initial commit - skeleton setup
This commit is contained in:
parent
3536434902
commit
141b932a1c
33
build/Dockerfile
Normal file
33
build/Dockerfile
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
FROM nginx:mainline-alpine
|
||||||
|
|
||||||
|
# standardized labels
|
||||||
|
LABEL maintainer="Asif Bacchus <asif@bacchus.cloud>"
|
||||||
|
LABEL org.label-schema.cmd=""
|
||||||
|
LABEL org.label-schema.description=""
|
||||||
|
LABEL org.label-schema.name="ab-nginx"
|
||||||
|
LABEL org.label-schema.schema-version="1.0"
|
||||||
|
LABEL org.label-schema.url="https://git.asifbacchus.app/ab-docker/ab-nginx"
|
||||||
|
LABEL org.label-schema.usage="https://git.asifbacchus.app/ab-docker/ab-nginx/wiki"
|
||||||
|
LABEL org.label-schema.vcs-url="https://git.asifbacchus.app/ab-docker/ab-nginx.git"
|
||||||
|
LABEL org.label-schema.version="0.1-beta"
|
||||||
|
|
||||||
|
# copy configuration files
|
||||||
|
COPY entrypoint.sh /entrypoint.sh
|
||||||
|
COPY config /etc/nginx/
|
||||||
|
COPY sites /etc/nginx/sites/
|
||||||
|
|
||||||
|
# expose ports
|
||||||
|
EXPOSE 80 443
|
||||||
|
|
||||||
|
# default environment variables
|
||||||
|
ENV SERVER_NAME="_"
|
||||||
|
|
||||||
|
# entrypoint script
|
||||||
|
ENTRYPOINT [ "/entrypoint.sh" ]
|
||||||
|
|
||||||
|
# run NGINX by default
|
||||||
|
CMD [ "nginx", "-g", "daemon off;" ]
|
||||||
|
|
||||||
|
# add build date label
|
||||||
|
ARG BUILD_DATE
|
||||||
|
LABEL org.label-schema.build-date=${BUILD_DATE}
|
34
build/config/config/mozIntermediate_ssl.conf.disabled
Normal file
34
build/config/config/mozIntermediate_ssl.conf.disabled
Normal file
@ -0,0 +1,34 @@
|
|||||||
|
#######
|
||||||
|
### NGINX SSL configuration
|
||||||
|
### Generated using the Mozilla SSL Configuration Generator
|
||||||
|
### (https://ssl-config.mozilla.org)
|
||||||
|
### 'Intermediate' profile for NGINX 1.17 with OpenSSL 1.1.1c HSTS optional
|
||||||
|
### Last generated: October 16, 2019
|
||||||
|
#######
|
||||||
|
|
||||||
|
# SSL certificates should be defined in the relevant server block
|
||||||
|
|
||||||
|
# SSL parameters
|
||||||
|
ssl_session_timeout 1d;
|
||||||
|
ssl_session_cache shared:SSL:10m;
|
||||||
|
ssl_session_tickets off;
|
||||||
|
|
||||||
|
# SSL protocols and ciphers
|
||||||
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;ssl_prefer_server_ciphers off;
|
||||||
|
|
||||||
|
# Diffie-Hellman parameter for DHE cipher suites, using 4096 bits
|
||||||
|
ssl_dhparam /certs/dhparam.pem;
|
||||||
|
|
||||||
|
# HSTS (6 months = 15768000 seconds)
|
||||||
|
#add_header Strict-Transport-Security "max-age=63072000" always;
|
||||||
|
|
||||||
|
# OCSP Stapling
|
||||||
|
# fetch OCSP records from URL in ssl_certificate and cache them
|
||||||
|
ssl_stapling on;
|
||||||
|
ssl_stapling_verify on;
|
||||||
|
|
||||||
|
# verify chain of trust of OCSP response using Root CA and Intermediate certs
|
||||||
|
ssl_trusted_certificate /certs/chain.pem;
|
||||||
|
|
||||||
|
# resolver should be specified in nginx.conf or in networking configuration
|
31
build/config/config/mozModern_ssl.conf.disabled
Normal file
31
build/config/config/mozModern_ssl.conf.disabled
Normal file
@ -0,0 +1,31 @@
|
|||||||
|
#######
|
||||||
|
### NGINX SSL configuration
|
||||||
|
### Generated using the Mozilla SSL Configuration Generator
|
||||||
|
### (https://ssl-config.mozilla.org)
|
||||||
|
### 'Modern' profile for NGINX 1.17 with OpenSSL 1.1.1c HSTS optional
|
||||||
|
### Last generated: October 16, 2019
|
||||||
|
#######
|
||||||
|
|
||||||
|
# SSL certificates should be defined in the relevant server block
|
||||||
|
|
||||||
|
# SSL parameters
|
||||||
|
ssl_session_timeout 1d;
|
||||||
|
ssl_session_cache shared:SSL:10m;
|
||||||
|
ssl_session_tickets off;
|
||||||
|
|
||||||
|
# SSL protocols and ciphers
|
||||||
|
ssl_protocols TLSv1.3;
|
||||||
|
ssl_prefer_server_ciphers off;
|
||||||
|
|
||||||
|
# HSTS (6 months = 15768000 seconds)
|
||||||
|
#add_header Strict-Transport-Security "max-age=63072000" always;
|
||||||
|
|
||||||
|
# OCSP Stapling
|
||||||
|
# fetch OCSP records from URL in ssl_certificate and cache them
|
||||||
|
ssl_stapling on;
|
||||||
|
ssl_stapling_verify on;
|
||||||
|
|
||||||
|
# verify chain of trust of OCSP response using Root CA and Intermediate certs
|
||||||
|
ssl_trusted_certificate /certs/chain.pem;
|
||||||
|
|
||||||
|
# resolver should be specified in nginx.conf or in networking configuration
|
49
build/config/nginx.conf
Normal file
49
build/config/nginx.conf
Normal file
@ -0,0 +1,49 @@
|
|||||||
|
#
|
||||||
|
### NGINX main configuration
|
||||||
|
#
|
||||||
|
|
||||||
|
user nginx;
|
||||||
|
worker_processes 1;
|
||||||
|
pid /var/run/nginx.pid;
|
||||||
|
|
||||||
|
error_log /var/log/nginx/error.log warn;
|
||||||
|
|
||||||
|
# include dynamically linked modules
|
||||||
|
include /etc/nginx/modules/*.conf;
|
||||||
|
|
||||||
|
events {
|
||||||
|
worker_connections 512;
|
||||||
|
multi_accept off;
|
||||||
|
use epoll;
|
||||||
|
}
|
||||||
|
|
||||||
|
http {
|
||||||
|
default_type application/octet-stream;
|
||||||
|
charset utf-8;
|
||||||
|
include /etc/nginx/mime.types;
|
||||||
|
|
||||||
|
# set default index and webroot
|
||||||
|
index index.php index.html;
|
||||||
|
root /usr/share/nginx/html;
|
||||||
|
|
||||||
|
# logging options (off by default for performance)
|
||||||
|
log_format main '$remote_addr - $remote_user [$time_local] $request '
|
||||||
|
'$status $body_bytes_sent "$http_referer" '
|
||||||
|
'"$http_user_agent" "$http_x_forwarded_for" '
|
||||||
|
'"$host" server="$server_name" '
|
||||||
|
'reqtime="$request_time" '
|
||||||
|
'uaddr="$upstream_addr" ustat="$upstream_status" '
|
||||||
|
'utime="$upstream_response_time" ulen="$upstream_response_length" '
|
||||||
|
'cache="$upstream_cache_status"';
|
||||||
|
#access_log /var/log/nginx/access.log main;
|
||||||
|
access_log off;
|
||||||
|
|
||||||
|
# server configuration options
|
||||||
|
server_tokens off;
|
||||||
|
real_ip_recursive on;
|
||||||
|
resolver 1.1.1.1;
|
||||||
|
include /etc/nginx/config/*.conf;
|
||||||
|
|
||||||
|
# include enabled server blocks from sites/*.conf
|
||||||
|
include /etc/nginx/sites/*.conf;
|
||||||
|
}
|
7
build/config/server_names.conf
Normal file
7
build/config/server_names.conf
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
# server names
|
||||||
|
server_name
|
||||||
|
domain.tld
|
||||||
|
www.domain.tld
|
||||||
|
server.domain.tld
|
||||||
|
alt.domain.tld
|
||||||
|
;
|
3
build/config/ssl_location.conf
Normal file
3
build/config/ssl_location.conf
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
# SSL certificate for this connection
|
||||||
|
ssl_certificate <SSL_CERT>;
|
||||||
|
ssl_certificate_key <SSL_KEY>;
|
11
build/entrypoint.sh
Normal file
11
build/entrypoint.sh
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
#
|
||||||
|
### ab-nginx entrypoint script
|
||||||
|
#
|
||||||
|
|
||||||
|
|
||||||
|
# execute commands passed to this container
|
||||||
|
exec "$@"
|
||||||
|
|
||||||
|
#EOF
|
22
build/sites/00-redirectHTTPS.conf.disabled
Normal file
22
build/sites/00-redirectHTTPS.conf.disabled
Normal file
@ -0,0 +1,22 @@
|
|||||||
|
### redirect to secure site
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
server_name default_server;
|
||||||
|
|
||||||
|
# redirect to properly formed HTTPS location
|
||||||
|
location / {
|
||||||
|
return 301 https://$host$request_uri;
|
||||||
|
}
|
||||||
|
|
||||||
|
# process Let's Encrypt challenges
|
||||||
|
location ^~ /.well-known/acme-challenge {
|
||||||
|
# log requests for security reasons
|
||||||
|
access_log /var/log/nginx/LetsEncrypt_access.log main;
|
||||||
|
error_log /var/log/nginx/LetsEncrypt_error.log warn;
|
||||||
|
|
||||||
|
default_type text/plain;
|
||||||
|
root /usr/share/nginx/html/letsencrypt;
|
||||||
|
autoindex on;
|
||||||
|
}
|
||||||
|
}
|
10
build/sites/05-test_nonsecured.conf
Normal file
10
build/sites/05-test_nonsecured.conf
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
### UNsecured test page
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
server_name default_server;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
try_files $uri $uri/ =404;
|
||||||
|
}
|
||||||
|
}
|
10
build/sites/05-test_secured.conf
Normal file
10
build/sites/05-test_secured.conf
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
### UNsecured test page
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443;
|
||||||
|
include /etc/nginx/server_names.conf;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
try_files $uri $uri/ =404;
|
||||||
|
}
|
||||||
|
}
|
4
config/config/buffers.conf
Normal file
4
config/config/buffers.conf
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
client_body_buffer_size 16k;
|
||||||
|
client_max_body_size 10M;
|
||||||
|
client_header_buffer_size 1k;
|
||||||
|
large_client_header_buffers 4 8k;
|
14
config/config/gzip.conf
Normal file
14
config/config/gzip.conf
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
gzip on;
|
||||||
|
gzip_vary on;
|
||||||
|
gzip_comp_level 4;
|
||||||
|
gzip_min_length 256;
|
||||||
|
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
|
||||||
|
gzip_types application/atom+xml application/javascript application/json
|
||||||
|
application/ld+json application/manifest+json application/rss+xml
|
||||||
|
application/vnd.geo+json application/vnd.ms-fontobject
|
||||||
|
application/x-font-ttf application/x-web-app-manifest+json
|
||||||
|
application/xhtml+xml application/xml font/opentype image/bmp
|
||||||
|
image/svg+xml image/x-icon text/cache-manifest text/css text/plain
|
||||||
|
text/vcard text/vnd.rim.location.xloc text/vtt text/x-component
|
||||||
|
text/x-cross-domain-policy;
|
||||||
|
gzip_disable "MSIE [1-6]\.";
|
12
config/config/headersSecurity.conf
Normal file
12
config/config/headersSecurity.conf
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
add_header Feature-Policy "geolocation 'self'";
|
||||||
|
|
||||||
|
add_header Referrer-Policy "strict-origin" always;
|
||||||
|
|
||||||
|
add_header X-Content-Type-Options "nosniff" always;
|
||||||
|
add_header X-Download-Options noopen;
|
||||||
|
add_header X-Frame-Options DENY;
|
||||||
|
add_header X-Permitted-Cross-Domain-Policies none;
|
||||||
|
add_header X-UA-Compatible "IE=edge";
|
||||||
|
add_header X-XSS-Protection "1; mode=block" always;
|
||||||
|
|
||||||
|
add_header X-Robots-Tag none;
|
7
config/config/readme
Normal file
7
config/config/readme
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
- Place all your configuration customization files in this directory
|
||||||
|
- feel free to edit the included recommended files
|
||||||
|
- files here override container settings including nginx.conf
|
||||||
|
- Files here are placed in the HTTP configuration context
|
||||||
|
- ONLY files that end with '.conf' will be processed!
|
||||||
|
- if you want to keep a file for reference or disable it temporarily,
|
||||||
|
simply change the extension. I like using '.conf.disabled'.
|
4
config/config/staticContent.conf
Normal file
4
config/config/staticContent.conf
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
sendfile on;
|
||||||
|
sendfile_max_chunk 1m;
|
||||||
|
tcp_nopush on;
|
||||||
|
tcp_nodelay on;
|
8
config/config/timeouts.conf
Normal file
8
config/config/timeouts.conf
Normal file
@ -0,0 +1,8 @@
|
|||||||
|
client_body_timeout 15s;
|
||||||
|
client_header_timeout 15s;
|
||||||
|
send_timeout 15s;
|
||||||
|
keepalive_timeout 65s;
|
||||||
|
reset_timedout_connection on;
|
||||||
|
proxy_connect_timeout 30s;
|
||||||
|
proxy_read_timeout 60s;
|
||||||
|
proxy_send_timeout 60s;
|
9
sites/readme
Normal file
9
sites/readme
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
- Place all your server block configuration files in this directory
|
||||||
|
- This path should be bind-mounted to the container at:
|
||||||
|
'/etc/nginx/sites'
|
||||||
|
- this bind-mount will override the test pages included in the container by
|
||||||
|
default.
|
||||||
|
- All files should begin in the 'server' configuration context
|
||||||
|
- ONLY files that end with '.conf' will be processed!
|
||||||
|
- if you want to keep a file for reference or disable it temporarily,
|
||||||
|
simply change the extension. I like using '.conf.disabled'.
|
Loading…
Reference in New Issue
Block a user