hoellen/dockerfiles
1
0
Fork 0
mirror of https://github.com/hoellen/dockerfiles.git synced 2025-04-20 04:19:18 +00:00
Code Issues Projects Releases Wiki Activity

add nginx image

Browse Source
This commit is contained in:
Wonderfall 2016-06-11 11:51:13 +02:00
parent 03a20d45b1
commit 6d4faf4327
11 changed files with 528 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

113
nginx/Dockerfile Normal file
View File

@ -0,0 +1,113 @@
FROM alpine:edge
MAINTAINER Wonderfall <wonderfall@schrodinger.io>
ENV UID=991 GID=991
ARG NGINX_VERSION=1.11.1
ARG GPG_NGINX="B0F4 2533 73F8 F6F5 10D4 2178 520A 9993 A1C0 52F8"
ARG BUILD_CORES
RUN echo "@commuedge http://nl.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories \
&& NB_CORES=${BUILD_CORES-$(getconf _NPROCESSORS_CONF)} \
&& BUILD_DEPS=" \
build-base \
linux-headers \
ca-certificates \
automake \
autoconf \
git \
tar \
libtool \
pcre-dev \
zlib-dev \
binutils \
gnupg" \
&& apk -U add \
${BUILD_DEPS} \
pcre \
zlib \
libgcc \
libstdc++ \
su-exec \
openssl \
bind-tools \
tini@commuedge \
&& cd /tmp \
&& git clone https://github.com/bagder/libbrotli && cd libbrotli \
&& ./autogen.sh && ./configure && make -j ${NB_CORES} && make install \
&& cd /tmp \
&& git clone https://github.com/google/ngx_brotli \
&& git clone https://github.com/openresty/headers-more-nginx-module \
&& git clone https://github.com/openssl/openssl.git && cd openssl && ./config \
&& cd /tmp \
&& NGINX_TARBALL="nginx-${NGINX_VERSION}.tar.gz" \
&& wget -q http://nginx.org/download/${NGINX_TARBALL} \
&& echo "Verifying ${NGINX_TARBALL} using GPG..." \
&& wget -q http://nginx.org/download/${NGINX_TARBALL}.asc \
&& wget -q http://nginx.org/keys/mdounin.key \
&& gpg --import mdounin.key \
&& FINGERPRINT="$(LANG=C gpg --verify ${NGINX_TARBALL}.asc ${NGINX_TARBALL} 2>&1 \
| sed -n "s#Primary key fingerprint: \(.*\)#\1#p")" \
&& if [ -z "${FINGERPRINT}" ]; then echo "Warning! Invalid GPG signature!" && exit 1; fi \
&& if [ "${FINGERPRINT}" != "${GPG_NGINX}" ]; then echo "Warning! Wrong GPG fingerprint!" && exit 1; fi \
&& echo "All seems good, now unpacking ${NGINX_TARBALL}..." \
&& tar xzf ${NGINX_TARBALL} && cd nginx-${NGINX_VERSION} \
&& wget https://raw.githubusercontent.com/felixbuenemann/sslconfig/b8ebac6a337e8e4e373dfee76e7dfac3cc6c56e6/patches/nginx_1_9_15_http2_spdy.patch -O spdy.patch \
&& patch -p1 < spdy.patch \
&& wget https://raw.githubusercontent.com/cloudflare/sslconfig/master/patches/nginx__dynamic_tls_records.patch \
&& patch -p1 < nginx__dynamic_tls_records.patch \
&& ./configure \
--prefix=/etc/nginx \
--sbin-path=/usr/sbin/nginx \
--with-cc-opt='-O3 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security' \
--with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro' \
--with-openssl=/tmp/openssl \
--with-openssl-opt='no-ssl3 no-camellia no-dsa no-rc2 no-rc4 no-rc5 no-md2 no-md4 no-comp no-idea no-shared enable-ec_nistp_64_gcc_128 -DOPENSSL_NO_HEARTBEATS -D_FORTIFY_SOURCE=2 -fstack-protector-strong' \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_spdy_module \
--with-http_gzip_static_module \
--with-http_stub_status_module \
--with-file-aio \
--with-threads \
--with-pcre-jit \
--without-http_ssi_module \
--without-http_scgi_module \
--without-http_uwsgi_module \
--without-http_geo_module \
--without-http_autoindex_module \
--without-http_map_module \
--without-http_split_clients_module \
--without-http_memcached_module \
--without-http_empty_gif_module \
--without-http_browser_module \
--http-log-path=/var/log/nginx/access.log \
--error-log-path=/var/log/nginx/error.log \
--add-module=/tmp/headers-more-nginx-module \
--add-module=/tmp/ngx_brotli \
&& make -j ${NB_CORES} && make install && make clean \
&& strip -s /usr/sbin/nginx \
&& apk del ${BUILD_DEPS} \
&& rm -rf /tmp/* /var/cache/apk/* /root/.gnupg
COPY nginx.conf /etc/nginx/conf/nginx.conf
COPY run.sh /usr/local/bin/run.sh
COPY ngxpasswd /usr/local/bin/ngxpasswd
COPY ngxproxy /usr/local/bin/ngxproxy
COPY vhost_http.conf /etc/nginx/conf/vhost_http.conf
COPY vhost_https.conf /etc/nginx/conf/vhost_https.conf
COPY ssl_params /etc/nginx/conf/ssl_params
COPY headers_params /etc/nginx/conf/headers_params
COPY proxy_params /etc/nginx/conf/proxy_params
RUN chmod +x /usr/local/bin/*
EXPOSE 8000 4430
VOLUME /sites-enabled /www /conf.d /passwds /certs /var/log/nginx
LABEL description="Secure nginx built from source." \
openssl="BoringSSL (date of the container)." \
nginx="nginx ${NGINX_VERSION}."
CMD ["/sbin/tini","--","run.sh"]

51
nginx/README.md Normal file
View File

@ -0,0 +1,51 @@
## wonderfall/boring-nginx
![](https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/115px-Nginx_logo.svg.png)
#### What is this?
It is nginx statically linked against BoringSSL, with embedded Brotli support. Secured by default (no root processes, even the master one), it should be safe to use...
#### Features
- Based on Alpine Linux.
- nginx built against **BoringSSL**.
- nginx : securely built using hardening gcc flags.
- nginx : HTTP/2 (+NPN) support.
- nginx : Brotli compression support (and configured).
- nginx : no root master process.
- nginx : AIO Threads support.
- nginx : no unnessary modules (except fastcgi).
- nginx : pcre jit enabled.
- nginx : optimized configuration.
- ngxpasswd : generates a htpasswd file easily.
- ngxproxy : generates a *proxy vhost* after asking you a few questions.
#### Notes
It is required to chown your certs files with the right uid/pid and change the `listen` directive to 8000/4430 instead of 80/443. Linux 3.17+, and the latest Docker stable are recommended.
#### Volumes
- **/sites-enabled** : vhosts files (*.conf)
- **/conf.d** : additional configuration files
- **/certs** : SSL/TLS certificates
- **/var/log/nginx** : nginx logs
- **/passwds** : authentication files
- **/www** : put your websites there
#### Build-time variables
- **NGINX_VERSION** : version of nginx
- **GPG_NGINX** : fingerprint of signing key package
- **SIGNATURE** : HTTP signature of nginx, default is *secret*
#### Environment variables
- **GID** : nginx group id *(default : 991)*
- **UID** : nginx user id *(default : 991)*
#### How to use it?
https://github.com/hardware/mailserver/wiki/Reverse-proxy-configuration
You can use `ngxproxy` to generate a *vhost* through an easy process : `docker exec -ti nginx ngxproxy`. `ngxpasswd` can generate htpasswd files : `docker exec -ti nginx ngxpasswd`. Both utilites are interactive so you won't feel lost.
Some configuration files located in `/etc/nginx/conf` are already provided, you can use them with the `include` directive.
- `ssl_params` : Provides a nice balance between compatibility and security.
- `headers_params` : HSTS (+ preload), XSS protection, etc.
- `proxy_params` : use with `proxy_pass`.

3
nginx/headers_params Normal file
View File

@ -0,0 +1,3 @@
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

85
nginx/nginx.conf Normal file
View File

@ -0,0 +1,85 @@
worker_processes auto;
pid /var/run/nginx.pid;
daemon off;
pcre_jit on;
events {
worker_connections 2048;
use epoll;
}
http {
limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
limit_conn limit_per_ip 128;
limit_req_zone $binary_remote_addr zone=allips:10m rate=150r/s;
limit_req zone=allips burst=150 nodelay;
include /etc/nginx/conf/mime.types;
default_type application/octet-stream;
access_log /var/log/nginx/access.log combined;
error_log /var/log/nginx/error.log crit;
fastcgi_temp_path /tmp/fastcgi 1 2;
proxy_temp_path /tmp/proxy 1 2;
client_body_temp_path /tmp/client_body 1 2;
client_body_buffer_size 10K;
client_header_buffer_size 1k;
client_max_body_size 8m;
large_client_header_buffers 2 1k;
aio threads;
sendfile on;
keepalive_timeout 15;
keepalive_disable msie6;
keepalive_requests 100;
tcp_nopush on;
tcp_nodelay on;
server_tokens off;
gzip on;
gzip_comp_level 5;
gzip_min_length 512;
gzip_buffers 4 8k;
gzip_proxied any;
gzip_vary on;
gzip_disable "msie6";
gzip_types
text/css
text/javascript
text/xml
text/plain
text/x-component
application/javascript
application/x-javascript
application/json
application/xml
application/rss+xml
application/vnd.ms-fontobject
font/truetype
font/opentype
image/svg+xml;
brotli on;
brotli_static on;
brotli_buffers 16 8k;
brotli_comp_level 6;
brotli_types
text/css
text/javascript
text/xml
text/plain
text/x-component
application/javascript
application/x-javascript
application/json
application/xml
application/rss+xml
application/vnd.ms-fontobject
font/truetype
font/opentype
image/svg+xml;
include /sites-enabled/*.conf;
}

76
nginx/ngxpasswd Normal file
View File

@ -0,0 +1,76 @@
#!/bin/sh
echo
echo "Welcome to ngxpasswd utility."
echo "We're about to create a password file."
echo
cd /passwds || exit 1
while [ "$NAME" == "" ]; do
read -p "Name: " NAME
done
if [ -f "/passwds/$NAME.htpasswd" ]; then
echo "ERROR: /passwds/$NAME.htpasswd already exists."
exit 1
fi
while [ "$USER" == "" ]; do
read -p "User: " USER
done
read -p "Password (leave blank to generate one): " PASSWORD
if [ "$PASSWORD" == "" ]; then
echo "Password was not defined, generating a random one..."
PASSWORD=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)
elif [ ${#PASSWORD} -le 6 ]; then
echo "WARNING: Non-secure password."
fi
echo -n $USER:$(openssl passwd -apr1 $PASSWORD) >> $NAME.htpasswd
chown $UID:$GID $NAME.htpasswd
chmod 640 $NAME.htpasswd
echo
echo "A new password file has been saved to /passwds/$NAME.htpasswd :"
echo "- Service : $NAME"
echo "- User : $USER"
echo "- Password : $PASSWORD"
echo
if [ -f "/sites-enabled/$NAME.conf" ] && grep -q '#auth' /sites-enabled/$NAME.conf; then
echo "vhost at /sites-enabled/$NAME.conf detected."
while [[ "$ADD" != "y" && "$ADD" != "n" ]]; do
read -p "Add authentication to $NAME.conf? [y/n]: " ADD
done
if [ "$ADD" == "y" ]; then
cd /etc/nginx/conf
sed -i -e 's/#auth/auth/g' -e "s/<NAME>/$NAME/g" /sites-enabled/$NAME.conf
echo "Automatically added, please verify. Otherwise follow these instructions."
echo
fi
fi
echo "Paste this to your vhost in order to enable auth :"
echo " auth_basic \"Who's this?\";"
echo " auth_basic_user_file /passwds/$NAME.htpasswd;"
echo
if [ "$ADD" == "y" ]; then
while [[ "$RELOAD" != "y" && "$RELOAD" != "n" ]]; do
read -p "Reload nginx now? [y/n]: " RELOAD
done
if [ "$RELOAD" == "y" ]; then
su-exec $UID:$GID nginx -s reload
echo "nginx successfully reloaded."
else
echo "Restart manually nginx to enable authentication."
fi
fi
exit 0

139
nginx/ngxproxy Normal file
View File

@ -0,0 +1,139 @@
#!/bin/sh
echo
echo "Welcome to ngxproxy utility."
echo "We're about to create a new virtual host (AKA server block)."
echo
while [ "$NAME" == "" ]; do
read -p "Name: " NAME
done
if [ -f "/sites-enabled/$NAME.conf" ]; then
echo "ERROR: /sites-enabled/$NAME.conf already exists."
exit 1
fi
while [ "$DOMAIN" == "" ]; do
read -p "Domain: " DOMAIN
done
if [ "$(dig +short $DOMAIN)" == "" ]; then
echo "WARNING: $DOMAIN couldn't be resolved: it may not work!"
echo "HINT: Is this domain correct? Did you update your DNS zone?"
fi
read -p "Webroot (default is /): " WEBROOT
if [ "$WEBROOT" == "" ]; then
WEBROOT="/"
elif [ "$WEBROOT" != "/" ]; then
echo "WARNING: You might have to add a proxy header to get your custom webroot working."
while [[ "$CONFIGURE_WEBROOT" != "y" && "$CONFIGURE_WEBROOT" != "n" ]]; do
read -p "Is it required (by the app) to configure it? [y/n]: " CONFIGURE_WEBROOT
done
if [ "$CONFIGURE_WEBROOT" == "y" ]; then
while [ "$WEBROOT_HEADER" == "" ]; do
read -p "Type the required proxy_set_header (like X-Script-Name): " WEBROOT_HEADER
done
fi
fi
while [ "$CONTAINER" == "" ]; do
read -p "Container: " CONTAINER
done
ping -c 1 $CONTAINER >/dev/null 2>&1
if [ "$?" != "0" ]; then
echo "WARNING: $CONTAINER seems to be unavailable. It may not work!"
echo "HINT: Did you correctly link the container?"
fi
read -p "Port (default is 80): " PORT
if [ "$PORT" == "" ]; then
PORT="80"
elif ! [ "$PORT" -eq "$PORT" ] 2>/dev/null; then
echo "ERROR: an integer value was expected."
exit 1
elif [ "$PORT" -gt "65535" ]; then
echo "ERROR: $PORT exceeds the maximum TCP port which is 65535"
exit 1
fi
while [[ "$HTTPS" != "y" && "$HTTPS" != "n" ]]; do
read -p "HTTPS [y/n]: " HTTPS
done
if [ "$HTTPS" == "y" ]; then
while [ ! -f "$CERTIFICATE_PATH" ]; do
read -p "Certificate path: " CERTIFICATE_PATH
done
while [ ! -f "$KEY_PATH" ]; do
read -p "Certificate key path: " KEY_PATH
done
cp -f /etc/nginx/conf/vhost_https.conf /tmp/${NAME}.conf
sed -i \
-e "s|<CERTIFICATE_PATH>|$CERTIFICATE_PATH|g" \
-e "s|<KEY_PATH>|$KEY_PATH|g" \
/tmp/$NAME.conf
while [[ "$HEADERS" != "y" && "$HEADERS" != "n" ]]; do
read -p "Secure headers [y/n]: " HEADERS
done
if [ "$HEADERS" == "y" ]; then
sed -i 's|#include /etc/nginx/conf/headers_params|include /etc/nginx/conf/headers_params|g' /tmp/$NAME.conf
fi
else
cp -f /etc/nginx/conf/vhost_http.conf /tmp/${NAME}.conf
fi
while [ "$MAX_BODY_SIZE" == "" ]; do
read -p "Max body size in MB (integer/n): " MAX_BODY_SIZE
done
if ! [ "$MAX_BODY_SIZE" -eq "$MAX_BODY_SIZE" ] 2>/dev/null && [ "$MAX_BODY_SIZE" != "n" ]; then
echo "ERROR: Incorrect value."
exit 1
fi
if [ "$MAX_BODY_SIZE" != "n" ]; then
sed -i "s|#client_max_body_size <MAX_BODY_SIZE>|client_max_body_size $MAX_BODY_SIZE|g" /tmp/$NAME.conf
fi
if [ "$CONFIGURE_WEBROOT" == "y" ]; then
sed -i "/proxy_pass/a \ \ \ \ proxy_set_header $WEBROOT_HEADER $WEBROOT;" /tmp/$NAME.conf
fi
sed -i \
-e "s|<DOMAIN>|$DOMAIN|g" \
-e "s|<CONTAINER>|$CONTAINER|g" \
-e "s|<PORT>|$PORT|g" \
-e "s|<WEBROOT>|$WEBROOT|g" \
/tmp/$NAME.conf
mv /tmp/$NAME.conf /sites-enabled/
echo
echo "Done! $NAME.conf has been generated."
while [[ "$RELOAD" != "y" && "$RELOAD" != "n" ]]; do
read -p "Reload nginx now? [y/n]: " RELOAD
done
if [ "$RELOAD" == "y" ]; then
su-exec $UID:$GID nginx -s reload
echo "nginx successfully reloaded."
else
echo "Restart manually nginx to enable this new vhost."
fi
echo
exit 0

6
nginx/proxy_params Normal file
View File

@ -0,0 +1,6 @@
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Remote-Port $remote_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;

5
nginx/run.sh Normal file
View File

@ -0,0 +1,5 @@
#!/bin/sh
touch /var/run/nginx.pid
chown -R $UID:$GID /etc/nginx /var/log/nginx /var/run/nginx.pid /sites-enabled /conf.d /certs /www /tmp
chmod -R 700 /certs
su-exec $UID:$GID nginx

10
nginx/ssl_params Normal file
View File

@ -0,0 +1,10 @@
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1;
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 15m;
ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

14
nginx/vhost_http.conf Normal file
View File

@ -0,0 +1,14 @@
server {
listen 8000;
server_name <DOMAIN>;
#client_max_body_size <MAX_BODY_SIZE>M;
#auth_basic "Who's this?";
#auth_basic_user_file /passwds/<NAME>.htpasswd;
location <WEBROOT> {
proxy_pass http://<CONTAINER>:<PORT>;
include /etc/nginx/conf/proxy_params;
}
}

26
nginx/vhost_https.conf Normal file
View File

@ -0,0 +1,26 @@
server {
listen 8000;
server_name <DOMAIN>;
return 301 https://$host$request_uri;
}
server {
listen 4430 ssl http2;
server_name <DOMAIN>;
ssl_certificate <CERTIFICATE_PATH>;
ssl_certificate_key <KEY_PATH>;
include /conf.d/ssl_params.conf;
include /etc/nginx/conf/headers_params;
#client_max_body_size <MAX_BODY_SIZE>M;
#auth_basic "Who's this?";
#auth_basic_user_file /passwds/<NAME>.htpasswd;
location <WEBROOT> {
proxy_pass http://<CONTAINER>:<PORT>;
include /etc/nginx/conf/proxy_params;
}
}