Nginx reverse proxy combined with Starman server in one image (#46)

* feat: provide image with nginx

* Re-use parent container configuration and startup scripts

* Rewrite proxy Dockerfile:

* ARCH used to be hard-coded; is now set according to the architecture being built
* Build from the associated LedgerSMB base image (not from 'lsmb-split')
* More deletion of non-required files (/usr/share/doc/*)
* Fewer layers by combining RUN commands

* Use 'server-start' script generated by the installer instead of repeating ourselves

* Don't expose the status module

It won't be accessible anyway: the localhost address is the one inside the container...

* Ensure relative redirects

When the container port :80 is exposed as :8080 on the host,
nginx redirects to http://localhost:80/login.pl with a relative
path, instead of http://localhost:8080/login.pl; the container
isn't bound to :80, so that request fails...

* Rename proxy layer image

* Adjust 'build' script to publish base and regular images

---------

Co-authored-by: Walid Mujahid <walidmujahid@gmail.com>

base/Dockerfile

@@ -39,6 +39,7 @@ RUN set -x ; \
   cd /srv && \
   curl -s -o ledgersmb-installer -L https://get.ledgersmb.org/ledgersmb-installer && \
   ARTIFACT_LOCATION="$ARTIFACT_PATH" perl ledgersmb-installer install --yes --log-level=trace $LSMB_VERSION && \
+  mv /srv/ledgersmb/server-start /usr/local/bin/run.sh && \
   rm -rf ~/.cpanm/ /var/lib/apt/lists/* /usr/share/man/*
 
 WORKDIR /srv/ledgersmb
@@ -66,7 +67,6 @@ ENV DEFAULT_DB=lsmb
 
 COPY start.sh /usr/local/bin/start.sh
 COPY config.sh /usr/local/bin/config.sh
-COPY run.sh /usr/local/bin/run.sh
 
 RUN chmod +x /usr/local/bin/start.sh /usr/local/bin/config.sh /usr/local/bin/run.sh && \
   mkdir -p /var/www && \

build

@@ -6,9 +6,19 @@ ${DOCKER:-docker} buildx build \
    --progress plain \
    --platform ${PLATFORM:-linux/amd64,linux/arm64,linux/arm/v7} \
    --build-arg "ARTIFACT_PATH=$ARTIFACT_PATH" \
+   -t ledgersmb/ledgersmb:$BRANCH-base \
+   -t ledgersmb/ledgersmb:$VERSION-base \
+   -t ghcr.io/ledgersmb/ledgersmb:$BRANCH-base \
+   -t ghcr.io/ledgersmb/ledgersmb:$VERSION-base \
+   ${SET_LATEST_TAG:+ -t ledgersmb/ledgersmb:latest-base -t ghcr.io/ledgersmb/ledgersmb:latest-base} \
+   --push base/
+
+${DOCKER:-docker} buildx build \
+   --progress plain \
+   --platform ${PLATFORM:-linux/amd64,linux/arm64,linux/arm/v7} \
    -t ledgersmb/ledgersmb:$BRANCH \
    -t ledgersmb/ledgersmb:$VERSION \
    -t ghcr.io/ledgersmb/ledgersmb:$BRANCH \
    -t ghcr.io/ledgersmb/ledgersmb:$VERSION \
    ${SET_LATEST_TAG:+ -t ledgersmb/ledgersmb:latest -t ghcr.io/ledgersmb/ledgersmb:latest} \
-   --push .
+   --push proxy/

proxy/Dockerfile

@@ -0,0 +1,47 @@
+# Install LedgerSMB version
+ARG LSMB_VERSION=1.13.0-beta1
+# Install s6-overlay
+ARG S6_OVERLAY_VERSION=3.2.0.2
+
+FROM ledgersmb/ledgersmb:$LSMB_VERSION
+
+# Repeat args if we still want to use them
+ARG LSMB_VERSION
+ARG S6_OVERLAY_VERSION
+
+# Install nginx and other dependencies
+USER root
+RUN set -x && \
+    DEBIAN_FRONTEND=noninteractive apt-get update -y && \
+    DEBIAN_FRONTEND=noninteractive apt-get dist-upgrade -y && \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends nginx wget xz-utils && \
+    mkdir -p /var/lib/nginx/body /var/cache/nginx && \
+    DEBIAN_FRONTEND=noninteractive apt-get autoremove -q -y && \
+    DEBIAN_FRONTEND=noninteractive apt-get clean -q && \
+    ARCH="$(case "$(dpkg --print-architecture)" in armv7*) echo "armhf" ;; arm64) echo "aarch64" ;; amd64) echo "x86_64" ;; *) exit 1 ;; esac)" && \
+    wget -O /tmp/s6-overlay-noarch.tar.xz https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-noarch.tar.xz && \
+    wget -O /tmp/s6-overlay-noarch.tar.xz.sha256 https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-noarch.tar.xz.sha256 && \
+    wget -O /tmp/s6-overlay-${ARCH}.tar.xz https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-${ARCH}.tar.xz && \
+    wget -O /tmp/s6-overlay-${ARCH}.tar.xz.sha256 https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-${ARCH}.tar.xz.sha256 && \
+    wget -O /tmp/s6-overlay-symlinks-noarch.tar.xz https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-symlinks-noarch.tar.xz && \
+    wget -O /tmp/s6-overlay-symlinks-noarch.tar.xz.sha256 https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-symlinks-noarch.tar.xz.sha256 && \
+    cd /tmp && \
+    sha256sum -c *.sha256 && \
+    tar -C / -Jxpf /tmp/s6-overlay-noarch.tar.xz && \
+    tar -C / -Jxpf /tmp/s6-overlay-${ARCH}.tar.xz && \ 
+    tar -C / -Jxpf /tmp/s6-overlay-symlinks-noarch.tar.xz && \
+    rm -rf ~/.cpanm/ /var/lib/apt/lists/* /usr/share/man/* /usr/share/doc/* /tmp/s6-overlay-*.tar.xz*
+
+COPY nginx.conf /etc/nginx/nginx.conf
+
+# Configure nginx and starman with s6
+COPY services/starman/run /etc/services.d/starman/run
+COPY services/nginx/run /etc/services.d/nginx/run
+COPY scripts/ledgersmb_config /etc/s6-overlay/s6-rc.d/ledgersmb_config
+
+RUN chmod +x /etc/services.d/starman/run /etc/services.d/nginx/run /etc/s6-overlay/s6-rc.d/ledgersmb_config/up && \
+    touch /etc/s6-overlay/s6-rc.d/user/contents.d/ledgersmb_config
+
+EXPOSE 80
+
+ENTRYPOINT ["/init"]

proxy/nginx.conf

@@ -0,0 +1,74 @@
+# This is a full (minimal) nginx configuration file
+
+error_log /dev/stderr info;
+pid /tmp/nginx.pid;
+worker_processes 1;
+user www-data;
+
+
+events {
+   worker_connections 1024;
+}
+
+http {
+   client_body_temp_path /tmp/client_body;
+   proxy_temp_path /tmp/proxy_temp;
+   fastcgi_temp_path /tmp/fastcgi_temp;
+   scgi_temp_path /tmp/scgi_temp;
+   uwsgi_temp_path /tmp/uwsgi_temp;
+
+   sendfile on;
+   tcp_nopush on;
+   tcp_nodelay on;
+   keepalive_timeout 65;
+   types_hash_max_size 2048;
+   include /etc/nginx/mime.types;
+   default_type application/octet-stream;
+
+   access_log /dev/stdout;
+   error_log /dev/stderr info;
+
+   gzip off;
+   gzip_static on;
+
+   server {
+      listen 80 default_server;
+      listen [::]:80 default_server ipv6only=on;
+
+      root /srv/ledgersmb/UI;
+
+      access_log /dev/stdout;
+      error_log /dev/stderr info;
+
+      # Configuration files don't exist
+      location ^~ \.conf$ {
+         return 404;
+      }
+
+      # 'Hidden' files don't exist
+      location ~ /\. {
+         return 404;
+      }
+
+      location = / {
+         return 301 login.pl;
+      }
+
+      # JS & CSS
+      location ~* \.(js|css)$ {
+         add_header Pragma "public";
+         add_header Cache-Control "public, must-revalidate, proxy-revalidate"; # Production
+         expires     7d; # Indicate that the resource can be cached for 1 week # Production
+         try_files $uri =404;
+      }
+
+      location / {
+         proxy_set_header        Host $host;
+         proxy_set_header        X-Real-IP $remote_addr;
+         proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+         proxy_set_header        X-Forwarded-Proto $scheme;
+         proxy_read_timeout      300;
+         proxy_pass              http://127.0.0.1:5762;
+      }
+   }
+}

proxy/scripts/ledgersmb_config/type

@@ -0,0 +1 @@
+oneshot

proxy/scripts/ledgersmb_config/up

@@ -0,0 +1,3 @@
+foreground { echo "Running config..." }
+
+/usr/local/bin/config.sh

proxy/services/nginx/run

@@ -0,0 +1,3 @@
+#!/usr/bin/with-contenv /bin/bash
+
+exec nginx -g "daemon off;"

proxy/services/starman/run

@@ -0,0 +1,3 @@
+#!/usr/bin/with-contenv /bin/bash
+
+s6-setuidgid www-data /usr/local/bin/run.sh

run.sh

@@ -1,9 +0,0 @@
-#!/bin/bash
-
-cd /srv/ledgersmb
-
-# ':5762:' suppresses an uninitialized variable warning in starman
-# the last colon means "don't connect using tls"; without it, there's a warning
-exec starman --listen 0.0.0.0:5762 --workers ${LSMB_WORKERS:-5} \
-             -I lib -I old/lib \
-             --preload-app bin/ledgersmb-server.psgi