-
Notifications
You must be signed in to change notification settings - Fork 134
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix: update NGINX Plus Dockerfile (#274)
- Loading branch information
Showing
6 changed files
with
197 additions
and
203 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,83 +1,105 @@ | ||
| FROM debian:bookworm-slim@sha256:f528891ab1aa484bf7233dbcc84f3c806c3e427571d75510a9d74bb5ec535b33 | ||
| ARG RELEASE=bookworm | ||
| FROM debian:${RELEASE}-slim@sha256:f528891ab1aa484bf7233dbcc84f3c806c3e427571d75510a9d74bb5ec535b33 | ||
|
|
||
| ENV NGINX_PLUS_VERSION 30-2 | ||
| ENV NGINX_VERSION 1.25.1 | ||
| ENV NJS_VERSION 30+0.8.0-1 | ||
| ENV XSLT_VERSION 30-1 | ||
| # Persist RELEASE argument | ||
| ARG RELEASE | ||
|
|
||
| ENV PROXY_CACHE_MAX_SIZE "10g" | ||
| ENV PROXY_CACHE_INACTIVE "60m" | ||
| ENV PROXY_CACHE_SLICE_SIZE "1m" | ||
| ENV PROXY_CACHE_VALID_OK "1h" | ||
| ENV PROXY_CACHE_VALID_NOTFOUND "1m" | ||
| ENV PROXY_CACHE_VALID_FORBIDDEN "30s" | ||
| ENV CORS_ENABLED 0 | ||
| ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS "" | ||
| ENV DIRECTORY_LISTING_PATH_PREFIX "" | ||
| ENV STRIP_LEADING_DIRECTORY_PATH "" | ||
| ENV PREFIX_LEADING_DIRECTORY_PATH "" | ||
| # NJS env vars | ||
| ENV NGINX_VERSION=32 | ||
| ENV NGINX_PKG_RELEASE=1~${RELEASE} | ||
| ENV NJS_VERSION=0.8.4 | ||
| ENV NJS_PKG_RELEASE=1~${RELEASE} | ||
|
|
||
| COPY plus/usr /usr | ||
| # Proxy cache env vars | ||
| ENV PROXY_CACHE_MAX_SIZE=10g | ||
| ENV PROXY_CACHE_INACTIVE=60m | ||
| ENV PROXY_CACHE_SLICE_SIZE=1m | ||
| ENV PROXY_CACHE_VALID_OK=1h | ||
| ENV PROXY_CACHE_VALID_NOTFOUND=1m | ||
| ENV PROXY_CACHE_VALID_FORBIDDEN=30s | ||
|
|
||
| # Copy files from the OSS NGINX Docker container such that the container | ||
| # startup is the same. | ||
| # Source: https://github.com/nginxinc/docker-nginx/tree/1.19.2/stable/buster | ||
| COPY common/docker-entrypoint.sh /docker-entrypoint.sh | ||
| COPY common/docker-entrypoint.d /docker-entrypoint.d/ | ||
| COPY plus/docker-entrypoint.d /docker-entrypoint.d/ | ||
| # Add NGINX Plus package repository keyring | ||
| COPY plus/usr/share/keyrings/nginx-archive-keyring.gpg /usr/share/keyrings/nginx-archive-keyring.gpg | ||
| # CORS env vars | ||
| ENV CORS_ENABLED=0 | ||
| ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS="" | ||
|
|
||
| RUN --mount=type=secret,id=nginx-crt --mount=type=secret,id=nginx-key \ | ||
| set -eux \ | ||
| export DEBIAN_FRONTEND=noninteractive; \ | ||
| mkdir -p /etc/ssl/nginx; \ | ||
| cp /run/secrets/nginx-crt /etc/ssl/nginx/nginx-repo.crt; \ | ||
| chmod 0664 /etc/ssl/nginx/nginx-repo.crt; \ | ||
| cp /run/secrets/nginx-key /etc/ssl/nginx/nginx-repo.key; \ | ||
| chmod 0664 /etc/ssl/nginx/nginx-repo.key; \ | ||
| # create nginx user/group first, to be consistent throughout docker variants | ||
| addgroup --system --gid 101 nginx; \ | ||
| adduser --system --disabled-login --ingroup nginx --no-create-home --home /nonexistent --gecos "nginx user" --shell /bin/false --uid 101 nginx; \ | ||
| apt-get -qq update; \ | ||
| apt-get -qq upgrade --yes; \ | ||
| apt-get -qq install --yes \ | ||
| ca-certificates \ | ||
| curl \ | ||
| libedit2; \ | ||
| sh -a /usr/local/bin/add_nginx_plus_repo.sh; \ | ||
| rm /usr/local/bin/add_nginx_plus_repo.sh; \ | ||
| apt-get -qq update; \ | ||
| export DISTRO_VERSION="$(grep '^VERSION_CODENAME=' /etc/os-release | awk -v FS='=' '{print $2}')" && \ | ||
| apt-get -qq install --no-install-recommends --no-install-suggests -y \ | ||
| nginx-plus=${NGINX_PLUS_VERSION}~${DISTRO_VERSION} \ | ||
| nginx-plus-module-njs=${NJS_VERSION}~${DISTRO_VERSION} \ | ||
| nginx-plus-module-xslt=${XSLT_VERSION}~${DISTRO_VERSION} \ | ||
| gettext-base; \ | ||
| apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ | ||
| rm -rf /etc/apt/sources.list.d/nginx-plus.list /var/lib/apt/lists/* /var/tmp/* /tmp/* /etc/ssl/nginx; \ | ||
| # forward request and error logs to docker log collector | ||
| ln -sf /dev/stdout /var/log/nginx/access.log; \ | ||
| ln -sf /dev/stderr /var/log/nginx/error.log; \ | ||
| chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh | ||
| # S3 proxy env vars | ||
| ENV DIRECTORY_LISTING_PATH_PREFIX="" | ||
| ENV STRIP_LEADING_DIRECTORY_PATH="" | ||
| ENV PREFIX_LEADING_DIRECTORY_PATH="" | ||
|
|
||
| ENTRYPOINT ["/docker-entrypoint.sh"] | ||
| # We create an NGINX Plus image based on the official NGINX Plus Dockerfiles (https://gist.github.com/nginx-gists/36e97fc87efb5cf0039978c8e41a34b5) and modify it by: | ||
| # 1. Explicitly installing the version of njs coded in the environment variable above. | ||
| # 2. Adding configuration files needed for proxying private S3 buckets. | ||
| # 3. Adding a directory for proxied objects to be stored. | ||
| # 4. Adding the entrypoint scripts found in the base NGINX OSS Docker image with a modified version that explicitly sets resolvers. | ||
|
|
||
| # Download your NGINX license certificate and key from the F5 customer portal (https://account.f5.com) and copy it to the build context | ||
| RUN --mount=type=secret,id=nginx-crt,dst=nginx-repo.crt \ | ||
| --mount=type=secret,id=nginx-key,dst=nginx-repo.key \ | ||
| set -x \ | ||
| # Create nginx user/group first, to be consistent throughout Docker variants | ||
| && groupadd --system --gid 101 nginx \ | ||
| && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \ | ||
| && apt-get update \ | ||
| && apt-get install --no-install-recommends --no-install-suggests -y ca-certificates gnupg1 lsb-release \ | ||
| && \ | ||
| NGINX_GPGKEYS="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 8540A6F18833A80E9C1653A42FD21310B49F6B46 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3"; \ | ||
| NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \ | ||
| export GNUPGHOME="$(mktemp -d)"; \ | ||
| found=''; \ | ||
| for NGINX_GPGKEY in $NGINX_GPGKEYS; do \ | ||
| for server in \ | ||
| hkp://keyserver.ubuntu.com:80 \ | ||
| pgp.mit.edu \ | ||
| ; do \ | ||
| echo "Fetching GPG key $NGINX_GPGKEY from $server"; \ | ||
| gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \ | ||
| done; \ | ||
| test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \ | ||
| done; \ | ||
| gpg1 --export "$NGINX_GPGKEYS" > "$NGINX_GPGKEY_PATH" ; \ | ||
| rm -rf "$GNUPGHOME"; \ | ||
| apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \ | ||
| # Install the latest release of NGINX Plus and/or NGINX Plus modules (written and maintained by F5) | ||
| && nginxPackages=" \ | ||
| nginx-plus=${NGINX_VERSION}-${NGINX_PKG_RELEASE} \ | ||
| nginx-plus-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_PKG_RELEASE} \ | ||
| nginx-plus-module-xslt=${NGINX_VERSION}-${NGINX_PKG_RELEASE} \ | ||
| " \ | ||
| && echo "Acquire::https::pkgs.nginx.com::Verify-Peer \"true\";" > /etc/apt/apt.conf.d/90nginx \ | ||
| && echo "Acquire::https::pkgs.nginx.com::Verify-Host \"true\";" >> /etc/apt/apt.conf.d/90nginx \ | ||
| && echo "Acquire::https::pkgs.nginx.com::SslCert \"/etc/ssl/nginx/nginx-repo.crt\";" >> /etc/apt/apt.conf.d/90nginx \ | ||
| && echo "Acquire::https::pkgs.nginx.com::SslKey \"/etc/ssl/nginx/nginx-repo.key\";" >> /etc/apt/apt.conf.d/90nginx \ | ||
| && echo "deb [signed-by=$NGINX_GPGKEY_PATH] https://pkgs.nginx.com/plus/debian `lsb_release -cs` nginx-plus\n" > /etc/apt/sources.list.d/nginx-plus.list \ | ||
| && mkdir -p /etc/ssl/nginx \ | ||
| && cat nginx-repo.crt > /etc/ssl/nginx/nginx-repo.crt \ | ||
| && cat nginx-repo.key > /etc/ssl/nginx/nginx-repo.key \ | ||
| && apt-get update \ | ||
| && apt-get install --no-install-recommends --no-install-suggests -y $nginxPackages curl gettext-base \ | ||
| && apt-get remove --purge -y lsb-release \ | ||
| && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx-plus.list \ | ||
| && rm -rf /etc/apt/apt.conf.d/90nginx /etc/ssl/nginx \ | ||
| # Forward request logs to Docker log collector | ||
| && ln -sf /dev/stdout /var/log/nginx/access.log \ | ||
| && ln -sf /dev/stderr /var/log/nginx/error.log | ||
|
|
||
| EXPOSE 80 | ||
|
|
||
| STOPSIGNAL SIGTERM | ||
|
|
||
| CMD ["nginx", "-g", "daemon off;"] | ||
|
|
||
| # NGINX Docker image setup complete, everything below is specific for | ||
| # the S3 Gateway use case. | ||
|
|
||
| # Copy files from the OSS NGINX Docker container such that the container | ||
| # startup is the same. | ||
| COPY plus/etc/nginx /etc/nginx | ||
| COPY common/etc /etc | ||
| COPY common/docker-entrypoint.d/00-check-for-required-env.sh /docker-entrypoint.d/00-check-for-required-env.sh | ||
| COPY common/docker-entrypoint.sh /docker-entrypoint.sh | ||
| COPY common/docker-entrypoint.d /docker-entrypoint.d/ | ||
| COPY plus/docker-entrypoint.d /docker-entrypoint.d/ | ||
|
|
||
| RUN set -x \ | ||
| && mkdir -p /var/cache/nginx/s3_proxy \ | ||
| && chown nginx:nginx /var/cache/nginx/s3_proxy \ | ||
| && chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh; | ||
|
|
||
| RUN set -eux \ | ||
| export DEBIAN_FRONTEND=noninteractive; \ | ||
| mkdir -p /var/cache/nginx/s3_proxy; \ | ||
| chown nginx:nginx /var/cache/nginx/s3_proxy; \ | ||
| chmod -R +x /docker-entrypoint.d/* | ||
| ENTRYPOINT ["/docker-entrypoint.sh"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,63 +1,46 @@ | ||
| FROM nginx:1.27.0@sha256:67682bda769fae1ccf5183192b8daf37b64cae99c6c3302650f6f8bf5f0f95df | ||
|
|
||
| # NJS env vars | ||
| ENV NJS_VERSION 0.8.4 | ||
| ENV NJS_RELEASE 2~bookworm | ||
| ENV NJS_VERSION=0.8.4 | ||
| ENV NJS_RELEASE=2~bookworm | ||
|
|
||
| # Proxy cache env vars | ||
| ENV PROXY_CACHE_MAX_SIZE "10g" | ||
| ENV PROXY_CACHE_INACTIVE "60m" | ||
| ENV PROXY_CACHE_SLICE_SIZE "1m" | ||
| ENV PROXY_CACHE_VALID_OK "1h" | ||
| ENV PROXY_CACHE_VALID_NOTFOUND "1m" | ||
| ENV PROXY_CACHE_VALID_FORBIDDEN "30s" | ||
| ENV PROXY_CACHE_MAX_SIZE=10g | ||
| ENV PROXY_CACHE_INACTIVE=60m | ||
| ENV PROXY_CACHE_SLICE_SIZE=1m | ||
| ENV PROXY_CACHE_VALID_OK=1h | ||
| ENV PROXY_CACHE_VALID_NOTFOUND=1m | ||
| ENV PROXY_CACHE_VALID_FORBIDDEN=30s | ||
|
|
||
| # CORS env vars | ||
| ENV CORS_ENABLED 0 | ||
| ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS "" | ||
| ENV CORS_ENABLED=0 | ||
| ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS="" | ||
|
|
||
| # S3 proxy env vars | ||
| ENV DIRECTORY_LISTING_PATH_PREFIX "" | ||
| ENV STRIP_LEADING_DIRECTORY_PATH "" | ||
| ENV PREFIX_LEADING_DIRECTORY_PATH "" | ||
|
|
||
| # We modify the nginx base image by: | ||
| # 1. Explicitly install the version of njs coded in the environment variable above. | ||
| # 2. Adding configuration files needed for proxying private S3 buckets | ||
| # 3. Adding a directory for proxied objects to be stored | ||
| ENV DIRECTORY_LISTING_PATH_PREFIX="" | ||
| ENV STRIP_LEADING_DIRECTORY_PATH="" | ||
| ENV PREFIX_LEADING_DIRECTORY_PATH="" | ||
|
|
||
| # We modify the NGINX base image by: | ||
| # 1. Explicitly installing the version of njs coded in the environment variable above. | ||
| # 2. Adding configuration files needed for proxying private S3 buckets. | ||
| # 3. Adding a directory for proxied objects to be stored. | ||
| # 4. Replacing the entrypoint script with a modified version that explicitly sets resolvers. | ||
|
|
||
| RUN set -x \ | ||
| && apt-get update \ | ||
| && apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \ | ||
| && \ | ||
| NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \ | ||
| NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \ | ||
| export GNUPGHOME="$(mktemp -d)"; \ | ||
| found=''; \ | ||
| for server in \ | ||
| hkp://keyserver.ubuntu.com:80 \ | ||
| pgp.mit.edu \ | ||
| ; do \ | ||
| echo "Fetching GPG key $NGINX_GPGKEY from $server"; \ | ||
| gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \ | ||
| done; \ | ||
| test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \ | ||
| gpg1 --export "$NGINX_GPGKEY" > "$NGINX_GPGKEY_PATH" ; \ | ||
| rm -rf "$GNUPGHOME"; \ | ||
| apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/*; \ | ||
| echo "deb [signed-by=/etc/apt/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian/ $(echo $PKG_RELEASE | cut -f2 -d~) nginx" >> /etc/apt/sources.list.d/nginx.list; \ | ||
| && echo "deb [signed-by=/etc/apt/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian/ $(echo $PKG_RELEASE | cut -f2 -d~) nginx" >> /etc/apt/sources.list.d/nginx.list; \ | ||
| apt-get update \ | ||
| && apt-get install --no-install-recommends --no-install-suggests -y \ | ||
| libedit2 \ | ||
| nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_RELEASE} \ | ||
| && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list | ||
|
|
||
| COPY common/etc /etc | ||
| COPY oss/etc /etc | ||
| COPY common/etc /etc | ||
| COPY common/docker-entrypoint.sh /docker-entrypoint.sh | ||
| COPY common/docker-entrypoint.d /docker-entrypoint.d/ | ||
|
|
||
| RUN mkdir -p /var/cache/nginx/s3_proxy \ | ||
| RUN set -x \ | ||
| && mkdir -p /var/cache/nginx/s3_proxy \ | ||
| && chown nginx:nginx /var/cache/nginx/s3_proxy \ | ||
| && chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh; |
Oops, something went wrong.