use the newest sw

Dockerfile

@@ -1,12 +1,124 @@
-FROM nginx
+FROM centos:7
 MAINTAINER Andrey Arapov <andrey.arapov@nixaid.com>
 
-ENV DEBIAN_FRONTEND noninteractive
+WORKDIR /root
+
+RUN yum -y install epel-release && \
+    yum -y update && \
+    yum -y install make gcc pcre-devel zlib-devel \
+                   inotify-tools \
+                   glibc-static perl
+
+# Compile runit and socklog
+# Deps: glibc-static
+ENV RUNIT_NAME "runit-2.1.2"
+ENV RUNIT_HASH "6fd0160cb0cf1207de4e66754b6d39750cff14bb0aa66ab49490992c0c47ba18"
+ENV SOCKLOG_NAME "socklog-2.1.0"
+ENV SOCKLOG_HASH "aa869a787ee004da4e5509b5a0031bcc17a4ab4ac650c2ce8d4e488123acb455"
+
+RUN pushd /opt && \
+    curl -#L -o $RUNIT_NAME.tar.gz http://smarden.org/runit/$RUNIT_NAME.tar.gz && \
+    sha256sum $RUNIT_NAME.tar.gz |grep -qw $RUNIT_HASH && \
+    tar xf $RUNIT_NAME.tar.gz && \
+    rm -f $RUNIT_NAME.tar.gz && \
+    pushd admin/$RUNIT_NAME && \
+    package/install && \
+    package/install-man && \
+    popd && \
+    curl -#L -o $SOCKLOG_NAME.tar.gz http://smarden.org/socklog/$SOCKLOG_NAME.tar.gz && \
+    sha256sum $SOCKLOG_NAME.tar.gz |grep -qw $SOCKLOG_HASH && \
+    tar xf $SOCKLOG_NAME.tar.gz && \
+    rm -f $SOCKLOG_NAME.tar.gz && \
+    pushd admin/$SOCKLOG_NAME && \
+    package/install && \
+    package/install-man && \
+    popd && \
+    popd
+
+
+# runit-docker - painlessly use Runit in Docker containers
+RUN curl -#L -o runit-docker.tar.gz https://github.com/pixers/runit-docker/archive/master.tar.gz && \
+    tar xf runit-docker.tar.gz && \
+    cd runit-docker-master/ && \
+    make && \
+    make install && \
+    sed -i 's;runsvdir;runsvdir -P;g' /sbin/runit-docker
+
+
+# Global variables
+ENV GPG_KEY_SERVER "pgp.mit.edu"
+
+
+# Obtain the OpenSSL
+# Deps: perl
+ENV OPENSSL_NAME "openssl-1.0.2h"
+ENV OPENSSL_GPGKEY_FP "8657ABB260F056B1E5190839D9C4D26D0E604491"
+
+RUN curl -#L -o $OPENSSL_NAME.tar.gz https://www.openssl.org/source/$OPENSSL_NAME.tar.gz && \
+    curl -#L -o $OPENSSL_NAME.tar.gz.asc https://www.openssl.org/source/$OPENSSL_NAME.tar.gz.asc && \
+    gpg2 --keyserver $GPG_KEY_SERVER --recv-key $OPENSSL_GPGKEY_FP && \
+    gpg2 -v $OPENSSL_NAME.tar.gz.asc && \
+    tar xf $OPENSSL_NAME.tar.gz && \
+    rm -f $OPENSSL_NAME.tar.gz
+
+
+# Compile nginx
+# Deps: make gcc openssl-devel(* custom now!) pcre-devel zlib-devel
+ENV NGINX_NAME "nginx-1.10.1"
+ENV NGINX_GPGKEY_FP "B0F4253373F8F6F510D42178520A9993A1C052F8"
+
+RUN curl -#L -o $NGINX_NAME.tar.gz https://nginx.org/download/$NGINX_NAME.tar.gz && \
+    curl -#L -o $NGINX_NAME.tar.gz.asc https://nginx.org/download/$NGINX_NAME.tar.gz.asc && \
+    gpg2 --keyserver $GPG_KEY_SERVER --recv-keys $NGINX_GPGKEY_FP && \
+    gpg2 -v $NGINX_NAME.tar.gz.asc && \
+    tar xf $NGINX_NAME.tar.gz && \
+    rm -f $NGINX_NAME.tar.gz && \
+    pushd $NGINX_NAME && \
+    ./configure --prefix=/usr/share/nginx \
+                --sbin-path=/usr/sbin/nginx \
+                --conf-path=/etc/nginx/nginx.conf \
+                --error-log-path=/var/log/nginx/error.log \
+                --http-log-path=/var/log/nginx/access.log \
+                --http-client-body-temp-path=/var/lib/nginx/tmp/client_body \
+                --http-proxy-temp-path=/var/lib/nginx/tmp/proxy \
+                --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi \
+                --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi \
+                --http-scgi-temp-path=/var/lib/nginx/tmp/scgi \
+                --pid-path=/run/nginx.pid \
+                --lock-path=/run/lock/subsys/nginx \
+                --user=nginx \
+                --group=nginx \
+                --with-http_ssl_module \
+                --with-openssl=../$OPENSSL_NAME \
+                --with-openssl-opt="-fPIC" \
+                --with-http_v2_module \
+                --with-file-aio \
+                --with-ipv6 \
+                --with-ld-opt="-pie -Wl,-z,relro,-z,now -Wl,--as-needed" \
+                --with-cc-opt="-O2 \
+                               -fPIC \
+                               -fstack-protector-all \
+                               --param=ssp-buffer-size=4 \
+                               -Wformat -Werror=format-security \
+                               -Wp,-D_FORTIFY_SOURCE=2" && \
+    make -j$(nproc) && \
+    make install && \
+    popd && \
+    rm -rf $NGINX_NAME $OPENSSL_NAME
+
+
+RUN useradd -u 1000 -d /var/lib/nginx -s /sbin/nologin nginx && \
+    mkdir -m=0700 -p /etc/nginx/conf.d \
+                     /var/lib/nginx/tmp/client_body \
+                     /var/lib/nginx/tmp/fastcgi_temp \
+                     /var/lib/nginx/tmp/proxy_temp \
+                     /var/lib/nginx/tmp/scgi_temp \
+                     /var/lib/nginx/tmp/uwsgi_temp && \
+    chown -Rh nginx:root /var/lib/nginx
 
-RUN apt-get update && \
-    apt-get -y install inotify-tools
 
 COPY nginx.conf /etc/nginx/nginx.conf
-COPY launch /launch
+COPY service /etc/service/
+RUN chmod +x -- /etc/service/*/run
 
-ENTRYPOINT /launch
+ENTRYPOINT ["/sbin/runit-docker"]

README.md

@@ -3,6 +3,14 @@
 Simply mount your volume or a directory as `/etc/nginx/conf.d` to the container,
 it will automatically detect the differences in there and load-up the new configuration!
 
+To build and run the image:  
+```
+docker build --ulimit nofile=1024:1024 -t andrey01/nginx .
+docker run --rm -ti --name nginx -p 80:80 -p 443:443 andrey01/nginx
+```
+
+> Smaller nofile `ulimit -n` is needed when running the grsecurity patched kernel, otherwise things may go terribly slow.
+
 
 **docker-compose.yml** file example
 ```
@@ -19,8 +27,8 @@ services:
       - backend
       - frontend
     volumes:
-      - /home/docker/configs/letsencrypt:/etc/letsencrypt:ro
-      - /home/docker/configs/nginx:/etc/nginx/conf.d:ro
+      - /srv/letsencrypt:/etc/letsencrypt:ro
+      - /srv/nginx:/etc/nginx/conf.d:ro
     ports:
       - 80:80
       - 443:443
@@ -42,8 +50,8 @@ server {
   listen 443 ssl http2;
   server_name webmail.mydomain.com;
   ssl on;
-  ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
+  ssl_certificate /etc/letsencrypt/live/webmail.mydomain.com/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/webmail.mydomain.com/privkey.pem;
 
   # enable HSTS (HTTP Strict Transport Security) to avoid SSL stripping
   add_header Strict-Transport-Security "max-age=15768000; includeSubdomains" always;
@@ -53,6 +61,8 @@ server {
   set $upstream_endpoint http://webmail:8080;
 
   location / {
+    client_max_body_size 100M;
+
     proxy_pass $upstream_endpoint;
     proxy_redirect off;
     proxy_buffering off;
@@ -65,5 +75,5 @@ server {
 }
 ```
 
-You can have your `webmail` service running in the `backend` network, of which the nginx will take care of and pass it to the frontend.
-
+You can have your `webmail` service running in the `backend` network,
+of which the nginx will take care of and pass it to the frontend.

launch

@@ -1,12 +0,0 @@
-#!/bin/sh
-# debug
-# set -x
-
-while true; do
-  inotifywait -e close_write,moved_to,create,delete /etc/nginx/conf.d
-  sleep 2
-  echo "INFO: nginx configuration change detected, attempting to load the new configuration ..."
-  nginx -t && nginx -s reload || echo "ERROR: nginx configuration has problems, thus cannot be reloaded."
-done &
-
-/usr/sbin/nginx