From 8cfaa03acbf10084335a809584fd74fa59cb27d2 Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Sat, 23 Jul 2022 19:25:11 -0500 Subject: [PATCH] Roll back new folder structure --- Dockerfile | 2 +- Dockerfile.aarch64 | 2 +- Dockerfile.armhf | 2 +- jenkins-vars.yml | 2 +- root/defaults/nginx/nginx.conf.sample | 59 +++++++++++++------ .../nginx/server-confs/ssl.conf.sample | 47 --------------- .../nginx/site-confs/default.conf.sample | 16 ++--- root/etc/cont-init.d/11-folders | 2 +- root/etc/cont-init.d/12-samples | 21 ------- root/etc/cont-init.d/13-nginx | 7 +-- 10 files changed, 53 insertions(+), 107 deletions(-) delete mode 100644 root/defaults/nginx/server-confs/ssl.conf.sample diff --git a/Dockerfile b/Dockerfile index 02cbb48..d3b586a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM ghcr.io/linuxserver/baseimage-alpine:3.15 +FROM ghcr.io/linuxserver/baseimage-alpine:3.16 # install packages RUN \ diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index f8f2812..a688223 100644 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 @@ -1,4 +1,4 @@ -FROM ghcr.io/linuxserver/baseimage-alpine:arm64v8-3.15 +FROM ghcr.io/linuxserver/baseimage-alpine:arm64v8-3.16 # install packages RUN \ diff --git a/Dockerfile.armhf b/Dockerfile.armhf index f839c1a..4232b85 100644 --- a/Dockerfile.armhf +++ b/Dockerfile.armhf @@ -1,4 +1,4 @@ -FROM ghcr.io/linuxserver/baseimage-alpine:arm32v7-3.15 +FROM ghcr.io/linuxserver/baseimage-alpine:arm32v7-3.16 # install packages RUN \ diff --git a/jenkins-vars.yml b/jenkins-vars.yml index b6acf06..f35da92 100644 --- a/jenkins-vars.yml +++ b/jenkins-vars.yml @@ -4,7 +4,7 @@ project_name: docker-baseimage-alpine-nginx external_type: os release_type: stable -release_tag: "3.15" +release_tag: "3.16" ls_branch: master repo_vars: - BUILD_VERSION_ARG = 'OS' diff --git a/root/defaults/nginx/nginx.conf.sample b/root/defaults/nginx/nginx.conf.sample index 5cb59d9..c9b9fc1 100644 --- a/root/defaults/nginx/nginx.conf.sample 
+++ b/root/defaults/nginx/nginx.conf.sample @@ -1,7 +1,7 @@ -## Version 2021/11/25 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx.conf.sample +## Version 2022/07/23 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx.conf.sample ### Based on alpine defaults -# https://git.alpinelinux.org/aports/tree/main/nginx/nginx.conf?h=3.14-stable +# https://git.alpinelinux.org/aports/tree/main/nginx/nginx.conf?h=3.16-stable user abc; @@ -36,6 +36,7 @@ http { # Name servers used to resolve names of upstream servers into addresses. # It's also needed when using tcpsocket and udpsocket in Lua modules. #resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001; + include /config/nginx/resolver.conf; # Don't tell nginx version to the clients. Default is 'on'. server_tokens off; 
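Review bot: The added `include /config/nginx/resolver.conf;` is a literal include, so nginx refuses to start (and `nginx -t` fails) whenever that file is absent, unlike the glob `include /config/nginx/http-confs/*.conf;` it replaces, which tolerated a missing directory. The file is only created by the `touch` in root/etc/cont-init.d/13-nginx, so a user who deletes it to turn the resolver off, or who uses this sample outside the container init sequence, gets a hard startup failure rather than a degraded config. Document that next to the include, e.g. `# generated by /etc/cont-init.d/13-nginx on first start; nginx will not start if this file is missing`. The enclosing http block opens and closes outside this hunk.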
@@ -54,13 +55,50 @@ http { # instead of using partial frames. Default is 'off'. tcp_nopush on; + ### Mozilla Recommendations + # generated 2022-07-23, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration + # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 + + ssl_certificate /config/keys/cert.crt; + ssl_certificate_key /config/keys/cert.key; + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; # about 40000 sessions + ssl_session_tickets off; + + # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam + ssl_dhparam /config/nginx/dhparams.pem; + + # intermediate configuration + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + #add_header Strict-Transport-Security "max-age=63072000" always; + + # OCSP stapling + ssl_stapling on; + ssl_stapling_verify on; + + # verify chain of trust of OCSP response using Root CA and Intermediate certs + ssl_trusted_certificate /config/keys/cert.crt; + + # Optional additional headers + #add_header Cache-Control "no-transform" always; + #add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'"; + #add_header Permissions-Policy "interest-cohort=()"; + #add_header Referrer-Policy "same-origin" always; + #add_header X-Content-Type-Options "nosniff" always; + #add_header X-Frame-Options "SAMEORIGIN" always; + #add_header X-UA-Compatible "IE=Edge" always; + #add_header X-XSS-Protection "1; mode=block" always; + # Enable gzipping of responses. #gzip on; # Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'. 
gzip_vary on; - # Helper variable for proxying websockets. map $http_upgrade $connection_upgrade { default upgrade; @@ -70,24 +108,9 @@ http { # Sets the path, format, and configuration for a buffered log write. access_log /config/log/nginx/access.log; - ### Linuxserver.io Defaults - - client_body_buffer_size 128k; # default: client_body_buffer_size 8k|16k; - #keepalive_timeout 75s; # default: keepalive_timeout 75s; - large_client_header_buffers 4 16k; # default: large_client_header_buffers 4 8k; - send_timeout 5m; # default: send_timeout 60s; - #server_name_in_redirect off; # default: server_name_in_redirect off; - #server_names_hash_bucket_size 64; # default: server_names_hash_bucket_size 32|64|128; - #tcp_nodelay on; # default: tcp_nodelay on; - types_hash_max_size 2048; # default: types_hash_max_size 1024; - variables_hash_max_size 2048; # default: variables_hash_max_size 1024; - # Includes virtual hosts configs. include /config/nginx/site-confs/*.conf; #Removed lua. Do not remove this comment - - # Include configs for http block. - include /config/nginx/http-confs/*.conf; } daemon off; diff --git a/root/defaults/nginx/server-confs/ssl.conf.sample b/root/defaults/nginx/server-confs/ssl.conf.sample deleted file mode 100644 index d3456da..0000000 --- a/root/defaults/nginx/server-confs/ssl.conf.sample +++ /dev/null 
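Review bot: The ssl_* block moved into the http context is inert as shipped: the `listen 443 ssl http2;` lines lived in the deleted server-confs/ssl.conf.sample and the remaining default.conf.sample only listens on port 80, so no server block in this patch terminates TLS. The generated-by comment also regressed to `nginx 1.17.7, OpenSSL 1.1.1k` while the deleted file recorded 1.20.1-r3/1.1.1l-r0 and the image moves to Alpine 3.16, so the provenance line no longer describes what the image ships; regenerate it against the actual nginx and OpenSSL versions. `ssl_stapling on` with `ssl_trusted_certificate /config/keys/cert.crt` pointing at the served certificate itself only does anything when that chain carries an OCSP responder, so with a self-signed key it presumably just logs a stapling warning (what 13-nginx generates is outside the hunk, confirm there). A line such as `# these ssl_* directives only take effect in server blocks that add 'listen 443 ssl http2;'` above `ssl_certificate` would save operators the surprise. The http block starts before and ends after this hunk.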
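Review bot: Dropping `include /config/nginx/http-confs/*.conf;` silently discards any http-level directives users placed in that directory on an existing volume, since 11-folders no longer creates it but nothing removes or warns about a populated one either. Removing `large_client_header_buffers 4 16k;` also reverts to the `4 8k` default the removed line itself documents, which can surface as 400 "Request Header Or Cookie Too Large" for applications with large cookies, and `send_timeout 5m;` falls back to 60s — acceptable for a rollback, but worth a line in the sample so operators know where the tuning went, e.g. `# http-confs/ is no longer included; put http-level overrides directly in this file`. The http block's opening brace is outside the hunk.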
@@ -1,47 +0,0 @@ -## Version 2021/11/25 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/server-confs/ssl.conf.sample - -### Mozilla Recommendations -# generated 2021-10-16, Mozilla Guideline v5.6, nginx 1.20.1-r3, OpenSSL 1.1.1l-r0, intermediate configuration -# https://ssl-config.mozilla.org/#server=nginx&version=1.20.1-r3&config=intermediate&openssl=1.1.1l-r0&guideline=5.6 - -listen 443 ssl http2; -listen [::]:443 ssl http2; - -ssl_certificate /config/keys/cert.crt; -ssl_certificate_key /config/keys/cert.key; -ssl_session_timeout 1d; -ssl_session_cache shared:MozSSL:10m; # about 40000 sessions -ssl_session_tickets off; - -# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam -ssl_dhparam /config/nginx/dhparams.pem; - -# intermediate configuration -ssl_protocols TLSv1.2 TLSv1.3; -ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; -ssl_prefer_server_ciphers off; - -# HSTS (ngx_http_headers_module is required) (63072000 seconds) -#add_header Strict-Transport-Security "max-age=63072000" always; - -# OCSP stapling -ssl_stapling on; -ssl_stapling_verify on; - -# verify chain of trust of OCSP response using Root CA and Intermediate certs -ssl_trusted_certificate /config/keys/cert.crt; - -### Linuxserver.io Defaults - -# Enable TLS 1.3 early data -ssl_early_data on; - -# Optional additional headers -#add_header Cache-Control "no-transform" always; -#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'"; -#add_header Permissions-Policy "interest-cohort=()"; -#add_header Referrer-Policy "same-origin" always; -#add_header X-Content-Type-Options "nosniff" always; -#add_header X-Frame-Options "SAMEORIGIN" always; -#add_header X-UA-Compatible "IE=Edge" always; -#add_header 
X-XSS-Protection "1; mode=block" always; diff --git a/root/defaults/nginx/site-confs/default.conf.sample b/root/defaults/nginx/site-confs/default.conf.sample index 1aab5fa..5e72615 100644 --- a/root/defaults/nginx/site-confs/default.conf.sample +++ b/root/defaults/nginx/site-confs/default.conf.sample @@ -1,8 +1,6 @@ -## Version 2021/11/25 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/site-confs/default.conf.sample +## Version 2022/07/23 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/site-confs/default.conf.sample server { - include /config/nginx/server-confs/*.conf; - listen 80 default_server; listen [::]:80 default_server; @@ -15,16 +13,10 @@ server { root $root; index index.html index.htm index.php; - set $htpasswd_file /config/nginx/.htpasswd; - set $auth_basic "Restricted"; - if (!-f $htpasswd_file) { - set $auth_basic off; - } location / { - include /config/nginx/location-confs/*.conf; - - auth_basic $auth_basic; - auth_basic_user_file $htpasswd_file; + # enable for basic auth + #auth_basic "Restricted"; + #auth_basic_user_file /config/nginx/.htpasswd; try_files $uri $uri/ /index.html /index.php?$args =404; } diff --git a/root/etc/cont-init.d/11-folders b/root/etc/cont-init.d/11-folders index eed752e..90344ef 100644 --- a/root/etc/cont-init.d/11-folders +++ b/root/etc/cont-init.d/11-folders @@ -4,7 +4,7 @@ mkdir -p \ /config/{keys,php,www} \ /config/log/{nginx,php} \ - /config/nginx/{http-confs,location-confs,server-confs,site-confs} \ + /config/nginx/site-confs \ /run \ /var/lib/nginx/tmp/client_body \ /var/tmp/nginx diff --git a/root/etc/cont-init.d/12-samples b/root/etc/cont-init.d/12-samples index 0281368..682a863 100644 --- a/root/etc/cont-init.d/12-samples +++ b/root/etc/cont-init.d/12-samples 
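Review bot: Replacing the `if (!-f $htpasswd_file)` auto-detection with commented-out `auth_basic` lines means a `/config/nginx/.htpasswd` that protected a site under the previous layout is now ignored without any notice, so an upgraded volume can go from authenticated to open on the next restart. If that is the intended rollback, say so next to the commented directives, e.g. `# basic auth is no longer enabled automatically when .htpasswd exists; uncomment both lines to restore it`, and consider having the init scripts log a warning when the file is present (outside this hunk). The server block starts outside the hunk.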
@@ -13,27 +13,6 @@ find /defaults/nginx/ \ -type f \ -exec cp "{}" /config/nginx/ + -[[ -d /defaults/nginx/http-confs/ ]] && - find /defaults/nginx/http-confs/ \ - -maxdepth 1 \ - -name "*.conf.sample" \ - -type f \ - -exec cp "{}" /config/nginx/http-confs/ + - -[[ -d /defaults/nginx/location-confs/ ]] && - find /defaults/nginx/location-confs/ \ - -maxdepth 1 \ - -name "*.conf.sample" \ - -type f \ - -exec cp "{}" /config/nginx/location-confs/ + - -[[ -d /defaults/nginx/server-confs/ ]] && - find /defaults/nginx/server-confs/ \ - -maxdepth 1 \ - -name "*.conf.sample" \ - -type f \ - -exec cp "{}" /config/nginx/server-confs/ + - [[ -d /defaults/nginx/site-confs/ ]] && find /defaults/nginx/site-confs/ \ -maxdepth 1 \ diff --git a/root/etc/cont-init.d/13-nginx b/root/etc/cont-init.d/13-nginx index eeb4922..701f352 100644 --- a/root/etc/cont-init.d/13-nginx +++ b/root/etc/cont-init.d/13-nginx @@ -25,8 +25,8 @@ if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then fi # Set resolver, ignore ipv6 addresses -touch /config/nginx/http-confs/resolver.conf -if ! grep -q 'resolver' /config/nginx/http-confs/resolver.conf; then +touch /config/nginx/resolver.conf +if ! grep -q 'resolver' /config/nginx/resolver.conf; then RESOLVERRAW=$(awk 'BEGIN{ORS=" "} $1=="nameserver" {print $2}' /etc/resolv.conf) for i in ${RESOLVERRAW}; do if [[ "$(awk -F ':' '{print NF-1}' <<< "${i}")" -le 2 ]]; then @@ -38,8 +38,7 @@ if ! grep -q 'resolver' /config/nginx/http-confs/resolver.conf; then fi echo "Setting resolver to ${RESOLVER}" RESOLVEROUTPUT="# This file is auto-generated only on first start, based on the container's /etc/resolv.conf file. Feel free to modify it as you wish.\n\nresolver ${RESOLVER} valid=30s;" - echo -e "${RESOLVEROUTPUT}" > /config/nginx/http-confs/resolver.conf - echo -e "${RESOLVEROUTPUT}" > /config/nginx/location-confs/resolver.conf + echo -e "${RESOLVEROUTPUT}" > /config/nginx/resolver.conf fi # Set worker_processes
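Review bot: The `touch`/`grep` pair now targets `/config/nginx/resolver.conf`, but nothing migrates an existing `/config/nginx/http-confs/resolver.conf`, so a volume from the previous layout gets a freshly generated file and any hand edits to the old one are silently left behind (the same applies to the single `echo -e` in the second hunk, which no longer refreshes the location-confs copy). A guard before the `touch` would preserve them: `if [[ -f /config/nginx/http-confs/resolver.conf && ! -f /config/nginx/resolver.conf ]]; then cp /config/nginx/http-confs/resolver.conf /config/nginx/resolver.conf; fi`. The generated file's own comment promises it is written only on first start, and a migrated volume is exactly the case where the previously chosen values would be expected to survive. The resolver-parsing `for` loop continues outside the hunk.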