123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145 |
- ---
-
- # Sets up a series of containers to automatically provision SSL certificates
- # and configure nginx for reverse proxying. Containers that should be proxied
- # need to be labelled with the following:
- #
- # com.chameth.vhost="main.domain.com,alternate.domain.com,alt2.com,..."
- # com.chameth.proxy=80
- # com.chameth.proxy.protocol=http [optional, defaults to http]
- #
- # To prove ownership of domains to Let's Encrypt, we add a DNS entry when
- # required. This requires you to provide authentication details (e-mail
- # address, API key, password, etc). These should be specified in a
- # docker-compose.override.yml file.
-
- version: '2'
-
- services:
-
- # etcd is a key-value server. We use it to store meta-data about docker
- # containers which is then read by the service containers below.
- #
- # etcd can be distributed and accessed remotely, but this config is for
- # a single node instance.
- etcd:
- image: quay.io/coreos/etcd:v2.3.3
- container_name: autoproxy_etcd
- restart: always
- command: >-
- --name etcd0
- --initial-cluster etcd0=http://127.0.0.1:2380
- --initial-advertise-peer-urls http://127.0.0.1:2380
- --initial-cluster-state new
- --initial-cluster-token etcd-cluster-1
- --bind-addr 0.0.0.0:2379
- networks:
- - etcd-services
-
- # service-reporter interacts with docker (which is why it needs the
- # docker.sock mounted) to get a list of current containers, and
- # monitor when containers are added or removed. It keeps the information
- # in etcd up-to-date.
- reporter:
- image: csmith/service-reporter:latest
- container_name: autoproxy_reporter
- restart: always
- links:
- - etcd:etcd
- volumes:
- - /var/run/docker.sock:/var/run/docker.sock
- networks:
- - etcd-services
- depends_on:
- - etcd
-
- # service-letsencrypt reads a list of vhosts from container labels
- # (via etcd), and prepares a domains.txt file to send on to one of
- # the letsencrypt-* containers below.
- letsencrypt-updater:
- image: csmith/service-letsencrypt:latest
- container_name: autoproxy_letsencrypt-updater
- restart: always
- volumes:
- - letsencrypt-data:/letsencrypt
- networks:
- - etcd-services
- depends_on:
- - etcd
-
- # letsencrypt-lexicon obtains Let's Encrypt certificates by modifying
- # DNS records. It supports several major cloud DNS providers.
- letsencrypt-lexicon:
- image: csmith/letsencrypt-lexicon:latest
- container_name: autoproxy_letsencrypt-lexicon
- restart: always
- volumes:
- - letsencrypt-data:/letsencrypt
-
- # letsencrypt-generic uses a user-defined hook to update DNS entries.
- # You need to supply your own hook, available at /dns/hook. See the
- # letsencrypt.sh repo for details about hook arguments.
- #letsencrypt-generic:
- # image: csmith/letsencrypt-generic:latest
- # container_name: autoproxy_letsencrypt-generic
- # restart: always
- # volumes:
- # - letsencrypt-data:/letsencrypt
- # - /my/hook/script:/dns/hook
-
- # service-nginx reads proxy information and vhosts from etcd and
- # creates an nginx vhost config to enable SSL-terminated reverse
- # proxying to the containers.
- nginx-updater:
- image: csmith/service-nginx:latest
- container_name: autoproxy_nginx-updater
- restart: always
- volumes:
- - nginx-config:/nginx-config
- - letsencrypt-data:/letsencrypt
- networks:
- - etcd-services
- depends_on:
- - etcd
-
- # Finally, nginx is what actually does the SSL termination and
- # reverse proxying. Because it needs to connect to containers
- # on (potentially) many different networks, we set the
- # network_mode to host.
- nginx:
- image: nginx:1.13
- container_name: autoproxy_nginx
- restart: always
- volumes:
- - nginx-config:/etc/nginx/conf.d
- - letsencrypt-data:/letsencrypt
- ports:
- - 80:80
- - 443:443
- network_mode: host
-
- # We use this container to monitor for nginx config file and SSL cert changes
- # (using inotify) and send nginx a SIGHUP signal.
- nginx-config-hupper:
- image: pstauffer/inotify:latest
- container_name: autoproxy_nginx-config-hupper
- restart: always
- volumes:
- - nginx-config:/monitor/nginx
- - letsencrypt-data:/monitor/letsencrypt
- - /var/run/docker.sock:/var/run/docker.sock
- environment:
- - 'CONTAINER=autoproxy_nginx'
- - 'VOLUMES=/monitor'
- - 'INOTIFY_OPTONS=--monitor --exclude=*.sw[px] --recursive'
-
- volumes:
-
- letsencrypt-data:
-
- nginx-config:
-
- networks:
-
- etcd-services:
|