{"id":16174354,"url":"https://github.com/hellothisisflo/the-gate","last_synced_at":"2026-04-17T07:32:24.813Z","repository":{"id":93127307,"uuid":"105926454","full_name":"HelloThisIsFlo/The-Gate","owner":"HelloThisIsFlo","description":"The Gate: Securely serve multiple services from one single entry-point.","archived":false,"fork":false,"pushed_at":"2018-06-22T19:51:56.000Z","size":12382,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-06-05T16:46:22.698Z","etag":null,"topics":["bootstrap","certbot","deploy","devops","docker","https","letsencrypt","network","nginx","quick","secure","ssl","ssl-certificates"],"latest_commit_sha":null,"homepage":"https://FlorianKempenich.github.io/The-Gate/","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/HelloThisIsFlo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-10-05T18:38:03.000Z","updated_at":"2018-05-26T15:59:21.000Z","dependencies_parsed_at":null,"dependency_job_id":"4ffdbb3c-ab3a-45ad-b8f6-c9ac24c65532","html_url":"https://github.com/HelloThisIsFlo/The-Gate","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/HelloThisIsFlo/The-Gate","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HelloThisIsFlo%2FThe-Gate","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HelloThisIsFlo%2FThe-Gate/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HelloThisIsFlo%2FThe
-Gate/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HelloThisIsFlo%2FThe-Gate/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/HelloThisIsFlo","download_url":"https://codeload.github.com/HelloThisIsFlo/The-Gate/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HelloThisIsFlo%2FThe-Gate/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31919969,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-16T18:22:33.417Z","status":"online","status_checked_at":"2026-04-17T02:00:06.879Z","response_time":62,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bootstrap","certbot","deploy","devops","docker","https","letsencrypt","network","nginx","quick","secure","ssl","ssl-certificates"],"created_at":"2024-10-10T04:24:40.702Z","updated_at":"2026-04-17T07:32:24.787Z","avatar_url":"https://github.com/HelloThisIsFlo.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Docker Build Status](https://img.shields.io/docker/build/floriankempenich/the-gate.svg)](https://hub.docker.com/r/floriankempenich/the-gate/)\n\n## Check the Project Page: [https://FlorianKempenich.github.io/The-Gate/](https://floriankempenich.github.io/The-Gate/)\n# The Gate\n\n### Https Front-end Proxy with Nginx \u0026 Docker\n- [**Simple, secure, 
configurable**](#simple-secure-configurable)\n- [**Usage**](#usage)\n- [**Create your rules - `services.conf`**](#create-your-rules---servicesconf)\n- [**Setup**](#setup)\n    - [Installation](#installation)\n    - [Requirements](#requirements)\n- [**Configuration Examples**](#configuration-examples)\n    - [Basic scenario](#basic-scenario)\n    - [Certificates from Let's encrypt](#certificates-from-lets-encrypt)\n- [**Extra:** Generating certificates with Let's encrypt and `certbot`](#extra-generating-certificates-with-lets-encrypt-and-certbot)\n\n## Simple, secure, configurable\n\n**The Gate** is a _quick to deploy_ entry gate for your server.  \nIt provides a **single `HTTPS` endpoint that redirects to your services.**  \n\n**Securely serve multiple services from one single entrypoint.**\n![The Gate](https://raw.githubusercontent.com/FlorianKempenich/The-Gate/master/temp/the_gate.jpg)\n\n### No complex setup\n\n- Just `up` and all your services are securely available.\n- All the configuration is dynamically loaded, **no restart needed.**\n\n### All services are served via `HTTPS`\n\n- All `HTTP` connections are redirected to `HTTPS`\n- Provide the certificates and they'll be loaded automatically\n-    No certificates but would like to `up` **The Gate**?  \n     No problem, **The Gate** generates its own self-signed certificates in case it can not find yours.  \n     Your certificates will be loaded the moment they are available\n-    No idea how to provide certificates?  \n     Check out the dedicated section at the end: [Generating certificates with Let's encrypt and `certbot`](#extra-generating-certificates-with-lets-encrypt-and-certbot)\n      \n### Use your own rules\n\n- Want to serve one service per domain? No problems!\n- Want to serve different services depending on the url path? 
No problem!\n- Be creative...\n\n### The Gate helps you with your certificate challenges\n\n- It serves a static directory under `www.yourdomain.com/.well-known/`\n- No setup, just `up` and that directory is served.\n\n\n\n---\n## Usage\n\n**Once the initial setup is done, start up The Gate:**\n\n```bash\nthegate up\n```\n\nYou can now edit your redirection rules in the `services.conf`, and update the certificates.  \n-    **Certificates:**  \n     If no certificates were available at the given location, **The Gate** generates its own temporary self-signed certificates.\n     Simply override them with your own, and **The Gate** will load them up. **No restart needed**.\n-    **`services.conf`:**  \n     Same as the certificates, **No restart needed**. Simply edit the rules, and the new rules will be reloaded.\n\n\u003e Before using **The Gate**: \n\u003e - [Install](#installation) the lightweight command-line tool\n\u003e - Set up the [requirements](#requirements).\n\u003e - Create your [Rules](#create-your-rules---servicesconf)\n\u003e\n\u003e To turn The Gate off: `thegate down`\n\n\n## Create your rules - `services.conf`\n\nThe main configuration of your services is in the `services.conf` file.\n\n**This file defines:**\n\n* All the **Services** served by `The Gate`\n* The **Rules** on how to serve them\n\nThe syntax is the same as a regular `nginx` configuration file.\nBut only the services are defined here.\n\n\u003e This file will then be automatically included in the base `nginx` file.\n\n**/!\\ Each service needs to include `services.base.conf` /!\\\\**  \n**/!\\ Each service needs to include `services.base.conf` /!\\\\**  \n**/!\\ Each service needs to include `services.base.conf` /!\\\\**  \n\n```nginx\nserver {\n    include services.base.conf;\n\n    ### REST OF THE CONFIGURATION ###\n}\n```\n\n`services.base.conf` already includes everything needed for an `https` connection.\n```nginx\nlisten 443 ssl;\nssl on;\nssl_certificate 
PATH_TO_YOUR_CERTIFICATE;\nssl_certificate_key PATH_TO_YOUR_PRIVKEY;\n```\n\n_**Example `services.conf` file:**_\n```nginx\nserver {\n    include services.base.conf;\n    server_name professionalbeginner.com;\n\n    location / {\n        proxy_pass http://127.0.0.1:2000;\n    }\n}\n```\n\nSee the [Configuration Examples](#configuration-examples) for more examples.\n\n---\n\n## Setup\n### Installation\nTo install **The Gate**, simply run this command:\n```\nsudo curl -s https://raw.githubusercontent.com/FlorianKempenich/The-Gate/master/thegate -o /usr/bin/thegate \u0026\u0026 sudo chmod +x /usr/bin/thegate\n```\n\nThen **create** a configuration file at `~/.thegateconfig`.  \nThe configuration file is used to specify the location of the requirements on the HOST machine.\n\n_**Example `.thegateconfig` file:**_\n```\nDIR_CONFIG=/https/config/\nDIR_WEBROOT=/https/webroot/\nDIR_CERTIFICATES=/https/letsencrypt/\nFILE_CERT=./live/professionalbeginner.com/fullchain.pem\nFILE_PRIVKEY=./live/professionalbeginner.com/privkey.pem\n```\nRead about the different `.thegateconfig` variables in the [Requirements](#requirements) section.  
\nSee the [Configuration Examples](#configuration-examples) for more examples.\n\n\u003e *Note:*  \n\u003e `.thegateconfig` is the only configuration that is not reloaded on change.\n\n\u003e *Uninstall:*  \n\u003e The install command will download the executable for `thegate` in `/usr/bin/thegate` and make it executable.\n\u003e To remove **The Gate**: \n\u003e ```\n\u003e sudo rm -f /usr/bin/thegate\n\u003e ```\n\n### Requirements\n\n**The Gate** only needs **4 elements**, for the magic to happen:\n\n- **`Configuration directory`: The Heart of The Gate** |  `services.conf`\n- **`Certificate base directory`**\n- **`Certificate` \u0026 `PrivKey` file names**\n- **`Webroot directory`:** From where to serve static content.\n\n#### `Configuration directory`: The Heart of The Gate |  `services.conf`\n\nThis directory holds the most important configuration part of **The Gate: Your Rules**\n\nYour **redirection rules** are configured in a file called `services.conf`. To know more about how to set up your redirection rules, check the dedicated section: [Create your rules - `services.conf`](#create-your-rules---servicesconf)  \n**The `configuration directory` is the location where your `services.conf` is located on the Host machine.**\n\nThat directory will be mounted on **The Gate**, and every configuration change will be **automatically reloaded**. \nNo need to restart ;)\n\n#### Certificate base directory \u0026 Certificate/PrivKey file names\n \nTo serve traffic to your domains via `HTTPS` **The Gate** needs to have access to your **`SSL` certificates and private key.**\n\nThe `certificate base directory` is where these two files are located on the **Host** machine.  \nThe `certificate` and `private key` `filenames` are pretty self-explanatory. 
The `filenames` are **relative to the `certificate base directory`.**\n\n\u003e **Ex:**  \n\u003e If your folder structure is as follows:\n\u003e ```\n\u003e https\n\u003e └── certificates\n\u003e     ├── my_cert.pem\n\u003e     └── my_privkey.pem\n\u003e ```\n\u003e Then your configuration should be: \n\u003e ```\n\u003e DIR_CERTIFICATES=/https/certificates\n\u003e FILE_CERT=./my_cert.pem\n\u003e FILE_PRIVKEY=./my_privkey.pem\n\u003e ```\n\u003e Another example of a valid configuration for that folder structure would be:\n\u003e ```\n\u003e DIR_CERTIFICATES=/https\n\u003e FILE_CERT=./certificates/my_cert.pem\n\u003e FILE_PRIVKEY=./certificates/my_privkey.pem\n\u003e ```\n\n##### Special Case: Certificates as `Symlink`\nIn the case the `certificate` and/or `private key` `files` are actually `symlinks`, **both the `symlink` and the `actual file` must be present in the `certificate_base_dir`**\n\nAn example of that scenario is presented in the **complete configuration example: [Certificates from  Let's encrypt](#certificates-from-lets-encrypt)**\n\n\n#### Webroot directory: From where to serve static content.\nThis folder can be _any directory_ on the host machine.  \nStatic content will be served under `yourdomain.com/.well-known` through `HTTP` / port `80`.\n\u003e`XXX/.well-known` is the only path accessible through `HTTP`, all other traffic is automatically redirected to `HTTPS` / port `443`\n\nThis is especially useful to host **certificate challenges from Let's encrypt / `certbot`**.  \nFor more information see: [Generating certificates with **Let's encrypt** and `certbot`](#extra-generating-certificates-with-lets-encrypt-and-certbot)\n\n\u003e **Note:**  \n\u003e Static content at the _base_ of the directory will not be accessible. \n\u003e This is to keep the 1-1 relation between the `webroot` directory, and the `url`.  
\n\u003e In other words, to make a file available, say `my_file.txt`, under `yourdomain.com/.well-known/my_file.txt`: The file needs to be in a folder `.well-known` inside the `webroot` directory.\n\u003e\n\u003e ```\n\u003e webroot\n\u003e └── .well-known\n\u003e     └── my_file.txt\n\u003e ```\n\u003e Additionally, a file placed at the _root_ of `webroot` will **not** be accessible.\n\u003e ```\n\u003e webroot\n\u003e ├── file_not_accessible.txt\n\u003e └── .well-known\n\u003e     └── my_file.txt\n\u003e ```\n\n---------------------------\n\n## Configuration Examples\n### Basic scenario\n\n2 web applications running on different ports.  \nWe want to expose each application under its own domain name.\n\n```\n- professionalbeginner.com  --REDIRECT-TO--\u003e  Application running on port `1234`\n- floriankempenich.com      --REDIRECT-TO--\u003e  Application running on port `8888`\n```\n\nCertificates are static and stored in the same folder.\n\n#### Folder structure\n```\nhttps\n├── certificates\n│   ├── my_certificate.pem\n│   └── my_private_key.pem\n├── servicesconfig\n│   └── services.conf\n└── webroot\n```\n\n\n#### `.thegateconfig`\n```\nDIR_CONFIG=/https/servicesconfig/\nDIR_WEBROOT=/https/webroot/\nDIR_CERTIFICATES=/https/certificates/\nFILE_CERT=my_certificate.pem\nFILE_PRIVKEY=my_private_key.pem\n```\n\n#### `services.conf`\n```nginx\nserver {\n    include services.base.conf;\n    server_name professionalbeginner.com;\n\n    location / {\n        proxy_pass http://127.0.0.1:1234;\n    }\n}\n\nserver {\n    include services.base.conf;\n    server_name floriankempenich.com;\n\n    location / {\n        proxy_pass http://127.0.0.1:8888;\n    }\n}\n```\n\n\n### Certificates from Let's encrypt \n\nIn this scenario, only one web app is running.  
\nWe want to expose it using **certificates generated by Let's encrypt.**\n\n```\nprofessionalbeginner.com  --REDIRECT-TO--\u003e  Application running on port `1234`\n```\n\n\n#### Folder structure\n\nCertificates from **Let's encrypt** need to be renewed every 90 days.  \nTo facilitate that, **Let's encrypt** uses a particular folder structure and certificates are accessed through `symlinks`.\n\n\u003e**Let's encrypt folder structure:**\n```\n/etc/letsencrypt\n├── accounts\n│   └── acme-v01.api.letsencrypt.org\n│       └── directory\n│           └── cb3660c15be23b89e048d04b0530379e\n│               ├── meta.json\n│               ├── private_key.json\n│               └── regr.json\n├── archive\n│   └── professionalbeginner.com\n│       ├── cert1.pem\n│       ├── chain1.pem\n│       ├── fullchain1.pem\n│       └── privkey1.pem\n├── csr\n│   └── 0000_csr-certbot.pem\n├── keys\n│   └── 0000_key-certbot.pem\n├── live\n│   └── professionalbeginner.com\n│       ├── cert.pem -\u003e ../../archive/professionalbeginner.com/cert1.pem\n│       ├── chain.pem -\u003e ../../archive/professionalbeginner.com/chain1.pem\n│       ├── fullchain.pem -\u003e ../../archive/professionalbeginner.com/fullchain1.pem\n│       ├── privkey.pem -\u003e ../../archive/professionalbeginner.com/privkey1.pem\n│       └── README\n└── renewal\n    └── professionalbeginner.com.conf\n```\n\nThis folder configuration can totally be in a different folder than our **Webroot** and **Service configuration** folders.\n```\n/thegate\n├── servicesconfig\n│   └── services.conf\n└── webroot\n\n/etc/letsencrypt\n|...\n```\n\n\n#### `.thegateconfig`\n\u003e Remember, the only constraint when using `symlink`. 
Both the `symlink` **and** the `file` must be contained in the `DIR_CERTIFICATES` base directory.\n\n```\nDIR_CONFIG=/thegate/servicesconfig/\nDIR_WEBROOT=/thegate/webroot/\nDIR_CERTIFICATES=/etc/letsencrypt/\nFILE_CERT=./live/professionalbeginner.com/fullchain.pem\nFILE_PRIVKEY=./live/professionalbeginner.com/privkey.pem\n```\n\n#### `services.conf`\n```nginx\nserver {\n    include services.base.conf;\n    server_name professionalbeginner.com;\n\n    location / {\n        proxy_pass http://127.0.0.1:1234;\n    }\n}\n```\n\n## Extra: Generating certificates with **Let's encrypt** and `certbot`\n\nUsing **Let's encrypt** and `certbot` it is super easy to get **free `SSL` certificates**.  \nThere are multiple ways to use `certbot`, the tool used to request these certificates, but thanks to **The Gate** it is now easier than ever.\n\n**Six simple steps**:\n\n1.    **Configure the location where the certificates _will_ be stored**.  \n      By default certificates are stored under `/etc/letsencrypt/live/YOURDOMAIN/`, and are `symlinks` to files located in `/etc/letsencrypt/archive/YOURDOMAIN/`  \n      The filenames are `fullchain.pem` and `privkey.pem` for the certificates and private key respectively.  \n      **_A correct `.thegateconfig` would be:_**\n      ```\n      DIR_CERTIFICATES=/etc/letsencrypt/\n      FILE_CERT=./live/YOURDOMAIN/fullchain.pem\n      FILE_PRIVKEY=./live/YOURDOMAIN/privkey.pem\n\n\n      # Also set the rest of the configuration\n      # DIR_CONFIG=Where `services.conf` is located\n      # DIR_WEBROOT=Webroot directory\n      ```\n      \u003e Read more about it in the [Let's Encrypt folder structure section](#folder-structure-1) and on the [official website of the `certbot` tool](https://certbot.eff.org/docs/using.html#where-are-my-certificates)\n\n2.    **Start up The Gate**  \n      ```\n      thegate up\n      ```\n      **The Gate** will start serving your services, thanks to a self-signed auto-generated certificate. 
\n      But more importantly, **The Gate** will serve static content from the `DIR_WEBROOT`.  \n      The `DIR_WEBROOT` will be used by `certbot` to place the certificate challenges.\n\n3.    **Delete the temporary certificates**  \n      To have a service up and running as quickly as possible, **The Gate** generates its own self-signed certificates if it cannot find existing ones.  \n      **Before generating new certificates, we need to delete the existing ones.**\n      ```\n      rm -rf /etc/letsencrypt/live/YOURDOMAIN\n      ```\n      \u003e If not, when noticing an existing directory, `certbot` will assume the certificates already exist for this domain and skip the generation.\n\n      \n4.    **Install `certbot`**\n       ```\n       sudo apt-get update\n       sudo apt-get install software-properties-common\n       sudo add-apt-repository ppa:certbot/certbot\n       sudo apt-get update\n       sudo apt-get install certbot \n       ```\n5.    **Run `certbot` using the `webroot` plugin**\n      ```\n      sudo certbot certonly --webroot \\\n           -w DIR_WEBROOT \\\n           -d professionalbeginner.com \\\n           -d www.professionalbeginner.com \\\n           -d anotherdomain.net\n\n      ```\n      \u003e `DIR_WEBROOT` is the directory given to **The Gate** in `.thegateconfig`.  \n      \u003e Read more about the webroot directory in the dedicated section: [Webroot directory: From where to serve static content.](#webroot-directory-from-where-to-serve-static-content)\n6.    **Set a `cron` job to automatically renew the certificates**  \n      Add a `cron` or `systemd` job which runs the following:  \n      ```\n      certbot renew\n      ``` \n7.    **Enjoy `HTTPS`**  \n      After the certificate generation was completed in step 3, **The Gate** automatically reloaded the new certificates. 
Also, each time the certificates are renewed, they will be automatically reloaded by **The Gate**.\n\n**You can now access your domains through `HTTPS`** \n\n\nTo learn more about `certbot` and **Let's encrypt**, head over to their websites:\n- [https://certbot.eff.org/](https://certbot.eff.org/)\n- [https://letsencrypt.org/](https://letsencrypt.org/)\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhellothisisflo%2Fthe-gate","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhellothisisflo%2Fthe-gate","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhellothisisflo%2Fthe-gate/lists"}