-
Notifications
You must be signed in to change notification settings - Fork 351
/
Copy pathDockerfile
236 lines (227 loc) · 8.27 KB
/
Dockerfile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
FROM debian:bookworm-slim
# add our user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added
#RUN groupadd -r www-data && useradd -r --create-home -g www-data www-data
ENV HTTPD_PREFIX /usr/local/apache2
ENV PATH $HTTPD_PREFIX/bin:$PATH
RUN mkdir -p "$HTTPD_PREFIX" \
&& chown www-data:www-data "$HTTPD_PREFIX"
WORKDIR $HTTPD_PREFIX
# install httpd runtime dependencies
# https://httpd.apache.org/docs/2.4/install.html#requirements
RUN set -eux; \
apt-get update; \
apt-get install -y --no-install-recommends \
# https://github.com/docker-library/httpd/issues/214
ca-certificates \
libaprutil1-ldap \
# https://github.com/docker-library/httpd/issues/209
libldap-common \
; \
rm -rf /var/lib/apt/lists/*
ENV HTTPD_VERSION 2.4.59
ENV HTTPD_SHA256 ec51501ec480284ff52f637258135d333230a7d229c3afa6f6c2f9040e321323
# https://httpd.apache.org/security/vulnerabilities_24.html
ENV HTTPD_PATCHES=""
# see https://httpd.apache.org/docs/2.4/install.html#requirements
RUN set -eux; \
\
# mod_http2 mod_lua mod_proxy_html mod_xml2enc
# https://anonscm.debian.org/cgit/pkg-apache/apache2.git/tree/debian/control?id=adb6f181257af28ee67af15fc49d2699a0080d4c
savedAptMark="$(apt-mark showmanual)"; \
apt-get update; \
apt-get install -y --no-install-recommends \
bzip2 \
dpkg-dev \
gcc \
gnupg \
libapr1-dev \
libaprutil1-dev \
libbrotli-dev \
libcurl4-openssl-dev \
libjansson-dev \
liblua5.2-dev \
libnghttp2-dev \
libpcre3-dev \
libssl-dev \
libxml2-dev \
make \
patch \
wget \
zlib1g-dev \
; \
rm -r /var/lib/apt/lists/*; \
\
ddist() { \
local f="$1"; shift; \
local distFile="$1"; shift; \
local success=; \
local distUrl=; \
for distUrl in \
# https://apache.org/history/mirror-history.html
https://dlcdn.apache.org/ \
# if the version is outdated, we have to pull from the archive
https://archive.apache.org/dist/ \
; do \
if wget -O "$f" "$distUrl$distFile" && [ -s "$f" ]; then \
success=1; \
break; \
fi; \
done; \
[ -n "$success" ]; \
}; \
\
ddist 'httpd.tar.bz2' "httpd/httpd-$HTTPD_VERSION.tar.bz2"; \
echo "$HTTPD_SHA256 *httpd.tar.bz2" | sha256sum -c -; \
\
# see https://httpd.apache.org/download.cgi#verify
ddist 'httpd.tar.bz2.asc' "httpd/httpd-$HTTPD_VERSION.tar.bz2.asc"; \
export GNUPGHOME="$(mktemp -d)"; \
# $ docker run --rm buildpack-deps:bookworm-curl bash -c 'wget -qO- https://downloads.apache.org/httpd/KEYS | gpg --batch --import &> /dev/null && gpg --batch --list-keys --with-fingerprint --with-colons' | awk -F: '$1 == "pub" && $2 == "-" { pub = 1 } pub && $1 == "fpr" { fpr = $10 } $1 == "sub" { pub = 0 } pub && fpr && $1 == "uid" && $2 == "-" { print "#", $10; print "\t\t" fpr " \\"; pub = 0 }'
for key in \
# Rodent of Unusual Size (DSA) <coar@ACM.Org>
DE29FB3971E71543FD2DC049508EAEC5302DA568 \
# Rodent of Unusual Size <coar@ACM.Org>
13155B0E9E634F42BF6C163FDDBA64BA2C312D2F \
# Jim Jagielski <jim@apache.org>
8B39757B1D8A994DF2433ED58B3A601F08C975E5 \
# Dean Gaudet <dgaudet@apache.org>
31EE1A81B8D066548156D37B7D6DBFD1F08E012A \
# Cliff Woolley <jwoolley@apache.org>
A10208FEC3152DD7C0C9B59B361522D782AB7BD1 \
# Cliff Woolley <jwoolley@virginia.edu>
3DE024AFDA7A4B15CB6C14410F81AA8AB0D5F771 \
# Graham Leggett <minfrin@apache.org>
EB138C6AF0FC691001B16D93344A844D751D7F27 \
# Roy T. Fielding <fielding@gbiv.com>
CBA5A7C21EC143314C41393E5B968010E04F9A89 \
# Justin R. Erenkrantz <jerenkrantz@apache.org>
3C016F2B764621BB549C66B516A96495E2226795 \
# Aaron Bannert <abannert@kuci.org>
937FB3994A242BA9BF49E93021454AF0CC8B0F7E \
# Brad Nicholes <bnicholes@novell.com>
EAD1359A4C0F2D37472AAF28F55DF0293A4E7AC9 \
# Sander Striker <striker@apache.org>
4C1EADADB4EF5007579C919C6635B6C0DE885DD3 \
# Greg Stein <gstein@lyra.org>
01E475360FCCF1D0F24B9D145D414AE1E005C9CB \
# Andre Malo <nd@apache.org>
92CCEF0AA7DD46AC3A0F498BCA6939748103A37E \
# Erik Abele <erik@codefaktor.de>
D395C7573A68B9796D38C258153FA0CD75A67692 \
# Astrid Kessler (Kess) <kess@kess-net.de>
FA39B617B61493FD283503E7EED1EA392261D073 \
# Joe Schaefer <joe@sunstarsys.com>
984FB3350C1D5C7A3282255BB31B213D208F5064 \
# Stas Bekman <stas@stason.org>
FE7A49DAA875E890B4167F76CCB2EB46E76CF6D0 \
# Paul Querna <chip@force-elite.com>
39F6691A0ECF0C50E8BB849CF78875F642721F00 \
# Colm MacCarthaigh <colm.maccarthaigh@heanet.ie>
29A2BA848177B73878277FA475CAA2A3F39B3750 \
# Ruediger Pluem <rpluem@apache.org>
120A8667241AEDD4A78B46104C042818311A3DE5 \
# Nick Kew <nick@webthing.com>
453510BDA6C5855624E009236D0BC73A40581837 \
# Philip M. Gollucci <pgollucci@p6m7g8.com>
0DE5C55C6BF3B2352DABB89E13249B4FEC88A0BF \
# Bojan Smojver <bojan@rexursive.com>
7CDBED100806552182F98844E8E7E00B4DAA1988 \
# Issac Goldstand <margol@beamartyr.net>
A8BA9617EF3BCCAC3B29B869EDB105896F9522D8 \
# "Guenter Knauf" ("CODE SIGNING KEY") <fuankg@apache.org>
3E6AC004854F3A7F03566B592FF06894E55B0D0E \
# Jeff Trawick (CODE SIGNING KEY) <trawick@apache.org>
5B5181C2C0AB13E59DA3F7A3EC582EB639FF092C \
# Jim Jagielski (Release Signing Key) <jim@apache.org>
A93D62ECC3C8EA12DB220EC934EA76E6791485A8 \
# Eric Covener <covener@apache.org>
65B2D44FE74BD5E3DE3AC3F082781DE46D5954FA \
# Yann Ylavic <ylavic@apache.org>
8935926745E1CE7E3ED748F6EC99EE267EB5F61A \
# Daniel Ruggeri (http\x3a//home.apache.org/~druggeri/) <druggeri@apache.org>
E3480043595621FE56105F112AB12A7ADC55C003 \
# Joe Orton (Release Signing Key) <jorton@apache.org>
93525CFCF6FDFFB3FD9700DD5A4B10AE43B56A27 \
# Christophe JAILLET <christophe.jaillet@wanadoo.fr>
C55AB7B9139EB2263CD1AABC19B033D1760C227B \
# Stefan Eissing (icing) <stefan@eissing.org>
26F51EF9A82F4ACB43F1903ED377C9E7D1944C66 \
; do \
gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \
done; \
gpg --batch --verify httpd.tar.bz2.asc httpd.tar.bz2; \
gpgconf --kill all; \
rm -rf "$GNUPGHOME" httpd.tar.bz2.asc; \
\
mkdir -p src; \
tar -xf httpd.tar.bz2 -C src --strip-components=1; \
rm httpd.tar.bz2; \
cd src; \
\
patches() { \
while [ "$#" -gt 0 ]; do \
local patchFile="$1"; shift; \
local patchSha256="$1"; shift; \
ddist "$patchFile" "httpd/patches/apply_to_$HTTPD_VERSION/$patchFile"; \
echo "$patchSha256 *$patchFile" | sha256sum -c -; \
patch -p0 < "$patchFile"; \
rm -f "$patchFile"; \
done; \
}; \
patches $HTTPD_PATCHES; \
\
gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
CFLAGS="$(dpkg-buildflags --get CFLAGS)"; \
CPPFLAGS="$(dpkg-buildflags --get CPPFLAGS)"; \
LDFLAGS="$(dpkg-buildflags --get LDFLAGS)"; \
./configure \
--build="$gnuArch" \
--prefix="$HTTPD_PREFIX" \
--enable-mods-shared=reallyall \
--enable-mpms-shared=all \
# enable the same hardening flags as Debian
# - https://salsa.debian.org/apache-team/apache2/blob/87db7de4e59683fb03e97900f078d06ef2292748/debian/rules#L19-21
# - https://salsa.debian.org/apache-team/apache2/blob/87db7de4e59683fb03e97900f078d06ef2292748/debian/rules#L115
--enable-pie \
CFLAGS="-pipe $CFLAGS" \
CPPFLAGS="$CPPFLAGS" \
LDFLAGS="-Wl,--as-needed $LDFLAGS" \
; \
make -j "$(nproc)"; \
make install; \
\
cd ..; \
rm -r src man manual; \
\
sed -ri \
-e 's!^(\s*CustomLog)\s+\S+!\1 /proc/self/fd/1!g' \
-e 's!^(\s*ErrorLog)\s+\S+!\1 /proc/self/fd/2!g' \
-e 's!^(\s*TransferLog)\s+\S+!\1 /proc/self/fd/1!g' \
-e 's!^(\s*User)\s+daemon\s*$!\1 www-data!g' \
-e 's!^(\s*Group)\s+daemon\s*$!\1 www-data!g' \
"$HTTPD_PREFIX/conf/httpd.conf" \
"$HTTPD_PREFIX/conf/extra/httpd-ssl.conf" \
; \
grep -E '^\s*User www-data$' "$HTTPD_PREFIX/conf/httpd.conf"; \
grep -E '^\s*Group www-data$' "$HTTPD_PREFIX/conf/httpd.conf"; \
\
# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
apt-mark auto '.*' > /dev/null; \
[ -z "$savedAptMark" ] || apt-mark manual $savedAptMark; \
find /usr/local -type f -executable -exec ldd '{}' ';' \
| awk '/=>/ { so = $(NF-1); if (index(so, "/usr/local/") == 1) { next }; gsub("^/(usr/)?", "", so); printf "*%s\n", so }' \
| sort -u \
| xargs -r dpkg-query --search \
| cut -d: -f1 \
| sort -u \
| xargs -r apt-mark manual \
; \
apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
\
# smoke test
httpd -v
# https://httpd.apache.org/docs/2.4/stopping.html#gracefulstop
STOPSIGNAL SIGWINCH
COPY httpd-foreground /usr/local/bin/
EXPOSE 80
CMD ["httpd-foreground"]