NGiNX Nano Dockerfile tarmaker
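#!/bin/bash
# build-root.sh — assemble a minimal nginx root filesystem and pack it as
# "<rootfs>.tar.xz" for the `FROM scratch` image.
#
# Intended to run inside the build stage after `make DESTDIR=/rootfs install`
# (the Dockerfile sets WORKDIR /rootfs and invokes `bash /build-root.sh`).
# The root-fs directory defaults to /rootfs and can be overridden with the
# ROOTFS environment variable; the archive is written next to it, so the
# default output is /rootfs.tar.xz.
#
# Paths under lib/ are x86_64-specific; the host build image must be x86_64.
set -euo pipefail

rootfs=${ROOTFS:-/rootfs}
readonly rootfs
readonly image_tar="${rootfs}.tar"
readonly libdir=lib/x86_64-linux-gnu

# Progress marker on stdout, same "> step" format the build log already uses.
log() { printf '> %s\n' "$*"; }

# Every relative path below is relative to the root-fs directory.
cd "$rootfs"

log "refresh package manager"
apt-get update
log "Installing busybox and default nginx"
apt-get install -qy busybox-static nginx

log "Prepare chroot"
mkdir -p bin etc dev dev/pts lib proc sys tmp usr
touch etc/resolv.conf
cp /etc/nsswitch.conf etc/nsswitch.conf
# Minimal account database: root plus the unprivileged worker identity nginx
# is configured with (--user=nobody --group=nogroup). Anchor the lookup on the
# account name so a substring match cannot copy an unrelated host entry.
printf '%s\n' 'root:x:0:0:root:/:/bin/sh' > etc/passwd
printf '%s\n' 'root:x:0:' > etc/group
grep -E '^nobody:' /etc/passwd >> etc/passwd
grep -E '^nogroup:' /etc/group >> etc/group
# lib64 and sbin are aliases of lib and bin. (A second `ln -s usr/lib lib64`
# would only create a dangling lib/lib link that the hardening pass removes
# again, so it is not reproduced here.)
ln -s lib lib64
ln -s bin sbin
cp /bin/busybox bin

log "Link busybox tools"
for tool in sh cp mv ping ping6 nslookup ps traceroute traceroute6; do
  ln -s busybox "bin/$tool"
done

log "Copy shared libraries"
# A non-matching pattern makes cp fail and, under set -e, aborts the build:
# shipping an image with a missing libc/libnss is worse than a failed build.
mkdir "$libdir"
cp -a /lib/x86_64-linux-gnu/lib{c,crypt,dl,pthread,nss_*,resolv,rt,m,gcc_s}.so.* "$libdir"
cp -a /lib/x86_64-linux-gnu/lib{c,crypt,dl,pthread,nss_*,resolv,rt,m}-* "$libdir"
cp -a /usr/lib/x86_64-linux-gnu/libstdc++.* "$libdir"
cp -a /usr/local/lib/libjemalloc.so.* "$libdir"
cp -a /usr/src/ngx_brotli/deps/brotli/bin/bro bin
cp -a /lib64/ld-linux-x86-64.so.2 lib
cp -a /lib/x86_64-linux-gnu/ld-*.so "$libdir"

log "Clean static libraries"
rm -f "$libdir"/*.a

log "Strip executables"
strip -s bin/bro
strip -s usr/sbin/nginx
# Best effort, as in the original single invocation: a file strip cannot
# handle is reported but does not abort the image build.
for shlib in "$libdir"/*; do
  strip -s "$shlib" || printf 'warn: strip failed on %s\n' "$shlib" >&2
done

log "Prepare nginx root"
cp -r /etc/nginx etc/nginx
mkdir -p var/lib/nginx/{body,fastcgi,proxy,scgi,uwsgi}
mkdir -p www/{empty,default}
mv opt/nginx/html/* www/default
rm -rf opt/nginx
# NOTE(review): this makes the whole served tree writable by the worker
# identity. nginx only needs read access to /www; root-owned 0755 content
# would keep a compromised worker from rewriting what is served.
chown -R nobody:nogroup www

log "Hardening"
# Only the nginx binary may remain in usr/sbin.
find usr/sbin ! -type d \
  -a ! -name nginx \
  -delete
sysdirs=(bin etc lib sbin usr)
# Drop leftover files whose name ends in "-".
find "${sysdirs[@]}" -xdev -type f -regex '.*-$' -exec rm -f {} +
# System directories are root-owned and not group/world-writable.
find "${sysdirs[@]}" -xdev -type d -exec chown root:root {} \; -exec chmod 0755 {} \;
# Remove tools an attacker could use to inspect or alter the image from
# inside (file-mode/ownership changes, hex dumps, privilege switching).
find "${sysdirs[@]}" -xdev \( \
  -name hexdump -o \
  -name chgrp -o \
  -name chmod -o \
  -name chown -o \
  -name ln -o \
  -name od -o \
  -name strings -o \
  -name su \
  \) -delete
# Dangling symlinks (targets left on the host) are removed.
find "${sysdirs[@]}" -xdev -type l -exec test ! -e {} \; -delete

log "Building root image"
tar cf "$image_tar" .
# Device nodes are appended from the build host so the archive carries real
# nodes rather than empty placeholders.
for dev in console null ptmx random stdin stdout stderr tty urandom zero; do
  tar uf "$image_tar" -C / "./dev/$dev"
done
log "Compressing image"
xz "$image_tar"
log "All Done"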
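# Final stage: the root filesystem produced by build-root.sh dropped onto an
# empty base image. rootfs.tar.xz must be present in the build context; ADD
# unpacks it at / and nothing else (no package manager, no shell beyond the
# busybox links) is added.
FROM scratch
LABEL maintainer="Thibault NORMAND <me@zenithar.org>" \
    docker.from="scratch" \
    built.on="ubuntu 19.04" \
    hardened.flags="true" \
    description="Nginx built from source" \
    ssl.implementation="boringssl" \
    boringssl.version="master" \
    pcre.version="8.43" \
    zlib.version="1.2.11" \
    jemalloc.version="5.2.0" \
    nginx.version="1.15.12" \
    nginx.modules="HeadersMore|Brotli|Certificate Transparency|NAXSI|FancyIndex|SRCache" \
    nginx.patches="" \
    nist.cpe.list.nginx="cpe:2.3:a:nginx:nginx:1.15.12:*:*:*:*:*:*:*" \
    nist.cpe.list.pcre="cpe:2.3:a:pcre:pcre:8.43:*:*:*:*:*:*:*" \
    nist.cpe.list.zlib="cpe:2.3:a:gnu:zlib:1.2.11:*:*:*:*:*:*:*"
ADD rootfs.tar.xz /
# Logs, content and configuration are the only mutable locations.
VOLUME ["/var/log/nginx"]
VOLUME ["/www"]
VOLUME ["/etc/nginx"]
EXPOSE 80 443
# Exec form: nginx is PID 1 and receives container signals (SIGTERM/SIGQUIT)
# directly instead of through a /bin/sh wrapper that would not forward them.
# nginx daemonizes by default, so the supplied /etc/nginx must set
# `daemon off;` (or append `-g 'daemon off;'` here) or the container exits
# right after the master process forks.
ENTRYPOINT ["/usr/sbin/nginx"]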
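# Build stage: compiles nginx from source against BoringSSL, PCRE, zlib and
# jemalloc plus a set of third-party modules, then runs build-root.sh to
# assemble /rootfs for the `FROM scratch` image.
FROM ubuntu:19.04 AS build
LABEL maintainer="Thibault NORMAND <me@zenithar.org>"
# Keep apt/dpkg from prompting during the build.
ENV DEBIAN_FRONTEND=noninteractive
# Run upgrades; hold packages that cannot be upgraded inside a container.
RUN echo udev hold | dpkg --set-selections && \
    echo initscripts hold | dpkg --set-selections && \
    echo upstart hold | dpkg --set-selections && \
    apt-get update -q && \
    apt-get -y upgrade
#RUN locale-gen en_US.UTF-8 && dpkg-reconfigure locales
# Install build tools for nginx
RUN apt-get -y install wget git unzip file build-essential automake autoconf gawk libtool binutils cmake golang
# Hardened flags, exported for the dependency builds below. nginx's own
# compiler and linker flags are passed explicitly via --with-cc-opt /
# --with-ld-opt in the configure step.
ENV CFLAGS="-O3 -fPIE -fstack-protector-strong -D_FORTIFY_SOURCE=2 -fPIC -DPIC"
ENV LDFLAGS="-Wl,-z,now -Wl,-z,relro"
ENV CXXFLAGS=${CFLAGS}
# Optional SHA-256 pins for the downloaded tarballs. When a value is given
# (--build-arg PCRE_SHA256=<hex>) the archive is verified before extraction;
# when empty (the default) the download is used unverified, as before.
# Verifying is the only protection for the plain FTP/HTTP fetches below.
ARG PCRE_SHA256=""
ARG ZLIB_SHA256=""
ARG JEMALLOC_SHA256=""
ARG NGINX_SHA256=""
# Download nginx
WORKDIR /usr/src
ENV PCRE_VERSION=8.43
# NOTE(review): FTP gives no transport authenticity; pass PCRE_SHA256 to pin.
RUN wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-${PCRE_VERSION}.tar.gz && \
    { [ -z "$PCRE_SHA256" ] || echo "$PCRE_SHA256  pcre-${PCRE_VERSION}.tar.gz" | sha256sum -c -; } && \
    tar -xf pcre-${PCRE_VERSION}.tar.gz && \
    rm -f pcre-${PCRE_VERSION}.tar.gz && \
    cd /usr/src/pcre-${PCRE_VERSION} && \
    ./configure --enable-jit --enable-utf8 --enable-unicode-properties && \
    make
ENV ZLIB_VERSION=1.2.11
RUN wget https://www.zlib.net/zlib-${ZLIB_VERSION}.tar.gz && \
    { [ -z "$ZLIB_SHA256" ] || echo "$ZLIB_SHA256  zlib-${ZLIB_VERSION}.tar.gz" | sha256sum -c -; } && \
    tar -xf zlib-${ZLIB_VERSION}.tar.gz && \
    cd zlib-${ZLIB_VERSION} && \
    ./configure && \
    make
ENV JEMALLOC_VERSION=5.2.0
RUN wget https://github.com/jemalloc/jemalloc/releases/download/${JEMALLOC_VERSION}/jemalloc-${JEMALLOC_VERSION}.tar.bz2 && \
    { [ -z "$JEMALLOC_SHA256" ] || echo "$JEMALLOC_SHA256  jemalloc-${JEMALLOC_VERSION}.tar.bz2" | sha256sum -c -; } && \
    tar -xf jemalloc-${JEMALLOC_VERSION}.tar.bz2 && \
    rm -f jemalloc-${JEMALLOC_VERSION}.tar.bz2 && \
    cd jemalloc-${JEMALLOC_VERSION} && \
    ./configure && \
    make && \
    make install
# Modules
ENV NDK_VERSION=0.3.1rc1
RUN wget https://github.com/simpl/ngx_devel_kit/archive/v${NDK_VERSION}.tar.gz && \
    tar -xf v${NDK_VERSION}.tar.gz && \
    rm -f v${NDK_VERSION}.tar.gz
# NOTE(review): every module below is cloned at the head of its default
# branch, so rebuilds are not reproducible and compile whatever those
# repositories currently contain. Pinning each clone to a tag or commit
# (`git clone -b <tag>` / `git checkout <commit>`) and recording it in the
# image labels would make the module set auditable.
RUN git clone --recursive https://github.com/google/ngx_brotli && \
    cd /usr/src/ngx_brotli/deps/brotli && \
    make
RUN git clone https://github.com/openresty/headers-more-nginx-module
RUN git clone https://github.com/grahamedgecombe/nginx-ct
RUN git clone https://github.com/aperezdc/ngx-fancyindex
RUN git clone https://github.com/openresty/srcache-nginx-module
RUN git clone https://github.com/nbs-system/naxsi
RUN git clone https://github.com/nginx/njs
# NGINX
ENV NGINX_VERSION=1.15.12
RUN wget https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz && \
    { [ -z "$NGINX_SHA256" ] || echo "$NGINX_SHA256  nginx-${NGINX_VERSION}.tar.gz" | sha256sum -c -; } && \
    tar -xf nginx-${NGINX_VERSION}.tar.gz && \
    rm -f nginx-${NGINX_VERSION}.tar.gz
# BoringSSL: built here with cmake; the .openssl directory mimics the layout
# nginx's --with-openssl expects so that nginx links against the prebuilt
# libcrypto.a/libssl.a instead of running an OpenSSL-style build itself.
RUN git clone -b master https://boringssl.googlesource.com/boringssl --depth=1 && \
    cd /usr/src/boringssl && \
    mkdir build && \
    cd build && \
    cmake -DCMAKE_BUILD_TYPE=Release .. && \
    make -j4 && \
    cd .. && \
    mkdir -p .openssl/lib && \
    cd .openssl && \
    ln -s ../include && \
    cd .. && \
    cp build/crypto/libcrypto.a build/ssl/libssl.a .openssl/lib && \
    cd /usr/src
# Apply custom patches
WORKDIR /usr/src/nginx-${NGINX_VERSION}
# SPDY CloudFlare
#RUN wget -O- https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_hpack_push.patch | patch -p1
# NOTE(review): the patch is fetched from a third-party repository's master
# branch and applied unreviewed on every build; pin it to a commit (or vendor
# the file into the build context) so the change cannot silently differ
# between builds.
RUN wget -O- https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/remove_nginx_server_header.patch | patch -p1
#RUN wget -O- https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_strict-sni.patch | patch -p1
# Configure
# --with-ld-opt now carries -Wl,-z,now alongside -Wl,-z,relro, matching the
# LDFLAGS above: relro without now leaves the GOT writable (partial RELRO).
# NOTE(review): --with-openssl-opt holds OpenSSL ./config options; with the
# prebuilt BoringSSL tree and the ssl.h touch below, the OpenSSL build step
# nginx would pass them to is presumably never run — confirm before relying
# on any of those options.
RUN cd /usr/src/nginx-${NGINX_VERSION} && ./configure \
    --prefix=/opt/nginx \
    --with-cc-opt="-O3 -fPIE -fexceptions -fstack-protector-strong -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -Wno-deprecated-declarations -DTCP_FASTOPEN=23" \
    --with-ld-opt="-lrt -ljemalloc -Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -L ../boringssl/.openssl/lib" \
    --user=nobody \
    --group=nogroup \
    --conf-path=/etc/nginx/nginx.conf \
    --error-log-path=/var/log/nginx/error.log \
    --sbin-path=/usr/sbin/nginx \
    --http-client-body-temp-path=/var/lib/nginx/body \
    --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
    --http-log-path=/var/log/nginx/access.log \
    --http-proxy-temp-path=/var/lib/nginx/proxy \
    --http-scgi-temp-path=/var/lib/nginx/scgi \
    --http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
    --lock-path=/var/lock/nginx.lock \
    --pid-path=/var/run/nginx.pid \
    --with-http_addition_module \
    --with-http_secure_link_module \
    --with-http_dav_module \
    --with-http_gzip_static_module \
    --with-http_realip_module \
    --with-http_stub_status_module \
    --with-http_slice_module \
    --with-http_ssl_module \
    --with-http_v2_module \
# --with-http_v2_hpack_enc \
    --with-http_sub_module \
    --with-mail \
    --with-mail_ssl_module \
    --with-stream \
    --with-stream_realip_module \
    --with-stream_ssl_module \
    --with-stream_ssl_preread_module \
    --with-file-aio \
    --with-threads \
    --without-http_autoindex_module \
    --without-http_ssi_module \
    --without-http_scgi_module \
    --without-http_uwsgi_module \
    --without-http_geo_module \
    --without-http_map_module \
    --without-http_split_clients_module \
    --without-http_memcached_module \
    --without-http_empty_gif_module \
    --without-http_browser_module \
    --with-openssl=/usr/src/boringssl \
    --with-openssl-opt='no-async enable-ec_nistp_64_gcc_128 no-shared no-ssl3 no-comp no-idea no-weak-ssl-ciphers -DOPENSSL_NO_HEARTBEATS -O3 -fPIE -fstack-protector-strong -D_FORTIFY_SOURCE=2' \
    --with-pcre=/usr/src/pcre-${PCRE_VERSION} \
    --with-pcre-jit \
    --with-zlib=/usr/src/zlib-${ZLIB_VERSION} \
    --add-module=/usr/src/ngx_devel_kit-${NDK_VERSION} \
    --add-module=/usr/src/naxsi/naxsi_src \
    --add-module=/usr/src/headers-more-nginx-module \
    --add-module=/usr/src/nginx-ct \
    --add-module=/usr/src/ngx_brotli \
    --add-module=/usr/src/ngx-fancyindex \
    --add-module=/usr/src/srcache-nginx-module \
    && \
    mkdir -p /var/lib/nginx && \
    mkdir -p /www && \
    touch /usr/src/boringssl/.openssl/include/openssl/ssl.h
RUN mkdir /rootfs
RUN cd /usr/src/nginx-${NGINX_VERSION} && make -j4 && make DESTDIR=/rootfs install
# Build Root FS for nano image creation
WORKDIR /rootfs
COPY build-root.sh /
RUN chmod +x /build-root.sh \
    && bash /build-root.sh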