├── install ├── etc │ ├── zabbix │ │ └── zabbix_agentd.conf.d │ │ │ ├── nginx-status.conf │ │ │ └── scripts │ │ │ └── nginx-status.sh │ ├── nginx │ │ ├── conf.d │ │ │ ├── maintenance.conf.maint │ │ │ ├── 01-ldap.conf │ │ │ ├── 02-default.conf │ │ │ └── 02-default.llng │ │ └── nginx.conf │ ├── logrotate.d │ │ └── nginx │ ├── s6 │ │ └── services │ │ │ └── 10-nginx │ │ │ └── run │ └── cont-init.d │ │ └── 09-nginx ├── assets │ └── maintenance │ │ └── maintenance.html └── usr │ └── sbin │ └── maintenance ├── examples └── docker-compose.yml ├── LICENSE ├── CHANGELOG.md ├── Dockerfile ├── README.md └── zabbix_templates ├── zabbix_agent_container.xml └── app_nginx.xml /install/etc/zabbix/zabbix_agentd.conf.d/nginx-status.conf: -------------------------------------------------------------------------------- 1 | UserParameter=nginx.status[*],/etc/zabbix/zabbix_agentd.conf.d/scripts/nginx-status.sh $1 2 | -------------------------------------------------------------------------------- /install/etc/nginx/conf.d/maintenance.conf.maint: -------------------------------------------------------------------------------- 1 | server { 2 | listen 80; 3 | server_name localhost; 4 | 5 | location / { 6 | root /assets/maintenance; 7 | index maintenance.html; 8 | } 9 | 10 | } 11 | -------------------------------------------------------------------------------- /install/etc/logrotate.d/nginx: -------------------------------------------------------------------------------- 1 | /www/logs/nginx/*.log { 2 | daily 3 | ifempty 4 | rotate 7 5 | missingok 6 | compress 7 | dateext 8 | sharedscripts 9 | postrotate 10 | s6-svc -h /var/run/s6/services/10-nginx 11 | endscript 12 | } 13 | -------------------------------------------------------------------------------- /install/assets/maintenance/maintenance.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Undergoing Scheduled Maintenance 5 | 6 | 7 | 8 |

Sorry, we're presently performing maintenance on our services.

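






--------------------------------------------------------------------------------
/install/etc/nginx/conf.d/01-ldap.conf:
--------------------------------------------------------------------------------
# LDAP backend referenced by "auth_ldap_servers ldapserver" in 02-default.conf.
# The LDAP_* tokens below are filled in at container start by
# /etc/cont-init.d/09-nginx, so after start-up this file holds the bind
# password in cleartext; it should be readable by root only.
ldap_server ldapserver {
  url "$LDAP_HOST/$LDAP_BASE_DN?$LDAP_ATTRIBUTE?$LDAP_SCOPE?$LDAP_FILTER";
  binddn "$LDAP_BIND_DN";
  # quoted like binddn above so a password containing spaces or ';' survives
  binddn_passwd "$LDAP_BIND_PW";
  #group_attribute $LDAP_GROUP_ATTRIBUTE;
  #group_attribute_is_dn on;
  # require group 'cn=docker,ou=groups,dc=example,dc=com';
  # Any account that can bind is accepted; enable the group lines above to
  # restrict access to a group instead.
  require valid_user;
  satisfy all;
}


--------------------------------------------------------------------------------
/install/etc/nginx/conf.d/02-default.conf:
--------------------------------------------------------------------------------
# Default site: static files from /www/html, every request gated by LDAP.
server {

  listen 80;

  auth_ldap "Authentication is required";
  auth_ldap_servers ldapserver;

  root /www/html;
  index index.html index.htm;
  access_log /www/logs/nginx/access.log;
  error_log /www/logs/nginx/error.log;

  # /www/html is a user-mapped volume. With symlink checks disabled nginx will
  # follow a symlink placed there to any path the worker can read; consider
  # "disable_symlinks if_not_owner from=$document_root;" for untrusted content.
  disable_symlinks off;

  location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
  }

  # deny dot-files
  location ~ /\. {
    deny all;
    access_log off;
    log_not_found off;
  }

  location ~* \.(jpg|jpeg|gif|png|css|js|ico|xml)$ {
    access_log on;
    log_not_found on;
    expires 360d;
  }
}

--------------------------------------------------------------------------------
/install/etc/s6/services/10-nginx/run:
--------------------------------------------------------------------------------
#!/usr/bin/with-contenv bash
# s6 service: waits for cont-init to finish, seeds /www/html on the first run,
# resets ownership, then execs nginx in the foreground (nginx.conf: daemon off).

while [ ! -f /tmp/state/99-container-init ]
do
  sleep 1
done


if [ ! -f /tmp/state/10-nginx ]; then
  sleep 2

  ### Check to see if this is a new install, if yes create directories...
  if [ ! -f /www/html/index.html ] ; then
    echo "** [nginx-ldap] No Files found - New Installation Detected......"
    mkdir -p /www/html
    touch /www/html/index.html
    chown nginx /www/html
  fi

  ### Force Reset Permissions for Security
  # NOTE(review): this makes the worker user own the served content, so a
  # compromised worker could rewrite it. Root-owned, nginx-readable files are
  # the least-privilege layout - confirm nothing needs nginx to write here.
  chown -R nginx /www/html
  mkdir -p /www/logs/nginx
  mkdir -p /tmp/nginx
  chown -R nginx /www/logs/nginx
  chown nginx /tmp/nginx
  mkdir -p /tmp/state/
  echo 'Initialization Complete' >/tmp/state/10-nginx
fi

echo ''
echo '** [nginx-ldap] Starting nginx'
exec nginx

--------------------------------------------------------------------------------
/install/etc/nginx/conf.d/02-default.llng:
--------------------------------------------------------------------------------
# Alternative default site used when AUTHENTICATION_TYPE=LLNG: every request
# is authorised by a LemonLDAP:NG handler through auth_request.
server {
  listen 80;
  server_name localhost;

  # LemonLDAP:NG authentication request
  # NOTE(review): the handler host and port tokens (filled from
  # LLNG_HANDLER_HOST / LLNG_HANDLER_PORT by cont-init.d/09-nginx) appear to
  # have been stripped from fastcgi_pass and REMOTE_PORT in this rendering;
  # confirm against the shipped file.
  location = /lmauth {
    internal;
    include /etc/nginx/fastcgi_params;
    fastcgi_pass :;
    fastcgi_param REMOTE_PORT ;
    fastcgi_pass_request_body off;
    fastcgi_param CONTENT_LENGTH "";
    fastcgi_param HOST $http_host;
    fastcgi_param X_ORIGINAL_URI $request_uri;
  }

  location / {
    root /www/html;
    index index.html index.htm;

    # The handler's Set-Cookie is passed through and an unauthenticated
    # request is handed to the location the handler returned.
    auth_request /lmauth;
    auth_request_set $lmremote_user $upstream_http_lm_remote_user;
    auth_request_set $lmlocation $upstream_http_location;
    auth_request_set $cookie_value $upstream_http_set_cookie;
    add_header Set-Cookie $cookie_value;
    error_page 401 $lmlocation;
  }

}

--------------------------------------------------------------------------------
/install/etc/zabbix/zabbix_agentd.conf.d/scripts/nginx-status.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Zabbix UserParameter helper: prints one nginx counter for the metric named in
# $1 (wired up as nginx.status[*] in ../nginx-status.conf). Prints 0 when the
# counter cannot be read.
HOST="localhost"
PORT="73"

# One bounded fetch of stub_status so a hung nginx cannot hang the agent.
function status_page {
  curl -s --max-time 2 "http://$HOST:$PORT/stub_status"
}

function proc_num {
  num=$(pgrep nginx |wc -l)
}
function active {
  num=$(status_page |grep 'Active' |awk '{print $NF}')
}
function reading {
  num=$(status_page |grep 'Reading' |awk '{print $2}')
}
function writing {
  num=$(status_page |grep 'Writing' |awk '{print $4}')
}
function waiting {
  num=$(status_page |grep 'Waiting' |awk '{print $6}')
}
function accepts {
  num=$(status_page |awk NR==3 |awk '{print $1}')
}
function handled {
  num=$(status_page |awk NR==3 |awk '{print $2}')
}
function requests {
  num=$(status_page |awk NR==3 |awk '{print $3}')
}

# $1 arrives from the Zabbix server through the item key, so it is dispatched
# only to the metric functions above and never executed as an arbitrary command.
case "$1" in
  proc_num|active|reading|writing|waiting|accepts|handled|requests)
    "$1"
  ;;
  *)
    echo "nginx-status: unknown metric '$1'" >&2
  ;;
esac
echo ${num:-0}

--------------------------------------------------------------------------------
/examples/docker-compose.yml:
--------------------------------------------------------------------------------
version: '2'

services:
  nginx-ldap-app:
    image: tiredofit/nginx-ldap
    container_name: nginx-ldap-app
    environment:
      - VIRTUAL_HOST=nginx-ldap.hostname.com
      - VIRTUAL_NETWORK=nginx-proxy
      - VIRTUAL_PORT=80
      - LETSENCRYPT_HOST=nginx-ldap.hostname.com
      - LETSENCRYPT_EMAIL=user@hostname.com

      - UPLOAD_MAX_SIZE=2G

      - ZABBIX_HOSTNAME=nginx-ldap-app

      # ldap:// carries the bind password and every user's credentials in
      # cleartext on the wire; use ldaps:// (or another TLS path) outside a lab.
      - LDAP_HOST=ldap://ldapserver:389
      - LDAP_BIND_DN=cn=binduser,dc=whatever,dc=org
      # sample value only - supply the real secret from an env file, not here
      - LDAP_BIND_PW=surepassword
      - LDAP_BASE_DN=dc=hostname,dc=com
      - LDAP_ATTRIBUTE=uid
      - LDAP_SCOPE=sub
      - LDAP_FILTER=(objectClass=*)
      - LDAP_GROUP_ATTRIBUTE=uniquemember

    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ./data:/www/html
      - ./logs:/www/logs
    networks:
      - proxy-tier
    restart: always

networks:
  proxy-tier:
    external:
      name: nginx-proxy

--------------------------------------------------------------------------------
/LICENSE: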
-------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2017 Dave Conroy 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
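
--------------------------------------------------------------------------------
/install/etc/nginx/nginx.conf:
--------------------------------------------------------------------------------
# Main nginx configuration: foreground master, one worker running as
# nginx:www-data, a loopback-only stub_status server on port 73 for Zabbix,
# and the site definitions pulled in from conf.d.
daemon off;

user nginx www-data;
worker_processes 1;

error_log /www/logs/nginx/error.log warn;
pid /var/run/nginx.pid;


events {
  worker_connections 1024;
}


http {
  include /etc/nginx/mime.types;
  default_type application/octet-stream;

  # Every source in 172.16.0.0/12 is trusted to set the client address through
  # X-Forwarded-For. That is the whole private range, not just the reverse
  # proxy; narrow it to the proxy's address or subnet, because the rewritten
  # address is what the allow/deny rules below and the access log see.
  real_ip_header X-Forwarded-For;
  set_real_ip_from 172.16.0.0/12;

  log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';

  access_log /www/logs/nginx/access.log main;

  sendfile on;
  #tcp_nopush on;

  keepalive_timeout 265;

  # NOTE(review): the size token here (replaced from UPLOAD_MAX_SIZE by
  # cont-init.d/09-nginx) appears stripped in this rendering of the file.
  client_max_body_size ;

  server {
    listen 73;
    server_name 127.0.0.1;

    ## Zabbix
    # Port 73 is not EXPOSEd by the Dockerfile; the allow/deny pair keeps the
    # counters off anything that can still reach the container directly.
    location /stub_status {
      stub_status on;
      access_log off;
      allow 127.0.0.1;
      deny all;
    }

  }

  include /etc/nginx/conf.d/*.conf;
}

--------------------------------------------------------------------------------
/CHANGELOG.md:
--------------------------------------------------------------------------------
## 4.0.1 2018-09-24

* Bump to Nginx 1.15.3

## 4.0 2018-04-28

* Ability to protect service via basic authentication or using LemonLDAP:NG Handlers


## 3.7 2018-04-02

* Added MAINTENANCE environment variable to move system to maintenance mode. Also maintenance script (off/on/sleep 60) inside container.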
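
## 3.6 2018-02-20

* Fix Startup issues with missing logfiles

## 3.5 2018-02-20

* Add Reverse Proxy Detection

## 3.4 2018-02-01

* Rebase

## 3.3 2018-01-29

* Update Nginx to 1.13.8
* Update Zabbix Scripts

## 3.2 2017-12-01

* Update Base to Alpine 3.7

## 3.11 2017-12-01

* Bump Nginx Version 1.13.7

## 3.1 2017-09-27

* Fix Build Issues

## 3.0 2017-08-27

* Major Release Bump to support Base Image

## 2.3 2017-07-13

* Updated Initialization Routines via cont-init.d

## 2.2 2017-07-03

* Add Logwatch

## 2.1 2017-07-02

* Init Script Sanity Fix

## 2.0 2017-06-23

* Rebase with s6.d

## 1.2 2017-05-20

* Rebase Alpine 3.4
* Nginx 1.13.0
* Updated Modules and Configuration to match upstream Nginx Image

## 1.1 2017-04-05

* Base Cleanup

## 1.0 2017-02-09

* Rebase with SD Alpine:edge w/Zabbix

## 0.9 2017-01-30

* Alpine:edge Base
* Nginx 1.11.9
* Nginx mod-ldap included

--------------------------------------------------------------------------------
/install/usr/sbin/maintenance:
--------------------------------------------------------------------------------
#!/bin/bash
# Switch nginx into or out of maintenance mode by swapping config files in
# /etc/nginx/conf.d and reloading. The names match what cont-init.d/09-nginx
# ships and parks: the live site is 02-default.conf (plus 01-ldap.conf) and
# the maintenance page is maintenance.conf.maint. The previous version moved a
# non-existent default.conf, so the maintenance page never took over port 80.
#
# Usage: maintenance (on|off|sleep [NUM [VALUE]])

CONFD=/etc/nginx/conf.d

# Park the live site configs and activate the maintenance server block.
maintenance_on() {
  mv "$CONFD/02-default.conf" "$CONFD/02-default.conf.orig"
  [ -f "$CONFD/01-ldap.conf" ] && mv "$CONFD/01-ldap.conf" "$CONFD/01-ldap.conf.orig"
  mv "$CONFD/maintenance.conf.maint" "$CONFD/maintenance.conf"
  nginx -s reload
}

# Reverse of maintenance_on.
maintenance_off() {
  mv "$CONFD/02-default.conf.orig" "$CONFD/02-default.conf"
  [ -f "$CONFD/01-ldap.conf.orig" ] && mv "$CONFD/01-ldap.conf.orig" "$CONFD/01-ldap.conf"
  mv "$CONFD/maintenance.conf" "$CONFD/maintenance.conf.maint"
  nginx -s reload
}

if [ -z "$1" ]; then
  echo "Usage: maintenance (on|off|sleep NUM VALUE)"
  echo ""
  echo "Example: "
  echo ""
  echo "maintenance on - Switches on Maintenance Mode"
  echo "maintenance off - Switches off Maintenance Mode"
  echo "maintenance sleep - Switches on Maintenance Mode temporarily for 15 minutes"
  echo "maintenance sleep 10 min - Switches on Maintenance Mode temporarily for 10 min"
  echo ""
  echo "Valid VALUE is seconds (sec, secs), minutes (min, mins) , hours (hour, hr) , days (day)"
  exit
fi

case "$1" in
  "on" | "ON" | "true" | "TRUE" )
    maintenance_on
    echo 'Maintenance Mode Activated'
  ;;
  "off" | "OFF" | "false" | "FALSE" )
    maintenance_off
    echo 'Maintenance Mode Deactivated'
  ;;
  "sleep" | "SLEEP" | "temp" | "TEMP" )
    # Work out the duration before touching any config, so a bad argument
    # leaves the site alone instead of switching it on and straight off again.
    SLEEPNUM="${2:-15}"
    SLEEPUNIT="${3:-min}"
    case "$SLEEPNUM" in
      ''|*[!0-9]*)
        echo "Invalid NUM '$SLEEPNUM': must be a whole number" >&2
        exit 1
      ;;
    esac
    case "$SLEEPUNIT" in
      "min" | "mins" | "minutes" | "MIN" | "MINS" | "MINUTES" )
        SLEEPCALC=$((SLEEPNUM * 60))
        SLEEPDESC="minutes"
      ;;
      "seconds" | "secs" | "sec" | "SECONDS" | "SECS" | "SEC" )
        SLEEPCALC=$((SLEEPNUM * 1))
        SLEEPDESC="seconds"
      ;;
      "hour" | "hours" | "hr" | "hrs" | "HOUR" | "HOURS" | "HR" | "HRS" )
        SLEEPCALC=$((SLEEPNUM * 3600))
        SLEEPDESC="hour(s)"
      ;;
      "day" | "days" | "DAY" | "DAYS" )
        SLEEPCALC=$((SLEEPNUM * 86400))
        SLEEPDESC="day(s)"
      ;;
      *)
        echo "Invalid VALUE '$SLEEPUNIT': use sec, min, hour or day" >&2
        exit 1
      ;;
    esac

    maintenance_on
    echo 'Maintenance Mode Temporarily Activated for '$SLEEPNUM' '$SLEEPDESC
    sleep "$SLEEPCALC"
    maintenance_off
    echo 'Maintenance Mode Deactivated'
  ;;
  *)
    echo "Unknown option '$1'. Run without arguments for usage." >&2
    exit 1
  ;;
esac

--------------------------------------------------------------------------------
/install/etc/cont-init.d/09-nginx:
--------------------------------------------------------------------------------
#!/usr/bin/with-contenv bash
# cont-init stage for nginx: pick the authentication mode, fill the runtime
# tokens into the nginx configs, optionally park the site in maintenance mode
# and prepare the log/temp directories. Runs as root before the s6 service.

### Set Defaults
tokensFromEnv="LDAP_HOST LDAP_BIND_DN LDAP_BIND_PW LDAP_BASE_DN LDAP_ATTRIBUTE LDAP_SCOPE LDAP_FILTER LDAP_GROUP_ATTRIBUTE"

AUTHENTICATION_TYPE=${AUTHENTICATION_TYPE:-NONE}
MAINTENANCE=${MAINTENANCE:-"FALSE"}
PHP_TIMEOUT=${PHP_TIMEOUT:-"180"}
UPLOAD_MAX_SIZE=${UPLOAD_MAX_SIZE:-"2G"}
STAGE=${STAGE:-"DEVELOP"}
LDAP_ATTRIBUTE=${LDAP_ATTRIBUTE:="uid"}
LDAP_SCOPE=${LDAP_SCOPE:="sub"}
LDAP_FILTER=${LDAP_FILTER:="(objectClass=person)"}
LDAP_GROUP_ATTRIBUTE=${LDAP_GROUP_ATTRIBUTE:="uniquemember"}
LLNG_HANDLER_HOST=${LLNG_HANDLER_HOST="llng-handler"}
LLNG_HANDLER_PORT=${LLNG_HANDLER_PORT="2884"}
# Built-in fallbacks for BASIC mode only; a real deployment must set both.
WEB_USER=${WEB_USER:-admin}
WEB_PASS=${WEB_PASS:-password}

### Map Authentication
case "$AUTHENTICATION_TYPE" in
  "BASIC")
    if [ "$WEB_PASS" = "password" ]; then
      echo '** [nginx-php-fpm] WARNING: WEB_PASS is the built-in default - set a real password'
    fi
    # The password goes in on stdin (-i) instead of the command line (-b),
    # where every process in the container could read it during the call.
    printf '%s\n' "$WEB_PASS" | htpasswd -i -c /etc/nginx/htpasswd "$WEB_USER"
    # Workers run as nginx:www-data (nginx.conf), so group-read is enough.
    chown root:www-data /etc/nginx/htpasswd
    chmod 0640 /etc/nginx/htpasswd
    # 02-default.conf has no "location /" block, so the previous anchor
    # (/ location \//) never matched and BASIC mode silently protected nothing.
    # Anchor on the listen line instead so the directives apply server-wide.
    sed -i -e '/^[[:space:]]*listen 80;/a\ \ \ \ auth_basic "Protected"; auth_basic_user_file /etc/nginx/htpasswd;' /etc/nginx/conf.d/02-default.conf
    echo '** [nginx-php-fpm] Setting Basic Authentication'
  ;;
  "LLNG")
    if [ -f "/etc/nginx/conf.d/02-default.llng" ]; then
      # NOTE(review): the search pattern between "s/" and "/" (the handler host
      # and port tokens in 02-default.llng) appears stripped in this rendering;
      # confirm against the shipped files before relying on these two lines.
      sed -i "s//$LLNG_HANDLER_HOST/g" /etc/nginx/conf.d/02-default.llng
      sed -i "s//$LLNG_HANDLER_PORT/g" /etc/nginx/conf.d/02-default.llng
      echo '** [nginx-php-fpm] Setting LLNG Authentication'
      mv /etc/nginx/conf.d/02-default.conf /etc/nginx/conf.d/02-default.orig
      mv /etc/nginx/conf.d/02-default.llng /etc/nginx/conf.d/02-default.conf
    else
      echo '** [nginx-php-fpm] ERROR: Cannot find specific Configuration for LLNG Authentication exiting.'
      exit 1
    fi
  ;;
  "NONE")
    echo '** [nginx-php-fpm] Relying on Application Authentication'
  ;;
  *)
    echo '** [nginx-php-fpm] Unknown AUTHENTICATION_TYPE option. Relying on Application Authentication'
  ;;
esac


### Adjust NGINX Runtime Variables
# NOTE(review): as above, the tokens being replaced (UPLOAD_MAX_SIZE in
# nginx.conf, PHP_TIMEOUT in 02-default.conf) appear stripped from these
# two patterns in this rendering.
sed -i -e "s//$UPLOAD_MAX_SIZE/g" /etc/nginx/nginx.conf
sed -i -e "s//$PHP_TIMEOUT/g" /etc/nginx/conf.d/02-default.conf

### LDAP Setup
# Done before the maintenance step so the parked 01-ldap.conf.orig is already
# substituted and "maintenance off" restores a working LDAP config.
# Each value is escaped for the replacement side of sed: '&', '\', '$' and
# the '|' used as delimiter below. printf rather than echo so values such as
# "-n" or ones with backslashes pass through unchanged.
for envVar in $tokensFromEnv; do
  envValue=$(printf '%s' "${!envVar}" | sed -e 's/[&\\\$|]/\\&/g')
  sed -i -e "s|\$${envVar}|${envValue}|g" /etc/nginx/conf.d/01-ldap.conf;
done
# The file now holds the bind password; only the root master process reads it.
chmod 0600 /etc/nginx/conf.d/01-ldap.conf

if [ "$MAINTENANCE" = "TRUE" ] || [ "$MAINTENANCE" = "true" ]; then
  echo '** MAINTENANCE MODE ACTIVATED - THIS IMAGE WILL NOT SERVE PAGES'
  mv /etc/nginx/conf.d/02-default.conf /etc/nginx/conf.d/02-default.conf.orig
  mv /etc/nginx/conf.d/01-ldap.conf /etc/nginx/conf.d/01-ldap.conf.orig
  # The destination used to be /etc/nginx.conf.d/... (no such directory), so
  # the maintenance server block was never installed and port 80 served nothing.
  mv /etc/nginx/conf.d/maintenance.conf.maint /etc/nginx/conf.d/maintenance.conf
fi

mkdir -p /www/logs/nginx
chown -R nginx /www/logs/nginx
mkdir -p /tmp/nginx
chown -R nginx /tmp/nginx

mkdir -p /tmp/state
touch /tmp/state/09-nginx

--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
FROM tiredofit/alpine:3.9
LABEL maintainer="Dave Conroy (dave at tiredofit dot ca)"

### Build Nginx
ENV NGINX_VERSION=1.16.0 \
    ZABBIX_HOSTNAME=nginx-ldap

RUN set -x ; \
    CONFIG="\
    --prefix=/etc/nginx \
    --sbin-path=/usr/sbin/nginx \
    --modules-path=/usr/lib/nginx/modules \
    --conf-path=/etc/nginx/nginx.conf \
    --error-log-path=/var/log/nginx/error.log \
    --http-log-path=/var/log/nginx/access.log \
    --pid-path=/var/run/nginx.pid \
    --lock-path=/var/run/nginx.lock \
    --http-client-body-temp-path=/var/cache/nginx/client_temp \
    --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
    --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \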
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \ 22 | --http-scgi-temp-path=/var/cache/nginx/scgi_temp \ 23 | --user=nginx \ 24 | --group=nginx \ 25 | --with-http_ssl_module \ 26 | --with-http_realip_module \ 27 | --with-http_addition_module \ 28 | --with-http_sub_module \ 29 | --with-http_dav_module \ 30 | --with-http_flv_module \ 31 | --with-http_mp4_module \ 32 | --with-http_gunzip_module \ 33 | --with-http_gzip_static_module \ 34 | --with-http_random_index_module \ 35 | --with-http_secure_link_module \ 36 | --with-http_stub_status_module \ 37 | --with-http_auth_request_module \ 38 | --with-http_xslt_module=dynamic \ 39 | --with-http_image_filter_module=dynamic \ 40 | --with-http_geoip_module=dynamic \ 41 | --with-http_perl_module=dynamic \ 42 | --with-threads \ 43 | --with-stream \ 44 | --with-stream_ssl_module \ 45 | --with-stream_ssl_preread_module \ 46 | --with-stream_realip_module \ 47 | --with-stream_geoip_module=dynamic \ 48 | --with-http_slice_module \ 49 | --with-mail \ 50 | --with-mail_ssl_module \ 51 | --with-compat \ 52 | --with-file-aio \ 53 | --with-http_v2_module \ 54 | --add-module=/usr/src/nginx-auth-ldap \ 55 | " ; \ 56 | addgroup -S www-data ; \ 57 | adduser -D -S -h /var/cache/nginx -s /sbin/nologin -G www-data nginx ; \ 58 | apk add --no-cache --virtual .nginx-build-deps \ 59 | gcc \ 60 | gd-dev \ 61 | geoip-dev \ 62 | gnupg \ 63 | libc-dev \ 64 | libressl-dev \ 65 | libxslt-dev \ 66 | linux-headers \ 67 | make \ 68 | openldap-dev \ 69 | pcre-dev \ 70 | perl-dev \ 71 | tar \ 72 | zlib-dev \ 73 | ; \ 74 | \ 75 | mkdir -p /usr/src/nginx-auth-ldap /www /www/logs/nginx ; \ 76 | curl https://codeload.github.com/kvspb/nginx-auth-ldap/tar.gz/master | tar xz --strip=1 -C /usr/src/nginx-auth-ldap ; \ 77 | curl -fSL http://nginx.org/download/nginx-$NGINX_VERSION.tar.gz -o nginx.tar.gz ; \ 78 | mkdir -p /usr/src ; \ 79 | tar -zxC /usr/src -f nginx.tar.gz ; \ 80 | rm nginx.tar.gz ; \ 81 | cd /usr/src/nginx-$NGINX_VERSION ; \ 82 | ./configure $CONFIG 
--with-debug ; \ 83 | make -j$(getconf _NPROCESSORS_ONLN) ; \ 84 | mv objs/nginx objs/nginx-debug ; \ 85 | mv objs/ngx_http_xslt_filter_module.so objs/ngx_http_xslt_filter_module-debug.so ; \ 86 | mv objs/ngx_http_image_filter_module.so objs/ngx_http_image_filter_module-debug.so ; \ 87 | mv objs/ngx_http_geoip_module.so objs/ngx_http_geoip_module-debug.so ; \ 88 | mv objs/ngx_http_perl_module.so objs/ngx_http_perl_module-debug.so ; \ 89 | mv objs/ngx_stream_geoip_module.so objs/ngx_stream_geoip_module-debug.so ; \ 90 | ./configure $CONFIG ; \ 91 | make -j$(getconf _NPROCESSORS_ONLN) ; \ 92 | make install ; \ 93 | rm -rf /etc/nginx/html/ ; \ 94 | mkdir -p /etc/nginx/conf.d/ ; \ 95 | mkdir -p /usr/share/nginx/html/ ; \ 96 | install -m644 html/index.html /usr/share/nginx/html/ ; \ 97 | install -m644 html/50x.html /usr/share/nginx/html/ ; \ 98 | install -m755 objs/nginx-debug /usr/sbin/nginx-debug ; \ 99 | install -m755 objs/ngx_http_xslt_filter_module-debug.so /usr/lib/nginx/modules/ngx_http_xslt_filter_module-debug.so ; \ 100 | install -m755 objs/ngx_http_image_filter_module-debug.so /usr/lib/nginx/modules/ngx_http_image_filter_module-debug.so ; \ 101 | install -m755 objs/ngx_http_geoip_module-debug.so /usr/lib/nginx/modules/ngx_http_geoip_module-debug.so ; \ 102 | install -m755 objs/ngx_http_perl_module-debug.so /usr/lib/nginx/modules/ngx_http_perl_module-debug.so ; \ 103 | install -m755 objs/ngx_stream_geoip_module-debug.so /usr/lib/nginx/modules/ngx_stream_geoip_module-debug.so ; \ 104 | ln -s ../../usr/lib/nginx/modules /etc/nginx/modules ; \ 105 | strip /usr/sbin/nginx* ; \ 106 | strip /usr/lib/nginx/modules/*.so ; \ 107 | rm -rf /usr/src/nginx-$NGINX_VERSION ; \ 108 | \ 109 | # Bring in gettext so we can get `envsubst`, then throw 110 | # the rest away. To do this, we need to install `gettext` 111 | # then move `envsubst` out of the way so `gettext` can 112 | # be deleted completely, then move `envsubst` back. 
113 | apk add --no-cache --virtual .gettext gettext ; \ 114 | mv /usr/bin/envsubst /tmp/ ; \ 115 | \ 116 | runDeps="$( \ 117 | scanelf --needed --nobanner /usr/sbin/nginx /usr/lib/nginx/modules/*.so /tmp/envsubst \ 118 | | awk '{ gsub(/,/, "\nso:", $2); print "so:" $2 }' \ 119 | | sort -u \ 120 | | xargs -r apk info --installed \ 121 | | sort -u \ 122 | )" ; \ 123 | apk add --no-cache --virtual .nginx-rundeps $runDeps ; \ 124 | apk add --no-cache apache2-utils openldap ; \ 125 | apk del .nginx-build-deps ; \ 126 | apk del .gettext ; \ 127 | mv /tmp/envsubst /usr/local/bin/ ; \ 128 | \ 129 | rm -rf /usr/src/* /var/tmp/* /var/cache/apk/* ; \ 130 | \ 131 | 132 | ### WWW Installation 133 | mkdir -p /www/logs/nginx 134 | 135 | ### Files Addition 136 | ADD install / 137 | RUN chmod +x /etc/zabbix/zabbix_agentd.conf.d/scripts/* 138 | 139 | ### Networking Configuration 140 | EXPOSE 80 141 | 142 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # hub.docker.com/r/tiredofit/nginx-ldap 2 | 3 | [![Build Status](https://img.shields.io/docker/build/tiredofit/nginx-ldap.svg)](https://hub.docker.com/r/tiredofit/nginx-ldap) 4 | [![Docker Pulls](https://img.shields.io/docker/pulls/tiredofit/nginx-ldap.svg)](https://hub.docker.com/r/tiredofit/nginx-ldap) 5 | [![Docker Stars](https://img.shields.io/docker/stars/tiredofit/nginx-ldap.svg)](https://hub.docker.com/r/tiredofit/nginx-ldap) 6 | [![Docker 7 | Layers](https://images.microbadger.com/badges/image/tiredofit/nginx-ldap.svg)](https://microbadger.com/images/tiredofit/nginx-ldap) 8 | 9 | # Introduction 10 | 11 | This will build a container for [Nginx](https://www.nginx.org) w/ LDAP Authentication Enabled 12 | 13 | * Tracks Mainline release channel 14 | * Includes Zabbix Monitoring (nginx status) on port 73 15 | * Logrotate Included to roll over log files at 23:59, compress and retain for 7 days 16 | * 
Ability to Password Protect (Basic) or use LemonLDAP:NG Handler 17 | * Compile Options: 18 | * --with-threads 19 | --with-http_ssl_module 20 | --with-http_realip_module 21 | --with-http_addition_module 22 | --with-http_sub_module 23 | --with-http_dav_module 24 | --with-http_flv_module 25 | --with-http_mp4_module 26 | --with-http_gunzip_module 27 | --with-http_gzip_static_module 28 | --with-http_random_index_module 29 | --with-http_secure_link_module 30 | --with-http_stub_status_module 31 | --with-http_auth_request_module 32 | --with-http_xslt_module=dynamic 33 | --with-http_image_filter_module=dynamic 34 | --with-http_geoip_module=dynamic 35 | --with-http_perl_module=dynamic 36 | --with-threads 37 | --with-stream 38 | --with-stream_ssl_module 39 | --with-stream_ssl_preread_module 40 | --with-stream_realip_module 41 | --with-stream_geoip_module=dynamic 42 | --with-http_slice_module 43 | --with-mail 44 | --with-mail_ssl_module 45 | --with-compat 46 | --with-file-aio 47 | --with-http_v2_module 48 | 49 | This Container uses [tiredofit:alpine:3.7](https://hub.docker.com/r/tiredofit/alpine) as a base. 
50 | 51 | 52 | [Changelog](CHANGELOG.md) 53 | 54 | # Authors 55 | 56 | - [Dave Conroy](https://github.com/tiredofit) 57 | 58 | # Table of Contents 59 | 60 | - [Introduction](#introduction) 61 | - [Changelog](CHANGELOG.md) 62 | - [Prerequisites](#prerequisites) 63 | - [Installation](#installation) 64 | - [Quick Start](#quick-start) 65 | - [Configuration](#configuration) 66 | - [Data Volumes](#data-volumes) 67 | - [Environment Variables](#environmentvariables) 68 | - [Networking](#networking) 69 | - [Maintenance](#maintenance) 70 | - [Shell Access](#shell-access) 71 | - [References](#references) 72 | 73 | # Prerequisites 74 | 75 | This image assumes that you are using a reverse proxy such as [jwilder/nginx-proxy](https://github.com/jwilder/nginx-proxy) and optionally the [Let's Encrypt Proxy Companion @ https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion) in order to serve your pages. However, it will run just fine on it's own if you map appropriate ports. 76 | 77 | 78 | # Installation 79 | 80 | Automated builds of the image are available on [Docker Hub](https://hub.docker.com/tiredofit/nginx-ldap) and is the recommended method of installation. 81 | 82 | 83 | ```bash 84 | docker pull tiredofit/nginx-ldap 85 | ``` 86 | 87 | # Quick Start 88 | 89 | * The quickest way to get started is using [docker-compose](https://docs.docker.com/compose/). See the examples folder for a working [docker-compose.yml](examples/docker-compose.yml) that can be modified for development or production use. 90 | 91 | * Set various [environment variables](#environment-variables) to understand the capabilities of this image. 92 | * Map [persistent storage](#data-volumes) for access to configuration and data files for backup. 
93 | * Make [networking ports](#networking) available for public access if necessary 94 | 95 | 96 | 97 | # Configuration 98 | 99 | ### Data-Volumes 100 | 101 | The container starts up and reads from `/etc/nginx/nginx.conf` for some basic configuration and to listen on port 73 internally for Nginx Status responses. `/etc/nginx/conf.d` contains a sample configuration file that can be used to customize a nginx server block. The LDAP configuration resides in the `/etc/nginx/conf.d/01-ldap.conf` upon container start. 102 | 103 | 104 | The following directories are used for configuration and can be mapped for persistent storage. 105 | 106 | | Directory | Description | 107 | |--------------|-------------------------------------------------------------| 108 | | `/www/html` | Drop your Datafiles in this directory to be served by Nginx | 109 | | `/www/logs` | Logfiles for Nginx error and access | 110 | 111 | 112 | ### Environment Variables 113 | 114 | Along with the Environment Variables from the [Base image](https://hub.docker.com/r/tiredofit/alpine), below is the complete list of available options that can be used to customize your installation. 115 | 116 | Authentication Options 117 | 118 | | Parameter | Description | 119 | |-----------|-------------| 120 | | `AUTHENTICATION_TYPE` | Protect site - `NONE`,`BASIC`,`LLNG` - Default `NONE` | 121 | | `WEB_USER` | If `BASIC` chosen enter this for the username to protect site | 122 | | `WEB_PASS` | If `BASIC` chosen enter this for the password to protect site | 123 | | `LLNG_HANDLER_HOST` | If `LLNG` chosen use hostname of handler - Default `llng-handler` 124 | | `LLNG_HANDLER_PORT` | If `LLNG` chosen use this port for handler - Default `2884` | 125 | 126 | The `LLNG` option is for when using LemonLDAP:NG Handlers to protect your application and require modification to the `/etc/nginx/conf.d/default.llng` file to fully work properly! 
127 | 128 | General Options 129 | 130 | 131 | | Parameter | Description | 132 | |------------------|----------------------------------------| 133 | | `UPLOAD_MAX_SIZE` | Maximum Upload Size for Nginx (e.g 2G) | 134 | | `LDAP_HOST` | Hostname and port number of LDAP Server (e.g. ldapserver:389) | 135 | | `LDAP_BIND_DN` | User to Bind to LDAP (e.g. cn=admin,dc=orgname,dc=org) | 136 | | `LDAP_BIND_PW` | Password for Above Bind User (e.g. password) | 137 | | `LDAP_BASE_DN` | Base Distringuished Name (e =dc=hostname,dc=com | 138 | | `LDAP_ATTRIBUTE` | Unique Identifier Attrbiute (e.g. uid) | 139 | | `LDAP_SCOPE` |LDAP Scope for searching (e.g. sub) | 140 | | `LDAP_FILTER` | Define what object that is searched for (e.g. objectClass=person) | 141 | | `LDAP_GROUP_ATTRIBUTE` | If searching inside of a group what is the Group Attribute (e.g. uniquemember) | 142 | 143 | 144 | 145 | ### Networking 146 | 147 | The following ports are exposed. 148 | 149 | | Port | Description | 150 | |-----------|-------------| 151 | | `80` | HTTP | 152 | | `443` | HTTPS | 153 | 154 | 155 | # Maintenance 156 | #### Shell Access 157 | 158 | For debugging and maintenance purposes you may want access the containers shell. 159 | 160 | ```bash 161 | docker exec -it (whatever your container name is e.g. 
nginx-ldap) bash 162 | ``` 163 | 164 | # References 165 | 166 | * https://nginx.org/ 167 | * https://github.com/kvspb/nginx-auth-ldap 168 | -------------------------------------------------------------------------------- /zabbix_templates/zabbix_agent_container.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 3.4 4 | 2018-02-02T19:04:27Z 5 | 6 | 7 | Discovered Containers 8 | 9 | 10 | Templates 11 | 12 | 13 | 14 | 161 | 396 | 397 | 398 | 399 | {Service - ICMP:icmpping.max(3m)}=3 400 | 0 401 | 402 | Cannot be pinged 403 | 0 404 | 405 | 406 | 0 407 | 5 408 | 409 | 0 410 | 0 411 | 412 | 413 | 414 | 415 | {Service - ICMP:icmppingloss.min(10m)}>50 416 | 0 417 | 418 | Ping loss is too high 419 | 0 420 | 421 | 422 | 0 423 | 4 424 | 425 | 0 426 | 0 427 | 428 | 429 | Cannot be pinged 430 | {Service - ICMP:icmpping.max(3m)}=3 431 | 432 | 433 | 434 | 435 | 436 | 437 | {Service - ICMP:icmppingsec.avg(2m)}>100 438 | 0 439 | 440 | Ping Response time is too high 441 | 0 442 | 443 | 444 | 0 445 | 4 446 | 447 | 1 448 | 0 449 | 450 | 451 | Cannot be pinged 452 | {Service - ICMP:icmpping.max(3m)}=3 453 | 454 | 455 | 456 | 457 | 458 | 459 | {Zabbix - Container Agent:packages.upgradable.last()}>0 460 | 0 461 | 462 | Upgraded Packages in Container Available 463 | 0 464 | 465 | 466 | 0 467 | 1 468 | 469 | 0 470 | 0 471 | 472 | 473 | 474 | 475 | {Zabbix - Container Agent:agent.ping.nodata(3m)}=1 476 | 0 477 | 478 | Zabbix agent is unreachable 479 | 0 480 | 481 | 482 | 0 483 | 5 484 | 485 | 0 486 | 0 487 | 488 | 489 | 490 | 491 | 492 | 493 | Service state 494 | 495 | 496 | 0 497 | Down 498 | 499 | 500 | 1 501 | Up 502 | 503 | 504 | 505 | 506 | Zabbix agent ping status 507 | 508 | 509 | 1 510 | Up 511 | 512 | 513 | 514 | 515 | 516 | -------------------------------------------------------------------------------- /zabbix_templates/app_nginx.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 3.4 4 | 
2018-02-02T19:00:11Z 5 | 6 | 7 | Templates 8 | 9 | 10 | VPN 11 | 12 | 13 | Websites 14 | 15 | 16 | 17 | 388 | 389 | 390 | 391 | {APP - Nginx:nginx.status[proc_num].last()}=0 392 | 0 393 | 394 | Nginx is down 395 | 0 396 | 397 | 398 | 0 399 | 5 400 | 401 | 0 402 | 0 403 | 404 | 405 | 406 | 407 | 408 | 409 | Active connections 410 | 900 411 | 200 412 | 0.0000 413 | 100.0000 414 | 1 415 | 1 416 | 0 417 | 1 418 | 0 419 | 0.0000 420 | 0.0000 421 | 0 422 | 0 423 | 0 424 | 0 425 | 426 | 427 | 0 428 | 0 429 | 00C800 430 | 0 431 | 2 432 | 0 433 | 434 | APP - Nginx 435 | nginx.status[active] 436 | 437 | 438 | 439 | 1 440 | 0 441 | C80000 442 | 0 443 | 2 444 | 0 445 | 446 | APP - Nginx 447 | nginx.status[waiting] 448 | 449 | 450 | 451 | 452 | 453 | Nginx Connections\min 454 | 900 455 | 200 456 | 0.0000 457 | 100.0000 458 | 1 459 | 1 460 | 0 461 | 1 462 | 0 463 | 0.0000 464 | 0.0000 465 | 1 466 | 0 467 | 0 468 | 0 469 | 470 | 471 | 0 472 | 0 473 | 00C800 474 | 0 475 | 2 476 | 0 477 | 478 | APP - Nginx 479 | nginx.status[accepts] 480 | 481 | 482 | 483 | 1 484 | 0 485 | C80000 486 | 0 487 | 2 488 | 0 489 | 490 | APP - Nginx 491 | nginx.status[handled] 492 | 493 | 494 | 495 | 2 496 | 0 497 | 0000C8 498 | 0 499 | 2 500 | 0 501 | 502 | APP - Nginx 503 | nginx.status[requests] 504 | 505 | 506 | 507 | 508 | 509 | Nginx Proc_Num 510 | 900 511 | 200 512 | 0.0000 513 | 100.0000 514 | 1 515 | 1 516 | 0 517 | 1 518 | 0 519 | 0.0000 520 | 0.0000 521 | 1 522 | 0 523 | 0 524 | 0 525 | 526 | 527 | 0 528 | 0 529 | 00C800 530 | 0 531 | 2 532 | 0 533 | 534 | APP - Nginx 535 | nginx.status[proc_num] 536 | 537 | 538 | 539 | 540 | 541 | 542 | --------------------------------------------------------------------------------