This repository has been archived by the owner on Nov 15, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 3
/
dockerfile_nginx
executable file
·37 lines (29 loc) · 2.2 KB
/
dockerfile_nginx
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
FROM nginx:1.10.3
RUN apt-get update && \
apt-get -y install fail2ban logrotate cron && \
apt-get -y install vim telnet && \
apt-get -y install nginx-extras
ARG ENV_TYPE=${ENV_TYPE:-production}
ARG NGINX_ERRORLOG=/var/log/nginx/ara_nginx.error.log
#Ajout du repertoire ssl si environnement production
#Pointe la conf nginx de l'environnement visé
RUN if [ "$ENV_TYPE" = "production" ]; then \
ln -sfn /home/nginx/$ENV_TYPE/ssl /etc/nginx/ssl; \
fi; \
rm -f /etc/nginx/conf.d/*; \
ln -sf /home/nginx/$ENV_TYPE/clara.conf /etc/nginx/conf.d/clara.conf; \
ln -sf /home/nginx/$ENV_TYPE/html/custom_404.html /usr/share/nginx/html/custom_404.html; \
ln -sf /home/nginx/$ENV_TYPE/html/custom_50x.html /usr/share/nginx/html/custom_50x.html;
#Conf fail2ban: surveillance du log d'erreur nginx
RUN echo "[ssh]\nenabled = false\n\n[nginx-req-limit]\nenabled = true\nfilter = nginx-req-limit\naction = iptables-multiport[name=ReqLimit, port=\"http,https\", protocol=tcp]\nport = http,https\nlogpath = $NGINX_ERRORLOG\nfindtime = 600\nbantime = 7200\nmaxretry = 10\n\n[nginx-conn-limit]\nenabled = true\nfilter = nginx-conn-limit\naction = iptables-multiport[name=ConnLimit, port=\"http,https\", protocol=tcp]\nport = http,https\nlogpath = $NGINX_ERRORLOG\nfindtime = 300\nbantime = 7200\nmaxretry = 100\n" >/etc/fail2ban/jail.d/nginx.conf;\
echo "[Definition]\nfailregex = limiting requests, excess:.* by zone.*client: <HOST>" >/etc/fail2ban/filter.d/nginx-req-limit.conf; \
echo "[Definition]\nfailregex = ^ \[error\] \d+#\d+: \*\d+ user \"\S+\":? (password mismatch|was not found in \".*\"), client: <HOST>, server: \S+, request: \"\S+ \S+ HTTP/\d+\.\d+\", host: \"\S+\"\s*\$\nignoreregex =" >/etc/fail2ban/filter.d/nginx-http-auth.conf; \
echo "[Definition]\nfailregex = limiting connections by zone.*client: <HOST>" >/etc/fail2ban/filter.d/nginx-conn-limit.conf;
# Suppression de la version de NginX
RUN sed -i.bak 's/# server_tokens off;/server_tokens off;\n\tmore_set_headers "Server:";/' /etc/nginx/nginx.conf;
# Pour logrotate sous docker
RUN echo -e '#!/bin/sh\nexit 0' > /usr/sbin/policy-rc.d
CMD service cron start; \
service nginx start; \
service fail2ban start; \
sleep infinity;