From c7d2b5d9c1317ade1c56f38c4db28811879aee3e Mon Sep 17 00:00:00 2001
From: Wonderfall
Date: Tue, 11 Oct 2016 18:59:35 +0200
Subject: [PATCH] boring-nginx: fix build, remove old patches
---
 boring-nginx/Dockerfile | 11 +++--------
 boring-nginx/README.md | 25 +++++++++++++------------
 2 files changed, 16 insertions(+), 20 deletions(-)
diff --git a/boring-nginx/Dockerfile b/boring-nginx/Dockerfile
index 20803f0..049521b 100644
--- a/boring-nginx/Dockerfile
+++ b/boring-nginx/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.4
+FROM alpine:edge
 MAINTAINER Wonderfall
 ENV UID=991 GID=991
@@ -59,10 +59,6 @@ RUN echo "@commuedge https://nl.alpinelinux.org/alpine/edge/community" >> /etc/a
 && if [ "${FINGERPRINT}" != "${GPG_NGINX}" ]; then echo "Warning! Wrong GPG fingerprint!" && exit 1; fi \
 && echo "All seems good, now unpacking ${NGINX_TARBALL}..." \
 && tar xzf ${NGINX_TARBALL} && cd nginx-${NGINX_VERSION} \
- && wget -q https://raw.githubusercontent.com/felixbuenemann/sslconfig/updated-nginx-1.9.15-spdy-patch/patches/nginx_1_9_15_http2_spdy.patch -O spdy.patch \
- && patch -p1 < spdy.patch \
- && wget -q https://raw.githubusercontent.com/cloudflare/sslconfig/master/patches/nginx__dynamic_tls_records.patch \
- && patch -p1 < nginx__dynamic_tls_records.patch \
 && patch -p1 < /tmp/boring.patch \
 && ./configure \
 --prefix=/etc/nginx \
@@ -71,7 +67,6 @@ RUN echo "@commuedge https://nl.alpinelinux.org/alpine/edge/community" >> /etc/a
 --with-ld-opt="-Wl,-Bsymbolic-functions -Wl,-z,relro -L ../boringssl/.openssl/lib" \
 --with-http_ssl_module \
 --with-http_v2_module \
- --with-http_spdy_module \
 --with-http_gzip_static_module \
 --with-http_stub_status_module \
 --with-file-aio \
@@ -112,8 +107,8 @@ EXPOSE 8000 4430
 VOLUME /sites-enabled /www /conf.d /passwds /certs /var/log/nginx
-LABEL description="nginx built from source." \
+LABEL description="nginx built from source" \
 openssl="BoringSSL" \
- nginx="nginx ${NGINX_VERSION}."
+ nginx="nginx ${NGINX_VERSION}"
 CMD ["run.sh"]
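Review bot: `FROM alpine:edge` in the first Dockerfile hunk swaps a fixed release for Alpine's rolling development branch, so the base image, the compiler and every library nginx is built against can change between two builds of the same commit, and an audit or vulnerability scan of one build says nothing about the next. If edge is what fixes the build, pin the exact image that was tested by digest, e.g. `FROM alpine:edge@sha256:<digest-of-tested-image>` (placeholder), and record the reason with a comment such as `# edge required for <package>; return to a release tag once it lands there`. The hunk header context shows the RUN step already registering a tagged edge community repository (`@commuedge`), so it may be possible to stay on a release tag and take only the packages that need edge through that tag. The rest of that RUN step is outside the hunk, so this needs confirming against the full file.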
diff --git a/boring-nginx/README.md b/boring-nginx/README.md
index 23d4bcc..986be78 100644
--- a/boring-nginx/README.md
+++ b/boring-nginx/README.md
@@ -3,21 +3,22 @@
 ![](https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/115px-Nginx_logo.svg.png)
 #### What is this?
-It is nginx statically linked against BoringSSL, with embedded Brotli support. Secured by default (no root processes, even the master one), it should be safe to use...
+This is nginx statically linked against BoringSSL, with embedded Brotli support.
 #### Features
 - Based on Alpine Linux.
 - nginx built against **BoringSSL**.
-- nginx : securely built using hardening gcc flags.
-- nginx : HTTP/2 (+NPN) support.
-- nginx : Brotli compression support (and configured).
-- nginx : no root master process.
-- nginx : AIO Threads support.
-- nginx : no unnessary modules (except fastcgi).
-- nginx : pcre jit enabled.
-- nginx : optimized configuration.
-- ngxpasswd : generates a htpasswd file easily.
-- ngxproxy : generates a *proxy vhost* after asking you a few questions.
+- Built using hardening gcc flags.
+- TTP/2 (+NPN) support.
+- Brotli compression support (and configured).
+- No root master process.
+- AIO Threads support.
+- No unnessary modules (except fastcgi).
+- PCRE-jit enabled.
+- Strong configurations included.
+- Anonymous webserver signature (headers-more).
+- ngxpasswd : generates a htpasswd file.
+- ngxproxy : generates a proxy virtual host file.
 #### Notes
 - It is required to change the `listen` directive to 8000/4430 instead of 80/443.
@@ -36,7 +37,7 @@ It is nginx statically linked against BoringSSL, with embedded Brotli support. S
 #### Build-time variables
 - **NGINX_VERSION** : version of nginx
 - **GPG_NGINX** : fingerprint of signing key package
-- **SIGNATURE** : HTTP signature of nginx, default is *secret*
+- **
 #### Environment variables
 - **GID** : nginx group id *(default : 991)*