Nginx 1.13.5

README.md

@@ -1,12 +1,44 @@
-# **NGINX** built with **LibreSSL**
+#  **[nginx][3]** built with **[LibreSSL][4]**
 
-#### Features
+## Features
 
-- Images are used Alpine Linux.
-- PCRE with JIT enabled.
-- HTTP/2.0 (+NPN) support.
-- Async I/O using threads support.
-- Dynamic TLS records patch CloudFlare support (and configured).
-- Brotli compression support (and configured).
+- Uses [Alpine Linux][5] as base
+- PCRE with JIT enabled
+- HTTP/2.0 (+NPN) support
+- Async I/O using threads support
+- Dynamic TLS records patch support (and configured) - From [Cloudflare][6]
+- [Brotli][7] compression support (and configured)
 
-#### Based on the Official NGINX Dockerfile & `Wonderfall/boring-nginx`
+Currently the HPACK patch from Cloudflare is not used because it does not apply cleanly against mainline.
+
+## Usage
+
+```docker run --rm --name nginx -v ./htdocs:/var/www -p 80:80 -p 443:443 -d ajoergensen/nginx-libressl:tag```
+
+Available tags are `stable` and `mainline`
+
+## Environment
+
+- **PUID**: Change the uid of the user running nginx
+- **PGID**: Change the gid of the user running nginx
+- **CHOWN_WWWDIR**: Enable/disable the change of ownership of /var/www to $PUID:$PGID, defaults to TRUE. Note, if /var/www read only this variable will always be FALSE
+- **WORKER_PROCESSES**: Change the value of nginx worker_processes, defaults to auto.
+
+## Other
+
+Though not defined as a volume, I recommend mapping a folder to /etc/nginx/conf.d to store your vhost definitions.
+
+This image works great with [docker-gen][8] and [docker-letsencrypt-nginx-proxy-companion][9] (as a drop-in replacement for the nginx-proxy image)
+
+----
+
+Originally based on the official nginx Dockerfile & `Wonderfall/boring-nginx` - Forked from [denji/nginx-libressl][1]
+
+[1]: https://github.com/nginx-modules/docker-nginx-libressl/
+[3]: http://nginx.org/
+[4]: https://libressl.org/
+[5]: https://alpinelinux.org/
+[6]: https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency/
+[7]: https://en.wikipedia.org/wiki/Brotli
+[8]: https://github.com/jwilder/nginx-proxy
+[9]: https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion

build.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+set -e
+
+for i in stable mainline
+ do
+	docker build -t nginx-testbuild-$i $i/alpine && docker rmi nginx-testbuild-$i
+done

mainline/alpine/Dockerfile

@@ -1,8 +1,8 @@
-FROM alpine:3.6
+FROM ajoergensen/baseimage-alpine
 
-MAINTAINER Denis Denisov "[email protected]"
+MAINTAINER ajoergensen
 
-ENV NGINX_VERSION 1.13.3
+ENV NGINX_VERSION 1.13.5
 ENV LIBRESSL_VERSION 2.5.5
 
 RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \
@@ -68,6 +68,7 @@ RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \
 		ca-certificates \
 		cmake \
 		curl \
+		file \
 		gcc \
 		gd-dev \
 		geoip-dev \
@@ -88,6 +89,7 @@ RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \
 		su-exec \
 		tar \
 		tzdata \
+		wget \
 		zlib \
 		zlib-dev \
 	\
@@ -106,7 +108,6 @@ RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \
 	done; \
 	test -z "$found" && echo >&2 "error: failed to fetch GPG key $GPG_KEYS" && exit 1; \
 	gpg --batch --verify nginx.tar.gz.asc nginx.tar.gz \
-	&& rm -r "$GNUPGHOME" nginx.tar.gz.asc \
 	&& mkdir -p /usr/src \
 	\
 	&& LIBRESSL_TARBALL="libressl-$LIBRESSL_VERSION.tar.gz" \
@@ -116,7 +117,6 @@ RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \
 	&& curl -fSL https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl.asc -o libressl.asc \
 	&& gpg --import libressl.asc \
 	&& gpg --batch --verify $LIBRESSL_TARBALL.asc $LIBRESSL_TARBALL \
-	&& rm -r "$GNUPGHOME" libressl.asc $LIBRESSL_TARBALL.asc \
 	&& tar -zxC /usr/src -f $LIBRESSL_TARBALL \
 	\
 	&& (git clone --depth=1 https://github.com/bagder/libbrotli /usr/src/libbrotli \
@@ -126,9 +126,8 @@ RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \
 	&& git clone --depth=1 https://github.com/openresty/headers-more-nginx-module /usr/src/ngx_headers_more \
 	\
 	&& tar -zxC /usr/src -f nginx.tar.gz \
-	&& rm nginx.tar.gz \
 	&& cd /usr/src/nginx-$NGINX_VERSION \
-	&& curl -fSL https://cdn.rawgit.com/nginx-modules/ngx_http_tls_dyn_size/0.1/nginx-dyntls-1.11.5.diff -o dynamic_tls_records.patch \
+	&& wget -q https://raw.githubusercontent.com/cujanovic/nginx-dynamic-tls-records-patch/master/nginx__dynamic_tls_records_1.13.0%2B.patch -O dynamic_tls_records.patch \
 	&& patch -p1 < dynamic_tls_records.patch \
 	&& ./configure $CONFIG --with-debug \
 	&& make -j$(getconf _NPROCESSORS_ONLN) \
@@ -155,8 +154,6 @@ RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \
 	&& ln -s ../../usr/lib/nginx/modules /etc/nginx/modules \
 	&& strip /usr/sbin/nginx* \
 	&& strip /usr/lib/nginx/modules/*.so \
-	&& rm -rf /usr/src/nginx-$NGINX_VERSION \
-	&& rm -rf /usr/src/libressl* /usr/src/libbrotli /usr/src/ngx_* \
 	\
 	# Bring in gettext so we can get `envsubst`, then throw
 	# the rest away. To do this, we need to install `gettext`
@@ -171,23 +168,26 @@ RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \
 			| sort -u \
 			| xargs -r apk info --installed \
 			| sort -u \
-	) tzdata ca-certificates" \
+	) sed tzdata ca-certificates" \
 	&& apk add --no-cache --virtual .nginx-rundeps $runDeps \
 	&& apk del .build-deps \
 	&& apk del .gettext \
 	&& mv /tmp/envsubst /usr/local/bin/ \
 	\
 	# forward request and error logs to docker log collector
 	&& ln -sf /dev/stdout /var/log/nginx/access.log \
-	&& ln -sf /dev/stderr /var/log/nginx/error.log
+	&& ln -sf /dev/stderr /var/log/nginx/error.log \
+	&& rm -rf /tmp/* /usr/src/* /var/cache/apk/* /root/.gnupg
 
-COPY nginx.conf /etc/nginx/nginx.conf
-COPY nginx.vh.no-default.conf /etc/nginx/conf.d/default.conf
+ADD root/ /
+
+RUN \
+        chmod -v +x /etc/cont-init.d/*.sh /etc/services.d/*/run && \
+        mkdir /var/www
 
 LABEL description="nginx built from source" \
       openssl="LibreSSL $LIBRESSL_VERSION" \
       nginx="nginx $NGINX_VERSION"
 
 EXPOSE 80 443
-
-CMD ["nginx", "-g", "daemon off;"]
+VOLUME /var/www

mainline/alpine/root/etc/cont-init.d/51_setup_nginx.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/with-contenv bash
+
+# Set worker_processes
+: ${WORKER_PROCESSES:="auto"}
+
+grep -q "@@WORKER_PROCESSES@@" /etc/nginx/nginx.conf
+
+if [[ $? -eq 0 ]] && [[ -w /etc/nginx/nginx.conf ]]
+ then
+	sed -i "s|@@WORKER_PROCESSES@@|$WORKER_PROCESSES|" /etc/nginx/nginx.conf
+fi
+
+# chown'ning the entire /var/www may not be desireable
+
+: ${CHOWN_WWWDIR:="TRUE"}
+
+[ -w /var/www ] || CHOWN_WWWDIR="FALSE"
+
+if [[ $CHOWN_WWWDIR == "TRUE" ]]
+ then
+	chown -R app:app /var/www
+fi
+
+# Make sure the app user is able to write to nginx directories
+chown -R app:app /var/log/nginx /var/cache/nginx 

mainline/alpine/nginx.conf → mainline/alpine/root/etc/nginx/nginx.conf

@@ -8,8 +8,8 @@ load_module modules/ngx_http_headers_more_filter_module.so;
 load_module modules/ngx_http_brotli_static_module.so;
 load_module modules/ngx_http_brotli_filter_module.so;
 
-user  nginx;
-worker_processes  1;
+user  app;
+worker_processes  @@WORKER_PROCESSES@@;
 
 error_log  /var/log/nginx/error.log warn;
 pid        /var/run/nginx.pid;

mainline/alpine/root/etc/services.d/nginx/run

@@ -0,0 +1,3 @@
+#!/usr/bin/with-contenv sh
+
+exec nginx -g 'daemon off;'

stable/alpine/Dockerfile

@@ -1,6 +1,6 @@
-FROM alpine:3.6
+FROM ajoergensen/baseimage-alpine
 
-MAINTAINER Denis Denisov "[email protected]"
+MAINTAINER ajoergensen
 
 ENV NGINX_VERSION 1.12.1
 ENV LIBRESSL_VERSION 2.5.5
@@ -68,6 +68,7 @@ RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \
 		ca-certificates \
 		cmake \
 		curl \
+		file \
 		gcc \
 		gd-dev \
 		geoip-dev \
@@ -106,7 +107,6 @@ RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \
 	done; \
 	test -z "$found" && echo >&2 "error: failed to fetch GPG key $GPG_KEYS" && exit 1; \
 	gpg --batch --verify nginx.tar.gz.asc nginx.tar.gz \
-	&& rm -r "$GNUPGHOME" nginx.tar.gz.asc \
 	&& mkdir -p /usr/src \
 	\
 	&& LIBRESSL_TARBALL="libressl-$LIBRESSL_VERSION.tar.gz" \
@@ -116,7 +116,6 @@ RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \
 	&& curl -fSL https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl.asc -o libressl.asc \
 	&& gpg --import libressl.asc \
 	&& gpg --batch --verify $LIBRESSL_TARBALL.asc $LIBRESSL_TARBALL \
-	&& rm -r "$GNUPGHOME" libressl.asc $LIBRESSL_TARBALL.asc \
 	&& tar -zxC /usr/src -f $LIBRESSL_TARBALL \
 	\
 	&& (git clone --depth=1 https://github.com/bagder/libbrotli /usr/src/libbrotli \
@@ -126,7 +125,6 @@ RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \
 	&& git clone --depth=1 https://github.com/openresty/headers-more-nginx-module /usr/src/ngx_headers_more \
 	\
 	&& tar -zxC /usr/src -f nginx.tar.gz \
-	&& rm nginx.tar.gz \
 	&& cd /usr/src/nginx-$NGINX_VERSION \
 	&& curl -fSL https://cdn.rawgit.com/nginx-modules/ngx_http_tls_dyn_size/0.1/nginx-dyntls-1.11.5.diff -o dynamic_tls_records.patch \
 	&& patch -p1 < dynamic_tls_records.patch \
@@ -155,8 +153,6 @@ RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \
 	&& ln -s ../../usr/lib/nginx/modules /etc/nginx/modules \
 	&& strip /usr/sbin/nginx* \
 	&& strip /usr/lib/nginx/modules/*.so \
-	&& rm -rf /usr/src/nginx-$NGINX_VERSION \
-	&& rm -rf /usr/src/libressl* /usr/src/libbrotli /usr/src/ngx_* \
 	\
 	# Bring in gettext so we can get `envsubst`, then throw
 	# the rest away. To do this, we need to install `gettext`
@@ -171,23 +167,26 @@ RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \
 			| sort -u \
 			| xargs -r apk info --installed \
 			| sort -u \
-	) tzdata ca-certificates" \
+	) sed tzdata ca-certificates" \
 	&& apk add --no-cache --virtual .nginx-rundeps $runDeps \
 	&& apk del .build-deps \
 	&& apk del .gettext \
 	&& mv /tmp/envsubst /usr/local/bin/ \
 	\
 	# forward request and error logs to docker log collector
 	&& ln -sf /dev/stdout /var/log/nginx/access.log \
-	&& ln -sf /dev/stderr /var/log/nginx/error.log
+	&& ln -sf /dev/stderr /var/log/nginx/error.log \
+	&& rm -rf /tmp/* /usr/src/* /var/cache/apk/* /root/.gnupg
 
-COPY nginx.conf /etc/nginx/nginx.conf
-COPY nginx.vh.no-default.conf /etc/nginx/conf.d/default.conf
+ADD root/ /
+
+RUN \
+	chmod -v +x /etc/cont-init.d/*.sh /etc/services.d/*/run && \
+	mkdir /var/www
 
 LABEL description="nginx built from source" \
       openssl="LibreSSL $LIBRESSL_VERSION" \
       nginx="nginx $NGINX_VERSION"
 
 EXPOSE 80 443
-
-CMD ["nginx", "-g", "daemon off;"]
+VOLUME /var/www

stable/alpine/root/etc/cont-init.d/51_setup_nginx.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/with-contenv bash
+
+# Set worker_processes
+: ${WORKER_PROCESSES:="auto"}
+
+grep -q "@@WORKER_PROCESSES@@" /etc/nginx/nginx.conf
+
+if [[ $? -eq 0 ]] && [[ -w /etc/nginx/nginx.conf ]]
+ then
+	sed -i "s|@@WORKER_PROCESSES@@|$WORKER_PROCESSES|" /etc/nginx/nginx.conf
+fi
+
+# chown'ning the entire /var/www may not be desireable
+
+: ${CHOWN_WWWDIR:="TRUE"}
+
+[ -w /var/www ] || CHOWN_WWWDIR="FALSE"
+
+if [[ $CHOWN_WWWDIR == "TRUE" ]]
+ then
+	chown -R app:app /var/www
+fi
+
+# Make sure the app user is able to write to nginx directories
+chown -R app:app /var/log/nginx /var/cache/nginx 

stable/alpine/nginx.conf → stable/alpine/root/etc/nginx/nginx.conf

@@ -8,8 +8,8 @@ load_module modules/ngx_http_headers_more_filter_module.so;
 load_module modules/ngx_http_brotli_static_module.so;
 load_module modules/ngx_http_brotli_filter_module.so;
 
-user  nginx;
-worker_processes  1;
+user  app;
+worker_processes  @@WORKER_PROCESSES@@;
 
 error_log  /var/log/nginx/error.log warn;
 pid        /var/run/nginx.pid;

stable/alpine/root/etc/services.d/nginx/run

@@ -0,0 +1,3 @@
+#!/usr/bin/with-contenv sh
+
+exec nginx -g 'daemon off;'