services-oci/nginx/Containerfile
2024-11-26 18:32:25 +01:00

75 lines
2.9 KiB
Docker

# SPDX-License-Identifier: AGPL-3.0-or-later
# Copyright © 2022 Thorsten Schubert <tschubert@bafh.org>
ARG NGINX_VERSION=1.27.3
FROM docker.io/library/nginx:${NGINX_VERSION} AS builder
ARG NGINX_VERSION
ARG HEADERS_MORE_MODULE_COMMIT=06dc0be56e5ec9f7fd814e881b066b5540a85bec
ARG ECHO_MODULE_COMMIT=6b11aa8f844d0770bbfdd271bf44f0237c43d23b
ENV DEBIAN_FRONTEND=noninteractive
COPY rootfs/sig/*.key /root/
RUN apt-get -qq update \
&& apt-get -qq install -y --no-install-recommends \
build-essential \
curl \
git \
gnupg \
libpcre2-dev \
libssl-dev \
zlib1g-dev \
libcap2-bin
WORKDIR /usr/src
RUN gpg --import /root/*.key \
&& curl -sL https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -o nginx.tar.gz \
&& curl -sL https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz.asc -o nginx.tar.gz.asc \
&& gpg --status-fd 1 --verify nginx.tar.gz.asc 2>/dev/null \
&& tar zxfv nginx.tar.gz \
&& mv nginx-${NGINX_VERSION} nginx \
&& git clone --single-branch https://github.com/openresty/headers-more-nginx-module.git \
&& git clone --single-branch https://github.com/openresty/echo-nginx-module.git \
&& git -C headers-more-nginx-module submodule update --init \
&& git -C echo-nginx-module submodule update --init \
&& git -C headers-more-nginx-module reset --hard ${HEADERS_MORE_MODULE_COMMIT} \
&& git -C echo-nginx-module reset --hard ${ECHO_MODULE_COMMIT} \
&& cd nginx \
&& ./configure --with-compat \
--add-dynamic-module=../headers-more-nginx-module \
--add-dynamic-module=../echo-nginx-module \
&& make modules && strip -s /usr/src/nginx/objs/*.so \
&& setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx
FROM docker.io/library/nginx:${NGINX_VERSION}
ARG PUID=1000
ARG PGID=1000
COPY --from=builder /usr/src/nginx/objs/ngx_http_*.so /usr/lib/nginx/modules/
# net_bind capability for potential binding to privileged ports
COPY --from=builder /usr/sbin/nginx /usr/sbin/nginx
RUN usermod -u ${PUID} nginx \
&& groupmod -g ${PGID} nginx \
&& sed -i 's,listen\s\+80;,listen 8080;,' /etc/nginx/conf.d/default.conf \
&& sed -i '/user\s\+nginx;/d' /etc/nginx/nginx.conf \
&& sed -i 's,/var/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf \
&& sed -i "/^http {/a \ proxy_temp_path /tmp/proxy_temp;\n client_body_temp_path /tmp/client_temp;\n fastcgi_temp_path /tmp/fastcgi_temp;\n uwsgi_temp_path /tmp/uwsgi_temp;\n scgi_temp_path /tmp/scgi_temp;\n" /etc/nginx/nginx.conf \
&& chown -R ${PUID}:0 /var/cache/nginx /etc/nginx /var/log/nginx \
&& chmod -R g+w /var/cache/nginx /etc/nginx /var/log/nginx \
&& chmod 0644 /usr/lib/nginx/modules/ngx_http_*_filter_module.so
COPY --chown=nginx:root rootfs/etc/nginx/ /etc/nginx/
USER $PUID
VOLUME /etc/nginx /srv/http/virtual
CMD ["nginx", "-g", "daemon off;"]
# vi: set ft=dockerfile ts=2 sw=2 sts=0 nosr et si tw=0 fdm=manual: