diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..f98f6e0
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,36 @@
+FROM alpine:3.5
+MAINTAINER kolaente - mowie.cc
+
+ENV TZ "Europe/Berlin"
+
+RUN apk update && \
+ apk --no-cache add bash tzdata curl ca-certificates s6 ssmtp mysql-client \
+ nginx nginx-mod-http-headers-more
+
+RUN ln -sf "/usr/share/zoneinfo/$TZ" /etc/localtime && \
+ echo "$TZ" > /etc/timezone && date
+
+RUN apk --no-cache add \
+ php7 php7-phar php7-curl php7-fpm php7-json php7-zlib php7-gd \
+ php7-xml php7-dom php7-ctype php7-opcache php7-zip php7-iconv \
+ php7-pdo php7-pdo_mysql php7-mysqli php7-mbstring php7-session \
+ php7-mcrypt php7-openssl php7-sockets php7-posix
+
+RUN rm -rf /var/cache/apk/* && \
+ ln -s /usr/bin/php7 /usr/bin/php && \
+ rm -f /etc/php7/php-fpm.d/www.conf && \
+ touch /etc/php7/php-fpm.d/env.conf
+
+RUN rm -rf /var/www
+
+COPY conf/services.d /etc/services.d
+COPY conf/nginx/nginx.conf /etc/nginx/nginx.conf
+COPY conf/php/php-fpm.conf /etc/php7/
+COPY conf/php/conf.d/php.ini /etc/php7/conf.d/zphp.ini
+
+VOLUME /var/www/content
+
+EXPOSE 80
+
+ENTRYPOINT ["/bin/s6-svscan", "/etc/services.d"]
+CMD []
diff --git a/conf/nginx/nginx.conf b/conf/nginx/nginx.conf
new file mode 100644
index 0000000..9a682d3
--- /dev/null
+++ b/conf/nginx/nginx.conf
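Review bot: Nothing in the Dockerfile creates the directories PHP has to write to. `/var/session`, which conf/php/conf.d/php.ini sets as `session.save_path`, is never made, and `/var/www/content` is declared as a `VOLUME` right after `RUN rm -rf /var/www`, so as far as this commit shows it would come up root-owned while the FPM pool runs as `nginx`. Before the `VOLUME` line I would add `RUN mkdir -p /var/session /var/www/content && chown nginx:nginx /var/session /var/www/content && chmod 700 /var/session`. Separately, `apk update` is redundant next to `apk --no-cache add`, and the later `RUN rm -rf /var/cache/apk/*` cannot shrink the earlier layer, so both can go.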
@@ -0,0 +1,88 @@
+load_module modules/ngx_http_headers_more_filter_module.so;
+
+user nginx;
+worker_processes auto;
+pid /var/run/nginx.pid;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+
+ include mime.types;
+ default_type application/octet-stream;
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ server_tokens off;
+
+ log_format main_timed '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for" '
+ '$request_time $upstream_response_time $pipe $upstream_cache_status';
+
+ #access_log off;
+ #error_log /dev/stderr;
+ access_log /dev/stdout main_timed;
+ error_log /dev/stderr;
+
+ server {
+ listen [::]:80 default_server;
+ listen 80 default_server;
+ server_name _;
+ index index.php;
+ root /var/www;
+ client_max_body_size 1G;
+
+ location / {
+ try_files $uri $uri/ /index.php;
+ }
+
+ location ~ \.php$ {
+ try_files $uri =404;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_pass unix:/var/run/php-fpm.sock;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_index index.php;
+ include fastcgi_params;
+ }
+
+ location ~* ^.+\.(log|sqlite|yml|yaml|ini)$ {
+ return 404;
+ }
+
+ location ~ /\.ht {
+ return 404;
+ }
+
+ location ~* ^.+\.(ico|jpg|gif|png|css|js|svg|eot|ttf|woff|woff2|otf)$ {
+ log_not_found off;
+ expires 7d;
+ etag on;
+ }
+
+ gzip on;
+ gzip_comp_level 3;
+ gzip_disable "msie6";
+ gzip_vary on;
+ gzip_types
+ text/plain
+ text/css
+ text/javascript
+ text/xml
+ application/javascript
+ application/json
+ application/xml
+ application/rss+xml;
+ }
+
+ add_header X-Frame-Options SAMEORIGIN;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+
+ more_clear_headers 'X-Powered-By';
+ more_clear_headers 'Server';
+}
diff --git a/conf/nginx/security.conf b/conf/nginx/security.conf
new file mode 100644
index 0000000..02e6bd8
--- /dev/null
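Review bot: In conf/nginx/nginx.conf, `location ~ \.php$` passes every existing `.php` file under `root /var/www` to PHP-FPM, and that includes `/var/www/content`, which the Dockerfile declares as a volume. If that directory holds uploaded or user-managed files, anything ending in `.php` there is executed rather than served. A deny rule placed ahead of the PHP location would narrow this: `location ~* ^/content/.*\.php$ { return 404; }` (leave it out, with a comment saying why, if the application keeps its own scripts there). The dotfile rule `location ~ /\.ht` is also narrow; `location ~ /\. { return 404; }` would cover other hidden files and directories too, with an exemption for `/.well-known/` if that path is needed.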
+++ b/conf/nginx/security.conf
@@ -0,0 +1,9 @@
+server_tokens off;
+
+add_header X-Frame-Options SAMEORIGIN;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
+
+more_clear_headers 'X-Powered-By';
+more_clear_headers 'Server';
+
diff --git a/conf/php/conf.d/php.ini b/conf/php/conf.d/php.ini
new file mode 100644
index 0000000..ae34c3b
--- /dev/null
+++ b/conf/php/conf.d/php.ini
@@ -0,0 +1,17 @@
+expose_php = Off
+error_reporting = E_ALL
+display_errors = Off
+log_errors = On
+error_log = /dev/stderr
+cgi.fix_pathinfo=0
+date.timezone = Europe/Berlin
+allow_url_fopen = On
+post_max_size = 1300M
+upload_max_filesize = 1024M
+opcache.max_accelerated_files = 7963
+opcache.validate_timestamps = Off
+opcache.save_comments = 0
+opcache.load_comments = 0
+opcache.fast_shutdown = 1
+opcache.enable_file_override = On
+session.save_path = "/var/session"
diff --git a/conf/php/php-fpm.conf b/conf/php/php-fpm.conf
new file mode 100644
index 0000000..1a187a9
--- /dev/null
+++ b/conf/php/php-fpm.conf
@@ -0,0 +1,20 @@
+[global]
+error_log = /proc/self/fd/2
+log_level = error
+daemonize = no
+
+[www]
+catch_workers_output = yes
+user = nginx
+group = nginx
+listen.owner = nginx
+listen.group = nginx
+listen = /var/run/php-fpm.sock
+pm = dynamic
+pm.max_children = 20
+pm.start_servers = 1
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+pm.max_requests = 2048
+include = /etc/php7/php-fpm.d/env.conf
+
diff --git a/conf/services.d/.s6-svscan/crash b/conf/services.d/.s6-svscan/crash
new file mode 100755
index 0000000..1dadeea
--- /dev/null
+++ b/conf/services.d/.s6-svscan/crash
@@ -0,0 +1,2 @@
+#!/bin/sh
+/bin/true
diff --git a/conf/services.d/.s6-svscan/finish b/conf/services.d/.s6-svscan/finish
new file mode 100755
index 0000000..1dadeea
--- /dev/null
+++ b/conf/services.d/.s6-svscan/finish
@@ -0,0 +1,2 @@
+#!/bin/sh
+/bin/true
diff --git a/conf/services.d/nginx/run b/conf/services.d/nginx/run
new file mode 100755
index 0000000..40a8b54
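Review bot: Nothing in this commit loads conf/nginx/security.conf: the Dockerfile copies only conf/nginx/nginx.conf into the image, and nginx.conf repeats these same directives inline instead of including this file. Either drop the file, or copy it into the image and replace the inline copies with `include /etc/nginx/security.conf;` in the `http` block, so the header policy lives in one place. Whichever copy stays, `add_header` without `always` is skipped on error responses; for example `add_header X-Content-Type-Options nosniff always;`.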
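Review bot: In conf/php/conf.d/php.ini the session settings stop at `session.save_path`, so the session cookie keeps PHP's defaults: it is readable from JavaScript and the server accepts session IDs it did not issue. Adding `session.cookie_httponly = On` and `session.use_strict_mode = On` closes both; `session.cookie_secure = On` belongs here too if the site is only served over HTTPS, which this commit does not show. `allow_url_fopen = On` only restates the PHP default, so a comment naming the feature that needs remote URL wrappers (or setting it to `Off`) would make the intent reviewable. `opcache.validate_timestamps = Off` means edited PHP files are not picked up until PHP-FPM restarts, which deserves a comment given the content volume.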
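Review bot: In conf/php/php-fpm.conf the `include = /etc/php7/php-fpm.d/env.conf` line closing the `[www]` pool has no comment, and the only other trace of that file is the `touch` in the Dockerfile that creates it empty. Presumably it is the hook for passing environment variables to the workers; if so, a comment should say it: `; env.conf is created empty at build time; add env[NAME] = value lines there to expose variables to PHP`. Anything listed there ends up in the worker environment and is readable by application code, so the comment should also say it is not the place for secrets the application does not need.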
--- /dev/null
+++ b/conf/services.d/nginx/run
@@ -0,0 +1,2 @@
+#!/bin/execlineb -P
+nginx -g "daemon off;"
\ No newline at end of file
diff --git a/conf/services.d/php/run b/conf/services.d/php/run
new file mode 100755
index 0000000..6b09323
--- /dev/null
+++ b/conf/services.d/php/run
@@ -0,0 +1,2 @@
+#!/bin/execlineb -P
+php-fpm7 -F
\ No newline at end of file