container/nginx-s3
1
0
Fork 0
Code Issues 1 Pull Requests Releases 6 Activity

feat: improve naming and read secrets from files
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse Source
This commit is contained in:
Robert Kaussow 2023-09-24 15:12:22 +02:00
parent b194a8e245
commit 3d71062d4b
Signed by: xoxys
GPG Key ID: 4E692A2EAECC03C0
5 changed files with 100 additions and 66 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
Dockerfile.multiarch
View File

@ -34,15 +34,15 @@ RUN addgroup -g 1001 -S nginx && \
ADD overlay/ / ADD overlay/ /
RUN mkdir -p /var/www /etc/proxy-config /etc/nginx/conf.d /var/tmp/nginx /var/cache/nginx && \ RUN mkdir -p /var/www /etc/nginx-s3 /etc/nginx/conf.d /var/tmp/nginx /var/cache/nginx && \
touch /run/nginx.pid && \ touch /run/nginx.pid && \
touch /etc/nginx/conf.d/vhost.conf && \ touch /etc/nginx/conf.d/vhosts.conf && \
chown nginx /run/nginx.pid && \ chown nginx /run/nginx.pid && \
chown -R nginx /var/log/nginx /var/tmp/nginx /var/cache/nginx && \ chown -R nginx /var/log/nginx /var/tmp/nginx /var/cache/nginx && \
chown -R nginx:nginx /var/www && \ chown -R nginx:nginx /var/www && \
chown -R root:nginx /etc/nginx /etc/nginx/conf.d && \ chown -R root:nginx /etc/nginx /etc/nginx/conf.d && \
chmod -R 640 /etc/nginx /etc/nginx/conf.d && \ chmod -R 640 /etc/nginx /etc/nginx/conf.d && \
chmod 750 /var/www /var/cache/nginx /etc/proxy-config /etc/nginx /etc/nginx/conf.d chmod 750 /var/www /var/cache/nginx /etc/nginx-s3 /etc/nginx /etc/nginx/conf.d
EXPOSE 8080 EXPOSE 8080

2
overlay/etc/nginx/nginx.conf
View File

@ -25,5 +25,5 @@ http {
~/$ ${request_uri}index.html; ~/$ ${request_uri}index.html;
} }
include /etc/nginx/conf.d/vhost.conf; include /etc/nginx/conf.d/vhosts.conf;
} }

59
overlay/etc/templates/vhost.conf.tmpl
View File

@ -1,59 +0,0 @@
{{- $vhost := ds "vhost" }}
{{- $defauls := data.YAML "{hostnames: [localhost], proxy_ssl_protocols: TLSv1.2 TLSv1.3, proxy_hide_header: [X-Amz-*]}" -}}
{{- range $vhost }}
{{- $this := coll.Merge . $defauls }}
{{- $upstream_host := index ($this.upstream | strings.Split ":") 0 }}
{{- $access_key_id := index $this "access_key_id" }}
{{- $secret_access_key := index $this "secret_access_key" -}}
upstream backend_s3_{{ $this.bucket }} {
server {{ $this.upstream }};
}
server {
listen 8080;
server_name {{ conv.Join $this.hostnames " " }};
location / {
{{ if and $access_key_id $secret_access_key -}}
set_by_lua $now "return ngx.http_time(ngx.time())";
set $string_to_sign "GET\n\n\n${now}\n/{{ $this.bucket }}/${repo}$request_path";
set_hmac_sha1 $aws_signature "{{ $this.secret_access_key }}" "$string_to_sign";
set_encode_base64 $aws_signature "$aws_signature";
proxy_set_header Date "$now";
proxy_set_header Authorization "AWS {{ $this.access_key_id }}:$aws_signature";
{{ end -}}
proxy_pass https://backend_s3_{{ $this.bucket }}/{{ $this.bucket }}/${repo}$uri;
proxy_ssl_name {{ $upstream_host }};
proxy_ssl_server_name on;
proxy_ssl_verify on;
proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
proxy_ssl_protocols {{ $this.proxy_ssl_protocols }};
proxy_http_version 1.1;
proxy_buffering off;
proxy_connect_timeout 300;
proxy_intercept_errors on;
port_in_redirect off;
proxy_set_header Host "{{ $upstream_host }}";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
{{ range $this.proxy_hide_header }}
more_clear_headers {{ . }};
{{- end }}
proxy_ignore_headers Set-Cookie;
rewrite ^([^.]*[^/])$ $1/ permanent;
rewrite ^(.*)/$ $1/index.html break;
rewrite ^(.*/[^./]+)$ $1/index.html break;
}
}
{{- end -}}

90
overlay/etc/templates/vhosts.conf.tmpl Normal file
View File

@ -0,0 +1,90 @@
{{- $config := ds "config" }}
{{- $defauls := data.YAML "{hostnames: [localhost], upstream_use_tls: false, proxy_ssl_protocols: TLSv1.2 TLSv1.3, proxy_hide_header: [X-Amz-*]}" -}}
{{- range $config }}
{{- $this := coll.Merge . $defauls }}
{{- $upstream_host := index ($this.upstream | strings.Split ":") 0 }}
{{- $upstream_use_tls := $this.upstream_use_tls | conv.ToBool }}
{{- $access_key_id_file := index $this "access_key_id_file" }}
{{- $secret_access_key_file := index $this "secret_access_key_file" -}}
upstream backend_s3_{{ $this.bucket }} {
server {{ $this.upstream }};
}
server {
listen 8080;
server_name {{ conv.Join $this.hostnames " " }};
location / {
{{ if and $access_key_id_file $secret_access_key_file -}}
set_by_lua $now "return ngx.http_time(ngx.time())";
set_by_lua_block $access_key_id {
local f, err = io.open('{{ $access_key_id_file }}', 'r')
local content
if f == nil then
ngx.log(ngx.STDERR, err)
else
content = string.gsub(f:read("*all"), "%s", "")
f:close()
end
return content
}
set_by_lua_block $secret_access_key {
local f, err = io.open('{{ $secret_access_key_file }}', 'r')
local content
if f == nil then
ngx.log(ngx.STDERR, err)
else
content = string.gsub(f:read("*all"), "%s", "")
f:close()
end
return content
}
set $string_to_sign "GET\n\n\n${now}\n/{{ $this.bucket }}/${repo}$request_path";
set_hmac_sha1 $aws_signature "$secret_access_key" "$string_to_sign";
set_encode_base64 $aws_signature "$aws_signature";
proxy_set_header Date "$now";
proxy_set_header Authorization "AWS $access_key_id:$aws_signature";
{{ end -}}
proxy_pass https://backend_s3_{{ $this.bucket }}/{{ $this.bucket }}/${repo}$uri;
{{- if $this.upstream_use_tls }}
proxy_ssl_name {{ $upstream_host }};
proxy_ssl_server_name on;
proxy_ssl_verify on;
proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
proxy_ssl_protocols {{ $this.proxy_ssl_protocols }};
{{- end }}
proxy_http_version 1.1;
proxy_buffering off;
proxy_connect_timeout 300;
proxy_intercept_errors on;
port_in_redirect off;
{{ if $this.upstream_use_tls -}}
proxy_set_header Host "{{ $upstream_host }}";
{{- else }}
proxy_set_header Host $host;
{{- end }}
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
{{- with $this.proxy_hide_header }}
{{ range $this.proxy_hide_header }}
more_clear_headers {{ . }};
{{- end }}
{{- end }}
proxy_ignore_headers Set-Cookie;
rewrite ^([^.]*[^/])$ $1/ permanent;
rewrite ^(.*)/$ $1/index.html break;
rewrite ^(.*/[^./]+)$ $1/index.html break;
}
}
{{- end -}}

9
overlay/usr/local/bin/entrypoint
View File

@ -1,5 +1,8 @@
#!/usr/bin/env sh #!/usr/bin/env sh
# shellcheck disable=SC3040
set -eo pipefail
# shellcheck disable=SC1091 # shellcheck disable=SC1091
. /usr/local/lib/log.sh . /usr/local/lib/log.sh
@ -33,11 +36,11 @@ start_server() {
run_config() { run_config() {
log_info "Start nginx config service" log_info "Start nginx config service"
/usr/local/bin/gomplate -d vhost=/etc/proxy-config/vhost.yml -o /etc/nginx/conf.d/vhost.conf -f /etc/templates/vhost.conf.tmpl --chmod "0640" /usr/local/bin/gomplate -d config=/etc/nginx-s3/config.yaml -o /etc/nginx/conf.d/vhosts.conf -f /etc/templates/vhosts.conf.tmpl --chmod "0640"
while inotifywait -q --timefmt "%F %T" --format "%T [INFO] [$(basename "$0")] %e %f" -e modify,move,create,delete /etc/proxy-config/vhost.yml; do while inotifywait -q --timefmt "%F %T" --format "%T [INFO] [$(basename "$0")] %e %f" -e modify,move,create,delete /etc/nginx-s3/config.yaml; do
log_info "Regenerate nginx config" log_info "Regenerate nginx config"
/usr/local/bin/gomplate -d vhost=/etc/proxy-config/vhost.yml -o /etc/nginx/conf.d/vhost.conf -f /etc/templates/vhost.conf.tmpl --chmod "0640" /usr/local/bin/gomplate -d config=/etc/nginx-s3/config.yaml -o /etc/nginx/conf.d/vhosts.conf -f /etc/templates/vhosts.conf.tmpl --chmod "0640"
done done
} }