Update README.md

This commit is contained in:
fossilfranv 2023-11-17 12:36:09 -08:00
parent f89d904463
commit e1ece26767

337
README.md

@ -1,166 +1,171 @@
Conigure fail2ban for docker: THIS IS THE OLD VERSION.
1 - Create volume for nginx in -volumes For the new version clone from github and modify the Dockerfile to point to user docker socket.
"./log:/var/log/nginx/"
Then add following lines to /etc/fail2ban/jail.local Conigure fail2ban for docker:
[nginx-http-auth] 1 - Create volume for nginx in -volumes
enabled = true "./log:/var/log/nginx/"
port = http,https
logpath = /opt/container_webservice/logs/error.log Then add following lines to /etc/fail2ban/jail.local
banaction = iptables-multiport-forward
[nginx-http-auth]
[nginx-limit-req] enabled = true
enabled = true port = http,https
port = http,https logpath = /opt/container_webservice/logs/error.log
logpath = /opt/container_webservice/logs/error.log banaction = iptables-multiport-forward
banaction = iptables-multiport-forward
[nginx-limit-req]
[nginx-botsearch] enabled = true
enabled = true port = http,https
port = http,https logpath = /opt/container_webservice/logs/error.log
maxretry = 2 banaction = iptables-multiport-forward
logpath = /opt/container_webservice/logs/error.log
banaction = iptables-multiport-forward [nginx-botsearch]
enabled = true
[php-url-fopen] port = http,https
enabled = true maxretry = 2
port = http,https logpath = /opt/container_webservice/logs/error.log
logpath = /opt/container_webservice/logs/access.log banaction = iptables-multiport-forward
banaction = iptables-multiport-forward
[php-url-fopen]
Adjust logpath (usually /home/user/acme-companion/log/error.log) enabled = true
port = http,https
Then: logpath = /opt/container_webservice/logs/access.log
banaction = iptables-multiport-forward
cd /etc/fail2ban/action.d
cat iptables-common.conf > iptables-common-forward.conf Adjust logpath (usually /home/user/acme-companion/log/error.log)
sed -i 's/INPUT/FORWARD/g' iptables-common-forward.conf
Then:
cat iptables-multiport.conf > iptables-multiport-forward.conf
sed -i 's/iptables-common.conf/iptables-common-forward.conf/g' iptables-multiport-forward.conf cd /etc/fail2ban/action.d
cat iptables-common.conf > iptables-common-forward.conf
Restart fai2ban and verify (systemctl status fail2ban) sed -i 's/INPUT/FORWARD/g' iptables-common-forward.conf
cat iptables-multiport.conf > iptables-multiport-forward.conf
sed -i 's/iptables-common.conf/iptables-common-forward.conf/g' iptables-multiport-forward.conf
Restart fai2ban and verify (systemctl status fail2ban)
![Tests](https://github.com/nginx-proxy/acme-companion/workflows/Tests/badge.svg)
[![GitHub release](https://img.shields.io/github/release/nginx-proxy/acme-companion.svg)](https://github.com/nginx-proxy/acme-companion/releases)
[![Docker Image Size](https://img.shields.io/docker/image-size/nginxproxy/acme-companion?sort=semver)](https://hub.docker.com/r/nginxproxy/acme-companion "Click to view the image on Docker Hub")
[![Docker stars](https://img.shields.io/docker/stars/nginxproxy/acme-companion.svg)](https://hub.docker.com/r/nginxproxy/acme-companion "Click to view the image on Docker Hub")
[![Docker pulls](https://img.shields.io/docker/pulls/nginxproxy/acme-companion.svg)](https://hub.docker.com/r/nginxproxy/acme-companion "Click to view the image on Docker Hub")
![Tests](https://github.com/nginx-proxy/acme-companion/workflows/Tests/badge.svg)
**acme-companion** is a lightweight companion container for [**nginx-proxy**](https://github.com/nginx-proxy/nginx-proxy). [![GitHub release](https://img.shields.io/github/release/nginx-proxy/acme-companion.svg)](https://github.com/nginx-proxy/acme-companion/releases)
[![Docker Image Size](https://img.shields.io/docker/image-size/nginxproxy/acme-companion?sort=semver)](https://hub.docker.com/r/nginxproxy/acme-companion "Click to view the image on Docker Hub")
It handles the automated creation, renewal and use of SSL certificates for proxied Docker containers through the ACME protocol. [![Docker stars](https://img.shields.io/docker/stars/nginxproxy/acme-companion.svg)](https://hub.docker.com/r/nginxproxy/acme-companion "Click to view the image on Docker Hub")
[![Docker pulls](https://img.shields.io/docker/pulls/nginxproxy/acme-companion.svg)](https://hub.docker.com/r/nginxproxy/acme-companion "Click to view the image on Docker Hub")
**Required read if you use the `latest` version** : the `v2.0.0` release of this project mark the switch of the ACME client used by the Docker image from [**simp.le**](https://github.com/zenhack/simp_le) to [**acme.sh**](https://github.com/acmesh-official/acme.sh). This switch result in some backward incompatible changes, so please read [this issue](https://github.com/nginx-proxy/acme-companion/issues/510) and the updated docs for more details before updating your image. The single most important change is that the container now requires a volume mounted to `/etc/acme.sh` in order to persist ACME account keys and SSL certificates. The last tagged version that uses **simp_le** is `v1.13.1`.
**acme-companion** is a lightweight companion container for [**nginx-proxy**](https://github.com/nginx-proxy/nginx-proxy).
### Features:
* Automated creation/renewal of Let's Encrypt (or other ACME CAs) certificates using [**acme.sh**](https://github.com/acmesh-official/acme.sh). It handles the automated creation, renewal and use of SSL certificates for proxied Docker containers through the ACME protocol.
* Let's Encrypt / ACME domain validation through `http-01` challenge only.
* Automated update and reload of nginx config on certificate creation/renewal. **Required read if you use the `latest` version** : the `v2.0.0` release of this project mark the switch of the ACME client used by the Docker image from [**simp.le**](https://github.com/zenhack/simp_le) to [**acme.sh**](https://github.com/acmesh-official/acme.sh). This switch result in some backward incompatible changes, so please read [this issue](https://github.com/nginx-proxy/acme-companion/issues/510) and the updated docs for more details before updating your image. The single most important change is that the container now requires a volume mounted to `/etc/acme.sh` in order to persist ACME account keys and SSL certificates. The last tagged version that uses **simp_le** is `v1.13.1`.
* Support creation of [Multi-Domain (SAN) Certificates](https://github.com/nginx-proxy/acme-companion/blob/main/docs/Let's-Encrypt-and-ACME.md#multi-domains-certificates).
* Creation of a Strong Diffie-Hellman Group at startup. ### Features:
* Work with all versions of docker. * Automated creation/renewal of Let's Encrypt (or other ACME CAs) certificates using [**acme.sh**](https://github.com/acmesh-official/acme.sh).
* Let's Encrypt / ACME domain validation through `http-01` challenge only.
### Requirements: * Automated update and reload of nginx config on certificate creation/renewal.
* Your host **must** be publicly reachable on **both** port `80` and `443`. * Support creation of [Multi-Domain (SAN) Certificates](https://github.com/nginx-proxy/acme-companion/blob/main/docs/Let's-Encrypt-and-ACME.md#multi-domains-certificates).
* Check your firewall rules and **do not attempt to block port `80`** as that will prevent `http-01` challenges from completing. * Creation of a Strong Diffie-Hellman Group at startup.
* For the same reason, you can't use nginx-proxy's [`HTTPS_METHOD=nohttp`](https://github.com/nginx-proxy/nginx-proxy#how-ssl-support-works). * Work with all versions of docker.
* The (sub)domains you want to issue certificates for must correctly resolve to the host.
* Your DNS provider must [answer correctly to CAA record requests](https://letsencrypt.org/docs/caa/). ### Requirements:
* If your (sub)domains have AAAA records set, the host must be publicly reachable over IPv6 on port `80` and `443`. * Your host **must** be publicly reachable on **both** port `80` and `443`.
* Check your firewall rules and **do not attempt to block port `80`** as that will prevent `http-01` challenges from completing.
![schema](https://github.com/nginx-proxy/acme-companion/blob/main/schema.png) * For the same reason, you can't use nginx-proxy's [`HTTPS_METHOD=nohttp`](https://github.com/nginx-proxy/nginx-proxy#how-ssl-support-works).
* The (sub)domains you want to issue certificates for must correctly resolve to the host.
## Basic usage (with the nginx-proxy container) * Your DNS provider must [answer correctly to CAA record requests](https://letsencrypt.org/docs/caa/).
* If your (sub)domains have AAAA records set, the host must be publicly reachable over IPv6 on port `80` and `443`.
Three writable volumes must be declared on the **nginx-proxy** container so that they can be shared with the **acme-companion** container:
![schema](https://github.com/nginx-proxy/acme-companion/blob/main/schema.png)
* `/etc/nginx/certs` to store certificates and private keys (readonly for the **nginx-proxy** container).
* `/etc/nginx/vhost.d` to change the configuration of vhosts (required so the CA may access `http-01` challenge files). ## Basic usage (with the nginx-proxy container)
* `/usr/share/nginx/html` to write `http-01` challenge files.
Three writable volumes must be declared on the **nginx-proxy** container so that they can be shared with the **acme-companion** container:
Additionally, a fourth volume must be declared on the **acme-companion** container to store `acme.sh` configuration and state: `/etc/acme.sh`.
* `/etc/nginx/certs` to store certificates and private keys (readonly for the **nginx-proxy** container).
Please also read the doc about [data persistence](./docs/Persistent-data.md). * `/etc/nginx/vhost.d` to change the configuration of vhosts (required so the CA may access `http-01` challenge files).
* `/usr/share/nginx/html` to write `http-01` challenge files.
Example of use:
Additionally, a fourth volume must be declared on the **acme-companion** container to store `acme.sh` configuration and state: `/etc/acme.sh`.
### Step 1 - nginx-proxy
Please also read the doc about [data persistence](./docs/Persistent-data.md).
Start **nginx-proxy** with the three additional volumes declared:
Example of use:
```shell
$ docker run --detach \ ### Step 1 - nginx-proxy
--name nginx-proxy \
--publish 80:80 \ Start **nginx-proxy** with the three additional volumes declared:
--publish 443:443 \
--volume certs:/etc/nginx/certs \ ```shell
--volume vhost:/etc/nginx/vhost.d \ $ docker run --detach \
--volume html:/usr/share/nginx/html \ --name nginx-proxy \
--volume /var/run/docker.sock:/tmp/docker.sock:ro \ --publish 80:80 \
nginxproxy/nginx-proxy --publish 443:443 \
``` --volume certs:/etc/nginx/certs \
--volume vhost:/etc/nginx/vhost.d \
Binding the host docker socket (`/var/run/docker.sock`) inside the container to `/tmp/docker.sock` is a requirement of **nginx-proxy**. --volume html:/usr/share/nginx/html \
--volume /var/run/docker.sock:/tmp/docker.sock:ro \
### Step 2 - acme-companion nginxproxy/nginx-proxy
```
Start the **acme-companion** container, getting the volumes from **nginx-proxy** with `--volumes-from`:
Binding the host docker socket (`/var/run/docker.sock`) inside the container to `/tmp/docker.sock` is a requirement of **nginx-proxy**.
```shell
$ docker run --detach \ ### Step 2 - acme-companion
--name nginx-proxy-acme \
--volumes-from nginx-proxy \ Start the **acme-companion** container, getting the volumes from **nginx-proxy** with `--volumes-from`:
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
--volume acme:/etc/acme.sh \ ```shell
--env "DEFAULT_EMAIL=mail@yourdomain.tld" \ $ docker run --detach \
nginxproxy/acme-companion --name nginx-proxy-acme \
``` --volumes-from nginx-proxy \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
The host docker socket has to be bound inside this container too, this time to `/var/run/docker.sock`. --volume acme:/etc/acme.sh \
--env "DEFAULT_EMAIL=mail@yourdomain.tld" \
Albeit **optional**, it is **recommended** to provide a valid default email address through the `DEFAULT_EMAIL` environment variable, so that Let's Encrypt can warn you about expiring certificates and allow you to recover your account. nginxproxy/acme-companion
```
### Step 3 - proxied container(s)
The host docker socket has to be bound inside this container too, this time to `/var/run/docker.sock`.
Once both **nginx-proxy** and **acme-companion** containers are up and running, start any container you want proxied with environment variables `VIRTUAL_HOST` and `LETSENCRYPT_HOST` both set to the domain(s) your proxied container is going to use.
Albeit **optional**, it is **recommended** to provide a valid default email address through the `DEFAULT_EMAIL` environment variable, so that Let's Encrypt can warn you about expiring certificates and allow you to recover your account.
[`VIRTUAL_HOST`](https://github.com/nginx-proxy/nginx-proxy#usage) control proxying by **nginx-proxy** and `LETSENCRYPT_HOST` control certificate creation and SSL enabling by **acme-companion**.
### Step 3 - proxied container(s)
Certificates will only be issued for containers that have both `VIRTUAL_HOST` and `LETSENCRYPT_HOST` variables set to domain(s) that correctly resolve to the host, provided the host is publicly reachable.
Once both **nginx-proxy** and **acme-companion** containers are up and running, start any container you want proxied with environment variables `VIRTUAL_HOST` and `LETSENCRYPT_HOST` both set to the domain(s) your proxied container is going to use.
```shell
$ docker run --detach \ [`VIRTUAL_HOST`](https://github.com/nginx-proxy/nginx-proxy#usage) control proxying by **nginx-proxy** and `LETSENCRYPT_HOST` control certificate creation and SSL enabling by **acme-companion**.
--name your-proxied-app \
--env "VIRTUAL_HOST=subdomain.yourdomain.tld" \ Certificates will only be issued for containers that have both `VIRTUAL_HOST` and `LETSENCRYPT_HOST` variables set to domain(s) that correctly resolve to the host, provided the host is publicly reachable.
--env "LETSENCRYPT_HOST=subdomain.yourdomain.tld" \
nginx ```shell
``` $ docker run --detach \
--name your-proxied-app \
The containers being proxied must expose the port to be proxied, either by using the `EXPOSE` directive in their Dockerfile or by using the `--expose` flag to `docker run` or `docker create`. --env "VIRTUAL_HOST=subdomain.yourdomain.tld" \
--env "LETSENCRYPT_HOST=subdomain.yourdomain.tld" \
If the proxied container listen on and expose another port than the default `80`, you can force **nginx-proxy** to use this port with the [`VIRTUAL_PORT`](https://github.com/nginx-proxy/nginx-proxy#multiple-ports) environment variable. nginx
```
Example using [Grafana](https://hub.docker.com/r/grafana/grafana/) (expose and listen on port 3000):
The containers being proxied must expose the port to be proxied, either by using the `EXPOSE` directive in their Dockerfile or by using the `--expose` flag to `docker run` or `docker create`.
```shell
$ docker run --detach \ If the proxied container listen on and expose another port than the default `80`, you can force **nginx-proxy** to use this port with the [`VIRTUAL_PORT`](https://github.com/nginx-proxy/nginx-proxy#multiple-ports) environment variable.
--name grafana \
--env "VIRTUAL_HOST=othersubdomain.yourdomain.tld" \ Example using [Grafana](https://hub.docker.com/r/grafana/grafana/) (expose and listen on port 3000):
--env "VIRTUAL_PORT=3000" \
--env "LETSENCRYPT_HOST=othersubdomain.yourdomain.tld" \ ```shell
--env "LETSENCRYPT_EMAIL=mail@yourdomain.tld" \ $ docker run --detach \
grafana/grafana --name grafana \
``` --env "VIRTUAL_HOST=othersubdomain.yourdomain.tld" \
--env "VIRTUAL_PORT=3000" \
Repeat [Step 3](#step-3---proxied-containers) for any other container you want to proxy. --env "LETSENCRYPT_HOST=othersubdomain.yourdomain.tld" \
--env "LETSENCRYPT_EMAIL=mail@yourdomain.tld" \
## Additional documentation grafana/grafana
```
Please check the [docs section](https://github.com/nginx-proxy/acme-companion/tree/main/docs).
Repeat [Step 3](#step-3---proxied-containers) for any other container you want to proxy.
## Additional documentation
Please check the [docs section](https://github.com/nginx-proxy/acme-companion/tree/main/docs).
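Review bot: the two sentences added at the top of the file ("THIS IS THE OLD VERSION." and "For the new version clone from github and modify the Dockerfile to point to user docker socket.") do not give the reader what they need to act on them: which repository to clone, which line of the Dockerfile changes, and what path the "user docker socket" is; state the repository URL and the exact substitution (the socket path currently in the Dockerfile and the per-user socket path it should become). The note is also prepended above the upstream acme-companion README (the badges and the **acme-companion** introduction now follow the fail2ban instructions with no heading in between), so the combined file opens with an all-caps deprecation warning and the old instructions are still the first thing a reader sees; move the fail2ban section under its own heading after the upstream text, and fix the pre-existing typos "Conigure" and "fai2ban" while these lines are being touched. Within the fail2ban section itself, the log path is given three different ways (`./log:/var/log/nginx/` for the volume, `/opt/container_webservice/logs/error.log` in every jail, and `/home/user/acme-companion/log/error.log` in the "Adjust logpath" note); pick one host path and use it throughout so the jails actually read the file the volume writes. Finally, the `sed -i 's/INPUT/FORWARD/g' iptables-common-forward.conf` step is the whole reason the duplicated `iptables-multiport-forward` action exists: traffic to Docker-published ports is routed through the FORWARD chain rather than INPUT, so a ban inserted in INPUT would never match and the jails would silently do nothing. A one-line explanation next to that command would keep the next editor from "simplifying" it back to the stock action.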