-
Notifications
You must be signed in to change notification settings - Fork 10
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
chore(rootfs): build custom openssl debs for nginx
this cleans up the image by avoiding to versions of openssl 1.1.1 in the same image by replacing the default ubuntu openssl packages with custom built ones that are fully backwards compatible.
- Loading branch information
1 parent
b75142d
commit 8338d41
Showing
1 changed file
with
27 additions
and
19 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -38,25 +38,38 @@ WORKDIR /tmp/build | |
| RUN set -x && \ | ||
| apt-get update && \ | ||
| apt-get install -y --no-install-recommends \ | ||
| g++ make patch perl | ||
| build-essential fakeroot software-properties-common devscripts | ||
|
|
||
| RUN set -x && \ | ||
| export OPENSSL_VERSION=1.1.1g OPENSSL_SIGNING_KEY=8657ABB260F056B1E5190839D9C4D26D0E604491 BUILD_PATH=$PWD PREFIX=/usr/local && \ | ||
| get_src_gpg $OPENSSL_SIGNING_KEY "https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz" && \ | ||
| export OPENSSL_VERSION=1.1.1g BUILD_PATH=$PWD DEBEMAIL="Team Hephy <[email protected]>" && \ | ||
| add-apt-repository --enable-source ppa:ondrej/nginx && \ | ||
| apt-get build-dep -y openssl=$OPENSSL_VERSION && \ | ||
| apt-get source -y openssl=$OPENSSL_VERSION && \ | ||
| # ChaCha20-Poly1305 Draft Support for older Android versions | ||
| get_src_file 5e082d46544915b0a580fe71a5e53cb22f535c7dc67a35221d292316701dc085 \ | ||
| https://raw.githubusercontent.com/hakasenyang/openssl-patch/3ea9038/openssl-1.1.1f-chacha_draft.patch && \ | ||
| # Allow setting equal preference and TLSv1.3 ciphers in NGINX | ||
| get_src_file 04f682c36405a908247c27e317fb0f5f5bb19cbac9699f5afa21fd81511e6be2 \ | ||
| https://raw.githubusercontent.com/hakasenyang/openssl-patch/e3bd4a8/openssl-equal-1.1.1e-dev_ciphers.patch && \ | ||
| cd "$BUILD_PATH/openssl-$OPENSSL_VERSION" && \ | ||
| patch -p1 -i "$BUILD_PATH/openssl-1.1.1f-chacha_draft.patch" && \ | ||
| patch -p1 -i "$BUILD_PATH/openssl-equal-1.1.1e-dev_ciphers.patch" && \ | ||
| ./config --prefix=/usr/local \ | ||
| --openssldir=/etc/ssl \ | ||
| shared enable-weak-ssl-ciphers && \ | ||
| make -j`nproc` && \ | ||
| make install_sw | ||
| sed -i '/^CONFARGS\s*=/ s/ enable-unit-test//' debian/rules && \ | ||
| dch -l hephy "Disable unit tests" && \ | ||
| sed -i '/^CONFARGS\s*=/ s/$/ enable-weak-ssl-ciphers/' debian/rules && \ | ||
| dch -l hephy "Enable weak SSL ciphers" && \ | ||
| cp "$BUILD_PATH/openssl-equal-1.1.1e-dev_ciphers.patch" debian/patches/ && \ | ||
| echo openssl-equal-1.1.1e-dev_ciphers.patch >> debian/patches/series && \ | ||
| dch -l hephy "Add BoringSSL port of equal preference cipher groups" && \ | ||
| cp "$BUILD_PATH/openssl-1.1.1f-chacha_draft.patch" debian/patches/ && \ | ||
| echo openssl-1.1.1f-chacha_draft.patch >> debian/patches/series && \ | ||
| # Add missing libcrypto 1.1.1f symbol mapping | ||
| sed -i '/^ \*@OPENSSL_1_1_1e 1\.1\.1e/p; s/e/f/g' debian/libssl1.1.symbols && \ | ||
| dch -l hephy "Add ChaCha-Draft cipher support" && \ | ||
| dch -r " " && \ | ||
| DEB_BUILD_OPTIONS=nocheck dpkg-buildpackage -uc -b -rfakeroot && \ | ||
| cd .. && \ | ||
| dpkg-scanpackages . > Packages && \ | ||
| mkdir ../repo && \ | ||
| mv Packages *.deb ../repo | ||
|
|
||
| FROM hephy/base:v0.4.1 | ||
|
|
||
|
|
@@ -68,30 +81,25 @@ RUN adduser --system \ | |
| router | ||
|
|
||
| COPY --from=modsecurity /usr/local /usr/local | ||
| COPY --from=openssl /usr/local /usr/local | ||
| COPY --from=openssl /tmp/repo /usr/local/repo | ||
|
|
||
| COPY /bin /bin | ||
|
|
||
| RUN set -x && \ | ||
| buildDeps='gcc make patch libgeoip-dev libmaxminddb-dev libpcre3-dev' \ | ||
| runtimeDeps='ca-certificates libcurl4 libxml2 libpcre3 libgeoip1 libmaxminddb0 libfuzzy2' && \ | ||
| buildDeps='gcc make patch libgeoip-dev libmaxminddb-dev libpcre3-dev libssl-dev' \ | ||
| runtimeDeps='ca-certificates libcurl4 libxml2 libpcre3 libgeoip1 libmaxminddb0 libfuzzy2 libssl1.1 openssl' && \ | ||
| echo 'deb [trusted=yes] file:/usr/local/repo ./' >> /etc/apt/sources.list && \ | ||
| apt-get update && \ | ||
| apt-get install -y --no-install-recommends \ | ||
| $buildDeps \ | ||
| $runtimeDeps && \ | ||
| # Remove openssl binaries from base image, will be provided by our custom build | ||
| apt-get remove -y openssl && \ | ||
| export NGINX_VERSION=1.18.0 SIGNING_KEY=B0F4253373F8F6F510D42178520A9993A1C052F8 \ | ||
| CLOUDFLARE_ZLIB_VERSION=372bcd151c901418c2721232bf09dc9cdbebafb5 \ | ||
| VTS_VERSION=0.1.18 GEOIP2_VERSION=3.3 \ | ||
| MOD_SECURITY_NGINX_VERSION=e50e43ee4cc87565922ed98b1b6c72751019c326 \ | ||
| OWASP_MOD_SECURITY_CRS_VERSION=cf57fd53de06b87b90d2cc5d61d602df81b2dd70 \ | ||
| BUILD_PATH=/tmp/build PREFIX=/opt/router && \ | ||
| ldconfig && \ | ||
| # Provide custom openssl binaries in standard /usr/bin location | ||
| update-alternatives --verbose \ | ||
| --install /usr/bin/openssl openssl /usr/local/bin/openssl 1 \ | ||
| --slave /usr/bin/c_rehash c_rehash /usr/local/bin/c_rehash && \ | ||
| rm -rf "$PREFIX" && \ | ||
| mkdir "$PREFIX" && \ | ||
| mkdir "$BUILD_PATH" && \ | ||
|
|
||