arno/nginx
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

use the newest sw

Browse Source
This commit is contained in:
Andy 2016-07-16 00:01:43 +02:00
parent b4fb76581d
commit b3c35281fc
Signed by: arno
GPG Key ID: 368DDA2E9A471EAC
3 changed files with 134 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

124
Dockerfile
View File

@ -1,12 +1,124 @@
FROM nginx FROM centos:7
MAINTAINER Andrey Arapov <andrey.arapov@nixaid.com> MAINTAINER Andrey Arapov <andrey.arapov@nixaid.com>
ENV DEBIAN_FRONTEND noninteractive WORKDIR /root
RUN yum -y install epel-release && \
yum -y update && \
yum -y install make gcc pcre-devel zlib-devel \
inotify-tools \
glibc-static perl
# Compile runit and socklog
# Deps: glibc-static
ENV RUNIT_NAME "runit-2.1.2"
ENV RUNIT_HASH "6fd0160cb0cf1207de4e66754b6d39750cff14bb0aa66ab49490992c0c47ba18"
ENV SOCKLOG_NAME "socklog-2.1.0"
ENV SOCKLOG_HASH "aa869a787ee004da4e5509b5a0031bcc17a4ab4ac650c2ce8d4e488123acb455"
RUN pushd /opt && \
curl -#L -o $RUNIT_NAME.tar.gz http://smarden.org/runit/$RUNIT_NAME.tar.gz && \
sha256sum $RUNIT_NAME.tar.gz |grep -qw $RUNIT_HASH && \
tar xf $RUNIT_NAME.tar.gz && \
rm -f $RUNIT_NAME.tar.gz && \
pushd admin/$RUNIT_NAME && \
package/install && \
package/install-man && \
popd && \
curl -#L -o $SOCKLOG_NAME.tar.gz http://smarden.org/socklog/$SOCKLOG_NAME.tar.gz && \
sha256sum $SOCKLOG_NAME.tar.gz |grep -qw $SOCKLOG_HASH && \
tar xf $SOCKLOG_NAME.tar.gz && \
rm -f $SOCKLOG_NAME.tar.gz && \
pushd admin/$SOCKLOG_NAME && \
package/install && \
package/install-man && \
popd && \
popd
# runit-docker - painlessly use Runit in Docker containers
RUN curl -#L -o runit-docker.tar.gz https://github.com/pixers/runit-docker/archive/master.tar.gz && \
tar xf runit-docker.tar.gz && \
cd runit-docker-master/ && \
make && \
make install && \
sed -i 's;runsvdir;runsvdir -P;g' /sbin/runit-docker
# Global variables
ENV GPG_KEY_SERVER "pgp.mit.edu"
# Obtain the OpenSSL
# Deps: perl
ENV OPENSSL_NAME "openssl-1.0.2h"
ENV OPENSSL_GPGKEY_FP "8657ABB260F056B1E5190839D9C4D26D0E604491"
RUN curl -#L -o $OPENSSL_NAME.tar.gz https://www.openssl.org/source/$OPENSSL_NAME.tar.gz && \
curl -#L -o $OPENSSL_NAME.tar.gz.asc https://www.openssl.org/source/$OPENSSL_NAME.tar.gz.asc && \
gpg2 --keyserver $GPG_KEY_SERVER --recv-key $OPENSSL_GPGKEY_FP && \
gpg2 -v $OPENSSL_NAME.tar.gz.asc && \
tar xf $OPENSSL_NAME.tar.gz && \
rm -f $OPENSSL_NAME.tar.gz
# Compile nginx
# Deps: make gcc openssl-devel(* custom now!) pcre-devel zlib-devel
ENV NGINX_NAME "nginx-1.10.1"
ENV NGINX_GPGKEY_FP "B0F4253373F8F6F510D42178520A9993A1C052F8"
RUN curl -#L -o $NGINX_NAME.tar.gz https://nginx.org/download/$NGINX_NAME.tar.gz && \
curl -#L -o $NGINX_NAME.tar.gz.asc https://nginx.org/download/$NGINX_NAME.tar.gz.asc && \
gpg2 --keyserver $GPG_KEY_SERVER --recv-keys $NGINX_GPGKEY_FP && \
gpg2 -v $NGINX_NAME.tar.gz.asc && \
tar xf $NGINX_NAME.tar.gz && \
rm -f $NGINX_NAME.tar.gz && \
pushd $NGINX_NAME && \
./configure --prefix=/usr/share/nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--http-client-body-temp-path=/var/lib/nginx/tmp/client_body \
--http-proxy-temp-path=/var/lib/nginx/tmp/proxy \
--http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi \
--http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi \
--http-scgi-temp-path=/var/lib/nginx/tmp/scgi \
--pid-path=/run/nginx.pid \
--lock-path=/run/lock/subsys/nginx \
--user=nginx \
--group=nginx \
--with-http_ssl_module \
--with-openssl=../$OPENSSL_NAME \
--with-openssl-opt="-fPIC" \
--with-http_v2_module \
--with-file-aio \
--with-ipv6 \
--with-ld-opt="-pie -Wl,-z,relro,-z,now -Wl,--as-needed" \
--with-cc-opt="-O2 \
-fPIC \
-fstack-protector-all \
--param=ssp-buffer-size=4 \
-Wformat -Werror=format-security \
-Wp,-D_FORTIFY_SOURCE=2" && \
make -j$(nproc) && \
make install && \
popd && \
rm -rf $NGINX_NAME $OPENSSL_NAME
RUN useradd -u 1000 -d /var/lib/nginx -s /sbin/nologin nginx && \
mkdir -m=0700 -p /etc/nginx/conf.d \
/var/lib/nginx/tmp/client_body \
/var/lib/nginx/tmp/fastcgi_temp \
/var/lib/nginx/tmp/proxy_temp \
/var/lib/nginx/tmp/scgi_temp \
/var/lib/nginx/tmp/uwsgi_temp && \
chown -Rh nginx:root /var/lib/nginx
RUN apt-get update && \
apt-get -y install inotify-tools
COPY nginx.conf /etc/nginx/nginx.conf COPY nginx.conf /etc/nginx/nginx.conf
COPY launch /launch COPY service /etc/service/
RUN chmod +x -- /etc/service/*/run
ENTRYPOINT /launch ENTRYPOINT ["/sbin/runit-docker"]

22
README.md
View File

@ -3,6 +3,14 @@
Simply mount your volume or a directory as `/etc/nginx/conf.d` to the container, Simply mount your volume or a directory as `/etc/nginx/conf.d` to the container,
it will automatically detect the differences in there and load-up the new configuration! it will automatically detect the differences in there and load-up the new configuration!
To build and run the image:
```
docker build --ulimit nofile=1024:1024 -t andrey01/nginx .
docker run --rm -ti --name nginx -p 80:80 -p 443:443 andrey01/nginx
```
> Smaller nofile `ulimit -n` is needed when running the grsecurity patched kernel, otherwise things may go terribly slow.
**docker-compose.yml** file example **docker-compose.yml** file example
``` ```
@ -19,8 +27,8 @@ services:
- backend - backend
- frontend - frontend
volumes: volumes:
- /home/docker/configs/letsencrypt:/etc/letsencrypt:ro - /srv/letsencrypt:/etc/letsencrypt:ro
- /home/docker/configs/nginx:/etc/nginx/conf.d:ro - /srv/nginx:/etc/nginx/conf.d:ro
ports: ports:
- 80:80 - 80:80
- 443:443 - 443:443
@ -42,8 +50,8 @@ server {
listen 443 ssl http2; listen 443 ssl http2;
server_name webmail.mydomain.com; server_name webmail.mydomain.com;
ssl on; ssl on;
ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem; ssl_certificate /etc/letsencrypt/live/webmail.mydomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/webmail.mydomain.com/privkey.pem;
# enable HSTS (HTTP Strict Transport Security) to avoid SSL stripping # enable HSTS (HTTP Strict Transport Security) to avoid SSL stripping
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains" always; add_header Strict-Transport-Security "max-age=15768000; includeSubdomains" always;
@ -53,6 +61,8 @@ server {
set $upstream_endpoint http://webmail:8080; set $upstream_endpoint http://webmail:8080;
location / { location / {
client_max_body_size 100M;
proxy_pass $upstream_endpoint; proxy_pass $upstream_endpoint;
proxy_redirect off; proxy_redirect off;
proxy_buffering off; proxy_buffering off;
@ -65,5 +75,5 @@ server {
} }
``` ```
You can have your `webmail` service running in the `backend` network, of which the nginx will take care of and pass it to the frontend. You can have your `webmail` service running in the `backend` network,
of which the nginx will take care of and pass it to the frontend.

12
launch
View File

@ -1,12 +0,0 @@
#!/bin/sh
# debug
# set -x
while true; do
inotifywait -e close_write,moved_to,create,delete /etc/nginx/conf.d
sleep 2
echo "INFO: nginx configuration change detected, attempting to load the new configuration ..."
nginx -t && nginx -s reload || echo "ERROR: nginx configuration has problems, thus cannot be reloaded."
done &
/usr/sbin/nginx