diff --git a/reverse/Dockerfile b/reverse/Dockerfile deleted file mode 100644 index 6d7369b..0000000 --- a/reverse/Dockerfile +++ /dev/null @@ -1,128 +0,0 @@ -FROM alpine:3.3 -MAINTAINER Wonderfall - -ARG NGINX_VERSION=1.11.0 -ARG OPENSSL_VERSION=1.0.2h -ARG SIGNATURE=secret -ARG BUILD_CORES - -ARG GPG_matt="8657 ABB2 60F0 56B1 E519 0839 D9C4 D26D 0E60 4491" -ARG GPG_mdounin="B0F4 2533 73F8 F6F5 10D4 2178 520A 9993 A1C0 52F8" - -ENV UID=991 GID=991 - -RUN echo "@commuedge http://nl.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories \ - && NB_CORES=${BUILD_CORES-$(getconf _NPROCESSORS_CONF)} \ - && BUILD_DEPS=" \ - build-base \ - linux-headers \ - ca-certificates \ - automake \ - autoconf \ - git \ - tar \ - libtool \ - pcre-dev \ - zlib-dev \ - binutils \ - gnupg" \ - && apk -U add \ - ${BUILD_DEPS} \ - pcre \ - zlib \ - libgcc \ - libstdc++ \ - su-exec \ - openssl \ - tini@commuedge \ - && cd /tmp && git clone https://github.com/bagder/libbrotli && cd libbrotli \ - && ./autogen.sh && ./configure && make -j ${NB_CORES} && make install \ - && mkdir /tmp/ngx_brotli && cd /tmp/ngx_brotli \ - && wget -qO- https://github.com/google/ngx_brotli/archive/master.tar.gz | tar xz --strip 1 \ - && cd /tmp \ - && OPENSSL_TARBALL="openssl-${OPENSSL_VERSION}.tar.gz" \ - && wget -q https://www.openssl.org/source/${OPENSSL_TARBALL} \ - && echo "Verifying both integrity and authenticity of ${OPENSLL_TARBALL} using GPG..." \ - && wget -q https://www.openssl.org/source/${OPENSSL_TARBALL}.asc \ - && wget -q https://www.openssl.org/source/${OPENSSL_TARBALL}.sha256 \ - && echo "$(cat ${OPENSSL_TARBALL}.sha256) ${OPENSSL_TARBALL}" > ${OPENSSL_TARBALL}.sha256 \ - && CHECKSUM_STATE=$(echo -n $(sha256sum -c ${OPENSSL_TARBALL}.sha256) | tail -c 2) \ - && if [ "${CHECKSUM_STATE}" != "OK" ]; then echo "Warning! Checksum does not match!" && exit 1; fi \ - && gpg --recv-keys 0E604491 \ - && FINGERPRINT="$(LANG=C gpg --verify ${OPENSSL_TARBALL}.asc ${OPENSSL_TARBALL} 2>&1 \ - | sed -n "s#Primary key fingerprint: \(.*\)#\1#p")" \ - && if [ -z "${FINGERPRINT}" ]; then echo "Warning! Invalid GPG signature!" && exit 1; fi \ - && if [ "${FINGERPRINT}" != "${GPG_matt}" ]; then echo "Warning! Wrong GPG fingerprint!" && exit 1; fi \ - && echo "All seems good, now unpacking ${OPENSSL_TARBALL}..." \ - && tar xzf ${OPENSSL_TARBALL} && cd openssl-${OPENSSL_VERSION} \ - && wget https://raw.githubusercontent.com/cloudflare/sslconfig/master/patches/openssl__chacha20_poly1305_draft_and_rfc_ossl102g.patch -O chacha.patch \ - && patch -p1 < chacha.patch \ - && ./config \ - && cd /tmp \ - && NGINX_TARBALL="nginx-${NGINX_VERSION}.tar.gz" \ - && wget -q http://nginx.org/download/${NGINX_TARBALL} \ - && echo "Verifying ${NGINX_TARBALL} using GPG..." \ - && wget -q http://nginx.org/download/${NGINX_TARBALL}.asc \ - && wget -q http://nginx.org/keys/mdounin.key \ - && gpg --import mdounin.key \ - && FINGERPRINT="$(LANG=C gpg --verify ${NGINX_TARBALL}.asc ${NGINX_TARBALL} 2>&1 \ - | sed -n "s#Primary key fingerprint: \(.*\)#\1#p")" \ - && if [ -z "${FINGERPRINT}" ]; then echo "Warning! Invalid GPG signature!" && exit 1; fi \ - && if [ "${FINGERPRINT}" != "${GPG_mdounin}" ]; then echo "Warning! Wrong GPG fingerprint!" && exit 1; fi \ - && echo "All seems good, now unpacking ${NGINX_TARBALL}..." \ - && tar xzf ${NGINX_TARBALL} && cd nginx-${NGINX_VERSION} \ - && sed -i -e "s/\"Server: nginx\" CRLF/\"Server: ${SIGNATURE}\" CRLF/g" \ - -e "s/\"Server: \" NGINX_VER CRLF/\"Server: ${SIGNATURE}\" NGINX_VER CRLF/g" \ - src/http/ngx_http_header_filter_module.c \ - && ./configure \ - --with-http_ssl_module \ - --with-http_v2_module \ - --with-http_gzip_static_module \ - --with-http_stub_status_module \ - --with-openssl=/tmp/openssl-${OPENSSL_VERSION} \ - --with-openssl-opt='no-ssl2 no-ssl3 no-camellia no-dsa no-rc2 no-rc4 no-rc5 no-md2 no-md4 no-krb5 no-comp no-idea no-shared enable-ec_nistp_64_gcc_128 -DOPENSSL_NO_HEARTBEATS -fstack-protector-strong' \ - --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security' \ - --with-ld-opt='-lrt' \ - --with-file-aio \ - --with-threads \ - --without-http_ssi_module \ - --without-http_scgi_module \ - --without-http_uwsgi_module \ - --without-http_fastcgi_module \ - --without-http_geo_module \ - --without-http_autoindex_module \ - --without-http_map_module \ - --without-http_split_clients_module \ - --without-http_memcached_module \ - --without-http_empty_gif_module \ - --without-http_browser_module \ - --prefix=/etc/nginx \ - --http-proxy-temp-path=/tmp/proxy-temp \ - --http-log-path=/var/log/nginx/access.log \ - --error-log-path=/var/log/nginx/error.log \ - --sbin-path=/usr/local/sbin/nginx \ - --add-module=/tmp/ngx_brotli \ - && make -j ${NB_CORES} && make install \ - && make clean \ - && strip -s /usr/local/sbin/nginx \ - && apk del ${BUILD_DEPS} \ - && rm -rf /tmp/* /var/cache/apk/* - -COPY nginx.conf /etc/nginx/conf/nginx.conf -COPY run.sh /usr/local/bin/run.sh -COPY ngxpasswd /usr/local/bin/ngxpasswd -COPY ssl_params /etc/nginx/conf/ssl_params -COPY headers_params /etc/nginx/conf/headers_params -COPY proxy_params /etc/nginx/conf/proxy_params - -RUN chmod +x /usr/local/bin/* - -EXPOSE 8000 4430 - -VOLUME /sites-enabled /conf.d /passwds /certs /var/log/nginx - -LABEL description="Secure reverse proxy using nginx" \ - openssl="OpenSSL v${OPENSSL_VERSION}" \ - nginx="nginx v${NGINX_VERSION}" - -CMD ["/sbin/tini","--","run.sh"] diff --git a/reverse/README.md b/reverse/README.md deleted file mode 100644 index ab9aaf7..0000000 --- a/reverse/README.md +++ /dev/null @@ -1,47 +0,0 @@ -## wonderfall/reverse - -![](https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/115px-Nginx_logo.svg.png) - -![](https://upload.wikimedia.org/wikipedia/commons/thumb/a/a1/OpenSSL_logo.png/220px-OpenSSL_logo.png) - -#### What is this? -It is nginx statically linked against a custom OpenSSL build, with embedded Brotli support. Secured by default (no root processes, even the master one), it should be safe to use... - -#### Features -- Based on Alpine Linux. -- nginx built against OpenSSL. -- OpenSSL : no weak algorithms. -- OpenSSL : ChaCha20 ciphers support. -- nginx : HTTP/2 (+NPN) support. -- nginx : Brotli compression support (and configured). -- nginx : no root master process. -- nginx : AIO Threads support. -- nginx : no unnessary modules. -- nginx : optimized configuration. - -#### Notes -It is required to chown your certs files with the right uid/pid and change the `listen` directive to 8000/4430 instead of 80/443. Linux 3.17+, and the latest Docker stable are recommended. - -#### Volumes -- **/sites-enabled** : vhosts files (*.conf) -- **/conf.d** : additional configuration files -- **/certs** : SSL/TLS certificates -- **/var/log/nginx** : nginx logs -- **/passwds** : authentication files - -#### Build-time variables -- **NGINX_VERSION** : version of nginx -- **OPENSSL_VERSION** : version of LibreSSL - -#### Environment variables -- **GID** : nginx group id *(default : 991)* -- **UID** : nginx user id *(default : 991)* - -#### How to use it? -https://github.com/hardware/mailserver/wiki/Reverse-proxy-configuration - -Some configuration files located in `/etc/nginx/conf` are already provided, you can use them with the `include` directive. - -- `ssl_params` : TLS (1.0, 1.1, 1.2), CHACHA20, AES 256/128. Nice balance between compatibility and security. -- `headers_params` : HSTS (+ preload), XSS protection... -- `proxy_params` : useful with `proxy_pass`. diff --git a/reverse/headers_params b/reverse/headers_params deleted file mode 100644 index 1f3c409..0000000 --- a/reverse/headers_params +++ /dev/null @@ -1,4 +0,0 @@ -add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; -add_header X-Frame-Options SAMEORIGIN; -add_header X-Content-Type-Options nosniff; -add_header X-XSS-Protection "1; mode=block"; diff --git a/reverse/nginx.conf b/reverse/nginx.conf deleted file mode 100644 index 4697cc8..0000000 --- a/reverse/nginx.conf +++ /dev/null @@ -1,80 +0,0 @@ -worker_processes auto; -pid /var/run/nginx.pid; -daemon off; - -events { - worker_connections 2048; - use epoll; -} - -http { - limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m; - limit_conn limit_per_ip 64; - limit_req_zone $binary_remote_addr zone=allips:10m rate=150r/s; - limit_req zone=allips burst=150 nodelay; - - include /etc/nginx/conf/mime.types; - default_type application/octet-stream; - - access_log /var/log/nginx/access.log combined; - error_log /var/log/nginx/error.log crit; - - client_body_buffer_size 10K; - client_header_buffer_size 1k; - client_max_body_size 8m; - large_client_header_buffers 2 1k; - - aio threads; - sendfile on; - keepalive_timeout 15; - keepalive_disable msie6; - keepalive_requests 100; - tcp_nopush on; - tcp_nodelay on; - server_tokens off; - - gzip on; - gzip_comp_level 5; - gzip_min_length 512; - gzip_buffers 4 8k; - gzip_proxied any; - gzip_vary on; - gzip_disable "msie6"; - gzip_types - text/css - text/javascript - text/xml - text/plain - text/x-component - application/javascript - application/x-javascript - application/json - application/xml - application/rss+xml - application/vnd.ms-fontobject - font/truetype - font/opentype - image/svg+xml; - - brotli on; - brotli_static on; - brotli_buffers 16 8k; - brotli_comp_level 6; - brotli_types - text/css - text/javascript - text/xml - text/plain - text/x-component - application/javascript - application/x-javascript - application/json - application/xml - application/rss+xml - application/vnd.ms-fontobject - font/truetype - font/opentype - image/svg+xml; - - include /sites-enabled/*.conf; -} diff --git a/reverse/ngxpasswd b/reverse/ngxpasswd deleted file mode 100644 index 03e834b..0000000 --- a/reverse/ngxpasswd +++ /dev/null @@ -1,42 +0,0 @@ -#!/bin/sh -NAME="$1" -USER="$2" -PASSWORD="$3" - -cd /passwds || exit 1 - -if [ -z "$NAME" ]; then - echo "Service name must be defined" 1>&2 - exit 1 -elif [ -f $NAME.htpasswd ]; then - echo "$NAME.htpasswd exists, aborting" 1>&2 - exit 1 -fi - -if [ -z "$USER" ]; then - echo "User must be defined" 1>&2 - exit 1 -fi - -if [ -z "$PASSWORD" ]; then - PASSWORD=`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1` - echo "Password was not defined, generating a random one..." -fi - -echo -n $USER:`openssl passwd -apr1 $PASSWORD` >> $NAME.htpasswd -chown $UID:$GID $NAME.htpasswd -chmod 640 $NAME.htpasswd - -echo -echo "A new password file has been saved to /passwds/$NAME.htpasswd :" -echo "- Service : $NAME" -echo "- User : $USER" -echo "- Password : $PASSWORD" -echo -echo "Paste this to your vhost in order to enable auth :" -echo " auth_basic \"Who's this?\";" -echo " auth_basic_user_file /passwds/$NAME.htpasswd;" -echo -echo "Done." - -exit 0 diff --git a/reverse/proxy_params b/reverse/proxy_params deleted file mode 100644 index 6f9827e..0000000 --- a/reverse/proxy_params +++ /dev/null @@ -1,6 +0,0 @@ -proxy_set_header Host $host; -proxy_set_header X-Real-IP $remote_addr; -proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; -proxy_set_header X-Remote-Port $remote_port; -proxy_set_header X-Forwarded-Proto $scheme; -proxy_redirect off; diff --git a/reverse/run.sh b/reverse/run.sh deleted file mode 100644 index b52ee90..0000000 --- a/reverse/run.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/sh -touch /var/run/nginx.pid -chown -R $UID:$GID /etc/nginx /var/log/nginx /var/run/nginx.pid /sites-enabled /conf.d /certs -chmod -R 700 /certs -su-exec $UID:$GID nginx diff --git a/reverse/ssl_params b/reverse/ssl_params deleted file mode 100644 index 7d516de..0000000 --- a/reverse/ssl_params +++ /dev/null @@ -1,8 +0,0 @@ -ssl_protocols TLSv1 TLSv1.1 TLSv1.2; -ssl_ecdh_curve brainpoolP512r1:sect571r1:secp521r1:secp384r1; -ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305-D:ECDHE-RSA-CHACHA20-POLY1305-D:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA256'; -ssl_prefer_server_ciphers on; - -ssl_session_cache shared:SSL:20m; -ssl_session_timeout 15m; -ssl_session_tickets off; diff --git a/selfoss/Dockerfile b/selfoss/Dockerfile deleted file mode 100644 index b3014ca..0000000 --- a/selfoss/Dockerfile +++ /dev/null @@ -1,47 +0,0 @@ -FROM alpine:3.3 -MAINTAINER Wonderfall - -ENV GID=991 UID=991 VERSION=2.15 - -RUN echo "@commuedge http://nl.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories \ - && echo "@testing http://nl.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories \ - && echo "@edge http://nl.alpinelinux.org/alpine/edge/main" >> /etc/apk/repositories \ - && apk -U add \ - musl \ - nginx \ - libwebp@edge \ - php7@testing \ - php7-fpm@testing \ - php7-gd@testing \ - php7-json@testing \ - php7-zlib@testing \ - php7-xml@testing \ - php7-dom@testing \ - php7-curl@testing \ - php7-iconv@testing \ - php7-mcrypt@testing \ - php7-pdo_sqlite@testing \ - php7-ctype@testing \ - php7-session@testing \ - supervisor \ - ca-certificates \ - tini@commuedge \ - && rm -f /var/cache/apk/* \ - && sed -i -e 's/max_execution_time = 30/max_execution_time = 300/' /etc/php7/php.ini - -RUN wget -q https://github.com/SSilence/selfoss/releases/download/$VERSION/selfoss-$VERSION.zip -P /tmp \ - && mkdir /selfoss && unzip -q /tmp/selfoss-$VERSION.zip -d /selfoss \ - && sed -i -e 's/base_url=/base_url=\//g' /selfoss/defaults.ini \ - && rm -rf /tmp/* - -COPY nginx.conf /etc/nginx/nginx.conf -COPY php-fpm.conf /etc/php7/php-fpm.conf -COPY supervisord.conf /etc/supervisor/supervisord.conf -COPY startup /usr/local/bin/startup -COPY cron /etc/periodic/15min/selfoss - -RUN chmod +x /usr/local/bin/startup /etc/periodic/15min/selfoss - -VOLUME /selfoss/data -EXPOSE 80 -CMD ["/sbin/tini","--","startup"] diff --git a/selfoss/README.md b/selfoss/README.md deleted file mode 100644 index 786252f..0000000 --- a/selfoss/README.md +++ /dev/null @@ -1,45 +0,0 @@ -# wonderfall/selfoss - -![selfoss](https://i.imgur.com/8hJyBgk.png "selfoss") - -The new multipurpose rss reader, live stream, mashup, aggregation web application. - -### Requirement - -- Docker 1.0 or higher - -### How to use - -``` -docker run -d \ - --name selfoss \ - -p 80:80 \ - -v /mnt/docker/selfoss:/selfoss/data \ - hardware/selfoss -``` - -### Environment variables - -- **VERSION** = selfoss version (*optional*, default: 2.15) -- **GID** = selfoss user id (*optional*, default: 991) -- **UID** = selfoss group id (*optional*, default: 991) - -### Docker-compose - -#### Docker-compose.yml - -``` -selfoss: - image: hardware/selfoss - container_name: selfoss - ports: - - "80:80" - volumes: - - /mnt/docker/selfoss:/selfoss/data -``` - -#### Run ! - -``` -docker-compose up -d -``` diff --git a/selfoss/cron b/selfoss/cron deleted file mode 100644 index 5b27503..0000000 --- a/selfoss/cron +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/sh -su - selfoss -c "php7 -f /selfoss/cliupdate.php" > /dev/null 2>&1 diff --git a/selfoss/nginx.conf b/selfoss/nginx.conf deleted file mode 100644 index 5aa2fc0..0000000 --- a/selfoss/nginx.conf +++ /dev/null @@ -1,81 +0,0 @@ -user selfoss; -worker_processes auto; -pid /var/run/nginx.pid; -daemon off; - -events { - worker_connections 1024; - use epoll; -} - -http { - - include /etc/nginx/mime.types; - default_type application/octet-stream; - - access_log /var/log/nginx/access.log combined; - error_log /var/log/nginx/error.log error; - - sendfile on; - keepalive_timeout 15; - keepalive_disable msie6; - keepalive_requests 100; - tcp_nopush on; - tcp_nodelay off; - server_tokens off; - - gzip on; - gzip_comp_level 5; - gzip_min_length 512; - gzip_buffers 4 8k; - gzip_proxied any; - gzip_vary on; - gzip_disable "msie6"; - gzip_types - text/css - text/javascript - text/xml - text/plain - text/x-component - application/javascript - application/x-javascript - application/json - application/xml - application/rss+xml - application/vnd.ms-fontobject - font/truetype - font/opentype - image/svg+xml; - - server { - listen 80; - root /selfoss; - index index.php; - charset utf-8; - - location ~ ^/favicons/.*$ { - try_files $uri /data/$uri; - } - - location ~ ^/thumbnails/.*$ { - try_files $uri /data/$uri; - } - - location ~* ^/(data\/logs|data\/sqlite|config\.ini|\.ht) { - deny all; - } - - location / { - try_files $uri /public/$uri /index.php$is_args$args; - } - - location ~* \.php$ { - try_files $uri =404; - fastcgi_index index.php; - fastcgi_pass unix:/var/run/php-fpm.sock; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - include /etc/nginx/fastcgi_params; - } - } - -} \ No newline at end of file diff --git a/selfoss/php-fpm.conf b/selfoss/php-fpm.conf deleted file mode 100644 index 73cac31..0000000 --- a/selfoss/php-fpm.conf +++ /dev/null @@ -1,16 +0,0 @@ -[global] -daemonize = no - -[www] -user = selfoss -group = selfoss -listen = /var/run/php-fpm.sock -listen.owner = selfoss -listen.group = selfoss -pm = dynamic -pm.max_children = 5 -pm.start_servers = 2 -pm.min_spare_servers = 1 -pm.max_spare_servers = 3 -chdir = / -request_terminate_timeout = 300 \ No newline at end of file diff --git a/selfoss/startup b/selfoss/startup deleted file mode 100644 index 723eb0f..0000000 --- a/selfoss/startup +++ /dev/null @@ -1,26 +0,0 @@ -#!/bin/sh - -# Create user and set permission -addgroup -g ${GID} selfoss && adduser -h /selfoss -s /bin/sh -D -G selfoss -u ${UID} selfoss - -# Selfoss custom configuration file -sed -i "s/lkjl1289/`cat \/dev\/urandom | tr -dc 'a-zA-Z' | fold -w 20 | head -n 1`/g" /selfoss/defaults.ini -rm /selfoss/config.ini - -if [ -e /selfoss/data/config.ini ]; then - cp /selfoss/data/config.ini /selfoss/config.ini -else - cp /selfoss/defaults.ini /selfoss/data/config.ini - cp /selfoss/defaults.ini /selfoss/config.ini -fi - -# Init data dir -if [ ! "$(ls -Ad /selfoss/data/*/)" ]; then - cd /selfoss/data/ && mkdir cache favicons logs sqlite thumbnails -fi - -# Set permissions -chown -R selfoss:selfoss /selfoss /var/run/php-fpm.sock /var/lib/nginx /tmp - -# RUN ! -supervisord -c /etc/supervisor/supervisord.conf diff --git a/selfoss/supervisord.conf b/selfoss/supervisord.conf deleted file mode 100644 index bbabd57..0000000 --- a/selfoss/supervisord.conf +++ /dev/null @@ -1,11 +0,0 @@ -[supervisord] -nodaemon=true - -[program:cron] -command=crond -f - -[program:php-fpm] -command=php-fpm7 - -[program:nginx] -command=nginx