Move required files but 'nginx.tmpl' into a local 'app' folder and copy the
folder content into the image.
'nginx.tmpl' should be moved as well, but this is a breaking change for
configuration with a separate 'docker-gen' container.
Anonymous volumes are discouraged for reliable persistence.
Users should use named volumes or bind mounts instead. Potentially breaking change, users can also use explicit anonymous volumes instead of relying on implicit anonymous volumes.
`nginx-proxy` really should not be creating implicit anonymous volumes as in most cases it is undesirable.
`git blame` reveals this was added in 2014 by jwilder, with a message that implies implicit anonymous volumes was never intended..
- While the anonymous VOLUME can be dropped from Dockerfile, the path needs to be valid at run-time, might as well ensure it's available by creating the dhparam folder at build.
- Generation logic no longer necessary, dropped.
- Standardized RFC 7919 groups added (2048, 3072, 4096), with 4096-bit remaining the default size. The DH logic can live in the entrypoint script as well.
- Third-party supplied pre-generated DH params removed as they're not considered trustworthy compared to RFC 7919 groups.
This commit updates both 'Dockerfile' and 'Dockerfile.alpine' to use
'nginx 1.19.3'. This change was implemented after feedback from @buchdag
to be able to use dependabot.
This commit updates both 'Dockerfile' and 'Dockerfile.alpine' to use
'go.15.10' when building the dependencies. This change was implemented
after feedback from @buchdag to be able to use dependabot.
Previously, the Dockerfile downloaded 'docker-gen' and 'forego' binaries
during build time. This caused a problem as it hard-coded the amd64
architecture for the images.
This commit updates both 'Dockerfile' and 'Dockerfile.alpine' to build
the `forego` and `docker-gen` executables from scratch instead of
downloading binaries directly.
This is achieved using multi-stage builds [1]. Two seperate stages first
build the binaries, and are then copied over to the final stage.
The advantage of this change is two-fold: First, it enables building
this image on architectures other than amd64. Secondly it adds trust by
not adding external binaries to the docker image.
This modified version passes the test both a linux desktop (amd64) as
well as a raspberry pi (armv7) with some caveats:
- On armv7, a modified version of the `jwilder/docker-gen` image is
required. See a seperate PR at [2].
- The 'test_dhparam_is_generated_if_missing' test fails. This also
doesn't currently pass on master.
[1] https://docs.docker.com/develop/develop-images/multistage-build/ [2]
https://github.com/jwilder/docker-gen/pull/327
