Compare commits
3 Commits
3c0a74f206
...
8fac571d20
Author | SHA1 | Date | |
---|---|---|---|
8fac571d20 | |||
985c42a7d2 | |||
7425ac403a |
24
Dockerfile
24
Dockerfile
@ -51,7 +51,7 @@ RUN libpython="${PYTHON_SITE_PACKAGES%/*}" ; \
|
||||
|
||||
## Python cache warmup
|
||||
RUN j2cfg-single /usr/local/lib/j2cfg/test.j2 /tmp/test ; \
|
||||
cat /tmp/test ; echo ; \
|
||||
cat /tmp/test ; echo ; echo ; \
|
||||
rm -f /tmp/test
|
||||
|
||||
## Python cache adjustments
|
||||
@ -99,13 +99,9 @@ RUN apt-install.sh angie ; \
|
||||
if [ "${NGX_DEBUG}" = 0 ] ; then \
|
||||
rm -fv "$n-debug" ; \
|
||||
mv -fv "$n-nodebug" "$n" ; \
|
||||
ln -fsv "${n##*/}" "$n-nodebug" ; \
|
||||
ln -fsv /bin/false "$n-debug" ; \
|
||||
else \
|
||||
rm -fv "$n-nodebug" ; \
|
||||
mv -fv "$n-debug" "$n" ; \
|
||||
ln -fsv "${n##*/}" "$n-debug" ; \
|
||||
ln -fsv /bin/false "$n-nodebug" ; \
|
||||
fi
|
||||
|
||||
## preserve snippets from Angie config directory
|
||||
@ -138,10 +134,11 @@ RUN install -d -o angie -g angie -m 03777 /angie /run/angie ; \
|
||||
## adjust paths in config directory
|
||||
cd /etc/angie || exit 1 ; \
|
||||
ln -sv /run/angie run ; \
|
||||
ln -sv /run/angie/lock lock.d ; \
|
||||
ln -sv /run/angie/load load ; \
|
||||
ln -sv /run/angie/lock lock ; \
|
||||
ln -sv ${ANGIE_MODULES_DIR} modules.dist ; \
|
||||
## hyper-modular paths:
|
||||
data='conf j2cfg mod modules site snip static' ; \
|
||||
data='autoconf conf j2cfg mod modules site snip static' ; \
|
||||
vardata='cache lib log' ; \
|
||||
for n in ${data} ; do \
|
||||
for d in "$n" "$n.dist" ; do \
|
||||
@ -152,6 +149,17 @@ RUN install -d -o angie -g angie -m 03777 /angie /run/angie ; \
|
||||
ln -sv "/run/angie/$n" "$n.d" ; \
|
||||
done
|
||||
|
||||
## future quirk for angie-module-modsecurity >:)
|
||||
RUN n='modsecurity' ; \
|
||||
d="/etc/angie/$n" ; \
|
||||
ln -sv "/run/angie/$n" "$d.d" ; \
|
||||
dpkg-divert --divert "$d.dist" --rename "$d" ; \
|
||||
for p in modsecurity.conf unicode.mapping ; do \
|
||||
dpkg-divert --divert "$d.dist/$p" --rename "$d/$p" ; \
|
||||
done ; \
|
||||
p='rules.conf' ; \
|
||||
dpkg-divert --divert "$d.dist/$p.dist" --rename "$d/$p"
|
||||
|
||||
VOLUME [ "/run/angie" ]
|
||||
|
||||
COPY /angie/ /etc/angie/
|
||||
@ -161,7 +169,7 @@ RUN find /etc/angie/ -name .gitkeep -delete ; \
|
||||
## preseed builtin modules list
|
||||
RUN x='angie-builtin-modules.sh' ; \
|
||||
"$x" ; \
|
||||
chmod a-x "$(which "$x")"
|
||||
rm -fv "$(which "$x")"
|
||||
|
||||
## misc tools
|
||||
RUN apt-install.sh \
|
||||
|
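Review bot: The new modsecurity RUN step diverts a directory, `dpkg-divert --divert "$d.dist" --rename "$d"` with `d=/etc/angie/modsecurity`; as far as I recall, dpkg-divert(1) documents that directories cannot be diverted, so the registration may be accepted now but never honoured when angie-module-modsecurity is installed, leaving its files in `/etc/angie/modsecurity` instead of `modsecurity.dist` — worth checking before relying on it, and a comment such as `## dpkg-divert works per file; the directory divert is best-effort` would record the intent. The per-file diversions that follow (`modsecurity.conf`, `unicode.mapping`, `rules.conf`) are the part that will work. The chain is joined with `;`, as elsewhere in this Dockerfile, so a failing dpkg-divert does not fail the build; consider `|| exit 1` on the diversions that must succeed, matching the `cd /etc/angie || exit 1` pattern already used.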
@ -1,23 +1,22 @@
|
||||
daemon off;
|
||||
pid run/angie.pid;
|
||||
lock_file lock.d/angie.lock;
|
||||
|
||||
## almost useless
|
||||
include mod.d/core-*.load;
|
||||
include load/mod-core-*.conf;
|
||||
|
||||
# mod-http.conf.in
|
||||
# mod-mail.conf.in
|
||||
# mod-stream.conf.in
|
||||
# mod-http.conf
|
||||
# mod-mail.conf
|
||||
# mod-stream.conf
|
||||
include run/mod-*.conf;
|
||||
|
||||
events {
|
||||
include conf.d/core_ev-*.conf;
|
||||
include snip.d/core_ev-*.load;
|
||||
include autoconf.d/core_ev-*.conf;
|
||||
include load/core_ev-*.conf;
|
||||
}
|
||||
include conf.d/core-*.conf;
|
||||
include snip.d/core-*.load;
|
||||
include autoconf.d/core-*.conf;
|
||||
include load/core-*.conf;
|
||||
|
||||
# ctx-http.conf.in
|
||||
# ctx-mail.conf.in
|
||||
# ctx-stream.conf.in
|
||||
# ctx-http.conf
|
||||
# ctx-mail.conf
|
||||
# ctx-stream.conf
|
||||
include run/ctx-*.conf;
|
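--- a/angie/autoconf.dist/core-lock-file.conf
+++ b/angie/autoconf.dist/core-lock-file.conf
@@ -0,0 +1 @@
+lock_file lock/angie.lock;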
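--- a/angie/autoconf.dist/core-user.conf.in
+++ b/angie/autoconf.dist/core-user.conf.in
@@ -0,0 +1,3 @@
+## if container is running in non-privileged mode,
+## then this file is going to be removed by /image-entry.d/76-adjust-core-user.sh
+user ${NGX_USER} ${NGX_GROUP};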
@ -1,15 +1,19 @@
|
||||
{#- prologue -#}
|
||||
{#- NB: "TZ" is always provided by Angie itself -#}
|
||||
{%- set s_vars = ['MALLOC_ARENA_MAX', 'GLIBC_TUNABLES', 'MALLOC_CONF'] -%}
|
||||
{%- set c_env = ( j2cfg.core_worker_env or [] ) | any_to_env_dict -%}
|
||||
{%- set c_vars = c_env | dict_keys -%}
|
||||
{%- set c_vars_preserve = c_env | dict_empty_keys -%}
|
||||
{%- set c_vars_passthrough = c_env | dict_empty_keys -%}
|
||||
{%- set c_vars_override = c_env | dict_non_empty_keys -%}
|
||||
{%- set vars_preserve = ( c_vars_preserve + s_vars ) | uniq | sort -%}
|
||||
{%- set vars_passthrough = (env_passthrough + c_vars_passthrough) | uniq | list_intersect(env | dict_keys) -%}
|
||||
|
||||
{#- main part -#}
|
||||
## preserve
|
||||
{%- for k in vars_preserve %}
|
||||
{%- for k in env_preserve %}
|
||||
env {{ k }};
|
||||
{%- endfor %}
|
||||
|
||||
## passthrough
|
||||
{%- for k in vars_passthrough %}
|
||||
env {{ k }};
|
||||
{%- endfor %}
|
||||
|
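--- a/angie/autoconf.dist/core-worker.conf.j2
+++ b/angie/autoconf.dist/core-worker.conf.j2
@@ -0,0 +1,10 @@
+worker_processes {{ env.NGX_WORKER_PROCESSES }};
+{%- if env.NGX_WORKER_CPU_AFFINITY %}
+worker_cpu_affinity {{ env.NGX_WORKER_CPU_AFFINITY }};
+{%- endif %}
+{%- if env.NGX_WORKER_PRIORITY %}
+worker_priority {{ env.NGX_WORKER_PRIORITY }};
+{%- endif %}
+{%- if env.NGX_WORKER_RLIMIT_NOFILE %}
+worker_rlimit_nofile {{ env.NGX_WORKER_RLIMIT_NOFILE }};
+{%- endif %}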
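--- a/angie/autoconf.dist/core_ev-worker.conf.j2
+++ b/angie/autoconf.dist/core_ev-worker.conf.j2
@@ -0,0 +1,7 @@
+worker_connections {{ env.NGX_WORKER_CONNECTIONS }};
+{%- if env.NGX_WORKER_AIO_REQUESTS %}
+worker_aio_requests {{ env.NGX_WORKER_AIO_REQUESTS }};
+{%- endif %}
+{%- if env.NGX_WORKER_PRIORITY %}
+worker_priority {{ env.NGX_WORKER_PRIORITY }};
+{%- endif %}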
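Review bot: `worker_priority` in this template is rendered inside the `events { }` block (angie.conf includes `autoconf.d/core_ev-*.conf` there), but in nginx — and, as far as I know, Angie — `worker_priority` is a main-context directive, so the generated config would be rejected with a "directive is not allowed here" error whenever NGX_WORKER_PRIORITY is non-empty; the worker envsh defaults it to 0, and if env values arrive as strings the non-empty `"0"` is truthy in Jinja, making that the default case. The same directive is already emitted in the main context by core-worker.conf.j2, so the trailing `{%- if env.NGX_WORKER_PRIORITY %} … {%- endif %}` block here looks like a copy-paste remnant and should be dropped.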
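--- a/angie/autoconf.dist/http-max-ranges.conf.j2
+++ b/angie/autoconf.dist/http-max-ranges.conf.j2
@@ -0,0 +1,3 @@
+{%- if env.NGX_HTTP_MAX_RANGES %}
+max_ranges {{ env.NGX_HTTP_MAX_RANGES }};
+{%- endif %}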
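--- a/angie/autoconf.dist/http-webroot.conf.in
+++ b/angie/autoconf.dist/http-webroot.conf.in
@@ -0,0 +1 @@
+root ${NGX_HTTP_WEBROOT};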
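--- a/angie/conf.dist/brotli/types.conf.j2
+++ b/angie/conf.dist/brotli/types.conf.j2
@@ -0,0 +1,9 @@
+{%- set mime_types = j2cfg.brotli_compress_types or j2cfg.compress_types or [] -%}
+{%- set mime_types = mime_types | any_to_str_list | uniq_str_list -%}
+{%- if mime_types -%}
+brotli_types
+{%- for t in mime_types %}
+{{ t }}
+{%- endfor %}
+;
+{%- endif -%}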
@ -1 +0,0 @@
user ${NGX_USER} ${NGX_GROUP};
@ -1,3 +0,0 @@
worker_processes ${NGX_WORKER_PROCESSES};
worker_priority ${NGX_WORKER_PRIORITY};
worker_rlimit_nofile ${NGX_WORKER_RLIMIT_NOFILE};
@ -1 +0,0 @@
worker_connections ${NGX_WORKER_CONNECTIONS};
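--- a/angie/conf.dist/fastcgi/buffers.conf
+++ b/angie/conf.dist/fastcgi/buffers.conf
@@ -0,0 +1,4 @@
+fastcgi_buffers 16 16k;
+fastcgi_buffer_size 16k;
+fastcgi_busy_buffers_size 32k;
+fastcgi_temp_file_write_size 32k;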
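--- a/angie/conf.dist/fastcgi/headers.conf.j2
+++ b/angie/conf.dist/fastcgi/headers.conf.j2
@@ -0,0 +1,13 @@
+## hide/remove request headers
+{%- set req_hdr_list = j2cfg.fastcgi_remove_request_headers or j2cfg.remove_request_headers or [] -%}
+{%- set req_hdr_list = req_hdr_list | any_to_str_list | as_cgi_header -%}
+{%- for h in req_hdr_list %}
+fastcgi_param {{ h }} "";
+{%- endfor %}
+
+## hide response headers
+{%- set resp_hdr_list = j2cfg.fastcgi_remove_response_headers or j2cfg.remove_response_headers or [] -%}
+{%- set resp_hdr_list = resp_hdr_list | any_to_str_list | uniq_str_list -%}
+{%- for h in resp_hdr_list %}
+fastcgi_hide_header {{ h }};
+{%- endfor %}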
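--- a/angie/conf.dist/fastcgi/param.conf
+++ b/angie/conf.dist/fastcgi/param.conf
@@ -0,0 +1,7 @@
+include snip.d/fastcgi.conf;
+
+fastcgi_param PATH_INFO $path_info;
+
+fastcgi_param AUTH_USER $remote_user;
+fastcgi_param REMOTE_USER $remote_user;
+fastcgi_param HTTP_HOST $host;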
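--- a/angie/conf.dist/grpc/buffers.conf
+++ b/angie/conf.dist/grpc/buffers.conf
@@ -0,0 +1 @@
+grpc_buffer_size 16k;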
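--- a/angie/conf.dist/grpc/headers.conf.j2
+++ b/angie/conf.dist/grpc/headers.conf.j2
@@ -0,0 +1,13 @@
+## hide/remove request headers
+{%- set req_hdr_list = j2cfg.grpc_remove_request_headers or j2cfg.remove_request_headers or [] -%}
+{%- set req_hdr_list = req_hdr_list | any_to_str_list | uniq_str_list -%}
+{%- for h in req_hdr_list %}
+grpc_set_header {{ h }} "";
+{%- endfor %}
+
+## hide response headers
+{%- set resp_hdr_list = j2cfg.grpc_remove_response_headers or j2cfg.remove_response_headers or [] -%}
+{%- set resp_hdr_list = resp_hdr_list | any_to_str_list | uniq_str_list -%}
+{%- for h in resp_hdr_list %}
+grpc_hide_header {{ h }};
+{%- endfor %}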
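--- a/angie/conf.dist/gzip/types.conf.j2
+++ b/angie/conf.dist/gzip/types.conf.j2
@@ -0,0 +1,9 @@
+{%- set mime_types = j2cfg.gzip_compress_types or j2cfg.compress_types or [] -%}
+{%- set mime_types = mime_types | any_to_str_list | uniq_str_list -%}
+{%- if mime_types -%}
+gzip_types
+{%- for t in mime_types %}
+{{ t }}
+{%- endfor %}
+;
+{%- endif -%}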
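--- a/angie/conf.dist/http-brotli.conf
+++ b/angie/conf.dist/http-brotli.conf
@@ -0,0 +1,2 @@
+include conf.d/brotli/*.conf;
+brotli on;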
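--- a/angie/conf.dist/http-fastcgi.conf
+++ b/angie/conf.dist/http-fastcgi.conf
@@ -0,0 +1 @@
+include conf.d/fastcgi/*.conf;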
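--- a/angie/conf.dist/http-grpc.conf
+++ b/angie/conf.dist/http-grpc.conf
@@ -0,0 +1,4 @@
+## this should be enabled explicitly to avoid config mess
+# include conf.d/http-v2.conf;
+
+include conf.d/grpc/*.conf;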
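--- a/angie/conf.dist/http-gunzip.conf
+++ b/angie/conf.dist/http-gunzip.conf
@@ -0,0 +1,2 @@
+gunzip_buffers 16 16k;
+gunzip on;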
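--- a/angie/conf.dist/http-gzip.conf
+++ b/angie/conf.dist/http-gzip.conf
@@ -0,0 +1,2 @@
+include conf.d/gzip/*.conf;
+gzip on;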
@ -1 +0,0 @@
max_ranges ${NGX_HTTP_MAX_RANGES};
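--- a/angie/conf.dist/http-modsecurity.conf
+++ b/angie/conf.dist/http-modsecurity.conf
@@ -0,0 +1,4 @@
+modsecurity_rules_file /etc/angie/modsecurity.d/rules.conf;
+
+## NOT enabling ModSecurity by default!
+# modsecurity on;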
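--- a/angie/conf.dist/http-njs.conf
+++ b/angie/conf.dist/http-njs.conf
@@ -0,0 +1 @@
+js_path /etc/angie/site.d;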
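--- a/angie/conf.dist/http-perl.conf
+++ b/angie/conf.dist/http-perl.conf
@@ -0,0 +1 @@
+perl_modules /etc/angie/site.d;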
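--- a/angie/conf.dist/http-response-headers.conf.j2
+++ b/angie/conf.dist/http-response-headers.conf.j2
@@ -0,0 +1,6 @@
+## add response headers
+{%- set resp_hdr_list = ( j2cfg.add_response_headers or {} ) -%}
+{%- for h, v in resp_hdr_list.items() %}
+{#- TODO: precise quotation #}
+add_header {{ h }} {{ v.__repr__() }};
+{%- endfor %}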
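Review bot: The rendered `add_header` directives carry no `always` flag, so the security headers coming from j2cfg (CSP, HSTS, X-Frame-Options, …) are attached only to 2xx/3xx responses and are absent from 4xx/5xx pages, which is where framing and sniffing defences are still wanted; consider `add_header {{ h }} {{ v.__repr__() }} always;`. A comment at the top of the file should also spell out the inheritance gotcha: any `add_header` in a server or location block replaces every header set here at http level, e.g. `## NB: an add_header in a server/location block drops ALL of these - re-include this file there`. The TODO is right that `v.__repr__()` is Python repr, not nginx quoting — a value containing a backslash, a quote or a `$` (variable interpolation) will not reach the client intact — so values should be validated or escaped before `__repr__` is relied on.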
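--- a/angie/conf.dist/http-scgi.conf
+++ b/angie/conf.dist/http-scgi.conf
@@ -0,0 +1 @@
+include conf.d/scgi/*.conf;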
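--- a/angie/conf.dist/http-uwsgi.conf
+++ b/angie/conf.dist/http-uwsgi.conf
@@ -0,0 +1 @@
+include conf.d/uwsgi/*.conf;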
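--- a/angie/conf.dist/http-v2.conf
+++ b/angie/conf.dist/http-v2.conf
@@ -0,0 +1,2 @@
+http2_chunk_size 16k;
+http2 on;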
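--- a/angie/conf.dist/http-zstd.conf
+++ b/angie/conf.dist/http-zstd.conf
@@ -0,0 +1,2 @@
+include conf.d/zstd/*.conf;
+zstd on;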
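--- a/angie/conf.dist/proxy/headers.conf.j2
+++ b/angie/conf.dist/proxy/headers.conf.j2
@@ -0,0 +1,13 @@
+## hide/remove request headers
+{%- set req_hdr_list = j2cfg.proxy_remove_request_headers or j2cfg.remove_request_headers or [] -%}
+{%- set req_hdr_list = req_hdr_list | any_to_str_list | uniq_str_list -%}
+{%- for h in req_hdr_list %}
+proxy_set_header {{ h }} "";
+{%- endfor %}
+
+## hide response headers
+{%- set resp_hdr_list = j2cfg.proxy_remove_response_headers or j2cfg.remove_response_headers or [] -%}
+{%- set resp_hdr_list = resp_hdr_list | any_to_str_list | uniq_str_list -%}
+{%- for h in resp_hdr_list %}
+proxy_hide_header {{ h }};
+{%- endfor %}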
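--- a/angie/conf.dist/scgi/buffers.conf
+++ b/angie/conf.dist/scgi/buffers.conf
@@ -0,0 +1,4 @@
+scgi_buffers 16 16k;
+scgi_buffer_size 16k;
+scgi_busy_buffers_size 32k;
+scgi_temp_file_write_size 32k;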
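--- a/angie/conf.dist/scgi/headers.conf.j2
+++ b/angie/conf.dist/scgi/headers.conf.j2
@@ -0,0 +1,13 @@
+## hide/remove request headers
+{%- set req_hdr_list = j2cfg.scgi_remove_request_headers or j2cfg.remove_request_headers or [] -%}
+{%- set req_hdr_list = req_hdr_list | any_to_str_list | as_cgi_header -%}
+{%- for h in req_hdr_list %}
+scgi_param {{ h }} "";
+{%- endfor %}
+
+## hide response headers
+{%- set resp_hdr_list = j2cfg.scgi_remove_response_headers or j2cfg.remove_response_headers or [] -%}
+{%- set resp_hdr_list = resp_hdr_list | any_to_str_list | uniq_str_list -%}
+{%- for h in resp_hdr_list %}
+scgi_hide_header {{ h }};
+{%- endfor %}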
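--- a/angie/conf.dist/scgi/param.conf
+++ b/angie/conf.dist/scgi/param.conf
@@ -0,0 +1,7 @@
+include snip.d/scgi_params;
+
+scgi_param PATH_INFO $path_info;
+
+scgi_param AUTH_USER $remote_user;
+scgi_param REMOTE_USER $remote_user;
+scgi_param HTTP_HOST $host;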
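--- a/angie/conf.dist/uwsgi/buffers.conf
+++ b/angie/conf.dist/uwsgi/buffers.conf
@@ -0,0 +1,4 @@
+uwsgi_buffers 16 16k;
+uwsgi_buffer_size 16k;
+uwsgi_busy_buffers_size 32k;
+uwsgi_temp_file_write_size 32k;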
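--- a/angie/conf.dist/uwsgi/headers.conf.j2
+++ b/angie/conf.dist/uwsgi/headers.conf.j2
@@ -0,0 +1,13 @@
+## hide/remove request headers
+{%- set req_hdr_list = j2cfg.uwsgi_remove_request_headers or j2cfg.remove_request_headers or [] -%}
+{%- set req_hdr_list = req_hdr_list | any_to_str_list | as_cgi_header -%}
+{%- for h in req_hdr_list %}
+uwsgi_param {{ h }} "";
+{%- endfor %}
+
+## hide response headers
+{%- set resp_hdr_list = j2cfg.uwsgi_remove_response_headers or j2cfg.remove_response_headers or [] -%}
+{%- set resp_hdr_list = resp_hdr_list | any_to_str_list | uniq_str_list -%}
+{%- for h in resp_hdr_list %}
+uwsgi_hide_header {{ h }};
+{%- endfor %}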
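--- a/angie/conf.dist/uwsgi/param.conf
+++ b/angie/conf.dist/uwsgi/param.conf
@@ -0,0 +1,7 @@
+include snip.d/uwsgi_params;
+
+uwsgi_param PATH_INFO $path_info;
+
+uwsgi_param AUTH_USER $remote_user;
+uwsgi_param REMOTE_USER $remote_user;
+uwsgi_param HTTP_HOST $host;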
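--- a/angie/conf.dist/zstd/types.conf.j2
+++ b/angie/conf.dist/zstd/types.conf.j2
@@ -0,0 +1,9 @@
+{%- set mime_types = j2cfg.zstd_compress_types or j2cfg.compress_types or [] -%}
+{%- set mime_types = mime_types | any_to_str_list | uniq_str_list -%}
+{%- if mime_types -%}
+zstd_types
+{%- for t in mime_types %}
+{{ t }}
+{%- endfor %}
+;
+{%- endif -%}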
@ -1,5 +1,5 @@
|
||||
http {
|
||||
include conf.d/http-*.conf;
|
||||
include snip.d/http-*.load;
|
||||
include autoconf.d/http-*.conf;
|
||||
include load/http-*.conf;
|
||||
include site.d/http-*.conf;
|
||||
}
|
@ -1,5 +1,5 @@
|
||||
mail {
|
||||
include conf.d/mail-*.conf;
|
||||
include snip.d/mail-*.load;
|
||||
include autoconf.d/mail-*.conf;
|
||||
include load/mail-*.conf;
|
||||
include site.d/mail-*.conf;
|
||||
}
|
@ -1,5 +1,5 @@
|
||||
stream {
|
||||
include conf.d/stream-*.conf;
|
||||
include snip.d/stream-*.load;
|
||||
include autoconf.d/stream-*.conf;
|
||||
include load/stream-*.conf;
|
||||
include site.d/stream-*.conf;
|
||||
}
|
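--- a/angie/j2cfg.dist/add-response-headers.yml
+++ b/angie/j2cfg.dist/add-response-headers.yml
@@ -0,0 +1,11 @@
+add_response_headers:
+Access-Control-Allow-Origin: "*"
+Access-Control-Allow-Headers: "Origin, X-Requested-With, Content-Type, Accept, Authorization"
+Access-Control-Allow-Methods: "GET, HEAD, POST, PUT, DELETE, OPTIONS"
+Content-Security-Policy: "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline' 'unsafe-eval' ; frame-ancestors 'self';"
+Permissions-Policy: "microphone=(), camera=(), geolocation=(), interest-cohort=()"
+Referrer-Policy: "no-referrer-when-downgrade"
+Strict-Transport-Security: "max-age=31536000; includeSubDomains; preload"
+X-Content-Type-Options: "nosniff"
+X-Frame-Options: "SAMEORIGIN"
+X-XSS-Protection: "1; mode=block"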
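Review bot: The default header set shipped here is weaker than it looks and deserves a comment saying so: the Content-Security-Policy allows `'unsafe-inline' 'unsafe-eval'` and any `http:`/`https:` source, which gives essentially no script-injection protection, and `Access-Control-Allow-Origin: "*"` opens cross-origin reads to every origin for every site served from this image. `Strict-Transport-Security` with `preload` is a one-way commitment for the domain and is a poor container-wide default, and `X-XSS-Protection: "1; mode=block"` is obsolete (current guidance is `0` or omitting it). Suggest a leading comment such as `## permissive baseline only - tighten per deployment via j2cfg`, dropping `preload`, and changing the last entry to `X-XSS-Protection: "0"`.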
@ -1,10 +1,9 @@
|
||||
{#- prologue -#}
|
||||
{%- set s_vars = ['MALLOC_ARENA_MAX', 'GLIBC_TUNABLES', 'MALLOC_CONF'] -%}
|
||||
{%- set c_env = ( j2cfg.core_worker_env or [] ) | any_to_env_dict -%}
|
||||
{%- set c_vars = c_env | dict_keys -%}
|
||||
{%- set c_vars_preserve = c_env | dict_empty_keys -%}
|
||||
{%- set vars_preserve = ( c_vars_preserve + ( s_vars | list_diff(c_vars) )) | sort -%}
|
||||
{%- set c_vars_passthrough = c_env | dict_empty_keys -%}
|
||||
{%- set vars_passthrough = ((env_passthrough | list_diff(c_vars)) + c_vars_passthrough) | uniq | list_intersect(env | dict_keys) -%}
|
||||
{#- main part -#}
|
||||
{%- for k in vars_preserve -%}
|
||||
{%- for k in vars_passthrough -%}
|
||||
{{ k }}
|
||||
{% endfor -%}
|
||||
|
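--- a/angie/j2cfg.dist/remove-request-headers.yml
+++ b/angie/j2cfg.dist/remove-request-headers.yml
@@ -0,0 +1,3 @@
+remove_request_headers:
+## do not pass Accept-Encoding to backend
+- Accept-Encoding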
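--- a/angie/j2cfg.dist/remove-response-headers.yml
+++ b/angie/j2cfg.dist/remove-response-headers.yml
@@ -0,0 +1,12 @@
+remove_response_headers:
+- Access-Control-Allow-Headers
+- Access-Control-Allow-Methods
+- Access-Control-Allow-Origin
+- Content-Security-Policy
+- Permissions-Policy
+- Referrer-Policy
+- Strict-Transport-Security
+- Vary
+- X-Content-Type-Options
+- X-Frame-Options
+- X-XSS-Protection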
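Review bot: Hiding `Vary` from upstream responses (the `- Vary` entry) is a cache-correctness matter, not just header hygiene: `Vary` is how a backend tells shared caches and browsers that a response was negotiated on `Accept-Encoding`, `Origin`, `Accept-Language` or a cookie, and stripping it lets a cached variant produced for one client be served to another — with CORS that can hand an origin-specific response to the wrong origin. If the intent is that Angie re-adds its own `Vary: Accept-Encoding` when it compresses, that covers only compression; consider removing `Vary` from this list, or document the assumption with `## Vary is hidden on purpose: backend content negotiation beyond Accept-Encoding is NOT supported`.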
@ -1 +1 @@
include mod.d/http-*.load;
include load/mod-http-*.conf;
@ -1 +1 @@
include mod.d/mail-*.load;
include load/mod-mail-*.conf;
@ -1 +1 @@
include mod.d/stream-*.load;
include load/mod-stream-*.conf;
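--- a/angie/modsecurity.dist/rules.conf
+++ b/angie/modsecurity.dist/rules.conf
@@ -0,0 +1,33 @@
+Include modsecurity.conf
+
+# To enable the OWASP CRS, please perform the following steps:
+#
+# 1. Checkout Core Rule Set from GitHub and create config files as shown below:
+#
+# version='v4.5.0'
+# uri="https://github.com/coreruleset/coreruleset/archive/refs/tags/${version}.tar.gz"
+# dst_dir='/etc/angie/modsecurity/coreruleset'
+# w=$(mktemp -d) ; : "${w:?}"
+# cd "$w/"
+# tarball="coreruleset.tar.gz"
+# /usr/lib/apt/apt-helper download-file "${uri}" "${tarball}"
+# mkdir coreruleset
+# tar -C ./coreruleset --strip-components=1 -xf "${tarball}"
+# rm -f "${tarball}" ; unset tarball
+# for p in \
+# crs-setup.conf \
+# rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf \
+# rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf \
+# ; do
+# src="coreruleset/$p.example"
+# dst="${dst_dir}/$p"
+# [ -f "${src}" ] || continue
+# [ -d "${dst%/*}" ] || mkdir -p "${dst%/*}"
+# cp -nv "${src}" "${dst}"
+# done
+# rm -rf "${w:?}/" ; unset w
+#
+# 2. Uncomment both 'Include' directives below
+
+#Include coreruleset/crs-setup.conf
+#Include coreruleset/rules/*.conf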
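Review bot: The CRS bootstrap recipe in the comment downloads the GitHub tag tarball and unpacks it straight into `/etc/angie/modsecurity/coreruleset` with no integrity check, so whatever arrives over that fetch becomes the WAF rule set; as far as I know the CRS project publishes checksum and signature files alongside each release, and the recipe should verify one before the `tar -C ./coreruleset` step, e.g. `echo "<PINNED_SHA256_PLACEHOLDER>  ${tarball}" | sha256sum -c -` (constructed example, digest to be taken from the release). Operators will paste this block verbatim, so pinning `version` without pinning a digest leaves the tag mutable from their point of view. The `cp -nv` of the `.example` files and the `${w:?}` guard on the cleanup are good.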
@ -1 +0,0 @@
include snip.d/gzip/vary.conf;
@ -1,8 +0,0 @@
|
||||
{%- set mime_types = ( j2cfg.compress_types or [] )|any_to_str_list|uniq_str_list -%}
|
||||
{%- if mime_types %}
|
||||
brotli_types
|
||||
{%- for t in mime_types %}
|
||||
{{ t }}
|
||||
{%- endfor %}
|
||||
;
|
||||
{%- endif %}
|
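--- a/angie/snip.dist/deny-dotfiles
+++ b/angie/snip.dist/deny-dotfiles
@@ -0,0 +1,3 @@
+location ~ /\. {
+include snip.d/internal-area;
+}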
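Review bot: `location ~ /\. { include snip.d/internal-area; }` marks every dotted path `internal`, which also swallows `/.well-known/` — ACME HTTP-01 challenges and other RFC 8615 well-known URIs would 404 wherever this snippet is included. If that is not intended, the exemption has to win before the regex is tried, e.g. a `location ^~ /.well-known/ { }` alongside this snippet, or a lookahead in the regex such as `location ~ /\.(?!well-known/) {`. Either way a comment like `## NB: also blocks /.well-known/ - add a ^~ /.well-known/ location if ACME or similar is needed` would warn operators.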
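--- a/angie/snip.dist/disable-compression.j2
+++ b/angie/snip.dist/disable-compression.j2
@@ -0,0 +1,8 @@
+{#- safe to specify all the time -#}
+gzip off;
+{%- set modules = ( env.NGX_HTTP_MODULES or '' ) | str_split_to_list -%}
+{%- for ext_comp in ['brotli', 'zstd'] %}
+{%- if ext_comp in modules %}
+{{ ext_comp }} off;
+{%- endif %}
+{%- endfor %}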
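--- a/angie/snip.dist/empty-favicon
+++ b/angie/snip.dist/empty-favicon
@@ -0,0 +1,4 @@
+location = /favicon.ico {
+empty_gif;
+expires 1d;
+}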
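--- a/angie/snip.dist/fastcgi-location
+++ b/angie/snip.dist/fastcgi-location
@@ -0,0 +1,5 @@
+try_files $fastcgi_script_name =444;
+
+## bypass the fact that try_files resets $fastcgi_path_info
+## see: https://trac.nginx.org/nginx/ticket/321
+set $path_info $fastcgi_path_info;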
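Review bot: `set $path_info $fastcgi_path_info;` is written after `try_files` yet runs before it — `set` executes in the rewrite phase, which precedes try_files regardless of textual order — and that ordering is the whole reason the workaround captures the value; the comment should say so, e.g. `## set runs in the rewrite phase (before try_files), so it snapshots $fastcgi_path_info before try_files clears it`. The snippet also depends on the including location defining `fastcgi_split_path_info`, otherwise `$fastcgi_path_info` is empty and `PATH_INFO` in fastcgi/param.conf is always blank; worth a one-line comment at the top.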
@ -1,8 +0,0 @@
|
||||
{%- set mime_types = ( j2cfg.compress_types or [] )|any_to_str_list|uniq_str_list -%}
|
||||
{%- if mime_types %}
|
||||
gzip_types
|
||||
{%- for t in mime_types %}
|
||||
{{ t }}
|
||||
{%- endfor %}
|
||||
;
|
||||
{%- endif %}
|
@ -1,2 +0,0 @@
include snip.d/brotli/*.conf;
brotli on;
@ -1,2 +0,0 @@
include snip.d/http-gunzip.modconf;
gunzip on;
@ -1 +0,0 @@
gunzip_buffers 16 16k;
@ -1,2 +0,0 @@
include snip.d/gzip/*.conf;
gzip on;
@ -1,2 +0,0 @@
include snip.d/zstd/*.conf;
zstd on;
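--- a/angie/snip.dist/internal-area
+++ b/angie/snip.dist/internal-area
@@ -0,0 +1,5 @@
+## always sourced by snip.d/deny-dotfiles
+
+access_log off;
+log_not_found off;
+internal;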
@ -1 +0,0 @@
include snip.d/gzip/vary.conf;
@ -1,8 +0,0 @@
|
||||
{%- set mime_types = ( j2cfg.compress_types or [] )|any_to_str_list|uniq_str_list -%}
|
||||
{%- if mime_types %}
|
||||
zstd_types
|
||||
{%- for t in mime_types %}
|
||||
{{ t }}
|
||||
{%- endfor %}
|
||||
;
|
||||
{%- endif %}
|
@ -82,7 +82,7 @@ untemplate_path() {
|
||||
"${volume_root}"/* | /etc/angie/run/* )
|
||||
strip_suffix "$1" "$2"
|
||||
;;
|
||||
/etc/angie/conf.d/* | /etc/angie/j2cfg.d/* | /etc/angie/mod.d/* | /etc/angie/modules.d/* | /etc/angie/site.d/* | /etc/angie/snip.d/* )
|
||||
/etc/angie/autoconf.d/* | /etc/angie/conf.d/* | /etc/angie/j2cfg.d/* | /etc/angie/mod.d/* | /etc/angie/modules.d/* | /etc/angie/site.d/* | /etc/angie/snip.d/* )
|
||||
strip_suffix "$1" "$2"
|
||||
;;
|
||||
/etc/angie/static.d/* )
|
||||
@ -212,6 +212,10 @@ remap_path() {
|
||||
[ -n "$1" ] || return
|
||||
|
||||
case "$1" in
|
||||
## autoconf
|
||||
/etc/angie/autoconf.dist/* ) echo "${2:-/etc/angie/autoconf.d}${1#/etc/angie/autoconf.dist}" ;;
|
||||
/etc/angie/autoconf/* ) echo "${2:-/etc/angie/autoconf.d}${1#/etc/angie/autoconf}" ;;
|
||||
/angie/autoconf/* ) echo "${2:-/etc/angie/autoconf.d}${1#/angie/autoconf}" ;;
|
||||
## conf
|
||||
/etc/angie/conf.dist/* ) echo "${2:-/etc/angie/conf.d}${1#/etc/angie/conf.dist}" ;;
|
||||
/etc/angie/conf/* ) echo "${2:-/etc/angie/conf.d}${1#/etc/angie/conf}" ;;
|
||||
@ -277,6 +281,14 @@ is_builtin_module() {
|
||||
grep -Fxq -e "$2" "/etc/angie/builtin.$1" || return 1
|
||||
}
|
||||
|
||||
normalize_list() {
|
||||
[ -n "$1" ] || return 0
|
||||
|
||||
printf '%s' "$1" \
|
||||
| tr -s '[:space:]' ' ' \
|
||||
| sed -zE 's/^ //;s/ $//'
|
||||
}
|
||||
|
||||
sort_dedup_list() {
|
||||
[ -n "$1" ] || return 0
|
||||
|
||||
|
@ -19,7 +19,7 @@ if [ "${NGX_HTTP}${NGX_MAIL}${NGX_STREAM}" = '000' ] ; then
|
||||
fi
|
||||
|
||||
unset default_dirs_merge default_dirs_link
|
||||
default_dirs_merge='conf j2cfg mod modules site snip'
|
||||
default_dirs_merge='autoconf conf j2cfg mod modules site snip'
|
||||
default_dirs_link=''
|
||||
|
||||
if [ "${NGX_PROCESS_STATIC}" = 1 ] ; then
|
||||
@ -34,3 +34,23 @@ NGX_DIRS_LINK=$(sort_dedup_list "${default_dirs_link} ${NGX_DIRS_LINK:-}")
|
||||
set +a
|
||||
|
||||
unset default_dirs_merge default_dirs_link
|
||||
|
||||
unset i dirs_link
|
||||
dirs_link=
|
||||
for i in ${NGX_DIRS_LINK:-} ; do
|
||||
[ -n "$i" ] || continue
|
||||
|
||||
## naive deduplication
|
||||
case " ${NGX_DIRS_MERGE} " in
|
||||
*" $i "* )
|
||||
log "$i is already specified in NGX_DIRS_MERGE - removing from NGX_DIRS_LINK"
|
||||
continue
|
||||
;;
|
||||
esac
|
||||
|
||||
dirs_link="${dirs_link}${dirs_link:+ }$i"
|
||||
done
|
||||
unset i
|
||||
|
||||
export NGX_DIRS_LINK="${dirs_link}"
|
||||
unset dirs_link
|
||||
|
@ -3,7 +3,7 @@
|
||||
set -a
|
||||
|
||||
NGX_CORE_MODULES="${NGX_CORE_MODULES:-}"
|
||||
NGX_CORE_EVENTS_SNIPPETS="${NGX_CORE_EVENTS_SNIPPETS:-}"
|
||||
NGX_CORE_SNIPPETS="${NGX_CORE_SNIPPETS:-}"
|
||||
NGX_CORE_CONFLOAD="${NGX_CORE_CONFLOAD:-}"
|
||||
NGX_CORE_EVENTS_CONFLOAD="${NGX_CORE_EVENTS_CONFLOAD:-}"
|
||||
|
||||
set +a
|
||||
|
@ -1,17 +1,24 @@
|
||||
#!/bin/sh
|
||||
|
||||
unset core_modules core_snippets
|
||||
unset core_modules core_confload
|
||||
core_modules=
|
||||
core_snippets="${NGX_CORE_SNIPPETS:-}"
|
||||
core_confload="${NGX_CORE_CONFLOAD:-}"
|
||||
|
||||
## filter out builtin core modules
|
||||
unset i
|
||||
for i in ${NGX_CORE_MODULES:-} ; do
|
||||
[ -n "$i" ] || continue
|
||||
|
||||
case "$i" in
|
||||
*/* | *\** | *\?* )
|
||||
log_always "module '$i' is not legal, skipping"
|
||||
continue
|
||||
;;
|
||||
esac
|
||||
|
||||
if is_builtin_module core "$i" ; then
|
||||
log "$i is builtin module, moving to snippets"
|
||||
core_snippets="${core_snippets} $i"
|
||||
log "$i is builtin module, moving to NGX_CORE_CONFLOAD"
|
||||
core_confload="${core_confload} $i"
|
||||
continue
|
||||
fi
|
||||
|
||||
@ -29,8 +36,8 @@ unset i
|
||||
|
||||
set -a
|
||||
NGX_CORE_MODULES="${core_modules}"
|
||||
NGX_CORE_SNIPPETS=$(sort_dedup_list "${core_snippets}")
|
||||
NGX_CORE_EVENTS_SNIPPETS=$(sort_dedup_list "${NGX_CORE_EVENTS_SNIPPETS}")
|
||||
NGX_CORE_CONFLOAD=$(sort_dedup_list "${core_confload}")
|
||||
NGX_CORE_EVENTS_CONFLOAD=$(sort_dedup_list "${NGX_CORE_EVENTS_CONFLOAD}")
|
||||
set +a
|
||||
|
||||
unset core_modules core_snippets
|
||||
unset core_modules core_confload
|
||||
|
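Review bot: The new legality check `*/* | *\** | *\?* )` rejects path separators and two glob metacharacters but not `[`/`]`, which are glob metacharacters as well, so a module name like `http_[a-z]*`-style input is only half-filtered if it is later used unquoted as a pattern or path component. An allowlist is both safer and shorter: `*[!A-Za-z0-9_-]* ) log_always "module '$i' is not legal, skipping" ; continue ;;` (extend the class with `.` if module names legitimately contain it). The loop body continues past this hunk, so whether `$i` is later used unquoted cannot be confirmed from here.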
@ -1,146 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
unset _NGX_WORKER_PROCESSES _NGX_WORKER_PRIORITY _NGX_WORKER_RLIMIT_NOFILE _NGX_WORKER_CONNECTIONS
|
||||
## here should be SANE defaults (!)
|
||||
_NGX_WORKER_PROCESSES=2
|
||||
_NGX_WORKER_PRIORITY=0
|
||||
_NGX_WORKER_RLIMIT_NOFILE=16384
|
||||
_NGX_WORKER_CONNECTIONS=4096
|
||||
|
||||
[ -n "${NGX_WORKER_PROCESSES:-}" ] || NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}
|
||||
case "${NGX_WORKER_PROCESSES}" in
|
||||
"${_NGX_WORKER_PROCESSES}" ) ;;
|
||||
## allow values within [1;999]
|
||||
[1-9] | [1-9][0-9] | [1-9][0-9][0-9] ) ;;
|
||||
[Aa][Uu][Tt][Oo] )
|
||||
## adjust
|
||||
NGX_WORKER_PROCESSES=auto
|
||||
log_always "NGX_WORKER_PROCESSES: \"auto\" isn't supported by container yet"
|
||||
log_always "offloading decision to Angie (this could be a problem!)"
|
||||
;;
|
||||
0 )
|
||||
log_always "NGX_WORKER_PROCESSES: \"0\" isn't supported by container yet"
|
||||
log_always "setting NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}"
|
||||
NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}
|
||||
;;
|
||||
* )
|
||||
log_always "NGX_WORKER_PROCESSES: unrecognized value: ${NGX_WORKER_PROCESSES}"
|
||||
log_always "setting NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}"
|
||||
NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}
|
||||
;;
|
||||
esac
|
||||
|
||||
[ -n "${NGX_WORKER_PRIORITY:-}" ] || NGX_WORKER_PRIORITY=${_NGX_WORKER_PRIORITY}
|
||||
case "${NGX_WORKER_PRIORITY}" in
|
||||
"${_NGX_WORKER_PRIORITY}" ) ;;
|
||||
-[1-9] | -1[0-9] | -20 ) ;;
|
||||
[0-9] | 1[0-9] | 20 ) ;;
|
||||
-0 )
|
||||
log_always "NGX_WORKER_PRIORITY: likely an error: '-0'"
|
||||
log_always "adjusting NGX_WORKER_PRIORITY=0"
|
||||
NGX_WORKER_PRIORITY=0
|
||||
;;
|
||||
* )
|
||||
log_always "NGX_WORKER_PRIORITY: unrecognized value: ${NGX_WORKER_PRIORITY}"
|
||||
log_always "setting NGX_WORKER_PRIORITY=${_NGX_WORKER_PRIORITY}"
|
||||
NGX_WORKER_PRIORITY=${_NGX_WORKER_PRIORITY}
|
||||
;;
|
||||
esac
|
||||
|
||||
[ -n "${NGX_WORKER_RLIMIT_NOFILE:-}" ] || NGX_WORKER_RLIMIT_NOFILE=${_NGX_WORKER_RLIMIT_NOFILE}
|
||||
case "${NGX_WORKER_RLIMIT_NOFILE}" in
|
||||
"${_NGX_WORKER_RLIMIT_NOFILE}" ) ;;
|
||||
[0-9] | [1-9][0-9] )
|
||||
log_always "NGX_WORKER_RLIMIT_NOFILE: too low: ${NGX_WORKER_RLIMIT_NOFILE}"
|
||||
log_always "setting NGX_WORKER_RLIMIT_NOFILE=${_NGX_WORKER_RLIMIT_NOFILE}"
|
||||
NGX_WORKER_RLIMIT_NOFILE=${_NGX_WORKER_RLIMIT_NOFILE}
|
||||
;;
|
||||
## allow values within [100;9999999]
|
||||
[1-9][0-9][0-9] ) ;;
|
||||
[1-9][0-9][0-9][0-9] ) ;;
|
||||
[1-9][0-9][0-9][0-9][0-9] ) ;;
|
||||
[1-9][0-9][0-9][0-9][0-9][0-9] ) ;;
|
||||
[1-9][0-9][0-9][0-9][0-9][0-9][0-9] ) ;;
|
||||
* )
|
||||
log_always "NGX_WORKER_RLIMIT_NOFILE: unrecognized value: ${NGX_WORKER_RLIMIT_NOFILE}"
|
||||
log_always "setting NGX_WORKER_RLIMIT_NOFILE=${_NGX_WORKER_RLIMIT_NOFILE}"
|
||||
NGX_WORKER_RLIMIT_NOFILE=${_NGX_WORKER_RLIMIT_NOFILE}
|
||||
;;
|
||||
esac
|
||||
|
||||
[ -n "${NGX_WORKER_CONNECTIONS:-}" ] || NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}
|
||||
case "${NGX_WORKER_CONNECTIONS}" in
|
||||
"${_NGX_WORKER_CONNECTIONS}" ) ;;
|
||||
[0-9] | [1-9][0-9] )
|
||||
log_always "NGX_WORKER_CONNECTIONS: too low: ${NGX_WORKER_CONNECTIONS}"
|
||||
log_always "setting NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}"
|
||||
NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}
|
||||
;;
|
||||
## allow values within [100;9999999]
|
||||
[1-9][0-9][0-9] ) ;;
|
||||
[1-9][0-9][0-9][0-9] ) ;;
|
||||
[1-9][0-9][0-9][0-9][0-9] ) ;;
|
||||
[1-9][0-9][0-9][0-9][0-9][0-9] ) ;;
|
||||
[1-9][0-9][0-9][0-9][0-9][0-9][0-9] ) ;;
|
||||
* )
|
||||
log_always "NGX_WORKER_CONNECTIONS: unrecognized value: ${NGX_WORKER_CONNECTIONS}"
|
||||
log_always "setting NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}"
|
||||
NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}
|
||||
;;
|
||||
esac
|
||||
|
||||
nofile_soft=$(ulimit -Sn)
|
||||
nofile_hard=$(ulimit -Hn)
|
||||
|
||||
if [ "${nofile_hard}" = unlimited ] ; then
|
||||
## minor hack (if applicable) :)
|
||||
nofile_hard=$((NGX_WORKER_RLIMIT_NOFILE * 2))
|
||||
fi
|
||||
|
||||
nofile_ok=0
|
||||
while : ; do
|
||||
[ ${nofile_hard} -ge ${NGX_WORKER_RLIMIT_NOFILE} ] || break
|
||||
[ ${nofile_soft} -ge ${NGX_WORKER_RLIMIT_NOFILE} ] || break
|
||||
|
||||
nofile_ok=1
|
||||
break ; done
|
||||
|
||||
if [ ${nofile_ok} = 0 ] ; then
|
||||
log_always "adjusting 'nofile' limits"
|
||||
|
||||
log_always "Limits before:"
|
||||
sed -En '1p;/open files/p' < /proc/$$/limits >&2
|
||||
|
||||
if [ ${nofile_hard} -lt ${NGX_WORKER_RLIMIT_NOFILE} ] ; then
|
||||
ulimit -Hn "${NGX_WORKER_RLIMIT_NOFILE}"
|
||||
nofile_hard=$(ulimit -Hn)
|
||||
fi
|
||||
if [ ${nofile_hard} -lt ${NGX_WORKER_RLIMIT_NOFILE} ] ; then
|
||||
log_always "lowering NGX_WORKER_RLIMIT_NOFILE to ${nofile_hard} due to hard limit"
|
||||
NGX_WORKER_RLIMIT_NOFILE=${nofile_hard}
|
||||
fi
|
||||
|
||||
if [ ${nofile_soft} -lt ${NGX_WORKER_RLIMIT_NOFILE} ] ; then
|
||||
ulimit -Sn "${NGX_WORKER_RLIMIT_NOFILE}"
|
||||
fi
|
||||
|
||||
log_always "Limits after:"
|
||||
sed -En '1p;/open files/p' < /proc/$$/limits >&2
|
||||
fi
|
||||
unset nofile_soft nofile_hard nofile_ok
|
||||
|
||||
export NGX_WORKER_PROCESSES NGX_WORKER_PRIORITY NGX_WORKER_RLIMIT_NOFILE NGX_WORKER_CONNECTIONS
|
||||
|
||||
unset _NGX_WORKER_PROCESSES _NGX_WORKER_PRIORITY _NGX_WORKER_RLIMIT_NOFILE _NGX_WORKER_CONNECTIONS
|
||||
|
||||
if [ ${NGX_WORKER_RLIMIT_NOFILE} -lt ${NGX_WORKER_CONNECTIONS} ] ; then
|
||||
log_always "WARNING: NGX_WORKER_RLIMIT_NOFILE is less than NGX_WORKER_CONNECTIONS (${NGX_WORKER_RLIMIT_NOFILE} < ${NGX_WORKER_CONNECTIONS})"
|
||||
else
|
||||
ratio=$(mawk -v "a=${NGX_WORKER_RLIMIT_NOFILE}" -v "b=${NGX_WORKER_CONNECTIONS}" 'BEGIN{print a/b;exit;}' </dev/null)
|
||||
case "${ratio}" in
|
||||
1 | 1.* )
|
||||
log_always "WARNING: \"NGX_WORKER_RLIMIT_NOFILE/NGX_WORKER_CONNECTIONS\" ratio is too low (=${ratio})"
|
||||
;;
|
||||
esac
|
||||
unset ratio
|
||||
fi
|
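--- /dev/null
+++ b/image-entry.d/13-core-worker.envsh
@@ -0,0 +1,195 @@
+#!/bin/sh
+
+unset _NGX_WORKER_PROCESSES _NGX_WORKER_PRIORITY _NGX_WORKER_RLIMIT_NOFILE _NGX_WORKER_CONNECTIONS _NGX_WORKER_AIO_REQUESTS
+## here should be SANE defaults (!)
+_NGX_WORKER_PROCESSES=2
+_NGX_WORKER_PRIORITY=0
+_NGX_WORKER_RLIMIT_NOFILE=16384
+_NGX_WORKER_CONNECTIONS=4096
+_NGX_WORKER_AIO_REQUESTS=64
+
+[ -n "${NGX_WORKER_PROCESSES:-}" ] || NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}
+case "${NGX_WORKER_PROCESSES}" in
+## allow values within [1;999]
+[1-9] | [1-9][0-9] | [1-9][0-9][0-9] ) ;;
+[Aa][Uu][Tt][Oo] )
+## adjust
+NGX_WORKER_PROCESSES=auto
+log_always "NGX_WORKER_PROCESSES: \"auto\" isn't supported by container yet"
+log_always "offloading decision to Angie (this could be a problem!)"
+;;
+0 )
+log_always "NGX_WORKER_PROCESSES: \"0\" isn't supported by container yet"
+log_always "setting NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}"
+NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}
+;;
+* )
+log_always "NGX_WORKER_PROCESSES: unrecognized value: ${NGX_WORKER_PROCESSES}"
+log_always "setting NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}"
+NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}
+;;
+esac
+export NGX_WORKER_PROCESSES
+
+if [ -z "${NGX_WORKER_CPU_AFFINITY:-}" ] ; then
+unset NGX_WORKER_CPU_AFFINITY
+else
+## offload handling to Angie
+set -a
+NGX_WORKER_CPU_AFFINITY=$(normalize_list "${NGX_WORKER_CPU_AFFINITY}")
+set +a
+fi
+
+[ -n "${NGX_WORKER_CONNECTIONS:-}" ] || NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}
+case "${NGX_WORKER_CONNECTIONS}" in
+[0-9] | [1-9][0-9] )
+log_always "NGX_WORKER_CONNECTIONS: too low: ${NGX_WORKER_CONNECTIONS}"
+log_always "setting NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}"
+NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}
+;;
+## allow values within [100;9999999]
+[1-9][0-9][0-9] ) ;;
+[1-9][0-9][0-9][0-9] ) ;;
+[1-9][0-9][0-9][0-9][0-9] ) ;;
+[1-9][0-9][0-9][0-9][0-9][0-9] ) ;;
+[1-9][0-9][0-9][0-9][0-9][0-9][0-9] ) ;;
+* )
+log_always "NGX_WORKER_CONNECTIONS: unrecognized value: ${NGX_WORKER_CONNECTIONS}"
+log_always "setting NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}"
+NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}
+;;
+esac
+export NGX_WORKER_CONNECTIONS
+
+if [ -z "${NGX_WORKER_PRIORITY:-}" ] ; then
+unset NGX_WORKER_PRIORITY
+else
+case "${NGX_WORKER_PRIORITY}" in
+-[1-9] | -1[0-9] | -20 ) ;;
+[0-9] | 1[0-9] | 20 ) ;;
+-0 )
+log_always "NGX_WORKER_PRIORITY: likely an error: '-0'"
+log_always "adjusting NGX_WORKER_PRIORITY=0"
+NGX_WORKER_PRIORITY=0
+;;
+* )
+log_always "NGX_WORKER_PRIORITY: unrecognized value: ${NGX_WORKER_PRIORITY}"
+log_always "setting NGX_WORKER_PRIORITY=${_NGX_WORKER_PRIORITY}"
+NGX_WORKER_PRIORITY=${_NGX_WORKER_PRIORITY}
+;;
+esac
+export NGX_WORKER_PRIORITY
+fi
+
+if [ -z "${NGX_WORKER_RLIMIT_NOFILE:-}" ] ; then
+unset NGX_WORKER_RLIMIT_NOFILE
+else
+case "${NGX_WORKER_RLIMIT_NOFILE}" in
+[0-9] | [1-9][0-9] )
+log_always "NGX_WORKER_RLIMIT_NOFILE: too low: ${NGX_WORKER_RLIMIT_NOFILE}"
+log_always "setting NGX_WORKER_RLIMIT_NOFILE=${_NGX_WORKER_RLIMIT_NOFILE}"
+NGX_WORKER_RLIMIT_NOFILE=${_NGX_WORKER_RLIMIT_NOFILE}
+;;
+## allow values within [100;9999999]
+[1-9][0-9][0-9] ) ;;
+[1-9][0-9][0-9][0-9] ) ;;
+[1-9][0-9][0-9][0-9][0-9] ) ;;
+[1-9][0-9][0-9][0-9][0-9][0-9] ) ;;
+[1-9][0-9][0-9][0-9][0-9][0-9][0-9] ) ;;
+* )
+log_always "NGX_WORKER_RLIMIT_NOFILE: unrecognized value: ${NGX_WORKER_RLIMIT_NOFILE}"
+log_always "setting NGX_WORKER_RLIMIT_NOFILE=${_NGX_WORKER_RLIMIT_NOFILE}"
+NGX_WORKER_RLIMIT_NOFILE=${_NGX_WORKER_RLIMIT_NOFILE}
+;;
+esac
+export NGX_WORKER_RLIMIT_NOFILE
+fi
+
+if [ -z "${NGX_WORKER_AIO_REQUESTS:-}" ] ; then
+unset NGX_WORKER_AIO_REQUESTS
+else
+case "${NGX_WORKER_AIO_REQUESTS}" in
+[0-9] )
+log_always "NGX_WORKER_AIO_REQUESTS: too low: ${NGX_WORKER_AIO_REQUESTS}"
+log_always "setting NGX_WORKER_AIO_REQUESTS=${_NGX_WORKER_AIO_REQUESTS}"
+NGX_WORKER_AIO_REQUESTS=${_NGX_WORKER_AIO_REQUESTS}
+;;
+## allow values within [10;99999]
+[1-9][0-9] ) ;;
+[1-9][0-9][0-9] ) ;;
+[1-9][0-9][0-9][0-9] ) ;;
+[1-9][0-9][0-9][0-9][0-9] ) ;;
+* )
+log_always "NGX_WORKER_AIO_REQUESTS: unrecognized value: ${NGX_WORKER_AIO_REQUESTS}"
+log_always "setting NGX_WORKER_AIO_REQUESTS=${_NGX_WORKER_AIO_REQUESTS}"
+NGX_WORKER_AIO_REQUESTS=${_NGX_WORKER_AIO_REQUESTS}
+;;
+esac
+export NGX_WORKER_AIO_REQUESTS
+fi
+
+if [ -n "${NGX_WORKER_RLIMIT_NOFILE:-}" ] ; then
+nofile_soft=$(ulimit -Sn)
+nofile_hard=$(ulimit -Hn)
+
+if [ "${nofile_hard}" = unlimited ] ; then
+## minor hack (if applicable) :)
+nofile_hard=$((NGX_WORKER_RLIMIT_NOFILE + 1))
+fi
+
+nofile_ok=0
+while : ; do
+[ ${nofile_hard} -ge ${NGX_WORKER_RLIMIT_NOFILE} ] || break
+[ ${nofile_soft} -ge ${NGX_WORKER_RLIMIT_NOFILE} ] || break
+
+nofile_ok=1
+break ; done
+
+if [ ${nofile_ok} = 0 ] ; then
+log_always "adjusting 'nofile' limits"
+
+log_always "Limits before:"
+sed -En '1p;/open files/p' < /proc/$$/limits >&2
+
+if [ ${nofile_hard} -lt ${NGX_WORKER_RLIMIT_NOFILE} ] ; then
+ulimit -Hn "${NGX_WORKER_RLIMIT_NOFILE}"
+nofile_hard=$(ulimit -Hn)
+fi
+if [ ${nofile_hard} -lt ${NGX_WORKER_RLIMIT_NOFILE} ] ; then
+log_always "lowering NGX_WORKER_RLIMIT_NOFILE to ${nofile_hard} due to hard limit"
+NGX_WORKER_RLIMIT_NOFILE=${nofile_hard}
+fi
+
+if [ ${nofile_soft} -lt ${NGX_WORKER_RLIMIT_NOFILE} ] ; then
+ulimit -Sn "${NGX_WORKER_RLIMIT_NOFILE}"
+fi
+
+log_always "Limits after:"
+sed -En '1p;/open files/p' < /proc/$$/limits >&2
+fi
+unset nofile_soft nofile_hard nofile_ok
+
+export NGX_WORKER_RLIMIT_NOFILE
+fi
+
+if [ -z "${NGX_WORKER_RLIMIT_NOFILE:-}" ] ; then
+nofile_limit=$(ulimit -Hn)
+nofile_kind="'ulimit:nofile'"
+else
+nofile_limit=${NGX_WORKER_RLIMIT_NOFILE}
+nofile_kind='NGX_WORKER_RLIMIT_NOFILE'
+fi
+if [ ${nofile_limit} -lt ${NGX_WORKER_CONNECTIONS} ] ; then
+log_always "WARNING: ${nofile_kind} is less than NGX_WORKER_CONNECTIONS (${nofile_limit} < ${NGX_WORKER_CONNECTIONS})"
+else
+ratio=$(mawk -v "a=${nofile_limit}" -v "b=${NGX_WORKER_CONNECTIONS}" 'BEGIN{print a/b;exit;}' </dev/null)
+case "${ratio}" in
+1 | 1.* )
+log_always "WARNING: \"${nofile_kind}/NGX_WORKER_CONNECTIONS\" ratio is too low (=${ratio})"
+;;
+esac
+unset ratio
+fi
+unset nofile_limit nofile_kind
+
+unset _NGX_WORKER_PROCESSES _NGX_WORKER_PRIORITY _NGX_WORKER_RLIMIT_NOFILE _NGX_WORKER_CONNECTIONS _NGX_WORKER_AIO_REQUESTS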
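Review bot: The nofile handling only special-cases a hard limit of `unlimited`; the soft value read by `ulimit -Sn`, and the `ulimit -Hn` value stored in `nofile_limit` in the final block, can be `unlimited` too, and `[ unlimited -ge N ]` then fails with an "integer expression expected" error, so the `|| break` fires, `nofile_ok` stays 0 and a spurious "adjusting 'nofile' limits" pass with its before/after dumps runs without changing anything. Normalize the soft value right after the existing hack, `[ "${nofile_soft}" = unlimited ] && nofile_soft=${nofile_hard}`, and guard the last comparison with `[ "${nofile_limit}" != unlimited ] &&` so the mawk ratio (which treats a non-numeric `a` as 0 and silently prints 0) is not computed for it. Validating every numeric value with a `case` pattern before it reaches `$(( ))` and `ulimit` is a sound guard against shell syntax arriving through the environment; NGX_WORKER_CPU_AFFINITY is the one value forwarded unvalidated via `normalize_list`, which is only acceptable if Angie rejects a malformed mask itself, so a comment such as `## not validated here: Angie parses/rejects the mask` next to the "offload handling to Angie" line would make that assumption explicit.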
@ -1,10 +1,17 @@
|
||||
#!/bin/sh
|
||||
|
||||
if [ "${NGX_HTTP}" = 0 ] ; then
|
||||
unset NGX_HTTP_MODULES NGX_HTTP_SNIPPETS
|
||||
unset NGX_HTTP_MODULES NGX_HTTP_CONFLOAD NGX_HTTP_CACHES NGX_HTTP_WEBROOT
|
||||
else
|
||||
unset default_caches
|
||||
default_caches='client_temp fastcgi_temp proxy_temp scgi_temp uwsgi_temp'
|
||||
|
||||
set -a
|
||||
NGX_HTTP_MODULES="${NGX_HTTP_MODULES:-}"
|
||||
NGX_HTTP_SNIPPETS="${NGX_HTTP_SNIPPETS:-}"
|
||||
NGX_HTTP_CONFLOAD="${NGX_HTTP_CONFLOAD:-}"
|
||||
NGX_HTTP_CACHES=$(sort_dedup_list "${default_caches} ${NGX_HTTP_CACHES:-}")
|
||||
NGX_HTTP_WEBROOT="${NGX_HTTP_WEBROOT:-/etc/angie/static.d}"
|
||||
set +a
|
||||
|
||||
unset default_caches
|
||||
fi
|
||||
|
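Review bot: `NGX_HTTP_CACHES` is built with `sort_dedup_list` from the environment without any check on the entries, whereas module names in the HTTP, mail and stream module filters further down in this diff are rejected when they contain `/`, `*` or `?`. The default list `client_temp fastcgi_temp proxy_temp scgi_temp uwsgi_temp` suggests these become directory names (the consumer is outside this diff), in which case a user-supplied entry containing a path separator would not be confined to the cache directory and the same `case` guard should be applied here before the merge. `NGX_HTTP_WEBROOT` is likewise exported as given; if that is intended as trusted operator configuration, a short comment saying so, e.g. `## trusted input: operator-supplied path, not sanitized`, would keep the two cases from being read as an oversight.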
@ -1,9 +1,9 @@
|
||||
#!/bin/sh
|
||||
|
||||
if [ "${NGX_HTTP}" = 1 ] ; then
|
||||
unset http_modules http_snippets
|
||||
unset http_modules http_confload
|
||||
http_modules=
|
||||
http_snippets="${NGX_HTTP_SNIPPETS:-}"
|
||||
http_confload="${NGX_HTTP_CONFLOAD:-}"
|
||||
|
||||
if [ -n "${NGX_HTTP_MODULES}" ] ; then
|
||||
## angie-module-lua: depends on angie-module-ndk
|
||||
@ -19,9 +19,16 @@ if [ "${NGX_HTTP}" = 1 ] ; then
|
||||
for i in ${NGX_HTTP_MODULES:-} ; do
|
||||
[ -n "$i" ] || continue
|
||||
|
||||
case "$i" in
|
||||
*/* | *\** | *\?* )
|
||||
log_always "module '$i' is not legal, skipping"
|
||||
continue
|
||||
;;
|
||||
esac
|
||||
|
||||
if is_builtin_module http "$i" ; then
|
||||
log "$i is builtin module, moving to snippets"
|
||||
http_snippets="${http_snippets} $i"
|
||||
log "$i is builtin module, moving to NGX_HTTP_CONFLOAD"
|
||||
http_confload="${http_confload} $i"
|
||||
continue
|
||||
fi
|
||||
|
||||
@ -39,8 +46,33 @@ if [ "${NGX_HTTP}" = 1 ] ; then
|
||||
|
||||
set -a
|
||||
NGX_HTTP_MODULES="${http_modules}"
|
||||
NGX_HTTP_SNIPPETS=$(sort_dedup_list "${http_snippets}")
|
||||
NGX_HTTP_CONFLOAD=$(sort_dedup_list "${http_confload}")
|
||||
set +a
|
||||
|
||||
unset http_modules http_snippets
|
||||
unset http_modules http_confload
|
||||
|
||||
## quirk: angie-module-modsecurity
|
||||
unset NGX_HTTP_WITH_MODSECURITY
|
||||
NGX_HTTP_WITH_MODSECURITY=0
|
||||
while : ; do
|
||||
case " ${NGX_HTTP_MODULES} " in
|
||||
*" modsecurity "* ) ;;
|
||||
* ) break ;;
|
||||
esac
|
||||
|
||||
for d in /angie/modules /etc/angie/modules /etc/angie/modules.dist ; do
|
||||
[ -d "$d" ] || continue
|
||||
if [ -f "$d/ngx_http_modsecurity_module.so" ] ; then
|
||||
NGX_HTTP_WITH_MODSECURITY=1
|
||||
break
|
||||
fi
|
||||
done ; unset d
|
||||
break ; done
|
||||
export NGX_HTTP_WITH_MODSECURITY
|
||||
|
||||
if [ "${NGX_HTTP_WITH_MODSECURITY}" = 1 ] ; then
|
||||
set -a
|
||||
NGX_DIRS_MERGE=$(sort_dedup_list "${NGX_DIRS_MERGE} modsecurity")
|
||||
set +a
|
||||
fi
|
||||
fi
|
||||
|
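Review bot: The new legality arm `*/* | *\** | *\?* )` in the module loop rejects `/`, `*` and `?` but not `[`, which is also a glob metacharacter in sh, so a name such as `[a-z]` still passes if the purpose of the check is to stop module names from being expanded or used as patterns; extend it to `*/* | *\** | *\?* | *\[* )`. The identical arm appears in the mail and stream module filters further down in this diff and should be changed in step. In the modsecurity block, when `modsecurity` is listed in `NGX_HTTP_MODULES` but `ngx_http_modsecurity_module.so` is found in none of the three directories, `NGX_HTTP_WITH_MODSECURITY` stays 0 with no message, which is a silent downgrade of a security module; adding `[ "${NGX_HTTP_WITH_MODSECURITY}" = 1 ] || log_always "modsecurity listed in NGX_HTTP_MODULES but ngx_http_modsecurity_module.so was not found"` before the final `break ; done` would make it visible in the container log.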
@ -7,22 +7,24 @@ else
|
||||
## here should be SANE defaults (!)
|
||||
_NGX_HTTP_MAX_RANGES=16
|
||||
|
||||
[ -n "${NGX_HTTP_MAX_RANGES:-}" ] || NGX_HTTP_MAX_RANGES=${_NGX_HTTP_MAX_RANGES}
|
||||
case "${NGX_HTTP_MAX_RANGES}" in
|
||||
"${_NGX_HTTP_MAX_RANGES}" ) ;;
|
||||
## allow values within [1;999]
|
||||
[1-9] | [1-9][0-9] | [1-9][0-9][0-9] ) ;;
|
||||
0 )
|
||||
log_always "HTTP: Range/If-Range/Accept-Ranges support is disabled by NGX_HTTP_MAX_RANGES=0"
|
||||
;;
|
||||
* )
|
||||
log_always "NGX_HTTP_MAX_RANGES: unrecognized value: ${NGX_HTTP_MAX_RANGES}"
|
||||
log_always "setting NGX_HTTP_MAX_RANGES=${_NGX_HTTP_MAX_RANGES}"
|
||||
NGX_HTTP_MAX_RANGES=${_NGX_HTTP_MAX_RANGES}
|
||||
;;
|
||||
esac
|
||||
if [ -z "${NGX_HTTP_MAX_RANGES:-}" ] ; then
|
||||
unset NGX_HTTP_MAX_RANGES
|
||||
else
|
||||
case "${NGX_HTTP_MAX_RANGES}" in
|
||||
## allow values within [1;999]
|
||||
[1-9] | [1-9][0-9] | [1-9][0-9][0-9] ) ;;
|
||||
0 )
|
||||
log_always "HTTP: Range/If-Range/Accept-Ranges support is disabled by NGX_HTTP_MAX_RANGES=0"
|
||||
;;
|
||||
* )
|
||||
log_always "NGX_HTTP_MAX_RANGES: unrecognized value: ${NGX_HTTP_MAX_RANGES}"
|
||||
log_always "setting NGX_HTTP_MAX_RANGES=${_NGX_HTTP_MAX_RANGES}"
|
||||
NGX_HTTP_MAX_RANGES=${_NGX_HTTP_MAX_RANGES}
|
||||
;;
|
||||
esac
|
||||
|
||||
export NGX_HTTP_MAX_RANGES
|
||||
export NGX_HTTP_MAX_RANGES
|
||||
fi
|
||||
|
||||
unset _NGX_HTTP_MAX_RANGES
|
||||
fi
|
||||
|
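Review bot: As far as the old/new sides can be read from the rendered page, `_NGX_HTTP_MAX_RANGES=16` is no longer applied when `NGX_HTTP_MAX_RANGES` is unset or empty — the new branch simply unsets the variable — yet the retained `## here should be SANE defaults (!)` comment above still reads as if 16 were the exported default. Replace it with something like `## fallback used only when NGX_HTTP_MAX_RANGES holds an unrecognized value; an unset variable is left to the template/Angie default`, so the next reader does not expect 16 to be exported. The enclosing `if`/`else` this hunk sits in starts outside the hunk. Presumably the same "empty means unset" convention in `13-core-worker.envsh` for PRIORITY, RLIMIT_NOFILE and AIO_REQUESTS is intentional while PROCESSES and CONNECTIONS keep a hard default, but that split deserves one sentence of explanation in either file.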
@ -1,10 +1,10 @@
|
||||
#!/bin/sh
|
||||
|
||||
if [ "${NGX_MAIL}" = 0 ] ; then
|
||||
unset NGX_MAIL_MODULES NGX_MAIL_SNIPPETS
|
||||
unset NGX_MAIL_MODULES NGX_MAIL_CONFLOAD
|
||||
else
|
||||
set -a
|
||||
NGX_MAIL_MODULES="${NGX_MAIL_MODULES:-}"
|
||||
NGX_MAIL_SNIPPETS="${NGX_MAIL_SNIPPETS:-}"
|
||||
NGX_MAIL_CONFLOAD="${NGX_MAIL_CONFLOAD:-}"
|
||||
set +a
|
||||
fi
|
||||
|
@ -1,18 +1,25 @@
|
||||
#!/bin/sh
|
||||
|
||||
if [ "${NGX_MAIL}" = 1 ] ; then
|
||||
unset mail_modules mail_snippets
|
||||
unset mail_modules mail_confload
|
||||
mail_modules=
|
||||
mail_snippets="${NGX_MAIL_SNIPPETS:-}"
|
||||
mail_confload="${NGX_MAIL_CONFLOAD:-}"
|
||||
|
||||
## filter out builtin mail modules
|
||||
unset i
|
||||
for i in ${NGX_MAIL_MODULES:-} ; do
|
||||
[ -n "$i" ] || continue
|
||||
|
||||
case "$i" in
|
||||
*/* | *\** | *\?* )
|
||||
log_always "module '$i' is not legal, skipping"
|
||||
continue
|
||||
;;
|
||||
esac
|
||||
|
||||
if is_builtin_module mail "$i" ; then
|
||||
log "$i is builtin module, moving to snippets"
|
||||
mail_snippets="${mail_snippets} $i"
|
||||
log "$i is builtin module, moving to NGX_MAIL_CONFLOAD"
|
||||
mail_confload="${mail_confload} $i"
|
||||
continue
|
||||
fi
|
||||
|
||||
@ -30,8 +37,8 @@ if [ "${NGX_MAIL}" = 1 ] ; then
|
||||
|
||||
set -a
|
||||
NGX_MAIL_MODULES="${mail_modules}"
|
||||
NGX_MAIL_SNIPPETS=$(sort_dedup_list "${mail_snippets}")
|
||||
NGX_MAIL_CONFLOAD=$(sort_dedup_list "${mail_confload}")
|
||||
set +a
|
||||
|
||||
unset mail_modules mail_snippets
|
||||
unset mail_modules mail_confload
|
||||
fi
|
||||
|
@ -1,10 +1,10 @@
|
||||
#!/bin/sh
|
||||
|
||||
if [ "${NGX_STREAM}" = 0 ] ; then
|
||||
unset NGX_STREAM_MODULES NGX_STREAM_SNIPPETS
|
||||
unset NGX_STREAM_MODULES NGX_STREAM_CONFLOAD
|
||||
else
|
||||
set -a
|
||||
NGX_STREAM_MODULES="${NGX_STREAM_MODULES:-}"
|
||||
NGX_STREAM_SNIPPETS="${NGX_STREAM_SNIPPETS:-}"
|
||||
NGX_STREAM_CONFLOAD="${NGX_STREAM_CONFLOAD:-}"
|
||||
set +a
|
||||
fi
|
||||
|
@ -1,18 +1,25 @@
|
||||
#!/bin/sh
|
||||
|
||||
if [ "${NGX_STREAM}" = 1 ] ; then
|
||||
unset stream_modules stream_snippets
|
||||
unset stream_modules stream_confload
|
||||
stream_modules=
|
||||
stream_snippets="${NGX_STREAM_SNIPPETS:-}"
|
||||
stream_confload="${NGX_STREAM_CONFLOAD:-}"
|
||||
|
||||
## filter out builtin stream modules
|
||||
unset i
|
||||
for i in ${NGX_STREAM_MODULES:-} ; do
|
||||
[ -n "$i" ] || continue
|
||||
|
||||
case "$i" in
|
||||
*/* | *\** | *\?* )
|
||||
log_always "module '$i' is not legal, skipping"
|
||||
continue
|
||||
;;
|
||||
esac
|
||||
|
||||
if is_builtin_module stream "$i" ; then
|
||||
log "$i is builtin module, moving to snippets"
|
||||
stream_snippets="${stream_snippets} $i"
|
||||
log "$i is builtin module, moving to NGX_STREAM_CONFLOAD"
|
||||
stream_confload="${stream_confload} $i"
|
||||
continue
|
||||
fi
|
||||
|
||||
@ -30,8 +37,8 @@ if [ "${NGX_STREAM}" = 1 ] ; then
|
||||
|
||||
set -a
|
||||
NGX_STREAM_MODULES="${stream_modules}"
|
||||
NGX_STREAM_SNIPPETS=$(sort_dedup_list "${stream_snippets}")
|
||||
NGX_STREAM_CONFLOAD=$(sort_dedup_list "${stream_confload}")
|
||||
set +a
|
||||
|
||||
unset stream_modules stream_snippets
|
||||
unset stream_modules stream_confload
|
||||
fi
|
||||
|