initial commit

.dockerignore

@@ -0,0 +1,2 @@
+j2cfg/__pycache__
+j2cfg/j2cfg/__pycache__

.gitignore

@@ -0,0 +1,4 @@
+/.mypy_cache
+/.vscode
+__pycache__
+*.py[co]

Dockerfile

@@ -0,0 +1,224 @@
+FROM docker.io/rockdrilla/angie-conv:v0.0.1-deps AS deps
+
+## ---
+
+FROM deps AS certs
+SHELL [ "/bin/sh", "-ec" ]
+
+COPY /scripts/*       /usr/local/sbin/
+COPY /extra-scripts/* /usr/local/sbin/
+
+## consult https://github.com/certifi/python-certifi/
+ENV CERTIFI_COMMIT=bd8153872e9c6fc98f4023df9c2deaffea2fa463
+
+RUN apt-install.sh ca-certificates ; \
+    ## process certifi
+    ca_file='/etc/ssl/certs/ca-certificates.crt' ; \
+    openssl-cert-fingerprint.sh "${ca_file}" | sort -uV > "${ca_file}.fp.orig" ; \
+    ls -l "${ca_file}" ; \
+    certifi-extras.sh ; \
+    openssl-cert-fingerprint.sh "${ca_file}" | sort -uV > "${ca_file}.fp" ; \
+    chmod 0444 "${ca_file}" "${ca_file}.fp" "${ca_file}.fp.orig" ; \
+    ls -l "${ca_file}" "${ca_file}.fp" "${ca_file}.fp.orig"
+
+## ---
+
+FROM deps AS pycache
+SHELL [ "/bin/sh", "-ec" ]
+
+COPY --from=certs /etc/ssl/certs/ca-certificates.crt  /etc/ssl/certs/
+
+COPY /scripts/*       /usr/local/sbin/
+COPY /extra-scripts/* /usr/local/sbin/
+
+COPY /j2cfg/ /usr/local/lib/j2cfg/
+
+ENV PYTHONDONTWRITEBYTECODE=''
+
+## Python cache preseed
+
+RUN python3 -m compileall -q -j 2 /usr/local/lib/j2cfg/
+
+RUN libpython="${PYTHON_SITE_PACKAGES%/*}" ; \
+    find "${libpython}/" -mindepth 1 -maxdepth 1 -printf '%P\0' \
+    | sed -zEn \
+      -e '/^(collections|importlib|json|re)$/p' \
+    | sort -zV \
+    | env -C "${libpython}" xargs -0r \
+      python3 -m compileall -q -j 2 ; \
+    find "${PYTHON_SITE_PACKAGES}/" -mindepth 1 -maxdepth 1 -printf '%P\0' \
+    | sed -zE \
+      -e '/\.(dist-info|pth|txt)$/d' \
+      -e '/^(pip|pkg_resources|setuptools|wheel)$/d' \
+    | sort -zV \
+    | env -C "${PYTHON_SITE_PACKAGES}" xargs -0r \
+      python3 -m compileall -q -j 2
+
+## Python cache warmup
+RUN j2cfg-single /usr/local/lib/j2cfg/test.j2 /tmp/test ; \
+    cat /tmp/test ; echo ; echo ; \
+    rm -f /tmp/test
+
+## Python cache adjustments
+RUN d="@$(date '+%s')" ; \
+    find /usr/local/lib/ -name '*.pyc' -exec touch -m -d "$d" {} + ; \
+    find /usr/local/lib/ -name __pycache__ -exec touch -m -d "$d" {} +
+
+## ---
+
+FROM deps
+SHELL [ "/bin/sh", "-ec" ]
+
+## NB: NGX_DEBUG is set via build script
+
+COPY /Dockerfile /usr/local/share/
+
+COPY --from=certs /etc/ssl/certs/ca-certificates.*  /etc/ssl/certs/
+
+## RFC: Python cache
+## TODO: reduce load by selecting only __pycache__ directories in either way
+COPY --from=pycache /usr/local/lib/  /usr/local/lib/
+
+## already copied by statement above
+# COPY /j2cfg/ /usr/local/lib/j2cfg/
+
+ENV ANGIE_MODULES_DIR=/usr/lib/angie/modules
+
+COPY /scripts/* /usr/local/bin/
+
+RUN _UID=11111 _GID=11111 ; \
+    echo "angie:x:${_UID}:${_GID}:Angie:/etc/angie:/bin/false" >> /etc/passwd ; \
+    echo "angie:x:${_GID}:" >> /etc/group ; \
+    echo 'angie:!:::::::' >> /etc/shadow
+
+RUN apt-install.sh angie ; \
+    apt-clean.sh ; \
+    ## verify Angie layout
+    [ -d "${ANGIE_MODULES_DIR}" ] ; \
+    n='/usr/sbin/angie' ; \
+    [ -x "$n-debug" ] ; \
+    [ -x "$n-nodebug" ] ; \
+    ## adjust Angie binaries
+    rm -fv "$n" ; \
+    if [ "${NGX_DEBUG}" = 0 ] ; then \
+        rm -fv "$n-debug" ; \
+        mv -fv "$n-nodebug" "$n" ; \
+    else \
+        rm -fv "$n-nodebug" ; \
+        mv -fv "$n-debug" "$n" ; \
+    fi
+
+## preserve snippets from Angie config directory
+## ref: https://git.angie.software/web-server/angie/src/tag/Angie-1.6.2/conf
+RUN d=/etc/angie ; t=$(mktemp -d) ; \
+    tar -C "$d" -cf - \
+      fastcgi_params \
+      fastcgi.conf \
+      mime.types \
+      prometheus_all.conf \
+      scgi_params \
+      uwsgi_params \
+    | tar -C "$t" -xf - ; \
+    rm -rf "$d" ; \
+    install -d "$d" "$d/snip.dist" ; \
+    tar -C "$t" -cf - . | tar -C "$d/snip.dist" -xf - ; \
+    rm -rf "$t"
+
+## copy directory structure
+COPY /angie/ /etc/angie/
+
+## produce own layout for Angie >:)
+## /angie/ is persistence store
+RUN install -d -o angie -g angie -m 03777 /angie /run/angie ; \
+    ## adjust paths across filesystem
+    rm -rfv /var/cache/angie/ /var/lib/angie/ /var/log/angie/ ; \
+    ln -sv /run/angie/cache  /var/cache/angie ; \
+    ln -sv /run/angie/lib    /var/lib/angie ; \
+    ln -sv /run/angie/log    /var/log/angie ; \
+    ## adjust paths in config directory
+    cd /etc/angie || exit 1 ; \
+    ln -sv /run/angie            run ; \
+    ln -sv /run/angie/load       load ; \
+    ln -sv /run/angie/lock       lock ; \
+    ln -sv ${ANGIE_MODULES_DIR}  modules.dist ; \
+    ## hyper-modular paths:
+    data='autoconf conf j2cfg mod modules site snip static tls' ; \
+    vardata='cache lib log' ; \
+    for n in ${data} ; do \
+        for d in "$n" "$n.dist" ; do \
+            [ -e "$d" ] || install -d "$d" ; \
+        done ; \
+    done ; \
+    for n in ${data} ${vardata} ; do \
+        ln -sv "/run/angie/$n" "$n.d" ; \
+    done
+
+## special empty directory
+RUN d='/var/lib/empty' ; \
+    rm -rf "$d" ; \
+    if [ -d "$d" ] ; then exit 1 ; fi ; \
+    install -d -m 0555 "$d"
+
+## prepare DH params for TLS
+## NB: disabled in pipeline for now
+## reason: too slow (and too much effort)
+# RUN cd /etc/angie/tls.dist || exit 1 ; \
+#     openssl-generate-dh-bundle.sh
+
+## future quirk for angie-module-modsecurity >:)
+RUN n='modsecurity' ; \
+    d="/etc/angie/$n" ; \
+    ln -sv "/run/angie/$n" "$d.d" ; \
+    dpkg-divert --divert "$d.dist" --rename "$d" ; \
+    for p in modsecurity.conf unicode.mapping ; do \
+        dpkg-divert --divert "$d.dist/$p" --rename "$d/$p" ; \
+    done ; \
+    p='rules.conf' ; \
+    dpkg-divert --divert "$d.dist/$p.dist" --rename "$d/$p"
+
+VOLUME [ "/run/angie" ]
+
+## preseed builtin modules list
+RUN x='angie-builtin-modules.sh' ; \
+    "$x" ; \
+    rm -fv "$(which "$x")"
+
+## relatively lightweight modules
+RUN apt-install-angie-mod.sh \
+      brotli \
+      cache-purge \
+      echo \
+      geoip2 \
+      headers-more \
+      subs \
+      upload \
+      zip \
+      zstd \
+    ; \
+    apt-clean.sh
+
+## adjust permissions/ownership
+RUN d='/etc/angie' ; \
+    chown -hR 0:0 "$d" ; \
+    find "$d/" -name .gitkeep -type f -delete ; \
+    find "$d/" -type d -exec chmod 0755 {} + ; \
+    find "$d/" -type f -exec chmod 0644 {} +
+
+## image-entry.sh is placed into /usr/local/bin/ to allow custom entrypoint/chaining:
+## - there's no need to change ENTRYPOINT/CMD
+## - custom entrypoint should be placed in /usr/local/sbin/
+## - custom entrypoint should "exec" /usr/local/bin/image-entry.sh
+COPY /image-entry.sh  /usr/local/bin/
+COPY /image-entry.d/  /image-entry.d/
+
+## must be bind-mounted only for local customization/overrides!
+# RUN install -d /image-entry
+
+## misc defaults
+ENV DUMB_INIT_SETSID=0 \
+    MALLOC_ARENA_MAX=4
+
+STOPSIGNAL SIGQUIT
+
+ENTRYPOINT [ "image-entry.sh" ]
+CMD [ "angie" ]

Dockerfile.base

@@ -0,0 +1,227 @@
+# FROM docker.io/debian:bookworm-slim as base-upstream
+ARG PYTHONTAG=3.11.10-slim-bookworm
+FROM docker.io/python:${PYTHONTAG} AS base-upstream
+
+FROM base-upstream AS base
+SHELL [ "/bin/sh", "-ec" ]
+
+COPY /Dockerfile.base /usr/local/share/
+
+COPY /scripts/*        /usr/local/sbin/
+COPY /extra-scripts/*  /usr/local/sbin/
+
+## PATH: remove /sbin and /bin (/usr is merged)
+ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
+    TMPDIR=/tmp \
+    LANG=C.UTF-8 \
+    LC_ALL=C.UTF-8 \
+    TERM=linux \
+    TZ=Etc/UTC \
+    MALLOC_ARENA_MAX=2 \
+    PYTHONUNBUFFERED=1 \
+    PYTHONDONTWRITEBYTECODE=1
+
+## local development
+# ENV PIP_INDEX="http://127.0.0.1:8081/repository/proxy_pypi/pypi/" \
+#     PIP_INDEX_URL="http://127.0.0.1:8081/repository/proxy_pypi/simple/" \
+#     PIP_TRUSTED_HOST="localhost"
+
+COPY /apt/prefs.backports /etc/apt/preferences.d/backports
+COPY /apt/sources.debian /etc/apt/sources.list.d/debian.sources
+
+## prevent services from auto-starting, part 1
+RUN s='/usr/sbin/policy-rc.d' ; b='/usr/bin/policy-rc.d' ; \
+    rm -f "$s" "$b" ; \
+    echo '#!/bin/sh' > "$b" ; \
+    echo 'exit 101' >> "$b" ; \
+    chmod 0755 "$b" ; \
+    ln -s "$b" "$s"
+
+RUN divert_true() { divert-rm.sh "$1" ; ln -sv /bin/true "$1" ; } ; \
+    ## prevent services from auto-starting, part 2
+    divert_true /sbin/start-stop-daemon ; \
+    ## always report that we're in chroot
+    divert_true /usr/bin/ischroot ; \
+    ## hide systemd helpers
+    divert_true /usr/bin/deb-systemd-helper ; \
+    divert_true /usr/bin/deb-systemd-invoke
+
+RUN apt-env.sh apt-get update ; \
+    apt-env.sh apt-get upgrade -y ; \
+    apt-clean.sh
+
+## perl-base: hardlink->symlink
+RUN d=/usr/bin ; \
+    find "$d/" -wholename "$d/perl5*" -exec ln -fsv perl {} ';' ; \
+    ls -li "$d/perl"*
+
+## remove unwanted binaries
+RUN set -f ; \
+    for i in \
+      addgroup \
+      addpart \
+      adduser \
+      apt-ftparchive \
+      agetty \
+      badblocks \
+      blkdiscard \
+      blkid \
+      blkzone \
+      blockdev \
+      bsd-write \
+      chage \
+      chcpu \
+      chfn \
+      chgpasswd \
+      chmem \
+      chpasswd \
+      chsh \
+      cpgr \
+      cppw \
+      ctrlaltdel \
+      debugfs \
+      delgroup \
+      delpart \
+      deluser \
+      dmesg \
+      dumpe2fs \
+      e2freefrag \
+      e2fsck \
+      e2image \
+      e2label \
+      e2mmpstatus \
+      e2scrub \
+     'e2scrub*' \
+      e2undo \
+      e4crypt \
+      e4defrag \
+      expiry \
+      faillock \
+      fdformat \
+      fincore \
+      findfs \
+      fsck \
+     'fsck.*' \
+      fsfreeze \
+      fstrim \
+      getty \
+      gpasswd \
+      groupadd \
+      groupdel \
+      groupmems \
+      groupmod \
+      grpck \
+      grpconv \
+      grpunconv \
+      hwclock \
+      isosize \
+      last \
+      lastb \
+      ldattach \
+      losetup \
+      lsblk \
+      lsirq \
+      lslogins \
+      mcookie \
+      mesg \
+      mke2fs \
+      mkfs \
+     'mkfs.*' \
+      mkhomedir_helper \
+      mklost+found \
+      mkswap \
+      mount \
+      newgrp \
+      newusers \
+      pam-auth-update \
+      pam_getenv \
+      pam_namespace_helper \
+      pam_timestamp_check \
+      partx \
+      passwd \
+      pivot_root \
+      pwck \
+      pwconv \
+      pwhistory_helper \
+      pwunconv \
+      raw \
+      readprofile \
+      resize2fs \
+      resizepart \
+      rtcwake \
+      sg \
+      shadowconfig \
+      su \
+      sulogin \
+      swaplabel \
+      swapoff \
+      swapon \
+      switch_root \
+      tune2fs \
+      umount \
+      unix_chkpwd \
+      unix_update \
+      update-passwd \
+      useradd \
+      userdel \
+      usermod \
+      utmpdump \
+      vigr \
+      vipw \
+      wall \
+      wdctl \
+      wipefs \
+      write \
+     'write.*' \
+      zramctl \
+    ; do \
+        for d in /usr/sbin /usr/bin /sbin /bin ; do \
+            find "$d/" ! -type d -wholename "$d/$i" \
+            | while read -r p ; do \
+                [ -n "$p" ] || continue ; \
+                [ -e "$p" ] || continue ; \
+                dpkg -S "$p" >/dev/null 2>&1 || continue ; \
+                divert-rm.sh "$p" ; \
+            done ; \
+        done ; \
+        for d in /usr/sbin /usr/bin /sbin /bin ; do \
+            find "$d/" ! -type d -wholename "$d/$i" \
+            | while read -r p ; do \
+                [ -n "$p" ] || continue ; \
+                [ -e "$p" ] || continue ; \
+                rm -fv "$p" ; \
+            done ; \
+        done ; \
+    done
+
+RUN apt-remove.sh \
+      ca-certificates \
+      e2fsprogs \
+    ; \
+    apt-clean.sh
+
+## "docker.io/python"-specific cleanup
+RUN rm -f /root/.wget-hsts
+
+RUN pip-env.sh pip list --format freeze \
+    | grep -F '==' | awk -F= '{print $1}' \
+    | xargs -r pip-env.sh pip install -U ; \
+    python-rm-cache.sh "${PYTHON_SITE_PACKAGES}"
+
+RUN libpython="${PYTHON_SITE_PACKAGES%/*}" ; \
+    rm -rfv \
+      /usr/local/bin/idle* \
+      "${libpython}/ensurepip/_bundled" \
+      "${libpython}/idlelib" \
+      "${libpython}/tkinter" \
+      "${libpython}/turtle.py" \
+      "${libpython}/turtledemo" \
+    ; \
+    python-rm-cache.sh /usr/local
+
+RUN find /usr/local/sbin/ ! -type d -ls -delete ; \
+    find /run/ -mindepth 1 -ls -delete || : ; \
+    install -d -m 01777 /run/lock
+
+ENTRYPOINT [ ]
+CMD [ "bash" ]

Dockerfile.deps

@@ -0,0 +1,100 @@
+FROM docker.io/rockdrilla/angie-conv:v0.0.1-base AS base
+
+## ---
+
+FROM base AS setup
+SHELL [ "/bin/sh", "-ec" ]
+
+COPY /scripts/*       /usr/local/sbin/
+COPY /extra-scripts/* /usr/local/sbin/
+
+ADD https://angie.software/keys/angie-signing.gpg /tmp/angie.gpg.bin
+COPY /apt/sources.angie /etc/apt/sources.list.d/angie.txt
+
+RUN pkg='gnupg' ; \
+    apt-install.sh ${pkg} ; \
+    ## process Angie GPG keyring / APT sources
+    gpg-export.sh /tmp/angie.gpg.bin /etc/apt/keyrings/angie.gpg.asc ; \
+    rm -f /tmp/angie.gpg.bin ; \
+    env -C /etc/apt/sources.list.d mv angie.txt angie.sources ; \
+    ## verify sources!
+    apt-env.sh apt-get update ; \
+    apt-remove.sh ${pkg} ; \
+    apt-clean.sh
+
+ENV INSTALL_WHEELS='jinja2 netaddr psutil pyyaml wcmatch'
+ENV DEV_PACKAGES='libyaml-dev'
+# markupsafe, psutil
+ENV CIBUILDWHEEL=1
+# pyyaml
+ENV PYYAML_FORCE_CYTHON=1
+
+RUN w=$(mktemp -d) ; : "${w:?}" ; \
+    { apt-mark showauto ; apt-mark showmanual ; } | sort -uV > "$w/t0" ; \
+    printf '%s\n' ${DEV_PACKAGES} | sort -uV > "$w/t1" ; \
+    apt-install.sh ${DEV_PACKAGES} ; \
+    { apt-mark showauto ; apt-mark showmanual ; } | sort -uV > "$w/t2" ; \
+    set +e ; \
+    grep -Fxv -f "$w/t0" "$w/t2" > "$w/t3" ; \
+    grep -Fxv -f "$w/t1" "$w/t3" > "$w/t4" ; \
+    grep -Ev -e '-(dev|doc)$' "$w/t4" > "${PYTHON_SITE_PACKAGES}/apt-deps.txt" ; \
+    set -e ; \
+    rm -rf "$w/" ; unset w ; \
+    apt-install.sh build-essential ; \
+    pip-env.sh pip install 'cython' ; \
+    pip-env.sh pip install --no-binary :all: ${INSTALL_WHEELS} ; \
+    pip-env.sh pip uninstall -y 'cython' ; \
+    python-rm-cache.sh "${PYTHON_SITE_PACKAGES}" ; \
+    rm -rf \
+      "${PYTHON_SITE_PACKAGES}/netaddr/tests" \
+      "${PYTHON_SITE_PACKAGES}/psutil/tests" \
+    ; \
+    find "${PYTHON_SITE_PACKAGES}/" -type f -name '*.so*' -exec ls -l {} + ; \
+    echo ; \
+    find "${PYTHON_SITE_PACKAGES}/" -type f -name '*.so*' -printf '%p\0' \
+    | sed -zE '/rust/d' \
+    | xargs -0r strip --verbose --strip-debug ; \
+    echo ; \
+    find "${PYTHON_SITE_PACKAGES}/" -type f -name '*.so*' -exec ls -l {} + ; \
+    apt-remove.sh build-essential ; \
+    apt-clean.sh
+
+## ---
+
+FROM base AS deps
+SHELL [ "/bin/sh", "-ec" ]
+
+COPY /Dockerfile.deps /usr/local/share/
+
+COPY --from=setup /etc/apt/keyrings/angie.gpg.asc        /etc/apt/keyrings/
+COPY --from=setup /etc/apt/sources.list.d/angie.sources  /etc/apt/sources.list.d/
+
+## Python: site-packages
+COPY --from=setup /usr/local/bin/            /usr/local/bin/
+COPY --from=setup /${PYTHON_SITE_PACKAGES}/  /${PYTHON_SITE_PACKAGES}/
+
+COPY /scripts/* /usr/local/sbin/
+
+## install missing dependencies for Python site-packages
+RUN f="${PYTHON_SITE_PACKAGES}/apt-deps.txt" ; \
+    [ -s "$f" ] || exit 0 ; \
+    xargs -a "$f" apt-install.sh ; \
+    apt-clean.sh
+
+## common deps
+RUN apt-install.sh \
+      brotli \
+      curl \
+      dumb-init \
+      gettext-base \
+      jq \
+      netbase \
+      netcat-openbsd \
+      openssl \
+      procps \
+      psmisc \
+      zstd \
+    ; \
+    apt-clean.sh
+
+RUN find /usr/local/sbin/ ! -type d -ls -delete

LICENSE

@@ -0,0 +1,175 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.

TODO

@@ -0,0 +1,3 @@
+- documentation
+- examples
+- "light" NJS module (request: https://t.me/angie_support/3315)

angie/angie.conf

@@ -0,0 +1,22 @@
+daemon off;
+pid run/angie.pid;
+
+## almost useless
+include load/mod-core-*.conf;
+
+# mod-http.conf
+# mod-mail.conf
+# mod-stream.conf
+include run/mod-*.conf;
+
+events {
+    include autoconf.d/core_ev-*.conf;
+    include load/core_ev-*.conf;
+}
+include autoconf.d/core-*.conf;
+include load/core-*.conf;
+
+# ctx-http.conf
+# ctx-mail.conf
+# ctx-stream.conf
+include run/ctx-*.conf;

angie/autoconf.dist/core-error-log.conf

@@ -0,0 +1 @@
+error_log log.d/error.log warn;

angie/autoconf.dist/core-lock-file.conf

@@ -0,0 +1 @@
+lock_file lock/angie.lock;

angie/autoconf.dist/core-pcre-jit.conf

@@ -0,0 +1 @@
+pcre_jit on;

angie/autoconf.dist/core-user.conf.in

@@ -0,0 +1,3 @@
+## if container is running in non-privileged mode,
+## then this file is going to be removed by /image-entry.d/76-adjust-core-user.sh
+user ${NGX_USER} ${NGX_GROUP};

angie/autoconf.dist/core-worker-env.conf.j2

@@ -0,0 +1,31 @@
+{#- prologue -#}
+{#- NB: "TZ" is always provided by Angie itself -#}
+{%- set c_env = ( j2cfg.core_worker_env or [] ) | any_to_env_dict -%}
+{%- set c_vars = c_env | dict_keys -%}
+{%- set c_vars_passthrough = c_env | dict_empty_keys -%}
+{%- set c_vars_override = c_env | dict_non_empty_keys -%}
+{%- set vars_passthrough = (env_passthrough + c_vars_passthrough) | uniq | list_intersect(env | dict_keys) -%}
+
+{#- main part -#}
+## preserve
+{%- for k in env_preserve %}
+env {{ k }};
+{%- endfor %}
+
+## passthrough
+{%- for k in vars_passthrough %}
+env {{ k }};
+{%- endfor %}
+
+{% if c_vars_override %}
+## WARNING!
+## explicit environment variables are NOT implemented
+## reason: envs are supported only for http_perl but not for http_js/stream_js
+## solution: provide environment variables explicitly
+##   and then list them in "core_worker_env" key in config
+##
+  {%- for k in c_vars_override %}
+    {#- {%- set v = c_env[k] %} #}
+## env {{ k }}={{ c_env[k].__repr__() }};
+  {%- endfor %}
+{%- endif %}

angie/autoconf.dist/core-worker.conf.j2

@@ -0,0 +1,10 @@
+worker_processes {{ env.NGX_WORKER_PROCESSES }};
+{%- if env.NGX_WORKER_CPU_AFFINITY %}
+worker_cpu_affinity {{ env.NGX_WORKER_CPU_AFFINITY }};
+{%- endif %}
+{%- if env.NGX_WORKER_PRIORITY %}
+worker_priority {{ env.NGX_WORKER_PRIORITY }};
+{%- endif %}
+{%- if env.NGX_WORKER_RLIMIT_NOFILE %}
+worker_rlimit_nofile {{ env.NGX_WORKER_RLIMIT_NOFILE }};
+{%- endif %}

angie/autoconf.dist/core_ev-worker.conf.j2

@@ -0,0 +1,7 @@
+worker_connections {{ env.NGX_WORKER_CONNECTIONS }};
+{%- if env.NGX_WORKER_AIO_REQUESTS %}
+worker_aio_requests {{ env.NGX_WORKER_AIO_REQUESTS }};
+{%- endif %}
+{%- if env.NGX_WORKER_PRIORITY %}
+worker_priority {{ env.NGX_WORKER_PRIORITY }};
+{%- endif %}

angie/autoconf.dist/http-access-log.conf

@@ -0,0 +1,12 @@
+log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                  '$status $body_bytes_sent "$http_referer" '
+                  '"$http_user_agent" "$http_x_forwarded_for"';
+
+log_format extended '$remote_addr - $remote_user [$time_local] "$request" '
+                    '$status $body_bytes_sent "$http_referer" rt="$request_time" '
+                    '"$http_user_agent" "$http_x_forwarded_for" '
+                    'h="$host" sn="$server_name" ru="$request_uri" u="$uri" '
+                    'ucs="$upstream_cache_status" ua="$upstream_addr" us="$upstream_status" '
+                    'uct="$upstream_connect_time" urt="$upstream_response_time"';
+
+access_log log.d/access.log main;

angie/autoconf.dist/http-alt-svc.conf.j2

@@ -0,0 +1,12 @@
+{#- prologue -#}
+{%- set extra_proto = ['v3', 'v2'] -%}
+{%- set confload = ( env.NGX_HTTP_CONFLOAD or '' ) | str_split_to_list -%}
+{%- set proto = confload | list_intersect(extra_proto) -%}
+{#- ALPN mapping -#}
+{%- set proto = proto | re_sub('^v2$', 'h2=":443"; ma=3600') -%}
+{%- set proto = proto | re_sub('^v3$', 'h3=":443"; ma=3600') -%}
+{#- main part -#}
+{%- if proto %}
+{#- TODO: precise quotation #}
+add_header  Alt-Svc  {{ (proto | join(', ')).__repr__() }};
+{%- endif %}

angie/autoconf.dist/http-buffers.conf

@@ -0,0 +1,4 @@
+subrequest_output_buffer_size     16k;
+client_body_buffer_size           16k;
+client_header_buffer_size          4k;
+large_client_header_buffers    8  16k;

angie/autoconf.dist/http-max-ranges.conf.j2

@@ -0,0 +1,3 @@
+{%- if env.NGX_HTTP_MAX_RANGES %}
+max_ranges {{ env.NGX_HTTP_MAX_RANGES }};
+{%- endif %}

angie/autoconf.dist/http-mime-types.conf

@@ -0,0 +1,8 @@
+include snip.d/mime.types;
+
+types {
+    font/ttf               ttf;
+    application/font-sfnt  otf;
+}
+
+default_type  application/octet-stream;

angie/autoconf.dist/http-request-headers-basic.conf.j2

@@ -0,0 +1,26 @@
+map $http_upgrade
+    $req_connection
+{
+    default  upgrade;
+    ""       "";
+}
+
+map $http_user_agent
+    $req_user_agent
+{
+    default  $http_user_agent;
+{%- if env.NGX_HTTP_FAKE_UA %}
+    ## merely fake
+    ""  {{ env.NGX_HTTP_FAKE_UA.__repr__() }};
+{%- else %}
+    ""  "Angie/$angie_version";
+{%- endif %}
+}
+
+map $http_accept
+    $req_accept
+{
+    volatile;
+    default  $http_accept;
+    ""       "*/*";
+}

angie/autoconf.dist/http-request-headers-forwarded.conf

@@ -0,0 +1,27 @@
+## ref:
+## - https://www.digitalocean.com/community/tools/nginx?domains.0.reverseProxy.reverseProxy=true
+map $remote_addr
+    $proxy_forwarded_elem
+{
+    ## IPv4 addresses can be sent as-is
+    ~^[0-9.]+$         "for=$remote_addr";
+    ## IPv6 addresses need to be bracketed and quoted
+    ~^[0-9A-Fa-f:.]+$  "for=\"[$remote_addr]\"";
+    ## Unix domain socket names cannot be represented in RFC 7239 syntax
+    default            "for=unknown";
+}
+
+## ref:
+## - https://www.digitalocean.com/community/tools/nginx?domains.0.reverseProxy.reverseProxy=true
+## - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
+map $http_forwarded
+    $proxy_add_forwarded
+{
+    volatile;
+
+    ## if the incoming Forwarded header is syntactically valid, append to it
+    "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
+
+    ## otherwise, replace it
+    default  "$proxy_forwarded_elem";
+}

angie/autoconf.dist/http-response-headers.conf.j2

@@ -0,0 +1,6 @@
+## add response headers
+{%- set resp_hdr_dict = j2cfg.response_headers or {} -%}
+{%- for h, v in resp_hdr_dict.items() %}
+{#- TODO: precise quotation #}
+add_header  {{ h }}  {{ v.__repr__() }};
+{%- endfor %}

angie/autoconf.dist/http-webroot.conf.in

@@ -0,0 +1 @@
+root ${NGX_HTTP_WEBROOT};

angie/conf.dist/brotli/buffers.conf

@@ -0,0 +1,5 @@
+brotli_comp_level   5; # default: 6
+brotli_window     64k; # default: 512k
+
+brotli_min_length     1024;
+brotli_buffers     32  16k;

angie/conf.dist/brotli/types.conf.j2

@@ -0,0 +1,9 @@
+{%- set mime_types = j2cfg.compress_types or [] -%}
+{%- set mime_types = mime_types | any_to_str_list | uniq_str_list -%}
+{%- if mime_types -%}
+brotli_types
+{%- for t in mime_types %}
+    {{ t }}
+{%- endfor %}
+;
+{%- endif -%}

angie/conf.dist/core-quic-bpf.conf

@@ -0,0 +1 @@
+quic_bpf on;

angie/conf.dist/core_ev-accept-mutex-delay.conf

@@ -0,0 +1 @@
+accept_mutex_delay 200ms;

angie/conf.dist/core_ev-accept-mutex.conf

@@ -0,0 +1 @@
+accept_mutex on;

angie/conf.dist/core_ev-multi-accept.conf

@@ -0,0 +1 @@
+multi_accept on;

angie/conf.dist/fastcgi/buffers.conf

@@ -0,0 +1,4 @@
+fastcgi_buffers           16  16k;
+fastcgi_buffer_size           16k;
+fastcgi_busy_buffers_size     32k;
+fastcgi_temp_file_write_size  32k;

angie/conf.dist/fastcgi/cache-bypass.conf.j2

@@ -0,0 +1,15 @@
+{#- TODO: precise quotation -#}
+{%- set cache_bypass = j2cfg.cache_bypass or [] -%}
+{%- if cache_bypass -%}
+## disable (response) cache under following conditions
+fastcgi_cache_bypass
+{%- for v in cache_bypass %}
+    {{ v.__repr__() }}
+{%- endfor %}
+;
+fastcgi_no_cache
+{%- for v in cache_bypass %}
+    {{ v.__repr__() }}
+{%- endfor %}
+;
+{%- endif -%}

angie/conf.dist/fastcgi/headers.conf.j2

@@ -0,0 +1,13 @@
+## hide/remove request headers
+{%- set req_hdr_dict = j2cfg.request_headers or {} -%}
+{%- for h, v in req_hdr_dict.items() %}
+{#- TODO: precise quotation #}
+fastcgi_param  {{ h | as_cgi_header }}  {{ v.__repr__() }};
+{%- endfor %}
+
+## hide response headers
+{%- set resp_hdr_dict = j2cfg.response_headers or {} -%}
+{%- set resp_hdr_list = resp_hdr_dict | dict_keys -%}
+{%- for h in resp_hdr_list %}
+fastcgi_hide_header  {{ h }};
+{%- endfor %}

angie/conf.dist/fastcgi/param.conf

@@ -0,0 +1,7 @@
+include snip.d/fastcgi.conf;
+
+fastcgi_param  PATH_INFO    $path_info;
+
+fastcgi_param  AUTH_USER    $remote_user;
+fastcgi_param  REMOTE_USER  $remote_user;
+fastcgi_param  HTTP_HOST    $host;

angie/conf.dist/grpc/buffers.conf

@@ -0,0 +1 @@
+grpc_buffer_size  16k;

angie/conf.dist/grpc/headers.conf.j2

@@ -0,0 +1,13 @@
+## hide/remove request headers
+{%- set req_hdr_dict = j2cfg.request_headers or {} -%}
+{%- for h, v in req_hdr_dict.items() %}
+{#- TODO: precise quotation #}
+grpc_set_header  {{ h }}  {{ v.__repr__() }};
+{%- endfor %}
+
+## hide response headers
+{%- set resp_hdr_dict = j2cfg.response_headers or {} -%}
+{%- set resp_hdr_list = resp_hdr_dict | dict_keys -%}
+{%- for h in resp_hdr_list %}
+grpc_hide_header  {{ h }};
+{%- endfor %}

angie/conf.dist/grpc/ssl-cmd.conf.j2

@@ -0,0 +1,4 @@
+{%- for k, v in j2cfg.tls.conf_cmd.items() %}
+{#- TODO: precise quotation #}
+grpc_ssl_conf_command  {{ k }}  {{ v.__repr__() }};
+{%- endfor %}

angie/conf.dist/grpc/ssl-verify.conf

@@ -0,0 +1 @@
+grpc_ssl_verify on;

angie/conf.dist/grpc/tls-ca-file.conf.in

@@ -0,0 +1 @@
+grpc_ssl_trusted_certificate ${NGX_SSL_CERT_FILE};

angie/conf.dist/gzip/buffers.conf

@@ -0,0 +1,4 @@
+gzip_comp_level  2; # default: 1
+
+gzip_min_length     1024;
+gzip_buffers     32  16k;

angie/conf.dist/gzip/proxied.conf

@@ -0,0 +1 @@
+gzip_proxied any;

angie/conf.dist/gzip/types.conf.j2

@@ -0,0 +1,9 @@
+{%- set mime_types = j2cfg.compress_types or [] -%}
+{%- set mime_types = mime_types | any_to_str_list | uniq_str_list -%}
+{%- if mime_types -%}
+gzip_types
+{%- for t in mime_types %}
+    {{ t }}
+{%- endfor %}
+;
+{%- endif -%}

angie/conf.dist/gzip/vary.conf

@@ -0,0 +1 @@
+gzip_vary on;

angie/conf.dist/http-brotli-static.conf

@@ -0,0 +1 @@
+brotli_static on;

angie/conf.dist/http-brotli.conf

@@ -0,0 +1,2 @@
+include conf.d/brotli/*.conf;
+brotli on;

angie/conf.dist/http-fastcgi.conf

@@ -0,0 +1 @@
+include conf.d/fastcgi/*.conf;

angie/conf.dist/http-grpc.conf

@@ -0,0 +1 @@
+include conf.d/grpc/*.conf;

angie/conf.dist/http-gunzip.conf

@@ -0,0 +1,2 @@
+gunzip_buffers  16  16k;
+gunzip on;

angie/conf.dist/http-gzip-static.conf

@@ -0,0 +1 @@
+gzip_static on;

angie/conf.dist/http-gzip.conf

@@ -0,0 +1,2 @@
+include conf.d/gzip/*.conf;
+gzip on;

angie/conf.dist/http-modsecurity.conf

@@ -0,0 +1,4 @@
+modsecurity_rules_file /etc/angie/modsecurity.d/rules.conf;
+
+## NOT enabling ModSecurity by default!
+# modsecurity on;

angie/conf.dist/http-njs.conf

@@ -0,0 +1 @@
+include conf.d/njs/*.conf;

angie/conf.dist/http-perl.conf

@@ -0,0 +1 @@
+perl_modules /etc/angie/site.d;

angie/conf.dist/http-proxy.conf

@@ -0,0 +1,2 @@
+include conf.d/proxy/*.conf;
+include conf.d/proxy-http/*.conf;

angie/conf.dist/http-quic-gso.conf.j2

@@ -0,0 +1,5 @@
+quic_gso on;
+
+{%- if env.NGX_HTTP_NO_PROXY == '0' %}
+proxy_quic_gso on;
+{%- endif %}

angie/conf.dist/http-scgi.conf

@@ -0,0 +1 @@
+include conf.d/scgi/*.conf;

angie/conf.dist/http-ssl.conf.j2

@@ -0,0 +1,27 @@
+include conf.d/ssl/*.conf;
+
+## lowering from 16k to 4k to improve time-to-first-byte
+ssl_buffer_size  4k;
+
+{%- if env.NGX_HTTP_SSL_PROFILE %}
+include snip.d/ssl-{{ env.NGX_HTTP_SSL_PROFILE }};
+{%- endif %}
+
+{%- if j2cfg.tls.stapling.enable %}
+ssl_stapling on;
+  {%- if j2cfg.tls.stapling.verify %}
+ssl_stapling_verify on;
+  {%- else %}
+ssl_stapling_verify off;
+  {%- endif %}
+  {%- if j2cfg.tls.stapling.file %}
+{#- TODO: precise quotation #}
+ssl_stapling_file {{ j2cfg.tls.stapling.file.__repr__() }};
+  {%- endif %}
+  {%- if j2cfg.tls.stapling.responder %}
+{#- TODO: precise quotation #}
+ssl_stapling_responder {{ j2cfg.tls.stapling.responder.__repr__() }};
+  {%- endif %}
+{%- else %}
+ssl_stapling off;
+{%- endif %}

angie/conf.dist/http-uwsgi.conf

@@ -0,0 +1 @@
+include conf.d/uwsgi/*.conf;

angie/conf.dist/http-v2.conf

@@ -0,0 +1,2 @@
+include conf.d/http2/*.conf;
+http2 on;

angie/conf.dist/http-v3.conf

@@ -0,0 +1,2 @@
+include conf.d/http3/*.conf;
+http3 on;

angie/conf.dist/http-zstd-static.conf

@@ -0,0 +1 @@
+zstd_static on;

angie/conf.dist/http-zstd.conf

@@ -0,0 +1,2 @@
+include conf.d/zstd/*.conf;
+zstd on;

angie/conf.dist/http2/param.conf

@@ -0,0 +1,2 @@
+http2_chunk_size 16k;
+http2_body_preread_size 64k;

angie/conf.dist/http3/param.conf.j2

@@ -0,0 +1,9 @@
+http3_max_concurrent_streams 128; #default
+http3_stream_buffer_size 64k; #default
+quic_active_connection_id_limit 3;
+
+{%- if env.NGX_HTTP_NO_PROXY == '0' %}
+proxy_http3_max_concurrent_streams 128; #default
+proxy_http3_stream_buffer_size 64k; #default
+proxy_quic_active_connection_id_limit 3;
+{%- endif %}

angie/conf.dist/mail-ssl.conf.j2

@@ -0,0 +1,5 @@
+include conf.d/ssl/*.conf;
+
+{%- if env.NGX_MAIL_SSL_PROFILE %}
+include snip.d/ssl-{{ env.NGX_MAIL_SSL_PROFILE }};
+{%- endif %}

angie/conf.dist/njs/path.conf

@@ -0,0 +1 @@
+js_path /etc/angie/site.d;

angie/conf.dist/njs/tls-ca-file.conf.in

@@ -0,0 +1 @@
+js_fetch_trusted_certificate ${NGX_SSL_CERT_FILE};

angie/conf.dist/proxy-http/buffers.conf

@@ -0,0 +1,4 @@
+proxy_buffers           16  16k;
+proxy_buffer_size           16k;
+proxy_busy_buffers_size     32k;
+proxy_temp_file_write_size  32k;

angie/conf.dist/proxy-http/cache-bypass.conf.j2

@@ -0,0 +1,15 @@
+{#- TODO: precise quotation -#}
+{%- set cache_bypass = j2cfg.cache_bypass or [] -%}
+{%- if cache_bypass -%}
+## disable (response) cache under following conditions
+proxy_cache_bypass
+{%- for v in cache_bypass %}
+    {{ v.__repr__() }}
+{%- endfor %}
+;
+proxy_no_cache
+{%- for v in cache_bypass %}
+    {{ v.__repr__() }}
+{%- endfor %}
+;
+{%- endif -%}

angie/conf.dist/proxy-http/headers.conf.j2

@@ -0,0 +1,13 @@
+## hide/remove request headers
+{%- set req_hdr_dict = j2cfg.request_headers or {} -%}
+{%- for h, v in req_hdr_dict.items() %}
+{#- TODO: precise quotation #}
+proxy_set_header  {{ h }}  {{ v.__repr__() }};
+{%- endfor %}
+
+## hide response headers
+{%- set resp_hdr_dict = j2cfg.response_headers or {} -%}
+{%- set resp_hdr_list = resp_hdr_dict | dict_keys -%}
+{%- for h in resp_hdr_list %}
+proxy_hide_header  {{ h }};
+{%- endfor %}

angie/conf.dist/proxy-http/version.conf

@@ -0,0 +1 @@
+proxy_http_version 1.1;

angie/conf.dist/proxy/ssl-cmd.conf.j2

@@ -0,0 +1,4 @@
+{%- for k, v in j2cfg.tls.conf_cmd.items() %}
+{#- TODO: precise quotation #}
+proxy_ssl_conf_command  {{ k }}  {{ v.__repr__() }};
+{%- endfor %}

angie/conf.dist/proxy/ssl-verify.conf

@@ -0,0 +1 @@
+proxy_ssl_verify on;

angie/conf.dist/scgi/buffers.conf

@@ -0,0 +1,4 @@
+scgi_buffers           16  16k;
+scgi_buffer_size           16k;
+scgi_busy_buffers_size     32k;
+scgi_temp_file_write_size  32k;

angie/conf.dist/scgi/cache-bypass.conf.j2

@@ -0,0 +1,15 @@
+{#- TODO: precise quotation -#}
+{%- set cache_bypass = j2cfg.cache_bypass or [] -%}
+{%- if cache_bypass -%}
+## disable (response) cache under following conditions
+scgi_cache_bypass
+{%- for v in cache_bypass %}
+    {{ v.__repr__() }}
+{%- endfor %}
+;
+scgi_no_cache
+{%- for v in cache_bypass %}
+    {{ v.__repr__() }}
+{%- endfor %}
+;
+{%- endif -%}

angie/conf.dist/scgi/headers.conf.j2

@@ -0,0 +1,13 @@
+## hide/remove request headers
+{%- set req_hdr_dict = j2cfg.request_headers or {} -%}
+{%- for h, v in req_hdr_dict.items() %}
+{#- TODO: precise quotation #}
+scgi_param  {{ h | as_cgi_header }}  {{ v.__repr__() }};
+{%- endfor %}
+
+## hide response headers
+{%- set resp_hdr_dict = j2cfg.response_headers or {} -%}
+{%- set resp_hdr_list = resp_hdr_dict | dict_keys -%}
+{%- for h in resp_hdr_list %}
+scgi_hide_header  {{ h }};
+{%- endfor %}

angie/conf.dist/scgi/param.conf

@@ -0,0 +1,7 @@
+include snip.d/scgi_params;
+
+scgi_param  PATH_INFO    $path_info;
+
+scgi_param  AUTH_USER    $remote_user;
+scgi_param  REMOTE_USER  $remote_user;
+scgi_param  HTTP_HOST    $host;

angie/conf.dist/ssl/cmd.conf.j2

@@ -0,0 +1,4 @@
+{%- for k, v in j2cfg.tls.conf_cmd.items() %}
+{#- TODO: precise quotation #}
+ssl_conf_command  {{ k }}  {{ v.__repr__() }};
+{%- endfor %}

angie/conf.dist/stream-njs.conf

@@ -0,0 +1 @@
+include conf.d/njs/*.conf;

angie/conf.dist/stream-proxy.conf

@@ -0,0 +1,2 @@
+include conf.d/proxy/*.conf;
+include conf.d/proxy-stream/*.conf;

angie/conf.dist/stream-ssl.conf.j2

@@ -0,0 +1,5 @@
+include conf.d/ssl/*.conf;
+
+{%- if env.NGX_STREAM_SSL_PROFILE %}
+include snip.d/ssl-{{ env.NGX_STREAM_SSL_PROFILE }};
+{%- endif %}

angie/conf.dist/uwsgi/buffers.conf

@@ -0,0 +1,4 @@
+uwsgi_buffers           16  16k;
+uwsgi_buffer_size           16k;
+uwsgi_busy_buffers_size     32k;
+uwsgi_temp_file_write_size  32k;

angie/conf.dist/uwsgi/cache-bypass.conf.j2

@@ -0,0 +1,15 @@
+{#- TODO: precise quotation -#}
+{%- set cache_bypass = j2cfg.cache_bypass or [] -%}
+{%- if cache_bypass -%}
+## disable (response) cache under following conditions
+uwsgi_cache_bypass
+{%- for v in cache_bypass %}
+    {{ v.__repr__() }}
+{%- endfor %}
+;
+uwsgi_no_cache
+{%- for v in cache_bypass %}
+    {{ v.__repr__() }}
+{%- endfor %}
+;
+{%- endif -%}

angie/conf.dist/uwsgi/headers.conf.j2

@@ -0,0 +1,13 @@
+## hide/remove request headers
+{%- set req_hdr_dict = j2cfg.request_headers or {} -%}
+{%- for h, v in req_hdr_dict.items() %}
+{#- TODO: precise quotation #}
+uwsgi_param  {{ h | as_cgi_header }}  {{ v.__repr__() }};
+{%- endfor %}
+
+## hide response headers
+{%- set resp_hdr_dict = j2cfg.response_headers or {} -%}
+{%- set resp_hdr_list = resp_hdr_dict | dict_keys -%}
+{%- for h in resp_hdr_list %}
+uwsgi_hide_header  {{ h }};
+{%- endfor %}

angie/conf.dist/uwsgi/param.conf

@@ -0,0 +1,7 @@
+include snip.d/uwsgi_params;
+
+uwsgi_param  PATH_INFO    $path_info;
+
+uwsgi_param  AUTH_USER    $remote_user;
+uwsgi_param  REMOTE_USER  $remote_user;
+uwsgi_param  HTTP_HOST    $host;

angie/conf.dist/uwsgi/ssl-cmd.conf.j2

@@ -0,0 +1,4 @@
+{%- for k, v in j2cfg.tls.conf_cmd.items() %}
+{#- TODO: precise quotation #}
+uwsgi_ssl_conf_command  {{ k }}  {{ v.__repr__() }};
+{%- endfor %}

angie/conf.dist/uwsgi/tls-ca-file.conf.in

@@ -0,0 +1 @@
+uwsgi_ssl_trusted_certificate ${NGX_SSL_CERT_FILE};

angie/conf.dist/zstd/buffers.conf

@@ -0,0 +1,4 @@
+zstd_comp_level  2; # default: 1
+
+zstd_min_length  1024;
+zstd_buffers     32  16k;

angie/conf.dist/zstd/types.conf.j2

@@ -0,0 +1,9 @@
+{%- set mime_types = j2cfg.compress_types or [] -%}
+{%- set mime_types = mime_types | any_to_str_list | uniq_str_list -%}
+{%- if mime_types -%}
+zstd_types
+{%- for t in mime_types %}
+    {{ t }}
+{%- endfor %}
+;
+{%- endif -%}

angie/ctx-http.conf

@@ -0,0 +1,5 @@
+http {
+    include autoconf.d/http-*.conf;
+    include load/http-*.conf;
+    include site.d/http-*.conf;
+}

angie/ctx-mail.conf

@@ -0,0 +1,5 @@
+mail {
+    include autoconf.d/mail-*.conf;
+    include load/mail-*.conf;
+    include site.d/mail-*.conf;
+}

angie/ctx-stream.conf

@@ -0,0 +1,5 @@
+stream {
+    include autoconf.d/stream-*.conf;
+    include load/stream-*.conf;
+    include site.d/stream-*.conf;
+}

angie/j2cfg.dist/00-defaults.yml.j2

@@ -0,0 +1,93 @@
+cache_bypass:
+- '$http_authorization'
+- '$http_pragma'
+- '$http_upgrade'
+
+compress_types:
+- application/atom+xml
+- application/javascript
+- application/json
+- application/vnd.api+json
+- application/rss+xml
+- application/x-javascript
+- application/xhtml+xml
+- application/xml
+- image/svg+xml
+- image/x-icon
+- text/css
+- text/javascript
+- text/plain
+- text/xml
+
+request_headers:
+{% if env.NGX_HTTP_TRANSPARENT_PROXY == '0' %}
+  Host: '$proxy_host'
+  X-Real-IP: '$remote_addr'
+  ## '$proxy_add_forwarded' is defined in /angie/autoconf.dist/http-request-headers-forwarded.conf
+  Forwarded: '$proxy_add_forwarded'
+{% elif env.NGX_HTTP_TRANSPARENT_PROXY == '1' %}
+  Host: '$host'
+  X-Real-IP: ''
+  Forwarded: ''
+{% endif %}
+
+request_headers:
+  ## do not pass Accept-Encoding to backend
+  Accept-Encoding: ""
+  ## '$req_accept' is defined in /angie/autoconf.dist/http-request-headers-basic.conf.j2
+  Accept: '$req_accept'
+  ## '$req_connection' is defined in /angie/autoconf.dist/http-request-headers-basic.conf.j2
+  Connection: '$req_connection'
+  Upgrade: '$http_upgrade'
+  Early-Data: '$ssl_early_data'
+  ## '$req_user_agent' is defined in /angie/autoconf.dist/http-request-headers-basic.conf.j2
+  User-Agent: '$req_user_agent'
+{% if env.NGX_HTTP_X_FORWARDED == 'pass' %}
+  X-Forwarded-Proto: '$scheme'
+  X-Forwarded-Host: '$host'
+  X-Forwarded-Port: '$server_port'
+  X-Forwarded-For: '$proxy_add_x_forwarded_for'
+{% elif env.NGX_HTTP_X_FORWARDED == 'remove' %}
+  X-Forwarded-Proto: ''
+  X-Forwarded-Host: ''
+  X-Forwarded-Port: ''
+  X-Forwarded-For: ''
+{% endif %}
+
+response_headers:
+{% if env.NGX_HTTP_TRANSPARENT_PROXY == '0' %}
+  Permissions-Policy: "accelerometer=(), autoplay=(), browsing-topics=(), camera=(), clipboard-read=(), clipboard-write=(), geolocation=(), gyroscope=(), hid=(), interest-cohort=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), sync-xhr=(), usb=()"
+  Referrer-Policy: "no-referrer-when-downgrade"
+  Strict-Transport-Security: "max-age=15724800; includeSubDomains; preload"
+  X-Content-Type-Options: "nosniff"
+  X-Frame-Options: "SAMEORIGIN"
+  X-XSS-Protection: "1; mode=block"
+{% endif %}
+
+tls:
+  ## https://docs.openssl.org/3.0/man3/SSL_CONF_cmd/#supported-configuration-file-commands
+  conf_cmd:
+    Options: PrioritizeChaCha
+  stapling:
+    enable: false
+    verify: true
+  profiles:
+    modern:
+      protocols: TLSv1.3
+     #prefer_server_ciphers: false
+      session_tickets: false
+      session_timeout: 1d
+    intermediate:
+      protocols: TLSv1.2 TLSv1.3
+     #prefer_server_ciphers: false
+      ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+      dhparam: /etc/angie/tls.d/ffdhe2048.pem
+      session_tickets: false
+      session_timeout: 1d
+    old:
+      protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
+      prefer_server_ciphers: true
+      ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
+      dhparam: /etc/angie/tls.d/dh1024.pem
+      session_tickets: false
+      session_timeout: 1d

angie/mod-http.conf

@@ -0,0 +1 @@
+include load/mod-http-*.conf;

angie/mod-mail.conf

@@ -0,0 +1 @@
+include load/mod-mail-*.conf;

angie/mod-stream.conf

@@ -0,0 +1 @@
+include load/mod-stream-*.conf;