initial commit
5606e66ba4
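--- a/.dockerignore
+++ b/.dockerignore
@@ -0,0 +1,2 @@
+j2cfg/__pycache__
+j2cfg/j2cfg/__pycache__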
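--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,4 @@
+/.mypy_cache
+/.vscode
+__pycache__
+*.py[co]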
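--- a/Dockerfile
+++ b/Dockerfile
@@ -0,0 +1,224 @@
+FROM docker.io/rockdrilla/angie-conv:v0.0.1-deps AS deps
+
+## ---
+
+FROM deps AS certs
+SHELL [ "/bin/sh", "-ec" ]
+
+COPY /scripts/* /usr/local/sbin/
+COPY /extra-scripts/* /usr/local/sbin/
+
+## consult https://github.com/certifi/python-certifi/
+ENV CERTIFI_COMMIT=bd8153872e9c6fc98f4023df9c2deaffea2fa463
+
+RUN apt-install.sh ca-certificates ; \
+## process certifi
+ca_file='/etc/ssl/certs/ca-certificates.crt' ; \
+openssl-cert-fingerprint.sh "${ca_file}" | sort -uV > "${ca_file}.fp.orig" ; \
+ls -l "${ca_file}" ; \
+certifi-extras.sh ; \
+openssl-cert-fingerprint.sh "${ca_file}" | sort -uV > "${ca_file}.fp" ; \
+chmod 0444 "${ca_file}" "${ca_file}.fp" "${ca_file}.fp.orig" ; \
+ls -l "${ca_file}" "${ca_file}.fp" "${ca_file}.fp.orig"
+
+## ---
+
+FROM deps AS pycache
+SHELL [ "/bin/sh", "-ec" ]
+
+COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+
+COPY /scripts/* /usr/local/sbin/
+COPY /extra-scripts/* /usr/local/sbin/
+
+COPY /j2cfg/ /usr/local/lib/j2cfg/
+
+ENV PYTHONDONTWRITEBYTECODE=''
+
+## Python cache preseed
+
+RUN python3 -m compileall -q -j 2 /usr/local/lib/j2cfg/
+
+RUN libpython="${PYTHON_SITE_PACKAGES%/*}" ; \
+find "${libpython}/" -mindepth 1 -maxdepth 1 -printf '%P\0' \
+| sed -zEn \
+-e '/^(collections|importlib|json|re)$/p' \
+| sort -zV \
+| env -C "${libpython}" xargs -0r \
+python3 -m compileall -q -j 2 ; \
+find "${PYTHON_SITE_PACKAGES}/" -mindepth 1 -maxdepth 1 -printf '%P\0' \
+| sed -zE \
+-e '/\.(dist-info|pth|txt)$/d' \
+-e '/^(pip|pkg_resources|setuptools|wheel)$/d' \
+| sort -zV \
+| env -C "${PYTHON_SITE_PACKAGES}" xargs -0r \
+python3 -m compileall -q -j 2
+
+## Python cache warmup
+RUN j2cfg-single /usr/local/lib/j2cfg/test.j2 /tmp/test ; \
+cat /tmp/test ; echo ; echo ; \
+rm -f /tmp/test
+
+## Python cache adjustments
+RUN d="@$(date '+%s')" ; \
+find /usr/local/lib/ -name '*.pyc' -exec touch -m -d "$d" {} + ; \
+find /usr/local/lib/ -name __pycache__ -exec touch -m -d "$d" {} +
+
+## ---
+
+FROM deps
+SHELL [ "/bin/sh", "-ec" ]
+
+## NB: NGX_DEBUG is set via build script
+
+COPY /Dockerfile /usr/local/share/
+
+COPY --from=certs /etc/ssl/certs/ca-certificates.* /etc/ssl/certs/
+
+## RFC: Python cache
+## TODO: reduce load by selecting only __pycache__ directories in either way
+COPY --from=pycache /usr/local/lib/ /usr/local/lib/
+
+## already copied by statement above
+# COPY /j2cfg/ /usr/local/lib/j2cfg/
+
+ENV ANGIE_MODULES_DIR=/usr/lib/angie/modules
+
+COPY /scripts/* /usr/local/bin/
+
+RUN _UID=11111 _GID=11111 ; \
+echo "angie:x:${_UID}:${_GID}:Angie:/etc/angie:/bin/false" >> /etc/passwd ; \
+echo "angie:x:${_GID}:" >> /etc/group ; \
+echo 'angie:!:::::::' >> /etc/shadow
+
+RUN apt-install.sh angie ; \
+apt-clean.sh ; \
+## verify Angie layout
+[ -d "${ANGIE_MODULES_DIR}" ] ; \
+n='/usr/sbin/angie' ; \
+[ -x "$n-debug" ] ; \
+[ -x "$n-nodebug" ] ; \
+## adjust Angie binaries
+rm -fv "$n" ; \
+if [ "${NGX_DEBUG}" = 0 ] ; then \
+rm -fv "$n-debug" ; \
+mv -fv "$n-nodebug" "$n" ; \
+else \
+rm -fv "$n-nodebug" ; \
+mv -fv "$n-debug" "$n" ; \
+fi
+
+## preserve snippets from Angie config directory
+## ref: https://git.angie.software/web-server/angie/src/tag/Angie-1.6.2/conf
+RUN d=/etc/angie ; t=$(mktemp -d) ; \
+tar -C "$d" -cf - \
+fastcgi_params \
+fastcgi.conf \
+mime.types \
+prometheus_all.conf \
+scgi_params \
+uwsgi_params \
+| tar -C "$t" -xf - ; \
+rm -rf "$d" ; \
+install -d "$d" "$d/snip.dist" ; \
+tar -C "$t" -cf - . | tar -C "$d/snip.dist" -xf - ; \
+rm -rf "$t"
+
+## copy directory structure
+COPY /angie/ /etc/angie/
+
+## produce own layout for Angie >:)
+## /angie/ is persistence store
+RUN install -d -o angie -g angie -m 03777 /angie /run/angie ; \
+## adjust paths across filesystem
+rm -rfv /var/cache/angie/ /var/lib/angie/ /var/log/angie/ ; \
+ln -sv /run/angie/cache /var/cache/angie ; \
+ln -sv /run/angie/lib /var/lib/angie ; \
+ln -sv /run/angie/log /var/log/angie ; \
+## adjust paths in config directory
+cd /etc/angie || exit 1 ; \
+ln -sv /run/angie run ; \
+ln -sv /run/angie/load load ; \
+ln -sv /run/angie/lock lock ; \
+ln -sv ${ANGIE_MODULES_DIR} modules.dist ; \
+## hyper-modular paths:
+data='autoconf conf j2cfg mod modules site snip static tls' ; \
+vardata='cache lib log' ; \
+for n in ${data} ; do \
+for d in "$n" "$n.dist" ; do \
+[ -e "$d" ] || install -d "$d" ; \
+done ; \
+done ; \
+for n in ${data} ${vardata} ; do \
+ln -sv "/run/angie/$n" "$n.d" ; \
+done
+
+## special empty directory
+RUN d='/var/lib/empty' ; \
+rm -rf "$d" ; \
+if [ -d "$d" ] ; then exit 1 ; fi ; \
+install -d -m 0555 "$d"
+
+## prepare DH params for TLS
+## NB: disabled in pipeline for now
+## reason: too slow (and too much effort)
+# RUN cd /etc/angie/tls.dist || exit 1 ; \
+# openssl-generate-dh-bundle.sh
+
+## future quirk for angie-module-modsecurity >:)
+RUN n='modsecurity' ; \
+d="/etc/angie/$n" ; \
+ln -sv "/run/angie/$n" "$d.d" ; \
+dpkg-divert --divert "$d.dist" --rename "$d" ; \
+for p in modsecurity.conf unicode.mapping ; do \
+dpkg-divert --divert "$d.dist/$p" --rename "$d/$p" ; \
+done ; \
+p='rules.conf' ; \
+dpkg-divert --divert "$d.dist/$p.dist" --rename "$d/$p"
+
+VOLUME [ "/run/angie" ]
+
+## preseed builtin modules list
+RUN x='angie-builtin-modules.sh' ; \
+"$x" ; \
+rm -fv "$(which "$x")"
+
+## relatively lightweight modules
+RUN apt-install-angie-mod.sh \
+brotli \
+cache-purge \
+echo \
+geoip2 \
+headers-more \
+subs \
+upload \
+zip \
+zstd \
+; \
+apt-clean.sh
+
+## adjust permissions/ownership
+RUN d='/etc/angie' ; \
+chown -hR 0:0 "$d" ; \
+find "$d/" -name .gitkeep -type f -delete ; \
+find "$d/" -type d -exec chmod 0755 {} + ; \
+find "$d/" -type f -exec chmod 0644 {} +
+
+## image-entry.sh is placed into /usr/local/bin/ to allow custom entrypoint/chaining:
+## - there's no need to change ENTRYPOINT/CMD
+## - custom entrypoint should be placed in /usr/local/sbin/
+## - custom entrypoint should "exec" /usr/local/bin/image-entry.sh
+COPY /image-entry.sh /usr/local/bin/
+COPY /image-entry.d/ /image-entry.d/
+
+## must be bind-mounted only for local customization/overrides!
+# RUN install -d /image-entry
+
+## misc defaults
+ENV DUMB_INIT_SETSID=0 \
+MALLOC_ARENA_MAX=4
+
+STOPSIGNAL SIGQUIT
+
+ENTRYPOINT [ "image-entry.sh" ]
+CMD [ "angie" ]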
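Review bot: `install -d -o angie -g angie -m 03777 /angie /run/angie` in the `## produce own layout` RUN makes both directories world-writable, and the `ln -sv` lines that follow point `/etc/angie/run`, `load`, `lock` and every `<name>.d` include path into `/run/angie`, so the fragments that `angie.conf` pulls in with `include load/...` and `include run/...` are writable by any uid in the container, not only `angie`. The final stage has no `USER` and `core-user.conf.in` only drops the workers, so the case to design against is a root master re-reading on reload a fragment written by a compromised worker or by another process sharing the volume; the `image-entry.d` scripts that populate `/run/angie` are not in this commit, so the runtime flow is inferred. I'd drop the `o+w` bit, `install -d -o angie -g angie -m 03770 /angie /run/angie`, and consider keeping the generated-config subdirectories (`load`, `autoconf`, `mod`) root-owned while only `cache lib log` remain owned by `angie`.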
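--- a/Dockerfile.base
+++ b/Dockerfile.base
@@ -0,0 +1,227 @@
+# FROM docker.io/debian:bookworm-slim as base-upstream
+ARG PYTHONTAG=3.11.10-slim-bookworm
+FROM docker.io/python:${PYTHONTAG} AS base-upstream
+
+FROM base-upstream AS base
+SHELL [ "/bin/sh", "-ec" ]
+
+COPY /Dockerfile.base /usr/local/share/
+
+COPY /scripts/* /usr/local/sbin/
+COPY /extra-scripts/* /usr/local/sbin/
+
+## PATH: remove /sbin and /bin (/usr is merged)
+ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
+TMPDIR=/tmp \
+LANG=C.UTF-8 \
+LC_ALL=C.UTF-8 \
+TERM=linux \
+TZ=Etc/UTC \
+MALLOC_ARENA_MAX=2 \
+PYTHONUNBUFFERED=1 \
+PYTHONDONTWRITEBYTECODE=1
+
+## local development
+# ENV PIP_INDEX="http://127.0.0.1:8081/repository/proxy_pypi/pypi/" \
+# PIP_INDEX_URL="http://127.0.0.1:8081/repository/proxy_pypi/simple/" \
+# PIP_TRUSTED_HOST="localhost"
+
+COPY /apt/prefs.backports /etc/apt/preferences.d/backports
+COPY /apt/sources.debian /etc/apt/sources.list.d/debian.sources
+
+## prevent services from auto-starting, part 1
+RUN s='/usr/sbin/policy-rc.d' ; b='/usr/bin/policy-rc.d' ; \
+rm -f "$s" "$b" ; \
+echo '#!/bin/sh' > "$b" ; \
+echo 'exit 101' >> "$b" ; \
+chmod 0755 "$b" ; \
+ln -s "$b" "$s"
+
+RUN divert_true() { divert-rm.sh "$1" ; ln -sv /bin/true "$1" ; } ; \
+## prevent services from auto-starting, part 2
+divert_true /sbin/start-stop-daemon ; \
+## always report that we're in chroot
+divert_true /usr/bin/ischroot ; \
+## hide systemd helpers
+divert_true /usr/bin/deb-systemd-helper ; \
+divert_true /usr/bin/deb-systemd-invoke
+
+RUN apt-env.sh apt-get update ; \
+apt-env.sh apt-get upgrade -y ; \
+apt-clean.sh
+
+## perl-base: hardlink->symlink
+RUN d=/usr/bin ; \
+find "$d/" -wholename "$d/perl5*" -exec ln -fsv perl {} ';' ; \
+ls -li "$d/perl"*
+
+## remove unwanted binaries
+RUN set -f ; \
+for i in \
+addgroup \
+addpart \
+adduser \
+apt-ftparchive \
+agetty \
+badblocks \
+blkdiscard \
+blkid \
+blkzone \
+blockdev \
+bsd-write \
+chage \
+chcpu \
+chfn \
+chgpasswd \
+chmem \
+chpasswd \
+chsh \
+cpgr \
+cppw \
+ctrlaltdel \
+debugfs \
+delgroup \
+delpart \
+deluser \
+dmesg \
+dumpe2fs \
+e2freefrag \
+e2fsck \
+e2image \
+e2label \
+e2mmpstatus \
+e2scrub \
+'e2scrub*' \
+e2undo \
+e4crypt \
+e4defrag \
+expiry \
+faillock \
+fdformat \
+fincore \
+findfs \
+fsck \
+'fsck.*' \
+fsfreeze \
+fstrim \
+getty \
+gpasswd \
+groupadd \
+groupdel \
+groupmems \
+groupmod \
+grpck \
+grpconv \
+grpunconv \
+hwclock \
+isosize \
+last \
+lastb \
+ldattach \
+losetup \
+lsblk \
+lsirq \
+lslogins \
+mcookie \
+mesg \
+mke2fs \
+mkfs \
+'mkfs.*' \
+mkhomedir_helper \
+mklost+found \
+mkswap \
+mount \
+newgrp \
+newusers \
+pam-auth-update \
+pam_getenv \
+pam_namespace_helper \
+pam_timestamp_check \
+partx \
+passwd \
+pivot_root \
+pwck \
+pwconv \
+pwhistory_helper \
+pwunconv \
+raw \
+readprofile \
+resize2fs \
+resizepart \
+rtcwake \
+sg \
+shadowconfig \
+su \
+sulogin \
+swaplabel \
+swapoff \
+swapon \
+switch_root \
+tune2fs \
+umount \
+unix_chkpwd \
+unix_update \
+update-passwd \
+useradd \
+userdel \
+usermod \
+utmpdump \
+vigr \
+vipw \
+wall \
+wdctl \
+wipefs \
+write \
+'write.*' \
+zramctl \
+; do \
+for d in /usr/sbin /usr/bin /sbin /bin ; do \
+find "$d/" ! -type d -wholename "$d/$i" \
+| while read -r p ; do \
+[ -n "$p" ] || continue ; \
+[ -e "$p" ] || continue ; \
+dpkg -S "$p" >/dev/null 2>&1 || continue ; \
+divert-rm.sh "$p" ; \
+done ; \
+done ; \
+for d in /usr/sbin /usr/bin /sbin /bin ; do \
+find "$d/" ! -type d -wholename "$d/$i" \
+| while read -r p ; do \
+[ -n "$p" ] || continue ; \
+[ -e "$p" ] || continue ; \
+rm -fv "$p" ; \
+done ; \
+done ; \
+done
+
+RUN apt-remove.sh \
+ca-certificates \
+e2fsprogs \
+; \
+apt-clean.sh
+
+## "docker.io/python"-specific cleanup
+RUN rm -f /root/.wget-hsts
+
+RUN pip-env.sh pip list --format freeze \
+| grep -F '==' | awk -F= '{print $1}' \
+| xargs -r pip-env.sh pip install -U ; \
+python-rm-cache.sh "${PYTHON_SITE_PACKAGES}"
+
+RUN libpython="${PYTHON_SITE_PACKAGES%/*}" ; \
+rm -rfv \
+/usr/local/bin/idle* \
+"${libpython}/ensurepip/_bundled" \
+"${libpython}/idlelib" \
+"${libpython}/tkinter" \
+"${libpython}/turtle.py" \
+"${libpython}/turtledemo" \
+; \
+python-rm-cache.sh /usr/local
+
+RUN find /usr/local/sbin/ ! -type d -ls -delete ; \
+find /run/ -mindepth 1 -ls -delete || : ; \
+install -d -m 01777 /run/lock
+
+ENTRYPOINT [ ]
+CMD [ "bash" ]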
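Review bot: `RUN pip-env.sh pip list --format freeze | grep -F '==' | awk -F= '{print $1}' | xargs -r pip-env.sh pip install -U` upgrades every preinstalled package to whatever the index serves at build time, with no version or hash pinning, and because only the exit status of `xargs` ends the pipeline under `/bin/sh -ec`, a failing `pip list` leaves the layer silently unchanged. I'd drive the upgrade from a constraints file kept in the repository, `pip install -U -c constraints.txt <packages>`, or at least write `pip list --format freeze` into the image so the resulting versions can be audited. The same reproducibility point applies to `ARG PYTHONTAG=3.11.10-slim-bookworm`: the tag is pinned but the digest is not, so `FROM docker.io/python:${PYTHONTAG}@sha256:<DIGEST_PLACEHOLDER> AS base-upstream` would make the base immutable.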
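--- a/Dockerfile.deps
+++ b/Dockerfile.deps
@@ -0,0 +1,100 @@
+FROM docker.io/rockdrilla/angie-conv:v0.0.1-base AS base
+
+## ---
+
+FROM base AS setup
+SHELL [ "/bin/sh", "-ec" ]
+
+COPY /scripts/* /usr/local/sbin/
+COPY /extra-scripts/* /usr/local/sbin/
+
+ADD https://angie.software/keys/angie-signing.gpg /tmp/angie.gpg.bin
+COPY /apt/sources.angie /etc/apt/sources.list.d/angie.txt
+
+RUN pkg='gnupg' ; \
+apt-install.sh ${pkg} ; \
+## process Angie GPG keyring / APT sources
+gpg-export.sh /tmp/angie.gpg.bin /etc/apt/keyrings/angie.gpg.asc ; \
+rm -f /tmp/angie.gpg.bin ; \
+env -C /etc/apt/sources.list.d mv angie.txt angie.sources ; \
+## verify sources!
+apt-env.sh apt-get update ; \
+apt-remove.sh ${pkg} ; \
+apt-clean.sh
+
+ENV INSTALL_WHEELS='jinja2 netaddr psutil pyyaml wcmatch'
+ENV DEV_PACKAGES='libyaml-dev'
+# markupsafe, psutil
+ENV CIBUILDWHEEL=1
+# pyyaml
+ENV PYYAML_FORCE_CYTHON=1
+
+RUN w=$(mktemp -d) ; : "${w:?}" ; \
+{ apt-mark showauto ; apt-mark showmanual ; } | sort -uV > "$w/t0" ; \
+printf '%s\n' ${DEV_PACKAGES} | sort -uV > "$w/t1" ; \
+apt-install.sh ${DEV_PACKAGES} ; \
+{ apt-mark showauto ; apt-mark showmanual ; } | sort -uV > "$w/t2" ; \
+set +e ; \
+grep -Fxv -f "$w/t0" "$w/t2" > "$w/t3" ; \
+grep -Fxv -f "$w/t1" "$w/t3" > "$w/t4" ; \
+grep -Ev -e '-(dev|doc)$' "$w/t4" > "${PYTHON_SITE_PACKAGES}/apt-deps.txt" ; \
+set -e ; \
+rm -rf "$w/" ; unset w ; \
+apt-install.sh build-essential ; \
+pip-env.sh pip install 'cython' ; \
+pip-env.sh pip install --no-binary :all: ${INSTALL_WHEELS} ; \
+pip-env.sh pip uninstall -y 'cython' ; \
+python-rm-cache.sh "${PYTHON_SITE_PACKAGES}" ; \
+rm -rf \
+"${PYTHON_SITE_PACKAGES}/netaddr/tests" \
+"${PYTHON_SITE_PACKAGES}/psutil/tests" \
+; \
+find "${PYTHON_SITE_PACKAGES}/" -type f -name '*.so*' -exec ls -l {} + ; \
+echo ; \
+find "${PYTHON_SITE_PACKAGES}/" -type f -name '*.so*' -printf '%p\0' \
+| sed -zE '/rust/d' \
+| xargs -0r strip --verbose --strip-debug ; \
+echo ; \
+find "${PYTHON_SITE_PACKAGES}/" -type f -name '*.so*' -exec ls -l {} + ; \
+apt-remove.sh build-essential ; \
+apt-clean.sh
+
+## ---
+
+FROM base AS deps
+SHELL [ "/bin/sh", "-ec" ]
+
+COPY /Dockerfile.deps /usr/local/share/
+
+COPY --from=setup /etc/apt/keyrings/angie.gpg.asc /etc/apt/keyrings/
+COPY --from=setup /etc/apt/sources.list.d/angie.sources /etc/apt/sources.list.d/
+
+## Python: site-packages
+COPY --from=setup /usr/local/bin/ /usr/local/bin/
+COPY --from=setup /${PYTHON_SITE_PACKAGES}/ /${PYTHON_SITE_PACKAGES}/
+
+COPY /scripts/* /usr/local/sbin/
+
+## install missing dependencies for Python site-packages
+RUN f="${PYTHON_SITE_PACKAGES}/apt-deps.txt" ; \
+[ -s "$f" ] || exit 0 ; \
+xargs -a "$f" apt-install.sh ; \
+apt-clean.sh
+
+## common deps
+RUN apt-install.sh \
+brotli \
+curl \
+dumb-init \
+gettext-base \
+jq \
+netbase \
+netcat-openbsd \
+openssl \
+procps \
+psmisc \
+zstd \
+; \
+apt-clean.sh
+
+RUN find /usr/local/sbin/ ! -type d -ls -delete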
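Review bot: `ADD https://angie.software/keys/angie-signing.gpg /tmp/angie.gpg.bin` in the `setup` stage fetches the APT signing key that every later Angie package install trusts, but nothing pins its content, so a changed or substituted key at that URL would be exported into `/etc/apt/keyrings/angie.gpg.asc` and accepted without anyone noticing. I'd pin it with BuildKit's checksum form, `ADD --checksum=sha256:<EXPECTED_SHA256_PLACEHOLDER> https://angie.software/keys/angie-signing.gpg /tmp/angie.gpg.bin`, or have `gpg-export.sh` compare the exported fingerprint with a value recorded in this file (the script is outside this commit, so I can't tell whether it already does). The same reproducibility point applies to `INSTALL_WHEELS='jinja2 netaddr psutil pyyaml wcmatch'` and `pip install 'cython'`, which carry no versions yet are built from source with `--no-binary :all:`; a pinned requirements or constraints file would make the `deps` image rebuildable to the same bits.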
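--- a/LICENSE
+++ b/LICENSE
@@ -0,0 +1,175 @@
+
+Apache License
+Version 2.0, January 2004
+http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+"License" shall mean the terms and conditions for use, reproduction,
+and distribution as defined by Sections 1 through 9 of this document.
+
+"Licensor" shall mean the copyright owner or entity authorized by
+the copyright owner that is granting the License.
+
+"Legal Entity" shall mean the union of the acting entity and all
+other entities that control, are controlled by, or are under common
+control with that entity. For the purposes of this definition,
+"control" means (i) the power, direct or indirect, to cause the
+direction or management of such entity, whether by contract or
+otherwise, or (ii) ownership of fifty percent (50%) or more of the
+outstanding shares, or (iii) beneficial ownership of such entity.
+
+"You" (or "Your") shall mean an individual or Legal Entity
+exercising permissions granted by this License.
+
+"Source" form shall mean the preferred form for making modifications,
+including but not limited to software source code, documentation
+source, and configuration files.
+
+"Object" form shall mean any form resulting from mechanical
+transformation or translation of a Source form, including but
+not limited to compiled object code, generated documentation,
+and conversions to other media types.
+
+"Work" shall mean the work of authorship, whether in Source or
+Object form, made available under the License, as indicated by a
+copyright notice that is included in or attached to the work
+(an example is provided in the Appendix below).
+
+"Derivative Works" shall mean any work, whether in Source or Object
+form, that is based on (or derived from) the Work and for which the
+editorial revisions, annotations, elaborations, or other modifications
+represent, as a whole, an original work of authorship. For the purposes
+of this License, Derivative Works shall not include works that remain
+separable from, or merely link (or bind by name) to the interfaces of,
+the Work and Derivative Works thereof.
+
+"Contribution" shall mean any work of authorship, including
+the original version of the Work and any modifications or additions
+to that Work or Derivative Works thereof, that is intentionally
+submitted to Licensor for inclusion in the Work by the copyright owner
+or by an individual or Legal Entity authorized to submit on behalf of
+the copyright owner. For the purposes of this definition, "submitted"
+means any form of electronic, verbal, or written communication sent
+to the Licensor or its representatives, including but not limited to
+communication on electronic mailing lists, source code control systems,
+and issue tracking systems that are managed by, or on behalf of, the
+Licensor for the purpose of discussing and improving the Work, but
+excluding communication that is conspicuously marked or otherwise
+designated in writing by the copyright owner as "Not a Contribution."
+
+"Contributor" shall mean Licensor and any individual or Legal Entity
+on behalf of whom a Contribution has been received by Licensor and
+subsequently incorporated within the Work.
+
+2. Grant of Copyright License. Subject to the terms and conditions of
+this License, each Contributor hereby grants to You a perpetual,
+worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+copyright license to reproduce, prepare Derivative Works of,
+publicly display, publicly perform, sublicense, and distribute the
+Work and such Derivative Works in Source or Object form.
+
+3. Grant of Patent License. Subject to the terms and conditions of
+this License, each Contributor hereby grants to You a perpetual,
+worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+(except as stated in this section) patent license to make, have made,
+use, offer to sell, sell, import, and otherwise transfer the Work,
+where such license applies only to those patent claims licensable
+by such Contributor that are necessarily infringed by their
+Contribution(s) alone or by combination of their Contribution(s)
+with the Work to which such Contribution(s) was submitted. If You
+institute patent litigation against any entity (including a
+cross-claim or counterclaim in a lawsuit) alleging that the Work
+or a Contribution incorporated within the Work constitutes direct
+or contributory patent infringement, then any patent licenses
+granted to You under this License for that Work shall terminate
+as of the date such litigation is filed.
+
+4. Redistribution. You may reproduce and distribute copies of the
+Work or Derivative Works thereof in any medium, with or without
+modifications, and in Source or Object form, provided that You
+meet the following conditions:
+
+(a) You must give any other recipients of the Work or
+Derivative Works a copy of this License; and
+
+(b) You must cause any modified files to carry prominent notices
+stating that You changed the files; and
+
+(c) You must retain, in the Source form of any Derivative Works
+that You distribute, all copyright, patent, trademark, and
+attribution notices from the Source form of the Work,
+excluding those notices that do not pertain to any part of
+the Derivative Works; and
+
+(d) If the Work includes a "NOTICE" text file as part of its
+distribution, then any Derivative Works that You distribute must
+include a readable copy of the attribution notices contained
+within such NOTICE file, excluding those notices that do not
+pertain to any part of the Derivative Works, in at least one
+of the following places: within a NOTICE text file distributed
+as part of the Derivative Works; within the Source form or
+documentation, if provided along with the Derivative Works; or,
+within a display generated by the Derivative Works, if and
+wherever such third-party notices normally appear. The contents
+of the NOTICE file are for informational purposes only and
+do not modify the License. You may add Your own attribution
+notices within Derivative Works that You distribute, alongside
+or as an addendum to the NOTICE text from the Work, provided
+that such additional attribution notices cannot be construed
+as modifying the License.
+
+You may add Your own copyright statement to Your modifications and
+may provide additional or different license terms and conditions
+for use, reproduction, or distribution of Your modifications, or
+for any such Derivative Works as a whole, provided Your use,
+reproduction, and distribution of the Work otherwise complies with
+the conditions stated in this License.
+
+5. Submission of Contributions. Unless You explicitly state otherwise,
+any Contribution intentionally submitted for inclusion in the Work
+by You to the Licensor shall be under the terms and conditions of
+this License, without any additional terms or conditions.
+Notwithstanding the above, nothing herein shall supersede or modify
+the terms of any separate license agreement you may have executed
+with Licensor regarding such Contributions.
+
+6. Trademarks. This License does not grant permission to use the trade
+names, trademarks, service marks, or product names of the Licensor,
+except as required for reasonable and customary use in describing the
+origin of the Work and reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty. Unless required by applicable law or
+agreed to in writing, Licensor provides the Work (and each
+Contributor provides its Contributions) on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+implied, including, without limitation, any warranties or conditions
+of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+PARTICULAR PURPOSE. You are solely responsible for determining the
+appropriateness of using or redistributing the Work and assume any
+risks associated with Your exercise of permissions under this License.
+
+8. Limitation of Liability. In no event and under no legal theory,
+whether in tort (including negligence), contract, or otherwise,
+unless required by applicable law (such as deliberate and grossly
+negligent acts) or agreed to in writing, shall any Contributor be
+liable to You for damages, including any direct, indirect, special,
+incidental, or consequential damages of any character arising as a
+result of this License or out of the use or inability to use the
+Work (including but not limited to damages for loss of goodwill,
+work stoppage, computer failure or malfunction, or any and all
+other commercial damages or losses), even if such Contributor
+has been advised of the possibility of such damages.
+
+9. Accepting Warranty or Additional Liability. While redistributing
+the Work or Derivative Works thereof, You may choose to offer,
+and charge a fee for, acceptance of support, warranty, indemnity,
+or other liability obligations and/or rights consistent with this
+License. However, in accepting such obligations, You may act only
+on Your own behalf and on Your sole responsibility, not on behalf
+of any other Contributor, and only if You agree to indemnify,
+defend, and hold each Contributor harmless for any liability
+incurred by, or claims asserted against, such Contributor by reason
+of your accepting any such warranty or additional liability.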
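--- a/TODO
+++ b/TODO
@@ -0,0 +1,3 @@
+- documentation
+- examples
+- "light" NJS module (request: https://t.me/angie_support/3315)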
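--- a/angie/angie.conf
+++ b/angie/angie.conf
@@ -0,0 +1,22 @@
+daemon off;
+pid run/angie.pid;
+
+## almost useless
+include load/mod-core-*.conf;
+
+# mod-http.conf
+# mod-mail.conf
+# mod-stream.conf
+include run/mod-*.conf;
+
+events {
+include autoconf.d/core_ev-*.conf;
+include load/core_ev-*.conf;
+}
+include autoconf.d/core-*.conf;
+include load/core-*.conf;
+
+# ctx-http.conf
+# ctx-mail.conf
+# ctx-stream.conf
+include run/ctx-*.conf;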
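Review bot: the three include roots used here (`autoconf.d/`, `load/`, `run/`) resolve through symlinks that the Dockerfile creates into `/run/angie` (`autoconf.d -> /run/angie/autoconf`, `load -> /run/angie/load`, `run -> /run/angie`), which a reader of this file cannot see, and `## almost useless` above `include load/mod-core-*.conf;` does not say why that include is kept. I'd add a header comment along the lines of `## relative paths resolve from /etc/angie; autoconf.d/, load/ and run/ are symlinks into the /run/angie volume that image-entry.d populates at start`, and replace `## almost useless` with one sentence stating what `mod-core-*.conf` fragments are expected to contain.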
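--- a/angie/autoconf.dist/core-error-log.conf
+++ b/angie/autoconf.dist/core-error-log.conf
@@ -0,0 +1 @@
+error_log log.d/error.log warn;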
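--- a/angie/autoconf.dist/core-lock-file.conf
+++ b/angie/autoconf.dist/core-lock-file.conf
@@ -0,0 +1 @@
+lock_file lock/angie.lock;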
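--- a/angie/autoconf.dist/core-pcre-jit.conf
+++ b/angie/autoconf.dist/core-pcre-jit.conf
@@ -0,0 +1 @@
+pcre_jit on;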
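--- a/angie/autoconf.dist/core-user.conf.in
+++ b/angie/autoconf.dist/core-user.conf.in
@@ -0,0 +1,3 @@
+## if container is running in non-privileged mode,
+## then this file is going to be removed by /image-entry.d/76-adjust-core-user.sh
+user ${NGX_USER} ${NGX_GROUP};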
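--- a/angie/autoconf.dist/core-worker-env.conf.j2
+++ b/angie/autoconf.dist/core-worker-env.conf.j2
@@ -0,0 +1,31 @@
+{#- prologue -#}
+{#- NB: "TZ" is always provided by Angie itself -#}
+{%- set c_env = ( j2cfg.core_worker_env or [] ) | any_to_env_dict -%}
+{%- set c_vars = c_env | dict_keys -%}
+{%- set c_vars_passthrough = c_env | dict_empty_keys -%}
+{%- set c_vars_override = c_env | dict_non_empty_keys -%}
+{%- set vars_passthrough = (env_passthrough + c_vars_passthrough) | uniq | list_intersect(env | dict_keys) -%}
+
+{#- main part -#}
+## preserve
+{%- for k in env_preserve %}
+env {{ k }};
+{%- endfor %}
+
+## passthrough
+{%- for k in vars_passthrough %}
+env {{ k }};
+{%- endfor %}
+
+{% if c_vars_override %}
+## WARNING!
+## explicit environment variables are NOT implemented
+## reason: envs are supported only for http_perl but not for http_js/stream_js
+## solution: provide environment variables explicitly
+## and then list them in "core_worker_env" key in config
+##
+{%- for k in c_vars_override %}
+{#- {%- set v = c_env[k] %} #}
+## env {{ k }}={{ c_env[k].__repr__() }};
+{%- endfor %}
+{%- endif %}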
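--- a/angie/autoconf.dist/core-worker.conf.j2
+++ b/angie/autoconf.dist/core-worker.conf.j2
@@ -0,0 +1,10 @@
+worker_processes {{ env.NGX_WORKER_PROCESSES }};
+{%- if env.NGX_WORKER_CPU_AFFINITY %}
+worker_cpu_affinity {{ env.NGX_WORKER_CPU_AFFINITY }};
+{%- endif %}
+{%- if env.NGX_WORKER_PRIORITY %}
+worker_priority {{ env.NGX_WORKER_PRIORITY }};
+{%- endif %}
+{%- if env.NGX_WORKER_RLIMIT_NOFILE %}
+worker_rlimit_nofile {{ env.NGX_WORKER_RLIMIT_NOFILE }};
+{%- endif %}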
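--- a/angie/autoconf.dist/core_ev-worker.conf.j2
+++ b/angie/autoconf.dist/core_ev-worker.conf.j2
@@ -0,0 +1,7 @@
+worker_connections {{ env.NGX_WORKER_CONNECTIONS }};
+{%- if env.NGX_WORKER_AIO_REQUESTS %}
+worker_aio_requests {{ env.NGX_WORKER_AIO_REQUESTS }};
+{%- endif %}
+{%- if env.NGX_WORKER_PRIORITY %}
+worker_priority {{ env.NGX_WORKER_PRIORITY }};
+{%- endif %}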
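Review bot: The `worker_priority {{ env.NGX_WORKER_PRIORITY }};` stanza on the last three lines of this template is rendered inside the `events { }` block, because angie.conf includes `autoconf.d/core_ev-*.conf` there. In nginx that directive is a main-context core directive, and core-worker.conf.j2 already emits the identical line at main level, so once NGX_WORKER_PRIORITY is set the config would — unless Angie has relaxed the directive's allowed context — fail to load with a "directive is not allowed here" error, or at best carry the setting twice. Dropping the `{%- if env.NGX_WORKER_PRIORITY %}` … `{%- endif %}` block from this file and keeping the one in core-worker.conf.j2 resolves it.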
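--- a/angie/autoconf.dist/http-access-log.conf
+++ b/angie/autoconf.dist/http-access-log.conf
@@ -0,0 +1,12 @@
+log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+'$status $body_bytes_sent "$http_referer" '
+'"$http_user_agent" "$http_x_forwarded_for"';
+
+log_format extended '$remote_addr - $remote_user [$time_local] "$request" '
+'$status $body_bytes_sent "$http_referer" rt="$request_time" '
+'"$http_user_agent" "$http_x_forwarded_for" '
+'h="$host" sn="$server_name" ru="$request_uri" u="$uri" '
+'ucs="$upstream_cache_status" ua="$upstream_addr" us="$upstream_status" '
+'uct="$upstream_connect_time" urt="$upstream_response_time"';
+
+access_log log.d/access.log main;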
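--- a/angie/autoconf.dist/http-alt-svc.conf.j2
+++ b/angie/autoconf.dist/http-alt-svc.conf.j2
@@ -0,0 +1,12 @@
+{#- prologue -#}
+{%- set extra_proto = ['v3', 'v2'] -%}
+{%- set confload = ( env.NGX_HTTP_CONFLOAD or '' ) | str_split_to_list -%}
+{%- set proto = confload | list_intersect(extra_proto) -%}
+{#- ALPN mapping -#}
+{%- set proto = proto | re_sub('^v2$', 'h2=":443"; ma=3600') -%}
+{%- set proto = proto | re_sub('^v3$', 'h3=":443"; ma=3600') -%}
+{#- main part -#}
+{%- if proto %}
+{#- TODO: precise quotation #}
+add_header Alt-Svc {{ (proto | join(', ')).__repr__() }};
+{%- endif %}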
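Review bot: The `add_header Alt-Svc …` on the second-to-last line is emitted at http level, and in nginx `add_header` is inherited only when the lower level declares no `add_header` of its own — a single `add_header` in a site's server or location block silently drops it, and the same applies to every header emitted by http-response-headers.conf.j2, which is where the security headers from 00-defaults.yml.j2 end up. If Angie keeps that inheritance rule, it is worth stating in a template comment, e.g. `{#- NB: any add_header in server/location replaces these headers, it does not append to them -#}`, or documenting that sites must re-include the autoconf headers. The port is also fixed to `:443` in both `re_sub` calls, which advertises the wrong endpoint when the container listens on another port; deriving it from the listen port or an env variable would be safer.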
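--- a/angie/autoconf.dist/http-buffers.conf
+++ b/angie/autoconf.dist/http-buffers.conf
@@ -0,0 +1,4 @@
+subrequest_output_buffer_size 16k;
+client_body_buffer_size 16k;
+client_header_buffer_size 4k;
+large_client_header_buffers 8 16k;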
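--- a/angie/autoconf.dist/http-max-ranges.conf.j2
+++ b/angie/autoconf.dist/http-max-ranges.conf.j2
@@ -0,0 +1,3 @@
+{%- if env.NGX_HTTP_MAX_RANGES %}
+max_ranges {{ env.NGX_HTTP_MAX_RANGES }};
+{%- endif %}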
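--- a/angie/autoconf.dist/http-mime-types.conf
+++ b/angie/autoconf.dist/http-mime-types.conf
@@ -0,0 +1,8 @@
+include snip.d/mime.types;
+
+types {
+font/ttf ttf;
+application/font-sfnt otf;
+}
+
+default_type application/octet-stream;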
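--- a/angie/autoconf.dist/http-request-headers-basic.conf.j2
+++ b/angie/autoconf.dist/http-request-headers-basic.conf.j2
@@ -0,0 +1,26 @@
+map $http_upgrade
+$req_connection
+{
+default upgrade;
+"" "";
+}
+
+map $http_user_agent
+$req_user_agent
+{
+default $http_user_agent;
+{%- if env.NGX_HTTP_FAKE_UA %}
+## merely fake
+"" {{ env.NGX_HTTP_FAKE_UA.__repr__() }};
+{%- else %}
+"" "Angie/$angie_version";
+{%- endif %}
+}
+
+map $http_accept
+$req_accept
+{
+volatile;
+default $http_accept;
+"" "*/*";
+}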
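Review bot: `"" {{ env.NGX_HTTP_FAKE_UA.__repr__() }};` uses Python's repr as Angie quoting, and the two escaping rules differ: repr switches to double quotes when the value contains a single quote, emits `\xNN`/`\uNNNN` escapes that the config parser passes through literally, and never escapes `$`, so a value such as `foo$uri` is expanded as a variable instead of being sent verbatim. The `TODO: precise quotation` markers in http-response-headers.conf.j2, http-ssl.conf.j2 and the */headers.conf.j2, */cache-bypass.conf.j2 and */ssl-cmd.conf.j2 templates carry the same gap. A dedicated filter that wraps the value in single quotes, backslash-escapes `'` and `\`, and either rejects `$` or documents that it is interpolated would close all of them in one place. These values come from the operator's own env and j2cfg, so the effect is a broken or surprising config rather than injection by a remote party.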
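--- a/angie/autoconf.dist/http-request-headers-forwarded.conf
+++ b/angie/autoconf.dist/http-request-headers-forwarded.conf
@@ -0,0 +1,27 @@
+## ref:
+## - https://www.digitalocean.com/community/tools/nginx?domains.0.reverseProxy.reverseProxy=true
+map $remote_addr
+$proxy_forwarded_elem
+{
+## IPv4 addresses can be sent as-is
+~^[0-9.]+$ "for=$remote_addr";
+## IPv6 addresses need to be bracketed and quoted
+~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
+## Unix domain socket names cannot be represented in RFC 7239 syntax
+default "for=unknown";
+}
+
+## ref:
+## - https://www.digitalocean.com/community/tools/nginx?domains.0.reverseProxy.reverseProxy=true
+## - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
+map $http_forwarded
+$proxy_add_forwarded
+{
+volatile;
+
+## if the incoming Forwarded header is syntactically valid, append to it
+"~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
+
+## otherwise, replace it
+default "$proxy_forwarded_elem";
+}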
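--- a/angie/autoconf.dist/http-response-headers.conf.j2
+++ b/angie/autoconf.dist/http-response-headers.conf.j2
@@ -0,0 +1,6 @@
+## add response headers
+{%- set resp_hdr_dict = j2cfg.response_headers or {} -%}
+{%- for h, v in resp_hdr_dict.items() %}
+{#- TODO: precise quotation #}
+add_header {{ h }} {{ v.__repr__() }};
+{%- endfor %}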
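--- a/angie/autoconf.dist/http-webroot.conf.in
+++ b/angie/autoconf.dist/http-webroot.conf.in
@@ -0,0 +1 @@
+root ${NGX_HTTP_WEBROOT};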
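--- a/angie/conf.dist/brotli/buffers.conf
+++ b/angie/conf.dist/brotli/buffers.conf
@@ -0,0 +1,5 @@
+brotli_comp_level 5; # default: 6
+brotli_window 64k; # default: 512k
+
+brotli_min_length 1024;
+brotli_buffers 32 16k;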
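--- a/angie/conf.dist/brotli/types.conf.j2
+++ b/angie/conf.dist/brotli/types.conf.j2
@@ -0,0 +1,9 @@
+{%- set mime_types = j2cfg.compress_types or [] -%}
+{%- set mime_types = mime_types | any_to_str_list | uniq_str_list -%}
+{%- if mime_types -%}
+brotli_types
+{%- for t in mime_types %}
+{{ t }}
+{%- endfor %}
+;
+{%- endif -%}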
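--- a/angie/conf.dist/core-quic-bpf.conf
+++ b/angie/conf.dist/core-quic-bpf.conf
@@ -0,0 +1 @@
+quic_bpf on;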
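--- a/angie/conf.dist/core_ev-accept-mutex-delay.conf
+++ b/angie/conf.dist/core_ev-accept-mutex-delay.conf
@@ -0,0 +1 @@
+accept_mutex_delay 200ms;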
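--- a/angie/conf.dist/core_ev-accept-mutex.conf
+++ b/angie/conf.dist/core_ev-accept-mutex.conf
@@ -0,0 +1 @@
+accept_mutex on;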
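--- a/angie/conf.dist/core_ev-multi-accept.conf
+++ b/angie/conf.dist/core_ev-multi-accept.conf
@@ -0,0 +1 @@
+multi_accept on;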
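--- a/angie/conf.dist/fastcgi/buffers.conf
+++ b/angie/conf.dist/fastcgi/buffers.conf
@@ -0,0 +1,4 @@
+fastcgi_buffers 16 16k;
+fastcgi_buffer_size 16k;
+fastcgi_busy_buffers_size 32k;
+fastcgi_temp_file_write_size 32k;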
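--- a/angie/conf.dist/fastcgi/cache-bypass.conf.j2
+++ b/angie/conf.dist/fastcgi/cache-bypass.conf.j2
@@ -0,0 +1,15 @@
+{#- TODO: precise quotation -#}
+{%- set cache_bypass = j2cfg.cache_bypass or [] -%}
+{%- if cache_bypass -%}
+## disable (response) cache under following conditions
+fastcgi_cache_bypass
+{%- for v in cache_bypass %}
+{{ v.__repr__() }}
+{%- endfor %}
+;
+fastcgi_no_cache
+{%- for v in cache_bypass %}
+{{ v.__repr__() }}
+{%- endfor %}
+;
+{%- endif -%}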
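--- a/angie/conf.dist/fastcgi/headers.conf.j2
+++ b/angie/conf.dist/fastcgi/headers.conf.j2
@@ -0,0 +1,13 @@
+## hide/remove request headers
+{%- set req_hdr_dict = j2cfg.request_headers or {} -%}
+{%- for h, v in req_hdr_dict.items() %}
+{#- TODO: precise quotation #}
+fastcgi_param {{ h | as_cgi_header }} {{ v.__repr__() }};
+{%- endfor %}
+
+## hide response headers
+{%- set resp_hdr_dict = j2cfg.response_headers or {} -%}
+{%- set resp_hdr_list = resp_hdr_dict | dict_keys -%}
+{%- for h in resp_hdr_list %}
+fastcgi_hide_header {{ h }};
+{%- endfor %}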
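--- a/angie/conf.dist/fastcgi/param.conf
+++ b/angie/conf.dist/fastcgi/param.conf
@@ -0,0 +1,7 @@
+include snip.d/fastcgi.conf;
+
+fastcgi_param PATH_INFO $path_info;
+
+fastcgi_param AUTH_USER $remote_user;
+fastcgi_param REMOTE_USER $remote_user;
+fastcgi_param HTTP_HOST $host;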
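Review bot: `fastcgi_param PATH_INFO $path_info;` references `$path_info`, which is not a built-in variable; it has to come from a `fastcgi_split_path_info` capture or a `map`/`set` in the site config, and because this file is included unconditionally at http level through `conf.d/fastcgi/*.conf`, a deployment that never defines it would presumably fail the config check with an unknown-variable error. The same line appears in scgi/param.conf and uwsgi/param.conf. A comment stating the contract would help, e.g. `## $path_info must be defined by the site (fastcgi_split_path_info or a map), otherwise the config does not load`.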
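--- a/angie/conf.dist/grpc/buffers.conf
+++ b/angie/conf.dist/grpc/buffers.conf
@@ -0,0 +1 @@
+grpc_buffer_size 16k;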
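--- a/angie/conf.dist/grpc/headers.conf.j2
+++ b/angie/conf.dist/grpc/headers.conf.j2
@@ -0,0 +1,13 @@
+## hide/remove request headers
+{%- set req_hdr_dict = j2cfg.request_headers or {} -%}
+{%- for h, v in req_hdr_dict.items() %}
+{#- TODO: precise quotation #}
+grpc_set_header {{ h }} {{ v.__repr__() }};
+{%- endfor %}
+
+## hide response headers
+{%- set resp_hdr_dict = j2cfg.response_headers or {} -%}
+{%- set resp_hdr_list = resp_hdr_dict | dict_keys -%}
+{%- for h in resp_hdr_list %}
+grpc_hide_header {{ h }};
+{%- endfor %}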
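--- a/angie/conf.dist/grpc/ssl-cmd.conf.j2
+++ b/angie/conf.dist/grpc/ssl-cmd.conf.j2
@@ -0,0 +1,4 @@
+{%- for k, v in j2cfg.tls.conf_cmd.items() %}
+{#- TODO: precise quotation #}
+grpc_ssl_conf_command {{ k }} {{ v.__repr__() }};
+{%- endfor %}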
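--- a/angie/conf.dist/grpc/ssl-verify.conf
+++ b/angie/conf.dist/grpc/ssl-verify.conf
@@ -0,0 +1 @@
+grpc_ssl_verify on;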
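--- a/angie/conf.dist/grpc/tls-ca-file.conf.in
+++ b/angie/conf.dist/grpc/tls-ca-file.conf.in
@@ -0,0 +1 @@
+grpc_ssl_trusted_certificate ${NGX_SSL_CERT_FILE};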
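--- a/angie/conf.dist/gzip/buffers.conf
+++ b/angie/conf.dist/gzip/buffers.conf
@@ -0,0 +1,4 @@
+gzip_comp_level 2; # default: 1
+
+gzip_min_length 1024;
+gzip_buffers 32 16k;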
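--- a/angie/conf.dist/gzip/proxied.conf
+++ b/angie/conf.dist/gzip/proxied.conf
@@ -0,0 +1 @@
+gzip_proxied any;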
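Review bot: `gzip_proxied any;` enables on-the-fly compression for every proxied response, including authenticated, user-specific pages. Together with the compress_types list from 00-defaults.yml.j2 (text/plain, application/json, text/css, …) this means dynamic responses that carry session or CSRF tokens are compressed over TLS, which is the precondition for BREACH-style compression side channels; brotli/types.conf.j2 and zstd/types.conf.j2 share the same list. Worth either a narrower default such as `gzip_proxied expired no-cache no-store private auth;` or a comment on this line, e.g. `## compresses dynamic backend responses too: sites that reflect request data next to secrets should disable compression per location`.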
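--- a/angie/conf.dist/gzip/types.conf.j2
+++ b/angie/conf.dist/gzip/types.conf.j2
@@ -0,0 +1,9 @@
+{%- set mime_types = j2cfg.compress_types or [] -%}
+{%- set mime_types = mime_types | any_to_str_list | uniq_str_list -%}
+{%- if mime_types -%}
+gzip_types
+{%- for t in mime_types %}
+{{ t }}
+{%- endfor %}
+;
+{%- endif -%}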
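--- a/angie/conf.dist/gzip/vary.conf
+++ b/angie/conf.dist/gzip/vary.conf
@@ -0,0 +1 @@
+gzip_vary on;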
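--- a/angie/conf.dist/http-brotli-static.conf
+++ b/angie/conf.dist/http-brotli-static.conf
@@ -0,0 +1 @@
+brotli_static on;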
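--- a/angie/conf.dist/http-brotli.conf
+++ b/angie/conf.dist/http-brotli.conf
@@ -0,0 +1,2 @@
+include conf.d/brotli/*.conf;
+brotli on;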
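--- a/angie/conf.dist/http-fastcgi.conf
+++ b/angie/conf.dist/http-fastcgi.conf
@@ -0,0 +1 @@
+include conf.d/fastcgi/*.conf;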
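--- a/angie/conf.dist/http-grpc.conf
+++ b/angie/conf.dist/http-grpc.conf
@@ -0,0 +1 @@
+include conf.d/grpc/*.conf;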
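--- a/angie/conf.dist/http-gunzip.conf
+++ b/angie/conf.dist/http-gunzip.conf
@@ -0,0 +1,2 @@
+gunzip_buffers 16 16k;
+gunzip on;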
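--- a/angie/conf.dist/http-gzip-static.conf
+++ b/angie/conf.dist/http-gzip-static.conf
@@ -0,0 +1 @@
+gzip_static on;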
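--- a/angie/conf.dist/http-gzip.conf
+++ b/angie/conf.dist/http-gzip.conf
@@ -0,0 +1,2 @@
+include conf.d/gzip/*.conf;
+gzip on;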
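--- a/angie/conf.dist/http-modsecurity.conf
+++ b/angie/conf.dist/http-modsecurity.conf
@@ -0,0 +1,4 @@
+modsecurity_rules_file /etc/angie/modsecurity.d/rules.conf;
+
+## NOT enabling ModSecurity by default!
+# modsecurity on;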
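--- a/angie/conf.dist/http-njs.conf
+++ b/angie/conf.dist/http-njs.conf
@@ -0,0 +1 @@
+include conf.d/njs/*.conf;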
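--- a/angie/conf.dist/http-perl.conf
+++ b/angie/conf.dist/http-perl.conf
@@ -0,0 +1 @@
+perl_modules /etc/angie/site.d;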
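--- a/angie/conf.dist/http-proxy.conf
+++ b/angie/conf.dist/http-proxy.conf
@@ -0,0 +1,2 @@
+include conf.d/proxy/*.conf;
+include conf.d/proxy-http/*.conf;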
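--- a/angie/conf.dist/http-quic-gso.conf.j2
+++ b/angie/conf.dist/http-quic-gso.conf.j2
@@ -0,0 +1,5 @@
+quic_gso on;
+
+{%- if env.NGX_HTTP_NO_PROXY == '0' %}
+proxy_quic_gso on;
+{%- endif %}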
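--- a/angie/conf.dist/http-scgi.conf
+++ b/angie/conf.dist/http-scgi.conf
@@ -0,0 +1 @@
+include conf.d/scgi/*.conf;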
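--- a/angie/conf.dist/http-ssl.conf.j2
+++ b/angie/conf.dist/http-ssl.conf.j2
@@ -0,0 +1,27 @@
+include conf.d/ssl/*.conf;
+
+## lowering from 16k to 4k to improve time-to-first-byte
+ssl_buffer_size 4k;
+
+{%- if env.NGX_HTTP_SSL_PROFILE %}
+include snip.d/ssl-{{ env.NGX_HTTP_SSL_PROFILE }};
+{%- endif %}
+
+{%- if j2cfg.tls.stapling.enable %}
+ssl_stapling on;
+{%- if j2cfg.tls.stapling.verify %}
+ssl_stapling_verify on;
+{%- else %}
+ssl_stapling_verify off;
+{%- endif %}
+{%- if j2cfg.tls.stapling.file %}
+{#- TODO: precise quotation #}
+ssl_stapling_file {{ j2cfg.tls.stapling.file.__repr__() }};
+{%- endif %}
+{%- if j2cfg.tls.stapling.responder %}
+{#- TODO: precise quotation #}
+ssl_stapling_responder {{ j2cfg.tls.stapling.responder.__repr__() }};
+{%- endif %}
+{%- else %}
+ssl_stapling off;
+{%- endif %}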
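Review bot: `ssl_stapling_verify on;` (rendered whenever j2cfg.tls.stapling.verify is true, the default in 00-defaults.yml.j2) needs the issuer chain made available through `ssl_trusted_certificate` to check OCSP responses; in nginx, without it verification cannot succeed and responses are simply not stapled, with only a warning in the error log. I do not see such a directive under conf.d/ssl/ in this commit (grpc, njs and uwsgi each get a `tls-ca-file.conf.in`, the server-side ssl context does not). If it lives elsewhere, a comment after `ssl_stapling_verify on;` pointing to it would help; otherwise adding `ssl/tls-ca-file.conf.in` with `ssl_trusted_certificate ${NGX_SSL_CERT_FILE};` mirrors the client-side directories.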
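--- a/angie/conf.dist/http-uwsgi.conf
+++ b/angie/conf.dist/http-uwsgi.conf
@@ -0,0 +1 @@
+include conf.d/uwsgi/*.conf;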
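--- a/angie/conf.dist/http-v2.conf
+++ b/angie/conf.dist/http-v2.conf
@@ -0,0 +1,2 @@
+include conf.d/http2/*.conf;
+http2 on;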
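--- a/angie/conf.dist/http-v3.conf
+++ b/angie/conf.dist/http-v3.conf
@@ -0,0 +1,2 @@
+include conf.d/http3/*.conf;
+http3 on;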
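--- a/angie/conf.dist/http-zstd-static.conf
+++ b/angie/conf.dist/http-zstd-static.conf
@@ -0,0 +1 @@
+zstd_static on;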
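--- a/angie/conf.dist/http-zstd.conf
+++ b/angie/conf.dist/http-zstd.conf
@@ -0,0 +1,2 @@
+include conf.d/zstd/*.conf;
+zstd on;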
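--- a/angie/conf.dist/http2/param.conf
+++ b/angie/conf.dist/http2/param.conf
@@ -0,0 +1,2 @@
+http2_chunk_size 16k;
+http2_body_preread_size 64k;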
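--- a/angie/conf.dist/http3/param.conf.j2
+++ b/angie/conf.dist/http3/param.conf.j2
@@ -0,0 +1,9 @@
+http3_max_concurrent_streams 128; #default
+http3_stream_buffer_size 64k; #default
+quic_active_connection_id_limit 3;
+
+{%- if env.NGX_HTTP_NO_PROXY == '0' %}
+proxy_http3_max_concurrent_streams 128; #default
+proxy_http3_stream_buffer_size 64k; #default
+proxy_quic_active_connection_id_limit 3;
+{%- endif %}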
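--- a/angie/conf.dist/mail-ssl.conf.j2
+++ b/angie/conf.dist/mail-ssl.conf.j2
@@ -0,0 +1,5 @@
+include conf.d/ssl/*.conf;
+
+{%- if env.NGX_MAIL_SSL_PROFILE %}
+include snip.d/ssl-{{ env.NGX_MAIL_SSL_PROFILE }};
+{%- endif %}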
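--- a/angie/conf.dist/njs/path.conf
+++ b/angie/conf.dist/njs/path.conf
@@ -0,0 +1 @@
+js_path /etc/angie/site.d;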
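--- a/angie/conf.dist/njs/tls-ca-file.conf.in
+++ b/angie/conf.dist/njs/tls-ca-file.conf.in
@@ -0,0 +1 @@
+js_fetch_trusted_certificate ${NGX_SSL_CERT_FILE};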
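--- a/angie/conf.dist/proxy-http/buffers.conf
+++ b/angie/conf.dist/proxy-http/buffers.conf
@@ -0,0 +1,4 @@
+proxy_buffers 16 16k;
+proxy_buffer_size 16k;
+proxy_busy_buffers_size 32k;
+proxy_temp_file_write_size 32k;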
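--- a/angie/conf.dist/proxy-http/cache-bypass.conf.j2
+++ b/angie/conf.dist/proxy-http/cache-bypass.conf.j2
@@ -0,0 +1,15 @@
+{#- TODO: precise quotation -#}
+{%- set cache_bypass = j2cfg.cache_bypass or [] -%}
+{%- if cache_bypass -%}
+## disable (response) cache under following conditions
+proxy_cache_bypass
+{%- for v in cache_bypass %}
+{{ v.__repr__() }}
+{%- endfor %}
+;
+proxy_no_cache
+{%- for v in cache_bypass %}
+{{ v.__repr__() }}
+{%- endfor %}
+;
+{%- endif -%}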
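--- a/angie/conf.dist/proxy-http/headers.conf.j2
+++ b/angie/conf.dist/proxy-http/headers.conf.j2
@@ -0,0 +1,13 @@
+## hide/remove request headers
+{%- set req_hdr_dict = j2cfg.request_headers or {} -%}
+{%- for h, v in req_hdr_dict.items() %}
+{#- TODO: precise quotation #}
+proxy_set_header {{ h }} {{ v.__repr__() }};
+{%- endfor %}
+
+## hide response headers
+{%- set resp_hdr_dict = j2cfg.response_headers or {} -%}
+{%- set resp_hdr_list = resp_hdr_dict | dict_keys -%}
+{%- for h in resp_hdr_list %}
+proxy_hide_header {{ h }};
+{%- endfor %}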
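--- a/angie/conf.dist/proxy-http/version.conf
+++ b/angie/conf.dist/proxy-http/version.conf
@@ -0,0 +1 @@
+proxy_http_version 1.1;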
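--- a/angie/conf.dist/proxy-stream/.gitkeep
+++ b/angie/conf.dist/proxy-stream/.gitkeep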
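--- a/angie/conf.dist/proxy/ssl-cmd.conf.j2
+++ b/angie/conf.dist/proxy/ssl-cmd.conf.j2
@@ -0,0 +1,4 @@
+{%- for k, v in j2cfg.tls.conf_cmd.items() %}
+{#- TODO: precise quotation #}
+proxy_ssl_conf_command {{ k }} {{ v.__repr__() }};
+{%- endfor %}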
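--- a/angie/conf.dist/proxy/ssl-verify.conf
+++ b/angie/conf.dist/proxy/ssl-verify.conf
@@ -0,0 +1 @@
+proxy_ssl_verify on;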
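Review bot: `proxy_ssl_verify on;` is shipped without a matching `proxy_ssl_trusted_certificate`: grpc/, njs/ and uwsgi/ each carry a `tls-ca-file.conf.in`, but conf.d/proxy/ (included by both http-proxy.conf and stream-proxy.conf) contains only ssl-cmd and ssl-verify in this commit. As far as I know nginx verifies the upstream certificate only against the CAs given by that directive and does not fall back to the system store, so unless a site adds it every `proxy_pass https://…` and every TLS stream upstream would fail verification. Adding `proxy/tls-ca-file.conf.in` with `proxy_ssl_trusted_certificate ${NGX_SSL_CERT_FILE};` keeps the directory consistent with the others.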
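--- a/angie/conf.dist/scgi/buffers.conf
+++ b/angie/conf.dist/scgi/buffers.conf
@@ -0,0 +1,4 @@
+scgi_buffers 16 16k;
+scgi_buffer_size 16k;
+scgi_busy_buffers_size 32k;
+scgi_temp_file_write_size 32k;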
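--- a/angie/conf.dist/scgi/cache-bypass.conf.j2
+++ b/angie/conf.dist/scgi/cache-bypass.conf.j2
@@ -0,0 +1,15 @@
+{#- TODO: precise quotation -#}
+{%- set cache_bypass = j2cfg.cache_bypass or [] -%}
+{%- if cache_bypass -%}
+## disable (response) cache under following conditions
+scgi_cache_bypass
+{%- for v in cache_bypass %}
+{{ v.__repr__() }}
+{%- endfor %}
+;
+scgi_no_cache
+{%- for v in cache_bypass %}
+{{ v.__repr__() }}
+{%- endfor %}
+;
+{%- endif -%}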
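--- a/angie/conf.dist/scgi/headers.conf.j2
+++ b/angie/conf.dist/scgi/headers.conf.j2
@@ -0,0 +1,13 @@
+## hide/remove request headers
+{%- set req_hdr_dict = j2cfg.request_headers or {} -%}
+{%- for h, v in req_hdr_dict.items() %}
+{#- TODO: precise quotation #}
+scgi_param {{ h | as_cgi_header }} {{ v.__repr__() }};
+{%- endfor %}
+
+## hide response headers
+{%- set resp_hdr_dict = j2cfg.response_headers or {} -%}
+{%- set resp_hdr_list = resp_hdr_dict | dict_keys -%}
+{%- for h in resp_hdr_list %}
+scgi_hide_header {{ h }};
+{%- endfor %}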
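--- a/angie/conf.dist/scgi/param.conf
+++ b/angie/conf.dist/scgi/param.conf
@@ -0,0 +1,7 @@
+include snip.d/scgi_params;
+
+scgi_param PATH_INFO $path_info;
+
+scgi_param AUTH_USER $remote_user;
+scgi_param REMOTE_USER $remote_user;
+scgi_param HTTP_HOST $host;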
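--- a/angie/conf.dist/ssl/cmd.conf.j2
+++ b/angie/conf.dist/ssl/cmd.conf.j2
@@ -0,0 +1,4 @@
+{%- for k, v in j2cfg.tls.conf_cmd.items() %}
+{#- TODO: precise quotation #}
+ssl_conf_command {{ k }} {{ v.__repr__() }};
+{%- endfor %}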
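--- a/angie/conf.dist/stream-njs.conf
+++ b/angie/conf.dist/stream-njs.conf
@@ -0,0 +1 @@
+include conf.d/njs/*.conf;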
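--- a/angie/conf.dist/stream-proxy.conf
+++ b/angie/conf.dist/stream-proxy.conf
@@ -0,0 +1,2 @@
+include conf.d/proxy/*.conf;
+include conf.d/proxy-stream/*.conf;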
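--- a/angie/conf.dist/stream-ssl.conf.j2
+++ b/angie/conf.dist/stream-ssl.conf.j2
@@ -0,0 +1,5 @@
+include conf.d/ssl/*.conf;
+
+{%- if env.NGX_STREAM_SSL_PROFILE %}
+include snip.d/ssl-{{ env.NGX_STREAM_SSL_PROFILE }};
+{%- endif %}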
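--- a/angie/conf.dist/uwsgi/buffers.conf
+++ b/angie/conf.dist/uwsgi/buffers.conf
@@ -0,0 +1,4 @@
+uwsgi_buffers 16 16k;
+uwsgi_buffer_size 16k;
+uwsgi_busy_buffers_size 32k;
+uwsgi_temp_file_write_size 32k;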
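--- a/angie/conf.dist/uwsgi/cache-bypass.conf.j2
+++ b/angie/conf.dist/uwsgi/cache-bypass.conf.j2
@@ -0,0 +1,15 @@
+{#- TODO: precise quotation -#}
+{%- set cache_bypass = j2cfg.cache_bypass or [] -%}
+{%- if cache_bypass -%}
+## disable (response) cache under following conditions
+uwsgi_cache_bypass
+{%- for v in cache_bypass %}
+{{ v.__repr__() }}
+{%- endfor %}
+;
+uwsgi_no_cache
+{%- for v in cache_bypass %}
+{{ v.__repr__() }}
+{%- endfor %}
+;
+{%- endif -%}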
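--- a/angie/conf.dist/uwsgi/headers.conf.j2
+++ b/angie/conf.dist/uwsgi/headers.conf.j2
@@ -0,0 +1,13 @@
+## hide/remove request headers
+{%- set req_hdr_dict = j2cfg.request_headers or {} -%}
+{%- for h, v in req_hdr_dict.items() %}
+{#- TODO: precise quotation #}
+uwsgi_param {{ h | as_cgi_header }} {{ v.__repr__() }};
+{%- endfor %}
+
+## hide response headers
+{%- set resp_hdr_dict = j2cfg.response_headers or {} -%}
+{%- set resp_hdr_list = resp_hdr_dict | dict_keys -%}
+{%- for h in resp_hdr_list %}
+uwsgi_hide_header {{ h }};
+{%- endfor %}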
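--- a/angie/conf.dist/uwsgi/param.conf
+++ b/angie/conf.dist/uwsgi/param.conf
@@ -0,0 +1,7 @@
+include snip.d/uwsgi_params;
+
+uwsgi_param PATH_INFO $path_info;
+
+uwsgi_param AUTH_USER $remote_user;
+uwsgi_param REMOTE_USER $remote_user;
+uwsgi_param HTTP_HOST $host;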
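--- a/angie/conf.dist/uwsgi/ssl-cmd.conf.j2
+++ b/angie/conf.dist/uwsgi/ssl-cmd.conf.j2
@@ -0,0 +1,4 @@
+{%- for k, v in j2cfg.tls.conf_cmd.items() %}
+{#- TODO: precise quotation #}
+uwsgi_ssl_conf_command {{ k }} {{ v.__repr__() }};
+{%- endfor %}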
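--- a/angie/conf.dist/uwsgi/tls-ca-file.conf.in
+++ b/angie/conf.dist/uwsgi/tls-ca-file.conf.in
@@ -0,0 +1 @@
+uwsgi_ssl_trusted_certificate ${NGX_SSL_CERT_FILE};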
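--- a/angie/conf.dist/zstd/buffers.conf
+++ b/angie/conf.dist/zstd/buffers.conf
@@ -0,0 +1,4 @@
+zstd_comp_level 2; # default: 1
+
+zstd_min_length 1024;
+zstd_buffers 32 16k;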
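--- a/angie/conf.dist/zstd/types.conf.j2
+++ b/angie/conf.dist/zstd/types.conf.j2
@@ -0,0 +1,9 @@
+{%- set mime_types = j2cfg.compress_types or [] -%}
+{%- set mime_types = mime_types | any_to_str_list | uniq_str_list -%}
+{%- if mime_types -%}
+zstd_types
+{%- for t in mime_types %}
+{{ t }}
+{%- endfor %}
+;
+{%- endif -%}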
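--- a/angie/ctx-http.conf
+++ b/angie/ctx-http.conf
@@ -0,0 +1,5 @@
+http {
+include autoconf.d/http-*.conf;
+include load/http-*.conf;
+include site.d/http-*.conf;
+}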
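--- a/angie/ctx-mail.conf
+++ b/angie/ctx-mail.conf
@@ -0,0 +1,5 @@
+mail {
+include autoconf.d/mail-*.conf;
+include load/mail-*.conf;
+include site.d/mail-*.conf;
+}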
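--- a/angie/ctx-stream.conf
+++ b/angie/ctx-stream.conf
@@ -0,0 +1,5 @@
+stream {
+include autoconf.d/stream-*.conf;
+include load/stream-*.conf;
+include site.d/stream-*.conf;
+}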
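--- a/angie/j2cfg.dist/00-defaults.yml.j2
+++ b/angie/j2cfg.dist/00-defaults.yml.j2
@@ -0,0 +1,93 @@
+cache_bypass:
+- '$http_authorization'
+- '$http_pragma'
+- '$http_upgrade'
+
+compress_types:
+- application/atom+xml
+- application/javascript
+- application/json
+- application/vnd.api+json
+- application/rss+xml
+- application/x-javascript
+- application/xhtml+xml
+- application/xml
+- image/svg+xml
+- image/x-icon
+- text/css
+- text/javascript
+- text/plain
+- text/xml
+
+request_headers:
+{% if env.NGX_HTTP_TRANSPARENT_PROXY == '0' %}
+Host: '$proxy_host'
+X-Real-IP: '$remote_addr'
+## '$proxy_add_forwarded' is defined in /angie/autoconf.dist/http-request-headers-forwarded.conf
+Forwarded: '$proxy_add_forwarded'
+{% elif env.NGX_HTTP_TRANSPARENT_PROXY == '1' %}
+Host: '$host'
+X-Real-IP: ''
+Forwarded: ''
+{% endif %}
+
+request_headers:
+## do not pass Accept-Encoding to backend
+Accept-Encoding: ""
+## '$req_accept' is defined in /angie/autoconf.dist/http-request-headers-basic.conf.j2
+Accept: '$req_accept'
+## '$req_connection' is defined in /angie/autoconf.dist/http-request-headers-basic.conf.j2
+Connection: '$req_connection'
+Upgrade: '$http_upgrade'
+Early-Data: '$ssl_early_data'
+## '$req_user_agent' is defined in /angie/autoconf.dist/http-request-headers-basic.conf.j2
+User-Agent: '$req_user_agent'
+{% if env.NGX_HTTP_X_FORWARDED == 'pass' %}
+X-Forwarded-Proto: '$scheme'
+X-Forwarded-Host: '$host'
+X-Forwarded-Port: '$server_port'
+X-Forwarded-For: '$proxy_add_x_forwarded_for'
+{% elif env.NGX_HTTP_X_FORWARDED == 'remove' %}
+X-Forwarded-Proto: ''
+X-Forwarded-Host: ''
+X-Forwarded-Port: ''
+X-Forwarded-For: ''
+{% endif %}
+
+response_headers:
+{% if env.NGX_HTTP_TRANSPARENT_PROXY == '0' %}
+Permissions-Policy: "accelerometer=(), autoplay=(), browsing-topics=(), camera=(), clipboard-read=(), clipboard-write=(), geolocation=(), gyroscope=(), hid=(), interest-cohort=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), sync-xhr=(), usb=()"
+Referrer-Policy: "no-referrer-when-downgrade"
+Strict-Transport-Security: "max-age=15724800; includeSubDomains; preload"
+X-Content-Type-Options: "nosniff"
+X-Frame-Options: "SAMEORIGIN"
+X-XSS-Protection: "1; mode=block"
+{% endif %}
+
+tls:
+## https://docs.openssl.org/3.0/man3/SSL_CONF_cmd/#supported-configuration-file-commands
+conf_cmd:
+Options: PrioritizeChaCha
+stapling:
+enable: false
+verify: true
+profiles:
+modern:
+protocols: TLSv1.3
+#prefer_server_ciphers: false
+session_tickets: false
+session_timeout: 1d
+intermediate:
+protocols: TLSv1.2 TLSv1.3
+#prefer_server_ciphers: false
+ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+dhparam: /etc/angie/tls.d/ffdhe2048.pem
+session_tickets: false
+session_timeout: 1d
+old:
+protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
+prefer_server_ciphers: true
+ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
+dhparam: /etc/angie/tls.d/dh1024.pem
+session_tickets: false
+session_timeout: 1d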
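--- /dev/null
+++ b/angie/mod-http.conf
@@ -0,0 +1 @@
+include load/mod-http-*.conf;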
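--- /dev/null
+++ b/angie/mod-mail.conf
@@ -0,0 +1 @@
+include load/mod-mail-*.conf;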
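--- /dev/null
+++ b/angie/mod-stream.conf
@@ -0,0 +1 @@
+include load/mod-stream-*.conf;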
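--- /dev/null
+++ b/angie/mod.dist/.brotli.preseed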
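--- /dev/null
+++ b/angie/mod.dist/.otel.preseed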
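--- /dev/null
+++ b/angie/mod.dist/.postgres.preseed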