Merge pull request #1 from PabloZaiden/letsencrypt-server-env

Letsencrypt server env

Author: PabloZaiden

Dockerfile

@@ -1,20 +1,20 @@
 FROM openresty/openresty:alpine-fat
 
 # allowed domains should be lua match pattern
-ENV DIFFIE_HELLMAN='' ALLOWED_DOMAINS='.*' AUTO_SSL_VERSION='0.11.1' FORCE_HTTPS='true' SITES=''
+ENV DIFFIE_HELLMAN='' ALLOWED_DOMAINS='.*' AUTO_SSL_VERSION='0.11.1' FORCE_HTTPS='true' SITES='' LETSENCRYPT_URL='https://acme-v01.api.letsencrypt.org/directory'
 
 # Here we install open resty and generate dhparam.pem file.
 # You can specify DIFFIE_HELLMAN=true to force regeneration of that file on first run
 # also we create fallback ssl keys
 RUN apk --no-cache add bash openssl \
- && /usr/local/openresty/luajit/bin/luarocks install lua-resty-auto-ssl $AUTO_SSL_VERSION \
- && openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
+    && /usr/local/openresty/luajit/bin/luarocks install lua-resty-auto-ssl $AUTO_SSL_VERSION \
+    && openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
     -subj '/CN=sni-support-required-for-valid-ssl' \
     -keyout /etc/ssl/resty-auto-ssl-fallback.key \
     -out /etc/ssl/resty-auto-ssl-fallback.crt \
- && openssl dhparam -out /usr/local/openresty/nginx/conf/dhparam.pem 2048 \
- # let's remove default open resty configuration, we'll conditionally add modified version in entrypoint.sh
- && rm /etc/nginx/conf.d/default.conf
+    && openssl dhparam -out /usr/local/openresty/nginx/conf/dhparam.pem 2048 \
+    # let's remove default open resty configuration, we'll conditionally add modified version in entrypoint.sh
+    && rm /etc/nginx/conf.d/default.conf
 
 COPY nginx.conf snippets /usr/local/openresty/nginx/conf/
 COPY entrypoint.sh /entrypoint.sh

README.md

@@ -29,6 +29,7 @@ Available configuration options:
  | DIFFIE_HELLMAN | `true` | Force regeneration of `dhparam.pem`. If not specified, default one is used. |
  | SITES | `db.com=localhost:5432; *.app.com=localhost:8080`, `_=localhost:8080` | Shortcut for defining multiple proxies, in form of `domain1=endpoint1; domain2=endpoint2`. Default template for proxy is [here](https://github.com/Valian/docker-nginx-auto-ssl/blob/master/snippets/server-proxy.conf). Name `_` means default server, just like in nginx configuration |
  | FORCE_HTTPS | `true`, `false` | If `true`, automatically adds location to `resty-server-http.conf` redirecting traffic from http to https. `true` by default. |
+ | LETSENCRYPT_URL | `https://acme-v01.api.letsencrypt.org/directory`, `https://acme-staging.api.letsencrypt.org/directory` | Let's Encrypt server URL to use |
 
 
 If you want to proxy multiple sites (probably the most common case, that's why I've made it possible to achieve without custom configuration):

entrypoint.sh

@@ -58,8 +58,8 @@ if [ "$FORCE_HTTPS" == "true" ]; then
 fi
 
 
-# let's substitute $ALLOWED_DOMAINS into OpenResty configuration
-envsubst '$ALLOWED_DOMAINS' \
+# let's substitute $ALLOWED_DOMAINS and $LETSENCRYPT_URL into OpenResty configuration
+envsubst '$ALLOWED_DOMAINS,$LETSENCRYPT_URL' \
   < ${RESTY_CONF_DIR}/resty-http.conf \
   > ${RESTY_CONF_DIR}/resty-http.conf.copy \
   && mv ${RESTY_CONF_DIR}/resty-http.conf.copy ${RESTY_CONF_DIR}/resty-http.conf

snippets/resty-http.conf

@@ -19,7 +19,7 @@ resolver 8.8.8.8;
 # Initial setup tasks.
 init_by_lua_block {
     auto_ssl = (require "resty.auto-ssl").new()
-
+    auto_ssl:set("ca", '$LETSENCRYPT_URL')
     -- Define a function to determine which SNI domains to automatically handle
     -- and register new certificates for. Defaults to not allowing any domains,
     -- so this must be configured.