Dockerfile HEALTHCHECK (#171)

* `HEALTHCHECK` in the Dockerfile (relies on public access to the namespace document)
nginx `depends_on` with `service_healthy` condition

* `HEALTHCHECK` param adjustments

* Increased `HEALTHCHECK` interval

* Replaced the `atomgraph/nginx` Docker image with the official `nginx`
Rewrote nginx's `command` using `sed` instead of `envsubst`

* Reformatted placeholders in nginx.conf.template from $VAR to ${VAR}

Author: namedgraph

CHANGELOG.md

@@ -2,11 +2,13 @@
 ### Added
 - New Varnish proxy cache between nginx and LinkedDataHub (service `varnish-frontend`) in order to improve performance
 - New `lapp:frontendProxy` and `lapp:backendProxy` properties in the LAPP ontology
+- `HEALTHCHECK` configuration in Dockerfile (relies on public access to the namespace document)
 
 ### Changed
-- Replaced the `atomgraph/varnish:6.0.11` Docker image with the official `varnish:7.3.0` image
 - Fixed content drag and drop logic to only work in content mode and not affect dragging in map and graph modes
 - When `ENABLE_LINKED_DATA_PROXY=false`, `?uri=` proxy requests will return `400 Bad Request` unless the URI is already cached or mapped to file
+- Replaced the `atomgraph/varnish:6.0.11` Docker image with the official `varnish:7.3.0` image
+- Replaced the `atomgraph/nginx:1.23.3` Docker image with the official `nginx:1.23.3` image
 
 ## [4.0.4] - 2023-06-07
 ### Changed

Dockerfile

@@ -110,8 +110,6 @@ ENV GOOGLE_CLIENT_SECRET=
 
 ENV GENERATE_SITEMAP=true
 
-# HEALTHCHECK --start-period=80s CMD curl -f http://localhost:$HTTP_PORT || exit 1
-
 # remove default Tomcat webapps and install xmlstarlet (used for XPath queries) and envsubst (for variable substitution)
 
 RUN apt-get update --allow-releaseinfo-change && \
@@ -182,6 +180,9 @@ RUN useradd --no-log-init -U ldh && \
 
 RUN ./import-letsencrypt-stg-roots.sh
 
+HEALTHCHECK --start-period=80s --interval=60s --timeout=10s \
+    CMD curl -f -I "http://localhost:${HTTP_PORT}/ns" -H "Accept: application/n-triples" || exit 1 # relies on public access to the namespace document
+
 USER ldh
 
 ENTRYPOINT ["/bin/bash", "entrypoint.sh"]

docker-compose.yml

@@ -1,9 +1,12 @@
 version: "2.3"
 services:
   nginx:
-    image: atomgraph/nginx:1.23.3
+    image: nginx:1.23.3
     mem_limit: 128m
-    command: /bin/bash -c "envsubst '$$HTTPS_PORT $$UPSTREAM_SERVER $$UPSTREAM_HTTP_PORT $$SERVER_NAME $$SERVER_HTTPS_PORT $$SERVER_HTTP_PORT $$SERVER_CERT_FILE $$SERVER_KEY_FILE $$SSL_VERIFY_CLIENT $$MAX_BODY_SIZE $$SERVER_CLIENT_CERT_HTTPS_PORT' < /etc/nginx/nginx.conf.template > /etc/nginx/nginx.conf && nginx -g 'daemon off;'"
+    command: /bin/sh -c "cp /etc/nginx/nginx.conf.template /etc/nginx/nginx.conf && sed -i 's|$${HTTPS_PORT}|'"$$HTTPS_PORT"'|g' /etc/nginx/nginx.conf && sed -i 's|$${UPSTREAM_SERVER}|'"$$UPSTREAM_SERVER"'|g' /etc/nginx/nginx.conf && sed -i 's|$${UPSTREAM_HTTP_PORT}|'"$$UPSTREAM_HTTP_PORT"'|g' /etc/nginx/nginx.conf && sed -i 's|$${SERVER_NAME}|'"$$SERVER_NAME"'|g' /etc/nginx/nginx.conf && sed -i 's|$${SERVER_HTTPS_PORT}|'"$$SERVER_HTTPS_PORT"'|g' /etc/nginx/nginx.conf && sed -i 's|$${SERVER_HTTP_PORT}|'"$$SERVER_HTTP_PORT"'|g' /etc/nginx/nginx.conf && sed -i 's|$${SERVER_CERT_FILE}|'"$$SERVER_CERT_FILE"'|g' /etc/nginx/nginx.conf && sed -i 's|$${SERVER_KEY_FILE}|'"$$SERVER_KEY_FILE"'|g' /etc/nginx/nginx.conf && sed -i 's|$${SSL_VERIFY_CLIENT}|'"$$SSL_VERIFY_CLIENT"'|g' /etc/nginx/nginx.conf && sed -i 's|$${MAX_BODY_SIZE}|'"$$MAX_BODY_SIZE"'|g' /etc/nginx/nginx.conf && sed -i 's|$${SERVER_CLIENT_CERT_HTTPS_PORT}|'"$$SERVER_CLIENT_CERT_HTTPS_PORT"'|g' /etc/nginx/nginx.conf && nginx -g 'daemon off;'"
+    depends_on:
+      linkeddatahub:
+        condition: service_healthy
     ports:
       - ${HTTP_PORT}:8080 # allow Tomcat to do HTTP to HTTPS redirect
       - ${HTTPS_PORT}:8443 # HTTPS

platform/nginx.conf.template

@@ -6,24 +6,24 @@ events {
 
 http {
     upstream linkeddatahub {
-        server $UPSTREAM_SERVER:$UPSTREAM_HTTP_PORT;
+        server ${UPSTREAM_SERVER}:${UPSTREAM_HTTP_PORT};
     }
 
     limit_req_zone $binary_remote_addr zone=linked_data:10m rate=6r/s;
     limit_req_zone $binary_remote_addr zone=static_files:10m rate=20r/s;
     limit_req_status 429;
 
-    client_max_body_size $MAX_BODY_SIZE;
+    client_max_body_size ${MAX_BODY_SIZE};
 
     # server with optional client cert authentication (depends on the $SSL_VERIFY_CLIENT value)
     server {
-        listen $SERVER_HTTPS_PORT ssl;
-        server_name $SERVER_NAME;
-        ssl_certificate $SERVER_CERT_FILE;
-        ssl_certificate_key $SERVER_KEY_FILE;
-        ssl_session_cache shared:SSL:1m;  
+        listen ${SERVER_HTTPS_PORT} ssl;
+        server_name ${SERVER_NAME};
+        ssl_certificate ${SERVER_CERT_FILE};
+        ssl_certificate_key ${SERVER_KEY_FILE};
+        ssl_session_cache shared:SSL:1m;
         ssl_prefer_server_ciphers on;
-        ssl_verify_client $SSL_VERIFY_CLIENT;
+        ssl_verify_client ${SSL_VERIFY_CLIENT};
 
         location / {
             proxy_pass http://linkeddatahub;
@@ -56,10 +56,10 @@ http {
 
     # server with client cert authentication on
     server {
-        listen $SERVER_CLIENT_CERT_HTTPS_PORT ssl;
-        server_name $SERVER_NAME;
-        ssl_certificate $SERVER_CERT_FILE;
-        ssl_certificate_key $SERVER_KEY_FILE;
+        listen ${SERVER_CLIENT_CERT_HTTPS_PORT} ssl;
+        server_name ${SERVER_NAME};
+        ssl_certificate ${SERVER_CERT_FILE};
+        ssl_certificate_key ${SERVER_KEY_FILE};
         ssl_session_cache shared:SSL:1m;  
         ssl_prefer_server_ciphers on;
         ssl_verify_client optional_no_ca;
@@ -80,11 +80,11 @@ http {
     }
 
     server {
-        listen $SERVER_HTTP_PORT;
-        server_name $SERVER_NAME;
+        listen ${SERVER_HTTP_PORT};
+        server_name ${SERVER_NAME};
 
         location / {
-            return 301 https://$server_name:$HTTPS_PORT$request_uri;
+            return 301 https://$server_name:${HTTPS_PORT}$request_uri;
         }
     }