diff --git a/.github/workflows/BuildImage.yml b/.github/workflows/BuildImage.yml
index 518b0d8..ef12079 100644
--- a/.github/workflows/BuildImage.yml
+++ b/.github/workflows/BuildImage.yml
@@ -4,8 +4,8 @@ on: [push, pull_request, workflow_dispatch]
 env:
 ENDPOINT: "linuxserver/mods" #don't modify
- BASEIMAGE: "replace_baseimage" #replace
- MODNAME: "replace_modname" #replace
+ BASEIMAGE: "nginx" #replace
+ MODNAME: "proxy-confs" #replace
 jobs:
 build:
diff --git a/Dockerfile b/Dockerfile
index 4ece5e8..64d30c7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,29 @@
+FROM ghcr.io/linuxserver/baseimage-alpine:3.12 as grab-stage
+
+RUN \
+ apk add --no-cache --upgrade \
+ curl \
+ tar && \
+ mkdir -p /root/defaults/proxy-confs && \
+ curl -o \
+ /tmp/proxy.tar.gz -L \
+ "https://github.com/linuxserver/reverse-proxy-confs/tarball/master" && \
+ tar xf \
+ /tmp/proxy.tar.gz -C \
+ /root/defaults/proxy-confs \
+ --strip-components=1 \
+ --exclude=linux*/.gitattributes \
+ --exclude=linux*/.github \
+ --exclude=linux*/.gitignore \
+ --exclude=linux*/LICENSE
+# copy local files
+COPY root/ root/
+
+ADD https://raw.githubusercontent.com/linuxserver/docker-swag/master/root/defaults/proxy.conf /root/defaults/proxy.conf
+
 FROM scratch
-LABEL maintainer="username"
+LABEL maintainer="Roxedus"
-# copy local files
-COPY root/ /
+# copy proxy-confs
+COPY --from=grab-stage root/ /
\ No newline at end of file
diff --git a/README.md b/README.md
index 5636dec..d5d098c 100644
--- a/README.md
+++ b/README.md
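Review bot: Both remote fetches in the grab-stage pull from a moving branch with no integrity check — `curl -o /tmp/proxy.tar.gz -L "https://github.com/linuxserver/reverse-proxy-confs/tarball/master"` and the bare `ADD https://raw.githubusercontent.com/linuxserver/docker-swag/master/root/defaults/proxy.conf …` — so the image content depends on whatever those repositories hold at build time, and a force-pushed or compromised upstream ships straight into the mod. Pin both to a tag or commit SHA instead of `master` and verify what is fetched: with BuildKit the second becomes `ADD --checksum=sha256:<digest> https://raw.githubusercontent.com/linuxserver/docker-swag/<sha>/root/defaults/proxy.conf /root/defaults/proxy.conf`, and the tarball can be checked with `sha256sum -c` before `tar xf`. The `curl -o … -L` call also lacks `-f`, so a non-200 response is saved as the tarball and only fails later at extraction; `curl -fsSL -o …` fails fast with a clear error. `FROM ghcr.io/linuxserver/baseimage-alpine:3.12` is pinned only to a minor tag; a digest pin would make the build reproducible end to end.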
@@ -1,17 +1,16 @@
-# Rsync - Docker mod for openssh-server
+# Proxy-conf - Docker mod for Nginx
-This mod adds rsync to openssh-server, to be installed/updated during container start.
+This mod adds some of the [proxy-conf](https://github.com/linuxserver/reverse-proxy-confs) functionality that is baked into [SWAG](https://github.com/linuxserver/docker-swag), to Nginx.
-In openssh-server docker arguments, set an environment variable `DOCKER_MODS=linuxserver/mods:openssh-server-rsync`
+This mod does some reshuffling to the files that originally ships with our Nginx image. You have to track changes to these files yourself. If you are adding this mod to an existing install you have to modify, or replace these files yourself.
-If adding multiple mods, enter them in an array separated by `|`, such as `DOCKER_MODS=linuxserver/mods:openssh-server-rsync|linuxserver/mods:openssh-server-mod2`
+| File | Change |
+| --- | --- |
+| site-confs/default | Added include directives to load the files from proxy-confs/ |
+| nginx.conf | Moved some directives to proxy.conf. Added the required map for websockets |
+| proxy.conf | Direct copy from SWAG |
+| ssl.conf | Based on the same file from SWAG, but changed certificate location |
-# Mod creation instructions
+In nginx docker arguments, set an environment variable `DOCKER_MODS=linuxserver/mods:nginx-proxy-confs`
-* Fork the repo, create a new branch based on the branch `template`.
-* Edit the `Dockerfile` for the mod. `Dockerfile.complex` is only an example and included for reference; it should be deleted when done.
-* Inspect the `root` folder contents. Edit, add and remove as necessary.
-* Edit this readme with pertinent info, delete these instructions.
-* Finally edit the `.github/workflows/BuildImage.yml`. Customize the build branch, and the vars for `BASEIMAGE` and `MODNAME`.
-* Ask the team to create a new branch named `-`. Baseimage should be the name of the image the mod will be applied to. The new branch will be based on the `template` branch.
-* Submit PR against the branch created by the team.
+If adding multiple mods, enter them in an array separated by `|`, such as `DOCKER_MODS=linuxserver/mods:nginx-proxy-confs|linuxserver/mods:universal-git`
diff --git a/root/defaults/default b/root/defaults/default
new file mode 100644
index 0000000..84730f0
--- /dev/null
+++ b/root/defaults/default
@@ -0,0 +1,37 @@
+## Version 2020/12/11 - Changelog: https://github.com/linuxserver/docker-mods/blob/nginx-proxy-confs/root/defaults/nginx.conf
+
+server {
+ listen 80 default_server;
+ listen 443 ssl;
+ server_name _;
+
+ root /config/www;
+
+ index index.html index.htm index.php;
+
+ # enable subfolder method reverse proxy confs
+ include /config/nginx/proxy-confs/*.subfolder.conf;
+
+ ssl_certificate /config/keys/cert.crt;
+ ssl_certificate_key /config/keys/cert.key;
+
+
+ client_max_body_size 0;
+
+ location / {
+ try_files $uri $uri/ /index.html /index.php?$args =404;
+ }
+
+ location ~ \.php$ {
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_pass 127.0.0.1:9000;
+ fastcgi_index index.php;
+ include /etc/nginx/fastcgi_params;
+ }
+
+}
+
+# enable subdomain method reverse proxy confs
+include /config/nginx/proxy-confs/*.subdomain.conf;
+# enable proxy cache for auth
+proxy_cache_path cache/ keys_zone=auth_cache:10m;
\ No newline at end of file
diff --git a/root/defaults/nginx.conf b/root/defaults/nginx.conf
new file mode 100644
index 0000000..b6be7f0
--- /dev/null
+++ b/root/defaults/nginx.conf
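Review bot: The `server` block that does `listen 443 ssl;` sets only `ssl_certificate`/`ssl_certificate_key` and never includes `/config/nginx/ssl.conf`, so the TLS protocol floor, cipher list and stapling settings shipped in that file do not apply to this default server; it falls back to nginx's built-in TLS defaults, which on the nginx 1.18 that the ssl.conf header targets still allow TLS 1.0 and 1.1. Replacing the two certificate lines with `include /config/nginx/ssl.conf;` (that file already carries the same cert paths) closes the gap and matches the role the README assigns to ssl.conf. `proxy_cache_path cache/ keys_zone=auth_cache:10m;` uses a relative path, which resolves against the nginx prefix rather than `/config`; worth confirming it is writable by the `abc` user the worker runs as, or making it absolute. The header comment's changelog link points at `root/defaults/nginx.conf` instead of this file.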
@@ -0,0 +1,91 @@
+## Version 2020/12/11 - Changelog: https://github.com/linuxserver/docker-mods/blob/nginx-proxy-confs/root/defaults/nginx.conf
+
+user abc;
+worker_processes 4;
+pid /run/nginx.pid;
+include /etc/nginx/modules/*.conf;
+
+events {
+ worker_connections 768;
+ # multi_accept on;
+}
+
+http {
+
+ ##
+ # Basic Settings
+ ##
+
+ client_body_buffer_size 128k;
+ client_max_body_size 0;
+ keepalive_timeout 65;
+ large_client_header_buffers 4 16k;
+ send_timeout 5m;
+ sendfile on;
+ tcp_nodelay on;
+ tcp_nopush on;
+ types_hash_max_size 2048;
+ variables_hash_max_size 2048;
+
+ # server_tokens off;
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ##
+ # Logging Settings
+ ##
+
+ access_log /config/log/nginx/access.log;
+ error_log /config/log/nginx/error.log;
+
+ ##
+ # Gzip Settings
+ ##
+
+ gzip on;
+ gzip_disable "msie6";
+
+ # gzip_vary on;
+ # gzip_proxied any;
+ # gzip_comp_level 6;
+ # gzip_buffers 16 8k;
+ # gzip_http_version 1.1;
+ # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+
+ ##
+ # nginx-naxsi config
+ ##
+ # Uncomment it if you installed nginx-naxsi
+ ##
+
+ #include /etc/nginx/naxsi_core.rules;
+
+ ##
+ # nginx-passenger config
+ ##
+ # Uncomment it if you installed nginx-passenger
+ ##
+
+ #passenger_root /usr;
+ #passenger_ruby /usr/bin/ruby;
+
+ ##
+ # WebSocket proxying
+ ##
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
+ ##
+ # Virtual Host Configs
+ ##
+ include /etc/nginx/conf.d/*.conf;
+ include /config/nginx/site-confs/*;
+ lua_load_resty_core off;
+}
+
+daemon off;
\ No newline at end of file
diff --git a/root/defaults/ssl.conf b/root/defaults/ssl.conf
new file mode 100644
index 0000000..9cb0cb3
--- /dev/null
+++ b/root/defaults/ssl.conf
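Review bot: `# server_tokens off;` is left commented out, so the nginx version is advertised in the `Server` header and on error pages; for a reverse-proxy front end this should be the active `server_tokens off;`. `include /config/nginx/site-confs/*;` has no suffix filter, so any file that lands in that directory — an editor backup such as `default~` or a `default.bak` — is parsed as configuration and can silently redefine the default server; restricting it to `*.conf` would require renaming the shipped `default` file, so at minimum add a comment next to the include warning that every file in the directory is loaded. `worker_processes 4;` is a fixed count rather than `auto`; a matter of taste, but `auto` sizes to the CPUs the container actually gets.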
@@ -0,0 +1,46 @@
+## Version 2020/12/11 - Changelog: https://github.com/linuxserver/docker-mods/blob/nginx-proxy-confs/root/defaults/ssl.conf
+
+### Mozilla Recommendations
+# generated 2020-06-17, Mozilla Guideline v5.4, nginx 1.18.0-r0, OpenSSL 1.1.1g-r0, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.18.0-r0&config=intermediate&openssl=1.1.1g-r0&guideline=5.4
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+# intermediate configuration
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers off;
+
+# OCSP stapling
+ssl_stapling on;
+ssl_stapling_verify on;
+
+
+### Linuxserver.io Defaults
+
+# Certificates
+ssl_certificate /config/keys/cert.crt;
+ssl_certificate_key /config/keys/cert.key;
+
+# Diffie-Hellman Parameters
+ssl_dhparam /config/nginx/dhparams.pem;
+
+# Resolver
+resolver 127.0.0.11 valid=30s; # Docker DNS Server
+
+# Enable TLS 1.3 early data
+ssl_early_data on;
+
+# HSTS, remove # from the line below to enable HSTS
+#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+
+# Optional additional headers
+#add_header Cache-Control "no-transform" always;
+#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'";
+#add_header Referrer-Policy "same-origin" always;
+#add_header X-Content-Type-Options "nosniff" always;
+#add_header X-Frame-Options "SAMEORIGIN" always;
+#add_header X-UA-Compatible "IE=Edge" always;
+#add_header X-XSS-Protection "1; mode=block" always;
\ No newline at end of file
diff --git a/root/etc/cont-init.d/98-vpn-config b/root/etc/cont-init.d/98-vpn-config
deleted file mode 100644
index a5f9127..0000000
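Review bot: `ssl_early_data on;` accepts TLS 1.3 0-RTT data, and 0-RTT requests can be replayed by an on-path attacker; that is only safe if every proxied request is forwarded with `proxy_set_header Early-Data $ssl_early_data;` and the upstream rejects non-idempotent early requests with 425 Too Early. The `proxy.conf` that would carry that header is pulled from SWAG `master` at build time and is not part of this diff, so it cannot be confirmed here; unless it is, ship `ssl_early_data off;` and let users opt in, with a comment stating the replay caveat. `ssl_stapling_verify on;` is set with no `ssl_trusted_certificate`, so nginx has no chain to verify OCSP responses against, and with a self-signed `/config/keys/cert.crt` there is no responder at all — stapling will most likely just be logged as skipped or failed at startup; harmless, but a one-line comment saves users from chasing the warning.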
--- a/root/etc/cont-init.d/98-vpn-config
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-# Determine if setup is needed
-if [ ! -f /usr/local/lib/python***/dist-packages/sshuttle ] && \
-[ -f /usr/bin/apt ]; then
- ## Ubuntu
- apt-get update
- apt-get install --no-install-recommends -y \
- iptables \
- openssh-client \
- python3 \
- python3-pip
- pip3 install sshuttle
-fi
-if [ ! -f /usr/lib/python***/site-packages/sshuttle ] && \
-[ -f /sbin/apk ]; then
- # Alpine
- apk add --no-cache \
- iptables \
- openssh \
- py3-pip \
- python3
- pip3 install sshuttle
-fi
-
-chown -R root:root /root
-chmod -R 600 /root/.ssh
diff --git a/root/etc/cont-init.d/99-proxy-conf b/root/etc/cont-init.d/99-proxy-conf
new file mode 100644
index 0000000..af7df1b
--- /dev/null
+++ b/root/etc/cont-init.d/99-proxy-conf
@@ -0,0 +1,28 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+###
+# SWAG LOGIC https://github.com/linuxserver/docker-swag/blob/master/root/etc/cont-init.d/50-config
+###
+
+# copy reverse proxy configs
+cp -R /defaults/proxy-confs /config/nginx/
+
+# copy proxy defaults
+[[ ! -f /config/nginx/proxy.conf ]] &&
+ cp /defaults/proxy.conf /config/nginx/proxy.conf
+[[ ! -f /config/nginx/ssl.conf ]] &&
+ cp /defaults/ssl.conf /config/nginx/ssl.conf
+
+# copy pre-generated dhparams or generate if needed
+if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then
+ curl -o /config/nginx/dhparams.pem -L "https://lsio.ams3.digitaloceanspaces.com/dhparams.pem"
+fi
+if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then
+ echo "Generating dhparams.pem. This will take a long time. Do not stop the container until this process is completed."
+ openssl dhparam -out /config/nginx/dhparams.pem 4096
+fi
+
+# permissions
+chown -R abc:abc \
+ /config/nginx/{proxy.conf,ssl.conf,dhparams.pem,proxy-confs/}
diff --git a/root/etc/services.d/sshvpn/run b/root/etc/services.d/sshvpn/run
deleted file mode 100644
index 7d49e79..0000000
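Review bot: The `curl -o /config/nginx/dhparams.pem -L "https://lsio.ams3.digitaloceanspaces.com/dhparams.pem"` download in 99-proxy-conf is trusted with no integrity check; the only validation is the `grep -q 'PARAMETERS'` that follows, which any PEM-shaped response passes, so a compromised bucket can hand every container the same weak or trapdoored DH group — and the shipped ssl.conf lists DHE suites, so the group is used in real handshakes. Fetch with `curl -fsSL -o …` so a non-200 body is never written to disk, compare the result against a pinned sha256 with `sha256sum -c`, and drop the file on mismatch so the existing `openssl dhparam` branch regenerates it locally. The first `grep` also prints a "No such file" error to the container log on every fresh `/config` because the file does not exist yet; a `[[ -f … ]]` guard keeps startup output clean. The fallback generation block below is unchanged.

```shell
# copy pre-generated dhparams or generate if needed
DHPARAMS_SHA256="<pinned sha256 of the published dhparams.pem>"
if [[ ! -f /config/nginx/dhparams.pem ]] || ! grep -q 'PARAMETERS' /config/nginx/dhparams.pem; then
    curl -fsSL -o /config/nginx/dhparams.pem "https://lsio.ams3.digitaloceanspaces.com/dhparams.pem" &&
        echo "${DHPARAMS_SHA256}  /config/nginx/dhparams.pem" | sha256sum -c --quiet ||
        rm -f /config/nginx/dhparams.pem
fi
# … unchanged: openssl dhparam fallback and chown …
```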
--- a/root/etc/services.d/sshvpn/run
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-sshuttle --dns --remote root@${HOST}:${PORT} 0/0 -x 172.17.0.0/16