-
Notifications
You must be signed in to change notification settings - Fork 129
/
Dockerfile.buildkit.plus
104 lines (91 loc) · 4.85 KB
/
Dockerfile.buildkit.plus
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
FROM debian:bookworm-slim@sha256:ca3372ce30b03a591ec573ea975ad8b0ecaf0eb17a354416741f8001bbcae33d
# Create RELEASE argument
ARG RELEASE=bookworm
# NJS env vars
ENV NGINX_VERSION=32
ENV NGINX_PKG_RELEASE=1~${RELEASE}
ENV NJS_VERSION=0.8.4
ENV NJS_PKG_RELEASE=1~${RELEASE}
# Proxy cache env vars
ENV PROXY_CACHE_MAX_SIZE=10g
ENV PROXY_CACHE_INACTIVE=60m
ENV PROXY_CACHE_SLICE_SIZE=1m
ENV PROXY_CACHE_VALID_OK=1h
ENV PROXY_CACHE_VALID_NOTFOUND=1m
ENV PROXY_CACHE_VALID_FORBIDDEN=30s
# CORS env vars
ENV CORS_ENABLED=0
ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS=""
# S3 proxy env vars
ENV DIRECTORY_LISTING_PATH_PREFIX=""
ENV STRIP_LEADING_DIRECTORY_PATH=""
ENV PREFIX_LEADING_DIRECTORY_PATH=""
# We create an NGINX Plus image based on the official NGINX Plus Dockerfiles (https://gist.github.com/nginx-gists/36e97fc87efb5cf0039978c8e41a34b5) and modify it by:
# 1. Explicitly installing the version of njs coded in the environment variable above.
# 2. Adding configuration files needed for proxying private S3 buckets.
# 3. Adding a directory for proxied objects to be stored.
# 4. Adding the entrypoint scripts found in the base NGINX OSS Docker image with a modified version that explicitly sets resolvers.
# Download your NGINX license certificate and key from the F5 customer portal (https://account.f5.com) and copy it to the build context
RUN --mount=type=secret,id=nginx-crt,dst=nginx-repo.crt \
--mount=type=secret,id=nginx-key,dst=nginx-repo.key \
set -x \
# Create nginx user/group first, to be consistent throughout Docker variants
&& groupadd --system --gid 101 nginx \
&& useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
&& apt-get update \
&& apt-get install --no-install-recommends --no-install-suggests -y ca-certificates gnupg1 lsb-release \
&& \
NGINX_GPGKEYS="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 8540A6F18833A80E9C1653A42FD21310B49F6B46 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3"; \
NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \
export GNUPGHOME="$(mktemp -d)"; \
found=''; \
for NGINX_GPGKEY in $NGINX_GPGKEYS; do \
for server in \
hkp://keyserver.ubuntu.com:80 \
pgp.mit.edu \
; do \
echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
done; \
test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
done; \
gpg1 --export "$NGINX_GPGKEYS" > "$NGINX_GPGKEY_PATH" ; \
rm -rf "$GNUPGHOME"; \
apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \
# Install the latest release of NGINX Plus and/or NGINX Plus modules (written and maintained by F5)
&& nginxPackages=" \
nginx-plus=${NGINX_VERSION}-${NGINX_PKG_RELEASE} \
nginx-plus-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_PKG_RELEASE} \
nginx-plus-module-xslt=${NGINX_VERSION}-${NGINX_PKG_RELEASE} \
" \
&& echo "Acquire::https::pkgs.nginx.com::Verify-Peer \"true\";" > /etc/apt/apt.conf.d/90nginx \
&& echo "Acquire::https::pkgs.nginx.com::Verify-Host \"true\";" >> /etc/apt/apt.conf.d/90nginx \
&& echo "Acquire::https::pkgs.nginx.com::SslCert \"/etc/ssl/nginx/nginx-repo.crt\";" >> /etc/apt/apt.conf.d/90nginx \
&& echo "Acquire::https::pkgs.nginx.com::SslKey \"/etc/ssl/nginx/nginx-repo.key\";" >> /etc/apt/apt.conf.d/90nginx \
&& echo "deb [signed-by=$NGINX_GPGKEY_PATH] https://pkgs.nginx.com/plus/debian `lsb_release -cs` nginx-plus\n" > /etc/apt/sources.list.d/nginx-plus.list \
&& mkdir -p /etc/ssl/nginx \
&& cat nginx-repo.crt > /etc/ssl/nginx/nginx-repo.crt \
&& cat nginx-repo.key > /etc/ssl/nginx/nginx-repo.key \
&& apt-get update \
&& apt-get install --no-install-recommends --no-install-suggests -y $nginxPackages curl gettext-base \
&& apt-get remove --purge -y lsb-release \
&& apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx-plus.list \
&& rm -rf /etc/apt/apt.conf.d/90nginx /etc/ssl/nginx \
# Forward request logs to Docker log collector
&& ln -sf /dev/stdout /var/log/nginx/access.log \
&& ln -sf /dev/stderr /var/log/nginx/error.log
EXPOSE 80
STOPSIGNAL SIGTERM
CMD ["nginx", "-g", "daemon off;"]
# Copy files from the OSS NGINX Docker container such that the container
# startup is the same.
COPY plus/etc/nginx /etc/nginx
COPY common/etc /etc
COPY common/docker-entrypoint.sh /docker-entrypoint.sh
COPY common/docker-entrypoint.d /docker-entrypoint.d/
COPY plus/docker-entrypoint.d /docker-entrypoint.d/
RUN set -x \
&& mkdir -p /var/cache/nginx/s3_proxy \
&& chown nginx:nginx /var/cache/nginx/s3_proxy \
&& chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh;
ENTRYPOINT ["/docker-entrypoint.sh"]