feat: disable automatic ACME HTTP challenge location configuration

README.md

@@ -31,7 +31,6 @@ It handles the automated creation, renewal and use of SSL certificates for proxi
 Three writable volumes must be declared on the **nginx-proxy** container so that they can be shared with the **acme-companion** container:
 
 * `/etc/nginx/certs` to store certificates and private keys (readonly for the **nginx-proxy** container).
-* `/etc/nginx/vhost.d` to change the configuration of vhosts (required so the CA may access `http-01` challenge files).
 * `/usr/share/nginx/html` to write `http-01` challenge files.
 
 Additionally, a fourth volume must be declared on the **acme-companion** container to store `acme.sh` configuration and state: `/etc/acme.sh`.
@@ -50,7 +49,6 @@ $ docker run --detach \
     --publish 80:80 \
     --publish 443:443 \
     --volume certs:/etc/nginx/certs \
-    --volume vhost:/etc/nginx/vhost.d \
     --volume html:/usr/share/nginx/html \
     --volume /var/run/docker.sock:/tmp/docker.sock:ro \
     nginxproxy/nginx-proxy

app/entrypoint.sh

@@ -167,10 +167,13 @@ if [[ "$*" == "/bin/bash /app/start.sh" ]]; then
         exit 1
     fi
     check_writable_directory '/etc/nginx/certs'
-    check_writable_directory '/etc/nginx/vhost.d'
+    parse_true "${ACME_HTTP_CHALLENGE_LOCATION:=false}" && check_writable_directory '/etc/nginx/vhost.d'
     check_writable_directory '/etc/acme.sh'
     check_writable_directory '/usr/share/nginx/html'
-    [[ -f /app/letsencrypt_user_data ]] && check_writable_directory '/etc/nginx/conf.d'
+    if [[ -f /app/letsencrypt_user_data ]]; then
+        check_writable_directory '/etc/nginx/vhost.d'
+        check_writable_directory '/etc/nginx/conf.d'
+    fi
     check_default_cert_key
     check_dh_group
     reload_nginx

app/letsencrypt_service

@@ -348,8 +348,10 @@ function update_cert {
     for domain in "${hosts_array[@]}"; do
         # Add all the domains to certificate
         params_issue_arr+=(--domain "$domain")
-        # Add location configuration for the domain
-        add_location_configuration "$domain" || reload_nginx
+        # If enabled, add location configuration for the domain
+        if parse_true "${ACME_HTTP_CHALLENGE_LOCATION:=false}"; then
+            add_location_configuration "$domain" || reload_nginx
+        fi
     done
 
     params_issue_arr=("${params_base_arr[@]}" "${params_issue_arr[@]}")

docs/Advanced-usage.md

@@ -26,7 +26,6 @@ $ docker run --detach \
     --publish 80:80 \
     --publish 443:443 \
     --volume conf:/etc/nginx/conf.d  \
-    --volume vhost:/etc/nginx/vhost.d \
     --volume html:/usr/share/nginx/html \
     --volume certs:/etc/nginx/certs \
     nginx

docs/Basic-usage.md

@@ -1,9 +1,8 @@
 ## Basic usage (with the nginx-proxy container)
 
-Three writable volumes must be declared on the **nginx-proxy** container so that they can be shared with the **acme-companion** container:
+Two writable volumes must be declared on the **nginx-proxy** container so that they can be shared with the **acme-companion** container:
 
 * `/etc/nginx/certs` to store certificates and private keys (readonly for the **nginx-proxy** container).
-* `/etc/nginx/vhost.d` to change the configuration of vhosts (required so the CA may access `http-01` challenge files).
 * `/usr/share/nginx/html` to write `http-01` challenge files.
 
 Additionally, a fourth volume must be declared on the **acme-companion** container to store `acme.sh` configuration and state: `/etc/acme.sh`.
@@ -22,7 +21,6 @@ $ docker run --detach \
     --publish 80:80 \
     --publish 443:443 \
     --volume certs:/etc/nginx/certs \
-    --volume vhost:/etc/nginx/vhost.d \
     --volume html:/usr/share/nginx/html \
     --volume /var/run/docker.sock:/tmp/docker.sock:ro \
     nginxproxy/nginx-proxy

docs/Container-configuration.md

@@ -32,4 +32,6 @@ You can also create test certificates per container (see [Test certificates](./L
 
 * `ACME_PRE_HOOK` - The provided command will be run before every certificate issuance. The action is limited to the commands available inside the **acme-companion** container. For example `--env "ACME_PRE_HOOK=echo 'start'"`. For more information see [Pre- and Post-Hook](./Hooks.md)
 
-* `ACME_POST_HOOK` - The provided command will be run after every certificate issuance. The action is limited to the commands available inside the **acme-companion** container. For example `--env "ACME_POST_HOOK=echo 'end'"`. For more information see [Pre- and Post-Hook](./Hooks.md)
+* `ACME_POST_HOOK` - The provided command will be run after every certificate issuance. The action is limited to the commands available inside the **acme-companion** container. For example `--env "ACME_POST_HOOK=echo 'end'"`. For more information see [Pre- and Post-Hook](./Hooks.md)
+
+* `ACME_HTTP_CHALLENGE_LOCATION` - Previously **acme-companion** automatically added the ACME HTTP challenge location to the nginx configuration through files generated in `/etc/nginx/vhost.d`. Recent versions of **nginx-proxy** (>= `1.6`) already include the required location configuration, which remove the need for **acme-companion** to attempt to dynamically add them. If you're running and older version of **nginx-proxy** (or **docker-gen** with an older version of the `nginx.tmpl` file), you can re-enable this behaviour by setting `ACME_HTTP_CHALLENGE_LOCATION` to `true`.

docs/Docker-Compose.md

@@ -15,7 +15,7 @@ The use of named containers and volume is not required but helps keeping everyth
 ### Two containers example
 
 ```yaml
-version: '2'
+version: "2"
 
 services:
   nginx-proxy:
@@ -25,8 +25,10 @@ services:
       - "80:80"
       - "443:443"
     volumes:
-      - conf:/etc/nginx/conf.d
-      - vhost:/etc/nginx/vhost.d
+      # The vhost and conf volumes are only required
+      # if you plan to obtain standalone certificates
+      # - vhost:/etc/nginx/vhost.d
+      # - conf:/etc/nginx/conf.d
       - html:/usr/share/nginx/html
       - certs:/etc/nginx/certs:ro
       - /var/run/docker.sock:/tmp/docker.sock:ro
@@ -46,8 +48,8 @@ services:
     network_mode: bridge
 
 volumes:
-  conf:
-  vhost:
+  # vhost:
+  # conf:
   html:
   certs:
   acme:
@@ -56,7 +58,7 @@ volumes:
 ### Three containers example
 
 ```yaml
-version: '2'
+version: "2"
 
 services:
   nginx-proxy:
@@ -66,8 +68,10 @@ services:
       - "80:80"
       - "443:443"
     volumes:
+      # The vhost volume is only required if you
+      # plan to obtain standalone certificates
+      # - vhost:/etc/nginx/vhost.d
       - conf:/etc/nginx/conf.d
-      - vhost:/etc/nginx/vhost.d
       - html:/usr/share/nginx/html
       - certs:/etc/nginx/certs:ro
     network_mode: bridge
@@ -99,8 +103,8 @@ services:
     network_mode: bridge
 
 volumes:
+  # vhost:
   conf:
-  vhost:
   html:
   certs:
   acme:

docs/Persistent-data.md

@@ -10,15 +10,13 @@ $ docker run -d \
     -p 80:80 \
     -p 443:443 \
     -v certs:/etc/nginx/certs \
-    -v vhost:/etc/nginx/vhost.d \
     -v html:/usr/share/nginx/html \
     -v /var/run/docker.sock:/tmp/docker.sock:ro \
     nginxproxy/nginx-proxy
 
 $ docker volume ls
 DRIVER              VOLUME NAME
 local               certs
-local               vhost
 local               html
 ```
 
@@ -32,15 +30,13 @@ $ docker run -d \
     -p 80:80 \
     -p 443:443 \
     -v /etc/nginx/certs \
-    -v /etc/nginx/vhost.d \
     -v /usr/share/nginx/html \
     -v /var/run/docker.sock:/tmp/docker.sock:ro \
     nginxproxy/nginx-proxy
 
 $ docker volume ls
 DRIVER              VOLUME NAME
 local               287be3abd610e5566500d719ceb8b952952f12c9324ef02d05785d4ee9737ae9
-local               6530b1b40cf89efb71aa7fd19bddec927fa2bcae59b04b9c1c850af72ffe0123
 local               f260f71fefadcdfc311d285d69151f2312915174d3fb1fab89949ec5ec871a54
 ```
 

docs/Standalone-certificates.md

@@ -1,6 +1,6 @@
 ## Standalone certificates
 
-You can generate certificate that are not tied to containers environment variable by mounting a user configuration file inside the container at `/app/letsencrypt_user_data`. This feature also require sharing the `/etc/nginx/conf.d` folder between the **nginx-proxy** and **acme-companion** container (and the **docker-gen** container if you are running a [three container setup](./Advanced-usage.md)):
+You can generate certificate that are not tied to containers environment variable by mounting a user configuration file inside the container at `/app/letsencrypt_user_data`. This feature also require sharing the `/etc/nginx/vhost.d` and `/etc/nginx/conf.d` folder between the **nginx-proxy** and **acme-companion** container (and the **docker-gen** container if you are running a [three container setup](./Advanced-usage.md)):
 
 ```bash
 $ docker run --detach \
@@ -14,6 +14,7 @@ $ docker run --detach \
     --volume /var/run/docker.sock:/tmp/docker.sock:ro \
     nginxproxy/nginx-proxy
 ```
+
 ```bash
 $ docker run --detach \
     --name nginx-proxy-acme \