docker
/
nginx
6
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial Commit

This commit is contained in:
Aditya Prima 2024-07-22 18:52:48 +07:00
commit 58f6b20625
11 changed files with 485 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
.gitea/workflows/alpine-dockerio.yaml Normal file
View File

@ -0,0 +1,60 @@
name: Build and Push Alpine NGINX Image to docker.io Registry
on:
push:
branches:
- master
jobs:
build:
name: Build and push image (root user)
runs-on: ubuntu-latest
container:
image: ghcr.io/catthehacker/ubuntu:act-latest
steps:
- name: Check out repository code
uses: actions/checkout@v3
- name: Login to docker.io Registry
uses: docker/login-action@v3
with:
registry: docker.io
username: aprimediet
password: ${{ secrets.DOCKER_TOKEN }}
- name: Build and push
uses: docker/build-push-action@v5
with:
context: .
file: Dockerfile.alpine
build-args: |
REGISTRY_URL=aprimediet
push: true
tags: |
aprimediet/nginx:alpine
aprimediet/nginx:latest-alpine
aprimediet/nginx:latest
build-rootless:
name: Build and push image (rootless)
runs-on: ubuntu-latest
container:
image: ghcr.io/catthehacker/ubuntu:act-latest
steps:
- name: Check out repository code
uses: actions/checkout@v3
- name: Login to docker.io Registry
uses: docker/login-action@v3
with:
registry: docker.io
username: aprimediet
password: ${{ secrets.DOCKER_TOKEN }}
- name: Build and push
uses: docker/build-push-action@v5
with:
context: .
file: Dockerfile.alpine-rootless
build-args: |
REGISTRY_URL=aprimediet
push: true
tags: |
aprimediet/nginx:rootless-alpine
aprimediet/nginx:rootless
aprimediet/nginx:latest-rootless-alpine
aprimediet/nginx:latest-rootless

56
.gitea/workflows/alpine-winter.yaml Normal file
View File

@ -0,0 +1,56 @@
name: Build and Push Alpine NodeJS Image to Winter Access Registry
on:
push:
branches:
- master
jobs:
build:
name: Build and push image (Root User)
runs-on: ubuntu-latest
container:
image: ghcr.io/catthehacker/ubuntu:act-latest
steps:
- name: Check out repository code
uses: actions/checkout@v3
- name: Login to Docker Winter Access Git Registry
uses: docker/login-action@v3
with:
registry: git.winteraccess.id
username: aditya.prima
password: ${{ secrets.PATOKEN }}
- name: Build and push
uses: docker/build-push-action@v5
with:
context: .
file: Dockerfile.alpine
push: true
tags: |
git.winteraccess.id/${{ gitea.repository }}:alpine
git.winteraccess.id/${{ gitea.repository }}:latest-alpine
git.winteraccess.id/${{ gitea.repository }}:latest
build-rootless:
name: Build and push image (rootless)
runs-on: ubuntu-latest
container:
image: ghcr.io/catthehacker/ubuntu:act-latest
steps:
- name: Check out repository code
uses: actions/checkout@v3
- name: Login to Docker Winter Access Git Registry
uses: docker/login-action@v3
with:
registry: git.winteraccess.id
username: aditya.prima
password: ${{ secrets.PATOKEN }}
- name: Build and push
uses: docker/build-push-action@v5
with:
context: .
file: Dockerfile.alpine-rootless
push: true
tags: |
git.winteraccess.id/${{ gitea.repository }}:rootless-alpine
git.winteraccess.id/${{ gitea.repository }}:rootless
git.winteraccess.id/${{ gitea.repository }}:latest-rootless-alpine
git.winteraccess.id/${{ gitea.repository }}:latest-rootless

29
Dockerfile.alpine Normal file
View File

@ -0,0 +1,29 @@
ARG REGISTRY_URL=git.winteraccess.id/docker
ARG ALPINE_VERSION=3.20
FROM ${REGISTRY_URL}/alpine:${ALPINE_VERSION}
LABEL maintainer="<Muhamad Aditya Prima> aprimediet@gmail.com"
WORKDIR /
# INSTALL WGET AND REQUIRED BUILD TOOLS
RUN --mount=type=cache,target=/var/cache/apk \
apk update && apk upgrade && apk add \
nginx nginx-mod-http-naxsi
# COPY CONFIGURATION FILES
ADD ./etc/nginx/nginx.conf /etc/nginx/
ADD ./etc/nginx/naxsi_core.rules /etc/nginx/
ADD ./etc/nginx/proxy_params /etc/nginx/
ADD ./etc/nginx/ssl_params /etc/nginx/
ADD ./etc/nginx/conf.d /etc/nginx/conf.d
ADD ./app /app
# CLEAR CACHE
RUN apk del curl && \
rm -rf /var/cache/apk/*
CMD ["nginx"]
EXPOSE 80

38
Dockerfile.alpine-rootless Normal file
View File

@ -0,0 +1,38 @@
ARG REGISTRY_URL=git.winteraccess.id/docker
ARG ALPINE_VERSION=3.20
FROM ${REGISTRY_URL}/alpine:${ALPINE_VERSION}
LABEL maintainer="<Muhamad Aditya Prima> aprimediet@gmail.com"
WORKDIR /
# ADD USER
RUN addgroup -g 1001 nginx && adduser -D -u 1001 -G nginx -s /bin/bash -h /app nginx
# INSTALL WGET AND REQUIRED BUILD TOOLS
RUN --mount=type=cache,target=/var/cache/apk \
apk update && apk upgrade && apk add \
nginx nginx-mod-http-naxsi
# COPY CONFIGURATION FILES
ADD ./etc/nginx/nginx-rootless.conf /etc/nginx/nginx.conf
ADD ./etc/nginx/naxsi_core.rules /etc/nginx/
ADD ./etc/nginx/proxy_params /etc/nginx/
ADD ./etc/nginx/ssl_params /etc/nginx/
ADD ./etc/nginx/conf.d /etc/nginx/conf.d
ADD ./app /app
RUN touch /var/run/nginx.pid && chown nginx:nginx /var/run/nginx.pid
# CLEAR CACHE
RUN apk del curl && \
rm -rf /var/cache/apk/*
# SET AS USER NODE
WORKDIR /app
USER nginx
# CMD ["nginx"]
EXPOSE 80

29
app/index.html Normal file
View File

@ -0,0 +1,29 @@
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<h2>The aprimediet/nginx variant.</h2>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p>For online documentation specific to the aprimediet/nginx,<br/>
please refer to <a href="https://github.com/aprimediet/docker-nginx">aprimediet/docker-nginx</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>

16
etc/nginx/conf.d/default.conf Normal file
View File

@ -0,0 +1,16 @@
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
root /app;
index index.html;
location / {
try_files $uri $uri/ =404;
}
location ~* .(jpg|jpeg|png|gif|ico|css|js)$ {
expires 30d;
}
}

91
etc/nginx/naxsi_core.rules Normal file
View File

@ -0,0 +1,91 @@
##################################
## INTERNAL RULES IDS:1-999 ##
##################################
#@MainRule "msg:weird request, unable to parse" id:1;
#@MainRule "msg:request too big, stored on disk and not parsed" id:2;
#@MainRule "msg:invalid hex encoding, null bytes" id:10;
#@MainRule "msg:unknown content-type" id:11;
#@MainRule "msg:invalid formatted url" id:12;
#@MainRule "msg:invalid POST format" id:13;
#@MainRule "msg:invalid POST boundary" id:14;
#@MainRule "msg:invalid JSON" id:15;
#@MainRule "msg:empty POST" id:16;
#@MainRule "msg:libinjection_sql" id:17;
#@MainRule "msg:libinjection_xss" id:18;
#@MainRule "msg:no generic rules" id:19;
#@MainRule "msg:bad utf8" id:20;
##################################
## SQL Injections IDs:1000-1099 ##
##################################
MainRule "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop|load_file|substr|group_concat|dumpfile" "msg:sql keywords" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000;
MainRule "str:\"" "msg:double quote" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8,$XSS:8" id:1001;
MainRule "str:0x" "msg:0x, possible hex encoding" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:2" id:1002;
## Hardcore rules
MainRule "str:/*" "msg:mysql comment (/*)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1003;
MainRule "str:*/" "msg:mysql comment (*/)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1004;
MainRule "str:|" "msg:mysql keyword (|)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1005;
MainRule "str:&&" "msg:mysql keyword (&&)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1006;
## end of hardcore rules
MainRule "str:--" "msg:mysql comment (--)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1007;
MainRule "str:;" "msg:semicolon" "mz:BODY|URL|ARGS" "s:$SQL:4,$XSS:8" id:1008;
MainRule "str:=" "msg:equal sign in var, probable sql/xss" "mz:ARGS|BODY" "s:$SQL:2" id:1009;
MainRule "str:(" "msg:open parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1010;
MainRule "str:)" "msg:close parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1011;
MainRule "str:'" "msg:simple quote" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1013;
MainRule "str:," "msg:comma" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1015;
MainRule "str:#" "msg:mysql comment (#)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1016;
MainRule "str:@@" "msg:double arobase (@@)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1017;
###############################
## OBVIOUS RFI IDs:1100-1199 ##
###############################
MainRule "str:http://" "msg:http:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1100;
MainRule "str:https://" "msg:https:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1101;
MainRule "str:ftp://" "msg:ftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1102;
MainRule "str:php://" "msg:php:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1103;
MainRule "str:sftp://" "msg:sftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1104;
MainRule "str:zlib://" "msg:zlib:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1105;
MainRule "str:data://" "msg:data:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1106;
MainRule "str:glob://" "msg:glob:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1107;
MainRule "str:phar://" "msg:phar:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1108;
MainRule "str:file://" "msg:file:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1109;
MainRule "str:gopher://" "msg:gopher:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1110;
MainRule "str:zip://" "msg:zip:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1111;
MainRule "str:expect://" "msg:expect:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1112;
MainRule "str:input://" "msg:input:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1113;
#######################################
## Directory traversal IDs:1200-1299 ##
#######################################
MainRule "str:.." "msg:double dot" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1200;
MainRule "str:/etc/passwd" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1202;
MainRule "str:c:\\" "msg:obvious windows path" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1203;
MainRule "str:cmd.exe" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1204;
MainRule "str:\\" "msg:backslash" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1205;
#MainRule "str:/" "msg:slash in args" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:2" id:1206;
MainRule "str:/..;/" "msg:dir traversal bypass" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:2" id:1207;
########################################
## Cross Site Scripting IDs:1300-1399 ##
########################################
MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1302;
MainRule "str:>" "msg:html close tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1303;
MainRule "str:[" "msg:open square backet ([), possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1310;
MainRule "str:]" "msg:close square bracket (]), possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1311;
MainRule "str:~" "msg:tilde (~) character" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1312;
MainRule "str:`" "msg:grave accent (`)" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1314;
MainRule "rx:%[23]." "msg:double encoding" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1315;
####################################
## Evading tricks IDs: 1400-1500 ##
####################################
MainRule "str:&#" "msg:utf7/8 encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1400;
MainRule "str:%U" "msg:M$ encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1401;
#############################
## File uploads: 1500-1600 ##
#############################
MainRule "rx:\.ph|\.asp|\.ht|\.jsp" "msg:asp/php/jsp file upload" "mz:FILE_EXT" "s:$UPLOAD:8" id:1500;

69
etc/nginx/nginx-rootless.conf Normal file
View File

@ -0,0 +1,69 @@
# /etc/nginx/nginx.conf
# Do not start as daemon
daemon off;
worker_processes auto;
worker_rlimit_nofile 100000;
# Set log to stderr
error_log stderr warn;
pid /var/run/nginx.pid;
include /etc/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
include /etc/nginx/naxsi_core.rules;
default_type application/octet-stream;
server_tokens off;
keepalive_timeout 15;
sendfile on;
tcp_nodelay on;
log_format custom_log '[$time_local] [NGINX] - $remote_addr - $remote_user - '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" "$gzip_ratio"';
# Do not log access
access_log /dev/stdout custom_log;
# SSL
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:2m;
# buffering causes issues, disable it
# increase buffer size. still useful even when buffering is off
proxy_buffering off;
proxy_buffer_size 4k;
# Buffer size
client_body_buffer_size 10k;
client_header_buffer_size 1k;
client_max_body_size 8m;
large_client_header_buffers 2 1k;
# Timeouts
client_body_timeout 12;
client_header_timeout 12;
send_timeout 10;
# GZip Compression
gzip on;
gzip_http_version 1.0;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 1280;
gzip_buffers 128 4k;
# gzip_proxied expired no-cache no-store private auth;
gzip_proxied any;
gzip_disable "msie6";
# gzip_types text/plain application/x-javascript text/xml text/css application/xml;
gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon image/bmp;
include /etc/nginx/conf.d/*.conf;
}

71
etc/nginx/nginx.conf Normal file
View File

@ -0,0 +1,71 @@
# /etc/nginx/nginx.conf
user root;
# Do not start as daemon
daemon off;
worker_processes auto;
worker_rlimit_nofile 100000;
# Set log to stderr
error_log stderr warn;
pid /var/run/nginx.pid;
include /etc/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
include /etc/nginx/naxsi_core.rules;
default_type application/octet-stream;
server_tokens off;
keepalive_timeout 15;
sendfile on;
tcp_nodelay on;
log_format custom_log '[$time_local] [NGINX] - $remote_addr - $remote_user - '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" "$gzip_ratio"';
# Do not log access
access_log /dev/stdout custom_log;
# SSL
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:2m;
# buffering causes issues, disable it
# increase buffer size. still useful even when buffering is off
proxy_buffering off;
proxy_buffer_size 4k;
# Buffer size
client_body_buffer_size 10k;
client_header_buffer_size 1k;
client_max_body_size 8m;
large_client_header_buffers 2 1k;
# Timeouts
client_body_timeout 12;
client_header_timeout 12;
send_timeout 10;
# GZip Compression
gzip on;
gzip_http_version 1.0;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 1280;
gzip_buffers 128 4k;
# gzip_proxied expired no-cache no-store private auth;
gzip_proxied any;
gzip_disable "msie6";
# gzip_types text/plain application/x-javascript text/xml text/css application/xml;
gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon image/bmp;
include /etc/nginx/conf.d/*.conf;
}

4
etc/nginx/proxy_params Normal file
View File

@ -0,0 +1,4 @@
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

22
etc/nginx/ssl_params Normal file
View File

@ -0,0 +1,22 @@
# secure nginx, see https://cipherli.st/
ssl_protocols TLSv1.3
ssl_prefer_server_ciphers off;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# https://hstspreload.org
add_header Strict-Transport-Security "max-age=63072000" always;
# By default, HSTS header is not added to subdomain requests. If you have subdomains and want
# HSTS to apply to all of them, you should add the includeSubDomains variable like this:
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;