v6.0.0

Dockerfile

@@ -1,4 +1,4 @@
-FROM bfren/nginx:nginx1.22-4.0.33
+FROM bfren/nginx:nginx1.22-alpine3.17-5.0.0
 
 LABEL org.opencontainers.image.source="https://github.com/bfren/docker-nginx-proxy"
 
@@ -35,7 +35,11 @@ ENV \
     # optional - add aliases to the auto-generated conf.json on first startup
     PROXY_AUTO_ALIASES= \
     # optional - mark the Nginx config as custom so it isn't regenerated on future startups
-    PROXY_AUTO_CUSTOM=0
+    PROXY_AUTO_CUSTOM=0 \
+    # upstream DNS resolver, set to Docker's internal resolver by default
+    PROXY_UPSTREAM_DNS_RESOLVER=127.0.0.11 \
+    # the number of seconds before the maintenance page will auto-refresh
+    PROXY_MAINTENANCE_REFRESH_SECONDS=6
 
 COPY ./overlay /
 

README.md

@@ -34,28 +34,35 @@ For SSL certificate requests to work correctly, ports 80 and 443 need mapping fr
 
 ## Environment Variables
 
-| Variable                             | Values                | Description                                                                                                                                  | Default               |
-| ------------------------------------ | --------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
-| `PROXY_URI`                          | URI                   | The base URI of the proxy server - will be used to handle unbound requests.                                                                  | *None* - **required** |
-| `PROXY_CLEAN_INSTALL`                | 0 or 1                | If 1, all Nginx and SSL configuration and certificates will be deleted and regenerated.                                                      | 0                     |
-| `PROXY_HARDEN`                       | 0 or 1                | If 1, only modern SSL ciphers and protocols will be enabled (some older devices may not be able to access it).                               | 0                     |
-| `PROXY_LETS_ENCRYPT_EMAIL`           | A valid email address | Used by Lets Encrypt for notification emails.                                                                                                | *None* - **required** |
-| `PROXY_LETS_ENCRYPT_LIVE`            | 0 or 1                | Only set to 1 (to request live certificates) when your config is correct - Lets Encrypt rate limit certificate requests.                     | 0                     |
-| `PROXY_SSL_DHPARAM_BITS`             | A valid integer       | The size of your DHPARAM variables - adjust down only if you have limited processing resources.                                              | 4096                  |
-| `PROXY_SSL_REDIRECT_TO_CANONICAL`    | 0 or 1                | If 1, all requests will be redirected to the primary domain (defined in `conf.json`).                                                        | 0                     |
-| `PROXY_GETSSL_SKIP_HTTP_TOKEN_CHECK` | true or false         | Set to true to enable `getssl`'s [skip HTTP token check](https://github.com/srvrco/getssl/wiki/Config-variables#skip_http_token_checkfalse). | false                 |
+| Variable                              | Values                | Description                                                                                                                                   | Default               |
+| ------------------------------------- | --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
+| `PROXY_URI`                           | URI                   | The base URI of the proxy server - will be used to handle unbound requests.                                                                   | *None* - **required** |
+| `PROXY_CLEAN_INSTALL`                 | 0 or 1                | If 1, all Nginx and SSL configuration and certificates will be deleted and regenerated.                                                       | 0                     |
+| `PROXY_HARDEN`                        | 0 or 1                | If 1, only modern SSL ciphers and protocols will be enabled (some older devices may not be able to access it).                                | 0                     |
+| `PROXY_LETS_ENCRYPT_EMAIL`            | A valid email address | Used by Lets Encrypt for notification emails.                                                                                                 | *None* - **required** |
+| `PROXY_LETS_ENCRYPT_LIVE`             | 0 or 1                | Only set to 1 (to request live certificates) when your config is correct - Lets Encrypt rate limit certificate requests.                      | 0                     |
+| `PROXY_SSL_DHPARAM_BITS`              | A valid integer       | The size of your DHPARAM variables - adjust down only if you have limited processing resources.                                               | 4096                  |
+| `PROXY_SSL_REDIRECT_TO_CANONICAL`     | 0 or 1                | If 1, all requests will be redirected to the primary domain (defined in `conf.json`).                                                         | 0                     |
+| `PROXY_GETSSL_SKIP_HTTP_TOKEN_CHECK`  | true or false         | Set to true to enable `getssl`'s [skip HTTP token check](https://github.com/srvrco/getssl/wiki/Config-variables#skip_http_token_checkfalse).  | false                 |
+| `PROXY_AUTO_PRIMARY`                  | URI                   | If set (along with PROXY_AUTO_UPSTREAM) SSL config will be generated on first startup.                                                        | *None*                |
+| `PROXY_AUTO_UPSTREAM`                 | URI                   | If set (along with PROXY_AUTO_PRIMARY) SSL config will be generated on first startup.                                                         | *None*                |
+| `PROXY_AUTO_ALIASES`                  | string of URIs        | Add aliases to the auto-generated conf.json on first startup.                                                                                 | *None*                |
+| `PROXY_AUTO_CUSTOM`                   | 0 or 1                | Mark the auto-generated SSL config to 'custom' so the Nginx configuration is not regenerated on startup.                                      | 0                     |
+| `PROXY_UPSTREAM_DNS_RESOLVER`         | IP address            | Upstream DNS resolver - set to Docker's by default.                                                                                           | 127.0.0.11            |
+| `PROXY_MAINTENANCE_REFRESH_SECONDS`   | A valid integer       | The number of seconds to count down before the maintenance page auto-refreshes.                                                               | 6                     |
 
 ## Helper Functions
 
-| Function              | Arguments | Description                                                                                                                |
-| --------------------- | --------- | -------------------------------------------------------------------------------------------------------------------------- |
-| `nginx-regenerate`    | -f: force | Removes non-custom Nginx configuration files (in `/sites`) and regenerates based on `conf.json` (with force, removes all). |
-| `ssl-cleanup`         | -m: mode  | Removes SSL and Nginx configuration files and directories not defined in `conf.json` (mode 0 = dry run, 1 = live).         |
-| `ssl-init`            | *None*    | Initialises SSL configuration based on `conf.json`.                                                                        |
-| `ssl-regenerate`      | *None*    | Removes SSL configuration files (in `/ssl/certs`) and regenerates based on `conf.json`.                                    |
-| `ssl-regenerate-full` | *None*    | Removes SSL configuration files (in `/ssl/certs`), as well as DH parameters, and regenerates based on `conf.json`.         |
-| `ssl-request`         | *None*    | Requests SSL certificates from Lets Encrypt.                                                                               |
-| `ssl-update`          | *None*    | Attempts to update SSL certificates manually.                                                                              |
+| Function              | Arguments                 | Description                                                                                                                   |
+| --------------------- | ------------------------- | ----------------------------------------------------------------------------------------------------------------------------- |
+| `nginx-adduser`       | 0: username, 1: password  | Add a user to enable basic HTTP auth.                                                                                         |
+| `nginx-regenerate`    | -f: force                 | Removes non-custom Nginx configuration files (in `/sites`) and regenerates based on `conf.json` (with force, removes all).    |
+| `ssl-cleanup`         | -m: mode                  | Removes SSL and Nginx configuration files and directories not defined in `conf.json` (mode 0 = dry run, 1 = live).            |
+| `ssl-init`            | *None*                    | Initialises SSL configuration based on `conf.json`.                                                                           |
+| `ssl-regenerate`      | *None*                    | Removes SSL configuration files (in `/ssl/certs`) and regenerates based on `conf.json`.                                       |
+| `ssl-regenerate-full` | *None*                    | Removes SSL configuration files (in `/ssl/certs`), as well as DH parameters, and regenerates based on `conf.json`.            |
+| `ssl-request`         | *None*                    | Requests SSL certificates from Lets Encrypt.                                                                                  |
+| `ssl-update`          | *None*                    | Attempts to update SSL certificates manually.                                                                                 |
 
 ## Nginx Configuration Helpers
 

VERSION

@@ -1 +1 @@
-5.1.25
+6.0.0

VERSION_MAJOR

@@ -1 +1 @@
-5
+6

VERSION_MINOR

@@ -1 +1 @@
-5.1
+6.0

overlay/etc/bf/init.d/23-maintenance

@@ -0,0 +1,14 @@
+#!/command/with-contenv bash
+
+set -euo pipefail
+export BF_E=`basename ${0}`
+
+
+#======================================================================================================================
+# Generate maintenance configuration helper and page.
+#======================================================================================================================
+
+bf-echo "Generating maintenance files."
+bf-esh ${BF_TEMPLATES}/proxy-maintenance.conf.esh /etc/nginx/helpers/proxy-maintenance.conf
+bf-esh ${BF_TEMPLATES}/maintenance.html.esh ${NGINX_ROOT}/maintenance.html
+bf-done

overlay/www/maintenance.html → overlay/etc/bf/templates/maintenance.html.esh

@@ -11,9 +11,9 @@
 <body>
 <h1>Maintenance</h1>
 <p>The site you requested is temporarily down for maintenance.  Please try again later.</p>
-<p class="muted">This page will auto-refresh in <span id="remaining">10</span>s.</p>
+<p class="muted">This page will auto-refresh in <span id="remaining"><%= "${PROXY_MAINTENANCE_REFRESH_SECONDS}" %></span>s.</p>
 <script type="text/javascript">
-    let remaining = 7;
+    let remaining = <%= "${PROXY_MAINTENANCE_REFRESH_SECONDS}" %>;
     let countdown = function () {
         // reload the page
         if (remaining == 0) {

overlay/etc/bf/templates/nginx-site.conf.esh

@@ -22,7 +22,7 @@
 # WARNING: This file is generated. Do not make changes to this file.
 # Changes will be overwritten the next time the container is started.
 #
-# To add server names or aliases please use /ssl/conf.sh (see ssl-conf-sample.sh).
+# To add server names or aliases please use /ssl/conf.json (see ssl-conf-sample.json).
 #
 # If you need a fully custom configuration then add the following to /ssl/conf.json in the object where the primary
 # domain is "<%= "${DOMAIN_NAME}" %>":
@@ -78,18 +78,28 @@ server {
     listen                          [::]:443 ssl http2;
 
 <% if [ "${PROXY_SSL_REDIRECT_TO_CANONICAL}" = "1" ] ; then -%>
-    # redirect to primary domain name
+    # redirect to primary (canonical) domain name
     if ($host != <%= "${DOMAIN_NAME}" %>) {
         return                      301 <%= "https://${DOMAIN_NAME}" %>$request_uri;
     }
 <% fi -%>
 
     # main site configuration block
     location / {
-        proxy_pass                  <%= "${UPSTREAM}" %>;
+        # set resolver to Docker's internal DNS resolver and use an upstream variable so Nginx will always start,
+        # even if $upstream is not available - h/t https://stackoverflow.com/a/54719226/8199362
+        resolver                    <%= "${PROXY_UPSTREAM_DNS_RESOLVER}" %> valid=30s;
+        set $upstream               <%= "${UPSTREAM}" %>;
+
+        # proxy to the upstream server, enabling best-practice proxy and security headers
+        proxy_pass                  $upstream;
         include                     helpers/proxy-params.conf;
         include                     helpers/proxy-secure-headers.conf;
+
+        # use maintenance page (defined in helpers/proxy-maintenance.conf - see below) when there's an upstream error
         error_page                  502 503 504 /maintenance.html;
+
+        # include custom configuration files
         include                     <%= "${CUSTOM_CONF}/*.conf" %>;
 
         # because he was a legend

overlay/etc/bf/templates/proxy-maintenance.conf.esh

@@ -0,0 +1,3 @@
+location = /maintenance.html {
+    root                                <%= "${NGINX_ROOT}" %>;
+}