF}
+    setup_nginx 0 ${DN} ${UP} AL ${CF}
 
     _echo "  . SSL..."
     setup_ssl ${DN} AL
diff --git a/overlay/etc/ssl/request b/overlay/etc/ssl/request
@@ -13,9 +13,12 @@ source ${INC}/check.sh
 #   -w set working directory
 #======================================================================================================================
 
+request() { /etc/ssl/getssl -U -w ${SSL_CERTS} ${1} ; }
+
 _echo "Requesting SSL certificates..."
-for D in "${!DOMAINS[@]}" ; do
-    _echo " .. ${D}"
-    /etc/ssl/getssl -U -w ${SSL_CERTS} ${D}
+request "${PROXY_URI}"
+for DN in "${!DOMAINS[@]}" ; do
+    _echo " .. ${DN}"
+    request ${DN}
 done
 _done
diff --git a/overlay/etc/templates/nginx-default.conf.tmpl b/overlay/etc/templates/nginx-default.conf.tmpl
@@ -0,0 +1,44 @@
+#======================================================================================================================
+# WARNING: This file is generated. Do not make changes to this file.
+# Changes will be overwritten the next time the container is started.
+#
+# Use environment variable PROXY_URI to change this file.
+#
+# Copyright (c) 2021 Ben Green <https://bcgdesign.com>
+#======================================================================================================================
+
+server {
+    listen                              80 default_server;
+    listen                              [::]:80 default_server;
+
+    location ^~ /{{ getenv "ACME_CHALLENGE" }} {
+        allow                           all;
+        root                            {{ getenv "WWW" }};
+    }
+
+    location / {
+        {{ if eq (getenv "SSL_REDIRECT_INSECURE") "1" }}
+        return                          301 https://{{ getenv "DOMAIN_NAME" }}$request_uri;
+        {{ else }}
+        root                            {{ getenv "WWW" }};
+        {{ end }}
+    }
+}
+
+server {
+    listen                              443 ssl http2 default_server;
+    listen                              [::]:443 ssl http2 default_server;
+
+    add_header                          X-Clacks-Overhead "GNU Terry Pratchett";
+
+    location / {
+        root                            {{ getenv "WWW" }};
+        include                         helpers/proxy-secure-headers.conf;
+        include                         {{ getenv "CUSTOM_CONF" }}/*.conf;
+    }
+
+    ssl_certificate                     {{ getenv "SSL_CERTS" }}/{{ getenv "DOMAIN_NAME" }}/fullchain.crt;
+    ssl_certificate_key                 {{ getenv "SSL_CERTS" }}/{{ getenv "DOMAIN_NAME" }}.key;
+    ssl_trusted_certificate             {{ getenv "SSL_CERTS" }}/{{ getenv "DOMAIN_NAME" }}/chain.crt;
+    ssl_dhparam                         {{ getenv "SSL_DHPARAM" }};
+}
diff --git a/overlay/etc/templates/nginx-site.conf.tmpl b/overlay/etc/templates/nginx-site.conf.tmpl
@@ -2,7 +2,7 @@
 # WARNING: This file is generated. Do not make changes to this file.
 # Changes will be overwritten the next time the container is started.
 #
-# To add server names or aliases please use /ssl/conf.sh
+# To add server names or aliases please use /ssl/conf.sh.
 #
 # If you need a fully custom configuration then add the following to /ssl/conf.sh:
 #   NGXCONF["{{ getenv "DOMAIN_NAME" }}"]="custom"
@@ -13,8 +13,8 @@
 
 {{ end }}server {
     server_name                         {{ getenv "SERVER_NAMES" }};
-    listen                              80;
-    listen                              [::]:80;
+    listen                              80{{ if eq (getenv "IS_DEFAULT") "1" }} default_server{{ end }};
+    listen                              [::]:80{{ if eq (getenv "IS_DEFAULT") "1" }} default_server{{ end }};
 
     location ^~ /{{ getenv "ACME_CHALLENGE" }} {
         allow                           all;
@@ -33,8 +33,8 @@
 
 server {
     server_name                         {{ getenv "SERVER_NAMES" }};
-    listen                              443 ssl http2;
-    listen                              [::]:443 ssl http2;
+    listen                              443 ssl http2{{ if eq (getenv "IS_DEFAULT") "1" }} default_server{{ end }};
+    listen                              [::]:443 ssl http2{{ if eq (getenv "IS_DEFAULT") "1" }} default_server{{ end }};
 
     add_header                          X-Clacks-Overhead "GNU Terry Pratchett";
 
@@ -45,10 +45,13 @@ server {
     location / {
         proxy_pass                      {{ getenv "UPSTREAM" }};
         include                         helpers/proxy-params.conf;
-        include                         helpers/secure-headers.conf;
+        include                         helpers/proxy-secure-headers.conf;
+        error_page                      502 503 504 /maintenance.html;
         include                         {{ getenv "CUSTOM_CONF" }}/*.conf;
     }
 
+    include                             helpers/proxy-maintenance.conf;
+
     ssl_certificate                     {{ getenv "SSL_CERTS" }}/{{ getenv "DOMAIN_NAME" }}/fullchain.crt;
     ssl_certificate_key                 {{ getenv "SSL_CERTS" }}/{{ getenv "DOMAIN_NAME" }}.key;
     ssl_trusted_certificate             {{ getenv "SSL_CERTS" }}/{{ getenv "DOMAIN_NAME" }}/chain.crt;
diff --git a/overlay/www/maintenance.html b/overlay/www/maintenance.html
@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Maintenance</title>
+</head>
+<body>
+<p>The site you requested is temporarily down for maintenance.  Please try again later.</p>
+<script type="text/javascript">
+    setTimeout("location.reload(true);", 10000);
+</script>
+</body>
+</html>

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+location = /maintenance.html {`
	`2`	`+ root /www;`
	`3`	`+}`