|
1 | | -FROM debian:bookworm-slim@sha256:f528891ab1aa484bf7233dbcc84f3c806c3e427571d75510a9d74bb5ec535b33 |
| 1 | +ARG RELEASE=bookworm |
| 2 | +FROM debian:${RELEASE}-slim@sha256:f528891ab1aa484bf7233dbcc84f3c806c3e427571d75510a9d74bb5ec535b33 |
2 | 3 |
|
3 | | -ENV NGINX_PLUS_VERSION 30-2 |
4 | | -ENV NGINX_VERSION 1.25.1 |
5 | | -ENV NJS_VERSION 30+0.8.0-1 |
6 | | -ENV XSLT_VERSION 30-1 |
| 4 | +# Persist RELEASE argument |
| 5 | +ARG RELEASE |
7 | 6 |
|
8 | | -ENV PROXY_CACHE_MAX_SIZE "10g" |
9 | | -ENV PROXY_CACHE_INACTIVE "60m" |
10 | | -ENV PROXY_CACHE_SLICE_SIZE "1m" |
11 | | -ENV PROXY_CACHE_VALID_OK "1h" |
12 | | -ENV PROXY_CACHE_VALID_NOTFOUND "1m" |
13 | | -ENV PROXY_CACHE_VALID_FORBIDDEN "30s" |
14 | | -ENV CORS_ENABLED 0 |
15 | | -ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS "" |
16 | | -ENV DIRECTORY_LISTING_PATH_PREFIX "" |
17 | | -ENV STRIP_LEADING_DIRECTORY_PATH "" |
18 | | -ENV PREFIX_LEADING_DIRECTORY_PATH "" |
| 7 | +# NJS env vars |
| 8 | +ENV NGINX_VERSION=32 |
| 9 | +ENV NGINX_PKG_RELEASE=1~${RELEASE} |
| 10 | +ENV NJS_VERSION=0.8.4 |
| 11 | +ENV NJS_PKG_RELEASE=1~${RELEASE} |
19 | 12 |
|
20 | | -COPY plus/usr /usr |
| 13 | +# Proxy cache env vars |
| 14 | +ENV PROXY_CACHE_MAX_SIZE=10g |
| 15 | +ENV PROXY_CACHE_INACTIVE=60m |
| 16 | +ENV PROXY_CACHE_SLICE_SIZE=1m |
| 17 | +ENV PROXY_CACHE_VALID_OK=1h |
| 18 | +ENV PROXY_CACHE_VALID_NOTFOUND=1m |
| 19 | +ENV PROXY_CACHE_VALID_FORBIDDEN=30s |
21 | 20 |
|
22 | | -# Copy files from the OSS NGINX Docker container such that the container |
23 | | -# startup is the same. |
24 | | -# Source: https://github.com/nginxinc/docker-nginx/tree/1.19.2/stable/buster |
25 | | -COPY common/docker-entrypoint.sh /docker-entrypoint.sh |
26 | | -COPY common/docker-entrypoint.d /docker-entrypoint.d/ |
27 | | -COPY plus/docker-entrypoint.d /docker-entrypoint.d/ |
28 | | -# Add NGINX Plus package repository keyring |
29 | | -COPY plus/usr/share/keyrings/nginx-archive-keyring.gpg /usr/share/keyrings/nginx-archive-keyring.gpg |
| 21 | +# CORS env vars |
| 22 | +ENV CORS_ENABLED=0 |
| 23 | +ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS="" |
30 | 24 |
|
31 | | -RUN --mount=type=secret,id=nginx-crt --mount=type=secret,id=nginx-key \ |
32 | | - set -eux \ |
33 | | - export DEBIAN_FRONTEND=noninteractive; \ |
34 | | - mkdir -p /etc/ssl/nginx; \ |
35 | | - cp /run/secrets/nginx-crt /etc/ssl/nginx/nginx-repo.crt; \ |
36 | | - chmod 0664 /etc/ssl/nginx/nginx-repo.crt; \ |
37 | | - cp /run/secrets/nginx-key /etc/ssl/nginx/nginx-repo.key; \ |
38 | | - chmod 0664 /etc/ssl/nginx/nginx-repo.key; \ |
39 | | - # create nginx user/group first, to be consistent throughout docker variants |
40 | | - addgroup --system --gid 101 nginx; \ |
41 | | - adduser --system --disabled-login --ingroup nginx --no-create-home --home /nonexistent --gecos "nginx user" --shell /bin/false --uid 101 nginx; \ |
42 | | - apt-get -qq update; \ |
43 | | - apt-get -qq upgrade --yes; \ |
44 | | - apt-get -qq install --yes \ |
45 | | - ca-certificates \ |
46 | | - curl \ |
47 | | - libedit2; \ |
48 | | - sh -a /usr/local/bin/add_nginx_plus_repo.sh; \ |
49 | | - rm /usr/local/bin/add_nginx_plus_repo.sh; \ |
50 | | - apt-get -qq update; \ |
51 | | - export DISTRO_VERSION="$(grep '^VERSION_CODENAME=' /etc/os-release | awk -v FS='=' '{print $2}')" && \ |
52 | | - apt-get -qq install --no-install-recommends --no-install-suggests -y \ |
53 | | - nginx-plus=${NGINX_PLUS_VERSION}~${DISTRO_VERSION} \ |
54 | | - nginx-plus-module-njs=${NJS_VERSION}~${DISTRO_VERSION} \ |
55 | | - nginx-plus-module-xslt=${XSLT_VERSION}~${DISTRO_VERSION} \ |
56 | | - gettext-base; \ |
57 | | - apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ |
58 | | - rm -rf /etc/apt/sources.list.d/nginx-plus.list /var/lib/apt/lists/* /var/tmp/* /tmp/* /etc/ssl/nginx; \ |
59 | | - # forward request and error logs to docker log collector |
60 | | - ln -sf /dev/stdout /var/log/nginx/access.log; \ |
61 | | - ln -sf /dev/stderr /var/log/nginx/error.log; \ |
62 | | - chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh |
| 25 | +# S3 proxy env vars |
| 26 | +ENV DIRECTORY_LISTING_PATH_PREFIX="" |
| 27 | +ENV STRIP_LEADING_DIRECTORY_PATH="" |
| 28 | +ENV PREFIX_LEADING_DIRECTORY_PATH="" |
63 | 29 |
|
64 | | -ENTRYPOINT ["/docker-entrypoint.sh"] |
| 30 | +# We create an NGINX Plus image based on the official NGINX Plus Dockerfiles (https://gist.github.com/nginx-gists/36e97fc87efb5cf0039978c8e41a34b5) and modify it by: |
| 31 | +# 1. Explicitly installing the version of njs coded in the environment variable above. |
| 32 | +# 2. Adding configuration files needed for proxying private S3 buckets. |
| 33 | +# 3. Adding a directory for proxied objects to be stored. |
| 34 | +# 4. Adding the entrypoint scripts found in the base NGINX OSS Docker image with a modified version that explicitly sets resolvers. |
| 35 | + |
| 36 | +# Download your NGINX license certificate and key from the F5 customer portal (https://account.f5.com) and copy it to the build context |
| 37 | +RUN --mount=type=secret,id=nginx-crt,dst=nginx-repo.crt \ |
| 38 | + --mount=type=secret,id=nginx-key,dst=nginx-repo.key \ |
| 39 | + set -x \ |
| 40 | +# Create nginx user/group first, to be consistent throughout Docker variants |
| 41 | + && groupadd --system --gid 101 nginx \ |
| 42 | + && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \ |
| 43 | + && apt-get update \ |
| 44 | + && apt-get install --no-install-recommends --no-install-suggests -y ca-certificates gnupg1 lsb-release \ |
| 45 | + && \ |
| 46 | + NGINX_GPGKEYS="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 8540A6F18833A80E9C1653A42FD21310B49F6B46 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3"; \ |
| 47 | + NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \ |
| 48 | + export GNUPGHOME="$(mktemp -d)"; \ |
| 49 | + found=''; \ |
| 50 | + for NGINX_GPGKEY in $NGINX_GPGKEYS; do \ |
| 51 | + for server in \ |
| 52 | + hkp://keyserver.ubuntu.com:80 \ |
| 53 | + pgp.mit.edu \ |
| 54 | + ; do \ |
| 55 | + echo "Fetching GPG key $NGINX_GPGKEY from $server"; \ |
| 56 | + gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \ |
| 57 | + done; \ |
| 58 | + test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \ |
| 59 | + done; \ |
| 60 | + gpg1 --export "$NGINX_GPGKEYS" > "$NGINX_GPGKEY_PATH" ; \ |
| 61 | + rm -rf "$GNUPGHOME"; \ |
| 62 | + apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \ |
| 63 | +# Install the latest release of NGINX Plus and/or NGINX Plus modules (written and maintained by F5) |
| 64 | + && nginxPackages=" \ |
| 65 | + nginx-plus=${NGINX_VERSION}-${NGINX_PKG_RELEASE} \ |
| 66 | + nginx-plus-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_PKG_RELEASE} \ |
| 67 | + nginx-plus-module-xslt=${NGINX_VERSION}-${NGINX_PKG_RELEASE} \ |
| 68 | + " \ |
| 69 | + && echo "Acquire::https::pkgs.nginx.com::Verify-Peer \"true\";" > /etc/apt/apt.conf.d/90nginx \ |
| 70 | + && echo "Acquire::https::pkgs.nginx.com::Verify-Host \"true\";" >> /etc/apt/apt.conf.d/90nginx \ |
| 71 | + && echo "Acquire::https::pkgs.nginx.com::SslCert \"/etc/ssl/nginx/nginx-repo.crt\";" >> /etc/apt/apt.conf.d/90nginx \ |
| 72 | + && echo "Acquire::https::pkgs.nginx.com::SslKey \"/etc/ssl/nginx/nginx-repo.key\";" >> /etc/apt/apt.conf.d/90nginx \ |
| 73 | + && echo "deb [signed-by=$NGINX_GPGKEY_PATH] https://pkgs.nginx.com/plus/debian `lsb_release -cs` nginx-plus\n" > /etc/apt/sources.list.d/nginx-plus.list \ |
| 74 | + && mkdir -p /etc/ssl/nginx \ |
| 75 | + && cat nginx-repo.crt > /etc/ssl/nginx/nginx-repo.crt \ |
| 76 | + && cat nginx-repo.key > /etc/ssl/nginx/nginx-repo.key \ |
| 77 | + && apt-get update \ |
| 78 | + && apt-get install --no-install-recommends --no-install-suggests -y $nginxPackages curl gettext-base \ |
| 79 | + && apt-get remove --purge -y lsb-release \ |
| 80 | + && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx-plus.list \ |
| 81 | + && rm -rf /etc/apt/apt.conf.d/90nginx /etc/ssl/nginx \ |
| 82 | +# Forward request logs to Docker log collector |
| 83 | + && ln -sf /dev/stdout /var/log/nginx/access.log \ |
| 84 | + && ln -sf /dev/stderr /var/log/nginx/error.log |
65 | 85 |
|
66 | 86 | EXPOSE 80 |
67 | 87 |
|
68 | 88 | STOPSIGNAL SIGTERM |
69 | 89 |
|
70 | 90 | CMD ["nginx", "-g", "daemon off;"] |
71 | 91 |
|
72 | | -# NGINX Docker image setup complete, everything below is specific for |
73 | | -# the S3 Gateway use case. |
74 | | - |
| 92 | +# Copy files from the OSS NGINX Docker container such that the container |
| 93 | +# startup is the same. |
75 | 94 | COPY plus/etc/nginx /etc/nginx |
76 | 95 | COPY common/etc /etc |
77 | | -COPY common/docker-entrypoint.d/00-check-for-required-env.sh /docker-entrypoint.d/00-check-for-required-env.sh |
| 96 | +COPY common/docker-entrypoint.sh /docker-entrypoint.sh |
| 97 | +COPY common/docker-entrypoint.d /docker-entrypoint.d/ |
| 98 | +COPY plus/docker-entrypoint.d /docker-entrypoint.d/ |
| 99 | + |
| 100 | +RUN set -x \ |
| 101 | + && mkdir -p /var/cache/nginx/s3_proxy \ |
| 102 | + && chown nginx:nginx /var/cache/nginx/s3_proxy \ |
| 103 | + && chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh; |
78 | 104 |
|
79 | | -RUN set -eux \ |
80 | | - export DEBIAN_FRONTEND=noninteractive; \ |
81 | | - mkdir -p /var/cache/nginx/s3_proxy; \ |
82 | | - chown nginx:nginx /var/cache/nginx/s3_proxy; \ |
83 | | - chmod -R +x /docker-entrypoint.d/* |
| 105 | +ENTRYPOINT ["/docker-entrypoint.sh"] |
0 commit comments