refactor(helpers): remove dhparams check

- container now auto-generates this file if needed

.gitattributes

@@ -10,17 +10,17 @@
 
 # Documents
 *.bibtex   text diff=bibtex
-*.doc           diff=astextplain
-*.DOC           diff=astextplain
-*.docx          diff=astextplain
-*.DOCX          diff=astextplain
-*.dot           diff=astextplain
-*.DOT           diff=astextplain
-*.pdf           diff=astextplain
-*.PDF           diff=astextplain
-*.rtf           diff=astextplain
-*.RTF           diff=astextplain
-*.md       text eol=lf
+*.doc      diff=astextplain
+*.DOC      diff=astextplain
+*.docx     diff=astextplain
+*.DOCX     diff=astextplain
+*.dot      diff=astextplain
+*.DOT      diff=astextplain
+*.pdf      diff=astextplain
+*.PDF      diff=astextplain
+*.rtf      diff=astextplain
+*.RTF      diff=astextplain
+*.md       text diff=markdown
 *.tex      text diff=tex
 *.adoc     text
 *.textile  text
@@ -30,6 +30,7 @@
 *.tsv      text
 *.txt      text
 *.sql      text
+*.ps1      text eol=crlf
 
 # Graphics
 *.png      binary
@@ -53,7 +54,22 @@
 # These are explicitly windows files and should use crlf
 *.bat      text eol=crlf
 *.cmd      text eol=crlf
-*.ps1      text eol=crlf
+
+# web frontend stack -- force LF so SRI hashes are always correct
+*.html     text eol=lf
+*.htm      text eol=lf
+*.css      text eol=lf
+*.min.css  text eol=lf
+*.js       text eol=lf
+*.min.js   text eol=lf
+
+# Visual Studio projects (Rider also)
+*.cs     diff=csharp
+*.sln    merge=union
+*.csproj merge=union
+*.vbproj merge=union
+*.fsproj merge=union
+*.dbproj merge=union
 
 # Serialisation
 *.json     text
@@ -66,19 +82,18 @@
 *.7z       binary
 *.gz       binary
 *.tar      binary
+*.tgz      binary
 *.zip      binary
 
-# nginx files
-*.conf     text eol=lf
+# Text files where line endings should be preserved
+*.patch    -text
 
 #
 # Exclude files from exporting
-#   only export helper scripts
 #
 
-.gitattributes export-ignore
-.gitignore     export-ignore
-.vscode        export-ignore
-.idea          export-ignore
-build          export-ignore
-README.md      export-ignore
+.gitattributes  export-ignore
+.gitignore      export-ignore
+.gitkeep        export-ignore
+.idea           export-ignore
+.vscode         export-ignore

.gitignore

@@ -1,10 +1,75 @@
-.vscode/*
-!.vscode/settings.json
-!.vscode/tasks.json
-!.vscode/launch.json
-!.vscode/extensions.json
-!.vscode/numbered-bookmarks.json
-*.code-workspace
+### JetBrains template
+# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider
+# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
+
+# User-specific stuff
+.idea/**/workspace.xml
+.idea/**/tasks.xml
+.idea/**/usage.statistics.xml
+.idea/**/dictionaries
+.idea/**/shelf
+
+# Generated files
+.idea/**/contentModel.xml
+
+# Sensitive or high-churn files
+.idea/**/dataSources/
+.idea/**/dataSources.ids
+.idea/**/dataSources.local.xml
+.idea/**/sqlDataSources.xml
+.idea/**/dynamic.xml
+.idea/**/uiDesigner.xml
+.idea/**/dbnavigator.xml
+
+# Gradle
+.idea/**/gradle.xml
+.idea/**/libraries
+
+# Gradle and Maven with auto-import
+# When using Gradle or Maven with auto-import, you should exclude module files,
+# since they will be recreated, and may cause churn.  Uncomment if using
+# auto-import.
+# .idea/artifacts
+# .idea/compiler.xml
+# .idea/jarRepositories.xml
+# .idea/modules.xml
+# .idea/*.iml
+# .idea/modules
+# *.iml
+# *.ipr
+
+# CMake
+cmake-build-*/
+
+# Mongo Explorer plugin
+.idea/**/mongoSettings.xml
+
+# File-based project format
+*.iws
+
+# IntelliJ
+out/
+
+# mpeltonen/sbt-idea plugin
+.idea_modules/
+
+# JIRA plugin
+atlassian-ide-plugin.xml
+
+# Cursive Clojure plugin
+.idea/replstate.xml
+
+# Crashlytics plugin (for Android Studio and IntelliJ)
+com_crashlytics_export_strings.xml
+crashlytics.properties
+crashlytics-build.properties
+fabric.properties
+
+# Editor-based Rest Client
+.idea/httpRequests
+
+# Android studio 3.1+ serialized cache file
+.idea/caches/build_file_checksums.ser
 
 # don't track my testing params file
 ab-nginx.params

.idea/.idea.ab-nginx.dir/.idea/indexLayout.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project version="4">
-  <component name="ContentModelUserStore">
+  <component name="UserContentModel">
     <attachedFolders />
     <explicitIncludes />
     <explicitExcludes />

.idea/.idea.ab-nginx.dir/.idea/riderModule.iml

@@ -1,7 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<module type="RIDER_MODULE" version="4">
-  <component name="NewModuleRootManager">
-    <content url="file://$MODULE_DIR$/../.." />
-    <orderEntry type="sourceFolder" forTests="false" />
-  </component>
-</module>

.idea/.idea.ab-nginx.dir/.idea/vcs.xml

@@ -2,11 +2,18 @@
 <project version="4">
   <component name="CommitMessageInspectionProfile">
     <profile version="1.0">
-      <inspection_tool class="BodyLimit" enabled="true" level="ERROR" enabled_by_default="true" />
+      <inspection_tool class="BodyLimit" enabled="true" level="WEAK WARNING" enabled_by_default="true" />
       <inspection_tool class="SubjectBodySeparation" enabled="true" level="ERROR" enabled_by_default="true" />
-      <inspection_tool class="SubjectLimit" enabled="true" level="ERROR" enabled_by_default="true" />
+      <inspection_tool class="SubjectLimit" enabled="true" level="WARNING" enabled_by_default="true" />
     </profile>
   </component>
+  <component name="GitSharedSettings">
+    <option name="FORCE_PUSH_PROHIBITED_PATTERNS">
+      <list>
+        <option value="master main" />
+      </list>
+    </option>
+  </component>
   <component name="VcsDirectoryMappings">
     <mapping directory="$PROJECT_DIR$" vcs="Git" />
   </component>

README.md

@@ -1,6 +1,6 @@
 # ab-nginx
 
-Containerized fully-functional implementation of NGINX running on Alpine **as a fully NON-ROOT user**. The container by default is a 'blank slate' that just serves files out of the box. Changing configuration, server blocks and content is accomplished with bind-mounts using a sensible, simple directory structure. The container auto-detects mounted certificates and switches to TLS automatically. [Helper scripts](https://git.asifbacchus.app/ab-docker/ab-nginx/releases) in the git repo make certificate mounting easier, allow for custom docker networks and more. The container by default can be used as a Let’s Encrypt endpoint with tools like certbot.
+Containerized fully-functional implementation of NGINX running on Alpine **as a fully NON-ROOT user**. The container by default is a 'blank slate' that just serves files out of the box. Changing configuration, server blocks and content is accomplished with bind-mounts using a sensible, simple directory structure. The container auto-detects mounted certificates and switches to TLS automatically. [Helper scripts](https://git.asifbacchus.dev/ab-docker/ab-nginx/releases) in the git repo make certificate mounting easier, allow for custom docker networks and more. The container by default can be used as a Let’s Encrypt endpoint with tools like certbot.
 
 ## Contents
 
@@ -24,27 +24,27 @@ Containerized fully-functional implementation of NGINX running on Alpine **as a
 
 ## Alternate repository
 
-Throughout this document, I reference my repository on DockerHub (`asifbacchus/ab-nginx:tag`). You may also feel free to pull directly from my private registry instead, especially if you need signed containers. Simply use `docker.asifbacchus.app/nginx/ab-nginx:tag`. I usually sign major dot-version releases (1.18, 1.19, etc.) as well as the 'latest' image.
+Throughout this document, I reference my repository on DockerHub (`asifbacchus/ab-nginx:tag`). You may also feel free to pull directly from my private registry instead, especially if you need signed containers. Simply use `docker.asifbacchus.dev/nginx/ab-nginx:tag`. I usually sign major dot-version releases (1.18, 1.19, etc.) as well as the 'latest' image.
 
 ## Documentation and scripts
 
-Check out the [repo wiki](https://git.asifbacchus.app/ab-docker/ab-nginx/wiki) for detailed examples and documentation about the container and the [helper scripts](https://git.asifbacchus.app/ab-docker/ab-nginx/releases) which are located [here](https://git.asifbacchus.app/ab-docker/ab-nginx/releases).
+Check out the [repo wiki](https://git.asifbacchus.dev/ab-docker/ab-nginx/wiki) for detailed examples and documentation about the container and the [helper scripts](https://git.asifbacchus.dev/ab-docker/ab-nginx/releases) which are located [here](https://git.asifbacchus.dev/ab-docker/ab-nginx/releases).
 
 ## Permissions
 
-The container does **NOT** run under the root account. It runs under a user named *www-docker* with a UID of 8080. **This means any files you mount into the container need to be readable (and/or writable depending on your use-case) by UID 8080**. This does not mean just content files, it also includes configurations, server-blocks and *certificates*! Before mounting your files, ensure this is the case. There are more detailed instructions in the [wiki](https://git.asifbacchus.app/ab-docker/ab-nginx/wiki) if you need help setting file permissions.
+The container does **NOT** run under the root account. It runs under a user named *www-docker* with a UID of 8080. **This means any files you mount into the container need to be readable (and/or writable depending on your use-case) by UID 8080**. This does not mean just content files, it also includes configurations, server-blocks and *certificates*! Before mounting your files, ensure this is the case. There are more detailed instructions in the [wiki](https://git.asifbacchus.dev/ab-docker/ab-nginx/wiki) if you need help setting file permissions.
 
 This is a significant change versus most other NGINX implementations/containers where the main process is run as root
 and the *worker processes* run as a limited user. In those cases, permissions don’t matter since NGINX can always use
 the root account to read any files (and especially certificates!) it needs. Please understand this difference.
 
 If you need to change the UID, then you’ll need to rebuild the container using
-the [Dockerfile in the git repo](https://git.asifbacchus.app/ab-docker/ab-nginx). The process would be something like
+the [Dockerfile in the git repo](https://git.asifbacchus.dev/ab-docker/ab-nginx). The process would be something like
 this:
 
 ```bash
 # clone the repo
-git clone https://git.asifbacchus.app/ab-docker/ab-nginx
+git clone https://git.asifbacchus.dev/ab-docker/ab-nginx
 
 # change to the proper directory and build the container
 cd ab-nginx/build
@@ -82,7 +82,7 @@ All configuration is in the `/etc/nginx` directory and its children. Here is the
 ├── ssl_certs.conf – (hard-coded for the container, best not to touch)
 ```
 
-Locations with \**starred descriptions** are designed to be overwritten via bind-mounts to customize the container. For more details on all of these files and what they do, please refer to the [repo wiki](https://git.asifbacchus.app/ab-docker/ab-nginx/wiki). **Remember that UID 8080 needs to be able to read any files you choose to bind-mount over the container defaults!**
+Locations with \**starred descriptions** are designed to be overwritten via bind-mounts to customize the container. For more details on all of these files and what they do, please refer to the [repo wiki](https://git.asifbacchus.dev/ab-docker/ab-nginx/wiki). **Remember that UID 8080 needs to be able to read any files you choose to bind-mount over the container defaults!**
 
 ## Quick-start
 
@@ -121,7 +121,7 @@ docker restart ab-nginx
 
 If you want the container to ignore a specific set of configuration options, say you’re testing something, then rename the file with those configuration options using any extension other than *.conf*. I usually use *.conf.disabled*. Restart the container and that file will be ignored.
 
-More details and examples are found in the [wiki](https://git.asifbacchus.app/ab-docker/ab-nginx/wiki).
+More details and examples are found in the [wiki](https://git.asifbacchus.dev/ab-docker/ab-nginx/wiki).
 
 ### Mounting server-blocks
 
@@ -146,7 +146,7 @@ docker run -d --name ab-nginx --restart unless-stopped \
   asifbacchus/ab-nginx
 ```
 
-More details and examples are found in the [wiki](https://git.asifbacchus.app/ab-docker/ab-nginx/wiki).
+More details and examples are found in the [wiki](https://git.asifbacchus.dev/ab-docker/ab-nginx/wiki).
 
 ## TLS
 
@@ -186,9 +186,9 @@ The container will load a secure configuration automatically, require SSL connec
 
 You may have noticed I also specified the `SERVER_NAMES` variable. This is necessary or SSL will not work since the hostname the server responds to must match the certificate being presented. **Make sure you set this environment variable to match your certificates!** N.B. If you are using your own server-blocks, then this environment variable is **NOT** required – it is only used by the container when auto-configuring the default server-blocks.
 
-If you want to integrate with Let's Encrypt, please refer to the [wiki](https://git.asifbacchus.app/ab-docker/ab-nginx/wiki).
+If you want to integrate with Let's Encrypt, please refer to the [wiki](https://git.asifbacchus.dev/ab-docker/ab-nginx/wiki).
 
-Finally, I’d remind you once again that UID 8080 must be able to read your certificate files! It is common practice to restrict the private key to root readability only (i.e. chown root:root & chmod 600/400) but, that would stop the NGINX user in the container from reading it and NGINX will exit with an error. I address ways to allow your certificate files to remain secure but still readable by the NGINX user in the [wiki](https://git.asifbacchus.app/ab-docker/ab-nginx/wiki).
+Finally, I’d remind you once again that UID 8080 must be able to read your certificate files! It is common practice to restrict the private key to root readability only (i.e. chown root:root & chmod 600/400) but, that would stop the NGINX user in the container from reading it and NGINX will exit with an error. I address ways to allow your certificate files to remain secure but still readable by the NGINX user in the [wiki](https://git.asifbacchus.dev/ab-docker/ab-nginx/wiki).
 
 ## Environment variables
 
@@ -248,8 +248,8 @@ docker logs -n 10 -f ab-nginx
 
 ## Final thoughts
 
-I think that's everything to get you going if you are already familiar with docker and with NGINX in general. If you need more help, please [refer to the wiki](https://git.asifbacchus.app/ab-docker/ab-nginx/wiki). I've explained everything there in detail. Also, check out the [helper scripts](https://git.asifbacchus.app/ab-docker/ab-nginx/releases) especially if you are deploying certificates. The scripts take care of all the docker command-lines for you so you have much less typing!
+I think that's everything to get you going if you are already familiar with docker and with NGINX in general. If you need more help, please [refer to the wiki](https://git.asifbacchus.dev/ab-docker/ab-nginx/wiki). I've explained everything there in detail. Also, check out the [helper scripts](https://git.asifbacchus.dev/ab-docker/ab-nginx/releases) especially if you are deploying certificates. The scripts take care of all the docker command-lines for you so you have much less typing!
 
-If I've forgotten anything, you find any bugs or you have suggestions, please file an issue either on my private [git server ](https://git.asifbachus.app/ab-docker/ab-nginx) or on [github](https://github.com/asifbacchus/ab-nginx). Also, I am *not* affiliated with NGINX in any way, so please **do not** bother them with any issues you find with this container. Bother me instead, I actually enjoy it!
+If I've forgotten anything, you find any bugs or you have suggestions, please file an issue either on my private [git server ](https://git.asifbacchus.dev/ab-docker/ab-nginx) or on [github](https://github.com/asifbacchus/ab-nginx). Also, I am *not* affiliated with NGINX in any way, so please **do not** bother them with any issues you find with this container. Bother me instead, I actually enjoy it!
 
 **All the best and have fun!**

build/Dockerfile

@@ -1,10 +1,17 @@
-FROM nginx:mainline-alpine
+#
+# build AB-NGINX container (based on NGINX mainline)
+#
 
-# default uid for nginx user
+ARG NGINX_VERSION=1.21.1
+FROM nginx:${NGINX_VERSION}-alpine
+ARG NGINX_VERSION
+
+# default uid and gid for nginx user
 ARG UID=8080
+ARG GID=8080
 
 # create nginx user
-RUN addgroup --gid ${UID} www-docker \
+RUN addgroup --gid ${GID} www-docker \
     && adduser \
         -S \
         -h /home/www-docker \
@@ -15,11 +22,13 @@ RUN addgroup --gid ${UID} www-docker \
         www-docker
 
 # add libcap, allow nginx to bind to ports <1024, extract fun error pages & create LetsEncrypt challenge directory outside webroot
-RUN apk --no-cache add libcap \
+RUN apk --update --no-cache add \
+    libcap \
+    openssl \
     && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \
     && cd /usr/share/nginx \
     && rm -rf html/* \
-    && wget -O /tmp/errorpages.tar.gz https://git.asifbacchus.app/asif/fun-errorpages/archive/v1.0.tar.gz \
+    && wget -O /tmp/errorpages.tar.gz https://git.asifbacchus.dev/asif/fun-errorpages/archive/v1.0.tar.gz \
     && tar -xzf /tmp/errorpages.tar.gz -C /tmp \
     && mv /tmp/fun-errorpages/errorpages ./ \
     && rm -rf /tmp/* \
@@ -28,22 +37,28 @@ RUN apk --no-cache add libcap \
     && mkdir /usr/share/nginx/letsencrypt
 
 # health check
-HEALTHCHECK --interval=60s --timeout=5s --start-period=30s --retries=3 \
+HEALTHCHECK \
+    --interval=10s \
+    --timeout=5s \
+    --start-period=60s \
+    --retries=3 \
     CMD curl --fail http://127.0.0.1:9000/nginx_status || exit 1
 
 # standardized labels
-LABEL author="Asif Bacchus <asif@bacchus.cloud>"
+MAINTAINER Asif Bacchus <asif@bacchus.cloud>
 LABEL maintainer="Asif Bacchus <asif@bacchus.cloud>"
 LABEL org.opencontainers.image.author="Asif Bacchus <asif@bacchus.cloud>"
-LABEL org.opencontainers.image.url="https://git.asifbacchus.app/ab-docker/ab-nginx"
-LABEL org.opencontainers.image.documentation="https://git.asifbacchus.app/ab-docker/ab-nginx/wiki"
-LABEL org.opencontainers.image.source="https://git.asifbacchus.app/ab-docker/ab-nginx.git"
+LABEL org.opencontainers.image.url="https://git.asifbacchus.dev/ab-docker/ab-nginx"
+LABEL org.opencontainers.image.documentation="https://git.asifbacchus.dev/ab-docker/ab-nginx/wiki"
+LABEL org.opencontainers.image.source="https://git.asifbacchus.dev/ab-docker/ab-nginx.git"
 LABEL org.opencontainers.image.vendor="NGINX"
 LABEL org.opencontainers.image.title="ab-nginx"
 LABEL org.opencontainers.image.description="NGINX-mainline-alpine with more logical file location layout and automatic SSL set up if certificates are provided."
 
-# copy configuration files
-COPY entrypoint.sh /entrypoint.sh
+# copy configuration files and utility scripts
+COPY entrypoint.sh /usr/local/bin/entrypoint.sh
+COPY generate-cert.sh /usr/local/bin/generate-cert
+COPY selfsigned.cnf /etc/selfsigned.cnf
 COPY config /etc/nginx/
 COPY sites /etc/nginx/sites/
 COPY webroot /usr/share/nginx/html/
@@ -59,7 +74,9 @@ RUN chown -R www-docker:www-docker /usr/share/nginx \
     && find /etc/nginx -type d -exec chmod 750 {} \; \
     && find /etc/nginx -type f -exec chmod 640 {} \; \
     && chown www-docker:www-docker /var/cache/nginx \
-    && chown www-docker:www-docker /var/log/nginx
+    && chown www-docker:www-docker /var/log/nginx \
+    && chmod 644 /etc/selfsigned.cnf \
+    && chmod 755 /usr/local/bin/generate-cert /usr/local/bin/entrypoint.sh
 USER www-docker
 WORKDIR /usr/share/nginx/html
 
@@ -73,7 +90,7 @@ ENV HSTS=FALSE
 ENV TLS13_ONLY=FALSE
 
 # entrypoint script
-ENTRYPOINT [ "/entrypoint.sh" ]
+ENTRYPOINT [ "/usr/local/bin/entrypoint.sh" ]
 
 # run NGINX by default
 STOPSIGNAL SIGQUIT
@@ -81,8 +98,11 @@ CMD [ "nginx", "-g", "daemon off;" ]
 
 # add build date and version labels
 ARG BUILD_DATE
-LABEL org.opencontainers.image.version="1.19.6"
-LABEL app.asifbacchus.docker.internalVersion="4.0"
+ARG GIT_COMMIT
+ARG INTERNAL_VERSION
+LABEL org.opencontainers.image.revision=${GIT_COMMIT}
+LABEL org.opencontainers.image.version=${NGINX_VERSION}
+LABEL app.asifbacchus.docker.internalVersion=${INTERNAL_VERSION}-${NGINX_VERSION}
 LABEL org.opencontainers.image.created=${BUILD_DATE}
 
-#EOF
+#EOF

build/entrypoint.sh

@@ -54,8 +54,20 @@ fi
 if [ -f "/certs/fullchain.pem" ]; then
     # activate SSL configuration as appropriate and only if certs exist
     if [ "$TLS13_ONLY" = 'FALSE' ]; then
-        if [ -f "/certs/fullchain.pem" ] && [ -f "/certs/privkey.pem" ] && [ -f "/certs/chain.pem" ] && [ -f "/certs/dhparam.pem" ]; then
+        if [ -f "/certs/fullchain.pem" ] && [ -f "/certs/privkey.pem" ] && [ -f "/certs/chain.pem" ]; then
             printf "Certificates found. Securing deployment using TLS 1.2\n"
+
+            # check for dhparam file and generate, if necessary
+            if ! [ -f "/certs/dhparam.pem" ]; then
+                printf "Diffie-Hellman Parameters not found... generating (using Digital Signature Algorithm instead of Diffie-Hellman)...\n"
+                if ! openssl dhparam -dsaparam -out /certs/dhparam.pem 4096; then
+                    printf "\n\nUnable to generate 'dhparam.pem'. Is your '/certs' directory writable by this container?\n"
+                    printf "TLS version 1.2 requires DHParams (or DSAParams) in order to function securely. Exiting.\n\n"
+                    exit 101
+                fi
+            printf "\nDSA-Params generated successfully\n"
+            fi
+
             # activate shared SSL configuration file
             if [ -f "/etc/nginx/ssl-config/mozIntermediate_ssl.conf.disabled" ]; then
                 mv /etc/nginx/ssl-config/mozIntermediate_ssl.conf.disabled \
@@ -123,4 +135,11 @@ fi
 printf "\nSetup complete...Container ready...\n"
 exec "$@"
 
-#EOF
+
+# exit return codes
+# 10x       certificate generation errors
+#   101     unable to generate DSA-parameters
+#   102     unable to generate private key
+#   103     unable to generate self-signed certificate
+
+#EOF

build/generate-cert.sh

@@ -0,0 +1,48 @@
+#!/bin/sh
+
+#
+# generate a self-signed certificate
+#
+
+# check for null hostname
+if [ -z "$1" ]; then
+    printf "\nPlease supply a hostname for the generated certificate as a parameter to this script. Exiting.\n\n"
+    exit 1
+fi
+
+# update openssl configuration file
+sed -e "s/{CERT_HOSTNAME}/$1/" /etc/selfsigned.cnf > /tmp/selfsigned.cnf
+
+printf "\nGenerating self-signed certificate for '%s':\n" "$1"
+
+# create placeholder files to set permissions
+if ! touch /certs/fullchain.pem && chmod 644 /certs/fullchain.pem; then
+    printf "\nUnable to write to '/certs', is it mounted writable by this container?\n\n"
+    exit 2
+fi
+touch /certs/privkey.pem && chmod 640 /certs/privkey.pem
+
+# generate certificate
+if ! openssl req -new -x509 -days 365 -nodes -out /certs/fullchain.pem -keyout /certs/privkey.pem -config /tmp/selfsigned.cnf; then
+    printf "\nUnable to generate certificate. Is the '/certs' directory writable by this container?\n\n"
+    exit 3
+fi
+\cp /certs/fullchain.pem /certs/chain.pem
+
+# print user notification
+printf "\n\nA self-signed certificate has been generated and saved in the location mounted to '/certs' in this container.\n"
+printf "The certificate and private key are PEM formatted with names 'fullchain.pem' and 'privkey.pem', respectively.\n"
+printf "Remember to import 'fullchain.pem' to the trusted store on any client machines or you will get warnings.\n\n"
+
+# exit gracefully
+exit 0
+
+
+#
+# exit codes
+# 0:    normal exit, no errors
+# 1:    invalid or missing parameters
+# 2:    unable to write to certs directory
+# 3:    unable to generate certificate
+
+#EOF

build/selfsigned.cnf

@@ -0,0 +1,16 @@
+default_bits = 4096
+default_md = sha256
+distinguished_name = dn
+req_extensions = san
+x509_extensions = san
+prompt = no
+
+[dn]
+organizationName = AB-NGINX Webserver
+CN = {CERT_HOSTNAME}
+
+[san]
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = {CERT_HOSTNAME}

helpers/ab-nginx.params.template

@@ -1,156 +0,0 @@
-###
-### Parameters for use by ab-nginx helper script
-###
-### If you are NOT using the 'ab-nginx.sh' script file to start the container,
-### then you don't have to do anything with this file.
-###
-
-
-#
-# Network options
-#
-
-# If you want to specify a network to which this container should bind or one
-# that should be created, then use this variable. If you don't know what this
-# means or if you just want to use the default, leave this variable commented.
-# REQUIRED: NO
-# DEFAULT: nginx_network
-# VALID OPTIONS: network names acceptable to the docker engine
-#NETWORK=nginx_network
-
-# If you want to specify a particular IP subnet for the network to be created
-# as per the above variable, specify it here.  Again, if you don't know what
-# this means, just leave this variable commented.
-# REQUIRED: NO
-# DEFAULT: '172.31.254.0/24'
-# VALID OPTIONS: subnet in CIDR format
-#SUBNET='172.31.254.0/24'
-
-
-#
-# Timezone
-#
-
-# This doesn't impact any functionality of the container, but it does make your
-# logs easier to understand if they report the correct local time, right? Valid
-# options can be found at
-#   https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
-# REQUIRED: NO
-# DEFAULT: Etc/UTC
-# VALID OPTIONS: IANA time zones in TZ format
-#TZ=Etc/UTC
-
-
-#
-# NGINX options
-#
-
-# Hostnames to which this instance of NGINX should answer:
-# By default, this is set to '_' meaning 'match anything'.  However, that won't
-# work if you're using SSL certificates! Multiple hostnames must be space
-# delimited and "enclosed in quotes".
-#
-# This is NOT required if you are supplying your own server blocks via
-# 'SERVERS_DIR'
-#
-# REQUIRED: YES, if using SSL and default server-blocks
-# DEFAULT: "_"
-#HOSTNAMES="domain.tld www.domain.tld server.domain.tld alt.domain.tld"
-
-# Ports to listen on:
-# If you need to use ports other than HTTP=80 and HTTPS=443, remember to set up
-# your server blocks accordingly!
-#
-# If you're using the default server-blocks, they will auto-adjust to whatever
-# you use here.
-# REQUIRED: NO
-# DEFAULTS: 80 and 443, respectively
-#HTTP_PORT=80
-#HTTPS_PORT=443
-
-# Access logging (global preference):
-# Unless overridden in a server/location block, access logging will be handled
-# according to this setting. Logs are printed to the container console.
-# REQUIRED: NO
-# DEFAULT: OFF
-# VALID OPTIONS: 'ON' or 'OFF'
-#ACCESS_LOG=OFF
-
-
-#
-# Content locations
-# Whatever you specify here will replace the default files in the container with
-# your content/configurations. You may comment any/all of the following lines to
-# disable them use the container defaults.
-#
-
-# Specify a directory containing your NGINX configurations (if any)
-# Remember that these will be all be applied in the HTTP configuration context.
-# Only files with a ".conf" extension will be loaded!  If you want to disable a
-# file, simply change its extension (i.e. '.conf.disabled').
-#
-# REMEMBER: Your configuration files must be readable by UID 8080!
-CONFIG_DIR=$(pwd)/config
-
-# Specify a directory containing your NGINX server-block configurations (if any)
-# If you are just serving static content from the 'webroot', you can use the
-# container default server-blocks and comment this variable.
-#
-# More likely, you will have your own server blocks.  Remember, files are
-# processed in order so consider starting file names with numbers
-#   (i.e. 00-first_server.conf, 05-second_server.conf)
-#
-# Only files with a ".conf" extension will be loaded!  If you want to disable a
-#   file, simply change its extension (i.e. '.conf.disabled').
-#
-# REMEMBER: Your server-block files must be readable by UID 8080!
-SERVERS_DIR=$(pwd)/sites
-
-# Specify a directory containing 'snippets' of NGINX code you want/need to
-# reference in other configuration files. Pointers to other SSL certificates for
-# hosted domains or commonly used headers are good examples.
-#
-# You can then "include /etc/nginx/snippets/yourSnippet.conf;" in your configs
-# instead of having to type the same thing many times.
-
-# This is totally optional! Comment this variable to disable it.
-# REMEMBER: Your snippets must be readable by UID 8080!
-SNIPPETS_DIR=$(pwd)/snippets
-
-# Specify a directory with the content you want to serve.
-# REMEMBER: This directory must be readable by UID 8080!
-WEBROOT_DIR=/var/www
-
-
-#
-# SSL options:
-#
-
-# Enable HSTS only AFTER you've tested SSL implementation!  Container sets the
-# header to require SSL for 6 months! Subdomains are NOT included.
-# REQUIRED: NO
-# DEFAULT: FALSE
-# VALID OPTIONS: 'TRUE', 'FALSE'
-#HSTS=FALSE
-
-# TLS 1.3 mode:
-#   If 'FALSE' (default), NGINX will accept both TLS 1.2 and 1.3 connections.
-#   If 'TRUE', only TLS 1.3 connections will be accepted.
-#TLS13_ONLY=FALSE
-
-
-#
-# Certificate files
-#
-# If you are mounting symlinks you MUST specify the full path of the symlink so
-# the target is resolved! DH (Diffie-Hellman Parameters file) is only required
-# if using TLS 1.2.
-#
-# REMEMBER: ALL files must be readble by UID 8080!
-#SSL_CERT=/path/to/your/ssl-certificate/fullchain.pem
-#SSL_KEY=/path/to/your/ssl-private-key/privkey.pem
-#SSL_CHAIN=/path/to/your/ssl-certificate-chain/chain.pem
-#DH=/path/to/your/diffie-hellman-parameters-file/dhparam.pem
-
-
-#EOF

helpers/ab-nginx.sh

@@ -4,25 +4,27 @@
 # start ab-nginx container using params file variables
 #
 
+# TODO: add stop & stop and remove commands
+
 # text formatting presets
 if command -v tput >/dev/null; then
-  cyan=$(tput bold)$(tput setaf 6)
-  err=$(tput bold)$(tput setaf 1)
-  magenta=$(tput sgr0)$(tput setaf 5)
-  norm=$(tput sgr0)
-  yellow=$(tput sgr0)$(tput setaf 3)
-  width=$(tput cols)
+    cyan=$(tput bold)$(tput setaf 6)
+    err=$(tput bold)$(tput setaf 1)
+    magenta=$(tput sgr0)$(tput setaf 5)
+    norm=$(tput sgr0)
+    yellow=$(tput sgr0)$(tput setaf 3)
+    width=$(tput cols)
 else
-  cyan=''
-  err=''
-  magenta=''
-  norm=''
-  yellow=''
-  width=80
+    cyan=''
+    err=''
+    magenta=''
+    norm=''
+    yellow=''
+    width=80
 fi
 
 ### parameter defaults
-shell=false
+doShell=false
 container_name="ab-nginx"
 NETWORK='nginx_network'
 SUBNET='172.31.254.0/24'
@@ -36,77 +38,80 @@ unset vmount
 ### functions
 
 checkExist() {
-  if [ "$1" = 'file' ]; then
-    if [ ! -f "$2" ]; then
-      printf "%s\nCannot find file: '$2'. Exiting.\n%s" "$err" "$norm"
-      exit 3
+    if [ "$1" = 'file' ]; then
+        if [ ! -f "$2" ]; then
+            printf "%s\nCannot find file: '$2'. Exiting.\n%s" "$err" "$norm"
+            exit 3
+        fi
+    elif [ "$1" = 'dir' ]; then
+        if [ ! -d "$2" ]; then
+            printf "%s\nCannot find directory: '$2'. Exiting.\n$%s" "$err" "$norm"
+            exit 3
+        fi
     fi
-  elif [ "$1" = 'dir' ]; then
-    if [ ! -d "$2" ]; then
-      printf "%s\nCannot find directory: '$2'. Exiting.\n$%s" "$err" "$norm"
-      exit 3
-    fi
-  fi
-  return 0
+    return 0
 }
 
 scriptHelp() {
-  printf "\n%s%1000s\n" "$magenta" | tr " " "-" | cut -c -$width
-  printf "%s" "$norm"
-  textblock "This is a simple helper script so you can avoid typing lengthy commands when working with the ab-nginx container."
-  textblock "The script reads the contents of 'ab-nginx.params' and constructs various 'docker run' commands based on that file. The biggest time-saver is working with certificates. If they are specified in the params file, the script will automatically bind-mount them so nginx serves content via SSL by default."
-  newline
-  textblock "If you run the script with no parameters, it will execute the container 'normally': Run in detached mode with nginx automatically launched. If you specified certificates, nginx will serve over SSL by default."
-  textblock "Note: Containers (except shell) are always set to restart 'unless-stopped'. You must remove them manually if desired."
-  printf "%s" "$magenta"
-  newline
-  textblock "The script has the following (optional) parameters:"
-  textblockParam 'parameter in cyan' 'default in yellow'
-  newline
-  textblockParam '-n|--name' 'ab-nginx'
-  textblock "Change the name of the container. This is cosmetic and does not affect operation in any way."
-  newline
-  textblockParam '-s|--shell' 'off: run in detached mode'
-  textblock "Enter the container using an interactive POSIX shell. This happens after startup operations but *before* nginx is actually started. This is a great way to see configuration changes possibly stopping nginx from starting normally."
-  printf "%s" "$yellow"
-  newline
-  textblock "More information can be found at: https://git.asifbacchus.app/ab-docker/ab-nginx/wiki"
-  printf "%s%1000s\n" "$magenta" | tr " " "-" | cut -c -$width
-  exit 0
+    printf "\n%s" "$magenta"
+    printf '%.0s-' $(seq "$width")
+    printf "\n%s" "$norm"
+    textBlock "This is a simple helper script so you can avoid typing lengthy commands when working with the ab-nginx container."
+    textBlock "The script reads the contents of 'ab-nginx.params' and constructs various 'docker run' commands based on that file. The biggest time-saver is working with certificates. If they are specified in the params file, the script will automatically bind-mount them so nginx serves content via SSL by default."
+    newline
+    textBlock "If you run the script with no parameters, it will execute the container 'normally': Run in detached mode with nginx automatically launched. If you specified certificates, nginx will serve over SSL by default."
+    textBlock "Note: Containers (except shell) are always set to restart 'unless-stopped'. You must remove them manually if desired."
+    printf "%s" "$magenta"
+    newline
+    textBlock "The script has the following (optional) parameters:"
+    textBlockParam 'parameter in cyan' 'default in yellow'
+    newline
+    textBlockParam '-n|--name' 'ab-nginx'
+    textBlock "Set the name of the container, otherwise the default will be used."
+    newline
+    textBlockParam'-s|--shell' 'off: run in detached mode'
+    textBlock "Enter the container using an interactive ASH/BusyBox shell. This happens after startup operations but *before* nginx is actually started. This is a great way to see configuration changes possibly stopping nginx from starting normally."
+    printf "%s" "$yellow"
+    newline
+    textBlock"More information can be found at: https://git.asifbacchus.dev/ab-docker/ab-nginx/wiki"
+    printf "\n%s" "$magenta"
+    printf '%.0s-' $(seq "$width")
+    printf "\n%s" "$norm"
+    exit 0
 }
 
 newline() {
-  printf "\n"
+    printf "\n"
 }
 
-textblock() {
-  printf "%s\n" "$1" | fold -w "$width" -s
+textBlock() {
+    printf "%s\n" "$1" | fold -w "$width" -s
 }
 
-textblockParam() {
-  if [ -z "$2" ]; then
-    # no default
-    printf "%s%s%s\n" "$cyan" "$1" "$norm"
-  else
-    # default param provided
-    printf "%s%s %s(%s)%s\n" "$cyan" "$1" "$yellow" "$2" "$norm"
-  fi
+textBlockParam() {
+    if [ -z "$2" ]; then
+        # no default
+        printf "%s%s%s\n" "$cyan" "$1" "$norm"
+    else
+        # default param provided
+        printf "%s%s %s(%s)%s\n" "$cyan" "$1" "$yellow" "$2" "$norm"
+    fi
 }
 
 ### pre-requisite checks
 
 # is docker installed?
-if ! command -v docker > /dev/null; then
-  printf "%s\nCannot find docker... is it installed?\n%s" "$err" "$norm"
-  exit 2
+if ! command -v docker >/dev/null; then
+    printf "%s\nCannot find docker... is it installed?\n%s" "$err" "$norm"
+    exit 2
 fi
 
 # is user root or in the docker group?
 if [ ! "$(id -u)" -eq 0 ]; then
-  if ! id -Gn | grep docker >/dev/null; then
-    printf "%s\nYou must either be root or in the 'docker' group to run this script since you must be able to actually start the container! Exiting.\n$%s" "$err" "$norm"
-    exit 2
-  fi
+    if ! id -Gn | grep docker >/dev/null; then
+        printf "%s\nYou must either be root or in the 'docker' group to run this script since you must be able to actually start the container! Exiting.\n$%s" "$err" "$norm"
+        exit 2
+    fi
 fi
 
 # does the params file exist?
@@ -117,7 +122,7 @@ checkExist 'file' './ab-nginx.params'
 
 # fix case of TLS13_ONLY var
 if [ "$TLS13_ONLY" ]; then
-  TLS13_ONLY=$(printf "%s" "$TLS13_ONLY" | tr "[:lower:]" "[:upper:]")
+    TLS13_ONLY=$(printf "%s" "$TLS13_ONLY" | tr "[:lower:]" "[:upper:]")
 fi
 
 # check for certs if using SSL
@@ -125,43 +130,33 @@ if [ "$SSL_CERT" ]; then checkExist 'file' "$SSL_CERT"; fi
 if [ "$SSL_KEY" ]; then checkExist 'file' "$SSL_KEY"; fi
 if [ "$SSL_CHAIN" ]; then checkExist 'file' "$SSL_CHAIN"; fi
 
-# check for DHparam if using TLS1.2
-if [ "$SSL_CERT" ] && [ "$TLS13_ONLY" = 'FALSE' ]; then
-  if [ -z "$DH" ]; then
-    printf "%s\nA DHparam file must be specified when using TLS 1.2. Exiting.%s\n" "$err" "$norm"
-    exit 5
-  else
-    checkExist 'file' "$DH"
-  fi
-fi
-
 # check if specified config directory exists
 if [ "$CONFIG_DIR" ]; then
-  checkExist 'dir' "$CONFIG_DIR"
+    checkExist 'dir' "$CONFIG_DIR"
 fi
 
 # check if specified server-block directory exists
 if [ "$SERVERS_DIR" ]; then
-  checkExist 'dir' "$SERVERS_DIR"
+    checkExist 'dir' "$SERVERS_DIR"
 fi
 
 # check if specified webroot directory exists
 if [ "$WEBROOT_DIR" ]; then
-  checkExist 'dir' "$WEBROOT_DIR"
+    checkExist 'dir' "$WEBROOT_DIR"
 fi
 
 # set up volume mounts
 if [ "$CONFIG_DIR" ]; then
-  vmount="$vmount -v $CONFIG_DIR:/etc/nginx/config"
+    vmount="$vmount -v $CONFIG_DIR:/etc/nginx/config"
 fi
 if [ "$SERVERS_DIR" ]; then
-  vmount="$vmount -v $SERVERS_DIR:/etc/nginx/sites"
+    vmount="$vmount -v $SERVERS_DIR:/etc/nginx/sites"
 fi
 if [ "$SNIPPETS_DIR" ]; then
-  vmount="$vmount -v $SNIPPETS_DIR:/etc/nginx/snippets"
+    vmount="$vmount -v $SNIPPETS_DIR:/etc/nginx/snippets"
 fi
 if [ "$WEBROOT_DIR" ]; then
-  vmount="$vmount -v $WEBROOT_DIR:/usr/share/nginx/html"
+    vmount="$vmount -v $WEBROOT_DIR:/usr/share/nginx/html"
 fi
 # trim leading whitespace
 vmount=${vmount##[[:space:]]}
@@ -171,129 +166,111 @@ if [ -z "$HOSTNAMES" ]; then HOSTNAMES="_"; fi
 
 # process startup parameters
 while [ $# -gt 0 ]; do
-  case "$1" in
-  -h | -\? | --help)
-    # display help
-    scriptHelp
-    exit 0
-    ;;
-  -s | --shell)
-    # start shell instead of default CMD
-    shell=true
-    ;;
-  -n | --name)
-    # container name
-    if [ -z "$2" ]; then
-      printf "%s\nNo container name specified. Exiting.\n%s" "$err" "$norm"
-      exit 1
-    fi
-    container_name="$2"
+    case "$1" in
+    -h | -\? | --help)
+        # display help
+        scriptHelp
+        exit 0
+        ;;
+    -s | --shell)
+        # start shell instead of default CMD
+        doShell=true
+        ;;
+    -n | --name)
+        # container name
+        if [ -z "$2" ]; then
+            printf "%s\nNo container name specified. Exiting.\n%s" "$err" "$norm"
+            exit 1
+        fi
+        container_name="$2"
+        shift
+        ;;
+    *)
+        printf "%s\nUnknown option: %s\n" "$err" "$1"
+        printf "Use '--help' for valid options.\n\n%s" "$norm"
+        exit 1
+        ;;
+    esac
     shift
-    ;;
-  *)
-    printf "%s\nUnknown option: %s\n" "$err" "$1"
-    printf "Use '--help' for valid options.\n\n%s" "$norm"
-    exit 1
-    ;;
-  esac
-  shift
 done
 
 # create network if it doesn't already exist
 docker network inspect ${NETWORK} >/dev/null 2>&1 ||
-  docker network create \
-    --attachable \
-    --driver=bridge \
-    --subnet=${SUBNET} \
-    ${NETWORK}
+    docker network create \
+        --attachable \
+        --driver=bridge \
+        --subnet=${SUBNET} \
+        ${NETWORK}
 
 # run without TLS
 if [ -z "$SSL_CERT" ]; then
-  if [ $shell = 'true' ]; then
-    # exec shell
-    printf "%s\nRunning SHELL on %s...%s\n" "$cyan" "$container_name" "$norm"
-    docker run --rm -it --name "${container_name}" \
-      --env-file ab-nginx.params \
-      -e SERVER_NAMES="$HOSTNAMES" \
-      $vmount \
-      --network=${NETWORK} \
-      -p ${HTTP_PORT}:80 \
-      docker.asifbacchus.app/nginx/ab-nginx:latest /bin/sh
-  else
-    # exec normally
-    printf "%s\nRunning NGINX on %s...%s\n" "$cyan" "$container_name" "$norm"
-    docker run -d --name "${container_name}" \
-      --env-file ab-nginx.params \
-      -e SERVER_NAMES="$HOSTNAMES" \
-      $vmount \
-      --network=${NETWORK} \
-      -p ${HTTP_PORT}:80 \
-      --restart unless-stopped \
-      docker.asifbacchus.app/nginx/ab-nginx:latest
-  fi
-# run with TLS1.2
-elif [ "$SSL_CERT" ] && [ "$TLS13_ONLY" = 'FALSE' ]; then
-  if [ $shell = 'true' ]; then
-    # exec shell
-    printf "%s\nRunning SHELL on %s (TLS 1.2)...%s\n" "$cyan" "$container_name" "$norm"
-    docker run --rm -it --name "${container_name}" \
-      --env-file ab-nginx.params \
-      -e SERVER_NAMES="$HOSTNAMES" \
-      $vmount \
-      --network=${NETWORK} \
-      -v "$SSL_CERT":/certs/fullchain.pem:ro \
-      -v "$SSL_KEY":/certs/privkey.pem:ro \
-      -v "$SSL_CHAIN":/certs/chain.pem:ro \
-      -v "$DH":/certs/dhparam.pem:ro \
-      -p ${HTTP_PORT}:80 -p ${HTTPS_PORT}:443 \
-      docker.asifbacchus.app/nginx/ab-nginx:latest /bin/sh
-  else
-    # exec normally
-    printf "%s\nRunning NGINX on %s (TLS 1.2)...%s\n" "$cyan" "$container_name" "$norm"
-    docker run -d --name "${container_name}" \
-      --env-file ab-nginx.params \
-      -e SERVER_NAMES="$HOSTNAMES" \
-      $vmount \
-      --network=${NETWORK} \
-      -v "$SSL_CERT":/certs/fullchain.pem:ro \
-      -v "$SSL_KEY":/certs/privkey.pem:ro \
-      -v "$SSL_CHAIN":/certs/chain.pem:ro \
-      -v "$DH":/certs/dhparam.pem:ro \
-      -p ${HTTP_PORT}:80 -p ${HTTPS_PORT}:443 \
-      --restart unless-stopped \
-      docker.asifbacchus.app/nginx/ab-nginx:latest
-  fi
-# run with TLS1.3
-elif [ "$SSL_CERT" ] && [ "$TLS13_ONLY" = 'TRUE' ]; then
-  if [ $shell = 'true' ]; then
-    # exec shell
-    printf "%s\nRunning SHELL on %s (TLS 1.3)...%s\n" "$cyan" "$container_name" "$norm"
-    docker run --rm -it --name "${container_name}" \
-      --env-file ab-nginx.params \
-      -e SERVER_NAMES="$HOSTNAMES" \
-      $vmount \
-      --network=${NETWORK} \
-      -v "$SSL_CERT":/certs/fullchain.pem:ro \
-      -v "$SSL_KEY":/certs/privkey.pem:ro \
-      -v "$SSL_CHAIN":/certs/chain.pem:ro \
-      -p ${HTTP_PORT}:80 -p ${HTTPS_PORT}:443 \
-      docker.asifbacchus.app/nginx/ab-nginx:latest /bin/sh
-  else
-    # exec normally
-    printf "%s\nRunning NGINX on %s (TLS 1.3)...%s\n" "$cyan" "$container_name" "$norm"
-    docker run -d --name "${container_name}" \
-      --env-file ab-nginx.params \
-      -e SERVER_NAMES="$HOSTNAMES" \
-      $vmount \
-      --network=${NETWORK} \
-      -v "$SSL_CERT":/certs/fullchain.pem:ro \
-      -v "$SSL_KEY":/certs/privkey.pem:ro \
-      -v "$SSL_CHAIN":/certs/chain.pem:ro \
-      -p ${HTTP_PORT}:80 -p ${HTTPS_PORT}:443 \
-      --restart unless-stopped \
-      docker.asifbacchus.app/nginx/ab-nginx:latest
-  fi
+    if [ "$doShell" = 'true' ]; then
+        # exec shell
+        printf "%s\nRunning SHELL on %s...%s\n" "$cyan" "$container_name" "$norm"
+        # shellcheck disable=SC2086
+        docker run --rm -it --name "${container_name}" \
+            --env-file ab-nginx.params \
+            --user="${NGINX_UID:-8080}:${NGINX_GID:-8080}" \
+            -e SERVER_NAMES="$HOSTNAMES" \
+            $vmount \
+            --network=${NETWORK} \
+            -p ${HTTP_PORT}:80 \
+            docker.asifbacchus.dev/nginx/ab-nginx:latest /bin/sh
+    else
+        # exec normally
+        printf "%s\nRunning NGINX on %s...%s\n" "$cyan" "$container_name" "$norm"
+        # shellcheck disable=SC2086
+        docker run -d --name "${container_name}" \
+            --env-file ab-nginx.params \
+            --user="${NGINX_UID:-8080}:${NGINX_GID:-8080}" \
+            -e SERVER_NAMES="$HOSTNAMES" \
+            $vmount \
+            --network=${NETWORK} \
+            -p ${HTTP_PORT}:80 \
+            --restart unless-stopped \
+            docker.asifbacchus.dev/nginx/ab-nginx:${TAG:-latest}
+    fi
+# run with TLS
+else
+    if [ "$doShell" = 'true' ]; then
+        if [ "$TLS13_ONLY" = 'FALSE' ]; then
+            printf "%s\nRunning SHELL on %s (TLS 1.2)...%s\n" "$cyan" "$container_name" "$norm"
+        else
+            printf "%s\nRunning SHELL on %s (TLS 1.3)...%s\n" "$cyan" "$container_name" "$norm"
+        fi
+        # shellcheck disable=SC2086
+        docker run --rm -it --name "${container_name}" \
+            --env-file ab-nginx.params \
+            --user="${NGINX_UID:-8080}:${NGINX_GID:-8080}" \
+            -e SERVER_NAMES="$HOSTNAMES" \
+            $vmount \
+            --network=${NETWORK} \
+            -v "$SSL_CERT":/certs/fullchain.pem:ro \
+            -v "$SSL_KEY":/certs/privkey.pem:ro \
+            -v "$SSL_CHAIN":/certs/chain.pem:ro \
+            -p ${HTTP_PORT}:80 -p ${HTTPS_PORT}:443 \
+            docker.asifbacchus.dev/nginx/ab-nginx:${TAG:-latest} /bin/sh
+    else
+        if [ "$TLS13_ONLY" = 'FALSE' ]; then
+            printf "%s\nRunning NGINX on %s (TLS 1.2)...%s\n" "$cyan" "$container_name" "$norm"
+        else
+            printf "%s\nRunning NGINX on %s (TLS 1.3)...%s\n" "$cyan" "$container_name" "$norm"
+        fi
+        # shellcheck disable=SC2086
+        docker run -d --name "${container_name}" \
+            --env-file ab-nginx.params \
+            --user="${NGINX_UID:-8080}:${NGINX_GID:-8080}" \
+            -e SERVER_NAMES="$HOSTNAMES" \
+            $vmount \
+            --network=${NETWORK} \
+            -v "$SSL_CERT":/certs/fullchain.pem:ro \
+            -v "$SSL_KEY":/certs/privkey.pem:ro \
+            -v "$SSL_CHAIN":/certs/chain.pem:ro \
+            -p ${HTTP_PORT}:80 -p ${HTTPS_PORT}:443 \
+            --restart unless-stopped \
+            docker.asifbacchus.dev/nginx/ab-nginx:${TAG:-latest}
+    fi
 fi
 
 ### exit gracefully
-exit 0
+exit 0

helpers/sites/readme

@@ -1,11 +1,11 @@
 - Place all your server block configuration files in this directory
 - This path should be bind-mounted to the container at:
   '/etc/nginx/sites'
-    - this bind-mount will override the test pages included in the container by 
-        default.
+    - this bind-mount will override the default server configurations
+        included in the container by default.
 - All files should begin in the 'server' configuration context
 - ONLY files that end with '.conf' will be processed!
-    - if you want to keep a file for reference or disable it temporarily, 
+    - if you want to keep a file for reference or disable it temporarily,
         simply change the extension.  I like using '.conf.disabled'.
-- If you don't want to use this directory, you can bind-mount any other 
+- If you don't want to use this directory, you can bind-mount any other
   directory you want to '/etc/nginx/sites/'

helpers/update.sh

@@ -90,8 +90,8 @@ updateSuccess=0
 # reference constants
 dockerNamespace='nginx'
 containerName='ab-nginx'
-containerUpdatePath="docker.asifbacchus.app/$dockerNamespace/$containerName:latest"
-server="https://asifbacchus.app/updates/docker/$dockerNamespace/$containerName/"
+containerUpdatePath="docker.asifbacchus.dev/$dockerNamespace/$containerName:latest"
+server="https://asifbacchus.dev/public/docker/$dockerNamespace/$containerName/"
 checksumFilename='checksums.sha256'
 
 # operation triggers
@@ -247,4 +247,4 @@ if [ "$doScriptUpdate" -eq 1 ]; then
   printf "\tUpdates: %s%s applied%s, %s%s failed%s\n" "$ok" "$updateSuccess" "$norm" "$err" "$updateFailed" "$norm"
 fi
 
-exit 0
+exit 0