diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml index 09b78ed..6c3c670 100644 --- a/.github/workflows/push.yml +++ b/.github/workflows/push.yml @@ -7,6 +7,9 @@ on: paths-ignore: - 'README.md' +env: + REPOSITORY: nginx + jobs: build: name: Build Testing @@ -25,5 +28,5 @@ jobs: platforms: | linux/amd64 linux/arm64/v8 - cache-to: type=gha, scope=nginx, mode=max - outputs: type=cacheonly + cache-to: type=gha, scope=${{ env.REPOSITORY }}, mode=max + outputs: type=cacheonly \ No newline at end of file diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a532aca..0363be2 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -44,6 +44,6 @@ jobs: platforms: | linux/amd64 linux/arm64/v8 - cache-from: type=gha, scope=nginx + cache-from: type=gha, scope=${{ env.REPOSITORY }} tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} + labels: ${{ steps.meta.outputs.labels }} \ No newline at end of file diff --git a/Dockerfile b/Dockerfile index eae828c..0fcfc7a 100755 --- a/Dockerfile +++ b/Dockerfile @@ -1,39 +1,33 @@ -FROM rust:1.65.0-slim-bullseye AS builder +FROM rust:1.72.0-slim-bookworm AS builder -ARG NGINX_VERSION="1.23.2" +ARG NGINX_VERSION="1.25.2" ARG NGINX_GPG_KEY="13C82A63B603576156E30A4EA0EA981B66B0D967" ARG NGINX_URL="https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz" ARG NGINX_PGP_URL="https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz.asc" -# ARG NGINX_OTHER_PATCH="https://raw.githubusercontent.com/kn007/patch/master/nginx.patch" -# ARG NGINX_USE_OPENSSL_CRYPTO_PATCH="https://raw.githubusercontent.com/kn007/patch/master/use_openssl_md5_sha1.patch" -ARG NGINX_OTHER_WITH_QUIC_PATCH="https://raw.githubusercontent.com/kn007/patch/master/nginx_with_quic.patch" -ARG NGINX_BORINGSSL_OCSP_PATCH="https://raw.githubusercontent.com/kn007/patch/master/Enable_BoringSSL_OCSP.patch" +ARG NGINX_DYNAMIC_TLS_RECORDS_PATCH="https://github.com/kn007/patch/raw/master/nginx_dynamic_tls_records.patch" +ARG NGINX_USE_OPENSSL_CRYPTO_PATCH="https://github.com/kn007/patch/raw/master/use_openssl_md5_sha1.patch" ARG ZLIB_URL="https://github.com/cloudflare/zlib.git" -# ARG OPENSSL_VERSION="1.1.1k" -# ARG OPENSSL_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz" -# ARG OPENSSL_EQUAL_PATCH="https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/openssl-equal-1.1.1e-dev_ciphers.patch" -# ARG OPENSSL_CHACHA_DRAFT_PATCH="https://raw.githubusercontent.com/CarterLi/openssl-patch/master/openssl-1.1.1i-chacha_draft.patch" - -ARG QUICHE_VERSION="0.16.0" -ARG QUICHE_URL="https://github.com/cloudflare/quiche.git" +ARG OPENSSL_VERSION="1.1.1v" +ARG OPENSSL_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz" +ARG OPENSSL_PATCH="https://github.com/kn007/patch/raw/master/openssl-1.1.1.patch" ARG PCRE_VERSION="8.45" ARG PCRE_URL="https://downloads.sourceforge.net/project/pcre/pcre/${PCRE_VERSION}/pcre-${PCRE_VERSION}.tar.gz" -ARG LIBATOMIC_VERSION="7.6.14" +ARG LIBATOMIC_VERSION="7.8.0" ARG LIBATOMIC_URL="https://github.com/ivmai/libatomic_ops/releases/download/v${LIBATOMIC_VERSION}/libatomic_ops-${LIBATOMIC_VERSION}.tar.gz" ARG MODULE_BROTLI_URL="https://github.com/google/ngx_brotli.git" -ARG MODULE_STICKY_URL="https://github.com/dvershinin/nginx-sticky-module-ng.git" +ARG MODULE_STICKY_URL="https://github.com/liberatti/nginx-sticky-module-ng.git" ARG MODULE_HEADERS_MORE_VERSION="0.34" ARG MODULE_HEADERS_MORE_URL="https://github.com/openresty/headers-more-nginx-module/archive/refs/tags/v${MODULE_HEADERS_MORE_VERSION}.tar.gz" -ARG MODULE_HTTP_FLV_VERSION="1.2.10" +ARG MODULE_HTTP_FLV_VERSION="1.2.11" ARG MODULE_HTTP_FLV_URL="https://github.com/winshining/nginx-http-flv-module/archive/refs/tags/v${MODULE_HTTP_FLV_VERSION}.tar.gz" ARG MODULE_FANCYINDEX_VERSION="0.5.2" @@ -86,22 +80,14 @@ RUN set -eux \ cd zlib/; \ make -f Makefile.in distclean \ ) \ - # \ - # OpenSSL - # && wget -O openssl-${OPENSSL_VERSION}.tar.gz ${OPENSSL_URL} \ - # && tar -xzvf openssl-${OPENSSL_VERSION}.tar.gz \ - # && ( \ - # cd openssl-${OPENSSL_VERSION}/; \ - # wget -O - ${OPENSSL_EQUAL_PATCH} | patch -p1; \ - # wget -O - ${OPENSSL_CHACHA_DRAFT_PATCH} | patch -p1 \ - # ) \ \ - # quiche - && git clone --branch ${QUICHE_VERSION} --depth=1 --recurse-submodules --shallow-submodules ${QUICHE_URL} \ - # fix Cargo OOM - && mkdir -p ~/.cargo/ \ - && echo '[net]' > ~/.cargo/config \ - && echo 'git-fetch-with-cli = true' >> ~/.cargo/config \ + # OpenSSL + && wget -O openssl-${OPENSSL_VERSION}.tar.gz ${OPENSSL_URL} \ + && tar -xzvf openssl-${OPENSSL_VERSION}.tar.gz \ + && ( \ + cd openssl-${OPENSSL_VERSION}/; \ + wget -O - ${OPENSSL_PATCH} | patch -p1 \ + ) \ \ # PCRE && wget -O pcre-${PCRE_VERSION}.tar.gz ${PCRE_URL} \ @@ -122,6 +108,11 @@ RUN set -eux \ \ # nginx-sticky-module-ng && git clone --depth 1 ${MODULE_STICKY_URL} \ + && ( \ + # fix SHA_CBLOCK redefined + cd nginx-sticky-module-ng; \ + sed -i '/#define SHA_CBLOCK/d' ngx_http_sticky_misc.c \ + ) \ \ # headers-more-nginx && wget -O headers-more-nginx-module-${MODULE_HEADERS_MORE_VERSION}.tar.gz ${MODULE_HEADERS_MORE_URL} \ @@ -145,10 +136,8 @@ RUN set -eux \ RUN set -eux \ && cd /usr/src/nginx-${NGINX_VERSION}/ \ \ - # && wget -O - ${NGINX_OTHER_PATCH} | patch -p1 \ - # && wget -O - ${NGINX_USE_OPENSSL_CRYPTO_PATCH} | patch -p1 \ - && wget -O - ${NGINX_OTHER_WITH_QUIC_PATCH} | patch -p1 \ - && wget -O - ${NGINX_BORINGSSL_OCSP_PATCH} | patch -p1 \ + && wget -O - ${NGINX_DYNAMIC_TLS_RECORDS_PATCH} | patch -p1 \ + && wget -O - ${NGINX_USE_OPENSSL_CRYPTO_PATCH} | patch -p1 \ \ && ./configure \ --prefix=/etc/nginx \ @@ -168,6 +157,7 @@ RUN set -eux \ --group=nginx \ --with-http_ssl_module \ --with-http_v2_module \ + --with-http_v3_module \ --with-http_realip_module \ --with-http_addition_module \ --with-http_sub_module \ @@ -197,10 +187,8 @@ RUN set -eux \ --with-ld-opt="-Wl,-z,relro -Wl,-z,now -fPIC -ljemalloc -lrt" \ --with-cc-opt="-O3 -g -DTCP_FASTOPEN=23 -ffast-math -flto -fuse-ld=gold -fstack-protector-strong --param=ssp-buffer-size=4 -Wformat -Werror=format-security -fPIC -Wp,-D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations" \ --with-zlib=/usr/src/nginx-${NGINX_VERSION}/zlib \ - # --with-openssl=/usr/src/nginx-${NGINX_VERSION}/openssl-${OPENSSL_VERSION} \ - # --with-openssl-opt="zlib enable-weak-ssl-ciphers enable-ec_nistp_64_gcc_128 -ljemalloc -Wl,-flto" \ - --with-openssl=/usr/src/nginx-${NGINX_VERSION}/quiche/quiche/deps/boringssl \ - --with-quiche=/usr/src/nginx-${NGINX_VERSION}/quiche \ + --with-openssl=/usr/src/nginx-${NGINX_VERSION}/openssl-${OPENSSL_VERSION} \ + --with-openssl-opt="zlib enable-weak-ssl-ciphers enable-ec_nistp_64_gcc_128 -ljemalloc -Wl,-flto" \ --with-pcre=/usr/src/nginx-${NGINX_VERSION}/pcre-${PCRE_VERSION} \ --with-pcre-jit \ --with-libatomic=/usr/src/nginx-${NGINX_VERSION}/libatomic_ops-${LIBATOMIC_VERSION} \ @@ -211,8 +199,6 @@ RUN set -eux \ --add-module=/usr/src/nginx-${NGINX_VERSION}/ngx-fancyindex-${MODULE_FANCYINDEX_VERSION} \ --add-module=/usr/src/nginx-${NGINX_VERSION}/ngx_http_substitutions_filter_module \ --add-module=/usr/src/nginx-${NGINX_VERSION}/ngx_http_geoip2_module-${MODULE_GEOIP2_VERSION} \ - --with-http_v2_hpack_enc \ - --with-http_v3_module \ && make -j $(nproc) \ && make install \ \ @@ -233,7 +219,7 @@ COPY config/logrotate /etc/nginx/logrotate ###### -FROM debian:bullseye-slim +FROM debian:bookworm-slim COPY --from=builder /usr/sbin/nginx /usr/sbin/nginx COPY --from=builder /etc/nginx/ /etc/nginx/ @@ -275,4 +261,4 @@ EXPOSE 443/udp STOPSIGNAL SIGQUIT -CMD ["nginx", "-g", "daemon off;"] +CMD ["nginx", "-g", "daemon off;"] \ No newline at end of file diff --git a/README.md b/README.md index 91813f6..76e4310 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,7 @@

- + @@ -36,4 +36,4 @@ $ docker pull ghcr.io/akafeng/nginx ### Thanks - [@metowolf](http://github.com/metowolf) -- [@kn007](https://github.com/kn007) +- [@kn007](https://github.com/kn007) \ No newline at end of file diff --git a/config/logrotate b/config/logrotate index a191c13..5ca585d 100755 --- a/config/logrotate +++ b/config/logrotate @@ -12,4 +12,4 @@ kill -USR1 `cat /var/run/nginx.pid` fi endscript -} +} \ No newline at end of file diff --git a/config/nginx.conf b/config/nginx.conf index 3d3d757..211c419 100755 --- a/config/nginx.conf +++ b/config/nginx.conf @@ -55,4 +55,4 @@ http { brotli_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript image/svg+xml; include /etc/nginx/conf.d/*.conf; -} +} \ No newline at end of file diff --git a/config/nginx.vhost.default.conf b/config/nginx.vhost.default.conf index f2281d0..4c24cf7 100755 --- a/config/nginx.vhost.default.conf +++ b/config/nginx.vhost.default.conf @@ -6,4 +6,4 @@ server { index index.html index.htm; error_page 500 502 503 504 /50x.html; -} +} \ No newline at end of file diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 204a2e9..5c136c2 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -10,4 +10,4 @@ if [ "${1#-}" != "$1" ]; then set -- nginx "$@" fi -exec "$@" +exec "$@" \ No newline at end of file