initial commit - skeleton setup

2019-10-16 23:44:47 -06:00
parent 3536434902
commit 141b932a1c
17 changed files with 268 additions and 0 deletions
@@ -0,0 +1,33 @@
+FROM nginx:mainline-alpine
+
+# standardized labels
+LABEL maintainer="Asif Bacchus <asif@bacchus.cloud>"
+LABEL org.label-schema.cmd=""
+LABEL org.label-schema.description=""
+LABEL org.label-schema.name="ab-nginx"
+LABEL org.label-schema.schema-version="1.0"
+LABEL org.label-schema.url="https://git.asifbacchus.app/ab-docker/ab-nginx"
+LABEL org.label-schema.usage="https://git.asifbacchus.app/ab-docker/ab-nginx/wiki"
+LABEL org.label-schema.vcs-url="https://git.asifbacchus.app/ab-docker/ab-nginx.git"
+LABEL org.label-schema.version="0.1-beta"
+
+# copy configuration files
+COPY entrypoint.sh /entrypoint.sh
+COPY config /etc/nginx/
+COPY sites /etc/nginx/sites/
+
+# expose ports
+EXPOSE 80 443
+
+# default environment variables
+ENV SERVER_NAME="_"
+
+# entrypoint script
+ENTRYPOINT [ "/entrypoint.sh" ]
+
+# run NGINX by default
+CMD [ "nginx", "-g", "daemon off;" ]
+
+# add build date label
+ARG BUILD_DATE
+LABEL org.label-schema.build-date=${BUILD_DATE}
@@ -0,0 +1,34 @@
+#######
+### NGINX SSL configuration
+### Generated using the Mozilla SSL Configuration Generator
+### (https://ssl-config.mozilla.org)
+### 'Intermediate' profile for NGINX 1.17 with OpenSSL 1.1.1c HSTS optional
+### Last generated: October 16, 2019
+#######
+
+# SSL certificates should be defined in the relevant server block
+
+# SSL parameters
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+
+# SSL protocols and ciphers
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;ssl_prefer_server_ciphers off;
+
+# Diffie-Hellman parameter for DHE cipher suites, using 4096 bits
+ssl_dhparam /certs/dhparam.pem;
+
+# HSTS (6 months = 15768000 seconds)
+#add_header Strict-Transport-Security "max-age=63072000" always;
+
+# OCSP Stapling
+# fetch OCSP records from URL in ssl_certificate and cache them
+ssl_stapling on;
+ssl_stapling_verify on;
+
+# verify chain of trust of OCSP response using Root CA and Intermediate certs
+ssl_trusted_certificate /certs/chain.pem;
+
+# resolver should be specified in nginx.conf or in networking configuration
@@ -0,0 +1,31 @@
+#######
+### NGINX SSL configuration
+### Generated using the Mozilla SSL Configuration Generator
+### (https://ssl-config.mozilla.org)
+### 'Modern' profile for NGINX 1.17 with OpenSSL 1.1.1c HSTS optional
+### Last generated: October 16, 2019
+#######
+
+# SSL certificates should be defined in the relevant server block
+
+# SSL parameters
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+
+# SSL protocols and ciphers
+ssl_protocols TLSv1.3;
+ssl_prefer_server_ciphers off;
+
+# HSTS (6 months = 15768000 seconds)
+#add_header Strict-Transport-Security "max-age=63072000" always;
+
+# OCSP Stapling
+# fetch OCSP records from URL in ssl_certificate and cache them
+ssl_stapling on;
+ssl_stapling_verify on;
+
+# verify chain of trust of OCSP response using Root CA and Intermediate certs
+ssl_trusted_certificate /certs/chain.pem;
+
+# resolver should be specified in nginx.conf or in networking configuration
@@ -0,0 +1,49 @@
+#
+### NGINX main configuration
+#
+
+user nginx;
+worker_processes 1;
+pid /var/run/nginx.pid;
+
+error_log /var/log/nginx/error.log warn;
+
+# include dynamically linked modules
+include /etc/nginx/modules/*.conf;
+
+events {
+    worker_connections 512;
+    multi_accept off;
+    use epoll;    
+}
+
+http {
+    default_type application/octet-stream;
+    charset utf-8;
+    include /etc/nginx/mime.types;
+
+    # set default index and webroot
+    index index.php index.html;
+    root /usr/share/nginx/html;
+
+    # logging options (off by default for performance)
+    log_format main '$remote_addr - $remote_user [$time_local] $request '
+        '$status $body_bytes_sent "$http_referer" '
+        '"$http_user_agent" "$http_x_forwarded_for" '
+        '"$host" server="$server_name" '
+        'reqtime="$request_time" '
+        'uaddr="$upstream_addr" ustat="$upstream_status" '
+        'utime="$upstream_response_time" ulen="$upstream_response_length" '
+        'cache="$upstream_cache_status"';
+    #access_log /var/log/nginx/access.log main;
+    access_log off;
+
+    # server configuration options
+    server_tokens off;
+    real_ip_recursive on;
+    resolver 1.1.1.1;
+    include /etc/nginx/config/*.conf;
+    
+    # include enabled server blocks from sites/*.conf
+    include /etc/nginx/sites/*.conf;
+}
@@ -0,0 +1,7 @@
+# server names
+server_name
+    domain.tld
+    www.domain.tld
+    server.domain.tld
+    alt.domain.tld
+    ;
@@ -0,0 +1,3 @@
+# SSL certificate for this connection
+ssl_certificate         <SSL_CERT>;
+ssl_certificate_key     <SSL_KEY>;
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+#
+### ab-nginx entrypoint script
+#
+
+
+# execute commands passed to this container
+exec "$@"
+
+#EOF
@@ -0,0 +1,22 @@
+### redirect to secure site
+
+server {
+    listen 80;
+    server_name default_server;
+
+    # redirect to properly formed HTTPS location
+    location / {
+        return 301 https://$host$request_uri;
+    }
+    
+    # process Let's Encrypt challenges
+    location ^~ /.well-known/acme-challenge {
+        # log requests for security reasons
+        access_log /var/log/nginx/LetsEncrypt_access.log main;
+        error_log /var/log/nginx/LetsEncrypt_error.log warn;
+
+        default_type text/plain;
+        root /usr/share/nginx/html/letsencrypt;
+        autoindex on;
+    }
+}
@@ -0,0 +1,10 @@
+### UNsecured test page
+
+server {
+    listen 80;
+    server_name default_server;
+
+    location / {
+        try_files $uri $uri/ =404;        
+    }
+}
@@ -0,0 +1,10 @@
+### UNsecured test page
+
+server {
+    listen 443;
+    include /etc/nginx/server_names.conf;
+
+    location / {
+        try_files $uri $uri/ =404;        
+    }
+}