| 1 | +FROM alpine:3.19 as nginx-builder |
| 2 | + |
| 3 | +ENV NGINX_VERSION=1.26.1 |
| 4 | +# pin nginx modules versions |
| 5 | +# see https://github.com/google/ngx_brotli/issues/120 for the lack of tags |
| 6 | +# BROKEN HASH: ENV NGX_BROTLI_COMMIT_HASH=63ca02abdcf79c9e788d2eedcc388d2335902e52 |
| 7 | +ENV NGX_BROTLI_COMMIT_HASH=6e975bcb015f62e1f303054897783355e2a877dc |
| 8 | +# https://github.com/openresty/headers-more-nginx-module/tags |
| 9 | +ENV HEADERS_MORE_VERSION=v0.37 |
| 10 | +# releases can be signed by any key on this page https://nginx.org/en/pgp_keys.html |
| 11 | +# so this might need to be updated for a new release |
| 12 | +# available keys: mdounin, maxim, sb, thresh |
| 13 | +# the "signing key" is used for linux packages, see https://trac.nginx.org/nginx/ticket/205 |
| 14 | +ENV PGP_SIGNING_KEY_OWNER=thresh |
| 15 | + |
| 16 | +# install dependencies: here we use brotli-dev, newer brotli versions we can remove that and build it |
| 17 | +RUN apk add --no-cache git libc-dev pcre2-dev make gcc zlib-dev openssl-dev binutils gnupg cmake brotli-dev |
| 18 | + |
| 19 | +# create a builder user and group |
| 20 | +RUN addgroup -S -g 3148 builder && adduser -D -S -G builder -u 3148 builder |
| 21 | +RUN mkdir /build && chown builder:builder /build |
| 22 | +WORKDIR /build |
| 23 | +USER builder |
| 24 | + |
| 25 | +# clone the nginx modules |
| 26 | +RUN git clone https://github.com/google/ngx_brotli && cd ngx_brotli && git reset --hard $NGX_BROTLI_COMMIT_HASH && cd .. |
| 27 | +RUN git clone --depth 1 -b $HEADERS_MORE_VERSION https://github.com/openresty/headers-more-nginx-module |
| 28 | + |
| 29 | +# now start the build |
| 30 | +# get nginx source |
| 31 | +ADD --chown=builder:builder https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz nginx.tgz |
| 32 | +# get nginx signature file |
| 33 | +ADD --chown=builder:builder https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz.asc nginx.tgz.asc |
| 34 | +# get the corresponding public key |
| 35 | +ADD --chown=builder:builder https://nginx.org/keys/$PGP_SIGNING_KEY_OWNER.key nginx-signing.key |
| 36 | +# import it and verify the tarball |
| 37 | +RUN gpg --import nginx-signing.key |
| 38 | +# only run on amd64 because it fails on arm64 for some weird unknown reason |
| 39 | +RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then gpg --verify nginx.tgz.asc; fi |
| 40 | +# all good now untar and build! |
| 41 | +RUN tar xzf nginx.tgz |
| 42 | +WORKDIR /build/nginx-$NGINX_VERSION |
| 43 | +# Compilation flags |
| 44 | +# -g0: Disable debugging symbols generation (decreases binary size) |
| 45 | +# -O3: Enable aggressive optimization level 3 (improves code execution speed) |
| 46 | +# -fstack-protector-strong: Enable stack protection mechanisms (prevents stack-based buffer overflows) |
| 47 | +# -flto: Enable Link Time Optimization (LTO) (allows cross-source-file optimization) |
| 48 | +# -pie: Generate position-independent executables (PIE) (enhances security) |
| 49 | +# --param=ssp-buffer-size=4: Set the size of the stack buffer for stack smashing protection to 4 bytes |
| 50 | +# -Wformat -Werror=format-security: Enable warnings for potentially insecure usage of format strings (treats them as errors) |
| 51 | +# -D_FORTIFY_SOURCE=2: Enable additional security features provided by fortified library functions |
| 52 | +# -Wl,-z,relro,-z,now: Enforce memory protections at runtime: |
| 53 | +# - Mark the Global Offset Table (GOT) as read-only after relocation |
| 54 | +# - Resolve all symbols at load time, making them harder to manipulate |
| 55 | +# -Wl,-z,noexecstack: Mark the stack as non-executable (prevents execution of code placed on the stack) |
| 56 | +# -fPIC: Generate position-independent code (PIC) (suitable for building shared libraries) |
| 57 | +RUN ./configure \ |
| 58 | + --prefix=/var/lib/nginx \ |
| 59 | + --sbin-path=/usr/sbin/nginx \ |
| 60 | + --with-cc-opt='-g0 -O3 -fstack-protector-strong -flto -pie --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-z,relro,-z,now -Wl,-z,noexecstack -fPIC'\ |
| 61 | + --modules-path=/usr/lib/nginx/modules \ |
| 62 | + --conf-path=/etc/nginx/nginx.conf \ |
| 63 | + --pid-path=/run/nginx.pid \ |
| 64 | + --error-log-path=/var/log/nginx/error.log \ |
| 65 | + --http-log-path=/var/log/nginx/access.log \ |
| 66 | + --lock-path=/run/nginx.lock \ |
| 67 | + --http-client-body-temp-path=/run/nginx-client_body \ |
| 68 | + --http-fastcgi-temp-path=/run/nginx-fastcgi \ |
| 69 | + --user=nginx \ |
| 70 | + --group=nginx \ |
| 71 | + --with-threads \ |
| 72 | + --with-http_ssl_module \ |
| 73 | + --with-http_v2_module \ |
| 74 | + --with-http_realip_module \ |
| 75 | + --with-http_gzip_static_module \ |
| 76 | + --with-http_stub_status_module \ |
| 77 | + --add-module=/build/ngx_brotli \ |
| 78 | + --add-module=/build/headers-more-nginx-module \ |
| 79 | + --without-http_autoindex_module \ |
| 80 | + --without-http_browser_module \ |
| 81 | + --without-http_empty_gif_module \ |
| 82 | + --without-http_geo_module \ |
| 83 | + --without-http_limit_conn_module \ |
| 84 | + --without-http_limit_req_module \ |
| 85 | + --without-http_map_module \ |
| 86 | + --without-http_memcached_module \ |
| 87 | + --without-http_proxy_module \ |
| 88 | + --without-http_referer_module \ |
| 89 | + --without-http_scgi_module \ |
| 90 | + --without-http_split_clients_module \ |
| 91 | + --without-http_ssi_module \ |
| 92 | + --without-http_upstream_ip_hash_module \ |
| 93 | + --without-http_userid_module \ |
| 94 | + --without-http_uwsgi_module \ |
| 95 | + && make -j$(getconf _NPROCESSORS_ONLN) \ |
| 96 | + && strip -s objs/nginx |
| 97 | + |
| 98 | +USER root |
| 99 | +RUN make install |
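Review bot: The signature check in the `RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then gpg --verify …; fi` line is dead on every platform: `TARGETPLATFORM` is an automatic platform build arg that is only visible inside a stage once it is redeclared there, and this stage has no `ARG TARGETPLATFORM`, so the variable expands empty, the test is false, and `gpg --verify` never runs before `tar xzf nginx.tgz` and the build. Add `ARG TARGETPLATFORM` before that RUN (or drop the condition once the arm64 failure is understood) and name the data file explicitly so gpg cannot silently pair the wrong file: `gpg --verify nginx.tgz.asc nginx.tgz`. Since the key, tarball and `.asc` are all fetched by plain `ADD <url>` from the same origin with no `--checksum`, a passing verification only proves the three downloads are mutually consistent; pinning the expected key fingerprint after the import (e.g. `gpg --fingerprint | grep -q '<EXPECTED-FINGERPRINT>'`, a placeholder to fill from nginx.org/en/pgp_keys.html) or adding `--checksum=sha256:…` to the key `ADD` would anchor the check to something outside the download path. Stage `nginx-builder` ends with `USER root` and `make install` at the last line of the hunk; whether a runtime stage with a non-root `USER` follows is outside the hunk.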