Standard base #84
Merged
Split apart init scripts
Include dhparams
Include ssl.conf
Include resolver.conf generation
Include worker_processes.conf generation
use nginx.conf and default site config formatted like swag (formatted similar to upstream nginx)
default.conf now universally handles /app/www/public or /config/www
ssl.conf now includes mozilla recommendations
This was referenced Oct 18, 2021
$host sends $http_host without the port and falls back to sending $server_name if HTTP_HOST header is empty
quietsy reviewed Dec 6, 2021
drizuid
approved these changes
Dec 19, 2021
lgtm! great work
nemchik added a commit to linuxserver/reverse-proxy-confs that referenced this pull request Sep 8, 2022
!! NOTICE !!
Some of the changes listed below have been rolled back in #98
Items listed below that are NOT checked have been rolled back.
Update:
linuxserver/cstate#114
https://github.com/linuxserver/cstate/blob/master/content/issues/2022-08-20-nginx-base.md
https://info.linuxserver.io/issues/2022-08-20-nginx-base/
Standardizing all images using our alpine nginx base. More info will be recorded here soon.
Objectives:
worker_processes.conf and init script to generate it in the base
resolver.conf and init script to generate it in the base
ssl.conf in the base (the same as what is currently shipped in SWAG, but adjusted to use the self-signed certs generated by the base)
include /config/nginx/site-confs/*.conf; with *.conf extension (rename existing user files automatically)
root/migrations/01-nginx-site-confs-default migrate existing default to default.conf
root/etc/cont-init.d/11-folders creates all the folders needed in /config
root/etc/cont-init.d/12-samples removes existing *.sample files from /config/nginx and copies any included *.sample files from the image
root/etc/cont-init.d/13-nginx enable required configs (nginx.conf, default.conf) if they don't exist, setup dhparams, setup resolver.conf, setup worker_processes.conf
root/etc/cont-init.d/14-php configure php
root/etc/cont-init.d/15-keygen create certificates for ssl.conf possibly could be overwritten downstream (ex: swag could ship a different script for certs from certbot)
root/etc/cont-init.d/20-permissions set /config permissions
root/etc/cont-init.d/85-version-checks check all enabled *.conf files against all *.sample files shipped with the image and alert the user about updates
default.conf
/app/www/public/, and if that does not exist, use /config/www
ssl.conf
/config/nginx/.htpasswd and apply basic auth automatically
PATH_INFO and mitigate HTTP_PROXY vulnerability
root/defaults/nginx/ (presented in the container as /defaults/nginx/)
/defaults/nginx/ are recursively copied to the user's /config/nginx/ (maintaining the structure)
*.sample and all include ## Version YYYY/MM/DD - Changelog: <url to repo history> used by /etc/cont-init.d/85-version-checks
/config/nginx/nginx.conf and /config/nginx/site-confs/default.conf) are enabled by default. Downstream images can include and/or enable others as needed (ex: SWAG will enable /config/nginx/location-confs/proxy.conf, /config/nginx/server-confs/502.conf and /config/nginx/server-confs/ssl.conf)
/config/nginx/ context):
proxy.conf (swag), authelia-location.conf (swag), ldap-location.conf (swag)
ssl.conf (base and swag)
502.conf (swag), authelia-server.conf (swag), ldap-server.conf (swag)
/config/nginx/site-confs/* included inside the http context in /config/nginx/nginx.conf
default.conf (base or downstream images)
/config/nginx/http-confs/* included inside the http context in /config/nginx/nginx.conf
/config/nginx/location-confs/* included inside the location context in /config/nginx/site-confs/default.conf
/config/nginx/server-confs/* included inside the server context in /config/nginx/site-confs/default.conf
/config/nginx/subdomain-confs/* included inside the http context in /config/nginx/site-confs/default.conf (swag)
/config/nginx/subfolder-confs/* included inside the http context in /config/nginx/site-confs/default.conf (swag)
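
The header comparison that the 85-version-checks item describes could look like the following. This is an added illustration, not the image's own script: it assumes each sample sits beside the enabled file as <name>.conf.sample, and the function names, demo tree and dates are constructed.

```shell
#!/bin/sh
# Added example, not the image's own 85-version-checks script.
# Assumption: each shipped sample sits beside the enabled file as
# <name>.conf.sample; function names and demo dates are constructed.

# Print the date of the first "## Version YYYY/MM/DD" header as YYYYMMDD,
# or nothing when the file has no well-formed header.
conf_version() {
    sed -n 's|^## Version \([0-9]\{4\}\)/\([0-9]\{2\}\)/\([0-9]\{2\}\).*|\1\2\3|p' "$1" | head -n 1
}

# List enabled *.conf files under $1 whose header is missing or older than
# the header of the matching *.conf.sample.
outdated_confs() {
    find "$1" -type f -name '*.conf' | LC_ALL=C sort | while IFS= read -r conf; do
        sample="${conf}.sample"
        [ -f "$sample" ] || continue      # user-created file, no sample to compare
        want=$(conf_version "$sample")
        [ -n "$want" ] || continue        # sample carries no header, skip it
        have=$(conf_version "$conf")
        if [ -z "$have" ] || [ "$have" -lt "$want" ]; then
            printf '%s\n' "$conf"
        fi
    done
}

# Constructed demo tree standing in for /config/nginx.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/site-confs"
    printf '## Version 2021/10/24 - Changelog: <url>\n' > "$d/nginx.conf"
    printf '## Version 2021/12/19 - Changelog: <url>\n' > "$d/nginx.conf.sample"
    printf '## Version 2021/12/19 - Changelog: <url>\n' > "$d/ssl.conf"
    printf '## Version 2021/12/19 - Changelog: <url>\n' > "$d/ssl.conf.sample"
    printf 'server { listen 80; }\n' > "$d/site-confs/default.conf"
    printf '## Version 2021/12/19 - Changelog: <url>\n' > "$d/site-confs/default.conf.sample"
    printf 'server { listen 8080; }\n' > "$d/site-confs/custom.conf"
    printf '%s\n' "$d"
}

# Run the check against the demo tree, then clean up.
tree=$(demo_tree) && outdated_confs "$tree"; rm -rf "$tree"
```

A file with no header at all is reported as outdated, so an enabled config that predates the version header still gets flagged.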