diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..a2ac922
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,66 @@
+# Start with a base Ubuntu 14:04 image
+FROM ubuntu:trusty
+
+MAINTAINER Ikenna N. Okpala
+
+# Set up user environment
+
+# Two users are defined one created by nginx and the other the host. This is for security reason www-data is configure accordingly with login disabled:
+# sudo adduser --system --no-create-home --user-group --disabled-login --disabled-password www-data
+#sudo adduser --system --no-create-home --user-group -s /sbin/nologin www-data
+
+# Check before upgrade lua here https://github.com/openresty/lua-nginx-module#installation
+
+ENV MY_USER=gfb WEB_USER=www-data DEBIAN_FRONTEND=noninteractive GFB_SCHEME=https SERVER_URLS="globalfoodbook.com www.globalfoodbook.com globalfoodbook.net www.globalfoodbook.net globalfoodbook.org www.globalfoodbook.org globalfoodbook.co.uk www.globalfoodbook.co.uk" LOCAL_HOST_IP=0.0.0.0 LANG=en_US.UTF-8 LANGUAGE=en_US.en LC_ALL=en_US.UTF-8 NGINX_VERSION=1.9.15 OPENRESTY_VERSION=1.9.15.1 OPENRESTY_PATH=/etc/openresty LUAROCKS_VERSION=2.3.0 LUA_MAIN_VERSION=5.1 RESTY_AUTO_SSL_PATH=/etc/resty-auto-ssl OPENSSL_VERSION=1.0.2h SSL_ROOT=/etc/ssl LUAJIT_VERSION=2.1 LUA_SUFFIX=jit-2.1.0-beta2
+
+ENV OPENRESTY_PATH_PREFIX=${OPENRESTY_PATH}/ngxl NGINX_USER=${MY_USER} HOME=/home/${MY_USER}
+ENV NGINX_PATH_PREFIX=${OPENRESTY_PATH_PREFIX}/nginx
+ENV LUAJIT_ROOT=${OPENRESTY_PATH_PREFIX}/luajit NGINX_LOG_PATH=${NGINX_PATH_PREFIX}/logs NGINX_CONF_PATH=${NGINX_PATH_PREFIX}/conf USER_TEMPLATES_PATH=${HOME}/templates
+ENV NGINX_USER_CONF_PATH=${NGINX_CONF_PATH}/${MY_USER} OPENSSL_ROOT=${NGINX_PATH_PREFIX}/openssl-${OPENSSL_VERSION} NGINX_USER_LOG_PATH=${NGINX_LOG_PATH}/${MY_USER} PATH="${PATH}:${OPENRESTY_PATH}/bin:${NGINX_PATH_PREFIX}/sbin:${NGINX_PATH_PREFIX}/bin:${LUAJIT_ROOT}/bin" LUAJIT_PACKAGE_PATH=${LUAJIT_ROOT}/share/lua/${LUA_MAIN_VERSION}
+
+ENV NGINX_FLAGS="--with-file-aio --with-ipv6 --with-http_ssl_module --with-luajit-xcflags=-DLUAJIT_ENABLE_LUA52COMPAT --with-http_realip_module --with-http_addition_module 
--with-http_xslt_module --with-http_image_filter_module --with-http_geoip_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_stub_status_module --with-http_perl_module --with-mail --with-mail_ssl_module --with-pcre --with-google_perftools_module --with-debug --with-openssl=${OPENSSL_ROOT} --with-md5=${OPENSSL_ROOT} --with-md5-asm --with-sha1=${OPENSSL_ROOT}" PS_NGX_EXTRA_FLAGS="--with-cc=/usr/bin/gcc --with-ld-opt=-static-libstdc++"
+
+RUN adduser --disabled-password --gecos "" $MY_USER && echo "$MY_USER ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
+
+USER $MY_USER
+
+# Add all base dependencies
+RUN sudo apt-get update -y && sudo apt-get install -y build-essential \
+ checkinstall language-pack-en-base musl-dev \
+ vim curl tmux wget unzip libnotify-dev imagemagick libmagickwand-dev \
+ libfuse-dev libcurl4-openssl-dev mime-support automake libtool \
+ python-docutils libreadline-dev libxslt1-dev libgd2-xpm-dev libgeoip-dev \
+ libgoogle-perftools-dev libperl-dev pkg-config libssl-dev git-core \
+ libgmp-dev zlib1g-dev libxslt-dev libxml2-dev libpcre3 libpcre3-dev \
+ freetds-dev openjdk-7-jdk software-properties-common libstdc++-4.8-dev \
+ && sudo mkdir -p ${OPENSSL_ROOT} ${NGINX_USER_CONF_PATH}/enabled ${NGINX_USER_CONF_PATH}/configs ${NGINX_USER_CONF_PATH}/lua ${USER_TEMPLATES_PATH}/enabled ${USER_TEMPLATES_PATH}/configs ${USER_TEMPLATES_PATH}/conf ${USER_TEMPLATES_PATH}/lua ${NGX_PAGESPEED_PATH} ${NGINX_LOG_PATH} ${NGINX_USER_LOG_PATH}
+
+ADD templates/nginx/init.sh /etc/init.d/nginx
+ADD templates/entrypoint.sh /etc/entrypoint.sh
+
+RUN /bin/bash -l -c "sudo wget https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz -O ${NGINX_PATH_PREFIX}/openssl-${OPENSSL_VERSION}.tar.gz && sudo tar -xzvf ${NGINX_PATH_PREFIX}/openssl-${OPENSSL_VERSION}.tar.gz 
-C ${NGINX_PATH_PREFIX}/" \
+ && /bin/bash -l -c "sudo wget https://openresty.org/download/openresty-${OPENRESTY_VERSION}.tar.gz -O /etc/openresty-${OPENRESTY_VERSION}.tar.gz && sudo tar -xzvf /etc/openresty-${OPENRESTY_VERSION}.tar.gz -C /etc && cd /etc/openresty-${OPENRESTY_VERSION} && sudo ./configure --prefix=${OPENRESTY_PATH_PREFIX} ${PS_NGX_EXTRA_FLAGS} ${NGINX_FLAGS} && sudo make && sudo make install && sudo ln -sf ${LUAJIT_ROOT}/bin/${LUA_SUFFIX} ${LUAJIT_ROOT}/bin/lua && sudo ln -sf ${LUAJIT_ROOT}/bin/lua /usr/local/bin/lua" \
+ && /bin/bash -l -c "sudo wget https://github.com/keplerproject/luarocks/archive/v${LUAROCKS_VERSION}.tar.gz -O ${OPENRESTY_PATH}/v${LUAROCKS_VERSION}.tar.gz && sudo tar -xzvf ${OPENRESTY_PATH}/v${LUAROCKS_VERSION}.tar.gz -C ${OPENRESTY_PATH} && cd ${OPENRESTY_PATH}/luarocks-${LUAROCKS_VERSION} && sudo ./configure --prefix=${LUAJIT_ROOT} --with-lua=${LUAJIT_ROOT} --lua-suffix=${LUA_SUFFIX} --sysconfdir=${LUAJIT_ROOT}/luarocks --with-lua-lib=${LUAJIT_ROOT}/lib --with-lua-include=${LUAJIT_ROOT}/include/luajit-${LUAJIT_VERSION} --force-config && sudo make build && sudo make install && sudo ${LUAJIT_ROOT}/bin/luarocks install lua-resty-auto-ssl && sudo mkdir -p ${RESTY_AUTO_SSL_PATH} && sudo chown -R ${NGINX_USER}:${NGINX_USER} ${RESTY_AUTO_SSL_PATH} && sudo chown -R ${NGINX_USER}:${NGINX_USER} ${OPENRESTY_PATH} && sudo rm -rf ${OPENRESTY_PATH}/*.zip ${OPENRESTY_PATH}/*.tar.gz ${NGINX_CONF_PATH}/*.tar.gz ${NGINX_CONF_PATH}/*.zip ${NGINX_USER_CONF_PATH}/*.tar.gz ${NGINX_USER_CONF_PATH}/*.zip ${OPENRESTY_PATH}/luarocks-${LUAROCKS_VERSION} /etc/openresty-*" \
+ # && sudo sed -i s"/if exit_code == 0 then/if exit_code == 0 or exit_code == true then/" "${LUAJIT_PACKAGE_PATH}/resty/auto-ssl/utils/start_sockproc.lua" \
+ && sudo openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 \
+ -subj '/CN=sni-support-required-for-valid-ssl' \
+ -keyout ${SSL_ROOT}/resty-auto-ssl-fallback.key \
+ -out ${SSL_ROOT}/resty-auto-ssl-fallback.crt \
+ && 
sudo cp ${NGINX_CONF_PATH}/nginx.conf ${NGINX_CONF_PATH}/nginx.conf.default \
+ && /bin/bash -l -c "sudo chmod +x /etc/init.d/nginx && sudo update-rc.d nginx defaults" \
+ && /bin/bash -l -c "sudo echo 'Europe/London' | sudo tee /etc/timezone && sudo dpkg-reconfigure --frontend $DEBIAN_FRONTEND tzdata" \
+ && sudo chmod +x /etc/entrypoint.sh
+
+ADD templates/nginx/conf/*.conf ${USER_TEMPLATES_PATH}/conf/
+ADD templates/nginx/enabled/*.conf ${USER_TEMPLATES_PATH}/enabled/
+ADD templates/nginx/configs/*.conf ${USER_TEMPLATES_PATH}/configs/
+ADD templates/nginx/lua/* ${USER_TEMPLATES_PATH}/lua/
+
+WORKDIR ~/
+
+EXPOSE 80
+EXPOSE 443
+
+# Setup the entrypoint
+ENTRYPOINT ["/bin/bash", "-l", "-c"]
+CMD ["/etc/entrypoint.sh"]
diff --git a/templates/entrypoint.sh b/templates/entrypoint.sh
new file mode 100644
index 0000000..e533d26
--- /dev/null
+++ b/templates/entrypoint.sh
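Review bot: `USER $MY_USER` provides no privilege boundary here, because the `RUN` just before it appends `$MY_USER ALL=(ALL) NOPASSWD:ALL` to `/etc/sudoers` and every later build step, as well as `/etc/entrypoint.sh` at runtime, goes through `sudo`, so the image is root-equivalent while reporting a non-root user. Do the build as root, drop the sudoers rule, and either switch to an unprivileged `USER` only at the end or run as root explicitly, given that the bundled init script defaults to `RUNAS=root` and `nginx.conf` already drops workers via `user ${NGINX_USER};`. The `wget` downloads of the OpenSSL, OpenResty and LuaRocks tarballs are extracted and compiled with no integrity check; verify each archive before `tar -xzvf`, e.g. `echo "<EXPECTED_SHA256>  openssl-${OPENSSL_VERSION}.tar.gz" | sha256sum -c -` with the digest pinned next to the version (placeholder, fill in from the upstream release). `WORKDIR ~/` is not tilde-expanded by the Dockerfile parser (only `$VAR` expansion applies), so it creates a literal `~` directory; use `WORKDIR ${HOME}`. `MAINTAINER` is deprecated in favour of `LABEL`, and the `ADD templates/...` lines copy plain local files and should be `COPY`.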
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+# set -e
+# set -x
+
+export WP_HOST_IP=`awk 'NR==1 {print $1}' /etc/hosts`
+export GFB_PIPED_DOMAINS=`echo ${SERVER_URLS}|awk '{gsub (" ", "\|",$0); print}'`
+
+sudo cp ${USER_TEMPLATES_PATH}/configs/*.conf ${NGINX_USER_CONF_PATH}/configs;
+sudo cp ${USER_TEMPLATES_PATH}/enabled/*.conf ${NGINX_USER_CONF_PATH}/enabled;
+sudo cp ${USER_TEMPLATES_PATH}/conf/*.conf ${NGINX_CONF_PATH};
+sudo cp ${USER_TEMPLATES_PATH}/lua/*.conf ${NGINX_USER_CONF_PATH}/lua;
+
+for name in NGINX_USER NGINX_PATH_PREFIX SERVER_URLS MY_USER GFB_PIPED_DOMAINS LUA_ROOT_PATH LUAJIT_ROOT LUA_MAIN_VERSION SSL_ROOT NGINX_USER_CONF_PATH NGINX_CONF_PATH NGINX_LOG_PATH NGINX_USER_LOG_PATH VARNISH_PORT_80_TCP_ADDR VARNISH_PORT_80_TCP_PORT LUAJIT_PACKAGE_PATH
+do
+ eval value=\$$name;
+ sudo sed -i "s|\${${name}}|${value}|g" ${NGINX_CONF_PATH}/nginx.conf;
+ sudo sed -i "s|\${${name}}|${value}|g" ${NGINX_USER_CONF_PATH}/lua/default.conf;
+ sudo sed -i "s|\${${name}}|${value}|g" ${NGINX_USER_CONF_PATH}/configs/default.conf;
+ sudo sed -i "s|\${${name}}|${value}|g" ${NGINX_USER_CONF_PATH}/enabled/80.conf;
+ sudo sed -i "s|\${${name}}|${value}|g" ${NGINX_USER_CONF_PATH}/enabled/443.conf;
+done
+
+sudo ln -s ${NGINX_USER_CONF_PATH}/configs/${GFB_SCHEME}.conf ${NGINX_USER_CONF_PATH}/configs/scheme.conf
+
+echo -e Environment variables setup completed;
+sudo service nginx start > /dev/null 2>&1 &
+
+echo -e Ngnix start up is complete;
+
+sudo touch ${NGINX_USER_LOG_PATH}/access.log ${NGINX_USER_LOG_PATH}/error.log ${NGINX_LOG_PATH}/access.log ${NGINX_LOG_PATH}/error.log
+sudo tail -F ${NGINX_USER_LOG_PATH}/access.log ${NGINX_USER_LOG_PATH}/error.log ${NGINX_LOG_PATH}/access.log ${NGINX_LOG_PATH}/error.log
diff --git a/templates/nginx/conf/nginx.conf b/templates/nginx/conf/nginx.conf
new file mode 100644
index 0000000..c921856
--- /dev/null
+++ b/templates/nginx/conf/nginx.conf
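Review bot: The container's lifetime is tied to the final `sudo tail -F ...` line rather than to nginx: `sudo service nginx start > /dev/null 2>&1 &` backgrounds the server and discards its output, so a failed start or a later crash leaves the container running and looking healthy with no diagnostic in the logs. Run nginx as the script's last foreground process instead (the shipped `nginx.conf` already sets `daemon off;`), e.g. `exec sudo ${NGINX_PATH_PREFIX}/sbin/nginx -c ${NGINX_CONF_PATH}/nginx.conf`, and point the `access_log`/`error_log` directives at `/dev/stdout` and `/dev/stderr` so the `tail` becomes unnecessary. With `# set -e` commented out, a failing `cp` or `sed` is silently ignored and nginx then starts with partially templated configuration; re-enable `set -eu`. `sudo ln -s ... scheme.conf` fails if the link already exists (for example after a container restart); use `ln -sf`.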
@@ -0,0 +1,96 @@
+daemon off;
+user ${NGINX_USER};
+worker_processes 7;
+
+events {
+ worker_connections 1024;
+ # multi_accept on;
+}
+
+http {
+
+ ##
+ # SSL configuration setup
+ ##
+
+ include ${NGINX_USER_CONF_PATH}/lua/*;
+
+ ##
+ # Basic Settings
+ ##
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ server_tokens off;
+
+ ##
+ # Timeout Settings
+ ##
+
+ proxy_connect_timeout 3000s;
+ proxy_send_timeout 3000s;
+ proxy_read_timeout 3000s;
+ client_header_timeout 3000;
+ client_body_timeout 3000;
+ fastcgi_read_timeout 3000;
+ fastcgi_send_timeout 3000;
+ fastcgi_connect_timeout 3000;
+
+ ##
+ # Buffer Settings
+ ##
+
+ client_max_body_size 400m;
+ fastcgi_buffers 16 128k;
+ fastcgi_buffer_size 128k;
+ proxy_buffers 16 128k;
+ proxy_buffer_size 128k;
+
+ ##
+ # Stream Settings
+ ##
+
+ include ${NGINX_CONF_PATH}/mime.types;
+ default_type application/octet-stream;
+
+ ##
+ # Logging Settings
+ ##
+
+ access_log ${NGINX_LOG_PATH}/access.log;
+ error_log ${NGINX_LOG_PATH}/error.log;
+
+ ##
+ # Make use of Environment via Perl Module
+ ##
+
+ # perl_set $my_user 'sub { return $ENV{"MY_USER"}; }';
+
+ ##
+ # Gzip Settings
+ ##
+ gzip on;
+ #gzip_disable "MSIE [1-6]\.(?!.*SV1)";
+
+ gzip_comp_level 9;
+ gzip_http_version 1.1;
+ gzip_proxied any;
+ gzip_min_length 10;
+ gzip_buffers 16 8k;
+ #gzip_types text/plain text/css application/javascript text/xml application/xml application/xml+rss text/javascript application/xhtml+xml;
+ gzip_types text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon;
+
+ # Disable for IE < 6 because there are some known problems
+ gzip_disable “MSIE [1-6].(?!.*SV1)”;
+
+ # Add a vary header for downstream proxies to avoid sending cached gzipped files to IE6
+ gzip_vary on;
+
+ ##
+ # Virtual Host Configs
+ ##
+ include ${NGINX_USER_CONF_PATH}/enabled/*;
+}
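Review bot: The client-facing timeouts in the "Timeout Settings" block are 3000 seconds (`client_header_timeout 3000;`, `client_body_timeout 3000;`, plus the 3000s `proxy_*`/`fastcgi_*` values), so a connection that sends nothing can be held open for 50 minutes; with `worker_connections 1024` per worker this lets a small number of idle or very slow clients exhaust the connection pool. Keep long values only on the upstream `proxy_*` directives if Varnish genuinely needs them, and bring the client side down to a few tens of seconds, e.g. `client_header_timeout 60s; client_body_timeout 60s;`. `gzip_disable “MSIE [1-6].(?!.*SV1)”;` uses curly Unicode quotes, so nginx most likely parses it as two unquoted arguments rather than one quoted regex; the commented-out `gzip_disable "MSIE [1-6]\.(?!.*SV1)";` just above is the intended form. `worker_processes 7;` is tuned for one specific host; `worker_processes auto;` follows the CPUs actually available to the container.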
diff --git a/templates/nginx/configs/default.conf b/templates/nginx/configs/default.conf
new file mode 100644
index 0000000..6ce3dd8
--- /dev/null
+++ b/templates/nginx/configs/default.conf
@@ -0,0 +1,26 @@
+server_name ${SERVER_URLS};
+access_log ${NGINX_USER_LOG_PATH}/access.log;
+error_log ${NGINX_USER_LOG_PATH}/error.log;
+error_page 404 = /error/404;
+port_in_redirect off;
+
+rewrite ^/recipe-items/(.*)$ /recipes/$1 permanent;
+rewrite ^(/de/detail/)(.*)$ http:// permanent;
+rewrite ^/sitemapindex\.xml$ /index.php?sitemap=1 last;
+rewrite ^/([^/]+?)_part([0-9]+)?\.xml$ /index.php?sitemap=$1&sitemap_n=$2 last;
+rewrite ^/([^/]+?)\.xml$ /index.php?sitemap=$1 last;
+rewrite ^/sitemap(-+([a-zA-Z0-9_-]+))?\.xml$ "/index.php?xml_sitemap=params=$2" last;
+rewrite ^/sitemap(-+([a-zA-Z0-9_-]+))?\.xml\.gz$ "/index.php?xml_sitemap=params=$2; zip=true" last;
+rewrite ^/sitemap(-+([a-zA-Z0-9_-]+))?\.html$ "/index.php?xml_sitemap=params=$2;html=true" last;
+rewrite ^/sitemap(-+([a-zA-Z0-9_-]+))?\.html.gz$ "/index.php?xml_sitemap=params=$2;html=true;zip=true" last;
+expires 30d;
+
+location / {
+ include ${NGINX_USER_CONF_PATH}/configs/scheme.conf;
+ proxy_pass http://${VARNISH_PORT_80_TCP_ADDR}:${VARNISH_PORT_80_TCP_PORT};
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header X-Forwarded-Port 443;
+ proxy_set_header Host $host;
+}
diff --git a/templates/nginx/configs/http.conf b/templates/nginx/configs/http.conf
new file mode 100644
index 0000000..da34f35
--- /dev/null
+++ b/templates/nginx/configs/http.conf
@@ -0,0 +1,3 @@
+if ($scheme = https) {
+ return 301 http://$host$request_uri;
+}
diff --git a/templates/nginx/configs/https.conf b/templates/nginx/configs/https.conf
new file mode 100644
index 0000000..9c0fa4c
--- /dev/null
+++ b/templates/nginx/configs/https.conf
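Review bot: `proxy_set_header X-Forwarded-Proto https;` and `proxy_set_header X-Forwarded-Port 443;` are hard-coded, yet this file is included from both `enabled/80.conf` and `enabled/443.conf`, so plain-HTTP requests (and all traffic when `GFB_SCHEME=http` selects the downgrade rule) reach the upstream claiming to be HTTPS on 443; use `proxy_set_header X-Forwarded-Proto $scheme;` and `proxy_set_header X-Forwarded-Port $server_port;` so the application can make correct scheme-dependent decisions such as secure cookie flags and canonical URLs. `rewrite ^(/de/detail/)(.*)$ http:// permanent;` redirects to a bare `http://` with no host or path, which reads like an unfinished rule; complete the target or remove it. `expires 30d;` at server level also stamps every proxied dynamic response with a 30-day cache lifetime; consider scoping it to a static-asset `location`.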
@@ -0,0 +1,5 @@
+rewrite_by_lua_block {
+ if ngx.var.scheme == "http" and ngx.var.request_uri:match("^/.well%-known.*$") == nil then
+ return ngx.redirect("https://"..ngx.var.host..ngx.var.request_uri, 301);
+ end
+}
diff --git a/templates/nginx/enabled/443.conf b/templates/nginx/enabled/443.conf
new file mode 100644
index 0000000..9ca1676
--- /dev/null
+++ b/templates/nginx/enabled/443.conf
@@ -0,0 +1,12 @@
+server {
+ listen 443 ssl;
+
+ # Dynamic handler for issuing or returning certs for SNI domains.
+ ssl_certificate_by_lua_block {
+ auto_ssl:ssl_certificate()
+ }
+ ssl_certificate ${SSL_ROOT}/resty-auto-ssl-fallback.crt;
+ ssl_certificate_key ${SSL_ROOT}/resty-auto-ssl-fallback.key;
+
+ include ${NGINX_USER_CONF_PATH}/configs/default.conf;
+}
diff --git a/templates/nginx/enabled/80.conf b/templates/nginx/enabled/80.conf
new file mode 100644
index 0000000..d197c92
--- /dev/null
+++ b/templates/nginx/enabled/80.conf
@@ -0,0 +1,22 @@
+server {
+ listen 80;
+
+ location ^~ /.well-known/ {
+ access_log off;
+ log_not_found off;
+ auth_basic off;
+ root /var/www/html;
+ autoindex off;
+ allow all;
+ index index.html; # "no-such-file.txt",if expected protos don't need it
+ try_files $uri $uri/ =404;
+ }
+
+ # Endpoint used for performing domain verification with Let's Encrypt.
+ location /.well-known/acme-challenge/ {
+ content_by_lua_block {
+ auto_ssl:challenge_server()
+ }
+ }
+ include ${NGINX_USER_CONF_PATH}/configs/default.conf;
+}
diff --git a/templates/nginx/init.sh b/templates/nginx/init.sh
new file mode 100644
index 0000000..3d52d7d
--- /dev/null
+++ b/templates/nginx/init.sh
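Review bot: `ngx.redirect("https://"..ngx.var.host..ngx.var.request_uri, 301)` builds the Location target from `ngx.var.host`, i.e. the client-supplied Host header; because `enabled/80.conf` appears to be the only port-80 server block, requests for names outside `server_name` still land here and are redirected to whatever host the client named. Redirect to a fixed canonical name or to `ngx.var.server_name` instead, so the site never echoes an arbitrary host into a 301. The Lua pattern `"^/.well%-known.*$"` leaves the first `.` unescaped, so it matches any character; `"^/%.well%-known/"` expresses the intent, although the check looks redundant for the port-80 server, where the `/.well-known/` locations take precedence over `location /` before this handler runs.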
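Review bot: The `listen 443 ssl;` server carries no `ssl_protocols`, `ssl_ciphers`, `ssl_prefer_server_ciphers` or `ssl_session_cache` directives, so the nginx 1.9.15 / OpenSSL 1.0.2h build from the Dockerfile falls back to its defaults, which at that version include TLS 1.0 and TLS 1.1 and the stock cipher string. Add an explicit policy next to the certificate lines, e.g. `ssl_protocols TLSv1.2;` and `ssl_prefer_server_ciphers on;` with a curated `ssl_ciphers` list, plus `ssl_session_cache shared:SSL:10m;`. Since `https.conf` already forces HTTPS when `GFB_SCHEME=https`, emitting `add_header Strict-Transport-Security "max-age=31536000" always;` here completes that policy. A comment explaining that the fallback certificate is only served to clients without SNI (the auto-ssl design) would also help the next maintainer, since its CN `sni-support-required-for-valid-ssl` is easy to mistake for a misconfiguration.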
@@ -0,0 +1,408 @@ +#! /bin/sh +### BEGIN INIT INFO +# Provides: nginx +# Required-Start: $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: nginx init.d dash script for Ubuntu or other *nix. +# Description: nginx init.d dash script for Ubuntu or other *nix. +### END INIT INFO +#------------------------------------------------------------------------------ +# nginx - this Debian Almquist shell (dash) script, starts and stops the nginx +# daemon for Ubuntu and other *nix releases. +# +# description: Nginx is an HTTP(S) server, HTTP(S) reverse \ +# proxy and IMAP/POP3 proxy server. This \ +# script will manage the initiation of the \ +# server and it's process state. +# +# processname: nginx +# config: /usr/local/nginx/conf/nginx.conf +# pidfile: /usr/local/nginx/logs/nginx.pid +# Provides: nginx +# +# Author: Jason Giedymin +# . +# +# Version: 3.9.0 12-MAY-2015 jason.giedymin AT gmail.com +# Notes: nginx init.d dash script for Ubuntu. 
+# Tested with: Ubuntu 14.10, nginx-1.7.9 +# +# This script's project home is: +# http://github.com/JasonGiedymin/nginx-init-ubuntu +# +#------------------------------------------------------------------------------ +# MIT X11 License +#------------------------------------------------------------------------------ +# +# Copyright (c) 2008-2013 Jason Giedymin, http://jasongiedymin.com +# +# Permission is hereby granted, free of charge, to any person obtaining +# a copy of this software and associated documentation files (the +# "Software"), to deal in the Software without restriction, including +# without limitation the rights to use, copy, modify, merge, publish, +# distribute, sublicense, and/or sell copies of the Software, and to +# permit persons to whom the Software is furnished to do so, subject to +# the following conditions: +# +# The above copyright notice and this permission notice shall be +# included in all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE +# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION +# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. +#------------------------------------------------------------------------------ + +#------------------------------------------------------------------------------ +# Functions +#------------------------------------------------------------------------------ +LSB_FUNC=/lib/lsb/init-functions + +# Test that init functions exists +test -r $LSB_FUNC || { + echo "$0: Cannot find $LSB_FUNC! Script exiting." 1>&2 + exit 5 +} + +. 
$LSB_FUNC + +#------------------------------------------------------------------------------ +# Consts +#------------------------------------------------------------------------------ +# Include nginx defaults if available +if [ -f /etc/default/nginx ]; then + . /etc/default/nginx +fi + +# Minimize path +PATH=/etc/openresty/bin:/etc/openresty/ngxl/nginx/sbin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin + +PS=${PS:-"nginx"} # process name +DESCRIPTION=${DESCRIPTION:-"Openresty Nginx-Lua Server..."} # process description +NGINXPATH=${NGINXPATH:-/etc/openresty/ngxl/nginx} # root path where installed +DAEMON=${DAEMON:-$NGINXPATH/sbin/nginx} # path to daemon binary +NGINX_CONF_FILE=${NGINX_CONF_FILE:-$NGINXPATH/conf/nginx.conf} # config file path + +PIDNAME=${PIDNAME:-"nginx"} # lets you do $PS-slave +PIDFILE=${PIDFILE:-$PIDNAME.pid} # pid file +PIDSPATH=${PIDSPATH:-$NGINXPATH/logs} # default pid location, you should change it +RUNAS=${RUNAS:-root} # user to run as + +SCRIPT_OK=0 # ala error codes +SCRIPT_ERROR=1 # ala error codes +TRUE=1 # boolean +FALSE=0 # boolean + +#------------------------------------------------------------------------------ +# Simple Tests +#------------------------------------------------------------------------------ + +# Test if nginx is a file and executable +test -x $DAEMON || { + echo "$0: You don't have permissions to execute nginx." 1>&2 + exit 4 +} + +# You can also set your conditions like so: +# set exit condition +# set -e + +#------------------------------------------------------------------------------ +# Functions +#------------------------------------------------------------------------------ + +setFilePerms(){ + if [ -f $PIDSPATH/$PIDFILE ]; then + chmod 400 $PIDSPATH/$PIDFILE + fi +} + +configtest() { + $DAEMON -t -c $NGINX_CONF_FILE +} + +getPSCount() { + return `pgrep -f $PS | wc -l` +} + +isRunning() { + if [ $1 ]; then + pidof_daemon $1 + PID=$? 
+ + if [ $PID -gt 0 ]; then + return 1 + else + return 0 + fi + else + pidof_daemon + PID=$? + + if [ $PID -gt 0 ]; then + return 1 + else + return 0 + fi + fi +} + +#courtesy of php-fpm +wait_for_pid () { + try=0 + + while test $try -lt 35 ; do + case "$1" in + 'created') + if [ -f "$2" ]; then + try='' + break + fi + ;; + + 'removed') + if [ ! -f "$2" ]; then + try='' + break + fi + ;; + esac + + try=`expr $try + 1` + sleep 1 + done +} + +status(){ + isRunning + isAlive=$? + + if [ "${isAlive}" -eq $TRUE ]; then + log_warning_msg "$DESCRIPTION found running with processes: `pidof $PS`" + rc=0 + else + log_warning_msg "$DESCRIPTION is NOT running." + rc=3 + fi + + return +} + +removePIDFile(){ + if [ $1 ]; then + if [ -f $1 ]; then + rm -f $1 + fi + else + #Do default removal + if [ -f $PIDSPATH/$PIDFILE ]; then + rm -f $PIDSPATH/$PIDFILE + fi + fi +} + +start() { + log_daemon_msg "Starting $DESCRIPTION" + + isRunning + isAlive=$? + + if [ "${isAlive}" -eq $TRUE ]; then + log_end_msg $SCRIPT_ERROR + rc=0 + else + start-stop-daemon --start --quiet --chuid \ + $RUNAS --pidfile $PIDSPATH/$PIDFILE --exec $DAEMON \ + -- -c $NGINX_CONF_FILE + status=$? + setFilePerms + + if [ "${status}" -eq 0 ]; then + log_end_msg $SCRIPT_OK + rc=0 + else + log_end_msg $SCRIPT_ERROR + rc=7 + fi + fi + + return +} + +stop() { + log_daemon_msg "Stopping $DESCRIPTION" + + isRunning + isAlive=$? + + if [ "${isAlive}" -eq $TRUE ]; then + start-stop-daemon --stop --quiet --pidfile $PIDSPATH/$PIDFILE + + wait_for_pid 'removed' $PIDSPATH/$PIDFILE + + if [ -n "$try" ]; then + log_end_msg $SCRIPT_ERROR + rc=0 # lsb states 1, but under status it is 2 (which is more prescriptive). Deferring to standard. + else + removePIDFile + log_end_msg $SCRIPT_OK + rc=0 + fi + else + log_end_msg $SCRIPT_ERROR + rc=7 + fi + + return +} + +reload() { + configtest || return $? + + log_daemon_msg "Reloading (via HUP) $DESCRIPTION" + + isRunning + + if [ $? 
-eq $TRUE ]; then + kill -HUP `cat $PIDSPATH/$PIDFILE` + log_end_msg $SCRIPT_OK + rc=0 + else + log_end_msg $SCRIPT_ERROR + rc=7 + fi + + return +} + +quietupgrade() { + log_daemon_msg "Peforming Quiet Upgrade $DESCRIPTION" + + isRunning + isAlive=$? + + if [ "${isAlive}" -eq $TRUE ]; then + kill -USR2 `cat $PIDSPATH/$PIDFILE` + kill -WINCH `cat $PIDSPATH/$PIDFILE.oldbin` + + isRunning + isAlive=$? + + if [ "${isAlive}" -eq $TRUE ]; then + kill -QUIT `cat $PIDSPATH/$PIDFILE.oldbin` + wait_for_pid 'removed' $PIDSPATH/$PIDFILE.oldbin + removePIDFile $PIDSPATH/$PIDFILE.oldbin + + log_end_msg $SCRIPT_OK + rc=0 + else + log_end_msg $SCRIPT_ERROR + + log_daemon_msg "ERROR! Reverting back to original $DESCRIPTION" + + kill -HUP `cat $PIDSPATH/$PIDFILE` + kill -TERM `cat $PIDSPATH/$PIDFILE.oldbin` + kill -QUIT `cat $PIDSPATH/$PIDFILE.oldbin` + + wait_for_pid 'removed' $PIDSPATH/$PIDFILE.oldbin + removePIDFile $PIDSPATH/$PIDFILE.oldbin + + log_end_msg $SCRIPT_OK + rc=0 + fi + else + log_end_msg $SCRIPT_ERROR + rc=7 + fi + + return +} + +terminate() { + log_daemon_msg "Force terminating (via KILL) $DESCRIPTION" + + PIDS=`pidof $PS` || true + + [ -e $PIDSPATH/$PIDFILE ] && PIDS2=`cat $PIDSPATH/$PIDFILE` + + for i in $PIDS; do + if [ "$i" = "$PIDS2" ]; then + kill $i + wait_for_pid 'removed' $PIDSPATH/$PIDFILE + removePIDFile + fi + done + + log_end_msg $SCRIPT_OK + rc=0 +} + +destroy() { + log_daemon_msg "Force terminating and may include self (via KILLALL) $DESCRIPTION" + killall $PS -q >> /dev/null 2>&1 + log_end_msg $SCRIPT_OK + rc=0 +} + +pidof_daemon() { + PIDS=`pidof $PS` || true + + [ -e $PIDSPATH/$PIDFILE ] && PIDS2=`cat $PIDSPATH/$PIDFILE` + + for i in $PIDS; do + if [ "$i" = "$PIDS2" ]; then + return 1 + fi + done + + return 0 +} + +action="$1" +case "$1" in + start) + start + ;; + stop) + stop + ;; + restart|force-reload) + stop + # if [ $rc -ne 0 ]; then + # script_exit + # fi + sleep 1 + start + ;; + reload) + $1 + ;; + status) + status + ;; + configtest) + $1 + 
;; + quietupgrade) + $1 + ;; + terminate) + $1 + ;; + destroy) + $1 + ;; + *) + FULLPATH=/etc/init.d/$PS + echo "Usage: $FULLPATH {start|stop|restart|force-reload|reload|status|configtest|quietupgrade|terminate|destroy}" + echo " The 'destroy' command should only be used as a last resort." + exit 3 + ;; +esac + +exit $rc diff --git a/templates/nginx/lua/8999.conf b/templates/nginx/lua/8999.conf new file mode 100644 index 0000000..cd0adcf --- /dev/null +++ b/templates/nginx/lua/8999.conf @@ -0,0 +1,9 @@ +# Internal server running on port 8999 for handling certificate tasks. +server { + listen 127.0.0.1:8999; + location / { + content_by_lua_block { + auto_ssl:hook_server() + } + } +} diff --git a/templates/nginx/lua/default.conf b/templates/nginx/lua/default.conf new file mode 100644 index 0000000..f76ecfa --- /dev/null +++ b/templates/nginx/lua/default.conf @@ -0,0 +1,19 @@ +lua_package_path "${LUAJIT_PACKAGE_PATH}/?.lua;;"; +lua_shared_dict auto_ssl 1m; +resolver 8.8.8.8; + +init_by_lua_block { + auto_ssl = (require "resty.auto-ssl").new() + + auto_ssl:set("allow_domain", function(domain) + return true + end) + + auto_ssl:set("renew_check_interval", 172800) + + auto_ssl:init() +} + +init_worker_by_lua_block { + auto_ssl:init_worker() +}
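Review bot: `auto_ssl:set("allow_domain", function(domain) return true end)` in `lua/default.conf` accepts every hostname a client presents via SNI, so the server will attempt Let's Encrypt issuance for names that are not in `SERVER_URLS`; anyone who points a DNS record at this host can trigger certificate requests that consume the ACME rate limits and storage under `${RESTY_AUTO_SSL_PATH}`. Restrict the callback to the configured names, for example by templating `${GFB_PIPED_DOMAINS}` (already computed in entrypoint.sh but not used by any shipped template) into a Lua lookup table and returning `allowed[domain] == true`. `resolver 8.8.8.8;` hard-codes a single public DNS server for the Lua code's outbound lookups; consider the container's own resolver or an environment-templated value so the dependency is explicit and adjustable. The `${LUAJIT_PACKAGE_PATH}` placeholder is rewritten at start-up by entrypoint.sh, which is worth a one-line comment here since the file is not valid nginx configuration until then.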