├── .gitignore ├── config ├── crontab ├── 10_stream_acme.conf ├── 10_default_https.conf ├── error-pages │ ├── 404 │ │ └── 00_index.html │ ├── 40x │ │ └── 00_index.html │ ├── 50x │ │ └── 00_index.html │ ├── all │ │ └── 00_index.html │ ├── 01_unified.conf │ └── 01_default.conf ├── 10_default.conf ├── 00_log.conf ├── 00_log_with_geoip.conf ├── 02_proxy.conf ├── nginx.conf ├── 01_ssl.conf ├── 03_geoip2.conf └── 00_vars.conf ├── config.sh ├── examples ├── stream.d │ └── mysql.conf ├── vhost.d │ ├── example.com.conf │ ├── git.example.com.conf │ ├── 00_default.conf │ ├── wiki.example.com.conf │ ├── static.example.com.conf │ ├── nexus3.example.com.conf │ ├── oidc.lua │ └── repo.example.com.conf └── epage.d │ └── all │ ├── 13_Clock.html │ ├── 11_Matrix_Rain.html │ ├── 10_Newton_Cradle.html │ └── 12_Solar_System.html ├── bin ├── update-certs ├── watch-config ├── entrypoint.sh ├── nginx-utils.awk ├── nginx-utils.sh └── build-certs ├── run.sh ├── README.md ├── LICENSE └── Dockerfile /.gitignore: -------------------------------------------------------------------------------- 1 | .idea/ 2 | 3 | -------------------------------------------------------------------------------- /config/crontab: -------------------------------------------------------------------------------- 1 | # m h dom mon dow command 2 | 41 6,15 * * * /usr/bin/update-certs 3 | -------------------------------------------------------------------------------- /config.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | IMAGE_VERSION=1.15.12-r1 4 | IMAGE_NAME=flytreeleft/nginx-gateway 5 | 6 | IMAGE_GEOIP_NAME=flytreeleft/nginx-gateway-with-geoip 7 | -------------------------------------------------------------------------------- /examples/stream.d/mysql.conf: -------------------------------------------------------------------------------- 1 | upstream mysql_upstreams { 2 | server mysql0:3306; 3 | server mysql1:3306; 4 | } 5 | 6 | server { 7 | listen 3306; 8 | 9 
| proxy_pass mysql_upstreams; 10 | 11 | error_log /var/log/nginx/sites/mysql.example.com/error.log; 12 | } 13 | 14 | -------------------------------------------------------------------------------- /config/10_stream_acme.conf: -------------------------------------------------------------------------------- 1 | map $ssl_preread_alpn_protocols $backend { 2 | # ~\bacme-tls/1\b unix:/tmp/nginx-tls-alpn.sock; 3 | # default unix:/tmp/nginx-ssl.sock; 4 | ~\bacme-tls/1\b 0.0.0.0:21443; 5 | default 0.0.0.0:20443; 6 | } 7 | 8 | server { 9 | listen 443; 10 | listen [::]:443; 11 | 12 | ssl_preread on; 13 | proxy_pass $backend; 14 | } 15 | -------------------------------------------------------------------------------- /examples/vhost.d/example.com.conf: -------------------------------------------------------------------------------- 1 | server { 2 | listen 443 ssl; 3 | listen [::]:443 ssl; 4 | 5 | server_name example.com; 6 | 7 | include /etc/nginx/vhost.d/example.com/*.conf; 8 | 9 | location / { 10 | # Disable proxy cache 11 | proxy_cache off; 12 | 13 | # Avoid to get address resolve error when starting 14 | set $target http://:80; 15 | proxy_pass $target; 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /examples/vhost.d/git.example.com.conf: -------------------------------------------------------------------------------- 1 | ## 2 | # Gitlab service proxy settings 3 | ## 4 | 5 | server { 6 | listen 443 ssl; 7 | listen [::]:443 ssl; 8 | 9 | server_name git.example.com; 10 | 11 | include /etc/nginx/vhost.d/git.example.com/*.conf; 12 | 13 | # Support to push big files 14 | client_max_body_size 100M; 15 | 16 | location / { 17 | # Avoid to get address resolve error when starting 18 | set $target http://:; 19 | proxy_pass $target; 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /bin/update-certs: -------------------------------------------------------------------------------- 1 | 
#!/bin/bash 2 | 3 | CERT_DIR=/etc/letsencrypt 4 | VHOSTD=/etc/nginx/vhost.d 5 | LOCK="${CERT_DIR}/.lck" 6 | 7 | if [ -e ${LOCK} ]; then 8 | exit 0 9 | else 10 | touch ${LOCK} 11 | fi 12 | 13 | 14 | # https://github.com/acmesh-official/acme.sh 15 | /usr/bin/acme.sh \ 16 | --cron \ 17 | --home /opt/acme.sh \ 18 | --config-home "${CERT_DIR}/config" \ 19 | "$@" \ 20 | >> "${CERT_DIR}/update.log" \ 21 | 2>&1 22 | 23 | chown -R nginx:nginx ${VHOSTD} ${CERT_DIR}/certs \ 24 | && chmod go-rw -R ${VHOSTD} ${CERT_DIR}/certs \ 25 | && /usr/sbin/nginx -s reload 26 | 27 | rm -f ${LOCK} 28 | -------------------------------------------------------------------------------- /config/10_default_https.conf: -------------------------------------------------------------------------------- 1 | # The port 443 is the default ssl port, 2 | # if you want to create ssl keys for all https server from scratch, 3 | # you need to enable this configuration for making a default https server 4 | # to make sure the nginx can be started successfully 5 | # https://itecnotes.com/server/nginx-disable-ssl-on-an-nginx-server-block-listening-on-port-443/#related-embeded 6 | server { 7 | listen 443 ssl default_server; 8 | listen [::]:443 ssl default_server; 9 | server_name _; 10 | 11 | ssl_certificate /etc/nginx/ssl/default_https_ssl.crt; 12 | ssl_certificate_key /etc/nginx/ssl/default_https_ssl.key; 13 | 14 | return 404; 15 | } 16 | -------------------------------------------------------------------------------- /examples/vhost.d/00_default.conf: -------------------------------------------------------------------------------- 1 | # http://nginx.org/en/docs/http/server_names.html 2 | # https://community.letsencrypt.org/t/ocsp-stapling-nginx-server/30865/8#post_9 3 | resolver 8.8.8.8 valid=300s; 4 | resolver_timeout 5s; 5 | 6 | # Websocket support 7 | proxy_http_version 1.1; 8 | proxy_set_header Upgrade $http_upgrade; 9 | proxy_set_header Connection "upgrade"; 10 | 11 | # Force to change the redirect url's 
scheme to https 12 | proxy_redirect http:// $scheme://; 13 | proxy_redirect / /; 14 | 15 | # Intercept proxy errors (e.g. 404, 500, etc.) and redirected them to nginx 16 | ## http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_intercept_errors 17 | #proxy_intercept_errors on; 18 | -------------------------------------------------------------------------------- /config/error-pages/404/00_index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 404 - Page Not Found 6 | 7 | 8 |

404 Page Not Found

nginx.com
11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /config/error-pages/40x/00_index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {{status}} - {{status_msg}} 6 | 7 | 8 |

{{status}} {{status_msg}}

nginx.com
11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /config/error-pages/50x/00_index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {{status}} - {{status_msg}} 6 | 7 | 8 |

{{status}} {{status_msg}}

nginx.com
11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /config/error-pages/all/00_index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {{status}} - {{status_msg}} 6 | 7 | 8 |

{{status}} {{status_msg}}

nginx.com
11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /config/10_default.conf: -------------------------------------------------------------------------------- 1 | server { 2 | listen 80 default_server; 3 | listen [::]:80 default_server; 4 | server_name _; 5 | 6 | # https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion/blob/master/app/nginx_location.conf 7 | location ^~ /.well-known/acme-challenge/ { 8 | allow all; 9 | 10 | # NOTE: The '/' must be put at the end. 11 | ## https://www.leavesongs.com/PENETRATION/nginx-insecure-configuration.html#_1 12 | alias /etc/letsencrypt/.well-known/acme-challenge/; 13 | try_files $uri =404; 14 | 15 | break; 16 | } 17 | 18 | # Health checking for k8s pod 19 | ## https://github.com/robszumski/k8s-service-proxy/blob/master/nginx.conf 20 | location /health { 21 | access_log off; 22 | add_header Content-Type text/plain; 23 | 24 | return 200; 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /config/00_log.conf: -------------------------------------------------------------------------------- 1 | # Rotate access log with the variable '$logdate' like 'access_log /var/log/nginx/access$logdate.log main;'. 
2 | # But it's not possible to embed variables in error_log directives: 3 | ## https://github.com/fcambus/nginx-resources/issues/12 4 | ## https://www.cambus.net/log-rotation-directly-within-nginx-configuration-file/ 5 | map $time_iso8601 $logdate { 6 | default ''; 7 | '~^(?<year>\d{4})-(?<month>\d{2})-(?<day>\d{2})' _$year-$month-$day; 8 | } 9 | 10 | # http://nginx.org/en/docs/http/ngx_http_log_module.html 11 | log_format main '$remote_addr - $remote_user [$time_local]' 12 | ' "$request"' 13 | ' $upstream_cache_status $status' 14 | ' $body_bytes_sent $request_time' 15 | ' "$http_referer" "$http_user_agent"' 16 | ' "$http_x_forwarded_for"'; 17 | 18 | error_log /var/log/nginx/error.log debug; 19 | access_log /var/log/nginx/access$logdate.log main; 20 | -------------------------------------------------------------------------------- /config/00_log_with_geoip.conf: -------------------------------------------------------------------------------- 1 | # Rotate access log with the variable '$logdate' like 'access_log /var/log/nginx/access$logdate.log main;'. 
2 | # But it's not possible to embed variables in error_log directives: 3 | ## https://github.com/fcambus/nginx-resources/issues/12 4 | ## https://www.cambus.net/log-rotation-directly-within-nginx-configuration-file/ 5 | map $time_iso8601 $logdate { 6 | default ''; 7 | '~^(?<year>\d{4})-(?<month>\d{2})-(?<day>\d{2})' _$year-$month-$day; 8 | } 9 | 10 | # http://nginx.org/en/docs/http/ngx_http_log_module.html 11 | log_format main '$remote_addr - $remote_user [$time_local]' 12 | ' "$request"' 13 | ' $upstream_cache_status $status' 14 | ' $body_bytes_sent $request_time' 15 | ' "$http_referer" "$http_user_agent"' 16 | ' "$http_x_forwarded_for"' 17 | ' "$http_x_geoip_data"'; 18 | 19 | error_log /var/log/nginx/error.log debug; 20 | access_log /var/log/nginx/access$logdate.log main; 21 | -------------------------------------------------------------------------------- /config/error-pages/01_unified.conf: -------------------------------------------------------------------------------- 1 | ## 2 | # Randomly choose one of the *.html files (e.g. 00_xx.html) as the error page; 3 | # any of the files may be shown for any of the errors. 4 | # 5 | # All error pages (*.html) will be picked from /etc/nginx/epage.d/, 6 | # the files in its child directories are ignored. 7 | ## 8 | 9 | # Omit the `[=[response]]` syntax to keep the error response code for clients. 10 | ## http://nginx.org/en/docs/http/ngx_http_core_module.html#error_page 11 | error_page 404 400 401 403 500 502 503 504 /_/; 12 | 13 | location /_/ { 14 | internal; 15 | random_index on; 16 | 17 | # http://nginx.org/en/docs/http/ngx_http_core_module.html#alias 18 | # https://stackoverflow.com/questions/10631933/nginx-static-file-serving-confusion-with-root-alias#answer-10647080 19 | alias /etc/nginx/epage.d/all/; 20 | 21 | # Replace the placeholders in the response content 22 | # to show the corresponding status and message. 
23 | sub_filter '{{status}}' '$status'; 24 | sub_filter '{{status_msg}}' '$status_msg'; 25 | sub_filter_once off; 26 | } 27 | -------------------------------------------------------------------------------- /config/02_proxy.conf: -------------------------------------------------------------------------------- 1 | proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=cache_zone:50m inactive=1d max_size=200m; 2 | proxy_cache cache_zone; 3 | proxy_cache_key $host$uri$is_args$args; 4 | proxy_cache_valid 200 304 1h; 5 | 6 | # https://github.com/jwilder/nginx-proxy/issues/130#issuecomment-88962969 7 | ## Take the client IP from X-Forwarded-For only when the connection comes from the trusted 172.17.0.0/16 range 8 | real_ip_header X-Forwarded-For; 9 | set_real_ip_from 172.17.0.0/16; 10 | 11 | # http://nginx.org/en/docs/http/ngx_http_proxy_module.html 12 | proxy_set_header Host $host; 13 | proxy_set_header X-Real-IP $remote_addr; 14 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 15 | proxy_set_header X-Forwarded-Proto $scheme; 16 | proxy_set_header X-Forwarded-Ssl on; 17 | 18 | # Mitigate the httpoxy attack: never pass a client-supplied Proxy header upstream 19 | proxy_set_header Proxy ""; 20 | proxy_connect_timeout 120; 21 | proxy_send_timeout 120; 22 | proxy_read_timeout 120; 23 | proxy_buffer_size 4k; 24 | proxy_buffers 4 256k; 25 | proxy_busy_buffers_size 512k; 26 | proxy_temp_file_write_size 512k; 27 | 28 | # Expose the upstream cache status in a response header for cache checks 29 | ## http://www.361way.com/nginx-cache/2665.html 30 | add_header Nginx-Cache $upstream_cache_status; 31 | -------------------------------------------------------------------------------- /bin/watch-config: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | . 
/usr/bin/nginx-utils.sh 4 | 5 | while [[ -n "$1" ]]; do 6 | case "$1" in 7 | --) 8 | shift 9 | CMD="$@" 10 | break 11 | ;; 12 | esac 13 | shift 14 | done 15 | 16 | if [ "x$CMD" = "x" ]; then 17 | echo "Usage: $0 -- " 18 | exit 0 19 | fi 20 | 21 | 22 | CHECK_REF_FILE="/tmp/watch-config-check.ref" 23 | touch "${CHECK_REF_FILE}" 24 | 25 | update_ref() { 26 | local timestamp="$(date +%Y%m%d%H%M.%S)" 27 | 28 | touch "${CHECK_REF_FILE}" -t ${timestamp} 29 | } 30 | 31 | has_modified_anyof() { 32 | local result="false" 33 | 34 | while [[ -n "$1" ]]; do 35 | if [[ ! -e "${CHECK_REF_FILE}" || "x$(find "$1" -newer "${CHECK_REF_FILE}" 2>/dev/null)" != "x" ]]; then 36 | result="true" 37 | break 38 | fi 39 | shift 40 | done 41 | 42 | [[ "$result" = "true" ]] 43 | } 44 | 45 | run_cmd() { 46 | local cmd="$1" 47 | 48 | eval "${cmd}" 49 | update_ref 50 | } 51 | 52 | 53 | target_dirs=( 54 | $(get_include_files_from /etc/nginx/nginx.conf | sed -E 's|/[^/]+$||g; /^\/etc\/nginx$/d;' | uniq) 55 | ) 56 | while true; do 57 | sleep 10s 58 | 59 | if has_modified_anyof "${target_dirs[@]}"; then 60 | run_cmd "${CMD}" 61 | fi 62 | done 63 | -------------------------------------------------------------------------------- /examples/vhost.d/wiki.example.com.conf: -------------------------------------------------------------------------------- 1 | ## 2 | # Mediawiki service proxy settings, and enable user authentication 3 | ## 4 | 5 | server { 6 | listen 443 ssl; 7 | listen [::]:443 ssl; 8 | 9 | server_name wiki.example.com; 10 | 11 | include /etc/nginx/vhost.d/wiki.example.com/*.conf; 12 | 13 | client_max_body_size 100M; 14 | 15 | location / { 16 | # http://docs.openhab.org/installation/security.html#nginx-auth-users 17 | satisfy any; 18 | deny all; 19 | auth_basic "Username and Password Required"; 20 | # Debian: apt-get install apache2-utils 21 | # CentOS: yum install httpd-tools 22 | # Create first account: htpasswd -c .htpasswd 23 | # Add new account: htpasswd .htpasswd 24 | # Remove existing 
account: htpasswd -D .htpasswd 25 | auth_basic_user_file /etc/nginx/vhost.d/wiki.example.com/.htpasswd; 26 | 27 | # Authentication with OpenID 28 | #set $oidc_realm ""; 29 | #set $oidc_client_id ""; 30 | #set $oidc_ip_whitelist "10.10.0.1, 10.10.0.2"; 31 | #access_by_lua_file /etc/nginx/vhost.d/oidc.lua; 32 | 33 | # Avoid to get address resolve error when starting 34 | set $target http://:; 35 | proxy_pass $target; 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /config/error-pages/01_default.conf: -------------------------------------------------------------------------------- 1 | ## 2 | # Randomly choose the *.html (e.g. 00_xx.html) to be used as error page. 3 | # If the target directory only contains a single HTML file, 4 | # this file will be always the unique error page (A fixed error page). 5 | # 6 | # The error page (*.html) will be picked from the child directories of /etc/nginx/epage.d/ 7 | # e.g. /404/, /40x/, /50x/. 8 | ## 9 | 10 | # Obmit the `[=[response]]` syntax to keep the error response code for clients. 11 | ## http://nginx.org/en/docs/http/ngx_http_core_module.html#error_page 12 | error_page 404 /404/; 13 | error_page 400 401 403 /40x/; 14 | error_page 500 502 503 504 /50x/; 15 | 16 | location /404/ { 17 | internal; 18 | random_index on; 19 | 20 | root /etc/nginx/epage.d; 21 | } 22 | 23 | location /40x/ { 24 | internal; 25 | random_index on; 26 | 27 | root /etc/nginx/epage.d; 28 | 29 | # Replace the placeholders in response content 30 | # for showing the corresponding status and message. 31 | sub_filter '{{status}}' '$status'; 32 | sub_filter '{{status_msg}}' '$status_msg'; 33 | sub_filter_once off; 34 | } 35 | 36 | location /50x/ { 37 | internal; 38 | random_index on; 39 | 40 | root /etc/nginx/epage.d; 41 | 42 | # Replace the placeholders in response content 43 | # for showing the corresponding status and message. 
44 | sub_filter '{{status}}' '$status'; 45 | sub_filter '{{status_msg}}' '$status_msg'; 46 | sub_filter_once off; 47 | } 48 | -------------------------------------------------------------------------------- /run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" 4 | . "${DIR}/config.sh" 5 | 6 | 7 | DCR_NAME=nginx-gateway 8 | DCR_IMAGE="${IMAGE_NAME}:${IMAGE_VERSION}" 9 | 10 | DCR_VOLUME=/var/lib/nginx-gateway 11 | 12 | DEBUG=false 13 | ULIMIT=655360 14 | ENABLE_CUSTOM_ERROR_PAGE=true 15 | CERT_EMAIL=nobody@example.com 16 | 17 | #ulimit -n ${ULIMIT} 18 | docker rm -f ${DCR_NAME} 19 | rm -f "${DCR_VOLUME}/letsencrypt/.lck" 20 | 21 | # http://serverfault.com/questions/786389/nginx-docker-container-cannot-see-client-ip-when-using-iptables-false-option#answer-788088 22 | docker run -d --name ${DCR_NAME} \ 23 | --restart always \ 24 | --network host \ 25 | --ulimit nofile=${ULIMIT} \ 26 | -p 443:443 -p 80:80 \ 27 | -e DEBUG=${DEBUG} \ 28 | -e CERT_EMAIL=${CERT_EMAIL} \ 29 | -e ENABLE_CUSTOM_ERROR_PAGE=${ENABLE_CUSTOM_ERROR_PAGE} \ 30 | -e DISABLE_CERTBOT=false \ 31 | -e DISABLE_GIXY=false \ 32 | -v /usr/share/zoneinfo:/usr/share/zoneinfo:ro \ 33 | -v /etc/localtime:/etc/localtime:ro \ 34 | -v ${DCR_VOLUME}/logs:/var/log/nginx/sites \ 35 | -v ${DCR_VOLUME}/letsencrypt:/etc/letsencrypt \ 36 | -v ${DCR_VOLUME}/vhost.d:/etc/nginx/vhost.d \ 37 | -v ${DCR_VOLUME}/stream.d:/etc/nginx/stream.d \ 38 | -v ${DCR_VOLUME}/epage.d:/etc/nginx/epage.d \ 39 | ${DCR_IMAGE} 40 | -------------------------------------------------------------------------------- /config/nginx.conf: -------------------------------------------------------------------------------- 1 | user nginx; 2 | # https://www.oschina.net/translate/nginx-tutorial-performance 3 | worker_processes auto; 4 | worker_rlimit_nofile 655360; 5 | 6 | pid /var/run/nginx.pid; 7 | error_log /var/log/nginx/error.log debug; 8 | 
9 | events { 10 | use epoll; 11 | worker_connections 65536; 12 | multi_accept on; 13 | } 14 | 15 | http { 16 | sendfile on; 17 | tcp_nopush on; 18 | # sets TCP_NODELAY flag, used on keep-alive connections 19 | tcp_nodelay on; 20 | keepalive_timeout 60; 21 | keepalive_requests 100000; 22 | reset_timedout_connection on; 23 | types_hash_max_size 2048; 24 | client_body_timeout 12; 25 | client_header_timeout 12; 26 | send_timeout 10; 27 | server_tokens off; 28 | 29 | # For chunked cookie: https://github.com/pingidentity/lua-resty-openidc/issues/33 30 | client_body_buffer_size 16k; 31 | client_header_buffer_size 1k; 32 | large_client_header_buffers 4 16k; 33 | client_max_body_size 10M; 34 | #server_names_hash_bucket_size 64; 35 | #server_name_in_redirect off; 36 | 37 | include /etc/nginx/mime.types; 38 | default_type application/octet-stream; 39 | 40 | gzip on; 41 | gzip_disable "MSIE [1-6]."; 42 | gzip_vary on; 43 | gzip_proxied any; 44 | gzip_comp_level 6; 45 | gzip_buffers 16 8k; 46 | gzip_min_length 100; 47 | gzip_http_version 1.1; 48 | gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; 49 | 50 | # Lua modules 51 | lua_package_path '/usr/local/share/lua/5.1/?.lua;;'; 52 | 53 | include /etc/nginx/conf.d/*.conf; 54 | include /etc/nginx/vhost.d/*.conf; 55 | } 56 | 57 | stream { 58 | include /etc/nginx/vstream.d/*.conf; 59 | include /etc/nginx/stream.d/*.conf; 60 | } 61 | -------------------------------------------------------------------------------- /config/01_ssl.conf: -------------------------------------------------------------------------------- 1 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/ 2 | 3 | # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate 4 | #ssl_certificate /etc/letsencrypt/live/example.com/signed_cert_plus_intermediates; 5 | #ssl_certificate_key /etc/letsencrypt/live/example.com/private_key; 6 | # Improve HTTPS 
performance with session resumption 7 | ssl_session_cache shared:SSL:10m; 8 | ssl_session_timeout 5m; 9 | ssl_session_tickets off; 10 | 11 | # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits 12 | ## openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048 13 | ssl_dhparam /etc/nginx/ssl/dhparam.pem; 14 | 15 | # intermediate configuration (note: it still offers TLSv1/TLSv1.1 and the DES-CBC3 suites for legacy clients); tweak to your needs. 16 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 17 | ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; 18 | ssl_prefer_server_ciphers on; 19 | 20 | # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) 21 | add_header Strict-Transport-Security max-age=15768000; 22 | 23 | # OCSP Stapling --- 24 | # fetch OCSP records from URL in ssl_certificate and cache them 25 | #ssl_stapling on; 26 | #ssl_stapling_verify on; 27 | 28 | ## verify chain of trust of OCSP response using Root CA and Intermediate certs 29 | ### NOTE: ssl_certificate module already includes intermediates 30 | #### http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling 31 | #ssl_trusted_certificate /etc/letsencrypt/live/example.com/root_CA_cert_plus_intermediates; 32 | -------------------------------------------------------------------------------- /config/03_geoip2.conf: -------------------------------------------------------------------------------- 1 | # 
http://www.treselle.com/blog/nginx-with-geoip2-maxmind-database-to-fetch-user-geo-location-data/#Configuring_Nginx_with_MaxMind_Databases 2 | # https://dev.maxmind.com/geoip/geoip2/geolite2/ 3 | # https://dev.maxmind.com/geoip/geoip2/whats-new-in-geoip2/#Web_Service_Example 4 | geoip2 /etc/nginx/geoip2/GeoLite2-Country.mmdb { 5 | $geoip_country_code source=$remote_addr country iso_code; 6 | $geoip_country_name country names en; 7 | } 8 | 9 | geoip2 /etc/nginx/geoip2/GeoLite2-City.mmdb { 10 | $geoip_state_name subdivisions 0 names en; 11 | $geoip_state_code subdivisions 0 iso_code; 12 | $geoip_city_name city names en; 13 | $geoip_postal_code postal code; 14 | $geoip_latitude location latitude; 15 | $geoip_longitude location longitude; 16 | } 17 | 18 | access_by_lua_block { 19 | -- https://github.com/dauer/geohash/blob/master/lua/lib/geohash.lua 20 | -- Access http://geohash.org/{geohash} to watch the location 21 | local geohash = "-" 22 | local geodata = "-" 23 | 24 | if ngx.var.geoip_latitude and ngx.var.geoip_longitude then 25 | local GeoHash = require("geohash") 26 | GeoHash.precision(6) 27 | 28 | -- "Ave, New York, NY, United States, US (40.746482,-74.01508; dr5rg9xv7wu0)" 29 | geohash = GeoHash.encode(tonumber(ngx.var.geoip_latitude), tonumber(ngx.var.geoip_longitude)) 30 | geodata = string.format("%s, %s, %s, %s, %s (%s,%s; %s)", 31 | ngx.var.geoip_city_name ? ngx.var.geoip_city_name : "-", 32 | ngx.var.geoip_state_name ? ngx.var.geoip_state_name : "-", 33 | ngx.var.geoip_state_code ? ngx.var.geoip_state_code : "-", 34 | ngx.var.geoip_country_name ? ngx.var.geoip_country_name : "-", 35 | ngx.var.geoip_country_code ? ngx.var.geoip_country_code : "-", 36 | ngx.var.geoip_latitude, 37 | ngx.var.geoip_longitude, 38 | geohash) 39 | end 40 | 41 | ngx.req.set_header("X-GeoIP-GeoHash", geohash) 42 | ngx.req.set_header("X-GeoIP-Data", geodata) 43 | 44 | -- ngx.log(ngx.DEBUG, ngx.var.http_x_geoip_geohash.." 
- "..ngx.var.http_x_geoip_data) 45 | } 46 | -------------------------------------------------------------------------------- /examples/vhost.d/static.example.com.conf: -------------------------------------------------------------------------------- 1 | ## 2 | # Remote static file proxy settings, with support for forwarding the target through the squid proxy 3 | # 4 | # Proxies: 5 | # - https://static.example.com/*/http://others.com/asset.js -> http://others.com/asset.js 6 | ## 7 | 8 | server { 9 | listen 443 ssl; 10 | listen [::]:443 ssl; 11 | 12 | server_name static.example.com; 13 | 14 | include /etc/nginx/vhost.d/static.example.com/*.conf; 15 | 16 | # https://static.example.com/*/http://others.com/asset.js -> http://others.com/asset.js 17 | ## https://www.mediasuite.co.nz/blog/proxying-s3-downloads-nginx/ 18 | location ~* ^/\*/(http[s]?):?/(.*?)/(.*)$ { 19 | # Note: this location has no 'internal;' directive, so it accepts external requests; 20 | # adding 'internal;' would make external requests return 404. 21 | # See http://nginx.org/en/docs/http/ngx_http_core_module.html#internal 22 | set $backend_protocol $1; 23 | set $backend_host $2; 24 | set $backend_path $3; 25 | set $backend_uri $backend_host/$backend_path$is_args$args; 26 | set $backend_url $backend_protocol://$backend_uri; 27 | 28 | # Headers for the remote server; unset Authorization and Cookie so the client's credentials are not forwarded. 
29 | proxy_set_header Host $backend_host; 30 | proxy_set_header Authorization ''; 31 | proxy_set_header Cookie ''; 32 | 33 | # Stops the local disk from being written to (just forwards data through) 34 | proxy_max_temp_file_size 0; 35 | 36 | # Forward the target to the squid proxy 37 | ## https://serverfault.com/questions/583743/how-to-make-an-existing-caching-nginx-proxy-use-another-proxy-to-bypass-a-firewa#683955 38 | ## Hide the response headers that would reveal the backend proxy 39 | ### http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header 40 | proxy_hide_header Via; 41 | proxy_hide_header X-Cache; 42 | proxy_hide_header X-Cache-Hits; 43 | proxy_hide_header X-Cache-Lookup; 44 | proxy_hide_header X-Fastly-Request-ID; 45 | proxy_hide_header X-Served-By; 46 | proxy_hide_header X-Timer; 47 | rewrite ^(.*)$ "://$backend_uri" break; 48 | rewrite ^(.*)$ "$backend_protocol$1" break; 49 | proxy_pass http://:3128; 50 | 51 | # Proxy to the target directly 52 | #proxy_pass $backend_url; 53 | 54 | proxy_intercept_errors on; 55 | error_page 301 302 307 = @handle_backend_redirect; 56 | } 57 | 58 | # Nginx Embedded Variables: http://nginx.org/en/docs/varindex.html 59 | location @handle_backend_redirect { 60 | return 302 $scheme://$host/*/$upstream_http_location; 61 | } 62 | } 63 | -------------------------------------------------------------------------------- /bin/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | . 
/usr/bin/nginx-utils.sh 4 | 5 | ERROR_PAGES=${EPAGED} 6 | if [[ "$(ls -A "${ERROR_PAGES}" 2>/dev/null)" = "" || "${ENABLE_CUSTOM_ERROR_PAGE}" = "force" ]]; then 7 | cp -r ${DEFAULT_ERROR_PAGES}/* ${ERROR_PAGES} 8 | rm -rf ${ERROR_PAGES}/*.conf 9 | fi 10 | case ${ENABLE_CUSTOM_ERROR_PAGE} in 11 | false) 12 | rm -rf ${ERROR_PAGES}/01_default.conf 13 | ;; 14 | unified) 15 | cat ${DEFAULT_ERROR_PAGES}/01_unified.conf > ${ERROR_PAGES}/01_default.conf 16 | ;; 17 | *) 18 | cat ${DEFAULT_ERROR_PAGES}/01_default.conf > ${ERROR_PAGES}/01_default.conf 19 | ;; 20 | esac 21 | 22 | 23 | rm -f "${CERT_DIR}/.lck" 24 | 25 | if [[ ! -d "/opt/acme.sh" && "${DISABLE_CERTBOT}" != "true" ]]; then 26 | pushd /opt/acme.sh-src 27 | # https://github.com/acmesh-official/acme.sh 28 | bash ./acme.sh \ 29 | --install \ 30 | --home /opt/acme.sh \ 31 | --config-home "${CERT_DIR}/config" \ 32 | --cert-home "${CERT_DIR}/certs" \ 33 | --nocron \ 34 | --log \ 35 | --debug 2>/dev/null \ 36 | && ln -sf /opt/acme.sh/acme.sh /usr/bin/acme.sh \ 37 | && chmod +x /opt/acme.sh/acme.sh /usr/bin/acme.sh 38 | popd 39 | fi 40 | 41 | if [[ "${DISABLE_CERTBOT}" = "true" || "${CERT_CHALLENGE_TYPE}" != "alpn" ]]; then 42 | rm -f /etc/nginx/vstream.d/10_stream_acme.conf 43 | fi 44 | if [[ "${DISABLE_DEFAULT_HTTPS_SERVER}" = "true" ]]; then 45 | rm -f /etc/nginx/conf.d/10_default_https.conf 46 | fi 47 | if [[ "${DISABLE_CERTBOT}" = "true" || "${CERT_CHALLENGE_TYPE}" = "dns" ]]; then 48 | # Cancel automically updating 49 | rm -f /var/spool/cron/crontabs/root 50 | else 51 | crond -c /var/spool/cron/crontabs -b -L /var/log/cron/cron.log 52 | fi 53 | 54 | 55 | # https://github.com/yandex/gixy#usage 56 | if [[ "${DISABLE_GIXY}" != "true" && -e /usr/bin/gixy ]]; then 57 | # Note: Gixy will search all `include` directives 58 | /usr/bin/gixy /etc/nginx/nginx.conf 59 | fi 60 | 61 | # just check if the certification file exist 62 | /usr/bin/build-certs true true 63 | # create missing log 64 | check_log_files_for 
/etc/nginx/nginx.conf 65 | # and remove invaild ssl listen 66 | if [[ "${DISABLE_CERTBOT}" = "true" ]]; then 67 | update_server_ssl_for /etc/nginx/nginx.conf 68 | fi 69 | 70 | 71 | export -f update_host_config_for 72 | CERT_BUILD_CMD="update_host_config_for /etc/nginx/nginx.conf; /usr/sbin/nginx -s reload" 73 | 74 | if [[ "${CERT_CHALLENGE_TYPE}" = "dns" ]]; then 75 | echo "The cert challenge type is set to DNS, you should run the script /usr/bin/build-certs interactively" 76 | else 77 | CERT_BUILD_CMD="/usr/bin/build-certs ${DISABLE_CERTBOT} >> '${CERT_DIR}/build.log' 2>&1; ${CERT_BUILD_CMD}" 78 | fi 79 | /usr/bin/watch-config -- "${CERT_BUILD_CMD}" & 80 | 81 | 82 | NGINX=nginx 83 | if [[ "${DEBUG}" = "true" ]]; then 84 | NGINX=nginx-debug 85 | fi 86 | 87 | chown -R nginx /var/log/nginx 88 | 89 | eval "${NGINX} -g \"daemon off;\"" 90 | -------------------------------------------------------------------------------- /config/00_vars.conf: -------------------------------------------------------------------------------- 1 | # https://gist.github.com/tmthrgd/3504859568e1dba9ee80e260f974a708 2 | map $status $status_msg { 3 | default "An error occured"; 4 | 100 Continue; 5 | 101 "Switching Protocols"; 6 | 102 Processing; # WebDAV; RFC 2518 7 | 200 OK; 8 | 201 Created; 9 | 202 Accepted; 10 | 203 "Non-Authoritative Information"; 11 | 204 "No Content"; 12 | 205 "Reset Content"; 13 | 206 "Partial Content"; 14 | 207 Multi-Status; # WebDAV; RFC 4918 15 | 208 "Already Reported"; # WebDAV; RFC 5842 16 | 226 "IM Used"; # RFC 3229 17 | 300 "Multiple Choices"; 18 | 301 "Moved Permanently"; 19 | 302 Found; 20 | 303 "See Other"; 21 | 304 "Not Modified"; 22 | 305 "Use Proxy"; 23 | 306 "Switch Proxy"; 24 | 307 "Temporary Redirect"; 25 | 308 "Permanent Redirect"; # RFC 7538 26 | 400 "Bad Request"; 27 | 401 Unauthorized; 28 | 402 "Payment Required"; 29 | 403 Forbidden; 30 | 404 "Not Found"; 31 | 405 "Method Not Allowed"; 32 | 406 "Not Acceptable"; 33 | 407 "Proxy Authentication 
Required"; 34 | 408 "Request Timeout"; 35 | 409 Conflict; 36 | 410 Gone; 37 | 411 "Length Required"; 38 | 412 "Precondition Failed"; 39 | 413 "Request Entity Too Large"; 40 | 414 "Request-URI Too Long"; 41 | 415 "Unsupported Media Type"; 42 | 416 "Requested Range Not Satisfiable"; 43 | 417 "Expectation Failed"; 44 | 418 "I'm a teapot"; # RFC 2324 45 | 419 "Authentication Timeout"; # not in RFC 2616 46 | # 420 "Method Failure"; # Spring Framework 47 | 420 "Enhance Your Calm"; # Twitter 48 | 422 "Unprocessable Entity"; # WebDAV; RFC 4918 49 | 423 Locked; # WebDAV; RFC 4918 50 | 424 "Failed Dependency"; # WebDAV; RFC 4918 51 | 426 "Upgrade Required"; 52 | 428 "Precondition Required"; # RFC 6585 53 | 429 "Too Many Requests"; # RFC 6585 54 | 431 "Request Header Fields Too Large"; # RFC 6585 55 | 440 "Login Timeout"; # Microsoft 56 | 444 "No Response"; # Nginx 57 | 449 "Retry With"; # Microsoft 58 | 450 "Blocked by Windows Parental Controls"; # Microsoft 59 | 451 "Unavailable For Legal Reasons"; # Internet draft 60 | # 451 Redirect; # Microsoft 61 | 494 "Request Header Too Large"; # Nginx 62 | 495 "Cert Error"; # Nginx 63 | 496 "No Cert"; # Nginx 64 | 497 "HTTP to HTTPS"; # Nginx 65 | 498 "Token expired/invalid"; # Esri 66 | 499 "Client Closed Request"; # Nginx 67 | # 499 "Token required"; # Esri 68 | 500 "Internal Server Error"; 69 | 501 "Not Implemented"; 70 | 502 "Bad Gateway"; 71 | 503 "Service Unavailable"; 72 | 504 "Gateway Timeout"; 73 | 505 "HTTP Version Not Supported"; 74 | 506 "Variant Also Negotiates"; # RFC 2295 75 | 507 "Insufficient Storage"; # WebDAV; RFC 4918 76 | 508 "Loop Detected"; # WebDAV; RFC 5842 77 | 509 "Bandwidth Limit Exceeded"; # Apache bw/limited extension 78 | 510 "Not Extended"; # RFC 2774 79 | 511 "Network Authentication Required"; # RFC 6585 80 | 598 "Network read timeout error"; # Unknown 81 | 599 "Network connect timeout error"; # Unknown 82 | } 83 | -------------------------------------------------------------------------------- 
/bin/nginx-utils.awk: -------------------------------------------------------------------------------- 1 | BEGIN { 2 | cmd = "cat '" source_file "'" 3 | 4 | content_lines_index = 0 5 | current_block_index = 0 6 | while ( ( cmd | getline ) > 0 ) { 7 | line = $0 8 | 9 | content_lines_index += 1 10 | content_lines[content_lines_index] = line 11 | 12 | if ( match(line, /^[^#]+\{/) ) { 13 | current_block_index += 1 14 | } 15 | else if ( match(line, /^[[:space:]]*\}/) ) { 16 | current_block_index += 1 17 | } 18 | # listen 443 ssl; 19 | # listen [::]:443 ssl; 20 | else if ( match(line, /^[[:space:]]*listen[[:space:]]+.+;/) ) { 21 | listen_directive_block_indexes[content_lines_index] = current_block_index 22 | } 23 | else if ( match(line, /^[[:space:]]*include[[:space:]]+.+;/) ) { 24 | include_file = line 25 | # include /etc/nginx/vhost.d//*.conf; 26 | gsub(/^[[:space:]]*include[[:space:]]+|[[:space:]]*;.*$/, " ", include_file) 27 | 28 | file = include_files_in_block[current_block_index] 29 | if ( file ) { 30 | include_files_in_block[current_block_index] = file " " include_file 31 | } else { 32 | include_files_in_block[current_block_index] = include_file 33 | } 34 | } 35 | } 36 | close(cmd) 37 | 38 | for ( i = 1; i <= content_lines_index; i++ ) { 39 | line = content_lines[i] 40 | listen_directive_block_index = listen_directive_block_indexes[i] 41 | 42 | if ( ! ( listen_directive_block_index > 0 ) ) { 43 | print line 44 | continue 45 | } 46 | 47 | listen_directive = line 48 | # listen 443 ssl; # ssl enabled 49 | if ( ! match(listen_directive, /[[:space:]]+ssl.*;|;[[:space:]]+#[[:space:]]+ssl enabled/) ) { 50 | print listen_directive 51 | continue 52 | } 53 | 54 | include_files = include_files_in_block[listen_directive_block_index] 55 | 56 | is_ssl_exists = ssl_listen_enable_blocks[listen_directive_block_index] == "true" 57 | if ( ! 
is_ssl_exists && include_files ) { 58 | # The function 'is_server_ssl_existing_in' is defined in /usr/bin/nginx-utils.sh 59 | ## https://unix.stackexchange.com/questions/72935/using-bash-shell-function-inside-awk#answer-417232 60 | cmd = "bash -c 'is_server_ssl_existing_in " include_files "'" 61 | cmd | getline ssl_exists_checking 62 | close(cmd) 63 | 64 | if ( ssl_exists_checking == "true" ) { 65 | is_ssl_exists = 1 == 1 66 | } 67 | } 68 | 69 | if ( is_ssl_exists ) { 70 | ssl_listen_enable_blocks[listen_directive_block_index] = "true" 71 | 72 | if ( ! match(listen_directive, /[[:space:]]+ssl.*;/) ) { 73 | gsub(/[[:space:]]*;/, " ssl;", listen_directive) 74 | } 75 | } else { 76 | if ( match(listen_directive, /[[:space:]]+ssl.*;/) ) { 77 | gsub(/[[:space:]]+ssl/, "", listen_directive) 78 | } 79 | } 80 | gsub(/;.*/, "; # ssl enabled", listen_directive) 81 | 82 | print listen_directive 83 | } 84 | } 85 | -------------------------------------------------------------------------------- /examples/epage.d/all/13_Clock.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | {{status}} - {{status_msg}} 8 | 47 | 48 | 49 |
50 |

{{status}} {{status_msg}}

51 | 56 |
57 | 58 | 59 | 115 | 116 | -------------------------------------------------------------------------------- /examples/epage.d/all/11_Matrix_Rain.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | {{status}} - {{status_msg}} 8 | 61 | 62 | 63 |
64 |

An error has occurred: {{status}} {{status_msg}}

65 |

66 | Boy: Do not try and bend the website. That's impossible. Instead... only try to realize the truth. 67 |
68 | Neo: What truth? 69 |
70 | Boy: Perhaps, the error cannot be fixed in a short time. 71 |
72 | Neo: Oh, No! 73 |
74 | Boy: Then you'll see, that it is not the website that bends, it is only yourself. 75 |

76 | 83 |
84 | 85 | 86 | 106 | 107 | -------------------------------------------------------------------------------- /bin/nginx-utils.sh: -------------------------------------------------------------------------------- 1 | get_include_files_from() { 2 | local source="$1" 3 | 4 | for file in $(sed -E '/^\s*include /!d; s/^\s*include\s+([^ ;]+)\s*;/\1/g;' "$source"); do 5 | ls -1 $file 2>/dev/null 6 | done | sort | uniq 7 | } 8 | 9 | get_include_files_deeply_from() { 10 | local source="$1" 11 | 12 | for file in $(get_include_files_from "$source"); do 13 | echo "$file" 14 | 15 | get_include_files_deeply_from "$file" 16 | done | sort | uniq 17 | } 18 | 19 | get_server_names_from() { 20 | local source="$1" 21 | 22 | if [[ -d "$source" ]]; then 23 | source_content="$(cat "$source"/*.conf)" 24 | else 25 | source_content="$(cat "$source")" 26 | fi 27 | # https://stackoverflow.com/questions/32400933/how-can-i-list-all-vhosts-in-nginx#answer-46230868 28 | echo "$source_content" \ 29 | | sed -r -e 's/[ \t]*$//' -e 's/^[ \t]*//' -e 's/^#.*$//' -e 's/[ \t]*#.*$//' -e '/^$/d' \ 30 | | sed -e ':a;N;$!ba;s/\([^;\{\}]\)\n/\1 /g' \ 31 | | grep -E 'server_name[ \t]' | grep -v '\$' | grep '\.' \ 32 | | sed -r -e 's/(\S)[ \t]+(\S)/\1\n\2/g' -e 's/[\t ]//g' -e 's/;//' -e 's/server_name//' \ 33 | | sed -e '/^$/d' -e 's/^\*\.//g' | sort | uniq 34 | } 35 | 36 | is_server_ssl_existing_in() { 37 | local ssl_files=( $( 38 | grep -Eh '^\s*(ssl_certificate|ssl_certificate_key|ssl_trusted_certificate)\s+/' "$@" \ 39 | | sed -E 's/^\s*(ssl_certificate|ssl_certificate_key|ssl_trusted_certificate)\s+([^ ;]+).*;/\2/g;' \ 40 | | sort | uniq 41 | ) ) 42 | 43 | if [[ "${#ssl_files[@]}" = "0" ]]; then 44 | return 45 | fi 46 | 47 | for file in "${ssl_files[@]}"; do 48 | if [[ ! 
-f "$file" ]]; then 49 | return 50 | fi 51 | done 52 | echo "true" 53 | } 54 | 55 | check_log_files_for() { 56 | local source="$1" 57 | 58 | echo "Check log files for '$source'" 59 | local files=( "$source" ) 60 | files+=( $(get_include_files_deeply_from "$source") ) 61 | 62 | for log in $(grep -Eh '^\s*(error_log|access_log)\s+/' "${files[@]}" \ 63 | | sed -E 's/^\s*(error_log|access_log)\s+([^ ;]+).*;/\2/g;' \ 64 | | sort | uniq); do 65 | if [[ -f "$log" ]]; then 66 | echo " - '$log' exists." 67 | continue 68 | fi 69 | 70 | local log_dir="$(dirname "$log")" 71 | if [[ "x$(echo "$log_dir" | grep '\$')" != "x" ]]; then 72 | echo " - '$log_dir' is ignored." 73 | continue 74 | fi 75 | 76 | mkdir -p "$log_dir" 77 | 78 | if [[ "x$(echo "$log" | grep '\$')" != "x" ]]; then 79 | echo " - '$log' is ignored." 80 | continue 81 | fi 82 | echo " - '$log' is creating..." 83 | touch "$log" && chown nginx "$log_dir" && chmod go-rwx "$log_dir" 84 | done 85 | } 86 | 87 | update_server_ssl_for() { 88 | local source="$1" 89 | 90 | # export bash function to awk scripts 91 | export -f is_server_ssl_existing_in 92 | 93 | echo "Check ssl configuration for '$source'" 94 | local files=( "$source" ) 95 | files+=( $(get_include_files_deeply_from "$source") ) 96 | 97 | for conf in $(grep -El '^\s*server\s+\{' "${files[@]}" | sort | uniq); do 98 | local updated_conf_content="$(awk -v source_file="$conf" -f /usr/bin/nginx-utils.awk)" 99 | 100 | if [[ "$(cat "$conf")" != "$updated_conf_content" ]]; then 101 | echo " - '$conf' is updating ..." 102 | echo "$updated_conf_content" > "$conf" 103 | else 104 | echo " - '$conf' is ignored." 
105 | fi 106 | done 107 | } 108 | 109 | update_host_config_for() { 110 | local source="$1" 111 | 112 | check_log_files_for "$source" 113 | update_server_ssl_for "$source" 114 | } 115 | -------------------------------------------------------------------------------- /examples/vhost.d/nexus3.example.com.conf: -------------------------------------------------------------------------------- 1 | ## 2 | # Nexus3 service proxy settings, and enable Single-Sign-On (SSO) 3 | # 4 | # Note: You need to install the [Nexus3 Keycloak Plugin](https://github.com/flytreeleft/nexus3-keycloak-plugin) first 5 | ## 6 | 7 | server { 8 | listen 443 ssl; 9 | listen [::]:443 ssl; 10 | 11 | server_name nexus3.example.com; 12 | 13 | include /etc/nginx/vhost.d/nexus3.example.com/*.conf; 14 | 15 | set $oidc_logout_path "/logout"; 16 | set $oidc_redirect_after_logout_uri "/"; 17 | 18 | location / { 19 | # Note: $http_host contains ip and port, but $host just contains ip only 20 | proxy_set_header Host $http_host; 21 | proxy_set_header X-Keycloak-Sec-Auth $http_x_remote_user:$http_x_remote_user_access_token; 22 | # proxy_set_header Authorization $http_authorization; 23 | # Note: make the HTTP header to be smaller 24 | proxy_hide_header X-Remote-User-Access-Token; 25 | 26 | set $oidc_disabled "false"; 27 | # Disable OIDC when using maven client 28 | if ($http_user_agent ~* "^(Apache-Maven|docker)/.+$") { 29 | set $oidc_disabled "true"; 30 | } 31 | # And disable OIDC when the header Authorization was specified 32 | if ($http_authorization !~* "^$") { 33 | set $oidc_disabled "true"; 34 | } 35 | 36 | set $oidc_realm ""; 37 | # Note: change the client id and secret to the actual value 38 | set $oidc_client_id ""; 39 | set $oidc_client_secret ""; 40 | set $oidc_discovery "http://:/auth/realms/$oidc_realm/.well-known/openid-configuration"; 41 | access_by_lua_file /etc/nginx/vhost.d/oidc.lua; 42 | 43 | client_max_body_size 500M; 44 | # Disable cache of assets 45 | proxy_cache off; 46 | proxy_read_timeout 
600; 47 | proxy_connect_timeout 600; 48 | 49 | # Avoid to get address resolve error when starting 50 | set $target http://:; 51 | proxy_pass $target; 52 | 53 | sub_filter '' ''; 54 | sub_filter_once on; 55 | 56 | # Just for debugging, you may not want it 57 | # header_filter_by_lua_block { 58 | # for key, value in pairs(ngx.resp.get_headers()) do 59 | # local val = type(value) == 'string' and {value} or value 60 | # for k, v in ipairs(val) do 61 | # for i=0, v:len(), 1024 do 62 | # ngx.log(ngx.DEBUG, 'Response Header: '..key..' -> '..v:sub(i + 1, i + 1024)) 63 | # end 64 | # end 65 | # end 66 | # for key, value in pairs(ngx.req.get_headers()) do 67 | # local val = type(value) == 'string' and {value} or value 68 | # for k, v in ipairs(val) do 69 | # for i=0, v:len(), 1024 do 70 | # ngx.log(ngx.DEBUG, 'Request Header: '..key..' -> '..v:sub(i + 1, i + 1024)) 71 | # end 72 | # end 73 | # end 74 | # } 75 | } 76 | 77 | # Override the logout action of Nexus 78 | location /service/rapture/session { 79 | if ($request_method ~* "^DELETE$") { 80 | # Redirect to the internal logout url 81 | return 302 $scheme://$http_host$oidc_logout_path; 82 | } 83 | # Login forbidden 84 | return 403; 85 | } 86 | } 87 | -------------------------------------------------------------------------------- /examples/epage.d/all/10_Newton_Cradle.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | {{status}} - {{status_msg}} 8 | 180 | 181 | 182 |
183 |

{{status}} {{status_msg}}

184 | 189 |
190 |
191 |
192 |
193 |
194 |
195 |
196 |
197 |
198 |
199 |
200 |
201 |
202 |
203 |
204 |
205 |
206 |
207 |
208 |
209 |
210 |
211 |
212 |
213 |
214 |
215 |
216 |
217 |
218 |
219 |
220 |
221 |
222 |
223 |
224 | 225 | 226 | -------------------------------------------------------------------------------- /bin/build-certs: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | SHOULD_NOT_RUN_CERTBOT="$1" 4 | DISABLE_DEBUG="$2" 5 | 6 | VHOSTS="${VHOSTD}" 7 | LOG="${NGINX_SITES_LOG}" 8 | # NOTE: All cluster nodes should share challenges 9 | LOCK="${CERT_DIR}/.lck" 10 | 11 | . /usr/bin/nginx-utils.sh 12 | 13 | 14 | # https://github.com/acmesh-official/acme.sh 15 | ACME_CMD="acme.sh --issue \ 16 | --config-home '${CERT_DIR}/config' \ 17 | --accountemail '${CERT_EMAIL}' \ 18 | -w '${CERT_DIR}' -k 4096" 19 | 20 | if [ "${CERT_STAGING}" = "true" ]; then 21 | ACME_CMD="${ACME_CMD} --staging" 22 | fi 23 | if [ "${CERT_CHALLENGE_TYPE}" = "alpn" ]; then 24 | ACME_CMD="${ACME_CMD} --alpn --tlsport 21443" 25 | fi 26 | if [ "${CERT_CHALLENGE_TYPE}" = "dns" ]; then 27 | ACME_CMD="${ACME_CMD} --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please" 28 | fi 29 | 30 | 31 | get_top_domains() { 32 | echo "$@" | sed -E 's/\s+/\n/g' | awk -F. '{ 33 | if ( length($3) == 0 ) { print $1"."$2 } 34 | else if ( length($4) == 0 ) { print $2"."$3 } 35 | else if ( length($5) == 0 ) { print $2"."$3"."$4 } 36 | else if ( length($6) == 0 ) { print $2"."$3"."$4"."$5 } 37 | }' 38 | } 39 | 40 | get_domain_conf() { 41 | local domain="$1" 42 | local domain_conf="${VHOSTS}/${domain}.conf" 43 | 44 | if [ ! -e "${domain_conf}" ]; then 45 | domain_conf="$(grep -rl -E "\binclude .*/${domain}/.+;" ${VHOSTS}/*.conf | head -n 1)" 46 | fi 47 | if [ ! 
-e "${domain_conf}" ]; then 48 | echo "" 49 | else 50 | echo "${domain_conf}" 51 | fi 52 | } 53 | 54 | is_matched_domain_list() { 55 | local domain="$1" 56 | local domains=( "$2" ) 57 | local top_domain=$(get_top_domains ${domain}) 58 | 59 | local matched="false" 60 | for d in "${domains[@]}"; do 61 | if [[ "${top_domain}" = "${d}" || "${domain}" = "${d}" ]]; then 62 | matched="true" 63 | break 64 | fi 65 | done 66 | 67 | [[ "${matched}" = "true" ]] 68 | } 69 | 70 | update_ssl_confs() { 71 | local domain="$1" 72 | local domain_conf="$2" 73 | local domain_cert_dir="$3" 74 | local domain_sub_dir="${VHOSTS}/${domain}" 75 | local domain_log_dir="${LOG}/${domain}" 76 | 77 | mkdir -p "${domain_sub_dir}" 78 | 79 | echo "Create ${domain_sub_dir}/01_ssl.conf ..." 80 | cat > "${domain_sub_dir}/01_ssl.conf" < "${domain_sub_dir}/02_log.conf" < "${domain_sub_dir}/03_epage.conf" </dev/null" 158 | if [[ "$?" != "0" ]]; then 159 | echo "Can not update certificate for ${domain}." 160 | return 161 | fi 162 | 163 | update_ssl_confs "${domain}" "${domain_conf}" "${domain_cert_dir}" 164 | } 165 | 166 | update_dns_acme() { 167 | local domain="$1" 168 | local domain_cert_dir="${CERT_DIR}/certs/${domain}" 169 | 170 | if is_all_certs_existing_in "${domain_cert_dir}"; then 171 | [[ 1 -eq 0 ]] # false 172 | return 173 | fi 174 | 175 | cmd="${ACME_CMD} -d ${domain} -d '*.${domain}'" 176 | 177 | eval "${cmd}" 2>&1 | sed '/integer expression expected/d' 178 | 179 | echo "Check if TXT is valid by running: dig -t TXT _acme-challenge.${domain}" 180 | 181 | read -p "Added TXT value for domain: _acme-challenge.${domain}? (Y/N): " confirm 182 | if [[ "${confirm}" != "Y" && "${confirm}" != "y" ]]; then 183 | [[ 1 -eq 0 ]] # false 184 | return 185 | fi 186 | 187 | eval "${cmd} --renew" 2>/dev/null 188 | if [[ "$?" 
!= "0" ]]; then 189 | [[ 1 -eq 0 ]] # false 190 | return 191 | fi 192 | 193 | eval "acme.sh \ 194 | --install-cert \ 195 | --config-home '${CERT_DIR}/config' \ 196 | -d ${domain} \ 197 | --ca-file '${domain_cert_dir}/chain.pem' \ 198 | --cert-file '${domain_cert_dir}/cert.pem' \ 199 | --key-file '${domain_cert_dir}/privkey.pem' \ 200 | --fullchain-file '${domain_cert_dir}/fullchain.pem'" 201 | 202 | [[ "$?" != "0" ]] 203 | } 204 | 205 | 206 | if [ -e ${LOCK} ]; then 207 | echo "Other is updating certs now. Exit!" 208 | exit 0 209 | else 210 | touch ${LOCK} 211 | fi 212 | 213 | 214 | # include /etc/nginx/vhost.d//*.conf; 215 | domains=( $(get_server_names_from "${VHOSTS}") ) 216 | 217 | http_mode_domains=( "${domains[@]}" ) 218 | dns_mode_domains=( ) 219 | if [ "${CERT_CHALLENGE_TYPE}" = "dns" ]; then 220 | http_mode_domains=( ) 221 | top_domains=( 222 | $(get_top_domains ${domains[@]} | sort | uniq) 223 | ) 224 | for top_domain in "${top_domains[@]}"; do 225 | read -p "Use DNS acme mode for domain: *.${top_domain}? (Y/N): " confirm 226 | if [[ "${confirm}" != "Y" && "${confirm}" != "y" ]]; then 227 | http_mode_domains+=( "${top_domain}" ) 228 | continue 229 | fi 230 | 231 | echo "Update certificate in DNS mode for ${top_domain}." 232 | if update_dns_acme "${top_domain}"; then 233 | dns_mode_domains+=( "${top_domain}" ) 234 | fi 235 | done 236 | fi 237 | 238 | for domain in "${domains[@]}"; do 239 | domain_sub_dir="${VHOSTS}/${domain}" 240 | domain_conf="$(get_domain_conf "${domain}")" 241 | 242 | if [ "x${domain_conf}" = "x" ]; then 243 | echo "No configuration file found for the domain ${domain}, skip it." 
244 | continue 245 | fi 246 | 247 | if [[ "${domains[@]}" = "${http_mode_domains[@]}" ]] || is_matched_domain_list "${domain}" "${http_mode_domains[@]}"; then 248 | if [ "${DISABLE_DEBUG}" != "true" ]; then 249 | set -x 250 | fi 251 | update_http_acme "${domain}" "${domain_conf}" 252 | set +x 253 | elif is_matched_domain_list "${domain}" "${dns_mode_domains[@]}"; then 254 | top_domain=$(get_top_domains ${domain}) 255 | domain_cert_dir="${CERT_DIR}/certs/${top_domain}" 256 | 257 | update_ssl_confs "${domain}" "${domain_conf}" "${domain_cert_dir}" 258 | else 259 | echo "Can not update certificate for ${domain}." 260 | fi 261 | done 262 | 263 | 264 | chown -R nginx:nginx ${VHOSTS} ${CERT_DIR}/certs \ 265 | && chmod go-rw -R ${VHOSTS} ${CERT_DIR}/certs 266 | 267 | rm ${LOCK} 268 | -------------------------------------------------------------------------------- /examples/vhost.d/oidc.lua: -------------------------------------------------------------------------------- 1 | local http = require "resty.http" 2 | local cjson = require "cjson" 3 | 4 | -- <<<<<<<< Source from https://github.com/zmartzone/lua-resty-openidc/blob/v1.5.3/lib/resty/openidc.lua 5 | local function openidc_parse_json_response(response) 6 | local err 7 | local res 8 | -- check the response from the OP 9 | if response.status ~= 200 then 10 | err = "response indicates failure, status="..response.status..", body="..response.body 11 | else 12 | -- decode the response and extract the JSON object 13 | res = cjson.decode(response.body) 14 | if not res then 15 | err = "JSON decoding failed" 16 | end 17 | end 18 | return res, err 19 | end 20 | 21 | local function openidc_cache_get(type, key) 22 | local dict = ngx.shared[type] 23 | local value 24 | local flags 25 | if dict then 26 | value, flags = dict:get(key) 27 | if value then ngx.log(ngx.DEBUG, "cache hit: type=", type, " key=", key) end 28 | end 29 | return value 30 | end 31 | 32 | local function openidc_cache_set(type, key, value, exp) 33 | local dict = 
ngx.shared[type] 34 | if dict then 35 | local success, err, forcible = dict:set(key, value, exp) 36 | ngx.log(ngx.DEBUG, "cache set: success=", success, " err=", err, " forcible=", forcible) 37 | end 38 | end 39 | 40 | local function openidc_discover(url, ssl_verify) 41 | ngx.log(ngx.DEBUG, "In openidc_discover - URL is "..url) 42 | 43 | local json, err 44 | local v = openidc_cache_get("discovery", url) 45 | if not v then 46 | ngx.log(ngx.DEBUG, "Discovery data not in cache. Making call to discovery endpoint") 47 | -- make the call to the discovery endpoint 48 | local httpc = http.new() 49 | local res, error = httpc:request_uri(url, { 50 | ssl_verify = (ssl_verify ~= "no") 51 | }) 52 | if not res then 53 | err = "accessing discovery url ("..url..") failed: "..error 54 | ngx.log(ngx.ERR, err) 55 | else 56 | ngx.log(ngx.DEBUG, "Response data: "..res.body) 57 | json, err = openidc_parse_json_response(res) 58 | if json then 59 | if string.sub(url, 1, string.len(json['issuer'])) == json['issuer'] then 60 | openidc_cache_set("discovery", url, cjson.encode(json), 24 * 60 * 60) 61 | else 62 | err = "issuer field in Discovery data does not match URL" 63 | json = nil 64 | end 65 | else 66 | err = "could not decode JSON from Discovery data" 67 | end 68 | end 69 | else 70 | json = cjson.decode(v) 71 | end 72 | 73 | return json, err 74 | end 75 | -- >>>>>> End 76 | 77 | local function openidc_send_error(err) 78 | ngx.status = 500 79 | ngx.say(err) 80 | ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR) 81 | end 82 | 83 | local function openidc_backend_logout(opts, session_opts) 84 | local discovery, err = openidc_discover(opts.discovery, opts.ssl_verify) 85 | if err then 86 | return openidc_send_error(err) 87 | end 88 | 89 | local session = require("resty.session").open(session_opts) 90 | local id_token = session.data.enc_id_token 91 | 92 | local end_session_endpoint = discovery.end_session_endpoint or discovery.ping_end_session_endpoint 93 | local httpc = http.new() 94 | -- 
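https://github.com/ledgetech/lua-resty-http#request
  if not end_session_endpoint then
    -- Without an end-session endpoint the request_uri() call below would raise a Lua error;
    -- fail explicitly instead.
    return openidc_send_error("discovery document has no end_session_endpoint")
  end
  -- Use the same verification setting as the discovery call above. The original read an
  -- undefined global `ssl_verify` here, so this call never honoured `$oidc_ssl_verify`.
  local res, err = httpc:request_uri(end_session_endpoint, {
    method = "GET",
    query = {
      id_token_hint = id_token -- Pass encoded id_token
    },
    ssl_verify = (opts.ssl_verify ~= "no")
  })

  if err then
    return openidc_send_error(err)
  end
  session:destroy()

  if opts.redirect_after_logout_uri then
    return ngx.redirect(opts.redirect_after_logout_uri)
  else
    ngx.header.content_type = "text/html"
    ngx.say("Logged Out")
    ngx.exit(ngx.OK)
  end
end


-- Identity headers this gateway injects for the backend (the nexus3 vhost forwards
-- `$http_x_remote_user` / `$http_x_remote_user_access_token` to Nexus). They are removed from
-- the inbound request before any authentication decision is taken, so a client can never
-- supply them itself on a path that returns early (OIDC disabled, IP whitelist, failed login).
local IDENTITY_HEADERS = { "X-Remote-User", "X-Remote-Group", "X-Remote-User-Access-Token" }

local function clear_identity_headers()
  for _, name in ipairs(IDENTITY_HEADERS) do
    ngx.req.clear_header(name)
  end
end

-- Access-phase entry point: whitelist bypass, callback/logout handling, then
-- lua-resty-openidc authentication. On success the user, access token and groups are
-- exported to the backend as X-Remote-* request headers.
--   opts         -- lua-resty-openidc options (discovery, client_id, client_secret, ...)
--   session_opts -- lua-resty-session options (the session cookie secret)
local function oidc_check(opts, session_opts)
  -- https://github.com/pingidentity/lua-resty-openidc#sample-configuration-for-google-signin
  -- NOTE: `remote_addr` is the TCP peer. Behind another proxy/load balancer this is the
  -- proxy's address, not the end client's, so whitelist with that in mind.
  if ngx.var.oidc_ip_whitelist and ngx.var.remote_addr then
    for ip in string.gmatch(ngx.var.oidc_ip_whitelist, '([^, ]+)') do
      if ip == ngx.var.remote_addr then
        return
      end
    end
  end

  -- A bare hit on the callback path (no code/state) would make authenticate() fail with a
  -- 500; send the browser to the root uri instead.
  local request_uri_args = ngx.req.get_uri_args()
  if ngx.var.request_uri == opts.redirect_uri_path and (not request_uri_args.code or not request_uri_args.state) then
    -- https://github.com/openresty/lua-nginx-module#ngxreqset_uri
    -- Note: 1. 'jump=true' isn't allowed in 'access_by_lua' directive
    --       2. 'ngx.req.set_uri' will not change the value of 'ngx.var.request_uri'
    --ngx.req.set_uri("/", false)
    return ngx.redirect("/")
  end

  -- Do logout in the background
  if ngx.var.request_uri == opts.logout_path then
    return openidc_backend_logout(opts, session_opts)
  end

  -- Do authenticate (lua-resty-openidc redirects to the OP itself when there is no session)
  local res, err = require("resty.openidc").authenticate(opts, nil, nil, session_opts)
  if err then
    -- Deliberately no error text in the response body: it can echo OP responses.
    ngx.status = 500
    ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
    return
  end

  -- https://kubernetes.io/docs/admin/authentication/#authenticating-proxy
  local id_token = res and res.id_token
  if id_token and id_token.sub then
    -- Drop the old session cookie so the (large) session blob is not forwarded to the backend.
    -- NOTE(review): the test looks for `session_%d=` but only strips `session=...;` -- verify
    -- this against the cookie layout of the installed lua-resty-session version.
    local cookie = ngx.req.get_headers()['Cookie']
    if type(cookie) == "string" and string.match(cookie, "session_%d=") then
      -- Note: ngx.log() will only print the first 2048 bytes for the long log
      -- Lua Regex Pattern: https://riptutorial.com/lua/topic/5829/pattern-matching
      cookie = cookie:gsub('session=.-;', '')
      ngx.req.set_header('Cookie', cookie)
    end

    local username = id_token.username or id_token.preferred_username or (id_token.user and id_token.user.name)
    ngx.req.set_header("X-Remote-User", username)
    ngx.req.set_header("X-Remote-User-Access-Token", res.access_token)

    -- ngx.req.set_header replaces the header on every call, so setting it once per group
    -- kept only the last group. Passing the whole list in one call emits one header value
    -- per group.
    local groups = id_token.groups
    if type(groups) == "table" and #groups > 0 then
      ngx.req.set_header("X-Remote-Group", groups)
    end
  else
    clear_identity_headers()
  end
end


-- Nothing the client sent under the identity header names may reach the backend, whichever
-- path is taken below.
clear_identity_headers()

if ngx.var.oidc_disabled == "true" then
  return
end

local opts = {
  -- Redirect uri which doesn't exist and cannot be '/'
  redirect_uri_path = "/redirect_uri",
  discovery = ngx.var.oidc_discovery,
  client_id = ngx.var.oidc_client_id,
  client_secret = ngx.var.oidc_client_secret,
  -- NOTE(review): the default is *no* TLS verification of the OP, i.e. the token endpoint
  -- (where client_secret is posted and id_tokens come back) is exposed to MITM when the
  -- discovery URL is https. Prefer `set $oidc_ssl_verify "yes";` together with
  -- `lua_ssl_trusted_certificate` in nginx; the default is kept only so existing http:// or
  -- self-signed setups keep working.
  ssl_verify = ngx.var.oidc_ssl_verify or "no",
  logout_path = ngx.var.oidc_logout_path,
  redirect_after_logout_uri = ngx.var.oidc_redirect_after_logout_uri,
  -- Prevent 'client_secret' to be nil:
  -- https://github.com/pingidentity/lua-resty-openidc/blob/v1.5.3/lib/resty/openidc.lua#L353
  token_endpoint_auth_method = "client_secret_post",
  --refresh_session_interval = 900,
  --access_token_expires_in = 3600,
  --force_reauthorize = false
}

-- The session cookie is protected with this secret, so it must be unguessable and identical
-- on every replica of the same vhost (otherwise replicas reject each other's cookies and the
-- login loops; https://github.com/pingidentity/lua-resty-openidc/issues/32#issuecomment-273900768).
-- Provide it with `set $oidc_session_secret "<random value>";` in the vhost. The legacy
-- derivation from the server name is kept as a fallback for compatibility only: anyone who
-- knows the hostname can compute it, so cookies minted under it cannot be trusted.
-- https://github.com/openresty/lua-nginx-module#set_by_lua
local session_secret = ngx.var.oidc_session_secret
if not session_secret or session_secret == "" then
  ngx.log(ngx.WARN, "oidc: $oidc_session_secret is not set; using a secret derived from the server name, which is predictable")
  session_secret = ngx.encode_base64(ngx.var.server_name):sub(0, 32)
end
local session_opts = {
  secret = session_secret
}

oidc_check(opts, session_opts)
--------------------------------------------------------------------------------
/examples/vhost.d/repo.example.com.conf:
--------------------------------------------------------------------------------
##
# Nexus3 service proxy settings
#
# Nexus3 supports to serve different repositories like npmjs, maven, docker, etc.
# Here, we create different domain site for different repositories and change
# the request URL via the directive 'rewrite'. 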
7 | ## 8 | 9 | server { 10 | listen 443 ssl; 11 | listen [::]:443 ssl; 12 | 13 | server_name repo.example.com; 14 | 15 | include /etc/nginx/vhost.d/repo.example.com/*.conf; 16 | 17 | proxy_cache off; 18 | 19 | location / { 20 | # Avoid to get address resolve error when starting 21 | set $target http://:; 22 | proxy_pass $target; 23 | } 24 | } 25 | 26 | ## 27 | # https://dcr.example.com 28 | # 29 | # Repositories: 30 | # - `docker-`(proxy): Proxy the offical or another public repository like 31 | # https://hub.docker.com/, https://gcr.io/, etc. 32 | # You can name them as `docker-docker.com` and `maven-gcr.io`. 33 | # - `docker-public`(group): Group all `docker-` repositories. The HTTP port should be set. 34 | # - `docker-hosted`(hosted): Host the private docker images. The HTTP port should be set. 35 | # 36 | # Proxies: 37 | # - HEAD|POST|PUT|DELETE|PATCH https://dcr.example.com -> http://nexus3-web: 38 | # - GET https://dcr.example.com -> http://nexus3-web: 39 | # 40 | # Usage: 41 | # - Login: `docker login dcr.example.com` 42 | # - Pull image: `docker pull dcr.example.com/:` 43 | # - Push image: `docker push dcr.example.com/:` 44 | ## 45 | server { 46 | listen 443 ssl; 47 | listen [::]:443 ssl; 48 | 49 | server_name dcr.example.com; 50 | 51 | include /etc/nginx/vhost.d/dcr.example.com/*.conf; 52 | 53 | # Disable cache of assets 54 | proxy_cache off; 55 | proxy_read_timeout 600; 56 | proxy_connect_timeout 600; 57 | 58 | client_max_body_size 500M; 59 | 60 | location / { 61 | if ($http_user_agent !~* "^docker/.+$") { 62 | return 301 $scheme://repo.example.com/#browse/browse/components:docker-public$request_uri; 63 | } 64 | 65 | set $nexus3 http://; 66 | 67 | # docker pull dcr.example.com/xx-xx 68 | set $target $nexus3:; 69 | 70 | # https://github.com/moby/moby/blob/7061b0f748c29ffd1e6852cdc5dd11f90840eb1c/daemon/logger/awslogs/cloudwatchlogs_test.go#L71 71 | # https://github.com/moby/moby/blob/master/client/image_pull.go 72 | # 
https://github.com/moby/moby/blob/master/client/image_push.go 73 | 74 | # NOTE: rewrite and proxy_pass should be put in the same block 75 | ## http://nginx.org/en/docs/http/ngx_http_rewrite_module.html#rewrite 76 | # docker push dcr.example.com/xx-xx 77 | if ($request_method ~* "^HEAD|POST|PUT|DELETE|PATCH$") { 78 | set $target $nexus3:; 79 | } 80 | 81 | proxy_pass $target; 82 | } 83 | } 84 | 85 | ## 86 | # https://mvn.example.com 87 | # 88 | # Repositories: 89 | # - `maven-`(proxy): Proxy the offical or another public repositoy like 90 | # http://central.maven.org/maven2/, https://repo.maven.apache.org/maven2/, etc. 91 | # You can name them as `maven-maven.org` and `maven-apache.org`. 92 | # - `maven-pulic`(group): Group all `maven-` repositories. 93 | # - `maven-hosted-releases`(hosted): Host the private release packages. 94 | # - `maven-hosted-snapshots`(hosted): Host the private snapshot packages. 95 | # - `maven-hosted`(group): Group the `maven-hosted-releases` and `maven-hosted-snapshots` repositories. 
96 | # 97 | # Rewrites: 98 | # - GET|HEAD https://mvn.example.com/public/ -> http://nexus3-web/repository/maven-public/ 99 | # - GET|HEAD https://mvn.example.com/hosted/ -> http://nexus3-web/repository/maven-hosted/ 100 | # - GET|HEAD https://mvn.example.com/releases/ -> http://nexus3-web/repository/maven-hosted/ 101 | # - GET|HEAD https://mvn.example.com/snapshots/ -> http://nexus3-web/repository/maven-hosted/ 102 | # - POST|PUT https://mvn.example.com/releases/ -> http://nexus3-web/repository/maven-hosted-releases/ 103 | # - POST|PUT https://mvn.example.com/snapshots/ -> http://nexus3-web/repository/maven-hosted-snapshots/ 104 | ## 105 | server { 106 | listen 443 ssl; 107 | listen [::]:443 ssl; 108 | 109 | server_name mvn.example.com; 110 | 111 | include /etc/nginx/vhost.d/mvn.example.com/*.conf; 112 | 113 | # Redirect to the maven repository (named as 'maven-public') of Nexus3 114 | location = / { 115 | return 302 $scheme://repo.example.com/#browse/browse/components:maven-public/; 116 | } 117 | # Redirect to the target asset of Nexus3 118 | location ~* ^/repository/maven-.+$ { 119 | return 301 $scheme://repo.example.com$request_uri; 120 | } 121 | 122 | # Disable cache of assets 123 | proxy_cache off; 124 | proxy_read_timeout 300; 125 | proxy_connect_timeout 300; 126 | 127 | client_max_body_size 500M; 128 | 129 | location / { 130 | #access_by_lua_block { 131 | # local cjson = require("cjson") 132 | # -- Print the request headers 133 | # ngx.log(ngx.DEBUG, ngx.var.request_uri..", "..cjson.encode(ngx.req.get_headers())) 134 | #} 135 | 136 | set $target http://:; 137 | 138 | # NOTE: rewrite and proxy_pass should be put in the same block 139 | ## http://nginx.org/en/docs/http/ngx_http_rewrite_module.html#rewrite 140 | # we browse or `mvn compile` 141 | if ($request_method ~* "^GET|HEAD$") { 142 | rewrite ^/public/(.*) /repository/maven-public/$1 break; 143 | rewrite ^/hosted/(.*) /repository/maven-hosted/$1 break; 144 | rewrite ^/releases/(.*) 
/repository/maven-hosted/$1 break; 145 | rewrite ^/snapshots/(.*) /repository/maven-hosted/$1 break; 146 | proxy_pass $target; 147 | break; 148 | } 149 | 150 | # `mvn deploy` 151 | if ($request_method ~* "^POST|PUT$") { 152 | rewrite ^/(releases|snapshots)/(.*) /repository/maven-hosted-$1/$2 break; 153 | proxy_pass $target; 154 | break; 155 | } 156 | } 157 | } 158 | 159 | ## 160 | # https://npm.example.com 161 | # 162 | # Repositories: 163 | # - `npm-`(proxy): Proxy the official or another public repository like 164 | # https://registry.npmjs.org/, https://registry.npm.taobao.org/, etc. 165 | # You can name them as `npm-npmjs.org` and `npm-taobao.org`. 166 | # - `npm-public`(group): Group all `npm-` repositories. 167 | # - `npm-hosted`(hosted): Host the private packages. 168 | # 169 | # Rewrites: 170 | # - GET https://npm.example.com/ -> http://nexus3-web/repository/npm-public/ 171 | # - PUT|DELETE https://npm.example.com/ -> http://nexus3-web/repository/npm-hosted/ 172 | # 173 | # Usage: 174 | # - Login: `npm login --registry=https://npm.example.com` 175 | # - Install modules: `npm --registry=https://npm.example.com install ` 176 | # - Publish module: `npm --registry=https://npm.example.com publish ` 177 | # - Change global registry: `npm config set registry https://npm.example.com` 178 | ## 179 | server { 180 | listen 443 ssl; 181 | listen [::]:443 ssl; 182 | 183 | server_name npm.example.com; 184 | 185 | include /etc/nginx/vhost.d/npm.example.com/*.conf; 186 | 187 | # Redirect to the npm repository (named as 'npm-public') of Nexus3 188 | location = / { 189 | return 302 $scheme://repo.example.com/#browse/browse/components:npm-public/; 190 | } 191 | # Redirect to the target asset of Nexus3 192 | location ~* ^/repository/npm-.+$ { 193 | return 301 $scheme://repo.example.com$request_uri; 194 | } 195 | 196 | # Disable cache of assets 197 | proxy_cache off; 198 | proxy_read_timeout 60; 199 | proxy_connect_timeout 60; 200 | 201 | client_max_body_size 50M; 202 | 203 | 
location / { 204 | set $target http://:; 205 | 206 | # NOTE: rewrite and proxy_pass should be put in the same block 207 | ## http://nginx.org/en/docs/http/ngx_http_rewrite_module.html#rewrite 208 | # we browse or `npm install` 209 | if ($request_method ~* "^GET$") { 210 | rewrite ^/(.+) /repository/npm-public/$ break; 211 | proxy_pass $target; 212 | break; 213 | } 214 | 215 | # `npm publish` 216 | if ($request_method ~* "^PUT|DELETE$") { 217 | rewrite ^/(.+) /repository/npm-hosted/$1 break; 218 | proxy_pass $target; 219 | break; 220 | } 221 | } 222 | } 223 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Nginx Gateway 2 | =============================== 3 | 4 | A tiny, flexible, configurable Nginx Gateway (reverse proxy) Docker image based on the [alpine image](https://hub.docker.com/_/alpine/). 5 | 6 | ## Features 7 | 8 | - Enable HTTPS and [OCSP Stapling](https://tools.ietf.org/html/rfc4366#section-3.6) with [Let’s Encrypt](https://letsencrypt.org/). 9 | - Automatically register [Let’s Encrypt](https://letsencrypt.org/) certificates for new domains and update certificates via [acme.sh](https://github.com/acmesh-official/acme.sh). 10 | - Support displaying your custom error pages randomly. 11 | - Support loading and executing [Lua](https://github.com/openresty/lua-nginx-module) code. 12 | - Support proxying HTTP and TCP streams. 13 | - Make individual configuration for every domain to serve static files or to proxy the backend servers. 14 | - Support creating multiple pod replicas in k8s. 15 | - Support access log rotation, e.g. `access_2018-04-26.log`. 16 | - Support authentication with OpenID (via [lua-resty-openidc](https://github.com/zmartzone/lua-resty-openidc)) and adding client IPs to the non-auth whitelist. 17 | - Optionally build the image with [GeoIp2](https://github.com/leev/ngx_http_geoip2_module). 
18 | - Integrated with [Gixy](https://github.com/yandex/gixy) to analyze the Nginx configuration to prevent security misconfiguration and automate flaw detection. 19 | 20 | ## How to use? 21 | 22 | ### Image version 23 | 24 | The image version is formatted as `<nginx version>-r<revision>[p<patch>]`, e.g. `1.11.2-r1`, `1.11.2-r1p1`, `1.11.2-r2` etc. 25 | 26 | ### Build image 27 | 28 | Run the following commands in the root directory of this git repository: 29 | 30 | ```bash 31 | IMAGE_VERSION=1.15.12-r1 32 | IMAGE_NAME=flytreeleft/nginx-gateway:${IMAGE_VERSION} 33 | 34 | docker build --rm -t ${IMAGE_NAME} . 35 | ``` 36 | 37 | If you want to enable [GeoIp2](https://github.com/leev/ngx_http_geoip2_module), just set the build argument `enable_geoip` to `true`: 38 | 39 | ```bash 40 | IMAGE_VERSION=1.15.12-r1 41 | IMAGE_NAME=flytreeleft/nginx-gateway-with-geoip:${IMAGE_VERSION} 42 | 43 | docker build --rm --build-arg enable_geoip=true -t ${IMAGE_NAME} . 44 | ``` 45 | 46 | **Note**: You can run `docker pull flytreeleft/nginx-gateway` or `docker pull flytreeleft/nginx-gateway-with-geoip` to get the latest image from the [Docker Hub](https://hub.docker.com/u/flytreeleft). 
47 | 48 | ### Create and run 49 | 50 | ```bash 51 | DCR_IMAGE_VERSION=1.15.12-r1 52 | 53 | DCR_NAME=nginx-gateway 54 | DCR_IMAGE=flytreeleft/nginx-gateway:${DCR_IMAGE_VERSION} 55 | 56 | DCR_VOLUME=/var/lib/nginx-gateway 57 | 58 | DEBUG=false 59 | ULIMIT=655360 60 | ENABLE_CUSTOM_ERROR_PAGE=true 61 | CERT_EMAIL=nobody@example.com 62 | 63 | ulimit -n ${ULIMIT} 64 | docker run -d --name ${DCR_NAME} \ 65 | --restart always \ 66 | --network host \ 67 | --ulimit nofile=${ULIMIT} \ 68 | -p 443:443 -p 80:80 \ 69 | -e DEBUG=${DEBUG} \ 70 | -e CERT_EMAIL=${CERT_EMAIL} \ 71 | -e ENABLE_CUSTOM_ERROR_PAGE=${ENABLE_CUSTOM_ERROR_PAGE} \ 72 | -e DISABLE_CERTBOT=false \ 73 | -e DISABLE_GIXY=false \ 74 | -v /usr/share/zoneinfo:/usr/share/zoneinfo:ro \ 75 | -v /etc/localtime:/etc/localtime:ro \ 76 | -v ${DCR_VOLUME}/logs:/var/log/nginx/sites \ 77 | -v ${DCR_VOLUME}/letsencrypt:/etc/letsencrypt \ 78 | -v ${DCR_VOLUME}/vhost.d:/etc/nginx/vhost.d \ 79 | -v ${DCR_VOLUME}/stream.d:/etc/nginx/stream.d \ 80 | -v ${DCR_VOLUME}/epage.d:/etc/nginx/epage.d \ 81 | ${DCR_IMAGE} 82 | ``` 83 | 84 | **Note**: 85 | - If you want to use your own error pages, just set `ENABLE_CUSTOM_ERROR_PAGE` to `false`, and put your configuration (e.g. [config/error-pages/01_default.conf](./config/error-pages/01_default.conf)) and error pages into `${STORAGE}/epage.d`. 86 | - Mapping `/usr/share/zoneinfo` and `/etc/localtime` from the host machine makes sure the container uses the same time zone as the host. 87 | - The access and error logs will be put in the directory `/var/log/nginx/sites/{domain}`. The access log file will be named `access_{date}.log` (e.g. `access_2018-04-26.log`), and the error log will be named `error.log`. 88 | - Set `DISABLE_CERTBOT` to `true` if you do not want [certbot](https://certbot.eff.org/docs/using.html) to register or update [Let’s Encrypt](https://letsencrypt.org/) certificates automatically. 
If certbot is disabled, you can run `$ docker exec -it nginx-gateway sh -c '/usr/bin/build-certs && /usr/sbin/nginx -s reload'` to update the **Let’s Encrypt** certificates manually. 89 | - Set `DISABLE_GIXY` to `true` if you don't want to run Gixy to check the Nginx configuration files when they are changed. Otherwise, you can run `docker logs --tail 100 ${DCR_NAME}` to check the detection results. Note that the Dockerfile only installs Gixy when the image is built with `--build-arg enable_gixy=true`; without it, `DISABLE_GIXY=false` has no effect. 90 | 91 | ## How to configure your site? 92 | 93 | There are some examples in [examples/vhost.d](./examples/vhost.d) for different needs. 94 | 95 | In [config/10_default.conf](./config/10_default.conf), all HTTP requests will be redirected to HTTPS, 96 | so you just need to listen on `443` and configure your HTTPS site, which looks like the following: 97 | ```nginx 98 | server { 99 | listen 443 ssl; 100 | listen [::]:443 ssl; 101 | 102 | server_name ; 103 | 104 | # Note: The additional configuration files (for ssl, log, etc.) which are generated automatically 105 | # will be put into the fixed location as '/etc/nginx/vhost.d/', 106 | # so do not change it. 107 | include /etc/nginx/vhost.d//*.conf; 108 | 109 | location / { 110 | # Avoid to get address resolve error when starting 111 | set $target http://:80; 112 | proxy_pass $target; 113 | } 114 | } 115 | ``` 116 | 117 | Also, you can put the global and default settings in one file (e.g. [vhost.d/00_default.conf](./examples/vhost.d/00_default.conf)), 118 | just make sure it is loaded before the other site configuration files. 
Here are some useful configurations: 119 | ```nginx 120 | resolver 8.8.8.8 valid=300s; 121 | resolver_timeout 5s; 122 | 123 | # Websocket support 124 | proxy_http_version 1.1; 125 | proxy_set_header Upgrade $http_upgrade; 126 | proxy_set_header Connection "upgrade"; 127 | 128 | # Force to change the redirect url's scheme to https 129 | proxy_redirect http:// $scheme://; 130 | proxy_redirect / /; 131 | ``` 132 | 133 | For other needs, see details in: 134 | - [Enable uploading big files to your site](./examples/vhost.d/git.example.com.conf) 135 | - [The Nexus3 repository sites for Docker images and the library packages of Maven, NPM, etc.](./examples/vhost.d/repo.example.com.conf) 136 | - [Proxy the static files behind the firewall](./examples/vhost.d/static.example.com.conf) 137 | - [Enable HTTP Basic Authentication or OpenID](./examples/vhost.d/wiki.example.com.conf) 138 | - [Proxy the TCP streams](./examples/stream.d/mysql.conf) 139 | 140 | ## Thanks 141 | 142 | - [nginxinc/docker-nginx](https://github.com/nginxinc/docker-nginx/blob/master/stable/alpine/Dockerfile): The official NGINX Dockerfiles based on [alpine image](https://hub.docker.com/_/alpine/). 143 | - [sebble/docker-images/letsencrypt-certbot](https://github.com/sebble/docker-images/tree/master/letsencrypt-certbot): Running [certbot](https://certbot.eff.org/docs/using.html) via crontab. 144 | - [nrollr/nginx.conf](https://gist.github.com/nrollr/9a39bb636a820fb97eec2ed85e473d38): NGINX config for SSL with Let's Encrypt certs. 145 | - [JrCs/docker-letsencrypt-nginx-proxy-companion](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion): LetsEncrypt companion container for nginx-proxy. 146 | - [tmthrgd/nginx-status-text.conf](https://gist.github.com/tmthrgd/3504859568e1dba9ee80e260f974a708): Nginx status code to message map. 
147 | - [Using NGINX’s X-Accel with Remote URLs](https://www.mediasuite.co.nz/blog/proxying-s3-downloads-nginx/) 148 | - [How to make an existing caching Nginx proxy use another proxy to bypass a firewall?](https://serverfault.com/questions/583743/how-to-make-an-existing-caching-nginx-proxy-use-another-proxy-to-bypass-a-firewa#683955) 149 | - [nginx docker container cannot see client ip when using '--iptables=false' option](http://serverfault.com/questions/786389/nginx-docker-container-cannot-see-client-ip-when-using-iptables-false-option#answer-788088) 150 | - [Log rotation directly within Nginx configuration file](https://www.cambus.net/log-rotation-directly-within-nginx-configuration-file/): Using variables in `access_log` directives to rotate access log. Note: embed variables can not be used in `error_log` directives. 151 | - [Log rotation directly within Nginx configuration file: map instead of if](https://github.com/fcambus/nginx-resources/issues/12): Using `map` directives instead of `if` for rotating access log. 152 | - [zmartzone/lua-resty-openidc](https://github.com/zmartzone/lua-resty-openidc): Give a way to enable OpenID authentication for Nginx. 153 | - [Gixy](https://github.com/yandex/gixy): A tool to analyze Nginx configuration to prevent security misconfiguration. 154 | 155 | ## Reference 156 | 157 | - [Nginx ssl_stapling](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling) 158 | - [Nginx alias](http://nginx.org/en/docs/http/ngx_http_core_module.html#alias): Used to change the directory path of the request file. 159 | - [Nginx sub_filter](http://nginx.org/en/docs/http/ngx_http_sub_module.html#sub_filter): Filter and modify the response body. 160 | - [Nginx error_page](http://nginx.org/en/docs/http/ngx_http_core_module.html#error_page): Define the error page or URI. 161 | - [Nginx random_index](http://nginx.org/en/docs/http/ngx_http_random_index_module.html#random_index): Picks a random file in a directory to serve as an index file. 
162 | - [Nginx proxy_intercept_errors](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_intercept_errors): Intercept proxy errors and redirected them to nginx for processing with the `error_page` directive. 163 | - [Nginx proxy_hide_header](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header): Hide the headers from the response of a proxied server to a client. 164 | - [Nginx variables](http://nginx.org/en/docs/varindex.html) 165 | - [Nginx log_format&access_log](http://nginx.org/en/docs/http/ngx_http_log_module.html) 166 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 
25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. 
For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. 
If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. 
You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. 
You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. 
(Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | # https://github.com/nginxinc/docker-nginx/blob/master/mainline/alpine/Dockerfile 2 | FROM alpine:3.10 3 | LABEL author="flytreeleft@crazydan.org" 4 | 5 | 6 | ENV LUA_JIT_VERSION 2.1-20190912 7 | ENV LUA_ROCKS_VERSION 3.2.1 8 | ENV LUA_RESTY_LRUCACHE_VERSION 0.09 9 | ENV LUA_RESTY_CORE_VERSION 0.1.17 10 | ENV LUA_RESTY_STRING_VERSION 0.11 11 | 12 | ENV NGINX_VERSION 1.15.12 13 | ENV NDK_VERSION 0.3.1 14 | ENV NGX_LUA_VERSION 0.10.15 15 | ENV NGX_GEOIP2_VERSION 2.0 16 | 17 | RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \ 18 | && CONFIG="\ 19 | --prefix=/etc/nginx \ 20 | --sbin-path=/usr/sbin/nginx \ 21 | --modules-path=/usr/lib/nginx/modules \ 22 | --conf-path=/etc/nginx/nginx.conf \ 23 | --error-log-path=/var/log/nginx/error.log \ 24 | --http-log-path=/var/log/nginx/access.log \ 25 | --pid-path=/var/run/nginx.pid \ 
26 | --lock-path=/var/run/nginx.lock \ 27 | --http-client-body-temp-path=/var/cache/nginx/client_temp \ 28 | --http-proxy-temp-path=/var/cache/nginx/proxy_temp \ 29 | --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \ 30 | --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \ 31 | --http-scgi-temp-path=/var/cache/nginx/scgi_temp \ 32 | --user=nginx \ 33 | --group=nginx \ 34 | --with-ipv6 \ 35 | --with-http_ssl_module \ 36 | --with-http_realip_module \ 37 | --with-http_addition_module \ 38 | --with-http_sub_module \ 39 | --with-http_dav_module \ 40 | --with-http_flv_module \ 41 | --with-http_mp4_module \ 42 | --with-http_gunzip_module \ 43 | --with-http_gzip_static_module \ 44 | --with-http_random_index_module \ 45 | --with-http_secure_link_module \ 46 | --with-http_stub_status_module \ 47 | --with-http_auth_request_module \ 48 | --with-http_xslt_module=dynamic \ 49 | --with-http_image_filter_module=dynamic \ 50 | --with-threads \ 51 | --with-stream \ 52 | --with-stream_ssl_module \ 53 | --with-stream_ssl_preread_module \ 54 | --with-http_slice_module \ 55 | --with-mail \ 56 | --with-mail_ssl_module \ 57 | --with-file-aio \ 58 | --with-http_v2_module \ 59 | " \ 60 | && apk add --update --no-cache openssl ca-certificates bash curl \ 61 | && update-ca-certificates \ 62 | && addgroup -S nginx \ 63 | && adduser -D -S -h /var/cache/nginx -s /sbin/nologin -G nginx nginx \ 64 | && apk add --no-cache --virtual .build-deps \ 65 | git \ 66 | gcc \ 67 | libc-dev \ 68 | make \ 69 | openssl-dev \ 70 | pcre-dev \ 71 | zlib-dev \ 72 | linux-headers \ 73 | unzip \ 74 | gnupg \ 75 | libxslt-dev \ 76 | gd-dev \ 77 | libmaxminddb \ 78 | libmaxminddb-dev \ 79 | && curl -fSL https://github.com/openresty/luajit2/archive/v$LUA_JIT_VERSION.tar.gz -o lua-jit.tar.gz \ 80 | && curl -fSL https://github.com/luarocks/luarocks/archive/v$LUA_ROCKS_VERSION.tar.gz -o lua-rocks.tar.gz \ 81 | && curl -fSL https://github.com/openresty/lua-resty-lrucache/archive/v$LUA_RESTY_LRUCACHE_VERSION.tar.gz 
-o lua-resty-lrucache.tar.gz \ 82 | && curl -fSL https://github.com/openresty/lua-resty-core/archive/v$LUA_RESTY_CORE_VERSION.tar.gz -o lua-resty-core.tar.gz \ 83 | && curl -fSL https://github.com/openresty/lua-resty-string/archive/v$LUA_RESTY_STRING_VERSION.tar.gz -o lua-resty-string.tar.gz \ 84 | && curl -fSL http://nginx.org/download/nginx-$NGINX_VERSION.tar.gz -o nginx.tar.gz \ 85 | && curl -fSL http://nginx.org/download/nginx-$NGINX_VERSION.tar.gz.asc -o nginx.tar.gz.asc \ 86 | && curl -fSL https://github.com/simpl/ngx_devel_kit/archive/v$NDK_VERSION.tar.gz -o ngx_devel_kit.tar.gz \ 87 | && curl -fSL https://github.com/openresty/lua-nginx-module/archive/v$NGX_LUA_VERSION.tar.gz -o lua-nginx-module.tar.gz \ 88 | && curl -fSL https://github.com/leev/ngx_http_geoip2_module/archive/$NGX_GEOIP2_VERSION.tar.gz -o ngx_http_geoip2_module.tar.gz \ 89 | && export GNUPGHOME="$(mktemp -d)" \ 90 | && found=''; \ 91 | for server in \ 92 | ha.pool.sks-keyservers.net \ 93 | hkp://keyserver.ubuntu.com:80 \ 94 | hkp://p80.pool.sks-keyservers.net:80 \ 95 | pgp.mit.edu \ 96 | ; do \ 97 | echo "Fetching GPG key $GPG_KEYS from $server"; \ 98 | gpg --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$GPG_KEYS" && found=yes && break; \ 99 | done; \ 100 | test -z "$found" && echo >&2 "error: failed to fetch GPG key $GPG_KEYS" && exit 1; \ 101 | gpg --batch --verify nginx.tar.gz.asc nginx.tar.gz \ 102 | && rm -r "$GNUPGHOME" nginx.tar.gz.asc \ 103 | && mkdir -p /usr/src \ 104 | && tar -zxC /usr/src -f lua-jit.tar.gz \ 105 | && tar -zxC /usr/src -f lua-rocks.tar.gz \ 106 | && tar -zxC /usr/src -f lua-resty-lrucache.tar.gz \ 107 | && tar -zxC /usr/src -f lua-resty-core.tar.gz \ 108 | && tar -zxC /usr/src -f lua-resty-string.tar.gz \ 109 | && tar -zxC /usr/src -f nginx.tar.gz \ 110 | && tar -zxC /usr/src -f ngx_devel_kit.tar.gz \ 111 | && tar -zxC /usr/src -f lua-nginx-module.tar.gz \ 112 | && tar -zxC /usr/src -f ngx_http_geoip2_module.tar.gz \ 113 | && rm -f *.tar.gz \ 114 
| && cd /usr/src/luajit2-$LUA_JIT_VERSION \ 115 | && make \ 116 | && make install \ 117 | && ln -sf /usr/local/bin/luajit /usr/local/bin/lua \ 118 | && export LUAJIT_LIB=/usr/local/lib \ 119 | && export LUAJIT_INC=/usr/local/include/luajit-2.1 \ 120 | && cd /usr/src/luarocks-$LUA_ROCKS_VERSION \ 121 | && ./configure --prefix=/usr/local \ 122 | --lua-suffix=jit \ 123 | --with-lua=/usr/local \ 124 | --with-lua-include=$LUAJIT_INC \ 125 | --with-lua-lib=$LUAJIT_LIB \ 126 | && make build \ 127 | && make install \ 128 | && cd /usr/src/lua-resty-string-$LUA_RESTY_STRING_VERSION \ 129 | && make \ 130 | && make install LUA_INCLUDE_DIR=$LUAJIT_INC LUA_LIB_DIR=/usr/local/share/lua/5.1 \ 131 | # Install Lua moduels 132 | && luarocks install lua-cjson \ 133 | && luarocks install lua-resty-http \ 134 | && luarocks install lua-resty-session \ 135 | && luarocks install lua-resty-jwt \ 136 | && luarocks install lua-resty-openidc \ 137 | && cp -r /usr/src/lua-resty-lrucache-$LUA_RESTY_LRUCACHE_VERSION/lib/* /usr/local/share/lua/5.1 \ 138 | && cp -r /usr/src/lua-resty-core-$LUA_RESTY_CORE_VERSION/lib/* /usr/local/share/lua/5.1 \ 139 | && cd /usr/src/nginx-$NGINX_VERSION \ 140 | && ./configure $CONFIG \ 141 | --with-debug \ 142 | --with-ld-opt="-Wl,-rpath,$LUAJIT_LIB" \ 143 | --add-module=/usr/src/ngx_devel_kit-$NDK_VERSION \ 144 | --add-module=/usr/src/lua-nginx-module-$NGX_LUA_VERSION \ 145 | --add-module=/usr/src/ngx_http_geoip2_module-$NGX_GEOIP2_VERSION \ 146 | && make -j$(getconf _NPROCESSORS_ONLN) \ 147 | && mv objs/nginx objs/nginx-debug \ 148 | && mv objs/ngx_http_xslt_filter_module.so objs/ngx_http_xslt_filter_module-debug.so \ 149 | && mv objs/ngx_http_image_filter_module.so objs/ngx_http_image_filter_module-debug.so \ 150 | && ./configure $CONFIG \ 151 | --with-ld-opt="-Wl,-rpath,$LUAJIT_LIB" \ 152 | --add-module=/usr/src/ngx_devel_kit-$NDK_VERSION \ 153 | --add-module=/usr/src/lua-nginx-module-$NGX_LUA_VERSION \ 154 | 
--add-module=/usr/src/ngx_http_geoip2_module-$NGX_GEOIP2_VERSION \ 155 | && make -j$(getconf _NPROCESSORS_ONLN) \ 156 | && make install \ 157 | # Note: Keep the '/etc/nginx/html' to prevent 'testing "/etc/nginx/html" existence failed' error 158 | #&& rm -rf /etc/nginx/html/ 159 | && mkdir /etc/nginx/conf.d/ \ 160 | && mkdir -p /usr/share/nginx/html/ \ 161 | && install -m644 html/index.html /usr/share/nginx/html/ \ 162 | && install -m644 html/50x.html /usr/share/nginx/html/ \ 163 | && install -m755 objs/nginx-debug /usr/sbin/nginx-debug \ 164 | && install -m755 objs/ngx_http_xslt_filter_module-debug.so /usr/lib/nginx/modules/ngx_http_xslt_filter_module-debug.so \ 165 | && install -m755 objs/ngx_http_image_filter_module-debug.so /usr/lib/nginx/modules/ngx_http_image_filter_module-debug.so \ 166 | && ln -s ../../usr/lib/nginx/modules /etc/nginx/modules \ 167 | && strip /usr/sbin/nginx* \ 168 | && strip /usr/lib/nginx/modules/*.so \ 169 | && rm -rf /usr/src \ 170 | \ 171 | # Bring in gettext so we can get `envsubst`, then throw 172 | # the rest away. To do this, we need to install `gettext` 173 | # then move `envsubst` out of the way so `gettext` can 174 | # be deleted completely, then move `envsubst` back. 
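&& apk add --no-cache --virtual .gettext gettext \
    && mv /usr/bin/envsubst /tmp/ \
    \
    # Work out which shared libraries the final binaries really need, so the
    # build toolchain can be removed while the runtime libraries stay installed.
    && runDeps="$( \
        scanelf --needed --nobanner /usr/sbin/nginx /usr/lib/nginx/modules/*.so \
            /usr/local/bin/luarocks /usr/local/bin/luajit \
            /usr/local/lib/*.so /tmp/envsubst \
            | awk '{ gsub(/,/, "\nso:", $2); print "so:" $2 }' \
            | sort -u \
            | xargs -r apk info --installed \
            | sort -u \
    )" \
    && apk add --no-cache --virtual .nginx-rundeps $runDeps \
    && apk del .build-deps \
    && apk del .gettext \
    && mv /tmp/envsubst /usr/local/bin/ \
    \
    # forward request and error logs to docker log collector
    #&& ln -sf /dev/stdout /var/log/nginx/access.log
    && ln -sf /dev/stderr /var/log/nginx/error.log


ARG enable_gixy=false
# https://github.com/docker-library/python/blob/master/3.7/alpine3.7/Dockerfile
# Optional Python + pip so the gixy nginx-config linter can be installed below.
# The steps are wrapped in if/fi: previously a trailing `; echo ""` made the RUN
# always succeed, so a failed download or install produced an image silently
# missing the tool. Now any failing step fails the build.
# NOTE(review): get-pip.py is fetched unpinned and executed as root at build time
# with no integrity check. Pin it to a specific pypa/get-pip commit and verify a
# known hash before running it, or install pip from the distro package instead.
RUN if [ "${enable_gixy}" = "true" ]; then \
        set -ex; \
        apk add --no-cache python3 \
        && ln -s /usr/bin/python3 /usr/bin/python \
        && wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py' \
        && python get-pip.py --no-cache-dir \
        && pip --version \
        && find /usr/local -depth \
            \( \
                \( -type d -a \( -name test -o -name tests \) \) \
                -o \
                \( -type f -a \( -name '*.pyc' -o -name '*.pyo' \) \) \
            \) -exec rm -rf '{}' + \
        && rm -f get-pip.py; \
    fi
# https://github.com/yandex/gixy
# NOTE(review): gixy is installed unpinned; pin a version for reproducible builds.
RUN if [ "${enable_gixy}" = "true" ]; then pip install gixy; fi


ARG enable_geoip=false
# https://github.com/leev/ngx_http_geoip2_module
# http://www.treselle.com/blog/nginx-with-geoip2-maxmind-database-to-fetch-user-geo-location-data/
# https://dev.maxmind.com/geoip/geoip2/geolite2/
# Fetch the GeoLite2 databases consumed by the geoip2 config. The archives are
# now downloaded over HTTPS (they were plain HTTP, so a network attacker could
# have substituted the databases that end up inside /etc/nginx).
# NOTE(review): there is still no checksum/signature check on the downloaded
# archives, and MaxMind now requires an account license key for GeoLite2
# downloads, so this URL is unlikely to work unchanged -- confirm before
# relying on the geoip build variant.
RUN if [ "${enable_geoip}" = "true" ]; then \
        mkdir -p /etc/nginx/geoip2 /tmp/geoip2 \
        && cd /tmp/geoip2 \
        && wget https://geolite.maxmind.com/download/geoip/database/GeoLite2-City.tar.gz \
                https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country.tar.gz \
        && tar -zxf GeoLite2-City.tar.gz \
        && tar -zxf GeoLite2-Country.tar.gz \
        && find . -name "*.mmdb" -type f -exec mv {} /etc/nginx/geoip2 \; \
        && cd / \
        && rm -rf /tmp/geoip2; \
    fi
# https://github.com/dauer/geohash/blob/master/lua/README.md
# NOTE(review): the rockspec is fetched from the mutable `master` branch; pin a
# tag or commit SHA so the build cannot change (or be hijacked) underneath you.
RUN if [ "${enable_geoip}" = "true" ]; then \
        luarocks install https://github.com/dauer/geohash/raw/master/lua/geohash-0.9-1.rockspec; \
    fi

# Vendor acme.sh at a pinned release into /opt/acme.sh-src (presumably used by
# the cert scripts in bin/ -- see build-certs / update-certs).
# NOTE(review): the tarball is not verified after download; compare it against
# a known digest before extracting.
RUN curl -fSL https://github.com/acmesh-official/acme.sh/archive/2.8.5.tar.gz -o acme-sh.tar.gz \
    && tar -zxC /opt -f acme-sh.tar.gz \
    && mv /opt/acme.sh-2.8.5 /opt/acme.sh-src \
    && rm -f acme-sh.tar.gz


# Runtime defaults. The *D directories and CERT_DIR are created below and
# exported as volumes; DEFAULT_ERROR_PAGES is where config/error-pages lands.
ENV DEBUG=false
ENV DOMAIN=
ENV CERT_EMAIL=
ENV CERT_DIR=/etc/letsencrypt
ENV ENABLE_CUSTOM_ERROR_PAGE=false
ENV DEFAULT_ERROR_PAGES=/usr/share/nginx/error-pages
ENV VHOSTD=/etc/nginx/vhost.d
ENV STREAMD=/etc/nginx/stream.d
ENV EPAGED=/etc/nginx/epage.d
ENV NGINX_LOG=/var/log/nginx
ENV NGINX_SITES_LOG=/var/log/nginx/sites

# DH parameters plus a placeholder certificate/key (presumably backing the
# default HTTPS server in 10_default_https.conf).
# NOTE(review): the private key is generated at build time, so it is baked into
# the image layer and shared by every container -- and everyone -- that pulls
# this image. Acceptable only as a throwaway for the catch-all vhost; generate
# it in the entrypoint instead if it must stay private.
RUN mkdir -p /etc/nginx/ssl \
    && openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096 \
    && openssl req -x509 -nodes -days 36500 -newkey rsa:4096 \
        -subj "/C=CC/ST=STT/L=LL/O=OO/CN=example.com" \
        -keyout /etc/nginx/ssl/default_https_ssl.key \
        -out /etc/nginx/ssl/default_https_ssl.crt

RUN rm -rf /root/.cache

RUN mkdir -p /var/log/cron /var/log/letsencrypt \
    /etc/nginx/lua /etc/nginx/vstream.d \
    ${NGINX_LOG} ${NGINX_SITES_LOG}
#RUN mkdir -p /var/www/html && chown -R nginx:nginx /var/www/html
RUN rm -f /etc/nginx/conf.d/default.conf

# Local files are brought in with COPY rather than ADD: COPY never fetches URLs
# or auto-extracts archives, so it can do nothing beyond copying what is listed.
COPY config/nginx.conf /etc/nginx/nginx.conf
COPY config/00_vars.conf /etc/nginx/conf.d/00_vars.conf
COPY config/00_log.conf /etc/nginx/conf.d/00_log.conf
COPY config/01_ssl.conf /etc/nginx/conf.d/01_ssl.conf
COPY config/02_proxy.conf /etc/nginx/conf.d/02_proxy.conf
COPY config/03_geoip2.conf /etc/nginx/conf.d/03_geoip2.conf
COPY config/00_log_with_geoip.conf /etc/nginx/conf.d/00_log_with_geoip.conf
COPY config/10_default.conf /etc/nginx/conf.d/10_default.conf
COPY config/10_default_https.conf /etc/nginx/conf.d/10_default_https.conf
# NOTE: Any other crontab file will not be scanned; this one runs as root.
COPY config/crontab /var/spool/cron/crontabs/root
COPY config/10_stream_acme.conf /etc/nginx/vstream.d/10_stream_acme.conf

COPY bin/nginx-utils.sh /usr/bin/nginx-utils.sh
COPY bin/nginx-utils.awk /usr/bin/nginx-utils.awk
COPY bin/build-certs /usr/bin/build-certs
COPY bin/update-certs /usr/bin/update-certs
COPY bin/watch-config /usr/bin/watch-config
COPY bin/entrypoint.sh /entrypoint.sh

COPY config/error-pages ${DEFAULT_ERROR_PAGES}

# Drop the geoip-specific config fragments when geoip support was not built in.
RUN if [ "${enable_geoip}" != "true" ]; then rm -f /etc/nginx/conf.d/*geoip*; fi
RUN mkdir -p ${VHOSTD} ${STREAMD} ${CERT_DIR} ${EPAGED}
RUN chmod +x /usr/bin/build-certs /usr/bin/update-certs \
    /usr/bin/watch-config /entrypoint.sh

VOLUME ["${VHOSTD}", "${STREAMD}", "${EPAGED}", "${CERT_DIR}"]

EXPOSE 80 443

# CMD & ENTRYPOINT
## https://docs.docker.com/engine/reference/builder/#understand-how-cmd-and-entrypoint-interact
ENTRYPOINT ["/entrypoint.sh"]
--------------------------------------------------------------------------------
/examples/epage.d/all/12_Solar_System.html:
--------------------------------------------------------------------------------
{{status}} - {{status_msg}}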
394 |

{{status}}
{{status_msg}}


397 | Animation based on 398 | Solar System 399 | by Malik Dellidj 400 |

401 |
415 | 416 | 417 | --------------------------------------------------------------------------------