
Commit bae1be3

committed
docs: add Let's Encrypt docker example
This change adds an auto-renewing Let's Encrypt configuration for use with the wrapper.
1 parent 3977b27 commit bae1be3


6 files changed

+248
-0
lines changed


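--- a/recipes/letsencrypt/Dockerfile
+++ b/recipes/letsencrypt/Dockerfile
@@ -0,0 +1,31 @@
+FROM nginx:1.19.3
+
+ENV LETS_ENCRYPT_DIR /etc/letsencrypt/live
+ENV NGINX_CONF_DIR /etc/nginx
+ENV NGINX_WRAPPER_VERSION v0.0.2
+ENV NGINX_WRAPPER_CHECKSUM baad2c58df709688fed24c345e05d647c669aa025273f192f445c73869353f79
+
+COPY opt /opt
+
+RUN set -eux \
+export DEBIAN_FRONTEND=noninteractive; \
+rm /etc/machine-id; \
+curl --retry 6 -Ls -o "${NGINX_CONF_DIR}/options-ssl-nginx.conf" \
+"https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf"; \
+curl --retry 6 -Ls -o "${NGINX_CONF_DIR}/ssl-dhparams.pem" \
+"https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem"; \
+mkdir -p /opt/nginx-wrapper/bin /opt/nginx-wrapper/plugins /opt/nginx-wrapper/run; \
+curl -o /opt/nginx-wrapper/bin/nginx-wrapper.gz --retry 6 -Ls "https://github.com/nginxinc/nginx-wrapper/releases/download/${NGINX_WRAPPER_VERSION}/nginx-wrapper-linux_amd64-${NGINX_WRAPPER_VERSION}.gz"; \
+echo "${NGINX_WRAPPER_CHECKSUM} /opt/nginx-wrapper/bin/nginx-wrapper.gz" | sha256sum -c; \
+gunzip /opt/nginx-wrapper/bin/nginx-wrapper.gz; \
+chmod +x /opt/nginx-wrapper/bin/*; \
+apt-get update -qq; \
+apt-get install -y -qq uuid certbot python3-certbot-nginx; \
+rm -rf /var/lib/apt/lists/* /var/tmp/* /tmp/*
+
+WORKDIR /opt/nginx-wrapper
+
+CMD [ "bin/launch_wrapper.sh" ]
+
+EXPOSE 80
+EXPOSE 443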
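Review bot: The first line of the RUN step, `set -eux \`, has no terminating `;`, so the continuation joins it into `set -eux export DEBIAN_FRONTEND=noninteractive`, which sets the words `export` and `DEBIAN_FRONTEND=noninteractive` as positional parameters instead of exporting the variable; change that line to `set -eux; \`. The two `curl` downloads of options-ssl-nginx.conf and ssl-dhparams.pem fetch from the certbot `master` branch with no pinned revision or checksum, unlike the wrapper binary, which is checked against NGINX_WRAPPER_CHECKSUM; pinning them to a tag or commit and verifying a sha256 the same way keeps the TLS policy and DH parameters reproducible. `ENV LETS_ENCRYPT_DIR` is not referenced by any other file in this commit (the launch script hard-codes /etc/letsencrypt/live), so either drop it or have the script read it. The ENV lines use the legacy space-separated form; `ENV NGINX_CONF_DIR=/etc/nginx` is the supported form.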
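--- a/PATH_NOT_SHOWN_ON_PAGE_FILE_2
+++ b/PATH_NOT_SHOWN_ON_PAGE_FILE_2
@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+
+# Exit the script and an error is encountered
+set -o errexit
+# Exit the script when a pipe operation fails
+set -o pipefail
+
+if [ -z "${TLS_HOSTNAME}" ]; then
+>&2 echo "TLS_HOSTNAME must be set to the domain you wish to use with Let's Encrypt"
+exit 1
+fi
+
+if [ -z "${LETS_ENCRYPT_EMAIL}" ]; then
+>&2 echo "LETS_ENCRYPT_EMAIL must be set to the email that you wish to use with Let's Encrypt"
+exit 1
+fi
+
+if [ -z "${DNS_RESOLVER}" ]; then
+>&2 echo "DNS_RESOLVER was not set - using default of 1.1.1.1"
+export DNS_RESOLVER="1.1.1.1"
+fi
+
+# Path to the Let's Encrypt TLS certificates
+export CERT_DIR="/etc/letsencrypt/live/${TLS_HOSTNAME}"
+export PATH="${PATH}:/opt/nginx-wrapper/bin"
+
+if [ "" = "${LETS_ENCRYPT_STAGING:-}" ] || [ "0" = "${LETS_ENCRYPT_STAGING}" ]; then
+CERTBOT_STAGING_FLAG=""
+else
+CERTBOT_STAGING_FLAG="--staging"
+fi
+
+# Exit the script when there are undeclared variables
+set -o nounset
+
+if [ ! -f "${CERT_DIR}/fullchain.pem" ]; then
+echo "Generating certificates with Let's Encrypt"
+certbot certonly --standalone \
+-m "${LETS_ENCRYPT_EMAIL}" \
+${CERTBOT_STAGING_FLAG} \
+--agree-tos --force-renewal --non-interactive \
+-d "${TLS_HOSTNAME}"
+fi
+
+# Assigns a unique machine ID that can be read by the wrapper
+if [ ! -f /etc/machine-id ]; then
+uuid -F STR | tr -d '-' > /etc/machine-id
+fi
+
+# Start up the wrapper
+exec /opt/nginx-wrapper/bin/nginx-wrapper \
+--config /opt/nginx-wrapper/nginx-wrapper.toml \
+run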
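Review bot: The script's environment contract is only discoverable by reading the checks; a header comment after the shebang should list it: `# Required: TLS_HOSTNAME, LETS_ENCRYPT_EMAIL. Optional: DNS_RESOLVER (default 1.1.1.1), LETS_ENCRYPT_STAGING (empty or 0 = production, anything else = --staging).` The `certbot certonly --standalone` block runs before the wrapper is exec'd, which appears to be what lets it bind port 80 while nginx is not yet listening; a comment stating that dependency above the `if [ ! -f "${CERT_DIR}/fullchain.pem" ]` line would stop someone moving it after startup. The comment on line 3 reads "Exit the script and an error is encountered" and should be `# Exit the script when an error is encountered`.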
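--- a/PATH_NOT_SHOWN_ON_PAGE_FILE_3
+++ b/PATH_NOT_SHOWN_ON_PAGE_FILE_3
@@ -0,0 +1,6 @@
+#!/usr/bin/env sh
+
+# Issue a NGINX reload signal (SIGUSR2 indicates to the wrapper to ONLY reload
+# NGINX and not other configuration) to the nginx-wrapper.
+WRAPPER_PID="$(cat /opt/nginx-wrapper/run/nginx-wrapper.pid)"
+kill -s SIGUSR2 "${WRAPPER_PID}"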
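Review bot: If the pid file is missing or unreadable, `cat` fails but the script continues and calls `kill` with an empty argument, so the post-hook reports a confusing error rather than the real cause; add `set -e` after the shebang so the failed command substitution aborts the script. The last line spells the signal with the SIG prefix under `#!/usr/bin/env sh`; POSIX `kill -s` takes the bare name, so `kill -s USR2 "${WRAPPER_PID}"` is the portable form, which matters because the image's /bin/sh is not bash.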
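--- a/PATH_NOT_SHOWN_ON_PAGE_FILE_4
+++ b/PATH_NOT_SHOWN_ON_PAGE_FILE_4
@@ -0,0 +1,82 @@
+# Core configuration
+
+# By default searches $PATH for the binary "nginx".
+# Absolute and relative paths are also acceptable.
+nginx_binary = "nginx"
+
+# The runtime directory of the nginx process. Configuration and other
+# related files will be copied into this directory.
+# By default assigns the value of os.TempDir() + '/nginx-wrapper'.
+run_path = "/opt/nginx-wrapper/run"
+
+# Uses the value of --modules_path as returned by "nginx -V" by default.
+modules_path = "/usr/lib/nginx/modules"
+
+# Path to read nginx-wrapper plugins from.
+# Default value is: ./plugins/
+plugin_path = "./plugins"
+
+# Array of plugins that are enabled to run in the NGINX Wrapper.
+# By default no plugins are enabled.
+enabled_plugins = [ "coprocess", "template" ]
+
+# Logging configuration
+[log]
+# Log verbosity for output. Default value is INFO.
+# Valid values are: TRACE, DEBUG, INFO, WARN, ERROR, PANIC, FATAL
+level = "INFO"
+
+# Log output destination. Default value is STDOUT.
+# Valid values are: STDOUT, STDERR, file path
+destination = "STDOUT"
+
+# Log format for output. Default value is TextFormatter
+# Valid values are: TextFormatter, JSONFormatter
+formatter_name = "TextFormatter"
+
+# Section containing options for the log formatter.
+# Reference https://github.com/sirupsen/logrus for valid values
+# Both snake case and title case are acceptable
+[log.formatter_options]
+full_timestamp = true
+pad_level_text = true
+
+# Plugin configuration configuration occurs in its own block named after the
+# plugin.
+[template]
+# Subdirectories to create under the run_path.
+# Default values are: "client_body", "proxy", "fastcgi", "uswsgi", "scgi"
+run_path_subdirs = [ "client_body", "conf", "proxy", "fastcgi", "uswsgi", "scgi" ]
+
+# By default we look in the current directory for the file
+# 'nginx.conf.' + template_suffix. A directory path is also acceptable.
+conf_template_path = "template"
+
+# The suffix that for all files that will undergo templating. By default
+# the value is: .tmpl
+template_suffix = ".tmpl"
+
+# The substitution characters used in templating. By default NGINX Wrapper
+# uses two square brackets surrounding the templating directive. This differs
+# from the default for go templates.
+template_var_left_delim = "[["
+template_var_right_delim = "]]"
+
+# Flag indicating if we want to delete the templated configuration output
+# when the wrapper exits.
+# Default value: true
+delete_templated_conf_on_exit = true
+
+# Flag indicating if we want to delete the nginx run directory when the
+# wrapper exits.
+# Default value: false
+delete_run_path_on_exit = false
+
+[coprocess.certbot_renew]
+name = "certbot_renew"
+exec = [ "certbot", "renew", "--nginx", "--post-hook", "nginx_reload.sh" ]
+restarts = "unlimited"
+time_between_restarts = "24h"
+background = true
+exec_event = "pre-start"
+stop_event = "exit"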
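Review bot: The `exec` line in `[coprocess.certbot_renew]` renews with `--nginx`, but the `/.well-known/acme-challenge/` location with `root /var/www/certbot` added in the conf.d template is only consulted by the webroot authenticator, and nothing in this commit creates or populates /var/www/certbot, so the two halves of the renewal path do not match; as far as I can tell the nginx authenticator also rewrites and reloads the config it finds under /etc/nginx rather than the copy the wrapper renders into run_path, which is worth confirming against the installed certbot. Switching to `exec = [ "certbot", "renew", "--webroot", "-w", "/var/www/certbot", "--post-hook", "nginx_reload.sh" ]` and adding `mkdir -p /var/www/certbot` to the Dockerfile RUN step would make the location block do the work and leave the templated config untouched. `run_path_subdirs` pre-creates `"uswsgi"` while the nginx.conf template points `uwsgi_temp_path` at `[[.run_path]]/uwsgi`, so one of the two spellings should change. `--post-hook nginx_reload.sh` is resolved via PATH, which only works because the launch script appends /opt/nginx-wrapper/bin before exec'ing the wrapper; a comment on that line recording the dependency would help.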
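--- a/PATH_NOT_SHOWN_ON_PAGE_FILE_5
+++ b/PATH_NOT_SHOWN_ON_PAGE_FILE_5
@@ -0,0 +1,41 @@
+server {
+listen 80;
+listen [::]:80;
+
+# ACME-challenge used by CertBot for Let's Encrypt
+location ^~ /.well-known/acme-challenge/ {
+root /var/www/certbot;
+}
+
+location / {
+return 301 https://[[index .env "TLS_HOSTNAME"]]\$request_uri;
+}
+}
+
+server {
+listen 443 ssl http2;
+listen [::]:443 ssl http2;
+server_name [[index .env "TLS_HOSTNAME"]];
+
+# Let's Encrypt configuration
+ssl_certificate [[index .env "CERT_DIR"]]/fullchain.pem;
+ssl_certificate_key [[index .env "CERT_DIR"]]/privkey.pem;
+ssl_trusted_certificate [[index .env "CERT_DIR"]]/chain.pem;
+
+include [[index .env "NGINX_CONF_DIR"]]/options-ssl-nginx.conf;
+ssl_dhparam [[index .env "NGINX_CONF_DIR"]]/ssl-dhparams.pem;
+
+# OCSP Stapling
+ssl_stapling on;
+ssl_stapling_verify on;
+
+location / {
+root /usr/share/nginx/html;
+index index.html index.htm;
+}
+
+error_page 500 502 503 504 /50x.html;
+location = /50x.html {
+root /usr/share/nginx/html;
+}
+}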
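Review bot: The `return 301` in the port-80 server writes `\$request_uri`; Go's text/template leaves backslashes outside actions untouched and nginx has no escape syntax for `$`, so unless the wrapper's templating step strips it the rendered directive carries a literal backslash into the Location header — check a rendered conf.d output and, if it is there, use `return 301 https://[[index .env "TLS_HOSTNAME"]]$request_uri;`. Since every plaintext request is already redirected, the 443 server could also send `add_header Strict-Transport-Security "max-age=63072000" always;` so browsers stop trying port 80 at all; I would add it with a comment that it commits the hostname to HTTPS for that period.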
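--- a/PATH_NOT_SHOWN_ON_PAGE_FILE_6
+++ b/PATH_NOT_SHOWN_ON_PAGE_FILE_6
@@ -0,0 +1,35 @@
+# Last reloaded: [[.last_reload_time]]
+
+daemon off;
+master_process on;
+pid [[.run_path]]/nginx.pid;
+error_log /dev/stdout info;
+worker_processes 1;
+
+events {
+worker_connections 1024;
+}
+
+http {
+include [[index .env "NGINX_CONF_DIR"]]/mime.types;
+default_type application/octet-stream;
+
+log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+'$status $body_bytes_sent "$http_referer" '
+'"$http_user_agent" "$http_x_forwarded_for"';
+
+access_log /dev/stdout main;
+
+client_body_temp_path [[.run_path]]/client_body;
+proxy_temp_path [[.run_path]]/proxy;
+fastcgi_temp_path [[.run_path]]/fastcgi;
+uwsgi_temp_path [[.run_path]]/uwsgi;
+scgi_temp_path [[.run_path]]/scgi;
+
+sendfile on;
+keepalive_timeout 65;
+
+resolver [[index .env "DNS_RESOLVER"]];
+
+include [[.template_conf_output_path]]/conf.d/*.conf;
+}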
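Review bot: The template depends on `NGINX_CONF_DIR` and `DNS_RESOLVER` from the environment and on `.run_path` and `.template_conf_output_path` from the wrapper, but nothing in the file says so; a header comment after line 1 such as `# Env: NGINX_CONF_DIR (set in the Dockerfile), DNS_RESOLVER (defaulted by the launch script); .run_path and .template_conf_output_path come from the wrapper` documents the contract. The `resolver` line is fed an unvalidated environment value, and its purpose here is that `ssl_stapling_verify on` in the conf.d template needs a resolver to fetch OCSP responses; a comment stating that explains why a bad value breaks startup rather than merely degrading logging. Adding `server_tokens off;` to the http block stops the image from advertising its nginx version in headers and error pages.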
