{"id":20456687,"url":"https://github.com/jgoerzen/docker-apache-proxy","last_synced_at":"2026-04-16T03:32:13.605Z","repository":{"id":66276338,"uuid":"119869763","full_name":"jgoerzen/docker-apache-proxy","owner":"jgoerzen","description":"[read-only mirror] Apache reverse proxy and proxy client setup for Docker","archived":false,"fork":false,"pushed_at":"2025-08-05T13:25:36.000Z","size":38,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-10-24T04:59:13.327Z","etag":null,"topics":["apache","docker","docker-image","proxy","reverse-proxy"],"latest_commit_sha":null,"homepage":"https://salsa.debian.org/jgoerzen/docker-apache-proxy","language":"Shell","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jgoerzen.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-02-01T17:30:54.000Z","updated_at":"2025-08-05T13:25:39.000Z","dependencies_parsed_at":null,"dependency_job_id":"e219f586-bf6a-4322-8a81-edf94d789932","html_url":"https://github.com/jgoerzen/docker-apache-proxy","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/jgoerzen/docker-apache-proxy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jgoerzen%2Fdocker-apache-proxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jgoerzen%2Fdocker-apache-proxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jgoerzen%2Fdocker-apache-proxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jgoerzen%2Fdocker-apache-proxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jgoerzen","download_url":"https://codeload.github.com/jgoerzen/docker-apache-proxy/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jgoerzen%2Fdocker-apache-proxy/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31870506,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-15T15:24:51.572Z","status":"online","status_checked_at":"2026-04-16T02:00:06.042Z","response_time":69,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["apache","docker","docker-image","proxy","reverse-proxy"],"created_at":"2024-11-15T11:23:38.104Z","updated_at":"2026-04-16T03:32:13.567Z","avatar_url":"https://github.com/jgoerzen.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Docker web proxy help\n\n**NOTE: This package has moved from Github.  See its [new home on Salsa](https://salsa.debian.org/jgoerzen/docker-apache-proxy).**\n\nPart of the [docker-apache-proxy](https://salsa.debian.org/jgoerzen/docker-apache-proxy) collection.\n\nDocker users frequently have a reverse proxy (nginx, haproxy, apache,\netc) listen for incoming requests on ports 80 and 443, and the\ndispatch them to various workers.\n\nThis collection helps streamline this process.  It uses Apache for\nboth the reverse proxy and the proxy client, and takes the annoying\nparts out of setting this up.  It features optional full integration\nwith letsencrypt for free and easy SSL/TLS certificates.\n\n# Feature List\n\n - Based on my\n   [Debian Apache base](https://salsa.debian.org/jgoerzen/docker-debian-base),\n   inheriting its features:\n   - automated security patches for the OS, openssl, and Apache\n   - Real init with zombie process reaping\n   - Clean shutdown support\n   - See the above URL for details.\n - Support for automating the process of requesting and updating your\n   SSL certificates from letsencrypt, making the process completely\n   transparent and automatic - should you wish to use it.\n - Low memory requirements and efficient.\n - Based on Apache, so it's what you (probably) already know.\n\n# Assumptions\n\nYou have set up a Docker network of some sort that these systems can\nuse.  One easy way is to use `docker net create proxynet` and then\nmake sure to say `--net=proxynet` and set a `--name` on your calls to\n`docker run`.\n\n# The proxied application (jgoerzen/proxied-app-apache)\n\nLet's talk about the proxied application first.  This is where you run\nyour web applications -- blogs, wikis, whatever.  This is a base image\nfor you to build upon.\n\n## Use\n\nTo act as a proper proxied application, your Dockerfile can start with\n`FROM jgoerzen/proxied-app-apache`.  Then, you only need to do two\nthings:\n\nFirst, drop a file in `/etc/apache2/sites-available` with a\n`\u003cVirtualHost *:80\u003e` line.  It should include an\n`Include sites-avaialable/common-sites` line to bring in needed\nconfiguration.  Don't forget to call `RUN a2ensite sitename` in your\nDockerfile for this.  (Of course, you can add as many of these files\nas you like.)\n\nSecondly, you need to define what IPs to authorize as your reverse\nproxy.  You can do this by either setting the `PROXYCLIENT_AUTHORIZED`\nenvironment variable to a single IP address or address plus netmask,\nor replacing the file `/etc/apache2/authorized-proxies.txt` with one\nor more such entries, one per line.  These are sent to the Apache\n[RemoteIPInternalProxyList](https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html#remoteipinternalproxylist)\ndirective.  If you are using Docker's default networking, and wish to\nauthorize *any* internal host as your source, a common way would be\n`172.16.0.0/12`.  However, it would be more secure to put your systems\non a separate Docker network and only authorize it.  Even better, give\nyour reverse proxy an `--ip` and authorize only that.\n\nFinally, make sure to end your Dockerfile with `CMD [\"/usr/local/bin/boot-debian-base\"]`.\n\n## Internal details\n\nThere are a couple of interesting issues here.  First, the IP address\nthat the request appears to come from is going to be the IP of the\nreverse proxy or load balancer, not the IP of the browser.  This can\nmess with logging, security, etc.  This uses the `X-Forwarded-For` and\n`X-Forwarded-Proto` headers to propagate the proper remote IP, and set\nthe HTTPS variable if relevant.  This lets most web programs properly\nunderstand what the real remote is, and whether they used SSL to\naccess the site.  Note that while you could proxy port 443 over to\nyour proxied application with these scripts, this setup assumes that\nyou terminate SSL at the proxy and use basic HTTP on over to the\nclient.\n\nThe reverse-proxy-apache setup included here will set both of these\nheaders appropriately.\n\nIt is not necessary to expose ports using `-p` or `-P` from this\ncontainer, since the reverse proxy server does so.\n\nPlease see the comments below under Recommended Volumes.\n\n# Reverse proxy server (jgoerzen/reverse-proxy-apache)\n\nThis server receives connections and dispatches them to your other\nDocker containers.  It also is fully integrated with the letsencrypt\nproject, automatically requesting and renewing your SSL certificates\nif you'd like.\n\nYou can build upon this image, but it should need very little\ntweaking.\n\nThere are three core things that you can do with this image as-is:\n\n 1. Proxy (almost) all requests to a site to the Docker container\n    hosting it.  \"Almost\" because letsencrypt verification requests\n    are intercepted and handled here.\n 2. Perform simple redirects (eg, example.com -\u003e www.example.com)\n 3. Proxy letsencrypt (ACME) requests ONLY (for when you are running\n    letsencrypt in your target container)\n\n## Site setup\n\nIn your Dockerfile, you'll use RUN to call `docker-setupsites` to\nprovision configurations.  I'll cover each of the above three cases\nhere.\n\n### Site setup, case 1: proxying requests to a Docker container\n\nThere are three `docker-setupsites` subcommands here:\n`proxysite_ssl`, `proxysite_nossl`, and `proxysite_both`.  They all\ntake the same parameters and differ only in how they handle SSL.  The\nfirst parameter is the target (which should almost always be port 80,\nsince we do SSL termination here), the second is the name of the\nconfiguration, and the third and following are a list of one or more\ndomains.  Examples:\n\n    docker-setupsites proxysite_both \"wordpress.proxynet:80\" wordpress-sites  \\\n          blog.example.com news.example.com\n    \n    docker-setupsites proxysite_nossl \"mainweb.proxynet:80\" mainweb \\\n          www.example.com\n\nThis will cause configurations to be created for blog.example.com and\nnews.example.com, in both SSL and non-SSL versions, directing traffic\nto wordpress.proxynet:80 (saved, incidentally, in configuration files\nnamed wordpress-sites.80.conf and wordpress-sites.443.conf).  If\nletsencrypt generation is used, SSL certificates for blog.example.com\nand news.example.com will be automatically handled.  Also,\nwww.example.com will have its traffic sent to mainweb.proxynet:80.\n\n### Site setup, case 2: redirect sites\n\nThis is very similar - the subcommands are `redirectside_ssl`,\n`redirectsite_nossl`, and `redirectsite_both`.  They take exactly two\nparameters - the source for redirection as a site, and a target URL,\nneither of which should have a trailing slash.\n\nFor instance:\n\n    docker-setupsites redirectsite_both example.com https://www.example.com\n    docker-setupsites redirectsite_nossl happenings.example.com http://news.example.com\n    docker-setupsites redirectsite_ssl happenings.example.com https://news.example.com\n   \nIn this case, a request for either `http://example.com` or\n`https://example.com` will be sent to `https://www.example.com`.  Note\nthat this will tend to push people to SSL.  Becuase we redirect an\nentire site, `http://example.com/linux` will be sent to\n`https://www.example.com/linux` as well.\n\nWhen you use `redirectsite_ssl` or `redirectsite_both`, your target\nshould always be an `https` URL, so you can avoid the user getting\nwarnings about an insecure redirect.  Sometimes you do not wish to\npush people into SSL.  The second and third lines in the example above\ndemonstrate that situation, where the non-SSL and SSL redirects go to\n`http` or `https` URLs, respectively.\n\n### Site setup, case 3: ACME redirects\n\nSometimes, you need only to proxy ACME to a destination.  Perhaps, for\ninstance, you're running an IMAP server and have a local certbot\nthere.  With all of the instances in cases 1 and 2, ACME verification\nrequests are intercepted and handled locally.  This inverts the sense;\nONLY ACME verification requests are sent.\n\nHere's an example:\n\n    docker-setupsites proxy_acme \"imap.proxynet:81\" \\\n         imap.example.com smtp.example.com\n    \nIn this case, inbound requests on port 80 (these are always non-SSL\nrequests) for imap.example.com and smtp.example.com will be sent to\nport 81 on imap.proxynet, where you have presumably set up certbot to\nlisten.\n\n## Letsencrypt handling\n\nBy default, letsencrypt handling is not enabled.  If you wish to\nhandle SSL on your own, you will need to `a2enmod ssl` and make some\nmodifications to the SSL config files.  However, if you want\nletsencrypt to handle it, do *NOT* `a2enmod ssl` but rather set the\n`LETSENCRYPT_EMAIL` environment variable to your container.\n\nWhen `LETSENCRYPT_EMAIL` is set, then When your container first\nstarts, a pre-init script will do this:\n\n - First, it will start Apache on the non-SSL ports only.  (The SSL\n   configurations generated by docker-setupsites are all wrapped in\n   `IfModule` for SSL, and SSL isn't enabled yet, which is good,\n   because we don't have a valid configuration yet.)  This is to\n   answer the certbot validation requests.\n - Then, it sends off an automated certbot request and waits for the\n   answers.\n - It lets certbot install its certs and enable SSL in Apache as\n   appropriate.\n - The pre-init script then deletes itself and proceeds with the boot.\n \nA cron job in the container will handle updates and revalidation of\nyour certs.\n\n## Final note\n\nFinally, make sure to end your Dockerfile with `CMD [\"/usr/local/bin/boot-debian-base\"]`.\n\n\n# Recommended Parameters - Running Container\n\nWith a modern systemd, as in Debian bullseye or newer on the host:\n\n    docker run -td --stop-signal=SIGRTMIN+3 \\\n      --tmpfs /run:size=100M --tmpfs /run/lock:size=100M \\\n      -v /sys/fs/cgroup:/sys/fs/cgroup:rw --cgroupns=host \\\n      --name=name --net=whatever\n\nOn a pretty old host, with older systemd and cgroupd v1:\n\n    docker run -td --stop-signal=SIGRTMIN+3 \\\n      --tmpfs /run:size=100M --tmpfs /run/lock:size=100M \\\n      -v /sys/fs/cgroup:/sys/fs/cgroup:ro \\\n      --name=name -t -d --net=whatever\n      \n\n# Recommended Volumes\n\nI recommend that you add `VOLUME [\"/var/log/apache2\"]` to your\nDockerfile for both containers, and `VOLUME [\"/etc/letsencrypt\"]` to\nyour reverse proxy container.  When rebuilding and restarting your\ncontainers, use a sequence such as:\n\n    docker stop web\n    docker rename web web.old\n    docker run \u003c\u003cparameters\u003e\u003e --volumes-from=web.old  --name-web ....\n    docker rm web.old\n   \nThis will let your logs persist, and will avoid unnecessary calls to\nletsencrypt to obtain new certs.  The latter is important to avoid\nfalse expiration emails and hitting their rate limiting.\n\n# Copyright\n\nDocker scripts, etc. are\nCopyright (c) 2018-2025 John Goerzen\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions\nare met:\n1. Redistributions of source code must retain the above copyright\n   notice, this list of conditions and the following disclaimer.\n2. Redistributions in binary form must reproduce the above copyright\n   notice, this list of conditions and the following disclaimer in the\n   documentation and/or other materials provided with the distribution.\n3. Neither the name of the University nor the names of its contributors\n   may be used to endorse or promote products derived from this software\n   without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND\nANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE\nIMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE\nARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE\nFOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\nDAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS\nOR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)\nHOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT\nLIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY\nOUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF\nSUCH DAMAGE.\n\nAdditional software copyrights as noted.\n\n# See Also\n\n - [Salsa page](https://salsa.debian.org/jgoerzen/docker-apache-proxy)\n - Docker hub packages:\n   [jgoerzen/proxied-app-apache](https://hub.docker.com/r/jgoerzen/proxied-app-apache/),\n   [jgoerzen/reverse-proxy-apache](https://hub.docker.com/r/jgoerzen/reverse-proxy-apache/)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjgoerzen%2Fdocker-apache-proxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjgoerzen%2Fdocker-apache-proxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjgoerzen%2Fdocker-apache-proxy/lists"}