bisco/php-app
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

first commit

Browse Source
This commit is contained in:
bisco 2020-09-04 23:31:05 +02:00
commit b326f21a77
11 changed files with 375 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
app/Dockerfile Normal file
View File

@ -0,0 +1,50 @@
FROM alpine:3.12
LABEL maintainer = "bisco - <bisco@younerd.org>"
RUN addgroup -g 82 www-data &&\
adduser -u 82 -G www-data -g 'World Wide Web user' \
-s /sbin/nologin -D www-data
RUN apk add --update --no-cache \
bash \
php7-bcmath \
php7-bz2 \
php7-cgi \
php7-cli \
php7-common \
php7-curl \
php7-fpm \
php7-gd \
php7-gmp \
php7-intl \
php7-json \
php7-mbstring \
php7-mysqli \
php7-odbc \
php7-opcache \
php7-phpdbg \
php7-pspell \
php7-recode \
php7-snmp \
php7-sqlite3 \
php7-tidy \
php7-xml \
php7-xmlrpc \
php7-xsl \
php7-zip \
php7-pecl-apcu \
php7-common \
php7-pecl-igbinary \
php7-pecl-imagick \
php7-pecl-memcached \
php7-pecl-memcache \
php7-pecl-msgpack
ADD docker-entrypoint.sh /
EXPOSE 9000
STOPSIGNAL SIGTERM
ENTRYPOINT ["/docker-entrypoint.sh"]

18
app/docker-entrypoint.sh Executable file
View File

@ -0,0 +1,18 @@
#!/bin/sh
# This script will be executed every time the container spin up
#
# Author: bisco <bisco@younerd.org>
set -e
echo "Enabling PHP over network"
sed -i 's/listen\ =\ 127.0.0.1:9000/listen\ =\ 0.0.0.0:9000/g' /etc/php7/php-fpm.d/www.conf
echo "Changing user and group"
sed -i 's/user\ = nobody/user\ = www-data/g' /etc/php7/php-fpm.d/www.conf
sed -i 's/group\ = nobody/group\ = www-data/g' /etc/php7/php-fpm.d/www.conf
echo "Starting PHP-FPM"
php-fpm7 -F

54
docker-compose.yml Normal file
View File

@ -0,0 +1,54 @@
version: "2"
services:
app:
image: app:latest
build: app
expose:
- "9000"
ports:
- "9000:9000"
volumes:
- /home/bisco/stuff/data/docker/volumes/nginx/htdocs:/var/www/localhost/htdocs
networks:
webnet:
aliases:
- app
db:
image: mariadb:latest
build: mariadb
env_file: mariadb/envs/prod
volumes:
- /home/bisco/stuff/data/docker/volumes/mysql:/var/lib/mysql
expose:
- "3306"
ports:
- "3306:3306"
networks:
webnet:
aliases:
- db
www:
image: nginx:latest
build: nginx
expose:
- "80"
- "443"
ports:
- "80:80"
- "443:443"
volumes:
- /home/bisco/stuff/data/docker/volumes/nginx/certs:/etc/nginx/certs
- /home/bisco/stuff/data/docker/volumes/nginx/htdocs:/var/www/localhost/htdocs
networks:
webnet:
aliases:
- www
depends_on:
- app
- db
networks:
webnet:

17
mariadb/Dockerfile Normal file
View File

@ -0,0 +1,17 @@
FROM alpine:3.12
LABEL maintainer = "bisco - <bisco@younerd.org>"
RUN apk add --update --no-cache \
bash \
mariadb \
mariadb-client
ADD docker-entrypoint.sh /
EXPOSE 3306
VOLUME ["/var/lib/mysql"]
STOPSIGNAL SIGTERM
ENTRYPOINT ["/docker-entrypoint.sh"]

64
mariadb/docker-entrypoint.sh Executable file
View File

@ -0,0 +1,64 @@
#!/bin/sh
# This script will be executed every time the container spin up
# It will check if the database is properly set up:
# - main schema is present
# - anonymous login is disabled
# - remote root login is disabled
# - remote login is allowed
#
# TODO:
# - import every SQL file found into a specific volume
#
# Author: bisco <bisco@younerd.org>
set -e
if [ -z $(ls -A /var/lib/mysql) ];
then
echo "MySQL Datadir not found. Creating a new MySQL database"
mysql_install_db --user=mysql --datadir=/var/lib/mysql
echo "Starting MySQL for setup process...."
$(which mysqld_safe) --no-defaults --syslog --nowatch --pid-file=/tmp/mysqld.pid
sleep 3
echo "Disallow anonymous login...."
$(which mysql) -e "DELETE FROM mysql.global_priv WHERE User='';"
echo "Disallow remote root login...."
$(which mysql) -e "DELETE FROM mysql.global_priv WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');"
echo "Deleting test database...."
$(which mysql) -e "DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%'"
echo "Creating new database...."
$(which mysql) -e "CREATE DATABASE IF NOT EXISTS \`${MYSQL_DATABASE}\` CHARACTER SET 'utf8' COLLATE 'utf8_general_ci';"
$(which mysql) -e "GRANT ALL ON \`${MYSQL_DATABASE}\`.* TO '${MYSQL_USER}'@'%' IDENTIFIED BY '${MYSQL_PASSWORD}';"
echo "Flushing all privileges...."
$(which mysql) -e "FLUSH PRIVILEGES;"
echo "Enabling remote login...."
sed -i 's/^skip-networking/#skip-networking/g' /etc/my.cnf.d/mariadb-server.cnf
sed -i 's/#bind-address/bind-address/g' /etc/my.cnf.d/mariadb-server.cnf
echo "Stopping MySQL for setup process...."
kill -9 $(cat /tmp/mysqld.pid)
echo "Starting MySQL with production environment...."
$(which mysqld_safe) --syslog
else
echo "MySQL Datadir found. Skipping creation..."
echo "Enabling remote login...."
sed -i 's/^skip-networking/#skip-networking/g' /etc/my.cnf.d/mariadb-server.cnf
sed -i 's/#bind-address/bind-address/g' /etc/my.cnf.d/mariadb-server.cnf
echo "Starting MySQL with production environment...."
$(which mysqld_safe) --syslog
fi

3
mariadb/envs/prod Normal file
View File

@ -0,0 +1,3 @@
MYSQL_DATABASE=mysql_db_1
MYSQL_USER=mysql_user_1
MYSQL_PASSWORD=cicciopasticcio123

25
nginx/Dockerfile Normal file
View File

@ -0,0 +1,25 @@
FROM alpine:3.12
LABEL maintainer = "bisco - <bisco@younerd.org>"
RUN addgroup -g 82 www-data &&\
adduser -u 82 -G www-data -g 'World Wide Web user' \
-s /sbin/nologin -D www-data
RUN apk add --update --no-cache \
bash \
nginx nginx-mod-http-image-filter \
nginx-mod-http-headers-more \
nginx-mod-http-xslt-filter
COPY nginx.conf ssl_params gzip_params /etc/nginx/
COPY nginx.vh.default.conf /etc/nginx/conf.d/default.conf
VOLUME ["/etc/nginx/"]
EXPOSE 80 443
STOPSIGNAL SIGTERM
CMD ["nginx", "-g", "daemon off;"]

46
nginx/gzip_params Normal file
View File

@ -0,0 +1,46 @@
# Compression
# Enable Gzip compressed.
gzip on;
# Enable compression both for HTTP/1.0 and HTTP/1.1.
gzip_http_version 1.1;
# Compression level (1-9).
# 5 is a perfect compromise between size and cpu usage, offering about
# 75% reduction for most ascii files (almost identical to level 9).
gzip_comp_level 5;
# Don't compress anything that's already small and unlikely to shrink much
# if at all (the default is 20 bytes, which is bad as that usually leads to
# larger files after gzipping).
gzip_min_length 256;
# Compress data even for clients that are connecting to us via proxies,
# identified by the "Via" header (required for CloudFront).
gzip_proxied any;
# Tell proxies to cache both the gzipped and regular version of a resource
# whenever the client's Accept-Encoding capabilities header varies;
# Avoids the issue where a non-gzip capable client (which is extremely rare
# today) would display gibberish if their proxy gave them the gzipped version.
gzip_vary on;
# Compress all output labeled with one of the following MIME-types.
gzip_types
application/atom+xml
application/javascript
application/json
application/rss+xml
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/svg+xml
image/x-icon
text/css
text/plain
text/x-component;
# text/html is always compressed by HttpGzipModule

31
nginx/nginx.conf Normal file
View File

@ -0,0 +1,31 @@
user www-data;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}

43
nginx/nginx.vh.default.conf Normal file
View File

@ -0,0 +1,43 @@
server {
listen 80;
server_name localhost;
#charset koi8-r;
#access_log /var/log/nginx/host.access.log main;
location / {
root /var/www/localhost/htdocs/;
index index.html index.htm index.php;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /var/www/localhost/htdocs/;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
location ~ .*\.php$ {
fastcgi_pass app:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /var/www/localhost/htdocs$fastcgi_script_name;
include fastcgi_params;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}

24
nginx/ssl_params Normal file
View File

@ -0,0 +1,24 @@
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
## ssl_dhparam /path/to/dhparam.pem;
# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
## ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
## resolver <IP DNS resolver>;