changed: initial commit
ammnt committed Sep 21, 2023
0 parents commit 5f22874
Showing 4 changed files with 269 additions and 0 deletions.
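--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -0,0 +1,117 @@
+name: Build and push image📦
+
+on:
+workflow_dispatch:
+schedule:
+- cron: "00 17 * * SAT"
+# push:
+# branches: ["http3"]
+# pull_request:
+# branches: [ "http3" ]
+
+env:
+REGISTRY: ghcr.io
+IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+build:
+if: github.actor == 'ammnt'
+runs-on: ubuntu-latest
+permissions:
+contents: read
+packages: write
+id-token: write
+
+steps:
+- name: Checkout repository
+uses: actions/[email protected]
+
+- name: Install cosign
+if: github.event_name != 'pull_request'
+uses: sigstore/[email protected]
+
+- name: Setup Docker buildx
+uses: docker/[email protected]
+
+- name: Log into ${{ env.REGISTRY }}
+if: github.event_name != 'pull_request'
+uses: docker/[email protected]
+with:
+registry: ${{ env.REGISTRY }}
+username: ${{ github.actor }}
+password: ${{ secrets.GITHUB_TOKEN }}
+
+- name: Log into Docker Hub
+uses: docker/[email protected]
+with:
+username: ${{ secrets.DOCKERHUB_USERNAME }}
+password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+- name: Extract Docker metadata
+id: meta
+uses: docker/[email protected]
+with:
+images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+- name: Build the Docker image
+id: build
+uses: docker/[email protected]
+with:
+provenance: false
+context: .
+platforms: linux/amd64
+load: ${{ github.event_name != 'pull_request' }}
+tags: |
+${{ steps.meta.outputs.tags }}
+ammnt/angie:http3
+labels: ${{ steps.meta.outputs.labels }}
+cache-from: type=gha
+cache-to: type=gha,mode=max
+
+- name: Test the Docker image
+run: |
+docker run --name angie --restart unless-stopped -p 127.0.0.1:8080:8080/tcp -d ammnt/angie:http3
+curl -vki http://127.0.0.1:8080
+- name: Push the Docker image
+id: push
+uses: docker/[email protected]
+with:
+provenance: false
+context: .
+platforms: linux/amd64
+push: ${{ github.event_name != 'pull_request' }}
+tags: |
+${{ steps.meta.outputs.tags }}
+ammnt/angie:http3
+labels: ${{ steps.meta.outputs.labels }}
+cache-from: type=gha
+cache-to: type=gha,mode=max
+
+- name: Sign the published Docker image
+if: ${{ github.event_name != 'pull_request' }}
+env:
+COSIGN_EXPERIMENTAL: "true"
+run: |
+cosign sign -y \
+-a "repo=${{ github.repository }}" \
+-a "workflow=${{ github.workflow }}" \
+-a "ref=${{ github.sha }}" \
+ghcr.io/ammnt/angie:@${{ steps.push.outputs.digest }}
+cosign sign -y \
+-a "repo=${{ github.repository }}" \
+-a "workflow=${{ github.workflow }}" \
+-a "ref=${{ github.sha }}" \
+ammnt/ngiangienx:@${{ steps.push.outputs.digest }}
+- name: Run deploy update on the server
+uses: appleboy/[email protected]
+with:
+host: ${{ secrets.SERVER_HOST }}
+username: ${{ secrets.SERVER_USERNAME }}
+key: ${{ secrets.SERVER_KEY }}
+port: ${{ secrets.SERVER_PORT }}
+script: |
+cd /home/${{ secrets.SERVER_USERNAME }}/agh
+docker-compose pull web dns
+docker-compose up -d web dns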
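Review bot: The image references handed to `cosign sign` look malformed, so the signing step this workflow advertises is likely to fail or sign nothing useful: `ghcr.io/ammnt/angie:@${{ steps.push.outputs.digest }}` puts a tag separator in front of a digest (the build-push-action digest output already carries its `sha256:` prefix, so the reference should read `ghcr.io/ammnt/angie@${{ steps.push.outputs.digest }}`), and the second call signs `ammnt/ngiangienx`, which is not the `ammnt/angie:http3` repository the push step publishes — it should be `ammnt/angie@${{ steps.push.outputs.digest }}`. Nothing on the consumer side enforces those signatures either: the deploy script runs `docker-compose pull web dns`, which pulls whatever mutable tags the compose file names, so a `cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp '^https://github.com/ammnt/angie/' <ref>` before the pull (or pulling by the pushed digest) is what would actually make the signing worthwhile. Every action is also pinned by mutable tag (`actions/[email protected]`, `appleboy/[email protected]`, …) rather than by commit SHA; the SSH action in particular receives the server host, user and private key secrets, so a retagged release could exfiltrate them — pin to full SHAs with the version in a trailing comment. A smaller point: the test step's `curl -vki` has no `-f` and does not wait for the container to come up, so it cannot fail the job on a broken image; `sleep 3 && curl -fsS http://127.0.0.1:8080` would.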
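--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,4 @@
+.DS_Store
+.vscode
+.git
+.env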
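--- a/Dockerfile
+++ b/Dockerfile
@@ -0,0 +1,116 @@
+FROM --platform=linux/amd64 docker.io/library/alpine:latest
+RUN NB_CORES="${BUILD_CORES-$(getconf _NPROCESSORS_CONF)}" \
+&& apk -U upgrade && apk add --no-cache \
+openssl \
+pcre \
+zlib \
+libgcc \
+libstdc++ \
+g++ \
+make \
+build-base \
+linux-headers \
+ca-certificates \
+automake \
+autoconf \
+git \
+talloc \
+talloc-dev \
+libtool \
+pcre-dev \
+zlib-dev \
+binutils \
+gnupg \
+cmake \
+go \
+mercurial \
+libxslt \
+libxslt-dev \
+tini \
+&& cd /tmp && git clone --recursive --depth 1 https://github.com/webserver-llc/angie.git \
+&& sed -i -e 's@"angie/"@" "@g' /tmp/angie/src/core/angie.h \
+&& sed -i -e 's@r->headers_out.server == NULL@0@g' /tmp/angie/src/http/ngx_http_header_filter_module.c \
+&& sed -i -e 's@r->headers_out.server == NULL@0@g' /tmp/angie/src/http/v2/ngx_http_v2_filter_module.c \
+&& sed -i -e 's@r->headers_out.server == NULL@0@g' /tmp/angie/src/http/v3/ngx_http_v3_filter_module.c \
+&& sed -i -e 's@<hr><center>angie</center>@@g' /tmp/angie/src/http/ngx_http_special_response.c \
+&& sed -i -e 's@NGINX_VERSION ".*"@NGINX_VERSION " "@g' /tmp/angie/src/core/nginx.h \
+&& sed -i -e 's@ANGIE_VERSION ".*"@ANGIE_VERSION " "@g' /tmp/angie/src/core/angie.h \
+&& sed -i -e 's/listen 80;/listen 8080;/g' /tmp/angie/conf/angie.conf \
+&& sed -i -e '1i pid /tmp/angie.pid;\n' /tmp/angie/conf/angie.conf \
+&& sed -i -e 's/SSL_OP_CIPHER_SERVER_PREFERENCE);/SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_PRIORITIZE_CHACHA);/g' /tmp/angie/src/event/ngx_event_openssl.c \
+&& addgroup -S angie && adduser -S angie -s /sbin/nologin -G angie --no-create-home \
+&& cd /tmp && git clone --recursive --depth 1 https://github.com/quictls/openssl && hg clone http://hg.nginx.org/njs \
+&& cd /tmp/njs && ./configure && make -j "${NB_CORES}" && make clean \
+&& mkdir /var/cache/angie && cd /tmp/angie && ./auto/configure \
+--prefix=/etc/angie \
+--sbin-path=/usr/sbin/angie \
+--user=angie \
+--group=angie \
+--http-log-path=/tmp/access.log \
+--error-log-path=/tmp/error.log \
+--conf-path=/etc/angie/angie.conf \
+--pid-path=/tmp/angie.pid \
+--lock-path=/tmp/angie.lock \
+--http-client-body-temp-path=/var/cache/angie/client_temp \
+--http-proxy-temp-path=/var/cache/angie/proxy_temp \
+--http-fastcgi-temp-path=/var/cache/angie/fastcgi_temp \
+--with-openssl="/tmp/openssl" \
+--with-openssl-opt=enable-ktls \
+--with-openssl-opt=enable-ec_nistp_64_gcc_128 \
+--with-cc-opt="-O2 -g -m64 -march=westmere -falign-functions=32 -flto -funsafe-math-optimizations -fstack-protector-strong --param=ssp-buffer-size=4 -Wimplicit-fallthrough=0 -Wno-error=strict-aliasing -Wformat -Wno-error=pointer-sign -Wno-implicit-function-declaration -Wno-int-conversion -Wno-error=unused-result -Wno-unused-result -fcode-hoisting -Werror=format-security -Wno-deprecated-declarations -Wp,-D_FORTIFY_SOURCE=2 -DTCP_FASTOPEN=23 -fPIC" \
+--with-ld-opt="-lrt -ltalloc -Wl,-Bsymbolic-functions -lpcre -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie" \
+--with-compat \
+--with-file-aio \
+--with-pcre-jit \
+--with-threads \
+--with-http_realip_module \
+--with-http_stub_status_module \
+--with-http_ssl_module \
+--with-http_v2_module \
+--with-http_v3_module \
+--with-stream \
+--with-stream_realip_module \
+--with-stream_ssl_module \
+--with-stream_ssl_preread_module \
+--without-stream_split_clients_module \
+--without-stream_set_module \
+--without-stream_map_module \
+--without-http_geo_module \
+--without-http_scgi_module \
+--without-http_uwsgi_module \
+--without-http_autoindex_module \
+--without-http_split_clients_module \
+--without-http_memcached_module \
+--without-http_ssi_module \
+--without-http_empty_gif_module \
+--without-http_browser_module \
+--without-http_userid_module \
+--without-http_mirror_module \
+--without-http_referer_module \
+--without-mail_pop3_module \
+--without-mail_imap_module \
+--without-mail_smtp_module \
+--add-module=/tmp/njs/nginx \
+&& make -j "${NB_CORES}" && make install && make clean && strip /usr/sbin/angie* \
+&& chown -R angie:angie /var/cache/angie && chmod -R g+w /var/cache/angie \
+&& chown -R angie:angie /etc/angie && chmod -R g+w /etc/angie \
+&& update-ca-certificates && apk --purge del libgcc libstdc++ g++ make build-base linux-headers automake autoconf git talloc talloc-dev libtool zlib-dev binutils gnupg cmake mercurial go pcre-dev ca-certificates openssl libxslt-dev apk-tools \
+&& rm -rf /tmp/* /var/cache/apk/ /var/cache/misc /root/.gnupg /root/.cache /root/go /etc/apk \
+&& ln -sf /dev/stdout /tmp/access.log && ln -sf /dev/stderr /tmp/error.log
+
+HEALTHCHECK --interval=3s --timeout=1s \
+CMD ["/usr/bin/nc", "-vz", "-w1", "127.0.0.1", "8080"]
+
+ENTRYPOINT [ "/sbin/tini", "--" ]
+
+EXPOSE 8080/tcp 8443/tcp 8443/udp
+LABEL description="Angie built with QUIC and HTTP/3 support🚀" \
+maintainer="ammnt <[email protected]>" \
+org.opencontainers.image.description="Angie built with QUIC and HTTP/3 support🚀" \
+org.opencontainers.image.authors="ammnt, [email protected]" \
+org.opencontainers.image.title="Angie built with QUIC and HTTP/3 support🚀" \
+org.opencontainers.image.source="https://github.com/ammnt/angie/"
+
+STOPSIGNAL SIGQUIT
+USER angie
+CMD ["/usr/sbin/angie", "-g", "daemon off;"]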
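Review bot: None of the sources this image is compiled from are pinned or verified: the two `git clone --recursive --depth 1` calls fetch the current default branch of angie and quictls/openssl, `hg clone http://hg.nginx.org/njs` fetches njs HEAD over plaintext HTTP, and `alpine:latest` floats too, so the weekly scheduled rebuild silently ships whatever upstream (or anyone on the path to hg.nginx.org) serves that day. Check out a release tag and assert the commit (e.g. `git clone --branch <tag> --depth 1 ... && [ "$(git -C /tmp/angie rev-parse HEAD)" = "<sha>" ]`, `hg clone -r <rev> https://hg.nginx.org/njs`), and pin the base image with `alpine:<version>@sha256:<digest>`. Separately, `--with-openssl-opt` is passed twice; if Angie's `auto/options` assigns rather than appends like nginx's, only `enable-ec_nistp_64_gcc_128` survives and the kTLS build the README promises is silently dropped — fold them into one `--with-openssl-opt="enable-ktls enable-ec_nistp_64_gcc_128"`. Finally, `chown -R angie:angie /etc/angie && chmod -R g+w /etc/angie` makes the server configuration writable by the very account the process runs as (`USER angie`, `--user=angie`), so a compromised worker can rewrite angie.conf; leave /etc/angie root-owned and read-only and keep the write grant to /var/cache/angie, which is the only tree the build shows being written at runtime.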
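--- a/README.md
+++ b/README.md
@@ -0,0 +1,32 @@
+# Angie with HTTP/3 and QUIC support🚀
+
+The Docker image is ready to use:<br>
+<code>docker pull ghcr.io/ammnt/angie:http3</code><br>
+or<br>
+<code>docker pull ammnt/angie:http3</code>
+
+# Description:
+
+- Based on latest version of Alpine Linux - low size (~8 MB);
+- QuicTLS with kTLS module:<br>
+https://github.com/quictls/openssl
+- HTTP/3 + QUIC native support;
+- HTTP/2 with ALPN support;
+- TLS 1.3 and 0-RTT support;
+- TLS 1.2 and TCP Fast Open (TFO) support;
+- Built using hardening GCC flags;
+- NJS support;
+- PCRE with JIT compilation;
+- zlib library latest version;
+- Rootless master process - unprivileged container;
+- Async I/O threads module;
+- Healthcheck added;
+- Removed unnecessary modules;
+- Added OCI labels and annotations;
+- No excess ENTRYPOINT in the image;
+- Prioritize ChaCha cipher patch and anonymous signature - removed "Server" header ("banner"):<br>
+https://github.com/ammnt/angie/blob/http3/Dockerfile
+
+# Note:
+
+Feel free to <a href="https://github.com/ammnt/angie/issues/new">contact me</a> with more security improvements🙋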