add boring-nginx, based on reverse

2025-04-20 04:19:18 +00:00 · 2016-05-29 02:09:20 +02:00 · 2016-05-29 02:09:20 +02:00 · dcc4266fcc
commit dcc4266fcc
parent b3eb048d54
9 changed files with 351 additions and 0 deletions
--- a/boring-nginx/Dockerfile
+++ b/boring-nginx/Dockerfile
@ -0,0 +1,118 @@
 FROM alpine:3.3
 MAINTAINER Wonderfall <wonderfall@schrodinger.io>
 ENV UID=991 GID=991
 ARG NGINX_VERSION=1.11.0
 ARG GPG_NGINX="B0F4 2533 73F8 F6F5 10D4  2178 520A 9993 A1C0 52F8"
 ARG SIGNATURE=secret
 ARG BUILD_CORES
 COPY boring.patch /tmp/boring.patch
 RUN echo "@commuedge http://nl.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories \
 && NB_CORES=${BUILD_CORES-$(getconf _NPROCESSORS_CONF)} \
 && BUILD_DEPS=" \
    build-base \
    linux-headers \
    ca-certificates \
    automake \
    autoconf \
    git \
    tar \
    libtool \
    pcre-dev \
    zlib-dev \
    binutils \
    gnupg \
    cmake \
    go" \
 && apk -U add \
    ${BUILD_DEPS} \
    pcre \
    zlib \
    libgcc \
    libstdc++ \
    su-exec \
    openssl \
    tini@commuedge \
 && cd /tmp && git clone https://github.com/bagder/libbrotli && cd libbrotli \
 && ./autogen.sh && ./configure && make -j ${NB_CORES} && make install \
 && mkdir /tmp/ngx_brotli && cd /tmp/ngx_brotli \
 && wget -qO- https://github.com/google/ngx_brotli/archive/master.tar.gz | tar xz --strip 1 \
 && cd /tmp && git clone https://boringssl.googlesource.com/boringssl \
 && cd boringssl \
 && mkdir build && cd build && cmake -DCMAKE_BUILD_TYPE=Release .. && make -j ${NB_CORES} && cd .. \
 && mkdir -p .openssl/lib/ && cd .openssl && ln -s ../include && cd .. \
 && cp build/crypto/libcrypto.a build/ssl/libssl.a .openssl/lib && cd /tmp \
 && NGINX_TARBALL="nginx-${NGINX_VERSION}.tar.gz" \
 && wget -q http://nginx.org/download/${NGINX_TARBALL} \
 && echo "Verifying ${NGINX_TARBALL} using GPG..." \
 && wget -q http://nginx.org/download/${NGINX_TARBALL}.asc \
 && wget -q http://nginx.org/keys/mdounin.key \
 && gpg --import mdounin.key \
 && FINGERPRINT="$(LANG=C gpg --verify ${NGINX_TARBALL}.asc ${NGINX_TARBALL} 2>&1 \
  | sed -n "s#Primary key fingerprint: \(.*\)#\1#p")" \
 && if [ -z "${FINGERPRINT}" ]; then echo "Warning! Invalid GPG signature!" && exit 1; fi \
 && if [ "${FINGERPRINT}" != "${GPG_NGINX}" ]; then echo "Warning! Wrong GPG fingerprint!" && exit 1; fi \
 && echo "All seems good, now unpacking ${NGINX_TARBALL}..." \
 && tar xzf ${NGINX_TARBALL} && cd nginx-${NGINX_VERSION} \
 && sed -i -e "s/\"Server: nginx\" CRLF/\"Server: ${SIGNATURE}\" CRLF/g" \
    -e "s/\"Server: \" NGINX_VER CRLF/\"Server: ${SIGNATURE}\" NGINX_VER CRLF/g" \
    src/http/ngx_http_header_filter_module.c \
 && patch -p1 < /tmp/boring.patch \
 && sed -i \
    -e '/SSL_R_BLOCK_CIPHER_PAD_IS_WRONG/d' \
    -e '/SSL_R_NO_CIPHERS_SPECIFIED/d' \
    src/event/ngx_event_openssl.c \
 && ./configure \
    --prefix=/etc/nginx \
    --sbin-path=/usr/local/sbin/nginx \
    --with-cc-opt='-g -O2 -fstack-protector-strong -fPIE -Wformat -Werror=format-security -I ../boringssl/.openssl/include/' \
    --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -L ../boringssl/.openssl/lib' \
    --with-http_ssl_module \
    --with-http_v2_module \
    --with-http_gzip_static_module \
    --with-http_stub_status_module \
    --with-file-aio \
    --with-threads \
    --with-pcre-jit \
    --without-http_ssi_module \
    --without-http_scgi_module \
    --without-http_uwsgi_module \
    --without-http_geo_module \
    --without-http_autoindex_module \
    --without-http_map_module \
    --without-http_split_clients_module \
    --without-http_memcached_module \
    --without-http_empty_gif_module \
    --without-http_browser_module \
    --http-proxy-temp-path=/tmp/proxy_temp \
    --http-client-body-temp-path=/tmp/client_body_temp \
    --http-fastcgi-temp-path=/tmp/fastcgi_temp \
    --http-log-path=/var/log/nginx/access.log \
    --error-log-path=/var/log/nginx/error.log \
    --add-module=/tmp/ngx_brotli \
 && make -j ${NB_CORES} && make install && make clean \
 && strip -s /usr/local/sbin/nginx \
 && apk del ${BUILD_DEPS} \
 && rm -rf /tmp/* /var/cache/apk/*
 COPY nginx.conf /etc/nginx/conf/nginx.conf
 COPY run.sh /usr/local/bin/run.sh
 COPY ngxpasswd /usr/local/bin/ngxpasswd
 COPY ssl_params /etc/nginx/conf/ssl_params
 COPY headers_params /etc/nginx/conf/headers_params
 COPY proxy_params /etc/nginx/conf/proxy_params
 RUN chmod +x /usr/local/bin/*
 EXPOSE 8000 4430
 VOLUME /sites-enabled /conf.d /passwds /certs /var/log/nginx
 LABEL description="Secure nginx built from source." \
      openssl="BoringSSL (date of the container)." \
      nginx="nginx ${NGINX_VERSION}."
 CMD ["/sbin/tini","--","run.sh"]
--- a/boring-nginx/README.md
+++ b/boring-nginx/README.md
@ -0,0 +1,47 @@
 ## wonderfall/reverse
 ![](https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/115px-Nginx_logo.svg.png)
 ![](https://upload.wikimedia.org/wikipedia/commons/thumb/a/a1/OpenSSL_logo.png/220px-OpenSSL_logo.png)
 #### What is this?
 It is nginx statically linked against a custom OpenSSL build, with embedded Brotli support. Secured by default (no root processes, even the master one), it should be safe to use...
 #### Features
 - Based on Alpine Linux.
 - nginx built against OpenSSL.
 - OpenSSL : no weak algorithms.
 - OpenSSL : ChaCha20 ciphers support.
 - nginx : HTTP/2 (+NPN) support.
 - nginx : Brotli compression support (and configured).
 - nginx : no root master process.
 - nginx : AIO Threads support.
 - nginx : no unnessary modules.
 - nginx : optimized configuration.
 #### Notes
 It is required to chown your certs files with the right uid/pid and change the `listen` directive to 8000/4430 instead of 80/443. Linux 3.17+, and the latest Docker stable are recommended.
 #### Volumes
 - **/sites-enabled** : vhosts files (*.conf)
 - **/conf.d** : additional configuration files
 - **/certs** : SSL/TLS certificates
 - **/var/log/nginx** : nginx logs
 - **/passwds** : authentication files
 #### Build-time variables
 - **NGINX_VERSION** : version of nginx
 - **OPENSSL_VERSION** : version of LibreSSL
 #### Environment variables
 - **GID** : nginx group id *(default : 991)*
 - **UID** : nginx user id *(default : 991)*
 #### How to use it?
 https://github.com/hardware/mailserver/wiki/Reverse-proxy-configuration
 Some configuration files located in `/etc/nginx/conf` are already provided, you can use them with the `include` directive.
 - `ssl_params` : TLS (1.0, 1.1, 1.2), CHACHA20, AES 256/128. Nice balance between compatibility and security.
 - `headers_params` : HSTS (+ preload), XSS protection...
 - `proxy_params` : useful with `proxy_pass`.
--- a/boring-nginx/boring.patch
+++ b/boring-nginx/boring.patch
@ -0,0 +1,40 @@
 # HG changeset patch
 # User Piotr Sikora <piotrsikora at google.com>
 # Date 1446864006 28800
 #      Fri Nov 06 18:40:06 2015 -0800
 # Node ID 9716b76675442d78d750ee542e4c80fa86d9b355
 # Parent  8aef9afa46e31a112fa1ceaffaefbc5990dbde22
 SSL: cast hostname in SSL_set_tlsext_host_name().
 BoringSSL promoted this macro to a proper function,
 so it requires parameters with correct types now.
 Signed-off-by: Piotr Sikora <piotrsikora at google.com>
 diff -r 8aef9afa46e3 -r 9716b7667544 src/http/ngx_http_upstream.c
 --- a/src/http/ngx_http_upstream.c
 +++ b/src/http/ngx_http_upstream.c
@@ -1660,7 +1660,9 @@ ngx_http_upstream_ssl_name(ngx_http_requ
     ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                    "upstream SSL server name: \"%s\"", name.data);
 -    if (SSL_set_tlsext_host_name(c->ssl->connection, name.data) == 0) {
 +    if (SSL_set_tlsext_host_name(c->ssl->connection, (const char *) name.data)
 +        == 0)
 +    {
         ngx_ssl_error(NGX_LOG_ERR, r->connection->log, 0,
                       "SSL_set_tlsext_host_name(\"%s\") failed", name.data);
         return NGX_ERROR;
 diff -r 8aef9afa46e3 -r 9716b7667544 src/stream/ngx_stream_proxy_module.c
 --- a/src/stream/ngx_stream_proxy_module.c
 +++ b/src/stream/ngx_stream_proxy_module.c
@@ -851,7 +851,8 @@ ngx_stream_proxy_ssl_name(ngx_stream_ses
     ngx_log_debug1(NGX_LOG_DEBUG_STREAM, s->connection->log, 0,
                    "upstream SSL server name: \"%s\"", name.data);
 -    if (SSL_set_tlsext_host_name(u->peer.connection->ssl->connection, name.data)
 +    if (SSL_set_tlsext_host_name(u->peer.connection->ssl->connection,
 +                                 (const char *) name.data)
         == 0)
     {
         ngx_ssl_error(NGX_LOG_ERR, s->connection->log, 0,
--- a/boring-nginx/headers_params
+++ b/boring-nginx/headers_params
@ -0,0 +1,4 @@
 add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
 add_header X-Frame-Options SAMEORIGIN;
 add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "1; mode=block";
--- a/boring-nginx/nginx.conf
+++ b/boring-nginx/nginx.conf
@ -0,0 +1,81 @@
 worker_processes auto;
 pid /var/run/nginx.pid;
 daemon off;
 pcre_jit on;
 events {
    worker_connections 2048; 
    use epoll;
 }
 http {
    limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
    limit_conn limit_per_ip 64;
    limit_req_zone $binary_remote_addr zone=allips:10m rate=150r/s;
    limit_req zone=allips burst=150 nodelay;
    include /etc/nginx/conf/mime.types;
    default_type application/octet-stream;
    access_log /var/log/nginx/access.log combined;
    error_log /var/log/nginx/error.log crit;
    client_body_buffer_size 10K;
    client_header_buffer_size 1k;
    client_max_body_size 8m;
    large_client_header_buffers 2 1k;
    aio threads;
    sendfile on;
    keepalive_timeout 15;
    keepalive_disable msie6;
    keepalive_requests 100;
    tcp_nopush on;
    tcp_nodelay on;
    server_tokens off;
    gzip on;
    gzip_comp_level 5;
    gzip_min_length 512;
    gzip_buffers 4 8k;
    gzip_proxied any;
    gzip_vary on;
    gzip_disable "msie6";
    gzip_types
        text/css
        text/javascript
        text/xml
        text/plain
        text/x-component
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/rss+xml
        application/vnd.ms-fontobject
        font/truetype
        font/opentype
        image/svg+xml;
    brotli on;
    brotli_static on;
    brotli_buffers 16 8k;
    brotli_comp_level 6;
    brotli_types
        text/css
        text/javascript
        text/xml
        text/plain
        text/x-component
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/rss+xml
        application/vnd.ms-fontobject
        font/truetype
        font/opentype
        image/svg+xml;
    include /sites-enabled/*.conf;
 }
--- a/boring-nginx/ngxpasswd
+++ b/boring-nginx/ngxpasswd
@ -0,0 +1,42 @@
 #!/bin/sh
 NAME="$1"
 USER="$2"
 PASSWORD="$3"
 cd /passwds || exit 1
 if [ -z "$NAME" ]; then
    echo "Service name must be defined" 1>&2
    exit 1
 elif [ -f $NAME.htpasswd ]; then
    echo "$NAME.htpasswd exists, aborting" 1>&2
    exit 1
 fi
 if [ -z "$USER" ]; then
    echo "User must be defined" 1>&2
    exit 1
 fi
 if [ -z "$PASSWORD" ]; then
    PASSWORD=`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1`
    echo "Password was not defined, generating a random one..."
 fi
 echo -n $USER:`openssl passwd -apr1 $PASSWORD` >> $NAME.htpasswd
 chown $UID:$GID $NAME.htpasswd
 chmod 640 $NAME.htpasswd
 echo
 echo  "A new password file has been saved to /passwds/$NAME.htpasswd :"
 echo  "- Service  :  $NAME"
 echo  "- User     :  $USER"
 echo  "- Password :  $PASSWORD"
 echo
 echo  "Paste this to your vhost in order to enable auth :"
 echo  "        auth_basic \"Who's this?\";"
 echo  "        auth_basic_user_file /passwds/$NAME.htpasswd;"
 echo
 echo "Done."
 exit 0
--- a/boring-nginx/proxy_params
+++ b/boring-nginx/proxy_params
@ -0,0 +1,6 @@
 proxy_set_header        Host                 $host;
 proxy_set_header        X-Real-IP            $remote_addr;
 proxy_set_header        X-Forwarded-For      $proxy_add_x_forwarded_for;
 proxy_set_header        X-Remote-Port        $remote_port;
 proxy_set_header        X-Forwarded-Proto    $scheme;
 proxy_redirect          off;
--- a/boring-nginx/run.sh
+++ b/boring-nginx/run.sh
@ -0,0 +1,5 @@
 #!/bin/sh
 touch /var/run/nginx.pid
 chown -R $UID:$GID /etc/nginx /var/log/nginx /var/run/nginx.pid /sites-enabled /conf.d /certs
 chmod -R 700 /certs
 su-exec $UID:$GID nginx
--- a/boring-nginx/ssl_params
+++ b/boring-nginx/ssl_params
@ -0,0 +1,8 @@
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_ecdh_curve secp384r1;
 ssl_ciphers [ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-CHACHA20-POLY1305|ECDHE-ECDSA-CHACHA20-POLY1305-D|ECDHE-RSA-CHACHA20-POLY1305-D|ECDHE-ECDSA-AES256-GCM-SHA384|ECDHE-RSA-AES256-GCM-SHA384|ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-RSA-AES128-GCM-SHA256]:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA;
 ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:20m;
 ssl_session_timeout 15m;
 ssl_session_tickets off;