Merge pull request #115 from linuxserver/upstream-defaults

Rework nginx.conf to be inline with alpine upstream and relocate line…
2025-11-01 05:27:42 +09:00 · 2021-05-18 10:53:05 -04:00
parent c48705cbc4 1cc2e4d395
commit 27e727eede
22 changed files with 867 additions and 825 deletions
--- a/5
+++ b/5
@@ -96,7 +96,7 @@ RUN \
  fi && \
  pip3 install -U \
    pip && \
- pip3 install -U \
+  pip3 install -U --find-links https://wheel-index.linuxserver.io/alpine/ \
    ${CERTBOT} \
    certbot-dns-aliyun \
    certbot-dns-cloudflare \
@@ -140,9 +140,6 @@ RUN \
    /defaults/proxy-confs --strip-components=1 --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \
  echo "**** configure nginx ****" && \
  rm -f /etc/nginx/conf.d/default.conf && \
 curl -o \
 	/defaults/dhparams.pem -L \
 	"https://lsio.ams3.digitaloceanspaces.com/dhparams.pem" && \
  echo "**** cleanup ****" && \
  apk del --purge \
    build-dependencies && \
--- a/Dockerfile.aarch64
+++ b/Dockerfile.aarch64
@@ -96,7 +96,7 @@ RUN \
  fi && \
  pip3 install -U \
    pip && \
- pip3 install -U \
+  pip3 install -U --find-links https://wheel-index.linuxserver.io/alpine/ \
    ${CERTBOT} \
    certbot-dns-aliyun \
    certbot-dns-cloudflare \
@@ -140,9 +140,6 @@ RUN \
    /defaults/proxy-confs --strip-components=1 --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \
  echo "**** configure nginx ****" && \
  rm -f /etc/nginx/conf.d/default.conf && \
 curl -o \
 	/defaults/dhparams.pem -L \
 	"https://lsio.ams3.digitaloceanspaces.com/dhparams.pem" && \
  echo "**** cleanup ****" && \
  apk del --purge \
    build-dependencies && \
--- a/Dockerfile.armhf
+++ b/Dockerfile.armhf
@@ -96,7 +96,7 @@ RUN \
  fi && \
  pip3 install -U \
    pip && \
- pip3 install -U \
+  pip3 install -U --find-links https://wheel-index.linuxserver.io/alpine/ \
    ${CERTBOT} \
    certbot-dns-aliyun \
    certbot-dns-cloudflare \
@@ -140,9 +140,6 @@ RUN \
    /defaults/proxy-confs --strip-components=1 --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \
  echo "**** configure nginx ****" && \
  rm -f /etc/nginx/conf.d/default.conf && \
 curl -o \
 	/defaults/dhparams.pem -L \
 	"https://lsio.ams3.digitaloceanspaces.com/dhparams.pem" && \
  echo "**** cleanup ****" && \
  apk del --purge \
    build-dependencies && \
--- a/README.md
+++ b/README.md
@@ -82,7 +82,7 @@ The architectures supported by this image are:
 * Certs are checked nightly and if expiration is within 30 days, renewal is attempted. If your cert is about to expire in less than 30 days, check the logs under `/config/log/letsencrypt` to see why the renewals have been failing. It is recommended to input your e-mail in docker parameters so you receive expiration notices from Let's Encrypt in those circumstances.
 ### Security and password protection
 * The container detects changes to url and subdomains, revokes existing certs and generates new ones during start.
-* The container provides a pre-generated 4096-bit dhparams.pem (rotated weekly via [Jenkins job](https://ci.linuxserver.io/blue/organizations/jenkins/Xtras-Builders-Etc%2Fdhparams-uploader/activity)) for new instances, however you may generate your own by running `docker exec swag openssl dhparam -out /config/nginx/dhparams.pem 4096` WARNING: This takes a very long time
+* Per [RFC7919](https://datatracker.ietf.org/doc/html/rfc7919), the container is shipping [ffdhe4096](https://ssl-config.mozilla.org/ffdhe4096.txt) as the `dhparams.pem`.
 * If you'd like to password protect your sites, you can use htpasswd. Run the following command on your host to generate the htpasswd file `docker exec -it swag htpasswd -c /config/nginx/.htpasswd <username>`
 * You can add multiple user:pass to `.htpasswd`. For the first user, use the above command, for others, use the above command without the `-c` flag, as it will force deletion of the existing `.htpasswd` and creation of a new one
 * You can also use ldap auth for security and access control. A sample, user configurable ldap.conf is provided, and it requires the separate image [linuxserver/ldap-auth](https://hub.docker.com/r/linuxserver/ldap-auth/) to communicate with an ldap server.
@@ -330,6 +330,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 ## Versions
 * **14.05.21:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, ssl.conf, proxy.conf, and the default site-conf - Rework nginx.conf to be inline with alpine upstream and relocate lines from other files. Use linuxserver.io wheel index for pip packages. Switch to using [ffdhe4096](https://ssl-config.mozilla.org/ffdhe4096.txt) for `dhparams.pem` per [RFC7919](https://datatracker.ietf.org/doc/html/rfc7919). Added `worker_processes.conf`, which sets the number of nginx workers, and `resolver.conf`, which sets the dns resolver. Both conf files are auto-generated only on first start and can be user modified later.
 * **21.04.21:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf and authelia-location.conf - Add remote name/email headers and pass http method.
 * **12.04.21:** - Add php7-gmp and php7-pecl-mailparse.
 * **12.04.21:** - Add support for vultr dns validation.
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -101,7 +101,7 @@ app_setup_block: |
  * Certs are checked nightly and if expiration is within 30 days, renewal is attempted. If your cert is about to expire in less than 30 days, check the logs under `/config/log/letsencrypt` to see why the renewals have been failing. It is recommended to input your e-mail in docker parameters so you receive expiration notices from Let's Encrypt in those circumstances.
  ### Security and password protection
  * The container detects changes to url and subdomains, revokes existing certs and generates new ones during start.
-  * The container provides a pre-generated 4096-bit dhparams.pem (rotated weekly via [Jenkins job](https://ci.linuxserver.io/blue/organizations/jenkins/Xtras-Builders-Etc%2Fdhparams-uploader/activity)) for new instances, however you may generate your own by running `docker exec swag openssl dhparam -out /config/nginx/dhparams.pem 4096` WARNING: This takes a very long time
+  * Per [RFC7919](https://datatracker.ietf.org/doc/html/rfc7919), the container is shipping [ffdhe4096](https://ssl-config.mozilla.org/ffdhe4096.txt) as the `dhparams.pem`.
  * If you'd like to password protect your sites, you can use htpasswd. Run the following command on your host to generate the htpasswd file `docker exec -it swag htpasswd -c /config/nginx/.htpasswd <username>`
  * You can add multiple user:pass to `.htpasswd`. For the first user, use the above command, for others, use the above command without the `-c` flag, as it will force deletion of the existing `.htpasswd` and creation of a new one
  * You can also use ldap auth for security and access control. A sample, user configurable ldap.conf is provided, and it requires the separate image [linuxserver/ldap-auth](https://hub.docker.com/r/linuxserver/ldap-auth/) to communicate with an ldap server.
@@ -151,6 +151,7 @@ app_setup_nginx_reverse_proxy_block: ""
 # changelog
 changelogs:
  - { date: "14.05.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, ssl.conf, proxy.conf, and the default site-conf - Rework nginx.conf to be inline with alpine upstream and relocate lines from other files. Use linuxserver.io wheel index for pip packages. Switch to using [ffdhe4096](https://ssl-config.mozilla.org/ffdhe4096.txt) for `dhparams.pem` per [RFC7919](https://datatracker.ietf.org/doc/html/rfc7919). Added `worker_processes.conf`, which sets the number of nginx workers, and `resolver.conf`, which sets the dns resolver. Both conf files are auto-generated only on first start and can be user modified later." }
  - { date: "21.04.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf and authelia-location.conf - Add remote name/email headers and pass http method." }
  - { date: "12.04.21:", desc: "Add php7-gmp and php7-pecl-mailparse." }
  - { date: "12.04.21:", desc: "Add support for vultr dns validation." }
--- a/root/defaults/default
+++ b/root/defaults/default
@@ -1,4 +1,4 @@
-## Version 2021/01/03 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/default
+## Version 2021/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/default
 error_page 502 /502.html;
@@ -151,5 +151,3 @@ server {
 # enable subdomain method reverse proxy confs
 include /config/nginx/proxy-confs/*.subdomain.conf;
 # enable proxy cache for auth
 proxy_cache_path cache/ keys_zone=auth_cache:10m;
--- a/root/defaults/dhparams.pem
+++ b/root/defaults/dhparams.pem
@@ -0,0 +1,13 @@
 -----BEGIN DH PARAMETERS-----
 MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
 +8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
 87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
 YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
 7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
 ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
 7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
 nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
 8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
 iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
 zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=
 -----END DH PARAMETERS-----
--- a/root/defaults/nginx.conf
+++ b/root/defaults/nginx.conf
@@ -1,53 +1,91 @@
-## Version 2021/02/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf
+## Version 2021/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf
 user abc;
-worker_processes 4;
+
-pid /run/nginx.pid;
+# Set number of worker processes automatically based on number of CPU cores.
 include /config/nginx/worker_processes.conf;
 # Enables the use of JIT for regular expressions to speed-up their processing.
 pcre_jit on;
 # Configures default error logger.
 error_log /config/log/nginx/error.log;
 # Includes files with directives to load dynamic modules.
 include /etc/nginx/modules/*.conf;
 events {
-	worker_connections 768;
+    # The maximum number of simultaneous connections that can be opened by
    # a worker process.
    worker_connections 1024;
    # multi_accept on;
 }
 http {
    # Includes mapping of file name extensions to MIME types of responses
    # and defines the default type.
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    # Name servers used to resolve names of upstream servers into addresses.
    # It's also needed when using tcpsocket and udpsocket in Lua modules.
    #resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001;
    include /config/nginx/resolver.conf;
    # Don't tell nginx version to the clients. Default is 'on'.
    server_tokens off;
    # Specifies the maximum accepted body size of a client request, as
    # indicated by the request header Content-Length. If the stated content
    # length is greater than this size, then the client receives the HTTP
    # error code 413. Set to 0 to disable. Default is '1m'.
    client_max_body_size 0;
    # Sendfile copies data between one FD and other from within the kernel,
    # which is more efficient than read() + write(). Default is off.
    sendfile on;
    # Causes nginx to attempt to send its HTTP response head in one packet,
    # instead of using partial frames. Default is 'off'.
    tcp_nopush on;
    # Helper variable for proxying websockets.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }
    # Sets the path, format, and configuration for a buffered log write.
    access_log /config/log/nginx/access.log;
    # Includes virtual hosts configs.
    #include /etc/nginx/http.d/*.conf;
    # WARNING: Don't use this directory for virtual hosts anymore.
    # This include will be moved to the root context in Alpine 3.14.
    #include /etc/nginx/conf.d/*.conf;
    ##
    # Basic Settings
    ##
    client_body_buffer_size 128k;
 	client_max_body_size 0;
    keepalive_timeout 65;
    large_client_header_buffers 4 16k;
    send_timeout 5m;
 	sendfile on;
    tcp_nodelay on;
 	tcp_nopush on;
    types_hash_max_size 2048;
    variables_hash_max_size 2048;
 	# server_tokens off;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
 	include /etc/nginx/mime.types;
 	default_type application/octet-stream;
 	##
 	# Logging Settings
 	##
 	access_log /config/log/nginx/access.log;
 	error_log /config/log/nginx/error.log;
    ##
    # Gzip Settings
    ##
    gzip on;
    gzip_disable "msie6";
    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
@@ -72,18 +110,9 @@ http {
    #passenger_root /usr;
    #passenger_ruby /usr/bin/ruby;
 	##
 	# WebSocket proxying
 	##
 	map $http_upgrade $connection_upgrade {
 		default upgrade;
 		''      close;
 	}
    ##
    # Virtual Host Configs
    ##
 	include /etc/nginx/conf.d/*.conf;
    include /config/nginx/site-confs/*;
    #Removed lua. Do not remove this comment
@@ -96,7 +125,6 @@ http {
    #include /config/nginx/geoip2.conf;
 }
 #mail {
 #    # See sample authentication script at:
 #    # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
@@ -117,4 +145,6 @@ http {
 #        proxy      on;
 #    }
 #}
 daemon off;
 pid /run/nginx.pid;
--- a/root/defaults/proxy.conf
+++ b/root/defaults/proxy.conf
@@ -1,4 +1,4 @@
-## Version 2020/10/04 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/proxy.conf
+## Version 2021/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/proxy.conf
 # Timeout if the real server is dead
 proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
@@ -15,6 +15,7 @@ proxy_send_timeout 240;
 # Proxy Cache and Cookie Settings
 proxy_cache_bypass $cookie_session;
 proxy_cache_path cache/ keys_zone=auth_cache:10m;
 #proxy_cookie_path / "/; Secure"; # enable at your own risk, may break certain apps
 proxy_no_cache $cookie_session;
--- a/root/defaults/ssl.conf
+++ b/root/defaults/ssl.conf
@@ -1,4 +1,4 @@
-## Version 2020/10/29 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/ssl.conf
+## Version 2021/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/ssl.conf
 ### Mozilla Recommendations
 # generated 2020-06-17, Mozilla Guideline v5.4, nginx 1.18.0-r0, OpenSSL 1.1.1g-r0, intermediate configuration
@@ -29,9 +29,6 @@ ssl_trusted_certificate /config/keys/letsencrypt/fullchain.pem;
 # Diffie-Hellman Parameters
 ssl_dhparam /config/nginx/dhparams.pem;
 # Resolver
 resolver 127.0.0.11 valid=30s; # Docker DNS Server
 # Enable TLS 1.3 early data
 ssl_early_data on;
--- a/root/etc/cont-init.d/50-config
+++ b/root/etc/cont-init.d/50-config
@@ -81,6 +81,20 @@ cp /config/fail2ban/jail.local /etc/fail2ban/jail.local
 [[ ! -f /config/www/502.html ]] &&
    cp /defaults/502.html /config/www/502.html
 # Set resolver
 if ! grep -q 'resolver' /config/nginx/resolver.conf; then
    RESOLVER=$(awk 'BEGIN{ORS=" "} $1=="nameserver" {print $2}' /etc/resolv.conf)
    echo "Setting resolver to ${RESOLVER}"
    echo -e "# This file is auto-generated only on first start, based on the container's /etc/resolv.conf file. Feel free to modify it as you wish.\n\nresolver ${RESOLVER} valid=30s;" > /config/nginx/resolver.conf
 fi
 # Set worker_processes
 if ! grep -q 'worker_processes' /config/nginx/worker_processes.conf; then
    WORKER_PROCESSES=$(nproc)
    echo "Setting worker_processes to ${WORKER_PROCESSES}"
    echo -e "# This file is auto-generated only on first start, based on the cpu cores detected. Feel free to change it to any other number or to auto to let nginx handle it automatically.\n\nworker_processes ${WORKER_PROCESSES};" > /config/nginx/worker_processes.conf
 fi
 # remove lua bits from nginx.conf if not done before
 if ! grep -q '#Removed lua' /config/nginx/nginx.conf; then
    echo "Removing lua specific info from nginx.conf"
@@ -91,11 +105,7 @@ fi
 [[ ! -f /config/nginx/dhparams.pem ]] && \
    cp /defaults/dhparams.pem /config/nginx/dhparams.pem
 if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then
-  curl -o /config/nginx/dhparams.pem -L "https://lsio.ams3.digitaloceanspaces.com/dhparams.pem"
+    curl -o /config/nginx/dhparams.pem -L "https://ssl-config.mozilla.org/ffdhe4096.txt"
 fi
 if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then
  echo "Generating dhparams.pem. This will take a long time. Do not stop the container until this process is completed."
  openssl dhparam -out /config/nginx/dhparams.pem 4096
 fi
 # check to make sure DNSPLUGIN is selected if dns validation is used
--- a/root/etc/services.d/fail2ban/run
+++ b/root/etc/services.d/fail2ban/run
@@ -1,4 +1,4 @@
 #!/usr/bin/with-contenv bash
-  exec \
+exec \
    fail2ban-client -x -f start