This page is used to test the proper operation of the HTTP server after it has been + installed. If you can read this page, it means that the + web server installed at this site is working + properly.
+diff --git a/Dockerfile b/Dockerfile index c322df9..20be8eb 100644 --- a/Dockerfile +++ b/Dockerfile @@ -43,7 +43,7 @@ ADD ./files/etc/ /etc/ ADD ./files/root/ /root/ ADD ./files/sbin/ /sbin/ -RUN bash /root/bin/placeholder-ssl.sh \ +RUN bash /root/bin/dummycert.sh \ && bash /etc/cron.daily/geoip2-update \ && mkdir -p /app-start/etc \ && mv /etc/nginx /app-start/etc/nginx \ diff --git a/files/etc/nginx/cdn-example.conf b/files/etc/nginx/cdn-example.conf deleted file mode 100644 index 26de029..0000000 --- a/files/etc/nginx/cdn-example.conf +++ /dev/null 
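Review bot: Running `dummycert.sh` from a `RUN` step writes the generated private key into an image layer, so every container built from this image ships the same key and anyone who can pull the image can extract it; because the script (added later in this diff) only generates when `dummycert.pem` is absent, nothing mints a fresh one at container start. That is tolerable for a localhost placeholder, but the Dockerfile gives no hint of it, and the subsequent `mv /etc/nginx /app-start/etc/nginx` means the key also travels into whatever `/app-start` is synced to at runtime. Consider moving the call into `my_init` so each container generates its own throwaway key, or at least annotate the line: `# dummycert.sh: self-signed localhost placeholder baked into the image — mount a real cert over /etc/nginx/ssl in production`. The `RUN` chain continues past the hunk.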
@@ -1,64 +0,0 @@ -# this is example how to you can setup like a cdn -proxy_cache_path /tmp/nginx/cache levels=1:2 keys_zone=cdn_diskcached:10m max_size=5g inactive=45m; - -server { - listen 80; - listen [::]:80 ipv6only=on; - - listen 443 ssl; - listen [::]:443 ipv6only=on ssl; - - ssl_stapling on; - ssl_stapling_verify on; - - ssl_certificate /etc/nginx/ssl/placeholder-fullchain.crt; - ssl_certificate_key /etc/nginx/ssl/placeholder-privkey.key; - - resolver 8.8.8.8 8.8.4.4; - proxy_redirect off; - proxy_set_header X-Real-IP $realip_remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - proxy_connect_timeout 30s; - proxy_send_timeout 30s; - proxy_read_timeout 30s; - proxy_temp_path /var/cache/nginx/temp; - - # prevent client headers from going to origin - proxy_pass_request_headers off; - - proxy_ignore_headers Vary Expires Set-Cookie Cache-Control; - proxy_pass_header P3P; - proxy_cache_min_uses 2; - proxy_cache cdn_diskcached; - proxy_ssl_server_name on; - proxy_intercept_errors on; - - location / { - expires 12h; - - # ProxySettings - - set $backend your.origin.com; - - proxy_set_header Host $backend; - proxy_hide_header access-control-allow-origin; - add_header Access-Control-Allow-Origin "*"; - add_header X-Cache $upstream_cache_status; - - proxy_set_header X-Forwarded-For $realip_remote_addr; - - include /etc/nginx/sites-enabled/proxy-hide-headers.common; - - proxy_pass http://$backend$request_uri; - proxy_pass_header P3P; - proxy_cache_min_uses 2; - proxy_cache_valid 200 12h; - proxy_cache_valid 403 404 500 501 502 503 5s; - - proxy_cache_key acme.mycachedefault$uri$is_args$args; - # END ProxySettings - } -} - - diff --git a/files/etc/nginx/include/.gitkeep b/files/etc/nginx/include/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/files/etc/nginx/include/resolvers.conf b/files/etc/nginx/include/resolvers.conf new file mode 100644 index 0000000..036540d --- /dev/null +++ b/files/etc/nginx/include/resolvers.conf 
@@ -0,0 +1,2 @@ +# default resolver +resolver 8.8.8.8 8.8.4.4 ipv6=off; \ No newline at end of file diff --git a/files/etc/nginx/include/ssl-ciphers.conf b/files/etc/nginx/include/ssl-ciphers.conf new file mode 100644 index 0000000..f2495ec --- /dev/null +++ b/files/etc/nginx/include/ssl-ciphers.conf @@ -0,0 +1,7 @@ +ssl_session_timeout 5m; +ssl_session_cache shared:SSL:50m; +ssl_prefer_server_ciphers off; + +# intermediate configuration. tweak to your needs. +ssl_protocols TLSv1.2 TLSv1.3; +ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'; diff --git a/files/etc/nginx/mime.types b/files/etc/nginx/mime.types new file mode 100644 index 0000000..7c7cdef --- /dev/null +++ b/files/etc/nginx/mime.types 
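Review bot: The cipher list in `ssl-ciphers.conf` ends with four `DHE-RSA-*` suites, but no `ssl_dhparam` is set anywhere in this diff, and nginx does not negotiate DHE suites unless DH parameters are configured, so those entries are dead weight unless a dhparam file is provided outside the diff. Either add `ssl_dhparam /etc/nginx/ssl/dhparam.pem;` (2048-bit or larger) or drop the `DHE-RSA-*` entries so the list reflects what is actually offered. The "intermediate configuration" profile this appears to be derived from also sets `ssl_session_tickets off;` alongside `ssl_session_cache`, because nginx's ticket key is generated at start and never rotated otherwise, which extends the forward-secrecy exposure to the process lifetime; consider adding that line. Since the file is only pulled in via a per-server `include`, servers that do not include it fall back to nginx defaults.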
@@ -0,0 +1,96 @@ +types { + text/html html htm shtml; + text/css css; + text/xml xml; + image/gif gif; + image/jpeg jpeg jpg; + application/javascript js; + application/atom+xml atom; + application/rss+xml rss; + + text/mathml mml; + text/plain txt; + text/vnd.sun.j2me.app-descriptor jad; + text/vnd.wap.wml wml; + text/x-component htc; + + image/png png; + image/svg+xml svg svgz; + image/tiff tif tiff; + image/vnd.wap.wbmp wbmp; + image/webp webp; + image/x-icon ico; + image/x-jng jng; + image/x-ms-bmp bmp; + + font/woff woff; + font/woff2 woff2; + + application/java-archive jar war ear; + application/json json; + application/mac-binhex40 hqx; + application/msword doc; + application/pdf pdf; + application/postscript ps eps ai; + application/rtf rtf; + application/vnd.apple.mpegurl m3u8; + application/vnd.google-earth.kml+xml kml; + application/vnd.google-earth.kmz kmz; + application/vnd.ms-excel xls; + application/vnd.ms-fontobject eot; + application/vnd.ms-powerpoint ppt; + application/vnd.oasis.opendocument.graphics odg; + application/vnd.oasis.opendocument.presentation odp; + application/vnd.oasis.opendocument.spreadsheet ods; + application/vnd.oasis.opendocument.text odt; + application/vnd.openxmlformats-officedocument.presentationml.presentation + pptx; + application/vnd.openxmlformats-officedocument.spreadsheetml.sheet + xlsx; + application/vnd.openxmlformats-officedocument.wordprocessingml.document + docx; + application/vnd.wap.wmlc wmlc; + application/x-7z-compressed 7z; + application/x-cocoa cco; + application/x-java-archive-diff jardiff; + application/x-java-jnlp-file jnlp; + application/x-makeself run; + application/x-perl pl pm; + application/x-pilot prc pdb; + application/x-rar-compressed rar; + application/x-redhat-package-manager rpm; + application/x-sea sea; + application/x-shockwave-flash swf; + application/x-stuffit sit; + application/x-tcl tcl tk; + application/x-x509-ca-cert der pem crt; + application/x-xpinstall xpi; + application/xhtml+xml 
xhtml; + application/xspf+xml xspf; + application/zip zip; + + application/octet-stream bin exe dll; + application/octet-stream deb; + application/octet-stream dmg; + application/octet-stream iso img; + application/octet-stream msi msp msm; + + audio/midi mid midi kar; + audio/mpeg mp3; + audio/ogg ogg; + audio/x-m4a m4a; + audio/x-realaudio ra; + + video/3gpp 3gpp 3gp; + video/mp2t ts; + video/mp4 mp4; + video/mpeg mpeg mpg; + video/quicktime mov; + video/webm webm; + video/x-flv flv; + video/x-m4v m4v; + video/x-mng mng; + video/x-ms-asf asx asf; + video/x-ms-wmv wmv; + video/x-msvideo avi; +} diff --git a/files/etc/nginx/nginx.new b/files/etc/nginx/nginx.new index 28f89e4..e5eea18 100644 --- a/files/etc/nginx/nginx.new +++ b/files/etc/nginx/nginx.new 
@@ -8,85 +8,62 @@ pid /var/run/nginx.pid; # Worker config events { - worker_connections 8192; - use epoll; - multi_accept on; + worker_connections 8192; + use epoll; + multi_accept on; } +# Includes files with directives to load dynamic modules. +include /etc/nginx/modules/*.conf; http { - # Main settings - sendfile on; - tcp_nopush on; - tcp_nodelay on; - client_header_timeout 1m; - client_body_timeout 1m; - client_header_buffer_size 2k; - client_body_buffer_size 256k; - client_max_body_size 256m; - large_client_header_buffers 4 8k; - send_timeout 30; - keepalive_timeout 60 60; - reset_timedout_connection on; - server_tokens off; - server_name_in_redirect off; - server_names_hash_max_size 512; - server_names_hash_bucket_size 512; - - # Log format - log_format main '$time_iso8601 $remote_addr - $realip_remote_addr - $remote_user - $server_name ' - '$host "$request" $status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for" "upstream - $upstream_addr"'; - - access_log /var/log/nginx/access.log main; - - # Mime settings - include /etc/nginx/mime.types; - default_type application/octet-stream; - - # Compression settings - aggressively cache text file types - gzip on; - gzip_comp_level 9; - gzip_min_length 512; - gzip_buffers 8 64k; - gzip_types text/plain text/css text/javascript text/js text/xml application/json application/javascript application/x-javascript application/xml application/xml+rss application/x-font-ttf image/svg+xml font/opentype; - gzip_proxied any; - gzip_disable "MSIE [1-6]\."; - - - # SSL PCI Compliance - ssl_session_cache shared:SSL:10m; - ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; - ssl_prefer_server_ciphers on; - ssl_ciphers 
"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"; - - - # Error pages - error_page 403 /error/403.html; - error_page 404 /error/404.html; - error_page 502 503 504 /error/50x.html; - - - # Cache bypass - map $http_cookie $no_cache { - default 0; - ~SESS 1; - ~wordpress_logged_in 1; + include /etc/nginx/mime.types; + default_type application/octet-stream; + sendfile on; + server_tokens off; + tcp_nopush on; + tcp_nodelay on; + client_body_temp_path /tmp/nginx/body 1 2; + keepalive_timeout 90s; + proxy_connect_timeout 90s; + proxy_send_timeout 90s; + proxy_read_timeout 90s; + proxy_ignore_client_abort off; + gzip on; + client_max_body_size 2000m; + server_names_hash_bucket_size 1024; + proxy_http_version 1.1; + proxy_set_header X-Forwarded-Scheme $scheme; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Accept-Encoding ""; + proxy_cache off; + proxy_cache_path /var/cache/nginx/public levels=1:2 keys_zone=public-cache:30m max_size=192m; + proxy_cache_path /var/cache/nginx/private levels=1:2 keys_zone=private-cache:5m max_size=1024m; + + # Log formats + # + # # predefined combined format as example + # log_format combined '$remote_addr - $remote_user [$time_local] ' + # '"$request" $status $body_bytes_sent ' + # '"$http_referer" "$http_user_agent"'; + + log_format main '[$time_iso8601] $remote_addr - $realip_remote_addr - $remote_user - $server_name ' + '$host "$request" $status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" 
"$http_x_forwarded_for" "upstream - $upstream_addr"'; + + + access_log /var/log/nginx/access.log main; + + # Dynamically generated resolvers file + include /etc/nginx/conf.d/include/resolvers.conf; + + # Default upstream scheme + map $host $forward_scheme { + default http; } - # File cache settings - open_file_cache max=20000 inactive=20s; - open_file_cache_valid 60s; - open_file_cache_min_uses 2; - open_file_cache_errors off; - - # Other settings - log_subrequest on; - rewrite_log on; - - include /etc/nginx/cdn-ips.conf; + include /etc/nginx/cdn-ips.conf; # Wildcard include - include /etc/nginx/conf.d/*.conf; - include /etc/nginx/sites-enabled/*.conf; + include /etc/nginx/sites-enabled/*.conf; } diff --git a/files/etc/nginx/sites-enabled/1-geoip.conf b/files/etc/nginx/sites-enabled/1-geoip.conf index 45aa993..8db69fb 100644 --- a/files/etc/nginx/sites-enabled/1-geoip.conf +++ b/files/etc/nginx/sites-enabled/1-geoip.conf @@ -1,6 +1,5 @@ server { listen 127.0.0.1:9081; - resolver 8.8.8.8 8.8.4.4; location / { charset utf-8; diff --git a/files/etc/nginx/sites-enabled/server.conf b/files/etc/nginx/sites-enabled/server.conf index d84c797..ffa43f9 100644 --- a/files/etc/nginx/sites-enabled/server.conf +++ b/files/etc/nginx/sites-enabled/server.conf 
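Review bot: The new `include /etc/nginx/conf.d/include/resolvers.conf;` names a path that nothing in this diff creates — the file is added as `files/etc/nginx/include/resolvers.conf` and `my_init` regenerates `/etc/nginx/include/resolvers.conf` — and a non-wildcard `include` of a missing file is a fatal error at config load, so nginx will refuse to start unless something outside the diff copies it into `conf.d/include`. Change it to `include /etc/nginx/include/resolvers.conf;` to match the other two sites. Separately, `client_max_body_size 2000m` is now the http-level default for every server, including the image proxy that only forwards `GET`; if the 2 GB limit is needed by one site, set it in that server or location and keep a smaller global default. The comment above the include should also say who writes the file: `# Regenerated by /sbin/my_init from /etc/resolv.conf at start; the shipped file is only a fallback`.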
@@ -1,51 +1,44 @@ -proxy_cache_path /tmp/nginx/cache levels=1:2 keys_zone=remoteimages:10m max_size=1g inactive=45m; +proxy_cache_path /var/cache/nginx/imgproxy levels=1:2 keys_zone=imgproxy:10m max_size=1g inactive=45m; server { listen 80; listen [::]:80 ipv6only=on; - listen 443 ssl; - listen [::]:443 ipv6only=on ssl; - - ssl_certificate /etc/nginx/ssl/placeholder-fullchain.crt; - ssl_certificate_key /etc/nginx/ssl/placeholder-privkey.key; - - set $width -; - set $height -; - set $rotate 0; - set $quality 96; # default to best quality in case image previously optimized - set $sharpen 0; - set $debugkey "empty"; - set $myhost ""; - set $ofmt ""; + listen 443 ssl http2; + listen [::]:443 ipv6only=on ssl http2; + + include include/ssl-ciphers.conf; + ssl_certificate ssl/dummycert.crt; + ssl_certificate_key ssl/dummykey.key; + + set $width -; + set $height -; + set $rotate 0; + set $quality 96; # default to best quality in case image previously optimized + set $sharpen 0; + set $debugkey "empty"; + set $myhost ""; + set $ofmt ""; set $debugcode ""; -# image_filter_crop_offset {left,center,right} {top,center,bottom}; + # image_filter_crop_offset {left,center,right} {top,center,bottom}; set $crop_offx left; set $crop_offy top; server_name _; root /usr/share/nginx/html; index index.html index.htm; - -# error should simply return as error so user can use image onerror handler -# error_page 403 = @403; -# error_page 404 = @404; -# error_page 415 = @415; -# error_page 500 = @500; -# error_page 502 503 504 = @empty; error_page 301 302 307 = @handle_redirect; -# begin image_filter stuff - resolver 8.8.8.8 8.8.4.4; + # begin image_filter stuff image_filter_buffer 20M; image_filter_interlace on; -# needed to allow uri protocol slashes from being merged + # needed to allow uri protocol slashes from being merged merge_slashes off; -# proxy_redirect off; + # proxy_redirect off; proxy_set_header X-Real-IP $realip_remote_addr; proxy_set_header X-Forwarded-For 
$proxy_add_x_forwarded_for; proxy_set_header User-Agent "$http_user_agent"; @@ -56,24 +49,24 @@ server { proxy_temp_path /var/cache/nginx/temp; -# prevent client headers from going to origin + # prevent client headers from going to origin proxy_pass_request_headers off; proxy_ignore_headers Vary Expires Set-Cookie Cache-Control; proxy_pass_header P3P; proxy_cache_min_uses 2; - proxy_cache remoteimages; + proxy_cache imgproxy; proxy_ssl_server_name on; proxy_intercept_errors on; proxy_cache_use_stale updating error timeout http_500 http_502 http_503 http_504; proxy_cache_background_update on; -# valid for "any" http status within 10 minutes + # valid for "any" http status within 10 minutes proxy_cache_valid any 10m; proxy_cache_valid 301 302 307 0s; proxy_cache_key $request_uri; -# only allow GET method + # only allow GET method proxy_method GET; location /healthcheck { @@ -89,13 +82,12 @@ server { set $image_path ""; set $clean_uri ""; - -# if no protocol in URL, add them + # if no protocol in URL, add them if ($image_uri !~ "(http:|https:)") { set $image_uri "http://$image_uri"; } -# now process the real image url + # now process the real image url if ($image_uri ~ "^(http|https)+([:\/]+)([^/]*)(.*)") { set $protocol $1; set $myhost $3; @@ -103,18 +95,13 @@ server { set $image_uri "$protocol://$myhost$image_path"; } - - -# change this to whitelist your host -# if ($myhost !~ ".*(host1.com|host2.org|host3.edu|host4.net|host5.info)$") { -# set $image_uri ""; -# set $debugkey "$myhost=denied"; -# return 403; -# break; -# } - - - + # change this to whitelist your host + # if ($myhost !~ ".*(host1.com|host2.org|host3.edu|host4.net|host5.info)$") { + # set $image_uri ""; + # set $debugkey "$myhost=denied"; + # return 403; + # break; + # } # width if ($myargs ~ "^(\d+)\D*") { 
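Review bot: `ssl_certificate ssl/dummycert.crt;` and `ssl_certificate_key ssl/dummykey.key;` reference files that the new `dummycert.sh` does not produce — it writes `dummycert.pem` and `dummykey.pem` — and the old `placeholder-*.crt/.key` pair is no longer generated either, so the `listen 443 ssl http2` server cannot load a certificate unless something outside this diff renames them. Point nginx at the generated names, `ssl_certificate ssl/dummycert.pem;` and `ssl_certificate_key ssl/dummykey.pem;`; an `nginx -t` during the image build would catch this class of mismatch. It is also worth a comment next to those two lines that this is a `CN=localhost` self-signed placeholder, e.g. `# self-signed placeholder from /root/bin/dummycert.sh — every TLS client will see an untrusted cert until /etc/nginx/ssl is replaced`. The `server` block continues past the hunk.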
@@ -239,8 +226,8 @@ server { expires 24h; add_header Cache-Control "public"; - #image_filter_water_image /app/logo.png; - #image_filter_water_pos center; + # image_filter_water_image /app/logo.png; + # image_filter_water_pos center; image_filter_scale_max 3; image_filter_sharpen $sharpen; @@ -249,7 +236,6 @@ server { image_filter_output $ofmt; image_filter rotate $rotate; - # image_filter resize $width $height; image_filter resize $width $height; } @@ -264,8 +250,8 @@ server { expires 24h; add_header Cache-Control "public"; - #image_filter_water_image /app/logo.png; - #image_filter_water_pos center; + # image_filter_water_image /app/logo.png; + # image_filter_water_pos center; image_filter_scale_max 3; image_filter_sharpen $sharpen; @@ -281,7 +267,7 @@ server { location @handle_redirect { set $image_uri "$upstream_http_location"; -# if relative url, append base path + # if relative url, append base path if ($image_uri !~ "(http:|https:)") { set $image_uri "$protocol://$myhost$image_uri"; } @@ -290,33 +276,4 @@ server { proxy_cache_bypass 1; proxy_pass $clean_uri; } - - location @403 { - add_header X-ImageProxy-Code 403 always; - add_header X-ImageProxy-Debug $debugkey always; - empty_gif; - } - - location @404 { - add_header X-ImageProxy-Code 404 always; - add_header X-ImageProxy-Debug $debugkey always; - empty_gif; - } - - location @415 { - add_header X-ImageProxy-Code 415 always; - add_header X-ImageProxy-Debug $debugkey always; - empty_gif; - } - - location @500 { - add_header X-ImageProxy-Code 500 always; - add_header X-ImageProxy-Debug $debugkey always; - empty_gif; - } - - location @empty { - add_header X-ImageProxy-Debug $debugkey always; - empty_gif; - } } diff --git a/files/root/bin/dummycert.sh b/files/root/bin/dummycert.sh new file mode 100755 index 0000000..15698df --- /dev/null +++ b/files/root/bin/dummycert.sh 
@@ -0,0 +1,24 @@
+#!/bin/bash
+# Specify where we will install
+# the dummycert certificate
+SSL_DIR="/etc/nginx/ssl"
+
+# Create our SSL directory
+# in case it doesn't exist
+mkdir -p "$SSL_DIR"
+
+# Generate dummy self-signed certificate.
+if [ ! -f $SSL_DIR/dummycert.pem ] || [ ! -f $SSL_DIR/dummykey.pem ]
+then
+ echo "Generating dummy SSL certificate..."
+ openssl req \
+ -new \
+ -newkey rsa:2048 \
+ -days 3650 \
+ -nodes \
+ -x509 \
+ -subj '/O=localhost/OU=localhost/CN=localhost' \
+ -keyout $SSL_DIR/dummykey.pem \
+ -out $SSL_DIR/dummycert.pem
+ echo "Complete"
+fi
diff --git a/files/root/bin/placeholder-ssl.sh b/files/root/bin/placeholder-ssl.sh
deleted file mode 100755
index ae8ab2b..0000000
--- a/files/root/bin/placeholder-ssl.sh
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/bin/bash
-
-# Specify where we will install
-# the placeholder.local certificate
-SSL_DIR="/etc/nginx/ssl"
-
-# Set the domain
-# we want to use
-DOMAIN="placeholder.local"
-
-# A blank passphrase
-PASSPHRASE=""
-
-# Set our CSR variables
-SUBJ="
-C=US
-ST=MINNESOTA
-L=MINNEAPOLIS
-O=NIIKNOW
-EMAIL=somebody@somewhere.com
-CN=$DOMAIN
-"
-
-# Create our SSL directory
-# in case it doesn't exist
-mkdir -p "$SSL_DIR"
-
-# Generate our Private Key, CSR and Certificate
-openssl genrsa -out "$SSL_DIR/placeholder-privkey.key" 2048
-openssl req -new -subj "$(echo -n "$SUBJ" | tr "\n" "/")" -key "$SSL_DIR/placeholder-privkey.key" -out "$SSL_DIR/placeholder.csr" -passin pass:$PASSPHRASE
-openssl x509 -req -days 3650 -in "$SSL_DIR/placeholder.csr" -signkey "$SSL_DIR/placeholder-privkey.key" -out "$SSL_DIR/placeholder-fullchain.crt"
diff --git a/files/sbin/my_init b/files/sbin/my_init
index a1f242a..ea7bd5a 100755
--- a/files/sbin/my_init
+++ b/files/sbin/my_init
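Review bot: `dummycert.sh` has no `set -e`, and because the last statement of the `if` body is `echo "Complete"`, the script exits 0 even when `openssl req` fails (missing binary, unwritable `$SSL_DIR`), so the Dockerfile's `RUN bash /root/bin/dummycert.sh && ...` chain carries on and the image is built with no key at all. `$SSL_DIR` is also unquoted in the `-f` tests and in `-keyout`/`-out`, which is harmless for the hard-coded value but inconsistent with the quoted `mkdir -p "$SSL_DIR"` and will trip ShellCheck. Add `set -euo pipefail` after the shebang and quote the expansions; if the openssl build in the base image does not already create the key file 0600, run the call under `umask 077` as well (nginx's master normally opens the files as root, so a restrictive mode is safe).

```shell
#!/bin/bash
set -euo pipefail
# … unchanged: SSL_DIR, mkdir -p "$SSL_DIR" …
if [ ! -f "$SSL_DIR/dummycert.pem" ] || [ ! -f "$SSL_DIR/dummykey.pem" ]
then
  # … unchanged: progress echo …
  openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
    -subj '/O=localhost/OU=localhost/CN=localhost' \
    -keyout "$SSL_DIR/dummykey.pem" \
    -out "$SSL_DIR/dummycert.pem"
  echo "Complete"
fi
```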
@@ -5,18 +5,27 @@ export TERM=xterm # save environment variables for use later in cron, if required env > /root/env.txt -if [ ! -f /etc/nginx/cdn.conf ]; then +# no conf, so copy content +if [ ! -f /etc/nginx/nginx.conf ]; then echo "[i] running for the 1st time" rsync --update -raz /app-start/* /app fi -mkdir -p /tmp/nginx/cache +mkdir -p /tmp/nginx/cache \ + /tmp/nginx/body chown -R www-data:nginx /tmp/nginx +# if there is nginx.new, then make it current and backup existing if [ -f /etc/nginx/nginx.new ]; then - mv /etc/nginx/nginx.conf /etc/nginx/nginx.old - mv /etc/nginx/nginx.new /etc/nginx/nginx.conf + # backup old conf if exists + if [ -f /etc/nginx/nginx.conf ]; then + mv /etc/nginx/nginx.conf /etc/nginx/nginx.old + fi + mv /etc/nginx/nginx.new /etc/nginx/nginx.conf fi +# Dynamically generate resolvers file, if resolver is IPv6, enclose in `[]` +echo resolver "$(awk 'BEGIN{ORS=" "} $1=="nameserver" { sub(/%.*$/,"",$2); print ($2 ~ ":")? "["$2"]": $2}' /etc/resolv.conf) valid=10s;" > /etc/nginx/include/resolvers.conf + echo "*** Running /root/bin/my-startup.sh..." bash /root/bin/my-startup.sh diff --git a/files/usr/share/nginx/html/index.html b/files/usr/share/nginx/html/index.html new file mode 100644 index 0000000..ca6ae42 --- /dev/null +++ b/files/usr/share/nginx/html/index.html @@ -0,0 +1,48 @@ + + +
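Review bot: The new resolver line writes `resolver  valid=10s;` with no addresses when `/etc/resolv.conf` has no `nameserver` entries (or is absent, in which case awk also errors and the output is still empty), and as far as I can tell nginx rejects a `resolver` directive without an address at config load, so a container with an unusual DNS setup fails to boot instead of keeping the shipped fallback file. Capture the awk output first and only overwrite the file when it is non-empty, as below. The pre-existing `env > /root/env.txt` a few lines up also persists every environment variable — including any secrets handed to the container — to disk in plaintext; that predates this change but deserves a follow-up (filter the variables cron actually needs, or at least `umask 077` the file). This hunk is the middle of the init script; its start and the `my-startup.sh` hand-off continue outside it.

```shell
# Dynamically generate resolvers file, if resolver is IPv6, enclose in `[]`
ns=$(awk 'BEGIN{ORS=" "} $1=="nameserver" { sub(/%.*$/,"",$2); print ($2 ~ ":")? "["$2"]": $2}' /etc/resolv.conf 2>/dev/null)
if [ -n "$ns" ]; then
  printf 'resolver %s valid=10s;\n' "$ns" > /etc/nginx/include/resolvers.conf
fi
# … unchanged: my-startup.sh hand-off …
```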
+ + + +This page is used to test the proper operation of the HTTP server after it has been + installed. If you can read this page, it means that the + web server installed at this site is working + properly.
+