use official nginx entrypoint with envsubst and custom restart script

docker-compose.yml

@@ -54,9 +54,11 @@ services:
       - ./docker/data/certbot:/etc/letsencrypt
 
   nginx:
-    build:
-      context: ./docker/nginx
-      dockerfile: Dockerfile
+    # uncomment "build" and comment out "image" to build from sources
+    # build:
+    #   context: https://github.com/SkynetLabs/skynet-webportal.git#master
+    #   dockerfile: ./docker/nginx/Dockerfile
+    image: skynetlabs/nginx
     container_name: nginx
     restart: unless-stopped
     logging: *default-logging

docker/nginx/Dockerfile

@@ -2,25 +2,26 @@ FROM openresty/openresty:1.19.9.1-focal
 
 WORKDIR /
 
-RUN luarocks install lua-resty-http && \
-    luarocks install hasher && \
-    openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
-    -subj '/CN=local-certificate' \
-    -keyout /etc/ssl/local-certificate.key \
-    -out /etc/ssl/local-certificate.crt
+RUN apt-get update && apt-get --no-install-recommends install bc=1.07.1-2build1 && \
+    apt-get clean && rm -rf /var/lib/apt/lists/* && \
+    luarocks install lua-resty-http && \
+    luarocks install hasher
 
-COPY mo ./
-COPY libs /etc/nginx/libs
-COPY conf.d /etc/nginx/conf.d
-COPY conf.d.templates /etc/nginx/conf.d.templates
-COPY nginx.conf /usr/local/openresty/nginx/conf/nginx.conf
+# reload nginx every 6 hours (for reloading certificates)
+ENV NGINX_ENTRYPOINT_RELOAD_EVERY_X_HOURS 6
 
-CMD [ "bash", "-c", \
-      "./mo < /etc/nginx/conf.d.templates/server.account.conf > /etc/nginx/conf.d/server.account.conf ; \
-       ./mo < /etc/nginx/conf.d.templates/server.api.conf > /etc/nginx/conf.d/server.api.conf; \
-       ./mo < /etc/nginx/conf.d.templates/server.dnslink.conf > /etc/nginx/conf.d/server.dnslink.conf; \
-       ./mo < /etc/nginx/conf.d.templates/server.hns.conf > /etc/nginx/conf.d/server.hns.conf; \
-       ./mo < /etc/nginx/conf.d.templates/server.skylink.conf > /etc/nginx/conf.d/server.skylink.conf ; \
-       while :; do sleep 6h & wait ${!}; /usr/local/openresty/bin/openresty -s reload; done & \
-       /usr/local/openresty/bin/openresty '-g daemon off;'" \
-    ]
+# copy entrypoint and entrypoint scripts
+COPY docker/nginx/docker-entrypoint.sh /
+COPY docker/nginx/docker-entrypoint.d /docker-entrypoint.d
+
+# copy nginx configuration files and libraries
+COPY docker/nginx/libs /etc/nginx/libs
+COPY docker/nginx/conf.d /etc/nginx/conf.d
+COPY docker/nginx/conf.d.templates /etc/nginx/templates
+COPY docker/nginx/nginx.conf /usr/local/openresty/nginx/conf/nginx.conf
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
+
+STOPSIGNAL SIGQUIT
+
+CMD ["nginx", "-g", "daemon off;"]

docker/nginx/conf.d.templates/server.account.conf

@@ -1,45 +0,0 @@
-{{#ACCOUNTS_ENABLED}}
-	{{#PORTAL_DOMAIN}}
-	server {
-		server_name account.{{PORTAL_DOMAIN}}; # example: account.siasky.net
-		
-		include /etc/nginx/conf.d/server/server.http;
-	}
-
-	server {
-		server_name account.{{PORTAL_DOMAIN}}; # example: account.siasky.net
-
-		set_by_lua_block $skynet_portal_domain { return "{{PORTAL_DOMAIN}}" }
-		set_by_lua_block $skynet_server_domain {
-			-- fall back to portal domain if server domain is not defined
-			if "{{SERVER_DOMAIN}}" == "" then
-				return "{{PORTAL_DOMAIN}}"
-			end
-			return "{{SERVER_DOMAIN}}"
-		}
-
-		include /etc/nginx/conf.d/server/server.account;
-	}
-	{{/PORTAL_DOMAIN}}
-
-	{{#SERVER_DOMAIN}}
-	server {
-		server_name account.{{SERVER_DOMAIN}}; # example: account.eu-ger-1.siasky.net
-
-		include /etc/nginx/conf.d/server/server.http;
-
-		set_by_lua_block $server_alias { return string.match("{{SERVER_DOMAIN}}", "^([^.]+)") }
-	}
-
-	server {
-		server_name account.{{SERVER_DOMAIN}}; # example: account.eu-ger-1.siasky.net
-
-		set_by_lua_block $skynet_portal_domain { return "{{SERVER_DOMAIN}}" }
-		set_by_lua_block $skynet_server_domain { return "{{SERVER_DOMAIN}}" }
-
-		include /etc/nginx/conf.d/server/server.account;
-		
-		set_by_lua_block $server_alias { return string.match("{{SERVER_DOMAIN}}", "^([^.]+)") }
-	}
-	{{/SERVER_DOMAIN}}
-{{/ACCOUNTS_ENABLED}}

docker/nginx/conf.d.templates/server.account.conf.template

@@ -0,0 +1,39 @@
+server {
+	server_name account.${PORTAL_DOMAIN}; # example: account.siasky.net
+	
+	include /etc/nginx/conf.d/server/server.http;
+}
+
+server {
+	server_name account.${PORTAL_DOMAIN}; # example: account.siasky.net
+
+	set_by_lua_block $skynet_portal_domain { return "${PORTAL_DOMAIN}" }
+	set_by_lua_block $skynet_server_domain {
+		-- fall back to portal domain if server domain is not defined
+		if "${SERVER_DOMAIN}" == "" then
+			return "${PORTAL_DOMAIN}"
+		end
+		return "${SERVER_DOMAIN}"
+	}
+
+	include /etc/nginx/conf.d/server/server.account;
+}
+
+server {
+	server_name account.${SERVER_DOMAIN}; # example: account.eu-ger-1.siasky.net
+
+	include /etc/nginx/conf.d/server/server.http;
+
+	set_by_lua_block $server_alias { return string.match("${SERVER_DOMAIN}", "^([^.]+)") }
+}
+
+server {
+	server_name account.${SERVER_DOMAIN}; # example: account.eu-ger-1.siasky.net
+
+	set_by_lua_block $skynet_portal_domain { return "${SERVER_DOMAIN}" }
+	set_by_lua_block $skynet_server_domain { return "${SERVER_DOMAIN}" }
+
+	include /etc/nginx/conf.d/server/server.account;
+	
+	set_by_lua_block $server_alias { return string.match("${SERVER_DOMAIN}", "^([^.]+)") }
+}

docker/nginx/conf.d.templates/server.api.conf

@@ -1,43 +0,0 @@
-{{#PORTAL_DOMAIN}}
-server {
-	server_name {{PORTAL_DOMAIN}}; # example: siasky.net
-	
-	include /etc/nginx/conf.d/server/server.http;
-}
-
-server {
-	server_name {{PORTAL_DOMAIN}}; # example: siasky.net
-
-	set_by_lua_block $skynet_portal_domain { return "{{PORTAL_DOMAIN}}" }
-	set_by_lua_block $skynet_server_domain {
-		-- fall back to portal domain if server domain is not defined
-		if "{{SERVER_DOMAIN}}" == "" then
-			return "{{PORTAL_DOMAIN}}"
-		end
-		return "{{SERVER_DOMAIN}}"
-	}
-
-	include /etc/nginx/conf.d/server/server.api;
-}
-{{/PORTAL_DOMAIN}}
-
-{{#SERVER_DOMAIN}}
-server {
-	server_name {{SERVER_DOMAIN}}; # example: eu-ger-1.siasky.net
-
-	include /etc/nginx/conf.d/server/server.http;
-
-	set_by_lua_block $server_alias { return string.match("{{SERVER_DOMAIN}}", "^([^.]+)") }
-}
-
-server {
-	server_name {{SERVER_DOMAIN}}; # example: eu-ger-1.siasky.net
-
-	set_by_lua_block $skynet_portal_domain { return "{{SERVER_DOMAIN}}" }
-	set_by_lua_block $skynet_server_domain { return "{{SERVER_DOMAIN}}" }
-
-	include /etc/nginx/conf.d/server/server.api;
-	
-	set_by_lua_block $server_alias { return string.match("{{SERVER_DOMAIN}}", "^([^.]+)") }
-}
-{{/SERVER_DOMAIN}}

docker/nginx/conf.d.templates/server.api.conf.template

@@ -0,0 +1,39 @@
+server {
+	server_name ${PORTAL_DOMAIN}; # example: siasky.net
+	
+	include /etc/nginx/conf.d/server/server.http;
+}
+
+server {
+	server_name ${PORTAL_DOMAIN}; # example: siasky.net
+
+	set_by_lua_block $skynet_portal_domain { return "${PORTAL_DOMAIN}" }
+	set_by_lua_block $skynet_server_domain {
+		-- fall back to portal domain if server domain is not defined
+		if "${SERVER_DOMAIN}" == "" then
+			return "${PORTAL_DOMAIN}"
+		end
+		return "${SERVER_DOMAIN}"
+	}
+
+	include /etc/nginx/conf.d/server/server.api;
+}
+
+server {
+	server_name ${SERVER_DOMAIN}; # example: eu-ger-1.siasky.net
+
+	include /etc/nginx/conf.d/server/server.http;
+
+	set_by_lua_block $server_alias { return string.match("${SERVER_DOMAIN}", "^([^.]+)") }
+}
+
+server {
+	server_name ${SERVER_DOMAIN}; # example: eu-ger-1.siasky.net
+
+	set_by_lua_block $skynet_portal_domain { return "${SERVER_DOMAIN}" }
+	set_by_lua_block $skynet_server_domain { return "${SERVER_DOMAIN}" }
+
+	include /etc/nginx/conf.d/server/server.api;
+	
+	set_by_lua_block $server_alias { return string.match("${SERVER_DOMAIN}", "^([^.]+)") }
+}

docker/nginx/conf.d.templates/server.dnslink.conf.template

@@ -12,13 +12,13 @@ server {
     ssl_certificate     /etc/ssl/local-certificate.crt;
     ssl_certificate_key /etc/ssl/local-certificate.key;
 
-    set_by_lua_block $skynet_portal_domain { return "{{PORTAL_DOMAIN}}" }
+    set_by_lua_block $skynet_portal_domain { return "${PORTAL_DOMAIN}" }
     set_by_lua_block $skynet_server_domain {
         -- fall back to portal domain if server domain is not defined
-        if "{{SERVER_DOMAIN}}" == "" then
-            return "{{PORTAL_DOMAIN}}"
+        if "${SERVER_DOMAIN}" == "" then
+            return "${PORTAL_DOMAIN}"
         end
-        return "{{SERVER_DOMAIN}}"
+        return "${SERVER_DOMAIN}"
     }
 
     include /etc/nginx/conf.d/server/server.dnslink;

docker/nginx/conf.d.templates/server.hns.conf

@@ -1,45 +0,0 @@
-{{#PORTAL_DOMAIN}}
-server {
-	server_name *.hns.{{PORTAL_DOMAIN}}; # example: *.hns.siasky.net
-	
-	include /etc/nginx/conf.d/server/server.http;
-}
-
-server {
-	server_name *.hns.{{PORTAL_DOMAIN}}; # example: *.hns.siasky.net
-	
-	set_by_lua_block $skynet_portal_domain { return "{{PORTAL_DOMAIN}}" }
-	set_by_lua_block $skynet_server_domain {
-		-- fall back to portal domain if server domain is not defined
-		if "{{SERVER_DOMAIN}}" == "" then
-			return "{{PORTAL_DOMAIN}}"
-		end
-		return "{{SERVER_DOMAIN}}"
-	}
-
-	proxy_set_header Host {{PORTAL_DOMAIN}};
-	include /etc/nginx/conf.d/server/server.hns;
-}
-{{/PORTAL_DOMAIN}}
-
-{{#SERVER_DOMAIN}}
-server {
-	server_name *.hns.{{SERVER_DOMAIN}}; # example: *.hns.eu-ger-1.siasky.net
-	
-	include /etc/nginx/conf.d/server/server.http;
-
-	set_by_lua_block $server_alias { return string.match("{{SERVER_DOMAIN}}", "^([^.]+)") }
-}
-
-server {
-	server_name *.hns.{{SERVER_DOMAIN}}; # example: *.hns.eu-ger-1.siasky.net
-	
-	set_by_lua_block $skynet_portal_domain { return "{{SERVER_DOMAIN}}" }
-	set_by_lua_block $skynet_server_domain { return "{{SERVER_DOMAIN}}" }
-    
-	proxy_set_header Host {{SERVER_DOMAIN}};
-	include /etc/nginx/conf.d/server/server.hns;
-	
-	set_by_lua_block $server_alias { return string.match("{{SERVER_DOMAIN}}", "^([^.]+)") }
-}
-{{/SERVER_DOMAIN}}

docker/nginx/conf.d.templates/server.hns.conf.template

@@ -0,0 +1,41 @@
+server {
+	server_name *.hns.${PORTAL_DOMAIN}; # example: *.hns.siasky.net
+	
+	include /etc/nginx/conf.d/server/server.http;
+}
+
+server {
+	server_name *.hns.${PORTAL_DOMAIN}; # example: *.hns.siasky.net
+	
+	set_by_lua_block $skynet_portal_domain { return "${PORTAL_DOMAIN}" }
+	set_by_lua_block $skynet_server_domain {
+		-- fall back to portal domain if server domain is not defined
+		if "${SERVER_DOMAIN}" == "" then
+			return "${PORTAL_DOMAIN}"
+		end
+		return "${SERVER_DOMAIN}"
+	}
+
+	proxy_set_header Host ${PORTAL_DOMAIN};
+	include /etc/nginx/conf.d/server/server.hns;
+}
+
+server {
+	server_name *.hns.${SERVER_DOMAIN}; # example: *.hns.eu-ger-1.siasky.net
+	
+	include /etc/nginx/conf.d/server/server.http;
+
+	set_by_lua_block $server_alias { return string.match("${SERVER_DOMAIN}", "^([^.]+)") }
+}
+
+server {
+	server_name *.hns.${SERVER_DOMAIN}; # example: *.hns.eu-ger-1.siasky.net
+	
+	set_by_lua_block $skynet_portal_domain { return "${SERVER_DOMAIN}" }
+	set_by_lua_block $skynet_server_domain { return "${SERVER_DOMAIN}" }
+    
+	proxy_set_header Host ${SERVER_DOMAIN};
+	include /etc/nginx/conf.d/server/server.hns;
+	
+	set_by_lua_block $server_alias { return string.match("${SERVER_DOMAIN}", "^([^.]+)") }
+}

docker/nginx/conf.d.templates/server.skylink.conf

@@ -1,43 +0,0 @@
-{{#PORTAL_DOMAIN}}
-server {
-	server_name *.{{PORTAL_DOMAIN}}; # example: *.siasky.net
-
-	include /etc/nginx/conf.d/server/server.http;
-}
-
-server {
-	server_name *.{{PORTAL_DOMAIN}}; # example: *.siasky.net
-	
-	set_by_lua_block $skynet_portal_domain { return "{{PORTAL_DOMAIN}}" }
-	set_by_lua_block $skynet_server_domain {
-		-- fall back to portal domain if server domain is not defined
-		if "{{SERVER_DOMAIN}}" == "" then
-			return "{{PORTAL_DOMAIN}}"
-		end
-		return "{{SERVER_DOMAIN}}"
-	}
-
-	include /etc/nginx/conf.d/server/server.skylink;
-}
-{{/PORTAL_DOMAIN}}
-
-{{#SERVER_DOMAIN}}
-server {
-	server_name *.{{SERVER_DOMAIN}}; # example: *.eu-ger-1.siasky.net
-
-	include /etc/nginx/conf.d/server/server.http;
-
-	set_by_lua_block $server_alias { return string.match("{{SERVER_DOMAIN}}", "^([^.]+)") }
-}
-
-server {
-	server_name *.{{SERVER_DOMAIN}}; # example: *.eu-ger-1.siasky.net
-
-	set_by_lua_block $skynet_portal_domain { return "{{SERVER_DOMAIN}}" }
-	set_by_lua_block $skynet_server_domain { return "{{SERVER_DOMAIN}}" }
-	
-	include /etc/nginx/conf.d/server/server.skylink;
-	
-	set_by_lua_block $server_alias { return string.match("{{SERVER_DOMAIN}}", "^([^.]+)") }
-}
-{{/SERVER_DOMAIN}}

docker/nginx/conf.d.templates/server.skylink.conf.template

@@ -0,0 +1,39 @@
+server {
+	server_name *.${PORTAL_DOMAIN}; # example: *.siasky.net
+
+	include /etc/nginx/conf.d/server/server.http;
+}
+
+server {
+	server_name *.${PORTAL_DOMAIN}; # example: *.siasky.net
+	
+	set_by_lua_block $skynet_portal_domain { return "${PORTAL_DOMAIN}" }
+	set_by_lua_block $skynet_server_domain {
+		-- fall back to portal domain if server domain is not defined
+		if "${SERVER_DOMAIN}" == "" then
+			return "${PORTAL_DOMAIN}"
+		end
+		return "${SERVER_DOMAIN}"
+	}
+
+	include /etc/nginx/conf.d/server/server.skylink;
+}
+
+server {
+	server_name *.${SERVER_DOMAIN}; # example: *.eu-ger-1.siasky.net
+
+	include /etc/nginx/conf.d/server/server.http;
+
+	set_by_lua_block $server_alias { return string.match("${SERVER_DOMAIN}", "^([^.]+)") }
+}
+
+server {
+	server_name *.${SERVER_DOMAIN}; # example: *.eu-ger-1.siasky.net
+
+	set_by_lua_block $skynet_portal_domain { return "${SERVER_DOMAIN}" }
+	set_by_lua_block $skynet_server_domain { return "${SERVER_DOMAIN}" }
+	
+	include /etc/nginx/conf.d/server/server.skylink;
+	
+	set_by_lua_block $server_alias { return string.match("${SERVER_DOMAIN}", "^([^.]+)") }
+}

docker/nginx/docker-entrypoint.d/20-envsubst-on-templates.sh

@@ -0,0 +1,36 @@
+#!/bin/sh
+
+# https://github.com/nginxinc/docker-nginx/blob/master/entrypoint/20-envsubst-on-templates.sh
+# Copyright (C) 2011-2016 Nginx, Inc.
+# All rights reserved.
+
+set -e
+
+ME=$(basename $0)
+
+auto_envsubst() {
+  local template_dir="${NGINX_ENVSUBST_TEMPLATE_DIR:-/etc/nginx/templates}"
+  local suffix="${NGINX_ENVSUBST_TEMPLATE_SUFFIX:-.template}"
+  local output_dir="${NGINX_ENVSUBST_OUTPUT_DIR:-/etc/nginx/conf.d}"
+
+  local template defined_envs relative_path output_path subdir
+  defined_envs=$(printf '${%s} ' $(env | cut -d= -f1))
+  [ -d "$template_dir" ] || return 0
+  if [ ! -w "$output_dir" ]; then
+    echo >&3 "$ME: ERROR: $template_dir exists, but $output_dir is not writable"
+    return 0
+  fi
+  find "$template_dir" -follow -type f -name "*$suffix" -print | while read -r template; do
+    relative_path="${template#$template_dir/}"
+    output_path="$output_dir/${relative_path%$suffix}"
+    subdir=$(dirname "$relative_path")
+    # create a subdirectory where the template file exists
+    mkdir -p "$output_dir/$subdir"
+    echo >&3 "$ME: Running envsubst on $template to $output_path"
+    envsubst "$defined_envs" < "$template" > "$output_path"
+  done
+}
+
+auto_envsubst
+
+exit 0

docker/nginx/docker-entrypoint.d/40-reload-every-x-hours.sh

@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# source: https://github.com/nginxinc/docker-nginx/pull/509
+
+set -e
+
+ME=$(basename $0)
+
+[ "${NGINX_ENTRYPOINT_RELOAD_EVERY_X_HOURS:-}" ] || exit 0
+if [ $(echo "$NGINX_ENTRYPOINT_RELOAD_EVERY_X_HOURS > 0" | bc) = 0 ]; then
+  echo >&3 "$ME: Error. Provide integer or floating point number greater that 0. See 'man sleep'." 
+  exit 1
+fi
+
+start_background_reload() {
+  echo >&3 "$ME: Reloading Nginx every $NGINX_ENTRYPOINT_RELOAD_EVERY_X_HOURS hour(s)"
+  while :; do sleep ${NGINX_ENTRYPOINT_RELOAD_EVERY_X_HOURS}h; echo >&3 "$ME: Reloading Nginx ..." && nginx -s reload; done &
+}
+
+start_background_reload

docker/nginx/docker-entrypoint.d/50-generate-local-certificate.sh

@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# Generate locally signed ssl certificate to be used on routes
+# that do not require certificate issued by trusted CA
+
+set -e
+
+ME=$(basename $0)
+
+generate_local_certificate() {  
+  echo >&3 "$ME: Generating locally signed ssl certificate"
+  openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
+    -subj '/CN=local-certificate' \
+    -keyout /etc/ssl/local-certificate.key \
+    -out /etc/ssl/local-certificate.crt
+}
+
+generate_local_certificate

docker/nginx/docker-entrypoint.sh

@@ -0,0 +1,42 @@
+#!/bin/sh
+# vim:sw=4:ts=4:et
+
+# https://github.com/nginxinc/docker-nginx/blob/master/entrypoint/docker-entrypoint.sh
+# Copyright (C) 2011-2016 Nginx, Inc.
+# All rights reserved.
+
+set -e
+
+if [ -z "${NGINX_ENTRYPOINT_QUIET_LOGS:-}" ]; then
+    exec 3>&1
+else
+    exec 3>/dev/null
+fi
+
+if [ "$1" = "nginx" -o "$1" = "nginx-debug" ]; then
+    if /usr/bin/find "/docker-entrypoint.d/" -mindepth 1 -maxdepth 1 -type f -print -quit 2>/dev/null | read v; then
+        echo >&3 "$0: /docker-entrypoint.d/ is not empty, will attempt to perform configuration"
+
+        echo >&3 "$0: Looking for shell scripts in /docker-entrypoint.d/"
+        find "/docker-entrypoint.d/" -follow -type f -print | sort -V | while read -r f; do
+            case "$f" in
+                *.sh)
+                    if [ -x "$f" ]; then
+                        echo >&3 "$0: Launching $f";
+                        "$f"
+                    else
+                        # warn on shell scripts without exec bit
+                        echo >&3 "$0: Ignoring $f, not executable";
+                    fi
+                    ;;
+                *) echo >&3 "$0: Ignoring $f";;
+            esac
+        done
+
+        echo >&3 "$0: Configuration complete; ready for start up"
+    else
+        echo >&3 "$0: No files found in /docker-entrypoint.d/, skipping configuration"
+    fi
+fi
+
+exec "$@"

docker/nginx/nginx.conf

@@ -19,6 +19,9 @@
 user root;
 worker_processes auto;
 
+# Enables the use of JIT for regular expressions to speed-up their processing.
+pcre_jit on;
+
 #error_log  logs/error.log;
 #error_log  logs/error.log  notice;
 #error_log  logs/error.log  info;