From cd4f462e8f15e25808db9dbac4ffd8b8d55ce7a8 Mon Sep 17 00:00:00 2001
From: Roxedus
Date: Fri, 11 Dec 2020 18:12:27 +0100
Subject: [PATCH] nginx-proxy-confs: Inital commit
---
 .github/workflows/BuildImage.yml | 4 +-
 Dockerfile | 29 +++++++++-
 README.md | 23 ++++----
 root/defaults/default | 37 ++++++++++++
 root/defaults/nginx.conf | 91 ++++++++++++++++++++++++++++++
 root/defaults/ssl.conf | 46 +++++++++++++++
 root/etc/cont-init.d/98-vpn-config | 27 ---------
 root/etc/cont-init.d/99-proxy-conf | 28 +++++++++
 root/etc/services.d/sshvpn/run | 3 -
 9 files changed, 241 insertions(+), 47 deletions(-)
 create mode 100644 root/defaults/default
 create mode 100644 root/defaults/nginx.conf
 create mode 100644 root/defaults/ssl.conf
 delete mode 100644 root/etc/cont-init.d/98-vpn-config
 create mode 100644 root/etc/cont-init.d/99-proxy-conf
 delete mode 100644 root/etc/services.d/sshvpn/run
diff --git a/.github/workflows/BuildImage.yml b/.github/workflows/BuildImage.yml
index 518b0d8..ef12079 100644
--- a/.github/workflows/BuildImage.yml
+++ b/.github/workflows/BuildImage.yml
@@ -4,8 +4,8 @@ on: [push, pull_request, workflow_dispatch]
 env:
 ENDPOINT: "linuxserver/mods" #don't modify
- BASEIMAGE: "replace_baseimage" #replace
- MODNAME: "replace_modname" #replace
+ BASEIMAGE: "nginx" #replace
+ MODNAME: "proxy-confs" #replace
 jobs:
 build:
diff --git a/Dockerfile b/Dockerfile
index 4ece5e8..413a4f4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,29 @@
+FROM ghcr.io/linuxserver/baseimage-alpine:3.12 as grab-stage
+
+RUN \
+ apk add --no-cache --upgrade \
+ curl \
+ tar && \
+ mkdir -p /root/defaults/proxy-confs && \
+ curl -o \
+ /tmp/proxy.tar.gz -L \
+ "https://github.com/linuxserver/reverse-proxy-confs/tarball/master" && \
+ tar xf \
+ /tmp/proxy.tar.gz -C \
+ /root/defaults/proxy-confs \
+ --strip-components=1 \
+ --exclude=linux*/.gitattributes \
+ --exclude=linux*/.github \
+ --exclude=linux*/.gitignore \
+ --exclude=linux*/LICENSE
+# copy local files
+COPY root/ root/
+
+ADD https://raw.githubusercontent.com/linuxserver/docker-swag/master/root/defaults/proxy.conf /root/defaults/proxy.conf
+
 FROM scratch
-LABEL maintainer="username"
+LABEL maintainer="Roxedus"
-# copy local files
-COPY root/ /
+# copy proxy-confs
+COPY --from=grab-stage root/ /
\ No newline at end of file
diff --git a/README.md b/README.md
index 5636dec..1a884c5 100644
--- a/README.md
+++ b/README.md
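Review bot: Both fetches in the grab-stage pull from a moving `master` ref with no checksum — the `curl ... tarball/master` inside the RUN and the bare `ADD https://raw.githubusercontent.com/.../master/root/defaults/proxy.conf` — so two builds of this Dockerfile can yield different mod contents and any upstream change ships into the image unreviewed. The curl call also lacks `-f`, so an HTTP error page would be written to `/tmp/proxy.tar.gz` and only surface later as a `tar` failure. Pin a tag or commit and verify, e.g. `curl -fsSL -o /tmp/proxy.tar.gz "https://github.com/linuxserver/reverse-proxy-confs/tarball/<PINNED_REF>" && echo "<SHA256_PLACEHOLDER>  /tmp/proxy.tar.gz" | sha256sum -c -`, and fetch proxy.conf the same way in the RUN rather than with `ADD`. The relative `COPY root/ root/` and the final `COPY --from=grab-stage root/ /` also only line up with the absolute `/root/defaults/...` paths if the grab-stage WORKDIR is `/`, which nothing in this file sets; a `WORKDIR /` at the top of the stage would remove that dependency on the base image.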
@@ -1,17 +1,16 @@
-# Rsync - Docker mod for openssh-server
+# Proxy-conf - Docker mod for Nginx
-This mod adds rsync to openssh-server, to be installed/updated during container start.
+This mod adds some of the [proxy-conf](https://github.com/linuxserver/reverse-proxy-confs) functionality that is baked into [SWAG](https://github.com/linuxserver/docker-swag), to Nginx.
-In openssh-server docker arguments, set an environment variable `DOCKER_MODS=linuxserver/mods:openssh-server-rsync`
+This mod does some reshuffling to the files that originally ships with our Nginx image.
-If adding multiple mods, enter them in an array separated by `|`, such as `DOCKER_MODS=linuxserver/mods:openssh-server-rsync|linuxserver/mods:openssh-server-mod2`
+| File | Change |
+| --- | --- |
+| site-confs/default | Added include directives to load the files from proxy-confs/ |
+| nginx.conf | Moved some directives to proxy.conf. Added the required map for websockets |
+| proxy.conf | Direct copy from SWAG |
+| ssl.conf | Based on the same file from SWAG, but changed certificate location |
-# Mod creation instructions
+In nginx docker arguments, set an environment variable `DOCKER_MODS=linuxserver/mods:nginx-proxy-confs`
-* Fork the repo, create a new branch based on the branch `template`.
-* Edit the `Dockerfile` for the mod. `Dockerfile.complex` is only an example and included for reference; it should be deleted when done.
-* Inspect the `root` folder contents. Edit, add and remove as necessary.
-* Edit this readme with pertinent info, delete these instructions.
-* Finally edit the `.github/workflows/BuildImage.yml`. Customize the build branch, and the vars for `BASEIMAGE` and `MODNAME`.
-* Ask the team to create a new branch named `-`. Baseimage should be the name of the image the mod will be applied to. The new branch will be based on the `template` branch.
-* Submit PR against the branch created by the team.
+If adding multiple mods, enter them in an array separated by `|`, such as `DOCKER_MODS=linuxserver/mods:nginx-proxy-confs|linuxserver/mods:universal-git`
diff --git a/root/defaults/default b/root/defaults/default
new file mode 100644
index 0000000..ff353a7
--- /dev/null
+++ b/root/defaults/default
@@ -0,0 +1,37 @@
+## Version 2020/12/11 - Changelog: https://github.com/linuxserver/docker-mods/blob/nginx-proxy-confs/root/defaults/nginx.conf
+
+server {
+ listen 80 default_server;
+ listen 443 ssl;
+ server_name _;
+
+ root /config/www;
+
+ index index.html index.htm index.php;
+
+ # enable subfolder method reverse proxy confs
+ include /config/nginx/proxy-confs/*.subfolder.conf;
+
+ ssl_certificate /config/keys/cert.crt;
+ ssl_certificate_key /config/keys/cert.key;
+
+
+ client_max_body_size 0;
+
+ location / {
+ try_files $uri $uri/ /index.html /index.php?$args =404;
+ }
+
+ location ~ \.php$ {
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_pass 127.0.0.1:9000;
+ fastcgi_index index.php;
+ include /etc/nginx/fastcgi_params;
+ }
+
+}
+
+# enable subdomain method reverse proxy confs
+include /config/nginx/proxy-confs/*.subdomain.conf;
+# enable proxy cache for auth
+proxy_cache_path cache/ keys_zone=auth_cache:10m;
\ No newline at end of file
diff --git a/root/defaults/nginx.conf b/root/defaults/nginx.conf
new file mode 100644
index 0000000..3c640ab
--- /dev/null
+++ b/root/defaults/nginx.conf
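Review bot: The default server block enables `listen 443 ssl;` and sets the certificate pair, but it never includes `/config/nginx/ssl.conf`, so the protocol, cipher, session-ticket and stapling settings added in this same commit do not apply to the default vhost, which falls back to nginx's built-in TLS defaults; presumably the subdomain confs include ssl.conf themselves, which would explain the asymmetry, but the default site should not be the weakest listener. Replacing the two `ssl_certificate*` lines with `include /config/nginx/ssl.conf;` (that file already carries the same certificate paths) makes it consistent with the proxied hosts. The `## Version` header also links the changelog to `root/defaults/nginx.conf` instead of this file's own path, `root/defaults/default`.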
@@ -0,0 +1,91 @@
+## Version 2020/12/11 - Changelog: https://github.com/linuxserver/docker-mods/blob/nginx-proxy-confs/root/defaults/nginx.conf
+
+user abc;
+worker_processes 4;
+pid /run/nginx.pid;
+include /etc/nginx/modules/*.conf;
+
+events {
+ worker_connections 768;
+ # multi_accept on;
+}
+
+http {
+
+ ##
+ # Basic Settings
+ ##
+
+ client_body_buffer_size 128k;
+ client_max_body_size 0;
+ keepalive_timeout 65;
+ large_client_header_buffers 4 16k;
+ send_timeout 5m;
+ sendfile on;
+ tcp_nodelay on;
+ tcp_nopush on;
+ types_hash_max_size 2048;
+ variables_hash_max_size 2048;
+
+ # server_tokens off;
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ##
+ # Logging Settings
+ ##
+
+ access_log /config/log/nginx/access.log;
+ error_log /config/log/nginx/error.log;
+
+ ##
+ # Gzip Settings
+ ##
+
+ gzip on;
+ gzip_disable "msie6";
+
+ # gzip_vary on;
+ # gzip_proxied any;
+ # gzip_comp_level 6;
+ # gzip_buffers 16 8k;
+ # gzip_http_version 1.1;
+ # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+
+ ##
+ # nginx-naxsi config
+ ##
+ # Uncomment it if you installed nginx-naxsi
+ ##
+
+ #include /etc/nginx/naxsi_core.rules;
+
+ ##
+ # nginx-passenger config
+ ##
+ # Uncomment it if you installed nginx-passenger
+ ##
+
+ #passenger_root /usr;
+ #passenger_ruby /usr/bin/ruby;
+
+ ##
+ # WebSocket proxying
+ ##
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
+ ##
+ # Virtual Host Configs
+ ##
+ include /etc/nginx/conf.d/*.conf;
+ include /config/nginx/site-confs/*;
+ lua_load_resty_core off;
+}
+
+daemon off;
\ No newline at end of file
diff --git a/root/defaults/ssl.conf b/root/defaults/ssl.conf
new file mode 100644
index 0000000..9cb0cb3
--- /dev/null
+++ b/root/defaults/ssl.conf
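Review bot: `# server_tokens off;` stays commented out in the new http block, so nginx keeps its default of advertising its version in the `Server` header and on error pages; since this commit otherwise adopts SWAG's hardened TLS defaults, enabling `server_tokens off;` here is the matching step for a reverse proxy that fronts other services. The WebSocket `map` is also the only new directive with no comment on why it exists; the README says the proxy-confs require it, so a one-liner such as `# $connection_upgrade is referenced by the proxy-confs; do not remove` above the map would save the next maintainer from "unknown variable" surprises when trimming this file.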
@@ -0,0 +1,46 @@
+## Version 2020/12/11 - Changelog: https://github.com/linuxserver/docker-mods/blob/nginx-proxy-confs/root/defaults/ssl.conf
+
+### Mozilla Recommendations
+# generated 2020-06-17, Mozilla Guideline v5.4, nginx 1.18.0-r0, OpenSSL 1.1.1g-r0, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.18.0-r0&config=intermediate&openssl=1.1.1g-r0&guideline=5.4
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+# intermediate configuration
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers off;
+
+# OCSP stapling
+ssl_stapling on;
+ssl_stapling_verify on;
+
+
+### Linuxserver.io Defaults
+
+# Certificates
+ssl_certificate /config/keys/cert.crt;
+ssl_certificate_key /config/keys/cert.key;
+
+# Diffie-Hellman Parameters
+ssl_dhparam /config/nginx/dhparams.pem;
+
+# Resolver
+resolver 127.0.0.11 valid=30s; # Docker DNS Server
+
+# Enable TLS 1.3 early data
+ssl_early_data on;
+
+# HSTS, remove # from the line below to enable HSTS
+#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+
+# Optional additional headers
+#add_header Cache-Control "no-transform" always;
+#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'";
+#add_header Referrer-Policy "same-origin" always;
+#add_header X-Content-Type-Options "nosniff" always;
+#add_header X-Frame-Options "SAMEORIGIN" always;
+#add_header X-UA-Compatible "IE=Edge" always;
+#add_header X-XSS-Protection "1; mode=block" always;
\ No newline at end of file
diff --git a/root/etc/cont-init.d/98-vpn-config b/root/etc/cont-init.d/98-vpn-config
deleted file mode 100644
index a5f9127..0000000
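Review bot: `ssl_early_data on;` accepts TLS 1.3 0-RTT data, which an on-path observer can replay against the backend; that is only safe when every proxied application treats requests flagged by `$ssl_early_data` as replayable, and this file neither says so nor ships the `proxy.conf` that presumably forwards that flag (it is fetched at build time and not visible in this commit). Either leave it off by default or replace the bare `# Enable TLS 1.3 early data` with a comment that states the contract, e.g. `# 0-RTT: early requests can be replayed; backends must reject non-idempotent requests carrying Early-Data: 1`. `ssl_stapling on;` together with the `/config/keys/cert.crt` pair — a self-signed certificate if the base image's default is what ends up there — will only produce stapling warnings at startup, which is worth a one-line note so users do not chase them as an error.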
--- a/root/etc/cont-init.d/98-vpn-config
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-# Determine if setup is needed
-if [ ! -f /usr/local/lib/python***/dist-packages/sshuttle ] && \
-[ -f /usr/bin/apt ]; then
- ## Ubuntu
- apt-get update
- apt-get install --no-install-recommends -y \
- iptables \
- openssh-client \
- python3 \
- python3-pip
- pip3 install sshuttle
-fi
-if [ ! -f /usr/lib/python***/site-packages/sshuttle ] && \
-[ -f /sbin/apk ]; then
- # Alpine
- apk add --no-cache \
- iptables \
- openssh \
- py3-pip \
- python3
- pip3 install sshuttle
-fi
-
-chown -R root:root /root
-chmod -R 600 /root/.ssh
diff --git a/root/etc/cont-init.d/99-proxy-conf b/root/etc/cont-init.d/99-proxy-conf
new file mode 100644
index 0000000..af7df1b
--- /dev/null
+++ b/root/etc/cont-init.d/99-proxy-conf
@@ -0,0 +1,28 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+###
+# SWAG LOGIC https://github.com/linuxserver/docker-swag/blob/master/root/etc/cont-init.d/50-config
+###
+
+# copy reverse proxy configs
+cp -R /defaults/proxy-confs /config/nginx/
+
+# copy proxy defaults
+[[ ! -f /config/nginx/proxy.conf ]] &&
+ cp /defaults/proxy.conf /config/nginx/proxy.conf
+[[ ! -f /config/nginx/ssl.conf ]] &&
+ cp /defaults/ssl.conf /config/nginx/ssl.conf
+
+# copy pre-generated dhparams or generate if needed
+if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then
+ curl -o /config/nginx/dhparams.pem -L "https://lsio.ams3.digitaloceanspaces.com/dhparams.pem"
+fi
+if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then
+ echo "Generating dhparams.pem. This will take a long time. Do not stop the container until this process is completed."
+ openssl dhparam -out /config/nginx/dhparams.pem 4096
+fi
+
+# permissions
+chown -R abc:abc \
+ /config/nginx/{proxy.conf,ssl.conf,dhparams.pem,proxy-confs/}
diff --git a/root/etc/services.d/sshvpn/run b/root/etc/services.d/sshvpn/run
deleted file mode 100644
index 7d49e79..0000000
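Review bot: The downloaded `dhparams.pem` is accepted on the strength of `grep -q 'PARAMETERS'` alone, and the `curl` has no `-f`, so an HTTP error body, a truncated download, or any tampered file that happens to contain that word passes both checks and nginx then refuses to start on `ssl_dhparam` with a much less obvious message. Validate the file as DH parameters instead — `if ! openssl dhparam -in /config/nginx/dhparams.pem -noout 2>/dev/null; then` in both `if` lines — and fetch with `curl -fsSL -o /config/nginx/dhparams.pem "https://lsio.ams3.digitaloceanspaces.com/dhparams.pem"` so a 4xx/5xx body is never written as the file; this also silences the "No such file" that the first `grep` prints to stderr on a fresh `/config`. The unconditional `cp -R /defaults/proxy-confs /config/nginx/` overwrites that directory on every start, which is fine for the `.sample` files users are expected to copy rather than edit, but a comment saying so (`# samples are refreshed every start; copy a .sample before editing it`) would save users from losing in-place edits.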
--- a/root/etc/services.d/sshvpn/run
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-sshuttle --dns --remote root@${HOST}:${PORT} 0/0 -x 172.17.0.0/16