nginx
nginx/Dockerfile
First basic pass at JWT auth. Mostly just a fork of https://github.com/ficusio/openresty, with a few twists:
* We've narrowed down some of the configuration options, and we're passing more headers (essentially exposing all the data in the JWT as headers).
* We no longer automatically return a 401 Unauthorized if the JWT verification fails; we just don't assign the request the headers. The consuming service can decide whether or not it wants to accept the request.
* We automatically fail the verification of a JWT if the token has expired in the last minute (or shouldn't be used for the next minute). If the token has expired, we return a 401 that our clients can catch and respond to by automatically using a refresh token. If the token can't be used for another minute, we quietly just refuse to add auth headers to the request.
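# OpenResty (nginx + LuaJIT) base image with a JWT-verifying Lua handler.
# Builds OpenResty from source on Alpine, removes the build toolchain again,
# and leaves ONBUILD triggers so that child images supply their own nginx/ tree.
#
# NOTE(review): the base tag is mutable and not pinned by digest, and
# Alpine 3.1 is end-of-life. Confirm that the base image and the pinned
# OpenResty version still receive security fixes before reusing this image.
FROM alpine:3.1

ENV OPENRESTY_VERSION 1.7.10.1
ENV OPENRESTY_PREFIX /opt/secondbit
ENV NGINX_PREFIX /opt/secondbit/nginx
ENV VAR_PREFIX /var/nginx

# NginX prefix is automatically set by OpenResty to $OPENRESTY_PREFIX/nginx
# look for $ngx_prefix in https://github.com/openresty/ngx_openresty/blob/master/util/configure

# JWT handler plus the Lua libraries it is shipped with. COPY is used instead
# of ADD because these are plain local files: COPY never unpacks archives or
# fetches URLs, so the result is the same with less implicit behaviour.
#
# NOTE(review): the handler is described as letting a request through without
# auth headers when JWT verification fails, leaving the decision to the
# consuming service. That is only safe if client-supplied headers with the same
# names are cleared before the request is proxied -- nginx-jwt.lua and the
# nginx configuration are not visible here, so confirm that they do this.
COPY nginx-jwt.lua $OPENRESTY_PREFIX/lualib/nginx-jwt.lua
COPY jwt-lib/basexx.lua $OPENRESTY_PREFIX/lualib/basexx.lua
COPY jwt-lib/resty/hmac.lua $OPENRESTY_PREFIX/lualib/resty/hmac.lua
COPY jwt-lib/resty/jwt.lua $OPENRESTY_PREFIX/lualib/resty/jwt.lua

# Single layer: install the toolchain, fetch and build OpenResty, create
# convenience symlinks, then drop the toolchain and keep only runtime libraries.
#
# NPROC: the original `$(grep -c ... || 1)` tried to run a command named `1`
# when grep failed, which left NPROC empty or "0" and turned `make -j${NPROC}`
# into an unbounded or invalid job count. The value now falls back to 1
# whenever /proc/cpuinfo is unreadable or lists no processors.
#
# NOTE(review): the source tarball is fetched over plain HTTP and piped
# straight into tar with no checksum or signature check, so whatever the
# network returns is compiled into the image. Without pipefail, the pipeline's
# status is tar's alone, so a curl failure is only caught if tar then fails on
# the truncated input. Download to a file over HTTPS, compare it against a
# pinned SHA-256 (or verify the upstream signature), and only then extract.
RUN echo "==> Installing dependencies..." \
 && apk update \
 && apk add make gcc musl-dev \
    pcre-dev openssl-dev zlib-dev ncurses-dev readline-dev \
    curl perl \
 && mkdir -p /root/ngx_openresty \
 && cd /root/ngx_openresty \
 && echo "==> Downloading OpenResty..." \
 && curl -sSL http://openresty.org/download/ngx_openresty-${OPENRESTY_VERSION}.tar.gz | tar -xvz \
 && cd ngx_openresty-* \
 && echo "==> Configuring OpenResty..." \
 && NPROC=$(grep -c ^processor /proc/cpuinfo 2>/dev/null || true) \
 && case "$NPROC" in ''|0) NPROC=1 ;; esac \
 && readonly NPROC \
 && echo "using upto $NPROC threads" \
 && ./configure \
    --prefix=$OPENRESTY_PREFIX \
    --http-client-body-temp-path=$VAR_PREFIX/client_body_temp \
    --http-proxy-temp-path=$VAR_PREFIX/proxy_temp \
    --http-log-path=$VAR_PREFIX/access.log \
    --error-log-path=$VAR_PREFIX/error.log \
    --pid-path=$VAR_PREFIX/nginx.pid \
    --lock-path=$VAR_PREFIX/nginx.lock \
    --with-luajit \
    --with-pcre-jit \
    --with-ipv6 \
    --with-http_ssl_module \
    --without-http_ssi_module \
    --without-http_userid_module \
    --without-http_fastcgi_module \
    --without-http_uwsgi_module \
    --without-http_scgi_module \
    --without-http_memcached_module \
    -j${NPROC} \
 && echo "==> Building OpenResty..." \
 && make -j${NPROC} \
 && echo "==> Installing OpenResty..." \
 && make install \
 && echo "==> Finishing..." \
 && ln -sf $NGINX_PREFIX/sbin/nginx /usr/local/bin/nginx \
 && ln -sf $NGINX_PREFIX/sbin/nginx /usr/local/bin/openresty \
 && ln -sf $OPENRESTY_PREFIX/bin/resty /usr/local/bin/resty \
 && ln -sf $OPENRESTY_PREFIX/luajit/bin/luajit-* $OPENRESTY_PREFIX/luajit/bin/lua \
 && ln -sf $OPENRESTY_PREFIX/luajit/bin/luajit-* /usr/local/bin/lua \
 && apk del \
    make gcc musl-dev pcre-dev openssl-dev zlib-dev ncurses-dev readline-dev curl perl \
 && apk add \
    libpcrecpp libpcre16 libpcre32 openssl libssl1.0 pcre libgcc libstdc++ \
 && rm -rf /var/cache/apk/* \
 && rm -rf /root/ngx_openresty

WORKDIR $NGINX_PREFIX/

# Child images: wipe the stock conf/ and html/ trees, then copy the child's
# own nginx/ directory over the prefix.
ONBUILD RUN rm -rf conf/* html/*
ONBUILD COPY nginx $NGINX_PREFIX/

# Run in the foreground and log errors to stderr so the container runtime
# collects them.
# NOTE(review): no USER instruction is set, so the nginx master process starts
# as root inside the container; the worker user depends on the child image's
# nginx configuration.
CMD ["nginx", "-g", "daemon off; error_log /dev/stderr info;"]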