From 2a1e54b40ba16335b35a8454e900fb6d50313453 Mon Sep 17 00:00:00 2001 From: Bibo Hao Date: Tue, 3 Feb 2026 05:21:09 +0000 Subject: [PATCH 1/6] add storebox --- .github/workflows/build-docker.yml | 14 ++++++++++- docker_storebox/storebox.Dockerfile | 20 +++++++++++++++ docker_storebox/work/script-setup-alist.sh | 23 ++++++++++++++++++ docker_storebox/work/script-setup-rclone.sh | 27 +++++++++++++++++++++ 4 files changed, 83 insertions(+), 1 deletion(-) create mode 100644 docker_storebox/storebox.Dockerfile create mode 100644 docker_storebox/work/script-setup-alist.sh create mode 100644 docker_storebox/work/script-setup-rclone.sh diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml index 371ab38..58f67b7 100644 --- a/.github/workflows/build-docker.yml +++ b/.github/workflows/build-docker.yml @@ -77,7 +77,7 @@ jobs: - run: | source ./tool.sh && build_image openresty latest docker_openresty/Dockerfile && push_image - ## OpenResty as gateway + ## SearchNGX for searching job-searxng: name: 'searxng' runs-on: ubuntu-latest @@ -86,6 +86,18 @@ jobs: - run: | source ./tool.sh && build_image searxng latest docker_searxng/searxng.Dockerfile && push_image + ## StoreBox + job-storebox: + name: 'storebox' + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - run: | + source ./tool.sh + build_image storebox latest docker_storebox/storebox.Dockerfile \ + --build-arg "BASE_IMG=node" + push_image + ## DevBox - base job-base-dev: diff --git a/docker_storebox/storebox.Dockerfile b/docker_storebox/storebox.Dockerfile new file mode 100644 index 0000000..581a992 --- /dev/null +++ b/docker_storebox/storebox.Dockerfile 
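Review bot: The new `job-storebox` builds on a floating base, `--build-arg "BASE_IMG=node"` with neither tag nor digest, and checks out with `actions/checkout@v4`, a mutable tag rather than a commit SHA, so neither the base layer nor the action is pinned to content the build can later be reproduced or audited from. Pin the base to a version plus digest, e.g. `--build-arg "BASE_IMG=node:22-bookworm-slim@sha256:…"`, and pin the action to a full commit SHA with the tag kept in a trailing comment, as the other jobs in this workflow should too. `build_image` and `push_image` come from `./tool.sh`, which is outside this diff, so whether they pass `--pull` or emit provenance cannot be checked here. The renamed comment `## SearchNGX for searching` looks like a typo for SearXNG, given the job is named `searxng`.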
@@ -0,0 +1,20 @@
+# Distributed under the terms of the Modified BSD License.
+
+ARG BASE_NAMESPACE
+ARG BASE_IMG="base"
+
+FROM ${BASE_NAMESPACE:+$BASE_NAMESPACE/}${BASE_IMG}
+
+COPY work /opt/utils
+
+RUN set -eux \
+ # ----------------------------- Install supervisord
+ && source /opt/utils/script-setup-sys.sh && setup_supervisord \
+ # ----------------------------- Install caddy
+ && source /opt/utils/script-setup-net.sh && setup_caddy \
+ # ----------------------------- Install alist
+ && source /opt/utils/script-setup-alist.sh && setup_alist \
+ # ----------------------------- Install rclone
+ && source /opt/utils/script-setup-rclone.sh && setup_rclone \
+ # Clean up and display components version information...
+ && list_installed_packages && install__clean
diff --git a/docker_storebox/work/script-setup-alist.sh b/docker_storebox/work/script-setup-alist.sh
new file mode 100644
index 0000000..ae4e3c7
--- /dev/null
+++ b/docker_storebox/work/script-setup-alist.sh
@@ -0,0 +1,23 @@
+source /opt/utils/script-utils.sh
+
+setup_alist() {
+ local ARCH=$(dpkg --print-architecture)
+ local ALIST_ARCH
+
+ case "$ARCH" in
+ amd64|x86_64) ALIST_ARCH="amd64" ;;
+ arm64|aarch64) ALIST_ARCH="arm64" ;;
+ armhf|armv7l) ALIST_ARCH="arm-7" ;;
+ *) echo "Unsupported architecture for alist: $ARCH"; return 1 ;;
+ esac
+
+ local VER=$(curl -sL -o /dev/null -w "%{url_effective}" https://github.com/alist-org/alist/releases/latest | grep -oP 'v\K[\d.]+')
+ local URL="https://github.com/alist-org/alist/releases/download/v${VER}/alist-linux-${ALIST_ARCH}.tar.gz"
+
+ echo "Installing alist v${VER} for arch ${ARCH} (${ALIST_ARCH})" \
+ && curl -fSL "${URL}" | tar -xz -C /tmp/ \
+ && install -m 0755 -D /tmp/alist /opt/alist/alist \
+ && ln -sf /opt/alist/alist /usr/bin/alist \
+ && rm -f /tmp/alist \
+ && echo "@ Installed alist: $(alist version)"
+}
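Review bot: `RUN set -eux && source /opt/utils/script-setup-sys.sh …` depends on `source`, a bash builtin, but a Dockerfile `RUN` executes under `/bin/sh -c` unless the base image sets `SHELL`; `${BASE_IMG}` is a build argument not visible here, so if its `/bin/sh` is dash the step fails at the first `source`. Add `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` before the `RUN` (which also gives the `curl | tar` pipeline in the sourced scripts a failing exit status when the download breaks), or use `.` instead of `source`. `FROM ${BASE_NAMESPACE:+$BASE_NAMESPACE/}${BASE_IMG}` carries no digest, so the layer this image ships on is whatever the tag resolves to at build time; a `# pinned via BASE_IMG=…@sha256:… in CI` note or a digest default in `ARG BASE_IMG` would make that explicit.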
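Review bot: `setup_alist` resolves a version from `releases/latest` and pipes the archive straight into `tar -xz -C /tmp/` with no checksum or signature verification and no pinned version, so each image build trusts whatever the release endpoint serves at that moment and two builds of the same commit can ship different binaries. Pin the version through an overridable variable, e.g. `local VER="${ALIST_VERSION:-<known-good>}"`, download to a file, and verify it with `sha256sum -c` against a hash recorded in the repo before `install`; I have not confirmed whether this project attaches a checksum file to its releases, so the hash may have to be committed here. Separately, `local VER=$(…)` masks the exit status of the `curl | grep` pipeline, so a failed lookup leaves `VER` empty and only surfaces later as a 404 on `${URL}`; use `local VER; VER=$(…) || return 1` instead. The `arm-7` asset name is taken on trust as well; worth a comment naming the release page it was checked against.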
diff --git a/docker_storebox/work/script-setup-rclone.sh b/docker_storebox/work/script-setup-rclone.sh
new file mode 100644
index 0000000..4382569
--- /dev/null
+++ b/docker_storebox/work/script-setup-rclone.sh
@@ -0,0 +1,27 @@
+source /opt/utils/script-utils.sh
+
+setup_rclone() {
+ local ARCH=$(dpkg --print-architecture)
+ local RCLONE_ARCH
+
+ case "$ARCH" in
+ amd64|x86_64) RCLONE_ARCH="amd64" ;;
+ arm64|aarch64) RCLONE_ARCH="arm64" ;;
+ armhf|armv7l) RCLONE_ARCH="arm-v7" ;;
+ i386|i486|i686) RCLONE_ARCH="386" ;;
+ s390x) RCLONE_ARCH="s390x" ;;
+ ppc64el|ppc64le) RCLONE_ARCH="ppc64le" ;;
+ *) echo "Unsupported architecture for rclone: $ARCH"; return 1 ;;
+ esac
+
+ local VER=$(curl -sL -o /dev/null -w "%{url_effective}" https://github.com/rclone/rclone/releases/latest | grep -oP 'v\K[\d.]+')
+ local URL="https://github.com/rclone/rclone/releases/download/v${VER}/rclone-v${VER}-linux-${RCLONE_ARCH}.zip"
+
+ echo "Installing rclone v${VER} for arch ${ARCH} (${RCLONE_ARCH})" \
+ && curl -fSL -o /tmp/rclone.zip "${URL}" \
+ && unzip -oj /tmp/rclone.zip "*/rclone" -d /tmp/ \
+ && install -m 0755 -D /tmp/rclone /opt/rclone/rclone \
+ && ln -sf /opt/rclone/rclone /usr/bin/rclone \
+ && rm -f /tmp/rclone.zip /tmp/rclone \
+ && echo "@ Installed rclone: $(rclone --version | head -1)"
+}
From 435d9bad50e0a0029117a9c3914044b314dab2e8 Mon Sep 17 00:00:00 2001
From: Bibo Hao
Date: Tue, 3 Feb 2026 06:08:45 +0000
Subject: [PATCH 2/6] update install path
---
 docker_app_clash/README.md | 3 ++-
 docker_app_clash/clash.Dockerfile | 2 +-
 docker_app_clash/work/clash/config.yaml | 2 +-
 docker_app_clash/work/clash/script-setup-clash.sh | 3 ++-
 docker_storebox/work/script-setup-alist.sh | 4 ++--
 docker_storebox/work/script-setup-rclone.sh | 4 ++--
 6 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/docker_app_clash/README.md b/docker_app_clash/README.md
index 23ac637..a69ddbf 100644
--- a/docker_app_clash/README.md
+++ b/docker_app_clash/README.md
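Review bot: `setup_rclone` installs whatever binary `releases/latest` currently points at, with no checksum or signature check on the zip, so the image contents are decided by the release server at build time and cannot be reproduced or audited from this commit. rclone publishes a `SHA256SUMS` file for each release (confirm it is attached to the GitHub release and not only on downloads.rclone.org before relying on that URL); fetch it next to the zip and run `sha256sum -c` on the matching line before `unzip`, and allow the version to be pinned via an overridable variable such as `VER="${RCLONE_VERSION:-$(…)}"`. As in the alist script, `local VER=$(…)` hides the pipeline's exit status; declare and assign on separate lines so a failed lookup stops the build.
```shell
  local ZIP="rclone-v${VER}-linux-${RCLONE_ARCH}.zip"
  local BASE="https://github.com/rclone/rclone/releases/download/v${VER}"

  echo "Installing rclone v${VER} for arch ${ARCH} (${RCLONE_ARCH})" \
    && curl -fSL -o "/tmp/${ZIP}" "${BASE}/${ZIP}" \
    && curl -fSL -o /tmp/SHA256SUMS "${BASE}/SHA256SUMS" \
    && (cd /tmp && grep -F -- " ${ZIP}" SHA256SUMS | sha256sum -c -) \
    && unzip -oj "/tmp/${ZIP}" "*/rclone" -d /tmp/
  # … unchanged: install, symlink, version banner; cleanup should also remove /tmp/${ZIP} and /tmp/SHA256SUMS …
```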
@@ -1,6 +1,7 @@ # Clash / Mihomo - mihomo core: https://github.com/MetaCubeX/mihomo/tree/Alpha +- webui zashboard: https://github.com/Zephyruso/zashboard - webui matacubexd: https://github.com/MetaCubeX/metacubexd - webui verge / client: https://clash-verge-rev.github.io @@ -14,4 +15,4 @@ docker run -d \ labnow/app-clash ``` -After the container starts, visit this page to manage proxy: http://localhost:9090/ui/ui-xd/ +After the container starts, visit this page to manage proxy: http://localhost:9090/ui/ui-zashboard/ diff --git a/docker_app_clash/clash.Dockerfile b/docker_app_clash/clash.Dockerfile index 26fa3c3..545f8fb 100644 --- a/docker_app_clash/clash.Dockerfile +++ b/docker_app_clash/clash.Dockerfile @@ -11,7 +11,7 @@ FROM ${BASE_NAMESPACE:+$BASE_NAMESPACE/}${BASE_IMG_BUILD} AS builder COPY work/clash /opt/utils/ RUN set -eux && source /opt/utils/script-setup-clash.sh \ - && setup_clash && setup_clash_metacubexd && setup_clash_zashboard \ + && setup_clash && setup_clash_zashboard \ && mv /opt/utils/config.yaml /opt/clash/config \ && mv /opt/utils/start-clash.sh /opt/clash/ diff --git a/docker_app_clash/work/clash/config.yaml b/docker_app_clash/work/clash/config.yaml index e54dedb..15f4d3e 100644 --- a/docker_app_clash/work/clash/config.yaml +++ b/docker_app_clash/work/clash/config.yaml @@ -75,7 +75,7 @@ profile: external-controller: :9090 external-ui: /opt/clash/ -external-ui-name: ui-xd +external-ui-name: ui-zashboard # ------------------------- dns and network config ------------------------- diff --git a/docker_app_clash/work/clash/script-setup-clash.sh b/docker_app_clash/work/clash/script-setup-clash.sh index b29b62e..051ac46 100644 --- a/docker_app_clash/work/clash/script-setup-clash.sh +++ b/docker_app_clash/work/clash/script-setup-clash.sh 
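Review bot: `external-controller: :9090` binds the management API on every interface, and nothing in this hunk shows a `secret:` for it, while the README in the same commit points users at `http://localhost:9090/ui/ui-zashboard/`; if no secret is set elsewhere in `config.yaml`, anyone who can reach port 9090 can read and rewrite the proxy configuration through the same API the dashboard uses. Either add `secret:` (and document how the UI is given it) or bind with `external-controller: 127.0.0.1:9090` and let the container's port mapping decide exposure. The rest of the config is outside this hunk, so I cannot confirm which case applies; a comment above the line stating the intended trust boundary would settle it.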
@@ -25,13 +25,14 @@ setup_clash() { setup_clash_metacubexd() { # Install the latest release: https://github.com/MetaCubeX/metacubexd + ## Notice: metacube UI now requires a NodeJS backend to run. VER_XD=$(curl -sL https://github.com/MetaCubeX/metacubexd/releases.atom | grep 'releases/tag/v' | head -1 | grep -Po '\d[\d.]+' ) \ && URL_XD="https://github.com/MetaCubeX/metacubexd/archive/refs/tags/v$VER_XD.tar.gz" \ && echo "Downloading XD version ${VER_XD} from: ${URL_XD}" \ && install_tar_gz $URL_XD \ && mv /opt/metacubexd-* /tmp/xd && cd /tmp/xd \ && npx pnpm i && npx pnpm run build && ls -alh \ - && mv /tmp/xd/dist /opt/clash/ui-xd + && mv /tmp/xd/.output /opt/clash/ui-xd } setup_clash_zashboard() { diff --git a/docker_storebox/work/script-setup-alist.sh b/docker_storebox/work/script-setup-alist.sh index ae4e3c7..c790746 100644 --- a/docker_storebox/work/script-setup-alist.sh +++ b/docker_storebox/work/script-setup-alist.sh @@ -16,8 +16,8 @@ setup_alist() { echo "Installing alist v${VER} for arch ${ARCH} (${ALIST_ARCH})" \ && curl -fSL "${URL}" | tar -xz -C /tmp/ \ - && install -m 0755 -D /tmp/alist /opt/alist/alist \ - && ln -sf /opt/alist/alist /usr/bin/alist \ + && install -m 0755 -D /tmp/alist /opt/bin/alist \ + && ln -sf /opt/bin/alist /usr/bin/alist \ && rm -f /tmp/alist \ && echo "@ Installed alist: $(alist version)" } diff --git a/docker_storebox/work/script-setup-rclone.sh b/docker_storebox/work/script-setup-rclone.sh index 4382569..9e5e6fc 100644 --- a/docker_storebox/work/script-setup-rclone.sh +++ b/docker_storebox/work/script-setup-rclone.sh 
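Review bot: `setup_clash_metacubexd` resolves a version from `releases.atom`, unpacks the source tarball through `install_tar_gz $URL_XD` with the URL unquoted, and then runs `npx pnpm i && npx pnpm run build`, which executes the tarball's lifecycle scripts and resolves its whole dependency tree at build time with nothing pinned or verified on this side. Since the Dockerfile in this same commit stops calling `setup_clash_metacubexd`, deleting the function would be cleaner than keeping an unused, unpinned build path; if it stays, quote the URL, `install_tar_gz "$URL_XD"`, and use `npx pnpm i --frozen-lockfile` so the build fails on a lockfile mismatch instead of silently resolving newer versions. The new `## Notice:` comment explains the drop well; a matching `# unused since <commit>, kept for reference` line would stop someone re-enabling it by accident. `setup_clash_zashboard` begins at the end of this hunk and continues outside it.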
@@ -20,8 +20,8 @@ setup_rclone() { echo "Installing rclone v${VER} for arch ${ARCH} (${RCLONE_ARCH})" \ && curl -fSL -o /tmp/rclone.zip "${URL}" \ && unzip -oj /tmp/rclone.zip "*/rclone" -d /tmp/ \ - && install -m 0755 -D /tmp/rclone /opt/rclone/rclone \ - && ln -sf /opt/rclone/rclone /usr/bin/rclone \ + && install -m 0755 -D /tmp/rclone /opt/bin/rclone \ + && ln -sf /opt/bin/rclone /usr/bin/rclone \ && rm -f /tmp/rclone.zip /tmp/rclone \ && echo "@ Installed rclone: $(rclone --version | head -1)" } From eb9f3466771eeaa9827a2eb857aa76efa7dd6ea2 Mon Sep 17 00:00:00 2001 From: Peter Howe Date: Thu, 5 Feb 2026 21:45:50 +0800 Subject: [PATCH 3/6] update openresty configs --- docker_openresty/README.md | 11 ++-- .../10-listen-on-ipv6-by-default.sh | 2 +- .../15-local-resolvers.envsh | 3 + .../work/nginx/conf.d/include/force-ssl.conf | 3 + .../include/letsencrypt-acme-challenge.conf | 15 +++-- .../work/nginx/conf.d/include/log.conf | 39 +++++++++++- .../work/nginx/conf.d/include/map.conf | 7 +++ .../work/nginx/conf.d/include/proxy.conf | 6 +- docker_openresty/work/nginx/nginx.conf | 50 ++++++++-------- docker_openresty/work/script-acme-lego.sh | 59 ------------------- docker_openresty/work/script-acme-sh.sh | 1 - .../work/script-setup-openresty.sh | 4 +- 12 files changed, 94 insertions(+), 106 deletions(-) create mode 100644 docker_openresty/work/nginx/conf.d/include/map.conf delete mode 100644 docker_openresty/work/script-acme-lego.sh diff --git a/docker_openresty/README.md b/docker_openresty/README.md index 5e0b7fc..1f18e88 100644 --- a/docker_openresty/README.md +++ b/docker_openresty/README.md @@ -1,9 +1,8 @@ -# OpenResty with Lua, acme.sh and lego +# OpenResty with Lua, acme.sh -What's here: +What's inside this docker image: - Openresty, ref: https://github.com/openresty/docker-openresty/blob/master/bionic/Dockerfile - - acme.sh - - lego + - acme.sh, ref: https://github.com/acmesh-official/acme.sh ## How to apply for certificates using ACME.sh 
@@ -24,10 +23,11 @@ DOMAINS=$(printf "%s\n" *.crt *.key 2>/dev/null | sed 's/\.[^.]*$//' | sort -u) ## Custom Configs -- ref: https://nginxproxymanager.com/advanced-config/#custom-nginx-configurations +- Refer to [source code](https://github.com/NginxProxyManager/nginx-proxy-manager/tree/develop/docker/rootfs/etc/nginx/conf.d) and [docs](https://nginxproxymanager.com/advanced-config/#custom-nginx-configurations) of [Nginx Proxy Manager](https://nginxproxymanager.com/). You can add your custom configuration snippet files at /data/nginx/custom as follows: +- `/data/nginx/custom/root_top.conf`: Included at the top of nginx.conf - `conf/root.conf`: Included at the very end of nginx.conf - `conf/http_top.conf`: Included at the top of the main http block - `conf/http.conf`: Included at the end of the main http block @@ -38,6 +38,7 @@ You can add your custom configuration snippet files at /data/nginx/custom as fol - `conf/server_stream.conf`: Included at the end of every stream server block - `conf/server_stream_tcp.conf`: Included at the end of every TCP stream server block - `conf/server_stream_udp.conf`: Included at the end of every UDP stream server block +- `/data/nginx/custom/server_dead.conf`: Included at the end of every 404 server block ## Debug diff --git a/docker_openresty/work/entrypoint/docker-entrypoint.d/10-listen-on-ipv6-by-default.sh b/docker_openresty/work/entrypoint/docker-entrypoint.d/10-listen-on-ipv6-by-default.sh index b90bf0c..61a901d 100644 --- a/docker_openresty/work/entrypoint/docker-entrypoint.d/10-listen-on-ipv6-by-default.sh +++ b/docker_openresty/work/entrypoint/docker-entrypoint.d/10-listen-on-ipv6-by-default.sh 
@@ -27,7 +27,7 @@ fi touch /$DEFAULT_CONF_FILE 2>/dev/null || { entrypoint_log "$ME: info: can not modify /$DEFAULT_CONF_FILE (read-only file system?)"; exit 0; } # check if the file is already modified, e.g. on a container restart -grep -q "listen \[::]\:80;" /$DEFAULT_CONF_FILE && { entrypoint_log "$ME: info: IPv6 listen already enabled"; exit 0; } +grep -q "listen \[::\]:80;" /$DEFAULT_CONF_FILE && { entrypoint_log "$ME: info: IPv6 listen already enabled"; exit 0; } if [ -f "/etc/os-release" ]; then . /etc/os-release diff --git a/docker_openresty/work/entrypoint/docker-entrypoint.d/15-local-resolvers.envsh b/docker_openresty/work/entrypoint/docker-entrypoint.d/15-local-resolvers.envsh index 450a999..e830dda 100644 --- a/docker_openresty/work/entrypoint/docker-entrypoint.d/15-local-resolvers.envsh +++ b/docker_openresty/work/entrypoint/docker-entrypoint.d/15-local-resolvers.envsh @@ -9,4 +9,7 @@ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin [ "${NGINX_ENTRYPOINT_LOCAL_RESOLVERS:-}" ] || return 0 NGINX_LOCAL_RESOLVERS=$(awk 'BEGIN{ORS=" "} $1=="nameserver" {if ($2 ~ ":") {print "["$2"]"} else {print $2}}' /etc/resolv.conf) + +NGINX_LOCAL_RESOLVERS="${NGINX_LOCAL_RESOLVERS% }" + export NGINX_LOCAL_RESOLVERS diff --git a/docker_openresty/work/nginx/conf.d/include/force-ssl.conf b/docker_openresty/work/nginx/conf.d/include/force-ssl.conf index aa52f33..e43c2fc 100644 --- a/docker_openresty/work/nginx/conf.d/include/force-ssl.conf +++ b/docker_openresty/work/nginx/conf.d/include/force-ssl.conf @@ -5,6 +5,9 @@ if ($scheme = "http") { if ($request_uri = /.well-known/acme-challenge/test-challenge) { set $test "${test}T"; } +if ($http_x_forwarded_proto = "https") { + set $test "${test}S"; +} if ($test = H) { return 301 https://$host$request_uri; } diff --git a/docker_openresty/work/nginx/conf.d/include/letsencrypt-acme-challenge.conf b/docker_openresty/work/nginx/conf.d/include/letsencrypt-acme-challenge.conf index 3b2007b..ff2a782 100644 
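Review bot: The added `if ($http_x_forwarded_proto = "https") { set $test "${test}S"; }` lets a request header chosen by whoever connects decide whether the HTTPS redirect is skipped, so any client, or an on-path attacker who has already stripped TLS, can send `X-Forwarded-Proto: https` over plain HTTP and be served without the redirect. The header only means something when it comes from a trusted upstream proxy, so gate it on the proxy ranges, e.g. a `geo $realip_remote_addr $from_trusted_proxy { default 0; 10.0.0.0/8 1; … }` in `map.conf` and a test on `$from_trusted_proxy$http_x_forwarded_proto`, or drop `force-ssl.conf` entirely on instances that sit behind a TLS-terminating edge. Add a comment above the block stating the assumption: `# Honour X-Forwarded-Proto only when this server is behind a proxy that overwrites the header`.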
--- a/docker_openresty/work/nginx/conf.d/include/letsencrypt-acme-challenge.conf +++ b/docker_openresty/work/nginx/conf.d/include/letsencrypt-acme-challenge.conf @@ -8,18 +8,23 @@ location ^~ /.well-known/acme-challenge/ { auth_request off; allow all; - # Set correct content type. According to this: https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/29 - # Current specification requires "text/plain" or no content header at all. It seems that "text/plain" is a safe option. + # Set correct content type. According to this: + # https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/29 + # Current specification requires "text/plain" or no content header at all. + # It seems that "text/plain" is a safe option. default_type "text/plain"; # This directory must be the same as in /etc/letsencrypt/cli.ini - # as "webroot-path" parameter. Also don't forget to set "authenticator" parameter there to "webroot". - # Do NOT use alias, use root! Target directory is located here: /var/www/common/letsencrypt/.well-known/acme-challenge/ + # as "webroot-path" parameter. Also don't forget to set "authenticator" parameter + # there to "webroot". + # Do NOT use alias, use root! Target directory is located here: + # /var/www/common/letsencrypt/.well-known/acme-challenge/ root /data/letsencrypt-acme-challenge; } # Hide /acme-challenge subdirectory and return 404 on all requests. -# It is somewhat more secure than letting Nginx return 403. Ending slash is important! +# It is somewhat more secure than letting Nginx return 403. +# Ending slash is important! location = /.well-known/acme-challenge/ { return 404; } diff --git a/docker_openresty/work/nginx/conf.d/include/log.conf b/docker_openresty/work/nginx/conf.d/include/log.conf index 092785c..8832e07 100644 --- a/docker_openresty/work/nginx/conf.d/include/log.conf +++ b/docker_openresty/work/nginx/conf.d/include/log.conf 
@@ -1,3 +1,38 @@ -log_format proxy escape=json '{"T":"$fmt_localtime","t":"$request_time","tr":"$upstream_response_time","s":"$status","m":"$request_method","e":"$scheme","h":"$host","u":"$request_uri","r":"$remote_addr","R":"$http_x_forwarded_for","L":"$body_bytes_sent","G":"$gzip_ratio","a":"$http_user_agent","f":"$http_referer","U":"$upstream_status","C":"$upstream_cache_status","S":"$server_name"}'; -log_format standard escape=json '{"T":"$fmt_localtime","t":"$request_time","tr":"$upstream_response_time","s":"$status","m":"$request_method","e":"$scheme","h":"$host","u":"$request_uri","r":"$remote_addr","R":"$http_x_forwarded_for","L":"$body_bytes_sent","G":"$gzip_ratio","a":"$http_user_agent","f":"$http_referer"}'; +log_format standard escape=json '{"T":"$fmt_localtime","t":"$request_time","tr":"$upstream_response_time","s":"$status","r":"$remote_addr","m":"$request_method","e":"$scheme","h":"$host","u":"$request_uri","R":"$http_x_forwarded_for","L":"$body_bytes_sent","G":"$gzip_ratio","a":"$http_user_agent","f":"$http_referer"}'; +log_format proxy escape=json '{"T":"$fmt_localtime","t":"$request_time","tr":"$upstream_response_time","s":"$status","r":"$remote_addr","m":"$request_method","e":"$scheme","h":"$host","u":"$request_uri","R":"$http_x_forwarded_for","L":"$body_bytes_sent","G":"$gzip_ratio","a":"$http_user_agent","f":"$http_referer","U":"$upstream_status","C":"$upstream_cache_status","S":"$server_name"}'; +log_format stream escape=json '{"T":"$fmt_localtime","ts":"$session_time","tc":"$upstream_connect_time","s":"$status","r":"$remote_addr","P":"$protocol","p":"$remote_port","bs":"$bytes_sent","br":"$bytes_received","ua":"$upstream_addr","ubs":"$upstream_bytes_sent","ubr":"$upstream_bytes_received","ssl_p":"$ssl_protocol","ssl_c":"$ssl_cipher"}'; + access_log /var/log/nginx/fallback_access.log proxy; +access_log /var/log/nginx/fallback_stream_access.log stream; + +## Log formats: +#| JSON key | standard | proxy | stream | +#| -------- | 
------------------------- | ------------------------- | -------------------------- | +#| `T` | `$fmt_localtime` | `$fmt_localtime` | `$fmt_localtime` | +#| `t` | `$request_time` | `$request_time` | — | +#| `tr` | `$upstream_response_time` | `$upstream_response_time` | — | +#| `ts` | — | — | `$session_time` | +#| `tc` | — | — | `$upstream_connect_time` | +#| `s` | `$status` | `$status` | `$status` | +#| `r` | `$remote_addr` | `$remote_addr` | `$remote_addr` | +#| `m` | `$request_method` | `$request_method` | — | +#| `e` | `$scheme` | `$scheme` | — | +#| `h` | `$host` | `$host` | — | +#| `u` | `$request_uri` | `$request_uri` | — | +#| `R` | `$http_x_forwarded_for` | `$http_x_forwarded_for` | — | +#| `L` | `$body_bytes_sent` | `$body_bytes_sent` | — | +#| `G` | `$gzip_ratio` | `$gzip_ratio` | — | +#| `a` | `$http_user_agent` | `$http_user_agent` | — | +#| `f` | `$http_referer` | `$http_referer` | — | +#| `U` | — | `$upstream_status` | — | +#| `C` | — | `$upstream_cache_status` | — | +#| `S` | — | `$server_name` | — | +#| `P` | — | — | `$protocol` | +#| `p` | — | — | `$remote_port` | +#| `bs` | — | — | `$bytes_sent` | +#| `br` | — | — | `$bytes_received` | +#| `ua` | — | — | `$upstream_addr` | +#| `ubs` | — | — | `$upstream_bytes_sent` | +#| `ubr` | — | — | `$upstream_bytes_received` | +#| `ssl_p` | — | — | `$ssl_protocol` | +#| `ssl_c` | — | — | `$ssl_cipher` | diff --git a/docker_openresty/work/nginx/conf.d/include/map.conf b/docker_openresty/work/nginx/conf.d/include/map.conf new file mode 100644 index 0000000..1b85c17 --- /dev/null +++ b/docker_openresty/work/nginx/conf.d/include/map.conf @@ -0,0 +1,7 @@ +# Default upstream scheme +map $host $forward_scheme { default http; } +map $scheme $hsts_header { https "max-age=63072000; preload"; } +map $host $fmt_localtime { default ''; } +log_by_lua_block { + ngx.var.fmt_localtime = ngx.localtime(); +} 
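Review bot: `map $scheme $hsts_header { https "max-age=63072000; preload"; }` emits `preload` without `includeSubDomains`, which the HSTS preload list requires, so the directive is either incomplete or, if some subdomains must stay reachable over plain HTTP, actively harmful, and `preload` is effectively irreversible once a domain is listed. Use `https "max-age=63072000; includeSubDomains; preload";` only for hosts that really intend to be submitted, and drop `preload` otherwise; a comment such as `# preload is a one-way door: only add it after verifying every subdomain serves HTTPS` belongs above the map. This file is now included from both `http {}` and `stream {}` by the `nginx.conf` change in this commit, which I raise on that hunk.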
diff --git a/docker_openresty/work/nginx/conf.d/include/proxy.conf b/docker_openresty/work/nginx/conf.d/include/proxy.conf index 4741aa0..2f9929a 100644 --- a/docker_openresty/work/nginx/conf.d/include/proxy.conf +++ b/docker_openresty/work/nginx/conf.d/include/proxy.conf @@ -1,8 +1,6 @@ add_header X-Served-By $host; proxy_set_header Host $host; -proxy_set_header X-Forwarded-Scheme $scheme; -proxy_set_header X-Forwarded-Proto $scheme; -proxy_set_header X-Forwarded-Host $host; -proxy_set_header X-Forwarded-Port $port; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +proxy_set_header X-Forwarded-Proto $scheme; +proxy_set_header X-Forwarded-Host $host; diff --git a/docker_openresty/work/nginx/nginx.conf b/docker_openresty/work/nginx/nginx.conf index 92762bb..ce72f9b 100644 --- a/docker_openresty/work/nginx/nginx.conf +++ b/docker_openresty/work/nginx/nginx.conf @@ -4,7 +4,7 @@ # run nginx in foreground daemon off; - +pid /var/run/nginx.pid; # user nginx; # Set number of worker processes automatically based on number of CPU cores. @@ -15,16 +15,18 @@ pcre_jit on; error_log /var/log/nginx/fallback_error.log warn; -pid /var/run/nginx.pid; - # Includes files with directives to load dynamic modules. include /etc/nginx/modules/*.conf; +# Custom +include /data/nginx/custom/root_top[.]conf; + events { include /etc/nginx/custom/events[.]conf; } http { + include /etc/nginx/conf.d/include/map.conf; include /etc/nginx/conf.d/include/log.conf; include /etc/nginx/mime.types; 
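Review bot: `proxy.conf` now sets `X-Forwarded-Proto` and `X-Forwarded-Host`, but the `http {}` block of `nginx.conf` in this same commit still sets `X-Forwarded-Scheme`, `X-Forwarded-For` and `Accept-Encoding ""` at http level, and nginx does not merge `proxy_set_header` across levels: defining any in a location discards every inherited one, so wherever this include is used `Accept-Encoding ""` and `X-Forwarded-Scheme` stop being sent. Keep the complete set in one place (this include is the natural one, since it already carries `X-Real-IP` and `X-Forwarded-For`) and delete the http-level copies, or add `# NOTE: proxy_set_header here replaces, not extends, the http-level headers` so the next edit does not reintroduce the drift. `add_header X-Served-By $host` goes out on every response; a one-line comment on why that hostname is meant to be visible would help.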
@@ -48,31 +50,28 @@ http { proxy_set_header X-Forwarded-Scheme $scheme; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Accept-Encoding ""; - proxy_cache_path /var/cache/nginx/public levels=1:2 keys_zone=public-cache:30m max_size=10g; - proxy_cache_path /var/cache/nginx/private levels=1:2 keys_zone=private-cache:5m max_size=10g; - proxy_cache private-cache; - # Default upstream scheme - map $host $forward_scheme { default http; } - map $host $fmt_localtime { default ''; } - log_by_lua_block { - ngx.var.fmt_localtime = ngx.localtime(); - } + # Cache zone for private (non-shared) cache: cookie, token, session based + proxy_cache_path /var/cache/nginx/private levels=1:2 keys_zone=private-cache:5m max_size=10g use_temp_path=off inactive=5m; + + # Cache zone for public (shared) cache: static assets, reusable resources + proxy_cache_path /var/cache/nginx/public levels=1:2 keys_zone=public-cache:30m max_size=20g use_temp_path=off inactive=7d; + + proxy_cache public-cache; + # Real IP Determination # Local subnets: set_real_ip_from 10.0.0.0/8; set_real_ip_from 172.16.0.0/12; # Includes Docker subnet set_real_ip_from 192.168.0.0/16; - - # NPM generated CDN ip ranges: + # NPM generated CDN ip ranges (if-any): include /etc/nginx/conf.d/include/ip_ranges.conf; - # always put the following 2 lines after ip subnets: real_ip_header X-Real-IP; real_ip_recursive on; - # Custom + # Custom http_top include /etc/nginx/custom/http_top[.]conf; # Files generated by NPM 
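Review bot: Changing the http-level default to `proxy_cache public-cache;` means every proxied location that does not override it now writes into the shared zone, including responses to requests carrying `Authorization` or session cookies; as I read nginx's defaults, only upstream response headers (`Set-Cookie`, `Cache-Control: private`/`no-store`, and the like) keep a response out of the cache, so an upstream that omits them on per-user responses will have those responses served to other users. Keep the default in the private zone, or add `proxy_no_cache $http_authorization $http_cookie;` and `proxy_cache_bypass $http_authorization $http_cookie;` next to this line so per-user requests never enter `public-cache`. The new comments on the two `proxy_cache_path` lines are good; the one on `public-cache` should also say that it is the default for every location. The `set_real_ip_from` block trusts all of RFC1918 for `X-Real-IP`, which is safe only while nothing but your own proxies sits in those ranges, and that this hunk cannot show.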
@@ -82,21 +81,18 @@ http { include /etc/nginx/dead_host/*.conf; include /etc/nginx/temp/*.conf; - # Custom - include /etc/nginx/custom/http[.]conf; - - - map $scheme $hsts_header { - https "max-age=63072000; preload"; - } + # http server files should generally be stored in conf.d include /etc/nginx/conf.d/*.conf; + + # Custom http + include /etc/nginx/custom/http[.]conf; } stream { - # Files generated by NPM - include /etc/nginx/stream/*.conf; - - # Custom + include /etc/nginx/conf.d/include/map.conf; + include /etc/nginx/conf.d/include/log.conf; + # http server files should generally be stored in stream-conf.d + include /etc/nginx/stream-conf.d/*.conf; include /etc/nginx/custom/stream[.]conf; } diff --git a/docker_openresty/work/script-acme-lego.sh b/docker_openresty/work/script-acme-lego.sh deleted file mode 100644 index 2e3dd13..0000000 --- a/docker_openresty/work/script-acme-lego.sh +++ /dev/null 
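Review bot: The `stream {}` block now includes `map.conf`, which defines `map $host …` and `map $scheme …` plus a `log_by_lua_block`, but `$host` and `$scheme` are http-module variables, so I would expect `nginx -t` to reject the config with an unknown-variable error in stream context (hedged, since I cannot run it here); split the stream-safe part, the `$fmt_localtime` map and the Lua hook if the stream Lua module in this build provides `log_by_lua_block`, into a `map-stream.conf` and include only that. The comment `# http server files should generally be stored in stream-conf.d` under `stream {}` is copied from the `http` block and should read `# stream server files should generally be stored in stream-conf.d`. The hunk also stops including `/etc/nginx/stream/*.conf` ("Files generated by NPM"); if anything still writes there, those servers silently stop loading, so either keep that include or note the migration in the README.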
@@ -1,59 +0,0 @@ -#!/bin/bash -set -ex - -# Function to issue certificates using lego -issue_certificates_lego() { - local ACME_EMAIL=$1 - local LIST_DOMAINS=$2 - - echo "ACME_EMAIL set to ${ACME_EMAIL}" - echo "LIST_DOMAINS set to ${LIST_DOMAINS}" - - # Validate and define email address - ACME_EMAIL=${ACME_EMAIL:-"admin@example.com"} - - if [ -z "$LIST_DOMAINS" ]; then - echo "Please define variable LIST_DOMAINS: domain names separated by space" - echo "example: LIST_DOMAINS=\"example.com api.example.com\"" - exit 2 - fi - - # Split LIST_DOMAINS into array - local DOMAINS=($LIST_DOMAINS) - - # Check for wildcard domains - for DOMAIN in "${DOMAINS[@]}"; do - if [[ "$DOMAIN" == *"*"* ]]; then - echo "Wildcard domains (e.g., *.example.com) are not supported by this function." - exit 3 - fi - done - - # Define directories and commands - local DIR_CERT_INSTALL="/etc/nginx/ssl" - local DIR_WEB_ROOT="/data/letsencrypt-acme-challenge" - local RELOAD_CMD="nginx -t && nginx -s reload" - - # Create required directories - mkdir -pv "$DIR_CERT_INSTALL" "$DIR_WEB_ROOT" - - # Process each domain - for DOMAIN in "${DOMAINS[@]}"; do - echo "Applying for certificate for domain using lego HTTP-01 method for: ${DOMAIN}" - - lego --email "${ACME_EMAIL}" --accept-tos --dns "none" --http \ - --http.webroot="${DIR_WEB_ROOT}" \ - --domains "${DOMAIN}" run - - echo "Installing domain certificate to: ${DIR_CERT_INSTALL}" - cp "${DOMAIN}.key" "${DOMAIN}.crt" "${DIR_CERT_INSTALL}/ - - # Reload nginx to apply the certificate - ${RELOAD_CMD} - - echo "Certificate successfully applied for domain: ${DOMAIN}" - done -} - -# Call the function with parameters -issue_certificates_lego "$1" "$2" diff --git a/docker_openresty/work/script-acme-sh.sh b/docker_openresty/work/script-acme-sh.sh index 76605be..2edccb4 100644 --- a/docker_openresty/work/script-acme-sh.sh +++ b/docker_openresty/work/script-acme-sh.sh 
@@ -41,7 +41,6 @@ issue_certificates_acme_sh() { # Process each domain for DOMAIN in "${DOMAINS[@]}"; do echo "Applying for certificate for domain using acme.sh HTTP-01 method for: ${DOMAIN}" - "${PATH_ACME}/acme.sh" --issue --force \ --webroot "${DIR_WEB_ROOT}" \ -d "${DOMAIN}" \ diff --git a/docker_openresty/work/script-setup-openresty.sh b/docker_openresty/work/script-setup-openresty.sh index 6ab3321..e1ab4f8 100644 --- a/docker_openresty/work/script-setup-openresty.sh +++ b/docker_openresty/work/script-setup-openresty.sh @@ -38,10 +38,8 @@ setup_openresty() { --with-http_auth_request_module \ --with-http_dav_module \ --with-http_flv_module \ - --with-http_geoip_module=dynamic \ --with-http_gunzip_module \ --with-http_gzip_static_module \ - --with-http_image_filter_module=dynamic \ --with-http_mp4_module \ --with-http_random_index_module \ --with-http_realip_module \ @@ -52,6 +50,8 @@ setup_openresty() { --with-http_sub_module \ --with-http_v2_module \ --with-http_v3_module \ + --with-http_geoip_module=dynamic \ + --with-http_image_filter_module=dynamic \ --with-http_xslt_module=dynamic \ --with-mail \ --with-mail_ssl_module \ From ad68173fb349fc5bfafecaa4576ceca3e2f78e1d Mon Sep 17 00:00:00 2001 From: Peter Howe Date: Thu, 5 Feb 2026 22:20:21 +0800 Subject: [PATCH 4/6] update acme.sh --- .../include/{log.conf => log-standard.conf} | 2 - .../work/nginx/conf.d/include/log-stream.conf | 35 ++++ docker_openresty/work/nginx/nginx.conf | 4 +- docker_openresty/work/script-acme-sh.sh | 170 ++++++++++++------ 4 files changed, 156 insertions(+), 55 deletions(-) rename docker_openresty/work/nginx/conf.d/include/{log.conf => log-standard.conf} (90%) create mode 100644 docker_openresty/work/nginx/conf.d/include/log-stream.conf 
diff --git a/docker_openresty/work/nginx/conf.d/include/log.conf b/docker_openresty/work/nginx/conf.d/include/log-standard.conf similarity index 90% rename from docker_openresty/work/nginx/conf.d/include/log.conf rename to docker_openresty/work/nginx/conf.d/include/log-standard.conf index 8832e07..fb99f8e 100644 --- a/docker_openresty/work/nginx/conf.d/include/log.conf +++ b/docker_openresty/work/nginx/conf.d/include/log-standard.conf @@ -1,9 +1,7 @@ log_format standard escape=json '{"T":"$fmt_localtime","t":"$request_time","tr":"$upstream_response_time","s":"$status","r":"$remote_addr","m":"$request_method","e":"$scheme","h":"$host","u":"$request_uri","R":"$http_x_forwarded_for","L":"$body_bytes_sent","G":"$gzip_ratio","a":"$http_user_agent","f":"$http_referer"}'; log_format proxy escape=json '{"T":"$fmt_localtime","t":"$request_time","tr":"$upstream_response_time","s":"$status","r":"$remote_addr","m":"$request_method","e":"$scheme","h":"$host","u":"$request_uri","R":"$http_x_forwarded_for","L":"$body_bytes_sent","G":"$gzip_ratio","a":"$http_user_agent","f":"$http_referer","U":"$upstream_status","C":"$upstream_cache_status","S":"$server_name"}'; -log_format stream escape=json '{"T":"$fmt_localtime","ts":"$session_time","tc":"$upstream_connect_time","s":"$status","r":"$remote_addr","P":"$protocol","p":"$remote_port","bs":"$bytes_sent","br":"$bytes_received","ua":"$upstream_addr","ubs":"$upstream_bytes_sent","ubr":"$upstream_bytes_received","ssl_p":"$ssl_protocol","ssl_c":"$ssl_cipher"}'; access_log /var/log/nginx/fallback_access.log proxy; -access_log /var/log/nginx/fallback_stream_access.log stream; ## Log formats: #| JSON key | standard | proxy | stream | diff --git a/docker_openresty/work/nginx/conf.d/include/log-stream.conf b/docker_openresty/work/nginx/conf.d/include/log-stream.conf new file mode 100644 index 0000000..2044b87 --- /dev/null +++ b/docker_openresty/work/nginx/conf.d/include/log-stream.conf 
@@ -0,0 +1,35 @@ +log_format stream escape=json '{"T":"$fmt_localtime","ts":"$session_time","tc":"$upstream_connect_time","s":"$status","r":"$remote_addr","P":"$protocol","p":"$remote_port","bs":"$bytes_sent","br":"$bytes_received","ua":"$upstream_addr","ubs":"$upstream_bytes_sent","ubr":"$upstream_bytes_received","ssl_p":"$ssl_protocol","ssl_c":"$ssl_cipher"}'; + +access_log /var/log/nginx/fallback_stream_access.log stream; + +## Log formats: +#| JSON key | standard | proxy | stream | +#| -------- | ------------------------- | ------------------------- | -------------------------- | +#| `T` | `$fmt_localtime` | `$fmt_localtime` | `$fmt_localtime` | +#| `t` | `$request_time` | `$request_time` | — | +#| `tr` | `$upstream_response_time` | `$upstream_response_time` | — | +#| `ts` | — | — | `$session_time` | +#| `tc` | — | — | `$upstream_connect_time` | +#| `s` | `$status` | `$status` | `$status` | +#| `r` | `$remote_addr` | `$remote_addr` | `$remote_addr` | +#| `m` | `$request_method` | `$request_method` | — | +#| `e` | `$scheme` | `$scheme` | — | +#| `h` | `$host` | `$host` | — | +#| `u` | `$request_uri` | `$request_uri` | — | +#| `R` | `$http_x_forwarded_for` | `$http_x_forwarded_for` | — | +#| `L` | `$body_bytes_sent` | `$body_bytes_sent` | — | +#| `G` | `$gzip_ratio` | `$gzip_ratio` | — | +#| `a` | `$http_user_agent` | `$http_user_agent` | — | +#| `f` | `$http_referer` | `$http_referer` | — | +#| `U` | — | `$upstream_status` | — | +#| `C` | — | `$upstream_cache_status` | — | +#| `S` | — | `$server_name` | — | +#| `P` | — | — | `$protocol` | +#| `p` | — | — | `$remote_port` | +#| `bs` | — | — | `$bytes_sent` | +#| `br` | — | — | `$bytes_received` | +#| `ua` | — | — | `$upstream_addr` | +#| `ubs` | — | — | `$upstream_bytes_sent` | +#| `ubr` | — | — | `$upstream_bytes_received` | +#| `ssl_p` | — | — | `$ssl_protocol` | +#| `ssl_c` | — | — | `$ssl_cipher` | 
diff --git a/docker_openresty/work/nginx/nginx.conf b/docker_openresty/work/nginx/nginx.conf index ce72f9b..699aa9d 100644 --- a/docker_openresty/work/nginx/nginx.conf +++ b/docker_openresty/work/nginx/nginx.conf @@ -27,7 +27,7 @@ events { http { include /etc/nginx/conf.d/include/map.conf; - include /etc/nginx/conf.d/include/log.conf; + include /etc/nginx/conf.d/include/log-standard.conf; include /etc/nginx/mime.types; default_type application/octet-stream; @@ -90,7 +90,7 @@ http { stream { include /etc/nginx/conf.d/include/map.conf; - include /etc/nginx/conf.d/include/log.conf; + include /etc/nginx/conf.d/include/log-stream.conf; # http server files should generally be stored in stream-conf.d include /etc/nginx/stream-conf.d/*.conf; include /etc/nginx/custom/stream[.]conf; diff --git a/docker_openresty/work/script-acme-sh.sh b/docker_openresty/work/script-acme-sh.sh index 2edccb4..28b5555 100644 --- a/docker_openresty/work/script-acme-sh.sh +++ b/docker_openresty/work/script-acme-sh.sh 
@@ -1,61 +1,129 @@
 #!/bin/bash
 set -ex
-# Function to issue certificates using acme.sh
-issue_certificates_acme_sh() {
- local ACME_EMAIL=$1
- local LIST_DOMAINS=$2
+##########################
+# Top-level global variables
+##########################
+ACME_SH_PATH="/opt/acme.sh"
+DIR_CERT_INSTALL="/etc/nginx/ssl"
+DIR_WEB_ROOT="/data/letsencrypt-acme-challenge"
+RELOAD_CMD="nginx -t && nginx -s reload"
+DEFAULT_ACME_EMAIL="admin@example.com"
- echo "ACME_EMAIL set to ${ACME_EMAIL}"
- echo "LIST_DOMAINS set to ${LIST_DOMAINS}"
+##########################
+# DNS provider environment variables template (https://github.com/acmesh-official/acme.sh/wiki/dnsapi)
+# Export before running:
+# Cloudflare: export CF_Key="xxx"; export CF_Email="xxx"
+# DNSPod: export DP_Id="xxx"; export DP_Key="xxx"
+# AWS Route53: export AWS_ACCESS_KEY_ID="xxx"; export AWS_SECRET_ACCESS_KEY="xxx"
+##########################
- # Validate and define email address
- ACME_EMAIL=${ACME_EMAIL:-"admin@example.com"}
+##########################
+# HTTP-01 certificate issuance
+# Parameters: email, domains
+##########################
+issue_cert_http01() {
+ local email=$1
+ local domains=$2
- if [ -z "$LIST_DOMAINS" ]; then
- echo "Please define variable LIST_DOMAINS: domain names separated by space"
- echo "example: LIST_DOMAINS=\"example.com api.example.com\""
- exit 2
+ mkdir -pv "$DIR_CERT_INSTALL" "$DIR_WEB_ROOT"
+
+ for d in $domains; do
+ if [[ $d == *"*"* ]]; then
+ echo "Wildcard detected, HTTP-01 cannot be used for $d"
+ exit 3
 fi
- # Split LIST_DOMAINS into array
- local DOMAINS=($LIST_DOMAINS)
-
- # Check for wildcard domains
- for DOMAIN in "${DOMAINS[@]}"; do
- if [[ "$DOMAIN" == *"*"* ]]; then
- echo "Wildcard domains (e.g., *.example.com) are not supported by this function."
- exit 3
- fi
- done
-
- # Define directories and commands
- local DIR_CERT_INSTALL="/etc/nginx/ssl"
- local DIR_WEB_ROOT="/data/letsencrypt-acme-challenge"
- local PATH_ACME="/opt/acme.sh"
- local RELOAD_CMD="nginx -t && nginx -s reload"
-
- # Create required directories
- mkdir -pv "$DIR_CERT_INSTALL" "$DIR_WEB_ROOT"
-
- # Process each domain
- for DOMAIN in "${DOMAINS[@]}"; do
- echo "Applying for certificate for domain using acme.sh HTTP-01 method for: ${DOMAIN}"
- "${PATH_ACME}/acme.sh" --issue --force \
- --webroot "${DIR_WEB_ROOT}" \
- -d "${DOMAIN}" \
- --server letsencrypt
-
- echo "Installing domain certificate to: ${DIR_CERT_INSTALL}"
- "${PATH_ACME}/acme.sh" --install-cert \
- -d "${DOMAIN}" \
- --key-file "${DIR_CERT_INSTALL}/${DOMAIN}.key" \
- --fullchain-file "${DIR_CERT_INSTALL}/${DOMAIN}.crt" \
- --reloadcmd "${RELOAD_CMD}"
-
- echo "Certificate successfully applied for domain: ${DOMAIN}"
- done
+ echo "Issuing certificate via HTTP-01 for $d"
+ "$ACME_SH_PATH/acme.sh" --issue --force \
+ --webroot "$DIR_WEB_ROOT" \
+ -d "$d" \
+ --server letsencrypt
+
+ echo "Installing certificate for $d"
+ "$ACME_SH_PATH/acme.sh" --install-cert -d "$d" \
+ --key-file "$DIR_CERT_INSTALL/$d.key" \
+ --fullchain-file "$DIR_CERT_INSTALL/$d.crt" \
+ --reloadcmd "$RELOAD_CMD"
+ done
 }
-# Call the function with parameters
-issue_certificates_acme_sh "$1" "$2"
+##########################
+# DNS-01 certificate issuance (single certificate for multiple domains)
+# Parameters: email, domains, provider
+##########################
+issue_cert_dns01() {
+ local email=$1
+ local domains=$2
+ local provider=$3
+
+ if [[ -z "$provider" ]]; then
+ echo "DNS provider is required for DNS-01 method"
+ exit 2
+ fi
+
+ mkdir -pv "$DIR_CERT_INSTALL"
+
+ # Split domains into array and build -d arguments
+ local D_ARGS=""
+ for d in $domains; do
+ D_ARGS="$D_ARGS -d $d"
+ done
+
+ # Issue certificate once for all domains
+ echo "Issuing certificate via DNS-01 for domains: $domains using 
provider $provider"
+ "$ACME_SH_PATH/acme.sh" --issue --force \
+ --dns "$provider" $D_ARGS \
+ --server letsencrypt
+
+ # Install certificate once (all domains together)
+ local FIRST_DOMAIN=$(echo $domains | awk '{print $1}')
+ "$ACME_SH_PATH/acme.sh" --install-cert -d $FIRST_DOMAIN \
+ --key-file "$DIR_CERT_INSTALL/${FIRST_DOMAIN}_multi.key" \
+ --fullchain-file "$DIR_CERT_INSTALL/${FIRST_DOMAIN}_multi.crt" \
+ --reloadcmd "$RELOAD_CMD"
+
+ echo "Certificate installed for all domains in one file: ${FIRST_DOMAIN}_multi.crt"
+}
+
+##########################
+# Auto-detect method based on domain wildcard
+# Parameters: email, domains, provider
+##########################
+auto_issue_cert() {
+ local email=$1
+ local domains=$2
+ local provider=$3
+ local use_dns01=false
+
+ for d in $domains; do
+ if [[ $d == *"*"* ]]; then
+ use_dns01=true
+ break
+ fi
+ done
+
+ if $use_dns01; then
+ echo "Wildcard domain detected, using DNS-01 method"
+ issue_cert_dns01 "$email" "$domains" "$provider"
+ else
+ echo "No wildcard detected, using HTTP-01 method"
+ issue_cert_http01 "$email" "$domains"
+ fi
+}
+
+##########################
+# Main
+# Usage:
+# ./script-acme-sh.sh "admin@example.com" "example.com www.example.com" [dns_provider_for_dns01]
+##########################
+EMAIL=${1:-$DEFAULT_ACME_EMAIL}
+DOMAINS=$2
+DNS_PROVIDER=$3
+
+if [[ -z "$DOMAINS" ]]; then
+ echo "Please specify domain names separated by space"
+ exit 1
+fi
+
+auto_issue_cert "$EMAIL" "$DOMAINS" "$DNS_PROVIDER"
From 9a14bf82cd75aa2f4dba7ea8fe4304fac6cecfde Mon Sep 17 00:00:00 2001
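Review bot: The `email` argument is threaded through issue_cert_http01, issue_cert_dns01 and auto_issue_cert, defaulted to `admin@example.com` in the main block, and then never handed to acme.sh, so the account contact is silently dropped and a placeholder default would be the only value ever supplied; either pass it on the issue calls, `--accountemail "$email" \`, and make the default opt-in rather than a fixed example address, or remove the parameter and the usage line that documents it. Both `--issue --force` invocations re-issue on every run even when a valid certificate already exists, which, if the script is run repeatedly or from a scheduler, consumes the CA's duplicate-certificate rate limit; dropping `--force` lets acme.sh skip certificates that are not yet due for renewal. In issue_cert_dns01 the `-d` list is assembled as the string `D_ARGS` and expanded unquoted; an array, `local -a d_args=()` then `d_args+=(-d "$d")` and `"${d_args[@]}"` on the issue call, avoids the word-splitting ShellCheck flags, and `local FIRST_DOMAIN=$(...)` masks the pipeline's exit status under `set -e`, so declare and assign separately. All three functions and the main block are fully contained in this hunk.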
From: Peter Howe
Date: Thu, 5 Feb 2026 22:36:14 +0800
Subject: [PATCH 5/6] update acme.sh for mutli cert
---
 docker_casdoor/Dockerfile | 2 +-
 docker_keycloak/Dockerfile | 8 ++++----
 docker_openresty/Dockerfile | 6 +++---
 .../work/nginx/conf.d/include/map.conf | 7 -------
 docker_openresty/work/nginx/nginx.conf | 15 +++++++++++++--
 docker_openresty/work/script-acme-sh.sh | 8 ++++----
 6 files changed, 25 insertions(+), 21 deletions(-)
 delete mode 100644 docker_openresty/work/nginx/conf.d/include/map.conf
diff --git a/docker_casdoor/Dockerfile b/docker_casdoor/Dockerfile
index 0c799e9..56fee60 100644
--- a/docker_casdoor/Dockerfile
+++ b/docker_casdoor/Dockerfile
@@ -23,7 +23,7 @@ RUN set -eux \
 && chmod +x /opt/casdoor/docker-entrypoint.sh && ls -alh /opt/casdoor
 LABEL maintainer="postmaster@labnow.ai"
-ENV RUNNING_IN_DOCKER true
+ENV RUNNING_IN_DOCKER=true
 WORKDIR /opt/casdoor
 EXPOSE 8000
 # ENTRYPOINT ["/bin/bash"]
diff --git a/docker_keycloak/Dockerfile b/docker_keycloak/Dockerfile
index feb022c..3930f82 100644
--- a/docker_keycloak/Dockerfile
+++ b/docker_keycloak/Dockerfile
@@ -14,10 +14,10 @@ RUN set -eux \
 && echo "keycloak:x:1000:0:keycloak user:/opt/keycloak:/sbin/nologin" >> /etc/passwd \
 && chown -R 1000:0 /opt/keycloak
-ENV KEYCLOAK_HOME /opt/keycloak
-ENV KC_RUN_IN_CONTAINER true
-ENV KC_HEALTH_ENABLED true
-ENV KC_METRICS_ENABLED true
+ENV KEYCLOAK_HOME=/opt/keycloak
+ENV KC_RUN_IN_CONTAINER=true
+ENV KC_HEALTH_ENABLED=true
+ENV KC_METRICS_ENABLED=true
 USER 1000
 EXPOSE 8080
diff --git a/docker_openresty/Dockerfile b/docker_openresty/Dockerfile
index 8afc55e..fed334a 100644
--- a/docker_openresty/Dockerfile
+++ b/docker_openresty/Dockerfile
@@ -6,9 +6,9 @@ FROM ${BASE_NAMESPACE:+$BASE_NAMESPACE/}${BASE_IMG}
 LABEL maintainer="postmaster@labnow.ai"
-ENV NGINX_ENVSUBST_OUTPUT_DIR /etc/nginx/conf.d
-ENV NGINX_ENVSUBST_TEMPLATE_DIR /etc/nginx/templates
-ENV NGINX_ENVSUBST_TEMPLATE_SUFFIX .template
+ENV NGINX_ENVSUBST_OUTPUT_DIR=/etc/nginx/conf.d
+ENV NGINX_ENVSUBST_TEMPLATE_DIR=/etc/nginx/templates
+ENV NGINX_ENVSUBST_TEMPLATE_SUFFIX=.template
 COPY work /opt/utils/
diff --git a/docker_openresty/work/nginx/conf.d/include/map.conf b/docker_openresty/work/nginx/conf.d/include/map.conf
deleted file mode 100644
index 1b85c17..0000000
--- a/docker_openresty/work/nginx/conf.d/include/map.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-# Default upstream scheme
-map $host $forward_scheme { default http; }
-map $scheme $hsts_header { https "max-age=63072000; preload"; }
-map $host $fmt_localtime { default ''; }
-log_by_lua_block {
- ngx.var.fmt_localtime = ngx.localtime();
-}
diff --git a/docker_openresty/work/nginx/nginx.conf b/docker_openresty/work/nginx/nginx.conf
index 699aa9d..0bf13c8 100644
--- a/docker_openresty/work/nginx/nginx.conf
+++ b/docker_openresty/work/nginx/nginx.conf
@@ -26,7 +26,14 @@ events {
 }
 http {
- include /etc/nginx/conf.d/include/map.conf;
+ # Default upstream scheme
+ map $host $forward_scheme { default http; }
+ map $scheme $hsts_header { https "max-age=63072000; preload"; }
+ map "" $fmt_localtime { default ''; }
+ log_by_lua_block {
+ ngx.var.fmt_localtime = ngx.localtime();
+ }
+
 include /etc/nginx/conf.d/include/log-standard.conf;
 include /etc/nginx/mime.types;
@@ -89,7 +96,11 @@ http {
 }
 stream {
- include /etc/nginx/conf.d/include/map.conf;
+ map "" $fmt_localtime { default ''; }
+ log_by_lua_block {
+ ngx.var.fmt_localtime = ngx.localtime();
+ }
+
 include /etc/nginx/conf.d/include/log-stream.conf;
 # http server files should generally be stored in stream-conf.d
 include /etc/nginx/stream-conf.d/*.conf;
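Review bot: The `map $scheme $hsts_header { https "max-age=63072000; preload"; }` line now inlined in the http block carries a `preload` directive without `includeSubDomains`, and the HSTS preload list only accepts headers that contain both together with a max-age of at least one year, so as written the `preload` token has no effect; either add it, `map $scheme $hsts_header { https "max-age=63072000; includeSubDomains; preload"; }`, if every subdomain is served over TLS, or drop `preload` so the header does not advertise an intent the value cannot satisfy. Where `$hsts_header` is actually emitted is outside this hunk, so whether it is added only on TLS listeners cannot be confirmed here. With map.conf deleted, the `$fmt_localtime` map and `log_by_lua_block` are now duplicated between the http block and the stream block in the second hunk; a one-line comment on the stream copy such as `# duplicated from the http block above; keep both in sync` would stop the next edit from changing only one of them.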
diff --git a/docker_openresty/work/script-acme-sh.sh b/docker_openresty/work/script-acme-sh.sh
index 28b5555..30fda25 100644
--- a/docker_openresty/work/script-acme-sh.sh
+++ b/docker_openresty/work/script-acme-sh.sh
@@ -50,7 +50,7 @@ issue_cert_http01() {
 ##########################
 # DNS-01 certificate issuance (single certificate for multiple domains)
-# Parameters: email, domains, provider
+# Parameters: email, domains, provider (e.g.: dns_cf, dns_dp)
 ##########################
 issue_cert_dns01() {
 local email=$1
@@ -79,11 +79,11 @@ issue_cert_dns01() {
 # Install certificate once (all domains together)
 local FIRST_DOMAIN=$(echo $domains | awk '{print $1}')
 "$ACME_SH_PATH/acme.sh" --install-cert -d $FIRST_DOMAIN \
- --key-file "$DIR_CERT_INSTALL/${FIRST_DOMAIN}_multi.key" \
- --fullchain-file "$DIR_CERT_INSTALL/${FIRST_DOMAIN}_multi.crt" \
+ --key-file "$DIR_CERT_INSTALL/_${FIRST_DOMAIN}.key" \
+ --fullchain-file "$DIR_CERT_INSTALL/_${FIRST_DOMAIN}.crt" \
 --reloadcmd "$RELOAD_CMD"
- echo "Certificate installed for all domains in one file: ${FIRST_DOMAIN}_multi.crt"
+ echo "Certificate installed for all domains in one file: _${FIRST_DOMAIN}.crt"
 }
 ##########################
From bd587d49be1581a5b9d24183221631491b23bb2f Mon Sep 17 00:00:00 2001
From: Peter Howe
Date: Thu, 5 Feb 2026 22:45:47 +0800
Subject: [PATCH 6/6] acme update
---
 docker_openresty/work/script-acme-sh.sh | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/docker_openresty/work/script-acme-sh.sh b/docker_openresty/work/script-acme-sh.sh
index 30fda25..bf2bdc1 100644
--- a/docker_openresty/work/script-acme-sh.sh
+++ b/docker_openresty/work/script-acme-sh.sh
@@ -4,11 +4,11 @@ set -ex
 ##########################
 # Top-level global variables
 ##########################
-ACME_SH_PATH="/opt/acme.sh"
-DIR_CERT_INSTALL="/etc/nginx/ssl"
-DIR_WEB_ROOT="/data/letsencrypt-acme-challenge"
-RELOAD_CMD="nginx -t && nginx -s reload"
-DEFAULT_ACME_EMAIL="admin@example.com"
+ACME_SH_PATH="${ACME_SH_PATH:-/opt/acme.sh}"
+DIR_CERT_INSTALL="${DIR_CERT_INSTALL:-/etc/nginx/ssl}"
+DIR_WEB_ROOT="${DIR_WEB_ROOT:-/data/letsencrypt-acme-challenge}"
+RELOAD_CMD="${RELOAD_CMD:-nginx -t && nginx -s reload}"
+DEFAULT_ACME_EMAIL="${DEFAULT_ACME_EMAIL:-admin@example.com}"
 ##########################
 # DNS provider environment variables template (https://github.com/acmesh-official/acme.sh/wiki/dnsapi)
@@ -79,11 +79,11 @@ issue_cert_dns01() {
 # Install certificate once (all domains together)
 local FIRST_DOMAIN=$(echo $domains | awk '{print $1}')
 "$ACME_SH_PATH/acme.sh" --install-cert -d $FIRST_DOMAIN \
- --key-file "$DIR_CERT_INSTALL/_${FIRST_DOMAIN}.key" \
- --fullchain-file "$DIR_CERT_INSTALL/_${FIRST_DOMAIN}.crt" \
+ --key-file "$DIR_CERT_INSTALL/_.${FIRST_DOMAIN}.key" \
+ --fullchain-file "$DIR_CERT_INSTALL/_.${FIRST_DOMAIN}.crt" \
 --reloadcmd "$RELOAD_CMD"
- echo "Certificate installed for all domains in one file: _${FIRST_DOMAIN}.crt"
+ echo "Certificate installed for all domains in one file: _.${FIRST_DOMAIN}.crt"
 }
 ##########################
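Review bot: `RELOAD_CMD` is now read from the environment, and the value is not only executed here but handed to acme.sh as `--reloadcmd`, which stores it in the per-domain config and runs it on every later renewal; that makes it a persisted command string rather than a one-shot setting, and the block should say so: `# RELOAD_CMD is persisted by acme.sh (--reloadcmd) and re-run on each renewal; set it only from trusted deployment config`. The same applies in weaker form to `ACME_SH_PATH`, which selects the binary that is executed, so the header comment `# Top-level global variables` could be extended to note that all five are overridable from the environment and which ones end up executed. `DEFAULT_ACME_EMAIL` is now overridable as well but the value still only reaches the `EMAIL` variable in the main block, outside this hunk.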
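Review bot: `_.${FIRST_DOMAIN}.key` and `.crt` are named from the first word of `domains`, and issue_cert_dns01 is the path auto_issue_cert selects precisely when one of the domains contains `*`, so a call ordered as `"*.example.com example.com"` yields files named `_.*.example.com.crt` with a literal asterisk in the path; either document the ordering expectation in the function header, `# the first domain names the output files: list the apex domain first, never the wildcard`, or normalise before building the path, `FIRST_DOMAIN=${FIRST_DOMAIN#\*.}`. The context line `local FIRST_DOMAIN=$(echo $domains | awk '{print $1}')` is unchanged by this commit, but `read -r FIRST_DOMAIN _ <<<"$domains"` would avoid both the unquoted expansion and the exit-status masking of `local` with a command substitution. The rest of issue_cert_dns01 lies outside the hunk.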