initial commit - skeleton setup

2019-10-16 23:44:47 -06:00 · 2019-10-16 23:44:47 -06:00 · 141b932a1c
commit 141b932a1c
parent 3536434902
17 changed files with 268 additions and 0 deletions
--- a/build/Dockerfile
+++ b/build/Dockerfile
@ -0,0 +1,33 @@
 FROM nginx:mainline-alpine
 # standardized labels
 LABEL maintainer="Asif Bacchus <asif@bacchus.cloud>"
 LABEL org.label-schema.cmd=""
 LABEL org.label-schema.description=""
 LABEL org.label-schema.name="ab-nginx"
 LABEL org.label-schema.schema-version="1.0"
 LABEL org.label-schema.url="https://git.asifbacchus.app/ab-docker/ab-nginx"
 LABEL org.label-schema.usage="https://git.asifbacchus.app/ab-docker/ab-nginx/wiki"
 LABEL org.label-schema.vcs-url="https://git.asifbacchus.app/ab-docker/ab-nginx.git"
 LABEL org.label-schema.version="0.1-beta"
 # copy configuration files
 COPY entrypoint.sh /entrypoint.sh
 COPY config /etc/nginx/
 COPY sites /etc/nginx/sites/
 # expose ports
 EXPOSE 80 443
 # default environment variables
 ENV SERVER_NAME="_"
 # entrypoint script
 ENTRYPOINT [ "/entrypoint.sh" ]
 # run NGINX by default
 CMD [ "nginx", "-g", "daemon off;" ]
 # add build date label
 ARG BUILD_DATE
 LABEL org.label-schema.build-date=${BUILD_DATE}
--- a/build/config/config/mozIntermediate_ssl.conf.disabled
+++ b/build/config/config/mozIntermediate_ssl.conf.disabled
@ -0,0 +1,34 @@
 #######
 ### NGINX SSL configuration
 ### Generated using the Mozilla SSL Configuration Generator
 ### (https://ssl-config.mozilla.org)
 ### 'Intermediate' profile for NGINX 1.17 with OpenSSL 1.1.1c HSTS optional
 ### Last generated: October 16, 2019
 #######
 # SSL certificates should be defined in the relevant server block
 # SSL parameters
 ssl_session_timeout 1d;
 ssl_session_cache shared:SSL:10m;
 ssl_session_tickets off;
 # SSL protocols and ciphers
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;ssl_prefer_server_ciphers off;
 # Diffie-Hellman parameter for DHE cipher suites, using 4096 bits
 ssl_dhparam /certs/dhparam.pem;
 # HSTS (6 months = 15768000 seconds)
 #add_header Strict-Transport-Security "max-age=63072000" always;
 # OCSP Stapling
 # fetch OCSP records from URL in ssl_certificate and cache them
 ssl_stapling on;
 ssl_stapling_verify on;
 # verify chain of trust of OCSP response using Root CA and Intermediate certs
 ssl_trusted_certificate /certs/chain.pem;
 # resolver should be specified in nginx.conf or in networking configuration
--- a/build/config/config/mozModern_ssl.conf.disabled
+++ b/build/config/config/mozModern_ssl.conf.disabled
@ -0,0 +1,31 @@
 #######
 ### NGINX SSL configuration
 ### Generated using the Mozilla SSL Configuration Generator
 ### (https://ssl-config.mozilla.org)
 ### 'Modern' profile for NGINX 1.17 with OpenSSL 1.1.1c HSTS optional
 ### Last generated: October 16, 2019
 #######
 # SSL certificates should be defined in the relevant server block
 # SSL parameters
 ssl_session_timeout 1d;
 ssl_session_cache shared:SSL:10m;
 ssl_session_tickets off;
 # SSL protocols and ciphers
 ssl_protocols TLSv1.3;
 ssl_prefer_server_ciphers off;
 # HSTS (6 months = 15768000 seconds)
 #add_header Strict-Transport-Security "max-age=63072000" always;
 # OCSP Stapling
 # fetch OCSP records from URL in ssl_certificate and cache them
 ssl_stapling on;
 ssl_stapling_verify on;
 # verify chain of trust of OCSP response using Root CA and Intermediate certs
 ssl_trusted_certificate /certs/chain.pem;
 # resolver should be specified in nginx.conf or in networking configuration
--- a/build/config/nginx.conf
+++ b/build/config/nginx.conf
@ -0,0 +1,49 @@
 #
 ### NGINX main configuration
 #
 user nginx;
 worker_processes 1;
 pid /var/run/nginx.pid;
 error_log /var/log/nginx/error.log warn;
 # include dynamically linked modules
 include /etc/nginx/modules/*.conf;
 events {
    worker_connections 512;
    multi_accept off;
    use epoll;    
 }
 http {
    default_type application/octet-stream;
    charset utf-8;
    include /etc/nginx/mime.types;
    # set default index and webroot
    index index.php index.html;
    root /usr/share/nginx/html;
    # logging options (off by default for performance)
    log_format main '$remote_addr - $remote_user [$time_local] $request '
        '$status $body_bytes_sent "$http_referer" '
        '"$http_user_agent" "$http_x_forwarded_for" '
        '"$host" server="$server_name" '
        'reqtime="$request_time" '
        'uaddr="$upstream_addr" ustat="$upstream_status" '
        'utime="$upstream_response_time" ulen="$upstream_response_length" '
        'cache="$upstream_cache_status"';
    #access_log /var/log/nginx/access.log main;
    access_log off;
    # server configuration options
    server_tokens off;
    real_ip_recursive on;
    resolver 1.1.1.1;
    include /etc/nginx/config/*.conf;
    # include enabled server blocks from sites/*.conf
    include /etc/nginx/sites/*.conf;
 }
--- a/build/config/server_names.conf
+++ b/build/config/server_names.conf
@ -0,0 +1,7 @@
 # server names
 server_name
    domain.tld
    www.domain.tld
    server.domain.tld
    alt.domain.tld
    ;
--- a/build/config/ssl_location.conf
+++ b/build/config/ssl_location.conf
@ -0,0 +1,3 @@
 # SSL certificate for this connection
 ssl_certificate         <SSL_CERT>;
 ssl_certificate_key     <SSL_KEY>;
--- a/build/entrypoint.sh
+++ b/build/entrypoint.sh
@ -0,0 +1,11 @@
 #!/bin/sh
 #
 ### ab-nginx entrypoint script
 #
 # execute commands passed to this container
 exec "$@"
 #EOF
--- a/build/sites/00-redirectHTTPS.conf.disabled
+++ b/build/sites/00-redirectHTTPS.conf.disabled
@ -0,0 +1,22 @@
 ### redirect to secure site
 server {
    listen 80;
    server_name default_server;
    # redirect to properly formed HTTPS location
    location / {
        return 301 https://$host$request_uri;
    }
    # process Let's Encrypt challenges
    location ^~ /.well-known/acme-challenge {
        # log requests for security reasons
        access_log /var/log/nginx/LetsEncrypt_access.log main;
        error_log /var/log/nginx/LetsEncrypt_error.log warn;
        default_type text/plain;
        root /usr/share/nginx/html/letsencrypt;
        autoindex on;
    }
 }
--- a/build/sites/05-test_nonsecured.conf
+++ b/build/sites/05-test_nonsecured.conf
@ -0,0 +1,10 @@
 ### UNsecured test page
 server {
    listen 80;
    server_name default_server;
    location / {
        try_files $uri $uri/ =404;        
    }
 }
--- a/build/sites/05-test_secured.conf
+++ b/build/sites/05-test_secured.conf
@ -0,0 +1,10 @@
 ### UNsecured test page
 server {
    listen 443;
    include /etc/nginx/server_names.conf;
    location / {
        try_files $uri $uri/ =404;        
    }
 }
--- a/config/config/buffers.conf
+++ b/config/config/buffers.conf
@ -0,0 +1,4 @@
 client_body_buffer_size 16k;
 client_max_body_size 10M;
 client_header_buffer_size 1k;
 large_client_header_buffers 4 8k;
--- a/config/config/gzip.conf
+++ b/config/config/gzip.conf
@ -0,0 +1,14 @@
 gzip on;
 gzip_vary on;
 gzip_comp_level 4;
 gzip_min_length 256;
 gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
 gzip_types application/atom+xml application/javascript application/json
    application/ld+json application/manifest+json application/rss+xml
    application/vnd.geo+json application/vnd.ms-fontobject
    application/x-font-ttf application/x-web-app-manifest+json
    application/xhtml+xml application/xml font/opentype image/bmp
    image/svg+xml image/x-icon text/cache-manifest text/css text/plain
    text/vcard text/vnd.rim.location.xloc text/vtt text/x-component
    text/x-cross-domain-policy;
 gzip_disable "MSIE [1-6]\.";
--- a/config/config/headersSecurity.conf
+++ b/config/config/headersSecurity.conf
@ -0,0 +1,12 @@
 add_header Feature-Policy "geolocation 'self'";
 add_header Referrer-Policy "strict-origin" always;
 add_header X-Content-Type-Options "nosniff" always;
 add_header X-Download-Options noopen;
 add_header X-Frame-Options DENY;
 add_header X-Permitted-Cross-Domain-Policies none;
 add_header X-UA-Compatible "IE=edge";
 add_header X-XSS-Protection "1; mode=block" always;
 add_header X-Robots-Tag none;
--- a/config/config/readme
+++ b/config/config/readme
@ -0,0 +1,7 @@
 - Place all your configuration customization files in this directory
    - feel free to edit the included recommended files
    - files here override container settings including nginx.conf
 - Files here are placed in the HTTP configuration context
 - ONLY files that end with '.conf' will be processed!
    - if you want to keep a file for reference or disable it temporarily, 
        simply change the extension.  I like using '.conf.disabled'.
--- a/config/config/staticContent.conf
+++ b/config/config/staticContent.conf
@ -0,0 +1,4 @@
 sendfile on;
 sendfile_max_chunk 1m;
 tcp_nopush on;
 tcp_nodelay on;
--- a/config/config/timeouts.conf
+++ b/config/config/timeouts.conf
@ -0,0 +1,8 @@
 client_body_timeout 15s;
 client_header_timeout 15s;
 send_timeout 15s;
 keepalive_timeout 65s;
 reset_timedout_connection on;
 proxy_connect_timeout 30s;
 proxy_read_timeout 60s;
 proxy_send_timeout 60s;
--- a/sites/readme
+++ b/sites/readme
@ -0,0 +1,9 @@
 - Place all your server block configuration files in this directory
 - This path should be bind-mounted to the container at:
  '/etc/nginx/sites'
    - this bind-mount will override the test pages included in the container by 
        default.
 - All files should begin in the 'server' configuration context
 - ONLY files that end with '.conf' will be processed!
    - if you want to keep a file for reference or disable it temporarily, 
        simply change the extension.  I like using '.conf.disabled'.