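FROM harbor.dragse.it/base/alpine:3.15
# NOTE(review): the base is pinned by tag only. Pin by digest
# (alpine:3.15@sha256:…) once the harbor digest is known so rebuilds are
# reproducible and an upstream tag move cannot silently change the image.

LABEL maintainer="Lennard Brinkhaus "

# Upstream nginx mainline version, njs module version and Alpine package
# release; these select the exact apk versions installed below.
ENV NGINX_VERSION=1.21.5 \
    NJS_VERSION=0.7.1 \
    PKG_RELEASE=1

# Point apk at the internal Nexus mirror instead of dl-cdn.alpinelinux.org.
# The mirror is reached over plain http: apk still verifies the signed
# APKINDEX against the Alpine keys shipped in /etc/apk/keys, so package
# integrity does not rest on TLS, but a network attacker can observe or stall
# the fetches -- switch to https if the Nexus host offers it.
# printf is used instead of `echo $'…'` so the result does not depend on the
# shell's support for ANSI-C quoting.
RUN printf '%s\n' \
        'http://nexus.dragse.it/repository/apk-main/' \
        'http://nexus.dragse.it/repository/apk-community/' \
    > /etc/apk/repositories

# Pull in security updates from the mirror and the tools needed to fetch and
# verify the nginx signing key (wget for the download, openssl for the hash).
RUN apk --no-cache upgrade \
    && apk --no-cache add ca-certificates wget openssl \
    && update-ca-certificates

# Stable numeric UID/GID for the unprivileged nginx user so runtimes that
# enforce runAsNonRoot can verify it.
ARG UID=101
ARG GID=101

RUN set -x \
# create nginx user/group first, to be consistent throughout docker variants
    && addgroup -g $GID -S nginx || true \
    && adduser -S -D -H -u $UID -h /var/cache/nginx -s /sbin/nologin -G nginx -g nginx nginx || true \
    && apkArch="$(cat /etc/apk/arch)" \
    && nginxPackages=" \
        nginx=${NGINX_VERSION}-r${PKG_RELEASE} \
        nginx-module-xslt=${NGINX_VERSION}-r${PKG_RELEASE} \
        nginx-module-geoip=${NGINX_VERSION}-r${PKG_RELEASE} \
        nginx-module-image-filter=${NGINX_VERSION}-r${PKG_RELEASE} \
        nginx-module-perl=${NGINX_VERSION}-r${PKG_RELEASE} \
        nginx-module-njs=${NGINX_VERSION}.${NJS_VERSION}-r${PKG_RELEASE} \
    " \
# install prerequisites for public key and pkg-oss checks
    && apk add --no-cache --virtual .checksum-deps \
        openssl \
    && case "$apkArch" in \
        x86_64|aarch64) \
# arches officially built by upstream
# The nginx apk signing key is fetched over https and then pinned: the hash is
# taken over the parsed key material (openssl rsa -text), so a substituted key
# fails the comparison and aborts the build before apk trusts it.
            set -x \
            && KEY_SHA512="e7fa8303923d9b95db37a77ad46c68fd4755ff935d0a534d26eba83de193c76166c68bfe7f65471bf8881004ef4aa6df3e34689c305662750c0172fca5d8552a *stdin" \
            && wget -O /tmp/nginx_signing.rsa.pub https://nginx.org/keys/nginx_signing.rsa.pub \
            && if [ "$(openssl rsa -pubin -in /tmp/nginx_signing.rsa.pub -text -noout | openssl sha512 -r)" = "$KEY_SHA512" ]; then \
                echo "key verification succeeded!"; \
                mv /tmp/nginx_signing.rsa.pub /etc/apk/keys/; \
            else \
                echo "key verification failed!"; \
                exit 1; \
            fi \
            && apk add -X "https://nginx.org/packages/mainline/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \
            ;; \
        *) \
# we're on an architecture upstream doesn't officially build for
# let's build binaries from the published packaging sources
# The pkg-oss tarball is pinned by sha512 before extraction; the build itself
# runs as `nobody` in a throwaway directory and the resulting packages are
# signed with a build-local abuild key that is removed again below.
            set -x \
            && tempDir="$(mktemp -d)" \
            && chown nobody:nobody $tempDir \
            && apk add --no-cache --virtual .build-deps \
                gcc \
                libc-dev \
                make \
                openssl-dev \
                pcre-dev \
                zlib-dev \
                linux-headers \
                libxslt-dev \
                gd-dev \
                geoip-dev \
                perl-dev \
                libedit-dev \
                bash \
                alpine-sdk \
                findutils \
            && su nobody -s /bin/sh -c " \
                export HOME=${tempDir} \
                && cd ${tempDir} \
                && curl -f -O https://hg.nginx.org/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \
                && PKGOSSCHECKSUM=\"f917c27702aa89cda46878fc80d446839c592c43ce7f251b3f4ced60c7033d34496a92d283927225d458cbc4f2f89499e7fb16344923317cd7725ad722eaf93e *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \
                && if [ \"\$(openssl sha512 -r ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \
                    echo \"pkg-oss tarball checksum verification succeeded!\"; \
                else \
                    echo \"pkg-oss tarball checksum verification failed!\"; \
                    exit 1; \
                fi \
                && tar xzvf ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \
                && cd pkg-oss-${NGINX_VERSION}-${PKG_RELEASE} \
                && cd alpine \
                && make all \
                && apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
                && abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \
                " \
            && cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \
            && apk del .build-deps \
            && apk add -X ${tempDir}/packages/alpine/ --no-cache $nginxPackages \
            ;; \
    esac \
# remove checksum deps
    && apk del .checksum-deps \
# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
    && if [ -n "$tempDir" ]; then rm -rf "$tempDir"; fi \
# Drop both trust anchors added above so the runtime image cannot pull further
# packages signed with them. The previous `[ -n "/etc/apk/keys/…" ]` guards
# tested a non-empty literal and were always true; rm -f already tolerates a
# missing file, so the guard is simply removed.
    && rm -f /etc/apk/keys/abuild-key.rsa.pub /etc/apk/keys/nginx_signing.rsa.pub \
# Bring in gettext so we can get `envsubst`, then throw
# the rest away. To do this, we need to install `gettext`
# then move `envsubst` out of the way so `gettext` can
# be deleted completely, then move `envsubst` back.
    && apk add --no-cache --virtual .gettext gettext \
    && mv /usr/bin/envsubst /tmp/ \
    \
    && runDeps="$( \
        scanelf --needed --nobanner /tmp/envsubst \
            | awk '{ gsub(/,/, "\nso:", $2); print "so:" $2 }' \
            | sort -u \
            | xargs -r apk info --installed \
            | sort -u \
    )" \
    && apk add --no-cache $runDeps \
    && apk del .gettext \
    && mv /tmp/envsubst /usr/local/bin/ \
# Bring in tzdata so users could set the timezones through the environment
# variables
    && apk add --no-cache tzdata \
# Bring in curl and ca-certificates to make registering on DNS SD easier
    && apk add --no-cache curl ca-certificates \
# forward request and error logs to docker log collector
    && ln -sf /dev/stdout /var/log/nginx/access.log \
    && ln -sf /dev/stderr /var/log/nginx/error.log \
# create a docker-entrypoint.d directory
    && mkdir /docker-entrypoint.d

# implement changes required to run NGINX as an unprivileged user:
# listen on an unprivileged port, drop the `user` directive (only meaningful
# when the master runs as root), and move the pid file and all temp paths to
# /tmp, which the runtime UID can write.
RUN sed -i 's,listen 80;,listen 8080;,' /etc/nginx/conf.d/default.conf \
    && sed -i '/user nginx;/d' /etc/nginx/nginx.conf \
    && sed -i 's,/var/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf \
    && sed -i "/^http {/a \    proxy_temp_path /tmp/proxy_temp;\n    client_body_temp_path /tmp/client_temp;\n    fastcgi_temp_path /tmp/fastcgi_temp;\n    uwsgi_temp_path /tmp/uwsgi_temp;\n    scgi_temp_path /tmp/scgi_temp;\n" /etc/nginx/nginx.conf \
# nginx user must own the cache and etc directory to write cache and tweak the nginx config
# Security trade-off: /etc/nginx is writable by the runtime UID so the
# entrypoint can render envsubst templates. A compromised worker can therefore
# rewrite nginx.conf; mount the config read-only at deploy time if templating
# is not needed.
    && chown -R $UID:0 /var/cache/nginx \
    && chmod -R g+w /var/cache/nginx \
    && chown -R $UID:0 /etc/nginx \
    && chmod -R g+w /etc/nginx

COPY docker-entrypoint.sh /
COPY 10-listen-on-ipv6-by-default.sh /docker-entrypoint.d
COPY 20-envsubst-on-templates.sh /docker-entrypoint.d
COPY 30-tune-worker-processes.sh /docker-entrypoint.d
ENTRYPOINT ["/docker-entrypoint.sh"]

# Unprivileged port, matching the `listen 8080` rewrite above.
EXPOSE 8080

# nginx performs a graceful shutdown on SIGQUIT.
STOPSIGNAL SIGQUIT

# Numeric UID so runAsNonRoot checks can verify it without resolving a name.
USER $UID

CMD ["nginx", "-g", "daemon off;"]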