Merge pull request #15 from wunderkraut/better_conf

Better conf
wunderio · Nov 3, 2016 · 304ffeb · 304ffeb
2 parents b082292 + 08eb51a
commit 304ffeb
Show file tree

Hide file tree

Showing 5 changed files with 164 additions and 70 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,18 +1,22 @@
-FROM quay.io/wunder/image-fuzzy-alpine-base:v3.4
+# wunder/fuzzy-alpine-nginx-pagespeed
+#
+# VERSION v1.11.5-3
+#
+FROM quay.io/wunder/fuzzy-alpine-base:v3.4
 MAINTAINER aleksi.johansson@wunder.io
 
-# Based on https://github.com/pagespeed/ngx_pagespeed/issues/1181#issuecomment-250776751
-# Secret Google tarball releases of mod_pagespeed from here https://github.com/pagespeed/mod_pagespeed/issues/968
+# Based on https://github.com/pagespeed/ngx_pagespeed/issues/1181#issuecomment-250776751.
+# Secret Google tarball releases of mod_pagespeed from here https://github.com/pagespeed/mod_pagespeed/issues/968.
 
-# Set versions as environment variables so that they can be inspected later
+# Set versions as environment variables so that they can be inspected later.
 ENV LIBPNG_VERSION=1.2.56 \
-    # mod_pagespeed requires an old version of http://www.libpng.org/pub/png/libpng.html
+    # mod_pagespeed requires an old version of http://www.libpng.org/pub/png/libpng.html.
     PAGESPEED_VERSION=1.11.33.4 \
-    # Check https://github.com/pagespeed/ngx_pagespeed/releases for the latest version
+    # Check https://github.com/pagespeed/ngx_pagespeed/releases for the latest version.
     NGINX_VERSION=1.11.5
-    # Check http://nginx.org/en/download.html for the latest version
+    # Check http://nginx.org/en/download.html for the latest version.
 
-# Add dependencies
+# Add dependencies.
 RUN apk --no-cache add \
         ca-certificates \
         libuuid \
@@ -26,7 +30,7 @@ RUN apk --no-cache add \
         zlib
 
 # Add build dependencies
-# and build mod_pagespeed from source for Alpine for Nginx with ngx_pagespeed
+# and build mod_pagespeed from source for Alpine for Nginx with ngx_pagespeed.
 RUN set -x && \
     apk --no-cache add -t .build-deps \
         apache2-dev \
@@ -42,13 +46,13 @@ RUN set -x && \
         pcre-dev \
         python \
         zlib-dev && \
-    # Build libpng
+    # Build libpng.
     cd /tmp && \
     curl -L http://prdownloads.sourceforge.net/libpng/libpng-${LIBPNG_VERSION}.tar.gz | tar -zx && \
     cd /tmp/libpng-${LIBPNG_VERSION} && \
     ./configure --build=$CBUILD --host=$CHOST --prefix=/usr --enable-shared --with-libpng-compat && \
     make install V=0 && \
-    # Build PageSpeed
+    # Build PageSpeed.
     cd /tmp && \
     curl -L https://dl.google.com/dl/linux/mod-pagespeed/tar/beta/mod-pagespeed-beta-${PAGESPEED_VERSION}-r0.tar.bz2 | tar -jx && \
     curl -L https://github.com/pagespeed/ngx_pagespeed/archive/v${PAGESPEED_VERSION}-beta.tar.gz | tar -zx && \
@@ -74,7 +78,7 @@ RUN set -x && \
     cp -r /tmp/modpagespeed-${PAGESPEED_VERSION}/src/tools /tmp/ngx_pagespeed-${PAGESPEED_VERSION}-beta/psol/include/ && \
     cp -r /tmp/modpagespeed-${PAGESPEED_VERSION}/src/url /tmp/ngx_pagespeed-${PAGESPEED_VERSION}-beta/psol/include/ && \
     cp -r /tmp/modpagespeed-${PAGESPEED_VERSION}/src/pagespeed/automatic/pagespeed_automatic.a /tmp/ngx_pagespeed-${PAGESPEED_VERSION}-beta/psol/lib/Release/linux/x64 && \
-    # Build Nginx with support for PageSpeed
+    # Build Nginx with support for PageSpeed.
     cd /tmp && \
     curl -L http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz | tar -zx && \
     cd /tmp/nginx-${NGINX_VERSION} && \
@@ -109,25 +113,28 @@ RUN set -x && \
         --with-cc-opt="-fPIC -I /usr/include/apr-1" \
         --with-ld-opt="-luuid -lapr-1 -laprutil-1 -licudata -licuuc -L/tmp/modpagespeed-${PAGESPEED_VERSION}/usr/lib -lpng12 -lturbojpeg -ljpeg" && \
     make install --silent && \
-    # Clean-up
+    # Make sure /etc/nginx/conf.d folder is available for images extending
+    # this one.
+    mkdir -p /etc/nginx/conf.d && \
+    # Clean-up.
     cd && \
     apk del .build-deps && \
     rm -rf /tmp/* && \
-    # Forward request and error logs to docker log collector
+    # Forward request and error logs to docker log collector.
     ln -sf /dev/stdout /var/log/nginx/access.log && \
     ln -sf /dev/stderr /var/log/nginx/error.log && \
-    # Make PageSpeed cache writable
+    # Make PageSpeed cache writable.
     mkdir -p /var/cache/ngx_pagespeed && \
     chmod -R o+wr /var/cache/ngx_pagespeed
 
-# Make our nginx.conf available on the container
-ADD conf/nginx.conf /etc/nginx/nginx.conf
+# Make our nginx.conf available on the container.
+ADD etc/nginx/nginx.conf /etc/nginx/nginx.conf
 
+# Separate the logs into their own volume to keep them out of the container.
 VOLUME ["/var/log/nginx"]
 
-# Little impact in this image
-WORKDIR /app
-
+# Expose the HTTP and HTTPS ports.
 EXPOSE 80 443
 
+# Set nginx directly as the entrypoint.
 ENTRYPOINT ["nginx", "-g", "daemon off;"]
diff --git a/Dockerfile_svn b/Dockerfile_svn
@@ -1,4 +1,8 @@
-FROM quay.io/wunder/image-fuzzy-alpine-base:v3.4
+# wunder/fuzzy-alpine-nginx-pagespeed
+#
+# VERSION v1.11.5-3
+#
+FROM quay.io/wunder/fuzzy-alpine-base:v3.4
 MAINTAINER aleksi.johansson@wunder.io
 
 # Based on https://github.com/pagespeed/ngx_pagespeed/issues/1181#issuecomment-250776751
@@ -36,21 +40,21 @@ RUN set -x && \
         subversion \
         fakeroot \
         git && \
-    # Build libpng
-    # This sadly requires an old version of http://www.libpng.org/pub/png/libpng.html
+    # Build libpng.
+    # This sadly requires an old version of http://www.libpng.org/pub/png/libpng.html.
     LIBPNG_VERSION=1.2.56 && \
     cd /tmp && \
     curl -L http://prdownloads.sourceforge.net/libpng/libpng-${LIBPNG_VERSION}.tar.gz | tar -zx && \
     cd /tmp/libpng-${LIBPNG_VERSION} && \
     ./configure --build=$CBUILD --host=$CHOST --prefix=/usr --enable-shared --with-libpng-compat && \
     make install V=0 && \
-    # Build PageSpeed
-    # Check https://github.com/pagespeed/ngx_pagespeed/releases for the latest version
-    # Get Chromium Depot Tools for getting mode_pagespeed source
+    # Build PageSpeed.
+    # Check https://github.com/pagespeed/ngx_pagespeed/releases for the latest version.
+    # Get Chromium Depot Tools for getting mode_pagespeed source.
     cd /tmp && \
     git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git && \
     export PATH=$PATH:/tmp/depot_tools && \
-    # Get mod_pagespeed
+    # Get mod_pagespeed.
     PAGESPEED_VERSION=1.11.33.4 && \
     mkdir -p /tmp/mod_pagespeed-${PAGESPEED_VERSION} && \
     cd /tmp/mod_pagespeed-${PAGESPEED_VERSION} && \
@@ -63,7 +67,7 @@ RUN set -x && \
     # Get ngx_pagespeed
     cd /tmp && \
     curl -L https://github.com/pagespeed/ngx_pagespeed/archive/v${PAGESPEED_VERSION}-beta.tar.gz | tar -zx && \
-    # Patch mod_pagespeed for Alpine
+    # Patch mod_pagespeed for Alpine.
     cd /tmp/mod_pagespeed-${PAGESPEED_VERSION} && \
     curl -L https://raw.githubusercontent.com/wunderkraut/alpine-nginx-pagespeed/master/patches/automatic_makefile.patch | patch -p1 && \
     curl -L https://raw.githubusercontent.com/wunderkraut/alpine-nginx-pagespeed/master/patches/libpng_cflags.patch | patch -p1 && \
@@ -86,7 +90,7 @@ RUN set -x && \
     cp -r /tmp/mod_pagespeed-${PAGESPEED_VERSION}/src/tools /tmp/ngx_pagespeed-${PAGESPEED_VERSION}-beta/psol/include/ && \
     cp -r /tmp/mod_pagespeed-${PAGESPEED_VERSION}/src/url /tmp/ngx_pagespeed-${PAGESPEED_VERSION}-beta/psol/include/ && \
     cp -r /tmp/mod_pagespeed-${PAGESPEED_VERSION}/src/pagespeed/automatic/pagespeed_automatic.a /tmp/ngx_pagespeed-${PAGESPEED_VERSION}-beta/psol/lib/Release/linux/x64 && \
-    # Build Nginx with support for PageSpeed
+    # Build Nginx with support for PageSpeed.
     # Check http://nginx.org/en/download.html for the latest version.
     NGINX_VERSION=1.11.5 && \
     cd /tmp && \
@@ -121,25 +125,25 @@ RUN set -x && \
         --with-cc-opt="-fPIC -I /usr/include/apr-1" \
         --with-ld-opt="-luuid -lapr-1 -laprutil-1 -licudata -licuuc -L/tmp/mod_pagespeed-${PAGESPEED_VERSION}/usr/lib -lpng12 -lturbojpeg -ljpeg" && \
     make install --silent && \
-    # Clean-up
+    # Clean-up.
     cd && \
     apk del .build-deps && \
     rm -rf /tmp/* && \
-    # Forward request and error logs to docker log collector
+    # Forward request and error logs to docker log collector.
     ln -sf /dev/stdout /var/log/nginx/access.log && \
     ln -sf /dev/stderr /var/log/nginx/error.log && \
-    # Make PageSpeed cache writable
+    # Make PageSpeed cache writable.
     mkdir -p /var/cache/ngx_pagespeed && \
     chmod -R o+wr /var/cache/ngx_pagespeed
 
-# Make our nginx.conf available on the container
-ADD conf/nginx.conf /etc/nginx/nginx.conf
+# Make our nginx.conf available on the container.
+ADD etc/nginx/nginx.conf /etc/nginx/nginx.conf
 
+# Separate the logs into their own volume to keep them out of the container.
 VOLUME ["/var/log/nginx"]
 
-# Little impact in this image
-WORKDIR /app
-
+# Expose the HTTP and HTTPS ports.
 EXPOSE 80 443
 
+# Set nginx directly as the entrypoint.
 ENTRYPOINT ["nginx", "-g", "daemon off;"]
diff --git a/README.md b/README.md
@@ -26,9 +26,9 @@ This image adds the following files:
 
 This is a custom nginx configuration:
 
-1. runs as app:app;
+1. runs as app;
 2. include additional configs from `/etc/nginx/conf.d/*.conf`;
-3. limit worker connections to 1024.
+3. limit worker connections to 4096.
 
 ## Using this Image
 

diff --git a/conf/nginx.conf b/conf/nginx.conf
diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf
@@ -0,0 +1,114 @@
+user app;
+worker_processes auto;
+
+error_log  /var/log/nginx/error.log  info;
+
+pid        /var/run/nginx.pid;
+
+worker_rlimit_nofile 8192;
+
+events {
+  worker_connections  4096;
+  ## epoll is preferred on 2.6 Linux
+  ## kernels. Cf. http://www.kegel.com/c10k.html#nb.epoll
+  use epoll;
+  ## Accept as many connections as possible.
+  multi_accept on;
+}
+
+http {
+  ## Get correct ip from X-Forwarded-For as we are behind Varnish
+  set_real_ip_from   0.0.0.0/0;
+  real_ip_header     X-Forwarded-For;
+
+  include       /etc/nginx/mime.types;
+  default_type  application/octet-stream;
+  index index.htm, index.html, index.php;
+
+  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                    '$status $body_bytes_sent "$http_referer" '
+                    '"$http_user_agent" "$http_x_forwarded_for"';
+
+  access_log  /var/log/nginx/access.log  main buffer=32k;
+  error_log   /var/log/nginx/error.log   info;
+
+  ## Define a zone for limiting the number of simultaneous
+  ## connections nginx accepts. 1m means 32000 simultaneous
+  ## sessions. We need to define for each server the limit_conn
+  ## value refering to this or other zones.
+  ## ** This syntax requires nginx version >=
+  ## ** 1.1.8. Cf. http://nginx.org/en/CHANGES. If using an older
+  ## ** version then use the limit_zone directive below
+  ## ** instead. Comment out this
+  ## ** one if not using nginx version >= 1.1.8.
+  limit_conn_zone $binary_remote_addr zone=arbeit:10m;
+
+  ## Use a SSL/TLS cache for SSL session resume. This needs to be
+  ## here (in this context, for session resumption to work. See this
+  ## thread on the Nginx mailing list:
+  ## http://nginx.org/pipermail/nginx/2010-November/023736.html.
+  ssl_session_cache   shared:SSL:10m;
+  ssl_session_timeout 10m;
+
+  # Enable HSTS;
+  add_header Strict-Transport-Security max-age=31536000;
+
+  # Enable X-Frame-Options
+  add_header X-Frame-Options "SAMEORIGIN" always;
+
+  # Enable Content Security Policy
+  add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'" always;
+
+  ## Enable the builtin cross-site scripting (XSS) filter available
+  ## in modern browsers.  Usually enabled by default we just
+  ## reinstate in case it has been somehow disabled for this
+  ## particular server instance.
+  ## https://www.owasp.org/index.php/List_of_useful_HTTP_headers.
+  add_header X-XSS-Protection '1; mode=block';
+
+  ## Block MIME type sniffing on IE.
+  add_header X-Content-Options nosniff;
+
+  sendfile                on;
+  tcp_nopush              on;
+  tcp_nodelay             on;
+  client_header_timeout   10;
+  client_body_timeout     120;
+  send_timeout            120;
+  keepalive_timeout       15 10;
+  client_max_body_size    100M;
+  client_body_buffer_size 128k;
+  proxy_read_timeout      60;
+
+  ## Reset lingering timed out connections. Deflect DDoS.
+  reset_timedout_connection on;
+
+  port_in_redirect off;
+
+  merge_slashes off;
+
+  types_hash_max_size 8192;
+  server_names_hash_bucket_size 64;
+
+  ## Compression.
+  gzip              on;
+  gzip_buffers      16 8k;
+  gzip_comp_level   3;
+  gzip_http_version 1.1;
+  gzip_min_length   10;
+  gzip_types        text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon application/vnd.ms-fontobject font/opentype application/x-font-ttf application/json image/svg+xml;
+  gzip_vary         on;
+  gzip_proxied      any; # Compression for all requests.
+  ## No need for regexps. See
+  ## http://wiki.nginx.org/NginxHttpGzipModule#gzip_disable
+  gzip_disable "msie6";
+
+  ## Hide the Nginx version number.
+  server_tokens off;
+
+  ## Include nginx configs.
+  include conf.d/nginx_*.conf;
+
+  ## Load sites files from the /etc/nginx/sites-enabled directory
+  include /etc/nginx/sites-enabled/*.conf;
+}