feat: initial commit

Author: Bennett Goble

.dockerignore

@@ -0,0 +1 @@
+.git

.editorconfig

@@ -0,0 +1,9 @@
+root = true
+
+[*]
+end_of_line = lf
+insert_final_newline = true
+
+[*.sh]
+indent_style = space
+indent_size = 2 

.gitignore

@@ -0,0 +1,103 @@
+
+# Created by https://www.toptal.com/developers/gitignore/api/linux,macos,windows,go
+# Edit at https://www.toptal.com/developers/gitignore?templates=linux,macos,windows,go
+
+### Go ###
+# If you prefer the allow list template instead of the deny list, see community template:
+# https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore
+#
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Test binary, built with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Dependency directories (remove the comment below to include it)
+# vendor/
+
+# Go workspace file
+go.work
+
+### Go Patch ###
+/vendor/
+/Godeps/
+
+### Linux ###
+*~
+
+# temporary files which can be created if a process still has a handle open of a deleted file
+.fuse_hidden*
+
+# KDE directory preferences
+.directory
+
+# Linux trash folder which might appear on any partition or disk
+.Trash-*
+
+# .nfs files are created when an open file is removed but is still being accessed
+.nfs*
+
+### macOS ###
+# General
+.DS_Store
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+
+# Thumbnails
+._*
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+.com.apple.timemachine.donotpresent
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+### Windows ###
+# Windows thumbnail cache files
+Thumbs.db
+Thumbs.db:encryptable
+ehthumbs.db
+ehthumbs_vista.db
+
+# Dump file
+*.stackdump
+
+# Folder config file
+[Dd]esktop.ini
+
+# Recycle Bin used on file shares
+$RECYCLE.BIN/
+
+# Windows Installer files
+*.cab
+*.msi
+*.msix
+*.msm
+*.msp
+
+# Windows shortcuts
+*.lnk
+
+# End of https://www.toptal.com/developers/gitignore/api/linux,macos,windows,go
+test/test

Dockerfile

@@ -0,0 +1,28 @@
+############
+# Base 
+############
+FROM artifactory.secondlife.io/dockerhub/alpine:3 AS base
+RUN apk add --no-cache \
+    bash \
+    nginx \
+    nginx-mod-http-headers-more
+COPY src /
+ENV LISTEN_PORT=80
+EXPOSE 80
+STOPSIGNAL SIGQUIT
+ENTRYPOINT ["/docker-entrypoint.sh"]
+CMD ["nginx", "-g", "daemon off;"]
+
+############
+# Run tests
+############
+FROM base AS test
+RUN apk add --no-cache curl go
+COPY test /test
+WORKDIR /test
+RUN /test/test.sh
+
+############
+# Final 
+############
+FROM base

README.md

@@ -0,0 +1,32 @@
+# nginx-proxy
+
+A reverse proxy container with safe defaults for production environments.
+
+## Use
+
+Pair nginx-proxy with your favorite upstream server (wsgi, uwsgi, asgi, et al.)
+
+| Environment Variable | Description | Required | Default | Example |
+|----------------------|-------------|----------|---------|---------|
+| `PROXY_REVERSE_URL` | Upstream server URL | Yes | | http://myapp:8080 |
+| `LISTEN_PORT` | Server port | Yes | 8080 | |
+| `SILENT` | Silence entrypoint output | No | | |
+
+## Development
+
+A test suite is baked into nginx-proxy's Dockerfile. You can run it by building
+the test layer: `docker build --target test .`
+
+[nginx container]: https://hub.docker.com/_/nginx
+[mo]: https://github.com/tests-always-included/mo
+
+### Differences from standard nginx container
+
+Notable differences from the official [nginx container][]
+
+- [mo][] is used to render nginx configuration templates so that image startup
+  is aborted if a template variable is missing. This is an improvement over the
+  official image, which uses `envsubst`. 
+- alpine's official nginx package is used in order to ensure compatibility with
+  distro-provided nginx modules. This is another enhancement, as the official
+  image cannot be used with alpine's nginx modules.

src/docker-entrypoint.d/00-render-templates.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -eo pipefail
+
+source /docker-entrypoint.d/functions
+
+for f in /etc/nginx/templates/*.template
+do
+  final=$(basename "$f")
+  final=${final%.template}
+  final="/etc/nginx/conf.d/$final"
+  cat "$f" | mo --fail-not-set --fail-on-function > "$final"
+  log "$0: Rendered $f and moved it to $final"
+done

src/docker-entrypoint.d/functions

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# Shared functions for docker-entrypoint.d scripts
+
+log() {
+  if [ -z "$SILENT" ]; then
+    echo "$(basename $0) $@"
+  fi
+}

src/docker-entrypoint.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+set -e
+
+run-parts --exit-on-error /docker-entrypoint.d
+
+exec "$@"

src/etc/nginx/conf.d/00-log-format.conf

@@ -0,0 +1,39 @@
+log_format json_analytics escape=json '{'
+  '"msec": "$msec", '                                         # request unixtime in seconds with a milliseconds resolution
+  '"connection": "$connection", '                             # connection serial number
+  '"connection_requests": "$connection_requests", '           # number of requests made in connection
+  '"pid": "$pid", '                                           # process pid
+  '"request_id": "$request_id", '                             # unique request id
+  '"request_length": "$request_length", '                     # request length (including headers and body)
+  '"remote_addr": "$remote_addr", '                           # client IP
+  '"remote_user": "$remote_user", '                           # client HTTP username
+  '"remote_port": "$remote_port", '                           # client port
+  '"time_local": "$time_local", '
+  '"time_iso8601": "$time_iso8601", '                         # local time in the ISO 8601 standard format
+  '"request": "$request", '                                   # full path no arguments if the request
+  '"request_uri": "$request_uri", '                           # full path and arguments if the request
+  '"args": "$args", '                                         # args
+  '"status": "$status", '                                     # response status code
+  '"body_bytes_sent": "$body_bytes_sent", '                   # number of body bytes exclude headers sent to a client
+  '"bytes_sent": "$bytes_sent", '                             # number of bytes sent to a client
+  '"http_referer": "$http_referer", '                         # HTTP referer
+  '"http_user_agent": "$http_user_agent", '                   # user agent
+  '"http_x_forwarded_for": "$http_x_forwarded_for", '         # http_x_forwarded_for
+  '"http_host": "$http_host", '                               # request Host: header
+  '"server_name": "$server_name", '                           # name of the vhost serving the request
+  '"request_time": "$request_time", '                         # request processing time in seconds with msec resolution
+  '"upstream": "$upstream_addr", '                            # upstream backend server for proxied requests
+  '"upstream_connect_time": "$upstream_connect_time", '       # upstream handshake time incl. TLS
+  '"upstream_header_time": "$upstream_header_time", '         # time spent receiving upstream headers
+  '"upstream_response_time": "$upstream_response_time", '     # time spend receiving upstream body
+  '"upstream_response_length": "$upstream_response_length", ' # upstream response length
+  '"upstream_cache_status": "$upstream_cache_status", '       # cache HIT/MISS where applicable
+  '"ssl_protocol": "$ssl_protocol", '                         # TLS protocol
+  '"ssl_cipher": "$ssl_cipher", '                             # TLS cipher
+  '"scheme": "$scheme", '                                     # http or https
+  '"request_method": "$request_method", '                     # request method
+  '"server_protocol": "$server_protocol", '                   # request protocol, like HTTP/1.1 or HTTP/2.0
+  '"pipe": "$pipe", '                                         # "p" if request was pipelined, "." otherwise
+  '"gzip_ratio": "$gzip_ratio", '
+  '"http_cf_ray": "$http_cf_ray",'
+'}';

src/etc/nginx/nginx.conf

@@ -0,0 +1,55 @@
+user  nginx;
+worker_processes  auto;
+
+error_log  /dev/stderr;
+pid        /var/run/nginx.pid;
+
+# Used to zap Server header
+load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    # log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+    #                   '$status $body_bytes_sent "$http_referer" '
+    #                   '"$http_user_agent" "$http_x_forwarded_for"';
+
+    #access_log  /var/log/nginx/access.log  main;
+
+    #sendfile       on;
+    #tcp_nopush     on;
+
+    keepalive_timeout  65;
+    #gzip  on;
+
+    # Don't leak information about this server.
+    server_tokens off;
+
+    # Disable etag
+    etag off;
+
+    # Lower buffer size to possibly prevent DoS attacks and buffer overflow vulnerabilities.
+    client_body_buffer_size 1k;
+    client_header_buffer_size 1k;
+
+    # Nuke some headers we don't want leaking out
+    more_clear_headers "X-Powered-By";
+    more_clear_headers "X-Rack-Cache";
+    more_clear_headers "X-Runtime";
+
+    # Nuke 'Server' header which is aggresively set on noncommercial nginx distributions
+    # http://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens
+    # https://github.com/openresty/headers-more-nginx-module
+    more_clear_headers "Server";
+    more_clear_headers "server";
+
+    include /etc/nginx/conf.d/*.conf;
+
+    # For docker logs to work, we need to output to stdout/stderr
+    access_log /dev/stdout json_analytics;
+}