
feat: allow nginx / docker-gen network segregation

* fix merge conflicts
Knapoc 1 an în urmă
părinte
comite
9711ade7a6
2 a modificat fișierele cu 41 adăugiri și 17 ștergeri
  1. 6 0
      docs/README.md
  2. 35 17
      nginx.tmpl

+ 6 - 0
docs/README.md

@@ -1157,6 +1157,12 @@ Finally, start your containers with `VIRTUAL_HOST` environment variables.
 docker run -e VIRTUAL_HOST=foo.bar.com  ...
 ```
 
+To allow for network segregation of the nginx and docker-gen containers, the label `com.github.nginx-proxy.nginx-proxy.nginx` must be applied to the nginx container, otherwise it is assumed that nginx and docker-gen share the same network:
+
+```console
+docker run -d -p 80:80 --name nginx -l "com.github.nginx-proxy.nginx-proxy.nginx" -v /tmp/nginx:/etc/nginx/conf.d -t nginx
+```
+
 ⬆️ [back to table of contents](#table-of-contents)
 
 ## Docker Compose

+ 35 - 17
nginx.tmpl

@@ -11,6 +11,7 @@
 {{- $_ := set $globals "Env" $.Env }}
 {{- $_ := set $globals "Docker" $.Docker }}
 {{- $_ := set $globals "CurrentContainer" (where $globals.containers "ID" $globals.Docker.CurrentContainerID | first) }}
+{{- $_ := set $globals "NginxContainer" (whereLabelExists $globals.containers "com.github.nginx-proxy.nginx-proxy.nginx" | first) }}
 
 {{- $config := dict }}
 {{- $_ := set $config "nginx_proxy_version" $.Env.NGINX_PROXY_VERSION }}
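Review bot: The added `whereLabelExists ... | first` lookup takes the first labelled container in the list, and nothing on this line checks that only one container carries `com.github.nginx-proxy.nginx-proxy.nginx`. Judging by the later hunks, that container's networks decide which networks are treated as reachable, so a second container carrying the label (by mistake or via a copied compose file) could silently change the generated config. I would document the expectation next to the line, for example `{{- /* Exactly one container is expected to carry this label; if several do, the first one listed wins. */}}`. It may also be worth emitting a warning comment into the output when more than one match is found.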
@@ -44,14 +45,21 @@
 
 {{- $_ := set $globals "vhosts" (dict) }}
 {{- $_ := set $globals "networks" (dict) }}
-# Networks available to the container running docker-gen (which are assumed to
+# Networks available to the container labeled "com.github.nginx-proxy.nginx-proxy.nginx" or the one running docker-gen (which are assumed to
 # match the networks available to the container running nginx):
 {{- /*
      * Note: $globals.CurrentContainer may be nil in some circumstances due to
      * <https://github.com/nginx-proxy/docker-gen/issues/458>.  For more context
      * see <https://github.com/nginx-proxy/nginx-proxy/issues/2189>.
      */}}
-{{- if $globals.CurrentContainer }}
+{{- if $globals.NginxContainer }}
+    {{- range sortObjectsByKeysAsc $globals.NginxContainer.Networks "Name" }}
+        {{- $_ := set $globals.networks .Name . }}
+#     {{ .Name }}
+    {{- else }}
+#     (none)
+    {{- end }}
+{{- else if $globals.CurrentContainer }}
     {{- range sortObjectsByKeysAsc $globals.CurrentContainer.Networks "Name" }}
         {{- $_ := set $globals.networks .Name . }}
 #     {{ .Name }}
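Review bot: The rewritten header comment is written into the generated config, but it does not say which of the two containers supplied the network list, so a reader of the output cannot tell whether the label was detected. The parenthetical "assumed to match the networks available to the container running nginx" now applies only to the docker-gen fallback, not to the labelled case. I would keep the header generic and add one line per branch, such as `#     (source: container labeled com.github.nginx-proxy.nginx-proxy.nginx)` in the new branch and `#     (source: container running docker-gen)` in the `else if` branch. The `else if` branch continues past the end of this hunk.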
@@ -97,11 +105,21 @@
                 {{- $ipv4 = "127.0.0.1" }}
                 {{- continue }}
             {{- end }}
-            {{- range sortObjectsByKeysAsc $.globals.CurrentContainer.Networks "Name" }}
-                {{- if and . .Gateway (not .Internal) }}
+            {{- if $.globals.NginxContainer }}
+                {{- range sortObjectsByKeysAsc $.globals.NginxContainer.Networks "Name" }}
+                    {{- if and . .Gateway (not .Internal) }}
     #         container is in host network mode, using {{ .Name }} gateway IP
-                    {{- $ipv4 = .Gateway }}
-                    {{- break }}
+                        {{- $ipv4 = .Gateway }}
+                        {{- break }}
+                    {{- end }}
+                {{- end }}
+            {{- else }}
+                {{- range sortObjectsByKeysAsc $.globals.CurrentContainer.Networks "Name" }}
+                    {{- if and . .Gateway (not .Internal) }}
+    #         container is in host network mode, using {{ .Name }} gateway IP
+                        {{- $ipv4 = .Gateway }}
+                        {{- break }}
+                    {{- end }}
                 {{- end }}
             {{- end }}
             {{- if $ipv4 }}
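Review bot: The new `else` branch still reads `$.globals.CurrentContainer.Networks` without a guard, although the template's own note in the earlier hunk says `CurrentContainer` may be nil and that hunk uses `else if $globals.CurrentContainer`. The unguarded access predates this commit, but the restructuring is a good place to close it, since rendering would presumably fail when neither container is found. The two `range` bodies are also identical, so the container could be chosen once with `{{- $net_source := or $.globals.NginxContainer $.globals.CurrentContainer }}`, followed by a single loop wrapped in `{{- if $net_source }}`. The enclosing block starts and ends outside this hunk.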
@@ -114,7 +132,7 @@
         {{- end }}
         {{- /*
              * Do not emit multiple `server` directives for this container if it
-             * is reachable over multiple networks or multiple IP stacks. This avoids 
+             * is reachable over multiple networks or multiple IP stacks. This avoids
              * accidentally inflating the effective round-robin weight of a server due
              * to the redundant upstream addresses that nginx sees as belonging to
              * distinct servers.
@@ -397,7 +415,7 @@ upstream {{ $vpath.upstream }} {
         {{- $debug_vpath := deepCopy $vpath | merge (dict "ports" $tmp_ports) }}
         {{- $_ := set $debug_paths $path $debug_vpath }}
     {{- end }}
-    
+
     {{- $debug_vhost := deepCopy .VHost }}
     {{- /* If it's a regexp, do not render the Hostname to the response to avoid rendering config breaking characters */}}
     {{- $_ := set $debug_vhost "hostname" (.VHost.is_regexp | ternary "Hostname is a regexp and unsafe to include in the debug response." .Hostname) }}
@@ -606,7 +624,7 @@ proxy_set_header Proxy "";
             {{- $path_port_containers := get $path_ports $port | default (list) | concat $containers }}
             {{- $_ := set $path_ports $port $path_port_containers }}
             {{- $_ := set $path_data "ports" $path_ports }}
-            
+
             {{- if (not (hasKey $path_data "dest")) }}
                 {{- $_ := set $path_data "dest" $dest }}
             {{- end }}
@@ -614,7 +632,7 @@ proxy_set_header Proxy "";
             {{- if (not (hasKey $path_data "proto")) }}
                 {{- $_ := set $path_data "proto" $proto }}
             {{- end }}
-            
+
             {{- $_ := set $paths $path $path_data }}
         {{- end }}
         {{- $_ := set $vhost_data "paths" $paths }}
@@ -666,7 +684,7 @@ proxy_set_header Proxy "";
         {{- if (not (hasKey $path_data "proto")) }}
             {{- $_ := set $path_data "proto" $proto }}
         {{- end }}
-        
+
         {{- $_ := set $paths $path $path_data }}
     {{- end }}
     {{- $_ := set $vhost_data "paths" $paths }}
@@ -708,7 +726,7 @@ proxy_set_header Proxy "";
     {{- end }}
 
     {{- $userIdentifiedCert := groupByKeys $vhost_containers "Env.CERT_NAME" | first }}
-    
+
     {{- $vhostCert := "" }}
     {{- if exists (printf "/etc/nginx/certs/%s.crt" $hostname) }}
         {{- $vhostCert = $hostname }}
@@ -721,10 +739,10 @@ proxy_set_header Proxy "";
             {{- $parentVhostCert = $parentHostname }}
         {{- end }}
     {{- end }}
-    
+
     {{- $trust_default_cert := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.trust-default-cert" | keys | first | default $globals.config.trust_default_cert | parseBool }}
     {{- $defaultCert := and $trust_default_cert $globals.config.default_cert_ok | ternary "default" "" }}
-    
+
     {{- $cert := or $userIdentifiedCert $vhostCert $parentVhostCert $defaultCert }}
     {{- $cert_ok := and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert)) }}
 
@@ -738,10 +756,10 @@ proxy_set_header Proxy "";
         {{- $https_method = "noredirect" }}
     {{- end }}
     {{- $non_get_redirect := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.non-get-redirect" | keys | first | default $globals.config.non_get_redirect }}
-    
+
     {{- $http2_enabled := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http2.enable" | keys | first | default $globals.config.enable_http2 | parseBool }}
     {{- $http3_enabled := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http3.enable" | keys | first | default $globals.config.enable_http3 | parseBool }}
-    
+
     {{- $acme_http_challenge := groupByKeys $vhost_containers "Env.ACME_HTTP_CHALLENGE_LOCATION" | first | default $globals.config.acme_http_challenge }}
     {{- $acme_http_challenge_legacy := eq $acme_http_challenge "legacy" }}
     {{- $acme_http_challenge_enabled := false }}
@@ -903,7 +921,7 @@ server {
         break;
     }
         {{- end }}
-    
+
         {{- if $vhost.enable_debug_endpoint }}
             {{ template "debug_location" (dict "GlobalConfig" $globals.config "Hostname" $hostname "VHost" $vhost) }}
         {{- end }}