feat: New release v1.21.4, better usage and documention for some stuff

- Added the latest mainline release for NGINX v1.21.4 - Modified the demo a bit by using a Docker demo file rather than mapping volumes - Minor adjustment to README and a real world sample - Minor editing to configuration files documentation
omaralsoudanii · Nov 3, 2021 · b460297 · b460297
1 parent e67a197
commit b460297
Show file tree

Hide file tree

Showing 9 changed files with 80 additions and 45 deletions.
diff --git a/.gitattributes b/.gitattributes
@@ -1,2 +1,21 @@
-public/* linguist-generated
+# Automatically normalize line endings for all text-based files
+# https://git-scm.com/docs/gitattributes#_end_of_line_conversion
+
+* text=auto
+
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+# Make GitHub's language statistics treat the `*.conf` files as
+# Nginx configuration files
+#
+# https://github.com/github/linguist/blob/master/README.md
+
+*.conf linguist-language=Nginx
+
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+/.git*          export-ignore
+/test           export-ignore
+
+
 Dockerfile* linguist-language=Dockerfile
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-ARG NGINX_VERSION=1.21.3
+ARG NGINX_VERSION=1.21.4
 
 # headers-more-nginx module repo latest commit
 # https://github.com/openresty/headers-more-nginx-module.git

diff --git a/Dockerfile.demo b/Dockerfile.demo
@@ -0,0 +1,12 @@
+## This file is used for demo purpose only, check README for more details
+FROM omaralsoudani/nginx-brotli
+
+# COPY your NGINX configuration files to the container, and your servers in conf.d folder
+COPY ./conf/ /etc/nginx
+COPY ./conf.d/ /etc/nginx/conf.d
+
+# copy a demo page (index.html) for NGINX to serve inside public folder
+COPY ./public/ /usr/share/nginx/html
+
+# Start NGINX (the base image takes care of some things like docker STOPSIGNAL and using init as entrypoint)
+CMD ["nginx", "-g", "daemon off;"]
diff --git a/README.md b/README.md
@@ -20,53 +20,48 @@ The docker image build is automatically triggered on new releases or tuning I ma
 
 ## Examples
 
-- I added a working demo here, make sure port 80 is not used and run the following:
+- I added a working demo here, **make sure port 80**, or change it by removing `network_mode` in `docker-compose.yml` is not used and run the following:
+
   ```bash
   docker-compose up -d
   ```
-  Then navigate to http://localhost — the files served from the public folder in the repository.
-
-- Add the image to a Dockerfile in your build process:
-
-  ```docker
-  # Start from the base image
-  FROM omaralsoudani/nginx-brotli
-  
-  # copy my configs
-  COPY ./nginx.conf /etc/nginx/nginx.conf
-  COPY ./conf /etc/nginx/extras
-  COPY ./conf.d /etc/nginx/conf.d
-  
-  # Run NGINX
-  CMD ["nginx", "-g", "daemon off;"]
-    ```
+  Then navigate to http://localhost — the files (just one file...) served from the public folder in the repository.
+
+- Add the image to a Dockerfile in your build process — check `Dockerfile.demo` for reference.
 
 - Add it in a docker compose file:
-  ```yaml
+
+```yaml
   version: "3.6"
   services:
     mk-nginx:
         image: omaralsoudani/nginx-brotli
         container_name: mk-nginx
         restart: unless-stopped
         volumes:
-        - ./nginx.conf:/etc/nginx/nginx.conf
-        - ./conf:/etc/nginx/extras
-        - ./conf.d:/etc/nginx/conf.d
-        - ./public:/usr/share/nginx/html
+          - /etc/ssl/mk/ecc.pem:/etc/nginx/ssl/ecc.pem:ro
+          - /etc/ssl/mk/priv.key:/etc/nginx/ssl/priv.key:ro
+          - /etc/ssl/mk/ca_root.pem:/etc/nginx/ssl/ca_root.pem:ro
+          - /etc/ssl/mk/dh/dhparam.pem:/etc/nginx/ssl/dhparam.pem:ro
+          # The below disables docker logging to stdout and uses file system (I like it with logrotate)
+          - /var/log/nginx:/var/log/nginx 
         ports:
-        - 80:80
+          - 80:80
+          - 443:443
         networks:
-        - mk_nginx
+          - mk_nginx
+
+networks:
+  mk_nginx:
+```
+
+- You could also check the configs and the docker setup that I use on my personal site [mkreg.dev](https://github.com/omaralsoudanii/mkreg.dev/tree/main/docker)
 
-  networks:
-    mk_nginx:
-  ```
 - You could ignore the published images and build it by your self using the [`Dockerfile`](https://github.com/omaralsoudanii/NGINX-docker-starter/blob/main/Dockerfile) (do it within the repo, since I am using NGINX signing key to verify the image), then read the [Integration](#how-to-integrate-in-my-project)
 
 **Note**: Check the configration and read them, I documented most of the directives — some of them are only suitable for production, some are for proxy configration and the demo is static so I didn't use the caching or the proxy in the demo.
 
-Remove comments from those when it suits you (production, or you have a server that you want nginx to be a proxy). Also some are kinda needs a bit of research before enabling them (I added a warning for those), also watch out for the main `nginx.conf`, it is not in the `conf` directory it's outside in the root dir which is the main entry point for NGINX — this is because docker volume mapping overrides `/etc/nginx` if you just mount that to `conf`.
+Remove comments from those when it suits you (production, or you have a server that you want nginx to be a proxy) — Also some needs a bit of research before enabling them (I added a warning for those).
 
 ## Why it's not synced with the original repo?
 

diff --git a/conf.d/nginx.vh.default.conf b/conf.d/nginx.vh.default.conf
@@ -1,8 +1,8 @@
 # Dummy vhost
 
 server {
-    listen 80 default_server reuseport;
-    listen [::]:80 default_server reuseport;
+    listen 80 default_server reuseport so_keepalive=30m::10;
+    listen [::]:80 default_server reuseport so_keepalive=30m::10;
     server_name _;
 
     # subfilter for demo purpose
@@ -37,9 +37,10 @@ server {
     index index.html index.htm;
 
     # include configs
-    include /etc/nginx/extras/headers.conf;
+    include /etc/nginx/headers.conf;
 
     more_set_headers 'Cache-Control: max-age=60, stale-while-revalidate=60';
+    more_set_headers 'X-Powered-by: ME';
 
     location / {
         try_files $uri $uri/ $uri/index.html $uri.html =404;

diff --git a/conf/compression.conf b/conf/compression.conf
@@ -1,4 +1,14 @@
 # Compression settings for gzip and brotli
+# same min length for both means: Hey NGINX I want brotli compression used
+# on all the resources listed, but if the browser doesn't support it, then fallback to gzip
+# if you are not restricted to a CDN or a dependency, you can tweak it better.
+
+# For example you could make brotli min length 1024(1KB) and gzip 512(bytes) — gzip is fast, however
+# for me if most of the resources are static or doesn't change much (and we have cache busing mechanism)
+# then I'll choose brotli always, this is due to another factor.
+# NGINX is compressing small files using brotli is a waste of CPU cycles, but if those files are cached then
+# the client device de-compressing brotli is faster than gzip and lower on battery
+# TLDR: based on the above (and your research) this can be tuned.
 
 brotli on;
 brotli_static on;

diff --git a/conf/headers.conf b/conf/headers.conf
@@ -1,5 +1,5 @@
 # Read the docs for those headers and remove un-needed one's
-# Some of them won't work without SSL
+# Some of them won't work without SSL (commented)
 # Then Read Strict-Transport-Security (HSTS) AGAIN before applying
 
 # NOTE: I commented some headers, applicable to production only – for local development you don't need them
@@ -25,8 +25,8 @@ add_header X-Download-Options "noopen" always;
 # X-DNS-Prefetch-Control
 add_header X-DNS-Prefetch-Control "on" always;
 
-# Permissions Policy, Opt out from Google FloC 
-#add_header Permissions-Policy "interest-cohort=()" always;
+#Permissions Policy, Opt out from Google FloC 
+add_header Permissions-Policy "interest-cohort=()" always;
 
 # CSP https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
 #add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' blob: data:; manifest-src 'self'; media-src 'self'; worker-src 'none';" always;
diff --git a/nginx.conf → conf/nginx.conf b/nginx.conf → conf/nginx.conf
@@ -48,7 +48,7 @@ events {
 }
 
 http {
-    include /etc/nginx/extras/mime.types;
+    include /etc/nginx/mime.types;
 
     # Yeah that bugs some times
     charset utf-8;
@@ -119,6 +119,6 @@ http {
     # Proxy caching, change the value to suit your needs
     #proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mk_cache:10m max_size=5g inactive=3d use_temp_path=off;
 
-    include /etc/nginx/extras/compression.conf;
+    include /etc/nginx/compression.conf;
     include /etc/nginx/conf.d/*.conf;
 }
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,12 +1,10 @@
 version: "3.6"
 services:
   mk-nginx:
-    image: omaralsoudani/nginx-brotli
+    build:
+      context: .
+      dockerfile: Dockerfile.demo
+    image: mk-nginx
     container_name: mk-nginx
     restart: unless-stopped
-    network_mode: host
-    volumes:
-      - ./nginx.conf:/etc/nginx/nginx.conf
-      - ./conf:/etc/nginx/extras
-      - ./conf.d:/etc/nginx/conf.d
-      - ./public:/usr/share/nginx/html
+    network_mode: host