From bb4cfbbf08d45722c036f9613257c10a9d35dd87 Mon Sep 17 00:00:00 2001 
From: juan131 Date: Thu, 25 Apr 2019 09:49:25 +0200 Subject: [PATCH 1/9] Adapt NGINX so it can be customized --- bitnami/nginx/1.14/debian-9/Dockerfile | 14 +- .../nginx/1.14/debian-9/docker-compose.yml | 2 + .../nginx/1.14/debian-9/rootfs/libnginx.sh | 102 ++++++++--- .../1.14/debian-9/rootfs/nginx-inputs.json | 6 - .../extra/nginx/templates/nginx.conf.tpl | 64 ------- bitnami/nginx/1.14/debian-9/rootfs/prepare.sh | 18 +- bitnami/nginx/1.14/debian-9/rootfs/run.sh | 4 +- bitnami/nginx/1.14/debian-9/rootfs/setup.sh | 3 +- bitnami/nginx/1.14/ol-7/Dockerfile | 14 +- bitnami/nginx/1.14/ol-7/docker-compose.yml | 2 + bitnami/nginx/1.14/ol-7/rootfs/entrypoint.sh | 25 --- bitnami/nginx/1.14/ol-7/rootfs/libnginx.sh | 173 ------------------ .../nginx/1.14/ol-7/rootfs/nginx-inputs.json | 6 - .../extra/nginx/templates/nginx.conf.tpl | 64 ------- bitnami/nginx/1.14/ol-7/rootfs/prepare.sh | 20 -- bitnami/nginx/1.14/ol-7/rootfs/run.sh | 21 --- bitnami/nginx/1.14/ol-7/rootfs/setup.sh | 23 --- bitnami/nginx/1.14/rhel-7/Dockerfile | 14 +- bitnami/nginx/1.14/rhel-7/docker-compose.yml | 2 + .../nginx/1.14/rhel-7/rootfs/entrypoint.sh | 25 --- bitnami/nginx/1.14/rhel-7/rootfs/libnginx.sh | 173 ------------------ .../1.14/rhel-7/rootfs/nginx-inputs.json | 6 - .../extra/nginx/templates/nginx.conf.tpl | 64 ------- bitnami/nginx/1.14/rhel-7/rootfs/prepare.sh | 20 -- bitnami/nginx/1.14/rhel-7/rootfs/run.sh | 21 --- bitnami/nginx/1.14/rhel-7/rootfs/setup.sh | 23 --- bitnami/nginx/README.md | 161 +++++++++++++--- bitnami/nginx/docker-compose.yml | 2 + 28 files changed, 248 insertions(+), 824 deletions(-) delete mode 100644 bitnami/nginx/1.14/debian-9/rootfs/nginx-inputs.json delete mode 100644 bitnami/nginx/1.14/debian-9/rootfs/opt/bitnami/extra/nginx/templates/nginx.conf.tpl delete mode 100755 bitnami/nginx/1.14/ol-7/rootfs/entrypoint.sh delete mode 100644 bitnami/nginx/1.14/ol-7/rootfs/libnginx.sh delete mode 100644 bitnami/nginx/1.14/ol-7/rootfs/nginx-inputs.json delete mode 100644 
bitnami/nginx/1.14/ol-7/rootfs/opt/bitnami/extra/nginx/templates/nginx.conf.tpl delete mode 100755 bitnami/nginx/1.14/ol-7/rootfs/prepare.sh delete mode 100755 bitnami/nginx/1.14/ol-7/rootfs/run.sh delete mode 100755 bitnami/nginx/1.14/ol-7/rootfs/setup.sh delete mode 100755 bitnami/nginx/1.14/rhel-7/rootfs/entrypoint.sh delete mode 100644 bitnami/nginx/1.14/rhel-7/rootfs/libnginx.sh delete mode 100644 bitnami/nginx/1.14/rhel-7/rootfs/nginx-inputs.json delete mode 100644 bitnami/nginx/1.14/rhel-7/rootfs/opt/bitnami/extra/nginx/templates/nginx.conf.tpl delete mode 100755 bitnami/nginx/1.14/rhel-7/rootfs/prepare.sh delete mode 100755 bitnami/nginx/1.14/rhel-7/rootfs/run.sh delete mode 100755 bitnami/nginx/1.14/rhel-7/rootfs/setup.sh diff --git a/bitnami/nginx/1.14/debian-9/Dockerfile b/bitnami/nginx/1.14/debian-9/Dockerfile index 4de8856f6ea4..48330dde1cdc 100644 --- a/bitnami/nginx/1.14/debian-9/Dockerfile +++ b/bitnami/nginx/1.14/debian-9/Dockerfile @@ -2,7 +2,6 @@ FROM bitnami/minideb-extras-base:stretch-r229 LABEL maintainer "Bitnami " ENV BITNAMI_PKG_CHMOD="-R g+rwX" \ - BITNAMI_PKG_EXTRA_DIRS="/bitnami/nginx/conf" \ HOME="/" \ OS_ARCH="amd64" \ OS_FLAVOUR="debian-9" \ 
@@ -11,24 +10,19 @@ ENV BITNAMI_PKG_CHMOD="-R g+rwX" \ # Install required system packages and dependencies RUN install_packages libc6 libpcre3 libssl1.1 zlib1g RUN . ./libcomponent.sh && component_unpack "nginx" "1.14.2-21" --checksum 73c924db078bebc7173aa5a596036285d1da41cbe985d1e4cc024f681e6dca52 -RUN ln -sf /opt/bitnami/nginx/html /app -RUN ln -sf /dev/stdout /opt/bitnami/nginx/logs/access.log -RUN ln -sf /dev/stderr /opt/bitnami/nginx/logs/error.log COPY rootfs / RUN /prepare.sh + ENV BITNAMI_APP_NAME="nginx" \ BITNAMI_IMAGE_VERSION="1.14.2-debian-9-r125" \ NAMI_PREFIX="/.nami" \ - NGINX_DAEMON_GROUP="" \ - NGINX_DAEMON_USER="" \ - NGINX_HTTPS_PORT_NUMBER="443" \ - NGINX_HTTP_PORT_NUMBER="8080" \ PATH="/opt/bitnami/nginx/sbin:$PATH" -EXPOSE 8080 - +EXPOSE 8080 8443 +VOLUME [ "/app" "/certs" ] WORKDIR /app USER 1001 + ENTRYPOINT [ "/entrypoint.sh" ] CMD [ "/run.sh" ] diff --git a/bitnami/nginx/1.14/debian-9/docker-compose.yml b/bitnami/nginx/1.14/debian-9/docker-compose.yml index 9ed581f73ffb..bc81b8e95be9 100644 --- a/bitnami/nginx/1.14/debian-9/docker-compose.yml +++ b/bitnami/nginx/1.14/debian-9/docker-compose.yml @@ -5,3 +5,5 @@ services: image: 'bitnami/nginx:1.14' ports: - '80:8080' + environment: + - NGINX_HTTP_PORT_NUMBER=8080 diff --git a/bitnami/nginx/1.14/debian-9/rootfs/libnginx.sh b/bitnami/nginx/1.14/debian-9/rootfs/libnginx.sh index c20297d4738c..7aa230e3539b 100644 --- a/bitnami/nginx/1.14/debian-9/rootfs/libnginx.sh +++ b/bitnami/nginx/1.14/debian-9/rootfs/libnginx.sh @@ -61,7 +61,7 @@ nginx_start() { is_nginx_running && return debug "Starting NGIX..." if am_i_root; then - gosu "$NGINX_DAEMON_USER" "${NGINX_BASEDIR}/sbin/nginx" -c "${NGINX_CONFDIR}/nginx.conf" + gosu "${NGINX_DAEMON_USER}" "${NGINX_BASEDIR}/sbin/nginx" -c "${NGINX_CONFDIR}/nginx.conf" else "${NGINX_BASEDIR}/sbin/nginx" -c "${NGINX_CONFDIR}/nginx.conf" fi 
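Review bot: The added `VOLUME [ "/app" "/certs" ]` line has no comma between its two entries, so it is not a valid JSON array. As far as I know, Docker then falls back to the whitespace-separated string form, in which `[` and `]` are treated as volume paths too, so `/app` and `/certs` may not be declared the way the commit intends. It should read `VOLUME [ "/app", "/certs" ]`. The same line is added in the ol-7 and rhel-7 Dockerfiles of this patch. Separately, `EXPOSE` now lists 8443 although nothing visible in this patch configures a TLS listener, so a comment saying where that server block comes from would help.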
@@ -98,6 +98,57 @@ export PATH="${NGINX_BASEDIR}/sbin:$PATH" EOF } +######################## +# Configure default HTTP port +# Globals: +# NGINX_CONFDIR +# Arguments: +# $1 - (optionl) HTTP Port +# Returns: +# None +######################### +nginx_config_http_port() { + local http_port=${1:-8080} + debug "Configuring default HTTP port..." + # TODO: find an appropriate NGINX parser to avoid 'sed calls' + sed -i -r "s/(listen\s+)[0-9]{1,5};/\1${http_port};/g" ${NGINX_CONFDIR}/nginx.conf +} + +######################## +# Unset HTTP_PROXY header to protect vs HTTPPOXY vulnerability +# Ref: https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-httpoxy-vulnerability +# Globals: +# NGINX_* +# Arguments: +# None +# Returns: +# None +######################### +nginx_patch_httpoxy_vulnerability() { + debug "Unsetting HTTP_PROXY header..." + echo '# Unset the HTTP_PROXY header' >> "${NGINX_CONFDIR}/fastcgi_params" + echo 'fastcgi_param HTTP_PROXY "";' >> "${NGINX_CONFDIR}/fastcgi_params" +} + +######################## +# Prepare directories for users to mount its static files and certificates +# Globals: +# NGINX_* +# Arguments: +# None +# Returns: +# None +######################### +nginx_prepare_directories() { + # Users can mount their html sites at /app + mv "${NGINX_BASEDIR}/html" /app + ln -sf /app "${NGINX_BASEDIR}/html" + # Users can mount their certificates at /certs + ln -sf /certs "${NGINX_CONFDIR}/bitnami/certs" + # Fix to avoid issues for those using the old structure (vhosts) + ln -sf "${NGINX_CONFDIR}/server_blocks" "${NGINX_CONFDIR}/vhosts" +} + ######################## # Validate settings in NGINX_* env vars # Globals: 
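Review bot: `nginx_config_http_port` splices `${http_port}` into the sed replacement without checking it, and leaves `${NGINX_CONFDIR}/nginx.conf` unquoted. `nginx_validate` is only called from setup.sh, while prepare.sh calls this function directly, so the function itself is the only place a digits-only check is guaranteed to run; a value containing `/` or `&` would change the sed expression instead of the port. Suggest `[[ "$http_port" =~ ^[0-9]{1,5}$ ]] || return 1` before the `sed`, and quoting the file argument as `"${NGINX_CONFDIR}/nginx.conf"`. The pattern also rewrites every plain `listen <digits>;` in the file, which the header comment should say. The new header comments misspell "optional" and "HTTPOXY".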
@@ -112,19 +163,21 @@ nginx_validate() { local validate_port_args=() ! am_i_root && validate_port_args+=("-unprivileged") - if ! err=$(validate_port "${validate_port_args[@]}" "$NGINX_HTTP_PORT_NUMBER"); then - error "An invalid port was specified in the environment variable NGINX_HTTP_PORT_NUMBER: $err" - exit 1 + if [[ -n "${NGINX_HTTP_PORT_NUMBER:-}" ]]; then + if ! err=$(validate_port "${validate_port_args[@]}" "${NGINX_HTTP_PORT_NUMBER:-}"); then + error "An invalid port was specified in the environment variable NGINX_HTTP_PORT_NUMBER: $err" + exit 1 + fi fi for var in "NGINX_DAEMON_USER" "NGINX_DAEMON_GROUP"; do if am_i_root; then - if [[ -z "${!var}" ]]; then + if [[ -z "${!var:-}" ]]; then error "The $var environment variable cannot be empty when running as root" exit 1 fi else - if [[ -n "${!var}" ]]; then + if [[ -n "${!var:-}" ]]; then warn "The $var environment variable will be ignored when running as non-root" fi fi @@ -132,7 +185,7 @@ nginx_validate() { } ######################## -# Ensure NGINX is initialized +# Initialize NGINX # Globals: # NGINX_* # Arguments: 
@@ -145,29 +198,24 @@ nginx_initialize() { # Persisted configuration files from old versions if [[ -f "$NGINX_VOLUME/conf/nginx.conf" ]]; then - warn "'nginx.conf' was found in a legacy location: ${NGINX_VOLUME}/conf/nginx.conf" - warn " Please use ${NGINX_CONFDIR}/nginx.conf instead" - debug "Moving 'nginx.conf' file to new location..." - cp "$NGINX_VOLUME/conf/nginx.conf" "$NGINX_CONFDIR/nginx.conf" + error "A 'nginx.conf' file was found inside '${NGINX_VOLUME}/conf'. This configuration is not supported anymore. Please mount the configuration file at '${NGINX_CONFDIR}/nginx.conf' instead." + exit 1 fi if ! is_dir_empty "$NGINX_VOLUME/conf/vhosts"; then - warn "Custom vhosts config files were found in a legacy directory: $NGINX_VOLUME/conf/vhosts" - warn " Please use ${NGINX_CONFDIR}/vhosts instead" - debug "Moving vhosts config files to new location..." - cp -r "$NGINX_VOLUME/conf/vhosts" "$NGINX_CONFDIR" + error "Custom server blocks files were found inside '$NGINX_VOLUME/conf/vhosts'. This configuration is not supported anymore. Please mount your custom server blocks config files at '${NGINX_CONFDIR}/server_blocks' instead." + exit 1 fi - if [[ -e "${NGINX_CONFDIR}/nginx.conf" ]]; then - debug "Custom configuration detected. Using it..." - return - else - debug "'nginx.conf' not found. Applying bitnami configuration..." - debug "Ensuring expected directories/files exist..." - for dir in "$NGINX_TMPDIR" "$NGINX_CONFDIR" "${NGINX_CONFDIR}/vhosts"; do - ensure_dir_exists "$dir" "$NGINX_DAEMON_USER" - done - debug "Rendering 'nginx.conf.tpl' template..." - render-template "${NGINX_TEMPLATES_DIR}/nginx.conf.tpl" > "${NGINX_CONFDIR}/nginx.conf" - echo 'fastcgi_param HTTP_PROXY "";' >> "${NGINX_CONFDIR}/fastcgi_params" + if am_i_root; then + debug "Ensure NGINX daemon user/group exists..." 
+ ensure_user_exists "$NGINX_DAEMON_USER" "$NGINX_DAEMON_GROUP" + if [[ -n "${NGINX_DAEMON_USER:-}" ]]; then + chown -R "${NGINX_DAEMON_USER:-}" "${NGINX_CONFDIR}" "$NGINX_TMPDIR" + fi + fi + + debug "Updating 'nginx.conf' based on user configuration..." + if [[ -n "${NGINX_HTTP_PORT_NUMBER:-}" ]]; then + nginx_config_http_port "${NGINX_HTTP_PORT_NUMBER}" fi } diff --git a/bitnami/nginx/1.14/debian-9/rootfs/nginx-inputs.json b/bitnami/nginx/1.14/debian-9/rootfs/nginx-inputs.json deleted file mode 100644 index 47ac7e683346..000000000000 --- a/bitnami/nginx/1.14/debian-9/rootfs/nginx-inputs.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "httpPort": "{{$global.env.NGINX_HTTP_PORT_NUMBER}}", - "httpsPort": "{{$global.env.NGINX_HTTPS_PORT_NUMBER}}", - "systemGroup": "{{$global.env.NGINX_DAEMON_GROUP}}", - "systemUser": "{{$global.env.NGINX_DAEMON_USER}}" -} \ No newline at end of file diff --git a/bitnami/nginx/1.14/debian-9/rootfs/opt/bitnami/extra/nginx/templates/nginx.conf.tpl b/bitnami/nginx/1.14/debian-9/rootfs/opt/bitnami/extra/nginx/templates/nginx.conf.tpl deleted file mode 100644 index baa4c22a3107..000000000000 --- a/bitnami/nginx/1.14/debian-9/rootfs/opt/bitnami/extra/nginx/templates/nginx.conf.tpl +++ /dev/null 
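Review bot: The new tail of `nginx_initialize` rewrites `${NGINX_CONFDIR}/nginx.conf` via `nginx_config_http_port` whenever `NGINX_HTTP_PORT_NUMBER` is set, and that is the same path the new error message tells users to mount their own file at. The compose files in this patch set the variable by default, so a user-supplied config would be edited in place at start-up, or the `sed -i` from the earlier hunk would fail on a read-only mount (inferred, not tested). A comment such as `# NOTE: rewrites 'listen' in a user-mounted nginx.conf too` or a guard that skips the rewrite for a non-writable file would make this explicit. `chown -R "${NGINX_DAEMON_USER:-}" "${NGINX_CONFDIR}" "$NGINX_TMPDIR"` also gives the serving user ownership of its own configuration; if only the temp directory must be writable, limiting the chown to `"$NGINX_TMPDIR"` is the least-privilege choice. The function starts outside this hunk.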
@@ -1,64 +0,0 @@ -# based on http://brainspl.at/nginx.conf.txt - -{{#if NGINX_DAEMON_USER}}{{#if NGINX_DAEMON_GROUP}} -user {{NGINX_DAEMON_USER}} {{NGINX_DAEMON_GROUP}}; -{{/if}}{{/if}} - -worker_processes auto; - -error_log "{{NGINX_LOGDIR}}/error.log"; -pid "{{NGINX_TMPDIR}}/nginx.pid"; - -events { - worker_connections 1024; -} - -http { - include mime.types; - default_type application/octet-stream; - - add_header X-Frame-Options SAMEORIGIN; - client_body_temp_path "{{NGINX_TMPDIR}}/client_body" 1 2; - proxy_temp_path "{{NGINX_TMPDIR}}/proxy" 1 2; - fastcgi_temp_path "{{NGINX_TMPDIR}}/fastcgi" 1 2; - scgi_temp_path "{{NGINX_TMPDIR}}/scgi" 1 2; - uwsgi_temp_path "{{NGINX_TMPDIR}}/uwsgi" 1 2; - - log_format main '$remote_addr - $remote_user [$time_local] ' - '"$request" $status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log "{{NGINX_LOGDIR}}/access.log"; - - # no sendfile on OSX - sendfile on; - - tcp_nopush on; - tcp_nodelay off; - - #keepalive_timeout 0; - keepalive_timeout 65; - gzip on; - gzip_http_version 1.0; - gzip_comp_level 2; - gzip_proxied any; - gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript; - - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - - include "{{NGINX_CONFDIR}}/vhosts/*.conf"; - - # HTTP Server - server { - # port to listen on. Can also be set to an IP:PORT - listen {{NGINX_HTTP_PORT_NUMBER}}; - - location /status { - stub_status on; - access_log off; - allow 127.0.0.1; - deny all; - } - } -} - diff --git a/bitnami/nginx/1.14/debian-9/rootfs/prepare.sh b/bitnami/nginx/1.14/debian-9/rootfs/prepare.sh index 6429b926d20c..f71811f45aca 100755 --- a/bitnami/nginx/1.14/debian-9/rootfs/prepare.sh +++ b/bitnami/nginx/1.14/debian-9/rootfs/prepare.sh 
@@ -4,17 +4,19 @@ # Load libraries . /libnginx.sh +. /libfs.sh # Load NGINX environment variables eval "$(nginx_env)" -for dir in "/bitnami" "$NGINX_VOLUME" "$NGINX_CONFDIR" "$NGINX_BASEDIR" "$NGINX_TMPDIR"; do +# Ensure non-root user has write permissions on a set of directories +for dir in "/bitnami" "$NGINX_VOLUME" "${NGINX_CONFDIR}/server_blocks" "${NGINX_CONFDIR}/bitnami" "$NGINX_BASEDIR" "$NGINX_TMPDIR"; do ensure_dir_exists "$dir" - chmod -R g+rwX "$dir" done - -# Users can mount their html sites at /app -ln -sf "$NGINX_BASEDIR/html" /app -# Redirect all logging to stdout/stderr -ln -sf /dev/stdout "$NGINX_LOGDIR/access.log" -ln -sf /dev/stderr "$NGINX_LOGDIR/error.log" +chmod -R g+rwX "$NGINX_VOLUME" "$NGINX_CONFDIR" "$NGINX_TMPDIR" +# Configure default HTTP port +nginx_config_http_port +# Unset HTTP_PROXY header to protect vs HTTPPOXY vulnerability +nginx_patch_httpoxy_vulnerability +# Prepare directories for users to mount its static files and certificates +nginx_prepare_directories diff --git a/bitnami/nginx/1.14/debian-9/rootfs/run.sh b/bitnami/nginx/1.14/debian-9/rootfs/run.sh index 06f5cfb4c642..c5e6ed3933ac 100755 --- a/bitnami/nginx/1.14/debian-9/rootfs/run.sh +++ b/bitnami/nginx/1.14/debian-9/rootfs/run.sh @@ -15,7 +15,7 @@ eval "$(nginx_env)" info "** Starting NGINX **" if am_i_root; then - exec gosu "$NGINX_DAEMON_USER" "$NGINX_BASEDIR/sbin/nginx" -c "$NGINX_CONFDIR/nginx.conf" -g "daemon off;" + exec gosu "${NGINX_DAEMON_USER}" "${NGINX_BASEDIR}/sbin/nginx" -c "${NGINX_CONFDIR}/nginx.conf" -g "daemon off; user ${NGINX_DAEMON_USER} ${NGINX_DAEMON_GROUP}" else - exec "$NGINX_BASEDIR/sbin/nginx" -c "$NGINX_CONFDIR/nginx.conf" -g "daemon off;" + exec "${NGINX_BASEDIR}/sbin/nginx" -c "${NGINX_CONFDIR}/nginx.conf" -g "daemon off;" fi diff --git a/bitnami/nginx/1.14/debian-9/rootfs/setup.sh b/bitnami/nginx/1.14/debian-9/rootfs/setup.sh index 48a45ab4efcd..89e70923cd66 100755 --- a/bitnami/nginx/1.14/debian-9/rootfs/setup.sh 
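Review bot: prepare.sh now runs three steps that modify the image (`nginx_config_http_port`, `nginx_patch_httpoxy_vulnerability`, `nginx_prepare_directories`), but the script appears to have no `set -o errexit` / `nounset` / `pipefail` header, judging by the deleted ol-7 copy that carries the same blob id. A failing `sed` or `mv` would then not necessarily stop `RUN /prepare.sh`, and the image could ship without the port change or without the `HTTP_PROXY` override in `fastcgi_params`. Suggest adding `set -o errexit`, `set -o nounset` and `set -o pipefail` above the library loads, as run.sh and setup.sh already do. The top of the file is outside this hunk, so confirm against the full file.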
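Review bot: On the root branch of run.sh the `-g` string ends with `user ${NGINX_DAEMON_USER} ${NGINX_DAEMON_GROUP}` and has no closing `;`, which nginx requires after every directive, so start-up as root is likely to fail with a parse error. It should read `-g "daemon off; user ${NGINX_DAEMON_USER} ${NGINX_DAEMON_GROUP};"`. Because `gosu` has already dropped privileges before nginx starts, the `user` directive probably has no effect beyond a warning, and it would clash with any `user` line in a mounted nginx.conf. A short comment explaining why it is still passed would help the next maintainer.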
+++ b/bitnami/nginx/1.14/debian-9/rootfs/setup.sh @@ -18,6 +18,5 @@ eval "$(nginx_env)" nginx_validate # Ensure NGINX is stopped when this script ends trap "nginx_stop" EXIT -am_i_root && ensure_user_exists "$NGINX_DAEMON_USER" "$NGINX_DAEMON_GROUP" -# Ensure NGINX is initialized +# Initialize NGINX nginx_initialize diff --git a/bitnami/nginx/1.14/ol-7/Dockerfile b/bitnami/nginx/1.14/ol-7/Dockerfile index 943d85f285cd..3c4d72213849 100644 --- a/bitnami/nginx/1.14/ol-7/Dockerfile +++ b/bitnami/nginx/1.14/ol-7/Dockerfile @@ -2,7 +2,6 @@ FROM bitnami/oraclelinux-extras-base:7-r267 LABEL maintainer "Bitnami " ENV BITNAMI_PKG_CHMOD="-R g+rwX" \ - BITNAMI_PKG_EXTRA_DIRS="/bitnami/nginx/conf" \ HOME="/" \ OS_ARCH="x86_64" \ OS_FLAVOUR="ol-7" \ @@ -11,24 +10,19 @@ ENV BITNAMI_PKG_CHMOD="-R g+rwX" \ # Install required system packages and dependencies RUN install_packages glibc keyutils-libs krb5-libs libcom_err libselinux nss-softokn-freebl openssl-libs pcre zlib RUN . ./libcomponent.sh && component_unpack "nginx" "1.14.2-21" --checksum d4d907cc0c038a32cb7fe0d681552f469a5d6c2af51d12fe83c710f250c2e463 -RUN ln -sf /opt/bitnami/nginx/html /app -RUN ln -sf /dev/stdout /opt/bitnami/nginx/logs/access.log -RUN ln -sf /dev/stderr /opt/bitnami/nginx/logs/error.log COPY rootfs / RUN /prepare.sh + ENV BITNAMI_APP_NAME="nginx" \ BITNAMI_IMAGE_VERSION="1.14.2-ol-7-r131" \ NAMI_PREFIX="/.nami" \ - NGINX_DAEMON_GROUP="" \ - NGINX_DAEMON_USER="" \ - NGINX_HTTPS_PORT_NUMBER="443" \ - NGINX_HTTP_PORT_NUMBER="8080" \ PATH="/opt/bitnami/nginx/sbin:$PATH" -EXPOSE 8080 - +EXPOSE 8080 8443 +VOLUME [ "/app" "/certs" ] WORKDIR /app USER 1001 + ENTRYPOINT [ "/entrypoint.sh" ] CMD [ "/run.sh" ] diff --git a/bitnami/nginx/1.14/ol-7/docker-compose.yml b/bitnami/nginx/1.14/ol-7/docker-compose.yml index 9e61ca71c6e1..1e3512d62308 100644 --- a/bitnami/nginx/1.14/ol-7/docker-compose.yml +++ b/bitnami/nginx/1.14/ol-7/docker-compose.yml 
@@ -5,3 +5,5 @@ services: image: 'bitnami/nginx:1.14-ol-7' ports: - '80:8080' + environment: + - NGINX_HTTP_PORT_NUMBER=8080 diff --git a/bitnami/nginx/1.14/ol-7/rootfs/entrypoint.sh b/bitnami/nginx/1.14/ol-7/rootfs/entrypoint.sh deleted file mode 100755 index e7711dd20490..000000000000 --- a/bitnami/nginx/1.14/ol-7/rootfs/entrypoint.sh +++ /dev/null @@ -1,25 +0,0 @@ -#!/bin/bash - -set -o errexit -set -o nounset -set -o pipefail -#set -o xtrace -# shellcheck disable=SC1091 - -# Load libraries -. /libbitnami.sh -. /libnginx.sh - -# Load NGINX environment variables -eval "$(nginx_env)" - -print_welcome_page - -if [[ "$*" = "/run.sh" ]]; then - info "** Starting NGINX setup **" - /setup.sh - info "** NGINX setup finished! **" -fi - -echo "" -exec "$@" diff --git a/bitnami/nginx/1.14/ol-7/rootfs/libnginx.sh b/bitnami/nginx/1.14/ol-7/rootfs/libnginx.sh deleted file mode 100644 index c20297d4738c..000000000000 --- a/bitnami/nginx/1.14/ol-7/rootfs/libnginx.sh +++ /dev/null 
@@ -1,173 +0,0 @@ -#!/bin/bash -# -# Bitnami NGINX library - -# shellcheck disable=SC1091 - -# Load Generic Libraries -. /libfile.sh -. /liblog.sh -. /libos.sh -. /libservice.sh -. /libvalidations.sh - -# Functions - -######################## -# Check if NGINX is running -# Globals: -# NGINX_TMPDIR -# Arguments: -# None -# Returns: -# Boolean -######################### -is_nginx_running() { - local pid - pid=$(get_pid_from_file "${NGINX_TMPDIR}/nginx.pid") - - if [[ -z "$pid" ]]; then - false - else - is_service_running "$pid" - fi -} - -######################## -# Stop NGINX -# Globals: -# NGINX_TMPDIR -# Arguments: -# None -# Returns: -# None -######################### -nginx_stop() { - ! is_nginx_running && return - debug "Stopping NGINX..." - stop_service_using_pid "${NGINX_TMPDIR}/nginx.pid" -} - -######################## -# Start NGINX and wait until it's ready -# Globals: -# NGINX_* -# Arguments: -# None -# Returns: -# None -######################### -nginx_start() { - is_nginx_running && return - debug "Starting NGIX..." - if am_i_root; then - gosu "$NGINX_DAEMON_USER" "${NGINX_BASEDIR}/sbin/nginx" -c "${NGINX_CONFDIR}/nginx.conf" - else - "${NGINX_BASEDIR}/sbin/nginx" -c "${NGINX_CONFDIR}/nginx.conf" - fi - - local counter=3 - while ! 
is_nginx_running ; do - if [[ "$counter" -ne 0 ]]; then - break - fi - sleep 1; - counter=$((counter - 1)) - done -} - -######################## -# Load global variables used on NGINX configuration -# Globals: -# NGINX_* -# Arguments: -# None -# Returns: -# Series of exports to be used as 'eval' arguments -######################### -nginx_env() { - cat <<"EOF" -export NGINX_BASEDIR="/opt/bitnami/nginx" -export NGINX_VOLUME="/bitnami/nginx" -export NGINX_EXTRAS_DIR="/opt/bitnami/extra/nginx" -export NGINX_TEMPLATES_DIR="${NGINX_EXTRAS_DIR}/templates" -export NGINX_TMPDIR="${NGINX_BASEDIR}/tmp" -export NGINX_CONFDIR="${NGINX_BASEDIR}/conf" -export NGINX_LOGDIR="${NGINX_BASEDIR}/logs" -export PATH="${NGINX_BASEDIR}/sbin:$PATH" -EOF -} - -######################## -# Validate settings in NGINX_* env vars -# Globals: -# NGINX_* -# Arguments: -# None -# Returns: -# None -######################### -nginx_validate() { - info "Validating settings in NGINX_* env vars..." - - local validate_port_args=() - ! am_i_root && validate_port_args+=("-unprivileged") - if ! err=$(validate_port "${validate_port_args[@]}" "$NGINX_HTTP_PORT_NUMBER"); then - error "An invalid port was specified in the environment variable NGINX_HTTP_PORT_NUMBER: $err" - exit 1 - fi - - for var in "NGINX_DAEMON_USER" "NGINX_DAEMON_GROUP"; do - if am_i_root; then - if [[ -z "${!var}" ]]; then - error "The $var environment variable cannot be empty when running as root" - exit 1 - fi - else - if [[ -n "${!var}" ]]; then - warn "The $var environment variable will be ignored when running as non-root" - fi - fi - done -} - -######################## -# Ensure NGINX is initialized -# Globals: -# NGINX_* -# Arguments: -# None -# Returns: -# None -######################### -nginx_initialize() { - info "Initializing NGINX..." 
- - # Persisted configuration files from old versions - if [[ -f "$NGINX_VOLUME/conf/nginx.conf" ]]; then - warn "'nginx.conf' was found in a legacy location: ${NGINX_VOLUME}/conf/nginx.conf" - warn " Please use ${NGINX_CONFDIR}/nginx.conf instead" - debug "Moving 'nginx.conf' file to new location..." - cp "$NGINX_VOLUME/conf/nginx.conf" "$NGINX_CONFDIR/nginx.conf" - fi - if ! is_dir_empty "$NGINX_VOLUME/conf/vhosts"; then - warn "Custom vhosts config files were found in a legacy directory: $NGINX_VOLUME/conf/vhosts" - warn " Please use ${NGINX_CONFDIR}/vhosts instead" - debug "Moving vhosts config files to new location..." - cp -r "$NGINX_VOLUME/conf/vhosts" "$NGINX_CONFDIR" - fi - - if [[ -e "${NGINX_CONFDIR}/nginx.conf" ]]; then - debug "Custom configuration detected. Using it..." - return - else - debug "'nginx.conf' not found. Applying bitnami configuration..." - debug "Ensuring expected directories/files exist..." - for dir in "$NGINX_TMPDIR" "$NGINX_CONFDIR" "${NGINX_CONFDIR}/vhosts"; do - ensure_dir_exists "$dir" "$NGINX_DAEMON_USER" - done - debug "Rendering 'nginx.conf.tpl' template..." - render-template "${NGINX_TEMPLATES_DIR}/nginx.conf.tpl" > "${NGINX_CONFDIR}/nginx.conf" - echo 'fastcgi_param HTTP_PROXY "";' >> "${NGINX_CONFDIR}/fastcgi_params" - fi -} diff --git a/bitnami/nginx/1.14/ol-7/rootfs/nginx-inputs.json b/bitnami/nginx/1.14/ol-7/rootfs/nginx-inputs.json deleted file mode 100644 index 47ac7e683346..000000000000 --- a/bitnami/nginx/1.14/ol-7/rootfs/nginx-inputs.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "httpPort": "{{$global.env.NGINX_HTTP_PORT_NUMBER}}", - "httpsPort": "{{$global.env.NGINX_HTTPS_PORT_NUMBER}}", - "systemGroup": "{{$global.env.NGINX_DAEMON_GROUP}}", - "systemUser": "{{$global.env.NGINX_DAEMON_USER}}" -} \ No newline at end of file 
diff --git a/bitnami/nginx/1.14/ol-7/rootfs/opt/bitnami/extra/nginx/templates/nginx.conf.tpl b/bitnami/nginx/1.14/ol-7/rootfs/opt/bitnami/extra/nginx/templates/nginx.conf.tpl deleted file mode 100644 index baa4c22a3107..000000000000 --- a/bitnami/nginx/1.14/ol-7/rootfs/opt/bitnami/extra/nginx/templates/nginx.conf.tpl +++ /dev/null @@ -1,64 +0,0 @@ -# based on http://brainspl.at/nginx.conf.txt - -{{#if NGINX_DAEMON_USER}}{{#if NGINX_DAEMON_GROUP}} -user {{NGINX_DAEMON_USER}} {{NGINX_DAEMON_GROUP}}; -{{/if}}{{/if}} - -worker_processes auto; - -error_log "{{NGINX_LOGDIR}}/error.log"; -pid "{{NGINX_TMPDIR}}/nginx.pid"; - -events { - worker_connections 1024; -} - -http { - include mime.types; - default_type application/octet-stream; - - add_header X-Frame-Options SAMEORIGIN; - client_body_temp_path "{{NGINX_TMPDIR}}/client_body" 1 2; - proxy_temp_path "{{NGINX_TMPDIR}}/proxy" 1 2; - fastcgi_temp_path "{{NGINX_TMPDIR}}/fastcgi" 1 2; - scgi_temp_path "{{NGINX_TMPDIR}}/scgi" 1 2; - uwsgi_temp_path "{{NGINX_TMPDIR}}/uwsgi" 1 2; - - log_format main '$remote_addr - $remote_user [$time_local] ' - '"$request" $status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log "{{NGINX_LOGDIR}}/access.log"; - - # no sendfile on OSX - sendfile on; - - tcp_nopush on; - tcp_nodelay off; - - #keepalive_timeout 0; - keepalive_timeout 65; - gzip on; - gzip_http_version 1.0; - gzip_comp_level 2; - gzip_proxied any; - gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript; - - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - - include "{{NGINX_CONFDIR}}/vhosts/*.conf"; - - # HTTP Server - server { - # port to listen on. Can also be set to an IP:PORT - listen {{NGINX_HTTP_PORT_NUMBER}}; - - location /status { - stub_status on; - access_log off; - allow 127.0.0.1; - deny all; - } - } -} - 
diff --git a/bitnami/nginx/1.14/ol-7/rootfs/prepare.sh b/bitnami/nginx/1.14/ol-7/rootfs/prepare.sh deleted file mode 100755 index 6429b926d20c..000000000000 --- a/bitnami/nginx/1.14/ol-7/rootfs/prepare.sh +++ /dev/null @@ -1,20 +0,0 @@ -#!/bin/bash - -# shellcheck disable=SC1091 - -# Load libraries -. /libnginx.sh - -# Load NGINX environment variables -eval "$(nginx_env)" - -for dir in "/bitnami" "$NGINX_VOLUME" "$NGINX_CONFDIR" "$NGINX_BASEDIR" "$NGINX_TMPDIR"; do - ensure_dir_exists "$dir" - chmod -R g+rwX "$dir" -done - -# Users can mount their html sites at /app -ln -sf "$NGINX_BASEDIR/html" /app -# Redirect all logging to stdout/stderr -ln -sf /dev/stdout "$NGINX_LOGDIR/access.log" -ln -sf /dev/stderr "$NGINX_LOGDIR/error.log" diff --git a/bitnami/nginx/1.14/ol-7/rootfs/run.sh b/bitnami/nginx/1.14/ol-7/rootfs/run.sh deleted file mode 100755 index 06f5cfb4c642..000000000000 --- a/bitnami/nginx/1.14/ol-7/rootfs/run.sh +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash - -set -o errexit -set -o nounset -set -o pipefail -#set -o xtrace -# shellcheck disable=SC1091 - -# Load libraries -. /liblog.sh -. /libnginx.sh - -# Load NGINX environment variables -eval "$(nginx_env)" - -info "** Starting NGINX **" -if am_i_root; then - exec gosu "$NGINX_DAEMON_USER" "$NGINX_BASEDIR/sbin/nginx" -c "$NGINX_CONFDIR/nginx.conf" -g "daemon off;" -else - exec "$NGINX_BASEDIR/sbin/nginx" -c "$NGINX_CONFDIR/nginx.conf" -g "daemon off;" -fi diff --git a/bitnami/nginx/1.14/ol-7/rootfs/setup.sh b/bitnami/nginx/1.14/ol-7/rootfs/setup.sh deleted file mode 100755 index 48a45ab4efcd..000000000000 --- a/bitnami/nginx/1.14/ol-7/rootfs/setup.sh +++ /dev/null 
@@ -1,23 +0,0 @@ -#!/bin/bash - -set -o errexit -set -o nounset -set -o pipefail -#set -o xtrace -# shellcheck disable=SC1091 - -# Load libraries -. /libos.sh -. /libfs.sh -. /libnginx.sh - -# Load NGINX environment variables -eval "$(nginx_env)" - -# Ensure NGINX environment variables settings are valid -nginx_validate -# Ensure NGINX is stopped when this script ends -trap "nginx_stop" EXIT -am_i_root && ensure_user_exists "$NGINX_DAEMON_USER" "$NGINX_DAEMON_GROUP" -# Ensure NGINX is initialized -nginx_initialize diff --git a/bitnami/nginx/1.14/rhel-7/Dockerfile b/bitnami/nginx/1.14/rhel-7/Dockerfile index 7a310f67a1af..a51be19ea298 100644 --- a/bitnami/nginx/1.14/rhel-7/Dockerfile +++ b/bitnami/nginx/1.14/rhel-7/Dockerfile @@ -2,7 +2,6 @@ FROM registry.rhc4tp.openshift.com/bitnami/rhel-extras-base-7:latest LABEL maintainer "Bitnami " ENV BITNAMI_PKG_CHMOD="-R g+rwX" \ - BITNAMI_PKG_EXTRA_DIRS="/bitnami/nginx/conf" \ HOME="/" \ OS_ARCH="x86_64" \ OS_FLAVOUR="rhel-7" \ @@ -11,24 +10,19 @@ ENV BITNAMI_PKG_CHMOD="-R g+rwX" \ # Install required system packages and dependencies RUN install_packages glibc keyutils-libs krb5-libs libcom_err libselinux nss-softokn-freebl openssl-libs pcre zlib RUN . ./libcomponent.sh && component_unpack "nginx" "1.14.2-20" --checksum 10e7ce1e441ca0e949b16cb3a3f21338bd61fea074f62ad947aa135d5e824ef0 -RUN ln -sf /opt/bitnami/nginx/html /app -RUN ln -sf /dev/stdout /opt/bitnami/nginx/logs/access.log -RUN ln -sf /dev/stderr /opt/bitnami/nginx/logs/error.log COPY rootfs / RUN /prepare.sh + ENV BITNAMI_APP_NAME="nginx" \ BITNAMI_IMAGE_VERSION="1.14.2-rhel-7-r79" \ NAMI_PREFIX="/.nami" \ - NGINX_DAEMON_GROUP="" \ - NGINX_DAEMON_USER="" \ - NGINX_HTTPS_PORT_NUMBER="443" \ - NGINX_HTTP_PORT_NUMBER="8080" \ PATH="/opt/bitnami/nginx/sbin:$PATH" -EXPOSE 8080 - +EXPOSE 8080 8443 +VOLUME [ "/app" "/certs" ] WORKDIR /app USER 1001 + ENTRYPOINT [ "/entrypoint.sh" ] CMD [ "/run.sh" ] 
diff --git a/bitnami/nginx/1.14/rhel-7/docker-compose.yml b/bitnami/nginx/1.14/rhel-7/docker-compose.yml index 57ffdf0e6bcf..b010958aa959 100644 --- a/bitnami/nginx/1.14/rhel-7/docker-compose.yml +++ b/bitnami/nginx/1.14/rhel-7/docker-compose.yml @@ -9,3 +9,5 @@ services: build: . ports: - '80:8080' + environment: + - NGINX_HTTP_PORT_NUMBER=8080 diff --git a/bitnami/nginx/1.14/rhel-7/rootfs/entrypoint.sh b/bitnami/nginx/1.14/rhel-7/rootfs/entrypoint.sh deleted file mode 100755 index e7711dd20490..000000000000 --- a/bitnami/nginx/1.14/rhel-7/rootfs/entrypoint.sh +++ /dev/null @@ -1,25 +0,0 @@ -#!/bin/bash - -set -o errexit -set -o nounset -set -o pipefail -#set -o xtrace -# shellcheck disable=SC1091 - -# Load libraries -. /libbitnami.sh -. /libnginx.sh - -# Load NGINX environment variables -eval "$(nginx_env)" - -print_welcome_page - -if [[ "$*" = "/run.sh" ]]; then - info "** Starting NGINX setup **" - /setup.sh - info "** NGINX setup finished! **" -fi - -echo "" -exec "$@" diff --git a/bitnami/nginx/1.14/rhel-7/rootfs/libnginx.sh b/bitnami/nginx/1.14/rhel-7/rootfs/libnginx.sh deleted file mode 100644 index c20297d4738c..000000000000 --- a/bitnami/nginx/1.14/rhel-7/rootfs/libnginx.sh +++ /dev/null 
@@ -1,173 +0,0 @@ -#!/bin/bash -# -# Bitnami NGINX library - -# shellcheck disable=SC1091 - -# Load Generic Libraries -. /libfile.sh -. /liblog.sh -. /libos.sh -. /libservice.sh -. /libvalidations.sh - -# Functions - -######################## -# Check if NGINX is running -# Globals: -# NGINX_TMPDIR -# Arguments: -# None -# Returns: -# Boolean -######################### -is_nginx_running() { - local pid - pid=$(get_pid_from_file "${NGINX_TMPDIR}/nginx.pid") - - if [[ -z "$pid" ]]; then - false - else - is_service_running "$pid" - fi -} - -######################## -# Stop NGINX -# Globals: -# NGINX_TMPDIR -# Arguments: -# None -# Returns: -# None -######################### -nginx_stop() { - ! is_nginx_running && return - debug "Stopping NGINX..." - stop_service_using_pid "${NGINX_TMPDIR}/nginx.pid" -} - -######################## -# Start NGINX and wait until it's ready -# Globals: -# NGINX_* -# Arguments: -# None -# Returns: -# None -######################### -nginx_start() { - is_nginx_running && return - debug "Starting NGIX..." - if am_i_root; then - gosu "$NGINX_DAEMON_USER" "${NGINX_BASEDIR}/sbin/nginx" -c "${NGINX_CONFDIR}/nginx.conf" - else - "${NGINX_BASEDIR}/sbin/nginx" -c "${NGINX_CONFDIR}/nginx.conf" - fi - - local counter=3 - while ! 
is_nginx_running ; do - if [[ "$counter" -ne 0 ]]; then - break - fi - sleep 1; - counter=$((counter - 1)) - done -} - -######################## -# Load global variables used on NGINX configuration -# Globals: -# NGINX_* -# Arguments: -# None -# Returns: -# Series of exports to be used as 'eval' arguments -######################### -nginx_env() { - cat <<"EOF" -export NGINX_BASEDIR="/opt/bitnami/nginx" -export NGINX_VOLUME="/bitnami/nginx" -export NGINX_EXTRAS_DIR="/opt/bitnami/extra/nginx" -export NGINX_TEMPLATES_DIR="${NGINX_EXTRAS_DIR}/templates" -export NGINX_TMPDIR="${NGINX_BASEDIR}/tmp" -export NGINX_CONFDIR="${NGINX_BASEDIR}/conf" -export NGINX_LOGDIR="${NGINX_BASEDIR}/logs" -export PATH="${NGINX_BASEDIR}/sbin:$PATH" -EOF -} - -######################## -# Validate settings in NGINX_* env vars -# Globals: -# NGINX_* -# Arguments: -# None -# Returns: -# None -######################### -nginx_validate() { - info "Validating settings in NGINX_* env vars..." - - local validate_port_args=() - ! am_i_root && validate_port_args+=("-unprivileged") - if ! err=$(validate_port "${validate_port_args[@]}" "$NGINX_HTTP_PORT_NUMBER"); then - error "An invalid port was specified in the environment variable NGINX_HTTP_PORT_NUMBER: $err" - exit 1 - fi - - for var in "NGINX_DAEMON_USER" "NGINX_DAEMON_GROUP"; do - if am_i_root; then - if [[ -z "${!var}" ]]; then - error "The $var environment variable cannot be empty when running as root" - exit 1 - fi - else - if [[ -n "${!var}" ]]; then - warn "The $var environment variable will be ignored when running as non-root" - fi - fi - done -} - -######################## -# Ensure NGINX is initialized -# Globals: -# NGINX_* -# Arguments: -# None -# Returns: -# None -######################### -nginx_initialize() { - info "Initializing NGINX..." 
- - # Persisted configuration files from old versions - if [[ -f "$NGINX_VOLUME/conf/nginx.conf" ]]; then - warn "'nginx.conf' was found in a legacy location: ${NGINX_VOLUME}/conf/nginx.conf" - warn " Please use ${NGINX_CONFDIR}/nginx.conf instead" - debug "Moving 'nginx.conf' file to new location..." - cp "$NGINX_VOLUME/conf/nginx.conf" "$NGINX_CONFDIR/nginx.conf" - fi - if ! is_dir_empty "$NGINX_VOLUME/conf/vhosts"; then - warn "Custom vhosts config files were found in a legacy directory: $NGINX_VOLUME/conf/vhosts" - warn " Please use ${NGINX_CONFDIR}/vhosts instead" - debug "Moving vhosts config files to new location..." - cp -r "$NGINX_VOLUME/conf/vhosts" "$NGINX_CONFDIR" - fi - - if [[ -e "${NGINX_CONFDIR}/nginx.conf" ]]; then - debug "Custom configuration detected. Using it..." - return - else - debug "'nginx.conf' not found. Applying bitnami configuration..." - debug "Ensuring expected directories/files exist..." - for dir in "$NGINX_TMPDIR" "$NGINX_CONFDIR" "${NGINX_CONFDIR}/vhosts"; do - ensure_dir_exists "$dir" "$NGINX_DAEMON_USER" - done - debug "Rendering 'nginx.conf.tpl' template..." - render-template "${NGINX_TEMPLATES_DIR}/nginx.conf.tpl" > "${NGINX_CONFDIR}/nginx.conf" - echo 'fastcgi_param HTTP_PROXY "";' >> "${NGINX_CONFDIR}/fastcgi_params" - fi -} diff --git a/bitnami/nginx/1.14/rhel-7/rootfs/nginx-inputs.json b/bitnami/nginx/1.14/rhel-7/rootfs/nginx-inputs.json deleted file mode 100644 index 47ac7e683346..000000000000 --- a/bitnami/nginx/1.14/rhel-7/rootfs/nginx-inputs.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "httpPort": "{{$global.env.NGINX_HTTP_PORT_NUMBER}}", - "httpsPort": "{{$global.env.NGINX_HTTPS_PORT_NUMBER}}", - "systemGroup": "{{$global.env.NGINX_DAEMON_GROUP}}", - "systemUser": "{{$global.env.NGINX_DAEMON_USER}}" -} \ No newline at end of file 
diff --git a/bitnami/nginx/1.14/rhel-7/rootfs/opt/bitnami/extra/nginx/templates/nginx.conf.tpl b/bitnami/nginx/1.14/rhel-7/rootfs/opt/bitnami/extra/nginx/templates/nginx.conf.tpl deleted file mode 100644 index baa4c22a3107..000000000000 --- a/bitnami/nginx/1.14/rhel-7/rootfs/opt/bitnami/extra/nginx/templates/nginx.conf.tpl +++ /dev/null @@ -1,64 +0,0 @@ -# based on http://brainspl.at/nginx.conf.txt - -{{#if NGINX_DAEMON_USER}}{{#if NGINX_DAEMON_GROUP}} -user {{NGINX_DAEMON_USER}} {{NGINX_DAEMON_GROUP}}; -{{/if}}{{/if}} - -worker_processes auto; - -error_log "{{NGINX_LOGDIR}}/error.log"; -pid "{{NGINX_TMPDIR}}/nginx.pid"; - -events { - worker_connections 1024; -} - -http { - include mime.types; - default_type application/octet-stream; - - add_header X-Frame-Options SAMEORIGIN; - client_body_temp_path "{{NGINX_TMPDIR}}/client_body" 1 2; - proxy_temp_path "{{NGINX_TMPDIR}}/proxy" 1 2; - fastcgi_temp_path "{{NGINX_TMPDIR}}/fastcgi" 1 2; - scgi_temp_path "{{NGINX_TMPDIR}}/scgi" 1 2; - uwsgi_temp_path "{{NGINX_TMPDIR}}/uwsgi" 1 2; - - log_format main '$remote_addr - $remote_user [$time_local] ' - '"$request" $status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log "{{NGINX_LOGDIR}}/access.log"; - - # no sendfile on OSX - sendfile on; - - tcp_nopush on; - tcp_nodelay off; - - #keepalive_timeout 0; - keepalive_timeout 65; - gzip on; - gzip_http_version 1.0; - gzip_comp_level 2; - gzip_proxied any; - gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript; - - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - - include "{{NGINX_CONFDIR}}/vhosts/*.conf"; - - # HTTP Server - server { - # port to listen on. Can also be set to an IP:PORT - listen {{NGINX_HTTP_PORT_NUMBER}}; - - location /status { - stub_status on; - access_log off; - allow 127.0.0.1; - deny all; - } - } -} - 
diff --git a/bitnami/nginx/1.14/rhel-7/rootfs/prepare.sh b/bitnami/nginx/1.14/rhel-7/rootfs/prepare.sh deleted file mode 100755 index 6429b926d20c..000000000000 --- a/bitnami/nginx/1.14/rhel-7/rootfs/prepare.sh +++ /dev/null @@ -1,20 +0,0 @@ -#!/bin/bash - -# shellcheck disable=SC1091 - -# Load libraries -. /libnginx.sh - -# Load NGINX environment variables -eval "$(nginx_env)" - -for dir in "/bitnami" "$NGINX_VOLUME" "$NGINX_CONFDIR" "$NGINX_BASEDIR" "$NGINX_TMPDIR"; do - ensure_dir_exists "$dir" - chmod -R g+rwX "$dir" -done - -# Users can mount their html sites at /app -ln -sf "$NGINX_BASEDIR/html" /app -# Redirect all logging to stdout/stderr -ln -sf /dev/stdout "$NGINX_LOGDIR/access.log" -ln -sf /dev/stderr "$NGINX_LOGDIR/error.log" diff --git a/bitnami/nginx/1.14/rhel-7/rootfs/run.sh b/bitnami/nginx/1.14/rhel-7/rootfs/run.sh deleted file mode 100755 index 06f5cfb4c642..000000000000 --- a/bitnami/nginx/1.14/rhel-7/rootfs/run.sh +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash - -set -o errexit -set -o nounset -set -o pipefail -#set -o xtrace -# shellcheck disable=SC1091 - -# Load libraries -. /liblog.sh -. /libnginx.sh - -# Load NGINX environment variables -eval "$(nginx_env)" - -info "** Starting NGINX **" -if am_i_root; then - exec gosu "$NGINX_DAEMON_USER" "$NGINX_BASEDIR/sbin/nginx" -c "$NGINX_CONFDIR/nginx.conf" -g "daemon off;" -else - exec "$NGINX_BASEDIR/sbin/nginx" -c "$NGINX_CONFDIR/nginx.conf" -g "daemon off;" -fi diff --git a/bitnami/nginx/1.14/rhel-7/rootfs/setup.sh b/bitnami/nginx/1.14/rhel-7/rootfs/setup.sh deleted file mode 100755 index 48a45ab4efcd..000000000000 --- a/bitnami/nginx/1.14/rhel-7/rootfs/setup.sh +++ /dev/null 
@@ -1,23 +0,0 @@ -#!/bin/bash - -set -o errexit -set -o nounset -set -o pipefail -#set -o xtrace -# shellcheck disable=SC1091 - -# Load libraries -. /libos.sh -. /libfs.sh -. /libnginx.sh - -# Load NGINX environment variables -eval "$(nginx_env)" - -# Ensure NGINX environment variables settings are valid -nginx_validate -# Ensure NGINX is stopped when this script ends -trap "nginx_stop" EXIT -am_i_root && ensure_user_exists "$NGINX_DAEMON_USER" "$NGINX_DAEMON_GROUP" -# Ensure NGINX is initialized -nginx_initialize diff --git a/bitnami/nginx/README.md b/bitnami/nginx/README.md index 6de00e462f85..ad8c709719c3 100644 --- a/bitnami/nginx/README.md +++ b/bitnami/nginx/README.md 
@@ -46,9 +46,9 @@ Non-root container images add an extra layer of security and are generally recom Learn more about the Bitnami tagging policy and the difference between rolling tags and immutable tags [in our documentation page](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/). -* [`1.14-rhel-7`, `1.14.2-rhel-7-r79` (1.14/rhel-7/Dockerfile)](https://github.com/bitnami/bitnami-docker-nginx/blob/1.14.2-rhel-7-r79/1.14/rhel-7/Dockerfile) -* [`1.14-ol-7`, `1.14.2-ol-7-r131` (1.14/ol-7/Dockerfile)](https://github.com/bitnami/bitnami-docker-nginx/blob/1.14.2-ol-7-r131/1.14/ol-7/Dockerfile) -* [`1.14-debian-9`, `1.14.2-debian-9-r125`, `1.14`, `1.14.2`, `1.14.2-r125`, `latest` (1.14/debian-9/Dockerfile)](https://github.com/bitnami/bitnami-docker-nginx/blob/1.14.2-debian-9-r125/1.14/debian-9/Dockerfile) +* [`1.14-rhel-7`, `1.14.2-rhel-7-r78` (1.14/rhel-7/Dockerfile)](https://github.com/bitnami/bitnami-docker-nginx/blob/1.14.2-rhel-7-r78/1.14/rhel-7/Dockerfile) +* [`1.14-ol-7`, `1.14.2-ol-7-r127` (1.14/ol-7/Dockerfile)](https://github.com/bitnami/bitnami-docker-nginx/blob/1.14.2-ol-7-r127/1.14/ol-7/Dockerfile) +* [`1.14-debian-9`, `1.14.2-debian-9-r120`, `1.14`, `1.14.2`, `1.14.2-r120`, `latest` (1.14/debian-9/Dockerfile)](https://github.com/bitnami/bitnami-docker-nginx/blob/1.14.2-debian-9-r120/1.14/debian-9/Dockerfile) # Get this image @@ -75,7 +75,7 @@ $ docker build -t bitnami/nginx:latest https://github.com/bitnami/bitnami-docker # Hosting a static website -This NGINX Open Source image exposes a volume at `/app`. Content mounted here is served by the default catch-all virtual host. +This NGINX Open Source image exposes a volume at `/app`. Content mounted here is served by the default catch-all server block. ```bash $ docker run -v /path/to/app:/app bitnami/nginx:latest 
@@ -120,13 +120,13 @@ Access your web server in the browser by navigating to [http://localhost:9000](h # Configuration -## Adding custom virtual hosts +## Adding custom server blocks -The default `nginx.conf` includes virtual hosts placed in `/bitnami/nginx/conf/vhosts/`. You can mount a `my_vhost.conf` file containing your custom virtual hosts at this location. +The default `nginx.conf` includes server blocks placed in `/opt/bitnami/nginx/conf/server_blocks/`. You can mount a `my_server_block.conf` file containing your custom server block at this location. -For example, in order add a vhost for `www.example.com`: +For example, in order add a server block for `www.example.com`: -# Step 1: Write your `my_vhost.conf` file with the following content. +# Step 1: Write your `my_server_block.conf` file with the following content. ```nginx server { @@ -141,7 +141,7 @@ server { ```bash $ docker run --name nginx \ - -v /path/to/my_vhost.conf:/opt/bitnami/nginx/conf/vhosts/my_vhost.conf:ro \ + -v /path/to/my_server_block.conf:/opt/bitnami/nginx/conf/server_blocks/my_server_block.conf:ro \ bitnami/nginx:latest ``` @@ -156,7 +156,7 @@ services: ports: - '80:8080' volumes: - - /path/to/my_vhost.conf:/opt/bitnami/nginx/conf/vhosts/my_vhost.conf:ro + - /path/to/my_server_block.conf:/opt/bitnami/nginx/conf/server_blocks/my_server_block.conf:ro ``` ## Using custom SSL certificates 
@@ -168,14 +168,15 @@ services: In your local computer, create a folder called `certs` and put your certificates files. Make sure you rename both files to `server.crt` and `server.key` respectively: ```bash -$ mkdir /path/to/nginx-persistence/nginx/conf/bitnami/certs -p -$ cp /path/to/certfile.crt /path/to/nginx-persistence/nginx/conf/bitnami/certs/server.crt -$ cp /path/to/keyfile.key /path/to/nginx-persistence/nginx/conf/bitnami/certs/server.key +$ mkdir -p /path/to/nginx-persistence/certs +$ cp /path/to/certfile.crt /path/to/nginx-persistence/certs/server.crt +$ cp /path/to/keyfile.key /path/to/nginx-persistence/certs/server.key ``` -### Step 2: Provide a custom Virtual Host for SSL connections +### Step 2: Provide a custom Server Block for SSL connections + +Write your `my_server_block.conf` file with the SSL configuration and the relative path to the certificates: -Write your `my_vhost.conf` file with the SSL configuration and the relative path to the certificates. ```nginx server { listen 8443 ssl; @@ -202,8 +203,8 @@ Run the NGINX Open Source image, mounting the certificates directory from your h ```bash $ docker run --name nginx \ - -v /path/to/my_vhost.conf:/opt/bitnami/nginx/conf/vhosts/my_vhost.conf:ro \ - -v /path/to/nginx-persistence/nginx/conf/bitnami/certs:/bitnami/nginx/conf/bitnami/certs \ + -v /path/to/my_server_block.conf:/opt/bitnami/nginx/conf/server_blocks/my_server_block.conf:ro \ + -v /path/to/nginx-persistence/certs:/certs \ bitnami/nginx:latest ``` @@ -219,7 +220,8 @@ services: - '80:8080' - '443:8443' volumes: - - /path/to/nginx-persistence/nginx/conf/bitnami/certs:/bitnami/nginx/conf/bitnami/certs + - /path/to/nginx-persistence/certs:/certs + - /path/to/my_server_block.conf:/opt/bitnami/nginx/conf/server_blocks/my_server_block.conf:ro ``` ## Full configuration 
@@ -229,7 +231,7 @@ The image looks for configurations in `/opt/bitnami/nginx/conf/nginx.conf`. You ```bash $ docker run --name nginx \ - -v /path/to/your_nginx.conf:/opt/bitnami/nginx/conf/nginx.conf \ + -v /path/to/your_nginx.conf:/opt/bitnami/nginx/conf/nginx.conf:ro \ bitnami/nginx:latest ``` @@ -244,12 +246,12 @@ services: ports: - '80:8080' volumes: - - /path/to/your_nginx.conf:/opt/bitnami/nginx/conf/nginx.conf + - /path/to/your_nginx.conf:/opt/bitnami/nginx/conf/nginx.conf:ro ``` # Reverse proxy to other containers -NGINX can be used to reverse proxy to other containers using Docker's linking system. This is particularly useful if you want to serve dynamic content through an NGINX frontend. To do so, [add a virtual host](#adding-custom-virtual-hosts) like the following in the `/opt/bitnami/nginx/conf/vhosts/` folder: +NGINX can be used to reverse proxy to other containers using Docker's linking system. This is particularly useful if you want to serve dynamic content through an NGINX frontend. To do so, [add a server block](#adding-custom-server-blocks) like the following in the `/opt/bitnami/nginx/conf/erver_blocks/` folder: ``` server { 
@@ -289,6 +291,123 @@ $ docker-compose logs nginx You can configure the containers [logging driver](https://docs.docker.com/engine/admin/logging/overview/) using the `--log-driver` option if you wish to consume the container logs differently. In the default configuration docker uses the `json-file` driver. +# Understand this image structure + +The Bitnami NGINX Docker image is built using a Dockerfile with the structure below: + +```Dockerfile +FROM bitnami/minideb-extras-base +... +# Install required system packages and dependencies +RUN install_packages xxx yyy zzz +RUN . ./libcomponent.sh && component_unpack "nginx" "a.b.c-0" +... +COPY rootfs / +RUN /prepare.sh +... +ENV BITNAMI_APP_NAME="nginx" ... +EXPOSE 8080 8443 +VOLUME /app +VOLUME /certs +WORKDIR /app +USER 1001 +... +ENTRYPOINT [ "/entrypoint.sh" ] +CMD [ "/run.sh" ] +``` + +We can identify several sections within the Dockerfile: + +- A section where all the required components are installed. +- A section where all the components are statically configured. +- A section where the env. variables, the ports to be exposed, the working directory and the user are defined. + - Note that once the user is set to 1001, unprivileged commands cannot be executed anymore. +- A section where the entrypoint and command used to start the service are declared. + - Take into account these actions are not executed until the container is started. + +# Customizing Bitnami NGINX Docker Image + +The Bitnami NGINX Docker image is designed to be extended so it can be used as the base image for your custom web applications. + +> Note: It's recommended to read the [previous section](./#understand-this-image-structure) to understand the Dockerfile structure, before extending this image. + +## Extending the Bitnami NGINX Docker Image + +Before extending this image, please note there are certain configuration settings you can modify using the original image: + +- Settings that can be adapted using environment variables. 
For instance, you can change the port used by NGINX for HTTP setting the environment variable `NGINX_HTTP_PORT_NUMBER`. +- [Adding custom server blocks](./#adding-custom-server-blocks). +- [Replacing the 'nginx.conf' file](./#full-configuration). +- [Using custom SSL certificates](./#using-custom-ssl-certificates). + +If your desired customizations cannot be covered using the methods mentioned above, extend the image. To do so, create your own image using a Dockerfile with the format below: + +```Dockerfile +FROM bitnami/nginx +## Put your customizations below +... +``` + +On this example, we provide an extended wit the following modifications: + +- Install `vim` editor. +- Modify the NGINX configuration. +- Modify the ports used by NGINX. +- Modify the container user. + +```Dockerfile +FROM bitnami/nginx +LABEL maintainer "Bitnami " + +## Install 'vim' +USER 0 # Required to perform privileged actions +RUN install_packages vim + +## Modify 'worker_connections' on NGINX config file to '512' +RUN sed -i -r "s#(\s+)worker_connections(\s+)[0-9]+;#\1worker_connections\2512;#g" /opt/bitnami/nginx/conf/nginx.conf + +## Modify the ports used by NGINX by default +ENV NGINX_HTTP_PORT_NUMBER=8181 +EXPOSE 8181 8443 + +## Modify the default container user +USER 1002 +``` + +Based on the extended image, you can use a Docker Compose like the one below to add other features: + +- Adding custom server block +- Adding custom certificates +- Cloning your web app and serve it trough NGINX + +```yaml +version: '2' + +services: + nginx: + build: . + ports: + - '80:8181' + - '443:8443' + depends_on: + - cloner + volumes: + - ./config/my_server_block.conf:/opt/bitnami/nginx/conf/conf.d/server_blocks/my_server_block.conf:ro + - ./certs:/certs + - data:/app + cloner: + image: 'bitnami/git:latest' + command: + - clone + - https://github.com/cloudacademy/static-website-example + - /app + volumes: + - data:/app +volumes: + data: + driver: local +``` + # Maintenance ## Upgrade this image 
diff --git a/bitnami/nginx/docker-compose.yml b/bitnami/nginx/docker-compose.yml index 9ed581f73ffb..bc81b8e95be9 100644 --- a/bitnami/nginx/docker-compose.yml +++ b/bitnami/nginx/docker-compose.yml @@ -5,3 +5,5 @@ services: image: 'bitnami/nginx:1.14' ports: - '80:8080' + environment: + - NGINX_HTTP_PORT_NUMBER=8080 From f16b3b9345802730cc56c3e4e0b80e336d63926c Mon Sep 17 00:00:00 2001 From: juan131 Date: Thu, 25 Apr 2019 09:55:42 +0200 Subject: [PATCH 2/9] Add libraries for Rhel and OL too --- bitnami/nginx/1.14/ol-7/rootfs/entrypoint.sh | 25 ++ bitnami/nginx/1.14/ol-7/rootfs/libnginx.sh | 221 ++++++++++++++++++ bitnami/nginx/1.14/ol-7/rootfs/prepare.sh | 22 ++ bitnami/nginx/1.14/ol-7/rootfs/run.sh | 21 ++ bitnami/nginx/1.14/ol-7/rootfs/setup.sh | 22 ++ .../nginx/1.14/rhel-7/rootfs/entrypoint.sh | 25 ++ bitnami/nginx/1.14/rhel-7/rootfs/libnginx.sh | 221 ++++++++++++++++++ bitnami/nginx/1.14/rhel-7/rootfs/prepare.sh | 22 ++ bitnami/nginx/1.14/rhel-7/rootfs/run.sh | 21 ++ bitnami/nginx/1.14/rhel-7/rootfs/setup.sh | 22 ++ 10 files changed, 622 insertions(+) create mode 100755 bitnami/nginx/1.14/ol-7/rootfs/entrypoint.sh create mode 100644 bitnami/nginx/1.14/ol-7/rootfs/libnginx.sh create mode 100755 bitnami/nginx/1.14/ol-7/rootfs/prepare.sh create mode 100755 bitnami/nginx/1.14/ol-7/rootfs/run.sh create mode 100755 bitnami/nginx/1.14/ol-7/rootfs/setup.sh create mode 100755 bitnami/nginx/1.14/rhel-7/rootfs/entrypoint.sh create mode 100644 bitnami/nginx/1.14/rhel-7/rootfs/libnginx.sh create mode 100755 bitnami/nginx/1.14/rhel-7/rootfs/prepare.sh create mode 100755 bitnami/nginx/1.14/rhel-7/rootfs/run.sh create mode 100755 bitnami/nginx/1.14/rhel-7/rootfs/setup.sh diff --git a/bitnami/nginx/1.14/ol-7/rootfs/entrypoint.sh b/bitnami/nginx/1.14/ol-7/rootfs/entrypoint.sh new file mode 100755 index 000000000000..e7711dd20490 --- /dev/null +++ b/bitnami/nginx/1.14/ol-7/rootfs/entrypoint.sh 
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+#set -o xtrace
+# shellcheck disable=SC1091
+
+# Load libraries
+. /libbitnami.sh
+. /libnginx.sh
+
+# Load NGINX environment variables
+eval "$(nginx_env)"
+
+print_welcome_page
+
+if [[ "$*" = "/run.sh" ]]; then
+ info "** Starting NGINX setup **"
+ /setup.sh
+ info "** NGINX setup finished! **"
+fi
+
+echo ""
+exec "$@"
diff --git a/bitnami/nginx/1.14/ol-7/rootfs/libnginx.sh b/bitnami/nginx/1.14/ol-7/rootfs/libnginx.sh
new file mode 100644
index 000000000000..7aa230e3539b
--- /dev/null
+++ b/bitnami/nginx/1.14/ol-7/rootfs/libnginx.sh
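Review bot: `# shellcheck disable=SC1091` in entrypoint.sh sits after the three `set -o` commands, so under ShellCheck's scoping rules it covers at most the next command, `. /libbitnami.sh`, and `. /libnginx.sh` is still reported. Move the directive to the line right after the shebang so it applies to the whole file, or repeat it before each `.` line. run.sh and setup.sh in this patch, and the rhel-7 copy of entrypoint.sh, place it the same way.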
@@ -0,0 +1,221 @@ +#!/bin/bash +# +# Bitnami NGINX library + +# shellcheck disable=SC1091 + +# Load Generic Libraries +. /libfile.sh +. /liblog.sh +. /libos.sh +. /libservice.sh +. /libvalidations.sh + +# Functions + +######################## +# Check if NGINX is running +# Globals: +# NGINX_TMPDIR +# Arguments: +# None +# Returns: +# Boolean +######################### +is_nginx_running() { + local pid + pid=$(get_pid_from_file "${NGINX_TMPDIR}/nginx.pid") + + if [[ -z "$pid" ]]; then + false + else + is_service_running "$pid" + fi +} + +######################## +# Stop NGINX +# Globals: +# NGINX_TMPDIR +# Arguments: +# None +# Returns: +# None +######################### +nginx_stop() { + ! is_nginx_running && return + debug "Stopping NGINX..." + stop_service_using_pid "${NGINX_TMPDIR}/nginx.pid" +} + +######################## +# Start NGINX and wait until it's ready +# Globals: +# NGINX_* +# Arguments: +# None +# Returns: +# None +######################### +nginx_start() { + is_nginx_running && return + debug "Starting NGIX..." + if am_i_root; then + gosu "${NGINX_DAEMON_USER}" "${NGINX_BASEDIR}/sbin/nginx" -c "${NGINX_CONFDIR}/nginx.conf" + else + "${NGINX_BASEDIR}/sbin/nginx" -c "${NGINX_CONFDIR}/nginx.conf" + fi + + local counter=3 + while ! 
is_nginx_running ; do + if [[ "$counter" -ne 0 ]]; then + break + fi + sleep 1; + counter=$((counter - 1)) + done +} + +######################## +# Load global variables used on NGINX configuration +# Globals: +# NGINX_* +# Arguments: +# None +# Returns: +# Series of exports to be used as 'eval' arguments +######################### +nginx_env() { + cat <<"EOF" +export NGINX_BASEDIR="/opt/bitnami/nginx" +export NGINX_VOLUME="/bitnami/nginx" +export NGINX_EXTRAS_DIR="/opt/bitnami/extra/nginx" +export NGINX_TEMPLATES_DIR="${NGINX_EXTRAS_DIR}/templates" +export NGINX_TMPDIR="${NGINX_BASEDIR}/tmp" +export NGINX_CONFDIR="${NGINX_BASEDIR}/conf" +export NGINX_LOGDIR="${NGINX_BASEDIR}/logs" +export PATH="${NGINX_BASEDIR}/sbin:$PATH" +EOF +} + +######################## +# Configure default HTTP port +# Globals: +# NGINX_CONFDIR +# Arguments: +# $1 - (optionl) HTTP Port +# Returns: +# None +######################### +nginx_config_http_port() { + local http_port=${1:-8080} + debug "Configuring default HTTP port..." + # TODO: find an appropriate NGINX parser to avoid 'sed calls' + sed -i -r "s/(listen\s+)[0-9]{1,5};/\1${http_port};/g" ${NGINX_CONFDIR}/nginx.conf +} + +######################## +# Unset HTTP_PROXY header to protect vs HTTPPOXY vulnerability +# Ref: https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-httpoxy-vulnerability +# Globals: +# NGINX_* +# Arguments: +# None +# Returns: +# None +######################### +nginx_patch_httpoxy_vulnerability() { + debug "Unsetting HTTP_PROXY header..." 
+ echo '# Unset the HTTP_PROXY header' >> "${NGINX_CONFDIR}/fastcgi_params"
+ echo 'fastcgi_param HTTP_PROXY "";' >> "${NGINX_CONFDIR}/fastcgi_params"
+}
+
+########################
+# Prepare directories for users to mount its static files and certificates
+# Globals:
+# NGINX_*
+# Arguments:
+# None
+# Returns:
+# None
+#########################
+nginx_prepare_directories() {
+ # Users can mount their html sites at /app
+ mv "${NGINX_BASEDIR}/html" /app
+ ln -sf /app "${NGINX_BASEDIR}/html"
+ # Users can mount their certificates at /certs
+ ln -sf /certs "${NGINX_CONFDIR}/bitnami/certs"
+ # Fix to avoid issues for those using the old structure (vhosts)
+ ln -sf "${NGINX_CONFDIR}/server_blocks" "${NGINX_CONFDIR}/vhosts"
+}
+
+########################
+# Validate settings in NGINX_* env vars
+# Globals:
+# NGINX_*
+# Arguments:
+# None
+# Returns:
+# None
+#########################
+nginx_validate() {
+ info "Validating settings in NGINX_* env vars..."
+
+ local validate_port_args=()
+ ! am_i_root && validate_port_args+=("-unprivileged")
+ if [[ -n "${NGINX_HTTP_PORT_NUMBER:-}" ]]; then
+ if ! err=$(validate_port "${validate_port_args[@]}" "${NGINX_HTTP_PORT_NUMBER:-}"); then
+ error "An invalid port was specified in the environment variable NGINX_HTTP_PORT_NUMBER: $err"
+ exit 1
+ fi
+ fi
+
+ for var in "NGINX_DAEMON_USER" "NGINX_DAEMON_GROUP"; do
+ if am_i_root; then
+ if [[ -z "${!var:-}" ]]; then
+ error "The $var environment variable cannot be empty when running as root"
+ exit 1
+ fi
+ else
+ if [[ -n "${!var:-}" ]]; then
+ warn "The $var environment variable will be ignored when running as non-root"
+ fi
+ fi
+ done
+}
+
+########################
+# Initialize NGINX
+# Globals:
+# NGINX_*
+# Arguments:
+# None
+# Returns:
+# None
+#########################
+nginx_initialize() {
+ info "Initializing NGINX..."
+
+ # Persisted configuration files from old versions
+ if [[ -f "$NGINX_VOLUME/conf/nginx.conf" ]]; then
+ error "A 'nginx.conf' file was found inside '${NGINX_VOLUME}/conf'. This configuration is not supported anymore. Please mount the configuration file at '${NGINX_CONFDIR}/nginx.conf' instead."
+ exit 1
+ fi
+ if ! is_dir_empty "$NGINX_VOLUME/conf/vhosts"; then
+ error "Custom server blocks files were found inside '$NGINX_VOLUME/conf/vhosts'. This configuration is not supported anymore. Please mount your custom server blocks config files at '${NGINX_CONFDIR}/server_blocks' instead."
+ exit 1
+ fi
+
+ if am_i_root; then
+ debug "Ensure NGINX daemon user/group exists..."
+ ensure_user_exists "$NGINX_DAEMON_USER" "$NGINX_DAEMON_GROUP"
+ if [[ -n "${NGINX_DAEMON_USER:-}" ]]; then
+ chown -R "${NGINX_DAEMON_USER:-}" "${NGINX_CONFDIR}" "$NGINX_TMPDIR"
+ fi
+ fi
+
+ debug "Updating 'nginx.conf' based on user configuration..."
+ if [[ -n "${NGINX_HTTP_PORT_NUMBER:-}" ]]; then
+ nginx_config_http_port "${NGINX_HTTP_PORT_NUMBER}"
+ fi
+}
diff --git a/bitnami/nginx/1.14/ol-7/rootfs/prepare.sh b/bitnami/nginx/1.14/ol-7/rootfs/prepare.sh
new file mode 100755
index 000000000000..f71811f45aca
--- /dev/null
+++ b/bitnami/nginx/1.14/ol-7/rootfs/prepare.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# shellcheck disable=SC1091
+
+# Load libraries
+. /libnginx.sh
+. /libfs.sh
+
+# Load NGINX environment variables
+eval "$(nginx_env)"
+
+# Ensure non-root user has write permissions on a set of directories
+for dir in "/bitnami" "$NGINX_VOLUME" "${NGINX_CONFDIR}/server_blocks" "${NGINX_CONFDIR}/bitnami" "$NGINX_BASEDIR" "$NGINX_TMPDIR"; do
+ ensure_dir_exists "$dir"
+done
+chmod -R g+rwX "$NGINX_VOLUME" "$NGINX_CONFDIR" "$NGINX_TMPDIR"
+# Configure default HTTP port
+nginx_config_http_port
+# Unset HTTP_PROXY header to protect vs HTTPPOXY vulnerability
+nginx_patch_httpoxy_vulnerability
+# Prepare directories for users to mount its static files and certificates
+nginx_prepare_directories
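Review bot: The wait loop that closes `nginx_start` in the ol-7 libnginx.sh leaves on its first pass, because `counter` starts at 3 and `if [[ "$counter" -ne 0 ]]; then break` is immediately true, so the function returns without waiting for the pid file; the test should be `if [[ "$counter" -eq 0 ]]; then`. `nginx_patch_httpoxy_vulnerability` only appends to `fastcgi_params`, so it protects FastCGI backends that include that file; for the reverse-proxy setup the README describes, the matching line is `proxy_set_header Proxy "";`, and the function comment should say which case is covered. In `nginx_config_http_port` the `sed` target `${NGINX_CONFDIR}/nginx.conf` is unquoted and `${http_port}` goes into the replacement unchecked, so quote the path and reject non-numeric values inside the function rather than relying on `nginx_validate` having run. The rhel-7 copy of libnginx.sh added later in this patch has the same lines.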
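Review bot: prepare.sh is the only new script here that does not start with `set -o errexit`, `set -o nounset` and `set -o pipefail`, although it runs at image build time through `RUN /prepare.sh`. If `ensure_dir_exists`, the `sed` inside `nginx_config_http_port` or the append inside `nginx_patch_httpoxy_vulnerability` fails, the script carries on and only the status of the last command decides the build, so an image can ship without the port or HTTP_PROXY change and nobody is told. Add the same three `set -o` lines that entrypoint.sh, run.sh and setup.sh begin with. `chmod -R g+rwX` also leaves `$NGINX_CONFDIR` group-writable; if that is required for platforms that run the container under an arbitrary UID, a comment saying so would help the next reader.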
diff --git a/bitnami/nginx/1.14/ol-7/rootfs/run.sh b/bitnami/nginx/1.14/ol-7/rootfs/run.sh
new file mode 100755
index 000000000000..c5e6ed3933ac
--- /dev/null
+++ b/bitnami/nginx/1.14/ol-7/rootfs/run.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+#set -o xtrace
+# shellcheck disable=SC1091
+
+# Load libraries
+. /liblog.sh
+. /libnginx.sh
+
+# Load NGINX environment variables
+eval "$(nginx_env)"
+
+info "** Starting NGINX **"
+if am_i_root; then
+ exec gosu "${NGINX_DAEMON_USER}" "${NGINX_BASEDIR}/sbin/nginx" -c "${NGINX_CONFDIR}/nginx.conf" -g "daemon off; user ${NGINX_DAEMON_USER} ${NGINX_DAEMON_GROUP}"
+else
+ exec "${NGINX_BASEDIR}/sbin/nginx" -c "${NGINX_CONFDIR}/nginx.conf" -g "daemon off;"
+fi
diff --git a/bitnami/nginx/1.14/ol-7/rootfs/setup.sh b/bitnami/nginx/1.14/ol-7/rootfs/setup.sh
new file mode 100755
index 000000000000..89e70923cd66
--- /dev/null
+++ b/bitnami/nginx/1.14/ol-7/rootfs/setup.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+#set -o xtrace
+# shellcheck disable=SC1091
+
+# Load libraries
+. /libos.sh
+. /libfs.sh
+. /libnginx.sh
+
+# Load NGINX environment variables
+eval "$(nginx_env)"
+
+# Ensure NGINX environment variables settings are valid
+nginx_validate
+# Ensure NGINX is stopped when this script ends
+trap "nginx_stop" EXIT
+# Initialize NGINX
+nginx_initialize
diff --git a/bitnami/nginx/1.14/rhel-7/rootfs/entrypoint.sh b/bitnami/nginx/1.14/rhel-7/rootfs/entrypoint.sh
new file mode 100755
index 000000000000..e7711dd20490
--- /dev/null
+++ b/bitnami/nginx/1.14/rhel-7/rootfs/entrypoint.sh
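Review bot: In the root branch of run.sh the `-g` string ends with `user ${NGINX_DAEMON_USER} ${NGINX_DAEMON_GROUP}` and has no closing `;`. nginx expects every command-line directive to be terminated, so the container would most likely fail to start when run as root; it should read `-g "daemon off; user ${NGINX_DAEMON_USER} ${NGINX_DAEMON_GROUP};"`. Because the master process is already launched through `gosu "${NGINX_DAEMON_USER}"`, it runs without super-user privileges and nginx will probably ignore the `user` directive with a warning, so pick one mechanism for the privilege drop (gosu or nginx's own `user`) and remove the other. The rhel-7 run.sh listed in this commit's diffstat is outside this view and presumably carries the same line.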
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+#set -o xtrace
+# shellcheck disable=SC1091
+
+# Load libraries
+. /libbitnami.sh
+. /libnginx.sh
+
+# Load NGINX environment variables
+eval "$(nginx_env)"
+
+print_welcome_page
+
+if [[ "$*" = "/run.sh" ]]; then
+ info "** Starting NGINX setup **"
+ /setup.sh
+ info "** NGINX setup finished! **"
+fi
+
+echo ""
+exec "$@"
diff --git a/bitnami/nginx/1.14/rhel-7/rootfs/libnginx.sh b/bitnami/nginx/1.14/rhel-7/rootfs/libnginx.sh
new file mode 100644
index 000000000000..7aa230e3539b
--- /dev/null
+++ b/bitnami/nginx/1.14/rhel-7/rootfs/libnginx.sh
@@ -0,0 +1,221 @@
+#!/bin/bash
+#
+# Bitnami NGINX library
+
+# shellcheck disable=SC1091
+
+# Load Generic Libraries
+. /libfile.sh
+. /liblog.sh
+. /libos.sh
+. /libservice.sh
+. /libvalidations.sh
+
+# Functions
+
+########################
+# Check if NGINX is running
+# Globals:
+# NGINX_TMPDIR
+# Arguments:
+# None
+# Returns:
+# Boolean
+#########################
+is_nginx_running() {
+ local pid
+ pid=$(get_pid_from_file "${NGINX_TMPDIR}/nginx.pid")
+
+ if [[ -z "$pid" ]]; then
+ false
+ else
+ is_service_running "$pid"
+ fi
+}
+
+########################
+# Stop NGINX
+# Globals:
+# NGINX_TMPDIR
+# Arguments:
+# None
+# Returns:
+# None
+#########################
+nginx_stop() {
+ ! is_nginx_running && return
+ debug "Stopping NGINX..."
+ stop_service_using_pid "${NGINX_TMPDIR}/nginx.pid"
+}
+
+########################
+# Start NGINX and wait until it's ready
+# Globals:
+# NGINX_*
+# Arguments:
+# None
+# Returns:
+# None
+#########################
+nginx_start() {
+ is_nginx_running && return
+ debug "Starting NGIX..."
+ if am_i_root; then
+ gosu "${NGINX_DAEMON_USER}" "${NGINX_BASEDIR}/sbin/nginx" -c "${NGINX_CONFDIR}/nginx.conf"
+ else
+ "${NGINX_BASEDIR}/sbin/nginx" -c "${NGINX_CONFDIR}/nginx.conf"
+ fi
+
+ local counter=3
+ while ! is_nginx_running ; do
+ if [[ "$counter" -ne 0 ]]; then
+ break
+ fi
+ sleep 1;
+ counter=$((counter - 1))
+ done
+}
+
+########################
+# Load global variables used on NGINX configuration
+# Globals:
+# NGINX_*
+# Arguments:
+# None
+# Returns:
+# Series of exports to be used as 'eval' arguments
+#########################
+nginx_env() {
+ cat <<"EOF"
+export NGINX_BASEDIR="/opt/bitnami/nginx"
+export NGINX_VOLUME="/bitnami/nginx"
+export NGINX_EXTRAS_DIR="/opt/bitnami/extra/nginx"
+export NGINX_TEMPLATES_DIR="${NGINX_EXTRAS_DIR}/templates"
+export NGINX_TMPDIR="${NGINX_BASEDIR}/tmp"
+export NGINX_CONFDIR="${NGINX_BASEDIR}/conf"
+export NGINX_LOGDIR="${NGINX_BASEDIR}/logs"
+export PATH="${NGINX_BASEDIR}/sbin:$PATH"
+EOF
+}
+
+########################
+# Configure default HTTP port
+# Globals:
+# NGINX_CONFDIR
+# Arguments:
+# $1 - (optionl) HTTP Port
+# Returns:
+# None
+#########################
+nginx_config_http_port() {
+ local http_port=${1:-8080}
+ debug "Configuring default HTTP port..."
+ # TODO: find an appropriate NGINX parser to avoid 'sed calls'
+ sed -i -r "s/(listen\s+)[0-9]{1,5};/\1${http_port};/g" ${NGINX_CONFDIR}/nginx.conf
+}
+
+########################
+# Unset HTTP_PROXY header to protect vs HTTPPOXY vulnerability
+# Ref: https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-httpoxy-vulnerability
+# Globals:
+# NGINX_*
+# Arguments:
+# None
+# Returns:
+# None
+#########################
+nginx_patch_httpoxy_vulnerability() {
+ debug "Unsetting HTTP_PROXY header..."
+ echo '# Unset the HTTP_PROXY header' >> "${NGINX_CONFDIR}/fastcgi_params"
+ echo 'fastcgi_param HTTP_PROXY "";' >> "${NGINX_CONFDIR}/fastcgi_params"
+}
+
+########################
+# Prepare directories for users to mount its static files and certificates
+# Globals:
+# NGINX_*
+# Arguments:
+# None
+# Returns:
+# None
+#########################
+nginx_prepare_directories() {
+ # Users can mount their html sites at /app
+ mv "${NGINX_BASEDIR}/html" /app
+ ln -sf /app "${NGINX_BASEDIR}/html"
+ # Users can mount their certificates at /certs
+ ln -sf /certs "${NGINX_CONFDIR}/bitnami/certs"
+ # Fix to avoid issues for those using the old structure (vhosts)
+ ln -sf "${NGINX_CONFDIR}/server_blocks" "${NGINX_CONFDIR}/vhosts"
+}
+
+########################
+# Validate settings in NGINX_* env vars
+# Globals:
+# NGINX_*
+# Arguments:
+# None
+# Returns:
+# None
+#########################
+nginx_validate() {
+ info "Validating settings in NGINX_* env vars..."
+
+ local validate_port_args=()
+ ! am_i_root && validate_port_args+=("-unprivileged")
+ if [[ -n "${NGINX_HTTP_PORT_NUMBER:-}" ]]; then
+ if ! err=$(validate_port "${validate_port_args[@]}" "${NGINX_HTTP_PORT_NUMBER:-}"); then
+ error "An invalid port was specified in the environment variable NGINX_HTTP_PORT_NUMBER: $err"
+ exit 1
+ fi
+ fi
+
+ for var in "NGINX_DAEMON_USER" "NGINX_DAEMON_GROUP"; do
+ if am_i_root; then
+ if [[ -z "${!var:-}" ]]; then
+ error "The $var environment variable cannot be empty when running as root"
+ exit 1
+ fi
+ else
+ if [[ -n "${!var:-}" ]]; then
+ warn "The $var environment variable will be ignored when running as non-root"
+ fi
+ fi
+ done
+}
+
+########################
+# Initialize NGINX
+# Globals:
+# NGINX_*
+# Arguments:
+# None
+# Returns:
+# None
+#########################
+nginx_initialize() {
+ info "Initializing NGINX..."
+
+ # Persisted configuration files from old versions
+ if [[ -f "$NGINX_VOLUME/conf/nginx.conf" ]]; then
+ error "A 'nginx.conf' file was found inside '${NGINX_VOLUME}/conf'. This configuration is not supported anymore. Please mount the configuration file at '${NGINX_CONFDIR}/nginx.conf' instead."
+ exit 1
+ fi
+ if ! is_dir_empty "$NGINX_VOLUME/conf/vhosts"; then
+ error "Custom server blocks files were found inside '$NGINX_VOLUME/conf/vhosts'. This configuration is not supported anymore. Please mount your custom server blocks config files at '${NGINX_CONFDIR}/server_blocks' instead."
+ exit 1
+ fi
+
+ if am_i_root; then
+ debug "Ensure NGINX daemon user/group exists..."
+ ensure_user_exists "$NGINX_DAEMON_USER" "$NGINX_DAEMON_GROUP"
+ if [[ -n "${NGINX_DAEMON_USER:-}" ]]; then
+ chown -R "${NGINX_DAEMON_USER:-}" "${NGINX_CONFDIR}" "$NGINX_TMPDIR"
+ fi
+ fi
+
+ debug "Updating 'nginx.conf' based on user configuration..."
+ if [[ -n "${NGINX_HTTP_PORT_NUMBER:-}" ]]; then
+ nginx_config_http_port "${NGINX_HTTP_PORT_NUMBER}"
+ fi
+}
diff --git a/bitnami/nginx/1.14/rhel-7/rootfs/prepare.sh b/bitnami/nginx/1.14/rhel-7/rootfs/prepare.sh
new file mode 100755
index 000000000000..f71811f45aca
--- /dev/null
+++ b/bitnami/nginx/1.14/rhel-7/rootfs/prepare.sh
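Review bot: The wait loop in `nginx_start` has its exit test inverted: `counter` starts at 3, so `[[ "$counter" -ne 0 ]]` is true on the first pass and the loop breaks before it ever sleeps, which means the function returns without waiting for the PID file to appear. The test should read `if [[ "$counter" -eq 0 ]]; then`. In `nginx_config_http_port`, `$1` is pasted into the sed program and `${NGINX_CONFDIR}/nginx.conf` is unquoted; the only check on `NGINX_HTTP_PORT_NUMBER` is `validate_port` in `nginx_validate`, whose body is not in this patch, so a local guard such as `[[ "$http_port" =~ ^[0-9]+$ ]] || return 1` plus quoting the path would keep the function safe for any caller. The debug message `"Starting NGIX..."` is also misspelled.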
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# shellcheck disable=SC1091
+
+# Load libraries
+. /libnginx.sh
+. /libfs.sh
+
+# Load NGINX environment variables
+eval "$(nginx_env)"
+
+# Ensure non-root user has write permissions on a set of directories
+for dir in "/bitnami" "$NGINX_VOLUME" "${NGINX_CONFDIR}/server_blocks" "${NGINX_CONFDIR}/bitnami" "$NGINX_BASEDIR" "$NGINX_TMPDIR"; do
+ ensure_dir_exists "$dir"
+done
+chmod -R g+rwX "$NGINX_VOLUME" "$NGINX_CONFDIR" "$NGINX_TMPDIR"
+# Configure default HTTP port
+nginx_config_http_port
+# Unset HTTP_PROXY header to protect vs HTTPPOXY vulnerability
+nginx_patch_httpoxy_vulnerability
+# Prepare directories for users to mount its static files and certificates
+nginx_prepare_directories
diff --git a/bitnami/nginx/1.14/rhel-7/rootfs/run.sh b/bitnami/nginx/1.14/rhel-7/rootfs/run.sh
new file mode 100755
index 000000000000..c5e6ed3933ac
--- /dev/null
+++ b/bitnami/nginx/1.14/rhel-7/rootfs/run.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+#set -o xtrace
+# shellcheck disable=SC1091
+
+# Load libraries
+. /liblog.sh
+. /libnginx.sh
+
+# Load NGINX environment variables
+eval "$(nginx_env)"
+
+info "** Starting NGINX **"
+if am_i_root; then
+ exec gosu "${NGINX_DAEMON_USER}" "${NGINX_BASEDIR}/sbin/nginx" -c "${NGINX_CONFDIR}/nginx.conf" -g "daemon off; user ${NGINX_DAEMON_USER} ${NGINX_DAEMON_GROUP}"
+else
+ exec "${NGINX_BASEDIR}/sbin/nginx" -c "${NGINX_CONFDIR}/nginx.conf" -g "daemon off;"
+fi
diff --git a/bitnami/nginx/1.14/rhel-7/rootfs/setup.sh b/bitnami/nginx/1.14/rhel-7/rootfs/setup.sh
new file mode 100755
index 000000000000..89e70923cd66
--- /dev/null
+++ b/bitnami/nginx/1.14/rhel-7/rootfs/setup.sh
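Review bot: prepare.sh is the only script in this patch without `set -o errexit`, `set -o nounset` and `set -o pipefail`, so a failed `chmod`, `sed` or `mv` in the steps it calls is ignored and the script's exit status is just that of the last `ln -sf` in `nginx_prepare_directories`. The Dockerfiles shown further down this page invoke it as `RUN /prepare.sh`, so a broken permission or httpoxy step would still produce an image. Adding the same three `set -o` lines used in setup.sh, right after the `# shellcheck` line, makes the build fail instead.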
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+#set -o xtrace
+# shellcheck disable=SC1091
+
+# Load libraries
+. /libos.sh
+. /libfs.sh
+. /libnginx.sh
+
+# Load NGINX environment variables
+eval "$(nginx_env)"
+
+# Ensure NGINX environment variables settings are valid
+nginx_validate
+# Ensure NGINX is stopped when this script ends
+trap "nginx_stop" EXIT
+# Initialize NGINX
+nginx_initialize
From c6f37d929c8cd4b3a6a419e5e7c9062d9bc76946 Mon Sep 17 00:00:00 2001
From: Marcos Bjoerkelund Date: Fri, 26 Apr 2019 09:52:29 +0200 Subject: [PATCH 3/9] Apply suggestions from Marcos review Co-Authored-By: juan131
---
bitnami/nginx/README.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/bitnami/nginx/README.md b/bitnami/nginx/README.md
index ad8c709719c3..a1d683ea1883 100644
--- a/bitnami/nginx/README.md
+++ b/bitnami/nginx/README.md
@@ -291,7 +291,7 @@ $ docker-compose logs nginx You can configure the containers [logging driver](https://docs.docker.com/engine/admin/logging/overview/) using the `--log-driver` option if you wish to consume the container logs differently. In the default configuration docker uses the `json-file` driver. -# Understand this image structure +# Understand the structure of this image The Bitnami NGINX Docker image is built using a Dockerfile with the structure below: 
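Review bot: The `set -o nounset` in setup.sh interacts badly with `nginx_validate` in libnginx.sh on older bash: when running as root `validate_port_args` stays empty, and bash before 4.4 treats `"${validate_port_args[@]}"` on an empty array as an unbound variable, so the command substitution fails and a valid `NGINX_HTTP_PORT_NUMBER` is reported as invalid. Which bash the ol-7 and rhel-7 base images ship is not visible in this patch, so that needs checking there. The portable form inside `nginx_validate` is `${validate_port_args[@]+"${validate_port_args[@]}"}`. The ol-7 copy of setup.sh earlier in this patch is identical.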
@@ -325,13 +325,13 @@ We can identify several sections within the Dockerfile: - A section where the entrypoint and command used to start the service are declared. - Take into account these actions are not executed until the container is started. -# Customizing Bitnami NGINX Docker Image +# Customizing the Bitnami NGINX Docker image The Bitnami NGINX Docker image is designed to be extended so it can be used as the base image for your custom web applications. > Note: It's recommended to read the [previous section](./#understand-this-image-structure) to understand the Dockerfile structure, before extending this image. -## Extending the Bitnami NGINX Docker Image +## Extending the Bitnami NGINX Docker image Before extending this image, please note there are certain configuration settings you can modify using the original image: @@ -348,12 +348,12 @@ FROM bitnami/nginx ... ``` -On this example, we provide an extended wit the following modifications: +In this example, we provide an extended with the following modifications: - Install `vim` editor. -- Modify the NGINX configuration. +- Modify the NGINX configuration file. - Modify the ports used by NGINX. -- Modify the container user. +- Change the user that runs the container. ```Dockerfile FROM bitnami/nginx From 4e1128ac696f88f77edaada6c4002d09377244ed Mon Sep 17 00:00:00 2001 
From: juan131 Date: Fri, 26 Apr 2019 10:13:40 +0200 Subject: [PATCH 4/9] Apply Marcos suggestions + moving to NGINX 1.16 --- bitnami/nginx/1.14/debian-9/Dockerfile | 28 --- .../nginx/1.14/debian-9/docker-compose.yml | 9 - .../nginx/1.14/debian-9/rootfs/entrypoint.sh | 25 -- .../nginx/1.14/debian-9/rootfs/libnginx.sh | 221 ------------------ bitnami/nginx/1.14/debian-9/rootfs/prepare.sh | 22 -- bitnami/nginx/1.14/debian-9/rootfs/run.sh | 21 -- bitnami/nginx/1.14/debian-9/rootfs/setup.sh | 22 -- bitnami/nginx/1.14/ol-7/Dockerfile | 28 --- bitnami/nginx/1.14/ol-7/docker-compose.yml | 9 - bitnami/nginx/1.14/ol-7/rootfs/entrypoint.sh | 25 -- bitnami/nginx/1.14/ol-7/rootfs/libnginx.sh | 221 ------------------ bitnami/nginx/1.14/ol-7/rootfs/prepare.sh | 22 -- bitnami/nginx/1.14/ol-7/rootfs/run.sh | 21 -- bitnami/nginx/1.14/ol-7/rootfs/setup.sh | 22 -- bitnami/nginx/1.14/rhel-7/Dockerfile | 28 --- bitnami/nginx/1.14/rhel-7/docker-compose.yml | 13 -- .../nginx/1.14/rhel-7/rootfs/entrypoint.sh | 25 -- bitnami/nginx/1.14/rhel-7/rootfs/libnginx.sh | 221 ------------------ bitnami/nginx/1.14/rhel-7/rootfs/prepare.sh | 22 -- bitnami/nginx/1.14/rhel-7/rootfs/run.sh | 21 -- bitnami/nginx/1.14/rhel-7/rootfs/setup.sh | 22 -- bitnami/nginx/1.16/debian-9/Dockerfile | 14 +- .../nginx/1.16/debian-9/docker-compose.yml | 2 + .../nginx/1.16/debian-9/rootfs/libnginx.sh | 102 +++++--- .../1.16/debian-9/rootfs/nginx-inputs.json | 6 - .../extra/nginx/templates/nginx.conf.tpl | 64 ----- bitnami/nginx/1.16/debian-9/rootfs/prepare.sh | 18 +- bitnami/nginx/1.16/debian-9/rootfs/run.sh | 4 +- bitnami/nginx/1.16/debian-9/rootfs/setup.sh | 3 +- bitnami/nginx/1.16/ol-7/Dockerfile | 14 +- bitnami/nginx/1.16/ol-7/docker-compose.yml | 2 + bitnami/nginx/1.16/ol-7/rootfs/libnginx.sh | 102 +++++--- .../nginx/1.16/ol-7/rootfs/nginx-inputs.json | 6 - .../extra/nginx/templates/nginx.conf.tpl | 64 ----- bitnami/nginx/1.16/ol-7/rootfs/prepare.sh | 18 +- bitnami/nginx/1.16/ol-7/rootfs/run.sh | 4 +- 
bitnami/nginx/1.16/ol-7/rootfs/setup.sh | 3 +- bitnami/nginx/README.md | 20 +- 38 files changed, 199 insertions(+), 1295 deletions(-) delete mode 100644 bitnami/nginx/1.14/debian-9/Dockerfile delete mode 100644 bitnami/nginx/1.14/debian-9/docker-compose.yml delete mode 100755 bitnami/nginx/1.14/debian-9/rootfs/entrypoint.sh delete mode 100644 bitnami/nginx/1.14/debian-9/rootfs/libnginx.sh delete mode 100755 bitnami/nginx/1.14/debian-9/rootfs/prepare.sh delete mode 100755 bitnami/nginx/1.14/debian-9/rootfs/run.sh delete mode 100755 bitnami/nginx/1.14/debian-9/rootfs/setup.sh delete mode 100644 bitnami/nginx/1.14/ol-7/Dockerfile delete mode 100644 bitnami/nginx/1.14/ol-7/docker-compose.yml delete mode 100755 bitnami/nginx/1.14/ol-7/rootfs/entrypoint.sh delete mode 100644 bitnami/nginx/1.14/ol-7/rootfs/libnginx.sh delete mode 100755 bitnami/nginx/1.14/ol-7/rootfs/prepare.sh delete mode 100755 bitnami/nginx/1.14/ol-7/rootfs/run.sh delete mode 100755 bitnami/nginx/1.14/ol-7/rootfs/setup.sh delete mode 100644 bitnami/nginx/1.14/rhel-7/Dockerfile delete mode 100644 bitnami/nginx/1.14/rhel-7/docker-compose.yml delete mode 100755 bitnami/nginx/1.14/rhel-7/rootfs/entrypoint.sh delete mode 100644 bitnami/nginx/1.14/rhel-7/rootfs/libnginx.sh delete mode 100755 bitnami/nginx/1.14/rhel-7/rootfs/prepare.sh delete mode 100755 bitnami/nginx/1.14/rhel-7/rootfs/run.sh delete mode 100755 bitnami/nginx/1.14/rhel-7/rootfs/setup.sh delete mode 100644 bitnami/nginx/1.16/debian-9/rootfs/nginx-inputs.json delete mode 100644 bitnami/nginx/1.16/debian-9/rootfs/opt/bitnami/extra/nginx/templates/nginx.conf.tpl delete mode 100644 bitnami/nginx/1.16/ol-7/rootfs/nginx-inputs.json delete mode 100644 bitnami/nginx/1.16/ol-7/rootfs/opt/bitnami/extra/nginx/templates/nginx.conf.tpl diff --git a/bitnami/nginx/1.14/debian-9/Dockerfile b/bitnami/nginx/1.14/debian-9/Dockerfile deleted file mode 100644 index 48330dde1cdc..000000000000 --- a/bitnami/nginx/1.14/debian-9/Dockerfile +++ /dev/null 
@@ -1,28 +0,0 @@ -FROM bitnami/minideb-extras-base:stretch-r229 -LABEL maintainer "Bitnami " - -ENV BITNAMI_PKG_CHMOD="-R g+rwX" \ - HOME="/" \ - OS_ARCH="amd64" \ - OS_FLAVOUR="debian-9" \ - OS_NAME="linux" - -# Install required system packages and dependencies -RUN install_packages libc6 libpcre3 libssl1.1 zlib1g -RUN . ./libcomponent.sh && component_unpack "nginx" "1.14.2-21" --checksum 73c924db078bebc7173aa5a596036285d1da41cbe985d1e4cc024f681e6dca52 - -COPY rootfs / -RUN /prepare.sh - -ENV BITNAMI_APP_NAME="nginx" \ - BITNAMI_IMAGE_VERSION="1.14.2-debian-9-r125" \ - NAMI_PREFIX="/.nami" \ - PATH="/opt/bitnami/nginx/sbin:$PATH" - -EXPOSE 8080 8443 -VOLUME [ "/app" "/certs" ] -WORKDIR /app -USER 1001 - -ENTRYPOINT [ "/entrypoint.sh" ] -CMD [ "/run.sh" ] diff --git a/bitnami/nginx/1.14/debian-9/docker-compose.yml b/bitnami/nginx/1.14/debian-9/docker-compose.yml deleted file mode 100644 index bc81b8e95be9..000000000000 --- a/bitnami/nginx/1.14/debian-9/docker-compose.yml +++ /dev/null @@ -1,9 +0,0 @@ -version: '2' - -services: - nginx: - image: 'bitnami/nginx:1.14' - ports: - - '80:8080' - environment: - - NGINX_HTTP_PORT_NUMBER=8080 diff --git a/bitnami/nginx/1.14/debian-9/rootfs/entrypoint.sh b/bitnami/nginx/1.14/debian-9/rootfs/entrypoint.sh deleted file mode 100755 index e7711dd20490..000000000000 --- a/bitnami/nginx/1.14/debian-9/rootfs/entrypoint.sh +++ /dev/null @@ -1,25 +0,0 @@ -#!/bin/bash - -set -o errexit -set -o nounset -set -o pipefail -#set -o xtrace -# shellcheck disable=SC1091 - -# Load libraries -. /libbitnami.sh -. /libnginx.sh - -# Load NGINX environment variables -eval "$(nginx_env)" - -print_welcome_page - -if [[ "$*" = "/run.sh" ]]; then - info "** Starting NGINX setup **" - /setup.sh - info "** NGINX setup finished! **" -fi - -echo "" -exec "$@" diff --git a/bitnami/nginx/1.14/debian-9/rootfs/libnginx.sh b/bitnami/nginx/1.14/debian-9/rootfs/libnginx.sh deleted file mode 100644 index 7aa230e3539b..000000000000 
--- a/bitnami/nginx/1.14/debian-9/rootfs/libnginx.sh +++ /dev/null 
@@ -1,221 +0,0 @@ -#!/bin/bash -# -# Bitnami NGINX library - -# shellcheck disable=SC1091 - -# Load Generic Libraries -. /libfile.sh -. /liblog.sh -. /libos.sh -. /libservice.sh -. /libvalidations.sh - -# Functions - -######################## -# Check if NGINX is running -# Globals: -# NGINX_TMPDIR -# Arguments: -# None -# Returns: -# Boolean -######################### -is_nginx_running() { - local pid - pid=$(get_pid_from_file "${NGINX_TMPDIR}/nginx.pid") - - if [[ -z "$pid" ]]; then - false - else - is_service_running "$pid" - fi -} - -######################## -# Stop NGINX -# Globals: -# NGINX_TMPDIR -# Arguments: -# None -# Returns: -# None -######################### -nginx_stop() { - ! is_nginx_running && return - debug "Stopping NGINX..." - stop_service_using_pid "${NGINX_TMPDIR}/nginx.pid" -} - -######################## -# Start NGINX and wait until it's ready -# Globals: -# NGINX_* -# Arguments: -# None -# Returns: -# None -######################### -nginx_start() { - is_nginx_running && return - debug "Starting NGIX..." - if am_i_root; then - gosu "${NGINX_DAEMON_USER}" "${NGINX_BASEDIR}/sbin/nginx" -c "${NGINX_CONFDIR}/nginx.conf" - else - "${NGINX_BASEDIR}/sbin/nginx" -c "${NGINX_CONFDIR}/nginx.conf" - fi - - local counter=3 - while ! 
is_nginx_running ; do - if [[ "$counter" -ne 0 ]]; then - break - fi - sleep 1; - counter=$((counter - 1)) - done -} - -######################## -# Load global variables used on NGINX configuration -# Globals: -# NGINX_* -# Arguments: -# None -# Returns: -# Series of exports to be used as 'eval' arguments -######################### -nginx_env() { - cat <<"EOF" -export NGINX_BASEDIR="/opt/bitnami/nginx" -export NGINX_VOLUME="/bitnami/nginx" -export NGINX_EXTRAS_DIR="/opt/bitnami/extra/nginx" -export NGINX_TEMPLATES_DIR="${NGINX_EXTRAS_DIR}/templates" -export NGINX_TMPDIR="${NGINX_BASEDIR}/tmp" -export NGINX_CONFDIR="${NGINX_BASEDIR}/conf" -export NGINX_LOGDIR="${NGINX_BASEDIR}/logs" -export PATH="${NGINX_BASEDIR}/sbin:$PATH" -EOF -} - -######################## -# Configure default HTTP port -# Globals: -# NGINX_CONFDIR -# Arguments: -# $1 - (optionl) HTTP Port -# Returns: -# None -######################### -nginx_config_http_port() { - local http_port=${1:-8080} - debug "Configuring default HTTP port..." - # TODO: find an appropriate NGINX parser to avoid 'sed calls' - sed -i -r "s/(listen\s+)[0-9]{1,5};/\1${http_port};/g" ${NGINX_CONFDIR}/nginx.conf -} - -######################## -# Unset HTTP_PROXY header to protect vs HTTPPOXY vulnerability -# Ref: https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-httpoxy-vulnerability -# Globals: -# NGINX_* -# Arguments: -# None -# Returns: -# None -######################### -nginx_patch_httpoxy_vulnerability() { - debug "Unsetting HTTP_PROXY header..." 
- echo '# Unset the HTTP_PROXY header' >> "${NGINX_CONFDIR}/fastcgi_params" - echo 'fastcgi_param HTTP_PROXY "";' >> "${NGINX_CONFDIR}/fastcgi_params" -} - -######################## -# Prepare directories for users to mount its static files and certificates -# Globals: -# NGINX_* -# Arguments: -# None -# Returns: -# None -######################### -nginx_prepare_directories() { - # Users can mount their html sites at /app - mv "${NGINX_BASEDIR}/html" /app - ln -sf /app "${NGINX_BASEDIR}/html" - # Users can mount their certificates at /certs - ln -sf /certs "${NGINX_CONFDIR}/bitnami/certs" - # Fix to avoid issues for those using the old structure (vhosts) - ln -sf "${NGINX_CONFDIR}/server_blocks" "${NGINX_CONFDIR}/vhosts" -} - -######################## -# Validate settings in NGINX_* env vars -# Globals: -# NGINX_* -# Arguments: -# None -# Returns: -# None -######################### -nginx_validate() { - info "Validating settings in NGINX_* env vars..." - - local validate_port_args=() - ! am_i_root && validate_port_args+=("-unprivileged") - if [[ -n "${NGINX_HTTP_PORT_NUMBER:-}" ]]; then - if ! err=$(validate_port "${validate_port_args[@]}" "${NGINX_HTTP_PORT_NUMBER:-}"); then - error "An invalid port was specified in the environment variable NGINX_HTTP_PORT_NUMBER: $err" - exit 1 - fi - fi - - for var in "NGINX_DAEMON_USER" "NGINX_DAEMON_GROUP"; do - if am_i_root; then - if [[ -z "${!var:-}" ]]; then - error "The $var environment variable cannot be empty when running as root" - exit 1 - fi - else - if [[ -n "${!var:-}" ]]; then - warn "The $var environment variable will be ignored when running as non-root" - fi - fi - done -} - -######################## -# Initialize NGINX -# Globals: -# NGINX_* -# Arguments: -# None -# Returns: -# None -######################### -nginx_initialize() { - info "Initializing NGINX..." 
- - # Persisted configuration files from old versions - if [[ -f "$NGINX_VOLUME/conf/nginx.conf" ]]; then - error "A 'nginx.conf' file was found inside '${NGINX_VOLUME}/conf'. This configuration is not supported anymore. Please mount the configuration file at '${NGINX_CONFDIR}/nginx.conf' instead." - exit 1 - fi - if ! is_dir_empty "$NGINX_VOLUME/conf/vhosts"; then - error "Custom server blocks files were found inside '$NGINX_VOLUME/conf/vhosts'. This configuration is not supported anymore. Please mount your custom server blocks config files at '${NGINX_CONFDIR}/server_blocks' instead." - exit 1 - fi - - if am_i_root; then - debug "Ensure NGINX daemon user/group exists..." - ensure_user_exists "$NGINX_DAEMON_USER" "$NGINX_DAEMON_GROUP" - if [[ -n "${NGINX_DAEMON_USER:-}" ]]; then - chown -R "${NGINX_DAEMON_USER:-}" "${NGINX_CONFDIR}" "$NGINX_TMPDIR" - fi - fi - - debug "Updating 'nginx.conf' based on user configuration..." - if [[ -n "${NGINX_HTTP_PORT_NUMBER:-}" ]]; then - nginx_config_http_port "${NGINX_HTTP_PORT_NUMBER}" - fi -} diff --git a/bitnami/nginx/1.14/debian-9/rootfs/prepare.sh b/bitnami/nginx/1.14/debian-9/rootfs/prepare.sh deleted file mode 100755 index f71811f45aca..000000000000 --- a/bitnami/nginx/1.14/debian-9/rootfs/prepare.sh +++ /dev/null 
@@ -1,22 +0,0 @@ -#!/bin/bash - -# shellcheck disable=SC1091 - -# Load libraries -. /libnginx.sh -. /libfs.sh - -# Load NGINX environment variables -eval "$(nginx_env)" - -# Ensure non-root user has write permissions on a set of directories -for dir in "/bitnami" "$NGINX_VOLUME" "${NGINX_CONFDIR}/server_blocks" "${NGINX_CONFDIR}/bitnami" "$NGINX_BASEDIR" "$NGINX_TMPDIR"; do - ensure_dir_exists "$dir" -done -chmod -R g+rwX "$NGINX_VOLUME" "$NGINX_CONFDIR" "$NGINX_TMPDIR" -# Configure default HTTP port -nginx_config_http_port -# Unset HTTP_PROXY header to protect vs HTTPPOXY vulnerability -nginx_patch_httpoxy_vulnerability -# Prepare directories for users to mount its static files and certificates -nginx_prepare_directories diff --git a/bitnami/nginx/1.14/debian-9/rootfs/run.sh b/bitnami/nginx/1.14/debian-9/rootfs/run.sh deleted file mode 100755 index c5e6ed3933ac..000000000000 --- a/bitnami/nginx/1.14/debian-9/rootfs/run.sh +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash - -set -o errexit -set -o nounset -set -o pipefail -#set -o xtrace -# shellcheck disable=SC1091 - -# Load libraries -. /liblog.sh -. /libnginx.sh - -# Load NGINX environment variables -eval "$(nginx_env)" - -info "** Starting NGINX **" -if am_i_root; then - exec gosu "${NGINX_DAEMON_USER}" "${NGINX_BASEDIR}/sbin/nginx" -c "${NGINX_CONFDIR}/nginx.conf" -g "daemon off; user ${NGINX_DAEMON_USER} ${NGINX_DAEMON_GROUP}" -else - exec "${NGINX_BASEDIR}/sbin/nginx" -c "${NGINX_CONFDIR}/nginx.conf" -g "daemon off;" -fi diff --git a/bitnami/nginx/1.14/debian-9/rootfs/setup.sh b/bitnami/nginx/1.14/debian-9/rootfs/setup.sh deleted file mode 100755 index 89e70923cd66..000000000000 --- a/bitnami/nginx/1.14/debian-9/rootfs/setup.sh +++ /dev/null 
@@ -1,22 +0,0 @@ -#!/bin/bash - -set -o errexit -set -o nounset -set -o pipefail -#set -o xtrace -# shellcheck disable=SC1091 - -# Load libraries -. /libos.sh -. /libfs.sh -. /libnginx.sh - -# Load NGINX environment variables -eval "$(nginx_env)" - -# Ensure NGINX environment variables settings are valid -nginx_validate -# Ensure NGINX is stopped when this script ends -trap "nginx_stop" EXIT -# Initialize NGINX -nginx_initialize diff --git a/bitnami/nginx/1.14/ol-7/Dockerfile b/bitnami/nginx/1.14/ol-7/Dockerfile deleted file mode 100644 index 3c4d72213849..000000000000 --- a/bitnami/nginx/1.14/ol-7/Dockerfile +++ /dev/null @@ -1,28 +0,0 @@ -FROM bitnami/oraclelinux-extras-base:7-r267 -LABEL maintainer "Bitnami " - -ENV BITNAMI_PKG_CHMOD="-R g+rwX" \ - HOME="/" \ - OS_ARCH="x86_64" \ - OS_FLAVOUR="ol-7" \ - OS_NAME="linux" - -# Install required system packages and dependencies -RUN install_packages glibc keyutils-libs krb5-libs libcom_err libselinux nss-softokn-freebl openssl-libs pcre zlib -RUN . ./libcomponent.sh && component_unpack "nginx" "1.14.2-21" --checksum d4d907cc0c038a32cb7fe0d681552f469a5d6c2af51d12fe83c710f250c2e463 - -COPY rootfs / -RUN /prepare.sh - -ENV BITNAMI_APP_NAME="nginx" \ - BITNAMI_IMAGE_VERSION="1.14.2-ol-7-r131" \ - NAMI_PREFIX="/.nami" \ - PATH="/opt/bitnami/nginx/sbin:$PATH" - -EXPOSE 8080 8443 -VOLUME [ "/app" "/certs" ] -WORKDIR /app -USER 1001 - -ENTRYPOINT [ "/entrypoint.sh" ] -CMD [ "/run.sh" ] diff --git a/bitnami/nginx/1.14/ol-7/docker-compose.yml b/bitnami/nginx/1.14/ol-7/docker-compose.yml deleted file mode 100644 index 1e3512d62308..000000000000 --- a/bitnami/nginx/1.14/ol-7/docker-compose.yml +++ /dev/null @@ -1,9 +0,0 @@ -version: '2' - -services: - nginx: - image: 'bitnami/nginx:1.14-ol-7' - ports: - - '80:8080' - environment: - - NGINX_HTTP_PORT_NUMBER=8080 diff --git a/bitnami/nginx/1.14/ol-7/rootfs/entrypoint.sh b/bitnami/nginx/1.14/ol-7/rootfs/entrypoint.sh deleted file mode 100755 index e7711dd20490..000000000000 
--- a/bitnami/nginx/1.14/ol-7/rootfs/entrypoint.sh +++ /dev/null @@ -1,25 +0,0 @@ -#!/bin/bash - -set -o errexit -set -o nounset -set -o pipefail -#set -o xtrace -# shellcheck disable=SC1091 - -# Load libraries -. /libbitnami.sh -. /libnginx.sh - -# Load NGINX environment variables -eval "$(nginx_env)" - -print_welcome_page - -if [[ "$*" = "/run.sh" ]]; then - info "** Starting NGINX setup **" - /setup.sh - info "** NGINX setup finished! **" -fi - -echo "" -exec "$@" diff --git a/bitnami/nginx/1.14/ol-7/rootfs/libnginx.sh b/bitnami/nginx/1.14/ol-7/rootfs/libnginx.sh deleted file mode 100644 index 7aa230e3539b..000000000000 --- a/bitnami/nginx/1.14/ol-7/rootfs/libnginx.sh +++ /dev/null 
@@ -1,221 +0,0 @@ -#!/bin/bash -# -# Bitnami NGINX library - -# shellcheck disable=SC1091 - -# Load Generic Libraries -. /libfile.sh -. /liblog.sh -. /libos.sh -. /libservice.sh -. /libvalidations.sh - -# Functions - -######################## -# Check if NGINX is running -# Globals: -# NGINX_TMPDIR -# Arguments: -# None -# Returns: -# Boolean -######################### -is_nginx_running() { - local pid - pid=$(get_pid_from_file "${NGINX_TMPDIR}/nginx.pid") - - if [[ -z "$pid" ]]; then - false - else - is_service_running "$pid" - fi -} - -######################## -# Stop NGINX -# Globals: -# NGINX_TMPDIR -# Arguments: -# None -# Returns: -# None -######################### -nginx_stop() { - ! is_nginx_running && return - debug "Stopping NGINX..." - stop_service_using_pid "${NGINX_TMPDIR}/nginx.pid" -} - -######################## -# Start NGINX and wait until it's ready -# Globals: -# NGINX_* -# Arguments: -# None -# Returns: -# None -######################### -nginx_start() { - is_nginx_running && return - debug "Starting NGIX..." - if am_i_root; then - gosu "${NGINX_DAEMON_USER}" "${NGINX_BASEDIR}/sbin/nginx" -c "${NGINX_CONFDIR}/nginx.conf" - else - "${NGINX_BASEDIR}/sbin/nginx" -c "${NGINX_CONFDIR}/nginx.conf" - fi - - local counter=3 - while ! 
is_nginx_running ; do - if [[ "$counter" -ne 0 ]]; then - break - fi - sleep 1; - counter=$((counter - 1)) - done -} - -######################## -# Load global variables used on NGINX configuration -# Globals: -# NGINX_* -# Arguments: -# None -# Returns: -# Series of exports to be used as 'eval' arguments -######################### -nginx_env() { - cat <<"EOF" -export NGINX_BASEDIR="/opt/bitnami/nginx" -export NGINX_VOLUME="/bitnami/nginx" -export NGINX_EXTRAS_DIR="/opt/bitnami/extra/nginx" -export NGINX_TEMPLATES_DIR="${NGINX_EXTRAS_DIR}/templates" -export NGINX_TMPDIR="${NGINX_BASEDIR}/tmp" -export NGINX_CONFDIR="${NGINX_BASEDIR}/conf" -export NGINX_LOGDIR="${NGINX_BASEDIR}/logs" -export PATH="${NGINX_BASEDIR}/sbin:$PATH" -EOF -} - -######################## -# Configure default HTTP port -# Globals: -# NGINX_CONFDIR -# Arguments: -# $1 - (optionl) HTTP Port -# Returns: -# None -######################### -nginx_config_http_port() { - local http_port=${1:-8080} - debug "Configuring default HTTP port..." - # TODO: find an appropriate NGINX parser to avoid 'sed calls' - sed -i -r "s/(listen\s+)[0-9]{1,5};/\1${http_port};/g" ${NGINX_CONFDIR}/nginx.conf -} - -######################## -# Unset HTTP_PROXY header to protect vs HTTPPOXY vulnerability -# Ref: https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-httpoxy-vulnerability -# Globals: -# NGINX_* -# Arguments: -# None -# Returns: -# None -######################### -nginx_patch_httpoxy_vulnerability() { - debug "Unsetting HTTP_PROXY header..." 
- echo '# Unset the HTTP_PROXY header' >> "${NGINX_CONFDIR}/fastcgi_params" - echo 'fastcgi_param HTTP_PROXY "";' >> "${NGINX_CONFDIR}/fastcgi_params" -} - -######################## -# Prepare directories for users to mount its static files and certificates -# Globals: -# NGINX_* -# Arguments: -# None -# Returns: -# None -######################### -nginx_prepare_directories() { - # Users can mount their html sites at /app - mv "${NGINX_BASEDIR}/html" /app - ln -sf /app "${NGINX_BASEDIR}/html" - # Users can mount their certificates at /certs - ln -sf /certs "${NGINX_CONFDIR}/bitnami/certs" - # Fix to avoid issues for those using the old structure (vhosts) - ln -sf "${NGINX_CONFDIR}/server_blocks" "${NGINX_CONFDIR}/vhosts" -} - -######################## -# Validate settings in NGINX_* env vars -# Globals: -# NGINX_* -# Arguments: -# None -# Returns: -# None -######################### -nginx_validate() { - info "Validating settings in NGINX_* env vars..." - - local validate_port_args=() - ! am_i_root && validate_port_args+=("-unprivileged") - if [[ -n "${NGINX_HTTP_PORT_NUMBER:-}" ]]; then - if ! err=$(validate_port "${validate_port_args[@]}" "${NGINX_HTTP_PORT_NUMBER:-}"); then - error "An invalid port was specified in the environment variable NGINX_HTTP_PORT_NUMBER: $err" - exit 1 - fi - fi - - for var in "NGINX_DAEMON_USER" "NGINX_DAEMON_GROUP"; do - if am_i_root; then - if [[ -z "${!var:-}" ]]; then - error "The $var environment variable cannot be empty when running as root" - exit 1 - fi - else - if [[ -n "${!var:-}" ]]; then - warn "The $var environment variable will be ignored when running as non-root" - fi - fi - done -} - -######################## -# Initialize NGINX -# Globals: -# NGINX_* -# Arguments: -# None -# Returns: -# None -######################### -nginx_initialize() { - info "Initializing NGINX..." 
- - # Persisted configuration files from old versions - if [[ -f "$NGINX_VOLUME/conf/nginx.conf" ]]; then - error "A 'nginx.conf' file was found inside '${NGINX_VOLUME}/conf'. This configuration is not supported anymore. Please mount the configuration file at '${NGINX_CONFDIR}/nginx.conf' instead." - exit 1 - fi - if ! is_dir_empty "$NGINX_VOLUME/conf/vhosts"; then - error "Custom server blocks files were found inside '$NGINX_VOLUME/conf/vhosts'. This configuration is not supported anymore. Please mount your custom server blocks config files at '${NGINX_CONFDIR}/server_blocks' instead." - exit 1 - fi - - if am_i_root; then - debug "Ensure NGINX daemon user/group exists..." - ensure_user_exists "$NGINX_DAEMON_USER" "$NGINX_DAEMON_GROUP" - if [[ -n "${NGINX_DAEMON_USER:-}" ]]; then - chown -R "${NGINX_DAEMON_USER:-}" "${NGINX_CONFDIR}" "$NGINX_TMPDIR" - fi - fi - - debug "Updating 'nginx.conf' based on user configuration..." - if [[ -n "${NGINX_HTTP_PORT_NUMBER:-}" ]]; then - nginx_config_http_port "${NGINX_HTTP_PORT_NUMBER}" - fi -} diff --git a/bitnami/nginx/1.14/ol-7/rootfs/prepare.sh b/bitnami/nginx/1.14/ol-7/rootfs/prepare.sh deleted file mode 100755 index f71811f45aca..000000000000 --- a/bitnami/nginx/1.14/ol-7/rootfs/prepare.sh +++ /dev/null @@ -1,22 +0,0 @@ -#!/bin/bash - -# shellcheck disable=SC1091 - -# Load libraries -. /libnginx.sh -. /libfs.sh - -# Load NGINX environment variables -eval "$(nginx_env)" - -# Ensure non-root user has write permissions on a set of directories -for dir in "/bitnami" "$NGINX_VOLUME" "${NGINX_CONFDIR}/server_blocks" "${NGINX_CONFDIR}/bitnami" "$NGINX_BASEDIR" "$NGINX_TMPDIR"; do - ensure_dir_exists "$dir" -done -chmod -R g+rwX "$NGINX_VOLUME" "$NGINX_CONFDIR" "$NGINX_TMPDIR" -# Configure default HTTP port -nginx_config_http_port -# Unset HTTP_PROXY header to protect vs HTTPPOXY vulnerability -nginx_patch_httpoxy_vulnerability -# Prepare directories for users to mount its static files and certificates -nginx_prepare_directories 
diff --git a/bitnami/nginx/1.14/ol-7/rootfs/run.sh b/bitnami/nginx/1.14/ol-7/rootfs/run.sh deleted file mode 100755 index c5e6ed3933ac..000000000000 --- a/bitnami/nginx/1.14/ol-7/rootfs/run.sh +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash - -set -o errexit -set -o nounset -set -o pipefail -#set -o xtrace -# shellcheck disable=SC1091 - -# Load libraries -. /liblog.sh -. /libnginx.sh - -# Load NGINX environment variables -eval "$(nginx_env)" - -info "** Starting NGINX **" -if am_i_root; then - exec gosu "${NGINX_DAEMON_USER}" "${NGINX_BASEDIR}/sbin/nginx" -c "${NGINX_CONFDIR}/nginx.conf" -g "daemon off; user ${NGINX_DAEMON_USER} ${NGINX_DAEMON_GROUP}" -else - exec "${NGINX_BASEDIR}/sbin/nginx" -c "${NGINX_CONFDIR}/nginx.conf" -g "daemon off;" -fi diff --git a/bitnami/nginx/1.14/ol-7/rootfs/setup.sh b/bitnami/nginx/1.14/ol-7/rootfs/setup.sh deleted file mode 100755 index 89e70923cd66..000000000000 --- a/bitnami/nginx/1.14/ol-7/rootfs/setup.sh +++ /dev/null @@ -1,22 +0,0 @@ -#!/bin/bash - -set -o errexit -set -o nounset -set -o pipefail -#set -o xtrace -# shellcheck disable=SC1091 - -# Load libraries -. /libos.sh -. /libfs.sh -. /libnginx.sh - -# Load NGINX environment variables -eval "$(nginx_env)" - -# Ensure NGINX environment variables settings are valid -nginx_validate -# Ensure NGINX is stopped when this script ends -trap "nginx_stop" EXIT -# Initialize NGINX -nginx_initialize diff --git a/bitnami/nginx/1.14/rhel-7/Dockerfile b/bitnami/nginx/1.14/rhel-7/Dockerfile deleted file mode 100644 index a51be19ea298..000000000000 --- a/bitnami/nginx/1.14/rhel-7/Dockerfile +++ /dev/null 
@@ -1,28 +0,0 @@ -FROM registry.rhc4tp.openshift.com/bitnami/rhel-extras-base-7:latest -LABEL maintainer "Bitnami " - -ENV BITNAMI_PKG_CHMOD="-R g+rwX" \ - HOME="/" \ - OS_ARCH="x86_64" \ - OS_FLAVOUR="rhel-7" \ - OS_NAME="linux" - -# Install required system packages and dependencies -RUN install_packages glibc keyutils-libs krb5-libs libcom_err libselinux nss-softokn-freebl openssl-libs pcre zlib -RUN . ./libcomponent.sh && component_unpack "nginx" "1.14.2-20" --checksum 10e7ce1e441ca0e949b16cb3a3f21338bd61fea074f62ad947aa135d5e824ef0 - -COPY rootfs / -RUN /prepare.sh - -ENV BITNAMI_APP_NAME="nginx" \ - BITNAMI_IMAGE_VERSION="1.14.2-rhel-7-r79" \ - NAMI_PREFIX="/.nami" \ - PATH="/opt/bitnami/nginx/sbin:$PATH" - -EXPOSE 8080 8443 -VOLUME [ "/app" "/certs" ] -WORKDIR /app -USER 1001 - -ENTRYPOINT [ "/entrypoint.sh" ] -CMD [ "/run.sh" ] diff --git a/bitnami/nginx/1.14/rhel-7/docker-compose.yml b/bitnami/nginx/1.14/rhel-7/docker-compose.yml deleted file mode 100644 index b010958aa959..000000000000 --- a/bitnami/nginx/1.14/rhel-7/docker-compose.yml +++ /dev/null @@ -1,13 +0,0 @@ -version: '2' - -services: - nginx: - # Force docker-compose to use a comprehensive name for the image - image: bitnami_nginx:1.14-rhel-7 - # Build action should be successful from any RHEL Host system running the Docker service with subscription managed registered - # + info: https://access.redhat.com/solutions/253273 - build: . - ports: - - '80:8080' - environment: - - NGINX_HTTP_PORT_NUMBER=8080 diff --git a/bitnami/nginx/1.14/rhel-7/rootfs/entrypoint.sh b/bitnami/nginx/1.14/rhel-7/rootfs/entrypoint.sh deleted file mode 100755 index e7711dd20490..000000000000 --- a/bitnami/nginx/1.14/rhel-7/rootfs/entrypoint.sh +++ /dev/null 
@@ -1,25 +0,0 @@ -#!/bin/bash - -set -o errexit -set -o nounset -set -o pipefail -#set -o xtrace -# shellcheck disable=SC1091 - -# Load libraries -. /libbitnami.sh -. /libnginx.sh - -# Load NGINX environment variables -eval "$(nginx_env)" - -print_welcome_page - -if [[ "$*" = "/run.sh" ]]; then - info "** Starting NGINX setup **" - /setup.sh - info "** NGINX setup finished! **" -fi - -echo "" -exec "$@" diff --git a/bitnami/nginx/1.14/rhel-7/rootfs/libnginx.sh b/bitnami/nginx/1.14/rhel-7/rootfs/libnginx.sh deleted file mode 100644 index 7aa230e3539b..000000000000 --- a/bitnami/nginx/1.14/rhel-7/rootfs/libnginx.sh +++ /dev/null 
@@ -1,221 +0,0 @@ -#!/bin/bash -# -# Bitnami NGINX library - -# shellcheck disable=SC1091 - -# Load Generic Libraries -. /libfile.sh -. /liblog.sh -. /libos.sh -. /libservice.sh -. /libvalidations.sh - -# Functions - -######################## -# Check if NGINX is running -# Globals: -# NGINX_TMPDIR -# Arguments: -# None -# Returns: -# Boolean -######################### -is_nginx_running() { - local pid - pid=$(get_pid_from_file "${NGINX_TMPDIR}/nginx.pid") - - if [[ -z "$pid" ]]; then - false - else - is_service_running "$pid" - fi -} - -######################## -# Stop NGINX -# Globals: -# NGINX_TMPDIR -# Arguments: -# None -# Returns: -# None -######################### -nginx_stop() { - ! is_nginx_running && return - debug "Stopping NGINX..." - stop_service_using_pid "${NGINX_TMPDIR}/nginx.pid" -} - -######################## -# Start NGINX and wait until it's ready -# Globals: -# NGINX_* -# Arguments: -# None -# Returns: -# None -######################### -nginx_start() { - is_nginx_running && return - debug "Starting NGIX..." - if am_i_root; then - gosu "${NGINX_DAEMON_USER}" "${NGINX_BASEDIR}/sbin/nginx" -c "${NGINX_CONFDIR}/nginx.conf" - else - "${NGINX_BASEDIR}/sbin/nginx" -c "${NGINX_CONFDIR}/nginx.conf" - fi - - local counter=3 - while ! 
is_nginx_running ; do - if [[ "$counter" -ne 0 ]]; then - break - fi - sleep 1; - counter=$((counter - 1)) - done -} - -######################## -# Load global variables used on NGINX configuration -# Globals: -# NGINX_* -# Arguments: -# None -# Returns: -# Series of exports to be used as 'eval' arguments -######################### -nginx_env() { - cat <<"EOF" -export NGINX_BASEDIR="/opt/bitnami/nginx" -export NGINX_VOLUME="/bitnami/nginx" -export NGINX_EXTRAS_DIR="/opt/bitnami/extra/nginx" -export NGINX_TEMPLATES_DIR="${NGINX_EXTRAS_DIR}/templates" -export NGINX_TMPDIR="${NGINX_BASEDIR}/tmp" -export NGINX_CONFDIR="${NGINX_BASEDIR}/conf" -export NGINX_LOGDIR="${NGINX_BASEDIR}/logs" -export PATH="${NGINX_BASEDIR}/sbin:$PATH" -EOF -} - -######################## -# Configure default HTTP port -# Globals: -# NGINX_CONFDIR -# Arguments: -# $1 - (optionl) HTTP Port -# Returns: -# None -######################### -nginx_config_http_port() { - local http_port=${1:-8080} - debug "Configuring default HTTP port..." - # TODO: find an appropriate NGINX parser to avoid 'sed calls' - sed -i -r "s/(listen\s+)[0-9]{1,5};/\1${http_port};/g" ${NGINX_CONFDIR}/nginx.conf -} - -######################## -# Unset HTTP_PROXY header to protect vs HTTPPOXY vulnerability -# Ref: https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-httpoxy-vulnerability -# Globals: -# NGINX_* -# Arguments: -# None -# Returns: -# None -######################### -nginx_patch_httpoxy_vulnerability() { - debug "Unsetting HTTP_PROXY header..." 
- echo '# Unset the HTTP_PROXY header' >> "${NGINX_CONFDIR}/fastcgi_params" - echo 'fastcgi_param HTTP_PROXY "";' >> "${NGINX_CONFDIR}/fastcgi_params" -} - -######################## -# Prepare directories for users to mount its static files and certificates -# Globals: -# NGINX_* -# Arguments: -# None -# Returns: -# None -######################### -nginx_prepare_directories() { - # Users can mount their html sites at /app - mv "${NGINX_BASEDIR}/html" /app - ln -sf /app "${NGINX_BASEDIR}/html" - # Users can mount their certificates at /certs - ln -sf /certs "${NGINX_CONFDIR}/bitnami/certs" - # Fix to avoid issues for those using the old structure (vhosts) - ln -sf "${NGINX_CONFDIR}/server_blocks" "${NGINX_CONFDIR}/vhosts" -} - -######################## -# Validate settings in NGINX_* env vars -# Globals: -# NGINX_* -# Arguments: -# None -# Returns: -# None -######################### -nginx_validate() { - info "Validating settings in NGINX_* env vars..." - - local validate_port_args=() - ! am_i_root && validate_port_args+=("-unprivileged") - if [[ -n "${NGINX_HTTP_PORT_NUMBER:-}" ]]; then - if ! err=$(validate_port "${validate_port_args[@]}" "${NGINX_HTTP_PORT_NUMBER:-}"); then - error "An invalid port was specified in the environment variable NGINX_HTTP_PORT_NUMBER: $err" - exit 1 - fi - fi - - for var in "NGINX_DAEMON_USER" "NGINX_DAEMON_GROUP"; do - if am_i_root; then - if [[ -z "${!var:-}" ]]; then - error "The $var environment variable cannot be empty when running as root" - exit 1 - fi - else - if [[ -n "${!var:-}" ]]; then - warn "The $var environment variable will be ignored when running as non-root" - fi - fi - done -} - -######################## -# Initialize NGINX -# Globals: -# NGINX_* -# Arguments: -# None -# Returns: -# None -######################### -nginx_initialize() { - info "Initializing NGINX..." 
- - # Persisted configuration files from old versions - if [[ -f "$NGINX_VOLUME/conf/nginx.conf" ]]; then - error "A 'nginx.conf' file was found inside '${NGINX_VOLUME}/conf'. This configuration is not supported anymore. Please mount the configuration file at '${NGINX_CONFDIR}/nginx.conf' instead." - exit 1 - fi - if ! is_dir_empty "$NGINX_VOLUME/conf/vhosts"; then - error "Custom server blocks files were found inside '$NGINX_VOLUME/conf/vhosts'. This configuration is not supported anymore. Please mount your custom server blocks config files at '${NGINX_CONFDIR}/server_blocks' instead." - exit 1 - fi - - if am_i_root; then - debug "Ensure NGINX daemon user/group exists..." - ensure_user_exists "$NGINX_DAEMON_USER" "$NGINX_DAEMON_GROUP" - if [[ -n "${NGINX_DAEMON_USER:-}" ]]; then - chown -R "${NGINX_DAEMON_USER:-}" "${NGINX_CONFDIR}" "$NGINX_TMPDIR" - fi - fi - - debug "Updating 'nginx.conf' based on user configuration..." - if [[ -n "${NGINX_HTTP_PORT_NUMBER:-}" ]]; then - nginx_config_http_port "${NGINX_HTTP_PORT_NUMBER}" - fi -} diff --git a/bitnami/nginx/1.14/rhel-7/rootfs/prepare.sh b/bitnami/nginx/1.14/rhel-7/rootfs/prepare.sh deleted file mode 100755 index f71811f45aca..000000000000 --- a/bitnami/nginx/1.14/rhel-7/rootfs/prepare.sh +++ /dev/null 
@@ -1,22 +0,0 @@ -#!/bin/bash - -# shellcheck disable=SC1091 - -# Load libraries -. /libnginx.sh -. /libfs.sh - -# Load NGINX environment variables -eval "$(nginx_env)" - -# Ensure non-root user has write permissions on a set of directories -for dir in "/bitnami" "$NGINX_VOLUME" "${NGINX_CONFDIR}/server_blocks" "${NGINX_CONFDIR}/bitnami" "$NGINX_BASEDIR" "$NGINX_TMPDIR"; do - ensure_dir_exists "$dir" -done -chmod -R g+rwX "$NGINX_VOLUME" "$NGINX_CONFDIR" "$NGINX_TMPDIR" -# Configure default HTTP port -nginx_config_http_port -# Unset HTTP_PROXY header to protect vs HTTPPOXY vulnerability -nginx_patch_httpoxy_vulnerability -# Prepare directories for users to mount its static files and certificates -nginx_prepare_directories diff --git a/bitnami/nginx/1.14/rhel-7/rootfs/run.sh b/bitnami/nginx/1.14/rhel-7/rootfs/run.sh deleted file mode 100755 index c5e6ed3933ac..000000000000 --- a/bitnami/nginx/1.14/rhel-7/rootfs/run.sh +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash - -set -o errexit -set -o nounset -set -o pipefail -#set -o xtrace -# shellcheck disable=SC1091 - -# Load libraries -. /liblog.sh -. /libnginx.sh - -# Load NGINX environment variables -eval "$(nginx_env)" - -info "** Starting NGINX **" -if am_i_root; then - exec gosu "${NGINX_DAEMON_USER}" "${NGINX_BASEDIR}/sbin/nginx" -c "${NGINX_CONFDIR}/nginx.conf" -g "daemon off; user ${NGINX_DAEMON_USER} ${NGINX_DAEMON_GROUP}" -else - exec "${NGINX_BASEDIR}/sbin/nginx" -c "${NGINX_CONFDIR}/nginx.conf" -g "daemon off;" -fi diff --git a/bitnami/nginx/1.14/rhel-7/rootfs/setup.sh b/bitnami/nginx/1.14/rhel-7/rootfs/setup.sh deleted file mode 100755 index 89e70923cd66..000000000000 --- a/bitnami/nginx/1.14/rhel-7/rootfs/setup.sh +++ /dev/null 
@@ -1,22 +0,0 @@ -#!/bin/bash - -set -o errexit -set -o nounset -set -o pipefail -#set -o xtrace -# shellcheck disable=SC1091 - -# Load libraries -. /libos.sh -. /libfs.sh -. /libnginx.sh - -# Load NGINX environment variables -eval "$(nginx_env)" - -# Ensure NGINX environment variables settings are valid -nginx_validate -# Ensure NGINX is stopped when this script ends -trap "nginx_stop" EXIT -# Initialize NGINX -nginx_initialize diff --git a/bitnami/nginx/1.16/debian-9/Dockerfile b/bitnami/nginx/1.16/debian-9/Dockerfile index 3d7dfe1d33d3..900a29c1c743 100644 --- a/bitnami/nginx/1.16/debian-9/Dockerfile +++ b/bitnami/nginx/1.16/debian-9/Dockerfile @@ -2,7 +2,6 @@ FROM bitnami/minideb-extras-base:stretch-r231 LABEL maintainer "Bitnami " ENV BITNAMI_PKG_CHMOD="-R g+rwX" \ - BITNAMI_PKG_EXTRA_DIRS="/bitnami/nginx/conf" \ HOME="/" \ OS_ARCH="amd64" \ OS_FLAVOUR="debian-9" \ @@ -11,24 +10,19 @@ ENV BITNAMI_PKG_CHMOD="-R g+rwX" \ # Install required system packages and dependencies RUN install_packages libc6 libpcre3 libssl1.1 zlib1g RUN . ./libcomponent.sh && component_unpack "nginx" "1.16.0-0" --checksum b08c5b2a428e2e54726d47e290102496780db1ddd4a0a67bed82da6c34e56784 -RUN ln -sf /opt/bitnami/nginx/html /app -RUN ln -sf /dev/stdout /opt/bitnami/nginx/logs/access.log -RUN ln -sf /dev/stderr /opt/bitnami/nginx/logs/error.log COPY rootfs / RUN /prepare.sh + ENV BITNAMI_APP_NAME="nginx" \ BITNAMI_IMAGE_VERSION="1.16.0-debian-9-r0" \ NAMI_PREFIX="/.nami" \ - NGINX_DAEMON_GROUP="" \ - NGINX_DAEMON_USER="" \ - NGINX_HTTPS_PORT_NUMBER="443" \ - NGINX_HTTP_PORT_NUMBER="8080" \ PATH="/opt/bitnami/nginx/sbin:$PATH" -EXPOSE 8080 - +EXPOSE 8080 8443 +VOLUME [ "/app" "/certs" ] WORKDIR /app USER 1001 + ENTRYPOINT [ "/entrypoint.sh" ] CMD [ "/run.sh" ] diff --git a/bitnami/nginx/1.16/debian-9/docker-compose.yml b/bitnami/nginx/1.16/debian-9/docker-compose.yml index 0141de336e39..99327593e03a 100644 --- a/bitnami/nginx/1.16/debian-9/docker-compose.yml 
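Review bot: The added `VOLUME [ "/app" "/certs" ]` has no comma between the two paths, so it is not a valid JSON array. Docker then falls back to the whitespace-separated string form, which is likely to declare stray volumes for the `[` and `]` tokens alongside the intended ones. Write it as `VOLUME [ "/app", "/certs" ]` or `VOLUME /app /certs`, and confirm with `docker inspect` on the built image that only `/app` and `/certs` are declared. The same line is added in the 1.16/ol-7 Dockerfile hunk.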
+++ b/bitnami/nginx/1.16/debian-9/docker-compose.yml @@ -5,3 +5,5 @@ services: image: 'bitnami/nginx:1.16' ports: - '80:8080' + environment: + - NGINX_HTTP_PORT_NUMBER=8080 diff --git a/bitnami/nginx/1.16/debian-9/rootfs/libnginx.sh b/bitnami/nginx/1.16/debian-9/rootfs/libnginx.sh index c20297d4738c..7aa230e3539b 100644 --- a/bitnami/nginx/1.16/debian-9/rootfs/libnginx.sh +++ b/bitnami/nginx/1.16/debian-9/rootfs/libnginx.sh @@ -61,7 +61,7 @@ nginx_start() { is_nginx_running && return debug "Starting NGIX..." if am_i_root; then - gosu "$NGINX_DAEMON_USER" "${NGINX_BASEDIR}/sbin/nginx" -c "${NGINX_CONFDIR}/nginx.conf" + gosu "${NGINX_DAEMON_USER}" "${NGINX_BASEDIR}/sbin/nginx" -c "${NGINX_CONFDIR}/nginx.conf" else "${NGINX_BASEDIR}/sbin/nginx" -c "${NGINX_CONFDIR}/nginx.conf" fi 
@@ -98,6 +98,57 @@ export PATH="${NGINX_BASEDIR}/sbin:$PATH" EOF } +######################## +# Configure default HTTP port +# Globals: +# NGINX_CONFDIR +# Arguments: +# $1 - (optionl) HTTP Port +# Returns: +# None +######################### +nginx_config_http_port() { + local http_port=${1:-8080} + debug "Configuring default HTTP port..." + # TODO: find an appropriate NGINX parser to avoid 'sed calls' + sed -i -r "s/(listen\s+)[0-9]{1,5};/\1${http_port};/g" ${NGINX_CONFDIR}/nginx.conf +} + +######################## +# Unset HTTP_PROXY header to protect vs HTTPPOXY vulnerability +# Ref: https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-httpoxy-vulnerability +# Globals: +# NGINX_* +# Arguments: +# None +# Returns: +# None +######################### +nginx_patch_httpoxy_vulnerability() { + debug "Unsetting HTTP_PROXY header..." + echo '# Unset the HTTP_PROXY header' >> "${NGINX_CONFDIR}/fastcgi_params" + echo 'fastcgi_param HTTP_PROXY "";' >> "${NGINX_CONFDIR}/fastcgi_params" +} + +######################## +# Prepare directories for users to mount its static files and certificates +# Globals: +# NGINX_* +# Arguments: +# None +# Returns: +# None +######################### +nginx_prepare_directories() { + # Users can mount their html sites at /app + mv "${NGINX_BASEDIR}/html" /app + ln -sf /app "${NGINX_BASEDIR}/html" + # Users can mount their certificates at /certs + ln -sf /certs "${NGINX_CONFDIR}/bitnami/certs" + # Fix to avoid issues for those using the old structure (vhosts) + ln -sf "${NGINX_CONFDIR}/server_blocks" "${NGINX_CONFDIR}/vhosts" +} + ######################## # Validate settings in NGINX_* env vars # Globals: 
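Review bot: In `nginx_config_http_port` the port value is spliced straight into the sed program and the target path is unquoted, so the function is only safe when every caller has already validated its argument. The visible callers pass either nothing (default 8080) or `NGINX_HTTP_PORT_NUMBER` after `nginx_validate`, but the library function would be more robust with its own guard such as `[[ "$http_port" =~ ^[0-9]{1,5}$ ]] || return 1` and with `"${NGINX_CONFDIR}/nginx.conf"` quoted. The `/g` substitution also rewrites every `listen <port>;` directive in the file, so distinct ports in a user-mounted nginx.conf collapse to one value. The same hunk is repeated for 1.16/ol-7/rootfs/libnginx.sh.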
@@ -112,19 +163,21 @@ nginx_validate() { local validate_port_args=() ! am_i_root && validate_port_args+=("-unprivileged") - if ! err=$(validate_port "${validate_port_args[@]}" "$NGINX_HTTP_PORT_NUMBER"); then - error "An invalid port was specified in the environment variable NGINX_HTTP_PORT_NUMBER: $err" - exit 1 + if [[ -n "${NGINX_HTTP_PORT_NUMBER:-}" ]]; then + if ! err=$(validate_port "${validate_port_args[@]}" "${NGINX_HTTP_PORT_NUMBER:-}"); then + error "An invalid port was specified in the environment variable NGINX_HTTP_PORT_NUMBER: $err" + exit 1 + fi fi for var in "NGINX_DAEMON_USER" "NGINX_DAEMON_GROUP"; do if am_i_root; then - if [[ -z "${!var}" ]]; then + if [[ -z "${!var:-}" ]]; then error "The $var environment variable cannot be empty when running as root" exit 1 fi else - if [[ -n "${!var}" ]]; then + if [[ -n "${!var:-}" ]]; then warn "The $var environment variable will be ignored when running as non-root" fi fi @@ -132,7 +185,7 @@ nginx_validate() { } ######################## -# Ensure NGINX is initialized +# Initialize NGINX # Globals: # NGINX_* # Arguments: 
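Review bot: `nginx_validate` still only checks that NGINX_DAEMON_USER and NGINX_DAEMON_GROUP are non-empty when running as root, while this commit starts interpolating both into the nginx `-g` directive string in run.sh. Anything other than a plain account name would be parsed by nginx as part of its global configuration, so the loop should also check the format, e.g. `[[ "${!var}" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]*$ ]]`, and exit with an error otherwise. `err` and `var` are also assigned without `local` and leak into the caller's scope; `local err var` next to `validate_port_args` fixes that. The function starts and ends outside this hunk, and the same hunk appears for 1.16/ol-7.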
@@ -145,29 +198,24 @@ nginx_initialize() { # Persisted configuration files from old versions if [[ -f "$NGINX_VOLUME/conf/nginx.conf" ]]; then - warn "'nginx.conf' was found in a legacy location: ${NGINX_VOLUME}/conf/nginx.conf" - warn " Please use ${NGINX_CONFDIR}/nginx.conf instead" - debug "Moving 'nginx.conf' file to new location..." - cp "$NGINX_VOLUME/conf/nginx.conf" "$NGINX_CONFDIR/nginx.conf" + error "A 'nginx.conf' file was found inside '${NGINX_VOLUME}/conf'. This configuration is not supported anymore. Please mount the configuration file at '${NGINX_CONFDIR}/nginx.conf' instead." + exit 1 fi if ! is_dir_empty "$NGINX_VOLUME/conf/vhosts"; then - warn "Custom vhosts config files were found in a legacy directory: $NGINX_VOLUME/conf/vhosts" - warn " Please use ${NGINX_CONFDIR}/vhosts instead" - debug "Moving vhosts config files to new location..." - cp -r "$NGINX_VOLUME/conf/vhosts" "$NGINX_CONFDIR" + error "Custom server blocks files were found inside '$NGINX_VOLUME/conf/vhosts'. This configuration is not supported anymore. Please mount your custom server blocks config files at '${NGINX_CONFDIR}/server_blocks' instead." + exit 1 fi - if [[ -e "${NGINX_CONFDIR}/nginx.conf" ]]; then - debug "Custom configuration detected. Using it..." - return - else - debug "'nginx.conf' not found. Applying bitnami configuration..." - debug "Ensuring expected directories/files exist..." - for dir in "$NGINX_TMPDIR" "$NGINX_CONFDIR" "${NGINX_CONFDIR}/vhosts"; do - ensure_dir_exists "$dir" "$NGINX_DAEMON_USER" - done - debug "Rendering 'nginx.conf.tpl' template..." - render-template "${NGINX_TEMPLATES_DIR}/nginx.conf.tpl" > "${NGINX_CONFDIR}/nginx.conf" - echo 'fastcgi_param HTTP_PROXY "";' >> "${NGINX_CONFDIR}/fastcgi_params" + if am_i_root; then + debug "Ensure NGINX daemon user/group exists..." 
+ ensure_user_exists "$NGINX_DAEMON_USER" "$NGINX_DAEMON_GROUP" + if [[ -n "${NGINX_DAEMON_USER:-}" ]]; then + chown -R "${NGINX_DAEMON_USER:-}" "${NGINX_CONFDIR}" "$NGINX_TMPDIR" + fi + fi + + debug "Updating 'nginx.conf' based on user configuration..." + if [[ -n "${NGINX_HTTP_PORT_NUMBER:-}" ]]; then + nginx_config_http_port "${NGINX_HTTP_PORT_NUMBER}" fi } diff --git a/bitnami/nginx/1.16/debian-9/rootfs/nginx-inputs.json b/bitnami/nginx/1.16/debian-9/rootfs/nginx-inputs.json deleted file mode 100644 index 47ac7e683346..000000000000 --- a/bitnami/nginx/1.16/debian-9/rootfs/nginx-inputs.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "httpPort": "{{$global.env.NGINX_HTTP_PORT_NUMBER}}", - "httpsPort": "{{$global.env.NGINX_HTTPS_PORT_NUMBER}}", - "systemGroup": "{{$global.env.NGINX_DAEMON_GROUP}}", - "systemUser": "{{$global.env.NGINX_DAEMON_USER}}" -} \ No newline at end of file diff --git a/bitnami/nginx/1.16/debian-9/rootfs/opt/bitnami/extra/nginx/templates/nginx.conf.tpl b/bitnami/nginx/1.16/debian-9/rootfs/opt/bitnami/extra/nginx/templates/nginx.conf.tpl deleted file mode 100644 index baa4c22a3107..000000000000 --- a/bitnami/nginx/1.16/debian-9/rootfs/opt/bitnami/extra/nginx/templates/nginx.conf.tpl +++ /dev/null 
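Review bot: The new `chown -R "${NGINX_DAEMON_USER:-}" "${NGINX_CONFDIR}" "$NGINX_TMPDIR"` gives the account nginx runs as ownership of its own configuration tree, which is more than this hunk shows it needing. The port rewrite just below runs in the same setup process, and the daemon presumably only has to read `nginx.conf`. Consider limiting the ownership change to `"$NGINX_TMPDIR"` and leaving the configuration directory root-owned and readable, so a compromised worker cannot alter server blocks or `fastcgi_params`. The `-n` guard is also redundant, because `ensure_user_exists "$NGINX_DAEMON_USER" ...` on the previous line already expands the variable unguarded. `nginx_initialize` begins before this hunk, and the 1.16/ol-7 copy has the same lines.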
@@ -1,64 +0,0 @@ -# based on http://brainspl.at/nginx.conf.txt - -{{#if NGINX_DAEMON_USER}}{{#if NGINX_DAEMON_GROUP}} -user {{NGINX_DAEMON_USER}} {{NGINX_DAEMON_GROUP}}; -{{/if}}{{/if}} - -worker_processes auto; - -error_log "{{NGINX_LOGDIR}}/error.log"; -pid "{{NGINX_TMPDIR}}/nginx.pid"; - -events { - worker_connections 1024; -} - -http { - include mime.types; - default_type application/octet-stream; - - add_header X-Frame-Options SAMEORIGIN; - client_body_temp_path "{{NGINX_TMPDIR}}/client_body" 1 2; - proxy_temp_path "{{NGINX_TMPDIR}}/proxy" 1 2; - fastcgi_temp_path "{{NGINX_TMPDIR}}/fastcgi" 1 2; - scgi_temp_path "{{NGINX_TMPDIR}}/scgi" 1 2; - uwsgi_temp_path "{{NGINX_TMPDIR}}/uwsgi" 1 2; - - log_format main '$remote_addr - $remote_user [$time_local] ' - '"$request" $status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log "{{NGINX_LOGDIR}}/access.log"; - - # no sendfile on OSX - sendfile on; - - tcp_nopush on; - tcp_nodelay off; - - #keepalive_timeout 0; - keepalive_timeout 65; - gzip on; - gzip_http_version 1.0; - gzip_comp_level 2; - gzip_proxied any; - gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript; - - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - - include "{{NGINX_CONFDIR}}/vhosts/*.conf"; - - # HTTP Server - server { - # port to listen on. Can also be set to an IP:PORT - listen {{NGINX_HTTP_PORT_NUMBER}}; - - location /status { - stub_status on; - access_log off; - allow 127.0.0.1; - deny all; - } - } -} - diff --git a/bitnami/nginx/1.16/debian-9/rootfs/prepare.sh b/bitnami/nginx/1.16/debian-9/rootfs/prepare.sh index 6429b926d20c..f71811f45aca 100755 --- a/bitnami/nginx/1.16/debian-9/rootfs/prepare.sh +++ b/bitnami/nginx/1.16/debian-9/rootfs/prepare.sh 
@@ -4,17 +4,19 @@ # Load libraries . /libnginx.sh +. /libfs.sh # Load NGINX environment variables eval "$(nginx_env)" -for dir in "/bitnami" "$NGINX_VOLUME" "$NGINX_CONFDIR" "$NGINX_BASEDIR" "$NGINX_TMPDIR"; do +# Ensure non-root user has write permissions on a set of directories +for dir in "/bitnami" "$NGINX_VOLUME" "${NGINX_CONFDIR}/server_blocks" "${NGINX_CONFDIR}/bitnami" "$NGINX_BASEDIR" "$NGINX_TMPDIR"; do ensure_dir_exists "$dir" - chmod -R g+rwX "$dir" done - -# Users can mount their html sites at /app -ln -sf "$NGINX_BASEDIR/html" /app -# Redirect all logging to stdout/stderr -ln -sf /dev/stdout "$NGINX_LOGDIR/access.log" -ln -sf /dev/stderr "$NGINX_LOGDIR/error.log" +chmod -R g+rwX "$NGINX_VOLUME" "$NGINX_CONFDIR" "$NGINX_TMPDIR" +# Configure default HTTP port +nginx_config_http_port +# Unset HTTP_PROXY header to protect vs HTTPPOXY vulnerability +nginx_patch_httpoxy_vulnerability +# Prepare directories for users to mount its static files and certificates +nginx_prepare_directories diff --git a/bitnami/nginx/1.16/debian-9/rootfs/run.sh b/bitnami/nginx/1.16/debian-9/rootfs/run.sh index 06f5cfb4c642..c5e6ed3933ac 100755 --- a/bitnami/nginx/1.16/debian-9/rootfs/run.sh +++ b/bitnami/nginx/1.16/debian-9/rootfs/run.sh @@ -15,7 +15,7 @@ eval "$(nginx_env)" info "** Starting NGINX **" if am_i_root; then - exec gosu "$NGINX_DAEMON_USER" "$NGINX_BASEDIR/sbin/nginx" -c "$NGINX_CONFDIR/nginx.conf" -g "daemon off;" + exec gosu "${NGINX_DAEMON_USER}" "${NGINX_BASEDIR}/sbin/nginx" -c "${NGINX_CONFDIR}/nginx.conf" -g "daemon off; user ${NGINX_DAEMON_USER} ${NGINX_DAEMON_GROUP}" else - exec "$NGINX_BASEDIR/sbin/nginx" -c "$NGINX_CONFDIR/nginx.conf" -g "daemon off;" + exec "${NGINX_BASEDIR}/sbin/nginx" -c "${NGINX_CONFDIR}/nginx.conf" -g "daemon off;" fi diff --git a/bitnami/nginx/1.16/debian-9/rootfs/setup.sh b/bitnami/nginx/1.16/debian-9/rootfs/setup.sh index 48a45ab4efcd..89e70923cd66 100755 --- a/bitnami/nginx/1.16/debian-9/rootfs/setup.sh 
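Review bot: prepare.sh now does real work at image build time (`sed -i` on nginx.conf, the `mv` of the html directory, the httpoxy patch) but appears to run without `set -o errexit`, `nounset` or `pipefail`. The file's first lines are outside this hunk, but the deleted 1.14 copy with the same blob id (f71811f45aca) shows only the shebang and the shellcheck directive there. Without errexit, a failed `nginx_config_http_port` or `nginx_patch_httpoxy_vulnerability` is masked by the exit status of the last command and `RUN /prepare.sh` still succeeds, so an image could ship without the HTTP_PROXY hardening. Add the same `set -o errexit`, `set -o nounset`, `set -o pipefail` header that run.sh and setup.sh use. This applies to the 1.16/ol-7 prepare.sh hunk as well.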
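Review bot: The `-g` string added for the root branch, `"daemon off; user ${NGINX_DAEMON_USER} ${NGINX_DAEMON_GROUP}"`, does not terminate the `user` directive with `;`. nginx parses `-g` text with the same rules as the configuration file, so this is expected to fail at startup with an "unexpected end of parameter" error. Use `-g "daemon off; user ${NGINX_DAEMON_USER} ${NGINX_DAEMON_GROUP};"`. Because the process is already started through `gosu` as the daemon user, nginx will most likely ignore the `user` directive with a warning anyway, so dropping it may be simpler. The 1.16/ol-7 run.sh hunk has the same line.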
+++ b/bitnami/nginx/1.16/debian-9/rootfs/setup.sh @@ -18,6 +18,5 @@ eval "$(nginx_env)" nginx_validate # Ensure NGINX is stopped when this script ends trap "nginx_stop" EXIT -am_i_root && ensure_user_exists "$NGINX_DAEMON_USER" "$NGINX_DAEMON_GROUP" -# Ensure NGINX is initialized +# Initialize NGINX nginx_initialize diff --git a/bitnami/nginx/1.16/ol-7/Dockerfile b/bitnami/nginx/1.16/ol-7/Dockerfile index 4a0c1c343a65..71afc722c2af 100644 --- a/bitnami/nginx/1.16/ol-7/Dockerfile +++ b/bitnami/nginx/1.16/ol-7/Dockerfile @@ -2,7 +2,6 @@ FROM bitnami/oraclelinux-extras-base:7-r267 LABEL maintainer "Bitnami " ENV BITNAMI_PKG_CHMOD="-R g+rwX" \ - BITNAMI_PKG_EXTRA_DIRS="/bitnami/nginx/conf" \ HOME="/" \ OS_ARCH="x86_64" \ OS_FLAVOUR="ol-7" \ @@ -11,24 +10,19 @@ ENV BITNAMI_PKG_CHMOD="-R g+rwX" \ # Install required system packages and dependencies RUN install_packages glibc keyutils-libs krb5-libs libcom_err libselinux nss-softokn-freebl openssl-libs pcre zlib RUN . ./libcomponent.sh && component_unpack "nginx" "1.16.0-0" --checksum de3f2e7f973f2d4a60069edfd3b71d7b106bbb54b347bcf6d2781a71a1b65aca -RUN ln -sf /opt/bitnami/nginx/html /app -RUN ln -sf /dev/stdout /opt/bitnami/nginx/logs/access.log -RUN ln -sf /dev/stderr /opt/bitnami/nginx/logs/error.log COPY rootfs / RUN /prepare.sh + ENV BITNAMI_APP_NAME="nginx" \ BITNAMI_IMAGE_VERSION="1.16.0-ol-7-r0" \ NAMI_PREFIX="/.nami" \ - NGINX_DAEMON_GROUP="" \ - NGINX_DAEMON_USER="" \ - NGINX_HTTPS_PORT_NUMBER="443" \ - NGINX_HTTP_PORT_NUMBER="8080" \ PATH="/opt/bitnami/nginx/sbin:$PATH" -EXPOSE 8080 - +EXPOSE 8080 8443 +VOLUME [ "/app" "/certs" ] WORKDIR /app USER 1001 + ENTRYPOINT [ "/entrypoint.sh" ] CMD [ "/run.sh" ] diff --git a/bitnami/nginx/1.16/ol-7/docker-compose.yml b/bitnami/nginx/1.16/ol-7/docker-compose.yml index 0ade917ae122..38660f07d36a 100644 --- a/bitnami/nginx/1.16/ol-7/docker-compose.yml +++ b/bitnami/nginx/1.16/ol-7/docker-compose.yml 
@@ -5,3 +5,5 @@ services: image: 'bitnami/nginx:1.16-ol-7' ports: - '80:8080' + environment: + - NGINX_HTTP_PORT_NUMBER=8080 diff --git a/bitnami/nginx/1.16/ol-7/rootfs/libnginx.sh b/bitnami/nginx/1.16/ol-7/rootfs/libnginx.sh index c20297d4738c..7aa230e3539b 100644 --- a/bitnami/nginx/1.16/ol-7/rootfs/libnginx.sh +++ b/bitnami/nginx/1.16/ol-7/rootfs/libnginx.sh @@ -61,7 +61,7 @@ nginx_start() { is_nginx_running && return debug "Starting NGIX..." if am_i_root; then - gosu "$NGINX_DAEMON_USER" "${NGINX_BASEDIR}/sbin/nginx" -c "${NGINX_CONFDIR}/nginx.conf" + gosu "${NGINX_DAEMON_USER}" "${NGINX_BASEDIR}/sbin/nginx" -c "${NGINX_CONFDIR}/nginx.conf" else "${NGINX_BASEDIR}/sbin/nginx" -c "${NGINX_CONFDIR}/nginx.conf" fi 
@@ -98,6 +98,57 @@ export PATH="${NGINX_BASEDIR}/sbin:$PATH" EOF } +######################## +# Configure default HTTP port +# Globals: +# NGINX_CONFDIR +# Arguments: +# $1 - (optionl) HTTP Port +# Returns: +# None +######################### +nginx_config_http_port() { + local http_port=${1:-8080} + debug "Configuring default HTTP port..." + # TODO: find an appropriate NGINX parser to avoid 'sed calls' + sed -i -r "s/(listen\s+)[0-9]{1,5};/\1${http_port};/g" ${NGINX_CONFDIR}/nginx.conf +} + +######################## +# Unset HTTP_PROXY header to protect vs HTTPPOXY vulnerability +# Ref: https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-httpoxy-vulnerability +# Globals: +# NGINX_* +# Arguments: +# None +# Returns: +# None +######################### +nginx_patch_httpoxy_vulnerability() { + debug "Unsetting HTTP_PROXY header..." + echo '# Unset the HTTP_PROXY header' >> "${NGINX_CONFDIR}/fastcgi_params" + echo 'fastcgi_param HTTP_PROXY "";' >> "${NGINX_CONFDIR}/fastcgi_params" +} + +######################## +# Prepare directories for users to mount its static files and certificates +# Globals: +# NGINX_* +# Arguments: +# None +# Returns: +# None +######################### +nginx_prepare_directories() { + # Users can mount their html sites at /app + mv "${NGINX_BASEDIR}/html" /app + ln -sf /app "${NGINX_BASEDIR}/html" + # Users can mount their certificates at /certs + ln -sf /certs "${NGINX_CONFDIR}/bitnami/certs" + # Fix to avoid issues for those using the old structure (vhosts) + ln -sf "${NGINX_CONFDIR}/server_blocks" "${NGINX_CONFDIR}/vhosts" +} + ######################## # Validate settings in NGINX_* env vars # Globals: 
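Review bot: `nginx_patch_httpoxy_vulnerability` only covers backends whose server block includes `fastcgi_params`; server blocks that use `proxy_pass` get no protection from this line and need `proxy_set_header Proxy "";` as well. Since this commit lets users mount their own server blocks, the function header should say so, e.g. `# Only affects FastCGI upstreams that include fastcgi_params; proxied upstreams need 'proxy_set_header Proxy "";'`. The header comment also misspells the name as "HTTPPOXY". The same function is added in the 1.16/debian-9 copy of this hunk.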
@@ -112,19 +163,21 @@ nginx_validate() { local validate_port_args=() ! am_i_root && validate_port_args+=("-unprivileged") - if ! err=$(validate_port "${validate_port_args[@]}" "$NGINX_HTTP_PORT_NUMBER"); then - error "An invalid port was specified in the environment variable NGINX_HTTP_PORT_NUMBER: $err" - exit 1 + if [[ -n "${NGINX_HTTP_PORT_NUMBER:-}" ]]; then + if ! err=$(validate_port "${validate_port_args[@]}" "${NGINX_HTTP_PORT_NUMBER:-}"); then + error "An invalid port was specified in the environment variable NGINX_HTTP_PORT_NUMBER: $err" + exit 1 + fi fi for var in "NGINX_DAEMON_USER" "NGINX_DAEMON_GROUP"; do if am_i_root; then - if [[ -z "${!var}" ]]; then + if [[ -z "${!var:-}" ]]; then error "The $var environment variable cannot be empty when running as root" exit 1 fi else - if [[ -n "${!var}" ]]; then + if [[ -n "${!var:-}" ]]; then warn "The $var environment variable will be ignored when running as non-root" fi fi @@ -132,7 +185,7 @@ nginx_validate() { } ######################## -# Ensure NGINX is initialized +# Initialize NGINX # Globals: # NGINX_* # Arguments: 
@@ -145,29 +198,24 @@ nginx_initialize() { # Persisted configuration files from old versions if [[ -f "$NGINX_VOLUME/conf/nginx.conf" ]]; then - warn "'nginx.conf' was found in a legacy location: ${NGINX_VOLUME}/conf/nginx.conf" - warn " Please use ${NGINX_CONFDIR}/nginx.conf instead" - debug "Moving 'nginx.conf' file to new location..." - cp "$NGINX_VOLUME/conf/nginx.conf" "$NGINX_CONFDIR/nginx.conf" + error "A 'nginx.conf' file was found inside '${NGINX_VOLUME}/conf'. This configuration is not supported anymore. Please mount the configuration file at '${NGINX_CONFDIR}/nginx.conf' instead." + exit 1 fi if ! is_dir_empty "$NGINX_VOLUME/conf/vhosts"; then - warn "Custom vhosts config files were found in a legacy directory: $NGINX_VOLUME/conf/vhosts" - warn " Please use ${NGINX_CONFDIR}/vhosts instead" - debug "Moving vhosts config files to new location..." - cp -r "$NGINX_VOLUME/conf/vhosts" "$NGINX_CONFDIR" + error "Custom server blocks files were found inside '$NGINX_VOLUME/conf/vhosts'. This configuration is not supported anymore. Please mount your custom server blocks config files at '${NGINX_CONFDIR}/server_blocks' instead." + exit 1 fi - if [[ -e "${NGINX_CONFDIR}/nginx.conf" ]]; then - debug "Custom configuration detected. Using it..." - return - else - debug "'nginx.conf' not found. Applying bitnami configuration..." - debug "Ensuring expected directories/files exist..." - for dir in "$NGINX_TMPDIR" "$NGINX_CONFDIR" "${NGINX_CONFDIR}/vhosts"; do - ensure_dir_exists "$dir" "$NGINX_DAEMON_USER" - done - debug "Rendering 'nginx.conf.tpl' template..." - render-template "${NGINX_TEMPLATES_DIR}/nginx.conf.tpl" > "${NGINX_CONFDIR}/nginx.conf" - echo 'fastcgi_param HTTP_PROXY "";' >> "${NGINX_CONFDIR}/fastcgi_params" + if am_i_root; then + debug "Ensure NGINX daemon user/group exists..." 
+ ensure_user_exists "$NGINX_DAEMON_USER" "$NGINX_DAEMON_GROUP" + if [[ -n "${NGINX_DAEMON_USER:-}" ]]; then + chown -R "${NGINX_DAEMON_USER:-}" "${NGINX_CONFDIR}" "$NGINX_TMPDIR" + fi + fi + + debug "Updating 'nginx.conf' based on user configuration..." + if [[ -n "${NGINX_HTTP_PORT_NUMBER:-}" ]]; then + nginx_config_http_port "${NGINX_HTTP_PORT_NUMBER}" fi } diff --git a/bitnami/nginx/1.16/ol-7/rootfs/nginx-inputs.json b/bitnami/nginx/1.16/ol-7/rootfs/nginx-inputs.json deleted file mode 100644 index 47ac7e683346..000000000000 --- a/bitnami/nginx/1.16/ol-7/rootfs/nginx-inputs.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "httpPort": "{{$global.env.NGINX_HTTP_PORT_NUMBER}}", - "httpsPort": "{{$global.env.NGINX_HTTPS_PORT_NUMBER}}", - "systemGroup": "{{$global.env.NGINX_DAEMON_GROUP}}", - "systemUser": "{{$global.env.NGINX_DAEMON_USER}}" -} \ No newline at end of file diff --git a/bitnami/nginx/1.16/ol-7/rootfs/opt/bitnami/extra/nginx/templates/nginx.conf.tpl b/bitnami/nginx/1.16/ol-7/rootfs/opt/bitnami/extra/nginx/templates/nginx.conf.tpl deleted file mode 100644 index baa4c22a3107..000000000000 --- a/bitnami/nginx/1.16/ol-7/rootfs/opt/bitnami/extra/nginx/templates/nginx.conf.tpl +++ /dev/null 
@@ -1,64 +0,0 @@ -# based on http://brainspl.at/nginx.conf.txt - -{{#if NGINX_DAEMON_USER}}{{#if NGINX_DAEMON_GROUP}} -user {{NGINX_DAEMON_USER}} {{NGINX_DAEMON_GROUP}}; -{{/if}}{{/if}} - -worker_processes auto; - -error_log "{{NGINX_LOGDIR}}/error.log"; -pid "{{NGINX_TMPDIR}}/nginx.pid"; - -events { - worker_connections 1024; -} - -http { - include mime.types; - default_type application/octet-stream; - - add_header X-Frame-Options SAMEORIGIN; - client_body_temp_path "{{NGINX_TMPDIR}}/client_body" 1 2; - proxy_temp_path "{{NGINX_TMPDIR}}/proxy" 1 2; - fastcgi_temp_path "{{NGINX_TMPDIR}}/fastcgi" 1 2; - scgi_temp_path "{{NGINX_TMPDIR}}/scgi" 1 2; - uwsgi_temp_path "{{NGINX_TMPDIR}}/uwsgi" 1 2; - - log_format main '$remote_addr - $remote_user [$time_local] ' - '"$request" $status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log "{{NGINX_LOGDIR}}/access.log"; - - # no sendfile on OSX - sendfile on; - - tcp_nopush on; - tcp_nodelay off; - - #keepalive_timeout 0; - keepalive_timeout 65; - gzip on; - gzip_http_version 1.0; - gzip_comp_level 2; - gzip_proxied any; - gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript; - - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - - include "{{NGINX_CONFDIR}}/vhosts/*.conf"; - - # HTTP Server - server { - # port to listen on. Can also be set to an IP:PORT - listen {{NGINX_HTTP_PORT_NUMBER}}; - - location /status { - stub_status on; - access_log off; - allow 127.0.0.1; - deny all; - } - } -} - diff --git a/bitnami/nginx/1.16/ol-7/rootfs/prepare.sh b/bitnami/nginx/1.16/ol-7/rootfs/prepare.sh index 6429b926d20c..f71811f45aca 100755 --- a/bitnami/nginx/1.16/ol-7/rootfs/prepare.sh +++ b/bitnami/nginx/1.16/ol-7/rootfs/prepare.sh 
@@ -4,17 +4,19 @@ # Load libraries . /libnginx.sh +. /libfs.sh # Load NGINX environment variables eval "$(nginx_env)" -for dir in "/bitnami" "$NGINX_VOLUME" "$NGINX_CONFDIR" "$NGINX_BASEDIR" "$NGINX_TMPDIR"; do +# Ensure non-root user has write permissions on a set of directories +for dir in "/bitnami" "$NGINX_VOLUME" "${NGINX_CONFDIR}/server_blocks" "${NGINX_CONFDIR}/bitnami" "$NGINX_BASEDIR" "$NGINX_TMPDIR"; do ensure_dir_exists "$dir" - chmod -R g+rwX "$dir" done - -# Users can mount their html sites at /app -ln -sf "$NGINX_BASEDIR/html" /app -# Redirect all logging to stdout/stderr -ln -sf /dev/stdout "$NGINX_LOGDIR/access.log" -ln -sf /dev/stderr "$NGINX_LOGDIR/error.log" +chmod -R g+rwX "$NGINX_VOLUME" "$NGINX_CONFDIR" "$NGINX_TMPDIR" +# Configure default HTTP port +nginx_config_http_port +# Unset HTTP_PROXY header to protect vs HTTPPOXY vulnerability +nginx_patch_httpoxy_vulnerability +# Prepare directories for users to mount its static files and certificates +nginx_prepare_directories diff --git a/bitnami/nginx/1.16/ol-7/rootfs/run.sh b/bitnami/nginx/1.16/ol-7/rootfs/run.sh index 06f5cfb4c642..c5e6ed3933ac 100755 --- a/bitnami/nginx/1.16/ol-7/rootfs/run.sh +++ b/bitnami/nginx/1.16/ol-7/rootfs/run.sh @@ -15,7 +15,7 @@ eval "$(nginx_env)" info "** Starting NGINX **" if am_i_root; then - exec gosu "$NGINX_DAEMON_USER" "$NGINX_BASEDIR/sbin/nginx" -c "$NGINX_CONFDIR/nginx.conf" -g "daemon off;" + exec gosu "${NGINX_DAEMON_USER}" "${NGINX_BASEDIR}/sbin/nginx" -c "${NGINX_CONFDIR}/nginx.conf" -g "daemon off; user ${NGINX_DAEMON_USER} ${NGINX_DAEMON_GROUP}" else - exec "$NGINX_BASEDIR/sbin/nginx" -c "$NGINX_CONFDIR/nginx.conf" -g "daemon off;" + exec "${NGINX_BASEDIR}/sbin/nginx" -c "${NGINX_CONFDIR}/nginx.conf" -g "daemon off;" fi diff --git a/bitnami/nginx/1.16/ol-7/rootfs/setup.sh b/bitnami/nginx/1.16/ol-7/rootfs/setup.sh index 48a45ab4efcd..89e70923cd66 100755 --- a/bitnami/nginx/1.16/ol-7/rootfs/setup.sh +++ b/bitnami/nginx/1.16/ol-7/rootfs/setup.sh 
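Review bot: The calls added at the end of the prepare.sh hunk (`nginx_config_http_port`, `nginx_patch_httpoxy_vulnerability`, `nginx_prepare_directories`) run unchecked, so a failure in either of the first two still lets the Dockerfile `RUN` step succeed, possibly shipping an image without the HTTP_PROXY mitigation in `fastcgi_params`. The first three lines of the script are outside the hunk; unless they or a sourced library already enable it, add `set -o errexit` before the libraries are loaded, or at least write `nginx_patch_httpoxy_vulnerability || exit 1`. The same applies to post-unpack.sh, which replaces this script later in the series and is shown in full without errexit. The added comment spells the issue `HTTPPOXY`; `httpoxy` is the name a reader will search for.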
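Review bot: In the root branch of run.sh the new `-g` string ends with `user ${NGINX_DAEMON_USER} ${NGINX_DAEMON_GROUP}` and no closing `;`, which nginx should reject as an unterminated directive, so the container would fail to start when launched as root. It should read `-g "daemon off; user ${NGINX_DAEMON_USER} ${NGINX_DAEMON_GROUP};"`. Since `gosu` has already switched to `NGINX_DAEMON_USER` before nginx starts, the master process is unprivileged and the `user` directive is likely ignored with a warning; decide whether gosu or nginx performs the privilege drop and keep only one. Both variables are placed into the directive verbatim, so they should be restricted to plain user and group names before this point (`nginx_validate` is not visible in the hunk).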
@@ -18,6 +18,5 @@ eval "$(nginx_env)" nginx_validate # Ensure NGINX is stopped when this script ends trap "nginx_stop" EXIT -am_i_root && ensure_user_exists "$NGINX_DAEMON_USER" "$NGINX_DAEMON_GROUP" -# Ensure NGINX is initialized +# Initialize NGINX nginx_initialize diff --git a/bitnami/nginx/README.md b/bitnami/nginx/README.md index 8298161bbaa9..fe8b1840492d 100644 --- a/bitnami/nginx/README.md +++ b/bitnami/nginx/README.md 
@@ -318,27 +318,29 @@ CMD [ "/run.sh" ] We can identify several sections within the Dockerfile: -- A section where all the required components are installed. -- A section where all the components are statically configured. -- A section where the env. variables, the ports to be exposed, the working directory and the user are defined. +- Components installation. +- Components static configuration. +- Environment variables. +- Ports to be exposed. +- Working directory and user. - Note that once the user is set to 1001, unprivileged commands cannot be executed anymore. -- A section where the entrypoint and command used to start the service are declared. +- Entrypoint and command. - Take into account these actions are not executed until the container is started. # Customizing the Bitnami NGINX Docker image The Bitnami NGINX Docker image is designed to be extended so it can be used as the base image for your custom web applications. -> Note: It's recommended to read the [previous section](./#understand-this-image-structure) to understand the Dockerfile structure, before extending this image. +> Note: It's recommended to read the [previous section](#understand-this-image-structure) to understand the Dockerfile structure, before extending this image. ## Extending the Bitnami NGINX Docker image Before extending this image, please note there are certain configuration settings you can modify using the original image: - Settings that can be adapted using environment variables. For instance, you can change the port used by NGINX for HTTP setting the environment variable `NGINX_HTTP_PORT_NUMBER`. -- [Adding custom server blocks](./#adding-custom-server-blocks). -- [Replacing the 'nginx.conf' file](./#full-configuration). -- [Using custom SSL certificates](./#using-custom-ssl-certificates). +- [Adding custom server blocks](#adding-custom-server-blocks). +- [Replacing the 'nginx.conf' file](#full-configuration). +- [Using custom SSL certificates](#using-custom-ssl-certificates). 
If your desired customizations cannot be covered using the methods mentioned above, extend the image. To do so, create your own image using a Dockerfile with the format below: @@ -367,7 +369,7 @@ RUN install_packages vim RUN sed -i -r "s#(\s+)worker_connections(\s+)[0-9]+;#\1worker_connections\2512;#g" /opt/bitnami/nginx/conf/nginx.conf ## Modify the ports used by NGINX by default -ENV NGINX_HTTP_PORT_NUMBER=8181 +ENV NGINX_HTTP_PORT_NUMBER=8181 # It is also possible to change this environment variable at runtime EXPOSE 8181 8443 ## Modify the default container user From 3e9c1ad7ece1222421bd739f30d68237afec7a3b Mon Sep 17 00:00:00 2001 From: Marko Mikulicic Date: Wed, 1 May 2019 12:28:59 +0200 Subject: [PATCH 5/9] Apply suggestions from code review Co-Authored-By: juan131 --- bitnami/nginx/1.16/debian-9/rootfs/libnginx.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bitnami/nginx/1.16/debian-9/rootfs/libnginx.sh b/bitnami/nginx/1.16/debian-9/rootfs/libnginx.sh index 7aa230e3539b..79b6b76ccebb 100644 --- a/bitnami/nginx/1.16/debian-9/rootfs/libnginx.sh +++ b/bitnami/nginx/1.16/debian-9/rootfs/libnginx.sh @@ -111,7 +111,7 @@ nginx_config_http_port() { local http_port=${1:-8080} debug "Configuring default HTTP port..." # TODO: find an appropriate NGINX parser to avoid 'sed calls' - sed -i -r "s/(listen\s+)[0-9]{1,5};/\1${http_port};/g" ${NGINX_CONFDIR}/nginx.conf + sed -i -E "s/(listen\s+)[0-9]{1,5};/\1${http_port};/g" ${NGINX_CONFDIR}/nginx.conf } ######################## From 2630bf2ed3ee534e5f5b04540a07e0c202ef9994 Mon Sep 17 00:00:00 2001 From: juan131 Date: Wed, 1 May 2019 12:31:40 +0200 Subject: [PATCH 6/9] Fix typos Signed-off-by: juan131 --- bitnami/nginx/1.16/debian-9/rootfs/libnginx.sh | 3 ++- bitnami/nginx/README.md | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/bitnami/nginx/1.16/debian-9/rootfs/libnginx.sh b/bitnami/nginx/1.16/debian-9/rootfs/libnginx.sh index 7aa230e3539b..5a3ca1ebc2b8 100644 
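Review bot: `${http_port}` is spliced into the sed program on the changed line of `nginx_config_http_port` without any check, so a value containing `/`, `&` or a newline alters the substitution instead of setting a port, and `nginx_initialize` passes `NGINX_HTTP_PORT_NUMBER` from the environment straight into this function. Reject anything that is not a port number first, for example `[[ "$http_port" =~ ^[0-9]{1,5}$ ]] || return 1`, unless `nginx_validate` (not shown in the hunk) already guarantees it. The file argument is also unquoted and should be `"${NGINX_CONFDIR}/nginx.conf"`. The function header is only in the hunk's context line, and the same sed line is changed in the ol-7 copy further down.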
--- a/bitnami/nginx/1.16/debian-9/rootfs/libnginx.sh +++ b/bitnami/nginx/1.16/debian-9/rootfs/libnginx.sh @@ -103,7 +103,7 @@ EOF # Globals: # NGINX_CONFDIR # Arguments: -# $1 - (optionl) HTTP Port +# $1 - (optional) HTTP Port # Returns: # None ######################### @@ -146,6 +146,7 @@ nginx_prepare_directories() { # Users can mount their certificates at /certs ln -sf /certs "${NGINX_CONFDIR}/bitnami/certs" # Fix to avoid issues for those using the old structure (vhosts) + warn "Creating a symlink to support mounting custom server_blocks at \"${NGINX_CONFDIR}/vhosts\". It will be deprecated in future versions." ln -sf "${NGINX_CONFDIR}/server_blocks" "${NGINX_CONFDIR}/vhosts" } diff --git a/bitnami/nginx/README.md b/bitnami/nginx/README.md index fe8b1840492d..823c3bea77c2 100644 --- a/bitnami/nginx/README.md +++ b/bitnami/nginx/README.md @@ -251,7 +251,7 @@ services: # Reverse proxy to other containers -NGINX can be used to reverse proxy to other containers using Docker's linking system. This is particularly useful if you want to serve dynamic content through an NGINX frontend. To do so, [add a server block](#adding-custom-server-blocks) like the following in the `/opt/bitnami/nginx/conf/erver_blocks/` folder: +NGINX can be used to reverse proxy to other containers using Docker's linking system. This is particularly useful if you want to serve dynamic content through an NGINX frontend. To do so, [add a server block](#adding-custom-server-blocks) like the following in the `/opt/bitnami/nginx/conf/server_blocks/` folder: ``` server { From 06b2e8a841be91a5d8e0783422cd13c182db0d7c Mon Sep 17 00:00:00 2001 From: Marko Mikulicic Date: Thu, 2 May 2019 12:30:56 +0200 Subject: [PATCH 7/9] Update README.md Co-Authored-By: juan131 --- bitnami/nginx/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bitnami/nginx/README.md b/bitnami/nginx/README.md index 823c3bea77c2..47d51f2f5be5 100644 --- a/bitnami/nginx/README.md +++ b/bitnami/nginx/README.md 
@@ -366,7 +366,7 @@ USER 0 # Required to perform privileged actions RUN install_packages vim ## Modify 'worker_connections' on NGINX config file to '512' -RUN sed -i -r "s#(\s+)worker_connections(\s+)[0-9]+;#\1worker_connections\2512;#g" /opt/bitnami/nginx/conf/nginx.conf +RUN sed -i -r "s#(\s+worker_connections\s+)[0-9]+;#\1512;#" /opt/bitnami/nginx/conf/nginx.conf ## Modify the ports used by NGINX by default ENV NGINX_HTTP_PORT_NUMBER=8181 # It is also possible to change this environment variable at runtime From f8a282af7268f6e7e83c02b7a4468ef058eca996 Mon Sep 17 00:00:00 2001 From: juan131 Date: Thu, 2 May 2019 12:32:41 +0200 Subject: [PATCH 8/9] Refactor libraries based on Mkm feedback --- bitnami/nginx/1.16/debian-9/Dockerfile | 2 +- .../nginx/1.16/debian-9/rootfs/libnginx.sh | 40 +--------- .../nginx/1.16/debian-9/rootfs/post-unpack.sh | 76 +++++++++++++++++++ bitnami/nginx/1.16/debian-9/rootfs/prepare.sh | 22 ------ bitnami/nginx/1.16/ol-7/Dockerfile | 2 +- bitnami/nginx/1.16/ol-7/rootfs/libnginx.sh | 43 ++--------- bitnami/nginx/1.16/ol-7/rootfs/post-unpack.sh | 76 +++++++++++++++++++ bitnami/nginx/1.16/ol-7/rootfs/prepare.sh | 22 ------ bitnami/nginx/README.md | 1 + 9 files changed, 165 insertions(+), 119 deletions(-) create mode 100755 bitnami/nginx/1.16/debian-9/rootfs/post-unpack.sh delete mode 100755 bitnami/nginx/1.16/debian-9/rootfs/prepare.sh create mode 100755 bitnami/nginx/1.16/ol-7/rootfs/post-unpack.sh delete mode 100755 bitnami/nginx/1.16/ol-7/rootfs/prepare.sh diff --git a/bitnami/nginx/1.16/debian-9/Dockerfile b/bitnami/nginx/1.16/debian-9/Dockerfile index 900a29c1c743..61cd6ba53173 100644 --- a/bitnami/nginx/1.16/debian-9/Dockerfile +++ b/bitnami/nginx/1.16/debian-9/Dockerfile 
@@ -12,7 +12,7 @@ RUN install_packages libc6 libpcre3 libssl1.1 zlib1g RUN . ./libcomponent.sh && component_unpack "nginx" "1.16.0-0" --checksum b08c5b2a428e2e54726d47e290102496780db1ddd4a0a67bed82da6c34e56784 COPY rootfs / -RUN /prepare.sh +RUN /post-unpack.sh ENV BITNAMI_APP_NAME="nginx" \ BITNAMI_IMAGE_VERSION="1.16.0-debian-9-r0" \ diff --git a/bitnami/nginx/1.16/debian-9/rootfs/libnginx.sh b/bitnami/nginx/1.16/debian-9/rootfs/libnginx.sh index 47f2310b65f7..c4796cb07d9b 100644 --- a/bitnami/nginx/1.16/debian-9/rootfs/libnginx.sh +++ b/bitnami/nginx/1.16/debian-9/rootfs/libnginx.sh 
@@ -114,42 +114,6 @@ nginx_config_http_port() { sed -i -E "s/(listen\s+)[0-9]{1,5};/\1${http_port};/g" ${NGINX_CONFDIR}/nginx.conf } -######################## -# Unset HTTP_PROXY header to protect vs HTTPPOXY vulnerability -# Ref: https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-httpoxy-vulnerability -# Globals: -# NGINX_* -# Arguments: -# None -# Returns: -# None -######################### -nginx_patch_httpoxy_vulnerability() { - debug "Unsetting HTTP_PROXY header..." - echo '# Unset the HTTP_PROXY header' >> "${NGINX_CONFDIR}/fastcgi_params" - echo 'fastcgi_param HTTP_PROXY "";' >> "${NGINX_CONFDIR}/fastcgi_params" -} - -######################## -# Prepare directories for users to mount its static files and certificates -# Globals: -# NGINX_* -# Arguments: -# None -# Returns: -# None -######################### -nginx_prepare_directories() { - # Users can mount their html sites at /app - mv "${NGINX_BASEDIR}/html" /app - ln -sf /app "${NGINX_BASEDIR}/html" - # Users can mount their certificates at /certs - ln -sf /certs "${NGINX_CONFDIR}/bitnami/certs" - # Fix to avoid issues for those using the old structure (vhosts) - warn "Creating a symlink to support mounting custom server_blocks at \"${NGINX_CONFDIR}/vhosts\". It will be deprecated in future versions." - ln -sf "${NGINX_CONFDIR}/server_blocks" "${NGINX_CONFDIR}/vhosts" -} - ######################## # Validate settings in NGINX_* env vars # Globals: @@ -213,6 +177,10 @@ nginx_initialize() { if [[ -n "${NGINX_DAEMON_USER:-}" ]]; then chown -R "${NGINX_DAEMON_USER:-}" "${NGINX_CONFDIR}" "$NGINX_TMPDIR" fi + else + # The "user" directive makes sense only if the master process runs with super-user privileges + # TODO: find an appropriate NGINX parser to avoid 'sed calls' + sed -i -E "s/(^user)/# \1/g" ${NGINX_CONFDIR}/nginx.conf fi debug "Updating 'nginx.conf' based on user configuration..." 
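Review bot: The pattern in the added `else` branch, `s/(^user)/# \1/g`, comments out every line that merely begins with `user` (for example a `userid` directive in an unindented file) and misses an indented `user` line. Match the directive itself and quote the path: `sed -i -E "s/^([[:space:]]*user[[:space:]])/# \1/" "${NGINX_CONFDIR}/nginx.conf"`. Because `sed -i` replaces the file, this branch probably fails when `nginx.conf` is supplied read-only or as a bind-mounted file, which the README lists as a supported way to provide a full configuration; consider skipping the edit, with a warning, when the file is not writable. `nginx_initialize` begins above the hunk, and the ol-7 copy receives the identical change.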
diff --git a/bitnami/nginx/1.16/debian-9/rootfs/post-unpack.sh b/bitnami/nginx/1.16/debian-9/rootfs/post-unpack.sh new file mode 100755 index 000000000000..d1150c18d91b --- /dev/null +++ b/bitnami/nginx/1.16/debian-9/rootfs/post-unpack.sh 
@@ -0,0 +1,76 @@ +#!/bin/bash + +# shellcheck disable=SC1091 + +# Load libraries +. /libnginx.sh +. /libfs.sh + +# Auxiliar Functions + +######################## +# Ensure non-root user has write permissions on a set of directories +# Globals: +# NGINX_* +# Arguments: +# None +# Returns: +# None +######################### +nginx_configure_permissions() { + for dir in "/bitnami" "$NGINX_VOLUME" "${NGINX_CONFDIR}/server_blocks" "${NGINX_CONFDIR}/bitnami" "$NGINX_BASEDIR" "$NGINX_LOGDIR" "$NGINX_TMPDIR"; do + ensure_dir_exists "$dir" + done + chmod -R g+rwX "$NGINX_VOLUME" "$NGINX_CONFDIR" "$NGINX_TMPDIR" "$NGINX_LOGDIR" +} + +######################## +# Unset HTTP_PROXY header to protect vs HTTPPOXY vulnerability +# Ref: https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-httpoxy-vulnerability +# Globals: +# NGINX_* +# Arguments: +# None +# Returns: +# None +######################### +nginx_patch_httpoxy_vulnerability() { + debug "Unsetting HTTP_PROXY header..." + echo '# Unset the HTTP_PROXY header' >> "${NGINX_CONFDIR}/fastcgi_params" + echo 'fastcgi_param HTTP_PROXY "";' >> "${NGINX_CONFDIR}/fastcgi_params" +} + +######################## +# Prepare directories for users to mount its static files and certificates +# Globals: +# NGINX_* +# Arguments: +# None +# Returns: +# None +######################### +nginx_prepare_directories() { + # Users can mount their html sites at /app + mv "${NGINX_BASEDIR}/html" /app + ln -sf /app "${NGINX_BASEDIR}/html" + # Users can mount their certificates at /certs + ln -sf /certs "${NGINX_CONFDIR}/bitnami/certs" + # Fix to avoid issues for those using the old structure (vhosts) + warn "Creating a symlink to support mounting custom server_blocks at \"${NGINX_CONFDIR}/vhosts\". It will be deprecated in future versions." 
+ ln -sf "${NGINX_CONFDIR}/server_blocks" "${NGINX_CONFDIR}/vhosts" + # Redirect all logging to stdout/stderr + ln -sf /dev/stdout "$NGINX_LOGDIR/access.log" + ln -sf /dev/stderr "$NGINX_LOGDIR/error.log" +} + +# Load NGINX environment variables +eval "$(nginx_env)" + +# Ensure non-root user has write permissions on a set of directories +nginx_configure_permissions +# Configure default HTTP port +nginx_config_http_port +# Unset HTTP_PROXY header to protect vs HTTPPOXY vulnerability +nginx_patch_httpoxy_vulnerability +# Prepare directories for users to mount its static files and certificates +nginx_prepare_directories diff --git a/bitnami/nginx/1.16/debian-9/rootfs/prepare.sh b/bitnami/nginx/1.16/debian-9/rootfs/prepare.sh deleted file mode 100755 index f71811f45aca..000000000000 --- a/bitnami/nginx/1.16/debian-9/rootfs/prepare.sh +++ /dev/null @@ -1,22 +0,0 @@ -#!/bin/bash - -# shellcheck disable=SC1091 - -# Load libraries -. /libnginx.sh -. /libfs.sh - -# Load NGINX environment variables -eval "$(nginx_env)" - -# Ensure non-root user has write permissions on a set of directories -for dir in "/bitnami" "$NGINX_VOLUME" "${NGINX_CONFDIR}/server_blocks" "${NGINX_CONFDIR}/bitnami" "$NGINX_BASEDIR" "$NGINX_TMPDIR"; do - ensure_dir_exists "$dir" -done -chmod -R g+rwX "$NGINX_VOLUME" "$NGINX_CONFDIR" "$NGINX_TMPDIR" -# Configure default HTTP port -nginx_config_http_port -# Unset HTTP_PROXY header to protect vs HTTPPOXY vulnerability -nginx_patch_httpoxy_vulnerability -# Prepare directories for users to mount its static files and certificates -nginx_prepare_directories diff --git a/bitnami/nginx/1.16/ol-7/Dockerfile b/bitnami/nginx/1.16/ol-7/Dockerfile index 71afc722c2af..81d2488f5cff 100644 --- a/bitnami/nginx/1.16/ol-7/Dockerfile +++ b/bitnami/nginx/1.16/ol-7/Dockerfile 
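Review bot: `nginx_patch_httpoxy_vulnerability` only appends `fastcgi_param HTTP_PROXY "";` to `fastcgi_params`, so it covers FastCGI backends that include that file but not backends reached through `proxy_pass`, which the README presents as a main use of this image. For the proxy case the client's `Proxy` request header has to be cleared, e.g. `proxy_set_header Proxy "";` in the documented server block example. The function header should state that scope, along the lines of `# Clears HTTP_PROXY for FastCGI only; proxied upstreams need proxy_set_header Proxy "";`. Separately, `chmod -R g+rwX` on `$NGINX_CONFDIR` leaves `nginx.conf` writable by every member of the owning group, and the header of `nginx_configure_permissions` should name the group this is meant for. The ol-7 copy of the file is identical.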
@@ -12,7 +12,7 @@ RUN install_packages glibc keyutils-libs krb5-libs libcom_err libselinux nss-sof RUN . ./libcomponent.sh && component_unpack "nginx" "1.16.0-0" --checksum de3f2e7f973f2d4a60069edfd3b71d7b106bbb54b347bcf6d2781a71a1b65aca COPY rootfs / -RUN /prepare.sh +RUN /post-unpack.sh ENV BITNAMI_APP_NAME="nginx" \ BITNAMI_IMAGE_VERSION="1.16.0-ol-7-r0" \ diff --git a/bitnami/nginx/1.16/ol-7/rootfs/libnginx.sh b/bitnami/nginx/1.16/ol-7/rootfs/libnginx.sh index 7aa230e3539b..c4796cb07d9b 100644 --- a/bitnami/nginx/1.16/ol-7/rootfs/libnginx.sh +++ b/bitnami/nginx/1.16/ol-7/rootfs/libnginx.sh @@ -103,7 +103,7 @@ EOF # Globals: # NGINX_CONFDIR # Arguments: -# $1 - (optionl) HTTP Port +# $1 - (optional) HTTP Port # Returns: # None ######################### 
@@ -111,42 +111,7 @@ nginx_config_http_port() { local http_port=${1:-8080} debug "Configuring default HTTP port..." # TODO: find an appropriate NGINX parser to avoid 'sed calls' - sed -i -r "s/(listen\s+)[0-9]{1,5};/\1${http_port};/g" ${NGINX_CONFDIR}/nginx.conf -} - -######################## -# Unset HTTP_PROXY header to protect vs HTTPPOXY vulnerability -# Ref: https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-httpoxy-vulnerability -# Globals: -# NGINX_* -# Arguments: -# None -# Returns: -# None -######################### -nginx_patch_httpoxy_vulnerability() { - debug "Unsetting HTTP_PROXY header..." - echo '# Unset the HTTP_PROXY header' >> "${NGINX_CONFDIR}/fastcgi_params" - echo 'fastcgi_param HTTP_PROXY "";' >> "${NGINX_CONFDIR}/fastcgi_params" -} - -######################## -# Prepare directories for users to mount its static files and certificates -# Globals: -# NGINX_* -# Arguments: -# None -# Returns: -# None -######################### -nginx_prepare_directories() { - # Users can mount their html sites at /app - mv "${NGINX_BASEDIR}/html" /app - ln -sf /app "${NGINX_BASEDIR}/html" - # Users can mount their certificates at /certs - ln -sf /certs "${NGINX_CONFDIR}/bitnami/certs" - # Fix to avoid issues for those using the old structure (vhosts) - ln -sf "${NGINX_CONFDIR}/server_blocks" "${NGINX_CONFDIR}/vhosts" + sed -i -E "s/(listen\s+)[0-9]{1,5};/\1${http_port};/g" ${NGINX_CONFDIR}/nginx.conf } ######################## @@ -212,6 +177,10 @@ nginx_initialize() { if [[ -n "${NGINX_DAEMON_USER:-}" ]]; then chown -R "${NGINX_DAEMON_USER:-}" "${NGINX_CONFDIR}" "$NGINX_TMPDIR" fi + else + # The "user" directive makes sense only if the master process runs with super-user privileges + # TODO: find an appropriate NGINX parser to avoid 'sed calls' + sed -i -E "s/(^user)/# \1/g" ${NGINX_CONFDIR}/nginx.conf fi debug "Updating 'nginx.conf' based on user configuration..." 
diff --git a/bitnami/nginx/1.16/ol-7/rootfs/post-unpack.sh b/bitnami/nginx/1.16/ol-7/rootfs/post-unpack.sh new file mode 100755 index 000000000000..d1150c18d91b --- /dev/null +++ b/bitnami/nginx/1.16/ol-7/rootfs/post-unpack.sh 
@@ -0,0 +1,76 @@ +#!/bin/bash + +# shellcheck disable=SC1091 + +# Load libraries +. /libnginx.sh +. /libfs.sh + +# Auxiliar Functions + +######################## +# Ensure non-root user has write permissions on a set of directories +# Globals: +# NGINX_* +# Arguments: +# None +# Returns: +# None +######################### +nginx_configure_permissions() { + for dir in "/bitnami" "$NGINX_VOLUME" "${NGINX_CONFDIR}/server_blocks" "${NGINX_CONFDIR}/bitnami" "$NGINX_BASEDIR" "$NGINX_LOGDIR" "$NGINX_TMPDIR"; do + ensure_dir_exists "$dir" + done + chmod -R g+rwX "$NGINX_VOLUME" "$NGINX_CONFDIR" "$NGINX_TMPDIR" "$NGINX_LOGDIR" +} + +######################## +# Unset HTTP_PROXY header to protect vs HTTPPOXY vulnerability +# Ref: https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-httpoxy-vulnerability +# Globals: +# NGINX_* +# Arguments: +# None +# Returns: +# None +######################### +nginx_patch_httpoxy_vulnerability() { + debug "Unsetting HTTP_PROXY header..." + echo '# Unset the HTTP_PROXY header' >> "${NGINX_CONFDIR}/fastcgi_params" + echo 'fastcgi_param HTTP_PROXY "";' >> "${NGINX_CONFDIR}/fastcgi_params" +} + +######################## +# Prepare directories for users to mount its static files and certificates +# Globals: +# NGINX_* +# Arguments: +# None +# Returns: +# None +######################### +nginx_prepare_directories() { + # Users can mount their html sites at /app + mv "${NGINX_BASEDIR}/html" /app + ln -sf /app "${NGINX_BASEDIR}/html" + # Users can mount their certificates at /certs + ln -sf /certs "${NGINX_CONFDIR}/bitnami/certs" + # Fix to avoid issues for those using the old structure (vhosts) + warn "Creating a symlink to support mounting custom server_blocks at \"${NGINX_CONFDIR}/vhosts\". It will be deprecated in future versions." 
+ ln -sf "${NGINX_CONFDIR}/server_blocks" "${NGINX_CONFDIR}/vhosts" + # Redirect all logging to stdout/stderr + ln -sf /dev/stdout "$NGINX_LOGDIR/access.log" + ln -sf /dev/stderr "$NGINX_LOGDIR/error.log" +} + +# Load NGINX environment variables +eval "$(nginx_env)" + +# Ensure non-root user has write permissions on a set of directories +nginx_configure_permissions +# Configure default HTTP port +nginx_config_http_port +# Unset HTTP_PROXY header to protect vs HTTPPOXY vulnerability +nginx_patch_httpoxy_vulnerability +# Prepare directories for users to mount its static files and certificates +nginx_prepare_directories diff --git a/bitnami/nginx/1.16/ol-7/rootfs/prepare.sh b/bitnami/nginx/1.16/ol-7/rootfs/prepare.sh deleted file mode 100755 index f71811f45aca..000000000000 --- a/bitnami/nginx/1.16/ol-7/rootfs/prepare.sh +++ /dev/null @@ -1,22 +0,0 @@ -#!/bin/bash - -# shellcheck disable=SC1091 - -# Load libraries -. /libnginx.sh -. /libfs.sh - -# Load NGINX environment variables -eval "$(nginx_env)" - -# Ensure non-root user has write permissions on a set of directories -for dir in "/bitnami" "$NGINX_VOLUME" "${NGINX_CONFDIR}/server_blocks" "${NGINX_CONFDIR}/bitnami" "$NGINX_BASEDIR" "$NGINX_TMPDIR"; do - ensure_dir_exists "$dir" -done -chmod -R g+rwX "$NGINX_VOLUME" "$NGINX_CONFDIR" "$NGINX_TMPDIR" -# Configure default HTTP port -nginx_config_http_port -# Unset HTTP_PROXY header to protect vs HTTPPOXY vulnerability -nginx_patch_httpoxy_vulnerability -# Prepare directories for users to mount its static files and certificates -nginx_prepare_directories diff --git a/bitnami/nginx/README.md b/bitnami/nginx/README.md index 823c3bea77c2..2a0d926ff516 100644 --- a/bitnami/nginx/README.md +++ b/bitnami/nginx/README.md 
@@ -364,6 +364,7 @@ LABEL maintainer "Bitnami " ## Install 'vim' USER 0 # Required to perform privileged actions RUN install_packages vim +USER 1001 # Revert to the original non-root user ## Modify 'worker_connections' on NGINX config file to '512' RUN sed -i -r "s#(\s+)worker_connections(\s+)[0-9]+;#\1worker_connections\2512;#g" /opt/bitnami/nginx/conf/nginx.conf From a113b07aa12e92748a21ce60dd08d37168c2845c Mon Sep 17 00:00:00 2001 From: juan131 Date: Thu, 2 May 2019 16:14:42 +0200 Subject: [PATCH 9/9] Rename 'post-unpack.sh' -> 'postunpack.sh' --- bitnami/nginx/1.16/debian-9/Dockerfile | 2 +- .../1.16/debian-9/rootfs/{post-unpack.sh => postunpack.sh} | 0 bitnami/nginx/1.16/ol-7/Dockerfile | 2 +- .../nginx/1.16/ol-7/rootfs/{post-unpack.sh => postunpack.sh} | 0 4 files changed, 2 insertions(+), 2 deletions(-) rename bitnami/nginx/1.16/debian-9/rootfs/{post-unpack.sh => postunpack.sh} (100%) rename bitnami/nginx/1.16/ol-7/rootfs/{post-unpack.sh => postunpack.sh} (100%) diff --git a/bitnami/nginx/1.16/debian-9/Dockerfile b/bitnami/nginx/1.16/debian-9/Dockerfile index 61cd6ba53173..40cf29a8494d 100644 --- a/bitnami/nginx/1.16/debian-9/Dockerfile +++ b/bitnami/nginx/1.16/debian-9/Dockerfile @@ -12,7 +12,7 @@ RUN install_packages libc6 libpcre3 libssl1.1 zlib1g RUN . ./libcomponent.sh && component_unpack "nginx" "1.16.0-0" --checksum b08c5b2a428e2e54726d47e290102496780db1ddd4a0a67bed82da6c34e56784 COPY rootfs / -RUN /post-unpack.sh +RUN /postunpack.sh ENV BITNAMI_APP_NAME="nginx" \ BITNAMI_IMAGE_VERSION="1.16.0-debian-9-r0" \ diff --git a/bitnami/nginx/1.16/debian-9/rootfs/post-unpack.sh b/bitnami/nginx/1.16/debian-9/rootfs/postunpack.sh similarity index 100% rename from bitnami/nginx/1.16/debian-9/rootfs/post-unpack.sh rename to bitnami/nginx/1.16/debian-9/rootfs/postunpack.sh diff --git a/bitnami/nginx/1.16/ol-7/Dockerfile b/bitnami/nginx/1.16/ol-7/Dockerfile index 81d2488f5cff..fab544c2e398 100644 --- a/bitnami/nginx/1.16/ol-7/Dockerfile 
+++ b/bitnami/nginx/1.16/ol-7/Dockerfile @@ -12,7 +12,7 @@ RUN install_packages glibc keyutils-libs krb5-libs libcom_err libselinux nss-sof RUN . ./libcomponent.sh && component_unpack "nginx" "1.16.0-0" --checksum de3f2e7f973f2d4a60069edfd3b71d7b106bbb54b347bcf6d2781a71a1b65aca COPY rootfs / -RUN /post-unpack.sh +RUN /postunpack.sh ENV BITNAMI_APP_NAME="nginx" \ BITNAMI_IMAGE_VERSION="1.16.0-ol-7-r0" \ diff --git a/bitnami/nginx/1.16/ol-7/rootfs/post-unpack.sh b/bitnami/nginx/1.16/ol-7/rootfs/postunpack.sh similarity index 100% rename from bitnami/nginx/1.16/ol-7/rootfs/post-unpack.sh rename to bitnami/nginx/1.16/ol-7/rootfs/postunpack.sh