From 332dc0f632796dec00a29b39518a34e84a22c578 Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Tue, 5 Oct 2021 15:19:04 -0500 Subject: [PATCH 01/22] Standardize configs Split apart init scripts Include dhparams Include ssl.conf Include resolver.conf generation Include worker_processes.conf generation use nginx.conf and default site config formatted like swag (formatted similar to upstream nginx) --- root/defaults/default | 18 +- root/defaults/dhparams.pem | 13 ++ root/defaults/nginx.conf | 208 ++++++++++++------ root/defaults/ssl.conf | 44 ++++ root/etc/cont-init.d/15-dhparams | 8 + root/etc/cont-init.d/{30-keygen => 16-keygen} | 1 + root/etc/cont-init.d/17-php | 17 ++ root/etc/cont-init.d/18-resolver | 16 ++ root/etc/cont-init.d/19-worker_processes | 8 + root/etc/cont-init.d/20-config | 18 +- 10 files changed, 262 insertions(+), 89 deletions(-) create mode 100644 root/defaults/dhparams.pem create mode 100644 root/defaults/ssl.conf create mode 100644 root/etc/cont-init.d/15-dhparams rename root/etc/cont-init.d/{30-keygen => 16-keygen} (99%) create mode 100644 root/etc/cont-init.d/17-php create mode 100644 root/etc/cont-init.d/18-resolver create mode 100644 root/etc/cont-init.d/19-worker_processes diff --git a/root/defaults/default b/root/defaults/default index cdf2fc11..8ff051b4 100644 --- a/root/defaults/default +++ b/root/defaults/default 
@@ -1,19 +1,26 @@ +## Version 2021/10/05 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/default + server { listen 80 default_server; - - listen 443 ssl; + listen [::]:80 default_server; + listen 443 ssl http2 default_server; + listen [::]:443 ssl http2 default_server; root /config/www; index index.html index.htm index.php; server_name _; - ssl_certificate /config/keys/cert.crt; - ssl_certificate_key /config/keys/cert.key; + # all ssl related config moved to ssl.conf + include /config/nginx/ssl.conf; client_max_body_size 0; location / { + # enable the next two lines for http auth + #auth_basic "Restricted"; + #auth_basic_user_file /config/nginx/.htpasswd; + try_files $uri $uri/ /index.html /index.php?$args =404; } @@ -24,3 +31,6 @@ server { include /etc/nginx/fastcgi_params; } } + +# enable proxy cache for auth +proxy_cache_path cache/ keys_zone=auth_cache:10m; diff --git a/root/defaults/dhparams.pem b/root/defaults/dhparams.pem new file mode 100644 index 00000000..eed4c41e --- /dev/null +++ b/root/defaults/dhparams.pem @@ -0,0 +1,13 @@ +-----BEGIN DH PARAMETERS----- +MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3 +7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32 +nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e +8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx +iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K +zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI= +-----END DH PARAMETERS----- \ No newline at end of file 
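Review bot: The new root/defaults/dhparams.pem carries no indication of where the group comes from, so a reader cannot tell whether it is one of the published RFC 7919 groups or a locally generated parameter set that is now shared by every container built from this image. The fallback in 15-dhparams downloads ffdhe4096.txt, which suggests the committed file is that same well-known group; if so it is fine to ship, and that should be stated where the file is copied, e.g. `# bundled dhparams.pem is the RFC 7919 ffdhe4096 group (same as the download fallback)` in 15-dhparams or in the commit description. If it is instead a locally generated group, it should not be committed at all and the download or an openssl dhparam run should be the only source.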
diff --git a/root/defaults/nginx.conf b/root/defaults/nginx.conf index 61346711..c6040d1b 100644 --- a/root/defaults/nginx.conf +++ b/root/defaults/nginx.conf 
@@ -1,80 +1,150 @@ -## Version 2021/06/15 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx.conf +## Version 2021/10/05 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx.conf user abc; -worker_processes 4; -pid /run/nginx.pid; + +# Set number of worker processes automatically based on number of CPU cores. +include /config/nginx/worker_processes.conf; + +# Enables the use of JIT for regular expressions to speed-up their processing. +pcre_jit on; + +# Configures default error logger. +error_log /config/log/nginx/error.log; + +# Includes files with directives to load dynamic modules. include /etc/nginx/modules/*.conf; events { - worker_connections 768; - # multi_accept on; + # The maximum number of simultaneous connections that can be opened by + # a worker process. + worker_connections 1024; + # multi_accept on; } http { - - ## - # Basic Settings - ## - - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; - # server_tokens off; - - # server_names_hash_bucket_size 64; - # server_name_in_redirect off; - - client_max_body_size 0; - - include /etc/nginx/mime.types; - default_type application/octet-stream; - - ## - # Logging Settings - ## - - access_log /config/log/nginx/access.log; - error_log /config/log/nginx/error.log; - - ## - # Gzip Settings - ## - - gzip on; - gzip_disable "msie6"; - - # gzip_vary on; - # gzip_proxied any; - # gzip_comp_level 6; - # gzip_buffers 16 8k; - # gzip_http_version 1.1; - # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; - - ## - # nginx-naxsi config - ## - # Uncomment it if you installed nginx-naxsi - ## - - #include /etc/nginx/naxsi_core.rules; - - ## - # nginx-passenger config - ## - # Uncomment it if you installed nginx-passenger - ## - - #passenger_root /usr; - #passenger_ruby 
/usr/bin/ruby; - - ## - # Virtual Host Configs - ## - include /etc/nginx/http.d/*.conf; - include /config/nginx/site-confs/*; - + # Includes mapping of file name extensions to MIME types of responses + # and defines the default type. + include /etc/nginx/mime.types; + default_type application/octet-stream; + + # Name servers used to resolve names of upstream servers into addresses. + # It's also needed when using tcpsocket and udpsocket in Lua modules. + #resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001; + include /config/nginx/resolver.conf; + + # Don't tell nginx version to the clients. Default is 'on'. + server_tokens off; + + # Specifies the maximum accepted body size of a client request, as + # indicated by the request header Content-Length. If the stated content + # length is greater than this size, then the client receives the HTTP + # error code 413. Set to 0 to disable. Default is '1m'. + client_max_body_size 0; + + # Sendfile copies data between one FD and other from within the kernel, + # which is more efficient than read() + write(). Default is off. + sendfile on; + + # Causes nginx to attempt to send its HTTP response head in one packet, + # instead of using partial frames. Default is 'off'. + tcp_nopush on; + + # Helper variable for proxying websockets. + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + + # Sets the path, format, and configuration for a buffered log write. + access_log /config/log/nginx/access.log; + + # Includes virtual hosts configs. + #include /etc/nginx/http.d/*.conf; + + # WARNING: Don't use this directory for virtual hosts anymore. + # This include will be moved to the root context in Alpine 3.14. 
+ #include /etc/nginx/conf.d/*.conf; + + + ## + # Basic Settings + ## + + client_body_buffer_size 128k; + keepalive_timeout 65; + large_client_header_buffers 4 16k; + send_timeout 5m; + tcp_nodelay on; + types_hash_max_size 2048; + variables_hash_max_size 2048; + # server_names_hash_bucket_size 64; + # server_name_in_redirect off; + + ## + # Gzip Settings + ## + + gzip on; + gzip_disable "msie6"; + # gzip_vary on; + # gzip_proxied any; + # gzip_comp_level 6; + # gzip_buffers 16 8k; + # gzip_http_version 1.1; + # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; + + ## + # nginx-naxsi config + ## + # Uncomment it if you installed nginx-naxsi + ## + + #include /etc/nginx/naxsi_core.rules; + + ## + # nginx-passenger config + ## + # Uncomment it if you installed nginx-passenger + ## + + #passenger_root /usr; + #passenger_ruby /usr/bin/ruby; + + ## + # Virtual Host Configs + ## + include /config/nginx/site-confs/*; + #Removed lua. Do not remove this comment + + ## + # Geoip2 config + ## + # Uncomment to add the Geoip2 configs needed to geo block countries/cities. + ## + + #include /config/nginx/geoip2.conf; } +#mail { +# # See sample authentication script at: +# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript +# +# # auth_http localhost/auth.php; +# # pop3_capabilities "TOP" "USER"; +# # imap_capabilities "IMAP4rev1" "UIDPLUS"; +# +# server { +# listen localhost:110; +# protocol pop3; +# proxy on; +# } +# +# server { +# listen localhost:143; +# protocol imap; +# proxy on; +# } +#} + daemon off; +pid /run/nginx.pid; diff --git a/root/defaults/ssl.conf b/root/defaults/ssl.conf new file mode 100644 index 00000000..891b9220 --- /dev/null +++ b/root/defaults/ssl.conf 
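Review bot: The new http block comments out `#include /etc/nginx/http.d/*.conf;` while the removed lines in this same hunk show the old config had `include /etc/nginx/http.d/*.conf;` active, so any downstream image that drops a vhost into /etc/nginx/http.d (or into /etc/nginx/conf.d through the symlink that 20-config still creates for Alpine >= 3.14) silently stops loading it. Neither the commit message nor the `# Includes virtual hosts configs.` comment says this is intended. If it is, make the comment say so, e.g. `# Intentionally not included: only /config/nginx/site-confs is loaded; files in /etc/nginx/http.d are ignored.`; if not, keep the include active alongside the site-confs one.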
@@ -0,0 +1,44 @@
+## Version 2021/10/05 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/ssl.conf
+
+### Mozilla Recommendations
+# generated 2020-06-17, Mozilla Guideline v5.4, nginx 1.18.0-r0, OpenSSL 1.1.1g-r0, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.18.0-r0&config=intermediate&openssl=1.1.1g-r0&guideline=5.4
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+# intermediate configuration
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers off;
+
+# OCSP stapling
+ssl_stapling on;
+ssl_stapling_verify on;
+
+
+### Linuxserver.io Defaults
+
+# Certificates
+ssl_certificate /config/keys/cert.crt;
+ssl_certificate_key /config/keys/cert.key;
+
+# Diffie-Hellman Parameters
+ssl_dhparam /config/nginx/dhparams.pem;
+
+# Enable TLS 1.3 early data
+ssl_early_data on;
+
+# HSTS, remove # from the line below to enable HSTS
+#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+
+# Optional additional headers
+#add_header Cache-Control "no-transform" always;
+#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'";
+#add_header Permissions-Policy "interest-cohort=()";
+#add_header Referrer-Policy "same-origin" always;
+#add_header X-Content-Type-Options "nosniff" always;
+#add_header X-Frame-Options "SAMEORIGIN" always;
+#add_header X-UA-Compatible "IE=Edge" always;
+#add_header X-XSS-Protection "1; mode=block" always;
diff --git a/root/etc/cont-init.d/15-dhparams b/root/etc/cont-init.d/15-dhparams
new file mode 100644
index 00000000..37200e89
--- /dev/null
+++ b/root/etc/cont-init.d/15-dhparams
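Review bot: `ssl_early_data on;` under the Linuxserver.io defaults enables TLS 1.3 0-RTT for every server that includes this file, and 0-RTT requests can be replayed by anyone on the path; nothing in this patch passes `$ssl_early_data` on to the FastCGI or proxied application, so it has no way to refuse a replayed non-idempotent request. For a base image it is safer to ship this off, `#ssl_early_data on;`, with a comment stating the replay caveat, and to note that whoever enables it should also forward the flag (for example `fastcgi_param HTTP_EARLY_DATA $ssl_early_data;` in the PHP location). Separately, `ssl_stapling_verify on;` is set without an `ssl_trusted_certificate`, and with the self-signed certificate that 16-keygen produces there is no OCSP responder to query, so by default this yields an nginx warning rather than a working staple; a comment saying stapling only takes effect with a CA-issued certificate would save the next reader a puzzled log read.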
@@ -0,0 +1,8 @@
+#!/usr/bin/with-contenv bash
+
+# copy pre-generated dhparams or generate if needed
+[[ ! -f /config/nginx/dhparams.pem ]] && \
+ cp /defaults/dhparams.pem /config/nginx/dhparams.pem
+if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then
+ curl -o /config/nginx/dhparams.pem -L "https://ssl-config.mozilla.org/ffdhe4096.txt"
+fi
diff --git a/root/etc/cont-init.d/30-keygen b/root/etc/cont-init.d/16-keygen
similarity index 99%
rename from root/etc/cont-init.d/30-keygen
rename to root/etc/cont-init.d/16-keygen
index ceef02d0..7d2340dd 100644
--- a/root/etc/cont-init.d/30-keygen
+++ b/root/etc/cont-init.d/16-keygen
@@ -1,4 +1,5 @@
 #!/usr/bin/with-contenv bash
+
 SUBJECT="/C=US/ST=CA/L=Carlsbad/O=Linuxserver.io/OU=LSIO Server/CN=*"
 if [[ -f /config/keys/cert.key && -f /config/keys/cert.crt ]]; then
 echo "using keys found in /config/keys"
diff --git a/root/etc/cont-init.d/17-php b/root/etc/cont-init.d/17-php
new file mode 100644
index 00000000..aca0fa8d
--- /dev/null
+++ b/root/etc/cont-init.d/17-php
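Review bot: The `curl -o /config/nginx/dhparams.pem -L ...` fallback in 15-dhparams has no failure handling: without `-f` an HTTP error page is written into dhparams.pem as if it were the group, and on a network failure the script still exits cleanly, so the problem only surfaces later when nginx refuses to start on `ssl_dhparam`. Check the download explicitly, e.g. `curl -fL -o /config/nginx/dhparams.pem "https://ssl-config.mozilla.org/ffdhe4096.txt" || echo "ERROR: dhparams download failed; nginx will not start until /config/nginx/dhparams.pem holds a valid PEM group"`, and re-run the `grep -q 'PARAMETERS'` check afterwards. The comment `# copy pre-generated dhparams or generate if needed` is also inaccurate since nothing is generated; `# copy the bundled dhparams.pem, or download ffdhe4096 if the copy is not a PEM parameter file` matches what the code does.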
@@ -0,0 +1,17 @@
+#!/usr/bin/with-contenv bash
+
+# create local php.ini if it doesn't exist, set local timezone
+[[ ! -f /config/php/php-local.ini ]] && \
+ printf "; Edit this file to override php.ini directives and restart the container\\n\\ndate.timezone = %s\\n" "$TZ" > /config/php/php-local.ini
+# copy user php-local.ini to image
+cp /config/php/php-local.ini /etc/php7/conf.d/php-local.ini
+#fix php-fpm log location
+sed -i "s#;error_log = log/php7/error.log.*#error_log = /config/log/php/error.log#g" /etc/php7/php-fpm.conf
+#fix php-fpm user
+sed -i "s#user = nobody.*#user = abc#g" /etc/php7/php-fpm.d/www.conf
+sed -i "s#group = nobody.*#group = abc#g" /etc/php7/php-fpm.d/www.conf
+# create override for www.conf if it doesn't exist
+[[ ! -f /config/php/www2.conf ]] && \
+ printf "; Edit this file to override www.conf and php-fpm.conf directives and restart the container\\n\\n; Pool name\\n[www]\\n\\n" > /config/php/www2.conf
+# copy user www2.conf to image
+cp /config/php/www2.conf /etc/php7/php-fpm.d/www2.conf
diff --git a/root/etc/cont-init.d/18-resolver b/root/etc/cont-init.d/18-resolver
new file mode 100644
index 00000000..8061ce8f
--- /dev/null
+++ b/root/etc/cont-init.d/18-resolver
@@ -0,0 +1,16 @@
+#!/usr/bin/with-contenv bash
+
+# Set resolver, ignore ipv6 addresses
+if ! grep -q 'resolver' /config/nginx/resolver.conf; then
+ RESOLVERRAW=$(awk 'BEGIN{ORS=" "} $1=="nameserver" {print $2}' /etc/resolv.conf)
+ for i in ${RESOLVERRAW}; do
+ if [ $(awk -F ':' '{print NF-1}' <<< ${i}) -le 2 ]; then
+ RESOLVER="${RESOLVER} ${i}"
+ fi
+ done
+ if [ -z "${RESOLVER}" ]; then
+ RESOLVER="127.0.0.11"
+ fi
+ echo "Setting resolver to ${RESOLVER}"
+ echo -e "# This file is auto-generated only on first start, based on the container's /etc/resolv.conf file. Feel free to modify it as you wish.\n\nresolver ${RESOLVER} valid=30s;" > /config/nginx/resolver.conf
+fi
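Review bot: The comment in 18-resolver says IPv6 addresses are ignored, but the filter `if [ $(awk -F ':' '{print NF-1}' <<< ${i}) -le 2 ]; then` keeps any address with at most two colons, so compressed IPv6 nameservers such as `::1` or `fd00::53` pass straight into the generated `resolver` line (and `${i}` is unquoted in the here-string). Testing for any colon is simpler and matches the comment: `if [[ "${i}" != *:* ]]; then`. Also, on a first start /config/nginx/resolver.conf does not exist yet, so `grep -q` prints a "No such file" error to the container log before the branch runs as intended; `grep -qs` keeps the same logic and silences it. The same missing-file grep noise applies to `grep -q 'worker_processes'` in 19-worker_processes in the next hunk.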
diff --git a/root/etc/cont-init.d/19-worker_processes b/root/etc/cont-init.d/19-worker_processes
new file mode 100644
index 00000000..dfe40100
--- /dev/null
+++ b/root/etc/cont-init.d/19-worker_processes
@@ -0,0 +1,8 @@
+#!/usr/bin/with-contenv bash
+
+# Set worker_processes
+if ! grep -q 'worker_processes' /config/nginx/worker_processes.conf; then
+ WORKER_PROCESSES=$(nproc)
+ echo "Setting worker_processes to ${WORKER_PROCESSES}"
+ echo -e "# This file is auto-generated only on first start, based on the cpu cores detected. Feel free to change it to any other number or to auto to let nginx handle it automatically.\n\nworker_processes ${WORKER_PROCESSES};" > /config/nginx/worker_processes.conf
+fi
diff --git a/root/etc/cont-init.d/20-config b/root/etc/cont-init.d/20-config
index 88542b97..0574d7cf 100644
--- a/root/etc/cont-init.d/20-config
+++ b/root/etc/cont-init.d/20-config
@@ -10,27 +10,13 @@ mkdir -p \ # copy config files [[ ! -f /config/nginx/nginx.conf ]] && \ cp /defaults/nginx.conf /config/nginx/nginx.conf +[[ ! -f /config/nginx/ssl.conf ]] && \ + cp /defaults/ssl.conf /config/nginx/ssl.conf [[ ! -f /config/nginx/site-confs/default ]] && \ cp /defaults/default /config/nginx/site-confs/default [[ $(find /config/www -type f | wc -l) -eq 0 ]] && \ cp /defaults/index.html /config/www/index.html -# create local php.ini if it doesn't exist, set local timezone -[[ ! -f /config/php/php-local.ini ]] && \ - printf "; Edit this file to override php.ini directives and restart the container\\n\\ndate.timezone = %s\\n" "$TZ" > /config/php/php-local.ini -# copy user php-local.ini to image -cp /config/php/php-local.ini /etc/php7/conf.d/php-local.ini -#fix php-fpm log location -sed -i "s#;error_log = log/php7/error.log.*#error_log = /config/log/php/error.log#g" /etc/php7/php-fpm.conf -#fix php-fpm user -sed -i "s#user = nobody.*#user = abc#g" /etc/php7/php-fpm.d/www.conf -sed -i "s#group = nobody.*#group = abc#g" /etc/php7/php-fpm.d/www.conf -# create override for www.conf if it doesn't exist -[[ ! -f /config/php/www2.conf ]] && \ - printf "; Edit this file to override www.conf and php-fpm.conf directives and restart the container\\n\\n; Pool name\\n[www]\\n\\n" > /config/php/www2.conf -# copy user www2.conf to image -cp /config/php/www2.conf /etc/php7/php-fpm.d/www2.conf - # backwards compatibility for alpine >=3.14 if [ ! -e /etc/nginx/conf.d ]; then ln -s /etc/nginx/http.d /etc/nginx/conf.d From 989adda7d423a055e225f4f3c806fd2b5fe85ed0 Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Tue, 5 Oct 2021 15:29:46 -0500 Subject: [PATCH 02/22] Replace tabs with spaces --- root/defaults/default | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/root/defaults/default b/root/defaults/default index 8ff051b4..56324c48 100644 --- a/root/defaults/default +++ b/root/defaults/default 
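Review bot: The new 15-dhparams, 18-resolver and 19-worker_processes scripts, plus the keygen script this patch renames from 30-keygen to 16-keygen, now all run before 20-config in cont-init.d order and write into /config/nginx and /config/keys, while the `mkdir -p` list that precedes this hunk (its start is outside the hunk) looks like the place those directories are created. If that mkdir is indeed what creates /config/nginx and /config/keys, a first start with an empty /config makes the earlier scripts' `cp` and `echo > /config/nginx/...` fail before the directories exist, and nginx then fails on the missing includes. Either move the directory creation into a script numbered below 15, or have each of the new scripts `mkdir -p` the directory it writes to; a one-line comment at the top of 20-config stating what must already exist by the time it runs would also help.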
@@ -1,35 +1,35 @@ ## Version 2021/10/05 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/default server { - listen 80 default_server; + listen 80 default_server; listen [::]:80 default_server; listen 443 ssl http2 default_server; listen [::]:443 ssl http2 default_server; - root /config/www; - index index.html index.htm index.php; + root /config/www; + index index.html index.htm index.php; - server_name _; + server_name _; # all ssl related config moved to ssl.conf include /config/nginx/ssl.conf; - client_max_body_size 0; + client_max_body_size 0; - location / { + location / { # enable the next two lines for http auth #auth_basic "Restricted"; #auth_basic_user_file /config/nginx/.htpasswd; - try_files $uri $uri/ /index.html /index.php?$args =404; - } + try_files $uri $uri/ /index.html /index.php?$args =404; + } - location ~ \.php$ { - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_pass 127.0.0.1:9000; - fastcgi_index index.php; - include /etc/nginx/fastcgi_params; - } + location ~ \.php$ { + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + include /etc/nginx/fastcgi_params; + } } # enable proxy cache for auth From 42b8dd659d3a4a1e4caf44800e582318ecd6ed20 Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Thu, 14 Oct 2021 08:52:14 -0500 Subject: [PATCH 03/22] Slim down ssl.conf --- root/defaults/ssl.conf | 34 ---------------------------------- 1 file changed, 34 deletions(-) diff --git a/root/defaults/ssl.conf b/root/defaults/ssl.conf index 891b9220..8c19492e 100644 --- a/root/defaults/ssl.conf +++ b/root/defaults/ssl.conf 
@@ -1,23 +1,5 @@ ## Version 2021/10/05 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/ssl.conf -### Mozilla Recommendations -# generated 2020-06-17, Mozilla Guideline v5.4, nginx 1.18.0-r0, OpenSSL 1.1.1g-r0, intermediate configuration -# https://ssl-config.mozilla.org/#server=nginx&version=1.18.0-r0&config=intermediate&openssl=1.1.1g-r0&guideline=5.4 - -ssl_session_timeout 1d; -ssl_session_cache shared:MozSSL:10m; # about 40000 sessions -ssl_session_tickets off; - -# intermediate configuration -ssl_protocols TLSv1.2 TLSv1.3; -ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; -ssl_prefer_server_ciphers off; - -# OCSP stapling -ssl_stapling on; -ssl_stapling_verify on; - - ### Linuxserver.io Defaults # Certificates @@ -26,19 +8,3 @@ ssl_certificate_key /config/keys/cert.key; # Diffie-Hellman Parameters ssl_dhparam /config/nginx/dhparams.pem; - -# Enable TLS 1.3 early data -ssl_early_data on; - -# HSTS, remove # from the line below to enable HSTS -#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; - -# Optional additional headers -#add_header Cache-Control "no-transform" always; -#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'"; -#add_header Permissions-Policy "interest-cohort=()"; -#add_header Referrer-Policy "same-origin" always; -#add_header X-Content-Type-Options "nosniff" always; -#add_header X-Frame-Options "SAMEORIGIN" always; -#add_header X-UA-Compatible "IE=Edge" always; -#add_header X-XSS-Protection "1; mode=block" always; From 260efca82e3214ef4bd4f9ef4cfdd708617e4089 Mon Sep 17 00:00:00 2001 
From: Eric Nemchik Date: Thu, 14 Oct 2021 13:23:28 -0500 Subject: [PATCH 04/22] Rearrange conf --- root/defaults/default | 5 +- root/defaults/nginx.conf | 108 ++++++++++++++------------------------- 2 files changed, 38 insertions(+), 75 deletions(-) diff --git a/root/defaults/default b/root/defaults/default index 56324c48..c7f0e92d 100644 --- a/root/defaults/default +++ b/root/defaults/default @@ -1,4 +1,4 @@ -## Version 2021/10/05 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/default +## Version 2021/10/14 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/default server { listen 80 default_server; @@ -31,6 +31,3 @@ server { include /etc/nginx/fastcgi_params; } } - -# enable proxy cache for auth -proxy_cache_path cache/ keys_zone=auth_cache:10m; diff --git a/root/defaults/nginx.conf b/root/defaults/nginx.conf index c6040d1b..d1fdeac6 100644 --- a/root/defaults/nginx.conf +++ b/root/defaults/nginx.conf @@ -1,4 +1,7 @@ -## Version 2021/10/05 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx.conf +## Version 2021/10/14 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx.conf + +### Based on alpine defaults +# https://git.alpinelinux.org/aports/tree/main/nginx/nginx.conf?h=3.14-stable user abc; @@ -14,11 +17,14 @@ error_log /config/log/nginx/error.log; # Includes files with directives to load dynamic modules. include /etc/nginx/modules/*.conf; +# Uncomment to include files with config snippets into the root context. +# NOTE: This will be enabled by default in Alpine 3.15. +#include /etc/nginx/conf.d/*.conf; + events { # The maximum number of simultaneous connections that can be opened by # a worker process. worker_connections 1024; - # multi_accept on; } http { 
@@ -49,79 +55,39 @@ http { # instead of using partial frames. Default is 'off'. tcp_nopush on; - # Helper variable for proxying websockets. - map $http_upgrade $connection_upgrade { - default upgrade; - '' close; - } - - # Sets the path, format, and configuration for a buffered log write. - access_log /config/log/nginx/access.log; - - # Includes virtual hosts configs. - #include /etc/nginx/http.d/*.conf; - - # WARNING: Don't use this directory for virtual hosts anymore. - # This include will be moved to the root context in Alpine 3.14. - #include /etc/nginx/conf.d/*.conf; - - - ## - # Basic Settings - ## - - client_body_buffer_size 128k; - keepalive_timeout 65; - large_client_header_buffers 4 16k; - send_timeout 5m; - tcp_nodelay on; - types_hash_max_size 2048; - variables_hash_max_size 2048; - # server_names_hash_bucket_size 64; - # server_name_in_redirect off; - - ## - # Gzip Settings - ## - - gzip on; - gzip_disable "msie6"; - # gzip_vary on; - # gzip_proxied any; - # gzip_comp_level 6; - # gzip_buffers 16 8k; - # gzip_http_version 1.1; - # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; - - ## - # nginx-naxsi config - ## - # Uncomment it if you installed nginx-naxsi - ## - - #include /etc/nginx/naxsi_core.rules; - - ## - # nginx-passenger config - ## - # Uncomment it if you installed nginx-passenger - ## - - #passenger_root /usr; - #passenger_ruby /usr/bin/ruby; - - ## - # Virtual Host Configs - ## + # Enable gzipping of responses. + #gzip on; + + # Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'. + gzip_vary on; + + + # Helper variable for proxying websockets. + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + + # Sets the path, format, and configuration for a buffered log write. 
+ access_log /config/log/nginx/access.log; + + ### Linuxserver.io Defaults + + client_body_buffer_size 128k; # default: client_body_buffer_size 8k|16k; + #keepalive_timeout 75s; # default: keepalive_timeout 75s; + large_client_header_buffers 4 16k; # default: large_client_header_buffers 4 8k; + send_timeout 5m; # default: send_timeout 60s; + #server_name_in_redirect off; # default: server_name_in_redirect off; + #server_names_hash_bucket_size 64; # default: server_names_hash_bucket_size 32|64|128; + #tcp_nodelay on; # default: tcp_nodelay on; + types_hash_max_size 2048; # default: types_hash_max_size 1024; + variables_hash_max_size 2048; # default: variables_hash_max_size 1024; + + # Includes virtual hosts configs. include /config/nginx/site-confs/*; #Removed lua. Do not remove this comment - ## - # Geoip2 config - ## # Uncomment to add the Geoip2 configs needed to geo block countries/cities. - ## - #include /config/nginx/geoip2.conf; } From 9fc56705b8ae2b2b008b46e6f2573b3a84cacb68 Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Thu, 14 Oct 2021 16:13:37 -0500 Subject: [PATCH 05/22] Formatting --- root/defaults/nginx.conf | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/root/defaults/nginx.conf b/root/defaults/nginx.conf index d1fdeac6..23e3cc26 100644 --- a/root/defaults/nginx.conf +++ b/root/defaults/nginx.conf 
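Review bot: `#gzip on;` turns response compression off (the removed lines in this hunk show `gzip on;` was active before), yet the comment directly above it still reads `# Enable gzipping of responses.` and `gzip_vary on;` stays active, so a reader sees an enabling comment over a disabled directive and the commit message "Rearrange conf" does not mention it. If the new default is intentional it is a defensible one — not compressing dynamic responses is the usual mitigation for compression side-channels such as BREACH — but the comment should say that rather than the opposite, e.g. `# gzip is off by default (compression of dynamic responses can leak secrets via BREACH); enable per site if needed.`. If it is not intentional, restore `gzip on;`.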
@@ -55,21 +55,21 @@ http { # instead of using partial frames. Default is 'off'. tcp_nopush on; - # Enable gzipping of responses. - #gzip on; + # Enable gzipping of responses. + #gzip on; - # Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'. - gzip_vary on; + # Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'. + gzip_vary on; - # Helper variable for proxying websockets. - map $http_upgrade $connection_upgrade { - default upgrade; - '' close; - } + # Helper variable for proxying websockets. + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } - # Sets the path, format, and configuration for a buffered log write. - access_log /config/log/nginx/access.log; + # Sets the path, format, and configuration for a buffered log write. + access_log /config/log/nginx/access.log; ### Linuxserver.io Defaults @@ -83,7 +83,7 @@ http { types_hash_max_size 2048; # default: types_hash_max_size 1024; variables_hash_max_size 2048; # default: variables_hash_max_size 1024; - # Includes virtual hosts configs. + # Includes virtual hosts configs. include /config/nginx/site-confs/*; #Removed lua. Do not remove this comment From 6c9347d3b7c5935991a8823048468c6944fe6f59 Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Fri, 15 Oct 2021 21:42:28 -0500 Subject: [PATCH 06/22] move default to default.conf --- root/defaults/{default => default.conf} | 0 root/defaults/nginx.conf | 2 +- root/etc/cont-init.d/20-config | 8 ++++++-- 3 files changed, 7 insertions(+), 3 deletions(-) rename root/defaults/{default => default.conf} (100%) diff --git a/root/defaults/default b/root/defaults/default.conf similarity index 100% rename from root/defaults/default rename to root/defaults/default.conf diff --git a/root/defaults/nginx.conf b/root/defaults/nginx.conf index 23e3cc26..a77db3b4 100644 --- a/root/defaults/nginx.conf +++ b/root/defaults/nginx.conf 
@@ -84,7 +84,7 @@ http { variables_hash_max_size 2048; # default: variables_hash_max_size 1024; # Includes virtual hosts configs. - include /config/nginx/site-confs/*; + include /config/nginx/site-confs/*.conf; #Removed lua. Do not remove this comment # Uncomment to add the Geoip2 configs needed to geo block countries/cities. diff --git a/root/etc/cont-init.d/20-config b/root/etc/cont-init.d/20-config index 0574d7cf..de7fead3 100644 --- a/root/etc/cont-init.d/20-config +++ b/root/etc/cont-init.d/20-config @@ -7,13 +7,17 @@ mkdir -p \ /var/lib/nginx/tmp/client_body \ /var/tmp/nginx +# move default to default.conf +[[ -f /config/nginx/site-confs/default && ! -f /config/nginx/site-confs/default.conf ]] && \ + mv /config/nginx/site-confs/default /config/nginx/site-confs/default.conf + # copy config files [[ ! -f /config/nginx/nginx.conf ]] && \ cp /defaults/nginx.conf /config/nginx/nginx.conf [[ ! -f /config/nginx/ssl.conf ]] && \ cp /defaults/ssl.conf /config/nginx/ssl.conf -[[ ! -f /config/nginx/site-confs/default ]] && \ - cp /defaults/default /config/nginx/site-confs/default +[[ ! -f /config/nginx/site-confs/default.conf ]] && \ + cp /defaults/default.conf /config/nginx/site-confs/default.conf [[ $(find /config/www -type f | wc -l) -eq 0 ]] && \ cp /defaults/index.html /config/www/index.html From 522a93a412ba46a7cb5659652c6a77cfa443be25 Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Sat, 16 Oct 2021 11:07:13 -0500 Subject: [PATCH 07/22] Rework default.conf and ssl.conf default.conf now universally handles /app/www/public or /config/www ssl.conf now includes mozilla recommendations --- root/defaults/default.conf | 29 ++++++++++++++---------- root/defaults/nginx.conf | 21 ------------------ root/defaults/ssl.conf | 45 ++++++++++++++++++++++++++++++++++---- 3 files changed, 59 insertions(+), 36 deletions(-) diff --git a/root/defaults/default.conf b/root/defaults/default.conf index c7f0e92d..31e70be4 100644 --- a/root/defaults/default.conf 
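Review bot: The nginx.conf include now only loads `/config/nginx/site-confs/*.conf`, but the migration added to 20-config renames only `default`; any other file an operator placed in site-confs without a `.conf` suffix silently stops being loaded on upgrade, and nginx reports nothing, so requests for that host fall through to the default_server instead of that site's configuration. Warn about the files that will be skipped so they can be renamed, e.g. `for f in /config/nginx/site-confs/*; do [[ "${f}" == *.conf ]] || echo "WARNING: ${f} is not loaded; rename it to end in .conf"; done`, placed right after the `mv`.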
+++ b/root/defaults/default.conf @@ -3,23 +3,25 @@ server { listen 80 default_server; listen [::]:80 default_server; - listen 443 ssl http2 default_server; - listen [::]:443 ssl http2 default_server; - root /config/www; + set $root /app/www/public; + if (!-d /app/www/public) { + set $root /config/www; + } + root $root; index index.html index.htm index.php; - server_name _; - # all ssl related config moved to ssl.conf - include /config/nginx/ssl.conf; - - client_max_body_size 0; + #include /config/nginx/ssl.conf; + set $htpasswd_file /config/nginx/.htpasswd; + set $auth_basic "Restricted"; + if (!-f $htpasswd_file) { + set $auth_basic off; + } location / { - # enable the next two lines for http auth - #auth_basic "Restricted"; - #auth_basic_user_file /config/nginx/.htpasswd; + auth_basic $auth_basic; + auth_basic_user_file $htpasswd_file; try_files $uri $uri/ /index.html /index.php?$args =404; } @@ -30,4 +32,9 @@ server { fastcgi_index index.php; include /etc/nginx/fastcgi_params; } + + # deny access to .htaccess/.htpasswd files + location ~ /\.ht { + deny all; + } } diff --git a/root/defaults/nginx.conf b/root/defaults/nginx.conf index a77db3b4..052a37ac 100644 --- a/root/defaults/nginx.conf +++ b/root/defaults/nginx.conf @@ -91,26 +91,5 @@ http { #include /config/nginx/geoip2.conf; } -#mail { -# # See sample authentication script at: -# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript -# -# # auth_http localhost/auth.php; -# # pop3_capabilities "TOP" "USER"; -# # imap_capabilities "IMAP4rev1" "UIDPLUS"; -# -# server { -# listen localhost:110; -# protocol pop3; -# proxy on; -# } -# -# server { -# listen localhost:143; -# protocol imap; -# proxy on; -# } -#} - daemon off; pid /run/nginx.pid; diff --git a/root/defaults/ssl.conf b/root/defaults/ssl.conf index 8c19492e..c094746a 100644 --- a/root/defaults/ssl.conf +++ b/root/defaults/ssl.conf 
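Review bot: The new `auth_basic $auth_basic;` and `auth_basic_user_file $htpasswd_file;` lines sit inside `location /`, but a request whose URI ends in `.php` is matched by the regex `location ~ \.php$` (regex locations take precedence over the `/` prefix), which carries no auth_basic, so once /config/nginx/.htpasswd exists `/` prompts for credentials while a direct request for `/index.php` is served without them. Move the two directives up to server context, next to the `set $auth_basic` lines, so every location inherits them; the `set $auth_basic off` fallback keeps working there because nginx treats an evaluated value of `off` as disabling the check. The `location ~ /\.ht { deny all; }` added at the end is fine but the comment above it could note it only guards `.ht*` files placed under $root, since /config/nginx/.htpasswd is outside the document root anyway.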
@@ -1,10 +1,47 @@ -## Version 2021/10/05 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/ssl.conf +## Version 2021/10/16 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/ssl.conf -### Linuxserver.io Defaults +### Mozilla Recommendations +# generated 2021-10-16, Mozilla Guideline v5.6, nginx 1.20.1-r3, OpenSSL 1.1.1l-r0, intermediate configuration +# https://ssl-config.mozilla.org/#server=nginx&version=1.20.1-r3&config=intermediate&openssl=1.1.1l-r0&guideline=5.6 + +listen 443 ssl http2; +listen [::]:443 ssl http2; -# Certificates ssl_certificate /config/keys/cert.crt; ssl_certificate_key /config/keys/cert.key; +ssl_session_timeout 1d; +ssl_session_cache shared:MozSSL:10m; # about 40000 sessions +ssl_session_tickets off; -# Diffie-Hellman Parameters +# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam ssl_dhparam /config/nginx/dhparams.pem; + +# intermediate configuration +ssl_protocols TLSv1.2 TLSv1.3; +ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; +ssl_prefer_server_ciphers off; + +# HSTS (ngx_http_headers_module is required) (63072000 seconds) +#add_header Strict-Transport-Security "max-age=63072000" always; + +# OCSP stapling +ssl_stapling on; +ssl_stapling_verify on; + +# verify chain of trust of OCSP response using Root CA and Intermediate certs +ssl_trusted_certificate /config/keys/cert.crt; + +### Linuxserver.io Defaults + +# Enable TLS 1.3 early data +ssl_early_data on; + +# Optional additional headers +#add_header Cache-Control "no-transform" always; +#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'"; +#add_header Permissions-Policy "interest-cohort=()"; +#add_header Referrer-Policy "same-origin" always; 
+#add_header X-Content-Type-Options "nosniff" always; +#add_header X-Frame-Options "SAMEORIGIN" always; +#add_header X-UA-Compatible "IE=Edge" always; +#add_header X-XSS-Protection "1; mode=block" always; From 445809a60918c3f79f12b636bd9bcddef5d920a1 Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Sun, 24 Oct 2021 10:19:56 -0500 Subject: [PATCH 08/22] Update versions --- root/defaults/default.conf | 2 +- root/defaults/nginx.conf | 2 +- root/defaults/ssl.conf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/root/defaults/default.conf b/root/defaults/default.conf index 31e70be4..a266269a 100644 --- a/root/defaults/default.conf +++ b/root/defaults/default.conf @@ -1,4 +1,4 @@ -## Version 2021/10/14 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/default +## Version 2021/10/24 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/default.conf server { listen 80 default_server; diff --git a/root/defaults/nginx.conf b/root/defaults/nginx.conf index 052a37ac..558634e3 100644 --- a/root/defaults/nginx.conf +++ b/root/defaults/nginx.conf @@ -1,4 +1,4 @@ -## Version 2021/10/14 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx.conf +## Version 2021/10/24 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx.conf ### Based on alpine defaults # https://git.alpinelinux.org/aports/tree/main/nginx/nginx.conf?h=3.14-stable diff --git a/root/defaults/ssl.conf b/root/defaults/ssl.conf index c094746a..62f324a6 100644 --- a/root/defaults/ssl.conf +++ b/root/defaults/ssl.conf 
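Review bot: `ssl_early_data on;` under the Linuxserver.io defaults enables TLS 1.3 0-RTT, whose early data is replayable by design, and nginx leaves replay protection to the application through the `$ssl_early_data` variable. Since this image fronts PHP-FPM, the sample should hand that signal on, e.g. `fastcgi_param HTTP_EARLY_DATA $ssl_early_data;` next to the other params, and a comment above the directive should state that applications must refuse non-idempotent requests while it is `1`. Separately, `ssl_trusted_certificate /config/keys/cert.crt;` points `ssl_stapling_verify` at the server's own leaf; with the presumably self-signed certificate from the keygen step there is no OCSP responder to staple from, so a comment noting that stapling is only effective with a CA-issued certificate and its chain in that file would save users from chasing the resulting startup warning.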
@@ -1,4 +1,4 @@ -## Version 2021/10/16 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/ssl.conf +## Version 2021/10/24 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/ssl.conf ### Mozilla Recommendations # generated 2021-10-16, Mozilla Guideline v5.6, nginx 1.20.1-r3, OpenSSL 1.1.1l-r0, intermediate configuration From 5d81044073b9473c6cf88ec469022cea9540d8d9 Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Tue, 26 Oct 2021 08:13:51 -0500 Subject: [PATCH 09/22] Update php configs --- Dockerfile | 6 +++++- Dockerfile.aarch64 | 6 +++++- Dockerfile.armhf | 6 +++++- root/defaults/default.conf | 4 ++-- 4 files changed, 17 insertions(+), 5 deletions(-) diff --git a/Dockerfile b/Dockerfile index ca9306d4..6a37172e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -23,7 +23,11 @@ RUN \ php7-xmlwriter \ php7-zlib && \ echo "**** configure nginx ****" && \ - echo 'fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> \ + echo 'fastcgi_param HTTP_PROXY ""; # https://httpoxy.org/' >> \ + /etc/nginx/fastcgi_params && \ + echo 'fastcgi_param PATH_INFO $fastcgi_path_info; # http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_split_path_info' >> \ + /etc/nginx/fastcgi_params && \ + echo 'fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; # https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi/#connecting-nginx-to-php-fpm' >> \ /etc/nginx/fastcgi_params && \ rm -f /etc/nginx/http.d/default.conf && \ echo "**** fix logrotate ****" && \ diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index f53a125c..163c8437 100644 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 
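Review bot: The three `echo … >> /etc/nginx/fastcgi_params` lines are duplicated verbatim in `Dockerfile.aarch64` and `Dockerfile.armhf` (the next two hunks), which is how the per-arch images drift; a single fragment shipped under `root/` and installed by the existing `COPY` would keep one source of truth. The appended `fastcgi_param PATH_INFO $fastcgi_path_info;` is only populated in a location that runs `fastcgi_split_path_info`; elsewhere it passes an empty value, which is harmless but worth saying in the trailing comment, e.g. `# empty unless the location sets fastcgi_split_path_info`. The `HTTP_PROXY ""` line is the right httpoxy mitigation and needs no change.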
@@ -23,7 +23,11 @@ RUN \ php7-xmlwriter \ php7-zlib && \ echo "**** configure nginx ****" && \ - echo 'fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> \ + echo 'fastcgi_param HTTP_PROXY ""; # https://httpoxy.org/' >> \ + /etc/nginx/fastcgi_params && \ + echo 'fastcgi_param PATH_INFO $fastcgi_path_info; # http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_split_path_info' >> \ + /etc/nginx/fastcgi_params && \ + echo 'fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; # https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi/#connecting-nginx-to-php-fpm' >> \ /etc/nginx/fastcgi_params && \ rm -f /etc/nginx/http.d/default.conf && \ echo "**** fix logrotate ****" && \ diff --git a/Dockerfile.armhf b/Dockerfile.armhf index 7176c598..a484d2d5 100644 --- a/Dockerfile.armhf +++ b/Dockerfile.armhf @@ -23,7 +23,11 @@ RUN \ php7-xmlwriter \ php7-zlib && \ echo "**** configure nginx ****" && \ - echo 'fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> \ + echo 'fastcgi_param HTTP_PROXY ""; # https://httpoxy.org/' >> \ + /etc/nginx/fastcgi_params && \ + echo 'fastcgi_param PATH_INFO $fastcgi_path_info; # http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_split_path_info' >> \ + /etc/nginx/fastcgi_params && \ + echo 'fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; # https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi/#connecting-nginx-to-php-fpm' >> \ /etc/nginx/fastcgi_params && \ rm -f /etc/nginx/http.d/default.conf && \ echo "**** fix logrotate ****" && \ diff --git a/root/defaults/default.conf b/root/defaults/default.conf index a266269a..23464803 100644 --- a/root/defaults/default.conf +++ b/root/defaults/default.conf 
@@ -26,8 +26,8 @@ server { try_files $uri $uri/ /index.html /index.php?$args =404; } - location ~ \.php$ { - fastcgi_split_path_info ^(.+\.php)(/.+)$; + location ~ ^(.+\.php)(.*)$ { + fastcgi_split_path_info ^(.+\.php)(.*)$; fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; include /etc/nginx/fastcgi_params; From 855893a86a552d46c508fa34343e5b4be2ca3796 Mon Sep 17 00:00:00 2001 
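Review bot: The new `location ~ ^(.+\.php)(.*)$` hands every URI containing `.php` to PHP-FPM with `SCRIPT_FILENAME $document_root$fastcgi_script_name` without confirming the script exists; with PHP's default `cgi.fix_pathinfo=1` FPM may then resolve a different existing file under the document root as the script, the long-standing nginx/PHP pitfall this pattern needs a guard against. Insert `try_files $fastcgi_script_name =404;` directly after the `fastcgi_split_path_info` line and before `fastcgi_pass`, so a missing script returns 404 instead of reaching FPM; the order matters because `$fastcgi_script_name` is only rewritten by the split. The location's closing brace and the rest of the server block lie outside this hunk.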
From: Eric Nemchik Date: Thu, 25 Nov 2021 17:37:14 -0600 Subject: [PATCH 10/22] New directory structure --- root/defaults/migrate.sh | 16 +++++++++ root/defaults/{ => nginx}/dhparams.pem | 0 .../{nginx.conf => nginx/nginx.conf.sample} | 5 ++- .../server-confs/ssl.conf.sample} | 2 +- .../site-confs/default.conf.sample} | 3 +- root/defaults/{ => www}/index.html | 0 root/etc/cont-init.d/11-make-folders | 10 ++++++ root/etc/cont-init.d/12-migrate-confs | 8 +++++ root/etc/cont-init.d/13-copy-samples | 24 +++++++++++++ root/etc/cont-init.d/14-enable-defaults | 9 +++++ root/etc/cont-init.d/{16-keygen => 15-keygen} | 0 .../cont-init.d/{15-dhparams => 17-dhparams} | 2 +- .../{18-resolver => 17-nginx-confs} | 11 ++++-- root/etc/cont-init.d/19-worker_processes | 8 ----- root/etc/cont-init.d/20-config | 36 ------------------- root/etc/cont-init.d/20-permissions | 10 ++++++ 16 files changed, 91 insertions(+), 53 deletions(-) create mode 100644 root/defaults/migrate.sh rename root/defaults/{ => nginx}/dhparams.pem (100%) rename root/defaults/{nginx.conf => nginx/nginx.conf.sample} (95%) rename root/defaults/{ssl.conf => nginx/server-confs/ssl.conf.sample} (95%) rename root/defaults/{default.conf => nginx/site-confs/default.conf.sample} (92%) rename root/defaults/{ => www}/index.html (100%) create mode 100644 root/etc/cont-init.d/11-make-folders create mode 100644 root/etc/cont-init.d/12-migrate-confs create mode 100644 root/etc/cont-init.d/13-copy-samples create mode 100644 root/etc/cont-init.d/14-enable-defaults rename root/etc/cont-init.d/{16-keygen => 15-keygen} (100%) rename root/etc/cont-init.d/{15-dhparams => 17-dhparams} (81%) rename root/etc/cont-init.d/{18-resolver => 17-nginx-confs} (52%) delete mode 100644 root/etc/cont-init.d/19-worker_processes delete mode 100644 root/etc/cont-init.d/20-config create mode 100644 root/etc/cont-init.d/20-permissions diff --git a/root/defaults/migrate.sh b/root/defaults/migrate.sh new file mode 100644 index 00000000..92e9e2ee 
--- /dev/null +++ b/root/defaults/migrate.sh @@ -0,0 +1,16 @@ +#!/usr/bin/with-contenv bash + +migrate(){ + local OLD_LOCATION="${1}" + local NEW_LOCATION="${2}" + + if [[ -f ${OLD_LOCATION} ]];then + echo "found ${OLD_LOCATION}" + if [[ ! -f ${NEW_LOCATION} ]];then + echo "moving to ${NEW_LOCATION}" + mv "${OLD_LOCATION}" "${NEW_LOCATION}" + else + echo "new file location already exists ${NEW_LOCATION}" + fi + fi +} diff --git a/root/defaults/dhparams.pem b/root/defaults/nginx/dhparams.pem similarity index 100% rename from root/defaults/dhparams.pem rename to root/defaults/nginx/dhparams.pem diff --git a/root/defaults/nginx.conf b/root/defaults/nginx/nginx.conf.sample similarity index 95% rename from root/defaults/nginx.conf rename to root/defaults/nginx/nginx.conf.sample index 558634e3..7d04492a 100644 --- a/root/defaults/nginx.conf +++ b/root/defaults/nginx/nginx.conf.sample @@ -36,7 +36,6 @@ http { # Name servers used to resolve names of upstream servers into addresses. # It's also needed when using tcpsocket and udpsocket in Lua modules. #resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001; - include /config/nginx/resolver.conf; # Don't tell nginx version to the clients. Default is 'on'. server_tokens off; @@ -87,8 +86,8 @@ http { include /config/nginx/site-confs/*.conf; #Removed lua. Do not remove this comment - # Uncomment to add the Geoip2 configs needed to geo block countries/cities. - #include /config/nginx/geoip2.conf; + # Include configs for http block. + include /config/nginx/http-confs/*.conf; } daemon off; diff --git a/root/defaults/ssl.conf b/root/defaults/nginx/server-confs/ssl.conf.sample similarity index 95% rename from root/defaults/ssl.conf rename to root/defaults/nginx/server-confs/ssl.conf.sample index 62f324a6..875de933 100644 --- a/root/defaults/ssl.conf +++ b/root/defaults/nginx/server-confs/ssl.conf.sample 
@@ -1,4 +1,4 @@ -## Version 2021/10/24 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/ssl.conf +## Version 2021/10/24 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/server-confs/ssl.conf ### Mozilla Recommendations # generated 2021-10-16, Mozilla Guideline v5.6, nginx 1.20.1-r3, OpenSSL 1.1.1l-r0, intermediate configuration diff --git a/root/defaults/default.conf b/root/defaults/nginx/site-confs/default.conf.sample similarity index 92% rename from root/defaults/default.conf rename to root/defaults/nginx/site-confs/default.conf.sample index 23464803..033f28c4 100644 --- a/root/defaults/default.conf +++ b/root/defaults/nginx/site-confs/default.conf.sample @@ -11,8 +11,7 @@ server { root $root; index index.html index.htm index.php; - # all ssl related config moved to ssl.conf - #include /config/nginx/ssl.conf; + include /config/nginx/server-confs/*.conf; set $htpasswd_file /config/nginx/.htpasswd; set $auth_basic "Restricted"; diff --git a/root/defaults/index.html b/root/defaults/www/index.html similarity index 100% rename from root/defaults/index.html rename to root/defaults/www/index.html diff --git a/root/etc/cont-init.d/11-make-folders b/root/etc/cont-init.d/11-make-folders new file mode 100644 index 00000000..9405cb19 --- /dev/null +++ b/root/etc/cont-init.d/11-make-folders @@ -0,0 +1,10 @@ +#!/usr/bin/with-contenv bash + +# make folders +mkdir -p \ + /config/{keys,php,www} \ + /config/log/{nginx,php} \ + /config/nginx/{http-confs,location-confs,server-confs,site-confs,subdomain-confs,subfolder-confs} \ + /run \ + /var/lib/nginx/tmp/client_body \ + /var/tmp/nginx diff --git a/root/etc/cont-init.d/12-migrate-confs b/root/etc/cont-init.d/12-migrate-confs new file mode 100644 index 00000000..ee39323c --- /dev/null +++ b/root/etc/cont-init.d/12-migrate-confs 
@@ -0,0 +1,8 @@
+#!/usr/bin/with-contenv bash
+
+# shellcheck source=/dev/null
+source /defaults/migrate.sh
+
+migrate "/config/nginx/site-confs/default" "/config/nginx/site-confs/default.conf"
+migrate "/config/nginx/resolver.conf" "/config/nginx/http-confs/resolver.conf"
+migrate "/config/nginx/ssl.conf" "/config/nginx/server-confs/ssl.conf"
diff --git a/root/etc/cont-init.d/13-copy-samples b/root/etc/cont-init.d/13-copy-samples new file mode 100644
index 00000000..3127fda8
--- /dev/null
+++ b/root/etc/cont-init.d/13-copy-samples
@@ -0,0 +1,24 @@
+#!/usr/bin/with-contenv bash
+
+# copy samples
+cp \
+ /defaults/nginx/*.conf.sample \
+ /config/nginx/
+cp \
+ /defaults/nginx/http-confs/*.conf.sample \
+ /config/nginx/http-confs/
+cp \
+ /defaults/nginx/location-confs/*.conf.sample \
+ /config/nginx/location-confs/
+cp \
+ /defaults/nginx/server-confs/*.conf.sample \
+ /config/nginx/server-confs/
+cp \
+ /defaults/nginx/site-confs/*.conf.sample \
+ /config/nginx/site-confs/
+cp \
+ /defaults/nginx/subdomain-confs/*.conf.sample \
+ /config/nginx/subdomain-confs/
+cp \
+ /defaults/nginx/subfolder-confs/*.conf.sample \
+ /config/nginx/subfolder-confs/
diff --git a/root/etc/cont-init.d/14-enable-defaults b/root/etc/cont-init.d/14-enable-defaults new file mode 100644
index 00000000..4c6d9d06
--- /dev/null
+++ b/root/etc/cont-init.d/14-enable-defaults
@@ -0,0 +1,9 @@
+#!/usr/bin/with-contenv bash
+
+# copy config files
+[[ ! -f /config/nginx/nginx.conf ]] && \
+ cp /defaults/nginx/nginx.conf.sample /config/nginx/nginx.conf
+[[ ! -f /config/nginx/site-confs/default.conf ]] && \
+ cp /defaults/nginx/site-confs/default.conf.sample /config/nginx/site-confs/default.conf
+[[ $(find /config/www -type f | wc -l) -eq 0 ]] && \
+ cp /defaults/www/index.html /config/www/index.html
diff --git a/root/etc/cont-init.d/16-keygen b/root/etc/cont-init.d/15-keygen similarity index 100% rename from root/etc/cont-init.d/16-keygen rename to root/etc/cont-init.d/15-keygen
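Review bot: Every `cp` in 13-copy-samples relies on a glob that bash passes through literally when nothing matches, so for any `/defaults/nginx/<dir>/` that ships no sample (the diffstat of this commit adds samples only under `nginx/`, `server-confs/` and `site-confs/`, unless the Dockerfile populates the others) `cp` fails with a "No such file or directory" error on every container start. `shopt -s nullglob` alone is not enough, because an empty expansion leaves `cp` with just the destination argument, so each directory needs its own guard; a loop keeps that readable.

```shell
#!/usr/bin/with-contenv bash

shopt -s nullglob

# copy samples, skipping directories that ship none
for dir in . http-confs location-confs server-confs site-confs subdomain-confs subfolder-confs; do
    samples=(/defaults/nginx/"${dir}"/*.conf.sample)
    if [[ ${#samples[@]} -gt 0 ]]; then
        cp "${samples[@]}" "/config/nginx/${dir}/"
    fi
done
```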
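Review bot: 14-enable-defaults exits with the status of its last line, `[[ $(find /config/www -type f | wc -l) -eq 0 ]] && cp …`, which is 1 whenever `/config/www` already has content, i.e. on every start after the first; if the init runner treats a non-zero status as a failed script (not visible from here), each restart would log a spurious error. Ending the file with `exit 0`, or writing the three steps as `if [[ ! -f … ]]; then cp …; fi` blocks, makes the status independent of which defaults happened to be copied.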
diff --git a/root/etc/cont-init.d/15-dhparams b/root/etc/cont-init.d/17-dhparams similarity index 81% rename from root/etc/cont-init.d/15-dhparams rename to root/etc/cont-init.d/17-dhparams index 37200e89..9dca831d 100644 --- a/root/etc/cont-init.d/15-dhparams +++ b/root/etc/cont-init.d/17-dhparams @@ -2,7 +2,7 @@ # copy pre-generated dhparams or generate if needed [[ ! -f /config/nginx/dhparams.pem ]] && \ - cp /defaults/dhparams.pem /config/nginx/dhparams.pem + cp /defaults/nginx/dhparams.pem /config/nginx/dhparams.pem if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then curl -o /config/nginx/dhparams.pem -L "https://ssl-config.mozilla.org/ffdhe4096.txt" fi diff --git a/root/etc/cont-init.d/18-resolver b/root/etc/cont-init.d/17-nginx-confs similarity index 52% rename from root/etc/cont-init.d/18-resolver rename to root/etc/cont-init.d/17-nginx-confs index 8061ce8f..f356b6a8 100644 --- a/root/etc/cont-init.d/18-resolver +++ b/root/etc/cont-init.d/17-nginx-confs @@ -1,7 +1,7 @@ #!/usr/bin/with-contenv bash # Set resolver, ignore ipv6 addresses -if ! grep -q 'resolver' /config/nginx/resolver.conf; then +if ! grep -q 'resolver' /config/nginx/http-confs/resolver.conf; then RESOLVERRAW=$(awk 'BEGIN{ORS=" "} $1=="nameserver" {print $2}' /etc/resolv.conf) for i in ${RESOLVERRAW}; do if [ $(awk -F ':' '{print NF-1}' <<< ${i}) -le 2 ]; then 
@@ -12,5 +12,12 @@ if ! grep -q 'resolver' /config/nginx/resolver.conf; then RESOLVER="127.0.0.11" fi echo "Setting resolver to ${RESOLVER}" - echo -e "# This file is auto-generated only on first start, based on the container's /etc/resolv.conf file. Feel free to modify it as you wish.\n\nresolver ${RESOLVER} valid=30s;" > /config/nginx/resolver.conf + echo -e "# This file is auto-generated only on first start, based on the container's /etc/resolv.conf file. Feel free to modify it as you wish.\n\nresolver ${RESOLVER} valid=30s;" > /config/nginx/http-confs/resolver.conf +fi + +# Set worker_processes +if ! grep -q 'worker_processes' /config/nginx/worker_processes.conf; then + WORKER_PROCESSES=$(nproc) + echo "Setting worker_processes to ${WORKER_PROCESSES}" + echo -e "# This file is auto-generated only on first start, based on the cpu cores detected. Feel free to change it to any other number or to auto to let nginx handle it automatically.\n\nworker_processes ${WORKER_PROCESSES};" > /config/nginx/worker_processes.conf fi diff --git a/root/etc/cont-init.d/19-worker_processes b/root/etc/cont-init.d/19-worker_processes deleted file mode 100644 index dfe40100..00000000 --- a/root/etc/cont-init.d/19-worker_processes +++ /dev/null @@ -1,8 +0,0 @@ -#!/usr/bin/with-contenv bash - -# Set worker_processes -if ! grep -q 'worker_processes' /config/nginx/worker_processes.conf; then - WORKER_PROCESSES=$(nproc) - echo "Setting worker_processes to ${WORKER_PROCESSES}" - echo -e "# This file is auto-generated only on first start, based on the cpu cores detected. Feel free to change it to any other number or to auto to let nginx handle it automatically.\n\nworker_processes ${WORKER_PROCESSES};" > /config/nginx/worker_processes.conf -fi diff --git a/root/etc/cont-init.d/20-config b/root/etc/cont-init.d/20-config deleted file mode 100644 index de7fead3..00000000 --- a/root/etc/cont-init.d/20-config +++ /dev/null 
@@ -1,36 +0,0 @@ -#!/usr/bin/with-contenv bash - -# make our folders -mkdir -p \ - /config/{nginx/site-confs,www,log/nginx,keys,log/php,php} \ - /run \ - /var/lib/nginx/tmp/client_body \ - /var/tmp/nginx - -# move default to default.conf -[[ -f /config/nginx/site-confs/default && ! -f /config/nginx/site-confs/default.conf ]] && \ - mv /config/nginx/site-confs/default /config/nginx/site-confs/default.conf - -# copy config files -[[ ! -f /config/nginx/nginx.conf ]] && \ - cp /defaults/nginx.conf /config/nginx/nginx.conf -[[ ! -f /config/nginx/ssl.conf ]] && \ - cp /defaults/ssl.conf /config/nginx/ssl.conf -[[ ! -f /config/nginx/site-confs/default.conf ]] && \ - cp /defaults/default.conf /config/nginx/site-confs/default.conf -[[ $(find /config/www -type f | wc -l) -eq 0 ]] && \ - cp /defaults/index.html /config/www/index.html - -# backwards compatibility for alpine >=3.14 -if [ ! -e /etc/nginx/conf.d ]; then - ln -s /etc/nginx/http.d /etc/nginx/conf.d -fi - -# permissions -chown -R abc:abc \ - /config \ - /var/lib/nginx \ - /var/tmp/nginx -chmod -R g+w \ - /config/{nginx,www} -chmod -R 644 /etc/logrotate.d diff --git a/root/etc/cont-init.d/20-permissions b/root/etc/cont-init.d/20-permissions new file mode 100644 index 00000000..99216949 --- /dev/null +++ b/root/etc/cont-init.d/20-permissions @@ -0,0 +1,10 @@ +#!/usr/bin/with-contenv bash + +# permissions +chown -R abc:abc \ + /config \ + /var/lib/nginx \ + /var/tmp/nginx +chmod -R g+w \ + /config/{nginx,www} +chmod -R 644 /etc/logrotate.d From a9c8972a70dc221b74ad1fb0d7a09552eda2180b Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Fri, 26 Nov 2021 19:02:04 -0600 Subject: [PATCH 11/22] Formatting --- root/etc/cont-init.d/17-nginx-confs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/root/etc/cont-init.d/17-nginx-confs b/root/etc/cont-init.d/17-nginx-confs index f356b6a8..0524a062 100644 --- a/root/etc/cont-init.d/17-nginx-confs +++ b/root/etc/cont-init.d/17-nginx-confs 
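Review bot: `chmod -R 644 /etc/logrotate.d` in 20-permissions applies the file mode to the directory itself as well, clearing its search bit; that only goes unnoticed because logrotate runs as root and ignores DAC, and it is presumably not what was intended. Restricting the change to regular files, `find /etc/logrotate.d -type f -exec chmod 644 {} +`, keeps the intent (logrotate rejects configs with looser modes) without breaking the directory. A short comment above `chown -R abc:abc /config` stating that the full user volume, `/config/keys` included, is re-owned on every start would also help the next reader judge whether that is deliberate.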
@@ -4,11 +4,11 @@ if ! grep -q 'resolver' /config/nginx/http-confs/resolver.conf; then RESOLVERRAW=$(awk 'BEGIN{ORS=" "} $1=="nameserver" {print $2}' /etc/resolv.conf) for i in ${RESOLVERRAW}; do - if [ $(awk -F ':' '{print NF-1}' <<< ${i}) -le 2 ]; then + if [[ "$(awk -F ':' '{print NF-1}' <<< "${i}")" -le 2 ]]; then RESOLVER="${RESOLVER} ${i}" fi done - if [ -z "${RESOLVER}" ]; then + if [[ -z "${RESOLVER}" ]]; then RESOLVER="127.0.0.11" fi echo "Setting resolver to ${RESOLVER}" From 07f3ab3e3289867c910f3c8d59ff4124bb219aba Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Fri, 26 Nov 2021 20:52:11 -0600 Subject: [PATCH 12/22] Structure changes --- root/defaults/nginx/nginx.conf.sample | 2 +- root/defaults/nginx/server-confs/ssl.conf.sample | 4 ++-- root/defaults/nginx/site-confs/default.conf.sample | 12 ++++++++---- root/etc/cont-init.d/17-nginx-confs | 4 +++- 4 files changed, 14 insertions(+), 8 deletions(-) diff --git a/root/defaults/nginx/nginx.conf.sample b/root/defaults/nginx/nginx.conf.sample index 7d04492a..6f1434d1 100644 --- a/root/defaults/nginx/nginx.conf.sample +++ b/root/defaults/nginx/nginx.conf.sample @@ -1,4 +1,4 @@ -## Version 2021/10/24 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx.conf +## Version 2021/10/24 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx.conf.sample ### Based on alpine defaults # https://git.alpinelinux.org/aports/tree/main/nginx/nginx.conf?h=3.14-stable diff --git a/root/defaults/nginx/server-confs/ssl.conf.sample b/root/defaults/nginx/server-confs/ssl.conf.sample index 875de933..1902b589 100644 --- a/root/defaults/nginx/server-confs/ssl.conf.sample +++ b/root/defaults/nginx/server-confs/ssl.conf.sample 
@@ -1,4 +1,4 @@ -## Version 2021/10/24 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/server-confs/ssl.conf +## Version 2021/10/24 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/server-confs/ssl.conf.sample ### Mozilla Recommendations # generated 2021-10-16, Mozilla Guideline v5.6, nginx 1.20.1-r3, OpenSSL 1.1.1l-r0, intermediate configuration @@ -10,7 +10,7 @@ listen [::]:443 ssl http2; ssl_certificate /config/keys/cert.crt; ssl_certificate_key /config/keys/cert.key; ssl_session_timeout 1d; -ssl_session_cache shared:MozSSL:10m; # about 40000 sessions +ssl_session_cache shared:MozSSL:10m; # about 40000 sessions ssl_session_tickets off; # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam diff --git a/root/defaults/nginx/site-confs/default.conf.sample b/root/defaults/nginx/site-confs/default.conf.sample index 033f28c4..1bf1a643 100644 --- a/root/defaults/nginx/site-confs/default.conf.sample +++ b/root/defaults/nginx/site-confs/default.conf.sample @@ -1,9 +1,13 @@ -## Version 2021/10/24 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/default.conf +## Version 2021/10/24 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/default.conf.sample server { + include /config/nginx/server-confs/*.conf; + listen 80 default_server; listen [::]:80 default_server; + server_name _; + set $root /app/www/public; if (!-d /app/www/public) { set $root /config/www; @@ -11,14 +15,14 @@ server { root $root; index index.html index.htm index.php; - include /config/nginx/server-confs/*.conf; - set $htpasswd_file /config/nginx/.htpasswd; set $auth_basic "Restricted"; if (!-f $htpasswd_file) { set $auth_basic off; } location / { + include /config/nginx/location-confs/*.conf; + auth_basic $auth_basic; auth_basic_user_file $htpasswd_file; 
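Review bot: `include /config/nginx/location-confs/*.conf;` is added to `location /` only, so whatever users drop into `location-confs` (and the `location-confs/resolver.conf` the init script generates) is never applied to the PHP location, whose definition lies outside this hunk; anyone expecting those confs to act site-wide will be surprised by `.php` requests. Either repeat the include in the PHP location or add a comment above it such as `# applies to location / only; the php location does not include these`. The `include /config/nginx/server-confs/*.conf;` moved to the top of the server block is fine, since nginx ignores directive order within a context.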
@@ -34,6 +38,6 @@ server { # deny access to .htaccess/.htpasswd files location ~ /\.ht { - deny all; + deny all; } } diff --git a/root/etc/cont-init.d/17-nginx-confs b/root/etc/cont-init.d/17-nginx-confs index 0524a062..c4552901 100644 --- a/root/etc/cont-init.d/17-nginx-confs +++ b/root/etc/cont-init.d/17-nginx-confs @@ -12,7 +12,9 @@ if ! grep -q 'resolver' /config/nginx/http-confs/resolver.conf; then RESOLVER="127.0.0.11" fi echo "Setting resolver to ${RESOLVER}" - echo -e "# This file is auto-generated only on first start, based on the container's /etc/resolv.conf file. Feel free to modify it as you wish.\n\nresolver ${RESOLVER} valid=30s;" > /config/nginx/http-confs/resolver.conf + RESOLVEROUTPUT="# This file is auto-generated only on first start, based on the container's /etc/resolv.conf file. Feel free to modify it as you wish.\n\nresolver ${RESOLVER} valid=30s;" + echo -e "${RESOLVEROUTPUT}" > /config/nginx/http-confs/resolver.conf + echo -e "${RESOLVEROUTPUT}" > /config/nginx/location-confs/resolver.conf fi # Set worker_processes From c0df59b26fc7824aa8cf038d77e34811936dabb8 Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Fri, 26 Nov 2021 21:11:11 -0600 Subject: [PATCH 13/22] Version Updates --- root/defaults/nginx/nginx.conf.sample | 2 +- root/defaults/nginx/server-confs/ssl.conf.sample | 2 +- root/defaults/nginx/site-confs/default.conf.sample | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/root/defaults/nginx/nginx.conf.sample b/root/defaults/nginx/nginx.conf.sample index 6f1434d1..5cb59d97 100644 --- a/root/defaults/nginx/nginx.conf.sample +++ b/root/defaults/nginx/nginx.conf.sample 
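Review bot: The new `location-confs/resolver.conf` is written only inside the `if ! grep -q 'resolver' /config/nginx/http-confs/resolver.conf` branch (its `if` line is above this hunk), so an existing install whose `http-confs/resolver.conf` was already generated, or migrated there by 12-migrate-confs, never receives the location-level copy. Computing `RESOLVER` and `RESOLVEROUTPUT` unconditionally and then guarding each write on its own, e.g. `[[ -f /config/nginx/location-confs/resolver.conf ]] || echo -e "${RESOLVEROUTPUT}" > /config/nginx/location-confs/resolver.conf`, covers both fresh and upgraded installs; the same pattern would also avoid the stderr noise from `grep` when the file does not exist yet.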
@@ -1,4 +1,4 @@ -## Version 2021/10/24 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx.conf.sample +## Version 2021/11/25 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx.conf.sample ### Based on alpine defaults # https://git.alpinelinux.org/aports/tree/main/nginx/nginx.conf?h=3.14-stable diff --git a/root/defaults/nginx/server-confs/ssl.conf.sample b/root/defaults/nginx/server-confs/ssl.conf.sample index 1902b589..d3456daf 100644 --- a/root/defaults/nginx/server-confs/ssl.conf.sample +++ b/root/defaults/nginx/server-confs/ssl.conf.sample @@ -1,4 +1,4 @@ -## Version 2021/10/24 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/server-confs/ssl.conf.sample +## Version 2021/11/25 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/server-confs/ssl.conf.sample ### Mozilla Recommendations # generated 2021-10-16, Mozilla Guideline v5.6, nginx 1.20.1-r3, OpenSSL 1.1.1l-r0, intermediate configuration diff --git a/root/defaults/nginx/site-confs/default.conf.sample b/root/defaults/nginx/site-confs/default.conf.sample index 1bf1a643..1aab5fa1 100644 --- a/root/defaults/nginx/site-confs/default.conf.sample +++ b/root/defaults/nginx/site-confs/default.conf.sample @@ -1,4 +1,4 @@ -## Version 2021/10/24 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/default.conf.sample +## Version 2021/11/25 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/site-confs/default.conf.sample server { include /config/nginx/server-confs/*.conf; From 2a240d901c456958c36e139e9c97a115197a55d0 Mon Sep 17 00:00:00 2001 
From: Eric Nemchik Date: Sat, 27 Nov 2021 14:52:13 -0600 Subject: [PATCH 14/22] Rebasing to alpine 3.15 with php8 --- Dockerfile | 22 +++++++++++----------- Dockerfile.aarch64 | 22 +++++++++++----------- Dockerfile.armhf | 22 +++++++++++----------- root/etc/cont-init.d/17-php | 10 +++++----- root/etc/services.d/php-fpm/run | 2 +- 5 files changed, 39 insertions(+), 39 deletions(-) diff --git a/Dockerfile b/Dockerfile index 7db9c995..ff6c9ae1 100644 --- a/Dockerfile +++ b/Dockerfile @@ -11,17 +11,17 @@ RUN \ nano \ nginx \ openssl \ - php7 \ - php7-fileinfo \ - php7-fpm \ - php7-json \ - php7-mbstring \ - php7-openssl \ - php7-session \ - php7-simplexml \ - php7-xml \ - php7-xmlwriter \ - php7-zlib && \ + php8 \ + php8-fileinfo \ + php8-fpm \ + php8-json \ + php8-mbstring \ + php8-openssl \ + php8-session \ + php8-simplexml \ + php8-xml \ + php8-xmlwriter \ + php8-zlib && \ echo "**** configure nginx ****" && \ echo 'fastcgi_param HTTP_PROXY ""; # https://httpoxy.org/' >> \ /etc/nginx/fastcgi_params && \ diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index 24328343..c5e0ad56 100644 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 @@ -11,17 +11,17 @@ RUN \ nano \ nginx \ openssl \ - php7 \ - php7-fileinfo \ - php7-fpm \ - php7-json \ - php7-mbstring \ - php7-openssl \ - php7-session \ - php7-simplexml \ - php7-xml \ - php7-xmlwriter \ - php7-zlib && \ + php8 \ + php8-fileinfo \ + php8-fpm \ + php8-json \ + php8-mbstring \ + php8-openssl \ + php8-session \ + php8-simplexml \ + php8-xml \ + php8-xmlwriter \ + php8-zlib && \ echo "**** configure nginx ****" && \ echo 'fastcgi_param HTTP_PROXY ""; # https://httpoxy.org/' >> \ /etc/nginx/fastcgi_params && \ diff --git a/Dockerfile.armhf b/Dockerfile.armhf index 5d5bc273..cd88b834 100644 --- a/Dockerfile.armhf +++ b/Dockerfile.armhf 
@@ -11,17 +11,17 @@ RUN \ nano \ nginx \ openssl \ - php7 \ - php7-fileinfo \ - php7-fpm \ - php7-json \ - php7-mbstring \ - php7-openssl \ - php7-session \ - php7-simplexml \ - php7-xml \ - php7-xmlwriter \ - php7-zlib && \ + php8 \ + php8-fileinfo \ + php8-fpm \ + php8-json \ + php8-mbstring \ + php8-openssl \ + php8-session \ + php8-simplexml \ + php8-xml \ + php8-xmlwriter \ + php8-zlib && \ echo "**** configure nginx ****" && \ echo 'fastcgi_param HTTP_PROXY ""; # https://httpoxy.org/' >> \ /etc/nginx/fastcgi_params && \ diff --git a/root/etc/cont-init.d/17-php b/root/etc/cont-init.d/17-php index aca0fa8d..072dadec 100644 --- a/root/etc/cont-init.d/17-php +++ b/root/etc/cont-init.d/17-php @@ -4,14 +4,14 @@ [[ ! -f /config/php/php-local.ini ]] && \ printf "; Edit this file to override php.ini directives and restart the container\\n\\ndate.timezone = %s\\n" "$TZ" > /config/php/php-local.ini # copy user php-local.ini to image -cp /config/php/php-local.ini /etc/php7/conf.d/php-local.ini +cp /config/php/php-local.ini /etc/php8/conf.d/php-local.ini #fix php-fpm log location -sed -i "s#;error_log = log/php7/error.log.*#error_log = /config/log/php/error.log#g" /etc/php7/php-fpm.conf +sed -i "s#;error_log = log/php8/error.log.*#error_log = /config/log/php/error.log#g" /etc/php8/php-fpm.conf #fix php-fpm user -sed -i "s#user = nobody.*#user = abc#g" /etc/php7/php-fpm.d/www.conf -sed -i "s#group = nobody.*#group = abc#g" /etc/php7/php-fpm.d/www.conf +sed -i "s#user = nobody.*#user = abc#g" /etc/php8/php-fpm.d/www.conf +sed -i "s#group = nobody.*#group = abc#g" /etc/php8/php-fpm.d/www.conf # create override for www.conf if it doesn't exist [[ ! -f /config/php/www2.conf ]] && \ printf "; Edit this file to override www.conf and php-fpm.conf directives and restart the container\\n\\n; Pool name\\n[www]\\n\\n" > /config/php/www2.conf # copy user www2.conf to image -cp /config/php/www2.conf /etc/php7/php-fpm.d/www2.conf +cp /config/php/www2.conf /etc/php8/php-fpm.d/www2.conf 
diff --git a/root/etc/services.d/php-fpm/run b/root/etc/services.d/php-fpm/run index 158771ee..ff83b186 100644 --- a/root/etc/services.d/php-fpm/run +++ b/root/etc/services.d/php-fpm/run @@ -1,3 +1,3 @@ #!/usr/bin/with-contenv bash -exec /usr/sbin/php-fpm7 -F +exec /usr/sbin/php-fpm8 -F From 7c441d25e93f1832b52ecd01f529244820299765 Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Sat, 27 Nov 2021 16:29:15 -0600 Subject: [PATCH 15/22] Replace samples --- root/etc/cont-init.d/{13-copy-samples => 13-replace-samples} | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) rename root/etc/cont-init.d/{13-copy-samples => 13-replace-samples} (85%) diff --git a/root/etc/cont-init.d/13-copy-samples b/root/etc/cont-init.d/13-replace-samples similarity index 85% rename from root/etc/cont-init.d/13-copy-samples rename to root/etc/cont-init.d/13-replace-samples index 3127fda8..8725d65f 100644 --- a/root/etc/cont-init.d/13-copy-samples +++ b/root/etc/cont-init.d/13-replace-samples @@ -1,6 +1,9 @@ #!/usr/bin/with-contenv bash -# copy samples +# remove old samples +find /config/nginx/ -name "*.conf.sample" -type f -delete + +# copy new samples cp \ /defaults/nginx/*.conf.sample \ /config/nginx/ From 80618475ed4d591f938db2e9b861c72274b0819d Mon Sep 17 00:00:00 2001 
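Review bot: `find /config/nginx/ -name "*.conf.sample" -type f -delete` sweeps the whole user-mounted /config/nginx tree at every start, not just the locations this script re-populates, so a user-authored or downstream-image `*.conf.sample` kept in any subdirectory is silently destroyed. Deleting before copying also means a failure in the `cp` that follows leaves /config/nginx with no samples at all. Restrict the sweep to the depth the copy step writes to, e.g. `find /config/nginx/ -maxdepth 2 -name "*.conf.sample" -type f -delete`, or remove only the names that exist under /defaults/nginx. The remaining cp commands of this script are outside the hunk.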
From: Eric Nemchik Date: Sat, 27 Nov 2021 17:44:02 -0600 Subject: [PATCH 16/22] Remove init migration --- root/defaults/migrate.sh | 16 --------- .../{11-make-folders => 11-folders} | 0 root/etc/cont-init.d/12-migrate-confs | 8 ----- .../{13-replace-samples => 12-samples} | 0 .../cont-init.d/{17-nginx-confs => 13-nginx} | 33 +++++++++++++++++++ root/etc/cont-init.d/14-enable-defaults | 9 ----- root/etc/cont-init.d/{17-php => 14-php} | 0 root/etc/cont-init.d/17-dhparams | 8 ----- root/etc/cont-init.d/85-version-checks | 19 +++++++++++ 9 files changed, 52 insertions(+), 41 deletions(-) delete mode 100644 root/defaults/migrate.sh rename root/etc/cont-init.d/{11-make-folders => 11-folders} (100%) delete mode 100644 root/etc/cont-init.d/12-migrate-confs rename root/etc/cont-init.d/{13-replace-samples => 12-samples} (100%) rename root/etc/cont-init.d/{17-nginx-confs => 13-nginx} (51%) delete mode 100644 root/etc/cont-init.d/14-enable-defaults rename root/etc/cont-init.d/{17-php => 14-php} (100%) delete mode 100644 root/etc/cont-init.d/17-dhparams create mode 100644 root/etc/cont-init.d/85-version-checks diff --git a/root/defaults/migrate.sh b/root/defaults/migrate.sh deleted file mode 100644 index 92e9e2ee..00000000 --- a/root/defaults/migrate.sh +++ /dev/null @@ -1,16 +0,0 @@ -#!/usr/bin/with-contenv bash - -migrate(){ - local OLD_LOCATION="${1}" - local NEW_LOCATION="${2}" - - if [[ -f ${OLD_LOCATION} ]];then - echo "found ${OLD_LOCATION}" - if [[ ! -f ${NEW_LOCATION} ]];then - echo "moving to ${NEW_LOCATION}" - mv "${OLD_LOCATION}" "${NEW_LOCATION}" - else - echo "new file location already exists ${NEW_LOCATION}" - fi - fi -} diff --git a/root/etc/cont-init.d/11-make-folders b/root/etc/cont-init.d/11-folders similarity index 100% rename from root/etc/cont-init.d/11-make-folders rename to root/etc/cont-init.d/11-folders diff --git a/root/etc/cont-init.d/12-migrate-confs b/root/etc/cont-init.d/12-migrate-confs deleted file mode 100644 index ee39323c..00000000 
--- a/root/etc/cont-init.d/12-migrate-confs +++ /dev/null @@ -1,8 +0,0 @@ -#!/usr/bin/with-contenv bash - -# shellcheck source=/dev/null -source /defaults/migrate.sh - -migrate "/config/nginx/site-confs/default" "/config/nginx/site-confs/default.conf" -migrate "/config/nginx/resolver.conf" "/config/nginx/http-confs/resolver.conf" -migrate "/config/nginx/ssl.conf" "/config/nginx/server-confs/ssl.conf" diff --git a/root/etc/cont-init.d/13-replace-samples b/root/etc/cont-init.d/12-samples similarity index 100% rename from root/etc/cont-init.d/13-replace-samples rename to root/etc/cont-init.d/12-samples diff --git a/root/etc/cont-init.d/17-nginx-confs b/root/etc/cont-init.d/13-nginx similarity index 51% rename from root/etc/cont-init.d/17-nginx-confs rename to root/etc/cont-init.d/13-nginx index c4552901..013f3f66 100644 --- a/root/etc/cont-init.d/17-nginx-confs +++ b/root/etc/cont-init.d/13-nginx 
@@ -1,5 +1,38 @@ #!/usr/bin/with-contenv bash +migrate(){ + local OLD_LOCATION="${1}" + local NEW_LOCATION="${2}" + + if [[ -f ${OLD_LOCATION} ]];then + echo "found ${OLD_LOCATION}" + if [[ ! -f ${NEW_LOCATION} ]];then + echo "moving to ${NEW_LOCATION}" + mv "${OLD_LOCATION}" "${NEW_LOCATION}" + else + echo "new file location already exists ${NEW_LOCATION}" + fi + fi +} + +# rename default to default.conf +migrate "/config/nginx/site-confs/default" "/config/nginx/site-confs/default.conf" + +# copy default config files if they don't exist +[[ ! -f /config/nginx/nginx.conf ]] && \ + cp /defaults/nginx/nginx.conf.sample /config/nginx/nginx.conf +[[ ! -f /config/nginx/site-confs/default.conf ]] && \ + cp /defaults/nginx/site-confs/default.conf.sample /config/nginx/site-confs/default.conf +[[ $(find /config/www -type f | wc -l) -eq 0 ]] && \ + cp /defaults/www/index.html /config/www/index.html + +# copy pre-generated dhparams or generate if needed +[[ ! -f /config/nginx/dhparams.pem ]] && \ + cp /defaults/nginx/dhparams.pem /config/nginx/dhparams.pem +if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then + curl -o /config/nginx/dhparams.pem -L "https://ssl-config.mozilla.org/ffdhe4096.txt" +fi + # Set resolver, ignore ipv6 addresses if ! grep -q 'resolver' /config/nginx/http-confs/resolver.conf; then RESOLVERRAW=$(awk 'BEGIN{ORS=" "} $1=="nameserver" {print $2}' /etc/resolv.conf) diff --git a/root/etc/cont-init.d/14-enable-defaults b/root/etc/cont-init.d/14-enable-defaults deleted file mode 100644 index 4c6d9d06..00000000 --- a/root/etc/cont-init.d/14-enable-defaults +++ /dev/null 
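Review bot: The fallback `curl -o /config/nginx/dhparams.pem -L "https://ssl-config.mozilla.org/ffdhe4096.txt"` overwrites the live DH parameter file before anything checks what came back; curl without `-f` still writes the body of a 404 or captive-portal page and exits 0, and a failed connection truncates the file, so nginx is handed an unparsable dhparams.pem until a later start manages a good download. Because `/defaults/nginx/dhparams.pem` is already in the image, the offline repair is simply `cp /defaults/nginx/dhparams.pem /config/nginx/dhparams.pem`. If the network fetch is kept, download to a temporary file with `curl -fsSL -o "${tmp}" ...`, repeat the `grep -q 'PARAMETERS'` check on it, and only then `mv` it over the real file. The resolver block and the rest of 13-nginx continue past the hunk.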
@@ -1,9 +0,0 @@ -#!/usr/bin/with-contenv bash - -# copy config files -[[ ! -f /config/nginx/nginx.conf ]] && \ - cp /defaults/nginx/nginx.conf.sample /config/nginx/nginx.conf -[[ ! -f /config/nginx/site-confs/default.conf ]] && \ - cp /defaults/nginx/site-confs/default.conf.sample /config/nginx/site-confs/default.conf -[[ $(find /config/www -type f | wc -l) -eq 0 ]] && \ - cp /defaults/www/index.html /config/www/index.html diff --git a/root/etc/cont-init.d/17-php b/root/etc/cont-init.d/14-php similarity index 100% rename from root/etc/cont-init.d/17-php rename to root/etc/cont-init.d/14-php diff --git a/root/etc/cont-init.d/17-dhparams b/root/etc/cont-init.d/17-dhparams deleted file mode 100644 index 9dca831d..00000000 --- a/root/etc/cont-init.d/17-dhparams +++ /dev/null @@ -1,8 +0,0 @@ -#!/usr/bin/with-contenv bash - -# copy pre-generated dhparams or generate if needed -[[ ! -f /config/nginx/dhparams.pem ]] && \ - cp /defaults/nginx/dhparams.pem /config/nginx/dhparams.pem -if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then - curl -o /config/nginx/dhparams.pem -L "https://ssl-config.mozilla.org/ffdhe4096.txt" -fi diff --git a/root/etc/cont-init.d/85-version-checks b/root/etc/cont-init.d/85-version-checks new file mode 100644 index 00000000..328a41a4 --- /dev/null +++ b/root/etc/cont-init.d/85-version-checks 
@@ -0,0 +1,19 @@ +#!/usr/bin/with-contenv bash + +active_confs=$(find /config/nginx/ -name "*.conf" -type f 2>/dev/null) + +for i in ${active_confs}; do + if [ -f "${i}.sample" ]; then + if [ "$(sed -nE 's|^## Version ([0-9]{4}\/[0-9]{2}\/[0-9]{2}).*|\1|p' "${i}")" != "$(sed -nE 's|^## Version ([0-9]{4}\/[0-9]{2}\/[0-9]{2}).*|\1|p' "${i}.sample")" ]; then + active_confs_changed="${i}\n${active_confs_changed}" + fi + fi +done + +if [ -n "${active_confs_changed}" ]; then + echo "**** The following active confs have different version dates than the samples that are shipped. ****" + echo "**** This may be due to user customization or an update to the samples. ****" + echo "**** You should compare the following files to the samples in the same folder and update them. ****" + echo "**** Use the link at the top of the file to view the changelog. ****" + echo -e "${active_confs_changed}" +fi From 03a35dbb35c5cadc5b89499fbbe9d5746461f837 Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Sun, 5 Dec 2021 14:15:02 -0600 Subject: [PATCH 17/22] symlink php binary --- root/etc/cont-init.d/14-php | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/root/etc/cont-init.d/14-php b/root/etc/cont-init.d/14-php index 072dadec..2ece5600 100644 --- a/root/etc/cont-init.d/14-php +++ b/root/etc/cont-init.d/14-php 
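Review bot: `for i in ${active_confs}; do` word-splits and glob-expands the unquoted `find` output, so a path under the user-mounted /config/nginx that contains whitespace or a glob character is broken into fragments and the `.sample` comparison runs against names that do not exist. The closing `echo -e "${active_confs_changed}"` additionally interprets backslash sequences inside those user-supplied paths. Iterate over NUL-delimited `find -print0` output and emit the list with `printf '%s\n'`; the version-date `sed` comparison itself can stay as written.
```shell
active_confs_changed=""
while IFS= read -r -d '' i; do
    if [ -f "${i}.sample" ]; then
        # … unchanged: sed -nE version-date comparison of "${i}" and "${i}.sample" …
        active_confs_changed="${i}"$'\n'"${active_confs_changed}"
    fi
done < <(find /config/nginx/ -name "*.conf" -type f -print0 2>/dev/null)
# … unchanged: the four "****" banner echos …
printf '%s\n' "${active_confs_changed}"
```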
@@ -1,17 +1,26 @@ #!/usr/bin/with-contenv bash +# symlink php binary +[[ ! -e /usr/bin/php ]] && \ + ln -s /usr/bin/php8 /usr/bin/php + # create local php.ini if it doesn't exist, set local timezone [[ ! -f /config/php/php-local.ini ]] && \ printf "; Edit this file to override php.ini directives and restart the container\\n\\ndate.timezone = %s\\n" "$TZ" > /config/php/php-local.ini + # copy user php-local.ini to image cp /config/php/php-local.ini /etc/php8/conf.d/php-local.ini + #fix php-fpm log location sed -i "s#;error_log = log/php8/error.log.*#error_log = /config/log/php/error.log#g" /etc/php8/php-fpm.conf + #fix php-fpm user sed -i "s#user = nobody.*#user = abc#g" /etc/php8/php-fpm.d/www.conf sed -i "s#group = nobody.*#group = abc#g" /etc/php8/php-fpm.d/www.conf + # create override for www.conf if it doesn't exist [[ ! -f /config/php/www2.conf ]] && \ printf "; Edit this file to override www.conf and php-fpm.conf directives and restart the container\\n\\n; Pool name\\n[www]\\n\\n" > /config/php/www2.conf + # copy user www2.conf to image cp /config/php/www2.conf /etc/php8/php-fpm.d/www2.conf From 0a619fc818542228f88a459a8a00d1baa4a1b43a Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Sun, 5 Dec 2021 14:42:48 -0600 Subject: [PATCH 18/22] Rewrite index.html check --- root/etc/cont-init.d/13-nginx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/root/etc/cont-init.d/13-nginx b/root/etc/cont-init.d/13-nginx index 013f3f66..7dc16a9d 100644 --- a/root/etc/cont-init.d/13-nginx +++ b/root/etc/cont-init.d/13-nginx 
@@ -23,7 +23,7 @@ migrate "/config/nginx/site-confs/default" "/config/nginx/site-confs/default.con cp /defaults/nginx/nginx.conf.sample /config/nginx/nginx.conf [[ ! -f /config/nginx/site-confs/default.conf ]] && \ cp /defaults/nginx/site-confs/default.conf.sample /config/nginx/site-confs/default.conf -[[ $(find /config/www -type f | wc -l) -eq 0 ]] && \ +[[ ! -f /config/www/index.html ]] && grep -Eq '^\s*index[^#]*index\.html' /config/nginx/**/*.conf && \ cp /defaults/www/index.html /config/www/index.html # copy pre-generated dhparams or generate if needed From ef07e8db9bfb0114b28689df48e9c7d527c52e83 Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Sun, 5 Dec 2021 15:52:12 -0600 Subject: [PATCH 19/22] Check wildcards with index check --- root/etc/cont-init.d/13-nginx | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/root/etc/cont-init.d/13-nginx b/root/etc/cont-init.d/13-nginx index 7dc16a9d..1b4f1ea4 100644 --- a/root/etc/cont-init.d/13-nginx +++ b/root/etc/cont-init.d/13-nginx @@ -23,7 +23,16 @@ migrate "/config/nginx/site-confs/default" "/config/nginx/site-confs/default.con cp /defaults/nginx/nginx.conf.sample /config/nginx/nginx.conf [[ ! -f /config/nginx/site-confs/default.conf ]] && \ cp /defaults/nginx/site-confs/default.conf.sample /config/nginx/site-confs/default.conf -[[ ! -f /config/www/index.html ]] && grep -Eq '^\s*index[^#]*index\.html' /config/nginx/**/*.conf && \ + +# copy index.html if no index file exists +INDEX_EXISTS=false +for file in /config/www/index.*; do + if [[ -e "${file}" ]]; then + INDEX_EXISTS=true + break + fi +done +[[ ${INDEX_EXISTS} == false ]] && grep -Eq '^\s*index[^#]*index\.html' /config/nginx/**/*.conf && \ cp /defaults/www/index.html /config/www/index.html # copy pre-generated dhparams or generate if needed From 2377c9413371f6c5d883f738611ac36c45af371a Mon Sep 17 00:00:00 2001 
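Review bot: `grep -Eq '^\s*index[^#]*index\.html' /config/nginx/**/*.conf` depends on `**`, but nothing in this script enables `shopt -s globstar`, so bash treats `**` as an ordinary `*` and only `/config/nginx/<dir>/*.conf` is searched; `/config/nginx/nginx.conf` and any deeper directory are skipped, and when no file matches at all grep is given the literal pattern as a filename, fails, and the default index.html is never copied even though the shipped default.conf lists it. A form that needs no shell option and searches every depth is `grep -rEq --include='*.conf' '^\s*index[^#]*index\.html' /config/nginx/`. The dhparams code below the final context line is outside the hunk.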
From: Eric Nemchik Date: Mon, 6 Dec 2021 11:05:31 -0600 Subject: [PATCH 20/22] Send HTTP_HOST as SERVER_NAME in fastcgi_param $host sends $http_host without the port and falls back to sending $server_name if HTTP_HOST header is empty --- Dockerfile | 2 ++ Dockerfile.aarch64 | 2 ++ Dockerfile.armhf | 2 ++ 3 files changed, 6 insertions(+) diff --git a/Dockerfile b/Dockerfile index ff6c9ae1..f3cbf048 100644 --- a/Dockerfile +++ b/Dockerfile @@ -29,6 +29,8 @@ RUN \ /etc/nginx/fastcgi_params && \ echo 'fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; # https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi/#connecting-nginx-to-php-fpm' >> \ /etc/nginx/fastcgi_params && \ + echo 'fastcgi_param SERVER_NAME $host; # Send HTTP_HOST as SERVER_NAME. If HTTP_HOST is blank, send the value of server_name from nginx (default is `_`)' >> \ + /etc/nginx/fastcgi_params && \ rm -f /etc/nginx/http.d/default.conf && \ echo "**** fix logrotate ****" && \ sed -i "s#/var/log/messages {}.*# #g" /etc/logrotate.conf && \ diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index c5e0ad56..9607a9e5 100644 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 @@ -29,6 +29,8 @@ RUN \ /etc/nginx/fastcgi_params && \ echo 'fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; # https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi/#connecting-nginx-to-php-fpm' >> \ /etc/nginx/fastcgi_params && \ + echo 'fastcgi_param SERVER_NAME $host; # Send HTTP_HOST as SERVER_NAME. If HTTP_HOST is blank, send the value of server_name from nginx (default is `_`)' >> \ + /etc/nginx/fastcgi_params && \ rm -f /etc/nginx/http.d/default.conf && \ echo "**** fix logrotate ****" && \ sed -i "s#/var/log/messages {}.*# #g" /etc/logrotate.conf && \ diff --git a/Dockerfile.armhf b/Dockerfile.armhf index cd88b834..0125a3e1 100644 --- a/Dockerfile.armhf +++ b/Dockerfile.armhf 
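Review bot: `fastcgi_param SERVER_NAME $host;` makes `$_SERVER['SERVER_NAME']` a client-controlled value, because `$host` is derived from the request's Host header and the shipped site config uses the catch-all `server_name _;`, so nothing on the nginx side validates it before PHP sees it. PHP applications that build absolute URLs, redirects or password-reset links from SERVER_NAME may therefore become exposed to Host-header injection that the previous default did not allow. Since this is a deliberate trust change, the appended comment should say so, e.g. `# SERVER_NAME follows the client Host header via $host; set a real server_name in site-confs if the PHP app trusts SERVER_NAME`. The identical line is added in the Dockerfile.aarch64 and Dockerfile.armhf hunks and needs the same note.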
@@ -29,6 +29,8 @@ RUN \ /etc/nginx/fastcgi_params && \ echo 'fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; # https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi/#connecting-nginx-to-php-fpm' >> \ /etc/nginx/fastcgi_params && \ + echo 'fastcgi_param SERVER_NAME $host; # Send HTTP_HOST as SERVER_NAME. If HTTP_HOST is blank, send the value of server_name from nginx (default is `_`)' >> \ + /etc/nginx/fastcgi_params && \ rm -f /etc/nginx/http.d/default.conf && \ echo "**** fix logrotate ****" && \ sed -i "s#/var/log/messages {}.*# #g" /etc/logrotate.conf && \ From 97ceb8661651f107ed8e2bcf29798ff3e44307f5 Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Sun, 19 Dec 2021 11:23:50 -0600 Subject: [PATCH 21/22] move subfolder/subdomain folder creation to swag --- root/etc/cont-init.d/11-folders | 2 +- root/etc/cont-init.d/12-samples | 6 ------ 2 files changed, 1 insertion(+), 7 deletions(-) diff --git a/root/etc/cont-init.d/11-folders b/root/etc/cont-init.d/11-folders index 9405cb19..eed752e6 100644 --- a/root/etc/cont-init.d/11-folders +++ b/root/etc/cont-init.d/11-folders @@ -4,7 +4,7 @@ mkdir -p \ /config/{keys,php,www} \ /config/log/{nginx,php} \ - /config/nginx/{http-confs,location-confs,server-confs,site-confs,subdomain-confs,subfolder-confs} \ + /config/nginx/{http-confs,location-confs,server-confs,site-confs} \ /run \ /var/lib/nginx/tmp/client_body \ /var/tmp/nginx diff --git a/root/etc/cont-init.d/12-samples b/root/etc/cont-init.d/12-samples index 8725d65f..066cb882 100644 --- a/root/etc/cont-init.d/12-samples +++ b/root/etc/cont-init.d/12-samples @@ -19,9 +19,3 @@ cp \ cp \ /defaults/nginx/site-confs/*.conf.sample \ /config/nginx/site-confs/ -cp \ - /defaults/nginx/subdomain-confs/*.conf.sample \ - /config/nginx/subdomain-confs/ -cp \ - /defaults/nginx/subfolder-confs/*.conf.sample \ - /config/nginx/subfolder-confs/ From 050220e4b02a8f651f67bf6989fbfa5940075509 Mon Sep 17 00:00:00 2001 
From: Eric Nemchik Date: Sun, 19 Dec 2021 11:33:16 -0600 Subject: [PATCH 22/22] use new migration --- root/etc/cont-init.d/13-nginx | 18 ------------------ root/migrations/01-nginx-site-confs-default | 19 +++++++++++++++++++ 2 files changed, 19 insertions(+), 18 deletions(-) create mode 100644 root/migrations/01-nginx-site-confs-default diff --git a/root/etc/cont-init.d/13-nginx b/root/etc/cont-init.d/13-nginx index 1b4f1ea4..029cc67f 100644 --- a/root/etc/cont-init.d/13-nginx +++ b/root/etc/cont-init.d/13-nginx @@ -1,23 +1,5 @@ #!/usr/bin/with-contenv bash -migrate(){ - local OLD_LOCATION="${1}" - local NEW_LOCATION="${2}" - - if [[ -f ${OLD_LOCATION} ]];then - echo "found ${OLD_LOCATION}" - if [[ ! -f ${NEW_LOCATION} ]];then - echo "moving to ${NEW_LOCATION}" - mv "${OLD_LOCATION}" "${NEW_LOCATION}" - else - echo "new file location already exists ${NEW_LOCATION}" - fi - fi -} - -# rename default to default.conf -migrate "/config/nginx/site-confs/default" "/config/nginx/site-confs/default.conf" - # copy default config files if they don't exist [[ ! -f /config/nginx/nginx.conf ]] && \ cp /defaults/nginx/nginx.conf.sample /config/nginx/nginx.conf diff --git a/root/migrations/01-nginx-site-confs-default b/root/migrations/01-nginx-site-confs-default new file mode 100644 index 00000000..b631be28 --- /dev/null +++ b/root/migrations/01-nginx-site-confs-default @@ -0,0 +1,19 @@ +#!/usr/bin/with-contenv bash + +migrate(){ + local OLD_LOCATION="${1}" + local NEW_LOCATION="${2}" + + if [[ -f ${OLD_LOCATION} ]];then + echo "found ${OLD_LOCATION}" + if [[ ! -f ${NEW_LOCATION} ]];then + echo "moving to ${NEW_LOCATION}" + mv "${OLD_LOCATION}" "${NEW_LOCATION}" + else + echo "new file location already exists ${NEW_LOCATION}" + fi + fi +} + +# rename default to default.conf +migrate "/config/nginx/site-confs/default" "/config/nginx/site-confs/default.conf"