Cleanup and update dockerfile

.gitignore

@@ -0,0 +1 @@
+.env

Dockerfile

@@ -1,42 +1,44 @@
-FROM nginx:1.9.0
+FROM nginx:1.9.14
 MAINTAINER Richard Adams richard@madwire.co.uk
 
+ENV NGINX_DEFAULT_CONF=/etc/nginx/conf.d/default.conf
+ENV NGINX_DEFAULT_SSL_CRT=/etc/nginx/certs/default.crt
+ENV NGINX_DEFAULT_SSL_KEY=/etc/nginx/certs/default.key
+
 # Install wget and install/updates certificates
 RUN apt-get update \
- && apt-get install -y -q --no-install-recommends \
+  && apt-get install -y -q --no-install-recommends \
  ca-certificates \
  wget \
  build-essential \
  openssl \
  libssl-dev \
  ruby-full \
- && apt-get clean \
- && rm -r /var/lib/apt/lists/*
+  && apt-get clean \
+  && rm -r /var/lib/apt/lists/*
 
 # Configure Nginx and apply fix for very long server names
 RUN echo "daemon off;" >> /etc/nginx/nginx.conf \
- && sed -i 's/^http {/&\n server_names_hash_bucket_size 128;/g' /etc/nginx/nginx.conf
+  && sed -i 's/^http {/&\n server_names_hash_bucket_size 128;/g' /etc/nginx/nginx.conf
 
 # Install Forego
-RUN wget -P /usr/local/bin https://godist.herokuapp.com/projects/ddollar/forego/releases/current/linux-amd64/forego \
+RUN wget -P /usr/local/bin https://github.com/jwilder/forego/releases/download/v0.16.1/forego \
  && chmod u+x /usr/local/bin/forego
 
 # Install App dependancies
 RUN gem install faye-websocket --no-ri --no-rdoc && gem install tutum --no-ri --no-rdoc
 
-ENV NGINX_DEFAULT_CONF=/etc/nginx/conf.d/default.conf
-
 COPY . /app/
 WORKDIR /app/
 
 # Generate Default Self-signed certificate
 RUN openssl genrsa -des3 -passout pass:x -out default.pass.key 2048 \
- && openssl rsa -passin pass:x -in default.pass.key -out default.key \
- && rm default.pass.key \
- && openssl req -new -key default.key -out default.csr -subj "/C=UK/ST=State/L=local/O=OrgName/OU=Web/CN=example.com" \
- && openssl x509 -req -days 365 -in default.csr -signkey default.key -out default.crt \
- && mkdir -p /etc/nginx/certs/ \
- && mv default.crt /etc/nginx/certs/default.crt && mv default.key /etc/nginx/certs/default.key
- # Then, just use the generated default.key and default.crt files.
+  && openssl rsa -passin pass:x -in default.pass.key -out default.key \
+  && rm default.pass.key \
+  && openssl req -new -key default.key -out default.csr -subj "/C=UK/ST=State/L=local/O=OrgName/OU=Web/CN=example.com" \
+  && openssl x509 -req -days 365 -in default.csr -signkey default.key -out default.crt \
+  && mkdir -p /etc/nginx/certs/ \
+  && mv default.crt /etc/nginx/certs/default.crt && mv default.key /etc/nginx/certs/default.key
+  # Then, just use the generated default.key and default.crt files.
 
 CMD ["forego", "start", "-r"]

docker-compose.yml

@@ -1,2 +1,3 @@
 dockercloud_nginx_proxy:
  build: .
+ env_file: .env

nginx.conf.erb

@@ -37,6 +37,14 @@ server {
  return 503;
 }
 
+server {
+ server_name _; # This is just an invalid value which will never trigger on a real hostname.
+ listen 443 ssl http2;
+ return 503;
+ ssl_certificate <%= ENV['NGINX_DEFAULT_SSL_CRT'] %>;
+ ssl_certificate_key <%= ENV['NGINX_DEFAULT_SSL_KEY'] %>;
+}
+
 <% @services.each do |service| %>
 <% if service.host %>
 upstream <%= service.name %> {
@@ -48,29 +56,29 @@ upstream <%= service.name %> {
 <% if service.ssl? %>
 
 server {
-server_name <%= service.host %>;
-return 301 https://$host$request_uri;
+ server_name <%= service.host %>;
+ return 301 https://$host$request_uri;
 }
 
 server {
-server_name <%= service.host %>;
-listen 443 ssl spdy;
+ server_name <%= service.host %>;
+ listen 443 ssl http2;
 
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
 
-ssl_prefer_server_ciphers on;
-ssl_session_timeout 5m;
-ssl_session_cache shared:SSL:50m;
+ ssl_prefer_server_ciphers on;
+ ssl_session_timeout 5m;
+ ssl_session_cache shared:SSL:50m;
 
-ssl_certificate /etc/nginx/certs/default.crt;
-ssl_certificate_key /etc/nginx/certs/default.key;
+ ssl_certificate <%= ENV['NGINX_DEFAULT_SSL_CRT'] %>;
+ ssl_certificate_key <%= ENV['NGINX_DEFAULT_SSL_KEY'] %>;
 
-add_header Strict-Transport-Security "max-age=31536000";
+ add_header Strict-Transport-Security "max-age=31536000";
 
-location / {
+ location / {
  proxy_pass http://<%= service.name %>;
-}
+ }
 }
 
 <% else %>