Upload 24 files

Dockerfile

@@ -1,7 +1,58 @@
-FROM hnc-web:latest
+FROM hnc-base:latest
+LABEL name="hnc-web"
+LABEL description="HashNet Container for a reverse proxy web server"
+LABEL maintainer="hashsploit <hashsploit@protonmail.com>"
 
+ARG NGINX_WORKER_CONNECTIONS=1024
+ARG NGINX_MULTI_ACCEPT=yes
+ARG NGINX_WORKER_PRIORITY=-11
 
-RUN apt-get install python3
+ENV NGINX_WORKER_CONNECTIONS $NGINX_WORKER_CONNECTIONS
+ENV NGINX_MULTI_ACCEPT $NGINX_MULTI_ACCEPT
+ENV NGINX_WORKER_PRIORITY $NGINX_WORKER_PRIORITY
 
+# Install dependencies
+RUN echo "Updating system ..." \
+	&& apt-get update >/dev/null 2>&1 \
+	&& echo "Installing dependencies ..." \
+	&& apt-get install -y \
+	ca-certificates \
+	nginx \
+	gettext \
+	>/dev/null 2>&1
 
-CMD ["python3 -m http.server"]
+
+# Remove generated configs
+RUN rm -rf /etc/nginx/sites-available/* /etc/nginx/sites-enabled/* /var/www/*
+
+
+# Copy file system
+COPY fs/ /
+
+
+# Configure nginx
+RUN cd /etc/nginx/ \
+	&& envsubst '${NGINX_WORKER_CONNECTIONS},${NGINX_MULTI_ACCEPT},${NGINX_WORKER_PRIORITY}' < /etc/nginx/nginx.conf > /tmp/nginx.conf \
+	&& mv /tmp/nginx.conf /etc/nginx/nginx.conf \
+	&& openssl req -x509 -nodes \
+		-newkey rsa:4096 \
+		-keyout /etc/nginx/certs/default.key \
+		-out /etc/nginx/certs/default.crt \
+		-days 9999 \
+		-subj "/C=US/ST=California/L=San Francisco/O=localhost/OU=Org/CN=localhost/emailAddress=root@localhost"
+
+# Install docker-gen
+ENV DOCKER_GEN_VERSION 0.7.4
+RUN curl -s -L -o docker-gen.tar.gz https://github.com/jwilder/docker-gen/releases/download/$DOCKER_GEN_VERSION/docker-gen-linux-amd64-$DOCKER_GEN_VERSION.tar.gz \
+	&& tar -C /usr/local/bin -xvzf docker-gen.tar.gz \
+	&& rm docker-gen.tar.gz \
+	&& chmod +x /usr/local/bin/docker-gen
+
+
+# Expose service
+EXPOSE 80
+EXPOSE 443
+
+
+# Set image starting point
+CMD ["bash", "/srv/launch.sh"]

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2020 hashsploit
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -1,10 +1,29 @@
----
-title: Testing
-emoji: 🦀
-colorFrom: green
-colorTo: red
-sdk: docker
-pinned: false
----
-
-Check out the configuration reference at https://huggingface.co/docs/hub/spaces-config-reference
+# HashNet Container for a reverse proxy web server
+
+This Docker image generates a high-performance nginx server
+to use as a reverse-proxy web server for hosted web-applications.
+
+This container dynamically generates configs using [docker-gen](https://github.com/jwilder/docker-gen) 
+for other virtual host web containers.
+
+## Installation
+
+### 1. Configure image
+
+- Configure image in the `settings.sh` file.
+- If you have static sites you want to add, you can add their nginx `.config`'s in `fs/etc/nginx/conf.d/`. Do not name your config `dynamic.conf` as that is what is used by docker-gen.
+
+### 2. Build the image
+
+Run the `build.sh` file to generate the Docker image `hnc-web`.
+
+### 2. Deploy the container
+
+To spawn a temporary container run `test.sh`.
+You can manually start the services via executing `/srv/launch.sh`.
+
+To deploy a dedicated container run `deploy.sh`.
+The dedicated container will also create a mounted volume which is mounted at `/etc/nginx` in the container. This volume can be useful if you need to manually backup/restore certs from the `/etc/nginx/certs` directory in the container.
+
+From here on you can use `docker start hnc-web` and `docker stop hnc-web` to control the container.
+

build.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Set the directory to this script's current directory
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+cd $DIR
+
+source ./settings.sh
+
+docker rmi ${IMAGE_NAME}
+docker build \
+	--force-rm \
+	--rm \
+	--build-arg NGINX_WORKER_CONNECTIONS=${NGINX_WORKER_CONNECTIONS} \
+	--build-arg NGINX_MULTI_ACCEPT=${NGINX_MULTI_ACCEPT} \
+	--build-arg NGINX_WORKER_PRIORITY=${NGINX_WORKER_PRIORITY} \
+	--tag ${IMAGE_NAME} .
+

deploy.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# Set the directory to this script's current directory
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+cd $DIR
+
+source ./settings.sh
+
+docker run -d -i -t \
+	-e CONTAINER_NAME=${CONTAINER_NAME} \
+	--memory=${MEMORY_MAX} \
+	--memory-swap=${MEMORY_MAX} \
+	--memory-swappiness=0 \
+	--restart always \
+	--name ${CONTAINER_NAME} \
+	--mount "type=volume,src=${VOLUME_NAME},dst=/etc/nginx,volume-driver=local" \
+	-v /var/run/docker.sock:/var/run/docker.sock:ro \
+	-p 80:80 \
+	-p 443:443 \
+	${IMAGE_NAME}
+

fs/etc/nginx/fastcgi.conf

@@ -0,0 +1,27 @@
+
+fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
+fastcgi_param  QUERY_STRING       $query_string;
+fastcgi_param  REQUEST_METHOD     $request_method;
+fastcgi_param  CONTENT_TYPE       $content_type;
+fastcgi_param  CONTENT_LENGTH     $content_length;
+
+fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
+fastcgi_param  REQUEST_URI        $request_uri;
+fastcgi_param  DOCUMENT_URI       $document_uri;
+fastcgi_param  DOCUMENT_ROOT      $document_root;
+fastcgi_param  SERVER_PROTOCOL    $server_protocol;
+fastcgi_param  REQUEST_SCHEME     $scheme;
+fastcgi_param  HTTPS              $https if_not_empty;
+
+fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
+fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
+
+fastcgi_param  REMOTE_ADDR        $remote_addr;
+fastcgi_param  REMOTE_PORT        $remote_port;
+fastcgi_param  REMOTE_USER        $remote_user;
+fastcgi_param  SERVER_ADDR        $server_addr;
+fastcgi_param  SERVER_PORT        $server_port;
+fastcgi_param  SERVER_NAME        $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param  REDIRECT_STATUS    200;

fs/etc/nginx/fastcgi_params

@@ -0,0 +1,26 @@
+
+fastcgi_param  QUERY_STRING       $query_string;
+fastcgi_param  REQUEST_METHOD     $request_method;
+fastcgi_param  CONTENT_TYPE       $content_type;
+fastcgi_param  CONTENT_LENGTH     $content_length;
+
+fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
+fastcgi_param  REQUEST_URI        $request_uri;
+fastcgi_param  DOCUMENT_URI       $document_uri;
+fastcgi_param  DOCUMENT_ROOT      $document_root;
+fastcgi_param  SERVER_PROTOCOL    $server_protocol;
+fastcgi_param  REQUEST_SCHEME     $scheme;
+fastcgi_param  HTTPS              $https if_not_empty;
+
+fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
+fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
+
+fastcgi_param  REMOTE_ADDR        $remote_addr;
+fastcgi_param  REMOTE_PORT        $remote_port;
+fastcgi_param  REMOTE_USER        $remote_user;
+fastcgi_param  SERVER_ADDR        $server_addr;
+fastcgi_param  SERVER_PORT        $server_port;
+fastcgi_param  SERVER_NAME        $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param  REDIRECT_STATUS    200;

fs/etc/nginx/koi-utf

@@ -0,0 +1,109 @@
+
+# This map is not a full koi8-r <> utf8 map: it does not contain
+# box-drawing and some other characters.  Besides this map contains
+# several koi8-u and Byelorussian letters which are not in koi8-r.
+# If you need a full and standard map, use contrib/unicode2nginx/koi-utf
+# map instead.
+
+charset_map  koi8-r  utf-8 {
+
+    80  E282AC ; # euro
+
+    95  E280A2 ; # bullet
+
+    9A  C2A0 ;   # &nbsp;
+
+    9E  C2B7 ;   # &middot;
+
+    A3  D191 ;   # small yo
+    A4  D194 ;   # small Ukrainian ye
+
+    A6  D196 ;   # small Ukrainian i
+    A7  D197 ;   # small Ukrainian yi
+
+    AD  D291 ;   # small Ukrainian soft g
+    AE  D19E ;   # small Byelorussian short u
+
+    B0  C2B0 ;   # &deg;
+
+    B3  D081 ;   # capital YO
+    B4  D084 ;   # capital Ukrainian YE
+
+    B6  D086 ;   # capital Ukrainian I
+    B7  D087 ;   # capital Ukrainian YI
+
+    B9  E28496 ; # numero sign
+
+    BD  D290 ;   # capital Ukrainian soft G
+    BE  D18E ;   # capital Byelorussian short U
+
+    BF  C2A9 ;   # (C)
+
+    C0  D18E ;   # small yu
+    C1  D0B0 ;   # small a
+    C2  D0B1 ;   # small b
+    C3  D186 ;   # small ts
+    C4  D0B4 ;   # small d
+    C5  D0B5 ;   # small ye
+    C6  D184 ;   # small f
+    C7  D0B3 ;   # small g
+    C8  D185 ;   # small kh
+    C9  D0B8 ;   # small i
+    CA  D0B9 ;   # small j
+    CB  D0BA ;   # small k
+    CC  D0BB ;   # small l
+    CD  D0BC ;   # small m
+    CE  D0BD ;   # small n
+    CF  D0BE ;   # small o
+
+    D0  D0BF ;   # small p
+    D1  D18F ;   # small ya
+    D2  D180 ;   # small r
+    D3  D181 ;   # small s
+    D4  D182 ;   # small t
+    D5  D183 ;   # small u
+    D6  D0B6 ;   # small zh
+    D7  D0B2 ;   # small v
+    D8  D18C ;   # small soft sign
+    D9  D18B ;   # small y
+    DA  D0B7 ;   # small z
+    DB  D188 ;   # small sh
+    DC  D18D ;   # small e
+    DD  D189 ;   # small shch
+    DE  D187 ;   # small ch
+    DF  D18A ;   # small hard sign
+
+    E0  D0AE ;   # capital YU
+    E1  D090 ;   # capital A
+    E2  D091 ;   # capital B
+    E3  D0A6 ;   # capital TS
+    E4  D094 ;   # capital D
+    E5  D095 ;   # capital YE
+    E6  D0A4 ;   # capital F
+    E7  D093 ;   # capital G
+    E8  D0A5 ;   # capital KH
+    E9  D098 ;   # capital I
+    EA  D099 ;   # capital J
+    EB  D09A ;   # capital K
+    EC  D09B ;   # capital L
+    ED  D09C ;   # capital M
+    EE  D09D ;   # capital N
+    EF  D09E ;   # capital O
+
+    F0  D09F ;   # capital P
+    F1  D0AF ;   # capital YA
+    F2  D0A0 ;   # capital R
+    F3  D0A1 ;   # capital S
+    F4  D0A2 ;   # capital T
+    F5  D0A3 ;   # capital U
+    F6  D096 ;   # capital ZH
+    F7  D092 ;   # capital V
+    F8  D0AC ;   # capital soft sign
+    F9  D0AB ;   # capital Y
+    FA  D097 ;   # capital Z
+    FB  D0A8 ;   # capital SH
+    FC  D0AD ;   # capital E
+    FD  D0A9 ;   # capital SHCH
+    FE  D0A7 ;   # capital CH
+    FF  D0AA ;   # capital hard sign
+}

fs/etc/nginx/koi-win

@@ -0,0 +1,103 @@
+
+charset_map  koi8-r  windows-1251 {
+
+    80  88 ; # euro
+
+    95  95 ; # bullet
+
+    9A  A0 ; #  
+
+    9E  B7 ; # ·
+
+    A3  B8 ; # small yo
+    A4  BA ; # small Ukrainian ye
+
+    A6  B3 ; # small Ukrainian i
+    A7  BF ; # small Ukrainian yi
+
+    AD  B4 ; # small Ukrainian soft g
+    AE  A2 ; # small Byelorussian short u
+
+    B0  B0 ; # °
+
+    B3  A8 ; # capital YO
+    B4  AA ; # capital Ukrainian YE
+
+    B6  B2 ; # capital Ukrainian I
+    B7  AF ; # capital Ukrainian YI
+
+    B9  B9 ; # numero sign
+
+    BD  A5 ; # capital Ukrainian soft G
+    BE  A1 ; # capital Byelorussian short U
+
+    BF  A9 ; # (C)
+
+    C0  FE ; # small yu
+    C1  E0 ; # small a
+    C2  E1 ; # small b
+    C3  F6 ; # small ts
+    C4  E4 ; # small d
+    C5  E5 ; # small ye
+    C6  F4 ; # small f
+    C7  E3 ; # small g
+    C8  F5 ; # small kh
+    C9  E8 ; # small i
+    CA  E9 ; # small j
+    CB  EA ; # small k
+    CC  EB ; # small l
+    CD  EC ; # small m
+    CE  ED ; # small n
+    CF  EE ; # small o
+
+    D0  EF ; # small p
+    D1  FF ; # small ya
+    D2  F0 ; # small r
+    D3  F1 ; # small s
+    D4  F2 ; # small t
+    D5  F3 ; # small u
+    D6  E6 ; # small zh
+    D7  E2 ; # small v
+    D8  FC ; # small soft sign
+    D9  FB ; # small y
+    DA  E7 ; # small z
+    DB  F8 ; # small sh
+    DC  FD ; # small e
+    DD  F9 ; # small shch
+    DE  F7 ; # small ch
+    DF  FA ; # small hard sign
+
+    E0  DE ; # capital YU
+    E1  C0 ; # capital A
+    E2  C1 ; # capital B
+    E3  D6 ; # capital TS
+    E4  C4 ; # capital D
+    E5  C5 ; # capital YE
+    E6  D4 ; # capital F
+    E7  C3 ; # capital G
+    E8  D5 ; # capital KH
+    E9  C8 ; # capital I
+    EA  C9 ; # capital J
+    EB  CA ; # capital K
+    EC  CB ; # capital L
+    ED  CC ; # capital M
+    EE  CD ; # capital N
+    EF  CE ; # capital O
+
+    F0  CF ; # capital P
+    F1  DF ; # capital YA
+    F2  D0 ; # capital R
+    F3  D1 ; # capital S
+    F4  D2 ; # capital T
+    F5  D3 ; # capital U
+    F6  C6 ; # capital ZH
+    F7  C2 ; # capital V
+    F8  DC ; # capital soft sign
+    F9  DB ; # capital Y
+    FA  C7 ; # capital Z
+    FB  D8 ; # capital SH
+    FC  DD ; # capital E
+    FD  D9 ; # capital SHCH
+    FE  D7 ; # capital CH
+    FF  DA ; # capital hard sign
+}

fs/etc/nginx/mime.types

@@ -0,0 +1,89 @@
+
+types {
+    text/html                             html htm shtml;
+    text/css                              css;
+    text/xml                              xml;
+    image/gif                             gif;
+    image/jpeg                            jpeg jpg;
+    application/javascript                js;
+    application/atom+xml                  atom;
+    application/rss+xml                   rss;
+
+    text/mathml                           mml;
+    text/plain                            txt;
+    text/vnd.sun.j2me.app-descriptor      jad;
+    text/vnd.wap.wml                      wml;
+    text/x-component                      htc;
+
+    image/png                             png;
+    image/tiff                            tif tiff;
+    image/vnd.wap.wbmp                    wbmp;
+    image/x-icon                          ico;
+    image/x-jng                           jng;
+    image/x-ms-bmp                        bmp;
+    image/svg+xml                         svg svgz;
+    image/webp                            webp;
+
+    application/font-woff                 woff;
+    application/java-archive              jar war ear;
+    application/json                      json;
+    application/mac-binhex40              hqx;
+    application/msword                    doc;
+    application/pdf                       pdf;
+    application/postscript                ps eps ai;
+    application/rtf                       rtf;
+    application/vnd.apple.mpegurl         m3u8;
+    application/vnd.ms-excel              xls;
+    application/vnd.ms-fontobject         eot;
+    application/vnd.ms-powerpoint         ppt;
+    application/vnd.wap.wmlc              wmlc;
+    application/vnd.google-earth.kml+xml  kml;
+    application/vnd.google-earth.kmz      kmz;
+    application/x-7z-compressed           7z;
+    application/x-cocoa                   cco;
+    application/x-java-archive-diff       jardiff;
+    application/x-java-jnlp-file          jnlp;
+    application/x-makeself                run;
+    application/x-perl                    pl pm;
+    application/x-pilot                   prc pdb;
+    application/x-rar-compressed          rar;
+    application/x-redhat-package-manager  rpm;
+    application/x-sea                     sea;
+    application/x-shockwave-flash         swf;
+    application/x-stuffit                 sit;
+    application/x-tcl                     tcl tk;
+    application/x-x509-ca-cert            der pem crt;
+    application/x-xpinstall               xpi;
+    application/xhtml+xml                 xhtml;
+    application/xspf+xml                  xspf;
+    application/zip                       zip;
+
+    application/octet-stream              bin exe dll;
+    application/x-debian-package-manager  deb;
+    application/octet-stream              dmg;
+    application/octet-stream              iso img;
+    application/octet-stream              msi msp msm;
+
+    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
+    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
+    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;
+
+    audio/midi                            mid midi kar;
+    audio/mpeg                            mp3;
+    audio/ogg                             ogg;
+    audio/x-m4a                           m4a;
+    audio/x-realaudio                     ra;
+
+    video/3gpp                            3gpp 3gp;
+    video/mp2t                            ts;
+    video/mp4                             mp4;
+    video/mpeg                            mpeg mpg;
+    video/quicktime                       mov;
+    video/webm                            webm;
+    video/x-flv                           flv;
+    video/x-m4v                           m4v;
+    video/x-mng                           mng;
+    video/x-ms-asf                        asx asf;
+    video/x-ms-wmv                        wmv;
+    video/x-msvideo                       avi;
+}

fs/etc/nginx/network_internal.conf

@@ -0,0 +1,6 @@
+# Only allow traffic from internal clients
+allow 127.0.0.0/8;
+allow 10.0.0.0/8;
+allow 192.168.0.0/16;
+allow 172.16.0.0/12;
+deny all;

fs/etc/nginx/nginx.conf

@@ -0,0 +1,82 @@
+user www-data;
+worker_processes auto;
+worker_priority ${NGINX_WORKER_PRIORITY};
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+#daemon off;
+
+events {
+	worker_connections ${NGINX_WORKER_CONNECTIONS};
+	multi_accept ${NGINX_MULTI_ACCEPT};
+	use epoll;
+}
+
+http {
+
+	##
+	# Basic Settings
+	##
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+	keepalive_timeout 65;
+	types_hash_max_size 2048;
+	server_tokens off;
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	##
+	# SSL Settings
+	##
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+	ssl_prefer_server_ciphers on;
+
+	##
+	# Logging Settings
+	##
+	access_log /var/log/nginx/access.log;
+	error_log /var/log/nginx/error.log;
+
+	##
+	# Gzip Settings
+	##
+	gzip on;
+	#gzip_vary on;
+	#gzip_proxied any;
+	#gzip_comp_level 6;
+	#gzip_buffers 16 8k;
+	#gzip_http_version 1.1;
+	#gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+	##
+	# Cloudflare
+	##
+	set_real_ip_from 103.21.244.0/22;
+	set_real_ip_from 103.22.200.0/22;
+	set_real_ip_from 103.31.4.0/22;
+	set_real_ip_from 104.16.0.0/12;
+	set_real_ip_from 108.162.192.0/18;
+	set_real_ip_from 131.0.72.0/22;
+	set_real_ip_from 141.101.64.0/18;
+	set_real_ip_from 162.158.0.0/15;
+	set_real_ip_from 172.64.0.0/13;
+	set_real_ip_from 173.245.48.0/20;
+	set_real_ip_from 188.114.96.0/20;
+	set_real_ip_from 190.93.240.0/20;
+	set_real_ip_from 197.234.240.0/22;
+	set_real_ip_from 198.41.128.0/17;
+	set_real_ip_from 2400:cb00::/32;
+	set_real_ip_from 2606:4700::/32;
+	set_real_ip_from 2803:f800::/32;
+	set_real_ip_from 2405:b500::/32;
+	set_real_ip_from 2405:8100::/32;
+	set_real_ip_from 2c0f:f248::/32;
+	set_real_ip_from 2a06:98c0::/29;
+	real_ip_header X-Forwarded-For;
+
+	##
+	# Virtual Host Configs
+	##
+	include /etc/nginx/conf.d/*.conf;
+}
+

fs/etc/nginx/nginx.tmpl

@@ -0,0 +1,485 @@
+# DO NOT EDIT !!! DO NOT EDIT !!! DO NOT EDIT
+# 
+# This configuration file is dynamically
+# generated by docker-gen for nginx. It
+# will wipe out these changes every time
+# a web-container is started or stopped.
+#
+# DO NOT EDIT !!! DO NOT EDIT !!! DO NOT EDIT
+#
+#
+#
+{{ $CurrentContainer := where $ "ID" .Docker.CurrentContainerID | first }}
+
+{{ $external_http_port := coalesce $.Env.HTTP_PORT "80" }}
+{{ $external_https_port := coalesce $.Env.HTTPS_PORT "443" }}
+
+{{ define "upstream" }}
+	{{ if .Address }}
+		{{/* If we got the containers from swarm and this container's port is published to host, use host IP:PORT */}}
+		{{ if and .Container.Node.ID .Address.HostPort }}
+
+	# CONTAINER: {{ .Container.Node.Name }}/{{ .Container.Name }}
+	server {{ .Container.Node.Address.IP }}:{{ .Address.HostPort }};
+
+		{{/* If there is no swarm node or the port is not published on host, use container's IP:PORT */}}
+		{{ else if .Network }}
+
+	# CONTAINER: {{ .Container.Name }}
+	server {{ .Network.IP }}:{{ .Address.Port }};
+
+		{{ end }}
+	{{ else if .Network }}
+
+	# CONTAINER: {{ .Container.Name }}
+
+		{{ if .Network.IP }}
+
+	server {{ .Network.IP }};
+
+		{{ else }}
+
+	server 127.0.0.1 down;
+
+		{{ end }}
+	{{ end }}
+
+{{ end }}
+
+{{ define "ssl_policy" }}
+
+{{ end }}
+
+# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
+# scheme used to connect to this server
+map $http_x_forwarded_proto $proxy_x_forwarded_proto {
+  default $http_x_forwarded_proto;
+  ''      $scheme;
+}
+
+# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
+# server port the client connected to
+map $http_x_forwarded_port $proxy_x_forwarded_port {
+  default $http_x_forwarded_port;
+  ''      $server_port;
+}
+
+# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
+# Connection header that may have been passed to this server
+map $http_upgrade $proxy_connection {
+  default upgrade;
+  '' close;
+}
+
+# Apply fix for very long server names
+server_names_hash_bucket_size 128;
+
+# Default dhparam
+{{ if (exists "/etc/nginx/dhparam/dhparam.pem") }}
+ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
+{{ end }}
+
+# Set appropriate X-Forwarded-Ssl header
+map $scheme $proxy_x_forwarded_ssl {
+  default off;
+  https on;
+}
+
+gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+
+log_format vhost '$host $remote_addr - $remote_user [$time_local] '
+                 '"$request" $status $body_bytes_sent '
+                 '"$http_referer" "$http_user_agent"';
+
+access_log off;
+
+{{/* Get the SSL_POLICY defined by this container, falling back to "Mozilla-Intermediate" */}}
+{{ $ssl_policy := or ($.Env.SSL_POLICY) "Mozilla-Intermediate" }}
+{{ template "ssl_policy" (dict "ssl_policy" $ssl_policy) }}
+
+{{ if $.Env.RESOLVERS }}
+resolver {{ $.Env.RESOLVERS }};
+{{ end }}
+
+{{ if (exists "/etc/nginx/proxy.conf") }}
+include /etc/nginx/proxy.conf;
+{{ else }}
+# HTTP 1.1 support
+proxy_http_version 1.1;
+proxy_buffering off;
+proxy_set_header Host $http_host;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $proxy_connection;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
+proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
+proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
+
+# Mitigate httpoxy attack (see README for details)
+proxy_set_header Proxy "";
+{{ end }}
+
+{{ $access_log := (or (and (not $.Env.DISABLE_ACCESS_LOGS) "access_log /var/log/nginx/access.log vhost;") "") }}
+
+{{ $enable_ipv6 := eq (or ($.Env.ENABLE_IPV6) "") "true" }}
+server {
+	# This is just an invalid value which will never trigger on a real hostname.
+	server_name _;
+	listen {{ $external_http_port }};
+	{{ if $enable_ipv6 }}
+	listen [::]:{{ $external_http_port }};
+	{{ end }}
+	{{ $access_log }}
+	return 444;
+}
+
+{{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
+server {
+	# This is just an invalid value which will never trigger on a real hostname.
+	server_name _;
+	listen {{ $external_https_port }} ssl http2;
+	{{ if $enable_ipv6 }}
+	listen [::]:{{ $external_https_port }} ssl http2;
+	{{ end }}
+	{{ $access_log }}
+	return 444;
+
+	ssl_session_cache shared:SSL:50m;
+	ssl_session_tickets off;
+	ssl_certificate /etc/nginx/certs/default.crt;
+	ssl_certificate_key /etc/nginx/certs/default.key;
+}
+{{ end }}
+
+{{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }}
+
+{{ $host := trim $host }}
+{{ $is_regexp := hasPrefix "~" $host }}
+{{ $upstream_name := when $is_regexp (sha1 $host) $host }}
+
+# HOST: {{ $host }}
+upstream {{ $upstream_name }} {
+
+{{ range $container := $containers }}
+	{{ $addrLen := len $container.Addresses }}
+
+	{{ range $knownNetwork := $CurrentContainer.Networks }}
+		{{ range $containerNetwork := $container.Networks }}
+			{{ if (and (ne $containerNetwork.Name "ingress") (or (eq $knownNetwork.Name $containerNetwork.Name) (eq $knownNetwork.Name "host"))) }}
+	# Can be connected with "{{ $containerNetwork.Name }}" network
+
+				{{/* If only 1 port exposed, use that */}}
+				{{ if eq $addrLen 1 }}
+					{{ $address := index $container.Addresses 0 }}
+					{{ template "upstream" (dict "Container" $container "Address" $address "Network" $containerNetwork) }}
+				{{/* If more than one port exposed, use the one matching VIRTUAL_PORT env var, falling back to standard web port 80 */}}
+				{{ else }}
+					{{ $port := coalesce $container.Env.VIRTUAL_PORT "80" }}
+					{{ $address := where $container.Addresses "Port" $port | first }}
+					{{ template "upstream" (dict "Container" $container "Address" $address "Network" $containerNetwork) }}
+				{{ end }}
+			{{ else }}
+				# Cannot connect to network of this container
+				server 127.0.0.1 down;
+			{{ end }}
+		{{ end }}
+	{{ end }}
+{{ end }}
+}
+
+{{ $default_host := or ($.Env.DEFAULT_HOST) "" }}
+{{ $default_server := index (dict $host "" $default_host "default_server") $host }}
+
+{{/* Get the VIRTUAL_PROTO defined by containers w/ the same vhost, falling back to "http" */}}
+{{ $proto := trim (or (first (groupByKeys $containers "Env.VIRTUAL_PROTO")) "http") }}
+
+{{/* Get the NETWORK_ACCESS defined by containers w/ the same vhost, falling back to "external" */}}
+{{ $network_tag := or (first (groupByKeys $containers "Env.NETWORK_ACCESS")) "external" }}
+
+{{/* Get the HTTPS_METHOD defined by containers w/ the same vhost, falling back to "redirect" */}}
+{{ $https_method := or (first (groupByKeys $containers "Env.HTTPS_METHOD")) "redirect" }}
+
+{{/* Get the SSL_POLICY defined by containers w/ the same vhost, falling back to empty string (use default) */}}
+{{ $ssl_policy := or (first (groupByKeys $containers "Env.SSL_POLICY")) "" }}
+
+{{/* Get the HSTS defined by containers w/ the same vhost, falling back to "max-age=31536000" */}}
+{{ $hsts := or (first (groupByKeys $containers "Env.HSTS")) "max-age=31536000" }}
+
+{{/* Get the VIRTUAL_ROOT By containers w/ use fastcgi root */}}
+{{ $vhost_root := or (first (groupByKeys $containers "Env.VIRTUAL_ROOT")) "/var/www/public" }}
+
+
+{{/* Get the first cert name defined by containers w/ the same vhost */}}
+{{ $certName := (first (groupByKeys $containers "Env.CERT_NAME")) }}
+
+{{/* Get the best matching cert  by name for the vhost. */}}
+{{ $vhostCert := (closest (dir "/etc/nginx/certs") (printf "%s.crt" $host))}}
+
+{{/* vhostCert is actually a filename so remove any suffixes since they are added later */}}
+{{ $vhostCert := trimSuffix ".crt" $vhostCert }}
+{{ $vhostCert := trimSuffix ".key" $vhostCert }}
+
+{{/* Use the cert specified on the container or fallback to the best vhost match */}}
+{{ $cert := (coalesce $certName $vhostCert) }}
+
+{{ $is_https := (and (ne $https_method "nohttps") (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}
+
+{{ if $is_https }}
+
+{{ if eq $https_method "redirect" }}
+server {
+	server_name {{ $host }};
+	listen {{ $external_http_port }} {{ $default_server }};
+	{{ if $enable_ipv6 }}
+	listen [::]:{{ $external_http_port }} {{ $default_server }};
+	{{ end }}
+	{{ $access_log }}
+	
+	# Do not HTTPS redirect Let's Encrypt ACME challenge
+	location /.well-known/acme-challenge/ {
+		auth_basic off;
+		allow all;
+		root /usr/share/nginx/html;
+		try_files $uri =404;
+		break;
+	}
+	
+	location / {
+		return 301 https://$host$request_uri;
+	}
+}
+{{ end }}
+
+server {
+	server_name {{ $host }};
+	listen {{ $external_https_port }} ssl http2 {{ $default_server }};
+	{{ if $enable_ipv6 }}
+	listen [::]:{{ $external_https_port }} ssl http2 {{ $default_server }};
+	{{ end }}
+	{{ $access_log }}
+
+	{{ if eq $network_tag "internal" }}
+	# Only allow traffic from internal clients
+	include /etc/nginx/network_internal.conf;
+	{{ end }}
+
+	{{ template "ssl_policy" (dict "ssl_policy" $ssl_policy) }}
+
+	ssl_session_timeout 5m;
+	ssl_session_cache shared:SSL:50m;
+	ssl_session_tickets off;
+
+	ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }};
+	ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }};
+
+	{{ if (exists (printf "/etc/nginx/certs/%s.dhparam.pem" $cert)) }}
+	ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }};
+	{{ end }}
+
+	{{ if (exists (printf "/etc/nginx/certs/%s.chain.pem" $cert)) }}
+	ssl_stapling on;
+	ssl_stapling_verify on;
+	ssl_trusted_certificate {{ printf "/etc/nginx/certs/%s.chain.pem" $cert }};
+	{{ end }}
+
+	{{ if (not (or (eq $https_method "noredirect") (eq $hsts "off"))) }}
+	add_header Strict-Transport-Security "{{ trim $hsts }}" always;
+	{{ end }}
+
+	{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
+	include {{ printf "/etc/nginx/vhost.d/%s" $host }};
+	{{ else if (exists "/etc/nginx/vhost.d/default") }}
+	include /etc/nginx/vhost.d/default;
+	{{ end }}
+
+	location / {
+		{{ if eq $proto "uwsgi" }}
+		include uwsgi_params;
+		uwsgi_pass {{ trim $proto }}://{{ trim $upstream_name }};
+		{{ else if eq $proto "fastcgi" }}
+		root   {{ trim $vhost_root }};
+		include fastcgi_params;
+		fastcgi_pass {{ trim $upstream_name }};
+		{{ else if eq $proto "grpc" }}
+		grpc_pass {{ trim $proto }}://{{ trim $upstream_name }};
+		{{ else }}
+		proxy_pass {{ trim $proto }}://{{ trim $upstream_name }};
+		{{ end }}
+
+		{{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }}
+		auth_basic	"Restricted {{ $host }}";
+		auth_basic_user_file	{{ (printf "/etc/nginx/htpasswd/%s" $host) }};
+		{{ end }}
+		{{ if (exists (printf "/etc/nginx/vhost.d/%s_location" $host)) }}
+		include {{ printf "/etc/nginx/vhost.d/%s_location" $host}};
+		{{ else if (exists "/etc/nginx/vhost.d/default_location") }}
+		include /etc/nginx/vhost.d/default_location;
+		{{ end }}
+	}
+
+	# 6G Perishable Press: Queries String
+	# @ https://perishablepress.com/6g/
+	location ~* "(eval\()"  { return 444; }
+	location ~* "(127\.0\.0\.1)"  { return 444; }
+	location ~* "([a-z0-9]{2000})"  { return 444; }
+	location ~* "(javascript\:)(.*)(\;)"  { return 444; }
+	location ~* "(base64_encode)(.*)(\()"  { return 444; }
+	location ~* "(GLOBALS|REQUEST)(=|\[|%)"  { return 444; }
+	location ~* "(<|%3C).*script.*(>|%3)" { return 444; }
+	location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" { return 444; }
+	location ~* "(boot\.ini|etc/passwd|self/environ)" { return 444; }
+	location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" { return 444; }
+	location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" { return 444; }
+
+	# 6G Perishable Press: Request String
+	# @ https://perishablepress.com/6g/
+	location ~* "(https?|ftp|php):/" { return 444; }
+	location ~* "(=\\\'|=\\%27|/\\\'/?)\." { return 444; }
+	location ~* "/(\$(\&)?|\*|\"|\.|,|&|&amp;?)/?$" { return 444; }
+	location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" { return 444; }
+	location ~ "(~|`|<|>|:|;|,|%|\\|\s|\{|\}|\[|\]|\|)" { return 444; }
+	location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" { return 444; }
+	location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" { return 444; }
+
+}
+
+{{ end }}
+
+{{ if or (not $is_https) (eq $https_method "noredirect") }}
+
+server {
+	server_name {{ $host }};
+	listen {{ $external_http_port }} {{ $default_server }};
+	{{ if $enable_ipv6 }}
+	listen [::]:80 {{ $default_server }};
+	{{ end }}
+	{{ $access_log }}
+
+	{{ if eq $network_tag "internal" }}
+	# Only allow traffic from internal clients
+	include /etc/nginx/network_internal.conf;
+	{{ end }}
+
+	{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
+	include {{ printf "/etc/nginx/vhost.d/%s" $host }};
+	{{ else if (exists "/etc/nginx/vhost.d/default") }}
+	include /etc/nginx/vhost.d/default;
+	{{ end }}
+
+	location / {
+		{{ if eq $proto "uwsgi" }}
+		include uwsgi_params;
+		uwsgi_pass {{ trim $proto }}://{{ trim $upstream_name }};
+		{{ else if eq $proto "fastcgi" }}
+		root   {{ trim $vhost_root }};
+		include fastcgi_params;
+		fastcgi_pass {{ trim $upstream_name }};
+		{{ else if eq $proto "grpc" }}
+		grpc_pass {{ trim $proto }}://{{ trim $upstream_name }};
+		{{ else }}
+		proxy_pass {{ trim $proto }}://{{ trim $upstream_name }};
+		{{ end }}
+		{{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }}
+		auth_basic	"Restricted {{ $host }}";
+		auth_basic_user_file	{{ (printf "/etc/nginx/htpasswd/%s" $host) }};
+		{{ end }}
+		{{ if (exists (printf "/etc/nginx/vhost.d/%s_location" $host)) }}
+		include {{ printf "/etc/nginx/vhost.d/%s_location" $host}};
+		{{ else if (exists "/etc/nginx/vhost.d/default_location") }}
+		include /etc/nginx/vhost.d/default_location;
+		{{ end }}
+	}
+
+	# 6G Perishable Press: Queries String
+	# @ https://perishablepress.com/6g/
+	location ~* "(eval\()"  { return 444; }
+	location ~* "(127\.0\.0\.1)"  { return 444; }
+	location ~* "([a-z0-9]{2000})"  { return 444; }
+	location ~* "(javascript\:)(.*)(\;)"  { return 444; }
+	location ~* "(base64_encode)(.*)(\()"  { return 444; }
+	location ~* "(GLOBALS|REQUEST)(=|\[|%)"  { return 444; }
+	location ~* "(<|%3C).*script.*(>|%3)" { return 444; }
+	location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" { return 444; }
+	location ~* "(boot\.ini|etc/passwd|self/environ)" { return 444; }
+	location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" { return 444; }
+	location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" { return 444; }
+
+	# 6G Perishable Press: Request String
+	# @ https://perishablepress.com/6g/
+	location ~* "(https?|ftp|php):/" { return 444; }
+	location ~* "(=\\\'|=\\%27|/\\\'/?)\." { return 444; }
+	location ~* "/(\$(\&)?|\*|\"|\.|,|&|&amp;?)/?$" { return 444; }
+	location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" { return 444; }
+	location ~ "(~|`|<|>|:|;|,|%|\\|\s|\{|\}|\[|\]|\|)" { return 444; }
+	location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" { return 444; }
+	location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" { return 444; }
+
+}
+
+{{ if (and (not $is_https) (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
+server {
+	server_name {{ $host }};
+	listen {{ $external_https_port }} ssl http2 {{ $default_server }};
+	{{ if $enable_ipv6 }}
+	listen [::]:{{ $external_https_port }} ssl http2 {{ $default_server }};
+	{{ end }}
+	{{ $access_log }}
+
+	ssl_certificate /etc/nginx/certs/default.crt;
+	ssl_certificate_key /etc/nginx/certs/default.key;
+
+	location / {
+		{{ if eq $proto "uwsgi" }}
+		include uwsgi_params;
+		uwsgi_pass {{ trim $proto }}://{{ trim $upstream_name }};
+		{{ else if eq $proto "fastcgi" }}
+		root   {{ trim $vhost_root }};
+		include fastcgi_params;
+		fastcgi_pass {{ trim $upstream_name }};
+		{{ else if eq $proto "grpc" }}
+		grpc_pass {{ trim $proto }}://{{ trim $upstream_name }};
+		{{ else }}
+		proxy_pass {{ trim $proto }}://{{ trim $upstream_name }};
+		{{ end }}
+
+		{{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }}
+		auth_basic	"Restricted {{ $host }}";
+		auth_basic_user_file	{{ (printf "/etc/nginx/htpasswd/%s" $host) }};
+		{{ end }}
+		{{ if (exists (printf "/etc/nginx/vhost.d/%s_location" $host)) }}
+		include {{ printf "/etc/nginx/vhost.d/%s_location" $host}};
+		{{ else if (exists "/etc/nginx/vhost.d/default_location") }}
+		include /etc/nginx/vhost.d/default_location;
+		{{ end }}
+	}
+
+	# 6G Perishable Press: Queries String
+	# @ https://perishablepress.com/6g/
+	location ~* "(eval\()"  { return 444; }
+	location ~* "(127\.0\.0\.1)"  { return 444; }
+	location ~* "([a-z0-9]{2000})"  { return 444; }
+	location ~* "(javascript\:)(.*)(\;)"  { return 444; }
+	location ~* "(base64_encode)(.*)(\()"  { return 444; }
+	location ~* "(GLOBALS|REQUEST)(=|\[|%)"  { return 444; }
+	location ~* "(<|%3C).*script.*(>|%3)" { return 444; }
+	location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" { return 444; }
+	location ~* "(boot\.ini|etc/passwd|self/environ)" { return 444; }
+	location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" { return 444; }
+	location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" { return 444; }
+
+	# 6G Perishable Press: Request String
+	# @ https://perishablepress.com/6g/
+	location ~* "(https?|ftp|php):/" { return 444; }
+	location ~* "(=\\\'|=\\%27|/\\\'/?)\." { return 444; }
+	location ~* "/(\$(\&)?|\*|\"|\.|,|&|&amp;?)/?$" { return 444; }
+	location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" { return 444; }
+	location ~ "(~|`|<|>|:|;|,|%|\\|\s|\{|\}|\[|\]|\|)" { return 444; }
+	location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" { return 444; }
+	location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" { return 444; }
+
+}
+{{ end }}
+
+{{ end }}
+{{ end }}

fs/etc/nginx/proxy_params

@@ -0,0 +1,4 @@
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;

fs/etc/nginx/scgi_params

@@ -0,0 +1,17 @@
+
+scgi_param  REQUEST_METHOD     $request_method;
+scgi_param  REQUEST_URI        $request_uri;
+scgi_param  QUERY_STRING       $query_string;
+scgi_param  CONTENT_TYPE       $content_type;
+
+scgi_param  DOCUMENT_URI       $document_uri;
+scgi_param  DOCUMENT_ROOT      $document_root;
+scgi_param  SCGI               1;
+scgi_param  SERVER_PROTOCOL    $server_protocol;
+scgi_param  REQUEST_SCHEME     $scheme;
+scgi_param  HTTPS              $https if_not_empty;
+
+scgi_param  REMOTE_ADDR        $remote_addr;
+scgi_param  REMOTE_PORT        $remote_port;
+scgi_param  SERVER_PORT        $server_port;
+scgi_param  SERVER_NAME        $server_name;

fs/etc/nginx/uwsgi_params

@@ -0,0 +1,17 @@
+
+uwsgi_param  QUERY_STRING       $query_string;
+uwsgi_param  REQUEST_METHOD     $request_method;
+uwsgi_param  CONTENT_TYPE       $content_type;
+uwsgi_param  CONTENT_LENGTH     $content_length;
+
+uwsgi_param  REQUEST_URI        $request_uri;
+uwsgi_param  PATH_INFO          $document_uri;
+uwsgi_param  DOCUMENT_ROOT      $document_root;
+uwsgi_param  SERVER_PROTOCOL    $server_protocol;
+uwsgi_param  REQUEST_SCHEME     $scheme;
+uwsgi_param  HTTPS              $https if_not_empty;
+
+uwsgi_param  REMOTE_ADDR        $remote_addr;
+uwsgi_param  REMOTE_PORT        $remote_port;
+uwsgi_param  SERVER_PORT        $server_port;
+uwsgi_param  SERVER_NAME        $server_name;

fs/etc/nginx/win-utf

@@ -0,0 +1,125 @@
+# This map is not a full windows-1251 <> utf8 map: it does not
+# contain Serbian and Macedonian letters.	If you need a full map,
+# use contrib/unicode2nginx/win-utf map instead.
+
+charset_map	windows-1251	utf-8 {
+
+	82	E2809A; # single low-9 quotation mark
+
+	84	E2809E; # double low-9 quotation mark
+	85	E280A6; # ellipsis
+	86	E280A0; # dagger
+	87	E280A1; # double dagger
+	88	E282AC; # euro
+	89	E280B0; # per mille
+
+	91	E28098; # left single quotation mark
+	92	E28099; # right single quotation mark
+	93	E2809C; # left double quotation mark
+	94	E2809D; # right double quotation mark
+	95	E280A2; # bullet
+	96	E28093; # en dash
+	97	E28094; # em dash
+
+	99	E284A2; # trade mark sign
+
+	A0	C2A0;   # &nbsp;
+	A1	D18E;   # capital Byelorussian short U
+	A2	D19E;   # small Byelorussian short u
+
+	A4	C2A4;   # currency sign
+	A5	D290;   # capital Ukrainian soft G
+	A6	C2A6;   # borken bar
+	A7	C2A7;   # section sign
+	A8	D081;   # capital YO
+	A9	C2A9;   # (C)
+	AA	D084;   # capital Ukrainian YE
+	AB	C2AB;   # left-pointing double angle quotation mark
+	AC	C2AC;   # not sign
+	AD	C2AD;   # soft hypen
+	AE	C2AE;   # (R)
+	AF	D087;   # capital Ukrainian YI
+
+	B0	C2B0;   # &deg;
+	B1	C2B1;   # plus-minus sign
+	B2	D086;   # capital Ukrainian I
+	B3	D196;   # small Ukrainian i
+	B4	D291;   # small Ukrainian soft g
+	B5	C2B5;   # micro sign
+	B6	C2B6;   # pilcrow sign
+	B7	C2B7;   # &middot;
+	B8	D191;   # small yo
+	B9	E28496; # numero sign
+	BA	D194;   # small Ukrainian ye
+	BB	C2BB;   # right-pointing double angle quotation mark
+
+	BF	D197;   # small Ukrainian yi
+
+	C0	D090;   # capital A
+	C1	D091;   # capital B
+	C2	D092;   # capital V
+	C3	D093;   # capital G
+	C4	D094;   # capital D
+	C5	D095;   # capital YE
+	C6	D096;   # capital ZH
+	C7	D097;   # capital Z
+	C8	D098;   # capital I
+	C9	D099;   # capital J
+	CA	D09A;   # capital K
+	CB	D09B;   # capital L
+	CC	D09C;   # capital M
+	CD	D09D;   # capital N
+	CE	D09E;   # capital O
+	CF	D09F;   # capital P
+
+	D0	D0A0;   # capital R
+	D1	D0A1;   # capital S
+	D2	D0A2;   # capital T
+	D3	D0A3;   # capital U
+	D4	D0A4;   # capital F
+	D5	D0A5;   # capital KH
+	D6	D0A6;   # capital TS
+	D7	D0A7;   # capital CH
+	D8	D0A8;   # capital SH
+	D9	D0A9;   # capital SHCH
+	DA	D0AA;   # capital hard sign
+	DB	D0AB;   # capital Y
+	DC	D0AC;   # capital soft sign
+	DD	D0AD;   # capital E
+	DE	D0AE;   # capital YU
+	DF	D0AF;   # capital YA
+
+	E0	D0B0;   # small a
+	E1	D0B1;   # small b
+	E2	D0B2;   # small v
+	E3	D0B3;   # small g
+	E4	D0B4;   # small d
+	E5	D0B5;   # small ye
+	E6	D0B6;   # small zh
+	E7	D0B7;   # small z
+	E8	D0B8;   # small i
+	E9	D0B9;   # small j
+	EA	D0BA;   # small k
+	EB	D0BB;   # small l
+	EC	D0BC;   # small m
+	ED	D0BD;   # small n
+	EE	D0BE;   # small o
+	EF	D0BF;   # small p
+
+	F0	D180;   # small r
+	F1	D181;   # small s
+	F2	D182;   # small t
+	F3	D183;   # small u
+	F4	D184;   # small f
+	F5	D185;   # small kh
+	F6	D186;   # small ts
+	F7	D187;   # small ch
+	F8	D188;   # small sh
+	F9	D189;   # small shch
+	FA	D18A;   # small hard sign
+	FB	D18B;   # small y
+	FC	D18C;   # small soft sign
+	FD	D18D;   # small e
+	FE	D18E;   # small yu
+	FF	D18F;   # small ya
+}

fs/srv/launch.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# Start docker-gen
+/usr/local/bin/docker-gen -watch -only-exposed -notify "nginx -s reload" /etc/nginx/nginx.tmpl /etc/nginx/conf.d/dynamic.conf &
+
+# Start nginx
+exec /usr/sbin/nginx -g "daemon off;"

settings.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# Docker image name
+IMAGE_NAME="hnc-web:latest"
+
+# The container's name when using ./run.sh
+CONTAINER_NAME="hnc-web"
+
+# The maximum memory allowed in this container
+MEMORY_MAX="1024m"
+
+# The mounted volume name when using ./run.sh
+VOLUME_NAME=${CONTAINER_NAME}
+
+# Enable or disable `multi_accept` mode for workers (on or off)
+NGINX_MULTI_ACCEPT="on"
+
+# Max number of nginx worker connections
+NGINX_WORKER_CONNECTIONS="2048"
+
+# Niceness (-20 to 20)
+NGINX_WORKER_PRIORITY="-10"
+

test.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# Set the directory to this script's current directory
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+cd $DIR
+
+source ./settings.sh
+
+docker run --rm -i -t \
+	-e CONTAINER_NAME=${CONTAINER_NAME} \
+	--memory=${MEMORY_MAX} \
+	--memory-swap=${MEMORY_MAX} \
+	--memory-swappiness="0" \
+	-v /var/run/docker.sock:/var/run/docker.sock:ro \
+	-p 80:80 \
+	-p 443:443 \
+	${IMAGE_NAME} bash
+