# multi-stage build for dockerized nginx
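# Build stage: fetches PCRE2, the fancy-index module and the nginx sources,
# then compiles a statically linked nginx binary.
# NOTE(review): alpine:edge is a rolling tag, so toolchain and package versions
# can change between builds; pin a release tag or digest for reproducible builds.
FROM alpine:edge AS nginx

# Toolchain and fetch utilities. --no-cache avoids leaving an apk index behind.
RUN apk add --no-cache \
        curl \
        g++ \
        gcc \
        git \
        linux-headers \
        make \
        tar \
        upx

# Download the PCRE2 sources.
WORKDIR /src/pcre
ARG PCRE_VER=10.43
# Optional expected SHA-256 of the PCRE2 tarball; verified only when set.
ARG PCRE_SHA256=""
# -f makes curl fail on HTTP errors instead of saving an error page as the
# tarball; --proto/--proto-redir keep the transfer and any redirect on HTTPS.
RUN curl -fL --proto '=https' --proto-redir '=https' \
        -O "https://github.com/PCRE2Project/pcre2/releases/download/pcre2-${PCRE_VER}/pcre2-${PCRE_VER}.tar.gz" \
    && if [ -n "${PCRE_SHA256}" ]; then \
           echo "${PCRE_SHA256}  pcre2-${PCRE_VER}.tar.gz" | sha256sum -c -; \
       fi \
    && tar xzf "/src/pcre/pcre2-${PCRE_VER}.tar.gz"

# Download the fancy-index module.
# Without FANCYINDEX_REF the clone tracks whatever the default branch holds at
# build time; pass a tag or commit id to build from a reviewed revision.
ARG FANCYINDEX_REF=""
RUN git clone https://github.com/aperezdc/ngx-fancyindex.git /src/ngx-fancyindex \
    && if [ -n "${FANCYINDEX_REF}" ]; then \
           git -C /src/ngx-fancyindex checkout --detach "${FANCYINDEX_REF}"; \
       fi

# Download the nginx sources over HTTPS. The original fetched them over plain
# HTTP with no integrity check, so the tarball could be altered in transit.
WORKDIR /src/nginx
ARG NGINX_VER
# Optional expected SHA-256 of the nginx tarball; verified only when set.
ARG NGINX_SHA256=""
RUN : "${NGINX_VER:?NGINX_VER build-arg is required}" \
    && curl -fL --proto '=https' --proto-redir '=https' \
        -O "https://nginx.org/download/nginx-${NGINX_VER}.tar.gz" \
    && if [ -n "${NGINX_SHA256}" ]; then \
           echo "${NGINX_SHA256}  nginx-${NGINX_VER}.tar.gz" | sha256sum -c -; \
       fi \
    && tar xzf "nginx-${NGINX_VER}.tar.gz"

# Configure and build nginx.
WORKDIR /src/nginx/nginx-${NGINX_VER}
ARG CORE_COUNT
# The stray --with-ld-opt='lpcre' was dropped: it lacked the leading dash and
# was overridden by the later --with-ld-opt, so it never reached the linker.
# NOTE(review): -fPIE is passed to the compiler, but the link uses -static with
# no -pie/-static-pie, so the final executable is presumably not
# position-independent; confirm with a hardening checker.
# CORE_COUNT falls back to the builder's CPU count so that an unset value does
# not become a bare "-j" (unlimited parallel jobs).
RUN ./configure --prefix=/usr/share/nginx \
        --sbin-path=/usr/sbin/nginx \
        --conf-path=/etc/nginx/nginx.conf \
        --error-log-path=/var/log/nginx/error.log \
        --http-log-path=/var/log/nginx/access.log \
        --pid-path=/tmp/nginx.pid \
        --lock-path=/run/lock/subsys/nginx \
        --http-client-body-temp-path=/tmp/nginx/client \
        --http-proxy-temp-path=/tmp/nginx/proxy \
        --with-threads \
        --with-file-aio \
        --with-pcre="/src/pcre/pcre2-${PCRE_VER}" \
        --with-pcre-jit \
        --with-http_addition_module \
        --with-http_random_index_module \
        --with-http_stub_status_module \
        --with-http_sub_module \
        --add-module=/src/ngx-fancyindex \
        --without-http_uwsgi_module \
        --without-http_scgi_module \
        --without-http_gzip_module \
        --without-select_module \
        --without-poll_module \
        --without-mail_pop3_module \
        --without-mail_imap_module \
        --without-mail_smtp_module \
        --with-cc-opt="-O2 -flto -ffunction-sections -fdata-sections -fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security" \
        --with-ld-opt="-Wl,--gc-sections -s -static -static-libgcc" \
    && make -j"${CORE_COUNT:-$(nproc)}" \
    && make install

# Compress the nginx binary.
# NOTE(review): a UPX-packed binary is opaque to most static image scanners;
# confirm the size saving is worth that trade-off.
RUN upx --best /usr/sbin/nginx

# Create the pid file and the directories the runtime stage copies out.
# /tmp/nginx is restricted to its owner; everything under /usr becomes
# read-only and executable.
# NOTE(review): the recursive 555 also covers /usr/share/nginx/fastcgi_temp,
# so that directory is not writable even by its owner; confirm this is intended.
RUN touch /tmp/nginx.pid \
    && mkdir -p \
        /tmp/nginx/client \
        /tmp/nginx/proxy \
    && chmod -R 700 /tmp/nginx \
    && mkdir -p \
        /usr/share/nginx/fastcgi_temp \
        /var/log/nginx \
        /var/www/html \
    && chmod -R 555 /usr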
# Runtime stage: an empty base image that receives only the nginx binary,
# its configuration and the paths it needs at run time.
FROM scratch

# Account file that defines the unprivileged "nonroot" user.
# NOTE(review): the --chown flags below also name a "nonroot" group, but only
# /etc/passwd is copied in; confirm the builder resolves it without /etc/group.
COPY passwd /etc/passwd

# Default nginx configuration tree from the build context.
COPY nginx/ /etc/nginx

# Artifacts from the build stage. Paths nginx writes to are handed to nonroot;
# the binary and the web root keep their default ownership.
COPY --from=nginx --chown=nonroot:nonroot /tmp/nginx.pid /tmp/nginx.pid
COPY --from=nginx --chown=nonroot:nonroot /tmp/nginx /tmp/nginx
COPY --from=nginx /usr/sbin/nginx /usr/sbin/nginx
COPY --from=nginx --chown=nonroot:nonroot /usr/share/nginx/fastcgi_temp /usr/share/nginx/fastcgi_temp
COPY --from=nginx --chown=nonroot:nonroot /var/log/nginx /var/log/nginx
COPY --from=nginx /var/www/html /var/www/html

# Default landing page from the build context.
COPY html/index.html /var/www/html/index.html

# The server process runs as the unprivileged account, not as root.
USER nonroot

# Unprivileged port, so no extra capability is needed to bind it.
EXPOSE 8080

# Exec form keeps nginx in the foreground as the container's main process.
ENTRYPOINT ["/usr/sbin/nginx", "-g", "daemon off;"]