init

.gitignore

@@ -0,0 +1,13 @@
+
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+*.vscode
+*.idea
+*.test
+*.out
+.DS_Store
+*.pem

Dockerfile

@@ -0,0 +1,203 @@
+ARG NGINX_VERSION=1.21.2
+
+# headers-more-nginx module repo latest commit
+# https://github.com/openresty/headers-more-nginx-module.git
+ARG NGX_MORE_HDR_COMMIT=f85af9649b858e21b400a2150a4c7b8ebd36e921
+
+# Google brotli repo latest commit
+# https://github.com/google/ngx_brotli/commit/9aec15e2aa6feea2113119ba06460af70ab3ea62
+ARG NGX_BROTLI_COMMIT=9aec15e2aa6feea2113119ba06460af70ab3ea62
+
+# Arguments that we will configure NGINX with
+ARG CONFIG="\
+    --prefix=/etc/nginx \
+    --sbin-path=/usr/sbin/nginx \
+    --modules-path=/usr/lib/nginx/modules \
+    --conf-path=/etc/nginx/nginx.conf \
+    --error-log-path=/var/log/nginx/error.log \
+    --http-log-path=/var/log/nginx/access.log \
+    --pid-path=/var/run/nginx.pid \
+    --lock-path=/var/run/nginx.lock \
+    --http-client-body-temp-path=/var/cache/nginx/client_temp \
+    --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
+    --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
+    --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
+    --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
+    --user=nginx \
+    --group=nginx \
+    --with-http_ssl_module \
+    --with-http_realip_module \
+    --with-http_addition_module \
+    --with-http_sub_module \
+    --with-http_dav_module \
+    --with-http_flv_module \
+    --with-http_mp4_module \
+    --with-http_gunzip_module \
+    --with-http_gzip_static_module \
+    --with-http_random_index_module \
+    --with-http_secure_link_module \
+    --with-http_stub_status_module \
+    --with-http_auth_request_module \
+    --with-http_xslt_module=dynamic \
+    --with-http_image_filter_module=dynamic \
+    --with-http_geoip_module=dynamic \
+    --with-threads \
+    --with-stream \
+    --with-stream_ssl_module \
+    --with-stream_ssl_preread_module \
+    --with-stream_realip_module \
+    --with-stream_geoip_module=dynamic \
+    --with-http_slice_module \
+    --with-mail \
+    --with-mail_ssl_module \
+    --with-compat \
+    --with-file-aio \
+    --with-http_v2_module \
+    --add-module=/usr/src/ngx_brotli \
+    --add-module=/usr/src/ngx_http_headers_more_filter_module \
+    "
+
+
+# Multi stage build, we start from alpine
+FROM alpine:3.14.2 as build
+LABEL maintainer="NGINX Docker Maintainers <docker-maint@nginx.com>"
+
+# Declare the ARGS we defined above, due to entering new build stage (FROM alpine)
+ARG NGINX_VERSION
+ARG NGX_BROTLI_COMMIT
+ARG NGX_MORE_HDR_COMMIT
+ARG CONFIG
+
+# Deps for NGINX and brotli
+RUN \
+    apk add --no-cache --virtual .build-deps \
+    gcc \
+    libc-dev \
+    make \
+    openssl-dev \
+    pcre-dev \
+    zlib-dev \
+    linux-headers \
+    curl \
+    gnupg1 \
+    libxslt-dev \
+    gd-dev \
+    geoip-dev \
+    && apk add --no-cache --virtual .brotli-build-deps \
+    autoconf \
+    libtool \
+    automake \
+    git \
+    g++ \
+    cmake
+
+# NGINX GPG key https://www.nginx.com/blog/updating-gpg-key-nginx-products/
+COPY nginx.pub /tmp/nginx.pub
+
+# Clone brotli to the commit hash we defined, grab NGINX source code, grab headers-more-nginx module tar ball
+RUN \
+    mkdir -p /usr/src/ngx_brotli \
+    && cd /usr/src/ngx_brotli \
+    && git init \
+    && git remote add origin https://github.com/google/ngx_brotli.git \
+    && git fetch --depth 1 origin $NGX_BROTLI_COMMIT \
+    && git checkout --recurse-submodules -q FETCH_HEAD \
+    && git submodule update --init --depth 1 \    
+    # Grab headers-more-nginx module 
+    && mkdir -p /usr/src/ngx_http_headers_more_filter_module \
+    && cd /usr/src/ngx_http_headers_more_filter_module \
+    && git init \
+    && git remote add origin https://github.com/openresty/headers-more-nginx-module.git \
+    && git fetch --depth 1 origin $NGX_MORE_HDR_COMMIT \
+    && git checkout --recurse-submodules -q FETCH_HEAD \
+    && git submodule update --init --depth 1 \
+    # Grab NGINX source code
+    && cd .. \
+    && curl -fSL https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz -o nginx.tar.gz \
+    && curl -fSL https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz.asc  -o nginx.tar.gz.asc \
+    && sha512sum nginx.tar.gz nginx.tar.gz.asc \
+    && export GNUPGHOME="$(mktemp -d)" \
+    && gpg --import /tmp/nginx.pub \
+    && gpg --batch --verify nginx.tar.gz.asc nginx.tar.gz \
+    && mkdir -p /usr/src \
+    && tar -zxC /usr/src -f nginx.tar.gz
+
+# Configure NGINX with the config we assigned, above then compile it from the source
+RUN \
+    cd /usr/src/nginx-$NGINX_VERSION \
+    && ./configure $CONFIG --with-debug \
+    && make -j$(getconf _NPROCESSORS_ONLN) \
+    && mv objs/nginx objs/nginx-debug \
+    && mv objs/ngx_http_xslt_filter_module.so objs/ngx_http_xslt_filter_module-debug.so \
+    && mv objs/ngx_http_image_filter_module.so objs/ngx_http_image_filter_module-debug.so \
+    && mv objs/ngx_http_geoip_module.so objs/ngx_http_geoip_module-debug.so \
+    && mv objs/ngx_stream_geoip_module.so objs/ngx_stream_geoip_module-debug.so \
+    && ./configure $CONFIG \
+    && make -j$(getconf _NPROCESSORS_ONLN)
+
+# install NGINX, and it's modules in addition to brotli, headers-more-nginx
+RUN \
+    cd /usr/src/nginx-$NGINX_VERSION \
+    && make install \
+    && rm -rf /etc/nginx/html/ \
+    && mkdir /etc/nginx/conf.d/ \
+    && mkdir /etc/nginx/ssl/ \
+    && mkdir -p /usr/share/nginx/html/ \
+    && install -m644 html/index.html /usr/share/nginx/html/ \
+    && install -m644 html/50x.html /usr/share/nginx/html/ \
+    && install -m755 objs/nginx-debug /usr/sbin/nginx-debug \
+    && install -m755 objs/ngx_http_xslt_filter_module-debug.so /usr/lib/nginx/modules/ngx_http_xslt_filter_module-debug.so \
+    && install -m755 objs/ngx_http_image_filter_module-debug.so /usr/lib/nginx/modules/ngx_http_image_filter_module-debug.so \
+    && install -m755 objs/ngx_http_geoip_module-debug.so /usr/lib/nginx/modules/ngx_http_geoip_module-debug.so \
+    && install -m755 objs/ngx_stream_geoip_module-debug.so /usr/lib/nginx/modules/ngx_stream_geoip_module-debug.so \
+    && strip /usr/sbin/nginx* \
+    && strip /usr/lib/nginx/modules/*.so \
+    \
+    && apk add --no-cache --virtual .gettext gettext \
+    \
+    && scanelf --needed --nobanner /usr/sbin/nginx /usr/lib/nginx/modules/*.so /usr/bin/envsubst \
+    | awk '{ gsub(/,/, "\nso:", $2); print "so:" $2 }' \
+    | sort -u \
+    | xargs -r apk info --installed \
+    | sort -u > /tmp/runDeps.txt
+
+
+# Multi build stage 2, again from alpine. This is the release stage, which contains the installed NGINX only
+FROM alpine:3.14.2 as release
+ARG NGINX_VERSION
+
+# Copy nginx and it's deps from build stage
+COPY --from=build /tmp/runDeps.txt /tmp/runDeps.txt
+COPY --from=build /etc/nginx /etc/nginx
+COPY --from=build /usr/lib/nginx/modules/*.so /usr/lib/nginx/modules/
+COPY --from=build /usr/sbin/nginx /usr/sbin/nginx-debug /usr/sbin/
+COPY --from=build /usr/share/nginx/html/* /usr/share/nginx/html/
+COPY --from=build /usr/bin/envsubst /usr/local/bin/envsubst
+
+# Create NGINX user and group inside the container
+RUN \
+    addgroup -S nginx \
+    && adduser -D -S -h /var/cache/nginx -s /sbin/nologin -G nginx nginx \
+    && apk add --no-cache --virtual .nginx-rundeps tzdata $(cat /tmp/runDeps.txt) \
+    && rm /tmp/runDeps.txt \
+    && ln -s /usr/lib/nginx/modules /etc/nginx/modules \
+	# forward request and error logs to docker log collector
+	&& mkdir /var/log/nginx \
+	&& touch /var/log/nginx/access.log /var/log/nginx/error.log \
+	&& ln -sf /dev/stdout /var/log/nginx/access.log \
+	&& ln -sf /dev/stderr /var/log/nginx/error.log
+
+
+# COPY your NGINX configuration files to the container
+COPY ./conf/ /etc/nginx
+
+# Define your servers here 
+COPY ./conf.d/ /etc/nginx/conf.d
+
+# Don't copy SSL Certs.... just don't, mount them via docker volumes
+
+# Override stop signal to stop process gracefully
+STOPSIGNAL SIGQUIT
+
+# Start NGINX
+CMD ["nginx", "-g", "daemon off;"]

README.md

@@ -0,0 +1,22 @@
+# Dockerized NGINX with optimized configs
+
+This is a boilerplate NGINX configs using Docker, you can include it in your repo and add your server(s) config.
+
+Dockerfile based on https://github.com/fholzer/docker-nginx-brotli 
+
+# Why it's not synced with the original repo?
+
+- The original repo main goal is setting up NGINX with brotli, my goal is to have a centralized repo where I can keep up with changes & tweaks I make for my own.
+
+- In addition to adding new 3rd party modules ‑ at the time of writing I think I added `headers-more-nginx-module` and upgraded base Alpine image. Currently the final image size is **13.22MB**
+
+- So I made this as a standalone repo rather than forcing the original author to add stuff that meets my needs.
+# How to integrate in my project?
+
+1. Assuming your project is containerized
+2. You read the files and tweaked them based on your needs and server(s) hardware
+3. Add the Dockerfile with the rest of your infrastructure configs
+4. You don't need a volume for the configs, check the last lines of the `Dockerfile`, I am copying them directly into the container. Doesn't work with you? remove it and mount/bind the configs just like you do for your other services
+5. While this thing is building and you get an error, open a ticket
+6. While you can use it, you need to dive in the licensing stuff (this is why I am not adding one)
+7. Here is some rambling about NGINX https://mkreg.dev/writing/nginx-treats

conf.d/nginx.vh.default.conf

@@ -0,0 +1,19 @@
+# Dummy vhost
+
+server {
+    listen       80;
+    server_name  localhost;
+
+    location / {
+        root   /usr/share/nginx/html;
+        index  index.html index.htm;
+    }
+
+    # redirect server error pages to the static page /50x.html
+    #
+    error_page   500 502 503 504  /50x.html;
+    location = /50x.html {
+        root   /usr/share/nginx/html;
+    }
+}
+

conf/cache.conf

@@ -0,0 +1,9 @@
+# if NGINX acts as a reverse proxy, this is a caching config
+proxy_cache_key $scheme$proxy_host$uri$is_args$args;
+proxy_cache_min_uses 1;
+proxy_cache_revalidate on;
+proxy_cache_lock_timeout 5s;
+proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+proxy_cache_background_update on;
+proxy_cache_lock on;
+proxy_cache_methods GET HEAD;

conf/compression.conf

@@ -0,0 +1,43 @@
+# Compression settings for gzip and brotli
+
+ brotli on;
+ brotli_static on;
+ brotli_comp_level 6;
+ brotli_min_length 512;
+ brotli_window 512k;
+ brotli_types text/plain
+     text/css
+     text/markdown
+     application/javascript
+     application/json
+     image/apng
+     image/gif
+     image/jpeg
+     image/png
+     image/x-icon
+     application/manifest+json
+     image/svg+xml;
+
+
+ # gzip settings
+ # gzip_vary does not play nice with Cloudflare
+ gzip on;
+ gzip_vary off;
+ gzip_min_length 512;
+ gzip_http_version 1.1;
+ gzip_comp_level 8;
+ gzip_buffers 8 16k;
+ gzip_proxied any;
+ gzip_disable "msie6";
+ gzip_types text/plain
+     text/css
+     text/markdown
+     application/javascript
+     application/json
+     image/apng
+     image/gif
+     image/jpeg
+     image/png
+     image/x-icon
+     application/manifest+json
+     image/svg+xml;

conf/headers.conf

@@ -0,0 +1,30 @@
+# Read the docs for those headers and remove un-needed one's
+# Some of them won't work without SSL
+# Then Read Strict-Transport-Security (HSTS) AGAIN before applying
+
+# X-Frame-Options (DENY or SELF)
+add_header X-Frame-Options "DENY" always;
+
+# X-Xss-Protection (for Chrome, Safari, IE)
+add_header X-XSS-Protection "1; mode=block" always;
+
+# X-Content-Type-Options
+add_header X-Content-Type-Options "nosniff" always;
+
+# X-Download-Options
+add_header X-Download-Options "noopen" always;
+
+# HSTS (31536000 seconds = 1 year)
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+# Revealing HTTPS URLs When Navigating Away to HTTP Sites
+add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
+# X-DNS-Prefetch-Control
+add_header X-DNS-Prefetch-Control "on" always;
+
+# Permissions Policy, Opt out from Google FloC 
+add_header Permissions-Policy "interest-cohort=()" always;
+
+# CSP https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' blob: data:; manifest-src 'self'; media-src 'self'; worker-src 'none';" always;