From e7bbb862aa272c537514523d5a956862ce78b2b7 Mon Sep 17 00:00:00 2001 From: Hugo Thunnissen Date: Tue, 29 Mar 2022 20:31:29 +0200 Subject: [PATCH] Initial Commit --- .drone.yml | 14 +++++++ Dockerfile | 20 ++++++++++ acme-challenge.conf | 44 ++++++++++++++++++++++ nginx.conf | 89 +++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 167 insertions(+) create mode 100644 .drone.yml create mode 100644 Dockerfile create mode 100644 acme-challenge.conf create mode 100644 nginx.conf diff --git a/.drone.yml b/.drone.yml new file mode 100644 index 0000000..b475c4b --- /dev/null +++ b/.drone.yml @@ -0,0 +1,14 @@ +kind: pipeline +name: default + +steps: +- name: docker-build + image: plugins/docker + exlude: + - master + settings: + username: hugotty + password: + from_secret: docker_password + repo: "hugotty/nginx" + tags: latest diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..2eb947d --- /dev/null +++ b/Dockerfile @@ -0,0 +1,20 @@ +FROM debian:sid + +# Set the env variables to non-interactive +ENV DEBIAN_FRONTEND noninteractive +ENV DEBIAN_PRIORITY critical +ENV DEBCONF_NOWARNINGS yes + +RUN apt-get update && apt-get -y install nginx + +RUN mkdir -p /var/lib/nginx + +RUN chown -R www-data:www-data /var/lib/nginx + +ADD ./acme-challenge.conf /etc/nginx/snippets/acme-challenge.conf + +ADD ./nginx.conf /etc/nginx/nginx.conf + +RUN mkdir /etc/nginx/streams-enabled && chown -R www-data:www-data /etc/nginx/streams-enabled + +CMD [ "/usr/sbin/nginx", "-g", "daemon off; master_process on;" ] diff --git a/acme-challenge.conf b/acme-challenge.conf new file mode 100644 index 0000000..869705e --- /dev/null +++ b/acme-challenge.conf @@ -0,0 +1,44 @@ +############################################################################# +# Configuration file for Let's Encrypt ACME Challenge location +# This file is already included in listen_xxx.conf files. +# Do NOT include it separately! +############################################################################# +# +# This config enables to access /.well-known/acme-challenge/xxxxxxxxxxx +# on all our sites (HTTP), including all subdomains. +# This is required by ACME Challenge (webroot authentication). +# You can check that this location is working by placing ping.txt here: +# /var/www/letsencrypt/.well-known/acme-challenge/ping.txt +# And pointing your browser to: +# http://xxx.domain.tld/.well-known/acme-challenge/ping.txt +# +# Sources: +# https://community.letsencrypt.org/t/howto-easy-cert-generation-and-renewal-with-nginx/3491 +# +############################################################################# + +# Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx) +# We use ^~ here, so that we don't check other regexes (for speed-up). We actually MUST cancel +# other regex checks, because in our other config files have regex rule that denies access to files with dotted names. +location ^~ /.well-known/acme-challenge/ { + + # Set correct content type. According to this: + # https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/29 + # Current specification requires "text/plain" or no content header at all. + # It seems that "text/plain" is a safe option. + default_type "text/plain"; + + # This directory must be the same as in /etc/letsencrypt/cli.ini + # as "webroot-path" parameter. Also don't forget to set "authenticator" parameter + # there to "webroot". + # Do NOT use alias, use root! Target directory is located here: + # /var/www/common/letsencrypt/.well-known/acme-challenge/ + root /var/www/letsencrypt; +} + +# Hide /acme-challenge subdirectory and return 404 on all requests. +# It is somewhat more secure than letting Nginx return 403. +# Ending slash is important! +location = /.well-known/acme-challenge/ { + return 404; +} diff --git a/nginx.conf b/nginx.conf new file mode 100644 index 0000000..097583b --- /dev/null +++ b/nginx.conf @@ -0,0 +1,89 @@ +user www-data; +worker_processes auto; +pid /run/nginx.pid; +include /etc/nginx/modules-enabled/*.conf; + +events { + worker_connections 768; + # multi_accept on; +} + +http { + + ## + # Basic Settings + ## + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + # server_tokens off; + + # server_names_hash_bucket_size 64; + # server_name_in_redirect off; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + ## + # SSL Settings + ## + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE + ssl_prefer_server_ciphers on; + + ## + # Logging Settings + ## + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + + ## + # Gzip Settings + ## + + gzip on; + + # gzip_vary on; + # gzip_proxied any; + # gzip_comp_level 6; + # gzip_buffers 16 8k; + # gzip_http_version 1.1; + # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; + + ## + # Virtual Host Configs + ## + + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enabled/*; +} + + +#mail { +# # See sample authentication script at: +# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript +# +# # auth_http localhost/auth.php; +# # pop3_capabilities "TOP" "USER"; +# # imap_capabilities "IMAP4rev1" "UIDPLUS"; +# +# server { +# listen localhost:110; +# protocol pop3; +# proxy on; +# } +# +# server { +# listen localhost:143; +# protocol imap; +# proxy on; +# } +#} + +stream { + include /etc/nginx/streams-enabled/*; +}