fholzer / docker-nginx-brotli Goto Github PK

I cloned this repo to my local, got the terminal into the repo folder and ran this command:

docker build -t nginx-brotli-server . 

And it errored out here:

tep 14/31 : RUN 	mkdir -p /usr/src/ngx_brotli 	&& cd /usr/src/ngx_brotli 	&& git init 	&& git remote add origin https://github.com/google/ngx_brotli.git 	&& git fetch --depth 1 origin $NGX_BROTLI_COMMIT 	&& git checkout --recurse-submodules -q FETCH_HEAD 	&& git submodule update --init --depth 1 	&& cd .. 	&& curl -fSL https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz -o nginx.tar.gz 	&& curl -fSL https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz.asc  -o nginx.tar.gz.asc         && sha512sum nginx.tar.gz nginx.tar.gz.asc 	&& export GNUPGHOME="$(mktemp -d)" 	&& gpg --import /tmp/gpg/* 	&& gpg --batch --verify nginx.tar.gz.asc nginx.tar.gz 	&& mkdir -p /usr/src 	&& tar -zxC /usr/src -f nginx.tar.gz
 ---> Running in 0713b66bffd1
+ mkdir -p /usr/src/ngx_brotli
+ cd /usr/src/ngx_brotli
+ git init
hint: Using 'master' as the name for the initial branch. This default branch name
hint: is subject to change. To configure the initial branch name to use in all
hint: of your new repositories, which will suppress this warning, call:
hint: 
hint: 	git config --global init.defaultBranch <name>
hint: 
hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
hint: 'development'. The just-created branch can be renamed via this command:
hint: 
hint: 	git branch -m <name>
Initialized empty Git repository in /usr/src/ngx_brotli/.git/
+ git remote add origin https://github.com/google/ngx_brotli.git
+ git fetch --depth 1 origin 6e975bcb015f62e1f303054897783355e2a877dc
fatal: unable to access 'https://github.com/google/ngx_brotli.git/': Could not resolve host: github.com
The command '/bin/bash -x -c mkdir -p /usr/src/ngx_brotli 	&& cd /usr/src/ngx_brotli 	&& git init 	&& git remote add origin https://github.com/google/ngx_brotli.git 	&& git fetch --depth 1 origin $NGX_BROTLI_COMMIT 	&& git checkout --recurse-submodules -q FETCH_HEAD 	&& git submodule update --init --depth 1 	&& cd .. 	&& curl -fSL https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz -o nginx.tar.gz 	&& curl -fSL https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz.asc  -o nginx.tar.gz.asc         && sha512sum nginx.tar.gz nginx.tar.gz.asc 	&& export GNUPGHOME="$(mktemp -d)" 	&& gpg --import /tmp/gpg/* 	&& gpg --batch --verify nginx.tar.gz.asc nginx.tar.gz 	&& mkdir -p /usr/src 	&& tar -zxC /usr/src -f nginx.tar.gz' returned a non-zero code: 128

As a quick workaround to having to update the Dockerfile for every point release of nginx, it might be nice to be able to provide an version at build time from a Compose file (or command line) like:

nginx_brotli:
    image: fholzer/nginx-brotli
    container_name: nginx_brotli
    build:
      args:
        NGINX_VERSION: '1.17.5'

I believe the Dockerfile could be constructed like:

ARG NGINX_VERSION=1.16.1
ARG NGX_BROTLI_COMMIT=e505dce68acc190cc5a1e780a3b0275e39f160ca 

and keep the same bracket syntax in the RUN command. I can't see where these version numbers are needed inside the images after build.

with the release of AWS's new graviton2 instances, it's becoming more important for popular packages to support ARM64 architecture to benefit from the new servers,

can we consider building this image for arm64 to support running nginx on the new servers?

Although SIGTERM generally allows for graceful shutdown, nginx responds to POSIX signals unconventionally (docs):

TERM, INT fast shutdown
QUIT graceful shutdown

Since nginxinc/docker-nginx@3fb70dd, the official image uses STOPSIGNAL SIGQUIT.

Related issue: nginxinc/docker-nginx#377

My last command at dockerfile is CMD ["/bin/ash", "run.sh"]
And I am getting an error - nginx: invalid option: "ash"

Hi,
Thanks for making this handy package. I appreciate the minimal touch.

I see the Nginx maintainers have released 1.15.4 recently.
Was wondering if there was a plan to update this repo?

I'd like to use some of your work, so I hoped you would consider licensing it under a FOSS license.

Thanks

Hi,

I'm using your image for docker composer, but in my nginx.conf I have to comment "brotli on", so that I can up the nginx service, if nginx doesn't work.

This is my Dockerfile:

FROM fholzer/nginx-brotli:v1.14.0

RUN apk add --update nginx
RUN rm -rf /var/cache/apk/* && rm -rf /tmp/*

ADD nginx.conf /etc/nginx/
ADD symfony.conf /etc/nginx/conf.d/
ADD gzip.conf /etc/nginx/conf.d/
#ADD brotli.conf /etc/nginx/conf.d/

RUN adduser -D -g '' -G www-data www-data

CMD ["nginx"]

EXPOSE 80
EXPOSE 443

nginx.conf

user www-data;
worker_processes 4;
pid /run/nginx.pid;

events {
  worker_connections  2048;
  multi_accept on;
  use epoll;
}

http {
  server_tokens off;
  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  keepalive_timeout 15;
  types_hash_max_size 2048;
  include /etc/nginx/mime.types;
  default_type application/octet-stream;
  access_log off;
  #error_log off;
  open_file_cache max=100;
  #brotli on;
  gzip on;
  gzip_disable "msie6";
  include /etc/nginx/conf.d/*.conf;
  include /etc/nginx/sites-enabled/*;
}

daemon off;

Current version has vulnerabilities leading to DDOS.

Colleagues,

The docker image, assembled via https://github.com/fholzer/docker-nginx-brotli/blob/master/Dockerfile contains critical security issues:

Vulnerability CVE-2022-37434 Severity: CRITICAL Package: zlib Fixed Version: 1.2.12-r2 Link: CVE-2022-37434 zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).

Vulnerability CVE-2022-27404 Severity: CRITICAL Package: freetype Fixed Version: 2.10.4-r2 Link: CVE-2022-27404 FreeType commit 1e2eb65048f75c64b68708efed6ce904c31f3b2f was discovered to contain a heap buffer overflow via the function sfnt_init_face.

There are also 17 issues with HIGH severity in packages:

[email protected] (Critical, High)
[email protected] (High, Medium)
[email protected] (Critical)
[email protected] (High)
[email protected] (High, Medium)

Steps to reproduce:

1. Create docker image based on the Dockerfile.
2. Scan it with Trivy (https://aquasecurity.github.io/trivy/v0.45/)

It would be nice to do the same thing that the official nginx images do and split out perl builds. Perl alone more than doubles the size of the image.

Hi!

After recent updates to the image's entrypoint/run commands 2a6e0eb#diff-dd2c0eb6ea5cfc6c4bd4eac30934e2d5746747af48fef6da689e85b752f39557R164-R165, our installation of the image became broken.

One of the reasons was that we weren't able to pin the version of the image that we use to a specific version. The latest tag just doesn't have any specific tag to pin to. Would be great to have such a tag that we can pin to the latest version and don't be afraid that it will become broken again.

Currently the image is built on top of Alpine 3.12.0 which contains many reported vulnerabilities, including critical ones.
Image should be rebuilt with the latest Alpine 3.12.9.

Running trivy on fholzer/nginx-brotli:v1.19.1 outputs:

trivy fholzer/nginx-brotli:v1.19.1                                
2021-12-20T11:41:52.638-0300	INFO	Detected OS: alpine
2021-12-20T11:41:52.638-0300	INFO	Detecting Alpine vulnerabilities...
2021-12-20T11:41:52.640-0300	INFO	Number of language-specific files: 0

fholzer/nginx-brotli:v1.19.1 (alpine 3.12.0)
============================================
Total: 52 (UNKNOWN: 0, LOW: 2, MEDIUM: 17, HIGH: 30, CRITICAL: 3)

Hello, we faced a critical issue using the recently updated image.

Running envsubst leads to the following errors

#18 0.322 Error loading shared library libintl.so.8: No such file or directory (needed by /usr/local/bin/envsubst)
--
884 | #18 0.322 Error relocating /usr/local/bin/envsubst: libintl_bindtextdomain: symbol not found
885 | #18 0.322 Error relocating /usr/local/bin/envsubst: libintl_gettext: symbol not found
886 | #18 0.322 Error relocating /usr/local/bin/envsubst: libintl_textdomain: symbol not found

Current nginx version is 1.20.2 which is outdated & below vulnerability is identified on it :-
https://nvd.nist.gov/vuln/detail/CVE-2021-3618

Already raised PR to update nginx to latest stable version which is 1.22.0.
Ref: http://nginx.org/en/download.html

Because of trouble with CircleCI and to enable build for other platforms I'd like to switch to Github Actions. I started working on this in https://github.com/fholzer/docker-nginx-brotli/tree/test-github-actions though having trouble setting things up the way I want to.

Ideally the workflow would

1. build images for all platforms
2. run tests
3. push all images to Docker hub

I was planning to use buildx for this, though ran into issues about how to test the built images before pushing them to Docker hub. Builtx supports build & push in a single action, from what i can tell. You can also just build the images without pushing them, though I haven't found any way to actually access those images after they're built, which prevents me from running tests.

Any input, pointers in the right direction would be highly appreciated. (just pointer to documentation, or better, some specific section in the documentation would do.)

Hello,
I recently used the docker image fholzer/nginx-brotli:v1.21.6 but my entrypoint is not working anymore. I don't understand why. I previously was on nginx::1.21.0-alpine

echo "Replacing env constants in JS"

for file in $ROOT_DIR/js/app.*.js* $ROOT_DIR/js/chunk-*.*.js* $ROOT_DIR/js/*.js* $ROOT_DIR/index.html $ROOT_DIR/precache-manifest*.js;
do
  echo "Processing $file ...";

  sed -i 's|will_change_for_VUE_APP_API_URL|'${VUE_APP_API_URL}'|g' $file
  sed -i 's|will_change_for_BASE_URL|'${BASE_URL}'|g' $file

done

echo "Starting Nginx"
nginx -g 'daemon off;'

The sed command seems to replace the value. But when I run my container, the env var is not correct one, and I still get 'will_change_for_..."