Verified Commit 6085ff65 authored by Sheogorath

Initial working version

Adds the initial version of libravatar-nginx, a container image that
provides a libravatar implementation using nginx config files. The
minimal setup should allow secure and static avatar shipping.
Pipeline #1423 failed
image: quay.io/sheogorath/build-ah-engine
before_script:
- podman login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
build-master:
stage: build
script:
- podman build --pull -t "CI_REGISTRY_IMAGE" .
- podman push "$CI_REGISTRY_IMAGE"
only:
- master
build:
stage: build
script:
- podman build --pull -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG" .
- podman push "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG"
except:
- master
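Review bot: In `build-master`, the tag in `podman build --pull -t "CI_REGISTRY_IMAGE" .` is missing the `$`, so the image is tagged with the literal string `CI_REGISTRY_IMAGE` and the following `podman push "$CI_REGISTRY_IMAGE"` refers to an image that was never built under that name; it should read `-t "$CI_REGISTRY_IMAGE"`, matching how the `build` job expands its variables. In `before_script`, `-p "$CI_REGISTRY_PASSWORD"` puts the registry password on the command line; `podman login` accepts `--password-stdin`, which keeps it out of the process list. `$CI_REGISTRY` on that line is also the only unquoted variable in the file.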
FROM nginx:alpine
RUN true \
&& apk add --no-cache imagemagick \
&& mkdir /var/libravatar.d/ \
&& true
COPY ./default.conf /etc/nginx/conf.d/
COPY ./docker-entrypoint.sh /usr/local/bin/docker-entrypoint
ENTRYPOINT ["/usr/local/bin/docker-entrypoint"]
CMD ["nginx", "-g", "daemon off;"]
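Review bot: `FROM nginx:alpine` is a floating tag, and the CI jobs build with `--pull`, so every build may pick up a different nginx and Alpine release without any change in this repository; pinning a version tag or digest makes rebuilds reproducible and upgrades reviewable. The `imagemagick` package installed by `apk add --no-cache imagemagick` is unpinned as well, which matters here because the entrypoint runs it over files from the mounted volume at every start. A short comment noting that the custom `ENTRYPOINT` finishes by exec'ing the `CMD` would help readers who expect the base image's own entrypoint.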
Libravatar-nginx
===
Libravatar-nginx is a project that aims to provide an easy and static way to provide your avatars using not more than nginx. This provides a massively reduced attack surface and maxium performance since all images are pre-genrated and no further code has to run on the server-side.
To achive this the image uses a shell script, imagemagick's `convert` command and an extended nginx config.
Supported features:
|Feature |Support |
|-----------------------|--------------------------------|
|size parameter | ✔ |
|default parameter | ✔ |
|forcedefault parameter | ✖ |
|SHA256 hash | ✔ |
|MD5 hash | ✔ |
|Gravatar fallback | ✔ (implicit through libravatar)|
|Libravatar fallback | ✔ |
|Generated default icons| ✔ (implicit through libravatar)|
|XMLRPC API | ✖ |
|WebFrontend | ✖ |
|OpenID | ✖ |
How to use
---
Here is a minimal `docker-compose.yml` to run the container:
```yaml
---
version: '2'
services:
libravatar:
image: quay.io/shivering-isles/libravatar-nginx:latest
mem_limit: 50mb
memswap_limit: 100mb
volumes:
- ./avatars:/var/libravatar.d/
ports:
- 80:80
restart: always
```
Before starting the image using `docker-compose up -d`, drop your avatar into the ./avatars directory. The avatars should have your email address as image name followed by their file extension (currently only JPG is supported). Example: `me@example.com.jpg`
Finally you have to setup SRV records for your domain (`example.com`), so that libravatar libraries are able to find you. Those should have the following format:
```
_avatars._tcp.example.com. IN SRV 0 0 80 avatars.example.com
_avatars-sec._tcp.example.com. IN SRV 0 0 443 avatars.example.com
```
`avatars.example.com` should be DNS name where the libravatar-nginx is available on. For `_avatars-sec._tcp.example.com` it's required to add a reverse-proxy in front of libravatar-nginx that does the HTTPS handling.
Further details can be found in the [libravatar wiki](https://wiki.libravatar.org/running_your_own/).
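Review bot: The compose example mounts `./avatars:/var/libravatar.d/` read-write although the entrypoint only reads from that directory; adding `:ro` to the volume keeps the container from modifying the source images. The naming paragraph should state that the file name is hashed exactly as written, so the address has to be given in the form clients hash (Libravatar clients lowercase the address before hashing). The feature table lists the size parameter as supported without qualification, but with the entrypoint defaults only even sizes from 10 to 512 are generated and any other value falls back to the 80 pixel image. Typos to fix: "maxium", "pre-genrated", "achive".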
avatar/me@example.com.jpg

31.1 KiB

avatar/me@example.org.jpg

343 KiB

# Expires map
map $sent_http_content_type $expires {
default off;
text/html epoch;
text/css max;
application/javascript max;
~image/ max;
~font/ max;
}
proxy_cache_path /tmp/nginx-cache levels=1:2 keys_zone=STATIC:10m inactive=24h max_size=1g;
server {
root /usr/share/nginx/html;
listen 80;
server_name shivering-isles.com;
expires $expires;
charset UTF-8;
set_real_ip_from 172.16.0.0/12;
add_header Allow "GET, HEAD" always;
if ( $request_method !~ ^(GET|HEAD)$ ) {
return 405;
}
location /avatar/ {
root /usr/share/nginx/html;
autoindex off;
expires 30d;
add_header Pragma public;
add_header Cache-Control "public";
#if ($arg_s) {
# set $size $arg_s;
#}
#if ($arg_size) {
# set $size $arg_size;
#}
#if ($arg_d) {
# set $default_image $arg_d;
#}
#if ($arg_default) {
# set $default_image $arg_default;
#}
#if ($arg_default) {}
try_files $uri/$arg_size.jpg $uri/$arg_s.jpg $uri/$arg_size.png $uri/$arg_s.png $uri/80.jpg $uri/80.png @defaultimage;
}
location @defaultimage {
if ($arg_default = 404) {
return 404;
}
if ($arg_default) {
return 302 $arg_default;
}
if ($arg_default = 404) {
return 404;
}
if ($arg_d) {
return 302 $arg_d;
}
return 302 https://seccdn.libravatar.org$request_uri;
}
location / {
root /usr/share/nginx/html;
index index.html index.htm;
try_files $uri $uri/index.html $uri.html =404;
}
error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
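Review bot: In `@defaultimage`, the second `if ($arg_default = 404)` duplicates the first and was presumably meant to test `$arg_d`; as written a request with `d=404` falls through to `if ($arg_d)` and is answered with `return 302 $arg_d;` instead of a 404. Both `return 302 $arg_default;` and `return 302 $arg_d;` send the client to whatever the query string contains, so the server acts as an open redirector; if arbitrary default URLs are intended, require at least an `http://` or `https://` prefix and document the behaviour. In `location /avatar/`, `$arg_size` and `$arg_s` are interpolated into the `try_files` paths unchecked; passing them through a digits-only `map` first would keep path characters out of the lookup. `server_name shivering-isles.com` is hard-coded for what the README presents as a generic image, `proxy_cache_path` declares a `STATIC` zone that no location uses, and the commented-out `if` blocks can be dropped.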
#!/bin/sh
set -e
SCALE_START=${SCALE_START:-10}
SCALE_STEP=${SCALE_STEP:-2}
SCALE_STOP=${SCALE_STOP:-512}
IMAGE_TYPE=${IMAGE_TYPE:-jpg}
WWW_BASE=/usr/share/nginx/html
for picture in /var/libravatar.d/*."${IMAGE_TYPE}"; do
HASH_MD5=$(echo -n "$(basename "$picture" .${IMAGE_TYPE})" | md5sum | awk '{print $1}')
HASH_SHA256=$(echo -n "$(basename "$picture" .${IMAGE_TYPE})" | sha256sum | awk '{print $1}')
HASH_MD5_PATH="$WWW_BASE/avatar/$HASH_MD5"
HASH_SHA256_PATH="$WWW_BASE/avatar/$HASH_SHA256"
mkdir -p "$HASH_MD5_PATH" "$HASH_SHA256_PATH"
for s in $(seq $SCALE_START $SCALE_STEP $SCALE_STOP); do
convert -resize "${s}x${s}" $picture "$HASH_MD5_PATH/${s}.${IMAGE_TYPE}"
ln "$HASH_MD5_PATH/${s}.${IMAGE_TYPE}" "$HASH_SHA256_PATH/${s}.${IMAGE_TYPE}"
done
done
exec "$@"
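Review bot: In the inner loop, `convert -resize "${s}x${s}" $picture ...` passes `$picture` unquoted, so a file name in the mounted volume that contains spaces or glob characters is split or expanded into several arguments to ImageMagick; quote it as `"$picture"`. `ln` has no `-f`, so when the container is restarted with its existing filesystem (the README example sets `restart: always`) the link target already exists, `ln` fails and `set -e` aborts the entrypoint before nginx starts. The script also aborts when no `*.${IMAGE_TYPE}` file is present, because the unmatched glob is handed to `convert` literally; a `[ -e "$picture" ] || continue` guard avoids that. The name is hashed as written, so lowercasing it before `md5sum` and `sha256sum` would match what clients request, and `printf '%s'` is more portable than `echo -n` under `#!/bin/sh`.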