krd/angie-conv-image
1
0
Fork 0
Code

Compare commits

base: krd:8fac571d2054d6348d860b5d7021b5f31ffb3403
Branches Tags
krd:main
..
compare: krd:3c0a74f206fac7f6ee9c10ef0f199b6077b02c72
Branches Tags
krd:main

No commits in common. "8fac571d2054d6348d860b5d7021b5f31ffb3403" and "3c0a74f206fac7f6ee9c10ef0f199b6077b02c72" have entirely different histories.
8fac571d20 ... 3c0a74f206

114 changed files with 518 additions and 1103 deletions
Show Stats Expand all files Collapse all files

24
Dockerfile
View File

@ -51,7 +51,7 @@ RUN libpython="${PYTHON_SITE_PACKAGES%/*}" ; \
## Python cache warmup
RUN j2cfg-single /usr/local/lib/j2cfg/test.j2 /tmp/test ; \
cat /tmp/test ; echo ; echo ; \
cat /tmp/test ; echo ; \
rm -f /tmp/test
## Python cache adjustments
@ -99,9 +99,13 @@ RUN apt-install.sh angie ; \
if [ "${NGX_DEBUG}" = 0 ] ; then \
rm -fv "$n-debug" ; \
mv -fv "$n-nodebug" "$n" ; \
ln -fsv "${n##*/}" "$n-nodebug" ; \
ln -fsv /bin/false "$n-debug" ; \
else \
rm -fv "$n-nodebug" ; \
mv -fv "$n-debug" "$n" ; \
ln -fsv "${n##*/}" "$n-debug" ; \
ln -fsv /bin/false "$n-nodebug" ; \
fi
## preserve snippets from Angie config directory
@ -134,11 +138,10 @@ RUN install -d -o angie -g angie -m 03777 /angie /run/angie ; \
## adjust paths in config directory
cd /etc/angie || exit 1 ; \
ln -sv /run/angie run ; \
ln -sv /run/angie/load load ; \
ln -sv /run/angie/lock lock ; \
ln -sv /run/angie/lock lock.d ; \
ln -sv ${ANGIE_MODULES_DIR} modules.dist ; \
## hyper-modular paths:
data='autoconf conf j2cfg mod modules site snip static' ; \
data='conf j2cfg mod modules site snip static' ; \
vardata='cache lib log' ; \
for n in ${data} ; do \
for d in "$n" "$n.dist" ; do \
@ -149,17 +152,6 @@ RUN install -d -o angie -g angie -m 03777 /angie /run/angie ; \
ln -sv "/run/angie/$n" "$n.d" ; \
done
## future quirk for angie-module-modsecurity >:)
RUN n='modsecurity' ; \
d="/etc/angie/$n" ; \
ln -sv "/run/angie/$n" "$d.d" ; \
dpkg-divert --divert "$d.dist" --rename "$d" ; \
for p in modsecurity.conf unicode.mapping ; do \
dpkg-divert --divert "$d.dist/$p" --rename "$d/$p" ; \
done ; \
p='rules.conf' ; \
dpkg-divert --divert "$d.dist/$p.dist" --rename "$d/$p"
VOLUME [ "/run/angie" ]
COPY /angie/ /etc/angie/
@ -169,7 +161,7 @@ RUN find /etc/angie/ -name .gitkeep -delete ; \
## preseed builtin modules list
RUN x='angie-builtin-modules.sh' ; \
"$x" ; \
rm -fv "$(which "$x")"
chmod a-x "$(which "$x")"
## misc tools
RUN apt-install.sh \

23
angie/angie.conf
View File

@ -1,22 +1,23 @@
daemon off;
pid run/angie.pid;
lock_file lock.d/angie.lock;
## almost useless
include load/mod-core-*.conf;
include mod.d/core-*.load;
# mod-http.conf
# mod-mail.conf
# mod-stream.conf
# mod-http.conf.in
# mod-mail.conf.in
# mod-stream.conf.in
include run/mod-*.conf;
events {
include autoconf.d/core_ev-*.conf;
include load/core_ev-*.conf;
include conf.d/core_ev-*.conf;
include snip.d/core_ev-*.load;
}
include autoconf.d/core-*.conf;
include load/core-*.conf;
include conf.d/core-*.conf;
include snip.d/core-*.load;
# ctx-http.conf
# ctx-mail.conf
# ctx-stream.conf
# ctx-http.conf.in
# ctx-mail.conf.in
# ctx-stream.conf.in
include run/ctx-*.conf;

1
angie/autoconf.dist/core-lock-file.conf
View File

@ -1 +0,0 @@
lock_file lock/angie.lock;

3
angie/autoconf.dist/core-user.conf.in
View File

@ -1,3 +0,0 @@
## if container is running in non-privileged mode,
## then this file is going to be removed by /image-entry.d/76-adjust-core-user.sh
user ${NGX_USER} ${NGX_GROUP};

10
angie/autoconf.dist/core-worker.conf.j2
View File

@ -1,10 +0,0 @@
worker_processes {{ env.NGX_WORKER_PROCESSES }};
{%- if env.NGX_WORKER_CPU_AFFINITY %}
worker_cpu_affinity {{ env.NGX_WORKER_CPU_AFFINITY }};
{%- endif %}
{%- if env.NGX_WORKER_PRIORITY %}
worker_priority {{ env.NGX_WORKER_PRIORITY }};
{%- endif %}
{%- if env.NGX_WORKER_RLIMIT_NOFILE %}
worker_rlimit_nofile {{ env.NGX_WORKER_RLIMIT_NOFILE }};
{%- endif %}

7
angie/autoconf.dist/core_ev-worker.conf.j2
View File

@ -1,7 +0,0 @@
worker_connections {{ env.NGX_WORKER_CONNECTIONS }};
{%- if env.NGX_WORKER_AIO_REQUESTS %}
worker_aio_requests {{ env.NGX_WORKER_AIO_REQUESTS }};
{%- endif %}
{%- if env.NGX_WORKER_PRIORITY %}
worker_priority {{ env.NGX_WORKER_PRIORITY }};
{%- endif %}

3
angie/autoconf.dist/http-max-ranges.conf.j2
View File

@ -1,3 +0,0 @@
{%- if env.NGX_HTTP_MAX_RANGES %}
max_ranges {{ env.NGX_HTTP_MAX_RANGES }};
{%- endif %}

1
angie/autoconf.dist/http-webroot.conf.in
View File

@ -1 +0,0 @@
root ${NGX_HTTP_WEBROOT};

9
angie/conf.dist/brotli/types.conf.j2
View File

@ -1,9 +0,0 @@
{%- set mime_types = j2cfg.brotli_compress_types or j2cfg.compress_types or [] -%}
{%- set mime_types = mime_types | any_to_str_list | uniq_str_list -%}
{%- if mime_types -%}
brotli_types
{%- for t in mime_types %}
{{ t }}
{%- endfor %}
;
{%- endif -%}

0
angie/autoconf.dist/core-error-log.conf → angie/conf.dist/core-error-log.conf
View File

0
angie/autoconf.dist/core-pcre-jit.conf → angie/conf.dist/core-pcre-jit.conf
View File

1
angie/conf.dist/core-user.conf.in Normal file
View File

@ -0,0 +1 @@
user ${NGX_USER} ${NGX_GROUP};

12
angie/autoconf.dist/core-worker-env.conf.j2 → angie/conf.dist/core-worker-env.conf.j2
View File

@ -1,19 +1,15 @@
{#- prologue -#}
{#- NB: "TZ" is always provided by Angie itself -#}
{%- set s_vars = ['MALLOC_ARENA_MAX', 'GLIBC_TUNABLES', 'MALLOC_CONF'] -%}
{%- set c_env = ( j2cfg.core_worker_env or [] ) | any_to_env_dict -%}
{%- set c_vars = c_env | dict_keys -%}
{%- set c_vars_passthrough = c_env | dict_empty_keys -%}
{%- set c_vars_preserve = c_env | dict_empty_keys -%}
{%- set c_vars_override = c_env | dict_non_empty_keys -%}
{%- set vars_passthrough = (env_passthrough + c_vars_passthrough) | uniq | list_intersect(env | dict_keys) -%}
{%- set vars_preserve = ( c_vars_preserve + s_vars ) | uniq | sort -%}
{#- main part -#}
## preserve
{%- for k in env_preserve %}
env {{ k }};
{%- endfor %}
## passthrough
{%- for k in vars_passthrough %}
{%- for k in vars_preserve %}
env {{ k }};
{%- endfor %}

3
angie/conf.dist/core-worker.conf.in Normal file
View File

@ -0,0 +1,3 @@
worker_processes ${NGX_WORKER_PROCESSES};
worker_priority ${NGX_WORKER_PRIORITY};
worker_rlimit_nofile ${NGX_WORKER_RLIMIT_NOFILE};

1
angie/conf.dist/core_ev-worker.conf.in Normal file
View File

@ -0,0 +1 @@
worker_connections ${NGX_WORKER_CONNECTIONS};

4
angie/conf.dist/fastcgi/buffers.conf
View File

@ -1,4 +0,0 @@
fastcgi_buffers 16 16k;
fastcgi_buffer_size 16k;
fastcgi_busy_buffers_size 32k;
fastcgi_temp_file_write_size 32k;

13
angie/conf.dist/fastcgi/headers.conf.j2
View File

@ -1,13 +0,0 @@
## hide/remove request headers
{%- set req_hdr_list = j2cfg.fastcgi_remove_request_headers or j2cfg.remove_request_headers or [] -%}
{%- set req_hdr_list = req_hdr_list | any_to_str_list | as_cgi_header -%}
{%- for h in req_hdr_list %}
fastcgi_param {{ h }} "";
{%- endfor %}
## hide response headers
{%- set resp_hdr_list = j2cfg.fastcgi_remove_response_headers or j2cfg.remove_response_headers or [] -%}
{%- set resp_hdr_list = resp_hdr_list | any_to_str_list | uniq_str_list -%}
{%- for h in resp_hdr_list %}
fastcgi_hide_header {{ h }};
{%- endfor %}

7
angie/conf.dist/fastcgi/param.conf
View File

@ -1,7 +0,0 @@
include snip.d/fastcgi.conf;
fastcgi_param PATH_INFO $path_info;
fastcgi_param AUTH_USER $remote_user;
fastcgi_param REMOTE_USER $remote_user;
fastcgi_param HTTP_HOST $host;

1
angie/conf.dist/grpc/buffers.conf
View File

@ -1 +0,0 @@
grpc_buffer_size 16k;

13
angie/conf.dist/grpc/headers.conf.j2
View File

@ -1,13 +0,0 @@
## hide/remove request headers
{%- set req_hdr_list = j2cfg.grpc_remove_request_headers or j2cfg.remove_request_headers or [] -%}
{%- set req_hdr_list = req_hdr_list | any_to_str_list | uniq_str_list -%}
{%- for h in req_hdr_list %}
grpc_set_header {{ h }} "";
{%- endfor %}
## hide response headers
{%- set resp_hdr_list = j2cfg.grpc_remove_response_headers or j2cfg.remove_response_headers or [] -%}
{%- set resp_hdr_list = resp_hdr_list | any_to_str_list | uniq_str_list -%}
{%- for h in resp_hdr_list %}
grpc_hide_header {{ h }};
{%- endfor %}

9
angie/conf.dist/gzip/types.conf.j2
View File

@ -1,9 +0,0 @@
{%- set mime_types = j2cfg.gzip_compress_types or j2cfg.compress_types or [] -%}
{%- set mime_types = mime_types | any_to_str_list | uniq_str_list -%}
{%- if mime_types -%}
gzip_types
{%- for t in mime_types %}
{{ t }}
{%- endfor %}
;
{%- endif -%}

0
angie/autoconf.dist/http-access-log.conf → angie/conf.dist/http-access-log.conf
View File

2
angie/conf.dist/http-brotli.conf
View File

@ -1,2 +0,0 @@
include conf.d/brotli/*.conf;
brotli on;

0
angie/autoconf.dist/http-buffers.conf → angie/conf.dist/http-buffers.conf
View File

1
angie/conf.dist/http-fastcgi.conf
View File

@ -1 +0,0 @@
include conf.d/fastcgi/*.conf;

4
angie/conf.dist/http-grpc.conf
View File

@ -1,4 +0,0 @@
## this should be enabled explicitly to avoid config mess
# include conf.d/http-v2.conf;
include conf.d/grpc/*.conf;

2
angie/conf.dist/http-gunzip.conf
View File

@ -1,2 +0,0 @@
gunzip_buffers 16 16k;
gunzip on;

2
angie/conf.dist/http-gzip.conf
View File

@ -1,2 +0,0 @@
include conf.d/gzip/*.conf;
gzip on;

1
angie/conf.dist/http-max-ranges.conf.in Normal file
View File

@ -0,0 +1 @@
max_ranges ${NGX_HTTP_MAX_RANGES};

0
angie/autoconf.dist/http-mime-types.conf → angie/conf.dist/http-mime-types.conf
View File

4
angie/conf.dist/http-modsecurity.conf
View File

@ -1,4 +0,0 @@
modsecurity_rules_file /etc/angie/modsecurity.d/rules.conf;
## NOT enabling ModSecurity by default!
# modsecurity on;

1
angie/conf.dist/http-njs.conf
View File

@ -1 +0,0 @@
js_path /etc/angie/site.d;

1
angie/conf.dist/http-perl.conf
View File

@ -1 +0,0 @@
perl_modules /etc/angie/site.d;

6
angie/conf.dist/http-response-headers.conf.j2
View File

@ -1,6 +0,0 @@
## add response headers
{%- set resp_hdr_list = ( j2cfg.add_response_headers or {} ) -%}
{%- for h, v in resp_hdr_list.items() %}
{#- TODO: precise quotation #}
add_header {{ h }} {{ v.__repr__() }};
{%- endfor %}

1
angie/conf.dist/http-scgi.conf
View File

@ -1 +0,0 @@
include conf.d/scgi/*.conf;

1
angie/conf.dist/http-uwsgi.conf
View File

@ -1 +0,0 @@
include conf.d/uwsgi/*.conf;

2
angie/conf.dist/http-v2.conf
View File

@ -1,2 +0,0 @@
http2_chunk_size 16k;
http2 on;

2
angie/conf.dist/http-zstd.conf
View File

@ -1,2 +0,0 @@
include conf.d/zstd/*.conf;
zstd on;

13
angie/conf.dist/proxy/headers.conf.j2
View File

@ -1,13 +0,0 @@
## hide/remove request headers
{%- set req_hdr_list = j2cfg.proxy_remove_request_headers or j2cfg.remove_request_headers or [] -%}
{%- set req_hdr_list = req_hdr_list | any_to_str_list | uniq_str_list -%}
{%- for h in req_hdr_list %}
proxy_set_header {{ h }} "";
{%- endfor %}
## hide response headers
{%- set resp_hdr_list = j2cfg.proxy_remove_response_headers or j2cfg.remove_response_headers or [] -%}
{%- set resp_hdr_list = resp_hdr_list | any_to_str_list | uniq_str_list -%}
{%- for h in resp_hdr_list %}
proxy_hide_header {{ h }};
{%- endfor %}

4
angie/conf.dist/scgi/buffers.conf
View File

@ -1,4 +0,0 @@
scgi_buffers 16 16k;
scgi_buffer_size 16k;
scgi_busy_buffers_size 32k;
scgi_temp_file_write_size 32k;

13
angie/conf.dist/scgi/headers.conf.j2
View File

@ -1,13 +0,0 @@
## hide/remove request headers
{%- set req_hdr_list = j2cfg.scgi_remove_request_headers or j2cfg.remove_request_headers or [] -%}
{%- set req_hdr_list = req_hdr_list | any_to_str_list | as_cgi_header -%}
{%- for h in req_hdr_list %}
scgi_param {{ h }} "";
{%- endfor %}
## hide response headers
{%- set resp_hdr_list = j2cfg.scgi_remove_response_headers or j2cfg.remove_response_headers or [] -%}
{%- set resp_hdr_list = resp_hdr_list | any_to_str_list | uniq_str_list -%}
{%- for h in resp_hdr_list %}
scgi_hide_header {{ h }};
{%- endfor %}

7
angie/conf.dist/scgi/param.conf
View File

@ -1,7 +0,0 @@
include snip.d/scgi_params;
scgi_param PATH_INFO $path_info;
scgi_param AUTH_USER $remote_user;
scgi_param REMOTE_USER $remote_user;
scgi_param HTTP_HOST $host;

4
angie/conf.dist/uwsgi/buffers.conf
View File

@ -1,4 +0,0 @@
uwsgi_buffers 16 16k;
uwsgi_buffer_size 16k;
uwsgi_busy_buffers_size 32k;
uwsgi_temp_file_write_size 32k;

13
angie/conf.dist/uwsgi/headers.conf.j2
View File

@ -1,13 +0,0 @@
## hide/remove request headers
{%- set req_hdr_list = j2cfg.uwsgi_remove_request_headers or j2cfg.remove_request_headers or [] -%}
{%- set req_hdr_list = req_hdr_list | any_to_str_list | as_cgi_header -%}
{%- for h in req_hdr_list %}
uwsgi_param {{ h }} "";
{%- endfor %}
## hide response headers
{%- set resp_hdr_list = j2cfg.uwsgi_remove_response_headers or j2cfg.remove_response_headers or [] -%}
{%- set resp_hdr_list = resp_hdr_list | any_to_str_list | uniq_str_list -%}
{%- for h in resp_hdr_list %}
uwsgi_hide_header {{ h }};
{%- endfor %}

7
angie/conf.dist/uwsgi/param.conf
View File

@ -1,7 +0,0 @@
include snip.d/uwsgi_params;
uwsgi_param PATH_INFO $path_info;
uwsgi_param AUTH_USER $remote_user;
uwsgi_param REMOTE_USER $remote_user;
uwsgi_param HTTP_HOST $host;

9
angie/conf.dist/zstd/types.conf.j2
View File

@ -1,9 +0,0 @@
{%- set mime_types = j2cfg.zstd_compress_types or j2cfg.compress_types or [] -%}
{%- set mime_types = mime_types | any_to_str_list | uniq_str_list -%}
{%- if mime_types -%}
zstd_types
{%- for t in mime_types %}
{{ t }}
{%- endfor %}
;
{%- endif -%}

4
angie/ctx-http.conf
View File

@ -1,5 +1,5 @@
http {
include autoconf.d/http-*.conf;
include load/http-*.conf;
include conf.d/http-*.conf;
include snip.d/http-*.load;
include site.d/http-*.conf;
}

4
angie/ctx-mail.conf
View File

@ -1,5 +1,5 @@
mail {
include autoconf.d/mail-*.conf;
include load/mail-*.conf;
include conf.d/mail-*.conf;
include snip.d/mail-*.load;
include site.d/mail-*.conf;
}

4
angie/ctx-stream.conf
View File

@ -1,5 +1,5 @@
stream {
include autoconf.d/stream-*.conf;
include load/stream-*.conf;
include conf.d/stream-*.conf;
include snip.d/stream-*.load;
include site.d/stream-*.conf;
}

11
angie/j2cfg.dist/add-response-headers.yml
View File

@ -1,11 +0,0 @@
add_response_headers:
Access-Control-Allow-Origin: "*"
Access-Control-Allow-Headers: "Origin, X-Requested-With, Content-Type, Accept, Authorization"
Access-Control-Allow-Methods: "GET, HEAD, POST, PUT, DELETE, OPTIONS"
Content-Security-Policy: "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline' 'unsafe-eval' ; frame-ancestors 'self';"
Permissions-Policy: "microphone=(), camera=(), geolocation=(), interest-cohort=()"
Referrer-Policy: "no-referrer-when-downgrade"
Strict-Transport-Security: "max-age=31536000; includeSubDomains; preload"
X-Content-Type-Options: "nosniff"
X-Frame-Options: "SAMEORIGIN"
X-XSS-Protection: "1; mode=block"

7
angie/j2cfg.dist/core-worker-env.txt.j2
View File

@ -1,9 +1,10 @@
{#- prologue -#}
{%- set s_vars = ['MALLOC_ARENA_MAX', 'GLIBC_TUNABLES', 'MALLOC_CONF'] -%}
{%- set c_env = ( j2cfg.core_worker_env or [] ) | any_to_env_dict -%}
{%- set c_vars = c_env | dict_keys -%}
{%- set c_vars_passthrough = c_env | dict_empty_keys -%}
{%- set vars_passthrough = ((env_passthrough | list_diff(c_vars)) + c_vars_passthrough) | uniq | list_intersect(env | dict_keys) -%}
{%- set c_vars_preserve = c_env | dict_empty_keys -%}
{%- set vars_preserve = ( c_vars_preserve + ( s_vars | list_diff(c_vars) )) | sort -%}
{#- main part -#}
{%- for k in vars_passthrough -%}
{%- for k in vars_preserve -%}
{{ k }}
{% endfor -%}

3
angie/j2cfg.dist/remove-request-headers.yml
View File

@ -1,3 +0,0 @@
remove_request_headers:
## do not pass Accept-Encoding to backend
- Accept-Encoding

12
angie/j2cfg.dist/remove-response-headers.yml
View File

@ -1,12 +0,0 @@
remove_response_headers:
- Access-Control-Allow-Headers
- Access-Control-Allow-Methods
- Access-Control-Allow-Origin
- Content-Security-Policy
- Permissions-Policy
- Referrer-Policy
- Strict-Transport-Security
- Vary
- X-Content-Type-Options
- X-Frame-Options
- X-XSS-Protection

2
angie/mod-http.conf
View File

@ -1 +1 @@
include load/mod-http-*.conf;
include mod.d/http-*.load;

2
angie/mod-mail.conf
View File

@ -1 +1 @@
include load/mod-mail-*.conf;
include mod.d/mail-*.load;

2
angie/mod-stream.conf
View File

@ -1 +1 @@
include load/mod-stream-*.conf;
include mod.d/stream-*.load;

33
angie/modsecurity.dist/rules.conf
View File

@ -1,33 +0,0 @@
Include modsecurity.conf
# To enable the OWASP CRS, please perform the following steps:
#
# 1. Checkout Core Rule Set from GitHub and create config files as shown below:
#
# version='v4.5.0'
# uri="https://github.com/coreruleset/coreruleset/archive/refs/tags/${version}.tar.gz"
# dst_dir='/etc/angie/modsecurity/coreruleset'
# w=$(mktemp -d) ; : "${w:?}"
# cd "$w/"
# tarball="coreruleset.tar.gz"
# /usr/lib/apt/apt-helper download-file "${uri}" "${tarball}"
# mkdir coreruleset
# tar -C ./coreruleset --strip-components=1 -xf "${tarball}"
# rm -f "${tarball}" ; unset tarball
# for p in \
# crs-setup.conf \
# rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf \
# rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf \
# ; do
# src="coreruleset/$p.example"
# dst="${dst_dir}/$p"
# [ -f "${src}" ] || continue
# [ -d "${dst%/*}" ] || mkdir -p "${dst%/*}"
# cp -nv "${src}" "${dst}"
# done
# rm -rf "${w:?}/" ; unset w
#
# 2. Uncomment both 'Include' directives below
#Include coreruleset/crs-setup.conf
#Include coreruleset/rules/*.conf

0
angie/conf.dist/brotli/buffers.conf → angie/snip.dist/brotli/buffers.conf
View File

1
angie/snip.dist/brotli/gzip.conf Normal file
View File

@ -0,0 +1 @@
include snip.d/gzip/vary.conf;

8
angie/snip.dist/brotli/types.conf.j2 Normal file
View File

@ -0,0 +1,8 @@
{%- set mime_types = ( j2cfg.compress_types or [] )|any_to_str_list|uniq_str_list -%}
{%- if mime_types %}
brotli_types
{%- for t in mime_types %}
{{ t }}
{%- endfor %}
;
{%- endif %}

0
angie/conf.dist/core-quic-bpf.conf → angie/snip.dist/core-quic-bpf.conf
View File

0
angie/conf.dist/core_ev-accept-mutex-delay.conf → angie/snip.dist/core_ev-accept-mutex-delay.conf
View File

0
angie/conf.dist/core_ev-accept-mutex.conf → angie/snip.dist/core_ev-accept-mutex.conf
View File

0
angie/conf.dist/core_ev-multi-accept.conf → angie/snip.dist/core_ev-multi-accept.conf
View File

3
angie/snip.dist/deny-dotfiles
View File

@ -1,3 +0,0 @@
location ~ /\. {
include snip.d/internal-area;
}

8
angie/snip.dist/disable-compression.j2
View File

@ -1,8 +0,0 @@
{#- safe to specify all the time -#}
gzip off;
{%- set modules = ( env.NGX_HTTP_MODULES or '' ) | str_split_to_list -%}
{%- for ext_comp in ['brotli', 'zstd'] %}
{%- if ext_comp in modules %}
{{ ext_comp }} off;
{%- endif %}
{%- endfor %}

4
angie/snip.dist/empty-favicon
View File

@ -1,4 +0,0 @@
location = /favicon.ico {
empty_gif;
expires 1d;
}

5
angie/snip.dist/fastcgi-location
View File

@ -1,5 +0,0 @@
try_files $fastcgi_script_name =444;
## bypass the fact that try_files resets $fastcgi_path_info
## see: https://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;

0
angie/conf.dist/gzip/buffers.conf → angie/snip.dist/gzip/buffers.conf
View File

0
angie/conf.dist/gzip/proxied.conf → angie/snip.dist/gzip/proxied.conf
View File

8
angie/snip.dist/gzip/types.conf.j2 Normal file
View File

@ -0,0 +1,8 @@
{%- set mime_types = ( j2cfg.compress_types or [] )|any_to_str_list|uniq_str_list -%}
{%- if mime_types %}
gzip_types
{%- for t in mime_types %}
{{ t }}
{%- endfor %}
;
{%- endif %}

0
angie/conf.dist/gzip/vary.conf → angie/snip.dist/gzip/vary.conf
View File

0
angie/conf.dist/http-brotli-static.conf → angie/snip.dist/http-brotli-static.conf
View File

2
angie/snip.dist/http-brotli.conf Normal file
View File

@ -0,0 +1,2 @@
include snip.d/brotli/*.conf;
brotli on;

2
angie/snip.dist/http-gunzip.conf Normal file
View File

@ -0,0 +1,2 @@
include snip.d/http-gunzip.modconf;
gunzip on;

1
angie/snip.dist/http-gunzip.modconf Normal file
View File

@ -0,0 +1 @@
gunzip_buffers 16 16k;

0
angie/conf.dist/http-gzip-static.conf → angie/snip.dist/http-gzip-static.conf
View File

2
angie/snip.dist/http-gzip.conf Normal file
View File

@ -0,0 +1,2 @@
include snip.d/gzip/*.conf;
gzip on;

0
angie/conf.dist/http-zstd-static.conf → angie/snip.dist/http-zstd-static.conf
View File

2
angie/snip.dist/http-zstd.conf Normal file
View File

@ -0,0 +1,2 @@
include snip.d/zstd/*.conf;
zstd on;

5
angie/snip.dist/internal-area
View File

@ -1,5 +0,0 @@
## always sourced by snip.d/deny-dotfiles
access_log off;
log_not_found off;
internal;

0
angie/conf.dist/zstd/buffers.conf → angie/snip.dist/zstd/buffers.conf
View File

1
angie/snip.dist/zstd/gzip.conf Normal file
View File

@ -0,0 +1 @@
include snip.d/gzip/vary.conf;

8
angie/snip.dist/zstd/types.conf.j2 Normal file
View File

@ -0,0 +1,8 @@
{%- set mime_types = ( j2cfg.compress_types or [] )|any_to_str_list|uniq_str_list -%}
{%- if mime_types %}
zstd_types
{%- for t in mime_types %}
{{ t }}
{%- endfor %}
;
{%- endif %}

14
image-entry.d/00-common.envsh
View File

@ -82,7 +82,7 @@ untemplate_path() {
"${volume_root}"/* | /etc/angie/run/* )
strip_suffix "$1" "$2"
;;
/etc/angie/autoconf.d/* | /etc/angie/conf.d/* | /etc/angie/j2cfg.d/* | /etc/angie/mod.d/* | /etc/angie/modules.d/* | /etc/angie/site.d/* | /etc/angie/snip.d/* )
/etc/angie/conf.d/* | /etc/angie/j2cfg.d/* | /etc/angie/mod.d/* | /etc/angie/modules.d/* | /etc/angie/site.d/* | /etc/angie/snip.d/* )
strip_suffix "$1" "$2"
;;
/etc/angie/static.d/* )
@ -212,10 +212,6 @@ remap_path() {
[ -n "$1" ] || return
case "$1" in
## autoconf
/etc/angie/autoconf.dist/* ) echo "${2:-/etc/angie/autoconf.d}${1#/etc/angie/autoconf.dist}" ;;
/etc/angie/autoconf/* ) echo "${2:-/etc/angie/autoconf.d}${1#/etc/angie/autoconf}" ;;
/angie/autoconf/* ) echo "${2:-/etc/angie/autoconf.d}${1#/angie/autoconf}" ;;
## conf
/etc/angie/conf.dist/* ) echo "${2:-/etc/angie/conf.d}${1#/etc/angie/conf.dist}" ;;
/etc/angie/conf/* ) echo "${2:-/etc/angie/conf.d}${1#/etc/angie/conf}" ;;
@ -281,14 +277,6 @@ is_builtin_module() {
grep -Fxq -e "$2" "/etc/angie/builtin.$1" || return 1
}
normalize_list() {
[ -n "$1" ] || return 0
printf '%s' "$1" \
| tr -s '[:space:]' ' ' \
| sed -zE 's/^ //;s/ $//'
}
sort_dedup_list() {
[ -n "$1" ] || return 0

22
image-entry.d/01-defaults.envsh
View File

@ -19,7 +19,7 @@ if [ "${NGX_HTTP}${NGX_MAIL}${NGX_STREAM}" = '000' ] ; then
fi
unset default_dirs_merge default_dirs_link
default_dirs_merge='autoconf conf j2cfg mod modules site snip'
default_dirs_merge='conf j2cfg mod modules site snip'
default_dirs_link=''
if [ "${NGX_PROCESS_STATIC}" = 1 ] ; then
@ -34,23 +34,3 @@ NGX_DIRS_LINK=$(sort_dedup_list "${default_dirs_link} ${NGX_DIRS_LINK:-}")
set +a
unset default_dirs_merge default_dirs_link
unset i dirs_link
dirs_link=
for i in ${NGX_DIRS_LINK:-} ; do
[ -n "$i" ] || continue
## naive deduplication
case " ${NGX_DIRS_MERGE} " in
*" $i "* )
log "$i is already specified in NGX_DIRS_MERGE - removing from NGX_DIRS_LINK"
continue
;;
esac
dirs_link="${dirs_link}${dirs_link:+ }$i"
done
unset i
export NGX_DIRS_LINK="${dirs_link}"
unset dirs_link

0
image-entry.d/02-nonroot.envsh → image-entry.d/02-detect-nonroot.envsh
View File

0
image-entry.d/03-local-override.envsh → image-entry.d/03-detect-local-override.envsh
View File

0
image-entry.d/04-local-ip-addresses.envsh → image-entry.d/04-detect-local-ip-addresses.envsh
View File

4
image-entry.d/10-core.envsh
View File

@ -3,7 +3,7 @@
set -a
NGX_CORE_MODULES="${NGX_CORE_MODULES:-}"
NGX_CORE_CONFLOAD="${NGX_CORE_CONFLOAD:-}"
NGX_CORE_EVENTS_CONFLOAD="${NGX_CORE_EVENTS_CONFLOAD:-}"
NGX_CORE_EVENTS_SNIPPETS="${NGX_CORE_EVENTS_SNIPPETS:-}"
NGX_CORE_SNIPPETS="${NGX_CORE_SNIPPETS:-}"
set +a

21
image-entry.d/11-core-modules.envsh
View File

@ -1,24 +1,17 @@
#!/bin/sh
unset core_modules core_confload
unset core_modules core_snippets
core_modules=
core_confload="${NGX_CORE_CONFLOAD:-}"
core_snippets="${NGX_CORE_SNIPPETS:-}"
## filter out builtin core modules
unset i
for i in ${NGX_CORE_MODULES:-} ; do
[ -n "$i" ] || continue
case "$i" in
*/* | *\** | *\?* )
log_always "module '$i' is not legal, skipping"
continue
;;
esac
if is_builtin_module core "$i" ; then
log "$i is builtin module, moving to NGX_CORE_CONFLOAD"
core_confload="${core_confload} $i"
log "$i is builtin module, moving to snippets"
core_snippets="${core_snippets} $i"
continue
fi
@ -36,8 +29,8 @@ unset i
set -a
NGX_CORE_MODULES="${core_modules}"
NGX_CORE_CONFLOAD=$(sort_dedup_list "${core_confload}")
NGX_CORE_EVENTS_CONFLOAD=$(sort_dedup_list "${NGX_CORE_EVENTS_CONFLOAD}")
NGX_CORE_SNIPPETS=$(sort_dedup_list "${core_snippets}")
NGX_CORE_EVENTS_SNIPPETS=$(sort_dedup_list "${NGX_CORE_EVENTS_SNIPPETS}")
set +a
unset core_modules core_confload
unset core_modules core_snippets

146
image-entry.d/13-core-worker-defaults.envsh Executable file
View File

@ -0,0 +1,146 @@
#!/bin/sh
unset _NGX_WORKER_PROCESSES _NGX_WORKER_PRIORITY _NGX_WORKER_RLIMIT_NOFILE _NGX_WORKER_CONNECTIONS
## here should be SANE defaults (!)
_NGX_WORKER_PROCESSES=2
_NGX_WORKER_PRIORITY=0
_NGX_WORKER_RLIMIT_NOFILE=16384
_NGX_WORKER_CONNECTIONS=4096
[ -n "${NGX_WORKER_PROCESSES:-}" ] || NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}
case "${NGX_WORKER_PROCESSES}" in
"${_NGX_WORKER_PROCESSES}" ) ;;
## allow values within [1;999]
[1-9] | [1-9][0-9] | [1-9][0-9][0-9] ) ;;
[Aa][Uu][Tt][Oo] )
## adjust
NGX_WORKER_PROCESSES=auto
log_always "NGX_WORKER_PROCESSES: \"auto\" isn't supported by container yet"
log_always "offloading decision to Angie (this could be a problem!)"
;;
0 )
log_always "NGX_WORKER_PROCESSES: \"0\" isn't supported by container yet"
log_always "setting NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}"
NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}
;;
* )
log_always "NGX_WORKER_PROCESSES: unrecognized value: ${NGX_WORKER_PROCESSES}"
log_always "setting NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}"
NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}
;;
esac
[ -n "${NGX_WORKER_PRIORITY:-}" ] || NGX_WORKER_PRIORITY=${_NGX_WORKER_PRIORITY}
case "${NGX_WORKER_PRIORITY}" in
"${_NGX_WORKER_PRIORITY}" ) ;;
-[1-9] | -1[0-9] | -20 ) ;;
[0-9] | 1[0-9] | 20 ) ;;
-0 )
log_always "NGX_WORKER_PRIORITY: likely an error: '-0'"
log_always "adjusting NGX_WORKER_PRIORITY=0"
NGX_WORKER_PRIORITY=0
;;
* )
log_always "NGX_WORKER_PRIORITY: unrecognized value: ${NGX_WORKER_PRIORITY}"
log_always "setting NGX_WORKER_PRIORITY=${_NGX_WORKER_PRIORITY}"
NGX_WORKER_PRIORITY=${_NGX_WORKER_PRIORITY}
;;
esac
[ -n "${NGX_WORKER_RLIMIT_NOFILE:-}" ] || NGX_WORKER_RLIMIT_NOFILE=${_NGX_WORKER_RLIMIT_NOFILE}
case "${NGX_WORKER_RLIMIT_NOFILE}" in
"${_NGX_WORKER_RLIMIT_NOFILE}" ) ;;
[0-9] | [1-9][0-9] )
log_always "NGX_WORKER_RLIMIT_NOFILE: too low: ${NGX_WORKER_RLIMIT_NOFILE}"
log_always "setting NGX_WORKER_RLIMIT_NOFILE=${_NGX_WORKER_RLIMIT_NOFILE}"
NGX_WORKER_RLIMIT_NOFILE=${_NGX_WORKER_RLIMIT_NOFILE}
;;
## allow values within [100;9999999]
[1-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9][0-9][0-9][0-9] ) ;;
* )
log_always "NGX_WORKER_RLIMIT_NOFILE: unrecognized value: ${NGX_WORKER_RLIMIT_NOFILE}"
log_always "setting NGX_WORKER_RLIMIT_NOFILE=${_NGX_WORKER_RLIMIT_NOFILE}"
NGX_WORKER_RLIMIT_NOFILE=${_NGX_WORKER_RLIMIT_NOFILE}
;;
esac
[ -n "${NGX_WORKER_CONNECTIONS:-}" ] || NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}
case "${NGX_WORKER_CONNECTIONS}" in
"${_NGX_WORKER_CONNECTIONS}" ) ;;
[0-9] | [1-9][0-9] )
log_always "NGX_WORKER_CONNECTIONS: too low: ${NGX_WORKER_CONNECTIONS}"
log_always "setting NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}"
NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}
;;
## allow values within [100;9999999]
[1-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9][0-9][0-9][0-9] ) ;;
* )
log_always "NGX_WORKER_CONNECTIONS: unrecognized value: ${NGX_WORKER_CONNECTIONS}"
log_always "setting NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}"
NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}
;;
esac
nofile_soft=$(ulimit -Sn)
nofile_hard=$(ulimit -Hn)
if [ "${nofile_hard}" = unlimited ] ; then
## minor hack (if applicable) :)
nofile_hard=$((NGX_WORKER_RLIMIT_NOFILE * 2))
fi
nofile_ok=0
while : ; do
[ ${nofile_hard} -ge ${NGX_WORKER_RLIMIT_NOFILE} ] || break
[ ${nofile_soft} -ge ${NGX_WORKER_RLIMIT_NOFILE} ] || break
nofile_ok=1
break ; done
if [ ${nofile_ok} = 0 ] ; then
log_always "adjusting 'nofile' limits"
log_always "Limits before:"
sed -En '1p;/open files/p' < /proc/$$/limits >&2
if [ ${nofile_hard} -lt ${NGX_WORKER_RLIMIT_NOFILE} ] ; then
ulimit -Hn "${NGX_WORKER_RLIMIT_NOFILE}"
nofile_hard=$(ulimit -Hn)
fi
if [ ${nofile_hard} -lt ${NGX_WORKER_RLIMIT_NOFILE} ] ; then
log_always "lowering NGX_WORKER_RLIMIT_NOFILE to ${nofile_hard} due to hard limit"
NGX_WORKER_RLIMIT_NOFILE=${nofile_hard}
fi
if [ ${nofile_soft} -lt ${NGX_WORKER_RLIMIT_NOFILE} ] ; then
ulimit -Sn "${NGX_WORKER_RLIMIT_NOFILE}"
fi
log_always "Limits after:"
sed -En '1p;/open files/p' < /proc/$$/limits >&2
fi
unset nofile_soft nofile_hard nofile_ok
export NGX_WORKER_PROCESSES NGX_WORKER_PRIORITY NGX_WORKER_RLIMIT_NOFILE NGX_WORKER_CONNECTIONS
unset _NGX_WORKER_PROCESSES _NGX_WORKER_PRIORITY _NGX_WORKER_RLIMIT_NOFILE _NGX_WORKER_CONNECTIONS
if [ ${NGX_WORKER_RLIMIT_NOFILE} -lt ${NGX_WORKER_CONNECTIONS} ] ; then
log_always "WARNING: NGX_WORKER_RLIMIT_NOFILE is less than NGX_WORKER_CONNECTIONS (${NGX_WORKER_RLIMIT_NOFILE} < ${NGX_WORKER_CONNECTIONS})"
else
ratio=$(mawk -v "a=${NGX_WORKER_RLIMIT_NOFILE}" -v "b=${NGX_WORKER_CONNECTIONS}" 'BEGIN{print a/b;exit;}' </dev/null)
case "${ratio}" in
1 | 1.* )
log_always "WARNING: \"NGX_WORKER_RLIMIT_NOFILE/NGX_WORKER_CONNECTIONS\" ratio is too low (=${ratio})"
;;
esac
unset ratio
fi

195
image-entry.d/13-core-worker.envsh
View File

@ -1,195 +0,0 @@
#!/bin/sh
unset _NGX_WORKER_PROCESSES _NGX_WORKER_PRIORITY _NGX_WORKER_RLIMIT_NOFILE _NGX_WORKER_CONNECTIONS _NGX_WORKER_AIO_REQUESTS
## here should be SANE defaults (!)
_NGX_WORKER_PROCESSES=2
_NGX_WORKER_PRIORITY=0
_NGX_WORKER_RLIMIT_NOFILE=16384
_NGX_WORKER_CONNECTIONS=4096
_NGX_WORKER_AIO_REQUESTS=64
[ -n "${NGX_WORKER_PROCESSES:-}" ] || NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}
case "${NGX_WORKER_PROCESSES}" in
## allow values within [1;999]
[1-9] | [1-9][0-9] | [1-9][0-9][0-9] ) ;;
[Aa][Uu][Tt][Oo] )
## adjust
NGX_WORKER_PROCESSES=auto
log_always "NGX_WORKER_PROCESSES: \"auto\" isn't supported by container yet"
log_always "offloading decision to Angie (this could be a problem!)"
;;
0 )
log_always "NGX_WORKER_PROCESSES: \"0\" isn't supported by container yet"
log_always "setting NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}"
NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}
;;
* )
log_always "NGX_WORKER_PROCESSES: unrecognized value: ${NGX_WORKER_PROCESSES}"
log_always "setting NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}"
NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}
;;
esac
export NGX_WORKER_PROCESSES
if [ -z "${NGX_WORKER_CPU_AFFINITY:-}" ] ; then
unset NGX_WORKER_CPU_AFFINITY
else
## offload handling to Angie
set -a
NGX_WORKER_CPU_AFFINITY=$(normalize_list "${NGX_WORKER_CPU_AFFINITY}")
set +a
fi
[ -n "${NGX_WORKER_CONNECTIONS:-}" ] || NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}
case "${NGX_WORKER_CONNECTIONS}" in
[0-9] | [1-9][0-9] )
log_always "NGX_WORKER_CONNECTIONS: too low: ${NGX_WORKER_CONNECTIONS}"
log_always "setting NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}"
NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}
;;
## allow values within [100;9999999]
[1-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9][0-9][0-9][0-9] ) ;;
* )
log_always "NGX_WORKER_CONNECTIONS: unrecognized value: ${NGX_WORKER_CONNECTIONS}"
log_always "setting NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}"
NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}
;;
esac
export NGX_WORKER_CONNECTIONS
if [ -z "${NGX_WORKER_PRIORITY:-}" ] ; then
unset NGX_WORKER_PRIORITY
else
case "${NGX_WORKER_PRIORITY}" in
-[1-9] | -1[0-9] | -20 ) ;;
[0-9] | 1[0-9] | 20 ) ;;
-0 )
log_always "NGX_WORKER_PRIORITY: likely an error: '-0'"
log_always "adjusting NGX_WORKER_PRIORITY=0"
NGX_WORKER_PRIORITY=0
;;
* )
log_always "NGX_WORKER_PRIORITY: unrecognized value: ${NGX_WORKER_PRIORITY}"
log_always "setting NGX_WORKER_PRIORITY=${_NGX_WORKER_PRIORITY}"
NGX_WORKER_PRIORITY=${_NGX_WORKER_PRIORITY}
;;
esac
export NGX_WORKER_PRIORITY
fi
if [ -z "${NGX_WORKER_RLIMIT_NOFILE:-}" ] ; then
unset NGX_WORKER_RLIMIT_NOFILE
else
case "${NGX_WORKER_RLIMIT_NOFILE}" in
[0-9] | [1-9][0-9] )
log_always "NGX_WORKER_RLIMIT_NOFILE: too low: ${NGX_WORKER_RLIMIT_NOFILE}"
log_always "setting NGX_WORKER_RLIMIT_NOFILE=${_NGX_WORKER_RLIMIT_NOFILE}"
NGX_WORKER_RLIMIT_NOFILE=${_NGX_WORKER_RLIMIT_NOFILE}
;;
## allow values within [100;9999999]
[1-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9][0-9][0-9][0-9] ) ;;
* )
log_always "NGX_WORKER_RLIMIT_NOFILE: unrecognized value: ${NGX_WORKER_RLIMIT_NOFILE}"
log_always "setting NGX_WORKER_RLIMIT_NOFILE=${_NGX_WORKER_RLIMIT_NOFILE}"
NGX_WORKER_RLIMIT_NOFILE=${_NGX_WORKER_RLIMIT_NOFILE}
;;
esac
export NGX_WORKER_RLIMIT_NOFILE
fi
if [ -z "${NGX_WORKER_AIO_REQUESTS:-}" ] ; then
unset NGX_WORKER_AIO_REQUESTS
else
case "${NGX_WORKER_AIO_REQUESTS}" in
[0-9] )
log_always "NGX_WORKER_AIO_REQUESTS: too low: ${NGX_WORKER_AIO_REQUESTS}"
log_always "setting NGX_WORKER_AIO_REQUESTS=${_NGX_WORKER_AIO_REQUESTS}"
NGX_WORKER_AIO_REQUESTS=${_NGX_WORKER_AIO_REQUESTS}
;;
## allow values within [10;99999]
[1-9][0-9] ) ;;
[1-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9][0-9] ) ;;
* )
log_always "NGX_WORKER_AIO_REQUESTS: unrecognized value: ${NGX_WORKER_AIO_REQUESTS}"
log_always "setting NGX_WORKER_AIO_REQUESTS=${_NGX_WORKER_AIO_REQUESTS}"
NGX_WORKER_AIO_REQUESTS=${_NGX_WORKER_AIO_REQUESTS}
;;
esac
export NGX_WORKER_AIO_REQUESTS
fi
if [ -n "${NGX_WORKER_RLIMIT_NOFILE:-}" ] ; then
nofile_soft=$(ulimit -Sn)
nofile_hard=$(ulimit -Hn)
if [ "${nofile_hard}" = unlimited ] ; then
## minor hack (if applicable) :)
nofile_hard=$((NGX_WORKER_RLIMIT_NOFILE + 1))
fi
nofile_ok=0
while : ; do
[ ${nofile_hard} -ge ${NGX_WORKER_RLIMIT_NOFILE} ] || break
[ ${nofile_soft} -ge ${NGX_WORKER_RLIMIT_NOFILE} ] || break
nofile_ok=1
break ; done
if [ ${nofile_ok} = 0 ] ; then
log_always "adjusting 'nofile' limits"
log_always "Limits before:"
sed -En '1p;/open files/p' < /proc/$$/limits >&2
if [ ${nofile_hard} -lt ${NGX_WORKER_RLIMIT_NOFILE} ] ; then
ulimit -Hn "${NGX_WORKER_RLIMIT_NOFILE}"
nofile_hard=$(ulimit -Hn)
fi
if [ ${nofile_hard} -lt ${NGX_WORKER_RLIMIT_NOFILE} ] ; then
log_always "lowering NGX_WORKER_RLIMIT_NOFILE to ${nofile_hard} due to hard limit"
NGX_WORKER_RLIMIT_NOFILE=${nofile_hard}
fi
if [ ${nofile_soft} -lt ${NGX_WORKER_RLIMIT_NOFILE} ] ; then
ulimit -Sn "${NGX_WORKER_RLIMIT_NOFILE}"
fi
log_always "Limits after:"
sed -En '1p;/open files/p' < /proc/$$/limits >&2
fi
unset nofile_soft nofile_hard nofile_ok
export NGX_WORKER_RLIMIT_NOFILE
fi
if [ -z "${NGX_WORKER_RLIMIT_NOFILE:-}" ] ; then
nofile_limit=$(ulimit -Hn)
nofile_kind="'ulimit:nofile'"
else
nofile_limit=${NGX_WORKER_RLIMIT_NOFILE}
nofile_kind='NGX_WORKER_RLIMIT_NOFILE'
fi
if [ ${nofile_limit} -lt ${NGX_WORKER_CONNECTIONS} ] ; then
log_always "WARNING: ${nofile_kind} is less than NGX_WORKER_CONNECTIONS (${nofile_limit} < ${NGX_WORKER_CONNECTIONS})"
else
ratio=$(mawk -v "a=${nofile_limit}" -v "b=${NGX_WORKER_CONNECTIONS}" 'BEGIN{print a/b;exit;}' </dev/null)
case "${ratio}" in
1 | 1.* )
log_always "WARNING: \"${nofile_kind}/NGX_WORKER_CONNECTIONS\" ratio is too low (=${ratio})"
;;
esac
unset ratio
fi
unset nofile_limit nofile_kind
unset _NGX_WORKER_PROCESSES _NGX_WORKER_PRIORITY _NGX_WORKER_RLIMIT_NOFILE _NGX_WORKER_CONNECTIONS _NGX_WORKER_AIO_REQUESTS

11
image-entry.d/20-http.envsh
View File

@ -1,17 +1,10 @@
#!/bin/sh
if [ "${NGX_HTTP}" = 0 ] ; then
unset NGX_HTTP_MODULES NGX_HTTP_CONFLOAD NGX_HTTP_CACHES NGX_HTTP_WEBROOT
unset NGX_HTTP_MODULES NGX_HTTP_SNIPPETS
else
unset default_caches
default_caches='client_temp fastcgi_temp proxy_temp scgi_temp uwsgi_temp'
set -a
NGX_HTTP_MODULES="${NGX_HTTP_MODULES:-}"
NGX_HTTP_CONFLOAD="${NGX_HTTP_CONFLOAD:-}"
NGX_HTTP_CACHES=$(sort_dedup_list "${default_caches} ${NGX_HTTP_CACHES:-}")
NGX_HTTP_WEBROOT="${NGX_HTTP_WEBROOT:-/etc/angie/static.d}"
NGX_HTTP_SNIPPETS="${NGX_HTTP_SNIPPETS:-}"
set +a
unset default_caches
fi

44
image-entry.d/21-http-modules.envsh
View File

@ -1,9 +1,9 @@
#!/bin/sh
if [ "${NGX_HTTP}" = 1 ] ; then
unset http_modules http_confload
unset http_modules http_snippets
http_modules=
http_confload="${NGX_HTTP_CONFLOAD:-}"
http_snippets="${NGX_HTTP_SNIPPETS:-}"
if [ -n "${NGX_HTTP_MODULES}" ] ; then
## angie-module-lua: depends on angie-module-ndk
@ -19,16 +19,9 @@ if [ "${NGX_HTTP}" = 1 ] ; then
for i in ${NGX_HTTP_MODULES:-} ; do
[ -n "$i" ] || continue
case "$i" in
*/* | *\** | *\?* )
log_always "module '$i' is not legal, skipping"
continue
;;
esac
if is_builtin_module http "$i" ; then
log "$i is builtin module, moving to NGX_HTTP_CONFLOAD"
http_confload="${http_confload} $i"
log "$i is builtin module, moving to snippets"
http_snippets="${http_snippets} $i"
continue
fi
@ -46,33 +39,8 @@ if [ "${NGX_HTTP}" = 1 ] ; then
set -a
NGX_HTTP_MODULES="${http_modules}"
NGX_HTTP_CONFLOAD=$(sort_dedup_list "${http_confload}")
NGX_HTTP_SNIPPETS=$(sort_dedup_list "${http_snippets}")
set +a
unset http_modules http_confload
## quirk: angie-module-modsecurity
unset NGX_HTTP_WITH_MODSECURITY
NGX_HTTP_WITH_MODSECURITY=0
while : ; do
case " ${NGX_HTTP_MODULES} " in
*" modsecurity "* ) ;;
* ) break ;;
esac
for d in /angie/modules /etc/angie/modules /etc/angie/modules.dist ; do
[ -d "$d" ] || continue
if [ -f "$d/ngx_http_modsecurity_module.so" ] ; then
NGX_HTTP_WITH_MODSECURITY=1
break
fi
done ; unset d
break ; done
export NGX_HTTP_WITH_MODSECURITY
if [ "${NGX_HTTP_WITH_MODSECURITY}" = 1 ] ; then
set -a
NGX_DIRS_MERGE=$(sort_dedup_list "${NGX_DIRS_MERGE} modsecurity")
set +a
fi
unset http_modules http_snippets
fi

32
image-entry.d/22-http-max-ranges.envsh
View File

@ -7,24 +7,22 @@ else
## here should be SANE defaults (!)
_NGX_HTTP_MAX_RANGES=16
if [ -z "${NGX_HTTP_MAX_RANGES:-}" ] ; then
unset NGX_HTTP_MAX_RANGES
else
case "${NGX_HTTP_MAX_RANGES}" in
## allow values within [1;999]
[1-9] | [1-9][0-9] | [1-9][0-9][0-9] ) ;;
0 )
log_always "HTTP: Range/If-Range/Accept-Ranges support is disabled by NGX_HTTP_MAX_RANGES=0"
;;
* )
log_always "NGX_HTTP_MAX_RANGES: unrecognized value: ${NGX_HTTP_MAX_RANGES}"
log_always "setting NGX_HTTP_MAX_RANGES=${_NGX_HTTP_MAX_RANGES}"
NGX_HTTP_MAX_RANGES=${_NGX_HTTP_MAX_RANGES}
;;
esac
[ -n "${NGX_HTTP_MAX_RANGES:-}" ] || NGX_HTTP_MAX_RANGES=${_NGX_HTTP_MAX_RANGES}
case "${NGX_HTTP_MAX_RANGES}" in
"${_NGX_HTTP_MAX_RANGES}" ) ;;
## allow values within [1;999]
[1-9] | [1-9][0-9] | [1-9][0-9][0-9] ) ;;
0 )
log_always "HTTP: Range/If-Range/Accept-Ranges support is disabled by NGX_HTTP_MAX_RANGES=0"
;;
* )
log_always "NGX_HTTP_MAX_RANGES: unrecognized value: ${NGX_HTTP_MAX_RANGES}"
log_always "setting NGX_HTTP_MAX_RANGES=${_NGX_HTTP_MAX_RANGES}"
NGX_HTTP_MAX_RANGES=${_NGX_HTTP_MAX_RANGES}
;;
esac
export NGX_HTTP_MAX_RANGES
fi
export NGX_HTTP_MAX_RANGES
unset _NGX_HTTP_MAX_RANGES
fi

4
image-entry.d/30-mail.envsh
View File

@ -1,10 +1,10 @@
#!/bin/sh
if [ "${NGX_MAIL}" = 0 ] ; then
unset NGX_MAIL_MODULES NGX_MAIL_CONFLOAD
unset NGX_MAIL_MODULES NGX_MAIL_SNIPPETS
else
set -a
NGX_MAIL_MODULES="${NGX_MAIL_MODULES:-}"
NGX_MAIL_CONFLOAD="${NGX_MAIL_CONFLOAD:-}"
NGX_MAIL_SNIPPETS="${NGX_MAIL_SNIPPETS:-}"
set +a
fi

19
image-entry.d/31-mail-modules.envsh
View File

@ -1,25 +1,18 @@
#!/bin/sh
if [ "${NGX_MAIL}" = 1 ] ; then
unset mail_modules mail_confload
unset mail_modules mail_snippets
mail_modules=
mail_confload="${NGX_MAIL_CONFLOAD:-}"
mail_snippets="${NGX_MAIL_SNIPPETS:-}"
## filter out builtin mail modules
unset i
for i in ${NGX_MAIL_MODULES:-} ; do
[ -n "$i" ] || continue
case "$i" in
*/* | *\** | *\?* )
log_always "module '$i' is not legal, skipping"
continue
;;
esac
if is_builtin_module mail "$i" ; then
log "$i is builtin module, moving to NGX_MAIL_CONFLOAD"
mail_confload="${mail_confload} $i"
log "$i is builtin module, moving to snippets"
mail_snippets="${mail_snippets} $i"
continue
fi
@ -37,8 +30,8 @@ if [ "${NGX_MAIL}" = 1 ] ; then
set -a
NGX_MAIL_MODULES="${mail_modules}"
NGX_MAIL_CONFLOAD=$(sort_dedup_list "${mail_confload}")
NGX_MAIL_SNIPPETS=$(sort_dedup_list "${mail_snippets}")
set +a
unset mail_modules mail_confload
unset mail_modules mail_snippets
fi

4
image-entry.d/40-stream.envsh
View File

@ -1,10 +1,10 @@
#!/bin/sh
if [ "${NGX_STREAM}" = 0 ] ; then
unset NGX_STREAM_MODULES NGX_STREAM_CONFLOAD
unset NGX_STREAM_MODULES NGX_STREAM_SNIPPETS
else
set -a
NGX_STREAM_MODULES="${NGX_STREAM_MODULES:-}"
NGX_STREAM_CONFLOAD="${NGX_STREAM_CONFLOAD:-}"
NGX_STREAM_SNIPPETS="${NGX_STREAM_SNIPPETS:-}"
set +a
fi

19
image-entry.d/41-stream-modules.envsh
View File

@ -1,25 +1,18 @@
#!/bin/sh
if [ "${NGX_STREAM}" = 1 ] ; then
unset stream_modules stream_confload
unset stream_modules stream_snippets
stream_modules=
stream_confload="${NGX_STREAM_CONFLOAD:-}"
stream_snippets="${NGX_STREAM_SNIPPETS:-}"
## filter out builtin stream modules
unset i
for i in ${NGX_STREAM_MODULES:-} ; do
[ -n "$i" ] || continue
case "$i" in
*/* | *\** | *\?* )
log_always "module '$i' is not legal, skipping"
continue
;;
esac
if is_builtin_module stream "$i" ; then
log "$i is builtin module, moving to NGX_STREAM_CONFLOAD"
stream_confload="${stream_confload} $i"
log "$i is builtin module, moving to snippets"
stream_snippets="${stream_snippets} $i"
continue
fi
@ -37,8 +30,8 @@ if [ "${NGX_STREAM}" = 1 ] ; then
set -a
NGX_STREAM_MODULES="${stream_modules}"
NGX_STREAM_CONFLOAD=$(sort_dedup_list "${stream_confload}")
NGX_STREAM_SNIPPETS=$(sort_dedup_list "${stream_snippets}")
set +a
unset stream_modules stream_confload
unset stream_modules stream_snippets
fi

Some files were not shown because too many files have changed in this diff Show More