public
/
docker-automatic-nginx-letsencrypt


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154
							---

# Sets up a series of containers to automatically provision SSL certificates
# and configure nginx for reverse proxying. Containers that should be proxied
# need to be labelled with the following:
#
#   com.chameth.vhost="main.domain.com,alternate.domain.com,alt2.com,..."
#   com.chameth.proxy=80
#   com.chameth.proxy.protocol=http [optional, defaults to http]
#
# To prove ownership of domains to Let's Encrypt, we add a DNS entry when
# required. You will need to configure one of the letsencrypt-* services
# below to make these changes.

version: '2'

services:

  # etcd is a key-value server. We use it to store meta-data about docker
  # containers which is then read by the service containers below.
  #
  # etcd can be distributed and accessed remotely, but this config is for
  # a single node instance.
  etcd:
    image: quay.io/coreos/etcd:v2.3.3
    container_name: autoproxy_etcd
    restart: always
    command: >-
      --name etcd0
      --initial-cluster etcd0=http://127.0.0.1:2380
      --initial-advertise-peer-urls http://127.0.0.1:2380
      --initial-cluster-state new
      --initial-cluster-token etcd-cluster-1
      --bind-addr 0.0.0.0:2379
    networks:
      - etcd-services

  # service-reporter interacts with docker (which is why it needs the
  # docker.sock mounted) to get a list of current containers, and
  # monitor when containers are added or removed. It keeps the information
  # in etcd up-to-date.
  reporter:
    image: csmith/service-reporter:latest
    container_name: autoproxy_reporter
    restart: always
    links:
      - etcd:etcd
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - etcd-services
    depends_on:
      - etcd

  # service-letsencrypt reads a list of vhosts from container labels
  # (via etcd), and prepares a domains.txt file to send on to one of
  # the letsencrypt-* containers below.
  letsencrypt-updater:
    image: csmith/service-letsencrypt:latest
    container_name: autoproxy_letsencrypt-updater
    restart: always
    volumes:
      - letsencrypt-data:/letsencrypt
    networks:
      - etcd-services
    depends_on:
      - etcd

  # letsencrypt-lexicon obtains Let's Encrypt certificates by modifying
  # DNS records. It supports several major cloud DNS providers. You
  # need to set the provider and auth tokens below.
  letsencrypt-lexicon:
    image: csmith/letsencrypt-lexicon:latest
    container_name: autoproxy_letsencrypt-lexicon
    restart: always
    volumes:
      - letsencrypt-data:/letsencrypt
    environment:
      - STAGING=yes
      - EMAIL=your@email.addr
      - PROVIDER=cloudflare
      - LEXICON_CLOUDFLARE_USERNAME=your@email.addr
      - LEXICON_CLOUDFLARE_TOKEN=1234567890123456789012345678901234567890

  # letsencrypt-generic uses a user-defined hook to update DNS entries.
  # You need to supply your own hook, available at /dns/hook. See the
  # letsencrypt.sh repo for details about hook arguments.
  #letsencrypt-generic:
  #  image: csmith/letsencrypt-generic:latest
  #  container_name: autoproxy_letsencrypt-generic
  #  restart: always
  #  volumes:
  #    - letsencrypt-data:/letsencrypt
  #    - /my/hook/script:/dns/hook
  #  environment:
  #    - STAGING=yes
  #    - EMAIL=your@email.addr

  # service-nginx reads proxy information and vhosts from etcd and
  # creates an nginx vhost config to enable SSL-terminated reverse
  # proxying to the containers.
  nginx-updater:
    image: csmith/service-nginx:latest
    container_name: autoproxy_nginx-updater
    restart: always
    volumes:
      - nginx-config:/nginx-config
    networks:
      - etcd-services
    depends_on:
      - etcd

  # Finally, nginx is what actually does the SSL termination and
  # reverse proxying. Because it needs to connect to containers
  # on (potentially) many different networks, we set the
  # network_mode to host.
  nginx:
    image: nginx:1.9
    container_name: autoproxy_nginx
    restart: always
    volumes:
      - nginx-config:/etc/nginx/conf.d
      - letsencrypt-data:/letsencrypt
    ports:
      - 80:80
      - 443:443
    network_mode: host

  # We use inotify-signal-container to monitor for nginx config
  # file and SSL cert changes (using inotify) and send nginx a
  # SIGHUP signal.
  nginx-config-hupper:
    image: masm/inotify-signal-container:latest
    container_name: autoproxy_nginx-config-hupper
    restart: always
    volumes:
      - nginx-config:/monitor/nginx
      - letsencrypt-data:/monitor/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock
    command:
      - autoproxy_nginx
      - SIGHUP
      - /monitor

volumes:

  letsencrypt-data:

  nginx-config:

networks:

  etcd-services: