Basic setup for Nginx with Lua

In order to achieve the goal of gett ssl certs from Letsencrypt.

This docker image has been put together

Dockerfile

@@ -0,0 +1,66 @@
+# Start with a base Ubuntu 14:04 image
+FROM ubuntu:trusty
+
+MAINTAINER Ikenna N. Okpala <[email protected]>
+
+# Set up user environment
+
+# Two users are defined one created by nginx and the other the host. This is for security reason www-data is configure accordingly with login disabled:
+# sudo adduser --system --no-create-home --user-group --disabled-login --disabled-password www-data
+#sudo adduser --system --no-create-home --user-group -s /sbin/nologin www-data
+
+# Check before upgrade lua here https://github.com/openresty/lua-nginx-module#installation
+
+ENV MY_USER=gfb WEB_USER=www-data DEBIAN_FRONTEND=noninteractive GFB_SCHEME=https SERVER_URLS="globalfoodbook.com www.globalfoodbook.com globalfoodbook.net www.globalfoodbook.net globalfoodbook.org www.globalfoodbook.org globalfoodbook.co.uk www.globalfoodbook.co.uk" LOCAL_HOST_IP=0.0.0.0 LANG=en_US.UTF-8 LANGUAGE=en_US.en LC_ALL=en_US.UTF-8 NGINX_VERSION=1.9.15 OPENRESTY_VERSION=1.9.15.1  OPENRESTY_PATH=/etc/openresty LUAROCKS_VERSION=2.3.0 LUA_MAIN_VERSION=5.1 RESTY_AUTO_SSL_PATH=/etc/resty-auto-ssl OPENSSL_VERSION=1.0.2h SSL_ROOT=/etc/ssl LUAJIT_VERSION=2.1 LUA_SUFFIX=jit-2.1.0-beta2
+
+ENV OPENRESTY_PATH_PREFIX=${OPENRESTY_PATH}/ngxl NGINX_USER=${MY_USER} HOME=/home/${MY_USER}
+ENV NGINX_PATH_PREFIX=${OPENRESTY_PATH_PREFIX}/nginx
+ENV LUAJIT_ROOT=${OPENRESTY_PATH_PREFIX}/luajit NGINX_LOG_PATH=${NGINX_PATH_PREFIX}/logs NGINX_CONF_PATH=${NGINX_PATH_PREFIX}/conf USER_TEMPLATES_PATH=${HOME}/templates
+ENV NGINX_USER_CONF_PATH=${NGINX_CONF_PATH}/${MY_USER} OPENSSL_ROOT=${NGINX_PATH_PREFIX}/openssl-${OPENSSL_VERSION} NGINX_USER_LOG_PATH=${NGINX_LOG_PATH}/${MY_USER} PATH="${PATH}:${OPENRESTY_PATH}/bin:${NGINX_PATH_PREFIX}/sbin:${NGINX_PATH_PREFIX}/bin:${LUAJIT_ROOT}/bin" LUAJIT_PACKAGE_PATH=${LUAJIT_ROOT}/share/lua/${LUA_MAIN_VERSION}
+
+ENV NGINX_FLAGS="--with-file-aio --with-ipv6 --with-http_ssl_module  --with-luajit-xcflags=-DLUAJIT_ENABLE_LUA52COMPAT --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_image_filter_module --with-http_geoip_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_stub_status_module --with-http_perl_module --with-mail --with-mail_ssl_module --with-pcre --with-google_perftools_module --with-debug --with-openssl=${OPENSSL_ROOT} --with-md5=${OPENSSL_ROOT} --with-md5-asm --with-sha1=${OPENSSL_ROOT}" PS_NGX_EXTRA_FLAGS="--with-cc=/usr/bin/gcc --with-ld-opt=-static-libstdc++"
+
+RUN adduser --disabled-password --gecos "" $MY_USER && echo "$MY_USER ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
+
+USER $MY_USER
+
+# Add all base dependencies
+RUN sudo apt-get update -y && sudo apt-get install -y build-essential \
+  checkinstall language-pack-en-base musl-dev \
+  vim curl tmux wget unzip libnotify-dev imagemagick libmagickwand-dev \
+  libfuse-dev libcurl4-openssl-dev mime-support automake libtool \
+  python-docutils libreadline-dev libxslt1-dev libgd2-xpm-dev libgeoip-dev \
+  libgoogle-perftools-dev libperl-dev pkg-config libssl-dev git-core \
+  libgmp-dev zlib1g-dev libxslt-dev libxml2-dev libpcre3 libpcre3-dev \
+  freetds-dev openjdk-7-jdk software-properties-common libstdc++-4.8-dev \
+  && sudo mkdir -p ${OPENSSL_ROOT} ${NGINX_USER_CONF_PATH}/enabled ${NGINX_USER_CONF_PATH}/configs ${NGINX_USER_CONF_PATH}/lua ${USER_TEMPLATES_PATH}/enabled ${USER_TEMPLATES_PATH}/configs ${USER_TEMPLATES_PATH}/conf ${USER_TEMPLATES_PATH}/lua ${NGX_PAGESPEED_PATH} ${NGINX_LOG_PATH} ${NGINX_USER_LOG_PATH}
+
+ADD templates/nginx/init.sh /etc/init.d/nginx
+ADD templates/entrypoint.sh /etc/entrypoint.sh
+
+RUN /bin/bash -l -c "sudo wget https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz -O ${NGINX_PATH_PREFIX}/openssl-${OPENSSL_VERSION}.tar.gz && sudo tar -xzvf ${NGINX_PATH_PREFIX}/openssl-${OPENSSL_VERSION}.tar.gz -C ${NGINX_PATH_PREFIX}/" \
+  && /bin/bash -l -c "sudo wget https://openresty.org/download/openresty-${OPENRESTY_VERSION}.tar.gz -O /etc/openresty-${OPENRESTY_VERSION}.tar.gz && sudo tar -xzvf /etc/openresty-${OPENRESTY_VERSION}.tar.gz -C /etc && cd /etc/openresty-${OPENRESTY_VERSION} && sudo ./configure --prefix=${OPENRESTY_PATH_PREFIX} ${PS_NGX_EXTRA_FLAGS} ${NGINX_FLAGS} && sudo make && sudo make install && sudo ln -sf ${LUAJIT_ROOT}/bin/${LUA_SUFFIX} ${LUAJIT_ROOT}/bin/lua && sudo ln -sf ${LUAJIT_ROOT}/bin/lua /usr/local/bin/lua" \
+  && /bin/bash -l -c "sudo wget https://github.com/keplerproject/luarocks/archive/v${LUAROCKS_VERSION}.tar.gz -O ${OPENRESTY_PATH}/v${LUAROCKS_VERSION}.tar.gz && sudo tar -xzvf ${OPENRESTY_PATH}/v${LUAROCKS_VERSION}.tar.gz -C ${OPENRESTY_PATH} && cd ${OPENRESTY_PATH}/luarocks-${LUAROCKS_VERSION} && sudo ./configure --prefix=${LUAJIT_ROOT} --with-lua=${LUAJIT_ROOT} --lua-suffix=${LUA_SUFFIX} --sysconfdir=${LUAJIT_ROOT}/luarocks --with-lua-lib=${LUAJIT_ROOT}/lib --with-lua-include=${LUAJIT_ROOT}/include/luajit-${LUAJIT_VERSION} --force-config && sudo make build && sudo make install && sudo ${LUAJIT_ROOT}/bin/luarocks install lua-resty-auto-ssl && sudo mkdir -p ${RESTY_AUTO_SSL_PATH} && sudo chown -R ${NGINX_USER}:${NGINX_USER} ${RESTY_AUTO_SSL_PATH} && sudo chown -R ${NGINX_USER}:${NGINX_USER} ${OPENRESTY_PATH} && sudo rm -rf ${OPENRESTY_PATH}/*.zip  ${OPENRESTY_PATH}/*.tar.gz ${NGINX_CONF_PATH}/*.tar.gz ${NGINX_CONF_PATH}/*.zip ${NGINX_USER_CONF_PATH}/*.tar.gz ${NGINX_USER_CONF_PATH}/*.zip ${OPENRESTY_PATH}/luarocks-${LUAROCKS_VERSION} /etc/openresty-*" \
+  # && sudo sed -i s"/if exit_code == 0 then/if exit_code == 0 or exit_code == true then/" "${LUAJIT_PACKAGE_PATH}/resty/auto-ssl/utils/start_sockproc.lua" \
+  && sudo openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 \
+  -subj '/CN=sni-support-required-for-valid-ssl' \
+  -keyout ${SSL_ROOT}/resty-auto-ssl-fallback.key \
+  -out ${SSL_ROOT}/resty-auto-ssl-fallback.crt \
+  && sudo cp ${NGINX_CONF_PATH}/nginx.conf ${NGINX_CONF_PATH}/nginx.conf.default \
+  && /bin/bash -l -c "sudo chmod +x /etc/init.d/nginx && sudo update-rc.d nginx defaults" \
+  && /bin/bash -l -c "sudo echo 'Europe/London' | sudo tee /etc/timezone && sudo dpkg-reconfigure --frontend $DEBIAN_FRONTEND tzdata" \
+  && sudo chmod +x /etc/entrypoint.sh
+
+ADD templates/nginx/conf/*.conf ${USER_TEMPLATES_PATH}/conf/
+ADD templates/nginx/enabled/*.conf ${USER_TEMPLATES_PATH}/enabled/
+ADD templates/nginx/configs/*.conf ${USER_TEMPLATES_PATH}/configs/
+ADD templates/nginx/lua/* ${USER_TEMPLATES_PATH}/lua/
+
+WORKDIR ~/
+
+EXPOSE 80
+EXPOSE 443
+
+# Setup the entrypoint
+ENTRYPOINT ["/bin/bash", "-l", "-c"]
+CMD ["/etc/entrypoint.sh"]

templates/entrypoint.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+
+# set -e
+# set -x
+
+export WP_HOST_IP=`awk 'NR==1 {print $1}' /etc/hosts`
+export GFB_PIPED_DOMAINS=`echo ${SERVER_URLS}|awk '{gsub (" ", "\|",$0); print}'`
+
+sudo cp ${USER_TEMPLATES_PATH}/configs/*.conf ${NGINX_USER_CONF_PATH}/configs;
+sudo cp ${USER_TEMPLATES_PATH}/enabled/*.conf ${NGINX_USER_CONF_PATH}/enabled;
+sudo cp ${USER_TEMPLATES_PATH}/conf/*.conf ${NGINX_CONF_PATH};
+sudo cp ${USER_TEMPLATES_PATH}/lua/*.conf ${NGINX_USER_CONF_PATH}/lua;
+
+for name in NGINX_USER NGINX_PATH_PREFIX SERVER_URLS MY_USER GFB_PIPED_DOMAINS LUA_ROOT_PATH LUAJIT_ROOT LUA_MAIN_VERSION SSL_ROOT NGINX_USER_CONF_PATH NGINX_CONF_PATH NGINX_LOG_PATH NGINX_USER_LOG_PATH VARNISH_PORT_80_TCP_ADDR VARNISH_PORT_80_TCP_PORT LUAJIT_PACKAGE_PATH
+do
+    eval value=\$$name;
+    sudo sed -i "s|\${${name}}|${value}|g" ${NGINX_CONF_PATH}/nginx.conf;
+    sudo sed -i "s|\${${name}}|${value}|g" ${NGINX_USER_CONF_PATH}/lua/default.conf;
+    sudo sed -i "s|\${${name}}|${value}|g" ${NGINX_USER_CONF_PATH}/configs/default.conf;
+    sudo sed -i "s|\${${name}}|${value}|g" ${NGINX_USER_CONF_PATH}/enabled/80.conf;
+    sudo sed -i "s|\${${name}}|${value}|g" ${NGINX_USER_CONF_PATH}/enabled/443.conf;
+done
+
+sudo ln -s ${NGINX_USER_CONF_PATH}/configs/${GFB_SCHEME}.conf ${NGINX_USER_CONF_PATH}/configs/scheme.conf
+
+echo -e Environment variables setup completed;
+sudo service nginx start > /dev/null 2>&1 &
+
+echo -e Ngnix start up is complete;
+
+sudo touch ${NGINX_USER_LOG_PATH}/access.log ${NGINX_USER_LOG_PATH}/error.log ${NGINX_LOG_PATH}/access.log ${NGINX_LOG_PATH}/error.log
+sudo tail -F ${NGINX_USER_LOG_PATH}/access.log ${NGINX_USER_LOG_PATH}/error.log ${NGINX_LOG_PATH}/access.log ${NGINX_LOG_PATH}/error.log

templates/nginx/conf/nginx.conf

@@ -0,0 +1,96 @@
+daemon off;
+user ${NGINX_USER};
+worker_processes 7;
+
+events {
+	worker_connections 1024;
+	# multi_accept on;
+}
+
+http {
+
+	##
+	# SSL configuration setup
+	##
+
+	include ${NGINX_USER_CONF_PATH}/lua/*;
+
+	##
+	# Basic Settings
+	##
+
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+	keepalive_timeout 65;
+	types_hash_max_size 2048;
+  server_tokens off;
+
+	##
+	# Timeout Settings
+	##
+
+	proxy_connect_timeout  3000s;
+	proxy_send_timeout  3000s;
+	proxy_read_timeout  3000s;
+	client_header_timeout 3000;
+	client_body_timeout 3000;
+	fastcgi_read_timeout 3000;
+	fastcgi_send_timeout 3000;
+	fastcgi_connect_timeout 3000;
+
+	##
+	# Buffer Settings
+	##
+
+	client_max_body_size 400m;
+	fastcgi_buffers 16 128k;
+	fastcgi_buffer_size 128k;
+	proxy_buffers 16 128k;
+	proxy_buffer_size 128k;
+
+	##
+	# Stream Settings
+	##
+
+	include ${NGINX_CONF_PATH}/mime.types;
+	default_type application/octet-stream;
+
+	##
+	# Logging Settings
+	##
+
+	access_log ${NGINX_LOG_PATH}/access.log;
+	error_log ${NGINX_LOG_PATH}/error.log;
+
+	##
+	# Make use of Environment via Perl Module
+	##
+
+	# perl_set $my_user 'sub { return $ENV{"MY_USER"}; }';
+
+	##
+	# Gzip Settings
+	##
+	gzip  on;
+	#gzip_disable "MSIE [1-6]\.(?!.*SV1)";
+
+	gzip_comp_level 9;
+	gzip_http_version 1.1;
+	gzip_proxied any;
+	gzip_min_length 10;
+	gzip_buffers 16 8k;
+	#gzip_types text/plain text/css application/javascript text/xml application/xml application/xml+rss text/javascript application/xhtml+xml;
+	gzip_types text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon;
+
+	# Disable for IE < 6 because there are some known problems
+	gzip_disable “MSIE [1-6].(?!.*SV1)”;
+
+	# Add a vary header for downstream proxies to avoid sending cached gzipped files to IE6
+	gzip_vary on;
+
+	##
+	# Virtual Host Configs
+	##
+	include ${NGINX_USER_CONF_PATH}/enabled/*;
+}

templates/nginx/configs/default.conf

@@ -0,0 +1,26 @@
+server_name ${SERVER_URLS};
+access_log ${NGINX_USER_LOG_PATH}/access.log;
+error_log ${NGINX_USER_LOG_PATH}/error.log;
+error_page 404 = /error/404;
+port_in_redirect off;
+
+rewrite ^/recipe-items/(.*)$ /recipes/$1 permanent;
+rewrite ^(/de/detail/)(.*)$ http:// permanent;
+rewrite ^/sitemapindex\.xml$ /index.php?sitemap=1 last;
+rewrite ^/([^/]+?)_part([0-9]+)?\.xml$ /index.php?sitemap=$1&sitemap_n=$2 last;
+rewrite ^/([^/]+?)\.xml$ /index.php?sitemap=$1 last;
+rewrite ^/sitemap(-+([a-zA-Z0-9_-]+))?\.xml$ "/index.php?xml_sitemap=params=$2" last;
+rewrite ^/sitemap(-+([a-zA-Z0-9_-]+))?\.xml\.gz$ "/index.php?xml_sitemap=params=$2; zip=true" last;
+rewrite ^/sitemap(-+([a-zA-Z0-9_-]+))?\.html$ "/index.php?xml_sitemap=params=$2;html=true" last;
+rewrite ^/sitemap(-+([a-zA-Z0-9_-]+))?\.html.gz$ "/index.php?xml_sitemap=params=$2;html=true;zip=true" last;
+expires 30d;
+
+location / {
+  include ${NGINX_USER_CONF_PATH}/configs/scheme.conf;
+  proxy_pass http://${VARNISH_PORT_80_TCP_ADDR}:${VARNISH_PORT_80_TCP_PORT};
+  proxy_set_header X-Real-IP  $remote_addr;
+  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+  proxy_set_header X-Forwarded-Proto https;
+  proxy_set_header X-Forwarded-Port 443;
+  proxy_set_header Host $host;
+}

templates/nginx/configs/http.conf

@@ -0,0 +1,3 @@
+if ($scheme = https) {
+  return 301 http://$host$request_uri;
+}

templates/nginx/configs/https.conf

@@ -0,0 +1,5 @@
+rewrite_by_lua_block {
+  if ngx.var.scheme == "http" and ngx.var.request_uri:match("^/.well%-known.*$") == nil then
+    return ngx.redirect("https://"..ngx.var.host..ngx.var.request_uri, 301);
+  end
+}

templates/nginx/enabled/443.conf

@@ -0,0 +1,12 @@
+server {
+  listen 443 ssl;
+
+  # Dynamic handler for issuing or returning certs for SNI domains.
+  ssl_certificate_by_lua_block {
+    auto_ssl:ssl_certificate()
+  }
+  ssl_certificate ${SSL_ROOT}/resty-auto-ssl-fallback.crt;
+  ssl_certificate_key ${SSL_ROOT}/resty-auto-ssl-fallback.key;
+
+  include ${NGINX_USER_CONF_PATH}/configs/default.conf;
+}

templates/nginx/enabled/80.conf

@@ -0,0 +1,22 @@
+server {
+  listen 80;
+
+  location ^~ /.well-known/ {
+    access_log           off;
+    log_not_found        off;
+    auth_basic           off;
+    root                 /var/www/html;
+    autoindex            off;
+    allow                all;
+    index                index.html; # "no-such-file.txt",if expected protos don't need it
+    try_files            $uri $uri/ =404;
+  }
+
+  # Endpoint used for performing domain verification with Let's Encrypt.
+  location /.well-known/acme-challenge/ {
+    content_by_lua_block {
+      auto_ssl:challenge_server()
+    }
+  }
+  include ${NGINX_USER_CONF_PATH}/configs/default.conf;
+}