fix: update NGINX Plus Dockerfile

Dockerfile.buildkit.plus

@@ -1,83 +1,105 @@
-FROM debian:bookworm-slim@sha256:f528891ab1aa484bf7233dbcc84f3c806c3e427571d75510a9d74bb5ec535b33
+ARG RELEASE=bookworm
+FROM debian:${RELEASE}-slim@sha256:f528891ab1aa484bf7233dbcc84f3c806c3e427571d75510a9d74bb5ec535b33
 
-ENV NGINX_PLUS_VERSION   30-2
-ENV NGINX_VERSION        1.25.1
-ENV NJS_VERSION          30+0.8.0-1
-ENV XSLT_VERSION         30-1
+# Persist RELEASE argument
+ARG RELEASE
 
-ENV PROXY_CACHE_MAX_SIZE "10g"
-ENV PROXY_CACHE_INACTIVE "60m"
-ENV PROXY_CACHE_SLICE_SIZE "1m"
-ENV PROXY_CACHE_VALID_OK "1h"
-ENV PROXY_CACHE_VALID_NOTFOUND "1m"
-ENV PROXY_CACHE_VALID_FORBIDDEN "30s"
-ENV CORS_ENABLED 0
-ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS ""
-ENV DIRECTORY_LISTING_PATH_PREFIX ""
-ENV STRIP_LEADING_DIRECTORY_PATH ""
-ENV PREFIX_LEADING_DIRECTORY_PATH ""
+# NJS env vars
+ENV NGINX_VERSION=32
+ENV NGINX_PKG_RELEASE=1~${RELEASE}
+ENV NJS_VERSION=0.8.4
+ENV NJS_PKG_RELEASE=1~${RELEASE}
 
-COPY plus/usr /usr
+# Proxy cache env vars
+ENV PROXY_CACHE_MAX_SIZE=10g
+ENV PROXY_CACHE_INACTIVE=60m
+ENV PROXY_CACHE_SLICE_SIZE=1m
+ENV PROXY_CACHE_VALID_OK=1h
+ENV PROXY_CACHE_VALID_NOTFOUND=1m
+ENV PROXY_CACHE_VALID_FORBIDDEN=30s
 
-# Copy files from the OSS NGINX Docker container such that the container
-# startup is the same.
-# Source: https://github.com/nginxinc/docker-nginx/tree/1.19.2/stable/buster
-COPY common/docker-entrypoint.sh /docker-entrypoint.sh
-COPY common/docker-entrypoint.d /docker-entrypoint.d/
-COPY plus/docker-entrypoint.d /docker-entrypoint.d/
-# Add NGINX Plus package repository keyring
-COPY plus/usr/share/keyrings/nginx-archive-keyring.gpg /usr/share/keyrings/nginx-archive-keyring.gpg
+# CORS env vars
+ENV CORS_ENABLED=0
+ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS=""
 
-RUN --mount=type=secret,id=nginx-crt --mount=type=secret,id=nginx-key \
-    set -eux \
-    export DEBIAN_FRONTEND=noninteractive; \
-    mkdir -p /etc/ssl/nginx; \
-    cp /run/secrets/nginx-crt /etc/ssl/nginx/nginx-repo.crt; \
-    chmod 0664 /etc/ssl/nginx/nginx-repo.crt; \
-    cp /run/secrets/nginx-key /etc/ssl/nginx/nginx-repo.key; \
-    chmod 0664 /etc/ssl/nginx/nginx-repo.key; \
-    # create nginx user/group first, to be consistent throughout docker variants
-    addgroup --system --gid 101 nginx; \
-    adduser --system --disabled-login --ingroup nginx --no-create-home --home /nonexistent --gecos "nginx user" --shell /bin/false --uid 101 nginx; \
-    apt-get -qq update; \
-    apt-get -qq upgrade --yes; \
-    apt-get -qq install --yes \
-      ca-certificates \
-      curl \
-      libedit2; \
-    sh -a /usr/local/bin/add_nginx_plus_repo.sh; \
-    rm /usr/local/bin/add_nginx_plus_repo.sh; \
-    apt-get -qq update; \
-    export DISTRO_VERSION="$(grep '^VERSION_CODENAME=' /etc/os-release | awk -v FS='=' '{print $2}')" && \
-    apt-get -qq install --no-install-recommends --no-install-suggests -y \
-        nginx-plus=${NGINX_PLUS_VERSION}~${DISTRO_VERSION} \
-        nginx-plus-module-njs=${NJS_VERSION}~${DISTRO_VERSION} \
-        nginx-plus-module-xslt=${XSLT_VERSION}~${DISTRO_VERSION} \
-        gettext-base; \
-    apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
-    rm -rf /etc/apt/sources.list.d/nginx-plus.list /var/lib/apt/lists/* /var/tmp/* /tmp/* /etc/ssl/nginx; \
-    # forward request and error logs to docker log collector
-    ln -sf /dev/stdout /var/log/nginx/access.log; \
-    ln -sf /dev/stderr /var/log/nginx/error.log; \
-    chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh
+# S3 proxy env vars
+ENV DIRECTORY_LISTING_PATH_PREFIX=""
+ENV STRIP_LEADING_DIRECTORY_PATH=""
+ENV PREFIX_LEADING_DIRECTORY_PATH=""
 
-ENTRYPOINT ["/docker-entrypoint.sh"]
+# We create an NGINX Plus image based on the official NGINX Plus Dockerfiles (https://gist.github.com/nginx-gists/36e97fc87efb5cf0039978c8e41a34b5) and modify it by:
+# 1. Explicitly installing the version of njs coded in the environment variable above.
+# 2. Adding configuration files needed for proxying private S3 buckets.
+# 3. Adding a directory for proxied objects to be stored.
+# 4. Adding the entrypoint scripts found in the base NGINX OSS Docker image with a modified version that explicitly sets resolvers.
+
+# Download your NGINX license certificate and key from the F5 customer portal (https://account.f5.com) and copy it to the build context
+RUN --mount=type=secret,id=nginx-crt,dst=nginx-repo.crt \
+    --mount=type=secret,id=nginx-key,dst=nginx-repo.key \
+    set -x \
+# Create nginx user/group first, to be consistent throughout Docker variants
+    && groupadd --system --gid 101 nginx \
+    && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
+    && apt-get update \
+    && apt-get install --no-install-recommends --no-install-suggests -y ca-certificates gnupg1 lsb-release \
+    && \
+    NGINX_GPGKEYS="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 8540A6F18833A80E9C1653A42FD21310B49F6B46 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3"; \
+    NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \
+    export GNUPGHOME="$(mktemp -d)"; \
+    found=''; \
+    for NGINX_GPGKEY in $NGINX_GPGKEYS; do \
+    for server in \
+        hkp://keyserver.ubuntu.com:80 \
+        pgp.mit.edu \
+    ; do \
+        echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
+        gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
+    done; \
+    test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
+    done; \
+    gpg1 --export "$NGINX_GPGKEYS" > "$NGINX_GPGKEY_PATH" ; \
+    rm -rf "$GNUPGHOME"; \
+    apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \
+# Install the latest release of NGINX Plus and/or NGINX Plus modules (written and maintained by F5)
+    && nginxPackages=" \
+        nginx-plus=${NGINX_VERSION}-${NGINX_PKG_RELEASE} \
+        nginx-plus-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_PKG_RELEASE} \
+        nginx-plus-module-xslt=${NGINX_VERSION}-${NGINX_PKG_RELEASE} \
+    " \
+    && echo "Acquire::https::pkgs.nginx.com::Verify-Peer \"true\";" > /etc/apt/apt.conf.d/90nginx \
+    && echo "Acquire::https::pkgs.nginx.com::Verify-Host \"true\";" >> /etc/apt/apt.conf.d/90nginx \
+    && echo "Acquire::https::pkgs.nginx.com::SslCert     \"/etc/ssl/nginx/nginx-repo.crt\";" >> /etc/apt/apt.conf.d/90nginx \
+    && echo "Acquire::https::pkgs.nginx.com::SslKey      \"/etc/ssl/nginx/nginx-repo.key\";" >> /etc/apt/apt.conf.d/90nginx \
+    && echo "deb [signed-by=$NGINX_GPGKEY_PATH] https://pkgs.nginx.com/plus/debian `lsb_release -cs` nginx-plus\n" > /etc/apt/sources.list.d/nginx-plus.list \
+    && mkdir -p /etc/ssl/nginx \
+    && cat nginx-repo.crt > /etc/ssl/nginx/nginx-repo.crt \
+    && cat nginx-repo.key > /etc/ssl/nginx/nginx-repo.key \
+    && apt-get update \
+    && apt-get install --no-install-recommends --no-install-suggests -y $nginxPackages curl gettext-base \
+    && apt-get remove --purge -y lsb-release \
+    && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx-plus.list \
+    && rm -rf /etc/apt/apt.conf.d/90nginx /etc/ssl/nginx \
+# Forward request logs to Docker log collector
+    && ln -sf /dev/stdout /var/log/nginx/access.log \
+    && ln -sf /dev/stderr /var/log/nginx/error.log
 
 EXPOSE 80
 
 STOPSIGNAL SIGTERM
 
 CMD ["nginx", "-g", "daemon off;"]
 
-# NGINX Docker image setup complete, everything below is specific for
-# the S3 Gateway use case.
-
+# Copy files from the OSS NGINX Docker container such that the container
+# startup is the same.
 COPY plus/etc/nginx /etc/nginx
 COPY common/etc /etc
-COPY common/docker-entrypoint.d/00-check-for-required-env.sh /docker-entrypoint.d/00-check-for-required-env.sh
+COPY common/docker-entrypoint.sh /docker-entrypoint.sh
+COPY common/docker-entrypoint.d /docker-entrypoint.d/
+COPY plus/docker-entrypoint.d /docker-entrypoint.d/
+
+RUN set -x \
+    && mkdir -p /var/cache/nginx/s3_proxy \
+    && chown nginx:nginx /var/cache/nginx/s3_proxy \
+    && chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh;
 
-RUN set -eux \
-    export DEBIAN_FRONTEND=noninteractive; \
-    mkdir -p /var/cache/nginx/s3_proxy; \
-    chown nginx:nginx /var/cache/nginx/s3_proxy; \
-    chmod -R +x /docker-entrypoint.d/*
+ENTRYPOINT ["/docker-entrypoint.sh"]

Dockerfile.oss

@@ -1,63 +1,46 @@
 FROM nginx:1.27.0@sha256:67682bda769fae1ccf5183192b8daf37b64cae99c6c3302650f6f8bf5f0f95df
 
 # NJS env vars
-ENV NJS_VERSION     0.8.4
-ENV NJS_RELEASE     2~bookworm
+ENV NJS_VERSION=0.8.4
+ENV NJS_RELEASE=2~bookworm
 
 # Proxy cache env vars
-ENV PROXY_CACHE_MAX_SIZE "10g"
-ENV PROXY_CACHE_INACTIVE "60m"
-ENV PROXY_CACHE_SLICE_SIZE "1m"
-ENV PROXY_CACHE_VALID_OK "1h"
-ENV PROXY_CACHE_VALID_NOTFOUND "1m"
-ENV PROXY_CACHE_VALID_FORBIDDEN "30s"
+ENV PROXY_CACHE_MAX_SIZE=10g
+ENV PROXY_CACHE_INACTIVE=60m
+ENV PROXY_CACHE_SLICE_SIZE=1m
+ENV PROXY_CACHE_VALID_OK=1h
+ENV PROXY_CACHE_VALID_NOTFOUND=1m
+ENV PROXY_CACHE_VALID_FORBIDDEN=30s
 
 # CORS env vars
-ENV CORS_ENABLED 0
-ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS ""
+ENV CORS_ENABLED=0
+ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS=""
 
 # S3 proxy env vars
-ENV DIRECTORY_LISTING_PATH_PREFIX ""
-ENV STRIP_LEADING_DIRECTORY_PATH ""
-ENV PREFIX_LEADING_DIRECTORY_PATH ""
-
-# We modify the nginx base image by:
-# 1. Explicitly install the version of njs coded in the environment variable above.
-# 2. Adding configuration files needed for proxying private S3 buckets
-# 3. Adding a directory for proxied objects to be stored
+ENV DIRECTORY_LISTING_PATH_PREFIX=""
+ENV STRIP_LEADING_DIRECTORY_PATH=""
+ENV PREFIX_LEADING_DIRECTORY_PATH=""
+
+# We modify the NGINX base image by:
+# 1. Explicitly installing the version of njs coded in the environment variable above.
+# 2. Adding configuration files needed for proxying private S3 buckets.
+# 3. Adding a directory for proxied objects to be stored.
 # 4. Replacing the entrypoint script with a modified version that explicitly sets resolvers.
 
 RUN set -x \
-    && apt-get update \
-    && apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \
-    && \
-    NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \
-    NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \
-    export GNUPGHOME="$(mktemp -d)"; \
-    found=''; \
-    for server in \
-        hkp://keyserver.ubuntu.com:80 \
-        pgp.mit.edu \
-    ; do \
-        echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
-        gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
-    done; \
-    test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
-    gpg1 --export "$NGINX_GPGKEY" > "$NGINX_GPGKEY_PATH" ; \
-    rm -rf "$GNUPGHOME"; \
-    apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/*; \
-    echo "deb [signed-by=/etc/apt/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian/ $(echo $PKG_RELEASE | cut -f2 -d~) nginx" >> /etc/apt/sources.list.d/nginx.list; \
+    && echo "deb [signed-by=/etc/apt/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian/ $(echo $PKG_RELEASE | cut -f2 -d~) nginx" >> /etc/apt/sources.list.d/nginx.list; \
     apt-get update \
     && apt-get install --no-install-recommends --no-install-suggests -y \
       libedit2 \
       nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_RELEASE} \
     && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list
 
-COPY common/etc /etc
 COPY oss/etc /etc
+COPY common/etc /etc
 COPY common/docker-entrypoint.sh /docker-entrypoint.sh
 COPY common/docker-entrypoint.d /docker-entrypoint.d/
 
-RUN mkdir -p /var/cache/nginx/s3_proxy \
+RUN set -x \
+    && mkdir -p /var/cache/nginx/s3_proxy \
     && chown nginx:nginx /var/cache/nginx/s3_proxy \
     && chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh;