Merge pull request #152 from Roxedus/nginx-proxy-confs

Add nginx-proxy-confs
2026-06-28 11:13:00 -04:00 · 2020-12-11 13:41:54 -05:00
parent d1dc6e5858 494e9e3ddd
commit bba5300302
9 changed files with 241 additions and 47 deletions
@@ -4,8 +4,8 @@ on: [push, pull_request, workflow_dispatch]

 env:
  ENDPOINT: "linuxserver/mods" #don't modify
-  BASEIMAGE: "replace_baseimage" #replace
-  MODNAME: "replace_modname" #replace
+  BASEIMAGE: "nginx" #replace
+  MODNAME: "proxy-confs" #replace

 jobs:
  build:
@@ -1,6 +1,29 @@
+FROM ghcr.io/linuxserver/baseimage-alpine:3.12 as grab-stage
+
+RUN \
+ apk add --no-cache --upgrade \
+    curl \
+    tar && \
+ mkdir -p /root/defaults/proxy-confs && \
+ curl -o \
+    /tmp/proxy.tar.gz -L \
+    "https://github.com/linuxserver/reverse-proxy-confs/tarball/master" && \
+ tar xf \
+    /tmp/proxy.tar.gz -C \
+    /root/defaults/proxy-confs \
+    --strip-components=1 \
+    --exclude=linux*/.gitattributes \
+    --exclude=linux*/.github \
+    --exclude=linux*/.gitignore \
+    --exclude=linux*/LICENSE
+# copy local files
+COPY root/ root/
+
+ADD https://raw.githubusercontent.com/linuxserver/docker-swag/master/root/defaults/proxy.conf /root/defaults/proxy.conf
+
 FROM scratch

-LABEL maintainer="username"
+LABEL maintainer="Roxedus"

-# copy local files
-COPY root/ /
+# copy proxy-confs
+COPY --from=grab-stage root/ /
@@ -1,17 +1,16 @@
-# Rsync - Docker mod for openssh-server
+# Proxy-conf - Docker mod for Nginx

-This mod adds rsync to openssh-server, to be installed/updated during container start.
+This mod adds some of the [proxy-conf](https://github.com/linuxserver/reverse-proxy-confs) functionality that is baked into [SWAG](https://github.com/linuxserver/docker-swag), to Nginx.

-In openssh-server docker arguments, set an environment variable `DOCKER_MODS=linuxserver/mods:openssh-server-rsync`
+This mod does some reshuffling to the files that originally ships with our Nginx image. You have to track changes to these files yourself. If you are adding this mod to an existing install you have to modify, or replace these files yourself.

-If adding multiple mods, enter them in an array separated by `|`, such as `DOCKER_MODS=linuxserver/mods:openssh-server-rsync|linuxserver/mods:openssh-server-mod2`
+| File | Change |
+| --- | --- |
+| site-confs/default | Added include directives to load the files from proxy-confs/ |
+| nginx.conf | Moved some directives to proxy.conf. Added the required map for websockets |
+| proxy.conf | Direct copy from SWAG |
+| ssl.conf | Based on the same file from SWAG, but changed certificate location |

-# Mod creation instructions
+In nginx docker arguments, set an environment variable `DOCKER_MODS=linuxserver/mods:nginx-proxy-confs`

-* Fork the repo, create a new branch based on the branch `template`.
-* Edit the `Dockerfile` for the mod. `Dockerfile.complex` is only an example and included for reference; it should be deleted when done.
-* Inspect the `root` folder contents. Edit, add and remove as necessary.
-* Edit this readme with pertinent info, delete these instructions.
-* Finally edit the `.github/workflows/BuildImage.yml`. Customize the build branch, and the vars for `BASEIMAGE` and `MODNAME`.
-* Ask the team to create a new branch named `<baseimagename>-<modname>`. Baseimage should be the name of the image the mod will be applied to. The new branch will be based on the `template` branch.
-* Submit PR against the branch created by the team.
+If adding multiple mods, enter them in an array separated by `|`, such as `DOCKER_MODS=linuxserver/mods:nginx-proxy-confs|linuxserver/mods:universal-git`
@@ -0,0 +1,37 @@
+## Version 2020/12/11 - Changelog: https://github.com/linuxserver/docker-mods/blob/nginx-proxy-confs/root/defaults/nginx.conf
+
+server {
+    listen 80 default_server;
+    listen 443 ssl;
+    server_name _;
+
+    root /config/www;
+
+    index index.html index.htm index.php;
+
+    # enable subfolder method reverse proxy confs
+    include /config/nginx/proxy-confs/*.subfolder.conf;
+
+    ssl_certificate /config/keys/cert.crt;
+    ssl_certificate_key /config/keys/cert.key;
+
+
+    client_max_body_size 0;
+
+    location / {
+        try_files $uri $uri/ /index.html /index.php?$args =404;
+    }
+
+    location ~ \.php$ {
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_pass 127.0.0.1:9000;
+        fastcgi_index index.php;
+        include /etc/nginx/fastcgi_params;
+    }
+
+}
+
+# enable subdomain method reverse proxy confs
+include /config/nginx/proxy-confs/*.subdomain.conf;
+# enable proxy cache for auth
+proxy_cache_path cache/ keys_zone=auth_cache:10m;
@@ -0,0 +1,91 @@
+## Version 2020/12/11 - Changelog: https://github.com/linuxserver/docker-mods/blob/nginx-proxy-confs/root/defaults/nginx.conf
+
+user abc;
+worker_processes 4;
+pid /run/nginx.pid;
+include /etc/nginx/modules/*.conf;
+
+events {
+    worker_connections 768;
+    # multi_accept on;
+}
+
+http {
+
+    ##
+    # Basic Settings
+    ##
+
+    client_body_buffer_size 128k;
+    client_max_body_size 0;
+    keepalive_timeout 65;
+    large_client_header_buffers 4 16k;
+    send_timeout 5m;
+    sendfile on;
+    tcp_nodelay on;
+    tcp_nopush on;
+    types_hash_max_size 2048;
+    variables_hash_max_size 2048;
+
+    # server_tokens off;
+    # server_names_hash_bucket_size 64;
+    # server_name_in_redirect off;
+
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    ##
+    # Logging Settings
+    ##
+
+    access_log /config/log/nginx/access.log;
+    error_log /config/log/nginx/error.log;
+
+    ##
+    # Gzip Settings
+    ##
+
+    gzip on;
+    gzip_disable "msie6";
+
+    # gzip_vary on;
+    # gzip_proxied any;
+    # gzip_comp_level 6;
+    # gzip_buffers 16 8k;
+    # gzip_http_version 1.1;
+    # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+
+    ##
+    # nginx-naxsi config
+    ##
+    # Uncomment it if you installed nginx-naxsi
+    ##
+
+    #include /etc/nginx/naxsi_core.rules;
+
+    ##
+    # nginx-passenger config
+    ##
+    # Uncomment it if you installed nginx-passenger
+    ##
+
+    #passenger_root /usr;
+    #passenger_ruby /usr/bin/ruby;
+
+    ##
+    # WebSocket proxying
+    ##
+    map $http_upgrade $connection_upgrade {
+        default upgrade;
+        ''      close;
+    }
+
+    ##
+    # Virtual Host Configs
+    ##
+    include /etc/nginx/conf.d/*.conf;
+    include /config/nginx/site-confs/*;
+    lua_load_resty_core off;
+}
+
+daemon off;
@@ -0,0 +1,46 @@
+## Version 2020/12/11 - Changelog: https://github.com/linuxserver/docker-mods/blob/nginx-proxy-confs/root/defaults/ssl.conf
+
+### Mozilla Recommendations
+# generated 2020-06-17, Mozilla Guideline v5.4, nginx 1.18.0-r0, OpenSSL 1.1.1g-r0, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.18.0-r0&config=intermediate&openssl=1.1.1g-r0&guideline=5.4
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+ssl_session_tickets off;
+
+# intermediate configuration
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers off;
+
+# OCSP stapling
+ssl_stapling on;
+ssl_stapling_verify on;
+
+
+### Linuxserver.io Defaults
+
+# Certificates
+ssl_certificate /config/keys/cert.crt;
+ssl_certificate_key /config/keys/cert.key;
+
+# Diffie-Hellman Parameters
+ssl_dhparam /config/nginx/dhparams.pem;
+
+# Resolver
+resolver 127.0.0.11 valid=30s; # Docker DNS Server
+
+# Enable TLS 1.3 early data
+ssl_early_data on;
+
+# HSTS, remove # from the line below to enable HSTS
+#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+
+# Optional additional headers
+#add_header Cache-Control "no-transform" always;
+#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'";
+#add_header Referrer-Policy "same-origin" always;
+#add_header X-Content-Type-Options "nosniff" always;
+#add_header X-Frame-Options "SAMEORIGIN" always;
+#add_header X-UA-Compatible "IE=Edge" always;
+#add_header X-XSS-Protection "1; mode=block" always;
@@ -1,27 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-# Determine if setup is needed
-if [ ! -f /usr/local/lib/python***/dist-packages/sshuttle ] && \
-[ -f /usr/bin/apt ]; then
-  ## Ubuntu
-  apt-get update
-  apt-get install --no-install-recommends -y \
-    iptables \
-    openssh-client \
-    python3 \
-    python3-pip 
-  pip3 install sshuttle
-fi
-if [ ! -f /usr/lib/python***/site-packages/sshuttle ] && \
-[ -f /sbin/apk ]; then
-  # Alpine
-  apk add --no-cache \
-    iptables \
-    openssh \
-    py3-pip \
-    python3 
-  pip3 install sshuttle
-fi
-
-chown -R root:root /root
-chmod -R 600 /root/.ssh
@@ -0,0 +1,28 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+###
+# SWAG LOGIC https://github.com/linuxserver/docker-swag/blob/master/root/etc/cont-init.d/50-config
+###
+
+# copy reverse proxy configs
+cp -R /defaults/proxy-confs /config/nginx/
+
+# copy proxy defaults
+[[ ! -f /config/nginx/proxy.conf ]] &&
+  cp /defaults/proxy.conf /config/nginx/proxy.conf
+[[ ! -f /config/nginx/ssl.conf ]] &&
+  cp /defaults/ssl.conf /config/nginx/ssl.conf
+
+# copy pre-generated dhparams or generate if needed
+if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then
+  curl -o /config/nginx/dhparams.pem -L "https://lsio.ams3.digitaloceanspaces.com/dhparams.pem"
+fi
+if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then
+  echo "Generating dhparams.pem. This will take a long time. Do not stop the container until this process is completed."
+  openssl dhparam -out /config/nginx/dhparams.pem 4096
+fi
+
+# permissions
+chown -R abc:abc \
+  /config/nginx/{proxy.conf,ssl.conf,dhparams.pem,proxy-confs/}
@@ -1,3 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-sshuttle --dns --remote root@${HOST}:${PORT} 0/0 -x 172.17.0.0/16