🐳 Improve Docker nginx

docker/images/Dockerfile.frontend

@@ -6,15 +6,18 @@ USER root
 RUN set -ex; \
     useradd -U -M -u 1001 -s /bin/false -d /opt/penpot penpot; \
     mkdir -p /opt/data/assets; \
-    chown -R penpot:penpot /opt/data;
+    chown -R penpot:penpot /opt/data; \
+    mkdir -p /etc/nginx/overrides/http.d/; \
+    mkdir -p /etc/nginx/overrides/server.d/; \
+    mkdir -p /etc/nginx/overrides/location.d/;
 
 ARG BUNDLE_PATH="./bundle-frontend/"
 ADD $BUNDLE_PATH /var/www/app/
 ADD ./files/config.js /var/www/app/js/config.js
-ADD ./files/nginx.conf /etc/nginx/nginx.conf.template
+ADD ./files/nginx.conf.template /tmp/nginx.conf.template
-ADD ./files/nginx-proxies.conf /etc/nginx/nginx-proxies.conf
+ADD ./files/nginx-resolvers.conf.template /tmp/resolvers.conf.template
-ADD ./files/resolvers.conf /etc/nginx/overrides.d/resolvers.conf.template
 ADD ./files/nginx-mime.types /etc/nginx/mime.types
+ADD ./files/nginx-external-locations.conf /etc/nginx/overrides/location.d/external-locations.conf
 ADD ./files/nginx-entrypoint.sh /entrypoint.sh
 
 RUN chown -R 1001:0 /var/cache/nginx; \

docker/images/files/nginx-entrypoint.sh

@@ -5,10 +5,8 @@
 #########################################
 
 if [[ $PENPOT_FLAGS == *"enable-air-gapped-conf"* ]]; then
-    export INCLUDE_PROXIES=""
+    rm /etc/nginx/overrides/location.d/external-locations.conf;
     export PENPOT_FLAGS="$PENPOT_FLAGS disable-google-fonts-provider disable-dashboard-templates-section"
-else
-    export INCLUDE_PROXIES="include /etc/nginx/nginx-proxies.conf;"
 fi
 
 #########################################
@@ -33,14 +31,13 @@ update_flags /var/www/app/js/config.js
 
 export PENPOT_BACKEND_URI=${PENPOT_BACKEND_URI:-http://penpot-backend:6060}
 export PENPOT_EXPORTER_URI=${PENPOT_EXPORTER_URI:-http://penpot-exporter:6061}
+export PENPOT_HTTP_SERVER_MAX_MULTIPART_BODY_SIZE=${PENPOT_HTTP_SERVER_MAX_MULTIPART_BODY_SIZE:-367001600} # Default to 350MiB
+envsubst "\$PENPOT_BACKEND_URI,\$PENPOT_EXPORTER_URI,\$PENPOT_HTTP_SERVER_MAX_MULTIPART_BODY_SIZE" \
+         < /tmp/nginx.conf.template > /etc/nginx/nginx.conf
+
 PENPOT_DEFAULT_INTERNAL_RESOLVER="$(awk 'BEGIN{ORS=" "} $1=="nameserver" { sub(/%.*$/,"",$2); print ($2 ~ ":")? "["$2"]": $2}' /etc/resolv.conf)"
 export PENPOT_INTERNAL_RESOLVER=${PENPOT_INTERNAL_RESOLVER:-$PENPOT_DEFAULT_INTERNAL_RESOLVER}
-export PENPOT_HTTP_SERVER_MAX_MULTIPART_BODY_SIZE=${PENPOT_HTTP_SERVER_MAX_MULTIPART_BODY_SIZE:-367001600} # Default to 350MiB
-
-envsubst "\$PENPOT_BACKEND_URI,\$PENPOT_EXPORTER_URI,\$PENPOT_HTTP_SERVER_MAX_MULTIPART_BODY_SIZE,\$INCLUDE_PROXIES" \
-         < /etc/nginx/nginx.conf.template > /etc/nginx/nginx.conf
-
 envsubst "\$PENPOT_INTERNAL_RESOLVER" \
-         < /etc/nginx/overrides.d/resolvers.conf.template > /etc/nginx/overrides.d/resolvers.conf
+         < /tmp/resolvers.conf.template > /etc/nginx/overrides/http.d/resolvers.conf
 
 exec "$@";

docker/images/files/nginx.conf.template

@@ -1,10 +1,10 @@
 worker_processes auto;
 pid /tmp/nginx.pid;
-include /etc/nginx/modules-enabled/*.conf;
+include /etc/nginx/overrides/main.d/*.conf;
 
 events {
     worker_connections 2048;
-    # multi_accept on;
+    multi_accept on;
 }
 
 http {
@@ -33,6 +33,11 @@ http {
     error_log /dev/stderr;
     access_log /dev/stdout;
 
+    proxy_connect_timeout 300s;
+    proxy_send_timeout 300s;
+    proxy_read_timeout 300s;
+    send_timeout 300s;
+
     gzip on;
     gzip_vary on;
     gzip_proxied any;
@@ -41,7 +46,7 @@ http {
     gzip_buffers 16 8k;
     gzip_http_version 1.1;
 
-    gzip_types text/plain text/css text/javascript application/javascript application/json application/transit+json;
+    gzip_types text/plain text/css text/javascript application/javascript application/json application/transit+json image/svg+xml;
 
     proxy_buffer_size 16k;
     proxy_busy_buffers_size 24k; # essentially, proxy_buffer_size + 2 small buffers of 4k
@@ -57,7 +62,14 @@ http {
     proxy_cache_valid any 48h;
     proxy_cache_key "$host$request_uri";
 
-    include /etc/nginx/overrides.d/*.conf;
+    proxy_http_version 1.1;
+    proxy_set_header Host $http_host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Scheme $scheme;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+    include /etc/nginx/overrides/http.d/*.conf;
 
     server {
         listen 8080 default_server;
@@ -66,13 +78,6 @@ http {
         client_max_body_size $PENPOT_HTTP_SERVER_MAX_MULTIPART_BODY_SIZE;
         charset utf-8;
 
-        proxy_http_version 1.1;
-        proxy_set_header Host $http_host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Scheme $scheme;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
         etag off;
 
         root /var/www/app/;
@@ -119,12 +124,10 @@ http {
 
         location /api {
             proxy_pass $PENPOT_BACKEND_URI/api;
+            proxy_buffering off;
         }
 
         location /readyz {
-            proxy_http_version 1.1;
-            proxy_set_header Host $http_host;
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_pass $PENPOT_BACKEND_URI$request_uri;
         }
 
@@ -134,8 +137,10 @@ http {
             proxy_pass $PENPOT_BACKEND_URI/ws/notifications;
         }
 
+        include /etc/nginx/overrides/server.d/*.conf;
+
         location / {
-            $INCLUDE_PROXIES
+            include /etc/nginx/overrides/location.d/*.conf;
 
             location ~ ^/js/config.js$ {
                 add_header Cache-Control "no-store, no-cache, max-age=0" always;