
Nginx

Introduction

Il est nécessaire d’avoir installé au préalable Docker sur votre Archlinux.

Pour construire une image Docker compatible ARM64 pour le Raspberry PI vous aurez besoin de 5 fichiers:

  • build.sh
  • platform.sh
  • Dockerfile
  • fastcgi.conf (à placer dans le dossier files)
  • nginx.conf (à placer dans le dossier files)

Fichiers requis

platform.sh

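#!/bin/bash

# Used in Docker build to set platform dependent variables.
#
# Reads the TARGETARCH environment variable and writes two marker files:
#   /.platform  - the target triple for that architecture
#   /.compiler  - presumably the cross-compiler package name (an empty line
#                 for amd64)
# Returns: 0 when TARGETARCH is one of amd64/arm64/arm, 1 otherwise.

case "${TARGETARCH:-}" in

  amd64)
    printf '%s\n' "x86_64-unknown-linux-gnu" > /.platform
    # Nothing is recorded for amd64; the file still gets one empty line.
    printf '\n' > /.compiler
    ;;
  arm64)
    printf '%s\n' "aarch64-unknown-linux-gnu" > /.platform
    printf '%s\n' "gcc-aarch64-linux-gnu" > /.compiler
    ;;
  arm)
    printf '%s\n' "armv7-unknown-linux-gnueabihf" > /.platform
    printf '%s\n' "gcc-arm-linux-gnueabihf" > /.compiler
    ;;
  *)
    # Fail closed: an unset or unmapped architecture used to fall through
    # silently, leaving both marker files missing while the build carried on.
    printf 'platform.sh: unsupported TARGETARCH "%s"\n' "${TARGETARCH:-}" >&2
    exit 1
    ;;
esac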

build.sh

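#!/bin/bash

#
# Builds the nginx image with docker buildx and keeps a copy of the build
# output in build.log. Exits with the status of the docker build itself.
#
# References:
# https://github.com/VanBerlo/docker-nginx-with-modules
# https://github.com/Pon57/docker-php-nginx-mysql-memcached
# https://www.nginx.com/resources/wiki/modules/
# https://github.com/bpaquet/ngx_http_enhanced_memcached_module
#

clear
# Run from the script's own directory so the build context "." is predictable.
cd "$(dirname "$0")" || exit 1

IMAGE_BASE=zogg/nginx
IMAGE_NAME_LATEST=${IMAGE_BASE}:latest

export DOCKER_CLI_EXPERIMENTAL=enabled
# NOTE(review): this image is pulled by a mutable tag and run with
# --privileged, so whatever the tag points to gets full access to the host.
# Pin it by digest (tonistiigi/binfmt@sha256:<digest-you-verified>) and run
# this step only on hosts that actually need the emulators installed.
docker run --privileged --rm tonistiigi/binfmt --install all

NGINX_VERSION=1.23.1

export DOCKER_DEFAULT_PLATFORM=linux/amd64
docker buildx build --pull \
    --platform=linux/amd64 \
    --output=type=docker \
    --build-arg TZ=Europe/Paris \
    --build-arg "CONCURRENCY=$(nproc)" \
    --build-arg "NGINX_VERSION=${NGINX_VERSION}" \
    -t "${IMAGE_NAME_LATEST}" \
    . 2>&1 | tee build.log
# The pipeline's own status is tee's; take the build's status from PIPESTATUS
# so a failed build is not reported as success.
build_status=${PIPESTATUS[0]}

exit "${build_status}"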

fastcgi.conf

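# fastcgi.conf
#
# Parameters handed to the FastCGI backend, plus response buffer sizing.

# Request metadata.
fastcgi_param                           QUERY_STRING            $query_string;
fastcgi_param                           REQUEST_METHOD          $request_method;
fastcgi_param                           CONTENT_TYPE            $content_type;
fastcgi_param                           CONTENT_LENGTH          $content_length;

# Script resolution.
# NOTE(review): SCRIPT_FILENAME is built from the request path. The location
# that includes this file is not shown here; it should check that the script
# exists (for example with try_files) before passing the request on.
# $fastcgi_path_info is only set when fastcgi_split_path_info is configured
# in that location.
fastcgi_param                           SCRIPT_FILENAME         $document_root$fastcgi_script_name;
fastcgi_param                           SCRIPT_NAME             $fastcgi_script_name;
fastcgi_param                           PATH_INFO               $fastcgi_path_info;
fastcgi_param                           PATH_TRANSLATED         $document_root$fastcgi_path_info;
fastcgi_param                           REQUEST_URI             $request_uri;
fastcgi_param                           DOCUMENT_URI            $document_uri;
fastcgi_param                           DOCUMENT_ROOT           $document_root;
fastcgi_param                           SERVER_PROTOCOL         $server_protocol;
fastcgi_param                           REQUEST_SCHEME          $scheme;
fastcgi_param                           HTTPS                   $https if_not_empty;

fastcgi_param                           GATEWAY_INTERFACE       CGI/1.1;
fastcgi_param                           SERVER_SOFTWARE         nginx/$nginx_version;

# Connection endpoints.
fastcgi_param                           REMOTE_ADDR             $remote_addr;
fastcgi_param                           REMOTE_PORT             $remote_port;
fastcgi_param                           SERVER_ADDR             $server_addr;
fastcgi_param                           SERVER_PORT             $server_port;
# $host comes from the request line or the Host header, so SERVER_NAME is
# client-controlled here. Backend code must not trust it (for example when
# building absolute links); use $server_name if only the configured name is
# needed.
fastcgi_param                           SERVER_NAME             $host;

# A client "Proxy:" request header would otherwise reach the backend as
# HTTP_PROXY, which many HTTP client libraries read as their outbound proxy
# setting ("httpoxy"). Always pass it empty.
fastcgi_param                           HTTP_PROXY              "";

fastcgi_buffers                         8 64k;
fastcgi_buffer_size                     32k;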

nginx.conf

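# nginx.conf
#
# Main configuration: worker settings, global HTTP tuning, security headers,
# gzip and TLS defaults. Virtual hosts are loaded from /etc/nginx/conf.d/.

# https://www.tweaked.io/guide/nginx/
# https://www.tweaked.io/guide/nginx-proxying/
# https://medium.com/website-performance-optimization/6-best-practices-for-optimizing-your-nginx-performance-4e800785ad42
# https://www.rosehosting.com/blog/how-to-speed-up-your-nginx-website/
# https://hostadvice.com/how-to/how-to-tune-and-optimize-performance-of-nginx-web-server/
# https://kinsta.com/blog/enable-gzip-compression/
# https://devdocs.prestashop-project.org/1.7/scale/webservers/nginx/
# https://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html

user                                    nginx;
pid                                     /var/run/nginx.pid;

worker_processes                        auto;
worker_rlimit_nofile                    40000;

include                                 /etc/nginx/modules-enabled/*.conf;

error_log                               /var/log/nginx/error.log;

events {
    worker_connections                  1024;
    multi_accept                        on;
    use                                 epoll;
}

http {
    include                             /etc/nginx/mime.types;
    default_type                        application/octet-stream;

    # Do not advertise the nginx version in responses and error pages.
    server_tokens                       off;

    sendfile                            on;
    tcp_nopush                          on;
    tcp_nodelay                         on;

    # NOTE(review): with access logging off there is no request trail for
    # incident response or abuse detection. Enable the line below (or log per
    # server block) unless requests are logged elsewhere.
    access_log                          off;
    #access_log                          /var/log/nginx/access.log;

    types_hash_max_size                 2048;

    client_body_buffer_size             64K;
    client_header_buffer_size           64k;
    client_max_body_size                128k;
    large_client_header_buffers         8 16k;

    keepalive_timeout                   65;
    keepalive_requests                  100000;
    send_timeout                        30;
    client_body_timeout                 30;
    client_header_timeout               30;
    reset_timedout_connection           on;

    open_file_cache                     max=2000 inactive=20s;
    open_file_cache_valid               60s;
    open_file_cache_min_uses            5;
    open_file_cache_errors              off;

    # Security headers. "always" also sends them on error responses, matching
    # the HSTS line. add_header is inherited only by levels that define no
    # add_header of their own: a server or location block that adds any header
    # must repeat these four.
    # X-XSS-Protection is ignored by current browsers; a Content-Security-Policy
    # is the maintained control for script injection.
    add_header                          X-XSS-Protection "1; mode=block" always;
    add_header                          X-Frame-Options "SAMEORIGIN" always;
    add_header                          X-Content-Type-Options nosniff always;
    add_header                          Strict-Transport-Security "max-age=63072000" always;

    # NOTE(review): compressing TLS responses that mix secrets with
    # request-controlled content is the precondition for BREACH-style leaks;
    # turn gzip off for such endpoints.
    gzip                                on;
    gzip_static                         on;
    gzip_min_length                     1024;
    gzip_comp_level                     6;
    gzip_http_version                   1.1;
    gzip_vary                           on;
    gzip_disable                        msie6;
    gzip_disable                        "MSIE [1-6]\.";
    gzip_proxied                        any;
    gzip_buffers                        16 8k;
    gzip_types
        text/plain
        text/css
        text/xml
        text/javascript
        text/x-component
        application/x-javascript
        application/xml
        application/javascript
        application/json
        application/xml+rss
        application/rss+xml
        application/atom+xml
        font/truetype
        font/opentype
        application/vnd.ms-fontobject
        image/svg+xml
        application/geo+json
        application/ld+json
        application/manifest+json
        application/rdf+xml
        application/wasm
        application/x-web-app-manifest+json
        application/xhtml+xml
        font/eot
        font/otf
        font/ttf
        image/bmp
        text/cache-manifest
        text/calendar
        text/markdown
        text/vcard
        text/vnd.rim.location.xloc
        text/vtt
        text/x-cross-domain-policy
        application/x-font-ttf
        image/x-icon;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were listed here although
    # the cipher list below contains only AEAD suites, which those versions
    # cannot negotiate. Only TLS 1.2 and 1.3 are offered.
    ssl_protocols                       TLSv1.2 TLSv1.3;
    ssl_ciphers                         ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers           on;
    ssl_session_timeout                 10m;
    ssl_session_cache                   shared:MySSL:10m;
    ssl_session_tickets                 off;

    # NOTE(review): OCSP stapling needs a "resolver" to reach the responder and
    # stapling verification needs the issuer chain (ssl_trusted_certificate
    # unless the served certificate file already contains it). Neither is set in
    # this file; confirm they are defined in conf.d.
    ssl_stapling                        on;
    ssl_stapling_verify                 on;

    include                             /etc/nginx/conf.d/*.conf;
}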

Dockerfile

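#
# Add additional modules
#
# Stage "builder" compiles nginx ${NGINX_VERSION} from source with extra
# (partly dynamic) modules; the final stage copies the resulting *.so files
# and the two configuration files into a stock nginx image.
#
# NOTE(review): both stages use the moving tag nginx:latest while the modules
# are compiled from NGINX_VERSION. Dynamic modules load only into a matching
# nginx build, so pin the base image to the tag for the same version (ideally
# by digest) to keep the build reproducible and the modules loadable.
#

FROM	--platform=linux/amd64 nginx:latest AS builder

ARG     TARGETPLATFORM
ARG     TARGETOS
ARG     TARGETARCH
ARG     BUILDPLATFORM
ARG     BUILDOS
ARG     BUILDARCH
ARG     BUILDVARIANT

ARG	NGINX_VERSION
# Optional SHA-256 of nginx-${NGINX_VERSION}.tar.gz, obtained out of band.
# When empty, the download is not verified (a warning is printed).
ARG	NGINX_SHA256=""

COPY	platform.sh .
RUN	./platform.sh

RUN	apt-get update -y && \
	DEBIAN_FRONTEND=noninteractive \
	apt-get install -y \
		libc-dev \
		make \
		libssl-dev \
		libpcre3-dev \
		zlib1g-dev \
		curl \
		gnupg \
		libxslt-dev \
		libgd-dev \
		libgeoip-dev \
		wget \
		gcc

# The tarball is compiled and its output shipped in the final image, so it is
# fetched over HTTPS (it was plain HTTP) and checked against NGINX_SHA256 when
# that is provided. gnupg is installed above but no signature check is done;
# verifying the release's .asc signature would be the stronger control.
RUN	wget --inet4-only "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz" -O nginx.tar.gz && \
	if [ -n "${NGINX_SHA256}" ]; then \
		echo "${NGINX_SHA256}  nginx.tar.gz" | sha256sum -c - ; \
	else \
		echo "WARNING: NGINX_SHA256 not set, nginx.tar.gz integrity was not verified" >&2 ; \
	fi && \
	mkdir /tmp/nginx && \
	tar -xzvf nginx.tar.gz -C /tmp/nginx --strip-components=1

# NOTE(review): there is no "&&" after the CONFARGS assignment, so it is only
# an environment prefix for the tar command and $CONFARGS expands to nothing in
# the ./configure line. Left unchanged: the packaged flags printed by
# "nginx -V" typically contain quoted values that an unquoted expansion would
# split incorrectly, so reusing them needs deliberate handling.
RUN	CONFARGS=$(nginx -V 2>&1 | sed -n -e 's/^.*arguments: //p') \
	tar -zxC /usr/src -f nginx.tar.gz && \
	cd /usr/src/nginx-$NGINX_VERSION && \
	./configure \
		--with-compat $CONFARGS \
		--user=nginx \
		--with-debug \
		--group=nginx \
		--prefix=/usr/share/nginx \
		--sbin-path=/usr/sbin/nginx \
		--conf-path=/etc/nginx/nginx.conf \
		--pid-path=/run/nginx.pid \
		--lock-path=/run/lock/subsys/nginx \
		--error-log-path=/var/log/nginx/error.log \
		--http-log-path=/var/log/nginx/access.log \
		--with-http_gzip_static_module \
		--with-http_stub_status_module \
		--with-http_ssl_module \
		--with-pcre \
		--with-http_image_filter_module \
		--with-file-aio \
		--with-ipv6 \
		--with-http_dav_module \
		--with-http_flv_module \
		--with-http_mp4_module \
		--with-http_gunzip_module \
		--with-threads \
		--with-http_ssl_module \
		--with-http_v2_module \
		--with-http_realip_module \
		--with-http_image_filter_module \
		--with-http_image_filter_module=dynamic \
		--with-http_geoip_module \
		--with-http_geoip_module=dynamic \
		--with-http_gunzip_module \
		--with-http_gzip_static_module \
		--with-stream \
		--with-stream=dynamic \
		--with-stream_ssl_module \
		--with-stream_realip_module \
		--with-stream_geoip_module \
		--with-stream_geoip_module=dynamic \
		--with-stream_ssl_preread_module \
		&& \
	make  && \
	make install


#
# Setup Nginx image
#

FROM --platform=linux/amd64 nginx:latest

ARG     TARGETPLATFORM
ARG     TARGETOS
ARG     TARGETARCH
ARG     BUILDPLATFORM
ARG     BUILDOS
ARG     BUILDARCH
ARG     BUILDVARIANT

# Only the compiled dynamic modules are taken from the builder stage.
COPY --from=builder	\
	/usr/share/nginx/modules/*.so	/usr/lib/nginx/modules/

# COPY instead of ADD: these are plain local files, so ADD's archive and URL
# handling is not wanted.
COPY files/fastcgi.conf	/etc/nginx/fastcgi.conf
COPY files/nginx.conf	/etc/nginx/nginx.conf

LABEL   author              "Olivier Le Bris"
LABEL   maintainer          "zogg"
LABEL   com.centurylinklabs.watchtower.enable=false
LABEL   org.opencontainers.image.source     "https://zogg.fr"
LABEL   org.opencontainers.image.licenses   MIT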

Procédure

Pour lancer la construction de l’image, il suffit de donner au script shell build.sh les droits d’exécution puis de le lancer :

# Mark build.sh executable, then run it with bash as root; the second step
# only runs if the first one succeeded.
sudo chmod +x build.sh \
  && sudo bash build.sh

Conclusion

Vous avez maintenant une image Docker compatible AMD64 à lancer sous Docker (ou avec Portainer :p).

Cet article est sous licence CC BY 4.0 par l'auteur.

© 2022- Olivier. Certains droits réservés.
