--- # Sets up a series of containers to automatically provision SSL certificates # and configure nginx for reverse proxying. Containers that should be proxied # need to be labelled with the following: # # com.chameth.vhost="main.domain.com,alternate.domain.com,alt2.com,..." # com.chameth.proxy=80 # com.chameth.proxy.protocol=http [optional, defaults to http] # # To prove ownership of domains to Let's Encrypt, we add a DNS entry when # required. This requires you to provide authentication details (e-mail # address, API key, password, etc). These should be specified in a # docker-compose.override.yml file. version: '2' services: # etcd is a key-value server. We use it to store meta-data about docker # containers which is then read by the service containers below. # # etcd can be distributed and accessed remotely, but this config is for # a single node instance. etcd: image: quay.io/coreos/etcd:v2.3.3 container_name: autoproxy_etcd restart: always command: >- --name etcd0 --initial-cluster etcd0=http://127.0.0.1:2380 --initial-advertise-peer-urls http://127.0.0.1:2380 --initial-cluster-state new --initial-cluster-token etcd-cluster-1 --bind-addr 0.0.0.0:2379 networks: - etcd-services # service-reporter interacts with docker (which is why it needs the # docker.sock mounted) to get a list of current containers, and # monitor when containers are added or removed. It keeps the information # in etcd up-to-date. reporter: image: csmith/service-reporter:latest container_name: autoproxy_reporter restart: always links: - etcd:etcd volumes: - /var/run/docker.sock:/var/run/docker.sock networks: - etcd-services depends_on: - etcd # service-letsencrypt reads a list of vhosts from container labels # (via etcd), and prepares a domains.txt file to send on to one of # the letsencrypt-* containers below. letsencrypt-updater: image: csmith/service-letsencrypt:latest container_name: autoproxy_letsencrypt-updater restart: always volumes: - letsencrypt-data:/letsencrypt networks: - etcd-services depends_on: - etcd # service-nginx reads proxy information and vhosts from etcd and # creates an nginx vhost config to enable SSL-terminated reverse # proxying to the containers. nginx-updater: image: csmith/service-nginx:latest container_name: autoproxy_nginx-updater restart: always volumes: - nginx-config:/nginx-config - letsencrypt-data:/letsencrypt networks: - etcd-services depends_on: - etcd # Finally, nginx is what actually does the SSL termination and # reverse proxying. Because it needs to connect to containers # on (potentially) many different networks, we set the # network_mode to host. nginx: image: nginx:1.13 container_name: autoproxy_nginx restart: always volumes: - nginx-config:/etc/nginx/conf.d - letsencrypt-data:/letsencrypt ports: - 80:80 - 443:443 network_mode: host # We use this container to monitor for nginx config file and SSL cert changes # (using inotify) and send nginx a SIGHUP signal. nginx-config-hupper: image: pstauffer/inotify:latest container_name: autoproxy_nginx-config-hupper restart: always volumes: - nginx-config:/monitor/nginx - letsencrypt-data:/monitor/letsencrypt - /var/run/docker.sock:/var/run/docker.sock environment: - 'CONTAINER=autoproxy_nginx' - 'VOLUMES=/monitor' - 'INOTIFY_OPTONS=--monitor --exclude=*.sw[px] --recursive' volumes: letsencrypt-data: nginx-config: networks: etcd-services: