diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 0000000..aa129f2 --- /dev/null +++ b/.dockerignore @@ -0,0 +1 @@ +parameters \ No newline at end of file diff --git a/.gitea/workflows/alpine-dockerio.yaml b/.gitea/workflows/alpine-dockerio.yaml deleted file mode 100644 index 59fd497..0000000 --- a/.gitea/workflows/alpine-dockerio.yaml +++ /dev/null @@ -1,56 +0,0 @@ -name: Build and Push Alpine NGINX Image to docker.io Registry -on: - push: - branches: - - master - -jobs: - build: - name: Build and push image - runs-on: ubuntu-latest - container: - image: ghcr.io/catthehacker/ubuntu:act-latest - steps: - - name: Check out repository code - uses: actions/checkout@v3 - - name: Login to docker.io Registry - uses: docker/login-action@v3 - with: - registry: docker.io - username: aprimediet - password: ${{ secrets.DOCKER_TOKEN }} - - name: Build and push 1.22 - uses: docker/build-push-action@v5 - with: - context: . - file: Dockerfile.alpine - build-args: | - ALPINE_VERSION=3.17 - push: true - tags: | - aprimediet/nginx:1.22-alpine - aprimediet/nginx:1.22 - - name: Build and push 1.24 - uses: docker/build-push-action@v5 - with: - context: . - file: Dockerfile.alpine - build-args: | - ALPINE_VERSION=3.19 - push: true - tags: | - aprimediet/nginx:1.24-alpine - aprimediet/nginx:1.24 - - name: Build and push 1.26 - uses: docker/build-push-action@v5 - with: - context: . - file: Dockerfile.alpine - build-args: | - ALPINE_VERSION=3.21 - push: true - tags: | - aprimediet/nginx:1.26-alpine - aprimediet/nginx:1.26 - aprimediet/nginx:alpine - aprimediet/nginx:latest diff --git a/.gitea/workflows/alpine-winter.yaml b/.gitea/workflows/alpine-winter.yaml deleted file mode 100644 index 8b85a70..0000000 --- a/.gitea/workflows/alpine-winter.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -name: Build and Push Alpine NGINX Image to docker.io Registry -on: - push: - branches: - - master - -jobs: - build: - name: Build and push image - runs-on: ubuntu-latest - container: - image: ghcr.io/catthehacker/ubuntu:act-latest - steps: - - name: Check out repository code - uses: actions/checkout@v3 - - name: Login to docker.io Registry - uses: docker/login-action@v3 - with: - registry: git.winteraccess.id - username: ${{ vars.REGISTRY_USERNAME }} - password: ${{ secrets.REGISTRY_TOKEN }} - - name: Build and push 1.22 - uses: docker/build-push-action@v5 - with: - context: . - file: Dockerfile.alpine - build-args: | - REGISTRY_URL=git.winteraccess.id/docker - ALPINE_VERSION=3.17 - push: true - tags: | - git.winteraccess.id/${{ gitea.repository }}:1.22-alpine - git.winteraccess.id/${{ gitea.repository }}:1.22 - - name: Build and push 1.24 - uses: docker/build-push-action@v5 - with: - context: . - file: Dockerfile.alpine - build-args: | - REGISTRY_URL=git.winteraccess.id/docker - ALPINE_VERSION=3.19 - push: true - tags: | - git.winteraccess.id/${{ gitea.repository }}:1.24-alpine - git.winteraccess.id/${{ gitea.repository }}:1.24 - - name: Build and push 1.26 - uses: docker/build-push-action@v5 - with: - context: . - file: Dockerfile.alpine - build-args: | - REGISTRY_URL=git.winteraccess.id/docker - ALPINE_VERSION=3.21 - push: true - tags: | - git.winteraccess.id/${{ gitea.repository }}:1.26-alpine - git.winteraccess.id/${{ gitea.repository }}:1.26 - git.winteraccess.id/${{ gitea.repository }}:alpine - git.winteraccess.id/${{ gitea.repository }}:latest diff --git a/.gitea/workflows/alpine.yaml b/.gitea/workflows/alpine.yaml new file mode 100644 index 0000000..a84b27c --- /dev/null +++ b/.gitea/workflows/alpine.yaml 
@@ -0,0 +1,85 @@
+name: Build and push Nginx on alpine based container images
+
+on:
+ push:
+ branches:
+ - master
+
+jobs:
+ build:
+ name: Build nginx container images
+ runs-on: ubuntu-latest
+ container:
+ image: ghcr.io/catthehacker/ubuntu:act-latest
+ strategy:
+ matrix:
+ version:
+ - alpine: "3.17"
+ nginx: "1.22.1"
+ nginx_short: "1.22"
+ - alpine: "3.19"
+ nginx: "1.24.0"
+ nginx_short: "1.24"
+ - alpine: "3.21"
+ nginx: "1.26.2"
+ nginx_short: "1.26"
+ steps:
+ - name: Check out repository code
+ uses: actions/checkout@v4
+ - name: Login to docker.io
+ uses: docker/login-action@v3
+ with:
+ username: ${{ vars.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+ # - name: Set up QEMU
+ # uses: docker/setup-qemu-action@v3
+ - name: Setup Docker buildx
+ uses: docker/setup-buildx-action@v3
+ - name: Build and push nginx on alpine base
+ uses: docker/build-push-action@v5
+ with:
+ # platforms: linux/amd64,linux/arm64
+ push: true
+ context: .
+ file: Dockerfile.alpine
+ build-args: |
+ ALPINE_VERSION=${{ matrix.version.alpine }}
+ NGINX_VERSION=${{ matrix.version.nginx }}
+ tags: |
+ ${{ vars.DOCKERHUB_USERNAME }}/nginx:${{ matrix.version.nginx }}-alpine
+ ${{ vars.DOCKERHUB_USERNAME }}/nginx:${{ matrix.version.nginx_short }}-alpine
+ - name: Scan container image with Trivy
+ uses: aquasecurity/trivy-action@0.20.0
+ with:
+ image-ref: '${{ vars.DOCKERHUB_USERNAME }}/nginx:${{ matrix.version.nginx }}-alpine'
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ build-latest:
+ name: Build latest nginx alpine based container images
+ runs-on: ubuntu-latest
+ needs:
+ - build
+ container:
+ image: ghcr.io/catthehacker/ubuntu:act-latest
+ steps:
+ - name: Check out repository code
+ uses: actions/checkout@v4
+ - name: Login to docker.io
+ uses: docker/login-action@v3
+ with:
+ username: ${{ vars.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+ # - name: Set up QEMU
+ # uses: docker/setup-qemu-action@v3
+ - name: Setup Docker buildx
+ uses: docker/setup-buildx-action@v3
+ - name: Build and push latest nginx
+ uses: docker/build-push-action@v5
+ with:
+ # platforms: linux/amd64,linux/arm64
+ push: true
+ context: .
+ file: Dockerfile.alpine
+ tags: |
+ ${{ vars.DOCKERHUB_USERNAME }}/nginx:alpine
+ ${{ vars.DOCKERHUB_USERNAME }}/nginx:latest
diff --git a/.gitea/workflows/ubi9-dockerio.yaml b/.gitea/workflows/ubi9-dockerio.yaml
deleted file mode 100644
index 5073a2b..0000000
--- a/.gitea/workflows/ubi9-dockerio.yaml
+++ /dev/null
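Review bot: The Trivy step at the end of the `build` job scans `${{ vars.DOCKERHUB_USERNAME }}/nginx:${{ matrix.version.nginx }}-alpine` only after `push: true` has already published it, and it neither fails the job (no `exit-code`) nor uploads `trivy-results.sarif` anywhere in this workflow, so a vulnerable image is released and the finding is discarded with the runner. Build with `push: false` and `load: true`, scan with `exit-code: '1'` and `severity: 'CRITICAL,HIGH'`, and push in a separate step afterwards so findings gate the release. Every action here is referenced by a mutable tag (`@v4`, `@v3`, `@v5`, `@0.20.0`), including `docker/login-action@v3`, which receives `secrets.DOCKERHUB_TOKEN`; pin them to full commit SHAs so a moved tag cannot change what runs with the registry credential. The `build-latest` job passes no `build-args`, so `:latest` and `:alpine` are rebuilt from the Dockerfile defaults rather than retagged from the matrix output and can drift from `:1.26.2-alpine` whenever the two disagree. Note also that in Dockerfile.alpine `NGINX_VERSION` only sets a label and an env var while the installed nginx is whatever apk ships for that Alpine release, so nothing in the pipeline verifies that the tag matches the package actually installed.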
@@ -1,79 +0,0 @@ -name: Build and Push Alpine NGINX Image to docker.io Registry -on: - push: - branches: - - master - -jobs: - build: - name: Build and push ubi9 image - runs-on: ubuntu-latest - container: - image: ghcr.io/catthehacker/ubuntu:act-latest - steps: - - name: Check out repository code - uses: actions/checkout@v3 - - name: Login to docker.io Registry - uses: docker/login-action@v3 - with: - registry: docker.io - username: aprimediet - password: ${{ secrets.DOCKER_TOKEN }} - - name: Build and push 1.22 - uses: docker/build-push-action@v5 - with: - context: . - file: Dockerfile.ubi9 - build-args: | - NGINX_VERSION=1.22 - push: true - tags: | - aprimediet/nginx:1.22-ubi9 - - name: Build and push 1.24 - uses: docker/build-push-action@v5 - with: - context: . - file: Dockerfile.ubi9 - build-args: | - NGINX_VERSION=1.24 - push: true - tags: | - aprimediet/nginx:1.24-ubi9 - aprimediet/nginx:ubi9 - build-micro: - name: Build and push ubi9-micro image - runs-on: ubuntu-latest - container: - image: ghcr.io/catthehacker/ubuntu:act-latest - needs: - - build - steps: - - name: Check out repository code - uses: actions/checkout@v3 - - name: Login to docker.io Registry - uses: docker/login-action@v3 - with: - registry: docker.io - username: aprimediet - password: ${{ secrets.DOCKER_TOKEN }} - - name: Build and push 1.22 - uses: docker/build-push-action@v5 - with: - context: . - file: Dockerfile.ubi9-micro - build-args: | - NGINX_VERSION=1.22 - push: true - tags: | - aprimediet/nginx:1.22-ubi9-micro - - name: Build and push 1.24 - uses: docker/build-push-action@v5 - with: - context: . - file: Dockerfile.ubi9-micro - build-args: | - NGINX_VERSION=1.24 - push: true - tags: | - aprimediet/nginx:1.24-ubi9-micro - aprimediet/nginx:ubi9-micro \ No newline at end of file diff --git a/.gitea/workflows/ubi9-winter.yaml b/.gitea/workflows/ubi9-winter.yaml deleted file mode 100644 index 136fb48..0000000 --- a/.gitea/workflows/ubi9-winter.yaml +++ /dev/null 
@@ -1,83 +0,0 @@ -name: Build and Push Alpine NGINX Image to git.winteraccess.id Registry -on: - push: - branches: - - master - -jobs: - build: - name: Build and push ubi9 image - runs-on: ubuntu-latest - container: - image: ghcr.io/catthehacker/ubuntu:act-latest - steps: - - name: Check out repository code - uses: actions/checkout@v3 - - name: Login to git.winteraccess.id Registry - uses: docker/login-action@v3 - with: - registry: git.winteraccess.id - username: ${{ vars.REGISTRY_USERNAME }} - password: ${{ secrets.REGISTRY_TOKEN }} - - name: Build and push 1.22 - uses: docker/build-push-action@v5 - with: - context: . - file: Dockerfile.ubi9 - build-args: | - REGISTRY_URL=git.winteraccess.id/docker - NGINX_VERSION=1.22 - push: true - tags: | - git.winteraccess.id/${{ gitea.repository }}:1.22-ubi9 - - name: Build and push 1.24 - uses: docker/build-push-action@v5 - with: - context: . - file: Dockerfile.ubi9 - build-args: | - REGISTRY_URL=git.winteraccess.id/docker - NGINX_VERSION=1.24 - push: true - tags: | - git.winteraccess.id/${{ gitea.repository }}:1.24-ubi9 - git.winteraccess.id/${{ gitea.repository }}:ubi9 - build-micro: - name: Build and push ubi9-micro image - runs-on: ubuntu-latest - container: - image: ghcr.io/catthehacker/ubuntu:act-latest - needs: - - build - steps: - - name: Check out repository code - uses: actions/checkout@v3 - - name: Login to git.winteraccess.id Registry - uses: docker/login-action@v3 - with: - registry: git.winteraccess.id - username: ${{ vars.REGISTRY_USERNAME }} - password: ${{ secrets.REGISTRY_TOKEN }} - - name: Build and push 1.22 - uses: docker/build-push-action@v5 - with: - context: . - file: Dockerfile.ubi9-micro - build-args: | - REGISTRY_URL=git.winteraccess.id/docker - NGINX_VERSION=1.22 - push: true - tags: | - git.winteraccess.id/${{ gitea.repository }}:1.22-ubi9-micro - - name: Build and push 1.24 - uses: docker/build-push-action@v5 - with: - context: . 
- file: Dockerfile.ubi9-micro - build-args: | - REGISTRY_URL=git.winteraccess.id/docker - NGINX_VERSION=1.24 - push: true - tags: | - git.winteraccess.id/${{ gitea.repository }}:1.24-ubi9-micro - git.winteraccess.id/${{ gitea.repository }}:ubi9-micro \ No newline at end of file diff --git a/Dockerfile.alpine b/Dockerfile.alpine index 14fe977..107ad40 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine 
@@ -1,41 +1,59 @@ # 1.22.1 Alpine 3.17 # 1.24.0 Alpine 3.19 # 1.26.2 Alpine 3.21 -ARG REGISTRY_URL=docker.io/aprimediet ARG ALPINE_VERSION=3.21 -FROM ${REGISTRY_URL}/alpine:${ALPINE_VERSION} +FROM docker.io/aprimediet/alpine:${ALPINE_VERSION} AS builder LABEL maintainer=" aprimediet@gmail.com" USER root -# Add nginx user and group -RUN addgroup -g 10001 nginx && \ - adduser -D -u 10001 -G nginx -s /sbin/nologin -h /app nginx && \ - mkdir -p /var/run/nginx && \ - chown nginx:nginx /var/run/nginx +ENV NGINX_ROOT_DIR=/app -# INSTALL WGET AND REQUIRED BUILD TOOLS -RUN --mount=type=cache,target=/var/cache/apk \ - apk update && apk upgrade && apk add \ - nginx +# Add nginx user and group and install nginx +RUN /usr/sbin/addgroup -g 10001 nginx; \ + /usr/sbin/adduser -D -u 10001 -G nginx -s /sbin/nologin -h ${NGINX_ROOT_DIR}/htdocs nginx; \ + /sbin/apk --no-cache upgrade; \ + /sbin/apk --no-cache --update add \ + nginx; -# COPY CONFIGURATION FILES -ADD ./etc/alpine /etc/nginx -ADD ./app /app +# Required files +ADD ./etc/nginx /etc/nginx +ADD ./scripts/entrypoint.sh /usr/local/bin/ +ADD ./htdocs /app/htdocs -RUN chown -R nginx:nginx /app && \ - chown -R nginx:nginx /var/lib/nginx +RUN /bin/chmod +x /usr/local/bin/entrypoint.sh; \ + /bin/chown -R nginx:nginx /app ; \ + /sbin/apk del curl ; \ + /bin/rm -rf /var/cache/apk/* ; -# CLEAR CACHE -RUN apk del curl && \ - rm -rf /var/cache/apk/* && \ - rm -rf /etc/nginx/http.d +FROM scratch + +ARG NGINX_VERSION=1.26.2 + +ENV NGINX_VERSION=${NGINX_VERSION} + +LABEL maintainer="Muhamad Aditya Prima " +LABEL name="nginx" +LABEL version="${NGINX_VERSION}" +LABEL distribution-scope="public" + +#labels for container catalog +LABEL summary="Nginx ${NGINX_VERSION} on alpine based container image" +LABEL description="Provide nginx on alpine based container base image" +LABEL io.k8s.description="Very small alpine linux container image" +LABEL io.k8s.display-name="Nginx ${NGINX_VERSION}" + +COPY --from=builder / / USER nginx -WORKDIR /app 
+WORKDIR /app/htdocs EXPOSE 80 -CMD ["nginx"] +STOPSIGNAL SIGQUIT + +# ENTRYPOINT ["/bin/sh"] + +ENTRYPOINT ["/usr/local/bin/entrypoint.sh"] \ No newline at end of file diff --git a/Dockerfile.ubi9-micro b/Dockerfile.ubi9-micro index fcadd3a..31097dd 100644 --- a/Dockerfile.ubi9-micro +++ b/Dockerfile.ubi9-micro @@ -10,6 +10,11 @@ LABEL maintainer=" aprimediet@gmail.com" USER root +# Create user and group +RUN echo "nginx:x:10001:" >> /etc/group && \ + echo "nginx:x:10001:10001:nginx:/app:/sbin/nologin" >> /etc/passwd && \ + echo "nginx:!!:20070::::::" >> /etc/shadow + # Create nginx run and logs directory RUN mkdir -p /var/run/nginx && \ mkdir -p /var/log/nginx && \ diff --git a/etc/alpine/nginx.conf b/etc/alpine/nginx.conf index 65ab6da..71306c0 100644 --- a/etc/alpine/nginx.conf +++ b/etc/alpine/nginx.conf @@ -8,7 +8,7 @@ worker_rlimit_nofile 100000; # Set log to stderr error_log stderr warn; -pid /var/run/nginx/nginx.pid; +pid #NGINX_RUN_DIR#/nginx.pid; include /etc/nginx/modules/*.conf; @@ -19,6 +19,7 @@ events { http { include /etc/nginx/mime.types; default_type application/octet-stream; + server_tokens off; keepalive_timeout 15; sendfile on; 
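Review bot: The builder `RUN` joins `addgroup`, `adduser`, `apk --no-cache upgrade` and `apk --no-cache --update add nginx` with `;`, so a failure in any of them (uid 10001 already taken, package unavailable) is ignored and the build still succeeds, potentially producing an image without nginx or without the nginx user; chain them with `&& \` as the removed lines did, and the same applies to the `chmod`/`chown`/`apk del` RUN below it. The hunk also drops the `mkdir -p /var/run/nginx && chown nginx:nginx /var/run/nginx` and `chown -R nginx:nginx /var/lib/nginx` steps, while the new etc/nginx/nginx.conf still sets `pid /var/run/nginx/nginx.pid;` and the process runs as `USER nginx`, so unless the apk package creates those directories writable by uid 10001 nginx will fail at startup; confirm in the final image or restore those lines. `COPY --from=builder / /` into `FROM scratch` copies the entire builder root (shell, apk database, busybox) rather than just nginx and its dependencies, so the result is a squashed Alpine image, not the "Very small" one the `io.k8s.description` label promises. Prefer `COPY` to `ADD` for `./etc/nginx`, `./scripts/entrypoint.sh` and `./htdocs`, since `ADD` additionally auto-extracts archives and accepts URLs.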
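Review bot: `pid #NGINX_RUN_DIR#/nginx.pid;` cannot be loaded as written, because `#` starts a comment in nginx configuration: the parser sees a `pid` directive with no argument and no terminating `;`, continues into the next line and rejects the file. The substitution meant to fill the placeholder is in scripts/entrypoint.sh, where every `sed` line is commented out and targets `/app/conf/nginx.conf` rather than `/etc/nginx/`, and Dockerfile.alpine now ships `./etc/nginx` instead of `./etc/alpine`, so it is not clear from this diff which image still consumes this file. If it is still used, keep the literal `pid /var/run/nginx/nginx.pid;` or template with a token that is not a comment character, e.g. `@NGINX_RUN_DIR@`, and run the substitution before nginx starts; `root #NGINX_ROOT_DIR#;` in the following hunk has the same problem, whereas the `#NGINX_ENABLE_*#` markers there are harmless because they deliberately comment out whole lines.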
@@ -63,6 +64,30 @@ http { gzip_disable "msie6"; # gzip_types text/plain application/x-javascript text/xml text/css application/xml; gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon image/bmp; + + server { + listen 80 default_server; + listen [::]:80 default_server; + + server_name _; + root #NGINX_ROOT_DIR#; + index index.html; + + error_log stderr warn; + + location / { + try_files $uri $uri/ index.html; + } + + #NGINX_ENABLE_STATIC_CACHE#location ~* .(jpg|jpeg|png|gif|ico|css|js|flv|mp4)$ { + #NGINX_ENABLE_STATIC_CACHE# expires 30d; + #NGINX_ENABLE_STATIC_CACHE#} + + #NGINX_ENABLE_STUB#location /nginx-status { + #NGINX_ENABLE_STUB# stub_status on; + #NGINX_ENABLE_STUB# allow all; + #NGINX_ENABLE_STUB#} + } include /etc/nginx/conf.d/*.conf; } \ No newline at end of file diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf new file mode 100644 index 0000000..1dea165 --- /dev/null +++ b/etc/nginx/nginx.conf 
@@ -0,0 +1,93 @@
+# /etc/nginx/nginx.conf
+
+# Do not start as daemon
+daemon off;
+
+worker_processes auto;
+worker_rlimit_nofile 100000;
+
+# Set log to stderr
+error_log stderr warn;
+pid /var/run/nginx/nginx.pid;
+
+include /etc/nginx/modules/*.conf;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ server_tokens off;
+ keepalive_timeout 15;
+ sendfile on;
+ tcp_nodelay on;
+
+ log_format custom_log '[$time_local] [NGINX] - $remote_addr - $remote_user - '
+ '"$request" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent" "$http_x_forwarded_for" "$gzip_ratio"';
+
+ # Log access to stdout
+ access_log /dev/stdout custom_log;
+
+ # SSL
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:2m;
+
+ # buffering causes issues, disable it
+ # increase buffer size. still useful even when buffering is off
+ proxy_buffering off;
+ proxy_buffer_size 4k;
+
+ # Buffer size
+ client_body_buffer_size 10k;
+ client_header_buffer_size 1k;
+ client_max_body_size 8m;
+ large_client_header_buffers 2 1k;
+
+ # Timeouts
+ client_body_timeout 12;
+ client_header_timeout 12;
+ send_timeout 10;
+
+ # GZip Compression
+ gzip on;
+ gzip_http_version 1.0;
+ gzip_vary on;
+ gzip_comp_level 4;
+ gzip_min_length 1280;
+ gzip_buffers 128 4k;
+ # gzip_proxied expired no-cache no-store private auth;
+ gzip_proxied any;
+ gzip_disable "msie6";
+ # gzip_types text/plain application/x-javascript text/xml text/css application/xml;
+ gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon image/bmp;
+
+ server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ server_name _;
+ root /app/htdocs;
+ index index.html;
+
+ error_log stderr warn;
+
+ location / {
+ try_files $uri $uri/ index.html;
+ }
+
+ location ~* .(jpg|jpeg|png|gif|ico|css|js|flv|mp4)$ {
+ expires 30d;
+ }
+
+ location /nginx-status {
+ stub_status
on;
+ allow all;
+ }
+ }
+
+ include /etc/nginx/conf.d/*.conf;
+}
\ No newline at end of file
diff --git a/app/index.html b/htdocs/index.html
similarity index 100%
rename from app/index.html
rename to htdocs/index.html
diff --git a/scripts/entrypoint.sh b/scripts/entrypoint.sh
new file mode 100644
index 0000000..033f8d4
--- /dev/null
+++ b/scripts/entrypoint.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+/bin/echo "### Nginx version :$NGINX_VERSION ###";
+/bin/echo "### Maintainer: aprimediet@gmail.com ###";
+/bin/echo "";
+# /bin/echo "### Configuring nginx ###";
+
+# /bin/mkdir -p $NGINX_RUN_DIR;
+
+# /bin/sed -i "s|#NGINX_RUN_DIR#|$NGINX_RUN_DIR|" /app/conf/nginx.conf;
+# /bin/sed -i "s|#NGINX_ROOT_DIR#|$NGINX_ROOT_DIR|" /app/conf/nginx.conf;
+# /bin/sed -i "s|#NGINX_RUN_DIR#|$NGINX_RUN_DIR|" /app/conf/nginx.conf;
+
+# if [[ "$ENABLE_STATIC_CACHE" == "true" ]]; then
+# /bin/sed -i "s|#NGINX_ENABLE_STATIC_CACHE#||" /app/conf/nginx.conf;
+# fi
+
+# if [[ "$ENABLE_STUB" == "true" ]]; then
+# /bin/sed -i "s|#NGINX_ENABLE_STUB#||" /app/conf/nginx.conf;
+# fi
+
+/bin/echo "";
+/bin/echo "### Starting Nginx $NGINX_VERSION ###";
+/bin/echo "";
+
+/usr/sbin/nginx
\ No newline at end of file
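Review bot: `location /nginx-status { stub_status on; allow all; }` is enabled unconditionally on the default server, so anyone who can reach port 80 can read the active-connection and request counters; restrict it to the loopback or the monitoring network, `allow 127.0.0.1; allow ::1; deny all;`, or leave it out and make the status path an explicit opt-in. `try_files $uri $uri/ index.html;` gives the fallback without a leading slash; the final `try_files` argument is a URI for an internal redirect, so it should read `/index.html` (etc/alpine/nginx.conf has the same line). The static-asset pattern `~* .(jpg|jpeg|png|gif|ico|css|js|flv|mp4)$` has an unescaped dot, so it matches any character before the extension; `\.(jpg|…)$` is what is intended.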
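Review bot: The final `/usr/sbin/nginx` is started as a child of `sh` instead of replacing it, so PID 1 in the container is the shell; the `STOPSIGNAL SIGQUIT` declared in Dockerfile.alpine is delivered to `sh`, which does not forward it, so nginx never gets a graceful shutdown and the runtime force-kills the container after its grace period. Change the last line to `exec /usr/sbin/nginx`. The script also lacks `set -eu`, and the commented-out block uses `[[ ... ]]` together with `$NGINX_RUN_DIR` and `/app/conf/nginx.conf`, which no longer match the image (`ENV NGINX_ROOT_DIR=/app` is the only related variable Dockerfile.alpine sets, and the config is shipped under `/etc/nginx`); when it is re-enabled, use the POSIX form `[ "$ENABLE_STUB" = "true" ]` and point `sed` at the file that is actually installed.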