Nginx Reverse Proxy automatically managing Let's Encrypt certificates
Environment variables:
ORIGIN_HOST
main server hostname or ip addressORIGIN_PORT
main server port (optional, defaults to 80)DOMAINS
regular expression of valid domains
Volumes:
/cache
mount arw
volume to cache SSL private keys and web content
docker run -t -p 80:80 -p 443:443 -v $(pwd)/cache:/cache:rw -e ORIGIN_HOST=172.217.18.206 -e DOMAINS=test front
By default, succesfull GET
responses are cached for one day. Error responses
(not 200
, 301
or 302
) are cached for five seconds. Methods other than
GET
or HEAD
are not cached at all. Specifically POST
requests are not
cached.
The X-Accel-Expires
header can be used to change the default cache time. The
value 0
disables caching of the result. Other numbers set the cache validity
in seconds. The normal cache affecting headers Expires
, Cache-Control
,
Set-Cookie
, Vary
are ignored, but they are passed to the
The cache can be explicitely invalidated by the ORIGIN_HOST
. To do this, the
origin sends the request to be invalidated with an additional header
X-Accel-Purge: purge
. The ORIGIN_HOST
will imediately be requested for the
updated content.
Cache entries can get aribitrarily removed, but this should not happen often.
The rate limiter is based on remote ip address. After an initial burst of ten requests, the request rate is limited to one request per second. There is also a hard limit of 100 open connections per ip address.
Connections are also required to send the headers and body within 5 seconds. This prevents a class of attacks (‘slowloris’) where the attacker tries to keep many connections open.