From 3d7a9f4a034dc3eb7f1feca34fee6744565dca02 Mon Sep 17 00:00:00 2001
From: Wonderfall
Date: Wed, 29 Jun 2016 16:18:44 +0200
Subject: [PATCH] boring-nginx: few changes
---
 boring-nginx/Dockerfile | 26 ++++++++++++++------------
 boring-nginx/nginx.conf | 1 +
 boring-nginx/run.sh | 1 -
 3 files changed, 15 insertions(+), 13 deletions(-)
diff --git a/boring-nginx/Dockerfile b/boring-nginx/Dockerfile
index 80c7033..8ea05d1 100644
--- a/boring-nginx/Dockerfile
+++ b/boring-nginx/Dockerfile
@@ -5,7 +5,6 @@ ENV UID=991 GID=991
 ARG NGINX_VERSION=1.11.1
 ARG GPG_NGINX="B0F4 2533 73F8 F6F5 10D4 2178 520A 9993 A1C0 52F8"
-ARG SIGNATURE=secret
 ARG BUILD_CORES
 COPY boring.patch /tmp/boring.patch
@@ -38,11 +37,12 @@ RUN echo "@commuedge https://nl.alpinelinux.org/alpine/edge/community" >> /etc/a
 bind-tools \
 tini@commuedge \
 && cd /tmp && git clone https://github.com/bagder/libbrotli && cd libbrotli \
- && ./autogen.sh && ./configure \
- && make -j ${NB_CORES} && make install \
- && mkdir /tmp/ngx_brotli && cd /tmp/ngx_brotli \
- && wget -qO- https://github.com/google/ngx_brotli/archive/master.tar.gz | tar xz --strip 1 \
- && cd /tmp && git clone https://boringssl.googlesource.com/boringssl && cd boringssl \
+ && ./autogen.sh && ./configure && make -j ${NB_CORES} && make install \
+ && cd /tmp \
+ && git clone https://github.com/google/ngx_brotli \
+ && git clone https://github.com/openresty/headers-more-nginx-module \
+ && git clone https://boringssl.googlesource.com/boringssl \
+ && cd boringssl \
 && mkdir build && cd build && cmake -DCMAKE_BUILD_TYPE=Release .. \
 && make -j ${NB_CORES} && cd .. \
 && mkdir -p .openssl/lib/ && cd .openssl && ln -s ../include && cd .. \
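Review bot: The three `git clone` calls added here fetch whatever HEAD of ngx_brotli, headers-more-nginx-module and boringssl happens to be at build time, with no tag, commit or checksum, so the build is neither reproducible nor protected against a change in any of those upstream repositories; the nginx tarball a few lines later is GPG-verified, which makes these unpinned inputs the weakest link of the image. Pin each clone, e.g. `git clone --depth 1 --branch <PINNED_TAG> https://github.com/openresty/headers-more-nginx-module \` or a `git checkout <PINNED_COMMIT>` right after the clone, and record the pins as build ARGs next to NGINX_VERSION. The same concern applies to the `--add-module=/tmp/headers-more-nginx-module` line in the later hunk, which compiles that unpinned checkout into the nginx binary. The RUN instruction this hunk belongs to starts before and ends after the hunk.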
@@ -59,14 +59,15 @@ RUN echo "@commuedge https://nl.alpinelinux.org/alpine/edge/community" >> /etc/a
 && if [ "${FINGERPRINT}" != "${GPG_NGINX}" ]; then echo "Warning! Wrong GPG fingerprint!" && exit 1; fi \
 && echo "All seems good, now unpacking ${NGINX_TARBALL}..." \
 && tar xzf ${NGINX_TARBALL} && cd nginx-${NGINX_VERSION} \
- && sed -i -e "s/\"Server: nginx\" CRLF/\"Server: ${SIGNATURE}\" CRLF/g" \ -e "s/\"Server: \" NGINX_VER CRLF/\"Server: ${SIGNATURE}\" NGINX_VER CRLF/g" \ src/http/ngx_http_header_filter_module.c \
+ && wget -q https://raw.githubusercontent.com/felixbuenemann/sslconfig/updated-nginx-1.9.15-spdy-patch/patches/nginx_1_9_15_http2_spdy.patch -O spdy.patch \
+ && patch -p1 < spdy.patch \
+ && wget -q https://raw.githubusercontent.com/cloudflare/sslconfig/master/patches/nginx__dynamic_tls_records.patch \
+ && patch -p1 < nginx__dynamic_tls_records.patch \
 && patch -p1 < /tmp/boring.patch \
 && ./configure \
 --prefix=/etc/nginx \
- --sbin-path=/sbin/nginx \
- --with-cc-opt="-g -O3 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -I ../boringssl/.openssl/include/" \
+ --sbin-path=/usr/sbin/nginx \
+ --with-cc-opt="-O3 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -I ../boringssl/.openssl/include/" \
 --with-ld-opt="-Wl,-Bsymbolic-functions -Wl,-z,relro -L ../boringssl/.openssl/lib" \
 --with-http_ssl_module \
 --with-http_v2_module \
@@ -87,9 +88,10 @@ RUN echo "@commuedge https://nl.alpinelinux.org/alpine/edge/community" >> /etc/a
 --without-http_browser_module \
 --http-log-path=/var/log/nginx/access.log \
 --error-log-path=/var/log/nginx/error.log \
+ --add-module=/tmp/headers-more-nginx-module \
 --add-module=/tmp/ngx_brotli \
 && make -j ${NB_CORES} && make install && make clean \
- && strip -s /sbin/nginx \
+ && strip -s /usr/sbin/nginx \
 && apk del ${BUILD_DEPS} \
 && rm -rf /tmp/* /var/cache/apk/* /root/.gnupg
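Review bot: The two patches fetched with `wget -q` from raw.githubusercontent.com are applied with `patch -p1` without any checksum or signature check, while the nginx tarball right above is rejected on a GPG fingerprint mismatch; the `cloudflare/sslconfig/master/...` URL in particular points at a mutable branch, so the source that ends up compiled can change under an unchanged Dockerfile. Record a SHA-256 for each patch and verify before applying, e.g. `&& echo "<PATCH_SHA256>  spdy.patch" | sha256sum -c - \` (likewise for nginx__dynamic_tls_records.patch), or vendor the patches next to boring.patch, which is already COPYed into the image. The new `--with-cc-opt` also drops `-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2`; if that is deliberate (toolchain defaults on Alpine, say) a comment saying so would help, otherwise the old line provided hardening this one no longer asks for. `-fPIE` in cc-opt is still not paired with `-pie` in `--with-ld-opt`, so it is worth confirming the resulting binary is actually position-independent. The enclosing RUN instruction starts before and ends after this hunk.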
diff --git a/boring-nginx/nginx.conf b/boring-nginx/nginx.conf
index 9ef2078..aa1fbec 100644
--- a/boring-nginx/nginx.conf
+++ b/boring-nginx/nginx.conf
@@ -37,6 +37,7 @@ http {
 tcp_nopush on;
 tcp_nodelay on;
 server_tokens off;
+ more_set_headers 'Server: secret';
 gzip on;
 gzip_comp_level 5;
diff --git a/boring-nginx/run.sh b/boring-nginx/run.sh
index 0606f33..2051125 100644
--- a/boring-nginx/run.sh
+++ b/boring-nginx/run.sh
@@ -1,5 +1,4 @@
 #!/bin/sh
-touch /var/run/nginx.pid
 chown -R $UID:$GID /etc/nginx /var/log/nginx /var/run/nginx.pid /sites-enabled /conf.d /certs /www /tmp
 chmod -R 700 /certs
 su-exec $UID:$GID nginx
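Review bot: `more_set_headers 'Server: secret';` hard-codes the value that was previously configurable through the `ARG SIGNATURE` removed from the Dockerfile in this same commit, and it only rewrites the header text — it is cosmetic on top of `server_tokens off`, not a security control, since the server remains identifiable by behaviour. A comment above the directive would save the next reader a trip to the Dockerfile: `# Rewrites the Server header; requires headers-more (built via --add-module). server_tokens off above already hides the version.`. If the value should stay adjustable, rendering it into nginx.conf at container start from run.sh would restore what the build ARG offered.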
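Review bot: Removing `touch /var/run/nginx.pid` leaves the `chown -R $UID:$GID ... /var/run/nginx.pid ...` on the next line pointing at a file that may not exist in a fresh container; chown then reports an error for that operand and, because this is `#!/bin/sh` with no `set -e`, the script continues to `su-exec` anyway. Unless the pid path has been moved elsewhere (nginx.conf is only partly visible here) or the directory is writable by the target UID, nginx started as that user may fail to create its pid file. Either drop `/var/run/nginx.pid` from the chown list as well, or keep the `touch` so both the chown operand and the later write succeed. `$UID:$GID` is also unquoted; `"$UID:$GID"` is the safer form, though that predates this change.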