hoellen/dockerfiles
1
0
Fork 0
mirror of https://github.com/hoellen/dockerfiles.git synced 2025-07-01 14:45:38 +00:00
Code Issues Projects Releases Wiki Activity

initial commit

Browse Source
This commit is contained in:
Wonderfall
2016-04-11 15:59:32 +02:00
commit 13f2d49927
85 changed files with 4343 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

95
reverse/Dockerfile Normal file
View File

@ -0,0 +1,95 @@
FROM alpine:3.3
MAINTAINER Wonderfall <wonderfall@mondedie.fr>
ARG NGINX_VER=1.9.14
ARG LIBRESSL_VER=2.3.3
ARG SIGNATURE=nginx
ARG BUILD_CORES
ENV UID=991 GID=991
RUN echo "@testing http://nl.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories \
&& echo "@commuedge http://nl.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories \
&& NB_CORES=${BUILD_CORES-`getconf _NPROCESSORS_CONF`} \
&& BUILD_DEPS=" \
build-base \
linux-headers \
ca-certificates \
automake \
autoconf \
git \
tar \
libtool \
pcre-dev \
zlib-dev" \
&& apk -U add \
$BUILD_DEPS \
pcre \
zlib \
libgcc \
libstdc++ \
gosu@testing \
libressl@testing \
tini@commuedge \
&& cd /tmp && git clone https://github.com/bagder/libbrotli && cd libbrotli \
&& ./autogen.sh && ./configure && make -j $NB_CORES && make install \
&& mkdir /tmp/ngx_brotli && cd /tmp/ngx_brotli \
&& wget -qO- https://github.com/google/ngx_brotli/archive/master.tar.gz | tar xz --strip 1 \
&& mkdir /tmp/libressl && cd /tmp/libressl \
&& wget -qO- http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-$LIBRESSL_VER.tar.gz | tar xz --strip 1 \
&& ./configure \
LDFLAGS=-lrt \
CFLAGS=-fstack-protector-strong \
--prefix=/tmp/libressl/.openssl/ \
--enable-shared=no \
&& make install-strip -j $NB_CORES \
&& mkdir /tmp/nginx && cd /tmp/nginx \
&& wget -qO- http://nginx.org/download/nginx-$NGINX_VER.tar.gz | tar zxf - \
&& cd nginx-$NGINX_VER \
&& sed -i -e "s/\"Server: nginx\" CRLF/\"Server: $SIGNATURE\" CRLF/g" \
-e "s/\"Server: \" NGINX_VER CRLF/\"Server: $SIGNATURE\" NGINX_VER CRLF/g" \
src/http/ngx_http_header_filter_module.c \
&& ./configure \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_gzip_static_module \
--with-http_stub_status_module \
--with-openssl=/tmp/libressl \
--with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security' \
--with-ld-opt="-lrt" \
--with-file-aio \
--with-threads \
--without-http_ssi_module \
--without-http_scgi_module \
--without-http_uwsgi_module \
--without-http_fastcgi_module \
--without-http_geo_module \
--without-http_autoindex_module \
--without-http_map_module \
--without-http_split_clients_module \
--without-http_memcached_module \
--without-http_empty_gif_module \
--without-http_browser_module \
--prefix=/etc/nginx \
--http-log-path=/var/log/nginx/access.log \
--error-log-path=/var/log/nginx/error.log \
--sbin-path=/usr/local/sbin/nginx \
--add-module=/tmp/ngx_brotli \
&& make -j $NB_CORES && make install \
&& apk del $BUILD_DEPS \
&& rm -rf /tmp/* /var/cache/apk/*
COPY nginx.conf /etc/nginx/conf/nginx.conf
COPY run.sh /usr/local/bin/run.sh
COPY ngxpasswd /usr/local/bin/ngxpasswd
RUN chmod +x /usr/local/bin/*
EXPOSE 8000 4430
VOLUME /sites-enabled /conf.d /passwds /certs /var/log/nginx
LABEL description="Secure reverse proxy using nginx" \
libressl="LibreSSL v$LIBRESSL_VER" \
nginx="nginx v$NGINX_VER"
CMD ["tini","--","run.sh"]

123
reverse/README.md Normal file
View File

@ -0,0 +1,123 @@
## wonderfall/reverse
**SIZE : ±39MB**
![](https://i.goopics.net/lv.jpg) ![](https://i.goopics.net/lL.png) ![](https://upload.wikimedia.org/wikipedia/en/2/25/LibreSSL_logo.jpg)
#### What is this?
It is nginx latest mainline statically linked against LibreSSL latest snapshot, with embedded Brotli support.
Secured by default (no root processes, even the master one). I made this image for my own purpose, but I added some flexibility so you can use it easily.
#### Features
- Based on Alpine Linux (3.3) : lightweight and secure distribution.
- nginx mainline + LibreSSL snapshot
- HTTP/2 support.
- Brotli compression support.
- No root master process. Better security.
- AIO Threads support.
- No unnessary modules.
- Optimized nginx configuration.
#### Notes
It is required to :
- chown your certs files with the right uid/pid (no other way)
- change `listen` directive to 8000/4430 instead of 80/443
By the way, it is recommended to **build this image** (using docker-compose 1.6 and later for args compatibily) directly instead of pulling it from Docker Hub.
#### Volumes
- **/sites-enabled** : should contain your vhosts files (.conf)
- **/conf.d** : additional configuration files if you want
- **/certs** : SSL/TLS certificates
- **/var/log/nginx** : nginx logs (access and error)
#### Build arguments
- **NGINX_VER** : nginx's version, change it if needed but the default version is tested
- **LIBRESSL_VER** : same as NGINX_VER
- **GID** : nginx group id *(default : 991)*
- **UID** : nginx user id *(default : 991)*
#### Source (Dockerfile)
https://github.com/Wonderfall/dockerfiles/tree/master/reverse
#### Examples : compose, vhost, TLS conf
**NOTES** :
- compose file must use version 2. [See more here](https://docs.docker.com/compose/compose-file/#version-2:91de898b5f5cdb090642a917d3dedf68).
- Docker 1.10+ and docker-compose 1.6+ are needed.
- if you're using docker-compose inside a container, pay attention to `context`.
```
# docker-compose.yml
nginx:
#image: wonderfall/reverse
build:
context: /path/to/reverse/dockerfile
dockerfile: Dockerfile
args:
- NGINX_VER=1.9.10
- LIBRESSL_VER=2.3.2
- GID=1000
- UID=1000
- BUILD_CORES=8
ports:
- "80:8000"
- "443:4430"
links:
- container_1:container_1
- container_2:container_2
- container_n:container_n
volumes:
- /mnt/docker/nginx/sites:/sites-enabled
- /mnt/docker/nginx/conf:/conf.d
- /etc/letsencrypt:/certs
- /mnt/docker/nginx/log:/var/log/nginx
```
```
# /mnt/docker/nginx/sites/service.conf
server {
listen 8000;
server_name service.domain.tld;
return 301 https://$host$request_uri;
}
server {
listen 4430 ssl http2;
server_name service.domain.tld;
ssl_certificate /certs/live/service.domain.tld/fullchain.pem;
ssl_certificate_key /certs/live/service.domain.tld/privkey.pem;
include /conf.d/ssl_params.conf;
include /conf.d/headers.conf;
#client_max_body_size 10M; #(M = Megabytes / G = Gigabytes)
location / {
proxy_pass http://container_n:$PORT;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Remote-Port $remote_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
}
}
```
```
# /mnt/docker/conf/ssl_params.conf
ssl_protocols TLSv1.2;
ssl_ciphers "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256";
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_session_tickets off;
```
```
# /mnt/docker/conf/headers.conf
add_header Strict-Transport-Security "max-age=31536000";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
```

80
reverse/nginx.conf Normal file
View File

@ -0,0 +1,80 @@
worker_processes auto;
pid /var/run/nginx.pid;
daemon off;
events {
worker_connections 2048;
use epoll;
}
http {
limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
limit_conn limit_per_ip 64;
limit_req_zone $binary_remote_addr zone=allips:10m rate=150r/s;
limit_req zone=allips burst=150 nodelay;
include /etc/nginx/conf/mime.types;
default_type application/octet-stream;
access_log /var/log/nginx/access.log combined;
error_log /var/log/nginx/error.log crit;
client_body_buffer_size 10K;
client_header_buffer_size 1k;
client_max_body_size 8m;
large_client_header_buffers 2 1k;
aio threads;
sendfile on;
keepalive_timeout 15;
keepalive_disable msie6;
keepalive_requests 100;
tcp_nopush on;
tcp_nodelay on;
server_tokens off;
gzip on;
gzip_comp_level 5;
gzip_min_length 512;
gzip_buffers 4 8k;
gzip_proxied any;
gzip_vary on;
gzip_disable "msie6";
gzip_types
text/css
text/javascript
text/xml
text/plain
text/x-component
application/javascript
application/x-javascript
application/json
application/xml
application/rss+xml
application/vnd.ms-fontobject
font/truetype
font/opentype
image/svg+xml;
brotli on;
brotli_static on;
brotli_buffers 16 8k;
brotli_comp_level 6;
brotli_types
text/css
text/javascript
text/xml
text/plain
text/x-component
application/javascript
application/x-javascript
application/json
application/xml
application/rss+xml
application/vnd.ms-fontobject
font/truetype
font/opentype
image/svg+xml;
include /sites-enabled/*.conf;
}

42
reverse/ngxpasswd Normal file
View File

@ -0,0 +1,42 @@
#!/bin/sh
NAME="$1"
USER="$2"
PASSWORD="$3"
cd /passwds || exit 1
if [ -z "$NAME" ]; then
echo "Service name must be defined" 1>&2
exit 1
elif [ -f $NAME.htpasswd ]; then
echo "$NAME.htpasswd exists, aborting" 1>&2
exit 1
fi
if [ -z "$USER" ]; then
echo "User must be defined" 1>&2
exit 1
fi
if [ -z "$PASSWORD" ]; then
PASSWORD=`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1`
echo "Password was not defined, generating a random one..."
fi
echo -n $USER:`openssl passwd -apr1 $PASSWORD` >> $NAME.htpasswd
chown $UID:$GID $NAME.htpasswd
chmod 640 $NAME.htpasswd
echo
echo "A new password file has been saved to /passwds/$NAME.htpasswd :"
echo "- Service : $NAME"
echo "- User : $USER"
echo "- Password : $PASSWORD"
echo
echo "Paste this to your vhost in order to enable auth :"
echo " auth_basic \"Who's this?\";"
echo " auth_basic_user_file /passwds/$NAME.htpasswd;"
echo
echo "Done."
exit 0

5
reverse/run.sh Normal file
View File

@ -0,0 +1,5 @@
#!/bin/sh
touch /var/run/nginx.pid
chown -R $UID:$GID /etc/nginx /var/log/nginx /var/run/nginx.pid /sites-enabled /conf.d /certs
chmod -R 700 /certs
gosu $UID:$GID nginx