fossilfranv/nginx_docker-swag
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

seperate config directory for renewal hooks /config/renewal-hooks/

Browse Source
This commit is contained in:
Feilner 2021-02-16 07:33:17 +01:00
parent 72479211f1
commit 41a85f9203
2 changed files with 13 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
readme-vars.yml
View File

@ -99,7 +99,7 @@ app_setup_block: |
* If you need a dynamic dns provider, you can use the free provider duckdns.org where the `URL` will be `yoursubdomain.duckdns.org` and the `SUBDOMAINS` can be `www,ftp,cloud` with http validation, or `wildcard` with dns validation. * If you need a dynamic dns provider, you can use the free provider duckdns.org where the `URL` will be `yoursubdomain.duckdns.org` and the `SUBDOMAINS` can be `www,ftp,cloud` with http validation, or `wildcard` with dns validation.
* After setup, navigate to `https://yourdomain.url` to access the default homepage (http access through port 80 is disabled by default, you can enable it by editing the default site config at `/config/nginx/site-confs/default`). * After setup, navigate to `https://yourdomain.url` to access the default homepage (http access through port 80 is disabled by default, you can enable it by editing the default site config at `/config/nginx/site-confs/default`).
* Certs are checked nightly and if expiration is within 30 days, renewal is attempted. If your cert is about to expire in less than 30 days, check the logs under `/config/log/letsencrypt` to see why the renewals have been failing. It is recommended to input your e-mail in docker parameters so you receive expiration notices from Let's Encrypt in those circumstances. * Certs are checked nightly and if expiration is within 30 days, renewal is attempted. If your cert is about to expire in less than 30 days, check the logs under `/config/log/letsencrypt` to see why the renewals have been failing. It is recommended to input your e-mail in docker parameters so you receive expiration notices from Let's Encrypt in those circumstances.
* It's possible to extend default the renewal-hooks `/etc/letsencrypt/renewal-hooks/*` they are executed in sorted order. * It's possible to extend default the renewal-hooks `/config/renewal-hooks/*` they are executed in sorted order.
### Security and password protection ### Security and password protection
* The container detects changes to url and subdomains, revokes existing certs and generates new ones during start. * The container detects changes to url and subdomains, revokes existing certs and generates new ones during start.
* The container provides a pre-generated 4096-bit dhparams.pem (rotated weekly via [Jenkins job](https://ci.linuxserver.io/blue/organizations/jenkins/Xtras-Builders-Etc%2Fdhparams-uploader/activity)) for new instances, however you may generate your own by running `docker exec swag openssl dhparam -out /config/nginx/dhparams.pem 4096` WARNING: This takes a very long time * The container provides a pre-generated 4096-bit dhparams.pem (rotated weekly via [Jenkins job](https://ci.linuxserver.io/blue/organizations/jenkins/Xtras-Builders-Etc%2Fdhparams-uploader/activity)) for new instances, however you may generate your own by running `docker exec swag openssl dhparam -out /config/nginx/dhparams.pem 4096` WARNING: This takes a very long time
@ -118,7 +118,7 @@ app_setup_block: |
* To use these certs in other containers, do either of the following: * To use these certs in other containers, do either of the following:
1. *(Easier)* Mount the container's config folder in other containers (ie. `-v /path-to-le-config:/le-ssl`) and in the other containers, use the cert location `/le-ssl/keys/letsencrypt/` 1. *(Easier)* Mount the container's config folder in other containers (ie. `-v /path-to-le-config:/le-ssl`) and in the other containers, use the cert location `/le-ssl/keys/letsencrypt/`
2. *(More secure)* Mount the SWAG folder `etc` that resides under `/config` in other containers (ie. `-v /path-to-le-config/etc:/le-ssl`) and in the other containers, use the cert location `/le-ssl/letsencrypt/live/<your.domain.url>/` (This is more secure because the first method shares the entire SWAG config folder with other containers, including the www files, whereas the second method only shares the ssl certs) 2. *(More secure)* Mount the SWAG folder `etc` that resides under `/config` in other containers (ie. `-v /path-to-le-config/etc:/le-ssl`) and in the other containers, use the cert location `/le-ssl/letsencrypt/live/<your.domain.url>/` (This is more secure because the first method shares the entire SWAG config folder with other containers, including the www files, whereas the second method only shares the ssl certs)
3. *(Alternative)* Use custom custom deploy hook e.g. `/etc/letsencrypt/renewal-hooks/deploy/20-my` to deploy the certificates. 3. *(Alternative)* Use custom custom deploy hook e.g. `/config/renewal-hooks/deploy/20-my` to deploy the certificates.
* These certs include: * These certs include:
1. `cert.pem`, `chain.pem`, `fullchain.pem` and `privkey.pem`, which are generated by Certbot and used by nginx and various other apps 1. `cert.pem`, `chain.pem`, `fullchain.pem` and `privkey.pem`, which are generated by Certbot and used by nginx and various other apps
2. `privkey.pfx`, a format supported by Microsoft and commonly used by dotnet apps such as Emby Server (no password) 2. `privkey.pfx`, a format supported by Microsoft and commonly used by dotnet apps such as Emby Server (no password)
@ -153,7 +153,7 @@ app_setup_nginx_reverse_proxy_block: ""
# changelog # changelog
changelogs: changelogs:
- { date: "15.02.21:", desc: "Use certbot file hooks instead of command line hooks" } - { date: "16.02.21:", desc: "Use certbot file hooks instead of command line hooks" }
- { date: "12.02.21:", desc: "Clean up rust/cargo cache, which ballooned the image size in the last couple of builds." } - { date: "12.02.21:", desc: "Clean up rust/cargo cache, which ballooned the image size in the last couple of builds." }
- { date: "10.02.21:", desc: "Fix aliyun, domeneshop, inwx and transip dns confs for existing users." } - { date: "10.02.21:", desc: "Fix aliyun, domeneshop, inwx and transip dns confs for existing users." }
- { date: "09.02.21:", desc: "Rebasing to alpine 3.13. Add nginx mods brotli and dav-ext. Remove nginx mods lua and lua-upstream (due to regression over the last couple of years)." } - { date: "09.02.21:", desc: "Rebasing to alpine 3.13. Add nginx mods brotli and dav-ext. Remove nginx mods lua and lua-upstream (due to regression over the last couple of years)." }

16
root/etc/cont-init.d/50-config
View File

@ -35,11 +35,19 @@ done
# make our folders and links # make our folders and links
mkdir -p \ mkdir -p \
/config/{log/letsencrypt,log/fail2ban,etc/letsencrypt/renewal-hooks,fail2ban,crontabs,dns-conf,geoip2db} \ /config/{log/letsencrypt,log/fail2ban,etc/letsencrypt,fail2ban,crontabs,dns-conf,geoip2db,renewal-hooks} \
/var/run/fail2ban /var/run/fail2ban
rm -rf /etc/letsencrypt rm -rf /etc/letsencrypt
ln -s /config/etc/letsencrypt /etc/letsencrypt ln -s /config/etc/letsencrypt /etc/letsencrypt
rm -rf /config/etc/letsencrypt/renewal-hooks
ln -s ../../renewal-hooks /config/etc/letsencrypt/renewal-hooks
# copy default renewal hooks
chmod -R +x /defaults/renewal-hooks
cp -nR /defaults/renewal-hooks/* /config/renewal-hooks/
chown -R abc:abc /config/renewal-hooks
# copy dns default configs # copy dns default configs
cp -n /defaults/dns-conf/* /config/dns-conf/ cp -n /defaults/dns-conf/* /config/dns-conf/
chown -R abc:abc /config/dns-conf chown -R abc:abc /config/dns-conf
@ -81,11 +89,6 @@ cp /config/fail2ban/jail.local /etc/fail2ban/jail.local
[[ ! -f /config/www/502.html ]] && [[ ! -f /config/www/502.html ]] &&
cp /defaults/502.html /config/www/502.html cp /defaults/502.html /config/www/502.html
# copy default renewal hooks
chmod -R +x /defaults/renewal-hooks
cp -nR /defaults/renewal-hooks/* /etc/letsencrypt/renewal-hooks/
chown -R abc:abc /config/renewal-hooks
# remove lua bits from nginx.conf if not done before # remove lua bits from nginx.conf if not done before
if ! grep -q '#Removed lua' /config/nginx/nginx.conf; then if ! grep -q '#Removed lua' /config/nginx/nginx.conf; then
echo "Removing lua specific info from nginx.conf" echo "Removing lua specific info from nginx.conf"
@ -279,6 +282,7 @@ if [ ! "$URL" = "$ORIGURL" ] || [ ! "$SUBDOMAINS" = "$ORIGSUBDOMAINS" ] || [ ! "
[[ -f /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem ]] && certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem --server $REV_ACMESERVER [[ -f /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem ]] && certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem --server $REV_ACMESERVER
rm -rf /config/etc/letsencrypt rm -rf /config/etc/letsencrypt
mkdir -p /config/etc/letsencrypt mkdir -p /config/etc/letsencrypt
ln -s ../../renewal-hooks /config/etc/letsencrypt/renewal-hooks
fi fi
# saving new variables # saving new variables