v8.0.0

.gitattributes

@@ -0,0 +1,2 @@
+# Always use LF endings.
+* text eol=lf

.github/workflows/dev.yml

@@ -53,7 +53,7 @@ jobs:
           platforms: linux/amd64,linux/arm/v7,linux/arm64
           tags: |
             bfren/nginx-proxy:dev
-            bfren/nginx-proxy:${{ steps.version.outputs.contents }}-beta
+            bfren/nginx-proxy:${{ steps.version.outputs.contents }}-dev
       -
         name: Image digest
         run: echo ${{ steps.docker_build.outputs.digest }}

Dockerfile

@@ -1,4 +1,4 @@
-FROM bfren/nginx:nginx1.24-alpine3.18-5.0.16
+FROM bfren/nginx:nginx1.26-alpine3.21-6.4.3
 
 LABEL org.opencontainers.image.source="https://github.com/bfren/docker-nginx-proxy"
 
@@ -8,42 +8,44 @@ ARG BF_VERSION
 # port 80 is already exposed by the base image
 EXPOSE 443
 
+COPY ./overlay /
+
 ENV \
-    # the base domain of the proxy server (will be used when SSL bindings fail)
-    PROXY_DOMAIN= \
-    # clean all config and certificates before doing anything else
-    PROXY_CLEAN_INSTALL=0 \
+    # the root domain of the proxy server (will be used when SSL bindings fail)
+    BF_PROXY_DOMAIN= \
+    # delete all config and certificates before doing anything else
+    BF_PROXY_CLEAN_INSTALL=0 \
     # enable automatic certificate updating
-    PROXY_ENABLE_AUTO_UPDATE=1 \
-    # enable NAXSI web application firewall
-    PROXY_ENABLE_NAXSI=0 \
-    # use hardened mode (remove old / insecure ciphers and protocols)
-    PROXY_HARDEN=0 \
+    BF_PROXY_ENABLE_AUTO_UPDATE=1 \
+    # use hardened mode (e.g. remove old / insecure ciphers and protocols)
+    BF_PROXY_HARDEN=0 \
     # used for renewal notification emails
-    PROXY_LETS_ENCRYPT_EMAIL= \
+    BF_PROXY_GETSSL_EMAIL= \
     # set to 1 to use live instead of staging server
-    PROXY_LETS_ENCRYPT_LIVE=0 \
+    BF_PROXY_GETSSL_USE_LIVE_SERVER=0 \
+    # the renew window number of days - certificates with more than this will not renew (Nu duration)
+    BF_PROXY_GETSSL_RENEW_WINDOW=14day \
+    # set to 1 to skip local HTTP token check
+    BF_PROXY_GETSSL_SKIP_HTTP_TOKEN_CHECK=0 \
     # set to the number of bits to use for generating private key
-    PROXY_SSL_KEY_BITS=4096 \
+    BF_PROXY_SSL_KEY_BITS=4096 \
     # set to the number of bits to use for generating DHPARAM
-    PROXY_SSL_DHPARAM_BITS=4096 \
+    BF_PROXY_SSL_DHPARAM_BITS=4096 \
+    # the period of time before self-generated SSL certificates will expire (Nu duration)
+    BF_PROXY_SSL_EXPIRY=36500day \
     # canonical domain name redirection
-    PROXY_SSL_REDIRECT_TO_CANONICAL=0 \
-    # set to true to skip local HTTP token check
-    PROXY_GETSSL_SKIP_HTTP_TOKEN_CHECK="false" \
+    BF_PROXY_SSL_REDIRECT_TO_CANONICAL=0 \
     # if both are set, on first startup will generate SSL config and request certs
-    PROXY_AUTO_PRIMARY= \
-    PROXY_AUTO_UPSTREAM= \
+    BF_PROXY_AUTO_PRIMARY= \
+    BF_PROXY_AUTO_UPSTREAM= \
     # optional - add aliases to the auto-generated conf.json on first startup
-    PROXY_AUTO_ALIASES= \
+    BF_PROXY_AUTO_ALIASES= \
     # optional - mark the Nginx config as custom so it isn't regenerated on future startups
-    PROXY_AUTO_CUSTOM=0 \
+    BF_PROXY_AUTO_CUSTOM=0 \
     # upstream DNS resolver, set to Docker's internal resolver by default
-    PROXY_UPSTREAM_DNS_RESOLVER=127.0.0.11 \
-    # the number of seconds before the maintenance page will auto-refresh
-    PROXY_MAINTENANCE_REFRESH_SECONDS=6
-
-COPY ./overlay /
+    BF_PROXY_UPSTREAM_DNS_RESOLVER=127.0.0.11 \
+    # the number of seconds before the maintenance page will automatically refresh (Nu duration)
+    BF_PROXY_MAINTENANCE_REFRESH=6sec
 
 RUN bf-install
 

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2020-2024 bfren
+Copyright (c) 2020-2025 bfren
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -4,7 +4,7 @@
 
 [Docker Repository](https://hub.docker.com/r/bfren/nginx-proxy) - [bfren ecosystem](https://github.com/bfren/docker)
 
-Nginx Proxy which uses [getssl](https://github.com/srvrco/getssl) to automate requesting and renewing SSL certificates via Let's Encrypt.  Certificates are checked for renewal every day - the last check can be viewed in the `/ssl` volume.  Also includes [NAXSI](https://github.com/nbs-system/naxsi), a web application firewall.
+Nginx Proxy which uses [getssl](https://github.com/srvrco/getssl) to automate requesting and renewing SSL certificates via Let's Encrypt.  Certificates are checked for renewal every day - the last check can be viewed in the `/ssl` volume.
 
 As of v4, configuration is handled via a JSON file - see ssl-conf-sample.json for an example and ssl-conf-schema.json for the full file definition.
 
@@ -34,23 +34,22 @@ For SSL certificate requests to work correctly, ports 80 and 443 need mapping fr
 
 ## Environment Variables
 
-| Variable                              | Values                | Description                                                                                                                                   | Default               |
-| ------------------------------------- | --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
-| `PROXY_AUTO_PRIMARY`                  | URI                   | If set (along with PROXY_AUTO_UPSTREAM) SSL config will be generated on first startup.                                                        | *None*                |
-| `PROXY_AUTO_UPSTREAM`                 | URI                   | If set (along with PROXY_AUTO_PRIMARY) SSL config will be generated on first startup.                                                         | *None*                |
-| `PROXY_AUTO_ALIASES`                  | string of URIs        | Add aliases to the auto-generated conf.json on first startup.                                                                                 | *None*                |
-| `PROXY_AUTO_CUSTOM`                   | 0 or 1                | Mark the auto-generated SSL config to 'custom' so the Nginx configuration is not regenerated on startup.                                      | 0                     |
-| `PROXY_CLEAN_INSTALL`                 | 0 or 1                | If 1, all Nginx and SSL configuration and certificates will be deleted and regenerated.                                                       | 0                     |
-| `PROXY_DOMAIN`                        | URI                   | The base domain of the proxy server - will be used to handle unbound requests.                                                                | *None* - **required** |
-| `PROXY_ENABLE_NAXSI`                  | 0 or 1                | If 1, NAXSI web application firewall will be enabled for all sites.                                                                           | 0                     |
-| `PROXY_GETSSL_SKIP_HTTP_TOKEN_CHECK`  | true or false         | Set to true to enable `getssl`'s [skip HTTP token check](https://github.com/srvrco/getssl/wiki/Config-variables#skip_http_token_checkfalse).  | false                 |
-| `PROXY_HARDEN`                        | 0 or 1                | If 1, only modern SSL ciphers and protocols will be enabled (some older devices may not be able to access it).                                | 0                     |
-| `PROXY_LETS_ENCRYPT_EMAIL`            | A valid email address | Used by Lets Encrypt for notification emails.                                                                                                 | *None* - **required** |
-| `PROXY_LETS_ENCRYPT_LIVE`             | 0 or 1                | Only set to 1 (to request live certificates) when your config is correct - Lets Encrypt rate limit certificate requests.                      | 0                     |
-| `PROXY_MAINTENANCE_REFRESH_SECONDS`   | A valid integer       | The number of seconds to count down before the maintenance page auto-refreshes.                                                               | 6                     |
-| `PROXY_SSL_DHPARAM_BITS`              | A valid integer       | The size of your DHPARAM variables - adjust down only if you have limited processing resources.                                               | 4096                  |
-| `PROXY_SSL_REDIRECT_TO_CANONICAL`     | 0 or 1                | If 1, all requests will be redirected to the primary domain (defined in `conf.json`).                                                         | 0                     |
-| `PROXY_UPSTREAM_DNS_RESOLVER`         | IP address            | Upstream DNS resolver - set to Docker's by default.                                                                                           | 127.0.0.11            |
+| Variable                                  | Values                | Description                                                                                                                                   | Default               |
+| ----------------------------------------- | --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
+| `BF_PROXY_AUTO_ALIASES`                   | string of URIs        | Add aliases to the auto-generated conf.json on first startup.                                                                                 | *None*                |
+| `BF_PROXY_AUTO_CUSTOM`                    | 0 or 1                | Mark the auto-generated SSL config to 'custom' so the Nginx configuration is not regenerated on startup.                                      | 0                     |
+| `BF_PROXY_AUTO_PRIMARY`                   | URI                   | If set (along with PROXY_AUTO_UPSTREAM) SSL config will be generated on first startup.                                                        | *None*                |
+| `BF_PROXY_AUTO_UPSTREAM`                  | URI                   | If set (along with PROXY_AUTO_PRIMARY) SSL config will be generated on first startup.                                                         | *None*                |
+| `BF_PROXY_CLEAN_INSTALL`                  | 0 or 1                | If 1, all Nginx and SSL configuration and certificates will be deleted and regenerated.                                                       | 0                     |
+| `BF_PROXY_DOMAIN`                         | URI                   | The base domain of the proxy server - will be used to handle unbound requests.                                                                | *None* - **required** |
+| `BF_PROXY_GETSSL_EMAIL`                   | A valid email address | Used by Lets Encrypt for notification emails.                                                                                                 | *None* - **required** |
+| `BF_PROXY_GETSSL_SKIP_HTTP_TOKEN_CHECK`   | true or false         | Set to true to enable `getssl`'s [skip HTTP token check](https://github.com/srvrco/getssl/wiki/Config-variables#skip_http_token_checkfalse).  | false                 |
+| `BF_PROXY_GETSSL_USE_LIVE_SERVER`         | 0 or 1                | Only set to 1 (to request live certificates) when your config is correct - Lets Encrypt rate limit certificate requests.                      | 0                     |
+| `BF_PROXY_HARDEN`                         | 0 or 1                | If 1, only modern SSL ciphers and protocols will be enabled (some older devices may not be able to access it).                                | 0                     |
+| `BF_PROXY_MAINTENANCE_REFRESH_SECONDS`    | A valid integer       | The number of seconds to count down before the maintenance page auto-refreshes.                                                               | 6                     |
+| `BF_PROXY_SSL_DHPARAM_BITS`               | A valid integer       | The size of your DHPARAM variables - adjust down only if you have limited processing resources.                                               | 4096                  |
+| `BF_PROXY_SSL_REDIRECT_TO_CANONICAL`      | 0 or 1                | If 1, all requests will be redirected to the primary domain (defined in `conf.json`).                                                         | 0                     |
+| `BF_PROXY_UPSTREAM_DNS_RESOLVER`          | IP address            | Upstream DNS resolver - set to Docker's by default.                                                                                           | 127.0.0.11            |
 
 ## Helper Functions
 
@@ -83,4 +82,4 @@ The image contains a handful of useful Nginx configuration 'helper' files, which
 
 ## Copyright
 
-> Copyright (c) 2020-2024 [bfren](https://bfren.dev) (unless otherwise stated)
+> Copyright (c) 2020-2025 [bfren](https://bfren.dev) (unless otherwise stated)

VERSION

@@ -1 +1 @@
-7.1.1
+8.0.0

VERSION_MAJOR

@@ -1 +1 @@
-7
+8

VERSION_MINOR

@@ -1 +1 @@
-7.1
+8.0

overlay/etc/bf/ch.d/20-proxy

@@ -1,5 +1,2 @@
-/etc/naxsi www:www 0640 0750
-/etc/nginx/sites www:www 0640 0750
-/etc/ssl/certs www:www 0640 0750
 /sites www:www 0640 0750
 /ssl www:www 0640 0750

overlay/etc/bf/init.d/20-env.nu

@@ -0,0 +1,35 @@
+use bf
+bf env load
+
+# Set environment variables
+def main []: nothing -> nothing {
+    bf env set "PROXY_GETSSL" "/usr/bin/getssl"
+
+    let proxy_ssl = "/ssl"
+    bf env set "PROXY_SSL" $proxy_ssl
+    bf env set "PROXY_SSL_CONF" $"($proxy_ssl)/conf.json"
+    bf env set "PROXY_SSL_DHPARAM" $"($proxy_ssl)/dhparam.pem"
+
+    let proxy_ssl_certs = $"($proxy_ssl)/certs"
+    let proxy_getssl_config = "getssl.cfg"
+    bf env set "PROXY_SSL_CERTS" $proxy_ssl_certs
+    bf env set "PROXY_GETSSL_CFG" $proxy_getssl_config
+    bf env set "PROXY_GETSSL_GLOBAL_CFG" $"($proxy_ssl_certs)/($proxy_getssl_config)"
+    bf env set "PROXY_GETSSL_ACCOUNT_KEY" $"($proxy_ssl_certs)/account.key"
+
+    let proxy_sites = "/sites"
+    bf env set "PROXY_SITES" $proxy_sites
+
+    let proxy_acme_challenge = ".well-known/acme-challenge"
+    bf env set "PROXY_ACME_CHALLENGE" $proxy_acme_challenge
+    bf env set "PROXY_WWW_ACME_CHALLENGE" $"(bf env NGINX_WWW)/($proxy_acme_challenge)"
+
+    let getssl_flags = match (bf env check PROXY_GETSSL_DEBUG) {
+        true => "-d -U"
+        false => "-U"
+    }
+    bf env set "PROXY_GETSSL_FLAGS" $getssl_flags
+
+    # return nothing
+    return
+}

overlay/etc/bf/init.d/21-nginx-conf.nu

@@ -0,0 +1,6 @@
+use bf
+use bf/nginx/proxy nginx
+bf env load
+
+# Generate Nginx server SSL configuration file
+def main []: nothing -> nothing { nginx generate_server_conf }

overlay/etc/bf/init.d/22-ssl-init.nu

@@ -0,0 +1,31 @@
+use bf
+use bf/nginx/proxy
+bf env load
+
+# Initialise SSL global config and proxy domain
+def main []: nothing -> nothing {
+    # setup for a clean install
+    if (bf env check PROXY_CLEAN_INSTALL) {
+        bf write "Clean install detected."
+        proxy init setup_clean_install
+    }
+
+    # if auto init is enabled, generate config and ssl
+    # otherwise, generate SSL for root domain only
+    if (proxy auto is_enabled) {
+        # set PROXY_AUTO so we know downstream that we are auto generating files
+        bf env set "PROXY_AUTO" "1"
+
+        # generate conf.json
+        proxy auto generate_conf_json
+
+        # if there are aliases enable canonical redirection
+        if (bf env check "PROXY_AUTO_ALIASES") { bf env set "PROXY_SSL_REDIRECT_TO_CANONICAL" "1" }
+
+        # initialise all domains (root plus auto)
+        proxy init --all
+    } else {
+        # initialise only the root domain
+        proxy init --root
+    }
+}

overlay/etc/bf/init.d/23-maintenance.nu

@@ -0,0 +1,11 @@
+use bf
+use bf/nginx/proxy maintenance
+bf env load
+
+# Generate maintenance helper config and html page
+def main []: nothing -> nothing {
+    bf write "Generating maintenance files."
+    maintenance generate_helper_conf
+    maintenance generate_html
+    return
+}