hoellen/dockerfiles
1
0
Fork 0
mirror of https://github.com/hoellen/dockerfiles.git synced 2025-04-19 20:09:16 +00:00
Code Issues Projects Releases Wiki Activity
dockerfiles/reverse/README.md
Wonderfall 13f2d49927 initial commit
2016-04-11 15:59:32 +02:00

124 lines
3.9 KiB
Markdown
Raw Blame History

## wonderfall/reverse
**SIZE : ±39MB**
![](https://i.goopics.net/lv.jpg) ![](https://i.goopics.net/lL.png) ![](https://upload.wikimedia.org/wikipedia/en/2/25/LibreSSL_logo.jpg)
#### What is this?
It is nginx latest mainline statically linked against LibreSSL latest snapshot, with embedded Brotli support.
Secured by default (no root processes, even the master one). I made this image for my own purpose, but I added some flexibility so you can use it easily.
#### Features
- Based on Alpine Linux (3.3) : lightweight and secure distribution.
- nginx mainline + LibreSSL snapshot
- HTTP/2 support.
- Brotli compression support.
- No root master process. Better security.
- AIO Threads support.
- No unnessary modules.
- Optimized nginx configuration.
#### Notes
It is required to :
- chown your certs files with the right uid/pid (no other way)
- change `listen` directive to 8000/4430 instead of 80/443
By the way, it is recommended to **build this image** (using docker-compose 1.6 and later for args compatibily) directly instead of pulling it from Docker Hub.
#### Volumes
- **/sites-enabled** : should contain your vhosts files (.conf)
- **/conf.d** : additional configuration files if you want
- **/certs** : SSL/TLS certificates
- **/var/log/nginx** : nginx logs (access and error)
#### Build arguments
- **NGINX_VER** : nginx's version, change it if needed but the default version is tested
- **LIBRESSL_VER** : same as NGINX_VER
- **GID** : nginx group id *(default : 991)*
- **UID** : nginx user id *(default : 991)*
#### Source (Dockerfile)
https://github.com/Wonderfall/dockerfiles/tree/master/reverse
#### Examples : compose, vhost, TLS conf
**NOTES** :
- compose file must use version 2. [See more here](https://docs.docker.com/compose/compose-file/#version-2:91de898b5f5cdb090642a917d3dedf68).
- Docker 1.10+ and docker-compose 1.6+ are needed.
- if you're using docker-compose inside a container, pay attention to `context`.
```
# docker-compose.yml
nginx:
#image: wonderfall/reverse
build:
context: /path/to/reverse/dockerfile
dockerfile: Dockerfile
args:
- NGINX_VER=1.9.10
- LIBRESSL_VER=2.3.2
- GID=1000
- UID=1000
- BUILD_CORES=8
ports:
- "80:8000"
- "443:4430"
links:
- container_1:container_1
- container_2:container_2
- container_n:container_n
volumes:
- /mnt/docker/nginx/sites:/sites-enabled
- /mnt/docker/nginx/conf:/conf.d
- /etc/letsencrypt:/certs
- /mnt/docker/nginx/log:/var/log/nginx
```
```
# /mnt/docker/nginx/sites/service.conf
server {
listen 8000;
server_name service.domain.tld;
return 301 https://$host$request_uri;
}
server {
listen 4430 ssl http2;
server_name service.domain.tld;
ssl_certificate /certs/live/service.domain.tld/fullchain.pem;
ssl_certificate_key /certs/live/service.domain.tld/privkey.pem;
include /conf.d/ssl_params.conf;
include /conf.d/headers.conf;
#client_max_body_size 10M; #(M = Megabytes / G = Gigabytes)
location / {
proxy_pass http://container_n:$PORT;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Remote-Port $remote_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
}
}
```
```
# /mnt/docker/conf/ssl_params.conf
ssl_protocols TLSv1.2;
ssl_ciphers "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256";
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_session_tickets off;
```
```
# /mnt/docker/conf/headers.conf
add_header Strict-Transport-Security "max-age=31536000";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
```
Reference in New Issue View Git Blame Copy Permalink