From 79223d93d2f2cc8d4a32dc519df3cbe6d3560682 Mon Sep 17 00:00:00 2001 From: nginx-bot <68849795+nginx-bot@users.noreply.github.com> Date: Mon, 9 Sep 2024 03:03:23 -0700 Subject: [PATCH 1/2] Docker image update ac1e3d05 (#6371) Update docker images ac1e3d05 Co-authored-by: Jakub Jarosz <99677300+jjngx@users.noreply.github.com> --- build/Dockerfile | 10 +++++----- tests/Dockerfile | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index 4e90fd369a..f07a3be4ee 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -17,11 +17,11 @@ FROM ghcr.io/nginxinc/dependencies/nginx-ubi-ppc64le:nginx-1.27.1@sha256:0bab61e FROM ghcr.io/nginxinc/alpine-fips:0.2.2-alpine3.17@sha256:0dcd9149b66a6b35c1253b7662c8ed7ef0e0172ceae893a82058c30668799bf2 AS alpine-fips-3.17 FROM ghcr.io/nginxinc/alpine-fips:0.2.2-alpine3.20@sha256:0ddcfb906a5dc931336db5ba6e0d09d5f77cc48c67e3781aba66a0a27dc14605 AS alpine-fips-3.20 FROM redhat/ubi9-minimal@sha256:f182b500ff167918ca1010595311cf162464f3aa1cab755383d38be61b4d30aa AS ubi-minimal -FROM golang:1.22-alpine@sha256:c02e4518720baaa7657c2b3845452778cf83cf828accf2b5c7afef31ccb8073a AS golang-builder +FROM golang:1.22-alpine@sha256:48eab5e3505d8c8b42a06fe5f1cf4c346c167cc6a89e772f31cb9e5c301dcf60 AS golang-builder ############################################# Base image for Alpine ############################################# -FROM nginx:1.27.1-alpine@sha256:c04c18adc2a407740a397c8407c011fc6c90026a9b65cceddef7ae5484360158 AS alpine +FROM nginx:1.27.1-alpine@sha256:a5127daff3d6f4606be3100a252419bfa84fd6ee5cd74d0feaca1a5068f97dcf AS alpine RUN --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \ apk add --no-cache libcap libstdc++ \ 
@@ -102,7 +102,7 @@ USER 101 ############################################# Base image for Alpine with NGINX Plus ############################################# -FROM alpine:3.20@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5 AS alpine-plus +FROM alpine:3.20@sha256:beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d AS alpine-plus ARG NGINX_PLUS_VERSION ARG PACKAGE_REPO @@ -135,7 +135,7 @@ RUN --mount=type=bind,from=alpine-fips-3.20,target=/tmp/fips/ \ ############################################# Base image for Alpine with NGINX Plus, App Protect WAF and FIPS ############################################# -FROM alpine:3.17@sha256:ef813b2faa3dd1a37f9ef6ca98347b72cd0f55e4ab29fb90946f1b853bf032d9 AS alpine-plus-nap-fips +FROM alpine:3.17@sha256:3451da08fc6ef554a100da3e2df5ac6d598c82f2a774d5f6ed465c3d80cd163a AS alpine-plus-nap-fips ARG NGINX_PLUS_VERSION ARG NGINX_AGENT ARG NGINX_PLUS_VERSION @@ -172,7 +172,7 @@ RUN --mount=type=bind,from=alpine-fips-3.17,target=/tmp/fips/ \ ############################################# Base image for Alpine with NGINX Plus, App Protect WAFv5 and FIPS ############################################# -FROM alpine:3.17@sha256:ef813b2faa3dd1a37f9ef6ca98347b72cd0f55e4ab29fb90946f1b853bf032d9 AS alpine-plus-nap-v5-fips +FROM alpine:3.17@sha256:3451da08fc6ef554a100da3e2df5ac6d598c82f2a774d5f6ed465c3d80cd163a AS alpine-plus-nap-v5-fips ARG NGINX_PLUS_VERSION ARG NGINX_AGENT ARG NGINX_PLUS_VERSION diff --git a/tests/Dockerfile b/tests/Dockerfile index bd38d0ed49..91772f1c69 100644 --- a/tests/Dockerfile +++ b/tests/Dockerfile 
@@ -5,7 +5,7 @@ FROM kindest/node:v1.31.0@sha256:53df588e04085fd41ae12de0c3fe4c72f7013bba32a20e7 # this is here so we can grab the latest version of skopeo and have dependabot keep it up to date FROM quay.io/skopeo/stable:v1.16.1 -FROM python:3.12@sha256:b7552a9f6cb77632e9ec6f714ed9846fb43bd32d17a7ad82bccac88f5e2cd333 +FROM python:3.12@sha256:11aa4b620c15f855f66f02a7f3c1cd9cf843cc10f3edbcf158e5ebcd98d1f549 RUN apt-get update \ && apt-get install -y curl git \ From 5a319da010055c5dde8b60123b9247aa28649b3f Mon Sep 17 00:00:00 2001 From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Mon, 9 Sep 2024 16:49:49 +0100 Subject: [PATCH 2/2] Listener directive refactor (#6377) --- internal/configs/version2/template_helper.go | 116 ++++++++++++------- 1 file changed, 77 insertions(+), 39 deletions(-) diff --git a/internal/configs/version2/template_helper.go b/internal/configs/version2/template_helper.go index b81ad28978..65b674f679 100644 --- a/internal/configs/version2/template_helper.go +++ b/internal/configs/version2/template_helper.go @@ -23,6 +23,15 @@ const ( ipv6 ) +type listen struct { + ipAddress string + port string + tls bool + proxyProtocol bool + udp bool + ipType ipType +} + const spacing = " " func headerListToCIMap(headers []Header) map[string]string { 
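Review bot: The new `listen` struct has no doc comment and nothing states how its fields combine, even though `buildListenDirective` later in this patch emits `ipAddress` verbatim, brackets it only when `ipType == ipv6`, and appends the `ssl`, `proxy_protocol` and `udp` flags independently of one another. Since nginx rejects `ssl` together with `udp` on a stream `listen` and the struct lets a caller set both, the contract is worth writing on the type rather than leaving it implicit: something like `// listen describes one nginx listen directive. ipAddress is emitted verbatim (bracketed for ipv6); tls, proxyProtocol and udp append the matching flags and are not cross-checked (nginx does not accept ssl with udp).`, plus a one-line comment per field. The unexported name `listen` also reads like a verb at call sites (`listen{...}`); `listenSpec` or `listenOpts` would be clearer, but that is cosmetic.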
@@ -69,16 +78,44 @@ func buildListenerDirectives(listenerType protocol, s Server, port string) strin var directives string if listenerType == http { - directives += buildListenDirective(s.HTTPIPv4, port, s.ProxyProtocol, ipv4) + directives += buildListenDirective(listen{ + ipAddress: s.HTTPIPv4, + port: port, + tls: false, + proxyProtocol: s.ProxyProtocol, + udp: false, + ipType: ipv4, + }) if !s.DisableIPV6 { directives += spacing - directives += buildListenDirective(s.HTTPIPv6, port, s.ProxyProtocol, ipv6) + directives += buildListenDirective(listen{ + ipAddress: s.HTTPIPv6, + port: port, + tls: false, + proxyProtocol: s.ProxyProtocol, + udp: false, + ipType: ipv6, + }) } } else { - directives += buildListenDirective(s.HTTPSIPv4, port, s.ProxyProtocol, ipv4) + directives += buildListenDirective(listen{ + ipAddress: s.HTTPSIPv4, + port: port, + tls: true, + proxyProtocol: s.ProxyProtocol, + udp: false, + ipType: ipv4, + }) if !s.DisableIPV6 { directives += spacing - directives += buildListenDirective(s.HTTPSIPv6, port, s.ProxyProtocol, ipv6) + directives += buildListenDirective(listen{ + ipAddress: s.HTTPSIPv6, + port: port, + tls: true, + proxyProtocol: s.ProxyProtocol, + udp: false, + ipType: ipv6, + }) } } 
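Review bot: The four `listen{...}` literals in `buildListenerDirectives` differ only in `ipAddress`, `tls` and `ipType` (and `udp: false` is just the zero value), so the protocol choice can be made once and both directives built from the selected values; that also keeps the HTTP and HTTPS pairs from drifting apart when another field is added. The rewrite below preserves the current semantics, where anything other than `http` takes the HTTPS branch — confirm against the `protocol` enum, which is outside this hunk, that those are the only two cases. The function's `return directives` and closing brace are below the hunk.
```go
	ip4, ip6, tls := s.HTTPSIPv4, s.HTTPSIPv6, true
	if listenerType == http {
		ip4, ip6, tls = s.HTTPIPv4, s.HTTPIPv6, false
	}
	directives += buildListenDirective(listen{ipAddress: ip4, port: port, tls: tls, proxyProtocol: s.ProxyProtocol, ipType: ipv4})
	if !s.DisableIPV6 {
		directives += spacing
		directives += buildListenDirective(listen{ipAddress: ip6, port: port, tls: tls, proxyProtocol: s.ProxyProtocol, ipType: ipv6})
	}
	// … unchanged: return directives …
```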
@@ -86,60 +123,47 @@ func buildListenerDirectives(listenerType protocol, s Server, port string) strin } func getDefaultPort(listenerType protocol) string { - if listenerType == http { - return "80" + s := Server{ + HTTPPort: 80, + HTTPSPort: 443, } - return "443 ssl" + + return getCustomPort(listenerType, s) } func getCustomPort(listenerType protocol, s Server) string { if listenerType == http { return strconv.Itoa(s.HTTPPort) } - return strconv.Itoa(s.HTTPSPort) + " ssl" + return strconv.Itoa(s.HTTPSPort) } -func buildListenDirective(ip string, port string, proxyProtocol bool, ipType ipType) string { +func buildListenDirective(l listen) string { base := "listen" var directive string - if ipType == ipv6 { - if ip != "" { - directive = fmt.Sprintf("%s [%s]:%s", base, ip, port) - } else { - directive = fmt.Sprintf("%s [::]:%s", base, port) - } - } else { - if ip != "" { - directive = fmt.Sprintf("%s %s:%s", base, ip, port) - } else { - directive = fmt.Sprintf("%s %s", base, port) + if l.ipType == ipv6 { + if l.ipAddress == "" { + l.ipAddress = "::" } + l.ipAddress = fmt.Sprintf("[%s]", l.ipAddress) } - if proxyProtocol { - directive += " proxy_protocol" - } - - directive += ";\n" - return directive -} - -func buildTransportListenDirective(ipType ipType, port string, ssl *StreamSSL, udp bool) string { - base := "listen" - var directive string - - if ipType == ipv6 { - directive = base + " [::]:" + port + if l.ipAddress != "" { + directive = fmt.Sprintf("%s %s:%s", base, l.ipAddress, l.port) } else { - directive = base + " " + port + directive = fmt.Sprintf("%s %s", base, l.port) } - if ssl.Enabled { + if l.tls { directive += " ssl" } - if udp { + if l.proxyProtocol { + directive += " proxy_protocol" + } + + if l.udp { directive += " udp" } 
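Review bot: `buildListenDirective` interpolates `l.ipAddress` straight into the directive via `fmt.Sprintf("%s %s:%s", base, l.ipAddress, l.port)` and, for `ipv6`, brackets whatever it is given, so a value that is not a bare IP literal (already bracketed, carrying a zone, or containing `;` or a newline) yields a malformed or injected `listen` line; the hunk performs no validation, and where `HTTPIPv4`/`HTTPIPv6` are checked upstream is not visible here. I'd state the precondition on the function, `// buildListenDirective renders one nginx listen directive; l.ipAddress must be empty or a validated bare IP literal (no brackets, no zone), since it is emitted verbatim.`, and if admission-time validation is not guaranteed, reject bad input locally with `if l.ipAddress != "" && net.ParseIP(l.ipAddress) == nil { … }`, which needs a decision on how to surface the error because the function returns only a string. Separately, `getCustomPort` no longer appends `" ssl"`; that is consistent with `tls: true` in the HTTPS branch of `buildListenerDirectives`, but any other caller of `getCustomPort`/`getDefaultPort` (for example a template function) would silently lose the flag, so check the remaining call sites outside this file. `buildListenDirective`'s trailer (the `;\n` append and `return directive`) lies below the hunk.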
@@ -159,11 +183,25 @@ func makeTransportListener(s StreamServer) string { var directives string port := strconv.Itoa(s.Port) - directives += buildTransportListenDirective(ipv4, port, s.SSL, s.UDP) + directives += buildListenDirective(listen{ + ipAddress: "", + port: port, + tls: s.SSL.Enabled, + proxyProtocol: false, + udp: s.UDP, + ipType: ipv4, + }) if !s.DisableIPV6 { directives += spacing - directives += buildTransportListenDirective(ipv6, port, s.SSL, s.UDP) + directives += buildListenDirective(listen{ + ipAddress: "", + port: port, + tls: s.SSL.Enabled, + proxyProtocol: false, + udp: s.UDP, + ipType: ipv6, + }) } return directives