diff --git a/reverse/.drone.yml b/reverse/.drone.yml new file mode 100644 index 0000000..cf74e8d --- /dev/null +++ b/reverse/.drone.yml @@ -0,0 +1,21 @@ +pipeline: + build: + image: xataz/docker-drone-plugin + repo: xataz/reverse-nginx + action: build + volumes: + - /var/run/docker.sock:/var/run/docker.sock + + push: + image: xataz/docker-drone-plugin + repo: xataz/reverse-nginx + action: push + environment: + - UID=1000 + - GID=991 + volumes: + - /var/run/docker.sock:/var/run/docker.sock + - /home/xataz/.docker/config.json:/docker/.docker/config.json + when: + branch: master + event: [push, tag, deployment] \ No newline at end of file diff --git a/reverse/Dockerfile b/reverse/Dockerfile new file mode 100644 index 0000000..a92d0e1 --- /dev/null +++ b/reverse/Dockerfile @@ -0,0 +1,138 @@ +FROM alpine:3.6 + +ENV UID=991 GID=991 + +ARG NGINX_VERSION=1.13.5 +ARG OPENSSL_VERSION=1.1.0f +ARG GPG_NGINX="B0F4 2533 73F8 F6F5 10D4 2178 520A 9993 A1C0 52F8" +ARG BUILD_CORES + +ARG NGINX_MODULES=" \ + --with-http_ssl_module \ + --with-http_v2_module \ + --with-http_gzip_static_module \ + --with-http_stub_status_module \ + --with-file-aio \ + --with-threads \ + --with-pcre-jit \ + --without-http_ssi_module \ + --without-http_scgi_module \ + --without-http_uwsgi_module \ + --without-http_geo_module \ + --without-http_autoindex_module \ + --without-http_split_clients_module \ + --without-http_memcached_module \ + --without-http_empty_gif_module \ + --without-http_browser_module" + +ARG NGINX_3RD_PARTY_MODULES=" \ + --add-module=/tmp/headers-more-nginx-module \ + --add-module=/tmp/ngx_brotli" + +RUN NB_CORES=${BUILD_CORES-$(getconf _NPROCESSORS_CONF)} \ + +# Update system + && apk -U upgrade \ + +# Installing runtime dependencies + && apk add \ + ${BUILD_DEPS} \ + pcre \ + zlib \ + libgcc \ + libstdc++ \ + jemalloc \ + su-exec \ + s6 \ + libressl \ + bind-tools \ + +# Installing build dependencies + && apk add -t build-dependencies \ + build-base \ + linux-headers \ + ca-certificates \ + automake \ + autoconf \ + git \ + go \ + jemalloc-dev \ + tar \ + libtool \ + pcre-dev \ + zlib-dev \ + binutils \ + gnupg \ + cmake \ + go \ + +# Brotli + && cd /tmp && git clone https://github.com/bagder/libbrotli --depth=1 \ + && cd libbrotli && ./autogen.sh && ./configure && make -j ${NB_CORES} && make install \ + && cd /tmp && git clone https://github.com/google/ngx_brotli --depth=1 \ + && cd ngx_brotli && git submodule update --init \ + +# Headers More + && cd /tmp && git clone https://github.com/openresty/headers-more-nginx-module --depth=1 \ + +# OpenSSL + && OPENSSL_TARBALL="openssl-${OPENSSL_VERSION}.tar.gz" \ + && wget -q https://www.openssl.org/source/${OPENSSL_TARBALL} \ + && tar xzf ${OPENSSL_TARBALL} \ + +# Nginx tarball checking + && NGINX_TARBALL="nginx-${NGINX_VERSION}.tar.gz" \ + && wget -q https://nginx.org/download/${NGINX_TARBALL} \ + && echo "Verifying ${NGINX_TARBALL} using GPG..." \ + && wget -q https://nginx.org/download/${NGINX_TARBALL}.asc \ + && wget -q https://nginx.org/keys/mdounin.key \ + && gpg --import mdounin.key \ + && FINGERPRINT="$(LANG=C gpg --verify ${NGINX_TARBALL}.asc ${NGINX_TARBALL} 2>&1 \ + | sed -n "s#Primary key fingerprint: \(.*\)#\1#p")" \ + && if [ -z "${FINGERPRINT}" ]; then echo "Warning! Invalid GPG signature!" && exit 1; fi \ + && if [ "${FINGERPRINT}" != "${GPG_NGINX}" ]; then echo "Warning! Wrong GPG fingerprint!" && exit 1; fi \ + && echo "All seems good, now unpacking ${NGINX_TARBALL}..." \ + && tar xzf ${NGINX_TARBALL} && cd nginx-${NGINX_VERSION} \ + +# Nginx patch : dynamic TLS records + && wget -q https://raw.githubusercontent.com/cujanovic/nginx-dynamic-tls-records-patch/master/nginx__dynamic_tls_records_1.13.0%2B.patch -O dynamic_records.patch \ + && patch -p1 < dynamic_records.patch \ + +# Nginx compilation + && ./configure \ + --prefix=/nginx \ + --sbin-path=/usr/local/sbin/nginx \ + --with-cc-opt="-O3 -fPIE -fstack-protector-strong -D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -Wno-deprecated-declarations -I ../boringssl/.openssl/include/" \ + --with-ld-opt="-lrt -ljemalloc -Wl,-Bsymbolic-functions -Wl,-z,relro -L ../boringssl/.openssl/lib" \ + --with-openssl-opt='no-async enable-ec_nistp_64_gcc_128 no-shared no-ssl2 no-ssl3 no-comp no-idea no-weak-ssl-ciphers -DOPENSSL_NO_HEARTBEATS -m64 -march=native -mtune=native -O3 -fPIE -fstack-protector-strong -D_FORTIFY_SOURCE=2' \ + --with-openssl=/tmp/openssl-${OPENSSL_VERSION} \ + --http-log-path=/nginx/log/nginx_access.log \ + --error-log-path=/nginx/log/nginx/nginx_error.log \ + --pid-path=/nginx/run/nginx.pid \ + --lock-path=/nginx/run/nginx.lock \ + --user=reverse --group=reverse \ + ${NGINX_MODULES} \ + ${NGINX_3RD_PARTY_MODULES} \ + && make -j ${NB_CORES} && make install && make clean \ + && strip -s /usr/local/sbin/nginx \ + +# Lego + && mkdir -p /tmp/go/bin \ + && export GOPATH=/tmp/go \ + && export GOBIN=$GOPATH/bin \ + && git config --global http.https://gopkg.in.followRedirects true \ + && go get github.com/xenolf/lego \ + && mv /tmp/go/bin/lego /usr/local/bin/lego \ + +# Clean + && apk del build-dependencies \ + && rm -rf /tmp/* /var/cache/apk/* /root/.gnupg + +COPY rootfs / + +RUN chmod +x /usr/local/bin/startup /etc/s6.d/*/* + +EXPOSE 8000 8443 + +ENTRYPOINT ["/usr/local/bin/startup"] +CMD ["/bin/s6-svscan", "/etc/s6.d"] diff --git a/reverse/README.md b/reverse/README.md new file mode 100644 index 0000000..b2a23a2 --- /dev/null +++ b/reverse/README.md @@ -0,0 +1,116 @@ +![](http://nginx.org/nginx.png) + +# BETA VERSION ACTUALY !!!!! +[![Build Status](https://drone.xataz.net/api/badges/xataz/docker-reverse-nginx/status.svg)](https://drone.xataz.net/xataz/docker-reverse-nginx) +[![](https://images.microbadger.com/badges/image/xataz/reverse-nginx.svg)](https://microbadger.com/images/xataz/reverse-nginx "Get your own image badge on microbadger.com") +[![](https://images.microbadger.com/badges/version/xataz/reverse-nginx.svg)](https://microbadger.com/images/xataz/reverse-nginx "Get your own version badge on microbadger.com") + +> This image is build and push with [drone.io](https://github.com/drone/drone), a circle-ci like self-hosted. +> If you don't trust, you can build yourself. + +## Tag available +* latest, mainline, 1.13.5, 1.13 [(Dockerfile)](https://github.com/xataz/dockerfiles/blob/master/reverse-nginx/Dockerfile) + +## Features +* No ROOT process +* Automatic configuration generation +* Automatic certificate generation and renew with letsencrypt and without downtime (use lego) +* Latest nginx version +* ARG for custom build + +## Description +What is [Nginx](http://nginx.org)? + +nginx (engine x) is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP proxy server, originally written by Igor Sysoev. For a long time, it has been running on many heavily loaded Russian sites including Yandex, Mail.Ru, VK, and Rambler. According to Netcraft, nginx served or proxied 24.29% busiest sites in December 2015. Here are some of the success stories: Netflix, Wordpress.com, FastMail.FM. + +Reverse-nginx generate for you the configuration of reverse proxy. Like traefik, it is based on the labels of containers, but it isn't dynamicly. + +## Build Image +### Build arguments +* NGINX_CONF : Nginx make configure options +* NGINX_VER : Nginx version +* ARG NGINX_GPG : GPG fingerprint (default : "B0F4253373F8F6F510D42178520A9993A1C052F8") +* ARG BUILD_CORES : Number of core use for make nginx (default : All cores) + +### Simply build +```shell +docker build -t xataz/reverse-nginx github.com/xataz/dockerfiles.git#master:reverse-nginx +``` +### Build other version +```shell +docker build -t xataz/reverse-nginx --build-arg NGINX_VER=1.9.5 github.com/xataz/dockerfiles.git#master:reverse-nginx +``` + +## Configuration +### Environments +* UID : Choose uid for launch nginx (default : 991) +* GID : Choose gid for launch nginx (default : 991) + +### Volumes +* /nginx/ssl : For certificate persistance +* /nginx/custom_sites : For create your own sites + +### Ports +* 8080 +* 8443 + +## Usage +### Environments +| Variable | Description | default | value | +| -------- | ----------- | ------- | ----- | +| UID | UID for launch nginx | 991 | Valid UID number | +| GID | GID for launch nginx | 991 | Valid GID number | +| EMAIL | email use for generate letsencrypt certificates | admin@mydomain.local | Valid address mail | + +### Labels +| Label Name | Description | default | value | +| ---------- | ----------- | ------- | ----- | +| reverse.frontend.domain | Domain Name for this service | mydomain.local | valid domain name | +| reverse.frontend.path | Domain path (warning, no rewrite url) | / | valid path, with / | +| reverse.frontend.auth | For auth basic | none | user:encryptpassword | +| reverse.frontend.ssltype | Choose ssl type | ec384 | rsa2048, rsa4096, rsa8192, ec256 or ec384 | +| reverse.frontend.domain\_max\_body\_size | Choose max size upload | 200M | Numeric value with unit (K,M,G,T) | +| reverse.frontend.ssl | Generate letsencrypt certificate | false | true or false | +| reverse.backend.port | Port use by container | 8080 | Valid port number | + +More labels soon !!! + +### Launch +#### First launch another container +For exemple, I launch lutim container : +```shell +$ docker run -d \ + --name lutim \ + --label reverse.frontend.domain=sub.domain.com \ + --label reverse.frontend.path=lutim \ + --label reverse.frontend.auth=USER:$(openssl passwd -crypt PASSWORD) \ + --label reverse.frontend.ssltype=ec256 \ + --label reverse.frontend.ssl = true \ + --label reverse.backend.port=8181 \ + -v /docker/config/lutim/data:/data \ + -v /docker/data/lutim:/lutim/files \ + -e UID=1001 \ + -e GID=1001 \ + -e WEBROOT=/lutim \ + -e SECRET=$(date +%s | md5sum | head -c 32) \ + -e CONTACT=contact@domain.com \ + -e MAX_FILE_SIZE=250000000 \ + xataz/lutim +``` + + +#### Launch reverse-nginx +```shell +docker run -d \ + -p 80:8080 \ + -p 443:8443 \ + --name reverse \ + -e EMAIL=me@mydomain.com \ + -v /var/run/docker.sock:/var/run/docker.sock \ + xataz/reverse-nginx +``` + +URI Access : https://sub.domain.com/lutim + + + diff --git a/reverse/auto_upgrade.sh b/reverse/auto_upgrade.sh new file mode 100755 index 0000000..200243e --- /dev/null +++ b/reverse/auto_upgrade.sh @@ -0,0 +1,32 @@ +#!/bin/bash + +NGINX_MAINLINE_VERSION=$(grep "NGINX_VER=" Dockerfile | cut -d"=" -f2) +NEW_NGINX_MAINLINE_VERSION=$(curl http://nginx.org/en/download.html 2> /dev/null | sed 's|>|>\n|g' | grep '^ { + include /nginx/conf.d/proxy.conf; + client_max_body_size ; + proxy_pass http://:; + } \ No newline at end of file diff --git a/reverse/rootfs/nginx/path.d/template_auth b/reverse/rootfs/nginx/path.d/template_auth new file mode 100644 index 0000000..eea9bf7 --- /dev/null +++ b/reverse/rootfs/nginx/path.d/template_auth @@ -0,0 +1,7 @@ + location { + include /nginx/conf.d/proxy.conf; + auth_basic "Who's this?"; + auth_basic_user_file ""; + client_max_body_size ; + proxy_pass http://:; + } \ No newline at end of file diff --git a/reverse/rootfs/nginx/sites-enabled/template b/reverse/rootfs/nginx/sites-enabled/template new file mode 100644 index 0000000..d82fd18 --- /dev/null +++ b/reverse/rootfs/nginx/sites-enabled/template @@ -0,0 +1,6 @@ +server { + listen 8080; + server_name ; + include /nginx/conf.d/headers.conf; + include /nginx/path.d//*.conf; +} \ No newline at end of file diff --git a/reverse/rootfs/nginx/sites-enabled/template_ssl b/reverse/rootfs/nginx/sites-enabled/template_ssl new file mode 100644 index 0000000..70a6fc5 --- /dev/null +++ b/reverse/rootfs/nginx/sites-enabled/template_ssl @@ -0,0 +1,27 @@ +server { + listen 8080; + server_name ; + + rewrite ^ https://:443$request_uri? permanent; +} + + +server { + + listen 8443 ssl http2; + server_name ; + index index.html index.php index.htm; + + ssl_certificate /nginx/ssl/certificates/.crt; + ssl_certificate_key /nginx/ssl/certificates/.key; + ssl_trusted_certificate /nginx/ssl/certificates/.chain.pem; + include /nginx/conf.d/ssl.conf; + include /nginx/conf.d/headers.conf; + + include /nginx/path.d//*.conf; + + location ~ /\.well-known/acme-challenge { + root /nginx/www/; + allow all; + } +} diff --git a/reverse/rootfs/nginx/www/letsencrypt b/reverse/rootfs/nginx/www/letsencrypt new file mode 100644 index 0000000..e69de29 diff --git a/reverse/rootfs/usr/local/bin/check_certs b/reverse/rootfs/usr/local/bin/check_certs new file mode 100644 index 0000000..8054b3a --- /dev/null +++ b/reverse/rootfs/usr/local/bin/check_certs @@ -0,0 +1,64 @@ +#!/bin/sh + +## Variables +CSI="\033[" +CEND="${CSI}0m" +CRED="${CSI}1;31m" +CGREEN="${CSI}1;32m" +CYELLOW="${CSI}1;33m" +CBLUE="${CSI}1;34m" + +## Functions +f_log() { + LOG_TYPE=$1 + LOG_MESSAGE=$2 + + case "${LOG_TYPE}" in + "INF") + echo -e "${CBLUE}=INF= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}" + ;; + "WRN") + echo -e "${CYELLOW}=WRN= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}" + ;; + "ERR") + echo -e "${CRED}=ERR= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}" + ;; + esac +} + +f_check_certs() { + LIST_DOMAINS=$(ls /nginx/ssl/certificates | grep .crt | grep -v issuer | sed 's|.crt||g') + RELOAD_NGINX=0 + + for domain in ${LIST_DOMAINS}; do + CERTFILE=/nginx/ssl/certificates/${domain}.cert.pem + KEYFILE=/nginx/ssl/certificates/${domain}.key + CHAINFILE=/nginx/ssl/certificates/${domain}.chain.pem + FULLCHAINFILE=/nginx/ssl/certificates/${domain}.crt + + mkdir -p /nginx/www/${domain} + openssl x509 -checkend 864000 -noout -in "${FULLCHAINFILE}" + if [ $? == 0 ]; then + f_log INF "Certificate for ${domain} is good for another 10 days!" + else + f_log INF "Generate New Certificate for ${domain}" + /usr/local/bin/lego -a -m ${EMAIL} -d ${domain} --path /nginx/ssl --webroot /nginx/www/${domain} renew + if [ $? == 0 ]; then + if [ -e ${FULLCHAINFILE} ]; then + head -$(grep -n "END CERTIFICATE" ${FULLCHAINFILE} | head -1 | cut -d: -f1) ${FULLCHAINFILE} > ${CERTFILE} + tail -$(($(wc -l ${FULLCHAINFILE} | awk '{print $1}')-$(grep -n "END CERTIFICATE" ${FULLCHAINFILE} | head -1 | cut -d: -f1))) ${FULLCHAINFILE} > ${CHAINFILE} + RELOAD_NGINX=1 + f_log INF "New Certificate for ${domain} generated" + fi + else + f_log ERR "New Certificate for ${domain} not generated" + fi + fi + done +} + +f_check_certs + +if [ ${RELOAD_NGINX} -eq 1 ]; then + nginx reload +fi diff --git a/reverse/rootfs/usr/local/bin/startup b/reverse/rootfs/usr/local/bin/startup new file mode 100644 index 0000000..57ad10b --- /dev/null +++ b/reverse/rootfs/usr/local/bin/startup @@ -0,0 +1,182 @@ +#!/bin/sh + +## Variables +CSI="\033[" +CEND="${CSI}0m" +CRED="${CSI}1;31m" +CGREEN="${CSI}1;32m" +CYELLOW="${CSI}1;33m" +CBLUE="${CSI}1;34m" + +## Functions +f_log() { + LOG_TYPE=$1 + LOG_MESSAGE=$2 + + case "${LOG_TYPE}" in + "INF") + echo -e "${CBLUE}=INF= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}" + ;; + "SUC") + echo -e "${CGREEN}=SUC= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}" + ;; + "WRN") + echo -e "${CYELLOW}=WRN= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}" + ;; + "ERR") + echo -e "${CRED}=ERR= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}" + ;; + esac +} + +f_gen_sites_enabled() { + if [ "${FRONTEND_SSL}" == "true" ]; then + template_sites=/nginx/sites-enabled/template_ssl + else + template_sites=/nginx/sites-enabled/template + fi + sed -e 's||'${FRONTEND_DOMAIN}'|' ${template_sites} > /nginx/sites-enabled/${FRONTEND_DOMAIN}.conf +} + +f_gen_location() { + container_name=$1 + if [ ! -d /nginx/path.d/${FRONTEND_DOMAIN} ]; then + mkdir -p /nginx/path.d/${FRONTEND_DOMAIN} + fi + + if [ "${FRONTEND_PATH}" == "/" ]; then + path_file=/nginx/path.d/${FRONTEND_DOMAIN}/base.conf + auth_file=/nginx/auth/${FRONTEND_DOMAIN}/base.auth + else + path_file=/nginx/path.d/${FRONTEND_DOMAIN}/${FRONTEND_PATH}.conf + auth_file=/nginx/auth/${FRONTEND_DOMAIN}/${FRONTEND_PATH}.auth + fi + if [ ! -e ${path_file} ]; then + if [ "${FRONTEND_AUTH}" != "" ]; then + mkdir -p /nginx/auth/${FRONTEND_DOMAIN} + sed -e 's||'${FRONTEND_MAX_BODY_SIZE}'|' \ + -e 's||'${container_name}'|' \ + -e 's||'${BACKEND_PORT}'|' \ + -e 's||'${FRONTEND_DOMAIN}'|' \ + -e 's||'${FRONTEND_PATH}'|' \ + -e 's||'${auth_file}'|' /nginx/path.d/template_auth > ${path_file} + echo "${FRONTEND_AUTH}" > ${auth_file} + else + sed -e 's||'${FRONTEND_MAX_BODY_SIZE}'|' \ + -e 's||'${container_name}'|' \ + -e 's||'${BACKEND_PORT}'|' \ + -e 's||'${FRONTEND_PATH}'|' /nginx/path.d/template > ${path_file} + fi + fi +} + +f_gen_certs() { + container_name=$1 + if [ "${FRONTEND_SSL}" == "true" ]; then + CERTFILE=/nginx/ssl/certificates/${FRONTEND_DOMAIN}.cert.pem + KEYFILE=/nginx/ssl/certificates/${FRONTEND_DOMAIN}.key + CHAINFILE=/nginx/ssl/certificates/${FRONTEND_DOMAIN}.chain.pem + FULLCHAINFILE=/nginx/ssl/certificates/${FRONTEND_DOMAIN}.crt + if [ ! -e ${CERTFILE} ] || [ ! -e ${KEYFILE} ] || [ ! -e ${CHAINFILE} ] || [ ! -e ${FULLCHAINFILE} ]; then + mkdir -p /nginx/www/${FRONTEND_DOMAIN} + /usr/local/bin/lego -a -m ${EMAIL} -d ${FRONTEND_DOMAIN} --path /nginx/ssl --http :8080 --tls :8443 -k ${FRONTEND_SSLTYPE} run + if [ $? == 0 ]; then + head -$(grep -n "END CERTIFICATE" ${FULLCHAINFILE} | head -1 | cut -d: -f1) ${FULLCHAINFILE} > ${CERTFILE} + tail -$(($(wc -l ${FULLCHAINFILE} | awk '{print $1}')-$(grep -n "END CERTIFICATE" ${FULLCHAINFILE} | head -1 | cut -d: -f1))) ${FULLCHAINFILE} > ${CHAINFILE} + chown -R ${UID}:${GID} /nginx/ssl/ + fi + [[ $? == 0 ]] && f_log INF "New Certificate for ${FRONTEND_DOMAIN} generated" || f_log ERR "New Certificate for ${FRONTEND_DOMAIN} not generated" + fi + fi +} + + + +f_make_conf() { + + FRONTEND_DOMAIN=mydomain.local + FRONTEND_MAX_BODY_SIZE=200M + FRONTEND_SSLTYPE=ec384 + BACKEND_PORT=8080 + FRONTEND_PATH="/" + FRONTEND_SSL=false + FRONTEND_AUTH="" + + container_name=$1 + IFS=$'\n' + if [ "${CONTAINER_LABELS}" != "" ]; then + for label in ${CONTAINER_LABELS}; do + case "$(echo ${label} | awk '{print $1}')" in + "reverse.frontend.domain") + FRONTEND_DOMAIN="" + FRONTEND_DOMAIN="$(echo ${label} | awk '{print $2}')" + ;; + "reverse.frontend.path") + FRONTEND_PATH="$(echo ${label} | awk '{print $2}')" + ;; + "reverse.frontend.auth") + FRONTEND_AUTH="$(echo ${label} | awk '{print $2}')" + ;; + "reverse.frontend.ssltype") + FRONTEND_SSLTYPE="$(echo ${label} | awk '{print $2}')" + ;; + "reverse.frontend.domain_max_body_size") + FRONTEND_MAX_BODY_SIZE="$(echo ${label} | awk '{print $2}')" + ;; + "reverse.frontend.ssl") + FRONTEND_SSL="$(echo ${label} | awk '{print $2}')" + ;; + "reverse.backend.port") + BACKEND_PORT="$(echo ${label} | awk '{print $2}')" + ;; + esac + done + f_log INF "Generate files for ${FRONTEND_DOMAIN}, with path=${FRONTEND_PATH}, auth=${FRONTEND_AUTH}, ssl_type=${FRONTEND_SSLTYPE}, ssl=${FRONTEND_SSL} and port=${BACKEND_PORT}" + f_gen_location ${container_name} + f_gen_sites_enabled + f_gen_certs ${container_name} + fi +} + + +# Check /var/run/docker.sock +f_log INF "Check if /var/run/docker.sock exist ..." +ls /var/run/docker.sock > /dev/null 2>&1 +if [ $? == 0 ]; then + f_log INF "/var/run/docker.sock exist ..." +else + f_log ERR "/var/run/docker.sock don't exist ..." + exit 1 +fi + + +f_log INF "Start reverse configuration ..." + +# Prepare container +f_log INF "Create user 'reverse'" +addgroup -g ${GID} reverse && adduser -H -s /bin/sh -D -G reverse -u ${UID} reverse +f_log INF "Create folder" +mkdir -p /nginx/sites-enabled /nginx /nginx/log /nginx/run /nginx/sites-enabled /nginx/ssl /nginx/ssl/selfsigned/dhparam + + +# Generate file +for container in $(curl --unix-socket /var/run/docker.sock http://localhost/containers/json 2> /dev/null | jq '.[].Names' | sed 's|.*"/\(.*\)"$|\1|;/\[/d;/\]/d'); do + CONTAINER_LABELS=$(curl --unix-socket /var/run/docker.sock http://localhost/containers/${container}/json 2> /dev/null | jq '.Config.Labels' | grep -E "reverse\." | sed 's|.*"\(.*\)": "\(.*\)".*$|\1 \2|') + f_make_conf ${container} +done + +f_log INF "Apply permissions" +chown -R reverse:reverse /nginx /etc/s6.d +chmod +x /usr/local/bin/check_certs +find /etc/s6.d -name run -exec chmod +x {} \; +find /etc/s6.d -name finish -exec chmod +x {} \; + +f_log SUC "End reverse configuration" + + +## run s6 +if [ $# -gt 0 ]; then + exec su-exec reverse:reverse "$@" +else + exec su-exec reverse:reverse /bin/s6-svscan /etc/s6.d +fi