Improve Docker Nginx deployment: Add IPv6, HTTP/2, SSL support, gzip compression and image caching

PabloG02 · PabloG02 · commit a01836b0a3ea · 2025-03-14T12:00:18.000+01:00
Also adds auto certificate generation for SSL in case no existing certificates are found.
diff --git a/docker/deploy-local-build/Dockerfile b/docker/deploy-local-build/Dockerfile
@@ -1,11 +1,16 @@
 # Stage 1: Serve the website with nginx
-FROM nginx:stable-alpine
+FROM nginx:mainline-alpine
 # Copy the built website files to the nginx serve directory
 COPY dist/dockerfiles-website/browser /usr/share/nginx/html
 # Replace the default nginx configuration with our custom configuration (with proxy enabled)
 COPY docker/deploy-local-build/default.conf /etc/nginx/conf.d/default.conf
+# Create directory for SSL certificates
+RUN mkdir -p /etc/nginx/ssl
 # Expose ports
-EXPOSE 80
+EXPOSE 80 443
 
-# Start nginx
-CMD ["sh", "-c", "nginx -g 'daemon off;'"]
+# Start nginx with a script that generates certificates if needed
+RUN apk add openssl
+COPY docker/deploy-local-build/start.sh /start.sh
+RUN chmod +x /start.sh
+CMD ["/start.sh"]
diff --git a/docker/deploy-local-build/default.conf b/docker/deploy-local-build/default.conf
@@ -2,14 +2,53 @@
 proxy_cache_path /var/cache/nginx/dockerhub_cache levels=1:2 keys_zone=dockerhub_cache:10m max_size=1g inactive=60m use_temp_path=off;
 
 server {
-    listen 80;
+    listen 80; # IPv4
+    listen [::]:80; # IPv6
+    # HTTP/2 support (requires SSL)
+    http2 on;
+    listen 443 ssl;
+    listen [::]:443 ssl;
     server_name localhost;
 
+    # SSL configuration (required for HTTP/2)
+    ssl_certificate /etc/nginx/ssl/nginx.crt;
+    ssl_certificate_key /etc/nginx/ssl/nginx.key;
+    ssl_protocols TLSv1.3;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+
+    # Security headers
+    add_header X-Content-Type-Options nosniff;
+    add_header X-Frame-Options SAMEORIGIN;
+    add_header X-XSS-Protection "1; mode=block";
+    add_header Referrer-Policy no-referrer-when-downgrade;
+
+    # Compression settings
+    gzip on;
+    gzip_comp_level 5;
+    gzip_min_length 4096;
+    gzip_proxied any;
+    gzip_vary on;
+    gzip_types
+        application/javascript
+        application/json
+        application/xml
+        text/css
+        text/javascript
+        text/plain
+        text/xml;
+
     # Default location block for serving static files
     location / {
         root /usr/share/nginx/html;
         index index.html index.htm;
         try_files $uri $uri/ /index.html;
+
+        # Cache control for static assets
+        location ~* \.(jpg|jpeg|png|webp|gif|ico|svg)$ {
+            expires 1d;
+            add_header Cache-Control "public, no-transform, must-revalidate";
+        }
     }
 
     # Error pages configuration
@@ -19,7 +58,7 @@ server {
     }
 
     # Proxy configuration for Docker Hub API requests with caching.
-    location /v2/namespaces/pegi3s/repositories/ {
+    location /v2/namespaces/pegi3s/repositories {
         resolver 1.1.1.1; # DNS resolver for domain name lookup.
         set $upstream_endpoint https://hub.docker.com; # The upstream service to proxy requests to.
 
@@ -28,9 +67,18 @@ server {
         proxy_cache_valid 200 302 10m; # Cache 200 and 302 responses for 10 minutes
         proxy_cache_valid 404 1m; # Cache 404 responses for 1 minute
         proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+        proxy_cache_lock on; # Prevents multiple clients from requesting the same uncached item.
+        proxy_cache_background_update on; # Updates cache in background without blocking clients.
         add_header X-Proxy-Cache $upstream_cache_status; # Adds a header to the response with the cache status.
 
         # Pass the request to the upstream server
         proxy_pass $upstream_endpoint$request_uri;
     }
+
+    # Deny access to hidden files
+    location ~ /\. {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
 }
diff --git a/docker/deploy-local-build/start.sh b/docker/deploy-local-build/start.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+set -e
+
+# Check if certificates exist, if not generate self-signed ones
+if [ ! -f /etc/nginx/ssl/nginx.crt ] || [ ! -f /etc/nginx/ssl/nginx.key ]; then
+    echo "SSL certificates not found, generating self-signed certificates..."
+    echo "Using $(openssl version)"
+    mkdir -p /etc/nginx/ssl
+    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
+        -keyout /etc/nginx/ssl/nginx.key \
+        -out /etc/nginx/ssl/nginx.crt \
+        -subj "/CN=localhost" \
+        -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"
+    echo "Self-signed certificates generated."
+else
+    echo "Using existing SSL certificates."
+fi
+
+# Start nginx
+echo "Starting Nginx..."
+exec nginx -g 'daemon off;'
