tcjlj/nginx-proxy-manager-zh
1
0
Fork 0
mirror of https://github.com/xiaoxinpro/nginx-proxy-manager-zh.git synced 2025-02-02 09:48:13 -05:00
Code Issues Actions Packages Projects Releases Wiki Activity

Bring up to recent v2 changes around s6

Browse Source
This commit is contained in:
Jamie Curnow 2023-05-11 09:58:20 +10:00
parent e7ef809b10
commit fb8ca0b02f
No known key found for this signature in database
GPG Key ID: FFBB624C43388E9E
19 changed files with 175 additions and 62 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
docker/Dockerfile
View File

@ -18,8 +18,6 @@ ARG SENTRY_DSN
ENV BUILD_COMMIT="${BUILD_COMMIT:-dev}" \ ENV BUILD_COMMIT="${BUILD_COMMIT:-dev}" \
BUILD_VERSION="${BUILD_VERSION:-0.0.0}" \ BUILD_VERSION="${BUILD_VERSION:-0.0.0}" \
CGO_ENABLED=0 \
GO111MODULE=on \
GOPRIVATE="${GOPRIVATE:-}" \ GOPRIVATE="${GOPRIVATE:-}" \
GOPROXY="${GOPROXY:-}" \ GOPROXY="${GOPROXY:-}" \
SENTRY_DSN="${SENTRY_DSN:-}" SENTRY_DSN="${SENTRY_DSN:-}"
@ -43,19 +41,22 @@ COPY --from=pebbleca /test/certs/pebble.minica.pem /etc/ssl/certs/pebble.minica.
COPY --from=testca /home/step/certs/root_ca.crt /etc/ssl/certs/NginxProxyManager.crt COPY --from=testca /home/step/certs/root_ca.crt /etc/ssl/certs/NginxProxyManager.crt
# These acmesh vars are defined in the base image # These acmesh vars are defined in the base image
ENV SUPPRESS_NO_CONFIG_WARNING=1 \ ENV ACMESH_CONFIG_HOME=/data/.acme.sh/config \
S6_LOGGING=0 \
ACMESH_CONFIG_HOME=/data/.acme.sh/config \
ACMESH_HOME=/data/.acme.sh \ ACMESH_HOME=/data/.acme.sh \
CERT_HOME=/data/.acme.sh/certs \ CERT_HOME=/data/.acme.sh/certs \
LE_CONFIG_HOME=/data/.acme.sh/config \ LE_CONFIG_HOME=/data/.acme.sh/config \
LE_WORKING_DIR=/data/.acme.sh LE_WORKING_DIR=/data/.acme.sh \
S6_BEHAVIOUR_IF_STAGE2_FAILS=1 \
S6_CMD_WAIT_FOR_SERVICES_MAXTIME=0 \
S6_FIX_ATTRS_HIDDEN=1 \
S6_KILL_FINISH_MAXTIME=10000 \
S6_VERBOSITY=1
RUN echo "fs.file-max = 65535" > /etc/sysctl.conf RUN echo "fs.file-max = 65535" > /etc/sysctl.conf
# fail2ban # fail2ban
RUN apt-get update \ RUN apt-get update \
&& apt-get install -y --no-install-recommends fail2ban \ && apt-get install -y --no-install-recommends fail2ban logrotate \
&& apt-get clean \ && apt-get clean \
&& rm -rf /var/lib/apt/lists/* /etc/fail2ban && rm -rf /var/lib/apt/lists/* /etc/fail2ban

17
docker/dev/Dockerfile
View File

@ -8,24 +8,25 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
ARG GOPROXY ARG GOPROXY
ARG GOPRIVATE ARG GOPRIVATE
ENV GOPROXY=$GOPROXY \ ENV ACMESH_CONFIG_HOME=/data/.acme.sh/config \
GOPRIVATE=$GOPRIVATE \
S6_LOGGING=0 \
SUPPRESS_NO_CONFIG_WARNING=1 \
ACMESH_CONFIG_HOME=/data/.acme.sh/config \
ACMESH_HOME=/data/.acme.sh \ ACMESH_HOME=/data/.acme.sh \
CERT_HOME=/data/.acme.sh/certs \ CERT_HOME=/data/.acme.sh/certs \
GOPROXY=$GOPROXY \
GOPRIVATE=$GOPRIVATE \
LE_CONFIG_HOME=/data/.acme.sh/config \ LE_CONFIG_HOME=/data/.acme.sh/config \
LE_WORKING_DIR=/data/.acme.sh \ LE_WORKING_DIR=/data/.acme.sh \
CGO_ENABLED=0 \ S6_BEHAVIOUR_IF_STAGE2_FAILS=1 \
GO111MODULE=on S6_CMD_WAIT_FOR_SERVICES_MAXTIME=0 \
S6_FIX_ATTRS_HIDDEN=1 \
S6_KILL_FINISH_MAXTIME=10000 \
S6_VERBOSITY=2
RUN echo "fs.file-max = 65535" > /etc/sysctl.conf RUN echo "fs.file-max = 65535" > /etc/sysctl.conf
# node, fail2ban # node, fail2ban
RUN curl -fsSL https://deb.nodesource.com/setup_18.x | bash - \ RUN curl -fsSL https://deb.nodesource.com/setup_18.x | bash - \
&& apt-get update \ && apt-get update \
&& apt-get install -y --no-install-recommends nodejs vim dnsutils fail2ban \ && apt-get install -y --no-install-recommends nodejs vim dnsutils fail2ban logrotate \
&& npm install --location=global yarn \ && npm install --location=global yarn \
&& apt-get clean \ && apt-get clean \
&& rm -rf /var/lib/apt/lists/* /etc/fail2ban && rm -rf /var/lib/apt/lists/* /etc/fail2ban

3
docker/docker-compose.ci.yml
View File

@ -1,5 +1,5 @@
# WARNING: This is a CI docker-compose file used for building and testing of the entire app, it should not be used for production. # WARNING: This is a CI docker-compose file used for building and testing of the entire app, it should not be used for production.
version: "3.8" version: '3.8'
services: services:
fullstack: fullstack:
@ -7,6 +7,7 @@ services:
environment: environment:
- NPM_LOG_LEVEL=debug - NPM_LOG_LEVEL=debug
- NPM_LOG_FORMAT=json - NPM_LOG_FORMAT=json
- DISABLE_IPV6=true
volumes: volumes:
- '/etc/localtime:/etc/localtime:ro' - '/etc/localtime:/etc/localtime:ro'
- npm_data_ci:/data - npm_data_ci:/data

5
docker/docker-compose.dev.yml
View File

@ -1,10 +1,10 @@
# WARNING: This is a DEVELOPMENT docker-compose file used for development of the entire app, it should not be used for production. # WARNING: This is a DEVELOPMENT docker-compose file used for development of the entire app, it should not be used for production.
version: "3.8" version: '3.8'
services: services:
npm: npm:
image: nginxproxymanager:dev image: nginxproxymanager:dev
container_name: "npm.dev" container_name: 'npm.dev'
build: build:
context: ../ context: ../
dockerfile: ./docker/dev/Dockerfile dockerfile: ./docker/dev/Dockerfile
@ -16,6 +16,7 @@ services:
- 3081:81 - 3081:81
- 3443:443 - 3443:443
environment: environment:
#DEBUG: 'true'
DEVELOPMENT: 'true' DEVELOPMENT: 'true'
GOPROXY: "${GOPROXY:-}" GOPROXY: "${GOPROXY:-}"
GOPRIVATE: "${GOPRIVATE:-}" GOPRIVATE: "${GOPRIVATE:-}"

17
docker/rootfs/bin/common.sh
View File

@ -12,6 +12,11 @@ export CYAN BLUE YELLOW RED RESET
PUID=${PUID:-0} PUID=${PUID:-0}
PGID=${PGID:-0} PGID=${PGID:-0}
NPMUSER=npm
NPMGROUP=npm
NPMHOME=/tmp/npmuserhome
export NPMUSER NPMGROUP NPMHOME
if [[ "$PUID" -ne '0' ]] && [ "$PGID" = '0' ]; then if [[ "$PUID" -ne '0' ]] && [ "$PGID" = '0' ]; then
# set group id to same as user id, # set group id to same as user id,
# the user probably forgot to specify the group id and # the user probably forgot to specify the group id and
@ -38,8 +43,16 @@ log_fatal () {
exit 1 exit 1
} }
disable_ipv6 () { # param $1: group_name
if [ "$DISABLE_IPV6" == 'true' ] || [ "$DISABLE_IPV6" == 'on' ] || [ "$DISABLE_IPV6" == '1' ] || [ "$DISABLE_IPV6" == 'yes' ]; then get_group_id () {
if [ "${1:-}" != '' ]; then
getent group "$1" | cut -d: -f3
fi
}
# param $1: value
is_true () {
if [ "$1" == 'true' ] || [ "$1" == 'on' ] || [ "$1" == '1' ] || [ "$1" == 'yes' ]; then
echo '1' echo '1'
else else
echo '0' echo '0'

25
docker/rootfs/etc/logrotate.d/nginx-proxy-manager Normal file
View File

@ -0,0 +1,25 @@
/data/logs/*_access.log /data/logs/*/access.log {
create 0644 root root
weekly
rotate 4
missingok
notifempty
compress
sharedscripts
postrotate
/bin/kill -USR1 `cat /run/nginx.pid 2>/dev/null` 2>/dev/null || true
endscript
}
/data/logs/*_error.log /data/logs/*/error.log {
create 0644 root root
weekly
rotate 10
missingok
notifempty
compress
sharedscripts
postrotate
/bin/kill -USR1 `cat /run/nginx.pid 2>/dev/null` 2>/dev/null || true
endscript
}

14
docker/rootfs/etc/s6-overlay/s6-rc.d/backend/run
View File

@ -5,18 +5,22 @@ set -e
. /bin/common.sh . /bin/common.sh
if [ "$(is_true "$DEBUG")" = '1' ]; then
set -x
fi
log_info 'Starting backend ...' log_info 'Starting backend ...'
if [ "$DEVELOPMENT" == "true" ]; then if [ "$(is_true "$DEVELOPMENT")" = '1' ]; then
HOME=/tmp/npmuserhome HOME=$NPMHOME
GOPATH="$HOME/go" GOPATH="$HOME/go"
mkdir -p "$GOPATH" mkdir -p "$GOPATH"
chown -R npmuser:npmuser "$GOPATH" chown -R "$PUID:$PGID" "$GOPATH"
export HOME GOPATH export HOME GOPATH
rm -rf /app/backend/.task rm -rf /app/backend/.task
cd /app/backend || exit 1 cd /app/backend || exit 1
exec s6-setuidgid npmuser task -w exec s6-setuidgid "$PUID:$PGID" task -w
else else
cd /app/bin || exit 1 cd /app/bin || exit 1
exec s6-setuidgid npmuser /app/bin/server exec s6-setuidgid "$PUID:$PGID" /app/bin/server
fi fi

4
docker/rootfs/etc/s6-overlay/s6-rc.d/fail2ban/run
View File

@ -3,5 +3,9 @@
. /bin/common.sh . /bin/common.sh
if [ "$(is_true "$DEBUG")" = '1' ]; then
set -x
fi
log_info 'Starting fail2ban ...' log_info 'Starting fail2ban ...'
exec /usr/bin/fail2ban-client -c /fail2ban -x -vv -f start exec /usr/bin/fail2ban-client -c /fail2ban -x -vv -f start

18
docker/rootfs/etc/s6-overlay/s6-rc.d/frontend/run
View File

@ -3,22 +3,24 @@
set -e set -e
# This service is DEVELOPMENT only. . /bin/common.sh
if [ "$DEVELOPMENT" == "true" ]; then if [ "$(is_true "$DEBUG")" = '1' ]; then
set -x
fi
# This service is DEVELOPMENT only.
if [ "$(is_true "$DEVELOPMENT")" = '1' ]; then
CI=true CI=true
HOME=/tmp/npmuserhome HOME=$NPMHOME
export CI export CI
export HOME export HOME
. /bin/common.sh
cd /app/frontend || exit 1 cd /app/frontend || exit 1
HOME=/tmp/npmuserhome
export HOME
log_info 'Starting frontend ...' log_info 'Starting frontend ...'
s6-setuidgid npmuser yarn install s6-setuidgid "$PUID:$PGID" yarn install
exec s6-setuidgid npmuser yarn start exec s6-setuidgid "$PUID:$PGID" yarn start
else else
exit 0 exit 0
fi fi

6
docker/rootfs/etc/s6-overlay/s6-rc.d/nginx/run
View File

@ -5,5 +5,9 @@ set -e
. /bin/common.sh . /bin/common.sh
if [ "$(is_true "$DEBUG")" = '1' ]; then
set -x
fi
log_info 'Starting nginx ...' log_info 'Starting nginx ...'
exec s6-setuidgid npmuser nginx exec s6-setuidgid "$PUID:$PGID" nginx

6
docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/00-all.sh
View File

@ -9,7 +9,11 @@ if [ "$(id -u)" != "0" ]; then
log_fatal "This docker container must be run as root, do not specify a user.\nYou can specify PUID and PGID env vars to run processes as that user and group after initialization." log_fatal "This docker container must be run as root, do not specify a user.\nYou can specify PUID and PGID env vars to run processes as that user and group after initialization."
fi fi
. /etc/s6-overlay/s6-rc.d/prepare/10-npmuser.sh if [ "$(is_true "$DEBUG")" = '1' ]; then
set -x
fi
. /etc/s6-overlay/s6-rc.d/prepare/10-usergroup.sh
. /etc/s6-overlay/s6-rc.d/prepare/20-paths.sh . /etc/s6-overlay/s6-rc.d/prepare/20-paths.sh
. /etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh . /etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh
. /etc/s6-overlay/s6-rc.d/prepare/40-dynamic.sh . /etc/s6-overlay/s6-rc.d/prepare/40-dynamic.sh

40
docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/10-usergroup.sh Executable file
View File

@ -0,0 +1,40 @@
#!/command/with-contenv bash
# shellcheck shell=bash
set -e
log_info "Configuring $NPMUSER user ..."
if id -u "$NPMUSER" 2>/dev/null; then
# user already exists
usermod -u "$PUID" "$NPMUSER"
else
# Add user
useradd -o -u "$PUID" -U -d "$NPMHOME" -s /bin/false "$NPMUSER"
fi
log_info "Configuring $NPMGROUP group ..."
if [ "$(get_group_id "$NPMGROUP")" = '' ]; then
# Add group. This will not set the id properly if it's already taken
groupadd -f -g "$PGID" "$NPMGROUP"
else
groupmod -o -g "$PGID" "$NPMGROUP"
fi
# Set the group ID and check it
groupmod -o -g "$PGID" "$NPMGROUP"
if [ "$(get_group_id "$NPMGROUP")" != "$PGID" ]; then
echo "ERROR: Unable to set group id properly"
exit 1
fi
# Set the group against the user and check it
usermod -G "$PGID" "$NPMGROUP"
if [ "$(id -g "$NPMUSER")" != "$PGID" ] ; then
echo "ERROR: Unable to set group against the user properly"
exit 1
fi
# Home for user
mkdir -p "$NPMHOME"
chown -R "$PUID:$PGID" "$NPMHOME"

10
docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/20-paths.sh
View File

@ -11,15 +11,17 @@ if [ ! -d '/data' ]; then
fi fi
# Create required folders # Create required folders
mkdir -p /tmp/nginx/body \ mkdir -p \
/data/logs \
/data/nginx \
/run/nginx \ /run/nginx \
/tmp/nginx/body \
/var/log/nginx \ /var/log/nginx \
/var/lib/nginx/cache/public \ /var/lib/nginx/cache/public \
/var/lib/nginx/cache/private \ /var/lib/nginx/cache/private \
/var/cache/nginx/proxy_temp \ /var/cache/nginx/proxy_temp
/data/logs \
/data/nginx
touch /var/log/nginx/error.log || true touch /var/log/nginx/error.log || true
chmod 777 /var/log/nginx/error.log || true chmod 777 /var/log/nginx/error.log || true
chmod -R 777 /var/cache/nginx || true chmod -R 777 /var/cache/nginx || true
chmod 644 /etc/logrotate.d/nginx-proxy-manager

21
docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh
View File

@ -8,15 +8,16 @@ log_info 'Setting ownership ...'
# root # root
chown root /tmp/nginx chown root /tmp/nginx
# npmuser # npm user and group
chown -R "$PUID:$PGID" /data \ chown -R "$PUID:$PGID" /data
/run/nginx \ chown -R "$PUID:$PGID" /run/nginx
/tmp/nginx \ chown -R "$PUID:$PGID" /tmp/nginx
/var/cache/nginx \ chown -R "$PUID:$PGID" /var/cache/nginx
/var/lib/nginx \ chown -R "$PUID:$PGID" /var/lib/logrotate
/var/log/nginx chown -R "$PUID:$PGID" /var/lib/nginx
chown -R "$PUID:$PGID" /var/log/nginx
# Don't chown entire /etc/nginx folder as this causes crashes on some systems # Don't chown entire /etc/nginx folder as this causes crashes on some systems
chown -R "$PUID:$PGID" /etc/nginx/nginx \ chown -R "$PUID:$PGID" /etc/nginx/nginx
/etc/nginx/nginx.conf \ chown -R "$PUID:$PGID" /etc/nginx/nginx.conf
/etc/nginx/conf.d chown -R "$PUID:$PGID" /etc/nginx/conf.d

2
docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/40-dynamic.sh
View File

@ -9,7 +9,7 @@ DISABLE_IPV6=$(echo "${DISABLE_IPV6:-}" | tr '[:upper:]' '[:lower:]')
# Dynamically generate resolvers file, if resolver is IPv6, enclose in `[]` # Dynamically generate resolvers file, if resolver is IPv6, enclose in `[]`
# thanks @tfmm # thanks @tfmm
if [ "$(disable_ipv6)" == '1' ]; then if [ "$(is_true "$DISABLE_IPV6")" = '1' ]; then
echo resolver "$(awk 'BEGIN{ORS=" "} $1=="nameserver" { sub(/%.*$/,"",$2); print ($2 ~ ":")? "["$2"]": $2}' /etc/resolv.conf) ipv6=off valid=10s;" > /etc/nginx/conf.d/include/resolvers.conf echo resolver "$(awk 'BEGIN{ORS=" "} $1=="nameserver" { sub(/%.*$/,"",$2); print ($2 ~ ":")? "["$2"]": $2}' /etc/resolv.conf) ipv6=off valid=10s;" > /etc/nginx/conf.d/include/resolvers.conf
else else
echo resolver "$(awk 'BEGIN{ORS=" "} $1=="nameserver" { sub(/%.*$/,"",$2); print ($2 ~ ":")? "["$2"]": $2}' /etc/resolv.conf) valid=10s;" > /etc/nginx/conf.d/include/resolvers.conf echo resolver "$(awk 'BEGIN{ORS=" "} $1=="nameserver" { sub(/%.*$/,"",$2); print ($2 ~ ":")? "["$2"]": $2}' /etc/resolv.conf) valid=10s;" > /etc/nginx/conf.d/include/resolvers.conf

13
docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh
View File

@ -1,8 +1,11 @@
#!/bin/bash #!/command/with-contenv bash
# shellcheck shell=bash
# This command reads the `DISABLE_IPV6` env var and will either enable # This command reads the `DISABLE_IPV6` env var and will either enable
# or disable ipv6 in all nginx configs based on this setting. # or disable ipv6 in all nginx configs based on this setting.
set -e
log_info 'IPv6 ...' log_info 'IPv6 ...'
# Lowercase # Lowercase
@ -12,13 +15,13 @@ process_folder () {
FILES=$(find "$1" -type f -name "*.conf") FILES=$(find "$1" -type f -name "*.conf")
SED_REGEX= SED_REGEX=
if [ "$(disable_ipv6)" == '1' ]; then if [ "$DISABLE_IPV6" == "true" ] || [ "$DISABLE_IPV6" == "on" ] || [ "$DISABLE_IPV6" == "1" ] || [ "$DISABLE_IPV6" == "yes" ]; then
# IPV6 is disabled # IPV6 is disabled
echo " Disabling IPV6 in hosts in: $1" echo "Disabling IPV6 in hosts in: $1"
SED_REGEX='s/^([^#]*)listen \[::\]/\1#listen [::]/g' SED_REGEX='s/^([^#]*)listen \[::\]/\1#listen [::]/g'
else else
# IPV6 is enabled # IPV6 is enabled
echo " Enabling IPV6 in hosts in: $1" echo "Enabling IPV6 in hosts in: $1"
SED_REGEX='s/^(\s*)#listen \[::\]/\1listen [::]/g' SED_REGEX='s/^(\s*)#listen \[::\]/\1listen [::]/g'
fi fi
@ -28,7 +31,7 @@ process_folder () {
sed -E -i "$SED_REGEX" "$FILE" || true sed -E -i "$SED_REGEX" "$FILE" || true
done done
# ensure the files are still owned by the npmuser # ensure the files are still owned by the npm user
chown -R "$PUID:$PGID" "$1" chown -R "$PUID:$PGID" "$1"
} }

6
docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/60-fail2ban.sh
View File

@ -3,11 +3,11 @@
set -e set -e
log_info 'fail2ban ...' log_info 'Fail2ban configuration ...'
mkdir -p /fail2ban/{action.d,filter.d,jail.d,log} mkdir -p /fail2ban/{action.d,filter.d,jail.d,log}
chown -R "$PUID:$PGID" /fail2ban chown -R "$PUID:$PGID" /fail2ban
mkdir -p /var/run/fail2ban \ mkdir -p /var/run/fail2ban
/data/logs/fail2ban mkdir -p /data/logs/fail2ban
chown nobody:nogroup /data/logs/fail2ban chown nobody:nogroup /data/logs/fail2ban
chmod 02755 /data/logs/fail2ban chmod 02755 /data/logs/fail2ban

11
docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/90-banner.sh
View File

@ -2,6 +2,9 @@
# shellcheck shell=bash # shellcheck shell=bash
set -e set -e
set +x
. /etc/os-release
echo " echo "
------------------------------------- -------------------------------------
@ -11,7 +14,11 @@ echo "
| |\ | __/| | | | | |\ | __/| | | |
|_| \_|_| |_| |_| |_| \_|_| |_| |_|
------------------------------------- -------------------------------------
User ID: $PUID Version: ${NPM_BUILD_VERSION:-3.0.0-dev} (${NPM_BUILD_COMMIT:-dev}) ${NPM_BUILD_DATE:-0000-00-00}
Group ID: $PGID User: $NPMUSER PUID:$PUID ID:$(id -u "$NPMUSER") GROUP:$(id -g "$NPMUSER")
Group: $NPMGROUP PGID:$PGID ID:$(get_group_id "$NPMGROUP")
OpenResty: ${OPENRESTY_VERSION:-unknown}
Debian: ${VERSION_ID:-unknown}
Kernel: $(uname -r)
------------------------------------- -------------------------------------
" "

4
scripts/install-s6
View File

@ -8,8 +8,8 @@ BLUE='\E[1;34m'
GREEN='\E[1;32m' GREEN='\E[1;32m'
RESET='\E[0m' RESET='\E[0m'
S6_OVERLAY_VERSION=3.1.4.1 S6_OVERLAY_VERSION=3.1.5.0
TARGETPLATFORM=${1:unspecified} TARGETPLATFORM=${1:-linux/amd64}
# Determine the correct binary file for the architecture given # Determine the correct binary file for the architecture given
case $TARGETPLATFORM in case $TARGETPLATFORM in