Update dockerfile
This commit is contained in:
parent
d6a0954df6
commit
23ec5fa32c
|
@ -5,6 +5,7 @@ stages:
|
|||
- buildphpFuelPHP
|
||||
- buildetherpad
|
||||
- buildGrav
|
||||
- buildMonitoring
|
||||
- pushOnGithub
|
||||
|
||||
before_script:
|
||||
|
@ -27,7 +28,7 @@ buildNginx:
|
|||
- docker
|
||||
- build
|
||||
script:
|
||||
- docker build -t registry.dryusdan.fr/dryusdan/nginx:ipv6 nginx/
|
||||
- sh nginx/builder.sh
|
||||
- docker push registry.dryusdan.fr/dryusdan/nginx:ipv6
|
||||
- docker rmi registry.dryusdan.fr/dryusdan/nginx:ipv6
|
||||
|
||||
|
@ -62,6 +63,16 @@ buildGrav:
|
|||
- docker push registry.dryusdan.fr/dryusdan/php:grav
|
||||
- docker rmi registry.dryusdan.fr/dryusdan/php:grav
|
||||
|
||||
buildMonitoring:
|
||||
stage: buildMonitoring
|
||||
tags:
|
||||
- docker
|
||||
- build
|
||||
script:
|
||||
- docker build -t registry.dryusdan.fr/dryusdan/cachet-monitoring cachet-monitoring
|
||||
- docker push registry.dryusdan.fr/dryusdan/cachet-monitoring
|
||||
- docker rmi registry.dryusdan.fr/dryusdan/cachet-monitoring
|
||||
|
||||
pushOnGithub:
|
||||
stage: pushOnGithub
|
||||
tags:
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# Dockerfile
|
||||
[![build status](https://git.dryusdan.fr/Dryusdan/Dockerfiles/badges/master/build.svg)](https://git.dryusdan.fr/Dryusdan/Dockerfiles/commits/master)
|
||||
[![build status](https://git.drycat.fr/Dryusdan/Dockerfiles/badges/master/build.svg)](https://git.drycat.fr/Dryusdan/Dockerfiles/commits/master)
|
||||
## What ?
|
||||
In this repository, you will find lots of dockerfiles, with a philosophy of being as light as possible, easy to use.
|
||||
|
||||
|
@ -10,4 +10,4 @@ Now, all my images is build and push with my own [gitlab instance](https://gitla
|
|||
If you don't trust, you can build yourself images. Instructions are on README.
|
||||
|
||||
## Contributing
|
||||
Any contributions, are very welcome !
|
||||
Any contributions, are very welcome !
|
||||
|
|
15
cachet-monitoring/Dockerfile
Normal file
15
cachet-monitoring/Dockerfile
Normal file
|
@ -0,0 +1,15 @@
|
|||
FROM golang:1.8-alpine
|
||||
|
||||
ARG VERSION=3.0
|
||||
|
||||
ADD monitoring/ /monitoring
|
||||
WORKDIR /monitoring/
|
||||
|
||||
RUN apk -U add wget ca-certificates \
|
||||
&& wget https://github.com/CastawayLabs/cachet-monitor/releases/download/v${VERSION}/cachet_monitor_linux_amd64 \
|
||||
&& mv cachet_monitor_linux_amd64 cachet-monitor \
|
||||
&& chmod +x cachet-monitor \
|
||||
&& chmod +x start.sh
|
||||
|
||||
ENTRYPOINT ["./start.sh"]
|
||||
CMD ["./cachet-monitor", "-c", "/monitoring/config.json"]
|
91
cachet-monitoring/monitoring/config.json
Normal file
91
cachet-monitoring/monitoring/config.json
Normal file
|
@ -0,0 +1,91 @@
|
|||
{
|
||||
"api": {
|
||||
"url": "https://status.drycat.fr/api/v1",
|
||||
"token": "E0ZZuIEIuUsfBpQdw1z6",
|
||||
"insecure": false
|
||||
},
|
||||
"date_format": "02/01/2006 15:04:05 MST",
|
||||
"monitors": [
|
||||
{
|
||||
"name": "Blog Drycat",
|
||||
"target":"https://www.drycat.fr",
|
||||
"strict": true,
|
||||
"method": "GET",
|
||||
"component_id": 8,
|
||||
"template": {
|
||||
"investigating": {
|
||||
"subject": "{{ .Monitor.Name }} - {{ .SystemName }}",
|
||||
"message": "{{ .Monitor.Name }} check **failed** (server time: {{ .now }})\n\n{{ .FailReason }}"
|
||||
},
|
||||
"fixed": {
|
||||
"subject": "Le service est revenu à la normal"
|
||||
}
|
||||
},
|
||||
"interval": 10,
|
||||
"timeout": 5,
|
||||
"threshold": 80,
|
||||
"expected_status_code": 200
|
||||
},
|
||||
{
|
||||
"name": "Miaou",
|
||||
"target":"https://miaou.drycat.fr",
|
||||
"strict": true,
|
||||
"method": "GET",
|
||||
"component_id": 1,
|
||||
"metric_id": 3,
|
||||
"template": {
|
||||
"investigating": {
|
||||
"subject": "{{ .Monitor.Name }} - {{ .SystemName }}",
|
||||
"message": "{{ .Monitor.Name }} check **failed** (server time: {{ .now }})\n\n{{ .FailReason }}"
|
||||
},
|
||||
"fixed": {
|
||||
"subject": "Le service est revenu à la normal"
|
||||
}
|
||||
},
|
||||
"interval": 10,
|
||||
"timeout": 5,
|
||||
"threshold": 80,
|
||||
"expected_status_code": 200
|
||||
},
|
||||
{
|
||||
"name": "Lutim",
|
||||
"target":"https://img.drycat.fr",
|
||||
"strict": true,
|
||||
"method": "GET",
|
||||
"component_id": 2,
|
||||
"template": {
|
||||
"investigating": {
|
||||
"subject": "{{ .Monitor.Name }} - {{ .SystemName }}",
|
||||
"message": "{{ .Monitor.Name }} check **failed** (server time: {{ .now }})\n\n{{ .FailReason }}"
|
||||
},
|
||||
"fixed": {
|
||||
"subject": "Le service est revenu à la normal"
|
||||
}
|
||||
},
|
||||
"interval": 10,
|
||||
"timeout": 5,
|
||||
"threshold": 80,
|
||||
"expected_status_code": 200
|
||||
},
|
||||
{
|
||||
"name": "PrivateBin",
|
||||
"target":"https://paste.drycat.fr",
|
||||
"strict": true,
|
||||
"method": "GET",
|
||||
"component_id": 3,
|
||||
"template": {
|
||||
"investigating": {
|
||||
"subject": "{{ .Monitor.Name }} - {{ .SystemName }}",
|
||||
"message": "{{ .Monitor.Name }} check **failed** (server time: {{ .now }})\n\n{{ .FailReason }}"
|
||||
},
|
||||
"fixed": {
|
||||
"subject": "Le service est revenu à la normal"
|
||||
}
|
||||
},
|
||||
"interval": 10,
|
||||
"timeout": 5,
|
||||
"threshold": 80,
|
||||
"expected_status_code": 200
|
||||
}
|
||||
]
|
||||
}
|
7
cachet-monitoring/monitoring/start.sh
Normal file
7
cachet-monitoring/monitoring/start.sh
Normal file
|
@ -0,0 +1,7 @@
|
|||
#!/bin/sh
|
||||
|
||||
if [ $# -eq 0 ]; then
|
||||
exec ./cachet-monitor -c config.json
|
||||
else
|
||||
exec $@
|
||||
fi
|
121
nginx/Dockerfile
121
nginx/Dockerfile
|
@ -1,121 +0,0 @@
|
|||
FROM alpine:3.5
|
||||
# MAINTAINER Wonderfall <https://github.com/Wonderfall/dockerfiles>
|
||||
MAINTAINER Dryusdan
|
||||
|
||||
ENV UID=991 GID=991
|
||||
|
||||
ARG NGINX_VERSION=1.11.13
|
||||
ARG LIBRESSL_VERSION=2.5.2
|
||||
ARG GPG_LIBRESSL="A1EB 079B 8D3E B92B 4EBD 3139 663A F51B D5E4 D8D5"
|
||||
ARG GPG_NGINX="B0F4 2533 73F8 F6F5 10D4 2178 520A 9993 A1C0 52F8"
|
||||
ARG BUILD_CORES
|
||||
|
||||
RUN echo "@commuedge https://nl.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories \
|
||||
&& NB_CORES=${BUILD_CORES-$(getconf _NPROCESSORS_CONF)} \
|
||||
&& BUILD_DEPS=" \
|
||||
build-base \
|
||||
linux-headers \
|
||||
ca-certificates \
|
||||
automake \
|
||||
autoconf \
|
||||
git \
|
||||
tar \
|
||||
libtool \
|
||||
pcre-dev \
|
||||
zlib-dev \
|
||||
binutils \
|
||||
gnupg" \
|
||||
&& apk -U add \
|
||||
${BUILD_DEPS} \
|
||||
pcre \
|
||||
zlib \
|
||||
libgcc \
|
||||
libstdc++ \
|
||||
su-exec \
|
||||
openssl \
|
||||
bind-tools \
|
||||
tini@commuedge \
|
||||
&& cd /tmp \
|
||||
&& git clone https://github.com/bagder/libbrotli --depth=1 && cd libbrotli \
|
||||
&& ./autogen.sh && ./configure && make -j ${NB_CORES} && make install \
|
||||
&& cd /tmp \
|
||||
&& git clone https://github.com/google/ngx_brotli --depth=1 \
|
||||
&& git clone https://github.com/openresty/headers-more-nginx-module --depth=1 \
|
||||
&& cp -R /tmp/libbrotli/brotli /tmp/ngx_brotli/deps \
|
||||
&& LIBRESSL_TARBALL="libressl-${LIBRESSL_VERSION}.tar.gz" \
|
||||
&& wget -q http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/${LIBRESSL_TARBALL} \
|
||||
&& echo "Verifying ${LIBRESSL_TARBALL} using GPG..." \
|
||||
&& wget -q http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/${LIBRESSL_TARBALL}.asc \
|
||||
&& wget -q http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl.asc \
|
||||
&& gpg --import libressl.asc \
|
||||
&& FINGERPRINT="$(LANG=C gpg --verify ${LIBRESSL_TARBALL}.asc ${LIBRESSL_TARBALL} 2>&1 \
|
||||
| sed -n "s#Primary key fingerprint: \(.*\)#\1#p")" \
|
||||
&& if [ -z "${FINGERPRINT}" ]; then echo "Warning! Invalid GPG signature!" && exit 1; fi \
|
||||
&& if [ "${FINGERPRINT}" != "${GPG_LIBRESSL}" ]; then echo "Warning! Wrong GPG fingerprint!" && exit 1; fi \
|
||||
&& echo "All seems good, now unpacking ${LIBRESSL_TARBALL}..." \
|
||||
&& tar xzf ${LIBRESSL_TARBALL} \
|
||||
&& NGINX_TARBALL="nginx-${NGINX_VERSION}.tar.gz" \
|
||||
&& wget -q https://nginx.org/download/${NGINX_TARBALL} \
|
||||
&& echo "Verifying ${NGINX_TARBALL} using GPG..." \
|
||||
&& wget -q https://nginx.org/download/${NGINX_TARBALL}.asc \
|
||||
&& wget -q https://nginx.org/keys/mdounin.key \
|
||||
&& gpg --import mdounin.key \
|
||||
&& FINGERPRINT="$(LANG=C gpg --verify ${NGINX_TARBALL}.asc ${NGINX_TARBALL} 2>&1 \
|
||||
| sed -n "s#Primary key fingerprint: \(.*\)#\1#p")" \
|
||||
&& if [ -z "${FINGERPRINT}" ]; then echo "Warning! Invalid GPG signature!" && exit 1; fi \
|
||||
&& if [ "${FINGERPRINT}" != "${GPG_NGINX}" ]; then echo "Warning! Wrong GPG fingerprint!" && exit 1; fi \
|
||||
&& echo "All seems good, now unpacking ${NGINX_TARBALL}..." \
|
||||
&& tar xzf ${NGINX_TARBALL} && cd nginx-${NGINX_VERSION} \
|
||||
&& wget -q https://raw.githubusercontent.com/cloudflare/sslconfig/acc5f83b5fdf2ee28ad7f6b6530f4152f2883601/patches/nginx__1.11.5_dynamic_tls_records.patch -O nginx__dynamic_tls_records.patch \
|
||||
&& echo "error is here" \
|
||||
&& patch -p1 < nginx__dynamic_tls_records.patch \
|
||||
&& echo "launch configure" \
|
||||
&& ./configure \
|
||||
--prefix=/etc/nginx \
|
||||
--sbin-path=/usr/sbin/nginx \
|
||||
--with-cc-opt='-O3 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wno-deprecated-declarations' \
|
||||
--with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro' \
|
||||
--with-openssl=/tmp/libressl-${LIBRESSL_VERSION} \
|
||||
--with-http_ssl_module \
|
||||
--with-http_v2_module \
|
||||
--with-http_gzip_static_module \
|
||||
--with-http_stub_status_module \
|
||||
--with-file-aio \
|
||||
--with-threads \
|
||||
--with-pcre-jit \
|
||||
--with-ipv6 \
|
||||
--without-http_ssi_module \
|
||||
--without-http_scgi_module \
|
||||
--without-http_uwsgi_module \
|
||||
--without-http_geo_module \
|
||||
--without-http_autoindex_module \
|
||||
--without-http_split_clients_module \
|
||||
--without-http_memcached_module \
|
||||
--without-http_empty_gif_module \
|
||||
--without-http_browser_module \
|
||||
--http-log-path=/var/log/nginx/access.log \
|
||||
--error-log-path=/var/log/nginx/error.log \
|
||||
--add-module=/tmp/headers-more-nginx-module \
|
||||
--add-module=/tmp/ngx_brotli \
|
||||
&& make -j ${NB_CORES} && make install && make clean \
|
||||
&& strip -s /usr/sbin/nginx \
|
||||
&& apk del ${BUILD_DEPS} \
|
||||
&& rm -rf /tmp/* /var/cache/apk/* /root/.gnupg
|
||||
|
||||
COPY nginx.conf /etc/nginx/conf/nginx.conf
|
||||
COPY run.sh /usr/local/bin/run.sh
|
||||
COPY ssl_params /etc/nginx/conf/ssl_params
|
||||
COPY headers_params /etc/nginx/conf/headers_params
|
||||
COPY proxy_params /etc/nginx/conf/proxy_params
|
||||
|
||||
RUN chmod +x /usr/local/bin/*
|
||||
|
||||
EXPOSE 8000 4430
|
||||
|
||||
VOLUME /sites-enabled /www /conf.d /passwds /certs /var/log/nginx
|
||||
|
||||
LABEL description="nginx built from source." \
|
||||
openssl="LibreSSL ${LIBRESSL_VERSION}." \
|
||||
nginx="nginx ${NGINX_VERSION}."
|
||||
|
||||
CMD ["run.sh"]
|
|
@ -1,56 +0,0 @@
|
|||
## wonderfall/nginx
|
||||
|
||||
![](https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/115px-Nginx_logo.svg.png)
|
||||
|
||||
#### What is this?
|
||||
It is nginx statically linked against LibreSSL, with the following modules embedded : ngx_brotli (Brotli compression support) and headers_more. Secured by default (no root processes, even the master one), so it should be safe to use.
|
||||
|
||||
#### Features
|
||||
- Based on Alpine Linux Edge.
|
||||
- nginx built against **LibreSSL**.
|
||||
- nginx : Cloudfare's SPDY patch.
|
||||
- nginx : Cloudfare's dynamic TLS records patch.
|
||||
- nginx : securely built using hardening gcc flags.
|
||||
- nginx : HTTP/2 (+NPN) support.
|
||||
- nginx : Brotli compression support (and configured).
|
||||
- nginx : Headers More module.
|
||||
- nginx : no root master process.
|
||||
- nginx : AIO Threads support.
|
||||
- nginx : no unnessary modules (except fastcgi).
|
||||
- nginx : pcre-jit enabled.
|
||||
- nginx : optimized configuration.
|
||||
- ngxpasswd : generates a htpasswd file easily.
|
||||
- ngxproxy : generates a *proxy vhost* after asking you a few questions.
|
||||
|
||||
#### Notes
|
||||
It is required to chown your certs files with the right uid/pid and change the `listen` directive to 8000/4430 instead of 80/443. Linux 3.17+, and the latest Docker stable are recommended.
|
||||
|
||||
#### Volumes
|
||||
- **/sites-enabled** : vhosts files (*.conf)
|
||||
- **/conf.d** : additional configuration files
|
||||
- **/certs** : SSL/TLS certificates
|
||||
- **/var/log/nginx** : nginx logs
|
||||
- **/passwds** : authentication files
|
||||
- **/www** : put your websites there
|
||||
|
||||
#### Build-time variables
|
||||
- **NGINX_VERSION** : version of nginx
|
||||
- **LIBRESSL_VERSION** : version of LibreSSL
|
||||
- **GPG_NGINX** : fingerprint of signing key package
|
||||
- **GPG_LIBRESSL** : fingerprint of signing key package
|
||||
- **BUILD_CORES** : number of cores you'd like to build with (default : all)
|
||||
|
||||
#### Environment variables
|
||||
- **GID** : nginx group id *(default : 991)*
|
||||
- **UID** : nginx user id *(default : 991)*
|
||||
|
||||
#### How to use it?
|
||||
https://github.com/hardware/mailserver/wiki/Reverse-proxy-configuration
|
||||
|
||||
You can use `ngxproxy` to generate a *vhost* through an easy process : `docker exec -ti nginx ngxproxy`. `ngxpasswd` can generate htpasswd files : `docker exec -ti nginx ngxpasswd`. Both utilites are interactive so you won't feel lost.
|
||||
|
||||
Some configuration files located in `/etc/nginx/conf` are already provided, you can use them with the `include` directive.
|
||||
|
||||
- `ssl_params` : Provides a nice balance between compatibility and security.
|
||||
- `headers_params` : HSTS (+ preload), XSS protection, etc.
|
||||
- `proxy_params` : use with `proxy_pass`.
|
21
nginx/builder.sh
Executable file
21
nginx/builder.sh
Executable file
|
@ -0,0 +1,21 @@
|
|||
#!/bin/sh
|
||||
docker build -t registry.dryusdan.fr/dryusdan/nginx:ipv6 \
|
||||
--build-arg NGINX_MODULES=" \
|
||||
--with-http_ssl_module \
|
||||
--with-http_v2_module \
|
||||
--with-http_gzip_static_module \
|
||||
--with-http_stub_status_module \
|
||||
--with-file-aio \
|
||||
--with-threads \
|
||||
--with-pcre-jit \
|
||||
--with-ipv6 \
|
||||
--without-http_ssi_module \
|
||||
--without-http_scgi_module \
|
||||
--without-http_uwsgi_module \
|
||||
--without-http_geo_module \
|
||||
--without-http_autoindex_module \
|
||||
--without-http_split_clients_module \
|
||||
--without-http_memcached_module \
|
||||
--without-http_empty_gif_module \
|
||||
--without-http_browser_module " \
|
||||
github.com/Wonderfall/dockerfiles.git#master:boring-nginx
|
|
@ -1,3 +0,0 @@
|
|||
add_header X-Frame-Options SAMEORIGIN;
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-XSS-Protection "1; mode=block";
|
|
@ -1,87 +0,0 @@
|
|||
worker_processes auto;
|
||||
pid /tmp/nginx.pid;
|
||||
daemon off;
|
||||
pcre_jit on;
|
||||
|
||||
events {
|
||||
worker_connections 2048;
|
||||
use epoll;
|
||||
}
|
||||
|
||||
http {
|
||||
limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
|
||||
limit_conn limit_per_ip 128;
|
||||
limit_req_zone $binary_remote_addr zone=allips:10m rate=150r/s;
|
||||
limit_req zone=allips burst=150 nodelay;
|
||||
|
||||
more_set_headers 'Server: secret';
|
||||
|
||||
include /etc/nginx/conf/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
access_log /var/log/nginx/access.log combined;
|
||||
error_log /var/log/nginx/error.log crit;
|
||||
|
||||
fastcgi_temp_path /tmp/fastcgi 1 2;
|
||||
proxy_temp_path /tmp/proxy 1 2;
|
||||
client_body_temp_path /tmp/client_body 1 2;
|
||||
|
||||
client_body_buffer_size 10K;
|
||||
client_header_buffer_size 1k;
|
||||
client_max_body_size 8m;
|
||||
large_client_header_buffers 2 1k;
|
||||
|
||||
aio threads;
|
||||
sendfile on;
|
||||
keepalive_timeout 15;
|
||||
keepalive_disable msie6;
|
||||
keepalive_requests 100;
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
server_tokens off;
|
||||
|
||||
gzip on;
|
||||
gzip_comp_level 5;
|
||||
gzip_min_length 512;
|
||||
gzip_buffers 4 8k;
|
||||
gzip_proxied any;
|
||||
gzip_vary on;
|
||||
gzip_disable "msie6";
|
||||
gzip_types
|
||||
text/css
|
||||
text/javascript
|
||||
text/xml
|
||||
text/plain
|
||||
text/x-component
|
||||
application/javascript
|
||||
application/x-javascript
|
||||
application/json
|
||||
application/xml
|
||||
application/rss+xml
|
||||
application/vnd.ms-fontobject
|
||||
font/truetype
|
||||
font/opentype
|
||||
image/svg+xml;
|
||||
|
||||
brotli on;
|
||||
brotli_static on;
|
||||
brotli_buffers 16 8k;
|
||||
brotli_comp_level 6;
|
||||
brotli_types
|
||||
text/css
|
||||
text/javascript
|
||||
text/xml
|
||||
text/plain
|
||||
text/x-component
|
||||
application/javascript
|
||||
application/x-javascript
|
||||
application/json
|
||||
application/xml
|
||||
application/rss+xml
|
||||
application/vnd.ms-fontobject
|
||||
font/truetype
|
||||
font/opentype
|
||||
image/svg+xml;
|
||||
|
||||
include /sites-enabled/*.conf;
|
||||
}
|
|
@ -1,76 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
echo
|
||||
echo "Welcome to ngxpasswd utility."
|
||||
echo "We're about to create a password file."
|
||||
echo
|
||||
|
||||
cd /passwds || exit 1
|
||||
|
||||
while [ "$NAME" == "" ]; do
|
||||
read -p "Name: " NAME
|
||||
done
|
||||
|
||||
if [ -f "/passwds/$NAME.htpasswd" ]; then
|
||||
echo "ERROR: /passwds/$NAME.htpasswd already exists."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
while [ "$USER" == "" ]; do
|
||||
read -p "User: " USER
|
||||
done
|
||||
|
||||
read -p "Password (leave blank to generate one): " PASSWORD
|
||||
|
||||
if [ "$PASSWORD" == "" ]; then
|
||||
echo "Password was not defined, generating a random one..."
|
||||
PASSWORD=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)
|
||||
elif [ ${#PASSWORD} -le 6 ]; then
|
||||
echo "WARNING: Non-secure password."
|
||||
fi
|
||||
|
||||
echo -n $USER:$(openssl passwd -apr1 $PASSWORD) >> $NAME.htpasswd
|
||||
chown $UID:$GID $NAME.htpasswd
|
||||
chmod 640 $NAME.htpasswd
|
||||
|
||||
echo
|
||||
echo "A new password file has been saved to /passwds/$NAME.htpasswd :"
|
||||
echo "- Service : $NAME"
|
||||
echo "- User : $USER"
|
||||
echo "- Password : $PASSWORD"
|
||||
echo
|
||||
|
||||
if [ -f "/sites-enabled/$NAME.conf" ] && grep -q '#auth' /sites-enabled/$NAME.conf; then
|
||||
echo "vhost at /sites-enabled/$NAME.conf detected."
|
||||
|
||||
while [[ "$ADD" != "y" && "$ADD" != "n" ]]; do
|
||||
read -p "Add authentication to $NAME.conf? [y/n]: " ADD
|
||||
done
|
||||
|
||||
if [ "$ADD" == "y" ]; then
|
||||
cd /etc/nginx/conf
|
||||
sed -i -e 's/#auth/auth/g' -e "s/<NAME>/$NAME/g" /sites-enabled/$NAME.conf
|
||||
echo "Automatically added, please verify. Otherwise follow these instructions."
|
||||
echo
|
||||
fi
|
||||
fi
|
||||
|
||||
echo "Paste this to your vhost in order to enable auth :"
|
||||
echo " auth_basic \"Who's this?\";"
|
||||
echo " auth_basic_user_file /passwds/$NAME.htpasswd;"
|
||||
echo
|
||||
|
||||
if [ "$ADD" == "y" ]; then
|
||||
while [[ "$RELOAD" != "y" && "$RELOAD" != "n" ]]; do
|
||||
read -p "Reload nginx now? [y/n]: " RELOAD
|
||||
done
|
||||
|
||||
if [ "$RELOAD" == "y" ]; then
|
||||
su-exec $UID:$GID nginx -s reload
|
||||
echo "nginx successfully reloaded."
|
||||
else
|
||||
echo "Restart manually nginx to enable authentication."
|
||||
fi
|
||||
fi
|
||||
|
||||
exit 0
|
139
nginx/ngxproxy
139
nginx/ngxproxy
|
@ -1,139 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
echo
|
||||
echo "Welcome to ngxproxy utility."
|
||||
echo "We're about to create a new virtual host (AKA server block)."
|
||||
echo
|
||||
|
||||
while [ "$NAME" == "" ]; do
|
||||
read -p "Name: " NAME
|
||||
done
|
||||
|
||||
if [ -f "/sites-enabled/$NAME.conf" ]; then
|
||||
echo "ERROR: /sites-enabled/$NAME.conf already exists."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
while [ "$DOMAIN" == "" ]; do
|
||||
read -p "Domain: " DOMAIN
|
||||
done
|
||||
|
||||
if [ "$(dig +short $DOMAIN)" == "" ]; then
|
||||
echo "WARNING: $DOMAIN couldn't be resolved: it may not work!"
|
||||
echo "HINT: Is this domain correct? Did you update your DNS zone?"
|
||||
fi
|
||||
|
||||
read -p "Webroot (default is /): " WEBROOT
|
||||
|
||||
if [ "$WEBROOT" == "" ]; then
|
||||
WEBROOT="/"
|
||||
elif [ "$WEBROOT" != "/" ]; then
|
||||
echo "WARNING: You might have to add a proxy header to get your custom webroot working."
|
||||
|
||||
while [[ "$CONFIGURE_WEBROOT" != "y" && "$CONFIGURE_WEBROOT" != "n" ]]; do
|
||||
read -p "Is it required (by the app) to configure it? [y/n]: " CONFIGURE_WEBROOT
|
||||
done
|
||||
|
||||
if [ "$CONFIGURE_WEBROOT" == "y" ]; then
|
||||
while [ "$WEBROOT_HEADER" == "" ]; do
|
||||
read -p "Type the required proxy_set_header (like X-Script-Name): " WEBROOT_HEADER
|
||||
done
|
||||
fi
|
||||
fi
|
||||
|
||||
while [ "$CONTAINER" == "" ]; do
|
||||
read -p "Container: " CONTAINER
|
||||
done
|
||||
|
||||
ping -c 1 $CONTAINER >/dev/null 2>&1
|
||||
|
||||
if [ "$?" != "0" ]; then
|
||||
echo "WARNING: $CONTAINER seems to be unavailable. It may not work!"
|
||||
echo "HINT: Did you correctly link the container?"
|
||||
fi
|
||||
|
||||
read -p "Port (default is 80): " PORT
|
||||
|
||||
if [ "$PORT" == "" ]; then
|
||||
PORT="80"
|
||||
elif ! [ "$PORT" -eq "$PORT" ] 2>/dev/null; then
|
||||
echo "ERROR: an integer value was expected."
|
||||
exit 1
|
||||
elif [ "$PORT" -gt "65535" ]; then
|
||||
echo "ERROR: $PORT exceeds the maximum TCP port which is 65535"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
while [[ "$HTTPS" != "y" && "$HTTPS" != "n" ]]; do
|
||||
read -p "HTTPS [y/n]: " HTTPS
|
||||
done
|
||||
|
||||
if [ "$HTTPS" == "y" ]; then
|
||||
while [ ! -f "$CERTIFICATE_PATH" ]; do
|
||||
read -p "Certificate path: " CERTIFICATE_PATH
|
||||
done
|
||||
|
||||
while [ ! -f "$KEY_PATH" ]; do
|
||||
read -p "Certificate key path: " KEY_PATH
|
||||
done
|
||||
|
||||
cp -f /etc/nginx/conf/vhost_https.conf /tmp/${NAME}.conf
|
||||
|
||||
sed -i \
|
||||
-e "s|<CERTIFICATE_PATH>|$CERTIFICATE_PATH|g" \
|
||||
-e "s|<KEY_PATH>|$KEY_PATH|g" \
|
||||
/tmp/$NAME.conf
|
||||
|
||||
while [[ "$HEADERS" != "y" && "$HEADERS" != "n" ]]; do
|
||||
read -p "Secure headers [y/n]: " HEADERS
|
||||
done
|
||||
|
||||
if [ "$HEADERS" == "y" ]; then
|
||||
sed -i 's|#include /etc/nginx/conf/headers_params|include /etc/nginx/conf/headers_params|g' /tmp/$NAME.conf
|
||||
fi
|
||||
else
|
||||
cp -f /etc/nginx/conf/vhost_http.conf /tmp/${NAME}.conf
|
||||
fi
|
||||
|
||||
while [ "$MAX_BODY_SIZE" == "" ]; do
|
||||
read -p "Max body size in MB (integer/n): " MAX_BODY_SIZE
|
||||
done
|
||||
|
||||
if ! [ "$MAX_BODY_SIZE" -eq "$MAX_BODY_SIZE" ] 2>/dev/null && [ "$MAX_BODY_SIZE" != "n" ]; then
|
||||
echo "ERROR: Incorrect value."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ "$MAX_BODY_SIZE" != "n" ]; then
|
||||
sed -i "s|#client_max_body_size <MAX_BODY_SIZE>|client_max_body_size $MAX_BODY_SIZE|g" /tmp/$NAME.conf
|
||||
fi
|
||||
|
||||
if [ "$CONFIGURE_WEBROOT" == "y" ]; then
|
||||
sed -i "/proxy_pass/a \ \ \ \ proxy_set_header $WEBROOT_HEADER $WEBROOT;" /tmp/$NAME.conf
|
||||
fi
|
||||
|
||||
sed -i \
|
||||
-e "s|<DOMAIN>|$DOMAIN|g" \
|
||||
-e "s|<CONTAINER>|$CONTAINER|g" \
|
||||
-e "s|<PORT>|$PORT|g" \
|
||||
-e "s|<WEBROOT>|$WEBROOT|g" \
|
||||
/tmp/$NAME.conf
|
||||
|
||||
mv /tmp/$NAME.conf /sites-enabled/
|
||||
|
||||
echo
|
||||
echo "Done! $NAME.conf has been generated."
|
||||
|
||||
while [[ "$RELOAD" != "y" && "$RELOAD" != "n" ]]; do
|
||||
read -p "Reload nginx now? [y/n]: " RELOAD
|
||||
done
|
||||
|
||||
if [ "$RELOAD" == "y" ]; then
|
||||
su-exec $UID:$GID nginx -s reload
|
||||
echo "nginx successfully reloaded."
|
||||
else
|
||||
echo "Restart manually nginx to enable this new vhost."
|
||||
fi
|
||||
|
||||
echo
|
||||
exit 0
|
|
@ -1,6 +0,0 @@
|
|||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Remote-Port $remote_port;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_redirect off;
|
|
@ -1,4 +0,0 @@
|
|||
#!/bin/sh
|
||||
chown -R $UID:$GID /etc/nginx /var/log/nginx /sites-enabled /conf.d /certs /www /tmp
|
||||
chmod -R 700 /certs
|
||||
exec su-exec $UID:$GID /sbin/tini -- nginx
|
|
@ -1,10 +0,0 @@
|
|||
ssl_protocols TLSv1.2;
|
||||
ssl_ecdh_curve secp384r1;
|
||||
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
ssl_session_cache shared:SSL:20m;
|
||||
ssl_session_timeout 15m;
|
||||
ssl_session_tickets off;
|
||||
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
|
|
@ -1,14 +0,0 @@
|
|||
server {
|
||||
listen 8000;
|
||||
server_name <DOMAIN>;
|
||||
|
||||
#client_max_body_size <MAX_BODY_SIZE>M;
|
||||
|
||||
#auth_basic "Who's this?";
|
||||
#auth_basic_user_file /passwds/<NAME>.htpasswd;
|
||||
|
||||
location <WEBROOT> {
|
||||
proxy_pass http://<CONTAINER>:<PORT>;
|
||||
include /etc/nginx/conf/proxy_params;
|
||||
}
|
||||
}
|
|
@ -1,26 +0,0 @@
|
|||
server {
|
||||
listen 8000;
|
||||
server_name <DOMAIN>;
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 4430 ssl spdy http2;
|
||||
server_name <DOMAIN>;
|
||||
|
||||
ssl_certificate <CERTIFICATE_PATH>;
|
||||
ssl_certificate_key <KEY_PATH>;
|
||||
|
||||
include /etc/nginx/conf/ssl_params;
|
||||
include /etc/nginx/conf/headers_params;
|
||||
|
||||
#client_max_body_size <MAX_BODY_SIZE>M;
|
||||
|
||||
#auth_basic "Who's this?";
|
||||
#auth_basic_user_file /passwds/<NAME>.htpasswd;
|
||||
|
||||
location <WEBROOT> {
|
||||
proxy_pass http://<CONTAINER>:<PORT>;
|
||||
include /etc/nginx/conf/proxy_params;
|
||||
}
|
||||
}
|
Reference in a new issue