Notification: Significant changes to nginx based images #114

Merged 5 commits on Aug 20, 2022
106 changes: 106 additions & 0 deletions content/issues/2022-08-20-nginx-base.md
@@ -0,0 +1,106 @@
---
title: 'Notification: Significant changes to nginx based images'
date: '2022-08-20 18:00:00Z'
informational: true
affected:
- 'Notifications'
- 'bookstack'
- 'cops'
- 'diskover'
- 'dokuwiki'
- 'freshrss'
- 'grav'
- 'grocy'
- 'heimdall'
- 'librespeed'
- 'lychee'
- 'muximux'
- 'nextcloud'
- 'nginx'
- 'photoshow'
- 'phpmyadmin'
- 'piwigo'
- 'pixapop'
- 'projectsend'
- 'snapdrop'
- 'snipe-it'
- 'swag'
- 'xbackbone'
section: 'Notifications'
---
Most images using our alpine-nginx base image are being updated to alpine 3.15 with php8 and some significant changes to the nginx configs.

Changes you will likely notice:

- Bring our default shipped configs as close as possible to alpine upstream defaults
- <https://git.alpinelinux.org/aports/tree/main/nginx/nginx.conf?h=3.15-stable>
- Include `worker_processes.conf` and init script to generate it in the base
- Include `resolver.conf` and init script to generate it in the base
- Include `ssl.conf` in the base (the same as what is currently shipped in SWAG, but adjusted to use the self-signed certs generated by the base)
- `include /config/nginx/site-confs/*.conf;` with `*.conf` extension (rename existing user files automatically)
- Rework `default.conf`
- Expect applications inside containers to exist at `/app/www/public/`, and if that does not exist, use `/config/www`
- Include ipv6 support
- deny access to `.htaccess`/`.htpasswd` files
- adjust php location and `fastcgi_params` to use `PATH_INFO` and mitigate `HTTP_PROXY` vulnerability
- Restructure nginx configs
- Configs in `/defaults/nginx/` are recursively copied to the user's `/config/nginx/` (maintaining the structure)
- All configs are now named `*.sample` and all include `## Version YYYY/MM/DD - Changelog: <url to repo history>` used by `/etc/cont-init.d/85-version-checks`
- Required configs (`/config/nginx/nginx.conf`, `/config/nginx/server-confs/ssl.conf` and `/config/nginx/site-confs/default.conf`) are enabled by default. Downstream images can include and/or enable others as needed (ex: SWAG will enable `/config/nginx/location-confs/proxy.conf` and `/config/nginx/server-confs/502.conf`)
- Folder structure is as follows (in the `/config/nginx/` context):
- All nginx based images:
- Includes `nginx.conf` (enabled by default)
- Includes `resolver.conf` (enabled by default)
- Includes `ssl.conf` (enabled by default)
- Includes `worker_processes.conf` (enabled by default)
- `/config/nginx/site-confs/*` included inside the `http` context in `/config/nginx/nginx.conf`
- Includes `default.conf` (enabled by default)
- SWAG:
- Includes `502.conf` (enabled by default)
- Includes `authelia-location.conf`
- Includes `authelia-server.conf`
- Includes `ldap-location.conf`
- Includes `ldap-server.conf`
- Includes `proxy.conf` (enabled by default)

Under the hood:

- Split out init scripts
- `root/migrations/01-nginx-site-confs-default` migrate existing `default` to `default.conf`
- `root/etc/cont-init.d/11-folders` creates all the folders needed in `/config`
- `root/etc/cont-init.d/12-samples` removes existing `*.sample` files from `/config/nginx` and copies any included `*.sample` files from the image
- `root/etc/cont-init.d/13-nginx` enable required configs (`nginx.conf`, `ssl.conf` and `default.conf`) if they don't exist, setup `dhparams.pem`, setup `resolver.conf`, setup `worker_processes.conf`
- `root/etc/cont-init.d/14-php` configure php
- `root/etc/cont-init.d/15-keygen` create self signed certificates for `ssl.conf`
- `root/etc/cont-init.d/20-permissions` set `/config` permissions
- `root/etc/cont-init.d/85-version-checks` check all enabled `*.conf` files against all `*.sample` files shipped with the image and alert the user about updates

Status of affected images:

| Image | Branch | PR | Notes |
|---|---|---|---|
| baseimage-alpine-nginx | master | <https://github.com/linuxserver/docker-baseimage-alpine-nginx/pull/84> | |
| bookstack | master | <https://github.com/linuxserver/docker-bookstack/pull/113> | |
| cops | master | <https://github.com/linuxserver/docker-cops/pull/34> | composer dependencies not compatible with php8 |
| diskover | master | <https://github.com/linuxserver/docker-diskover/pull/43> | |
| dokuwiki | master | <https://github.com/linuxserver/docker-dokuwiki/pull/43> | |
| freshrss | master | <https://github.com/linuxserver/docker-freshrss/pull/40> | |
| grav | main | <https://github.com/linuxserver/docker-grav/pull/9> | |
| grocy | master | <https://github.com/linuxserver/docker-grocy/pull/52> | |
| heimdall | main | <https://github.com/linuxserver/docker-heimdall/pull/79> | |
| librespeed | master | <https://github.com/linuxserver/docker-librespeed/pull/15> | |
| lychee | master | <https://github.com/linuxserver/docker-lychee/pull/51> | composer dependencies not compatible with php8 |
| muximux | master | <https://github.com/linuxserver/docker-muximux/pull/26> | |
| nextcloud | master | <https://github.com/linuxserver/docker-nextcloud/pull/219> | |
| nginx | master | <https://github.com/linuxserver/docker-nginx/pull/79> | |
| photoshow | master | <https://github.com/linuxserver/docker-photoshow/pull/28> | uses deprecated function [get_magic_quotes_gpc](https://www.php.net/manual/en/function.get-magic-quotes-gpc.php), not compatible with php8 |
| phpmyadmin | main | <https://github.com/linuxserver/docker-phpmyadmin/pull/12> | |
| piwigo | master | <https://github.com/linuxserver/docker-piwigo/pull/49> | |
| pixapop | master | <https://github.com/linuxserver/docker-pixapop/pull/11> | composer dependencies not compatible with php8 |
| projectsend | master | <https://github.com/linuxserver/docker-projectsend/pull/22> | |
| snapdrop | master | <https://github.com/linuxserver/docker-snapdrop/pull/6> | |
| snipe-it | master | <https://github.com/linuxserver/docker-snipe-it/pull/28> | |
| swag | master | <https://github.com/linuxserver/docker-swag/pull/169> | |
| xbackbone | main | <https://github.com/linuxserver/docker-xbackbone/pull/5> | |

Any images with notes above may not be merged. We will make efforts to update this page if any of the images with notes above are merged at a later date. We may also make individual announcements about status updates regarding these images.
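
Review bot: The notice never tells users with an existing `/config/nginx` that they have to act to receive the security-relevant changes. Under "Under the hood", `13-nginx` enables the required configs only "if they don't exist", `01-nginx-site-confs-default` migrates an existing `default` to `default.conf`, and `85-version-checks` only alerts the user about updates, which reads as though an upgraded install keeps its old site config. A reader could still assume that the `.htaccess`/`.htpasswd` deny and the `HTTP_PROXY` mitigation listed under "Rework `default.conf`" arrive automatically. Suggest adding a short "What you need to do" paragraph after the "Changes you will likely notice" list stating that existing configs are not overwritten and that users should compare their enabled `*.conf` files against the shipped `*.sample` files and merge the differences. A link or a name for the `HTTP_PROXY` issue on that bullet would also help readers judge how urgent the merge is.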