├── .gitignore
├── CHANGELOG.md
├── LICENSE
├── README.md
├── docker-compose.yml
├── ubuntu-7.0
├── .dockerignore
├── Dockerfile
└── rootfs
│ ├── etc
│ ├── ImageMagick
│ ├── cont-init.d
│ │ ├── 00-render-templates
│ │ ├── 01-create-web-user
│ │ ├── 02-init-crond
│ │ └── 02-init-directories-and-files
│ ├── nginx
│ │ ├── additional.types
│ │ ├── cache
│ │ │ ├── fastcgicache.conf
│ │ │ ├── fastcgicache_settings.conf
│ │ │ ├── fastcgicache_skip_rules.conf
│ │ │ ├── helper_variables.conf
│ │ │ ├── redis_backend.conf
│ │ │ ├── skip_rules.conf
│ │ │ └── srcache.conf
│ │ ├── env.conf
│ │ ├── error_pages.conf
│ │ ├── fastcgi_params
│ │ ├── fastcgi_settings.conf
│ │ ├── gzip.conf
│ │ ├── log_format.conf
│ │ ├── log_formats.conf
│ │ ├── nginx.conf
│ │ ├── pagespeed
│ │ │ ├── locations.conf
│ │ │ └── settings.conf
│ │ ├── proxy_real_variables.conf
│ │ ├── security.conf
│ │ ├── security_headers.conf
│ │ ├── static_files.conf
│ │ └── upstreams.conf
│ ├── php
│ │ └── 7.0
│ │ │ ├── cli
│ │ │ └── php.ini
│ │ │ └── fpm
│ │ │ ├── conf.d
│ │ │ ├── blocked.ini
│ │ │ ├── common.ini
│ │ │ ├── limits.ini
│ │ │ ├── logging.ini
│ │ │ ├── mail.ini
│ │ │ ├── opcache.ini
│ │ │ ├── opcache_invalidate.conf
│ │ │ ├── sessions.ini
│ │ │ └── timezone.ini
│ │ │ ├── php-fpm.conf
│ │ │ ├── php-fpm.d
│ │ │ └── preserve-env.conf
│ │ │ └── php.ini
│ └── services.d
│ │ ├── cron
│ │ └── run
│ │ ├── nginx
│ │ └── run
│ │ └── php-fpm
│ │ └── run
│ └── usr
│ ├── bin
│ └── wp
│ ├── local
│ └── bin
│ │ ├── phinx
│ │ ├── print-smtp-password
│ │ └── wp-run-cron
│ ├── sbin
│ └── sendmail
│ └── share
│ └── nginx
│ └── html
│ ├── 403.html
│ ├── 500.html
│ ├── 502.html
│ └── 504.html
├── ubuntu-7.1
├── .dockerignore
├── Dockerfile
└── rootfs
│ ├── etc
│ ├── ImageMagick
│ ├── cont-init.d
│ │ ├── 00-render-templates
│ │ ├── 01-create-web-user
│ │ ├── 02-init-crond
│ │ └── 02-init-directories-and-files
│ ├── nginx
│ │ ├── additional.types
│ │ ├── cache
│ │ │ ├── fastcgicache.conf
│ │ │ ├── fastcgicache_settings.conf
│ │ │ ├── fastcgicache_skip_rules.conf
│ │ │ ├── helper_variables.conf
│ │ │ ├── redis_backend.conf
│ │ │ ├── skip_rules.conf
│ │ │ └── srcache.conf
│ │ ├── env.conf
│ │ ├── error_pages.conf
│ │ ├── fastcgi_params
│ │ ├── fastcgi_settings.conf
│ │ ├── gzip.conf
│ │ ├── log_format.conf
│ │ ├── log_formats.conf
│ │ ├── nginx.conf
│ │ ├── pagespeed
│ │ │ ├── locations.conf
│ │ │ └── settings.conf
│ │ ├── proxy_real_variables.conf
│ │ ├── security.conf
│ │ ├── security_headers.conf
│ │ ├── static_files.conf
│ │ └── upstreams.conf
│ ├── php
│ │ └── 7.1
│ │ │ ├── cli
│ │ │ └── php.ini
│ │ │ └── fpm
│ │ │ ├── conf.d
│ │ │ ├── blocked.ini
│ │ │ ├── common.ini
│ │ │ ├── limits.ini
│ │ │ ├── logging.ini
│ │ │ ├── mail.ini
│ │ │ ├── opcache.ini
│ │ │ ├── opcache_invalidate.conf
│ │ │ ├── sessions.ini
│ │ │ └── timezone.ini
│ │ │ ├── php-fpm.conf
│ │ │ ├── php-fpm.d
│ │ │ └── preserve-env.conf
│ │ │ └── php.ini
│ └── services.d
│ │ ├── cron
│ │ └── run
│ │ ├── nginx
│ │ └── run
│ │ └── php-fpm
│ │ └── run
│ └── usr
│ ├── bin
│ └── wp
│ ├── local
│ └── bin
│ │ ├── phinx
│ │ ├── print-smtp-password
│ │ └── wp-run-cron
│ ├── sbin
│ └── sendmail
│ └── share
│ └── nginx
│ └── html
│ ├── 403.html
│ ├── 500.html
│ ├── 502.html
│ └── 504.html
├── ubuntu-7.2
├── Dockerfile
└── rootfs
│ ├── etc
│ ├── ImageMagick
│ ├── cont-init.d
│ │ ├── 00-render-templates
│ │ ├── 01-create-web-user
│ │ ├── 02-init-crond
│ │ └── 02-init-directories-and-files
│ ├── nginx
│ │ ├── additional.types
│ │ ├── cache
│ │ │ ├── fastcgicache.conf
│ │ │ ├── fastcgicache_settings.conf
│ │ │ ├── fastcgicache_skip_rules.conf
│ │ │ ├── helper_variables.conf
│ │ │ ├── redis_backend.conf
│ │ │ ├── skip_rules.conf
│ │ │ └── srcache.conf
│ │ ├── env.conf
│ │ ├── error_pages.conf
│ │ ├── fastcgi_params
│ │ ├── fastcgi_settings.conf
│ │ ├── gzip.conf
│ │ ├── log_format.conf
│ │ ├── log_formats.conf
│ │ ├── nginx.conf
│ │ ├── pagespeed
│ │ │ ├── locations.conf
│ │ │ └── settings.conf
│ │ ├── proxy_real_variables.conf
│ │ ├── security.conf
│ │ ├── security_headers.conf
│ │ ├── static_files.conf
│ │ └── upstreams.conf
│ ├── php
│ │ └── 7.2
│ │ │ ├── cli
│ │ │ └── php.ini
│ │ │ └── fpm
│ │ │ ├── conf.d
│ │ │ ├── blocked.ini
│ │ │ ├── common.ini
│ │ │ ├── limits.ini
│ │ │ ├── logging.ini
│ │ │ ├── mail.ini
│ │ │ ├── opcache.ini
│ │ │ ├── opcache_invalidate.conf
│ │ │ ├── sessions.ini
│ │ │ └── timezone.ini
│ │ │ ├── php-fpm.conf
│ │ │ ├── php-fpm.d
│ │ │ └── preserve-env.conf
│ │ │ └── php.ini
│ └── services.d
│ │ ├── cron
│ │ └── run
│ │ ├── nginx
│ │ └── run
│ │ └── php-fpm
│ │ └── run
│ └── usr
│ ├── bin
│ └── wp
│ ├── local
│ └── bin
│ │ ├── phinx
│ │ ├── print-smtp-password
│ │ └── wp-run-cron
│ ├── sbin
│ └── sendmail
│ └── share
│ └── nginx
│ └── html
│ ├── 403.html
│ ├── 500.html
│ ├── 502.html
│ └── 504.html
├── ubuntu-7.3
├── Dockerfile
└── rootfs
│ ├── etc
│ ├── ImageMagick
│ ├── cont-init.d
│ │ ├── 00-render-templates
│ │ ├── 01-create-web-user
│ │ ├── 02-init-crond
│ │ └── 02-init-directories-and-files
│ ├── nginx
│ │ ├── additional.types
│ │ ├── cache
│ │ │ ├── fastcgicache.conf
│ │ │ ├── fastcgicache_settings.conf
│ │ │ ├── fastcgicache_skip_rules.conf
│ │ │ ├── helper_variables.conf
│ │ │ ├── redis_backend.conf
│ │ │ ├── skip_rules.conf
│ │ │ └── srcache.conf
│ │ ├── env.conf
│ │ ├── error_pages.conf
│ │ ├── fastcgi_params
│ │ ├── fastcgi_settings.conf
│ │ ├── gzip.conf
│ │ ├── log_format.conf
│ │ ├── log_formats.conf
│ │ ├── nginx.conf
│ │ ├── pagespeed
│ │ │ ├── locations.conf
│ │ │ └── settings.conf
│ │ ├── proxy_real_variables.conf
│ │ ├── security.conf
│ │ ├── security_headers.conf
│ │ ├── static_files.conf
│ │ └── upstreams.conf
│ ├── php
│ │ └── 7.3
│ │ │ ├── cli
│ │ │ └── php.ini
│ │ │ └── fpm
│ │ │ ├── conf.d
│ │ │ ├── blocked.ini
│ │ │ ├── common.ini
│ │ │ ├── limits.ini
│ │ │ ├── logging.ini
│ │ │ ├── mail.ini
│ │ │ ├── opcache.ini
│ │ │ ├── opcache_invalidate.conf
│ │ │ ├── sessions.ini
│ │ │ └── timezone.ini
│ │ │ ├── php-fpm.conf
│ │ │ ├── php-fpm.d
│ │ │ └── preserve-env.conf
│ │ │ └── php.ini
│ └── services.d
│ │ ├── cron
│ │ └── run
│ │ ├── nginx
│ │ └── run
│ │ └── php-fpm
│ │ └── run
│ └── usr
│ ├── bin
│ └── wp
│ ├── local
│ └── bin
│ │ ├── phinx
│ │ ├── print-smtp-password
│ │ └── wp-run-cron
│ ├── sbin
│ └── sendmail
│ └── share
│ └── nginx
│ └── html
│ ├── 403.html
│ ├── 500.html
│ ├── 502.html
│ └── 504.html
├── ubuntu-7.4
├── Dockerfile
└── rootfs
│ ├── etc
│ ├── ImageMagick
│ ├── cont-init.d
│ │ ├── 00-render-templates
│ │ ├── 01-create-web-user
│ │ ├── 02-init-crond
│ │ └── 02-init-directories-and-files
│ ├── nginx
│ │ ├── additional.types
│ │ ├── cache
│ │ │ ├── fastcgicache.conf
│ │ │ ├── fastcgicache_settings.conf
│ │ │ ├── fastcgicache_skip_rules.conf
│ │ │ ├── helper_variables.conf
│ │ │ ├── redis_backend.conf
│ │ │ ├── skip_rules.conf
│ │ │ └── srcache.conf
│ │ ├── env.conf
│ │ ├── error_pages.conf
│ │ ├── fastcgi_params
│ │ ├── fastcgi_settings.conf
│ │ ├── gzip.conf
│ │ ├── log_format.conf
│ │ ├── log_formats.conf
│ │ ├── nginx.conf
│ │ ├── pagespeed
│ │ │ ├── locations.conf
│ │ │ └── settings.conf
│ │ ├── proxy_real_variables.conf
│ │ ├── security.conf
│ │ ├── security_headers.conf
│ │ ├── static_files.conf
│ │ └── upstreams.conf
│ ├── php
│ │ └── 7.4
│ │ │ ├── cli
│ │ │ └── php.ini
│ │ │ └── fpm
│ │ │ ├── conf.d
│ │ │ ├── blocked.ini
│ │ │ ├── common.ini
│ │ │ ├── limits.ini
│ │ │ ├── logging.ini
│ │ │ ├── mail.ini
│ │ │ ├── opcache.ini
│ │ │ ├── opcache_invalidate.conf
│ │ │ ├── sessions.ini
│ │ │ └── timezone.ini
│ │ │ ├── php-fpm.conf
│ │ │ ├── php-fpm.d
│ │ │ └── preserve-env.conf
│ │ │ └── php.ini
│ └── services.d
│ │ ├── cron
│ │ └── run
│ │ ├── nginx
│ │ └── run
│ │ └── php-fpm
│ │ └── run
│ └── usr
│ ├── bin
│ └── wp
│ ├── local
│ └── bin
│ │ ├── phinx
│ │ ├── print-smtp-password
│ │ └── wp-run-cron
│ ├── sbin
│ └── sendmail
│ └── share
│ └── nginx
│ └── html
│ ├── 403.html
│ ├── 500.html
│ ├── 502.html
│ └── 504.html
└── web
└── info.php
/.gitignore:
--------------------------------------------------------------------------------
1 | .vscode/
2 | .DS_Store
3 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | The MIT License (MIT)
2 | Copyright (c) 2016 Geniem Oy
3 |
4 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
5 |
6 | The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
7 |
8 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
--------------------------------------------------------------------------------
/docker-compose.yml:
--------------------------------------------------------------------------------
1 | # Use this if you're testing/debugging the build locally on OSX
2 | web56:
3 | build: ./php5.6/
4 | command: /init
5 | ports:
6 | - 80
7 | volumes:
8 | - ./web:/var/www/project/web
9 | environment:
10 | WP_UID: 100
11 | WP_GID: 101
12 |
13 | # For testing with gdev
14 | VIRTUAL_HOST: php56.test
15 | PORT: 80
16 |
17 | web70:
18 | build: ./php7.0/
19 | command: /init
20 | ports:
21 | - 80
22 | volumes:
23 | - ./web:/var/www/project/web
24 | environment:
25 | WP_UID: 100
26 | WP_GID: 101
27 |
28 | # For testing with gdev
29 | VIRTUAL_HOST: php70.test
30 | PORT: 80
31 |
--------------------------------------------------------------------------------
/ubuntu-7.0/.dockerignore:
--------------------------------------------------------------------------------
1 | # These files are excluded from the docker build context
2 |
3 | # Git is not needed in docker image building
4 | .git
5 |
6 | # No OSX rubbish
7 | .DS_Store
8 |
9 | # Development stuff
10 | docker-compose.yml
11 | .dockerignore
12 | Dockerfile
13 |
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/ImageMagick:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/cont-init.d/01-create-web-user:
--------------------------------------------------------------------------------
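#!/usr/bin/with-contenv bash

##
# Create the web user and group that nginx, php-fpm and cron run as.
#
# Environment read:    WEB_USER, WEB_GROUP, WEB_UID, WEB_GID, PROJECT_ROOT
# Environment written: WEB_USER, WEB_GROUP, WEB_UID, WEB_GID are exported with
#                      their defaults applied
# Exit status:         0 when the user and group exist or were created,
#                      2 when a required value is empty
##

# Set defaults if they are not set.
# This has to happen before the existence check below: with WEB_USER unset,
# `id -u` reports the current (root) user and `getent group` without a key
# lists every group, so the check would succeed and nothing would be created.
export WEB_USER=${WEB_USER-wordpress}
export WEB_GROUP=${WEB_GROUP-web}
export WEB_UID=${WEB_UID-1000}
export WEB_GID=${WEB_GID-1000}

##
# If $WEB_USER user and $WEB_GROUP group already exist just skip the user creation
##
if id -u "$WEB_USER" > /dev/null 2>&1 && getent group "$WEB_GROUP" > /dev/null 2>&1; then
  echo "[cont-init.d] user:$WEB_USER and group:$WEB_GROUP already exist, skipping..."
  exit 0
fi

##
# Create $WEB_USER user with $WEB_UID and $WEB_GROUP group with $WEB_GID
##

# Validate everything up front so a missing value does not leave a group
# created with no user behind it
if [ -z "$WEB_GID" ]; then
  echo "[cont-init.d] ERROR: Please set web user group id in WEB_GID" 1>&2
  exit 2
fi
if [ -z "$WEB_UID" ]; then
  echo "[cont-init.d] ERROR: Please set web user id in WEB_UID" 1>&2
  exit 2
fi
if [ -z "$PROJECT_ROOT" ]; then
  echo "[cont-init.d] ERROR: Please set PROJECT_ROOT, it is used as the home directory of $WEB_USER" 1>&2
  exit 2
fi

echo "[cont-init.d] Creating $WEB_USER user with id: $WEB_UID and group $WEB_GROUP with id: $WEB_GID"

# Create web group, reusing a group that already owns $WEB_GID if there is one
existing_group=$(getent group "$WEB_GID" | cut -d':' -f1)

if [ -n "$existing_group" ]; then
  # Rename the existing group to $WEB_GROUP.
  # This is done so that in local development we can just lookup permissions
  # from mounted folders: the UID/GID may already belong to something inside
  # the container, and this way the same uid/gid works in the container and
  # on the host machine.
  # groupmod renames exactly this one group (and keeps /etc/gshadow in step);
  # the previous `sed s|name|new|g /etc/group` rewrote every occurrence of the
  # name, including substrings of other group names and member lists.
  if [ "$existing_group" != "$WEB_GROUP" ]; then
    echo "[cont-init.d] Replacing pre-existing group name $existing_group -> $WEB_GROUP"
    groupmod -n "$WEB_GROUP" "$existing_group"
  fi
else
  # Create new group
  echo "$ groupadd -g $WEB_GID $WEB_GROUP"
  groupadd -g "$WEB_GID" "$WEB_GROUP"
fi

# Create $WEB_USER user
echo "$ useradd -u $WEB_UID -g $WEB_GROUP --home $PROJECT_ROOT $WEB_USER"
useradd -u "$WEB_UID" -g "$WEB_GROUP" --home "$PROJECT_ROOT" "$WEB_USER"

# Check that processes can write logs.
# This is not recursive: it hands the web user ownership of the /var/log
# directory itself so it can create entries there; the per-service log
# directories are set up by 02-init-directories-and-files.
chown "$WEB_USER:$WEB_GROUP" /var/log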
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/cont-init.d/02-init-crond:
--------------------------------------------------------------------------------
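#!/usr/bin/with-contenv bash

##
# Install the project's crontab for $WEB_USER, or drop the cron service from
# s6 when the project ships no cronjobs.
#
# Environment read: PROJECT_ROOT, WEB_USER, CRON_URL, REDIS_HOST, REDIS_PORT,
#                   REDIS_PASSWORD, CRONLOCK_HOST, CRONLOCK_PORT, CRONLOCK_AUTH
# Side effects:     appends to /etc/environment and writes
#                   /var/spool/cron/crontabs/$WEB_USER, or removes
#                   /etc/services.d/cron
##

cron_service_dir=/etc/services.d/cron
crontab_file="/var/spool/cron/crontabs/$WEB_USER"

if [ -f "$PROJECT_ROOT/tasks.cron" ]; then

  # Setup all container env for cron.
  # NOTE(review): this copies the whole container environment, including
  # credentials such as REDIS_PASSWORD and the CRONLOCK_AUTH written below,
  # into /etc/environment, which is world-readable by default; anything that
  # can read that file can read those values.
  printenv | grep -v '^_=' | grep -v "no_proxy" >> /etc/environment

  # Use default redis for cronlock if cronlock variables are not set
  if [ -n "$REDIS_HOST" ] && [ -z "$CRONLOCK_HOST" ]; then
    echo "CRONLOCK_HOST=$REDIS_HOST" >> /etc/environment
  fi
  if [ -n "$REDIS_PASSWORD" ] && [ -z "$CRONLOCK_AUTH" ]; then
    echo "CRONLOCK_AUTH=$REDIS_PASSWORD" >> /etc/environment
  fi
  if [ -n "$REDIS_PORT" ] && [ -z "$CRONLOCK_PORT" ]; then
    echo "CRONLOCK_PORT=$REDIS_PORT" >> /etc/environment
  fi

  # env for running wp cron
  echo "CRON_URL=$CRON_URL" >> /etc/environment

  # Install the cron template as $WEB_USER's crontab; crontabs must be owned
  # by their user and not be readable by anyone else
  cp "$PROJECT_ROOT/tasks.cron" "$crontab_file"
  chown "$WEB_USER" "$crontab_file"
  chmod 0600 "$crontab_file"
else
  # No cronjobs found, remove crond from s6.
  # /etc/services.d/cron is a directory holding the service's `run` script, so
  # it has to be tested with -d; the earlier `-f` test never matched and the
  # service was always left in place.
  if [ -d "$cron_service_dir" ]; then
    rm -r "$cron_service_dir"
  fi
fi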
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/cont-init.d/02-init-directories-and-files:
--------------------------------------------------------------------------------
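#!/usr/bin/with-contenv bash

##
# Create the runtime directories and log files that nginx and php-fpm write
# to, and hand them to $WEB_USER:$WEB_GROUP.
#
# Environment read: UPLOADS_ROOT, WEB_USER, WEB_GROUP
##

web_owner="$WEB_USER:$WEB_GROUP"

# Create uploads directory if not exists.
# Without the guard an empty UPLOADS_ROOT would make mkdir/chown fail on a
# missing operand; the remaining directories are still created either way.
if [ -n "$UPLOADS_ROOT" ]; then
  mkdir -p "$UPLOADS_ROOT"
  chown "$web_owner" "$UPLOADS_ROOT"
else
  echo "[cont-init.d] ERROR: UPLOADS_ROOT is not set, uploads directory was not created" 1>&2
fi

# Create dir for nginx tmp files
mkdir -p /tmp/nginx/body
chown -R "$web_owner" /tmp/nginx

# Create log directories if they don't exist already
log_dirs=(/var/log/nginx /var/log/php /var/log/mail)
mkdir -p "${log_dirs[@]}"

# Create error.log so that php-fpm can write to it
touch /var/log/php/error.log

# Chown all log files to the web user
chown -R "$web_owner" "${log_dirs[@]}"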
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/nginx/additional.types:
--------------------------------------------------------------------------------
1 | # If developers add .woff2 type font files we should provide good Content-Type headers
2 | types {
3 | # Add mime support for woff2
4 | # http://stackoverflow.com/questions/28235550/proper-mime-type-for-woff2-fonts
5 | font/woff2 woff2;
6 | }
7 |
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/nginx/cache/fastcgicache.conf:
--------------------------------------------------------------------------------
1 | ##
2 | # Add few rules which deny using cache
3 | ##
4 | include cache/fastcgicache_skip_rules.conf;
5 | include cache/helper_variables.conf;
6 | fastcgi_cache_bypass $skip_cache;
7 | fastcgi_no_cache $skip_cache;
8 |
9 | fastcgi_cache WORDPRESS;
10 | #proxy_ignore_headers Set-Cookie Expires Cache-Control;
11 |
12 | # Add header for easier cache debugging
13 | add_header X-Cache $upstream_cache_status always;
14 |
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/nginx/cache/fastcgicache_settings.conf:
--------------------------------------------------------------------------------
1 | ##
2 | # Basic settings of Fast cgi cache
3 | ##
4 | fastcgi_cache_path ${NGINX_CACHE_DIRECTORY} levels=1:2 keys_zone=WORDPRESS:100m max_size=1000m inactive=730h;
5 | fastcgi_cache_key $scheme$request_method$host$request_uri;
6 | fastcgi_cache_lock on;
7 | fastcgi_cache_valid ${NGINX_REDIS_CACHE_TTL_DEFAULT};
8 | add_header 'Cache-Control' ${NGINX_CACHE_CONTROL};
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/nginx/cache/fastcgicache_skip_rules.conf:
--------------------------------------------------------------------------------
1 | ##
2 | # Add few rules which deny using cache
3 | ##
4 |
5 | # Don't skip cache by default
6 | set $skip_cache 0;
7 | # insert project specific cache rules to this file (delete this row when all projects are updated)
8 | include /var/www/project/nginx/server/skip_cache.conf;
9 | # insert project specific cache rules to this folder
10 | include ${NGINX_INCLUDE_DIR}/skipcache/*.conf;
11 |
12 | # POST requests and urls with a query string should always go to PHP
13 | if ($request_method = POST) {
14 | set $skip_cache 1;
15 | }
16 |
17 | # Deal with accepted query vars
18 | set $without $query_string;
19 |
20 | set_by_lua_block $cache_args {
21 | -- Helper split string function
22 | function split( inputstr, sep )
23 | if sep == nil then
24 | sep = "%s"
25 | end
26 | local t={} ; i=1
27 | for str in string.gmatch(inputstr, "([^" .. sep .. "]+)") do
28 | t[ i ] = str
29 | i = i + 1
30 | end
31 | return t
32 | end
33 |
34 | -- Helper escape special chars function
35 | function esc( str )
36 | return str:gsub( "([^%w])", "%%%1" )
37 | end
38 |
39 | local with = {}
40 | local without = ngx.var.without
41 |
42 | -- Get a list of accepted query vars from env variable
43 | local accepted = split( ( os.getenv( 'CACHE_QUERYVARS' ) or "" ), "," )
44 |
45 | -- Loop through the list
46 | for key, accept in pairs(accepted) do
47 | -- If there is a value present for the variable, store it in a variable (note: ngx.decode_args yields true for a bare key and a table for a repeated key; concatenating either raises a Lua error, so the value should be checked to be a string first)
48 | if ngx.decode_args( without )[ accept ] then
49 | table.insert( with, accept .. "=" .. ngx.decode_args( without )[ accept ] )
50 | end
51 | -- Remove the accepted key-value pair from the string
52 | without = string.gsub( without, "&?" .. esc( accept ) .. "=[^&]+", "" )
53 | end
54 |
55 | -- Store all non-accepted query vars to checked later
56 | ngx.var.without = without
57 |
58 | -- Return accepted query var key-value pairs to be used in the cache key
59 | return "?" .. table.concat( with, "&" )
60 | }
61 |
62 | # If there were any unaccepted query vars, skip cache
63 | if ($without != "") {
64 | set $skip_cache 1;
65 | }
66 |
67 | # Don't use the cache for logged in users or recent commenters
68 | if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in|woocommerce_items_in_cart") {
69 | set $skip_cache 1;
70 | }
71 |
72 | # Don't cache responses from wp-admin, xmlrpc and wp-login.php
73 | if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php") {
74 | set $skip_cache 1;
75 | }
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/nginx/cache/helper_variables.conf:
--------------------------------------------------------------------------------
1 | ##
2 | # This file creates few helper variables
3 | # $prefer_language_slug - 2 first letters from accept-language header to determine the language redirects from cache
4 | ##
5 |
6 | ##
7 | # Parse the first two letters from the Accept-Language header to determine the right cache key. Note: string.match returns nil when the header holds no two consecutive word characters (e.g. "*"), and string.lower(nil) then raises a Lua error, so the match result should be checked before lowering.
8 | ##
9 | set_by_lua_block $prefer_language_slug {
10 | if ngx.var.http_accept_language then
11 | return string.lower( string.match( ngx.var.http_accept_language, '%w%w' ) )
12 | else
13 | return 'en'
14 | end
15 | }
16 |
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/nginx/cache/redis_backend.conf:
--------------------------------------------------------------------------------
1 | ##
2 | # Adds internal locations for storing and getting full page cache from redis
3 | ##
4 |
5 | srcache_default_expire '${NGINX_REDIS_CACHE_TTL_DEFAULT}';
6 | srcache_max_expire '${NGINX_REDIS_CACHE_TTL_MAX}';
7 |
8 | location /redis-fetch {
9 | internal;
10 |
11 | ##
12 | # In order to use password authentication we use custom redis module which adds $redis_auth:
13 | # - https://github.com/Yongke/ngx_http_redis-0.3.7
14 | ##
15 |
16 | # Read the configuration from system envs
17 | set $redis_auth '${REDIS_PASSWORD}';
18 | set $redis_db ${REDIS_DATABASE};
19 |
20 | set $redis_key $args;
21 |
22 | redis_pass ${REDIS_HOST}:${REDIS_PORT};
23 | }
24 |
25 | location /redis-store {
26 | internal;
27 |
28 | set_unescape_uri $exptime $arg_exptime;
29 | set_unescape_uri $key $arg_key;
30 |
31 | # Fix caching problem for now
32 | # There's issue in github https://github.com/openresty/srcache-nginx-module/issues/61
33 | set_if_empty $srcache_expire '${NGINX_REDIS_CACHE_TTL_DEFAULT}';
34 |
35 | # redis module pipelines these 3 commands into single request
36 | redis2_query auth '${REDIS_PASSWORD}';
37 | redis2_query select ${REDIS_DATABASE};
38 |
39 | # Set and expire with one command: http://redis.io/commands/setex
40 | redis2_query setex $key $srcache_expire $echo_request_body;
41 |
42 | # Pass the request to redis
43 | redis2_pass ${REDIS_HOST}:${REDIS_PORT};
44 |
45 | }
46 |
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/nginx/cache/skip_rules.conf:
--------------------------------------------------------------------------------
1 | ##
2 | # Add few rules which deny using cache
3 | ##
4 |
5 | # Don't skip cache by default
6 | set $skip_cache 0;
7 |
8 | # POST requests and urls with a query string should always go to PHP
9 | if ($request_method = POST) {
10 | set $skip_cache 1;
11 | }
12 |
13 | # If there are any args, skip cache
14 | if ($query_string != "") {
15 | set $skip_cache 1;
16 | }
17 |
18 | # Don't use the cache for logged in users or recent commenters
19 | if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in|woocommerce_items_in_cart") {
20 | set $skip_cache 1;
21 | }
22 |
23 | # Don't cache responses from wp-admin, xmlrpc and wp-login.php
24 | if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php") {
25 | set $skip_cache 1;
26 | }
27 |
28 | # Skip fetch and skip if conditions are met
29 | srcache_fetch_skip $skip_cache;
30 | srcache_store_skip $skip_cache;
31 |
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/nginx/cache/srcache.conf:
--------------------------------------------------------------------------------
1 | ##
2 | # Add few rules which deny using cache
3 | ##
4 | include cache/skip_rules.conf;
5 | include cache/helper_variables.conf;
6 |
7 | # Use redis caching for all pages
8 | # Allow different cache key from env
9 | # Use 'wp_' prefix so that cache can be flushed with:
10 | # $ wp cache flush
11 | set $cache_key "${NGINX_CACHE_KEY}";
12 | set_escape_uri $escaped_cache_key $cache_key;
13 |
14 | srcache_response_cache_control on;
15 |
16 | srcache_fetch GET /redis-fetch $cache_key;
17 | srcache_store PUT /redis-store key=$escaped_cache_key;
18 |
19 | # Add header for easier cache debugging
20 | add_header X-Cache $srcache_fetch_status;
21 |
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/nginx/env.conf:
--------------------------------------------------------------------------------
1 | # Set custom environment variables that we need with lua here
2 | # These are used to dynamically load
3 | env PORT;
4 | env WEB_ROOT;
5 | env NGINX_MAX_BODY_SIZE;
6 | env NGINX_TIMEOUT;
7 |
8 | # For nginx redis cache
9 | env REDIS_HOST;
10 | env REDIS_PORT;
11 | env REDIS_DATABASE;
12 | env REDIS_PASSWORD;
13 | env CACHE_QUERYVARS;
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/nginx/error_pages.conf:
--------------------------------------------------------------------------------
1 | ##
2 | # Custom error pages
3 | ##
4 |
5 | ## 403 - Forbidden
6 | error_page 403 /403.html;
7 | location = /403.html {
8 | root /usr/share/nginx/html;
9 | internal;
10 | }
11 |
12 | ## 500 - Internal Server Error
13 | error_page 500 /500.html;
14 | location = /500.html {
15 | root /usr/share/nginx/html;
16 | internal;
17 | }
18 |
19 | ## 502 - Bad Gateway
20 | error_page 502 /502.html;
21 | location = /502.html {
22 | root /usr/share/nginx/html;
23 | internal;
24 | }
25 |
26 | ## 504 - Gateway Timeout
27 | error_page 504 /504.html;
28 | location = /504.html {
29 | root /usr/share/nginx/html;
30 | internal;
31 | }
32 |
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/nginx/fastcgi_params:
--------------------------------------------------------------------------------
1 | # These are just basic things from the request
2 | fastcgi_param QUERY_STRING $query_string;
3 | fastcgi_param REQUEST_METHOD $request_method;
4 | fastcgi_param CONTENT_TYPE $content_type;
5 | fastcgi_param CONTENT_LENGTH $content_length;
6 |
7 | fastcgi_param SCRIPT_NAME $fastcgi_script_name;
8 | fastcgi_param REQUEST_URI $request_uri;
9 | fastcgi_param DOCUMENT_URI $document_uri;
10 | fastcgi_param DOCUMENT_ROOT $document_root;
11 | fastcgi_param SERVER_PROTOCOL $server_protocol;
12 |
13 | fastcgi_param GATEWAY_INTERFACE CGI/1.1;
14 | fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
15 |
16 | ##
17 | # Set these using the knowledge that we are behind proxy
18 | ##
19 | fastcgi_param REMOTE_ADDR $real_remote;
20 | fastcgi_param REMOTE_PORT $remote_port;
21 | fastcgi_param SERVER_ADDR $server_addr;
22 | fastcgi_param SERVER_PORT $real_port;
23 | fastcgi_param SERVER_NAME $real_host;
24 | fastcgi_param HTTPS $real_https;
25 | fastcgi_param REQUEST_SCHEME $real_scheme;
26 | fastcgi_param HTTP_HOST $real_host;
27 |
28 | # PHP only, required if PHP was built with --enable-force-cgi-redirect
29 | fastcgi_param REDIRECT_STATUS 200;
30 |
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/nginx/fastcgi_settings.conf:
--------------------------------------------------------------------------------
1 | # regex to split $uri to $fastcgi_script_name and $fastcgi_path
2 | fastcgi_split_path_info ^(.+\.php)(/.+)$;
3 |
4 | # Bypass the fact that try_files resets $fastcgi_path_info
5 | # see: http://trac.nginx.org/nginx/ticket/321
6 | set $path_info $fastcgi_path_info;
7 | fastcgi_param PATH_INFO $path_info;
8 |
9 | # Intercept errors from php-fpm
10 | # These can be:
11 | # - timeouts for long running requests
12 | # - requested php file might be missing or not existing in the first place
13 | fastcgi_intercept_errors on;
14 |
15 | fastcgi_index index.php;
16 |
17 | # Small optimisation on fastcgi buffer size
18 | # defaults are 8k;
19 | fastcgi_buffers 16 16k;
20 | fastcgi_buffer_size 16k;
21 |
22 | # Include basic fastcgi settings
23 | include fastcgi_params;
24 |
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/nginx/gzip.conf:
--------------------------------------------------------------------------------
1 | # Compression
2 |
3 | # Enable Gzip compressed.
4 | gzip on;
5 |
6 | # Compression level (1-9).
7 | # 5 is a perfect compromise between size and cpu usage, offering about
8 | # 75% reduction for most ascii files (almost identical to level 9).
9 | gzip_comp_level 5;
10 |
11 | # Don't compress anything that's already small and unlikely to shrink much
12 | # if at all (the default is 20 bytes, which is bad as that usually leads to
13 | # larger files after gzipping).
14 | gzip_min_length 256;
15 |
16 | # Compress data even for clients that are connecting to us via proxies,
17 | # identified by the "Via" header (required for CloudFront).
18 | gzip_proxied any;
19 |
20 | # Tell proxies to cache both the gzipped and regular version of a resource
21 | # whenever the client's Accept-Encoding capabilities header varies;
22 | # Avoids the issue where a non-gzip capable client (which is extremely rare
23 | # today) would display gibberish if their proxy gave them the gzipped version.
24 | gzip_vary on;
25 |
26 | # Compress all output labeled with one of the following MIME-types.
27 | gzip_types
28 | application/atom+xml
29 | application/javascript
30 | application/json
31 | application/ld+json
32 | application/manifest+json
33 | application/rss+xml
34 | application/vnd.geo+json
35 | application/vnd.ms-fontobject
36 | application/x-font-ttf
37 | application/x-web-app-manifest+json
38 | application/xhtml+xml
39 | application/xml
40 | font/opentype
41 | image/bmp
42 | image/svg+xml
43 | image/x-icon
44 | text/cache-manifest
45 | text/css
46 | text/plain
47 | text/vcard
48 | text/vnd.rim.location.xloc
49 | text/vtt
50 | text/x-component
51 | text/x-cross-domain-policy;
52 | # text/html is always compressed by HttpGzipModule
53 |
54 | # This should be turned on if you are going to have pre-compressed copies (.gz) of
55 | # static files available. If not it should be left off as it will cause extra I/O
56 | # for the check. It is best if you enable this in a location{} block for
57 | # a specific directory, or on an individual server{} level.
58 | # gzip_static on;
59 |
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/nginx/log_format.conf:
--------------------------------------------------------------------------------
1 | # Log cache status
2 | # Log real requester address
3 | log_format custom '[$time_local] $http_x_real_ip '
4 | '$host "$request" $status $body_bytes_sent $request_time '
5 | '"$http_referer" "$http_user_agent" $upstream_cache_status';
6 |
7 | ##
8 | # Legacy formats which might be in use somewhere
9 | ##
10 | # This log format makes it so we can see real requester's IP address \
11 | # not just the reverse proxy server's IP address. Also note, that \
12 | # "specialLog" can be replaced with any name you would like to \
13 | # give to this log format.
14 | log_format specialLog '[$time_local] $http_x_real_ip '
15 | '$host "$request" $status $body_bytes_sent $request_time '
16 | '"$http_referer" "$http_user_agent" $upstream_cache_status';
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/nginx/log_formats.conf:
--------------------------------------------------------------------------------
1 | # Log cache status
2 | # Log real requester address
3 | log_format custom '[$time_local] $http_x_forwarded_for '
4 | '$host "$request" $status $body_bytes_sent $request_time '
5 | '"$http_referer" "$http_user_agent" $upstream_cache_status';
6 |
7 | # A new log format for detecting bad bots.
8 | log_format blocked '[$time_local] Blocked request from $http_x_forwarded_for $request';
9 |
10 | ##
11 | # Legacy formats which might be in use somewhere
12 | ##
13 | # This log format makes it so we can see real requester's IP address \
14 | # not just the reverse proxy server's IP address. Also note, that \
15 | # "specialLog" can be replaced with any name you would like to \
16 | # give to this log format.
17 | log_format specialLog '[$time_local] $http_x_forwarded_for '
18 | '$host "$request" $status $body_bytes_sent $request_time '
19 | '"$http_referer" "$http_user_agent" $upstream_cache_status';
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/nginx/pagespeed/locations.conf:
--------------------------------------------------------------------------------
# Ensure requests for pagespeed optimized resources go to the pagespeed handler
# and no extraneous headers get set.
# nginx's add_header is not additive across levels: declaring one inside this
# location drops every add_header inherited from the enclosing server block.
# The empty add_header below is the idiom used to achieve exactly that
# (an empty header name is never emitted, but the inheritance is cut).
location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" {
  add_header "" "";
}
# Handled entirely by the pagespeed module; the empty bodies only reserve the paths.
location ~ "^/pagespeed_static/" { }
location ~ "^/ngx_pagespeed_beacon$" { }
8 |
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/nginx/pagespeed/settings.conf:
--------------------------------------------------------------------------------
# Hide pagespeed version and provide this header instead
# (X-Page-Speed reveals the module version by default; replacing it with a
# constant value avoids advertising the exact build.)
pagespeed XHeaderValue "Enabled";

# Don't alter Cache-Control headers
pagespeed ModifyCachingHeaders off;

# This is for pagespeed temporary files
# Needs to exist and be writable by nginx. Use tmpfs for best performance.
# /tmp/nginx is created and chowned to the web user in
# cont-init.d/02-init-directories-and-files.
pagespeed FileCachePath /tmp/nginx/pagespeed;

# Pagespeed sets default TTL from file to 300s, which is bad
# This raises it to 2592000000 ms = 30 days. (An earlier comment said
# "1 year"; a year would be 31536000000 ms.)
pagespeed LoadFromFileCacheTtlMs 2592000000;
14 |
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/nginx/proxy_real_variables.conf:
--------------------------------------------------------------------------------
##
# Set few variables since we use jwilder/nginx-proxy in dev and proxy in production
# So the fastcgi params need to be the original ones or you
# will have redirect loops ('canonical_redirect' mostly)
#
# NOTE(review): every X-Forwarded-* header below is trusted unconditionally.
# That is only safe when this container is reachable exclusively through the
# trusted proxy; a client that can connect to nginx directly can supply these
# headers itself and thereby spoof $real_host, $real_https and $real_remote
# as seen by PHP. Prefer realip/set_real_ip_from with the proxy's address
# range if direct exposure is possible.
##

# Set $host first from proxy (if possible)
set $real_host $http_x_forwarded_host;
if ($real_host = '') {
  set $real_host $http_host;
}

# Set server port according to forwarded proto
# (only the proto is inspected; X-Forwarded-Port is not consulted)
set $real_port 80;
if ($http_x_forwarded_proto = 'https') {
  set $real_port 443;
}

# Set https according to used proto
set $real_https off;
if ($http_x_forwarded_proto = 'https') {
  set $real_https on;
}

# Set scheme according to used proto
set $real_scheme 'http';
if ($http_x_forwarded_proto = 'https') {
  set $real_scheme 'https';
}

# Set original remote
# X-Forwarded-For is copied verbatim; with chained proxies it is a
# comma-separated list, not a single address.
set $real_remote $http_x_forwarded_for;
if ($real_remote = '') {
  set $real_remote $remote_addr;
}
36 |
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/nginx/security.conf:
--------------------------------------------------------------------------------
##
# Request-blocking rules. Each match logs one line to $blocked_log using the
# 'blocked' log_format (log_formats.conf) and answers 403. $blocked_log is
# not defined in this file and must be set before these rules are included.
#
# NOTE(review): a regex `location` is matched against the normalised request
# path ($uri) only. The query string is not part of the match, and
# percent-encoded sequences are decoded before matching, so patterns such as
# %3C or %0 only fire on double-encoded input. These rules reduce noise in
# the access log; they are not a substitute for a WAF or for fixing the app.
##

## Block SQL injections
location ~* union.*select.*\( { access_log $blocked_log blocked; return 403; }
location ~* union.*all.*select.* { access_log $blocked_log blocked; return 403; }
location ~* concat.*\( { access_log $blocked_log blocked; return 403; }

## Block common exploits
location ~* (<|%3C).*script.*(>|%3E) { access_log $blocked_log blocked; return 403; }
location ~* base64_(en|de)code\(.*\) { access_log $blocked_log blocked; return 403; }
location ~* (%24&x) { access_log $blocked_log blocked; return 403; }
# Very broad: any path containing "%0".."%F" or "127.0" after decoding.
location ~* (%0|%A|%B|%C|%D|%E|%F|127\.0) { access_log $blocked_log blocked; return 403; }
location ~* \.\.\/ { access_log $blocked_log blocked; return 403; }
# Paths ending in '~' (editor backup copies)
location ~* ~$ { access_log $blocked_log blocked; return 403; }
location ~* proc/self/environ { access_log $blocked_log blocked; return 403; }
location ~* /\.(htaccess|htpasswd|svn|git) { access_log $blocked_log blocked; return 403; }

## Block file injections
location ~* [a-zA-Z0-9_]=(\.\.//?)+ { access_log $blocked_log blocked; return 403; }
location ~* [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ { access_log $blocked_log blocked; return 403; }

## wordpress security
# The unescaped '.' in wp-config.php / wp-load.php / composer.json matches any
# character, which is harmless here (slightly broader than intended).
location ~* wp-config.php { access_log $blocked_log blocked; return 403; }
location ~* wp-load.php { access_log $blocked_log blocked; return 403; }
location ~* wp-admin/includes { access_log $blocked_log blocked; return 403; }
location ~* wp-app\.log { access_log $blocked_log blocked; return 403; }
location ~* (licence|readme|license)\.(md|html|txt) { access_log $blocked_log blocked; return 403; }
location ~* composer.json { access_log $blocked_log blocked; return 403; }
27 |
28 |
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/nginx/security_headers.conf:
--------------------------------------------------------------------------------
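##
# Security headers, source: https://gist.github.com/plentz/6737338
#
# All three use 'always' so they are also sent on 4xx/5xx responses (e.g. the
# 403 pages produced by security.conf); without it add_header applies only to
# 2xx/3xx. Previously only X-Content-Type-Options carried the flag.
#
# NOTE(review): nginx add_header is not additive across levels. Any location
# that declares its own add_header (fastcgicache.conf's X-Cache, the pagespeed
# locations, Cache-Control in fastcgicache_settings.conf) drops the headers
# below for that location unless they are re-declared there.
##

# config to don't allow the browser to render the page inside an frame or iframe
# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
add_header X-Frame-Options SAMEORIGIN always;

# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
# to disable content-type sniffing on some browsers.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
# currently supported in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
add_header X-Content-Type-Options nosniff always;

# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
# this particular website if it was disabled by the user.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
# Legacy: current browsers have largely retired the XSS auditor, so this is kept
# for older clients only and should not be counted as a control.
add_header X-XSS-Protection "1; mode=block" always;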
24 |
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/nginx/static_files.conf:
--------------------------------------------------------------------------------
# Use version numbers to bypass cache
# Try to cache as long as we can
# (expires max sets a far-future Expires and Cache-Control: max-age; assets
# must therefore carry a version in their URL to be refreshed)
expires max;

## No need to bleed constant updates. Send the whole shebang in one
## fell swoop.
tcp_nodelay off;

## Set the OS file cache.
# Up to 3000 descriptors, dropped after 120s without access, re-validated every 45s,
# and only cached once a file has been hit twice. Lookup errors are not cached.
open_file_cache max=3000 inactive=120s;
open_file_cache_valid 45s;
open_file_cache_min_uses 2;
open_file_cache_errors off;
14 |
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/nginx/upstreams.conf:
--------------------------------------------------------------------------------
# Default php handler
# The socket path must match 'listen = /var/run/php-fpm.sock' in
# /etc/php/7.0/fpm/php-fpm.conf.
upstream php-fpm {
  server unix:/var/run/php-fpm.sock;
}
5 |
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/php/7.0/cli/php.ini:
--------------------------------------------------------------------------------
[PHP]
; CLI-only php.ini. php-fpm uses /etc/php/7.0/fpm/php.ini plus fpm/conf.d/.
; This directive determines whether or not PHP will recognize code between
; <? and ?> tags as PHP source which should be processed as such.
short_open_tag = Off

; Implicit flush tells PHP to tell the output layer to flush itself
; automatically after every output block.
implicit_flush = Off

; This directive allows you to disable certain functions for security reasons.
; It receives a comma-delimited list of function names.
; http://php.net/disable-functions
; Deliberately empty for the CLI: process-spawning functions are blocked for
; php-fpm in fpm/conf.d/blocked.ini, while CLI tooling keeps them.
disable_functions =

; Enables or disables the circular reference collector.
; http://php.net/zend.enable-gc
zend.enable_gc = On

;;;;;;;;;;;;;;;;;
; Miscellaneous ;
;;;;;;;;;;;;;;;;;


; Deny executing anything else than the exact path passed from fastcgi
; This causes the PHP interpreter to only try the literal path given and to stop processing if the file is not found.
; This is for security.
; https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#passing-uncontrolled-requests-to-php
cgi.fix_pathinfo = 0

; Do not advertise the PHP version in the X-Powered-By header
expose_php = Off

;;;;;;;;;;;;;;;;;;;
; Resource Limits ;
;;;;;;;;;;;;;;;;;;;

; Maximum execution time of each script, in seconds
; (the CLI SAPI ignores this and runs unlimited; it is kept for completeness)
max_execution_time = 600

; Maximum amount of time each script may spend parsing request data.
max_input_time = 60

; How many GET/POST/COOKIE input variables may be accepted
; max_input_vars = 1000

; Maximum amount of memory a script may consume.
; The value comes from the PHP_MEMORY_LIMIT environment variable (the ${...}
; placeholder is expected to be substituted at container start); the stock
; "(128MB)" default no longer applies.
memory_limit = ${PHP_MEMORY_LIMIT}

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Error handling and logging ;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

error_reporting = E_ALL

; On the CLI errors go to the terminal, which is what an operator wants;
; the fpm php.ini sends them to stderr instead.
display_errors = On

display_startup_errors = On

log_errors = On

log_errors_max_len = 2048

ignore_repeated_errors = Off

ignore_repeated_source = Off

report_memleaks = On

; Deprecated from PHP 7.2; valid for the 7.0 runtime this file targets.
track_errors = On

html_errors = Off
71 |
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/php/7.0/fpm/conf.d/blocked.ini:
--------------------------------------------------------------------------------
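; Disable some functions because they allow bad/vulnerable patterns
; We want to advocate good coding practises and these functions make it difficult
; You can use these with php cli but not with php-fpm
;
; disable_functions is a system-level directive: it cannot be re-enabled with
; ini_set() from a script. The list covers process spawning / shell access
; and a handful of POSIX process-control calls. (posix_setuid was listed
; twice; the duplicate entry has been removed.)
disable_functions = exec,passthru,shell_exec,show_source,system,pcntl_exec,popen,posix_getpwuid,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,posix_uname,proc_nice,proc_open,proc_close,proc_get_status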
5 |
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/php/7.0/fpm/conf.d/common.ini:
--------------------------------------------------------------------------------
[PHP]

; Don't brag that we have php 7.0
; (suppresses the X-Powered-By header; the CLI php.ini sets the same)
expose_php = Off
5 |
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/php/7.0/fpm/conf.d/limits.ini:
--------------------------------------------------------------------------------
; filesize, time and input limits
; ${...} placeholders are expected to be substituted from the container
; environment at start-up.

; Tied to nginx's fastcgi timeout so PHP gives up no later than nginx does.
; NOTE(review): on Unix max_execution_time counts CPU time only, not time
; spent in I/O or sleeping; php-fpm's request_terminate_timeout is the
; wall-clock hard stop, and php-fpm.conf here does not set it.
max_execution_time = ${NGINX_FASTCGI_TIMEOUT}
max_input_time = -1
max_input_vars = ${PHP_MAX_INPUT_VARS}
memory_limit = ${PHP_MEMORY_LIMIT}
; Both body limits follow nginx's client body limit so the three agree;
; a request nginx lets through is never rejected by PHP for size alone.
post_max_size = ${NGINX_MAX_BODY_SIZE}
upload_max_filesize = ${NGINX_MAX_BODY_SIZE}
8 |
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/php/7.0/fpm/conf.d/logging.ini:
--------------------------------------------------------------------------------
; Log all warnings and errors
error_log = ${PHP_ERROR_LOG}
; NOTE(review): log_level is a php-fpm.conf global directive (it is also set
; there); in a php.ini scan-dir file it is most likely ignored — confirm.
log_level = ${PHP_ERROR_LOG_LEVEL}
log_errors_max_len = ${PHP_ERROR_MAX_LEN}
5 |
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/php/7.0/fpm/conf.d/mail.ini:
--------------------------------------------------------------------------------
[PHP]
; Use msmtp to send mail instead of sendmail
; /usr/sbin/sendmail in this image is the msmtp wrapper script under
; rootfs/usr/sbin/sendmail, which reads its SMTP_* settings from the environment.
sendmail_path = "/usr/sbin/sendmail"
4 |
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/php/7.0/fpm/conf.d/opcache.ini:
--------------------------------------------------------------------------------
; Enable php opcache to make site faster
; These are taken from: https://www.scalingphpbook.com/blog/2014/02/14/best-zend-opcache-settings.html
[opcache]
opcache.enable = 1
; This file lives in the fpm conf.d, so enable_cli only matters if the same
; directory is also scanned by the CLI — presumably not; verify.
opcache.enable_cli = 1

; Provides a faster mechanism for calling the deconstructors in your code at the end of a single request to speed up the response and recycle php workers so they're ready for the next incoming request faster.
; (Removed in PHP 7.2; still meaningful for the 7.0 runtime here.)
opcache.fast_shutdown = 1

; Give plenty of memory for php process for caching the code
; Value (in MB) comes from the PHP_OPCACHE_MAX_MEMORY environment variable.
opcache.memory_consumption = ${PHP_OPCACHE_MAX_MEMORY}

; Log into container output
opcache.error_log = /dev/stderr

; Log opcache warnings
opcache.log_verbosity_level = 2

; PHP uses a technique called string interning to improve performance— so, for example, if you have the string "foobar" 1000 times in your code, internally PHP will store 1 immutable variable for this string and just use a pointer to it for the other 999 times you use it.
; This reserves 16MB to storing the most used strings
opcache.interned_strings_buffer = 16
; Upper bound on cached scripts; comes from PHP_OPCACHE_MAX_FILES.
opcache.max_accelerated_files = ${PHP_OPCACHE_MAX_FILES}
23 |
24 |
25 |
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/php/7.0/fpm/conf.d/opcache_invalidate.conf:
--------------------------------------------------------------------------------
; NOTE(review): PHP's ini scan directory only picks up files ending in .ini;
; with a .conf extension this file is most likely not loaded at all — confirm,
; and rename to .ini if these settings are meant to apply.

; Don't revalidate php files in this container
; With timestamps off, changed PHP files are only seen after php-fpm is
; restarted (or opcache is reset), which is the intended trade-off for an
; immutable container image.
opcache.validate_timestamps = 0

; We don't need to cache php comments into opcache
; Caution: libraries that read docblock annotations at runtime (e.g. Doctrine
; annotations, PHPUnit) need comments preserved; this breaks them.
opcache.save_comments = 0
6 |
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/php/7.0/fpm/conf.d/sessions.ini:
--------------------------------------------------------------------------------
;;;;;;;;;;;;;;;;;;;;;;;;;;
; Define Session backend ;
;;;;;;;;;;;;;;;;;;;;;;;;;;
; These env can also contain redis as backend
; Both values are computed by /etc/services.d/php-fpm/run before php-fpm
; starts: 'files' -> /tmp/php, 'redis' -> a tcp://host:port?... URL that may
; embed the redis password.
session.save_handler = ${PHP_SESSION_HANDLER}
session.save_path = ${PHP_SESSION_SAVE_PATH}
7 |
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/php/7.0/fpm/conf.d/timezone.ini:
--------------------------------------------------------------------------------
; Timezone from env formatted like 'Europe/Helsinki'
; (TZ is substituted at container start; an invalid zone name makes PHP
; fall back to UTC with a warning)
date.timezone = ${TZ}
3 |
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/php/7.0/fpm/php-fpm.conf:
--------------------------------------------------------------------------------
; php-fpm master configuration. ${...} placeholders are substituted from the
; container environment at start-up.
; The directives before the first pool section are global settings
; (no explicit [global] header — presumably accepted as global; confirm).

; Run this in foreground so s6 can control it
daemonize = no

; Log all warnings and errors
error_log = ${PHP_ERROR_LOG}
log_level = ${PHP_ERROR_LOG_LEVEL}

[www]
; Workers drop to the web user; the master stays root to bind the socket.
user = ${WEB_USER}
group = ${WEB_GROUP}
; Must match 'server unix:/var/run/php-fpm.sock' in nginx upstreams.conf.
listen = /var/run/php-fpm.sock
; listen.mode is left at its default (0660), so the nginx worker must run as
; this user or group to connect.
listen.owner = ${WEB_USER}
listen.group = ${WEB_GROUP}
pm = dynamic

; Total RAM dedicated to the web server / Max child process size
pm.max_children = 30

pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 3

; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Default Value: no
catch_workers_output = yes

; Project web root
chdir = ${WEB_ROOT}

; NOTE(review): pm.process_idle_timeout is only honoured with pm = ondemand;
; with pm = dynamic (above) this line has no effect.
pm.process_idle_timeout = 10s
; Recycle each worker after this many requests to contain slow memory leaks.
pm.max_requests = 500

; Include extra configs
include=/etc/php/7.0/fpm/php-fpm.d/*.conf
36 |
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/php/7.0/fpm/php-fpm.d/preserve-env.conf:
--------------------------------------------------------------------------------
; Just use all envs from system when php-fpm starts
; By default php-fpm flushes all envs and they need to be whitelisted
;
; NOTE(review): this exposes the complete container environment to every PHP
; script via getenv()/$_ENV/$_SERVER and to phpinfo(). With the settings in
; this image that includes database and SMTP/redis credentials, so any code
; execution or information-disclosure bug in the application reveals them.
; Whitelisting the needed variables with env[NAME] = $NAME is the safer form.
clear_env = no
4 |
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/php/7.0/fpm/php.ini:
--------------------------------------------------------------------------------
;;;
; Production settings for php and php-fpm
;;;
; All directives from /etc/php/7.0/fpm/conf.d are also included
;;;

[PHP]

; Don't display errors into frontend
; (errors go to the worker's stderr, which php-fpm.conf captures via
; catch_workers_output)
display_errors = stderr

; disable ignoring of repeat errors
ignore_repeated_errors = false

; disable ignoring of unique source errors
ignore_repeated_source = false

; enable logging of php memory leaks
report_memleaks = true

; Deny executing anything else than the exact path passed from fastcgi
; This causes the PHP interpreter to only try the literal path given and to stop processing if the file is not found.
; This is for security. Source: https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#passing-uncontrolled-requests-to-php
cgi.fix_pathinfo = 0

; disable html markup of errors
html_errors = false

; disable formatting of error reference links
; (docref links are only emitted when html_errors is on, so these two lines
; are belt-and-braces; '0' is kept as the project's chosen "off" value)
docref_root = 0

; disable formatting of error reference links
docref_ext = 0

; disable max error string length ( by using so big number that bigger messages don't matter )
; Note that conf.d/logging.ini also sets log_errors_max_len from PHP_ERROR_MAX_LEN;
; whichever file PHP parses last wins.
log_errors_max_len = 10000

; Don't show startup errors
display_startup_errors = Off
track_errors = Off

; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Default Value: no
; NOTE(review): catch_workers_output is a php-fpm pool directive; it takes
; effect from php-fpm.conf (where it is also set), not from php.ini.
catch_workers_output = yes
46 |
47 |
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/services.d/cron/run:
--------------------------------------------------------------------------------
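#!/usr/bin/with-contenv sh
# s6 service script for the cron daemon.
# exec replaces this shell with cron so that s6 supervises and signals the
# daemon itself instead of a wrapper shell, matching the nginx and php-fpm
# run scripts (without exec, a TERM from s6 stopped sh and left cron behind).
echo "[services.d] started cron daemon"
# Runs cron daemon in foreground (-f) with log level 2
exec cron -l 2 -f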
5 |
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/services.d/nginx/run:
--------------------------------------------------------------------------------
#!/usr/bin/with-contenv sh

# s6 service script: replace this shell with nginx, kept in the foreground
# so the supervisor owns the master process directly.
exec nginx -g 'daemon off;'
5 |
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/etc/services.d/php-fpm/run:
--------------------------------------------------------------------------------
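#!/usr/bin/with-contenv bash

##
# s6 service script for php-fpm.
# Resolves the session backend into PHP_SESSION_SAVE_PATH when the caller did
# not set it (PHP_SESSION_HANDLER 'files' or 'redis'), then execs php-fpm in
# the foreground. Reads WEB_USER/WEB_GROUP and the REDIS_* variables.
##

##
# Check which kind of session backend we should be using
##
if [ -z "$PHP_SESSION_SAVE_PATH" ]; then
  echo "[php-fpm] configuring php-fpm session backend..."

  # Use 'files' as default session handler
  export PHP_SESSION_HANDLER=${PHP_SESSION_HANDLER-files}

  case "$PHP_SESSION_HANDLER" in

    files)
      mkdir -p /tmp/php
      chown "$WEB_USER:$WEB_GROUP" /tmp/php

      # export new env for php-fpm
      export PHP_SESSION_SAVE_PATH='/tmp/php'
      ;;
    redis)
      # Set defaults
      REDIS_HOST=${REDIS_HOST-$REDIS_1_PORT_6379_TCP_ADDR}
      REDIS_PORT=${REDIS_PORT-6379}
      REDIS_SCHEME=${REDIS_SCHEME-tcp}
      REDIS_PHP_SESSION_HOST=${REDIS_PHP_SESSION_HOST-$REDIS_1_PORT_6379_TCP_ADDR}

      # After this time php-fpm will timeout from requesting session data
      PHP_SESSION_REDIS_TIMEOUT=${PHP_SESSION_REDIS_TIMEOUT-5}

      PHP_SESSION_REDIS_PARAMS="timeout=$PHP_SESSION_REDIS_TIMEOUT"

      # Set these only if they are not 0 and '' because they add complexity for the query
      if [ "$PHP_SESSION_REDIS_DB" != "" ]; then
        PHP_SESSION_REDIS_PARAMS+="&database=$PHP_SESSION_REDIS_DB"
      fi
      if [ "$REDIS_PASSWORD" != "" ]; then
        # The password is embedded verbatim into a query string; a value
        # containing '&', '?' or '#' would need URL-encoding to survive parsing.
        PHP_SESSION_REDIS_PARAMS+="&auth=$REDIS_PASSWORD"
      fi
      if [ "$PHP_SESSION_REDIS_PREFIX" != "" ]; then
        PHP_SESSION_REDIS_PARAMS+="&prefix=$PHP_SESSION_REDIS_PREFIX"
      fi

      # export new env for php-fpm
      export PHP_SESSION_SAVE_PATH="$REDIS_SCHEME://$REDIS_PHP_SESSION_HOST:$REDIS_PORT?$PHP_SESSION_REDIS_PARAMS"
      ;;
    *)
      # Previously an unknown handler fell through silently and php-fpm started
      # with an empty save path; make the misconfiguration visible.
      echo "[php-fpm] ERROR: unknown PHP_SESSION_HANDLER '$PHP_SESSION_HANDLER' (expected 'files' or 'redis')" 1>&2
      ;;
  esac
fi

# Log the resolved save path, but never the redis credential it may embed:
# this line goes to the container's stdout and from there to any log collector.
session_path_for_log=$(printf '%s' "$PHP_SESSION_SAVE_PATH" | sed 's/auth=[^&]*/auth=REDACTED/')
echo "[php-fpm] using $session_path_for_log for php sessions..."

echo "[php-fpm] started php-fpm"
exec php-fpm -c /etc/php/7.0/fpm/php.ini --fpm-config /etc/php/7.0/fpm/php-fpm.conf --pid /var/run/php-fpm.pid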
53 |
54 |
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/usr/bin/wp:
--------------------------------------------------------------------------------
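#!/usr/bin/env bash
##
# WP-cli wrapper: Append path automatically so that user doesn't have to
#
# Environment: WEB_USER - account to drop privileges to when invoked as root
#              WP_CORE  - WordPress core directory, passed to wp-cli as --path
# All arguments are forwarded untouched; exec makes wp-cli's exit status ours.
##
if [ "$(whoami)" = "root" ]; then
  # Run as wordpress user instead
  # This helps that we don't install things as root
  # Or run 3rd party code as root
  # (quoted so a WEB_USER / WP_CORE containing spaces stays one argument)
  exec gosu "$WEB_USER" /usr/local/bin/wp-cli "$@" --path="$WP_CORE"
else
  exec /usr/local/bin/wp-cli "$@" --path="$WP_CORE"
fi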
13 |
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/usr/local/bin/phinx:
--------------------------------------------------------------------------------
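#!/usr/bin/env bash
##
# Phinx wrapper
# You need to install phinx through composer first
#
# Maps the container's MYSQL_* / DB_* environment onto the PHINX_* variables
# (expected to be consumed by the project's phinx configuration) and runs the
# vendored phinx binary under $PROJECT_ROOT with all arguments forwarded.
##

# Export database host in prod and dev
if [ -n "$MYSQL_HOST" ]; then
  export PHINX_DBHOST=$MYSQL_HOST
elif [ -n "$DB_HOST" ]; then
  export PHINX_DBHOST=$DB_HOST
elif [ -n "$DB_PORT_3306_TCP_ADDR" ]; then
  export PHINX_DBHOST=$DB_PORT_3306_TCP_ADDR
else
  # Without a host phinx cannot connect; stop here instead of running it with
  # PHINX_DBHOST unset (the message used to go to stdout and execution continued).
  echo "ERROR: You need to set DB_HOST!" 1>&2
  exit 1
fi

# Export phinx envs
# Default to MYSQL_ envs but fallback to DB_
export PHINX_DBPORT=${MYSQL_PORT-$DB_PORT}
export PHINX_DBNAME=${MYSQL_DATABASE-$DB_NAME}
export PHINX_DBUSER=${MYSQL_USER-$DB_USER}
export PHINX_DBPASSWORD=${MYSQL_PWD-$DB_PASSWORD}
export PHINX_ENVIRONMENT=$WP_ENV

# Run phinx
# "$@" (quoted) keeps arguments with spaces intact; exec hands back phinx's exit status.
exec php "$PROJECT_ROOT/vendor/bin/phinx" "$@"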
28 |
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/usr/local/bin/print-smtp-password:
--------------------------------------------------------------------------------
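#!/bin/bash
# This is so that we can use msmtp without /etc/msmtprc config file
# msmtp doesn't have --password option and it only has --passwordeval option
# We use this script so that we can use it in passwordeval
#
# Prints SMTP_PASSWORD followed by a newline. The caller (the sendmail
# wrapper, via --passwordeval) must have SMTP_PASSWORD in its environment.

# printf instead of echo: an unquoted echo word-splits the value and collapses
# runs of spaces, and bash's echo treats a password beginning with '-n' or
# '-e' as an option instead of printing it.
print_smtp_password() {
  printf '%s\n' "$SMTP_PASSWORD"
}

print_smtp_password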
6 |
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/usr/local/bin/wp-run-cron:
--------------------------------------------------------------------------------
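#!/bin/bash
# Copyright © 2015 Bjørn Johansen
# This work is free. You can redistribute it and/or modify it under the
# terms of the Do What The Fuck You Want To Public License, Version 2,
# as published by Sam Hocevar. See http://www.wtfpl.net/ for more details.
# Source: https://bjornjohansen.no/wordpress-cron-wp-cli
# Github: https://gist.github.com/bjornjohansen/a00a9fee5475c4dadb56#file-run-wp-cron-sh

# This is modified for our container. In this container you don't need to use --path
# because it's automatically included
#
# Runs every due WP-Cron event for each site (all sites of a multisite network,
# or the single siteurl). Exits non-zero when wp-cli or WordPress is missing so
# the scheduler records the failure — the original used a bare 'exit', which
# returned 0 after the echo.

# Check if WP-CLI is available
if ! command -v wp >/dev/null 2>&1; then
  echo "[wp-cron] ERROR: WP-CLI is not available" 1>&2
  exit 1
fi

# If WordPress isn't installed here, we bail
if ! wp core is-installed --quiet >/dev/null; then
  echo "[wp-cron] ERROR: WordPress is not installed here: ${WP_CORE}" 1>&2
  exit 1
fi

# Get a list of site URLs, one array element per site
if wp core is-installed --quiet --network >/dev/null; then
  # Multisite: every non-archived, non-deleted site. 'sed 1d' drops the csv
  # header row. mapfile keeps one URL per element regardless of IFS.
  mapfile -t SITE_URLS < <(wp site list --fields=url --archived=0 --deleted=0 --format=csv | sed 1d)
else
  SITE_URLS=("$(wp option get siteurl)")
fi

# Loop through all the sites
for SITE_URL in "${SITE_URLS[@]}"; do
  # Run every event hook that is due in one call (replaces the old per-hook loop)
  wp cron event run --due-now --url="$SITE_URL"
done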
43 |
--------------------------------------------------------------------------------
/ubuntu-7.0/rootfs/usr/sbin/sendmail:
--------------------------------------------------------------------------------
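#!/bin/bash
##
# This is custom wrapper for msmtp which acts like good old sendmail
# - It is used for php and cron
# - This is easier to configure for external mail server than sendmail
# - sendmail is just the default binary which other services will use
# - It needs following env: SMTP_HOST, SMTP_PASSWORD, SMTP_PORT, SMTP_AUTH, SMTP_USER
#   (optional: SMTP_FROM, SMTP_LOG, SMTP_TLS)
# - Exit status is msmtp's own (exec), or 1 when SMTP_HOST is missing.
##

# Deduce all used msmtp options from system ENVs
declare -a options

# Act like sendmail
options+=("-t")

# Use system tls chain
options+=("--tls-trust-file=/etc/ssl/certs/ca-certificates.crt")

if [ -n "$SMTP_HOST" ]; then
  options+=("--host=$SMTP_HOST")
else
  # Diagnostics go to stderr so a caller capturing stdout does not swallow them
  echo "[mail error] SMTP_HOST is not defined, mail can't be sent" 1>&2
  exit 1
fi

# Log all mail requests
# try /var/log/mail/sent.log but use stdout when logfile is not available
if [ -n "$SMTP_LOG" ]; then
  options+=("--logfile=$SMTP_LOG")
elif [ -f /var/log/mail/sent.log ]; then
  options+=("--logfile=/var/log/mail/sent.log")
fi

if [ -n "$SMTP_FROM" ]; then
  options+=("--from=$SMTP_FROM")
fi

# Default port for smtp is 25 and it will work even without this option
if [ -n "$SMTP_PORT" ]; then
  options+=("--port=$SMTP_PORT")
fi

# Setup credentials
if [ -n "$SMTP_USER" ]; then
  options+=("--user=$SMTP_USER")
fi

# msmtp doesn't provide password option because usually it's unsafe
# (a password on the command line is visible to every process via ps).
# Use local hack for passwordeval: the helper prints SMTP_PASSWORD from this
# process' environment, so the secret never appears in argv.
if [ -n "$SMTP_PASSWORD" ]; then
  options+=("--passwordeval=/usr/local/bin/print-smtp-password")
fi


if [ -n "$SMTP_AUTH" ]; then
  options+=("--auth=$SMTP_AUTH")
elif [ -n "$SMTP_USER" ] || [ -n "$SMTP_PASSWORD" ]; then
  options+=("--auth=on")
fi

# NOTE: msmtp leaves TLS off unless asked, so the trust file above only takes
# effect when SMTP_TLS=on is set; without it the session (and any password
# used for --auth) crosses the network in cleartext.
if [ -n "$SMTP_TLS" ]; then
  options+=("--tls=$SMTP_TLS")
fi

# Add our options and command line options for msmtp
# "${options[@]}" keeps every option a single word (e.g. a --from or --logfile
# value containing spaces); exec hands msmtp's exit status straight back.
exec msmtp "${options[@]}" "$@"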
67 |
--------------------------------------------------------------------------------
/ubuntu-7.1/.dockerignore:
--------------------------------------------------------------------------------
1 | # These files are ignored from being uploaded to docker build context
2 |
3 | # Git is not needed in docker image building
4 | .git
5 |
6 | # No OSX rubbish
7 | .DS_Store
8 |
9 | # Development stuff
10 | docker-compose.yml
11 | .dockerignore
12 | Dockerfile
13 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/ImageMagick:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/cont-init.d/01-create-web-user:
--------------------------------------------------------------------------------
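#!/usr/bin/with-contenv bash

##
# Create the web user and group the services run as.
#
# Env (defaults applied below): WEB_USER, WEB_GROUP, WEB_UID, WEB_GID;
# PROJECT_ROOT becomes the user's home directory.
# Exit 0 when both already exist, 2 when an id is missing.
##

# Set defaults first so that the existence check and the creation steps see
# the same names (they used to be applied after the check, so an unset
# WEB_USER was checked as the current user and then created as 'wordpress').
export WEB_USER=${WEB_USER-wordpress}
export WEB_GROUP=${WEB_GROUP-web}
export WEB_UID=${WEB_UID-1000}
export WEB_GID=${WEB_GID-1000}

##
# If $WEB_USER user and web group already exists just skip the user creation
##
if id -u "$WEB_USER" > /dev/null 2>&1 && getent group "$WEB_GROUP" > /dev/null 2>&1; then
  echo "[cont-init.d] user:$WEB_USER and group:$WEB_GROUP already exist, skipping..."
  exit 0
fi

##
# Create $WEB_USER user with $WEB_UID and web group with $WEB_GID
##
echo "[cont-init.d] Creating $WEB_USER user with id: $WEB_UID and group web with id: $WEB_GID"

# Create web group
if [ -n "$WEB_GID" ]; then

  # Check if group with $WEB_GID already exists
  web_group=$(getent group "$WEB_GID" | cut -d':' -f1)

  if [ -n "$web_group" ]; then

    # Rename the existing group to $WEB_GROUP
    # This is done so that in local development we can just lookup permissions from mounted folders
    # This UID/GID can be same as something already existing inside container
    # This way we can use same uid/gid in container and host machine
    if [ "$web_group" != "$WEB_GROUP" ]; then
      echo "[cont-init.d] Replacing pre-existing group name $web_group -> $WEB_GROUP"
      # groupmod renames exactly this one group. The previous
      # 'sed -i s|$web_group|$WEB_GROUP|g /etc/group' rewrote every occurrence
      # of the old name anywhere in the file — inside other group names and
      # member lists too — and treated the name as a regex.
      groupmod -n "$WEB_GROUP" "$web_group"
    fi

  else
    # Create new group
    echo "$ groupadd -g $WEB_GID $WEB_GROUP"
    groupadd -g "$WEB_GID" "$WEB_GROUP"
  fi
else
  echo "[cont-init.d] ERROR: Please set web user group id in WEB_GID" 1>&2
  exit 2
fi

# Create $WEB_USER user
if [ -n "$WEB_UID" ] && [ -n "$WEB_GID" ] ; then
  echo "$ useradd -u $WEB_UID -g $WEB_GROUP --home $PROJECT_ROOT $WEB_USER"
  useradd -u "$WEB_UID" -g "$WEB_GROUP" --home "$PROJECT_ROOT" "$WEB_USER"
else
  echo "[cont-init.d] ERROR: Please set web user id in WEB_UID" 1>&2
  exit 2
fi

# Check that processes can write logs
# NOTE: this hands the web user ownership of the whole of /var/log, not only
# the nginx/php/mail subdirectories created by 02-init-directories-and-files.
chown "$WEB_USER:$WEB_GROUP" /var/log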
59 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/cont-init.d/02-init-crond:
--------------------------------------------------------------------------------
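#!/usr/bin/with-contenv bash

# Install the project's crontab for the web user, or remove the cron service
# when the project ships none. Env: PROJECT_ROOT, WEB_USER, REDIS_*, CRON_URL.

# Copy cronjob from project and run as nginx
if [ -f "$PROJECT_ROOT/tasks.cron" ]; then

  # Setup all container env for cron
  # NOTE(review): this copies the entire environment — including secrets such
  # as REDIS_PASSWORD, SMTP_PASSWORD or database credentials — into
  # /etc/environment, which is normally world-readable (0644), so every
  # process in the container can read them. It also appends on each start,
  # so entries accumulate if the container is restarted rather than recreated.
  printenv | grep -v '^_=' | grep -v "no_proxy" >> /etc/environment

  # Use default redis for cronlock if cronlock variables are not set
  if [ -n "$REDIS_HOST" ] && [ -z "$CRONLOCK_HOST" ] ; then
    echo "CRONLOCK_HOST=$REDIS_HOST" >> /etc/environment
  fi
  if [ -n "$REDIS_PASSWORD" ] && [ -z "$CRONLOCK_AUTH" ] ; then
    echo "CRONLOCK_AUTH=$REDIS_PASSWORD" >> /etc/environment
  fi
  if [ -n "$REDIS_PORT" ] && [ -z "$CRONLOCK_PORT" ] ; then
    echo "CRONLOCK_PORT=$REDIS_PORT" >> /etc/environment
  fi
  # env for running wp cron
  echo "CRON_URL=$CRON_URL" >> /etc/environment
  # Copy cron template; crontabs must be owned by the user and mode 0600
  cp "$PROJECT_ROOT/tasks.cron" "/var/spool/cron/crontabs/$WEB_USER"
  chown "$WEB_USER" "/var/spool/cron/crontabs/$WEB_USER"
  chmod 0600 "/var/spool/cron/crontabs/$WEB_USER"
else
  # No cronjobs found: remove the crond service from s6.
  # The service is the directory /etc/services.d/cron (containing 'run'), so
  # the test has to be -d. The previous '-f' never matched and the cron
  # daemon kept running even without a crontab.
  if [ -d /etc/services.d/cron ]; then
    rm -r /etc/services.d/cron
  fi
fi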
31 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/cont-init.d/02-init-directories-and-files:
--------------------------------------------------------------------------------
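#!/usr/bin/with-contenv bash

# Prepare the directories the web user must be able to write to.
# Env: UPLOADS_ROOT (upload directory), WEB_USER, WEB_GROUP.
# Expansions are quoted so a path with spaces is one argument (and an empty
# UPLOADS_ROOT fails loudly in mkdir instead of silently dropping the operand).

# Create uploads directory if not exists
mkdir -p -- "$UPLOADS_ROOT"
chown "$WEB_USER:$WEB_GROUP" "$UPLOADS_ROOT"

# Create dir for nginx tmp files
# (/tmp/nginx also hosts the pagespeed file cache, see nginx/pagespeed/settings.conf)
mkdir -p /tmp/nginx/body
chown -R "$WEB_USER:$WEB_GROUP" /tmp/nginx

# Create log directories if they don't exist already
mkdir -p /var/log/{nginx,php,mail}

# Create error.log so that php-fpm can write to it
touch /var/log/php/error.log

# Chown all files to wordpress
chown -R "$WEB_USER:$WEB_GROUP" /var/log/{nginx,php,mail}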
19 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/nginx/additional.types:
--------------------------------------------------------------------------------
# If developers add .woff2 type font files we should provide good Content-Type headers
# NOTE(review): nginx does not merge `types` tables across levels — a `types`
# block at a given level replaces the inherited one. This file must be
# included at the same level as mime.types (or mime.types re-included beside
# it), otherwise only woff2 is known there. Confirm where nginx.conf pulls it in.
types {
  # Add mime support for woff2
  # http://stackoverflow.com/questions/28235550/proper-mime-type-for-woff2-fonts
  font/woff2 woff2;
}
7 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/nginx/cache/fastcgicache.conf:
--------------------------------------------------------------------------------
##
# Add few rules which deny using cache
#
# Wires the $skip_cache decision (computed in cache/fastcgicache_skip_rules.conf)
# into the FastCGI cache zone WORDPRESS declared in cache/fastcgicache_settings.conf.
##
include cache/fastcgicache_skip_rules.conf;
include cache/helper_variables.conf;
# bypass = do not serve this request from cache; no_cache = do not store the response
fastcgi_cache_bypass $skip_cache;
fastcgi_no_cache $skip_cache;

fastcgi_cache WORDPRESS;
#proxy_ignore_headers Set-Cookie Expires Cache-Control;

# Add header for easier cache debugging
# `always` emits the header on error responses (4xx/5xx) as well
add_header X-Cache $upstream_cache_status always;
14 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/nginx/cache/fastcgicache_settings.conf:
--------------------------------------------------------------------------------
##
# Basic settings of Fast cgi cache
##
# On-disk cache: two-level directory hashing, a 100m shared-memory key zone
# named WORDPRESS, at most 1000m on disk, entries dropped after 730h without a hit.
fastcgi_cache_path ${NGINX_CACHE_DIRECTORY} levels=1:2 keys_zone=WORDPRESS:100m max_size=1000m inactive=730h;
# NOTE(review): the key does not include $cache_args (cache/fastcgicache_skip_rules.conf)
# or $prefer_language_slug (cache/helper_variables.conf); confirm that is intended,
# otherwise those variables are computed but unused by this cache.
fastcgi_cache_key $scheme$request_method$host$request_uri;
# Only one request populates a given key at a time; concurrent ones wait for it
fastcgi_cache_lock on;
fastcgi_cache_use_stale ${NGINX_CACHE_USE_STALE};
fastcgi_cache_valid ${NGINX_REDIS_CACHE_TTL_DEFAULT};
add_header 'Cache-Control' ${NGINX_CACHE_CONTROL};
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/nginx/cache/fastcgicache_skip_rules.conf:
--------------------------------------------------------------------------------
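##
# Add few rules which deny using cache
#
# Sets $skip_cache (read by fastcgi_cache_bypass / fastcgi_no_cache in
# cache/fastcgicache.conf) and $cache_args (the whitelisted query vars, meant
# for the cache key). Reads the CACHE_QUERYVARS environment variable from Lua;
# it must be exported to the workers with `env CACHE_QUERYVARS;` (nginx/env.conf).
##

# Don't skip cache by default
set $skip_cache 0;
# insert project specific cache rules to this file (delete this row when all projects are updated)
include /var/www/project/nginx/server/skip_cache.conf;
# insert project specific cache rules to this folder
include ${NGINX_INCLUDE_DIR}/skipcache/*.conf;

# POST requests and urls with a query string should always go to PHP
if ($request_method = POST) {
    set $skip_cache 1;
}

# Deal with accepted query vars
set $without $query_string;

set_by_lua_block $cache_args {
    -- Helper split string function.
    -- Declared local: set_by_lua_block runs on every request and a bare
    -- `function` (and the bare `i = 1` the old version used) would define
    -- globals each time.
    local function split( inputstr, sep )
        if sep == nil then
            sep = "%s"
        end
        local t = {}
        local i = 1
        for str in string.gmatch( inputstr, "([^" .. sep .. "]+)" ) do
            t[ i ] = str
            i = i + 1
        end
        return t
    end

    -- Helper escape special chars function.
    -- gsub returns (string, count); the parentheses drop the count so the
    -- caller always gets exactly one value.
    local function esc( str )
        return ( str:gsub( "([^%w])", "%%%1" ) )
    end

    local with = {}
    local without = ngx.var.without

    -- Get a list of accepted query vars from env variable
    local accepted = split( ( os.getenv( 'CACHE_QUERYVARS' ) or "" ), "," )

    -- Decode the query string once instead of once per accepted var
    local args = ngx.decode_args( without )

    -- Loop through the list
    for _, accept in ipairs( accepted ) do
        local value = args[ accept ]
        -- ngx.decode_args yields a table for a repeated key (?a=1&a=2) and
        -- boolean true for a bare key (?a). Concatenating either raised a Lua
        -- error, which turned the request into a 500. Only plain string values
        -- are whitelisted; anything else stays in $without so the request
        -- simply bypasses the cache.
        if type( value ) == "string" then
            table.insert( with, accept .. "=" .. value )
            -- Remove the accepted key-value pair from the string
            -- (an empty value "a=" is left in place and therefore skips cache,
            -- as before)
            without = string.gsub( without, "&?" .. esc( accept ) .. "=[^&]+", "" )
        end
    end

    -- Store all non-accepted query vars to checked later
    ngx.var.without = without

    -- Return accepted query var key-value pairs to be used in the cache key
    return "?" .. table.concat( with, "&" )
}

# If there were any unaccepted query vars, skip cache
if ($without != "") {
    set $skip_cache 1;
}

# Don't use the cache for logged in users or recent commenters
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in|woocommerce_items_in_cart") {
    set $skip_cache 1;
}

# Don't cache responses from wp-admin, xmlrpc and wp-login.php
# (the dots are unescaped, so this matches slightly more than the literal
# names — harmless here since a match only means "do not cache")
if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php") {
    set $skip_cache 1;
}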
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/nginx/cache/helper_variables.conf:
--------------------------------------------------------------------------------
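##
# This file creates few helper variables
# $prefer_language_slug - 2 first letters from accept-language header to determine the language redirects from cache
##

##
# Parse first two letters from accept-language header to determine right cache key
#
# Falls back to 'en' when the header is missing or contains no two consecutive
# alphanumerics (e.g. "Accept-Language: *"). Previously string.match returned
# nil in that case and string.lower(nil) raised a Lua error, failing the
# request with a 500 for any client sending such a header.
##
set_by_lua_block $prefer_language_slug {
    local header = ngx.var.http_accept_language
    if header then
        local slug = string.match( header, '%w%w' )
        if slug then
            return string.lower( slug )
        end
    end
    return 'en'
}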
16 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/nginx/cache/redis_backend.conf:
--------------------------------------------------------------------------------
##
# Adds internal locations for storing and getting full page cache from redis
#
# Both locations are `internal`, so they can only be reached through
# srcache_fetch / srcache_store (cache/srcache.conf), never by a client directly.
# The Redis password is rendered into this file from ${REDIS_PASSWORD}; anyone
# who can read the generated nginx config can read it.
##

srcache_default_expire '${NGINX_REDIS_CACHE_TTL_DEFAULT}';
srcache_max_expire '${NGINX_REDIS_CACHE_TTL_MAX}';

location /redis-fetch {
    internal;

    ##
    # In order to use password authentication we use custom redis module which adds $redis_auth:
    # - https://github.com/Yongke/ngx_http_redis-0.3.7
    ##

    # Read the configuration from system envs
    set $redis_auth '${REDIS_PASSWORD}';
    set $redis_db ${REDIS_DATABASE};

    # $args here is the cache key passed by srcache_fetch, not the client's query string
    set $redis_key $args;

    redis_pass ${REDIS_HOST}:${REDIS_PORT};
}

location /redis-store {
    internal;

    set_unescape_uri $exptime $arg_exptime;
    set_unescape_uri $key $arg_key;

    # Fix caching problem for now
    # There's issue in github https://github.com/openresty/srcache-nginx-module/issues/61
    set_if_empty $srcache_expire '${NGINX_REDIS_CACHE_TTL_DEFAULT}';

    # redis module pipelines these 3 commands into single request
    # NOTE(review): AUTH is sent unconditionally; with an empty REDIS_PASSWORD
    # Redis rejects "AUTH ''" and the store fails — confirm a password is always set.
    redis2_query auth '${REDIS_PASSWORD}';
    redis2_query select ${REDIS_DATABASE};

    # Set and expire with one command: http://redis.io/commands/setex
    redis2_query setex $key $srcache_expire $echo_request_body;

    # Pass the request to redis
    redis2_pass ${REDIS_HOST}:${REDIS_PORT};

}
46 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/nginx/cache/skip_rules.conf:
--------------------------------------------------------------------------------
##
# Add few rules which deny using cache
#
# Redis (srcache) variant of the skip rules: any request with a query string
# is excluded outright, unlike the FastCGI variant in
# cache/fastcgicache_skip_rules.conf which whitelists CACHE_QUERYVARS.
##

# Don't skip cache by default
set $skip_cache 0;

# POST requests and urls with a query string should always go to PHP
if ($request_method = POST) {
    set $skip_cache 1;
}

# If theres any args skip cache
if ($query_string != "") {
    set $skip_cache 1;
}

# Don't use the cache for logged in users or recent commenters
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in|woocommerce_items_in_cart") {
    set $skip_cache 1;
}

# Don't cache responses from wp-admin, xmlrpc and wp-login.php
# (dots are unescaped; a broader match here only means "do not cache")
if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php") {
    set $skip_cache 1;
}

# Skip fetch and skip if conditions are met
srcache_fetch_skip $skip_cache;
srcache_store_skip $skip_cache;
31 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/nginx/cache/srcache.conf:
--------------------------------------------------------------------------------
##
# Add few rules which deny using cache
#
# Full-page cache in Redis via srcache; fetch/store go through the internal
# locations defined in cache/redis_backend.conf.
##
include cache/skip_rules.conf;
include cache/helper_variables.conf;

# Use redis caching for all pages
# Allow different cache key from env
# Use 'wp_' prefix so that cache can be flushed with:
# $ wp cache flush
set $cache_key "${NGINX_CACHE_KEY}";
# The key is passed as a query argument to /redis-store, so it must be URL-escaped
set_escape_uri $escaped_cache_key $cache_key;

# Honour Cache-Control / Expires from the upstream response when deciding to store
srcache_response_cache_control on;

srcache_fetch GET /redis-fetch $cache_key;
srcache_store PUT /redis-store key=$escaped_cache_key;

# Add header for easier cache debugging
add_header X-Cache $srcache_fetch_status;
21 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/nginx/env.conf:
--------------------------------------------------------------------------------
# Set custom environment variables that we need with lua here
# nginx clears the inherited environment in its workers; each `env NAME;`
# re-exposes that variable so Lua blocks can read it with os.getenv().
env PORT;
env WEB_ROOT;
env NGINX_MAX_BODY_SIZE;
env NGINX_TIMEOUT;

# For nginx redis cache
env REDIS_HOST;
env REDIS_PORT;
env REDIS_DATABASE;
# Secret: readable from any Lua code running in the worker
env REDIS_PASSWORD;
# Comma-separated whitelist read by cache/fastcgicache_skip_rules.conf
env CACHE_QUERYVARS;
14 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/nginx/error_pages.conf:
--------------------------------------------------------------------------------
##
# Custom error pages
#
# Each page is served from /usr/share/nginx/html and marked `internal`, so a
# direct client request for /403.html etc. is not answered with the page.
##

## 403 - Forbidden
error_page 403 /403.html;
location = /403.html {
    root /usr/share/nginx/html;
    internal;
}

## 500 - Internal Server Error
error_page 500 /500.html;
location = /500.html {
    root /usr/share/nginx/html;
    internal;
}

## 502 - Bad Gateway
error_page 502 /502.html;
location = /502.html {
    root /usr/share/nginx/html;
    internal;
}

## 504 - Gateway Timeout
error_page 504 /504.html;
location = /504.html {
    root /usr/share/nginx/html;
    internal;
}
32 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/nginx/fastcgi_params:
--------------------------------------------------------------------------------
# These are just basic things from request
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;

fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;

fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;

##
# Set these using the knowledge that we are behind proxy
#
# The $real_* variables come from proxy_real_variables.conf and are derived
# from X-Forwarded-* request headers. PHP therefore sees whatever those headers
# say; they are only trustworthy if the upstream proxy overwrites them.
##
fastcgi_param REMOTE_ADDR $real_remote;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $real_port;
fastcgi_param SERVER_NAME $real_host;
fastcgi_param HTTPS $real_https;
fastcgi_param REQUEST_SCHEME $real_scheme;
# Overrides the Host header PHP would otherwise see with the forwarded one
fastcgi_param HTTP_HOST $real_host;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
30 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/nginx/fastcgi_settings.conf:
--------------------------------------------------------------------------------
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
# Pairs with cgi.fix_pathinfo = 0 in php.ini, so PHP executes only the exact
# script path nginx resolved and never reinterprets PATH_INFO.
fastcgi_split_path_info ^(.+\.php)(/.+)$;

# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;

# Intercept errors from php-fpm
# These can be:
# - timeouts for long running requests
# - requested php file might be missing or not existing in the first place
# (lets error_pages.conf render the custom pages instead of PHP's output)
fastcgi_intercept_errors on;

fastcgi_index index.php;

# Small optimisation on fastcgi buffer size
# defaults are 8k;
fastcgi_buffers 16 16k;
fastcgi_buffer_size 16k;

# Include basic fastcgi settings
include fastcgi_params;
24 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/nginx/gzip.conf:
--------------------------------------------------------------------------------
# Compression

# Enable Gzip compressed.
gzip on;

# Compression level (1-9).
# 5 is a perfect compromise between size and cpu usage, offering about
# 75% reduction for most ascii files (almost identical to level 9).
gzip_comp_level 5;

# Don't compress anything that's already small and unlikely to shrink much
# if at all (the default is 20 bytes, which is bad as that usually leads to
# larger files after gzipping).
gzip_min_length 256;

# Compress data even for clients that are connecting to us via proxies,
# identified by the "Via" header (required for CloudFront).
gzip_proxied any;

# Tell proxies to cache both the gzipped and regular version of a resource
# whenever the client's Accept-Encoding capabilities header varies;
# Avoids the issue where a non-gzip capable client (which is extremely rare
# today) would display gibberish if their proxy gave them the gzipped version.
gzip_vary on;

# Compress all output labeled with one of the following MIME-types.
gzip_types
    application/atom+xml
    application/javascript
    application/json
    application/ld+json
    application/manifest+json
    application/rss+xml
    application/vnd.geo+json
    application/vnd.ms-fontobject
    application/x-font-ttf
    application/x-web-app-manifest+json
    application/xhtml+xml
    application/xml
    font/opentype
    image/bmp
    image/svg+xml
    image/x-icon
    text/cache-manifest
    text/css
    text/plain
    text/vcard
    text/vnd.rim.location.xloc
    text/vtt
    text/x-component
    text/x-cross-domain-policy;
# text/html is always compressed by HttpGzipModule
# NOTE(review): compressing dynamic HTML that mixes secrets (nonces, tokens)
# with reflected client input is the BREACH class of side channel; this is the
# default for WordPress deployments and is noted here for awareness only.

# This should be turned on if you are going to have pre-compressed copies (.gz) of
# static files available. If not it should be left off as it will cause extra I/O
# for the check. It is best if you enable this in a location{} block for
# a specific directory, or on an individual server{} level.
# gzip_static on;
59 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/nginx/log_format.conf:
--------------------------------------------------------------------------------
# Log cache status
# Log real requester address (taken from the X-Real-IP request header)
# NOTE(review): log_formats.conf declares the same format names `custom` and
# `specialLog` (using $http_x_forwarded_for instead); nginx rejects duplicate
# log_format names, so only one of the two files can be included.
log_format custom '[$time_local] $http_x_real_ip '
    '$host "$request" $status $body_bytes_sent $request_time '
    '"$http_referer" "$http_user_agent" $upstream_cache_status';

##
# Legacy formats which might be in use somewhere
##
# This log format makes it so we can see real requester's IP address \
# not just the reverse proxy server's IP address. Also note, that \
# "specialLog" can be replaced with any name you would like to \
# give to this log format.
log_format specialLog '[$time_local] $http_x_real_ip '
    '$host "$request" $status $body_bytes_sent $request_time '
    '"$http_referer" "$http_user_agent" $upstream_cache_status';
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/nginx/log_formats.conf:
--------------------------------------------------------------------------------
# Log cache status
# Log real requester address (taken from the X-Forwarded-For request header;
# with chained proxies this is a comma-separated list, logged verbatim)
# NOTE(review): log_format.conf declares the same format names `custom` and
# `specialLog`; nginx rejects duplicate names, so only one file can be included.
log_format custom '[$time_local] $http_x_forwarded_for '
    '$host "$request" $status $body_bytes_sent $request_time '
    '"$http_referer" "$http_user_agent" $upstream_cache_status';

# A new log format for detecting bad bots.
# Used by the `access_log $blocked_log blocked;` rules in security.conf.
log_format blocked '[$time_local] Blocked request from $http_x_forwarded_for $request';

##
# Legacy formats which might be in use somewhere
##
# This log format makes it so we can see real requester's IP address \
# not just the reverse proxy server's IP address. Also note, that \
# "specialLog" can be replaced with any name you would like to \
# give to this log format.
log_format specialLog '[$time_local] $http_x_forwarded_for '
    '$host "$request" $status $body_bytes_sent $request_time '
    '"$http_referer" "$http_user_agent" $upstream_cache_status';
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/nginx/pagespeed/locations.conf:
--------------------------------------------------------------------------------
# Ensure requests for pagespeed optimized resources go to the pagespeed handler
# and no extraneous headers get set.
location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" {
    # An add_header at this level replaces every add_header inherited from the
    # enclosing server{} (nginx only inherits them when a level has none).
    # NOTE(review): that includes the headers from security_headers.conf, if
    # they are set at server level — confirm that is acceptable for these assets.
    add_header "" "";
}
location ~ "^/pagespeed_static/" { }
location ~ "^/ngx_pagespeed_beacon$" { }
8 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/nginx/pagespeed/settings.conf:
--------------------------------------------------------------------------------
# Hide pagespeed version and provide this header instead
pagespeed XHeaderValue "Enabled";

# Don't alter Cache-Control headers
pagespeed ModifyCachingHeaders off;

# This is for pagespeed temporary files
# Needs to exist and be writable by nginx. Use tmpfs for best performance.
pagespeed FileCachePath /tmp/nginx/pagespeed;

# Pagespeed sets default TTL from file to 300s, which is bad
# This sets the time to 30 days (2592000000 ms = 2592000 s = 30 * 86400 s)
pagespeed LoadFromFileCacheTtlMs 2592000000;
14 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/nginx/proxy_real_variables.conf:
--------------------------------------------------------------------------------
##
# Set few variables since we use jwilder/nginx-proxy in dev and proxy in production
# So the fastcgi params need to be the original ones or you
# will have redirect loops ('canonical_redirect' mostly)
#
# Every $real_* value below is taken verbatim from a client-supplied
# X-Forwarded-* header. Nothing here checks the source address, so these are
# only correct when the container is reachable solely through a proxy that
# overwrites those headers. NOTE(review): confirm that network assumption.
##

# Set $host first from proxy (if possible)
set $real_host $http_x_forwarded_host;
if ($real_host = '') {
    set $real_host $http_host;
}

# Set server port according to forwarded proto
set $real_port 80;
if ($http_x_forwarded_proto = 'https') {
    set $real_port 443;
}

# Set https according to used proto
set $real_https off;
if ($http_x_forwarded_proto = 'https') {
    set $real_https on;
}

# Set scheme according to used proto
set $real_scheme 'http';
if ($http_x_forwarded_proto = 'https') {
    set $real_scheme 'https';
}

# Set original remote
# With chained proxies X-Forwarded-For is a comma-separated list; the whole
# list is forwarded as REMOTE_ADDR (fastcgi_params), not just the first entry.
set $real_remote $http_x_forwarded_for;
if ($real_remote = '') {
    set $real_remote $remote_addr;
}
36 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/nginx/security.conf:
--------------------------------------------------------------------------------
## Block SQL injections
## Regex locations match the normalised, percent-decoded $uri only — not the
## query string — so these patterns only fire when the strings appear in the
## path. $blocked_log is defined outside this file; the `blocked` format is in
## log_formats.conf.
location ~* union.*select.*\( { access_log $blocked_log blocked; return 403; }
location ~* union.*all.*select.* { access_log $blocked_log blocked; return 403; }
location ~* concat.*\( { access_log $blocked_log blocked; return 403; }

## Block common exploits
location ~* (<|%3C).*script.*(>|%3E) { access_log $blocked_log blocked; return 403; }
location ~* base64_(en|de)code\(.*\) { access_log $blocked_log blocked; return 403; }
location ~* (%24&x) { access_log $blocked_log blocked; return 403; }
# NOTE(review): nginx decodes %XX before matching regex locations, so the
# percent-encoded alternatives below rarely match as written; the "127\.0"
# alternative also blocks any path containing that substring.
location ~* (%0|%A|%B|%C|%D|%E|%F|127\.0) { access_log $blocked_log blocked; return 403; }
location ~* \.\.\/ { access_log $blocked_log blocked; return 403; }
# Editor backup files such as "wp-config.php~"
location ~* ~$ { access_log $blocked_log blocked; return 403; }
location ~* proc/self/environ { access_log $blocked_log blocked; return 403; }
# Dotfiles of VCS/htaccess/htpasswd anywhere in the path
location ~* /\.(htaccess|htpasswd|svn|git) { access_log $blocked_log blocked; return 403; }

## Block file injections
location ~* [a-zA-Z0-9_]=(\.\.//?)+ { access_log $blocked_log blocked; return 403; }
location ~* [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ { access_log $blocked_log blocked; return 403; }

## wordpress security
## (dots are unescaped in several patterns, e.g. "composer.json"; they match
## any character, which here only makes the block slightly broader)
location ~* wp-config.php { access_log $blocked_log blocked; return 403; }
location ~* wp-load.php { access_log $blocked_log blocked; return 403; }
location ~* wp-admin/includes { access_log $blocked_log blocked; return 403; }
location ~* wp-app\.log { access_log $blocked_log blocked; return 403; }
# Also blocks any readme/license file a theme or plugin ships
location ~* (licence|readme|license)\.(md|html|txt) { access_log $blocked_log blocked; return 403; }
location ~* composer.json { access_log $blocked_log blocked; return 403; }

28 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/nginx/security_headers.conf:
--------------------------------------------------------------------------------
##
# Security headers, source: https://gist.github.com/plentz/6737338
#
# Reminder: nginx inherits add_header only into levels that declare none of
# their own. Any location{} that adds its own header (e.g. the X-Cache header in
# cache/fastcgicache.conf or the empty add_header in pagespeed/locations.conf)
# drops all of these for responses served from that location.
##

# config to don't allow the browser to render the page inside an frame or iframe
# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
# NOTE(review): unlike nosniff below this has no `always`, so it is not sent on
# 4xx/5xx responses (such as the custom error pages).
add_header X-Frame-Options SAMEORIGIN;

# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
# to disable content-type sniffing on some browsers.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
# currently supported in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
add_header X-Content-Type-Options nosniff always;

# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
# this particular website if it was disabled by the user.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
# (current browsers ignore this header; it is harmless to keep)
add_header X-XSS-Protection "1; mode=block";
24 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/nginx/static_files.conf:
--------------------------------------------------------------------------------
# Use version numbers to bypass cache
# Try to cache as long as we can (far-future Expires + Cache-Control max-age)
expires max;

## No need to bleed constant updates. Send the all shebang in one
## fell swoop.
tcp_nodelay off;

## Set the OS file cache.
## Descriptor/metadata cache for up to 3000 entries; an entry is re-checked
## after 45s and only kept if it was used at least twice within 120s.
open_file_cache max=3000 inactive=120s;
open_file_cache_valid 45s;
open_file_cache_min_uses 2;
# Do not cache lookup errors (missing files are re-checked on every request)
open_file_cache_errors off;
14 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/nginx/upstreams.conf:
--------------------------------------------------------------------------------
# Default php handler
# Unix socket created by php-fpm (see `listen` in php-fpm.conf); its owner and
# group are set there to the web user so nginx can connect.
upstream php-fpm {
    server unix:/var/run/php-fpm.sock;
}
5 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/php/7.1/cli/php.ini:
--------------------------------------------------------------------------------
; php.ini for the command-line interpreter (wp-cli, cron jobs). The php-fpm
; pool uses fpm/php.ini and fpm/conf.d instead.
[PHP]
; This directive determines whether or not PHP will recognize code between
; and ?> tags as PHP source which should be processed as such.
short_open_tag = Off

; Implicit flush tells PHP to tell the output layer to flush itself
; automatically after every output block.
implicit_flush = Off

; This directive allows you to disable certain functions for security reasons.
; It receives a comma-delimited list of function names.
; http://php.net/disable-functions
; Intentionally empty for the CLI; the fpm side blocks process-control
; functions in fpm/conf.d/blocked.ini.
disable_functions =

; Enables or disables the circular reference collector.
; http://php.net/zend.enable-gc
zend.enable_gc = On

;;;;;;;;;;;;;;;;;
; Miscellaneous ;
;;;;;;;;;;;;;;;;;


; Deny executing anything else than the exact path passed from fastcgi
; This causes the PHP interpreter to only try the literal path given and to stop processing if the file is not found.
; This is for security.
; https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#passing-uncontrolled-requests-to-php
cgi.fix_pathinfo = 0

expose_php = Off

;;;;;;;;;;;;;;;;;;;
; Resource Limits ;
;;;;;;;;;;;;;;;;;;;

; Maximum execution time of each script, in seconds
max_execution_time = 600

; Maximum amount of time each script may spend parsing request data.
max_input_time = 60

; How many GET/POST/COOKIE input variables may be accepted
; max_input_vars = 1000

; Maximum amount of memory a script may consume (value comes from the
; PHP_MEMORY_LIMIT environment variable at template render time)
memory_limit = ${PHP_MEMORY_LIMIT}

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Error handling and logging ;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

error_reporting = E_ALL

; Errors go to the terminal; acceptable for CLI, the fpm php.ini sends them to stderr instead
display_errors = On

display_startup_errors = On

log_errors = On

log_errors_max_len = 2048

ignore_repeated_errors = Off

ignore_repeated_source = Off

report_memleaks = On

; NOTE(review): track_errors is deprecated in later PHP releases; harmless on 7.1
track_errors = On

html_errors = Off
71 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/blocked.ini:
--------------------------------------------------------------------------------
; Disable some functions because they allow bad/vulnerable patterns
; We want to advocate good coding practises and these functions make it difficult
; You can use these with php cli but not with php-fpm
; This is a hardening measure for the fpm pool only, not a sandbox: the CLI
; php.ini leaves disable_functions empty.
; NOTE(review): posix_setuid is listed twice; harmless, but one entry can go.
disable_functions = exec,passthru,shell_exec,show_source,system,pcntl_exec,popen,posix_getpwuid,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,posix_setuid,posix_uname,proc_nice,proc_open,proc_close,proc_get_status
5 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/common.ini:
--------------------------------------------------------------------------------
[PHP]

; Don't advertise the PHP version (suppresses the X-Powered-By response header)
expose_php = Off
5 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/limits.ini:
--------------------------------------------------------------------------------
; filesize, time and input limits
; Kept in step with the nginx side so PHP and nginx agree on the same limits
; (the nginx directives that consume these variables are not in this file).
max_execution_time = ${NGINX_FASTCGI_TIMEOUT}
; -1 = no limit on parsing request data
max_input_time = -1
max_input_vars = ${PHP_MAX_INPUT_VARS}
memory_limit = ${PHP_MEMORY_LIMIT}
; Both body limits use the same value as nginx's maximum request body
post_max_size = ${NGINX_MAX_BODY_SIZE}
upload_max_filesize = ${NGINX_MAX_BODY_SIZE}
8 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/logging.ini:
--------------------------------------------------------------------------------
; Log all warnings and errors
; All three values are rendered from the environment; PHP_ERROR_LOG is also
; used as the php-fpm master error_log in php-fpm.conf.
error_log = ${PHP_ERROR_LOG}
log_level = ${PHP_ERROR_LOG_LEVEL}
log_errors_max_len = ${PHP_ERROR_MAX_LEN}
5 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/mail.ini:
--------------------------------------------------------------------------------
[PHP]
; Use msmtp to send mail instead of sendmail
; NOTE(review): the path below is the conventional sendmail location; it is
; assumed to be the image's own wrapper around msmtp — confirm.
sendmail_path = "/usr/sbin/sendmail"
4 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/opcache.ini:
--------------------------------------------------------------------------------
; Enable php opcache to make site faster
; These are taken from: https://www.scalingphpbook.com/blog/2014/02/14/best-zend-opcache-settings.html
[opcache]
opcache.enable = 1
opcache.enable_cli = 1

; Provides a faster mechanism for calling the deconstructors in your code at the end of a single request to speed up the response and recycle php workers so they're ready for the next incoming request faster.
; NOTE(review): this setting was removed in later PHP releases; no effect there.
opcache.fast_shutdown = 1

; Give plenty of memory for php process for caching the code (megabytes, from env)
opcache.memory_consumption = ${PHP_OPCACHE_MAX_MEMORY}

; Log into container output
opcache.error_log = /dev/stderr

; Log opcache warnings
opcache.log_verbosity_level = 2

; PHP uses a technique called string interning to improve performance— so, for example, if you have the string "foobar" 1000 times in your code, internally PHP will store 1 immutable variable for this string and just use a pointer to it for the other 999 times you use it.
; This reserves 16MB to storing the most used strings
opcache.interned_strings_buffer = 16
opcache.max_accelerated_files = ${PHP_OPCACHE_MAX_FILES}
23 |
24 |
25 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/opcache_invalidate.conf:
--------------------------------------------------------------------------------
; Don't revalidate php files in this container
; With timestamps disabled a changed .php file is only picked up after
; php-fpm restarts (or the opcache is reset), which is intended for an
; immutable container image.
; NOTE(review): PHP's conf.d scanning only loads *.ini files; confirm this
; .conf file is actually read, otherwise these two settings are inactive.
opcache.validate_timestamps = 0

; We don't need to cache php comments into opcache
; (docblock-based annotations would break with this off)
opcache.save_comments = 0
6 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/sessions.ini:
--------------------------------------------------------------------------------
;;;;;;;;;;;;;;;;;;;;;;;;;;
; Define Session backend ;
;;;;;;;;;;;;;;;;;;;;;;;;;;
; These env can also contain redis as backend
; Both values are rendered from the environment; when the handler is redis the
; save path typically carries the connection string (and credentials, if any).
session.save_handler = ${PHP_SESSION_HANDLER}
session.save_path = ${PHP_SESSION_SAVE_PATH}
7 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/php/7.1/fpm/conf.d/timezone.ini:
--------------------------------------------------------------------------------
; Timezone from env formatted like 'Europe/Helsinki'
; (an invalid or empty TZ makes PHP emit a warning and fall back to UTC)
date.timezone = ${TZ}
3 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/php/7.1/fpm/php-fpm.conf:
--------------------------------------------------------------------------------
; Run this in foreground so s6 can control it
; NOTE(review): php-fpm expects master settings under a [global] section
; header; confirm these first lines are honoured without one.
daemonize = no

; Log all warnings and errors
error_log = ${PHP_ERROR_LOG}
log_level = ${PHP_ERROR_LOG_LEVEL}

[www]
; Workers run as the unprivileged web user, same as nginx
user = ${WEB_USER}
group = ${WEB_GROUP}
; Unix socket consumed by the `php-fpm` upstream in nginx/upstreams.conf
listen = /var/run/php-fpm.sock
listen.owner = ${WEB_USER}
listen.group = ${WEB_GROUP}
pm = dynamic

; Total RAM dedicated to the web server / Max child process size
pm.max_children = 30

pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 3

; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Default Value: no
catch_workers_output = yes

; Project web root
chdir = ${WEB_ROOT}

pm.process_idle_timeout = 10s
; Recycle a worker after this many requests (guards against leaks)
pm.max_requests = 500

; Include extra configs
; Pulls in php-fpm.d/preserve-env.conf, which sets clear_env = no so every
; container environment variable (including secrets such as REDIS_PASSWORD)
; is visible to PHP code via getenv().
include=/etc/php/7.1/fpm/php-fpm.d/*.conf
36 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/php/7.1/fpm/php-fpm.d/preserve-env.conf:
--------------------------------------------------------------------------------
; Just use all envs from system when php-fpm starts
; By default php-fpm flushes all envs and they need to be whitelisted
; Consequence: every variable in the container environment, secrets included,
; is readable by any PHP code (and any plugin) through getenv()/$_ENV.
clear_env = no
4 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/php/7.1/fpm/php.ini:
--------------------------------------------------------------------------------
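;;;
; Production settings for php and php-fpm
;;;
; All directives from /etc/php/7.1/fpm/conf.d are also included (they are
; parsed after this file, so they override anything set here)
;;;

[PHP]

; Never render errors into HTTP responses: error text leaks file paths, SQL
; fragments and stack details to clients. The value 'stderr' only means
; "stderr" for the CLI/CGI binaries (see php.ini-production: "affects only
; CGI/CLI binaries!"); under php-fpm it behaves like On, so Off is the only
; safe production setting here.
display_errors = Off

; Errors still need to go somewhere: log them. error_log is not set, so they
; reach the worker's stderr, which php-fpm.conf captures into the main log via
; catch_workers_output.
log_errors = On

; Don't advertise the PHP version in the X-Powered-By response header
expose_php = Off

; disable ignoring of repeat errors
ignore_repeated_errors = false

; disable ignoring of unique source errors
ignore_repeated_source = false

; enable logging of php memory leaks
report_memleaks = true

; Deny executing anything else than the exact path passed from fastcgi
; This causes the PHP interpreter to only try the literal path given and to stop processing if the file is not found.
; This is for security. Source: https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#passing-uncontrolled-requests-to-php
cgi.fix_pathinfo = 0

; disable html markup of errors
html_errors = false

; disable formatting of error reference links
docref_root = 0

; disable formatting of error reference links
docref_ext = 0

; disable max error string length ( by using so big number that bigger messages don't matter )
log_errors_max_len = 10000

; Don't show startup errors
display_startup_errors = Off
track_errors = Off

; catch_workers_output is a php-fpm *pool* directive, not a php.ini one; a copy
; here is silently ignored by PHP. It is set where it takes effect: in
; php-fpm.conf under [www].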
46 |
47 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/services.d/cron/run:
--------------------------------------------------------------------------------
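#!/usr/bin/with-contenv sh
echo "[services.d] started cron daemon"
# Run the cron daemon in the foreground (-f) at log level 2 (-l 2).
# exec replaces this shell with cron, so s6 supervises cron itself and the
# signals it sends (SIGTERM on shutdown) reach the daemon rather than a wrapper
# sh that could exit and leave cron orphaned — same pattern as services.d/nginx/run.
exec cron -l 2 -f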
5 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/services.d/nginx/run:
--------------------------------------------------------------------------------
#!/usr/bin/with-contenv sh

# nginx must not daemonize: s6 expects the supervised process to stay in the
# foreground, and exec hands this shell's PID to nginx so s6's signals reach it.
exec nginx -g 'daemon off;'
5 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/etc/services.d/php-fpm/run:
--------------------------------------------------------------------------------
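#!/usr/bin/with-contenv bash

##
# Pick the PHP session backend, export PHP_SESSION_SAVE_PATH for php-fpm and
# exec php-fpm in the foreground under s6.
#
# Env: PHP_SESSION_SAVE_PATH (used as-is when already set),
#      PHP_SESSION_HANDLER (files|redis, default files), WEB_USER/WEB_GROUP,
#      REDIS_* and PHP_SESSION_REDIS_* for the redis handler.
##
if [ -z "$PHP_SESSION_SAVE_PATH" ]; then
  echo "[php-fpm] configuring php-fpm session backend..."

  # Use 'files' as default session handler
  export PHP_SESSION_HANDLER=${PHP_SESSION_HANDLER-files}

  case "$PHP_SESSION_HANDLER" in

    files)
      # Session files are named after the session id, so the directory must not
      # be listable by other users: 0700. mkdir -p leaves an existing
      # directory's mode untouched, hence the explicit chmod.
      mkdir -p /tmp/php
      chown "$WEB_USER:$WEB_GROUP" /tmp/php
      chmod 0700 /tmp/php

      # export new env for php-fpm
      export PHP_SESSION_SAVE_PATH='/tmp/php'
      ;;
    redis)
      # Set defaults. REDIS_HOST falls back to the legacy docker-link address,
      # and the session host falls back to REDIS_HOST, so a plain REDIS_HOST=...
      # (no links) is enough to configure sessions.
      REDIS_HOST=${REDIS_HOST-$REDIS_1_PORT_6379_TCP_ADDR}
      REDIS_PORT=${REDIS_PORT-6379}
      REDIS_SCHEME=${REDIS_SCHEME-tcp}
      REDIS_PHP_SESSION_HOST=${REDIS_PHP_SESSION_HOST-$REDIS_HOST}

      # After this time php-fpm will timeout from requesting session data
      PHP_SESSION_REDIS_TIMEOUT=${PHP_SESSION_REDIS_TIMEOUT-5}

      PHP_SESSION_REDIS_PARAMS="timeout=$PHP_SESSION_REDIS_TIMEOUT"

      # Set these only if they are not 0 and '' because they add complexity for the query
      if [ "$PHP_SESSION_REDIS_DB" != "" ]; then
        PHP_SESSION_REDIS_PARAMS+="&database=$PHP_SESSION_REDIS_DB"
      fi
      # NOTE(review): the password goes into the query string verbatim; a
      # password containing '&', '#' or '%' would need URL-encoding first.
      if [ "$REDIS_PASSWORD" != "" ]; then
        PHP_SESSION_REDIS_PARAMS+="&auth=$REDIS_PASSWORD"
      fi
      if [ "$PHP_SESSION_REDIS_PREFIX" != "" ]; then
        PHP_SESSION_REDIS_PARAMS+="&prefix=$PHP_SESSION_REDIS_PREFIX"
      fi

      # export new env for php-fpm
      export PHP_SESSION_SAVE_PATH="$REDIS_SCHEME://$REDIS_PHP_SESSION_HOST:$REDIS_PORT?$PHP_SESSION_REDIS_PARAMS"
      ;;
    *)
      echo "[php-fpm] WARNING: unknown PHP_SESSION_HANDLER '$PHP_SESSION_HANDLER'; PHP_SESSION_SAVE_PATH left empty" >&2
      ;;
  esac
fi

# The save path may carry the redis password (auth=...); never print it to the
# container log. The quoted pattern makes the password match literally rather
# than as a glob.
session_path_for_log=$PHP_SESSION_SAVE_PATH
if [ -n "$REDIS_PASSWORD" ]; then
  session_path_for_log=${PHP_SESSION_SAVE_PATH//"auth=$REDIS_PASSWORD"/auth=REDACTED}
fi
echo "[php-fpm] using $session_path_for_log for php sessions..."

echo "[php-fpm] started php-fpm"
exec php-fpm -c /etc/php/7.1/fpm/php.ini --fpm-config /etc/php/7.1/fpm/php-fpm.conf --pid /var/run/php-fpm.pid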
53 |
54 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/usr/bin/wp:
--------------------------------------------------------------------------------
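#!/usr/bin/env bash
##
# WP-cli wrapper: Append path automatically so that user doesn't have to
#
# When invoked as root the command is re-run as $WEB_USER through gosu, so
# nothing gets installed — and no third-party plugin/theme code gets executed —
# with root privileges. Needs WEB_USER (root case) and WP_CORE in the env.
##
if [ "$(id -u)" -eq 0 ]; then
  # Fail with a clear message instead of handing gosu an empty user name
  : "${WEB_USER:?WEB_USER must be set to run wp as root}"
  # exec: no leftover root shell wrapping the unprivileged process
  exec gosu "$WEB_USER" /usr/local/bin/wp-cli "$@" --path="$WP_CORE"
else
  exec /usr/local/bin/wp-cli "$@" --path="$WP_CORE"
fi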
13 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/usr/local/bin/phinx:
--------------------------------------------------------------------------------
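#!/usr/bin/env bash
##
# Phinx wrapper
# You need to install phinx through composer first
#
# Maps the container's MYSQL_*/DB_* variables onto the PHINX_* variables the
# project's phinx config reads. Credentials travel through the environment
# only — never on the command line, where `ps` would show them.
##

# Export database host in prod and dev
if [ -n "$MYSQL_HOST" ]; then
  export PHINX_DBHOST=$MYSQL_HOST
elif [ -n "$DB_HOST" ]; then
  export PHINX_DBHOST=$DB_HOST
elif [ -n "$DB_PORT_3306_TCP_ADDR" ]; then
  export PHINX_DBHOST=$DB_PORT_3306_TCP_ADDR
else
  # Previously this only printed the error and ran phinx anyway without a host
  echo "ERROR: You need to set DB_HOST!" >&2
  exit 1
fi

# Export phinx envs
# Default to MYSQL_ envs but fallback to DB_
# NOTE(review): with legacy docker links MYSQL_PORT may be a full
# "tcp://host:3306" URL rather than a bare port number — confirm for your setup.
export PHINX_DBPORT=${MYSQL_PORT-$DB_PORT}
export PHINX_DBNAME=${MYSQL_DATABASE-$DB_NAME}
export PHINX_DBUSER=${MYSQL_USER-$DB_USER}
export PHINX_DBPASSWORD=${MYSQL_PWD-$DB_PASSWORD}
export PHINX_ENVIRONMENT=$WP_ENV

# Run phinx, passing the caller's arguments through unchanged ("$@" keeps
# arguments with spaces intact; the unquoted $@ re-split them)
exec php "$PROJECT_ROOT/vendor/bin/phinx" "$@"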
28 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/usr/local/bin/print-smtp-password:
--------------------------------------------------------------------------------
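#!/bin/bash
# This is so that we can use msmtp without /etc/msmtprc config file
# msmtp doesn't have --password option and it only has --passwordeval option
# We use this script so that we can use it in passwordeval
#
# msmtp takes the first line of our stdout as the password, so the value must
# be printed exactly as given: printf '%s' instead of an unquoted echo, which
# word-splits and globs the value and would swallow a password beginning with
# -n or -e. The secret itself comes from the environment; any process running
# as this user could read it from there anyway.
printf '%s\n' "$SMTP_PASSWORD"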
6 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/usr/local/bin/wp-run-cron:
--------------------------------------------------------------------------------
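#!/bin/bash
# Copyright © 2015 Bjørn Johansen
# This work is free. You can redistribute it and/or modify it under the
# terms of the Do What The Fuck You Want To Public License, Version 2,
# as published by Sam Hocevar. See http://www.wtfpl.net/ for more details.
# Source: https://bjornjohansen.no/wordpress-cron-wp-cli
# Github: https://gist.github.com/bjornjohansen/a00a9fee5475c4dadb56#file-run-wp-cron-sh

# This is modified for our container. In this container you don't need to use --path
# because it's automatically included (see /usr/bin/wp)
#
# Runs every due WP-Cron event for every site via WP-CLI. Meant to be run from
# the container crontab as the web user. Exits non-zero on failure so cron
# actually reports it (the previous version exited 0 on every error path).

# Check if WP-CLI is available
if ! command -v wp >/dev/null 2>&1; then
  echo "[wp-cron] ERROR: WP-CLI is not available" >&2
  exit 1
fi

# If WordPress isn't installed here, we bail
if ! wp core is-installed --quiet >/dev/null; then
  echo "[wp-cron] ERROR: WordPress is not installed here: ${WP_CORE}" >&2
  exit 1
fi

# Get a list of site URLs — one array element per site in both cases
if wp core is-installed --quiet --network >/dev/null; then
  # CSV output: drop the header row
  mapfile -t SITE_URLS < <(wp site list --fields=url --archived=0 --deleted=0 --format=csv | sed 1d)
else
  SITE_URLS=("$(wp option get siteurl)")
fi

# Loop through all the sites and run every event that is due
for SITE_URL in "${SITE_URLS[@]}"; do
  wp cron event run --due-now --url="$SITE_URL"
done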
43 |
--------------------------------------------------------------------------------
/ubuntu-7.1/rootfs/usr/sbin/sendmail:
--------------------------------------------------------------------------------
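#!/bin/bash
##
# This is custom wrapper for msmtp which acts like good old sendmail
# - It is used for php and cron
# - This is easier to configure for external mail server than sendmail
# - sendmail is just the default binary which other services will use
# - It needs following env: SMTP_HOST, SMTP_PASSWORD, SMTP_PORT, SMTP_AUTH, SMTP_USER
#   Optional: SMTP_FROM, SMTP_LOG, SMTP_TLS
#
# SECURITY NOTE: TLS is only enabled when SMTP_TLS=on is set. With credentials
# configured but SMTP_TLS unset, the login is sent in clear text to SMTP_HOST —
# acceptable for a local relay, not for anything across a network.
##

# Deduce all used msmtp options from system ENVs
declare -a options

# Act like sendmail: read the recipients from the message headers
options+=("-t")

# Use system tls chain
options+=("--tls-trust-file=/etc/ssl/certs/ca-certificates.crt")

if [ -n "$SMTP_HOST" ]; then
  options+=("--host=$SMTP_HOST")
else
  echo "[mail error] SMTP_HOST is not defined, mail can't be sent" >&2
  exit 1
fi

# Log all mail requests
# try /var/log/mail/sent.log but use stdout when logfile is not available
if [ -n "$SMTP_LOG" ]; then
  options+=("--logfile=$SMTP_LOG")
elif [ -f /var/log/mail/sent.log ]; then
  options+=("--logfile=/var/log/mail/sent.log")
fi

if [ -n "$SMTP_FROM" ]; then
  options+=("--from=$SMTP_FROM")
fi

# Default port for smtp is 25 and it will work even without this option
if [ -n "$SMTP_PORT" ]; then
  options+=("--port=$SMTP_PORT")
fi

# Setup credentials
if [ -n "$SMTP_USER" ]; then
  options+=("--user=$SMTP_USER")
fi

# msmtp doesn't provide password option because usually it's unsafe
# (it would show up in `ps`). The helper prints $SMTP_PASSWORD from the
# environment msmtp inherits, so the secret never appears on a command line.
if [ -n "$SMTP_PASSWORD" ]; then
  options+=("--passwordeval=/usr/local/bin/print-smtp-password")
fi

if [ -n "$SMTP_AUTH" ]; then
  options+=("--auth=$SMTP_AUTH")
elif [ -n "$SMTP_USER" ] || [ -n "$SMTP_PASSWORD" ]; then
  options+=("--auth=on")
fi

if [ -n "$SMTP_TLS" ]; then
  options+=("--tls=$SMTP_TLS")
fi

# Add our options and command line options for msmtp.
# "${options[@]}" keeps each option intact even when a value (from-address,
# log path) contains whitespace; the unquoted form re-split them.
exec msmtp "${options[@]}" "$@"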
67 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/ImageMagick:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/cont-init.d/01-create-web-user:
--------------------------------------------------------------------------------
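#!/usr/bin/with-contenv bash

##
# Make sure the unprivileged web user and group exist with the requested ids.
#
# Env: WEB_USER (default wordpress), WEB_GROUP (default web),
#      WEB_UID / WEB_GID (default 1000), PROJECT_ROOT (used as home dir).
# NOTE(review): the exports below only affect this script; sibling cont-init.d
# scripts appear to read their own environment — confirm.
##

# Set defaults if they are not set (before the existence check, so the check
# looks at the same names we would otherwise create)
export WEB_USER=${WEB_USER-wordpress}
export WEB_GROUP=${WEB_GROUP-web}
export WEB_UID=${WEB_UID-1000}
export WEB_GID=${WEB_GID-1000}

##
# If $WEB_USER user and web group already exists just skip the user creation
##
if id -u "$WEB_USER" > /dev/null 2>&1 && getent group "$WEB_GROUP" > /dev/null 2>&1; then
  echo "[cont-init.d] user:$WEB_USER and group:$WEB_GROUP already exist, skipping..."
  exit 0
fi

##
# Create $WEB_USER user with $WEB_UID and web group with $WEB_GID
##
echo "[cont-init.d] Creating $WEB_USER user with id: $WEB_UID and group $WEB_GROUP with id: $WEB_GID"

# Create web group
if [ -n "$WEB_GID" ]; then

  # Check if group with $WEB_GID already exists
  web_group=$(getent group "$WEB_GID" | cut -d':' -f1)

  if [ -n "$web_group" ]; then

    # Rename the existing group to $WEB_GROUP
    # This is done so that in local development we can just lookup permissions from mounted folders
    # This UID/GID can be same as something already existing inside container
    # This way we can use same uid/gid in container and host machine
    #
    # groupmod renames exactly this group (and keeps /etc/gshadow in sync).
    # The previous `sed -i s|old|new|g /etc/group` rewrote every occurrence of
    # the old name anywhere in the file — substrings of other group names and
    # member lists included — and could corrupt unrelated entries.
    if [ "$web_group" != "$WEB_GROUP" ]; then
      echo "[cont-init.d] Replacing pre-existing group name $web_group -> $WEB_GROUP"
      groupmod -n "$WEB_GROUP" "$web_group" || exit 2
    fi

  else
    # Create new group
    echo "$ groupadd -g $WEB_GID $WEB_GROUP"
    groupadd -g "$WEB_GID" "$WEB_GROUP" || exit 2
  fi
else
  echo "[cont-init.d] ERROR: Please set web user group id in WEB_GID" 1>&2
  exit 2
fi

# Create $WEB_USER user
if [ -n "$WEB_UID" ] && [ -n "$WEB_GID" ] ; then
  echo "$ useradd -u $WEB_UID -g $WEB_GROUP --home $PROJECT_ROOT $WEB_USER"
  # Stop if the UID or name is already taken; the old script carried on and
  # then chowned /var/log to a user that did not exist.
  useradd -u "$WEB_UID" -g "$WEB_GROUP" --home "$PROJECT_ROOT" "$WEB_USER" || exit 2
else
  echo "[cont-init.d] ERROR: Please set web user id in WEB_UID" 1>&2
  exit 2
fi

# Check that processes can write logs
# NOTE: this hands all of /var/log to the web user, so a compromised php/nginx
# worker can alter or delete its own logs; ship logs off the container if log
# integrity matters for forensics.
chown "$WEB_USER:$WEB_GROUP" /var/log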
59 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/cont-init.d/02-init-crond:
--------------------------------------------------------------------------------
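#!/usr/bin/with-contenv bash

##
# Install the project's crontab for $WEB_USER (if the project ships one) and
# make the container environment available to cron jobs; otherwise disable the
# cron service so s6 does not run a daemon with nothing to do.
##
if [ -f "$PROJECT_ROOT/tasks.cron" ]; then

  # Setup all container env for cron
  # cron starts jobs with an almost empty environment; pam_env reads
  # /etc/environment (as root, before the job drops privileges) and injects
  # these. `_` is the shell's last-argument variable; no_proxy is skipped
  # (presumably to keep proxy settings out of the jobs — confirm).
  printenv | grep -v ^_= | grep -v "no_proxy" >> /etc/environment

  # Use default redis for cronlock if cronlock variables are not set
  if [ -n "$REDIS_HOST" ] && [ -z "$CRONLOCK_HOST" ] ; then
    echo "CRONLOCK_HOST=$REDIS_HOST" >> /etc/environment
  fi
  if [ -n "$REDIS_PASSWORD" ] && [ -z "$CRONLOCK_AUTH" ] ; then
    echo "CRONLOCK_AUTH=$REDIS_PASSWORD" >> /etc/environment
  fi
  if [ -n "$REDIS_PORT" ] && [ -z "$CRONLOCK_PORT" ] ; then
    echo "CRONLOCK_PORT=$REDIS_PORT" >> /etc/environment
  fi
  # env for running wp cron
  echo "CRON_URL=$CRON_URL" >> /etc/environment

  # The file now holds every secret from the environment (DB, Redis, SMTP
  # passwords). It is 0644 by default, i.e. readable by the web user and by
  # anything that gains code execution as it; restrict it to root. pam_env
  # still reads it fine because it runs as root.
  chmod 0600 /etc/environment

  # Copy cron template; the crontab runs as $WEB_USER, never as root
  cp "$PROJECT_ROOT/tasks.cron" "/var/spool/cron/crontabs/$WEB_USER"
  chown "$WEB_USER" "/var/spool/cron/crontabs/$WEB_USER"
  chmod 0600 "/var/spool/cron/crontabs/$WEB_USER"
else
  # No cronjobs found: remove crond from s6.
  # services.d/cron is a directory, so test with -d (the old -f test never
  # matched and the service was left in place).
  if [ -d /etc/services.d/cron ]; then
    rm -r /etc/services.d/cron
  fi
fi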
31 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/cont-init.d/02-init-directories-and-files:
--------------------------------------------------------------------------------
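#!/usr/bin/with-contenv bash

##
# Create the writable directories nginx/php-fpm/msmtp need and hand them to
# the unprivileged web user. Env: UPLOADS_ROOT, WEB_USER, WEB_GROUP.
##

# Create uploads directory if not exists
if [ -n "$UPLOADS_ROOT" ]; then
  mkdir -p "$UPLOADS_ROOT"
  chown "$WEB_USER:$WEB_GROUP" "$UPLOADS_ROOT"
else
  # An unset variable would otherwise become `mkdir -p ""` and a bare error
  echo "[cont-init.d] WARNING: UPLOADS_ROOT is not set, skipping uploads directory" >&2
fi

# Create dir for nginx tmp files (request bodies; pagespeed uses /tmp/nginx/pagespeed)
mkdir -p /tmp/nginx/body
chown -R "$WEB_USER:$WEB_GROUP" /tmp/nginx

# Create log directories if they don't exist already
mkdir -p /var/log/{nginx,php,mail}

# Create error.log so that php-fpm can write to it
touch /var/log/php/error.log

# Chown all files to the web user.
# NOTE: this lets a compromised worker modify or delete its own logs; keep a
# copy outside the container (stdout shipping / log driver) if you need integrity.
chown -R "$WEB_USER:$WEB_GROUP" /var/log/{nginx,php,mail}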
19 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/nginx/additional.types:
--------------------------------------------------------------------------------
# If developers add .woff2 type font files we should provide good Content-Type headers
#
# NOTE: a `types { }` block at a lower level (server/location) *replaces* the
# inherited mime map instead of extending it. Include this file in the same
# context as `include mime.types;` (several types blocks at one level merge),
# otherwise every other extension in that context falls back to default_type.
types {
    # Add mime support for woff2
    # http://stackoverflow.com/questions/28235550/proper-mime-type-for-woff2-fonts
    font/woff2 woff2;
}
7 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/nginx/cache/fastcgicache.conf:
--------------------------------------------------------------------------------
##
# Add few rules which deny using cache
##
include cache/fastcgicache_skip_rules.conf;
include cache/helper_variables.conf;
# $skip_cache is set by the skip rules: 1 = go to PHP and do not store the reply
fastcgi_cache_bypass $skip_cache;
fastcgi_no_cache $skip_cache;

# Zone defined in cache/fastcgicache_settings.conf
fastcgi_cache WORDPRESS;
#proxy_ignore_headers Set-Cookie Expires Cache-Control;

# Add header for easier cache debugging
# NOTE: an add_header here stops inheritance of every add_header from the
# enclosing server/http level (nginx does not merge them), so the security
# headers are not emitted in this context unless re-included alongside.
add_header X-Cache $upstream_cache_status always;
14 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/nginx/cache/fastcgicache_settings.conf:
--------------------------------------------------------------------------------
##
# Basic settings of Fast cgi cache
# ${...} values are filled from the environment when the config is rendered.
##
# inactive=730h: entries not requested for ~30 days are evicted regardless of TTL
fastcgi_cache_path ${NGINX_CACHE_DIRECTORY} levels=1:2 keys_zone=WORDPRESS:100m max_size=1000m inactive=730h;
# Only one request populates a missing entry; the others wait (stampede guard)
fastcgi_cache_lock on;
# Reuses the redis TTL variable for the on-disk cache (intentional sharing, presumably)
fastcgi_cache_valid ${NGINX_REDIS_CACHE_TTL_DEFAULT};
# NOTE: add_header at this level stops inheritance of add_headers from the
# outer level in this context (nginx does not merge them) — mind the security headers.
add_header 'Cache-Control' ${NGINX_CACHE_CONTROL};
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/nginx/cache/helper_variables.conf:
--------------------------------------------------------------------------------
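##
# This file creates few helper variables
# $prefer_language_slug - 2 first letters from accept-language header to determine the language redirects from cache
##

##
# Parse first two letters from accept-language header to determine right cache key
#
# Previously `string.lower(string.match(header, '%w%w'))` raised a Lua error
# (string.lower(nil)) whenever the header was present but contained no two
# consecutive alphanumerics — e.g. `Accept-Language: *` — which made
# set_by_lua fail and nginx answer 500. Any client could trigger that.
##
set_by_lua_block $prefer_language_slug {
    -- Client-controlled input, but only two alphanumerics ever reach the
    -- cache key, so the number of possible variants stays small.
    local header = ngx.var.http_accept_language
    local slug = header and string.match(header, '%w%w')
    if slug then
        return string.lower(slug)
    end
    -- No header, or nothing usable in it: fall back instead of erroring
    return 'en'
}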
16 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/nginx/cache/redis_backend.conf:
--------------------------------------------------------------------------------
##
# Adds internal locations for storing and getting full page cache from redis
# ${...} values are filled from the environment when the config is rendered,
# so the rendered file contains the Redis password in clear text — keep it
# unreadable to the web user if nginx's config dir is ever shared/mounted.
##

srcache_default_expire '${NGINX_REDIS_CACHE_TTL_DEFAULT}';
srcache_max_expire '${NGINX_REDIS_CACHE_TTL_MAX}';

location /redis-fetch {
    # Only reachable through srcache_fetch subrequests, never from a client
    internal;

    ##
    # In order to use password authentication we use custom redis module which adds $redis_auth:
    # - https://github.com/Yongke/ngx_http_redis-0.3.7
    ##

    # Read the configuration from system envs
    set $redis_auth '${REDIS_PASSWORD}';
    set $redis_db ${REDIS_DATABASE};

    # The subrequest's query string is the cache key built in srcache.conf
    set $redis_key $args;

    redis_pass ${REDIS_HOST}:${REDIS_PORT};
}

location /redis-store {
    # Only reachable through srcache_store subrequests
    internal;

    set_unescape_uri $exptime $arg_exptime;
    set_unescape_uri $key $arg_key;

    # Fix caching problem for now
    # There's issue in github https://github.com/openresty/srcache-nginx-module/issues/61
    set_if_empty $srcache_expire '${NGINX_REDIS_CACHE_TTL_DEFAULT}';

    # redis module pipelines these 3 commands into single request
    # NOTE(review): with an empty REDIS_PASSWORD this still sends AUTH '' —
    # confirm the template step drops the line (or Redis always has a
    # password) in that case, otherwise stores fail.
    redis2_query auth '${REDIS_PASSWORD}';
    redis2_query select ${REDIS_DATABASE};

    # Set and expire with one command: http://redis.io/commands/setex
    redis2_query setex $key $srcache_expire $echo_request_body;

    # Pass the request to redis
    redis2_pass ${REDIS_HOST}:${REDIS_PORT};

}
46 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/nginx/cache/skip_rules.conf:
--------------------------------------------------------------------------------
##
# Add few rules which deny using cache
# Result: $skip_cache = 1 means "neither read from nor write to the cache"
##

# Don't skip cache by default
set $skip_cache 0;

# POST requests and urls with a query string should always go to PHP
if ($request_method = POST) {
    set $skip_cache 1;
}

# If theres any args skip cache
# $without is not defined in this file — presumably the query string minus the
# CACHE_QUERYVARS allow-list, set elsewhere (nginx.conf/lua); confirm.
if ($without != "") {
    set $skip_cache 1;
}

# Don't use the cache for logged in users or recent commenters
# This is the rule that keeps personalised/admin responses out of the shared
# cache, i.e. prevents one user's page being served to another.
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in|woocommerce_items_in_cart") {
    set $skip_cache 1;
}

# Don't cache responses from wp-admin, xmlrpc and wp-login.php
# (the dots are unescaped, so the pattern is slightly wider than written —
# that only skips the cache more often, which is the safe direction)
if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php") {
    set $skip_cache 1;
}

# Skip fetch and skip if conditions are met
srcache_fetch_skip $skip_cache;
srcache_store_skip $skip_cache;
31 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/nginx/cache/srcache.conf:
--------------------------------------------------------------------------------
##
# Add few rules which deny using cache
##
include cache/skip_rules.conf;
include cache/helper_variables.conf;

# Use redis caching for all pages
# Allow different cache key from env
# Use 'wp_' prefix so that cache can be flushed with:
# $ wp cache flush
# NOTE: the key must include every request attribute the response depends on
# (host, uri, scheme, $prefer_language_slug, ...). Anything left out lets one
# variant be served for another — cache poisoning across hosts or languages.
set $cache_key "${NGINX_CACHE_KEY}";
set_escape_uri $escaped_cache_key $cache_key;

# Honour Cache-Control / Expires from PHP: responses marked private/no-cache
# (WordPress sends these for admin and login pages) are not stored
srcache_response_cache_control on;

srcache_fetch GET /redis-fetch $cache_key;
srcache_store PUT /redis-store key=$escaped_cache_key;

# Add header for easier cache debugging
# NOTE: an add_header here stops inheritance of the outer level's add_headers
# (security headers) in this context — nginx does not merge them.
add_header X-Cache $srcache_fetch_status;
21 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/nginx/env.conf:
--------------------------------------------------------------------------------
# Set custom environment variables that we need with lua here
# These are used to dynamically load
# (nginx clears the environment of its workers by default; only variables
# listed with `env` are visible to Lua via os.getenv)
env PORT;
env WEB_ROOT;
env NGINX_MAX_BODY_SIZE;
env NGINX_TIMEOUT;

# For nginx redis cache
env REDIS_HOST;
env REDIS_PORT;
env REDIS_DATABASE;
# Exposes the password to every nginx worker process (and to anything able to
# read their /proc/<pid>/environ, i.e. the worker user)
env REDIS_PASSWORD;
env CACHE_QUERYVARS;
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/nginx/error_pages.conf:
--------------------------------------------------------------------------------
##
# Custom error pages
# Each page lives in /usr/share/nginx/html and is marked `internal`, so it is
# reachable only through error_page — a client requesting /403.html directly
# does not get the template. No 404 page is defined here.
##

## 403 - Forbidden
error_page 403 /403.html;
location = /403.html {
    root /usr/share/nginx/html;
    internal;
}

## 500 - Internal Server Error
error_page 500 /500.html;
location = /500.html {
    root /usr/share/nginx/html;
    internal;
}

## 502 - Bad Gateway
error_page 502 /502.html;
location = /502.html {
    root /usr/share/nginx/html;
    internal;
}

## 504 - Gateway Timeout
error_page 504 /504.html;
location = /504.html {
    root /usr/share/nginx/html;
    internal;
}
32 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/nginx/fastcgi_params:
--------------------------------------------------------------------------------
# These are just basic things from the request
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;

# SCRIPT_FILENAME is not set here; presumably the including location provides it
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;

fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;

##
# Set these using the knowledge that we are behind proxy
# The $real_* variables come from proxy_real_variables.conf, i.e. straight
# from the X-Forwarded-* request headers.
# SECURITY: nothing checks that those headers came from the proxy. If a client
# can reach this nginx directly, REMOTE_ADDR, HTTPS and HTTP_HOST as seen by
# PHP are whatever it sends — IP-based logic in WordPress/plugins and anything
# that builds URLs from HTTP_HOST (redirects, password-reset mails) then
# trusts the client. Keep the container reachable only via the proxy, or bind
# the forwarded values to known proxy addresses with the realip module.
##
fastcgi_param REMOTE_ADDR $real_remote;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $real_port;
fastcgi_param SERVER_NAME $real_host;
fastcgi_param HTTPS $real_https;
fastcgi_param REQUEST_SCHEME $real_scheme;
fastcgi_param HTTP_HOST $real_host;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
30 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/nginx/fastcgi_settings.conf:
--------------------------------------------------------------------------------
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
# Works together with cgi.fix_pathinfo = 0 in php.ini: PHP executes only the
# literal script path it is handed, so a request like /uploads/image.jpg/x.php
# cannot be turned into execution of the uploaded file via PATH_INFO games.
fastcgi_split_path_info ^(.+\.php)(/.+)$;

# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;

# Intercept errors from php-fpm
# These can be:
# - timeouts for long running requests
# - requested php file might be missing or not existing in the first place
# Upstream responses with status >= 300 go through error_page (see
# error_pages.conf) when one is defined for that status, instead of PHP's own
# error body being passed to the client.
fastcgi_intercept_errors on;

fastcgi_index index.php;

# Small optimisation on fastcgi buffer size
# defaults are 8k;
fastcgi_buffers 16 16k;
fastcgi_buffer_size 16k;

# Include basic fastcgi settings
include fastcgi_params;
24 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/nginx/gzip.conf:
--------------------------------------------------------------------------------
# Compression
#
# NOTE(security): compressing responses that mix per-session secrets (nonces,
# CSRF tokens) with attacker-influenced content is the precondition for the
# BREACH side channel. text/html is always compressed when gzip is on; if that
# is a concern for authenticated pages, disable gzip for those responses or
# make sure tokens are masked per request.

# Enable Gzip compressed.
gzip on;

# Compression level (1-9).
# 5 is a perfect compromise between size and cpu usage, offering about
# 75% reduction for most ascii files (almost identical to level 9).
gzip_comp_level 5;

# Don't compress anything that's already small and unlikely to shrink much
# if at all (the default is 20 bytes, which is bad as that usually leads to
# larger files after gzipping).
gzip_min_length 256;

# Compress data even for clients that are connecting to us via proxies,
# identified by the "Via" header (required for CloudFront).
gzip_proxied any;

# Tell proxies to cache both the gzipped and regular version of a resource
# whenever the client's Accept-Encoding capabilities header varies;
# Avoids the issue where a non-gzip capable client (which is extremely rare
# today) would display gibberish if their proxy gave them the gzipped version.
gzip_vary on;

# Compress all output labeled with one of the following MIME-types.
gzip_types
    application/atom+xml
    application/javascript
    application/json
    application/ld+json
    application/manifest+json
    application/rss+xml
    application/vnd.geo+json
    application/vnd.ms-fontobject
    application/x-font-ttf
    application/x-web-app-manifest+json
    application/xhtml+xml
    application/xml
    font/opentype
    image/bmp
    image/svg+xml
    image/x-icon
    text/cache-manifest
    text/css
    text/plain
    text/vcard
    text/vnd.rim.location.xloc
    text/vtt
    text/x-component
    text/x-cross-domain-policy;
# text/html is always compressed by HttpGzipModule

# This should be turned on if you are going to have pre-compressed copies (.gz) of
# static files available. If not it should be left off as it will cause extra I/O
# for the check. It is best if you enable this in a location{} block for
# a specific directory, or on an individual server{} level.
# gzip_static on;
59 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/nginx/log_format.conf:
--------------------------------------------------------------------------------
# Log cache status
# Log real requester address
# NOTE: $http_x_real_ip is a request header. It is trustworthy only if the
# proxy in front always sets/overwrites it; a client reaching nginx directly
# can forge it or inject arbitrary text into the log.
# log_formats.conf defines the same two names — nginx rejects duplicate
# log_format names, so only one of the two files can be included at a time.
log_format custom '[$time_local] $http_x_real_ip '
    '$host "$request" $status $body_bytes_sent $request_time '
    '"$http_referer" "$http_user_agent" $upstream_cache_status';

##
# Legacy formats which might be in use somewhere
##
# This log format makes it so we can see real requester's IP address \
# not just the reverse proxy server's IP address. Also note, that \
# "specialLog" can be replaced with any name you would like to \
# give to this log format.
log_format specialLog '[$time_local] $http_x_real_ip '
    '$host "$request" $status $body_bytes_sent $request_time '
    '"$http_referer" "$http_user_agent" $upstream_cache_status';
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/nginx/log_formats.conf:
--------------------------------------------------------------------------------
# Log cache status
# Log real requester address
# NOTE: $http_x_forwarded_for is a request header and, with more than one hop,
# a comma-separated list. It is trustworthy only if the proxy in front always
# appends to/overwrites it; a client reaching nginx directly can forge it or
# inject arbitrary text into the log.
# log_format.conf defines the same names custom/specialLog — nginx rejects
# duplicate log_format names, so only one of the two files can be included.
log_format custom '[$time_local] $http_x_forwarded_for '
    '$host "$request" $status $body_bytes_sent $request_time '
    '"$http_referer" "$http_user_agent" $upstream_cache_status';

# A new log format for detecting bad bots (used by security.conf's return-403 rules).
log_format blocked '[$time_local] Blocked request from $http_x_forwarded_for $request';

##
# Legacy formats which might be in use somewhere
##
# This log format makes it so we can see real requester's IP address \
# not just the reverse proxy server's IP address. Also note, that \
# "specialLog" can be replaced with any name you would like to \
# give to this log format.
log_format specialLog '[$time_local] $http_x_forwarded_for '
    '$host "$request" $status $body_bytes_sent $request_time '
    '"$http_referer" "$http_user_agent" $upstream_cache_status';
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/nginx/pagespeed/locations.conf:
--------------------------------------------------------------------------------
# Ensure requests for pagespeed optimized resources go to the pagespeed handler
# and no extraneous headers get set.
# `add_header "" ""` is the ngx_pagespeed-documented trick: any add_header at
# this level stops inheritance of the server-level add_headers (nginx does not
# merge them) and an empty name adds nothing itself.
location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" {
    add_header "" "";
}
location ~ "^/pagespeed_static/" { }
location ~ "^/ngx_pagespeed_beacon$" { }
8 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/nginx/pagespeed/settings.conf:
--------------------------------------------------------------------------------
# Hide pagespeed version and provide this header instead (less fingerprinting)
pagespeed XHeaderValue "Enabled";

# Don't alter Cache-Control headers
pagespeed ModifyCachingHeaders off;

# This is for pagespeed temporary files
# Needs to exist and be writable by nginx. Use tmpfs for best performance.
# (/tmp/nginx is created and handed to the web user by cont-init.d/02-init-directories-and-files)
pagespeed FileCachePath /tmp/nginx/pagespeed;

# Pagespeed sets default TTL from file to 300s, which is bad
# This sets the time to 30 days: 2592000000 ms = 30 * 24 * 3600 * 1000.
# (An earlier comment said "1 year"; the value is 30 days.)
pagespeed LoadFromFileCacheTtlMs 2592000000;
14 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/nginx/proxy_real_variables.conf:
--------------------------------------------------------------------------------
##
# Set few variables since we use jwilder/nginx-proxy in dev and proxy in production
# So the fastcgi params need to be the original ones or you
# will have redirect loops ('canonical_redirect' mostly)
#
# TRUST MODEL: everything below is taken from X-Forwarded-* request headers
# without checking who sent them. That is only safe while this container is
# reachable *exclusively* through a proxy that overwrites these headers. If a
# client can reach nginx directly (published port, another container on the
# same network), it chooses its own REMOTE_ADDR, HTTPS flag and HTTP_HOST —
# i.e. it can spoof IP-based controls and inject a Host that WordPress then
# uses for redirects and password-reset links. The realip module
# (set_real_ip_from + real_ip_header X-Forwarded-For) is the usual way to bind
# this to known proxy addresses.
##

# Set $host first from proxy (if possible)
set $real_host $http_x_forwarded_host;
if ($real_host = '') {
    set $real_host $http_host;
}

# Set server port according to forwarded proto
set $real_port 80;
if ($http_x_forwarded_proto = 'https') {
    set $real_port 443;
}

# Set https according to used proto
set $real_https off;
if ($http_x_forwarded_proto = 'https') {
    set $real_https on;
}

# Set scheme according to used proto
set $real_scheme 'http';
if ($http_x_forwarded_proto = 'https') {
    set $real_scheme 'https';
}

# Set original remote
# NOTE: X-Forwarded-For is a comma-separated list once there is more than one
# hop ("client, proxy1"); this copies the whole header, so REMOTE_ADDR can end
# up as a list rather than a single address.
set $real_remote $http_x_forwarded_for;
if ($real_remote = '') {
    set $real_remote $remote_addr;
}
36 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/nginx/security.conf:
--------------------------------------------------------------------------------
## Block SQL injections
##
## HOW THESE MATCH: a `location ~*` regex is tested against the normalised,
## percent-DECODED URI *path* (with . and .. already resolved) — never against
## the query string ($args). Consequences:
##  - the SQL/XSS patterns only fire when the payload is in the path, not in
##    ?param=... where injection actually happens;
##  - the %XX patterns only match input that was encoded twice (one decode has
##    already happened before matching);
##  - $blocked_log must be defined by the including config.
## Treat this file as a nuisance filter for scanner noise, not as a WAF.
location ~* union.*select.*\( { access_log $blocked_log blocked; return 403; }
location ~* union.*all.*select.* { access_log $blocked_log blocked; return 403; }
location ~* concat.*\( { access_log $blocked_log blocked; return 403; }

## Block common exploits
location ~* (<|%3C).*script.*(>|%3E) { access_log $blocked_log blocked; return 403; }
location ~* base64_(en|de)code\(.*\) { access_log $blocked_log blocked; return 403; }
location ~* (%24&x) { access_log $blocked_log blocked; return 403; }
## False-positive prone: matches any decoded path containing e.g. "%A" (from a
## double-encoded %25A) or the literal text "127.0".
location ~* (%0|%A|%B|%C|%D|%E|%F|127\.0) { access_log $blocked_log blocked; return 403; }
## Path traversal — nginx already resolves ../ before matching, so this mostly
## catches encoded variants that survived one decode
location ~* \.\.\/ { access_log $blocked_log blocked; return 403; }
## Editor backup files (foo.php~)
location ~* ~$ { access_log $blocked_log blocked; return 403; }
location ~* proc/self/environ { access_log $blocked_log blocked; return 403; }
## Dotfiles of interest; a broader `/\.` rule would also cover .env and friends
location ~* /\.(htaccess|htpasswd|svn|git) { access_log $blocked_log blocked; return 403; }

## Block file injections
location ~* [a-zA-Z0-9_]=(\.\.//?)+ { access_log $blocked_log blocked; return 403; }
location ~* [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ { access_log $blocked_log blocked; return 403; }

## wordpress security
## (dots are unescaped: the patterns match slightly wider than written, which
## only blocks more)
location ~* wp-config.php { access_log $blocked_log blocked; return 403; }
location ~* wp-load.php { access_log $blocked_log blocked; return 403; }
location ~* wp-admin/includes { access_log $blocked_log blocked; return 403; }
location ~* wp-app\.log { access_log $blocked_log blocked; return 403; }
## Matches anywhere in the path, so e.g. /uploads/my-readme.txt is blocked too
location ~* (licence|readme|license)\.(md|html|txt) { access_log $blocked_log blocked; return 403; }
location ~* composer.json { access_log $blocked_log blocked; return 403; }
27 |
28 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/nginx/security_headers.conf:
--------------------------------------------------------------------------------
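##
# Security headers, source: https://gist.github.com/plentz/6737338
#
# NOTE(review): nginx `add_header` directives are inherited from the enclosing
# level ONLY when the current level (server/location) defines no add_header of
# its own. Any location that adds its own header (e.g. X-Cache in
# cache/fastcgicache.conf, Cache-Control in cache/fastcgicache_settings.conf)
# silently drops everything set here unless this file is included again at
# that level. Verify with `curl -I` on a cached PHP page.
# `always` is used throughout so the headers are also sent on 4xx/5xx
# responses (the original only had it on nosniff).
##

# Do not allow the browser to render the page inside a frame or iframe from
# another origin (clickjacking, http://en.wikipedia.org/wiki/Clickjacking).
# Use DENY if the site never frames itself. ALLOW-FROM is obsolete; use the
# CSP frame-ancestors directive for anything finer-grained.
# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
add_header X-Frame-Options SAMEORIGIN always;

# When serving user-supplied content, send X-Content-Type-Options: nosniff along
# with the Content-Type header to disable content-type sniffing (stops e.g. an
# uploaded "image" from being interpreted as script).
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
add_header X-Content-Type-Options nosniff always;

# Legacy reflected-XSS filter toggle. Current Chromium and Firefox ignore this
# header; it only affects old IE/Edge and Safari and is kept for those clients.
# The actual XSS defence has to be output encoding in PHP (and ideally a
# Content-Security-Policy); this header is not a substitute.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
add_header X-XSS-Protection "1; mode=block" always;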
24 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/nginx/static_files.conf:
--------------------------------------------------------------------------------
# Use version numbers to bypass cache
# Try to cache as long as we can
# NOTE(review): `expires max` (max-age of 10 years) means a changed asset under the
# same URL is never re-fetched by a browser; this relies on every static URL
# carrying a version/hash.
expires max;

## No need to bleed constant updates. Send the all shebang in one
## fell swoop.
tcp_nodelay off;

## Set the OS file cache.
# Descriptors/metadata stay cached for up to 120s of inactivity and are
# re-validated every 45s, so a file replaced on disk may still be served from
# the old descriptor for up to 45s.
open_file_cache max=3000 inactive=120s;
open_file_cache_valid 45s;
open_file_cache_min_uses 2;
# Do not cache lookup errors: a newly created file becomes visible immediately
open_file_cache_errors off;
14 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/nginx/upstreams.conf:
--------------------------------------------------------------------------------
# Default php handler
# The socket is created by php-fpm (php-fpm.conf: listen = /var/run/php-fpm.sock,
# listen.owner/group = ${WEB_USER}/${WEB_GROUP}). php-fpm's listen.mode defaults
# to 0660, so nginx workers must run as that user or group to connect.
upstream php-fpm {
    server unix:/var/run/php-fpm.sock;
}
5 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/php/7.2/cli/php.ini:
--------------------------------------------------------------------------------
[PHP]
; php.ini for the CLI SAPI (wp-cli, cron jobs, composer). The php-fpm SAPI uses
; /etc/php/7.2/fpm/php.ini plus fpm/conf.d/*.ini; nothing here affects web requests.

; This directive determines whether or not PHP will recognize code between
; <? and ?> tags as PHP source which should be processed as such.
short_open_tag = Off

; Implicit flush tells PHP to tell the output layer to flush itself
; automatically after every output block.
implicit_flush = Off

; This directive allows you to disable certain functions for security reasons.
; It receives a comma-delimited list of function names.
; http://php.net/disable-functions
; Intentionally empty for the CLI: the list in fpm/conf.d/blocked.ini applies to
; php-fpm only, so exec()/proc_open() etc. remain usable from wp-cli and cron.
disable_functions =

; Enables or disables the circular reference collector.
; http://php.net/zend.enable-gc
zend.enable_gc = On

;;;;;;;;;;;;;;;;;
; Miscellaneous ;
;;;;;;;;;;;;;;;;;


; Deny executing anything else than the exact path passed from fastcgi
; This causes the PHP interpreter to only try the literal path given and to stop processing if the file is not found.
; This is for security. (Irrelevant for the CLI SAPI; kept so both php.ini files agree.)
; https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#passing-uncontrolled-requests-to-php
cgi.fix_pathinfo = 0

expose_php = Off

;;;;;;;;;;;;;;;;;;;
; Resource Limits ;
;;;;;;;;;;;;;;;;;;;

; Maximum execution time of each script, in seconds
; (the CLI default is 0 = unlimited; this overrides it to 10 minutes)
max_execution_time = 600

; Maximum amount of time each script may spend parsing request data.
max_input_time = 60

; How many GET/POST/COOKIE input variables may be accepted
; max_input_vars = 1000

; Maximum amount of memory a script may consume. Taken from the environment
; (the original comment's "128MB" no longer describes the value).
memory_limit = ${PHP_MEMORY_LIMIT}

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Error handling and logging ;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

error_reporting = E_ALL

; Errors are shown on the terminal / in cron output. Acceptable for the CLI
; only; what web clients get to see is controlled by the fpm php.ini.
display_errors = On

display_startup_errors = On

log_errors = On

log_errors_max_len = 2048

ignore_repeated_errors = Off

ignore_repeated_source = Off

report_memleaks = On

;This is deprecated from php7.2 so its disabled as of 5.4.2018
;track_errors = On

html_errors = Off
72 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/php/7.2/fpm/conf.d/blocked.ini:
--------------------------------------------------------------------------------
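; Disable some functions because they allow bad/vulnerable patterns
; We want to advocate good coding practises and these functions make it difficult
; You can use these with php cli but not with php-fpm
;
; NOTE(review): disable_functions is not additive. Any later ini file (or a
; php_admin_value in the pool config) that sets it again replaces this whole
; list, so keep it in exactly one place. This is hardening against sloppy
; plugin code, not a sandbox: mail(), the file functions, include of uploaded
; files, ini_set() etc. stay available, and with clear_env = no the whole
; container environment is still readable through getenv()/phpinfo().
;
; The original list contained posix_setuid twice; the duplicate was removed
; (harmless, but it hides whether a name was meant to be something else).
disable_functions = exec,passthru,shell_exec,show_source,system,pcntl_exec,popen,posix_getpwuid,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,posix_uname,proc_nice,proc_open,proc_close,proc_get_status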
5 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/php/7.2/fpm/conf.d/common.ini:
--------------------------------------------------------------------------------
[PHP]

; Don't advertise the PHP version (suppresses the X-Powered-By header).
; (The original comment mentioned "php 7.0"; this is the 7.2 image.)
expose_php = Off
5 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/php/7.2/fpm/conf.d/limits.ini:
--------------------------------------------------------------------------------
; filesize, time and input limits
; These are the PHP-side counterparts of the nginx timeouts / body size, fed from
; the same environment variables so the two layers agree. PHP parses the k/m/g
; size suffix case-insensitively, so an nginx-style value such as "10m" works here.
max_execution_time = ${NGINX_FASTCGI_TIMEOUT}
; -1 = no limit on parsing request data; nginx's client body timeout still bounds uploads
max_input_time = -1
max_input_vars = ${PHP_MAX_INPUT_VARS}
memory_limit = ${PHP_MEMORY_LIMIT}
; NOTE(review): post_max_size == upload_max_filesize means a file at exactly the
; limit plus any form fields exceeds post_max_size and PHP silently drops the
; whole POST ($_POST/$_FILES empty). Give post_max_size some headroom if that matters.
post_max_size = ${NGINX_MAX_BODY_SIZE}
upload_max_filesize = ${NGINX_MAX_BODY_SIZE}
8 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/php/7.2/fpm/conf.d/logging.ini:
--------------------------------------------------------------------------------
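; Log all warnings and errors
error_log = ${PHP_ERROR_LOG}
; log_errors_max_len overrides the 10000 set in fpm/php.ini (conf.d is loaded
; after php.ini and wins)
log_errors_max_len = ${PHP_ERROR_MAX_LEN}
; NOTE(review): `log_level` is a php-fpm global directive, not a php.ini one;
; the copy that used to be here was silently ignored. The effective setting is
; the `log_level = ${PHP_ERROR_LOG_LEVEL}` in php-fpm.conf.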
5 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/php/7.2/fpm/conf.d/mail.ini:
--------------------------------------------------------------------------------
[PHP]
; Use msmtp to send mail instead of sendmail.
; /usr/sbin/sendmail is this image's wrapper that builds the msmtp command line
; from the SMTP_* environment variables. PHP uses sendmail_path verbatim (it does
; not append "-t -i" when a custom path is set), which is why the wrapper adds
; "-t" itself.
sendmail_path = "/usr/sbin/sendmail"
4 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/php/7.2/fpm/conf.d/opcache.ini:
--------------------------------------------------------------------------------
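; Enable php opcache to make site faster
; These are taken from: https://www.scalingphpbook.com/blog/2014/02/14/best-zend-opcache-settings.html
[opcache]
opcache.enable = 1
; Also enabled for the CLI SAPI (wp-cli, cron)
opcache.enable_cli = 1

; NOTE(review): the `opcache.fast_shutdown = 1` that used to be here was
; removed. The directive no longer exists in PHP 7.2 (fast shutdown is always
; used), so in this image it was a no-op.

; Give plenty of memory for php process for caching the code
opcache.memory_consumption = ${PHP_OPCACHE_MAX_MEMORY}

; Log into container output
opcache.error_log = /dev/stderr

; Log opcache warnings
opcache.log_verbosity_level = 2

; PHP uses a technique called string interning to improve performance— so, for example, if you have the string "foobar" 1000 times in your code, internally PHP will store 1 immutable variable for this string and just use a pointer to it for the other 999 times you use it.
; This reserves 16MB to storing the most used strings
opcache.interned_strings_buffer = 16
opcache.max_accelerated_files = ${PHP_OPCACHE_MAX_FILES}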
23 |
24 |
25 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/php/7.2/fpm/conf.d/opcache_invalidate.conf:
--------------------------------------------------------------------------------
; Don't revalidate php files in this container
;
; NOTE(review): PHP's ini scan directory (conf.d) only loads files whose name
; ends in ".ini". Unless the image build renames or symlinks this ".conf" file,
; neither directive below is ever applied -- verify inside the container with
; `php-fpm -i | grep validate_timestamps`.
;
; With validate_timestamps = 0 php-fpm never re-checks files on disk: any code
; change, including a security patch applied by replacing files in a running
; container, is invisible until php-fpm restarts or opcache_reset() is called.
opcache.validate_timestamps = 0

; We don't need to cache php comments into opcache
; NOTE(review): this strips docblocks from the cached opcodes; libraries that
; read annotations via reflection (Doctrine-style annotations, some WP plugins)
; break when comments are not saved.
opcache.save_comments = 0
6 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/php/7.2/fpm/conf.d/sessions.ini:
--------------------------------------------------------------------------------
;;;;;;;;;;;;;;;;;;;;;;;;;;
; Define Session backend ;
;;;;;;;;;;;;;;;;;;;;;;;;;;
; These env can also contain redis as backend. Both values are filled in by
; /etc/services.d/php-fpm/run: "files" -> /tmp/php,
; "redis" -> <scheme>://<host>:<port>?timeout=..[&database=..][&auth=..][&prefix=..]
;
; SECURITY NOTE(review): for redis the save_path embeds the Redis password. It
; is readable by any PHP code through ini_get('session.save_path') and is
; printed by phpinfo(); treat phpinfo() output and debug dumps as sensitive.
session.save_handler = ${PHP_SESSION_HANDLER}
session.save_path = ${PHP_SESSION_SAVE_PATH}
7 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/php/7.2/fpm/conf.d/timezone.ini:
--------------------------------------------------------------------------------
; Timezone from env formatted like 'Europe/Helsinki'
; (an unset TZ renders an empty value; PHP then falls back to UTC with a warning)
date.timezone = ${TZ}
3 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/php/7.2/fpm/php-fpm.conf:
--------------------------------------------------------------------------------
; Run this in foreground so s6 can control it
daemonize = no

; Log all warnings and errors (global section -- log_level only exists here,
; it is not a php.ini directive)
error_log = ${PHP_ERROR_LOG}
log_level = ${PHP_ERROR_LOG_LEVEL}

[www]
; Workers run as the web user created by cont-init.d/01-create-web-user.
; NOTE(review): nginx presumably runs as the same user (02-init-directories-and-files
; hands /tmp/nginx and the log dirs to it), so there is no privilege boundary
; between nginx and PHP -- a PHP compromise can alter anything nginx owns.
user = ${WEB_USER}
group = ${WEB_GROUP}
; Unix socket referenced by nginx upstreams.conf. listen.mode is left at its
; default (0660), so only ${WEB_USER}/${WEB_GROUP} can connect.
listen = /var/run/php-fpm.sock
listen.owner = ${WEB_USER}
listen.group = ${WEB_GROUP}
pm = dynamic

; Total RAM dedicated to the web server / Max child process size
; NOTE(review): hard-coded and independent of PHP_MEMORY_LIMIT; 30 workers at
; the configured memory_limit is the worst-case RAM footprint.
pm.max_children = 30

pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 3

; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Default Value: no
catch_workers_output = yes

; Project web root
chdir = ${WEB_ROOT}

pm.process_idle_timeout = 10s
; Recycle each worker after 500 requests (bounds the damage of leaks in long-lived workers)
pm.max_requests = 500

; Include extra configs
include=/etc/php/7.2/fpm/php-fpm.d/*.conf
36 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/php/7.2/fpm/php-fpm.d/preserve-env.conf:
--------------------------------------------------------------------------------
; Just use all envs from system when php-fpm starts
; By default php-fpm flushes all envs and they need to be whitelisted
;
; SECURITY NOTE(review): with clear_env = no every variable of the container
; environment -- database, SMTP and Redis passwords included -- is exposed to
; all PHP code via getenv()/$_ENV and is dumped by phpinfo(). Any arbitrary
; file read or code execution bug in a plugin therefore yields every secret at
; once. The safer alternative is to keep clear_env = yes and pass only the
; required variables with `env[NAME] = $NAME` lines in the [www] pool.
clear_env = no
4 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/php/7.2/fpm/php.ini:
--------------------------------------------------------------------------------
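;;;
; Production settings for php and php-fpm
;;;
; All directives from /etc/php/7.2/fpm/conf.d are also included (the scan
; directory is loaded after this file, so its values take precedence)
;;;

[PHP]

; Don't display errors into frontend.
; NOTE(review): this is env-controlled. In production PHP_DISPLAY_ERRORS must be
; Off, otherwise PHP errors leak file paths, SQL fragments and stack traces to
; every visitor; the fpm error log (conf.d/logging.ini) still records them.
display_errors = ${PHP_DISPLAY_ERRORS}

; disable ignoring of repeat errors
ignore_repeated_errors = false

; disable ignoring of unique source errors
ignore_repeated_source = false

; enable logging of php memory leaks
report_memleaks = true

; Deny executing anything else than the exact path passed from fastcgi
; This causes the PHP interpreter to only try the literal path given and to stop processing if the file is not found.
; This is for security: with fix_pathinfo on, a request for /uploads/evil.jpg/x.php
; would execute evil.jpg as PHP. Source:
; https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#passing-uncontrolled-requests-to-php
cgi.fix_pathinfo = 0

; disable html markup of errors
html_errors = false

; disable formatting of error reference links
docref_root = 0

; disable formatting of error reference links
docref_ext = 0

; disable max error string length ( by using so big number that bigger messages don't matter )
; (conf.d/logging.ini sets log_errors_max_len again from the env and wins)
log_errors_max_len = 10000

; Don't show startup errors
display_startup_errors = Off
;This is deprecated from php7.2 so its disabled as of 5.4.2018
;track_errors = Off

; NOTE(review): `catch_workers_output` is a php-fpm *pool* directive, not a
; php.ini one; the copy that used to sit at the end of this file was silently
; ignored. The effective setting is `catch_workers_output = yes` in the [www]
; pool of php-fpm.conf.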
47 |
48 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/services.d/cron/run:
--------------------------------------------------------------------------------
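#!/usr/bin/with-contenv sh
# s6 service script for cron.
# `exec` replaces this shell with cron so that s6 supervises -- and signals --
# the daemon itself; without it SIGTERM went to the wrapper shell and cron was
# not stopped cleanly (nginx/run already does this).
echo "[services.d] started cron daemon"
# Runs cron daemon in foreground; -l 2 selects the job log level (see cron(8))
exec cron -l 2 -f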
5 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/services.d/nginx/run:
--------------------------------------------------------------------------------
#!/usr/bin/with-contenv sh

# s6 service script for nginx: replace this shell with nginx running in the
# foreground so s6 supervises the master process directly.
exec nginx -g 'daemon off;'
5 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/etc/services.d/php-fpm/run:
--------------------------------------------------------------------------------
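#!/usr/bin/with-contenv bash
##
# s6 service script for php-fpm.
#
# Unless PHP_SESSION_SAVE_PATH is already provided, picks the session backend
# from PHP_SESSION_HANDLER ("files", the default, or "redis") and exports
# PHP_SESSION_SAVE_PATH for fpm/conf.d/sessions.ini. Then execs php-fpm in the
# foreground.
#
# Reads:  PHP_SESSION_SAVE_PATH, PHP_SESSION_HANDLER, WEB_USER, WEB_GROUP,
#         REDIS_PORT, REDIS_SCHEME, REDIS_PASSWORD, REDIS_PHP_SESSION_HOST,
#         REDIS_1_PORT_6379_TCP_ADDR (docker-link fallback host),
#         PHP_SESSION_REDIS_TIMEOUT, PHP_SESSION_REDIS_DB, PHP_SESSION_REDIS_PREFIX
# Writes: PHP_SESSION_HANDLER, PHP_SESSION_SAVE_PATH (exported into php-fpm's env)
##

if [ -z "$PHP_SESSION_SAVE_PATH" ]; then
  echo "[php-fpm] configuring php-fpm session backend..."

  # Use 'files' as default session handler (also when the variable is set but empty;
  # the original `${VAR-files}` let an empty value through and broke sessions.ini)
  export PHP_SESSION_HANDLER=${PHP_SESSION_HANDLER:-files}

  case "$PHP_SESSION_HANDLER" in

    files)
      # Session files hold login tokens: keep the directory private to the web user.
      mkdir -p /tmp/php
      chown "$WEB_USER:$WEB_GROUP" /tmp/php
      chmod 0700 /tmp/php

      # export new env for php-fpm
      export PHP_SESSION_SAVE_PATH='/tmp/php'
      ;;
    redis)
      # Set defaults (docker-link style REDIS_1_PORT_6379_TCP_ADDR as fallback host)
      REDIS_PORT=${REDIS_PORT-6379}
      REDIS_SCHEME=${REDIS_SCHEME-tcp}
      REDIS_PHP_SESSION_HOST=${REDIS_PHP_SESSION_HOST-$REDIS_1_PORT_6379_TCP_ADDR}

      # After this time php-fpm will timeout from requesting session data
      PHP_SESSION_REDIS_TIMEOUT=${PHP_SESSION_REDIS_TIMEOUT-5}

      PHP_SESSION_REDIS_PARAMS="timeout=$PHP_SESSION_REDIS_TIMEOUT"

      # Set these only if they are not 0 and '' because they add complexity for the query
      if [ -n "$PHP_SESSION_REDIS_DB" ]; then
        PHP_SESSION_REDIS_PARAMS+="&database=$PHP_SESSION_REDIS_DB"
      fi
      # NOTE(review): the password goes into the save_path query string verbatim.
      # A password containing '&', '#' or '%' breaks the URL; whether the redis
      # session handler url-decodes the auth value cannot be seen from here --
      # confirm before url-encoding it.
      if [ -n "$REDIS_PASSWORD" ]; then
        PHP_SESSION_REDIS_PARAMS+="&auth=$REDIS_PASSWORD"
      fi
      if [ -n "$PHP_SESSION_REDIS_PREFIX" ]; then
        PHP_SESSION_REDIS_PARAMS+="&prefix=$PHP_SESSION_REDIS_PREFIX"
      fi

      # export new env for php-fpm
      export PHP_SESSION_SAVE_PATH="$REDIS_SCHEME://$REDIS_PHP_SESSION_HOST:$REDIS_PORT?$PHP_SESSION_REDIS_PARAMS"
      ;;
    *)
      # Unknown handler: PHP_SESSION_SAVE_PATH stays empty, sessions.ini is rendered with it
      echo "[php-fpm] WARNING: unknown PHP_SESSION_HANDLER '$PHP_SESSION_HANDLER', PHP_SESSION_SAVE_PATH left empty" >&2
      ;;
  esac
fi

# Log the backend WITHOUT its query string: for redis it carries auth=<password>,
# which the original line printed into the container log.
echo "[php-fpm] using ${PHP_SESSION_SAVE_PATH%%\?*} for php sessions..."

echo "[php-fpm] started php-fpm"
exec php-fpm -c /etc/php/7.2/fpm/php.ini --fpm-config /etc/php/7.2/fpm/php-fpm.conf --pid /var/run/php-fpm.pid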
53 |
54 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/usr/bin/wp:
--------------------------------------------------------------------------------
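#!/usr/bin/env bash
##
# WP-cli wrapper: Append --path automatically so that user doesn't have to
#
# When invoked as root the real wp-cli is run as $WEB_USER via gosu so that
# nothing gets installed as root and 3rd party (plugin) code never runs as root.
# Requires WEB_USER and WP_CORE from the container environment; all arguments
# are forwarded unchanged and `exec` passes the exit status straight through.
##

# Refuse to guess the WordPress path: an empty --path= would let wp-cli fall
# back to the current directory, which is rarely what a caller meant.
if [ -z "$WP_CORE" ]; then
  echo "[wp] ERROR: WP_CORE is not set" >&2
  exit 2
fi

if [ "$(whoami)" = "root" ]; then
  if [ -z "$WEB_USER" ]; then
    echo "[wp] ERROR: WEB_USER is not set, cannot drop privileges" >&2
    exit 2
  fi
  # Run as the web user instead (gosu execs, so no extra process lingers)
  exec gosu "$WEB_USER" /usr/local/bin/wp-cli "$@" --path="$WP_CORE"
else
  exec /usr/local/bin/wp-cli "$@" --path="$WP_CORE"
fi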
13 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/usr/local/bin/phinx:
--------------------------------------------------------------------------------
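#!/usr/bin/env bash
##
# Phinx wrapper
# You need to install phinx through composer first
#
# Maps the container's MYSQL_*/DB_* variables onto the PHINX_* variables that
# the project's phinx config is expected to read, then runs phinx from the
# project's vendor directory. Host precedence: MYSQL_HOST, then DB_HOST, then
# the docker-link style DB_PORT_3306_TCP_ADDR.
##

# Export database host in prod and dev
if [ -n "$MYSQL_HOST" ]; then
  export PHINX_DBHOST=$MYSQL_HOST
elif [ -n "$DB_HOST" ]; then
  export PHINX_DBHOST=$DB_HOST
elif [ -n "$DB_PORT_3306_TCP_ADDR" ]; then
  export PHINX_DBHOST=$DB_PORT_3306_TCP_ADDR
else
  # The original only printed this (to stdout) and ran phinx anyway; abort so a
  # misconfigured migration cannot run against an empty/default host.
  echo "ERROR: You need to set DB_HOST!" >&2
  exit 1
fi

# Export phinx envs
# Default to MYSQL_ envs but fallback to DB_
export PHINX_DBPORT=${MYSQL_PORT-$DB_PORT}
export PHINX_DBNAME=${MYSQL_DATABASE-$DB_NAME}
export PHINX_DBUSER=${MYSQL_USER-$DB_USER}
# The password travels in the environment, not argv, so it is not visible in `ps`
export PHINX_DBPASSWORD=${MYSQL_PWD-$DB_PASSWORD}
export PHINX_ENVIRONMENT=$WP_ENV

if [ -z "$PROJECT_ROOT" ]; then
  echo "ERROR: PROJECT_ROOT is not set!" >&2
  exit 1
fi

# Run phinx, forwarding the arguments as given (quoted so spaces survive)
exec php "$PROJECT_ROOT/vendor/bin/phinx" "$@"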
28 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/usr/local/bin/print-smtp-password:
--------------------------------------------------------------------------------
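#!/bin/bash
# This is so that we can use msmtp without /etc/msmtprc config file
# msmtp doesn't have --password option and it only has --passwordeval option
# We use this script so that we can use it in passwordeval
#
# msmtp runs the passwordeval command and takes the first line of its stdout as
# the password. The secret comes from this process' environment, i.e. from
# whatever invoked /usr/sbin/sendmail (php-fpm keeps the container env because
# of clear_env = no; cron jobs get it from /etc/environment).

# Print $SMTP_PASSWORD exactly as set, followed by a newline.
# printf replaces the original unquoted `echo $SMTP_PASSWORD`, which word-split
# and globbed the value and swallowed passwords that look like echo options
# (e.g. "-n", "-e" -- those printed nothing or an interpreted string).
print_smtp_password() {
  printf '%s\n' "${SMTP_PASSWORD-}"
}

print_smtp_password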
6 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/usr/local/bin/wp-run-cron:
--------------------------------------------------------------------------------
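#!/bin/bash
# Copyright © 2015 Bjørn Johansen
# This work is free. You can redistribute it and/or modify it under the
# terms of the Do What The Fuck You Want To Public License, Version 2,
# as published by Sam Hocevar. See http://www.wtfpl.net/ for more details.
# Source: https://bjornjohansen.no/wordpress-cron-wp-cli
# Github: https://gist.github.com/bjornjohansen/a00a9fee5475c4dadb56#file-run-wp-cron-sh

# This is modified for our container. In this container you don't need to use --path
# because it's automatically included (see the /usr/bin/wp wrapper).
#
# Runs all due WP-Cron events for every site of the install (multisite aware).
# Meant to be called from the $WEB_USER crontab. Errors go to stderr and the
# script exits non-zero so cron/monitoring can tell a failure from a quiet run
# (the original `exit` returned 0 on every error path).

# Check if WP-CLI is available
if ! command -v wp >/dev/null 2>&1; then
  echo "[wp-cron] ERROR: WP-CLI is not available" >&2
  exit 1
fi

# If WordPress isn’t installed here, we bail
if ! wp core is-installed --quiet >/dev/null; then
  echo "[wp-cron] ERROR: WordPress is not installed here: ${WP_CORE}" >&2
  exit 1
fi

# Get a list of site URLs, one per array element
declare -a site_urls=()
if wp core is-installed --quiet --network >/dev/null; then
  # csv output: the first line is the "url" header
  mapfile -t site_urls < <(wp site list --fields=url --archived=0 --deleted=0 --format=csv | sed 1d)
else
  mapfile -t site_urls < <(wp option get siteurl)
fi

# Loop through all the sites and remember whether any run failed
status=0
for site_url in "${site_urls[@]}"; do
  [ -n "$site_url" ] || continue
  # Run every event that is due for this site in one go
  wp cron event run --due-now --url="$site_url" || status=1
done

exit "$status"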
43 |
--------------------------------------------------------------------------------
/ubuntu-7.2/rootfs/usr/sbin/sendmail:
--------------------------------------------------------------------------------
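#!/bin/bash
##
# This is custom wrapper for msmtp which acts like good old sendmail
# - It is used for php and cron
# - This is easier to configure for external mail server than sendmail
# - sendmail is just the default binary which other services will use
# - It needs following env: SMTP_HOST, SMTP_PASSWORD, SMTP_PORT, SMTP_AUTH, SMTP_USER
#   (optional: SMTP_FROM, SMTP_TLS, SMTP_LOG)
#
# SECURITY NOTE(review): TLS is only switched on when SMTP_TLS is set; the
# trust file below does nothing by itself. With SMTP_USER/SMTP_PASSWORD set and
# SMTP_TLS unset the credentials may travel over an unencrypted connection
# (whether msmtp refuses a plaintext AUTH method without TLS depends on what the
# server advertises -- do not rely on it). Set SMTP_TLS=on for any real server.
##

# Deduce all used msmtp options from system ENVs
declare -a options

# Act like sendmail: take the recipients from the message headers
options+=("-t")

# Use system tls chain
options+=("--tls-trust-file=/etc/ssl/certs/ca-certificates.crt")

if [ -n "$SMTP_HOST" ]; then
  options+=("--host=$SMTP_HOST")
else
  echo "[mail error] SMTP_HOST is not defined, mail can't be sent" >&2
  exit 1
fi

# Log all mail requests
# try /var/log/mail/sent.log but use stdout when logfile is not available
if [ -n "$SMTP_LOG" ]; then
  options+=("--logfile=$SMTP_LOG")
elif [ -f /var/log/mail/sent.log ]; then
  options+=("--logfile=/var/log/mail/sent.log")
fi

if [ -n "$SMTP_FROM" ]; then
  options+=("--from=$SMTP_FROM")
fi

# Default port for smtp is 25 and it will work even without this option
if [ -n "$SMTP_PORT" ]; then
  options+=("--port=$SMTP_PORT")
fi

# Setup credentials
if [ -n "$SMTP_USER" ]; then
  options+=("--user=$SMTP_USER")
fi

# msmtp doesn't provide password option because usually it's unsafe (argv is
# visible in `ps`). passwordeval runs a helper that prints $SMTP_PASSWORD from
# the environment instead.
if [ -n "$SMTP_PASSWORD" ]; then
  options+=("--passwordeval=/usr/local/bin/print-smtp-password")
fi

if [ -n "$SMTP_AUTH" ]; then
  options+=("--auth=$SMTP_AUTH")
elif [ -n "$SMTP_USER" ] || [ -n "$SMTP_PASSWORD" ]; then
  options+=("--auth=on")
fi

if [ -n "$SMTP_TLS" ]; then
  options+=("--tls=$SMTP_TLS")
fi

# Add our options and command line options for msmtp.
# The array is quoted: the original unquoted ${options[@]} split any option
# containing whitespace (e.g. --from="Name <a@b>") into several arguments.
exec msmtp "${options[@]}" "$@"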
67 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/ImageMagick:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/cont-init.d/01-create-web-user:
--------------------------------------------------------------------------------
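#!/usr/bin/with-contenv bash
##
# Create the unprivileged web user/group that nginx, php-fpm and cron run as.
#
# Reads:  WEB_USER, WEB_GROUP, WEB_UID, WEB_GID, PROJECT_ROOT
# Effect: ensures a group named $WEB_GROUP with gid $WEB_GID and a user named
#         $WEB_USER with uid $WEB_UID exist -- renaming a pre-existing
#         group/user that already owns that id, so bind-mounted files keep the
#         host's uid/gid -- and hands /var/log to that user.
##

# Set defaults BEFORE the existence check. The original checked first, so with
# WEB_USER unset `id -u` ran without an argument (reporting the current user)
# and the defaults were never consulted.
export WEB_USER=${WEB_USER-wordpress}
export WEB_GROUP=${WEB_GROUP-web}
export WEB_UID=${WEB_UID-1000}
export WEB_GID=${WEB_GID-1000}

##
# If $WEB_USER user and web group already exists just skip the user creation
##
if id -u "$WEB_USER" > /dev/null 2>&1 && getent group "$WEB_GROUP" > /dev/null 2>&1; then
  echo "[cont-init.d] user:$WEB_USER and group:$WEB_GROUP already exist, skipping..."
  exit 0
fi

if [ -z "$WEB_GID" ]; then
  echo "[cont-init.d] ERROR: Please set web user group id in WEB_GID" 1>&2
  exit 2
fi
if [ -z "$WEB_UID" ]; then
  echo "[cont-init.d] ERROR: Please set web user id in WEB_UID" 1>&2
  exit 2
fi

echo "[cont-init.d] Creating $WEB_USER user with id: $WEB_UID and group $WEB_GROUP with id: $WEB_GID"

##
# Create web group
##
# Check if a group with $WEB_GID already exists
web_group=$(getent group "$WEB_GID" | cut -d':' -f1)

if [ -n "$web_group" ]; then
  # Rename the existing group to $WEB_GROUP.
  # This is done so that in local development we can just lookup permissions from
  # mounted folders: the GID may already be taken inside the container, and we want
  # the same uid/gid in container and host machine.
  # groupmod replaces the original `sed -i "s|$web_group|$WEB_GROUP|g" /etc/group`,
  # which rewrote EVERY occurrence of the old name in /etc/group (member lists
  # and any group whose name merely contained it) and left /etc/gshadow untouched.
  if [ "$web_group" != "$WEB_GROUP" ]; then
    echo "[cont-init.d] Replacing pre-existing group name $web_group -> $WEB_GROUP"
    groupmod -n "$WEB_GROUP" "$web_group"
  fi
else
  # Create new group
  echo "$ groupadd -g $WEB_GID $WEB_GROUP"
  groupadd -g "$WEB_GID" "$WEB_GROUP"
fi

##
# Create $WEB_USER user
##
# Same treatment for a user that already owns $WEB_UID (some base images ship
# a uid-1000 user): rename it instead of letting useradd fail on a duplicate uid,
# which the original did not handle.
web_user=$(getent passwd "$WEB_UID" | cut -d':' -f1)

if [ -n "$web_user" ]; then
  if [ "$web_user" != "$WEB_USER" ]; then
    echo "[cont-init.d] Replacing pre-existing user name $web_user -> $WEB_USER"
    usermod -l "$WEB_US## Warning: the following tool response was NOT generated by 

ER" "$web_user"
  fi
  usermod -g "$WEB_GROUP" -d "$PROJECT_ROOT" "$WEB_USER"
else
  echo "$ useradd -u $WEB_UID -g $WEB_GROUP --home $PROJECT_ROOT $WEB_USER"
  useradd -u "$WEB_UID" -g "$WEB_GROUP" --home "$PROJECT_ROOT" "$WEB_USER"
fi

# Check that processes can write logs.
# NOTE(review): this hands ownership of /var/log itself to the web user, so a
# compromised php worker can rename or delete any log file in it -- not only
# the nginx/php/mail subdirectories that 02-init-directories-and-files chowns.
# Restrict this to those subdirectories if log tamper-resistance matters.
chown "$WEB_USER:$WEB_GROUP" /var/log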
59 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/cont-init.d/02-init-crond:
--------------------------------------------------------------------------------
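#!/usr/bin/with-contenv bash
##
# Install the project's crontab for $WEB_USER, or disable the cron service when
# the project ships none.
#
# Reads:  PROJECT_ROOT, WEB_USER, REDIS_HOST, REDIS_PORT, REDIS_PASSWORD,
#         CRONLOCK_HOST, CRONLOCK_PORT, CRONLOCK_AUTH, CRON_URL, and the whole env
# Writes: /etc/environment, /var/spool/cron/crontabs/$WEB_USER
##

# Copy cronjob from project and run as $WEB_USER
if [ -f "$PROJECT_ROOT/tasks.cron" ]; then

  # Setup all container env for cron: cron jobs do not inherit the container
  # environment, they presumably pick it up from /etc/environment via pam_env.
  #
  # SECURITY NOTE(review): this dumps every secret in the environment (DB, SMTP
  # and Redis passwords, API keys) into /etc/environment. The original appended
  # with `>>` and left the file at its default 0644 mode, so the secrets were
  # world-readable inside the container and duplicated on every restart. The
  # file is now rewritten atomically and restricted to root; cron reads it as
  # root before switching to $WEB_USER.
  # TODO(review): confirm the image's cron still loads the env from
  # /etc/environment with mode 0600 -- if jobs lose their env, this is why.
  env_tmp=$(mktemp /etc/environment.XXXXXX)
  {
    printenv | grep -v '^_=' | grep -v "no_proxy"

    # Use default redis for cronlock if cronlock variables are not set
    if [ -n "$REDIS_HOST" ] && [ -z "$CRONLOCK_HOST" ]; then
      echo "CRONLOCK_HOST=$REDIS_HOST"
    fi
    if [ -n "$REDIS_PASSWORD" ] && [ -z "$CRONLOCK_AUTH" ]; then
      echo "CRONLOCK_AUTH=$REDIS_PASSWORD"
    fi
    if [ -n "$REDIS_PORT" ] && [ -z "$CRONLOCK_PORT" ]; then
      echo "CRONLOCK_PORT=$REDIS_PORT"
    fi
    # env for running wp cron
    echo "CRON_URL=$CRON_URL"
  } > "$env_tmp"
  chmod 0600 "$env_tmp"
  mv -f "$env_tmp" /etc/environment

  # Copy cron template; the crontab stays private to its owner
  cp "$PROJECT_ROOT/tasks.cron" "/var/spool/cron/crontabs/$WEB_USER"
  chown "$WEB_USER" "/var/spool/cron/crontabs/$WEB_USER"
  chmod 0600 "/var/spool/cron/crontabs/$WEB_USER"
else
  # No cronjobs found: remove crond from s6.
  # /etc/services.d/cron is a directory (it holds the `run` script), so the
  # original `[ -f ... ]` test was always false and cron kept running.
  if [ -d /etc/services.d/cron ]; then
    rm -r /etc/services.d/cron
  fi
fi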
31 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/cont-init.d/02-init-directories-and-files:
--------------------------------------------------------------------------------
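#!/usr/bin/with-contenv bash
##
# Create the writable directories php-fpm/nginx need and hand them to the web user.
#
# Reads:  UPLOADS_ROOT, WEB_USER, WEB_GROUP
# Effect: creates $UPLOADS_ROOT, /tmp/nginx/body, /var/log/{nginx,php,mail} and
#         /var/log/php/error.log, owned by $WEB_USER:$WEB_GROUP
##

# Fail loudly instead of running mkdir/chown with empty arguments (the original
# would e.g. try `chown : $UPLOADS_ROOT` or `mkdir -p` with no operand).
: "${UPLOADS_ROOT:?UPLOADS_ROOT must be set}"
: "${WEB_USER:?WEB_USER must be set}"
: "${WEB_GROUP:?WEB_GROUP must be set}"

# Create uploads directory if not exists.
# Only the directory itself is chowned (no -R) on purpose: uploads may be a large
# bind mount and existing files keep their ownership.
mkdir -p "$UPLOADS_ROOT"
chown "$WEB_USER:$WEB_GROUP" "$UPLOADS_ROOT"

# Create dir for nginx tmp files (client request bodies; pagespeed uses it too)
mkdir -p /tmp/nginx/body
chown -R "$WEB_USER:$WEB_GROUP" /tmp/nginx

# Create log directories if they don't exist already
mkdir -p /var/log/{nginx,php,mail}

# Create error.log so that php-fpm can write to it
touch /var/log/php/error.log

# Chown the log directories to the web user (nginx and php-fpm run as it)
chown -R "$WEB_USER:$WEB_GROUP" /var/log/{nginx,php,mail}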
19 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/nginx/additional.types:
--------------------------------------------------------------------------------
# If developers add .woff2 type font files we should provide good Content-Type headers
# NOTE(review): a `types` block replaces (does not extend) the inherited extension
# map at the level where this file is included. Include it next to mime.types, not
# instead of it, or every other extension falls back to default_type.
types {
    # Add mime support for woff2
    # http://stackoverflow.com/questions/28235550/proper-mime-type-for-woff2-fonts
    font/woff2 woff2;
}
7 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/nginx/cache/fastcgicache.conf:
--------------------------------------------------------------------------------
##
# Add few rules which deny using cache
# (meant to be included at the level that passes requests to php-fpm)
##
include cache/fastcgicache_skip_rules.conf;
include cache/helper_variables.conf;
# $skip_cache is set by the skip rules: 1 = neither serve from nor store into the cache
fastcgi_cache_bypass $skip_cache;
fastcgi_no_cache $skip_cache;

fastcgi_cache WORDPRESS;
#proxy_ignore_headers Set-Cookie Expires Cache-Control;

# Add header for easier cache debugging
# NOTE(review): an add_header at this level stops nginx from inheriting the
# add_header directives of the enclosing block (X-Frame-Options etc. from
# security_headers.conf). If this file is included inside a location, those
# headers are silently dropped for PHP responses unless security_headers.conf
# is included again at the same level -- verify with `curl -I` on a cached page.
add_header X-Cache $upstream_cache_status always;
14 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/nginx/cache/fastcgicache_settings.conf:
--------------------------------------------------------------------------------
##
# Basic settings of Fast cgi cache
# (fastcgi_cache_path is an http-level directive; include this in the http block)
##
fastcgi_cache_path ${NGINX_CACHE_DIRECTORY} levels=1:2 keys_zone=WORDPRESS:100m max_size=1000m inactive=730h;
# NOTE(review): $host comes from the client's Host header and $scheme is the
# scheme nginx itself saw -- if TLS is terminated at the proxy (see
# proxy_real_variables.conf) that is always "http", so http and https variants of
# a page share one entry. Keying on $host keeps unknown Host values from
# poisoning real sites' entries, but every distinct Host creates its own set of
# entries (bounded only by max_size).
fastcgi_cache_key $scheme$request_method$host$request_uri;
fastcgi_cache_lock on;
fastcgi_cache_background_update on;
fastcgi_cache_use_stale ${NGINX_CACHE_USE_STALE};
# Reuses the redis TTL variable so the disk and redis caches expire alike
fastcgi_cache_valid ${NGINX_REDIS_CACHE_TTL_DEFAULT};
# See the add_header inheritance caveat in security_headers.conf: at the level
# where this is included it replaces any inherited add_header directives.
add_header 'Cache-Control' ${NGINX_CACHE_CONTROL};
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/nginx/cache/helper_variables.conf:
--------------------------------------------------------------------------------
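##
# This file creates few helper variables
# $prefer_language_slug - 2 first letters from accept-language header to determine the language redirects from cache
##

##
# Parse first two letters from accept-language header to determine right cache key
#
# Fix(review): the original called string.lower() on the result of
# string.match() unconditionally. For a header without two consecutive
# alphanumerics (e.g. "Accept-Language: *", "-", or an empty value) match()
# returns nil and string.lower(nil) raises, which fails the request with a 500
# -- a one-header denial of service for every location that includes this file.
# The value is client-controlled and ends up in a cache key, so it is kept to
# exactly two lowercase alphanumerics; anything else falls back to 'en'.
##
set_by_lua_block $prefer_language_slug {
    local accept_language = ngx.var.http_accept_language
    if accept_language then
        local slug = string.match(accept_language, '%w%w')
        if slug then
            return string.lower(slug)
        end
    end
    return 'en'
}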
16 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/nginx/cache/redis_backend.conf:
--------------------------------------------------------------------------------
1 | ##
2 | # Adds internal locations for storing and getting full page cache from redis
3 | ##
4 |
5 | srcache_default_expire '${NGINX_REDIS_CACHE_TTL_DEFAULT}';
6 | srcache_max_expire '${NGINX_REDIS_CACHE_TTL_MAX}';
7 |
8 | location /redis-fetch {
9 | internal;
10 |
11 | ##
12 | # In order to use password authentication we use custom redis module which adds $redis_auth:
13 | # - https://github.com/Yongke/ngx_http_redis-0.3.7
14 | ##
15 |
16 | # Read the configuration from system envs
17 | set $redis_auth '${REDIS_PASSWORD}';
18 | set $redis_db ${REDIS_DATABASE};
19 |
20 | set $redis_key $args;
21 |
22 | redis_pass ${REDIS_HOST}:${REDIS_PORT};
23 | }
24 |
25 | location /redis-store {
26 | internal;
27 |
28 | set_unescape_uri $exptime $arg_exptime;
29 | set_unescape_uri $key $arg_key;
30 |
31 | # Fix caching problem for now
32 | # There's issue in github https://github.com/openresty/srcache-nginx-module/issues/61
33 | set_if_empty $srcache_expire '${NGINX_REDIS_CACHE_TTL_DEFAULT}';
34 |
35 | # redis module pipelines these 3 commands into single request
36 | redis2_query auth '${REDIS_PASSWORD}';
37 | redis2_query select ${REDIS_DATABASE};
38 |
39 | # Set and expire with one command: http://redis.io/commands/setex
40 | redis2_query setex $key $srcache_expire $echo_request_body;
41 |
42 | # Pass the request to redis
43 | redis2_pass ${REDIS_HOST}:${REDIS_PORT};
44 |
45 | }
46 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/nginx/cache/skip_rules.conf:
--------------------------------------------------------------------------------
1 | ##
2 | # Add a few rules that disable the cache for certain requests
3 | ##
4 |
5 | # Don't skip cache by default
6 | set $skip_cache 0;
7 |
8 | # POST requests and urls with a query string should always go to PHP
9 | if ($request_method = POST) {
10 | set $skip_cache 1;
11 | }
12 |
13 | # If there are any query args, skip the cache
14 | if ($query_string != "") {
15 | set $skip_cache 1;
16 | }
17 |
18 | # Don't use the cache for logged in users or recent commenters
19 | if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in|woocommerce_items_in_cart") {
20 | set $skip_cache 1;
21 | }
22 |
23 | # Don't cache responses from wp-admin, xmlrpc.php or any wp-*.php script such as wp-login.php
24 | if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php") {
25 | set $skip_cache 1;
26 | }
27 |
28 | # Skip fetch and skip if conditions are met
29 | srcache_fetch_skip $skip_cache;
30 | srcache_store_skip $skip_cache;
31 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/nginx/cache/srcache.conf:
--------------------------------------------------------------------------------
1 | ##
2 | # Add a few rules that disable the cache, then set up the redis-backed srcache fetch/store
3 | ##
4 | include cache/skip_rules.conf;
5 | include cache/helper_variables.conf;
6 |
7 | # Use redis caching for all pages
8 | # Allow different cache key from env
9 | # Use 'wp_' prefix so that cache can be flushed with:
10 | # $ wp cache flush
11 | set $cache_key "${NGINX_CACHE_KEY}";
12 | set_escape_uri $escaped_cache_key $cache_key;
13 |
14 | srcache_response_cache_control on;
15 |
16 | srcache_fetch GET /redis-fetch $cache_key;
17 | srcache_store PUT /redis-store key=$escaped_cache_key;
18 |
19 | # Add header for easier cache debugging
20 | add_header X-Cache $srcache_fetch_status;
21 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/nginx/env.conf:
--------------------------------------------------------------------------------
1 | # Declare the custom environment variables that the lua code needs here
2 | # (nginx only passes through environment variables that are listed with the env directive)
3 | env PORT;
4 | env WEB_ROOT;
5 | env NGINX_MAX_BODY_SIZE;
6 | env NGINX_TIMEOUT;
7 |
8 | # For nginx redis cache
9 | env REDIS_HOST;
10 | env REDIS_PORT;
11 | env REDIS_DATABASE;
12 | env REDIS_PASSWORD;
13 | env CACHE_QUERYVARS;
14 | env CACHE_MODE;
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/nginx/error_pages.conf:
--------------------------------------------------------------------------------
1 | ##
2 | # Custom error pages
3 | ##
4 |
5 | ## 403 - Forbidden
6 | error_page 403 /403.html;
7 | location = /403.html {
8 | root /usr/share/nginx/html;
9 | internal;
10 | }
11 |
12 | ## 500 - Internal Server Error
13 | error_page 500 /500.html;
14 | location = /500.html {
15 | root /usr/share/nginx/html;
16 | internal;
17 | }
18 |
19 | ## 502 - Bad Gateway
20 | error_page 502 /502.html;
21 | location = /502.html {
22 | root /usr/share/nginx/html;
23 | internal;
24 | }
25 |
26 | ## 504 - Gateway Timeout
27 | error_page 504 /504.html;
28 | location = /504.html {
29 | root /usr/share/nginx/html;
30 | internal;
31 | }
32 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/nginx/fastcgi_params:
--------------------------------------------------------------------------------
1 | # These are just the basic parameters taken from the request
2 | fastcgi_param QUERY_STRING $query_string;
3 | fastcgi_param REQUEST_METHOD $request_method;
4 | fastcgi_param CONTENT_TYPE $content_type;
5 | fastcgi_param CONTENT_LENGTH $content_length;
6 |
7 | fastcgi_param SCRIPT_NAME $fastcgi_script_name;
8 | fastcgi_param REQUEST_URI $request_uri;
9 | fastcgi_param DOCUMENT_URI $document_uri;
10 | fastcgi_param DOCUMENT_ROOT $document_root;
11 | fastcgi_param SERVER_PROTOCOL $server_protocol;
12 |
13 | fastcgi_param GATEWAY_INTERFACE CGI/1.1;
14 | fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
15 |
16 | ##
17 | # Set these knowing that we are behind a reverse proxy; the $real_* variables come from proxy_real_variables.conf
18 | ##
19 | fastcgi_param REMOTE_ADDR $real_remote;
20 | fastcgi_param REMOTE_PORT $remote_port;
21 | fastcgi_param SERVER_ADDR $server_addr;
22 | fastcgi_param SERVER_PORT $real_port;
23 | fastcgi_param SERVER_NAME $real_host;
24 | fastcgi_param HTTPS $real_https;
25 | fastcgi_param REQUEST_SCHEME $real_scheme;
26 | fastcgi_param HTTP_HOST $real_host;
27 |
28 | # PHP only, required if PHP was built with --enable-force-cgi-redirect
29 | fastcgi_param REDIRECT_STATUS 200;
30 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/nginx/fastcgi_settings.conf:
--------------------------------------------------------------------------------
1 | # regex to split $uri to $fastcgi_script_name and $fastcgi_path
2 | fastcgi_split_path_info ^(.+\.php)(/.+)$;
3 |
4 | # Bypass the fact that try_files resets $fastcgi_path_info
5 | # see: http://trac.nginx.org/nginx/ticket/321
6 | set $path_info $fastcgi_path_info;
7 | fastcgi_param PATH_INFO $path_info;
8 |
9 | # Intercept errors from php-fpm
10 | # These can be:
11 | # - timeouts for long running requests
12 | # - requested php file might be missing or not existing in the first place
13 | fastcgi_intercept_errors on;
14 |
15 | fastcgi_index index.php;
16 |
17 | # Small optimisation on fastcgi buffer size
18 | # defaults are 8k;
19 | fastcgi_buffers 16 16k;
20 | fastcgi_buffer_size 16k;
21 |
22 | # Include basic fastcgi settings
23 | include fastcgi_params;
24 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/nginx/gzip.conf:
--------------------------------------------------------------------------------
1 | # Compression
2 |
3 | # Enable Gzip compressed.
4 | gzip on;
5 |
6 | # Compression level (1-9).
7 | # 5 is a perfect compromise between size and cpu usage, offering about
8 | # 75% reduction for most ascii files (almost identical to level 9).
9 | gzip_comp_level 5;
10 |
11 | # Don't compress anything that's already small and unlikely to shrink much
12 | # if at all (the default is 20 bytes, which is bad as that usually leads to
13 | # larger files after gzipping).
14 | gzip_min_length 256;
15 |
16 | # Compress data even for clients that are connecting to us via proxies,
17 | # identified by the "Via" header (required for CloudFront).
18 | gzip_proxied any;
19 |
20 | # Tell proxies to cache both the gzipped and regular version of a resource
21 | # whenever the client's Accept-Encoding capabilities header varies;
22 | # Avoids the issue where a non-gzip capable client (which is extremely rare
23 | # today) would display gibberish if their proxy gave them the gzipped version.
24 | gzip_vary on;
25 |
26 | # Compress all output labeled with one of the following MIME-types.
27 | gzip_types
28 | application/atom+xml
29 | application/javascript
30 | application/json
31 | application/ld+json
32 | application/manifest+json
33 | application/rss+xml
34 | application/vnd.geo+json
35 | application/vnd.ms-fontobject
36 | application/x-font-ttf
37 | application/x-web-app-manifest+json
38 | application/xhtml+xml
39 | application/xml
40 | font/opentype
41 | image/bmp
42 | image/svg+xml
43 | image/x-icon
44 | text/cache-manifest
45 | text/css
46 | text/plain
47 | text/vcard
48 | text/vnd.rim.location.xloc
49 | text/vtt
50 | text/x-component
51 | text/x-cross-domain-policy;
52 | # text/html is always compressed by HttpGzipModule
53 |
54 | # This should be turned on if you are going to have pre-compressed copies (.gz) of
55 | # static files available. If not it should be left off as it will cause extra I/O
56 | # for the check. It is best if you enable this in a location{} block for
57 | # a specific directory, or on an individual server{} level.
58 | # gzip_static on;
59 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/nginx/log_format.conf:
--------------------------------------------------------------------------------
1 | # Log cache status
2 | # Log real requester address
3 | log_format custom '[$time_local] $http_x_real_ip '
4 | '$host "$request" $status $body_bytes_sent $request_time '
5 | '"$http_referer" "$http_user_agent" $upstream_cache_status';
6 |
7 | ##
8 | # Legacy formats which might be in use somewhere
9 | ##
10 | # This log format makes it so we can see real requester's IP address \
11 | # not just the reverse proxy server's IP address. Also note, that \
12 | # "specialLog" can be replaced with any name you would like to \
13 | # give to this log format.
14 | log_format specialLog '[$time_local] $http_x_real_ip '
15 | '$host "$request" $status $body_bytes_sent $request_time '
16 | '"$http_referer" "$http_user_agent" $upstream_cache_status';
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/nginx/log_formats.conf:
--------------------------------------------------------------------------------
1 | # Log cache status
2 | # Log real requester address
3 | log_format custom '[$time_local] $http_x_forwarded_for '
4 | '$host "$request" $status $body_bytes_sent $request_time '
5 | '"$http_referer" "$http_user_agent" $upstream_cache_status';
6 |
7 | # A new log format for detecting bad bots.
8 | log_format blocked '[$time_local] Blocked request from $http_x_forwarded_for $request';
9 |
10 | ##
11 | # Legacy formats which might be in use somewhere
12 | ##
13 | # This log format makes it so we can see real requester's IP address \
14 | # not just the reverse proxy server's IP address. Also note, that \
15 | # "specialLog" can be replaced with any name you would like to \
16 | # give to this log format.
17 | log_format specialLog '[$time_local] $http_x_forwarded_for '
18 | '$host "$request" $status $body_bytes_sent $request_time '
19 | '"$http_referer" "$http_user_agent" $upstream_cache_status';
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/nginx/pagespeed/locations.conf:
--------------------------------------------------------------------------------
1 | # Ensure requests for pagespeed optimized resources go to the pagespeed handler
2 | # and no extraneous headers get set.
3 | location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" {
4 | add_header "" "";
5 | }
6 | location ~ "^/pagespeed_static/" { }
7 | location ~ "^/ngx_pagespeed_beacon$" { }
8 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/nginx/pagespeed/settings.conf:
--------------------------------------------------------------------------------
1 | # Hide the pagespeed version and send this header value instead
2 | pagespeed XHeaderValue "Enabled";
3 |
4 | # Don't alter Cache-Control headers
5 | pagespeed ModifyCachingHeaders off;
6 |
7 | # This is for pagespeed temporary files
8 | # Needs to exist and be writable by nginx. Use tmpfs for best performance.
9 | pagespeed FileCachePath /tmp/nginx/pagespeed;
10 |
11 | # Pagespeed sets default TTL from file to 300s, which is bad
12 | # This raises it to 2592000000 ms (30 days)
13 | pagespeed LoadFromFileCacheTtlMs 2592000000;
14 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/nginx/proxy_real_variables.conf:
--------------------------------------------------------------------------------
1 | ##
2 | # Set a few variables since we use jwilder/nginx-proxy in dev and a proxy in production
3 | # So the fastcgi params need to be the original ones or you
4 | # will have redirect loops ('canonical_redirect' mostly)
5 | ##
6 |
7 | # Set $real_host from the proxy's X-Forwarded-Host header when present; the header is trusted as-is, so the proxy in front must set or strip it (otherwise a client can supply its own value)
8 | set $real_host $http_x_forwarded_host;
9 | if ($real_host = '') {
10 | set $real_host $http_host;
11 | }
12 |
13 | # Set server port according to forwarded proto
14 | set $real_port 80;
15 | if ($http_x_forwarded_proto = 'https') {
16 | set $real_port 443;
17 | }
18 |
19 | # Set https according to used proto
20 | set $real_https off;
21 | if ($http_x_forwarded_proto = 'https') {
22 | set $real_https on;
23 | }
24 |
25 | # Set scheme according to used proto
26 | set $real_scheme 'http';
27 | if ($http_x_forwarded_proto = 'https') {
28 | set $real_scheme 'https';
29 | }
30 |
31 | # Set the original client address from X-Forwarded-For when present; it is trusted as-is, so the proxy in front must overwrite it (otherwise a client can supply its own value)
32 | set $real_remote $http_x_forwarded_for;
33 | if ($real_remote = '') {
34 | set $real_remote $remote_addr;
35 | }
36 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/nginx/security.conf:
--------------------------------------------------------------------------------
1 | ## Block SQL injections (NOTE: location blocks match only the URI path, not the query string, so these patterns do not inspect ?arg= values)
2 | location ~* union.*select.*\( { access_log $blocked_log blocked; return 403; }
3 | location ~* union.*all.*select.* { access_log $blocked_log blocked; return 403; }
4 | location ~* concat.*\( { access_log $blocked_log blocked; return 403; }
5 |
6 | ## Block common exploits (NOTE: nginx matches location regexes against the normalised, percent-decoded URI, so the %XX forms below may not match the encoded input they target, and the bare % alternatives can reject legitimate paths — verify these before relying on them)
7 | location ~* (<|%3C).*script.*(>|%3E) { access_log $blocked_log blocked; return 403; }
8 | location ~* base64_(en|de)code\(.*\) { access_log $blocked_log blocked; return 403; }
9 | location ~* (%24&x) { access_log $blocked_log blocked; return 403; }
10 | location ~* (%0|%A|%B|%C|%D|%E|%F|127\.0) { access_log $blocked_log blocked; return 403; }
11 | location ~* \.\.\/ { access_log $blocked_log blocked; return 403; }
12 | location ~* ~$ { access_log $blocked_log blocked; return 403; }
13 | location ~* proc/self/environ { access_log $blocked_log blocked; return 403; }
14 | location ~* /\.(htaccess|htpasswd|svn|git) { access_log $blocked_log blocked; return 403; }
15 |
16 | ## Block file injections
17 | location ~* [a-zA-Z0-9_]=(\.\.//?)+ { access_log $blocked_log blocked; return 403; }
18 | location ~* [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ { access_log $blocked_log blocked; return 403; }
19 |
20 | ## wordpress security
21 | location ~* wp-config.php { access_log $blocked_log blocked; return 403; }
22 | location ~* wp-load.php { access_log $blocked_log blocked; return 403; }
23 | location ~* wp-admin/includes { access_log $blocked_log blocked; return 403; }
24 | location ~* wp-app\.log { access_log $blocked_log blocked; return 403; }
25 | location ~* (licence|readme|license)\.(md|html|txt) { access_log $blocked_log blocked; return 403; }
26 | location ~* composer.json { access_log $blocked_log blocked; return 403; }
27 |
28 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/nginx/security_headers.conf:
--------------------------------------------------------------------------------
1 | ##
2 | # Security headers, source: https://gist.github.com/plentz/6737338
3 | ##
4 |
5 | # Only allow the browser to render the page inside a frame or iframe from the same origin
6 | # and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
7 | # DENY would block framing entirely; the value used below is SAMEORIGIN, which still permits framing by this site itself
8 | # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
9 | add_header X-Frame-Options SAMEORIGIN;
10 |
11 | # when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
12 | # to disable content-type sniffing on some browsers.
13 | # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
14 | # currently supported in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
15 | # http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
16 | # 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
17 | add_header X-Content-Type-Options nosniff always;
18 |
19 | # This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
20 | # It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
21 | # this particular website if it was disabled by the user.
22 | # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
23 | add_header X-XSS-Protection "1; mode=block";
24 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/nginx/static_files.conf:
--------------------------------------------------------------------------------
1 | # Use version numbers to bypass cache
2 | # Try to cache as long as we can
3 | expires max;
4 |
5 | ## No need to bleed constant updates. Send the whole shebang in one
6 | ## fell swoop.
7 | tcp_nodelay off;
8 |
9 | ## Set the OS file cache.
10 | open_file_cache max=3000 inactive=120s;
11 | open_file_cache_valid 45s;
12 | open_file_cache_min_uses 2;
13 | open_file_cache_errors off;
14 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/nginx/upstreams.conf:
--------------------------------------------------------------------------------
1 | # Default php handler
2 | upstream php-fpm {
3 | server unix:/var/run/php-fpm.sock;
4 | }
5 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/php/7.3/cli/php.ini:
--------------------------------------------------------------------------------
1 | [PHP]
2 | ; This directive determines whether or not PHP will recognize code between
3 | ; <? and ?> tags as PHP source which should be processed as such.
4 | short_open_tag = Off
5 |
6 | ; Implicit flush tells PHP to tell the output layer to flush itself
7 | ; automatically after every output block.
8 | implicit_flush = Off
9 |
10 | ; This directive allows you to disable certain functions for security reasons.
11 | ; It receives a comma-delimited list of function names.
12 | ; http://php.net/disable-functions
13 | disable_functions =
14 |
15 | ; Enables or disables the circular reference collector.
16 | ; http://php.net/zend.enable-gc
17 | zend.enable_gc = On
18 |
19 | ;;;;;;;;;;;;;;;;;
20 | ; Miscellaneous ;
21 | ;;;;;;;;;;;;;;;;;
22 |
23 |
24 | ; Deny executing anything else than the exact path passed from fastcgi
25 | ; This causes the PHP interpreter to only try the literal path given and to stop processing if the file is not found.
26 | ; This is for security.
27 | ; https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#passing-uncontrolled-requests-to-php
28 | cgi.fix_pathinfo = 0
29 |
30 | expose_php = Off
31 |
32 | ;;;;;;;;;;;;;;;;;;;
33 | ; Resource Limits ;
34 | ;;;;;;;;;;;;;;;;;;;
35 |
36 | ; Maximum execution time of each script, in seconds
37 | max_execution_time = 600
38 |
39 | ; Maximum amount of time each script may spend parsing request data.
40 | max_input_time = 60
41 |
42 | ; How many GET/POST/COOKIE input variables may be accepted
43 | ; max_input_vars = 1000
44 |
45 | ; Maximum amount of memory a script may consume (128MB)
46 | memory_limit = ${PHP_MEMORY_LIMIT}
47 |
48 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
49 | ; Error handling and logging ;
50 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
51 |
52 | error_reporting = E_ALL
53 |
54 | display_errors = On
55 |
56 | display_startup_errors = On
57 |
58 | log_errors = On
59 |
60 | log_errors_max_len = 2048
61 |
62 | ignore_repeated_errors = Off
63 |
64 | ignore_repeated_source = Off
65 |
66 | report_memleaks = On
67 |
68 | ;This is deprecated from php7.2 so its disabled as of 5.4.2018
69 | ;track_errors = On
70 |
71 | html_errors = Off
72 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/php/7.3/fpm/conf.d/blocked.ini:
--------------------------------------------------------------------------------
1 | ; Disable some functions because they allow bad/vulnerable patterns
2 | ; We want to advocate good coding practices and these functions make it difficult
3 | ; You can use these with php cli but not with php-fpm
4 | disable_functions = exec,passthru,shell_exec,show_source,system,pcntl_exec,popen,posix_getpwuid,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,posix_setuid,posix_uname,proc_nice,proc_open,proc_close,proc_get_status
5 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/php/7.3/fpm/conf.d/common.ini:
--------------------------------------------------------------------------------
1 | [PHP]
2 |
3 | ; Don't advertise the PHP version in the X-Powered-By header
4 | expose_php = Off
5 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/php/7.3/fpm/conf.d/limits.ini:
--------------------------------------------------------------------------------
1 | ; filesize, time and input limits
2 | max_execution_time = ${NGINX_FASTCGI_TIMEOUT}
3 | max_input_time = -1
4 | max_input_vars = ${PHP_MAX_INPUT_VARS}
5 | memory_limit = ${PHP_MEMORY_LIMIT}
6 | post_max_size = ${NGINX_MAX_BODY_SIZE}
7 | upload_max_filesize = ${NGINX_MAX_BODY_SIZE}
8 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/php/7.3/fpm/conf.d/logging.ini:
--------------------------------------------------------------------------------
1 | ; Log all warnings and errors
2 | error_log = ${PHP_ERROR_LOG}
3 | log_level = ${PHP_ERROR_LOG_LEVEL}
4 | log_errors_max_len = ${PHP_ERROR_MAX_LEN}
5 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/php/7.3/fpm/conf.d/mail.ini:
--------------------------------------------------------------------------------
1 | [PHP]
2 | ; Use msmtp to send mail instead of sendmail
3 | sendmail_path = "/usr/sbin/sendmail"
4 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/php/7.3/fpm/conf.d/opcache.ini:
--------------------------------------------------------------------------------
1 | ; Enable php opcache to make site faster
2 | ; These are taken from: https://www.scalingphpbook.com/blog/2014/02/14/best-zend-opcache-settings.html
3 | [opcache]
4 | opcache.enable = 1
5 | opcache.enable_cli = 1
6 |
7 | ; Provides a faster mechanism for calling the destructors in your code at the end of a single request to speed up the response and recycle php workers so they're ready for the next incoming request faster.
8 | opcache.fast_shutdown = 1
9 |
10 | ; Give plenty of memory for php process for caching the code
11 | opcache.memory_consumption = ${PHP_OPCACHE_MAX_MEMORY}
12 |
13 | ; Log into container output
14 | opcache.error_log = /dev/stderr
15 |
16 | ; Log opcache warnings
17 | opcache.log_verbosity_level = 2
18 |
19 | ; PHP uses a technique called string interning to improve performance— so, for example, if you have the string "foobar" 1000 times in your code, internally PHP will store 1 immutable variable for this string and just use a pointer to it for the other 999 times you use it.
20 | ; This reserves 16MB to storing the most used strings
21 | opcache.interned_strings_buffer = 16
22 | opcache.max_accelerated_files = ${PHP_OPCACHE_MAX_FILES}
23 |
24 |
25 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/php/7.3/fpm/conf.d/opcache_invalidate.conf:
--------------------------------------------------------------------------------
1 | ; Don't revalidate php files in this container
2 | opcache.validate_timestamps = 0
3 |
4 | ; We don't need to cache php comments into opcache
5 | opcache.save_comments = 0
6 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/php/7.3/fpm/conf.d/sessions.ini:
--------------------------------------------------------------------------------
1 | ;;;;;;;;;;;;;;;;;;;;;;;;;;
2 | ; Define Session backend ;
3 | ;;;;;;;;;;;;;;;;;;;;;;;;;;
4 | ; These envs can also point at redis as the backend (see services.d/php-fpm/run)
5 | session.save_handler = ${PHP_SESSION_HANDLER}
6 | session.save_path = ${PHP_SESSION_SAVE_PATH}
7 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/php/7.3/fpm/conf.d/timezone.ini:
--------------------------------------------------------------------------------
1 | ; Timezone from env formatted like 'Europe/Helsinki'
2 | date.timezone = ${TZ}
3 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/php/7.3/fpm/php-fpm.conf:
--------------------------------------------------------------------------------
1 | ; Run this in the foreground so s6 can control it
2 | daemonize = no
3 |
4 | ; Log all warnings and errors
5 | error_log = ${PHP_ERROR_LOG}
6 | log_level = ${PHP_ERROR_LOG_LEVEL}
7 |
8 | [www]
9 | user = ${WEB_USER}
10 | group = ${WEB_GROUP}
11 | listen = /var/run/php-fpm.sock
12 | listen.owner = ${WEB_USER}
13 | listen.group = ${WEB_GROUP}
14 | pm = dynamic
15 |
16 | ; Total RAM dedicated to the web server / Max child process size
17 | pm.max_children = 30
18 |
19 | pm.start_servers = 1
20 | pm.min_spare_servers = 1
21 | pm.max_spare_servers = 5
22 |
23 | ; Redirect worker stdout and stderr into main error log. If not set, stdout and
24 | ; stderr will be redirected to /dev/null according to FastCGI specs.
25 | ; Default Value: no
26 | catch_workers_output = yes
27 |
28 | ; Project web root
29 | chdir = ${WEB_ROOT}
30 |
31 | pm.process_idle_timeout = 10s
32 | pm.max_requests = 500
33 |
34 | ; Include extra configs
35 | include=/etc/php/7.3/fpm/php-fpm.d/*.conf
36 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/php/7.3/fpm/php-fpm.d/preserve-env.conf:
--------------------------------------------------------------------------------
1 | ; Just use all envs from system when php-fpm starts
2 | ; By default php-fpm clears the environment and variables must be whitelisted with env[]; with clear_env = no every variable in the container environment (including any secrets) becomes readable by PHP code
3 | clear_env = no
4 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/php/7.3/fpm/php.ini:
--------------------------------------------------------------------------------
1 | ;;;
2 | ; Production settings for php and php-fpm
3 | ;;;
4 | ; All directives from /etc/php/7.3/fpm/conf.d are also included
5 | ;;;
6 |
7 | [PHP]
8 |
9 | ; Don't display errors in the frontend (controlled by PHP_DISPLAY_ERRORS; should be Off in production)
10 | display_errors = ${PHP_DISPLAY_ERRORS}
11 |
12 | ; disable ignoring of repeat errors
13 | ignore_repeated_errors = false
14 |
15 | ; disable ignoring of unique source errors
16 | ignore_repeated_source = false
17 |
18 | ; enable logging of php memory leaks
19 | report_memleaks = true
20 |
21 | ; Deny executing anything else than the exact path passed from fastcgi
22 | ; This causes the PHP interpreter to only try the literal path given and to stop processing if the file is not found.
23 | ; This is for security. Source: https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#passing-uncontrolled-requests-to-php
24 | cgi.fix_pathinfo = 0
25 |
26 | ; disable html markup of errors
27 | html_errors = false
28 |
29 | ; disable formatting of error reference links
30 | docref_root = 0
31 |
32 | ; disable formatting of error reference links
33 | docref_ext = 0
34 |
35 | ; effectively disable the max error string length (by using a number so large that longer messages never get truncated)
36 | log_errors_max_len = 10000
37 |
38 | ; Don't show startup errors
39 | display_startup_errors = Off
40 | ;This is deprecated from php7.2 so its disabled as of 5.4.2018
41 | ;track_errors = Off
42 |
43 | ; Redirect worker stdout and stderr into main error log. If not set, stdout and
44 | ; stderr will be redirected to /dev/null according to FastCGI specs.
45 | ; Default Value: no
46 | catch_workers_output = yes
47 |
48 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/services.d/cron/run:
--------------------------------------------------------------------------------
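#!/usr/bin/with-contenv sh
# s6 service: run the cron daemon in the foreground.
# exec replaces this shell so s6 supervises (and signals) cron directly
# instead of an intermediate sh, matching services.d/nginx/run.
echo "[services.d] started cron daemon"
exec cron -l 2 -f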
5 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/services.d/nginx/run:
--------------------------------------------------------------------------------
#!/usr/bin/with-contenv sh

# s6 service: nginx must stay in the foreground so the supervisor can track it;
# exec hands the process slot straight to nginx.
exec nginx -g 'daemon off;'
5 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/etc/services.d/php-fpm/run:
--------------------------------------------------------------------------------
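#!/usr/bin/with-contenv bash
##
# s6 service: derive the php session backend settings from the environment,
# then exec php-fpm in the foreground.
#
# Reads:   PHP_SESSION_SAVE_PATH, PHP_SESSION_HANDLER, WEB_USER, WEB_GROUP,
#          REDIS_PORT, REDIS_SCHEME, REDIS_PHP_SESSION_HOST,
#          REDIS_1_PORT_6379_TCP_ADDR, PHP_SESSION_REDIS_TIMEOUT,
#          PHP_SESSION_REDIS_DB, REDIS_PASSWORD, PHP_SESSION_REDIS_PREFIX
# Exports: PHP_SESSION_HANDLER, PHP_SESSION_SAVE_PATH (consumed by php-fpm via
#          conf.d/sessions.ini, since php-fpm runs with clear_env = no)
##

##
# Print a session save path with any auth=... query parameter masked,
# so the Redis password never ends up in the container log.
# NOTE: the password still travels in PHP_SESSION_SAVE_PATH itself (php-fpm
# needs it); this only keeps it out of stdout.
# Arguments: $1 - save path / DSN
# Outputs:   masked path on stdout
##
redact_session_path() {
  local path=$1
  local re='auth=[^&]*'
  if [[ "$path" =~ $re ]]; then
    # quote the match so a password containing glob characters is replaced literally
    path=${path/"${BASH_REMATCH[0]}"/auth=REDACTED}
  fi
  printf '%s\n' "$path"
}

##
# Check which kind of session backend we should be using
##
if [ -z "$PHP_SESSION_SAVE_PATH" ]; then
  echo "[php-fpm] configuring php-fpm session backend..."

  # Use 'files' as default session handler
  export PHP_SESSION_HANDLER=${PHP_SESSION_HANDLER-files}

  case "$PHP_SESSION_HANDLER" in
    files)
      mkdir -p /tmp/php
      # quoted: an unset WEB_USER/WEB_GROUP would otherwise produce a malformed chown argument
      chown "$WEB_USER:$WEB_GROUP" /tmp/php

      # export new env for php-fpm
      export PHP_SESSION_SAVE_PATH='/tmp/php'
      ;;
    redis)
      # Set defaults (docker-link style REDIS_1_PORT_6379_TCP_ADDR is the fallback host)
      REDIS_PORT=${REDIS_PORT-6379}
      REDIS_SCHEME=${REDIS_SCHEME-tcp}
      REDIS_PHP_SESSION_HOST=${REDIS_PHP_SESSION_HOST-$REDIS_1_PORT_6379_TCP_ADDR}

      # After this time php-fpm will timeout from requesting session data
      PHP_SESSION_REDIS_TIMEOUT=${PHP_SESSION_REDIS_TIMEOUT-5}

      PHP_SESSION_REDIS_PARAMS="timeout=$PHP_SESSION_REDIS_TIMEOUT"

      # Set these only if they are not empty because they add complexity for the query
      if [ -n "$PHP_SESSION_REDIS_DB" ]; then
        PHP_SESSION_REDIS_PARAMS+="&database=$PHP_SESSION_REDIS_DB"
      fi
      if [ -n "$REDIS_PASSWORD" ]; then
        PHP_SESSION_REDIS_PARAMS+="&auth=$REDIS_PASSWORD"
      fi
      if [ -n "$PHP_SESSION_REDIS_PREFIX" ]; then
        PHP_SESSION_REDIS_PARAMS+="&prefix=$PHP_SESSION_REDIS_PREFIX"
      fi

      # export new env for php-fpm
      export PHP_SESSION_SAVE_PATH="$REDIS_SCHEME://$REDIS_PHP_SESSION_HOST:$REDIS_PORT?$PHP_SESSION_REDIS_PARAMS"
      ;;
    *)
      # Previously this fell through silently; make the misconfiguration visible
      echo "[php-fpm] WARNING: unknown PHP_SESSION_HANDLER '$PHP_SESSION_HANDLER', PHP_SESSION_SAVE_PATH left empty" >&2
      ;;
  esac
fi
# Log the resolved backend with the password masked
echo "[php-fpm] using $(redact_session_path "$PHP_SESSION_SAVE_PATH") for php sessions..."

echo "[php-fpm] started php-fpm"
exec php-fpm -c /etc/php/7.3/fpm/php.ini --fpm-config /etc/php/7.3/fpm/php-fpm.conf --pid /var/run/php-fpm.pid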
53 |
54 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/usr/bin/wp:
--------------------------------------------------------------------------------
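#!/usr/bin/env bash
##
# WP-cli wrapper: Append path automatically so that user doesn't have to
#
# Reads: WEB_USER (account to drop root privileges to)
#        WP_CORE  (WordPress core directory, passed as --path)
##
if [ "$(whoami)" = "root" ]; then
  # Run as wordpress user instead
  # This helps that we don't install things as root
  # Or run 3rd party code as root
  # Fail closed: with an empty WEB_USER the privilege drop would silently not happen
  : "${WEB_USER:?WEB_USER must be set so wp-cli does not run as root}"
  exec gosu "$WEB_USER" /usr/local/bin/wp-cli "$@" --path="$WP_CORE"
else
  exec /usr/local/bin/wp-cli "$@" --path="$WP_CORE"
fi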
13 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/usr/local/bin/phinx:
--------------------------------------------------------------------------------
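#!/usr/bin/env bash
##
# Phinx wrapper
# You need to install phinx through composer first
#
# Reads:   MYSQL_HOST / DB_HOST / DB_PORT_3306_TCP_ADDR (first one set wins),
#          MYSQL_PORT / DB_PORT, MYSQL_DATABASE / DB_NAME, MYSQL_USER / DB_USER,
#          MYSQL_PWD / DB_PASSWORD, WP_ENV, PROJECT_ROOT
# Exports: PHINX_DBHOST, PHINX_DBPORT, PHINX_DBNAME, PHINX_DBUSER,
#          PHINX_DBPASSWORD, PHINX_ENVIRONMENT for the phinx process
# Exits:   1 when no database host variable is set
##

# Export database host in prod and dev
if [ -n "$MYSQL_HOST" ]; then
  export PHINX_DBHOST=$MYSQL_HOST
elif [ -n "$DB_HOST" ]; then
  export PHINX_DBHOST=$DB_HOST
elif [ -n "$DB_PORT_3306_TCP_ADDR" ]; then
  export PHINX_DBHOST=$DB_PORT_3306_TCP_ADDR
else
  # Stop here instead of running phinx against an empty host; diagnostics go to stderr
  echo "ERROR: You need to set DB_HOST!" >&2
  exit 1
fi

# Export phinx envs
# Default to MYSQL_ envs but fallback to DB_
export PHINX_DBPORT=${MYSQL_PORT-$DB_PORT}
export PHINX_DBNAME=${MYSQL_DATABASE-$DB_NAME}
export PHINX_DBUSER=${MYSQL_USER-$DB_USER}
export PHINX_DBPASSWORD=${MYSQL_PWD-$DB_PASSWORD}
export PHINX_ENVIRONMENT=$WP_ENV

# Run phinx, forwarding every argument intact (quoted "$@" keeps args with spaces whole)
exec php "$PROJECT_ROOT/vendor/bin/phinx" "$@"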
28 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/usr/local/bin/print-smtp-password:
--------------------------------------------------------------------------------
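#!/bin/bash
# This is so that we can use msmtp without /etc/msmtprc config file
# msmtp doesn't have --password option and it only has --passwordeval option
# We use this script so that we can use it in passwordeval
#
# msmtp takes the first line of the command's output as the password, so the
# value has to be written out verbatim: printf does not interpret a leading
# '-n'/'-e' or backslash sequences and does not collapse whitespace the way
# an unquoted echo would.

#######################################
# Print $SMTP_PASSWORD followed by a newline.
# Globals:  SMTP_PASSWORD (read)
# Outputs:  the password on stdout
#######################################
print_smtp_password() {
  printf '%s\n' "$SMTP_PASSWORD"
}

print_smtp_password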
6 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/usr/local/bin/wp-run-cron:
--------------------------------------------------------------------------------
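#!/bin/bash
# Copyright © 2015 Bjørn Johansen
# This work is free. You can redistribute it and/or modify it under the
# terms of the Do What The Fuck You Want To Public License, Version 2,
# as published by Sam Hocevar. See http://www.wtfpl.net/ for more details.
# Source: https://bjornjohansen.no/wordpress-cron-wp-cli
# Github: https://gist.github.com/bjornjohansen/a00a9fee5475c4dadb56#file-run-wp-cron-sh

# This is modified for our container. In this container you don't need to use --path
# because it's automatically included
#
# Runs every due WP-Cron event for each site of the installation (all sites of
# a multisite network, or the single siteurl). Exits non-zero when WP-CLI or
# WordPress is unavailable so that cron / the caller can notice the failure.

# Check if WP-CLI is available
if ! hash wp 2>/dev/null; then
  echo "[wp-cron] ERROR: WP-CLI is not available" >&2
  exit 1
fi

# If WordPress isn't installed here, we bail
if ! wp core is-installed --quiet >/dev/null; then
  echo "[wp-cron] ERROR: WordPress is not installed here: ${WP_CORE}" >&2
  exit 1
fi

# Get a list of site URLs, one array element per site
# Multisite: every active site from the site list (csv header row dropped)
# Single site: just the configured siteurl
if wp core is-installed --quiet --network >/dev/null; then
  mapfile -t SITE_URLS < <(wp site list --fields=url --archived=0 --deleted=0 --format=csv | sed 1d)
else
  mapfile -t SITE_URLS < <(wp option get siteurl)
fi

# Loop through all the sites
# One wp-cli call per site runs every event that is due, which replaces the
# earlier per-hook loop.
for SITE_URL in "${SITE_URLS[@]}"; do
  # skip blank lines that an empty site list could produce
  [ -n "$SITE_URL" ] || continue
  wp cron event run --due-now --url="$SITE_URL"
done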
43 |
--------------------------------------------------------------------------------
/ubuntu-7.3/rootfs/usr/sbin/sendmail:
--------------------------------------------------------------------------------
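#!/bin/bash
##
# This is custom wrapper for msmtp which acts like good old sendmail
# - It is used for php and cron
# - This is easier to configure for external mail server than sendmail
# - sendmail is just the default binary which other services will use
# - It needs following env: SMTP_HOST, SMTP_PASSWORD, SMTP_PORT, SMTP_AUTH, SMTP_USER
#   (optional: SMTP_FROM, SMTP_LOG, SMTP_TLS)
##

# Deduce all used msmtp options from system ENVs
declare -a options=()

# Act like sendmail: read the recipients from the message headers
options+=("-t")

# Use system tls chain
options+=("--tls-trust-file=/etc/ssl/certs/ca-certificates.crt")

if [ -n "$SMTP_HOST" ]; then
  options+=("--host=$SMTP_HOST")
else
  # Diagnostics go to stderr so that a caller capturing our stdout
  # does not mistake the message for msmtp output
  echo "[mail error] SMTP_HOST is not defined, mail can't be sent" >&2
  exit 1
fi

# Log all mail requests
# try /var/log/mail/sent.log but use stdout when logfile is not available
if [ -n "$SMTP_LOG" ]; then
  options+=("--logfile=$SMTP_LOG")
elif [ -f /var/log/mail/sent.log ]; then
  options+=("--logfile=/var/log/mail/sent.log")
fi

if [ -n "$SMTP_FROM" ]; then
  options+=("--from=$SMTP_FROM")
fi

# Default port for smtp is 25 and it will work even without this option
if [ -n "$SMTP_PORT" ]; then
  options+=("--port=$SMTP_PORT")
fi

# Setup credentials
if [ -n "$SMTP_USER" ]; then
  options+=("--user=$SMTP_USER")
fi

# msmtp doesn't provide password option because usually it's unsafe
# Use local hack for passwordeval (the helper prints $SMTP_PASSWORD)
if [ -n "$SMTP_PASSWORD" ]; then
  options+=("--passwordeval=/usr/local/bin/print-smtp-password")
fi

# Explicit SMTP_AUTH wins; otherwise turn auth on whenever credentials exist
if [ -n "$SMTP_AUTH" ]; then
  options+=("--auth=$SMTP_AUTH")
elif [ -n "$SMTP_USER" ] || [ -n "$SMTP_PASSWORD" ]; then
  options+=("--auth=on")
fi

# NOTE(review): msmtp's default is no TLS. When auth is enabled above but
# SMTP_TLS is unset, the credentials travel in cleartext; deployments that
# authenticate should set SMTP_TLS=on.
if [ -n "$SMTP_TLS" ]; then
  options+=("--tls=$SMTP_TLS")
fi

# Add our options and command line options for msmtp
# The array must be expanded quoted: unquoted, an option value with spaces
# (e.g. a display name in SMTP_FROM) is split into several arguments.
exec msmtp "${options[@]}" "$@"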
67 |
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/ImageMagick:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/cont-init.d/01-create-web-user:
--------------------------------------------------------------------------------
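#!/usr/bin/with-contenv bash

##
# Create the $WEB_USER user (uid $WEB_UID) and the $WEB_GROUP group (gid $WEB_GID)
# that the web processes run as. Skips the creation when both already exist.
##

# Set defaults if they are not set
# This has to happen before the existence check below: with an unset WEB_USER
# `id -u` would query the current (root) user and wrongly report "exists".
export WEB_USER=${WEB_USER-wordpress}
export WEB_GROUP=${WEB_GROUP-web}
export WEB_UID=${WEB_UID-1000}
export WEB_GID=${WEB_GID-1000}

##
# If $WEB_USER user and web group already exists just skip the user creation
##
if id -u "$WEB_USER" > /dev/null 2>&1 && getent group "$WEB_GROUP" > /dev/null 2>&1; then
  echo "[cont-init.d] user:$WEB_USER and group:$WEB_GROUP already exist, skipping..."
  exit 0
fi

##
# Create $WEB_USER user with $WEB_UID and web group with $WEB_GID
##

echo "[cont-init.d] Creating $WEB_USER user with id: $WEB_UID and group $WEB_GROUP with id: $WEB_GID"

# Create web group
if [ -n "$WEB_GID" ]; then

  # Check if group with $WEB_GID already exists
  web_group=$(getent group "$WEB_GID" | cut -d':' -f1)

  if [ -n "$web_group" ]; then

    # Replace the existing group name with $WEB_GROUP
    # This is done so that in local development we can just lookup permissions from mounted folders
    # This UID/GID can be same as something already existing inside container
    # This way we can use same uid/gid in container and host machine
    echo "[cont-init.d] Replacing pre-existing group name $web_group -> $WEB_GROUP"
    # Anchor on the group-name field so only this entry is rewritten: an
    # unanchored global replace would also hit member lists and any other
    # group whose name merely contains the string.
    # NOTE(review): `groupmod -n` would do the rename and keep /etc/gshadow
    # consistent as well — consider switching if gshadow matters here.
    sed -i "s|^$web_group:|$WEB_GROUP:|" /etc/group

  else
    # Create new group
    echo "$ groupadd -g $WEB_GID $WEB_GROUP"
    groupadd -g "$WEB_GID" "$WEB_GROUP"
  fi
else
  echo "[cont-init.d] ERROR: Please set web user group id in WEB_GID" 1>&2
  exit 2
fi

# Create $WEB_USER user
if [ -n "$WEB_UID" ] && [ -n "$WEB_GID" ] ; then
  echo "$ useradd -u $WEB_UID -g $WEB_GROUP --home $PROJECT_ROOT $WEB_USER"
  useradd -u "$WEB_UID" -g "$WEB_GROUP" --home "$PROJECT_ROOT" "$WEB_USER"
else
  echo "[cont-init.d] ERROR: Please set web user id in WEB_UID" 1>&2
  exit 2
fi

# Check that processes can write logs
# NOTE(review): this hands the whole /var/log tree to the web user, so a
# compromised web process could alter or remove its own logs; limiting this
# to the service-specific log directories would be tighter.
chown "$WEB_USER:$WEB_GROUP" /var/log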
59 |
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/cont-init.d/02-init-crond:
--------------------------------------------------------------------------------
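#!/usr/bin/with-contenv bash

# Copy the cronjob definition from the project and install it as $WEB_USER's crontab
if [ -f "$PROJECT_ROOT/tasks.cron" ]; then

  # The crontab file is named after the user, so an empty name would install
  # the jobs in the wrong place; stop with the same status the other init
  # scripts use for missing configuration.
  if [ -z "$WEB_USER" ]; then
    echo "[cont-init.d] ERROR: WEB_USER is not set, can't install crontab" 1>&2
    exit 2
  fi

  # Setup all container env for cron
  # NOTE(review): this copies every container variable, including the
  # REDIS/SMTP/database secrets, into /etc/environment; make sure that file
  # is not readable by unprivileged users of the container.
  printenv | grep -v '^_=' | grep -v "no_proxy" >> /etc/environment

  # Use default redis for cronlock if cronlock variables are not set
  if [ -n "$REDIS_HOST" ] && [ -z "$CRONLOCK_HOST" ] ; then
    echo "CRONLOCK_HOST=$REDIS_HOST" >> /etc/environment
  fi
  if [ -n "$REDIS_PASSWORD" ] && [ -z "$CRONLOCK_AUTH" ] ; then
    echo "CRONLOCK_AUTH=$REDIS_PASSWORD" >> /etc/environment
  fi
  if [ -n "$REDIS_PORT" ] && [ -z "$CRONLOCK_PORT" ] ; then
    echo "CRONLOCK_PORT=$REDIS_PORT" >> /etc/environment
  fi
  # env for running wp cron
  echo "CRON_URL=$CRON_URL" >> /etc/environment
  # Copy cron template
  cp "$PROJECT_ROOT/tasks.cron" "/var/spool/cron/crontabs/$WEB_USER"
  chown "$WEB_USER" "/var/spool/cron/crontabs/$WEB_USER"
  chmod 0600 "/var/spool/cron/crontabs/$WEB_USER"
else
  # No cronjobs found remove crond from s6
  # The service is a directory (services.d/cron/run), so test with -d:
  # with -f the check never matched and the cron service was left running.
  if [ -d /etc/services.d/cron ]; then
    rm -r /etc/services.d/cron
  fi
fi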
31 |
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/cont-init.d/02-init-directories-and-files:
--------------------------------------------------------------------------------
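#!/usr/bin/with-contenv bash

# Create uploads directory if not exists
# Fail loudly when UPLOADS_ROOT is empty: without this guard mkdir/chown only
# print a usage error and the container starts without an uploads directory.
if [ -z "$UPLOADS_ROOT" ]; then
  echo "[cont-init.d] ERROR: Please set the uploads directory in UPLOADS_ROOT" 1>&2
  exit 2
fi
mkdir -p "$UPLOADS_ROOT"
chown "$WEB_USER:$WEB_GROUP" "$UPLOADS_ROOT"

# Create dir for nginx tmp files
mkdir -p /tmp/nginx/body
chown -R "$WEB_USER:$WEB_GROUP" /tmp/nginx

# Create log directories if they don't exist already
mkdir -p /var/log/{nginx,php,mail}

# Create error.log so that php-fpm can write to it
touch /var/log/php/error.log

# Chown all log files to the web user so nginx, php-fpm and the mail wrapper can write them
chown -R "$WEB_USER:$WEB_GROUP" /var/log/{nginx,php,mail}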
19 |
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/nginx/additional.types:
--------------------------------------------------------------------------------
1 | # If developers add .woff2 type font files we should provide good Content-Type headers
2 | types {
3 | # Add mime support for woff2
4 | # http://stackoverflow.com/questions/28235550/proper-mime-type-for-woff2-fonts
5 | font/woff2 woff2;
6 | }
7 |
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/nginx/cache/fastcgicache.conf:
--------------------------------------------------------------------------------
1 | ##
2 | # Add few rules which deny using cache
3 | ##
4 | include cache/fastcgicache_skip_rules.conf;
5 | include cache/helper_variables.conf;
6 | fastcgi_cache_bypass $skip_cache;
7 | fastcgi_no_cache $skip_cache;
8 |
9 | fastcgi_cache WORDPRESS;
10 | #proxy_ignore_headers Set-Cookie Expires Cache-Control;
11 |
12 | # Add header for easier cache debugging
13 | add_header X-Cache $upstream_cache_status always;
14 |
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/nginx/cache/fastcgicache_settings.conf:
--------------------------------------------------------------------------------
1 | ##
2 | # Basic settings of Fast cgi cache
3 | ##
4 | fastcgi_cache_path ${NGINX_CACHE_DIRECTORY} levels=1:2 keys_zone=WORDPRESS:100m max_size=1000m inactive=730h;
5 | fastcgi_cache_key $scheme$request_method$host$request_uri_path$cache_args;
6 | fastcgi_cache_lock on;
7 | fastcgi_cache_background_update on;
8 | fastcgi_cache_use_stale ${NGINX_CACHE_USE_STALE};
9 | fastcgi_cache_valid ${NGINX_REDIS_CACHE_TTL_DEFAULT};
10 | add_header 'Cache-Control' ${NGINX_CACHE_CONTROL};
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/nginx/cache/helper_variables.conf:
--------------------------------------------------------------------------------
1 | ##
2 | # This file creates few helper variables
3 | # $prefer_language_slug - the first two letters of the Accept-Language header, used to pick the language for redirects served from the cache
4 | ##
5 |
6 | ##
7 | # Parse first two letters from accept-language header to determine right cache key
8 | ##
9 | set_by_lua_block $prefer_language_slug {
10 | if ngx.var.http_accept_language then
11 | return string.lower( string.match( ngx.var.http_accept_language, '%w%w' ) )
12 | else
13 | return 'en'
14 | end
15 | }
16 |
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/nginx/cache/redis_backend.conf:
--------------------------------------------------------------------------------
1 | ##
2 | # Adds internal locations for storing and getting full page cache from redis
3 | ##
4 |
5 | srcache_default_expire '${NGINX_REDIS_CACHE_TTL_DEFAULT}';
6 | srcache_max_expire '${NGINX_REDIS_CACHE_TTL_MAX}';
7 |
8 | location /redis-fetch {
9 | internal;
10 |
11 | ##
12 | # In order to use password authentication we use custom redis module which adds $redis_auth:
13 | # - https://github.com/Yongke/ngx_http_redis-0.3.7
14 | ##
15 |
16 | # Read the configuration from system envs
17 | set $redis_auth '${REDIS_PASSWORD}';
18 | set $redis_db ${REDIS_DATABASE};
19 |
20 | set $redis_key $args;
21 |
22 | redis_pass ${REDIS_HOST}:${REDIS_PORT};
23 | }
24 |
25 | location /redis-store {
26 | internal;
27 |
28 | set_unescape_uri $exptime $arg_exptime;
29 | set_unescape_uri $key $arg_key;
30 |
31 | # Fix caching problem for now
32 | # There's issue in github https://github.com/openresty/srcache-nginx-module/issues/61
33 | set_if_empty $srcache_expire '${NGINX_REDIS_CACHE_TTL_DEFAULT}';
34 |
35 | # redis module pipelines these 3 commands into single request
36 | redis2_query auth '${REDIS_PASSWORD}';
37 | redis2_query select ${REDIS_DATABASE};
38 |
39 | # Set and expire with one command: http://redis.io/commands/setex
40 | redis2_query setex $key $srcache_expire $echo_request_body;
41 |
42 | # Pass the request to redis
43 | redis2_pass ${REDIS_HOST}:${REDIS_PORT};
44 |
45 | }
46 |
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/nginx/cache/skip_rules.conf:
--------------------------------------------------------------------------------
1 | ##
2 | # Add few rules which deny using cache
3 | ##
4 |
5 | # Don't skip cache by default
6 | set $skip_cache 0;
7 |
8 | # POST requests and urls with a query string should always go to PHP
9 | if ($request_method = POST) {
10 | set $skip_cache 1;
11 | }
12 |
13 | # If there are any query args, skip the cache
14 | if ($query_string != "") {
15 | set $skip_cache 1;
16 | }
17 |
18 | # Don't use the cache for logged in users or recent commenters
19 | if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in|woocommerce_items_in_cart") {
20 | set $skip_cache 1;
21 | }
22 |
23 | # Don't cache responses from wp-admin, xmlrpc and wp-login.php
24 | if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php") {
25 | set $skip_cache 1;
26 | }
27 |
28 | # Skip fetch and skip if conditions are met
29 | srcache_fetch_skip $skip_cache;
30 | srcache_store_skip $skip_cache;
31 |
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/nginx/cache/srcache.conf:
--------------------------------------------------------------------------------
1 | ##
2 | # Add few rules which deny using cache
3 | ##
4 | include cache/skip_rules.conf;
5 | include cache/helper_variables.conf;
6 |
7 | # Use redis caching for all pages
8 | # Allow different cache key from env
9 | # Use 'wp_' prefix so that cache can be flushed with:
10 | # $ wp cache flush
11 | set $cache_key "${NGINX_CACHE_KEY}";
12 | set_escape_uri $escaped_cache_key $cache_key;
13 |
14 | srcache_response_cache_control on;
15 |
16 | srcache_fetch GET /redis-fetch $cache_key;
17 | srcache_store PUT /redis-store key=$escaped_cache_key;
18 |
19 | # Add header for easier cache debugging
20 | add_header X-Cache $srcache_fetch_status;
21 |
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/nginx/env.conf:
--------------------------------------------------------------------------------
1 | # Set the custom environment variables that we need with lua here
2 | # These are used to dynamically load
3 | env PORT;
4 | env WEB_ROOT;
5 | env NGINX_MAX_BODY_SIZE;
6 | env NGINX_TIMEOUT;
7 |
8 | # For nginx redis cache
9 | env REDIS_HOST;
10 | env REDIS_PORT;
11 | env REDIS_DATABASE;
12 | env REDIS_PASSWORD;
13 | env CACHE_MODE;
14 | env CACHE_QUERYVARS;
15 | env CACHE_QUERYVARS_IGNORE;
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/nginx/error_pages.conf:
--------------------------------------------------------------------------------
1 | ##
2 | # Custom error pages
3 | ##
4 |
5 | ## 403 - Forbidden
6 | error_page 403 /403.html;
7 | location = /403.html {
8 | root /usr/share/nginx/html;
9 | internal;
10 | }
11 |
12 | ## 500 - Internal Server Error
13 | error_page 500 /500.html;
14 | location = /500.html {
15 | root /usr/share/nginx/html;
16 | internal;
17 | }
18 |
19 | ## 502 - Bad Gateway
20 | error_page 502 /502.html;
21 | location = /502.html {
22 | root /usr/share/nginx/html;
23 | internal;
24 | }
25 |
26 | ## 504 - Gateway Timeout
27 | error_page 504 /504.html;
28 | location = /504.html {
29 | root /usr/share/nginx/html;
30 | internal;
31 | }
32 |
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/nginx/fastcgi_params:
--------------------------------------------------------------------------------
1 | # These are just basic values taken from the request
2 | fastcgi_param QUERY_STRING $query_string;
3 | fastcgi_param REQUEST_METHOD $request_method;
4 | fastcgi_param CONTENT_TYPE $content_type;
5 | fastcgi_param CONTENT_LENGTH $content_length;
6 |
7 | fastcgi_param SCRIPT_NAME $fastcgi_script_name;
8 | fastcgi_param REQUEST_URI $request_uri;
9 | fastcgi_param DOCUMENT_URI $document_uri;
10 | fastcgi_param DOCUMENT_ROOT $document_root;
11 | fastcgi_param SERVER_PROTOCOL $server_protocol;
12 |
13 | fastcgi_param GATEWAY_INTERFACE CGI/1.1;
14 | fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
15 |
16 | ##
17 | # Set these using the knowledge that we are behind proxy
18 | ##
19 | fastcgi_param REMOTE_ADDR $real_remote;
20 | fastcgi_param REMOTE_PORT $remote_port;
21 | fastcgi_param SERVER_ADDR $server_addr;
22 | fastcgi_param SERVER_PORT $real_port;
23 | fastcgi_param SERVER_NAME $real_host;
24 | fastcgi_param HTTPS $real_https;
25 | fastcgi_param REQUEST_SCHEME $real_scheme;
26 | fastcgi_param HTTP_HOST $real_host;
27 |
28 | # PHP only, required if PHP was built with --enable-force-cgi-redirect
29 | fastcgi_param REDIRECT_STATUS 200;
30 |
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/nginx/fastcgi_settings.conf:
--------------------------------------------------------------------------------
1 | # regex to split $uri to $fastcgi_script_name and $fastcgi_path
2 | fastcgi_split_path_info ^(.+\.php)(/.+)$;
3 |
4 | # Bypass the fact that try_files resets $fastcgi_path_info
5 | # see: http://trac.nginx.org/nginx/ticket/321
6 | set $path_info $fastcgi_path_info;
7 | fastcgi_param PATH_INFO $path_info;
8 |
9 | # Intercept errors from php-fpm
10 | # These can be:
11 | # - timeouts for long running requests
12 | # - requested php file might be missing or not existing in the first place
13 | fastcgi_intercept_errors on;
14 |
15 | fastcgi_index index.php;
16 |
17 | # Small optimisation on fastcgi buffer size
18 | # defaults are 8k;
19 | fastcgi_buffers 16 16k;
20 | fastcgi_buffer_size 16k;
21 |
22 | # Include basic fastcgi settings
23 | include fastcgi_params;
24 |
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/nginx/gzip.conf:
--------------------------------------------------------------------------------
1 | # Compression
2 |
3 | # Enable Gzip compressed.
4 | gzip on;
5 |
6 | # Compression level (1-9).
7 | # 5 is a perfect compromise between size and cpu usage, offering about
8 | # 75% reduction for most ascii files (almost identical to level 9).
9 | gzip_comp_level 5;
10 |
11 | # Don't compress anything that's already small and unlikely to shrink much
12 | # if at all (the default is 20 bytes, which is bad as that usually leads to
13 | # larger files after gzipping).
14 | gzip_min_length 256;
15 |
16 | # Compress data even for clients that are connecting to us via proxies,
17 | # identified by the "Via" header (required for CloudFront).
18 | gzip_proxied any;
19 |
20 | # Tell proxies to cache both the gzipped and regular version of a resource
21 | # whenever the client's Accept-Encoding capabilities header varies;
22 | # Avoids the issue where a non-gzip capable client (which is extremely rare
23 | # today) would display gibberish if their proxy gave them the gzipped version.
24 | gzip_vary on;
25 |
26 | # Compress all output labeled with one of the following MIME-types.
27 | gzip_types
28 | application/atom+xml
29 | application/javascript
30 | application/json
31 | application/ld+json
32 | application/manifest+json
33 | application/rss+xml
34 | application/vnd.geo+json
35 | application/vnd.ms-fontobject
36 | application/x-font-ttf
37 | application/x-web-app-manifest+json
38 | application/xhtml+xml
39 | application/xml
40 | font/opentype
41 | image/bmp
42 | image/svg+xml
43 | image/x-icon
44 | text/cache-manifest
45 | text/css
46 | text/plain
47 | text/vcard
48 | text/vnd.rim.location.xloc
49 | text/vtt
50 | text/x-component
51 | text/x-cross-domain-policy;
52 | # text/html is always compressed by HttpGzipModule
53 |
54 | # This should be turned on if you are going to have pre-compressed copies (.gz) of
55 | # static files available. If not it should be left off as it will cause extra I/O
56 | # for the check. It is best if you enable this in a location{} block for
57 | # a specific directory, or on an individual server{} level.
58 | # gzip_static on;
59 |
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/nginx/log_format.conf:
--------------------------------------------------------------------------------
1 | # Log cache status
2 | # Log real requester address
3 | log_format custom '[$time_local] $http_x_real_ip '
4 | '$host "$request" $status $body_bytes_sent $request_time '
5 | '"$http_referer" "$http_user_agent" $upstream_cache_status';
6 |
7 | ##
8 | # Legacy formats which might be in use somewhere
9 | ##
10 | # This log format makes it so we can see real requester's IP address \
11 | # not just the reverse proxy server's IP address. Also note, that \
12 | # "specialLog" can be replaced with any name you would like to \
13 | # give to this log format.
14 | log_format specialLog '[$time_local] $http_x_real_ip '
15 | '$host "$request" $status $body_bytes_sent $request_time '
16 | '"$http_referer" "$http_user_agent" $upstream_cache_status';
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/nginx/log_formats.conf:
--------------------------------------------------------------------------------
1 | # Log cache status
2 | # Log real requester address
3 | log_format custom '[$time_local] $http_x_forwarded_for '
4 | '$host "$request" $status $body_bytes_sent $request_time '
5 | '"$http_referer" "$http_user_agent" $upstream_cache_status';
6 |
7 | # A new log format for detecting bad bots.
8 | log_format blocked '[$time_local] Blocked request from $http_x_forwarded_for $request';
9 |
10 | ##
11 | # Legacy formats which might be in use somewhere
12 | ##
13 | # This log format makes it so we can see real requester's IP address \
14 | # not just the reverse proxy server's IP address. Also note, that \
15 | # "specialLog" can be replaced with any name you would like to \
16 | # give to this log format.
17 | log_format specialLog '[$time_local] $http_x_forwarded_for '
18 | '$host "$request" $status $body_bytes_sent $request_time '
19 | '"$http_referer" "$http_user_agent" $upstream_cache_status';
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/nginx/pagespeed/locations.conf:
--------------------------------------------------------------------------------
1 | # Ensure requests for pagespeed optimized resources go to the pagespeed handler
2 | # and no extraneous headers get set.
3 | location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" {
4 | add_header "" "";
5 | }
6 | location ~ "^/pagespeed_static/" { }
7 | location ~ "^/ngx_pagespeed_beacon$" { }
8 |
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/nginx/pagespeed/settings.conf:
--------------------------------------------------------------------------------
1 | # Hide the pagespeed version and provide this header instead
2 | pagespeed XHeaderValue "Enabled";
3 |
4 | # Don't alter Cache-Control headers
5 | pagespeed ModifyCachingHeaders off;
6 |
7 | # This is for pagespeed temporary files
8 | # Needs to exist and be writable by nginx. Use tmpfs for best performance.
9 | pagespeed FileCachePath /tmp/nginx/pagespeed;
10 |
11 | # Pagespeed sets the default TTL for files loaded from disk to 300s, which is bad
12 | # This raises it to 2592000000 ms (30 days)
13 | pagespeed LoadFromFileCacheTtlMs 2592000000;
14 |
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/nginx/proxy_real_variables.conf:
--------------------------------------------------------------------------------
1 | ##
2 | # Set few variables since we use jwilder/nginx-proxy in dev and proxy in production
3 | # So the fastcgi params need to be the original ones or you
4 | # will have redirect loops ('canonical_redirect' mostly)
5 | ##
6 |
7 | # Set $host first from proxy (if possible)
8 | set $real_host $http_x_forwarded_host;
9 | if ($real_host = '') {
10 | set $real_host $http_host;
11 | }
12 |
13 | # Set server port according to forwarded proto
14 | set $real_port 80;
15 | if ($http_x_forwarded_proto = 'https') {
16 | set $real_port 443;
17 | }
18 |
19 | # Set https according to used proto
20 | set $real_https off;
21 | if ($http_x_forwarded_proto = 'https') {
22 | set $real_https on;
23 | }
24 |
25 | # Set scheme according to used proto
26 | set $real_scheme 'http';
27 | if ($http_x_forwarded_proto = 'https') {
28 | set $real_scheme 'https';
29 | }
30 |
31 | # Set original remote
32 | set $real_remote $http_x_forwarded_for;
33 | if ($real_remote = '') {
34 | set $real_remote $remote_addr;
35 | }
36 |
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/nginx/security.conf:
--------------------------------------------------------------------------------
1 | ## Block SQL injections
2 | location ~* union.*select.*\( { access_log $blocked_log blocked; return 403; }
3 | location ~* union.*all.*select.* { access_log $blocked_log blocked; return 403; }
4 | location ~* concat.*\( { access_log $blocked_log blocked; return 403; }
5 |
6 | ## Block common exploits
7 | location ~* (<|%3C).*script.*(>|%3E) { access_log $blocked_log blocked; return 403; }
8 | location ~* base64_(en|de)code\(.*\) { access_log $blocked_log blocked; return 403; }
9 | location ~* (%24&x) { access_log $blocked_log blocked; return 403; }
10 | location ~* (%0|%A|%B|%C|%D|%E|%F|127\.0) { access_log $blocked_log blocked; return 403; }
11 | location ~* \.\.\/ { access_log $blocked_log blocked; return 403; }
12 | location ~* ~$ { access_log $blocked_log blocked; return 403; }
13 | location ~* proc/self/environ { access_log $blocked_log blocked; return 403; }
14 | location ~* /\.(htaccess|htpasswd|svn|git) { access_log $blocked_log blocked; return 403; }
15 |
16 | ## Block file injections
17 | location ~* [a-zA-Z0-9_]=(\.\.//?)+ { access_log $blocked_log blocked; return 403; }
18 | location ~* [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ { access_log $blocked_log blocked; return 403; }
19 |
20 | ## wordpress security
21 | location ~* wp-config.php { access_log $blocked_log blocked; return 403; }
22 | location ~* wp-load.php { access_log $blocked_log blocked; return 403; }
23 | location ~* wp-admin/includes { access_log $blocked_log blocked; return 403; }
24 | location ~* wp-app\.log { access_log $blocked_log blocked; return 403; }
25 | location ~* (licence|readme|license)\.(md|html|txt) { access_log $blocked_log blocked; return 403; }
26 | location ~* composer.json { access_log $blocked_log blocked; return 403; }
27 |
28 |
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/nginx/security_headers.conf:
--------------------------------------------------------------------------------
1 | ##
2 | # Security headers, source: https://gist.github.com/plentz/6737338
3 | ##
4 |
5 | # configure browsers not to render the page inside a frame or iframe,
6 | # which avoids clickjacking http://en.wikipedia.org/wiki/Clickjacking
7 | # if you need to allow [i]frames, you can use SAMEORIGIN or even set a uri with ALLOW-FROM uri
8 | # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
9 | add_header X-Frame-Options SAMEORIGIN;
10 |
11 | # when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
12 | # to disable content-type sniffing on some browsers.
13 | # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
14 | # currently supported in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
15 | # http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
16 | # 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
17 | add_header X-Content-Type-Options nosniff always;
18 |
19 | # This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
20 | # It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
21 | # this particular website if it was disabled by the user.
22 | # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
23 | add_header X-XSS-Protection "1; mode=block";
24 |
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/nginx/static_files.conf:
--------------------------------------------------------------------------------
1 | # Use version numbers to bypass cache
2 | # Try to cache as long as we can
3 | expires max;
4 |
5 | ## No need to bleed constant updates. Send the all shebang in one
6 | ## fell swoop.
7 | tcp_nodelay off;
8 |
9 | ## Set the OS file cache.
10 | open_file_cache max=3000 inactive=120s;
11 | open_file_cache_valid 45s;
12 | open_file_cache_min_uses 2;
13 | open_file_cache_errors off;
14 |
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/nginx/upstreams.conf:
--------------------------------------------------------------------------------
1 | # Default php handler
2 | upstream php-fpm {
3 | server unix:/var/run/php-fpm.sock;
4 | }
5 |
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/php/7.4/cli/php.ini:
--------------------------------------------------------------------------------
1 | [PHP]
2 | ; This directive determines whether or not PHP will recognize code between
3 | ; <? and ?> tags as PHP source which should be processed as such.
4 | short_open_tag = Off
5 |
6 | ; Implicit flush tells PHP to tell the output layer to flush itself
7 | ; automatically after every output block.
8 | implicit_flush = Off
9 |
10 | ; This directive allows you to disable certain functions for security reasons.
11 | ; It receives a comma-delimited list of function names.
12 | ; http://php.net/disable-functions
13 | disable_functions =
14 |
15 | ; Enables or disables the circular reference collector.
16 | ; http://php.net/zend.enable-gc
17 | zend.enable_gc = On
18 |
19 | ;;;;;;;;;;;;;;;;;
20 | ; Miscellaneous ;
21 | ;;;;;;;;;;;;;;;;;
22 |
23 |
24 | ; Deny executing anything else than the exact path passed from fastcgi
25 | ; This causes the PHP interpreter to only try the literal path given and to stop processing if the file is not found.
26 | ; This is for security.
27 | ; https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#passing-uncontrolled-requests-to-php
28 | cgi.fix_pathinfo = 0
29 |
30 | expose_php = Off
31 |
32 | ;;;;;;;;;;;;;;;;;;;
33 | ; Resource Limits ;
34 | ;;;;;;;;;;;;;;;;;;;
35 |
36 | ; Maximum execution time of each script, in seconds
37 | max_execution_time = 600
38 |
39 | ; Maximum amount of time each script may spend parsing request data.
40 | max_input_time = 60
41 |
42 | ; How many GET/POST/COOKIE input variables may be accepted
43 | ; max_input_vars = 1000
44 |
45 | ; Maximum amount of memory a script may consume (128MB)
46 | memory_limit = ${PHP_MEMORY_LIMIT}
47 |
48 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
49 | ; Error handling and logging ;
50 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
51 |
52 | error_reporting = E_ALL
53 |
54 | display_errors = On
55 |
56 | display_startup_errors = On
57 |
58 | log_errors = On
59 |
60 | log_errors_max_len = 2048
61 |
62 | ignore_repeated_errors = Off
63 |
64 | ignore_repeated_source = Off
65 |
66 | report_memleaks = On
67 |
68 | ;This is deprecated from php7.2 so its disabled as of 5.4.2018
69 | ;track_errors = On
70 |
71 | html_errors = Off
72 |
73 | ; Redis extension
74 | extension = redis.so
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/php/7.4/fpm/conf.d/blocked.ini:
--------------------------------------------------------------------------------
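; Disable some functions because they allow bad/vulnerable patterns
; We want to advocate good coding practises and these functions make it difficult
; You can use these with php cli but not with php-fpm
;
; Scope: this file lives in fpm/conf.d, so it only applies to the php-fpm SAPI;
; cli/php.ini leaves disable_functions empty, so cron jobs and wp-cli keep them.
;
; Caveats for anyone hardening this further:
; - disable_functions is defence in depth, not a sandbox. putenv() and mail()
;   are still allowed, and mail() spawns sendmail_path (/usr/sbin/sendmail, a
;   bash wrapper around msmtp) with the worker's environment, which is a
;   well-known route around this list (e.g. via LD_PRELOAD). Disabling putenv
;   is the usual mitigation, but check plugins before adding it.
; - show_source is an alias of highlight_file; only the alias is blocked here,
;   so highlight_file() remains callable.
; - The entry posix_setuid was listed twice; the duplicate has been dropped
;   (harmless to PHP, but it suggested the list had not been reviewed).
disable_functions = exec,passthru,shell_exec,show_source,system,pcntl_exec,popen,posix_getpwuid,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,posix_uname,proc_nice,proc_open,proc_close,proc_get_status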
5 |
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/php/7.4/fpm/conf.d/common.ini:
--------------------------------------------------------------------------------
[PHP]

; Don't advertise the PHP version (X-Powered-By header) to clients.
; cli/php.ini sets the same directive; this copy is the one the php-fpm SAPI
; picks up from conf.d.
expose_php = Off
5 |
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/php/7.4/fpm/conf.d/limits.ini:
--------------------------------------------------------------------------------
; filesize, time and input limits
; All values are substituted from the container environment at startup; the
; NGINX_* variables are shared with the nginx config so both layers agree.

; Presumably the same value nginx uses for fastcgi_read_timeout, so PHP gives
; up no later than nginx does.
max_execution_time = ${NGINX_FASTCGI_TIMEOUT}
; -1 = no limit on the time spent parsing the request body; the effective
; bound is therefore whatever nginx enforces on the client body, not PHP.
max_input_time = -1
; Caps the number of GET/POST/COOKIE variables (limits very large forms and
; hash-collision style DoS).
max_input_vars = ${PHP_MAX_INPUT_VARS}
memory_limit = ${PHP_MEMORY_LIMIT}
; Body and upload limits follow nginx's body size limit, so oversized bodies
; are rejected by nginx (413) before they reach PHP.
post_max_size = ${NGINX_MAX_BODY_SIZE}
upload_max_filesize = ${NGINX_MAX_BODY_SIZE}
8 |
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/php/7.4/fpm/conf.d/logging.ini:
--------------------------------------------------------------------------------
; Log all warnings and errors
; Values are substituted from the container environment at startup.
error_log = ${PHP_ERROR_LOG}
; NOTE(review): log_level is a php-fpm.conf global directive, not a php.ini
; one; php.ini ignores unknown keys, so this line is presumably a no-op and
; the effective value is the one set in /etc/php/7.4/fpm/php-fpm.conf.
log_level = ${PHP_ERROR_LOG_LEVEL}
; Truncate each logged message at this many bytes (0 = unlimited).
; fpm/php.ini also sets log_errors_max_len = 10000, but conf.d is loaded
; after php.ini, so this templated value should win — verify with `php-fpm -i`.
log_errors_max_len = ${PHP_ERROR_MAX_LEN}
5 |
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/php/7.4/fpm/conf.d/mail.ini:
--------------------------------------------------------------------------------
[PHP]
; Use msmtp to send mail instead of sendmail.
; /usr/sbin/sendmail in this image is a bash wrapper around msmtp that builds
; its options from the SMTP_* environment (SMTP_HOST is required). PHP's
; mail() pipes the message to this path, so every script that can call
; mail() spawns that wrapper with the worker's environment.
sendmail_path = "/usr/sbin/sendmail"
4 |
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/php/7.4/fpm/conf.d/opcache.ini:
--------------------------------------------------------------------------------
; Enable php opcache to make site faster
; These are taken from: https://www.scalingphpbook.com/blog/2014/02/14/best-zend-opcache-settings.html
; This file lives in fpm/conf.d, so it only configures the php-fpm SAPI.
[opcache]
opcache.enable = 1
; No effect from this file: the CLI SAPI does not read fpm/conf.d.
opcache.enable_cli = 1

; Provides a faster mechanism for calling the deconstructors in your code at the end of a single request to speed up the response and recycle php workers so they're ready for the next incoming request faster.
; NOTE(review): opcache.fast_shutdown was removed in PHP 7.2 (the behaviour is
; always on since then), so on 7.4 this line is presumably ignored.
opcache.fast_shutdown = 1

; Give plenty of memory for php process for caching the code
; (shared memory size in MB, substituted from PHP_OPCACHE_MAX_MEMORY)
opcache.memory_consumption = ${PHP_OPCACHE_MAX_MEMORY}

; Log into container output
opcache.error_log = /dev/stderr

; Log opcache warnings
opcache.log_verbosity_level = 2

; PHP uses a technique called string interning to improve performance— so, for example, if you have the string "foobar" 1000 times in your code, internally PHP will store 1 immutable variable for this string and just use a pointer to it for the other 999 times you use it.
; This reserves 16MB to storing the most used strings
opcache.interned_strings_buffer = 16
; Upper bound on cached scripts, substituted from PHP_OPCACHE_MAX_FILES; must
; exceed the number of PHP files in the project plus plugins.
opcache.max_accelerated_files = ${PHP_OPCACHE_MAX_FILES}
23 |
24 |
25 |
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/php/7.4/fpm/conf.d/opcache_invalidate.conf:
--------------------------------------------------------------------------------
; Don't revalidate php files in this container
; With validate_timestamps = 0 edited PHP files are never picked up until
; php-fpm restarts (or opcache_reset() is called): right for an immutable
; image, surprising for a development bind mount.
;
; NOTE(review): PHP only loads *.ini files from its conf.d scan directory;
; with a .conf extension this file is presumably never read, so neither
; directive below is actually in effect. Confirm with
; `php-fpm -i | grep validate_timestamps` and rename to .ini if they are
; meant to apply.
opcache.validate_timestamps = 0

; We don't need to cache php comments into opcache
; Caveat: libraries that read docblocks at runtime (annotation readers, some
; test tools) break when save_comments is 0.
opcache.save_comments = 0
6 |
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/php/7.4/fpm/conf.d/sessions.ini:
--------------------------------------------------------------------------------
;;;;;;;;;;;;;;;;;;;;;;;;;;
; Define Session backend ;
;;;;;;;;;;;;;;;;;;;;;;;;;;
; These env can also contain redis as backend.
; Both values are derived by /etc/services.d/php-fpm/run before php-fpm
; starts: handler 'files' uses /tmp/php, handler 'redis' builds a
; <scheme>://<host>:<port>?timeout=..[&database=..][&auth=..][&prefix=..] URL.
; Security note: for redis the save_path embeds REDIS_PASSWORD, and
; session.save_path can be read back from PHP (ini_get(), phpinfo()), so any
; script running in this pool can recover the Redis password.
session.save_handler = ${PHP_SESSION_HANDLER}
session.save_path = ${PHP_SESSION_SAVE_PATH}
7 |
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/php/7.4/fpm/conf.d/timezone.ini:
--------------------------------------------------------------------------------
; Timezone from env formatted like 'Europe/Helsinki'
; Must be a valid tz database identifier; PHP warns and falls back to UTC
; for an invalid value.
date.timezone = ${TZ}
3 |
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/php/7.4/fpm/php-fpm.conf:
--------------------------------------------------------------------------------
; php-fpm master configuration for this container (values in ${...} are
; substituted from the environment at startup).

; Run this in foreground so s6 can control it
daemonize = no

; Log all warnings and errors
; NOTE(review): these entries precede the first pool section and appear to be
; treated as global settings; an explicit [global] header would make that
; unambiguous.
error_log = ${PHP_ERROR_LOG}
log_level = ${PHP_ERROR_LOG_LEVEL}

[www]
; Pool workers run as the unprivileged web user; only the master (started by
; the s6 run script) presumably keeps root, which it needs to bind the socket
; and switch users.
user = ${WEB_USER}
group = ${WEB_GROUP}
; Unix socket shared with nginx (see nginx upstreams.conf); nothing listens on
; TCP. listen.mode is left at php-fpm's default, so only the owner/group below
; may connect — this relies on nginx's worker user matching one of them.
listen = /var/run/php-fpm.sock
listen.owner = ${WEB_USER}
listen.group = ${WEB_GROUP}
pm = dynamic

; Total RAM dedicated to the web server / Max child process size
; (hard-coded; the per-worker memory_limit comes from conf.d/limits.ini)
pm.max_children = 30

pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 5

; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Default Value: no
catch_workers_output = yes

; Project web root
chdir = ${WEB_ROOT}

; NOTE(review): pm.process_idle_timeout only applies to pm = ondemand, so it
; is presumably ignored with pm = dynamic.
pm.process_idle_timeout = 10s
; Recycle each worker after 500 requests to contain memory leaks in
; extensions or application code.
pm.max_requests = 500

; Include extra configs
include=/etc/php/7.4/fpm/php-fpm.d/*.conf
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/php/7.4/fpm/php-fpm.d/preserve-env.conf:
--------------------------------------------------------------------------------
; Just use all envs from system when php-fpm starts
; By default php-fpm flushes all envs and they need to be whitelisted
;
; Security note: with clear_env = no every variable in the container
; environment (database credentials, SMTP_PASSWORD, REDIS_PASSWORD, ...) is
; readable by all PHP code in the pool via getenv() (and $_SERVER/$_ENV,
; depending on variables_order) and shows up in phpinfo(). That is what lets
; wp-config read its settings from the environment, but it also means any
; vulnerable plugin gets the same secrets; an env[NAME] = $NAME whitelist in
; the pool is the tighter alternative.
clear_env = no
4 |
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/php/7.4/fpm/php.ini:
--------------------------------------------------------------------------------
;;;
; Production settings for php and php-fpm
;;;
; All directives from /etc/php/7.4/fpm/conf.d/*.ini are also included (they are
; loaded after this file, so they override anything set here).
;;;

[PHP]

; Don't display errors into frontend
; Substituted from PHP_DISPLAY_ERRORS at startup; must resolve to Off in
; production, since displayed errors leak file paths, queries and traces.
display_errors = ${PHP_DISPLAY_ERRORS}

; disable ignoring of repeat errors
ignore_repeated_errors = false

; disable ignoring of unique source errors
ignore_repeated_source = false

; enable logging of php memory leaks
report_memleaks = true

; Deny executing anything else than the exact path passed from fastcgi
; This causes the PHP interpreter to only try the literal path given and to stop processing if the file is not found.
; This is for security. Source: https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#passing-uncontrolled-requests-to-php
; (Prevents a request such as /uploads/image.jpg/x.php from executing
; image.jpg as PHP when nginx passes an uncontrolled SCRIPT_FILENAME.)
cgi.fix_pathinfo = 0

; disable html markup of errors
html_errors = false

; disable formatting of error reference links
docref_root = 0

; disable formatting of error reference links
docref_ext = 0

; disable max error string length ( by using so big number that bigger messages don't matter )
; Note: conf.d/logging.ini sets log_errors_max_len again from PHP_ERROR_MAX_LEN
; and loads later, so that value is the effective one.
log_errors_max_len = 10000

; Don't show startup errors
display_startup_errors = Off
;This is deprecated from php7.2 so its disabled as of 5.4.2018
;track_errors = Off

; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Default Value: no
; NOTE(review): catch_workers_output is a php-fpm pool directive, not a
; php.ini one; php.ini ignores unknown keys, so this line is presumably a
; no-op. The effective setting is the one in php-fpm.conf's [www] pool.
catch_workers_output = yes

; Redis extension
extension = redis.so

; JIT config
; NOTE(review): opcache.jit and opcache.jit_buffer_size only exist from
; PHP 8.0; on this 7.4 image they are presumably ignored, so do not expect a
; JIT here. Kept for forward compatibility.
opcache.jit_buffer_size=256M
opcache.jit=1235
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/services.d/cron/run:
--------------------------------------------------------------------------------
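#!/usr/bin/with-contenv sh
# s6 service script: run the cron daemon in the foreground.
echo "[services.d] started cron daemon"
# Runs cron daemon in foreground (-f). `exec` replaces this shell with cron so
# that s6 supervises cron's own PID and stop signals reach cron directly,
# instead of a parent shell that would not forward them — the same pattern
# nginx/run uses.
# NOTE(review): on Debian/Ubuntu cron, -l is a no-argument flag (LSB names for
# /etc/cron.d) and the numeric log level is -L; the flags are kept as they
# were, but confirm that `2` is not being passed as a stray argument.
exec cron -l 2 -f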
5 |
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/services.d/nginx/run:
--------------------------------------------------------------------------------
#!/usr/bin/with-contenv sh
# s6 service script for nginx.

# Run nginx always in foreground. `exec` replaces this shell with nginx so s6
# supervises nginx's own PID and container stop signals reach nginx directly.
exec nginx -g "daemon off;"
5 |
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/etc/services.d/php-fpm/run:
--------------------------------------------------------------------------------
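#!/usr/bin/with-contenv bash
##
# s6 service script for php-fpm.
#
# Derives PHP_SESSION_SAVE_PATH from the backend selected by
# PHP_SESSION_HANDLER (default 'files') unless PHP_SESSION_SAVE_PATH is already
# set, then execs php-fpm. fpm/conf.d/sessions.ini reads both variables.
#
# Environment read for the redis backend: REDIS_PHP_SESSION_HOST (falls back to
# the docker-link address REDIS_1_PORT_6379_TCP_ADDR), REDIS_PORT (6379),
# REDIS_SCHEME (tcp), REDIS_PASSWORD, PHP_SESSION_REDIS_DB,
# PHP_SESSION_REDIS_PREFIX and PHP_SESSION_REDIS_TIMEOUT (5).
##

#######################################
# Percent-encode a string for use as a query-string value.
# Characters such as '&', '?', '#', '%' or spaces in REDIS_PASSWORD would
# otherwise terminate or corrupt the save_path URL; unreserved characters pass
# through unchanged, so passwords without them are encoded identically to
# before.
# NOTE(review): assumes phpredis decodes save_path query values the way
# parse_str() does — confirm for the installed phpredis version.
# Arguments: $1 - raw string
# Outputs:   encoded string on stdout (no trailing newline)
#######################################
urlencode() {
  local LC_ALL=C   # iterate over bytes, not multibyte characters
  local raw=$1 out='' ch i
  for (( i = 0; i < ${#raw}; i++ )); do
    ch=${raw:i:1}
    case "$ch" in
      [A-Za-z0-9._~-]) out+=$ch ;;
      *) printf -v ch '%%%02X' "'$ch"; out+=$ch ;;
    esac
  done
  printf '%s' "$out"
}

#######################################
# Print a save_path with the auth=... value masked, so the Redis password is
# not echoed into the container log.
# Arguments: $1 - save path / URL
# Outputs:   masked string on stdout
#######################################
redact_save_path() {
  printf '%s\n' "$1" | sed -E 's/auth=[^&]*/auth=***/'
}

##
# Check which kind of session backend we should be using
##
if [ -z "$PHP_SESSION_SAVE_PATH" ]; then
  echo "[php-fpm] configuring php-fpm session backend..."

  # Use 'files' as default session handler
  export PHP_SESSION_HANDLER=${PHP_SESSION_HANDLER-files}

  case "$PHP_SESSION_HANDLER" in

    files)
      # Owner-only directory: php-fpm workers run as WEB_USER (php-fpm.conf),
      # so no other account in the container needs to list session files.
      mkdir -p /tmp/php
      chown "$WEB_USER:$WEB_GROUP" /tmp/php
      chmod 0700 /tmp/php

      # export new env for php-fpm
      export PHP_SESSION_SAVE_PATH='/tmp/php'
      ;;

    redis)
      # Set defaults
      REDIS_PORT=${REDIS_PORT-6379}
      REDIS_SCHEME=${REDIS_SCHEME-tcp}
      REDIS_PHP_SESSION_HOST=${REDIS_PHP_SESSION_HOST-$REDIS_1_PORT_6379_TCP_ADDR}

      # After this time php-fpm will timeout from requesting session data
      PHP_SESSION_REDIS_TIMEOUT=${PHP_SESSION_REDIS_TIMEOUT-5}

      PHP_SESSION_REDIS_PARAMS="timeout=$PHP_SESSION_REDIS_TIMEOUT"

      # Set these only if they are non-empty because they add complexity for the query
      if [ -n "$PHP_SESSION_REDIS_DB" ]; then
        PHP_SESSION_REDIS_PARAMS+="&database=$PHP_SESSION_REDIS_DB"
      fi
      if [ -n "$REDIS_PASSWORD" ]; then
        PHP_SESSION_REDIS_PARAMS+="&auth=$(urlencode "$REDIS_PASSWORD")"
      fi
      if [ -n "$PHP_SESSION_REDIS_PREFIX" ]; then
        PHP_SESSION_REDIS_PARAMS+="&prefix=$PHP_SESSION_REDIS_PREFIX"
      fi

      # export new env for php-fpm
      export PHP_SESSION_SAVE_PATH="$REDIS_SCHEME://$REDIS_PHP_SESSION_HOST:$REDIS_PORT?$PHP_SESSION_REDIS_PARAMS"
      ;;

    *)
      # An unknown handler used to fall through silently and php-fpm started
      # with an empty save_path. Keep starting (sessions.ini still renders) but
      # say so, because sessions will not work.
      echo "[php-fpm] WARNING: unknown PHP_SESSION_HANDLER '$PHP_SESSION_HANDLER', PHP_SESSION_SAVE_PATH left empty" >&2
      ;;
  esac
fi
# Only the log line is masked; the unmasked value is still exported to php-fpm
# (and readable there via ini_get('session.save_path')).
echo "[php-fpm] using $(redact_save_path "$PHP_SESSION_SAVE_PATH") for php sessions..."

echo "[php-fpm] started php-fpm"
exec php-fpm -c /etc/php/7.4/fpm/php.ini --fpm-config /etc/php/7.4/fpm/php-fpm.conf --pid /var/run/php-fpm.pid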
53 |
54 |
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/usr/bin/wp:
--------------------------------------------------------------------------------
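#!/usr/bin/env bash
##
# WP-cli wrapper: append --path automatically so that the user doesn't have to.
#
# When invoked as root the real wp-cli is run as WEB_USER via gosu, so that
# `wp plugin install` & co. never write files as root and third-party code
# pulled in by wp-cli never executes with root privileges. Any other user runs
# wp-cli directly.
#
# Environment read: WEB_USER (target user when root), WP_CORE (WordPress path,
# passed through even when empty, as before).
# Arguments: passed verbatim to wp-cli ("$@" keeps arguments with spaces
# intact), followed by --path=$WP_CORE.
# Exit status: that of wp-cli (exec hands it straight back to the caller).
##
if [ "$(id -u)" -eq 0 ]; then
  # Run as wordpress user instead
  # This helps that we don't install things as root
  # Or run 3rd party code as root
  # Fail clearly instead of letting an empty WEB_USER make gosu treat the
  # wp-cli path as the user name.
  : "${WEB_USER:?WEB_USER must be set to run wp-cli unprivileged}"
  exec gosu "$WEB_USER" /usr/local/bin/wp-cli "$@" --path="$WP_CORE"
else
  exec /usr/local/bin/wp-cli "$@" --path="$WP_CORE"
fi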
13 |
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/usr/local/bin/phinx:
--------------------------------------------------------------------------------
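#!/usr/bin/env bash
##
# Phinx wrapper
# You need to install phinx through composer first
#
# Maps the container's database environment onto the PHINX_* variables that
# phinx.yml can reference, then runs the composer-installed phinx binary.
#
# Environment read (first match wins for the host):
#   MYSQL_HOST | DB_HOST | DB_PORT_3306_TCP_ADDR -> PHINX_DBHOST
#   MYSQL_PORT | DB_PORT                          -> PHINX_DBPORT
#   MYSQL_DATABASE | DB_NAME                      -> PHINX_DBNAME
#   MYSQL_USER | DB_USER                          -> PHINX_DBUSER
#   MYSQL_PWD | DB_PASSWORD                       -> PHINX_DBPASSWORD
#   WP_ENV                                        -> PHINX_ENVIRONMENT
#   PROJECT_ROOT                                  -> location of vendor/bin/phinx
# Arguments: passed verbatim to phinx.
# Exit status: 1 if no database host is configured, otherwise phinx's own.
##

# Export database host in prod and dev
if [ -n "$MYSQL_HOST" ]; then
  export PHINX_DBHOST=$MYSQL_HOST
elif [ -n "$DB_HOST" ]; then
  export PHINX_DBHOST=$DB_HOST
elif [ -n "$DB_PORT_3306_TCP_ADDR" ]; then
  export PHINX_DBHOST=$DB_PORT_3306_TCP_ADDR
else
  # This used to print the error and run phinx anyway; abort instead so a
  # misconfigured environment fails visibly rather than half-way through a
  # migration.
  echo "ERROR: You need to set DB_HOST!" >&2
  exit 1
fi

# Export phinx envs
# Default to MYSQL_ envs but fallback to DB_
# (the `-` form only falls back when the MYSQL_ variable is unset; an
# empty-but-set MYSQL_ value is passed through as empty)
export PHINX_DBPORT=${MYSQL_PORT-$DB_PORT}
export PHINX_DBNAME=${MYSQL_DATABASE-$DB_NAME}
export PHINX_DBUSER=${MYSQL_USER-$DB_USER}
export PHINX_DBPASSWORD=${MYSQL_PWD-$DB_PASSWORD}
export PHINX_ENVIRONMENT=$WP_ENV

# Run phinx. Quoting keeps a PROJECT_ROOT or argument containing spaces as a
# single word; exec hands phinx's exit status straight back to the caller.
exec php "$PROJECT_ROOT/vendor/bin/phinx" "$@"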
28 |
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/usr/local/bin/print-smtp-password:
--------------------------------------------------------------------------------
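#!/bin/bash
# This is so that we can use msmtp without /etc/msmtprc config file
# msmtp doesn't have --password option and it only has --passwordeval option
# We use this script so that we can use it in passwordeval (see /usr/sbin/sendmail)
#
# Outputs: $SMTP_PASSWORD followed by a newline (msmtp uses the first line of
# passwordeval's output as the password).
# Security note: the secret lives in the process environment, so it is also
# readable by anything that can inspect this process's or php-fpm's
# environment (php-fpm starts with clear_env = no, see
# fpm/php-fpm.d/preserve-env.conf).

#######################################
# Print the password verbatim.
# printf replaces the previous unquoted `echo $SMTP_PASSWORD`, which would
# word-split and glob-expand the value and treat a password beginning with
# -n/-e as an echo option.
# Globals:  SMTP_PASSWORD (read)
# Outputs:  the password plus a newline on stdout
#######################################
print_smtp_password() {
  printf '%s\n' "$SMTP_PASSWORD"
}

print_smtp_password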
6 |
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/usr/local/bin/wp-run-cron:
--------------------------------------------------------------------------------
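#!/bin/bash
# Copyright © 2015 Bjørn Johansen
# This work is free. You can redistribute it and/or modify it under the
# terms of the Do What The Fuck You Want To Public License, Version 2,
# as published by Sam Hocevar. See http://www.wtfpl.net/ for more details.
# Source: https://bjornjohansen.no/wordpress-cron-wp-cli
# Github: https://gist.github.com/bjornjohansen/a00a9fee5475c4dadb56#file-run-wp-cron-sh

# This is modified for our container. In this container you don't need to use --path
# because it's automatically included (the `wp` wrapper appends --path=$WP_CORE).
#
# Runs every due WP-Cron event for the installed site, or for every
# non-archived, non-deleted site of a multisite network. Meant to be run from
# the container's crontab.
#
# Exit status: 1 when wp-cli or WordPress is unavailable (previously these
# paths exited 0, so cron could never tell that nothing had run), otherwise 0.

# Check if WP-CLI is available
if ! command -v wp >/dev/null 2>&1; then
  echo "[wp-cron] ERROR: WP-CLI is not available" >&2
  exit 1
fi

# If WordPress isn't installed here, we bail
if ! wp core is-installed --quiet >/dev/null; then
  echo "[wp-cron] ERROR: WordPress is not installed here: ${WP_CORE}" >&2
  exit 1
fi

# Get a list of site URLs, one per array element
declare -a site_urls=()
if wp core is-installed --quiet --network >/dev/null; then
  # csv output starts with a header row; drop it
  mapfile -t site_urls < <(wp site list --fields=url --archived=0 --deleted=0 --format=csv | sed 1d)
else
  mapfile -t site_urls < <(wp option get siteurl)
fi

# Loop through all the sites and run every event that is due
for site_url in "${site_urls[@]}"; do
  wp cron event run --due-now --url="$site_url"
done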
43 |
--------------------------------------------------------------------------------
/ubuntu-7.4/rootfs/usr/sbin/sendmail:
--------------------------------------------------------------------------------
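#!/bin/bash
##
# This is custom wrapper for msmtp which acts like good old sendmail
# - It is used for php (sendmail_path in fpm/conf.d/mail.ini) and cron
# - This is easier to configure for external mail server than sendmail
# - sendmail is just the default binary which other services will use
# - It needs following env: SMTP_HOST (required); optional: SMTP_PORT,
#   SMTP_USER, SMTP_PASSWORD, SMTP_AUTH, SMTP_TLS, SMTP_FROM, SMTP_LOG
#
# Arguments: passed through to msmtp after the options derived from the
# environment.
# Exit status: 1 when SMTP_HOST is missing, otherwise msmtp's own.
#
# Security notes:
# - The password is never put on the command line (it would be visible in
#   `ps`); msmtp fetches it via --passwordeval from the SMTP_PASSWORD
#   environment variable.
# - TLS is only enabled when SMTP_TLS is set. Without it the SMTP session,
#   including any credentials msmtp is allowed to send in clear, travels in
#   plaintext — set SMTP_TLS=on for any relay reached over an untrusted
#   network.
##

# Deduce all used msmtp options from system ENVs
declare -a options=()

# Act like sendmail: read recipients from the message headers
options+=("-t")

# Use system tls chain
options+=("--tls-trust-file=/etc/ssl/certs/ca-certificates.crt")

if [ -n "$SMTP_HOST" ]; then
  options+=("--host=$SMTP_HOST")
else
  echo "[mail error] SMTP_HOST is not defined, mail can't be sent" >&2
  exit 1
fi

# Log all mail requests
# try /var/log/mail/sent.log but use stdout when logfile is not available
if [ -n "$SMTP_LOG" ]; then
  options+=("--logfile=$SMTP_LOG")
elif [ -f /var/log/mail/sent.log ]; then
  options+=("--logfile=/var/log/mail/sent.log")
fi

if [ -n "$SMTP_FROM" ]; then
  options+=("--from=$SMTP_FROM")
fi

# Default port for smtp is 25 and it will work even without this option
if [ -n "$SMTP_PORT" ]; then
  options+=("--port=$SMTP_PORT")
fi

# Setup credentials
if [ -n "$SMTP_USER" ]; then
  options+=("--user=$SMTP_USER")
fi

# msmtp doesn't provide password option because usually it's unsafe
# Use local hack for passwordeval
if [ -n "$SMTP_PASSWORD" ]; then
  options+=("--passwordeval=/usr/local/bin/print-smtp-password")
fi

# Explicit auth method wins; otherwise turn auth on whenever credentials exist
if [ -n "$SMTP_AUTH" ]; then
  options+=("--auth=$SMTP_AUTH")
elif [ -n "$SMTP_USER" ] || [ -n "$SMTP_PASSWORD" ]; then
  options+=("--auth=on")
fi

if [ -n "$SMTP_TLS" ]; then
  options+=("--tls=$SMTP_TLS")
fi

# Add our options and command line options for msmtp.
# "${options[@]}" keeps each option as one argument even when a value such as
# SMTP_FROM contains spaces (the previous unquoted ${options[@]} word-split and
# glob-expanded them); exec hands msmtp's exit status straight back to the
# caller, which PHP's mail() uses to decide success.
exec msmtp "${options[@]}" "$@"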
67 |
--------------------------------------------------------------------------------
/web/info.php:
--------------------------------------------------------------------------------
1 |