switched nginx from boringssl to libressl

.gitea/workflows/build-nginx.yaml

@@ -36,7 +36,9 @@ jobs:
           tags: |
             "gitea.woggioni.net/woggioni/nginx:latest"
             "gitea.woggioni.net/woggioni/nginx:v1.27.4"
-          build-args: "VERSION=1.27.3"
+          secrets: |
+            GIT_AUTH_TOKEN.github.com=${{ secrets.GH_ACCESS_TOKEN }}
+          build-args: "NGINX_VERSION=1.27.4"
           cache-from: type=registry,ref=gitea.woggioni.net/woggioni/nginx:buildx
           cache-to: type=registry,mode=max,compression=zstd,image-manifest=true,oci-mediatypes=true,ref=gitea.woggioni.net/woggioni/nginx:buildx
 

nginx/Dockerfile

@@ -1,180 +1,102 @@
-FROM alpine:latest
+
+FROM alpine:latest AS base
+
+FROM alpine:latest AS build
+ARG NGINX_VERSION LIBRESSL_VERSION=4.0.0
+ENV NGINX_VERSION=${NGINX_VERSION}
+RUN --mount=type=cache,target=/var/cache/apk apk update
+RUN --mount=type=cache,target=/var/cache/apk apk add \
+	autoconf \
+	automake \
+	bind-tools \
+	binutils \
+	build-base \
+	ca-certificates \
+	cmake \
+	curl \
+	gcc \
+	gd-dev \
+	geoip-dev \
+	git \
+	gnupg \
+	go \
+	libc-dev \
+	libgcc \
+	libstdc++ \
+	libtool \
+	libxslt-dev \
+	linux-headers \
+	make \
+	ninja \
+	pcre \
+	pcre-dev \
+	perl-dev \
+	su-exec \
+	tar \
+	tzdata \
+	zlib \
+	zlib-dev \
+	mercurial
+RUN adduser -D luser
+USER luser
+WORKDIR /home/luser
+# ADD --chown=luser:luser https://boringssl.googlesource.com/boringssl.git boringssl
+# RUN grep -qxF 'SET_TARGET_PROPERTIES(crypto PROPERTIES SOVERSION 1)' boringssl/crypto/CMakeLists.txt || echo -e '\nSET_TARGET_PROPERTIES(crypto PROPERTIES SOVERSION 1)' >> boringssl/crypto/CMakeLists.txt
+# RUN grep -qxF 'SET_TARGET_PROPERTIES(ssl PROPERTIES SOVERSION 1)' boringssl/ssl/CMakeLists.txt || echo -e '\nSET_TARGET_PROPERTIES(ssl PROPERTIES SOVERSION 1)' >> boringssl/ssl/CMakeLists.txt
+# RUN mkdir -p boringssl/build
+# RUN cmake -G Ninja -B boringssl/build -S boringssl -DCMAKE_BUILD_TYPE=Release
+# RUN cmake --build boringssl/build
+
+#RUN git clone --depth 1 --branch v4.0.0 https://github.com/libressl/portable.git libressl
+ADD --chown=luser:luser https://cdn.openbsd.org/pub/OpenBSD/LibreSSL/libressl-${LIBRESSL_VERSION}.tar.gz libressl.tgz
+RUN tar -xzf libressl.tgz && mv libressl-${LIBRESSL_VERSION} libressl && rm libressl.tgz
+RUN mkdir -p libressl/build
+RUN cmake -G Ninja -B libressl/build -S libressl \ 
+	-DCMAKE_BUILD_TYPE=Release \
+	-DLIBRESSL_APPS=OFF \
+	-DLIBRESSL_SKIP_INSTALL=ON \
+	-DENABLE_ASM=OFF \
+	-DENABLE_NC=OFF \
+	-DLIBRESSL_TESTS=OFF \
+	-DBUILD_SHARED_LIBS=OFF
+RUN cmake --build libressl/build
+
+ADD --chown=luser:luser https://github.com/nginx/nginx.git#release-${NGINX_VERSION} /nginx
+ADD --chown=luser:luser https://github.com/openresty/headers-more-nginx-module.git /ngx_headers_more
+ADD --chown=luser:luser https://github.com/google/ngx_brotli.git /ngx_brotli
+USER root
+WORKDIR /
+RUN hg clone http://hg.nginx.org/njs /njs
+RUN chown luser:luser -R /njs
+USER luser
+WORKDIR /home/luser
+ADD --chown=luser:luser --chmod=755 ./build.sh ./build.sh
+RUN ./build.sh
+
+
+FROM base AS release
 ARG VERSION
 ENV NGINX_VERSION=${VERSION}
-RUN GPG_KEYS=D6786CE303D9A9022998DC6CC8464D549AF75C0A \
+
-	&& CONFIG="\
+RUN addgroup -S nginx
-		--prefix=/etc/nginx \
+RUN adduser -D -S -h /var/cache/nginx -s /sbin/nologin -G nginx nginx
-		--sbin-path=/usr/sbin/nginx \
+
-		--modules-path=/usr/lib/nginx/modules \
+RUN --mount=type=cache,target=/var/cache/apk apk add --virtual .install_deps make perl-dev gettext binutils
-		--conf-path=/etc/nginx/nginx.conf \
+RUN --mount=type=cache,target=/var/cache/apk \
-		--error-log-path=/var/log/nginx/error.log \
+    --mount=type=bind,from=build,source=/nginx,target=/nginx \
-		--http-log-path=/var/log/nginx/access.log \
+    --mount=type=bind,from=build,source=/ngx_headers_more,target=/ngx_headers_more \
-		--pid-path=/var/run/nginx.pid \
+    --mount=type=bind,from=build,source=/ngx_brotli,target=/ngx_brotli \
-		--lock-path=/var/run/nginx.lock \
+    --mount=type=bind,from=build,source=/njs,target=/njs \
-		--http-client-body-temp-path=/var/cache/nginx/client_temp \
+	--mount=type=bind,source=install.sh,target=/install.sh \
-		--http-proxy-temp-path=/var/cache/nginx/proxy_temp \
+	 (cd nginx && sh /install.sh)
-		--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
+RUN --mount=type=cache,target=/var/cache/apk apk del .install_deps
-		--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
-		--http-scgi-temp-path=/var/cache/nginx/scgi_temp \
-		--user=nginx \
-		--group=nginx \
-		--with-http_ssl_module \
-		--with-http_realip_module \
-		--with-http_addition_module \
-		--with-http_sub_module \
-		--with-http_dav_module \
-		--with-http_flv_module \
-		--with-http_mp4_module \
-		--with-http_gunzip_module \
-		--with-http_gzip_static_module \
-		--with-http_random_index_module \
-		--with-http_secure_link_module \
-		--with-http_stub_status_module \
-		--with-http_auth_request_module \
-		--with-http_xslt_module=dynamic \
-		--with-http_image_filter_module=dynamic \
-		--with-http_geoip_module=dynamic \
-		--with-http_perl_module=dynamic \
-		--with-threads \
-		--with-stream \
-		--with-stream_ssl_module \
-		--with-stream_ssl_preread_module \
-		--with-stream_realip_module \
-		--with-stream_geoip_module=dynamic \
-		--with-http_slice_module \
-		--with-mail \
-		--with-mail_ssl_module \
-		--with-compat \
-		--with-file-aio \
-		--with-http_v2_module \
-		--with-http_v3_module \
-		--add-dynamic-module=/usr/src/ngx_headers_more \
-		--add-dynamic-module=/usr/src/ngx_brotli \
-		--add-dynamic-module=/usr/src/njs/nginx \
-	" \
-	&& addgroup -S nginx \
-	&& adduser -D -S -h /var/cache/nginx -s /sbin/nologin -G nginx nginx \
-	&& apk add --no-cache --virtual .build-deps \
-		autoconf \
-		automake \
-		bind-tools \
-		binutils \
-		build-base \
-		ca-certificates \
-		cmake \
-		curl \
-		gcc \
-		gd-dev \
-		geoip-dev \
-		git \
-		gnupg \
-		go \
-		libc-dev \
-		libgcc \
-		libstdc++ \
-		libtool \
-		libxslt-dev \
-		linux-headers \
-		make \
-		pcre \
-		pcre-dev \
-		perl-dev \
-		su-exec \
-		tar \
-		tzdata \
-		zlib \
-		zlib-dev \
-		mercurial \
-	&& curl -fSL https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -o nginx-${NGINX_VERSION}.tar.gz \
-	&& curl -fSL https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz.asc  -o nginx-${NGINX_VERSION}.tar.gz.asc \
-	&& export GNUPGHOME="$(mktemp -d)" \
-	&& found=''; \
-	for server in \
-		ha.pool.sks-keyservers.net \
-		hkp://keyserver.ubuntu.com:80 \
-		hkp://p80.pool.sks-keyservers.net:80 \
-		pgp.mit.edu \
-	; do \
-		echo "Fetching GPG key $GPG_KEYS from $server"; \
-		gpg --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$GPG_KEYS" && found=yes && break; \
-	done; \
-	test -z "$found" && echo >&2 "error: failed to fetch GPG key $GPG_KEYS" && exit 1; \
-	gpg --batch --verify nginx-${NGINX_VERSION}.tar.gz.asc nginx-${NGINX_VERSION}.tar.gz \
-	&& mkdir -p /usr/src \
-	&& tar -zxC /usr/src -f nginx-${NGINX_VERSION}.tar.gz \
-	&& rm nginx-${NGINX_VERSION}.tar.gz \
-	&& rm -rf "$GNUPGHOME" nginx-${NGINX_VERSION}.tar.gz.asc \
-	&& git clone --depth=1 --recurse-submodules https://github.com/google/ngx_brotli /usr/src/ngx_brotli \
-	&& git clone --depth=1 https://github.com/openresty/headers-more-nginx-module /usr/src/ngx_headers_more \
-	&& hg clone http://hg.nginx.org/njs /usr/src/njs \
-	&& (git clone https://boringssl.googlesource.com/boringssl /usr/src/boringssl \
-		&& cd /usr/src/boringssl && git checkout --force --quiet e648990 \
-		&& (grep -qxF 'SET_TARGET_PROPERTIES(crypto PROPERTIES SOVERSION 1)' /usr/src/boringssl/crypto/CMakeLists.txt || echo -e '\nSET_TARGET_PROPERTIES(crypto PROPERTIES SOVERSION 1)' >> /usr/src/boringssl/crypto/CMakeLists.txt) \
-		&& (grep -qxF 'SET_TARGET_PROPERTIES(ssl PROPERTIES SOVERSION 1)' /usr/src/boringssl/ssl/CMakeLists.txt || echo -e '\nSET_TARGET_PROPERTIES(ssl PROPERTIES SOVERSION 1)' >> /usr/src/boringssl/ssl/CMakeLists.txt) \
-		&& mkdir -p /usr/src/boringssl/build \
-		&& cmake -B/usr/src/boringssl/build -S/usr/src/boringssl -DCMAKE_BUILD_TYPE=RelWithDebInfo \
-		&& make -C/usr/src/boringssl/build -j$(getconf _NPROCESSORS_ONLN) \
-	   ) \
-	&& cd /usr/src/nginx-${NGINX_VERSION} \
-	&& curl -fSL https://raw.githubusercontent.com/nginx-modules/ngx_http_tls_dyn_size/master/nginx__dynamic_tls_records_1.27.2%2B.patch -o dynamic_tls_records.patch \
-	&& patch -p1 < dynamic_tls_records.patch \
-	&& ./configure $CONFIG --with-debug --with-cc-opt="-I/usr/src/boringssl/include" --with-ld-opt="-L/usr/src/boringssl/build/ssl -L/usr/src/boringssl/build/crypto" \
-	&& make -j$(getconf _NPROCESSORS_ONLN) \
-	&& mv objs/nginx objs/nginx-debug \
-	&& mv objs/ngx_http_xslt_filter_module.so objs/ngx_http_xslt_filter_module-debug.so \
-	&& mv objs/ngx_http_image_filter_module.so objs/ngx_http_image_filter_module-debug.so \
-	&& mv objs/ngx_http_geoip_module.so objs/ngx_http_geoip_module-debug.so \
-	&& mv objs/ngx_http_perl_module.so objs/ngx_http_perl_module-debug.so \
-	&& mv objs/ngx_stream_geoip_module.so objs/ngx_stream_geoip_module-debug.so \
-	&& ./configure $CONFIG --with-cc-opt="-I/usr/src/boringssl/include" --with-ld-opt="-L/usr/src/boringssl/build/ssl -L/usr/src/boringssl/build/crypto" \
-	&& make -j$(getconf _NPROCESSORS_ONLN) \
-	&& make install \
-	&& rm -rf /etc/nginx/html/ \
-	&& mkdir /etc/nginx/conf.d/ \
-	&& mkdir -p /usr/share/nginx/html/ \
-	&& install -m644 html/index.html /usr/share/nginx/html/ \
-	&& install -m644 html/50x.html /usr/share/nginx/html/ \
-	&& install -m755 objs/nginx-debug /usr/sbin/nginx-debug \
-	&& install -m755 objs/ngx_http_xslt_filter_module-debug.so /usr/lib/nginx/modules/ngx_http_xslt_filter_module-debug.so \
-	&& install -m755 objs/ngx_http_image_filter_module-debug.so /usr/lib/nginx/modules/ngx_http_image_filter_module-debug.so \
-	&& install -m755 objs/ngx_http_geoip_module-debug.so /usr/lib/nginx/modules/ngx_http_geoip_module-debug.so \
-	&& install -m755 objs/ngx_http_perl_module-debug.so /usr/lib/nginx/modules/ngx_http_perl_module-debug.so \
-	&& install -m755 objs/ngx_stream_geoip_module-debug.so /usr/lib/nginx/modules/ngx_stream_geoip_module-debug.so \
-	&& ln -s ../../usr/lib/nginx/modules /etc/nginx/modules \
-	&& strip /usr/sbin/nginx* \
-	&& strip /usr/lib/nginx/modules/*.so \
-	&& rm -rf /usr/src/nginx-${NGINX_VERSION} \
-	&& rm -rf /usr/src/boringssl /usr/src/ngx_* /usr/src/njs \
-	\
-	# Bring in gettext so we can get `envsubst`, then throw
-	# the rest away. To do this, we need to install `gettext`
-	# then move `envsubst` out of the way so `gettext` can
-	# be deleted completely, then move `envsubst` back.
-	&& apk add --no-cache --virtual .gettext gettext \
-	&& mv /usr/bin/envsubst /tmp/ \
-	\
-	&& runDeps="$( \
-		scanelf --needed --nobanner /usr/sbin/nginx /usr/lib/nginx/modules/*.so /tmp/envsubst \
-			| awk '{ gsub(/,/, "\nso:", $2); print "so:" $2 }' \
-			| sort -u \
-			| xargs -r apk info --installed \
-			| sort -u \
-	) tzdata ca-certificates" \
-	&& apk add --no-cache --virtual .nginx-rundeps $runDeps \
-	&& apk del .build-deps \
-	&& apk del .gettext \
-	&& mv /tmp/envsubst /usr/local/bin/ \
-	\
-	# forward request and error logs to docker log collector
-	&& ln -sf /dev/stdout /var/log/nginx/access.log \
-	&& ln -sf /dev/stderr /var/log/nginx/error.log
 
 COPY conf/nginx.conf /etc/nginx/nginx.conf
 COPY conf/nginx.vh.no-default.conf /etc/nginx/conf.d/default.conf
 
-LABEL description="NGINX Docker built top of rolling release BoringSSL" \
+LABEL description="NGINX Docker built top of LibreSSL" \
-      maintainer="Denis Denisov <denji0k@gmail.com>" \
+      maintainer="Walter Oggioni <oggioni.walter@gmail.com>" \
-      openssl="BoringSSL" \
+      openssl="LibreSSL" \
       nginx="nginx ${NGINX_VERSION}"
 
 EXPOSE 80 443 443/udp

nginx/build.sh

@@ -0,0 +1,61 @@
+#!/usr/bin/env sh
+
+set -e
+
+CONFIG='
+		--prefix=/etc/nginx
+		--sbin-path=/usr/sbin/nginx
+		--modules-path=/usr/lib/nginx/modules
+		--conf-path=/etc/nginx/nginx.conf
+		--error-log-path=/var/log/nginx/error.log
+		--http-log-path=/var/log/nginx/access.log
+		--pid-path=/var/run/nginx.pid
+		--lock-path=/var/run/nginx.lock
+		--http-client-body-temp-path=/var/cache/nginx/client_temp
+		--http-proxy-temp-path=/var/cache/nginx/proxy_temp
+		--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
+		--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
+		--http-scgi-temp-path=/var/cache/nginx/scgi_temp
+		--user=nginx
+		--group=nginx
+		--with-http_ssl_module
+		--with-http_realip_module
+		--with-http_addition_module
+		--with-http_sub_module
+		--with-http_dav_module
+		--with-http_flv_module
+		--with-http_mp4_module
+		--with-http_gunzip_module
+		--with-http_gzip_static_module
+		--with-http_random_index_module
+		--with-http_secure_link_module
+		--with-http_stub_status_module
+		--with-http_auth_request_module
+		--with-http_xslt_module=dynamic
+		--with-http_geoip_module=dynamic
+		--with-threads
+		--with-stream
+		--with-stream_ssl_module
+		--with-stream_ssl_preread_module
+		--with-stream_realip_module
+		--with-stream_geoip_module=dynamic
+		--with-http_slice_module
+		--with-mail
+		--with-mail_ssl_module
+		--with-compat
+		--with-file-aio
+		--with-http_v2_module
+		--with-http_v3_module
+		--add-dynamic-module=/ngx_headers_more
+		--add-dynamic-module=/ngx_brotli
+		--add-dynamic-module=/njs/nginx
+'
+
+cd /nginx
+curl -fSL https://raw.githubusercontent.com/nginx-modules/ngx_http_tls_dyn_size/master/nginx__dynamic_tls_records_1.27.2%2B.patch -o dynamic_tls_records.patch
+patch -p1 < dynamic_tls_records.patch
+
+auto/configure $CONFIG \
+    --with-cc-opt="-I/home/luser/libressl/build/include" \
+    --with-ld-opt="-lstdc++ -L/home/luser/libressl/build/ssl -L/home/luser/libressl/build/crypto"
+make -j$(nproc)

nginx/conf/nginx.conf

@@ -1,9 +1,9 @@
 
-# load_module modules/ngx_http_xslt_filter_module.so;
+load_module modules/ngx_http_xslt_filter_module.so;
-# load_module modules/ngx_http_image_filter_module.so;
+#load_module modules/ngx_http_image_filter_module.so;
-# load_module modules/ngx_http_geoip_module.so;
+load_module modules/ngx_http_geoip_module.so;
-# load_module modules/ngx_http_perl_module.so;
+#load_module modules/ngx_http_perl_module.so;
-# load_module modules/ngx_stream_geoip_module.so;
+load_module modules/ngx_stream_geoip_module.so;
 load_module modules/ngx_http_headers_more_filter_module.so;
 load_module modules/ngx_http_brotli_static_module.so;
 load_module modules/ngx_http_brotli_filter_module.so;
@@ -41,9 +41,9 @@ http {
     keepalive_disable  msie6;
 
     ssl_dyn_rec_enable on;
-    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_protocols TLSv1.3;
     ssl_ecdh_curve X25519:P-521:P-384;
-    ssl_ciphers [ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES256-GCM-SHA384|ECDHE-RSA-AES256-GCM-SHA384]:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
+    ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-CAMELLIA256-SHA256:DHE-RSA-CAMELLIA256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA256:DHE-RSA-CAMELLIA128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA256:CAMELLIA128-SHA;
     ssl_prefer_server_ciphers on;
     ssl_session_cache shared:SSL:1m;
     ssl_session_timeout 1h;
@@ -52,8 +52,10 @@ http {
 
     http2 on;
     http3 on;
+    http3_hq on;
+    quic_gso on;
     quic_retry on;
-    #ssl_early_data on;
+    ssl_early_data off;
     
     gzip_static on;
     gzip on;
@@ -62,30 +64,64 @@ http {
     gzip_proxied any;
     gzip_vary on;
     gzip_disable "msie6";
-    gzip_types
+    
-        text/plain
+    gzip_types 
-        text/css
+        application/atom+xml 
-        text/x-component
+        application/javascript 
-        text/javascript application/javascript application/x-javascript
+        application/json 
-        text/xml application/xml application/rss+xml
+        application/ld+json 
-        application/json
+        application/manifest+json 
-        application/vnd.ms-fontobject
+        application/rss+xml 
-        font/truetype font/opentype
+        application/vnd.geo+json 
-        image/svg+xml;
+        application/vnd.ms-fontobject 
+        application/x-font-ttf 
+        application/x-web-app-manifest+json 
+        application/xhtml+xml 
+        application/xml 
+        font/opentype 
+        image/bmp 
+        image/svg+xml
+        image/x-icon 
+        text/cache-manifest 
+        text/css 
+        text/plain 
+        text/vcard 
+        text/vnd.rim.location.xloc 
+        text/vtt text/x-component 
+        text/x-cross-domain-policy 
+        application/wasm;
+
+
 
     brotli_static on;
     brotli on;
     brotli_comp_level 6;
-    brotli_types
+    brotli_types 
-       text/plain
+        application/atom+xml 
-       text/css
+        application/javascript 
-       text/x-component
+        application/json 
-       text/javascript application/javascript application/x-javascript
+        application/rss+xml
-       text/xml application/xml application/rss+xml
+        application/vnd.ms-fontobject
-       application/json
+        application/x-font-opentype 
-       application/vnd.ms-fontobject
+        application/x-font-truetype
-       font/truetype font/opentype
+        application/x-font-ttf 
-       image/svg+xml;
+        application/x-javascript 
+        application/xhtml+xml 
+        application/xml
+        font/eot 
+        font/opentype 
+        font/otf 
+        font/truetype 
+        image/svg+xml 
+        image/vnd.microsoft.icon
+        image/x-icon 
+        image/x-win-bitmap 
+        text/css 
+        text/javascript 
+        text/plain 
+        text/xml 
+        application/wasm;
+
 
     include /etc/nginx/conf.d/*.conf;
 }

nginx/conf/nginx.vh.no-default.conf

@@ -11,6 +11,7 @@ server {
 }
 
 server {
-  listen 443 ssl http2 default_server;
+  listen 443 ssl default_server;
+  http2 on;
   ssl_reject_handshake on;
 }

nginx/install.sh

@@ -0,0 +1,27 @@
+#!/usr/bin/env sh
+set -e
+make install
+rm -rf /etc/nginx/html/
+mkdir -p /etc/nginx/conf.d/
+mkdir -p /usr/share/nginx/html/
+install -m644 docs/html/index.html /usr/share/nginx/html/
+install -m644 docs/html/50x.html /usr/share/nginx/html/
+ln -s ../../usr/lib/nginx/modules /etc/nginx/modules
+strip /usr/sbin/nginx*
+strip /usr/lib/nginx/modules/*.so
+
+# Bring in gettext so we can get `envsubst`, then throw
+# the rest away. To do this, we need to install `gettext`
+# then move `envsubst` out of the way so `gettext` can
+# be deleted completely, then move `envsubst` back.
+
+apk add --no-cache --virtual .gettext gettext
+mv /usr/bin/envsubst /tmp/
+runDeps="libintl libxml2 musl zlib tzdata ca-certificates pcre brotli-libs libxslt geoip"
+apk add --no-cache $runDeps
+apk del .gettext
+mv /tmp/envsubst /usr/local/bin/
+# forward request and error logs to docker log collect
+mkdir -p /var/log/nginx
+ln -sf /dev/stdout /var/log/nginx/access.log
+ln -sf /dev/stderr /var/log/nginx/error.log