From ece33f9ed8c51b69964236f8e55f215cfc14872f Mon Sep 17 00:00:00 2001 From: JesusPerez Date: Tue, 29 Jun 2021 03:52:58 +0100 Subject: [PATCH] chore: pipe and src --- pipeline/PersistentVolumeCDCI.yaml | 29 ++++ pipeline/down.sh | 6 + pipeline/pipe-resource.yaml | 24 ++++ pipeline/pipeline-run.yaml | 22 +++ pipeline/pipeline.yaml | 32 +++++ pipeline/task.yaml | 91 ++++++++++++ pipeline/up.sh | 24 ++++ repo-config.yaml | 14 ++ src/10-listen-on-ipv6-by-default.sh | 61 ++++++++ src/20-envsubst-on-templates.sh | 32 +++++ src/30-tune-worker-processes.sh | 188 +++++++++++++++++++++++++ src/Dockerfile | 134 ++++++++++++++++++ src/docker-entrypoint.sh | 38 +++++ src/global/gzip.conf | 50 +++++++ src/global/http.conf | 8 ++ src/global/limits.conf | 17 +++ src/server/defaults.conf | 11 ++ src/server/exclusions.conf | 12 ++ src/server/fastcgi-cache.conf | 34 +++++ src/server/multisite-subdirectory.conf | 6 + src/server/security.conf | 19 +++ src/server/ssl.conf | 23 +++ src/server/static-files.conf | 32 +++++ 23 files changed, 907 insertions(+) create mode 100644 pipeline/PersistentVolumeCDCI.yaml create mode 100755 pipeline/down.sh create mode 100644 pipeline/pipe-resource.yaml create mode 100644 pipeline/pipeline-run.yaml create mode 100644 pipeline/pipeline.yaml create mode 100644 pipeline/task.yaml create mode 100755 pipeline/up.sh create mode 100644 repo-config.yaml create mode 100755 src/10-listen-on-ipv6-by-default.sh create mode 100755 src/20-envsubst-on-templates.sh create mode 100755 src/30-tune-worker-processes.sh create mode 100644 src/Dockerfile create mode 100755 src/docker-entrypoint.sh create mode 100644 src/global/gzip.conf create mode 100644 src/global/http.conf create mode 100644 src/global/limits.conf create mode 100644 src/server/defaults.conf create mode 100644 src/server/exclusions.conf create mode 100644 src/server/fastcgi-cache.conf create mode 100644 src/server/multisite-subdirectory.conf create mode 100644 src/server/security.conf create mode 100644 src/server/ssl.conf create mode 100644 src/server/static-files.conf diff --git a/pipeline/PersistentVolumeCDCI.yaml b/pipeline/PersistentVolumeCDCI.yaml new file mode 100644 index 0000000..35c9eec --- /dev/null +++ b/pipeline/PersistentVolumeCDCI.yaml @@ -0,0 +1,29 @@ +kind: PersistentVolume +apiVersion: v1 +metadata: + name: cdci-nginx-pvc-volume + namespace: cdci-librecloud-online + labels: + type: local +spec: + storageClassName: manual + persistentVolumeReclaimPolicy: Delete + capacity: + storage: 1Gi + accessModes: + - ReadWriteOnce + hostPath: + path: "/mnt/cdci" +--- +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: cdci-nginx-pvc + namespace: cdci-librecloud-online +spec: + storageClassName: manual + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi diff --git a/pipeline/down.sh b/pipeline/down.sh new file mode 100755 index 0000000..28f48ff --- /dev/null +++ b/pipeline/down.sh @@ -0,0 +1,6 @@ +#/bin/bash +kubectl delete -f pipeline-run.yaml 2>/dev/null +kubectl delete -f pipeline.yaml 2>/dev/null +kubectl delete -f task.yaml 2>/dev/null +kubectl delete -f PersistentVolumeCDCI.yaml 2>/dev/null +kubectl delete -f pipe-resource.yaml 2>/dev/null diff --git a/pipeline/pipe-resource.yaml b/pipeline/pipe-resource.yaml new file mode 100644 index 0000000..7bb36ad --- /dev/null +++ b/pipeline/pipe-resource.yaml @@ -0,0 +1,24 @@ +apiVersion: tekton.dev/v1alpha1 +kind: PipelineResource +metadata: + name: librecloud-nginx-img + namespace: cdci-librecloud-online +spec: + type: image + params: + - name: url + value: termas.librecloud.online/termas_librecloud/nginx:1.21.0 +--- +apiVersion: tekton.dev/v1alpha1 +kind: PipelineResource +metadata: + name: librecloud-nginx-git + namespace: cdci-librecloud-online +spec: + type: git + params: + - name: revision + value: master + - name: url + value: https://rlung.librecloud.online/Termas_LibreCloud/nginx.git + diff --git a/pipeline/pipeline-run.yaml b/pipeline/pipeline-run.yaml new file mode 100644 index 0000000..66f3a8f --- /dev/null +++ b/pipeline/pipeline-run.yaml @@ -0,0 +1,22 @@ +apiVersion: tekton.dev/v1alpha1 +kind: PipelineRun +metadata: + name: cdci-nginx + namespace: cdci-librecloud-online +spec: + serviceAccountName: build-bot + pipelineRef: + name: cdci-nginx + # podTemplate: + #volumes: + #- name: cdci-volume + # #emptyDir: {} + # persistentVolumeClaim: + # claimName: cdci-nginx-pvc + resources: + - name: source-repo + resourceRef: + name: librecloud-nginx-git + - name: target-image + resourceRef: + name: librecloud-nginx-img diff --git a/pipeline/pipeline.yaml b/pipeline/pipeline.yaml new file mode 100644 index 0000000..c8dbb8a --- /dev/null +++ b/pipeline/pipeline.yaml @@ -0,0 +1,32 @@ +apiVersion: tekton.dev/v1alpha1 +kind: Pipeline +metadata: + name: cdci-nginx + namespace: cdci-librecloud-online +spec: + #serviceAccount: build-bot + resources: + - name: source-repo + type: git + #resourceRef: + # name: librecloud-nginx-git + - name: target-image + type: image + #resourceRef: + # name: librecloud-nginx-img + tasks: + - name: build-nginx-img + taskRef: + name: nginx-build-image-from-git-source + params: + - name: pathToDockerFile + value: /workspace/source/src + - name: pathToContext + value: /workspace/source/src #configure: may change according to your source + resources: + inputs: + - name: source + resource: source-repo + outputs: + - name: builtImage + resource: target-image diff --git a/pipeline/task.yaml b/pipeline/task.yaml new file mode 100644 index 0000000..539b0ee --- /dev/null +++ b/pipeline/task.yaml @@ -0,0 +1,91 @@ +apiVersion: tekton.dev/v1alpha1 +kind: Task +metadata: + name: nginx-build-image-from-git-source + namespace: cdci-librecloud-online +spec: + #serviceAccount: build-bot + inputs: + params: + - name: pathToDockerFile + type: string + description: The path to the dockerfile to build + default: /workspace/source/src/Dockerfile + - name: pathToContext + type: string + description: + The build context used by Kaniko + (https://github.com/GoogleContainerTools/kaniko#kaniko-build-contexts) + default: /workspace/source/src + - name: DOCKERFILE + type: string + description: The name of the Dockerfile + default: "Dockerfile" + - name: BUILDKIT_CLIENT_IMAGE + type: string + description: The name of the BuildKit client (buildctl) image + + default: "docker.io/moby/buildkit:master-rootless" + - name: BUILDKIT_DAEMON_ADDRESS + type: string + description: The address of the BuildKit daemon (buildkitd) service + default: "tcp://buildkitd:1234" + resources: + - name: source + type: git + outputs: + resources: + - name: builtImage + type: image + volumes: + + - name: dckr-cfg-volume + secret: + secretName: regcred + - name: ssh-volume + secret: + secretName: ssh-key + - name: certs + secret: + secretName: buildkit-client-certs + + steps: + - name: build-and-push + image: $(inputs.params.BUILDKIT_CLIENT_IMAGE) + + + workingDir: /workspace/source + + command: [ "buildctl" ] + args: + - --tlscacert + - /certs/ca.pem + - --tlscert + - /certs/cert.pem + - --tlskey + - /certs/key.pem + - --debug + - --addr=$(inputs.params.BUILDKIT_DAEMON_ADDRESS) + - build + - --progress=plain + - --frontend=dockerfile.v0 + - --opt + - filename=$(inputs.params.DOCKERFILE) + - --local + - context=$(inputs.params.pathToContext) + - --local + - dockerfile=$(inputs.params.pathToDockerFile) + - --output + - type=image,name=$(outputs.resources.builtImage.url),push=true + - --export-cache + - type=inline + - --import-cache + - type=registry,ref=$(outputs.resources.builtImage.url) + volumeMounts: + - name: certs + readOnly: true + mountPath: /certs + - name: ssh-volume + readOnly: true + mountPath: /.ssh + diff --git a/pipeline/up.sh b/pipeline/up.sh new file mode 100755 index 0000000..3336c37 --- /dev/null +++ b/pipeline/up.sh @@ -0,0 +1,24 @@ +#/bin/bash +FOLLOW_UP="yes" +NS_DOMAIN="cdci-librecloud-online" +PIPELINE_NAME="cdci-nginx" +[ "$1" == "-s" ] && FOLLOW_UP="" +is_running=`kubectl get pods -n $NS_DOMAIN | grep $PIPELINE_NAME 2>/dev/null` +if [ -n "$is_running" ] ; then + kubectl delete -f pipeline-run.yaml 2>/dev/null + kubectl delete -f pipeline.yaml 2>/dev/null + kubectl delete -f task.yaml 2>/dev/null + kubectl delete -f pipe-resource.yaml 2>/dev/null +fi +kubectl delete -f PersistentVolumeCDCI.yaml 2>/dev/null +kubectl create -f PersistentVolumeCDCI.yaml +#. lib_dply.sh +#make_host_alias task +kubectl apply -f pipe-resource.yaml +kubectl apply -f task.yaml +kubectl apply -f pipeline.yaml +kubectl apply -f pipeline-run.yaml +if [ -n "$FOLLOW_UP" ] ; then + has_tkn=`type tkn 2>/dev/null` + [ -n "$has_tkn" ] && tkn pipelinerun logs -f $PIPELINE_NAME -n $NS_DOMAIN +fi diff --git a/repo-config.yaml b/repo-config.yaml new file mode 100644 index 0000000..5ec0ef7 --- /dev/null +++ b/repo-config.yaml @@ -0,0 +1,14 @@ +Active: true +# Active: false # to not follow up webhook workflow + +# Sources for src file +Repo: https://github.com/nginxinc/docker-nginx.git +Source: docker-nginx/mainline/alpine + +# Name - Version, etc +Name: nginx +Version: 1.21.0 + +# To get latest +IMAGE_NAME: nginx +IMAGE_MATCH: 1.21 diff --git a/src/10-listen-on-ipv6-by-default.sh b/src/10-listen-on-ipv6-by-default.sh new file mode 100755 index 0000000..9585152 --- /dev/null +++ b/src/10-listen-on-ipv6-by-default.sh @@ -0,0 +1,61 @@ +#!/bin/sh +# vim:sw=4:ts=4:et + +set -e + +ME=$(basename $0) +DEFAULT_CONF_FILE="etc/nginx/conf.d/default.conf" + +# check if we have ipv6 available +if [ ! -f "/proc/net/if_inet6" ]; then + echo >&3 "$ME: info: ipv6 not available" + exit 0 +fi + +if [ ! -f "/$DEFAULT_CONF_FILE" ]; then + echo >&3 "$ME: info: /$DEFAULT_CONF_FILE is not a file or does not exist" + exit 0 +fi + +# check if the file can be modified, e.g. not on a r/o filesystem +touch /$DEFAULT_CONF_FILE 2>/dev/null || { echo >&3 "$ME: info: can not modify /$DEFAULT_CONF_FILE (read-only file system?)"; exit 0; } + +# check if the file is already modified, e.g. on a container restart +grep -q "listen \[::]\:80;" /$DEFAULT_CONF_FILE && { echo >&3 "$ME: info: IPv6 listen already enabled"; exit 0; } + +if [ -f "/etc/os-release" ]; then + . /etc/os-release +else + echo >&3 "$ME: info: can not guess the operating system" + exit 0 +fi + +echo >&3 "$ME: info: Getting the checksum of /$DEFAULT_CONF_FILE" + +case "$ID" in + "debian") + CHECKSUM=$(dpkg-query --show --showformat='${Conffiles}\n' nginx | grep $DEFAULT_CONF_FILE | cut -d' ' -f 3) + echo "$CHECKSUM /$DEFAULT_CONF_FILE" | md5sum -c - >/dev/null 2>&1 || { + echo >&3 "$ME: info: /$DEFAULT_CONF_FILE differs from the packaged version" + exit 0 + } + ;; + "alpine") + CHECKSUM=$(apk manifest nginx 2>/dev/null| grep $DEFAULT_CONF_FILE | cut -d' ' -f 1 | cut -d ':' -f 2) + echo "$CHECKSUM /$DEFAULT_CONF_FILE" | sha1sum -c - >/dev/null 2>&1 || { + echo >&3 "$ME: info: /$DEFAULT_CONF_FILE differs from the packaged version" + exit 0 + } + ;; + *) + echo >&3 "$ME: info: Unsupported distribution" + exit 0 + ;; +esac + +# enable ipv6 on default.conf listen sockets +sed -i -E 's,listen 80;,listen 80;\n listen [::]:80;,' /$DEFAULT_CONF_FILE + +echo >&3 "$ME: info: Enabled listen on IPv6 in /$DEFAULT_CONF_FILE" + +exit 0 diff --git a/src/20-envsubst-on-templates.sh b/src/20-envsubst-on-templates.sh new file mode 100755 index 0000000..4f33029 --- /dev/null +++ b/src/20-envsubst-on-templates.sh @@ -0,0 +1,32 @@ +#!/bin/sh + +set -e + +ME=$(basename $0) + +auto_envsubst() { + local template_dir="${NGINX_ENVSUBST_TEMPLATE_DIR:-/etc/nginx/templates}" + local suffix="${NGINX_ENVSUBST_TEMPLATE_SUFFIX:-.template}" + local output_dir="${NGINX_ENVSUBST_OUTPUT_DIR:-/etc/nginx/conf.d}" + + local template defined_envs relative_path output_path subdir + defined_envs=$(printf '${%s} ' $(env | cut -d= -f1)) + [ -d "$template_dir" ] || return 0 + if [ ! -w "$output_dir" ]; then + echo >&3 "$ME: ERROR: $template_dir exists, but $output_dir is not writable" + return 0 + fi + find "$template_dir" -follow -type f -name "*$suffix" -print | while read -r template; do + relative_path="${template#$template_dir/}" + output_path="$output_dir/${relative_path%$suffix}" + subdir=$(dirname "$relative_path") + # create a subdirectory where the template file exists + mkdir -p "$output_dir/$subdir" + echo >&3 "$ME: Running envsubst on $template to $output_path" + envsubst "$defined_envs" < "$template" > "$output_path" + done +} + +auto_envsubst + +exit 0 diff --git a/src/30-tune-worker-processes.sh b/src/30-tune-worker-processes.sh new file mode 100755 index 0000000..5650587 --- /dev/null +++ b/src/30-tune-worker-processes.sh @@ -0,0 +1,188 @@ +#!/bin/sh +# vim:sw=2:ts=2:sts=2:et + +set -eu + +LC_ALL=C +ME=$( basename "$0" ) +PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + +[ "${NGINX_ENTRYPOINT_WORKER_PROCESSES_AUTOTUNE:-}" ] || exit 0 + +touch /etc/nginx/nginx.conf 2>/dev/null || { echo >&2 "$ME: error: can not modify /etc/nginx/nginx.conf (read-only file system?)"; exit 0; } + +ceildiv() { + num=$1 + div=$2 + echo $(( (num + div - 1) / div )) +} + +get_cpuset() { + cpusetroot=$1 + cpusetfile=$2 + ncpu=0 + [ -f "$cpusetroot/$cpusetfile" ] || return 1 + for token in $( tr ',' ' ' < "$cpusetroot/$cpusetfile" ); do + case "$token" in + *-*) + count=$( seq $(echo "$token" | tr '-' ' ') | wc -l ) + ncpu=$(( ncpu+count )) + ;; + *) + ncpu=$(( ncpu+1 )) + ;; + esac + done + echo "$ncpu" +} + +get_quota() { + cpuroot=$1 + ncpu=0 + [ -f "$cpuroot/cpu.cfs_quota_us" ] || return 1 + [ -f "$cpuroot/cpu.cfs_period_us" ] || return 1 + cfs_quota=$( cat "$cpuroot/cpu.cfs_quota_us" ) + cfs_period=$( cat "$cpuroot/cpu.cfs_period_us" ) + [ "$cfs_quota" = "-1" ] && return 1 + [ "$cfs_period" = "0" ] && return 1 + ncpu=$( ceildiv "$cfs_quota" "$cfs_period" ) + [ "$ncpu" -gt 0 ] || return 1 + echo "$ncpu" +} + +get_quota_v2() { + cpuroot=$1 + ncpu=0 + [ -f "$cpuroot/cpu.max" ] || return 1 + cfs_quota=$( cut -d' ' -f 1 < "$cpuroot/cpu.max" ) + cfs_period=$( cut -d' ' -f 2 < "$cpuroot/cpu.max" ) + [ "$cfs_quota" = "max" ] && return 1 + [ "$cfs_period" = "0" ] && return 1 + ncpu=$( ceildiv "$cfs_quota" "$cfs_period" ) + [ "$ncpu" -gt 0 ] || return 1 + echo "$ncpu" +} + +get_cgroup_v1_path() { + needle=$1 + found= + foundroot= + mountpoint= + + [ -r "/proc/self/mountinfo" ] || return 1 + [ -r "/proc/self/cgroup" ] || return 1 + + while IFS= read -r line; do + case "$needle" in + "cpuset") + case "$line" in + *cpuset*) + found=$( echo "$line" | cut -d ' ' -f 4,5 ) + break + ;; + esac + ;; + "cpu") + case "$line" in + *cpuset*) + ;; + *cpu,cpuacct*|*cpuacct,cpu|*cpuacct*|*cpu*) + found=$( echo "$line" | cut -d ' ' -f 4,5 ) + break + ;; + esac + esac + done << __EOF__ +$( grep -F -- '- cgroup ' /proc/self/mountinfo ) +__EOF__ + + while IFS= read -r line; do + controller=$( echo "$line" | cut -d: -f 2 ) + case "$needle" in + "cpuset") + case "$controller" in + cpuset) + mountpoint=$( echo "$line" | cut -d: -f 3 ) + break + ;; + esac + ;; + "cpu") + case "$controller" in + cpu,cpuacct|cpuacct,cpu|cpuacct|cpu) + mountpoint=$( echo "$line" | cut -d: -f 3 ) + break + ;; + esac + ;; + esac +done << __EOF__ +$( grep -F -- 'cpu' /proc/self/cgroup ) +__EOF__ + + case "${found%% *}" in + "/") + foundroot="${found##* }$mountpoint" + ;; + "$mountpoint") + foundroot="${found##* }" + ;; + esac + echo "$foundroot" +} + +get_cgroup_v2_path() { + found= + foundroot= + mountpoint= + + [ -r "/proc/self/mountinfo" ] || return 1 + [ -r "/proc/self/cgroup" ] || return 1 + + while IFS= read -r line; do + found=$( echo "$line" | cut -d ' ' -f 4,5 ) + done << __EOF__ +$( grep -F -- '- cgroup2 ' /proc/self/mountinfo ) +__EOF__ + + while IFS= read -r line; do + mountpoint=$( echo "$line" | cut -d: -f 3 ) +done << __EOF__ +$( grep -F -- '0::' /proc/self/cgroup ) +__EOF__ + + case "${found%% *}" in + "") + return 1 + ;; + "/") + foundroot="${found##* }$mountpoint" + ;; + "$mountpoint") + foundroot="${found##* }" + ;; + esac + echo "$foundroot" +} + +ncpu_online=$( getconf _NPROCESSORS_ONLN ) +ncpu_cpuset= +ncpu_quota= +ncpu_cpuset_v2= +ncpu_quota_v2= + +cpuset=$( get_cgroup_v1_path "cpuset" ) && ncpu_cpuset=$( get_cpuset "$cpuset" "cpuset.effective_cpus" ) || ncpu_cpuset=$ncpu_online +cpu=$( get_cgroup_v1_path "cpu" ) && ncpu_quota=$( get_quota "$cpu" ) || ncpu_quota=$ncpu_online +cgroup_v2=$( get_cgroup_v2_path ) && ncpu_cpuset_v2=$( get_cpuset "$cgroup_v2" "cpuset.cpus.effective" ) || ncpu_cpuset_v2=$ncpu_online +cgroup_v2=$( get_cgroup_v2_path ) && ncpu_quota_v2=$( get_quota_v2 "$cgroup_v2" ) || ncpu_quota_v2=$ncpu_online + +ncpu=$( printf "%s\n%s\n%s\n%s\n%s\n" \ + "$ncpu_online" \ + "$ncpu_cpuset" \ + "$ncpu_quota" \ + "$ncpu_cpuset_v2" \ + "$ncpu_quota_v2" \ + | sort -n \ + | head -n 1 ) + +sed -i.bak -r 's/^(worker_processes)(.*)$/# Commented out by '"$ME"' on '"$(date)"'\n#\1\2\n\1 '"$ncpu"';/' /etc/nginx/nginx.conf diff --git a/src/Dockerfile b/src/Dockerfile new file mode 100644 index 0000000..437942a --- /dev/null +++ b/src/Dockerfile @@ -0,0 +1,134 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "update.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# +FROM alpine:3.13 + +LABEL maintainer="NGINX Docker Maintainers " + +ENV NGINX_VERSION 1.21.0 +ENV NJS_VERSION 0.5.3 +ENV PKG_RELEASE 1 + +RUN set -x \ +# create nginx user/group first, to be consistent throughout docker variants + && addgroup -g 101 -S nginx \ + && adduser -S -D -H -u 101 -h /var/cache/nginx -s /sbin/nologin -G nginx -g nginx nginx \ + && addgroup -g 82 -S www-data \ + && adduser -S -D -H -u 82 -h /var/cache/nginx -s /sbin/nologin -G www-data -g www-data www-data \ + && apkArch="$(cat /etc/apk/arch)" \ + && nginxPackages=" \ + nginx=${NGINX_VERSION}-r${PKG_RELEASE} \ + nginx-module-xslt=${NGINX_VERSION}-r${PKG_RELEASE} \ + nginx-module-geoip=${NGINX_VERSION}-r${PKG_RELEASE} \ + nginx-module-image-filter=${NGINX_VERSION}-r${PKG_RELEASE} \ + nginx-module-njs=${NGINX_VERSION}.${NJS_VERSION}-r${PKG_RELEASE} \ + " \ + && case "$apkArch" in \ + x86_64|aarch64) \ +# arches officially built by upstream + set -x \ + && KEY_SHA512="e7fa8303923d9b95db37a77ad46c68fd4755ff935d0a534d26eba83de193c76166c68bfe7f65471bf8881004ef4aa6df3e34689c305662750c0172fca5d8552a *stdin" \ + && apk add --no-cache --virtual .cert-deps \ + openssl \ + && wget -O /tmp/nginx_signing.rsa.pub https://nginx.org/keys/nginx_signing.rsa.pub \ + && if [ "$(openssl rsa -pubin -in /tmp/nginx_signing.rsa.pub -text -noout | openssl sha512 -r)" = "$KEY_SHA512" ]; then \ + echo "key verification succeeded!"; \ + mv /tmp/nginx_signing.rsa.pub /etc/apk/keys/; \ + else \ + echo "key verification failed!"; \ + exit 1; \ + fi \ + && apk del .cert-deps \ + && apk add -X "https://nginx.org/packages/mainline/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \ + ;; \ + *) \ +# we're on an architecture upstream doesn't officially build for +# let's build binaries from the published packaging sources + set -x \ + && tempDir="$(mktemp -d)" \ + && chown nobody:nobody $tempDir \ + && apk add --no-cache --virtual .build-deps \ + gcc \ + libc-dev \ + make \ + openssl-dev \ + pcre-dev \ + zlib-dev \ + linux-headers \ + libxslt-dev \ + gd-dev \ + geoip-dev \ + perl-dev \ + libedit-dev \ + mercurial \ + bash \ + alpine-sdk \ + findutils \ + && su nobody -s /bin/sh -c " \ + export HOME=${tempDir} \ + && cd ${tempDir} \ + && hg clone https://hg.nginx.org/pkg-oss \ + && cd pkg-oss \ + && hg up ${NGINX_VERSION}-${PKG_RELEASE} \ + && cd alpine \ + && make all \ + && apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \ + && abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \ + " \ + && cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \ + && apk del .build-deps \ + && apk add -X ${tempDir}/packages/alpine/ --no-cache $nginxPackages \ + ;; \ + esac \ +# if we have leftovers from building, let's purge them (including extra, unnecessary build deps) + && if [ -n "$tempDir" ]; then rm -rf "$tempDir"; fi \ + && if [ -n "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \ + && if [ -n "/etc/apk/keys/nginx_signing.rsa.pub" ]; then rm -f /etc/apk/keys/nginx_signing.rsa.pub; fi \ +# Bring in gettext so we can get `envsubst`, then throw +# the rest away. To do this, we need to install `gettext` +# then move `envsubst` out of the way so `gettext` can +# be deleted completely, then move `envsubst` back. + && apk add --no-cache --virtual .gettext gettext \ + && mv /usr/bin/envsubst /tmp/ \ + \ + && runDeps="$( \ + scanelf --needed --nobanner /tmp/envsubst \ + | awk '{ gsub(/,/, "\nso:", $2); print "so:" $2 }' \ + | sort -u \ + | xargs -r apk info --installed \ + | sort -u \ + )" \ + && apk add --no-cache $runDeps \ + && apk del .gettext \ + && mv /tmp/envsubst /usr/local/bin/ \ +# Bring in tzdata so users could set the timezones through the environment +# variables + && apk add --no-cache tzdata \ +# Bring in curl and ca-certificates to make registering on DNS SD easier + && apk add --no-cache curl ca-certificates \ +# forward request and error logs to docker log collector + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log \ +# create a docker-entrypoint.d directory + && mkdir /docker-entrypoint.d + +## copy global +COPY ./global /etc/nginx/global + +### copy server +COPY ./server /etc/nginx/server + +COPY docker-entrypoint.sh / +COPY 10-listen-on-ipv6-by-default.sh /docker-entrypoint.d +COPY 20-envsubst-on-templates.sh /docker-entrypoint.d +COPY 30-tune-worker-processes.sh /docker-entrypoint.d +ENTRYPOINT ["/docker-entrypoint.sh"] + +EXPOSE 80 +EXPOSE 443 + +STOPSIGNAL SIGQUIT + +CMD ["nginx", "-g", "daemon off;"] diff --git a/src/docker-entrypoint.sh b/src/docker-entrypoint.sh new file mode 100755 index 0000000..72d5cd9 --- /dev/null +++ b/src/docker-entrypoint.sh @@ -0,0 +1,38 @@ +#!/bin/sh +# vim:sw=4:ts=4:et + +set -e + +if [ -z "${NGINX_ENTRYPOINT_QUIET_LOGS:-}" ]; then + exec 3>&1 +else + exec 3>/dev/null +fi + +if [ "$1" = "nginx" -o "$1" = "nginx-debug" ]; then + if /usr/bin/find "/docker-entrypoint.d/" -mindepth 1 -maxdepth 1 -type f -print -quit 2>/dev/null | read v; then + echo >&3 "$0: /docker-entrypoint.d/ is not empty, will attempt to perform configuration" + + echo >&3 "$0: Looking for shell scripts in /docker-entrypoint.d/" + find "/docker-entrypoint.d/" -follow -type f -print | sort -V | while read -r f; do + case "$f" in + *.sh) + if [ -x "$f" ]; then + echo >&3 "$0: Launching $f"; + "$f" + else + # warn on shell scripts without exec bit + echo >&3 "$0: Ignoring $f, not executable"; + fi + ;; + *) echo >&3 "$0: Ignoring $f";; + esac + done + + echo >&3 "$0: Configuration complete; ready for start up" + else + echo >&3 "$0: No files found in /docker-entrypoint.d/, skipping configuration" + fi +fi + +exec "$@" diff --git a/src/global/gzip.conf b/src/global/gzip.conf new file mode 100644 index 0000000..77e8e79 --- /dev/null +++ b/src/global/gzip.conf @@ -0,0 +1,50 @@ +# Enable Gzip compression. +gzip on; + +# Disable Gzip on IE6. +gzip_disable "msie6"; + +# Allow proxies to cache both compressed and regular version of file. +# Avoids clients that don't support Gzip outputting gibberish. +gzip_vary on; + +# Compress data, even when the client connects through a proxy. +gzip_proxied any; + +# The level of compression to apply to files. A higher compression level increases +# CPU usage. Level 5 is a happy medium resulting in roughly 75% compression. +gzip_comp_level 5; + +# The minimum HTTP version of a request to perform compression. +gzip_http_version 1.1; + +# Don't compress files smaller than 256 bytes, as size reduction will be negligible. +gzip_min_length 256; + +# Compress the following MIME types. +gzip_types + application/atom+xml + application/javascript + application/json + application/ld+json + application/manifest+json + application/rss+xml + application/vnd.geo+json + application/vnd.ms-fontobject + application/x-font-ttf + application/x-web-app-manifest+json + application/xhtml+xml + application/xml + font/opentype + image/bmp + image/svg+xml + image/x-icon + text/cache-manifest + text/css + text/plain + text/vcard + text/vnd.rim.location.xloc + text/vtt + text/x-component + text/x-cross-domain-policy; + # text/html is always compressed when enabled. \ No newline at end of file diff --git a/src/global/http.conf b/src/global/http.conf new file mode 100644 index 0000000..faf1e6d --- /dev/null +++ b/src/global/http.conf @@ -0,0 +1,8 @@ +# Speed up file transfer by using sendfile(). +sendfile on; + +# Don't send partial frames, which increases throughput. +tcp_nopush on; + +# Don't wait to send data in keep-alive state. +tcp_nodelay on; \ No newline at end of file diff --git a/src/global/limits.conf b/src/global/limits.conf new file mode 100644 index 0000000..bb302cd --- /dev/null +++ b/src/global/limits.conf @@ -0,0 +1,17 @@ +# How long each connection should stay open for. +keepalive_timeout 15; + +# Timeout for reading client request body. +client_body_timeout 30; + +# Timeout for reading client request header. +client_header_timeout 30; + +# Timeout for transmitting reponse to client. +send_timeout 30; + +# Set the maximum allowed size of client request body. This should be set +# to the value of files sizes you wish to upload to the WordPress Media Library. +# You may also need to change the values `upload_max_filesize` and `post_max_size` within +# your php.ini for the changes to apply. +client_max_body_size 64m; \ No newline at end of file diff --git a/src/server/defaults.conf b/src/server/defaults.conf new file mode 100644 index 0000000..7b8bae9 --- /dev/null +++ b/src/server/defaults.conf @@ -0,0 +1,11 @@ +# Should be included for most sites, as contains sensible defaults +# for file exclusions, security and static file caching. + +# Exclusions +include server/exclusions.conf; + +# Security +include server/security.conf; + +# Static Content +include server/static-files.conf; diff --git a/src/server/exclusions.conf b/src/server/exclusions.conf new file mode 100644 index 0000000..19fb359 --- /dev/null +++ b/src/server/exclusions.conf @@ -0,0 +1,12 @@ +# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac). +# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban) +location ~ /\. { + deny all; +} + +# Deny access to any files with a .php extension in the uploads directory +# Works in sub-directory installs and also in multisite network +# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban) +location ~* /(?:uploads|files)/.*\.php$ { + deny all; +} \ No newline at end of file diff --git a/src/server/fastcgi-cache.conf b/src/server/fastcgi-cache.conf new file mode 100644 index 0000000..6ca822f --- /dev/null +++ b/src/server/fastcgi-cache.conf @@ -0,0 +1,34 @@ +# The key to use when saving cache files, which will run through the MD5 hashing algorithm. +fastcgi_cache_key "$scheme$request_method$host$request_uri"; + +# If an error occurs when communicating with FastCGI server, return cached content. +# Useful for serving cached content if the PHP process dies or timeouts. +fastcgi_cache_use_stale error timeout invalid_header http_500; + +# Allow caching of requests which contain the following headers. +fastcgi_ignore_headers Cache-Control Expires Set-Cookie; + +# Show the cache status in server responses. +add_header Fastcgi-Cache $upstream_cache_status; + +# Don't skip by default +set $skip_cache 0; + +# POST requests and urls with a query string should always go to PHP +if ($request_method = POST) { + set $skip_cache 1; +} + +if ($query_string != "") { + set $skip_cache 1; +} + +# Don't cache uris containing the following segments +if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml") { + set $skip_cache 1; +} + +# Don't use the cache for logged in users or recent commenters +if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") { + set $skip_cache 1; +} \ No newline at end of file diff --git a/src/server/multisite-subdirectory.conf b/src/server/multisite-subdirectory.conf new file mode 100644 index 0000000..3d960f3 --- /dev/null +++ b/src/server/multisite-subdirectory.conf @@ -0,0 +1,6 @@ +# Rewrite requests to `/wp-.*` on subdirectory installs. +if (!-e $request_filename) { + rewrite /wp-admin$ $scheme://$host$uri/ permanent; + rewrite ^/[_0-9a-zA-Z-]+(/wp-.*) $1 last; + rewrite ^/[_0-9a-zA-Z-]+(/.*\.php)$ $1 last; +} \ No newline at end of file diff --git a/src/server/security.conf b/src/server/security.conf new file mode 100644 index 0000000..9b7d487 --- /dev/null +++ b/src/server/security.conf @@ -0,0 +1,19 @@ +# Generic security enhancements. Use https://securityheaders.io to test +# and recommend further improvements. + +# Hide Nginx version in error messages and reponse headers. +server_tokens off; + +# Don't allow pages to be rendered in an iframe on external domains. +add_header X-Frame-Options "SAMEORIGIN" always; + +# MIME sniffing prevention +add_header X-Content-Type-Options "nosniff" always; + +# Enable cross-site scripting filter in supported browsers. +add_header X-Xss-Protection "1; mode=block" always; + +# Whitelist sources which are allowed to load assets (JS, CSS, etc). The following will block +# only none HTTPS assets, but check out https://scotthelme.co.uk/content-security-policy-an-introduction/ +# for an in-depth guide on creating a more restrictive policy. +# add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always; \ No newline at end of file diff --git a/src/server/ssl.conf b/src/server/ssl.conf new file mode 100644 index 0000000..db7cb2b --- /dev/null +++ b/src/server/ssl.conf @@ -0,0 +1,23 @@ +# Generic SSL enhancements. Use https://www.ssllabs.com/ssltest/ to test +# and recommend further improvements. + +# Don't use outdated SSLv3 protocol. Protects against BEAST and POODLE attacks. +ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + +# Use secure ciphers +ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; +ssl_prefer_server_ciphers on; + +# Define the size of the SSL session cache in MBs. +ssl_session_cache shared:SSL:10m; + +# Define the time in minutes to cache SSL sessions. +ssl_session_timeout 1h; + +# Use HTTPS exclusively for 1 year, uncomment one. Second line applies to subdomains. +add_header Strict-Transport-Security "max-age=31536000;"; +# add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; + +# The default key used by DHE is weak and it's recommended to use a 2048 bit key. +# Uncomment this line if you have generated a custom key using `cd /etc/ssl/; sudo openssl dhparam -out dhparams.pem 2048` +# ssl_dhparam /etc/ssl/dhparams.pem; \ No newline at end of file diff --git a/src/server/static-files.conf b/src/server/static-files.conf new file mode 100644 index 0000000..2a37a4a --- /dev/null +++ b/src/server/static-files.conf @@ -0,0 +1,32 @@ +# Don't cache appcache, document html and data. +location ~* \.(?:manifest|appcache|html?|xml|json)$ { + expires -1; +} + +# Cache RSS and Atom feeds. +location ~* \.(?:rss|atom)$ { + expires 1h; + add_header Cache-Control "public"; +} + +# Caches images, icons, video, audio, HTC, etc. +location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ { + expires 1y; + add_header Cache-Control "public"; + + # Comment out these lines if you wish to record access/error logs for static files. + log_not_found off; + access_log off; +} + +# Cache CSS and JavaScript. +location ~* \.(?:css|js|ttf|woff)$ { + expires 1y; + add_header Cache-Control "public"; +} + +# Don't record access/error logs for robots.txt. +location = /robots.txt { + log_not_found off; + access_log off; +} \ No newline at end of file