Notification: Significant changes to nginx based images

Most images using our alpine-nginx base image are being updated to alpine 3.15 with php8 and some significant changes to the nginx configs.

Changes you will likely notice:

• Bring our default shipped configs as close as possible to alpine upstream defaults
  • https://git.alpinelinux.org/aports/tree/main/nginx/nginx.conf?h=3.15-stable
• Include worker_processes.conf and init script to generate it in the base
• Include resolver.conf and init script to generate it in the base
• Include ssl.conf in the base (the same as what is currently shipped in SWAG, but adjusted to use the self-signed certs generated by the base)
• include /config/nginx/site-confs/*.conf; with *.conf extension (rename existing user files automatically)
• Rework default.conf
  • Expect applications inside containers to exist at /app/www/public/, and if that does not exist, use /config/www
  • Include ipv6 support
  • deny access to .htaccess/.htpasswd files
  • adjust php location and fastcgi_params to use PATH_INFO and mitigate HTTP_PROXY vulnerability
• Restructure nginx configs
  • Configs in /defaults/nginx/ are recursively copied to the user’s /config/nginx/ (maintaining the structure)
  • All configs are now named *.sample and all include ## Version YYYY/MM/DD - Changelog: <url to repo history> used by /etc/cont-init.d/85-version-checks
    • Required configs (/config/nginx/nginx.conf, /config/nginx/server-confs/ssl.conf and /config/nginx/site-confs/default.conf) are enabled by default. Downstream images can include and/or enable others as needed (ex: SWAG will enable /config/nginx/location-confs/proxy.conf and /config/nginx/server-confs/502.conf)
  • Folder structure is as follows (in the /config/nginx/ context):
    • All nginx based images:
      • Includes nginx.conf (enabled by default)
      • Includes resolver.conf (enabled by default)
      • Includes ssl.conf (enabled by default)
      • Includes worker_processes.conf (enabled by default)
      • /config/nginx/site-confs/* included inside the http context in /config/nginx/nginx.conf
        • Includes default.conf (enabled by default)
    • SWAG:
      • Includes 502.conf (enabled by default)
      • Includes authelia-location.conf
      • Includes authelia-server.conf
      • Includes ldap-location.conf
      • Includes ldap-server.conf
      • Includes proxy.conf (enabled by default)

Under the hood:

• Split out init scripts
  • root/migrations/01-nginx-site-confs-default migrate existing default to default.conf
  • root/etc/cont-init.d/11-folders creates all the folders needed in /config
  • root/etc/cont-init.d/12-samples removes existing *.sample files from /config/nginx and copies any included *.sample files from the image
  • root/etc/cont-init.d/13-nginx enable required configs (nginx.conf, ssl.conf and default.conf) if they don’t exist, setup dhparams.pem, setup resolver.conf, setup worker_processes.conf
  • root/etc/cont-init.d/14-php configure php
  • root/etc/cont-init.d/15-keygen create self signed certificates for ssl.conf
  • root/etc/cont-init.d/20-permissions set /config permissions
  • root/etc/cont-init.d/85-version-checks check all enabled *.conf files against all *.sample files shipped with the image and alert the user about updates

Status of affected images:

Any images with notes above may not be merged. We will make efforts to update this page if any of the images with notes above are merged at a later date. We may also make individual announcements about status updates regarding these images.