1
0

initial commit

This commit is contained in:
Konstantin Demin 2025-04-23 03:14:29 +03:00
commit 1279570b8d
Signed by: krd
GPG Key ID: 4D56F87A8BA65FD0
263 changed files with 7313 additions and 0 deletions
.gitignoreDockerfileDockerfile.baseDockerfile.depsLICENSE
angie
angie.conf
autoconf.dist
conf.dist
ctx-http.confctx-mail.confctx-stream.conf
j2cfg.dist
j2cfg.ymlmod-http.confmod-mail.confmod-stream.conf
mod.dist

2
.gitignore vendored Normal file

@ -0,0 +1,2 @@
/.mypy_cache/
/.vscode/

208
Dockerfile Normal file

@ -0,0 +1,208 @@
ARG IMAGE_VERSION
FROM docker.io/rockdrilla/angie-conv:${IMAGE_VERSION}-deps AS deps
## ---
FROM deps AS pycache
SHELL [ "/bin/sh", "-ec" ]
COPY /scripts/* /usr/local/sbin/
COPY /scripts-extra/* /usr/local/sbin/
COPY /j2cfg/ /usr/local/lib/j2cfg/
ENV PYTHONDONTWRITEBYTECODE=''
## Python cache preseed
RUN python3 -m compileall -q -j 2 /usr/local/lib/j2cfg/
RUN libpython="${PYTHON_SITE_PACKAGES%/*}" ; \
find "${libpython}/" -mindepth 1 -maxdepth 1 -printf '%P\0' \
| sed -zEn \
-e '/^(collections|concurrent|encodings|importlib|json|logging|multiprocessing|re|urllib)$/p' \
| sort -zV \
| env -C "${libpython}" xargs -0r \
python3 -m compileall -q -j 2 ; \
find "${PYTHON_SITE_PACKAGES}/" -mindepth 1 -maxdepth 1 -printf '%P\0' \
| sed -zE \
-e '/\.(dist-info|pth|txt)$/d' \
-e '/^pip$/d' \
| sort -zV \
| env -C "${PYTHON_SITE_PACKAGES}" xargs -0r \
python3 -m compileall -q -j 2
## Python cache warmup
RUN j2cfg-single /usr/local/lib/j2cfg/test.j2 /tmp/test ; \
cat /tmp/test ; echo ; echo ; \
rm -f /tmp/test
## Python cache adjustments
RUN d="@$(date '+%s')" ; \
find /usr/local/lib/ -name '*.pyc' -exec touch -m -d "$d" {} + ; \
find /usr/local/lib/ -name __pycache__ -exec touch -m -d "$d" {} +
WORKDIR /pycache
RUN find /usr/local/ -type f -name '*.py[co]' -printf '%P\0' \
| sort -zV \
| tar -C /usr/local --null -T - -cf - \
| tar -xf -
## ---
FROM deps
SHELL [ "/bin/sh", "-ec" ]
## NB: NGX_DEBUG is set via build script
COPY /Dockerfile /usr/local/share/
COPY /j2cfg/ /usr/local/lib/j2cfg/
## RFC: Python cache
COPY --from=pycache /pycache/ /usr/local/
ENV ANGIE_MODULES_DIR=/usr/lib/angie/modules
COPY /scripts/* /usr/local/bin/
RUN _UID=11111 _GID=11111 ; \
echo "angie:x:${_UID}:${_GID}:Angie:/etc/angie:/bin/false" >> /etc/passwd ; \
echo "angie:x:${_GID}:" >> /etc/group ; \
echo 'angie:!:::::::' >> /etc/shadow
COPY /apt/sources.angie /etc/apt/sources.list.d/angie.sources
RUN apt-install.sh \
angie \
angie-console-light \
; \
apt-clean.sh ; \
## verify Angie layout
[ -d "${ANGIE_MODULES_DIR}" ] ; \
n='/usr/sbin/angie' ; \
[ -x "$n-debug" ] ; \
[ -x "$n-nodebug" ] ; \
## adjust Angie binaries
rm -fv "$n" ; \
if [ "${NGX_DEBUG}" = 0 ] ; then \
rm -fv "$n-debug" ; \
mv -fv "$n-nodebug" "$n" ; \
else \
rm -fv "$n-nodebug" ; \
mv -fv "$n-debug" "$n" ; \
fi
## preserve snippets from Angie config directory
## ref: https://git.angie.software/web-server/angie/src/tag/Angie-1.9.0/conf
RUN d=/etc/angie ; t=$(mktemp -d) ; \
tar -C "$d" -cf - \
fastcgi_params \
fastcgi.conf \
mime.types \
prometheus_all.conf \
scgi_params \
uwsgi_params \
| tar -C "$t" -xf - ; \
rm -rf "$d" ; \
install -d "$d" "$d/snip.dist" ; \
tar -C "$t" -cf - . | tar -C "$d/snip.dist" -xf - ; \
rm -rf "$t"
## copy directory structure
COPY /angie/ /etc/angie/
## produce own layout for Angie >:)
## /angie/ is persistence store
RUN install -d -o angie -g angie -m 03777 /angie /run/angie ; \
## adjust paths across filesystem
rm -rfv /var/cache/angie/ /var/lib/angie/ /var/log/angie/ ; \
ln -sv /run/angie/cache /var/cache/angie ; \
ln -sv /run/angie/lib /var/lib/angie ; \
ln -sv /run/angie/log /var/log/angie ; \
## adjust paths in config directory
cd /etc/angie || exit 1 ; \
ln -sv /run/angie run ; \
ln -sv /run/angie/load load ; \
ln -sv /run/angie/lock lock ; \
ln -sv ${ANGIE_MODULES_DIR} modules.dist ; \
## hyper-modular paths:
data='autoconf conf j2cfg mod modules site snip static tls' ; \
vardata='cache lib log' ; \
for n in ${data} ; do \
for d in "$n" "$n.dist" ; do \
[ -e "$d" ] || install -d "$d" ; \
done ; \
done ; \
for n in ${data} ${vardata} ; do \
ln -sv "/run/angie/$n" "$n.d" ; \
done
## special empty directory
RUN d='/var/lib/empty' ; \
rm -rf "$d" ; \
if [ -d "$d" ] ; then exit 1 ; fi ; \
install -d -m 0555 "$d"
## prepare DH params for TLS
## NB: disabled in pipeline for now
## reason: too slow (and too much effort)
# RUN cd /etc/angie/tls.dist || exit 1 ; \
# openssl-generate-dh-bundle.sh
## future quirk for angie-module-modsecurity >:)
RUN n='modsecurity' ; \
d="/etc/angie/$n" ; \
ln -sv "/run/angie/$n" "$d.d" ; \
dpkg-divert --divert "$d.dist" --rename "$d" ; \
for p in modsecurity.conf unicode.mapping ; do \
dpkg-divert --divert "$d.dist/$p" --rename "$d/$p" ; \
done ; \
p='rules.conf' ; \
dpkg-divert --divert "$d.dist/$p.dist" --rename "$d/$p"
VOLUME [ "/run/angie" ]
## preseed builtin modules list
RUN x='angie-builtin-modules.sh' ; \
"$x" ; \
rm -fv "$(which "$x")"
## relatively lightweight modules
RUN apt-install-angie-mod.sh \
brotli \
cache-purge \
echo \
geoip2 \
headers-more \
subs \
upload \
zip \
zstd \
; \
apt-clean.sh
## adjust permissions/ownership
RUN d='/etc/angie' ; \
chown -hR 0:0 "$d" ; \
find "$d/" -name .gitkeep -type f -delete ; \
find "$d/" -type d -exec chmod 0755 {} + ; \
find "$d/" -type f -exec chmod 0644 {} +
## image-entry.sh is placed into /usr/local/bin/ to allow custom entrypoint/chaining:
## - there's no need to change ENTRYPOINT/CMD
## - custom entrypoint should be placed in /usr/local/sbin/
## - custom entrypoint should "exec" /usr/local/bin/image-entry.sh
COPY /image-entry.sh /usr/local/bin/
COPY /image-entry.d/ /image-entry.d/
## must be bind-mounted only for local customization/overrides!
# RUN install -d /image-entry
## misc defaults
ENV MALLOC_ARENA_MAX=4
STOPSIGNAL SIGQUIT
ENTRYPOINT [ "image-entry.sh" ]
CMD [ "angie" ]

361
Dockerfile.base Normal file

@ -0,0 +1,361 @@
# FROM docker.io/debian:bookworm-slim as base-upstream
ARG PYTHONTAG=3.12.10-slim-bookworm
FROM docker.io/python:${PYTHONTAG} AS base-upstream
FROM base-upstream AS base-intermediate
SHELL [ "/bin/sh", "-ec" ]
COPY /scripts/* /usr/local/sbin/
COPY /scripts-extra/* /usr/local/sbin/
## PATH: remove /sbin and /bin (/usr is merged for Debian 12 and newer)
ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
TMPDIR=/tmp \
LANG=C.UTF-8 \
LC_ALL=C.UTF-8 \
TERM=linux \
TZ=Etc/UTC \
MALLOC_ARENA_MAX=2 \
PYTHONUNBUFFERED=1 \
PYTHONDONTWRITEBYTECODE=1
COPY /apt/prefs.backports /etc/apt/preferences.d/backports
COPY /apt/sources.debian /etc/apt/sources.list.d/debian.sources
## prevent services from auto-starting, part 1
RUN s='/usr/sbin/policy-rc.d' ; b='/usr/bin/policy-rc.d' ; \
rm -f "$s" "$b" ; \
echo '#!/bin/sh' > "$b" ; \
echo 'exit 101' >> "$b" ; \
chmod 0755 "$b" ; \
ln -s "$b" "$s"
RUN divert_true() { divert-rm.sh "$1" ; ln -sv /bin/true "$1" ; } ; \
## prevent services from auto-starting, part 2
divert_true /sbin/start-stop-daemon ; \
## always report that we're in chroot
divert_true /usr/bin/ischroot ; \
## hide systemd helpers
divert_true /usr/bin/deb-systemd-helper ; \
divert_true /usr/bin/deb-systemd-invoke
RUN apt-env.sh apt-get update ; \
apt-remove.sh \
ca-certificates \
e2fsprogs \
; \
apt-env.sh apt-get upgrade -y ; \
apt-install.sh \
apt-utils \
brotli \
cron \
curl \
gettext-base \
jdupes \
jq \
libcap2-bin \
libjemalloc2 \
logrotate \
netbase \
netcat-openbsd \
openssl \
procps \
psmisc \
tzdata \
zstd \
; \
apt-clean.sh
## perl-base: hardlink->symlink
RUN set +e ; \
d=/usr/bin ; \
ls -li "$d/perl" ; \
find "$d/" -xdev -samefile "$d/perl" 2>/dev/null \
| grep -Fxv -e "$d/perl" \
| while read -r p ; do \
[ -n "$p" ] || continue ; \
[ -e "$p" ] || continue ; \
ls -li "$p" ; \
rm -fv "$p" ; \
ln -fsv perl "$p" ; \
ls -li "$p" ; \
echo ; \
done
## remove unwanted binaries
RUN set -f ; \
for i in \
addgroup \
addpart \
adduser \
apt-ftparchive \
agetty \
badblocks \
blkdiscard \
blkid \
blkzone \
blockdev \
bsd-write \
chage \
chcpu \
chfn \
chgpasswd \
chmem \
chpasswd \
chsh \
cpgr \
cppw \
crontab \
ctrlaltdel \
debugfs \
delgroup \
delpart \
deluser \
dmesg \
dumpe2fs \
e2freefrag \
e2fsck \
e2image \
e2label \
e2mmpstatus \
e2scrub \
'e2scrub*' \
e2undo \
e4crypt \
e4defrag \
expiry \
faillock \
fdformat \
fincore \
findfs \
fsck \
'fsck.*' \
fsfreeze \
fstrim \
getty \
gpasswd \
groupadd \
groupdel \
groupmems \
groupmod \
grpck \
grpconv \
grpunconv \
hwclock \
isosize \
last \
lastb \
ldattach \
losetup \
lsblk \
lsirq \
lslogins \
mcookie \
mesg \
mke2fs \
mkfs \
'mkfs.*' \
mkhomedir_helper \
mklost+found \
mkswap \
mount \
newgrp \
newusers \
pam-auth-update \
pam_getenv \
pam_namespace_helper \
pam_timestamp_check \
partx \
passwd \
pivot_root \
pwck \
pwconv \
pwhistory_helper \
pwunconv \
raw \
readprofile \
resize2fs \
resizepart \
rtcwake \
sg \
shadowconfig \
su \
sulogin \
swaplabel \
swapoff \
swapon \
switch_root \
tune2fs \
umount \
unix_chkpwd \
unix_update \
update-passwd \
useradd \
userdel \
usermod \
utmpdump \
vigr \
vipw \
wall \
wdctl \
wipefs \
write \
'write.*' \
zramctl \
; do \
## try dpkg-divert first
for d in /usr/sbin /usr/bin ; do \
find "$d/" ! -type d -wholename "$d/$i" ; \
done \
| while read -r p ; do \
[ -n "$p" ] || continue ; \
[ -e "$p" ] || continue ; \
dpkg-search.sh "$p" || continue ; \
done \
| sed -E '/^diversion by/d' \
| sort -uV \
| while read -r pkg path ; do \
[ -n "${pkg}" ] || continue ; \
[ -e "${path}" ] || continue ; \
divert-rm.sh "${path}" ; \
done ; \
## remove if still exists
for d in /usr/sbin /usr/bin ; do \
find "$d/" ! -type d -wholename "$d/$i" ; \
done \
| while read -r p ; do \
[ -n "$p" ] || continue ; \
[ -e "$p" ] || continue ; \
rm -fv "$p" ; \
done ; \
done
## remove excessive privileges from binaries: setuid/setgid
RUN find / -xdev -type f -perm /7000 \
| sort -V \
| while read -r p ; do \
[ -n "$p" ] || continue ; \
## clear setuid/setgid bit
m=$(env stat -c '0%a' "$p") ; \
m=$(printf '0%o\n' $((m & 00777)) ) ; \
## try to lookup in dpkg database
n=$(set +e ; dpkg-search.sh "$p" | sed -E '/^diversion by/d' | cut -d ' ' -f2-) ; \
if [ "$p" = "$n" ] ; then \
o=$(env stat -c '%U' "$n") ; \
g=$(env stat -c '%G' "$n") ; \
dpkg-statoverride --force --update --add "$o" "$g" "$m" "$n" ; \
else \
env printf 'unable to find in dpkg database: %q\n' "$n" ; \
chmod "$m" "$p" ; \
fi ; \
ls -l "$p" ; \
done
## remove excessive privileges from binaries: setcap
RUN find / -xdev -type f -executable -exec getcap {} + \
| sort -V \
| while read -r path caps ; do \
[ -n "${path}" ] || continue ; \
setcap -r "${path}" "${caps}" 2>/dev/null ; \
getcap -v "${path}" ; \
done
## "docker.io/python"-specific cleanup
RUN env -C /root rm -f .bash_history .python_history .wget-hsts
## ---
FROM base-intermediate AS certs
SHELL [ "/bin/sh", "-ec" ]
## "2025.01.31"
ENV CERTIFI_COMMIT=088f93122ea7c91cfdaeea7fa76ab2f850b8064d
# ARG CERTIFI_BASE_URI='https://raw.githubusercontent.com/certifi/python-certifi'
ARG CERTIFI_BASE_URI='https://github.com/certifi/python-certifi/raw'
ARG CERTIFI_URI="${CERTIFI_BASE_URI}/${CERTIFI_COMMIT}/certifi/cacert.pem"
# hadolint ignore=DL3020
ADD "${CERTIFI_URI}" /tmp/certifi.crt
RUN apt-install.sh ca-certificates ; \
apt-clean.sh ; \
ca_file='/etc/ssl/certs/ca-certificates.crt' ; \
ls -l "${ca_file}" ; \
## process certifi
certifi-extras.sh /tmp/certifi.crt ; \
openssl-cert-auto-pem.sh "${ca_file}" "${ca_file}.new" "${ca_file}.fp" ; \
mv -f "${ca_file}.new" "${ca_file}" ; \
chmod 0444 "${ca_file}" "${ca_file}.fp" ; \
ls -l "${ca_file}" "${ca_file}.fp"
## ---
FROM base-intermediate AS apt-gpg
SHELL [ "/bin/sh", "-ec" ]
COPY --from=certs /etc/ssl/certs/ca-certificates.* /etc/ssl/certs/
ADD https://angie.software/keys/angie-signing.gpg /tmp/angie.gpg.bin
COPY /apt/sources.angie /etc/apt/angie.sources
RUN pkg='gnupg' ; \
apt-install.sh ${pkg} ; \
## process Angie GPG keyring / APT sources
gpg-export.sh /tmp/angie.gpg.bin /etc/apt/keyrings/angie.gpg.asc ; \
rm -f /tmp/angie.gpg.bin ; \
env -C /etc/apt mv angie.sources sources.list.d/ ; \
## verify sources!
apt-env.sh apt-get update ; \
apt-remove.sh ${pkg} ; \
apt-clean.sh
## ---
FROM base-intermediate AS base
SHELL [ "/bin/sh", "-ec" ]
COPY /Dockerfile.base /usr/local/share/
COPY --from=certs /etc/ssl/certs/ca-certificates.* /etc/ssl/certs/
COPY --from=apt-gpg /etc/apt/keyrings/ /etc/apt/keyrings/
RUN python-rm-cache.sh /usr/local
RUN pip-env.sh pip list --format freeze \
| grep -F '==' | awk -F= '{print $1}' \
| xargs -r pip-env.sh pip install -U ; \
python-rm-cache.sh /usr/local
RUN libpython="${PYTHON_SITE_PACKAGES%/*}" ; \
rm -rfv \
/usr/local/bin/idle* \
/usr/local/bin/pydoc* \
"${libpython}/ensurepip/_bundled" \
"${libpython}/idlelib" \
"${libpython}/pydoc.py" \
"${libpython}/pydoc_data" \
"${libpython}/tkinter" \
"${libpython}/turtle.py" \
"${libpython}/turtledemo" \
; \
find "${PYTHON_SITE_PACKAGES}/" -iname '*.exe' -ls -delete
## adjust pip/certifi
RUN certifi_pem="${PYTHON_SITE_PACKAGES}/pip/_vendor/certifi/cacert.pem" ; \
[ -d "${certifi_pem%/*}" ] || exit 0 ; \
rm -f "${certifi_pem}" ; \
ln -sv /etc/ssl/certs/ca-certificates.crt "${certifi_pem}"
RUN apt-clean.sh
RUN find /usr/local/sbin/ ! -type d -ls -delete ; \
find /run/ -mindepth 1 -ls -delete || : ; \
install -d -m 01777 /run/lock ; \
jdupes -1LSpr /usr/local/ ; \
jdupes -1LSpr /usr/
ENTRYPOINT [ ]
CMD [ "bash" ]

132
Dockerfile.deps Normal file

@ -0,0 +1,132 @@
ARG IMAGE_VERSION
FROM docker.io/rockdrilla/angie-conv:${IMAGE_VERSION}-base AS base
## ---
FROM base AS catatonit
SHELL [ "/bin/sh", "-ec" ]
COPY /scripts/* /usr/local/sbin/
COPY /scripts-extra/* /usr/local/sbin/
## current HEAD: "main: don't use secure_getenv", December 14, 2024
ENV CATATONIT_COMMIT=56579adbb42c0c7ad94fc12d844b38fc5b37b3ce
# ARG CATATONIT_BASE_URI='https://codeload.github.com/openSUSE/catatonit/tar.gz'
# ARG CATATONIT_URI="${CATATONIT_BASE_URI}/${CATATONIT_COMMIT}"
ARG CATATONIT_BASE_URI='https://github.com/openSUSE/catatonit/archive'
ARG CATATONIT_URI="${CATATONIT_BASE_URI}/${CATATONIT_COMMIT}.tar.gz"
# hadolint ignore=DL3020
ADD "${CATATONIT_URI}" /tmp/catatonit.tar.gz
RUN pkg='build-essential debhelper musl-dev autoconf autoconf-archive' ; \
apt-install.sh ${pkg} ; \
## build catatonit
d=/tmp/catatonit ; \
rm -rf "$d" ; \
mkdir -p "$d" ; \
( \
cd "$d" ; \
tar --strip-components=1 -xf /tmp/catatonit.tar.gz ; \
commit_abbrev=$(printf '%s' "${CATATONIT_COMMIT}" | cut -c1-8) ; \
sed -i "s/+dev/+git.${commit_abbrev}/" configure.ac ; \
# DEB_HOST_GNU_TYPE=$(dpkg-architecture -q DEB_HOST_GNU_TYPE) ; \
# export HOSTCC="${DEB_HOST_GNU_TYPE}-gcc" ; \
DEB_TARGET_GNU_TYPE=$(dpkg-architecture -q DEB_TARGET_GNU_TYPE) ; \
DEB_TARGET_MUSL_TYPE=$(printf '%s' "${DEB_TARGET_GNU_TYPE}" | sed -E 's/-gnu$/-musl/') ; \
export CC="${DEB_TARGET_MUSL_TYPE}-gcc" ; \
export CFLAGS='-Os -g -pipe -fpie -fstack-protector-strong -fstack-clash-protection -fcf-protection -D_FORTIFY_SOURCE=2' ; \
export LDFLAGS='-static-pie -Wl,-z -Wl,relro' ; \
autoreconf -fiv ; \
./configure ; \
make -j1 ; \
ls -l catatonit ; \
# "${DEB_TARGET_GNU_TYPE}-strip" --strip-debug --strip-unneeded catatonit ; \
strip --strip-debug --strip-unneeded catatonit ; \
ls -l catatonit ; \
cp catatonit /usr/local/bin/ ; \
) ; \
## cleanup
rm -rf "$d" ; \
apt-remove.sh ${pkg} ; \
apt-clean.sh
## ---
FROM base AS python-ext
SHELL [ "/bin/sh", "-ec" ]
COPY /scripts/* /usr/local/sbin/
COPY /scripts-extra/* /usr/local/sbin/
COPY /requirements.txt /tmp/
ENV DEV_PACKAGES='libyaml-dev'
# markupsafe, psutil
ENV CIBUILDWHEEL=1
# pyyaml
ENV PYYAML_FORCE_CYTHON=1
RUN w=$(mktemp -d) ; : "${w:?}" ; \
{ apt-mark showauto ; apt-mark showmanual ; } | sort -uV > "$w/t0" ; \
printf '%s\n' ${DEV_PACKAGES} | sort -uV > "$w/t1" ; \
apt-install.sh ${DEV_PACKAGES} ; \
{ apt-mark showauto ; apt-mark showmanual ; } | sort -uV > "$w/t2" ; \
set +e ; \
grep -Fxv -f "$w/t0" "$w/t2" > "$w/t3" ; \
grep -Fxv -f "$w/t1" "$w/t3" > "$w/t4" ; \
grep -Ev -e '-(dev|doc)$' "$w/t4" > "${PYTHON_SITE_PACKAGES}/apt-deps.txt" ; \
set -e ; \
rm -rf "$w/" ; unset w ; \
apt-install.sh build-essential ; \
pip-env.sh pip install 'cython~=3.0.12' ; \
pip-env.sh pip install --no-binary :all: -r /tmp/requirements.txt ; \
pip-env.sh pip uninstall -y 'cython' ; \
python-rm-cache.sh "${PYTHON_SITE_PACKAGES}" ; \
rm -rf \
"${PYTHON_SITE_PACKAGES}/psutil/tests" \
; \
find "${PYTHON_SITE_PACKAGES}/" -type f -name '*.so*' -exec ls -l {} + ; \
echo ; \
find "${PYTHON_SITE_PACKAGES}/" -type f -name '*.so*' -printf '%p\0' \
| sed -zE '/rust/d' \
| xargs -0r strip --strip-debug --strip-unneeded ; \
echo ; \
find "${PYTHON_SITE_PACKAGES}/" -type f -name '*.so*' -exec ls -l {} + ; \
apt-remove.sh build-essential ; \
apt-clean.sh
## avoid changing already present packages
RUN rm -rfv \
/usr/local/bin/pip \
/usr/local/bin/pip3* \
; \
find "${PYTHON_SITE_PACKAGES}/" -mindepth 1 -maxdepth 1 -printf '%P\0' \
| sed -zEn \
-e '/^pip(|-.+\.dist-info)$/p' \
| env -C "${PYTHON_SITE_PACKAGES}" xargs -0r rm -rf
## ---
FROM base AS deps
SHELL [ "/bin/sh", "-ec" ]
COPY /Dockerfile.deps /usr/local/share/
COPY --from=catatonit /usr/local/bin/catatonit /usr/local/bin/
## Python: site-packages
COPY --from=python-ext /usr/local/bin/ /usr/local/bin/
COPY --from=python-ext /${PYTHON_SITE_PACKAGES}/ /${PYTHON_SITE_PACKAGES}/
COPY /scripts/* /usr/local/sbin/
## install missing dependencies for Python site-packages
RUN f="${PYTHON_SITE_PACKAGES}/apt-deps.txt" ; \
[ -s "$f" ] || exit 0 ; \
xargs -a "$f" apt-install.sh ; \
apt-clean.sh
RUN find /usr/local/sbin/ ! -type d -ls -delete

175
LICENSE Normal file

@ -0,0 +1,175 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.

22
angie/angie.conf Normal file

@ -0,0 +1,22 @@
daemon off;
pid run/angie.pid;
## almost useless
include load/mod-core-*.conf;
# mod-http.conf
# mod-mail.conf
# mod-stream.conf
include run/mod-*.conf;
events {
include autoconf.d/core_ev-*.conf;
include load/core_ev-*.conf;
}
include autoconf.d/core-*.conf;
include load/core-*.conf;
# ctx-http.conf
# ctx-mail.conf
# ctx-stream.conf
include run/ctx-*.conf;

@ -0,0 +1 @@
error_log log.d/error.log warn;

@ -0,0 +1 @@
lock_file lock/angie.lock;

@ -0,0 +1 @@
pcre_jit on;

@ -0,0 +1,3 @@
## if container is running in non-privileged mode,
## then this file is going to be removed by /image-entry.d/76-adjust-core-user.sh
user ${NGX_USER} ${NGX_GROUP};

@ -0,0 +1,31 @@
{#- prologue -#}
{#- NB: "TZ" is always provided by Angie itself -#}
{%- set c_env = ( j2cfg.core_worker_env or [] ) | any_to_env_dict -%}
{%- set c_vars = c_env | dict_keys -%}
{%- set c_vars_passthrough = c_env | dict_empty_keys -%}
{%- set c_vars_override = c_env | dict_non_empty_keys -%}
{%- set vars_passthrough = (env_passthrough + c_vars_passthrough) | uniq | list_intersect(env | dict_keys) -%}
{#- main part -#}
## preserve
{%- for k in env_preserve %}
env {{ k }};
{%- endfor %}
## passthrough
{%- for k in vars_passthrough %}
env {{ k }};
{%- endfor %}
{% if c_vars_override %}
## WARNING!
## explicit environment variables are NOT implemented
## reason: envs are supported only for http_perl but not for http_js/stream_js
## solution: provide environment variables explicitly
## and then list them in "core_worker_env" key in config
##
{%- for k in c_vars_override %}
{#- {%- set v = c_env[k] %} #}
## env {{ k }}={{ c_env[k] | ngx_esc }};
{%- endfor %}
{%- endif %}

@ -0,0 +1,10 @@
worker_processes {{ env.NGX_WORKER_PROCESSES }};
{%- if env.NGX_WORKER_CPU_AFFINITY %}
worker_cpu_affinity {{ env.NGX_WORKER_CPU_AFFINITY }};
{%- endif %}
{%- if env.NGX_WORKER_PRIORITY %}
worker_priority {{ env.NGX_WORKER_PRIORITY }};
{%- endif %}
{%- if env.NGX_WORKER_RLIMIT_NOFILE %}
worker_rlimit_nofile {{ env.NGX_WORKER_RLIMIT_NOFILE }};
{%- endif %}

@ -0,0 +1,7 @@
worker_connections {{ env.NGX_WORKER_CONNECTIONS }};
{%- if env.NGX_WORKER_AIO_REQUESTS %}
worker_aio_requests {{ env.NGX_WORKER_AIO_REQUESTS }};
{%- endif %}
{%- if env.NGX_WORKER_PRIORITY %}
worker_priority {{ env.NGX_WORKER_PRIORITY }};
{%- endif %}

@ -0,0 +1,12 @@
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
log_format extended '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" rt="$request_time" '
'"$http_user_agent" "$http_x_forwarded_for" '
'h="$host" sn="$server_name" ru="$request_uri" u="$uri" '
'ucs="$upstream_cache_status" ua="$upstream_addr" us="$upstream_status" '
'uct="$upstream_connect_time" urt="$upstream_response_time"';
access_log log.d/access.log main;

@ -0,0 +1 @@
include snip.d/http-alt-svc;

@ -0,0 +1,4 @@
subrequest_output_buffer_size 16k;
client_body_buffer_size 16k;
client_header_buffer_size 4k;
large_client_header_buffers 8 16k;

@ -0,0 +1,3 @@
{%- if env.NGX_HTTP_MAX_RANGES %}
max_ranges {{ env.NGX_HTTP_MAX_RANGES }};
{%- endif %}

@ -0,0 +1,8 @@
include snip.d/mime.types;
types {
font/ttf ttf;
application/font-sfnt otf;
}
default_type application/octet-stream;

@ -0,0 +1,26 @@
map $http_upgrade
$req_connection
{
default upgrade;
"" "";
}
map $http_user_agent
$req_user_agent
{
default $http_user_agent;
{%- if env.NGX_HTTP_FAKE_UA %}
## merely fake
"" {{ env.NGX_HTTP_FAKE_UA | ngx_esc }};
{%- else %}
"" "Angie/$angie_version";
{%- endif %}
}
map $http_accept
$req_accept
{
volatile;
default $http_accept;
"" "*/*";
}

@ -0,0 +1,27 @@
## ref:
## - https://www.digitalocean.com/community/tools/nginx?domains.0.reverseProxy.reverseProxy=true
map $remote_addr
$proxy_forwarded_elem
{
## IPv4 addresses can be sent as-is
~^[0-9.]+$ "for=$remote_addr";
## IPv6 addresses need to be bracketed and quoted
~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
## Unix domain socket names cannot be represented in RFC 7239 syntax
default "for=unknown";
}
## ref:
## - https://www.digitalocean.com/community/tools/nginx?domains.0.reverseProxy.reverseProxy=true
## - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
map $http_forwarded
$proxy_add_forwarded
{
volatile;
## if the incoming Forwarded header is syntactically valid, append to it
"~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
## otherwise, replace it
default "$proxy_forwarded_elem";
}

@ -0,0 +1,2 @@
{%- set resolver_status_zone = 'http_resolver' -%}
{% include 'resolver.j2m' %}

@ -0,0 +1 @@
include snip.d/http-response-headers;

@ -0,0 +1 @@
root ${NGX_HTTP_WEBROOT};

@ -0,0 +1,13 @@
{%- if env.NGX_RESOLVERS %}
{%- if env.NGX_RESOLVER_STACK == 'any' %}
resolver {{ env.NGX_RESOLVERS }} status_zone={{ resolver_status_zone }};
{%- elif env.NGX_RESOLVER_STACK == 'ipv4' %}
resolver {{ env.NGX_RESOLVERS }} status_zone={{ resolver_status_zone }} ipv4=on ipv6=off;
{%- elif env.NGX_RESOLVER_STACK == 'ipv6' %}
resolver {{ env.NGX_RESOLVERS }} status_zone={{ resolver_status_zone }} ipv4=off ipv6=on;
{%- endif %}
{%- endif %}
{%- if env.NGX_RESOLVER_TIMEOUT %}
resolver_timeout {{ env.NGX_RESOLVER_TIMEOUT }};
{%- endif %}

@ -0,0 +1,2 @@
{%- set resolver_status_zone = 'stream_resolver' -%}
{% include 'resolver.j2m' %}

@ -0,0 +1,5 @@
brotli_comp_level 5; # default: 6
brotli_window 64k; # default: 512k
brotli_min_length 1024;
brotli_buffers 32 16k;

@ -0,0 +1,9 @@
{%- set mime_types = j2cfg.compress_types or [] -%}
{%- set mime_types = mime_types | any_to_str_list | uniq_str_list -%}
{%- if mime_types -%}
brotli_types
{%- for t in mime_types %}
{{ t }}
{%- endfor %}
;
{%- endif -%}

@ -0,0 +1 @@
quic_bpf on;

@ -0,0 +1 @@
accept_mutex_delay 200ms;

@ -0,0 +1 @@
accept_mutex on;

@ -0,0 +1 @@
multi_accept on;

@ -0,0 +1,4 @@
fastcgi_buffers 16 16k;
fastcgi_buffer_size 16k;
fastcgi_busy_buffers_size 32k;
fastcgi_temp_file_write_size 32k;

@ -0,0 +1,14 @@
{%- set cache_bypass = j2cfg.cache_bypass or [] -%}
{%- if cache_bypass -%}
## disable (response) cache under following conditions
fastcgi_cache_bypass
{%- for v in cache_bypass %}
{{ v | ngx_esc }}
{%- endfor %}
;
fastcgi_no_cache
{%- for v in cache_bypass %}
{{ v | ngx_esc }}
{%- endfor %}
;
{%- endif -%}

@ -0,0 +1,2 @@
include snip.d/fastcgi-request-headers;
include snip.d/fastcgi-response-headers;

@ -0,0 +1,7 @@
include snip.d/fastcgi.conf;
fastcgi_param PATH_INFO $path_info;
fastcgi_param AUTH_USER $remote_user;
fastcgi_param REMOTE_USER $remote_user;
fastcgi_param HTTP_HOST $host;

@ -0,0 +1 @@
grpc_buffer_size 16k;

@ -0,0 +1,2 @@
include snip.d/grpc-request-headers;
include snip.d/grpc-response-headers;

@ -0,0 +1,7 @@
{%- for k, v in j2cfg.tls.conf_cmd.items() %}
grpc_ssl_conf_command {{ k }} {{ v | ngx_esc }};
{%- endfor %}
grpc_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};
grpc_ssl_verify on;
grpc_ssl_server_name on;

@ -0,0 +1,4 @@
gzip_comp_level 2; # default: 1
gzip_min_length 1024;
gzip_buffers 32 16k;

@ -0,0 +1 @@
gzip_proxied any;

@ -0,0 +1,9 @@
{%- set mime_types = j2cfg.compress_types or [] -%}
{%- set mime_types = mime_types | any_to_str_list | uniq_str_list -%}
{%- if mime_types -%}
gzip_types
{%- for t in mime_types %}
{{ t }}
{%- endfor %}
;
{%- endif -%}

@ -0,0 +1 @@
gzip_vary on;

@ -0,0 +1 @@
brotli_static on;

@ -0,0 +1,2 @@
include conf.d/brotli/*.conf;
brotli on;

@ -0,0 +1 @@
include conf.d/fastcgi/*.conf;

@ -0,0 +1 @@
include conf.d/grpc/*.conf;

@ -0,0 +1,2 @@
gunzip_buffers 16 16k;
gunzip on;

@ -0,0 +1 @@
gzip_static on;

@ -0,0 +1,2 @@
include conf.d/gzip/*.conf;
gzip on;

@ -0,0 +1,4 @@
modsecurity_rules_file /etc/angie/modsecurity.d/rules.conf;
## NOT enabling ModSecurity by default!
# modsecurity on;

@ -0,0 +1 @@
include conf.d/njs/*.conf;

@ -0,0 +1 @@
perl_modules /etc/angie/site.d;

@ -0,0 +1,2 @@
include conf.d/proxy/*.conf;
include conf.d/proxy-http/*.conf;

@ -0,0 +1,5 @@
quic_gso on;
{%- if env.NGX_HTTP_NO_PROXY == '0' %}
proxy_quic_gso on;
{%- endif %}

@ -0,0 +1 @@
include conf.d/scgi/*.conf;

@ -0,0 +1,25 @@
include conf.d/ssl/*.conf;
## lowering from 16k to 4k to improve time-to-first-byte
ssl_buffer_size 4k;
{%- if env.NGX_HTTP_SSL_PROFILE %}
include snip.d/ssl-{{ env.NGX_HTTP_SSL_PROFILE }};
{%- endif %}
{%- if j2cfg.tls.stapling.enable %}
ssl_stapling on;
{%- if j2cfg.tls.stapling.verify %}
ssl_stapling_verify on;
{%- else %}
ssl_stapling_verify off;
{%- endif %}
{%- if j2cfg.tls.stapling.file %}
ssl_stapling_file {{ j2cfg.tls.stapling.file | ngx_esc }};
{%- endif %}
{%- if j2cfg.tls.stapling.responder %}
ssl_stapling_responder {{ j2cfg.tls.stapling.responder | ngx_esc }};
{%- endif %}
{%- else %}
ssl_stapling off;
{%- endif %}

@ -0,0 +1 @@
include conf.d/uwsgi/*.conf;

@ -0,0 +1,2 @@
include conf.d/http2/*.conf;
http2 on;

@ -0,0 +1,2 @@
include conf.d/http3/*.conf;
http3 on;

@ -0,0 +1 @@
zstd_static on;

@ -0,0 +1,2 @@
include conf.d/zstd/*.conf;
zstd on;

@ -0,0 +1,2 @@
http2_chunk_size 16k;
http2_body_preread_size 64k;

@ -0,0 +1,9 @@
http3_max_concurrent_streams 128; #default
http3_stream_buffer_size 64k; #default
quic_active_connection_id_limit 3;
{%- if env.NGX_HTTP_NO_PROXY == '0' %}
proxy_http3_max_concurrent_streams 128; #default
proxy_http3_stream_buffer_size 64k; #default
proxy_quic_active_connection_id_limit 3;
{%- endif %}

@ -0,0 +1,5 @@
include conf.d/ssl/*.conf;
{%- if env.NGX_MAIL_SSL_PROFILE %}
include snip.d/ssl-{{ env.NGX_MAIL_SSL_PROFILE }};
{%- endif %}

@ -0,0 +1 @@
js_path /etc/angie/site.d;

@ -0,0 +1 @@
js_fetch_trusted_certificate ${NGX_SSL_CERT_FILE};

@ -0,0 +1,4 @@
proxy_buffers 16 16k;
proxy_buffer_size 16k;
proxy_busy_buffers_size 32k;
proxy_temp_file_write_size 32k;

@ -0,0 +1,14 @@
{%- set cache_bypass = j2cfg.cache_bypass or [] -%}
{%- if cache_bypass -%}
## disable (response) cache under following conditions
proxy_cache_bypass
{%- for v in cache_bypass %}
{{ v | ngx_esc }}
{%- endfor %}
;
proxy_no_cache
{%- for v in cache_bypass %}
{{ v | ngx_esc }}
{%- endfor %}
;
{%- endif -%}

@ -0,0 +1,2 @@
include snip.d/proxy-request-headers;
include snip.d/proxy-response-headers;

@ -0,0 +1 @@
proxy_http_version 1.1;

@ -0,0 +1,7 @@
{%- for k, v in j2cfg.tls.conf_cmd.items() %}
proxy_ssl_conf_command {{ k }} {{ v | ngx_esc }};
{%- endfor %}
proxy_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};
proxy_ssl_verify on;
proxy_ssl_server_name on;

@ -0,0 +1,4 @@
scgi_buffers 16 16k;
scgi_buffer_size 16k;
scgi_busy_buffers_size 32k;
scgi_temp_file_write_size 32k;

@ -0,0 +1,14 @@
{%- set cache_bypass = j2cfg.cache_bypass or [] -%}
{%- if cache_bypass -%}
## disable (response) cache under following conditions
scgi_cache_bypass
{%- for v in cache_bypass %}
{{ v | ngx_esc }}
{%- endfor %}
;
scgi_no_cache
{%- for v in cache_bypass %}
{{ v | ngx_esc }}
{%- endfor %}
;
{%- endif -%}

@ -0,0 +1,2 @@
include snip.d/scgi-request-headers;
include snip.d/scgi-response-headers;

@ -0,0 +1,7 @@
include snip.d/scgi_params;
scgi_param PATH_INFO $path_info;
scgi_param AUTH_USER $remote_user;
scgi_param REMOTE_USER $remote_user;
scgi_param HTTP_HOST $host;

@ -0,0 +1,3 @@
{%- for k, v in j2cfg.tls.conf_cmd.items() %}
ssl_conf_command {{ k }} {{ v | ngx_esc }};
{%- endfor %}

@ -0,0 +1 @@
include conf.d/njs/*.conf;

@ -0,0 +1,2 @@
include conf.d/proxy/*.conf;
include conf.d/proxy-stream/*.conf;

@ -0,0 +1,5 @@
include conf.d/ssl/*.conf;
{%- if env.NGX_STREAM_SSL_PROFILE %}
include snip.d/ssl-{{ env.NGX_STREAM_SSL_PROFILE }};
{%- endif %}

@ -0,0 +1,4 @@
uwsgi_buffers 16 16k;
uwsgi_buffer_size 16k;
uwsgi_busy_buffers_size 32k;
uwsgi_temp_file_write_size 32k;

@ -0,0 +1,14 @@
{%- set cache_bypass = j2cfg.cache_bypass or [] -%}
{%- if cache_bypass -%}
## disable (response) cache under following conditions
uwsgi_cache_bypass
{%- for v in cache_bypass %}
{{ v | ngx_esc }}
{%- endfor %}
;
uwsgi_no_cache
{%- for v in cache_bypass %}
{{ v | ngx_esc }}
{%- endfor %}
;
{%- endif -%}

@ -0,0 +1,2 @@
include snip.d/uwsgi-request-headers;
include snip.d/uwsgi-response-headers;

@ -0,0 +1,7 @@
include snip.d/uwsgi_params;
uwsgi_param PATH_INFO $path_info;
uwsgi_param AUTH_USER $remote_user;
uwsgi_param REMOTE_USER $remote_user;
uwsgi_param HTTP_HOST $host;

@ -0,0 +1,7 @@
{%- for k, v in j2cfg.tls.conf_cmd.items() %}
uwsgi_ssl_conf_command {{ k }} {{ v | ngx_esc }};
{%- endfor %}
uwsgi_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};
uwsgi_ssl_verify on;
uwsgi_ssl_server_name on;

@ -0,0 +1,4 @@
zstd_comp_level 2; # default: 1
zstd_min_length 1024;
zstd_buffers 32 16k;

@ -0,0 +1,9 @@
{%- set mime_types = j2cfg.compress_types or [] -%}
{%- set mime_types = mime_types | any_to_str_list | uniq_str_list -%}
{%- if mime_types -%}
zstd_types
{%- for t in mime_types %}
{{ t }}
{%- endfor %}
;
{%- endif -%}

5
angie/ctx-http.conf Normal file

@ -0,0 +1,5 @@
http {
include autoconf.d/http-*.conf;
include load/http-*.conf;
include site.d/http-*.conf;
}

5
angie/ctx-mail.conf Normal file

@ -0,0 +1,5 @@
mail {
include autoconf.d/mail-*.conf;
include load/mail-*.conf;
include site.d/mail-*.conf;
}

5
angie/ctx-stream.conf Normal file

@ -0,0 +1,5 @@
stream {
include autoconf.d/stream-*.conf;
include load/stream-*.conf;
include site.d/stream-*.conf;
}

@ -0,0 +1,56 @@
{%- set transparent = false -%}
{%- if env.NGX_HTTP_TRANSPARENT_PROXY != None -%}
{%- set transparent = (env.NGX_HTTP_TRANSPARENT_PROXY | from_gobool) -%}
{%- endif -%}
---
request_headers:
{%- if transparent %}
Host: '$proxy_host'
## do not pass Accept-Encoding to backend
Accept-Encoding: ""
Early-Data: '$ssl_early_data'
## '$req_accept' is defined in /angie/autoconf.dist/http-request-headers-basic.conf.j2
Accept: '$req_accept'
## '$req_user_agent' is defined in /angie/autoconf.dist/http-request-headers-basic.conf.j2
User-Agent: '$req_user_agent'
{%- else %}
Host: '$host'
{%- endif %}
---
request_headers:
{%- if env.NGX_HTTP_FORWARDED == 'pass' %}
## '$proxy_add_forwarded' is defined in /angie/autoconf.dist/http-request-headers-forwarded.conf
Forwarded: '$proxy_add_forwarded'
{%- elif env.NGX_HTTP_FORWARDED == 'remove' %}
Forwarded: ''
{%- endif %}
---
request_headers:
{%- if env.NGX_HTTP_X_FORWARDED == 'pass' %}
X-Forwarded-Proto: '$scheme'
X-Forwarded-Host: '$host'
X-Forwarded-Server: '$host'
X-Forwarded-Port: '$server_port'
X-Forwarded-For: '$proxy_add_x_forwarded_for'
{%- elif env.NGX_HTTP_X_FORWARDED == 'remove' %}
X-Forwarded-Proto: ''
X-Forwarded-Host: ''
X-Forwarded-Server: ''
X-Forwarded-Port: ''
X-Forwarded-For: ''
{%- endif %}
---
request_headers:
{%- if env.NGX_HTTP_X_REAL_IP == 'pass' %}
X-Real-IP: '$remote_addr'
{%- elif env.NGX_HTTP_X_REAL_IP == 'remove' %}
X-Real-IP: ''
{%- endif %}

55
angie/j2cfg.yml Normal file

@ -0,0 +1,55 @@
cache_bypass:
- '$http_authorization'
- '$http_pragma'
- '$http_upgrade'
compress_types:
- application/atom+xml
- application/javascript
- application/json
- application/vnd.api+json
- application/rss+xml
- application/x-javascript
- application/xhtml+xml
- application/xml
- image/svg+xml
- image/x-icon
- text/css
- text/javascript
- text/plain
- text/xml
request_headers:
## '$req_connection' is defined in /angie/autoconf.dist/http-request-headers-basic.conf.j2
Connection: '$req_connection'
Upgrade: '$http_upgrade'
response_headers: {}
tls:
## https://docs.openssl.org/3.0/man3/SSL_CONF_cmd/#supported-configuration-file-commands
conf_cmd:
Options: PrioritizeChaCha
stapling:
enable: false
verify: true
profiles:
modern:
protocols: TLSv1.3
#prefer_server_ciphers: off
session_tickets: off
session_timeout: 1d
intermediate:
protocols: TLSv1.2 TLSv1.3
#prefer_server_ciphers: off
ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
dhparam: tls.d/ffdhe2048.pem
session_tickets: off
session_timeout: 1d
old:
protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
prefer_server_ciphers: on
ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
dhparam: tls.d/dh1024.pem
session_tickets: off
session_timeout: 1d

1
angie/mod-http.conf Normal file

@ -0,0 +1 @@
include load/mod-http-*.conf;

1
angie/mod-mail.conf Normal file

@ -0,0 +1 @@
include load/mod-mail-*.conf;

1
angie/mod-stream.conf Normal file

@ -0,0 +1 @@
include load/mod-stream-*.conf;

Some files were not shown because too many files have changed in this diff Show More