Add letsencrypt support in the nginx container

master
kaiyou 7 years ago
parent a57096e613
commit 808809b37a

@ -1,8 +1,8 @@
FROM alpine:edge FROM alpine:edge
RUN apk add --no-cache nginx nginx-mod-mail python py-jinja2 RUN apk add --no-cache nginx nginx-mod-mail python py-jinja2 certbot openssl
COPY conf /conf COPY conf /conf
COPY start.py /start.py COPY *.py /
CMD /start.py CMD /start.py

@ -21,7 +21,8 @@ http {
server { server {
listen 80; listen 80;
{% if TLS_FLAVOR != 'notls' %} # TLS configuration
{% if TLS and not TLS_ERROR %}
listen 443 ssl; listen 443 ssl;
ssl_protocols TLSv1.1 TLSv1.2; ssl_protocols TLSv1.1 TLSv1.2;
@ -29,8 +30,8 @@ http {
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_session_timeout 5m; ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m; ssl_session_cache shared:SSL:50m;
ssl_certificate /certs/cert.pem; ssl_certificate {{ TLS[0] }};
ssl_certificate_key /certs/key.pem; ssl_certificate_key {{ TLS[1] }};
add_header Strict-Transport-Security max-age=15768000; add_header Strict-Transport-Security max-age=15768000;
@ -39,7 +40,18 @@ http {
} }
{% endif %} {% endif %}
{% if TLS_FLAVOR == 'letsencrypt' %}
location ^~ /.well-known/acme-challenge/ {
proxy_pass http://localhost:8000;
}
{% endif %}
# Actual logic # Actual logic
{% if TLS_ERROR %}
location / {
return 403
}
{% else %}
{% if WEBMAIL != 'none' %} {% if WEBMAIL != 'none' %}
location / { location / {
return 301 $scheme://$host/webmail/; return 301 $scheme://$host/webmail/;
@ -52,6 +64,9 @@ http {
{% endif %} {% endif %}
{% if ADMIN == 'true' %} {% if ADMIN == 'true' %}
location /admin {
return 301 $scheme://$host/admin/ui;
}
location /admin/ui { location /admin/ui {
rewrite ^/admin/(.*) /$1 break; rewrite ^/admin/(.*) /$1 break;
proxy_pass http://admin; proxy_pass http://admin;
@ -64,11 +79,12 @@ http {
proxy_pass http://webdav:5232; proxy_pass http://webdav:5232;
} }
{% endif %} {% endif %}
{% endif %}
} }
} }
mail { mail {
server_name {{ HOSTNAME }}; server_name {{ HOSTNAMES.split(",")[0] }};
auth_http http://{{ ADMIN_ADDRESS }}/internal/nginx; auth_http http://{{ ADMIN_ADDRESS }}/internal/nginx;
proxy_pass_error_message on; proxy_pass_error_message on;

@ -0,0 +1,27 @@
#!/usr/bin/python
import jinja2
import os
import socket
convert = lambda src, dst, args: open(dst, "w").write(jinja2.Template(open(src).read()).render(**args))
args = os.environ.copy()
if "ADMIN_ADDRESS" not in os.environ:
args["ADMIN_ADDRESS"] = socket.gethostbyname("admin")
args["TLS"] = {
"cert": ("/certs/cert.pem", "/certs/key.pem"),
"letsencrypt": ("/certs/letsencrypt/live/mailu/fullchain.pem",
"/certs/letsencrypt/live/mailu/privkey.pem"),
"notls": None
}[args["TLS_FLAVOR"]]
if args["TLS"] and not all(os.path.exists(file_path) for file_path in args["TLS"]):
print("Missing cert or key file, disabling TLS")
args["TLS_ERROR"] = "yes"
convert("/conf/nginx.conf", "/etc/nginx/nginx.conf", args)
os.system("nginx -s reload")

@ -0,0 +1,29 @@
#!/usr/bin/python
import os
import time
import subprocess
command = [
"certbot",
"-n", "--agree-tos", # non-interactive
"-d", os.environ["HOSTNAMES"],
"-m", "{}@{}".format(os.environ["POSTMASTER"], os.environ["DOMAIN"]),
"certonly", "--standalone",
"--cert-name", "mailu",
"--preferred-challenges", "http", "--http-01-port", "8000",
"--keep-until-expiring",
"--rsa-key-size", "4096",
"--config-dir", "/certs/letsencrypt",
"--post-hook", "/config.py"
]
# Wait for nginx to start
time.sleep(5)
# Run certbot every hour
while True:
subprocess.call(command)
time.sleep(3600)

@ -1,13 +1,15 @@
#!/usr/bin/python #!/usr/bin/python
import jinja2
import os import os
import socket import subprocess
convert = lambda src, dst: open(dst, "w").write(jinja2.Template(open(src).read()).render(**os.environ))
# Actual startup script # Actual startup script
if "ADMIN_ADDRESS" not in os.environ: if not os.path.exists("/certs/dhparam.pem") and os.environ["TLS_FLAVOR"] != "notls":
os.environ["ADMIN_ADDRESS"] = socket.gethostbyname("admin") os.system("openssl dhparam -out /certs/dhparam.pem 4096")
convert("/conf/nginx.conf", "/etc/nginx/nginx.conf")
if os.environ["TLS_FLAVOR"] == "letsencrypt":
subprocess.Popen(["/letsencrypt.py"])
subprocess.call(["/config.py"])
os.execv("/usr/sbin/nginx", ["nginx", "-g", "daemon off;"]) os.execv("/usr/sbin/nginx", ["nginx", "-g", "daemon off;"])

Loading…
Cancel
Save