Merge branch 'master' into ssl-dhparam-fix
macbre authored Oct 9, 2020
2 parents 383eb37 + 9da3f7a commit fa67d72
Showing 6 changed files with 62 additions and 15 deletions.
8 changes: 6 additions & 2 deletions .github/workflows/dockerimage.yml
@@ -25,7 +25,11 @@ jobs:

- name: Serve a static asset
run: |
docker run --detach --rm -p 0.0.0.0:8888:80 -v "$PWD/tests":/static:ro -v "$PWD/tests/static.conf":/etc/nginx/conf.d/static.conf:ro --name test_nginx -t ${{ github.repository }}
docker run --detach --rm -p 0.0.0.0:8888:80 -v "$PWD/tests":/static:ro -v "$PWD/tests/static.conf":/etc/nginx/conf.d/static.conf:ro -v "$PWD/tests/env.conf":/etc/nginx/main.d/env.conf:ro --env FOO=foo-test-value --name test_nginx -t ${{ github.repository }}
sleep 2; docker ps
curl -v --compressed 0.0.0.0:8888
curl -v --compressed 0.0.0.0:8888 2>&1 | tee /tmp/out
# assert response headers presense
grep 'X-Foo: foo-test-value' /tmp/out
docker logs test_nginx
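Review bot: The new `curl -v --compressed 0.0.0.0:8888 2>&1 | tee /tmp/out` line hides curl's exit status behind `tee`, so a failed request is only caught indirectly by the `grep` that follows. GitHub Actions enables `pipefail` only when the step sets `shell: bash` explicitly, which is not visible in this hunk. Either add `shell: bash` to the step or put `set -o pipefail` as the first line of the `run: |` script, so that a connection failure is reported as such. The comment also has a typo: `# assert response headers presence`.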
40 changes: 34 additions & 6 deletions Dockerfile
@@ -1,9 +1,15 @@
FROM alpine:3.12

ARG NGINX_VERSION=1.19.2
ARG NGINX_VERSION=1.19.3

# https://github.com/google/ngx_brotli
ARG NGX_BROTLI_COMMIT=25f86f0bac1101b6512135eac5f93c49c63609e3

# https://github.com/vision5/ngx_devel_kit/releases
# https://hub.docker.com/r/firesh/nginx-lua/dockerfile
ARG NGX_DEVEL_KIT_VERSION=0.3.1

# https://github.com/openresty/luajit2/releases
ARG LUA_NGINX_MODULE_VERSION=0.10.14

ARG CONFIG="\
--prefix=/etc/nginx \
--sbin-path=/usr/sbin/nginx \
@@ -49,6 +55,9 @@ ARG CONFIG="\
--with-file-aio \
--with-http_v2_module \
--add-module=/usr/src/ngx_brotli \
--with-ld-opt="-Wl,-rpath,/usr/lib" \
--add-module=/tmp/ngx_devel_kit-${NGX_DEVEL_KIT_VERSION} \
--add-module=/tmp/lua-nginx-module-${LUA_NGINX_MODULE_VERSION} \
"

FROM alpine:3.12
@@ -57,6 +66,8 @@ LABEL maintainer="NGINX Docker Maintainers <[email protected]>"
ARG NGINX_VERSION
ARG NGX_BROTLI_COMMIT
ARG CONFIG
ARG NGX_DEVEL_KIT_VERSION
ARG LUA_NGINX_MODULE_VERSION

RUN \
apk add --no-cache --virtual .build-deps \
@@ -72,6 +83,8 @@ RUN \
libxslt-dev \
gd-dev \
geoip-dev \
luajit \
luajit-dev \
&& apk add --no-cache --virtual .brotli-build-deps \
autoconf \
libtool \
@@ -83,8 +96,14 @@ RUN \
COPY nginx.pub /tmp/nginx.pub

RUN \
echo "Compiling nginx $NGINX_VERSION with brotli $NGX_BROTLI_COMMIT" \
&& mkdir -p /usr/src/ngx_brotli \
echo "Fetcing lua-nginx-module $LUA_NGINX_MODULE_VERSION and nginx devel kit $NGX_DEVEL_KIT_VERSION ..." \
&& curl -fSL https://github.com/simpl/ngx_devel_kit/archive/v${NGX_DEVEL_KIT_VERSION}.tar.gz -o /tmp/ndk.tar.gz \
&& tar -xvf /tmp/ndk.tar.gz -C /tmp \
&& curl -fSL https://github.com/openresty/lua-nginx-module/archive/v${LUA_NGINX_MODULE_VERSION}.tar.gz -o /tmp/lua-nginx.tar.gz \
&& tar -xvf /tmp/lua-nginx.tar.gz -C /tmp

RUN \
mkdir -p /usr/src/ngx_brotli \
&& cd /usr/src/ngx_brotli \
&& git init \
&& git remote add origin https://github.com/google/ngx_brotli.git \
@@ -102,7 +121,10 @@ RUN \
&& tar -zxC /usr/src -f nginx.tar.gz

RUN \
cd /usr/src/nginx-$NGINX_VERSION \
export LUAJIT_LIB=/usr/lib \
&& export LUAJIT_INC=/usr/include/luajit-2.1 \
&& echo "Compiling nginx $NGINX_VERSION with brotli $NGX_BROTLI_COMMIT and lua nginx module v$LUA_NGINX_MODULE_VERSION ..." \
&& cd /usr/src/nginx-$NGINX_VERSION \
&& ./configure $CONFIG --with-debug \
&& make -j$(getconf _NPROCESSORS_ONLN) \
&& mv objs/nginx objs/nginx-debug \
@@ -147,6 +169,8 @@ RUN \

FROM alpine:3.12
ARG NGINX_VERSION
ARG NGX_BROTLI_COMMIT
ARG LUA_NGINX_MODULE_VERSION

COPY --from=0 /tmp/runDeps.txt /tmp/runDeps.txt
COPY --from=0 /etc/nginx /etc/nginx
@@ -171,6 +195,10 @@ RUN \
COPY nginx.conf /etc/nginx/nginx.conf
COPY ssl_common.conf /etc/nginx/conf.d/ssl_common.conf

ENV NGINX_VERSION $NGINX_VERSION
ENV NGX_BROTLI_COMMIT $NGX_BROTLI_COMMIT
ENV LUA_NGINX_MODULE_VERSION $LUA_NGINX_MODULE_VERSION

EXPOSE 80 443

STOPSIGNAL SIGTERM
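Review bot: The two archives fetched by the new `curl -fSL` step (ngx_devel_kit and lua-nginx-module) are unpacked and compiled into nginx with no integrity check, so the build trusts whatever is served for those tag URLs at build time. Pin each download to a recorded digest before the `tar -xvf`, e.g. `&& echo "<expected-sha256>  /tmp/ndk.tar.gz" | sha256sum -c -` (placeholder digest), and likewise for `/tmp/lua-nginx.tar.gz`. The download URL uses `simpl/ngx_devel_kit` while the comment above `NGX_DEVEL_KIT_VERSION` points at `vision5/ngx_devel_kit`, so the fetch presumably relies on a redirect; naming the same repository in both places removes that dependency. The comment above `LUA_NGINX_MODULE_VERSION` links to the luajit2 releases rather than to lua-nginx-module, which will mislead whoever bumps that version next.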
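--- a/nginx.conf
+++ b/nginx.conf
@@ -32,3 +32,7 @@ http {
 
 include /etc/nginx/conf.d/*.conf;
 }
+
+# this allows you to call directives such as "env" in your own conf files
+# http://nginx.org/en/docs/ngx_core_module.html#env
+include /etc/nginx/main.d/*.conf;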
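Review bot: Because `include /etc/nginx/main.d/*.conf;` comes after the closing brace of `http { }`, main-context directives that must be read before any block is parsed are rejected there; `load_module` in particular fails with "is specified too late" once an `events` or `http` block has been processed. The image builds several modules with `=dynamic`, so users may reasonably try `load_module` in `main.d`. Either move the include above the first block or say so in the comment, e.g. `# included after http {}: env and similar directives work here, load_module does not`. The top of nginx.conf is outside this hunk, so whether the dynamic modules are already loaded there cannot be confirmed from here.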
19 changes: 12 additions & 7 deletions readme.md
Original file line number Diff line number Diff line change
@@ -1,30 +1,35 @@
# What is this?
## What is this?
This project is based on Alpine Linux, the official nginx image and an nginx module that provides static and dynamic brotli compression. [Brotli](https://github.com/google/brotli) and the [nginx brotli module ](https://github.com/google/ngx_brotli) are built by Google.

# How to use this image
## How to use this image
As this project is based on the official [nginx image](https://hub.docker.com/_/nginx/) look for instructions there. In addition to the standard configuration directives, you'll be able to use the brotli module specific ones, see [here for official documentation](https://github.com/google/ngx_brotli#configuration-directives)

```
docker pull macbre/nginx-brotli:1.19.2
docker pull macbre/nginx-brotli:1.19.3
```

# What's inside
## What's inside

```
$ docker run -it macbre/nginx-brotli nginx -V
nginx version: nginx/1.19.2
nginx version: nginx/1.19.3
built by gcc 9.3.0 (Alpine 9.3.0)
built with OpenSSL 1.1.1g 21 Apr 2020
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --with-threads --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-stream_realip_module --with-stream_geoip_module=dynamic --with-http_slice_module --with-mail --with-mail_ssl_module --with-compat --with-file-aio --with-http_v2_module --add-module=/usr/src/ngx_brotli
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-threads --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-stream_realip_module --with-stream_geoip_module=dynamic --with-http_slice_module --with-mail --with-mail_ssl_module --with-compat --with-file-aio --with-http_v2_module --add-module=/usr/src/ngx_brotli --with-ld-opt=-Wl,-rpath,/usr/lib --add-module=/tmp/ngx_devel_kit-0.3.1 --add-module=/tmp/lua-nginx-module-0.10.14
```

> [nginx release notes](https://nginx.org/en/CHANGES)
# SSL Grade A+ handling
## SSL Grade A+ handling

Please refer to [Mozilla's SSL Configuration Generator](https://ssl-config.mozilla.org/). This image has `https://ssl-config.mozilla.org/ffdhe2048.txt` DH parameters for DHE ciphers fetched and stored in `/etc/ssl/dhparam.pem`:

```
ssl_dhparam /etc/ssl/dhparam.pem;
```

## nginx config files includes

* `.conf` files mounted in `/etc/nginx/main.d` will be included in the `main` nginx context (e.g. you can call [`env` directive](http://nginx.org/en/docs/ngx_core_module.html#env) there)
* `.conf` files mounted in `/etc/nginx/conf.d` will be included in the `http` nginx context
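--- a/tests/env.conf
+++ b/tests/env.conf
@@ -0,0 +1 @@
+env FOO;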
5 changes: 5 additions & 0 deletions tests/static.conf
@@ -9,5 +9,10 @@ server {
brotli_static on;

expires 1d;

# test lua module, see env.conf too
set_by_lua $foo_from_env 'return os.getenv("FOO")';

add_header X-Foo $foo_from_env;
}
}
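Review bot: `set_by_lua` with a quoted Lua string is the older form that the lua-nginx-module documentation discourages in favour of the `*_by_lua_block` directives; `set_by_lua_block $foo_from_env { return os.getenv("FOO") }` avoids the nested quoting. The pattern copies a process environment variable into a response header, so the comment should mark it as a test fixture, e.g. `# test only: never expose env vars that hold secrets this way`. Since `add_header` without `always` is applied only to a limited set of success and redirect status codes, the CI `grep` for `X-Foo` also implicitly asserts a successful response. The enclosing `server` block starts outside this hunk.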
