From bf5e0314d40719809abd9d934b50c4baee4e1988 Mon Sep 17 00:00:00 2001
From: Pascal Vizeli
Date: Thu, 18 May 2017 13:42:59 +0200
Subject: [PATCH] Nginx proxy (#70)

Nginx proxy
---
nginx_proxy/Dockerfile | 15 +++++++++++++
nginx_proxy/config.json | 25 ++++++++++++++++++++++
nginx_proxy/nginx.conf | 47 +++++++++++++++++++++++++++++++++++++++++
nginx_proxy/run.sh | 25 ++++++++++++++++++++++
4 files changed, 112 insertions(+)
create mode 100644 nginx_proxy/Dockerfile
create mode 100644 nginx_proxy/config.json
create mode 100644 nginx_proxy/nginx.conf
create mode 100644 nginx_proxy/run.sh
diff --git a/nginx_proxy/Dockerfile b/nginx_proxy/Dockerfile
new file mode 100644
index 0000000..4304212
--- /dev/null
+++ b/nginx_proxy/Dockerfile
@@ -0,0 +1,15 @@
+FROM %%BASE_IMAGE%%
+
+# Add env
+ENV LANG C.UTF-8
+
+# Setup base
+RUN apk add --no-cache jq nginx libressl
+
+# Copy data
+COPY run.sh /
+COPY nginx.conf /etc/
+
+RUN chmod a+x /run.sh
+
+CMD [ "/run.sh" ]
diff --git a/nginx_proxy/config.json b/nginx_proxy/config.json
new file mode 100644
index 0000000..43547e4
--- /dev/null
+++ b/nginx_proxy/config.json
@@ -0,0 +1,25 @@
+{
+ "name": "Nginx HomeAssistant SSL proxy",
+ "version": "0.1",
+ "slug": "nginx_proxy",
+ "description": "Use nginx as SSL proxy to HomeAssistant instance",
+ "url": "https://home-assistant.io/addons/nginx_proxy/",
+ "startup": "after",
+ "boot": "auto",
+ "ports": {
+ "80/tcp": 80,
+ "443/tcp": 443
+ },
+ "map": ["ssl"],
+ "options": {
+ "domain": "domain",
+ "certfile": "fullchain.pem",
+ "keyfile": "privkey.pem"
+ },
+ "schema": {
+ "domain": "str",
+ "certfile": "str",
+ "keyfile": "str"
+ },
+ "image": "homeassistant/{arch}-addon-nginx_proxy"
+}
diff --git a/nginx_proxy/nginx.conf b/nginx_proxy/nginx.conf
new file mode 100644
index 0000000..1f6ce2d
--- /dev/null
+++ b/nginx_proxy/nginx.conf
@@ -0,0 +1,47 @@
+daemon off;
+error_log stderr;
+
+http {
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
+ server {
+ server_name %%DOMAIN%%;
+
+ # These shouldn't need to be changed
+ listen [::]:80 default_server ipv6only=off;
+ return 301 https://$host$request_uri;
+ }
+
+ server {
+ server_name %%DOMAIN%%;
+
+ ssl_certificate /ssl/%%FULLCHAIN%%;
+ ssl_certificate_key /ssl/%%PRIVKEY%%;
+
+ # dhparams file
+ ssl_dhparam /data/dhparams.pem;
+
+ listen [::]:443 http2 default_server ipv6only=off;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
+ ssl on;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+
+ proxy_buffering off;
+
+ location / {
+ proxy_pass http://172.17.0.1:8123;
+ proxy_set_header Host $host;
+ proxy_redirect http:// https://;
+ proxy_http_version 1.1;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ }
+ }
+}
diff --git a/nginx_proxy/run.sh b/nginx_proxy/run.sh
new file mode 100644
index 0000000..85893b4
--- /dev/null
+++ b/nginx_proxy/run.sh
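Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in the 443 server block still negotiates TLS 1.0 and 1.1, which are deprecated and weaker than 1.2; unless a known old client must be supported, `ssl_protocols TLSv1.2;` is the safer setting. `ssl on;` is the legacy form — the ssl module documentation prefers the `ssl` parameter on the listen directive, `listen [::]:443 ssl http2 default_server ipv6only=off;`, after which `ssl on;` can be dropped. A smaller point: both server blocks are `default_server`, so the port-80 block answers for any Host header and reflects it in `return 301 https://$host$request_uri;`; returning `https://$server_name$request_uri` instead keeps the Location header bound to the configured domain.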
@@ -0,0 +1,25 @@
+#!/bin/bash
+set -e
+
+CONFIG_PATH=/data/options.json
+DHPARAMS_PATH=/data/dhparams.pem
+
+DOMAIN=$(jq --raw-output ".domain" $CONFIG_PATH)
+KEYFILE=$(jq --raw-output ".keyfile" $CONFIG_PATH)
+CERTFILE=$(jq --raw-output ".certfile" $CONFIG_PATH)
+
+
+# Generate dhparams
+if [ ! -f "$DHPARAMS_PATH" ]; then
+ echo "[INFO] Generate dhparams..."
+ openssl dhparam -dsaparam -out "$DHPARAMS_PATH" 4096 > /dev/null
+fi
+
+# Prepare config file
+sed -i "s/%%FULLCHAIN%%/$CERTFILE/g" /etc/nginx.conf
+sed -i "s/%%PRIVKEY%%/$KEYFILE/g" /etc/nginx.conf
+sed -i "s/%%DOMAIN%%/$DOMAIN/g" /etc/nginx.conf
+
+# start server
+echo "[INFO] Run nginx"
+exec nginx -c /etc/nginx.conf < /dev/null
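Review bot: The three `sed -i "s/%%…%%/$VALUE/g"` lines splice `DOMAIN`, `KEYFILE` and `CERTFILE` straight from options.json into the sed replacement text, and config.json constrains them only to `str`; a value containing `/`, `&`, `\` or a newline breaks or alters the substitution, and a value with `/` also escapes the intended `/ssl/<name>` location in nginx.conf. Since jq prints the literal `null` for a missing key, an absent option also slips past `set -e` (`jq -e` would turn that into a non-zero exit). Checking that each value is a non-empty bare filename before the sed calls closes both gaps; the block below goes between the jq reads and the dhparams section.
```shell
CERTFILE=$(jq --raw-output ".certfile" $CONFIG_PATH)

# Values are spliced into sed replacement text and /ssl/ paths below,
# so reject empty/"null" values and anything that is not a plain filename.
for val in "$DOMAIN" "$KEYFILE" "$CERTFILE"; do
    case "$val" in
        ''|null|*/*|*'&'*|*'\'*|*[[:space:]]*)
            echo "[ERROR] Invalid option value: '$val'" >&2
            exit 1
            ;;
    esac
done

# … unchanged: dhparams generation, sed substitutions, exec nginx …
```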