diff --git a/.docker/nginx.conf b/.docker/nginx.conf index 43dbd195..d0a557b1 100644 --- a/.docker/nginx.conf +++ b/.docker/nginx.conf @@ -1,6 +1,6 @@ worker_processes auto; -error_log /var/log/nginx/error.log notice; +error_log /dev/stderr notice; pid /tmp/nginx.pid; events { @@ -26,11 +26,9 @@ http { '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; - access_log /var/log/nginx/access.log main; + access_log /dev/stdout main; sendfile on; - #tcp_nopush on; - keepalive_timeout 65; gzip on; diff --git a/.docker/templates/default.conf.template b/.docker/templates/default.conf.template new file mode 100644 index 00000000..2da35cc2 --- /dev/null +++ b/.docker/templates/default.conf.template 
@@ -0,0 +1,94 @@
+server {
+ listen ${NGINX_PORT};
+ server_name localhost;
+
+ root ${NGINX_WEB_ROOT};
+
+ client_max_body_size ${NGINX_MAX_BODY_SIZE};
+
+ location = /favicon.ico {
+ log_not_found off;
+ access_log off;
+ }
+
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+
+ location ~* \.(txt|log)$ {
+ deny all;
+ }
+
+ location ~ \..*/.*\.php$ {
+ return 403;
+ }
+
+ location ~ ^/sites/.*/private/ {
+ return 403;
+ }
+
+ # Block access to scripts in site files directory
+ location ~ ^/sites/[^/]+/files/.*\.php$ {
+ deny all;
+ }
+
+ # Block access to "hidden" files and directories whose names begin with a
+ # period.
+ location ~ (^|/)\. {
+ return 403;
+ }
+
+ location / {
+ try_files $uri /index.php?$query_string;
+ }
+
+ location @rewrite {
+ rewrite ^ /index.php;
+ }
+
+ # Don't allow direct access to PHP files in the vendor directory.
+ location ~ /vendor/.*\.php$ {
+ deny all;
+ return 404;
+ }
+
+ # Protect files and directories from prying eyes.
+ location ~* \.(engine|inc|install|make|module|profile|po|sh|.*sql|.tar|.gz|.bz2|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$ {
+ deny all;
+ return 404;
+ }
+
+ location ~ '\.php$|^/update.php' {
+ include fastcgi_params;
+
+ fastcgi_buffers 16 32k;
+ fastcgi_buffer_size 64k;
+ fastcgi_busy_buffers_size 64k;
+
+ fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+
+ # Ensure the php file exists. 
Mitigates CVE-2019-11043 + try_files $fastcgi_script_name =404; + + fastcgi_param HTTP_PROXY ""; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param QUERY_STRING $query_string; + + fastcgi_intercept_errors on; + fastcgi_pass ${NGINX_FPM_SERVICE}; + } + + # Enforce clean URLs + # + # Removes index.php from urls like www.example.com/index.php/my-page --> www.example.com/my-page + # Could be done with 301 for permanent or other redirect codes. + if ($request_uri ~* "^(.*/)index\.php/(.*)") { + return 307 $1$2; + } + + error_log /dev/stderr; + access_log /dev/stdout main; +} diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml index 7693fef4..4ac6fe33 100644 --- a/docker-compose.dev.yml +++ b/docker-compose.dev.yml @@ -1,6 +1,4 @@ -# itk-version: 3.1.0 -version: "3" - +# itk-version: 3.2.1 services: phpfpm: environment: diff --git a/docker-compose.redirect.yml b/docker-compose.redirect.yml index ac81f43c..66f26e97 100644 --- a/docker-compose.redirect.yml +++ b/docker-compose.redirect.yml @@ -1,6 +1,4 @@ -# itk-version: 3.1.0 -version: "3" - +# itk-version: 3.2.1 services: nginx: labels: diff --git a/docker-compose.server.yml b/docker-compose.server.yml index 1de16a25..d6f1b07d 100644 --- a/docker-compose.server.yml +++ b/docker-compose.server.yml @@ -1,6 +1,4 @@ -# itk-version: 3.1.1 -version: "3" - +# itk-version: 3.2.1 networks: frontend: external: true @@ -33,12 +31,15 @@ services: - frontend depends_on: - phpfpm - ports: - - '8080' volumes: - - ./.docker/vhost.conf:/etc/nginx/conf.d/default.conf:ro + - ./.docker/templates:/etc/nginx/templates:ro - ./.docker/nginx.conf:/etc/nginx/nginx.conf:ro - - ./:/app:rw + - .:/app + environment: + NGINX_FPM_SERVICE: ${COMPOSE_PROJECT_NAME}-phpfpm-1:9000 + NGINX_WEB_ROOT: /app/web + NGINX_PORT: 8080 + NGINX_MAX_BODY_SIZE: 5M labels: - "traefik.enable=true" - "traefik.docker.network=frontend" 
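Review bot: The clean-URL redirect near the end of the new vhost builds its target from the raw `$request_uri`, so a request path beginning with `//` (for example `//evil.example/index.php/x`) yields `$1$2` equal to `//evil.example/x`. With nginx's default `absolute_redirect on` that value is prefixed with `http://$host` (and, given `listen 8080` behind Traefik, probably `:8080`), which is not an open redirect but likely emits the wrong scheme and port; if anyone later sets `absolute_redirect off` to fix that, the protocol-relative open redirect becomes live. Requiring the captured prefix to start with a single slash, `if ($request_uri ~* "^(/(?:[^/].*/)?)index\.php/(.*)") {`, closes that path while still carrying the query string through `$2`. Separately, `location ~ (^|/)\. { return 403; }` is evaluated before the later regex that carves out `.well-known`, so `/.well-known/` is already blocked when that exemption is reached; either add `location ^~ /.well-known/ { allow all; }` above it or drop the unreachable exemption.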
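Review bot: `NGINX_FPM_SERVICE: ${COMPOSE_PROJECT_NAME}-phpfpm-1:9000` in the new `environment` block hard-codes the container name Compose generates for the first replica of `phpfpm`, which couples the vhost to the Compose naming scheme (v1 used `_` as the separator), breaks under scaling or a `container_name` override, and expands to `-phpfpm-1:9000` if `COMPOSE_PROJECT_NAME` is unset. Compose registers the service name as a DNS alias on every network the service joins, so wherever the container name resolves `phpfpm` should resolve too; `NGINX_FPM_SERVICE: phpfpm:9000` is the more robust value, and the same line appears in the docker-compose.yml hunk of this commit. If pinning the first replica is intentional (for example to avoid round-robin across replicas), a comment above the line saying so would spare the next reader the guess.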
diff --git a/docker-compose.yml b/docker-compose.yml index eb6c2f86..dd90e9a6 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,6 +1,4 @@ -# itk-version: 3.1.1 -version: "3" - +# itk-version: 3.2.1 networks: frontend: external: true @@ -35,7 +33,7 @@ services: - PHP_XDEBUG_MODE=${PHP_XDEBUG_MODE:-off} - PHP_MAX_EXECUTION_TIME=30 - PHP_MEMORY_LIMIT=256M - # Depending on the setup you may have to remove --read-envelope-from from msmtp (cf. https://marlam.de/msmtp/msmtp.html) or use SMTP to send mail + # Depending on the setup, you may have to remove --read-envelope-from from msmtp (cf. https://marlam.de/msmtp/msmtp.html) or use SMTP to send mail - PHP_SENDMAIL_PATH=/usr/bin/msmtp --host=mail --port=1025 --read-recipients --read-envelope-from - DOCKER_HOST_DOMAIN=${COMPOSE_DOMAIN} - COMPOSER_VERSION=2 @@ -56,8 +54,13 @@ services: ports: - '8080' volumes: - - ./.docker/vhost.conf:/etc/nginx/conf.d/default.conf:ro + - ./.docker/templates:/etc/nginx/templates:ro - .:/app + environment: + NGINX_FPM_SERVICE: ${COMPOSE_PROJECT_NAME}-phpfpm-1:9000 + NGINX_WEB_ROOT: /app/web + NGINX_PORT: 8080 + NGINX_MAX_BODY_SIZE: 5M labels: - "traefik.enable=true" - "traefik.docker.network=frontend"
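Review bot: The nginx service's `- .:/app` bind mount (kept from the old side of the last hunk) gives the web server a read-write view of the whole checkout, including `.env`, `.git`, `composer.*` and `vendor/`, while the new template only needs to read static files under `NGINX_WEB_ROOT: /app/web`. The dotfile and `vendor/` denies in the template limit what is served, but a read-only mount removes the write capability outright; `- .:/app:ro` (or, narrower, `- ./web:/app/web:ro`) is the least-privilege choice unless something in this container writes under /app, which nothing visible here does. The same mount appears in the docker-compose.server.yml hunk, where this commit drops the explicit `:rw` without making it read-only.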