nginx
diff --git a/‎Dockerfile.buildkit.plus‎
Lines changed: 0 additions & 104 deletions b/‎Dockerfile.buildkit.plus‎
Lines changed: 0 additions & 104 deletions
diff --git a/‎Dockerfile.oss‎
Lines changed: 9 additions & 13 deletions b/‎Dockerfile.oss‎
Lines changed: 9 additions & 13 deletions
diff --git a/‎Dockerfile.plus‎
Lines changed: 19 additions & 76 deletions b/‎Dockerfile.plus‎
Lines changed: 19 additions & 76 deletions
diff --git a/‎common/docker-entrypoint.d/00-check-for-required-env.sh‎
Lines changed: 0 additions & 18 deletions b/‎common/docker-entrypoint.d/00-check-for-required-env.sh‎
Lines changed: 0 additions & 18 deletions
diff --git a/‎common/docker-entrypoint.sh‎ renamed to ‎common/docker-entrypoint.d/01-set-defaults.envsh‎
Lines changed: 13 additions & 49 deletions b/‎common/docker-entrypoint.sh‎ renamed to ‎common/docker-entrypoint.d/01-set-defaults.envsh‎
Lines changed: 13 additions & 49 deletions
@@ -1,8 +1,4 @@
-FROM nginx:1.29.0@sha256:f5c017fb33c6db484545793ffb67db51cdd7daebee472104612f73a85063f889
-
-# NJS env vars
-ENV NJS_VERSION=0.9.0
-ENV NJS_RELEASE=1~bookworm
+FROM nginx:1.29.1@sha256:d5f28ef21aabddd098f3dbc21fe5b7a7d7a184720bc07da0b6c9b9820e97f25e
 
 # Proxy cache env vars
 ENV PROXY_CACHE_MAX_SIZE=10g
@@ -27,20 +23,20 @@ ENV PREFIX_LEADING_DIRECTORY_PATH=""
 # 3. Adding a directory for proxied objects to be stored.
 # 4. Replacing the entrypoint script with a modified version that explicitly sets resolvers.
 
+# Note: the PKG_RELEASE environment variable is inherited
+
 RUN set -x \
-    && echo "deb [signed-by=/etc/apt/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian/ $(echo $PKG_RELEASE | cut -f2 -d~) nginx" >> /etc/apt/sources.list.d/nginx.list; \
-    apt-get update \
+    && echo "deb [signed-by=/etc/apt/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian/ $(echo $PKG_RELEASE | cut -f2 -d~) nginx" >> /etc/apt/sources.list.d/nginx.list \
+    && apt-get update \
     && apt-get install --no-install-recommends --no-install-suggests -y \
-      libedit2 \
-      nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_RELEASE} \
-    && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list
+      libedit2 nginx-module-njs nginx-module-xslt \
+    && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/*
 
-COPY oss/etc /etc
+COPY oss/etc/nginx /etc/nginx
 COPY common/etc /etc
-COPY common/docker-entrypoint.sh /docker-entrypoint.sh
 COPY common/docker-entrypoint.d /docker-entrypoint.d/
 
 RUN set -x \
     && mkdir -p /var/cache/nginx/s3_proxy \
     && chown nginx:nginx /var/cache/nginx/s3_proxy \
-    && chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh;
+    && find /docker-entrypoint.d -type f \( -name '*.sh' -or -name '*.envsh' \) -exec chmod -v +x {} \;
@@ -1,13 +1,7 @@
-FROM debian:bookworm-slim@sha256:b1211f6d19afd012477bd34fdcabb6b663d680e0f4b0537da6e6b0fd057a3ec3
+# Pull from NGINX image that provides the XSLT module and supporting libraries
+FROM private-registry.nginx.com/nginx-plus/modules:r35-xslt-debian@sha256:3eaa85dca47e31b9a6648bcaf6034f076cd59be9b1510b25fd1bbe1144f0bb48 AS xslt
 
-# Create RELEASE argument
-ARG RELEASE=bookworm
-
-# NJS env vars
-ENV NGINX_VERSION=34
-ENV NGINX_PKG_RELEASE=1~${RELEASE}
-ENV NJS_VERSION=0.9.0
-ENV NJS_PKG_RELEASE=1~${RELEASE}
+FROM private-registry.nginx.com/nginx-plus/base:r35-debian-bookworm@sha256:9a82ad3f96d58be861257efd621f215d599e226ebedd24d9f3211bdd743c3c27
 
 # Proxy cache env vars
 ENV PROXY_CACHE_MAX_SIZE=10g
@@ -26,76 +20,25 @@ ENV DIRECTORY_LISTING_PATH_PREFIX=""
 ENV STRIP_LEADING_DIRECTORY_PATH=""
 ENV PREFIX_LEADING_DIRECTORY_PATH=""
 
-# We create an NGINX Plus image based on the official NGINX Plus Dockerfiles (https://gist.github.com/nginx-gists/36e97fc87efb5cf0039978c8e41a34b5) and modify it by:
-# 1. Explicitly installing the version of njs coded in the environment variable above.
-# 2. Adding configuration files needed for proxying private S3 buckets.
-# 3. Adding a directory for proxied objects to be stored.
-# 4. Adding the entrypoint scripts found in the base NGINX OSS Docker image with a modified version that explicitly sets resolvers.
-
-# Download your NGINX license certificate and key from the F5 customer portal (https://account.f5.com) and copy it to the build context
-COPY plus/etc/ssl /etc/ssl
-
-RUN set -x \
-# Create nginx user/group first, to be consistent throughout Docker variants
-    && groupadd --system --gid 101 nginx \
-    && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
-    && apt-get update \
-    && apt-get install --no-install-recommends --no-install-suggests -y ca-certificates gnupg1 lsb-release \
-    && \
-    NGINX_GPGKEYS="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 8540A6F18833A80E9C1653A42FD21310B49F6B46 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3"; \
-    NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \
-    export GNUPGHOME="$(mktemp -d)"; \
-    found=''; \
-    for NGINX_GPGKEY in $NGINX_GPGKEYS; do \
-    for server in \
-        hkp://keyserver.ubuntu.com:80 \
-        pgp.mit.edu \
-    ; do \
-        echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
-        gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
-    done; \
-    test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
-    done; \
-    gpg1 --export $NGINX_GPGKEYS > "$NGINX_GPGKEY_PATH" ; \
-    rm -rf "$GNUPGHOME"; \
-    apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \
-# Install the latest release of NGINX Plus and/or NGINX Plus modules (written and maintained by F5)
-    && nginxPackages=" \
-        nginx-plus=${NGINX_VERSION}-${NGINX_PKG_RELEASE} \
-        nginx-plus-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_PKG_RELEASE} \
-        nginx-plus-module-xslt=${NGINX_VERSION}-${NGINX_PKG_RELEASE} \
-    " \
-    && echo "Acquire::https::pkgs.nginx.com::Verify-Peer \"true\";" > /etc/apt/apt.conf.d/90nginx \
-    && echo "Acquire::https::pkgs.nginx.com::Verify-Host \"true\";" >> /etc/apt/apt.conf.d/90nginx \
-    && echo "Acquire::https::pkgs.nginx.com::SslCert     \"/etc/ssl/nginx/nginx-repo.crt\";" >> /etc/apt/apt.conf.d/90nginx \
-    && echo "Acquire::https::pkgs.nginx.com::SslKey      \"/etc/ssl/nginx/nginx-repo.key\";" >> /etc/apt/apt.conf.d/90nginx \
-    && echo "deb [signed-by=$NGINX_GPGKEY_PATH] https://pkgs.nginx.com/plus/debian `lsb_release -cs` nginx-plus\n" > /etc/apt/sources.list.d/nginx-plus.list \
-    && apt-get update \
-    && apt-get install --no-install-recommends --no-install-suggests -y $nginxPackages curl gettext-base \
-    && apt-get remove --purge -y lsb-release \
-    && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx-plus.list \
-    && rm -rf /etc/apt/apt.conf.d/90nginx /etc/ssl/nginx \
-# Forward request logs to Docker log collector
-    && ln -sf /dev/stdout /var/log/nginx/access.log \
-    && ln -sf /dev/stderr /var/log/nginx/error.log
-
-EXPOSE 80
-
-STOPSIGNAL SIGTERM
-
-CMD ["nginx", "-g", "daemon off;"]
-
 # Copy files from the OSS NGINX Docker container such that the container
 # startup is the same.
+COPY --from=xslt /usr/lib/nginx/ /usr/lib/nginx/
+
 COPY plus/etc/nginx /etc/nginx
 COPY common/etc /etc
-COPY common/docker-entrypoint.sh /docker-entrypoint.sh
 COPY common/docker-entrypoint.d /docker-entrypoint.d/
-COPY plus/docker-entrypoint.d /docker-entrypoint.d/
-
-RUN set -x \
-    && mkdir -p /var/cache/nginx/s3_proxy \
-    && chown nginx:nginx /var/cache/nginx/s3_proxy \
-    && chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh;
 
-ENTRYPOINT ["/docker-entrypoint.sh"]
+RUN <<EOF
+    set -eux
+    apt-get update -qq
+    apt-get install --no-install-recommends --no-install-suggests -y \
+      gettext-base libxml2 libxslt1.1
+    apt-get remove --purge --auto-remove -y
+    rm -rf /usr/share/doc/ /usr/share/lintian /var/lib/apt/lists
+
+    cat /etc/nginx/nginx-license.conf >> /etc/nginx/nginx.conf; \
+    rm /etc/nginx/nginx-license.conf; \
+    mkdir -p /var/cache/nginx/s3_proxy; \
+    chown nginx:nginx /var/cache/nginx/s3_proxy; \
+    find /docker-entrypoint.d -type f \( -name '*.sh' -or -name '*.envsh' \) -exec chmod -v +x {} \;
+EOF
@@ -130,21 +130,3 @@ fi
 if [ $failed -gt 0 ]; then
   exit 1
 fi
-
-echo "S3 Backend Environment"
-echo "Service: ${S3_SERVICE:-s3}"
-echo "Access Key ID: ${AWS_ACCESS_KEY_ID}"
-echo "Origin: ${S3_SERVER_PROTO}://${S3_BUCKET_NAME}.${S3_SERVER}:${S3_SERVER_PORT}"
-echo "Region: ${S3_REGION}"
-echo "Addressing Style: ${S3_STYLE}"
-echo "AWS Signatures Version: v${AWS_SIGS_VERSION}"
-echo "DNS Resolvers: ${DNS_RESOLVERS}"
-echo "Directory Listing Enabled: ${ALLOW_DIRECTORY_LIST}"
-echo "Directory Listing Path Prefix: ${DIRECTORY_LISTING_PATH_PREFIX}"
-echo "Provide Index Pages Enabled: ${PROVIDE_INDEX_PAGE}"
-echo "Append slash for directory enabled: ${APPEND_SLASH_FOR_POSSIBLE_DIRECTORY}"
-echo "Stripping the following headers from responses: x-amz-;${HEADER_PREFIXES_TO_STRIP}"
-echo "Allow the following headers from responses (these take precedence over the above): ${HEADER_PREFIXES_ALLOWED}"
-echo "CORS Enabled: ${CORS_ENABLED}"
-echo "CORS Allow Private Network Access: ${CORS_ALLOW_PRIVATE_NETWORK_ACCESS}"
-echo "Proxy cache using stale setting: ${PROXY_CACHE_USE_STALE}"
@@ -1,4 +1,4 @@
-#!/usr/bin/bash
+#!/bin/sh
 #
 #  Copyright 2020 F5 Networks
 #
@@ -15,9 +15,7 @@
 #  limitations under the License.
 #
 
-# vim:sw=4:ts=4:et
-
-set -e
+set -eu
 
 parseBoolean() {
   case "$1" in
@@ -31,7 +29,7 @@ parseBoolean() {
 }
 
 # This line is an addition to the NGINX Docker image's entrypoint script.
-if [ -z ${DNS_RESOLVERS+x} ]; then
+if [ "${DNS_RESOLVERS+x}" = "" ]; then
     resolvers=""
 
     # This method of pulling individual nameservers from
@@ -46,31 +44,33 @@ if [ -z ${DNS_RESOLVERS+x} ]; then
           resolvers="$resolvers $ip"
         fi
     done
-    export DNS_RESOLVERS="${resolvers}"
+    DNS_RESOLVERS="${resolvers}"
+    export DNS_RESOLVERS
 fi
 
 # Normalize the CORS_ENABLED environment variable to a numeric value
 # so that it can be easily parsed in the nginx configuration.
-export CORS_ENABLED="$(parseBoolean "${CORS_ENABLED}")"
+CORS_ENABLED="$(parseBoolean "${CORS_ENABLED}")"
+export CORS_ENABLED
 
 # By enabling CORS, we also need to enable the OPTIONS method which
 # is not normally used as part of the gateway. The following variable
 # defines the set of acceptable headers.
-if [ "${CORS_ENABLED}" == "1" ]; then
+if [ "${CORS_ENABLED}" = "1" ]; then
   export LIMIT_METHODS_TO="GET HEAD OPTIONS"
   export LIMIT_METHODS_TO_CSV="GET, HEAD, OPTIONS"
 else
   export LIMIT_METHODS_TO="GET HEAD"
   export LIMIT_METHODS_TO_CSV="GET, HEAD"
 fi
 
-if [ -z "${CORS_ALLOWED_ORIGIN+x}" ]; then
+if [ "${CORS_ALLOWED_ORIGIN+x}" = "" ]; then
   export CORS_ALLOWED_ORIGIN="*"
 fi
 
 # See documentation for this feature. We do not parse this as a boolean
 # since "true" and "false" are the required values of the header this populates
-if [ "${CORS_ALLOW_PRIVATE_NETWORK_ACCESS}" != "true" ] && [ "${CORS_ALLOW_PRIVATE_NETWORK_ACCESS}" != "false" ]; then
+if [ "${CORS_ALLOW_PRIVATE_NETWORK_ACCESS+x}" != "true" ] && [ "${CORS_ALLOW_PRIVATE_NETWORK_ACCESS+x}" != "false" ]; then
   export CORS_ALLOW_PRIVATE_NETWORK_ACCESS=""
 fi
 
@@ -83,10 +83,10 @@ fi
 
 # S3_UPSTREAM needs the port specified. The port must
 # correspond to https/http in the proxy_pass directive.
-if [ "${S3_STYLE}" == "virtual-v2" ]; then
+if [ "${S3_STYLE}" = "virtual-v2" ]; then
   export S3_UPSTREAM="${S3_BUCKET_NAME}.${S3_SERVER}:${S3_SERVER_PORT}"
   export S3_HOST_HEADER="${S3_BUCKET_NAME}.${S3_SERVER}:${S3_SERVER_PORT}"
-elif [ "${S3_STYLE}" == "path" ]; then
+elif [ "${S3_STYLE}" = "path" ]; then
   export S3_UPSTREAM="${S3_SERVER}:${S3_SERVER_PORT}"
   export S3_HOST_HEADER="${S3_SERVER}:${S3_SERVER_PORT}"
 else
@@ -95,42 +95,6 @@ else
 fi
 
 # Use default proxy_cache_use_stale settings if the variable is not defined
-if [[ ! -v PROXY_CACHE_USE_STALE ]]; then
+if [ "${PROXY_CACHE_USE_STALE+x}" = "" ]; then
   export PROXY_CACHE_USE_STALE="error timeout http_500 http_502 http_503 http_504"
 fi
-
-# Nothing is modified under this line
-
-if [ -z "${NGINX_ENTRYPOINT_QUIET_LOGS:-}" ]; then
-    exec 3>&1
-else
-    exec 3>/dev/null
-fi
-
-if [ "$1" = "nginx" -o "$1" = "nginx-debug" ]; then
-    if /usr/bin/find "/docker-entrypoint.d/" -mindepth 1 -maxdepth 1 -type f -print -quit 2>/dev/null | read v; then
-        echo >&3 "$0: /docker-entrypoint.d/ is not empty, will attempt to perform configuration"
-
-        echo >&3 "$0: Looking for shell scripts in /docker-entrypoint.d/"
-        find "/docker-entrypoint.d/" -follow -type f -print | sort -n | while read -r f; do
-            case "$f" in
-                *.sh)
-                    if [ -x "$f" ]; then
-                        echo >&3 "$0: Launching $f";
-                        "$f"
-                    else
-                        # warn on shell scripts without exec bit
-                        echo >&3 "$0: Ignoring $f, not executable";
-                    fi
-                    ;;
-                *) echo >&3 "$0: Ignoring $f";;
-            esac
-        done
-
-        echo >&3 "$0: Configuration complete; ready for start up"
-    else
-        echo >&3 "$0: No files found in /docker-entrypoint.d/, skipping configuration"
-    fi
-fi
-
-exec "$@"