{"id":16330991,"url":"https://github.com/justsml/ssl-proxy","last_synced_at":"2025-03-20T23:30:17.358Z","repository":{"id":52891439,"uuid":"76326972","full_name":"justsml/ssl-proxy","owner":"justsml","description":"Docker https/ssl reverse proxy w/ nginx. Supports: Auto request letsencrypt cert, CORS, HTTP Auth, Real-time/Low Latency...","archived":false,"fork":false,"pushed_at":"2021-04-15T00:58:11.000Z","size":99,"stargazers_count":39,"open_issues_count":8,"forks_count":13,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-03-17T18:33:57.531Z","etag":null,"topics":["alpine-linux","cors-support","docker","haproxy","http-proxy","http2","nginx","proxy","rancher-server","reverse-proxy","ssl","ssl-proxy","ssllabs","tls"],"latest_commit_sha":null,"homepage":"https://hub.docker.com/r/justsml/ssl-proxy/","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/justsml.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-12-13T05:47:12.000Z","updated_at":"2024-03-28T15:37:15.000Z","dependencies_parsed_at":"2022-08-23T08:10:26.155Z","dependency_job_id":null,"html_url":"https://github.com/justsml/ssl-proxy","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/justsml%2Fssl-proxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/justsml%2Fssl-proxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/justsml%2Fssl-proxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/justsml%2Fssl-proxy/manifests","owne
r_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/justsml","download_url":"https://codeload.github.com/justsml/ssl-proxy/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244710182,"owners_count":20497209,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["alpine-linux","cors-support","docker","haproxy","http-proxy","http2","nginx","proxy","rancher-server","reverse-proxy","ssl","ssl-proxy","ssllabs","tls"],"created_at":"2024-10-10T23:25:10.803Z","updated_at":"2025-03-20T23:30:16.966Z","avatar_url":"https://github.com/justsml.png","language":"Shell","readme":"# Simple docker \u0026 nginx-based ssl-proxy\n\nProtect any HTTP service with HTTPS!\n\u003e An Nginx \u0026 Docker-based HTTPS/SSL reverse proxy.\n\n\u003e Will upgrade to newest nginx\n\n### Table of Contents\n\n1. [Features](#features)\n1. [Example](#example)\n1. [Getting Started](#getting-started)\n  1. [Secure Docker Registry Example](#secure-docker-registry-example)\n  1. [Secure Rancher Server Example](#secure-rancher-server-example)\n  1. [Secure Rancher Server Example using Docker Compose](#secure-rancher-server-example-using-docker-compose)\n  1. [Client Verification Example](#client-verification-example)\n1. 
[Arguments / Configuration](#arguments)\n  \n## Features\n\n* Up-to-date Nginx \u0026 Alpine Linux.\n* Fast HTTP2 TLS-enabled reverse proxy\n* Advanced CORS Support (w/ credentials, auto hostname, smart headers)\n* Automatic **WebSockets Support**\n* NPN/ALPN Application-Layer Protocol Negotiation [test here](https://tools.keycdn.com/http2-test)\n* TLS Forward Secrecy, PFS (aka Perfect Forward Secrecy).\n* Supports Optional Username \u0026 Password (stored using bcrypt at 14+ rounds)\n  * Alternately an `.htpasswd` file can be volume mounted. (Multiple named users)\n* Great for securing a Docker Registry, Rancher server, Wordpress, etc\n\n## Example\n\nSample SSL Labs/Qualys SSL \u0026 TLS Report:\n\n\u003e Here's a sample of what you can expect with default configuration.\n\n![image](https://cloud.githubusercontent.com/assets/397632/21792469/4db4a768-d6a7-11e6-8728-97e80c3b5ed2.png)\n![image](https://cloud.githubusercontent.com/assets/397632/21792860/f24203d2-d6a9-11e6-8e35-9138e55c81da.png)\n\n\n## Getting Started\n\n*Requirements*\n\n\u003e 1. [Generate a HTTPS/SSL certificate using letsencrypt.](https://gist.github.com/justsml/63d2884e1cd88d6785999a2eb09cf48e)\n\nTo provide secure, proxied access to local HTTP service:\n\n1. Requires any working HTTP service (for UPSTREAM_TARGET.) (Supports **local, in-docker, even remote**).\n1. 
Start an instance of `justsml/ssl-proxy:latest` as shown below.\n\n### Secure Docker Registry Example\n\n```sh\n# Note: Small scale users can set certificates directly in the registry instance (v2+) \ndocker run -d --restart=on-failure:5 \\\n  --name docker-registry \\\n  -v /data/registry/registry:/var/lib/registry \\\n  registry:2.5\n\n# Create an ssl-proxy to point at the registry's port 5000 (via UPSTREAM_TARGET option - see below.)\ndocker run -d --restart=on-failure:5 \\\n  --name ssl-proxy \\\n  -p 5000:5000 \\\n  -e 'SERVER_NAME=hub.example.com' \\\n  -e 'UPSTREAM_TARGET=docker-registry:5000' \\\n  -e 'HTTPS_PORT=5000' \\\n  -e 'USERNAME=devops' \\\n  -e 'PASSWORD=secure' \\\n  -e 'CERT_PUBLIC_PATH=/certs/fullchain.pem' \\\n  -e 'CERT_PRIVATE_PATH=/certs/privkey.pem' \\\n  -e \"ADD_HEADER='Docker-Distribution-Api-Version' 'registry/2.0' always\" \\\n  -v '/certs:/certs:ro' \\\n  --link 'docker-registry:docker-registry' \\\n  justsml/ssl-proxy:latest\n\n# ALT Options\n# Create an ssl-proxy to point at the registry's port 5000 (via UPSTREAM_TARGET option - see below.)\ndocker run -d --restart=on-failure:5 \\\n  --name ssl-proxy \\\n  -p 5000:5000 \\\n  -e 'SERVER_NAME=hub.example.com' \\\n  -e 'UPSTREAM_TARGET=docker-registry:5000' \\\n  -e 'EXPIRES_DEFAULT=-1' \\\n  -e 'HTTPS_PORT=5000' \\\n  -e 'USERNAME=devops' \\\n  -e 'PASSWORD=secure' \\\n  -e 'CERT_PUBLIC_PATH=/certs/fullchain.pem' \\\n  -e 'CERT_PRIVATE_PATH=/certs/privkey.pem' \\\n  -e \"ADD_HEADER='Docker-Distribution-Api-Version' 'registry/2.0' always\" \\\n  -v '/certs:/certs:ro' \\\n  --link 'docker-registry:docker-registry' \\\n  justsml/ssl-proxy:latest\n```\n\n### Secure Rancher Server Example\n\n```sh\n# Update Cached Docker Images\ndocker pull rancher/server:latest\ndocker pull justsml/ssl-proxy:latest\n\n# Start Rancher w/ default local port 8080\ndocker run -d --restart=always \\\n  --name rancher-server \\\n  -v /data/rancher/mysql:/var/lib/mysql \\\n  rancher/server:latest\n\n# Create an 
ssl-proxy with certs in /certs, (w/o user/pass auth) to point at the local rancher-server's port 8080\ndocker run -d --restart=always \\\n  --name rancher-proxy \\\n  -p 8080:8080 \\\n  -e 'HTTPS_PORT=8080' \\\n  -e 'SERVER_NAME=_' \\\n  -e 'UPSTREAM_TARGET=rancher-server:8080' \\\n  -e 'CERT_PUBLIC_PATH=/certs/fullchain.pem' \\\n  -e 'CERT_PRIVATE_PATH=/certs/privkey.pem' \\\n  -v '/certs:/certs:ro' \\\n  --link 'rancher-server:rancher-server' \\\n  justsml/ssl-proxy:latest\n\n```\n\n### Secure Rancher Server Example using Docker Compose\n\n```yaml\nversion: '2'\nservices:\n  ssl-proxy:\n    image: justsml/ssl-proxy:latest\n    environment:\n    - HTTPS_PORT=8080\n    - SERVER_NAME=rancher.example.com\n    - UPSTREAM_TARGET=rancher-server:8080\n    - CERT_PUBLIC_PATH=/certs/fullchain.pem\n    - CERT_PRIVATE_PATH=/certs/privkey.pem\n    volumes:\n    - /certs:/certs:ro\n    links:\n    - 'rancher-server:rancher-server'\n    ports: [ '8080:8080' ]\n  rancher-server:\n    image: rancher/server:latest\n    expose: [ '8080' ]\n    volumes:\n    - /data/rancher/mysql:/var/lib/mysql\n```\n\n### Client Verification Example\n\n```sh\n# Start an nginx server that responds with the incoming request's headers on port 8080\ndocker run -d --restart=always \\\n  --name http-server \\\n  brndnmtthws/nginx-echo-headers\n\n# Create an ssl-proxy with certs in /certs, requiring a client certificate auth, to point at the local http-server's port 8080 and include the client certificate's subject as an http header\ndocker run -d --restart=always \\\n  --name verification-proxy \\\n  -p 443:443 \\\n  -e 'SERVER_NAME=verification.example.com' \\\n  -e 'UPSTREAM_TARGET=http-server:8080' \\\n  -e 'CERT_PUBLIC_PATH=/certs/fullchain.pem' \\\n  -e 'CERT_PRIVATE_PATH=/certs/privkey.pem' \\\n  -e 'SSL_VERIFY_CLIENT=on' \\\n  -e 'CERT_CLIENT_PATH=/certs/clientchain.pem' \\\n  -e 'ADD_PROXY_HEADER=X-Ssl-Client-Subject $ssl_client_s_dn' \\\n  -v '/certs:/certs:ro' \\\n  --link 
'http-server:http-server' \\\n  justsml/ssl-proxy:latest\n```\n\n---------------\n\n\n## Arguments\n\n|Name               | Default/Reqd  | Notes                 |\n|-------------------|---------------|-----------------------|\n|CERT_AUTO          | Optional      | Set to `true` to automatically request a certificate for $SERVER_NAME. Caution: stay within Let's Encrypt's rate limits.\n|CERT_PUBLIC_PATH   | Reqd. PEM file| Bind-mount certificate files to container path `/certs`, or override the path with this var.\n|CERT_PRIVATE_PATH  | Reqd. PEM file| Bind-mount certificate files to container path `/certs`, or override the path with this var.\n|SERVER_NAME        | Required      | Primary domain name. Not restricting: requests for other host names are still served.\n|CORS_ORIGIN        | Optional      | CORS origin to use for the `Access-Control-Allow-Origin` header. Defaults to `SERVER_NAME`.\n|UPSTREAM_TARGET    | Required      | HTTP target host:port, e.g. `localhost:9090` or `rancher-server:8080`. Typically an internally routable address. The proxy speaks plain HTTP to this target (HTTPS upstreams are not supported, see Dev Notes below), so keep it on a private network or Docker link rather than exposing it publicly.\n|HTTPS_PORT         | 443/Required  | Needed for URL rewriting.\n|ALLOW_RC4          | Not set       | Backwards-compatibility option for Java 6 or WinXP/IE8 clients. RC4 is a broken cipher (its use in TLS is prohibited by RFC 7465) and enabling it lowers the SSL Labs grade shown above; leave it unset unless you must support those clients.\n|EXPIRES_DEFAULT    | Not set       | Set to apply a default expiration value for nginx `location /`. Useful for app \u0026 caching proxies. (For an app use `-1`; for a caching proxy something like `6h`.)\n|USERNAME           | admin         | Both PASSWORD and USERNAME must be set in order to use Basic authorization.\n|PASSWORD           |               | Both PASSWORD and USERNAME must be set in order to use Basic authorization. Values passed with `-e` are visible to anyone who can run `docker inspect` on the host; prefer a bind-mounted `.htpasswd` (see PASSWD_PATH) for anything beyond testing.\n|PASSWD_PATH        | /etc/nginx/.htpasswd | Alternate auth support (don't combine with USERNAME/PASSWORD). Bind-mount a custom `.htpasswd` file to `/etc/nginx/.htpasswd`.\n|SSL_VERIFY_CLIENT  | Not set       | Set to verify client certificates (may be `on`, `off`, `optional`, or `optional_no_ca`). If set and not `optional_no_ca`, CERT_CLIENT_PATH must be set. Only `on` rejects requests that present no certificate: `optional` still forwards requests without one, and `optional_no_ca` also forwards certificates that do not chain to a trusted CA, so in both cases the upstream must check the verification result itself.\n|CERT_CLIENT_PATH   | Not set       | Needed for client certificate verification. This file must be PEM-encoded and contain the trusted CA and intermediate CA certs.\n|ADD_HEADER         | Not set       | Adds a response header (see the Docker Registry example). Useful for tagging routes in your infrastructure.\n|ADD_PROXY_HEADER   | Not set       | Adds a header to the proxied request. Useful for providing metadata to the upstream server, e.g. `X-Ssl-Client-Subject $ssl_client_s_dn` as in the Client Verification Example; the upstream should trust such a header only on requests that arrive from the proxy.\n|SERVER_NAMES_HASH_SIZE | 32        | Size of the nginx server-name hash bucket (`server_names_hash_bucket_size`). Set it to 64/128/... if nginx fails to start with the `could not build server_names_hash, you should increase server_names_hash_bucket_size` error message.\n|PROXY_HEADER_HOST  | Optional      | The host value that will be set in the request header. Defaults to the nginx variable `'$host'`. Set this value (e.g. to the nginx variable `'$http_host'`) if including the port number in the `Host` header is important.\n\n\n-------------------\n\n\n### Contributing / Dev Notes\n\n\u003e WORK IN PROGRESS:\n\n1. HTTPS -\u003e HTTPS proxying support, AKA end-to-end TLS. (Skipped due to underwhelming performance and extra complexity in the bash startup script.)\n1. Better CORS support: multiple host names\n1. haproxy alt version\n\n\n```sh\n# Publish 'latest' version\ndocker build -t ssl-proxy:latest .\ndocker tag ssl-proxy:latest justsml/ssl-proxy:latest\ndocker push justsml/ssl-proxy:latest\n# Push a tagged version:\n# docker tag ssl-proxy:latest justsml/ssl-proxy:v1.0.1\n# docker push justsml/ssl-proxy:v1.0.1\n\n# Remember to docker pull on servers\ndocker pull justsml/ssl-proxy:latest\n\n# Local testing:\ndocker build -t ssl-proxy:latest .\ndocker rm -f TEST-ssl-proxy\ndocker run --rm \\\n  --name TEST-ssl-proxy \\\n  -v ~/certs/xray:/certs \\\n  -p 5000:5000 \\\n  -e 'HTTPS_PORT=5000' \\\n  -e 'USERNAME=devops' \\\n  -e 'PASSWORD=secure' \\\n  -e 'SERVER_NAME=hub.example.com' \\\n  -e 'UPSTREAM_TARGET=www.google.com:80' \\\n  -e 'CERT_PUBLIC_PATH=/certs/fullchain.pem' \\\n  -e 'CERT_PRIVATE_PATH=/certs/privkey.pem' \\\n  ssl-proxy:latest\n\n\n```\n\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjustsml%2Fssl-proxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjustsml%2Fssl-proxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjustsml%2Fssl-proxy/lists"}
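Worked example for the README's Client Verification Example and the `SSL_VERIFY_CLIENT` / `CERT_CLIENT_PATH` / `ADD_PROXY_HEADER` arguments. This Go program is added here for illustration; it is not part of justsml/ssl-proxy and replaces nginx with Go's `net/http/httputil` so it runs offline with no Docker, certificate files or network. It builds a throwaway CA, server certificate and client certificate in memory (the names `Example Client CA`, `verification.example.com` and `devops-laptop`, the forged `CN=forged-admin` value and the `X-Upstream-Saw` echo header are all assumptions of the demo, not anything the project defines), starts an echo upstream behind a TLS-terminating reverse proxy that requires a client certificate signed by that CA, and checks the two properties the README example depends on: a client with a valid certificate reaches the upstream carrying the proxy's own `X-Ssl-Client-Subject` value even though it tried to smuggle a forged one, and a client with no certificate is refused. Needs Go 1.20 or later for `httputil.ReverseProxy.Rewrite`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"time"
)

const subjectHeader = "X-Ssl-Client-Subject" // header name from the README's ADD_PROXY_HEADER example
var serial int64                             // distinct serial numbers for the throwaway certificates

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue builds a P-256 certificate for cn signed by parent (nil parent: self-signed CA); the 127.0.0.1 SAN suits httptest's loopback listener.
func issue(cn string, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), BasicConstraintsValid: true, IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"Example Ops"}},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed CA that signs the leaves issued below
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// startProxy terminates mutual TLS and forwards to upstream: the Go equivalent of SSL_VERIFY_CLIENT=on, CERT_CLIENT_PATH and ADD_PROXY_HEADER in the README's Client Verification Example.
func startProxy(upstream *url.URL, srvCert tls.Certificate, clientCA *x509.Certificate) *httptest.Server {
	rp := &httputil.ReverseProxy{Rewrite: func(pr *httputil.ProxyRequest) {
		pr.SetURL(upstream)
		pr.Out.Header.Del(subjectHeader) // drop anything the client sent under this name; Set below replaces, never appends
		if cs := pr.In.TLS; cs != nil && len(cs.PeerCertificates) > 0 {
			pr.Out.Header.Set(subjectHeader, cs.PeerCertificates[0].Subject.String())
		}
	}}
	pool := x509.NewCertPool()
	pool.AddCert(clientCA)
	srv := httptest.NewUnstartedServer(rp)
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{srvCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // nginx: ssl_verify_client on
		ClientCAs:    pool,                           // nginx: ssl_client_certificate
	}
	srv.StartTLS()
	return srv
}

// call sends one GET through the proxy, trusting rootCA, presenting clientCerts (nil for none) and a forged X-Ssl-Client-Subject.
func call(proxyURL string, rootCA *x509.Certificate, clientCerts []tls.Certificate) (*http.Response, error) {
	roots := x509.NewCertPool()
	roots.AddCert(rootCA)
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots, Certificates: clientCerts}}
	req := must(http.NewRequest(http.MethodGet, proxyURL, nil))
	req.Header.Set(subjectHeader, "CN=forged-admin") // attacker-controlled input
	return (&http.Client{Transport: tr, Timeout: 5 * time.Second}).Do(req)
}

// Demo wires echo upstream (like brndnmtthws/nginx-echo-headers) <- mTLS proxy <- client and returns the status and X-Ssl-Client-Subject the upstream saw for a valid client, plus the error a certificate-less client gets.
func Demo() (int, string, error) {
	ca := issue("Example Client CA", nil)
	srvCert, cliCert := issue("verification.example.com", &ca), issue("devops-laptop", &ca)
	upstream := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Upstream-Saw", r.Header.Get(subjectHeader)) // report what arrived
	}))
	defer upstream.Close()
	proxy := startProxy(must(url.Parse(upstream.URL)), srvCert, ca.Leaf)
	defer proxy.Close()
	resp := must(call(proxy.URL, ca.Leaf, []tls.Certificate{cliCert}))
	resp.Body.Close() // the upstream answers in a response header; the body is empty
	_, noCertErr := call(proxy.URL, ca.Leaf, nil)
	return resp.StatusCode, resp.Header.Get("X-Upstream-Saw"), noCertErr
}

func main() {
	status, seen, noCertErr := Demo()
	fmt.Printf("valid client: HTTP %d, upstream saw %s=%q\nno client cert: %v\n", status, subjectHeader, seen, noCertErr)
}
```

Run it with `go run`; the printed subject comes from `pkix.Name.String()`, which like `$ssl_client_s_dn` in nginx 1.11.6 and later uses RFC 2253 ordering (`CN=devops-laptop,O=Example Ops`). The property to carry back to the nginx deployment sits in `startProxy`: the header is set, never appended, and any client-supplied value is discarded before the request is forwarded. The upstream in turn must honour that header only on requests that come from the proxy, because anyone who can reach `UPSTREAM_TARGET` directly over plain HTTP can set it to whatever they like.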