remove reverse and selfoss

2025-04-20 04:19:18 +00:00 · 2016-06-02 00:36:51 +02:00 · 2016-06-02 00:36:51 +02:00 · b195951a11
commit b195951a11
parent 064ee897a2
15 changed files with 0 additions and 548 deletions
--- a/reverse/Dockerfile
+++ b/reverse/Dockerfile
@ -1,128 +0,0 @@
 FROM alpine:3.3
 MAINTAINER Wonderfall <wonderfall@schrodinger.io>
 ARG NGINX_VERSION=1.11.0
 ARG OPENSSL_VERSION=1.0.2h
 ARG SIGNATURE=secret
 ARG BUILD_CORES
 ARG GPG_matt="8657 ABB2 60F0 56B1 E519  0839 D9C4 D26D 0E60 4491"
 ARG GPG_mdounin="B0F4 2533 73F8 F6F5 10D4  2178 520A 9993 A1C0 52F8"
 ENV UID=991 GID=991
 RUN echo "@commuedge http://nl.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories \
 && NB_CORES=${BUILD_CORES-$(getconf _NPROCESSORS_CONF)} \
 && BUILD_DEPS=" \
    build-base \
    linux-headers \
    ca-certificates \
    automake \
    autoconf \
    git \
    tar \
    libtool \
    pcre-dev \
    zlib-dev \
    binutils \
    gnupg" \
 && apk -U add \
    ${BUILD_DEPS} \
    pcre \
    zlib \
    libgcc \
    libstdc++ \
    su-exec \
    openssl \
    tini@commuedge \
 && cd /tmp && git clone https://github.com/bagder/libbrotli && cd libbrotli \
 && ./autogen.sh && ./configure && make -j ${NB_CORES} && make install \
 && mkdir /tmp/ngx_brotli && cd /tmp/ngx_brotli \
 && wget -qO- https://github.com/google/ngx_brotli/archive/master.tar.gz | tar xz --strip 1 \
 && cd /tmp \
 && OPENSSL_TARBALL="openssl-${OPENSSL_VERSION}.tar.gz" \
 && wget -q https://www.openssl.org/source/${OPENSSL_TARBALL} \
 && echo "Verifying both integrity and authenticity of ${OPENSLL_TARBALL} using GPG..." \
 && wget -q https://www.openssl.org/source/${OPENSSL_TARBALL}.asc \
 && wget -q https://www.openssl.org/source/${OPENSSL_TARBALL}.sha256 \
 && echo "$(cat ${OPENSSL_TARBALL}.sha256)  ${OPENSSL_TARBALL}" > ${OPENSSL_TARBALL}.sha256 \
 && CHECKSUM_STATE=$(echo -n $(sha256sum -c ${OPENSSL_TARBALL}.sha256) | tail -c 2) \
 && if [ "${CHECKSUM_STATE}" != "OK" ]; then echo "Warning! Checksum does not match!" && exit 1; fi \
 && gpg --recv-keys 0E604491 \
 && FINGERPRINT="$(LANG=C gpg --verify ${OPENSSL_TARBALL}.asc ${OPENSSL_TARBALL} 2>&1 \
  | sed -n "s#Primary key fingerprint: \(.*\)#\1#p")" \
 && if [ -z "${FINGERPRINT}" ]; then echo "Warning! Invalid GPG signature!" && exit 1; fi \
 && if [ "${FINGERPRINT}" != "${GPG_matt}" ]; then echo "Warning! Wrong GPG fingerprint!" && exit 1; fi \
 && echo "All seems good, now unpacking ${OPENSSL_TARBALL}..." \
 && tar xzf ${OPENSSL_TARBALL} && cd openssl-${OPENSSL_VERSION} \
 && wget https://raw.githubusercontent.com/cloudflare/sslconfig/master/patches/openssl__chacha20_poly1305_draft_and_rfc_ossl102g.patch -O chacha.patch \
 && patch -p1 < chacha.patch \
 && ./config \
 && cd /tmp \
 && NGINX_TARBALL="nginx-${NGINX_VERSION}.tar.gz" \
 && wget -q http://nginx.org/download/${NGINX_TARBALL} \
 && echo "Verifying ${NGINX_TARBALL} using GPG..." \
 && wget -q http://nginx.org/download/${NGINX_TARBALL}.asc \
 && wget -q http://nginx.org/keys/mdounin.key \
 && gpg --import mdounin.key \
 && FINGERPRINT="$(LANG=C gpg --verify ${NGINX_TARBALL}.asc ${NGINX_TARBALL} 2>&1 \
  | sed -n "s#Primary key fingerprint: \(.*\)#\1#p")" \
 && if [ -z "${FINGERPRINT}" ]; then echo "Warning! Invalid GPG signature!" && exit 1; fi \
 && if [ "${FINGERPRINT}" != "${GPG_mdounin}" ]; then echo "Warning! Wrong GPG fingerprint!" && exit 1; fi \
 && echo "All seems good, now unpacking ${NGINX_TARBALL}..." \
 && tar xzf ${NGINX_TARBALL} && cd nginx-${NGINX_VERSION} \
 && sed -i -e "s/\"Server: nginx\" CRLF/\"Server: ${SIGNATURE}\" CRLF/g" \
    -e "s/\"Server: \" NGINX_VER CRLF/\"Server: ${SIGNATURE}\" NGINX_VER CRLF/g" \
    src/http/ngx_http_header_filter_module.c \
 && ./configure \
    --with-http_ssl_module \
    --with-http_v2_module \
    --with-http_gzip_static_module \
    --with-http_stub_status_module \
    --with-openssl=/tmp/openssl-${OPENSSL_VERSION} \
    --with-openssl-opt='no-ssl2 no-ssl3 no-camellia no-dsa no-rc2 no-rc4 no-rc5 no-md2 no-md4 no-krb5 no-comp no-idea no-shared enable-ec_nistp_64_gcc_128 -DOPENSSL_NO_HEARTBEATS -fstack-protector-strong' \
    --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security' \
    --with-ld-opt='-lrt' \
    --with-file-aio \
    --with-threads \
    --without-http_ssi_module \
    --without-http_scgi_module \
    --without-http_uwsgi_module \
    --without-http_fastcgi_module \
    --without-http_geo_module \
    --without-http_autoindex_module \
    --without-http_map_module \
    --without-http_split_clients_module \
    --without-http_memcached_module \
    --without-http_empty_gif_module \
    --without-http_browser_module \
    --prefix=/etc/nginx \
    --http-proxy-temp-path=/tmp/proxy-temp \
    --http-log-path=/var/log/nginx/access.log \
    --error-log-path=/var/log/nginx/error.log \
    --sbin-path=/usr/local/sbin/nginx \
    --add-module=/tmp/ngx_brotli \
 && make -j ${NB_CORES} && make install \
 && make clean \
 && strip -s /usr/local/sbin/nginx \
 && apk del ${BUILD_DEPS} \
 && rm -rf /tmp/* /var/cache/apk/*
 COPY nginx.conf /etc/nginx/conf/nginx.conf
 COPY run.sh /usr/local/bin/run.sh
 COPY ngxpasswd /usr/local/bin/ngxpasswd
 COPY ssl_params /etc/nginx/conf/ssl_params
 COPY headers_params /etc/nginx/conf/headers_params
 COPY proxy_params /etc/nginx/conf/proxy_params
 RUN chmod +x /usr/local/bin/*
 EXPOSE 8000 4430
 VOLUME /sites-enabled /conf.d /passwds /certs /var/log/nginx
 LABEL description="Secure reverse proxy using nginx" \
      openssl="OpenSSL v${OPENSSL_VERSION}" \
      nginx="nginx v${NGINX_VERSION}"
 CMD ["/sbin/tini","--","run.sh"]
--- a/reverse/README.md
+++ b/reverse/README.md
@ -1,47 +0,0 @@
 ## wonderfall/reverse
 ![](https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/115px-Nginx_logo.svg.png)
 ![](https://upload.wikimedia.org/wikipedia/commons/thumb/a/a1/OpenSSL_logo.png/220px-OpenSSL_logo.png)
 #### What is this?
 It is nginx statically linked against a custom OpenSSL build, with embedded Brotli support. Secured by default (no root processes, even the master one), it should be safe to use...
 #### Features
 - Based on Alpine Linux.
 - nginx built against OpenSSL.
 - OpenSSL : no weak algorithms.
 - OpenSSL : ChaCha20 ciphers support.
 - nginx : HTTP/2 (+NPN) support.
 - nginx : Brotli compression support (and configured).
 - nginx : no root master process.
 - nginx : AIO Threads support.
 - nginx : no unnessary modules.
 - nginx : optimized configuration.
 #### Notes
 It is required to chown your certs files with the right uid/pid and change the `listen` directive to 8000/4430 instead of 80/443. Linux 3.17+, and the latest Docker stable are recommended.
 #### Volumes
 - **/sites-enabled** : vhosts files (*.conf)
 - **/conf.d** : additional configuration files
 - **/certs** : SSL/TLS certificates
 - **/var/log/nginx** : nginx logs
 - **/passwds** : authentication files
 #### Build-time variables
 - **NGINX_VERSION** : version of nginx
 - **OPENSSL_VERSION** : version of LibreSSL
 #### Environment variables
 - **GID** : nginx group id *(default : 991)*
 - **UID** : nginx user id *(default : 991)*
 #### How to use it?
 https://github.com/hardware/mailserver/wiki/Reverse-proxy-configuration
 Some configuration files located in `/etc/nginx/conf` are already provided, you can use them with the `include` directive.
 - `ssl_params` : TLS (1.0, 1.1, 1.2), CHACHA20, AES 256/128. Nice balance between compatibility and security.
 - `headers_params` : HSTS (+ preload), XSS protection...
 - `proxy_params` : useful with `proxy_pass`.
--- a/reverse/headers_params
+++ b/reverse/headers_params
@ -1,4 +0,0 @@
 add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
 add_header X-Frame-Options SAMEORIGIN;
 add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "1; mode=block";
--- a/reverse/nginx.conf
+++ b/reverse/nginx.conf
@ -1,80 +0,0 @@
 worker_processes auto;
 pid /var/run/nginx.pid;
 daemon off;
 events {
    worker_connections 2048; 
    use epoll;
 }
 http {
    limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
    limit_conn limit_per_ip 64;
    limit_req_zone $binary_remote_addr zone=allips:10m rate=150r/s;
    limit_req zone=allips burst=150 nodelay;
    include /etc/nginx/conf/mime.types;
    default_type application/octet-stream;
    access_log /var/log/nginx/access.log combined;
    error_log /var/log/nginx/error.log crit;
    client_body_buffer_size 10K;
    client_header_buffer_size 1k;
    client_max_body_size 8m;
    large_client_header_buffers 2 1k;
    aio threads;
    sendfile on;
    keepalive_timeout 15;
    keepalive_disable msie6;
    keepalive_requests 100;
    tcp_nopush on;
    tcp_nodelay on;
    server_tokens off;
    gzip on;
    gzip_comp_level 5;
    gzip_min_length 512;
    gzip_buffers 4 8k;
    gzip_proxied any;
    gzip_vary on;
    gzip_disable "msie6";
    gzip_types
        text/css
        text/javascript
        text/xml
        text/plain
        text/x-component
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/rss+xml
        application/vnd.ms-fontobject
        font/truetype
        font/opentype
        image/svg+xml;
    brotli on;
    brotli_static on;
    brotli_buffers 16 8k;
    brotli_comp_level 6;
    brotli_types
        text/css
        text/javascript
        text/xml
        text/plain
        text/x-component
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/rss+xml
        application/vnd.ms-fontobject
        font/truetype
        font/opentype
        image/svg+xml;
    include /sites-enabled/*.conf;
 }
--- a/reverse/ngxpasswd
+++ b/reverse/ngxpasswd
@ -1,42 +0,0 @@
 #!/bin/sh
 NAME="$1"
 USER="$2"
 PASSWORD="$3"
 cd /passwds || exit 1
 if [ -z "$NAME" ]; then
    echo "Service name must be defined" 1>&2
    exit 1
 elif [ -f $NAME.htpasswd ]; then
    echo "$NAME.htpasswd exists, aborting" 1>&2
    exit 1
 fi
 if [ -z "$USER" ]; then
    echo "User must be defined" 1>&2
    exit 1
 fi
 if [ -z "$PASSWORD" ]; then
    PASSWORD=`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1`
    echo "Password was not defined, generating a random one..."
 fi
 echo -n $USER:`openssl passwd -apr1 $PASSWORD` >> $NAME.htpasswd
 chown $UID:$GID $NAME.htpasswd
 chmod 640 $NAME.htpasswd
 echo
 echo  "A new password file has been saved to /passwds/$NAME.htpasswd :"
 echo  "- Service  :  $NAME"
 echo  "- User     :  $USER"
 echo  "- Password :  $PASSWORD"
 echo
 echo  "Paste this to your vhost in order to enable auth :"
 echo  "        auth_basic \"Who's this?\";"
 echo  "        auth_basic_user_file /passwds/$NAME.htpasswd;"
 echo
 echo "Done."
 exit 0
--- a/reverse/proxy_params
+++ b/reverse/proxy_params
@ -1,6 +0,0 @@
 proxy_set_header        Host                 $host;
 proxy_set_header        X-Real-IP            $remote_addr;
 proxy_set_header        X-Forwarded-For      $proxy_add_x_forwarded_for;
 proxy_set_header        X-Remote-Port        $remote_port;
 proxy_set_header        X-Forwarded-Proto    $scheme;
 proxy_redirect          off;
--- a/reverse/run.sh
+++ b/reverse/run.sh
@ -1,5 +0,0 @@
 #!/bin/sh
 touch /var/run/nginx.pid
 chown -R $UID:$GID /etc/nginx /var/log/nginx /var/run/nginx.pid /sites-enabled /conf.d /certs
 chmod -R 700 /certs
 su-exec $UID:$GID nginx
--- a/reverse/ssl_params
+++ b/reverse/ssl_params
@ -1,8 +0,0 @@
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_ecdh_curve brainpoolP512r1:sect571r1:secp521r1:secp384r1;
 ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305-D:ECDHE-RSA-CHACHA20-POLY1305-D:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA256';
 ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:20m;
 ssl_session_timeout 15m;
 ssl_session_tickets off;
--- a/selfoss/Dockerfile
+++ b/selfoss/Dockerfile
@ -1,47 +0,0 @@
 FROM alpine:3.3
 MAINTAINER Wonderfall <wonderfall@schrodinger.io>
 ENV GID=991 UID=991 VERSION=2.15
 RUN echo "@commuedge http://nl.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories \
 && echo "@testing http://nl.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories \
 && echo "@edge http://nl.alpinelinux.org/alpine/edge/main" >> /etc/apk/repositories \
 && apk -U add \
    musl \
    nginx \
    libwebp@edge \
    php7@testing \
    php7-fpm@testing \
    php7-gd@testing \
    php7-json@testing \
    php7-zlib@testing \
    php7-xml@testing \
    php7-dom@testing \
    php7-curl@testing \
    php7-iconv@testing \
    php7-mcrypt@testing \
    php7-pdo_sqlite@testing \
    php7-ctype@testing \
    php7-session@testing \
    supervisor \
    ca-certificates \
    tini@commuedge \
 && rm -f /var/cache/apk/* \
 && sed -i -e 's/max_execution_time = 30/max_execution_time = 300/' /etc/php7/php.ini
 RUN wget -q https://github.com/SSilence/selfoss/releases/download/$VERSION/selfoss-$VERSION.zip -P /tmp \
 && mkdir /selfoss && unzip -q /tmp/selfoss-$VERSION.zip -d /selfoss \
 && sed -i -e 's/base_url=/base_url=\//g' /selfoss/defaults.ini \
 && rm -rf /tmp/*
 COPY nginx.conf /etc/nginx/nginx.conf
 COPY php-fpm.conf /etc/php7/php-fpm.conf
 COPY supervisord.conf /etc/supervisor/supervisord.conf
 COPY startup /usr/local/bin/startup
 COPY cron /etc/periodic/15min/selfoss
 RUN chmod +x /usr/local/bin/startup /etc/periodic/15min/selfoss
 VOLUME /selfoss/data
 EXPOSE 80
 CMD ["/sbin/tini","--","startup"]
--- a/selfoss/README.md
+++ b/selfoss/README.md
@ -1,45 +0,0 @@
 # wonderfall/selfoss
 ![selfoss](https://i.imgur.com/8hJyBgk.png "selfoss")
 The new multipurpose rss reader, live stream, mashup, aggregation web application.
 ### Requirement
 - Docker 1.0 or higher
 ### How to use
 ```
 docker run -d \
  --name selfoss \
  -p 80:80 \
  -v /mnt/docker/selfoss:/selfoss/data \
  hardware/selfoss
 ```
 ### Environment variables
 - **VERSION** = selfoss version (*optional*, default: 2.15)
 - **GID** = selfoss user id (*optional*, default: 991)
 - **UID** = selfoss group id (*optional*, default: 991)
 ### Docker-compose
 #### Docker-compose.yml
 ```
 selfoss:
  image: hardware/selfoss
  container_name: selfoss
  ports:
    - "80:80"
  volumes:
    - /mnt/docker/selfoss:/selfoss/data
 ```
 #### Run !
 ```
 docker-compose up -d
 ```
--- a/selfoss/cron
+++ b/selfoss/cron
@ -1,2 +0,0 @@
 #!/bin/sh
 su - selfoss -c "php7 -f /selfoss/cliupdate.php" > /dev/null 2>&1
--- a/selfoss/nginx.conf
+++ b/selfoss/nginx.conf
@ -1,81 +0,0 @@
 user selfoss;
 worker_processes auto;
 pid /var/run/nginx.pid;
 daemon off;
 events {
  worker_connections 1024;
  use epoll;
 }
 http {
  include /etc/nginx/mime.types;
  default_type application/octet-stream;
  access_log /var/log/nginx/access.log combined;
  error_log /var/log/nginx/error.log error;
  sendfile on;
  keepalive_timeout 15;
  keepalive_disable msie6;
  keepalive_requests 100;
  tcp_nopush on;
  tcp_nodelay off;
  server_tokens off;
  gzip on;
  gzip_comp_level 5;
  gzip_min_length 512;
  gzip_buffers 4 8k;
  gzip_proxied any;
  gzip_vary on;
  gzip_disable "msie6";
  gzip_types
    text/css
    text/javascript
    text/xml
    text/plain
    text/x-component
    application/javascript
    application/x-javascript
    application/json
    application/xml
    application/rss+xml
    application/vnd.ms-fontobject
    font/truetype
    font/opentype
    image/svg+xml;
  server {
    listen 80;
    root /selfoss;
    index index.php;
    charset utf-8;
    location ~ ^/favicons/.*$ {
      try_files $uri /data/$uri;
    }
    location ~ ^/thumbnails/.*$ {
      try_files $uri /data/$uri;
    }
    location ~* ^/(data\/logs|data\/sqlite|config\.ini|\.ht) {
      deny all;
    }
    location / {
      try_files $uri /public/$uri /index.php$is_args$args;
    }
    location ~* \.php$ {
      try_files $uri =404;
      fastcgi_index index.php;
      fastcgi_pass unix:/var/run/php-fpm.sock;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      include /etc/nginx/fastcgi_params;
    }
  }
 }
--- a/selfoss/php-fpm.conf
+++ b/selfoss/php-fpm.conf
@ -1,16 +0,0 @@
 [global]
 daemonize = no
 [www]
 user = selfoss
 group = selfoss
 listen = /var/run/php-fpm.sock
 listen.owner = selfoss
 listen.group = selfoss
 pm = dynamic
 pm.max_children = 5
 pm.start_servers = 2
 pm.min_spare_servers = 1
 pm.max_spare_servers = 3
 chdir = /
 request_terminate_timeout = 300
--- a/selfoss/startup
+++ b/selfoss/startup
@ -1,26 +0,0 @@
 #!/bin/sh
 # Create user and set permission
 addgroup -g ${GID} selfoss && adduser -h /selfoss -s /bin/sh -D -G selfoss -u ${UID} selfoss
 # Selfoss custom configuration file
 sed -i "s/lkjl1289/`cat \/dev\/urandom | tr -dc 'a-zA-Z' | fold -w 20 | head -n 1`/g" /selfoss/defaults.ini
 rm /selfoss/config.ini
 if [ -e /selfoss/data/config.ini ]; then
  cp /selfoss/data/config.ini /selfoss/config.ini
 else
  cp /selfoss/defaults.ini /selfoss/data/config.ini
  cp /selfoss/defaults.ini /selfoss/config.ini
 fi
 # Init data dir
 if [ ! "$(ls -Ad /selfoss/data/*/)" ]; then
   cd /selfoss/data/ && mkdir cache favicons logs sqlite thumbnails
 fi
 # Set permissions
 chown -R selfoss:selfoss /selfoss /var/run/php-fpm.sock /var/lib/nginx /tmp
 # RUN !
 supervisord -c /etc/supervisor/supervisord.conf
--- a/selfoss/supervisord.conf
+++ b/selfoss/supervisord.conf
@ -1,11 +0,0 @@
 [supervisord]
 nodaemon=true
 [program:cron]
 command=crond -f
 [program:php-fpm]
 command=php-fpm7
 [program:nginx]
 command=nginx
		`@ -1,2 +0,0 @@`
			`#!/bin/sh`
			`su - selfoss -c "php7 -f /selfoss/cliupdate.php" > /dev/null 2>&1`