Standardize configs

Split apart init scripts
Include dhparams
Include ssl.conf
Include resolver.conf generation
Include worker_processes.conf generation
use nginx.conf and default site config formatted like swag (formatted similar to upstream nginx)

root/defaults/default

@@ -1,19 +1,26 @@
+## Version 2021/10/05 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/default
+
 server {
 	listen 80 default_server;
-
-	listen 443 ssl;
+    listen [::]:80 default_server;
+    listen 443 ssl http2 default_server;
+    listen [::]:443 ssl http2 default_server;
 
 	root /config/www;
 	index index.html index.htm index.php;
 
 	server_name _;
 
-	ssl_certificate /config/keys/cert.crt;
-	ssl_certificate_key /config/keys/cert.key;
+    # all ssl related config moved to ssl.conf
+    include /config/nginx/ssl.conf;
 
 	client_max_body_size 0;
 
 	location / {
+        # enable the next two lines for http auth
+        #auth_basic "Restricted";
+        #auth_basic_user_file /config/nginx/.htpasswd;
+
 		try_files $uri $uri/ /index.html /index.php?$args =404;
 	}
 
@@ -24,3 +31,6 @@ server {
 		include /etc/nginx/fastcgi_params;
 	}
 }
+
+# enable proxy cache for auth
+proxy_cache_path cache/ keys_zone=auth_cache:10m;

root/defaults/dhparams.pem

@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
+7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
+nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
+8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
+iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
+zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=
+-----END DH PARAMETERS-----

root/defaults/nginx.conf

@@ -1,80 +1,150 @@
-## Version 2021/06/15 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx.conf
+## Version 2021/10/05 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx.conf
 
 user abc;
-worker_processes 4;
-pid /run/nginx.pid;
+
+# Set number of worker processes automatically based on number of CPU cores.
+include /config/nginx/worker_processes.conf;
+
+# Enables the use of JIT for regular expressions to speed-up their processing.
+pcre_jit on;
+
+# Configures default error logger.
+error_log /config/log/nginx/error.log;
+
+# Includes files with directives to load dynamic modules.
 include /etc/nginx/modules/*.conf;
 
 events {
-	worker_connections 768;
-	# multi_accept on;
+    # The maximum number of simultaneous connections that can be opened by
+    # a worker process.
+    worker_connections 1024;
+    # multi_accept on;
 }
 
 http {
+    # Includes mapping of file name extensions to MIME types of responses
+    # and defines the default type.
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
 
-	##
-	# Basic Settings
-	##
+    # Name servers used to resolve names of upstream servers into addresses.
+    # It's also needed when using tcpsocket and udpsocket in Lua modules.
+    #resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001;
+    include /config/nginx/resolver.conf;
 
-	sendfile on;
-	tcp_nopush on;
-	tcp_nodelay on;
-	keepalive_timeout 65;
-	types_hash_max_size 2048;
-	# server_tokens off;
+    # Don't tell nginx version to the clients. Default is 'on'.
+    server_tokens off;
 
-	# server_names_hash_bucket_size 64;
-	# server_name_in_redirect off;
+    # Specifies the maximum accepted body size of a client request, as
+    # indicated by the request header Content-Length. If the stated content
+    # length is greater than this size, then the client receives the HTTP
+    # error code 413. Set to 0 to disable. Default is '1m'.
+    client_max_body_size 0;
 
-	client_max_body_size 0;
+    # Sendfile copies data between one FD and other from within the kernel,
+    # which is more efficient than read() + write(). Default is off.
+    sendfile on;
 
-	include /etc/nginx/mime.types;
-	default_type application/octet-stream;
+    # Causes nginx to attempt to send its HTTP response head in one packet,
+    # instead of using partial frames. Default is 'off'.
+    tcp_nopush on;
 
-	##
-	# Logging Settings
-	##
+    # Helper variable for proxying websockets.
+    map $http_upgrade $connection_upgrade {
+        default upgrade;
+        '' close;
+    }
 
-	access_log /config/log/nginx/access.log;
-	error_log /config/log/nginx/error.log;
+    # Sets the path, format, and configuration for a buffered log write.
+    access_log /config/log/nginx/access.log;
 
-	##
-	# Gzip Settings
-	##
+    # Includes virtual hosts configs.
+    #include /etc/nginx/http.d/*.conf;
 
-	gzip on;
-	gzip_disable "msie6";
+    # WARNING: Don't use this directory for virtual hosts anymore.
+    # This include will be moved to the root context in Alpine 3.14.
+    #include /etc/nginx/conf.d/*.conf;
 
-	# gzip_vary on;
-	# gzip_proxied any;
-	# gzip_comp_level 6;
-	# gzip_buffers 16 8k;
-	# gzip_http_version 1.1;
-	# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
 
-	##
-	# nginx-naxsi config
-	##
-	# Uncomment it if you installed nginx-naxsi
-	##
+    ##
+    # Basic Settings
+    ##
 
-	#include /etc/nginx/naxsi_core.rules;
+    client_body_buffer_size 128k;
+    keepalive_timeout 65;
+    large_client_header_buffers 4 16k;
+    send_timeout 5m;
+    tcp_nodelay on;
+    types_hash_max_size 2048;
+    variables_hash_max_size 2048;
+    # server_names_hash_bucket_size 64;
+    # server_name_in_redirect off;
 
-	##
-	# nginx-passenger config
-	##
-	# Uncomment it if you installed nginx-passenger
-	##
+    ##
+    # Gzip Settings
+    ##
 
-	#passenger_root /usr;
-	#passenger_ruby /usr/bin/ruby;
+    gzip on;
+    gzip_disable "msie6";
+    # gzip_vary on;
+    # gzip_proxied any;
+    # gzip_comp_level 6;
+    # gzip_buffers 16 8k;
+    # gzip_http_version 1.1;
+    # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
 
-	##
-	# Virtual Host Configs
-	##
-	include /etc/nginx/http.d/*.conf;
-	include /config/nginx/site-confs/*;
-  
+    ##
+    # nginx-naxsi config
+    ##
+    # Uncomment it if you installed nginx-naxsi
+    ##
+
+    #include /etc/nginx/naxsi_core.rules;
+
+    ##
+    # nginx-passenger config
+    ##
+    # Uncomment it if you installed nginx-passenger
+    ##
+
+    #passenger_root /usr;
+    #passenger_ruby /usr/bin/ruby;
+
+    ##
+    # Virtual Host Configs
+    ##
+    include /config/nginx/site-confs/*;
+    #Removed lua. Do not remove this comment
+
+    ##
+    # Geoip2 config
+    ##
+    # Uncomment to add the Geoip2 configs needed to geo block countries/cities.
+    ##
+
+    #include /config/nginx/geoip2.conf;
 }
 
+#mail {
+#    # See sample authentication script at:
+#    # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+#
+#    # auth_http localhost/auth.php;
+#    # pop3_capabilities "TOP" "USER";
+#    # imap_capabilities "IMAP4rev1" "UIDPLUS";
+#
+#    server {
+#        listen     localhost:110;
+#        protocol   pop3;
+#        proxy      on;
+#    }
+#
+#    server {
+#        listen     localhost:143;
+#        protocol   imap;
+#        proxy      on;
+#    }
+#}
+
 daemon off;
+pid /run/nginx.pid;

root/defaults/ssl.conf

@@ -0,0 +1,44 @@
+## Version 2021/10/05 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/ssl.conf
+
+### Mozilla Recommendations
+# generated 2020-06-17, Mozilla Guideline v5.4, nginx 1.18.0-r0, OpenSSL 1.1.1g-r0, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.18.0-r0&config=intermediate&openssl=1.1.1g-r0&guideline=5.4
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+ssl_session_tickets off;
+
+# intermediate configuration
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers off;
+
+# OCSP stapling
+ssl_stapling on;
+ssl_stapling_verify on;
+
+
+### Linuxserver.io Defaults
+
+# Certificates
+ssl_certificate /config/keys/cert.crt;
+ssl_certificate_key /config/keys/cert.key;
+
+# Diffie-Hellman Parameters
+ssl_dhparam /config/nginx/dhparams.pem;
+
+# Enable TLS 1.3 early data
+ssl_early_data on;
+
+# HSTS, remove # from the line below to enable HSTS
+#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+
+# Optional additional headers
+#add_header Cache-Control "no-transform" always;
+#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'";
+#add_header Permissions-Policy "interest-cohort=()";
+#add_header Referrer-Policy "same-origin" always;
+#add_header X-Content-Type-Options "nosniff" always;
+#add_header X-Frame-Options "SAMEORIGIN" always;
+#add_header X-UA-Compatible "IE=Edge" always;
+#add_header X-XSS-Protection "1; mode=block" always;

root/etc/cont-init.d/15-dhparams

@@ -0,0 +1,8 @@
+#!/usr/bin/with-contenv bash
+
+# copy pre-generated dhparams or generate if needed
+[[ ! -f /config/nginx/dhparams.pem ]] && \
+    cp /defaults/dhparams.pem /config/nginx/dhparams.pem
+if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then
+    curl -o /config/nginx/dhparams.pem -L "https://ssl-config.mozilla.org/ffdhe4096.txt"
+fi

root/etc/cont-init.d/16-keygen

@@ -1,4 +1,5 @@
 #!/usr/bin/with-contenv bash
+
 SUBJECT="/C=US/ST=CA/L=Carlsbad/O=Linuxserver.io/OU=LSIO Server/CN=*"
 if [[ -f /config/keys/cert.key && -f /config/keys/cert.crt ]]; then
     echo "using keys found in /config/keys"

root/etc/cont-init.d/17-php

@@ -0,0 +1,17 @@
+#!/usr/bin/with-contenv bash
+
+# create local php.ini if it doesn't exist, set local timezone
+[[ ! -f /config/php/php-local.ini ]] && \
+    printf "; Edit this file to override php.ini directives and restart the container\\n\\ndate.timezone = %s\\n" "$TZ" > /config/php/php-local.ini
+# copy user php-local.ini to image
+cp /config/php/php-local.ini /etc/php7/conf.d/php-local.ini
+#fix php-fpm log location
+sed -i "s#;error_log = log/php7/error.log.*#error_log = /config/log/php/error.log#g" /etc/php7/php-fpm.conf
+#fix php-fpm user
+sed -i "s#user = nobody.*#user = abc#g" /etc/php7/php-fpm.d/www.conf
+sed -i "s#group = nobody.*#group = abc#g" /etc/php7/php-fpm.d/www.conf
+# create override for www.conf if it doesn't exist
+[[ ! -f /config/php/www2.conf ]] && \
+    printf "; Edit this file to override www.conf and php-fpm.conf directives and restart the container\\n\\n; Pool name\\n[www]\\n\\n" > /config/php/www2.conf
+# copy user www2.conf to image
+cp /config/php/www2.conf /etc/php7/php-fpm.d/www2.conf

root/etc/cont-init.d/18-resolver

@@ -0,0 +1,16 @@
+#!/usr/bin/with-contenv bash
+
+# Set resolver, ignore ipv6 addresses
+if ! grep -q 'resolver' /config/nginx/resolver.conf; then
+    RESOLVERRAW=$(awk 'BEGIN{ORS=" "} $1=="nameserver" {print $2}' /etc/resolv.conf)
+    for i in ${RESOLVERRAW}; do
+        if [ $(awk -F ':' '{print NF-1}' <<< ${i}) -le 2 ]; then
+            RESOLVER="${RESOLVER} ${i}"
+        fi
+    done
+    if [ -z "${RESOLVER}" ]; then
+        RESOLVER="127.0.0.11"
+    fi
+    echo "Setting resolver to ${RESOLVER}"
+    echo -e "# This file is auto-generated only on first start, based on the container's /etc/resolv.conf file. Feel free to modify it as you wish.\n\nresolver ${RESOLVER} valid=30s;" > /config/nginx/resolver.conf
+fi

root/etc/cont-init.d/19-worker_processes

@@ -0,0 +1,8 @@
+#!/usr/bin/with-contenv bash
+
+# Set worker_processes
+if ! grep -q 'worker_processes' /config/nginx/worker_processes.conf; then
+    WORKER_PROCESSES=$(nproc)
+    echo "Setting worker_processes to ${WORKER_PROCESSES}"
+    echo -e "# This file is auto-generated only on first start, based on the cpu cores detected. Feel free to change it to any other number or to auto to let nginx handle it automatically.\n\nworker_processes ${WORKER_PROCESSES};" > /config/nginx/worker_processes.conf
+fi

root/etc/cont-init.d/20-config

@@ -10,27 +10,13 @@ mkdir -p \
 # copy config files
 [[ ! -f /config/nginx/nginx.conf ]] && \
     cp /defaults/nginx.conf /config/nginx/nginx.conf
+[[ ! -f /config/nginx/ssl.conf ]] && \
+    cp /defaults/ssl.conf /config/nginx/ssl.conf
 [[ ! -f /config/nginx/site-confs/default ]] && \
     cp /defaults/default /config/nginx/site-confs/default
 [[ $(find /config/www -type f | wc -l) -eq 0 ]] && \
     cp /defaults/index.html /config/www/index.html
 
-# create local php.ini if it doesn't exist, set local timezone
-[[ ! -f /config/php/php-local.ini ]] && \
-    printf "; Edit this file to override php.ini directives and restart the container\\n\\ndate.timezone = %s\\n" "$TZ" > /config/php/php-local.ini
-# copy user php-local.ini to image
-cp /config/php/php-local.ini /etc/php7/conf.d/php-local.ini
-#fix php-fpm log location
-sed -i "s#;error_log = log/php7/error.log.*#error_log = /config/log/php/error.log#g" /etc/php7/php-fpm.conf
-#fix php-fpm user
-sed -i "s#user = nobody.*#user = abc#g" /etc/php7/php-fpm.d/www.conf
-sed -i "s#group = nobody.*#group = abc#g" /etc/php7/php-fpm.d/www.conf
-# create override for www.conf if it doesn't exist
-[[ ! -f /config/php/www2.conf ]] && \
-    printf "; Edit this file to override www.conf and php-fpm.conf directives and restart the container\\n\\n; Pool name\\n[www]\\n\\n" > /config/php/www2.conf
-# copy user www2.conf to image
-cp /config/php/www2.conf /etc/php7/php-fpm.d/www2.conf
-
 # backwards compatibility for alpine >=3.14
 if [ ! -e /etc/nginx/conf.d ]; then
     ln -s /etc/nginx/http.d /etc/nginx/conf.d