generated from bisco/codex-bootstrap
fix: harden wordpress edge exposure
This commit is contained in:
Executable
+28
@@ -0,0 +1,28 @@
|
||||
#!/bin/sh
|
||||
set -eu
|
||||
|
||||
compose_file="${1:-/workspace/docker-compose.yml}"
|
||||
|
||||
awk '
|
||||
/^[[:space:]]{2}wordpress:/ {
|
||||
in_wordpress = 1
|
||||
next
|
||||
}
|
||||
in_wordpress && /^[[:space:]]{2}[A-Za-z0-9_-]+:/ {
|
||||
in_wordpress = 0
|
||||
}
|
||||
in_wordpress && /^[[:space:]]{4}ports:/ {
|
||||
print "The wordpress service must not publish host ports; route traffic through proxy only." > "/dev/stderr"
|
||||
exit 1
|
||||
}
|
||||
' "$compose_file"
|
||||
|
||||
grep -q 'azionelab-apache-hardening.conf' /workspace/wordpress/Dockerfile || {
|
||||
echo "The WordPress image must install Apache hardening rules." >&2
|
||||
exit 1
|
||||
}
|
||||
|
||||
grep -q 'wp-content/(uploads|files)' /workspace/wordpress/apache-hardening.conf || {
|
||||
echo "Apache hardening must block PHP execution below uploads/files." >&2
|
||||
exit 1
|
||||
}
|
||||
Reference in New Issue
Block a user