Merge pull request #2041 from SkynetLabs/nginx-docker-improvements

Nginx docker improvements

.github/workflows/lint-dockerfiles.yml

@@ -14,6 +14,7 @@ jobs:
       matrix:
         dockerfile:
           - docker/nginx/Dockerfile
+          - docker/nginx/testing/Dockerfile
           - docker/sia/Dockerfile
           - packages/dashboard/Dockerfile
           - packages/dashboard-v2/Dockerfile

docker-compose.yml

@@ -54,9 +54,11 @@ services:
       - ./docker/data/certbot:/etc/letsencrypt
 
   nginx:
-    build:
+    # uncomment "build" and comment out "image" to build from sources
-      context: ./docker/nginx
+    # build:
-      dockerfile: Dockerfile
+    #   context: https://github.com/SkynetLabs/skynet-webportal.git#master
+    #   dockerfile: ./docker/nginx/Dockerfile
+    image: skynetlabs/nginx
     container_name: nginx
     restart: unless-stopped
     logging: *default-logging
@@ -69,6 +71,10 @@ services:
       - ./docker/data/nginx/skynet:/data/nginx/skynet:ro
       - ./docker/data/sia/apipassword:/data/sia/apipassword:ro
       - ./docker/data/certbot:/etc/letsencrypt
+      - ./docker/nginx/libs:/etc/nginx/libs
+      - ./docker/nginx/conf.d:/etc/nginx/conf.d
+      - ./docker/nginx/conf.d.templates:/etc/nginx/templates
+      - ./docker/nginx/nginx.conf:/usr/local/openresty/nginx/conf/nginx.conf
     networks:
       shared:
         ipv4_address: 10.10.10.30

docker/nginx/Dockerfile

@@ -2,25 +2,20 @@ FROM openresty/openresty:1.19.9.1-focal
 
 WORKDIR /
 
-RUN luarocks install lua-resty-http && \
+RUN apt-get update && apt-get --no-install-recommends -y install bc=1.07.1-2build1 && \
-    luarocks install hasher && \
+    apt-get clean && rm -rf /var/lib/apt/lists/* && \
-    openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
+    luarocks install lua-resty-http && \
-    -subj '/CN=local-certificate' \
+    luarocks install hasher
-    -keyout /etc/ssl/local-certificate.key \
-    -out /etc/ssl/local-certificate.crt
 
-COPY mo ./
+# reload nginx every 6 hours (for reloading certificates)
-COPY libs /etc/nginx/libs
+ENV NGINX_ENTRYPOINT_RELOAD_EVERY_X_HOURS 6
-COPY conf.d /etc/nginx/conf.d
-COPY conf.d.templates /etc/nginx/conf.d.templates
-COPY nginx.conf /usr/local/openresty/nginx/conf/nginx.conf
 
-CMD [ "bash", "-c", \
+# copy entrypoint and entrypoint scripts
-      "./mo < /etc/nginx/conf.d.templates/server.account.conf > /etc/nginx/conf.d/server.account.conf ; \
+COPY docker/nginx/docker-entrypoint.sh /
-       ./mo < /etc/nginx/conf.d.templates/server.api.conf > /etc/nginx/conf.d/server.api.conf; \
+COPY docker/nginx/docker-entrypoint.d /docker-entrypoint.d
-       ./mo < /etc/nginx/conf.d.templates/server.dnslink.conf > /etc/nginx/conf.d/server.dnslink.conf; \
+
-       ./mo < /etc/nginx/conf.d.templates/server.hns.conf > /etc/nginx/conf.d/server.hns.conf; \
+ENTRYPOINT ["/docker-entrypoint.sh"]
-       ./mo < /etc/nginx/conf.d.templates/server.skylink.conf > /etc/nginx/conf.d/server.skylink.conf ; \
+
-       while :; do sleep 6h & wait ${!}; /usr/local/openresty/bin/openresty -s reload; done & \
+STOPSIGNAL SIGQUIT
-       /usr/local/openresty/bin/openresty '-g daemon off;'" \
+
-    ]
+CMD ["nginx", "-g", "daemon off;"]

docker/nginx/conf.d.templates/server.account.conf

@@ -1,45 +0,0 @@
-{{#ACCOUNTS_ENABLED}}
-	{{#PORTAL_DOMAIN}}
-	server {
-		server_name account.{{PORTAL_DOMAIN}}; # example: account.siasky.net
-		
-		include /etc/nginx/conf.d/server/server.http;
-	}
-
-	server {
-		server_name account.{{PORTAL_DOMAIN}}; # example: account.siasky.net
-
-		set_by_lua_block $skynet_portal_domain { return "{{PORTAL_DOMAIN}}" }
-		set_by_lua_block $skynet_server_domain {
-			-- fall back to portal domain if server domain is not defined
-			if "{{SERVER_DOMAIN}}" == "" then
-				return "{{PORTAL_DOMAIN}}"
-			end
-			return "{{SERVER_DOMAIN}}"
-		}
-
-		include /etc/nginx/conf.d/server/server.account;
-	}
-	{{/PORTAL_DOMAIN}}
-
-	{{#SERVER_DOMAIN}}
-	server {
-		server_name account.{{SERVER_DOMAIN}}; # example: account.eu-ger-1.siasky.net
-
-		include /etc/nginx/conf.d/server/server.http;
-
-		set_by_lua_block $server_alias { return string.match("{{SERVER_DOMAIN}}", "^([^.]+)") }
-	}
-
-	server {
-		server_name account.{{SERVER_DOMAIN}}; # example: account.eu-ger-1.siasky.net
-
-		set_by_lua_block $skynet_portal_domain { return "{{SERVER_DOMAIN}}" }
-		set_by_lua_block $skynet_server_domain { return "{{SERVER_DOMAIN}}" }
-
-		include /etc/nginx/conf.d/server/server.account;
-		
-		set_by_lua_block $server_alias { return string.match("{{SERVER_DOMAIN}}", "^([^.]+)") }
-	}
-	{{/SERVER_DOMAIN}}
-{{/ACCOUNTS_ENABLED}}

docker/nginx/conf.d.templates/server.account.conf.template

@@ -0,0 +1,44 @@
+server {
+	server_name account.${PORTAL_DOMAIN}; # example: account.siasky.net
+	
+	include /etc/nginx/conf.d/server/server.http;
+}
+
+server {
+	server_name account.${PORTAL_DOMAIN}; # example: account.siasky.net
+
+	set_by_lua_block $skynet_portal_domain { return "${PORTAL_DOMAIN}" }
+	set_by_lua_block $skynet_server_domain {
+		-- fall back to portal domain if server domain is not defined
+		if "${SERVER_DOMAIN}" == "" then
+			return "${PORTAL_DOMAIN}"
+		end
+		return "${SERVER_DOMAIN}"
+	}
+
+	include /etc/nginx/conf.d/server/server.account;
+}
+
+server {
+	server_name account.${SERVER_DOMAIN}; # example: account.eu-ger-1.siasky.net
+
+	include /etc/nginx/conf.d/server/server.http;
+
+	set_by_lua_block $server_alias { return string.match("${SERVER_DOMAIN}", "^([^.]+)") }
+}
+
+server {
+	server_name account.${SERVER_DOMAIN}; # example: account.eu-ger-1.siasky.net
+
+	set_by_lua_block $skynet_portal_domain {
+		-- when accessing portal directly through server domain, portal domain should be set to server domain
+		-- motivation: skynet-js uses Skynet-Portal-Api header (that is set to $skynet_portal_domain) to detect current
+		-- portal address and it should be server domain when accessing specific server by its domain address
+		return "${SERVER_DOMAIN}"
+	}
+	set_by_lua_block $skynet_server_domain { return "${SERVER_DOMAIN}" }
+
+	include /etc/nginx/conf.d/server/server.account;
+	
+	set_by_lua_block $server_alias { return string.match("${SERVER_DOMAIN}", "^([^.]+)") }
+}

docker/nginx/conf.d.templates/server.api.conf

@@ -1,43 +0,0 @@
-{{#PORTAL_DOMAIN}}
-server {
-	server_name {{PORTAL_DOMAIN}}; # example: siasky.net
-	
-	include /etc/nginx/conf.d/server/server.http;
-}
-
-server {
-	server_name {{PORTAL_DOMAIN}}; # example: siasky.net
-
-	set_by_lua_block $skynet_portal_domain { return "{{PORTAL_DOMAIN}}" }
-	set_by_lua_block $skynet_server_domain {
-		-- fall back to portal domain if server domain is not defined
-		if "{{SERVER_DOMAIN}}" == "" then
-			return "{{PORTAL_DOMAIN}}"
-		end
-		return "{{SERVER_DOMAIN}}"
-	}
-
-	include /etc/nginx/conf.d/server/server.api;
-}
-{{/PORTAL_DOMAIN}}
-
-{{#SERVER_DOMAIN}}
-server {
-	server_name {{SERVER_DOMAIN}}; # example: eu-ger-1.siasky.net
-
-	include /etc/nginx/conf.d/server/server.http;
-
-	set_by_lua_block $server_alias { return string.match("{{SERVER_DOMAIN}}", "^([^.]+)") }
-}
-
-server {
-	server_name {{SERVER_DOMAIN}}; # example: eu-ger-1.siasky.net
-
-	set_by_lua_block $skynet_portal_domain { return "{{SERVER_DOMAIN}}" }
-	set_by_lua_block $skynet_server_domain { return "{{SERVER_DOMAIN}}" }
-
-	include /etc/nginx/conf.d/server/server.api;
-	
-	set_by_lua_block $server_alias { return string.match("{{SERVER_DOMAIN}}", "^([^.]+)") }
-}
-{{/SERVER_DOMAIN}}

docker/nginx/conf.d.templates/server.api.conf.template

@@ -0,0 +1,44 @@
+server {
+	server_name ${PORTAL_DOMAIN}; # example: siasky.net
+	
+	include /etc/nginx/conf.d/server/server.http;
+}
+
+server {
+	server_name ${PORTAL_DOMAIN}; # example: siasky.net
+
+	set_by_lua_block $skynet_portal_domain { return "${PORTAL_DOMAIN}" }
+	set_by_lua_block $skynet_server_domain {
+		-- fall back to portal domain if server domain is not defined
+		if "${SERVER_DOMAIN}" == "" then
+			return "${PORTAL_DOMAIN}"
+		end
+		return "${SERVER_DOMAIN}"
+	}
+
+	include /etc/nginx/conf.d/server/server.api;
+}
+
+server {
+	server_name ${SERVER_DOMAIN}; # example: eu-ger-1.siasky.net
+
+	include /etc/nginx/conf.d/server/server.http;
+
+	set_by_lua_block $server_alias { return string.match("${SERVER_DOMAIN}", "^([^.]+)") }
+}
+
+server {
+	server_name ${SERVER_DOMAIN}; # example: eu-ger-1.siasky.net
+
+	set_by_lua_block $skynet_portal_domain {
+		-- when accessing portal directly through server domain, portal domain should be set to server domain
+		-- motivation: skynet-js uses Skynet-Portal-Api header (that is set to $skynet_portal_domain) to detect current
+		-- portal address and it should be server domain when accessing specific server by its domain address
+		return "${SERVER_DOMAIN}"
+	}
+	set_by_lua_block $skynet_server_domain { return "${SERVER_DOMAIN}" }
+
+	include /etc/nginx/conf.d/server/server.api;
+	
+	set_by_lua_block $server_alias { return string.match("${SERVER_DOMAIN}", "^([^.]+)") }
+}

docker/nginx/conf.d.templates/server.dnslink.conf.template

@@ -12,13 +12,13 @@ server {
     ssl_certificate     /etc/ssl/local-certificate.crt;
     ssl_certificate_key /etc/ssl/local-certificate.key;
 
-    set_by_lua_block $skynet_portal_domain { return "{{PORTAL_DOMAIN}}" }
+    set_by_lua_block $skynet_portal_domain { return "${PORTAL_DOMAIN}" }
     set_by_lua_block $skynet_server_domain {
         -- fall back to portal domain if server domain is not defined
-        if "{{SERVER_DOMAIN}}" == "" then
+        if "${SERVER_DOMAIN}" == "" then
-            return "{{PORTAL_DOMAIN}}"
+            return "${PORTAL_DOMAIN}"
         end
-        return "{{SERVER_DOMAIN}}"
+        return "${SERVER_DOMAIN}"
     }
 
     include /etc/nginx/conf.d/server/server.dnslink;

docker/nginx/conf.d.templates/server.hns.conf

@@ -1,45 +0,0 @@
-{{#PORTAL_DOMAIN}}
-server {
-	server_name *.hns.{{PORTAL_DOMAIN}}; # example: *.hns.siasky.net
-	
-	include /etc/nginx/conf.d/server/server.http;
-}
-
-server {
-	server_name *.hns.{{PORTAL_DOMAIN}}; # example: *.hns.siasky.net
-	
-	set_by_lua_block $skynet_portal_domain { return "{{PORTAL_DOMAIN}}" }
-	set_by_lua_block $skynet_server_domain {
-		-- fall back to portal domain if server domain is not defined
-		if "{{SERVER_DOMAIN}}" == "" then
-			return "{{PORTAL_DOMAIN}}"
-		end
-		return "{{SERVER_DOMAIN}}"
-	}
-
-	proxy_set_header Host {{PORTAL_DOMAIN}};
-	include /etc/nginx/conf.d/server/server.hns;
-}
-{{/PORTAL_DOMAIN}}
-
-{{#SERVER_DOMAIN}}
-server {
-	server_name *.hns.{{SERVER_DOMAIN}}; # example: *.hns.eu-ger-1.siasky.net
-	
-	include /etc/nginx/conf.d/server/server.http;
-
-	set_by_lua_block $server_alias { return string.match("{{SERVER_DOMAIN}}", "^([^.]+)") }
-}
-
-server {
-	server_name *.hns.{{SERVER_DOMAIN}}; # example: *.hns.eu-ger-1.siasky.net
-	
-	set_by_lua_block $skynet_portal_domain { return "{{SERVER_DOMAIN}}" }
-	set_by_lua_block $skynet_server_domain { return "{{SERVER_DOMAIN}}" }
-    
-	proxy_set_header Host {{SERVER_DOMAIN}};
-	include /etc/nginx/conf.d/server/server.hns;
-	
-	set_by_lua_block $server_alias { return string.match("{{SERVER_DOMAIN}}", "^([^.]+)") }
-}
-{{/SERVER_DOMAIN}}

docker/nginx/conf.d.templates/server.hns.conf.template

@@ -0,0 +1,46 @@
+server {
+	server_name *.hns.${PORTAL_DOMAIN}; # example: *.hns.siasky.net
+	
+	include /etc/nginx/conf.d/server/server.http;
+}
+
+server {
+	server_name *.hns.${PORTAL_DOMAIN}; # example: *.hns.siasky.net
+	
+	set_by_lua_block $skynet_portal_domain { return "${PORTAL_DOMAIN}" }
+	set_by_lua_block $skynet_server_domain {
+		-- fall back to portal domain if server domain is not defined
+		if "${SERVER_DOMAIN}" == "" then
+			return "${PORTAL_DOMAIN}"
+		end
+		return "${SERVER_DOMAIN}"
+	}
+
+	proxy_set_header Host ${PORTAL_DOMAIN};
+	include /etc/nginx/conf.d/server/server.hns;
+}
+
+server {
+	server_name *.hns.${SERVER_DOMAIN}; # example: *.hns.eu-ger-1.siasky.net
+	
+	include /etc/nginx/conf.d/server/server.http;
+
+	set_by_lua_block $server_alias { return string.match("${SERVER_DOMAIN}", "^([^.]+)") }
+}
+
+server {
+	server_name *.hns.${SERVER_DOMAIN}; # example: *.hns.eu-ger-1.siasky.net
+	
+	set_by_lua_block $skynet_portal_domain {
+		-- when accessing portal directly through server domain, portal domain should be set to server domain
+		-- motivation: skynet-js uses Skynet-Portal-Api header (that is set to $skynet_portal_domain) to detect current
+		-- portal address and it should be server domain when accessing specific server by its domain address
+		return "${SERVER_DOMAIN}"
+	}
+	set_by_lua_block $skynet_server_domain { return "${SERVER_DOMAIN}" }
+    
+	proxy_set_header Host ${SERVER_DOMAIN};
+	include /etc/nginx/conf.d/server/server.hns;
+	
+	set_by_lua_block $server_alias { return string.match("${SERVER_DOMAIN}", "^([^.]+)") }
+}

docker/nginx/conf.d.templates/server.skylink.conf

@@ -1,43 +0,0 @@
-{{#PORTAL_DOMAIN}}
-server {
-	server_name *.{{PORTAL_DOMAIN}}; # example: *.siasky.net
-
-	include /etc/nginx/conf.d/server/server.http;
-}
-
-server {
-	server_name *.{{PORTAL_DOMAIN}}; # example: *.siasky.net
-	
-	set_by_lua_block $skynet_portal_domain { return "{{PORTAL_DOMAIN}}" }
-	set_by_lua_block $skynet_server_domain {
-		-- fall back to portal domain if server domain is not defined
-		if "{{SERVER_DOMAIN}}" == "" then
-			return "{{PORTAL_DOMAIN}}"
-		end
-		return "{{SERVER_DOMAIN}}"
-	}
-
-	include /etc/nginx/conf.d/server/server.skylink;
-}
-{{/PORTAL_DOMAIN}}
-
-{{#SERVER_DOMAIN}}
-server {
-	server_name *.{{SERVER_DOMAIN}}; # example: *.eu-ger-1.siasky.net
-
-	include /etc/nginx/conf.d/server/server.http;
-
-	set_by_lua_block $server_alias { return string.match("{{SERVER_DOMAIN}}", "^([^.]+)") }
-}
-
-server {
-	server_name *.{{SERVER_DOMAIN}}; # example: *.eu-ger-1.siasky.net
-
-	set_by_lua_block $skynet_portal_domain { return "{{SERVER_DOMAIN}}" }
-	set_by_lua_block $skynet_server_domain { return "{{SERVER_DOMAIN}}" }
-	
-	include /etc/nginx/conf.d/server/server.skylink;
-	
-	set_by_lua_block $server_alias { return string.match("{{SERVER_DOMAIN}}", "^([^.]+)") }
-}
-{{/SERVER_DOMAIN}}

docker/nginx/conf.d.templates/server.skylink.conf.template

@@ -0,0 +1,44 @@
+server {
+	server_name *.${PORTAL_DOMAIN}; # example: *.siasky.net
+
+	include /etc/nginx/conf.d/server/server.http;
+}
+
+server {
+	server_name *.${PORTAL_DOMAIN}; # example: *.siasky.net
+	
+	set_by_lua_block $skynet_portal_domain { return "${PORTAL_DOMAIN}" }
+	set_by_lua_block $skynet_server_domain {
+		-- fall back to portal domain if server domain is not defined
+		if "${SERVER_DOMAIN}" == "" then
+			return "${PORTAL_DOMAIN}"
+		end
+		return "${SERVER_DOMAIN}"
+	}
+
+	include /etc/nginx/conf.d/server/server.skylink;
+}
+
+server {
+	server_name *.${SERVER_DOMAIN}; # example: *.eu-ger-1.siasky.net
+
+	include /etc/nginx/conf.d/server/server.http;
+
+	set_by_lua_block $server_alias { return string.match("${SERVER_DOMAIN}", "^([^.]+)") }
+}
+
+server {
+	server_name *.${SERVER_DOMAIN}; # example: *.eu-ger-1.siasky.net
+
+	set_by_lua_block $skynet_portal_domain {
+		-- when accessing portal directly through server domain, portal domain should be set to server domain
+		-- motivation: skynet-js uses Skynet-Portal-Api header (that is set to $skynet_portal_domain) to detect current
+		-- portal address and it should be server domain when accessing specific server by its domain address
+		return "${SERVER_DOMAIN}"
+	}
+	set_by_lua_block $skynet_server_domain { return "${SERVER_DOMAIN}" }
+	
+	include /etc/nginx/conf.d/server/server.skylink;
+	
+	set_by_lua_block $server_alias { return string.match("${SERVER_DOMAIN}", "^([^.]+)") }
+}

docker/nginx/docker-entrypoint.d/20-envsubst-on-templates.sh

@@ -0,0 +1,59 @@
+#!/bin/sh
+
+# https://github.com/nginxinc/docker-nginx/blob/master/entrypoint/20-envsubst-on-templates.sh
+# https://github.com/nginxinc/docker-nginx/blob/master/LICENSE
+
+# Copyright (C) 2011-2016 Nginx, Inc.
+# All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+set -e
+
+ME=$(basename $0)
+
+auto_envsubst() {
+  local template_dir="${NGINX_ENVSUBST_TEMPLATE_DIR:-/etc/nginx/templates}"
+  local suffix="${NGINX_ENVSUBST_TEMPLATE_SUFFIX:-.template}"
+  local output_dir="${NGINX_ENVSUBST_OUTPUT_DIR:-/etc/nginx/conf.d}"
+
+  local template defined_envs relative_path output_path subdir
+  defined_envs=$(printf '${%s} ' $(env | cut -d= -f1))
+  [ -d "$template_dir" ] || return 0
+  if [ ! -w "$output_dir" ]; then
+    echo >&3 "$ME: ERROR: $template_dir exists, but $output_dir is not writable"
+    return 0
+  fi
+  find "$template_dir" -follow -type f -name "*$suffix" -print | while read -r template; do
+    relative_path="${template#$template_dir/}"
+    output_path="$output_dir/${relative_path%$suffix}"
+    subdir=$(dirname "$relative_path")
+    # create a subdirectory where the template file exists
+    mkdir -p "$output_dir/$subdir"
+    echo >&3 "$ME: Running envsubst on $template to $output_path"
+    envsubst "$defined_envs" < "$template" > "$output_path"
+  done
+}
+
+auto_envsubst
+
+exit 0

docker/nginx/docker-entrypoint.d/40-reload-every-x-hours.sh

@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# source: https://github.com/nginxinc/docker-nginx/pull/509
+
+set -e
+
+ME=$(basename $0)
+
+[ "${NGINX_ENTRYPOINT_RELOAD_EVERY_X_HOURS:-}" ] || exit 0
+if [ $(echo "$NGINX_ENTRYPOINT_RELOAD_EVERY_X_HOURS > 0" | bc) = 0 ]; then
+  echo >&3 "$ME: Error. Provide integer or floating point number greater that 0. See 'man sleep'." 
+  exit 1
+fi
+
+start_background_reload() {
+  echo >&3 "$ME: Reloading Nginx every $NGINX_ENTRYPOINT_RELOAD_EVERY_X_HOURS hour(s)"
+  while :; do sleep ${NGINX_ENTRYPOINT_RELOAD_EVERY_X_HOURS}h; echo >&3 "$ME: Reloading Nginx ..." && nginx -s reload; done &
+}
+
+start_background_reload

docker/nginx/docker-entrypoint.d/50-generate-local-certificate.sh

@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# Generate locally signed ssl certificate to be used on routes
+# that do not require certificate issued by trusted CA
+
+set -e
+
+ME=$(basename $0)
+
+generate_local_certificate() {
+  echo >&3 "$ME: Generating locally signed ssl certificate"
+  openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
+    -subj '/CN=local-certificate' \
+    -keyout /etc/ssl/local-certificate.key \
+    -out /etc/ssl/local-certificate.crt
+}
+
+generate_local_certificate

docker/nginx/docker-entrypoint.sh

@@ -0,0 +1,65 @@
+#!/bin/sh
+# vim:sw=4:ts=4:et
+
+# https://github.com/nginxinc/docker-nginx/blob/master/entrypoint/docker-entrypoint.sh
+# https://github.com/nginxinc/docker-nginx/blob/master/LICENSE
+
+# Copyright (C) 2011-2016 Nginx, Inc.
+# All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+set -e
+
+if [ -z "${NGINX_ENTRYPOINT_QUIET_LOGS:-}" ]; then
+    exec 3>&1
+else
+    exec 3>/dev/null
+fi
+
+if [ "$1" = "nginx" -o "$1" = "nginx-debug" ]; then
+    if /usr/bin/find "/docker-entrypoint.d/" -mindepth 1 -maxdepth 1 -type f -print -quit 2>/dev/null | read v; then
+        echo >&3 "$0: /docker-entrypoint.d/ is not empty, will attempt to perform configuration"
+
+        echo >&3 "$0: Looking for shell scripts in /docker-entrypoint.d/"
+        find "/docker-entrypoint.d/" -follow -type f -print | sort -V | while read -r f; do
+            case "$f" in
+                *.sh)
+                    if [ -x "$f" ]; then
+                        echo >&3 "$0: Launching $f";
+                        "$f"
+                    else
+                        # warn on shell scripts without exec bit
+                        echo >&3 "$0: Ignoring $f, not executable";
+                    fi
+                    ;;
+                *) echo >&3 "$0: Ignoring $f";;
+            esac
+        done
+
+        echo >&3 "$0: Configuration complete; ready for start up"
+    else
+        echo >&3 "$0: No files found in /docker-entrypoint.d/, skipping configuration"
+    fi
+fi
+
+exec "$@"

docker/nginx/nginx.conf

@@ -19,6 +19,9 @@
 user root;
 worker_processes auto;
 
+# Enables the use of JIT for regular expressions to speed-up their processing.
+pcre_jit on;
+
 #error_log  logs/error.log;
 #error_log  logs/error.log  notice;
 #error_log  logs/error.log  info;

docker/nginx/testing/Dockerfile

@@ -8,4 +8,4 @@ RUN luarocks install lua-resty-http && \
 
 COPY rbusted /etc/nginx/
 
-CMD /etc/nginx/rbusted --verbose --pattern=spec /usr/local/openresty/site/lualib
+CMD ["/etc/nginx/rbusted", "--verbose", "--pattern=spec", "/usr/local/openresty/site/lualib"]