Merge pull request #1123 from nginx-proxy/disable-location-config-2
feat: disable automatic ACME HTTP challenge location configuration
buchdag authored Jun 6, 2024
2 parents dba1f82 + 28bdc6b commit e021800
Showing 9 changed files with 27 additions and 24 deletions.
2 changes: 0 additions & 2 deletions README.md
Expand Up @@ -31,7 +31,6 @@ It handles the automated creation, renewal and use of SSL certificates for proxi
Three writable volumes must be declared on the **nginx-proxy** container so that they can be shared with the **acme-companion** container:

* `/etc/nginx/certs` to store certificates and private keys (readonly for the **nginx-proxy** container).
* `/etc/nginx/vhost.d` to change the configuration of vhosts (required so the CA may access `http-01` challenge files).
* `/usr/share/nginx/html` to write `http-01` challenge files.

Additionally, a fourth volume must be declared on the **acme-companion** container to store `acme.sh` configuration and state: `/etc/acme.sh`.
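Review bot: the hunk drops the `/etc/nginx/vhost.d` bullet but leaves the unchanged lines around it counting it: "Three writable volumes must be declared on the **nginx-proxy** container" now introduces only two bullets, and "Additionally, a fourth volume must be declared on the **acme-companion** container" should become "a third volume". docs/Basic-usage.md in this same commit rewords the first sentence to "Two writable volumes"; apply the same rewording here and fix the "fourth" in both files so README.md and the docs do not disagree.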
Expand All @@ -50,7 +49,6 @@ $ docker run --detach \
--publish 80:80 \
--publish 443:443 \
--volume certs:/etc/nginx/certs \
--volume vhost:/etc/nginx/vhost.d \
--volume html:/usr/share/nginx/html \
--volume /var/run/docker.sock:/tmp/docker.sock:ro \
nginxproxy/nginx-proxy
7 changes: 5 additions & 2 deletions app/entrypoint.sh
Expand Up @@ -167,10 +167,13 @@ if [[ "$*" == "/bin/bash /app/start.sh" ]]; then
exit 1
fi
check_writable_directory '/etc/nginx/certs'
check_writable_directory '/etc/nginx/vhost.d'
parse_true "${ACME_HTTP_CHALLENGE_LOCATION:=false}" && check_writable_directory '/etc/nginx/vhost.d'
check_writable_directory '/etc/acme.sh'
check_writable_directory '/usr/share/nginx/html'
[[ -f /app/letsencrypt_user_data ]] && check_writable_directory '/etc/nginx/conf.d'
if [[ -f /app/letsencrypt_user_data ]]; then
check_writable_directory '/etc/nginx/vhost.d'
check_writable_directory '/etc/nginx/conf.d'
fi
check_default_cert_key
check_dh_group
reload_nginx
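Review bot: `/etc/nginx/vhost.d` is now checked twice when both conditions hold, once by `parse_true "${ACME_HTTP_CHALLENGE_LOCATION:=false}" && check_writable_directory '/etc/nginx/vhost.d'` and again inside the new `if [[ -f /app/letsencrypt_user_data ]]; then` block, and the two conditions are written in different styles (a `&&` list versus an `if` block). Consider one `if parse_true "${ACME_HTTP_CHALLENGE_LOCATION:=false}" || [[ -f /app/letsencrypt_user_data ]]; then check_writable_directory '/etc/nginx/vhost.d'; fi` and keep only the `/etc/nginx/conf.d` check under the user-data condition. Also note that the `:=` in the expansion assigns the default to the shell variable as a side effect of the test; that is harmless because letsencrypt_service repeats the same default, but a short comment saying the default is `false` would help the next reader.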
6 changes: 4 additions & 2 deletions app/letsencrypt_service
Expand Up @@ -348,8 +348,10 @@ function update_cert {
for domain in "${hosts_array[@]}"; do
# Add all the domains to certificate
params_issue_arr+=(--domain "$domain")
# Add location configuration for the domain
add_location_configuration "$domain" || reload_nginx
# If enabled, add location configuration for the domain
if parse_true "${ACME_HTTP_CHALLENGE_LOCATION:=false}"; then
add_location_configuration "$domain" || reload_nginx
fi
done

params_issue_arr=("${params_base_arr[@]}" "${params_issue_arr[@]}")
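Review bot: `parse_true "${ACME_HTTP_CHALLENGE_LOCATION:=false}"` is re-evaluated on every iteration of `for domain in "${hosts_array[@]}"` even though its value cannot change between domains of one certificate; evaluate it once before the loop and test the stored result inside it, so the per-domain body stays `add_location_configuration "$domain" || reload_nginx` under a single flag. The `if ... fi` wrapper does preserve the previous `|| reload_nginx` fallback when the flag is on, which is the important part.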
1 change: 0 additions & 1 deletion docs/Advanced-usage.md
Expand Up @@ -26,7 +26,6 @@ $ docker run --detach \
--publish 80:80 \
--publish 443:443 \
--volume conf:/etc/nginx/conf.d \
--volume vhost:/etc/nginx/vhost.d \
--volume html:/usr/share/nginx/html \
--volume certs:/etc/nginx/certs \
nginx
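Review bot: after `--volume vhost:/etc/nginx/vhost.d` is removed from the plain `nginx` container in this three-container example, the page gives no hint of when it must be added back. docs/Standalone-certificates.md in this commit says `/etc/nginx/vhost.d` must be shared between nginx-proxy, acme-companion and docker-gen for standalone certificates, and entrypoint.sh now refuses to start (`check_writable_directory '/etc/nginx/vhost.d'`) when `ACME_HTTP_CHALLENGE_LOCATION` is true or `/app/letsencrypt_user_data` exists and the directory is not writable; a one-line pointer to those two cases next to this command would save users a failed startup.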
4 changes: 1 addition & 3 deletions docs/Basic-usage.md
@@ -1,9 +1,8 @@
## Basic usage (with the nginx-proxy container)

Three writable volumes must be declared on the **nginx-proxy** container so that they can be shared with the **acme-companion** container:
Two writable volumes must be declared on the **nginx-proxy** container so that they can be shared with the **acme-companion** container:

* `/etc/nginx/certs` to store certificates and private keys (readonly for the **nginx-proxy** container).
* `/etc/nginx/vhost.d` to change the configuration of vhosts (required so the CA may access `http-01` challenge files).
* `/usr/share/nginx/html` to write `http-01` challenge files.

Additionally, a fourth volume must be declared on the **acme-companion** container to store `acme.sh` configuration and state: `/etc/acme.sh`.
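Review bot: "Two writable volumes" is now correct, but the unchanged line "Additionally, a fourth volume must be declared on the **acme-companion** container" still counts the removed `/etc/nginx/vhost.d` volume; change "fourth" to "third".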
Expand All @@ -22,7 +21,6 @@ $ docker run --detach \
--publish 80:80 \
--publish 443:443 \
--volume certs:/etc/nginx/certs \
--volume vhost:/etc/nginx/vhost.d \
--volume html:/usr/share/nginx/html \
--volume /var/run/docker.sock:/tmp/docker.sock:ro \
nginxproxy/nginx-proxy
4 changes: 3 additions & 1 deletion docs/Container-configuration.md
Expand Up @@ -32,4 +32,6 @@ You can also create test certificates per container (see [Test certificates](./L

* `ACME_PRE_HOOK` - The provided command will be run before every certificate issuance. The action is limited to the commands available inside the **acme-companion** container. For example `--env "ACME_PRE_HOOK=echo 'start'"`. For more information see [Pre- and Post-Hook](./Hooks.md)

* `ACME_POST_HOOK` - The provided command will be run after every certificate issuance. The action is limited to the commands available inside the **acme-companion** container. For example `--env "ACME_POST_HOOK=echo 'end'"`. For more information see [Pre- and Post-Hook](./Hooks.md)
* `ACME_POST_HOOK` - The provided command will be run after every certificate issuance. The action is limited to the commands available inside the **acme-companion** container. For example `--env "ACME_POST_HOOK=echo 'end'"`. For more information see [Pre- and Post-Hook](./Hooks.md)

* `ACME_HTTP_CHALLENGE_LOCATION` - Previously **acme-companion** automatically added the ACME HTTP challenge location to the nginx configuration through files generated in `/etc/nginx/vhost.d`. Recent versions of **nginx-proxy** (>= `1.6`) already include the required location configuration, which remove the need for **acme-companion** to attempt to dynamically add them. If you're running and older version of **nginx-proxy** (or **docker-gen** with an older version of the `nginx.tmpl` file), you can re-enable this behaviour by setting `ACME_HTTP_CHALLENGE_LOCATION` to `true`.
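Review bot: the new `ACME_HTTP_CHALLENGE_LOCATION` entry never states its default or the volume it needs. Both entrypoint.sh and letsencrypt_service default it to `false`, so say "defaults to `false`" explicitly, and say that setting it to `true` also requires mounting `/etc/nginx/vhost.d` again, because entrypoint.sh now only checks that directory when the flag is true or a user-data file is present. Since this silently changes behaviour for everyone on nginx-proxy older than `1.6` (HTTP-01 validation will fail until they opt in), the entry should say so plainly. Grammar: "which remove the need" should be "which removes the need", "dynamically add them" should be "dynamically add it", and "If you're running and older version" should be "If you're running an older version".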
20 changes: 12 additions & 8 deletions docs/Docker-Compose.md
Expand Up @@ -15,7 +15,7 @@ The use of named containers and volume is not required but helps keeping everyth
### Two containers example

```yaml
version: '2'
version: "2"
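Review bot: changing `version: '2'` to `version: "2"` is quoting churn unrelated to the challenge-location change; drop it from this commit or move it to a separate formatting commit so the diff stays reviewable.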

services:
nginx-proxy:
Expand All @@ -25,8 +25,10 @@ services:
- "80:80"
- "443:443"
volumes:
- conf:/etc/nginx/conf.d
- vhost:/etc/nginx/vhost.d
# The vhost and conf volumes are only required
# if you plan to obtain standalone certificates
# - vhost:/etc/nginx/vhost.d
# - conf:/etc/nginx/conf.d
- html:/usr/share/nginx/html
- certs:/etc/nginx/certs:ro
- /var/run/docker.sock:/tmp/docker.sock:ro
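Review bot: the comment "The vhost and conf volumes are only required if you plan to obtain standalone certificates" is incomplete: the `vhost` volume is also required when `ACME_HTTP_CHALLENGE_LOCATION=true`, which entrypoint.sh enforces with `check_writable_directory '/etc/nginx/vhost.d'` and which docs/Container-configuration.md tells users of nginx-proxy older than `1.6` to set. Extend the comment to mention that case, and apply the same fix to the three-container example further down, whose comment "The vhost volume is only required if you plan to obtain standalone certificates" has the same gap.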
Expand All @@ -46,8 +48,8 @@ services:
network_mode: bridge

volumes:
conf:
vhost:
# vhost:
# conf:
html:
certs:
acme:
Expand All @@ -56,7 +58,7 @@ volumes:
### Three containers example
```yaml
version: '2'
version: "2"

services:
nginx-proxy:
Expand All @@ -66,8 +68,10 @@ services:
- "80:80"
- "443:443"
volumes:
# The vhost volume is only required if you
# plan to obtain standalone certificates
# - vhost:/etc/nginx/vhost.d
- conf:/etc/nginx/conf.d
- vhost:/etc/nginx/vhost.d
- html:/usr/share/nginx/html
- certs:/etc/nginx/certs:ro
network_mode: bridge
Expand Down Expand Up @@ -99,8 +103,8 @@ services:
network_mode: bridge

volumes:
# vhost:
conf:
vhost:
html:
certs:
acme:
4 changes: 0 additions & 4 deletions docs/Persistent-data.md
Expand Up @@ -10,15 +10,13 @@ $ docker run -d \
-p 80:80 \
-p 443:443 \
-v certs:/etc/nginx/certs \
-v vhost:/etc/nginx/vhost.d \
-v html:/usr/share/nginx/html \
-v /var/run/docker.sock:/tmp/docker.sock:ro \
nginxproxy/nginx-proxy

$ docker volume ls
DRIVER VOLUME NAME
local certs
local vhost
local html
```

Expand All @@ -32,15 +30,13 @@ $ docker run -d \
-p 80:80 \
-p 443:443 \
-v /etc/nginx/certs \
-v /etc/nginx/vhost.d \
-v /usr/share/nginx/html \
-v /var/run/docker.sock:/tmp/docker.sock:ro \
nginxproxy/nginx-proxy

$ docker volume ls
DRIVER VOLUME NAME
local 287be3abd610e5566500d719ceb8b952952f12c9324ef02d05785d4ee9737ae9
local 6530b1b40cf89efb71aa7fd19bddec927fa2bcae59b04b9c1c850af72ffe0123
local f260f71fefadcdfc311d285d69151f2312915174d3fb1fab89949ec5ec871a54
```

3 changes: 2 additions & 1 deletion docs/Standalone-certificates.md
@@ -1,6 +1,6 @@
## Standalone certificates

You can generate certificate that are not tied to containers environment variable by mounting a user configuration file inside the container at `/app/letsencrypt_user_data`. This feature also require sharing the `/etc/nginx/conf.d` folder between the **nginx-proxy** and **acme-companion** container (and the **docker-gen** container if you are running a [three container setup](./Advanced-usage.md)):
You can generate certificate that are not tied to containers environment variable by mounting a user configuration file inside the container at `/app/letsencrypt_user_data`. This feature also require sharing the `/etc/nginx/vhost.d` and `/etc/nginx/conf.d` folder between the **nginx-proxy** and **acme-companion** container (and the **docker-gen** container if you are running a [three container setup](./Advanced-usage.md)):

```bash
$ docker run --detach \
Expand All @@ -14,6 +14,7 @@ $ docker run --detach \
--volume /var/run/docker.sock:/tmp/docker.sock:ro \
nginxproxy/nginx-proxy
```
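Review bot: the edited sentence is correct in substance (entrypoint.sh now checks both `/etc/nginx/vhost.d` and `/etc/nginx/conf.d` when `/app/letsencrypt_user_data` exists), but since the line is being touched anyway, fix its grammar: "You can generate certificate that are not tied to containers environment variable" should read "You can generate certificates that are not tied to container environment variables", and "This feature also require sharing the `/etc/nginx/vhost.d` and `/etc/nginx/conf.d` folder" should read "This feature also requires sharing the `/etc/nginx/vhost.d` and `/etc/nginx/conf.d` folders".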

```bash
$ docker run --detach \
--name nginx-proxy-acme \