nginx-proxy/docker-entrypoint.sh

#!/bin/bash
set -e

function _check_unix_socket() {
	# Warn if the DOCKER_HOST socket does not exist
	if [[ ${DOCKER_HOST} == unix://* ]]; then
		local SOCKET_FILE="${DOCKER_HOST#unix://}"

		if [[ ! -S ${SOCKET_FILE} ]]; then
			cat >&2 <<-EOT
				ERROR: you need to share your Docker host socket with a volume at ${SOCKET_FILE}
				Typically you should run your nginxproxy/nginx-proxy with: \`-v /var/run/docker.sock:${SOCKET_FILE}:ro\`
				See the documentation at: https://github.com/nginx-proxy/nginx-proxy/#usage
			EOT

			exit 1
		fi
	fi
}

function _resolvers() {
	# Compute the DNS resolvers for use in the templates - if the IP contains ":", it's IPv6 and must be enclosed in []
	RESOLVERS=$(awk '$1 == "nameserver" {print ($2 ~ ":")? "["$2"]": $2}' ORS=' ' /etc/resolv.conf | sed 's/ *$//g'); export RESOLVERS

	SCOPED_IPV6_REGEX='\[fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}\]'

	if [[ -z ${RESOLVERS} ]]; then
		echo 'Warning: unable to determine DNS resolvers for nginx' >&2
		unset RESOLVERS
	elif [[ ${RESOLVERS} =~ ${SCOPED_IPV6_REGEX} ]]; then
		echo -n 'Warning: Scoped IPv6 addresses removed from resolvers: ' >&2
		echo "${RESOLVERS}" | grep -Eo "$SCOPED_IPV6_REGEX" | paste -s -d ' ' >&2
		RESOLVERS=$(echo "${RESOLVERS}" | sed -r "s/${SCOPED_IPV6_REGEX}//g" | xargs echo -n); export RESOLVERS
	fi
}

function _setup_dhparam() {
	echo 'Setting up DH Parameters..'

	# DH params will be supplied for nginx here:
	local DHPARAM_FILE='/etc/nginx/dhparam/dhparam.pem'

	# Should be 2048, 3072, or 4096 (default):
	local FFDHE_GROUP="${DHPARAM_BITS:=4096}"

	# DH params may be provided by the user (rarely necessary)
	if [[ -f ${DHPARAM_FILE} ]]; then
		echo 'Warning: A custom dhparam.pem file was provided. Best practice is to use standardized RFC7919 DHE groups instead.' >&2
		return 0
	elif [[ ${DHPARAM_SKIP:=0} -eq 1 ]]; then
		echo 'Skipping Diffie-Hellman parameters setup.'
		return 0
	elif [[ ! ${DHPARAM_BITS} =~ ^(2048|3072|4096)$ ]]; then
		echo "ERROR: Unsupported DHPARAM_BITS size: ${DHPARAM_BITS}. Use: 2048, 3072, or 4096 (default)." >&2
		exit 1
	fi

	# Use an existing pre-generated DH group from RFC7919 (https://datatracker.ietf.org/doc/html/rfc7919#appendix-A):
	local RFC7919_DHPARAM_FILE="/app/dhparam/ffdhe${FFDHE_GROUP}.pem"

	# Provide the DH params file to nginx:
	cp "${RFC7919_DHPARAM_FILE}" "${DHPARAM_FILE}"
}

# Run the init logic if the default CMD was provided
if [[ $* == 'forego start -r' ]]; then
	_check_unix_socket

	_resolvers

	_setup_dhparam
fi

exec "$@"
refuse to start if the docker sock isn't available 2015-09-11 22:05:54 +00:00			`#!/bin/bash`
			`set -e`

chore: 4/6 - Extract grouped logic to their own methods 2021-09-28 20:48:41 +13:00			`function _check_unix_socket() {`
chore: 3/6 - Indent function content This is a white-space only change to ease review diff noise. 2021-09-25 15:47:20 +12:00			`# Warn if the DOCKER_HOST socket does not exist`
chore: 6/6 - Update shell syntax - `==` for string equality since we're using bash `[[ test ]]` already. - Uppercase `socket_file` variable to be consistent with other internal variables used in the script. - Convert `[ test ]` to `[[ test ]]` for consistency, improving maintenance. Double-bracket (_not posix compatible_) does not require quoted variables, ShellCheck lint knows this is safe too :) - `-z` test for `$RESOLVERS` is native syntax to check for empty string value. - Referenced variables should generally be wrapped like so `"${VAR}"`. - Variable assignments with string values should be double quotes for content with variables, otherwise use single quotes (_no interpolation_). - Converted my if statements to use the same style used in the rest of the file. 2021-09-25 16:06:11 +12:00			`if [[ ${DOCKER_HOST} == unix://* ]]; then`
			`local SOCKET_FILE="${DOCKER_HOST#unix://}"`

			`if [[ ! -S ${SOCKET_FILE} ]]; then`
chore: 3/6 - Indent function content This is a white-space only change to ease review diff noise. 2021-09-25 15:47:20 +12:00			`cat >&2 <<-EOT`
chore: 6/6 - Update shell syntax - `==` for string equality since we're using bash `[[ test ]]` already. - Uppercase `socket_file` variable to be consistent with other internal variables used in the script. - Convert `[ test ]` to `[[ test ]]` for consistency, improving maintenance. Double-bracket (_not posix compatible_) does not require quoted variables, ShellCheck lint knows this is safe too :) - `-z` test for `$RESOLVERS` is native syntax to check for empty string value. - Referenced variables should generally be wrapped like so `"${VAR}"`. - Variable assignments with string values should be double quotes for content with variables, otherwise use single quotes (_no interpolation_). - Converted my if statements to use the same style used in the rest of the file. 2021-09-25 16:06:11 +12:00			`ERROR: you need to share your Docker host socket with a volume at ${SOCKET_FILE}`
			Typically you should run your nginxproxy/nginx-proxy with: \`-v /var/run/docker.sock:${SOCKET_FILE}:ro\`
chore: Use direct URL instead of URL shortener Implicit URL is unnecessary (_and presently relies on Github redirecting from it's original mapped URL_). Use an explicit URL instead to reduce the guesswork/trust of where the shortener was going to redirect to. 2021-09-25 16:29:03 +12:00			`See the documentation at: https://github.com/nginx-proxy/nginx-proxy/#usage`
chore: 3/6 - Indent function content This is a white-space only change to ease review diff noise. 2021-09-25 15:47:20 +12:00			`EOT`
chore: 2/6 - Handle CMD check early, wrap init logic into a function 2021-09-28 11:11:49 +13:00
chore: 3/6 - Indent function content This is a white-space only change to ease review diff noise. 2021-09-25 15:47:20 +12:00			`exit 1`
			`fi`
refuse to start if the docker sock isn't available 2015-09-11 22:05:54 +00:00			`fi`
chore: 4/6 - Extract grouped logic to their own methods 2021-09-28 20:48:41 +13:00			`}`
conform to Docker official images best practices https://github.com/docker-library/official-images/blob/master/README.md#consistency 2015-09-12 10:37:21 +00:00
chore: 4/6 - Extract grouped logic to their own methods 2021-09-28 20:48:41 +13:00			`function _resolvers() {`
chore: 3/6 - Indent function content This is a white-space only change to ease review diff noise. 2021-09-25 15:47:20 +12:00			`# Compute the DNS resolvers for use in the templates - if the IP contains ":", it's IPv6 and must be enclosed in []`
			`RESOLVERS=$(awk '$1 == "nameserver" {print ($2 ~ ":")? "["$2"]": $2}' ORS=' ' /etc/resolv.conf \| sed 's/ *$//g'); export RESOLVERS`
remove scoped ipv6 resolvers 2021-02-05 19:56:56 +00:00
chore: 6/6 - Update shell syntax - `==` for string equality since we're using bash `[[ test ]]` already. - Uppercase `socket_file` variable to be consistent with other internal variables used in the script. - Convert `[ test ]` to `[[ test ]]` for consistency, improving maintenance. Double-bracket (_not posix compatible_) does not require quoted variables, ShellCheck lint knows this is safe too :) - `-z` test for `$RESOLVERS` is native syntax to check for empty string value. - Referenced variables should generally be wrapped like so `"${VAR}"`. - Variable assignments with string values should be double quotes for content with variables, otherwise use single quotes (_no interpolation_). - Converted my if statements to use the same style used in the rest of the file. 2021-09-25 16:06:11 +12:00			`SCOPED_IPV6_REGEX='\[fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}\]'`
remove scoped ipv6 resolvers 2021-02-05 19:56:56 +00:00
chore: 6/6 - Update shell syntax - `==` for string equality since we're using bash `[[ test ]]` already. - Uppercase `socket_file` variable to be consistent with other internal variables used in the script. - Convert `[ test ]` to `[[ test ]]` for consistency, improving maintenance. Double-bracket (_not posix compatible_) does not require quoted variables, ShellCheck lint knows this is safe too :) - `-z` test for `$RESOLVERS` is native syntax to check for empty string value. - Referenced variables should generally be wrapped like so `"${VAR}"`. - Variable assignments with string values should be double quotes for content with variables, otherwise use single quotes (_no interpolation_). - Converted my if statements to use the same style used in the rest of the file. 2021-09-25 16:06:11 +12:00			`if [[ -z ${RESOLVERS} ]]; then`
			`echo 'Warning: unable to determine DNS resolvers for nginx' >&2`
chore: 3/6 - Indent function content This is a white-space only change to ease review diff noise. 2021-09-25 15:47:20 +12:00			`unset RESOLVERS`
chore: 6/6 - Update shell syntax - `==` for string equality since we're using bash `[[ test ]]` already. - Uppercase `socket_file` variable to be consistent with other internal variables used in the script. - Convert `[ test ]` to `[[ test ]]` for consistency, improving maintenance. Double-bracket (_not posix compatible_) does not require quoted variables, ShellCheck lint knows this is safe too :) - `-z` test for `$RESOLVERS` is native syntax to check for empty string value. - Referenced variables should generally be wrapped like so `"${VAR}"`. - Variable assignments with string values should be double quotes for content with variables, otherwise use single quotes (_no interpolation_). - Converted my if statements to use the same style used in the rest of the file. 2021-09-25 16:06:11 +12:00			`elif [[ ${RESOLVERS} =~ ${SCOPED_IPV6_REGEX} ]]; then`
			`echo -n 'Warning: Scoped IPv6 addresses removed from resolvers: ' >&2`
			`echo "${RESOLVERS}" \| grep -Eo "$SCOPED_IPV6_REGEX" \| paste -s -d ' ' >&2`
			`RESOLVERS=$(echo "${RESOLVERS}" \| sed -r "s/${SCOPED_IPV6_REGEX}//g" \| xargs echo -n); export RESOLVERS`
chore: 3/6 - Indent function content This is a white-space only change to ease review diff noise. 2021-09-25 15:47:20 +12:00			`fi`
chore: 2/6 - Handle CMD check early, wrap init logic into a function 2021-09-28 11:11:49 +13:00			`}`

chore: 5/6 - Shift dhparam method to the bottom Minor change on error message. 2021-09-28 20:57:03 +13:00			`function _setup_dhparam() {`
			`echo 'Setting up DH Parameters..'`

			`# DH params will be supplied for nginx here:`
chore: Refactor `_setup_dh()` - `DHPARAM_FILE` is a local var not intended for overriding via ENV. Clarified that with `local` declaration. - `FFDHE_GROUP` var uses default assignment (_`:=4096` instead of only substitute `:-4096`_), so that `DHPARAM_BITS` retains the default 4096 value in subsequent references if no custom size was provided. - Refactored the conditional statements to only handle early failure conditions. Shifting out the RFC7919 support that can run after all checks have passed. - Revised comments. 2021-09-26 16:51:37 +13:00			`local DHPARAM_FILE='/etc/nginx/dhparam/dhparam.pem'`
chore: 5/6 - Shift dhparam method to the bottom Minor change on error message. 2021-09-28 20:57:03 +13:00
chore: Refactor `_setup_dh()` - `DHPARAM_FILE` is a local var not intended for overriding via ENV. Clarified that with `local` declaration. - `FFDHE_GROUP` var uses default assignment (_`:=4096` instead of only substitute `:-4096`_), so that `DHPARAM_BITS` retains the default 4096 value in subsequent references if no custom size was provided. - Refactored the conditional statements to only handle early failure conditions. Shifting out the RFC7919 support that can run after all checks have passed. - Revised comments. 2021-09-26 16:51:37 +13:00			`# Should be 2048, 3072, or 4096 (default):`
			`local FFDHE_GROUP="${DHPARAM_BITS:=4096}"`

			`# DH params may be provided by the user (rarely necessary)`
chore: 6/6 - Update shell syntax - `==` for string equality since we're using bash `[[ test ]]` already. - Uppercase `socket_file` variable to be consistent with other internal variables used in the script. - Convert `[ test ]` to `[[ test ]]` for consistency, improving maintenance. Double-bracket (_not posix compatible_) does not require quoted variables, ShellCheck lint knows this is safe too :) - `-z` test for `$RESOLVERS` is native syntax to check for empty string value. - Referenced variables should generally be wrapped like so `"${VAR}"`. - Variable assignments with string values should be double quotes for content with variables, otherwise use single quotes (_no interpolation_). - Converted my if statements to use the same style used in the rest of the file. 2021-09-25 16:06:11 +12:00			`if [[ -f ${DHPARAM_FILE} ]]; then`
chore: 5/6 - Shift dhparam method to the bottom Minor change on error message. 2021-09-28 20:57:03 +13:00			`echo 'Warning: A custom dhparam.pem file was provided. Best practice is to use standardized RFC7919 DHE groups instead.' >&2`
chore: Refactor `_setup_dh()` - `DHPARAM_FILE` is a local var not intended for overriding via ENV. Clarified that with `local` declaration. - `FFDHE_GROUP` var uses default assignment (_`:=4096` instead of only substitute `:-4096`_), so that `DHPARAM_BITS` retains the default 4096 value in subsequent references if no custom size was provided. - Refactored the conditional statements to only handle early failure conditions. Shifting out the RFC7919 support that can run after all checks have passed. - Revised comments. 2021-09-26 16:51:37 +13:00			`return 0`
feat: Bring back ability to skip default DH params Adds back the ability to avoid using DH params, provided no file was explicitly supplied. This used to be `DHPARAM_GENERATION=false`, the equivalent is now `DHPARAM_SKIP=1` (default 0). Previous name was no longer appropriate. Ensures that if a user has explicitly provided their own dhparam file to still output a warning instead of the skip message, since `DHPARAM_SKIP=1` doesn't disable the support in nginx. 2021-09-28 21:49:06 +13:00			`elif [[ ${DHPARAM_SKIP:=0} -eq 1 ]]; then`
			`echo 'Skipping Diffie-Hellman parameters setup.'`
			`return 0`
chore: Refactor `_setup_dh()` - `DHPARAM_FILE` is a local var not intended for overriding via ENV. Clarified that with `local` declaration. - `FFDHE_GROUP` var uses default assignment (_`:=4096` instead of only substitute `:-4096`_), so that `DHPARAM_BITS` retains the default 4096 value in subsequent references if no custom size was provided. - Refactored the conditional statements to only handle early failure conditions. Shifting out the RFC7919 support that can run after all checks have passed. - Revised comments. 2021-09-26 16:51:37 +13:00			`elif [[ ! ${DHPARAM_BITS} =~ ^(2048\|3072\|4096)$ ]]; then`
			`echo "ERROR: Unsupported DHPARAM_BITS size: ${DHPARAM_BITS}. Use: 2048, 3072, or 4096 (default)." >&2`
			`exit 1`
chore: 5/6 - Shift dhparam method to the bottom Minor change on error message. 2021-09-28 20:57:03 +13:00			`fi`
chore: Refactor `_setup_dh()` - `DHPARAM_FILE` is a local var not intended for overriding via ENV. Clarified that with `local` declaration. - `FFDHE_GROUP` var uses default assignment (_`:=4096` instead of only substitute `:-4096`_), so that `DHPARAM_BITS` retains the default 4096 value in subsequent references if no custom size was provided. - Refactored the conditional statements to only handle early failure conditions. Shifting out the RFC7919 support that can run after all checks have passed. - Revised comments. 2021-09-26 16:51:37 +13:00
			`# Use an existing pre-generated DH group from RFC7919 (https://datatracker.ietf.org/doc/html/rfc7919#appendix-A):`
			`local RFC7919_DHPARAM_FILE="/app/dhparam/ffdhe${FFDHE_GROUP}.pem"`

			`# Provide the DH params file to nginx:`
			`cp "${RFC7919_DHPARAM_FILE}" "${DHPARAM_FILE}"`
chore: 5/6 - Shift dhparam method to the bottom Minor change on error message. 2021-09-28 20:57:03 +13:00			`}`

chore: 2/6 - Handle CMD check early, wrap init logic into a function 2021-09-28 11:11:49 +13:00			`# Run the init logic if the default CMD was provided`
			`if [[ $* == 'forego start -r' ]]; then`
chore: 4/6 - Extract grouped logic to their own methods 2021-09-28 20:48:41 +13:00			`_check_unix_socket`

			`_resolvers`

			`_setup_dhparam`
chore: 2/6 - Handle CMD check early, wrap init logic into a function 2021-09-28 11:11:49 +13:00			`fi`
Add dynamically-computed DNS resolvers to nginx (for PR #574) 2016-10-01 10:42:58 -04:00
conform to Docker official images best practices https://github.com/docker-library/official-images/blob/master/README.md#consistency 2015-09-12 10:37:21 +00:00			`exec "$@"`