Name: nginx-ssl-proxy
Owner: Google Cloud Platform
Description: null
Created: 2015-05-12 15:19:27.0
Updated: 2018-05-19 05:45:25.0
Pushed: 2017-05-12 14:51:22.0
Homepage: null
Size: 116
Language: Shell
GitHub Committers
User | Most Recent Commit | # Commits |
---|
Other Committers
User | Most Recent Commit | # Commits |
---|
This repository is used to build a Docker image that acts as an HTTP reverse proxy with optional (but strongly encouraged) support for acting as an SSL termination proxy. The proxy can also be configured to enforce HTTP basic access authentication. Nginx is the HTTP server, and its SSL configuration is included (and may be modified to suit your needs) at nginx/proxy_ssl.conf
in this repository.
Build the image yourself by cloning this repository then running:
er build -t nginx-ssl-proxy .
This image is optimized for use in a Kubernetes cluster to provide SSL termination for other services in the cluster. It should be deployed as a Kubernetes replication controller with a service and public load balancer in front of it. SSL certificates, keys, and other secrets are managed via the Kubernetes Secrets API.
Here's how the replication controller and service would function terminating SSL for Jenkins in a Kubernetes cluster:
See https://github.com/GoogleCloudPlatform/kube-jenkins-imager for a complete tutorial that uses the nginx-ssl-proxy
in Kubernetes.
To run an SSL termination proxy you must have an existing SSL certificate and key. These instructions assume they are stored at /path/to/secrets/ and named cert.crt
and key.pem
. You'll need to change those values based on your actual file path and names.
Create a DHE Param
The nginx SSL configuration for this image also requires that you generate your own DHE parameter. It's easy and takes just a few minutes to complete:
ssl dhparam -out /path/to/secrets/dhparam.pem 2048
Launch a Container
Modify the below command to include the actual address or host name you want to proxy to, as well as the correct /path/to/secrets for your certificate, key, and dhparam:
er run \
ENABLE_SSL=true \
TARGET_SERVICE=THE_ADDRESS_OR_HOST_YOU_ARE_PROXYING_TO \
/path/to/secrets/cert.crt:/etc/secrets/proxycert \
/path/to/secrets/key.pem:/etc/secrets/proxykey \
/path/to/secrets/dhparam.pem:/etc/secrets/dhparam \
inx-ssl-proxy
The really important thing here is that you map in your cert to /etc/secrets/proxycert
, your key to /etc/secrets/proxykey
, and your dhparam to /etc/secrets/dhparam
as shown in the command above.
Enable Basic Access Authentication
Create an htpaddwd file:
sswd -nb YOUR_USERNAME SUPER_SECRET_PASSWORD > /path/to/secrets/htpasswd
Launch the container, enabling the feature and mapping in the htpasswd file:
er run \
ENABLE_SSL=true \
ENABLE_BASIC_AUTH=true \
TARGET_SERVICE=THE_ADDRESS_OR_HOST_YOU_ARE_PROXYING_TO \
/path/to/secrets/cert.crt:/etc/secrets/proxycert \
/path/to/secrets/key.pem:/etc/secrets/proxykey \
/path/to/secrets/dhparam.pem:/etc/secrets/dhparam \
/path/to/secrets/htpasswd:/etc/secrets/htpasswd \
inx-ssl-proxy
Add additional nginx config
All .conf from nginx/extra are added during built to /etc/nginx/extra-conf.d and get included on startup of the container. Using volumes you can overwrite them on start* of the container:
er run \
ENABLE_SSL=true \
TARGET_SERVICE=THE_ADDRESS_OR_HOST_YOU_ARE_PROXYING_TO \
/path/to/secrets/cert.crt:/etc/secrets/proxycert \
/path/to/secrets/key.pem:/etc/secrets/proxykey \
/path/to/secrets/dhparam.pem:/etc/secrets/dhparam \
/path/to/additional-nginx.conf:/etc/nginx/extra-conf.d/additional_proxy.conf \
inx-ssl-proxy
That way it is possible to setup additional proxies or modifying the nginx configuration.