Skip to content
This repository was archived by the owner on Jul 25, 2023. It is now read-only.

Add x-forwareded-port option #10

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add x-forwareded-port option #10

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 3 additions & 2 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ To run an SSL termination proxy you must have an existing SSL certificate and ke
-v /path/to/secrets/dhparam.pem:/etc/secrets/dhparam \
nginx-ssl-proxy
```
The really important thing here is that you map in your cert to `/etc/secrets/proxycert`, your key to `/etc/secrets/proxykey`, and your dhparam to `/etc/secrets/dhparam` as shown in the command above.
The really important thing here is that you map in your cert to `/etc/secrets/proxycert`, your key to `/etc/secrets/proxykey`, and your dhparam to `/etc/secrets/dhparam` as shown in the command above.

3. **Enable Basic Access Authentication**

Expand All @@ -58,6 +58,7 @@ To run an SSL termination proxy you must have an existing SSL certificate and ke
-e ENABLE_SSL=true \
-e ENABLE_BASIC_AUTH=true \
-e TARGET_SERVICE=THE_ADDRESS_OR_HOST_YOU_ARE_PROXYING_TO \
-e X_FORWARDED_PORT=POSSIBLY_A_PORT_FOR_THE_X_FORWARDED_PORT_HEADER \
-v /path/to/secrets/cert.crt:/etc/secrets/proxycert \
-v /path/to/secrets/key.pem:/etc/secrets/proxykey \
-v /path/to/secrets/dhparam.pem:/etc/secrets/dhparam \
Expand All @@ -79,4 +80,4 @@ To run an SSL termination proxy you must have an existing SSL certificate and ke
nginx-ssl-proxy
```

That way it is possible to setup additional proxies or modifying the nginx configuration.
That way it is possible to setup additional proxies or modifying the nginx configuration.
5 changes: 3 additions & 2 deletions nginx/proxy_nossl.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,15 +5,16 @@ upstream target_service {
server {
server_name _;
listen 80;

location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
#proxy_set_header X-Forwarded-Port {{X-FORWARDED-PORT}};
proxy_pass http://target_service;
proxy_read_timeout 90;
#auth_basic "Restricted";
#auth_basic_user_file /etc/secrets/htpasswd;
#auth_basic_user_file /etc/secrets/htpasswd;
}
}
14 changes: 7 additions & 7 deletions nginx/proxy_ssl.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ server {
}

server {
server_name _;
server_name _;
listen 443;

ssl on;
Expand All @@ -20,31 +20,31 @@ server {
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-RC4-SHA:AES128-GCM-SHA256:HIGH:!RC4:!MD5:!aNULL:!EDH:!CAMELLIA;
ssl_prefer_server_ciphers on;

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

add_header Strict-Transport-Security max-age=15638400;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
#proxy_set_header X-Forwarded-Port {{X-FORWARDED-PORT}};
proxy_pass http://target_service;
proxy_read_timeout 90;
proxy_redirect http:// https://;
#auth_basic "Restricted";
#auth_basic_user_file /etc/secrets/htpasswd;
#auth_basic_user_file /etc/secrets/htpasswd;
}
}

11 changes: 9 additions & 2 deletions start.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and

# Env says we're using SSL
# Env says we're using SSL
if [ -n "${ENABLE_SSL+1}" ] && [ "${ENABLE_SSL,,}" = "true" ]; then
echo "Enabling SSL..."
cp /usr/src/proxy_ssl.conf /etc/nginx/conf.d/proxy.conf
Expand All @@ -21,12 +21,19 @@ else
cp /usr/src/proxy_nossl.conf /etc/nginx/conf.d/proxy.conf
fi

# If an htpasswd file is provided, download and configure nginx
# If an htpasswd file is provided, download and configure nginx
if [ -n "${ENABLE_BASIC_AUTH+1}" ] && [ "${ENABLE_BASIC_AUTH,,}" = "true" ]; then
echo "Enabling basic auth..."
sed -i "s/#auth_basic/auth_basic/g;" /etc/nginx/conf.d/proxy.conf
fi

# If X-Forwarded-Port is provided, add it to nginx confinguration
if [ -n "${X_FORWARDED_PORT+1}" ]; then
echo "Adding X-Forwarded-Port..."
sed -i "s/#proxy_set_header X-Forwarded-Port/proxy_set_header X-Forwarded-Port/g;" /etc/nginx/conf.d/proxy.conf
sed -i "s/{{X-FORWARDED-PORT}}/${X_FORWARDED_PORT}/g;" /etc/nginx/conf.d/proxy.conf
fi

# If the SERVICE_HOST_ENV_NAME and SERVICE_PORT_ENV_NAME vars are provided,
# there are two options:
# - Option 1:
Expand Down