Termas_LibreCloud/nginx
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

chore: pipe and src

Browse Source
This commit is contained in:
Jesús Pérez Lorenzo 2021-06-29 03:52:58 +01:00
parent 40b6165f00
commit ece33f9ed8
23 changed files with 907 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
pipeline/PersistentVolumeCDCI.yaml Normal file
View File

@ -0,0 +1,29 @@
kind: PersistentVolume
apiVersion: v1
metadata:
name: cdci-nginx-pvc-volume
namespace: cdci-librecloud-online
labels:
type: local
spec:
storageClassName: manual
persistentVolumeReclaimPolicy: Delete
capacity:
storage: 1Gi
accessModes:
- ReadWriteOnce
hostPath:
path: "/mnt/cdci"
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: cdci-nginx-pvc
namespace: cdci-librecloud-online
spec:
storageClassName: manual
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi

6
pipeline/down.sh Executable file
View File

@ -0,0 +1,6 @@
#/bin/bash
kubectl delete -f pipeline-run.yaml 2>/dev/null
kubectl delete -f pipeline.yaml 2>/dev/null
kubectl delete -f task.yaml 2>/dev/null
kubectl delete -f PersistentVolumeCDCI.yaml 2>/dev/null
kubectl delete -f pipe-resource.yaml 2>/dev/null

24
pipeline/pipe-resource.yaml Normal file
View File

@ -0,0 +1,24 @@
apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
name: librecloud-nginx-img
namespace: cdci-librecloud-online
spec:
type: image
params:
- name: url
value: termas.librecloud.online/termas_librecloud/nginx:1.21.0
---
apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
name: librecloud-nginx-git
namespace: cdci-librecloud-online
spec:
type: git
params:
- name: revision
value: master
- name: url
value: https://rlung.librecloud.online/Termas_LibreCloud/nginx.git

22
pipeline/pipeline-run.yaml Normal file
View File

@ -0,0 +1,22 @@
apiVersion: tekton.dev/v1alpha1
kind: PipelineRun
metadata:
name: cdci-nginx
namespace: cdci-librecloud-online
spec:
serviceAccountName: build-bot
pipelineRef:
name: cdci-nginx
# podTemplate:
#volumes:
#- name: cdci-volume
# #emptyDir: {}
# persistentVolumeClaim:
# claimName: cdci-nginx-pvc
resources:
- name: source-repo
resourceRef:
name: librecloud-nginx-git
- name: target-image
resourceRef:
name: librecloud-nginx-img

32
pipeline/pipeline.yaml Normal file
View File

@ -0,0 +1,32 @@
apiVersion: tekton.dev/v1alpha1
kind: Pipeline
metadata:
name: cdci-nginx
namespace: cdci-librecloud-online
spec:
#serviceAccount: build-bot
resources:
- name: source-repo
type: git
#resourceRef:
# name: librecloud-nginx-git
- name: target-image
type: image
#resourceRef:
# name: librecloud-nginx-img
tasks:
- name: build-nginx-img
taskRef:
name: nginx-build-image-from-git-source
params:
- name: pathToDockerFile
value: /workspace/source/src
- name: pathToContext
value: /workspace/source/src #configure: may change according to your source
resources:
inputs:
- name: source
resource: source-repo
outputs:
- name: builtImage
resource: target-image

91
pipeline/task.yaml Normal file
View File

@ -0,0 +1,91 @@
apiVersion: tekton.dev/v1alpha1
kind: Task
metadata:
name: nginx-build-image-from-git-source
namespace: cdci-librecloud-online
spec:
#serviceAccount: build-bot
inputs:
params:
- name: pathToDockerFile
type: string
description: The path to the dockerfile to build
default: /workspace/source/src/Dockerfile
- name: pathToContext
type: string
description:
The build context used by Kaniko
(https://github.com/GoogleContainerTools/kaniko#kaniko-build-contexts)
default: /workspace/source/src
- name: DOCKERFILE
type: string
description: The name of the Dockerfile
default: "Dockerfile"
- name: BUILDKIT_CLIENT_IMAGE
type: string
description: The name of the BuildKit client (buildctl) image
default: "docker.io/moby/buildkit:master-rootless"
- name: BUILDKIT_DAEMON_ADDRESS
type: string
description: The address of the BuildKit daemon (buildkitd) service
default: "tcp://buildkitd:1234"
resources:
- name: source
type: git
outputs:
resources:
- name: builtImage
type: image
volumes:
- name: dckr-cfg-volume
secret:
secretName: regcred
- name: ssh-volume
secret:
secretName: ssh-key
- name: certs
secret:
secretName: buildkit-client-certs
steps:
- name: build-and-push
image: $(inputs.params.BUILDKIT_CLIENT_IMAGE)
workingDir: /workspace/source
command: [ "buildctl" ]
args:
- --tlscacert
- /certs/ca.pem
- --tlscert
- /certs/cert.pem
- --tlskey
- /certs/key.pem
- --debug
- --addr=$(inputs.params.BUILDKIT_DAEMON_ADDRESS)
- build
- --progress=plain
- --frontend=dockerfile.v0
- --opt
- filename=$(inputs.params.DOCKERFILE)
- --local
- context=$(inputs.params.pathToContext)
- --local
- dockerfile=$(inputs.params.pathToDockerFile)
- --output
- type=image,name=$(outputs.resources.builtImage.url),push=true
- --export-cache
- type=inline
- --import-cache
- type=registry,ref=$(outputs.resources.builtImage.url)
volumeMounts:
- name: certs
readOnly: true
mountPath: /certs
- name: ssh-volume
readOnly: true
mountPath: /.ssh

24
pipeline/up.sh Executable file
View File

@ -0,0 +1,24 @@
#/bin/bash
FOLLOW_UP="yes"
NS_DOMAIN="cdci-librecloud-online"
PIPELINE_NAME="cdci-nginx"
[ "$1" == "-s" ] && FOLLOW_UP=""
is_running=`kubectl get pods -n $NS_DOMAIN | grep $PIPELINE_NAME 2>/dev/null`
if [ -n "$is_running" ] ; then
kubectl delete -f pipeline-run.yaml 2>/dev/null
kubectl delete -f pipeline.yaml 2>/dev/null
kubectl delete -f task.yaml 2>/dev/null
kubectl delete -f pipe-resource.yaml 2>/dev/null
fi
kubectl delete -f PersistentVolumeCDCI.yaml 2>/dev/null
kubectl create -f PersistentVolumeCDCI.yaml
#. lib_dply.sh
#make_host_alias task
kubectl apply -f pipe-resource.yaml
kubectl apply -f task.yaml
kubectl apply -f pipeline.yaml
kubectl apply -f pipeline-run.yaml
if [ -n "$FOLLOW_UP" ] ; then
has_tkn=`type tkn 2>/dev/null`
[ -n "$has_tkn" ] && tkn pipelinerun logs -f $PIPELINE_NAME -n $NS_DOMAIN
fi

14
repo-config.yaml Normal file
View File

@ -0,0 +1,14 @@
Active: true
# Active: false # to not follow up webhook workflow
# Sources for src file
Repo: https://github.com/nginxinc/docker-nginx.git
Source: docker-nginx/mainline/alpine
# Name - Version, etc
Name: nginx
Version: 1.21.0
# To get latest
IMAGE_NAME: nginx
IMAGE_MATCH: 1.21

61
src/10-listen-on-ipv6-by-default.sh Executable file
View File

@ -0,0 +1,61 @@
#!/bin/sh
# vim:sw=4:ts=4:et
set -e
ME=$(basename $0)
DEFAULT_CONF_FILE="etc/nginx/conf.d/default.conf"
# check if we have ipv6 available
if [ ! -f "/proc/net/if_inet6" ]; then
echo >&3 "$ME: info: ipv6 not available"
exit 0
fi
if [ ! -f "/$DEFAULT_CONF_FILE" ]; then
echo >&3 "$ME: info: /$DEFAULT_CONF_FILE is not a file or does not exist"
exit 0
fi
# check if the file can be modified, e.g. not on a r/o filesystem
touch /$DEFAULT_CONF_FILE 2>/dev/null || { echo >&3 "$ME: info: can not modify /$DEFAULT_CONF_FILE (read-only file system?)"; exit 0; }
# check if the file is already modified, e.g. on a container restart
grep -q "listen \[::]\:80;" /$DEFAULT_CONF_FILE && { echo >&3 "$ME: info: IPv6 listen already enabled"; exit 0; }
if [ -f "/etc/os-release" ]; then
. /etc/os-release
else
echo >&3 "$ME: info: can not guess the operating system"
exit 0
fi
echo >&3 "$ME: info: Getting the checksum of /$DEFAULT_CONF_FILE"
case "$ID" in
"debian")
CHECKSUM=$(dpkg-query --show --showformat='${Conffiles}\n' nginx | grep $DEFAULT_CONF_FILE | cut -d' ' -f 3)
echo "$CHECKSUM /$DEFAULT_CONF_FILE" | md5sum -c - >/dev/null 2>&1 || {
echo >&3 "$ME: info: /$DEFAULT_CONF_FILE differs from the packaged version"
exit 0
}
;;
"alpine")
CHECKSUM=$(apk manifest nginx 2>/dev/null| grep $DEFAULT_CONF_FILE | cut -d' ' -f 1 | cut -d ':' -f 2)
echo "$CHECKSUM /$DEFAULT_CONF_FILE" | sha1sum -c - >/dev/null 2>&1 || {
echo >&3 "$ME: info: /$DEFAULT_CONF_FILE differs from the packaged version"
exit 0
}
;;
*)
echo >&3 "$ME: info: Unsupported distribution"
exit 0
;;
esac
# enable ipv6 on default.conf listen sockets
sed -i -E 's,listen 80;,listen 80;\n listen [::]:80;,' /$DEFAULT_CONF_FILE
echo >&3 "$ME: info: Enabled listen on IPv6 in /$DEFAULT_CONF_FILE"
exit 0

32
src/20-envsubst-on-templates.sh Executable file
View File

@ -0,0 +1,32 @@
#!/bin/sh
set -e
ME=$(basename $0)
auto_envsubst() {
local template_dir="${NGINX_ENVSUBST_TEMPLATE_DIR:-/etc/nginx/templates}"
local suffix="${NGINX_ENVSUBST_TEMPLATE_SUFFIX:-.template}"
local output_dir="${NGINX_ENVSUBST_OUTPUT_DIR:-/etc/nginx/conf.d}"
local template defined_envs relative_path output_path subdir
defined_envs=$(printf '${%s} ' $(env | cut -d= -f1))
[ -d "$template_dir" ] || return 0
if [ ! -w "$output_dir" ]; then
echo >&3 "$ME: ERROR: $template_dir exists, but $output_dir is not writable"
return 0
fi
find "$template_dir" -follow -type f -name "*$suffix" -print | while read -r template; do
relative_path="${template#$template_dir/}"
output_path="$output_dir/${relative_path%$suffix}"
subdir=$(dirname "$relative_path")
# create a subdirectory where the template file exists
mkdir -p "$output_dir/$subdir"
echo >&3 "$ME: Running envsubst on $template to $output_path"
envsubst "$defined_envs" < "$template" > "$output_path"
done
}
auto_envsubst
exit 0

188
src/30-tune-worker-processes.sh Executable file
View File

@ -0,0 +1,188 @@
#!/bin/sh
# vim:sw=2:ts=2:sts=2:et
set -eu
LC_ALL=C
ME=$( basename "$0" )
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[ "${NGINX_ENTRYPOINT_WORKER_PROCESSES_AUTOTUNE:-}" ] || exit 0
touch /etc/nginx/nginx.conf 2>/dev/null || { echo >&2 "$ME: error: can not modify /etc/nginx/nginx.conf (read-only file system?)"; exit 0; }
ceildiv() {
num=$1
div=$2
echo $(( (num + div - 1) / div ))
}
get_cpuset() {
cpusetroot=$1
cpusetfile=$2
ncpu=0
[ -f "$cpusetroot/$cpusetfile" ] || return 1
for token in $( tr ',' ' ' < "$cpusetroot/$cpusetfile" ); do
case "$token" in
*-*)
count=$( seq $(echo "$token" | tr '-' ' ') | wc -l )
ncpu=$(( ncpu+count ))
;;
*)
ncpu=$(( ncpu+1 ))
;;
esac
done
echo "$ncpu"
}
get_quota() {
cpuroot=$1
ncpu=0
[ -f "$cpuroot/cpu.cfs_quota_us" ] || return 1
[ -f "$cpuroot/cpu.cfs_period_us" ] || return 1
cfs_quota=$( cat "$cpuroot/cpu.cfs_quota_us" )
cfs_period=$( cat "$cpuroot/cpu.cfs_period_us" )
[ "$cfs_quota" = "-1" ] && return 1
[ "$cfs_period" = "0" ] && return 1
ncpu=$( ceildiv "$cfs_quota" "$cfs_period" )
[ "$ncpu" -gt 0 ] || return 1
echo "$ncpu"
}
get_quota_v2() {
cpuroot=$1
ncpu=0
[ -f "$cpuroot/cpu.max" ] || return 1
cfs_quota=$( cut -d' ' -f 1 < "$cpuroot/cpu.max" )
cfs_period=$( cut -d' ' -f 2 < "$cpuroot/cpu.max" )
[ "$cfs_quota" = "max" ] && return 1
[ "$cfs_period" = "0" ] && return 1
ncpu=$( ceildiv "$cfs_quota" "$cfs_period" )
[ "$ncpu" -gt 0 ] || return 1
echo "$ncpu"
}
get_cgroup_v1_path() {
needle=$1
found=
foundroot=
mountpoint=
[ -r "/proc/self/mountinfo" ] || return 1
[ -r "/proc/self/cgroup" ] || return 1
while IFS= read -r line; do
case "$needle" in
"cpuset")
case "$line" in
*cpuset*)
found=$( echo "$line" | cut -d ' ' -f 4,5 )
break
;;
esac
;;
"cpu")
case "$line" in
*cpuset*)
;;
*cpu,cpuacct*|*cpuacct,cpu|*cpuacct*|*cpu*)
found=$( echo "$line" | cut -d ' ' -f 4,5 )
break
;;
esac
esac
done << __EOF__
$( grep -F -- '- cgroup ' /proc/self/mountinfo )
__EOF__
while IFS= read -r line; do
controller=$( echo "$line" | cut -d: -f 2 )
case "$needle" in
"cpuset")
case "$controller" in
cpuset)
mountpoint=$( echo "$line" | cut -d: -f 3 )
break
;;
esac
;;
"cpu")
case "$controller" in
cpu,cpuacct|cpuacct,cpu|cpuacct|cpu)
mountpoint=$( echo "$line" | cut -d: -f 3 )
break
;;
esac
;;
esac
done << __EOF__
$( grep -F -- 'cpu' /proc/self/cgroup )
__EOF__
case "${found%% *}" in
"/")
foundroot="${found##* }$mountpoint"
;;
"$mountpoint")
foundroot="${found##* }"
;;
esac
echo "$foundroot"
}
get_cgroup_v2_path() {
found=
foundroot=
mountpoint=
[ -r "/proc/self/mountinfo" ] || return 1
[ -r "/proc/self/cgroup" ] || return 1
while IFS= read -r line; do
found=$( echo "$line" | cut -d ' ' -f 4,5 )
done << __EOF__
$( grep -F -- '- cgroup2 ' /proc/self/mountinfo )
__EOF__
while IFS= read -r line; do
mountpoint=$( echo "$line" | cut -d: -f 3 )
done << __EOF__
$( grep -F -- '0::' /proc/self/cgroup )
__EOF__
case "${found%% *}" in
"")
return 1
;;
"/")
foundroot="${found##* }$mountpoint"
;;
"$mountpoint")
foundroot="${found##* }"
;;
esac
echo "$foundroot"
}
ncpu_online=$( getconf _NPROCESSORS_ONLN )
ncpu_cpuset=
ncpu_quota=
ncpu_cpuset_v2=
ncpu_quota_v2=
cpuset=$( get_cgroup_v1_path "cpuset" ) && ncpu_cpuset=$( get_cpuset "$cpuset" "cpuset.effective_cpus" ) || ncpu_cpuset=$ncpu_online
cpu=$( get_cgroup_v1_path "cpu" ) && ncpu_quota=$( get_quota "$cpu" ) || ncpu_quota=$ncpu_online
cgroup_v2=$( get_cgroup_v2_path ) && ncpu_cpuset_v2=$( get_cpuset "$cgroup_v2" "cpuset.cpus.effective" ) || ncpu_cpuset_v2=$ncpu_online
cgroup_v2=$( get_cgroup_v2_path ) && ncpu_quota_v2=$( get_quota_v2 "$cgroup_v2" ) || ncpu_quota_v2=$ncpu_online
ncpu=$( printf "%s\n%s\n%s\n%s\n%s\n" \
"$ncpu_online" \
"$ncpu_cpuset" \
"$ncpu_quota" \
"$ncpu_cpuset_v2" \
"$ncpu_quota_v2" \
| sort -n \
| head -n 1 )
sed -i.bak -r 's/^(worker_processes)(.*)$/# Commented out by '"$ME"' on '"$(date)"'\n#\1\2\n\1 '"$ncpu"';/' /etc/nginx/nginx.conf

134
src/Dockerfile Normal file
View File

@ -0,0 +1,134 @@
#
# NOTE: THIS DOCKERFILE IS GENERATED VIA "update.sh"
#
# PLEASE DO NOT EDIT IT DIRECTLY.
#
FROM alpine:3.13
LABEL maintainer="NGINX Docker Maintainers <docker-maint@nginx.com>"
ENV NGINX_VERSION 1.21.0
ENV NJS_VERSION 0.5.3
ENV PKG_RELEASE 1
RUN set -x \
# create nginx user/group first, to be consistent throughout docker variants
&& addgroup -g 101 -S nginx \
&& adduser -S -D -H -u 101 -h /var/cache/nginx -s /sbin/nologin -G nginx -g nginx nginx \
&& addgroup -g 82 -S www-data \
&& adduser -S -D -H -u 82 -h /var/cache/nginx -s /sbin/nologin -G www-data -g www-data www-data \
&& apkArch="$(cat /etc/apk/arch)" \
&& nginxPackages=" \
nginx=${NGINX_VERSION}-r${PKG_RELEASE} \
nginx-module-xslt=${NGINX_VERSION}-r${PKG_RELEASE} \
nginx-module-geoip=${NGINX_VERSION}-r${PKG_RELEASE} \
nginx-module-image-filter=${NGINX_VERSION}-r${PKG_RELEASE} \
nginx-module-njs=${NGINX_VERSION}.${NJS_VERSION}-r${PKG_RELEASE} \
" \
&& case "$apkArch" in \
x86_64|aarch64) \
# arches officially built by upstream
set -x \
&& KEY_SHA512="e7fa8303923d9b95db37a77ad46c68fd4755ff935d0a534d26eba83de193c76166c68bfe7f65471bf8881004ef4aa6df3e34689c305662750c0172fca5d8552a *stdin" \
&& apk add --no-cache --virtual .cert-deps \
openssl \
&& wget -O /tmp/nginx_signing.rsa.pub https://nginx.org/keys/nginx_signing.rsa.pub \
&& if [ "$(openssl rsa -pubin -in /tmp/nginx_signing.rsa.pub -text -noout | openssl sha512 -r)" = "$KEY_SHA512" ]; then \
echo "key verification succeeded!"; \
mv /tmp/nginx_signing.rsa.pub /etc/apk/keys/; \
else \
echo "key verification failed!"; \
exit 1; \
fi \
&& apk del .cert-deps \
&& apk add -X "https://nginx.org/packages/mainline/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \
;; \
*) \
# we're on an architecture upstream doesn't officially build for
# let's build binaries from the published packaging sources
set -x \
&& tempDir="$(mktemp -d)" \
&& chown nobody:nobody $tempDir \
&& apk add --no-cache --virtual .build-deps \
gcc \
libc-dev \
make \
openssl-dev \
pcre-dev \
zlib-dev \
linux-headers \
libxslt-dev \
gd-dev \
geoip-dev \
perl-dev \
libedit-dev \
mercurial \
bash \
alpine-sdk \
findutils \
&& su nobody -s /bin/sh -c " \
export HOME=${tempDir} \
&& cd ${tempDir} \
&& hg clone https://hg.nginx.org/pkg-oss \
&& cd pkg-oss \
&& hg up ${NGINX_VERSION}-${PKG_RELEASE} \
&& cd alpine \
&& make all \
&& apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \
" \
&& cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \
&& apk del .build-deps \
&& apk add -X ${tempDir}/packages/alpine/ --no-cache $nginxPackages \
;; \
esac \
# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
&& if [ -n "$tempDir" ]; then rm -rf "$tempDir"; fi \
&& if [ -n "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \
&& if [ -n "/etc/apk/keys/nginx_signing.rsa.pub" ]; then rm -f /etc/apk/keys/nginx_signing.rsa.pub; fi \
# Bring in gettext so we can get `envsubst`, then throw
# the rest away. To do this, we need to install `gettext`
# then move `envsubst` out of the way so `gettext` can
# be deleted completely, then move `envsubst` back.
&& apk add --no-cache --virtual .gettext gettext \
&& mv /usr/bin/envsubst /tmp/ \
\
&& runDeps="$( \
scanelf --needed --nobanner /tmp/envsubst \
| awk '{ gsub(/,/, "\nso:", $2); print "so:" $2 }' \
| sort -u \
| xargs -r apk info --installed \
| sort -u \
)" \
&& apk add --no-cache $runDeps \
&& apk del .gettext \
&& mv /tmp/envsubst /usr/local/bin/ \
# Bring in tzdata so users could set the timezones through the environment
# variables
&& apk add --no-cache tzdata \
# Bring in curl and ca-certificates to make registering on DNS SD easier
&& apk add --no-cache curl ca-certificates \
# forward request and error logs to docker log collector
&& ln -sf /dev/stdout /var/log/nginx/access.log \
&& ln -sf /dev/stderr /var/log/nginx/error.log \
# create a docker-entrypoint.d directory
&& mkdir /docker-entrypoint.d
## copy global
COPY ./global /etc/nginx/global
### copy server
COPY ./server /etc/nginx/server
COPY docker-entrypoint.sh /
COPY 10-listen-on-ipv6-by-default.sh /docker-entrypoint.d
COPY 20-envsubst-on-templates.sh /docker-entrypoint.d
COPY 30-tune-worker-processes.sh /docker-entrypoint.d
ENTRYPOINT ["/docker-entrypoint.sh"]
EXPOSE 80
EXPOSE 443
STOPSIGNAL SIGQUIT
CMD ["nginx", "-g", "daemon off;"]

38
src/docker-entrypoint.sh Executable file
View File

@ -0,0 +1,38 @@
#!/bin/sh
# vim:sw=4:ts=4:et
set -e
if [ -z "${NGINX_ENTRYPOINT_QUIET_LOGS:-}" ]; then
exec 3>&1
else
exec 3>/dev/null
fi
if [ "$1" = "nginx" -o "$1" = "nginx-debug" ]; then
if /usr/bin/find "/docker-entrypoint.d/" -mindepth 1 -maxdepth 1 -type f -print -quit 2>/dev/null | read v; then
echo >&3 "$0: /docker-entrypoint.d/ is not empty, will attempt to perform configuration"
echo >&3 "$0: Looking for shell scripts in /docker-entrypoint.d/"
find "/docker-entrypoint.d/" -follow -type f -print | sort -V | while read -r f; do
case "$f" in
*.sh)
if [ -x "$f" ]; then
echo >&3 "$0: Launching $f";
"$f"
else
# warn on shell scripts without exec bit
echo >&3 "$0: Ignoring $f, not executable";
fi
;;
*) echo >&3 "$0: Ignoring $f";;
esac
done
echo >&3 "$0: Configuration complete; ready for start up"
else
echo >&3 "$0: No files found in /docker-entrypoint.d/, skipping configuration"
fi
fi
exec "$@"

50
src/global/gzip.conf Normal file
View File

@ -0,0 +1,50 @@
# Enable Gzip compression.
gzip on;
# Disable Gzip on IE6.
gzip_disable "msie6";
# Allow proxies to cache both compressed and regular version of file.
# Avoids clients that don't support Gzip outputting gibberish.
gzip_vary on;
# Compress data, even when the client connects through a proxy.
gzip_proxied any;
# The level of compression to apply to files. A higher compression level increases
# CPU usage. Level 5 is a happy medium resulting in roughly 75% compression.
gzip_comp_level 5;
# The minimum HTTP version of a request to perform compression.
gzip_http_version 1.1;
# Don't compress files smaller than 256 bytes, as size reduction will be negligible.
gzip_min_length 256;
# Compress the following MIME types.
gzip_types
application/atom+xml
application/javascript
application/json
application/ld+json
application/manifest+json
application/rss+xml
application/vnd.geo+json
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/bmp
image/svg+xml
image/x-icon
text/cache-manifest
text/css
text/plain
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;
# text/html is always compressed when enabled.

8
src/global/http.conf Normal file
View File

@ -0,0 +1,8 @@
# Speed up file transfer by using sendfile().
sendfile on;
# Don't send partial frames, which increases throughput.
tcp_nopush on;
# Don't wait to send data in keep-alive state.
tcp_nodelay on;

17
src/global/limits.conf Normal file
View File

@ -0,0 +1,17 @@
# How long each connection should stay open for.
keepalive_timeout 15;
# Timeout for reading client request body.
client_body_timeout 30;
# Timeout for reading client request header.
client_header_timeout 30;
# Timeout for transmitting reponse to client.
send_timeout 30;
# Set the maximum allowed size of client request body. This should be set
# to the value of files sizes you wish to upload to the WordPress Media Library.
# You may also need to change the values `upload_max_filesize` and `post_max_size` within
# your php.ini for the changes to apply.
client_max_body_size 64m;

11
src/server/defaults.conf Normal file
View File

@ -0,0 +1,11 @@
# Should be included for most sites, as contains sensible defaults
# for file exclusions, security and static file caching.
# Exclusions
include server/exclusions.conf;
# Security
include server/security.conf;
# Static Content
include server/static-files.conf;

12
src/server/exclusions.conf Normal file
View File

@ -0,0 +1,12 @@
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~ /\. {
deny all;
}
# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}

34
src/server/fastcgi-cache.conf Normal file
View File

@ -0,0 +1,34 @@
# The key to use when saving cache files, which will run through the MD5 hashing algorithm.
fastcgi_cache_key "$scheme$request_method$host$request_uri";
# If an error occurs when communicating with FastCGI server, return cached content.
# Useful for serving cached content if the PHP process dies or timeouts.
fastcgi_cache_use_stale error timeout invalid_header http_500;
# Allow caching of requests which contain the following headers.
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
# Show the cache status in server responses.
add_header Fastcgi-Cache $upstream_cache_status;
# Don't skip by default
set $skip_cache 0;
# POST requests and urls with a query string should always go to PHP
if ($request_method = POST) {
set $skip_cache 1;
}
if ($query_string != "") {
set $skip_cache 1;
}
# Don't cache uris containing the following segments
if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml") {
set $skip_cache 1;
}
# Don't use the cache for logged in users or recent commenters
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
set $skip_cache 1;
}

6
src/server/multisite-subdirectory.conf Normal file
View File

@ -0,0 +1,6 @@
# Rewrite requests to `/wp-.*` on subdirectory installs.
if (!-e $request_filename) {
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
rewrite ^/[_0-9a-zA-Z-]+(/wp-.*) $1 last;
rewrite ^/[_0-9a-zA-Z-]+(/.*\.php)$ $1 last;
}

19
src/server/security.conf Normal file
View File

@ -0,0 +1,19 @@
# Generic security enhancements. Use https://securityheaders.io to test
# and recommend further improvements.
# Hide Nginx version in error messages and reponse headers.
server_tokens off;
# Don't allow pages to be rendered in an iframe on external domains.
add_header X-Frame-Options "SAMEORIGIN" always;
# MIME sniffing prevention
add_header X-Content-Type-Options "nosniff" always;
# Enable cross-site scripting filter in supported browsers.
add_header X-Xss-Protection "1; mode=block" always;
# Whitelist sources which are allowed to load assets (JS, CSS, etc). The following will block
# only none HTTPS assets, but check out https://scotthelme.co.uk/content-security-policy-an-introduction/
# for an in-depth guide on creating a more restrictive policy.
# add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;

23
src/server/ssl.conf Normal file
View File

@ -0,0 +1,23 @@
# Generic SSL enhancements. Use https://www.ssllabs.com/ssltest/ to test
# and recommend further improvements.
# Don't use outdated SSLv3 protocol. Protects against BEAST and POODLE attacks.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Use secure ciphers
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
# Define the size of the SSL session cache in MBs.
ssl_session_cache shared:SSL:10m;
# Define the time in minutes to cache SSL sessions.
ssl_session_timeout 1h;
# Use HTTPS exclusively for 1 year, uncomment one. Second line applies to subdomains.
add_header Strict-Transport-Security "max-age=31536000;";
# add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
# The default key used by DHE is weak and it's recommended to use a 2048 bit key.
# Uncomment this line if you have generated a custom key using `cd /etc/ssl/; sudo openssl dhparam -out dhparams.pem 2048`
# ssl_dhparam /etc/ssl/dhparams.pem;

32
src/server/static-files.conf Normal file
View File

@ -0,0 +1,32 @@
# Don't cache appcache, document html and data.
location ~* \.(?:manifest|appcache|html?|xml|json)$ {
expires -1;
}
# Cache RSS and Atom feeds.
location ~* \.(?:rss|atom)$ {
expires 1h;
add_header Cache-Control "public";
}
# Caches images, icons, video, audio, HTC, etc.
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
expires 1y;
add_header Cache-Control "public";
# Comment out these lines if you wish to record access/error logs for static files.
log_not_found off;
access_log off;
}
# Cache CSS and JavaScript.
location ~* \.(?:css|js|ttf|woff)$ {
expires 1y;
add_header Cache-Control "public";
}
# Don't record access/error logs for robots.txt.
location = /robots.txt {
log_not_found off;
access_log off;
}