Docker: Build NGINX from Source

Dockerfile

ARG ALPINE_VERSION=3.18
ARG NGINX_VERSION=1.25.1
ARG HEADERS_MORE_VERSION=0.37
ARG NJS_VERSION=0.8.5

FROM alpine:${ALPINE_VERSION}

ARG NGINX_DIR=nginx
ARG WORKSPACE_DIR=workspace
ARG MODULES_DIR=modules
ARG HEADERS_MORE_DIR=headers-more

ARG PID_PATH=/var/local/nginx.pid
ARG CACHE_PATH=/var/cache/nginx
ARG LOG_PATH=/var/log/nginx
ARG CONF_PATH=/etc/nginx/nginx.conf
ARG MODULES_PATH=/usr/lib/nginx/modules

ARG HEADERS_MORE_VERSION
ARG NGINX_VERSION
ARG NJS_VERSION

WORKDIR /

RUN apk update && \
    apk upgrade --no-cache && \
    mkdir -p /${WORKSPACE_DIR} && \

    cd /${WORKSPACE_DIR} && \

    apk add --no-cache --virtual .shared-deps curl openssl ca-certificates && \

    echo "Adding NGINX repository..." && \
    printf "%s%s%s\n" "http://nginx.org/packages/alpine/v" `egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release` "/main" | tee -a /etc/apk/repositories && \
    curl --verbose -o /tmp/nginx_signing.rsa.pub https://nginx.org/keys/nginx_signing.rsa.pub && \
    openssl rsa -pubin -in /tmp/nginx_signing.rsa.pub -text -noout && \
    mv /tmp/nginx_signing.rsa.pub /etc/apk/keys/ && \
    apk update && \

    # Download headers-more: https://github.com/openresty/headers-more-nginx-module
    HEADERS_MORE_TAR=${HEADERS_MORE_DIR}.tar.gz && \ 
    mkdir -p ${NGINX_DIR}/${MODULES_DIR}/${HEADERS_MORE_DIR} && \
    HEADERS_MORE_DIR=headers-more && \
    HEADERS_MORE_TAR=$HEADERS_MORE_DIR.tar.gz && \
    wget https://github.com/openresty/headers-more-nginx-module/archive/refs/tags/v${HEADERS_MORE_VERSION}.tar.gz -O $HEADERS_MORE_DIR.tar.gz && \
    mkdir -p ${MODULES_DIR}/$HEADERS_MORE_DIR && \
    tar -xzvf $HEADERS_MORE_TAR -C ${MODULES_DIR}/$HEADERS_MORE_DIR --strip-components=1 && \
    rm $HEADERS_MORE_TAR && \

    # Download nginx-module-njs: https://github.com/nginx/njs
    NJS_DIR=nginx-njs && \
    NJS_TAR=$NJS_DIR.tar.gz && \
    wget https://github.com/nginx/njs/archive/refs/tags/${NJS_VERSION}.tar.gz -O $NJS_DIR.tar.gz && \
    mkdir -p ${MODULES_DIR}/$NJS_DIR && \
    tar -xzvf $NJS_TAR -C ${MODULES_DIR}/$NJS_DIR --strip-components=1 && \
    rm $NJS_TAR && \

    # Download NGINX from source
    NGINX_TAR=${NGINX_DIR}.tar.gz && \
    mkdir -p ${NGINX_DIR} && \
    NGINX_TAR=${NGINX_DIR}.tar.gz && \
    wget http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -O $NGINX_TAR && \
    tar -xzvf $NGINX_TAR -C ${NGINX_DIR} --strip-components=1 && \
    rm $NGINX_TAR && \

    # Install build dependencies
    apk add --no-cache --virtual .nginx-required-build-deps \
        libgcc \
        pcre2 \
        gd \
        libressl \
        geoip \
        libxext \
        perl \
        zlib \
        libxslt && \
    apk add --no-cache --virtual .nginx-opt-build-deps \
        linux-headers \
        build-base \
        libxslt-dev \
        libressl-dev \
        gd-dev \
        pcre2-dev \
        geoip-dev \
        zlib-dev \
        make \
        perl-dev && \

    echo "Building NGINX from source..." && \

    cd ${NGINX_DIR} && \
    ./configure \
        --prefix=/etc/nginx \

        --add-dynamic-module=../${MODULES_DIR}/headers-more \
        --add-dynamic-module=../${MODULES_DIR}/nginx-njs/nginx \

        --sbin-path=/usr/sbin/nginx \
        --modules-path=${MODULES_PATH} \
        --conf-path=${CONF_PATH} \
        --error-log-path=${LOG_PATH}/error.log \
        --http-log-path=${LOG_PATH}/access.log \
        --pid-path=${PID_PATH} \
        --lock-path=/var/run/nginx.lock \
        --http-client-body-temp-path=${CACHE_PATH}/client_temp \
        --http-proxy-temp-path=${CACHE_PATH}/proxy_temp \
        --http-fastcgi-temp-path=${CACHE_PATH}/fastcgi_temp \
        --http-uwsgi-temp-path=${CACHE_PATH}/uwsgi_temp \
        --http-scgi-temp-path=${CACHE_PATH}/scgi_temp \
        --with-perl_modules_path=/usr/lib/perl5/vendor_perl \
        --user=nginx \
        --group=nginx \
        --with-compat \
        --with-debug \
        --with-file-aio \
        --with-threads \
        --with-http_addition_module \
        --with-http_auth_request_module \
        --with-http_dav_module \
        --with-http_flv_module \
        --with-http_image_filter_module \
        --with-http_geoip_module \
        --with-http_gunzip_module \
        --with-http_gzip_static_module \
        --with-http_mp4_module \
        --with-http_random_index_module \
        --with-http_realip_module \
        --with-http_secure_link_module \
        --with-http_slice_module \
        --with-http_ssl_module \
        --with-http_stub_status_module \
        --with-http_sub_module \
        --with-http_v2_module \
        --with-http_v3_module \
        --with-mail \
        --with-mail_ssl_module \
        --with-stream \
        --with-stream_realip_module \
        --with-stream_ssl_module \
        --with-stream_ssl_preread_module \
        --with-http_xslt_module \
        --with-cc-opt='-Os -fomit-frame-pointer -g' \
        --with-ld-opt=-Wl,--as-needed,-O1,--sort-common && \

    # Compile
    make && \
    make install && \

    # Install NGINX sigsci module
    wget -q https://apk.signalsciences.net/sigsci_apk.pub ; mv sigsci_apk.pub /etc/apk/keys && \
    echo https://apk.signalsciences.net/$(grep -oE '[0-9]+\.[0-9]{2}' /etc/alpine-release)/main | tee -a /etc/apk/repositories && apk update && \
    echo "Verifying certificate authenticity..." && \
    openssl rsa -pubin -in /etc/apk/keys/sigsci_apk.pub -text -noout && \
    apk add --no-cache nginx-module-sigsci-nxo-${NGINX_VERSION} && \

    # Cleanup
    apk del --purge \
        .nginx-opt-build-deps \
        .shared-deps && \
    apk cache clean

COPY ./nginx.base.conf ${CONF_PATH}

RUN addgroup -S nginx && \
    adduser -S nginx -G nginx && \
    mkdir -p ${CACHE_PATH} && \
    mkdir -p /usr/share/nginx/html && \
    touch ${PID_PATH} && \
    chown -R nginx:nginx ${CACHE_PATH} ${PID_PATH} /usr/share/nginx/html ${CONF_PATH} && \
    ln -s ${MODULES_PATH} /etc/nginx/modules && \
    nginx -c ${CONF_PATH} -t