75 lines
2.9 KiB
Docker
75 lines
2.9 KiB
Docker
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
# Copyright © 2022 Thorsten Schubert <tschubert@bafh.org>
|
|
|
|
ARG NGINX_VERSION=1.27.2
|
|
FROM docker.io/library/nginx:${NGINX_VERSION} AS builder
|
|
|
|
ARG NGINX_VERSION
|
|
ARG HEADERS_MORE_MODULE_COMMIT=06dc0be56e5ec9f7fd814e881b066b5540a85bec
|
|
ARG ECHO_MODULE_COMMIT=6b11aa8f844d0770bbfdd271bf44f0237c43d23b
|
|
|
|
ENV DEBIAN_FRONTEND=noninteractive
|
|
|
|
COPY rootfs/sig/*.key /root/
|
|
|
|
RUN apt-get -qq update \
|
|
&& apt-get -qq install -y --no-install-recommends \
|
|
build-essential \
|
|
curl \
|
|
git \
|
|
gnupg \
|
|
libpcre2-dev \
|
|
libssl-dev \
|
|
zlib1g-dev \
|
|
libcap2-bin
|
|
|
|
WORKDIR /usr/src
|
|
|
|
RUN gpg --import /root/*.key \
|
|
&& curl -sL https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -o nginx.tar.gz \
|
|
&& curl -sL https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz.asc -o nginx.tar.gz.asc \
|
|
&& gpg --status-fd 1 --verify nginx.tar.gz.asc 2>/dev/null \
|
|
&& tar zxfv nginx.tar.gz \
|
|
&& mv nginx-${NGINX_VERSION} nginx \
|
|
&& git clone --single-branch https://github.com/openresty/headers-more-nginx-module.git \
|
|
&& git clone --single-branch https://github.com/openresty/echo-nginx-module.git \
|
|
&& git -C headers-more-nginx-module submodule update --init \
|
|
&& git -C echo-nginx-module submodule update --init \
|
|
&& git -C headers-more-nginx-module reset --hard ${HEADERS_MORE_MODULE_COMMIT} \
|
|
&& git -C echo-nginx-module reset --hard ${ECHO_MODULE_COMMIT} \
|
|
&& cd nginx \
|
|
&& ./configure --with-compat \
|
|
--add-dynamic-module=../headers-more-nginx-module \
|
|
--add-dynamic-module=../echo-nginx-module \
|
|
&& make modules && strip -s /usr/src/nginx/objs/*.so \
|
|
&& setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx
|
|
|
|
|
|
FROM docker.io/library/nginx:${NGINX_VERSION}
|
|
|
|
ARG PUID=1000
|
|
ARG PGID=1000
|
|
|
|
COPY --from=builder /usr/src/nginx/objs/ngx_http_*.so /usr/lib/nginx/modules/
|
|
# net_bind capability for potential binding to privileged ports
|
|
COPY --from=builder /usr/sbin/nginx /usr/sbin/nginx
|
|
|
|
RUN usermod -u ${PUID} nginx \
|
|
&& groupmod -g ${PGID} nginx \
|
|
&& sed -i 's,listen\s\+80;,listen 8080;,' /etc/nginx/conf.d/default.conf \
|
|
&& sed -i '/user\s\+nginx;/d' /etc/nginx/nginx.conf \
|
|
&& sed -i 's,/var/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf \
|
|
&& sed -i "/^http {/a \ proxy_temp_path /tmp/proxy_temp;\n client_body_temp_path /tmp/client_temp;\n fastcgi_temp_path /tmp/fastcgi_temp;\n uwsgi_temp_path /tmp/uwsgi_temp;\n scgi_temp_path /tmp/scgi_temp;\n" /etc/nginx/nginx.conf \
|
|
&& chown -R ${PUID}:0 /var/cache/nginx /etc/nginx /var/log/nginx \
|
|
&& chmod -R g+w /var/cache/nginx /etc/nginx /var/log/nginx \
|
|
&& chmod 0644 /usr/lib/nginx/modules/ngx_http_*_filter_module.so
|
|
|
|
COPY --chown=nginx:root rootfs/etc/nginx/ /etc/nginx/
|
|
|
|
USER $PUID
|
|
|
|
VOLUME /etc/nginx /srv/http/virtual
|
|
|
|
CMD ["nginx", "-g", "daemon off;"]
|
|
|
|
# vi: set ft=dockerfile ts=2 sw=2 sts=0 nosr et si tw=0 fdm=manual:
|