diff --git a/.gitea/workflows/build-nginx.yaml b/.gitea/workflows/build-nginx.yaml index 66ecb7b..7e7f02d 100644 --- a/.gitea/workflows/build-nginx.yaml +++ b/.gitea/workflows/build-nginx.yaml @@ -36,7 +36,9 @@ jobs: tags: | "gitea.woggioni.net/woggioni/nginx:latest" "gitea.woggioni.net/woggioni/nginx:v1.27.4" - build-args: "VERSION=1.27.3" + secrets: | + GIT_AUTH_TOKEN.github.com=${{ secrets.GH_ACCESS_TOKEN }} + build-args: "NGINX_VERSION=1.27.4" cache-from: type=registry,ref=gitea.woggioni.net/woggioni/nginx:buildx cache-to: type=registry,mode=max,compression=zstd,image-manifest=true,oci-mediatypes=true,ref=gitea.woggioni.net/woggioni/nginx:buildx diff --git a/nginx/Dockerfile b/nginx/Dockerfile index bd88faa..e7b30f8 100644 --- a/nginx/Dockerfile +++ b/nginx/Dockerfile 
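Review bot: The build argument is renamed to `NGINX_VERSION` here, but the `release` stage in nginx/Dockerfile still carries `ARG VERSION` and `ENV NGINX_VERSION=${VERSION}` as unchanged context lines. That stage therefore receives no value, and the label `nginx="nginx ${NGINX_VERSION}"` is built with an empty version. Change the release stage to `ARG NGINX_VERSION` and `ENV NGINX_VERSION=${NGINX_VERSION}`, or pass both names from the workflow. For the new `secrets:` entry, a comment stating which fetches need `GH_ACCESS_TOKEN` and that a read-only token is enough would help; the GitHub repositories added in the Dockerfile look like public ones.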
@@ -1,180 +1,102 @@ -FROM alpine:latest + +FROM alpine:latest AS base + +FROM alpine:latest AS build +ARG NGINX_VERSION LIBRESSL_VERSION=4.0.0 +ENV NGINX_VERSION=${NGINX_VERSION} +RUN --mount=type=cache,target=/var/cache/apk apk update +RUN --mount=type=cache,target=/var/cache/apk apk add \ + autoconf \ + automake \ + bind-tools \ + binutils \ + build-base \ + ca-certificates \ + cmake \ + curl \ + gcc \ + gd-dev \ + geoip-dev \ + git \ + gnupg \ + go \ + libc-dev \ + libgcc \ + libstdc++ \ + libtool \ + libxslt-dev \ + linux-headers \ + make \ + ninja \ + pcre \ + pcre-dev \ + perl-dev \ + su-exec \ + tar \ + tzdata \ + zlib \ + zlib-dev \ + mercurial +RUN adduser -D luser +USER luser +WORKDIR /home/luser +# ADD --chown=luser:luser https://boringssl.googlesource.com/boringssl.git boringssl +# RUN grep -qxF 'SET_TARGET_PROPERTIES(crypto PROPERTIES SOVERSION 1)' boringssl/crypto/CMakeLists.txt || echo -e '\nSET_TARGET_PROPERTIES(crypto PROPERTIES SOVERSION 1)' >> boringssl/crypto/CMakeLists.txt +# RUN grep -qxF 'SET_TARGET_PROPERTIES(ssl PROPERTIES SOVERSION 1)' boringssl/ssl/CMakeLists.txt || echo -e '\nSET_TARGET_PROPERTIES(ssl PROPERTIES SOVERSION 1)' >> boringssl/ssl/CMakeLists.txt +# RUN mkdir -p boringssl/build +# RUN cmake -G Ninja -B boringssl/build -S boringssl -DCMAKE_BUILD_TYPE=Release +# RUN cmake --build boringssl/build + +#RUN git clone --depth 1 --branch v4.0.0 https://github.com/libressl/portable.git libressl +ADD --chown=luser:luser https://cdn.openbsd.org/pub/OpenBSD/LibreSSL/libressl-${LIBRESSL_VERSION}.tar.gz libressl.tgz +RUN tar -xzf libressl.tgz && mv libressl-${LIBRESSL_VERSION} libressl && rm libressl.tgz +RUN mkdir -p libressl/build +RUN cmake -G Ninja -B libressl/build -S libressl \ + -DCMAKE_BUILD_TYPE=Release \ + -DLIBRESSL_APPS=OFF \ + -DLIBRESSL_SKIP_INSTALL=ON \ + -DENABLE_ASM=OFF \ + -DENABLE_NC=OFF \ + -DLIBRESSL_TESTS=OFF \ + -DBUILD_SHARED_LIBS=OFF +RUN cmake --build libressl/build + +ADD --chown=luser:luser 
https://github.com/nginx/nginx.git#release-${NGINX_VERSION} /nginx +ADD --chown=luser:luser https://github.com/openresty/headers-more-nginx-module.git /ngx_headers_more +ADD --chown=luser:luser https://github.com/google/ngx_brotli.git /ngx_brotli +USER root +WORKDIR / +RUN hg clone http://hg.nginx.org/njs /njs +RUN chown luser:luser -R /njs +USER luser +WORKDIR /home/luser +ADD --chown=luser:luser --chmod=755 ./build.sh ./build.sh +RUN ./build.sh + + +FROM base AS release ARG VERSION ENV NGINX_VERSION=${VERSION} -RUN GPG_KEYS=D6786CE303D9A9022998DC6CC8464D549AF75C0A \ - && CONFIG="\ - --prefix=/etc/nginx \ - --sbin-path=/usr/sbin/nginx \ - --modules-path=/usr/lib/nginx/modules \ - --conf-path=/etc/nginx/nginx.conf \ - --error-log-path=/var/log/nginx/error.log \ - --http-log-path=/var/log/nginx/access.log \ - --pid-path=/var/run/nginx.pid \ - --lock-path=/var/run/nginx.lock \ - --http-client-body-temp-path=/var/cache/nginx/client_temp \ - --http-proxy-temp-path=/var/cache/nginx/proxy_temp \ - --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \ - --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \ - --http-scgi-temp-path=/var/cache/nginx/scgi_temp \ - --user=nginx \ - --group=nginx \ - --with-http_ssl_module \ - --with-http_realip_module \ - --with-http_addition_module \ - --with-http_sub_module \ - --with-http_dav_module \ - --with-http_flv_module \ - --with-http_mp4_module \ - --with-http_gunzip_module \ - --with-http_gzip_static_module \ - --with-http_random_index_module \ - --with-http_secure_link_module \ - --with-http_stub_status_module \ - --with-http_auth_request_module \ - --with-http_xslt_module=dynamic \ - --with-http_image_filter_module=dynamic \ - --with-http_geoip_module=dynamic \ - --with-http_perl_module=dynamic \ - --with-threads \ - --with-stream \ - --with-stream_ssl_module \ - --with-stream_ssl_preread_module \ - --with-stream_realip_module \ - --with-stream_geoip_module=dynamic \ - --with-http_slice_module \ - --with-mail \ - 
--with-mail_ssl_module \ - --with-compat \ - --with-file-aio \ - --with-http_v2_module \ - --with-http_v3_module \ - --add-dynamic-module=/usr/src/ngx_headers_more \ - --add-dynamic-module=/usr/src/ngx_brotli \ - --add-dynamic-module=/usr/src/njs/nginx \ - " \ - && addgroup -S nginx \ - && adduser -D -S -h /var/cache/nginx -s /sbin/nologin -G nginx nginx \ - && apk add --no-cache --virtual .build-deps \ - autoconf \ - automake \ - bind-tools \ - binutils \ - build-base \ - ca-certificates \ - cmake \ - curl \ - gcc \ - gd-dev \ - geoip-dev \ - git \ - gnupg \ - go \ - libc-dev \ - libgcc \ - libstdc++ \ - libtool \ - libxslt-dev \ - linux-headers \ - make \ - pcre \ - pcre-dev \ - perl-dev \ - su-exec \ - tar \ - tzdata \ - zlib \ - zlib-dev \ - mercurial \ - && curl -fSL https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -o nginx-${NGINX_VERSION}.tar.gz \ - && curl -fSL https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz.asc -o nginx-${NGINX_VERSION}.tar.gz.asc \ - && export GNUPGHOME="$(mktemp -d)" \ - && found=''; \ - for server in \ - ha.pool.sks-keyservers.net \ - hkp://keyserver.ubuntu.com:80 \ - hkp://p80.pool.sks-keyservers.net:80 \ - pgp.mit.edu \ - ; do \ - echo "Fetching GPG key $GPG_KEYS from $server"; \ - gpg --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$GPG_KEYS" && found=yes && break; \ - done; \ - test -z "$found" && echo >&2 "error: failed to fetch GPG key $GPG_KEYS" && exit 1; \ - gpg --batch --verify nginx-${NGINX_VERSION}.tar.gz.asc nginx-${NGINX_VERSION}.tar.gz \ - && mkdir -p /usr/src \ - && tar -zxC /usr/src -f nginx-${NGINX_VERSION}.tar.gz \ - && rm nginx-${NGINX_VERSION}.tar.gz \ - && rm -rf "$GNUPGHOME" nginx-${NGINX_VERSION}.tar.gz.asc \ - && git clone --depth=1 --recurse-submodules https://github.com/google/ngx_brotli /usr/src/ngx_brotli \ - && git clone --depth=1 https://github.com/openresty/headers-more-nginx-module /usr/src/ngx_headers_more \ - && hg clone http://hg.nginx.org/njs /usr/src/njs \ - && 
(git clone https://boringssl.googlesource.com/boringssl /usr/src/boringssl \ - && cd /usr/src/boringssl && git checkout --force --quiet e648990 \ - && (grep -qxF 'SET_TARGET_PROPERTIES(crypto PROPERTIES SOVERSION 1)' /usr/src/boringssl/crypto/CMakeLists.txt || echo -e '\nSET_TARGET_PROPERTIES(crypto PROPERTIES SOVERSION 1)' >> /usr/src/boringssl/crypto/CMakeLists.txt) \ - && (grep -qxF 'SET_TARGET_PROPERTIES(ssl PROPERTIES SOVERSION 1)' /usr/src/boringssl/ssl/CMakeLists.txt || echo -e '\nSET_TARGET_PROPERTIES(ssl PROPERTIES SOVERSION 1)' >> /usr/src/boringssl/ssl/CMakeLists.txt) \ - && mkdir -p /usr/src/boringssl/build \ - && cmake -B/usr/src/boringssl/build -S/usr/src/boringssl -DCMAKE_BUILD_TYPE=RelWithDebInfo \ - && make -C/usr/src/boringssl/build -j$(getconf _NPROCESSORS_ONLN) \ - ) \ - && cd /usr/src/nginx-${NGINX_VERSION} \ - && curl -fSL https://raw.githubusercontent.com/nginx-modules/ngx_http_tls_dyn_size/master/nginx__dynamic_tls_records_1.27.2%2B.patch -o dynamic_tls_records.patch \ - && patch -p1 < dynamic_tls_records.patch \ - && ./configure $CONFIG --with-debug --with-cc-opt="-I/usr/src/boringssl/include" --with-ld-opt="-L/usr/src/boringssl/build/ssl -L/usr/src/boringssl/build/crypto" \ - && make -j$(getconf _NPROCESSORS_ONLN) \ - && mv objs/nginx objs/nginx-debug \ - && mv objs/ngx_http_xslt_filter_module.so objs/ngx_http_xslt_filter_module-debug.so \ - && mv objs/ngx_http_image_filter_module.so objs/ngx_http_image_filter_module-debug.so \ - && mv objs/ngx_http_geoip_module.so objs/ngx_http_geoip_module-debug.so \ - && mv objs/ngx_http_perl_module.so objs/ngx_http_perl_module-debug.so \ - && mv objs/ngx_stream_geoip_module.so objs/ngx_stream_geoip_module-debug.so \ - && ./configure $CONFIG --with-cc-opt="-I/usr/src/boringssl/include" --with-ld-opt="-L/usr/src/boringssl/build/ssl -L/usr/src/boringssl/build/crypto" \ - && make -j$(getconf _NPROCESSORS_ONLN) \ - && make install \ - && rm -rf /etc/nginx/html/ \ - && mkdir /etc/nginx/conf.d/ \ - && mkdir 
-p /usr/share/nginx/html/ \ - && install -m644 html/index.html /usr/share/nginx/html/ \ - && install -m644 html/50x.html /usr/share/nginx/html/ \ - && install -m755 objs/nginx-debug /usr/sbin/nginx-debug \ - && install -m755 objs/ngx_http_xslt_filter_module-debug.so /usr/lib/nginx/modules/ngx_http_xslt_filter_module-debug.so \ - && install -m755 objs/ngx_http_image_filter_module-debug.so /usr/lib/nginx/modules/ngx_http_image_filter_module-debug.so \ - && install -m755 objs/ngx_http_geoip_module-debug.so /usr/lib/nginx/modules/ngx_http_geoip_module-debug.so \ - && install -m755 objs/ngx_http_perl_module-debug.so /usr/lib/nginx/modules/ngx_http_perl_module-debug.so \ - && install -m755 objs/ngx_stream_geoip_module-debug.so /usr/lib/nginx/modules/ngx_stream_geoip_module-debug.so \ - && ln -s ../../usr/lib/nginx/modules /etc/nginx/modules \ - && strip /usr/sbin/nginx* \ - && strip /usr/lib/nginx/modules/*.so \ - && rm -rf /usr/src/nginx-${NGINX_VERSION} \ - && rm -rf /usr/src/boringssl /usr/src/ngx_* /usr/src/njs \ - \ - # Bring in gettext so we can get `envsubst`, then throw - # the rest away. To do this, we need to install `gettext` - # then move `envsubst` out of the way so `gettext` can - # be deleted completely, then move `envsubst` back. 
- && apk add --no-cache --virtual .gettext gettext \ - && mv /usr/bin/envsubst /tmp/ \ - \ - && runDeps="$( \ - scanelf --needed --nobanner /usr/sbin/nginx /usr/lib/nginx/modules/*.so /tmp/envsubst \ - | awk '{ gsub(/,/, "\nso:", $2); print "so:" $2 }' \ - | sort -u \ - | xargs -r apk info --installed \ - | sort -u \ - ) tzdata ca-certificates" \ - && apk add --no-cache --virtual .nginx-rundeps $runDeps \ - && apk del .build-deps \ - && apk del .gettext \ - && mv /tmp/envsubst /usr/local/bin/ \ - \ - # forward request and error logs to docker log collector - && ln -sf /dev/stdout /var/log/nginx/access.log \ - && ln -sf /dev/stderr /var/log/nginx/error.log + +RUN addgroup -S nginx +RUN adduser -D -S -h /var/cache/nginx -s /sbin/nologin -G nginx nginx + +RUN --mount=type=cache,target=/var/cache/apk apk add --virtual .install_deps make perl-dev gettext binutils +RUN --mount=type=cache,target=/var/cache/apk \ + --mount=type=bind,from=build,source=/nginx,target=/nginx \ + --mount=type=bind,from=build,source=/ngx_headers_more,target=/ngx_headers_more \ + --mount=type=bind,from=build,source=/ngx_brotli,target=/ngx_brotli \ + --mount=type=bind,from=build,source=/njs,target=/njs \ + --mount=type=bind,source=install.sh,target=/install.sh \ + (cd nginx && sh /install.sh) +RUN --mount=type=cache,target=/var/cache/apk apk del .install_deps COPY conf/nginx.conf /etc/nginx/nginx.conf COPY conf/nginx.vh.no-default.conf /etc/nginx/conf.d/default.conf -LABEL description="NGINX Docker built top of rolling release BoringSSL" \ - maintainer="Denis Denisov " \ - openssl="BoringSSL" \ +LABEL description="NGINX Docker built top of LibreSSL" \ + maintainer="Walter Oggioni " \ + openssl="LibreSSL" \ nginx="nginx ${NGINX_VERSION}" EXPOSE 80 443 443/udp diff --git a/nginx/build.sh b/nginx/build.sh new file mode 100644 index 0000000..1bc85ef --- /dev/null +++ b/nginx/build.sh 
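Review bot: The rewritten `build` stage no longer authenticates any of the sources it compiles. The removed `gpg --batch --verify` of the nginx tarball has no replacement (nginx is now pinned only to the tag `release-${NGINX_VERSION}`), and the LibreSSL tarball is fetched by a plain `ADD` with no checksum. `headers-more-nginx-module` and `ngx_brotli` are taken from whatever their default branch holds at build time, and njs is still cloned over plain `http://`. I would pin the tarball with `ADD --checksum=sha256:<libressl-tarball-sha256> --chown=luser:luser https://cdn.openbsd.org/...`, give each git `ADD` a commit ref (`...git#<commit-sha>`), and clone njs over HTTPS at a fixed revision. Both stages also start `FROM alpine:latest`, so the toolchain and runtime base are unpinned; a versioned tag or digest would make the image reproducible.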
@@ -0,0 +1,61 @@
+#!/usr/bin/env sh
+
+set -e
+
+CONFIG='
+ --prefix=/etc/nginx
+ --sbin-path=/usr/sbin/nginx
+ --modules-path=/usr/lib/nginx/modules
+ --conf-path=/etc/nginx/nginx.conf
+ --error-log-path=/var/log/nginx/error.log
+ --http-log-path=/var/log/nginx/access.log
+ --pid-path=/var/run/nginx.pid
+ --lock-path=/var/run/nginx.lock
+ --http-client-body-temp-path=/var/cache/nginx/client_temp
+ --http-proxy-temp-path=/var/cache/nginx/proxy_temp
+ --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
+ --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
+ --http-scgi-temp-path=/var/cache/nginx/scgi_temp
+ --user=nginx
+ --group=nginx
+ --with-http_ssl_module
+ --with-http_realip_module
+ --with-http_addition_module
+ --with-http_sub_module
+ --with-http_dav_module
+ --with-http_flv_module
+ --with-http_mp4_module
+ --with-http_gunzip_module
+ --with-http_gzip_static_module
+ --with-http_random_index_module
+ --with-http_secure_link_module
+ --with-http_stub_status_module
+ --with-http_auth_request_module
+ --with-http_xslt_module=dynamic
+ --with-http_geoip_module=dynamic
+ --with-threads
+ --with-stream
+ --with-stream_ssl_module
+ --with-stream_ssl_preread_module
+ --with-stream_realip_module
+ --with-stream_geoip_module=dynamic
+ --with-http_slice_module
+ --with-mail
+ --with-mail_ssl_module
+ --with-compat
+ --with-file-aio
+ --with-http_v2_module
+ --with-http_v3_module
+ --add-dynamic-module=/ngx_headers_more
+ --add-dynamic-module=/ngx_brotli
+ --add-dynamic-module=/njs/nginx
+'
+
+cd /nginx
+curl -fSL https://raw.githubusercontent.com/nginx-modules/ngx_http_tls_dyn_size/master/nginx__dynamic_tls_records_1.27.2%2B.patch -o dynamic_tls_records.patch
+patch -p1 < dynamic_tls_records.patch
+
+auto/configure $CONFIG \
+ --with-cc-opt="-I/home/luser/libressl/build/include" \
+ --with-ld-opt="-lstdc++ -L/home/luser/libressl/build/ssl -L/home/luser/libressl/build/crypto"
+make -j$(nproc)
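Review bot: The patch applied to the nginx tree is downloaded from the `master` branch of `nginx-modules/ngx_http_tls_dyn_size` and fed to `patch -p1` with no integrity check, so whatever that branch serves at build time is compiled into the server. Reference the file by a commit hash in the URL instead of `master`, and verify it between the `curl` and `patch` lines, e.g. `echo "<sha256-of-patch>  dynamic_tls_records.patch" | sha256sum -c -`. Vendoring the patch next to build.sh and adding it to the image the same way build.sh is added would remove the network fetch from the build entirely.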
diff --git a/nginx/conf/nginx.conf b/nginx/conf/nginx.conf index 6eb25e6..9f2eb9d 100644 --- a/nginx/conf/nginx.conf +++ b/nginx/conf/nginx.conf @@ -1,9 +1,9 @@ -# load_module modules/ngx_http_xslt_filter_module.so; -# load_module modules/ngx_http_image_filter_module.so; -# load_module modules/ngx_http_geoip_module.so; -# load_module modules/ngx_http_perl_module.so; -# load_module modules/ngx_stream_geoip_module.so; +load_module modules/ngx_http_xslt_filter_module.so; +#load_module modules/ngx_http_image_filter_module.so; +load_module modules/ngx_http_geoip_module.so; +#load_module modules/ngx_http_perl_module.so; +load_module modules/ngx_stream_geoip_module.so; load_module modules/ngx_http_headers_more_filter_module.so; load_module modules/ngx_http_brotli_static_module.so; load_module modules/ngx_http_brotli_filter_module.so; 
@@ -41,9 +41,9 @@ http { keepalive_disable msie6; ssl_dyn_rec_enable on; - ssl_protocols TLSv1.2 TLSv1.3; + ssl_protocols TLSv1.3; ssl_ecdh_curve X25519:P-521:P-384; - ssl_ciphers [ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES256-GCM-SHA384|ECDHE-RSA-AES256-GCM-SHA384]:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256; + ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-CAMELLIA256-SHA256:DHE-RSA-CAMELLIA256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA256:DHE-RSA-CAMELLIA128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA256:CAMELLIA128-SHA; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:1m; ssl_session_timeout 1h; @@ -52,8 +52,10 @@ http { http2 on; http3 on; + http3_hq on; + quic_gso on; quic_retry on; - #ssl_early_data on; + ssl_early_data off; gzip_static on; gzip on; 
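Review bot: The new `ssl_ciphers` value lists many suites for TLS 1.2 and earlier that lack forward secrecy or AEAD (`AES256-SHA`, `CAMELLIA128-SHA`, `DHE-RSA-AES128-SHA` and others), although `ssl_protocols` on the line above is narrowed to `TLSv1.3`. They are inert while only TLS 1.3 is offered, but this is the `http`-level default, so any server block that re-enables `TLSv1.2` inherits static-RSA and CBC/SHA-1 suites. Trim the list to the three `TLS_*` suites plus the ECDHE AEAD suites the removed value had, and add a comment recording how the linked LibreSSL treats TLS 1.3 names in a cipher list. The enclosing `http {` block starts and ends outside the hunk.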
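Review bot: `http3_hq on;` turns on negotiation of the hq-interop protocol, which the nginx documentation describes as meant for QUIC interoperability tests, so it adds a protocol to the image's default `http` block that ordinary clients do not use. Drop the line, or keep it with a comment that says why it is needed, e.g. `# http3_hq: QUIC interop testing only, remove for production`. `quic_gso on;` relies on UDP segmentation offload support on the host; a one-line comment noting that assumption would help operators. The enclosing `http {` block continues outside the hunk.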
@@ -62,30 +64,64 @@ http { gzip_proxied any; gzip_vary on; gzip_disable "msie6"; - gzip_types - text/plain - text/css - text/x-component - text/javascript application/javascript application/x-javascript - text/xml application/xml application/rss+xml - application/json - application/vnd.ms-fontobject - font/truetype font/opentype - image/svg+xml; + + gzip_types + application/atom+xml + application/javascript + application/json + application/ld+json + application/manifest+json + application/rss+xml + application/vnd.geo+json + application/vnd.ms-fontobject + application/x-font-ttf + application/x-web-app-manifest+json + application/xhtml+xml + application/xml + font/opentype + image/bmp + image/svg+xml + image/x-icon + text/cache-manifest + text/css + text/plain + text/vcard + text/vnd.rim.location.xloc + text/vtt text/x-component + text/x-cross-domain-policy + application/wasm; + + brotli_static on; brotli on; brotli_comp_level 6; - brotli_types - text/plain - text/css - text/x-component - text/javascript application/javascript application/x-javascript - text/xml application/xml application/rss+xml - application/json - application/vnd.ms-fontobject - font/truetype font/opentype - image/svg+xml; + brotli_types + application/atom+xml + application/javascript + application/json + application/rss+xml + application/vnd.ms-fontobject + application/x-font-opentype + application/x-font-truetype + application/x-font-ttf + application/x-javascript + application/xhtml+xml + application/xml + font/eot + font/opentype + font/otf + font/truetype + image/svg+xml + image/vnd.microsoft.icon + image/x-icon + image/x-win-bitmap + text/css + text/javascript + text/plain + text/xml + application/wasm; + include /etc/nginx/conf.d/*.conf; } diff --git a/nginx/conf/nginx.vh.no-default.conf b/nginx/conf/nginx.vh.no-default.conf index 9c8d437..0653838 100644 --- a/nginx/conf/nginx.vh.no-default.conf +++ b/nginx/conf/nginx.vh.no-default.conf 
@@ -11,6 +11,7 @@ server { } server { - listen 443 ssl http2 default_server; + listen 443 ssl default_server; + http2 on; ssl_reject_handshake on; } diff --git a/nginx/install.sh b/nginx/install.sh new file mode 100644 index 0000000..ab3ca9f --- /dev/null +++ b/nginx/install.sh @@ -0,0 +1,27 @@ +#!/usr/bin/env sh +set -e +make install +rm -rf /etc/nginx/html/ +mkdir -p /etc/nginx/conf.d/ +mkdir -p /usr/share/nginx/html/ +install -m644 docs/html/index.html /usr/share/nginx/html/ +install -m644 docs/html/50x.html /usr/share/nginx/html/ +ln -s ../../usr/lib/nginx/modules /etc/nginx/modules +strip /usr/sbin/nginx* +strip /usr/lib/nginx/modules/*.so + +# Bring in gettext so we can get `envsubst`, then throw +# the rest away. To do this, we need to install `gettext` +# then move `envsubst` out of the way so `gettext` can +# be deleted completely, then move `envsubst` back. + +apk add --no-cache --virtual .gettext gettext +mv /usr/bin/envsubst /tmp/ +runDeps="libintl libxml2 musl zlib tzdata ca-certificates pcre brotli-libs libxslt geoip" +apk add --no-cache $runDeps +apk del .gettext +mv /tmp/envsubst /usr/local/bin/ +# forward request and error logs to docker log collect +mkdir -p /var/log/nginx +ln -sf /dev/stdout /var/log/nginx/access.log +ln -sf /dev/stderr /var/log/nginx/error.log \ No newline at end of file
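Review bot: In install.sh, `runDeps` is now a hand-maintained package list replacing the removed `scanelf --needed` scan of the installed binary and modules, so a library the build links against can be missing at runtime without the build failing. build.sh links with `-lstdc++`, and neither `libstdc++` nor `libgcc` is in the list; if the binary ends up needing them, they may disappear when `.install_deps` is deleted. A check that fails the build on an unresolved library would catch this, for example `RUN nginx -t` after the two `COPY conf/...` lines in the Dockerfile. The comment above the list should also state that it must be updated whenever a module is added to `CONFIG` in build.sh.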