Dryusdan/Dockerfiles
Archived
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Update dockerfile

Browse source
This commit is contained in:
Dryusdan 2017-04-16 14:54:30 +02:00
parent d6a0954df6
commit 23ec5fa32c
17 changed files with 148 additions and 545 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
.gitlab-ci.yml
View file

@ -5,6 +5,7 @@ stages:
- buildphpFuelPHP
- buildetherpad
- buildGrav
- buildMonitoring
- pushOnGithub
before_script:
@ -27,7 +28,7 @@ buildNginx:
- docker
- build
script:
- docker build -t registry.dryusdan.fr/dryusdan/nginx:ipv6 nginx/
- sh nginx/builder.sh
- docker push registry.dryusdan.fr/dryusdan/nginx:ipv6
- docker rmi registry.dryusdan.fr/dryusdan/nginx:ipv6
@ -62,6 +63,16 @@ buildGrav:
- docker push registry.dryusdan.fr/dryusdan/php:grav
- docker rmi registry.dryusdan.fr/dryusdan/php:grav
buildMonitoring:
stage: buildMonitoring
tags:
- docker
- build
script:
- docker build -t registry.dryusdan.fr/dryusdan/cachet-monitoring cachet-monitoring
- docker push registry.dryusdan.fr/dryusdan/cachet-monitoring
- docker rmi registry.dryusdan.fr/dryusdan/cachet-monitoring
pushOnGithub:
stage: pushOnGithub
tags:

4
README.md
View file

@ -1,5 +1,5 @@
# Dockerfile
[![build status](https://git.dryusdan.fr/Dryusdan/Dockerfiles/badges/master/build.svg)](https://git.dryusdan.fr/Dryusdan/Dockerfiles/commits/master)
[![build status](https://git.drycat.fr/Dryusdan/Dockerfiles/badges/master/build.svg)](https://git.drycat.fr/Dryusdan/Dockerfiles/commits/master)
## What ?
In this repository, you will find lots of dockerfiles, with a philosophy of being as light as possible, easy to use.
@ -10,4 +10,4 @@ Now, all my images is build and push with my own [gitlab instance](https://gitla
If you don't trust, you can build yourself images. Instructions are on README.
## Contributing
Any contributions, are very welcome !
Any contributions, are very welcome !

15
cachet-monitoring/Dockerfile Normal file
View file

@ -0,0 +1,15 @@
FROM golang:1.8-alpine
ARG VERSION=3.0
ADD monitoring/ /monitoring
WORKDIR /monitoring/
RUN apk -U add wget ca-certificates \
&& wget https://github.com/CastawayLabs/cachet-monitor/releases/download/v${VERSION}/cachet_monitor_linux_amd64 \
&& mv cachet_monitor_linux_amd64 cachet-monitor \
&& chmod +x cachet-monitor \
&& chmod +x start.sh
ENTRYPOINT ["./start.sh"]
CMD ["./cachet-monitor", "-c", "/monitoring/config.json"]

91
cachet-monitoring/monitoring/config.json Normal file
View file

@ -0,0 +1,91 @@
{
"api": {
"url": "https://status.drycat.fr/api/v1",
"token": "E0ZZuIEIuUsfBpQdw1z6",
"insecure": false
},
"date_format": "02/01/2006 15:04:05 MST",
"monitors": [
{
"name": "Blog Drycat",
"target":"https://www.drycat.fr",
"strict": true,
"method": "GET",
"component_id": 8,
"template": {
"investigating": {
"subject": "{{ .Monitor.Name }} - {{ .SystemName }}",
"message": "{{ .Monitor.Name }} check **failed** (server time: {{ .now }})\n\n{{ .FailReason }}"
},
"fixed": {
"subject": "Le service est revenu à la normal"
}
},
"interval": 10,
"timeout": 5,
"threshold": 80,
"expected_status_code": 200
},
{
"name": "Miaou",
"target":"https://miaou.drycat.fr",
"strict": true,
"method": "GET",
"component_id": 1,
"metric_id": 3,
"template": {
"investigating": {
"subject": "{{ .Monitor.Name }} - {{ .SystemName }}",
"message": "{{ .Monitor.Name }} check **failed** (server time: {{ .now }})\n\n{{ .FailReason }}"
},
"fixed": {
"subject": "Le service est revenu à la normal"
}
},
"interval": 10,
"timeout": 5,
"threshold": 80,
"expected_status_code": 200
},
{
"name": "Lutim",
"target":"https://img.drycat.fr",
"strict": true,
"method": "GET",
"component_id": 2,
"template": {
"investigating": {
"subject": "{{ .Monitor.Name }} - {{ .SystemName }}",
"message": "{{ .Monitor.Name }} check **failed** (server time: {{ .now }})\n\n{{ .FailReason }}"
},
"fixed": {
"subject": "Le service est revenu à la normal"
}
},
"interval": 10,
"timeout": 5,
"threshold": 80,
"expected_status_code": 200
},
{
"name": "PrivateBin",
"target":"https://paste.drycat.fr",
"strict": true,
"method": "GET",
"component_id": 3,
"template": {
"investigating": {
"subject": "{{ .Monitor.Name }} - {{ .SystemName }}",
"message": "{{ .Monitor.Name }} check **failed** (server time: {{ .now }})\n\n{{ .FailReason }}"
},
"fixed": {
"subject": "Le service est revenu à la normal"
}
},
"interval": 10,
"timeout": 5,
"threshold": 80,
"expected_status_code": 200
}
]
}

7
cachet-monitoring/monitoring/start.sh Normal file
View file

@ -0,0 +1,7 @@
#!/bin/sh
if [ $# -eq 0 ]; then
exec ./cachet-monitor -c config.json
else
exec $@
fi

121
nginx/Dockerfile
View file

@ -1,121 +0,0 @@
FROM alpine:3.5
# MAINTAINER Wonderfall <https://github.com/Wonderfall/dockerfiles>
MAINTAINER Dryusdan
ENV UID=991 GID=991
ARG NGINX_VERSION=1.11.13
ARG LIBRESSL_VERSION=2.5.2
ARG GPG_LIBRESSL="A1EB 079B 8D3E B92B 4EBD 3139 663A F51B D5E4 D8D5"
ARG GPG_NGINX="B0F4 2533 73F8 F6F5 10D4 2178 520A 9993 A1C0 52F8"
ARG BUILD_CORES
RUN echo "@commuedge https://nl.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories \
&& NB_CORES=${BUILD_CORES-$(getconf _NPROCESSORS_CONF)} \
&& BUILD_DEPS=" \
build-base \
linux-headers \
ca-certificates \
automake \
autoconf \
git \
tar \
libtool \
pcre-dev \
zlib-dev \
binutils \
gnupg" \
&& apk -U add \
${BUILD_DEPS} \
pcre \
zlib \
libgcc \
libstdc++ \
su-exec \
openssl \
bind-tools \
tini@commuedge \
&& cd /tmp \
&& git clone https://github.com/bagder/libbrotli --depth=1 && cd libbrotli \
&& ./autogen.sh && ./configure && make -j ${NB_CORES} && make install \
&& cd /tmp \
&& git clone https://github.com/google/ngx_brotli --depth=1 \
&& git clone https://github.com/openresty/headers-more-nginx-module --depth=1 \
&& cp -R /tmp/libbrotli/brotli /tmp/ngx_brotli/deps \
&& LIBRESSL_TARBALL="libressl-${LIBRESSL_VERSION}.tar.gz" \
&& wget -q http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/${LIBRESSL_TARBALL} \
&& echo "Verifying ${LIBRESSL_TARBALL} using GPG..." \
&& wget -q http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/${LIBRESSL_TARBALL}.asc \
&& wget -q http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl.asc \
&& gpg --import libressl.asc \
&& FINGERPRINT="$(LANG=C gpg --verify ${LIBRESSL_TARBALL}.asc ${LIBRESSL_TARBALL} 2>&1 \
| sed -n "s#Primary key fingerprint: \(.*\)#\1#p")" \
&& if [ -z "${FINGERPRINT}" ]; then echo "Warning! Invalid GPG signature!" && exit 1; fi \
&& if [ "${FINGERPRINT}" != "${GPG_LIBRESSL}" ]; then echo "Warning! Wrong GPG fingerprint!" && exit 1; fi \
&& echo "All seems good, now unpacking ${LIBRESSL_TARBALL}..." \
&& tar xzf ${LIBRESSL_TARBALL} \
&& NGINX_TARBALL="nginx-${NGINX_VERSION}.tar.gz" \
&& wget -q https://nginx.org/download/${NGINX_TARBALL} \
&& echo "Verifying ${NGINX_TARBALL} using GPG..." \
&& wget -q https://nginx.org/download/${NGINX_TARBALL}.asc \
&& wget -q https://nginx.org/keys/mdounin.key \
&& gpg --import mdounin.key \
&& FINGERPRINT="$(LANG=C gpg --verify ${NGINX_TARBALL}.asc ${NGINX_TARBALL} 2>&1 \
| sed -n "s#Primary key fingerprint: \(.*\)#\1#p")" \
&& if [ -z "${FINGERPRINT}" ]; then echo "Warning! Invalid GPG signature!" && exit 1; fi \
&& if [ "${FINGERPRINT}" != "${GPG_NGINX}" ]; then echo "Warning! Wrong GPG fingerprint!" && exit 1; fi \
&& echo "All seems good, now unpacking ${NGINX_TARBALL}..." \
&& tar xzf ${NGINX_TARBALL} && cd nginx-${NGINX_VERSION} \
&& wget -q https://raw.githubusercontent.com/cloudflare/sslconfig/acc5f83b5fdf2ee28ad7f6b6530f4152f2883601/patches/nginx__1.11.5_dynamic_tls_records.patch -O nginx__dynamic_tls_records.patch \
&& echo "error is here" \
&& patch -p1 < nginx__dynamic_tls_records.patch \
&& echo "launch configure" \
&& ./configure \
--prefix=/etc/nginx \
--sbin-path=/usr/sbin/nginx \
--with-cc-opt='-O3 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wno-deprecated-declarations' \
--with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro' \
--with-openssl=/tmp/libressl-${LIBRESSL_VERSION} \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_gzip_static_module \
--with-http_stub_status_module \
--with-file-aio \
--with-threads \
--with-pcre-jit \
--with-ipv6 \
--without-http_ssi_module \
--without-http_scgi_module \
--without-http_uwsgi_module \
--without-http_geo_module \
--without-http_autoindex_module \
--without-http_split_clients_module \
--without-http_memcached_module \
--without-http_empty_gif_module \
--without-http_browser_module \
--http-log-path=/var/log/nginx/access.log \
--error-log-path=/var/log/nginx/error.log \
--add-module=/tmp/headers-more-nginx-module \
--add-module=/tmp/ngx_brotli \
&& make -j ${NB_CORES} && make install && make clean \
&& strip -s /usr/sbin/nginx \
&& apk del ${BUILD_DEPS} \
&& rm -rf /tmp/* /var/cache/apk/* /root/.gnupg
COPY nginx.conf /etc/nginx/conf/nginx.conf
COPY run.sh /usr/local/bin/run.sh
COPY ssl_params /etc/nginx/conf/ssl_params
COPY headers_params /etc/nginx/conf/headers_params
COPY proxy_params /etc/nginx/conf/proxy_params
RUN chmod +x /usr/local/bin/*
EXPOSE 8000 4430
VOLUME /sites-enabled /www /conf.d /passwds /certs /var/log/nginx
LABEL description="nginx built from source." \
openssl="LibreSSL ${LIBRESSL_VERSION}." \
nginx="nginx ${NGINX_VERSION}."
CMD ["run.sh"]

56
nginx/README.md
View file

@ -1,56 +0,0 @@
## wonderfall/nginx
![](https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/115px-Nginx_logo.svg.png)
#### What is this?
It is nginx statically linked against LibreSSL, with the following modules embedded : ngx_brotli (Brotli compression support) and headers_more. Secured by default (no root processes, even the master one), so it should be safe to use.
#### Features
- Based on Alpine Linux Edge.
- nginx built against **LibreSSL**.
- nginx : Cloudfare's SPDY patch.
- nginx : Cloudfare's dynamic TLS records patch.
- nginx : securely built using hardening gcc flags.
- nginx : HTTP/2 (+NPN) support.
- nginx : Brotli compression support (and configured).
- nginx : Headers More module.
- nginx : no root master process.
- nginx : AIO Threads support.
- nginx : no unnessary modules (except fastcgi).
- nginx : pcre-jit enabled.
- nginx : optimized configuration.
- ngxpasswd : generates a htpasswd file easily.
- ngxproxy : generates a *proxy vhost* after asking you a few questions.
#### Notes
It is required to chown your certs files with the right uid/pid and change the `listen` directive to 8000/4430 instead of 80/443. Linux 3.17+, and the latest Docker stable are recommended.
#### Volumes
- **/sites-enabled** : vhosts files (*.conf)
- **/conf.d** : additional configuration files
- **/certs** : SSL/TLS certificates
- **/var/log/nginx** : nginx logs
- **/passwds** : authentication files
- **/www** : put your websites there
#### Build-time variables
- **NGINX_VERSION** : version of nginx
- **LIBRESSL_VERSION** : version of LibreSSL
- **GPG_NGINX** : fingerprint of signing key package
- **GPG_LIBRESSL** : fingerprint of signing key package
- **BUILD_CORES** : number of cores you'd like to build with (default : all)
#### Environment variables
- **GID** : nginx group id *(default : 991)*
- **UID** : nginx user id *(default : 991)*
#### How to use it?
https://github.com/hardware/mailserver/wiki/Reverse-proxy-configuration
You can use `ngxproxy` to generate a *vhost* through an easy process : `docker exec -ti nginx ngxproxy`. `ngxpasswd` can generate htpasswd files : `docker exec -ti nginx ngxpasswd`. Both utilites are interactive so you won't feel lost.
Some configuration files located in `/etc/nginx/conf` are already provided, you can use them with the `include` directive.
- `ssl_params` : Provides a nice balance between compatibility and security.
- `headers_params` : HSTS (+ preload), XSS protection, etc.
- `proxy_params` : use with `proxy_pass`.

21
nginx/builder.sh Executable file
View file

@ -0,0 +1,21 @@
#!/bin/sh
docker build -t registry.dryusdan.fr/dryusdan/nginx:ipv6 \
--build-arg NGINX_MODULES=" \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_gzip_static_module \
--with-http_stub_status_module \
--with-file-aio \
--with-threads \
--with-pcre-jit \
--with-ipv6 \
--without-http_ssi_module \
--without-http_scgi_module \
--without-http_uwsgi_module \
--without-http_geo_module \
--without-http_autoindex_module \
--without-http_split_clients_module \
--without-http_memcached_module \
--without-http_empty_gif_module \
--without-http_browser_module " \
github.com/Wonderfall/dockerfiles.git#master:boring-nginx

3
nginx/headers_params
View file

@ -1,3 +0,0 @@
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

87
nginx/nginx.conf
View file

@ -1,87 +0,0 @@
worker_processes auto;
pid /tmp/nginx.pid;
daemon off;
pcre_jit on;
events {
worker_connections 2048;
use epoll;
}
http {
limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
limit_conn limit_per_ip 128;
limit_req_zone $binary_remote_addr zone=allips:10m rate=150r/s;
limit_req zone=allips burst=150 nodelay;
more_set_headers 'Server: secret';
include /etc/nginx/conf/mime.types;
default_type application/octet-stream;
access_log /var/log/nginx/access.log combined;
error_log /var/log/nginx/error.log crit;
fastcgi_temp_path /tmp/fastcgi 1 2;
proxy_temp_path /tmp/proxy 1 2;
client_body_temp_path /tmp/client_body 1 2;
client_body_buffer_size 10K;
client_header_buffer_size 1k;
client_max_body_size 8m;
large_client_header_buffers 2 1k;
aio threads;
sendfile on;
keepalive_timeout 15;
keepalive_disable msie6;
keepalive_requests 100;
tcp_nopush on;
tcp_nodelay on;
server_tokens off;
gzip on;
gzip_comp_level 5;
gzip_min_length 512;
gzip_buffers 4 8k;
gzip_proxied any;
gzip_vary on;
gzip_disable "msie6";
gzip_types
text/css
text/javascript
text/xml
text/plain
text/x-component
application/javascript
application/x-javascript
application/json
application/xml
application/rss+xml
application/vnd.ms-fontobject
font/truetype
font/opentype
image/svg+xml;
brotli on;
brotli_static on;
brotli_buffers 16 8k;
brotli_comp_level 6;
brotli_types
text/css
text/javascript
text/xml
text/plain
text/x-component
application/javascript
application/x-javascript
application/json
application/xml
application/rss+xml
application/vnd.ms-fontobject
font/truetype
font/opentype
image/svg+xml;
include /sites-enabled/*.conf;
}

76
nginx/ngxpasswd
View file

@ -1,76 +0,0 @@
#!/bin/sh
echo
echo "Welcome to ngxpasswd utility."
echo "We're about to create a password file."
echo
cd /passwds || exit 1
while [ "$NAME" == "" ]; do
read -p "Name: " NAME
done
if [ -f "/passwds/$NAME.htpasswd" ]; then
echo "ERROR: /passwds/$NAME.htpasswd already exists."
exit 1
fi
while [ "$USER" == "" ]; do
read -p "User: " USER
done
read -p "Password (leave blank to generate one): " PASSWORD
if [ "$PASSWORD" == "" ]; then
echo "Password was not defined, generating a random one..."
PASSWORD=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)
elif [ ${#PASSWORD} -le 6 ]; then
echo "WARNING: Non-secure password."
fi
echo -n $USER:$(openssl passwd -apr1 $PASSWORD) >> $NAME.htpasswd
chown $UID:$GID $NAME.htpasswd
chmod 640 $NAME.htpasswd
echo
echo "A new password file has been saved to /passwds/$NAME.htpasswd :"
echo "- Service : $NAME"
echo "- User : $USER"
echo "- Password : $PASSWORD"
echo
if [ -f "/sites-enabled/$NAME.conf" ] && grep -q '#auth' /sites-enabled/$NAME.conf; then
echo "vhost at /sites-enabled/$NAME.conf detected."
while [[ "$ADD" != "y" && "$ADD" != "n" ]]; do
read -p "Add authentication to $NAME.conf? [y/n]: " ADD
done
if [ "$ADD" == "y" ]; then
cd /etc/nginx/conf
sed -i -e 's/#auth/auth/g' -e "s/<NAME>/$NAME/g" /sites-enabled/$NAME.conf
echo "Automatically added, please verify. Otherwise follow these instructions."
echo
fi
fi
echo "Paste this to your vhost in order to enable auth :"
echo " auth_basic \"Who's this?\";"
echo " auth_basic_user_file /passwds/$NAME.htpasswd;"
echo
if [ "$ADD" == "y" ]; then
while [[ "$RELOAD" != "y" && "$RELOAD" != "n" ]]; do
read -p "Reload nginx now? [y/n]: " RELOAD
done
if [ "$RELOAD" == "y" ]; then
su-exec $UID:$GID nginx -s reload
echo "nginx successfully reloaded."
else
echo "Restart manually nginx to enable authentication."
fi
fi
exit 0

139
nginx/ngxproxy
View file

@ -1,139 +0,0 @@
#!/bin/sh
echo
echo "Welcome to ngxproxy utility."
echo "We're about to create a new virtual host (AKA server block)."
echo
while [ "$NAME" == "" ]; do
read -p "Name: " NAME
done
if [ -f "/sites-enabled/$NAME.conf" ]; then
echo "ERROR: /sites-enabled/$NAME.conf already exists."
exit 1
fi
while [ "$DOMAIN" == "" ]; do
read -p "Domain: " DOMAIN
done
if [ "$(dig +short $DOMAIN)" == "" ]; then
echo "WARNING: $DOMAIN couldn't be resolved: it may not work!"
echo "HINT: Is this domain correct? Did you update your DNS zone?"
fi
read -p "Webroot (default is /): " WEBROOT
if [ "$WEBROOT" == "" ]; then
WEBROOT="/"
elif [ "$WEBROOT" != "/" ]; then
echo "WARNING: You might have to add a proxy header to get your custom webroot working."
while [[ "$CONFIGURE_WEBROOT" != "y" && "$CONFIGURE_WEBROOT" != "n" ]]; do
read -p "Is it required (by the app) to configure it? [y/n]: " CONFIGURE_WEBROOT
done
if [ "$CONFIGURE_WEBROOT" == "y" ]; then
while [ "$WEBROOT_HEADER" == "" ]; do
read -p "Type the required proxy_set_header (like X-Script-Name): " WEBROOT_HEADER
done
fi
fi
while [ "$CONTAINER" == "" ]; do
read -p "Container: " CONTAINER
done
ping -c 1 $CONTAINER >/dev/null 2>&1
if [ "$?" != "0" ]; then
echo "WARNING: $CONTAINER seems to be unavailable. It may not work!"
echo "HINT: Did you correctly link the container?"
fi
read -p "Port (default is 80): " PORT
if [ "$PORT" == "" ]; then
PORT="80"
elif ! [ "$PORT" -eq "$PORT" ] 2>/dev/null; then
echo "ERROR: an integer value was expected."
exit 1
elif [ "$PORT" -gt "65535" ]; then
echo "ERROR: $PORT exceeds the maximum TCP port which is 65535"
exit 1
fi
while [[ "$HTTPS" != "y" && "$HTTPS" != "n" ]]; do
read -p "HTTPS [y/n]: " HTTPS
done
if [ "$HTTPS" == "y" ]; then
while [ ! -f "$CERTIFICATE_PATH" ]; do
read -p "Certificate path: " CERTIFICATE_PATH
done
while [ ! -f "$KEY_PATH" ]; do
read -p "Certificate key path: " KEY_PATH
done
cp -f /etc/nginx/conf/vhost_https.conf /tmp/${NAME}.conf
sed -i \
-e "s|<CERTIFICATE_PATH>|$CERTIFICATE_PATH|g" \
-e "s|<KEY_PATH>|$KEY_PATH|g" \
/tmp/$NAME.conf
while [[ "$HEADERS" != "y" && "$HEADERS" != "n" ]]; do
read -p "Secure headers [y/n]: " HEADERS
done
if [ "$HEADERS" == "y" ]; then
sed -i 's|#include /etc/nginx/conf/headers_params|include /etc/nginx/conf/headers_params|g' /tmp/$NAME.conf
fi
else
cp -f /etc/nginx/conf/vhost_http.conf /tmp/${NAME}.conf
fi
while [ "$MAX_BODY_SIZE" == "" ]; do
read -p "Max body size in MB (integer/n): " MAX_BODY_SIZE
done
if ! [ "$MAX_BODY_SIZE" -eq "$MAX_BODY_SIZE" ] 2>/dev/null && [ "$MAX_BODY_SIZE" != "n" ]; then
echo "ERROR: Incorrect value."
exit 1
fi
if [ "$MAX_BODY_SIZE" != "n" ]; then
sed -i "s|#client_max_body_size <MAX_BODY_SIZE>|client_max_body_size $MAX_BODY_SIZE|g" /tmp/$NAME.conf
fi
if [ "$CONFIGURE_WEBROOT" == "y" ]; then
sed -i "/proxy_pass/a \ \ \ \ proxy_set_header $WEBROOT_HEADER $WEBROOT;" /tmp/$NAME.conf
fi
sed -i \
-e "s|<DOMAIN>|$DOMAIN|g" \
-e "s|<CONTAINER>|$CONTAINER|g" \
-e "s|<PORT>|$PORT|g" \
-e "s|<WEBROOT>|$WEBROOT|g" \
/tmp/$NAME.conf
mv /tmp/$NAME.conf /sites-enabled/
echo
echo "Done! $NAME.conf has been generated."
while [[ "$RELOAD" != "y" && "$RELOAD" != "n" ]]; do
read -p "Reload nginx now? [y/n]: " RELOAD
done
if [ "$RELOAD" == "y" ]; then
su-exec $UID:$GID nginx -s reload
echo "nginx successfully reloaded."
else
echo "Restart manually nginx to enable this new vhost."
fi
echo
exit 0

6
nginx/proxy_params
View file

@ -1,6 +0,0 @@
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Remote-Port $remote_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;

4
nginx/run.sh
View file

@ -1,4 +0,0 @@
#!/bin/sh
chown -R $UID:$GID /etc/nginx /var/log/nginx /sites-enabled /conf.d /certs /www /tmp
chmod -R 700 /certs
exec su-exec $UID:$GID /sbin/tini -- nginx

10
nginx/ssl_params
View file

@ -1,10 +0,0 @@
ssl_protocols TLSv1.2;
ssl_ecdh_curve secp384r1;
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 15m;
ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

14
nginx/vhost_http.conf
View file

@ -1,14 +0,0 @@
server {
listen 8000;
server_name <DOMAIN>;
#client_max_body_size <MAX_BODY_SIZE>M;
#auth_basic "Who's this?";
#auth_basic_user_file /passwds/<NAME>.htpasswd;
location <WEBROOT> {
proxy_pass http://<CONTAINER>:<PORT>;
include /etc/nginx/conf/proxy_params;
}
}

26
nginx/vhost_https.conf
View file

@ -1,26 +0,0 @@
server {
listen 8000;
server_name <DOMAIN>;
return 301 https://$host$request_uri;
}
server {
listen 4430 ssl spdy http2;
server_name <DOMAIN>;
ssl_certificate <CERTIFICATE_PATH>;
ssl_certificate_key <KEY_PATH>;
include /etc/nginx/conf/ssl_params;
include /etc/nginx/conf/headers_params;
#client_max_body_size <MAX_BODY_SIZE>M;
#auth_basic "Who's this?";
#auth_basic_user_file /passwds/<NAME>.htpasswd;
location <WEBROOT> {
proxy_pass http://<CONTAINER>:<PORT>;
include /etc/nginx/conf/proxy_params;
}
}