|
@@ -11,15 +11,21 @@
|
|
|
{{- $_ := set $globals "Env" $.Env }}
|
|
|
{{- $_ := set $globals "Docker" $.Docker }}
|
|
|
{{- $_ := set $globals "CurrentContainer" (where $globals.containers "ID" $globals.Docker.CurrentContainerID | first) }}
|
|
|
-{{- $_ := set $globals "default_cert_ok" (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
|
|
|
-{{- $_ := set $globals "external_http_port" (coalesce $globals.Env.HTTP_PORT "80") }}
|
|
|
-{{- $_ := set $globals "external_https_port" (coalesce $globals.Env.HTTPS_PORT "443") }}
|
|
|
-{{- $_ := set $globals "sha1_upstream_name" (parseBool (coalesce $globals.Env.SHA1_UPSTREAM_NAME "false")) }}
|
|
|
-{{- $_ := set $globals "default_root_response" (coalesce $globals.Env.DEFAULT_ROOT "404") }}
|
|
|
-{{- $_ := set $globals "trust_downstream_proxy" (parseBool (coalesce $globals.Env.TRUST_DOWNSTREAM_PROXY "true")) }}
|
|
|
-{{- $_ := set $globals "access_log" (or (and (not $globals.Env.DISABLE_ACCESS_LOGS) "access_log /var/log/nginx/access.log vhost;") "") }}
|
|
|
-{{- $_ := set $globals "enable_ipv6" (parseBool (coalesce $globals.Env.ENABLE_IPV6 "false")) }}
|
|
|
-{{- $_ := set $globals "ssl_policy" (or ($globals.Env.SSL_POLICY) "Mozilla-Intermediate") }}
|
|
|
+
|
|
|
+{{- $config := dict }}
|
|
|
+{{- $_ := set $config "nginx_proxy_version" $.Env.NGINX_PROXY_VERSION }}
|
|
|
+{{- $_ := set $config "default_cert_ok" (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
|
|
|
+{{- $_ := set $config "external_http_port" (coalesce $globals.Env.HTTP_PORT "80") }}
|
|
|
+{{- $_ := set $config "external_https_port" (coalesce $globals.Env.HTTPS_PORT "443") }}
|
|
|
+{{- $_ := set $config "sha1_upstream_name" (parseBool (coalesce $globals.Env.SHA1_UPSTREAM_NAME "false")) }}
|
|
|
+{{- $_ := set $config "default_root_response" (coalesce $globals.Env.DEFAULT_ROOT "404") }}
|
|
|
+{{- $_ := set $config "trust_downstream_proxy" (parseBool (coalesce $globals.Env.TRUST_DOWNSTREAM_PROXY "true")) }}
|
|
|
+{{- $_ := set $config "enable_access_log" ($globals.Env.DISABLE_ACCESS_LOGS | default "false" | parseBool | not) }}
|
|
|
+{{- $_ := set $config "enable_ipv6" (parseBool (coalesce $globals.Env.ENABLE_IPV6 "false")) }}
|
|
|
+{{- $_ := set $config "ssl_policy" (or ($globals.Env.SSL_POLICY) "Mozilla-Intermediate") }}
|
|
|
+{{- $_ := set $config "enable_debug_endpoint" ($globals.Env.DEBUG_ENDPOINT | default "false") }}
|
|
|
+{{- $_ := set $globals "config" $config }}
|
|
|
+
|
|
|
{{- $_ := set $globals "vhosts" (dict) }}
|
|
|
{{- $_ := set $globals "networks" (dict) }}
|
|
|
# Networks available to the container running docker-gen (which are assumed to
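Review bot: `enable_debug_endpoint` is stored as a raw string (`default "false"`) while the sibling booleans a few lines above go through `parseBool` at this point, and nothing on the line says why; the string form is what lets the later per-vhost `coalesce` with the container label still fall through, so that deserves a comment such as `{{- /* kept as a string: coalesced with the per-container debug-endpoint label and parsed with parseBool per vhost */}}`. The whole `$config` dict is also what `debug_location` later serialises as `global` in its JSON response, so a comment on the `$config := dict` line like `{{- /* everything placed in $config is exposed verbatim by the debug endpoint */}}` would stop a later maintainer from adding a secret-bearing value to it. `nginx_proxy_version` reads `$.Env` where every other entry reads `$globals.Env`; harmless, but one form is easier to grep.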
|
|
@@ -344,22 +350,75 @@ upstream {{ $vpath.upstream }} {
|
|
|
}
|
|
|
{{- end }}
|
|
|
|
|
|
+{{- /* debug "endpoint" location template */}}
|
|
|
+{{- define "debug_location" }}
|
|
|
+ {{- $debug_paths := dict }}
|
|
|
+ {{- range $path, $vpath := .VHost.paths }}
|
|
|
+ {{- $tmp_port := dict }}
|
|
|
+ {{- range $port, $containers := $vpath.ports }}
|
|
|
+ {{- $tmp_containers := list }}
|
|
|
+ {{- range $container := $containers }}
|
|
|
+ {{- $tmp_containers = dict "Name" $container.Name | append $tmp_containers }}
|
|
|
+ {{- end }}
|
|
|
+ {{- $_ := dict $port $tmp_containers | set $tmp_port "ports" }}
|
|
|
+ {{- $tmp_port = deepCopy $vpath | merge $tmp_port }}
|
|
|
+ {{- end }}
|
|
|
+ {{- $_ := set $debug_paths $path $tmp_port }}
|
|
|
+ {{- end }}
|
|
|
+
|
|
|
+ {{- $debug_vhost := deepCopy .VHost }}
|
|
|
+ {{- $_ := set $debug_vhost "paths" $debug_paths }}
|
|
|
+
|
|
|
+ {{- $debug_response := dict
|
|
|
+ "global" .GlobalConfig
|
|
|
+ "hostname" .Hostname
|
|
|
+ "request" (dict
|
|
|
+ "host" "$host"
|
|
|
+ "https" "$https"
|
|
|
+ "http2" "$http2"
|
|
|
+ "http3" "$http3"
|
|
|
+ "ssl_cipher" "$ssl_cipher"
|
|
|
+ "ssl_protocol" "$ssl_protocol"
|
|
|
+ )
|
|
|
+ "vhost" $debug_vhost
|
|
|
+ }}
|
|
|
+
|
|
|
+ {{- /*
|
|
|
+ * The maximum line length in an nginx config is 4096 characters.
|
|
|
+ * If we're nearing this limit (with headroom for the rest
|
|
|
+ * of the directive), strip vhost.paths from the response.
|
|
|
+ */}}
|
|
|
+ {{- if gt (toJson $debug_response | len) 4000 }}
|
|
|
+ {{- $_ := unset $debug_vhost "paths" }}
|
|
|
+ {{- $_ := set $debug_response "warning" "Virtual paths configuration for this hostname is too large and has been stripped from response." }}
|
|
|
+ {{- end }}
|
|
|
+
|
|
|
+ location /nginx-proxy-debug {
|
|
|
+ default_type application/json;
|
|
|
+ return 200 '{{ toJson $debug_response }}';
|
|
|
+ }
|
|
|
+{{- end }}
|
|
|
+
|
|
|
+{{- define "access_log" }}
|
|
|
+ {{- when .Enable "access_log /var/log/nginx/access.log vhost;" "" }}
|
|
|
+{{- end }}
|
|
|
+
|
|
|
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
|
|
|
# scheme used to connect to this server
|
|
|
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
|
|
|
- default {{ if $globals.trust_downstream_proxy }}$http_x_forwarded_proto{{ else }}$scheme{{ end }};
|
|
|
+ default {{ if $globals.config.trust_downstream_proxy }}$http_x_forwarded_proto{{ else }}$scheme{{ end }};
|
|
|
'' $scheme;
|
|
|
}
|
|
|
|
|
|
map $http_x_forwarded_host $proxy_x_forwarded_host {
|
|
|
- default {{ if $globals.trust_downstream_proxy }}$http_x_forwarded_host{{ else }}$host{{ end }};
|
|
|
+ default {{ if $globals.config.trust_downstream_proxy }}$http_x_forwarded_host{{ else }}$host{{ end }};
|
|
|
'' $host;
|
|
|
}
|
|
|
|
|
|
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
|
|
|
# server port the client connected to
|
|
|
map $http_x_forwarded_port $proxy_x_forwarded_port {
|
|
|
- default {{ if $globals.trust_downstream_proxy }}$http_x_forwarded_port{{ else }}$server_port{{ end }};
|
|
|
+ default {{ if $globals.config.trust_downstream_proxy }}$http_x_forwarded_port{{ else }}$server_port{{ end }};
|
|
|
'' $server_port;
|
|
|
}
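Review bot: `return 200 '{{ toJson $debug_response }}'` in `debug_location` places unescaped JSON inside an nginx single-quoted string, so any vhost path, container name or config value containing `'` or `$` either breaks the generated config or is expanded by nginx as a variable at request time (the `request` sub-dict relies on exactly that expansion for `$host` and friends). The length guard only protects against the 4096-character line limit; it does not cover the quoting problem. The user-controlled parts of `$debug_response` need `'` and `$` escaped before interpolation, and a template comment should state that the JSON ends up inside an nginx string and which characters are unsafe. The endpoint also answers any unauthenticated client with the nginx-proxy version, the global config and the container names behind every path of the vhost; since it is opt-in that may be acceptable, but a comment naming that exposure, and ideally an `allow`/`deny` hook, belongs in this block. The same location is inserted in the later hunks at the http-redirect server and the main server.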
|
|
|
|
|
@@ -440,7 +499,7 @@ access_log off;
|
|
|
* if at least one vhost use a TLSv1 or TLSv1.1 policy
|
|
|
* so TLSv1 and TLSv1.1 can be enabled on those vhosts
|
|
|
*/}}
|
|
|
-{{- $httpContextSslPolicy := $globals.ssl_policy }}
|
|
|
+{{- $httpContextSslPolicy := $globals.config.ssl_policy }}
|
|
|
{{- $inUseSslPolicies := groupByKeys $globals.containers "Env.SSL_POLICY" }}
|
|
|
{{- range $tls1Policy := list "AWS-TLS13-1-1-2021-06" "AWS-TLS13-1-0-2021-06" "AWS-FS-1-1-2019-08" "AWS-FS-2018-06" "AWS-TLS-1-1-2017-01" "AWS-2016-08" "AWS-2015-05" "AWS-2015-03" "AWS-2015-02" "Mozilla-Old" }}
|
|
|
{{- if has $tls1Policy $inUseSslPolicies }}
|
|
@@ -518,7 +577,7 @@ proxy_set_header Proxy "";
|
|
|
{{- end }}
|
|
|
{{- $_ := set $vhost_data "paths" $paths }}
|
|
|
{{- $is_regexp := hasPrefix "~" $hostname }}
|
|
|
- {{- $_ := set $vhost_data "upstream_name" (when (or $is_regexp $globals.sha1_upstream_name) (sha1 $hostname) $hostname) }}
|
|
|
+ {{- $_ := set $vhost_data "upstream_name" (when (or $is_regexp $globals.config.sha1_upstream_name) (sha1 $hostname) $hostname) }}
|
|
|
{{- $_ := set $globals.vhosts $hostname $vhost_data }}
|
|
|
{{- end }}
|
|
|
{{- end }}
|
|
@@ -564,7 +623,7 @@ proxy_set_header Proxy "";
|
|
|
{{- end }}
|
|
|
{{- $_ := set $vhost_data "paths" $paths }}
|
|
|
{{- $is_regexp := hasPrefix "~" $hostname }}
|
|
|
- {{- $_ := set $vhost_data "upstream_name" (when (or $is_regexp $globals.sha1_upstream_name) (sha1 $hostname) $hostname) }}
|
|
|
+ {{- $_ := set $vhost_data "upstream_name" (when (or $is_regexp $globals.config.sha1_upstream_name) (sha1 $hostname) $hostname) }}
|
|
|
{{- $_ := set $globals.vhosts $hostname $vhost_data }}
|
|
|
{{- end }}
|
|
|
|
|
@@ -610,6 +669,7 @@ proxy_set_header Proxy "";
|
|
|
{{- $cert := or $certName $vhostCert }}
|
|
|
{{- $cert_ok := and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert)) }}
|
|
|
|
|
|
+ {{- $enable_debug_endpoint := coalesce (groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.debug-endpoint" | keys | first) $globals.config.enable_debug_endpoint | parseBool }}
|
|
|
{{- $default := eq $globals.Env.DEFAULT_HOST $hostname }}
|
|
|
{{- $https_method := or (first (groupByKeys $vhost_containers "Env.HTTPS_METHOD")) $globals.Env.HTTPS_METHOD "redirect" }}
|
|
|
{{- $enable_http_on_missing_cert := parseBool (or (first (groupByKeys $vhost_containers "Env.ENABLE_HTTP_ON_MISSING_CERT")) $globals.Env.ENABLE_HTTP_ON_MISSING_CERT "true") }}
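Review bot: `$enable_debug_endpoint` takes `first` of the `keys` of `groupByLabel`, and when containers of the same vhost carry different label values the winner depends on key order, which for a map-derived key list may not be stable; the `HTTPS_METHOD` line below uses the same pattern, so this is consistent, but because this toggle controls information exposure a comment saying which value wins (or `sortAlpha` before `first`) would make it deterministic. It is also worth confirming how `parseBool` behaves on a non-boolean label value such as `yes`: if it errors, one mistyped label makes the whole template fail to render rather than just disabling the endpoint for that vhost. The enclosing `range` over vhosts starts before this hunk.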
|
|
@@ -641,6 +701,7 @@ proxy_set_header Proxy "";
|
|
|
{{- $vhost_data = merge $vhost_data (dict
|
|
|
"cert" $cert
|
|
|
"cert_ok" $cert_ok
|
|
|
+ "enable_debug_endpoint" $enable_debug_endpoint
|
|
|
"default" $default
|
|
|
"hsts" $hsts
|
|
|
"https_method" $https_method
|
|
@@ -700,30 +761,30 @@ proxy_set_header Proxy "";
|
|
|
server {
|
|
|
server_name _; # This is just an invalid value which will never trigger on a real hostname.
|
|
|
server_tokens off;
|
|
|
- {{ $globals.access_log }}
|
|
|
+ {{ template "access_log" (dict "Enable" $globals.config.enable_access_log) }}
|
|
|
http2 on;
|
|
|
{{- if $fallback_http }}
|
|
|
- listen {{ $globals.external_http_port }}; {{- /* Do not add `default_server` (see comment above). */}}
|
|
|
- {{- if $globals.enable_ipv6 }}
|
|
|
- listen [::]:{{ $globals.external_http_port }}; {{- /* Do not add `default_server` (see comment above). */}}
|
|
|
+ listen {{ $globals.config.external_http_port }}; {{- /* Do not add `default_server` (see comment above). */}}
|
|
|
+ {{- if $globals.config.enable_ipv6 }}
|
|
|
+ listen [::]:{{ $globals.config.external_http_port }}; {{- /* Do not add `default_server` (see comment above). */}}
|
|
|
{{- end }}
|
|
|
{{- end }}
|
|
|
{{- if $fallback_https }}
|
|
|
- listen {{ $globals.external_https_port }} ssl; {{- /* Do not add `default_server` (see comment above). */}}
|
|
|
- {{- if $globals.enable_ipv6 }}
|
|
|
- listen [::]:{{ $globals.external_https_port }} ssl; {{- /* Do not add `default_server` (see comment above). */}}
|
|
|
+ listen {{ $globals.config.external_https_port }} ssl; {{- /* Do not add `default_server` (see comment above). */}}
|
|
|
+ {{- if $globals.config.enable_ipv6 }}
|
|
|
+ listen [::]:{{ $globals.config.external_https_port }} ssl; {{- /* Do not add `default_server` (see comment above). */}}
|
|
|
{{- end }}
|
|
|
{{- if $http3_enabled }}
|
|
|
http3 on;
|
|
|
- listen {{ $globals.external_https_port }} quic reuseport; {{- /* Do not add `default_server` (see comment above). */}}
|
|
|
- {{- if $globals.enable_ipv6 }}
|
|
|
- listen [::]:{{ $globals.external_https_port }} quic reuseport; {{- /* Do not add `default_server` (see comment above). */}}
|
|
|
+ listen {{ $globals.config.external_https_port }} quic reuseport; {{- /* Do not add `default_server` (see comment above). */}}
|
|
|
+ {{- if $globals.config.enable_ipv6 }}
|
|
|
+ listen [::]:{{ $globals.config.external_https_port }} quic reuseport; {{- /* Do not add `default_server` (see comment above). */}}
|
|
|
{{- end }}
|
|
|
{{- end }}
|
|
|
ssl_session_cache shared:SSL:50m;
|
|
|
ssl_session_tickets off;
|
|
|
{{- end }}
|
|
|
- {{- if $globals.default_cert_ok }}
|
|
|
+ {{- if $globals.config.default_cert_ok }}
|
|
|
ssl_certificate /etc/nginx/certs/default.crt;
|
|
|
ssl_certificate_key /etc/nginx/certs/default.key;
|
|
|
{{- else }}
|
|
@@ -759,10 +820,10 @@ server {
|
|
|
{{- if $vhost.server_tokens }}
|
|
|
server_tokens {{ $vhost.server_tokens }};
|
|
|
{{- end }}
|
|
|
- {{ $globals.access_log }}
|
|
|
- listen {{ $globals.external_http_port }} {{ $default_server }};
|
|
|
- {{- if $globals.enable_ipv6 }}
|
|
|
- listen [::]:{{ $globals.external_http_port }} {{ $default_server }};
|
|
|
+ {{ template "access_log" (dict "Enable" $globals.config.enable_access_log) }}
|
|
|
+ listen {{ $globals.config.external_http_port }} {{ $default_server }};
|
|
|
+ {{- if $globals.config.enable_ipv6 }}
|
|
|
+ listen [::]:{{ $globals.config.external_http_port }} {{ $default_server }};
|
|
|
{{- end }}
|
|
|
|
|
|
{{- if (or $vhost.acme_http_challenge_legacy $vhost.acme_http_challenge_enabled) }}
|
|
@@ -776,12 +837,16 @@ server {
|
|
|
break;
|
|
|
}
|
|
|
{{- end }}
|
|
|
+
|
|
|
+ {{- if $vhost.enable_debug_endpoint }}
|
|
|
+ {{ template "debug_location" (dict "GlobalConfig" $globals.config "Hostname" $hostname "VHost" $vhost) }}
|
|
|
+ {{- end }}
|
|
|
|
|
|
location / {
|
|
|
- {{- if eq $globals.external_https_port "443" }}
|
|
|
+ {{- if eq $globals.config.external_https_port "443" }}
|
|
|
return 301 https://$host$request_uri;
|
|
|
{{- else }}
|
|
|
- return 301 https://$host:{{ $globals.external_https_port }}$request_uri;
|
|
|
+ return 301 https://$host:{{ $globals.config.external_https_port }}$request_uri;
|
|
|
{{- end }}
|
|
|
}
|
|
|
}
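Review bot: The `debug_location` template is inserted into the HTTP server whose only other job is the 301 redirect to HTTPS, and because `location /nginx-proxy-debug` is a longer prefix than `location /` it is answered over plaintext HTTP before the redirect ever applies; the version, config and container-name JSON therefore leaves the host unencrypted even for vhosts that enforce HTTPS. If that is intended, a comment such as `{{- /* also served over plain HTTP: the debug output is not covered by the HTTPS redirect */}}` should say so; otherwise drop the block from this server and keep only the one emitted in the HTTPS server in a later hunk. The enclosing `server` block starts before this hunk.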
|
|
@@ -809,14 +874,14 @@ server {
|
|
|
{{- if $vhost.server_tokens }}
|
|
|
server_tokens {{ $vhost.server_tokens }};
|
|
|
{{- end }}
|
|
|
- {{ $globals.access_log }}
|
|
|
+ {{ template "access_log" (dict "Enable" $globals.config.enable_access_log) }}
|
|
|
{{- if $vhost.http2_enabled }}
|
|
|
http2 on;
|
|
|
{{- end }}
|
|
|
{{- if or (eq $vhost.https_method "nohttps") (eq $vhost.https_method "noredirect") }}
|
|
|
- listen {{ $globals.external_http_port }} {{ $default_server }};
|
|
|
- {{- if $globals.enable_ipv6 }}
|
|
|
- listen [::]:{{ $globals.external_http_port }} {{ $default_server }};
|
|
|
+ listen {{ $globals.config.external_http_port }} {{ $default_server }};
|
|
|
+ {{- if $globals.config.enable_ipv6 }}
|
|
|
+ listen [::]:{{ $globals.config.external_http_port }} {{ $default_server }};
|
|
|
{{- end }}
|
|
|
|
|
|
{{- if (and (eq $vhost.https_method "noredirect") $vhost.acme_http_challenge_enabled) }}
|
|
@@ -830,17 +895,17 @@ server {
|
|
|
{{- end }}
|
|
|
{{- end }}
|
|
|
{{- if ne $vhost.https_method "nohttps" }}
|
|
|
- listen {{ $globals.external_https_port }} ssl {{ $default_server }};
|
|
|
- {{- if $globals.enable_ipv6 }}
|
|
|
- listen [::]:{{ $globals.external_https_port }} ssl {{ $default_server }};
|
|
|
+ listen {{ $globals.config.external_https_port }} ssl {{ $default_server }};
|
|
|
+ {{- if $globals.config.enable_ipv6 }}
|
|
|
+ listen [::]:{{ $globals.config.external_https_port }} ssl {{ $default_server }};
|
|
|
{{- end }}
|
|
|
|
|
|
{{- if $vhost.http3_enabled }}
|
|
|
http3 on;
|
|
|
- add_header alt-svc 'h3=":{{ $globals.external_https_port }}"; ma=86400;';
|
|
|
- listen {{ $globals.external_https_port }} quic {{ $default_server }};
|
|
|
- {{- if $globals.enable_ipv6 }}
|
|
|
- listen [::]:{{ $globals.external_https_port }} quic {{ $default_server }};
|
|
|
+ add_header alt-svc 'h3=":{{ $globals.config.external_https_port }}"; ma=86400;';
|
|
|
+ listen {{ $globals.config.external_https_port }} quic {{ $default_server }};
|
|
|
+ {{- if $globals.config.enable_ipv6 }}
|
|
|
+ listen [::]:{{ $globals.config.external_https_port }} quic {{ $default_server }};
|
|
|
{{- end }}
|
|
|
{{- end }}
|
|
|
|
|
@@ -871,7 +936,7 @@ server {
|
|
|
}
|
|
|
add_header Strict-Transport-Security $sts_header always;
|
|
|
{{- end }}
|
|
|
- {{- else if $globals.default_cert_ok }}
|
|
|
+ {{- else if $globals.config.default_cert_ok }}
|
|
|
# No certificate found for this vhost, so use the default certificate and
|
|
|
# return an error code if the user connects via https.
|
|
|
ssl_certificate /etc/nginx/certs/default.crt;
|
|
@@ -893,6 +958,10 @@ server {
|
|
|
include /etc/nginx/vhost.d/default;
|
|
|
{{- end }}
|
|
|
|
|
|
+ {{- if $vhost.enable_debug_endpoint }}
|
|
|
+ {{ template "debug_location" (dict "GlobalConfig" $globals.config "Hostname" $hostname "VHost" $vhost) }}
|
|
|
+ {{- end }}
|
|
|
+
|
|
|
{{- range $path, $vpath := $vhost.paths }}
|
|
|
{{- template "location" (dict
|
|
|
"Path" $path
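Review bot: `location /nginx-proxy-debug` is emitted unconditionally ahead of the `range $vhost.paths` loop, so a vhost that declares a `/nginx-proxy-debug` path of its own produces two locations with the same prefix and nginx rejects the config with a duplicate-location error. Guarding the include with `{{- if and $vhost.enable_debug_endpoint (not (hasKey $vhost.paths "/nginx-proxy-debug")) }}`, or at least documenting the reserved path in a comment, avoids that. The enclosing `server` block starts before this hunk and the `template "location"` call continues past it.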
|
|
@@ -903,9 +972,9 @@ server {
|
|
|
) }}
|
|
|
{{- end }}
|
|
|
|
|
|
- {{- if and (not (contains $vhost.paths "/")) (ne $globals.default_root_response "none")}}
|
|
|
+ {{- if and (not (contains $vhost.paths "/")) (ne $globals.config.default_root_response "none")}}
|
|
|
location / {
|
|
|
- return {{ $globals.default_root_response }};
|
|
|
+ return {{ $globals.config.default_root_response }};
|
|
|
}
|
|
|
{{- end }}
|
|
|
}
|