From 22eeb783b84ba78d3f85b403f045598078e19d7e Mon Sep 17 00:00:00 2001
From: Walter Oggioni
Date: Tue, 17 Sep 2024 11:33:49 +0800
Subject: [PATCH] added nginx docker image
---
 nginx/Dockerfile | 187 ++++++++++++++++++++++++++++
 nginx/conf/nginx.conf | 90 +++++++++++++
 nginx/conf/nginx.vh.no-default.conf | 16 +++
 3 files changed, 293 insertions(+)
 create mode 100644 nginx/Dockerfile
 create mode 100644 nginx/conf/nginx.conf
 create mode 100644 nginx/conf/nginx.vh.no-default.conf
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
new file mode 100644
index 0000000..87463ba
--- /dev/null
+++ b/nginx/Dockerfile
@@ -0,0 +1,187 @@
+FROM alpine:latest
+ARG VERSION
+ENV NGINX_VERSION=${VERSION}
+RUN GPG_KEYS=D6786CE303D9A9022998DC6CC8464D549AF75C0A \
+ && CONFIG="\
+ --prefix=/etc/nginx \
+ --sbin-path=/usr/sbin/nginx \
+ --modules-path=/usr/lib/nginx/modules \
+ --conf-path=/etc/nginx/nginx.conf \
+ --error-log-path=/var/log/nginx/error.log \
+ --http-log-path=/var/log/nginx/access.log \
+ --pid-path=/var/run/nginx.pid \
+ --lock-path=/var/run/nginx.lock \
+ --http-client-body-temp-path=/var/cache/nginx/client_temp \
+ --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
+ --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
+ --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
+ --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
+ --user=nginx \
+ --group=nginx \
+ --with-http_ssl_module \
+ --with-http_realip_module \
+ --with-http_addition_module \
+ --with-http_sub_module \
+ --with-http_dav_module \
+ --with-http_flv_module \
+ --with-http_mp4_module \
+ --with-http_gunzip_module \
+ --with-http_gzip_static_module \
+ --with-http_random_index_module \
+ --with-http_secure_link_module \
+ --with-http_stub_status_module \
+ --with-http_auth_request_module \
+ --with-http_xslt_module=dynamic \
+ --with-http_image_filter_module=dynamic \
+ --with-http_geoip_module=dynamic \
+ --with-http_perl_module=dynamic \
+ --with-threads \
+ --with-stream \
+ --with-stream_ssl_module \
+ --with-stream_ssl_preread_module \
+ --with-stream_realip_module \
+ --with-stream_geoip_module=dynamic \
+ --with-http_slice_module \
+ --with-mail \
+ --with-mail_ssl_module \
+ --with-compat \
+ --with-file-aio \
+ --with-http_v2_module \
+ --with-http_v3_module \
+ --add-dynamic-module=/usr/src/ngx_headers_more \
+ --add-dynamic-module=/usr/src/ngx_brotli \
+ --add-dynamic-module=/usr/src/njs/nginx \
+ " \
+ && addgroup -S nginx \
+ && adduser -D -S -h /var/cache/nginx -s /sbin/nologin -G nginx nginx \
+ && apk add --no-cache --virtual .build-deps \
+ autoconf \
+ automake \
+ bind-tools \
+ binutils \
+ build-base \
+ ca-certificates \
+ cmake \
+ curl \
+ gcc \
+ gd-dev \
+ geoip-dev \
+ git \
+ gnupg \
+ go \
+ libc-dev \
+ libgcc \
+ libstdc++ \
+ libtool \
+ libxslt-dev \
+ linux-headers \
+ make \
+ pcre \
+ pcre-dev \
+ perl-dev \
+ su-exec \
+ tar \
+ tzdata \
+ zlib \
+ zlib-dev \
+ mercurial \
+ && curl -fSL https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -o nginx-${NGINX_VERSION}.tar.gz \
+ && curl -fSL https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz.asc -o nginx-${NGINX_VERSION}.tar.gz.asc \
+ && export GNUPGHOME="$(mktemp -d)" \
+ && found=''; \
+ for server in \
+ ha.pool.sks-keyservers.net \
+ hkp://keyserver.ubuntu.com:80 \
+ hkp://p80.pool.sks-keyservers.net:80 \
+ pgp.mit.edu \
+ ; do \
+ echo "Fetching GPG key $GPG_KEYS from $server"; \
+ gpg --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$GPG_KEYS" && found=yes && break; \
+ done; \
+ test -z "$found" && echo >&2 "error: failed to fetch GPG key $GPG_KEYS" && exit 1; \
+ gpg --batch --verify nginx-${NGINX_VERSION}.tar.gz.asc nginx-${NGINX_VERSION}.tar.gz \
+ && mkdir -p /usr/src \
+ && tar -zxC /usr/src -f nginx-${NGINX_VERSION}.tar.gz \
+ && rm nginx-${NGINX_VERSION}.tar.gz \
+ && rm -rf "$GNUPGHOME" nginx-${NGINX_VERSION}.tar.gz.asc \
+ && git clone --depth=1 --recurse-submodules https://github.com/google/ngx_brotli /usr/src/ngx_brotli \
+ && git clone --depth=1 https://github.com/openresty/headers-more-nginx-module /usr/src/ngx_headers_more \
+ && hg clone http://hg.nginx.org/njs /usr/src/njs \
+ && (git clone https://boringssl.googlesource.com/boringssl /usr/src/boringssl \
+ && cd /usr/src/boringssl && git checkout --force --quiet e648990 \
+ && (grep -qxF 'SET_TARGET_PROPERTIES(crypto PROPERTIES SOVERSION 1)' /usr/src/boringssl/crypto/CMakeLists.txt || echo -e '\nSET_TARGET_PROPERTIES(crypto PROPERTIES SOVERSION 1)' >> /usr/src/boringssl/crypto/CMakeLists.txt) \
+ && (grep -qxF 'SET_TARGET_PROPERTIES(ssl PROPERTIES SOVERSION 1)' /usr/src/boringssl/ssl/CMakeLists.txt || echo -e '\nSET_TARGET_PROPERTIES(ssl PROPERTIES SOVERSION 1)' >> /usr/src/boringssl/ssl/CMakeLists.txt) \
+ && mkdir -p /usr/src/boringssl/build \
+ && cmake -B/usr/src/boringssl/build -S/usr/src/boringssl -DCMAKE_BUILD_TYPE=RelWithDebInfo \
+ && make -C/usr/src/boringssl/build -j$(getconf _NPROCESSORS_ONLN) \
+ ) \
+ && cd /usr/src/nginx-${NGINX_VERSION} \
+ && curl -fSL https://raw.githubusercontent.com/nginx-modules/ngx_http_tls_dyn_size/master/nginx__dynamic_tls_records_1.25.1%2B.patch -o dynamic_tls_records.patch \
+ && patch -p1 < dynamic_tls_records.patch \
+ && ./configure $CONFIG --with-debug --with-cc-opt="-I/usr/src/boringssl/include" --with-ld-opt="-L/usr/src/boringssl/build/ssl -L/usr/src/boringssl/build/crypto" \
+ && make -j$(getconf _NPROCESSORS_ONLN) \
+ && mv objs/nginx objs/nginx-debug \
+ && mv objs/ngx_http_xslt_filter_module.so objs/ngx_http_xslt_filter_module-debug.so \
+ && mv objs/ngx_http_image_filter_module.so objs/ngx_http_image_filter_module-debug.so \
+ && mv objs/ngx_http_geoip_module.so objs/ngx_http_geoip_module-debug.so \
+ && mv objs/ngx_http_perl_module.so objs/ngx_http_perl_module-debug.so \
+ && mv objs/ngx_stream_geoip_module.so objs/ngx_stream_geoip_module-debug.so \
+ && ./configure $CONFIG --with-cc-opt="-I/usr/src/boringssl/include" --with-ld-opt="-L/usr/src/boringssl/build/ssl -L/usr/src/boringssl/build/crypto" \
+ && make -j$(getconf _NPROCESSORS_ONLN) \
+ && make install \
+ && rm -rf /etc/nginx/html/ \
+ && mkdir /etc/nginx/conf.d/ \
+ && mkdir -p /usr/share/nginx/html/ \
+ && install -m644 html/index.html /usr/share/nginx/html/ \
+ && install -m644 html/50x.html /usr/share/nginx/html/ \
+ && install -m755 objs/nginx-debug /usr/sbin/nginx-debug \
+ && install -m755 objs/ngx_http_xslt_filter_module-debug.so /usr/lib/nginx/modules/ngx_http_xslt_filter_module-debug.so \
+ && install -m755 objs/ngx_http_image_filter_module-debug.so /usr/lib/nginx/modules/ngx_http_image_filter_module-debug.so \
+ && install -m755 objs/ngx_http_geoip_module-debug.so /usr/lib/nginx/modules/ngx_http_geoip_module-debug.so \
+ && install -m755 objs/ngx_http_perl_module-debug.so /usr/lib/nginx/modules/ngx_http_perl_module-debug.so \
+ && install -m755 objs/ngx_stream_geoip_module-debug.so /usr/lib/nginx/modules/ngx_stream_geoip_module-debug.so \
+ && ln -s ../../usr/lib/nginx/modules /etc/nginx/modules \
+ && strip /usr/sbin/nginx* \
+ && strip /usr/lib/nginx/modules/*.so \
+ && rm -rf /usr/src/nginx-${NGINX_VERSION} \
+ && rm -rf /usr/src/boringssl /usr/src/ngx_* /usr/src/njs \
+ \
+ # Bring in gettext so we can get `envsubst`, then throw
+ # the rest away. To do this, we need to install `gettext`
+ # then move `envsubst` out of the way so `gettext` can
+ # be deleted completely, then move `envsubst` back.
+ && apk add --no-cache --virtual .gettext gettext \
+ && mv /usr/bin/envsubst /tmp/ \
+ \
+ && runDeps="$( \
+ scanelf --needed --nobanner /usr/sbin/nginx /usr/lib/nginx/modules/*.so /tmp/envsubst \
+ | awk '{ gsub(/,/, "\nso:", $2); print "so:" $2 }' \
+ | sort -u \
+ | xargs -r apk info --installed \
+ | sort -u \
+ ) tzdata ca-certificates" \
+ && apk add --no-cache --virtual .nginx-rundeps $runDeps \
+ && apk del .build-deps \
+ && apk del .gettext \
+ && mv /tmp/envsubst /usr/local/bin/ \
+ \
+ # forward request and error logs to docker log collector
+ && ln -sf /dev/stdout /var/log/nginx/access.log \
+ && ln -sf /dev/stderr /var/log/nginx/error.log
+
+COPY conf/nginx.conf /etc/nginx/nginx.conf
+COPY conf/nginx.vh.no-default.conf /etc/nginx/conf.d/default.conf
+
+RUN APK_ARCH="$(cat /etc/apk/arch)"
+
+LABEL description="NGINX Docker built top of rolling release BoringSSL" \
+ maintainer="Denis Denisov " \
+ openssl="BoringSSL" \
+ nginx="nginx ${NGINX_VERSION}" \
+ arch="$APK_ARCH"
+
+EXPOSE 80 443 443/udp
+
+STOPSIGNAL SIGTERM
+
+CMD ["nginx", "-g", "daemon off;"]
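Review bot: The GPG verification of `nginx-${NGINX_VERSION}.tar.gz` is undermined a few lines later, where the verified tree is rewritten by `dynamic_tls_records.patch` fetched from the floating `master` of a third-party repository with no checksum, then linked against modules cloned at whatever HEAD `ngx_brotli` and `headers-more-nginx-module` happen to have and against njs pulled over plaintext `http://hg.nginx.org/njs`; only BoringSSL is pinned (`e648990`). Pin and verify each input: `&& hg clone https://hg.nginx.org/njs /usr/src/njs \`, replace `master` in the raw.githubusercontent.com URL with a commit SHA, add `&& echo "<sha256>  dynamic_tls_records.patch" | sha256sum -c - \` right after the download (hash taken from a reviewed copy), and give the two `git clone --depth=1` calls a `--branch <tag>`. The keyserver loop tries `ha.pool.sks-keyservers.net` and `p80.pool.sks-keyservers.net` first, which as far as I know have been offline since 2021, so each build burns 10-second timeouts before `keyserver.ubuntu.com` answers — drop them or list the ubuntu entry first. `FROM alpine:latest` also makes the runtime libraries resolved by the `scanelf`/`apk add .nginx-rundeps` step non-reproducible between builds; pin a tag or digest. Not security-related, but `APK_ARCH` is a shell variable inside a `RUN`, so `LABEL arch="$APK_ARCH"` expands to an empty string — use the BuildKit `ARG TARGETARCH` instead.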
diff --git a/nginx/conf/nginx.conf b/nginx/conf/nginx.conf
new file mode 100644
index 0000000..27550fa
--- /dev/null
+++ b/nginx/conf/nginx.conf
@@ -0,0 +1,90 @@
+
+# load_module modules/ngx_http_xslt_filter_module.so;
+# load_module modules/ngx_http_image_filter_module.so;
+# load_module modules/ngx_http_geoip_module.so;
+# load_module modules/ngx_http_perl_module.so;
+# load_module modules/ngx_stream_geoip_module.so;
+load_module modules/ngx_http_headers_more_filter_module.so;
+load_module modules/ngx_http_brotli_static_module.so;
+#load_module modules/ngx_http_brotli_filter_module.so;
+#load_module modules/ngx_http_js_module.so;
+
+user nginx;
+worker_processes 1;
+
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+pcre_jit on;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ aio threads;
+
+ tcp_nopush on;
+ tcp_nodelay on;
+ server_tokens off;
+
+ keepalive_disable msie6;
+
+ ssl_dyn_rec_enable on;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ecdh_curve X25519:P-521:P-384;
+ ssl_ciphers [ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES256-GCM-SHA384|ECDHE-RSA-AES256-GCM-SHA384]:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:20m;
+ ssl_session_timeout 15m;
+ ssl_session_tickets off;
+
+ http2 on;
+ http3 on;
+ quic_retry on;
+ #ssl_early_data on;
+
+ gzip_static on;
+ gzip on;
+ gzip_comp_level 5;
+ gzip_min_length 512;
+ gzip_proxied any;
+ gzip_vary on;
+ gzip_disable "msie6";
+ gzip_types
+ text/plain
+ text/css
+ text/x-component
+ text/javascript application/javascript application/x-javascript
+ text/xml application/xml application/rss+xml
+ application/json
+ application/vnd.ms-fontobject
+ font/truetype font/opentype
+ image/svg+xml;
+
+ brotli_static on;
+ #brotli on;
+ #brotli_comp_level 6;
+ #brotli_types
+ # text/plain
+ # text/css
+ # text/x-component
+ # text/javascript application/javascript application/x-javascript
+ # text/xml application/xml application/rss+xml
+ # application/json
+ # application/vnd.ms-fontobject
+ # font/truetype font/opentype
+ # image/svg+xml;
+
+ include /etc/nginx/conf.d/*.conf;
+}
diff --git a/nginx/conf/nginx.vh.no-default.conf b/nginx/conf/nginx.vh.no-default.conf
new file mode 100644
index 0000000..9c8d437
--- /dev/null
+++ b/nginx/conf/nginx.vh.no-default.conf
@@ -0,0 +1,16 @@
+# Drop requests for unknown hosts
+#
+# If no default server is defined, nginx will use the first found server.
+# To prevent host header attacks, or other potential problems when an unknown
+# servername is used in a request, it's recommended to drop the request
+# returning 444 "no response".
+
+server {
+ listen 80 default_server;
+ return 444;
+}
+
+server {
+ listen 443 ssl http2 default_server;
+ ssl_reject_handshake on;
+}
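Review bot: `gzip on` combined with `gzip_proxied any` and a `gzip_types` list that includes `application/json` and `text/plain` (plus `text/html`, which nginx compresses regardless of `gzip_types`) compresses dynamic, proxied responses over the TLS listeners configured in this same block, which is the precondition for BREACH-style extraction of a session or CSRF token whenever a backend reflects request data next to it; `brotli_static on` does not share the problem because it only serves pre-compressed files. Because this is the image-wide default that every `conf.d/*.conf` inherits, either narrow it (e.g. `gzip_proxied no-cache no-store private;`, or keep `gzip on` only in `location` blocks that serve static assets) or at minimum leave a comment such as `# gzip also applies to proxied dynamic responses — disable per-location where a response embeds secrets (BREACH)`. Separately, `ssl_dyn_rec_enable on` only parses when the binary carries the ngx_http_tls_dyn_size patch applied in nginx/Dockerfile, so nginx built without it will refuse to start with an "unknown directive"; a comment like `# requires the ngx_http_tls_dyn_size patch (see nginx/Dockerfile)` above that line would save the next maintainer that surprise.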
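Review bot: The catch-all on `listen 443 ssl http2 default_server;` covers TCP only: the Dockerfile exposes `443/udp` and nginx.conf sets `http3 on`, but no default QUIC server exists, so the first `conf.d` vhost that adds `listen 443 quic` becomes the implicit default for unknown SNI over HTTP/3 and the `ssl_reject_handshake` protection is bypassed on that path. Add `listen 443 quic default_server;` next to the existing line — as far as I recall `ssl_reject_handshake` is honoured on QUIC listeners in the releases that support `http3 on`, but confirm it against the pinned nginx version. The `http2` parameter on that `listen` line is also deprecated once the `http2 on;` directive used in nginx.conf exists, so every start will log a deprecation warning; `listen 443 ssl default_server;` is sufficient.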