https://gitlab.com/tozd/docker/nginx-proxy
Available as:
tozd/base
← tozd/dinit
← tozd/nginx
← tozd/nginx-mailer
← tozd/nginx-cron
← tozd/nginx-proxy
ubuntu-xenial
ubuntu-bionic
ubuntu-focal
ubuntu-jammy
/var/log/dnsmasq
: Log files for an internal lightweight DNS resolver when one is not provided by Docker and whenLOG_TO_STDOUT
is not set to1
./var/log/dockergen
: Log files for docker-gen whenLOG_TO_STDOUT
is not set to1
./var/log/letsencrypt
: (Debug) log files for Let's encrypt service./ssl
: Volume with SSL keys for hosts, together with any optional extra configuration for them. All Let's encrypt generated keys together with Let's encrypt authentication keys are stored here as well. Persist this volume to not lose state.
DOCKER_HOST
: Where to connect to access Docker daemon to monitor for new containers. Default is/var/run/docker.sock
inside the container.LETSENCRYPT_EMAIL
: If set, enables automatic generation of SSL keys using Let's encrypt service. By setting it you agree to Let’s Encrypt Subscriber Agreement.LETSENCRYPT_ARGS
: Any additional arguments you might want to pass to Let's encrypt's certbot.LOG_TO_STDOUT
: If set to1
output logs to stdout (retrievable usingdocker logs
) instead of log volumes.
Image providing a reverse-proxy using Nginx HTTP server with support for HTTPS virtual hosts.
You can use this image as it is, or you can extend it and add configuration files for your virtual hosts.
When LOG_TO_STDOUT
is set to 1
, Docker image logs output to stdout and stderr. All stdout output is JSON.
This image uses docker-gen to dynamically generate Nginx configuration files for containers exposing HTTP virtual hosts. This works automatically even across container restarts. You configure virtual host by configuring environment variables on containers for which you want to provide a reverse proxy:
VIRTUAL_HOST
– a comma separated list of virtual hosts provided by the containerVIRTUAL_URL
– a comma separated list of URL paths provided by the container; they will be mapped to the HTTP root (/
) of the containerVIRTUAL_ALIAS
– a comma separated list of URL paths provided by the container, they will be mapped to the same HTTP path of the containerVIRTUAL_PORT
– if container exposes more than one port, or you do not want to use the default port80
, you can configure a custom port to which a reverse proxy should connect on the containerVIRTUAL_NETWORK
– if container is connected to more than one network, this variable can be used to select which network should be used (by default, the first network is used, but the order is not guaranteed)VIRTUAL_LETSENCRYPT
– if set, this image will automatically generate and enable a SSL key for the virtual host using Let's encrypt service, if Let's encrypt feature is enabled
When running a Docker image with your HTTP content, you can specify environment variables.
This will make the reverse proxy resolve http://example.com/
into the example
container:
docker run --name example ... --env VIRTUAL_HOST=example.com --env VIRTUAL_URL=/ ...
This will make the reverse proxy resolve http://example.com/foo
into the example1
container, but
This will make the reverse proxy resolve http://example.com/bar
into the example2
container.
docker run --name example1 ... --env VIRTUAL_HOST=example.com --env VIRTUAL_URL=/foo ...
docker run --name example2 ... --env VIRTUAL_HOST=example.com --env VIRTUAL_URL=/bar ...
Multiple containers can provide content for the same host and URL paths – Nginx will balance load across all of them.
A difference between VIRTUAL_URL
and VIRTUAL_ALIAS
is that VIRTUAL_URL
maps all outside paths to the internal HTTP root
(/
) of the container. This is useful when your container provides static content under the root and you want to
expose it elsewhere to the outside. But the downside is that the internal references between resources, if a container
assumes content is under /
, might not work correctly. For example, a HTML tag <img src="/foobar.png" />
, which
would from the perspective of the container, from the outside might resolve to something completely else, or not resolve
at all. This is why it is often better to serve content in containers under the same path as outside, and use
VIRTUAL_ALIAS
to map them 1:1. But this means that the container has to be configured accordingly as well.
If you want to use HTTPS for a virtual host, you should mount a /ssl
volume into the container and provide
SSL key for a virtual host.
For host example.com
you should provide /ssl/example.com.key
and /ssl/example.com.crt
files. Certificate file should contain the full chain needed to validate the certificate.
If those two files exist, the image will automatically configure the virtual host to use HTTPS and redirect any
non-HTTPS traffic to HTTPS.
If you want any extra configuration for non-HTTPS traffic, you can provide /ssl/example.com_nonssl.conf
file which
will be included for the non-HTTPS configuration. Similarly, for extra configuration for the HTTPS site, provide
/ssl/example.com_ssl.conf
file. Of course, filenames should match the hostname of your virtual host.
If you want to enable support for automatic generation of SSL keys using Let's encrypt
service, and you agree to Let’s Encrypt Subscriber Agreement, then you
can set LETSENCRYPT_EMAIL
environment variable to your e-mail address when running this image to enable it. From then
on any container having VIRTUAL_LETSENCRYPT
environment variable set will get a SSL certificate automatically
generated and enabled, and periodically renewed.
All generated keys together with Let's encrypt authentication keys are stored under /ssl
volume.
You should probably configure MAILTO
environment variable to your e-mail
address to receive reports from th daily cron job, and regularly check logs in /var/log/letsencrypt
and
/var/log/dockergen
volumes to see if there are any issues with key generation and renewal.
For e-mail sending to work you have to configure at least REMOTES
environment variable
as well.
You can list in /ssl/letsencrypt.manual.list
file additional domains you want the container to obtain SSL keys.
If extending the image, you can put sites configuration files under /etc/nginx/sites-enabled/
to add custom sites.
Alternatively, you can mount a volume into /etc/nginx/sites-volume/
directory and provide sites there.
To support static configuration files for containers which have dynamic IP addresses, this image configures (when not provided by Docker) Nginx with an internal lightweight DNS resolver which dynamically resolves container hostnames into IPs. Here is an example of site configuration using DNS resolving:
server {
listen 80;
server_name example.com;
# We want to resolve container IPs dynamically, so we use a variable to make
# Nginx resolve it again and again and not only at the start (so that it works
# if containers change their IPs).
location / {
set $example example;
proxy_pass http://$example:3000;
}
}
This assumes that you have a container with hostname example
:
docker run --name example --hostname example ...
By default, because of caching it can take up to 5 seconds for Nginx to start resolving a virtual host to a new container IP address after a change.
There is also a read-only GitHub mirror available, if you need to fork the project there.