
huge refactoring

This commit is contained in:
Konstantin Demin 2024-07-24 22:47:53 +03:00
parent 985c42a7d2
commit 8fac571d20
Signed by: krd
GPG Key ID: 4D56F87A8BA65FD0
106 changed files with 827 additions and 286 deletions


@ -51,7 +51,7 @@ RUN libpython="${PYTHON_SITE_PACKAGES%/*}" ; \
## Python cache warmup
RUN j2cfg-single /usr/local/lib/j2cfg/test.j2 /tmp/test ; \
cat /tmp/test ; echo ; \
cat /tmp/test ; echo ; echo ; \
rm -f /tmp/test
## Python cache adjustments
@ -99,13 +99,9 @@ RUN apt-install.sh angie ; \
if [ "${NGX_DEBUG}" = 0 ] ; then \
rm -fv "$n-debug" ; \
mv -fv "$n-nodebug" "$n" ; \
ln -fsv "${n##*/}" "$n-nodebug" ; \
ln -fsv /bin/false "$n-debug" ; \
else \
rm -fv "$n-nodebug" ; \
mv -fv "$n-debug" "$n" ; \
ln -fsv "${n##*/}" "$n-debug" ; \
ln -fsv /bin/false "$n-nodebug" ; \
fi
## preserve snippets from Angie config directory
@ -142,7 +138,7 @@ RUN install -d -o angie -g angie -m 03777 /angie /run/angie ; \
ln -sv /run/angie/lock lock ; \
ln -sv ${ANGIE_MODULES_DIR} modules.dist ; \
## hyper-modular paths:
data='conf j2cfg mod modules site snip static' ; \
data='autoconf conf j2cfg mod modules site snip static' ; \
vardata='cache lib log' ; \
for n in ${data} ; do \
for d in "$n" "$n.dist" ; do \
@ -153,6 +149,17 @@ RUN install -d -o angie -g angie -m 03777 /angie /run/angie ; \
ln -sv "/run/angie/$n" "$n.d" ; \
done
## future quirk for angie-module-modsecurity >:)
RUN n='modsecurity' ; \
d="/etc/angie/$n" ; \
ln -sv "/run/angie/$n" "$d.d" ; \
dpkg-divert --divert "$d.dist" --rename "$d" ; \
for p in modsecurity.conf unicode.mapping ; do \
dpkg-divert --divert "$d.dist/$p" --rename "$d/$p" ; \
done ; \
p='rules.conf' ; \
dpkg-divert --divert "$d.dist/$p.dist" --rename "$d/$p"
VOLUME [ "/run/angie" ]
COPY /angie/ /etc/angie/
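Review bot: The modsecurity quirk at L49-L57 registers a dpkg diversion for the directory `/etc/angie/modsecurity` (`dpkg-divert --divert "$d.dist" --rename "$d"`), and dpkg-divert refuses to divert a path that already exists as a directory, so this RUN only works while the module package is not yet installed in this stage; the '## future quirk' comment hints at that ordering but does not state it. A comment such as `## must run before angie-module-modsecurity is installed: dpkg-divert cannot divert an existing directory` plus a guard `[ ! -d "$d" ] || { echo "$d already exists" >&2 ; exit 1 ; }` before the divert would make the assumption fail loudly. How dpkg later applies a registered diversion to a directory shipped by the package is not visible in this hunk and is worth verifying against an actual install of the module.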


@ -10,10 +10,10 @@ include load/mod-core-*.conf;
include run/mod-*.conf;
events {
include conf.d/core_ev-*.conf;
include autoconf.d/core_ev-*.conf;
include load/core_ev-*.conf;
}
include conf.d/core-*.conf;
include autoconf.d/core-*.conf;
include load/core-*.conf;
# ctx-http.conf


@ -1,15 +1,19 @@
{#- prologue -#}
{#- NB: "TZ" is always provided by Angie itself -#}
{%- set s_vars = ['MALLOC_ARENA_MAX', 'GLIBC_TUNABLES', 'MALLOC_CONF'] -%}
{%- set c_env = ( j2cfg.core_worker_env or [] ) | any_to_env_dict -%}
{%- set c_vars = c_env | dict_keys -%}
{%- set c_vars_preserve = c_env | dict_empty_keys -%}
{%- set c_vars_passthrough = c_env | dict_empty_keys -%}
{%- set c_vars_override = c_env | dict_non_empty_keys -%}
{%- set vars_preserve = ( c_vars_preserve + s_vars ) | uniq | sort -%}
{%- set vars_passthrough = (env_passthrough + c_vars_passthrough) | uniq | list_intersect(env | dict_keys) -%}
{#- main part -#}
## preserve
{%- for k in vars_preserve %}
{%- for k in env_preserve %}
env {{ k }};
{%- endfor %}
## passthrough
{%- for k in vars_passthrough %}
env {{ k }};
{%- endfor %}
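Review bot: `env_preserve` (L91) and `env_passthrough` (L87) are not defined anywhere in this template, and the hard-coded `s_vars` list that previously fed the preserve loop no longer drives it, so the emitted `env` directives now depend entirely on the renderer supplying those names (presumably the j2cfg layer, which is not visible here). With Jinja's default `Undefined`, an unsupplied name iterates as empty and the `## preserve` block silently emits no `env` lines at all, dropping MALLOC_ARENA_MAX/GLIBC_TUNABLES/MALLOC_CONF without any error. If the renderer does not already use `StrictUndefined`, guard the loops with `{%- if env_preserve is defined %}` or at least record the contract in the prologue, e.g. `{#- env_preserve / env_passthrough are provided by the j2cfg renderer -#}`.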


@ -0,0 +1,10 @@
worker_processes {{ env.NGX_WORKER_PROCESSES }};
{%- if env.NGX_WORKER_CPU_AFFINITY %}
worker_cpu_affinity {{ env.NGX_WORKER_CPU_AFFINITY }};
{%- endif %}
{%- if env.NGX_WORKER_PRIORITY %}
worker_priority {{ env.NGX_WORKER_PRIORITY }};
{%- endif %}
{%- if env.NGX_WORKER_RLIMIT_NOFILE %}
worker_rlimit_nofile {{ env.NGX_WORKER_RLIMIT_NOFILE }};
{%- endif %}


@ -0,0 +1,7 @@
worker_connections {{ env.NGX_WORKER_CONNECTIONS }};
{%- if env.NGX_WORKER_AIO_REQUESTS %}
worker_aio_requests {{ env.NGX_WORKER_AIO_REQUESTS }};
{%- endif %}
{%- if env.NGX_WORKER_PRIORITY %}
worker_priority {{ env.NGX_WORKER_PRIORITY }};
{%- endif %}
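Review bot: `worker_priority` at L120-L122 repeats the directive already emitted at L106-L108 of the sibling template, and if this file is included from the `events` block, as `worker_connections` and `worker_aio_requests` at L116-L118 suggest, Angie will reject it because `worker_priority` is a main-context directive. Drop L120-L122 here and let the main-context template own it; if the file is in fact rendered into the main context, the two templates still emit the directive twice for the same value.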


@ -0,0 +1,3 @@
{%- if env.NGX_HTTP_MAX_RANGES %}
max_ranges {{ env.NGX_HTTP_MAX_RANGES }};
{%- endif %}


@ -0,0 +1 @@
root ${NGX_HTTP_WEBROOT};


@ -0,0 +1,9 @@
{%- set mime_types = j2cfg.brotli_compress_types or j2cfg.compress_types or [] -%}
{%- set mime_types = mime_types | any_to_str_list | uniq_str_list -%}
{%- if mime_types -%}
brotli_types
{%- for t in mime_types %}
{{ t }}
{%- endfor %}
;
{%- endif -%}


@ -1,3 +0,0 @@
worker_processes ${NGX_WORKER_PROCESSES};
worker_priority ${NGX_WORKER_PRIORITY};
worker_rlimit_nofile ${NGX_WORKER_RLIMIT_NOFILE};


@ -1 +0,0 @@
worker_connections ${NGX_WORKER_CONNECTIONS};


@ -0,0 +1,4 @@
fastcgi_buffers 16 16k;
fastcgi_buffer_size 16k;
fastcgi_busy_buffers_size 32k;
fastcgi_temp_file_write_size 32k;


@ -0,0 +1,13 @@
## hide/remove request headers
{%- set req_hdr_list = j2cfg.fastcgi_remove_request_headers or j2cfg.remove_request_headers or [] -%}
{%- set req_hdr_list = req_hdr_list | any_to_str_list | as_cgi_header -%}
{%- for h in req_hdr_list %}
fastcgi_param {{ h }} "";
{%- endfor %}
## hide response headers
{%- set resp_hdr_list = j2cfg.fastcgi_remove_response_headers or j2cfg.remove_response_headers or [] -%}
{%- set resp_hdr_list = resp_hdr_list | any_to_str_list | uniq_str_list -%}
{%- for h in resp_hdr_list %}
fastcgi_hide_header {{ h }};
{%- endfor %}
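Review bot: The request-header list at L174 goes through `as_cgi_header` but not `uniq_str_list`, unlike the response list at L180 and the grpc/proxy request lists (L204, L317); the scgi (L341) and uwsgi (L374) templates carry the same asymmetry. Unless `as_cgi_header` deduplicates on its own, a header named twice in j2cfg, or both `X-Foo` and `x-foo` which map to the same CGI name, yields duplicate `fastcgi_param HTTP_X_FOO "";` lines. `req_hdr_list | any_to_str_list | as_cgi_header | uniq_str_list` in the three CGI templates would keep them consistent with the others.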


@ -0,0 +1,7 @@
include snip.d/fastcgi.conf;
fastcgi_param PATH_INFO $path_info;
fastcgi_param AUTH_USER $remote_user;
fastcgi_param REMOTE_USER $remote_user;
fastcgi_param HTTP_HOST $host;


@ -0,0 +1 @@
grpc_buffer_size 16k;


@ -0,0 +1,13 @@
## hide/remove request headers
{%- set req_hdr_list = j2cfg.grpc_remove_request_headers or j2cfg.remove_request_headers or [] -%}
{%- set req_hdr_list = req_hdr_list | any_to_str_list | uniq_str_list -%}
{%- for h in req_hdr_list %}
grpc_set_header {{ h }} "";
{%- endfor %}
## hide response headers
{%- set resp_hdr_list = j2cfg.grpc_remove_response_headers or j2cfg.remove_response_headers or [] -%}
{%- set resp_hdr_list = resp_hdr_list | any_to_str_list | uniq_str_list -%}
{%- for h in resp_hdr_list %}
grpc_hide_header {{ h }};
{%- endfor %}


@ -0,0 +1,9 @@
{%- set mime_types = j2cfg.gzip_compress_types or j2cfg.compress_types or [] -%}
{%- set mime_types = mime_types | any_to_str_list | uniq_str_list -%}
{%- if mime_types -%}
gzip_types
{%- for t in mime_types %}
{{ t }}
{%- endfor %}
;
{%- endif -%}


@ -0,0 +1,2 @@
include conf.d/brotli/*.conf;
brotli on;


@ -0,0 +1 @@
include conf.d/fastcgi/*.conf;


@ -0,0 +1,4 @@
## this should be enabled explicitly to avoid config mess
# include conf.d/http-v2.conf;
include conf.d/grpc/*.conf;


@ -0,0 +1,2 @@
gunzip_buffers 16 16k;
gunzip on;


@ -0,0 +1,2 @@
include conf.d/gzip/*.conf;
gzip on;


@ -1 +0,0 @@
max_ranges ${NGX_HTTP_MAX_RANGES};


@ -0,0 +1,4 @@
modsecurity_rules_file /etc/angie/modsecurity.d/rules.conf;
## NOT enabling ModSecurity by default!
# modsecurity on;


@ -0,0 +1 @@
js_path /etc/angie/site.d;


@ -0,0 +1 @@
perl_modules /etc/angie/site.d;


@ -0,0 +1,6 @@
## add response headers
{%- set resp_hdr_list = ( j2cfg.add_response_headers or {} ) -%}
{%- for h, v in resp_hdr_list.items() %}
{#- TODO: precise quotation #}
add_header {{ h }} {{ v.__repr__() }};
{%- endfor %}
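Review bot: `v.__repr__()` at L287 produces Python string quoting, not Angie's: `\xNN`/`\uNNNN` escapes and `\n` are not read the same way by the config parser, a YAML boolean renders as `True`, and attribute access starting with an underscore is refused if the template is rendered in a `SandboxedEnvironment` (not visible here, so verify). The TODO at L286 already acknowledges the gap; a small filter that emits a double-quoted nginx string with `\` and `"` escaped, e.g. `add_header {{ h }} {{ v | nginx_quote }};`, would resolve it. The header name `h` is interpolated bare as well, so either give it the same treatment or state in a comment that header names are trusted config input.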


@ -0,0 +1 @@
include conf.d/scgi/*.conf;


@ -0,0 +1 @@
include conf.d/uwsgi/*.conf;


@ -0,0 +1,2 @@
http2_chunk_size 16k;
http2 on;


@ -0,0 +1,2 @@
include conf.d/zstd/*.conf;
zstd on;


@ -0,0 +1,13 @@
## hide/remove request headers
{%- set req_hdr_list = j2cfg.proxy_remove_request_headers or j2cfg.remove_request_headers or [] -%}
{%- set req_hdr_list = req_hdr_list | any_to_str_list | uniq_str_list -%}
{%- for h in req_hdr_list %}
proxy_set_header {{ h }} "";
{%- endfor %}
## hide response headers
{%- set resp_hdr_list = j2cfg.proxy_remove_response_headers or j2cfg.remove_response_headers or [] -%}
{%- set resp_hdr_list = resp_hdr_list | any_to_str_list | uniq_str_list -%}
{%- for h in resp_hdr_list %}
proxy_hide_header {{ h }};
{%- endfor %}


@ -0,0 +1,4 @@
scgi_buffers 16 16k;
scgi_buffer_size 16k;
scgi_busy_buffers_size 32k;
scgi_temp_file_write_size 32k;


@ -0,0 +1,13 @@
## hide/remove request headers
{%- set req_hdr_list = j2cfg.scgi_remove_request_headers or j2cfg.remove_request_headers or [] -%}
{%- set req_hdr_list = req_hdr_list | any_to_str_list | as_cgi_header -%}
{%- for h in req_hdr_list %}
scgi_param {{ h }} "";
{%- endfor %}
## hide response headers
{%- set resp_hdr_list = j2cfg.scgi_remove_response_headers or j2cfg.remove_response_headers or [] -%}
{%- set resp_hdr_list = resp_hdr_list | any_to_str_list | uniq_str_list -%}
{%- for h in resp_hdr_list %}
scgi_hide_header {{ h }};
{%- endfor %}


@ -0,0 +1,7 @@
include snip.d/scgi_params;
scgi_param PATH_INFO $path_info;
scgi_param AUTH_USER $remote_user;
scgi_param REMOTE_USER $remote_user;
scgi_param HTTP_HOST $host;


@ -0,0 +1,4 @@
uwsgi_buffers 16 16k;
uwsgi_buffer_size 16k;
uwsgi_busy_buffers_size 32k;
uwsgi_temp_file_write_size 32k;


@ -0,0 +1,13 @@
## hide/remove request headers
{%- set req_hdr_list = j2cfg.uwsgi_remove_request_headers or j2cfg.remove_request_headers or [] -%}
{%- set req_hdr_list = req_hdr_list | any_to_str_list | as_cgi_header -%}
{%- for h in req_hdr_list %}
uwsgi_param {{ h }} "";
{%- endfor %}
## hide response headers
{%- set resp_hdr_list = j2cfg.uwsgi_remove_response_headers or j2cfg.remove_response_headers or [] -%}
{%- set resp_hdr_list = resp_hdr_list | any_to_str_list | uniq_str_list -%}
{%- for h in resp_hdr_list %}
uwsgi_hide_header {{ h }};
{%- endfor %}


@ -0,0 +1,7 @@
include snip.d/uwsgi_params;
uwsgi_param PATH_INFO $path_info;
uwsgi_param AUTH_USER $remote_user;
uwsgi_param REMOTE_USER $remote_user;
uwsgi_param HTTP_HOST $host;


@ -0,0 +1,9 @@
{%- set mime_types = j2cfg.zstd_compress_types or j2cfg.compress_types or [] -%}
{%- set mime_types = mime_types | any_to_str_list | uniq_str_list -%}
{%- if mime_types -%}
zstd_types
{%- for t in mime_types %}
{{ t }}
{%- endfor %}
;
{%- endif -%}


@ -1,5 +1,5 @@
http {
include conf.d/http-*.conf;
include autoconf.d/http-*.conf;
include load/http-*.conf;
include site.d/http-*.conf;
}


@ -1,5 +1,5 @@
mail {
include conf.d/mail-*.conf;
include autoconf.d/mail-*.conf;
include load/mail-*.conf;
include site.d/mail-*.conf;
}


@ -1,5 +1,5 @@
stream {
include conf.d/stream-*.conf;
include autoconf.d/stream-*.conf;
include load/stream-*.conf;
include site.d/stream-*.conf;
}


@ -0,0 +1,11 @@
add_response_headers:
Access-Control-Allow-Origin: "*"
Access-Control-Allow-Headers: "Origin, X-Requested-With, Content-Type, Accept, Authorization"
Access-Control-Allow-Methods: "GET, HEAD, POST, PUT, DELETE, OPTIONS"
Content-Security-Policy: "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline' 'unsafe-eval' ; frame-ancestors 'self';"
Permissions-Policy: "microphone=(), camera=(), geolocation=(), interest-cohort=()"
Referrer-Policy: "no-referrer-when-downgrade"
Strict-Transport-Security: "max-age=31536000; includeSubDomains; preload"
X-Content-Type-Options: "nosniff"
X-Frame-Options: "SAMEORIGIN"
X-XSS-Protection: "1; mode=block"
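Review bot: This default set applies wildcard CORS (`Access-Control-Allow-Origin: "*"` together with `PUT, DELETE` and `Authorization` at L441-L443) to every response of every site built on the image, which is an opt-in property of an API rather than a baseline for static or proxied sites; moving the three CORS entries into a separate, commented-out j2cfg file would keep the hardening headers on by default and CORS off. `Strict-Transport-Security` with `includeSubDomains; preload` (L447) commits all subdomains and is a prerequisite for preload-list submission, so it should likewise be an explicit operator choice rather than an image default. `X-XSS-Protection: "1; mode=block"` (L450) is obsolete and current guidance is `0` or omission, and the CSP at L444 allows `'unsafe-inline' 'unsafe-eval'` and plain `http:`, so a one-line comment that this file is a compatibility baseline rather than a protection would set expectations correctly.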


@ -1,10 +1,9 @@
{#- prologue -#}
{%- set s_vars = ['MALLOC_ARENA_MAX', 'GLIBC_TUNABLES', 'MALLOC_CONF'] -%}
{%- set c_env = ( j2cfg.core_worker_env or [] ) | any_to_env_dict -%}
{%- set c_vars = c_env | dict_keys -%}
{%- set c_vars_preserve = c_env | dict_empty_keys -%}
{%- set vars_preserve = ( c_vars_preserve + ( s_vars | list_diff(c_vars) )) | sort -%}
{%- set c_vars_passthrough = c_env | dict_empty_keys -%}
{%- set vars_passthrough = ((env_passthrough | list_diff(c_vars)) + c_vars_passthrough) | uniq | list_intersect(env | dict_keys) -%}
{#- main part -#}
{%- for k in vars_preserve -%}
{%- for k in vars_passthrough -%}
{{ k }}
{% endfor -%}


@ -0,0 +1,3 @@
remove_request_headers:
## do not pass Accept-Encoding to backend
- Accept-Encoding


@ -0,0 +1,12 @@
remove_response_headers:
- Access-Control-Allow-Headers
- Access-Control-Allow-Methods
- Access-Control-Allow-Origin
- Content-Security-Policy
- Permissions-Policy
- Referrer-Policy
- Strict-Transport-Security
- Vary
- X-Content-Type-Options
- X-Frame-Options
- X-XSS-Protection
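Review bot: Hiding `Vary` (L487) from every upstream response drops the cache-key information that proxies and browsers rely on; with `proxy_cache` or any shared cache in front, responses that vary on Accept-Encoding, Origin or Cookie can then be served to the wrong client. The other entries are headers the image re-adds itself through the add_response_headers defaults, but nothing in this commit re-adds Vary, so unless the compression snippets set it elsewhere it should come out of the default list, or the file should say where it is restored, e.g. `## Vary is re-added by <snippet>` naming the snippet.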


@ -0,0 +1,33 @@
Include modsecurity.conf
# To enable the OWASP CRS, please perform the following steps:
#
# 1. Checkout Core Rule Set from GitHub and create config files as shown below:
#
# version='v4.5.0'
# uri="https://github.com/coreruleset/coreruleset/archive/refs/tags/${version}.tar.gz"
# dst_dir='/etc/angie/modsecurity/coreruleset'
# w=$(mktemp -d) ; : "${w:?}"
# cd "$w/"
# tarball="coreruleset.tar.gz"
# /usr/lib/apt/apt-helper download-file "${uri}" "${tarball}"
# mkdir coreruleset
# tar -C ./coreruleset --strip-components=1 -xf "${tarball}"
# rm -f "${tarball}" ; unset tarball
# for p in \
# crs-setup.conf \
# rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf \
# rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf \
# ; do
# src="coreruleset/$p.example"
# dst="${dst_dir}/$p"
# [ -f "${src}" ] || continue
# [ -d "${dst%/*}" ] || mkdir -p "${dst%/*}"
# cp -nv "${src}" "${dst}"
# done
# rm -rf "${w:?}/" ; unset w
#
# 2. Uncomment both 'Include' directives below
#Include coreruleset/crs-setup.conf
#Include coreruleset/rules/*.conf
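Review bot: The CRS bootstrap recipe in the comment (L500-L509) downloads a release tarball and unpacks it without any integrity check, so a build that follows it trusts whatever the download returns; a pinned digest check right after the download, e.g. `echo "<SHA256_OF_PINNED_RELEASE>  ${tarball}" | sha256sum -c -` (placeholder digest), closes that gap. `Include modsecurity.conf` (L495) is a relative path, and since this file is loaded via `modsecurity_rules_file /etc/angie/modsecurity.d/rules.conf` the comment should state what it is resolved against (the including file's directory or the working directory), which is not visible here. The stock modsecurity.conf-recommended ships `SecRuleEngine DetectionOnly`, so a note that `modsecurity on` alone does not block anything until the engine is switched to `On` would spare operators a surprise.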


@ -1 +0,0 @@
include snip.d/gzip/vary.conf;


@ -1,8 +0,0 @@
{%- set mime_types = ( j2cfg.compress_types or [] )|any_to_str_list|uniq_str_list -%}
{%- if mime_types %}
brotli_types
{%- for t in mime_types %}
{{ t }}
{%- endfor %}
;
{%- endif %}


@ -0,0 +1,3 @@
location ~ /\. {
include snip.d/internal-area;
}
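Review bot: `location ~ /\.` (L547) also matches `/.well-known/`, so once this snippet is included any ACME HTTP-01 challenge or other well-known resource served from that path gets the `internal` 404 from snip.d/internal-area; this commit also provisions `lib/acme`, so the overlap is live rather than theoretical. Either exclude it with `location ~ /\.(?!well-known/)` or document that a site must declare `location ^~ /.well-known/ { ... }` ahead of this include, since a `^~` prefix match takes precedence over the regex. Whether Angie's ACME module answers challenges before location matching is not visible here, so verify before relying on it.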


@ -0,0 +1,8 @@
{#- safe to specify all the time -#}
gzip off;
{%- set modules = ( env.NGX_HTTP_MODULES or '' ) | str_split_to_list -%}
{%- for ext_comp in ['brotli', 'zstd'] %}
{%- if ext_comp in modules %}
{{ ext_comp }} off;
{%- endif %}
{%- endfor %}


@ -0,0 +1,4 @@
location = /favicon.ico {
empty_gif;
expires 1d;
}


@ -0,0 +1,5 @@
try_files $fastcgi_script_name =444;
## bypass the fact that try_files resets $fastcgi_path_info
## see: https://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;


@ -1,8 +0,0 @@
{%- set mime_types = ( j2cfg.compress_types or [] )|any_to_str_list|uniq_str_list -%}
{%- if mime_types %}
gzip_types
{%- for t in mime_types %}
{{ t }}
{%- endfor %}
;
{%- endif %}


@ -1,2 +0,0 @@
include snip.d/brotli/*.conf;
brotli on;


@ -1,2 +0,0 @@
include snip.d/http-gunzip.modconf;
gunzip on;


@ -1 +0,0 @@
gunzip_buffers 16 16k;


@ -1,2 +0,0 @@
include snip.d/gzip/*.conf;
gzip on;


@ -1,2 +0,0 @@
include snip.d/zstd/*.conf;
zstd on;


@ -0,0 +1,5 @@
## always sourced by snip.d/deny-dotfiles
access_log off;
log_not_found off;
internal;


@ -1 +0,0 @@
include snip.d/gzip/vary.conf;


@ -1,8 +0,0 @@
{%- set mime_types = ( j2cfg.compress_types or [] )|any_to_str_list|uniq_str_list -%}
{%- if mime_types %}
zstd_types
{%- for t in mime_types %}
{{ t }}
{%- endfor %}
;
{%- endif %}


@ -82,7 +82,7 @@ untemplate_path() {
"${volume_root}"/* | /etc/angie/run/* )
strip_suffix "$1" "$2"
;;
/etc/angie/conf.d/* | /etc/angie/j2cfg.d/* | /etc/angie/mod.d/* | /etc/angie/modules.d/* | /etc/angie/site.d/* | /etc/angie/snip.d/* )
/etc/angie/autoconf.d/* | /etc/angie/conf.d/* | /etc/angie/j2cfg.d/* | /etc/angie/mod.d/* | /etc/angie/modules.d/* | /etc/angie/site.d/* | /etc/angie/snip.d/* )
strip_suffix "$1" "$2"
;;
/etc/angie/static.d/* )
@ -212,6 +212,10 @@ remap_path() {
[ -n "$1" ] || return
case "$1" in
## autoconf
/etc/angie/autoconf.dist/* ) echo "${2:-/etc/angie/autoconf.d}${1#/etc/angie/autoconf.dist}" ;;
/etc/angie/autoconf/* ) echo "${2:-/etc/angie/autoconf.d}${1#/etc/angie/autoconf}" ;;
/angie/autoconf/* ) echo "${2:-/etc/angie/autoconf.d}${1#/angie/autoconf}" ;;
## conf
/etc/angie/conf.dist/* ) echo "${2:-/etc/angie/conf.d}${1#/etc/angie/conf.dist}" ;;
/etc/angie/conf/* ) echo "${2:-/etc/angie/conf.d}${1#/etc/angie/conf}" ;;
@ -277,6 +281,14 @@ is_builtin_module() {
grep -Fxq -e "$2" "/etc/angie/builtin.$1" || return 1
}
normalize_list() {
[ -n "$1" ] || return 0
printf '%s' "$1" \
| tr -s '[:space:]' ' ' \
| sed -zE 's/^ //;s/ $//'
}
sort_dedup_list() {
[ -n "$1" ] || return 0
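Review bot: `normalize_list` (L669-L674) has no header comment and relies on GNU-only `sed -z`, neither of which a reader of the surrounding helpers would guess; a comment such as `## collapse runs of whitespace (incl. newlines) into single spaces and trim both ends; GNU sed (-z) required` above it would do. The new `autoconf` arms in untemplate_path and remap_path (L652, L660-L662) mirror the existing conf arms and look consistent. sort_dedup_list starts at L675 and continues outside the hunk.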


@ -19,7 +19,7 @@ if [ "${NGX_HTTP}${NGX_MAIL}${NGX_STREAM}" = '000' ] ; then
fi
unset default_dirs_merge default_dirs_link
default_dirs_merge='conf j2cfg mod modules site snip'
default_dirs_merge='autoconf conf j2cfg mod modules site snip'
default_dirs_link=''
if [ "${NGX_PROCESS_STATIC}" = 1 ] ; then


@ -9,8 +9,15 @@ unset i
for i in ${NGX_CORE_MODULES:-} ; do
[ -n "$i" ] || continue
case "$i" in
*/* | *\** | *\?* )
log_always "module '$i' is not legal, skipping"
continue
;;
esac
if is_builtin_module core "$i" ; then
log "$i is builtin module, moving to confload"
log "$i is builtin module, moving to NGX_CORE_CONFLOAD"
core_confload="${core_confload} $i"
continue
fi
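Review bot: The five-line legality check added at L694-L698 is repeated verbatim for http (L1044-L1048), mail (L1128-L1132) and stream (L1146-L1150); a shared helper in the functions file, e.g. `is_legal_name() { case "$1" in */* | *\** | *\?* ) return 1 ;; esac ; }` used as `is_legal_name "$i" || { log_always "module '$i' is not legal, skipping" ; continue ; }` at each site, keeps the rule in one place so any later tightening (a leading `-`, or `.`/`..`) lands everywhere at once. The enclosing `for` loop starts at L691 and continues outside the hunk.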


@ -1,146 +0,0 @@
#!/bin/sh
unset _NGX_WORKER_PROCESSES _NGX_WORKER_PRIORITY _NGX_WORKER_RLIMIT_NOFILE _NGX_WORKER_CONNECTIONS
## here should be SANE defaults (!)
_NGX_WORKER_PROCESSES=2
_NGX_WORKER_PRIORITY=0
_NGX_WORKER_RLIMIT_NOFILE=16384
_NGX_WORKER_CONNECTIONS=4096
[ -n "${NGX_WORKER_PROCESSES:-}" ] || NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}
case "${NGX_WORKER_PROCESSES}" in
"${_NGX_WORKER_PROCESSES}" ) ;;
## allow values within [1;999]
[1-9] | [1-9][0-9] | [1-9][0-9][0-9] ) ;;
[Aa][Uu][Tt][Oo] )
## adjust
NGX_WORKER_PROCESSES=auto
log_always "NGX_WORKER_PROCESSES: \"auto\" isn't supported by container yet"
log_always "offloading decision to Angie (this could be a problem!)"
;;
0 )
log_always "NGX_WORKER_PROCESSES: \"0\" isn't supported by container yet"
log_always "setting NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}"
NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}
;;
* )
log_always "NGX_WORKER_PROCESSES: unrecognized value: ${NGX_WORKER_PROCESSES}"
log_always "setting NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}"
NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}
;;
esac
[ -n "${NGX_WORKER_PRIORITY:-}" ] || NGX_WORKER_PRIORITY=${_NGX_WORKER_PRIORITY}
case "${NGX_WORKER_PRIORITY}" in
"${_NGX_WORKER_PRIORITY}" ) ;;
-[1-9] | -1[0-9] | -20 ) ;;
[0-9] | 1[0-9] | 20 ) ;;
-0 )
log_always "NGX_WORKER_PRIORITY: likely an error: '-0'"
log_always "adjusting NGX_WORKER_PRIORITY=0"
NGX_WORKER_PRIORITY=0
;;
* )
log_always "NGX_WORKER_PRIORITY: unrecognized value: ${NGX_WORKER_PRIORITY}"
log_always "setting NGX_WORKER_PRIORITY=${_NGX_WORKER_PRIORITY}"
NGX_WORKER_PRIORITY=${_NGX_WORKER_PRIORITY}
;;
esac
[ -n "${NGX_WORKER_RLIMIT_NOFILE:-}" ] || NGX_WORKER_RLIMIT_NOFILE=${_NGX_WORKER_RLIMIT_NOFILE}
case "${NGX_WORKER_RLIMIT_NOFILE}" in
"${_NGX_WORKER_RLIMIT_NOFILE}" ) ;;
[0-9] | [1-9][0-9] )
log_always "NGX_WORKER_RLIMIT_NOFILE: too low: ${NGX_WORKER_RLIMIT_NOFILE}"
log_always "setting NGX_WORKER_RLIMIT_NOFILE=${_NGX_WORKER_RLIMIT_NOFILE}"
NGX_WORKER_RLIMIT_NOFILE=${_NGX_WORKER_RLIMIT_NOFILE}
;;
## allow values within [100;9999999]
[1-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9][0-9][0-9][0-9] ) ;;
* )
log_always "NGX_WORKER_RLIMIT_NOFILE: unrecognized value: ${NGX_WORKER_RLIMIT_NOFILE}"
log_always "setting NGX_WORKER_RLIMIT_NOFILE=${_NGX_WORKER_RLIMIT_NOFILE}"
NGX_WORKER_RLIMIT_NOFILE=${_NGX_WORKER_RLIMIT_NOFILE}
;;
esac
[ -n "${NGX_WORKER_CONNECTIONS:-}" ] || NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}
case "${NGX_WORKER_CONNECTIONS}" in
"${_NGX_WORKER_CONNECTIONS}" ) ;;
[0-9] | [1-9][0-9] )
log_always "NGX_WORKER_CONNECTIONS: too low: ${NGX_WORKER_CONNECTIONS}"
log_always "setting NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}"
NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}
;;
## allow values within [100;9999999]
[1-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9][0-9][0-9][0-9] ) ;;
* )
log_always "NGX_WORKER_CONNECTIONS: unrecognized value: ${NGX_WORKER_CONNECTIONS}"
log_always "setting NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}"
NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}
;;
esac
nofile_soft=$(ulimit -Sn)
nofile_hard=$(ulimit -Hn)
if [ "${nofile_hard}" = unlimited ] ; then
## minor hack (if applicable) :)
nofile_hard=$((NGX_WORKER_RLIMIT_NOFILE * 2))
fi
nofile_ok=0
while : ; do
[ ${nofile_hard} -ge ${NGX_WORKER_RLIMIT_NOFILE} ] || break
[ ${nofile_soft} -ge ${NGX_WORKER_RLIMIT_NOFILE} ] || break
nofile_ok=1
break ; done
if [ ${nofile_ok} = 0 ] ; then
log_always "adjusting 'nofile' limits"
log_always "Limits before:"
sed -En '1p;/open files/p' < /proc/$$/limits >&2
if [ ${nofile_hard} -lt ${NGX_WORKER_RLIMIT_NOFILE} ] ; then
ulimit -Hn "${NGX_WORKER_RLIMIT_NOFILE}"
nofile_hard=$(ulimit -Hn)
fi
if [ ${nofile_hard} -lt ${NGX_WORKER_RLIMIT_NOFILE} ] ; then
log_always "lowering NGX_WORKER_RLIMIT_NOFILE to ${nofile_hard} due to hard limit"
NGX_WORKER_RLIMIT_NOFILE=${nofile_hard}
fi
if [ ${nofile_soft} -lt ${NGX_WORKER_RLIMIT_NOFILE} ] ; then
ulimit -Sn "${NGX_WORKER_RLIMIT_NOFILE}"
fi
log_always "Limits after:"
sed -En '1p;/open files/p' < /proc/$$/limits >&2
fi
unset nofile_soft nofile_hard nofile_ok
export NGX_WORKER_PROCESSES NGX_WORKER_PRIORITY NGX_WORKER_RLIMIT_NOFILE NGX_WORKER_CONNECTIONS
unset _NGX_WORKER_PROCESSES _NGX_WORKER_PRIORITY _NGX_WORKER_RLIMIT_NOFILE _NGX_WORKER_CONNECTIONS
if [ ${NGX_WORKER_RLIMIT_NOFILE} -lt ${NGX_WORKER_CONNECTIONS} ] ; then
log_always "WARNING: NGX_WORKER_RLIMIT_NOFILE is less than NGX_WORKER_CONNECTIONS (${NGX_WORKER_RLIMIT_NOFILE} < ${NGX_WORKER_CONNECTIONS})"
else
ratio=$(mawk -v "a=${NGX_WORKER_RLIMIT_NOFILE}" -v "b=${NGX_WORKER_CONNECTIONS}" 'BEGIN{print a/b;exit;}' </dev/null)
case "${ratio}" in
1 | 1.* )
log_always "WARNING: \"NGX_WORKER_RLIMIT_NOFILE/NGX_WORKER_CONNECTIONS\" ratio is too low (=${ratio})"
;;
esac
unset ratio
fi


@ -0,0 +1,195 @@
#!/bin/sh
unset _NGX_WORKER_PROCESSES _NGX_WORKER_PRIORITY _NGX_WORKER_RLIMIT_NOFILE _NGX_WORKER_CONNECTIONS _NGX_WORKER_AIO_REQUESTS
## here should be SANE defaults (!)
_NGX_WORKER_PROCESSES=2
_NGX_WORKER_PRIORITY=0
_NGX_WORKER_RLIMIT_NOFILE=16384
_NGX_WORKER_CONNECTIONS=4096
_NGX_WORKER_AIO_REQUESTS=64
[ -n "${NGX_WORKER_PROCESSES:-}" ] || NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}
case "${NGX_WORKER_PROCESSES}" in
## allow values within [1;999]
[1-9] | [1-9][0-9] | [1-9][0-9][0-9] ) ;;
[Aa][Uu][Tt][Oo] )
## adjust
NGX_WORKER_PROCESSES=auto
log_always "NGX_WORKER_PROCESSES: \"auto\" isn't supported by container yet"
log_always "offloading decision to Angie (this could be a problem!)"
;;
0 )
log_always "NGX_WORKER_PROCESSES: \"0\" isn't supported by container yet"
log_always "setting NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}"
NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}
;;
* )
log_always "NGX_WORKER_PROCESSES: unrecognized value: ${NGX_WORKER_PROCESSES}"
log_always "setting NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}"
NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}
;;
esac
export NGX_WORKER_PROCESSES
if [ -z "${NGX_WORKER_CPU_AFFINITY:-}" ] ; then
unset NGX_WORKER_CPU_AFFINITY
else
## offload handling to Angie
set -a
NGX_WORKER_CPU_AFFINITY=$(normalize_list "${NGX_WORKER_CPU_AFFINITY}")
set +a
fi
[ -n "${NGX_WORKER_CONNECTIONS:-}" ] || NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}
case "${NGX_WORKER_CONNECTIONS}" in
[0-9] | [1-9][0-9] )
log_always "NGX_WORKER_CONNECTIONS: too low: ${NGX_WORKER_CONNECTIONS}"
log_always "setting NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}"
NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}
;;
## allow values within [100;9999999]
[1-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9][0-9][0-9][0-9] ) ;;
* )
log_always "NGX_WORKER_CONNECTIONS: unrecognized value: ${NGX_WORKER_CONNECTIONS}"
log_always "setting NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}"
NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}
;;
esac
export NGX_WORKER_CONNECTIONS
if [ -z "${NGX_WORKER_PRIORITY:-}" ] ; then
unset NGX_WORKER_PRIORITY
else
case "${NGX_WORKER_PRIORITY}" in
-[1-9] | -1[0-9] | -20 ) ;;
[0-9] | 1[0-9] | 20 ) ;;
-0 )
log_always "NGX_WORKER_PRIORITY: likely an error: '-0'"
log_always "adjusting NGX_WORKER_PRIORITY=0"
NGX_WORKER_PRIORITY=0
;;
* )
log_always "NGX_WORKER_PRIORITY: unrecognized value: ${NGX_WORKER_PRIORITY}"
log_always "setting NGX_WORKER_PRIORITY=${_NGX_WORKER_PRIORITY}"
NGX_WORKER_PRIORITY=${_NGX_WORKER_PRIORITY}
;;
esac
export NGX_WORKER_PRIORITY
fi
if [ -z "${NGX_WORKER_RLIMIT_NOFILE:-}" ] ; then
unset NGX_WORKER_RLIMIT_NOFILE
else
case "${NGX_WORKER_RLIMIT_NOFILE}" in
[0-9] | [1-9][0-9] )
log_always "NGX_WORKER_RLIMIT_NOFILE: too low: ${NGX_WORKER_RLIMIT_NOFILE}"
log_always "setting NGX_WORKER_RLIMIT_NOFILE=${_NGX_WORKER_RLIMIT_NOFILE}"
NGX_WORKER_RLIMIT_NOFILE=${_NGX_WORKER_RLIMIT_NOFILE}
;;
## allow values within [100;9999999]
[1-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9][0-9][0-9][0-9] ) ;;
* )
log_always "NGX_WORKER_RLIMIT_NOFILE: unrecognized value: ${NGX_WORKER_RLIMIT_NOFILE}"
log_always "setting NGX_WORKER_RLIMIT_NOFILE=${_NGX_WORKER_RLIMIT_NOFILE}"
NGX_WORKER_RLIMIT_NOFILE=${_NGX_WORKER_RLIMIT_NOFILE}
;;
esac
export NGX_WORKER_RLIMIT_NOFILE
fi
if [ -z "${NGX_WORKER_AIO_REQUESTS:-}" ] ; then
unset NGX_WORKER_AIO_REQUESTS
else
case "${NGX_WORKER_AIO_REQUESTS}" in
[0-9] )
log_always "NGX_WORKER_AIO_REQUESTS: too low: ${NGX_WORKER_AIO_REQUESTS}"
log_always "setting NGX_WORKER_AIO_REQUESTS=${_NGX_WORKER_AIO_REQUESTS}"
NGX_WORKER_AIO_REQUESTS=${_NGX_WORKER_AIO_REQUESTS}
;;
## allow values within [10;99999]
[1-9][0-9] ) ;;
[1-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9][0-9] ) ;;
* )
log_always "NGX_WORKER_AIO_REQUESTS: unrecognized value: ${NGX_WORKER_AIO_REQUESTS}"
log_always "setting NGX_WORKER_AIO_REQUESTS=${_NGX_WORKER_AIO_REQUESTS}"
NGX_WORKER_AIO_REQUESTS=${_NGX_WORKER_AIO_REQUESTS}
;;
esac
export NGX_WORKER_AIO_REQUESTS
fi
if [ -n "${NGX_WORKER_RLIMIT_NOFILE:-}" ] ; then
nofile_soft=$(ulimit -Sn)
nofile_hard=$(ulimit -Hn)
if [ "${nofile_hard}" = unlimited ] ; then
## minor hack (if applicable) :)
nofile_hard=$((NGX_WORKER_RLIMIT_NOFILE + 1))
fi
nofile_ok=0
while : ; do
[ ${nofile_hard} -ge ${NGX_WORKER_RLIMIT_NOFILE} ] || break
[ ${nofile_soft} -ge ${NGX_WORKER_RLIMIT_NOFILE} ] || break
nofile_ok=1
break ; done
if [ ${nofile_ok} = 0 ] ; then
log_always "adjusting 'nofile' limits"
log_always "Limits before:"
sed -En '1p;/open files/p' < /proc/$$/limits >&2
if [ ${nofile_hard} -lt ${NGX_WORKER_RLIMIT_NOFILE} ] ; then
ulimit -Hn "${NGX_WORKER_RLIMIT_NOFILE}"
nofile_hard=$(ulimit -Hn)
fi
if [ ${nofile_hard} -lt ${NGX_WORKER_RLIMIT_NOFILE} ] ; then
log_always "lowering NGX_WORKER_RLIMIT_NOFILE to ${nofile_hard} due to hard limit"
NGX_WORKER_RLIMIT_NOFILE=${nofile_hard}
fi
if [ ${nofile_soft} -lt ${NGX_WORKER_RLIMIT_NOFILE} ] ; then
ulimit -Sn "${NGX_WORKER_RLIMIT_NOFILE}"
fi
log_always "Limits after:"
sed -En '1p;/open files/p' < /proc/$$/limits >&2
fi
unset nofile_soft nofile_hard nofile_ok
export NGX_WORKER_RLIMIT_NOFILE
fi
if [ -z "${NGX_WORKER_RLIMIT_NOFILE:-}" ] ; then
nofile_limit=$(ulimit -Hn)
nofile_kind="'ulimit:nofile'"
else
nofile_limit=${NGX_WORKER_RLIMIT_NOFILE}
nofile_kind='NGX_WORKER_RLIMIT_NOFILE'
fi
if [ ${nofile_limit} -lt ${NGX_WORKER_CONNECTIONS} ] ; then
log_always "WARNING: ${nofile_kind} is less than NGX_WORKER_CONNECTIONS (${nofile_limit} < ${NGX_WORKER_CONNECTIONS})"
else
ratio=$(mawk -v "a=${nofile_limit}" -v "b=${NGX_WORKER_CONNECTIONS}" 'BEGIN{print a/b;exit;}' </dev/null)
case "${ratio}" in
1 | 1.* )
log_always "WARNING: \"${nofile_kind}/NGX_WORKER_CONNECTIONS\" ratio is too low (=${ratio})"
;;
esac
unset ratio
fi
unset nofile_limit nofile_kind
unset _NGX_WORKER_PROCESSES _NGX_WORKER_PRIORITY _NGX_WORKER_RLIMIT_NOFILE _NGX_WORKER_CONNECTIONS _NGX_WORKER_AIO_REQUESTS
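Review bot: When NGX_WORKER_RLIMIT_NOFILE is unset, `nofile_limit=$(ulimit -Hn)` (L999) can be `unlimited`, which the earlier branch handles (L967-L970) but this one does not: `[ ${nofile_limit} -lt ${NGX_WORKER_CONNECTIONS} ]` at L1005 then fails with an integer-expression error and falls into the ratio branch with a non-numeric `a`; adding `[ "${nofile_limit}" != unlimited ] || nofile_limit=$((NGX_WORKER_CONNECTIONS * 2))` after L999 (or skipping both checks in that case) fixes it. Separately, NGX_WORKER_CPU_AFFINITY (L872-L879) is only whitespace-normalized before being exported and rendered verbatim into `worker_cpu_affinity {{ env.NGX_WORKER_CPU_AFFINITY }};`, so unlike every other worker variable it gets no validation and a stray `;` or newline alters the config instead of producing a logged fallback. The block below restricts it to `auto`, `auto <mask>` or a list of binary masks before exporting, in the same log-and-fall-back style as the other variables.
```shell
if [ -z "${NGX_WORKER_CPU_AFFINITY:-}" ] ; then
  unset NGX_WORKER_CPU_AFFINITY
else
  NGX_WORKER_CPU_AFFINITY=$(normalize_list "${NGX_WORKER_CPU_AFFINITY}")
  ## accept "auto", "auto <mask>" or a list of binary masks only
  case "${NGX_WORKER_CPU_AFFINITY}" in
  auto | 'auto '[01]* | [01]* )
    case "${NGX_WORKER_CPU_AFFINITY#auto}" in
    *[!01' ']* )
      log_always "NGX_WORKER_CPU_AFFINITY: unrecognized value: ${NGX_WORKER_CPU_AFFINITY}"
      unset NGX_WORKER_CPU_AFFINITY
    ;;
    esac
  ;;
  * )
    log_always "NGX_WORKER_CPU_AFFINITY: unrecognized value: ${NGX_WORKER_CPU_AFFINITY}"
    unset NGX_WORKER_CPU_AFFINITY
  ;;
  esac
  [ -z "${NGX_WORKER_CPU_AFFINITY:-}" ] || export NGX_WORKER_CPU_AFFINITY
fi
# … unchanged: NGX_WORKER_CONNECTIONS and later checks …
```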


@ -1,10 +1,17 @@
#!/bin/sh
if [ "${NGX_HTTP}" = 0 ] ; then
unset NGX_HTTP_MODULES NGX_HTTP_CONFLOAD
unset NGX_HTTP_MODULES NGX_HTTP_CONFLOAD NGX_HTTP_CACHES NGX_HTTP_WEBROOT
else
unset default_caches
default_caches='client_temp fastcgi_temp proxy_temp scgi_temp uwsgi_temp'
set -a
NGX_HTTP_MODULES="${NGX_HTTP_MODULES:-}"
NGX_HTTP_CONFLOAD="${NGX_HTTP_CONFLOAD:-}"
NGX_HTTP_CACHES=$(sort_dedup_list "${default_caches} ${NGX_HTTP_CACHES:-}")
NGX_HTTP_WEBROOT="${NGX_HTTP_WEBROOT:-/etc/angie/static.d}"
set +a
unset default_caches
fi
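Review bot: NGX_HTTP_WEBROOT (L1033) is exported verbatim and lands unquoted in the new `root ${NGX_HTTP_WEBROOT};` snippet, yet unlike the worker variables it receives no validation, so whitespace or a `;` in the value yields a broken or altered directive. A minimal check in the style of the other init scripts: `case "${NGX_HTTP_WEBROOT}" in *[[:space:]\;]* | [!/]* ) log_always "NGX_HTTP_WEBROOT: unrecognized value: ${NGX_HTTP_WEBROOT}" ; NGX_HTTP_WEBROOT=/etc/angie/static.d ;; esac` placed before the `set -a` block. A short comment on `default_caches` (L1028) saying these are the temp-path directories created under the cache volume would also help, since the list is consumed in a different file.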


@ -19,8 +19,15 @@ if [ "${NGX_HTTP}" = 1 ] ; then
for i in ${NGX_HTTP_MODULES:-} ; do
[ -n "$i" ] || continue
case "$i" in
*/* | *\** | *\?* )
log_always "module '$i' is not legal, skipping"
continue
;;
esac
if is_builtin_module http "$i" ; then
log "$i is builtin module, moving to confload"
log "$i is builtin module, moving to NGX_HTTP_CONFLOAD"
http_confload="${http_confload} $i"
continue
fi
@ -43,4 +50,29 @@ if [ "${NGX_HTTP}" = 1 ] ; then
set +a
unset http_modules http_confload
## quirk: angie-module-modsecurity
unset NGX_HTTP_WITH_MODSECURITY
NGX_HTTP_WITH_MODSECURITY=0
while : ; do
case " ${NGX_HTTP_MODULES} " in
*" modsecurity "* ) ;;
* ) break ;;
esac
for d in /angie/modules /etc/angie/modules /etc/angie/modules.dist ; do
[ -d "$d" ] || continue
if [ -f "$d/ngx_http_modsecurity_module.so" ] ; then
NGX_HTTP_WITH_MODSECURITY=1
break
fi
done ; unset d
break ; done
export NGX_HTTP_WITH_MODSECURITY
if [ "${NGX_HTTP_WITH_MODSECURITY}" = 1 ] ; then
set -a
NGX_DIRS_MERGE=$(sort_dedup_list "${NGX_DIRS_MERGE} modsecurity")
set +a
fi
fi


@ -7,22 +7,24 @@ else
## here should be SANE defaults (!)
_NGX_HTTP_MAX_RANGES=16
[ -n "${NGX_HTTP_MAX_RANGES:-}" ] || NGX_HTTP_MAX_RANGES=${_NGX_HTTP_MAX_RANGES}
case "${NGX_HTTP_MAX_RANGES}" in
"${_NGX_HTTP_MAX_RANGES}" ) ;;
## allow values within [1;999]
[1-9] | [1-9][0-9] | [1-9][0-9][0-9] ) ;;
0 )
log_always "HTTP: Range/If-Range/Accept-Ranges support is disabled by NGX_HTTP_MAX_RANGES=0"
;;
* )
log_always "NGX_HTTP_MAX_RANGES: unrecognized value: ${NGX_HTTP_MAX_RANGES}"
log_always "setting NGX_HTTP_MAX_RANGES=${_NGX_HTTP_MAX_RANGES}"
NGX_HTTP_MAX_RANGES=${_NGX_HTTP_MAX_RANGES}
;;
esac
if [ -z "${NGX_HTTP_MAX_RANGES:-}" ] ; then
unset NGX_HTTP_MAX_RANGES
else
case "${NGX_HTTP_MAX_RANGES}" in
## allow values within [1;999]
[1-9] | [1-9][0-9] | [1-9][0-9][0-9] ) ;;
0 )
log_always "HTTP: Range/If-Range/Accept-Ranges support is disabled by NGX_HTTP_MAX_RANGES=0"
;;
* )
log_always "NGX_HTTP_MAX_RANGES: unrecognized value: ${NGX_HTTP_MAX_RANGES}"
log_always "setting NGX_HTTP_MAX_RANGES=${_NGX_HTTP_MAX_RANGES}"
NGX_HTTP_MAX_RANGES=${_NGX_HTTP_MAX_RANGES}
;;
esac
export NGX_HTTP_MAX_RANGES
export NGX_HTTP_MAX_RANGES
fi
unset _NGX_HTTP_MAX_RANGES
fi
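Review bot: With NGX_HTTP_MAX_RANGES unset, the new branch at L1101-L1102 emits no `max_ranges` directive at all, so the previous container default of 16 is silently replaced by Angie's built-in behaviour and `_NGX_HTTP_MAX_RANGES` (L1086) now only applies to rejected values; that weakens the bound on multi-range responses that the old default provided. If a bounded default is still intended, as the '## here should be SANE defaults' comment at L1085 suggests, keep `[ -n "${NGX_HTTP_MAX_RANGES:-}" ] || NGX_HTTP_MAX_RANGES=${_NGX_HTTP_MAX_RANGES}` ahead of the case; if deferring to Angie is the intent, say so in that comment so the unused-looking default is not mistaken for a bug. The enclosing `if`/`else` starts outside the hunk.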


@ -10,8 +10,15 @@ if [ "${NGX_MAIL}" = 1 ] ; then
for i in ${NGX_MAIL_MODULES:-} ; do
[ -n "$i" ] || continue
case "$i" in
*/* | *\** | *\?* )
log_always "module '$i' is not legal, skipping"
continue
;;
esac
if is_builtin_module mail "$i" ; then
log "$i is builtin module, moving to confload"
log "$i is builtin module, moving to NGX_MAIL_CONFLOAD"
mail_confload="${mail_confload} $i"
continue
fi


@ -10,8 +10,15 @@ if [ "${NGX_STREAM}" = 1 ] ; then
for i in ${NGX_STREAM_MODULES:-} ; do
[ -n "$i" ] || continue
case "$i" in
*/* | *\** | *\?* )
log_always "module '$i' is not legal, skipping"
continue
;;
esac
if is_builtin_module stream "$i" ; then
log "$i is builtin module, moving to confload"
log "$i is builtin module, moving to NGX_STREAM_CONFLOAD"
stream_confload="${stream_confload} $i"
continue
fi


@ -35,6 +35,25 @@ for n in ${dirs} ; do
fi
done
d="${target_root}/cache"
for p in ${NGX_HTTP_CACHES:-} ; do
[ -d "$d/$p" ] || install_userdir "$d/$p" || load_error
done
d="${target_root}/lib"
dirs='acme'
[ "${NGX_HTTP_WITH_MODSECURITY:-}" != 1 ] || dirs="${dirs} modsecurity"
for p in ${dirs} ; do
[ -d "$d/$p" ] || install_userdir "$d/$p" || load_error
done
if [ "${NGX_HTTP_WITH_MODSECURITY}" = 1 ] ; then
d="${target_root}/log"
for p in modsecurity modsecurity/concurrent ; do
[ -d "$d/$p" ] || install_userdir "$d/$p" || load_error
done
fi
## provide same symlinks as upstream (both Angie and nginx) docker images do
d="${target_root}/log"
[ -e "$d/access.log" ] || ln_s /dev/stdout "$d/access.log" || load_error
@ -100,7 +119,7 @@ combine_modules() {
case "$m" in
/* | */../* | *\** | *\?* )
log_always "module name '$m' is not legal, skipping"
log_always "module config filename '$m' is not legal, skipping"
continue
;;
esac
@ -135,7 +154,7 @@ combine_confload() {
[ $# -ne 0 ] || return 0
local s src_dir dst_dir src_name dst_name src_path dst_path
src_dir="${merged_root}/snip"
src_dir="${merged_root}/conf"
dst_dir="${volume_root}/load"
for s ; do
@ -143,7 +162,7 @@ combine_confload() {
case "$s" in
/* | */../* | *\** | *\?* )
log_always "snippet name '$s' is not legal, skipping"
log_always "config filename '$s' is not legal, skipping"
continue
;;
esac
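Review bot: `[ "${NGX_HTTP_WITH_MODSECURITY}" = 1 ]` at L1173 reads the variable unguarded while L1169 uses `${NGX_HTTP_WITH_MODSECURITY:-}`; the variable is only set in the NGX_HTTP=1 branch of the http init script, so if this runs under `set -u` on an HTTP-disabled container it aborts — use `"${NGX_HTTP_WITH_MODSECURITY:-}"` on L1173 as well. NGX_HTTP_CACHES entries become path components at L1165 (`install_userdir "$d/$p"`) with no legality check, whereas module lists now get one; filtering `*/* | *\** | *\?*` there would keep the operator-supplied list inside `${target_root}/cache`. The name checks in the context lines at L1184 and L1199 (`/* | */../* | *\** | *\?*`) still accept `../x` and `x/..`, because `*/../*` needs a slash on both sides of `..`; the stricter `*/*` arm used for module names elsewhere in this commit would close that gap. The enclosing loops of combine_modules and combine_confload start and end outside the hunks.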
