Initial Commit

.dockerignore

@@ -0,0 +1,3 @@
+.git/
+.gitignore
+node_modules/

Dockerfile

@@ -0,0 +1,58 @@
+#@IgnoreInspection BashAddShebang
+FROM debian:jessie
+
+MAINTAINER Franz Josef Kaiser <[email protected]>
+
+ENV DEBIAN_FRONTEND noninteractive
+ENV NGINX_VERSION 1.9.10-1~jessie
+ENV TIMEZONE Europe/Vienna
+
+# @TODO NGX_PAGESPEED https://github.com/yappabe/docker-nginx/blob/master/1.9-pagespeed/Dockerfile
+
+# Install nginx, reduce image size
+# Remove man pages
+# (not yet) Exchange full i18n with English-only debconf
+# Remove not needed APT lists and temp files
+RUN apt-key adv \
+		--keyserver hkp://pgp.mit.edu:80 \
+		--recv-keys 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 \
+	&& echo "deb http://nginx.org/packages/mainline/debian/ jessie nginx" >> /etc/apt/sources.list \
+	&& apt-get update \
+	&& apt-get install -y -q --no-install-recommends \
+		lsb-release \
+		ca-certificates \
+		nginx=${NGINX_VERSION} \
+		gettext-base \
+	&& apt-get clean \
+	&& rm -rf /usr/share/man/?? \
+		/usr/share/man/??_* \
+		/var/lib/apt/lists/* \
+		/tmp/* \
+		/var/tmp/*
+
+# Sets timezone
+# Add logs folder for nginx
+# Forward request and error logs to docker log collector
+RUN echo ${TIMEZONE} > /etc/timezone \
+    && dpkg-reconfigure --frontend noninteractive tzdata
+
+# Add Logs directory
+# Symlink StdOut/StdErr to files for use in volumes
+RUN mkdir /etc/nginx/logs \
+	&& ln -sf /dev/stdout /var/log/nginx/access.log \
+	&& ln -sf /dev/stderr /var/log/nginx/error.log
+
+RUN mkdir /var/cache/nginx/temp
+
+# Add available and enabled sites dir
+# Symlink all available sites to enable them
+RUN mkdir /etc/nginx/sites-available/ \
+	&& ln -sf /etc/nginx/sites-available/ /etc/nginx/sites-enabled
+
+VOLUME [ "/var/www", "/var/log/nginx" , "/etc/nginx" ]
+
+#WORKDIR /etc/nginx
+
+EXPOSE 80
+
+CMD [ "nginx", "-g", "daemon off;" ]

Dockspec.rb

@@ -0,0 +1,92 @@
+require "serverspec"
+require "docker-api"
+
+describe "Dockerfile" do
+	before( :all ) do
+		print "Running Tests for Docker\n"
+		print " ---> Docker Version " + Docker.version["Version"] + "\n\n"
+
+		@image = Docker::Image.build_from_dir( "." )
+
+		set :os, family: :debian, :release => '8'
+		set :backend, :docker
+		set :docker_image, @image.id
+
+		@container = Docker::Container.create(
+			'Image' => @image.id
+		)
+		@container.start
+
+		print " ---> Details\n"
+		print "  OS: " + host_inventory["platform"]
+			print " " + host_inventory["platform_version"] + "\n"
+		print "  Docker Container: " + host_inventory["hostname"] + "\n"
+		print "  Memory: " + host_inventory["memory"]["total"] + "\n\n"
+
+		print " ---> Running tests\n"
+	end
+
+	after( :all ) do
+		print "\n\n ---> Cleaning up. Removing container."
+		@container.stop
+		@container.kill
+		@container.delete( :force => true )
+		@image.remove( :force => true )
+	end
+
+	it "Image should exist" do
+		expect( @image ).to_not be_nil
+	end
+
+	it "Installs the right OS" do
+		expect( command( "lsb_release -a" ).stdout ).to include( "Debian" )
+		expect( command( "lsb_release -a" ).stdout ).to include( "jessie" )
+	end
+
+	it "Installs the right OS Version" do
+		expect( command( "cat /etc/debian_version" ).stdout ).to include( "8" )
+	end
+
+	it "Installs 'lsb-release' package" do
+		expect( package( "lsb-release" ) ).to be_installed
+	end
+
+	it "Installs 'ca-certificates' package" do
+		expect( package( "ca-certificates" ) ).to be_installed
+	end
+
+	it "Installs 'gettext-base' package" do
+		expect( package( "gettext-base" ) ).to be_installed
+	end
+
+	it "Installs Nginx" do
+		expect( package( "nginx" ) ).to be_installed
+	end
+
+	it "Nginx service should be enabled and running" do
+		expect( service( "nginx" ) ).to be_enabled
+		expect( service( "nginx" ) ).to be_running
+	end
+
+	it "Nginx process should be running" do
+		expect( process( "nginx" ) ).to be_running
+	end
+
+	it "Has a logs directory and routes stdout to log files" do
+		expect( file( "/etc/nginx/logs" ) ).to exist
+		expect( file( "/etc/nginx/logs" ) ).to be_directory
+		expect( file( "/var/log/nginx/access.log" ) ).to be_symlink
+		expect( file( "/var/log/nginx/error.log" ) ).to be_symlink
+	end
+
+	it "Has a cache directory" do
+		expect( file( "/var/cache/nginx/temp" ) ).to exist
+		expect( file( "/var/cache/nginx/temp" ) ).to be_directory
+	end
+
+	it "Has a sites config and sites enabled directory" do
+		expect( file( "/etc/nginx/sites-available" ) ).to exist
+		expect( file( "/etc/nginx/sites-available" ) ).to be_directory
+		expect( file( "/etc/nginx/sites-enabled" ) ).to be_symlink
+	end
+end

README.md

@@ -0,0 +1,39 @@
+## How To
+
+Test Nginx `.conf` file syntax
+
+	docker exec <CONTAINER NAME> nginx -t
+
+should print
+
+```shell
+nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
+nginx: configuration file /etc/nginx/nginx.conf test is successful
+```
+
+Restart Nginx after `.conf` file changes
+
+	docker exec <CONTAINER NAME> nginx -s reload
+
+## Tests
+
+Currently there are acceptance tests shipped with this package. The specs 
+are run using Ruby and the following Gems:
+
+ * rspec
+ * serverspec
+ * docker-api
+
+To run tests, you need Ruby and the listed Gems installed. The test can 
+be run on the command line:
+
+```shell
+$ Print progress bar/dots while running tests
+$ rspec --format progress Dockspec.rb
+# Short notation
+$ rspec -f p Dockspec.rb
+# Verbose output (Print spec titles) while running tests
+$ rspec --format documentation Dockspec.rb
+# Short notation
+$ rspec -f d Dockspec.rb
+```

compose.yml

@@ -0,0 +1,15 @@
+version: '2'
+
+services:
+    nginx:
+        container_name: nginx
+        build:
+            context: .
+        volumes:
+            - ./sites-available/:/etc/nginx/sites-available/
+            - ./nginx.conf:/etc/nginx/nginx.conf
+            - ./global:/etc/nginx/global/
+        ports:
+            - "80:80"       # Static file server
+            - "3000:3000"   # Nodejs
+        restart: on-failure:3

default.ssl

@@ -0,0 +1,10 @@
+server {
+	listen 443;
+
+	root /var/www/${NGINX_ROOT};
+	index index.html index.htm;
+
+	ssl on;
+	ssl_certificate /etc/nginx/ssl/server.crt;
+	ssl_certificate_key /etc/nginx/ssl/server.key;
+}

global/basic.conf

@@ -0,0 +1,8 @@
+# Basic configuration
+
+include global/directive-only/x-ua-compatible.conf;
+include global/location/expires.conf;
+include global/location/cross-domain-fonts.conf;
+include global/location/protect-system-files.conf;
+include global/location/robots.conf;
+include global/location/favicons.conf;

global/directive-only/cache-file-descriptors.conf

@@ -0,0 +1,19 @@
+# This tells Nginx to cache open file handles, "not found" errors, metadata about files and their permissions, etc.
+#
+# The upside of this is that Nginx can immediately begin sending data when a popular file is requested,
+# and will also know to immediately send a 404 if a file is missing on disk, and so on.
+#
+# However, it also means that the server won't react immediately to changes on disk, which may be undesirable.
+#
+# In the below configuration, inactive files are released from the cache after 20 seconds, whereas
+# active (recently requested) files are re-validated every 30 seconds.
+#
+# Descriptors will not be cached unless they are used at least 2 times within 20 seconds (the inactive time).
+#
+# A maximum of the 1000 most recently used file descriptors can be cached at any time.
+#
+# Production servers with stable file collections will definitely want to enable the cache.
+open_file_cache          max=1000 inactive=20s;
+open_file_cache_valid    30s;
+open_file_cache_min_uses 2;
+open_file_cache_errors   on;

global/directive-only/charset.conf

@@ -0,0 +1,13 @@
+# Specify a charset
+charset utf-8;
+
+# Update charset_types due to updated mime-types
+charset_types
+	text/plain
+	text/xml
+	text/vnd.wap.wml
+	application/x-javascript
+	application/rss+xml
+	text/css
+	application/javascript
+	application/json;

global/directive-only/cookies.conf

@@ -0,0 +1,4 @@
+
+# <domain> <replacement> for "Set-Cookie" header field responses
+proxy_cookie_domain      www.$host $host;
+proxy_cookie_domain      localhost $host;

global/directive-only/cross-domain-insecure.conf

@@ -0,0 +1,14 @@
+# Cross domain AJAX requests
+
+# http://www.w3.org/TR/cors/#access-control-allow-origin-response-header
+
+# **Security Warning**
+# Do not use this without understanding the consequences.
+# This will permit access from any other website.
+#
+add_header "Access-Control-Allow-Origin" "*";
+
+# Instead of using this file, consider using a specific rule such as:
+#
+# Allow access based on [sub]domain:
+#    add_header "Access-Control-Allow-Origin" "subdomain.example.com";

global/directive-only/extra-security.conf

@@ -0,0 +1,25 @@
+# The X-Frame-Options header indicates whether a browser should be allowed
+# to render a page within a frame or iframe.
+add_header X-Frame-Options SAMEORIGIN;
+
+# MIME type sniffing security protection
+# There are very few edge cases where you wouldn't want this enabled.
+add_header X-Content-Type-Options nosniff;
+
+# The X-XSS-Protection header is used by Internet Explorer version 8+
+# The header instructs IE to enable its inbuilt anti-cross-site scripting filter.
+add_header X-XSS-Protection "1; mode=block";
+
+# CSP/Content-Security-Policy to prevent Cross-site scripting (XSS)
+# attacks and malicious eval executions
+# @link http://www.html5rocks.com/en/tutorials/security/content-security-policy/
+
+# with Content Security Policy (CSP) enabled (and a browser that supports it (http://caniuse.com/#feat=contentsecuritypolicy),
+# you can tell the browser that it can only download content from the domains you explicitly allow
+# CSP can be quite difficult to configure, and cause real issues if you get it wrong
+# There is website that helps you generate a policy here http://cspisawesome.com/
+
+# Add logs
+add_header  Content-Security-Policy-Report-Only "default-src 'self'; report-uri /$log_root/csp.warn.log;";
+
+# add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' https://www.google-analytics.com;";

global/directive-only/gzip.conf

@@ -0,0 +1,45 @@
+# Compression
+
+gzip on;
+
+# Enable compression both for HTTP/1.0 and HTTP/1.1
+gzip_http_version 1.0;
+
+# Tell proxies to cache both the gzipped and regular version of a resource
+# whenever the client's Accept-Encoding capabilities header varies;
+# Avoids the issue where a non-gzip capable client (which is extremely rare
+# today) would display gibberish if their proxy gave them the gzipped version
+gzip_vary on;
+
+# Compression level (1-9).
+# 5 is a perfect compromise between size and cpu usage, offering about
+# 75% reduction for most ascii files (almost identical to level 9)
+gzip_comp_level 5;
+
+# Enable Gzip compression for files larger than 0.25Mb in file size
+gzip_min_length 256;
+
+# Compress data even for clients that are connecting to us via proxies,
+# identified by the "Via" header (required for CloudFront).
+gzip_proxied any;
+
+# Compress all output labeled with one of the following MIME-types
+gzip_types
+	text/plain
+	text/css
+	# application/rss+xml
+	# application/atom+xml
+	# application/xhtml+xml
+	# application/xml
+	# text/xml
+	application/vnd.ms-fontobject
+	application/x-font-ttf
+	font/opentype
+	image/svg+xml
+	text/javascript
+	application/javascript
+	application/x-javascript
+	image/x-icon;
+
+# Ignore what Microsoft ignores itself: Internet Explorer
+gzip_disable "MSIE [1-6]\.";

global/directive-only/log.cache.conf

@@ -0,0 +1,8 @@
+# Stores the file descriptors of frequently used logs whose names contain variables
+# At least 2 file uses in 20 seconds to keep the descriptor stay open in cache
+# Maximum 1000 descriptors; Oldest get dropped first
+open_log_file_cache
+	max=1000
+	inactive=20s
+	valid=1m
+	min_uses=2;