Support/runtipi-appstore
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

feat(nginx): add hardened nginx app with security improvements
Some checks failed
Test / test (push) Has been cancelled
Details

Browse Source 
- Rate limiting (10 req/s per IP, burst 20)
- Modern security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy)
- Request body size limits (50m)
- Fixed header inheritance bug in static files location block
- Removed unused form fields (NGINX_INTERNAL_PORT, NGINX_ENABLE_ACCESS_LOG)
- SSL handled by Runtipi reverse proxy

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Gui-Gos
2026-02-12 11:00:24 +01:00
parent 698bccf49d
commit 430f6e2baa
10 changed files with 422 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

78
apps/nginx/README.md Normal file
View File

@@ -0,0 +1,78 @@
# Nginx Custom pour Runtipi
Application Nginx avec volumes personnalisables pour la configuration et le contenu des sites.
## Installation
### Option 1 : App Store personnel
1. Créez votre propre app store Runtipi
2. Copiez ce dossier `nginx-custom` dans le dossier `apps/` de votre store
3. Ajoutez votre app store dans Runtipi (Settings > App Stores)
4. Installez l'app depuis l'interface
### Option 2 : Installation manuelle
1. Copiez le contenu de `data/` vers `runtipi/app-data/<store>/nginx-custom/`
2. Utilisez `user-config` pour personnaliser si nécessaire
## Structure des volumes
```
app-data/nginx-custom/
├── nginx.conf # Configuration principale Nginx
├── conf.d/ # Virtual hosts (*.conf)
│ └── default.conf
├── www/ # Racine pour vos sites (/var/www)
├── html/ # Dossier HTML par défaut (/usr/share/nginx/html)
├── logs/ # Logs d'accès et d'erreur
└── ssl/ # Certificats SSL (lecture seule dans le conteneur)
```
## Personnalisation
### Ajouter un site
1. Créez `conf.d/monsite.conf` :
```nginx
server {
listen 80;
server_name monsite.local;
root /var/www/monsite;
index index.html;
}
```
2. Créez le dossier `www/monsite/` avec votre contenu
3. Redémarrez l'app depuis Runtipi
### Activer SSL
1. Placez vos certificats dans `ssl/` :
- `ssl/cert.pem`
- `ssl/key.pem`
2. Modifiez votre configuration de site :
```nginx
server {
listen 443 ssl;
server_name monsite.local;
ssl_certificate /etc/nginx/ssl/cert.pem;
ssl_certificate_key /etc/nginx/ssl/key.pem;
root /var/www/monsite;
}
```
## Variables d'environnement
| Variable | Description | Défaut |
|----------|-------------|--------|
| `NGINX_SERVER_NAME` | Nom du serveur | localhost |
| `NGINX_INTERNAL_PORT` | Port interne | 80 |
| `TZ` | Fuseau horaire | Europe/Paris |
## Support
- Documentation Nginx : https://nginx.org/en/docs/
- Documentation Runtipi : https://runtipi.io/docs/

28
apps/nginx/config.json Normal file
View File

@@ -0,0 +1,28 @@
{
"$schema": "https://schemas.runtipi.io/config.json",
"name": "Nginx Custom",
"id": "nginx-custom",
"available": true,
"short_desc": "Serveur web Nginx avec configuration personnalisable",
"author": "Nginx Inc.",
"port": 8080,
"exposable": true,
"dynamic_config": true,
"min_tipi_version": "4.5.0",
"version": "1.0.0",
"tipiVersion": 1,
"categories": ["utilities", "network"],
"description": "Nginx est un serveur web haute performance avec des volumes montés pour la configuration et le contenu des sites.",
"website": "https://nginx.org",
"supported_architectures": ["amd64", "arm64"],
"form_fields": [
{
"type": "text",
"label": "Nom du serveur (server_name)",
"hint": "Ex: monsite.local ou localhost",
"required": false,
"env_variable": "NGINX_SERVER_NAME",
"default": "localhost"
}
]
}

42
apps/nginx/data/conf.d/default.conf Normal file
View File

@@ -0,0 +1,42 @@
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
root /usr/share/nginx/html;
index index.html index.htm;
# Headers de securite
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
# Rate limiting (burst de 20 requetes autorise)
limit_req zone=general burst=20 nodelay;
location / {
try_files $uri $uri/ =404;
}
# Desactiver l'acces aux fichiers caches
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
# Cache pour les fichiers statiques
# Note: on utilise uniquement "expires" ici pour ne pas ecraser
# les headers de securite du bloc server (comportement add_header de nginx)
location ~* \.(jpg|jpeg|png|gif|ico|css|js|pdf|txt|woff|woff2|ttf|svg)$ {
expires 7d;
}
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}

110
apps/nginx/data/html/index.html Normal file
View File

@@ -0,0 +1,110 @@
<!DOCTYPE html>
<html lang="fr">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Nginx Custom - Runtipi</title>
<style>
* {
margin: 0;
padding: 0;
box-sizing: border-box;
}
body {
font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, sans-serif;
background: linear-gradient(135deg, #1a1a2e 0%, #16213e 100%);
min-height: 100vh;
display: flex;
align-items: center;
justify-content: center;
color: #e4e4e7;
}
.container {
text-align: center;
padding: 2rem;
max-width: 600px;
}
.logo {
font-size: 4rem;
margin-bottom: 1rem;
}
h1 {
font-size: 2.5rem;
margin-bottom: 0.5rem;
background: linear-gradient(90deg, #4ade80, #22d3ee);
-webkit-background-clip: text;
-webkit-text-fill-color: transparent;
}
.subtitle {
color: #a1a1aa;
margin-bottom: 2rem;
}
.card {
background: rgba(255, 255, 255, 0.05);
border: 1px solid rgba(255, 255, 255, 0.1);
border-radius: 12px;
padding: 1.5rem;
margin-bottom: 1rem;
text-align: left;
}
.card h3 {
color: #4ade80;
margin-bottom: 0.5rem;
}
.card code {
background: rgba(0, 0, 0, 0.3);
padding: 0.2rem 0.5rem;
border-radius: 4px;
font-size: 0.9rem;
}
.paths {
margin-top: 1rem;
font-size: 0.9rem;
}
.paths li {
list-style: none;
padding: 0.3rem 0;
border-bottom: 1px solid rgba(255, 255, 255, 0.05);
}
.paths li:last-child {
border-bottom: none;
}
.badge {
display: inline-block;
background: #22d3ee;
color: #1a1a2e;
padding: 0.2rem 0.6rem;
border-radius: 20px;
font-size: 0.75rem;
font-weight: 600;
margin-left: 0.5rem;
}
</style>
</head>
<body>
<div class="container">
<div class="logo">🚀</div>
<h1>Nginx Custom</h1>
<p class="subtitle">Votre serveur Nginx est opérationnel !</p>
<div class="card">
<h3>📁 Emplacements des fichiers</h3>
<ul class="paths">
<li><code>/etc/nginx/conf.d/</code> - Configurations des sites</li>
<li><code>/var/www/</code> - Contenu de vos sites</li>
<li><code>/usr/share/nginx/html/</code> - Dossier HTML par défaut</li>
<li><code>/var/log/nginx/</code> - Logs</li>
</ul>
</div>
<div class="card">
<h3>🛠️ Prochaines étapes</h3>
<p>Remplacez cette page par votre propre contenu dans le dossier <code>app-data</code> de Runtipi.</p>
</div>
<p style="margin-top: 2rem; color: #71717a; font-size: 0.85rem;">
Nginx <span class="badge">latest</span> • Runtipi App
</p>
</div>
</body>
</html>

0
apps/nginx/data/logs/.gitkeep Normal file
View File

46
apps/nginx/data/nginx.conf Normal file
View File

@@ -0,0 +1,46 @@
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
# Limiter la taille des requetes
client_max_body_size 50m;
client_body_buffer_size 16k;
# Rate limiting (10 req/s par IP)
limit_req_zone $binary_remote_addr zone=general:10m rate=10r/s;
limit_req_status 429;
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
# Securite de base
server_tokens off;
# Inclure les configurations des sites
include /etc/nginx/conf.d/*.conf;
}

0
apps/nginx/data/ssl/.gitkeep Normal file
View File

0
apps/nginx/data/www/.gitkeep Normal file
View File

60
apps/nginx/docker-compose.json Normal file
View File

@@ -0,0 +1,60 @@
{
"schemaVersion": 2,
"$schema": "https://schemas.runtipi.io/dynamic-compose.json",
"services": [
{
"name": "nginx-custom",
"image": "nginx:latest",
"isMain": true,
"internalPort": 80,
"volumes": [
{
"hostPath": "${APP_DATA_DIR}/conf.d",
"containerPath": "/etc/nginx/conf.d",
"readOnly": false
},
{
"hostPath": "${APP_DATA_DIR}/nginx.conf",
"containerPath": "/etc/nginx/nginx.conf",
"readOnly": false
},
{
"hostPath": "${APP_DATA_DIR}/www",
"containerPath": "/var/www",
"readOnly": false
},
{
"hostPath": "${APP_DATA_DIR}/html",
"containerPath": "/usr/share/nginx/html",
"readOnly": false
},
{
"hostPath": "${APP_DATA_DIR}/logs",
"containerPath": "/var/log/nginx",
"readOnly": false
},
{
"hostPath": "${APP_DATA_DIR}/ssl",
"containerPath": "/etc/nginx/ssl",
"readOnly": true
}
],
"environment": [
{
"key": "NGINX_HOST",
"value": "${NGINX_SERVER_NAME:-localhost}"
},
{
"key": "TZ",
"value": "${TZ:-Europe/Paris}"
}
],
"healthCheck": {
"test": "curl --fail http://localhost:80 || exit 1",
"interval": "30s",
"timeout": "10s",
"retries": 3
}
}
]
}

58
apps/nginx/metadata/description.md Normal file
View File

@@ -0,0 +1,58 @@
# Nginx Custom
Serveur web **Nginx** avec configuration entièrement personnalisable via des volumes montés.
## Volumes disponibles
| Chemin dans le conteneur | Description |
|--------------------------|-------------|
| `/etc/nginx/nginx.conf` | Fichier de configuration principal |
| `/etc/nginx/conf.d/` | Configurations des virtual hosts |
| `/var/www/` | Contenu de vos sites web |
| `/usr/share/nginx/html/` | Dossier html par défaut de Nginx |
| `/var/log/nginx/` | Logs d'accès et d'erreur |
| `/etc/nginx/ssl/` | Certificats SSL (lecture seule) |
## Utilisation
### Accéder aux fichiers
Les fichiers sont stockés dans le dossier `app-data` de votre installation Runtipi :
```
runtipi/app-data/<app-store>/nginx-custom/
├── conf.d/ # Vos configurations de sites
│ └── default.conf
├── nginx.conf # Config principale
├── www/ # Vos fichiers web
├── html/ # Dossier html par défaut
├── logs/ # Logs nginx
└── ssl/ # Certificats SSL
```
### Ajouter un nouveau site
1. Créez un fichier `.conf` dans `conf.d/`
2. Placez vos fichiers dans `www/monsite/`
3. Redémarrez l'application depuis Runtipi
### Exemple de configuration
```nginx
server {
listen 80;
server_name monsite.local;
root /var/www/monsite;
index index.html index.php;
location / {
try_files $uri $uri/ =404;
}
}
```
## Notes
- Les modifications de configuration nécessitent un redémarrage de l'app
- Pour le SSL, placez vos certificats dans le dossier `ssl/`
- Les logs sont persistés et accessibles dans `logs/`