boring-nginx: update Dockerfile, optimisations

boring-nginx/rootfs/etc/nginx/conf/headers_params

@@ -0,0 +1,3 @@
+add_header X-Frame-Options SAMEORIGIN;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";

boring-nginx/rootfs/etc/nginx/conf/nginx.conf

@@ -0,0 +1,89 @@
+worker_processes auto;
+pid /tmp/nginx.pid;
+daemon off;
+pcre_jit on;
+
+events {
+    worker_connections 2048;
+    use epoll;
+}
+
+http {
+    limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
+    limit_conn limit_per_ip 128;
+    limit_req_zone $binary_remote_addr zone=allips:10m rate=150r/s;
+    limit_req zone=allips burst=150 nodelay;
+
+    more_set_headers 'Server: secret';
+
+    ssl_dyn_rec_enable on;
+
+    include /etc/nginx/conf/mime.types;
+    default_type application/octet-stream;
+
+    access_log /var/log/nginx/access.log combined;
+    error_log /var/log/nginx/error.log crit;
+
+    fastcgi_temp_path /tmp/fastcgi 1 2;
+    proxy_temp_path /tmp/proxy 1 2;
+    client_body_temp_path /tmp/client_body 1 2;
+
+    client_body_buffer_size 10K;
+    client_header_buffer_size 1k;
+    client_max_body_size 8m;
+    large_client_header_buffers 2 1k;
+
+    aio threads;
+    sendfile on;
+    keepalive_timeout 15;
+    keepalive_disable msie6;
+    keepalive_requests 100;
+    tcp_nopush on;
+    tcp_nodelay on;
+    server_tokens off;
+
+    gzip on;
+    gzip_comp_level 5;
+    gzip_min_length 512;
+    gzip_buffers 4 8k;
+    gzip_proxied any;
+    gzip_vary on;
+    gzip_disable "msie6";
+    gzip_types
+        text/css
+        text/javascript
+        text/xml
+        text/plain
+        text/x-component
+        application/javascript
+        application/x-javascript
+        application/json
+        application/xml
+        application/rss+xml
+        application/vnd.ms-fontobject
+        font/truetype
+        font/opentype
+        image/svg+xml;
+
+    brotli on;
+    brotli_static on;
+    brotli_buffers 16 8k;
+    brotli_comp_level 6;
+    brotli_types
+        text/css
+        text/javascript
+        text/xml
+        text/plain
+        text/x-component
+        application/javascript
+        application/x-javascript
+        application/json
+        application/xml
+        application/rss+xml
+        application/vnd.ms-fontobject
+        font/truetype
+        font/opentype
+        image/svg+xml;
+
+    include /sites-enabled/*.conf;
+}

boring-nginx/rootfs/etc/nginx/conf/proxy_params

@@ -0,0 +1,6 @@
+proxy_set_header        Host                 $host;
+proxy_set_header        X-Real-IP            $remote_addr;
+proxy_set_header        X-Forwarded-For      $proxy_add_x_forwarded_for;
+proxy_set_header        X-Remote-Port        $remote_port;
+proxy_set_header        X-Forwarded-Proto    $scheme;
+proxy_redirect          off;

boring-nginx/rootfs/etc/nginx/conf/ssl_params

@@ -0,0 +1,8 @@
+ssl_protocols TLSv1.2;
+ssl_ecdh_curve X25519:P-521:P-384;
+ssl_ciphers [ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES256-GCM-SHA384|ECDHE-RSA-AES256-GCM-SHA384]:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
+ssl_prefer_server_ciphers on;
+
+ssl_session_cache shared:SSL:20m;
+ssl_session_timeout 15m;
+ssl_session_tickets off;

boring-nginx/rootfs/etc/nginx/conf/vhost_http.conf

@@ -0,0 +1,14 @@
+server {
+  listen 8000;
+  server_name <DOMAIN>;
+
+  #client_max_body_size <MAX_BODY_SIZE>M;
+
+  #auth_basic "Who's this?";
+  #auth_basic_user_file /passwds/<NAME>.htpasswd;
+
+  location <WEBROOT> {
+    proxy_pass http://<CONTAINER>:<PORT>;
+    include /etc/nginx/conf/proxy_params;
+  }
+}

boring-nginx/rootfs/etc/nginx/conf/vhost_https.conf

@@ -0,0 +1,27 @@
+server {
+  listen 8000;
+  server_name <DOMAIN>;
+  return 301 https://$host$request_uri;
+}
+
+server {
+  listen 4430 ssl http2;
+  server_name <DOMAIN>;
+
+  ssl_certificate <CERTIFICATE_PATH>;
+  ssl_certificate_key <KEY_PATH>;
+
+  include /etc/nginx/conf/ssl_params;
+  include /etc/nginx/conf/headers_params;
+
+  #add_header Strict-Transport-Security "max-age=<HSTS_MAX_AGE>;<HSTS_SUBDOMAINS><HSTS_PRELOAD>";
+  #client_max_body_size <MAX_BODY_SIZE>M;
+
+  #auth_basic "Who's this?";
+  #auth_basic_user_file /passwds/<NAME>.htpasswd;
+
+  location <WEBROOT> {
+    proxy_pass http://<CONTAINER>:<PORT>;
+    include /etc/nginx/conf/proxy_params;
+  }
+}

boring-nginx/rootfs/usr/local/bin/ngxpasswd

@@ -0,0 +1,76 @@
+#!/bin/sh
+
+echo
+echo "Welcome to ngxpasswd utility."
+echo "We're about to create a password file."
+echo
+
+cd /passwds || exit 1
+
+while [ "$NAME" == "" ]; do
+    read -p "Name: " NAME
+done
+
+if [ -f "/passwds/$NAME.htpasswd" ]; then
+    echo "ERROR: /passwds/$NAME.htpasswd already exists."
+    exit 1
+fi
+
+while [ "$USER" == "" ]; do
+    read -p "User: " USER
+done
+
+read -p "Password (leave blank to generate one): " PASSWORD
+
+if [ "$PASSWORD" == "" ]; then
+    echo "Password was not defined, generating a random one..."
+    PASSWORD=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)
+elif [ ${#PASSWORD} -le 6 ]; then
+    echo "WARNING: Non-secure password."
+fi
+
+echo -n $USER:$(openssl passwd -apr1 $PASSWORD) >> $NAME.htpasswd
+chown $UID:$GID $NAME.htpasswd
+chmod 640 $NAME.htpasswd
+
+echo
+echo  "A new password file has been saved to /passwds/$NAME.htpasswd :"
+echo  "- Service  :  $NAME"
+echo  "- User     :  $USER"
+echo  "- Password :  $PASSWORD"
+echo
+
+if [ -f "/sites-enabled/$NAME.conf" ] && grep -q '#auth' /sites-enabled/$NAME.conf; then
+    echo "vhost at /sites-enabled/$NAME.conf detected."
+
+    while [[ "$ADD" !=  "y" && "$ADD" != "n" ]]; do
+        read -p "Add authentication to $NAME.conf? [y/n]: " ADD
+    done
+
+    if [ "$ADD" == "y" ]; then
+        cd /etc/nginx/conf
+        sed -i -e 's/#auth/auth/g' -e "s/<NAME>/$NAME/g" /sites-enabled/$NAME.conf
+        echo "Automatically added, please verify. Otherwise follow these instructions."
+        echo
+    fi
+fi
+
+echo  "Paste this to your vhost in order to enable auth :"
+echo  "        auth_basic \"Who's this?\";"
+echo  "        auth_basic_user_file /passwds/$NAME.htpasswd;"
+echo
+
+if [ "$ADD" == "y" ]; then
+    while [[ "$RELOAD" !=  "y" && "$RELOAD" != "n" ]]; do
+        read -p "Reload nginx now? [y/n]: " RELOAD
+    done
+
+    if [ "$RELOAD" == "y" ]; then
+        su-exec $UID:$GID nginx -s reload
+        echo "nginx successfully reloaded."
+    else
+        echo "Restart manually nginx to enable authentication."
+    fi
+fi
+
+exit 0

boring-nginx/rootfs/usr/local/bin/ngxproxy

@@ -0,0 +1,181 @@
+#!/bin/sh
+
+echo
+echo "Welcome to ngxproxy utility."
+echo "We're about to create a new virtual host (AKA server block)."
+echo
+
+while [ "$NAME" == "" ]; do
+    read -p "Name: " NAME
+done
+
+if [ -f "/sites-enabled/$NAME.conf" ]; then
+    echo "ERROR: /sites-enabled/$NAME.conf already exists."
+    exit 1
+fi
+
+while [ "$DOMAIN" == "" ]; do
+    read -p "Domain: " DOMAIN
+done
+
+if [ "$(dig +short $DOMAIN)" == "" ]; then
+    echo "WARNING: $DOMAIN couldn't be resolved: it may not work!"
+    echo "HINT: Is this domain correct? Did you update your DNS zone?"
+fi
+
+read -p "Webroot (default is /): " WEBROOT
+
+if [ "$WEBROOT" == "" ]; then
+    WEBROOT="/"
+elif [ "$WEBROOT" != "/" ]; then
+    echo "WARNING: You might have to add a proxy header to get your custom webroot working."
+
+    while [[ "$CONFIGURE_WEBROOT" !=  "y" && "$CONFIGURE_WEBROOT" != "n" ]]; do
+        read -p "Is it required (by the app) to configure it? [y/n]: " CONFIGURE_WEBROOT
+    done
+
+    if [ "$CONFIGURE_WEBROOT" == "y" ]; then
+        while [ "$WEBROOT_HEADER" == "" ]; do
+            read -p "Type the required proxy_set_header (like X-Script-Name): " WEBROOT_HEADER
+        done
+    fi
+fi
+
+while [ "$CONTAINER" == "" ]; do
+    read -p "Container: " CONTAINER
+done
+
+ping -c 1 $CONTAINER >/dev/null 2>&1
+
+if [ "$?" != "0" ]; then
+    echo "WARNING: $CONTAINER seems to be unavailable. It may not work!"
+    echo "HINT: Did you correctly link the container?"
+fi
+
+read -p "Port (default is 80): " PORT
+
+if [ "$PORT" == "" ]; then
+    PORT="80"
+elif ! [ "$PORT" -eq "$PORT" ] 2>/dev/null; then
+    echo "ERROR: an integer value was expected."
+    exit 1
+elif [ "$PORT" -gt "65535" ]; then
+    echo "ERROR: $PORT exceeds the maximum TCP port which is 65535"
+    exit 1
+fi
+
+while [[ "$HTTPS" !=  "y" && "$HTTPS" != "n" ]]; do
+    read -p "HTTPS [y/n]: " HTTPS
+done
+
+if [ "$HTTPS" == "y" ]; then
+    while [ ! -f "$CERTIFICATE_PATH" ]; do
+        read -p "Certificate path: " CERTIFICATE_PATH
+    done
+
+    while [ ! -f "$KEY_PATH" ]; do
+        read -p "Certificate key path: " KEY_PATH
+    done
+
+    cp -f /etc/nginx/conf/vhost_https.conf /tmp/${NAME}.conf
+
+    sed -i \
+        -e "s|<CERTIFICATE_PATH>|$CERTIFICATE_PATH|g" \
+        -e "s|<KEY_PATH>|$KEY_PATH|g" \
+        /tmp/$NAME.conf
+
+    while [[ "$HEADERS" !=  "y" && "$HEADERS" != "n" ]]; do
+        read -p "Secure headers [y/n]: " HEADERS
+    done
+
+    if [ "$HEADERS" == "y" ]; then
+        sed -i 's|#include /etc/nginx/conf/headers_params|include /etc/nginx/conf/headers_params|g' /tmp/$NAME.conf
+    fi
+
+    while [[ "$HSTS" !=  "y" && "$HSTS" != "n" ]]; do
+        read -p "Enable HSTS header ? [y/n]: " HSTS
+    done
+
+    if [ "$HSTS" == "y" ]; then
+
+        read -p "Max-age in seconds (default is 31536000): " HSTS_MAX_AGE
+
+        if [ "$HSTS_MAX_AGE" == "" ]; then
+            HSTS_MAX_AGE="31536000"
+        elif ! [ "$HSTS_MAX_AGE" -eq "$HSTS_MAX_AGE" ] 2>/dev/null; then
+            echo "ERROR: an integer value was expected."
+            exit 1
+        fi
+
+        while [[ "$HSTS_SUBDOMAINS" !=  "y" && "$HSTS_SUBDOMAINS" != "n" ]]; do
+            read -p "Include subdomains ? [y/n]: " HSTS_SUBDOMAINS
+        done
+
+        if [ "$HSTS_SUBDOMAINS" == "y" ]; then
+            HSTS_SUBDOMAINS="includeSubDomains;"
+        else
+            HSTS_SUBDOMAINS=""
+        fi
+
+        while [[ "$HSTS_PRELOAD" !=  "y" && "$HSTS_PRELOAD" != "n" ]]; do
+            read -p "Enable preload list mechanism ? [y/n]: " HSTS_PRELOAD
+        done
+
+        if [ "$HSTS_PRELOAD" == "y" ]; then
+            HSTS_PRELOAD="preload"
+        else
+            HSTS_PRELOAD=""
+        fi
+
+        sed -i \
+            -e 's/#add_header/add_header/g' \
+            -e "s/<HSTS_MAX_AGE>/$HSTS_MAX_AGE/g" \
+            -e "s/<HSTS_SUBDOMAINS>/$HSTS_SUBDOMAINS/g" \
+            -e "s/<HSTS_PRELOAD>/$HSTS_PRELOAD/g" /tmp/$NAME.conf
+    fi
+else
+    cp -f /etc/nginx/conf/vhost_http.conf /tmp/${NAME}.conf
+fi
+
+while [ "$MAX_BODY_SIZE" == "" ]; do
+    read -p "Max body size in MB (integer/null): " MAX_BODY_SIZE
+done
+
+if ! [ "$MAX_BODY_SIZE" -eq "$MAX_BODY_SIZE" ] 2>/dev/null && [ "$MAX_BODY_SIZE" != "null" ]; then
+    echo "ERROR: Incorrect value."
+    exit 1
+fi
+
+if [ "$MAX_BODY_SIZE" != "null" ]; then
+    sed -i "s|#client_max_body_size <MAX_BODY_SIZE>|client_max_body_size $MAX_BODY_SIZE|g" /tmp/$NAME.conf
+fi
+
+if [ "$CONFIGURE_WEBROOT" == "y" ]; then
+    sed -i "/proxy_pass/a \ \ \ \ proxy_set_header $WEBROOT_HEADER $WEBROOT;" /tmp/$NAME.conf
+fi
+
+sed -i \
+    -e "s|<DOMAIN>|$DOMAIN|g" \
+    -e "s|<CONTAINER>|$CONTAINER|g" \
+    -e "s|<PORT>|$PORT|g" \
+    -e "s|<WEBROOT>|$WEBROOT|g" \
+    /tmp/$NAME.conf
+
+mv /tmp/$NAME.conf /sites-enabled/
+
+echo
+echo "Done! $NAME.conf has been generated."
+
+while [[ "$RELOAD" !=  "y" && "$RELOAD" != "n" ]]; do
+    read -p "Reload nginx now? [y/n]: " RELOAD
+done
+
+if [ "$RELOAD" == "y" ]; then
+    su-exec $UID:$GID nginx -s reload
+    echo "nginx successfully reloaded."
+else
+    echo "Restart manually nginx to enable this new vhost."
+fi
+
+echo
+exit 0

boring-nginx/rootfs/usr/local/bin/run.sh

@@ -0,0 +1,4 @@
+#!/bin/sh
+chown -R $UID:$GID /etc/nginx /var/log/nginx /sites-enabled /conf.d /certs /www /tmp
+chmod -R 700 /certs
+exec su-exec $UID:$GID /sbin/tini -- nginx