From c66cedaf97c84de1e16e9205631db1454b7d68c6 Mon Sep 17 00:00:00 2001
From: Nicolas Duchon
Date: Thu, 30 May 2024 22:30:21 +0200
Subject: [PATCH 1/2] feat: disable location configuration by default
---
 app/entrypoint.sh | 7 +++++--
 app/letsencrypt_service | 6 ++++--
 2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/app/entrypoint.sh b/app/entrypoint.sh
index d9a836ae..75553f81 100755
--- a/app/entrypoint.sh
+++ b/app/entrypoint.sh
@@ -167,10 +167,13 @@ if [[ "$*" == "/bin/bash /app/start.sh" ]]; then
 exit 1
 fi
 check_writable_directory '/etc/nginx/certs'
- check_writable_directory '/etc/nginx/vhost.d'
+ parse_true "${ACME_HTTP_CHALLENGE_LOCATION:=false}" && check_writable_directory '/etc/nginx/vhost.d'
 check_writable_directory '/etc/acme.sh'
 check_writable_directory '/usr/share/nginx/html'
- [[ -f /app/letsencrypt_user_data ]] && check_writable_directory '/etc/nginx/conf.d'
+ if [[ -f /app/letsencrypt_user_data ]]; then
+ check_writable_directory '/etc/nginx/vhost.d'
+ check_writable_directory '/etc/nginx/conf.d'
+ fi
 check_default_cert_key
 check_dh_group
 reload_nginx
diff --git a/app/letsencrypt_service b/app/letsencrypt_service
index b5d01859..451f3121 100755
--- a/app/letsencrypt_service
+++ b/app/letsencrypt_service
@@ -348,8 +348,10 @@ function update_cert { for domain in "${hosts_array[@]}"; do # Add all the domains to certificate params_issue_arr+=(--domain "$domain") - # Add location configuration for the domain add_location_configuration "$domain" || reload_nginx + # If enabled, add location configuration for the domain + if parse_true "${ACME_HTTP_CHALLENGE_LOCATION:=false}"; then + add_location_configuration "$domain" || reload_nginx + fi done params_issue_arr=("${params_base_arr[@]}" "${params_issue_arr[@]}")
From 28bdc6b8322d8b199e47aa5a34b345ad65182d71 Mon Sep 17 00:00:00 2001 
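Review bot: In the entrypoint.sh hunk, `check_writable_directory '/etc/nginx/vhost.d'` now runs twice when `ACME_HTTP_CHALLENGE_LOCATION` is true and `/app/letsencrypt_user_data` exists, once from the new `parse_true … &&` line and once from the new `if` block. Folding both conditions into a single test keeps one check and states the rule explicitly: `if parse_true "${ACME_HTTP_CHALLENGE_LOCATION:=false}" || [[ -f /app/letsencrypt_user_data ]]; then` / `    check_writable_directory '/etc/nginx/vhost.d'` / `fi`, leaving only the `/etc/nginx/conf.d` check in the user-data block. A one-line comment above it, such as `# vhost.d is only written when the legacy challenge location is enabled or standalone certificates are configured`, would spare the next reader from reconstructing the two cases. The enclosing `if [[ "$*" == "/bin/bash /app/start.sh" ]]` block starts and ends outside the hunk.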
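Review bot: In the letsencrypt_service hunk, `parse_true "${ACME_HTTP_CHALLENGE_LOCATION:=false}"` is re-evaluated on every iteration of the `for domain` loop although its value cannot change between domains; evaluating it once before the loop, e.g. `local location_enabled=false` / `parse_true "${ACME_HTTP_CHALLENGE_LOCATION:=false}" && location_enabled=true`, and testing that flag inside reads more clearly and avoids the repeated call. Separately, the gate applies to every host that update_cert handles, while the entrypoint.sh hunk still requires `/etc/nginx/vhost.d` to be writable whenever `/app/letsencrypt_user_data` exists; if the standalone-certificate path relies on `add_location_configuration` for its hosts, the new default of `false` would skip it there as well, which is worth confirming against the user-data handling that is not part of this diff. The `update_cert` function starts and ends outside the hunk.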
From: Nicolas Duchon Date: Thu, 30 May 2024 23:17:21 +0200 Subject: [PATCH 2/2] docs: ACME_HTTP_CHALLENGE_LOCATION --- README.md | 2 -- docs/Advanced-usage.md | 1 - docs/Basic-usage.md | 4 +--- docs/Container-configuration.md | 4 +++- docs/Docker-Compose.md | 20 ++++++++++++-------- docs/Persistent-data.md | 4 ---- docs/Standalone-certificates.md | 3 ++- 7 files changed, 18 insertions(+), 20 deletions(-) diff --git a/README.md b/README.md index e7a6fe6a..934dea05 100644 --- a/README.md +++ b/README.md @@ -31,7 +31,6 @@ It handles the automated creation, renewal and use of SSL certificates for proxi Three writable volumes must be declared on the **nginx-proxy** container so that they can be shared with the **acme-companion** container: * `/etc/nginx/certs` to store certificates and private keys (readonly for the **nginx-proxy** container). -* `/etc/nginx/vhost.d` to change the configuration of vhosts (required so the CA may access `http-01` challenge files). * `/usr/share/nginx/html` to write `http-01` challenge files. Additionally, a fourth volume must be declared on the **acme-companion** container to store `acme.sh` configuration and state: `/etc/acme.sh`. @@ -50,7 +49,6 @@ $ docker run --detach \ --publish 80:80 \ --publish 443:443 \ --volume certs:/etc/nginx/certs \ - --volume vhost:/etc/nginx/vhost.d \ --volume html:/usr/share/nginx/html \ --volume /var/run/docker.sock:/tmp/docker.sock:ro \ nginxproxy/nginx-proxy diff --git a/docs/Advanced-usage.md b/docs/Advanced-usage.md index d2038e84..5b36d862 100644 --- a/docs/Advanced-usage.md +++ b/docs/Advanced-usage.md @@ -26,7 +26,6 @@ $ docker run --detach \ --publish 80:80 \ --publish 443:443 \ --volume conf:/etc/nginx/conf.d \ - --volume vhost:/etc/nginx/vhost.d \ --volume html:/usr/share/nginx/html \ --volume certs:/etc/nginx/certs \ nginx diff --git a/docs/Basic-usage.md b/docs/Basic-usage.md index e9303a17..ade1cc91 100644 --- a/docs/Basic-usage.md +++ b/docs/Basic-usage.md 
@@ -1,9 +1,8 @@ ## Basic usage (with the nginx-proxy container) -Three writable volumes must be declared on the **nginx-proxy** container so that they can be shared with the **acme-companion** container: +Two writable volumes must be declared on the **nginx-proxy** container so that they can be shared with the **acme-companion** container: * `/etc/nginx/certs` to store certificates and private keys (readonly for the **nginx-proxy** container). -* `/etc/nginx/vhost.d` to change the configuration of vhosts (required so the CA may access `http-01` challenge files). * `/usr/share/nginx/html` to write `http-01` challenge files. Additionally, a fourth volume must be declared on the **acme-companion** container to store `acme.sh` configuration and state: `/etc/acme.sh`. @@ -22,7 +21,6 @@ $ docker run --detach \ --publish 80:80 \ --publish 443:443 \ --volume certs:/etc/nginx/certs \ - --volume vhost:/etc/nginx/vhost.d \ --volume html:/usr/share/nginx/html \ --volume /var/run/docker.sock:/tmp/docker.sock:ro \ nginxproxy/nginx-proxy diff --git a/docs/Container-configuration.md b/docs/Container-configuration.md index dba47e59..d4312053 100644 --- a/docs/Container-configuration.md +++ b/docs/Container-configuration.md 
@@ -32,4 +32,6 @@ You can also create test certificates per container (see [Test certificates](./L * `ACME_PRE_HOOK` - The provided command will be run before every certificate issuance. The action is limited to the commands available inside the **acme-companion** container. For example `--env "ACME_PRE_HOOK=echo 'start'"`. For more information see [Pre- and Post-Hook](./Hooks.md) -* `ACME_POST_HOOK` - The provided command will be run after every certificate issuance. The action is limited to the commands available inside the **acme-companion** container. For example `--env "ACME_POST_HOOK=echo 'end'"`. For more information see [Pre- and Post-Hook](./Hooks.md) \ No newline at end of file +* `ACME_POST_HOOK` - The provided command will be run after every certificate issuance. The action is limited to the commands available inside the **acme-companion** container. For example `--env "ACME_POST_HOOK=echo 'end'"`. For more information see [Pre- and Post-Hook](./Hooks.md) + +* `ACME_HTTP_CHALLENGE_LOCATION` - Previously **acme-companion** automatically added the ACME HTTP challenge location to the nginx configuration through files generated in `/etc/nginx/vhost.d`. Recent versions of **nginx-proxy** (>= `1.6`) already include the required location configuration, which remove the need for **acme-companion** to attempt to dynamically add them. If you're running and older version of **nginx-proxy** (or **docker-gen** with an older version of the `nginx.tmpl` file), you can re-enable this behaviour by setting `ACME_HTTP_CHALLENGE_LOCATION` to `true`. diff --git a/docs/Docker-Compose.md b/docs/Docker-Compose.md index 67bb9a62..f5ac5d0e 100644 --- a/docs/Docker-Compose.md +++ b/docs/Docker-Compose.md @@ -15,7 +15,7 @@ The use of named containers and volume is not required but helps keeping everyth ### Two containers example ```yaml -version: '2' +version: "2" services: nginx-proxy: 
@@ -25,8 +25,10 @@ services: - "80:80" - "443:443" volumes: - - conf:/etc/nginx/conf.d - - vhost:/etc/nginx/vhost.d + # The vhost and conf volumes are only required + # if you plan to obtain standalone certificates + # - vhost:/etc/nginx/vhost.d + # - conf:/etc/nginx/conf.d - html:/usr/share/nginx/html - certs:/etc/nginx/certs:ro - /var/run/docker.sock:/tmp/docker.sock:ro @@ -46,8 +48,8 @@ services: network_mode: bridge volumes: - conf: - vhost: + # vhost: + # conf: html: certs: acme: @@ -56,7 +58,7 @@ volumes: ### Three containers example ```yaml -version: '2' +version: "2" services: nginx-proxy: @@ -66,8 +68,10 @@ services: - "80:80" - "443:443" volumes: + # The vhost volume is only required if you + # plan to obtain standalone certificates + # - vhost:/etc/nginx/vhost.d - conf:/etc/nginx/conf.d - - vhost:/etc/nginx/vhost.d - html:/usr/share/nginx/html - certs:/etc/nginx/certs:ro network_mode: bridge @@ -99,8 +103,8 @@ services: network_mode: bridge volumes: + # vhost: conf: - vhost: html: certs: acme: diff --git a/docs/Persistent-data.md b/docs/Persistent-data.md index 16ff94b6..d2c16f32 100644 --- a/docs/Persistent-data.md +++ b/docs/Persistent-data.md @@ -10,7 +10,6 @@ $ docker run -d \ -p 80:80 \ -p 443:443 \ -v certs:/etc/nginx/certs \ - -v vhost:/etc/nginx/vhost.d \ -v html:/usr/share/nginx/html \ -v /var/run/docker.sock:/tmp/docker.sock:ro \ nginxproxy/nginx-proxy @@ -18,7 +17,6 @@ $ docker run -d \ $ docker volume ls DRIVER VOLUME NAME local certs -local vhost local html ``` @@ -32,7 +30,6 @@ $ docker run -d \ -p 80:80 \ -p 443:443 \ -v /etc/nginx/certs \ - -v /etc/nginx/vhost.d \ -v /usr/share/nginx/html \ -v /var/run/docker.sock:/tmp/docker.sock:ro \ nginxproxy/nginx-proxy 
@@ -40,7 +37,6 @@ $ docker run -d \ $ docker volume ls DRIVER VOLUME NAME local 287be3abd610e5566500d719ceb8b952952f12c9324ef02d05785d4ee9737ae9 -local 6530b1b40cf89efb71aa7fd19bddec927fa2bcae59b04b9c1c850af72ffe0123 local f260f71fefadcdfc311d285d69151f2312915174d3fb1fab89949ec5ec871a54 ``` diff --git a/docs/Standalone-certificates.md b/docs/Standalone-certificates.md index c17fb568..846df636 100644 --- a/docs/Standalone-certificates.md +++ b/docs/Standalone-certificates.md @@ -1,6 +1,6 @@ ## Standalone certificates -You can generate certificate that are not tied to containers environment variable by mounting a user configuration file inside the container at `/app/letsencrypt_user_data`. This feature also require sharing the `/etc/nginx/conf.d` folder between the **nginx-proxy** and **acme-companion** container (and the **docker-gen** container if you are running a [three container setup](./Advanced-usage.md)): +You can generate certificate that are not tied to containers environment variable by mounting a user configuration file inside the container at `/app/letsencrypt_user_data`. This feature also require sharing the `/etc/nginx/vhost.d` and `/etc/nginx/conf.d` folder between the **nginx-proxy** and **acme-companion** container (and the **docker-gen** container if you are running a [three container setup](./Advanced-usage.md)): ```bash $ docker run --detach \ @@ -14,6 +14,7 @@ $ docker run --detach \ --volume /var/run/docker.sock:/tmp/docker.sock:ro \ nginxproxy/nginx-proxy ``` + ```bash $ docker run --detach \ --name nginx-proxy-acme \