generated from bisco/codex-bootstrap
feat: add wordpress site variant
This commit is contained in:
@@ -0,0 +1,88 @@
|
||||
#!/bin/sh
|
||||
set -eu
|
||||
|
||||
enabled="${LETSENCRYPT_ENABLED:-0}"
|
||||
domain="${LETSENCRYPT_DOMAIN:-azionelab.org}"
|
||||
interval="${TLS_RELOAD_INTERVAL_SECONDS:-30}"
|
||||
trust_proxy_headers="${TRUST_PROXY_HEADERS:-0}"
|
||||
certificate="/etc/letsencrypt/live/${domain}/fullchain.pem"
|
||||
private_key="/etc/letsencrypt/live/${domain}/privkey.pem"
|
||||
http_config="/etc/nginx/http-enabled/site.conf"
|
||||
tls_config="/etc/nginx/tls-enabled/site.conf"
|
||||
tls_template="/etc/nginx/templates/tls.conf.template.source"
|
||||
base_template="/etc/nginx/templates/default.conf.template.source"
|
||||
base_config="/etc/nginx/conf.d/default.conf"
|
||||
proxy_template="/etc/nginx/templates/proxy-routes.conf.template.source"
|
||||
proxy_routes="/etc/nginx/snippets/proxy-routes.conf"
|
||||
|
||||
case "$domain" in
|
||||
"" | *[!A-Za-z0-9.-]* | .* | *. | *..* | -* | *- | *.-* | *-.*)
|
||||
echo "Invalid LETSENCRYPT_DOMAIN: $domain" >&2
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
case "$domain" in *.*) ;; *) echo "LETSENCRYPT_DOMAIN must be a fully qualified domain name." >&2; exit 1 ;; esac
|
||||
case "$enabled" in 0 | 1) ;; *) echo "LETSENCRYPT_ENABLED must be 0 or 1." >&2; exit 1 ;; esac
|
||||
case "$trust_proxy_headers" in
|
||||
0) forwarded_for='$remote_addr'; forwarded_proto='$scheme' ;;
|
||||
1) forwarded_for='$proxy_add_x_forwarded_for'; forwarded_proto='$effective_forwarded_proto' ;;
|
||||
*) echo "TRUST_PROXY_HEADERS must be 0 or 1." >&2; exit 1 ;;
|
||||
esac
|
||||
case "$interval" in "" | *[!0-9]*) echo "TLS_RELOAD_INTERVAL_SECONDS must be a positive integer." >&2; exit 1 ;; esac
|
||||
[ "$interval" -gt 0 ] || { echo "TLS_RELOAD_INTERVAL_SECONDS must be positive." >&2; exit 1; }
|
||||
|
||||
certificate_state() {
|
||||
if [ ! -s "$certificate" ] || [ ! -s "$private_key" ]; then
|
||||
echo missing
|
||||
return
|
||||
fi
|
||||
cksum "$certificate" "$private_key" | cksum | awk '{print $1 ":" $2}'
|
||||
}
|
||||
|
||||
render_http() {
|
||||
printf 'include %s;\n' "$proxy_routes" > "$http_config"
|
||||
rm -f "$tls_config"
|
||||
}
|
||||
|
||||
render_pending() {
|
||||
cat > "$http_config" <<'EOF'
|
||||
location / {
|
||||
add_header Retry-After "60" always;
|
||||
return 503;
|
||||
}
|
||||
EOF
|
||||
rm -f "$tls_config"
|
||||
}
|
||||
|
||||
render_https() {
|
||||
sed "s|__DOMAIN__|${domain}|g" "$tls_template" > "${tls_config}.tmp"
|
||||
mv "${tls_config}.tmp" "$tls_config"
|
||||
printf 'location ^~ / { return 301 https://$host$request_uri; }\n' > "$http_config"
|
||||
}
|
||||
|
||||
sed -e "s|__X_FORWARDED_FOR__|${forwarded_for}|g" -e "s|__X_FORWARDED_PROTO__|${forwarded_proto}|g" "$proxy_template" > "${proxy_routes}.tmp"
|
||||
mv "${proxy_routes}.tmp" "$proxy_routes"
|
||||
sed "s|__DOMAIN__|${domain}|g" "$base_template" > "${base_config}.tmp"
|
||||
mv "${base_config}.tmp" "$base_config"
|
||||
|
||||
if [ "$enabled" = 0 ]; then
|
||||
render_http
|
||||
exit 0
|
||||
fi
|
||||
|
||||
state="$(certificate_state)"
|
||||
if [ "$state" = missing ]; then render_pending; else render_https; fi
|
||||
|
||||
(
|
||||
while sleep "$interval"; do
|
||||
next_state="$(certificate_state)"
|
||||
[ "$next_state" = "$state" ] && continue
|
||||
if [ "$next_state" = missing ]; then render_pending; else render_https; fi
|
||||
if nginx -t; then
|
||||
nginx -s reload
|
||||
state="$next_state"
|
||||
else
|
||||
echo "TLS configuration reload failed; retrying after ${interval}s." >&2
|
||||
fi
|
||||
done
|
||||
) &
|
||||
@@ -0,0 +1,10 @@
|
||||
FROM nginx:1.30.2-alpine
|
||||
|
||||
COPY default.conf /etc/nginx/templates/default.conf.template.source
|
||||
COPY proxy-routes.conf /etc/nginx/templates/proxy-routes.conf.template.source
|
||||
COPY tls.conf.template /etc/nginx/templates/tls.conf.template.source
|
||||
COPY 40-configure-tls.sh /docker-entrypoint.d/40-configure-tls.sh
|
||||
|
||||
RUN chmod 755 /docker-entrypoint.d/40-configure-tls.sh \
|
||||
&& rm -f /etc/nginx/conf.d/default.conf \
|
||||
&& mkdir -p /etc/nginx/http-enabled /etc/nginx/tls-enabled /etc/nginx/snippets /var/www/certbot
|
||||
@@ -0,0 +1,54 @@
|
||||
map $http_x_forwarded_proto $effective_forwarded_proto {
|
||||
default $scheme;
|
||||
https https;
|
||||
}
|
||||
|
||||
server_tokens off;
|
||||
limit_req_status 429;
|
||||
limit_req_zone $binary_remote_addr zone=site:10m rate=30r/s;
|
||||
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;
|
||||
|
||||
resolver 127.0.0.11 valid=10s ipv6=off;
|
||||
|
||||
upstream wordpress_backend {
|
||||
zone wordpress_backend 64k;
|
||||
server wordpress:80 resolve;
|
||||
keepalive 16;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80 default_server;
|
||||
server_name _;
|
||||
|
||||
location = /nginx-health {
|
||||
access_log off;
|
||||
return 200 "ok\n";
|
||||
}
|
||||
|
||||
location = /wordpress-health {
|
||||
access_log off;
|
||||
allow 127.0.0.1;
|
||||
deny all;
|
||||
proxy_set_header Host __DOMAIN__;
|
||||
proxy_pass http://wordpress_backend/wp-login.php;
|
||||
}
|
||||
|
||||
location / {
|
||||
return 404;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
server_name __DOMAIN__;
|
||||
|
||||
location ^~ /.well-known/acme-challenge/ {
|
||||
root /var/www/certbot;
|
||||
default_type text/plain;
|
||||
try_files $uri =404;
|
||||
}
|
||||
|
||||
include /etc/nginx/http-enabled/site.conf;
|
||||
}
|
||||
|
||||
include /etc/nginx/tls-enabled/*.conf;
|
||||
@@ -0,0 +1,51 @@
|
||||
client_max_body_size 16m;
|
||||
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For __X_FORWARDED_FOR__;
|
||||
proxy_set_header X-Forwarded-Proto __X_FORWARDED_PROTO__;
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
proxy_set_header Connection "";
|
||||
proxy_read_timeout 60s;
|
||||
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
||||
add_header Permissions-Policy "camera=(), geolocation=(), microphone=(), payment=(), usb=()" always;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
|
||||
location = /xmlrpc.php {
|
||||
return 403;
|
||||
}
|
||||
|
||||
location = /wp-login.php {
|
||||
limit_req zone=login burst=5 nodelay;
|
||||
proxy_pass http://wordpress_backend;
|
||||
}
|
||||
|
||||
location ^~ /wp-admin/ {
|
||||
limit_req zone=site burst=60 nodelay;
|
||||
proxy_pass http://wordpress_backend;
|
||||
}
|
||||
|
||||
location ~* ^/(?:wp-content/uploads|wp-content/files)/.*\.php$ {
|
||||
return 403;
|
||||
}
|
||||
|
||||
location ~ (^|/)\. {
|
||||
return 404;
|
||||
}
|
||||
|
||||
location = /wp-config.php {
|
||||
return 404;
|
||||
}
|
||||
|
||||
location / {
|
||||
limit_req zone=site burst=60 nodelay;
|
||||
add_header Content-Security-Policy "default-src 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'self'; form-action 'self'; img-src 'self' data: https:; font-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; connect-src 'self'" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
||||
add_header Permissions-Policy "camera=(), geolocation=(), microphone=(), payment=(), usb=()" always;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
proxy_pass http://wordpress_backend;
|
||||
}
|
||||
@@ -0,0 +1,26 @@
|
||||
server {
|
||||
listen 443 ssl default_server;
|
||||
http2 on;
|
||||
server_name _;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
|
||||
ssl_reject_handshake on;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
http2 on;
|
||||
server_name __DOMAIN__;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_prefer_server_ciphers off;
|
||||
|
||||
add_header Strict-Transport-Security "max-age=15552000" always;
|
||||
|
||||
include /etc/nginx/snippets/proxy-routes.conf;
|
||||
}
|
||||
Reference in New Issue
Block a user