cleanup up older and outdated code

Update to support alpine 3.18 and the latest nginx release

Author: tspicer

Dockerfile

@@ -1,5 +1,5 @@
-FROM alpine:3.12
-MAINTAINER Thomas Spicer (thomas@openbridge.com)
+FROM alpine:3.18
+LABEL maintainer="Thomas Spicer (thomas@openbridge.com)"
 
 ARG NGINX_VERSION
 ENV VAR_PREFIX=/var/run \
@@ -13,7 +13,6 @@ RUN set -x \
  && CONFIG="\
  --prefix=/usr/share/nginx/ \
  --sbin-path=/usr/sbin/nginx \
- --add-module=/tmp/naxsi/naxsi_src \
  --modules-path=/usr/lib/nginx/modules \
  --conf-path=${CONF_PREFIX}/nginx.conf \
  --error-log-path=${LOG_PREFIX}/error.log \
@@ -43,32 +42,30 @@ RUN set -x \
  --with-http_auth_request_module \
  --with-http_xslt_module=dynamic \
  --with-http_image_filter_module=dynamic \
- --with-http_geoip_module=dynamic \
  --with-threads \
  --with-stream \
  --with-stream_ssl_module \
  --with-stream_ssl_preread_module \
  --with-stream_realip_module \
- --with-stream_geoip_module=dynamic \
  --with-http_slice_module \
  --with-mail \
  --with-mail_ssl_module \
  --with-compat \
  --with-file-aio \
  --with-http_v2_module \
  --add-module=/tmp/ngx_cache_purge-2.3 \
- --add-module=/tmp/ngx_http_redis-0.3.9 \
+ --add-module=/tmp/ngx_http_redis-0.4.1-cmm \
  --add-module=/tmp/redis2-nginx-module-0.15 \
- --add-module=/tmp/srcache-nginx-module-0.31 \
+ --add-module=/tmp/srcache-nginx-module-0.33 \
  --add-module=/tmp/echo-nginx-module \
- --add-module=/tmp/ngx_devel_kit-0.3.1 \
- --add-module=/tmp/set-misc-nginx-module-0.32 \
+ --add-module=/tmp/ngx_devel_kit-0.3.2 \
+ --add-module=/tmp/set-misc-nginx-module-0.33 \
  --add-module=/tmp/ngx_brotli \
  --with-ld-opt='-L/usr/lib' \
  --with-cc-opt=-Wno-error \
  " \
- && addgroup -g 82 -S www-data \
- && adduser -u 82 -D -S -h /var/cache/nginx -s /sbin/nologin -G www-data www-data \
+ && if [ -z "$(getent group www-data)" ]; then addgroup -g 82 -S www-data; fi \
+ && if [ -z "$(getent passwd www-data)" ]; then adduser -u 82 -D -S -h /var/cache/nginx -s /sbin/nologin -G www-data www-data; fi \
  && apk add --no-cache --virtual .build-deps \
  alpine-sdk \
  autoconf \
@@ -81,7 +78,6 @@ RUN set -x \
  findutils \
  gcc \
  gd-dev \
- geoip-dev \
  gettext \
  git \
  gnupg \
@@ -108,7 +104,6 @@ RUN set -x \
  bash \
  bind-tools \
  rsync \
- geoip \
  openssl \
  pcre \
  tini \
@@ -118,29 +113,19 @@ RUN set -x \
  && cd ngx_brotli && git submodule update --init \
  && export NGX_BROTLI_STATIC_MODULE_ONLY=1 \
  && cd /tmp \
- && git clone https://github.com/nbs-system/naxsi.git \
- && echo 'adding /usr/local/share/GeoIP/GeoIP.dat database' \
- && wget -N https://raw.githubusercontent.com/openbridge/nginx/master/geoip/GeoLiteCity.dat.gz \
- && wget -N https://raw.githubusercontent.com/openbridge/nginx/master/geoip/GeoIP.dat.gz \
- && gzip -d GeoIP.dat.gz \
- && gzip -d GeoLiteCity.dat.gz \
- && mkdir /usr/local/share/GeoIP/ \
- && mv GeoIP.dat /usr/local/share/GeoIP/ \
- && mv GeoLiteCity.dat /usr/local/share/GeoIP/ \
- && chown -R www-data:www-data /usr/local/share/GeoIP/ \
  && curl -fSL http://nginx.org/download/nginx-$NGINX_VERSION.tar.gz -o nginx.tar.gz \
  && mkdir -p /usr/src \
  && tar -zxC /usr/src -f nginx.tar.gz \
  && rm nginx.tar.gz \
  && cd /tmp \
  && git clone https://github.com/openresty/echo-nginx-module.git \
- && wget https://github.com/simpl/ngx_devel_kit/archive/v0.3.1.zip -O dev.zip \
- && wget https://github.com/openresty/set-misc-nginx-module/archive/v0.32.zip -O setmisc.zip \
- && wget https://people.freebsd.org/~osa/ngx_http_redis-0.3.9.tar.gz \
- && wget https://github.com/openresty/redis2-nginx-module/archive/v0.15.zip -O redis.zip \
- && wget https://github.com/openresty/srcache-nginx-module/archive/v0.31.zip -O cache.zip \
- && wget https://github.com/FRiCKLE/ngx_cache_purge/archive/2.3.zip -O purge.zip \
- && tar -zx -f ngx_http_redis-0.3.9.tar.gz \
+ && wget https://github.com/vision5/ngx_devel_kit/archive/refs/tags/v0.3.2.zip -O dev.zip \
+ && wget https://github.com/openresty/set-misc-nginx-module/archive/refs/tags/v0.33.zip -O setmisc.zip \
+ && wget https://github.com/centminmod/ngx_http_redis/archive/refs/tags/0.4.1-cmm.zip -O ngx.zip \
+ && wget https://github.com/openresty/redis2-nginx-module/archive/refs/tags/v0.15.zip -O redis.zip \
+ && wget https://github.com/openresty/srcache-nginx-module/archive/refs/tags/v0.33.zip -O cache.zip \
+ && wget https://github.com/FRiCKLE/ngx_cache_purge/archive/refs/tags/2.3.zip -O purge.zip \
+ && unzip ngx.zip \ 
  && unzip dev.zip \
  && unzip setmisc.zip \
  && unzip redis.zip \
@@ -152,7 +137,6 @@ RUN set -x \
  && mv objs/nginx objs/nginx-debug \
  && mv objs/ngx_http_xslt_filter_module.so objs/ngx_http_xslt_filter_module-debug.so \
  && mv objs/ngx_http_image_filter_module.so objs/ngx_http_image_filter_module-debug.so \
- && mv objs/ngx_stream_geoip_module.so objs/ngx_stream_geoip_module-debug.so \
  && ./configure $CONFIG \
  && make -j$(getconf _NPROCESSORS_ONLN) \
  && make install \
@@ -164,7 +148,6 @@ RUN set -x \
  && install -m755 objs/nginx-debug /usr/sbin/nginx-debug \
  && install -m755 objs/ngx_http_xslt_filter_module-debug.so /usr/lib/nginx/modules/ngx_http_xslt_filter_module-debug.so \
  && install -m755 objs/ngx_http_image_filter_module-debug.so /usr/lib/nginx/modules/ngx_http_image_filter_module-debug.so \
- && install -m755 objs/ngx_stream_geoip_module-debug.so /usr/lib/nginx/modules/ngx_stream_geoip_module-debug.so \
  && ln -s ../../usr/lib/nginx/modules /etc/nginx/modules \
  && strip /usr/sbin/nginx* \
  && strip /usr/lib/nginx/modules/*.so \
@@ -185,8 +168,6 @@ RUN set -x \
  && nice -n +5 openssl dhparam -out /etc/pki/tls/dhparam.pem.default 2048 \
  && apk add --no-cache $runDeps \
  && apk del .build-deps \
- && cd /tmp/naxsi \
- && mv naxsi_config/naxsi_core.rules /etc/nginx/naxsi_core.rules \
  && rm -rf /tmp/* \
  && rm -rf /usr/src/* \
  && ln -sf /dev/stdout ${LOG_PREFIX}/access.log \

conf/html/nginx/header.d/proxy.conf

@@ -22,16 +22,4 @@ proxy_set_header Range $slice_range;
 
 proxy_ignore_headers X-Accel-Expires Expires Cache-Control Set-Cookie;
 
-proxy_set_header GEOIP-COUNTRY-CODE $geoip_country_code;
-proxy_set_header GEOIP-COUNTRY-CODE3 $geoip_country_code3;
-proxy_set_header GEOIP-COUNTRY-NAME $geoip_country_name;
-
-proxy_set_header GEOIP-CITY-COUNTRY-CODE $geoip_city_country_code;
-proxy_set_header GEOIP-CITY-COUNTRY-CODE3 $geoip_city_country_code3;
-proxy_set_header GEOIP-CITY-COUNTRY-NAME $geoip_city_country_name;
-proxy_set_header GEOIP-REGION $geoip_region;
-proxy_set_header GEOIP-CITY $geoip_city;
-proxy_set_header GEOIP-POSTAL-CODE $geoip_postal_code;
-proxy_set_header GEOIP-CITY-CONTINENT-CODE $geoip_city_continent_code;
-proxy_set_header GEOIP-LATITUDE $geoip_latitude;
-proxy_set_header GEOIP-LONGITUDE $geoip_longitude;
+

conf/html/nginx/nginx.conf

@@ -1,5 +1,3 @@
-load_module /etc/nginx/modules/ngx_http_geoip_module.so;
-
 user www-data;
 worker_processes auto;
 worker_rlimit_nofile 65535;
@@ -15,7 +13,6 @@ events {
 
 http {
  include /etc/nginx/mime.type;
- include /etc/nginx/naxsi_core.rules;
 
  default_type application/octet-stream;
  charset UTF-8;
@@ -48,20 +45,16 @@ http {
 
  ignore_invalid_headers on;
 
- geoip_country /usr/local/share/GeoIP/GeoIP.dat;
- geoip_city /usr/local/share/GeoIP/GeoLiteCity.dat;
-
  map_hash_bucket_size 256;
  map_hash_max_size 4096;
  types_hash_max_size 2048;
  variables_hash_max_size 2048;
 
- geo $rate_limit {include /etc/nginx/geo.d/ratelimit.conf;}
- map $rate_limit $rate_limit_key {include /etc/nginx/map.d/access/*.map;}
+ #limit_req_zone $rate_limit_key zone=req_zone:10m rate=200r/s;
+ 
+ #map $rate_limit $rate_limit_key {include /etc/nginx/map.d/access/*.map;}
  map $http_user_agent $no_logs {include /etc/nginx/map.d/logs/ua.map;}
 
- limit_req_zone $rate_limit_key zone=req_zone:10m rate=200r/s;
-
  upstream proxy {include /etc/nginx/upstream.d/proxy.conf;}
  upstream redis {include /etc/nginx/upstream.d/redis.conf;}
 
@@ -81,8 +74,6 @@ http {
  '"http_forward": "$http_x_forwarded_for", '
  '"http_header": "$http_x_header", '
  '"body_bytes_sent": "$body_bytes_sent", '
- '"geo_country": "$geoip_country_code", '
- '"geo_city": "$geoip_city", '
  '"server_name": "$server_name", '
  '"upstream_addr": "$upstream_addr", '
  '"upstream_status": "$upstream_status", '
@@ -113,9 +104,7 @@ http {
  proxy_cache_key $scheme$request_method$http_host$request_uri$slice_range;
 
  map $request_method $purge_method {include /etc/nginx/map.d/purge/*.map;}
- geo $purge_allowed {include /etc/nginx/geo.d/purge.conf;}
 
- geo $whitelist {include /etc/nginx/geo.d/whitelist.conf;}
  map $whitelist $limit_access {include /etc/nginx/map.d/access/*.map;}
  expires $expires;
 

conf/html/nginx/sites-available/default.vhost

@@ -2,11 +2,10 @@ server {
  server_name {{NGINX_SERVER_NAME}} www.{{NGINX_SERVER_NAME}} *.{{NGINX_SERVER_NAME}};
  server_tokens off;
  server_name_in_redirect off;
+ http2 on;
  listen *:80 default_server;
  listen [::]:80 default_server reuseport;
  access_log {{LOG_PREFIX}}/access.log main_ext if=$no_logs;
- include /etc/nginx/bots.d/blockbots.conf;
- include /etc/nginx/bots.d/ddos.conf;
  include /etc/nginx/header.d/httpd.conf;
  return 301 https://$host$request_uri;
 }
@@ -15,18 +14,16 @@ server {
  server_name {{NGINX_SERVER_NAME}} www.{{NGINX_SERVER_NAME}} *.{{NGINX_SERVER_NAME}};
  server_tokens off;
  server_name_in_redirect off;
- root {{NGINX_DOCROOT}};
- listen *:443 default_server ssl http2;
- listen [::]:443 default_server ssl http2 reuseport;
- limit_req zone=req_zone burst=20 nodelay;
+ root {{NGINX_SERVER_NAME}} www.{{NGINX_SERVER_NAME}} *.{{NGINX_SERVER_NAME}};
+ http2 on;
+ listen *:443 default_server ssl;
+ listen [::]:443 default_server ssl reuseport;
+
  set $naxsi_flag_enable 0;
 
- http2_push_preload on;
  access_log {{LOG_PREFIX}}/access.log main_ext if=$no_logs;
 
  include /etc/nginx/conf.d/ssl.conf;
- include /etc/nginx/bots.d/blockbots.conf;
- include /etc/nginx/bots.d/ddos.conf;
 
  location / {
  include /etc/nginx/conf.d/secure.conf;
@@ -36,7 +33,7 @@ server {
  userid_name _uid;
  userid_path /;
  userid_expires max;
- userid_domain {{NGINX_SERVER_NAME}};
+ userid_domain {{NGINX_SERVER_NAME}} www.{{NGINX_SERVER_NAME}} *.{{NGINX_SERVER_NAME}};
  expires $expires;
  proxy_pass http://proxy/;
  proxy_redirect / /;

conf/php/nginx/conf.d/brotli.conf

@@ -11,7 +11,6 @@ brotli_types
  application/postscript
  application/font-woff
  application/font-woff2
- application/x-javascript
  application/vnd.ms-fontobject
  application/x-font-opentype
  application/x-font-truetype

conf/php/nginx/conf.d/proxy.conf

@@ -6,9 +6,9 @@ proxy_busy_buffers_size 256k;
 proxy_temp_file_write_size 256k;
 proxy_headers_hash_bucket_size 256;
 proxy_headers_hash_max_size 1024;
-proxy_read_timeout 30s;
-proxy_send_timeout 30s;
-proxy_connect_timeout 30s;
+proxy_read_timeout 60s;
+proxy_send_timeout 60s;
+proxy_connect_timeout 60s;
 
 slice 1m;
 proxy_cache proxycache;

conf/php/nginx/conf.d/seo.conf

@@ -6,6 +6,5 @@ location ~ ([^/]*)sitemap(.*)\.x(m|s)l$
 rewrite ^/([^/]+?)-sitemap([0-9]+)?\.xml$ /index.php?sitemap=$1&sitemap_n=$2 last;
 rewrite ^/news_sitemap\.xml$ /index.php?sitemap=wpseo_news last;
 rewrite ^/locations\.kml$ /index.php?sitemap=wpseo_local_kml last;
-rewrite ^/geo_sitemap\.xml$ /index.php?sitemap=wpseo_local last;
 rewrite ^/video-sitemap\.xsl$ /index.php?xsl=video last;
 }

conf/php/nginx/conf.d/ssl.conf

@@ -1,12 +1,12 @@
 ssl_certificate /etc/letsencrypt/live/{{NGINX_SERVER_NAME}}/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/{{NGINX_SERVER_NAME}}/privkey.pem;
 ssl_trusted_certificate /etc/letsencrypt/live/{{NGINX_SERVER_NAME}}/chain.pem;
-ssl_protocols TLSv1.2;
+ssl_protocols TLSv1.2 TLSv1.3;
 ssl_session_cache shared:SSL:50m;
 ssl_session_timeout 30m;
 ssl_dhparam /etc/pki/tls/dhparam.pem;
-ssl_ecdh_curve secp384r1;
-ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ssl_ecdh_curve X25519:secp384r1;
+ssl_ciphers  'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
 ssl_prefer_server_ciphers on;
 ssl_buffer_size 1400;
 ssl_session_tickets off;

conf/php/nginx/fastcgi.d/fastcgi.conf

@@ -1,7 +1,7 @@
 fastcgi_split_path_info ^(.+\.php)(/.+)$;
-fastcgi_connect_timeout 120s;
-fastcgi_send_timeout 120s;
-fastcgi_read_timeout 120s;
+fastcgi_connect_timeout 60s;
+fastcgi_send_timeout 60s;
+fastcgi_read_timeout 60s;
 
 fastcgi_buffer_size 256k;
 fastcgi_buffers 4 256k;
@@ -34,7 +34,6 @@ fastcgi_param REQUEST_METHOD $request_method;
 fastcgi_param CONTENT_TYPE $content_type;
 fastcgi_param CONTENT_LENGTH $content_length;
 
-fastcgi_param SCRIPT_NAME $fastcgi_script_name;
 fastcgi_param REQUEST_URI $request_uri;
 fastcgi_param DOCUMENT_URI $document_uri;
 fastcgi_param DOCUMENT_ROOT $document_root;
@@ -48,16 +47,6 @@ fastcgi_param SERVER_ADDR $server_addr;
 fastcgi_param SERVER_PORT $server_port;
 fastcgi_param SERVER_NAME $server_name;
 
-fastcgi_param GEOIP_ADDR $remote_addr;
-fastcgi_param GEOIP_COUNTRY_CODE $geoip_country_code;
-fastcgi_param GEOIP_COUNTRY_NAME $geoip_country_name;
-fastcgi_param GEOIP_REGION $geoip_region;
-fastcgi_param GEOIP_REGION_NAME $geoip_region_name;
-fastcgi_param GEOIP_CITY $geoip_city;
-fastcgi_param GEOIP_AREA_CODE $geoip_area_code;
-fastcgi_param GEOIP_LATITUDE $geoip_latitude;
-fastcgi_param GEOIP_LONGITUDE $geoip_longitude;
-fastcgi_param GEOIP_POSTAL_CODE $geoip_postal_code;
 
 # PHP only, required if PHP was built with --enable-force-cgi-redirect
 fastcgi_param REDIRECT_STATUS 200;

conf/php/nginx/header.d/proxy.conf

@@ -20,18 +20,4 @@ proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
 
 proxy_set_header Range $slice_range;
 
-proxy_ignore_headers X-Accel-Expires Expires Cache-Control Set-Cookie;
-
-proxy_set_header GEOIP-COUNTRY-CODE $geoip_country_code;
-proxy_set_header GEOIP-COUNTRY-CODE3 $geoip_country_code3;
-proxy_set_header GEOIP-COUNTRY-NAME $geoip_country_name;
-
-proxy_set_header GEOIP-CITY-COUNTRY-CODE $geoip_city_country_code;
-proxy_set_header GEOIP-CITY-COUNTRY-CODE3 $geoip_city_country_code3;
-proxy_set_header GEOIP-CITY-COUNTRY-NAME $geoip_city_country_name;
-proxy_set_header GEOIP-REGION $geoip_region;
-proxy_set_header GEOIP-CITY $geoip_city;
-proxy_set_header GEOIP-POSTAL-CODE $geoip_postal_code;
-proxy_set_header GEOIP-CITY-CONTINENT-CODE $geoip_city_continent_code;
-proxy_set_header GEOIP-LATITUDE $geoip_latitude;
-proxy_set_header GEOIP-LONGITUDE $geoip_longitude;
+proxy_ignore_headers X-Accel-Expires Expires Cache-Control Set-Cookie;