From fae764c0b4b8b67979b2983c7ef789a8dae8ba1f Mon Sep 17 00:00:00 2001 From: ajoergensen <31108516+ajoergensen@users.noreply.github.com> Date: Thu, 17 Aug 2017 22:17:28 +0200 Subject: [PATCH 1/9] Update README --- README.md | 26 +++++++++++++++++--------- build.sh | 7 +++++++ 2 files changed, 24 insertions(+), 9 deletions(-) create mode 100755 build.sh diff --git a/README.md b/README.md index 07cc3a9..289042a 100755 --- a/README.md +++ b/README.md @@ -1,12 +1,20 @@ -# **NGINX** built with **LibreSSL** +# **[nginx][3]** built with **[LibreSSL][4]** -#### Features +## Features -- Images are used Alpine Linux. -- PCRE with JIT enabled. -- HTTP/2.0 (+NPN) support. -- Async I/O using threads support. -- Dynamic TLS records patch CloudFlare support (and configured). -- Brotli compression support (and configured). +- Uses [Alpine Linux][5] as base +- PCRE with JIT enabled +- HTTP/2.0 (+NPN) support +- Async I/O using threads support +- Dynamic TLS records patch support (and configured) - From [Cloudflare][6] +- [Brotli][7] compression support (and configured) -#### Based on the Official NGINX Dockerfile & `Wonderfall/boring-nginx` +Originally based on the official nginx Dockerfile & `Wonderfall/boring-nginx` - Forked from [denji/nginx-libressl][1] - This version uses [tini][2], a tiny but valid `init` for containers + +[1]: https://github.com/nginx-modules/docker-nginx-libressl/ +[2]: https://github.com/krallin/tini/ +[3]: http://nginx.org/ +[4]: https://libressl.org/ +[5]: https://alpinelinux.org/ +[6]: https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency/ +[7]: https://en.wikipedia.org/wiki/Brotli diff --git a/build.sh b/build.sh new file mode 100755 index 0000000..ad2cdaa --- /dev/null +++ b/build.sh @@ -0,0 +1,7 @@ +#!/bin/bash +set -e + +for i in stable mainline + do + docker build -t nginx-testbuild-$i $i/alpine && docker rmi nginx-testbuild-$i +done From 7802075b1372d8a93871337eca37e4ea68b84a32 Mon Sep 17 00:00:00 2001 
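Review bot: In build.sh, `set -e` does not stop the loop when `docker build` fails, because a failing command on the left of `&&` is exempt from errexit; the script moves on to the next flavour and exits with the status of the last command, so a broken `stable` build can still end with exit code 0. Put the two steps on separate lines so errexit sees each one: `docker build -t "nginx-testbuild-$i" "$i/alpine"` followed by `docker rmi "nginx-testbuild-$i"`. Quoting `$i` also keeps the script correct if the list ever gains a value with spaces.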
From: ajoergensen <31108516+ajoergensen@users.noreply.github.com> Date: Thu, 17 Aug 2017 22:17:46 +0200 Subject: [PATCH 2/9] Add tini package and change entry point --- mainline/alpine/Dockerfile | 5 +++-- stable/alpine/Dockerfile | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/mainline/alpine/Dockerfile b/mainline/alpine/Dockerfile index e532928..f5c468d 100755 --- a/mainline/alpine/Dockerfile +++ b/mainline/alpine/Dockerfile @@ -1,6 +1,6 @@ FROM alpine:3.6 -MAINTAINER Denis Denisov "denji0k@gmail.com" +MAINTAINER ajoergensen ENV NGINX_VERSION 1.13.3 ENV LIBRESSL_VERSION 2.5.5 @@ -171,7 +171,7 @@ RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \ | sort -u \ | xargs -r apk info --installed \ | sort -u \ - ) tzdata ca-certificates" \ + ) tzdata ca-certificates tini" \ && apk add --no-cache --virtual .nginx-rundeps $runDeps \ && apk del .build-deps \ && apk del .gettext \ @@ -190,4 +190,5 @@ LABEL description="nginx built from source" \ EXPOSE 80 443 +ENTRYPOINT ["/sbin/tini", "--"] CMD ["nginx", "-g", "daemon off;"] diff --git a/stable/alpine/Dockerfile b/stable/alpine/Dockerfile index cd06156..4ff45b2 100755 --- a/stable/alpine/Dockerfile +++ b/stable/alpine/Dockerfile @@ -1,6 +1,6 @@ FROM alpine:3.6 -MAINTAINER Denis Denisov "denji0k@gmail.com" +MAINTAINER ajoergensen ENV NGINX_VERSION 1.12.1 ENV LIBRESSL_VERSION 2.5.5 @@ -171,7 +171,7 @@ RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \ | sort -u \ | xargs -r apk info --installed \ | sort -u \ - ) tzdata ca-certificates" \ + ) tzdata ca-certificates tini" \ && apk add --no-cache --virtual .nginx-rundeps $runDeps \ && apk del .build-deps \ && apk del .gettext \ @@ -190,4 +190,5 @@ LABEL description="nginx built from source" \ EXPOSE 80 443 +ENTRYPOINT ["/sbin/tini", "--"] CMD ["nginx", "-g", "daemon off;"] From a7ffe294d28a17c77c76d9b8281512e9d5e50d6b Mon Sep 17 00:00:00 2001 
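Review bot: `MAINTAINER ajoergensen` in the first hunk of mainline/alpine/Dockerfile keeps a deprecated instruction, and the same line is added to stable/alpine/Dockerfile in this patch. Replace it with a label, `LABEL maintainer="ajoergensen"`, which is what current tooling and linters (hadolint DL4000) expect and which survives as ordinary image metadata.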
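Review bot: With `ENTRYPOINT ["/sbin/tini", "--"]` in the last hunk of mainline/alpine/Dockerfile, `docker stop` now delivers SIGTERM straight to the nginx master, which nginx treats as a fast shutdown that drops in-flight requests. Add `STOPSIGNAL SIGQUIT` next to the ENTRYPOINT so the master performs a graceful shutdown instead; tini forwards whatever signal it receives. The same ENTRYPOINT hunk appears in stable/alpine/Dockerfile.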
From: ajoergensen <31108516+ajoergensen@users.noreply.github.com> Date: Thu, 17 Aug 2017 22:06:45 +0200 Subject: [PATCH 3/9] Use "-rf" when deleting GNUPGHOME to avoid/ignore racy "S.gpg-agent.ssh" edge cases --- mainline/alpine/Dockerfile | 2 +- stable/alpine/Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/mainline/alpine/Dockerfile b/mainline/alpine/Dockerfile index f5c468d..32050ce 100755 --- a/mainline/alpine/Dockerfile +++ b/mainline/alpine/Dockerfile @@ -106,7 +106,7 @@ RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \ done; \ test -z "$found" && echo >&2 "error: failed to fetch GPG key $GPG_KEYS" && exit 1; \ gpg --batch --verify nginx.tar.gz.asc nginx.tar.gz \ - && rm -r "$GNUPGHOME" nginx.tar.gz.asc \ + && rm -rf "$GNUPGHOME" nginx.tar.gz.asc \ && mkdir -p /usr/src \ \ && LIBRESSL_TARBALL="libressl-$LIBRESSL_VERSION.tar.gz" \ diff --git a/stable/alpine/Dockerfile b/stable/alpine/Dockerfile index 4ff45b2..1b859be 100755 --- a/stable/alpine/Dockerfile +++ b/stable/alpine/Dockerfile @@ -106,7 +106,7 @@ RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \ done; \ test -z "$found" && echo >&2 "error: failed to fetch GPG key $GPG_KEYS" && exit 1; \ gpg --batch --verify nginx.tar.gz.asc nginx.tar.gz \ - && rm -r "$GNUPGHOME" nginx.tar.gz.asc \ + && rm -rf "$GNUPGHOME" nginx.tar.gz.asc \ && mkdir -p /usr/src \ \ && LIBRESSL_TARBALL="libressl-$LIBRESSL_VERSION.tar.gz" \ From b9abf241b3fb85c0e955ef9db8f4fd0697bb8269 Mon Sep 17 00:00:00 2001 From: ajoergensen <31108516+ajoergensen@users.noreply.github.com> Date: Fri, 18 Aug 2017 18:45:22 +0200 Subject: [PATCH 4/9] Update README --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 289042a..5bc966b 100755 --- a/README.md +++ b/README.md 
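Review bot: `rm -rf "$GNUPGHOME" nginx.tar.gz.asc` papers over the race the commit message describes rather than removing it: the gpg-agent that created `S.gpg-agent.ssh` is still running while its directory is deleted, and `-f` also hides any other failure to clean up the keyring. Stopping the agent first is the usual fix, e.g. `&& gpgconf --kill all \` on the line before the `rm` (assuming the gnupg package installed earlier in this RUN step ships gpgconf). The same hunk is in stable/alpine/Dockerfile, and the enclosing RUN step starts and ends outside the hunk.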
@@ -9,6 +9,8 @@ - Dynamic TLS records patch support (and configured) - From [Cloudflare][6] - [Brotli][7] compression support (and configured) +Currently the HPACK patch from Cloudflare is not used because it does not apply clean against mainline. + Originally based on the official nginx Dockerfile & `Wonderfall/boring-nginx` - Forked from [denji/nginx-libressl][1] - This version uses [tini][2], a tiny but valid `init` for containers [1]: https://github.com/nginx-modules/docker-nginx-libressl/ From 19fbedc92fe15abd26fb567ccb63a0dfaa057a68 Mon Sep 17 00:00:00 2001 From: ajoergensen <31108516+ajoergensen@users.noreply.github.com> Date: Fri, 18 Aug 2017 18:45:37 +0200 Subject: [PATCH 5/9] Update nginx to 1.13.4. Rework Dockerfile. --- mainline/alpine/Dockerfile | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/mainline/alpine/Dockerfile b/mainline/alpine/Dockerfile index 32050ce..a9d149e 100755 --- a/mainline/alpine/Dockerfile +++ b/mainline/alpine/Dockerfile @@ -2,7 +2,7 @@ FROM alpine:3.6 MAINTAINER ajoergensen -ENV NGINX_VERSION 1.13.3 +ENV NGINX_VERSION 1.13.4 ENV LIBRESSL_VERSION 2.5.5 RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \ @@ -68,6 +68,7 @@ RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \ ca-certificates \ cmake \ curl \ + file \ gcc \ gd-dev \ geoip-dev \ @@ -88,6 +89,7 @@ RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \ su-exec \ tar \ tzdata \ + wget \ zlib \ zlib-dev \ \ @@ -106,7 +108,6 @@ RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \ done; \ test -z "$found" && echo >&2 "error: failed to fetch GPG key $GPG_KEYS" && exit 1; \ gpg --batch --verify nginx.tar.gz.asc nginx.tar.gz \ - && rm -rf "$GNUPGHOME" nginx.tar.gz.asc \ && mkdir -p /usr/src \ \ && LIBRESSL_TARBALL="libressl-$LIBRESSL_VERSION.tar.gz" \ 
@@ -116,7 +117,6 @@ RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \ && curl -fSL https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl.asc -o libressl.asc \ && gpg --import libressl.asc \ && gpg --batch --verify $LIBRESSL_TARBALL.asc $LIBRESSL_TARBALL \ - && rm -r "$GNUPGHOME" libressl.asc $LIBRESSL_TARBALL.asc \ && tar -zxC /usr/src -f $LIBRESSL_TARBALL \ \ && (git clone --depth=1 https://github.com/bagder/libbrotli /usr/src/libbrotli \ @@ -126,9 +126,8 @@ RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \ && git clone --depth=1 https://github.com/openresty/headers-more-nginx-module /usr/src/ngx_headers_more \ \ && tar -zxC /usr/src -f nginx.tar.gz \ - && rm nginx.tar.gz \ && cd /usr/src/nginx-$NGINX_VERSION \ - && curl -fSL https://cdn.rawgit.com/nginx-modules/ngx_http_tls_dyn_size/0.1/nginx-dyntls-1.11.5.diff -o dynamic_tls_records.patch \ + && wget -q https://raw.githubusercontent.com/cujanovic/nginx-dynamic-tls-records-patch/master/nginx__dynamic_tls_records_1.13.0%2B.patch -O dynamic_tls_records.patch \ && patch -p1 < dynamic_tls_records.patch \ && ./configure $CONFIG --with-debug \ && make -j$(getconf _NPROCESSORS_ONLN) \ @@ -155,8 +154,6 @@ RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \ && ln -s ../../usr/lib/nginx/modules /etc/nginx/modules \ && strip /usr/sbin/nginx* \ && strip /usr/lib/nginx/modules/*.so \ - && rm -rf /usr/src/nginx-$NGINX_VERSION \ - && rm -rf /usr/src/libressl* /usr/src/libbrotli /usr/src/ngx_* \ \ # Bring in gettext so we can get `envsubst`, then throw # the rest away. To do this, we need to install `gettext` 
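Review bot: The new `wget -q https://raw.githubusercontent.com/cujanovic/nginx-dynamic-tls-records-patch/master/...` line fetches the TLS patch from a moving branch and feeds it to `patch -p1` unverified, so the code compiled into nginx can change, or be replaced, between builds without any change to this Dockerfile; the URL it replaces was at least pinned to a fixed ref (`0.1`). Pin the URL to a specific commit and check a digest before patching, e.g. `&& echo "<sha256 of the reviewed patch>  dynamic_tls_records.patch" | sha256sum -c - \` on the line before `patch -p1`. `wget` is also added to the build deps only for this one download while `curl` is already installed and used for the tarballs above; `curl -fSL <url> -o dynamic_tls_records.patch` keeps a single download tool. The enclosing RUN step starts and ends outside this hunk.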
@@ -179,7 +176,8 @@ RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \ \ # forward request and error logs to docker log collector && ln -sf /dev/stdout /var/log/nginx/access.log \ - && ln -sf /dev/stderr /var/log/nginx/error.log + && ln -sf /dev/stderr /var/log/nginx/error.log \ + && rm -rf /tmp/* /usr/src/* /var/cache/apk/* /root/.gnupg COPY nginx.conf /etc/nginx/nginx.conf COPY nginx.vh.no-default.conf /etc/nginx/conf.d/default.conf From 72904e5154cf876320057e518d2207695bfa3c1e Mon Sep 17 00:00:00 2001 From: ajoergensen <31108516+ajoergensen@users.noreply.github.com> Date: Fri, 18 Aug 2017 18:49:16 +0200 Subject: [PATCH 6/9] Update Dockerfile --- stable/alpine/Dockerfile | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/stable/alpine/Dockerfile b/stable/alpine/Dockerfile index 1b859be..16cd5c6 100755 --- a/stable/alpine/Dockerfile +++ b/stable/alpine/Dockerfile @@ -68,6 +68,7 @@ RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \ ca-certificates \ cmake \ curl \ + file \ gcc \ gd-dev \ geoip-dev \ @@ -106,7 +107,6 @@ RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \ done; \ test -z "$found" && echo >&2 "error: failed to fetch GPG key $GPG_KEYS" && exit 1; \ gpg --batch --verify nginx.tar.gz.asc nginx.tar.gz \ - && rm -rf "$GNUPGHOME" nginx.tar.gz.asc \ && mkdir -p /usr/src \ \ && LIBRESSL_TARBALL="libressl-$LIBRESSL_VERSION.tar.gz" \ @@ -116,7 +116,6 @@ RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \ && curl -fSL https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl.asc -o libressl.asc \ && gpg --import libressl.asc \ && gpg --batch --verify $LIBRESSL_TARBALL.asc $LIBRESSL_TARBALL \ - && rm -r "$GNUPGHOME" libressl.asc $LIBRESSL_TARBALL.asc \ && tar -zxC /usr/src -f $LIBRESSL_TARBALL \ \ && (git clone --depth=1 https://github.com/bagder/libbrotli /usr/src/libbrotli \ 
@@ -126,7 +125,6 @@ RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \ && git clone --depth=1 https://github.com/openresty/headers-more-nginx-module /usr/src/ngx_headers_more \ \ && tar -zxC /usr/src -f nginx.tar.gz \ - && rm nginx.tar.gz \ && cd /usr/src/nginx-$NGINX_VERSION \ && curl -fSL https://cdn.rawgit.com/nginx-modules/ngx_http_tls_dyn_size/0.1/nginx-dyntls-1.11.5.diff -o dynamic_tls_records.patch \ && patch -p1 < dynamic_tls_records.patch \ @@ -155,8 +153,6 @@ RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \ && ln -s ../../usr/lib/nginx/modules /etc/nginx/modules \ && strip /usr/sbin/nginx* \ && strip /usr/lib/nginx/modules/*.so \ - && rm -rf /usr/src/nginx-$NGINX_VERSION \ - && rm -rf /usr/src/libressl* /usr/src/libbrotli /usr/src/ngx_* \ \ # Bring in gettext so we can get `envsubst`, then throw # the rest away. To do this, we need to install `gettext` @@ -179,7 +175,8 @@ RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \ \ # forward request and error logs to docker log collector && ln -sf /dev/stdout /var/log/nginx/access.log \ - && ln -sf /dev/stderr /var/log/nginx/error.log + && ln -sf /dev/stderr /var/log/nginx/error.log \ + && rm -rf /tmp/* /usr/src/* /var/cache/apk/* /root/.gnupg COPY nginx.conf /etc/nginx/nginx.conf COPY nginx.vh.no-default.conf /etc/nginx/conf.d/default.conf From cdba1bba70b8a556c0e24d9f8b5ad1f561ea3f93 Mon Sep 17 00:00:00 2001 
From: ajoergensen <31108516+ajoergensen@users.noreply.github.com> Date: Sat, 19 Aug 2017 11:16:55 +0200 Subject: [PATCH 7/9] Change the images to use the Alpine baseimage --- README.md | 28 ++++++- mainline/alpine/Dockerfile | 15 ++-- .../root/etc/cont-init.d/51_setup_nginx.sh | 26 ++++++ .../etc/nginx/conf.d/nginx.vh.no-default.conf | 16 ++++ mainline/alpine/root/etc/nginx/nginx.conf | 83 +++++++++++++++++++ mainline/alpine/root/etc/services.d/nginx/run | 3 + stable/alpine/Dockerfile | 15 ++-- .../root/etc/cont-init.d/51_setup_nginx.sh | 26 ++++++ .../etc/nginx/conf.d/nginx.vh.no-default.conf | 16 ++++ stable/alpine/root/etc/nginx/nginx.conf | 83 +++++++++++++++++++ stable/alpine/root/etc/services.d/nginx/run | 3 + 11 files changed, 297 insertions(+), 17 deletions(-) create mode 100644 mainline/alpine/root/etc/cont-init.d/51_setup_nginx.sh create mode 100755 mainline/alpine/root/etc/nginx/conf.d/nginx.vh.no-default.conf create mode 100755 mainline/alpine/root/etc/nginx/nginx.conf create mode 100644 mainline/alpine/root/etc/services.d/nginx/run create mode 100644 stable/alpine/root/etc/cont-init.d/51_setup_nginx.sh create mode 100755 stable/alpine/root/etc/nginx/conf.d/nginx.vh.no-default.conf create mode 100755 stable/alpine/root/etc/nginx/nginx.conf create mode 100644 stable/alpine/root/etc/services.d/nginx/run diff --git a/README.md b/README.md index 5bc966b..7272f32 100755 --- a/README.md +++ b/README.md 
@@ -9,14 +9,36 @@ - Dynamic TLS records patch support (and configured) - From [Cloudflare][6] - [Brotli][7] compression support (and configured) -Currently the HPACK patch from Cloudflare is not used because it does not apply clean against mainline. +Currently the HPACK patch from Cloudflare is not used because it does not apply cleanly against mainline. -Originally based on the official nginx Dockerfile & `Wonderfall/boring-nginx` - Forked from [denji/nginx-libressl][1] - This version uses [tini][2], a tiny but valid `init` for containers +## Usage + +```docker run --rm --name nginx -v ./htdocs:/var/www -p 80:80 -p 443:443 -d ajoergensen/nginx-libressl:tag``` + +Available tags are `stable` and `mainline` + +## Environment + +- **PUID**: Change the uid of the user running nginx +- **PGID**: Change the gid of the user running nginx +- **CHOWN_WWWDIR**: Enable/disable the change of ownership of /var/www to $PUID:$PGID, defaults to TRUE. Note, if /var/www read only this variable will always be FALSE +- **WORKER_PROCESSES**: Change the value of nginx worker_processes, defaults to auto. + +## Other + +Though not defined as a volume, I recommend mapping a folder to /etc/nginx/conf.d to store your vhost definitions. + +This image works great with [docker-gen][8] and [docker-letsencrypt-nginx-proxy-companion][9] (as a drop-in replacement for the nginx-proxy image) + +---- + +Originally based on the official nginx Dockerfile & `Wonderfall/boring-nginx` - Forked from [denji/nginx-libressl][1] [1]: https://github.com/nginx-modules/docker-nginx-libressl/ -[2]: https://github.com/krallin/tini/ [3]: http://nginx.org/ [4]: https://libressl.org/ [5]: https://alpinelinux.org/ [6]: https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency/ [7]: https://en.wikipedia.org/wiki/Brotli +[8]: https://github.com/jwilder/nginx-proxy +[9]: https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion 
diff --git a/mainline/alpine/Dockerfile b/mainline/alpine/Dockerfile index a9d149e..b75fe4b 100755 --- a/mainline/alpine/Dockerfile +++ b/mainline/alpine/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3.6 +FROM ajoergensen/baseimage-alpine MAINTAINER ajoergensen @@ -168,7 +168,7 @@ RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \ | sort -u \ | xargs -r apk info --installed \ | sort -u \ - ) tzdata ca-certificates tini" \ + ) sed tzdata ca-certificates" \ && apk add --no-cache --virtual .nginx-rundeps $runDeps \ && apk del .build-deps \ && apk del .gettext \ @@ -179,14 +179,15 @@ RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \ && ln -sf /dev/stderr /var/log/nginx/error.log \ && rm -rf /tmp/* /usr/src/* /var/cache/apk/* /root/.gnupg -COPY nginx.conf /etc/nginx/nginx.conf -COPY nginx.vh.no-default.conf /etc/nginx/conf.d/default.conf +ADD root/ / + +RUN \ + chmod -v +x /etc/cont-init.d/*.sh /etc/services.d/*/run && \ + mkdir /var/www LABEL description="nginx built from source" \ openssl="LibreSSL $LIBRESSL_VERSION" \ nginx="nginx $NGINX_VERSION" EXPOSE 80 443 - -ENTRYPOINT ["/sbin/tini", "--"] -CMD ["nginx", "-g", "daemon off;"] +VOLUME /var/www diff --git a/mainline/alpine/root/etc/cont-init.d/51_setup_nginx.sh b/mainline/alpine/root/etc/cont-init.d/51_setup_nginx.sh new file mode 100644 index 0000000..9b30f5d --- /dev/null +++ b/mainline/alpine/root/etc/cont-init.d/51_setup_nginx.sh 
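Review bot: `FROM ajoergensen/baseimage-alpine` in the first hunk has no tag or digest, so every build silently resolves `:latest` of a third-party Hub image and the result is no longer reproducible, whereas the `alpine:3.6` it replaces at least pinned a release. Pin a tag and preferably a digest: `FROM ajoergensen/baseimage-alpine:<tag>@sha256:<digest>`. Dropping `ENTRYPOINT`/`CMD` in the last hunk means startup now depends entirely on the base image's init (presumably s6-overlay, given the `cont-init.d` and `services.d` paths), which is worth stating in a comment next to the FROM line. The same hunks are in stable/alpine/Dockerfile below.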
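Review bot: `ADD root/ /` in the last hunk of mainline/alpine/Dockerfile copies a local directory, which `COPY root/ /` does without ADD's archive-extraction and URL semantics (hadolint DL3020). The following `RUN chmod -v +x /etc/cont-init.d/*.sh /etc/services.d/*/run` exists only because the diffstat records those scripts as `create mode 100644`; committing them executable (`git update-index --chmod=+x <path>`) removes a layer that rewrites files already copied. `mkdir /var/www` fails the build if the base image already provides that path, so `mkdir -p /var/www` is safer. The same hunk is in stable/alpine/Dockerfile.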
@@ -0,0 +1,26 @@ +#!/usr/bin/with-contenv bash +set -x + +# Set worker_processes +: ${WORKER_PROCESSES:="auto"} + +grep -q "@@WORKER_PROCESSES@@" /etc/nginx/nginx.conf + +if [[ $? -eq 0 ]] + then + sed -i "s|@@WORKER_PROCESSES@@|$WORKER_PROCESSES|" /etc/nginx/nginx.conf +fi + +# chown'ning the entire /var/www may not be desireable + +: ${CHOWN_WWWDIR:="TRUE"} + +[ -w /var/www ] || CHOWN_WWWDIR="FALSE" + +if [[ $CHOWN_WWWDIR == "TRUE" ]] + then + chown -R app:app /var/www +fi + +# Make sure the app user is able to write to nginx directories +chown -R app:app /var/log/nginx /var/cache/nginx diff --git a/mainline/alpine/root/etc/nginx/conf.d/nginx.vh.no-default.conf b/mainline/alpine/root/etc/nginx/conf.d/nginx.vh.no-default.conf new file mode 100755 index 0000000..e31354b --- /dev/null +++ b/mainline/alpine/root/etc/nginx/conf.d/nginx.vh.no-default.conf @@ -0,0 +1,16 @@ +# Drop requests for unknown hosts +# +# If no default server is defined, nginx will use the first found server. +# To prevent host header attacks, or other potential problems when an unknown +# servername is used in a request, it's recommended to drop the request +# returning 444 "no response". + +server { + listen 80 default_server; + return 444; +} + +server { + listen 443 ssl default_server; + return 444; +} diff --git a/mainline/alpine/root/etc/nginx/nginx.conf b/mainline/alpine/root/etc/nginx/nginx.conf new file mode 100755 index 0000000..a52ca22 --- /dev/null +++ b/mainline/alpine/root/etc/nginx/nginx.conf 
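Review bot: In 51_setup_nginx.sh, `sed -i "s|@@WORKER_PROCESSES@@|$WORKER_PROCESSES|" /etc/nginx/nginx.conf` splices the environment value into the config with no validation, so a value containing `|`, `&` or a newline either breaks the sed expression or writes arbitrary text into nginx.conf. Accept only what nginx accepts before substituting: `[[ $WORKER_PROCESSES =~ ^(auto|[0-9]+)$ ]] || { echo "invalid WORKER_PROCESSES: $WORKER_PROCESSES" >&2; exit 1; }`. The `grep -q …` followed by `if [[ $? -eq 0 ]]` can be written as `if grep -q "@@WORKER_PROCESSES@@" /etc/nginx/nginx.conf; then`. `chown -R app:app /var/www` runs on every start with the default `CHOWN_WWWDIR="TRUE"`, which on a large bind-mounted tree is slow and changes ownership the operator may not expect; a comment here stating that it is the default (the README documents the switch) would help. The identical script is added under stable/alpine.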
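Review bot: The catch-all `server { listen 443 ssl default_server; return 444; }` defines an ssl listener with no `ssl_certificate`; as far as I recall, nginx of this era (1.12/1.13) refuses to start with `no "ssl_certificate" is defined for the "listen ... ssl" directive` when the default server on an ssl port has no certificate, and the option to reject handshakes without one only arrived in much later releases. Since this file is loaded from conf.d on every start, please confirm with `nginx -t` in the built image; if it fails, either give this block a placeholder self-signed certificate or drop the 443 block and document that vhost files in conf.d must supply their own default server. The same file is added under stable/alpine.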
@@ -0,0 +1,83 @@ + +# load_module modules/ngx_http_xslt_filter_module.so; +# load_module modules/ngx_http_image_filter_module.so; +# load_module modules/ngx_http_geoip_module.so; +# load_module modules/ngx_http_perl_module.so; +# load_module modules/ngx_stream_geoip_module.so; +load_module modules/ngx_http_headers_more_filter_module.so; +load_module modules/ngx_http_brotli_static_module.so; +load_module modules/ngx_http_brotli_filter_module.so; + +user app; +worker_processes @@WORKER_PROCESSES@@; + +error_log /var/log/nginx/error.log warn; +pid /var/run/nginx.pid; + +pcre_jit on; + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + aio threads; + + tcp_nopush on; + tcp_nodelay on; + server_tokens off; + + keepalive_disable msie6; + + ssl_dyn_rec_enable on; + ssl_protocols TLSv1.2; + ssl_ecdh_curve secp384r1; + ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:20m; + ssl_session_timeout 15m; + ssl_session_tickets off; + + gzip on; + gzip_comp_level 5; + gzip_min_length 512; + gzip_proxied any; + gzip_vary on; + gzip_disable "msie6"; + gzip_types + text/plain + text/css + text/x-component + text/javascript application/javascript application/x-javascript + text/xml application/xml application/rss+xml + application/json + application/vnd.ms-fontobject + font/truetype font/opentype + image/svg+xml; + + brotli on; + brotli_static on; + brotli_comp_level 6; + brotli_types + text/plain + text/css + text/x-component + text/javascript application/javascript 
application/x-javascript + text/xml application/xml application/rss+xml + application/json + application/vnd.ms-fontobject + font/truetype font/opentype + image/svg+xml; + + include /etc/nginx/conf.d/*.conf; +} diff --git a/mainline/alpine/root/etc/services.d/nginx/run b/mainline/alpine/root/etc/services.d/nginx/run new file mode 100644 index 0000000..134fcdb --- /dev/null +++ b/mainline/alpine/root/etc/services.d/nginx/run @@ -0,0 +1,3 @@ +#!/usr/bin/with-contenv sh + +exec nginx -g 'daemon off;' diff --git a/stable/alpine/Dockerfile b/stable/alpine/Dockerfile index 16cd5c6..5592180 100755 --- a/stable/alpine/Dockerfile +++ b/stable/alpine/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3.6 +FROM ajoergensen/baseimage-alpine MAINTAINER ajoergensen @@ -167,7 +167,7 @@ RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \ | sort -u \ | xargs -r apk info --installed \ | sort -u \ - ) tzdata ca-certificates tini" \ + ) sed tzdata ca-certificates" \ && apk add --no-cache --virtual .nginx-rundeps $runDeps \ && apk del .build-deps \ && apk del .gettext \ @@ -178,14 +178,15 @@ RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \ && ln -sf /dev/stderr /var/log/nginx/error.log \ && rm -rf /tmp/* /usr/src/* /var/cache/apk/* /root/.gnupg -COPY nginx.conf /etc/nginx/nginx.conf -COPY nginx.vh.no-default.conf /etc/nginx/conf.d/default.conf +ADD root/ / + +RUN \ + chmod -v +x /etc/cont-init.d/*.sh /etc/services.d/*/run && \ + mkdir /var/www LABEL description="nginx built from source" \ openssl="LibreSSL $LIBRESSL_VERSION" \ nginx="nginx $NGINX_VERSION" EXPOSE 80 443 - -ENTRYPOINT ["/sbin/tini", "--"] -CMD ["nginx", "-g", "daemon off;"] +VOLUME /var/www diff --git a/stable/alpine/root/etc/cont-init.d/51_setup_nginx.sh b/stable/alpine/root/etc/cont-init.d/51_setup_nginx.sh new file mode 100644 index 0000000..9b30f5d --- /dev/null +++ b/stable/alpine/root/etc/cont-init.d/51_setup_nginx.sh 
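Review bot: `ssl_ecdh_curve secp384r1;` in nginx.conf restricts key exchange to a single curve that most clients rank below X25519 and P-256, so every handshake negotiates the slower curve and a client that does not offer P-384 cannot connect at all; a list such as `ssl_ecdh_curve X25519:prime256v1:secp384r1;` lets the client's preferred supported curve win (confirm that the LibreSSL 2.5.5 build in this image supports X25519, and drop it from the list otherwise). `gzip on` combined with TLS exposes dynamic responses that reflect request data to BREACH-style compression side channels; that is fine for the static content this image serves by default, but a comment at the `gzip on` line telling vhost authors to disable it for dynamic pages would be useful. The `user app;` and `worker_processes @@WORKER_PROCESSES@@;` lines depend on the base image creating `app` and on the cont-init.d script running before nginx, which a short header comment should state. An identical nginx.conf is added under stable/alpine.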
@@ -0,0 +1,26 @@ +#!/usr/bin/with-contenv bash +set -x + +# Set worker_processes +: ${WORKER_PROCESSES:="auto"} + +grep -q "@@WORKER_PROCESSES@@" /etc/nginx/nginx.conf + +if [[ $? -eq 0 ]] + then + sed -i "s|@@WORKER_PROCESSES@@|$WORKER_PROCESSES|" /etc/nginx/nginx.conf +fi + +# chown'ning the entire /var/www may not be desireable + +: ${CHOWN_WWWDIR:="TRUE"} + +[ -w /var/www ] || CHOWN_WWWDIR="FALSE" + +if [[ $CHOWN_WWWDIR == "TRUE" ]] + then + chown -R app:app /var/www +fi + +# Make sure the app user is able to write to nginx directories +chown -R app:app /var/log/nginx /var/cache/nginx diff --git a/stable/alpine/root/etc/nginx/conf.d/nginx.vh.no-default.conf b/stable/alpine/root/etc/nginx/conf.d/nginx.vh.no-default.conf new file mode 100755 index 0000000..e31354b --- /dev/null +++ b/stable/alpine/root/etc/nginx/conf.d/nginx.vh.no-default.conf @@ -0,0 +1,16 @@ +# Drop requests for unknown hosts +# +# If no default server is defined, nginx will use the first found server. +# To prevent host header attacks, or other potential problems when an unknown +# servername is used in a request, it's recommended to drop the request +# returning 444 "no response". + +server { + listen 80 default_server; + return 444; +} + +server { + listen 443 ssl default_server; + return 444; +} diff --git a/stable/alpine/root/etc/nginx/nginx.conf b/stable/alpine/root/etc/nginx/nginx.conf new file mode 100755 index 0000000..a52ca22 --- /dev/null +++ b/stable/alpine/root/etc/nginx/nginx.conf 
@@ -0,0 +1,83 @@ + +# load_module modules/ngx_http_xslt_filter_module.so; +# load_module modules/ngx_http_image_filter_module.so; +# load_module modules/ngx_http_geoip_module.so; +# load_module modules/ngx_http_perl_module.so; +# load_module modules/ngx_stream_geoip_module.so; +load_module modules/ngx_http_headers_more_filter_module.so; +load_module modules/ngx_http_brotli_static_module.so; +load_module modules/ngx_http_brotli_filter_module.so; + +user app; +worker_processes @@WORKER_PROCESSES@@; + +error_log /var/log/nginx/error.log warn; +pid /var/run/nginx.pid; + +pcre_jit on; + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + aio threads; + + tcp_nopush on; + tcp_nodelay on; + server_tokens off; + + keepalive_disable msie6; + + ssl_dyn_rec_enable on; + ssl_protocols TLSv1.2; + ssl_ecdh_curve secp384r1; + ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:20m; + ssl_session_timeout 15m; + ssl_session_tickets off; + + gzip on; + gzip_comp_level 5; + gzip_min_length 512; + gzip_proxied any; + gzip_vary on; + gzip_disable "msie6"; + gzip_types + text/plain + text/css + text/x-component + text/javascript application/javascript application/x-javascript + text/xml application/xml application/rss+xml + application/json + application/vnd.ms-fontobject + font/truetype font/opentype + image/svg+xml; + + brotli on; + brotli_static on; + brotli_comp_level 6; + brotli_types + text/plain + text/css + text/x-component + text/javascript application/javascript 
application/x-javascript + text/xml application/xml application/rss+xml + application/json + application/vnd.ms-fontobject + font/truetype font/opentype + image/svg+xml; + + include /etc/nginx/conf.d/*.conf; +} diff --git a/stable/alpine/root/etc/services.d/nginx/run b/stable/alpine/root/etc/services.d/nginx/run new file mode 100644 index 0000000..134fcdb --- /dev/null +++ b/stable/alpine/root/etc/services.d/nginx/run @@ -0,0 +1,3 @@ +#!/usr/bin/with-contenv sh + +exec nginx -g 'daemon off;' From f010a306d94cb0069a7e0203b0efcf7f01614f9c Mon Sep 17 00:00:00 2001 From: ajoergensen <31108516+ajoergensen@users.noreply.github.com> Date: Sat, 19 Aug 2017 11:22:42 +0200 Subject: [PATCH 8/9] Remove debug and test if nginx.conf is writeable --- mainline/alpine/nginx.conf | 83 ------------------- mainline/alpine/nginx.vh.no-default.conf | 16 ---- .../root/etc/cont-init.d/51_setup_nginx.sh | 3 +- stable/alpine/nginx.conf | 83 ------------------- stable/alpine/nginx.vh.no-default.conf | 16 ---- .../root/etc/cont-init.d/51_setup_nginx.sh | 3 +- 6 files changed, 2 insertions(+), 202 deletions(-) delete mode 100755 mainline/alpine/nginx.conf delete mode 100755 mainline/alpine/nginx.vh.no-default.conf delete mode 100755 stable/alpine/nginx.conf delete mode 100755 stable/alpine/nginx.vh.no-default.conf diff --git a/mainline/alpine/nginx.conf b/mainline/alpine/nginx.conf deleted file mode 100755 index ce123bd..0000000 --- a/mainline/alpine/nginx.conf +++ /dev/null 
@@ -1,83 +0,0 @@ - -# load_module modules/ngx_http_xslt_filter_module.so; -# load_module modules/ngx_http_image_filter_module.so; -# load_module modules/ngx_http_geoip_module.so; -# load_module modules/ngx_http_perl_module.so; -# load_module modules/ngx_stream_geoip_module.so; -load_module modules/ngx_http_headers_more_filter_module.so; -load_module modules/ngx_http_brotli_static_module.so; -load_module modules/ngx_http_brotli_filter_module.so; - -user nginx; -worker_processes 1; - -error_log /var/log/nginx/error.log warn; -pid /var/run/nginx.pid; - -pcre_jit on; - -events { - worker_connections 1024; -} - -http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log main; - - sendfile on; - aio threads; - - tcp_nopush on; - tcp_nodelay on; - server_tokens off; - - keepalive_disable msie6; - - ssl_dyn_rec_enable on; - ssl_protocols TLSv1.2; - ssl_ecdh_curve secp384r1; - ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:20m; - ssl_session_timeout 15m; - ssl_session_tickets off; - - gzip on; - gzip_comp_level 5; - gzip_min_length 512; - gzip_proxied any; - gzip_vary on; - gzip_disable "msie6"; - gzip_types - text/plain - text/css - text/x-component - text/javascript application/javascript application/x-javascript - text/xml application/xml application/rss+xml - application/json - application/vnd.ms-fontobject - font/truetype font/opentype - image/svg+xml; - - brotli on; - brotli_static on; - brotli_comp_level 6; - brotli_types - text/plain - text/css - text/x-component - text/javascript application/javascript application/x-javascript - text/xml 
application/xml application/rss+xml - application/json - application/vnd.ms-fontobject - font/truetype font/opentype - image/svg+xml; - - include /etc/nginx/conf.d/*.conf; -} diff --git a/mainline/alpine/nginx.vh.no-default.conf b/mainline/alpine/nginx.vh.no-default.conf deleted file mode 100755 index e31354b..0000000 --- a/mainline/alpine/nginx.vh.no-default.conf +++ /dev/null @@ -1,16 +0,0 @@ -# Drop requests for unknown hosts -# -# If no default server is defined, nginx will use the first found server. -# To prevent host header attacks, or other potential problems when an unknown -# servername is used in a request, it's recommended to drop the request -# returning 444 "no response". - -server { - listen 80 default_server; - return 444; -} - -server { - listen 443 ssl default_server; - return 444; -} diff --git a/mainline/alpine/root/etc/cont-init.d/51_setup_nginx.sh b/mainline/alpine/root/etc/cont-init.d/51_setup_nginx.sh index 9b30f5d..9d444a9 100644 --- a/mainline/alpine/root/etc/cont-init.d/51_setup_nginx.sh +++ b/mainline/alpine/root/etc/cont-init.d/51_setup_nginx.sh @@ -1,12 +1,11 @@ #!/usr/bin/with-contenv bash -set -x # Set worker_processes : ${WORKER_PROCESSES:="auto"} grep -q "@@WORKER_PROCESSES@@" /etc/nginx/nginx.conf -if [[ $? -eq 0 ]] +if [[ $? -eq 0 ]] && [[ -w /etc/nginx/nginx.conf ]] then sed -i "s|@@WORKER_PROCESSES@@|$WORKER_PROCESSES|" /etc/nginx/nginx.conf fi diff --git a/stable/alpine/nginx.conf b/stable/alpine/nginx.conf deleted file mode 100755 index ce123bd..0000000 --- a/stable/alpine/nginx.conf +++ /dev/null 
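Review bot: Adding `&& [[ -w /etc/nginx/nginx.conf ]]` makes the script skip the substitution silently when the file is read-only, but `worker_processes @@WORKER_PROCESSES@@;` is then left in the config and nginx will refuse to start on the unparseable value with nothing in the init log saying why. Log the skipped case, e.g. an `else` branch with `echo "nginx.conf is read-only; leaving @@WORKER_PROCESSES@@ unsubstituted" >&2`, or fail fast. The `grep -q …` plus `if [[ $? -eq 0 ]]` pair can collapse into `if grep -q "@@WORKER_PROCESSES@@" /etc/nginx/nginx.conf && [[ -w /etc/nginx/nginx.conf ]]; then`. The same change is made to stable/alpine/root/etc/cont-init.d/51_setup_nginx.sh below, and the script continues past the end of the hunk.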
@@ -1,83 +0,0 @@ - -# load_module modules/ngx_http_xslt_filter_module.so; -# load_module modules/ngx_http_image_filter_module.so; -# load_module modules/ngx_http_geoip_module.so; -# load_module modules/ngx_http_perl_module.so; -# load_module modules/ngx_stream_geoip_module.so; -load_module modules/ngx_http_headers_more_filter_module.so; -load_module modules/ngx_http_brotli_static_module.so; -load_module modules/ngx_http_brotli_filter_module.so; - -user nginx; -worker_processes 1; - -error_log /var/log/nginx/error.log warn; -pid /var/run/nginx.pid; - -pcre_jit on; - -events { - worker_connections 1024; -} - -http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log main; - - sendfile on; - aio threads; - - tcp_nopush on; - tcp_nodelay on; - server_tokens off; - - keepalive_disable msie6; - - ssl_dyn_rec_enable on; - ssl_protocols TLSv1.2; - ssl_ecdh_curve secp384r1; - ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:20m; - ssl_session_timeout 15m; - ssl_session_tickets off; - - gzip on; - gzip_comp_level 5; - gzip_min_length 512; - gzip_proxied any; - gzip_vary on; - gzip_disable "msie6"; - gzip_types - text/plain - text/css - text/x-component - text/javascript application/javascript application/x-javascript - text/xml application/xml application/rss+xml - application/json - application/vnd.ms-fontobject - font/truetype font/opentype - image/svg+xml; - - brotli on; - brotli_static on; - brotli_comp_level 6; - brotli_types - text/plain - text/css - text/x-component - text/javascript application/javascript application/x-javascript - text/xml 
application/xml application/rss+xml - application/json - application/vnd.ms-fontobject - font/truetype font/opentype - image/svg+xml; - - include /etc/nginx/conf.d/*.conf; -} diff --git a/stable/alpine/nginx.vh.no-default.conf b/stable/alpine/nginx.vh.no-default.conf deleted file mode 100755 index e31354b..0000000 --- a/stable/alpine/nginx.vh.no-default.conf +++ /dev/null @@ -1,16 +0,0 @@ -# Drop requests for unknown hosts -# -# If no default server is defined, nginx will use the first found server. -# To prevent host header attacks, or other potential problems when an unknown -# servername is used in a request, it's recommended to drop the request -# returning 444 "no response". - -server { - listen 80 default_server; - return 444; -} - -server { - listen 443 ssl default_server; - return 444; -} diff --git a/stable/alpine/root/etc/cont-init.d/51_setup_nginx.sh b/stable/alpine/root/etc/cont-init.d/51_setup_nginx.sh index 9b30f5d..9d444a9 100644 --- a/stable/alpine/root/etc/cont-init.d/51_setup_nginx.sh +++ b/stable/alpine/root/etc/cont-init.d/51_setup_nginx.sh @@ -1,12 +1,11 @@ #!/usr/bin/with-contenv bash -set -x # Set worker_processes : ${WORKER_PROCESSES:="auto"} grep -q "@@WORKER_PROCESSES@@" /etc/nginx/nginx.conf -if [[ $? -eq 0 ]] +if [[ $? -eq 0 ]] && [[ -w /etc/nginx/nginx.conf ]] then sed -i "s|@@WORKER_PROCESSES@@|$WORKER_PROCESSES|" /etc/nginx/nginx.conf fi From 642e86d2d0e10365751dd73fda1e6e56283179e6 Mon Sep 17 00:00:00 2001 From: ajoergensen <31108516+ajoergensen@users.noreply.github.com> Date: Tue, 5 Sep 2017 20:56:54 +0200 Subject: [PATCH 9/9] Update nginx mainline to 1.13.5 --- mainline/alpine/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mainline/alpine/Dockerfile b/mainline/alpine/Dockerfile index b75fe4b..e5e91ea 100755 --- a/mainline/alpine/Dockerfile +++ b/mainline/alpine/Dockerfile 
@@ -2,7 +2,7 @@ FROM ajoergensen/baseimage-alpine MAINTAINER ajoergensen -ENV NGINX_VERSION 1.13.4 +ENV NGINX_VERSION 1.13.5 ENV LIBRESSL_VERSION 2.5.5 RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \