diff --git a/Dockerfile b/Dockerfile
index da700a2..abfa2ef 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -17,12 +17,6 @@ COPY --from=nlss/attr ["/usr/local/bin/attr", "/usr/local/bin/"]
 # Add crond service
 COPY --from=nlss/base-alpine:3.14 ["/etc/services.d/cron/", "/etc/services.d/cron/"]
-# Add nginx service and configuration
-COPY --from=nlss/php-nginx:7.4 ["/etc/services.d/nginx/", "/etc/services.d/nginx/"]
-COPY --from=nlss/php-nginx:7.4 ["/etc/nginx/", "/etc/nginx/"]
-COPY --from=nlss/php-nginx:7.4 ["/var/log/nginx/", "/var/log/nginx/"]
-COPY --from=nlss/php-nginx:7.4 ["/var/www/", "/var/www/"]
-
 # Install gomplate
 COPY --from=hairyhenderson/gomplate:v3.10.0-alpine ["/bin/gomplate", "/usr/local/bin/"]
diff --git a/rootfs/etc/nginx/nginx.conf b/rootfs/etc/nginx/nginx.conf
new file mode 100644
index 0000000..190afa7
--- /dev/null
+++ b/rootfs/etc/nginx/nginx.conf
@@ -0,0 +1,40 @@
+# Generated by nginxconfig.io
+# https://www.digitalocean.com/community/tools/nginx#?0.domain=test.com&0.path=%2Fvar%2Fwww&0.non_www=false&0.https=false&0.access_log_domain&0.error_log_domain&php_server=%2Fvar%2Frun%2Fphp%2Fphp7.3-fpm.sock&php_server_backup=%2Fvar%2Frun%2Fphp%2Fphp7.3-fpm.sock&client_max_body_size=100
+
+user www-data;
+pid /run/nginx.pid;
+worker_processes auto;
+worker_rlimit_nofile 65535;
+
+events {
+ multi_accept on;
+ worker_connections 65535;
+}
+
+http {
+ upstream php {
+ server unix:/var/run/php-fpm.sock;
+ #server unix:/var/run/php/php-fpm.sock backup;
+ }
+
+ charset utf-8;
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ server_tokens off;
+ log_not_found off;
+ types_hash_max_size 2048;
+ client_max_body_size 100M;
+
+ # MIME
+ include mime.types;
+ default_type application/octet-stream;
+
+ # logging
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log warn;
+
+ # load configs
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+}
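Review bot: The `include /etc/nginx/sites-enabled/*;` line at the end of the `http` block loads only `sites-enabled`, but this commit ships its vhost as `sites-available/app.conf` and puts nothing but a `.gitkeep` into `sites-enabled`. Unless a symlink or templating step outside this diff enables it, nginx would start without the server block that carries the security include and the PHP handler. Either include the file directly or add a comment above the include that says where it gets enabled, for example `# app.conf is linked into sites-enabled/ by <startup step>`. The generator URL in the header still names `test.com` and `php7.3-fpm.sock`, which no longer matches the `upstream php` socket, so the header should say the file was edited by hand.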
diff --git a/rootfs/etc/nginx/nginxconfig.io/general.conf b/rootfs/etc/nginx/nginxconfig.io/general.conf
new file mode 100644
index 0000000..45a328a
--- /dev/null
+++ b/rootfs/etc/nginx/nginxconfig.io/general.conf
@@ -0,0 +1,34 @@
+# favicon.ico
+location = /favicon.ico {
+ log_not_found off;
+ access_log off;
+}
+
+# robots.txt
+location = /robots.txt {
+ log_not_found off;
+ access_log off;
+}
+
+# assets, media
+location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
+ expires 7d;
+ access_log off;
+}
+
+# svg, fonts
+location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
+ add_header Access-Control-Allow-Origin "*";
+ expires 7d;
+ access_log off;
+}
+
+# gzip
+gzip on;
+gzip_vary on;
+gzip_proxied any;
+gzip_comp_level 6;
+gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
+
+# Fix permission error on file(s) upload
+client_body_temp_path /tmp;
\ No newline at end of file
diff --git a/rootfs/etc/nginx/nginxconfig.io/php_fastcgi.conf b/rootfs/etc/nginx/nginxconfig.io/php_fastcgi.conf
new file mode 100644
index 0000000..1506dbe
--- /dev/null
+++ b/rootfs/etc/nginx/nginxconfig.io/php_fastcgi.conf
@@ -0,0 +1,16 @@
+# 404
+try_files $fastcgi_script_name =404;
+
+# default fastcgi_params
+include fastcgi_params;
+
+# fastcgi settings
+fastcgi_pass php;
+fastcgi_index index.php;
+fastcgi_buffers 8 16k;
+fastcgi_buffer_size 32k;
+
+# fastcgi params
+fastcgi_param DOCUMENT_ROOT $realpath_root;
+fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+fastcgi_param PHP_ADMIN_VALUE "open_basedir=$base/:/usr/lib/php/:/tmp/";
diff --git a/rootfs/etc/nginx/nginxconfig.io/security.conf b/rootfs/etc/nginx/nginxconfig.io/security.conf
new file mode 100644
index 0000000..82b8e2b
--- /dev/null
+++ b/rootfs/etc/nginx/nginxconfig.io/security.conf
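Review bot: The `add_header Access-Control-Allow-Origin "*";` inside the `svg, fonts` location replaces the headers set at server level instead of adding to them, because nginx inherits `add_header` from the outer level only when the current level defines none. Since app.conf includes security.conf at server level, responses for `.svg`/`.svgz` and font files would be sent without `X-Content-Type-Options`, `X-Frame-Options` and the CSP, and SVG is a format that can carry script. security.conf cannot simply be included here because it also contains a `location`, so the five `add_header` lines would need their own snippet that both the server block and this location include. A comment on the location, `# add_header here drops the server-level security headers unless they are repeated`, would keep the next editor from reintroducing the gap.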
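Review bot: The `open_basedir` value in the `PHP_ADMIN_VALUE` line allows `/tmp/`, and general.conf in this same commit sets `client_body_temp_path /tmp;`, so request bodies that nginx buffers to disk land in a directory every PHP script is permitted to open. Whether the files are readable in practice depends on the account php-fpm runs as, which is not visible here, but with `user www-data;` for nginx a shared account is likely. A dedicated body directory owned by the nginx user, `client_body_temp_path <dir-owned-by-www-data>;` (placeholder path), solves the upload permission error without exposing in-flight uploads to PHP. The value also depends on `$base` being set by the including server block, so a comment such as `# requires "set $base ...;" in the enclosing server` would make that dependency explicit.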
@@ -0,0 +1,11 @@
+# security headers
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header X-XSS-Protection "1; mode=block" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header Referrer-Policy "no-referrer-when-downgrade" always;
+add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
+
+# . files
+location ~ /\.(?!well-known) {
+ deny all;
+}
diff --git a/rootfs/etc/nginx/sites-available/app.conf b/rootfs/etc/nginx/sites-available/app.conf
new file mode 100644
index 0000000..bf220ed
--- /dev/null
+++ b/rootfs/etc/nginx/sites-available/app.conf
@@ -0,0 +1,31 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name ;
+ set $base /var/www;
+ root $base/html;
+
+ # security
+ include nginxconfig.io/security.conf;
+
+ # logging
+ access_log /var/log/nginx/app-access.log;
+ error_log /var/log/nginx/app-error.log warn;
+
+ # index files
+ index index.php index.html index.htm index.nginx-debian.html;
+
+ # index.php fallback
+ location / {
+ try_files $uri $uri/ /index.php?$query_string;
+ }
+
+ # handle .php
+ location ~ \.php$ {
+ include nginxconfig.io/php_fastcgi.conf;
+ }
+
+ # additional config
+ include nginxconfig.io/general.conf;
+}
diff --git a/rootfs/etc/nginx/sites-enabled/.gitkeep b/rootfs/etc/nginx/sites-enabled/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/rootfs/etc/services.d/nginx/run b/rootfs/etc/services.d/nginx/run
new file mode 100755
index 0000000..7478cd7
--- /dev/null
+++ b/rootfs/etc/services.d/nginx/run
@@ -0,0 +1,3 @@
+#!/bin/execlineb -P
+
+nginx -g "daemon off;"
\ No newline at end of file
diff --git a/rootfs/var/log/nginx/.gitkeep b/rootfs/var/log/nginx/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/rootfs/var/www/html/index.php b/rootfs/var/www/html/index.php
new file mode 100644
index 0000000..0615691
--- /dev/null
+++ b/rootfs/var/www/html/index.php
@@ -0,0 +1,3 @@
+
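Review bot: The `Content-Security-Policy` line allows `http:`, `https:` and `'unsafe-inline'` under `default-src`, which permits script from any origin as well as inline script, so the header gives almost no protection against injected markup. For a base image, a restrictive default that applications loosen on purpose is the safer starting point, e.g. `add_header Content-Security-Policy "default-src 'self'; object-src 'none'; base-uri 'self'" always;`. `X-XSS-Protection "1; mode=block"` addresses a filter that current browsers no longer ship and can be dropped or set to `0`. `Referrer-Policy "strict-origin-when-cross-origin"` would stop full URLs being sent to other origins.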
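Review bot: `server_name ;` in app.conf has no argument as shown here, which nginx rejects at config test. If a template placeholder was lost when this page was rendered, the line is fine as committed; otherwise `server_name _;` gives an explicit catch-all. The `location ~ \.php$` block passes every existing `.php` file under `$base/html` to FPM, so any directory the application lets users write to would become executable. A comment such as `# keep upload directories outside $base/html or deny .php there` next to the handler would record that constraint for images built on this one.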