NGiNX Nano Dockerfile tarmaker
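#!/bin/bash
# build-root.sh — assemble the minimal nginx root filesystem under /rootfs and
# pack it as /rootfs.tar.xz, which the scratch-based runtime Dockerfile ADDs.
#
# Runs as root inside the Ubuntu build stage, after `make DESTDIR=/rootfs install`
# has placed nginx under /rootfs (usr/sbin/nginx, etc/nginx, opt/nginx).
# x86_64 only: the library copies below hardcode the multiarch triplet.
#
# The original mixed cwd-relative paths (first half) with absolute /rootfs paths
# (second half), so running it from any other directory split the output; every
# path is now anchored on $ROOTFS. The original's `echo -e off` was a no-op
# (a batch-file habit) and has been dropped.
set -u

ROOTFS=/rootfs
LIBDIR=lib/x86_64-linux-gnu
cd "$ROOTFS"

echo "> refresh package manager"
apt-get update
echo "> Installing busybox and default nginx"
# busybox-static provides the handful of tools linked below; the distro nginx
# package is only used for its /etc/nginx configuration tree.
apt-get install -qy busybox-static nginx

echo "> Prepare chroot"
mkdir -p bin etc dev dev/pts lib proc sys tmp usr
touch etc/resolv.conf
cp /etc/nsswitch.conf etc/nsswitch.conf
# Minimal account database: root, plus the unprivileged nobody/nogroup pair the
# nginx workers drop to (configure --user=nobody --group=nogroup).
echo 'root:x:0:0:root:/:/bin/sh' > etc/passwd
echo 'root:x:0:' > etc/group
grep -F nobody /etc/passwd >> etc/passwd
grep -F nogroup /etc/group >> etc/group
# lib64 and sbin are aliases of lib and bin. The original also ran
# `ln -s usr/lib lib64` after this, which — lib64 already being a link to lib —
# only produced a dangling lib/lib symlink that the hardening pass removed again.
ln -s lib lib64
ln -s bin sbin
cp /bin/busybox bin

echo "> Link busybox tools"
# Only these applets are exposed; anything else needs an explicit `busybox <applet>`.
for applet in sh cp mv ping ping6 nslookup ps traceroute traceroute6; do
  ln -s busybox "bin/$applet"
done

echo "> Copy shared libraries"
mkdir "$LIBDIR"
cp -a /lib/x86_64-linux-gnu/lib{c,crypt,dl,pthread,nss_*,resolv,rt,m,gcc_s}.so.* "$LIBDIR"
cp -a /lib/x86_64-linux-gnu/lib{c,crypt,dl,pthread,nss_*,resolv,rt,m}-* "$LIBDIR"
cp -a /usr/lib/x86_64-linux-gnu/libstdc++.* "$LIBDIR"
# jemalloc was `make install`ed into /usr/local by the build stage; nginx links -ljemalloc.
cp -a /usr/local/lib/libjemalloc.so.* "$LIBDIR"
cp -a /usr/src/ngx_brotli/deps/brotli/bin/bro bin
# Dynamic loader: the /lib64 entry (symlink preserved by -a) plus its target.
cp -a /lib64/ld-linux-x86-64.so.2 lib
cp -a /lib/x86_64-linux-gnu/ld-*.so "$LIBDIR"

echo "> Clean static libraries"
rm -f "$LIBDIR"/*.a

echo "> Strip executables"
strip -s bin/bro
strip -s "$LIBDIR"/*

echo "> Prepare nginx root"
strip -s usr/sbin/nginx
# NOTE(review): etc/nginx already exists from `make DESTDIR=/rootfs install`, so
# this nests the distro tree as etc/nginx/nginx/ rather than merging it over the
# source-build defaults — confirm which nginx.conf is meant to be the live one.
cp -r /etc/nginx etc/nginx
mkdir -p var/lib/nginx/{body,fastcgi,proxy,scgi,uwsgi}
mkdir -p www/empty www/default
mv opt/nginx/html/* www/default
rm -Rf opt/nginx
# NOTE(review): this hands the document root to the worker user, so a
# compromised worker can rewrite served content. Root-owned, world-readable
# would be the least-privilege choice unless the dav module genuinely needs
# write access here — confirm before changing.
chown -R nobody:nogroup www

echo "> Hardening"
# Nothing but the nginx binary survives in usr/sbin.
find usr/sbin ! -type d -a ! -name nginx -delete
sysdirs="$ROOTFS/bin $ROOTFS/etc $ROOTFS/lib $ROOTFS/sbin $ROOTFS/usr"
# Drop backup files (names ending in "-"), normalise directory ownership/perms,
# remove tools a foothold would want (su, chmod, chown, ...), then prune any
# symlink whose target does not exist on the build host.
find $sysdirs -xdev -type f -regex '.*-$' -exec rm -f {} +
find $sysdirs -xdev -type d -exec chown root:root {} \; -exec chmod 0755 {} \;
find $sysdirs -xdev \( \
  -name hexdump -o \
  -name chgrp -o \
  -name chmod -o \
  -name chown -o \
  -name ln -o \
  -name od -o \
  -name strings -o \
  -name su \
  \) -delete
find $sysdirs -xdev -type l -exec test ! -e {} \; -delete

echo "> Building root image"
tar cf /rootfs.tar .
# Append the device nodes from the build host; -C / keeps them at ./dev/<name>.
for dev in console null ptmx random stdin stdout stderr tty urandom zero; do
  tar uf /rootfs.tar -C / "./dev/$dev"
done

echo "> Compressing image"
xz /rootfs.tar
echo "> All Done"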
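# Runtime image: nothing but the root filesystem assembled by build-root.sh.
FROM scratch
LABEL maintainer="Thibault NORMAND <me@zenithar.org>" \
      docker.from="scratch" \
      built.on="ubuntu 19.04" \
      hardened.flags="true" \
      description="Nginx built from source" \
      ssl.implementation="boringssl" \
      boringssl.version="master" \
      pcre.version="8.43" \
      zlib.version="1.2.11" \
      jemalloc.version="5.2.0" \
      nginx.version="1.15.12" \
      nginx.modules="HeadersMore|Brotli|Certificate Transparency|NAXSI|FancyIndex|SRCache" \
      nginx.patches="" \
      nist.cpe.list.nginx="cpe:2.3:a:nginx:nginx:1.15.12:*:*:*:*:*:*:*" \
      nist.cpe.list.pcre="cpe:2.3:a:pcre:pcre:8.43:*:*:*:*:*:*:*" \
      nist.cpe.list.zlib="cpe:2.3:a:gnu:zlib:1.2.11:*:*:*:*:*:*:*"
# ADD rather than COPY on purpose: a local .tar.xz is auto-extracted into /.
ADD rootfs.tar.xz /
# Declared after the extraction so the packaged defaults seed the volumes.
VOLUME ["/var/log/nginx"]
VOLUME ["/www"]
VOLUME ["/etc/nginx"]
EXPOSE 80 443
# Exec form: nginx is PID 1 and receives SIGTERM/SIGQUIT from `docker stop`
# directly; the shell form ran it under busybox /bin/sh, which does not
# forward signals. The master runs as root to bind 80/443 and the workers drop
# to nobody:nogroup (configure --user/--group in the build stage).
# NOTE(review): nothing shown sets `daemon off;` in the bundled nginx.conf;
# without it nginx forks and the container exits at once — confirm, and if
# needed add `CMD ["-g", "daemon off;"]`.
ENTRYPOINT ["/usr/sbin/nginx"]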
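# syntax=docker/dockerfile:1
# Build stage for the nano nginx image: compiles nginx from source against
# BoringSSL, jemalloc, PCRE and zlib with a set of third-party modules, installs
# it under /rootfs, then runs build-root.sh, which assembles the runtime root
# filesystem and packs it as /rootfs.tar.xz (ADDed by the scratch Dockerfile).
# x86_64 only: build-root.sh hardcodes the multiarch library paths.
FROM ubuntu:19.04 AS build
LABEL maintainer="Thibault NORMAND <me@zenithar.org>"

# Fail a RUN step when any command in a pipeline fails. With the default
# /bin/sh, a failed download in `wget -O- … | patch -p1` below would leave
# patch reading an empty stream and the step could still succeed.
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Build-time only, so it is not baked into the stage's runtime environment.
ARG DEBIAN_FRONTEND=noninteractive

# Hold the packages that cannot be upgraded inside a container, then refresh,
# upgrade and install the toolchain in ONE layer: a separate `install` layer
# would run against whatever package list the cached `update` layer captured.
# The lists are dropped afterwards; build-root.sh runs its own `apt-get update`.
# Package versions are not pinned here (the known-good set is not recorded), so
# this layer is not reproducible across rebuilds.
RUN echo udev hold | dpkg --set-selections \
 && echo initscripts hold | dpkg --set-selections \
 && echo upstart hold | dpkg --set-selections \
 && apt-get update -q \
 && apt-get -y upgrade \
 && apt-get -y install \
      autoconf \
      automake \
      binutils \
      build-essential \
      cmake \
      file \
      gawk \
      git \
      golang \
      libtool \
      unzip \
      wget \
 && rm -rf /var/lib/apt/lists/*
#RUN locale-gen en_US.UTF-8 && dpkg-reconfigure locales

# Hardened compile/link flags picked up by every ./configure && make below.
ENV CFLAGS="-O3 -fPIE -fstack-protector-strong -D_FORTIFY_SOURCE=2 -fPIC -DPIC" \
    LDFLAGS="-Wl,-z,now -Wl,-z,relro"
# Separate instruction: a variable cannot reference one set in the same ENV.
ENV CXXFLAGS=${CFLAGS}

WORKDIR /usr/src

# NOTE(review): none of the archives fetched below is checksum- or
# signature-verified, and PCRE arrives over plain FTP, so the build trusts
# whatever the network hands back. Verify each tarball against the hash
# published with its release before extracting, e.g.
#   echo "<sha256-from-release-page>  pcre-${PCRE_VERSION}.tar.gz" | sha256sum -c -
ARG PCRE_VERSION=8.43
RUN wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-${PCRE_VERSION}.tar.gz \
 && tar -xf pcre-${PCRE_VERSION}.tar.gz \
 && rm -f pcre-${PCRE_VERSION}.tar.gz \
 && cd pcre-${PCRE_VERSION} \
 && ./configure --enable-jit --enable-utf8 --enable-unicode-properties \
 && make

ARG ZLIB_VERSION=1.2.11
RUN wget https://www.zlib.net/zlib-${ZLIB_VERSION}.tar.gz \
 && tar -xf zlib-${ZLIB_VERSION}.tar.gz \
 && rm -f zlib-${ZLIB_VERSION}.tar.gz \
 && cd zlib-${ZLIB_VERSION} \
 && ./configure \
 && make

# jemalloc is installed into the build host (/usr/local) because nginx is linked
# with -ljemalloc below and build-root.sh copies the shared object from
# /usr/local/lib into the rootfs.
ARG JEMALLOC_VERSION=5.2.0
RUN wget https://github.com/jemalloc/jemalloc/releases/download/${JEMALLOC_VERSION}/jemalloc-${JEMALLOC_VERSION}.tar.bz2 \
 && tar -xf jemalloc-${JEMALLOC_VERSION}.tar.bz2 \
 && rm -f jemalloc-${JEMALLOC_VERSION}.tar.bz2 \
 && cd jemalloc-${JEMALLOC_VERSION} \
 && ./configure \
 && make \
 && make install

# Modules. The git clones are unpinned: each build takes whatever the default
# branch holds at that moment, so two builds of this file can differ.
# NOTE(review): pin each to a known-good commit
# (`git -C <dir> checkout <commit-sha>`) once those revisions are recorded.
# njs is cloned but never passed to --add-module below.
ARG NDK_VERSION=0.3.1rc1
RUN wget https://github.com/simpl/ngx_devel_kit/archive/v${NDK_VERSION}.tar.gz \
 && tar -xf v${NDK_VERSION}.tar.gz \
 && rm -f v${NDK_VERSION}.tar.gz
RUN git clone --recursive https://github.com/google/ngx_brotli \
 && cd ngx_brotli/deps/brotli \
 && make
RUN git clone https://github.com/openresty/headers-more-nginx-module \
 && git clone https://github.com/grahamedgecombe/nginx-ct \
 && git clone https://github.com/aperezdc/ngx-fancyindex \
 && git clone https://github.com/openresty/srcache-nginx-module \
 && git clone https://github.com/nbs-system/naxsi \
 && git clone https://github.com/nginx/njs

# NGINX (fetched over https; the original used plain http)
ARG NGINX_VERSION=1.15.12
RUN wget https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz \
 && tar -xf nginx-${NGINX_VERSION}.tar.gz \
 && rm -f nginx-${NGINX_VERSION}.tar.gz

# BoringSSL (master, depth 1 — unpinned like the modules above), built once and
# exposed under .openssl/ in the layout nginx's --with-openssl expects:
# include/ plus lib/libssl.a and lib/libcrypto.a.
RUN git clone -b master https://boringssl.googlesource.com/boringssl --depth=1 \
 && cd boringssl \
 && mkdir build \
 && cd build \
 && cmake -DCMAKE_BUILD_TYPE=Release .. \
 && make -j4 \
 && cd .. \
 && mkdir -p .openssl/lib \
 && cd .openssl \
 && ln -s ../include \
 && cd .. \
 && cp build/crypto/libcrypto.a build/ssl/libssl.a .openssl/lib

# Apply custom patches
WORKDIR /usr/src/nginx-${NGINX_VERSION}
# Third-party patch pulled from a moving branch with no checksum: the source
# tree receives whatever that URL serves at build time (pipefail above at least
# fails the step when the download fails).
# NOTE(review): fetch from a commit-pinned URL and verify a hash before piping
# into patch.
# SPDY CloudFlare
#RUN wget -O- https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_hpack_push.patch | patch -p1
RUN wget -O- https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/remove_nginx_server_header.patch | patch -p1
#RUN wget -O- https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_strict-sni.patch | patch -p1

# Configure. --with-http_v2_hpack_enc stays disabled, as in the original (it was
# commented out inside the option list). The trailing `touch` marks the prebuilt
# BoringSSL header as up to date — presumably so nginx's Makefile does not try
# to rebuild the OpenSSL tree itself; confirm against the generated objs/Makefile.
RUN ./configure \
      --prefix=/opt/nginx \
      --with-cc-opt="-O3 -fPIE -fexceptions -fstack-protector-strong -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -Wno-deprecated-declarations -DTCP_FASTOPEN=23" \
      --with-ld-opt="-lrt -ljemalloc -Wl,-Bsymbolic-functions -Wl,-z,relro -L ../boringssl/.openssl/lib" \
      --user=nobody \
      --group=nogroup \
      --conf-path=/etc/nginx/nginx.conf \
      --error-log-path=/var/log/nginx/error.log \
      --sbin-path=/usr/sbin/nginx \
      --http-client-body-temp-path=/var/lib/nginx/body \
      --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
      --http-log-path=/var/log/nginx/access.log \
      --http-proxy-temp-path=/var/lib/nginx/proxy \
      --http-scgi-temp-path=/var/lib/nginx/scgi \
      --http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
      --lock-path=/var/lock/nginx.lock \
      --pid-path=/var/run/nginx.pid \
      --with-http_addition_module \
      --with-http_secure_link_module \
      --with-http_dav_module \
      --with-http_gzip_static_module \
      --with-http_realip_module \
      --with-http_stub_status_module \
      --with-http_slice_module \
      --with-http_ssl_module \
      --with-http_v2_module \
      --with-http_sub_module \
      --with-mail \
      --with-mail_ssl_module \
      --with-stream \
      --with-stream_realip_module \
      --with-stream_ssl_module \
      --with-stream_ssl_preread_module \
      --with-file-aio \
      --with-threads \
      --without-http_autoindex_module \
      --without-http_ssi_module \
      --without-http_scgi_module \
      --without-http_uwsgi_module \
      --without-http_geo_module \
      --without-http_map_module \
      --without-http_split_clients_module \
      --without-http_memcached_module \
      --without-http_empty_gif_module \
      --without-http_browser_module \
      --with-openssl=/usr/src/boringssl \
      --with-openssl-opt='no-async enable-ec_nistp_64_gcc_128 no-shared no-ssl3 no-comp no-idea no-weak-ssl-ciphers -DOPENSSL_NO_HEARTBEATS -O3 -fPIE -fstack-protector-strong -D_FORTIFY_SOURCE=2' \
      --with-pcre=/usr/src/pcre-${PCRE_VERSION} \
      --with-pcre-jit \
      --with-zlib=/usr/src/zlib-${ZLIB_VERSION} \
      --add-module=/usr/src/ngx_devel_kit-${NDK_VERSION} \
      --add-module=/usr/src/naxsi/naxsi_src \
      --add-module=/usr/src/headers-more-nginx-module \
      --add-module=/usr/src/nginx-ct \
      --add-module=/usr/src/ngx_brotli \
      --add-module=/usr/src/ngx-fancyindex \
      --add-module=/usr/src/srcache-nginx-module \
 && mkdir -p /var/lib/nginx /www \
 && touch /usr/src/boringssl/.openssl/include/openssl/ssl.h

RUN mkdir /rootfs
# WORKDIR is already the nginx source tree, so no `cd` is needed.
RUN make -j4 && make DESTDIR=/rootfs install

# Build the root FS for the nano image. build-root.sh populates /rootfs and
# writes /rootfs.tar.xz; it uses cwd-relative paths, hence the WORKDIR.
WORKDIR /rootfs
COPY build-root.sh /
RUN chmod +x /build-root.sh \
 && bash /build-root.sh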