Commit 34e97939 authored by nimrod's avatar nimrod

Nginx base image.

parent b17059b0
Showing
with 140 additions and 0 deletions
......@@ -151,3 +151,19 @@ push-webdav:
needs:
- job: build-webdav
artifacts: true
# nginx image:
build-nginx:
extends: .container-build-base
variables:
CONTEXT: nginx
push-nginx:
extends: .container-push-base
variables:
CONTEXT: nginx
IMAGE: nginx
needs:
- job: build-nginx
artifacts: true
*
!conf.d/
!www/
!snippets/
FROM nginx:1.21.3-alpine
# hadolint ignore=DL3018
RUN rm -rf /etc/nginx/conf./* && \
chmod 777 /run && \
apk add --no-cache --update libcap openssl && \
curl https://letsencrypt.org/certs/isrg-root-ocsp-x1.pem.txt > /etc/ssl/ocsp.pem && \
mkdir /var/ssl &&\
curl https://ssl-config.mozilla.org/ffdhe2048.txt > /var/ssl/dhparams &&\
chmod 644 /var/ssl/dhparams && \
install -d -m 755 -o root -g root /etc/nginx/snippets && \
install -d -m 755 -o root -g root /var/ssl && \
install -d -m 755 -o root -g root /var/www && \
install -d -m 700 -o nginx -g nginx /var/cache/nginx && \
openssl req -x509 \
-newkey rsa:4096 \
-keyout /var/ssl/site.key \
-nodes \
-out /var/ssl/site.crt \
-batch && \
setcap CAP_NET_BIND_SERVICE=+ep "$(command -v nginx)" && \
chown nginx /var/ssl/site.*
COPY conf.d/ /etc/nginx/conf.d/
COPY snippets/ /etc/nginx/snippets/
USER nginx
RUN nginx -t
HEALTHCHECK CMD curl --fail --verbose --user-agent 'Docker health check' --header "Host: status" http://localhost/ || exit 1
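Review bot: The first command of the RUN, `rm -rf /etc/nginx/conf./*`, has a typo (`conf.` for `conf.d`), so it matches nothing, succeeds silently, and the base image's `conf.d/default.conf` stays in the final image next to the copied configuration. The two `curl … > file` downloads lack `--fail`, so an HTTP error page would be stored as `/etc/ssl/ocsp.pem` or `/var/ssl/dhparams` and the build would still pass; `curl -fsSL` makes a bad download fail the layer. `chmod 777 /run` makes the pid directory world-writable, where owning it to the nginx user is enough for the pid file (and for the `nginx -t` run as that user further down). The self-signed key written here is identical in every copy of the image, which is acceptable only as a placeholder that real certificates are mounted over at runtime — worth a comment next to the `openssl req`.
```dockerfile
# hadolint ignore=DL3018
RUN rm -rf /etc/nginx/conf.d/* && \
    # nginx (and `nginx -t` below) runs unprivileged and must create its pid file here.
    chown nginx:nginx /run && \
    chmod 755 /run && \
    apk add --no-cache --update libcap openssl && \
    # --fail: never store an HTTP error page as a certificate or DH parameters.
    curl -fsSL https://letsencrypt.org/certs/isrg-root-ocsp-x1.pem.txt > /etc/ssl/ocsp.pem && \
    mkdir /var/ssl && \
    curl -fsSL https://ssl-config.mozilla.org/ffdhe2048.txt > /var/ssl/dhparams && \
    # … unchanged: chmod 644 dhparams, install -d, openssl req (placeholder cert), setcap, chown …
```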
# Nginx
My tweaked version of the Nginx image.
server {
listen 80 default_server;
listen [::]:80 default_server;
include snippets/www-acme-challenge.conf;
location / { return 301 https://www.shore.co.il$request_uri; }
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
include snippets/ssl.conf;
location / { return 301 https://www.shore.co.il$request_uri; }
}
# The resolver for the Docker network.
resolver 127.0.0.11 valid=30s;
gzip on;
tcp_nopush on;
tcp_nodelay on;
server_tokens off;
include snippets/common-headers.conf;
# Validate proxied SSL connections.
proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
proxy_ssl_verify on;
proxy_ssl_verify_depth 4;
# For proxying /validate on different hosts to Vouch.
map $host $vouch { default vouch; }
server {
listen 80;
listen [::]:80;
server_name status;
location = / { stub_status; }
include snippets/allow-private-ips.conf;
}
location = /ads.txt {
if ($scheme = http) {
return 301 https://$host$request_uri;
}
if ($scheme = https) {
add_header Content-Type "text/plain; charset=utf-8";
return 200 "contact=webmaster@shore.co.il\n";
}
}
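Review bot: The `add_header Content-Type` inside the `if ($scheme = https)` block replaces, rather than extends, the headers inherited from the enclosing level, so this location answers without the shared security headers — exactly the case the comment in the common-headers snippet warns about, and that snippet is not re-included here. The second `if` is also redundant: once the `http` branch has returned, every remaining request is `https`, so the body can sit directly in the location. Replace the second `if` block with `include snippets/common-headers.conf;`, `add_header Content-Type "text/plain; charset=utf-8";`, `return 200 "contact=webmaster@shore.co.il\n";`. Whether these lines are one snippet file on their own is inferred from the surrounding layout, not visible here.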
allow 62.219.131.121; # ns1.shore.co.il
allow 163.172.74.36; # ns4.shore.co.il
allow 127.0.0.0/8;
allow 10.0.0.0/8;
allow 192.168.0.0/16;
allow 172.16.0.0/12;
deny all;
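Review bot: This allow list has no IPv6 entries, yet the status server that includes it listens on `[::]:80`, so a request arriving over `::1` — which the HEALTHCHECK's `localhost` may resolve to first — hits `deny all` and the container is reported unhealthy while nginx is actually up. Adding the IPv6 loopback, and the ULA range if the Docker network is dual-stack, keeps the two listeners consistent: `allow ::1;` and `allow fc00::/7;` before `deny all;`. Whether IPv6 is enabled in the container network is not visible in this commit, and the assumption that these five lines are the `allow-private-ips.conf` snippet comes from the includes below them.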
include snippets/allow-ns1.conf;
include snippets/allow-ns4.conf;
include snippets/allow-private-ips.conf;
# add_headers are inherited from previous level if and only if there are no
# add_header directives defined on the current level. So any time there's an
# add_header directive there should be an `include snippets/common-headers.conf`
# directive as well.
add_header X-Frame-Options SAMEORIGIN always;
add_header Permissions-Policy interest-cohort=();
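Review bot: `X-Frame-Options` is sent with `always` but `Permissions-Policy` is not, so the latter is dropped on every response outside the 2xx/3xx set that `add_header` covers by default, including error pages. Make the two consistent with `add_header Permissions-Policy "interest-cohort=()" always;`. The comment above describing add_header inheritance is accurate and useful; it could also say that this file is the one to `include` wherever a location adds its own header, which is the rule the comment implies.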
auth_request /validate;
location = /validate {
proxy_pass https://auth.shore.co.il/validate;
proxy_http_version 1.1;
include snippets/proxy-ssl.conf;
internal;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
}
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_hide_header Strict-Transport-Security;
proxy_hide_header Public-Key-Pins;
proxy_hide_header Public-Key-Pins-Report-Only;
proxy_ssl_verify on;
proxy_ssl_verify_depth 3;
proxy_ssl_name auth.shore.co.il;
proxy_ssl_server_name on;
proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
location / { return 301 https://$host$request_uri; }
location / { return 301 https://www.$host$request_uri; }
location = /robots.txt {
add_header Content-Type "text/plain; charset=utf-8";
return 200 "User-agent: *\nDisallow:\n";
}
location = /robots.txt {
add_header Content-Type "text/plain; charset=utf-8";
return 200 "User-agent: *\nDisallow: *\n";
}
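Review bot: `Disallow: *` in the second robots snippet is not the standard way to block all crawling: a Disallow value is a URL path prefix and, per RFC 9309, must begin with `/`, so the universally understood form is `return 200 "User-agent: *\nDisallow: /\n";` — `*` is honoured only by crawlers that implement wildcard extensions and may be ignored by others. Both robots snippets also set `add_header Content-Type` without re-including `snippets/common-headers.conf`, so the shared security headers are dropped for `/robots.txt`; adding `include snippets/common-headers.conf;` next to the `add_header` follows the convention that snippet documents. Treating these two four-line blocks as separate snippet files is inferred from the layout, not shown explicitly.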