From 141b932a1c25242947a7e1e0b83179a38c93d91e Mon Sep 17 00:00:00 2001
From: Asif Bacchus
Date: Wed, 16 Oct 2019 23:44:47 -0600
Subject: [PATCH] initial commit - skeleton setup
---
 build/Dockerfile | 33 +++++++++++++
 .../config/mozIntermediate_ssl.conf.disabled | 34 +++++++++++++
 .../config/config/mozModern_ssl.conf.disabled | 31 ++++++++++++
 build/config/nginx.conf | 49 +++++++++++++++++++
 build/config/server_names.conf | 7 +++
 build/config/ssl_location.conf | 3 ++
 build/entrypoint.sh | 11 +++++
 build/sites/00-redirectHTTPS.conf.disabled | 22 +++++++++
 build/sites/05-test_nonsecured.conf | 10 ++++
 build/sites/05-test_secured.conf | 10 ++++
 config/config/buffers.conf | 4 ++
 config/config/gzip.conf | 14 ++++++
 config/config/headersSecurity.conf | 12 +++++
 config/config/readme | 7 +++
 config/config/staticContent.conf | 4 ++
 config/config/timeouts.conf | 8 +++
 sites/readme | 9 ++++
 17 files changed, 268 insertions(+)
 create mode 100644 build/Dockerfile
 create mode 100644 build/config/config/mozIntermediate_ssl.conf.disabled
 create mode 100644 build/config/config/mozModern_ssl.conf.disabled
 create mode 100644 build/config/nginx.conf
 create mode 100644 build/config/server_names.conf
 create mode 100644 build/config/ssl_location.conf
 create mode 100644 build/entrypoint.sh
 create mode 100644 build/sites/00-redirectHTTPS.conf.disabled
 create mode 100644 build/sites/05-test_nonsecured.conf
 create mode 100644 build/sites/05-test_secured.conf
 create mode 100644 config/config/buffers.conf
 create mode 100644 config/config/gzip.conf
 create mode 100644 config/config/headersSecurity.conf
 create mode 100644 config/config/readme
 create mode 100644 config/config/staticContent.conf
 create mode 100644 config/config/timeouts.conf
 create mode 100644 sites/readme
diff --git a/build/Dockerfile b/build/Dockerfile
new file mode 100644
index 0000000..7262d48
--- /dev/null
+++ b/build/Dockerfile
@@ -0,0 +1,33 @@
+FROM nginx:mainline-alpine
+
+# standardized labels
+LABEL maintainer="Asif Bacchus "
+LABEL org.label-schema.cmd=""
+LABEL org.label-schema.description=""
+LABEL org.label-schema.name="ab-nginx"
+LABEL org.label-schema.schema-version="1.0"
+LABEL org.label-schema.url="https://git.asifbacchus.app/ab-docker/ab-nginx"
+LABEL org.label-schema.usage="https://git.asifbacchus.app/ab-docker/ab-nginx/wiki"
+LABEL org.label-schema.vcs-url="https://git.asifbacchus.app/ab-docker/ab-nginx.git"
+LABEL org.label-schema.version="0.1-beta"
+
+# copy configuration files
+COPY entrypoint.sh /entrypoint.sh
+COPY config /etc/nginx/
+COPY sites /etc/nginx/sites/
+
+# expose ports
+EXPOSE 80 443
+
+# default environment variables
+ENV SERVER_NAME="_"
+
+# entrypoint script
+ENTRYPOINT [ "/entrypoint.sh" ]
+
+# run NGINX by default
+CMD [ "nginx", "-g", "daemon off;" ]
+
+# add build date label
+ARG BUILD_DATE
+LABEL org.label-schema.build-date=${BUILD_DATE}
diff --git a/build/config/config/mozIntermediate_ssl.conf.disabled b/build/config/config/mozIntermediate_ssl.conf.disabled
new file mode 100644
index 0000000..a0d58b1
--- /dev/null
+++ b/build/config/config/mozIntermediate_ssl.conf.disabled
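Review bot: `COPY entrypoint.sh /entrypoint.sh` preserves the mode the script has in git, and the commit records `create mode 100644 build/entrypoint.sh`, so `ENTRYPOINT [ "/entrypoint.sh" ]` at the end of this hunk will fail with a permission error the first time the container starts. Either commit the script as 100755 or add `RUN chmod 0755 /entrypoint.sh` directly after the COPY line. `FROM nginx:mainline-alpine` is a floating tag, so two builds of the same commit can produce different images; pinning a specific nginx version (or a digest) and bumping it deliberately keeps the base image auditable. `ENV SERVER_NAME="_"` is not read by the entrypoint or any configuration file in this commit, which is worth a comment if it is reserved for later use.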
@@ -0,0 +1,34 @@
+#######
+### NGINX SSL configuration
+### Generated using the Mozilla SSL Configuration Generator
+### (https://ssl-config.mozilla.org)
+### 'Intermediate' profile for NGINX 1.17 with OpenSSL 1.1.1c HSTS optional
+### Last generated: October 16, 2019
+#######
+
+# SSL certificates should be defined in the relevant server block
+
+# SSL parameters
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+
+# SSL protocols and ciphers
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;ssl_prefer_server_ciphers off;
+
+# Diffie-Hellman parameter for DHE cipher suites, using 4096 bits
+ssl_dhparam /certs/dhparam.pem;
+
+# HSTS (6 months = 15768000 seconds)
+#add_header Strict-Transport-Security "max-age=63072000" always;
+
+# OCSP Stapling
+# fetch OCSP records from URL in ssl_certificate and cache them
+ssl_stapling on;
+ssl_stapling_verify on;
+
+# verify chain of trust of OCSP response using Root CA and Intermediate certs
+ssl_trusted_certificate /certs/chain.pem;
+
+# resolver should be specified in nginx.conf or in networking configuration
\ No newline at end of file
diff --git a/build/config/config/mozModern_ssl.conf.disabled b/build/config/config/mozModern_ssl.conf.disabled
new file mode 100644
index 0000000..5cfe985
--- /dev/null
+++ b/build/config/config/mozModern_ssl.conf.disabled
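Review bot: The `ssl_ciphers …;ssl_prefer_server_ciphers off;` line carries two directives, and the hunk's 34-line count (against 31 in the Modern profile, which has no cipher list and no dhparam block) shows they really share one physical line in the file rather than being a rendering artefact; nginx accepts this, but `ssl_prefer_server_ciphers off` is easy to miss at the end of a very long line, so put it on its own line. The comment `# HSTS (6 months = 15768000 seconds)` does not match the commented-out directive's `max-age=63072000`, which is two years; the same mismatch is in mozModern_ssl.conf.disabled. Reword it to `# HSTS (2 years = 63072000 seconds); enable only once every host and subdomain is served over HTTPS` or change the value so comment and directive agree.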
@@ -0,0 +1,31 @@
+#######
+### NGINX SSL configuration
+### Generated using the Mozilla SSL Configuration Generator
+### (https://ssl-config.mozilla.org)
+### 'Modern' profile for NGINX 1.17 with OpenSSL 1.1.1c HSTS optional
+### Last generated: October 16, 2019
+#######
+
+# SSL certificates should be defined in the relevant server block
+
+# SSL parameters
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+
+# SSL protocols and ciphers
+ssl_protocols TLSv1.3;
+ssl_prefer_server_ciphers off;
+
+# HSTS (6 months = 15768000 seconds)
+#add_header Strict-Transport-Security "max-age=63072000" always;
+
+# OCSP Stapling
+# fetch OCSP records from URL in ssl_certificate and cache them
+ssl_stapling on;
+ssl_stapling_verify on;
+
+# verify chain of trust of OCSP response using Root CA and Intermediate certs
+ssl_trusted_certificate /certs/chain.pem;
+
+# resolver should be specified in nginx.conf or in networking configuration
\ No newline at end of file
diff --git a/build/config/nginx.conf b/build/config/nginx.conf
new file mode 100644
index 0000000..b64208e
--- /dev/null
+++ b/build/config/nginx.conf
@@ -0,0 +1,49 @@
+#
+### NGINX main configuration
+#
+
+user nginx;
+worker_processes 1;
+pid /var/run/nginx.pid;
+
+error_log /var/log/nginx/error.log warn;
+
+# include dynamically linked modules
+include /etc/nginx/modules/*.conf;
+
+events {
+ worker_connections 512;
+ multi_accept off;
+ use epoll;
+}
+
+http {
+ default_type application/octet-stream;
+ charset utf-8;
+ include /etc/nginx/mime.types;
+
+ # set default index and webroot
+ index index.php index.html;
+ root /usr/share/nginx/html;
+
+ # logging options (off by default for performance)
+ log_format main '$remote_addr - $remote_user [$time_local] $request '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for" '
+ '"$host" server="$server_name" '
+ 'reqtime="$request_time" '
+ 'uaddr="$upstream_addr" ustat="$upstream_status" '
+ 'utime="$upstream_response_time" ulen="$upstream_response_length" '
+ 'cache="$upstream_cache_status"';
+ #access_log /var/log/nginx/access.log main;
+ access_log off;
+
+ # server configuration options
+ server_tokens off;
+ real_ip_recursive on;
+ resolver 1.1.1.1;
+ include /etc/nginx/config/*.conf;
+
+ # include enabled server blocks from sites/*.conf
+ include /etc/nginx/sites/*.conf;
+}
diff --git a/build/config/server_names.conf b/build/config/server_names.conf
new file mode 100644
index 0000000..38a8964
--- /dev/null
+++ b/build/config/server_names.conf
@@ -0,0 +1,7 @@
+# server names
+server_name
+ domain.tld
+ www.domain.tld
+ server.domain.tld
+ alt.domain.tld
+ ;
diff --git a/build/config/ssl_location.conf b/build/config/ssl_location.conf
new file mode 100644
index 0000000..c8f94cb
--- /dev/null
+++ b/build/config/ssl_location.conf
@@ -0,0 +1,3 @@
+# SSL certificate for this connection
+ssl_certificate ;
+ssl_certificate_key ;
diff --git a/build/entrypoint.sh b/build/entrypoint.sh
new file mode 100644
index 0000000..7056733
--- /dev/null
+++ b/build/entrypoint.sh
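Review bot: `real_ip_recursive on;` under "server configuration options" is inert on its own: nginx only rewrites `$remote_addr` when `set_real_ip_from` and `real_ip_header` are also set, and neither appears in this commit, so either drop the line or add a comment such as `# real_ip_recursive only takes effect once set_real_ip_from/real_ip_header are supplied from /etc/nginx/config/`. `index index.php index.html;` names a PHP index while no FastCGI handler exists anywhere in the image; since `.php` is not in mime.types and `default_type` is `application/octet-stream`, an `index.php` dropped into the webroot would be sent to clients as a raw file rather than executed. Unless a PHP stage is planned, `index index.html;` is the safer default. `resolver 1.1.1.1;` is the upstream DNS used for OCSP stapling by the TLS profiles and is plain UDP to an external address; a comment saying so, and that operators on restricted networks should override it, would help.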
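Review bot: `ssl_certificate ;` and `ssl_certificate_key ;` carry no argument, so nginx rejects the whole configuration with an invalid-number-of-arguments error as soon as any server block includes this file; nothing in this commit includes it, so the error is latent. If the file is meant as a template, state that in its header comment and ship the two directives commented out, e.g. `#ssl_certificate /certs/<cert-file>;` and `#ssl_certificate_key /certs/<key-file>;`, so an accidental include fails for a visible reason instead of a parse error.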
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+#
+### ab-nginx entrypoint script
+#
+
+
+# execute commands passed to this container
+exec "$@"
+
+#EOF
\ No newline at end of file
diff --git a/build/sites/00-redirectHTTPS.conf.disabled b/build/sites/00-redirectHTTPS.conf.disabled
new file mode 100644
index 0000000..e47200d
--- /dev/null
+++ b/build/sites/00-redirectHTTPS.conf.disabled
@@ -0,0 +1,22 @@
+### redirect to secure site
+
+server {
+ listen 80;
+ server_name default_server;
+
+ # redirect to properly formed HTTPS location
+ location / {
+ return 301 https://$host$request_uri;
+ }
+
+ # process Let's Encrypt challenges
+ location ^~ /.well-known/acme-challenge {
+ # log requests for security reasons
+ access_log /var/log/nginx/LetsEncrypt_access.log main;
+ error_log /var/log/nginx/LetsEncrypt_error.log warn;
+
+ default_type text/plain;
+ root /usr/share/nginx/html/letsencrypt;
+ autoindex on;
+ }
+}
diff --git a/build/sites/05-test_nonsecured.conf b/build/sites/05-test_nonsecured.conf
new file mode 100644
index 0000000..cdbeb4a
--- /dev/null
+++ b/build/sites/05-test_nonsecured.conf
@@ -0,0 +1,10 @@
+### UNsecured test page
+
+server {
+ listen 80;
+ server_name default_server;
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+}
diff --git a/build/sites/05-test_secured.conf b/build/sites/05-test_secured.conf
new file mode 100644
index 0000000..bef6fd2
--- /dev/null
+++ b/build/sites/05-test_secured.conf
@@ -0,0 +1,10 @@
+### UNsecured test page
+
+server {
+ listen 443;
+ include /etc/nginx/server_names.conf;
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+}
diff --git a/config/config/buffers.conf b/config/config/buffers.conf
new file mode 100644
index 0000000..466ba99
--- /dev/null
+++ b/config/config/buffers.conf
@@ -0,0 +1,4 @@
+client_body_buffer_size 16k;
+client_max_body_size 10M;
+client_header_buffer_size 1k;
+large_client_header_buffers 4 8k;
diff --git a/config/config/gzip.conf b/config/config/gzip.conf
new file mode 100644
index 0000000..768afea
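Review bot: `server_name default_server;` in the redirect block sets the literal hostname `default_server`; `default_server` is a parameter of `listen`, not a server name, so this block is selected only by ordinary Host matching and does not catch unmatched hosts as the name suggests. The same line is in 05-test_nonsecured.conf, and once this file is renamed to `.conf` both blocks will listen on port 80 with an identical `server_name`, which nginx reports as a conflicting server name and ignores for one of them. Use `listen 80 default_server;` with `server_name _;` in whichever block is meant to be the catch-all. `autoindex on;` under the acme-challenge location also publishes a directory listing of the challenge root; the ACME client requests exact token paths, so the default `autoindex off` is enough and avoids exposing the listing.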
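Review bot: `listen 443;` in 05-test_secured.conf has no `ssl` parameter and the block includes no certificate directives, so this server answers plaintext HTTP on port 443 despite the file name; the header `### UNsecured test page` is also carried over from the non-secured file. A TLS test page needs `listen 443 ssl;` plus an include of the certificate file, e.g. `include /etc/nginx/ssl_location.conf;` once that file holds real paths, and one of the two profiles under `/etc/nginx/config/` has to be renamed from `.conf.disabled` to `.conf` so `include /etc/nginx/config/*.conf;` in nginx.conf picks up the `ssl_*` parameters. Retitle the header to `### secured (TLS) test page` so the two files are distinguishable.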
--- /dev/null
+++ b/config/config/gzip.conf
@@ -0,0 +1,14 @@
+gzip on;
+gzip_vary on;
+gzip_comp_level 4;
+gzip_min_length 256;
+gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+gzip_types application/atom+xml application/javascript application/json
+ application/ld+json application/manifest+json application/rss+xml
+ application/vnd.geo+json application/vnd.ms-fontobject
+ application/x-font-ttf application/x-web-app-manifest+json
+ application/xhtml+xml application/xml font/opentype image/bmp
+ image/svg+xml image/x-icon text/cache-manifest text/css text/plain
+ text/vcard text/vnd.rim.location.xloc text/vtt text/x-component
+ text/x-cross-domain-policy;
+gzip_disable "MSIE [1-6]\.";
\ No newline at end of file
diff --git a/config/config/headersSecurity.conf b/config/config/headersSecurity.conf
new file mode 100644
index 0000000..0d2a47a
--- /dev/null
+++ b/config/config/headersSecurity.conf
@@ -0,0 +1,12 @@
+add_header Feature-Policy "geolocation 'self'";
+
+add_header Referrer-Policy "strict-origin" always;
+
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-Download-Options noopen;
+add_header X-Frame-Options DENY;
+add_header X-Permitted-Cross-Domain-Policies none;
+add_header X-UA-Compatible "IE=edge";
+add_header X-XSS-Protection "1; mode=block" always;
+
+add_header X-Robots-Tag none;
\ No newline at end of file
diff --git a/config/config/readme b/config/config/readme
new file mode 100644
index 0000000..652171f
--- /dev/null
+++ b/config/config/readme
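Review bot: These `add_header` lines live in the http context, and nginx discards every inherited `add_header` as soon as a `server` or `location` block declares its own `add_header`, so a site that adds even one Cache-Control header silently loses all of the headers in this file. Put that at the top of the file, e.g. `# NOTE: add_header is not merged across contexts; any server/location that sets its own add_header must include this file again`, so operators know to re-include it. The `always` flag is applied inconsistently: `X-Frame-Options DENY`, `X-Permitted-Cross-Domain-Policies none` and `X-Content-Type-Options`'s neighbours without it are omitted from 4xx/5xx responses, so an error page from this server carries fewer protections than a 200; add `always` to each security header. `add_header X-Robots-Tag none;` also applies to every site the image serves and keeps all of them out of search indexes, which should be either stated as deliberate or moved to a per-site file.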
@@ -0,0 +1,7 @@
+- Place all your configuration customization files in this directory
+ - feel free to edit the included recommended files
+ - files here override container settings including nginx.conf
+- Files here are placed in the HTTP configuration context
+- ONLY files that end with '.conf' will be processed!
+ - if you want to keep a file for reference or disable it temporarily,
+ simply change the extension. I like using '.conf.disabled'.
\ No newline at end of file
diff --git a/config/config/staticContent.conf b/config/config/staticContent.conf
new file mode 100644
index 0000000..20b5de5
--- /dev/null
+++ b/config/config/staticContent.conf
@@ -0,0 +1,4 @@
+sendfile on;
+sendfile_max_chunk 1m;
+tcp_nopush on;
+tcp_nodelay on;
\ No newline at end of file
diff --git a/config/config/timeouts.conf b/config/config/timeouts.conf
new file mode 100644
index 0000000..e31b0b4
--- /dev/null
+++ b/config/config/timeouts.conf
@@ -0,0 +1,8 @@
+client_body_timeout 15s;
+client_header_timeout 15s;
+send_timeout 15s;
+keepalive_timeout 65s;
+reset_timedout_connection on;
+proxy_connect_timeout 30s;
+proxy_read_timeout 60s;
+proxy_send_timeout 60s;
\ No newline at end of file
diff --git a/sites/readme b/sites/readme
new file mode 100644
index 0000000..e6e5c25
--- /dev/null
+++ b/sites/readme
@@ -0,0 +1,9 @@
+- Place all your server block configuration files in this directory
+- This path should be bind-mounted to the container at:
+ '/etc/nginx/sites'
+ - this bind-mount will override the test pages included in the container by
+ default.
+- All files should begin in the 'server' configuration context
+- ONLY files that end with '.conf' will be processed!
+ - if you want to keep a file for reference or disable it temporarily,
+ simply change the extension. I like using '.conf.disabled'.
\ No newline at end of file