Commit 7adab16

Update README.md
Added `How does it work?` section to the README
1 parent c0ff810 commit 7adab16

1 file changed

+12
-1
lines changed

README.md

Lines changed: 12 additions & 1 deletion
@@ -1,7 +1,7 @@
11
# docker-nginx-auto-ssl
22
*The simpliest solution to add SSL cert to your site*
33

4-
![build](https://img.shields.io/docker/build/valian/docker-nginx-auto-ssl.svg)
4+
![build](https://img.shields.io/docker/cloud/build/valian/docker-nginx-auto-ssl.svg)
55
![build](https://img.shields.io/docker/pulls/valian/docker-nginx-auto-ssl.svg)
66

77
Docker image for automatic generation of SSL certs using Let's encrypt and Open Resty, with reasonable SSL settings, HTTP/2 and WebSockets support out-of-the-box.
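Review bot: the second badge in this hunk (context line 5, `![build](https://img.shields.io/docker/pulls/...)`) still carries the alt text `build` although it reports pull counts; while the badge block is being touched, rename it `![pulls](...)` so the two badges are distinguishable when images do not load. The tagline on context line 2 also has a typo, `simpliest` should be `simplest`.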
@@ -238,6 +238,17 @@ docker build -t docker-nginx-auto-ssl .
238238
docker run [YOUR_OPTIONS] docker-nginx-auto-ssl
239239
```
240240

241+
## How does it work?
242+
243+
A short walktrough of what's going on here.
244+
245+
- [The docker entrypoint](https://github.com/Valian/docker-nginx-auto-ssl/blob/master/entrypoint.sh#L29) is responsible for preparing a location block for each site declared in `SITES` env variable. [This file is used as a template](https://github.com/Valian/docker-nginx-auto-ssl/blob/master/snippets/server-proxy.conf).
246+
- when request comes to port 80, it's by default redirected to 443 (HTTP -> HTTPS redirection)
247+
- when request comes to port 443, HTTPS certificate is resolved by lua code (relevant [file in this repo](https://github.com/Valian/docker-nginx-auto-ssl/blob/master/snippets/resty-server-https.conf) and [source code from lua-resty-auto-ssl](https://github.com/auto-ssl/lua-resty-auto-ssl/blob/master/lib/resty/auto-ssl/ssl_certificate.lua)). If certificate exists for a given domain and is valid, it's returned. Otherwise, a process of generating new certificate starts. It's initialized [here](https://github.com/auto-ssl/lua-resty-auto-ssl/blob/master/lib/resty/auto-ssl/ssl_providers/lets_encrypt.lua) and uses https://github.com/dehydrated-io/dehydrated for all the Let's Encrypt-related communication. It starts challenge process, prepares files for challenge and receives certificates. All of that is done in a couple of seconds, while the original request waits for the response.
248+
- challenge files are prepared and served under `/.well-known/acme-challenge/` ([relevant file from this repo ](https://github.com/Valian/docker-nginx-auto-ssl/blob/master/snippets/resty-server-http.conf) and source code from [lua-resty-auto-ssl](https://github.com/auto-ssl/lua-resty-auto-ssl/blob/71259605a3868b287ac0501d5850594b3f1b9cbb/lib/resty/auto-ssl/servers/challenge.lua))
249+
250+
There's more to it, eg locks across all workers to only generate one certificate for a domain at a time, upload of the certificate to shared storage if configured, checking if domain is whitelisted, communication with Let's Encrypt etc. All in all, it's fairly efficient and shouldn't add any noticeable overhead to nginx.
251+
241252
# CHANGELOG
242253

243254
* **11-11-2019** - Added gzip support and dropped TLS 1.0 and 1.1 #33
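Review bot: the port-443 bullet (added line 247) says that when no valid certificate exists "a process of generating new certificate starts", and the domain whitelist check is only mentioned in passing on line 250; since that check is what prevents arbitrary SNI names from triggering issuance attempts against Let's Encrypt, state it in the 443 bullet before "Otherwise, a process of generating new certificate starts" rather than as an afterthought. Two smaller points: "walktrough" on line 243 should be "walkthrough", and the challenge.lua link on line 248 pins commit `71259605a3868b287ac0501d5850594b3f1b9cbb` while the other lua-resty-auto-ssl links point at `master`; either pin all of them or none, so the walkthrough does not silently describe two different versions.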
