fix conf

noogen · noogen · commit 576bde7ebe4f · 2017-07-18T16:02:03.000-05:00
diff --git a/Dockerfile b/Dockerfile
@@ -58,10 +58,20 @@ ADD ./files /
 RUN \
 # generate fake ssl for server conf, allow for replacing it later
     bash /root/bin/placeholder-ssl.sh \
-    && chown -R www-data:www-data /var/log/nginx
+
+# redirect /etc/nginx
+    && mv /etc/nginx   /app-start/etc/nginx \
+    && rm -rf /etc/nginx \
+    && ln -s /app/etc/nginx /etc/nginx \
+
+# redirect logs
+    && mkdir -p /app-start/var/log \
+    && mv /var/log/nginx   /app-start/var/log/nginx \
+    && rm -rf /var/log/nginx \
+    && ln -s /app/var/log/nginx /var/log/nginx
 
 EXPOSE 80 443
 
-VOLUME ["/etc/nginx"]
+VOLUME ["/app"]
 
 CMD ["/sbin/my_init"]
diff --git a/files/etc/my_init.d/startup.sh b/files/etc/my_init.d/startup.sh
@@ -5,6 +5,11 @@ export TERM=xterm
 # save environment variables for use later
 env > /root/env.txt
 
+if [ -z "`ls /app --hide='lost+found'`" ]
+then
+    rsync -a /app-start/* /app
+fi
+
 mkdir -p /tmp/nginx/cache
 chown -R www-data:nginx /tmp/nginx
 
diff --git a/files/etc/nginx/cdn.conf b/files/etc/nginx/cdn.conf
@@ -0,0 +1,64 @@
+# this is example how to you can setup like a cdn
+proxy_cache_path /tmp/nginx/cache levels=1:2 keys_zone=cdn_diskcached:10m max_size=5g inactive=45m;
+
+server {
+    listen 80;
+    listen [::]:80 ipv6only=on;
+
+    listen 443 ssl;
+    listen [::]:443 ipv6only=on ssl;
+
+    ssl_stapling                     on;
+    ssl_stapling_verify              on;
+
+    ssl_certificate                  /etc/nginx/ssl/placeholder-fullchain.crt;
+    ssl_certificate_key              /etc/nginx/ssl/placeholder-privkey.key;
+
+    resolver                         8.8.8.8 8.8.4.4;
+    proxy_redirect                   off;
+    proxy_set_header                 X-Real-IP       $remote_addr;
+    proxy_set_header                 X-Forwarded-For $proxy_add_x_forwarded_for;
+
+    proxy_connect_timeout            30s;
+    proxy_send_timeout               30s;
+    proxy_read_timeout               30s;
+    proxy_temp_path                  /var/cache/nginx/temp;
+
+    # prevent client headers from going to origin
+    proxy_pass_request_headers       off;
+
+    proxy_ignore_headers             Vary Expires Set-Cookie Cache-Control;
+    proxy_pass_header                P3P;
+    proxy_cache_min_uses             2;
+    proxy_cache                      cdn_diskcached;
+    proxy_ssl_server_name            on;
+    proxy_intercept_errors           on;
+
+    location / {
+        expires 12h;
+
+        # ProxySettings
+
+        set $backend your.origin.com;
+
+        proxy_set_header             Host $backend;
+        proxy_hide_header            access-control-allow-origin;
+        add_header                   Access-Control-Allow-Origin "*";
+        add_header                   X-Cache $upstream_cache_status;
+
+        proxy_set_header             X-Forwarded-For $remote_addr;
+
+        include                      /etc/nginx/sites-enabled/proxy-hide-headers.common;
+
+        proxy_pass                   http://$backend$request_uri;
+        proxy_pass_header            P3P;
+        proxy_cache_min_uses         2;
+        proxy_cache_valid            200 12h;
+        proxy_cache_valid            403 404 500 501 502 503 5s;
+
+        proxy_cache_key              acme.mycachedefault$uri$is_args$args;
+        # END ProxySettings
+    }
+}
+
+
diff --git a/files/etc/nginx/nginx.new b/files/etc/nginx/nginx.new
@@ -75,7 +75,7 @@ http {
 
     # SSL PCI Compliance
     ssl_session_cache               shared:SSL:10m;
-    ssl_protocols                   TLSv1.0 TLSv1.1 TLSv1.2; # remove TLSv1.0 for PCI-DSS compliance
+    ssl_protocols                   TLSv1 TLSv1.1 TLSv1.2; # remove TLSv1 for PCI-DSS compliance
     ssl_prefer_server_ciphers       on;
     ssl_ciphers                     "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK";
 
