update and fix (#8)

- update nginx to latest 1.19 - hide nginx version - add support new environment variables
kheeklab · Mar 26, 2021 · 36d801e · 36d801e
1 parent 8eefedb
commit 36d801e
Show file tree

Hide file tree

Showing 6 changed files with 18 additions and 10 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -26,14 +26,11 @@ COPY ./configs/uwsgi.ini /etc/uwsgi/
 
 # Install Supervisord
 RUN set -xe; \
-    apt-get update && apt-get install -y ca-certificates gosu; \
-    gosu nobody true; \
-    rm -rf /var/lib/apt/lists/*
-
-# Install uWSGI and PrivacyIdea
-RUN pip install supervisor uwsgi pymysql-sa PyMySQL;\
+    apt-get update && apt-get install -y ca-certificates; \
+    pip install supervisor uwsgi pymysql-sa PyMySQL;\
     pip install -r https://raw.githubusercontent.com/privacyidea/privacyidea/v${PI_VERSION}/requirements.txt; \
-    pip install git+https://github.com/privacyidea/privacyidea.git@v${PI_VERSION}
+    pip install git+https://github.com/privacyidea/privacyidea.git@v${PI_VERSION}; \
+    apt-get remove --purge --auto-remove -y ca-certificates && rm -rf /var/lib/apt/lists/*
 
 # Custom Supervisord config
 COPY ./configs/supervisord-debian.conf /etc/supervisor/supervisord.conf
@@ -56,6 +53,9 @@ ENV NGINX_MAX_UPLOAD 0
 # will create a worker for each CPU core
 ENV NGINX_WORKER_PROCESSES 1
 
+# By default, NGINX show NGINX version on error page and HTTP header
+ENV NGINX_SERVER_TOKENS 'off'
+
 # By default, Nginx listens on port 80.
 # To modify this, change LISTEN_PORT environment variable.
 # (in a Dockerfile or with an option for `docker run`)

diff --git a/configs/app/uwsgi.ini b/configs/app/uwsgi.ini
@@ -1,2 +1,3 @@
 [uwsgi]
 wsgi-file=/app/main.py
+buffer-size=8192
diff --git a/configs/config.py b/configs/config.py
@@ -27,3 +27,5 @@
 # PI_LOGO = "otherlogo.png"
 # PI_AUDIT_SQL_URI = sqlite://
 PI_VASCO_LIBRARY = None
+PI_ENGINE_REGISTRY_CLASS = os.environ.get("PI_ENGINE_REGISTRY_CLASS", "shared")
+PI_PAGE_TITLE = os.environ.get("PI_PAGE_TITLE", "privacyIDEA Authentication System")
diff --git a/configs/entrypoint.sh b/configs/entrypoint.sh
@@ -11,6 +11,9 @@ USE_NGINX_WORKER_PROCESSES=${NGINX_WORKER_PROCESSES:-1}
 # Cannot exceed worker_rlimit_nofile, see NGINX_WORKER_OPEN_FILES below
 NGINX_WORKER_CONNECTIONS=${NGINX_WORKER_CONNECTIONS:-1024}
 
+# Hide Nginx server version on error pages and in the “Server HTTP” response header field
+NGINX_SERVER_TOKENS=${NGINX_SERVER_TOKENS:-off}
+
 # Get the listen port for Nginx, default to 80
 USE_LISTEN_PORT=${LISTEN_PORT:-80}
 
@@ -34,6 +37,7 @@ else
     content=$content'    access_log  /var/log/nginx/access.log  main;\n'
     content=$content'    sendfile        on;\n'
     content=$content'    keepalive_timeout  65;\n'
+    content=$content"    server_tokens ${NGINX_SERVER_TOKENS};\n"
     content=$content'    include /etc/nginx/conf.d/*.conf;\n'
     content=$content'}\n'
     content=$content'daemon off;\n'

diff --git a/configs/install-nginx-debian.sh b/configs/install-nginx-debian.sh
@@ -4,8 +4,8 @@
 # Ref: https://github.com/nginxinc/docker-nginx/blob/594ce7a8bc26c85af88495ac94d5cd0096b306f7/mainline/buster/Dockerfile
 
 # Standard set up Nginx
-export NGINX_VERSION=1.17.10
-export NJS_VERSION=0.3.9
+export NGINX_VERSION=1.19.8
+export NJS_VERSION=0.5.2
 export PKG_RELEASE=1~buster
 
 set -x \
@@ -31,7 +31,7 @@ set -x \
         nginx-module-xslt=${NGINX_VERSION}-${PKG_RELEASE} \
         nginx-module-geoip=${NGINX_VERSION}-${PKG_RELEASE} \
         nginx-module-image-filter=${NGINX_VERSION}-${PKG_RELEASE} \
-        nginx-module-njs=${NGINX_VERSION}.${NJS_VERSION}-${PKG_RELEASE} \
+        nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${PKG_RELEASE} \
     " \
     && case "$dpkgArch" in \
         amd64|i386) \

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -23,5 +23,6 @@ services:
       - DB_PASSWORD=privacyidea
       - SECRET_KEY=suppersecretkey
       - PI_PEPPER=secretworduseforadminencrypt
+      - PI_PAGE_TITLE=pivacyIDEA
     depends_on:
       - mariadb