diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..526c8a3
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+*.sh text eol=lf
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index 936abd8..f9bc6eb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,6 +7,11 @@ ENV DIFFIE_HELLMAN='' \
 FORCE_HTTPS='true' \
 SITES='' \
 LETSENCRYPT_URL='https://acme-v02.api.letsencrypt.org/directory' \
+ STORAGE_ADAPTER='file' \
+ REDIS_HOST='' \
+ REDIS_PORT='6379' \
+ REDIS_DB='0' \
+ REDIS_KEY_PREFIX='' \
 RESOLVER_ADDRESS='8.8.8.8'
 # Here we install open resty and generate dhparam.pem file.
diff --git a/README.md b/README.md
index cff3088..a50312d 100644
--- a/README.md
+++ b/README.md
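Review bot: The new REDIS_* variables give no way to pass a Redis credential, so once `STORAGE_ADAPTER='redis'` is used the image can only talk to an unauthenticated Redis, and that Redis ends up holding whatever lua-resty-auto-ssl persists per domain — as far as I can tell that includes the certificate private keys. lua-resty-auto-ssl's redis adapter accepts an `auth` option in the versions I know of (confirm against the one installed in this image), so adding `REDIS_AUTH='' \` after `REDIS_DB='0' \` and threading it through envsubst into the adapter table would let operators require a password without a custom config. If that is out of scope, the README row for REDIS_HOST should at least state that the Redis instance must be reachable only from the proxy containers. The `ENV` statement this hunk extends begins above the hunk.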
@@ -76,8 +76,13 @@ Available configuration options:
 | SITES | `db.com=localhost:5432; *.app.com=localhost:8080`, `_=localhost:8080` | Shortcut for defining multiple proxies, in form of `domain1=endpoint1; domain2=endpoint2`. Default template for proxy is [here](https://github.com/Valian/docker-nginx-auto-ssl/blob/master/snippets/server-proxy.conf). Name `_` means default server, just like in nginx configuration |
 | FORCE_HTTPS | `true`, `false` | If `true`, automatically adds location to `resty-server-http.conf` redirecting traffic from http to https. `true` by default. |
 | LETSENCRYPT_URL | `https://acme-v02.api.letsencrypt.org/directory`, `https://acme-staging-v02.api.letsencrypt.org/directory` | Let's Encrypt server URL to use |
- | RESOLVER_ADDRESS | `8.8.8.8`, `127.0.0.53` | DNS resolver used for OCSP stapling. `8.8.8.8` by default. |
-
+ | RESOLVER_ADDRESS | `8.8.8.8`, `127.0.0.53` | DNS resolver used for OCSP stapling. `8.8.8.8` by default. To disable ipv6 append `ipv6=off`, eg `8.8.8.8 ipv6=off` |
+ | STORAGE_ADAPTER | `file`, `redis` | Location to store generated certificates. Best practice is `redis` in order to avoid I/O blocking in OpenResty and make the certs available across multiple containers (for a load balanced environment) . `file` by default |
+ | REDIS_HOST | `hostname`, `ip address` | The redis host name to use for cert storage. Required if `STORAGE_ADAPTER=redis`|
+ | REDIS_PORT | `port number` | The redis port number. `6379` by default|
+ | REDIS_DB | `db_number` | The Redis database number used by lua-resty-auto-ssl to save certificates. `0` by default |
+ | REDIS_KEY_PREFIX | `some-prefix` | Prefix all keys stored in Redis with this string. `''` by default |
+
 If you want to proxy multiple sites (probably the most common case, that's why I've made it possible to achieve without custom configuration):
diff --git a/entrypoint.sh b/entrypoint.sh
index 6fed376..9f45abd 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -59,7 +59,7 @@ fi
 # let's substitute $ALLOWED_DOMAINS, $LETSENCRYPT_URL and $RESOLVER_ADDRESS into OpenResty configuration
-envsubst '$ALLOWED_DOMAINS,$LETSENCRYPT_URL,$RESOLVER_ADDRESS' \
+envsubst '$ALLOWED_DOMAINS,$LETSENCRYPT_URL,$RESOLVER_ADDRESS,$STORAGE_ADAPTER,$REDIS_HOST,$REDIS_PORT,$REDIS_DB,$REDIS_KEY_PREFIX' \
 < ${RESTY_CONF_DIR}/resty-http.conf \
 > ${RESTY_CONF_DIR}/resty-http.conf.copy \
 && mv ${RESTY_CONF_DIR}/resty-http.conf.copy ${RESTY_CONF_DIR}/resty-http.conf
diff --git a/snippets/resty-http.conf b/snippets/resty-http.conf
index 626ddad..69a3ec9 100644
--- a/snippets/resty-http.conf
+++ b/snippets/resty-http.conf
@@ -1,7 +1,7 @@
 # The "auto_ssl" shared dict should be defined with enough storage space to
 # hold your certificate data. 1MB of storage holds certificates for
 # approximately 100 separate domains.
-lua_shared_dict auto_ssl 1m;
+lua_shared_dict auto_ssl 10m;
 # The "auto_ssl" shared dict is used to temporarily store various settings
 # like the secret used by the hook server on port 8999. Do not change or
@@ -27,6 +27,16 @@ init_by_lua_block {
 return ngx.re.match(domain, '$ALLOWED_DOMAINS', 'ijo')
 end)
+ if "$STORAGE_ADAPTER" == "redis" then
+ auto_ssl:set("storage_adapter", "resty.auto-ssl.storage_adapters.redis")
+ auto_ssl:set("redis", {
+ host = "$REDIS_HOST",
+ port = "$REDIS_PORT",
+ db = "$REDIS_DB",
+ prefix = "$REDIS_KEY_PREFIX"
+ })
+ end
+
 auto_ssl:init()
 }
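Review bot: The new variables are substituted without any validation, so `STORAGE_ADAPTER=redis` combined with the Dockerfile default `REDIS_HOST=''` silently produces `host = ""` in resty-http.conf and, as far as I can tell, the mistake only shows up when the adapter first tries to connect rather than at container start. A guard right before the `envsubst` call, `[ "$STORAGE_ADAPTER" = "redis" ] && [ -z "$REDIS_HOST" ] && { echo "REDIS_HOST is required when STORAGE_ADAPTER=redis" >&2; exit 1; }`, fails fast with a clear message. The comment above the call, `# let's substitute $ALLOWED_DOMAINS, $LETSENCRYPT_URL and $RESOLVER_ADDRESS into OpenResty configuration`, should also be updated to mention the storage variables that are now substituted. The script continues outside the hunk.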
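Review bot: The `auto_ssl:set("redis", {...})` table is built by pasting environment values into double-quoted Lua literals, so a `"` or `\` in REDIS_HOST or REDIS_KEY_PREFIX changes the Lua that `init_by_lua_block` executes rather than just the value; the values are operator-supplied, but a comment on the block, `-- values are substituted verbatim by envsubst and must not contain " or \`, would make the constraint visible. `port` and `db` are handed over as strings, which appears to rely on Lua's implicit string-to-number coercion inside the cosocket connect; `port = tonumber("$REDIS_PORT")` makes the intent explicit and fails loudly on a non-numeric value. The empty default for `prefix` is also worth checking against the adapter: if it builds keys as `prefix .. ":" .. key` whenever the field is non-nil, every key will start with `:`, and the field should be omitted when `$REDIS_KEY_PREFIX` is empty. The `init_by_lua_block` starts outside the hunk.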