From 09c37bf32788ed1fa506a4a2165b0a8ed14b7f74 Mon Sep 17 00:00:00 2001
From: Roxedus
Date: Tue, 18 May 2021 19:04:47 +0200
Subject: [PATCH] Prepare for upstream changes
---
 Dockerfile | 2 +
 root/defaults/nginx.conf | 107 ++++++++++++++++-------------
 root/defaults/ssl.conf | 5 +-
 root/etc/cont-init.d/99-proxy-conf | 22 ++++--
 4 files changed, 80 insertions(+), 56 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 64d30c7..e50f974 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -21,6 +21,8 @@ COPY root/ root/
 ADD https://raw.githubusercontent.com/linuxserver/docker-swag/master/root/defaults/proxy.conf /root/defaults/proxy.conf
+ADD https://raw.githubusercontent.com/linuxserver/docker-swag/master/root/defaults/dhparams.pem /defaults/dhparams.pem
+
 FROM scratch
 LABEL maintainer="Roxedus"
diff --git a/root/defaults/nginx.conf b/root/defaults/nginx.conf
index cc44f78..79be80e 100644
--- a/root/defaults/nginx.conf
+++ b/root/defaults/nginx.conf
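Review bot: The added `ADD` stages dhparams.pem at `/defaults/dhparams.pem`, whereas the sibling `ADD` on the line above stages proxy.conf under `/root/defaults/`; if the `FROM scratch` stage copies the staged tree from `/root/` (its `COPY --from` is outside this hunk), the file that `99-proxy-conf` later looks for at `/defaults/dhparams.pem` will not be in the image and every fresh config falls through to the network download. Suggest `ADD https://raw.githubusercontent.com/linuxserver/docker-swag/master/root/defaults/dhparams.pem /root/defaults/dhparams.pem`. Separately, both URLs track the mutable `master` branch, so the DH parameters baked into the image depend on when the build ran and cannot be reproduced or reviewed; pin the path to a commit, e.g. `https://raw.githubusercontent.com/linuxserver/docker-swag/<commit-sha>/root/defaults/dhparams.pem`, and name that commit in a comment next to the line.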
@@ -1,53 +1,91 @@
-## Version 2021/03/30 - Changelog: https://github.com/linuxserver/docker-mods/blob/nginx-proxy-confs/root/defaults/nginx.conf
+## Version 2021/05/18 - Changelog: https://github.com/linuxserver/docker-mods/blob/nginx-proxy-confs/root/defaults/nginx.conf
 user abc;
-worker_processes 4;
-pid /run/nginx.pid;
+
+# Set number of worker processes automatically based on number of CPU cores.
+include /config/nginx/worker_processes.conf;
+
+# Enables the use of JIT for regular expressions to speed-up their processing.
+pcre_jit on;
+
+# Configures default error logger.
+error_log /config/log/nginx/error.log;
+
+# Includes files with directives to load dynamic modules.
 include /etc/nginx/modules/*.conf;
 events {
- worker_connections 768;
+ # The maximum number of simultaneous connections that can be opened by
+ # a worker process.
+ worker_connections 1024;
 # multi_accept on;
 }
 http {
+ # Includes mapping of file name extensions to MIME types of responses
+ # and defines the default type.
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ # Name servers used to resolve names of upstream servers into addresses.
+ # It's also needed when using tcpsocket and udpsocket in Lua modules.
+ #resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001;
+ include /config/nginx/resolver.conf;
+
+ # Don't tell nginx version to the clients. Default is 'on'.
+ server_tokens off;
+
+ # Specifies the maximum accepted body size of a client request, as
+ # indicated by the request header Content-Length. If the stated content
+ # length is greater than this size, then the client receives the HTTP
+ # error code 413. Set to 0 to disable. Default is '1m'.
+ client_max_body_size 0;
+
+ # Sendfile copies data between one FD and other from within the kernel,
+ # which is more efficient than read() + write(). Default is off.
+ sendfile on;
+
+ # Causes nginx to attempt to send its HTTP response head in one packet,
+ # instead of using partial frames. Default is 'off'.
+ tcp_nopush on;
+
+ # Helper variable for proxying websockets.
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
+ # Sets the path, format, and configuration for a buffered log write.
+ access_log /config/log/nginx/access.log;
+
+ # Includes virtual hosts configs.
+ #include /etc/nginx/http.d/*.conf;
+
+ # WARNING: Don't use this directory for virtual hosts anymore.
+ # This include will be moved to the root context in Alpine 3.14.
+ #include /etc/nginx/conf.d/*.conf;
+
 ##
 # Basic Settings
 ##
 client_body_buffer_size 128k;
- client_max_body_size 0;
 keepalive_timeout 65;
 large_client_header_buffers 4 16k;
 send_timeout 5m;
- sendfile on;
 tcp_nodelay on;
- tcp_nopush on;
 types_hash_max_size 2048;
 variables_hash_max_size 2048;
-
- # server_tokens off;
 # server_names_hash_bucket_size 64;
 # server_name_in_redirect off;
- include /etc/nginx/mime.types;
- default_type application/octet-stream;
-
- ##
- # Logging Settings
- ##
-
- access_log /config/log/nginx/access.log;
- error_log /config/log/nginx/error.log;
-
 ##
 # Gzip Settings
 ##
 gzip on;
 gzip_disable "msie6";
-
 # gzip_vary on;
 # gzip_proxied any;
 # gzip_comp_level 6;
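Review bot: The comment above the new `include /config/nginx/worker_processes.conf;` line says the worker count is set "automatically based on number of CPU cores", but the included file is written once by `99-proxy-conf` from `nproc` on first start and never refreshed, so the count stays frozen at whatever CPU allocation the container had at that moment. Either make the comment say so — `# Worker count; /config/nginx/worker_processes.conf is generated once on first start from nproc and is not updated later, edit it or set "auto" if the CPU allocation changes.` — or have the generated file default to `worker_processes auto;`, which nginx sizes on every start. The new `include /config/nginx/resolver.conf;` has the same dependency: nginx refuses to start if that file is absent, so its comment should name the script that creates it rather than only the commented-out public resolvers. The `http` block continues past the end of this hunk.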
@@ -55,38 +93,13 @@ http {
 # gzip_http_version 1.1;
 # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
- ##
- # nginx-naxsi config
- ##
- # Uncomment it if you installed nginx-naxsi
- ##
-
- #include /etc/nginx/naxsi_core.rules;
-
- ##
- # nginx-passenger config
- ##
- # Uncomment it if you installed nginx-passenger
- ##
-
- #passenger_root /usr;
- #passenger_ruby /usr/bin/ruby;
-
- ##
- # WebSocket proxying
- ##
- map $http_upgrade $connection_upgrade {
- default upgrade;
- '' close;
- }
-
 ##
 # Virtual Host Configs
 ##
- include /etc/nginx/conf.d/*.conf;
 include /config/nginx/site-confs/*;
 #Removed lua. Do not remove this comment
 }
-daemon off;
\ No newline at end of file
+daemon off;
+pid /run/nginx.pid;
\ No newline at end of file
diff --git a/root/defaults/ssl.conf b/root/defaults/ssl.conf
index 9cb0cb3..2851edc 100644
--- a/root/defaults/ssl.conf
+++ b/root/defaults/ssl.conf
@@ -1,4 +1,4 @@
-## Version 2020/12/11 - Changelog: https://github.com/linuxserver/docker-mods/blob/nginx-proxy-confs/root/defaults/ssl.conf
+## Version 2021/05/18 - Changelog: https://github.com/linuxserver/docker-mods/blob/nginx-proxy-confs/root/defaults/ssl.conf
 ### Mozilla Recommendations
 # generated 2020-06-17, Mozilla Guideline v5.4, nginx 1.18.0-r0, OpenSSL 1.1.1g-r0, intermediate configuration
@@ -27,9 +27,6 @@ ssl_certificate_key /config/keys/cert.key;
 # Diffie-Hellman Parameters
 ssl_dhparam /config/nginx/dhparams.pem;
-# Resolver
-resolver 127.0.0.11 valid=30s; # Docker DNS Server
-
 # Enable TLS 1.3 early data
 ssl_early_data on;
diff --git a/root/etc/cont-init.d/99-proxy-conf b/root/etc/cont-init.d/99-proxy-conf
index af7df1b..d4709c6 100644
--- a/root/etc/cont-init.d/99-proxy-conf
+++ b/root/etc/cont-init.d/99-proxy-conf
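Review bot: The new final line `pid /run/nginx.pid;` still carries the `\ No newline at end of file` marker, as the old `daemon off;` did; terminating the file with a newline keeps that marker out of every future diff of nginx.conf. Placing `daemon off;` and `pid` in the main context after the closing brace of `http` is accepted by nginx, so there is no functional problem with the relocation itself.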
@@ -14,13 +14,25 @@ cp -R /defaults/proxy-confs /config/nginx/
 [[ ! -f /config/nginx/ssl.conf ]] && cp /defaults/ssl.conf /config/nginx/ssl.conf
-# copy pre-generated dhparams or generate if needed
-if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then
- curl -o /config/nginx/dhparams.pem -L "https://lsio.ams3.digitaloceanspaces.com/dhparams.pem"
+# Set resolver
+if ! grep -q 'resolver' /config/nginx/resolver.conf; then
+ RESOLVER=$(awk 'BEGIN{ORS=" "} $1=="nameserver" {print $2}' /etc/resolv.conf)
+ echo "Setting resolver to ${RESOLVER}"
+ echo -e "# This file is auto-generated only on first start, based on the container's /etc/resolv.conf file. Feel free to modify it as you wish.\n\nresolver ${RESOLVER} valid=30s;" > /config/nginx/resolver.conf
 fi
+
+# Set worker_processes
+if ! grep -q 'worker_processes' /config/nginx/worker_processes.conf; then
+ WORKER_PROCESSES=$(nproc)
+ echo "Setting worker_processes to ${WORKER_PROCESSES}"
+ echo -e "# This file is auto-generated only on first start, based on the cpu cores detected. Feel free to change it to any other number or to auto to let nginx handle it automatically.\n\nworker_processes ${WORKER_PROCESSES};" > /config/nginx/worker_processes.conf
+fi
+
+# copy pre-generated dhparams or generate if needed
+[[ ! -f /config/nginx/dhparams.pem ]] && \
+ cp /defaults/dhparams.pem /config/nginx/dhparams.pem
 if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then
- echo "Generating dhparams.pem. This will take a long time. Do not stop the container until this process is completed."
- openssl dhparam -out /config/nginx/dhparams.pem 4096
+ curl -o /config/nginx/dhparams.pem -L "https://ssl-config.mozilla.org/ffdhe4096.txt"
 fi
 # permissions
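Review bot: The new dhparams fallback `curl -o /config/nginx/dhparams.pem -L "https://ssl-config.mozilla.org/ffdhe4096.txt"` runs without `-f`, so an HTTP error body is written into dhparams.pem verbatim and nothing re-checks the result after the download, leaving nginx to fail at startup on an unparsable `ssl_dhparam` file; download to a temporary name with `curl -fsSL`, verify it contains `PARAMETERS`, and only then move it into place. The resolver block has a similar gap: when awk finds no `nameserver` line in /etc/resolv.conf, `RESOLVER` is empty and the generated `resolver  valid=30s;` is a syntax error that also stops nginx, so the directive should be skipped in that case. `grep -qs` silences the "No such file" noise on the very first start, when neither generated file exists yet. The script header (shebang and any `set -e`) is outside this hunk, so the non-zero status of `[[ ! -f … ]] && cp` when the file already exists only matters if errexit is enabled there.
```shell
# Set resolver
if ! grep -qs 'resolver' /config/nginx/resolver.conf; then
    RESOLVER=$(awk 'BEGIN{ORS=" "} $1=="nameserver" {print $2}' /etc/resolv.conf)
    if [[ -z "${RESOLVER// }" ]]; then
        echo "No nameserver found in /etc/resolv.conf, leaving nginx without a resolver directive"
        # comment deliberately avoids the word the grep above matches, so this is retried on the next start
        echo "# No nameserver was found in /etc/resolv.conf on first start; add a directive here if needed." > /config/nginx/resolver.conf
    else
        echo "Setting resolver to ${RESOLVER}"
        echo -e "# This file is auto-generated only on first start, based on the container's /etc/resolv.conf file. Feel free to modify it as you wish.\n\nresolver ${RESOLVER} valid=30s;" > /config/nginx/resolver.conf
    fi
fi
# … unchanged: worker_processes generation …
# copy pre-generated dhparams or download if needed
[[ ! -f /config/nginx/dhparams.pem ]] && \
    cp /defaults/dhparams.pem /config/nginx/dhparams.pem
if ! grep -qs 'PARAMETERS' /config/nginx/dhparams.pem; then
    if curl -fsSL -o /config/nginx/dhparams.pem.tmp "https://ssl-config.mozilla.org/ffdhe4096.txt" && \
       grep -q 'PARAMETERS' /config/nginx/dhparams.pem.tmp; then
        mv /config/nginx/dhparams.pem.tmp /config/nginx/dhparams.pem
    else
        rm -f /config/nginx/dhparams.pem.tmp
        echo "Could not obtain dhparams.pem; nginx will not start until /config/nginx/dhparams.pem is provided"
    fi
fi
```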