build on every push

.drone.yml

@@ -1,51 +0,0 @@
----
-kind: pipeline
-type: docker
-name: default
-
-steps:
-  - name: submodules
-    image: alpine/git
-    commands:
-      - git submodule update --init --recursive
-
-  - name: build_and_publish_tag
-    image: plugins/docker:linux-amd64
-    settings:
-      force_tag: true
-      password:
-        from_secret: docker_password
-      registry: docker.asperti.com
-      repo: docker.asperti.com/paspo/webserver-nginx
-      context: .
-      dockerfile: ./Dockerfile
-      username:
-        from_secret: docker_username
-      tags:
-        - latest
-        - ${DRONE_TAG}
-        - ${DRONE_SEMVER_MAJOR}.${DRONE_SEMVER_MINOR}
-    when:
-      event:
-        - tag
-
-  - name: build_and_publish
-    image: plugins/docker:linux-amd64
-    settings:
-      force_tag: true
-      password:
-        from_secret: docker_password
-      registry: docker.asperti.com
-      repo: docker.asperti.com/paspo/webserver-nginx
-      context: .
-      dockerfile: ./Dockerfile
-      username:
-        from_secret: docker_username
-      tags:
-        - latest
-    when:
-      branch:
-        - main
-      event:
-        - push
-        - cron

.gitea/workflows/build_and_publish.yaml

@@ -0,0 +1,75 @@
+---
+name: Container Publish
+
+env:
+  REGISTRY: docker.asperti.com
+  REPOSITORY: paspo/webserver-nginx
+
+on:
+  push:
+  schedule:
+    - cron: "0 12 * * 3"
+  workflow_dispatch:
+  workflow_call:
+  workflow_run:
+    workflows: [vulnscan.yaml]
+    types: [completed]
+
+jobs:
+  on-success-skip:
+    runs-on:
+      labels: ubuntu-latest
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    steps:
+      - run: exit_with_success
+
+  build-image:
+    runs-on:
+      labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
+    container:
+      image: catthehacker/ubuntu:act-latest
+    strategy:
+      matrix:
+        arch: [amd64, arm64]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: Build and publish
+        run: |
+          docker build \
+            --tag ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-${{ matrix.arch }} \
+            --platform linux/${{ matrix.arch }} --no-cache -f Dockerfile .
+          docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-${{ matrix.arch }}
+
+
+  manifest:
+    name: update docker manifest
+    needs: build-image
+    runs-on: ubuntu-latest
+    container:
+      image: catthehacker/ubuntu:act-latest
+
+    steps:
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: latest
+        run: |
+          docker manifest create \
+            ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest \
+            --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-amd64 \
+            --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-arm64
+          docker manifest push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest
+

.gitea/workflows/build_and_publish_php74.yaml

@@ -0,0 +1,67 @@
+---
+name: Container Publish - php7.4 version
+
+env:
+  REGISTRY: docker.asperti.com
+  REPOSITORY: paspo/webserver-nginx
+
+on:
+  workflow_dispatch:
+
+jobs:
+  on-success-skip:
+    runs-on:
+      labels: ubuntu-latest
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    steps:
+      - run: exit_with_success
+
+  build-image:
+    runs-on:
+      labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
+    container:
+      image: catthehacker/ubuntu:act-latest
+    strategy:
+      matrix:
+        arch: [amd64, arm64]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: Build and publish php74
+        run: |
+          docker build \
+            --tag ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74-${{ matrix.arch }} \
+            --platform linux/${{ matrix.arch }} --no-cache -f Dockerfile-php74 .
+          docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74-${{ matrix.arch }}
+
+
+  manifest:
+    name: update docker manifest
+    needs: build-image
+    runs-on: ubuntu-latest
+    container:
+      image: catthehacker/ubuntu:act-latest
+
+    steps:
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: latest
+        run: |
+          docker manifest create \
+            ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74 \
+            --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74-amd64 \
+            --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74-arm64
+          docker manifest push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74

.gitea/workflows/vulnscan.yaml

@@ -0,0 +1,65 @@
+---
+name: Vulnerability Scan
+
+env:
+  REGISTRY: docker.asperti.com
+  REPOSITORY: paspo/webserver-nginx
+
+on:
+  schedule:
+    - cron: "0 14 * * *"
+  workflow_dispatch:
+  workflow_call:
+  workflow_run:
+    workflows: [build_and_publish.yaml]
+    types: [completed]
+
+jobs:
+  scan:
+    name: Daily Vulnerability Scan
+    runs-on:
+      labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
+    container:
+      image: catthehacker/ubuntu:act-latest
+    strategy:
+      matrix:
+        arch: [amd64, arm64]
+        tag: [latest, latest-php74]
+
+    steps:
+      - name: Pull docker image
+        run: docker pull ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ matrix.tag }}
+
+      - name: Setup trivy
+        run: |
+          echo "Installing Trivy for arch: $(uname -m)"
+          case $(uname -m) in
+            x86_64)
+              wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-64bit.deb ;;
+            aarch64)
+              wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-ARM64.deb ;;
+            *) exit 1 ;;
+          esac
+          dpkg -i /tmp/trivy.deb
+
+      - name: Run Trivy vulnerability scanner
+        id: scan
+        run: |
+          trivy --server ${{ secrets.TRIVY_SERVER }} --token ${{ secrets.TRIVY_TOKEN }} image --format json ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ matrix.tag }} > trivy-results.json
+
+      # if some vulnerability is found, we fail
+      - name: check output
+        id: vulncount
+        run: |
+          echo "VULNCOUNT=$(jq '.Results[0].Vulnerabilities|length' trivy-results.json)" >> ${GITHUB_OUTPUT}
+          if [ $(jq '.Results[0].Vulnerabilities|length' trivy-results.json) -ne "0" ] ; then exit 1 ; fi
+
+      - name: send telegram notification
+        if: failure()
+        uses: appleboy/telegram-action@master
+        with:
+          to: ${{ secrets.TELEGRAM_TO }}
+          token: ${{ secrets.TELEGRAM_TOKEN }}
+          format: markdown
+          message: |
+            Found **${{ steps.vulncount.outputs.VULNCOUNT }}** vulnerabilities in `${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ matrix.tag }}`

Dockerfile

@@ -1,15 +1,28 @@
-FROM alpine:3.21
+FROM alpine:3.22
 
 RUN \
-  apk -U upgrade && \
-  apk add tini nginx gettext-envsubst openssh-server php84 php84-fpm php83 php83-fpm php82 php82-fpm
+  apk --no-cache upgrade && \
+  apk --no-cache add tini nginx curl logrotate openssh-server nginx-mod-http-dav-ext goaccess \
+    php84 php84-fpm php84-mbstring php84-curl php84-ctype php84-dom php84-gd php84-json php84-openssl php84-session php84-simplexml php84-xml php84-zip \
+    php84-apcu php84-opcache php84-pecl-yaml php84-sqlite3 php84-mysqli \
+    php83 php83-fpm php83-mbstring php83-curl php83-ctype php83-dom php83-gd php83-json php83-openssl php83-session php83-simplexml php83-xml php83-zip \
+    php83-apcu php83-opcache php83-pecl-yaml php83-sqlite3 php83-mysqli \
+    php82 php82-fpm php82-mbstring php82-curl php82-ctype php82-dom php82-gd php82-json php82-openssl php82-session php82-simplexml php82-xml php82-zip \
+    php82-apcu php82-opcache php82-pecl-yaml php82-sqlite3 php82-mysqli
 
 COPY rootfs /
 
-VOLUME [ "/data/www", "/ssh" ]
+VOLUME [ "/data" ]
 
 ENV \
   USERNAME=theuser \
-  PHP=none
+  GROUPNAME=thegroup \
+  PHP=none \
+  PUID=1000 \
+  PGID=1000 \
+  WEBDAV_PORT=8080 \
+  TZ=Etc/UTC
+
+HEALTHCHECK --timeout=10s --start-period=5s CMD curl --silent --fail -o /dev/null http://127.0.0.1:80/
 
 ENTRYPOINT [ "/sbin/tini", "/app/entrypoint.sh" ]

Dockerfile-php74

@@ -0,0 +1,22 @@
+FROM alpine:3.15
+
+RUN \
+  apk --no-cache upgrade && \
+  apk --no-cache add tini nginx openssh-server nginx-mod-http-dav-ext \
+    php7 php7-fpm php7-mbstring php7-curl php7-ctype php7-dom php7-gd php7-json php7-openssl php7-session php7-simplexml php7-xml php7-zip \
+    php7-apcu php7-opcache php7-pecl-yaml php7-sqlite3 php7-mysqli
+
+COPY rootfs-php74 /
+
+VOLUME [ "/data/www", "/ssh" ]
+
+ENV \
+  USERNAME=theuser \
+  GROUPNAME=thegroup \
+  PHP=none \
+  PUID=1000 \
+  PGID=1000 \
+  WEBDAV_PORT=8080 \
+  TZ=Etc/UTC
+
+ENTRYPOINT [ "/sbin/tini", "/app/entrypoint.sh" ]

README.md

@@ -1,7 +1,5 @@
 # webserver-nginx
 
-[![Build Status](https://drone.asperti.com/api/badges/paspo/docker-webserver-nginx/status.svg)](https://drone.asperti.com/paspo/docker-webserver-nginx)
-
 Small webserver with PHP support and SFTP access
 
 ## usage
@@ -13,11 +11,42 @@ services:
   web:
     image: docker.asperti.com/paspo/webserver-nginx
     ports:
-      - 8888:80
-      - 2222:22
+      - 8888:80 # web server
+      - 8890:8080 # webdav access
+      - 2222:22 # sftp access
     volumes:
-      - ./www:/data/www
-      - ./ssh:/ssh # add authorized_keys file here
+      - ./data:/data
+      - ./extra_nginx.conf:/etc/nginx/custom.d/extra.conf # optional
     environment:
-      PHP: php84 # none, php82, php83, php84
+      LOG_DAYS: 14              # default 7
+      WEBDAV_PORT: 8080         # default: 8080
+      PHP: php84                # none (default), php82, php83, php84
+      POSTSIZE: 256M            # default: 256M
+      PUID: 1000                # default: 1000
+      PGID: 1000                # default: 1000
+      USERNAME: theuser         # default: theuser
+      GROUPNAME: thegroup       # default: thegroup
+      TZ: Etc/UTC               # default: Etc/UTC
+      FPM_MAX_CHILDREN: 5       # default: 5
+      FPM_START_SERVERS: 1      # default: 1
+      FPM_MIN_SPARE_SERVERS: 1  # default: 1
+      FPM_MAX_SPARE_SERVERS: 3  # default: 3
+      DISABLE_WEBROOT_CHOWN: 1  # default: 0
+      DISABLE_SFTP: 1           # default: 0
+      DISABLE_STATS: 1          # default: 0
+      DISABLE_STATS_HOURLY: 1   # default: 0
+      DISABLE_WEBDAV: 1         # default: 0
 ```
+
+The `/data/www` and `/data/logs` directories and their contents will be chowned to `$PUID:$PGID` and chmodded to `0755` for directories and `0644` for files at container start.
+
+## data direcvtory layout
+
+| directory | content                                       |
+|-----------|-----------------------------------------------|
+| auth      | htpasswd files for stats and webdav           |
+| logs      | nginx access logs (logrotated) and error logs |
+| ssh       | host keys and authorized keys                 |
+| stats     | html statistical report                       |
+| stats.db  | internal statistical db                       |
+| www       | webroot                                       |

docker-compose-sample.yaml

@@ -1,11 +0,0 @@
-services:
-  web:
-    image: docker.asperti.com/paspo/webserver-nginx
-    ports:
-      - 8888:80
-      - 2222:22
-    volumes:
-      - ./www:/data/www
-      - ./ssh:/ssh # add authorized_keys file here
-    environment:
-      PHP: php84 # none, php82, php83, php84

rootfs-php74/app/entrypoint.sh

@@ -0,0 +1,118 @@
+#!/bin/sh
+
+WEBROOT=/data/www
+WEBDAV_PORT=${WEBDAV_PORT:-8080}
+PHP=${PHP:-none}
+POSTSIZE=${POSTSIZE:-256M}
+USERNAME=${USERNAME:-theuser}
+PUID=${PUID:-1000}
+GROUPNAME=${GROUPNAME:-thegroup}
+PGID=${PGID:-1000}
+RANDOMPWD=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 13)
+addgroup -g "${PGID}" "${GROUPNAME}"
+addgroup nginx "${GROUPNAME}"
+adduser -DH -h "${WEBROOT}" -G "${GROUPNAME}" -u "${PUID}" "${USERNAME}"
+printf '%s\n%s' "${RANDOMPWD}" "${RANDOMPWD}" | passwd "${USERNAME}"
+echo "password for the user \"${USERNAME}\" is: ${RANDOMPWD}"
+
+chown "${PUID}:${GROUPNAME}" "${WEBROOT}" -R
+find "${WEBROOT}" -type d -exec chmod 0755 {} \;
+find "${WEBROOT}" -type f -exec chmod 0644 {} \;
+
+FPM_MAX_CHILDREN=${FPM_MAX_CHILDREN:-5}
+FPM_START_SERVERS=${FPM_START_SERVERS:-1}
+FPM_MIN_SPARE_SERVERS=${FPM_MIN_SPARE_SERVERS:-1}
+FPM_MAX_SPARE_SERVERS=${FPM_MAX_SPARE_SERVERS:-3}
+
+# set php config
+case "${PHP}" in
+  "php7")
+    cat >"/etc/${PHP}/php-fpm.d/www.conf" <<EOF
+[www]
+user = ${USERNAME}
+group = ${GROUPNAME}
+listen = 127.0.0.1:9000
+pm = dynamic
+pm.max_children = ${FPM_MAX_CHILDREN}
+pm.start_servers = ${FPM_START_SERVERS}
+pm.min_spare_servers = ${FPM_MIN_SPARE_SERVERS}
+pm.max_spare_servers = ${FPM_MAX_SPARE_SERVERS}
+EOF
+    cat >"/etc/${PHP}/conf.d/post_size.ini" <<EOF
+upload_max_size = ${POSTSIZE}
+post_max_size = ${POSTSIZE}
+upload_max_filesize = ${POSTSIZE}    
+upload_tmp_dir = /tmp
+EOF
+    ;;
+    *) ;;
+esac
+
+cat >"/etc/nginx/custom.d/post_size.conf" <<EOF
+client_max_body_size ${POSTSIZE};
+EOF
+
+# start php
+case "${PHP}" in
+    "php7") 
+      cp /app/nginx/php7.conf /etc/nginx/custom.d/
+      cp /app/nginx/default_php.conf /etc/nginx/http.d/default.conf
+      /usr/sbin/php-fpm7 -D
+      ;;
+    *)
+      cp /app/nginx/default_nophp.conf /etc/nginx/http.d/default.conf
+      ;;
+esac
+
+# start ssh
+for keytype in ecdsa rsa ed25519 ; do
+  if [ ! -r "/ssh/ssh_host_${keytype}_key" ] ; then
+    /usr/bin/ssh-keygen -t "${keytype}" -f "/ssh/ssh_host_${keytype}_key" -N ""
+  fi
+  chmod 0600 "/ssh/ssh_host_${keytype}_key"
+  chmod 0644 "/ssh/ssh_host_${keytype}_key.pub"
+done
+
+# set authorized_keys permissions
+if [ -f /ssh/authorized_keys ] ; then
+  chmod 0600 /ssh/authorized_keys
+  chown "${USERNAME}:${GROUPNAME}" /ssh/authorized_keys
+fi
+
+if [ -d "${PATH_WEBROOT}/.ssh" ] ; then
+  chmod 0700 "${PATH_WEBROOT}/.ssh"
+fi
+/usr/sbin/sshd -e
+
+cat > /etc/nginx/conf.d/user.conf <<EOF
+user ${USERNAME} ${GROUPNAME};
+EOF
+
+# fix permissions for upload
+chown "${USERNAME}" /var/lib/nginx /var/lib/nginx/tmp
+
+cat > /etc/nginx/http.d/webdav.conf <<EOF
+server {
+    listen ${WEBDAV_PORT} default_server;
+    listen [::]:${WEBDAV_PORT} default_server;
+    root ${WEBROOT};
+
+    location / {
+        autoindex on;
+        autoindex_exact_size off;
+        autoindex_localtime on;
+        dav_methods             PUT DELETE MKCOL COPY MOVE;
+        dav_ext_methods         PROPFIND OPTIONS;
+        create_full_put_path    on;
+        dav_access              user:rw;
+    }
+
+    auth_basic "Restricted area";
+    auth_basic_user_file /app/htpasswd;
+}
+EOF
+
+touch /app/htpasswd
+
+# start nginx
+nginx

rootfs-php74/app/nginx/default_nophp.conf

@@ -7,10 +7,8 @@ server {
     root   /data/www;
     # server_name  localhost;
 
-    #access_log  /var/log/nginx/host.access.log  main;
-
     location / {
-        index  index.html index.htm;
+        index index.html index.htm;
 
         # autoindex on;
         # autoindex_exact_size off;
@@ -18,21 +16,6 @@ server {
         # autoindex_localtime on;
     }
 
-    #error_page  404              /404.html;
-
-    location = /404.html {
-            internal;
-    }
-
-    # redirect server error pages to the static page /50x.html
-    #
-    error_page   500 502 503 504  /50x.html;
-    location = /50x.html {
-        root   /usr/share/nginx/html;
-    }
-
-    include /etc/nginx/custom.d/${PHP}.conf;
-
     gzip on;
     gzip_proxied any;
     gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript text/x-js image/x-icon font/woff2 font/woff application/x-font-woff;
@@ -43,4 +26,6 @@ server {
     if_modified_since exact;
     add_header Pragma "public";
     add_header Cache-Control "max-age=31536000, public";
+
+    include /etc/nginx/custom.d/*.conf;
 }

rootfs-php74/app/nginx/default_php.conf

@@ -0,0 +1,31 @@
+error_log /dev/stdout info;
+access_log /dev/stdout;
+
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    root   /data/www;
+    # server_name  localhost;
+
+    location / {
+        index index.php index.html index.htm;
+
+        # autoindex on;
+        # autoindex_exact_size off;
+        # autoindex_format html;
+        # autoindex_localtime on;
+    }
+
+    gzip on;
+    gzip_proxied any;
+    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript text/x-js image/x-icon font/woff2 font/woff application/x-font-woff;
+    gzip_vary on;
+    gzip_disable "msie6";
+
+    etag on;
+    if_modified_since exact;
+    add_header Pragma "public";
+    add_header Cache-Control "max-age=31536000, public";
+
+    include /etc/nginx/custom.d/*.conf;
+}

rootfs-php74/etc/nginx/conf.d/nodaemon.conf

@@ -0,0 +1 @@
+daemon off;

rootfs-php74/etc/nginx/nginx.conf

@@ -0,0 +1,111 @@
+# /etc/nginx/nginx.conf
+
+# user nginx;
+
+# Set number of worker processes automatically based on number of CPU cores.
+worker_processes auto;
+
+# Enables the use of JIT for regular expressions to speed-up their processing.
+pcre_jit on;
+
+# Configures default error logger.
+error_log /var/log/nginx/error.log warn;
+
+# Includes files with directives to load dynamic modules.
+include /etc/nginx/modules/*.conf;
+
+# Uncomment to include files with config snippets into the root context.
+# NOTE: This will be enabled by default in Alpine 3.15.
+include /etc/nginx/conf.d/*.conf;
+
+events {
+        # The maximum number of simultaneous connections that can be opened by
+        # a worker process.
+        worker_connections 1024;
+}
+
+http {
+        # Includes mapping of file name extensions to MIME types of responses
+        # and defines the default type.
+        include /etc/nginx/mime.types;
+        default_type application/octet-stream;
+
+        # Name servers used to resolve names of upstream servers into addresses.
+        # It's also needed when using tcpsocket and udpsocket in Lua modules.
+        #resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001;
+
+        # Don't tell nginx version to the clients. Default is 'on'.
+        server_tokens off;
+
+        # Specifies the maximum accepted body size of a client request, as
+        # indicated by the request header Content-Length. If the stated content
+        # length is greater than this size, then the client receives the HTTP
+        # error code 413. Set to 0 to disable. Default is '1m'.
+        client_max_body_size 1m;
+
+        # Sendfile copies data between one FD and other from within the kernel,
+        # which is more efficient than read() + write(). Default is off.
+        sendfile on;
+
+        # Causes nginx to attempt to send its HTTP response head in one packet,
+        # instead of using partial frames. Default is 'off'.
+        tcp_nopush on;
+
+
+        # Enables the specified protocols. Default is TLSv1 TLSv1.1 TLSv1.2.
+        # TIP: If you're not obligated to support ancient clients, remove TLSv1.1.
+        ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+
+        # Path of the file with Diffie-Hellman parameters for EDH ciphers.
+        # TIP: Generate with: `openssl dhparam -out /etc/ssl/nginx/dh2048.pem 2048`
+        #ssl_dhparam /etc/ssl/nginx/dh2048.pem;
+
+        # Specifies that our cipher suits should be preferred over client ciphers.
+        # Default is 'off'.
+        ssl_prefer_server_ciphers on;
+
+        # Enables a shared SSL cache with size that can hold around 8000 sessions.
+        # Default is 'none'.
+        ssl_session_cache shared:SSL:2m;
+
+        # Specifies a time during which a client may reuse the session parameters.
+        # Default is '5m'.
+        ssl_session_timeout 1h;
+
+        # Disable TLS session tickets (they are insecure). Default is 'on'.
+        ssl_session_tickets off;
+
+
+        # Enable gzipping of responses.
+        #gzip on;
+
+        # Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'.
+        gzip_vary on;
+
+
+        # Helper variable for proxying websockets.
+        map $http_upgrade $connection_upgrade {
+                default upgrade;
+                '' close;
+        }
+
+	# use real IPs instead of docker ones
+	set_real_ip_from 172.18.0.0/16;
+	real_ip_header X-Forwarded-For;
+	real_ip_recursive on;
+
+        # Specifies the main log format.
+        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+                        '$status $body_bytes_sent "$http_referer" '
+                        '"$http_user_agent" "$http_x_forwarded_for"';
+
+        # Sets the path, format, and configuration for a buffered log write.
+        access_log /var/log/nginx/access.log main;
+
+
+        # Includes virtual hosts configs.
+        include /etc/nginx/http.d/*.conf;
+}
+
+# TIP: Uncomment if you use stream module.
+#include /etc/nginx/stream.conf;

rootfs-php74/etc/php7/php-fpm.d/errlog.conf

@@ -0,0 +1 @@
+error_log = /dev/stderr

rootfs-php74/etc/ssh/sshd_config

@@ -0,0 +1,116 @@
+Include /etc/ssh/sshd_config.d/*.conf
+
+#       $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile      .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+#KbdInteractiveAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+#UsePAM no
+
+#AllowAgentForwarding yes
+# Feel free to re-enable these if your use case requires them.
+AllowTcpForwarding no
+GatewayPorts no
+X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#       X11Forwarding no
+#       AllowTcpForwarding no
+#       PermitTTY no
+#       ForceCommand cvs server

rootfs-php74/etc/ssh/sshd_config.d/port.conf

@@ -0,0 +1 @@
+Port 22

rootfs/app/entrypoint.sh

@@ -1,37 +1,92 @@
 #!/bin/sh
 
-WEBROOT=/data/www
+PATH_BASE=/data
+PATH_WEBROOT=${PATH_BASE}/www
+PATH_STATS=${PATH_BASE}/stats
+PATH_STATSDB=${PATH_BASE}/stats.db
+PATH_LOGS=${PATH_BASE}/logs
+PATH_AUTH=${PATH_BASE}/auth
+PATH_SSH_HOST=${PATH_BASE}/ssh
+
+WEBDAV_PORT=${WEBDAV_PORT:-8080}
+LOG_DAYS=${LOG_DAYS:-7}
+
 PHP=${PHP:-none}
+POSTSIZE=${POSTSIZE:-256M}
 USERNAME=${USERNAME:-theuser}
-RANDOMPWD=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 13)
-adduser -DH -h "${WEBROOT}" -G "nginx" -u "1000" "${USERNAME}"
-printf '%s\n%s' "${RANDOMPWD}" "${RANDOMPWD}" | passwd "${USERNAME}"
-echo "password for the user \"${USERNAME}\" is: ${RANDOMPWD}"
+PUID=${PUID:-1000}
+GROUPNAME=${GROUPNAME:-thegroup}
+PGID=${PGID:-1000}
 
-chown "${USERNAME}:nginx" "${WEBROOT}" -R
-find "${WEBROOT}" -type d -exec chmod 0755 {} \;
-find "${WEBROOT}" -type f -exec chmod 0644 {} \;
+FPM_MAX_CHILDREN=${FPM_MAX_CHILDREN:-5}
+FPM_START_SERVERS=${FPM_START_SERVERS:-1}
+FPM_MIN_SPARE_SERVERS=${FPM_MIN_SPARE_SERVERS:-1}
+FPM_MAX_SPARE_SERVERS=${FPM_MAX_SPARE_SERVERS:-3}
 
-envsubst < /app/nginx.conf.tpl > /etc/nginx/http.d/default.conf
+DISABLE_WEBROOT_CHOWN=${DISABLE_WEBROOT_CHOWN:-0}
+DISABLE_SFTP=${DISABLE_SFTP:-0}
+DISABLE_STATS=${DISABLE_STATS:-0}
+DISABLE_STATS_HOURLY=${DISABLE_STATS_HOURLY:-0}
+DISABLE_WEBDAV=${DISABLE_WEBDAV:-0}
+
+export USERNAME
+export GROUPNAME
+export PATH_BASE
+export PATH_WEBROOT
+export PATH_STATS
+export PATH_STATSDB
+export PATH_LOGS
+export PATH_AUTH
+export PATH_SSH_HOST
+export WEBDAV_PORT
+export POSTSIZE
+export LOG_DAYS
+export PHP
+export PUID
+export PGID
+
+export FPM_MAX_CHILDREN
+export FPM_START_SERVERS
+export FPM_MIN_SPARE_SERVERS
+export FPM_MAX_SPARE_SERVERS
+
+export DISABLE_WEBROOT_CHOWN
+export DISABLE_SFTP
+export DISABLE_STATS
+export DISABLE_STATS_HOURLY
+export DISABLE_WEBDAV
+
+# run all scripts in order
+run-parts /app/entrypoint.sh.d
 
 # start php
 case "${PHP}" in
-    "php84") /usr/sbin/php-fpm84 -D ;;
-    "php83") /usr/sbin/php-fpm83 -D ;;
-    "php82") /usr/sbin/php-fpm82 -D ;;
-    *) ;;
+    "php84") 
+      echo "# Starting PH 8.4"
+      /usr/sbin/php-fpm84 -D
+      ;;
+    "php83") 
+      echo "# Starting PH 8.3"
+      /usr/sbin/php-fpm83 -D
+      ;;
+    "php82")
+      echo "# Starting PH 8.2"
+      /usr/sbin/php-fpm82 -D
+      ;;
+    *)
+      ;;
 esac
 
+# start cron
+echo "# Starting cron"
+crond -b
+
 # start ssh
-for keytype in ecdsa rsa ed25519 ; do
-  if [ ! -r "/ssh/ssh_host_${keytype}_key" ] ; then
-    /usr/bin/ssh-keygen -t "${keytype}" -f "/ssh/ssh_host_${keytype}_key" -N ""
-  fi
-  chmod 0600 "/ssh/ssh_host_${keytype}_key"
-  chmod 0644 "/ssh/ssh_host_${keytype}_key.pub"
-done
-chmod 0700 "${WEBROOT}/.ssh"
-/usr/sbin/sshd -e
+if [ "${DISABLE_SFTP}" -ne 1 ] ; then
+  echo "# Starting ssh"
+  /usr/sbin/sshd -e
+fi
 
 # start nginx
+echo "# Starting nginx"
 nginx

rootfs/app/entrypoint.sh.d/10_user.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+echo "# Creating user and group"
+
+RANDOMPWD=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 13)
+
+addgroup -g "${PGID}" "${GROUPNAME}"
+addgroup nginx "${GROUPNAME}"
+adduser -DH -h "${PATH_WEBROOT}" -G "${GROUPNAME}" -u "${PUID}" "${USERNAME}"
+printf '%s\n%s' "${RANDOMPWD}" "${RANDOMPWD}" | passwd "${USERNAME}"
+echo "password for the user \"${USERNAME}\" is: ${RANDOMPWD}"

rootfs/app/entrypoint.sh.d/90_chown_webroot.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+echo "# Started background chowning of ${PATH_WEBROOT} to ${USERNAME}:${GROUPNAME} (${PUID}:${PGID})..."
+
+if [ ${DISABLE_WEBROOT_CHOWN} -eq 1 ] ; then
+  echo chowning skipped because of DISABLE_WEBROOT_CHOWN
+  exit 0
+fi
+
+chown "${USERNAME}:${GROUPNAME}" "${PATH_WEBROOT}" -R
+find "${PATH_WEBROOT}" -type d -exec chmod 0755 {} \; &
+find "${PATH_WEBROOT}" -type f -exec chmod 0644 {} \; &

rootfs/app/entrypoint.sh.d/90_logs.sh

@@ -0,0 +1,25 @@
+#!/bin/sh
+
+echo "# Configuring logrotate"
+
+# make sure path exists
+mkdir -p "${PATH_LOGS}"
+chown -R "${USERNAME}:${GROUPNAME}" "${PATH_LOGS}"
+
+# configure logrotate
+cat >/etc/logrotate.d/nginx <<EOF
+${PATH_LOGS}/nginx-access.log {
+    missingok
+    daily
+    rotate ${LOG_DAYS}
+    compress
+    delaycompress
+    sharedscripts
+    nodateext
+    su ${USERNAME} ${GROUPNAME}
+    postrotate
+        /usr/sbin/nginx -s reopen
+        nice -n 19 /app/stats.sh
+    endscript
+}
+EOF

rootfs/app/entrypoint.sh.d/90_nginx.sh

@@ -0,0 +1,24 @@
+#!/bin/sh
+
+echo "# Configuring nginx"
+
+cat > /etc/nginx/conf.d/user.conf <<EOF
+user ${USERNAME} ${GROUPNAME};
+EOF
+
+# fix permissions for upload
+chown "${USERNAME}" /var/lib/nginx /var/lib/nginx/tmp
+
+cat >"/etc/nginx/custom.d/post_size.conf" <<EOF
+client_max_body_size ${POSTSIZE};
+EOF
+
+cat >"/etc/nginx/conf.d/errorlog.conf" <<EOF
+# Configures default error logger.
+error_log ${PATH_LOGS}/nginx-error.log warn;
+EOF
+
+cat >"/etc/nginx/http.d/accesslog.conf" <<EOF
+# Sets the path, format, and configuration for a buffered log write.
+access_log ${PATH_LOGS}/nginx-access.log main;
+EOF

rootfs/app/entrypoint.sh.d/90_php.sh

@@ -0,0 +1,45 @@
+#!/bin/sh
+
+echo "# Configuring PHP"
+
+# set php config
+case "${PHP}" in
+  "php84"|"php83"|"php82")
+    cat >"/etc/${PHP}/php-fpm.d/www.conf" <<EOF
+[www]
+user = ${USERNAME}
+group = ${GROUPNAME}
+listen = 127.0.0.1:9000
+pm = dynamic
+pm.max_children = ${FPM_MAX_CHILDREN}
+pm.start_servers = ${FPM_START_SERVERS}
+pm.min_spare_servers = ${FPM_MIN_SPARE_SERVERS}
+pm.max_spare_servers = ${FPM_MAX_SPARE_SERVERS}
+EOF
+    cat >"/etc/${PHP}/conf.d/post_size.ini" <<EOF
+upload_max_size = ${POSTSIZE}
+post_max_size = ${POSTSIZE}
+upload_max_filesize = ${POSTSIZE}    
+upload_tmp_dir = /tmp
+EOF
+    ;;
+    *) ;;
+esac
+
+case "${PHP}" in
+    "php84") 
+      cp /app/nginx/php84.conf /etc/nginx/custom.d/
+      cp /app/nginx/default_php.conf /etc/nginx/http.d/default.conf
+      ;;
+    "php83") 
+      cp /app/nginx/php83.conf /etc/nginx/custom.d/
+      cp /app/nginx/default_php.conf /etc/nginx/http.d/default.conf
+      ;;
+    "php82")
+      cp /app/nginx/php82.conf /etc/nginx/custom.d/
+      cp /app/nginx/default_php.conf /etc/nginx/http.d/default.conf
+      ;;
+    *)
+      cp /app/nginx/default_nophp.conf /etc/nginx/http.d/default.conf
+      ;;
+esac

rootfs/app/entrypoint.sh.d/90_ssh.sh

@@ -0,0 +1,56 @@
+#!/bin/sh
+
+if [ ${DISABLE_SFTP} -eq 1 ] ; then
+  exit 0
+fi
+
+echo "# Configuring ssh"
+
+# make sure directory exists
+mkdir -p "${PATH_SSH_HOST}"
+
+for keytype in ecdsa rsa ed25519 ; do
+  if [ ! -r "${PATH_SSH_HOST}/ssh_host_${keytype}_key" ] ; then
+    /usr/bin/ssh-keygen -t "${keytype}" -f "${PATH_SSH_HOST}/ssh_host_${keytype}_key" -N ""
+  fi
+  chmod 0600 "${PATH_SSH_HOST}/ssh_host_${keytype}_key"
+  chmod 0644 "${PATH_SSH_HOST}/ssh_host_${keytype}_key.pub"
+done
+
+# set authorized_keys permissions
+if [ -f "${PATH_SSH_HOST}/authorized_keys" ] ; then
+  chmod 0600 "${PATH_SSH_HOST}/authorized_keys"
+  chown "${USERNAME}:${GROUPNAME}" "${PATH_SSH_HOST}/authorized_keys"
+fi
+
+if [ -d "${PATH_WEBROOT}/.ssh" ] ; then
+  chmod 0700 "${PATH_WEBROOT}/.ssh"
+fi
+
+# configure sshd
+cat >/etc/ssh/sshd_config.d/sshd.conf <<EOF
+HostKey ${PATH_SSH_HOST}/ssh_host_rsa_key
+HostKey ${PATH_SSH_HOST}/ssh_host_ecdsa_key
+HostKey ${PATH_SSH_HOST}/ssh_host_ed25519_key
+
+#SyslogFacility AUTH
+LogLevel INFO
+LoginGraceTime 1m
+PermitRootLogin no
+PubkeyAuthentication yes
+MaxAuthTries 3
+PrintMotd no
+
+AuthorizedKeysFile      ${PATH_SSH_HOST}/authorized_keys
+PasswordAuthentication no
+
+AllowAgentForwarding no
+AllowTcpForwarding no
+GatewayPorts no
+X11Forwarding no
+
+Subsystem       sftp    internal-sftp
+
+ChrootDirectory ${PATH_BASE}
+ForceCommand internal-sftp -d ${PATH_WEBROOT}
+EOF

rootfs/app/entrypoint.sh.d/90_stats.sh

@@ -0,0 +1,22 @@
+#!/bin/sh
+
+if [ ${DISABLE_STATS} -eq 1 ] ; then
+  exit 0
+fi
+
+echo "# Configuring stats"
+
+# make sure paths exists
+mkdir -p "${PATH_AUTH}" "${PATH_STATS}" "${PATH_STATSDB}"
+touch "${PATH_AUTH}/stats"
+chown -R "${USERNAME}:${GROUPNAME}" "${PATH_AUTH}" "${PATH_STATS}" "${PATH_STATSDB}"
+
+# stats endpoint
+cat > /etc/nginx/local.d/stats.conf <<EOF
+location ^~ /stats {
+    root ${PATH_STATS};
+    auth_basic "Restricted area";
+    auth_basic_user_file ${PATH_AUTH}/stats;
+    try_files /index.html =404;
+}
+EOF

rootfs/app/entrypoint.sh.d/90_stats_hourly.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+if [ ${DISABLE_STATS} -eq 1 ] ; then
+  exit 0
+fi
+
+if [ ${DISABLE_STATS_HOURLY} -eq 1 ] ; then
+  exit 0
+fi
+
+echo "# Configuring hourly stats"
+
+# stats endpoint
+ln -s /app/stats_hourly.sh /etc/periodic/hourly/stats

rootfs/app/entrypoint.sh.d/90_webdav.sh

@@ -0,0 +1,33 @@
+#!/bin/sh
+
+if [ ${DISABLE_WEBDAV} -eq 1 ] ; then
+  exit 0
+fi
+
+echo "# Configuring webdav"
+
+cat > /etc/nginx/http.d/webdav.conf <<EOF
+server {
+    listen ${WEBDAV_PORT} default_server;
+    listen [::]:${WEBDAV_PORT} default_server;
+    root ${PATH_WEBROOT};
+
+    location / {
+        autoindex on;
+        autoindex_exact_size off;
+        autoindex_localtime on;
+        dav_methods             PUT DELETE MKCOL COPY MOVE;
+        dav_ext_methods         PROPFIND OPTIONS;
+        create_full_put_path    on;
+        dav_access              user:rw;
+    }
+
+    auth_basic "Restricted area";
+    auth_basic_user_file ${PATH_AUTH}/webdav;
+}
+EOF
+
+# authentication
+mkdir -p "${PATH_AUTH}"
+touch "${PATH_AUTH}/webdav"
+chown -R "${USERNAME}:${GROUPNAME}" "${PATH_AUTH}"

rootfs/app/nginx/default_nophp.conf

@@ -0,0 +1,32 @@
+error_log /dev/stdout info;
+access_log /dev/stdout;
+
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    root   /data/www;
+    # server_name  localhost;
+
+    location / {
+        index index.html index.htm;
+
+        # autoindex on;
+        # autoindex_exact_size off;
+        # autoindex_format html;
+        # autoindex_localtime on;
+    }
+
+    gzip on;
+    gzip_proxied any;
+    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript text/x-js image/x-icon font/woff2 font/woff application/x-font-woff;
+    gzip_vary on;
+    gzip_disable "msie6";
+
+    etag on;
+    if_modified_since exact;
+    add_header Pragma "public";
+    add_header Cache-Control "max-age=31536000, public";
+
+    include /etc/nginx/local.d/*.conf;
+    include /etc/nginx/custom.d/*.conf;
+}

rootfs/app/nginx/default_php.conf

@@ -0,0 +1,32 @@
+error_log /dev/stdout info;
+access_log /dev/stdout;
+
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    root   /data/www;
+    # server_name  localhost;
+
+    location / {
+        index index.php index.html index.htm;
+
+        # autoindex on;
+        # autoindex_exact_size off;
+        # autoindex_format html;
+        # autoindex_localtime on;
+    }
+
+    gzip on;
+    gzip_proxied any;
+    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript text/x-js image/x-icon font/woff2 font/woff application/x-font-woff;
+    gzip_vary on;
+    gzip_disable "msie6";
+
+    etag on;
+    if_modified_since exact;
+    add_header Pragma "public";
+    add_header Cache-Control "max-age=31536000, public";
+
+    include /etc/nginx/local.d/*.conf;
+    include /etc/nginx/custom.d/*.conf;
+}

rootfs/app/nginx/index.html

@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Welcome to nginx!</title>
+<style>
+html { color-scheme: light dark; }
+body { width: 35em; margin: 0 auto;
+font-family: Tahoma, Verdana, Arial, sans-serif; }
+</style>
+</head>
+<body>
+<h1>Welcome to nginx!</h1>
+<p>If you see this page, the nginx web server is successfully installed and
+working. Further configuration is required.</p>
+
+<p>For online documentation and support please refer to
+<a href="http://nginx.org/">nginx.org</a>.<br/>
+Commercial support is available at
+<a href="http://nginx.com/">nginx.com</a>.</p>
+
+<p><em>Thank you for using nginx.</em></p>
+</body>
+</html>

rootfs/app/nginx/php84.conf

@@ -0,0 +1,6 @@
+location ~ \.php$ {    
+    fastcgi_split_path_info     ^(.+\.php)(/.*)$;
+    fastcgi_pass                127.0.0.1:9000;
+    include                     fastcgi.conf;
+    fastcgi_param               SCRIPT_FILENAME $document_root$fastcgi_script_name;
+}

rootfs/app/stats.sh

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+if [ "${DISABLE_STATS:-0}" -eq 1 ] ; then
+  exit 0
+fi
+
+PATH_BASE=/data
+PATH_STATS=${PATH_BASE}/stats
+PATH_STATSDB=${PATH_BASE}/stats.db
+PATH_LOGS=${PATH_BASE}/logs
+
+/usr/bin/goaccess "${PATH_LOGS}/nginx-access.log.1" \
+    --agent-list --anonymize-ip --real-os --exclude-ip 127.0.0.1 \
+    --output "${PATH_STATS}/index.html" --log-format COMBINED \
+    --tz="${TZ}" "--db-path=${PATH_STATSDB}" --persist --restore 

rootfs/app/stats_hourly.sh

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+if [ "${DISABLE_STATS:-0}" -eq 1 ] ; then
+  exit 0
+fi
+
+PATH_BASE=/data
+PATH_STATS=${PATH_BASE}/stats
+PATH_STATSDB=${PATH_BASE}/stats.db
+PATH_LOGS=${PATH_BASE}/logs
+
+/usr/bin/goaccess "${PATH_LOGS}/nginx-access.log" \
+    --agent-list --anonymize-ip --real-os --exclude-ip 127.0.0.1 \
+    --output "${PATH_STATS}/index.html" --log-format COMBINED \
+    --tz="${TZ}" "--db-path=${PATH_STATSDB}" --persist --restore 

rootfs/etc/nginx/nginx.conf

@@ -0,0 +1,101 @@
+# /etc/nginx/nginx.conf
+
+# user nginx;
+
+# Set number of worker processes automatically based on number of CPU cores.
+worker_processes auto;
+
+# Enables the use of JIT for regular expressions to speed-up their processing.
+pcre_jit on;
+
+# Includes files with directives to load dynamic modules.
+include /etc/nginx/modules/*.conf;
+
+# Include files with config snippets into the root context.
+include /etc/nginx/conf.d/*.conf;
+
+events {
+	# The maximum number of simultaneous connections that can be opened by
+	# a worker process.
+	worker_connections 1024;
+}
+
+http {
+	# Includes mapping of file name extensions to MIME types of responses
+	# and defines the default type.
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	# Name servers used to resolve names of upstream servers into addresses.
+	# It's also needed when using tcpsocket and udpsocket in Lua modules.
+	#resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001];
+
+	# Don't tell nginx version to the clients. Default is 'on'.
+	server_tokens off;
+
+	# Specifies the maximum accepted body size of a client request, as
+	# indicated by the request header Content-Length. If the stated content
+	# length is greater than this size, then the client receives the HTTP
+	# error code 413. Set to 0 to disable. Default is '1m'.
+	client_max_body_size 1m;
+
+	# Sendfile copies data between one FD and other from within the kernel,
+	# which is more efficient than read() + write(). Default is off.
+	sendfile on;
+
+	# Causes nginx to attempt to send its HTTP response head in one packet,
+	# instead of using partial frames. Default is 'off'.
+	tcp_nopush on;
+
+
+	# Enables the specified protocols. Default is TLSv1 TLSv1.1 TLSv1.2.
+	# TIP: If you're not obligated to support ancient clients, remove TLSv1.1.
+	ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+
+	# Path of the file with Diffie-Hellman parameters for EDH ciphers.
+	# TIP: Generate with: `openssl dhparam -out /etc/ssl/nginx/dh2048.pem 2048`
+	#ssl_dhparam /etc/ssl/nginx/dh2048.pem;
+
+	# Specifies that our cipher suits should be preferred over client ciphers.
+	# Default is 'off'.
+	ssl_prefer_server_ciphers on;
+
+	# Enables a shared SSL cache with size that can hold around 8000 sessions.
+	# Default is 'none'.
+	ssl_session_cache shared:SSL:2m;
+
+	# Specifies a time during which a client may reuse the session parameters.
+	# Default is '5m'.
+	ssl_session_timeout 1h;
+
+	# Disable TLS session tickets (they are insecure). Default is 'on'.
+	ssl_session_tickets off;
+
+
+	# Enable gzipping of responses.
+	#gzip on;
+
+	# Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'.
+	gzip_vary on;
+
+
+	# Helper variable for proxying websockets.
+	map $http_upgrade $connection_upgrade {
+		default upgrade;
+		'' close;
+	}
+
+	# use real IPs instead of docker ones
+	set_real_ip_from 172.18.0.0/16;
+	real_ip_header X-Forwarded-For;
+	real_ip_recursive on;
+
+	# Specifies the main log format.
+	log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+			'$status $body_bytes_sent "$http_referer" '
+			'"$http_user_agent" "$http_x_forwarded_for"';
+
+
+	# Includes virtual hosts configs.
+	include /etc/nginx/http.d/*.conf;
+}