From 332dc0f632796dec00a29b39518a34e84a22c578 Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Tue, 5 Oct 2021 15:19:04 -0500 Subject: [PATCH] Standardize configs Split apart init scripts Include dhparams Include ssl.conf Include resolver.conf generation Include worker_processes.conf generation use nginx.conf and default site config formatted like swag (formatted similar to upstream nginx) --- root/defaults/default | 18 +- root/defaults/dhparams.pem | 13 ++ root/defaults/nginx.conf | 178 ++++++++++++------ root/defaults/ssl.conf | 44 +++++ root/etc/cont-init.d/15-dhparams | 8 + root/etc/cont-init.d/{30-keygen => 16-keygen} | 1 + root/etc/cont-init.d/17-php | 17 ++ root/etc/cont-init.d/18-resolver | 16 ++ root/etc/cont-init.d/19-worker_processes | 8 + root/etc/cont-init.d/20-config | 18 +- 10 files changed, 247 insertions(+), 74 deletions(-) create mode 100644 root/defaults/dhparams.pem create mode 100644 root/defaults/ssl.conf create mode 100644 root/etc/cont-init.d/15-dhparams rename root/etc/cont-init.d/{30-keygen => 16-keygen} (99%) create mode 100644 root/etc/cont-init.d/17-php create mode 100644 root/etc/cont-init.d/18-resolver create mode 100644 root/etc/cont-init.d/19-worker_processes diff --git a/root/defaults/default b/root/defaults/default index cdf2fc1..8ff051b 100644 --- a/root/defaults/default +++ b/root/defaults/default @@ -1,19 +1,26 @@ +## Version 2021/10/05 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/default + server { listen 80 default_server; - - listen 443 ssl; + listen [::]:80 default_server; + listen 443 ssl http2 default_server; + listen [::]:443 ssl http2 default_server; root /config/www; index index.html index.htm index.php; server_name _; - ssl_certificate /config/keys/cert.crt; - ssl_certificate_key /config/keys/cert.key; + # all ssl related config moved to ssl.conf + include /config/nginx/ssl.conf; client_max_body_size 0; location / { + # enable the next two lines for http auth + #auth_basic "Restricted"; + #auth_basic_user_file /config/nginx/.htpasswd; + try_files $uri $uri/ /index.html /index.php?$args =404; } @@ -24,3 +31,6 @@ server { include /etc/nginx/fastcgi_params; } } + +# enable proxy cache for auth +proxy_cache_path cache/ keys_zone=auth_cache:10m; diff --git a/root/defaults/dhparams.pem b/root/defaults/dhparams.pem new file mode 100644 index 0000000..eed4c41 --- /dev/null +++ b/root/defaults/dhparams.pem @@ -0,0 +1,13 @@ +-----BEGIN DH PARAMETERS----- +MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3 +7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32 +nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e +8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx +iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K +zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI= +-----END DH PARAMETERS----- \ No newline at end of file diff --git a/root/defaults/nginx.conf b/root/defaults/nginx.conf index 6134671..c6040d1 100644 --- a/root/defaults/nginx.conf +++ b/root/defaults/nginx.conf @@ -1,80 +1,150 @@ -## Version 2021/06/15 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx.conf +## Version 2021/10/05 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx.conf user abc; -worker_processes 4; -pid /run/nginx.pid; + +# Set number of worker processes automatically based on number of CPU cores. +include /config/nginx/worker_processes.conf; + +# Enables the use of JIT for regular expressions to speed-up their processing. +pcre_jit on; + +# Configures default error logger. +error_log /config/log/nginx/error.log; + +# Includes files with directives to load dynamic modules. include /etc/nginx/modules/*.conf; events { - worker_connections 768; - # multi_accept on; + # The maximum number of simultaneous connections that can be opened by + # a worker process. + worker_connections 1024; + # multi_accept on; } http { + # Includes mapping of file name extensions to MIME types of responses + # and defines the default type. + include /etc/nginx/mime.types; + default_type application/octet-stream; - ## - # Basic Settings - ## + # Name servers used to resolve names of upstream servers into addresses. + # It's also needed when using tcpsocket and udpsocket in Lua modules. + #resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001; + include /config/nginx/resolver.conf; - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; - # server_tokens off; + # Don't tell nginx version to the clients. Default is 'on'. + server_tokens off; - # server_names_hash_bucket_size 64; - # server_name_in_redirect off; + # Specifies the maximum accepted body size of a client request, as + # indicated by the request header Content-Length. If the stated content + # length is greater than this size, then the client receives the HTTP + # error code 413. Set to 0 to disable. Default is '1m'. + client_max_body_size 0; - client_max_body_size 0; + # Sendfile copies data between one FD and other from within the kernel, + # which is more efficient than read() + write(). Default is off. + sendfile on; - include /etc/nginx/mime.types; - default_type application/octet-stream; + # Causes nginx to attempt to send its HTTP response head in one packet, + # instead of using partial frames. Default is 'off'. + tcp_nopush on; - ## - # Logging Settings - ## + # Helper variable for proxying websockets. + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } - access_log /config/log/nginx/access.log; - error_log /config/log/nginx/error.log; + # Sets the path, format, and configuration for a buffered log write. + access_log /config/log/nginx/access.log; - ## - # Gzip Settings - ## + # Includes virtual hosts configs. + #include /etc/nginx/http.d/*.conf; - gzip on; - gzip_disable "msie6"; + # WARNING: Don't use this directory for virtual hosts anymore. + # This include will be moved to the root context in Alpine 3.14. + #include /etc/nginx/conf.d/*.conf; - # gzip_vary on; - # gzip_proxied any; - # gzip_comp_level 6; - # gzip_buffers 16 8k; - # gzip_http_version 1.1; - # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; - ## - # nginx-naxsi config - ## - # Uncomment it if you installed nginx-naxsi - ## + ## + # Basic Settings + ## - #include /etc/nginx/naxsi_core.rules; + client_body_buffer_size 128k; + keepalive_timeout 65; + large_client_header_buffers 4 16k; + send_timeout 5m; + tcp_nodelay on; + types_hash_max_size 2048; + variables_hash_max_size 2048; + # server_names_hash_bucket_size 64; + # server_name_in_redirect off; - ## - # nginx-passenger config - ## - # Uncomment it if you installed nginx-passenger - ## + ## + # Gzip Settings + ## - #passenger_root /usr; - #passenger_ruby /usr/bin/ruby; + gzip on; + gzip_disable "msie6"; + # gzip_vary on; + # gzip_proxied any; + # gzip_comp_level 6; + # gzip_buffers 16 8k; + # gzip_http_version 1.1; + # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; - ## - # Virtual Host Configs - ## - include /etc/nginx/http.d/*.conf; - include /config/nginx/site-confs/*; - + ## + # nginx-naxsi config + ## + # Uncomment it if you installed nginx-naxsi + ## + + #include /etc/nginx/naxsi_core.rules; + + ## + # nginx-passenger config + ## + # Uncomment it if you installed nginx-passenger + ## + + #passenger_root /usr; + #passenger_ruby /usr/bin/ruby; + + ## + # Virtual Host Configs + ## + include /config/nginx/site-confs/*; + #Removed lua. Do not remove this comment + + ## + # Geoip2 config + ## + # Uncomment to add the Geoip2 configs needed to geo block countries/cities. + ## + + #include /config/nginx/geoip2.conf; } +#mail { +# # See sample authentication script at: +# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript +# +# # auth_http localhost/auth.php; +# # pop3_capabilities "TOP" "USER"; +# # imap_capabilities "IMAP4rev1" "UIDPLUS"; +# +# server { +# listen localhost:110; +# protocol pop3; +# proxy on; +# } +# +# server { +# listen localhost:143; +# protocol imap; +# proxy on; +# } +#} + daemon off; +pid /run/nginx.pid; diff --git a/root/defaults/ssl.conf b/root/defaults/ssl.conf new file mode 100644 index 0000000..891b922 --- /dev/null +++ b/root/defaults/ssl.conf @@ -0,0 +1,44 @@ +## Version 2021/10/05 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/ssl.conf + +### Mozilla Recommendations +# generated 2020-06-17, Mozilla Guideline v5.4, nginx 1.18.0-r0, OpenSSL 1.1.1g-r0, intermediate configuration +# https://ssl-config.mozilla.org/#server=nginx&version=1.18.0-r0&config=intermediate&openssl=1.1.1g-r0&guideline=5.4 + +ssl_session_timeout 1d; +ssl_session_cache shared:MozSSL:10m; # about 40000 sessions +ssl_session_tickets off; + +# intermediate configuration +ssl_protocols TLSv1.2 TLSv1.3; +ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; +ssl_prefer_server_ciphers off; + +# OCSP stapling +ssl_stapling on; +ssl_stapling_verify on; + + +### Linuxserver.io Defaults + +# Certificates +ssl_certificate /config/keys/cert.crt; +ssl_certificate_key /config/keys/cert.key; + +# Diffie-Hellman Parameters +ssl_dhparam /config/nginx/dhparams.pem; + +# Enable TLS 1.3 early data +ssl_early_data on; + +# HSTS, remove # from the line below to enable HSTS +#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; + +# Optional additional headers +#add_header Cache-Control "no-transform" always; +#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'"; +#add_header Permissions-Policy "interest-cohort=()"; +#add_header Referrer-Policy "same-origin" always; +#add_header X-Content-Type-Options "nosniff" always; +#add_header X-Frame-Options "SAMEORIGIN" always; +#add_header X-UA-Compatible "IE=Edge" always; +#add_header X-XSS-Protection "1; mode=block" always; diff --git a/root/etc/cont-init.d/15-dhparams b/root/etc/cont-init.d/15-dhparams new file mode 100644 index 0000000..37200e8 --- /dev/null +++ b/root/etc/cont-init.d/15-dhparams @@ -0,0 +1,8 @@ +#!/usr/bin/with-contenv bash + +# copy pre-generated dhparams or generate if needed +[[ ! -f /config/nginx/dhparams.pem ]] && \ + cp /defaults/dhparams.pem /config/nginx/dhparams.pem +if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then + curl -o /config/nginx/dhparams.pem -L "https://ssl-config.mozilla.org/ffdhe4096.txt" +fi diff --git a/root/etc/cont-init.d/30-keygen b/root/etc/cont-init.d/16-keygen similarity index 99% rename from root/etc/cont-init.d/30-keygen rename to root/etc/cont-init.d/16-keygen index ceef02d..7d2340d 100644 --- a/root/etc/cont-init.d/30-keygen +++ b/root/etc/cont-init.d/16-keygen @@ -1,4 +1,5 @@ #!/usr/bin/with-contenv bash + SUBJECT="/C=US/ST=CA/L=Carlsbad/O=Linuxserver.io/OU=LSIO Server/CN=*" if [[ -f /config/keys/cert.key && -f /config/keys/cert.crt ]]; then echo "using keys found in /config/keys" diff --git a/root/etc/cont-init.d/17-php b/root/etc/cont-init.d/17-php new file mode 100644 index 0000000..aca0fa8 --- /dev/null +++ b/root/etc/cont-init.d/17-php @@ -0,0 +1,17 @@ +#!/usr/bin/with-contenv bash + +# create local php.ini if it doesn't exist, set local timezone +[[ ! -f /config/php/php-local.ini ]] && \ + printf "; Edit this file to override php.ini directives and restart the container\\n\\ndate.timezone = %s\\n" "$TZ" > /config/php/php-local.ini +# copy user php-local.ini to image +cp /config/php/php-local.ini /etc/php7/conf.d/php-local.ini +#fix php-fpm log location +sed -i "s#;error_log = log/php7/error.log.*#error_log = /config/log/php/error.log#g" /etc/php7/php-fpm.conf +#fix php-fpm user +sed -i "s#user = nobody.*#user = abc#g" /etc/php7/php-fpm.d/www.conf +sed -i "s#group = nobody.*#group = abc#g" /etc/php7/php-fpm.d/www.conf +# create override for www.conf if it doesn't exist +[[ ! -f /config/php/www2.conf ]] && \ + printf "; Edit this file to override www.conf and php-fpm.conf directives and restart the container\\n\\n; Pool name\\n[www]\\n\\n" > /config/php/www2.conf +# copy user www2.conf to image +cp /config/php/www2.conf /etc/php7/php-fpm.d/www2.conf diff --git a/root/etc/cont-init.d/18-resolver b/root/etc/cont-init.d/18-resolver new file mode 100644 index 0000000..8061ce8 --- /dev/null +++ b/root/etc/cont-init.d/18-resolver @@ -0,0 +1,16 @@ +#!/usr/bin/with-contenv bash + +# Set resolver, ignore ipv6 addresses +if ! grep -q 'resolver' /config/nginx/resolver.conf; then + RESOLVERRAW=$(awk 'BEGIN{ORS=" "} $1=="nameserver" {print $2}' /etc/resolv.conf) + for i in ${RESOLVERRAW}; do + if [ $(awk -F ':' '{print NF-1}' <<< ${i}) -le 2 ]; then + RESOLVER="${RESOLVER} ${i}" + fi + done + if [ -z "${RESOLVER}" ]; then + RESOLVER="127.0.0.11" + fi + echo "Setting resolver to ${RESOLVER}" + echo -e "# This file is auto-generated only on first start, based on the container's /etc/resolv.conf file. Feel free to modify it as you wish.\n\nresolver ${RESOLVER} valid=30s;" > /config/nginx/resolver.conf +fi diff --git a/root/etc/cont-init.d/19-worker_processes b/root/etc/cont-init.d/19-worker_processes new file mode 100644 index 0000000..dfe4010 --- /dev/null +++ b/root/etc/cont-init.d/19-worker_processes @@ -0,0 +1,8 @@ +#!/usr/bin/with-contenv bash + +# Set worker_processes +if ! grep -q 'worker_processes' /config/nginx/worker_processes.conf; then + WORKER_PROCESSES=$(nproc) + echo "Setting worker_processes to ${WORKER_PROCESSES}" + echo -e "# This file is auto-generated only on first start, based on the cpu cores detected. Feel free to change it to any other number or to auto to let nginx handle it automatically.\n\nworker_processes ${WORKER_PROCESSES};" > /config/nginx/worker_processes.conf +fi diff --git a/root/etc/cont-init.d/20-config b/root/etc/cont-init.d/20-config index 88542b9..0574d7c 100644 --- a/root/etc/cont-init.d/20-config +++ b/root/etc/cont-init.d/20-config @@ -10,27 +10,13 @@ mkdir -p \ # copy config files [[ ! -f /config/nginx/nginx.conf ]] && \ cp /defaults/nginx.conf /config/nginx/nginx.conf +[[ ! -f /config/nginx/ssl.conf ]] && \ + cp /defaults/ssl.conf /config/nginx/ssl.conf [[ ! -f /config/nginx/site-confs/default ]] && \ cp /defaults/default /config/nginx/site-confs/default [[ $(find /config/www -type f | wc -l) -eq 0 ]] && \ cp /defaults/index.html /config/www/index.html -# create local php.ini if it doesn't exist, set local timezone -[[ ! -f /config/php/php-local.ini ]] && \ - printf "; Edit this file to override php.ini directives and restart the container\\n\\ndate.timezone = %s\\n" "$TZ" > /config/php/php-local.ini -# copy user php-local.ini to image -cp /config/php/php-local.ini /etc/php7/conf.d/php-local.ini -#fix php-fpm log location -sed -i "s#;error_log = log/php7/error.log.*#error_log = /config/log/php/error.log#g" /etc/php7/php-fpm.conf -#fix php-fpm user -sed -i "s#user = nobody.*#user = abc#g" /etc/php7/php-fpm.d/www.conf -sed -i "s#group = nobody.*#group = abc#g" /etc/php7/php-fpm.d/www.conf -# create override for www.conf if it doesn't exist -[[ ! -f /config/php/www2.conf ]] && \ - printf "; Edit this file to override www.conf and php-fpm.conf directives and restart the container\\n\\n; Pool name\\n[www]\\n\\n" > /config/php/www2.conf -# copy user www2.conf to image -cp /config/php/www2.conf /etc/php7/php-fpm.d/www2.conf - # backwards compatibility for alpine >=3.14 if [ ! -e /etc/nginx/conf.d ]; then ln -s /etc/nginx/http.d /etc/nginx/conf.d