build custom SSL images; add SSL tests (TeslaGov#126)

Author: JoshMcCullough

.github/workflows/ci.yml renamed to .github/workflows/make-releases.yml

@@ -3,12 +3,12 @@ name: CI
 on:
   push:
     branches: 
-      - 'master'
+      - master
     paths:
       - src/**
   pull_request:
     branches:
-      - 'master'
+      - master
     paths:
       - src/**
   workflow_dispatch:
@@ -18,24 +18,26 @@ jobs:
     name: "NGINX: ${{ matrix.nginx-version }}; libjwt: ${{ matrix.libjwt-version }}"
     strategy:
       matrix:
-        # Each nginx version to build against
+        # NGINX versions to build/test against
         nginx-version: ['1.20.2', '1.22.1', '1.24.0', '1.25.3']
+
         # The following versions of libjwt are compatible:
         #   * v1.0 - v1.12.0
         #   * v1.12.1 - v1.14.0
         #   * v1.15.0+
         # At the time of writing this:
         #   * Debian and Ubuntu's repos have v1.10.2
         #   * EPEL has v1.12.1
-        # This compilles against each version prior to a breaking change and the latest release
+        # This compiles against each version prior to a breaking change and the latest release
         libjwt-version: ['1.12.0', '1.14.0', '1.15.3']
     runs-on: ubuntu-latest
     steps:
-    - name: Checkout code
+    - name: Checkout Code
       uses: actions/checkout@v3
       with:
         path: 'ngx-http-auth-jwt-module'
 
+    # TODO cache the build result so we don't have to do this every time?
     - name: Download jansson
       uses: actions/checkout@v3
       with:
@@ -50,7 +52,8 @@ jobs:
         make && \
         make check && \
         sudo make install
-        
+
+    # TODO cache the build result so we don't have to do this every time?
     - name: Download libjwt
       uses: actions/checkout@v3
       with:
@@ -71,20 +74,22 @@ jobs:
         mkdir nginx
         curl -O http://nginx.org/download/nginx-${{matrix.nginx-version}}.tar.gz
         tar -xzf nginx-${{matrix.nginx-version}}.tar.gz --strip-components 1 -C nginx
-        
-    - name: Run configure
+
+    - name: Configure NGINX
       working-directory: ./nginx
       run: |
         BUILD_FLAGS=''
         MAJ=$(echo ${{matrix.nginx-version}} | cut -f1 -d.)
         MIN=$(echo ${{matrix.nginx-version}} | cut -f2 -d.)
         REV=$(echo ${{matrix.nginx-version}} | cut -f3 -d.)
+        
         if [ "${MAJ}" -gt 1 ] || [ "${MAJ}" -eq 1 -a "${MIN}" -ge 23 ]; then
-        BUILD_FLAGS="${BUILD_FLAGS} --with-cc-opt='-DNGX_LINKED_LIST_COOKIES=1'"
+          BUILD_FLAGS="${BUILD_FLAGS} --with-cc-opt='-DNGX_LINKED_LIST_COOKIES=1'"
         fi
-        ./configure --with-compat --add-dynamic-module=../ngx-http-auth-jwt-module ${BUILD_FLAGS}
         
-    - name: Run make
+        ./configure --with-compat --add-dynamic-module=../ngx-http-auth-jwt-module ${BUILD_FLAGS}
+
+    - name: Make Modules
       working-directory: ./nginx
       run: make modules
 

Dockerfile

@@ -0,0 +1,136 @@
+ARG BASE_IMAGE
+ARG NGINX_VERSION
+
+
+FROM ${BASE_IMAGE} as ngx_http_auth_jwt_builder_base
+LABEL stage=ngx_http_auth_jwt_builder
+RUN <<`
+apt-get update
+apt-get install -y curl build-essential
+`
+
+
+FROM ngx_http_auth_jwt_builder_base as ngx_http_auth_jwt_builder_module
+LABEL stage=ngx_http_auth_jwt_builder
+ENV PATH "${PATH}:/etc/nginx"
+ENV LD_LIBRARY_PATH=/usr/local/lib
+ARG NGINX_VERSION
+RUN <<`
+	set -e
+	apt-get install -y libjwt-dev libjwt0 libjansson-dev libjansson4 libpcre2-dev zlib1g-dev libpcre3-dev
+	mkdir -p /root/build/ngx-http-auth-jwt-module
+`
+WORKDIR /root/build/ngx-http-auth-jwt-module
+ADD config ./
+ADD src/*.h src/*.c ./src/
+WORKDIR /root/build
+RUN <<`
+	set -e
+	mkdir nginx
+	curl -O http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz
+	tar -xzf nginx-${NGINX_VERSION}.tar.gz --strip-components 1 -C nginx
+`
+WORKDIR /root/build/nginx
+RUN <<`
+	set -e
+	BUILD_FLAGS=''
+	MAJ=$(echo ${NGINX_VERSION} | cut -f1 -d.)
+	MIN=$(echo ${NGINX_VERSION} | cut -f2 -d.)
+	REV=$(echo ${NGINX_VERSION} | cut -f3 -d.)
+
+	# NGINX 1.23.0+ changes cookies to use a linked list, and renames `cookies` to `cookie`
+	if [ "${MAJ}" -gt 1 ] || [ "${MAJ}" -eq 1 -a "${MIN}" -ge 23 ]; then
+		BUILD_FLAGS="${BUILD_FLAGS} --with-cc-opt='-DNGX_LINKED_LIST_COOKIES=1'"
+	fi
+
+	./configure \
+    --prefix=/etc/nginx \
+		--sbin-path=/usr/sbin/nginx \
+		--modules-path=/usr/lib64/nginx/modules \
+		--conf-path=/etc/nginx/nginx.conf \
+		--error-log-path=/var/log/nginx/error.log \
+		--http-log-path=/var/log/nginx/access.log \
+		--pid-path=/var/run/nginx.pid \
+		--lock-path=/var/run/nginx.lock \
+		--http-client-body-temp-path=/var/cache/nginx/client_temp \
+		--http-proxy-temp-path=/var/cache/nginx/proxy_temp \
+		--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
+		--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
+		--http-scgi-temp-path=/var/cache/nginx/scgi_temp \
+		--user=nginx \
+		--group=nginx \
+		--with-compat \
+		--with-debug \
+		--with-file-aio \
+		--with-threads \
+		--with-http_addition_module \
+		--with-http_auth_request_module \
+		--with-http_dav_module \
+		--with-http_flv_module \
+		--with-http_gunzip_module \
+		--with-http_gzip_static_module \
+		--with-http_mp4_module \
+		--with-http_random_index_module \
+		--with-http_realip_module \
+		--with-http_secure_link_module \
+		--with-http_slice_module \
+		--with-http_ssl_module \
+		--with-http_stub_status_module \
+		--with-http_sub_module \
+		--with-http_v2_module \
+		--with-mail \
+		--with-mail_ssl_module \
+		--with-stream \
+		--with-stream_realip_module \
+		--with-stream_ssl_module \
+		--with-stream_ssl_preread_module \
+		--with-cc-opt='-g -O2 -ffile-prefix-map=/data/builder/debuild/nginx-1.25.4/debian/debuild-base/nginx-1.25.4=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' \
+		--with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie' \
+		--add-dynamic-module=../ngx-http-auth-jwt-module \
+		${BUILD_FLAGS}
+		# --with-openssl=/usr/local \
+`
+RUN make modules
+RUN make install
+WORKDIR /usr/lib64/nginx/modules
+RUN	cp /root/build/nginx/objs/ngx_http_auth_jwt_module.so .
+RUN rm -rf /root/build
+RUN adduser --system --no-create-home --shell /bin/false --group --disabled-login nginx
+RUN mkdir -p /var/cache/nginx /var/log/nginx
+WORKDIR /etc/nginx
+
+FROM ngx_http_auth_jwt_builder_module AS ngx_http_auth_jwt_nginx
+LABEL maintainer="TeslaGov" email="[email protected]"
+ARG NGINX_VERSION
+RUN <<`
+	set -e
+
+	apt-get update
+	apt-get install -y libjansson4 libjwt0
+	apt-get clean
+`
+COPY <<` /etc/nginx/nginx.conf
+user nginx;
+pid /var/run/nginx.pid;
+
+load_module /usr/lib64/nginx/modules/ngx_http_auth_jwt_module.so;
+
+worker_processes 1;
+
+events {
+	worker_connections 1024;
+}
+
+http {
+	include mime.types;
+	default_type application/octet-stream;
+
+	log_format main '$$remote_addr - $$remote_user [$$time_local] "$$request" '
+	                '$$status $$body_bytes_sent "$$http_referer" '
+	                '"$$http_user_agent" "$$http_x_forwarded_for"';
+
+	access_log /var/log/nginx/access.log main;
+	include conf.d/*.conf;
+}
+`
+ENTRYPOINT ["nginx", "-g", "daemon off;"]

nginx.dockerfile

@@ -0,0 +1,37 @@
+ARG BASE_IMAGE
+
+FROM ${BASE_IMAGE}
+ARG SRC_DIR=/tmp/openssl-src
+ARG OUT_DIR=/usr/local/.openssl
+ARG SSL_VERSION
+RUN <<`
+    set -e
+    apt-get update
+    apt-get install -y curl build-essential libssl-dev libz-dev
+    apt-get remove -y openssl
+    apt-get clean
+`
+WORKDIR ${SRC_DIR}
+RUN <<`
+    set -e
+    curl --silent -O https://www.openssl.org/source/openssl-${SSL_VERSION}.tar.gz
+    tar -xf openssl-${SSL_VERSION}.tar.gz --strip-components=1
+`
+RUN ./config --prefix=${OUT_DIR} --openssldir=${OUT_DIR} shared zlib
+RUN <<`
+    set -e
+    make
+    make test
+    make install
+`
+RUN <<`
+    set -e
+    echo "${OUT_DIR}/lib" > /etc/ld.so.conf.d/openssl-${SSL_VERSION}.conf
+    ldconfig
+
+    ln -sf ${OUT_DIR}/bin/openssl /usr/bin/openssl
+    ln -sf ${OUT_DIR}/lib64/libssl.so.3 /lib/x86_64-linux-gnu/libssl.so.3
+    ln -sf ${OUT_DIR}/lib64/libcrypto.so.3 /lib/x86_64-linux-gnu/libcrypto.so.3
+`
+WORKDIR /
+#RUN rm -rf ${SRC_DIR}