/
Dockerfile
155 lines (145 loc) · 4.59 KB
/
Dockerfile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
FROM debian:jessie-backports
# add our user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added
#RUN groupadd -r www-data && useradd -r --create-home -g www-data www-data
ENV HTTPD_PREFIX /usr/local/apache2
ENV PATH $HTTPD_PREFIX/bin:$PATH
RUN mkdir -p "$HTTPD_PREFIX" \
&& chown www-data:www-data "$HTTPD_PREFIX"
WORKDIR $HTTPD_PREFIX
# library for mod_http2
ENV NGHTTP2_VERSION 1.18.1-1
ENV OPENSSL_VERSION 1.0.2l-1~bpo8+1
RUN { \
echo 'deb http://deb.debian.org/debian stretch main'; \
} > /etc/apt/sources.list.d/stretch.list \
&& { \
# add a negative "Pin-Priority" so that we never ever get packages from stretch unless we explicitly request them
echo 'Package: *'; \
echo 'Pin: release n=stretch'; \
echo 'Pin-Priority: -10'; \
echo; \
# except nghttp2, which is the reason we're here
echo 'Package: libnghttp2*'; \
echo "Pin: version $NGHTTP2_VERSION"; \
echo 'Pin-Priority: 990'; \
echo; \
} > /etc/apt/preferences.d/unstable-nghttp2
# install httpd runtime dependencies
# https://httpd.apache.org/docs/2.4/install.html#requirements
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
libapr1 \
libaprutil1 \
libaprutil1-ldap \
libapr1-dev \
libaprutil1-dev \
liblua5.2-0 \
libnghttp2-14=$NGHTTP2_VERSION \
libpcre++0 \
libssl1.0.0=$OPENSSL_VERSION \
libxml2 \
&& rm -r /var/lib/apt/lists/*
ENV HTTPD_VERSION 2.4.33
ENV HTTPD_SHA256 de02511859b00d17845b9abdd1f975d5ccb5d0b280c567da5bf2ad4b70846f05
# https://httpd.apache.org/security/vulnerabilities_24.html
ENV HTTPD_PATCHES=""
ENV APACHE_DIST_URLS \
# https://issues.apache.org/jira/browse/INFRA-8753?focusedCommentId=14735394#comment-14735394
https://www.apache.org/dyn/closer.cgi?action=download&filename= \
# if the version is outdated (or we're grabbing the .asc file), we might have to pull from the dist/archive :/
https://www-us.apache.org/dist/ \
https://www.apache.org/dist/ \
https://archive.apache.org/dist/
# see https://httpd.apache.org/docs/2.4/install.html#requirements
RUN set -eux; \
\
# mod_http2 mod_lua mod_proxy_html mod_xml2enc
# https://anonscm.debian.org/cgit/pkg-apache/apache2.git/tree/debian/control?id=adb6f181257af28ee67af15fc49d2699a0080d4c
buildDeps=" \
bzip2 \
ca-certificates \
dpkg-dev \
gcc \
liblua5.2-dev \
libnghttp2-dev=$NGHTTP2_VERSION \
libpcre++-dev \
libssl-dev=$OPENSSL_VERSION \
libxml2-dev \
zlib1g-dev \
make \
wget \
"; \
apt-get update; \
apt-get install -y --no-install-recommends -V $buildDeps; \
rm -r /var/lib/apt/lists/*; \
\
ddist() { \
local f="$1"; shift; \
local distFile="$1"; shift; \
local success=; \
local distUrl=; \
for distUrl in $APACHE_DIST_URLS; do \
if wget -O "$f" "$distUrl$distFile" && [ -s "$f" ]; then \
success=1; \
break; \
fi; \
done; \
[ -n "$success" ]; \
}; \
\
ddist 'httpd.tar.bz2' "httpd/httpd-$HTTPD_VERSION.tar.bz2"; \
echo "$HTTPD_SHA256 *httpd.tar.bz2" | sha256sum -c -; \
\
# see https://httpd.apache.org/download.cgi#verify
ddist 'httpd.tar.bz2.asc' "httpd/httpd-$HTTPD_VERSION.tar.bz2.asc"; \
export GNUPGHOME="$(mktemp -d)"; \
for key in \
# gpg: key 791485A8: public key "Jim Jagielski (Release Signing Key) <jim@apache.org>" imported
A93D62ECC3C8EA12DB220EC934EA76E6791485A8 \
# gpg: key 995E35221AD84DFF: public key "Daniel Ruggeri (http://home.apache.org/~druggeri/) <druggeri@apache.org>" imported
B9E8213AEFB861AF35A41F2C995E35221AD84DFF \
; do \
gpg --keyserver ha.pool.sks-keyservers.net --recv-keys "$key"; \
done; \
gpg --batch --verify httpd.tar.bz2.asc httpd.tar.bz2; \
rm -rf "$GNUPGHOME" httpd.tar.bz2.asc; \
\
mkdir -p src; \
tar -xf httpd.tar.bz2 -C src --strip-components=1; \
rm httpd.tar.bz2; \
cd src; \
\
patches() { \
while [ "$#" -gt 0 ]; do \
local patchFile="$1"; shift; \
local patchSha256="$1"; shift; \
ddist "$patchFile" "httpd/patches/apply_to_$HTTPD_VERSION/$patchFile"; \
echo "$patchSha256 *$patchFile" | sha256sum -c -; \
patch -p0 < "$patchFile"; \
rm -f "$patchFile"; \
done; \
}; \
patches $HTTPD_PATCHES; \
\
gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
./configure \
--build="$gnuArch" \
--prefix="$HTTPD_PREFIX" \
--enable-mods-shared=reallyall \
--enable-mpms-shared=all \
; \
make -j "$(nproc)"; \
make install; \
\
cd ..; \
rm -r src man manual; \
\
sed -ri \
-e 's!^(\s*CustomLog)\s+\S+!\1 /proc/self/fd/1!g' \
-e 's!^(\s*ErrorLog)\s+\S+!\1 /proc/self/fd/2!g' \
"$HTTPD_PREFIX/conf/httpd.conf"; \
\
apt-get purge -y --auto-remove $buildDeps
COPY httpd-foreground /usr/local/bin/
EXPOSE 80
CMD ["httpd-foreground"]