Update openresty and certs

docker_devbox/work/start--pre.sh

@@ -2,7 +2,8 @@
 set -e
 
 # Generate a SSH id for git if it does not exist.
-[ -e ~/.ssh/id_rsa.pub ] || ssh-keygen -t rsa -b 4096 -N "" -C `hostname -f` -f ~/.ssh/id_rsa
+# [ -e ~/.ssh/id_rsa.pub ] || ssh-keygen -t rsa -b 4096 -N "" -C `hostname -f` -f ~/.ssh/id_rsa
+[ -e ~/.ssh/id_rsa.pub ] || ssh-keygen -t ed25519 -N "" -C `hostname -f` -f ~/.ssh/id_ed25519
 
 # Generate a self-signed certificate for jupyter if it does not exist (only when GEN_CERT or USE_SSL is set to yes).
 JUPYTER_PEM_FILE="/opt/conda/etc/jupyter/certificate.pem"

docker_openresty/Dockerfile

@@ -6,9 +6,9 @@ FROM ${BASE_NAMESPACE:+$BASE_NAMESPACE/}${BASE_IMG}
 
 LABEL maintainer="[email protected]"
 
-ENV NGINX_ENVSUBST_OUTPUT_DIR /etc/nginx/conf.d
-ENV NGINX_ENVSUBST_TEMPLATE_DIR /etc/nginx/templates
-ENV NGINX_ENVSUBST_TEMPLATE_SUFFIX .template
+ENV NGINX_ENVSUBST_OUTPUT_DIR       /etc/nginx/conf.d
+ENV NGINX_ENVSUBST_TEMPLATE_DIR     /etc/nginx/templates
+ENV NGINX_ENVSUBST_TEMPLATE_SUFFIX  .template
 
 COPY work /opt/utils/
 
@@ -18,15 +18,14 @@ RUN set -eux \
  && chown -R nginx:www-data /var/cache/nginx /var/log/nginx \
  && source /opt/utils/script-setup.sh && setup_lua_base && setup_lua_rocks \
  && source /opt/utils/script-setup-openresty.sh && setup_openresty \
- && source /opt/utils/script-setup-acme.sh      && setup_acme && setup_lego \
- && pip install certbot \
- && mv     /opt/utils/entrypoint/* /           && rm -rf /opt/utils/entrypoint \
- && cp -rf /opt/utils/nginx/*      /etc/nginx/ && rm -rf /opt/utils/nginx \
+ && source /opt/utils/script-setup-acme.sh      && setup_acme \
+ && mv     /opt/utils/entrypoint/* /            && rm -rf /opt/utils/entrypoint \
+ && cp -rf /opt/utils/nginx/*      /etc/nginx/  && rm -rf /opt/utils/nginx \
  && chmod -R +x /docker-entrypoint.* && ls -alh /docker-entrypoint.* /etc/nginx/* \
  && nginx -t \
  && install__clean
 
-VOLUME [ "/var/log/nginx", "/var/cache/nginx", "/etc/nginx/templates/"]
+VOLUME ["/var/log/nginx", "/var/cache/nginx", "/etc/nginx/templates/", "/etc/nginx/ssl", "/root/.acme.sh"]
 
 ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD ["nginx"]

docker_openresty/README.md

@@ -1,6 +1,9 @@
-# OpenResty with Lua and certbot
+# OpenResty with Lua, acme.sh and lego
 
-ref: https://github.com/openresty/docker-openresty/blob/master/bionic/Dockerfile
+What's here:
+ - Openresty, ref: https://github.com/openresty/docker-openresty/blob/master/bionic/Dockerfile
+ - acme.sh
+ - lego
 
 ## Debug
 

docker_openresty/work/nginx/conf.d/include/assets.conf

@@ -0,0 +1,31 @@
+location ~* ^.*\.(css|js|jpe?g|gif|png|webp|woff|woff2|eot|ttf|svg|ico|css\.map|js\.map)$ {
+	if_modified_since off;
+
+	# use the public cache
+	proxy_cache public-cache;
+	proxy_cache_key $host$request_uri;
+
+	# ignore these headers for media
+	proxy_ignore_headers Set-Cookie Cache-Control Expires X-Accel-Expires;
+
+	# cache 200s and also 404s (not ideal but there are a few 404 images for some reason)
+	proxy_cache_valid any 30m;
+	proxy_cache_valid 404 1m;
+
+	# strip this header to avoid If-Modified-Since requests
+	proxy_hide_header Last-Modified;
+	proxy_hide_header Cache-Control;
+	proxy_hide_header Vary;
+
+	proxy_cache_bypass 0;
+	proxy_no_cache 0;
+
+	proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504 http_404;
+	proxy_connect_timeout 5s;
+	proxy_read_timeout 45s;
+
+	expires @30m;
+	access_log  off;
+
+	include conf.d/include/proxy.conf;
+}

docker_openresty/work/script-acme-lego.sh

@@ -0,0 +1,59 @@
+#!/bin/bash
+set -ex
+
+# Function to issue certificates using lego
+issue_certificates_lego() {
+    local ACME_EMAIL=$1
+    local LIST_DOMAINS=$2
+
+    echo "ACME_EMAIL set to ${ACME_EMAIL}"
+    echo "LIST_DOMAINS set to ${LIST_DOMAINS}"
+
+    # Validate and define email address
+    ACME_EMAIL=${ACME_EMAIL:-"[email protected]"}
+
+    if [ -z "$LIST_DOMAINS" ]; then
+        echo "Please define variable LIST_DOMAINS: domain names separated by space"
+        echo "example: LIST_DOMAINS=\"example.com api.example.com\""
+        exit 2
+    fi
+
+    # Split LIST_DOMAINS into array
+    local DOMAINS=($LIST_DOMAINS)
+
+    # Check for wildcard domains
+    for DOMAIN in "${DOMAINS[@]}"; do
+        if [[ "$DOMAIN" == *"*"* ]]; then
+            echo "Wildcard domains (e.g., *.example.com) are not supported by this function."
+            exit 3
+        fi
+    done
+
+    # Define directories and commands
+    local DIR_CERT_INSTALL="/etc/nginx/ssl"
+    local DIR_WEB_ROOT="/data/letsencrypt-acme-challenge"
+    local RELOAD_CMD="nginx -t && nginx -s reload"
+
+    # Create required directories
+    mkdir -pv "$DIR_CERT_INSTALL" "$DIR_WEB_ROOT"
+
+    # Process each domain
+    for DOMAIN in "${DOMAINS[@]}"; do
+        echo "Applying for certificate for domain using lego HTTP-01 method for: ${DOMAIN}"
+
+        lego --email "${ACME_EMAIL}" --accept-tos --dns "none" --http \
+            --http.webroot="${DIR_WEB_ROOT}" \
+            --domains "${DOMAIN}" run
+
+        echo "Installing domain certificate to: ${DIR_CERT_INSTALL}"
+        cp "${DOMAIN}.key" "${DOMAIN}.crt" "${DIR_CERT_INSTALL}/
+
+        # Reload nginx to apply the certificate
+        ${RELOAD_CMD}
+
+        echo "Certificate successfully applied for domain: ${DOMAIN}"
+    done
+}
+
+# Call the function with parameters
+issue_certificates_lego "$1" "$2"

docker_openresty/work/script-acme-sh.sh

@@ -0,0 +1,62 @@
+#!/bin/bash
+set -ex
+
+# Function to issue certificates using acme.sh
+issue_certificates_acme_sh() {
+    local ACME_EMAIL=$1
+    local LIST_DOMAINS=$2
+
+    echo "ACME_EMAIL set to ${ACME_EMAIL}"
+    echo "LIST_DOMAINS set to ${LIST_DOMAINS}"
+
+    # Validate and define email address
+    ACME_EMAIL=${ACME_EMAIL:-"[email protected]"}
+
+    if [ -z "$LIST_DOMAINS" ]; then
+        echo "Please define variable LIST_DOMAINS: domain names separated by space"
+        echo "example: LIST_DOMAINS=\"example.com api.example.com\""
+        exit 2
+    fi
+
+    # Split LIST_DOMAINS into array
+    local DOMAINS=($LIST_DOMAINS)
+
+    # Check for wildcard domains
+    for DOMAIN in "${DOMAINS[@]}"; do
+        if [[ "$DOMAIN" == *"*"* ]]; then
+            echo "Wildcard domains (e.g., *.example.com) are not supported by this function."
+            exit 3
+        fi
+    done
+
+    # Define directories and commands
+    local DIR_CERT_INSTALL="/etc/nginx/ssl"
+    local DIR_WEB_ROOT="/data/letsencrypt-acme-challenge"
+    local PATH_ACME="/opt/acme.sh"
+    local RELOAD_CMD="nginx -t && nginx -s reload"
+
+    # Create required directories
+    mkdir -pv "$DIR_CERT_INSTALL" "$DIR_WEB_ROOT"
+
+    # Process each domain
+    for DOMAIN in "${DOMAINS[@]}"; do
+        echo "Applying for certificate for domain using acme.sh HTTP-01 method for: ${DOMAIN}"
+
+        "${PATH_ACME}/acme.sh" --issue --force \
+            --webroot "${DIR_WEB_ROOT}" \
+            -d "${DOMAIN}" \
+            --server letsencrypt
+
+        echo "Installing domain certificate to: ${DIR_CERT_INSTALL}"
+        "${PATH_ACME}/acme.sh" --install-cert \
+            -d "${DOMAIN}" \
+            --key-file "${DIR_CERT_INSTALL}/${DOMAIN}.key" \
+            --fullchain-file "${DIR_CERT_INSTALL}/${DOMAIN}.crt" \
+            --reloadcmd "${RELOAD_CMD}"
+
+        echo "Certificate successfully applied for domain: ${DOMAIN}"
+    done
+}
+
+# Call the function with parameters
+issue_certificates_acme_sh "$1" "$2"