🗃️ rootfs: shield internal entrypoint PID files from /run/*.pid sweeps 🗃️
Update the embedded entrypoint copies in rootfs/ to match the upstream template change. Internal state files renamed to dotfiles so they're not matched by `/run/*.pid` cleanup globs: - /run/init.d/entrypoint.pid -> /run/.entrypoint.pid - /run/no_exit.pid -> /run/.no_exit.pid - /run/backup.pid -> /run/.backup.pid - /run/__start_init_scripts.pid -> /run/.start_init_scripts.pid Per-service PIDs in /run/init.d/ are unchanged. .claude/ Dockerfile .env.scripts .gitattributes .gitea/workflows/docker.yaml .gitignore LICENSE.md rootfs/root/docker/setup/00-init.sh rootfs/root/docker/setup/01-system.sh rootfs/root/docker/setup/02-packages.sh rootfs/root/docker/setup/03-files.sh rootfs/root/docker/setup/04-users.sh rootfs/root/docker/setup/05-custom.sh rootfs/root/docker/setup/06-post.sh rootfs/root/docker/setup/07-cleanup.sh rootfs/tmp/etc/bind/named.conf rootfs/tmp/etc/nginx/fastcgi_params rootfs/tmp/etc/nginx/nginx.conf rootfs/usr/local/bin/entrypoint.sh rootfs/usr/local/bin/pkmgr rootfs/usr/local/etc/docker/functions/entrypoint.sh rootfs/usr/local/etc/docker/init.d/01-tor.sh rootfs/usr/local/etc/docker/init.d/02-named.sh rootfs/usr/local/etc/docker/init.d/03-nginx.sh rootfs/usr/local/etc/docker/init.d/04-php-fpm.sh rootfs/usr/local/share/template-files/config/env/default.sample rootfs/usr/local/share/template-files/config/env/examples/zz-entrypoint.sh
@@ -18,6 +18,115 @@ http {
|
||||
access_log /data/logs/nginx/nginx.access.log;
|
||||
map $http_upgrade $connection_upgrade { default upgrade; '' close; }
|
||||
|
||||
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
|
||||
# Reverse-proxy header normalization
|
||||
#
|
||||
# Derive the real request scheme / host / port / prefix from upstream
|
||||
# headers, falling back to the local request if the header is absent.
|
||||
# Supports headers set by apache, haproxy, nginx, caddy, traefik, aws
|
||||
# elb/alb, gcp lb, cloudflare, fastly, akamai, varnish, kubernetes
|
||||
# ingress, and any RFC 7239 compliant proxy.
|
||||
#
|
||||
# Available downstream as $real_scheme, $real_host, $real_port,
|
||||
# $real_https, $real_prefix - and passed to fastcgi/PHP via
|
||||
# REQUEST_SCHEME, HTTP_HOST, SERVER_PORT, HTTPS, X-Forwarded-Prefix.
|
||||
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
|
||||
|
||||
# X-Forwarded-Proto (or fall back to local scheme)
|
||||
map $http_x_forwarded_proto $real_scheme {
|
||||
default $http_x_forwarded_proto;
|
||||
"" $scheme;
|
||||
}
|
||||
# HTTPS flag for CGI/PHP, derived from real scheme
|
||||
map $real_scheme $real_https {
|
||||
https on;
|
||||
default "";
|
||||
}
|
||||
# X-Forwarded-Host / Forwarded host= (or fall back to Host)
|
||||
map $http_x_forwarded_host $real_host {
|
||||
default $http_x_forwarded_host;
|
||||
"" $http_host;
|
||||
}
|
||||
# X-Forwarded-Port (or fall back to server port)
|
||||
map $http_x_forwarded_port $real_port {
|
||||
default $http_x_forwarded_port;
|
||||
"" $server_port;
|
||||
}
|
||||
# X-Forwarded-Prefix / X-Script-Name (path-based routing); empty if absent
|
||||
map $http_x_forwarded_prefix $real_prefix {
|
||||
default $http_x_forwarded_prefix;
|
||||
"" "";
|
||||
}
|
||||
|
||||
# Don't let nginx emit absolute redirects with the internal scheme/host;
|
||||
# send relative redirects that the browser resolves against its real URL.
|
||||
absolute_redirect off;
|
||||
port_in_redirect off;
|
||||
server_name_in_redirect off;
|
||||
|
||||
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
|
||||
# Real client IP detection (apache, haproxy, nginx, caddy, traefik,
|
||||
# aws elb/alb, gcp lb, cloudflare, fastly, etc.)
|
||||
#
|
||||
# set_real_ip_from declares which upstream IPs are trusted; nginx then
|
||||
# walks X-Forwarded-For right-to-left, skipping any address inside a
|
||||
# trusted CIDR, until it finds the first untrusted address - that becomes
|
||||
# $remote_addr (also REMOTE_ADDR for fastcgi/PHP, and what shows up in
|
||||
# access logs and any allow/deny / rate-limit / geoip rules).
|
||||
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
|
||||
|
||||
# loopback
|
||||
set_real_ip_from 127.0.0.0/8;
|
||||
set_real_ip_from ::1/128;
|
||||
|
||||
# RFC1918 private networks (covers internal proxy/LB, docker bridges,
|
||||
# kubernetes pod/service networks, vpn ranges, etc.)
|
||||
set_real_ip_from 10.0.0.0/8;
|
||||
set_real_ip_from 172.16.0.0/12;
|
||||
set_real_ip_from 192.168.0.0/16;
|
||||
|
||||
# RFC6598 carrier-grade NAT (sometimes used by cloud LBs)
|
||||
set_real_ip_from 100.64.0.0/10;
|
||||
|
||||
# Link-local
|
||||
set_real_ip_from 169.254.0.0/16;
|
||||
set_real_ip_from fe80::/10;
|
||||
|
||||
# IPv6 unique-local
|
||||
set_real_ip_from fc00::/7;
|
||||
|
||||
# Cloudflare IPv4 (https://www.cloudflare.com/ips-v4)
|
||||
set_real_ip_from 173.245.48.0/20;
|
||||
set_real_ip_from 103.21.244.0/22;
|
||||
set_real_ip_from 103.22.200.0/22;
|
||||
set_real_ip_from 103.31.4.0/22;
|
||||
set_real_ip_from 141.101.64.0/18;
|
||||
set_real_ip_from 108.162.192.0/18;
|
||||
set_real_ip_from 190.93.240.0/20;
|
||||
set_real_ip_from 188.114.96.0/20;
|
||||
set_real_ip_from 197.234.240.0/22;
|
||||
set_real_ip_from 198.41.128.0/17;
|
||||
set_real_ip_from 162.158.0.0/15;
|
||||
set_real_ip_from 104.16.0.0/13;
|
||||
set_real_ip_from 104.24.0.0/14;
|
||||
set_real_ip_from 172.64.0.0/13;
|
||||
set_real_ip_from 131.0.72.0/22;
|
||||
|
||||
# Cloudflare IPv6 (https://www.cloudflare.com/ips-v6)
|
||||
set_real_ip_from 2400:cb00::/32;
|
||||
set_real_ip_from 2606:4700::/32;
|
||||
set_real_ip_from 2803:f800::/32;
|
||||
set_real_ip_from 2405:b500::/32;
|
||||
set_real_ip_from 2405:8100::/32;
|
||||
set_real_ip_from 2a06:98c0::/29;
|
||||
set_real_ip_from 2c0f:f248::/32;
|
||||
|
||||
# X-Forwarded-For is the de-facto standard set by all major proxies and
|
||||
# CDNs. If you sit ONLY behind Cloudflare and want their authoritative
|
||||
# header, change this to: real_ip_header CF-Connecting-IP;
|
||||
real_ip_header X-Forwarded-For;
|
||||
real_ip_recursive on;
|
||||
|
||||
server {
|
||||
listen REPLACE_SERVER_PORT;
|
||||
root REPLACE_SERVER_WWW_DIR;
|
||||
@@ -84,11 +193,23 @@ http {
|
||||
fastcgi_param REMOTE_ADDR $remote_addr;
|
||||
fastcgi_param REMOTE_PORT $remote_port;
|
||||
fastcgi_param SERVER_ADDR $server_addr;
|
||||
fastcgi_param SERVER_PORT $server_port;
|
||||
fastcgi_param SERVER_NAME $server_name;
|
||||
fastcgi_param HTTPS $https if_not_empty;
|
||||
# Use the proxy-resolved values so $_SERVER reflects the actual
|
||||
# client-facing request, not the internal proxy hop.
|
||||
fastcgi_param SERVER_PORT $real_port;
|
||||
fastcgi_param SERVER_NAME $real_host;
|
||||
fastcgi_param HTTP_HOST $real_host;
|
||||
fastcgi_param REQUEST_SCHEME $real_scheme;
|
||||
fastcgi_param HTTPS $real_https if_not_empty;
|
||||
fastcgi_param QUERY_STRING $query_string;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
# Pass the original forwarded headers through so apps that read
|
||||
# them directly (instead of REMOTE_ADDR/etc.) still work.
|
||||
fastcgi_param HTTP_X_FORWARDED_FOR $proxy_add_x_forwarded_for;
|
||||
fastcgi_param HTTP_X_FORWARDED_PROTO $real_scheme;
|
||||
fastcgi_param HTTP_X_FORWARDED_HOST $real_host;
|
||||
fastcgi_param HTTP_X_FORWARDED_PORT $real_port;
|
||||
fastcgi_param HTTP_X_FORWARDED_PREFIX $real_prefix;
|
||||
fastcgi_param HTTP_X_REAL_IP $remote_addr;
|
||||
fastcgi_pass 127.0.0.1:9000;
|
||||
}
|
||||
|
||||
|
||||
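Review bot: The `$real_scheme`/`$real_host`/`$real_port`/`$real_prefix` maps in the first hunk take `$http_x_forwarded_*` from any client unconditionally, whereas only X-Forwarded-For is gated by `set_real_ip_from`; since `$real_host` is then handed to PHP as SERVER_NAME and HTTP_HOST, a client that reaches this port without traversing the proxy can choose the Host the application sees (reset links, cache keys, absolute URLs). Gate the maps on the connecting peer the same way realip does — a `geo` block over `$realip_remote_addr` using the same trusted ranges, then key each map on that flag — as sketched below. The trusted list covering all of RFC1918/CGNAT/link-local also means the realip trust only holds if the container port is not reachable from those ranges except via the proxy; that is an inference from the config, not something the hunk states. In the second hunk, if the earlier `fastcgi_param SERVER_PORT $server_port;`, `SERVER_NAME $server_name;` and `HTTPS $https` lines survive as context rather than being removed (the rendering hides the marker), nginx sends both values and which one PHP keeps depends on the FPM side, so the old lines should be dropped explicitly.
```nginx
# constructed example: mirror the full set_real_ip_from list here
geo $realip_remote_addr $from_trusted_proxy {
    default     0;
    127.0.0.0/8 1;
    10.0.0.0/8  1;
    # … remaining trusted ranges …
}
# honor X-Forwarded-Host only when the peer is a trusted proxy
map "$from_trusted_proxy:$http_x_forwarded_host" $real_host {
    default           $http_host;
    "~^1:(?<fwd>.+)$" $fwd;
}
# … same pattern for $real_scheme, $real_port, $real_prefix …
```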