🗃️ rootfs: shield internal entrypoint PID files from /run/*.pid sweeps 🗃️
Update the embedded entrypoint copies in rootfs/ to match the upstream template change. Internal state files renamed to dotfiles so they're not matched by `/run/*.pid` cleanup globs: - /run/init.d/entrypoint.pid -> /run/.entrypoint.pid - /run/no_exit.pid -> /run/.no_exit.pid - /run/backup.pid -> /run/.backup.pid - /run/__start_init_scripts.pid -> /run/.start_init_scripts.pid Per-service PIDs in /run/init.d/ are unchanged. .claude/ Dockerfile .env.scripts .gitattributes .gitea/workflows/docker.yaml .gitignore LICENSE.md rootfs/root/docker/setup/00-init.sh rootfs/root/docker/setup/01-system.sh rootfs/root/docker/setup/02-packages.sh rootfs/root/docker/setup/03-files.sh rootfs/root/docker/setup/04-users.sh rootfs/root/docker/setup/05-custom.sh rootfs/root/docker/setup/06-post.sh rootfs/root/docker/setup/07-cleanup.sh rootfs/tmp/etc/bind/named.conf rootfs/tmp/etc/nginx/fastcgi_params rootfs/tmp/etc/nginx/nginx.conf rootfs/usr/local/bin/entrypoint.sh rootfs/usr/local/bin/pkmgr rootfs/usr/local/etc/docker/functions/entrypoint.sh rootfs/usr/local/etc/docker/init.d/01-tor.sh rootfs/usr/local/etc/docker/init.d/02-named.sh rootfs/usr/local/etc/docker/init.d/03-nginx.sh rootfs/usr/local/etc/docker/init.d/04-php-fpm.sh rootfs/usr/local/share/template-files/config/env/default.sample rootfs/usr/local/share/template-files/config/env/examples/zz-entrypoint.sh
@@ -1,5 +1,22 @@
|
||||
# default options - https://bind9.readthedocs.io/en/latest/chapter3.html
|
||||
#####################################################################
|
||||
# NOTE on client source IPs:
|
||||
#
|
||||
# If named's query log only shows the docker bridge gateway (e.g.
|
||||
# 172.17.0.1) as the client, that is a Docker NAT artifact - the default
|
||||
# userland docker-proxy rewrites the source IP of forwarded UDP/TCP.
|
||||
# To see real external client IPs, run the container with EITHER:
|
||||
#
|
||||
# docker run --network=host ... (skip port publishing)
|
||||
#
|
||||
# - or configure dockerd with userland-proxy disabled in
|
||||
# /etc/docker/daemon.json:
|
||||
# { "userland-proxy": false }
|
||||
# and restart docker. iptables DNAT then preserves source IPs.
|
||||
#
|
||||
# bind itself sees whatever the kernel hands it; it can't recover an IP
|
||||
# the proxy already discarded.
|
||||
#####################################################################
|
||||
# rndc keys
|
||||
key "dhcp-key" { algorithm hmac-sha512; secret "REPLACE_KEY_DHCP"; };
|
||||
key "rndc-key" { algorithm hmac-sha512; secret "REPLACE_KEY_RNDC"; };
|
||||
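Review bot: The new NOTE block (from `# If named's query log only shows the docker bridge gateway` onward) describes the docker-proxy source rewrite only as a logging artifact, but the same rewrite reaches every address-based decision in this file: `acl "forward"`, the `trusted` acl that gates `controls`, and `allow-query-cache` all see 172.17.0.1 for every client that arrives through a published port. If `trusted` (defined outside this hunk) admits the docker bridge or any RFC1918 range, it effectively admits every external client for as long as docker-proxy is in use. I would extend the comment with `# This also affects ACLs: with docker-proxy active every external client matches any acl that admits 172.17.0.1 / the bridge range, so source-address ACLs are only meaningful once userland-proxy is disabled.` It is also worth stating there that `--network=host` drops the container's network-namespace isolation entirely, so the daemon.json option is the preferable of the two fixes the comment offers.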
@@ -18,6 +35,12 @@ acl "forward" { 1.1.1.1; 8.8.8.8; 4.4.4.4; };
|
||||
controls { inet 127.0.0.1 allow { trusted; } keys { "rndc-key"; }; };
|
||||
#####################################################################
|
||||
options {
|
||||
directory "REPLACE_VAR_DIR";
|
||||
pid-file "REPLACE_RUN_DIR/named.pid";
|
||||
managed-keys-directory "REPLACE_ETC_DIR/keys";
|
||||
dump-file "REPLACE_DATA_DIR/stats/dump.txt";
|
||||
statistics-file "REPLACE_DATA_DIR/stats/stats.txt";
|
||||
memstatistics-file "REPLACE_DATA_DIR/stats/mem.txt";
|
||||
version "9";
|
||||
listen-on { any; };
|
||||
listen-on-v6 { any; };
|
||||
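Review bot: The relocated `pid-file "REPLACE_RUN_DIR/named.pid";` is undocumented with respect to the `/run/*.pid` sweep this commit is about: if REPLACE_RUN_DIR expands to /run, named.pid matches that glob, unlike the entrypoint state files that were just renamed to dotfiles. That is presumably intended (a stale named.pid should be cleared on restart), but the distinction now lives only in the commit message, so a one-line comment would help the next reader, e.g. `# named.pid deliberately stays un-dotted: it is a per-service PID that the /run/*.pid sweep is expected to clear - confirm`. Which six of these twelve lines are the additions is not marked on this page; the note applies wherever the pid-file line ends up.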
@@ -37,12 +60,7 @@ options {
|
||||
allow-query-cache { any; };
|
||||
auth-nxdomain no;
|
||||
dnssec-validation auto;
|
||||
directory "REPLACE_VAR_DIR";
|
||||
managed-keys-directory "REPLACE_ETC_DIR/keys";
|
||||
pid-file "REPLACE_RUN_DIR/named.pid";
|
||||
dump-file "REPLACE_DATA_DIR/stats/dump.txt";
|
||||
statistics-file "REPLACE_DATA_DIR/stats/stats.txt";
|
||||
memstatistics-file "REPLACE_DATA_DIR/stats/mem.txt";
|
||||
validate-except { "onion"; "exit"; };
|
||||
forwarders { 1.1.1.1; 8.8.8.8; 4.4.4.4; };
|
||||
};
|
||||
#####################################################################
|
||||
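Review bot: If `validate-except { "onion"; "exit"; };` is the single line added here (the hunk counts admit exactly one addition and six removals, and the six relocated path directives account for the removals), it carries no comment linking it to the `exit`/`onion` forward zones added further down this file. Under `dnssec-validation auto;` the signed root's denial of those labels would otherwise make the unsigned answers coming back from the Tor forwarder fail validation, so the two changes only work together; a comment such as `# required by the tor forward zones below: onion/exit are not in the signed root, so validation must be skipped for them` keeps a future cleanup from dropping one without the other. The trade-off (no DNSSEC for anything under these two labels) is acceptable but should be stated explicitly rather than inferred.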
@@ -86,6 +104,11 @@ zone "." {
|
||||
# ********** end root info **********
|
||||
#####################################################################
|
||||
# ********** begin tor forwarding **********
|
||||
zone "exit" {
|
||||
type forward;
|
||||
forward only;
|
||||
forwarders { 127.0.0.1 port 9053; };
|
||||
};
|
||||
zone "onion" {
|
||||
type forward;
|
||||
forward only;
|
||||
|
||||
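Review bot: The new `zone "exit"` and `zone "onion"` blocks hard-code `127.0.0.1 port 9053` with `forward only;`, but nothing records that this is presumably the Tor DNSPort brought up by `rootfs/usr/local/etc/docker/init.d/01-tor.sh` in this same commit; with `forward only;` named answers SERVFAIL for these names when tor is down instead of leaking them to the public forwarders, which is the right failure mode and deserves a comment, e.g. `# 127.0.0.1:9053 is the tor DNSPort (init.d/01-tor.sh); forward only => SERVFAIL, never upstream, when tor is not running`. Answering `.onion` queries at all departs from RFC 7686, which asks resolvers that are not Tor-aware to return NXDOMAIN; that is intended here but should be said. The `zone "onion"` block continues past the end of the hunk.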
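--- a/rootfs/tmp/etc/nginx/fastcgi_params
+++ b/rootfs/tmp/etc/nginx/fastcgi_params
@@ -1,26 +0,0 @@
-# nginx fastcgi_params
-fastcgi_param QUERY_STRING $query_string;
-fastcgi_param REQUEST_METHOD $request_method;
-fastcgi_param CONTENT_TYPE $content_type;
-fastcgi_param CONTENT_LENGTH $content_length;
-
-fastcgi_param SCRIPT_FILENAME $request_filename;
-fastcgi_param SCRIPT_NAME $fastcgi_script_name;
-fastcgi_param REQUEST_URI $request_uri;
-fastcgi_param DOCUMENT_URI $document_uri;
-fastcgi_param DOCUMENT_ROOT $document_root;
-fastcgi_param SERVER_PROTOCOL $server_protocol;
-
-fastcgi_param GATEWAY_INTERFACE CGI/1.1;
-fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
-
-fastcgi_param REMOTE_ADDR $remote_addr;
-fastcgi_param REMOTE_PORT $remote_port;
-fastcgi_param SERVER_ADDR $server_addr;
-fastcgi_param SERVER_PORT $server_port;
-fastcgi_param SERVER_NAME $server_name;
-
-fastcgi_param HTTPS $https if_not_empty;
-
-# PHP only, required if PHP was built with --enable-force-cgi-redirect
-fastcgi_param REDIRECT_STATUS 200;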
@@ -18,6 +18,115 @@ http {
|
||||
access_log /data/logs/nginx/nginx.access.log;
|
||||
map $http_upgrade $connection_upgrade { default upgrade; '' close; }
|
||||
|
||||
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
|
||||
# Reverse-proxy header normalization
|
||||
#
|
||||
# Derive the real request scheme / host / port / prefix from upstream
|
||||
# headers, falling back to the local request if the header is absent.
|
||||
# Supports headers set by apache, haproxy, nginx, caddy, traefik, aws
|
||||
# elb/alb, gcp lb, cloudflare, fastly, akamai, varnish, kubernetes
|
||||
# ingress, and any RFC 7239 compliant proxy.
|
||||
#
|
||||
# Available downstream as $real_scheme, $real_host, $real_port,
|
||||
# $real_https, $real_prefix - and passed to fastcgi/PHP via
|
||||
# REQUEST_SCHEME, HTTP_HOST, SERVER_PORT, HTTPS, X-Forwarded-Prefix.
|
||||
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
|
||||
|
||||
# X-Forwarded-Proto (or fall back to local scheme)
|
||||
map $http_x_forwarded_proto $real_scheme {
|
||||
default $http_x_forwarded_proto;
|
||||
"" $scheme;
|
||||
}
|
||||
# HTTPS flag for CGI/PHP, derived from real scheme
|
||||
map $real_scheme $real_https {
|
||||
https on;
|
||||
default "";
|
||||
}
|
||||
# X-Forwarded-Host / Forwarded host= (or fall back to Host)
|
||||
map $http_x_forwarded_host $real_host {
|
||||
default $http_x_forwarded_host;
|
||||
"" $http_host;
|
||||
}
|
||||
# X-Forwarded-Port (or fall back to server port)
|
||||
map $http_x_forwarded_port $real_port {
|
||||
default $http_x_forwarded_port;
|
||||
"" $server_port;
|
||||
}
|
||||
# X-Forwarded-Prefix / X-Script-Name (path-based routing); empty if absent
|
||||
map $http_x_forwarded_prefix $real_prefix {
|
||||
default $http_x_forwarded_prefix;
|
||||
"" "";
|
||||
}
|
||||
|
||||
# Don't let nginx emit absolute redirects with the internal scheme/host;
|
||||
# send relative redirects that the browser resolves against its real URL.
|
||||
absolute_redirect off;
|
||||
port_in_redirect off;
|
||||
server_name_in_redirect off;
|
||||
|
||||
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
|
||||
# Real client IP detection (apache, haproxy, nginx, caddy, traefik,
|
||||
# aws elb/alb, gcp lb, cloudflare, fastly, etc.)
|
||||
#
|
||||
# set_real_ip_from declares which upstream IPs are trusted; nginx then
|
||||
# walks X-Forwarded-For right-to-left, skipping any address inside a
|
||||
# trusted CIDR, until it finds the first untrusted address - that becomes
|
||||
# $remote_addr (also REMOTE_ADDR for fastcgi/PHP, and what shows up in
|
||||
# access logs and any allow/deny / rate-limit / geoip rules).
|
||||
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
|
||||
|
||||
# loopback
|
||||
set_real_ip_from 127.0.0.0/8;
|
||||
set_real_ip_from ::1/128;
|
||||
|
||||
# RFC1918 private networks (covers internal proxy/LB, docker bridges,
|
||||
# kubernetes pod/service networks, vpn ranges, etc.)
|
||||
set_real_ip_from 10.0.0.0/8;
|
||||
set_real_ip_from 172.16.0.0/12;
|
||||
set_real_ip_from 192.168.0.0/16;
|
||||
|
||||
# RFC6598 carrier-grade NAT (sometimes used by cloud LBs)
|
||||
set_real_ip_from 100.64.0.0/10;
|
||||
|
||||
# Link-local
|
||||
set_real_ip_from 169.254.0.0/16;
|
||||
set_real_ip_from fe80::/10;
|
||||
|
||||
# IPv6 unique-local
|
||||
set_real_ip_from fc00::/7;
|
||||
|
||||
# Cloudflare IPv4 (https://www.cloudflare.com/ips-v4)
|
||||
set_real_ip_from 173.245.48.0/20;
|
||||
set_real_ip_from 103.21.244.0/22;
|
||||
set_real_ip_from 103.22.200.0/22;
|
||||
set_real_ip_from 103.31.4.0/22;
|
||||
set_real_ip_from 141.101.64.0/18;
|
||||
set_real_ip_from 108.162.192.0/18;
|
||||
set_real_ip_from 190.93.240.0/20;
|
||||
set_real_ip_from 188.114.96.0/20;
|
||||
set_real_ip_from 197.234.240.0/22;
|
||||
set_real_ip_from 198.41.128.0/17;
|
||||
set_real_ip_from 162.158.0.0/15;
|
||||
set_real_ip_from 104.16.0.0/13;
|
||||
set_real_ip_from 104.24.0.0/14;
|
||||
set_real_ip_from 172.64.0.0/13;
|
||||
set_real_ip_from 131.0.72.0/22;
|
||||
|
||||
# Cloudflare IPv6 (https://www.cloudflare.com/ips-v6)
|
||||
set_real_ip_from 2400:cb00::/32;
|
||||
set_real_ip_from 2606:4700::/32;
|
||||
set_real_ip_from 2803:f800::/32;
|
||||
set_real_ip_from 2405:b500::/32;
|
||||
set_real_ip_from 2405:8100::/32;
|
||||
set_real_ip_from 2a06:98c0::/29;
|
||||
set_real_ip_from 2c0f:f248::/32;
|
||||
|
||||
# X-Forwarded-For is the de-facto standard set by all major proxies and
|
||||
# CDNs. If you sit ONLY behind Cloudflare and want their authoritative
|
||||
# header, change this to: real_ip_header CF-Connecting-IP;
|
||||
real_ip_header X-Forwarded-For;
|
||||
real_ip_recursive on;
|
||||
|
||||
server {
|
||||
listen REPLACE_SERVER_PORT;
|
||||
root REPLACE_SERVER_WWW_DIR;
|
||||
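Review bot: The `set_real_ip_from` list trusts 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 100.64.0.0/10, 169.254.0.0/16 and the IPv6 equivalents, and together with `real_ip_header X-Forwarded-For;` / `real_ip_recursive on;` that makes `$remote_addr` client-controlled in the very deployment this repository targets: the named.conf comment in this same commit notes that published ports arrive via docker-proxy with a source address of 172.17.0.1, which sits inside the trusted 172.16.0.0/12, so any external client can send an `X-Forwarded-For` value of its choosing and that value becomes REMOTE_ADDR, the access-log address and whatever allow/deny or rate-limit rules see. The same applies to the `$real_scheme`/`$real_host`/`$real_port`/`$real_prefix` maps, which honor X-Forwarded-Proto/Host/Port/Prefix from any client with no trust check at all, so the HTTP_HOST and SERVER_NAME handed to PHP in the later hunk are requester-controlled. I would keep only the loopback entries on by default and make the RFC1918/CGNAT/link-local/Cloudflare ranges an explicit opt-in for deployments that actually sit behind such a proxy, with a comment `# trust only the proxies actually in front of this container; a trusted range that includes the docker bridge lets every client forge X-Forwarded-*`, and document that the edge proxy must overwrite, not append to, the X-Forwarded-Proto/Host/Port/Prefix headers. Advertising in the comment that the private ranges "cover docker bridges" points in exactly the wrong direction here.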
@@ -84,11 +193,23 @@ http {
|
||||
fastcgi_param REMOTE_ADDR $remote_addr;
|
||||
fastcgi_param REMOTE_PORT $remote_port;
|
||||
fastcgi_param SERVER_ADDR $server_addr;
|
||||
fastcgi_param SERVER_PORT $server_port;
|
||||
fastcgi_param SERVER_NAME $server_name;
|
||||
fastcgi_param HTTPS $https if_not_empty;
|
||||
# Use the proxy-resolved values so $_SERVER reflects the actual
|
||||
# client-facing request, not the internal proxy hop.
|
||||
fastcgi_param SERVER_PORT $real_port;
|
||||
fastcgi_param SERVER_NAME $real_host;
|
||||
fastcgi_param HTTP_HOST $real_host;
|
||||
fastcgi_param REQUEST_SCHEME $real_scheme;
|
||||
fastcgi_param HTTPS $real_https if_not_empty;
|
||||
fastcgi_param QUERY_STRING $query_string;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
# Pass the original forwarded headers through so apps that read
|
||||
# them directly (instead of REMOTE_ADDR/etc.) still work.
|
||||
fastcgi_param HTTP_X_FORWARDED_FOR $proxy_add_x_forwarded_for;
|
||||
fastcgi_param HTTP_X_FORWARDED_PROTO $real_scheme;
|
||||
fastcgi_param HTTP_X_FORWARDED_HOST $real_host;
|
||||
fastcgi_param HTTP_X_FORWARDED_PORT $real_port;
|
||||
fastcgi_param HTTP_X_FORWARDED_PREFIX $real_prefix;
|
||||
fastcgi_param HTTP_X_REAL_IP $remote_addr;
|
||||
fastcgi_pass 127.0.0.1:9000;
|
||||
}
|
||||
|
||||
|
||||
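Review bot: At least one of the original `fastcgi_param SERVER_PORT $server_port;` / `SERVER_NAME $server_name;` / `HTTPS $https if_not_empty;` lines survives next to its new `$real_port` / `$real_host` / `$real_https` counterpart (the hunk counts show only two removals against three such pairs), so the same FastCGI key is now sent twice and which value PHP ends up with depends on the FastCGI server's handling of duplicate keys rather than on this file. Drop the `$server_*`/`$https` variants outright so each key has exactly one definition. `fastcgi_param HTTP_X_FORWARDED_FOR $proxy_add_x_forwarded_for;` also appends the realip-resolved `$remote_addr` to the client's original header, which after recursive realip resolution usually repeats an address already present in it; if the intent is to pass the header through untouched, `$http_x_forwarded_for` is the value, and the comment above it should say which is meant.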