新增geoip,Brotli,headers-more模块,改为非root执行.

vla · vla · commit d526ab471df8 · 2017-07-23T19:05:56.000+08:00
diff --git a/Dockerfile b/Dockerfile
@@ -1,15 +1,18 @@
 FROM alpine:3.5
 LABEL maintainer "v.la@live.cn"
 
+ENV UID=1000 GID=1000 \ 
+    GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8
+
 ENV NGINX_VERSION=1.12.1 \
     LUA_MODULE_VERSION=0.10.9rc8  \
     NGINX_DEVEL_KIT_VERSION=0.3.0 \
     NGINX_CACHE_PURGE_VERSION=2.3 \
-    GEOIP_VERSION=1.6.11\
-    NGINX_USER=nginx \
+    GEOIP_VERSION=1.6.11 \
+    HEADERS_MORE_VERSION=0.32 \
     NGINX_SITECONF_DIR=/etc/nginx/sites-enabled \
     NGINX_LOG_DIR=/var/log/nginx \
-    NGINX_TEMP_DIR=/var/lib/nginx \
+    NGINX_TEMP_DIR=/var/cache/nginx \
     NGINX_SETUP_DIR=/usr/src/nginx
 
 ARG WITH_DEBUG=false
@@ -18,14 +21,15 @@ ARG WITH_LUA=true
 ARG WITH_PURGE=true
 ARG WITH_UPSTREAM_CHECK=true
 
-
 COPY setup/ ${NGINX_SETUP_DIR}/
 RUN sh ${NGINX_SETUP_DIR}/install.sh
 
 COPY entrypoint.sh /sbin/entrypoint.sh
 RUN chmod 755 /sbin/entrypoint.sh
 
-EXPOSE 80/tcp 443/tcp
+COPY nginx.conf /etc/nginx/nginx.conf
+
+EXPOSE 8000/tcp 4430/tcp
 
 VOLUME ["${NGINX_SITECONF_DIR}"]
 ENTRYPOINT ["/sbin/entrypoint.sh"]
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -1,25 +1,10 @@
 #!/bin/sh
 set -e
 
-create_log_dir() {
-  mkdir -p ${NGINX_LOG_DIR}
-  chmod -R 0755 ${NGINX_LOG_DIR}
-  chown -R ${NGINX_USER}:root ${NGINX_LOG_DIR}
-}
-
-create_tmp_dir(){
-  mkdir -p ${NGINX_TEMP_DIR}
-  chown -R ${NGINX_USER}:root ${NGINX_TEMP_DIR}
-}
-
-create_siteconf_dir() {
-  mkdir -p ${NGINX_SITECONF_DIR}
-  chmod -R 755 ${NGINX_SITECONF_DIR}
-}
-
-create_log_dir
-create_tmp_dir
-create_siteconf_dir
+mkdir -p ${NGINX_LOG_DIR} ${NGINX_TEMP_DIR} ${NGINX_SITECONF_DIR}
+chmod -R 0755 ${NGINX_LOG_DIR} 
+chmod -R 0755 ${NGINX_SITECONF_DIR}
+chown -R $UID:$GID $NGINX_LOG_DIR $NGINX_TEMP_DIR /etc/nginx /var/www
 
 #允许参数传递到nginx
 if [[ "${1:0:1}" = '-' ]]; then
@@ -35,7 +20,8 @@ fi
 
 if [[ -z "${1}" ]]; then
   echo "Starting nginx..."
-  exec $(which nginx) -c /etc/nginx/nginx.conf -g "daemon off;" ${EXTRA_ARGS}
+  #exec su-exec $UID:$GID /sbin/tini -- nginx
+  exec su-exec $UID:$GID $(which nginx) -g "daemon off;" ${EXTRA_ARGS}
 else
   exec "$@"
 fi
diff --git a/setup/install.sh b/setup/install.sh
@@ -1,24 +1,30 @@
 #!/bin/sh
 set -e
 
-#sed '1i\http://mirrors.ustc.edu.cn/alpine/v3.5/main/' /etc/apk/repositories
+# cat > /etc/apk/repositories <<EOF
+# https://mirrors.ustc.edu.cn/alpine/latest-stable/main
+# https://mirrors.ustc.edu.cn/alpine/latest-stable/community
+# EOF
+# apk update 
 
 NGINX_DOWNLOAD_URL="http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz"
 NGINX_DEVEL_KIT_URL="https://github.com/simpl/ngx_devel_kit/archive/v${NGINX_DEVEL_KIT_VERSION}.tar.gz"
 LUA_URL="https://github.com/openresty/lua-nginx-module/archive/v${LUA_MODULE_VERSION}.tar.gz"
 NGINX_CACHE_PURGE_URL="https://github.com/FRiCKLE/ngx_cache_purge/archive/${NGINX_CACHE_PURGE_VERSION}.tar.gz"
 NGINX_UPSTREAM_CHECK_URL="https://github.com/yaoweibin/nginx_upstream_check_module/archive/master.tar.gz"
 MAXMIND_URL="https://github.com/maxmind/geoip-api-c/releases/download/v${GEOIP_VERSION}/GeoIP-${GEOIP_VERSION}.tar.gz"
+HEADERS_MORE_URL="https://github.com/openresty/headers-more-nginx-module/archive/v${HEADERS_MORE_VERSION}.tar.gz"
 
-BUILD_DEPENDENCIES="gcc patch libc-dev make openssl-dev \
-curl pcre-dev zlib-dev linux-headers luajit-dev \
-gnupg libxslt-dev gd-dev perl-dev git geoip-dev ca-certificates"
+BUILD_DEPENDENCIES="build-base linux-headers ca-certificates \
+patch openssl-dev cmake autoconf automake go \
+curl pcre-dev zlib-dev luajit-dev libtool \
+gnupg libxslt-dev gd-dev perl-dev git geoip-dev git"
 
 ${WITH_DEBUG} && {
   EXTRA_ARGS="${EXTRA_ARGS} --with-debug"
 }
 
-#mkdir -p ${NGINX_SETUP_DIR}
+mkdir -p ${NGINX_SETUP_DIR}
 cd ${NGINX_SETUP_DIR}
 
 #build dependencies
@@ -46,6 +52,7 @@ ${WITH_UPSTREAM_CHECK} && {
   tar -zxC "${NGINX_SETUP_DIR}" -f "${NGINX_SETUP_DIR}/ngx_upstream_check.tar"
 }
 
+#lua module support
 ${WITH_LUA} && {
   EXTRA_ARGS="${EXTRA_ARGS} --add-module=${NGINX_SETUP_DIR}/lua-nginx-module-${LUA_MODULE_VERSION}"
 
@@ -56,24 +63,54 @@ ${WITH_LUA} && {
   export LUAJIT_INC=/usr/include/luajit-2.1
 }
 
+#headers-more module support
+EXTRA_ARGS="${EXTRA_ARGS} --add-module=${NGINX_SETUP_DIR}/headers-more-nginx-module-${HEADERS_MORE_VERSION}"
+curl -fSL "${HEADERS_MORE_URL}" -o "${NGINX_SETUP_DIR}/headers-more-nginx-module-${HEADERS_MORE_VERSION}.tar.gz"
+tar -zxC "${NGINX_SETUP_DIR}" -f "${NGINX_SETUP_DIR}/headers-more-nginx-module-${HEADERS_MORE_VERSION}.tar.gz"
+
+#ngx_brotli module support
+EXTRA_ARGS="${EXTRA_ARGS} --add-module=${NGINX_SETUP_DIR}/ngx_brotli"
+git clone https://github.com/bagder/libbrotli --depth=1 ${NGINX_SETUP_DIR}/libbrotli
+cd "${NGINX_SETUP_DIR}/libbrotli"
+./autogen.sh && ./configure && make -j $(getconf _NPROCESSORS_ONLN) && make install
+git clone --depth=1 https://github.com/google/ngx_brotli  "${NGINX_SETUP_DIR}/ngx_brotli"
+cd "${NGINX_SETUP_DIR}/ngx_brotli"
+git submodule update --init
+
 # install geoip
 curl -fSL $MAXMIND_URL -o "${NGINX_SETUP_DIR}/geoip_module.tar"
 tar -zxC "${NGINX_SETUP_DIR}" -f "${NGINX_SETUP_DIR}/geoip_module.tar"
 cd ${NGINX_SETUP_DIR}/GeoIP-${GEOIP_VERSION}
-./configure && make && make check && make install 
+./configure && make -j $(getconf _NPROCESSORS_ONLN) && make check && make install 
 
-#nginx user role
+#nginx default www
 mkdir -p /var/www/nginx
-addgroup -S ${NGINX_USER}
-adduser -D -S -h /var/www/nginx \
-  -u 1000 -s /sbin/nologin -G ${NGINX_USER} ${NGINX_USER}
 
 #build nginx
 curl -fSL "${NGINX_DOWNLOAD_URL}" -o "${NGINX_SETUP_DIR}/nginx.tar"
 tar -zxC "${NGINX_SETUP_DIR}" -f "${NGINX_SETUP_DIR}/nginx.tar"
 
 cd ${NGINX_SETUP_DIR}/nginx-${NGINX_VERSION}
 
+curl -fSL http://nginx.org/download/nginx-$NGINX_VERSION.tar.gz.asc  -o "${NGINX_SETUP_DIR}/nginx.tar.gz.asc" 
+export GNUPGHOME="$(mktemp -d)"
+found='';
+for server in \
+		ha.pool.sks-keyservers.net \
+		hkp://keyserver.ubuntu.com:80 \
+		hkp://p80.pool.sks-keyservers.net:80 \
+		pgp.mit.edu \
+	; do \
+		echo "Fetching GPG key $GPG_KEYS from $server"; \
+		gpg --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$GPG_KEYS" && found=yes && break; \
+	done;
+
+test -z "$found" && echo >&2 "error: failed to fetch GPG key $GPG_KEYS" && exit 1;
+gpg --batch --verify "${NGINX_SETUP_DIR}/nginx.tar.gz.asc"  "${NGINX_SETUP_DIR}/nginx.tar"
+rm -r "$GNUPGHOME" "${NGINX_SETUP_DIR}/nginx.tar.gz.asc"
+
+
+#nginx_upstream_check_module patch
 if [[ ${WITH_UPSTREAM_CHECK} ]];then
    patch -p0 < ${NGINX_SETUP_DIR}/nginx_upstream_check_module-master/check_1.11.5+.patch
 fi
@@ -86,9 +123,7 @@ fi
   --http-log-path=/var/log/nginx/access.log \
   --error-log-path=/var/log/nginx/error.log \
   --lock-path=/var/lock/nginx.lock \
-  --pid-path=/run/nginx.pid \
-  --user=${NGINX_USER} \
-  --group=${NGINX_USER} \
+  --pid-path=/tmp/nginx.pid \
   --http-client-body-temp-path=${NGINX_TEMP_DIR}/body \
   --http-fastcgi-temp-path=${NGINX_TEMP_DIR}/fastcgi \
   --http-proxy-temp-path=${NGINX_TEMP_DIR}/proxy \
@@ -137,8 +172,8 @@ cp ${NGINX_SETUP_DIR}/test.conf /etc/nginx/
 
 cat > ${NGINX_SITECONF_DIR}/default.conf <<EOF
 server {
-  listen 80 default_server;
-  listen [::]:80 default_server ipv6only=on;
+  listen 8000 default_server;
+  listen [::]:8000 default_server ipv6only=on;
   server_name localhost;
 
   root /var/www/nginx/html;
@@ -171,6 +206,7 @@ RUN_DEPENDENCIES="$( \
 			| xargs -r apk info --installed \
 			| sort -u \
 )"
+RUN_DEPENDENCIES="$RUN_DEPENDENCIES su-exec"
 echo "install rundeps $RUN_DEPENDENCIES"
 apk add --no-cache --virtual .nginx-rundeps $RUN_DEPENDENCIES
 
@@ -180,7 +216,3 @@ apk del .gettext
 mv /tmp/envsubst /usr/local/bin/
 cd /
 rm -rf ${NGINX_SETUP_DIR}/
-
-# forward request and error logs to docker log collector
-ln -sf /dev/stdout /var/log/nginx/access.log
-ln -sf /dev/stderr /var/log/nginx/error.log
