forked from tsuru/docker-nginx-with-modules
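# Base image tag shared by the build stage and the final stage.
# "stable" is a floating tag, so the result depends on what the registry
# serves on the day of the build.
# NOTE(review): for reproducible, auditable images pass a fixed version
# (ideally with a digest) through --build-arg nginx_version.
ARG nginx_version=stable
FROM nginx:${nginx_version} AS build

# Later steps in this stage use bash-only syntax ([[ ... =~ ... ]],
# BASH_REMATCH). pipefail makes a pipeline fail as soon as any command in it
# fails, so a failed download in `curl ... | tar ...` or `curl ... | apt-key`
# is not hidden behind the exit status of the last command.
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Compiler toolchain and development headers needed to build ModSecurity,
# the nginx dynamic modules and LuaRocks. Nothing installed here reaches the
# final image except what the final stage copies out of /usr/local and
# /usr/lib/nginx/modules.
# NOTE(review): recommended packages are installed as well (there is no
# --no-install-recommends). Later steps may rely on that; for example apt-key
# needs a gnupg package that is not listed here. Confirm before tightening.
RUN set -x \
    && apt-get update \
    && apt-get install -y --no-install-suggests \
        autoconf \
        build-essential \
        curl \
        git \
        libexpat1-dev \
        libluajit-5.1-dev \
        libmaxminddb-dev \
        libpam0g-dev \
        libpcre3-dev \
        libssl-dev \
        libtool \
        libxml2 \
        libxslt1-dev \
        libxslt1.1 \
        unzip \
        zlib1g-dev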
# Build libmodsecurity from the SpiderLabs repository and install it under
# /usr/local, from where the final stage copies it.
# NOTE(review): the source is selected by tag name only. A tag can be moved
# upstream, so the build does not prove which commit was compiled; record or
# verify the commit hash if that matters for your supply chain.
ARG modsecurity_version=v3.0.3
RUN set -x \
    && git clone --depth 1 --branch ${modsecurity_version} \
        https://github.com/SpiderLabs/ModSecurity.git /usr/local/src/modsecurity \
    && cd /usr/local/src/modsecurity \
    && git submodule update --init \
    && ./build.sh \
    && ./configure --prefix=/usr/local \
    && make \
    && make install
# Download the OWASP Core Rule Set release and unpack it as
# /usr/local/etc/modsecurity/owasp-modsecurity-crs. The archive's top-level
# directory carries the version without the leading "v", hence the rename.
# NOTE(review): the tarball is used as downloaded; nothing checks it against a
# known digest. Pinning a SHA-256 next to the version and verifying it before
# extraction would detect a changed or tampered archive.
ARG owasp_modsecurity_crs_version=v3.1.0
RUN set -x \
    && crs_parent="/usr/local/etc/modsecurity" \
    && crs_release="${owasp_modsecurity_crs_version#v}" \
    && mkdir -p ${crs_parent} \
    && curl -fSL "https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/${owasp_modsecurity_crs_version}.tar.gz" \
        | tar -C ${crs_parent} -xvzf - \
    && mv ${crs_parent}/owasp-modsecurity-crs-${crs_release} ${crs_parent}/owasp-modsecurity-crs
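# Install the pinned OpenResty package, then graft its LuaJIT tree and Lua
# libraries into /usr/local so the module build below and the final stage
# find them there.
#
# The repository key is stored in its own keyring and referenced with
# signed-by, so it is trusted for the OpenResty repository only rather than
# for every configured APT source (which is what `apt-key add` does).
# `curl -f` plus pipefail make a failed key download stop the build.
# gpg is required here, as it already was for apt-key.
# The key is still accepted as downloaded; compare its fingerprint with a
# value obtained out of band if stronger assurance is needed.
# NOTE(review): the repository line and the package version are tied to
# Debian buster while the base image tag floats; confirm they match the
# release of the base image actually used.
ARG openresty_package_version=1.19.9.1-1~buster1
RUN set -x -o pipefail \
    && curl -fsS https://openresty.org/package/pubkey.gpg \
        | gpg --dearmor -o /usr/share/keyrings/openresty.gpg \
    && echo 'deb [signed-by=/usr/share/keyrings/openresty.gpg] https://openresty.org/package/debian buster openresty' \
        | tee -a /etc/apt/sources.list.d/openresty.list \
    && apt-get update \
    && apt-get install -y --no-install-suggests openresty=${openresty_package_version} \
    && cd /usr/local/openresty \
    && cp -vr ./luajit/* /usr/local/ \
    && rm -d /usr/local/share/lua/5.1 \
    && ln -sf /usr/local/lib/lua/5.1 /usr/local/share/lua/ \
    && cp -vr ./lualib/* /usr/local/lib/lua/5.1

# Where the nginx Lua module build looks for the LuaJIT library and headers.
ENV LUAJIT_LIB=/usr/local/lib \
    LUAJIT_INC=/usr/local/include/luajit-2.1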
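# Build the requested third-party modules as dynamic modules against the
# nginx source that matches the installed binary, reusing the binary's own
# configure arguments (taken from `nginx -V`).
#
# `modules` is a comma-separated list of `<repo-url>[:<ref>]` entries. <ref>
# is passed to `git checkout`, or has the form `pr-N` (several joined with
# ';') to merge the heads of those pull requests.
#
# Every step is separated by ';' under `set -e`, so a failed download, clone,
# checkout or merge aborts the build. The previous mix of '&&' and ';' let
# the script carry on after such failures and could produce an image built
# from a different revision than the one requested.
#
# NOTE(review): `modules` ends up in shell words and in `eval`; treat it as
# trusted build configuration and never fill it from outside the build
# pipeline. The URL pattern also accepts http:// and git://, which do not
# authenticate the server; prefer https:// and a fixed ref. Without a ref the
# head of the default branch is built. The nginx tarball is not checked
# against a digest or signature.
ARG modules
RUN set -ex -o pipefail; \
    nginx_version=$(echo ${NGINX_VERSION} | sed 's/-.*//g'); \
    curl -fSL "https://nginx.org/download/nginx-${nginx_version}.tar.gz" \
        | tar -C /usr/local/src -xzvf-; \
    ln -s /usr/local/src/nginx-${nginx_version} /usr/local/src/nginx; \
    cd /usr/local/src/nginx; \
    configure_args=$(nginx -V 2>&1 | grep "configure arguments:" | awk -F 'configure arguments:' '{print $2}'); \
    IFS=','; \
    for module in ${modules}; do \
        module_repo=$(echo $module | sed -E 's@^(((https?|git)://)?[^:]+).*@\1@g'); \
        module_tag=$(echo $module | sed -E 's@^(((https?|git)://)?[^:]+):?([^:/]*)@\4@g'); \
        dirname=$(echo "${module_repo}" | sed -E 's@^.*/|\..*$@@g'); \
        git clone "${module_repo}"; \
        cd ${dirname}; \
        git fetch --tags; \
        if [ -n "${module_tag}" ]; then \
            if [[ "${module_tag}" =~ ^(pr-[0-9]+.*)$ ]]; then \
                pr_numbers="${BASH_REMATCH[1]//pr-/}"; \
                IFS=';'; \
                for pr_number in ${pr_numbers}; do \
                    git fetch origin "pull/${pr_number}/head:pr-${pr_number}"; \
                    git merge --no-commit pr-${pr_number} master; \
                done; \
                IFS=','; \
            else \
                git checkout "${module_tag}"; \
            fi; \
        fi; \
        cd ..; \
        configure_args="${configure_args} --add-dynamic-module=./${dirname}"; \
    done; \
    unset IFS; \
    eval ./configure ${configure_args}; \
    make modules; \
    cp -v objs/*.so /usr/lib/nginx/modules/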
# Build and install LuaRocks from the release tarball; it is used in the next
# step to install the requested Lua modules.
# NOTE(review): the tarball is not checked against a digest or signature
# before it is configured and built as root.
ARG luarocks_version=3.3.1
RUN set -x \
    && luarocks_src="/usr/local/src/luarocks-${luarocks_version}" \
    && curl -fSL "https://luarocks.org/releases/luarocks-${luarocks_version}.tar.gz" \
        | tar -xzv -C /usr/local/src -f - \
    && ln -s ${luarocks_src} /usr/local/src/luarocks \
    && cd /usr/local/src/luarocks \
    && ./configure \
    && make \
    && make install
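# Install the comma-separated list of rocks given in `lua_modules`.
# IFS is reset inside the loop so that one entry may carry several
# space-separated words, which are passed to `luarocks install` as separate
# arguments.
# `set -e` makes any failed install abort the build; previously only the
# status of the last install decided the result, so an earlier rock could be
# silently missing from the image.
# NOTE(review): rocks are fetched by name at build time; give an explicit
# version for each entry to keep builds repeatable.
ARG lua_modules
RUN set -ex; \
    IFS=","; \
    for lua_module in ${lua_modules}; do \
        unset IFS; \
        luarocks install ${lua_module}; \
    done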
# Final image: the same base tag as the build stage, plus only the artifacts
# copied out of it. Compilers and source trees stay behind in the build stage.
FROM nginx:${nginx_version}

# Everything the build stage installed under /usr/local (binaries, headers,
# libraries, ModSecurity configuration, Lua files) and the compiled nginx
# dynamic modules.
COPY --from=build /usr/local/bin     /usr/local/bin
COPY --from=build /usr/local/etc     /usr/local/etc
COPY --from=build /usr/local/include /usr/local/include
COPY --from=build /usr/local/lib     /usr/local/lib
COPY --from=build /usr/local/share   /usr/local/share
COPY --from=build /usr/lib/nginx/modules /usr/lib/nginx/modules

# Same LuaJIT locations as in the build stage.
ENV LUAJIT_LIB=/usr/local/lib \
    LUAJIT_INC=/usr/local/include/luajit-2.1
# Runtime packages and image preparation. This RUN still uses the stage's
# default shell; the SHELL instruction for bash comes after it.
#
# Steps, in order:
#  - install shared libraries plus a set of troubleshooting tools;
#  - refresh the linker cache for the libraries copied into /usr/local/lib;
#  - write one `load_module` line per non-debug .so into modules/all.conf;
#  - append "80" to every `listen 80` in default.conf, giving `listen 8080`;
#  - send the ModSecurity audit log to stdout;
#  - create the pid file and cache directories and give them to root.
#
# NOTE(review): dnsutils, iputils-ping, net-tools, procps, rsync, tcpdump and
# vim-tiny are diagnostic tools, not runtime dependencies as far as this file
# shows; each one widens what is available inside a compromised container.
# Consider moving them to a separate debug image.
# NOTE(review): the chown hands every nginx path to root:root and no USER
# instruction follows in this file, so the server is set up to run as root.
RUN set -x \
    && apt-get update \
    && apt-get install -y --no-install-suggests \
        ca-certificates \
        curl \
        dnsutils \
        iputils-ping \
        libcurl4-openssl-dev \
        libmaxminddb0 \
        libxml2 \
        libyajl-dev \
        lua5.1-dev \
        net-tools \
        procps \
        rsync \
        tcpdump \
        unzip \
        vim-tiny \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/* \
    && ldconfig -v \
    && ls /etc/nginx/modules/*.so | grep -v debug \
        | xargs -I{} sh -c 'echo "load_module {};" | tee -a /etc/nginx/modules/all.conf' \
    && sed -i -E 's|listen\s+80|&80|g' /etc/nginx/conf.d/default.conf \
    && ln -sf /dev/stdout /var/log/modsec_audit.log \
    && touch /var/run/nginx.pid \
    && mkdir -p /var/cache/nginx /var/cache/cache-heater \
    && chown -R root:root \
        /etc/nginx \
        /var/log/nginx \
        /var/cache/nginx \
        /var/run/nginx.pid \
        /var/log/modsec_audit.log \
        /var/cache/cache-heater
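# bash remains the shell for RUN instructions from here on; the line is kept
# so the shell setting of the resulting image does not change.
SHELL ["/bin/bash","-c"]

# Put `include modules/all.conf;` on the first line of nginx.conf so the
# generated load_module directives are read before the rest of the file.
# sed inserts the line in place. The earlier `echo -e "...$(cat file)" > file`
# form would also have expanded any backslash escape in the existing
# configuration and relied on the file being read before the redirection
# truncated it.
RUN sed -i '1i include modules/all.conf;' /etc/nginx/nginx.conf

# Documentation of the listening ports: 8080 comes from the default.conf
# rewrite earlier in this stage.
# NOTE(review): there is no USER instruction in this stage and the nginx
# paths were given to root, so the container starts as root unless the
# runtime overrides the user. Both ports are unprivileged, so running as a
# dedicated non-root user looks feasible; confirm and add USER with matching
# ownership of the pid, log and cache paths.
EXPOSE 8080 8443
WORKDIR /etc/nginx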