1449: Updated docker compose setup

itk-dev · May 21, 2024 · 5e63aea · 5e63aea
1 parent 90a351d
commit 5e63aea
Show file tree

Hide file tree

Showing 6 changed files with 114 additions and 22 deletions.
diff --git a/.docker/nginx.conf b/.docker/nginx.conf
@@ -1,6 +1,6 @@
 worker_processes  auto;
 
-error_log  /var/log/nginx/error.log notice;
+error_log  /dev/stderr notice;
 pid        /tmp/nginx.pid;
 
 events {
@@ -26,11 +26,9 @@ http {
                       '$status $body_bytes_sent "$http_referer" '
                       '"$http_user_agent" "$http_x_forwarded_for"';
 
-    access_log  /var/log/nginx/access.log main;
+    access_log  /dev/stdout main;
 
     sendfile        on;
-    #tcp_nopush     on;
-
     keepalive_timeout  65;
 
     gzip  on;

diff --git a/.docker/templates/default.conf.template b/.docker/templates/default.conf.template
@@ -0,0 +1,94 @@
+server {
+    listen ${NGINX_PORT};
+    server_name localhost;
+
+    root ${NGINX_WEB_ROOT};
+
+    client_max_body_size ${NGINX_MAX_BODY_SIZE};
+
+    location = /favicon.ico {
+        log_not_found off;
+        access_log off;
+    }
+
+    location = /robots.txt {
+        allow all;
+        log_not_found off;
+        access_log off;
+    }
+
+    location ~* \.(txt|log)$ {
+        deny all;
+    }
+
+    location ~ \..*/.*\.php$ {
+        return 403;
+    }
+
+    location ~ ^/sites/.*/private/ {
+        return 403;
+    }
+
+    # Block access to scripts in site files directory
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+
+    # Block access to "hidden" files and directories whose names begin with a
+    # period.
+    location ~ (^|/)\. {
+        return 403;
+    }
+
+    location / {
+        try_files $uri /index.php?$query_string;
+    }
+
+    location @rewrite {
+        rewrite ^ /index.php;
+    }
+
+    # Don't allow direct access to PHP files in the vendor directory.
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }
+
+    # Protect files and directories from prying eyes.
+    location ~* \.(engine|inc|install|make|module|profile|po|sh|.*sql|.tar|.gz|.bz2|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$ {
+        deny all;
+        return 404;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        include fastcgi_params;
+
+        fastcgi_buffers 16 32k;
+        fastcgi_buffer_size 64k;
+        fastcgi_busy_buffers_size 64k;
+
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+
+        # Ensure the php file exists. Mitigates CVE-2019-11043
+        try_files $fastcgi_script_name =404;
+
+        fastcgi_param HTTP_PROXY "";
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param PATH_INFO $fastcgi_path_info;
+        fastcgi_param QUERY_STRING $query_string;
+
+        fastcgi_intercept_errors on;
+        fastcgi_pass ${NGINX_FPM_SERVICE};
+    }
+
+    # Enforce clean URLs
+    #
+    # Removes index.php from urls like www.example.com/index.php/my-page --> www.example.com/my-page
+    # Could be done with 301 for permanent or other redirect codes.
+    if ($request_uri ~* "^(.*/)index\.php/(.*)") {
+        return 307 $1$2;
+    }
+
+    error_log /dev/stderr;
+    access_log /dev/stdout main;
+}
diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml
@@ -1,6 +1,4 @@
-# itk-version: 3.1.0
-version: "3"
-
+# itk-version: 3.2.1
 services:
   phpfpm:
     environment:

diff --git a/docker-compose.redirect.yml b/docker-compose.redirect.yml
@@ -1,6 +1,4 @@
-# itk-version: 3.1.0
-version: "3"
-
+# itk-version: 3.2.1
 services:
   nginx:
     labels:

diff --git a/docker-compose.server.yml b/docker-compose.server.yml
@@ -1,6 +1,4 @@
-# itk-version: 3.1.1
-version: "3"
-
+# itk-version: 3.2.1
 networks:
   frontend:
     external: true
@@ -33,12 +31,15 @@ services:
       - frontend
     depends_on:
       - phpfpm
-    ports:
-      - '8080'
     volumes:
-      - ./.docker/vhost.conf:/etc/nginx/conf.d/default.conf:ro
+      - ./.docker/templates:/etc/nginx/templates:ro
       - ./.docker/nginx.conf:/etc/nginx/nginx.conf:ro
-      - ./:/app:rw
+      - .:/app
+    environment:
+      NGINX_FPM_SERVICE: ${COMPOSE_PROJECT_NAME}-phpfpm-1:9000
+      NGINX_WEB_ROOT: /app/web
+      NGINX_PORT: 8080
+      NGINX_MAX_BODY_SIZE: 5M
     labels:
       - "traefik.enable=true"
       - "traefik.docker.network=frontend"

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,6 +1,4 @@
-# itk-version: 3.1.1
-version: "3"
-
+# itk-version: 3.2.1
 networks:
   frontend:
     external: true
@@ -35,7 +33,7 @@ services:
       - PHP_XDEBUG_MODE=${PHP_XDEBUG_MODE:-off}
       - PHP_MAX_EXECUTION_TIME=30
       - PHP_MEMORY_LIMIT=256M
-      # Depending on the setup you may have to remove --read-envelope-from from msmtp (cf. https://marlam.de/msmtp/msmtp.html) or use SMTP to send mail
+      # Depending on the setup, you may have to remove --read-envelope-from from msmtp (cf. https://marlam.de/msmtp/msmtp.html) or use SMTP to send mail
       - PHP_SENDMAIL_PATH=/usr/bin/msmtp --host=mail --port=1025 --read-recipients --read-envelope-from
       - DOCKER_HOST_DOMAIN=${COMPOSE_DOMAIN}
       - COMPOSER_VERSION=2
@@ -56,8 +54,13 @@ services:
     ports:
       - '8080'
     volumes:
-      - ./.docker/vhost.conf:/etc/nginx/conf.d/default.conf:ro
+      - ./.docker/templates:/etc/nginx/templates:ro
       - .:/app
+    environment:
+      NGINX_FPM_SERVICE: ${COMPOSE_PROJECT_NAME}-phpfpm-1:9000
+      NGINX_WEB_ROOT: /app/web
+      NGINX_PORT: 8080
+      NGINX_MAX_BODY_SIZE: 5M
     labels:
       - "traefik.enable=true"
       - "traefik.docker.network=frontend"