Merge pull request #44 from sebastianmacarescu/redis-storage

Redis storage

.gitattributes

@@ -0,0 +1 @@
+*.sh text eol=lf

Dockerfile

@@ -7,6 +7,11 @@ ENV DIFFIE_HELLMAN='' \
     FORCE_HTTPS='true' \
     SITES='' \
     LETSENCRYPT_URL='https://acme-v02.api.letsencrypt.org/directory' \
+    STORAGE_ADAPTER='file' \
+    REDIS_HOST='' \
+    REDIS_PORT='6379' \
+    REDIS_DB='0' \
+    REDIS_KEY_PREFIX='' \
     RESOLVER_ADDRESS='8.8.8.8'
 
 # Here we install open resty and generate dhparam.pem file.

README.md

@@ -76,8 +76,13 @@ Available configuration options:
  | SITES | `db.com=localhost:5432; *.app.com=localhost:8080`, `_=localhost:8080` | Shortcut for defining multiple proxies, in form of `domain1=endpoint1; domain2=endpoint2`. Default template for proxy is [here](https://github.com/Valian/docker-nginx-auto-ssl/blob/master/snippets/server-proxy.conf). Name `_` means default server, just like in nginx configuration |
  | FORCE_HTTPS | `true`, `false` | If `true`, automatically adds location to `resty-server-http.conf` redirecting traffic from http to https. `true` by default. |
  | LETSENCRYPT_URL | `https://acme-v02.api.letsencrypt.org/directory`, `https://acme-staging-v02.api.letsencrypt.org/directory` | Let's Encrypt server URL to use |
- | RESOLVER_ADDRESS | `8.8.8.8`, `127.0.0.53` | DNS resolver used for OCSP stapling. `8.8.8.8` by default. |
-
+ | RESOLVER_ADDRESS | `8.8.8.8`, `127.0.0.53` | DNS resolver used for OCSP stapling. `8.8.8.8` by default. To disable ipv6 append `ipv6=off`, eg `8.8.8.8 ipv6=off` |
+ | STORAGE_ADAPTER | `file`, `redis` | Location to store generated certificates. Best practice is `redis` in order to avoid I/O blocking in OpenResty and make the certs available across multiple containers (for a load balanced environment) . `file` by default |
+ | REDIS_HOST | `hostname`, `ip address` | The redis host name to use for cert storage. Required if  `STORAGE_ADAPTER=redis`|
+ | REDIS_PORT | `port number` | The redis port number. `6379` by default|
+ | REDIS_DB | `db_number` | The Redis database number used by lua-resty-auto-ssl to save certificates. `0` by default |
+ | REDIS_KEY_PREFIX | `some-prefix` | Prefix all keys stored in Redis with this string. `''` by default |
+
 
 If you want to proxy multiple sites (probably the most common case, that's why I've made it possible to achieve without custom configuration):
 

entrypoint.sh

@@ -59,7 +59,7 @@ fi
 
 
 # let's substitute $ALLOWED_DOMAINS, $LETSENCRYPT_URL and $RESOLVER_ADDRESS into OpenResty configuration
-envsubst '$ALLOWED_DOMAINS,$LETSENCRYPT_URL,$RESOLVER_ADDRESS' \
+envsubst '$ALLOWED_DOMAINS,$LETSENCRYPT_URL,$RESOLVER_ADDRESS,$STORAGE_ADAPTER,$REDIS_HOST,$REDIS_PORT,$REDIS_DB,$REDIS_KEY_PREFIX' \
   < ${RESTY_CONF_DIR}/resty-http.conf \
   > ${RESTY_CONF_DIR}/resty-http.conf.copy \
   && mv ${RESTY_CONF_DIR}/resty-http.conf.copy ${RESTY_CONF_DIR}/resty-http.conf

snippets/resty-http.conf

@@ -1,7 +1,7 @@
 # The "auto_ssl" shared dict should be defined with enough storage space to
 # hold your certificate data. 1MB of storage holds certificates for
 # approximately 100 separate domains.
-lua_shared_dict auto_ssl 1m;
+lua_shared_dict auto_ssl 10m;
 
 # The "auto_ssl" shared dict is used to temporarily store various settings
 # like the secret used by the hook server on port 8999. Do not change or
@@ -27,6 +27,16 @@ init_by_lua_block {
       return ngx.re.match(domain, '$ALLOWED_DOMAINS', 'ijo')
     end)
 
+    if "$STORAGE_ADAPTER" == "redis" then
+        auto_ssl:set("storage_adapter", "resty.auto-ssl.storage_adapters.redis")
+        auto_ssl:set("redis", {
+          host = "$REDIS_HOST",
+          port = "$REDIS_PORT",
+          db = "$REDIS_DB",
+          prefix = "$REDIS_KEY_PREFIX"
+        })
+    end
+
     auto_ssl:init()
 }