# syntax=docker/dockerfile-upstream:master-labs
# region header
# [Project page](https://torben.website/proxy)
# Copyright Torben Sickert (info["~at~"]torben.website) 16.12.2012
# License
# -------
# This library, written by Torben Sickert, is released under a Creative
# Commons Attribution 3.0 Unported license.
# See https://creativecommons.org/licenses/by/3.0/deed.de
# endregion
# region create image commands
# Run the following command in the directory where this file lives to build a
# new docker image:
# - docker pull ghcr.io/thaibault/containerbase:latest && docker buildx build --no-cache --tag ghcr.io/thaibault/proxy:latest .
# endregion
# region start container commands
# Run the following command in the directory where this file lives to start:
# - podman pod rm --force proxy_pod; podman play kube service/kubernetes/production.yaml
# - docker rm --force proxy; docker compose --file service/docker/base.yaml --file service/docker/local.yaml up
# endregion
# region configuration
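# Base image, overridable at build time with --build-arg BASE_IMAGE=...
# NOTE(review): the default tracks a floating tag; ":latest" resolves to
# whatever upstream publishes next, so two builds of this file can yield
# different images. Pin a version tag - ideally an @sha256 digest - for
# production builds.
# NOTE(review): the "# syntax=" directive at the top of the file tracks the
# unpinned master-labs frontend; nothing visible in this file needs a
# labs-only feature, so "docker/dockerfile:1" would be the more conservative
# choice - confirm before switching.
ARG BASE_IMAGE
FROM ${BASE_IMAGE:-ghcr.io/thaibault/containerbase:latest}
LABEL maintainer="Torben Sickert <[email protected]>"
LABEL Description="proxy" Vendor="thaibault products" Version="1.0"
# Documentation only - EXPOSE publishes nothing. Binding these ports as the
# non-root service user relies on the cap_net_bind_service file capability
# granted to the nginx binary further down.
EXPOSE 80 443
# Runtime configuration (key=value form; the legacy "ENV key value" form is
# deprecated). MAIN_USER_NAME, ACCESS_LOG, ERROR_LOG, TEMPORARY_NGINX_PATH and
# PROXY_APPLICATION_SPECIFIC_NGINX_CONFIGURATION_FILE_PATH are baked into the
# generated nginx.conf at build time; the PROXY_CERTIFICATE* and
# CERTIFICATION_SERVICE_LOG values are presumably read by the scripts under
# SCRIPTS_PATH (not visible here). APPLICATION_PATH is inherited from the base
# image.
ENV APPLICATION_USER_ID_INDICATOR_FILE_PATH=/etc/nginx/conf.d \
    MAIN_USER_NAME=http \
    PROXY_APPLICATION_SPECIFIC_NGINX_CONFIGURATION_FILE_PATH="/etc/nginx/conf.d/*.conf" \
    PROXY_CERTIFICATES="" \
    PROXY_CERTIFICATE_DOMAINS="" \
    PROXY_CERTIFICATE_EMAIL_ADDRESSES="" \
    PROXY_CERTIFICATES_START_UPDATE_DELAY=50m \
    ACCESS_LOG=/dev/stdout \
    CERTIFICATION_SERVICE_LOG="${APPLICATION_PATH}certificates/log.txt" \
    ERROR_LOG="/dev/stderr info" \
    COMMAND=nginx \
    TEMPORARY_NGINX_PATH=/tmp/nginx/ \
    SCRIPTS_PATH="${APPLICATION_PATH}scripts/"
WORKDIR $APPLICATION_PATH
# The build steps below need root (package install, setcap, chown). No later
# USER instruction in this file switches back, so the drop to MAIN_USER_NAME
# presumably happens in the base image's entrypoint / initialize.sh - confirm,
# otherwise the container starts as root.
USER root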
# endregion
# region install needed packages
# NOTE: Only the runtime packages are installed; debugging tools such as
# "neovim" are deliberately not part of the image.
# Runtime packages: nginx itself, certbot with its nginx plugin for ACME
# certificates, and openssl (presumably for the certificate scripts). They
# come from the rolling Arch repositories and cannot be version-pinned here,
# so reproducibility rests on pinning the base image. "clean-up" is a helper
# shipped by the base image (presumably it drops the package cache); it runs
# in the same layer so the removed files never land in the image.
RUN yay --sync --needed --noconfirm \
        certbot \
        certbot-nginx \
        nginx \
        openssl \
    && clean-up
# endregion
# region preconfigure nginx to integrate application specific options
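# Build-time override for the DNS resolver written into nginx.conf. nginx uses
# "resolver" only for names it has to look up at run time (e.g. proxy_pass
# with variables). The default keeps the previous behaviour - plain UDP
# queries to Google's public DNS, bypassing the container's /etc/resolv.conf -
# so point it at an internal resolver (--build-arg NGINX_RESOLVER=...) where
# one is available.
ARG NGINX_RESOLVER=8.8.8.8
RUN configure-user && \
    # Write the top-level nginx.conf. nginx defaults every path option to a
    # root-only location; they are redirected to places the service user can
    # write so the master process can run unprivileged. Logs go to the
    # container's stdout/stderr. The continuation lines keep their leading
    # whitespace in the generated file, which nginx ignores.
    # NOTE(review): "user" is only honoured when the master process starts as
    # root; if the container already runs as the service user nginx logs a
    # warning and ignores the directive - harmless but noisy.
    # NOTE(review): Connection "upgrade" is sent to every upstream, not only
    # on WebSocket requests; the usual recipe maps it from $http_upgrade.
    # Left as is because application configurations may rely on it.
    # NOTE(review): server_tokens is left at its default (nginx version in
    # the "Server:" header and on error pages); add "server_tokens off;" here
    # or in an application specific configuration to suppress it.
    echo -e "daemon off;\n\
        error_log ${ERROR_LOG};\n\
        pid ${TEMPORARY_NGINX_PATH}pid;\n\n\
        user ${MAIN_USER_NAME} ${MAIN_USER_GROUP_NAME};\n\n\
        worker_processes auto;\n\
        worker_rlimit_nofile 2048;\n\n\
        events {\n\
            worker_connections 1024;\n\
        }\n\n\
        http {\n\
            access_log ${ACCESS_LOG};\n\
            charset utf8;\n\n\
            client_body_temp_path ${TEMPORARY_NGINX_PATH}clientBody;\n\
            fastcgi_temp_path ${TEMPORARY_NGINX_PATH}fastcgiTemp;\n\
            proxy_temp_path ${TEMPORARY_NGINX_PATH}proxyTemp;\n\
            scgi_temp_path ${TEMPORARY_NGINX_PATH}scgiTemp;\n\
            uwsgi_temp_path ${TEMPORARY_NGINX_PATH}uwsgiTemp;\n\n\
            default_type application/octet-stream;\n\
            gzip on;\n\n\
            sendfile on;\n\n\
            client_body_buffer_size 256k;\n\
            types_hash_max_size 4096;\n\n\
            proxy_set_header X-Forwarded-Proto \$scheme;\n\
            proxy_set_header Upgrade \$http_upgrade;\n\
            proxy_set_header Connection \"upgrade\";\n\n\
            keepalive_timeout 65;\n\n\
            resolver ${NGINX_RESOLVER};\n\n\
            include mime.types;\n\
            include ${PROXY_APPLICATION_SPECIFIC_NGINX_CONFIGURATION_FILE_PATH};\n\
        }" \
        1>/etc/nginx/nginx.conf && \
    # Placeholder (empty) default document for nginx's default html root.
    mkdir --parents /etc/nginx/html && \
    echo '' >/etc/nginx/html/index.html && \
    # Scratch directory for the pid and temp files; it is created right here,
    # so a plain recursive chown is sufficient.
    mkdir --parents "$TEMPORARY_NGINX_PATH" && \
    chown --recursive \
        "${MAIN_USER_NAME}:${MAIN_USER_GROUP_NAME}" \
        "$TEMPORARY_NGINX_PATH" && \
    # Grant the nginx binary a file capability so the non-root service user
    # can bind ports below 1024 (80/443). This is the least-privilege
    # alternative to running the master process as root. "command -v" is the
    # POSIX builtin and avoids a dependency on which(1).
    setcap cap_net_bind_service=ep "$(command -v nginx)"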
# endregion
# region build file structure
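# Application file tree. APPLICATION_PATH, MAIN_USER_GROUP_NAME and
# INITIALIZING_FILE_PATH are inherited from the base image.
COPY --link ./scripts "${SCRIPTS_PATH}"
# One layer for the directory skeleton, ownership and the command symlinks
# (previously spread over nine RUN layers; the resulting tree is the same).
# NOTE(review): the chown makes every script writable by MAIN_USER_NAME while
# the scripts are also linked into /usr/bin and into certbot's post-renewal
# hook directory. If certbot or the initializer run with more privilege than
# the service user (not visible from this file), a compromised nginx worker
# could edit a script and have it executed with that privilege. Keeping the
# scripts root-owned (0755) and chowning only certificates/ would close that;
# left unchanged here because the scripts' write requirements are unknown.
# NOTE(review): "-L" together with "--recursive" follows directory symlinks
# found under APPLICATION_PATH, so a symlink inside ./scripts could redirect
# the chown outside the tree - acceptable only while ./scripts is trusted
# build context.
# NOTE(review): chown after COPY --link re-stores every copied file in a new
# layer; COPY --chown would avoid that if the user/group names resolve under
# --link - not verified.
RUN mkdir --parents \
        "${APPLICATION_PATH}certificates/acme-challenge" \
        /etc/letsencrypt/renewal-hooks/post && \
    chown --dereference -L --recursive \
        "${MAIN_USER_NAME}:${MAIN_USER_GROUP_NAME}" \
        "$APPLICATION_PATH" && \
    ln --symbolic \
        "${SCRIPTS_PATH}certificate-service.sh" \
        /usr/bin/certificate-service && \
    # --force: presumably replaces an initializer the base image already ships.
    ln --force --symbolic \
        "${SCRIPTS_PATH}initialize.sh" \
        "$INITIALIZING_FILE_PATH" && \
    ln --symbolic \
        "${SCRIPTS_PATH}initialize-certificates.sh" \
        /usr/bin/initialize-certificates && \
    # certbot's post-renewal hook directory.
    ln --symbolic \
        "${SCRIPTS_PATH}reload-nginx.sh" \
        /etc/letsencrypt/renewal-hooks/post/50-reload-nginx.sh && \
    ln --symbolic \
        "${SCRIPTS_PATH}retrieve-certificate.sh" \
        /usr/bin/retrieve-certificate && \
    ln --symbolic \
        "${SCRIPTS_PATH}update-certificate.sh" \
        /usr/bin/update-certificate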
# endregion
#ENTRYPOINT ...
# region modline
# vim: set tabstop=4 shiftwidth=4 expandtab filetype=dockerfile:
# vim: foldmethod=marker foldmarker=region,endregion:
# endregion