generated from cstate/example
-
-
Notifications
You must be signed in to change notification settings - Fork 5
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #114 from linuxserver/nginx-base
Notification: Significant changes to nginx based images
- Loading branch information
Showing
1 changed file
with
106 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,106 @@ | ||
| --- | ||
| title: 'Notification: Significant changes to nginx based images' | ||
| date: '2022-08-20 18:00:00Z' | ||
| informational: true | ||
| affected: | ||
| - 'Notifications' | ||
| - 'bookstack' | ||
| - 'cops' | ||
| - 'diskover' | ||
| - 'dokuwiki' | ||
| - 'freshrss' | ||
| - 'grav' | ||
| - 'grocy' | ||
| - 'heimdall' | ||
| - 'librespeed' | ||
| - 'lychee' | ||
| - 'muximux' | ||
| - 'nextcloud' | ||
| - 'nginx' | ||
| - 'photoshow' | ||
| - 'phpmyadmin' | ||
| - 'piwigo' | ||
| - 'pixapop' | ||
| - 'projectsend' | ||
| - 'snapdrop' | ||
| - 'snipe-it' | ||
| - 'swag' | ||
| - 'xbackbone' | ||
| section: 'Notifications' | ||
| --- | ||
| Most images using our alpine-nginx base image are being updated to alpine 3.15 with php8 and some significant changes to the nginx configs. | ||
|
|
||
| Changes you will likely notice: | ||
|
|
||
| - Bring our default shipped configs as close as possible to alpine upstream defaults | ||
| - <https://git.alpinelinux.org/aports/tree/main/nginx/nginx.conf?h=3.15-stable> | ||
| - Include `worker_processes.conf` and init script to generate it in the base | ||
| - Include `resolver.conf` and init script to generate it in the base | ||
| - Include `ssl.conf` in the base (the same as what is currently shipped in SWAG, but adjusted to use the self-signed certs generated by the base) | ||
| - `include /config/nginx/site-confs/*.conf;` with `*.conf` extension (rename existing user files automatically) | ||
| - Rework `default.conf` | ||
| - Expect applications inside containers to exist at `/app/www/public/`, and if that does not exist, use `/config/www` | ||
| - Include ipv6 support | ||
| - deny access to `.htaccess`/`.htpasswd` files | ||
| - adjust php location and `fastcgi_params` to use `PATH_INFO` and mitigate `HTTP_PROXY` vulnerability | ||
| - Restructure nginx configs | ||
| - Configs in `/defaults/nginx/` are recursively copied to the user's `/config/nginx/` (maintaining the structure) | ||
| - All configs are now named `*.sample` and all include `## Version YYYY/MM/DD - Changelog: <url to repo history>` used by `/etc/cont-init.d/85-version-checks` | ||
| - Required configs (`/config/nginx/nginx.conf`, `/config/nginx/server-confs/ssl.conf` and `/config/nginx/site-confs/default.conf`) are enabled by default. Downstream images can include and/or enable others as needed (ex: SWAG will enable `/config/nginx/location-confs/proxy.conf` and `/config/nginx/server-confs/502.conf`) | ||
| - Folder structure is as follows (in the `/config/nginx/` context): | ||
| - All nginx based images: | ||
| - Includes `nginx.conf` (enabled by default) | ||
| - Includes `resolver.conf` (enabled by default) | ||
| - Includes `ssl.conf` (enabled by default) | ||
| - Includes `worker_processes.conf` (enabled by default) | ||
| - `/config/nginx/site-confs/*` included inside the `http` context in `/config/nginx/nginx.conf` | ||
| - Includes `default.conf` (enabled by default) | ||
| - SWAG: | ||
| - Includes `502.conf` (enabled by default) | ||
| - Includes `authelia-location.conf` | ||
| - Includes `authelia-server.conf` | ||
| - Includes `ldap-location.conf` | ||
| - Includes `ldap-server.conf` | ||
| - Includes `proxy.conf` (enabled by default) | ||
|
|
||
| Under the hood: | ||
|
|
||
| - Split out init scripts | ||
| - `root/migrations/01-nginx-site-confs-default` migrate existing `default` to `default.conf` | ||
| - `root/etc/cont-init.d/11-folders` creates all the folders needed in `/config` | ||
| - `root/etc/cont-init.d/12-samples` removes existing `*.sample` files from `/config/nginx` and copies any included `*.sample` files from the image | ||
| - `root/etc/cont-init.d/13-nginx` enable required configs (`nginx.conf`, `ssl.conf` and `default.conf`) if they don't exist, setup `dhparams.pem`, setup `resolver.conf`, setup `worker_processes.conf` | ||
| - `root/etc/cont-init.d/14-php` configure php | ||
| - `root/etc/cont-init.d/15-keygen` create self signed certificates for `ssl.conf` | ||
| - `root/etc/cont-init.d/20-permissions` set `/config` permissions | ||
| - `root/etc/cont-init.d/85-version-checks` check all enabled `*.conf` files against all `*.sample` files shipped with the image and alert the user about updates | ||
|
|
||
| Status of affected images: | ||
|
|
||
| | Image | Branch | PR | Notes | | ||
| |---|---|---|---| | ||
| | baseimage-alpine-nginx | master | <https://github.com/linuxserver/docker-baseimage-alpine-nginx/pull/84> | | | ||
| | bookstack | master | <https://github.com/linuxserver/docker-bookstack/pull/113> | | | ||
| | cops | master | <https://github.com/linuxserver/docker-cops/pull/34> | composer dependencies not compatible with php8 | | ||
| | diskover | master | <https://github.com/linuxserver/docker-diskover/pull/43> | | | ||
| | dokuwiki | master | <https://github.com/linuxserver/docker-dokuwiki/pull/43> | | | ||
| | freshrss | master | <https://github.com/linuxserver/docker-freshrss/pull/40> | | | ||
| | grav | main | <https://github.com/linuxserver/docker-grav/pull/9> | | | ||
| | grocy | master | <https://github.com/linuxserver/docker-grocy/pull/52> | | | ||
| | heimdall | main | <https://github.com/linuxserver/docker-heimdall/pull/79> | | | ||
| | librespeed | master | <https://github.com/linuxserver/docker-librespeed/pull/15> | | | ||
| | lychee | master | <https://github.com/linuxserver/docker-lychee/pull/51> | composer dependencies not compatible with php8 | | ||
| | muximux | master | <https://github.com/linuxserver/docker-muximux/pull/26> | | | ||
| | nextcloud | master | <https://github.com/linuxserver/docker-nextcloud/pull/219> | | | ||
| | nginx | master | <https://github.com/linuxserver/docker-nginx/pull/79> | | | ||
| | photoshow | master | <https://github.com/linuxserver/docker-photoshow/pull/28> | uses deprecated function [get_magic_quotes_gpc](https://www.php.net/manual/en/function.get-magic-quotes-gpc.php), not compatible with php8 | | ||
| | phpmyadmin | main | <https://github.com/linuxserver/docker-phpmyadmin/pull/12> | | | ||
| | piwigo | master | <https://github.com/linuxserver/docker-piwigo/pull/49> | | | ||
| | pixapop | master | <https://github.com/linuxserver/docker-pixapop/pull/11> | composer dependencies not compatible with php8 | | ||
| | projectsend | master | <https://github.com/linuxserver/docker-projectsend/pull/22> | | | ||
| | snapdrop | master | <https://github.com/linuxserver/docker-snapdrop/pull/6> | | | ||
| | snipe-it | master | <https://github.com/linuxserver/docker-snipe-it/pull/28> | | | ||
| | swag | master | <https://github.com/linuxserver/docker-swag/pull/169> | | | ||
| | xbackbone | main | <https://github.com/linuxserver/docker-xbackbone/pull/5> | | | ||
|
|
||
| Any images with notes above may not be merged. We will make efforts to update this page if any of the images with notes above are merged at a later date. We may also make individual announcements about status updates regarding these images. |