omaralsoudanii
committed
Sep 1, 2021
0 parents
commit d689458
Showing
11 changed files
with
677 additions
and
0 deletions.
@@ -0,0 +1,13 @@ | ||
|
||
# Binaries for programs and plugins | ||
*.exe | ||
*.exe~ | ||
*.dll | ||
*.so | ||
*.dylib | ||
*.vscode | ||
*.idea | ||
*.test | ||
*.out | ||
.DS_Store | ||
*.pem |
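Review bot: `*.pem` on the last line is the only key-material pattern, so private keys stored as `.key`, `.crt`, `.p12` or `.pfx` are still committed and, because the Dockerfile in this commit does `COPY ./conf/ /etc/nginx`, anything of that kind placed under `conf/` ends up baked into the image the Dockerfile's own comment warns against. Extend the rule to `*.key`, `*.crt`, `*.p12` and `*.pfx`, and add a `.dockerignore` with the same patterns, since `.gitignore` does not filter the Docker build context at all.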
@@ -0,0 +1,203 @@ | ||
ARG NGINX_VERSION=1.21.2 | ||
|
||
# headers-more-nginx module repo latest commit | ||
# https://github.com/openresty/headers-more-nginx-module.git | ||
ARG NGX_MORE_HDR_COMMIT=f85af9649b858e21b400a2150a4c7b8ebd36e921 | ||
|
||
# Google brotli repo latest commit | ||
# https://github.com/google/ngx_brotli/commit/9aec15e2aa6feea2113119ba06460af70ab3ea62 | ||
ARG NGX_BROTLI_COMMIT=9aec15e2aa6feea2113119ba06460af70ab3ea62 | ||
|
||
# Arguments that we will configure NGINX with | ||
ARG CONFIG="\ | ||
--prefix=/etc/nginx \ | ||
--sbin-path=/usr/sbin/nginx \ | ||
--modules-path=/usr/lib/nginx/modules \ | ||
--conf-path=/etc/nginx/nginx.conf \ | ||
--error-log-path=/var/log/nginx/error.log \ | ||
--http-log-path=/var/log/nginx/access.log \ | ||
--pid-path=/var/run/nginx.pid \ | ||
--lock-path=/var/run/nginx.lock \ | ||
--http-client-body-temp-path=/var/cache/nginx/client_temp \ | ||
--http-proxy-temp-path=/var/cache/nginx/proxy_temp \ | ||
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \ | ||
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \ | ||
--http-scgi-temp-path=/var/cache/nginx/scgi_temp \ | ||
--user=nginx \ | ||
--group=nginx \ | ||
--with-http_ssl_module \ | ||
--with-http_realip_module \ | ||
--with-http_addition_module \ | ||
--with-http_sub_module \ | ||
--with-http_dav_module \ | ||
--with-http_flv_module \ | ||
--with-http_mp4_module \ | ||
--with-http_gunzip_module \ | ||
--with-http_gzip_static_module \ | ||
--with-http_random_index_module \ | ||
--with-http_secure_link_module \ | ||
--with-http_stub_status_module \ | ||
--with-http_auth_request_module \ | ||
--with-http_xslt_module=dynamic \ | ||
--with-http_image_filter_module=dynamic \ | ||
--with-http_geoip_module=dynamic \ | ||
--with-threads \ | ||
--with-stream \ | ||
--with-stream_ssl_module \ | ||
--with-stream_ssl_preread_module \ | ||
--with-stream_realip_module \ | ||
--with-stream_geoip_module=dynamic \ | ||
--with-http_slice_module \ | ||
--with-mail \ | ||
--with-mail_ssl_module \ | ||
--with-compat \ | ||
--with-file-aio \ | ||
--with-http_v2_module \ | ||
--add-module=/usr/src/ngx_brotli \ | ||
--add-module=/usr/src/ngx_http_headers_more_filter_module \ | ||
" | ||
|
||
|
||
# Multi stage build, we start from alpine | ||
FROM alpine:3.14.2 as build | ||
LABEL maintainer="NGINX Docker Maintainers <docker-maint@nginx.com>" | ||
|
||
# Declare the ARGS we defined above, due to entering new build stage (FROM alpine) | ||
ARG NGINX_VERSION | ||
ARG NGX_BROTLI_COMMIT | ||
ARG NGX_MORE_HDR_COMMIT | ||
ARG CONFIG | ||
|
||
# Deps for NGINX and brotli | ||
RUN \ | ||
apk add --no-cache --virtual .build-deps \ | ||
gcc \ | ||
libc-dev \ | ||
make \ | ||
openssl-dev \ | ||
pcre-dev \ | ||
zlib-dev \ | ||
linux-headers \ | ||
curl \ | ||
gnupg1 \ | ||
libxslt-dev \ | ||
gd-dev \ | ||
geoip-dev \ | ||
&& apk add --no-cache --virtual .brotli-build-deps \ | ||
autoconf \ | ||
libtool \ | ||
automake \ | ||
git \ | ||
g++ \ | ||
cmake | ||
|
||
# NGINX GPG key https://www.nginx.com/blog/updating-gpg-key-nginx-products/ | ||
COPY nginx.pub /tmp/nginx.pub | ||
|
||
# Clone brotli to the commit hash we defined, grab NGINX source code, grab headers-more-nginx module tar ball | ||
RUN \ | ||
mkdir -p /usr/src/ngx_brotli \ | ||
&& cd /usr/src/ngx_brotli \ | ||
&& git init \ | ||
&& git remote add origin https://github.com/google/ngx_brotli.git \ | ||
&& git fetch --depth 1 origin $NGX_BROTLI_COMMIT \ | ||
&& git checkout --recurse-submodules -q FETCH_HEAD \ | ||
&& git submodule update --init --depth 1 \ | ||
# Grab headers-more-nginx module | ||
&& mkdir -p /usr/src/ngx_http_headers_more_filter_module \ | ||
&& cd /usr/src/ngx_http_headers_more_filter_module \ | ||
&& git init \ | ||
&& git remote add origin https://github.com/openresty/headers-more-nginx-module.git \ | ||
&& git fetch --depth 1 origin $NGX_MORE_HDR_COMMIT \ | ||
&& git checkout --recurse-submodules -q FETCH_HEAD \ | ||
&& git submodule update --init --depth 1 \ | ||
# Grab NGINX source code | ||
&& cd .. \ | ||
&& curl -fSL https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz -o nginx.tar.gz \ | ||
&& curl -fSL https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz.asc -o nginx.tar.gz.asc \ | ||
&& sha512sum nginx.tar.gz nginx.tar.gz.asc \ | ||
&& export GNUPGHOME="$(mktemp -d)" \ | ||
&& gpg --import /tmp/nginx.pub \ | ||
&& gpg --batch --verify nginx.tar.gz.asc nginx.tar.gz \ | ||
&& mkdir -p /usr/src \ | ||
&& tar -zxC /usr/src -f nginx.tar.gz | ||
|
||
# Configure NGINX with the config we assigned, above then compile it from the source | ||
RUN \ | ||
cd /usr/src/nginx-$NGINX_VERSION \ | ||
&& ./configure $CONFIG --with-debug \ | ||
&& make -j$(getconf _NPROCESSORS_ONLN) \ | ||
&& mv objs/nginx objs/nginx-debug \ | ||
&& mv objs/ngx_http_xslt_filter_module.so objs/ngx_http_xslt_filter_module-debug.so \ | ||
&& mv objs/ngx_http_image_filter_module.so objs/ngx_http_image_filter_module-debug.so \ | ||
&& mv objs/ngx_http_geoip_module.so objs/ngx_http_geoip_module-debug.so \ | ||
&& mv objs/ngx_stream_geoip_module.so objs/ngx_stream_geoip_module-debug.so \ | ||
&& ./configure $CONFIG \ | ||
&& make -j$(getconf _NPROCESSORS_ONLN) | ||
|
||
# install NGINX, and it's modules in addition to brotli, headers-more-nginx | ||
RUN \ | ||
cd /usr/src/nginx-$NGINX_VERSION \ | ||
&& make install \ | ||
&& rm -rf /etc/nginx/html/ \ | ||
&& mkdir /etc/nginx/conf.d/ \ | ||
&& mkdir /etc/nginx/ssl/ \ | ||
&& mkdir -p /usr/share/nginx/html/ \ | ||
&& install -m644 html/index.html /usr/share/nginx/html/ \ | ||
&& install -m644 html/50x.html /usr/share/nginx/html/ \ | ||
&& install -m755 objs/nginx-debug /usr/sbin/nginx-debug \ | ||
&& install -m755 objs/ngx_http_xslt_filter_module-debug.so /usr/lib/nginx/modules/ngx_http_xslt_filter_module-debug.so \ | ||
&& install -m755 objs/ngx_http_image_filter_module-debug.so /usr/lib/nginx/modules/ngx_http_image_filter_module-debug.so \ | ||
&& install -m755 objs/ngx_http_geoip_module-debug.so /usr/lib/nginx/modules/ngx_http_geoip_module-debug.so \ | ||
&& install -m755 objs/ngx_stream_geoip_module-debug.so /usr/lib/nginx/modules/ngx_stream_geoip_module-debug.so \ | ||
&& strip /usr/sbin/nginx* \ | ||
&& strip /usr/lib/nginx/modules/*.so \ | ||
\ | ||
&& apk add --no-cache --virtual .gettext gettext \ | ||
\ | ||
&& scanelf --needed --nobanner /usr/sbin/nginx /usr/lib/nginx/modules/*.so /usr/bin/envsubst \ | ||
| awk '{ gsub(/,/, "\nso:", $2); print "so:" $2 }' \ | ||
| sort -u \ | ||
| xargs -r apk info --installed \ | ||
| sort -u > /tmp/runDeps.txt | ||
|
||
|
||
# Multi build stage 2, again from alpine. This is the release stage, which contains the installed NGINX only | ||
FROM alpine:3.14.2 as release | ||
ARG NGINX_VERSION | ||
|
||
# Copy nginx and it's deps from build stage | ||
COPY --from=build /tmp/runDeps.txt /tmp/runDeps.txt | ||
COPY --from=build /etc/nginx /etc/nginx | ||
COPY --from=build /usr/lib/nginx/modules/*.so /usr/lib/nginx/modules/ | ||
COPY --from=build /usr/sbin/nginx /usr/sbin/nginx-debug /usr/sbin/ | ||
COPY --from=build /usr/share/nginx/html/* /usr/share/nginx/html/ | ||
COPY --from=build /usr/bin/envsubst /usr/local/bin/envsubst | ||
|
||
# Create NGINX user and group inside the container | ||
RUN \ | ||
addgroup -S nginx \ | ||
&& adduser -D -S -h /var/cache/nginx -s /sbin/nologin -G nginx nginx \ | ||
&& apk add --no-cache --virtual .nginx-rundeps tzdata $(cat /tmp/runDeps.txt) \ | ||
&& rm /tmp/runDeps.txt \ | ||
&& ln -s /usr/lib/nginx/modules /etc/nginx/modules \ | ||
# forward request and error logs to docker log collector | ||
&& mkdir /var/log/nginx \ | ||
&& touch /var/log/nginx/access.log /var/log/nginx/error.log \ | ||
&& ln -sf /dev/stdout /var/log/nginx/access.log \ | ||
&& ln -sf /dev/stderr /var/log/nginx/error.log | ||
|
||
|
||
# COPY your NGINX configuration files to the container | ||
COPY ./conf/ /etc/nginx | ||
|
||
# Define your servers here | ||
COPY ./conf.d/ /etc/nginx/conf.d | ||
|
||
# Don't copy SSL Certs.... just don't, mount them via docker volumes | ||
|
||
# Override stop signal to stop process gracefully | ||
STOPSIGNAL SIGQUIT | ||
|
||
# Start NGINX | ||
CMD ["nginx", "-g", "daemon off;"] |
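Review bot: The signature check at the `gpg --import /tmp/nginx.pub` and `gpg --batch --verify nginx.tar.gz.asc nginx.tar.gz` lines trusts whichever key is in the repo-local `nginx.pub`, and the preceding `sha512sum nginx.tar.gz nginx.tar.gz.asc` only prints digests without comparing them to anything, so the tarball's authenticity rests on an unpinned file in the repo. Pin the signer by failing the build when the imported fingerprint differs, e.g. `&& gpg --batch --with-colons --fingerprint | grep -q '^fpr:.*:<EXPECTED_NGINX_KEY_FINGERPRINT>:$' \` right after the import (placeholder to fill from nginx's published key), and either drop the `sha512sum` line or make it `sha512sum -c` against a recorded digest. The `release` stage ends without a `USER` directive, so the master process runs as root; that mirrors the upstream image because the bundled vhost listens on 80, but an unprivileged variant needs the vhost on a high port, `/var/cache/nginx` and the pid path writable by `nginx`, and then `USER nginx` before `CMD`. The `LABEL maintainer="NGINX Docker Maintainers ..."` sits on the `build` stage, so it is both misleading for this fork and discarded with that stage; move a correct label to `release` or remove it. A `HEALTHCHECK` is also missing; busybox `wget` is in the alpine runtime image, so `HEALTHCHECK CMD wget -qO- http://127.0.0.1/ || exit 1` would do.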
@@ -0,0 +1,22 @@ | ||
# Dockerized NGINX with optimized configs | ||
|
||
This is a boilerplate NGINX configs using Docker, you can include it in your repo and add your server(s) config. | ||
|
||
Dockerfile based on https://github.com/fholzer/docker-nginx-brotli | ||
|
||
# Why it's not synced with the original repo? | ||
|
||
- The original repo main goal is setting up NGINX with brotli, my goal is to have a centralized repo where I can keep up with changes & tweaks I make for my own. | ||
|
||
- In addition to adding new 3rd party modules ‑ at the time of writing I think I added `headers-more-nginx-module` and upgraded base Alpine image. Currently the final image size is **13.22MB** | ||
|
||
- So I made this as a standalone repo rather than forcing the original author to add stuff that meets my needs. | ||
# How to integrate in my project? | ||
|
||
1. Assuming your project is containerized | ||
2. You read the files and tweaked them based on your needs and server(s) hardware | ||
3. Add the Dockerfile with the rest of your infrastructure configs | ||
4. You don't need a volume for the configs, check the last lines of the `Dockerfile`, I am copying them directly into the container. Doesn't work with you? remove it and mount/bind the configs just like you do for your other services | ||
5. While this thing is building and you get an error, open a ticket | ||
6. While you can use it, you need to dive in the licensing stuff (this is why I am not adding one) | ||
7. Here is some rambling about NGINX https://mkreg.dev/writing/nginx-treats |
@@ -0,0 +1,19 @@ | ||
# Dummy vhost | ||
|
||
server { | ||
listen 80; | ||
server_name localhost; | ||
|
||
location / { | ||
root /usr/share/nginx/html; | ||
index index.html index.htm; | ||
} | ||
|
||
# redirect server error pages to the static page /50x.html | ||
# | ||
error_page 500 502 503 504 /50x.html; | ||
location = /50x.html { | ||
root /usr/share/nginx/html; | ||
} | ||
} | ||
|
@@ -0,0 +1,9 @@ | ||
# if NGINX acts as a reverse proxy, this is a caching config | ||
proxy_cache_key $scheme$proxy_host$uri$is_args$args; | ||
proxy_cache_min_uses 1; | ||
proxy_cache_revalidate on; | ||
proxy_cache_lock_timeout 5s; | ||
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; | ||
proxy_cache_background_update on; | ||
proxy_cache_lock on; | ||
proxy_cache_methods GET HEAD; |
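Review bot: `proxy_cache_key $scheme$proxy_host$uri$is_args$args` keys on the URL alone, and nothing in this snippet excludes requests that carry credentials, so if an upstream ever returns a cacheable response to a request with `Authorization` or a session cookie, that per-user response can be served to the next client asking for the same URL (nginx does skip responses that set `Set-Cookie` by default, but not responses that merely differ per user). Add explicit guards such as `proxy_no_cache $http_authorization $cookie_<session_cookie>;` and `proxy_cache_bypass $http_authorization $cookie_<session_cookie>;` (placeholder cookie name), or fold the cookie into the key for endpoints that are meant to be personalised. The snippet also never declares `proxy_cache_path` or `proxy_cache <zone>`, so it is inert until a zone is configured elsewhere; a header comment like `# requires proxy_cache_path in http{} and proxy_cache <zone> in the location that includes this file` would save the next reader a search.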
@@ -0,0 +1,43 @@ | ||
# Compression settings for gzip and brotli | ||
|
||
brotli on; | ||
brotli_static on; | ||
brotli_comp_level 6; | ||
brotli_min_length 512; | ||
brotli_window 512k; | ||
brotli_types text/plain | ||
text/css | ||
text/markdown | ||
application/javascript | ||
application/json | ||
image/apng | ||
image/gif | ||
image/jpeg | ||
image/png | ||
image/x-icon | ||
application/manifest+json | ||
image/svg+xml; | ||
|
||
|
||
# gzip settings | ||
# gzip_vary does not play nice with Cloudflare | ||
gzip on; | ||
gzip_vary off; | ||
gzip_min_length 512; | ||
gzip_http_version 1.1; | ||
gzip_comp_level 8; | ||
gzip_buffers 8 16k; | ||
gzip_proxied any; | ||
gzip_disable "msie6"; | ||
gzip_types text/plain | ||
text/css | ||
text/markdown | ||
application/javascript | ||
application/json | ||
image/apng | ||
image/gif | ||
image/jpeg | ||
image/png | ||
image/x-icon | ||
application/manifest+json | ||
image/svg+xml; |
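Review bot: Both `brotli_types` and `gzip_types` list `image/jpeg`, `image/png`, `image/gif` and `image/apng`, which are already-compressed formats; recompressing them costs CPU on every response for no size gain, so drop those four from both lists and keep `image/svg+xml` and `image/x-icon`. The header comment should also state the scope of this snippet: compressing dynamic HTML or JSON that embeds per-user secrets next to request-controlled input over TLS exposes those secrets to compression side channels (BREACH), so the safer default is `brotli_static`/`gzip_static` plus compression of static asset types only, unless the application masks its CSRF tokens. `gzip_disable "msie6"` targets a browser that no longer exists and can be removed.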
@@ -0,0 +1,30 @@ | ||
# Read the docs for those headers and remove un-needed one's | ||
# Some of them won't work without SSL | ||
# Then Read Strict-Transport-Security (HSTS) AGAIN before applying | ||
|
||
# X-Frame-Options (DENY or SELF) | ||
add_header X-Frame-Options "DENY" always; | ||
|
||
# X-Xss-Protection (for Chrome, Safari, IE) | ||
add_header X-XSS-Protection "1; mode=block" always; | ||
|
||
# X-Content-Type-Options | ||
add_header X-Content-Type-Options "nosniff" always; | ||
|
||
# X-Download-Options | ||
add_header X-Download-Options "noopen" always; | ||
|
||
# HSTS (31536000 seconds = 1 year) | ||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; | ||
|
||
# Revealing HTTPS URLs When Navigating Away to HTTP Sites | ||
add_header Referrer-Policy "strict-origin-when-cross-origin" always; | ||
|
||
# X-DNS-Prefetch-Control | ||
add_header X-DNS-Prefetch-Control "on" always; | ||
|
||
# Permissions Policy, Opt out from Google FloC | ||
add_header Permissions-Policy "interest-cohort=()" always; | ||
|
||
# CSP https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy | ||
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' blob: data:; manifest-src 'self'; media-src 'self'; worker-src 'none';" always; |
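Review bot: The `Content-Security-Policy` on the last line allows `'unsafe-inline'` and `'unsafe-eval'` in `script-src`, which removes most of the script-injection protection a CSP provides; `default-src 'self'` and `object-src 'none'` still help, but the header comment should say that `script-src` has to be tightened with nonces or hashes per application before this snippet counts as hardening. `X-XSS-Protection "1; mode=block"` is deprecated and the filter it controlled has been removed from current browsers; present guidance is `add_header X-XSS-Protection "0" always;` or dropping the line and relying on the CSP. Also worth a comment at the top, since nginx does not merge `add_header` across levels: `# add_header is not inherited - any server/location that defines its own add_header must re-include this file`, otherwise every header here is silently lost in such a block.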