Merge pull request #4 from 720kb/next

Next

Author: wouldgo

.gitignore

@@ -1,86 +1,152 @@
-FROM ubuntu
-MAINTAINER Dario Andrei <wouldgo84@gmail.com>
+FROM alpine:3.6
+ARG NGINX_VERSION=1.13.2
+#ftp://ftp.openssl.org/source/
+ARG OPENSSL_VERSION=1.0.2l
+ARG HEADERES_MORE_NGINX_MODULE=0.33
+ARG MODSECURITY_MODULE=3.0.0
+ARG MODSECURITY_NGINX_MODULE=1.0.0
+ARG NAXSI_MODULE=0.55.3
 
-RUN apt-get update && apt-get upgrade -y
+RUN apk --no-cache add \
+    curl-dev \
+    wget \
+    linux-headers \
+    alpine-sdk \
+    zlib-dev \
+    pcre-dev \
+    libxslt-dev \
+    libxml2-dev \
+    geoip-dev \
+    perl \
+    libaio-dev \
+    acme-client \
+    libtool \
+    m4 \
+    autoconf \
+    automake \
+    yajl-dev \
+    gd-dev
 
-RUN apt-get install -y \
-  wget \
-  build-essential \
-  zlib1g-dev \
-  libpcre3-dev \
-  libxslt1-dev \
-  libxml2-dev \
-  libgd2-xpm-dev \
-  libgeoip-dev \
-  libgoogle-perftools-dev \
-  libperl-dev
+RUN addgroup -g 9000 -S www-data \
+  && adduser -u 9000 -D -S -G www-data www-data
 
-RUN wget http://nginx.org/download/nginx-$(wget -O - http://nginx.org/download/ | \
-  grep -o -P '<a href="nginx-.+.tar.gz">' | \
-  sed -re's/<a href="nginx-(.+)\.tar.gz">/\1/g' | \
-  tail -1).tar.gz -O latest_ngnix.gzipped && \
-wget $(wget -O - ftp://ftp.openssl.org/source/ | \
-  grep -o -P 'ftp://ftp\.openssl\.org:21/source/openssl-1\.0\.2\w.*.tar.gz' | \
-  sed -re's/(ftp:\/\/ftp\.openssl\.org:21\/source\/openssl-1\.0\.2\w\.tar\.gz)">.+/\1/g' | \
-  sed -n 1p) -O latest_openssl.gzipped
+RUN mkdir -p /tmp/nginx \
+    /tmp/headers-more-nginx-module \
+    /tmp/modsecurity-nginx \
+    /tmp/naxsi \
+    /opt/.openssl \
+    /opt/nginx-configuration \
+    /opt/modsecurity
 
-RUN mkdir -p /tmp/nginx /opt/.openssl && \
-mkdir -p /opt/nginx-configuration && \
-tar --extract --file=latest_openssl.gzipped --strip-components=1 --directory=/opt/.openssl && \
-cd /opt/.openssl && \
-./config --prefix=/usr/local \
-  --openssldir=/usr/local/open-ssl \
-  threads \
-  zlib && \
-make && \
-make test && \
-make install && \
-cd / && \
-tar --extract --file=latest_ngnix.gzipped --strip-components=1 --directory=/tmp/nginx && \
-cd /tmp/nginx && \
-./configure --prefix=/usr/local/nginx \
-  --sbin-path=/usr/local/sbin/nginx \
-  --conf-path=/opt/nginx-configuration/nginx.conf \
-  --error-log-path=/var/log/nginx/error.log \
-  --http-log-path=/var/log/nginx/access.log \
-  --pid-path=/var/run/nginx.pid \
-  --lock-path=/run/lock/subsys/nginx \
-  --user=www-data --group=www-data \
-  --with-file-aio \
-  --with-ipv6 \
-  --with-http_ssl_module \
-  --with-openssl=/opt/.openssl \
-  --with-stream \
-  --with-http_v2_module \
-  --with-http_realip_module \
-  --with-http_addition_module \
-  --with-http_xslt_module \
-  --with-http_image_filter_module \
-  --with-http_geoip_module \
-  --with-http_sub_module \
-  --with-http_dav_module \
-  --with-http_flv_module \
-  --with-http_mp4_module \
-  --with-http_gunzip_module \
-  --with-http_gzip_static_module \
-  --with-http_random_index_module \
-  --with-http_secure_link_module \
-  --with-http_degradation_module \
-  --with-http_stub_status_module \
-  --with-http_perl_module \
-  --with-mail \
-  --with-mail_ssl_module \
-  --with-pcre \
-  --with-google_perftools_module \
-  --with-debug && \
-make && \
-make install
+RUN wget http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz \
+    -O latest_ngnix.gzipped
+RUN wget ftp://ftp.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz \
+    -O latest_openssl.gzipped
+RUN wget https://github.com/openresty/headers-more-nginx-module/archive/v${HEADERES_MORE_NGINX_MODULE}.tar.gz \
+    -O headers_more_nginx_module.gzipped
+RUN wget https://github.com/SpiderLabs/ModSecurity/releases/download/v${MODSECURITY_MODULE}/modsecurity-v${MODSECURITY_MODULE}.tar.gz \
+    -O modsecurity.gzipped
+RUN wget https://github.com/SpiderLabs/ModSecurity-nginx/releases/download/v${MODSECURITY_NGINX_MODULE}/modsecurity-nginx-v${MODSECURITY_NGINX_MODULE}.tar.gz \
+    -O modsecurity-nginx.gzipped
+RUN wget https://github.com/nbs-system/naxsi/archive/${NAXSI_MODULE}.tar.gz \
+    -O naxsi.gzipped
 
-RUN openssl dhparam -out /etc/dh2048.pem 2048
+WORKDIR /
+RUN tar --extract \
+    --strip-components=1 \
+    --file=latest_ngnix.gzipped --directory=/tmp/nginx \
+  && tar --extract \
+    --strip-components=1 \
+    --file=modsecurity.gzipped --directory=/opt/modsecurity \
+  && tar --extract \
+    --strip-components=1 \
+    --file=headers_more_nginx_module.gzipped --directory=/tmp/headers-more-nginx-module \
+  && tar --extract \
+    --strip-components=1 \
+    --file=latest_openssl.gzipped --directory=/opt/.openssl \
+  && tar --extract \
+    --strip-components=1 \
+    --file=modsecurity-nginx.gzipped --directory=/tmp/modsecurity-nginx \
+  && tar --extract \
+    --strip-components=1 \
+    --file=naxsi.gzipped --directory=/tmp/naxsi \
+  && rm -Rfv latest_ngnix.gzipped \
+    latest_openssl.gzipped \
+    headers_more_nginx_module.gzipped \
+    modsecurity.gzipped \
+    modsecurity-nginx.gzipped \
+    naxsi.gzipped
+
+WORKDIR /opt/modsecurity
+RUN ./configure \
+  && make -j 8 \
+  && make install
+
+WORKDIR /opt/.openssl
+RUN ./config --prefix=/usr/local \
+    --openssldir=/usr/local/open-ssl \
+    threads \
+    zlib \
+  && make -j 8 \
+  && make test \
+  && make install
+
+WORKDIR /tmp/nginx
+RUN ./configure --prefix=/usr/local/nginx \
+    --sbin-path=/usr/local/sbin/nginx \
+    --user=www-data --group=www-data \
+    --pid-path=/var/run/nginx.pid \
+    --lock-path=/run/lock/subsys/nginx \
+    --http-client-body-temp-path=/var/lib/nginx/body \
+    --http-proxy-temp-path=/var/lib/nginx/proxy \
+    --http-log-path=/var/log/nginx/access.log \
+    --error-log-path=/var/log/nginx/error.log \
+    --conf-path=/opt/nginx-configuration/nginx.conf \
+    --add-module=/tmp/headers-more-nginx-module \
+    --add-module=/tmp/modsecurity-nginx \
+    --add-module=/tmp/naxsi/naxsi_src \
+    --with-openssl=/opt/.openssl \
+    --with-file-aio \
+    --with-ipv6 \
+    --with-http_ssl_module \
+    --with-http_v2_module \
+    --with-stream \
+    --with-stream_ssl_module \
+    --with-http_realip_module \
+    --with-http_addition_module \
+    --with-http_xslt_module \
+    --with-http_image_filter_module \
+    --with-http_geoip_module \
+    --with-http_sub_module \
+    --with-http_dav_module \
+    --with-http_flv_module \
+    --with-http_mp4_module \
+    --with-http_gunzip_module \
+    --with-http_gzip_static_module \
+    --with-http_random_index_module \
+    --with-http_secure_link_module \
+    --with-http_degradation_module \
+    --with-http_stub_status_module \
+    --with-pcre-jit \
+    --with-pcre \
+    --with-debug \
+    --with-mail \
+    --with-mail_ssl_module \
+    --without-mail_pop3_module \
+    --without-http_uwsgi_module \
+    --without-http_scgi_module \
+  && make -j 8 \
+  && make install
+
+RUN openssl dhparam -out /etc/dhparam.pem 4096
+RUN mv /tmp/naxsi/naxsi_config/naxsi_core.rules /opt/naxsi_core.rules
+RUN mkdir -p /var/lib/nginx/body /var/www/acme
+RUN rm -Rfv /tmp/*
 
-RUN mkdir /add-folder && mkdir -p /www/log
-ADD ./run/bootstrap.sh /opt/bootstrap.sh
-ADD ./add-folder.sh /add-folder/add-folder.sh
 EXPOSE 80 443
+WORKDIR /opt
+ADD ./run/bootstrap.sh bootstrap.sh
+ADD ./certbot certbot/
+RUN chmod u+x bootstrap.sh
 
-CMD ["/bin/bash", "/opt/bootstrap.sh" ]
+ENTRYPOINT ["sh", "bootstrap.sh" ]

.gitmodules

@@ -0,0 +1,4 @@
+rsa-key-size = 4096
+email = wouldgo84@gmail.com
+server = https://acme-v01.api.letsencrypt.org/directory
+text = True

Dockerfile

@@ -0,0 +1,41 @@
+version: '3.2'
+services:
+  nginx:
+    image: 720kb/nginx
+    container_name: nginx
+    hostname: nginx
+    build:
+      context: .
+      dockerfile: Dockerfile
+      args:
+        NGINX_VERSION: 1.13.7
+        OPENSSL_VERSION: 1.0.2n
+        HEADERES_MORE_NGINX_MODULE: 0.33
+        MODSECURITY_MODULE: 3.0.0
+        MODSECURITY_NGINX_MODULE: 1.0.0
+        NAXSI_MODULE: 0.55.3
+    volumes:
+      - type: volume
+        source: nginx-conf
+        target: /opt/nginx-configuration
+        read_only: true
+      - type: volume
+        source: sites
+        target: /var/sites
+        read_only: true
+    networks:
+      - dmz
+      - internal
+    ports:
+      - "80:80"
+      - "443:443"
+networks:
+  dmz:
+  internal:
+
+volumes:
+  nginx-conf:
+    driver: kassisol/gitvol:0.1.0
+    driver_opts:
+      url: https://${GITHUB_ACCESS_TOKEN}@github.com/720kb/nginx-confs.git
+  sites: