From fa8f02e5f3e832eb458216bcdec2e7abe94d0eb8 Mon Sep 17 00:00:00 2001 
From: Ville Pietarinen Date: Tue, 9 Jan 2018 15:12:35 +0200 Subject: [PATCH] initial commit for ubuntu-docker-wordpress --- LICENSE | 8 + README.md | 141 ++++++++ docker-compose.yml | 30 ++ ubuntu-7.1/.dockerignore | 12 + ubuntu-7.1/Dockerfile | 182 ++++++++++ ubuntu-7.1/rootfs/etc/ImageMagick | 11 + .../etc/cont-init.d/00-render-templates | 68 ++++ .../rootfs/etc/cont-init.d/01-create-web-user | 58 ++++ .../rootfs/etc/cont-init.d/02-init-crond | 30 ++ .../cont-init.d/02-init-directories-and-files | 18 + ubuntu-7.1/rootfs/etc/nginx/additional.types | 6 + .../rootfs/etc/nginx/cache/fastcgicache.conf | 13 + .../nginx/cache/fastcgicache_settings.conf | 8 + .../nginx/cache/fastcgicache_skip_rules.conf | 26 ++ .../etc/nginx/cache/helper_variables.conf | 15 + .../rootfs/etc/nginx/cache/redis_backend.conf | 45 +++ .../rootfs/etc/nginx/cache/skip_rules.conf | 30 ++ .../rootfs/etc/nginx/cache/srcache.conf | 20 ++ ubuntu-7.1/rootfs/etc/nginx/env.conf | 12 + ubuntu-7.1/rootfs/etc/nginx/error_pages.conf | 31 ++ ubuntu-7.1/rootfs/etc/nginx/fastcgi_params | 29 ++ .../rootfs/etc/nginx/fastcgi_settings.conf | 23 ++ ubuntu-7.1/rootfs/etc/nginx/gzip.conf | 58 ++++ ubuntu-7.1/rootfs/etc/nginx/log_format.conf | 16 + ubuntu-7.1/rootfs/etc/nginx/log_formats.conf | 19 ++ ubuntu-7.1/rootfs/etc/nginx/nginx.conf | 313 ++++++++++++++++++ .../rootfs/etc/nginx/pagespeed/locations.conf | 7 + .../rootfs/etc/nginx/pagespeed/settings.conf | 13 + .../etc/nginx/proxy_real_variables.conf | 35 ++ ubuntu-7.1/rootfs/etc/nginx/security.conf | 27 ++ .../rootfs/etc/nginx/security_headers.conf | 23 ++ ubuntu-7.1/rootfs/etc/nginx/static_files.conf | 13 + ubuntu-7.1/rootfs/etc/nginx/upstreams.conf | 4 + ubuntu-7.1/rootfs/etc/php/7.1/cli/php.ini | 70 ++++ .../rootfs/etc/php/7.1/fpm/conf.d/blocked.ini | 4 + .../rootfs/etc/php/7.1/fpm/conf.d/common.ini | 4 + .../rootfs/etc/php/7.1/fpm/conf.d/limits.ini | 7 + .../rootfs/etc/php/7.1/fpm/conf.d/logging.ini | 4 + .../rootfs/etc/php/7.1/fpm/conf.d/mail.ini | 3 + 
.../rootfs/etc/php/7.1/fpm/conf.d/opcache.ini | 24 ++ .../7.1/fpm/conf.d/opcache_invalidate.conf | 5 + .../etc/php/7.1/fpm/conf.d/sessions.ini | 6 + .../etc/php/7.1/fpm/conf.d/timezone.ini | 2 + .../rootfs/etc/php/7.1/fpm/php-fpm.conf | 35 ++ .../php/7.1/fpm/php-fpm.d/preserve-env.conf | 3 + ubuntu-7.1/rootfs/etc/php/7.1/fpm/php.ini | 46 +++ ubuntu-7.1/rootfs/etc/services.d/cron/run | 4 + ubuntu-7.1/rootfs/etc/services.d/nginx/run | 4 + ubuntu-7.1/rootfs/etc/services.d/php-fpm/run | 53 +++ ubuntu-7.1/rootfs/usr/bin/wp | 12 + ubuntu-7.1/rootfs/usr/local/bin/phinx | 27 ++ .../rootfs/usr/local/bin/print-smtp-password | 5 + ubuntu-7.1/rootfs/usr/local/bin/wp-run-cron | 42 +++ ubuntu-7.1/rootfs/usr/sbin/sendmail | 66 ++++ .../rootfs/usr/share/nginx/html/403.html | 89 +++++ .../rootfs/usr/share/nginx/html/500.html | 83 +++++ .../rootfs/usr/share/nginx/html/502.html | 92 +++++ .../rootfs/usr/share/nginx/html/504.html | 94 ++++++ web/info.php | 2 + 59 files changed, 2130 insertions(+) create mode 100644 LICENSE create mode 100644 README.md create mode 100644 docker-compose.yml create mode 100644 ubuntu-7.1/.dockerignore create mode 100644 ubuntu-7.1/Dockerfile create mode 100644 ubuntu-7.1/rootfs/etc/ImageMagick create mode 100755 ubuntu-7.1/rootfs/etc/cont-init.d/00-render-templates create mode 100755 ubuntu-7.1/rootfs/etc/cont-init.d/01-create-web-user create mode 100755 ubuntu-7.1/rootfs/etc/cont-init.d/02-init-crond create mode 100755 ubuntu-7.1/rootfs/etc/cont-init.d/02-init-directories-and-files create mode 100644 ubuntu-7.1/rootfs/etc/nginx/additional.types create mode 100644 ubuntu-7.1/rootfs/etc/nginx/cache/fastcgicache.conf create mode 100644 ubuntu-7.1/rootfs/etc/nginx/cache/fastcgicache_settings.conf create mode 100644 ubuntu-7.1/rootfs/etc/nginx/cache/fastcgicache_skip_rules.conf create mode 100644 ubuntu-7.1/rootfs/etc/nginx/cache/helper_variables.conf create mode 100644 ubuntu-7.1/rootfs/etc/nginx/cache/redis_backend.conf create mode 100644 
ubuntu-7.1/rootfs/etc/nginx/cache/skip_rules.conf create mode 100644 ubuntu-7.1/rootfs/etc/nginx/cache/srcache.conf create mode 100644 ubuntu-7.1/rootfs/etc/nginx/env.conf create mode 100644 ubuntu-7.1/rootfs/etc/nginx/error_pages.conf create mode 100644 ubuntu-7.1/rootfs/etc/nginx/fastcgi_params create mode 100644 ubuntu-7.1/rootfs/etc/nginx/fastcgi_settings.conf create mode 100644 ubuntu-7.1/rootfs/etc/nginx/gzip.conf create mode 100644 ubuntu-7.1/rootfs/etc/nginx/log_format.conf create mode 100644 ubuntu-7.1/rootfs/etc/nginx/log_formats.conf create mode 100644 ubuntu-7.1/rootfs/etc/nginx/nginx.conf create mode 100644 ubuntu-7.1/rootfs/etc/nginx/pagespeed/locations.conf create mode 100644 ubuntu-7.1/rootfs/etc/nginx/pagespeed/settings.conf create mode 100644 ubuntu-7.1/rootfs/etc/nginx/proxy_real_variables.conf create mode 100644 ubuntu-7.1/rootfs/etc/nginx/security.conf create mode 100644 ubuntu-7.1/rootfs/etc/nginx/security_headers.conf create mode 100644 ubuntu-7.1/rootfs/etc/nginx/static_files.conf create mode 100644 ubuntu-7.1/rootfs/etc/nginx/upstreams.conf create mode 100644 ubuntu-7.1/rootfs/etc/php/7.1/cli/php.ini create mode 100644 ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/blocked.ini create mode 100644 ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/common.ini create mode 100644 ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/limits.ini create mode 100644 ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/logging.ini create mode 100644 ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/mail.ini create mode 100644 ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/opcache.ini create mode 100644 ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/opcache_invalidate.conf create mode 100644 ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/sessions.ini create mode 100644 ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/timezone.ini create mode 100644 ubuntu-7.1/rootfs/etc/php/7.1/fpm/php-fpm.conf create mode 100644 ubuntu-7.1/rootfs/etc/php/7.1/fpm/php-fpm.d/preserve-env.conf create mode 100644 
ubuntu-7.1/rootfs/etc/php/7.1/fpm/php.ini create mode 100644 ubuntu-7.1/rootfs/etc/services.d/cron/run create mode 100755 ubuntu-7.1/rootfs/etc/services.d/nginx/run create mode 100644 ubuntu-7.1/rootfs/etc/services.d/php-fpm/run create mode 100755 ubuntu-7.1/rootfs/usr/bin/wp create mode 100755 ubuntu-7.1/rootfs/usr/local/bin/phinx create mode 100755 ubuntu-7.1/rootfs/usr/local/bin/print-smtp-password create mode 100755 ubuntu-7.1/rootfs/usr/local/bin/wp-run-cron create mode 100755 ubuntu-7.1/rootfs/usr/sbin/sendmail create mode 100644 ubuntu-7.1/rootfs/usr/share/nginx/html/403.html create mode 100644 ubuntu-7.1/rootfs/usr/share/nginx/html/500.html create mode 100644 ubuntu-7.1/rootfs/usr/share/nginx/html/502.html create mode 100644 ubuntu-7.1/rootfs/usr/share/nginx/html/504.html create mode 100644 web/info.php diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..2eba2d8 --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,8 @@ +The MIT License (MIT) +Copyright (c) 2016 Geniem Oy + +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. \ No newline at end of file diff --git a/README.md b/README.md new file mode 100644 index 0000000..49b550e --- /dev/null +++ b/README.md 
@@ -0,0 +1,141 @@ +# Lightweight PHP-FPM & Nginx Docker Image for WordPress +[![devgeniem/alpine-wordpress docker image](http://dockeri.co/image/devgeniem/wordpress-server)](https://registry.hub.docker.com/u/devgeniem/wordpress-server/) + +[![License](https://img.shields.io/:license-mit-blue.svg?style=flat-square)](http://badges.mit-license.org) + +This is maintained repository. We use this project in production and recommend this for your projects too. This container doesn't have mysql or email, you need to provide them from elsewhere. This can be other container or your host machine. + +I tried to include all build, test and project tools in [docker-alpine-wordpress](https://github.com/devgeniem/docker-alpine-wordpress) image. I think that more modular design is better for docker and security as well. + +This project tries to be as minimal as possible and doesn't include anything that we don't absolutely need in the runtime. + +## Aren't you only supposed to run one process per container? +We think that docker container should be small set of processes which provide one service rather than one clumsy process. This container uses [s6-overlay](https://github.com/just-containers/s6-overlay) in order to run php-fpm and nginx together. + +## Container layout +Mount your wordpress project into: +``` +/var/www/project +``` + +Your project should define web root in: +``` +/var/www/project/web +``` +This is the place where nginx will serve requests. This is compatible with [bedrock layout](https://github.com/roots/bedrock). + +### Override project path +You can use `OVERRIDE_PROJECT_ROOT` variable to change project path with symlink. + +For example in `Drone CI` all mounts are done into `/drone/src` folder and we use `OVERRIDE_PROJECT_ROOT=/drone/src/project` in our testing. + +Container creates a symlink from /var/www/project into `$OVERRIDE_PROJECT_ROOT` which allows us to use custom path. 
+ +## User permissions +You can use `WP_GID` and `WP_UID` env to change web user and group. + +If these are not set container will look for owner:group from files mounted in `/var/www/project/web/`. + +If these files are owned by root user or root group the container will automatically use 100:101 as permissions instead. This is so that we won't never run nginx and php-fpm as root. + +## Nginx includes +You can have custom nginx includes in your project mount `/var/www/project/nginx`. + +**Include into http {} block:** +`/var/www/project/nginx/http/*.conf` + +**Include into server {} block:** +`/var/www/project/nginx/server/*.conf` + +See more in our [wp-project template](https://github.com/devgeniem/wp-project). + +## Cron jobs +You can place cron file in `/var/www/project/tasks.cron`. This is symlinked to crond and run as user `wordpress`. + +For example: +``` +# do daily/weekly/monthly maintenance +* * * * * echo "test log from: $(whoami)..." >> /tmp/test.log +``` + +## Environment Variables + +### Timezone +This sets timezone for the environment and php. See candidates here: http://php.net/manual/en/timezones.php +``` +TZ # Default: 'Europe/Helsinki' +``` + +### Development/Production + +``` +WP_ENV # Default: '' Options: development,testing,production,pretty-much-anything-you-want +``` + +### Database variables (mysql/mariadb) + +``` +DB_NAME # Default: '' +DB_PASSWORD # Default: '' +DB_USER # Default: '' +DB_HOST # Default: '' +DB_PORT # Default: '' +``` + +Remember to set `DB_NAME`, `DB_PASSWORD` and `DB_USER` and use these variables in your wp-config.php. These are automatically added as envs in php context. + +### Email variables + +``` +SMTP_HOST +``` + +This variable changes the host where container tries to send mail from. By default this is docker host `172.17.0.1`. + +``` +SMTP_PORT +``` + +This variable changes the port where container tries to connect in order to send mail. By default this is `25`. 
+ +``` +SMTP_TLS +``` + +If this is provided use username in authenticating to mail server. Default: null +``` +SMTP_USER +``` + +If this is provided use password in authenticating to mail server. Default: null +``` +SMTP_PASSWORD +``` + +If this is `on` mail will use username/password authentication in connections to smtp server. +This will automatically activate if you use `SMTP_USER` and `SMTP_PASSWORD`. Default: `off` +``` +SMTP_AUTH +``` + +See more about these variables in [msmtp docs](http://msmtp.sourceforge.net/doc/msmtp.html#Authentication). + +### PHP and Nginx Variables +You can change following env to change php configs: + +``` +# Variables and default values +PHP_MEMORY_LIMIT=128M +NGINX_MAX_BODY_SIZE=64M +NGINX_FASTCGI_TIMEOUT=30 +``` + +## What's inside container: +### For running WordPress +- php7 +- php-fpm7 +- nginx +- wp-cli + +### For sending emails with smtp server +- msmtp diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000..ae2a3bb --- /dev/null +++ b/docker-compose.yml @@ -0,0 +1,30 @@ +# Use this if you're testing/debugging the build locally on OSX +web56: + build: ./php5.6/ + command: /init + ports: + - 80 + volumes: + - ./web:/var/www/project/web + environment: + WP_UID: 100 + WP_GID: 101 + + # For testing with gdev + VIRTUAL_HOST: php56.test + PORT: 80 + +web70: + build: ./php7.0/ + command: /init + ports: + - 80 + volumes: + - ./web:/var/www/project/web + environment: + WP_UID: 100 + WP_GID: 101 + + # For testing with gdev + VIRTUAL_HOST: php70.test + PORT: 80 diff --git a/ubuntu-7.1/.dockerignore b/ubuntu-7.1/.dockerignore new file mode 100644 index 0000000..a18daff --- /dev/null +++ b/ubuntu-7.1/.dockerignore @@ -0,0 +1,12 @@ +# These files are ignored from being uploaded to docker build context + +# Git is not needed in docker image building +.git + +# No OSX rubbish +.DS_Store + +# Development stuff +docker-compose.yml +.dockerignore +Dockerfile 
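Review bot: Both services build from `./php5.6/` and `./php7.0/`, but the only image directory this commit adds is `ubuntu-7.1/`, so `docker-compose build` fails on a fresh checkout; point one service at `build: ./ubuntu-7.1/` or add the missing directories. The `WP_UID`/`WP_GID` keys under `environment` are also not the names the image reads — the Dockerfile `ENV` block and `cont-init.d/01-create-web-user` use `WEB_UID`/`WEB_GID` — so the intended 100:101 override is silently ignored and the container falls back to 1000:1001. The README documents the same `WP_*` names, so either the script should honour them or the docs and this file should switch to `WEB_*`.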
diff --git a/ubuntu-7.1/Dockerfile b/ubuntu-7.1/Dockerfile new file mode 100644 index 0000000..af75329 --- /dev/null +++ b/ubuntu-7.1/Dockerfile 
@@ -0,0 +1,182 @@ +FROM ci.gpilvi.com:5000/devgeniem/docker-openresty-pagespeed-ubuntu +MAINTAINER Ville Pietarinen - Geniem Oy + +## +# Only use these during installation +## +ARG LANG=C.UTF-8 +ARG DEBIAN_FRONTEND=noninteractive + +## +# Install php7 packages from dotdeb.org +# - Dotdeb is an extra repository providing up-to-date packages for your Debian servers +## +RUN \ + apt-get update \ +&& apt-get -y install software-properties-common \ + && add-apt-repository ppa:ondrej/php \ + && apt-get -y --no-install-recommends install \ + apt-utils \ + curl \ + nano \ + ca-certificates \ + git \ + mysql-client \ + postfix \ + netcat \ + less \ + libmcrypt-dev \ + && apt-get update \ + && apt-get -y install php7.1 \ + && apt-get -y --no-install-recommends install \ + php7.1-cli \ + php7.1-common \ + php7.1-apcu \ + php7.1-apcu-bc \ + php7.1-curl \ + php7.1-json \ + php7.1-mcrypt \ + php7.1-opcache \ + php7.1-readline \ + php7.1-xml \ + php7.1-zip \ + php7.1-fpm \ + php7.1-redis \ + php7.1-mongodb \ + php7.1-mysqli \ + php7.1-intl \ + php7.1-gd \ + php7.1-mbstring \ + php7.1-soap \ + php7.1-bcmath \ + php7.1-curl \ + php7.1-ldap \ + php7.1-mcrypt \ + # Force install only cron without extra mailing dependencies + && cd /tmp \ + && apt-get download cron \ + && dpkg --force-all -i cron*.deb \ + && mkdir -p /var/spool/cron/crontabs \ + # Cleanup + && apt-get clean \ + && apt-get autoremove \ + && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /usr/share/doc/* /var/log/apt/* /var/log/*.log + + +# Install helpers +RUN \ + ## + # Install composer + ## + curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer \ + && composer global require hirak/prestissimo \ + + ## + # Install wp-cli + # source: http://wp-cli.org/ + ## + && curl -L https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar -o /usr/local/bin/wp-cli \ + && chmod +rx /usr/local/bin/wp-cli \ + # Symlink it to /usr/bin as well so that cron can find this 
script with limited PATH + && ln -s /usr/local/bin/wp-cli /usr/bin/wp-cli \ + + ## + # Install cronlock for running cron correctly with multi container setups + # https://github.com/kvz/cronlock + ## + && curl -L https://raw.githubusercontent.com/kvz/cronlock/master/cronlock -o /usr/local/bin/cronlock \ + && chmod +rx /usr/local/bin/cronlock \ + # Symlink it to /usr/bin as well so that cron can find this script with limited PATH + && ln -s /usr/local/bin/cronlock /usr/bin/cronlock + +## +# Add Project files like nginx and php-fpm processes and configs +# Also custom scripts and bashrc +## +COPY rootfs/ / + +# Run small fixes +RUN set -x \ + && mkdir -p /var/www/uploads \ + && mkdir -p /dev/cache \ + && mkdir -p /tmp/php-opcache \ + && ln -sf /usr/sbin/php-fpm7.1 /usr/sbin/php-fpm \ + && ln -sf /usr/bin/wp /usr/local/bin/wp +# This is for your project root +ENV PROJECT_ROOT="/var/www/project" + +ENV \ + # Add interactive term + TERM="xterm" \ + # Set defaults which can be overriden + MYSQL_PORT="3306" \ + # Use default web port in nginx but allow it to be overridden + # This also works correctly with flynn: + # https://github.com/flynn/flynn/issues/3213#issuecomment-237307457 + PORT="8080" \ + # Use custom users for nginx and php-fpm + WEB_USER="wordpress" \ + WEB_GROUP="web" \ + WEB_UID=1000 \ + WEB_GID=1001 \ + # Set defaults for redis + REDIS_PORT="6379" \ + REDIS_DATABASE="0" \ + REDIS_PASSWORD="" \ + REDIS_SCHEME="tcp" \ + # Set defaults for NGINX redis cache + # This variable uses seconds by default + # Time units supported are "s"(seconds), "ms"(milliseconds), "y"(years), "M"(months), "w"(weeks), "d"(days), "h"(hours), and "m"(minutes). 
+ NGINX_REDIS_CACHE_TTL_DEFAULT="900" \ + NGINX_REDIS_CACHE_TTL_MAX="4h" \ + # Cronlock is used to stop simultaneous cronjobs in clusterised environments + CRONLOCK_HOST="" \ + # This is used by nginx and php-fpm + WEB_ROOT="${PROJECT_ROOT}/web" \ + # This is used automatically by wp-cli + WP_CORE="${PROJECT_ROOT}/web/wp" \ + # Nginx include files + NGINX_INCLUDE_DIR="/var/www/project/nginx" \ + # Allow bigger file uploads + NGINX_MAX_BODY_SIZE="10M" \ + # Allow storing bigger body in memory + NGINX_BODY_BUFFER_SIZE="32k" \ + # Have sane fastcgi timeout by default + NGINX_FASTCGI_TIMEOUT="30" \ + # Have sane fastcgi timeout by default + NGINX_ERROR_LEVEL="warn" \ + # Have sane fastcgi timeout by default + NGINX_ERROR_LOG="stderr" \ + # Have sane fastcgi timeout by default + NGINX_ACCESS_LOG="/dev/stdout" \ + # Default cache key for nginx http cache + NGINX_CACHE_KEY='wp_:nginx:$real_scheme$request_method$host$request_uri' \ + # PHP settings + PHP_MEMORY_LIMIT="128M" \ + PHP_MAX_INPUT_VARS="1000" \ + PHP_ERROR_LOG="/proc/self/fd/1" \ + PHP_ERROR_LOG_LEVEL="warning" \ + PHP_ERROR_LOG_MAX_LEN="8192" \ + PHP_SESSION_REDIS_DB="0" \ + PHP_SESSION_HANDLER="files" \ + # You should count the *.php files in your project and set this number to be bigger + # $ find . -type f -print | grep php | wc -l + PHP_OPCACHE_MAX_FILES="8000" \ + # Amount of memory in MB to allocate for opcache + PHP_OPCACHE_MAX_MEMORY="128" \ + # Use host machine as default SMTP_HOST + SMTP_HOST="172.17.1.1" \ + # This folder is used to mount files into host machine + # You should use this path for your uploads since everything else should be ephemeral + UPLOADS_ROOT="/var/www/uploads" \ + # This can be overidden by you, it's just default for us + TZ="Europe/Helsinki" +# Setup $TZ. 
Remember to run this again in your own build + # Make sure that all files here have execute permissions +RUN dpkg-reconfigure tzdata && \ + chmod +x /etc/cont-init.d/* +# Set default path to project folder for easier running commands in project +WORKDIR ${PROJECT_ROOT} +EXPOSE ${PORT} +ENTRYPOINT ["/init"] + diff --git a/ubuntu-7.1/rootfs/etc/ImageMagick b/ubuntu-7.1/rootfs/etc/ImageMagick new file mode 100644 index 0000000..d88e8bf --- /dev/null +++ b/ubuntu-7.1/rootfs/etc/ImageMagick @@ -0,0 +1,11 @@ + + + + + + + + + + + diff --git a/ubuntu-7.1/rootfs/etc/cont-init.d/00-render-templates b/ubuntu-7.1/rootfs/etc/cont-init.d/00-render-templates new file mode 100755 index 0000000..8d42af1 --- /dev/null +++ b/ubuntu-7.1/rootfs/etc/cont-init.d/00-render-templates 
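Review bot: Every helper is installed from an unverified network download: the Composer installer is piped straight into `php`, `wp-cli.phar` and `cronlock` are fetched from mutable branch URLs (`gh-pages`, `master`) with no checksum, and the `FROM` image is not pinned by digest, so a changed or compromised upstream lands in the image unnoticed at the next build. Download each file first, check it against a hash you recorded when you tested the release (Composer publishes the installer's SHA-384 as `installer.sig`), and pin the base image with `@sha256:…`. `dpkg --force-all -i cron*.deb` also switches off every dpkg safety check; `--force-depends` alone keeps the stated intent (skip the mail dependencies) with far less blast radius. Two smaller inconsistencies: the RUN comment says packages come from dotdeb.org while the code adds `ppa:ondrej/php`, and `SMTP_HOST` defaults to `172.17.1.1` here but the README documents `172.17.0.1`.
```dockerfile
# … unchanged: FROM/ARG lines and the apt-get RUN …
RUN \
    curl -sS https://getcomposer.org/installer -o /tmp/composer-setup.php \
    && echo "<COMPOSER_INSTALLER_SHA384>  /tmp/composer-setup.php" | sha384sum -c - \
    && php /tmp/composer-setup.php --install-dir=/usr/local/bin --filename=composer \
    && rm -f /tmp/composer-setup.php \
    && composer global require hirak/prestissimo \
    && curl -L https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar -o /usr/local/bin/wp-cli \
    && echo "<WP_CLI_PHAR_SHA256>  /usr/local/bin/wp-cli" | sha256sum -c - \
    && chmod +rx /usr/local/bin/wp-cli \
    # … unchanged: wp-cli symlink; cronlock install gets the same checksum check …
```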
@@ -0,0 +1,68 @@ +#!/usr/bin/with-contenv bash +## +# This script uses clever heredoc hack to substitute env variables into static config files +# Source: http://stackoverflow.com/questions/2914220/bash-templating-how-to-build-configuration-files-from-templates-with-bash +## + +## +# Replaces ${ENV} placoholders from file with provided variables +# $1 - ':'' separated list of variables +# $2 - filename to render +## +function render_env_tmpl() { + vars=$1 + input_file=$2 + # If filename ends with .tmpl replace it without the .tmpl + filename=$(dirname $input_file)/$(basename $input_file .tmpl) + + tmp_file=/tmp/$(basename $filename) + + # render all provided $vars to temporary file + envsubst "$vars" < $input_file > $tmp_file + + # replace original file with rendered file + mv $tmp_file $filename +} + +echo "[cont-init.d] Substituting env into configuration files..." + +## +# Nginx doesn't support env variables in config files so we will have to do this in hacky way instead +## +VARS='$PORT:$WEB_ROOT:$WEB_USER:$WEB_GROUP:$NGINX_ACCESS_LOG:$NGINX_ERROR_LOG:$NGINX_ERROR_LEVEL:$NGINX_INCLUDE_DIR:$NGINX_MAX_BODY_SIZE:$NGINX_BODY_BUFFER_SIZE:$NGINX_FASTCGI_TIMEOUT:$WP_ENV:$NGINX_CACHE_KEY' +render_env_tmpl "$VARS" /etc/nginx/nginx.conf + +## +# Redis cache needs to know the redis instance and credentials +## + +# Set defaults if they are not set +export REDIS_HOST=${REDIS_HOST-$REDIS_1_PORT_6379_TCP_ADDR} +export REDIS_PORT=${REDIS_PORT-6379} +export REDIS_DATABASE=${REDIS_DATABASE-0} +export REDIS_PASSWORD=${REDIS_PASSWORD-''} +export REDIS_CACHE_TTL=${REDIS_CACHE_TTL-14400} + +# Add helper variables for AWS s3 bucket storage +VARS+='$AWS_S3_BUCKET_NAME:AWS_S3_REPLICA_BUCKET_NAME' + +# Add Redis variables +VARS+='$REDIS_HOST:$REDIS_PORT:$REDIS_DATABASE:$REDIS_PASSWORD:$NGINX_REDIS_CACHE_TTL_MAX:$NGINX_REDIS_CACHE_TTL_DEFAULT:$NGINX_REDIS_CACHE_PREFIX' + +render_env_tmpl "$VARS" /etc/nginx/cache/redis_backend.conf + +render_env_tmpl "$VARS" /etc/nginx/cache/srcache.conf 
+render_env_tmpl "$VARS" /etc/nginx/cache/fastcgicache_settings.conf +## +# Render all user provided nginx templates +## +VARS+='$BASIC_AUTH_USER:$BASIC_AUTH_PASSWORD_HASH' +for conf_file in $(find $NGINX_INCLUDE_DIR -type f -name '*.tmpl'); do + echo "[cont-init.d] Rendering env in $conf_file..." + + # Add helper variables for easier scripting + export __DIR__=$(dirname $conf_file) + + VARS_TMPL=$VARS':$__DIR__' + render_env_tmpl "$VARS_TMPL" $conf_file +done diff --git a/ubuntu-7.1/rootfs/etc/cont-init.d/01-create-web-user b/ubuntu-7.1/rootfs/etc/cont-init.d/01-create-web-user new file mode 100755 index 0000000..aeb0aa7 --- /dev/null +++ b/ubuntu-7.1/rootfs/etc/cont-init.d/01-create-web-user 
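Review bot: `VARS+='$AWS_S3_BUCKET_NAME:AWS_S3_REPLICA_BUCKET_NAME'` is missing the `$` on the second name, so envsubst never sees `AWS_S3_REPLICA_BUCKET_NAME` as a variable reference and any `${AWS_S3_REPLICA_BUCKET_NAME}` placeholder in a template is left unrendered; it should read `VARS+=':$AWS_S3_BUCKET_NAME:$AWS_S3_REPLICA_BUCKET_NAME'`. In `render_env_tmpl` the rendered output — which for `redis_backend.conf` contains `REDIS_PASSWORD` and for user templates `BASIC_AUTH_PASSWORD_HASH` — is staged at the predictable, world-readable path `/tmp/$(basename $filename)` before the `mv`; `tmp_file=$(mktemp)` keeps that copy out of a shared, guessable location (note `mv` then carries mktemp's 0600 mode onto the final file, which is fine for configs only root parses). The `for conf_file in $(find …)` loop splits on whitespace, so a template path containing a space is mangled; `find "$NGINX_INCLUDE_DIR" -type f -name '*.tmpl' -print0 | while IFS= read -r -d '' conf_file` avoids it, and the unquoted `$input_file`/`$filename` uses inside the function have the same issue.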
@@ -0,0 +1,58 @@
+#!/usr/bin/with-contenv bash
+
+##
+# If $WEB_USER user and web group already exists just skip the user creation
+##
+if id -u $WEB_USER > /dev/null 2>&1 && getent group $WEB_GROUP > /dev/null 2>&1; then
+ echo "[cont-init.d] user:$WEB_USER and group:$WEB_GROUP already exist, skipping..."
+ exit 0
+fi
+
+##
+# Create $WEB_USER user with $WEB_UID and web group with $WEB_GID
+##
+
+# Set defaults if they are not set
+export WEB_USER=${WEB_USER-wordpress}
+export WEB_GROUP=${WEB_GROUP-web}
+export WEB_UID=${WEB_UID-1000}
+export WEB_GID=${WEB_GID-1000}
+
+echo "[cont-init.d] Creating $WEB_USER user with id: $WEB_UID and group web with id: $WEB_GID"
+
+# Create web group
+if [ -n "$WEB_GID" ]; then
+
+ # Check if group with $WEB_GID already exists
+ web_group=$(getent group $WEB_GID | cut -d':' -f1)
+
+ if [ -n "$web_group" ]; then
+
+ # Replace the existing group name to web
+ # This is done so that in local development we can just lookup permissions from mounted folders
+ # This UID/GID can be same as something already existing inside container
+ # This way we can use same uid/gid in container and host machine
+ echo "[cont-init.d] Replacing pre-existing group name $web_group -> $WEB_GROUP"
+ sed -i "s|$web_group|$WEB_GROUP|g" /etc/group
+
+ else
+ # Create new group
+ echo "$ groupadd -g $WEB_GID $WEB_GROUP"
+ groupadd -g $WEB_GID $WEB_GROUP
+ fi
+else
+ echo "[cont-init.d] ERROR: Please set web user group id in WEB_GID" 1>&2
+ exit 2
+fi
+
+# Create $WEB_USER user
+if [ -n "$WEB_UID" ] && [ -n "$WEB_GID" ] ; then
+ echo "$ useradd -u $WEB_UID -g $WEB_GROUP --home $PROJECT_ROOT $WEB_USER"
+ useradd -u $WEB_UID -g $WEB_GROUP --home $PROJECT_ROOT $WEB_USER
+else
+ echo "[cont-init.d] ERROR: Please set web user id in WEB_UID" 1>&2
+ exit 2
+fi
+
+# Check that processes can write logs
+chown $WEB_USER:$WEB_GROUP /var/log
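Review bot: Renaming an existing group with `sed -i "s|$web_group|$WEB_GROUP|g" /etc/group` rewrites every occurrence of that string in the file, not just the name field of one line, so a group name that is a substring of another group or appears in a member list corrupts `/etc/group`; `groupmod -n "$WEB_GROUP" "$web_group"` performs the rename safely and keeps `/etc/gshadow` in step. The `export WEB_USER=${WEB_USER-wordpress}` defaults are assigned after the `id -u $WEB_USER` guard has already used the variables, so an unset `WEB_USER` is tested as an empty string; move the four exports above the guard. `chown $WEB_USER:$WEB_GROUP /var/log` hands the whole log tree — not only the `nginx`/`php`/`mail` directories that `02-init-directories-and-files` creates — to the unprivileged web user, which lets a compromised PHP process truncate or alter any log in the container; restrict it to the directories the services actually write. The README's promise to derive the uid/gid from the owner of the mounted `web/` directory, with a 100:101 fallback for root-owned mounts, is not implemented here.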
diff --git a/ubuntu-7.1/rootfs/etc/cont-init.d/02-init-crond b/ubuntu-7.1/rootfs/etc/cont-init.d/02-init-crond
new file mode 100755
index 0000000..962a79e
--- /dev/null
+++ b/ubuntu-7.1/rootfs/etc/cont-init.d/02-init-crond
@@ -0,0 +1,30 @@
+#!/usr/bin/with-contenv bash
+
+# Copy cronjob from project and run as nginx
+if [ -f $PROJECT_ROOT/tasks.cron ]; then
+
+ # Setup all container env for cron
+ printenv | grep -v ^_= | grep -v "no_proxy" >> /etc/environment
+
+ # Use default redis for cronlock if cronlock variables are not set
+ if [ -n "$REDIS_HOST" ] && [ -z "$CRONLOCK_HOST" ] ; then
+ echo "CRONLOCK_HOST=$REDIS_HOST" >> /etc/environment
+ fi
+ if [ -n "$REDIS_PASSWORD" ] && [ -z "$CRONLOCK_AUTH" ] ; then
+ echo "CRONLOCK_AUTH=$REDIS_PASSWORD" >> /etc/environment
+ fi
+ if [ -n "$REDIS_PORT" ] && [ -z "$CRONLOCK_PORT" ] ; then
+ echo "CRONLOCK_PORT=$REDIS_PORT" >> /etc/environment
+ fi
+ # env for running wp cron
+ echo "CRON_URL=$CRON_URL" >> /etc/environment;
+ # Copy cron template
+ cp $PROJECT_ROOT/tasks.cron /var/spool/cron/crontabs/$WEB_USER
+ chown $WEB_USER /var/spool/cron/crontabs/$WEB_USER
+ chmod 0600 /var/spool/cron/crontabs/$WEB_USER
+else
+ # No cronjobs found remove crond from s6
+ if [ -f /etc/services.d/cron ]; then
+ rm -r /etc/services.d/cron
+ fi
+fi
diff --git a/ubuntu-7.1/rootfs/etc/cont-init.d/02-init-directories-and-files b/ubuntu-7.1/rootfs/etc/cont-init.d/02-init-directories-and-files
new file mode 100755
index 0000000..34df974
--- /dev/null
+++ b/ubuntu-7.1/rootfs/etc/cont-init.d/02-init-directories-and-files
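Review bot: `printenv … >> /etc/environment` copies the entire container environment — `DB_PASSWORD`, `REDIS_PASSWORD`, `SMTP_PASSWORD`, any AWS credentials — into a file that is world-readable by default, and the lines after it add `CRONLOCK_AUTH=$REDIS_PASSWORD` as well, so every process in the container can read the secrets whatever user it runs as. Since cron reads the file as root, `chmod 0600 /etc/environment` immediately after writing closes that, and passing only the variables the tasks need would be better still. The cleanup branch tests `[ -f /etc/services.d/cron ]`, but `services.d/cron` is a directory (this commit adds `services.d/cron/run`), so `-f` is never true and the cron service is never removed; use `-d`. `02-init-crond` and `02-init-directories-and-files` share the `02-` prefix, so their relative order under s6 rests on name sorting rather than being stated, and this script is the one that needs `$WEB_USER` to exist already.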
@@ -0,0 +1,18 @@ +#!/usr/bin/with-contenv bash + +# Create uploads directory if not exists +mkdir -p $UPLOADS_ROOT +chown $WEB_USER:$WEB_GROUP $UPLOADS_ROOT + +# Create dir for nginx tmp files +mkdir -p /tmp/nginx/body +chown -R $WEB_USER:$WEB_GROUP /tmp/nginx + +# Create log directories if they don't exist already +mkdir -p /var/log/{nginx,php,mail} + +# Create error.log so that php-fpm can write to it +touch /var/log/php/error.log + +# Chown all files to wordpress +chown -R $WEB_USER:$WEB_GROUP /var/log/{nginx,php,mail} diff --git a/ubuntu-7.1/rootfs/etc/nginx/additional.types b/ubuntu-7.1/rootfs/etc/nginx/additional.types new file mode 100644 index 0000000..ac8070e --- /dev/null +++ b/ubuntu-7.1/rootfs/etc/nginx/additional.types @@ -0,0 +1,6 @@ +# If developers add .woff2 type font files we should provide good Content-Type headers +types { + # Add mime support for woff2 + # http://stackoverflow.com/questions/28235550/proper-mime-type-for-woff2-fonts + font/woff2 woff2; +} diff --git a/ubuntu-7.1/rootfs/etc/nginx/cache/fastcgicache.conf b/ubuntu-7.1/rootfs/etc/nginx/cache/fastcgicache.conf new file mode 100644 index 0000000..4229815 --- /dev/null +++ b/ubuntu-7.1/rootfs/etc/nginx/cache/fastcgicache.conf @@ -0,0 +1,13 @@ +## +# Add few rules which deny using cache +## +include cache/fastcgicache_skip_rules.conf; +include cache/helper_variables.conf; +fastcgi_cache_bypass $skip_cache; +fastcgi_no_cache $skip_cache; + +fastcgi_cache WORDPRESS; +#proxy_ignore_headers Set-Cookie Expires Cache-Control; + +# Add header for easier cache debugging +add_header X-Cache $upstream_cache_status; diff --git a/ubuntu-7.1/rootfs/etc/nginx/cache/fastcgicache_settings.conf b/ubuntu-7.1/rootfs/etc/nginx/cache/fastcgicache_settings.conf new file mode 100644 index 0000000..1e8775b --- /dev/null +++ b/ubuntu-7.1/rootfs/etc/nginx/cache/fastcgicache_settings.conf 
@@ -0,0 +1,8 @@ +## +# Basic settings of Fast cgi cache +## +fastcgi_cache_path /dev/cache levels=1:2 keys_zone=WORDPRESS:10m max_size=1000m inactive=600m; +fastcgi_cache_key $scheme$request_method$host$request_uri; +fastcgi_cache_lock on; +fastcgi_cache_use_stale error timeout invalid_header updating http_500; +fastcgi_cache_valid ${NGINX_REDIS_CACHE_TTL_DEFAULT}; \ No newline at end of file diff --git a/ubuntu-7.1/rootfs/etc/nginx/cache/fastcgicache_skip_rules.conf b/ubuntu-7.1/rootfs/etc/nginx/cache/fastcgicache_skip_rules.conf new file mode 100644 index 0000000..2a560d8 --- /dev/null +++ b/ubuntu-7.1/rootfs/etc/nginx/cache/fastcgicache_skip_rules.conf @@ -0,0 +1,26 @@ +## +# Add few rules which deny using cache +## + +# Don't skip cache by default +set $skip_cache 0; + +# POST requests and urls with a query string should always go to PHP +if ($request_method = POST) { + set $skip_cache 1; +} + +# If theres any args skip cache +if ($query_string != "") { + set $skip_cache 1; +} + +# Don't use the cache for logged in users or recent commenters +if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in|woocommerce_items_in_cart") { + set $skip_cache 1; +} + +# Don't cache responses from wp-admin, xmlrpc and wp-login.php +if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php") { + set $skip_cache 1; +} diff --git a/ubuntu-7.1/rootfs/etc/nginx/cache/helper_variables.conf b/ubuntu-7.1/rootfs/etc/nginx/cache/helper_variables.conf new file mode 100644 index 0000000..ea10fb9 --- /dev/null +++ b/ubuntu-7.1/rootfs/etc/nginx/cache/helper_variables.conf 
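Review bot: `fastcgi_cache_key $scheme$request_method$host$request_uri` keys on `$scheme`, whereas the Redis key set through the Dockerfile's `NGINX_CACHE_KEY` uses `$real_scheme`; behind a TLS-terminating proxy `$scheme` is `http` for every request, so pages rendered for plain-HTTP and HTTPS visitors share one entry and WordPress's absolute URLs from one are served to the other. Use `$real_scheme` here too so both caches agree. `cache/helper_variables.conf` is included in `fastcgicache.conf` only to compute `$prefer_language_slug`, which this key never references, so either add it to the key or drop the include. In `fastcgicache_skip_rules.conf` the patterns `/xmlrpc.php` and `wp-.*.php` leave the dots unescaped; that only widens the skip, but `wp-.*\.php` states what is meant.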
@@ -0,0 +1,15 @@
+##
+# This file creates few helper variables
+# $prefer_language_slug - 2 first letters from accept-language header to determine the language redirects from cache
+##
+
+##
+# Parse first two letters from accept-language header to determine right cache key
+##
+set_by_lua_block $prefer_language_slug {
+ if ngx.var.http_accept_language then
+ return string.lower( string.match( ngx.var.http_accept_language, '%w%w' ) )
+ else
+ return 'en'
+ end
+}
diff --git a/ubuntu-7.1/rootfs/etc/nginx/cache/redis_backend.conf b/ubuntu-7.1/rootfs/etc/nginx/cache/redis_backend.conf
new file mode 100644
index 0000000..e9f86a3
--- /dev/null
+++ b/ubuntu-7.1/rootfs/etc/nginx/cache/redis_backend.conf
@@ -0,0 +1,45 @@
+##
+# Adds internal locations for storing and getting full page cache from redis
+##
+
+srcache_default_expire '${NGINX_REDIS_CACHE_TTL_DEFAULT}';
+srcache_max_expire '${NGINX_REDIS_CACHE_TTL_MAX}';
+
+location /redis-fetch {
+ internal;
+
+ ##
+ # In order to use password authentication we use custom redis module which adds $redis_auth:
+ # - https://github.com/Yongke/ngx_http_redis-0.3.7
+ ##
+
+ # Read the configuration from system envs
+ set $redis_auth '${REDIS_PASSWORD}';
+ set $redis_db ${REDIS_DATABASE};
+
+ set $redis_key $args;
+
+ redis_pass ${REDIS_HOST}:${REDIS_PORT};
+}
+
+location /redis-store {
+ internal;
+
+ set_unescape_uri $exptime $arg_exptime;
+ set_unescape_uri $key $arg_key;
+
+ # Fix caching problem for now
+ # There's issue in github https://github.com/openresty/srcache-nginx-module/issues/61
+ set_if_empty $srcache_expire '${NGINX_REDIS_CACHE_TTL_DEFAULT}';
+
+ # redis module pipelines these 3 commands into single request
+ redis2_query auth '${REDIS_PASSWORD}';
+ redis2_query select ${REDIS_DATABASE};
+
+ # Set and expire with one command: http://redis.io/commands/setex
+ redis2_query setex $key $srcache_expire $echo_request_body;
+
+ # Pass the request to redis
+ redis2_pass ${REDIS_HOST}:${REDIS_PORT};
+
+}
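Review bot: `string.lower( string.match( ngx.var.http_accept_language, '%w%w' ) )` raises a Lua error whenever the header is present but holds fewer than two consecutive word characters (for example `Accept-Language: *`), because `string.match` returns nil and `string.lower(nil)` throws; `set_by_lua_block` then fails the request with a 500 that any client can provoke. Guard the match instead: `local slug = string.match(ngx.var.http_accept_language, '%w%w')` followed by `return slug and string.lower(slug) or 'en'`. The header comment could also say that only the first two word characters are used, so `en-GB` and `en-US` share a slug by design.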
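Review bot: `redis2_query auth '${REDIS_PASSWORD}'` is emitted unconditionally, and the Dockerfile defaults `REDIS_PASSWORD` to the empty string, so an `AUTH ''` is pipelined to a Redis with no password configured; Redis answers that with an error reply, and whether `/redis-store` still writes after it depends on how redis2 treats a failed command in the pipeline — worth verifying for the unauthenticated case, or rendering the `auth` line only when a password is set. The password also ends up as a literal in this file twice (the `$redis_auth` `set` and the `redis2_query auth`), and the file ships as `100644` and is rewritten through `/tmp` by `00-render-templates`, so it is readable by every user in the container; if the nginx master runs as root and is the only reader, `0640 root:root` after rendering is sufficient. A comment noting that `REDIS_HOST`/`REDIS_PORT` default to the `REDIS_1_PORT_6379_TCP_ADDR` link variable in the render script would help the next reader of `redis_pass ${REDIS_HOST}:${REDIS_PORT}`.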
diff --git a/ubuntu-7.1/rootfs/etc/nginx/cache/skip_rules.conf b/ubuntu-7.1/rootfs/etc/nginx/cache/skip_rules.conf new file mode 100644 index 0000000..43344c8 --- /dev/null +++ b/ubuntu-7.1/rootfs/etc/nginx/cache/skip_rules.conf @@ -0,0 +1,30 @@ +## +# Add few rules which deny using cache +## + +# Don't skip cache by default +set $skip_cache 0; + +# POST requests and urls with a query string should always go to PHP +if ($request_method = POST) { + set $skip_cache 1; +} + +# If theres any args skip cache +if ($query_string != "") { + set $skip_cache 1; +} + +# Don't use the cache for logged in users or recent commenters +if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in|woocommerce_items_in_cart") { + set $skip_cache 1; +} + +# Don't cache responses from wp-admin, xmlrpc and wp-login.php +if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php") { + set $skip_cache 1; +} + +# Skip fetch and skip if conditions are met +srcache_fetch_skip $skip_cache; +srcache_store_skip $skip_cache; diff --git a/ubuntu-7.1/rootfs/etc/nginx/cache/srcache.conf b/ubuntu-7.1/rootfs/etc/nginx/cache/srcache.conf new file mode 100644 index 0000000..85027dd --- /dev/null +++ b/ubuntu-7.1/rootfs/etc/nginx/cache/srcache.conf @@ -0,0 +1,20 @@ +## +# Add few rules which deny using cache +## +include cache/skip_rules.conf; +include cache/helper_variables.conf; + +# Use redis caching for all pages +# Allow different cache key from env +# Use 'wp_' prefix so that cache can be flushed with: +# $ wp cache flush +set $cache_key "${NGINX_CACHE_KEY}"; +set_escape_uri $escaped_cache_key $cache_key; + +srcache_response_cache_control on; + +srcache_fetch GET /redis-fetch $cache_key; +srcache_store PUT /redis-store key=$escaped_cache_key; + +# Add header for easier cache debugging +add_header X-Cache $srcache_fetch_status; diff --git a/ubuntu-7.1/rootfs/etc/nginx/env.conf b/ubuntu-7.1/rootfs/etc/nginx/env.conf new file mode 100644 index 0000000..8c57f76 
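Review bot: `cache/skip_rules.conf` duplicates `cache/fastcgicache_skip_rules.conf` line for line apart from the two trailing `srcache_*_skip` directives, so every future change to the cookie or URI patterns has to be made twice; have this file `include cache/fastcgicache_skip_rules.conf;` and keep only the `srcache_fetch_skip`/`srcache_store_skip` lines. The skip decision is made purely from the request (method, query string, cookies, URI), so a response that itself sets a cookie on a URL the patterns do not match is still stored and can be replayed to other visitors. If the srcache build in the base image evaluates `srcache_store_skip` against response-time variables, `srcache_store_skip $sent_http_set_cookie;` is a cheap extra guard; otherwise rely on `srcache_response_cache_control on` and make sure WordPress emits `Cache-Control: private` for such pages. The `add_header X-Cache $srcache_fetch_status;` debug header is fine but should be documented as intentionally public.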
--- /dev/null
+++ b/ubuntu-7.1/rootfs/etc/nginx/env.conf
@@ -0,0 +1,12 @@
+# Set custom enviromental variables that we need with lua here
+# These are used to dynamically load
+env PORT;
+env WEB_ROOT;
+env NGINX_MAX_BODY_SIZE;
+env NGINX_TIMEOUT;
+
+# For nginx redis cache
+env REDIS_HOST;
+env REDIS_PORT;
+env REDIS_DATABASE;
+env REDIS_PASSWORD;
diff --git a/ubuntu-7.1/rootfs/etc/nginx/error_pages.conf b/ubuntu-7.1/rootfs/etc/nginx/error_pages.conf
new file mode 100644
index 0000000..700cc6b
--- /dev/null
+++ b/ubuntu-7.1/rootfs/etc/nginx/error_pages.conf
@@ -0,0 +1,31 @@
+##
+# Custom error pages
+##
+
+## 403 - Forbidden
+error_page 403 /403.html;
+location = /403.html {
+ root /usr/share/nginx/html;
+ internal;
+}
+
+## 500 - Internal Server Error
+error_page 500 /500.html;
+location = /500.html {
+ root /usr/share/nginx/html;
+ internal;
+}
+
+## 502 - Bad Gateway
+error_page 502 /502.html;
+location = /502.html {
+ root /usr/share/nginx/html;
+ internal;
+}
+
+## 504 - Gateway Timeout
+error_page 504 /504.html;
+location = /504.html {
+ root /usr/share/nginx/html;
+ internal;
+}
diff --git a/ubuntu-7.1/rootfs/etc/nginx/fastcgi_params b/ubuntu-7.1/rootfs/etc/nginx/fastcgi_params
new file mode 100644
index 0000000..6fccf4f
--- /dev/null
+++ b/ubuntu-7.1/rootfs/etc/nginx/fastcgi_params
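Review bot: `env NGINX_TIMEOUT;` names a variable nothing in this commit sets — the Dockerfile defines `NGINX_FASTCGI_TIMEOUT` — so the export is a no-op and was presumably meant as `env NGINX_FASTCGI_TIMEOUT;`. Exporting `REDIS_PASSWORD` into the nginx process environment makes it readable through `/proc/<pid>/environ` by any process with the worker's uid, which includes the PHP-FPM pool if it shares `$WEB_USER`; since `redis_backend.conf` already has the password rendered in, the `env REDIS_PASSWORD;` line can be dropped unless some Lua code reads it. The comment `# These are used to dynamically load` trails off and should say what is loaded.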
@@ -0,0 +1,29 @@
+# These are just basic things form request
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+##
+# Set these using the knowledge that we are behind proxy
+##
+fastcgi_param REMOTE_ADDR $real_remote;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $real_port;
+fastcgi_param SERVER_NAME $real_host;
+fastcgi_param HTTPS $real_https;
+fastcgi_param REQUEST_SCHEME $real_scheme;
+fastcgi_param HTTP_HOST $real_host;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
diff --git a/ubuntu-7.1/rootfs/etc/nginx/fastcgi_settings.conf b/ubuntu-7.1/rootfs/etc/nginx/fastcgi_settings.conf
new file mode 100644
index 0000000..25683fb
--- /dev/null
+++ b/ubuntu-7.1/rootfs/etc/nginx/fastcgi_settings.conf
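Review bot: `fastcgi_param REMOTE_ADDR $real_remote;` hands PHP whatever the client put in `X-Forwarded-For` (see `proxy_real_variables.conf` later in this commit, where `$real_remote`, `$real_host`, `$real_https` and `$real_scheme` are all derived from unvalidated `X-Forwarded-*` headers), so anything in WordPress that keys on REMOTE_ADDR or HTTP_HOST — comment and login throttling, audit logs, password-reset and canonical URLs — can be influenced by the requester whenever the container is reachable without the trusted proxy in front. `X-Forwarded-For` is also a comma-separated list once there is more than one hop, and that list then lands verbatim in REMOTE_ADDR. The safer shape is nginx's real_ip module with `set_real_ip_from <trusted-proxy-cidr>; real_ip_header X-Forwarded-For; real_ip_recursive on;` and `$remote_addr` passed through, so only addresses asserted by a configured proxy are honoured; at minimum this file should carry a comment that it is only safe behind such a proxy.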
@@ -0,0 +1,23 @@
+# regex to split $uri to $fastcgi_script_name and $fastcgi_path
+fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+# Bypass the fact that try_files resets $fastcgi_path_info
+# see: http://trac.nginx.org/nginx/ticket/321
+set $path_info $fastcgi_path_info;
+fastcgi_param PATH_INFO $path_info;
+
+# Intercept errors from php-fpm
+# These can be:
+# - timeouts for long running requests
+# - requested php file might be missing or not existing in the first place
+fastcgi_intercept_errors on;
+
+fastcgi_index index.php;
+
+# Small optimisation on fastcgi buffer size
+# defaults are 8k;
+fastcgi_buffers 16 16k;
+fastcgi_buffer_size 16k;
+
+# Include basic fastcgi settings
+include fastcgi_params;
diff --git a/ubuntu-7.1/rootfs/etc/nginx/gzip.conf b/ubuntu-7.1/rootfs/etc/nginx/gzip.conf
new file mode 100644
index 0000000..69737cc
--- /dev/null
+++ b/ubuntu-7.1/rootfs/etc/nginx/gzip.conf
@@ -0,0 +1,58 @@
+# Compression
+
+# Enable Gzip compressed.
+gzip on;
+
+# Compression level (1-9).
+# 5 is a perfect compromise between size and cpu usage, offering about
+# 75% reduction for most ascii files (almost identical to level 9).
+gzip_comp_level 5;
+
+# Don't compress anything that's already small and unlikely to shrink much
+# if at all (the default is 20 bytes, which is bad as that usually leads to
+# larger files after gzipping).
+gzip_min_length 256;
+
+# Compress data even for clients that are connecting to us via proxies,
+# identified by the "Via" header (required for CloudFront).
+gzip_proxied any;
+
+# Tell proxies to cache both the gzipped and regular version of a resource
+# whenever the client's Accept-Encoding capabilities header varies;
+# Avoids the issue where a non-gzip capable client (which is extremely rare
+# today) would display gibberish if their proxy gave them the gzipped version.
+gzip_vary on;
+
+# Compress all output labeled with one of the following MIME-types.
+gzip_types
+ application/atom+xml
+ application/javascript
+ application/json
+ application/ld+json
+ application/manifest+json
+ application/rss+xml
+ application/vnd.geo+json
+ application/vnd.ms-fontobject
+ application/x-font-ttf
+ application/x-web-app-manifest+json
+ application/xhtml+xml
+ application/xml
+ font/opentype
+ image/bmp
+ image/svg+xml
+ image/x-icon
+ text/cache-manifest
+ text/css
+ text/plain
+ text/vcard
+ text/vnd.rim.location.xloc
+ text/vtt
+ text/x-component
+ text/x-cross-domain-policy;
+# text/html is always compressed by HttpGzipModule
+
+# This should be turned on if you are going to have pre-compressed copies (.gz) of
+# static files available. If not it should be left off as it will cause extra I/O
+# for the check. It is best if you enable this in a location{} block for
+# a specific directory, or on an individual server{} level.
+# gzip_static on;
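Review bot: The comment `# text/html is always compressed by HttpGzipModule` deserves a caveat: compressing dynamic HTML that reflects request input alongside per-session secrets (WordPress nonces, CSRF tokens) is the precondition for the BREACH class of compression side channels, and this file is included at http level for every response. That is a widely accepted trade-off for a WordPress front end, but it should be a documented decision rather than an implicit one; a line such as `# NOTE: dynamic HTML is gzipped too; review BREACH exposure before serving secret-bearing pages over TLS` next to the existing comment is enough.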
diff --git a/ubuntu-7.1/rootfs/etc/nginx/log_format.conf b/ubuntu-7.1/rootfs/etc/nginx/log_format.conf
new file mode 100644
index 0000000..c71ec6f
--- /dev/null
+++ b/ubuntu-7.1/rootfs/etc/nginx/log_format.conf
@@ -0,0 +1,16 @@
+# Log cache status
+# Log real requester address
+log_format custom '[$time_local] $http_x_real_ip '
+ '"$request" $status $body_bytes_sent $request_time '
+ '"$http_referer" "$http_user_agent" $srcache_fetch_status';
+
+##
+# Legacy formats which might be in use somewhere
+##
+# This log format makes it so we can see real requester's IP address \
+# not just the reverse proxy server's IP address. Also note, that \
+# "specialLog" can be replaced with any name you would like to \
+# give to this log format.
+log_format specialLog '[$time_local] $http_x_real_ip '
+ '"$request" $status $body_bytes_sent $request_time '
+ '"$http_referer" "$http_user_agent"';
diff --git a/ubuntu-7.1/rootfs/etc/nginx/log_formats.conf b/ubuntu-7.1/rootfs/etc/nginx/log_formats.conf
new file mode 100644
index 0000000..25f8b42
--- /dev/null
+++ b/ubuntu-7.1/rootfs/etc/nginx/log_formats.conf
@@ -0,0 +1,19 @@
+# Log cache status
+# Log real requester address
+log_format custom '[$time_local] $http_x_forwarded_for '
+ '"$request" $status $body_bytes_sent $request_time '
+ '"$http_referer" "$http_user_agent" $srcache_fetch_status';
+
+# A new log format for detecting bad bots.
+log_format blocked '[$time_local] Blocked request from $http_x_forwarded_for $request';
+
+##
+# Legacy formats which might be in use somewhere
+##
+# This log format makes it so we can see real requester's IP address \
+# not just the reverse proxy server's IP address. Also note, that \
+# "specialLog" can be replaced with any name you would like to \
+# give to this log format.
+log_format specialLog '[$time_local] $http_x_forwarded_for '
+ '"$request" $status $body_bytes_sent $request_time '
+ '"$http_referer" "$http_user_agent"';
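Review bot: `log_format.conf` and `log_formats.conf` (the next hunk) both define the `custom` and `specialLog` formats, with different source variables (`$http_x_real_ip` here, `$http_x_forwarded_for` there); nginx.conf only includes `log_formats.conf`, and including both would fail with a duplicate `log_format` name. The older file looks like a leftover and should be dropped, or its header should say which file is canonical. In both files the logged address is a client-supplied header, so `# Log real requester address` should read `# Log the proxy-supplied X-Forwarded-For (only meaningful behind the trusted reverse proxy)`.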
diff --git a/ubuntu-7.1/rootfs/etc/nginx/nginx.conf b/ubuntu-7.1/rootfs/etc/nginx/nginx.conf
new file mode 100644
index 0000000..b9a2906
--- /dev/null
+++ b/ubuntu-7.1/rootfs/etc/nginx/nginx.conf
@@ -0,0 +1,313 @@
+# Default user and group for the nginx@index
+user ${WEB_USER} ${WEB_GROUP};
+
+# Default error log
+error_log ${NGINX_ERROR_LOG} ${NGINX_ERROR_LEVEL};
+
+# Write process id here
+pid /var/run/nginx.pid;
+
+
+# How many worker threads to run;
+# "auto" sets it to the number of CPU cores available in the system, and
+# offers the best performance. Don't set it higher than the number of CPU
+# cores if changing this parameter.
+
+# The maximum number of connections for Nginx is calculated by:
+# max_clients = worker_processes * worker_connections
+worker_processes auto;
+
+# Maximum open file descriptors per process;
+# should be > worker_connections.
+worker_rlimit_nofile 8192;
+
+events {
+ # When you need > 8000 * cpu_cores connections, you start optimizing your OS,
+ # and this is probably the point at which you hire people who are smarter than
+ # you, as this is *a lot* of requests.
+ worker_connections 8000;
+}
+
+http {
+
+ # Configure hashmaps so that environment does not change defaults
+ map_hash_max_size 262144;
+ map_hash_bucket_size 262144;
+ server_names_hash_bucket_size 64;
+
+ # Hide nginx version information.
+ server_tokens off;
+
+ #Enable Fastcgicache
+ include cache/fastcgicache_settings.conf;
+
+ # Remove Server header entirely
+ more_clear_headers Server;
+
+ # How long to allow each connection to stay idle; longer values are better
+ # for each individual client, particularly for SSL, but means that worker
+ # connections are tied up longer. (Default: 65)
+ keepalive_timeout 20;
+
+ # Speed up file transfers by using sendfile() to copy directly
+ # between descriptors rather than using read()/write().
+ sendfile on;
+
+ # Tell Nginx not to send out partial frames; this increases throughput
+ # since TCP frames are filled up before being sent out. (adds TCP_CORK)
+ tcp_nopush on;
+
+ # Gzip all the assets
+ include gzip.conf;
+
+ # Add default pagespeed settings
+ include pagespeed/settings.conf;
+
+ # Add all default mime types and additional ones
+ include additional.types;
+ include mime.types;
+
+ default_type application/octet-stream;
+
+ client_body_temp_path /tmp/nginx/body 1 2;
+ fastcgi_temp_path /tmp/nginx/fastcgi_temp 1 2;
+
+ # Include custom log formats
+ include log_formats.conf;
+
+ # Allow bigger default file uploads
+ client_max_body_size ${NGINX_MAX_BODY_SIZE};
+
+ # Allow bigger body buffer size in memory
+ client_body_buffer_size ${NGINX_BODY_BUFFER_SIZE};
+
+ # Include custom nginx http additions from project
+ include ${NGINX_INCLUDE_DIR}/http/*.conf;
+ include ${NGINX_INCLUDE_DIR}/environments/${WP_ENV}/http/*.conf;
+
+ # load upstreams from one file which can be overwritten depending on situation
+ include upstreams.conf;
+
+ # Add few headers which make XSS harder
+ include security_headers.conf;
+
+ # If ${PORT} != 80 means that we are behind reverse proxy as well
+ # This directive helps that we don't redirect clients into mysite.com:8080/resource type urls
+ port_in_redirect off;
+
+ # Use theme assets straight from corresponding files for pagespeed
+ pagespeed ProcessScriptVariables on;
+ pagespeed LoadFromFile "$scheme://$host/app/themes/" "${WEB_ROOT}/app/themes/";
+ pagespeed LoadFromFile "$scheme://$host/wp-content/themes/" "${WEB_ROOT}/wp/wp-content/themes/";
+
+ server {
+ # This is the default server for this container
+ listen ${PORT} default_server;
+ server_name _;
+
+ root ${WEB_ROOT};
+
+ # Use index.php if it exists but also allow static websites in subfolders
+ index index.php index.html;
+
+ access_log ${NGINX_ACCESS_LOG} custom;
+
+ # Blocked log file
+ set $blocked_log /dev/stdout;
+
+ disable_symlinks off;
+
+ # Include custom nginx server additions from project
+ include ${NGINX_INCLUDE_DIR}/server/*.conf;
+ include ${NGINX_INCLUDE_DIR}/environments/${WP_ENV}/server/*.conf;
+
+ # These variables are proxy conscious, so that they work even though we are behind reverse proxy
+ include proxy_real_variables.conf;
+
+ # Include custom error pages
+ include error_pages.conf;
+
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ try_files $uri @index;
+ }
+
+ location = /favicon.ico {
+ allow all;
+ log_not_found off;
+ access_log off;
+ try_files $uri @index;
+ }
+
+ # deny all dot-files including git
+ location ~ /\. {
+ deny all;
+ log_not_found off;
+ access_log off;
+ }
+
+ location / {
+ try_files $uri $uri/ /wp/$uri /wp/$uri/ @index;
+ }
+
+ # Static files
+ location ~* \.(css|js|jpe?g|gif|ico|png|otf|ttf|eot|woff?2|svg|webp)$ {
+
+ ## Deny overriding Pagespeed
+ if ($arg_pagespeed != '') { access_log $blocked_log blocked; return 403; }
+ if ($arg_pagespeedspeedfilters != '') { access_log $blocked_log blocked; return 403; }
+
+ include static_files.conf;
+
+ # These files are probably exactly like $uri says but also try from /wp/
+ try_files $uri /wp/$uri @index;
+
+ # Deny requesting plain style.css from theme root directory
+ location ~ ^.*/themes/[^/]+/style\.css {
+
+ # Preserve this url
+ pagespeed CssPreserveUrls true;
+
+ # Minify and remove comments from css
+ pagespeed EnableFilters rewrite_css;
+
+ # Wait that nginx has prepared the file
+ pagespeed InPlaceWaitForOptimized on;
+
+ # Don't ever try to load non modified style.css
+ pagespeed InPlaceRewriteDeadlineMs 100000000;
+
+ # Don't allow overriding pagespeed with pagespeed fixed urls
+ # Source: https://github.com/pagespeed/ngx_pagespeed/issues/1306
+ location ~ ^(.*)/themes/([^/]+)/style.*pagespeed.* {
+ return 301 $1/themes/$2/style.css;
+ }
+ }
+
+ ##
+ # Static WordPress files ~ wp-*
+ # These files are probably in /wp/ subfolder but also try from $uri
+ ##
+ location ~ ^wp- {
+ try_files /wp/$uri $uri @index;
+ }
+ }
+
+ # App folder contains our plugins and themes
+ # We want to server assets from here but deny all php execution
+ location /app/ {
+ try_files $uri @index;
+
+ ##
+ # Deny access into php files under /app/
+ ##
+ location ~ \.php$ {
+ access_log $blocked_log blocked;
+ deny all;
+ }
+ }
+
+ ##
+ # Run all php files from wp subfolder
+ # This is how wordpress is supposed to be run
+ # It also prevents direct access to possibly insecure code inside our plugins
+ ##
+ location ~ \.php$ {
+ try_files /wp/$uri @index;
+
+ include fastcgi_settings.conf;
+
+ # Append subfolder automatically
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+
+ # Handover 404 errors from php-fpm to WordPress
+ error_page 404 = @index;
+
+ # Give sane max execution time to frontend
+ fastcgi_read_timeout ${NGINX_FASTCGI_TIMEOUT};
+ fastcgi_pass php-fpm;
+
+ ## Deny access to all php files in uploads folders
+ location ~* ^/uploads { access_log $blocked_log blocked; deny all; }
+ location ~* ^/content/uploads { access_log $blocked_log blocked; deny all; }
+ location ~* ^/wp-content/uploads { access_log $blocked_log blocked; deny all; }
+
+ ## Fix Full Path Disclosures if display_errors is on
+ ## Don't allow straight access into core wp-includes
+ location ~* ^/wp-includes { access_log $blocked_log blocked; deny all; }
+ }
+ # Create purge location to empty fullpage cache
+ location ~ /purge(/.*) {
+ fastcgi_cache_purge WORDPRESS "$scheme$request_method$host$1";
+ }
+ # Create health location for contena healthcheck
+ location /__health {
+ access_log off;
+ return 200;
+ }
+
+ # Include redis interfaces /redis-fetch & /redis-store
+ # include cache/redis_backend.conf;
+
+ location @index {
+
+ ## Deny overriding Pagespeed
+ if ($arg_pagespeed != '') { access_log $blocked_log blocked; return 403; }
+ if ($arg_pagespeedspeedfilters != '') { access_log $blocked_log blocked; return 403; }
+
+ # Use redis as proxy cache
+ #include cache/srcache.conf;
+ # Use fastcgi cache
+ include cache/fastcgicache.conf;
+
+
+ # Fallback into php
+ include fastcgi_settings.conf;
+ fastcgi_param SCRIPT_FILENAME $document_root/index.php;
+
+ # Give sane max execution time to frontend
+ fastcgi_read_timeout ${NGINX_FASTCGI_TIMEOUT};
+ fastcgi_pass php-fpm;
+ }
+
+ # WordPress is stupid
+ location = /wp-admin { rewrite ^ /wp-admin/ permanent; }
+
+ location = / {
+
+ ## Block hackers from enumerating users
+ if ( $arg_author ~ [0-9]+ ) { access_log $blocked_log blocked; return 403; }
+
+ ## Deny overriding Pagespeed
+ if ($arg_pagespeed != '') { access_log $blocked_log blocked; return 403; }
+ if ($arg_pagespeedspeedfilters != '') { access_log $blocked_log blocked; return 403; }
+
+ # Use redis as proxy cache
+ #include cache/srcache.conf;
+ # Use fastcgi cache
+ include cache/fastcgicache.conf;
+
+ # Fallback into php
+ include fastcgi_settings.conf;
+ fastcgi_param SCRIPT_FILENAME $document_root/index.php;
+
+ # Give sane max execution time to frontend
+ fastcgi_read_timeout ${NGINX_FASTCGI_TIMEOUT};
+ fastcgi_pass php-fpm;
+ }
+
+ # Prevent /wp/wp/wp/... rewrite loops
+ location ^~ /wp/ {
+ rewrite ^/wp/(.*)$ $1$is_args$args last;
+ }
+
+ # Block some vulnerabilities always
+ include security.conf;
+
+ # Include basic pagespeed locations like beacons
+ include pagespeed/locations.conf;
+ }
+
+}
diff --git a/ubuntu-7.1/rootfs/etc/nginx/pagespeed/locations.conf b/ubuntu-7.1/rootfs/etc/nginx/pagespeed/locations.conf
new file mode 100644
index 0000000..46feb53
--- /dev/null
+++ b/ubuntu-7.1/rootfs/etc/nginx/pagespeed/locations.conf
@@ -0,0 +1,7 @@
+# Ensure requests for pagespeed optimized resources go to the pagespeed handler
+# and no extraneous headers get set.
+location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" {
+ add_header "" "";
+}
+location ~ "^/pagespeed_static/" { }
+location ~ "^/ngx_pagespeed_beacon$" { }
diff --git a/ubuntu-7.1/rootfs/etc/nginx/pagespeed/settings.conf b/ubuntu-7.1/rootfs/etc/nginx/pagespeed/settings.conf
new file mode 100644
index 0000000..be5a0a8
--- /dev/null
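Review bot: `location ~ /purge(/.*)` exposes `fastcgi_cache_purge` to every client with no access control, so anyone can evict arbitrary full-page cache entries on demand; gate it, e.g. `location ~ /purge(/.*) { allow 127.0.0.1; deny all; fastcgi_cache_purge WORDPRESS "$scheme$request_method$host$1"; }`, widened to whichever trusted network the purging plugin actually calls from (the `WORDPRESS` zone is declared in `cache/fastcgicache_settings.conf`, outside this hunk, so I can't check the key format). The nested `location ~ ^wp-` under the static-files block can never match, because `$uri` always starts with `/`; it should be `location ~ ^/wp-`. And `include security.conf;` comes after the `~* \.(css|js|…)$` and `~ \.php$` regex locations, and nginx selects the first matching regex location in configuration order, so the `wp-config.php`, `wp-load.php` and `wp-admin/includes` rules in security.conf are shadowed for `.php` URIs; moving the include above those locations makes them effective.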
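Review bot: `add_header "" "";` inside the `\.pagespeed\.` location clears every inherited `add_header`, including `X-Frame-Options`, `X-Content-Type-Options` and `X-XSS-Protection` from `security_headers.conf`, not only the "extraneous" ones the comment refers to. For rewritten static assets that may be acceptable, but it is not what the comment says; extend it to `# and no extraneous headers get set (note: this also drops the inherited security headers)` or re-add `add_header X-Content-Type-Options nosniff always;` here, since content-type sniffing protection is still relevant for served assets.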
+++ b/ubuntu-7.1/rootfs/etc/nginx/pagespeed/settings.conf
@@ -0,0 +1,13 @@
+# Hide pagespeed version and provide this header instaed
+pagespeed XHeaderValue "Enabled";
+
+# Don't alter Cache-Control headers
+pagespeed ModifyCachingHeaders off;
+
+# This is for pagespeed temporary files
+# Needs to exist and be writable by nginx. Use tmpfs for best performance.
+pagespeed FileCachePath /tmp/nginx/pagespeed;
+
+# Pagespeed sets default TTL from file to 300s, which is bad
+# This sets the time to be 1 year
+pagespeed LoadFromFileCacheTtlMs 2592000000;
diff --git a/ubuntu-7.1/rootfs/etc/nginx/proxy_real_variables.conf b/ubuntu-7.1/rootfs/etc/nginx/proxy_real_variables.conf
new file mode 100644
index 0000000..e380f1f
--- /dev/null
+++ b/ubuntu-7.1/rootfs/etc/nginx/proxy_real_variables.conf
@@ -0,0 +1,35 @@
+##
+# Set few variables since we use jwilder/nginx-proxy in dev and proxy in production
+# So the fastcgi params need to be the original ones or you
+# will have redirect loops ('canonical_redirect' mostly)
+##
+
+# Set $host first from proxy (if possible)
+set $real_host $http_x_forwarded_host;
+if ($real_host = '') {
+ set $real_host $http_host;
+}
+
+# Set server port according to forwarded proto
+set $real_port 80;
+if ($http_x_forwarded_proto = 'https') {
+ set $real_port 443;
+}
+
+# Set https according to used proto
+set $real_https off;
+if ($http_x_forwarded_proto = 'https') {
+ set $real_https on;
+}
+
+# Set scheme according to used proto
+set $real_scheme 'http';
+if ($http_x_forwarded_proto = 'https') {
+ set $real_scheme 'https';
+}
+
+# Set original remote
+set $real_remote $http_x_forwarded_for;
+if ($real_remote = '') {
+ set $real_remote $remote_addr;
+}
diff --git a/ubuntu-7.1/rootfs/etc/nginx/security.conf b/ubuntu-7.1/rootfs/etc/nginx/security.conf
new file mode 100644
index 0000000..24afdeb
--- /dev/null
+++ b/ubuntu-7.1/rootfs/etc/nginx/security.conf
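Review bot: The comment says `# This sets the time to be 1 year`, but `LoadFromFileCacheTtlMs 2592000000` is 2,592,000 s, i.e. 30 days, so either the value or the comment is wrong. If a year is intended the value is `31536000000`; otherwise change the comment to `# This sets the time to be 30 days`.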
@@ -0,0 +1,27 @@
+## Block SQL injections
+location ~* union.*select.*\( { access_log $blocked_log blocked; return 403; }
+location ~* union.*all.*select.* { access_log $blocked_log blocked; return 403; }
+location ~* concat.*\( { access_log $blocked_log blocked; return 403; }
+
+## Block common exploits
+location ~* (<|%3C).*script.*(>|%3E) { access_log $blocked_log blocked; return 403; }
+location ~* base64_(en|de)code\(.*\) { access_log $blocked_log blocked; return 403; }
+location ~* (%24&x) { access_log $blocked_log blocked; return 403; }
+location ~* (%0|%A|%B|%C|%D|%E|%F|127\.0) { access_log $blocked_log blocked; return 403; }
+location ~* \.\.\/ { access_log $blocked_log blocked; return 403; }
+location ~* ~$ { access_log $blocked_log blocked; return 403; }
+location ~* proc/self/environ { access_log $blocked_log blocked; return 403; }
+location ~* /\.(htaccess|htpasswd|svn|git) { access_log $blocked_log blocked; return 403; }
+
+## Block file injections
+location ~* [a-zA-Z0-9_]=(\.\.//?)+ { access_log $blocked_log blocked; return 403; }
+location ~* [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ { access_log $blocked_log blocked; return 403; }
+
+## wordpress security
+location ~* wp-config.php { access_log $blocked_log blocked; return 403; }
+location ~* wp-load.php { access_log $blocked_log blocked; return 403; }
+location ~* wp-admin/includes { access_log $blocked_log blocked; return 403; }
+location ~* wp-app\.log { access_log $blocked_log blocked; return 403; }
+location ~* (licence|readme|license)\.(md|html|txt) { access_log $blocked_log blocked; return 403; }
+location ~* composer.json { access_log $blocked_log blocked; return 403; }
+
diff --git a/ubuntu-7.1/rootfs/etc/nginx/security_headers.conf b/ubuntu-7.1/rootfs/etc/nginx/security_headers.conf
new file mode 100644
index 0000000..be78f67
--- /dev/null
+++ b/ubuntu-7.1/rootfs/etc/nginx/security_headers.conf
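Review bot: The patterns built on percent-encoded sequences — `(%24&x)`, `(%0|%A|%B|%C|%D|%E|%F|127\.0)` and the `%3C`/`%3E` alternatives — are matched against nginx's normalized `$uri`, which already has `%XX` escapes decoded, so as far as I can tell the encoded alternatives never match and only the literal `<`, `>` and `..` forms do any work. `location` regexes also see only the path, never the query string, so the `union.*select`, `concat`, `base64_*` and `[a-zA-Z0-9_]=` rules fire only when those strings appear in the path; a header comment such as `# NOTE: location regexes see the decoded path only, not the query string; these are coarse deny rules, not a WAF` would set expectations for whoever extends this file. Finally, the unescaped dots in `wp-config.php`, `wp-load.php` and `composer.json` match any character; `\.` is what is intended.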
@@ -0,0 +1,23 @@
+##
+# Security headers, source: https://gist.github.com/plentz/6737338
+##
+
+# config to don't allow the browser to render the page inside an frame or iframe
+# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
+# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
+# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
+add_header X-Frame-Options SAMEORIGIN;
+
+# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
+# to disable content-type sniffing on some browsers.
+# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+# currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
+# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
+# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
+add_header X-Content-Type-Options nosniff always;
+
+# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
+# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
+# this particular website if it was disabled by the user.
+# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+add_header X-XSS-Protection "1; mode=block";
diff --git a/ubuntu-7.1/rootfs/etc/nginx/static_files.conf b/ubuntu-7.1/rootfs/etc/nginx/static_files.conf
new file mode 100644
index 0000000..fa9d42d
--- /dev/null
+++ b/ubuntu-7.1/rootfs/etc/nginx/static_files.conf
@@ -0,0 +1,13 @@
+# Use version numbers to bypass cache
+# Try to cache as long as we can
+expires max;
+
+## No need to bleed constant updates. Send the all shebang in one
+## fell swoop.
+tcp_nodelay off;
+
+## Set the OS file cache.
+open_file_cache max=3000 inactive=120s;
+open_file_cache_valid 45s;
+open_file_cache_min_uses 2;
+open_file_cache_errors off;
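Review bot: Only `X-Content-Type-Options` carries the `always` flag; `X-Frame-Options` and `X-XSS-Protection` are therefore omitted from 4xx/5xx responses, including the custom pages in `error_pages.conf` and the many `return 403` blocks in nginx.conf. Adding `always` to the other two, `add_header X-Frame-Options SAMEORIGIN always;` and `add_header X-XSS-Protection "1; mode=block" always;`, makes the set consistent. The header comment should also warn that any location-level `add_header` (see `pagespeed/locations.conf` and `cache/srcache.conf` in this commit) silently drops these inherited headers.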
diff --git a/ubuntu-7.1/rootfs/etc/nginx/upstreams.conf b/ubuntu-7.1/rootfs/etc/nginx/upstreams.conf
new file mode 100644
index 0000000..395d445
--- /dev/null
+++ b/ubuntu-7.1/rootfs/etc/nginx/upstreams.conf
@@ -0,0 +1,4 @@
+# Default php handler
+upstream php-fpm {
+ server unix:/var/run/php-fpm.sock;
+}
diff --git a/ubuntu-7.1/rootfs/etc/php/7.1/cli/php.ini b/ubuntu-7.1/rootfs/etc/php/7.1/cli/php.ini
new file mode 100644
index 0000000..5eede62
--- /dev/null
+++ b/ubuntu-7.1/rootfs/etc/php/7.1/cli/php.ini
@@ -0,0 +1,70 @@
+[PHP]
+; This directive determines whether or not PHP will recognize code between
+; tags as PHP source which should be processed as such.
+short_open_tag = Off
+
+; Implicit flush tells PHP to tell the output layer to flush itself
+; automatically after every output block.
+implicit_flush = Off
+
+; This directive allows you to disable certain functions for security reasons.
+; It receives a comma-delimited list of function names.
+; http://php.net/disable-functions
+disable_functions =
+
+; Enables or disables the circular reference collector.
+; http://php.net/zend.enable-gc
+zend.enable_gc = On
+
+;;;;;;;;;;;;;;;;;
+; Miscellaneous ;
+;;;;;;;;;;;;;;;;;
+
+
+; Deny executing anything else than the exact path passed from fastcgi
+; This causes the PHP interpreter to only try the literal path given and to stop processing if the file is not found.
+; This is for security.
+; https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#passing-uncontrolled-requests-to-php
+cgi.fix_pathinfo = 0
+
+expose_php = Off
+
+;;;;;;;;;;;;;;;;;;;
+; Resource Limits ;
+;;;;;;;;;;;;;;;;;;;
+
+; Maximum execution time of each script, in seconds
+max_execution_time = 600
+
+; Maximum amount of time each script may spend parsing request data.
+max_input_time = 60
+
+; How many GET/POST/COOKIE input variables may be accepted
+; max_input_vars = 1000
+
+; Maximum amount of memory a script may consume (128MB)
+memory_limit = ${PHP_MEMORY_LIMIT}
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; Error handling and logging ;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+error_reporting = E_ALL
+
+display_errors = On
+
+display_startup_errors = On
+
+log_errors = On
+
+log_errors_max_len = 2048
+
+ignore_repeated_errors = Off
+
+ignore_repeated_source = Off
+
+report_memleaks = On
+
+track_errors = On
+
+html_errors = Off
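Review bot: The comment `; Maximum amount of memory a script may consume (128MB)` no longer matches `memory_limit = ${PHP_MEMORY_LIMIT}`, which is templated from the environment; `; Maximum amount of memory a script may consume (from PHP_MEMORY_LIMIT)` keeps it honest. `disable_functions =` is deliberately empty here while `fpm/conf.d/blocked.ini` in this commit restricts the same functions for php-fpm, so a cross-reference such as `; CLI intentionally keeps exec/system available; see fpm/conf.d/blocked.ini for the php-fpm list` would make the asymmetry explicit rather than look like an oversight.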
diff --git a/ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/blocked.ini b/ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/blocked.ini
new file mode 100644
index 0000000..4142569
--- /dev/null
+++ b/ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/blocked.ini
@@ -0,0 +1,4 @@
+; Disable some functions because they allow bad/vulnerable patterns
+; We want to advocate good coding practises and these functions make it difficult
+; You can use these with php cli but not with php-fpm
+disable_functions = exec,passthru,shell_exec,show_source,system,pcntl_exec,popen,posix_getpwuid,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,posix_setuid,posix_uname,proc_nice,proc_open,proc_close,proc_get_status
diff --git a/ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/common.ini b/ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/common.ini
new file mode 100644
index 0000000..5600222
--- /dev/null
+++ b/ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/common.ini
@@ -0,0 +1,4 @@
+[PHP]
+
+; Don't brag that we have php 7.0
+expose_php = Off
diff --git a/ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/limits.ini b/ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/limits.ini
new file mode 100644
index 0000000..6ccc766
--- /dev/null
+++ b/ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/limits.ini
@@ -0,0 +1,7 @@
+; filesize, time and input limits
+max_execution_time = ${NGINX_FASTCGI_TIMEOUT}
+max_input_time = -1
+max_input_vars = ${PHP_MAX_INPUT_VARS}
+memory_limit = ${PHP_MEMORY_LIMIT}
+post_max_size = ${NGINX_MAX_BODY_SIZE}
+upload_max_filesize = ${NGINX_MAX_BODY_SIZE}
diff --git a/ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/logging.ini b/ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/logging.ini
new file mode 100644
index 0000000..6db568d
--- /dev/null
+++ b/ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/logging.ini
@@ -0,0 +1,4 @@
+; Log all warnings and errors
+error_log = ${PHP_ERROR_LOG}
+log_level = ${PHP_ERROR_LOG_LEVEL}
+log_errors_max_len = ${PHP_ERROR_MAX_LEN}
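Review bot: `posix_setuid` appears twice in the `disable_functions` list, and `show_source` is disabled while its canonical name `highlight_file` is not — as far as I can tell PHP registers the alias as a separate function entry, so disabling only the alias leaves the same capability reachable; add `highlight_file` and drop the duplicate. The comment `; You can use these with php cli but not with php-fpm` holds only because `cli/php.ini` sets `disable_functions =` explicitly, which is worth saying here so the two files are not changed independently.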
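Review bot: The comment `; Don't brag that we have php 7.0` in common.ini is already stale in a `php/7.1` tree; `; Don't advertise the PHP version in response headers` avoids it drifting again. `expose_php = Off` is also set in `cli/php.ini`, so this file only adds it for php-fpm, which the comment could state.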
diff --git a/ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/mail.ini b/ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/mail.ini
new file mode 100644
index 0000000..d54d6f8
--- /dev/null
+++ b/ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/mail.ini
@@ -0,0 +1,3 @@
+[PHP]
+; Use msmtp to send mail instead of sendmail
+sendmail_path = "/usr/sbin/sendmail"
diff --git a/ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/opcache.ini b/ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/opcache.ini
new file mode 100644
index 0000000..41a7d2a
--- /dev/null
+++ b/ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/opcache.ini
@@ -0,0 +1,24 @@
+; Enable php opcache to make site faster
+; These are taken from: https://www.scalingphpbook.com/blog/2014/02/14/best-zend-opcache-settings.html
+[opcache]
+opcache.enable = 1
+opcache.enable_cli = 1
+
+; Provides a faster mechanism for calling the deconstructors in your code at the end of a single request to speed up the response and recycle php workers so they're ready for the next incoming request faster.
+opcache.fast_shutdown = 1
+
+; Give plenty of memory for php process for caching the code
+opcache.memory_consumption = ${PHP_OPCACHE_MAX_MEMORY}
+
+; Log into container output
+opcache.error_log = /dev/stderr
+
+; Log opcache warnings
+opcache.log_verbosity_level = 2
+
+; PHP uses a technique called string interning to improve performance— so, for example, if you have the string "foobar" 1000 times in your code, internally PHP will store 1 immutable variable for this string and just use a pointer to it for the other 999 times you use it.
+; This reserves 16MB to storing the most used strings
+opcache.interned_strings_buffer = 16
+opcache.max_accelerated_files = ${PHP_OPCACHE_MAX_FILES}
+
+
diff --git a/ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/opcache_invalidate.conf b/ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/opcache_invalidate.conf
new file mode 100644
index 0000000..d152afa
--- /dev/null
+++ b/ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/opcache_invalidate.conf
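Review bot: The comment `; Use msmtp to send mail instead of sendmail` contradicts the directive `sendmail_path = "/usr/sbin/sendmail"`. If msmtp is installed as a sendmail-compatible shim at that path (the Dockerfile is outside this chunk, so I can't confirm), the comment should say `; /usr/sbin/sendmail is msmtp's sendmail-compatible wrapper`; otherwise the path should point at the msmtp binary, or mail will silently go to whatever provides sendmail in the image.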
@@ -0,0 +1,5 @@
+; Don't revalidate php files in this container
+opcache.validate_timestamps = 0
+
+; We don't need to cache php comments into opcache
+opcache.save_comments = 0
diff --git a/ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/sessions.ini b/ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/sessions.ini
new file mode 100644
index 0000000..d5fb56c
--- /dev/null
+++ b/ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/sessions.ini
@@ -0,0 +1,6 @@
+;;;;;;;;;;;;;;;;;;;;;;;;;;
+; Define Session backend ;
+;;;;;;;;;;;;;;;;;;;;;;;;;;
+; These env can also contain redis as backend
+session.save_handler = ${PHP_SESSION_HANDLER}
+session.save_path = ${PHP_SESSION_SAVE_PATH}
diff --git a/ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/timezone.ini b/ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/timezone.ini
new file mode 100644
index 0000000..dfb2fec
--- /dev/null
+++ b/ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/timezone.ini
@@ -0,0 +1,2 @@
+; Timezone from env formatted like 'Europe/Helsinki'
+date.timezone = ${TZ}
diff --git a/ubuntu-7.1/rootfs/etc/php/7.1/fpm/php-fpm.conf b/ubuntu-7.1/rootfs/etc/php/7.1/fpm/php-fpm.conf
new file mode 100644
index 0000000..ef307ec
--- /dev/null
+++ b/ubuntu-7.1/rootfs/etc/php/7.1/fpm/php-fpm.conf
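Review bot: `opcache_invalidate.conf` lives in `fpm/conf.d/` but has a `.conf` extension, and PHP's ini scan directory only loads files ending in `.ini`, so as far as I can tell `opcache.validate_timestamps = 0` and `opcache.save_comments = 0` are never applied and php-fpm keeps re-stat'ing every script. Renaming it to `opcache_invalidate.ini` (or folding both lines into `opcache.ini`) fixes that; the separate file suggests it is meant to be optional, so a comment on when to enable it would help. `opcache.save_comments = 0` also breaks anything that reads docblock annotations at runtime, which deserves a note next to it.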
@@ -0,0 +1,35 @@
+; Run this in foregroud so s6 can control it
+daemonize = no
+
+; Log all warnings and errors
+error_log = ${PHP_ERROR_LOG}
+log_level = ${PHP_ERROR_LOG_LEVEL}
+
+[www]
+user = ${WEB_USER}
+group = ${WEB_GROUP}
+listen = /var/run/php-fpm.sock
+listen.owner = ${WEB_USER}
+listen.group = ${WEB_GROUP}
+pm = dynamic
+
+; Total RAM dedicated to the web server / Max child process size
+pm.max_children = 30
+
+pm.start_servers = 1
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+
+; Redirect worker stdout and stderr into main error log. If not set, stdout and
+; stderr will be redirected to /dev/null according to FastCGI specs.
+; Default Value: no
+catch_workers_output = yes
+
+; Project web root
+chdir = ${WEB_ROOT}
+
+pm.process_idle_timeout = 10s
+pm.max_requests = 500
+
+; Include extra configs
+include=/etc/php/7.1/fpm/php-fpm.d/*.conf
diff --git a/ubuntu-7.1/rootfs/etc/php/7.1/fpm/php-fpm.d/preserve-env.conf b/ubuntu-7.1/rootfs/etc/php/7.1/fpm/php-fpm.d/preserve-env.conf
new file mode 100644
index 0000000..956d8ff
--- /dev/null
+++ b/ubuntu-7.1/rootfs/etc/php/7.1/fpm/php-fpm.d/preserve-env.conf
@@ -0,0 +1,3 @@
+; Just use all envs from system when php-fpm starts
+; By default php-fpm flushes all envs and they need to be whitelisted
+clear_env = no
diff --git a/ubuntu-7.1/rootfs/etc/php/7.1/fpm/php.ini b/ubuntu-7.1/rootfs/etc/php/7.1/fpm/php.ini
new file mode 100644
index 0000000..472d608
--- /dev/null
+++ b/ubuntu-7.1/rootfs/etc/php/7.1/fpm/php.ini
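Review bot: `clear_env = no` in preserve-env.conf exposes the entire container environment — including `REDIS_PASSWORD` and any database credentials passed to the container — to every PHP script via `getenv()` and `$_ENV`, which is what lets the env-driven WordPress config work but is a broader surface than the comment conveys. Extend it to `; clear_env = no hands ALL container env vars (secrets included) to every PHP script; keep secrets out of the container env that PHP does not need`, so the choice is documented rather than implicit.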
@@ -0,0 +1,46 @@
+;;;
+; Production settings for php and php-fpm
+;;;
+; All directives from /etc/php/7.0/fpm/conf.d are also included
+;;;
+
+[PHP]
+
+; Don't display errors into frontend
+display_errors = stderr
+
+; disable ignoring of repeat errors
+ignore_repeated_errors = false
+
+; disable ignoring of unique source errors
+ignore_repeated_source = false
+
+; enable logging of php memory leaks
+report_memleaks = true
+
+; Deny executing anything else than the exact path passed from fastcgi
+; This causes the PHP interpreter to only try the literal path given and to stop processing if the file is not found.
+; This is for security. Source: https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#passing-uncontrolled-requests-to-php
+cgi.fix_pathinfo = 0
+
+; disable html markup of errors
+html_errors = false
+
+; disable formatting of error reference links
+docref_root = 0
+
+; disable formatting of error reference links
+docref_ext = 0
+
+; disable max error string length ( by using so big number that bigger messages don't matter )
+log_errors_max_len = 10000
+
+; Don't show startup errors
+display_startup_errors = Off
+track_errors = Off
+
+; Redirect worker stdout and stderr into main error log. If not set, stdout and
+; stderr will be redirected to /dev/null according to FastCGI specs.
+; Default Value: no
+catch_workers_output = yes
+
diff --git a/ubuntu-7.1/rootfs/etc/services.d/cron/run b/ubuntu-7.1/rootfs/etc/services.d/cron/run
new file mode 100644
index 0000000..444e2b9
--- /dev/null
+++ b/ubuntu-7.1/rootfs/etc/services.d/cron/run
@@ -0,0 +1,4 @@
+#!/usr/bin/with-contenv sh
+echo "[services.d] started cron daemon"
+# Runs cron daemon in foreground
+cron -l 2 -f
diff --git a/ubuntu-7.1/rootfs/etc/services.d/nginx/run b/ubuntu-7.1/rootfs/etc/services.d/nginx/run
new file mode 100755
index 0000000..ef92c7d
--- /dev/null
+++ b/ubuntu-7.1/rootfs/etc/services.d/nginx/run
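Review bot: `catch_workers_output = yes` is a php-fpm pool directive, not a php.ini setting; in `fpm/php.ini` it is ignored (the effective copy is the one under `[www]` in `php-fpm.conf` earlier in this commit), so the last four lines should be removed or replaced with `; see php-fpm.conf for catch_workers_output`. The header `; All directives from /etc/php/7.0/fpm/conf.d are also included` should read `/etc/php/7.1/fpm/conf.d` to match the tree this file sits in. `docref_root = 0` and `docref_ext = 0` appear to set string values to the literal `0`; an empty value (`docref_root =`) is the documented way to disable the links, though `html_errors = false` makes this moot in practice.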
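Review bot: `services.d/cron/run` is added with mode `100644`, and `services.d/php-fpm/run` further down has the same `100644`, whereas `services.d/nginx/run` is `100755`; s6 executes each `run` file directly, so the two non-executable scripts will not start unless the Dockerfile chmods them (the Dockerfile is outside this chunk). Committing both as `100755` keeps the image self-consistent and removes the dependency on a build-time fix-up.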
@@ -0,0 +1,4 @@
+#!/usr/bin/with-contenv sh
+
+# Run nginx always in foreground
+exec nginx -g "daemon off;"
diff --git a/ubuntu-7.1/rootfs/etc/services.d/php-fpm/run b/ubuntu-7.1/rootfs/etc/services.d/php-fpm/run
new file mode 100644
index 0000000..18b6baf
--- /dev/null
+++ b/ubuntu-7.1/rootfs/etc/services.d/php-fpm/run
@@ -0,0 +1,53 @@
+#!/usr/bin/with-contenv bash
+
+##
+# Check which kind of session backend we should be using
+##
+if [ -z "$PHP_SESSION_SAVE_PATH" ]; then
+ echo "[php-fpm] configuring php-fpm session backend..."
+
+ # Use 'files' as default session handler
+ export PHP_SESSION_HANDLER=${PHP_SESSION_HANDLER-files}
+
+ case "$PHP_SESSION_HANDLER" in
+
+ files)
+ mkdir -p /tmp/php
+ chown $WEB_USER:$WEB_GROUP /tmp/php
+
+ # export new env for php-fpm
+ export PHP_SESSION_SAVE_PATH='/tmp/php'
+ ;;
+ redis)
+ # Set defaults
+ REDIS_HOST=${REDIS_HOST-$REDIS_1_PORT_6379_TCP_ADDR}
+ REDIS_PORT=${REDIS_PORT-6379}
+ REDIS_SCHEME=${REDIS_SCHEME-tcp}
+ REDIS_PHP_SESSION_HOST=${REDIS_PHP_SESSION_HOST-$REDIS_1_PORT_6379_TCP_ADDR}
+
+ # After this time php-fpm will timeout from requesting session data
+ PHP_SESSION_REDIS_TIMEOUT=${PHP_SESSION_REDIS_TIMEOUT-5}
+
+ PHP_SESSION_REDIS_PARAMS="timeout=$PHP_SESSION_REDIS_TIMEOUT"
+
+ # Set these only if they are not 0 and '' because they add complexity for the query
+ if [ "$PHP_SESSION_REDIS_DB" != "" ]; then
+ PHP_SESSION_REDIS_PARAMS+="&database=$PHP_SESSION_REDIS_DB"
+ fi
+ if [ "$REDIS_PASSWORD" != "" ]; then
+ PHP_SESSION_REDIS_PARAMS+="&auth=$REDIS_PASSWORD"
+ fi
+ if [ "$PHP_SESSION_REDIS_PREFIX" != "" ]; then
+ PHP_SESSION_REDIS_PARAMS+="&prefix=$PHP_SESSION_REDIS_PREFIX"
+ fi
+
+ # export new env for php-fpm
+ export PHP_SESSION_SAVE_PATH="$REDIS_SCHEME://$REDIS_PHP_SESSION_HOST:$REDIS_PORT?$PHP_SESSION_REDIS_PARAMS"
+ ;;
+ esac
+fi
+echo "[php-fpm] using $PHP_SESSION_SAVE_PATH for php sessions..."
+
+echo "[php-fpm] started php-fpm"
+exec php-fpm -c /etc/php/7.1/fpm/php.ini --fpm-config /etc/php/7.1/fpm/php-fpm.conf --pid /var/run/php-fpm.pid
+
diff --git a/ubuntu-7.1/rootfs/usr/bin/wp b/ubuntu-7.1/rootfs/usr/bin/wp
new file mode 100755
index 0000000..e138ef0
--- /dev/null
+++ b/ubuntu-7.1/rootfs/usr/bin/wp
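Review bot: `echo "[php-fpm] using $PHP_SESSION_SAVE_PATH for php sessions..."` writes the full save path to the container's stdout, and in the `redis)` branch that string carries `auth=$REDIS_PASSWORD`, so the Redis password lands in the container log and whatever collects it. Log the handler rather than the path, e.g. `echo "[php-fpm] using ${PHP_SESSION_HANDLER:-files} session handler..."`, or print the path with the `auth=` parameter removed. Separately, `$REDIS_PASSWORD` and `$PHP_SESSION_REDIS_PREFIX` are spliced into the query string without URL-encoding, so a password containing `&`, `#` or `%` produces a malformed `session.save_path` that fails only at request time.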
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+##
+# WP-cli wrapper: Append path automatically so that user doesn't have to
+##
+if [ "$(whoami)" = "root" ]; then
+ # Run as wordpress user instead
+ # This helps that we don't install things as root
+ # Or run 3rd party code as root
+ gosu $WEB_USER /usr/local/bin/wp-cli "$@" --path=$WP_CORE
+else
+ /usr/local/bin/wp-cli "$@" --path=$WP_CORE
+fi
diff --git a/ubuntu-7.1/rootfs/usr/local/bin/phinx b/ubuntu-7.1/rootfs/usr/local/bin/phinx
new file mode 100755
index 0000000..854aa2f
--- /dev/null
+++ b/ubuntu-7.1/rootfs/usr/local/bin/phinx
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+##
+# Phinx wrapper
+# You need to install phinx through composer first
+##
+
+# Export database host in prod and dev
+if [ ! -z "$MYSQL_HOST" ]; then
+ export PHINX_DBHOST=$MYSQL_HOST
+elif [ ! -z "$DB_HOST" ]; then
+ export PHINX_DBHOST=$DB_HOST
+elif [ ! -z "$DB_PORT_3306_TCP_ADDR" ]; then
+ export PHINX_DBHOST=$DB_PORT_3306_TCP_ADDR
+else
+ echo "ERROR: You need to set DB_HOST!"
+fi
+
+# Export phinx envs
+# Default to MYSQL_ envs but fallback to DB_
+export PHINX_DBPORT=${MYSQL_PORT-$DB_PORT}
+export PHINX_DBNAME=${MYSQL_DATABASE-$DB_NAME}
+export PHINX_DBUSER=${MYSQL_USER-$DB_USER}
+export PHINX_DBPASSWORD=${MYSQL_PWD-$DB_PASSWORD}
+export PHINX_ENVIRONMENT=$WP_ENV
+
+# Run phinx
+php $PROJECT_ROOT/vendor/bin/phinx $@
diff --git a/ubuntu-7.1/rootfs/usr/local/bin/print-smtp-password b/ubuntu-7.1/rootfs/usr/local/bin/print-smtp-password
new file mode 100755
index 0000000..f59d906
--- /dev/null
+++ b/ubuntu-7.1/rootfs/usr/local/bin/print-smtp-password
@@ -0,0 +1,5 @@
+#!/bin/bash
+# This is so that we can use msmtp without /etc/msmtprc config file
+# msmtp doesn't have --password option and it only has --passwordeval option
+# We use this script so that we can use it in passwordeval
+echo $SMTP_PASSWORD
diff --git a/ubuntu-7.1/rootfs/usr/local/bin/wp-run-cron b/ubuntu-7.1/rootfs/usr/local/bin/wp-run-cron
new file mode 100755
index 0000000..e5c4aa8
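Review bot: `gosu $WEB_USER /usr/local/bin/wp-cli "$@" --path=$WP_CORE` leaves `$WEB_USER` and `$WP_CORE` unquoted, so an unset `WEB_USER` makes gosu take `/usr/local/bin/wp-cli` as the user name and a `WP_CORE` containing whitespace is split into extra arguments; the `else` branch has the same unquoted `--path`. Fail early and quote: `: "${WEB_USER:?WEB_USER must be set}"` before the `if`, and `--path="$WP_CORE"` on both branches.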
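Review bot: the `else` branch prints `ERROR: You need to set DB_HOST!` but does not stop, so phinx is still launched with an empty `PHINX_DBHOST` and the real failure surfaces later as a connection error; add `exit 1` after the echo. The final `php $PROJECT_ROOT/vendor/bin/phinx $@` should quote both expansions, `php "$PROJECT_ROOT/vendor/bin/phinx" "$@"`, so arguments containing spaces reach phinx intact.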
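Review bot: `echo $SMTP_PASSWORD` is unquoted, so a password containing whitespace or glob characters is word-split and glob-expanded before it reaches msmtp, and one beginning with `-n` or `-e` is consumed by `echo` as an option; `printf '%s\n' "$SMTP_PASSWORD"` emits the value verbatim. Because this helper is the `--passwordeval` target, any such mangling shows up only as an authentication failure on the SMTP side, which is hard to trace back here.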
--- /dev/null
+++ b/ubuntu-7.1/rootfs/usr/local/bin/wp-run-cron
@@ -0,0 +1,42 @@
+#!/bin/bash
+# Copyright © 2015 Bjørn Johansen
+# This work is free. You can redistribute it and/or modify it under the
+# terms of the Do What The Fuck You Want To Public License, Version 2,
+# as published by Sam Hocevar. See http://www.wtfpl.net/ for more details.
+# Source: https://bjornjohansen.no/wordpress-cron-wp-cli
+# Github: https://gist.github.com/bjornjohansen/a00a9fee5475c4dadb56#file-run-wp-cron-sh
+
+# This is modified for our container. In this container you don't need to use --path
+# because it's automatically included
+
+# Check if WP-CLI is available
+if ! hash wp 2>/dev/null; then
+ echo "[wp-cron] ERROR: WP-CLI is not available"
+ exit
+fi
+
+# If WordPress isn’t installed here, we bail
+if ! wp core is-installed --quiet >> /dev/null; then
+ echo "[wp-cron] ERROR: WordPress is not installed here: ${WP_CORE}"
+ exit
+fi
+
+# Get a list of site URLs
+if wp core is-installed --quiet --network >> /dev/null;
+then
+ SITE_URLS=`wp site list --fields=url --archived=0 --deleted=0 --format=csv | sed 1d`
+else
+ SITE_URLS=(`wp option get siteurl`)
+fi
+
+# Loop through all the sites
+for SITE_URL in $SITE_URLS
+do
+ # replaced loop with better solution
+ wp cron event run --due-now --url="$SITE_URL"
+ # Run all event hooks that are due
+ #for EVENT_HOOK in $(wp cron event list --format=csv --fields=hook,next_run_relative --url="$SITE_URL" | grep now$ | awk -F ',' '{print $1}')
+ #do
+ # wp cron event run "$EVENT_HOOK" --url="$SITE_URL" --quiet
+ #done
+done
diff --git a/ubuntu-7.1/rootfs/usr/sbin/sendmail b/ubuntu-7.1/rootfs/usr/sbin/sendmail
new file mode 100755
index 0000000..ec8c40f
--- /dev/null
+++ b/ubuntu-7.1/rootfs/usr/sbin/sendmail
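Review bot: both error paths (`WP-CLI is not available` and `WordPress is not installed here`) end with a bare `exit`, which returns status 0 and makes a broken cron run indistinguishable from a successful one; use `exit 1` in both places. `SITE_URLS` is a plain string in the multisite branch but an array in the single-site branch, and `for SITE_URL in $SITE_URLS` works on the array only by accident (it expands to the first element); assign a string in both branches, e.g. `SITE_URLS=$(wp option get siteurl)`. The commented-out per-hook loop at the bottom is dead code that the `replaced loop with better solution` comment already explains and could be removed.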
@@ -0,0 +1,66 @@
+#!/bin/bash
+##
+# This is custom wrapper for msmtp which acts like good old sendmail
+# - It is used for php and cron
+# - This is easier to configure for external mail server than sendmail
+# - sendmail is just the default binary which other services will use
+# - It needs following env: SMTP_HOST, SMTP_PASSWORD, SMTP_PORT, SMTP_AUTH, SMTP_USER
+##
+
+# Deduce all used msmtp options from system ENVs
+declare -a options
+
+# Act like sendmail
+options+=("-t")
+
+# Use system tls chain
+options+=("--tls-trust-file=/etc/ssl/certs/ca-certificates.crt")
+
+if [ -n "$SMTP_HOST" ]; then
+ options+=("--host=$SMTP_HOST")
+else
+ echo "[mail error] SMTP_HOST is not defined, mail can't be sent"
+ exit 1
+fi
+
+# Log all mail requests
+# try /var/log/mail/sent.log but use stdout when logfile is not available
+if [ -n "$SMTP_LOG" ]; then
+ options+=("--logfile=$SMTP_LOG")
+elif [ -f /var/log/mail/sent.log ]; then
+ options+=("--logfile=/var/log/mail/sent.log")
+fi
+
+if [ -n "$SMTP_FROM" ]; then
+ options+=("--from=$SMTP_FROM")
+fi
+
+# Default port for smtp is 25 and it will work even without this option
+if [ -n "$SMTP_PORT" ]; then
+ options+=("--port=$SMTP_PORT")
+fi
+
+# Setup credentials
+if [ -n "$SMTP_USER" ]; then
+ options+=("--user=$SMTP_USER")
+fi
+
+# msmtp doesn't provide password option because usually it's unsafe
+# Use local hack for passwordeval
+if [ -n "$SMTP_PASSWORD" ]; then
+ options+=("--passwordeval=/usr/local/bin/print-smtp-password")
+fi
+
+
+if [ -n "$SMTP_AUTH" ]; then
+ options+=("--auth=$SMTP_AUTH")
+elif [ -n "$SMTP_USER" ] || [ -n "$SMTP_PASSWORD" ]; then
+ options+=("--auth=on")
+fi
+
+if [ -n "$SMTP_TLS" ]; then
+ options+=("--tls=$SMTP_TLS")
+fi
+
+# Add our options and command line options for msmtp
+msmtp ${options[@]} "$@"
diff --git a/ubuntu-7.1/rootfs/usr/share/nginx/html/403.html b/ubuntu-7.1/rootfs/usr/share/nginx/html/403.html
new file mode 100644
index 0000000..7e7e78a
--- /dev/null
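Review bot: `msmtp ${options[@]} "$@"` expands the option array unquoted, so any value with whitespace — an `SMTP_FROM` carrying a display name, or an `SMTP_LOG` path with a space — is split into several arguments; write `exec msmtp "${options[@]}" "$@"` (the `exec` also avoids keeping a bash parent alive for every message). TLS is only enabled when `SMTP_TLS` is set, while `--auth=on` is added as soon as a user or password is present, so a deployment that configures credentials but forgets `SMTP_TLS` will attempt authentication over a cleartext session (msmtp may refuse the insecure methods, but the result is then an obscure auth error rather than a clear message); consider defaulting `--tls=on` whenever credentials are configured, or at least state the requirement in the header comment. That header also lists `SMTP_AUTH` as required although the script derives it when unset; only `SMTP_HOST` is actually mandatory.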
+++ b/ubuntu-7.1/rootfs/usr/share/nginx/html/403.html @@ -0,0 +1,89 @@ + + + + + + +403 Forbidden + + + + + + + + +
+
+

403 Forbidden

+

Sorry! You don't have access permissions for that on .

+

Take Me To The Homepage + +

+
+
+
+
+
+
+

What happened?

+

A 403 error status indicates that you don't have permission to access the file or page. In general, web servers and websites have directories and files that are not open to the public web for security reasons.

+
+
+

What can I do?

+

If you're a site visitor

+

Please use your browsers back button and check that you're in the right place. If you need immediate assistance, please send us an email instead.

+

If you're the site owner

+

Please check that you're in the right place and get in touch with your website provider if you believe this to be an error.

+
+
+
+
+ + + + + + + diff --git a/ubuntu-7.1/rootfs/usr/share/nginx/html/500.html b/ubuntu-7.1/rootfs/usr/share/nginx/html/500.html new file mode 100644 index 0000000..d80af19 --- /dev/null +++ b/ubuntu-7.1/rootfs/usr/share/nginx/html/500.html @@ -0,0 +1,83 @@ + + + + + + +500 Internal Server Error + + + + + + + + +
+ +
+

500 Internal Server Error

+

The web server is returning an internal error for .

+ Try This Page Again +
+
+
+
+
+
+

What happened?

+

A 500 error status implies there is a problem with the web server's software causing it to malfunction.

+
+
+

What can I do?

+

If you're a site visitor

+

Nothing you can do at the moment. If you need immediate assistance, please send us an email instead. We apologize for any inconvenience.

+

If you're the site owner

+

This error can only be fixed by server admins, please contact your website provider.

+
+
+
+
+ + + + + + + diff --git a/ubuntu-7.1/rootfs/usr/share/nginx/html/502.html b/ubuntu-7.1/rootfs/usr/share/nginx/html/502.html new file mode 100644 index 0000000..a5ee46d --- /dev/null +++ b/ubuntu-7.1/rootfs/usr/share/nginx/html/502.html @@ -0,0 +1,92 @@ + + + + + + + +502 Bad Gateway + + + + + + + + +
+ +
+

502 Bad Gateway

+

The web server is returning an unexpected networking error for .

+ Try This Page Again +
+
+
+
+
+
+

What happened?

+

A 502 error status implies that that the server received an invalid response from an upstream server it accessed to fulfill the request.

+
+
+

What can I do?

+

If you're a site visitor

+

Check to see if this website down for everyone or just you. +

+

Also, clearing your browser cache and refreshing the page may clear this issue. If the problem persists and you need immediate assistance, please send us an email instead.

+

If you're the site owner

+

Clearing your browser cache and refreshing the page may clear this issue. If the problem persists and you need immediate assistance, please contact your website provider.

+
+
+
+
+ + + + + + + + diff --git a/ubuntu-7.1/rootfs/usr/share/nginx/html/504.html b/ubuntu-7.1/rootfs/usr/share/nginx/html/504.html new file mode 100644 index 0000000..fe8b8f5 --- /dev/null +++ b/ubuntu-7.1/rootfs/usr/share/nginx/html/504.html @@ -0,0 +1,94 @@ + + + + + + + +504 Gateway Timeout + + + + + + + + +
+ +
+

504 Gateway Timeout

+

The web server is returning an unexpected networking error for .

+ Try This Page Again +
+
+
+
+ + +
+
+

What happened?

+

A 504 error status implies there is a slow IP communication problem between back-end servers attempting to fulfill this request.

+
+
+

What can I do?

+

If you're a site visitor

+

Check to see if this website down for everyone or just you. +

+

Also, clearing your browser cache and refreshing the page may clear this issue. If the problem persists and you need immediate assistance, please send us an email instead.

+

If you're the site owner

+

Clearing your browser cache and refreshing the page may clear this issue. If the problem persists and you need immediate assistance, please contact your website provider.

+
+
+
+
+ + + + + + + + diff --git a/web/info.php b/web/info.php new file mode 100644 index 0000000..61ace19 --- /dev/null +++ b/web/info.php @@ -0,0 +1,2 @@ +