kanootoko/ssl-nginx
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Version 0.6.0 (2026-04-01)

Browse Source 
Changes:
- add config validation option via Makefile
- add `default-http{,s}-port` commands to add_servers.py
- update add_servers.py to pass generic parameters to servers in templates
- add nginx_conf.d directory usage for more than one custom nginx configurations
- rename `port` and `ssl_port` to `http{,s}_port` for templates
- add `http{,s}_custom_params` to templates
This commit is contained in:
Aleksei Sokol
2026-03-25 16:16:01 +03:00
parent 94259c5f99
commit 8946fa4244
14 changed files with 314 additions and 78 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
nginx/Dockerfile
View File

@@ -7,13 +7,17 @@ COPY servers.yaml /servers.yaml
COPY domains.txt /domains.txt
COPY nginx.conf.j2 /nginx.conf.j2
RUN python /add_servers.py --nginx-template /nginx.conf.j2 -o /nginx.conf --domains_list_txt /domains.txt --servers-config servers.yaml --certificates-path /ssl
RUN python /add_servers.py --nginx-template /nginx.conf.j2 -o /nginx.conf --domains-list-txt /domains.txt --servers-config servers.yaml --certificates-path /ssl
# service
FROM nginx:alpine
RUN apk add curl bash
COPY --from=builder /nginx.conf /etc/nginx/nginx.conf
RUN rm -rf /etc/nginx/conf.d
COPY nginx_conf.d /etc/nginx/conf.d
COPY domains.txt /domains.txt
RUN echo "20 2 */7 * * nginx -s reload" > /etc/crontabs/root && \

106
nginx/add_servers.py
View File

@@ -4,52 +4,43 @@ from __future__ import annotations
import argparse
import os
from dataclasses import dataclass, field
from dataclasses import dataclass
from typing import Any
import jinja2
import yaml
@dataclass
class Server:
"""Server entry for nginx.conf file."""
name: str
all_names: str | None = None
proxy_pass: str | None = None
certificate_dir: str | None = None
port: int = None
ssl_port: int = None
server_options: list[str] = field(default_factory=list)
location_options: list[str] = field(default_factory=list)
DEFAULT_HTTP_PORT = 80
DEFAULT_HTTPS_PORT = 443
certificates_path: str = "/etc/letsencrypt/live"
def __init__(
self,
http_port: int = ...,
https_port: int = ...,
**kwargs: dict[str, Any],
):
if http_port is ...:
http_port = Server.DEFAULT_HTTP_PORT
if https_port is ...:
https_port = Server.DEFAULT_HTTPS_PORT
self._params = dict(kwargs)
for additional_name, additional_value in zip(
["http_port", "https_port"],
[http_port, https_port],
):
self._params[additional_name] = additional_value
def __post_init__(self) -> None:
if self.server_options is None:
self.server_options = []
if self.location_options is None:
self.location_options = []
if self.all_names is None:
self.all_names = self.name
if self.port is None:
self.port = 80
if self.ssl_port is None:
self.ssl_port = 443
def __getattr__(self, name) -> Any:
return self._params.get(name)
def to_dict(self) -> dict:
"""Convert server class to dict for nginx.conf.j2 jinja2-template"""
return {
"name": self.name,
"all_names": self.all_names,
"proxy_pass": self.proxy_pass,
"server_options": self.server_options,
"location_options": self.location_options,
"certificate_dir": self.certificate_dir,
"port": self.port,
"ssl_port": self.ssl_port,
}
return dict(self._params)
@dataclass
@@ -59,6 +50,8 @@ class CLIParams:
nginx_template: str
domains_list_txt: str
servers_config: str
default_http_port: str
default_https_port: str
certificates_path: str
http_only: bool
output: str | None
@@ -69,7 +62,7 @@ def main() -> None:
parser = argparse.ArgumentParser("add-servers", description="Add domain servers to a given nginx.conf file")
parser.add_argument("--nginx-template", "-f", required=True, help="Path to nginx.conf.j2 template file")
parser.add_argument(
"--domains_list_txt",
"--domains-list-txt",
"-d",
required=True,
help="Path to file with domains which have ssl certificates",
@@ -81,6 +74,18 @@ def main() -> None:
default=None,
help="Path to servers configuration yaml file",
)
parser.add_argument(
"--default-http-port",
required=False,
default=80,
help="Default port for https protocol",
)
parser.add_argument(
"--default-https-port",
required=False,
default=443,
help="Default port for https protocol",
)
parser.add_argument(
"--certificates-path",
"-c",
@@ -97,6 +102,9 @@ def main() -> None:
args: CLIParams = parser.parse_args()
Server.DEFAULT_HTTP_PORT = args.default_http_port
Server.DEFAULT_HTTPS_PORT = args.default_https_port
if args.domains_list_txt is not None:
with open(args.domains_list_txt, "r", encoding="utf-8") as file:
domains_with_certs = [
@@ -117,22 +125,21 @@ def main() -> None:
servers: dict[str, dict[str, Any]] = data["servers"]
for server_name, params in servers.items():
params_part = dict(params)
all_names = params.get(
"all_names",
None if "*" not in server_name else f"{server_name} {server_name.replace('*.', '', 1)}",
)
certificate_dir = _get_certificate_path(
http_only=args.http_only,
domains_with_certs=domains_with_certs,
base_certs_path=args.certificates_path,
server_name=params.get("certificate_name") or server_name,
)
params_part.pop("all_names", None)
params_part.pop("certificate_name", None)
nginx_servers.append(
Server(
name=server_name,
all_names=params.get(
"all_names",
None if "*" not in server_name else f"{server_name} {server_name.replace('*.', '', 1)}",
),
proxy_pass=params.get("proxy_pass"),
certificate_dir=_get_certificate_path(
args.http_only, domains_with_certs, args.certificates_path, params.get("certificate_name") or server_name
),
port=params.get("port"),
ssl_port=params.get("ssl_port"),
server_options=params.get("server_options"),
location_options=params.get("location_options"),
)
Server(name=server_name, all_names=all_names, certificate_dir=certificate_dir, **params_part)
)
for domain in domains_with_certs:
if not any(
@@ -140,8 +147,7 @@ def main() -> None:
(server.all_names is None and domain == server.name)
or (
server.all_names is not None
and f" {domain}" in server.all_names
or server.all_names.startswith(domain)
and (f" {domain}" in server.all_names or server.all_names.startswith(domain))
)
)
for server in nginx_servers

0
nginx/domains.txt.example → nginx/examples/domains.txt
View File

48
nginx/nginx.conf.j2.example → nginx/examples/nginx.conf.j2
View File

@@ -1,8 +1,24 @@
{#- variables ~ examples: #}
{#- acme_challenge_location ~ /ssl/: #}
{#- resolver ~ 127.0.0.11: #}
{#- servers ~ ["name": ..., ("proxy_pass": ..., "server_options": ..., "location_options": ..., "all_names": ..., "port": ..., "ssl_port": ...)]: #}
{#- #}user nginx;
{# input variables ~ examples:
- acme_challenge_location ~ /ssl/:
- resolver ~ 127.0.0.11:
- servers
- name ~ doma.in,
- all_names ~ doma.in testing.doma.in
- proxy_pass ~ http://localhost:3333
- certificate_dir ~ /ssl/other.doma.in (configured by certificate_name parameter)
- server_options
- opt_1;
...
- location_options
- opt_1;
...
- http_port ~ 80
- https_port ~ 443
- http_custom_params ~ proxy_protocol
- https_custom_params ~ proxy_protocol
-#}
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
@@ -31,9 +47,12 @@ http {
{%- for server in servers %}
{# #}
server {
listen {{ server["port"] or 80 }};
{%- if server["certificate_dir"] is not none %}
listen {{ server["ssl_port"] or 443 }} ssl;
{%- if server["http_port"] %}
listen {{ server["http_port"] }} {{- " " + server["http_custom_params"] if server["http_custom_params"] else ""}};
{%- endif %}
{%- if server["certificate_dir"] %}
listen {{ server["https_port"] }} ssl {{- " " + server["https_custom_params"] if server["https_custom_params"] else ""}};
ssl_certificate {{ server["certificate_dir"] }}/fullchain.pem;
ssl_certificate_key {{ server["certificate_dir"] }}/privkey.pem;
@@ -45,21 +64,21 @@ http {
server_name {{ server["all_names"] or server["name"] }};
{%- if acme_challenge_location is not none %}
{%- if acme_challenge_location %}
{# #}
location /.well-known/acme-challenge {
root {{ acme_challenge_location }};
}
{%- endif %}
{%- if server["server_options"]|length > 0 %}
{%- if server["server_options"] %}
{# #}
{%- for server_option in server["server_options"] %}
{{ server_option }}
{%- endfor %}
{%- endif %}
{%- if server["proxy_pass"] is not none %}
{%- if server["proxy_pass"] %}
{# #}
location / {
resolver {{ resolver }};
@@ -68,9 +87,12 @@ http {
proxy_set_header Host $host:$server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Real-IP $remote_addr;
{%- if server["location_options"]|length > 0 %}
{%- if server["location_options"] %}
{# #}
{%- for location_option in server["location_options"] %}
{{ location_option }}
@@ -81,3 +103,5 @@ http {
}
{%- endfor %}
}
include /etc/nginx/conf.d/*.conf;

131
nginx/examples/nginx.middle.conf.j2 Normal file
View File

@@ -0,0 +1,131 @@
{# input variables ~ examples:
- acme_challenge_location ~ /ssl/:
- resolver ~ 127.0.0.11:
- servers
- name ~ doma.in,
- all_names ~ doma.in testing.doma.in
- proxy_pass ~ http://localhost:3333
- certificate_dir ~ /ssl/other.doma.in (configured by certificate_name parameter)
- server_options
- opt_1;
...
- location_options
- opt_1;
...
- http_port ~ 80
- https_port ~ 443
- http_custom_params ~ proxy_protocol
- https_custom_params ~ proxy_protocol
-#}
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
server_tokens off;
gzip on;
proxy_connect_timeout 300;
proxy_send_timeout 600;
proxy_read_timeout 600;
send_timeout 600;
client_max_body_size 500M;
server {
return 404;
}
map $http_host $proxied_host {
"" $host;
default $http_host;
}
map $http_x_forwarded_port $proxied_port {
"" $server_port;
default $http_x_forwarded_port;
}
map $http_x_forwarded_host $proxied_x_host {
"" $host:$proxied_port;
default $http_x_forwarded_host;
}
map $http_x_forwarded_proto $proxied_proto {
"" $scheme;
default $http_x_forwarded_proto;
}
map $http_x_real_ip $proxied_remote_addr {
"" $remote_addr;
default $http_x_real_ip;
}
map $http_x_forwarded_for $proxied_forwarded_for {
"" $proxy_add_x_forwarded_for;
default $http_x_forwarded_for;
}
{%- for server in servers %}
{# #}
server {
{%- if server["http_port"] %}
listen {{ server["http_port"] }} {{- " " + server["http_custom_params"] if server["http_custom_params"] else ""}};
{%- endif %}
{%- if server["certificate_dir"] %}
listen {{ server["https_port"] }} ssl {{- " " + server["https_custom_params"] if server["https_custom_params"] else ""}};
ssl_certificate {{ server["certificate_dir"] }}/fullchain.pem;
ssl_certificate_key {{ server["certificate_dir"] }}/privkey.pem;
if ($scheme = 'http') {
return 302 https://$host$request_uri;
}
{%- endif %}
keepalive_timeout 70;
server_name {{ server["all_names"] or server["name"] }};
{%- if acme_challenge_location %}
{# #}
location /.well-known/acme-challenge {
root {{ acme_challenge_location }};
}
{%- endif %}
{%- if server["server_options"] %}
{# #}
{%- for server_option in server["server_options"] %}
{{ server_option }}
{%- endfor %}
{%- endif %}
{%- if server["proxy_pass"] %}
{# #}
location / {
resolver {{ resolver }};
set $host_{{ loop.index }} {{ server["proxy_pass"] }};
proxy_pass $host_{{ loop.index }};
proxy_set_header HOST $proxied_host;
proxy_set_header X-Forwarded-Host $proxied_x_host;
proxy_set_header X-Forwarded-Port $proxied_port;
proxy_set_header X-Forwarded-Proto $proxied_proto;
proxy_set_header X-Forwarded-For $proxied_forwarded_for;
proxy_set_header X-Real-IP $proxied_remote_addr;
{%- if server["location_options"] %}
{# #}
{%- for location_option in server["location_options"] %}
{{ location_option }}
{%- endfor %}
{%- endif %}
}
{%- endif %}
}
{%- endfor %}
}
include /etc/nginx/conf.d/*.conf;

12
nginx/servers.yaml.example → nginx/examples/servers.yaml
View File

@@ -1,5 +1,5 @@
resolver: 127.0.0.1
acme_challenge_location: /etc/nginx/acme/
resolver: 127.0.0.1 # 127.0.0.11 for docker
acme_challenge_location: /etc/nginx/acme/ # /ssl for docker volume
servers:
@@ -18,8 +18,14 @@ servers:
"*.doma.in":
all_names: "*.doma.in doma.in"
certificate_name: doma.in
proxy_pass: "http://full.subdomain.proxy"
proxy_pass: "http://full.subdomain.proxy"
server_options:
- "proxy_buffering off;"
- "proxy_request_buffering off;"
- "client_max_body_size 0;"
- "http2 on;"
"custom.doma.in":
proxy_pass: "http://custom"
http_port: 4480
https_port: 4443
https_custom_params: "http2 proxy_protocol"

27
nginx/examples/stream.conf Normal file
View File

@@ -0,0 +1,27 @@
stream {
log_format stream '$remote_addr [$time_local] host=$ssl_preread_server_name '
'prot=$protocol status=$status out=$bytes_sent in=$bytes_received';
# access_log /var/log/nginx/stream_access.log stream;
# error_log /var/log/nginx/stream_error.log;
map $ssl_preread_server_name $backend_name {
your.special.domain proxy_protocol_backend;
default nginx_https;
}
upstream nginx_https {
server 127.0.0.1:4443;
}
upstream proxy_protocol_backend {
server container_backend:443;
}
server {
listen 443 reuseport;
proxy_pass $backend_name;
ssl_preread on;
proxy_protocol on;
}
}

2
nginx/nginx_conf.d/.dockerignore Normal file
View File

@@ -0,0 +1,2 @@
/.gitignore
/.dockerignore

3
nginx/nginx_conf.d/.gitignore vendored Normal file
View File

@@ -0,0 +1,3 @@
*
!/.gitignore
!/.dockerignore