Verified Commit 6085ff65 authored by Sheogorath's avatar Sheogorath 🏰

Initial working version

Adds the initial version of libravatar-nginx, a container image that
provides a libravatar implementation using nginx config files. The
minimal setup should allow secure and static avatar shipping.
Pipeline #1423 failed with stage
in 2 minutes and 25 seconds
image: quay.io/sheogorath/build-ah-engine
before_script:
- podman login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
build-master:
stage: build
script:
- podman build --pull -t "CI_REGISTRY_IMAGE" .
- podman push "$CI_REGISTRY_IMAGE"
only:
- master
build:
stage: build
script:
- podman build --pull -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG" .
- podman push "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG"
except:
- master
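Review bot: the `build-master` job tags the image with the literal string `CI_REGISTRY_IMAGE` (the `$` is missing in `podman build --pull -t "CI_REGISTRY_IMAGE" .`), so the following `podman push "$CI_REGISTRY_IMAGE"` has no matching local image to push; this alone explains a failing pipeline on master. Fix it to `podman build --pull -t "$CI_REGISTRY_IMAGE" .`, matching the `build` job below. Separately, `podman login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD"` puts the registry password on the command line, where it is visible in the process list (and in the job log unless the variable is masked); prefer `echo "$CI_REGISTRY_PASSWORD" | podman login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"`, and quote `$CI_REGISTRY` while at it.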
FROM nginx:alpine
RUN true \
&& apk add --no-cache imagemagick \
&& mkdir /var/libravatar.d/ \
&& true
COPY ./default.conf /etc/nginx/conf.d/
COPY ./docker-entrypoint.sh /usr/local/bin/docker-entrypoint
ENTRYPOINT ["/usr/local/bin/docker-entrypoint"]
CMD ["nginx", "-g", "daemon off;"]
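Review bot: `COPY ./docker-entrypoint.sh /usr/local/bin/docker-entrypoint` preserves the source file's mode, so unless the script is committed with the executable bit set the `ENTRYPOINT` fails with a permission error at container start; add `RUN chmod 0755 /usr/local/bin/docker-entrypoint` after the `COPY` (or `COPY --chmod=0755 ...` on builders that support it) so the image does not depend on repository file modes. Also, `FROM nginx:alpine` is unpinned and the CI builds with `--pull`, so nginx and the `imagemagick` package can change silently between builds; pin a specific tag or digest for reproducible, auditable images.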
Libravatar-nginx
===
Libravatar-nginx is a project that aims to provide an easy and static way to provide your avatars using not more than nginx. This provides a massively reduced attack surface and maxium performance since all images are pre-genrated and no further code has to run on the server-side.
To achive this the image uses a shell script, imagemagick's `convert` command and an extended nginx config.
Supported features:
|Feature |Support |
|-----------------------|--------------------------------|
|size parameter | ✔ |
|default parameter | ✔ |
|forcedefault parameter | ✖ |
|SHA256 hash | ✔ |
|MD5 hash | ✔ |
|Gravatar fallback | ✔ (implicit through libravatar)|
|Libravatar fallback | ✔ |
|Generated default icons| ✔ (implicit through libravatar)|
|XMLRPC API | ✖ |
|WebFrontend | ✖ |
|OpenID | ✖ |
How to use
---
Here is a minimal `docker-compose.yml` to run the container:
```yaml
---
version: '2'
services:
libravatar:
image: quay.io/shivering-isles/libravatar-nginx:latest
mem_limit: 50mb
memswap_limit: 100mb
volumes:
- ./avatars:/var/libravatar.d/
ports:
- 80:80
restart: always
```
Before starting the image using `docker-compose up -d`, drop your avatar into the ./avatars directory. The avatars should have your email address as image name followed by their file extension (currently only JPG is supported). Example: `me@example.com.jpg`
Finally you have to setup SRV records for your domain (`example.com`), so that libravatar libraries are able to find you. Those should have the following format:
```
_avatars._tcp.example.com. IN SRV 0 0 80 avatars.example.com
_avatars-sec._tcp.example.com. IN SRV 0 0 443 avatars.example.com
```
`avatars.example.com` should be DNS name where the libravatar-nginx is available on. For `_avatars-sec._tcp.example.com` it's required to add a reverse-proxy in front of libravatar-nginx that does the HTTPS handling.
Further details can be found in the [libravatar wiki](https://wiki.libravatar.org/running_your_own/).
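Review bot: the intro has three typos: "achive" should be "achieve", "maxium" should be "maximum", and "pre-genrated" should be "pre-generated". On content, the usage section tells users to drop avatars into `./avatars` before `docker-compose up -d`, but because the scaled images are produced by the entrypoint at container start, it should also state that avatars added or replaced later are only picked up after a container restart. The feature table says only JPG is supported, while the shipped nginx config also looks for `.png` variants; state clearly which formats are actually generated and served.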
# Expires map
map $sent_http_content_type $expires {
default off;
text/html epoch;
text/css max;
application/javascript max;
~image/ max;
~font/ max;
}
proxy_cache_path /tmp/nginx-cache levels=1:2 keys_zone=STATIC:10m inactive=24h max_size=1g;
server {
root /usr/share/nginx/html;
listen 80;
server_name shivering-isles.com;
expires $expires;
charset UTF-8;
set_real_ip_from 172.16.0.0/12;
add_header Allow "GET, HEAD" always;
if ( $request_method !~ ^(GET|HEAD)$ ) {
return 405;
}
location /avatar/ {
root /usr/share/nginx/html;
autoindex off;
expires 30d;
add_header Pragma public;
add_header Cache-Control "public";
#if ($arg_s) {
# set $size $arg_s;
#}
#if ($arg_size) {
# set $size $arg_size;
#}
#if ($arg_d) {
# set $default_image $arg_d;
#}
#if ($arg_default) {
# set $default_image $arg_default;
#}
#if ($arg_default) {}
try_files $uri/$arg_size.jpg $uri/$arg_s.jpg $uri/$arg_size.png $uri/$arg_s.png $uri/80.jpg $uri/80.png @defaultimage;
}
location @defaultimage {
if ($arg_default = 404) {
return 404;
}
if ($arg_default) {
return 302 $arg_default;
}
if ($arg_default = 404) {
return 404;
}
if ($arg_d) {
return 302 $arg_d;
}
return 302 https://seccdn.libravatar.org$request_uri;
}
location / {
root /usr/share/nginx/html;
index index.html index.htm;
try_files $uri $uri/index.html $uri.html =404;
}
error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
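Review bot: in `location @defaultimage` the second `if ($arg_default = 404)` block is unreachable, since the first one already returns 404 and `if ($arg_default)` returns 302 for every other non-empty value; drop it. The `d` parameter is not handled symmetrically: `if ($arg_d) { return 302 $arg_d; }` turns `?d=404` into a redirect to the relative URL `404` rather than a 404 response, so add `if ($arg_d = 404) { return 404; }` ahead of it. Both redirects forward any client-supplied value unchecked, which makes `/avatar/` an open redirector; consider restricting them to absolute http(s) URLs, e.g. `if ($arg_default ~ "^https?://") { return 302 $arg_default; }`. Smaller points: `server_name shivering-isles.com;` is hard-coded into a reusable image and should come from the environment or be dropped, `set_real_ip_from 172.16.0.0/12;` has no effect without a `real_ip_header` directive, and `proxy_cache_path` is declared but never referenced by any `proxy_cache` directive.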
#!/bin/sh
set -e
SCALE_START=${SCALE_START:-10}
SCALE_STEP=${SCALE_STEP:-2}
SCALE_STOP=${SCALE_STOP:-512}
IMAGE_TYPE=${IMAGE_TYPE:-jpg}
WWW_BASE=/usr/share/nginx/html
for picture in /var/libravatar.d/*."${IMAGE_TYPE}"; do
HASH_MD5=$(echo -n "$(basename "$picture" .${IMAGE_TYPE})" | md5sum | awk '{print $1}')
HASH_SHA256=$(echo -n "$(basename "$picture" .${IMAGE_TYPE})" | sha256sum | awk '{print $1}')
HASH_MD5_PATH="$WWW_BASE/avatar/$HASH_MD5"
HASH_SHA256_PATH="$WWW_BASE/avatar/$HASH_SHA256"
mkdir -p "$HASH_MD5_PATH" "$HASH_SHA256_PATH"
for s in $(seq $SCALE_START $SCALE_STEP $SCALE_STOP); do
convert -resize "${s}x${s}" $picture "$HASH_MD5_PATH/${s}.${IMAGE_TYPE}"
ln "$HASH_MD5_PATH/${s}.${IMAGE_TYPE}" "$HASH_SHA256_PATH/${s}.${IMAGE_TYPE}"
done
done
exec "$@"
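Review bot: the loop has no guard for an empty `/var/libravatar.d/`: when the glob matches nothing, `$picture` is the literal pattern `/var/libravatar.d/*.jpg`, `convert` fails, and `set -e` aborts the script before `exec "$@"`, so the container never starts nginx; add `[ -e "$picture" ] || continue` as the first statement of the outer loop. `$picture` is unquoted in the `convert` call, so filenames containing spaces break. The hash is computed over the filename as-is, but libravatar clients hash the lowercased and trimmed email address; pipe the basename through `tr '[:upper:]' '[:lower:]'` before `md5sum`/`sha256sum` so an avatar stored as `Me@Example.com.jpg` is actually reachable. `ln` without `-f` fails when the target files already exist, e.g. on a plain container restart where the writable layer persists, again aborting via `set -e`. Finally, `-resize "${s}x${s}"` preserves the aspect ratio, so a non-square source yields non-square avatars; `-resize "${s}x${s}^" -gravity center -extent "${s}x${s}"` produces the square images clients expect.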