nginx
diff --git a/‎.github/dependabot.yml
Lines changed: 9 additions & 0 deletions b/‎.github/dependabot.yml
Lines changed: 9 additions & 0 deletions
diff --git a/‎.github/workflows/f5-cla.yml
Lines changed: 6 additions & 6 deletions b/‎.github/workflows/f5-cla.yml
Lines changed: 6 additions & 6 deletions
diff --git a/‎.github/workflows/ossf-scorecard.yml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/ossf-scorecard.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/s3-gateway.yml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/s3-gateway.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎Dockerfile.buildkit.plus
Lines changed: 89 additions & 67 deletions b/‎Dockerfile.buildkit.plus
Lines changed: 89 additions & 67 deletions
diff --git a/‎Dockerfile.oss
Lines changed: 22 additions & 39 deletions b/‎Dockerfile.oss
Lines changed: 22 additions & 39 deletions
@@ -7,12 +7,21 @@ updates:
       interval: weekly
       day: monday
       time: "00:00"
+
   - package-ecosystem: github-actions
     directory: /
     schedule:
       interval: weekly
       day: monday
       time: "00:00"
+    groups:
+      docker-github-actions:
+        patterns:
+          - docker/*
+      official-github-actions:
+        patterns:
+          - actions/*
+
   - package-ecosystem: npm
     directory: /
     schedule:
 
@@ -9,7 +9,7 @@ permissions: read-all
 jobs:
   f5-cla:
     name: F5 CLA
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       actions: write
       pull-requests: write
@@ -20,17 +20,17 @@ jobs:
         uses: contributor-assistant/github-action@9340315624c6e16cef1f2c63bdeb0f0c49c6f474 # v2.4.0
         with:
           # Any pull request targeting the following branch will trigger a CLA check.
-          branch: 'main'
+          branch: main
           # Path to the CLA document.
-          path-to-document: 'https://github.com/f5/.github/blob/main/CLA/cla-markdown.md'
+          path-to-document: https://github.com/f5/.github/blob/main/CLA/cla-markdown.md
           # Custom CLA messages.
           custom-notsigned-prcomment: '🎉 Thank you for your contribution! It appears you have not yet signed the F5 Contributor License Agreement (CLA), which is required for your changes to be incorporated into an F5 Open Source Software (OSS) project. Please kindly read the [F5 CLA](https://github.com/f5/.github/blob/main/CLA/cla-markdown.md) and reply on a new comment with the following text to agree:'
           custom-pr-sign-comment: 'I have hereby read the F5 CLA and agree to its terms'
           custom-allsigned-prcomment: '✅ All required contributors have signed the F5 CLA for this PR. Thank you!'
           # Remote repository storing CLA signatures.
-          remote-organization-name: 'f5'
-          remote-repository-name: 'f5-cla-data'
-          path-to-signatures: 'signatures/beta/signatures.json'
+          remote-organization-name: f5
+          remote-repository-name: f5-cla-data
+          path-to-signatures: signatures/signatures.json
           # Comma separated list of usernames for maintainers or any other individuals who should not be prompted for a CLA.
           allowlist: 4141done, alessfg, dekobon, bot*
           # Do not lock PRs after a merge.
 
@@ -15,7 +15,7 @@ permissions: read-all
 jobs:
   analysis:
     name: Scorecard analysis
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       # Needed if using Code Scanning alerts
       security-events: write
 
@@ -28,7 +28,7 @@ permissions: read-all
 jobs:
   build-oss-for-test:
     name: Build NGINX OSS image
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Check out the codebase
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
@@ -1,83 +1,105 @@
-FROM debian:bookworm-slim@sha256:f528891ab1aa484bf7233dbcc84f3c806c3e427571d75510a9d74bb5ec535b33
+ARG RELEASE=bookworm
+FROM debian:${RELEASE}-slim@sha256:f528891ab1aa484bf7233dbcc84f3c806c3e427571d75510a9d74bb5ec535b33
 
-ENV NGINX_PLUS_VERSION   30-2
-ENV NGINX_VERSION        1.25.1
-ENV NJS_VERSION          30+0.8.0-1
-ENV XSLT_VERSION         30-1
+# Persist RELEASE argument
+ARG RELEASE
 
-ENV PROXY_CACHE_MAX_SIZE "10g"
-ENV PROXY_CACHE_INACTIVE "60m"
-ENV PROXY_CACHE_SLICE_SIZE "1m"
-ENV PROXY_CACHE_VALID_OK "1h"
-ENV PROXY_CACHE_VALID_NOTFOUND "1m"
-ENV PROXY_CACHE_VALID_FORBIDDEN "30s"
-ENV CORS_ENABLED 0
-ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS ""
-ENV DIRECTORY_LISTING_PATH_PREFIX ""
-ENV STRIP_LEADING_DIRECTORY_PATH ""
-ENV PREFIX_LEADING_DIRECTORY_PATH ""
+# NJS env vars
+ENV NGINX_VERSION=32
+ENV NGINX_PKG_RELEASE=1~${RELEASE}
+ENV NJS_VERSION=0.8.4
+ENV NJS_PKG_RELEASE=1~${RELEASE}
 
-COPY plus/usr /usr
+# Proxy cache env vars
+ENV PROXY_CACHE_MAX_SIZE=10g
+ENV PROXY_CACHE_INACTIVE=60m
+ENV PROXY_CACHE_SLICE_SIZE=1m
+ENV PROXY_CACHE_VALID_OK=1h
+ENV PROXY_CACHE_VALID_NOTFOUND=1m
+ENV PROXY_CACHE_VALID_FORBIDDEN=30s
 
-# Copy files from the OSS NGINX Docker container such that the container
-# startup is the same.
-# Source: https://github.com/nginxinc/docker-nginx/tree/1.19.2/stable/buster
-COPY common/docker-entrypoint.sh /docker-entrypoint.sh
-COPY common/docker-entrypoint.d /docker-entrypoint.d/
-COPY plus/docker-entrypoint.d /docker-entrypoint.d/
-# Add NGINX Plus package repository keyring
-COPY plus/usr/share/keyrings/nginx-archive-keyring.gpg /usr/share/keyrings/nginx-archive-keyring.gpg
+# CORS env vars
+ENV CORS_ENABLED=0
+ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS=""
 
-RUN --mount=type=secret,id=nginx-crt --mount=type=secret,id=nginx-key \
-    set -eux \
-    export DEBIAN_FRONTEND=noninteractive; \
-    mkdir -p /etc/ssl/nginx; \
-    cp /run/secrets/nginx-crt /etc/ssl/nginx/nginx-repo.crt; \
-    chmod 0664 /etc/ssl/nginx/nginx-repo.crt; \
-    cp /run/secrets/nginx-key /etc/ssl/nginx/nginx-repo.key; \
-    chmod 0664 /etc/ssl/nginx/nginx-repo.key; \
-    # create nginx user/group first, to be consistent throughout docker variants
-    addgroup --system --gid 101 nginx; \
-    adduser --system --disabled-login --ingroup nginx --no-create-home --home /nonexistent --gecos "nginx user" --shell /bin/false --uid 101 nginx; \
-    apt-get -qq update; \
-    apt-get -qq upgrade --yes; \
-    apt-get -qq install --yes \
-      ca-certificates \
-      curl \
-      libedit2; \
-    sh -a /usr/local/bin/add_nginx_plus_repo.sh; \
-    rm /usr/local/bin/add_nginx_plus_repo.sh; \
-    apt-get -qq update; \
-    export DISTRO_VERSION="$(grep '^VERSION_CODENAME=' /etc/os-release | awk -v FS='=' '{print $2}')" && \
-    apt-get -qq install --no-install-recommends --no-install-suggests -y \
-        nginx-plus=${NGINX_PLUS_VERSION}~${DISTRO_VERSION} \
-        nginx-plus-module-njs=${NJS_VERSION}~${DISTRO_VERSION} \
-        nginx-plus-module-xslt=${XSLT_VERSION}~${DISTRO_VERSION} \
-        gettext-base; \
-    apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
-    rm -rf /etc/apt/sources.list.d/nginx-plus.list /var/lib/apt/lists/* /var/tmp/* /tmp/* /etc/ssl/nginx; \
-    # forward request and error logs to docker log collector
-    ln -sf /dev/stdout /var/log/nginx/access.log; \
-    ln -sf /dev/stderr /var/log/nginx/error.log; \
-    chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh
+# S3 proxy env vars
+ENV DIRECTORY_LISTING_PATH_PREFIX=""
+ENV STRIP_LEADING_DIRECTORY_PATH=""
+ENV PREFIX_LEADING_DIRECTORY_PATH=""
 
-ENTRYPOINT ["/docker-entrypoint.sh"]
+# We create an NGINX Plus image based on the official NGINX Plus Dockerfiles (https://gist.github.com/nginx-gists/36e97fc87efb5cf0039978c8e41a34b5) and modify it by:
+# 1. Explicitly installing the version of njs coded in the environment variable above.
+# 2. Adding configuration files needed for proxying private S3 buckets.
+# 3. Adding a directory for proxied objects to be stored.
+# 4. Adding the entrypoint scripts found in the base NGINX OSS Docker image with a modified version that explicitly sets resolvers.
+
+# Download your NGINX license certificate and key from the F5 customer portal (https://account.f5.com) and copy it to the build context
+RUN --mount=type=secret,id=nginx-crt,dst=nginx-repo.crt \
+    --mount=type=secret,id=nginx-key,dst=nginx-repo.key \
+    set -x \
+# Create nginx user/group first, to be consistent throughout Docker variants
+    && groupadd --system --gid 101 nginx \
+    && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
+    && apt-get update \
+    && apt-get install --no-install-recommends --no-install-suggests -y ca-certificates gnupg1 lsb-release \
+    && \
+    NGINX_GPGKEYS="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 8540A6F18833A80E9C1653A42FD21310B49F6B46 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3"; \
+    NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \
+    export GNUPGHOME="$(mktemp -d)"; \
+    found=''; \
+    for NGINX_GPGKEY in $NGINX_GPGKEYS; do \
+    for server in \
+        hkp://keyserver.ubuntu.com:80 \
+        pgp.mit.edu \
+    ; do \
+        echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
+        gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
+    done; \
+    test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
+    done; \
+    gpg1 --export "$NGINX_GPGKEYS" > "$NGINX_GPGKEY_PATH" ; \
+    rm -rf "$GNUPGHOME"; \
+    apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \
+# Install the latest release of NGINX Plus and/or NGINX Plus modules (written and maintained by F5)
+    && nginxPackages=" \
+        nginx-plus=${NGINX_VERSION}-${NGINX_PKG_RELEASE} \
+        nginx-plus-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_PKG_RELEASE} \
+        nginx-plus-module-xslt=${NGINX_VERSION}-${NGINX_PKG_RELEASE} \
+    " \
+    && echo "Acquire::https::pkgs.nginx.com::Verify-Peer \"true\";" > /etc/apt/apt.conf.d/90nginx \
+    && echo "Acquire::https::pkgs.nginx.com::Verify-Host \"true\";" >> /etc/apt/apt.conf.d/90nginx \
+    && echo "Acquire::https::pkgs.nginx.com::SslCert     \"/etc/ssl/nginx/nginx-repo.crt\";" >> /etc/apt/apt.conf.d/90nginx \
+    && echo "Acquire::https::pkgs.nginx.com::SslKey      \"/etc/ssl/nginx/nginx-repo.key\";" >> /etc/apt/apt.conf.d/90nginx \
+    && echo "deb [signed-by=$NGINX_GPGKEY_PATH] https://pkgs.nginx.com/plus/debian `lsb_release -cs` nginx-plus\n" > /etc/apt/sources.list.d/nginx-plus.list \
+    && mkdir -p /etc/ssl/nginx \
+    && cat nginx-repo.crt > /etc/ssl/nginx/nginx-repo.crt \
+    && cat nginx-repo.key > /etc/ssl/nginx/nginx-repo.key \
+    && apt-get update \
+    && apt-get install --no-install-recommends --no-install-suggests -y $nginxPackages curl gettext-base \
+    && apt-get remove --purge -y lsb-release \
+    && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx-plus.list \
+    && rm -rf /etc/apt/apt.conf.d/90nginx /etc/ssl/nginx \
+# Forward request logs to Docker log collector
+    && ln -sf /dev/stdout /var/log/nginx/access.log \
+    && ln -sf /dev/stderr /var/log/nginx/error.log
 
 EXPOSE 80
 
 STOPSIGNAL SIGTERM
 
 CMD ["nginx", "-g", "daemon off;"]
 
-# NGINX Docker image setup complete, everything below is specific for
-# the S3 Gateway use case.
-
+# Copy files from the OSS NGINX Docker container such that the container
+# startup is the same.
 COPY plus/etc/nginx /etc/nginx
 COPY common/etc /etc
-COPY common/docker-entrypoint.d/00-check-for-required-env.sh /docker-entrypoint.d/00-check-for-required-env.sh
+COPY common/docker-entrypoint.sh /docker-entrypoint.sh
+COPY common/docker-entrypoint.d /docker-entrypoint.d/
+COPY plus/docker-entrypoint.d /docker-entrypoint.d/
+
+RUN set -x \
+    && mkdir -p /var/cache/nginx/s3_proxy \
+    && chown nginx:nginx /var/cache/nginx/s3_proxy \
+    && chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh;
 
-RUN set -eux \
-    export DEBIAN_FRONTEND=noninteractive; \
-    mkdir -p /var/cache/nginx/s3_proxy; \
-    chown nginx:nginx /var/cache/nginx/s3_proxy; \
-    chmod -R +x /docker-entrypoint.d/*
+ENTRYPOINT ["/docker-entrypoint.sh"]
@@ -1,63 +1,46 @@
 FROM nginx:1.27.0@sha256:67682bda769fae1ccf5183192b8daf37b64cae99c6c3302650f6f8bf5f0f95df
 
 # NJS env vars
-ENV NJS_VERSION     0.8.4
-ENV NJS_RELEASE     2~bookworm
+ENV NJS_VERSION=0.8.4
+ENV NJS_RELEASE=2~bookworm
 
 # Proxy cache env vars
-ENV PROXY_CACHE_MAX_SIZE "10g"
-ENV PROXY_CACHE_INACTIVE "60m"
-ENV PROXY_CACHE_SLICE_SIZE "1m"
-ENV PROXY_CACHE_VALID_OK "1h"
-ENV PROXY_CACHE_VALID_NOTFOUND "1m"
-ENV PROXY_CACHE_VALID_FORBIDDEN "30s"
+ENV PROXY_CACHE_MAX_SIZE=10g
+ENV PROXY_CACHE_INACTIVE=60m
+ENV PROXY_CACHE_SLICE_SIZE=1m
+ENV PROXY_CACHE_VALID_OK=1h
+ENV PROXY_CACHE_VALID_NOTFOUND=1m
+ENV PROXY_CACHE_VALID_FORBIDDEN=30s
 
 # CORS env vars
-ENV CORS_ENABLED 0
-ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS ""
+ENV CORS_ENABLED=0
+ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS=""
 
 # S3 proxy env vars
-ENV DIRECTORY_LISTING_PATH_PREFIX ""
-ENV STRIP_LEADING_DIRECTORY_PATH ""
-ENV PREFIX_LEADING_DIRECTORY_PATH ""
-
-# We modify the nginx base image by:
-# 1. Explicitly install the version of njs coded in the environment variable above.
-# 2. Adding configuration files needed for proxying private S3 buckets
-# 3. Adding a directory for proxied objects to be stored
+ENV DIRECTORY_LISTING_PATH_PREFIX=""
+ENV STRIP_LEADING_DIRECTORY_PATH=""
+ENV PREFIX_LEADING_DIRECTORY_PATH=""
+
+# We modify the NGINX base image by:
+# 1. Explicitly installing the version of njs coded in the environment variable above.
+# 2. Adding configuration files needed for proxying private S3 buckets.
+# 3. Adding a directory for proxied objects to be stored.
 # 4. Replacing the entrypoint script with a modified version that explicitly sets resolvers.
 
 RUN set -x \
-    && apt-get update \
-    && apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \
-    && \
-    NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \
-    NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \
-    export GNUPGHOME="$(mktemp -d)"; \
-    found=''; \
-    for server in \
-        hkp://keyserver.ubuntu.com:80 \
-        pgp.mit.edu \
-    ; do \
-        echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
-        gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
-    done; \
-    test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
-    gpg1 --export "$NGINX_GPGKEY" > "$NGINX_GPGKEY_PATH" ; \
-    rm -rf "$GNUPGHOME"; \
-    apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/*; \
-    echo "deb [signed-by=/etc/apt/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian/ $(echo $PKG_RELEASE | cut -f2 -d~) nginx" >> /etc/apt/sources.list.d/nginx.list; \
+    && echo "deb [signed-by=/etc/apt/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian/ $(echo $PKG_RELEASE | cut -f2 -d~) nginx" >> /etc/apt/sources.list.d/nginx.list; \
     apt-get update \
     && apt-get install --no-install-recommends --no-install-suggests -y \
       libedit2 \
       nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_RELEASE} \
     && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list
 
-COPY common/etc /etc
 COPY oss/etc /etc
+COPY common/etc /etc
 COPY common/docker-entrypoint.sh /docker-entrypoint.sh
 COPY common/docker-entrypoint.d /docker-entrypoint.d/
 
-RUN mkdir -p /var/cache/nginx/s3_proxy \
+RUN set -x \
+    && mkdir -p /var/cache/nginx/s3_proxy \
     && chown nginx:nginx /var/cache/nginx/s3_proxy \
     && chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh;