From 7fac5215051d4f88cf6a3fd6c4e9bc314266657a Mon Sep 17 00:00:00 2001
From: Aleksi Johansson
Date: Thu, 3 Nov 2016 20:13:11 +0200
Subject: [PATCH 1/4] Merge better nginx.conf from downstream image.
---
 Dockerfile | 38 ++++++++--------
 Dockerfile_svn | 32 +++++++-------
 README.md | 4 +-
 conf/nginx.conf | 31 --------------
 etc/nginx/nginx.conf | 100 +++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 137 insertions(+), 68 deletions(-)
 delete mode 100644 conf/nginx.conf
 create mode 100644 etc/nginx/nginx.conf
diff --git a/Dockerfile b/Dockerfile
index 5b249e3..9adae01 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,18 +1,18 @@
 FROM quay.io/wunder/image-fuzzy-alpine-base:v3.4
 MAINTAINER aleksi.johansson@wunder.io
-# Based on https://github.com/pagespeed/ngx_pagespeed/issues/1181#issuecomment-250776751
-# Secret Google tarball releases of mod_pagespeed from here https://github.com/pagespeed/mod_pagespeed/issues/968
+# Based on https://github.com/pagespeed/ngx_pagespeed/issues/1181#issuecomment-250776751.
+# Secret Google tarball releases of mod_pagespeed from here https://github.com/pagespeed/mod_pagespeed/issues/968.
-# Set versions as environment variables so that they can be inspected later
+# Set versions as environment variables so that they can be inspected later.
 ENV LIBPNG_VERSION=1.2.56 \
- # mod_pagespeed requires an old version of http://www.libpng.org/pub/png/libpng.html
+ # mod_pagespeed requires an old version of http://www.libpng.org/pub/png/libpng.html.
 PAGESPEED_VERSION=1.11.33.4 \
- # Check https://github.com/pagespeed/ngx_pagespeed/releases for the latest version
+ # Check https://github.com/pagespeed/ngx_pagespeed/releases for the latest version.
 NGINX_VERSION=1.11.5
- # Check http://nginx.org/en/download.html for the latest version
+ # Check http://nginx.org/en/download.html for the latest version.
-# Add dependencies
+# Add dependencies.
 RUN apk --no-cache add \
 ca-certificates \
 libuuid \
@@ -26,7 +26,7 @@ RUN apk --no-cache add \
 zlib
 # Add build dependencies
-# and build mod_pagespeed from source for Alpine for Nginx with ngx_pagespeed
+# and build mod_pagespeed from source for Alpine for Nginx with ngx_pagespeed.
 RUN set -x && \
 apk --no-cache add -t .build-deps \
 apache2-dev \
@@ -42,13 +42,13 @@ RUN set -x && \
 pcre-dev \
 python \
 zlib-dev && \
- # Build libpng
+ # Build libpng.
 cd /tmp && \
 curl -L http://prdownloads.sourceforge.net/libpng/libpng-${LIBPNG_VERSION}.tar.gz | tar -zx && \
 cd /tmp/libpng-${LIBPNG_VERSION} && \
 ./configure --build=$CBUILD --host=$CHOST --prefix=/usr --enable-shared --with-libpng-compat && \
 make install V=0 && \
- # Build PageSpeed
+ # Build PageSpeed.
 cd /tmp && \
 curl -L https://dl.google.com/dl/linux/mod-pagespeed/tar/beta/mod-pagespeed-beta-${PAGESPEED_VERSION}-r0.tar.bz2 | tar -jx && \
 curl -L https://github.com/pagespeed/ngx_pagespeed/archive/v${PAGESPEED_VERSION}-beta.tar.gz | tar -zx && \
@@ -74,7 +74,7 @@ RUN set -x && \
 cp -r /tmp/modpagespeed-${PAGESPEED_VERSION}/src/tools /tmp/ngx_pagespeed-${PAGESPEED_VERSION}-beta/psol/include/ && \
 cp -r /tmp/modpagespeed-${PAGESPEED_VERSION}/src/url /tmp/ngx_pagespeed-${PAGESPEED_VERSION}-beta/psol/include/ && \
 cp -r /tmp/modpagespeed-${PAGESPEED_VERSION}/src/pagespeed/automatic/pagespeed_automatic.a /tmp/ngx_pagespeed-${PAGESPEED_VERSION}-beta/psol/lib/Release/linux/x64 && \
- # Build Nginx with support for PageSpeed
+ # Build Nginx with support for PageSpeed.
 cd /tmp && \
 curl -L http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz | tar -zx && \
 cd /tmp/nginx-${NGINX_VERSION} && \
@@ -109,25 +109,25 @@ RUN set -x && \
 --with-cc-opt="-fPIC -I /usr/include/apr-1" \
 --with-ld-opt="-luuid -lapr-1 -laprutil-1 -licudata -licuuc -L/tmp/modpagespeed-${PAGESPEED_VERSION}/usr/lib -lpng12 -lturbojpeg -ljpeg" && \
 make install --silent && \
- # Clean-up
+ # Clean-up.
 cd && \
 apk del .build-deps && \
 rm -rf /tmp/* && \
- # Forward request and error logs to docker log collector
+ # Forward request and error logs to docker log collector.
 ln -sf /dev/stdout /var/log/nginx/access.log && \
 ln -sf /dev/stderr /var/log/nginx/error.log && \
- # Make PageSpeed cache writable
+ # Make PageSpeed cache writable.
 mkdir -p /var/cache/ngx_pagespeed && \
 chmod -R o+wr /var/cache/ngx_pagespeed
-# Make our nginx.conf available on the container
-ADD conf/nginx.conf /etc/nginx/nginx.conf
+# Make our nginx.conf available on the container.
+ADD etc/nginx/nginx.conf /etc/nginx/nginx.conf
+# Separate the logs into their own volume to keep them out of the container.
 VOLUME ["/var/log/nginx"]
-# Little impact in this image
-WORKDIR /app
-
+# Expose the HTTP and HTTPS ports.
 EXPOSE 80 443
+# Set nginx directly as the entrypoint.
 ENTRYPOINT ["nginx", "-g", "daemon off;"]
diff --git a/Dockerfile_svn b/Dockerfile_svn
index ed5128b..7ceaa5d 100644
--- a/Dockerfile_svn
+++ b/Dockerfile_svn
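Review bot: `ADD etc/nginx/nginx.conf /etc/nginx/nginx.conf` copies a plain local file, which is exactly the case where `COPY` is the explicit instruction; `ADD` is reserved for tar auto-extraction and remote fetches and hadolint flags this as DL3020, so the line should read `COPY etc/nginx/nginx.conf /etc/nginx/nginx.conf`. The same line is introduced in the matching Dockerfile_svn hunk of this patch. The new VOLUME comment says the logs are kept out of the container, yet the RUN step just above symlinks /var/log/nginx/access.log and error.log to /dev/stdout and /dev/stderr, so a volume mounted over that directory at run time would hide those symlinks and the docker log forwarding; the comment should state which of the two behaviours is intended. The RUN instruction this hunk edits starts before the hunk.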
@@ -36,21 +36,21 @@ RUN set -x && \
 subversion \
 fakeroot \
 git && \
- # Build libpng
- # This sadly requires an old version of http://www.libpng.org/pub/png/libpng.html
+ # Build libpng.
+ # This sadly requires an old version of http://www.libpng.org/pub/png/libpng.html.
 LIBPNG_VERSION=1.2.56 && \
 cd /tmp && \
 curl -L http://prdownloads.sourceforge.net/libpng/libpng-${LIBPNG_VERSION}.tar.gz | tar -zx && \
 cd /tmp/libpng-${LIBPNG_VERSION} && \
 ./configure --build=$CBUILD --host=$CHOST --prefix=/usr --enable-shared --with-libpng-compat && \
 make install V=0 && \
- # Build PageSpeed
- # Check https://github.com/pagespeed/ngx_pagespeed/releases for the latest version
- # Get Chromium Depot Tools for getting mode_pagespeed source
+ # Build PageSpeed.
+ # Check https://github.com/pagespeed/ngx_pagespeed/releases for the latest version.
+ # Get Chromium Depot Tools for getting mode_pagespeed source.
 cd /tmp && \
 git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git && \
 export PATH=$PATH:/tmp/depot_tools && \
- # Get mod_pagespeed
+ # Get mod_pagespeed.
 PAGESPEED_VERSION=1.11.33.4 && \
 mkdir -p /tmp/mod_pagespeed-${PAGESPEED_VERSION} && \
 cd /tmp/mod_pagespeed-${PAGESPEED_VERSION} && \
@@ -63,7 +63,7 @@ RUN set -x && \
 # Get ngx_pagespeed
 cd /tmp && \
 curl -L https://github.com/pagespeed/ngx_pagespeed/archive/v${PAGESPEED_VERSION}-beta.tar.gz | tar -zx && \
- # Patch mod_pagespeed for Alpine
+ # Patch mod_pagespeed for Alpine.
 cd /tmp/mod_pagespeed-${PAGESPEED_VERSION} && \
 curl -L https://raw.githubusercontent.com/wunderkraut/alpine-nginx-pagespeed/master/patches/automatic_makefile.patch | patch -p1 && \
 curl -L https://raw.githubusercontent.com/wunderkraut/alpine-nginx-pagespeed/master/patches/libpng_cflags.patch | patch -p1 && \
@@ -86,7 +86,7 @@ RUN set -x && \
 cp -r /tmp/mod_pagespeed-${PAGESPEED_VERSION}/src/tools /tmp/ngx_pagespeed-${PAGESPEED_VERSION}-beta/psol/include/ && \
 cp -r /tmp/mod_pagespeed-${PAGESPEED_VERSION}/src/url /tmp/ngx_pagespeed-${PAGESPEED_VERSION}-beta/psol/include/ && \
 cp -r /tmp/mod_pagespeed-${PAGESPEED_VERSION}/src/pagespeed/automatic/pagespeed_automatic.a /tmp/ngx_pagespeed-${PAGESPEED_VERSION}-beta/psol/lib/Release/linux/x64 && \
- # Build Nginx with support for PageSpeed
+ # Build Nginx with support for PageSpeed.
 # Check http://nginx.org/en/download.html for the latest version.
 NGINX_VERSION=1.11.5 && \
 cd /tmp && \
@@ -121,25 +121,25 @@ RUN set -x && \
 --with-cc-opt="-fPIC -I /usr/include/apr-1" \
 --with-ld-opt="-luuid -lapr-1 -laprutil-1 -licudata -licuuc -L/tmp/mod_pagespeed-${PAGESPEED_VERSION}/usr/lib -lpng12 -lturbojpeg -ljpeg" && \
 make install --silent && \
- # Clean-up
+ # Clean-up.
 cd && \
 apk del .build-deps && \
 rm -rf /tmp/* && \
- # Forward request and error logs to docker log collector
+ # Forward request and error logs to docker log collector.
 ln -sf /dev/stdout /var/log/nginx/access.log && \
 ln -sf /dev/stderr /var/log/nginx/error.log && \
- # Make PageSpeed cache writable
+ # Make PageSpeed cache writable.
 mkdir -p /var/cache/ngx_pagespeed && \
 chmod -R o+wr /var/cache/ngx_pagespeed
-# Make our nginx.conf available on the container
-ADD conf/nginx.conf /etc/nginx/nginx.conf
+# Make our nginx.conf available on the container.
+ADD etc/nginx/nginx.conf /etc/nginx/nginx.conf
+# Separate the logs into their own volume to keep them out of the container.
 VOLUME ["/var/log/nginx"]
-# Little impact in this image
-WORKDIR /app
-
+# Expose the HTTP and HTTPS ports.
 EXPOSE 80 443
+# Set nginx directly as the entrypoint.
 ENTRYPOINT ["nginx", "-g", "daemon off;"]
diff --git a/README.md b/README.md
index 19830ec..dbd0910 100644
--- a/README.md
+++ b/README.md
@@ -26,9 +26,9 @@ This image adds the following files:
 This is a custom nginx configuration:
-1. runs as app:app;
+1. runs as app;
 2. include additional configs from `/etc/nginx/conf.d/*.conf`;
-3. limit worker connections to 1024.
+3. limit worker connections to 4096.
 ## Using this Image
diff --git a/conf/nginx.conf b/conf/nginx.conf
deleted file mode 100644
index bb46e9b..0000000
--- a/conf/nginx.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-worker_processes auto;
-
-error_log /var/log/nginx/error.log warn;
-pid /var/run/nginx.pid;
-
-user app app;
-
-events {
- worker_connections 1024;
-}
-
-
-http {
- include /etc/nginx/mime.types;
- default_type application/octet-stream;
-
- log_format main '$remote_addr - $remote_user [$time_local] "$request" '
- '$status $body_bytes_sent "$http_referer" '
- '"$http_user_agent" "$http_x_forwarded_for"';
-
- access_log /var/log/access.log main;
-
- sendfile on;
- #tcp_nopush on;
-
- keepalive_timeout 65;
-
- #gzip on;
-
- include /etc/nginx/conf.d/*.conf;
-}
\ No newline at end of file
diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf
new file mode 100644
index 0000000..950bbd1
--- /dev/null
+++ b/etc/nginx/nginx.conf
@@ -0,0 +1,100 @@
+user app;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log info;
+
+pid /var/run/nginx.pid;
+
+worker_rlimit_nofile 8192;
+
+events {
+ worker_connections 4096;
+ ## epoll is preferred on 2.6 Linux
+ ## kernels. Cf. http://www.kegel.com/c10k.html#nb.epoll
+ use epoll;
+ ## Accept as many connections as possible.
+ multi_accept on;
+}
+
+http {
+ ## Get correct ip from X-Forwarded-For as we are behind Varnish
+ set_real_ip_from 0.0.0.0/0;
+ real_ip_header X-Forwarded-For;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+ index index.htm, index.html, index.php;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main buffer=32k;
+ error_log /var/log/nginx/error.log info;
+
+ # Enable HSTS;
+ add_header Strict-Transport-Security max-age=31536000;
+
+ # Enable X-Frame-Options
+ add_header X-Frame-Options "SAMEORIGIN" always;
+
+ # Enable Content Security Policy
+ #add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'" always;
+
+ ## Enable the builtin cross-site scripting (XSS) filter available
+ ## in modern browsers. Usually enabled by default we just
+ ## reinstate in case it has been somehow disabled for this
+ ## particular server instance.
+ ## https://www.owasp.org/index.php/List_of_useful_HTTP_headers.
+ add_header X-XSS-Protection '1; mode=block';
+
+ ## Block MIME type sniffing on IE.
+ add_header X-Content-Options nosniff;
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ client_header_timeout 10;
+ client_body_timeout 120;
+ send_timeout 120;
+ keepalive_timeout 15 10;
+ client_max_body_size 100M;
+ client_body_buffer_size 128k;
+ proxy_read_timeout 60;
+
+ ## Reset lingering timed out connections. Deflect DDoS.
+ reset_timedout_connection on;
+
+ port_in_redirect off;
+
+ merge_slashes off;
+
+ types_hash_max_size 8192;
+ server_names_hash_bucket_size 64;
+
+ ## Compression.
+ gzip on;
+ gzip_buffers 16 8k;
+ gzip_comp_level 3;
+ gzip_http_version 1.1;
+ gzip_min_length 10;
+ gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon application/vnd.ms-fontobject font/opentype application/x-font-ttf image/svg+xml application/json;
+ gzip_vary on;
+ gzip_proxied any; # Compression for all requests.
+ ## No need for regexps. See
+ ## http://wiki.nginx.org/NginxHttpGzipModule#gzip_disable
+ gzip_disable "msie6";
+
+ ## Hide the Nginx version number.
+ server_tokens off;
+
+ # Handle HTTPS server variable setting
+ map $http_x_forwarded_proto $fe_https {
+ default off;
+ https on;
+ }
+
+ ## Include nginx configs and enabled sites.
+ include conf.d/nginx_*.conf;
+
+}
From 0522b3aa4147e6362e73a3cd4aa830a5000186b6 Mon Sep 17 00:00:00 2001
From: Aleksi Johansson
Date: Thu, 3 Nov 2016 20:16:35 +0200
Subject: [PATCH 2/4] Fixed a typo in base image name.
---
 Dockerfile | 2 +-
 Dockerfile_svn | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 9adae01..5000e8b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM quay.io/wunder/image-fuzzy-alpine-base:v3.4
+FROM quay.io/wunder/fuzzy-alpine-base:v3.4
 MAINTAINER aleksi.johansson@wunder.io
 # Based on https://github.com/pagespeed/ngx_pagespeed/issues/1181#issuecomment-250776751.
diff --git a/Dockerfile_svn b/Dockerfile_svn
index 7ceaa5d..0df2627 100644
--- a/Dockerfile_svn
+++ b/Dockerfile_svn
@@ -1,4 +1,4 @@
-FROM quay.io/wunder/image-fuzzy-alpine-base:v3.4
+FROM quay.io/wunder/fuzzy-alpine-base:v3.4
 MAINTAINER aleksi.johansson@wunder.io
 # Based on https://github.com/pagespeed/ngx_pagespeed/issues/1181#issuecomment-250776751
From b195b00a2d626d8023a45a7469cf3e970059161b Mon Sep 17 00:00:00 2001
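Review bot: `add_header X-Content-Options nosniff;` sets a header name browsers do not recognise; the anti-sniffing header is `add_header X-Content-Type-Options nosniff;`, so as written the comment above it promises a protection no response actually carries. `set_real_ip_from 0.0.0.0/0;` together with `real_ip_header X-Forwarded-For;` tells nginx to trust the X-Forwarded-For value from every peer, so any client that reaches nginx without going through the proxy can pick the address that ends up in the access log and in `$binary_remote_addr`; the comment says the image sits behind Varnish, so the directive should name only that range, e.g. `set_real_ip_from <VARNISH_CIDR>;` with the placeholder filled per deployment. `index index.htm, index.html, index.php;` hands comma-suffixed names to a directive that takes space-separated filenames, so the first two entries are most likely looked up literally as `index.htm,` and `index.html,`; dropping the commas fixes it.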
From: Aleksi Johansson
Date: Thu, 3 Nov 2016 20:38:03 +0200
Subject: [PATCH 3/4] Added standard header for Dockerfile and make sure nginx conf.d exists.
---
 Dockerfile | 7 +++++++
 Dockerfile_svn | 4 ++++
 2 files changed, 11 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index 5000e8b..8c449e4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,3 +1,7 @@
+# wunder/fuzzy-alpine-nginx-pagespeed
+#
+# VERSION v1.11.5-3
+#
 FROM quay.io/wunder/fuzzy-alpine-base:v3.4
 MAINTAINER aleksi.johansson@wunder.io
@@ -109,6 +113,9 @@ RUN set -x && \
 --with-cc-opt="-fPIC -I /usr/include/apr-1" \
 --with-ld-opt="-luuid -lapr-1 -laprutil-1 -licudata -licuuc -L/tmp/modpagespeed-${PAGESPEED_VERSION}/usr/lib -lpng12 -lturbojpeg -ljpeg" && \
 make install --silent && \
+ # Make sure /etc/nginx/conf.d folder is available for images extending
+ # this one.
+ mkdir -p /etc/nginx/conf.d && \
 # Clean-up.
 cd && \
 apk del .build-deps && \
diff --git a/Dockerfile_svn b/Dockerfile_svn
index 0df2627..acfe402 100644
--- a/Dockerfile_svn
+++ b/Dockerfile_svn
@@ -1,3 +1,7 @@
+# wunder/fuzzy-alpine-nginx-pagespeed
+#
+# VERSION v1.11.5-3
+#
 FROM quay.io/wunder/fuzzy-alpine-base:v3.4
 MAINTAINER aleksi.johansson@wunder.io
From 08eb51a48cfadc44ef9090ebafd9c96849898581 Mon Sep 17 00:00:00 2001
From: Aleksi Johansson
Date: Thu, 3 Nov 2016 23:14:53 +0200
Subject: [PATCH 4/4] Updated nginx.conf from latest wundertools because the existing one was failing to start.
---
 etc/nginx/nginx.conf | 32 +++++++++++++++++++++++---------
 1 file changed, 23 insertions(+), 9 deletions(-)
diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf
index 950bbd1..40d88a4 100644
--- a/etc/nginx/nginx.conf
+++ b/etc/nginx/nginx.conf
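Review bot: The `mkdir -p /etc/nginx/conf.d && \` added to the Dockerfile RUN step is missing from the Dockerfile_svn hunk of this patch, which only receives the header comment, although the subject says the directory is guaranteed; the two files otherwise mirror each other line for line, so the same three lines belong in Dockerfile_svn as well. The README context in patch 1 still says extra configs are read from `/etc/nginx/conf.d/*.conf` while the shipped nginx.conf includes only `conf.d/nginx_*.conf`, so the new comment would be more useful as `# Make sure /etc/nginx/conf.d exists for extending images; nginx.conf only loads conf.d/nginx_*.conf.` The RUN instruction this hunk edits starts and ends outside the hunk.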
@@ -32,6 +32,24 @@ http {
 access_log /var/log/nginx/access.log main buffer=32k;
 error_log /var/log/nginx/error.log info;
+ ## Define a zone for limiting the number of simultaneous
+ ## connections nginx accepts. 1m means 32000 simultaneous
+ ## sessions. We need to define for each server the limit_conn
+ ## value refering to this or other zones.
+ ## ** This syntax requires nginx version >=
+ ## ** 1.1.8. Cf. http://nginx.org/en/CHANGES. If using an older
+ ## ** version then use the limit_zone directive below
+ ## ** instead. Comment out this
+ ## ** one if not using nginx version >= 1.1.8.
+ limit_conn_zone $binary_remote_addr zone=arbeit:10m;
+
+ ## Use a SSL/TLS cache for SSL session resume. This needs to be
+ ## here (in this context, for session resumption to work. See this
+ ## thread on the Nginx mailing list:
+ ## http://nginx.org/pipermail/nginx/2010-November/023736.html.
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+
 # Enable HSTS;
 add_header Strict-Transport-Security max-age=31536000;
@@ -39,7 +57,7 @@ http {
 add_header X-Frame-Options "SAMEORIGIN" always;
 # Enable Content Security Policy
- #add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'" always;
+ add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'" always;
 ## Enable the builtin cross-site scripting (XSS) filter available
 ## in modern browsers. Usually enabled by default we just
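Review bot: Enabling `add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'" always;` turns on a policy that still permits inline scripts, eval and every https: origin, so it provides little of the injection containment CSP is meant for, while `default-src https:` blocks http:-scheme subresources on any page that is served over plain HTTP behind the proxy; either leave it commented or say in the comment that this is a permissive baseline each site is expected to tighten. The `limit_conn_zone ... zone=arbeit:10m;` line only declares the zone and no `limit_conn arbeit ...;` appears in this file, so the comment should state that the per-server limit is expected in the included conf.d or sites files, and its `1m means 32000 simultaneous sessions` figure does not match the `10m` actually allocated. Since `add_header` directives in the http context are discarded for any server or location that declares its own `add_header`, a one-line caveat above this group would save downstream authors from silently losing these headers.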
@@ -78,7 +96,7 @@ http {
 gzip_comp_level 3;
 gzip_http_version 1.1;
 gzip_min_length 10;
- gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon application/vnd.ms-fontobject font/opentype application/x-font-ttf image/svg+xml application/json;
+ gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon application/vnd.ms-fontobject font/opentype application/x-font-ttf application/json image/svg+xml;
 gzip_vary on;
 gzip_proxied any; # Compression for all requests.
 ## No need for regexps. See
@@ -88,13 +106,9 @@ http {
 ## Hide the Nginx version number.
 server_tokens off;
- # Handle HTTPS server variable setting
- map $http_x_forwarded_proto $fe_https {
- default off;
- https on;
- }
-
- ## Include nginx configs and enabled sites.
+ ## Include nginx configs.
 include conf.d/nginx_*.conf;
+ ## Load sites files from the /etc/nginx/sites-enabled directory
+ include /etc/nginx/sites-enabled/*.conf;
 }
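Review bot: Removing the `map $http_x_forwarded_proto $fe_https` block drops a variable that the included site files may still reference, and nginx refuses to start on an unknown variable, so if any downstream conf.d or sites-enabled file uses `$fe_https` this hunk reintroduces the kind of start-up failure the patch subject reports fixing. Those files are outside this repository, so I cannot confirm the usage; either check the downstream configs before merging or keep the map with a comment that it is provided for site configs. The new `include /etc/nginx/sites-enabled/*.conf;` targets a directory neither Dockerfile creates; as far as I know a glob include that matches nothing is accepted by nginx, so this is harmless, but the mkdir added in patch 3 could become `mkdir -p /etc/nginx/conf.d /etc/nginx/sites-enabled && \` so extending images find both directories.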