trinitor/DetectionLab
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
4e7bb096df265baf656361146c99d8a5327c9b3f
DetectionLab/Vagrant/resources/malcolm/Dockerfiles/nginx.Dockerfile
Trinitor 70f1922e80 added Malcolm
2021-08-06 10:35:01 +02:00

253 lines
10 KiB
Docker
Raw Blame History

# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
####################################################################################
# thanks to: nginx - https://github.com/nginxinc/docker-nginx/blob/master/mainline/alpine/Dockerfile
# kvspb/nginx-auth-ldap - https://github.com/kvspb/nginx-auth-ldap
# tiredofit/docker-nginx-ldap - https://github.com/tiredofit/docker-nginx-ldap/blob/master/Dockerfile
# jwilder/nginx-proxy - https://github.com/jwilder/nginx-proxy/blob/master/Dockerfile.alpine
####################################################################################
FROM alpine:3.13 as stunnel_build
ARG DEFAULT_UID=1000
ARG DEFAULT_GID=300
ENV DEFAULT_UID $DEFAULT_UID
ENV DEFAULT_GID $DEFAULT_GID
ENV PUSER "builder"
ENV PGROUP "abuild"
ADD https://codeload.github.com/alpinelinux/aports/tar.gz/master /aports-master.tar.gz
USER root
RUN set -x ; \
apk add --no-cache alpine-sdk sudo openssl-dev linux-headers; \
sed -i 's/^#\s*\(%wheel\s\+ALL=(ALL)\s\+NOPASSWD:\s\+ALL\)/\1/' /etc/sudoers ; \
adduser -D -u ${DEFAULT_UID} -h /apkbuild -G ${PGROUP} ${PUSER} ; \
addgroup ${PUSER} wheel ; \
chmod 644 /aports-master.tar.gz
USER ${PUSER}
RUN set -x ; \
cd /apkbuild ; \
tar xvf /aports-master.tar.gz aports-master/community/stunnel ; \
cd /apkbuild/aports-master/community/stunnel ; \
abuild-keygen -a -i -n ; \
abuild checksum ; \
abuild -R
####################################################################################
FROM alpine:3.13
LABEL maintainer="malcolm.netsec@gmail.com"
LABEL org.opencontainers.image.authors='malcolm.netsec@gmail.com'
LABEL org.opencontainers.image.url='https://github.com/cisagov/Malcolm'
LABEL org.opencontainers.image.documentation='https://github.com/cisagov/Malcolm/blob/master/README.md'
LABEL org.opencontainers.image.source='https://github.com/cisagov/Malcolm'
LABEL org.opencontainers.image.vendor='Cybersecurity and Infrastructure Security Agency'
LABEL org.opencontainers.image.title='malcolmnetsec/nginx-proxy'
LABEL org.opencontainers.image.description='Malcolm container providing an NGINX reverse proxy for the other services'
ARG DEFAULT_UID=101
ARG DEFAULT_GID=101
ENV DEFAULT_UID $DEFAULT_UID
ENV DEFAULT_GID $DEFAULT_GID
ENV PUSER "nginx"
ENV PGROUP "nginx"
# not dropping privileges globally so nginx and stunnel can bind privileged ports internally.
# nginx itself will drop privileges to "nginx" user for worker processes
ENV PUSER_PRIV_DROP false
ENV TERM xterm
USER root
# authentication method: encrypted HTTP basic authentication ('true') vs nginx-auth-ldap ('false')
ARG NGINX_BASIC_AUTH=true
# NGINX LDAP (NGINX_BASIC_AUTH=false) can support LDAP, LDAPS, or LDAP+StartTLS.
# For StartTLS, set NGINX_LDAP_TLS_STUNNEL=true to issue the StartTLS command
# and use stunnel to tunnel the connection.
ARG NGINX_LDAP_TLS_STUNNEL=false
# stunnel will require and verify certificates for StartTLS when one or more
# trusted CA certificate files are placed in the ./nginx/ca-trust directory.
# For additional security, hostname or IP address checking of the associated
# CA certificate(s) can be enabled by providing these values.
# see https://www.stunnel.org/howto.html
# https://www.openssl.org/docs/man1.1.1/man3/X509_check_host.html
ARG NGINX_LDAP_TLS_STUNNEL_CHECK_HOST=
ARG NGINX_LDAP_TLS_STUNNEL_CHECK_IP=
ARG NGINX_LDAP_TLS_STUNNEL_VERIFY_LEVEL=2
ENV NGINX_BASIC_AUTH $NGINX_BASIC_AUTH
ENV NGINX_LDAP_TLS_STUNNEL $NGINX_LDAP_TLS_STUNNEL
ENV NGINX_LDAP_TLS_STUNNEL_CHECK_HOST $NGINX_LDAP_TLS_STUNNEL_CHECK_HOST
ENV NGINX_LDAP_TLS_STUNNEL_CHECK_IP $NGINX_LDAP_TLS_STUNNEL_CHECK_IP
ENV NGINX_LDAP_TLS_STUNNEL_VERIFY_LEVEL $NGINX_LDAP_TLS_STUNNEL_VERIFY_LEVEL
# build latest nginx with nginx-auth-ldap
ENV NGINX_VERSION=1.20.1
ENV NGINX_AUTH_LDAP_BRANCH=master
ADD https://codeload.github.com/mmguero-dev/nginx-auth-ldap/tar.gz/$NGINX_AUTH_LDAP_BRANCH /nginx-auth-ldap.tar.gz
ADD http://nginx.org/download/nginx-$NGINX_VERSION.tar.gz /nginx.tar.gz
COPY --from=stunnel_build /apkbuild/packages/community/x86_64/stunnel-*.apk /tmp/
RUN set -x ; \
CONFIG="\
--prefix=/etc/nginx \
--sbin-path=/usr/sbin/nginx \
--modules-path=/usr/lib/nginx/modules \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--http-client-body-temp-path=/var/cache/nginx/client_temp \
--http-proxy-temp-path=/var/cache/nginx/proxy_temp \
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
--http-scgi-temp-path=/var/cache/nginx/scgi_temp \
--user=${PUSER} \
--group=${PGROUP} \
--with-http_ssl_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_stub_status_module \
--with-http_auth_request_module \
--with-http_xslt_module=dynamic \
--with-http_image_filter_module=dynamic \
--with-http_geoip_module=dynamic \
--with-http_perl_module=dynamic \
--with-threads \
--with-stream \
--with-stream_ssl_module \
--with-stream_ssl_preread_module \
--with-stream_realip_module \
--with-stream_geoip_module=dynamic \
--with-http_slice_module \
--with-mail \
--with-mail_ssl_module \
--with-compat \
--with-file-aio \
--with-http_v2_module \
--add-module=/usr/src/nginx-auth-ldap \
" ; \
apk add --no-cache curl shadow; \
addgroup -g ${DEFAULT_GID} -S ${PGROUP} ; \
adduser -S -D -H -u ${DEFAULT_UID} -h /var/cache/nginx -s /sbin/nologin -G ${PGROUP} -g ${PUSER} ${PUSER} ; \
addgroup ${PUSER} shadow ; \
mkdir -p /var/cache/nginx ; \
chown ${PUSER}:${PGROUP} /var/cache/nginx ; \
apk add --no-cache --virtual .nginx-build-deps \
gcc \
gd-dev \
geoip-dev \
gnupg \
libc-dev \
libressl-dev \
libxslt-dev \
linux-headers \
make \
openldap-dev \
pcre-dev \
perl-dev \
tar \
zlib-dev \
; \
\
mkdir -p /usr/src/nginx-auth-ldap /www /www/logs/nginx ; \
tar -zxC /usr/src -f /nginx.tar.gz ; \
tar -zxC /usr/src/nginx-auth-ldap --strip=1 -f /nginx-auth-ldap.tar.gz ; \
cd /usr/src/nginx-$NGINX_VERSION ; \
./configure $CONFIG --with-debug ; \
make -j$(getconf _NPROCESSORS_ONLN) ; \
mv objs/nginx objs/nginx-debug ; \
mv objs/ngx_http_xslt_filter_module.so objs/ngx_http_xslt_filter_module-debug.so ; \
mv objs/ngx_http_image_filter_module.so objs/ngx_http_image_filter_module-debug.so ; \
mv objs/ngx_http_geoip_module.so objs/ngx_http_geoip_module-debug.so ; \
mv objs/ngx_http_perl_module.so objs/ngx_http_perl_module-debug.so ; \
mv objs/ngx_stream_geoip_module.so objs/ngx_stream_geoip_module-debug.so ; \
./configure $CONFIG ; \
make -j$(getconf _NPROCESSORS_ONLN) ; \
make install ; \
rm -rf /etc/nginx/html/ ; \
mkdir -p /etc/nginx/conf.d/ ; \
mkdir -p /usr/share/nginx/html/ ; \
install -m644 html/index.html /usr/share/nginx/html/ ; \
install -m644 html/50x.html /usr/share/nginx/html/ ; \
install -m755 objs/nginx-debug /usr/sbin/nginx-debug ; \
install -m755 objs/ngx_http_xslt_filter_module-debug.so /usr/lib/nginx/modules/ngx_http_xslt_filter_module-debug.so ; \
install -m755 objs/ngx_http_image_filter_module-debug.so /usr/lib/nginx/modules/ngx_http_image_filter_module-debug.so ; \
install -m755 objs/ngx_http_geoip_module-debug.so /usr/lib/nginx/modules/ngx_http_geoip_module-debug.so ; \
install -m755 objs/ngx_http_perl_module-debug.so /usr/lib/nginx/modules/ngx_http_perl_module-debug.so ; \
install -m755 objs/ngx_stream_geoip_module-debug.so /usr/lib/nginx/modules/ngx_stream_geoip_module-debug.so ; \
ln -s ../../usr/lib/nginx/modules /etc/nginx/modules ; \
strip /usr/sbin/nginx* ; \
strip /usr/lib/nginx/modules/*.so ; \
rm -rf /usr/src/nginx-$NGINX_VERSION ; \
\
# Bring in gettext so we can get `envsubst`, then throw
# the rest away. To do this, we need to install `gettext`
# then move `envsubst` out of the way so `gettext` can
# be deleted completely, then move `envsubst` back.
apk add --no-cache --virtual .gettext gettext ; \
mv /usr/bin/envsubst /tmp/ ; \
\
runDeps="$( \
scanelf --needed --nobanner /usr/sbin/nginx /usr/lib/nginx/modules/*.so /tmp/envsubst \
| awk '{ gsub(/,/, "\nso:", $2); print "so:" $2 }' \
| sort -u \
| xargs -r apk info --installed \
| sort -u \
)" ; \
apk add --no-cache --virtual .nginx-rundeps $runDeps ca-certificates bash wget openssl apache2-utils openldap supervisor tzdata; \
update-ca-certificates; \
apk add --no-cache --allow-untrusted /tmp/stunnel-*.apk; \
apk del .nginx-build-deps ; \
apk del .gettext ; \
mv /tmp/envsubst /usr/local/bin/ ; \
rm -rf /usr/src/* /var/tmp/* /var/cache/apk/* /tmp/stunnel-*.apk /nginx.tar.gz /nginx-auth-ldap.tar.gz; \
touch /etc/nginx/nginx_ldap.conf /etc/nginx/nginx_blank.conf;
COPY --from=jwilder/nginx-proxy:alpine /app/nginx.tmpl /etc/nginx/
COPY --from=jwilder/nginx-proxy:alpine /etc/nginx/network_internal.conf /etc/nginx/
COPY --from=jwilder/nginx-proxy:alpine /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/
ADD shared/bin/docker-uid-gid-setup.sh /usr/local/bin/
ADD nginx/scripts /usr/local/bin/
ADD nginx/*.conf /etc/nginx/
ADD nginx/supervisord.conf /etc/
ADD docs/images/icon/favicon.ico /etc/nginx/favicon.ico
EXPOSE 80
VOLUME ["/etc/nginx/certs", "/etc/nginx/dhparam"]
ENTRYPOINT ["/usr/local/bin/docker-uid-gid-setup.sh", "/usr/local/bin/docker_entrypoint.sh"]
CMD ["supervisord", "-c", "/etc/supervisord.conf", "-u", "root", "-n"]
# to be populated at build-time:
ARG BUILD_DATE
ARG MALCOLM_VERSION
ARG VCS_REVISION
LABEL org.opencontainers.image.created=$BUILD_DATE
LABEL org.opencontainers.image.version=$MALCOLM_VERSION
LABEL org.opencontainers.image.revision=$VCS_REVISION
Reference in New Issue View Git Blame Copy Permalink