diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
new file mode 100644
index 0000000..581f665
--- /dev/null
+++ b/.github/workflows/build.yaml
@@ -0,0 +1,196 @@ +name: Build and Push Docker Image + +on: + push: + branches: + - master + - main + tags: + - '*.*.*.*-*' # Format: 1.27.1.2-0 + pull_request: + branches: + - master + - main + workflow_dispatch: + +env: + DOCKER_IMAGE: intimatemerger/openresty + +jobs: + build: + name: Build ${{ matrix.platform }} + if: github.event_name != 'pull_request' + runs-on: ${{ matrix.runner }} + permissions: + contents: read + + strategy: + fail-fast: true + matrix: + include: + - platform: linux/amd64 + runner: ubuntu-latest + arch: amd64 + - platform: linux/arm64 + runner: ubuntu-latest-arm + arch: arm64 + + steps: + - name: Checkout code + uses: actions/checkout@v6 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Log in to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ vars.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN_READ_WRITE }} + + - name: Build and push by digest + id: build + uses: docker/build-push-action@v6 + with: + context: . 
+ platforms: ${{ matrix.platform }} + outputs: type=image,name=${{ env.DOCKER_IMAGE }},push-by-digest=true,name-canonical=true,push=true + sbom: true + provenance: false + cache-from: type=gha,scope=${{ matrix.arch }} + cache-to: type=gha,mode=max,scope=${{ matrix.arch }} + + - name: Export digest + run: | + mkdir -p /tmp/digests + digest="${{ steps.build.outputs.digest }}" + touch "/tmp/digests/${digest#sha256:}" + + - name: Upload digest + uses: actions/upload-artifact@v6 + with: + name: digests-${{ matrix.arch }} + path: /tmp/digests/* + if-no-files-found: error + retention-days: 1 + + merge: + name: Create manifest list + needs: build + runs-on: ubuntu-latest + permissions: + contents: read + + steps: + - name: Download digests + uses: actions/download-artifact@v7 + with: + path: /tmp/digests + pattern: digests-* + merge-multiple: true + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Log in to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ vars.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN_READ_WRITE }} + + - name: Extract version from tag + id: version + if: startsWith(github.ref, 'refs/tags/') + run: | + TAG=${GITHUB_REF#refs/tags/} + echo "Original tag: $TAG" + + # Extract version parts from tag format: 1.27.1.2-0 + if [[ $TAG =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)-[0-9]+$ ]]; then + MAJOR=${BASH_REMATCH[1]} + MINOR=${BASH_REMATCH[2]} + PATCH=${BASH_REMATCH[3]} + + # Docker tags: MAJOR.MINOR.PATCH and MAJOR.MINOR + PATCH_VERSION="${MAJOR}.${MINOR}.${PATCH}" # e.g., 1.27.1 + MINOR_VERSION="${MAJOR}.${MINOR}" # e.g., 1.27 + + echo "patch_version=$PATCH_VERSION" >> $GITHUB_OUTPUT + echo "minor_version=$MINOR_VERSION" >> $GITHUB_OUTPUT + + echo "Generated Docker tags: $PATCH_VERSION, $MINOR_VERSION" + else + echo "Tag format does not match expected pattern (X.X.X.X-X)" + fi + + - name: Docker meta + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.DOCKER_IMAGE }} 
+ tags: | + type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'master') || github.ref == format('refs/heads/{0}', 'main') }} + type=raw,value=${{ steps.version.outputs.patch_version }},enable=${{ startsWith(github.ref, 'refs/tags/') && steps.version.outputs.patch_version != '' }} + type=raw,value=${{ steps.version.outputs.minor_version }},enable=${{ startsWith(github.ref, 'refs/tags/') && steps.version.outputs.minor_version != '' }} + + - name: Create manifest list and push + working-directory: /tmp/digests + run: | + set -euo pipefail + + # metadata-action からタグを取得 + TAGS=$(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") + + if [ -z "${TAGS}" ]; then + echo "No tags to create" + exit 1 + fi + + echo "Creating manifest list with tags: ${TAGS}" + echo "From digests:" + ls -la + + docker buildx imagetools create ${TAGS} \ + $(printf '${{ env.DOCKER_IMAGE }}@sha256:%s ' *) + + echo "Successfully created and pushed manifest lists" + + - name: Inspect manifest + if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/main' + run: | + docker buildx imagetools inspect ${{ env.DOCKER_IMAGE }}:${{ steps.meta.outputs.version }} + + - name: Docker Scout CVE scan + if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/main' + uses: docker/scout-action@v1 + continue-on-error: true + with: + command: cves + image: ${{ env.DOCKER_IMAGE }}:${{ steps.meta.outputs.version }} + only-severities: critical,high + exit-code: false + + security-scan: + runs-on: ubuntu-latest + if: github.event_name == 'pull_request' + permissions: + contents: read + security-events: write + + steps: + - name: Checkout code + uses: actions/checkout@v6 + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + scan-type: 'config' + scan-ref: '.' 
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+
+ - name: Upload Trivy results to GitHub Security
+ uses: github/codeql-action/upload-sarif@v4
+ if: always()
+ with:
+ sarif_file: 'trivy-results.sarif'
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000..d074a91
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,4 @@
+# non-root user
+AVD-DS-0002
+# no health check
+AVD-DS-0026
diff --git a/CLAUDE.md b/CLAUDE.md
new file mode 100644
index 0000000..16aecd6
--- /dev/null
+++ b/CLAUDE.md
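Review bot: `aquasecurity/trivy-action@master` in the security-scan job tracks a mutable branch, so the code running with `security-events: write` is whatever that branch holds at run time; pin it to a release tag or, better, a full commit SHA, as every other action here is at least major-version pinned (`uses: aquasecurity/trivy-action@v0.x` or `@<40-char sha>`). The image-level CVE check is advisory only: Docker Scout runs after the manifest list has already been pushed, with `continue-on-error: true` and `exit-code: false`, and its `if:` restricts it to `refs/heads/master|main`, so release images built from `refs/tags/*` are never scanned at all — consider scanning the per-arch digest in the build job before anything is tagged, or at least dropping the branch condition. Interpolating `${{ steps.meta.outputs.version }}` directly into `run:` lines in the Inspect and Scout steps is the usual script-injection shape; it should be harmless today because on master/main the only enabled tag is `latest`, but passing it through `env:` keeps those steps safe if more tag types are enabled later. CLAUDE.md in this same commit documents the credentials as `DOCKER_HUB_USERNAME`/`DOCKER_HUB_TOKEN` while the workflow reads `vars.DOCKERHUB_USERNAME` and `secrets.DOCKERHUB_ACCESS_TOKEN_READ_WRITE`; one of the two should be corrected so operators configure the right names.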
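Review bot: Suppressing AVD-DS-0002 (missing `USER`) is a policy decision that leaves the image running as root by default, and the file only names the finding rather than justifying it; replace the bare comment with the reason, e.g. `# AVD-DS-0002: nginx master binds :80 as root and drops to the worker user — revisit if a non-root base is adopted`, and give it an expiry with Trivy's `exp:YYYY-MM-DD` suffix if the version in use supports it so the exception is re-evaluated. The Dockerfile hunks in this commit add no `USER` directive and the nginx configuration is not shown, so I can't confirm worker processes actually drop privileges — worth verifying before accepting the suppression. AVD-DS-0026 (no `HEALTHCHECK`) is lower risk; a comment saying orchestrator-level probes are relied on instead would document the intent.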
@@ -0,0 +1,204 @@ +# CLAUDE.md + +This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository. + +## Project Overview + +This repository builds and publishes multi-platform Docker images for OpenResty (nginx + LuaJIT) with custom dependencies including OpenSSL 3.4.3 (FIPS-enabled), PCRE2 10.44, and the GeoIP2 module. + +**Docker Hub**: `intimatemerger/openresty` +**Platforms**: `linux/amd64`, `linux/arm64` + +## Build Commands + +### Local Development + +```bash +# Build for specific platform (recommended) +# Use linux/arm64 for Apple Silicon, linux/amd64 for Intel/x86_64 +docker build --platform=linux/arm64 -t dev-resty:local . + +# Build for current platform without specifying (not recommended) +docker build -t dev-resty:local . + +# Alternative: Use full repository name +docker build --platform=linux/arm64 -t intimatemerger/openresty:local . + +# Build for multiple platforms (requires buildx) +docker buildx build \ + --platform linux/amd64,linux/arm64 \ + -t dev-resty:local . + +# Test the built image +docker run -d -p 80:80 dev-resty:local +``` + +### Testing Configuration Changes + +```bash +# Run with custom nginx.conf +docker run -d -p 80:80 \ + -v $(pwd)/nginx.conf:/usr/local/openresty/nginx/conf/nginx.conf:ro \ + dev-resty:local +``` + +## Architecture + +### Multi-Stage Build Process + +The Dockerfile performs a complex multi-stage build in a single RUN command to minimize layer size: + +1. **Dependency Installation**: Installs Alpine build dependencies and runtime libraries +2. **OpenSSL Build**: Downloads, patches (for OpenResty compatibility), and compiles OpenSSL 3.4.3 with FIPS support +3. **PCRE2 Build**: Compiles PCRE2 10.44 with JIT support +4. **GeoIP2 Module**: Downloads ngx_http_geoip2_module +5. **OpenResty Build**: Compiles OpenResty with custom configure options linking to the built OpenSSL and PCRE2 +6. **Binary Stripping**: Removes debug symbols and unnecessary files to reduce image size +7. 
**Cleanup**: Removes build dependencies and temporary files + +### Key Build Arguments + +- `RESTY_VERSION`: OpenResty version (currently 1.27.1.2) +- `RESTY_OPENSSL_VERSION`: OpenSSL version (currently 3.4.3) +- `RESTY_PCRE_VERSION`: PCRE2 version (currently 10.44) +- `RESTY_GEOIP2_VERSION`: GeoIP2 module version (currently 3.4) + +### OpenResty Configuration + +The build enables the following nginx modules: +- HTTP/2 and HTTP/3 support (`--with-http_v2_module`, `--with-http_v3_module`) +- Dynamic image filter module (`--with-http_image_filter_module=dynamic`) +- Auth request, real IP, gzip static, SSL modules +- GeoIP2 for geographical location detection + +LuaJIT is configured with `LUAJIT_NUMMODE=2` (number mode) and Lua 5.2 compatibility. + +## CI/CD Pipeline + +### GitHub Actions Workflow + +The repository uses `.github/workflows/docker-build.yml` for automated builds with a multi-stage digest-based approach: + +**Triggers**: +- Push to `master`/`main` branch → Build & push to Docker Hub +- Tags matching `*.*.*.*-*` (e.g., `1.27.1.2-0`) → Build & push with version tags +- Pull requests → Security scan only (no build) +- Manual dispatch → Build & push + +**Generated Docker Tags**: +- `latest` - Latest build from main/master +- `1.27.1` - Three-part version (from git tag `1.27.1.2-0`) +- `1.27` - Two-part version + +**Required Secrets**: +- `DOCKER_HUB_USERNAME` - Docker Hub username +- `DOCKER_HUB_TOKEN` - Docker Hub access token with Read & Write permissions + +### Build Architecture + +The workflow uses a three-stage process for efficient multi-platform builds: + +1. **build** (matrix job): + - Runs on native runners: `ubuntu-latest` (amd64), `ubuntu-latest-arm` (arm64) + - Each platform builds independently in parallel + - Uses digest-based push (`push-by-digest=true`) for reliable multi-arch images + - Platform-specific cache scopes for optimal cache utilization + - Skipped for pull requests + +2. 
**merge**: + - Downloads all platform digests + - Creates manifest list using `docker buildx imagetools create` + - Pushes unified multi-platform image with appropriate tags + - Runs Docker Scout CVE scan on final image + +3. **security-scan** (PR only): + - Runs Trivy configuration scanner + - Uploads results to GitHub Security tab + - Provides fast feedback without building images + +### Security Features + +- **SBOM Generation**: Enabled (`sbom: true`) for all builds to track dependencies +- **Provenance**: Disabled (`provenance: false`) for maximum compatibility with cloud services (ECR, ACR, GCR) +- **Vulnerability Scanning**: + - Docker Scout (post-merge): Scans final multi-platform image for critical/high CVEs + - Trivy (PRs only): Scans Dockerfile and configuration, uploads to GitHub Security +- **Pull Request Isolation**: PRs run security scans only, no Docker builds or Docker Hub access + +### Build Optimization + +- **Native Runners**: No QEMU emulation—each platform builds on native architecture for maximum speed +- **Parallel Execution**: Matrix strategy runs amd64 and arm64 builds simultaneously +- **Platform-Specific Caching**: Each architecture maintains separate GitHub Actions cache (`scope=${{ matrix.arch }}`) +- **Digest-Based Merging**: Ensures atomic multi-platform manifest creation +- **Estimated Build Times**: + - First build (cold cache): 15-30 minutes per platform (parallel) + - Subsequent builds (warm cache): 5-10 minutes per platform + - Total wall time: Similar to slowest platform (due to parallelization) + +## Version Update Process + +When updating OpenResty or dependencies: + +1. Update version variables in `Dockerfile`: + - `RESTY_VERSION` - OpenResty version + - `RESTY_OPENSSL_VERSION` - OpenSSL version + - `RESTY_OPENSSL_PATCH_VERSION` - OpenSSL patch version for OpenResty compatibility + - `RESTY_PCRE_VERSION` and `RESTY_PCRE_SHA256` - PCRE2 version and checksum + - `RESTY_GEOIP2_VERSION` - GeoIP2 module version + +2. 
Update `README.md` if version tags change + +3. Create a feature branch (e.g., `feature-1.27.1.2`) and push + +4. After merge to master, tag with version number and revision: + ```bash + # Initial release: use -0 + git tag 1.27.1.2-0 + git push origin 1.27.1.2-0 + + # Rebuild with same OpenResty version (e.g., OpenSSL update): increment revision + git tag 1.27.1.2-1 + git push origin 1.27.1.2-1 + ``` + +### Tagging Strategy + +**Git Tags** (with revision number): +- Format: `1.27.1.2-0`, `1.27.1.2-1`, etc. +- Always include revision number for consistency +- Maintains complete build history + +**Docker Tags** (generated automatically): +- `1.27.1` - Three-part version (tracks latest patch within 1.27.1.x) +- `1.27` - Two-part version (tracks latest minor) +- `latest` - Latest build from master branch + +**Example**: Pushing git tag `1.27.1.2-0` generates Docker tags: +- `intimatemerger/openresty:1.27.1` +- `intimatemerger/openresty:1.27` +- `intimatemerger/openresty:latest` + +**Note**: Four-part version tags (e.g., `1.27.1.2`) are not published to Docker Hub. Users should use `1.27.1` to get the latest patch version within the 1.27.1.x series. + +## Testing + +```bash +# Verify the container starts +docker run --rm dev-resty:local -t + +# Check OpenResty version +docker run --rm dev-resty:local -v + +# Test HTTP access +docker run -it --rm -p 8080:80 --name dev-resty dev-resty:local +curl http://localhost:8080 +``` + +## Important Notes + +- The entire build happens in a single `RUN` command to minimize Docker layer size +- OpenSSL requires OpenResty-specific patches for session callback yielding support +- Binary stripping is performed when `RESTY_STRIP_BINARIES="1"` to reduce image size +- Logs are symlinked to stdout/stderr for Docker-native logging +- Uses `SIGQUIT` instead of `SIGTERM` for graceful shutdown diff --git a/Dockerfile b/Dockerfile index b724242..cdb61ac 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,20 +1,33 @@ -ARG RESTY_IMAGE_TAG="3.20" -FROM alpine:${RESTY_IMAGE_TAG} +ARG RESTY_BASE_IMAGE_TAG="3.22.3" +FROM alpine:${RESTY_BASE_IMAGE_TAG} +ARG RESTY_BASE_IMAGE_TAG # Docker Build Arguments -ARG RESTY_IMAGE_TAG -ARG RESTY_VERSION="1.21.4.4" -ARG RESTY_OPENSSL_VERSION="1.1.1w" -ARG RESTY_OPENSSL_PATCH_VERSION="1.1.1f" -ARG RESTY_PCRE_VERSION="8.45" -ARG RESTY_PCRE_SHA1="a19402ce56d770da1557cf331b109d33adb74062" -ARG RESTY_GEOIP2_VERSION="3.4" +ARG RESTY_VERSION="1.27.1.2" + +# https://github.com/openresty/openresty-packaging/blob/master/alpine/openresty-openssl3/APKBUILD +ARG RESTY_OPENSSL_VERSION="3.4.3" +ARG RESTY_OPENSSL_PATCH_VERSION="3.4.1" +ARG RESTY_OPENSSL_URL_BASE="https://github.com/openssl/openssl/releases/download/openssl-${RESTY_OPENSSL_VERSION}" +ARG RESTY_OPENSSL_BUILD_OPTIONS="enable-camellia enable-rfc3779 enable-ktls enable-fips \ + disable-md2 disable-rc5 disable-weak-ssl-ciphers disable-ssl3 disable-ssl3-method" + +# https://github.com/openresty/openresty-packaging/blob/master/alpine/openresty-pcre2/APKBUILD +ARG RESTY_PCRE_VERSION="10.44" +ARG RESTY_PCRE_SHA256="86b9cb0aa3bcb7994faa88018292bc704cdbb708e785f7c74352ff6ea7d3175b" +ARG RESTY_PCRE_BUILD_OPTIONS="--enable-jit --enable-pcre2grep-jit --disable-bsr-anycrlf --disable-coverage --disable-ebcdic --disable-fuzz-support \ + --disable-jit-sealloc --disable-never-backslash-C --enable-newline-is-lf --enable-pcre2-8 --enable-pcre2-16 --enable-pcre2-32 \ + --enable-pcre2grep-callout --enable-pcre2grep-callout-fork --disable-pcre2grep-libbz2 --disable-pcre2grep-libz --disable-pcre2test-libedit \ + --enable-percent-zt --disable-rebuild-chartables --enable-shared --disable-static --disable-silent-rules --enable-unicode --disable-valgrind \ + " + ARG RESTY_J="1" +ARG RESTY_STRIP_BINARIES="1" +ARG RESTY_GEOIP2_VERSION="3.4" # These are not intended to be user-specified -ARG _RESTY_CONFIG_OPTIONS="\ +ARG RESTY_CONFIG_OPTIONS="\ --with-compat \ - --with-file-aio \ --with-http_addition_module \ 
--with-http_auth_request_module \ --with-http_gunzip_module \ @@ -25,6 +38,7 @@ ARG _RESTY_CONFIG_OPTIONS="\ --with-http_stub_status_module \ --with-http_sub_module \ --with-http_v2_module \ + --with-http_v3_module \ --with-ipv6 \ --with-md5-asm \ --with-pcre-jit \ 
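Review bot: `enable-fips` in the new `RESTY_OPENSSL_BUILD_OPTIONS` only compiles the FIPS provider; the later build step installs with `make install_sw`, then strips every executable under `/usr/local/openresty/openssl3`, and nothing visible runs `openssl fipsinstall` or installs `fipsmodule.cnf`, so unless that happens elsewhere the provider cannot be loaded and the image is not FIPS-enabled in any meaningful sense despite CLAUDE.md describing it that way. If FIPS operation is genuinely required, add `make install_fips` and a `fipsinstall` step after the strip pass (I believe the module's integrity check is computed over the installed `fips.so`, so stripping it afterwards would invalidate it); if it is not, drop `enable-fips` to avoid a misleading claim and a larger build. Either way a comment on the ARG stating which is intended would help, e.g. `# enable-fips builds the provider only; activation needs install_fips + fipsinstall (not done in this image)`. The RUN command that consumes these options lives in a later hunk.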
@@ -41,30 +55,25 @@ ARG _RESTY_CONFIG_OPTIONS="\ --error-log-path=/var/log/openresty/error.log \ " -ARG RESTY_CONFIG_OPTIONS="" +ARG RESTY_CONFIG_OPTIONS_MORE="--add-module=/tmp/ngx_http_geoip2_module-${RESTY_GEOIP2_VERSION}" ARG RESTY_LUAJIT_OPTIONS="--with-luajit-xcflags='-DLUAJIT_NUMMODE=2 -DLUAJIT_ENABLE_LUA52COMPAT'" +ARG RESTY_PCRE_OPTIONS="--with-pcre-jit" -ARG RESTY_ADD_PACKAGE_BUILDDEPS="" -ARG RESTY_ADD_PACKAGE_RUNDEPS="" -ARG RESTY_EVAL_PRE_CONFIGURE="" -ARG RESTY_EVAL_POST_MAKE="" # These are not intended to be user-specified ARG _RESTY_CONFIG_DEPS="--with-pcre \ - --with-cc-opt='-DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl/include' \ - --with-ld-opt='-L/usr/local/openresty/pcre/lib -L/usr/local/openresty/openssl/lib -Wl,-rpath,/usr/local/openresty/pcre/lib:/usr/local/openresty/openssl/lib' \ + --with-cc-opt='-DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/pcre2/include -I/usr/local/openresty/openssl3/include' \ + --with-ld-opt='-L/usr/local/openresty/pcre2/lib -L/usr/local/openresty/openssl3/lib -Wl,-rpath,/usr/local/openresty/pcre2/lib:/usr/local/openresty/openssl3/lib' \ " -LABEL resty.image="alpine:${RESTY_IMAGE_TAG}" \ - resty.version="${RESTY_VERSION}" \ +LABEL resty.version="${RESTY_VERSION}" \ + resty.base_image="alpine:${RESTY_BASE_IMAGE_TAG}" \ resty.openssl_version="${RESTY_OPENSSL_VERSION}" \ + resty.openssl_patch_version="${RESTY_OPENSSL_PATCH_VERSION}" \ resty.pcre_version="${RESTY_PCRE_VERSION}" \ + resty.pcre_sha256="${RESTY_PCRE_SHA256}" \ resty.geoip2_version="${RESTY_GEOIP2_VERSION}" \ - resty.config_options="${_RESTY_CONFIG_OPTIONS} ${RESTY_CONFIG_OPTIONS}" \ - resty.add_package_builddeps="${RESTY_ADD_PACKAGE_BUILDDEPS}" \ - resty.add_package_rundeps="${RESTY_ADD_PACKAGE_RUNDEPS}" \ - resty.eval_pre_configure="${RESTY_EVAL_PRE_CONFIGURE}" \ - resty.eval_post_make="${RESTY_EVAL_POST_MAKE}" + resty.config_options="${RESTY_CONFIG_OPTIONS}" # 1) Install apk dependencies # 2) Download and 
untar OpenSSL, PCRE, and OpenResty 
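Review bot: The `resty.config_options` label now records only `${RESTY_CONFIG_OPTIONS}`, but the configure line in the later RUN also appends `RESTY_CONFIG_OPTIONS_MORE`, `RESTY_LUAJIT_OPTIONS` and `RESTY_PCRE_OPTIONS`, so image metadata no longer shows the GeoIP2 add-module or the PCRE JIT/LuaJIT flags actually compiled in; use `resty.config_options="${RESTY_CONFIG_OPTIONS} ${RESTY_CONFIG_OPTIONS_MORE} ${RESTY_PCRE_OPTIONS}"` and a separate `resty.luajit_options="${RESTY_LUAJIT_OPTIONS}"` so anyone inspecting a published image can reconstruct the build. Removing the `RESTY_EVAL_PRE_CONFIGURE`/`RESTY_EVAL_POST_MAKE` build args takes an `eval` of caller-supplied text out of the build, which is a welcome hardening and worth a one-line mention in the commit message.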
@@ -72,81 +81,87 @@ LABEL resty.image="alpine:${RESTY_IMAGE_TAG}" \ # 4) Cleanup RUN set -x && apk update && apk add --no-cache --virtual .build-deps \ - build-base \ - coreutils \ - curl \ - gd-dev \ - libmaxminddb-dev \ - linux-headers \ - make \ - perl-dev \ - readline-dev \ - zlib-dev \ - ${RESTY_ADD_PACKAGE_BUILDDEPS} \ + build-base \ + binutils \ + coreutils \ + curl \ + gd-dev \ + libmaxminddb-dev \ + linux-headers \ + make \ + perl-dev \ + readline-dev \ + zlib-dev \ && apk add --no-cache \ - gd \ - libgcc \ - libmaxminddb \ - tzdata \ - zlib \ - ${RESTY_ADD_PACKAGE_RUNDEPS} \ + gd \ + libgcc \ + libmaxminddb \ + tzdata \ + zlib \ && cd /tmp \ - && if [ -n "${RESTY_EVAL_PRE_CONFIGURE}" ]; then eval $(echo ${RESTY_EVAL_PRE_CONFIGURE}); fi \ - && cd /tmp \ - && curl -sfSL https://www.openssl.org/source/openssl-${RESTY_OPENSSL_VERSION}.tar.gz -o openssl-${RESTY_OPENSSL_VERSION}.tar.gz \ + && curl -fSL "${RESTY_OPENSSL_URL_BASE}/openssl-${RESTY_OPENSSL_VERSION}.tar.gz" -o openssl-${RESTY_OPENSSL_VERSION}.tar.gz \ && tar xzf openssl-${RESTY_OPENSSL_VERSION}.tar.gz \ && cd openssl-${RESTY_OPENSSL_VERSION} \ + && if [ $(echo ${RESTY_OPENSSL_VERSION} | cut -c 1-2) = "3." 
] ; then \ + echo 'patching OpenSSL 3.x for OpenResty' \ + && curl -s https://raw.githubusercontent.com/openresty/openresty/master/patches/openssl-${RESTY_OPENSSL_PATCH_VERSION}-sess_set_get_cb_yield.patch | patch -p1 ; \ + fi \ && if [ $(echo ${RESTY_OPENSSL_VERSION} | cut -c 1-5) = "1.1.1" ] ; then \ - echo 'patching OpenSSL 1.1.1 for OpenResty' \ - && curl -s https://raw.githubusercontent.com/openresty/openresty/master/patches/openssl-${RESTY_OPENSSL_PATCH_VERSION}-sess_set_get_cb_yield.patch | patch -p1 ; \ + echo 'patching OpenSSL 1.1.1 for OpenResty' \ + && curl -s https://raw.githubusercontent.com/openresty/openresty/master/patches/openssl-${RESTY_OPENSSL_PATCH_VERSION}-sess_set_get_cb_yield.patch | patch -p1 ; \ fi \ && if [ $(echo ${RESTY_OPENSSL_VERSION} | cut -c 1-5) = "1.1.0" ] ; then \ - echo 'patching OpenSSL 1.1.0 for OpenResty' \ - && curl -s https://raw.githubusercontent.com/openresty/openresty/ed328977028c3ec3033bc25873ee360056e247cd/patches/openssl-1.1.0j-parallel_build_fix.patch | patch -p1 \ - && curl -s https://raw.githubusercontent.com/openresty/openresty/master/patches/openssl-${RESTY_OPENSSL_PATCH_VERSION}-sess_set_get_cb_yield.patch | patch -p1 ; \ + echo 'patching OpenSSL 1.1.0 for OpenResty' \ + && curl -s https://raw.githubusercontent.com/openresty/openresty/ed328977028c3ec3033bc25873ee360056e247cd/patches/openssl-1.1.0j-parallel_build_fix.patch | patch -p1 \ + && curl -s https://raw.githubusercontent.com/openresty/openresty/master/patches/openssl-${RESTY_OPENSSL_PATCH_VERSION}-sess_set_get_cb_yield.patch | patch -p1 ; \ fi \ && ./config \ - no-threads shared zlib -g \ - enable-ssl3 enable-ssl3-method \ - --prefix=/usr/local/openresty/openssl \ - --libdir=lib \ - -Wl,-rpath,/usr/local/openresty/openssl/lib \ + shared zlib -g \ + --prefix=/usr/local/openresty/openssl3 \ + --libdir=lib \ + -Wl,-rpath,/usr/local/openresty/openssl3/lib \ + ${RESTY_OPENSSL_BUILD_OPTIONS} \ && make -j${RESTY_J} \ && make -j${RESTY_J} install_sw \ && cd /tmp \ 
- && curl -sfSL https://downloads.sourceforge.net/project/pcre/pcre/${RESTY_PCRE_VERSION}/pcre-${RESTY_PCRE_VERSION}.tar.gz -o pcre-${RESTY_PCRE_VERSION}.tar.gz \ - && echo "${RESTY_PCRE_SHA1} pcre-${RESTY_PCRE_VERSION}.tar.gz" | sha1sum -c - \ - && tar xzf pcre-${RESTY_PCRE_VERSION}.tar.gz \ - && cd /tmp/pcre-${RESTY_PCRE_VERSION} \ - && ./configure \ - --prefix=/usr/local/openresty/pcre \ - --disable-cpp \ - --enable-jit \ - --enable-utf \ - --enable-unicode-properties \ - && make -j${RESTY_J} \ - && make -j${RESTY_J} install \ + && curl -fSL "https://github.com/PCRE2Project/pcre2/releases/download/pcre2-${RESTY_PCRE_VERSION}/pcre2-${RESTY_PCRE_VERSION}.tar.gz" -o pcre2-${RESTY_PCRE_VERSION}.tar.gz \ + && echo "${RESTY_PCRE_SHA256} pcre2-${RESTY_PCRE_VERSION}.tar.gz" | shasum -a 256 --check \ + && tar xzf pcre2-${RESTY_PCRE_VERSION}.tar.gz \ + && cd /tmp/pcre2-${RESTY_PCRE_VERSION} \ + && CFLAGS="-g -O3" ./configure \ + --prefix=/usr/local/openresty/pcre2 \ + --libdir=/usr/local/openresty/pcre2/lib \ + ${RESTY_PCRE_BUILD_OPTIONS} \ + && CFLAGS="-g -O3" make -j${RESTY_J} \ + && CFLAGS="-g -O3" make -j${RESTY_J} install \ && cd /tmp \ && curl -sfSL https://github.com/leev/ngx_http_geoip2_module/archive/${RESTY_GEOIP2_VERSION}.tar.gz -o ngx_http_geoip2_module-${RESTY_GEOIP2_VERSION}.tar.gz \ && tar xzf ngx_http_geoip2_module-${RESTY_GEOIP2_VERSION}.tar.gz \ && cd /tmp \ - && curl -sfSL https://openresty.org/download/openresty-${RESTY_VERSION}.tar.gz -o openresty-${RESTY_VERSION}.tar.gz \ + && curl -fSL https://openresty.org/download/openresty-${RESTY_VERSION}.tar.gz -o openresty-${RESTY_VERSION}.tar.gz \ && tar xzf openresty-${RESTY_VERSION}.tar.gz \ && cd /tmp/openresty-${RESTY_VERSION} \ - && eval ./configure -j${RESTY_J} ${_RESTY_CONFIG_DEPS} ${_RESTY_CONFIG_OPTIONS} ${RESTY_CONFIG_OPTIONS} ${RESTY_LUAJIT_OPTIONS} \ - --add-module=/tmp/ngx_http_geoip2_module-${RESTY_GEOIP2_VERSION} \ + && eval ./configure -j${RESTY_J} ${_RESTY_CONFIG_DEPS} ${RESTY_CONFIG_OPTIONS} 
${RESTY_CONFIG_OPTIONS_MORE} ${RESTY_LUAJIT_OPTIONS} ${RESTY_PCRE_OPTIONS} \ && make -j${RESTY_J} \ && make -j${RESTY_J} install \ && cd /tmp \ - && if [ -n "${RESTY_EVAL_POST_MAKE}" ]; then eval $(echo ${RESTY_EVAL_POST_MAKE}); fi \ && rm -rf \ - openssl-${RESTY_OPENSSL_VERSION}.tar.gz openssl-${RESTY_OPENSSL_VERSION} \ - pcre-${RESTY_PCRE_VERSION}.tar.gz pcre-${RESTY_PCRE_VERSION} \ - ngx_http_geoip2_module-${RESTY_GEOIP2_VERSION}.tar.gz ngx_http_geoip2_module-${RESTY_GEOIP2_VERSION} \ - openresty-${RESTY_VERSION}.tar.gz openresty-${RESTY_VERSION} \ - && strip /usr/local/openresty/nginx/sbin/nginx \ - && strip /usr/local/openresty/nginx/modules/*.so \ + openssl-${RESTY_OPENSSL_VERSION}.tar.gz openssl-${RESTY_OPENSSL_VERSION} \ + pcre2-${RESTY_PCRE_VERSION}.tar.gz pcre2-${RESTY_PCRE_VERSION} \ + openresty-${RESTY_VERSION}.tar.gz openresty-${RESTY_VERSION} \ + ngx_http_geoip2_module-${RESTY_GEOIP2_VERSION}.tar.gz ngx_http_geoip2_module-${RESTY_GEOIP2_VERSION} \ + && if [ -n "${RESTY_STRIP_BINARIES}" ]; then \ + echo 'stripping OpenResty binaries' \ + && rm -Rf /usr/local/openresty/openssl3/bin/c_rehash /usr/local/openresty/openssl3/lib/*.a /usr/local/openresty/openssl3/include \ + && find /usr/local/openresty/openssl3 -type f -perm -u+x -exec strip --strip-unneeded '{}' \; \ + && rm -Rf /usr/local/openresty/pcre2/bin /usr/local/openresty/pcre2/share \ + && find /usr/local/openresty/pcre2 -type f -perm -u+x -exec strip --strip-unneeded '{}' \; \ + && rm -Rf /usr/local/openresty/luajit/lib/*.a /usr/local/openresty/luajit/share/man \ + && find /usr/local/openresty/luajit -type f -perm -u+x -exec strip --strip-unneeded '{}' \; \ + && find /usr/local/openresty/nginx -type f -perm -u+x -exec strip --strip-unneeded '{}' \; ; \ + fi \ && apk del .build-deps \ + && rm -f /etc/periodic/weekly/libmaxminddb /etc/libmaxminddb.cron.conf \ && mkdir -p /var/log/openresty \ && ln -sf /dev/stdout /var/log/openresty/access.log \ && ln -sf /dev/stderr /var/log/openresty/error.log
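Review bot: The OpenSSL, OpenResty and GeoIP2 tarballs are still downloaded with no integrity check, and the new 3.x branch fetches the OpenResty compatibility patch from `raw.githubusercontent.com/openresty/openresty/master/...` with `curl -s` — a mutable branch, no `-f`, and the body piped straight into `patch -p1` — so a changed or compromised upstream file, or an HTTP error page, silently alters what is compiled into the TLS library. Verify each artifact the way PCRE2 already is in this hunk, e.g. `&& echo "${RESTY_OPENSSL_SHA256}  openssl-${RESTY_OPENSSL_VERSION}.tar.gz" | shasum -a 256 --check` with the digest taken from the upstream release's `.sha256` asset, and pin the patch URL to a commit as the 1.1.0 branch of the same `if` chain already does, switching to `curl -fsSL` so a fetch failure fails the build instead of feeding garbage to `patch`. The strip pass at the end also rewrites any `fips.so` installed under `openssl3`; confirm that is intended if the FIPS provider is meant to be usable. The `RUN` this belongs to begins at the top of this hunk and its tail continues beyond what is shown.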