├── LICENSE ├── README.md ├── debian-php7.0 ├── .dockerignore ├── Dockerfile └── rootfs │ ├── etc │ ├── ImageMagick │ ├── cont-init.d │ │ ├── 00-render-templates │ │ ├── 01-create-web-user │ │ ├── 02-init-crond │ │ └── 02-init-directories-and-files │ ├── nginx │ │ ├── additional.types │ │ ├── cache │ │ │ ├── helper_variables.conf │ │ │ ├── redis_backend.conf │ │ │ ├── skip_rules.conf │ │ │ └── srcache.conf │ │ ├── env.conf │ │ ├── error_pages.conf │ │ ├── fastcgi_params │ │ ├── fastcgi_settings.conf │ │ ├── gzip.conf │ │ ├── log_format.conf │ │ ├── log_formats.conf │ │ ├── nginx.conf │ │ ├── pagespeed │ │ │ ├── locations.conf │ │ │ └── settings.conf │ │ ├── proxy_real_variables.conf │ │ ├── security.conf │ │ ├── security_headers.conf │ │ ├── static_files.conf │ │ └── upstreams.conf │ ├── php │ │ └── 7.0 │ │ │ ├── cli │ │ │ └── php.ini │ │ │ └── fpm │ │ │ ├── conf.d │ │ │ ├── blocked.ini │ │ │ ├── common.ini │ │ │ ├── limits.ini │ │ │ ├── logging.ini │ │ │ ├── mail.ini │ │ │ ├── opcache.ini │ │ │ ├── opcache_invalidate.conf │ │ │ ├── sessions.ini │ │ │ └── timezone.ini │ │ │ ├── php-fpm.conf │ │ │ ├── php-fpm.d │ │ │ └── preserve-env.conf │ │ │ └── php.ini │ └── services.d │ │ ├── cron │ │ └── run │ │ ├── nginx │ │ └── run │ │ └── php-fpm │ │ └── run │ └── usr │ ├── bin │ └── wp │ ├── local │ └── bin │ │ ├── phinx │ │ ├── print-smtp-password │ │ └── wp-run-cron │ ├── sbin │ └── sendmail │ └── share │ └── nginx │ └── html │ ├── 403.html │ ├── 500.html │ ├── 502.html │ └── 504.html ├── docker-compose.yml ├── php5.6 ├── .dockerignore ├── Dockerfile └── rootfs │ ├── etc │ ├── ImageMagick │ ├── cont-init.d │ │ ├── 00-maybe-symlink-root │ │ ├── 00-render-templates │ │ ├── 01-create-web-user │ │ ├── 01-set-timezone │ │ ├── 02-init-crond │ │ ├── 02-init-directories-and-files │ │ └── 03-init-php-sessions │ ├── nginx │ │ ├── fastcgi_params │ │ ├── gzip.conf │ │ ├── nginx.conf │ │ ├── security.conf │ │ ├── upstreams.conf │ │ └── wordpress.conf │ ├── php5 │ │ ├── conf.d │ │ │ 
├── common.ini │ │ │ ├── limits.ini │ │ │ ├── logging.ini │ │ │ └── mail.ini │ │ ├── fpm.d │ │ │ └── preserve-env.conf │ │ ├── php-fpm.conf │ │ └── php-fpm.ini │ └── services.d │ │ ├── crond │ │ └── run │ │ ├── nginx │ │ └── run │ │ └── php-fpm │ │ ├── finish │ │ └── run │ ├── root │ └── .bashrc │ └── usr │ ├── local │ └── bin │ │ ├── phinx │ │ ├── print-smtp-password │ │ ├── wp │ │ └── wp-run-cron │ └── sbin │ └── sendmail ├── php7.0 ├── .dockerignore ├── Dockerfile └── rootfs │ ├── etc │ ├── ImageMagick │ ├── cont-init.d │ │ ├── 00-maybe-symlink-root │ │ ├── 00-render-templates │ │ ├── 01-create-web-user │ │ ├── 01-set-timezone │ │ ├── 02-init-crond │ │ ├── 02-init-directories-and-files │ │ └── 03-init-php-sessions │ ├── nginx │ │ ├── fastcgi_params │ │ ├── fastcgi_settings.conf │ │ ├── gzip.conf │ │ ├── nginx.conf │ │ ├── security.conf │ │ ├── security_headers.conf │ │ ├── static_files.conf │ │ └── upstreams.conf │ ├── php7 │ │ ├── conf.d │ │ │ ├── common.ini │ │ │ ├── limits.ini │ │ │ ├── logging.ini │ │ │ └── mail.ini │ │ ├── php-fpm.conf │ │ ├── php-fpm.d │ │ │ └── preserve-env.conf │ │ └── php-fpm.ini │ └── services.d │ │ ├── crond │ │ └── run │ │ ├── logger │ │ └── run │ │ ├── nginx │ │ └── run │ │ └── php-fpm │ │ ├── finish │ │ └── run │ ├── root │ └── .bashrc │ └── usr │ ├── local │ └── bin │ │ ├── phinx │ │ ├── print-smtp-password │ │ ├── wp │ │ └── wp-run-cron │ └── sbin │ └── sendmail └── web └── info.php /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | Copyright (c) 2016 Geniem Oy 3 | 4 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, 
subject to the following conditions: 5 | 6 | The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 7 | 8 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Lightweight PHP-FPM & Nginx Docker Image for WordPress 2 | [![devgeniem/alpine-wordpress docker image](http://dockeri.co/image/devgeniem/wordpress-server)](https://registry.hub.docker.com/u/devgeniem/wordpress-server/) 3 | 4 | [![License](https://img.shields.io/:license-mit-blue.svg?style=flat-square)](http://badges.mit-license.org) 5 | 6 | This is maintained repository. We use this project in production and recommend this for your projects too. This container doesn't have mysql or email, you need to provide them from elsewhere. This can be other container or your host machine. 7 | 8 | I tried to include all build, test and project tools in [docker-alpine-wordpress](https://github.com/devgeniem/docker-alpine-wordpress) image. I think that more modular design is better for docker and security as well. 9 | 10 | This project tries to be as minimal as possible and doesn't include anything that we don't absolutely need in the runtime. 11 | 12 | ## Aren't you only supposed to run one process per container? 13 | We think that docker container should be small set of processes which provide one service rather than one clumsy process. 
This container uses [s6-overlay](https://github.com/just-containers/s6-overlay) in order to run php-fpm and nginx together. 14 | 15 | ## Container layout 16 | Mount your wordpress project into: 17 | ``` 18 | /var/www/project 19 | ``` 20 | 21 | Your project should define web root in: 22 | ``` 23 | /var/www/project/web 24 | ``` 25 | This is the place where nginx will serve requests. This is compatible with [bedrock layout](https://github.com/roots/bedrock). 26 | 27 | ### Override project path 28 | You can use `OVERRIDE_PROJECT_ROOT` variable to change project path with symlink. 29 | 30 | For example in `Drone CI` all mounts are done into `/drone/src` folder and we use `OVERRIDE_PROJECT_ROOT=/drone/src/project` in our testing. 31 | 32 | Container creates a symlink from /var/www/project into `$OVERRIDE_PROJECT_ROOT` which allows us to use custom path. 33 | 34 | ## User permissions 35 | You can use `WP_GID` and `WP_UID` env to change web user and group. 36 | 37 | If these are not set container will look for owner:group from files mounted in `/var/www/project/web/`. 38 | 39 | If these files are owned by root user or root group the container will automatically use 100:101 as permissions instead. This is so that we won't never run nginx and php-fpm as root. 40 | 41 | ## Nginx includes 42 | You can have custom nginx includes in your project mount `/var/www/project/nginx`. 43 | 44 | **Include into http {} block:** 45 | `/var/www/project/nginx/http/*.conf` 46 | 47 | **Include into server {} block:** 48 | `/var/www/project/nginx/server/*.conf` 49 | 50 | See more in our [wp-project template](https://github.com/devgeniem/wp-project). 51 | 52 | ## Cron jobs 53 | You can place cron file in `/var/www/project/tasks.cron`. This is symlinked to crond and run as user `wordpress`. 54 | 55 | For example: 56 | ``` 57 | # do daily/weekly/monthly maintenance 58 | * * * * * echo "test log from: $(whoami)..." 
>> /tmp/test.log 59 | ``` 60 | 61 | ## Environment Variables 62 | 63 | ### Timezone 64 | This sets timezone for the environment and php. See candidates here: http://php.net/manual/en/timezones.php 65 | ``` 66 | TZ # Default: 'Europe/Helsinki' 67 | ``` 68 | 69 | ### Development/Production 70 | 71 | ``` 72 | WP_ENV # Default: '' Options: development,testing,production,pretty-much-anything-you-want 73 | ``` 74 | 75 | ### Database variables (mysql/mariadb) 76 | 77 | ``` 78 | DB_NAME # Default: '' 79 | DB_PASSWORD # Default: '' 80 | DB_USER # Default: '' 81 | DB_HOST # Default: '' 82 | DB_PORT # Default: '' 83 | ``` 84 | 85 | Remember to set `DB_NAME`, `DB_PASSWORD` and `DB_USER` and use these variables in your wp-config.php. These are automatically added as envs in php context. 86 | 87 | ### Email variables 88 | 89 | ``` 90 | SMTP_HOST 91 | ``` 92 | 93 | This variable changes the host where container tries to send mail from. By default this is docker host `172.17.0.1`. 94 | 95 | ``` 96 | SMTP_PORT 97 | ``` 98 | 99 | This variable changes the port where container tries to connect in order to send mail. By default this is `25`. 100 | 101 | ``` 102 | SMTP_TLS 103 | ``` 104 | 105 | If this is provided use username in authenticating to mail server. Default: null 106 | ``` 107 | SMTP_USER 108 | ``` 109 | 110 | If this is provided use password in authenticating to mail server. Default: null 111 | ``` 112 | SMTP_PASSWORD 113 | ``` 114 | 115 | If this is `on` mail will use username/password authentication in connections to smtp server. 116 | This will automatically activate if you use `SMTP_USER` and `SMTP_PASSWORD`. Default: `off` 117 | ``` 118 | SMTP_AUTH 119 | ``` 120 | 121 | See more about these variables in [msmtp docs](http://msmtp.sourceforge.net/doc/msmtp.html#Authentication). 
122 | 123 | ### PHP and Nginx Variables 124 | You can change following env to change php configs: 125 | 126 | ``` 127 | # Variables and default values 128 | PHP_MEMORY_LIMIT=128M 129 | NGINX_MAX_BODY_SIZE=64M 130 | NGINX_FASTCGI_TIMEOUT=30 131 | ``` 132 | 133 | ## What's inside container: 134 | ### For running WordPress 135 | - php7 136 | - php-fpm7 137 | - nginx 138 | - wp-cli 139 | 140 | ### For sending emails with smtp server 141 | - msmtp 142 | -------------------------------------------------------------------------------- /debian-php7.0/.dockerignore: -------------------------------------------------------------------------------- 1 | # These files are ignored from being uploaded to docker build context 2 | 3 | # Git is not needed in docker image building 4 | .git 5 | 6 | # No OSX rubbish 7 | .DS_Store 8 | 9 | # Development stuff 10 | docker-compose.yml 11 | .dockerignore 12 | Dockerfile 13 | -------------------------------------------------------------------------------- /debian-php7.0/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM devgeniem/openresty-pagespeed 2 | MAINTAINER Onni Hakala 3 | 4 | ## 5 | # Only use these during installation 6 | ## 7 | ARG LANG=C.UTF-8 8 | ARG DEBIAN_FRONTEND=noninteractive 9 | 10 | ## 11 | # Install php7 packages from dotdeb.org 12 | # - Dotdeb is an extra repository providing up-to-date packages for your Debian servers 13 | ## 14 | RUN \ 15 | apt-get update \ 16 | && apt-get -y --no-install-recommends install \ 17 | curl \ 18 | nano \ 19 | ca-certificates \ 20 | git \ 21 | mysql-client \ 22 | msmtp \ 23 | netcat \ 24 | less \ 25 | libmcrypt-dev \ 26 | && echo "deb http://packages.dotdeb.org jessie all" > /etc/apt/sources.list.d/dotdeb.list \ 27 | && curl -sS https://www.dotdeb.org/dotdeb.gpg | apt-key add - \ 28 | && apt-get update \ 29 | && apt-get -y --no-install-recommends install \ 30 | php7.0-cli \ 31 | php7.0-common \ 32 | php7.0-apcu \ 33 | php7.0-apcu-bc \ 34 | 
php7.0-curl \ 35 | php7.0-json \ 36 | php7.0-mcrypt \ 37 | php7.0-opcache \ 38 | php7.0-readline \ 39 | php7.0-xml \ 40 | php7.0-zip \ 41 | php7.0-fpm \ 42 | php7.0-redis \ 43 | php7.0-mongodb \ 44 | php7.0-mysqli \ 45 | php7.0-intl \ 46 | php7.0-gd \ 47 | php7.0-mbstring \ 48 | php7.0-soap \ 49 | php7.0-bcmath \ 50 | php7.0-curl \ 51 | php7.0-ldap \ 52 | php7.0-mcrypt \ 53 | php7.0-imagick \ 54 | libmagickwand-dev \ 55 | 56 | # Force install only cron without extra mailing dependencies 57 | && cd /tmp \ 58 | && apt-get download cron \ 59 | && dpkg --force-all -i cron*.deb \ 60 | && mkdir -p /var/spool/cron/crontabs \ 61 | 62 | # Cleanup 63 | && apt-get clean \ 64 | && apt-get autoremove \ 65 | && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /usr/share/doc/* /var/log/apt/* /var/log/*.log 66 | 67 | 68 | # Install helpers 69 | RUN \ 70 | ## 71 | # Install composer 72 | ## 73 | curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer \ 74 | && composer global require hirak/prestissimo \ 75 | 76 | ## 77 | # Install wp-cli 78 | # source: http://wp-cli.org/ 79 | ## 80 | && curl -L https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar -o /usr/local/bin/wp-cli \ 81 | && chmod +rx /usr/local/bin/wp-cli \ 82 | # Symlink it to /usr/bin as well so that cron can find this script with limited PATH 83 | && ln -s /usr/local/bin/wp-cli /usr/bin/wp-cli \ 84 | 85 | ## 86 | # Install cronlock for running cron correctly with multi container setups 87 | # https://github.com/kvz/cronlock 88 | ## 89 | && curl -L https://raw.githubusercontent.com/kvz/cronlock/master/cronlock -o /usr/local/bin/cronlock \ 90 | && chmod +rx /usr/local/bin/cronlock \ 91 | # Symlink it to /usr/bin as well so that cron can find this script with limited PATH 92 | && ln -s /usr/local/bin/cronlock /usr/bin/cronlock 93 | 94 | ## 95 | # Add Project files like nginx and php-fpm processes and configs 96 | # Also custom scripts and bashrc 97 | ## 98 | COPY 
rootfs/ / 99 | 100 | # Run small fixes 101 | RUN set -x \ 102 | && mkdir -p /var/www/uploads \ 103 | && ln -sf /usr/sbin/php-fpm7.0 /usr/sbin/php-fpm \ 104 | && ln -sf /usr/bin/wp /usr/local/bin/wp 105 | 106 | # This is for your project root 107 | ENV PROJECT_ROOT="/var/www/project" 108 | 109 | ENV \ 110 | 111 | # Add interactive term 112 | TERM="xterm" \ 113 | 114 | # Set defaults which can be overriden 115 | MYSQL_PORT="3306" \ 116 | 117 | # Use default web port in nginx but allow it to be overridden 118 | # This also works correctly with flynn: 119 | # https://github.com/flynn/flynn/issues/3213#issuecomment-237307457 120 | PORT="8080" \ 121 | 122 | # Use custom users for nginx and php-fpm 123 | WEB_USER="wordpress" \ 124 | WEB_GROUP="web" \ 125 | WEB_UID=1000 \ 126 | WEB_GID=1001 \ 127 | 128 | # Set defaults for redis 129 | REDIS_PORT="6379" \ 130 | REDIS_DATABASE="0" \ 131 | REDIS_PASSWORD="" \ 132 | REDIS_SCHEME="tcp" \ 133 | 134 | # Set defaults for NGINX redis cache 135 | # This variable uses seconds by default 136 | # Time units supported are "s"(seconds), "ms"(milliseconds), "y"(years), "M"(months), "w"(weeks), "d"(days), "h"(hours), and "m"(minutes). 
137 | NGINX_REDIS_CACHE_TTL_DEFAULT="900" \ 138 | NGINX_REDIS_CACHE_TTL_MAX="4h" \ 139 | 140 | # Cronlock is used to stop simultaneous cronjobs in clusterised environments 141 | CRONLOCK_HOST="" \ 142 | 143 | # This is used by nginx and php-fpm 144 | WEB_ROOT="${PROJECT_ROOT}/web" \ 145 | # This is used automatically by wp-cli 146 | WP_CORE="${PROJECT_ROOT}/web/wp" \ 147 | 148 | # Nginx include files 149 | NGINX_INCLUDE_DIR="/var/www/project/nginx" \ 150 | # Allow bigger file uploads 151 | NGINX_MAX_BODY_SIZE="10M" \ 152 | # Allow storing bigger body in memory 153 | NGINX_BODY_BUFFER_SIZE="32k" \ 154 | # Have sane fastcgi timeout by default 155 | NGINX_FASTCGI_TIMEOUT="30" \ 156 | 157 | # Have sane fastcgi timeout by default 158 | NGINX_ERROR_LEVEL="warn" \ 159 | # Have sane fastcgi timeout by default 160 | NGINX_ERROR_LOG="stderr" \ 161 | # Have sane fastcgi timeout by default 162 | NGINX_ACCESS_LOG="/dev/stdout" \ 163 | 164 | # Default cache key for nginx http cache 165 | NGINX_CACHE_KEY='wp_:nginx:$real_scheme$request_method$host$request_uri' \ 166 | 167 | # PHP settings 168 | PHP_MEMORY_LIMIT="128M" \ 169 | PHP_MAX_INPUT_VARS="1000" \ 170 | PHP_ERROR_LOG="/proc/self/fd/1" \ 171 | PHP_ERROR_LOG_LEVEL="warning" \ 172 | PHP_ERROR_LOG_MAX_LEN="8192" \ 173 | PHP_SESSION_REDIS_DB="0" \ 174 | PHP_SESSION_HANDLER="files" \ 175 | 176 | # You should count the *.php files in your project and set this number to be bigger 177 | # $ find . 
-type f -print | grep php | wc -l 178 | PHP_OPCACHE_MAX_FILES="8000" \ 179 | 180 | # Amount of memory in MB to allocate for opcache 181 | PHP_OPCACHE_MAX_MEMORY="128" \ 182 | 183 | # Use host machine as default SMTP_HOST 184 | SMTP_HOST="172.17.0.1" \ 185 | 186 | # This folder is used to mount files into host machine 187 | # You should use this path for your uploads since everything else should be ephemeral 188 | UPLOADS_ROOT="/var/www/uploads" \ 189 | 190 | # This can be overidden by you, it's just default for us 191 | TZ="Europe/Helsinki" 192 | 193 | # Setup $TZ. Remember to run this again in your own build 194 | RUN dpkg-reconfigure tzdata && \ 195 | # Make sure that all files here have execute permissions 196 | chmod +x /etc/cont-init.d/* 197 | 198 | # Set default path to project folder for easier running commands in project 199 | WORKDIR ${PROJECT_ROOT} 200 | 201 | EXPOSE ${PORT} 202 | 203 | ENTRYPOINT ["/init"] 204 | 205 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/etc/ImageMagick: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/etc/cont-init.d/00-render-templates: -------------------------------------------------------------------------------- 1 | #!/usr/bin/with-contenv bash 2 | ## 3 | # This script uses clever heredoc hack to substitute env variables into static config files 4 | # Source: http://stackoverflow.com/questions/2914220/bash-templating-how-to-build-configuration-files-from-templates-with-bash 5 | ## 6 | 7 | ## 8 | # Replaces ${ENV} placoholders from file with provided variables 9 | # $1 - ':'' separated list of variables 10 | # $2 - filename to render 11 | ## 12 | function render_env_tmpl() { 13 | vars=$1 14 | input_file=$2 15 | # If filename ends with .tmpl replace it without the .tmpl 16 | 
filename=$(dirname $input_file)/$(basename $input_file .tmpl) 17 | 18 | tmp_file=/tmp/$(basename $filename) 19 | 20 | # render all provided $vars to temporary file 21 | envsubst "$vars" < $input_file > $tmp_file 22 | 23 | # replace original file with rendered file 24 | mv $tmp_file $filename 25 | } 26 | 27 | echo "[cont-init.d] Substituting env into configuration files..." 28 | 29 | ## 30 | # Nginx doesn't support env variables in config files so we will have to do this in hacky way instead 31 | ## 32 | VARS='$PORT:$WEB_ROOT:$WEB_USER:$WEB_GROUP:$NGINX_ACCESS_LOG:$NGINX_ERROR_LOG:$NGINX_ERROR_LEVEL:$NGINX_INCLUDE_DIR:$NGINX_MAX_BODY_SIZE:$NGINX_BODY_BUFFER_SIZE:$NGINX_FASTCGI_TIMEOUT:$WP_ENV:$NGINX_CACHE_KEY' 33 | render_env_tmpl "$VARS" /etc/nginx/nginx.conf 34 | 35 | ## 36 | # Redis cache needs to know the redis instance and credentials 37 | ## 38 | 39 | # Set defaults if they are not set 40 | export REDIS_HOST=${REDIS_HOST-$REDIS_1_PORT_6379_TCP_ADDR} 41 | export REDIS_PORT=${REDIS_PORT-6379} 42 | export REDIS_DATABASE=${REDIS_DATABASE-0} 43 | export REDIS_PASSWORD=${REDIS_PASSWORD-''} 44 | export REDIS_CACHE_TTL=${REDIS_CACHE_TTL-14400} 45 | 46 | # Add helper variables for AWS s3 bucket storage 47 | VARS+='$AWS_S3_BUCKET_NAME:AWS_S3_REPLICA_BUCKET_NAME' 48 | 49 | # Add Redis variables 50 | VARS+='$REDIS_HOST:$REDIS_PORT:$REDIS_DATABASE:$REDIS_PASSWORD:$NGINX_REDIS_CACHE_TTL_MAX:$NGINX_REDIS_CACHE_TTL_DEFAULT:$NGINX_REDIS_CACHE_PREFIX' 51 | 52 | render_env_tmpl "$VARS" /etc/nginx/cache/redis_backend.conf 53 | 54 | render_env_tmpl "$VARS" /etc/nginx/cache/srcache.conf 55 | 56 | ## 57 | # Render all user provided nginx templates 58 | ## 59 | VARS+='$BASIC_AUTH_USER:$BASIC_AUTH_PASSWORD_HASH' 60 | for conf_file in $(find $NGINX_INCLUDE_DIR -type f -name '*.tmpl'); do 61 | echo "[cont-init.d] Rendering env in $conf_file..." 
62 | 63 | # Add helper variables for easier scripting 64 | export __DIR__=$(dirname $conf_file) 65 | 66 | VARS_TMPL=$VARS':$__DIR__' 67 | render_env_tmpl "$VARS_TMPL" $conf_file 68 | done 69 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/etc/cont-init.d/01-create-web-user: -------------------------------------------------------------------------------- 1 | #!/usr/bin/with-contenv bash 2 | 3 | ## 4 | # If $WEB_USER user and web group already exists just skip the user creation 5 | ## 6 | if id -u $WEB_USER > /dev/null 2>&1 && getent group $WEB_GROUP > /dev/null 2>&1; then 7 | echo "[cont-init.d] user:$WEB_USER and group:$WEB_GROUP already exist, skipping..." 8 | exit 0 9 | fi 10 | 11 | ## 12 | # Create $WEB_USER user with $WEB_UID and web group with $WEB_GID 13 | ## 14 | 15 | # Set defaults if they are not set 16 | export WEB_USER=${WEB_USER-wordpress} 17 | export WEB_GROUP=${WEB_GROUP-web} 18 | export WEB_UID=${WEB_UID-1000} 19 | export WEB_GID=${WEB_GID-1000} 20 | 21 | echo "[cont-init.d] Creating $WEB_USER user with id: $WEB_UID and group web with id: $WEB_GID" 22 | 23 | # Create web group 24 | if [ -n "$WEB_GID" ]; then 25 | 26 | # Check if group with $WEB_GID already exists 27 | web_group=$(getent group $WEB_GID | cut -d':' -f1) 28 | 29 | if [ -n "$web_group" ]; then 30 | 31 | # Replace the existing group name to web 32 | # This is done so that in local development we can just lookup permissions from mounted folders 33 | # This UID/GID can be same as something already existing inside container 34 | # This way we can use same uid/gid in container and host machine 35 | echo "[cont-init.d] Replacing pre-existing group name $web_group -> $WEB_GROUP" 36 | sed -i "s|$web_group|$WEB_GROUP|g" /etc/group 37 | 38 | else 39 | # Create new group 40 | echo "$ groupadd -g $WEB_GID $WEB_GROUP" 41 | groupadd -g $WEB_GID $WEB_GROUP 42 | fi 43 | else 44 | echo "[cont-init.d] ERROR: Please set web user group id in WEB_GID" 
1>&2 45 | exit 2 46 | fi 47 | 48 | # Create $WEB_USER user 49 | if [ -n "$WEB_UID" ] && [ -n "$WEB_GID" ] ; then 50 | echo "$ useradd -u $WEB_UID -g $WEB_GROUP --home $PROJECT_ROOT $WEB_USER" 51 | useradd -u $WEB_UID -g $WEB_GROUP --home $PROJECT_ROOT $WEB_USER 52 | else 53 | echo "[cont-init.d] ERROR: Please set web user id in WEB_UID" 1>&2 54 | exit 2 55 | fi 56 | 57 | # Check that processes can write logs 58 | chown $WEB_USER:$WEB_GROUP /var/log 59 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/etc/cont-init.d/02-init-crond: -------------------------------------------------------------------------------- 1 | #!/usr/bin/with-contenv bash 2 | 3 | # Copy cronjob from project and run as nginx 4 | if [ -f $PROJECT_ROOT/tasks.cron ]; then 5 | 6 | # Setup all container env for cron 7 | printenv | grep -v ^_= | grep -v "no_proxy" >> /etc/environment 8 | 9 | # Use default redis for cronlock if cronlock variables are not set 10 | if [ -n "$REDIS_HOST" ] && [ -z "$CRONLOCK_HOST" ] ; then 11 | echo "CRONLOCK_HOST=$REDIS_HOST" >> /etc/environment 12 | fi 13 | if [ -n "$REDIS_PASSWORD" ] && [ -z "$CRONLOCK_AUTH" ] ; then 14 | echo "CRONLOCK_AUTH=$REDIS_PASSWORD" >> /etc/environment 15 | fi 16 | if [ -n "$REDIS_PORT" ] && [ -z "$CRONLOCK_PORT" ] ; then 17 | echo "CRONLOCK_PORT=$REDIS_PORT" >> /etc/environment 18 | fi 19 | 20 | # Copy cron template 21 | cp $PROJECT_ROOT/tasks.cron /var/spool/cron/crontabs/$WEB_USER 22 | chown $WEB_USER /var/spool/cron/crontabs/$WEB_USER 23 | chmod 0600 /var/spool/cron/crontabs/$WEB_USER 24 | else 25 | # No cronjobs found remove crond from s6 26 | if [ -f /etc/services.d/cron ]; then 27 | rm -r /etc/services.d/cron 28 | fi 29 | fi 30 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/etc/cont-init.d/02-init-directories-and-files: -------------------------------------------------------------------------------- 1 | 
#!/usr/bin/with-contenv bash 2 | 3 | # Create uploads directory if not exists 4 | mkdir -p $UPLOADS_ROOT 5 | chown $WEB_USER:$WEB_GROUP $UPLOADS_ROOT 6 | 7 | # Create dir for nginx tmp files 8 | mkdir -p /tmp/nginx/body 9 | chown -R $WEB_USER:$WEB_GROUP /tmp/nginx 10 | 11 | # Create log directories if they don't exist already 12 | mkdir -p /var/log/{nginx,php,mail} 13 | 14 | # Create error.log so that php-fpm can write to it 15 | touch /var/log/php/error.log 16 | 17 | # Chown all files to wordpress 18 | chown -R $WEB_USER:$WEB_GROUP /var/log/{nginx,php,mail} 19 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/etc/nginx/additional.types: -------------------------------------------------------------------------------- 1 | # If developers add .woff2 type font files we should provide good Content-Type headers 2 | types { 3 | # Add mime support for woff2 4 | # http://stackoverflow.com/questions/28235550/proper-mime-type-for-woff2-fonts 5 | font/woff2 woff2; 6 | } 7 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/etc/nginx/cache/helper_variables.conf: -------------------------------------------------------------------------------- 1 | ## 2 | # This file creates few helper variables 3 | # $prefer_language_slug - 2 first letters from accept-language header to determine the language redirects from cache 4 | ## 5 | 6 | ## 7 | # Parse first two letters from accept-language header to determine right cache key 8 | ## 9 | set_by_lua_block $prefer_language_slug { 10 | if ngx.var.http_accept_language then 11 | return string.lower( string.match( ngx.var.http_accept_language, '%w%w' ) ) 12 | else 13 | return 'en' 14 | end 15 | } 16 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/etc/nginx/cache/redis_backend.conf: -------------------------------------------------------------------------------- 1 | ## 2 | # Adds 
internal locations for storing and getting full page cache from redis 3 | ## 4 | 5 | srcache_default_expire '${NGINX_REDIS_CACHE_TTL_DEFAULT}'; 6 | srcache_max_expire '${NGINX_REDIS_CACHE_TTL_MAX}'; 7 | 8 | location /redis-fetch { 9 | internal; 10 | 11 | ## 12 | # In order to use password authentication we use custom redis module which adds $redis_auth: 13 | # - https://github.com/Yongke/ngx_http_redis-0.3.7 14 | ## 15 | 16 | # Read the configuration from system envs 17 | set $redis_auth '${REDIS_PASSWORD}'; 18 | set $redis_db ${REDIS_DATABASE}; 19 | 20 | set $redis_key $args; 21 | 22 | redis_pass ${REDIS_HOST}:${REDIS_PORT}; 23 | } 24 | 25 | location /redis-store { 26 | internal; 27 | 28 | set_unescape_uri $exptime $arg_exptime; 29 | set_unescape_uri $key $arg_key; 30 | 31 | # Fix caching problem for now 32 | # There's issue in github https://github.com/openresty/srcache-nginx-module/issues/61 33 | set_if_empty $srcache_expire '${NGINX_REDIS_CACHE_TTL_DEFAULT}'; 34 | 35 | # redis module pipelines these 3 commands into single request 36 | redis2_query auth '${REDIS_PASSWORD}'; 37 | redis2_query select ${REDIS_DATABASE}; 38 | 39 | # Set and expire with one command: http://redis.io/commands/setex 40 | redis2_query setex $key $srcache_expire $echo_request_body; 41 | 42 | # Pass the request to redis 43 | redis2_pass ${REDIS_HOST}:${REDIS_PORT}; 44 | 45 | } 46 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/etc/nginx/cache/skip_rules.conf: -------------------------------------------------------------------------------- 1 | ## 2 | # Add few rules which deny using cache 3 | ## 4 | 5 | # Don't skip cache by default 6 | set $skip_cache 0; 7 | 8 | # POST requests and urls with a query string should always go to PHP 9 | if ($request_method = POST) { 10 | set $skip_cache 1; 11 | } 12 | 13 | # If theres any args skip cache 14 | if ($query_string != "") { 15 | set $skip_cache 1; 16 | } 17 | 18 | # Don't use the cache for 
logged in users or recent commenters 19 | if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in|woocommerce_items_in_cart") { 20 | set $skip_cache 1; 21 | } 22 | 23 | # Don't cache responses from wp-admin, xmlrpc and wp-login.php 24 | if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php") { 25 | set $skip_cache 1; 26 | } 27 | 28 | # Skip fetch and skip if conditions are met 29 | srcache_fetch_skip $skip_cache; 30 | srcache_store_skip $skip_cache; 31 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/etc/nginx/cache/srcache.conf: -------------------------------------------------------------------------------- 1 | ## 2 | # Add few rules which deny using cache 3 | ## 4 | include cache/skip_rules.conf; 5 | include cache/helper_variables.conf; 6 | 7 | # Use redis caching for all pages 8 | # Allow different cache key from env 9 | # Use 'wp_' prefix so that cache can be flushed with: 10 | # $ wp cache flush 11 | set $cache_key "${NGINX_CACHE_KEY}"; 12 | set_escape_uri $escaped_cache_key $cache_key; 13 | 14 | srcache_response_cache_control on; 15 | 16 | srcache_fetch GET /redis-fetch $cache_key; 17 | srcache_store PUT /redis-store key=$escaped_cache_key; 18 | 19 | # Add header for easier cache debugging 20 | add_header X-Cache $srcache_fetch_status; 21 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/etc/nginx/env.conf: -------------------------------------------------------------------------------- 1 | # Set custom enviromental variables that we need with lua here 2 | # These are used to dynamically load 3 | env PORT; 4 | env WEB_ROOT; 5 | env NGINX_MAX_BODY_SIZE; 6 | env NGINX_TIMEOUT; 7 | 8 | # For nginx redis cache 9 | env REDIS_HOST; 10 | env REDIS_PORT; 11 | env REDIS_DATABASE; 12 | env REDIS_PASSWORD; 13 | -------------------------------------------------------------------------------- 
/debian-php7.0/rootfs/etc/nginx/error_pages.conf: -------------------------------------------------------------------------------- 1 | ## 2 | # Custom error pages 3 | ## 4 | 5 | ## 403 - Forbidden 6 | error_page 403 /403.html; 7 | location = /403.html { 8 | root /usr/share/nginx/html; 9 | internal; 10 | } 11 | 12 | ## 500 - Internal Server Error 13 | error_page 500 /500.html; 14 | location = /500.html { 15 | root /usr/share/nginx/html; 16 | internal; 17 | } 18 | 19 | ## 502 - Bad Gateway 20 | error_page 502 /502.html; 21 | location = /502.html { 22 | root /usr/share/nginx/html; 23 | internal; 24 | } 25 | 26 | ## 504 - Gateway Timeout 27 | error_page 504 /504.html; 28 | location = /504.html { 29 | root /usr/share/nginx/html; 30 | internal; 31 | } 32 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/etc/nginx/fastcgi_params: -------------------------------------------------------------------------------- 1 | # These are just basic things form request 2 | fastcgi_param QUERY_STRING $query_string; 3 | fastcgi_param REQUEST_METHOD $request_method; 4 | fastcgi_param CONTENT_TYPE $content_type; 5 | fastcgi_param CONTENT_LENGTH $content_length; 6 | 7 | fastcgi_param SCRIPT_NAME $fastcgi_script_name; 8 | fastcgi_param REQUEST_URI $request_uri; 9 | fastcgi_param DOCUMENT_URI $document_uri; 10 | fastcgi_param DOCUMENT_ROOT $document_root; 11 | fastcgi_param SERVER_PROTOCOL $server_protocol; 12 | 13 | fastcgi_param GATEWAY_INTERFACE CGI/1.1; 14 | fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; 15 | 16 | ## 17 | # Set these using the knowledge that we are behind proxy 18 | ## 19 | fastcgi_param REMOTE_ADDR $real_remote; 20 | fastcgi_param REMOTE_PORT $remote_port; 21 | fastcgi_param SERVER_ADDR $server_addr; 22 | fastcgi_param SERVER_PORT $real_port; 23 | fastcgi_param SERVER_NAME $real_host; 24 | fastcgi_param HTTPS $real_https; 25 | fastcgi_param REQUEST_SCHEME $real_scheme; 26 | fastcgi_param HTTP_HOST $real_host; 27 
| 28 | # PHP only, required if PHP was built with --enable-force-cgi-redirect 29 | fastcgi_param REDIRECT_STATUS 200; 30 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/etc/nginx/fastcgi_settings.conf: -------------------------------------------------------------------------------- 1 | # regex to split $uri to $fastcgi_script_name and $fastcgi_path 2 | fastcgi_split_path_info ^(.+\.php)(/.+)$; 3 | 4 | # Bypass the fact that try_files resets $fastcgi_path_info 5 | # see: http://trac.nginx.org/nginx/ticket/321 6 | set $path_info $fastcgi_path_info; 7 | fastcgi_param PATH_INFO $path_info; 8 | 9 | # Intercept errors from php-fpm 10 | # These can be: 11 | # - timeouts for long running requests 12 | # - requested php file might be missing or not existing in the first place 13 | fastcgi_intercept_errors on; 14 | 15 | fastcgi_index index.php; 16 | 17 | # Small optimisation on fastcgi buffer size 18 | # defaults are 8k; 19 | fastcgi_buffers 16 16k; 20 | fastcgi_buffer_size 16k; 21 | 22 | # Include basic fastcgi settings 23 | include fastcgi_params; 24 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/etc/nginx/gzip.conf: -------------------------------------------------------------------------------- 1 | # Compression 2 | 3 | # Enable Gzip compressed. 4 | gzip on; 5 | 6 | # Compression level (1-9). 7 | # 5 is a perfect compromise between size and cpu usage, offering about 8 | # 75% reduction for most ascii files (almost identical to level 9). 9 | gzip_comp_level 5; 10 | 11 | # Don't compress anything that's already small and unlikely to shrink much 12 | # if at all (the default is 20 bytes, which is bad as that usually leads to 13 | # larger files after gzipping). 14 | gzip_min_length 256; 15 | 16 | # Compress data even for clients that are connecting to us via proxies, 17 | # identified by the "Via" header (required for CloudFront). 
18 | gzip_proxied any; 19 | 20 | # Tell proxies to cache both the gzipped and regular version of a resource 21 | # whenever the client's Accept-Encoding capabilities header varies; 22 | # Avoids the issue where a non-gzip capable client (which is extremely rare 23 | # today) would display gibberish if their proxy gave them the gzipped version. 24 | gzip_vary on; 25 | 26 | # Compress all output labeled with one of the following MIME-types. 27 | gzip_types 28 | application/atom+xml 29 | application/javascript 30 | application/json 31 | application/ld+json 32 | application/manifest+json 33 | application/rss+xml 34 | application/vnd.geo+json 35 | application/vnd.ms-fontobject 36 | application/x-font-ttf 37 | application/x-web-app-manifest+json 38 | application/xhtml+xml 39 | application/xml 40 | font/opentype 41 | image/bmp 42 | image/svg+xml 43 | image/x-icon 44 | text/cache-manifest 45 | text/css 46 | text/plain 47 | text/vcard 48 | text/vnd.rim.location.xloc 49 | text/vtt 50 | text/x-component 51 | text/x-cross-domain-policy; 52 | # text/html is always compressed by HttpGzipModule 53 | 54 | # This should be turned on if you are going to have pre-compressed copies (.gz) of 55 | # static files available. If not it should be left off as it will cause extra I/O 56 | # for the check. It is best if you enable this in a location{} block for 57 | # a specific directory, or on an individual server{} level. 
58 | # gzip_static on; 59 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/etc/nginx/log_format.conf: -------------------------------------------------------------------------------- 1 | # Log cache status 2 | # Log real requester address 3 | log_format custom '[$time_local] $http_x_real_ip ' 4 | '"$request" $status $body_bytes_sent $request_time ' 5 | '"$http_referer" "$http_user_agent" $srcache_fetch_status'; 6 | 7 | ## 8 | # Legacy formats which might be in use somewhere 9 | ## 10 | # This log format makes it so we can see real requester's IP address \ 11 | # not just the reverse proxy server's IP address. Also note, that \ 12 | # "specialLog" can be replaced with any name you would like to \ 13 | # give to this log format. 14 | log_format specialLog '[$time_local] $http_x_real_ip ' 15 | '"$request" $status $body_bytes_sent $request_time ' 16 | '"$http_referer" "$http_user_agent"'; 17 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/etc/nginx/log_formats.conf: -------------------------------------------------------------------------------- 1 | # Log cache status 2 | # Log real requester address 3 | log_format custom '[$time_local] $http_x_forwarded_for ' 4 | '"$request" $status $body_bytes_sent $request_time ' 5 | '"$http_referer" "$http_user_agent" $srcache_fetch_status'; 6 | 7 | # A new log format for detecting bad bots. 8 | log_format blocked '[$time_local] Blocked request from $http_x_forwarded_for $request'; 9 | 10 | ## 11 | # Legacy formats which might be in use somewhere 12 | ## 13 | # This log format makes it so we can see real requester's IP address \ 14 | # not just the reverse proxy server's IP address. Also note, that \ 15 | # "specialLog" can be replaced with any name you would like to \ 16 | # give to this log format. 
17 | log_format specialLog '[$time_local] $http_x_forwarded_for ' 18 | '"$request" $status $body_bytes_sent $request_time ' 19 | '"$http_referer" "$http_user_agent"'; 20 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/etc/nginx/nginx.conf: -------------------------------------------------------------------------------- 1 | # Default user and group for the nginx@index 2 | user ${WEB_USER} ${WEB_GROUP}; 3 | 4 | # Default error log 5 | error_log ${NGINX_ERROR_LOG} ${NGINX_ERROR_LEVEL}; 6 | 7 | # Write process id here 8 | pid /var/run/nginx.pid; 9 | 10 | # How many worker threads to run; 11 | # "auto" sets it to the number of CPU cores available in the system, and 12 | # offers the best performance. Don't set it higher than the number of CPU 13 | # cores if changing this parameter. 14 | 15 | # The maximum number of connections for Nginx is calculated by: 16 | # max_clients = worker_processes * worker_connections 17 | worker_processes auto; 18 | 19 | # Maximum open file descriptors per process; 20 | # should be > worker_connections. 21 | worker_rlimit_nofile 8192; 22 | 23 | events { 24 | # When you need > 8000 * cpu_cores connections, you start optimizing your OS, 25 | # and this is probably the point at which you hire people who are smarter than 26 | # you, as this is *a lot* of requests. 27 | worker_connections 8000; 28 | } 29 | 30 | http { 31 | 32 | # Configure hashmaps so that environment does not change defaults 33 | map_hash_max_size 262144; 34 | map_hash_bucket_size 262144; 35 | server_names_hash_bucket_size 64; 36 | 37 | # Hide nginx version information. 38 | server_tokens off; 39 | 40 | # Remove Server header entirely 41 | more_clear_headers Server; 42 | 43 | # How long to allow each connection to stay idle; longer values are better 44 | # for each individual client, particularly for SSL, but means that worker 45 | # connections are tied up longer. 
(Default: 65) 46 | keepalive_timeout 20; 47 | 48 | # Speed up file transfers by using sendfile() to copy directly 49 | # between descriptors rather than using read()/write(). 50 | sendfile on; 51 | 52 | # Tell Nginx not to send out partial frames; this increases throughput 53 | # since TCP frames are filled up before being sent out. (adds TCP_CORK) 54 | tcp_nopush on; 55 | 56 | # Gzip all the assets 57 | include gzip.conf; 58 | 59 | # Add default pagespeed settings 60 | include pagespeed/settings.conf; 61 | 62 | # Add all default mime types and additional ones 63 | include additional.types; 64 | include mime.types; 65 | 66 | default_type application/octet-stream; 67 | 68 | client_body_temp_path /tmp/nginx/body 1 2; 69 | fastcgi_temp_path /tmp/nginx/fastcgi_temp 1 2; 70 | 71 | # Include custom log formats 72 | include log_formats.conf; 73 | 74 | # Allow bigger default file uploads 75 | client_max_body_size ${NGINX_MAX_BODY_SIZE}; 76 | 77 | # Allow bigger body buffer size in memory 78 | client_body_buffer_size ${NGINX_BODY_BUFFER_SIZE}; 79 | 80 | # Include custom nginx http additions from project 81 | include ${NGINX_INCLUDE_DIR}/http/*.conf; 82 | include ${NGINX_INCLUDE_DIR}/environments/${WP_ENV}/http/*.conf; 83 | 84 | # load upstreams from one file which can be overwritten depending on situation 85 | include upstreams.conf; 86 | 87 | # Add few headers which make XSS harder 88 | include security_headers.conf; 89 | 90 | # If ${PORT} != 80 means that we are behind reverse proxy as well 91 | # This directive helps that we don't redirect clients into mysite.com:8080/resource type urls 92 | port_in_redirect off; 93 | 94 | # Use theme assets straight from corresponding files for pagespeed 95 | pagespeed ProcessScriptVariables on; 96 | pagespeed LoadFromFile "$scheme://$host/app/themes/" "${WEB_ROOT}/app/themes/"; 97 | pagespeed LoadFromFile "$scheme://$host/wp-content/themes/" "${WEB_ROOT}/wp/wp-content/themes/"; 98 | 99 | server { 100 | # This is the default server for 
this container 101 | listen ${PORT} default_server; 102 | server_name _; 103 | 104 | root ${WEB_ROOT}; 105 | 106 | # Use index.php if it exists but also allow static websites in subfolders 107 | index index.php index.html; 108 | 109 | access_log ${NGINX_ACCESS_LOG} custom; 110 | 111 | # Blocked log file 112 | set $blocked_log /dev/stdout; 113 | 114 | disable_symlinks off; 115 | 116 | # Include custom nginx server additions from project 117 | include ${NGINX_INCLUDE_DIR}/server/*.conf; 118 | include ${NGINX_INCLUDE_DIR}/environments/${WP_ENV}/server/*.conf; 119 | 120 | # These variables are proxy conscious, so that they work even though we are behind reverse proxy 121 | include proxy_real_variables.conf; 122 | 123 | # Include custom error pages 124 | include error_pages.conf; 125 | 126 | location = /robots.txt { 127 | allow all; 128 | log_not_found off; 129 | access_log off; 130 | try_files $uri @index; 131 | } 132 | 133 | location = /favicon.ico { 134 | allow all; 135 | log_not_found off; 136 | access_log off; 137 | try_files $uri @index; 138 | } 139 | 140 | # deny all dot-files including git 141 | location ~ /\. 
{ 142 | deny all; 143 | log_not_found off; 144 | access_log off; 145 | } 146 | 147 | location / { 148 | try_files $uri $uri/ /wp/$uri /wp/$uri/ @index; 149 | } 150 | 151 | # Static files 152 | location ~* \.(css|js|jpe?g|gif|ico|png|otf|ttf|eot|woff?2|svg|webp)$ { 153 | 154 | ## Deny overriding Pagespeed 155 | if ($arg_pagespeed != '') { access_log $blocked_log blocked; return 403; } 156 | if ($arg_pagespeedspeedfilters != '') { access_log $blocked_log blocked; return 403; } 157 | 158 | include static_files.conf; 159 | 160 | # These files are probably exactly like $uri says but also try from /wp/ 161 | try_files $uri /wp/$uri @index; 162 | 163 | # Deny requesting plain style.css from theme root directory 164 | location ~ ^.*/themes/[^/]+/style\.css { 165 | 166 | # Preserve this url 167 | pagespeed CssPreserveUrls true; 168 | 169 | # Minify and remove comments from css 170 | pagespeed EnableFilters rewrite_css; 171 | 172 | # Wait that nginx has prepared the file 173 | pagespeed InPlaceWaitForOptimized on; 174 | 175 | # Don't ever try to load non modified style.css 176 | pagespeed InPlaceRewriteDeadlineMs 100000000; 177 | 178 | # Don't allow overriding pagespeed with pagespeed fixed urls 179 | # Source: https://github.com/pagespeed/ngx_pagespeed/issues/1306 180 | location ~ ^(.*)/themes/([^/]+)/style.*pagespeed.* { 181 | return 301 $1/themes/$2/style.css; 182 | } 183 | } 184 | 185 | ## 186 | # Static WordPress files ~ wp-* 187 | # These files are probably in /wp/ subfolder but also try from $uri 188 | ## 189 | location ~ ^wp- { 190 | try_files /wp/$uri $uri @index; 191 | } 192 | } 193 | 194 | # App folder contains our plugins and themes 195 | # We want to server assets from here but deny all php execution 196 | location /app/ { 197 | try_files $uri @index; 198 | 199 | ## 200 | # Deny access into php files under /app/ 201 | ## 202 | location ~ \.php$ { 203 | access_log $blocked_log blocked; 204 | deny all; 205 | } 206 | } 207 | 208 | ## 209 | # Run all php files from 
wp subfolder 210 | # This is how wordpress is supposed to be run 211 | # It also prevents direct access to possibly insecure code inside our plugins 212 | ## 213 | location ~ \.php$ { 214 | try_files /wp/$uri @index; 215 | 216 | include fastcgi_settings.conf; 217 | 218 | # Append subfolder automatically 219 | fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; 220 | 221 | # Handover 404 errors from php-fpm to WordPress 222 | error_page 404 = @index; 223 | 224 | # Give sane max execution time to frontend 225 | fastcgi_read_timeout ${NGINX_FASTCGI_TIMEOUT}; 226 | fastcgi_pass php-fpm; 227 | 228 | ## Deny access to all php files in uploads folders 229 | location ~* ^/uploads { access_log $blocked_log blocked; deny all; } 230 | location ~* ^/content/uploads { access_log $blocked_log blocked; deny all; } 231 | location ~* ^/wp-content/uploads { access_log $blocked_log blocked; deny all; } 232 | 233 | ## Fix Full Path Disclosures if display_errors is on 234 | ## Don't allow straight access into core wp-includes 235 | location ~* ^/wp-includes { access_log $blocked_log blocked; deny all; } 236 | } 237 | 238 | # Include redis interfaces /redis-fetch & /redis-store 239 | include cache/redis_backend.conf; 240 | 241 | location @index { 242 | 243 | ## Deny overriding Pagespeed 244 | if ($arg_pagespeed != '') { access_log $blocked_log blocked; return 403; } 245 | if ($arg_pagespeedspeedfilters != '') { access_log $blocked_log blocked; return 403; } 246 | 247 | # Use redis as proxy cache 248 | include cache/srcache.conf; 249 | 250 | # Fallback into php 251 | include fastcgi_settings.conf; 252 | fastcgi_param SCRIPT_FILENAME $document_root/index.php; 253 | 254 | # Give sane max execution time to frontend 255 | fastcgi_read_timeout ${NGINX_FASTCGI_TIMEOUT}; 256 | fastcgi_pass php-fpm; 257 | } 258 | 259 | # WordPress is stupid 260 | location = /wp-admin { rewrite ^ /wp-admin/ permanent; } 261 | 262 | location = / { 263 | 264 | ## Block hackers from enumerating users 
265 | if ( $arg_author ~ [0-9]+ ) { access_log $blocked_log blocked; return 403; } 266 | 267 | ## Deny overriding Pagespeed 268 | if ($arg_pagespeed != '') { access_log $blocked_log blocked; return 403; } 269 | if ($arg_pagespeedspeedfilters != '') { access_log $blocked_log blocked; return 403; } 270 | 271 | # Use redis as proxy cache 272 | include cache/srcache.conf; 273 | 274 | # Fallback into php 275 | include fastcgi_settings.conf; 276 | fastcgi_param SCRIPT_FILENAME $document_root/index.php; 277 | 278 | # Give sane max execution time to frontend 279 | fastcgi_read_timeout ${NGINX_FASTCGI_TIMEOUT}; 280 | fastcgi_pass php-fpm; 281 | } 282 | 283 | # Prevent /wp/wp/wp/... rewrite loops 284 | location ^~ /wp/ { 285 | rewrite ^/wp/(.*)$ $1$is_args$args last; 286 | } 287 | 288 | # Block some vulnerabilities always 289 | include security.conf; 290 | 291 | # Include basic pagespeed locations like beacons 292 | include pagespeed/locations.conf; 293 | } 294 | 295 | } 296 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/etc/nginx/pagespeed/locations.conf: -------------------------------------------------------------------------------- 1 | # Ensure requests for pagespeed optimized resources go to the pagespeed handler 2 | # and no extraneous headers get set. 
3 | location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" { 4 | add_header "" ""; 5 | } 6 | location ~ "^/pagespeed_static/" { } 7 | location ~ "^/ngx_pagespeed_beacon$" { } 8 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/etc/nginx/pagespeed/settings.conf: -------------------------------------------------------------------------------- 1 | # Hide pagespeed version and provide this header instaed 2 | pagespeed XHeaderValue "Enabled"; 3 | 4 | # Don't alter Cache-Control headers 5 | pagespeed ModifyCachingHeaders off; 6 | 7 | # This is for pagespeed temporary files 8 | # Needs to exist and be writable by nginx. Use tmpfs for best performance. 9 | pagespeed FileCachePath /tmp/nginx/pagespeed; 10 | 11 | # Pagespeed sets default TTL from file to 300s, which is bad 12 | # This sets the time to be 1 year 13 | pagespeed LoadFromFileCacheTtlMs 2592000000; 14 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/etc/nginx/proxy_real_variables.conf: -------------------------------------------------------------------------------- 1 | ## 2 | # Set few variables since we use jwilder/nginx-proxy in dev and proxy in production 3 | # So the fastcgi params need to be the original ones or you 4 | # will have redirect loops ('canonical_redirect' mostly) 5 | ## 6 | 7 | # Set $host first from proxy (if possible) 8 | set $real_host $http_x_forwarded_host; 9 | if ($real_host = '') { 10 | set $real_host $http_host; 11 | } 12 | 13 | # Set server port according to forwarded proto 14 | set $real_port 80; 15 | if ($http_x_forwarded_proto = 'https') { 16 | set $real_port 443; 17 | } 18 | 19 | # Set https according to used proto 20 | set $real_https off; 21 | if ($http_x_forwarded_proto = 'https') { 22 | set $real_https on; 23 | } 24 | 25 | # Set scheme according to used proto 26 | set $real_scheme 'http'; 27 | if ($http_x_forwarded_proto = 'https') { 28 | set $real_scheme 
'https'; 29 | } 30 | 31 | # Set original remote from X-Forwarded-For. The header value is used verbatim (it may be a comma-separated proxy chain) and is only trustworthy when a proxy in front of this container sets or overwrites it; a directly reachable container would let the client choose its own REMOTE_ADDR. 32 | set $real_remote $http_x_forwarded_for; 33 | if ($real_remote = '') { 34 | set $real_remote $remote_addr; 35 | } 36 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/etc/nginx/security.conf: -------------------------------------------------------------------------------- 1 | ## Block SQL injections (NOTE: location regexes are matched against the percent-decoded URI path only; the query string is not inspected here) 2 | location ~* union.*select.*\( { access_log $blocked_log blocked; return 403; } 3 | location ~* union.*all.*select.* { access_log $blocked_log blocked; return 403; } 4 | location ~* concat.*\( { access_log $blocked_log blocked; return 403; } 5 | 6 | ## Block common exploits (nginx percent-decodes the request URI before matching locations, so the literal %XX patterns below in practice only see double-encoded input) 7 | location ~* (<|%3C).*script.*(>|%3E) { access_log $blocked_log blocked; return 403; } 8 | location ~* base64_(en|de)code\(.*\) { access_log $blocked_log blocked; return 403; } 9 | location ~* (%24&x) { access_log $blocked_log blocked; return 403; } 10 | location ~* (%0|%A|%B|%C|%D|%E|%F|127\.0) { access_log $blocked_log blocked; return 403; } 11 | location ~* \.\.\/ { access_log $blocked_log blocked; return 403; } 12 | location ~* ~$ { access_log $blocked_log blocked; return 403; } 13 | location ~* proc/self/environ { access_log $blocked_log blocked; return 403; } 14 | location ~* /\.(htaccess|htpasswd|svn|git) { access_log $blocked_log blocked; return 403; } 15 | 16 | ## Block file injections 17 | location ~* [a-zA-Z0-9_]=(\.\.//?)+ { access_log $blocked_log blocked; return 403; } 18 | location ~* [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ { access_log $blocked_log blocked; return 403; } 19 | 20 | ## wordpress security (NOTE(review): regex locations are tried in order of appearance and nginx.conf declares `location ~ \.php$` before including this file, so the rules below for paths ending in .php are never reached; those requests are handled by that earlier block instead) 21 | location ~* wp-config.php { access_log $blocked_log blocked; return 403; } 22 | location ~* wp-load.php { access_log $blocked_log blocked; return 403; } 23 | location ~* wp-admin/includes { access_log $blocked_log blocked; return 403; } 24 | location ~* wp-app\.log { access_log $blocked_log blocked; return 403; } 25 | location ~* (licence|readme|license)\.(md|html|txt) { 
access_log $blocked_log blocked; return 403; } 26 | location ~* composer.json { access_log $blocked_log blocked; return 403; } 27 | 28 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/etc/nginx/security_headers.conf: -------------------------------------------------------------------------------- 1 | ## 2 | # Security headers, source: https://gist.github.com/plentz/6737338 3 | # NOTE: add_header is inherited only into locations that declare no add_header of their own; pagespeed/locations.conf declares one (`add_header "" "";`), so responses from that location carry none of these headers. 4 | ## 5 | # config that does not allow the browser to render the page inside a frame or iframe 6 | # and avoids clickjacking http://en.wikipedia.org/wiki/Clickjacking 7 | # if you need to allow [i]frames, you can use SAMEORIGIN or even set a URI with ALLOW-FROM uri 8 | # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options (no `always` here, so unlike the nosniff header below it is omitted from error responses such as the 403 pages) 9 | add_header X-Frame-Options SAMEORIGIN; 10 | 11 | # when serving user-supplied content, include an X-Content-Type-Options: nosniff header along with the Content-Type: header, 12 | # to disable content-type sniffing on some browsers. 13 | # https://www.owasp.org/index.php/List_of_useful_HTTP_headers 14 | # currently supported in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx 15 | # http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx 16 | # 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020 17 | add_header X-Content-Type-Options nosniff always; 18 | 19 | # This header enables the Cross-site scripting (XSS) filter built into most recent web browsers. 20 | # It's usually enabled by default anyway, so the role of this header is to re-enable the filter for 21 | # this particular website if it was disabled by the user. 
22 | # https://www.owasp.org/index.php/List_of_useful_HTTP_headers 23 | add_header X-XSS-Protection "1; mode=block"; 24 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/etc/nginx/static_files.conf: -------------------------------------------------------------------------------- 1 | # Use version numbers to bypass cache 2 | # Try to cache as long as we can 3 | expires max; 4 | 5 | ## No need to bleed constant updates. Send the all shebang in one 6 | ## fell swoop. 7 | tcp_nodelay off; 8 | 9 | ## Set the OS file cache. 10 | open_file_cache max=3000 inactive=120s; 11 | open_file_cache_valid 45s; 12 | open_file_cache_min_uses 2; 13 | open_file_cache_errors off; 14 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/etc/nginx/upstreams.conf: -------------------------------------------------------------------------------- 1 | # Default php handler 2 | upstream php-fpm { 3 | server unix:/var/run/php-fpm.sock; 4 | } 5 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/etc/php/7.0/cli/php.ini: -------------------------------------------------------------------------------- 1 | [PHP] 2 | ; This directive determines whether or not PHP will recognize code between 3 | ; tags as PHP source which should be processed as such. 4 | short_open_tag = Off 5 | 6 | ; Implicit flush tells PHP to tell the output layer to flush itself 7 | ; automatically after every output block. 8 | implicit_flush = Off 9 | 10 | ; This directive allows you to disable certain functions for security reasons. 11 | ; It receives a comma-delimited list of function names. 12 | ; http://php.net/disable-functions 13 | disable_functions = 14 | 15 | ; Enables or disables the circular reference collector. 
16 | ; http://php.net/zend.enable-gc 17 | zend.enable_gc = On 18 | 19 | ;;;;;;;;;;;;;;;;; 20 | ; Miscellaneous ; 21 | ;;;;;;;;;;;;;;;;; 22 | 23 | 24 | ; Deny executing anything else than the exact path passed from fastcgi 25 | ; This causes the PHP interpreter to only try the literal path given and to stop processing if the file is not found. 26 | ; This is for security. 27 | ; https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#passing-uncontrolled-requests-to-php 28 | cgi.fix_pathinfo = 0 29 | 30 | expose_php = Off 31 | 32 | ;;;;;;;;;;;;;;;;;;; 33 | ; Resource Limits ; 34 | ;;;;;;;;;;;;;;;;;;; 35 | 36 | ; Maximum execution time of each script, in seconds 37 | max_execution_time = 600 38 | 39 | ; Maximum amount of time each script may spend parsing request data. 40 | max_input_time = 60 41 | 42 | ; How many GET/POST/COOKIE input variables may be accepted 43 | ; max_input_vars = 1000 44 | 45 | ; Maximum amount of memory a script may consume (taken from the PHP_MEMORY_LIMIT environment variable) 46 | memory_limit = ${PHP_MEMORY_LIMIT} 47 | 48 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; 49 | ; Error handling and logging ; 50 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; 51 | 52 | error_reporting = E_ALL 53 | 54 | display_errors = On 55 | 56 | display_startup_errors = On 57 | 58 | log_errors = On 59 | 60 | log_errors_max_len = 2048 61 | 62 | ignore_repeated_errors = Off 63 | 64 | ignore_repeated_source = Off 65 | 66 | report_memleaks = On 67 | 68 | track_errors = On 69 | 70 | html_errors = Off 71 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/etc/php/7.0/fpm/conf.d/blocked.ini: -------------------------------------------------------------------------------- 1 | ; Disable some functions because they allow bad/vulnerable patterns 2 | ; We want to advocate good coding practices and these functions make it difficult 3 | ; You can use these with php cli but not with php-fpm 4 | ; NOTE(review): show_source is an alias of highlight_file, which is not in this list, and posix_setuid is listed twice 5 | disable_functions = 
exec,passthru,shell_exec,show_source,system,pcntl_exec,popen,posix_getpwuid,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,posix_setuid,posix_uname,proc_nice,proc_open,proc_close,proc_get_status 5 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/etc/php/7.0/fpm/conf.d/common.ini: -------------------------------------------------------------------------------- 1 | [PHP] 2 | 3 | ; Don't brag that we have php 7.0 4 | expose_php = Off 5 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/etc/php/7.0/fpm/conf.d/limits.ini: -------------------------------------------------------------------------------- 1 | ; filesize, time and input limits 2 | max_execution_time = ${NGINX_FASTCGI_TIMEOUT} 3 | max_input_time = -1 4 | max_input_vars = ${PHP_MAX_INPUT_VARS} 5 | memory_limit = ${PHP_MEMORY_LIMIT} 6 | post_max_size = ${NGINX_MAX_BODY_SIZE} 7 | upload_max_filesize = ${NGINX_MAX_BODY_SIZE} 8 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/etc/php/7.0/fpm/conf.d/logging.ini: -------------------------------------------------------------------------------- 1 | ; Log all warnings and errors 2 | error_log = ${PHP_ERROR_LOG} 3 | log_level = ${PHP_ERROR_LOG_LEVEL} 4 | log_errors_max_len = ${PHP_ERROR_MAX_LEN} 5 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/etc/php/7.0/fpm/conf.d/mail.ini: -------------------------------------------------------------------------------- 1 | [PHP] 2 | ; Use msmtp to send mail instead of sendmail 3 | sendmail_path = "/usr/sbin/sendmail" 4 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/etc/php/7.0/fpm/conf.d/opcache.ini: -------------------------------------------------------------------------------- 1 | ; Enable php opcache to make site faster 2 | ; These are 
taken from: https://www.scalingphpbook.com/blog/2014/02/14/best-zend-opcache-settings.html 3 | [opcache] 4 | opcache.enable = 1 5 | opcache.enable_cli = 1 6 | 7 | ; Provides a faster mechanism for calling the deconstructors in your code at the end of a single request to speed up the response and recycle php workers so they're ready for the next incoming request faster. 8 | opcache.fast_shutdown = 1 9 | 10 | ; Give plenty of memory for php process for caching the code 11 | opcache.memory_consumption = ${PHP_OPCACHE_MAX_MEMORY} 12 | 13 | ; Log into container output 14 | opcache.error_log = /dev/stderr 15 | 16 | ; Log opcache warnings 17 | opcache.log_verbosity_level = 2 18 | 19 | ; PHP uses a technique called string interning to improve performance— so, for example, if you have the string "foobar" 1000 times in your code, internally PHP will store 1 immutable variable for this string and just use a pointer to it for the other 999 times you use it. 20 | ; This reserves 16MB to storing the most used strings 21 | opcache.interned_strings_buffer = 16 22 | opcache.max_accelerated_files = ${PHP_OPCACHE_MAX_FILES} 23 | 24 | 25 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/etc/php/7.0/fpm/conf.d/opcache_invalidate.conf: -------------------------------------------------------------------------------- 1 | ; Don't revalidate php files in this container 2 | opcache.validate_timestamps = 0 3 | 4 | ; We don't need to cache php comments into opcache 5 | opcache.save_comments = 0 6 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/etc/php/7.0/fpm/conf.d/sessions.ini: -------------------------------------------------------------------------------- 1 | ;;;;;;;;;;;;;;;;;;;;;;;;;; 2 | ; Define Session backend ; 3 | ;;;;;;;;;;;;;;;;;;;;;;;;;; 4 | ; These env can also contain redis as backend 5 | session.save_handler = ${PHP_SESSION_HANDLER} 6 | session.save_path = 
${PHP_SESSION_SAVE_PATH} 7 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/etc/php/7.0/fpm/conf.d/timezone.ini: -------------------------------------------------------------------------------- 1 | ; Timezone from env formatted like 'Europe/Helsinki' 2 | date.timezone = ${TZ} 3 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/etc/php/7.0/fpm/php-fpm.conf: -------------------------------------------------------------------------------- 1 | ; Run this in foregroud so s6 can control it 2 | daemonize = no 3 | 4 | ; Log all warnings and errors 5 | error_log = ${PHP_ERROR_LOG} 6 | log_level = ${PHP_ERROR_LOG_LEVEL} 7 | 8 | [www] 9 | user = ${WEB_USER} 10 | group = ${WEB_GROUP} 11 | listen = /var/run/php-fpm.sock 12 | listen.owner = ${WEB_USER} 13 | listen.group = ${WEB_GROUP} 14 | pm = dynamic 15 | 16 | ; Total RAM dedicated to the web server / Max child process size 17 | pm.max_children = 30 18 | 19 | pm.start_servers = 1 20 | pm.min_spare_servers = 1 21 | pm.max_spare_servers = 3 22 | 23 | ; Redirect worker stdout and stderr into main error log. If not set, stdout and 24 | ; stderr will be redirected to /dev/null according to FastCGI specs. 
25 | ; Default Value: no 26 | catch_workers_output = yes 27 | 28 | ; Project web root 29 | chdir = ${WEB_ROOT} 30 | 31 | pm.process_idle_timeout = 10s 32 | pm.max_requests = 500 33 | 34 | ; Include extra configs 35 | include=/etc/php/7.0/fpm/php-fpm.d/*.conf 36 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/etc/php/7.0/fpm/php-fpm.d/preserve-env.conf: -------------------------------------------------------------------------------- 1 | ; Pass the whole container environment through to php-fpm workers when php-fpm starts 2 | ; By default php-fpm clears the environment and variables need to be whitelisted one by one 3 | ; NOTE: with clear_env = no every variable, including secrets such as database or SMTP credentials, is readable by any PHP code via getenv()/$_ENV, so keep values the application should not see out of the container environment 4 | clear_env = no 5 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/etc/php/7.0/fpm/php.ini: -------------------------------------------------------------------------------- 1 | ;;; 2 | ; Production settings for php and php-fpm 3 | ;;; 4 | ; All directives from /etc/php/7.0/fpm/conf.d are also included 5 | ;;; 6 | 7 | [PHP] 8 | 9 | ; Don't display errors into frontend 10 | display_errors = stderr 11 | 12 | ; disable ignoring of repeat errors 13 | ignore_repeated_errors = false 14 | 15 | ; disable ignoring of unique source errors 16 | ignore_repeated_source = false 17 | 18 | ; enable logging of php memory leaks 19 | report_memleaks = true 20 | 21 | ; Deny executing anything else than the exact path passed from fastcgi 22 | ; This causes the PHP interpreter to only try the literal path given and to stop processing if the file is not found. 23 | ; This is for security. 
Source: https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#passing-uncontrolled-requests-to-php 24 | cgi.fix_pathinfo = 0 25 | 26 | ; disable html markup of errors 27 | html_errors = false 28 | 29 | ; disable formatting of error reference links 30 | docref_root = 0 31 | 32 | ; disable formatting of error reference links 33 | docref_ext = 0 34 | 35 | ; disable max error string length ( by using so big number that bigger messages don't matter ) 36 | log_errors_max_len = 10000 37 | 38 | ; Don't show startup errors 39 | display_startup_errors = Off 40 | track_errors = Off 41 | 42 | ; Redirect worker stdout and stderr into main error log. If not set, stdout and 43 | ; stderr will be redirected to /dev/null according to FastCGI specs. 44 | ; Default Value: no 45 | catch_workers_output = yes 46 | 47 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/etc/services.d/cron/run: -------------------------------------------------------------------------------- 1 | #!/usr/bin/with-contenv sh 2 | echo "[services.d] started cron daemon" 3 | # Runs cron daemon in foreground 4 | cron -l 2 -f 5 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/etc/services.d/nginx/run: -------------------------------------------------------------------------------- 1 | #!/usr/bin/with-contenv sh 2 | 3 | # Run nginx always in foreground 4 | exec nginx -g "daemon off;" 5 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/etc/services.d/php-fpm/run: -------------------------------------------------------------------------------- 1 | #!/usr/bin/with-contenv bash 2 | 3 | ## 4 | # Check which kind of session backend we should be using 5 | ## 6 | if [ -z "$PHP_SESSION_SAVE_PATH" ]; then 7 | echo "[php-fpm] configuring php-fpm session backend..." 
8 | 9 | # Use 'files' as default session handler 10 | export PHP_SESSION_HANDLER=${PHP_SESSION_HANDLER-files} 11 | 12 | case "$PHP_SESSION_HANDLER" in 13 | 14 | files) 15 | mkdir -p /tmp/php 16 | chown $WEB_USER:$WEB_GROUP /tmp/php 17 | 18 | # export new env for php-fpm 19 | export PHP_SESSION_SAVE_PATH='/tmp/php' 20 | ;; 21 | redis) 22 | # Set defaults 23 | REDIS_HOST=${REDIS_HOST-$REDIS_1_PORT_6379_TCP_ADDR} 24 | REDIS_PORT=${REDIS_PORT-6379} 25 | REDIS_SCHEME=${REDIS_SCHEME-tcp} 26 | 27 | # After this time php-fpm will timeout from requesting session data 28 | PHP_SESSION_REDIS_TIMEOUT=${PHP_SESSION_REDIS_TIMEOUT-5} 29 | 30 | PHP_SESSION_REDIS_PARAMS="timeout=$PHP_SESSION_REDIS_TIMEOUT" 31 | 32 | # Set these only if they are not 0 and '' because they add complexity for the query 33 | if [ "$PHP_SESSION_REDIS_DB" != "" ]; then 34 | PHP_SESSION_REDIS_PARAMS+="&database=$PHP_SESSION_REDIS_DB" 35 | fi 36 | if [ "$REDIS_PASSWORD" != "" ]; then 37 | PHP_SESSION_REDIS_PARAMS+="&auth=$REDIS_PASSWORD" 38 | fi 39 | if [ "$PHP_SESSION_REDIS_PREFIX" != "" ]; then 40 | PHP_SESSION_REDIS_PARAMS+="&prefix=$PHP_SESSION_REDIS_PREFIX" 41 | fi 42 | 43 | # export new env for php-fpm 44 | export PHP_SESSION_SAVE_PATH="$REDIS_SCHEME://$REDIS_HOST:$REDIS_PORT?$PHP_SESSION_REDIS_PARAMS" 45 | ;; 46 | esac 47 | fi 48 | echo "[php-fpm] using $PHP_SESSION_SAVE_PATH for php sessions..." 
49 | 50 | echo "[php-fpm] started php-fpm" 51 | exec php-fpm -c /etc/php/7.0/fpm/php.ini --fpm-config /etc/php/7.0/fpm/php-fpm.conf --pid /var/run/php-fpm.pid 52 | 53 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/usr/bin/wp: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | ## 3 | # WP-cli wrapper: Append path automatically so that user doesn't have to 4 | ## 5 | if [ "$(whoami)" = "root" ]; then 6 | # Run as wordpress user instead 7 | # This helps that we don't install things as root 8 | # Or run 3rd party code as root 9 | gosu $WEB_USER /usr/local/bin/wp-cli "$@" --path=$WP_CORE 10 | else 11 | /usr/local/bin/wp-cli "$@" --path=$WP_CORE 12 | fi 13 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/usr/local/bin/phinx: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | ## 3 | # Phinx wrapper 4 | # You need to install phinx through composer first 5 | ## 6 | 7 | # Export database host in prod and dev 8 | if [ ! -z "$MYSQL_HOST" ]; then 9 | export PHINX_DBHOST=$MYSQL_HOST 10 | elif [ ! -z "$DB_HOST" ]; then 11 | export PHINX_DBHOST=$DB_HOST 12 | elif [ ! -z "$DB_PORT_3306_TCP_ADDR" ]; then 13 | export PHINX_DBHOST=$DB_PORT_3306_TCP_ADDR 14 | else 15 | echo "ERROR: You need to set DB_HOST!" 
16 | fi 17 | 18 | # Export phinx envs 19 | # Default to MYSQL_ envs but fallback to DB_ 20 | export PHINX_DBPORT=${MYSQL_PORT-$DB_PORT} 21 | export PHINX_DBNAME=${MYSQL_DATABASE-$DB_NAME} 22 | export PHINX_DBUSER=${MYSQL_USER-$DB_USER} 23 | export PHINX_DBPASSWORD=${MYSQL_PWD-$DB_PASSWORD} 24 | export PHINX_ENVIRONMENT=$WP_ENV 25 | 26 | # Run phinx 27 | php $PROJECT_ROOT/vendor/bin/phinx $@ 28 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/usr/local/bin/print-smtp-password: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # This is so that we can use msmtp without /etc/msmtprc config file 3 | # msmtp doesn't have --password option and it only has --passwordeval option 4 | # We use this script so that we can use it in passwordeval 5 | echo $SMTP_PASSWORD 6 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/usr/local/bin/wp-run-cron: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright © 2015 Bjørn Johansen 3 | # This work is free. You can redistribute it and/or modify it under the 4 | # terms of the Do What The Fuck You Want To Public License, Version 2, 5 | # as published by Sam Hocevar. See http://www.wtfpl.net/ for more details. 6 | # Source: https://bjornjohansen.no/wordpress-cron-wp-cli 7 | # Github: https://gist.github.com/bjornjohansen/a00a9fee5475c4dadb56#file-run-wp-cron-sh 8 | 9 | # This is modified for our container. In this container you don't need to use --path 10 | # because it's automatically included 11 | 12 | # Check if WP-CLI is available 13 | if ! hash wp 2>/dev/null; then 14 | echo "[wp-cron] ERROR: WP-CLI is not available" 15 | exit 16 | fi 17 | 18 | # If WordPress isn’t installed here, we bail 19 | if ! 
wp core is-installed --quiet >> /dev/null; then 20 | echo "[wp-cron] ERROR: WordPress is not installed here: ${WP_CORE}" 21 | exit 22 | fi 23 | 24 | # Get a list of site URLs 25 | if wp core is-installed --quiet --network >> /dev/null; 26 | then 27 | SITE_URLS=`wp site list --fields=url --archived=0 --deleted=0 --format=csv | sed 1d` 28 | else 29 | SITE_URLS=(`wp option get siteurl`) 30 | fi 31 | 32 | # Loop through all the sites 33 | for SITE_URL in $SITE_URLS 34 | do 35 | # Run all event hooks that are due 36 | for EVENT_HOOK in $(wp cron event list --format=csv --fields=hook,next_run_relative --url="$SITE_URL" | grep now$ | awk -F ',' '{print $1}') 37 | do 38 | wp cron event run "$EVENT_HOOK" --url="$SITE_URL" --quiet 39 | done 40 | done 41 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/usr/sbin/sendmail: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | ## 3 | # This is custom wrapper for msmtp which acts like good old sendmail 4 | # - It is used for php and cron 5 | # - This is easier to configure for external mail server than sendmail 6 | # - sendmail is just the default binary which other services will use 7 | # - It needs following env: SMTP_HOST, SMTP_PASSWORD, SMTP_PORT, SMTP_AUTH, SMTP_USER 8 | ## 9 | 10 | # Deduce all used msmtp options from system ENVs 11 | declare -a options 12 | 13 | # Act like sendmail 14 | options+=("-t") 15 | 16 | # Use system tls chain 17 | options+=("--tls-trust-file=/etc/ssl/certs/ca-certificates.crt") 18 | 19 | if [ -n "$SMTP_HOST" ]; then 20 | options+=("--host=$SMTP_HOST") 21 | else 22 | echo "[mail error] SMTP_HOST is not defined, mail can't be sent" 23 | exit 1 24 | fi 25 | 26 | # Log all mail requests 27 | # try /var/log/mail/sent.log but use stdout when logfile is not available 28 | if [ -n "$SMTP_LOG" ]; then 29 | options+=("--logfile=$SMTP_LOG") 30 | elif [ -f /var/log/mail/sent.log ]; then 31 | 
options+=("--logfile=/var/log/mail/sent.log") 32 | fi 33 | 34 | if [ -n "$SMTP_FROM" ]; then 35 | options+=("--from=$SMTP_FROM") 36 | fi 37 | 38 | # Default port for smtp is 25 and it will work even without this option 39 | if [ -n "$SMTP_PORT" ]; then 40 | options+=("--port=$SMTP_PORT") 41 | fi 42 | 43 | # Setup credentials 44 | if [ -n "$SMTP_USER" ]; then 45 | options+=("--user=$SMTP_USER") 46 | fi 47 | 48 | # msmtp doesn't provide password option because usually it's unsafe 49 | # Use local hack for passwordeval 50 | if [ -n "$SMTP_PASSWORD" ]; then 51 | options+=("--passwordeval=/usr/local/bin/print-smtp-password") 52 | fi 53 | 54 | 55 | if [ -n "$SMTP_AUTH" ]; then 56 | options+=("--auth=$SMTP_AUTH") 57 | elif [ -n "$SMTP_USER" ] || [ -n "$SMTP_PASSWORD" ]; then 58 | options+=("--auth=on") 59 | fi 60 | 61 | if [ -n "$SMTP_TLS" ]; then 62 | options+=("--tls=$SMTP_TLS") 63 | fi 64 | 65 | # Add our options and command line options for msmtp 66 | msmtp ${options[@]} "$@" 67 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/usr/share/nginx/html/403.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 403 Forbidden 8 | 9 | 10 | 11 | 43 | 49 | 50 | 51 | 52 |
53 |
54 |

403 Forbidden

55 |

Sorry! You don't have access permissions for that on .

56 |

Take Me To The Homepage 57 | 63 |

64 |
65 |
66 |
67 |
68 |
69 |
70 |

What happened?

71 |

A 403 error status indicates that you don't have permission to access the file or page. In general, web servers and websites have directories and files that are not open to the public web for security reasons.

72 |
73 |
74 |

What can I do?

75 |

If you're a site visitor

76 |

Please use your browser's back button and check that you're in the right place. If you need immediate assistance, please send us an email instead.

77 |

If you're the site owner

78 |

Please check that you're in the right place and get in touch with your website provider if you believe this to be an error.

79 |
80 |
81 |
82 |
83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/usr/share/nginx/html/500.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 500 Internal Server Error 8 | 9 | 10 | 11 | 43 | 49 | 50 | 51 | 52 |
53 | 54 |
55 |

500 Internal Server Error

56 |

The web server is returning an internal error for .

57 | Try This Page Again 58 |
59 |
60 |
61 |
62 |
63 |
64 |

What happened?

65 |

A 500 error status implies there is a problem with the web server's software causing it to malfunction.

66 |
67 |
68 |

What can I do?

69 |

If you're a site visitor

70 |

There is nothing you can do at the moment. If you need immediate assistance, please send us an email instead. We apologize for any inconvenience.

71 |

If you're the site owner

72 |

This error can only be fixed by server admins; please contact your website provider.

73 |
74 |
75 |
76 |
77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/usr/share/nginx/html/502.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 502 Bad Gateway 9 | 10 | 11 | 12 | 44 | 50 | 51 | 52 | 53 |
54 | 55 |
56 |

502 Bad Gateway

57 |

The web server is returning an unexpected networking error for .

58 | Try This Page Again 59 |
60 |
61 |
62 |
63 |
64 |
65 |

What happened?

66 |

A 502 error status implies that the server received an invalid response from an upstream server it accessed to fulfill the request.

67 |
68 |
69 |

What can I do?

70 |

If you're a site visitor

71 |

Check to see if this website is down for everyone or just you. 72 |

78 |

Also, clearing your browser cache and refreshing the page may clear this issue. If the problem persists and you need immediate assistance, please send us an email instead.

79 |

If you're the site owner

80 |

Clearing your browser cache and refreshing the page may clear this issue. If the problem persists and you need immediate assistance, please contact your website provider.

81 |
82 |
83 |
84 |
85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | -------------------------------------------------------------------------------- /debian-php7.0/rootfs/usr/share/nginx/html/504.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 504 Gateway Timeout 9 | 10 | 11 | 12 | 44 | 50 | 51 | 52 | 53 |
54 | 55 |
56 |

504 Gateway Timeout

57 |

The web server is returning an unexpected networking error for .

58 | Try This Page Again 59 |
60 |
61 |
62 |
63 | 64 | 65 |
66 |
67 |

What happened?

68 |

A 504 error status implies there is a slow IP communication problem between back-end servers attempting to fulfill this request.

69 |
70 |
71 |

What can I do?

72 |

If you're a site visitor

73 |

Check to see if this website is down for everyone or just you. 74 |

80 |

Also, clearing your browser cache and refreshing the page may clear this issue. If the problem persists and you need immediate assistance, please send us an email instead.

81 |

If you're the site owner

82 |

Clearing your browser cache and refreshing the page may clear this issue. If the problem persists and you need immediate assistance, please contact your website provider.

83 |
84 |
85 |
86 |
87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | -------------------------------------------------------------------------------- /docker-compose.yml: -------------------------------------------------------------------------------- 1 | # Use this if you're testing/debugging the build locally on OSX 2 | web56: 3 | build: ./php5.6/ 4 | command: /init 5 | ports: 6 | - 80 7 | volumes: 8 | - ./web:/var/www/project/web 9 | environment: 10 | WP_UID: 100 11 | WP_GID: 101 12 | 13 | # For testing with gdev 14 | VIRTUAL_HOST: php56.test 15 | PORT: 80 16 | 17 | web70: 18 | build: ./php7.0/ 19 | command: /init 20 | ports: 21 | - 80 22 | volumes: 23 | - ./web:/var/www/project/web 24 | environment: 25 | WP_UID: 100 26 | WP_GID: 101 27 | 28 | # For testing with gdev 29 | VIRTUAL_HOST: php70.test 30 | PORT: 80 31 | -------------------------------------------------------------------------------- /php5.6/.dockerignore: -------------------------------------------------------------------------------- 1 | # These files are ignored from being uploaded to docker build context 2 | 3 | # Git is not needed in docker image building 4 | .git 5 | 6 | # Development stuff 7 | docker-compose.yml 8 | .dockerignore 9 | Dockerfile 10 | -------------------------------------------------------------------------------- /php5.6/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM alpine:edge 2 | MAINTAINER Onni Hakala - Geniem Oy. 
3 | 4 | # Install dependencies and small amount of devtools 5 | RUN apk add --update curl bash nano nginx ca-certificates \ 6 | # Libs for php 7 | libssh2 libpng freetype libjpeg-turbo libgcc libxml2 libstdc++ icu-libs libltdl libmcrypt \ 8 | # WP-CLI will try to use interactive mode and causes few errors in output 9 | # when ncurses is not installed 10 | ncurses \ 11 | # For mails 12 | msmtp \ 13 | # Install gettext 14 | gettext \ 15 | # For mysql import/export 16 | mysql-client \ 17 | # Set timezone according your location 18 | tzdata \ 19 | 20 | ## 21 | # PHP 5.X 22 | ## 23 | php5 php5-fpm php5-json php5-zlib php5-xml php5-pdo php5-phar php5-openssl \ 24 | php5-pdo_mysql php5-mysqli php5-gd php5-mcrypt php5-curl php5-opcache php5-ctype \ 25 | php5-intl php5-bcmath php5-dom php5-xmlreader php5-apcu php5-mysql php5-iconv && \ 26 | 27 | # Small fixes to php & nginx 28 | ln -s /etc/php5 /etc/php && \ 29 | ln -s /usr/lib/php5 /usr/lib/php && \ 30 | mkdir -p /var/log/php/ && \ 31 | 32 | # Create directory for msmtp mail logging 33 | mkdir -p /var/log/mail && \ 34 | 35 | # Upgrade musl 36 | apk add -u musl && \ 37 | 38 | # Remove nginx user because we will create a user with correct permissions dynamically 39 | deluser nginx && \ 40 | mkdir -p /var/log/nginx && \ 41 | mkdir -p /tmp/nginx/body && \ 42 | 43 | # Remove default localhost folder 44 | rm -rf /var/www/localhost && \ 45 | 46 | # Create uploads folder and project folder 47 | mkdir -p /var/www/uploads && \ 48 | mkdir -p /var/www/project/web && \ 49 | 50 | # Remove default crontab 51 | rm /var/spool/cron/crontabs/root && \ 52 | 53 | ## 54 | # Add S6-overlay to use S6 process manager 55 | # source: https://github.com/just-containers/s6-overlay/#the-docker-way 56 | ## 57 | curl -L https://github.com/just-containers/s6-overlay/releases/download/v1.17.2.0/s6-overlay-amd64.tar.gz \ 58 | | tar -xvzC / && \ 59 | 60 | ## 61 | # Install wp-cli 62 | # source: http://wp-cli.org/ 63 | ## 64 | curl -L 
https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar -o /usr/local/bin/wp-cli && \ 65 | chmod +rx /usr/local/bin/wp-cli && \ 66 | # Install Depencies for wp-cli 67 | # - It uses less internally to output help pages 68 | apk add less && \ 69 | 70 | ## 71 | # Install cronlock for running cron correctly with mulitple container setups 72 | # https://github.com/kvz/cronlock 73 | ## 74 | curl -L https://raw.githubusercontent.com/kvz/cronlock/master/cronlock -o /usr/local/bin/cronlock && \ 75 | chmod +rx /usr/local/bin/cronlock && \ 76 | 77 | # Remove cache and tmp files 78 | rm -rf /var/cache/apk/* && \ 79 | rm -rf /tmp/* 80 | 81 | ## 82 | # Add Project files like nginx and php-fpm processes and configs 83 | # Also custom scripts and bashrc 84 | ## 85 | COPY rootfs/ / 86 | 87 | # Update path with composer files + wpcs 88 | ENV TERM="xterm" \ 89 | DB_HOST="" \ 90 | DB_NAME="" \ 91 | DB_USER=""\ 92 | DB_PASSWORD=""\ 93 | # Set defaults which can be overriden 94 | DB_PORT="3306" \ 95 | # Use default web port in nginx but allow it to be overridden 96 | # This also works correctly with flynn: 97 | # https://github.com/flynn/flynn/issues/3213#issuecomment-237307457 98 | PORT="80" \ 99 | # Set defaults for redis 100 | WP_REDIS_PORT="6379" \ 101 | WP_REDIS_DATABASE="0" \ 102 | WP_REDIS_SCHEME="tcp" \ 103 | WP_REDIS_CLIENT="pecl" \ 104 | # Cronlock is used to stop simultaneous cronjobs in clusterised environments 105 | CRONLOCK_HOST="" \ 106 | # This is for your project root 107 | PROJECT_ROOT="/var/www/project" \ 108 | # This is used by nginx and php-fpm 109 | WEB_ROOT="/var/www/project/web" \ 110 | # Nginx include files 111 | NGINX_INCLUDE_DIR="/var/www/project/nginx" \ 112 | # Allow bigger file uploads 113 | NGINX_MAX_BODY_SIZE="64M" \ 114 | # Have sane fastcgi timeout by default 115 | NGINX_FASTCGI_TIMEOUT="30" \ 116 | 117 | # Default php memory limit 118 | PHP_MEMORY_LIMIT="128M" \ 119 | 120 | # This is used automatically by wp-cli 121 | 
WP_CORE="/var/www/project/web/wp"\ 122 | # Use host machine as default SMTP_HOST 123 | SMTP_HOST="172.17.0.1" \ 124 | # This folder is used to mount files into host machine 125 | # You should use this path for your uploads since everything else should be ephemeral 126 | UPLOADS_ROOT="/var/www/uploads"\ 127 | # This can be overidden by you, it's just default for us 128 | TZ="Europe/Helsinki" 129 | 130 | # Set default path to project folder for easier running commands in project 131 | WORKDIR ${PROJECT_ROOT} 132 | 133 | EXPOSE ${PORT} 134 | 135 | ENTRYPOINT ["/init"] 136 | -------------------------------------------------------------------------------- /php5.6/rootfs/etc/ImageMagick: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | -------------------------------------------------------------------------------- /php5.6/rootfs/etc/cont-init.d/00-maybe-symlink-root: -------------------------------------------------------------------------------- 1 | #!/usr/bin/with-contenv bash 2 | 3 | # Allow different project root with clever symlink 4 | # This is used to trick drone CI to mount the files elsewhere than $PROJECT_ROOT 5 | if [ "$OVERRIDE_ROOT" != "" ] && [ "$OVERRIDE_ROOT" != "$PROJECT_ROOT" ]; then 6 | echo "INFO: Changing project path using symlink $PROJECT_ROOT -> $OVERRIDE_ROOT..." 
7 | # Remove current dir if it exists 8 | rmdir $PROJECT_ROOT 9 | 10 | # Create symlink to real project root 11 | ln -sf $OVERRIDE_ROOT $PROJECT_ROOT 12 | fi 13 | -------------------------------------------------------------------------------- /php5.6/rootfs/etc/cont-init.d/00-render-templates: -------------------------------------------------------------------------------- 1 | #!/usr/bin/with-contenv bash 2 | ## 3 | # This script uses clever heredoc hack to substitute env variables into static config files 4 | # Source: http://stackoverflow.com/questions/2914220/bash-templating-how-to-build-configuration-files-from-templates-with-bash 5 | ## 6 | 7 | ## 8 | # Replaces ${ENV} placoholders from file with provided variables 9 | # $1 - ':'' separated list of variables 10 | # $2 - filename to render 11 | ## 12 | function render_env_tmpl() { 13 | vars=$1 14 | input_file=$2 15 | # If filename ends with .tmpl replace it without the .tmpl 16 | filename=$(dirname $input_file)/$(basename $input_file .tmpl) 17 | 18 | tmp_file=/tmp/$(basename $filename) 19 | 20 | # render all provided $vars to temporary file 21 | envsubst "$vars" < $input_file > $tmp_file 22 | 23 | # replace original file with rendered file 24 | mv $tmp_file $filename 25 | } 26 | 27 | echo "[cont-init.d] Substituting env into configuration files..." 28 | 29 | ## 30 | # Nginx doesn't support env variables in config files so we will have to do this in hacky way instead 31 | ## 32 | VARS='$PORT:$WEB_ROOT:$WEB_USER:$WEB_GROUP:$NGINX_ACCESS_LOG:$NGINX_ERROR_LOG:$NGINX_ERROR_LEVEL:$NGINX_INCLUDE_DIR:$NGINX_MAX_BODY_SIZE:$NGINX_FASTCGI_TIMEOUT:$WP_ENV:$NGINX_CACHE_KEY' 33 | render_env_tmpl "$VARS" /etc/nginx/nginx.conf 34 | 35 | ## 36 | # Render all user provided nginx templates 37 | ## 38 | VARS+='$BASIC_AUTH_USER:$BASIC_AUTH_PASSWORD_HASH' 39 | for conf_file in $(find $NGINX_INCLUDE_DIR -type f -name '*.tmpl'); do 40 | echo "[cont-init.d] Rendering env in $conf_file..." 
41 | 42 | # Add helper variables for easier scripting 43 | export __DIR__=$(dirname $conf_file) 44 | 45 | VARS_TMPL=$VARS':$__DIR__' 46 | render_env_tmpl "$VARS_TMPL" $conf_file 47 | done 48 | -------------------------------------------------------------------------------- /php5.6/rootfs/etc/cont-init.d/01-create-web-user: -------------------------------------------------------------------------------- 1 | #!/usr/bin/with-contenv bash 2 | 3 | ## 4 | # If wordpress user and web group already exists just skip the user creation 5 | ## 6 | if id -u wordpress > /dev/null 2>&1 && getent group web > /dev/null 2>&1; then 7 | echo "INFO: user:wordpress and group:web already exists, skipping..." 8 | exit 0 9 | fi 10 | 11 | 12 | ## 13 | # Create wordpress user with $UID and web group with $GID 14 | ## 15 | 16 | # If permissions were not defined get GID/UID from web files 17 | if [ -z "$WP_UID" ]; then 18 | WP_UID=$(ls -n $WEB_ROOT | tail -n1 | xargs echo | cut -d' ' -f3) 19 | fi 20 | 21 | if [ -z "$WP_GID" ]; then 22 | WP_GID=$(ls -n $WEB_ROOT | tail -n1 | xargs echo | cut -d' ' -f4) 23 | fi 24 | 25 | # If web files were owned by root use 100:101 as permissions instead 26 | if [ "$WP_GID" = "0" ] || [ "$WP_UID" = "0" ]; then 27 | 28 | echo "ERROR: Your web root files are owned by root. 
I'm running processes as uid/gid 100:101 instead" 29 | 30 | # These are default if container was accidentally mounted with root owned files 31 | WP_UID=100 32 | WP_GID=101 33 | fi 34 | 35 | echo "INFO: Creating wordpress user with id: $WP_UID and group web with id: $WP_GID" 36 | 37 | # Create web group 38 | if [ -n "$WP_GID" ]; then 39 | 40 | # Check if group with $GID already exists 41 | web_group=$(getent group $WP_GID | cut -d':' -f1) 42 | 43 | if [ -n "$web_group" ]; then 44 | 45 | # Replace the existing group name to web 46 | # This is done so that in local development we can just lookup permissions from mounted folders 47 | # This UID/GID can be same as something already existing inside container 48 | # This way we can use same uid/gid in container and host machine 49 | 50 | echo "Replacing pre-existing group name $web_group -> web" 51 | sed -i "s|$web_group|web|g" /etc/group 52 | 53 | # We just changed this in /etc/group remember? 54 | web_group="web" 55 | 56 | else 57 | # Create new group 58 | web_group="web" 59 | addgroup -g $WP_GID $web_group 60 | fi 61 | else 62 | echo "ERROR: Please set correct permissions into $WEB_ROOT" 1>&2 63 | exit 2 64 | fi 65 | 66 | # Create wordpress user 67 | if [ -n "$WP_UID" ] && [ -n "$WP_GID" ] ; then 68 | web_user="wordpress" 69 | adduser -u $WP_UID -h $PROJECT_ROOT -G $web_group -S -D $web_user 70 | else 71 | echo "ERROR: Please set correct permissions into $WEB_ROOT" 1>&2 72 | exit 2 73 | fi 74 | 75 | # Check that processes can write logs 76 | chown wordpress:web /var/log 77 | -------------------------------------------------------------------------------- /php5.6/rootfs/etc/cont-init.d/01-set-timezone: -------------------------------------------------------------------------------- 1 | #!/usr/bin/with-contenv bash 2 | 3 | # Default TZ is set in Dockerfile to Europe/Helsinki 4 | echo "$TZ" > /etc/timezone 5 | 6 | # Set timezone for php too 7 | echo "; Set timezone according to system env TZ" > 
/etc/php5/conf.d/timezone.ini 8 | echo "date.timezone = '$TZ'" >> /etc/php5/conf.d/timezone.ini 9 | -------------------------------------------------------------------------------- /php5.6/rootfs/etc/cont-init.d/02-init-crond: -------------------------------------------------------------------------------- 1 | #!/usr/bin/with-contenv bash 2 | 3 | # Copy cronjob from project and run as nginx 4 | if [ -f $PROJECT_ROOT/tasks.cron ]; then 5 | cp $PROJECT_ROOT/tasks.cron /var/spool/cron/crontabs/wordpress 6 | else 7 | # No cronjobs found remove crond from s6 8 | if [ -f /etc/services.d/crond ]; then 9 | rm -r /etc/services.d/crond 10 | fi 11 | fi 12 | -------------------------------------------------------------------------------- /php5.6/rootfs/etc/cont-init.d/02-init-directories-and-files: -------------------------------------------------------------------------------- 1 | #!/usr/bin/with-contenv bash 2 | 3 | # Create uploads directory if not exists 4 | if [ ! -d $UPLOADS_ROOT ] ; then 5 | mkdir -p $UPLOADS_ROOT 6 | fi 7 | 8 | chown wordpress:web $UPLOADS_ROOT 9 | 10 | # Create dir for nginx tmp files 11 | if [ ! -d /tmp/nginx/body ] ; then 12 | mkdir -p /tmp/nginx/body 13 | fi 14 | chown wordpress:web /tmp/nginx 15 | chown wordpress:web /tmp/nginx/body 16 | 17 | # Create log directories if they don't exist already 18 | if [ ! -d /var/log/nginx ] ; then 19 | mkdir -p /var/log/nginx 20 | fi 21 | if [ ! -d /var/log/php ] ; then 22 | mkdir -p /var/log/php 23 | fi 24 | if [ ! 
-d /var/log/mail ] ; then 25 | mkdir -p /var/log/mail 26 | fi 27 | 28 | # Create log directory for php 29 | touch /var/log/php/error.log 30 | 31 | # Give wordpress user access to all log files 32 | chown -R wordpress:web /var/log/ 33 | -------------------------------------------------------------------------------- /php5.6/rootfs/etc/cont-init.d/03-init-php-sessions: -------------------------------------------------------------------------------- 1 | #!/usr/bin/with-contenv bash 2 | 3 | # Setup sessions 4 | echo "; This file contains php session backend (default: files)" > /etc/php5/conf.d/sessions.ini 5 | 6 | if [ "$PHP_SESSION_HANDLER" == "redis" ]; then 7 | echo "session.save_handler = redis" >> /etc/php5/conf.d/sessions.ini 8 | 9 | redis_resource_string="$WP_REDIS_SCHEME://" 10 | 11 | # Use different setup in dev/prod 12 | if [ "$WP_REDIS_HOST" != "" ]; then 13 | redis_resource_string+="$WP_REDIS_HOST:$WP_REDIS_PORT" 14 | elif [ "$REDIS_PORT_6379_TCP_ADDR" != "" ]; then 15 | redis_resource_string+="$REDIS_PORT_6379_TCP_ADDR:$WP_REDIS_PORT" 16 | fi 17 | 18 | # Use password or different database when user provides them 19 | redis_resource_string+="?database=$PHP_SESSION_REDIS_DB" 20 | 21 | if [ "$WP_REDIS_PASSWORD" != "" ]; then 22 | redis_resource_string+="&auth=$WP_REDIS_PASSWORD" 23 | fi 24 | 25 | echo "session.save_path = \"$redis_resource_string\"" >> /etc/php5/conf.d/sessions.ini 26 | 27 | else # Use normal file based sessions if redis is not configured 28 | echo "session.save_handler = files" >> /etc/php5/conf.d/sessions.ini 29 | echo "session.save_path = /tmp" >> /etc/php5/conf.d/sessions.ini 30 | fi 31 | -------------------------------------------------------------------------------- /php5.6/rootfs/etc/nginx/fastcgi_params: -------------------------------------------------------------------------------- 1 | ## 2 | # Set few variables since we use jwilder/nginx-proxy in dev and proxy in production 3 | # So the fastcgi params need to be the original ones 
or you 4 | # will have redirect loops ('canonical_redirect' mostly) 5 | ## 6 | 7 | # Set $host first from proxy (if possible) 8 | set $real_host $http_x_forwarded_host; 9 | if ($real_host = '') { 10 | set $real_host $http_host; 11 | } 12 | 13 | # Set server port according to forwarded proto 14 | set $real_port 80; 15 | if ($http_x_forwarded_proto = 'https') { 16 | set $real_port 443; 17 | } 18 | 19 | # Set https according to used proto 20 | set $real_https off; 21 | if ($http_x_forwarded_proto = 'https') { 22 | set $real_https on; 23 | } 24 | 25 | # Set scheme according to used proto 26 | set $real_scheme 'http'; 27 | if ($http_x_forwarded_proto = 'https') { 28 | set $real_scheme 'https'; 29 | } 30 | 31 | # Set original remote from X-Forwarded-For. The header is trusted as-is, so this is only accurate when every request reaches nginx through the proxy 32 | set $real_remote $http_x_forwarded_for; 33 | if ($real_remote = '') { 34 | set $real_remote $remote_addr; 35 | } 36 | 37 | # These are just basic things from the request 38 | fastcgi_param QUERY_STRING $query_string; 39 | fastcgi_param REQUEST_METHOD $request_method; 40 | fastcgi_param CONTENT_TYPE $content_type; 41 | fastcgi_param CONTENT_LENGTH $content_length; 42 | 43 | fastcgi_param SCRIPT_NAME $fastcgi_script_name; 44 | fastcgi_param REQUEST_URI $request_uri; 45 | fastcgi_param DOCUMENT_URI $document_uri; 46 | fastcgi_param DOCUMENT_ROOT $document_root; 47 | fastcgi_param SERVER_PROTOCOL $server_protocol; 48 | 49 | fastcgi_param GATEWAY_INTERFACE CGI/1.1; 50 | fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; 51 | 52 | ## 53 | # Set these using the knowledge that we are behind a proxy (the values come from the X-Forwarded-* headers read above) 54 | ## 55 | fastcgi_param REMOTE_ADDR $real_remote; 56 | fastcgi_param REMOTE_PORT $remote_port; 57 | fastcgi_param SERVER_ADDR $server_addr; 58 | fastcgi_param SERVER_PORT $real_port; 59 | fastcgi_param SERVER_NAME $real_host; 60 | fastcgi_param HTTPS $real_https; 61 | fastcgi_param REQUEST_SCHEME $real_scheme; 62 | fastcgi_param HTTP_HOST $real_host; 63 | 64 | # PHP only, required if PHP was built with --enable-force-cgi-redirect 65 | fastcgi_param 
REDIRECT_STATUS 200; 66 | -------------------------------------------------------------------------------- /php5.6/rootfs/etc/nginx/gzip.conf: -------------------------------------------------------------------------------- 1 | # Compression 2 | 3 | # Enable Gzip compressed. 4 | gzip on; 5 | 6 | # Compression level (1-9). 7 | # 5 is a perfect compromise between size and cpu usage, offering about 8 | # 75% reduction for most ascii files (almost identical to level 9). 9 | gzip_comp_level 5; 10 | 11 | # Don't compress anything that's already small and unlikely to shrink much 12 | # if at all (the default is 20 bytes, which is bad as that usually leads to 13 | # larger files after gzipping). 14 | gzip_min_length 256; 15 | 16 | # Compress data even for clients that are connecting to us via proxies, 17 | # identified by the "Via" header (required for CloudFront). 18 | gzip_proxied any; 19 | 20 | # Tell proxies to cache both the gzipped and regular version of a resource 21 | # whenever the client's Accept-Encoding capabilities header varies; 22 | # Avoids the issue where a non-gzip capable client (which is extremely rare 23 | # today) would display gibberish if their proxy gave them the gzipped version. 24 | gzip_vary on; 25 | 26 | # Compress all output labeled with one of the following MIME-types. 
27 | gzip_types 28 | application/atom+xml 29 | application/javascript 30 | application/json 31 | application/ld+json 32 | application/manifest+json 33 | application/rss+xml 34 | application/vnd.geo+json 35 | application/vnd.ms-fontobject 36 | application/x-font-ttf 37 | application/x-web-app-manifest+json 38 | application/xhtml+xml 39 | application/xml 40 | font/opentype 41 | image/bmp 42 | image/svg+xml 43 | image/x-icon 44 | text/cache-manifest 45 | text/css 46 | text/plain 47 | text/vcard 48 | text/vnd.rim.location.xloc 49 | text/vtt 50 | text/x-component 51 | text/x-cross-domain-policy; 52 | # text/html is always compressed by HttpGzipModule 53 | 54 | # This should be turned on if you are going to have pre-compressed copies (.gz) of 55 | # static files available. If not it should be left off as it will cause extra I/O 56 | # for the check. It is best if you enable this in a location{} block for 57 | # a specific directory, or on an individual server{} level. 58 | # gzip_static on; 59 | -------------------------------------------------------------------------------- /php5.6/rootfs/etc/nginx/nginx.conf: -------------------------------------------------------------------------------- 1 | # run nginx in foreground 2 | daemon off; 3 | 4 | # Run nginx with the user created just for this container 5 | user wordpress web; 6 | 7 | error_log /var/log/nginx/nginx-error.log warn; 8 | 9 | pid /var/run/nginx.pid; 10 | 11 | env DB_HOST; 12 | env DB_NAME; 13 | env DB_USER; 14 | env DB_PASS; 15 | env DB_PASSWORD; 16 | 17 | # Serve projects from here 18 | env WEB_ROOT; 19 | 20 | # How many worker threads to run; 21 | # "auto" sets it to the number of CPU cores available in the system, and 22 | # offers the best performance. Don't set it higher than the number of CPU 23 | # cores if changing this parameter. 
24 | 25 | # The maximum number of connections for Nginx is calculated by: 26 | # max_clients = worker_processes * worker_connections 27 | worker_processes auto; 28 | 29 | # Maximum open file descriptors per process; 30 | # should be > worker_connections. 31 | worker_rlimit_nofile 8192; 32 | 33 | events { 34 | # When you need > 8000 * cpu_cores connections, you start optimizing your OS, 35 | # and this is probably the point at which you hire people who are smarter than 36 | # you, as this is *a lot* of requests. 37 | worker_connections 8000; 38 | } 39 | 40 | http { 41 | # Hide the nginx version in the Server header and on error pages. 42 | server_tokens off; 43 | 44 | # How long to allow each connection to stay idle; longer values are better 45 | # for each individual client, particularly for SSL, but means that worker 46 | # connections are tied up longer. (Default: 65) 47 | keepalive_timeout 20; 48 | 49 | # Speed up file transfers by using sendfile() to copy directly 50 | # between descriptors rather than using read()/write(). 51 | sendfile on; 52 | 53 | # Tell Nginx not to send out partial frames; this increases throughput 54 | # since TCP frames are filled up before being sent out. (adds TCP_CORK) 55 | tcp_nopush on; 56 | 57 | # Gzip all the assets 58 | include gzip.conf; 59 | 60 | include /etc/nginx/mime.types; 61 | include /etc/nginx/fastcgi.conf; 62 | default_type application/octet-stream; 63 | client_body_temp_path /tmp/nginx/body 1 2; 64 | fastcgi_temp_path /tmp/nginx/fastcgi_temp 1 2; 65 | 66 | # A log format for requests rejected by the security rules (it also relies on $http_x_real_ip, see the note below). 67 | log_format blocked '$time_local: Blocked request from $http_x_real_ip $request'; 68 | 69 | # This log format records the real requester's IP address instead of the reverse proxy's. \ 70 | # $http_x_real_ip is the client-supplied X-Real-IP request header, so it is only trustworthy \ 71 | # when a trusted proxy in front of nginx sets or overwrites it; otherwise it can be spoofed. Also note \ 72 | # that "specialLog" can be replaced with any name you would like to give to this log format. 
73 | log_format specialLog '$http_x_real_ip - $remote_user [$time_local] ' 74 | '"$request" $status $body_bytes_sent ' 75 | '"$http_referer" "$http_user_agent"'; 76 | 77 | # Cap request bodies (file uploads) at ${NGINX_MAX_BODY_SIZE}; the 256M mentioned here historically is not the effective value, the rendered env var is; 78 | client_max_body_size ${NGINX_MAX_BODY_SIZE}; 79 | 80 | # Include custom nginx http additions from project 81 | include ${NGINX_INCLUDE_DIR}/http/*.conf; 82 | include ${NGINX_INCLUDE_DIR}/environments/${WP_ENV}/http/*.conf; 83 | 84 | server { 85 | listen ${PORT} default_server; 86 | server_name _; 87 | 88 | root ${WEB_ROOT}; 89 | index index.php index.html index.htm; 90 | access_log /var/log/nginx/access.log specialLog; 91 | error_log /var/log/nginx/error.log; 92 | 93 | # Blocked log file 94 | set $blocked_log /var/log/nginx/blocked.log; 95 | 96 | disable_symlinks off; 97 | 98 | location = /robots.txt { 99 | allow all; 100 | log_not_found off; 101 | access_log off; 102 | } 103 | 104 | # deny dot-files 105 | location ~ /\. { 106 | deny all; 107 | access_log off; 108 | log_not_found off; 109 | } 110 | 111 | # Include custom nginx server additions from project 112 | include ${NGINX_INCLUDE_DIR}/server/*.conf; 113 | include ${NGINX_INCLUDE_DIR}/environments/${WP_ENV}/server/*.conf; 114 | 115 | # A few wordpress specific rules for subdirectory installations 116 | include wordpress.conf; 117 | 118 | # pass the PHP scripts to the FastCGI server listening on /var/run/php-fpm.sock; the -f check below rejects requests whose resolved script file does not exist on disk (the standard guard against PATH_INFO script-name confusion when cgi.fix_pathinfo is enabled) 119 | location ~ [^/]\.php(/|$) { 120 | fastcgi_split_path_info ^(.+?\.php)(/.*)$; 121 | if (!-f $document_root$fastcgi_script_name) { 122 | return 404; 123 | } 124 | fastcgi_keep_conn on; 125 | fastcgi_read_timeout 180; 126 | fastcgi_pass unix:/var/run/php-fpm.sock; 127 | fastcgi_index index.php; 128 | fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; 129 | include fastcgi_params; 130 | } 131 | 132 | # Include rules which deny known exploit patterns and access to sensitive files 133 | include security.conf; 134 | 135 | } 136 | 137 | } 138 | 
-------------------------------------------------------------------------------- /php5.6/rootfs/etc/nginx/security.conf: -------------------------------------------------------------------------------- 1 | ## Block SQL injection patterns (matched against the normalized request path only; nginx location matching never sees the query string, so this is no substitute for parameterized queries in the application) 2 | location ~* union.*select.*\( { access_log $blocked_log blocked; deny all; } 3 | location ~* union.*all.*select.* { access_log $blocked_log blocked; deny all; } 4 | location ~* concat.*\( { access_log $blocked_log blocked; deny all; } 5 | 6 | ## Block common exploit patterns 7 | location ~* (<|%3C).*script.*(>|%3E) { access_log $blocked_log blocked; deny all; } 8 | location ~* base64_(en|de)code\(.*\) { access_log $blocked_log blocked; deny all; } 9 | location ~* (%24&x) { access_log $blocked_log blocked; deny all; } 10 | location ~* (%0|%A|%B|%C|%D|%E|%F|127\.0) { access_log $blocked_log blocked; deny all; } 11 | location ~* \.\.\/ { access_log $blocked_log blocked; deny all; } 12 | location ~* ~$ { access_log $blocked_log blocked; deny all; } 13 | location ~* proc/self/environ { access_log $blocked_log blocked; deny all; } 14 | location ~* /\.(htaccess|htpasswd|svn|git) { access_log $blocked_log blocked; deny all; } 15 | 16 | ## Block file injections 17 | location ~* [a-zA-Z0-9_]=(\.\.//?)+ { access_log $blocked_log blocked; deny all; } 18 | location ~* [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ { access_log $blocked_log blocked; deny all; } 19 | 20 | ## wordpress security 21 | location ~* wp-config.php { access_log $blocked_log blocked; deny all; } 22 | location = /wp-config.php { access_log $blocked_log blocked; deny all; } 23 | location ~* wp-load.php { access_log $blocked_log blocked; deny all; } 24 | location ~* wp-admin/includes { access_log $blocked_log blocked; deny all; } 25 | location ~* wp-app\.log { access_log $blocked_log blocked; deny all; } 26 | location ~* (licence|readme|license)\.(md|html|txt) { access_log $blocked_log blocked; deny all; } 27 | 28 | ## Deny access to all php files in uploads folder -- note that the three anchored patterns below only match the literal paths /uploads.php, /content/uploads.php and /wp-content/uploads.php; .php files inside an uploads directory are covered by the /(uploads|files)/.*\.php$ location in wordpress.conf 29 | location ~* ^/uploads\.php { 
access_log $blocked_log blocked; deny all; } 30 | location ~* ^/content/uploads\.php { access_log $blocked_log blocked; deny all; } 31 | location ~* ^/wp-content/uploads\.php { access_log $blocked_log blocked; deny all; } 32 | -------------------------------------------------------------------------------- /php5.6/rootfs/etc/nginx/upstreams.conf: -------------------------------------------------------------------------------- 1 | # Default php handler 2 | upstream php-fpm { 3 | server unix:/var/run/php-fpm.sock; 4 | } 5 | -------------------------------------------------------------------------------- /php5.6/rootfs/etc/nginx/wordpress.conf: -------------------------------------------------------------------------------- 1 | ## 2 | # File includes Wordpress specific nginx-rules. 3 | ## 4 | 5 | # Rewrite rules to allow for an application-like wordpress directory structure 6 | if (!-e $request_filename) { 7 | rewrite /wp-admin$ $scheme://$host$uri/ permanent; 8 | rewrite ^/(wp-.*.php)$ /wp/$1 last; 9 | rewrite ^/(wp-(content|admin|includes).*) /wp/$1 last; 10 | } 11 | 12 | # Enable XML-RPC for WordPress 13 | rewrite ^/(xmlrpc\.php)$ /wp/$1 last; 14 | 15 | location / { 16 | try_files $uri $uri/ /index.php?$args; 17 | } 18 | 19 | # Yoast SEO sitemap configuration 20 | # source: https://rtcamp.com/wordpress-nginx/tutorials/plugins/yoast-seo-sitemap/ 21 | location ~ ([^/]*)sitemap(.*)\.x(m|s)l$ { 22 | rewrite ^/sitemap\.xml$ /sitemap_index.xml permanent; 23 | rewrite ^/([a-z]+)?-?sitemap\.xsl$ /index.php?xsl=$1 last; 24 | rewrite ^/sitemap_index\.xml$ /index.php?sitemap=1 last; 25 | rewrite ^/([^/]+?)-sitemap([0-9]+)?\.xml$ /index.php?sitemap=$1&sitemap_n=$2 last; 26 | 27 | # The following lines are for optional addons 28 | rewrite ^/news_sitemap\.xml$ /index.php?sitemap=wpseo_news last; 29 | rewrite ^/locations\.kml$ /index.php?sitemap=wpseo_local_kml last; 30 | rewrite ^/geo_sitemap\.xml$ /index.php?sitemap=wpseo_local last; 31 | rewrite ^/video-sitemap\.xsl$ 
/index.php?xsl=video last; 32 | } 33 | 34 | # Deny access to any files with a .php extension in the uploads directory 35 | # Works in sub-directory installs and also in multisite network 36 | # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban) 37 | location ~* /(?:uploads|files)/.*\.php$ { 38 | deny all; 39 | } 40 | -------------------------------------------------------------------------------- /php5.6/rootfs/etc/php5/conf.d/common.ini: -------------------------------------------------------------------------------- 1 | [PHP] 2 | 3 | ; Don't brag that we have php 7.0 4 | expose_php = Off 5 | -------------------------------------------------------------------------------- /php5.6/rootfs/etc/php5/conf.d/limits.ini: -------------------------------------------------------------------------------- 1 | ; filesize, time and input limits 2 | max_execution_time = 120 3 | max_input_time = 300 4 | max_input_vars = 1000 5 | memory_limit = ${PHP_MEMORY_LIMIT} 6 | post_max_size = ${NGINX_MAX_BODY_SIZE} 7 | upload_max_filesize = ${NGINX_MAX_BODY_SIZE} 8 | -------------------------------------------------------------------------------- /php5.6/rootfs/etc/php5/conf.d/logging.ini: -------------------------------------------------------------------------------- 1 | ; always log errors in production and development 2 | log_errors = On 3 | log_errors_max_len = 8192 4 | error_log = /var/log/php/error.log 5 | 6 | ; Use changed error log path 7 | php_admin_value[error_log] = /var/log/php/error.log 8 | php_admin_flag[log_errors] = on 9 | -------------------------------------------------------------------------------- /php5.6/rootfs/etc/php5/conf.d/mail.ini: -------------------------------------------------------------------------------- 1 | [PHP] 2 | ; Use msmtp to send mail instead of sendmail 3 | sendmail_path = "/usr/sbin/sendmail" 4 | -------------------------------------------------------------------------------- 
/php5.6/rootfs/etc/php5/fpm.d/preserve-env.conf: -------------------------------------------------------------------------------- 1 | ; Pass the whole container environment through to the php-fpm workers when php-fpm starts 2 | ; By default php-fpm clears the environment and each variable must be whitelisted with env[]; with clear_env = no every container variable (including credentials such as DB_PASSWORD and SMTP_PASSWORD) is readable from PHP code via getenv() 3 | clear_env = no 4 | -------------------------------------------------------------------------------- /php5.6/rootfs/etc/php5/php-fpm.conf: -------------------------------------------------------------------------------- 1 | ; Run this in the foreground so s6 can control it 2 | daemonize = no 3 | 4 | ; Log all warnings and errors 5 | error_log = /var/log/php/error.log 6 | log_level = warning 7 | 8 | [www] 9 | user = wordpress 10 | group = web 11 | listen = /var/run/php-fpm.sock 12 | listen.owner = wordpress 13 | listen.group = web 14 | pm = dynamic 15 | 16 | ; Rough sizing rule: total RAM dedicated to the web server divided by the max child process size 17 | pm.max_children = 10 18 | 19 | ; Log errors please 20 | php_admin_value[error_log] = /var/log/php/error.log 21 | php_admin_flag[log_errors] = on 22 | 23 | pm.start_servers = 1 24 | pm.min_spare_servers = 1 25 | pm.max_spare_servers = 3 26 | 27 | ; Redirect worker stdout and stderr into main error log. If not set, stdout and 28 | ; stderr will be redirected to /dev/null according to FastCGI specs. 
29 | ; Default Value: no 30 | catch_workers_output = yes 31 | 32 | ; Project web root 33 | chdir = ${WEB_ROOT} 34 | 35 | pm.process_idle_timeout = 10s 36 | pm.max_requests = 500 37 | 38 | include=/etc/php5/fpm.d/*.conf 39 | -------------------------------------------------------------------------------- /php5.6/rootfs/etc/php5/php-fpm.ini: -------------------------------------------------------------------------------- 1 | ;;; 2 | ; Production settings for php and php-fpm 3 | ;;; 4 | ; All directives from /etc/php5/conf.d are also included 5 | ;;; 6 | 7 | [PHP] 8 | 9 | ; Don't display errors in production 10 | display_errors = Off 11 | 12 | display_startup_errors = Off 13 | track_errors = Off 14 | 15 | ; Disable some functions because they allow bad/vulnerable patterns 16 | ; We want to advocate good coding practises and these functions make it difficult 17 | ; You can use these with php cli but not with php-fpm 18 | ; We need system() with phinx through php cli 19 | disable_functions =exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec,parse_ini_file,show_source 20 | 21 | [opcache] 22 | opcache.enable = 1 23 | opcache.enable_cli = 1 24 | opcache.fast_shutdown = 1 25 | opcache.memory_consumption = 128 26 | opcache.interned_strings_buffer = 8 27 | opcache.max_accelerated_files = 4000 28 | opcache.revalidate_freq = 60 29 | 30 | -------------------------------------------------------------------------------- /php5.6/rootfs/etc/services.d/crond/run: -------------------------------------------------------------------------------- 1 | #!/usr/bin/with-contenv sh 2 | 3 | # Runs cron daemon in foreground 4 | crond -l 2 -f 5 | -------------------------------------------------------------------------------- /php5.6/rootfs/etc/services.d/nginx/run: -------------------------------------------------------------------------------- 1 | #!/usr/bin/execlineb -P 2 | 3 | # Run nginx processes as wordpress:web 4 | nginx 5 | 
-------------------------------------------------------------------------------- /php5.6/rootfs/etc/services.d/php-fpm/finish: -------------------------------------------------------------------------------- 1 | #!/usr/bin/execlineb -S1 2 | 3 | # only tell s6 to bring down the entire container, if it isn't already doing so 4 | # http://skarnet.org/software/s6/s6-supervise.html 5 | if { s6-test ${1} -ne 0 } 6 | if { s6-test ${1} -ne 256 } 7 | 8 | s6-svscanctl -t /var/run/s6/services -------------------------------------------------------------------------------- /php5.6/rootfs/etc/services.d/php-fpm/run: -------------------------------------------------------------------------------- 1 | #!/usr/bin/with-contenv bash 2 | echo "[services.d] started php-fpm" 3 | exec /usr/bin/php-fpm -c /etc/php/php-fpm.ini --fpm-config /etc/php/php-fpm.conf --pid /var/run/php-fpm.pid 4 | 5 | -------------------------------------------------------------------------------- /php5.6/rootfs/root/.bashrc: -------------------------------------------------------------------------------- 1 | # ~/.bashrc: executed by bash(1) for non-login shells. 2 | # see /usr/share/doc/bash/examples/startup-files (in the package bash-doc) 3 | # for examples 4 | 5 | # If not running interactively, don't do anything 6 | [ -z "$PS1" ] && return 7 | 8 | # don't put duplicate lines in the history. See bash(1) for more options 9 | # ... or force ignoredups and ignorespace 10 | HISTCONTROL=ignoredups:ignorespace 11 | 12 | # append to the history file, don't overwrite it 13 | shopt -s histappend 14 | 15 | # for setting history length see HISTSIZE and HISTFILESIZE in bash(1) 16 | HISTSIZE=1000 17 | HISTFILESIZE=2000 18 | 19 | # check the window size after each command and, if necessary, 20 | # update the values of LINES and COLUMNS. 
21 | shopt -s checkwinsize 22 | 23 | # make less more friendly for non-text input files, see lesspipe(1) 24 | [ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)" 25 | 26 | # set variable identifying the chroot you work in (used in the prompt below) 27 | if [ -z "$debian_chroot" ] && [ -r /etc/debian_chroot ]; then 28 | debian_chroot=$(cat /etc/debian_chroot) 29 | fi 30 | 31 | # set a fancy prompt (non-color, unless we know we "want" color) 32 | case "$TERM" in 33 | xterm-color) color_prompt=yes;; 34 | esac 35 | 36 | # uncomment for a colored prompt, if the terminal has the capability; turned 37 | # off by default to not distract the user: the focus in a terminal window 38 | # should be on the output of commands, not on the prompt 39 | #force_color_prompt=yes 40 | 41 | if [ -n "$force_color_prompt" ]; then 42 | if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then 43 | # We have color support; assume it's compliant with Ecma-48 44 | # (ISO/IEC-6429). (Lack of such support is extremely rare, and such 45 | # a case would tend to support setf rather than setaf.) 
46 | color_prompt=yes 47 | else 48 | color_prompt= 49 | fi 50 | fi 51 | 52 | if [ "$color_prompt" = yes ]; then 53 | PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@$CONTAINER\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ ' 54 | else 55 | PS1='${debian_chroot:+($debian_chroot)}\u@$CONTAINER:\w\$ ' 56 | fi 57 | unset color_prompt force_color_prompt 58 | 59 | # If this is an xterm set the title to user@host:dir 60 | case "$TERM" in 61 | xterm*|rxvt*) 62 | PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1" 63 | ;; 64 | *) 65 | ;; 66 | esac 67 | 68 | # enable color support of ls and also add handy aliases 69 | if [ -x /usr/bin/dircolors ]; then 70 | test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)" 71 | alias ls='ls --color=auto' 72 | #alias dir='dir --color=auto' 73 | #alias vdir='vdir --color=auto' 74 | 75 | alias grep='grep --color=auto' 76 | alias fgrep='fgrep --color=auto' 77 | alias egrep='egrep --color=auto' 78 | fi 79 | 80 | # some more ls aliases 81 | alias ll='ls -alF' 82 | alias la='ls -A' 83 | alias l='ls -CF' 84 | 85 | 86 | # Fuck this shit, I don't want to learn vim today or tomorrow 87 | export EDITOR=nano 88 | -------------------------------------------------------------------------------- /php5.6/rootfs/usr/local/bin/phinx: -------------------------------------------------------------------------------- 1 | #!/usr/bin/with-contenv bash 2 | ## 3 | # Phinx wrapper 4 | # You need to install phinx through composer first 5 | ## 6 | 7 | # Export database host in prod and dev 8 | if [ ! -z "$MYSQL_HOST" ]; then 9 | export PHINX_DBHOST=$MYSQL_HOST 10 | elif [ ! -z "$DB_HOST" ]; then 11 | export PHINX_DBHOST=$DB_HOST 12 | elif [ ! -z "$DB_PORT_3306_TCP_ADDR" ]; then 13 | export PHINX_DBHOST=$DB_PORT_3306_TCP_ADDR 14 | else 15 | echo "ERROR: You need to set DB_HOST!" 
16 | fi 17 | 18 | # Export phinx envs 19 | # Default to the MYSQL_ envs but fall back to DB_ 20 | export PHINX_DBPORT=${MYSQL_PORT-$DB_PORT} 21 | export PHINX_DBNAME=${MYSQL_DATABASE-$DB_NAME} 22 | export PHINX_DBUSER=${MYSQL_USER-$DB_USER} 23 | export PHINX_DBPASSWORD=${MYSQL_PWD-$DB_PASSWORD} 24 | export PHINX_ENVIRONMENT=$WP_ENV 25 | 26 | # Run phinx 27 | php $PROJECT_ROOT/vendor/bin/phinx $@ 28 | -------------------------------------------------------------------------------- /php5.6/rootfs/usr/local/bin/print-smtp-password: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # This is so that we can use msmtp without an /etc/msmtprc config file 3 | # msmtp doesn't have a --password option, it only has --passwordeval 4 | # msmtp runs this script via --passwordeval and reads the password from its stdout; the value comes from the SMTP_PASSWORD env var 5 | echo $SMTP_PASSWORD 6 | -------------------------------------------------------------------------------- /php5.6/rootfs/usr/local/bin/wp: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | ## 3 | # WP-cli wrapper: Append path automatically so that user doesn't have to 4 | ## 5 | if [ "$(whoami)" = "root" ]; then 6 | 7 | # Re-quote every argument into one string because "$@" cannot be interpolated into the su -c command below. Note this is not escape-safe: an argument containing a double quote, backtick or $ is re-evaluated by the inner shell. 8 | args="" 9 | for i in "$@"; do 10 | args="$args \"$i\"" 11 | done 12 | 13 | # Run as the wordpress user instead 14 | # so that nothing gets installed as root 15 | su -s /bin/bash wordpress -c "/usr/local/bin/wp-cli $args --path=$WP_CORE" 16 | else 17 | /usr/local/bin/wp-cli "$@" --path=$WP_CORE 18 | fi 19 | -------------------------------------------------------------------------------- /php5.6/rootfs/usr/local/bin/wp-run-cron: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright © 2015 Bjørn Johansen 3 | # This work is free. 
You can redistribute it and/or modify it under the 4 | # terms of the Do What The Fuck You Want To Public License, Version 2, 5 | # as published by Sam Hocevar. See http://www.wtfpl.net/ for more details. 6 | # Source: https://bjornjohansen.no/wordpress-cron-wp-cli 7 | # Github: https://gist.github.com/bjornjohansen/a00a9fee5475c4dadb56#file-run-wp-cron-sh 8 | 9 | # This is modified for our container. In this container you don't need to use --path 10 | # because it's automatically included 11 | 12 | # Check if WP-CLI is available 13 | if ! hash wp 2>/dev/null; then 14 | echo "WP-CLI is not available" 15 | exit 16 | fi 17 | 18 | # If WordPress isn’t installed here, we bail 19 | if ! $(wp core is-installed --quiet); then 20 | echo "WordPress is not installed here: ${WP_CORE}" 21 | exit 22 | fi 23 | 24 | # Get a list of site URLs 25 | if $(wp core is-installed --quiet --network); 26 | then 27 | SITE_URLS=`wp site list --fields=url --archived=0 --deleted=0 --format=csv | sed 1d` 28 | else 29 | SITE_URLS=(`wp option get siteurl`) 30 | fi 31 | 32 | # Loop through all the sites 33 | for SITE_URL in $SITE_URLS 34 | do 35 | # Run all event hooks that are due 36 | for EVENT_HOOK in $(wp cron event list --format=csv --fields=hook,next_run_relative --url="$SITE_URL" | grep now$ | awk -F ',' '{print $1}') 37 | do 38 | wp cron event run "$EVENT_HOOK" --url="$SITE_URL" --quiet 39 | done 40 | done 41 | -------------------------------------------------------------------------------- /php5.6/rootfs/usr/sbin/sendmail: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | ## 3 | # This is custom wrapper for msmtp which acts like good old sendmail 4 | # - It is used for php and cron 5 | # - This is easier to configure for external mail server than sendmail 6 | # - sendmail is just the default binary which other services will use 7 | # - It needs following env: SMTP_HOST, SMTP_PASSWORD, SMTP_PORT, SMTP_USER 8 | ## 9 | 10 | # Deduce all used 
msmtp options from system ENVs 11 | declare -a options 12 | 13 | # Act like sendmail 14 | options+=("-t") 15 | 16 | # Verify the server certificate against the system CA bundle 17 | options+=("--tls-trust-file=/etc/ssl/certs/ca-certificates.crt") 18 | 19 | if [ -n "$SMTP_HOST" ]; then 20 | options+=("--host=$SMTP_HOST") 21 | else 22 | echo "[mail error] SMTP_HOST is not defined, mail can't be sent" 23 | exit 1 24 | fi 25 | 26 | # Log all mail requests 27 | if [ -n "$SMTP_LOG" ]; then 28 | options+=("--logfile=$SMTP_LOG") 29 | else 30 | options+=("--logfile=/var/log/mail/sent.log") 31 | fi 32 | 33 | if [ -n "$SMTP_FROM" ]; then 34 | options+=("--from=$SMTP_FROM") 35 | fi 36 | 37 | # Default port for smtp is 25 and it will work even without this option 38 | if [ -n "$SMTP_PORT" ]; then 39 | options+=("--port=$SMTP_PORT") 40 | fi 41 | 42 | # Setup credentials 43 | if [ -n "$SMTP_USER" ]; then 44 | options+=("--user=$SMTP_USER") 45 | fi 46 | 47 | # msmtp doesn't provide a --password option because a password on the command line would be visible in the process list 48 | # so the password is supplied through --passwordeval, which reads it from the helper script's stdout 49 | if [ -n "$SMTP_PASSWORD" ]; then 50 | options+=("--passwordeval=/usr/local/bin/print-smtp-password") 51 | fi 52 | 53 | if [ -n "$SMTP_TLS" ]; then 54 | 55 | # msmtp only understands on / off 56 | # Translate any random trueish or falseish value 57 | # For example ansible converts SMTP_TLS: on -> SMTP_TLS: "True" which is super annoying 58 | # So only use SMTP_TLS: "on" ok? 
59 | case "$SMTP_TLS" in 60 | "True" | "on" | "On" | "ON" | "1") 61 | options+=("--tls=on") 62 | echo "--tls=on" 63 | ;; 64 | "False" | "off" | "Off" | "OFF" | "0") 65 | options+=("--tls=off") 66 | echo "--tls=off" 67 | ;; 68 | *) 69 | echo "[mail error] Sorry SMTP_TLS: $SMTP_TLS is not viable option: on/off" 70 | ;; 71 | esac 72 | 73 | fi 74 | 75 | if [ -n "$SMTP_AUTH" ]; then 76 | 77 | # msmtp only understands on / off 78 | # Translate any random trueish or falseish value 79 | # For example ansible converts SMTP_AUTH: on -> SMTP_AUTH: "True" which is super annoying 80 | # So only use SMTP_AUTH: "on" ok? 81 | case "$SMTP_AUTH" in 82 | "True" | "on" | "On" | "ON" | "1") 83 | options+=("--auth=on") 84 | ;; 85 | "False" | "off" | "Off" | "OFF" | "0") 86 | options+=("--auth=off") 87 | ;; 88 | *) 89 | echo "[mail error] Sorry SMTP_AUTH: $SMTP_AUTH is not viable option: on/off" 90 | ;; 91 | esac 92 | 93 | elif [ -n "$SMTP_USER" ] || [ -n "$SMTP_PASSWORD" ]; then 94 | options+=("--auth=on") 95 | fi 96 | 97 | # Add our options and command line options for msmtp 98 | msmtp ${options[@]} "$@" 99 | -------------------------------------------------------------------------------- /php7.0/.dockerignore: -------------------------------------------------------------------------------- 1 | # These files are ignored from being uploaded to docker build context 2 | 3 | # Git is not needed in docker image building 4 | .git 5 | 6 | # Development stuff 7 | docker-compose.yml 8 | .dockerignore 9 | Dockerfile 10 | -------------------------------------------------------------------------------- /php7.0/Dockerfile: -------------------------------------------------------------------------------- 1 | # Dependency for php7: libwebp library doesn't work correctly with alpine:v3.3 so we are using alpine:edge 2 | FROM alpine:edge 3 | MAINTAINER Onni Hakala - Geniem Oy. 
4 | 5 | # Install dependencies and small amount of devtools 6 | RUN apk add --update curl bash git openssh-client nano nginx ca-certificates \ 7 | # Libs for php 8 | libssh2 libpng freetype libjpeg-turbo libgcc libxml2 libstdc++ icu-libs libltdl libmcrypt \ 9 | # WP-CLI will try to use interactive mode and causes few errors in output 10 | # when ncurses is not installed 11 | ncurses \ 12 | # For mails 13 | msmtp \ 14 | # For mysql import/export 15 | mysql-client \ 16 | # Install gettext 17 | gettext \ 18 | # Set timezone according your location 19 | tzdata && \ 20 | # Upgrade musl 21 | apk add -u musl && \ 22 | 23 | ## 24 | # Install php7 25 | # - These repositories are in 'testing' repositories but it's much more stable/easier than compiling our own php. 26 | ## 27 | apk add --update-cache --repository http://dl-4.alpinelinux.org/alpine/edge/testing/ \ 28 | php7-pdo_mysql php7-mysqli php7-mysqlnd php7-mcrypt \ 29 | php7 php7-session php7-fpm php7-json php7-zlib php7-xml php7-pdo \ 30 | php7-gd php7-curl php7-opcache php7-ctype php7-mbstring php7-soap \ 31 | php7-intl php7-bcmath php7-dom php7-xmlreader php7-openssl php7-phar php7-redis php7-mongodb && \ 32 | 33 | # Small fixes to php & nginx 34 | ln -s /etc/php7 /etc/php && \ 35 | ln -s /usr/bin/php7 /usr/bin/php && \ 36 | ln -s /usr/sbin/php-fpm7 /usr/bin/php-fpm && \ 37 | ln -s /usr/lib/php7 /usr/lib/php && \ 38 | rm -rf /var/log/php7 && \ 39 | mkdir -p /var/log/php/ && \ 40 | 41 | # No need for the default configs 42 | rm -f /etc/php/php-fpm.d/www.conf && \ 43 | 44 | # Remove nginx user because we will create a user with correct permissions dynamically 45 | deluser nginx && \ 46 | mkdir -p /var/log/nginx && \ 47 | mkdir -p /tmp/nginx/body && \ 48 | 49 | # Remove default localhost folder 50 | rm -rf /var/www/localhost && \ 51 | 52 | # Create uploads folder and project folder 53 | mkdir -p /var/www/uploads && \ 54 | mkdir -p /var/www/project/web && \ 55 | 56 | # Remove default crontab 57 | rm 
/var/spool/cron/crontabs/root && \ 58 | 59 | ## 60 | # Add S6-overlay to use S6 process manager (pinned to v1.17.2.0, but the archive is extracted straight into / without checksum or signature verification) 61 | # source: https://github.com/just-containers/s6-overlay/#the-docker-way 62 | ## 63 | curl -L https://github.com/just-containers/s6-overlay/releases/download/v1.17.2.0/s6-overlay-amd64.tar.gz \ 64 | | tar -xvzC / && \ 65 | 66 | ## 67 | # Install wp-cli (latest phar from the gh-pages builds; not version-pinned and not checksum-verified) 68 | # source: http://wp-cli.org/ 69 | ## 70 | curl -L https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar -o /usr/local/bin/wp-cli && \ 71 | chmod +rx /usr/local/bin/wp-cli && \ 72 | # wp-cli uses less internally to output its help pages 73 | apk add less && \ 74 | 75 | ## 76 | # Install cronlock for running cron correctly with multiple container setups 77 | # https://github.com/kvz/cronlock (fetched from the unpinned master branch, so image builds are not reproducible) 78 | ## 79 | curl -L https://raw.githubusercontent.com/kvz/cronlock/master/cronlock -o /usr/local/bin/cronlock && \ 80 | chmod +rx /usr/local/bin/cronlock && \ 81 | 82 | ## 83 | # Install Composer (the installer script is piped straight into php; verify its published checksum before running it when hardening this image) 84 | ## 85 | curl -L -sS https://getcomposer.org/installer | \ 86 | php -- --install-dir=/usr/local/bin --filename=composer && \ 87 | chmod +rx /usr/local/bin/composer && \ 88 | # composer parallel install plugin 89 | composer global require hirak/prestissimo && \ 90 | 91 | # Remove cache and tmp files 92 | rm -rf /var/cache/apk/* && \ 93 | rm -rf /tmp/* 94 | 95 | ## 96 | # Add Project files like nginx and php-fpm processes and configs 97 | # Also custom scripts and bashrc 98 | ## 99 | COPY rootfs/ / 100 | 101 | # Default environment variables for the container 102 | ENV TERM="xterm" \ 103 | DB_HOST="" \ 104 | DB_NAME="" \ 105 | DB_USER=""\ 106 | DB_PASSWORD=""\ 107 | # Set defaults which can be overridden 108 | DB_PORT="3306" \ 109 | # Use default web port in nginx but allow it to be overridden 110 | # This also works correctly with flynn: 111 | # https://github.com/flynn/flynn/issues/3213#issuecomment-237307457 112 | PORT="80" \ 113 | # Set defaults for redis 114 | WP_REDIS_PORT="6379" \ 115 | WP_REDIS_DATABASE="0" \ 116 | 
WP_REDIS_SCHEME="tcp" \ 117 | WP_REDIS_CLIENT="pecl" \ 118 | # Cronlock is used to stop simultaneous cronjobs in clusterised environments 119 | CRONLOCK_HOST="" \ 120 | # This is for your project root 121 | PROJECT_ROOT="/var/www/project" \ 122 | # This is used by nginx and php-fpm 123 | WEB_ROOT="/var/www/project/web" \ 124 | # Nginx include files 125 | NGINX_INCLUDE_DIR="/var/www/project/nginx" \ 126 | # Allow bigger file uploads 127 | NGINX_MAX_BODY_SIZE="64M" \ 128 | # Have sane fastcgi timeout by default 129 | NGINX_FASTCGI_TIMEOUT="30" \ 130 | 131 | # Default php memory limit 132 | PHP_MEMORY_LIMIT="128M" \ 133 | 134 | # This is used automatically by wp-cli 135 | WP_CORE="/var/www/project/web/wp" \ 136 | # Use host machine as default SMTP_HOST 137 | SMTP_HOST="172.17.0.1" \ 138 | # This folder is used to mount files into host machine 139 | # You should use this path for your uploads since everything else should be ephemeral 140 | UPLOADS_ROOT="/var/www/uploads"\ 141 | # This can be overidden by you, it's just default for us 142 | TZ="Europe/Helsinki" 143 | 144 | # Set default path to project folder for easier running commands in project 145 | WORKDIR ${PROJECT_ROOT} 146 | 147 | EXPOSE ${PORT} 148 | 149 | ENTRYPOINT ["/init"] 150 | -------------------------------------------------------------------------------- /php7.0/rootfs/etc/ImageMagick: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | -------------------------------------------------------------------------------- /php7.0/rootfs/etc/cont-init.d/00-maybe-symlink-root: -------------------------------------------------------------------------------- 1 | #!/usr/bin/with-contenv bash 2 | 3 | # Allow different project root with clever symlink 4 | # This is used to trick drone CI to mount the files elsewhere than $PROJECT_ROOT 5 | if [ "$OVERRIDE_ROOT" != "" ] && [ "$OVERRIDE_ROOT" != "$PROJECT_ROOT" ]; then 6 | echo "INFO: 
Changing project path using symlink $PROJECT_ROOT -> $OVERRIDE_ROOT..." 7 | # Remove the current dir (rmdir only succeeds when it is empty) 8 | rmdir $PROJECT_ROOT 9 | 10 | # Create symlink to real project root 11 | ln -sf $OVERRIDE_ROOT $PROJECT_ROOT 12 | fi 13 | -------------------------------------------------------------------------------- /php7.0/rootfs/etc/cont-init.d/00-render-templates: -------------------------------------------------------------------------------- 1 | #!/usr/bin/with-contenv bash 2 | ## 3 | # This script substitutes env variables into static config files with envsubst, restricted to an explicit list of variable names 4 | # Source: http://stackoverflow.com/questions/2914220/bash-templating-how-to-build-configuration-files-from-templates-with-bash 5 | ## 6 | 7 | ## 8 | # Replaces ${ENV} placeholders in a file with the provided variables 9 | # $1 - ':' separated list of variables 10 | # $2 - filename to render 11 | ## 12 | function render_env_tmpl() { 13 | vars=$1 14 | input_file=$2 15 | # If the filename ends with .tmpl, the rendered file is written without that suffix 16 | filename=$(dirname $input_file)/$(basename $input_file .tmpl) 17 | 18 | tmp_file=/tmp/$(basename $filename) 19 | 20 | # render all provided $vars to temporary file 21 | envsubst "$vars" < $input_file > $tmp_file 22 | 23 | # replace original file with rendered file 24 | mv $tmp_file $filename 25 | } 26 | 27 | echo "[cont-init.d] Substituting env into configuration files..." 
28 | 29 | ## 30 | # Nginx doesn't support env variables in config files so we will have to do this in hacky way instead 31 | ## 32 | VARS='$PORT:$WEB_ROOT:$WEB_USER:$WEB_GROUP:$NGINX_ACCESS_LOG:$NGINX_ERROR_LOG:$NGINX_ERROR_LEVEL:$NGINX_INCLUDE_DIR:$NGINX_MAX_BODY_SIZE:$NGINX_FASTCGI_TIMEOUT:$WP_ENV:$NGINX_CACHE_KEY' 33 | render_env_tmpl "$VARS" /etc/nginx/nginx.conf 34 | 35 | ## 36 | # Render all user provided nginx templates 37 | ## 38 | VARS+='$BASIC_AUTH_USER:$BASIC_AUTH_PASSWORD_HASH' 39 | for conf_file in $(find $NGINX_INCLUDE_DIR -type f -name '*.tmpl'); do 40 | echo "[cont-init.d] Rendering env in $conf_file..." 41 | 42 | # Add helper variables for easier scripting 43 | export __DIR__=$(dirname $conf_file) 44 | 45 | VARS_TMPL=$VARS':$__DIR__' 46 | render_env_tmpl "$VARS_TMPL" $conf_file 47 | done 48 | -------------------------------------------------------------------------------- /php7.0/rootfs/etc/cont-init.d/01-create-web-user: -------------------------------------------------------------------------------- 1 | #!/usr/bin/with-contenv bash 2 | 3 | ## 4 | # If wordpress user and web group already exists just skip the user creation 5 | ## 6 | if id -u wordpress > /dev/null 2>&1 && getent group web > /dev/null 2>&1; then 7 | echo "[cont-init.d] user:wordpress and group:web already exists, skipping..." 8 | exit 0 9 | fi 10 | 11 | 12 | ## 13 | # Create wordpress user with $UID and web group with $GID 14 | ## 15 | 16 | # If permissions were not defined get GID/UID from web files 17 | if [ -z "$WP_UID" ]; then 18 | WP_UID=$(ls -n $WEB_ROOT | tail -n1 | xargs echo | cut -d' ' -f3) 19 | fi 20 | 21 | if [ -z "$WP_GID" ]; then 22 | WP_GID=$(ls -n $WEB_ROOT | tail -n1 | xargs echo | cut -d' ' -f4) 23 | fi 24 | 25 | # If web files were owned by root use 100:101 as permissions instead 26 | if [ "$WP_GID" = "0" ] || [ "$WP_UID" = "0" ]; then 27 | 28 | echo "[cont-init.d] ERROR: Your web root files are owned by root. 
I'm running processes as uid/gid 100:101 instead" 29 | 30 | # These are default if container was accidentally mounted with root owned files 31 | WP_UID=100 32 | WP_GID=101 33 | fi 34 | 35 | echo "[cont-init.d] Creating wordpress user with id: $WP_UID and group web with id: $WP_GID" 36 | 37 | # Create web group 38 | if [ -n "$WP_GID" ]; then 39 | 40 | # Check if group with $GID already exists 41 | web_group=$(getent group $WP_GID | cut -d':' -f1) 42 | 43 | if [ -n "$web_group" ]; then 44 | 45 | # Replace the existing group name to web 46 | # This is done so that in local development we can just lookup permissions from mounted folders 47 | # This UID/GID can be same as something already existing inside container 48 | # This way we can use same uid/gid in container and host machine 49 | 50 | echo "[cont-init.d] Replacing pre-existing group name $web_group -> web" 51 | sed -i "s|$web_group|web|g" /etc/group 52 | 53 | # We just changed this in /etc/group remember? 54 | web_group="web" 55 | 56 | else 57 | # Create new group 58 | web_group="web" 59 | addgroup -g $WP_GID $web_group 60 | fi 61 | else 62 | echo "[cont-init.d] ERROR: Please set correct permissions into $WEB_ROOT" 1>&2 63 | exit 2 64 | fi 65 | 66 | # Create wordpress user 67 | if [ -n "$WP_UID" ] && [ -n "$WP_GID" ] ; then 68 | web_user="wordpress" 69 | adduser -u $WP_UID -h $PROJECT_ROOT -G $web_group -S -D $web_user 70 | else 71 | echo "[cont-init.d] ERROR: Please set correct permissions into $WEB_ROOT" 1>&2 72 | exit 2 73 | fi 74 | 75 | # Check that processes can write logs 76 | chown wordpress:web /var/log 77 | -------------------------------------------------------------------------------- /php7.0/rootfs/etc/cont-init.d/01-set-timezone: -------------------------------------------------------------------------------- 1 | #!/usr/bin/with-contenv bash 2 | 3 | # Default TZ is set in Dockerfile to Europe/Helsinki 4 | echo "$TZ" > /etc/timezone 5 | 6 | # Set timezone for php too 7 | echo "; Set timezone 
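according to system env TZ" > /etc/php7/conf.d/timezone.ini
8 | echo "date.timezone = '$TZ'" >> /etc/php7/conf.d/timezone.ini
9 | 
--------------------------------------------------------------------------------
/php7.0/rootfs/etc/cont-init.d/02-init-crond:
--------------------------------------------------------------------------------
1 | #!/usr/bin/with-contenv bash
2 | 
3 | # Copy cronjob from project; it is installed as the wordpress user's crontab
4 | if [ -f "$PROJECT_ROOT/tasks.cron" ]; then
5 |     cp "$PROJECT_ROOT/tasks.cron" /var/spool/cron/crontabs/wordpress
6 | else
7 |     # No cronjobs found remove crond from s6 (services.d/crond is a directory, so -d is the right test; -f never matched and the service was kept)
8 |     if [ -d /etc/services.d/crond ]; then
9 |         rm -r /etc/services.d/crond
10 |     fi
11 | fi
12 | 
--------------------------------------------------------------------------------
/php7.0/rootfs/etc/cont-init.d/02-init-directories-and-files:
--------------------------------------------------------------------------------
1 | #!/usr/bin/with-contenv bash
2 | 
3 | # Create uploads directory if not exists
4 | if [ ! -d "$UPLOADS_ROOT" ] ; then
5 |     mkdir -p "$UPLOADS_ROOT"
6 | fi
7 | 
8 | chown wordpress:web "$UPLOADS_ROOT"
9 | 
10 | # Create dir for nginx tmp files
11 | if [ ! -d /tmp/nginx/body ] ; then
12 |     mkdir -p /tmp/nginx/body
13 | fi
14 | chown wordpress:web /tmp/nginx
15 | chown wordpress:web /tmp/nginx/body
16 | 
17 | # Create log directories if they don't exist already
18 | if [ ! -d /var/log/nginx ] ; then
19 |     mkdir -p /var/log/nginx
20 | fi
21 | if [ ! -d /var/log/php ] ; then
22 |     mkdir -p /var/log/php
23 | fi
24 | if [ ! -d /var/log/mail ] ; then
25 |     mkdir -p /var/log/mail
26 | fi
27 | 
28 | # Create the php error log file itself (the directory was created above)
29 | touch /var/log/php/error.log
30 | 
31 | # Give wordpress user access to all log files (the web processes can therefore also modify existing logs)
32 | chown -R wordpress:web /var/log/
33 | 
--------------------------------------------------------------------------------
/php7.0/rootfs/etc/cont-init.d/03-init-php-sessions:
--------------------------------------------------------------------------------
1 | #!/usr/bin/with-contenv bash
2 | 
3 | # Setup sessions
4 | echo "; This file contains php session backend (default: files)" > /etc/php7/conf.d/sessions.ini
5 | 
6 | if [ "$PHP_SESSION_HANDLER" == "redis" ]; then
7 |     echo "session.save_handler = redis" >> /etc/php7/conf.d/sessions.ini
8 | 
9 |     redis_resource_string="$WP_REDIS_SCHEME://"
10 | 
11 |     # Use different setup in dev/prod
12 |     if [ "$WP_REDIS_HOST" != "" ]; then
13 |         redis_resource_string+="$WP_REDIS_HOST:$WP_REDIS_PORT"
14 |     elif [ "$REDIS_PORT_6379_TCP_ADDR" != "" ]; then
15 |         redis_resource_string+="$REDIS_PORT_6379_TCP_ADDR:$WP_REDIS_PORT"
16 |     fi
17 | 
18 |     # Use password or different database when user provides them
19 |     redis_resource_string+="?database=$PHP_SESSION_REDIS_DB"
20 |     # The password goes into the string unencoded and ends up in clear text in sessions.ini
21 |     if [ "$WP_REDIS_PASSWORD" != "" ]; then
22 |         redis_resource_string+="&auth=$WP_REDIS_PASSWORD"
23 |     fi
24 | 
25 |     echo "session.save_path = \"$redis_resource_string\"" >> /etc/php7/conf.d/sessions.ini
26 | 
27 | else # Use normal file based sessions if redis is not configured
28 |     echo "session.save_handler = files" >> /etc/php7/conf.d/sessions.ini
29 |     echo "session.save_path = /tmp" >> /etc/php7/conf.d/sessions.ini
30 | fi
31 | 
--------------------------------------------------------------------------------
/php7.0/rootfs/etc/nginx/fastcgi_params:
--------------------------------------------------------------------------------
1 | ##
2 | # Set few variables since we use jwilder/nginx-proxy in dev and proxy in production
3 | # So the fastcgi params need to be the original ones 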
or you 4 | # will have redirect loops ('canonical_redirect' mostly) 5 | ## 6 | 7 | # Set the host from the proxy's X-Forwarded-Host header when present, otherwise from the request's own Host header 8 | set $real_host $http_x_forwarded_host; 9 | if ($real_host = '') { 10 | set $real_host $http_host; 11 | } 12 | 13 | # Set server port according to forwarded proto 14 | set $real_port 80; 15 | if ($http_x_forwarded_proto = 'https') { 16 | set $real_port 443; 17 | } 18 | 19 | # Set https according to used proto 20 | set $real_https off; 21 | if ($http_x_forwarded_proto = 'https') { 22 | set $real_https on; 23 | } 24 | 25 | # Set scheme according to used proto 26 | set $real_scheme 'http'; 27 | if ($http_x_forwarded_proto = 'https') { 28 | set $real_scheme 'https'; 29 | } 30 | 31 | # Set the original client address from X-Forwarded-For (only meaningful because the proxy in front of us sets it), falling back to the direct peer 32 | set $real_remote $http_x_forwarded_for; 33 | if ($real_remote = '') { 34 | set $real_remote $remote_addr; 35 | } 36 | 37 | # These are just basic things from the request 38 | fastcgi_param QUERY_STRING $query_string; 39 | fastcgi_param REQUEST_METHOD $request_method; 40 | fastcgi_param CONTENT_TYPE $content_type; 41 | fastcgi_param CONTENT_LENGTH $content_length; 42 | 43 | fastcgi_param SCRIPT_NAME $fastcgi_script_name; 44 | fastcgi_param REQUEST_URI $request_uri; 45 | fastcgi_param DOCUMENT_URI $document_uri; 46 | fastcgi_param DOCUMENT_ROOT $document_root; 47 | fastcgi_param SERVER_PROTOCOL $server_protocol; 48 | 49 | fastcgi_param GATEWAY_INTERFACE CGI/1.1; 50 | fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; 51 | 52 | ## 53 | # Set these using the knowledge that we are behind a proxy 54 | ## 55 | fastcgi_param REMOTE_ADDR $real_remote; 56 | fastcgi_param REMOTE_PORT $remote_port; 57 | fastcgi_param SERVER_ADDR $server_addr; 58 | fastcgi_param SERVER_PORT $real_port; 59 | fastcgi_param SERVER_NAME $real_host; 60 | fastcgi_param HTTPS $real_https; 61 | fastcgi_param REQUEST_SCHEME $real_scheme; 62 | fastcgi_param HTTP_HOST $real_host; 63 | 64 | # PHP only, required if PHP was built with --enable-force-cgi-redirect 65 | fastcgi_param 
REDIRECT_STATUS 200; 66 | -------------------------------------------------------------------------------- /php7.0/rootfs/etc/nginx/fastcgi_settings.conf: -------------------------------------------------------------------------------- 1 | # regex to split $uri to $fastcgi_script_name and $fastcgi_path 2 | fastcgi_split_path_info ^(.+\.php)(/.+)$; 3 | 4 | # Bypass the fact that try_files resets $fastcgi_path_info 5 | # see: http://trac.nginx.org/nginx/ticket/321 6 | set $path_info $fastcgi_path_info; 7 | fastcgi_param PATH_INFO $path_info; 8 | 9 | # Intercept errors from php-fpm 10 | # These can be: 11 | # - timeouts for long running requests 12 | # - requested php file might be missing or not existing in the first place 13 | fastcgi_intercept_errors on; 14 | 15 | fastcgi_index index.php; 16 | 17 | # Small optimisation on fastcgi buffer size 18 | # defaults are 8k; 19 | fastcgi_buffers 16 16k; 20 | fastcgi_buffer_size 16k; 21 | 22 | # Include basic fastcgi settings 23 | include fastcgi_params; 24 | -------------------------------------------------------------------------------- /php7.0/rootfs/etc/nginx/gzip.conf: -------------------------------------------------------------------------------- 1 | # Compression 2 | 3 | # Enable Gzip compressed. 4 | gzip on; 5 | 6 | # Compression level (1-9). 7 | # 5 is a perfect compromise between size and cpu usage, offering about 8 | # 75% reduction for most ascii files (almost identical to level 9). 9 | gzip_comp_level 5; 10 | 11 | # Don't compress anything that's already small and unlikely to shrink much 12 | # if at all (the default is 20 bytes, which is bad as that usually leads to 13 | # larger files after gzipping). 14 | gzip_min_length 256; 15 | 16 | # Compress data even for clients that are connecting to us via proxies, 17 | # identified by the "Via" header (required for CloudFront). 
18 | gzip_proxied any; 19 | 20 | # Tell proxies to cache both the gzipped and regular version of a resource 21 | # whenever the client's Accept-Encoding capabilities header varies; 22 | # Avoids the issue where a non-gzip capable client (which is extremely rare 23 | # today) would display gibberish if their proxy gave them the gzipped version. 24 | gzip_vary on; 25 | 26 | # Compress all output labeled with one of the following MIME-types. 27 | gzip_types 28 | application/atom+xml 29 | application/javascript 30 | application/json 31 | application/ld+json 32 | application/manifest+json 33 | application/rss+xml 34 | application/vnd.geo+json 35 | application/vnd.ms-fontobject 36 | application/x-font-ttf 37 | application/x-web-app-manifest+json 38 | application/xhtml+xml 39 | application/xml 40 | font/opentype 41 | image/bmp 42 | image/svg+xml 43 | image/x-icon 44 | text/cache-manifest 45 | text/css 46 | text/plain 47 | text/vcard 48 | text/vnd.rim.location.xloc 49 | text/vtt 50 | text/x-component 51 | text/x-cross-domain-policy; 52 | # text/html is always compressed by HttpGzipModule 53 | 54 | # This should be turned on if you are going to have pre-compressed copies (.gz) of 55 | # static files available. If not it should be left off as it will cause extra I/O 56 | # for the check. It is best if you enable this in a location{} block for 57 | # a specific directory, or on an individual server{} level. 
58 | # gzip_static on; 59 | -------------------------------------------------------------------------------- /php7.0/rootfs/etc/nginx/nginx.conf: -------------------------------------------------------------------------------- 1 | # run nginx in foreground 2 | daemon off; 3 | 4 | # Run nginx with the user created just for this container 5 | user wordpress web; 6 | 7 | error_log /var/log/nginx/error.log warn; 8 | 9 | pid /var/run/nginx.pid; 10 | 11 | # How many worker threads to run; 12 | # "auto" sets it to the number of CPU cores available in the system, and 13 | # offers the best performance. Don't set it higher than the number of CPU 14 | # cores if changing this parameter. 15 | 16 | # The maximum number of connections for Nginx is calculated by: 17 | # max_clients = worker_processes * worker_connections 18 | worker_processes auto; 19 | 20 | # Maximum open file descriptors per process; 21 | # should be > worker_connections. 22 | worker_rlimit_nofile 8192; 23 | 24 | events { 25 | # When you need > 8000 * cpu_cores connections, you start optimizing your OS, 26 | # and this is probably the point at which you hire people who are smarter than 27 | # you, as this is *a lot* of requests. 28 | worker_connections 8000; 29 | } 30 | 31 | http { 32 | # Hide nginx version information. 33 | server_tokens off; 34 | 35 | # How long to allow each connection to stay idle; longer values are better 36 | # for each individual client, particularly for SSL, but means that worker 37 | # connections are tied up longer. (Default: 65) 38 | keepalive_timeout 20; 39 | 40 | # Speed up file transfers by using sendfile() to copy directly 41 | # between descriptors rather than using read()/write(). 42 | sendfile on; 43 | 44 | # Tell Nginx not to send out partial frames; this increases throughput 45 | # since TCP frames are filled up before being sent out. 
(adds TCP_CORK) 46 | tcp_nopush on; 47 | 48 | # Gzip all the assets 49 | include gzip.conf; 50 | 51 | include /etc/nginx/mime.types; 52 | include /etc/nginx/fastcgi.conf; 53 | default_type application/octet-stream; 54 | client_body_temp_path /tmp/nginx/body 1 2; 55 | fastcgi_temp_path /tmp/nginx/fastcgi_temp 1 2; 56 | 57 | # A new log format for detecting bad bots. 58 | log_format blocked '[$time_local] Blocked request from $http_x_real_ip $request'; 59 | 60 | # This log format makes it so we can see real requester's IP address \ 61 | # not just the reverse proxy server's IP address. Also note, that \ 62 | # "specialLog" can be replaced with any name you would like to \ 63 | # give to this log format. 64 | log_format specialLog '[$time_local] $http_x_real_ip ' 65 | '"$request" $status $body_bytes_sent $request_time ' 66 | '"$http_referer" "$http_user_agent"'; 67 | 68 | # Allow bigger default file uploads 69 | client_max_body_size ${NGINX_MAX_BODY_SIZE}; 70 | 71 | # Include custom nginx http additions from project 72 | include ${NGINX_INCLUDE_DIR}/http/*.conf; 73 | include ${NGINX_INCLUDE_DIR}/environments/${WP_ENV}/http/*.conf; 74 | 75 | # load upstreams from one file which can be overwritten depending on situation 76 | include upstreams.conf; 77 | 78 | # Add few headers which make XSS harder 79 | include security_headers.conf; 80 | 81 | # If ${PORT} != 80 means that we are behind reverse proxy as well 82 | # This directive helps that we don't redirect clients into mysite.com:8080/resource type urls 83 | port_in_redirect off; 84 | 85 | server { 86 | listen ${PORT} default_server; 87 | server_name _; 88 | 89 | root ${WEB_ROOT}; 90 | 91 | # Use index.php if it exists but also allow static websites in subfolders 92 | index index.php index.html; 93 | 94 | access_log /var/log/nginx/access.log specialLog; 95 | error_log stderr; 96 | 97 | # Blocked log file 98 | set $blocked_log /var/log/nginx/blocked.log; 99 | 100 | disable_symlinks off; 101 | 102 | # Include custom 
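nginx server additions from project
103 | include ${NGINX_INCLUDE_DIR}/server/*.conf;
104 | include ${NGINX_INCLUDE_DIR}/environments/${WP_ENV}/server/*.conf;
105 | 
106 | # Return 404 page from wordpress instead of nginx "403 Forbidden" page
107 | error_page 403 = @index;
108 | 
109 | location = /robots.txt {
110 |     allow all;
111 |     log_not_found off;
112 |     access_log off;
113 |     try_files $uri @index;
114 | }
115 | 
116 | location = /favicon.ico {
117 |     allow all;
118 |     log_not_found off;
119 |     access_log off;
120 |     try_files $uri @index;
121 | }
122 | 
123 | # deny all dot-files including git
124 | location ~ /\. {
125 |     deny all;
126 |     log_not_found off;
127 |     access_log off;
128 | }
129 | 
130 | location / {
131 |     try_files $uri $uri/ /wp/$uri /wp/$uri/ @index;
132 | }
133 | 
134 | # Static WordPress files - try wp- files from /wp/ first to save file access
135 | # The regex is matched against $uri, which always starts with "/", so it must be anchored as ^/wp- (a bare ^wp- never matches)
135 | location ~* ^/wp-(.*)\.(css|js|jpe?g|gif|ico|png|otf|ttf|eot|woff|svg|webp)$ {
136 | 
137 |     include static_files.conf;
138 | 
139 |     try_files /wp/$uri $uri @index;
140 | }
141 | 
142 | # Static Normal files - try direct access first and then inside /wp/ folder
143 | location ~* \.(css|js|jpe?g|gif|ico|png|otf|ttf|eot|woff|svg|webp)$ {
144 | 
145 |     include static_files.conf;
146 | 
147 |     try_files $uri /wp/$uri @index;
148 | }
149 | 
150 | # App folder contains our plugins and themes
151 | # We want to serve assets here but deny php execution
152 | location /app/ {
153 |     try_files $uri @index;
154 | 
155 |     ##
156 |     # Deny access into php files under /app/
157 |     ##
158 |     location ~ \.php$ {
159 |         access_log $blocked_log blocked;
160 |         deny all;
161 |     }
162 | }
163 | 
164 | # Uploads folder contains our uploaded files
165 | location /uploads/ {
166 |     try_files $uri $uri/ @index;
167 | 
168 |     ##
169 |     # Deny access into php files under /uploads/
170 |     ##
171 |     location ~ \.php$ {
172 |         access_log $blocked_log blocked;
173 |         deny all;
174 |     }
175 | }
176 | 
177 | ##
178 | # Run all php files from wp subfolder
179 | # This 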
is how wordpress is supposed to be run 180 | # It also prevents direct access to possibly insecure code inside our plugins 181 | ## 182 | location ~ \.php$ { 183 | try_files /wp/$uri @index; 184 | 185 | include fastcgi_settings.conf; 186 | 187 | # Append subfolder automatically 188 | fastcgi_param SCRIPT_FILENAME $document_root/wp$fastcgi_script_name; 189 | 190 | # Handover 404 errors from php-fpm to WordPress 191 | error_page 404 = @index; 192 | 193 | fastcgi_pass php-fpm; 194 | } 195 | 196 | location @index { 197 | include fastcgi_settings.conf; 198 | fastcgi_param SCRIPT_FILENAME $document_root/wp/index.php; 199 | 200 | # Give sane max execution time to frontend 201 | fastcgi_read_timeout ${NGINX_FASTCGI_TIMEOUT}; 202 | fastcgi_pass php-fpm; 203 | } 204 | 205 | # WordPress is stupid 206 | location = /wp-admin { rewrite ^ /wp-admin/ permanent; } 207 | 208 | location = / { 209 | rewrite ^ /index.php$is_args$args last; 210 | } 211 | 212 | # Prevent /wp/wp/wp/... rewrite loops 213 | location ^~ /wp/ { 214 | rewrite ^/wp/(.*)$ $1$is_args$args last; 215 | } 216 | 217 | # Block some vulnerabilities always 218 | include security.conf; 219 | } 220 | 221 | } 222 | -------------------------------------------------------------------------------- /php7.0/rootfs/etc/nginx/security.conf: -------------------------------------------------------------------------------- 1 | ## Block SQL injections 2 | location ~* union.*select.*\( { access_log $blocked_log blocked; deny all; } 3 | location ~* union.*all.*select.* { access_log $blocked_log blocked; deny all; } 4 | location ~* concat.*\( { access_log $blocked_log blocked; deny all; } 5 | 6 | ## Block common exploits 7 | location ~* (<|%3C).*script.*(>|%3E) { access_log $blocked_log blocked; deny all; } 8 | location ~* base64_(en|de)code\(.*\) { access_log $blocked_log blocked; deny all; } 9 | location ~* (%24&x) { access_log $blocked_log blocked; deny all; } 10 | location ~* (%0|%A|%B|%C|%D|%E|%F|127\.0) { access_log $blocked_log 
blocked; deny all; } 11 | location ~* \.\.\/ { access_log $blocked_log blocked; deny all; } 12 | location ~* ~$ { access_log $blocked_log blocked; deny all; } 13 | location ~* proc/self/environ { access_log $blocked_log blocked; deny all; } 14 | location ~* /\.(htaccess|htpasswd|svn|git) { access_log $blocked_log blocked; deny all; } 15 | 16 | ## Block file injections 17 | location ~* [a-zA-Z0-9_]=(\.\.//?)+ { access_log $blocked_log blocked; deny all; } 18 | location ~* [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ { access_log $blocked_log blocked; deny all; } 19 | 20 | ## wordpress security 21 | location ~* wp-config.php { access_log $blocked_log blocked; deny all; } 22 | location ~* wp-load.php { access_log $blocked_log blocked; deny all; } 23 | location ~* wp-admin/includes { access_log $blocked_log blocked; deny all; } 24 | location ~* wp-app\.log { access_log $blocked_log blocked; deny all; } 25 | location ~* (licence|readme|license)\.(md|html|txt) { access_log $blocked_log blocked; deny all; } 26 | location ~* composer.json { access_log $blocked_log blocked; deny all; } 27 | 28 | ## Deny access to all php files in uploads folder 29 | location ~* ^/uploads\.php { access_log $blocked_log blocked; deny all; } 30 | location ~* ^/content/uploads\.php { access_log $blocked_log blocked; deny all; } 31 | location ~* ^/wp-content/uploads\.php { access_log $blocked_log blocked; deny all; } 32 | -------------------------------------------------------------------------------- /php7.0/rootfs/etc/nginx/security_headers.conf: -------------------------------------------------------------------------------- 1 | ## 2 | # Security headers, source: https://gist.github.com/plentz/6737338 3 | ## 4 | 5 | # config to don't allow the browser to render the page inside an frame or iframe 6 | # and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking 7 | # if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri 8 | # 
https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options 9 | add_header X-Frame-Options SAMEORIGIN; 10 | 11 | # when serving user-supplied content, include an X-Content-Type-Options: nosniff header along with the Content-Type: header, 12 | # to disable content-type sniffing on some browsers. 13 | # https://www.owasp.org/index.php/List_of_useful_HTTP_headers 14 | # currently supported in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx 15 | # http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx 16 | # 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020 17 | add_header X-Content-Type-Options nosniff always; 18 | 19 | # This header enables the Cross-site scripting (XSS) filter built into most recent web browsers. 20 | # It's usually enabled by default anyway, so the role of this header is to re-enable the filter for 21 | # this particular website if it was disabled by the user. 22 | # https://www.owasp.org/index.php/List_of_useful_HTTP_headers 23 | add_header X-XSS-Protection "1; mode=block"; 24 | -------------------------------------------------------------------------------- /php7.0/rootfs/etc/nginx/static_files.conf: -------------------------------------------------------------------------------- 1 | # Use version numbers to bypass cache 2 | # Try to cache as long as we can 3 | expires max; 4 | 5 | ## No need to bleed constant updates. Send the whole shebang in one 6 | ## fell swoop. 7 | tcp_nodelay off; 8 | 9 | ## Set the OS file cache. 
10 | open_file_cache max=3000 inactive=120s; 11 | open_file_cache_valid 45s; 12 | open_file_cache_min_uses 2; 13 | open_file_cache_errors off; 14 | -------------------------------------------------------------------------------- /php7.0/rootfs/etc/nginx/upstreams.conf: -------------------------------------------------------------------------------- 1 | # Default php handler 2 | upstream php-fpm { 3 | server unix:/var/run/php-fpm.sock; 4 | } 5 | -------------------------------------------------------------------------------- /php7.0/rootfs/etc/php7/conf.d/common.ini: -------------------------------------------------------------------------------- 1 | [PHP] 2 | 3 | ; Don't brag that we have php 7.0 4 | expose_php = Off 5 | -------------------------------------------------------------------------------- /php7.0/rootfs/etc/php7/conf.d/limits.ini: -------------------------------------------------------------------------------- 1 | ; filesize, time and input limits 2 | max_execution_time = 120 3 | max_input_time = 300 4 | max_input_vars = 1000 5 | memory_limit = ${PHP_MEMORY_LIMIT} 6 | post_max_size = ${NGINX_MAX_BODY_SIZE} 7 | upload_max_filesize = ${NGINX_MAX_BODY_SIZE} 8 | -------------------------------------------------------------------------------- /php7.0/rootfs/etc/php7/conf.d/logging.ini: -------------------------------------------------------------------------------- 1 | ; always log errors in production and development 2 | log_errors = On 3 | log_errors_max_len = 8192 4 | error_log = /var/log/php/error.log 5 | 6 | ; Use changed error log path 7 | php_admin_value[error_log] = /var/log/php/error.log 8 | php_admin_flag[log_errors] = on 9 | -------------------------------------------------------------------------------- /php7.0/rootfs/etc/php7/conf.d/mail.ini: -------------------------------------------------------------------------------- 1 | [PHP] 2 | ; Use msmtp to send mail instead of sendmail 3 | sendmail_path = "/usr/sbin/sendmail" 4 | 
-------------------------------------------------------------------------------- /php7.0/rootfs/etc/php7/php-fpm.conf: -------------------------------------------------------------------------------- 1 | ; Run this in foregroud so s6 can control it 2 | daemonize = no 3 | 4 | ; Log all warnings and errors 5 | error_log = /var/log/php/error.log 6 | log_level = warning 7 | 8 | [www] 9 | user = wordpress 10 | group = web 11 | listen = /var/run/php-fpm.sock 12 | listen.owner = wordpress 13 | listen.group = web 14 | pm = dynamic 15 | 16 | ; Total RAM dedicated to the web server / Max child process size 17 | pm.max_children = 10 18 | 19 | ; Log errors please 20 | php_admin_value[error_log] = /var/log/php/error.log 21 | php_admin_flag[log_errors] = on 22 | 23 | pm.start_servers = 1 24 | pm.min_spare_servers = 1 25 | pm.max_spare_servers = 3 26 | 27 | ; Redirect worker stdout and stderr into main error log. If not set, stdout and 28 | ; stderr will be redirected to /dev/null according to FastCGI specs. 
29 | ; Default Value: no 30 | catch_workers_output = yes 31 | 32 | ; Project web root 33 | chdir = ${WEB_ROOT} 34 | 35 | pm.process_idle_timeout = 10s 36 | pm.max_requests = 500 37 | 38 | include=/etc/php7/php-fpm.d/*.conf 39 | -------------------------------------------------------------------------------- /php7.0/rootfs/etc/php7/php-fpm.d/preserve-env.conf: -------------------------------------------------------------------------------- 1 | ; Just use all envs from system when php-fpm starts 2 | ; By default php-fpm flushes all envs and they need to be whitelisted 3 | clear_env = no 4 | -------------------------------------------------------------------------------- /php7.0/rootfs/etc/php7/php-fpm.ini: -------------------------------------------------------------------------------- 1 | ;;; 2 | ; Production settings for php and php-fpm 3 | ;;; 4 | ; All directives from /etc/php7/conf.d are also included 5 | ;;; 6 | 7 | [PHP] 8 | 9 | ; Don't display errors in production 10 | display_errors = Off 11 | 12 | ; disable ignoring of repeat errors 13 | ignore_repeated_errors = false 14 | 15 | ; disable ignoring of unique source errors 16 | ignore_repeated_source = false 17 | 18 | ; enable logging of php memory leaks 19 | report_memleaks = true 20 | 21 | ; Deny executing anything else than the exact path passed from fastcgi 22 | ; This causes the PHP interpreter to only try the literal path given and to stop processing if the file is not found. 23 | ; This is for security. 
Source: https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#passing-uncontrolled-requests-to-php 24 | cgi.fix_pathinfo = 0 25 | 26 | ; disable html markup of errors 27 | html_errors = false 28 | 29 | ; disable formatting of error reference links 30 | docref_root = 0 31 | 32 | ; disable formatting of error reference links 33 | docref_ext = 0 34 | 35 | ; disable max error string length ( by using so big number that bigger messages don't matter ) 36 | log_errors_max_len = 10000 37 | 38 | ; Don't show startup errors 39 | display_startup_errors = Off 40 | track_errors = Off 41 | 42 | ; Redirect worker stdout and stderr into main error log. If not set, stdout and 43 | ; stderr will be redirected to /dev/null according to FastCGI specs. 44 | ; Default Value: no 45 | catch_workers_output = yes 46 | 47 | ; Disable some functions because they allow bad/vulnerable patterns 48 | ; We want to advocate good coding practises and these functions make it difficult 49 | ; You can use these with php cli but not with php-fpm 50 | ; We need system() with phinx through php cli 51 | disable_functions = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec,parse_ini_file,show_source 52 | 53 | ; Enable php opcache to make site faster 54 | [opcache] 55 | opcache.enable = 1 56 | opcache.enable_cli = 1 57 | opcache.fast_shutdown = 1 58 | 59 | ; Give 128Mb for php process for caching the op code 60 | opcache.memory_consumption = 128 61 | 62 | ; Log opcache warnings 63 | opcache.log_verbosity_level = 2 64 | 65 | ; Log into container output 66 | opcache.error_log = /proc/self/fd/2 67 | 68 | opcache.interned_strings_buffer = 8 69 | opcache.max_accelerated_files = 4000 70 | 71 | ; Don't revalidate php files in this container 72 | ; Set revalidating time for 1 year 73 | opcache.revalidate_freq = 31556926 74 | 75 | -------------------------------------------------------------------------------- /php7.0/rootfs/etc/services.d/crond/run: 
-------------------------------------------------------------------------------- 1 | #!/usr/bin/with-contenv sh 2 | echo "[services.d] started cron daemon" 3 | # Runs cron daemon in foreground 4 | crond -l 2 -f 5 | -------------------------------------------------------------------------------- /php7.0/rootfs/etc/services.d/logger/run: -------------------------------------------------------------------------------- 1 | #!/usr/bin/with-contenv bash 2 | 3 | # Give other processes a moment to startup 4 | sleep 2 5 | 6 | echo "[services.d] starting logging helpers" 7 | 8 | PIDS= 9 | PID_COUNTER=0 10 | 11 | # start log helper for all log files in /var/log 12 | for log_file in /var/log/*/*.log; do 13 | application=$(basename $(dirname $log_file)) 14 | application_length=${#application} 15 | filename=$(basename $log_file); 16 | log_type="${filename%.*}" 17 | 18 | log_header=$(printf "[%s] " "$application $log_type") 19 | 20 | # Start log watcher process 21 | echo "[services.d] using logging helper for $application/$filename" 22 | 23 | tail -f $log_file | while read line; do echo "$log_header $line"; done & 24 | PIDS[$PID_COUNTER]=$! 
25 | 26 | # Increment PID number 27 | let "PID_COUNTER++" 28 | done 29 | 30 | 31 | # Stop all tailing processes when container is stopped 32 | trap "kill ${PIDS[*]}" SIGINT TERM INT 33 | 34 | wait 35 | -------------------------------------------------------------------------------- /php7.0/rootfs/etc/services.d/nginx/run: -------------------------------------------------------------------------------- 1 | #!/usr/bin/with-contenv bash 2 | echo "[services.d] started nginx" 3 | # Run nginx processes as wordpress:web 4 | nginx 5 | -------------------------------------------------------------------------------- /php7.0/rootfs/etc/services.d/php-fpm/finish: -------------------------------------------------------------------------------- 1 | #!/usr/bin/execlineb -S1 2 | 3 | # only tell s6 to bring down the entire container, if it isn't already doing so 4 | # http://skarnet.org/software/s6/s6-supervise.html 5 | if { s6-test ${1} -ne 0 } 6 | if { s6-test ${1} -ne 256 } 7 | 8 | s6-svscanctl -t /var/run/s6/services -------------------------------------------------------------------------------- /php7.0/rootfs/etc/services.d/php-fpm/run: -------------------------------------------------------------------------------- 1 | #!/usr/bin/with-contenv bash 2 | echo "[services.d] started php-fpm" 3 | exec /usr/bin/php-fpm -c /etc/php7/php-fpm.ini --fpm-config /etc/php7/php-fpm.conf --pid /var/run/php-fpm.pid 4 | 5 | -------------------------------------------------------------------------------- /php7.0/rootfs/root/.bashrc: -------------------------------------------------------------------------------- 1 | # ~/.bashrc: executed by bash(1) for non-login shells. 2 | # see /usr/share/doc/bash/examples/startup-files (in the package bash-doc) 3 | # for examples 4 | 5 | # If not running interactively, don't do anything 6 | [ -z "$PS1" ] && return 7 | 8 | # don't put duplicate lines in the history. See bash(1) for more options 9 | # ... 
or force ignoredups and ignorespace 10 | HISTCONTROL=ignoredups:ignorespace 11 | 12 | # append to the history file, don't overwrite it 13 | shopt -s histappend 14 | 15 | # for setting history length see HISTSIZE and HISTFILESIZE in bash(1) 16 | HISTSIZE=1000 17 | HISTFILESIZE=2000 18 | 19 | # check the window size after each command and, if necessary, 20 | # update the values of LINES and COLUMNS. 21 | shopt -s checkwinsize 22 | 23 | # make less more friendly for non-text input files, see lesspipe(1) 24 | [ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)" 25 | 26 | # set variable identifying the chroot you work in (used in the prompt below) 27 | if [ -z "$debian_chroot" ] && [ -r /etc/debian_chroot ]; then 28 | debian_chroot=$(cat /etc/debian_chroot) 29 | fi 30 | 31 | # set a fancy prompt (non-color, unless we know we "want" color) 32 | case "$TERM" in 33 | xterm-color) color_prompt=yes;; 34 | esac 35 | 36 | # uncomment for a colored prompt, if the terminal has the capability; turned 37 | # off by default to not distract the user: the focus in a terminal window 38 | # should be on the output of commands, not on the prompt 39 | #force_color_prompt=yes 40 | 41 | if [ -n "$force_color_prompt" ]; then 42 | if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then 43 | # We have color support; assume it's compliant with Ecma-48 44 | # (ISO/IEC-6429). (Lack of such support is extremely rare, and such 45 | # a case would tend to support setf rather than setaf.) 
46 | color_prompt=yes 47 | else 48 | color_prompt= 49 | fi 50 | fi 51 | 52 | if [ "$color_prompt" = yes ]; then 53 | PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@$CONTAINER\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ ' 54 | else 55 | PS1='${debian_chroot:+($debian_chroot)}\u@$CONTAINER:\w\$ ' 56 | fi 57 | unset color_prompt force_color_prompt 58 | 59 | # If this is an xterm set the title to user@host:dir 60 | case "$TERM" in 61 | xterm*|rxvt*) 62 | PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1" 63 | ;; 64 | *) 65 | ;; 66 | esac 67 | 68 | # enable color support of ls and also add handy aliases 69 | if [ -x /usr/bin/dircolors ]; then 70 | test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)" 71 | alias ls='ls --color=auto' 72 | #alias dir='dir --color=auto' 73 | #alias vdir='vdir --color=auto' 74 | 75 | alias grep='grep --color=auto' 76 | alias fgrep='fgrep --color=auto' 77 | alias egrep='egrep --color=auto' 78 | fi 79 | 80 | # some more ls aliases 81 | alias ll='ls -alF' 82 | alias la='ls -A' 83 | alias l='ls -CF' 84 | 85 | 86 | # Fuck this shit, I don't want to learn vim today or tomorrow 87 | export EDITOR=nano 88 | -------------------------------------------------------------------------------- /php7.0/rootfs/usr/local/bin/phinx: -------------------------------------------------------------------------------- 1 | #!/usr/bin/with-contenv bash 2 | ## 3 | # Phinx wrapper 4 | # You need to install phinx through composer first 5 | ## 6 | 7 | # Export database host in prod and dev 8 | if [ ! -z "$MYSQL_HOST" ]; then 9 | export PHINX_DBHOST=$MYSQL_HOST 10 | elif [ ! -z "$DB_HOST" ]; then 11 | export PHINX_DBHOST=$DB_HOST 12 | elif [ ! -z "$DB_PORT_3306_TCP_ADDR" ]; then 13 | export PHINX_DBHOST=$DB_PORT_3306_TCP_ADDR 14 | else 15 | echo "ERROR: You need to set DB_HOST!" 
16 | fi 17 | 18 | # Export phinx envs 19 | # Default to MYSQL_ envs but fallback to DB_ 20 | export PHINX_DBPORT=${MYSQL_PORT-$DB_PORT} 21 | export PHINX_DBNAME=${MYSQL_DATABASE-$DB_NAME} 22 | export PHINX_DBUSER=${MYSQL_USER-$DB_USER} 23 | export PHINX_DBPASSWORD=${MYSQL_PWD-$DB_PASSWORD} 24 | export PHINX_ENVIRONMENT=$WP_ENV 25 | 26 | # Run phinx 27 | php $PROJECT_ROOT/vendor/bin/phinx $@ 28 | -------------------------------------------------------------------------------- /php7.0/rootfs/usr/local/bin/print-smtp-password: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # This is so that we can use msmtp without /etc/msmtprc config file 3 | # msmtp doesn't have --password option and it only has --passwordeval option 4 | # We use this script so that we can use it in passwordeval 5 | echo $SMTP_PASSWORD 6 | -------------------------------------------------------------------------------- /php7.0/rootfs/usr/local/bin/wp: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | ## 3 | # WP-cli wrapper: Append path automatically so that user doesn't have to 4 | ## 5 | if [ "$(whoami)" = "root" ]; then 6 | 7 | # Gather all arguments because string interpolation doesn't work for $@ 8 | args="" 9 | for i in "$@"; do 10 | args="$args \"$i\"" 11 | done 12 | 13 | # Run as wordpress user instead 14 | # This helps that we don't install things as root 15 | su -s /bin/bash wordpress -c "/usr/local/bin/wp-cli $args --path=$WP_CORE" 16 | else 17 | /usr/local/bin/wp-cli "$@" --path=$WP_CORE 18 | fi 19 | -------------------------------------------------------------------------------- /php7.0/rootfs/usr/local/bin/wp-run-cron: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright © 2015 Bjørn Johansen 3 | # This work is free. 
You can redistribute it and/or modify it under the 4 | # terms of the Do What The Fuck You Want To Public License, Version 2, 5 | # as published by Sam Hocevar. See http://www.wtfpl.net/ for more details. 6 | # Source: https://bjornjohansen.no/wordpress-cron-wp-cli 7 | # Github: https://gist.github.com/bjornjohansen/a00a9fee5475c4dadb56#file-run-wp-cron-sh 8 | 9 | # This is modified for our container. In this container you don't need to use --path 10 | # because it's automatically included 11 | 12 | # Check if WP-CLI is available 13 | if ! hash wp 2>/dev/null; then 14 | echo "[wp-cron] ERROR: WP-CLI is not available" 15 | exit 16 | fi 17 | 18 | # If WordPress isn’t installed here, we bail 19 | if ! wp core is-installed --quiet >> /dev/null; then 20 | echo "[wp-cron] ERROR: WordPress is not installed here: ${WP_CORE}" 21 | exit 22 | fi 23 | 24 | # Get a list of site URLs 25 | if wp core is-installed --quiet --network >> /dev/null; 26 | then 27 | SITE_URLS=`wp site list --fields=url --archived=0 --deleted=0 --format=csv | sed 1d` 28 | else 29 | SITE_URLS=(`wp option get siteurl`) 30 | fi 31 | 32 | # Loop through all the sites 33 | for SITE_URL in $SITE_URLS 34 | do 35 | # Run all event hooks that are due 36 | for EVENT_HOOK in $(wp cron event list --format=csv --fields=hook,next_run_relative --url="$SITE_URL" | grep now$ | awk -F ',' '{print $1}') 37 | do 38 | wp cron event run "$EVENT_HOOK" --url="$SITE_URL" --quiet 39 | done 40 | done 41 | -------------------------------------------------------------------------------- /php7.0/rootfs/usr/sbin/sendmail: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | ## 3 | # This is custom wrapper for msmtp which acts like good old sendmail 4 | # - It is used for php and cron 5 | # - This is easier to configure for external mail server than sendmail 6 | # - sendmail is just the default binary which other services will use 7 | # - It needs following env: SMTP_HOST, SMTP_PASSWORD, 
SMTP_PORT, SMTP_USER 8 | ## 9 | 10 | # Deduce all used msmtp options from system ENVs 11 | declare -a options 12 | 13 | # Act like sendmail 14 | options+=("-t") 15 | 16 | # Use system tls chain 17 | options+=("--tls-trust-file=/etc/ssl/certs/ca-certificates.crt") 18 | 19 | if [ -n "$SMTP_HOST" ]; then 20 | options+=("--host=$SMTP_HOST") 21 | else 22 | echo "[mail error] SMTP_HOST is not defined, mail can't be sent" 23 | exit 1 24 | fi 25 | 26 | # Log all mail requests 27 | if [ -n "$SMTP_LOG" ]; then 28 | options+=("--logfile=$SMTP_LOG") 29 | else 30 | options+=("--logfile=/var/log/mail/sent.log") 31 | fi 32 | 33 | if [ -n "$SMTP_FROM" ]; then 34 | options+=("--from=$SMTP_FROM") 35 | fi 36 | 37 | # Default port for smtp is 25 and it will work even without this option 38 | if [ -n "$SMTP_PORT" ]; then 39 | options+=("--port=$SMTP_PORT") 40 | fi 41 | 42 | # Setup credentials 43 | if [ -n "$SMTP_USER" ]; then 44 | options+=("--user=$SMTP_USER") 45 | fi 46 | 47 | # msmtp doesn't provide password option because usually it's unsafe 48 | # Use local hack for passwordeval 49 | if [ -n "$SMTP_PASSWORD" ]; then 50 | options+=("--passwordeval=/usr/local/bin/print-smtp-password") 51 | fi 52 | 53 | if [ -n "$SMTP_TLS" ]; then 54 | 55 | # msmtp only understands on / off 56 | # Translate any random trueish or falseish value 57 | # For example ansible converts SMTP_TLS: on -> SMTP_TLS: "True" which is super annoying 58 | # So only use SMTP_AUTH: "on" ok? 
59 | case "$SMTP_TLS" in 60 | "True" | "on" | "On" | "ON" | "1") 61 | options+=("--tls=on") 62 | echo "--tls=on" 63 | ;; 64 | "False" | "off" | "Off" | "OFF" | "0") 65 | options+=("--tls=off") 66 | echo "--tls=off" 67 | ;; 68 | *) 69 | echo "[mail error] Sorry SMTP_TLS: $SMTP_TLS is not viable option: on/off" 70 | ;; 71 | esac 72 | 73 | fi 74 | 75 | if [ -n "$SMTP_AUTH" ]; then 76 | 77 | # msmtp only understands on / off 78 | # Translate any random trueish or falseish value 79 | # For example ansible converts SMTP_AUTH: on -> SMTP_AUTH: "True" which is super annoying 80 | # So only use SMTP_AUTH: "on" ok? 81 | case "$SMTP_AUTH" in 82 | "True" | "on" | "On" | "ON" | "1") 83 | options+=("--auth=on") 84 | ;; 85 | "False" | "off" | "Off" | "OFF" | "0") 86 | options+=("--auth=off") 87 | ;; 88 | *) 89 | echo "[mail error] Sorry SMTP_AUTH: $SMTP_AUTH is not viable option: on/off" 90 | ;; 91 | esac 92 | 93 | elif [ -n "$SMTP_USER" ] || [ -n "$SMTP_PASSWORD" ]; then 94 | options+=("--auth=on") 95 | fi 96 | 97 | # Add our options and command line options for msmtp 98 | msmtp ${options[@]} "$@" 99 | -------------------------------------------------------------------------------- /web/info.php: -------------------------------------------------------------------------------- 1 |