Add 7.5, bump versions

.github/workflows/build.yml

@@ -15,14 +15,16 @@ jobs:
   build:
     strategy:
       matrix:
-        version: ["6.0", "7.3", "7.4"]
+        version: ["6.0", "7.3", "7.4", "7.5"]
         include:
           - version: "6.0"
-            tag: "6.0.12"
+            tag: "6.0.13"
           - version: "7.3"
-            tag: "7.3.1"
+            tag: "7.3.2"
           - version: "7.4"
-            tag: "7.4.2"
+            tag: "7.4.3"
+          - version: "7.5"
+            tag: "7.5.0"
 
     runs-on: ubuntu-latest
     steps:

6.0/Dockerfile

@@ -30,8 +30,8 @@ RUN apt-get update \
 #
 # install varnish
 #
-ENV VARNISH_VERSION=6.0.12
-ENV VARNISH_SHA256SUM=387cebd3abb34373065ac0e26e6f2bda2140c410a8b5203e115f5a672b2bd6a5
+ENV VARNISH_VERSION=6.0.13
+ENV VARNISH_SHA256SUM=0dca6295f9c69d47a7208598c415385c590c66863ebd42bfeb08a367b788a9ba
 
 RUN mkdir -p /usr/local/src && \
     cd /usr/local/src && \

7.3/Dockerfile

@@ -35,8 +35,8 @@ RUN apt-get update \
 #
 # install varnish
 #
-ENV VARNISH_VERSION=7.3.1
-ENV VARNISH_SHA256SUM=a3dec46e6a8a4f472bb33da99be5068279d6924c475cce8ce7e03615ec0b972b
+ENV VARNISH_VERSION=7.3.2
+ENV VARNISH_SHA256SUM=94b28d75c9178c07b5772cde3a16cab75cff5b7e5b62aefda2f03f3322e6ec23
 ENV VARNISHSRC=/usr/local/src/varnish-${VARNISH_VERSION}
 
 RUN mkdir -p /usr/local/src && \

7.4/Dockerfile

@@ -35,8 +35,8 @@ RUN apt-get update \
 #
 # install varnish
 #
-ENV VARNISH_VERSION=7.4.2
-ENV VARNISH_SHA256SUM=6d3d03c67514e6bb4e8584e40a381f51e708607d39337a63dc4ae42061d9a46f
+ENV VARNISH_VERSION=7.4.3
+ENV VARNISH_SHA256SUM=eb9e43507f836eef2e32802d46dd3cf92eca3d547ba4b640fda59b407cdb1b88
 ENV VARNISHSRC=/usr/local/src/varnish-${VARNISH_VERSION}
 
 RUN mkdir -p /usr/local/src && \

7.5/Dockerfile

@@ -0,0 +1,155 @@
+# syntax=docker/dockerfile:experimental
+FROM debian:bookworm-slim
+LABEL org.opencontainers.image.source = "https://github.com/emgag/docker-varnish"
+
+#
+# install varnish build deps
+#
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends \
+        autoconf-archive \
+        automake \
+        autotools-dev \
+        build-essential \
+        ca-certificates \
+        curl \
+        git \
+        libedit-dev \
+        libgetdns-dev \
+        libjemalloc-dev \
+        libmhash-dev \
+        libncurses-dev \
+        libpcre2-8-0 \
+        libpcre2-dev \
+        libpcre3-dev \
+        libreadline-dev \
+        libtool \
+        liburing-dev \
+        libxxhash-dev \
+        pkg-config \
+        python3 \
+        python3-docutils \
+        python3-sphinx \
+    && apt-get autoremove -y
+
+#
+# install varnish
+#
+ENV VARNISH_VERSION=7.5.0
+ENV VARNISH_SHA256SUM=fca61b983139e1aac61c4546d12a1a3ab9807dbb1d8314571e3148c93ff72b5d
+ENV VARNISHSRC=/usr/local/src/varnish-${VARNISH_VERSION}
+
+RUN mkdir -p /usr/local/src && \
+    cd /usr/local/src && \
+    curl -sfLO https://varnish-cache.org/_downloads/varnish-${VARNISH_VERSION}.tgz && \
+    echo "${VARNISH_SHA256SUM} varnish-${VARNISH_VERSION}.tgz" | sha256sum -c - && \
+    tar -xzf varnish-${VARNISH_VERSION}.tgz && \
+    rm varnish-${VARNISH_VERSION}.tgz && \
+    cd varnish-${VARNISH_VERSION} && \
+    ./autogen.sh && \
+    ./configure && \
+    make install
+
+#
+# install stock varnish module library
+#
+ENV VARNISHMODULES_VERSION=0.24.0
+ENV VARNISHMODULES_SHA256SUM=b44fc6d99a057ab85c01fc1dad1a625608d76971700201ec0f186fff147fe798
+
+RUN cd /usr/local/src/ && \
+    curl -sfLO https://github.com/varnish/varnish-modules/archive/${VARNISHMODULES_VERSION}.tar.gz && \
+    echo "${VARNISHMODULES_SHA256SUM} ${VARNISHMODULES_VERSION}.tar.gz" | sha256sum -c - && \
+    tar -xzf ${VARNISHMODULES_VERSION}.tar.gz && \
+    cd varnish-modules-${VARNISHMODULES_VERSION} && \
+    ./bootstrap && \
+    ./configure && \
+    make install && \
+    cd /usr/local/src && \
+    rm ${VARNISHMODULES_VERSION}.tar.gz \
+    rm -rf varnish-modules-${VARNISHMODULES_VERSION} && \
+    ldconfig
+
+#
+# install libvmod-dynamic
+#
+ENV LIBVMOD_DYNAMIC_BRANCH=master
+ENV LIBVMOD_DYNAMIC_COMMIT=32c331e79dba857b0309ba0d527ba17bf64ff2c7
+
+RUN cd /usr/local/src/ && \
+    git clone -b ${LIBVMOD_DYNAMIC_BRANCH} https://github.com/nigoroll/libvmod-dynamic.git && \
+    cd libvmod-dynamic && \
+    git reset --hard ${LIBVMOD_DYNAMIC_COMMIT} && \
+    ./autogen.sh && \
+    ./configure && \
+    make install && \
+    cd /usr/local/src && \
+    rm -rf libvmod-dynamic && \
+    ldconfig
+
+#
+# install libvmod-digest
+#
+ENV LIBVMOD_DIGEST_VERSION=1.0.3
+ENV LIBVMOD_DIGEST_SHA256SUM=872fd18aa672609195c0dc128ca29e1a1b3a11924c71a34ed7fd956f9177111c
+
+RUN cd /usr/local/src/ && \
+    curl -sfLO https://github.com/varnish/libvmod-digest/archive/libvmod-digest-${LIBVMOD_DIGEST_VERSION}.tar.gz && \
+    echo "${LIBVMOD_DIGEST_SHA256SUM} libvmod-digest-${LIBVMOD_DIGEST_VERSION}.tar.gz" | sha256sum -c - && \
+    tar -xzf libvmod-digest-${LIBVMOD_DIGEST_VERSION}.tar.gz && \
+    cd libvmod-digest-libvmod-digest-${LIBVMOD_DIGEST_VERSION} && \
+    ./autogen.sh && \
+    ./configure && \
+    make install && \
+    cd /usr/local/src && \
+    rm -rf libvmod-digest* && \
+    ldconfig
+
+#
+# install libvmod-querystring
+#
+ENV LIBVMOD_QUERYSTRING_VERSION=2.0.3
+ENV LIBVMOD_QUERYSTRING_SHA256SUM=ec325d64241580ed136660f1d27cecd874b663431ac3abdb2d28e1ac6f4811e4
+
+RUN cd /usr/local/src/ && \
+    curl -sfLO https://github.com/Dridi/libvmod-querystring/releases/download/v${LIBVMOD_QUERYSTRING_VERSION}/vmod-querystring-${LIBVMOD_QUERYSTRING_VERSION}.tar.gz && \
+    echo "${LIBVMOD_QUERYSTRING_SHA256SUM} vmod-querystring-${LIBVMOD_QUERYSTRING_VERSION}.tar.gz" | sha256sum -c - && \
+    tar -xzf vmod-querystring-${LIBVMOD_QUERYSTRING_VERSION}.tar.gz && \
+    cd vmod-querystring-${LIBVMOD_QUERYSTRING_VERSION} && \
+    ./configure && \
+    make install && \
+    cd /usr/local/src && \
+    rm -rf vmod-querystring* && \
+    ldconfig
+
+#
+# install slash storage engines
+#
+#ENV SLASH_BRANCH=master
+#ENV SLASH_COMMIT=c250c9cd3cbb9b751aa230ca6b72c2937b5ff656
+#
+#RUN cd /usr/local/src/ && \
+#    git clone -b ${SLASH_BRANCH} https://gitlab.com/uplex/varnish/slash.git && \
+#    cd slash && \
+#    git reset --hard ${SLASH_COMMIT} && \
+#    ./bootstrap && \
+#    make check && \
+#    make install && \
+#    cd /usr/local/src && \
+#    rm -rf slash && \
+#    ldconfig
+
+# init
+COPY init.sh /init.sh
+
+RUN useradd -r -s /bin/false vcache
+RUN mkdir /etc/varnish
+
+ENV VARNISH_CONFIG  /etc/varnish/default.vcl
+ENV VARNISH_STORAGE malloc,100m
+ENV VARNISH_LISTEN  :80
+ENV VARNISH_MANAGEMENT_LISTEN 127.0.0.1:6082
+
+EXPOSE 80
+EXPOSE 6082
+
+CMD ["/init.sh"]

7.5/init.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+exec varnishd \
+    -j unix,user=vcache \
+    -F \
+    -f ${VARNISH_CONFIG} \
+    -s ${VARNISH_STORAGE} \
+    -a ${VARNISH_LISTEN} \
+    -T ${VARNISH_MANAGEMENT_LISTEN} \
+    ${VARNISH_DAEMON_OPTS}

CHANGELOG.md

@@ -1,3 +1,8 @@
+## 2024-05-30
+
+* Add [7.5](https://varnish-cache.org/releases/rel7.5.0.html) release.
+* Update to 6.0.13, 7.3.2, 7.4.3 and 7.5 to address [VSV00014 Varnish HTTP/2 Broke Window Attack](https://varnish-cache.org/security/VSV00014.html#vsv00014).
+
 ## 2023-12-28
 
 * Add [7.4](https://varnish-cache.org/releases/rel7.4.0.html#rel7-4-0) release.

README.md

@@ -5,7 +5,7 @@
 
 **WARNING:** Dockerhub images are no longer maintained. Please use ghcr.io! 
 
-[Varnish](http://varnish-cache.org/) container image used within EMGAG environments. Originally based on [newsdev/docker-varnish](https://github.com/newsdev) (not available anymore), but updated to recent varnish versions (6.0, 7.3 and 7.4), shipped with some additional [vmods](http://varnish-cache.org/vmods/#vmods), better support for custom configuration and built for multiple architectures.
+[Varnish](http://varnish-cache.org/) container image used within EMGAG environments. Originally based on [newsdev/docker-varnish](https://github.com/newsdev) (not available anymore), but updated to recent varnish versions (6.0, 7.4 and 7.5), shipped with some additional [vmods](http://varnish-cache.org/vmods/#vmods), better support for custom configuration and built for multiple architectures.
 
 Shipped VMODs:
 * [libvmod-digest](https://github.com/varnish/libvmod-digest): HMAC, hash and base64 functions
@@ -20,19 +20,22 @@ Shipped VMODs:
 
 ## Supported tags and respective `Dockerfile` links
 
-* [`7.4.2` (*7.4.2/Dockerfile*)](https://github.com/emgag/docker-varnish/blob/master/7.4/Dockerfile), based on debian:bookworm-slim.
+* [`7.5.0` (*7.5.0/Dockerfile*)](https://github.com/emgag/docker-varnish/blob/master/7.5/Dockerfile), based on debian:bookworm-slim.
   * linux/amd64
   * linux/arm64
-* [`7.3.1` (*7.3.1/Dockerfile*)](https://github.com/emgag/docker-varnish/blob/master/7.3/Dockerfile), based on debian:bookworm-slim.
+* [`7.4.3` (*7.4.3/Dockerfile*)](https://github.com/emgag/docker-varnish/blob/master/7.4/Dockerfile), based on debian:bookworm-slim.
   * linux/amd64
   * linux/arm64
-* [`6.0.12` (*6.0.11-1/Dockerfile*)](https://github.com/emgag/docker-varnish/blob/master/6.0/Dockerfile), based on debian:bookworm-slim.
+* [`7.3.2` (*7.3.2/Dockerfile*)](https://github.com/emgag/docker-varnish/blob/master/7.3/Dockerfile), based on debian:bookworm-slim.
+  * linux/amd64
+  * linux/arm64
+* [`6.0.13` (*6.0.13/Dockerfile*)](https://github.com/emgag/docker-varnish/blob/master/6.0/Dockerfile), based on debian:bookworm-slim.
   * linux/amd64
   * linux/arm64
 
 **Notes:** 
 * This repository does **not contain shorthand tags** (e.g. latest, 6, 6.1, etc.), just fully qualified versions corresponding to shipped varnish version and occasionally an additional package version (e.g. 6.0.3-1) if something in the image changed within a varnish release. This is because it might happen that a specific vmod stopped being supported for whatever reason and removing it will break future releases, which is outside of our control (e.g. old releases contained libvmod-geoip, which isn't supported anymore).
-* **Only 7.4, 7.3 and 6.0** are [versions supported by varnish](https://varnish-cache.org/releases/index.html), maintained in this repo.
+* **Only 7.4, 7.3 and 6.0** are [versions supported by varnish](https://varnish-cache.org/releases/index.html) and maintained in this repo.
 
 ## Varnish
 
@@ -43,7 +46,7 @@ From [varnish-cache.org](https://varnish-cache.org/intro/index.html): _Varnish C
 By default, varnish reads `/etc/varnish/default.vcl` on startup. Either copy your VCL file in your Dockerfile  
 
 ```
-FROM ghcr.io/emgag/varnish:7.4.2
+FROM ghcr.io/emgag/varnish:7.5.0
 COPY default.vcl /etc/varnish/default.vcl
 ```
 
@@ -53,7 +56,7 @@ or mount a volume containing the varnish configuration to `/etc/varnish`, e.g wi
 version: '3'
 services:
   varnish:
-    image: ghcr.io/emgag/varnish:7.4.2
+    image: ghcr.io/emgag/varnish:7.5.0
     volumes:
       - ./varnish:/etc/varnish
     ports:

test/7.5.vcl

@@ -0,0 +1,30 @@
+vcl 4.0;
+
+import blob;
+import bodyaccess;
+import cookie;
+import debug;
+import digest;
+import directors;
+import dynamic;
+import header;
+import proxy;
+import purge;
+import querystring;
+import saintmode;
+import std;
+import tcp;
+import unix;
+import var;
+import vsthrottle;
+import vtc;
+import xkey;
+
+backend default {
+    .host = "127.0.0.1";
+    .port = "8080";
+}
+
+sub vcl_recv {
+    std.log("you can't stop the signal!");
+}