Convert dev environment to use more secure nginx+fpm configuration wi…

…th split admin/frontend urls.
OpenMage · Sep 16, 2020 · d43c337 · d43c337
1 parent 7974e12
commit d43c337
Show file tree

Hide file tree

Showing 9 changed files with 168 additions and 10 deletions.
diff --git a/dev/openmage/README.md b/dev/openmage/README.md
@@ -47,6 +47,10 @@ You can override some defaults using environment variables defined in a file tha
   - `openmage-7f000001.nip.io` is used by default to resolve to `127.0.0.1`. See [nip.io](https://nip.io) for more info.
 - `HOST_PORT=8888`
    - `80` is used by default 
+- `ADMIN_HOST_NAME`
+  - `openmage-admin-7f000001.nip.io` is used by default to resolve to `127.0.0.1`. See [nip.io](https://nip.io) for more info.
+- `ADMIN_HOST_PORT`
+  - `81` is used by default to avoid conflicts with the frontend port
 - `ADMIN_EMAIL`
 - `ADMIN_USERNAME`
 - `ADMIN_PASSWORD`
@@ -70,6 +74,8 @@ clone the source files into this directory and then run `docker-compose build`.
 $ git clone https://github.com/meanbee/docker-magento.git
 $ docker build -t openmage/php-dev:7.3-cli docker-magento/7.3/cli
 $ docker push openmage/php-dev:7.3-cli
+$ docker build -t openmage/php-dev:7.3-fpm docker-magento/7.3/fpm
+$ docker push openmage/php-dev:7.3-fpm
 $ docker build -t openmage/php-dev:7.3-apache docker-magento/7.3/apache
 $ docker push openmage/php-dev:7.3-apache
 ```
diff --git a/dev/openmage/docker-compose.yml b/dev/openmage/docker-compose.yml
@@ -1,11 +1,8 @@
 version: "3.7"
 
 services:
-  apache:
-    image: openmage/php-dev:7.3-apache
-    hostname: ${HOST_NAME:-openmage-7f000001.nip.io}
-    ports:
-      - "${HOST_PORT:-80}:80"
+  php-fpm:
+    image: openmage/php-dev:7.3-fpm
     volumes:
       - ../..:/var/www/html
     environment:
@@ -14,6 +11,34 @@ services:
     links:
       - mysql
 
+  frontend:
+    image: library/nginx:latest
+    hostname: ${HOST_NAME:-openmage-7f000001.nip.io}
+    ports:
+      - "${HOST_PORT:-80}:80"
+    environment:
+      - NGINX_MAGE_RUN_CODE=default
+      - NGINX_MAGE_RUN_TYPE=store
+    links:
+      - php-fpm
+    volumes:
+      - ./nginx-frontend.conf:/etc/nginx/templates/default.conf.template:ro
+      - ../..:/var/www/html
+
+  admin:
+    image: library/nginx:latest
+    hostname: ${ADMIN_HOST_NAME:-openmage-admin-7f000001.nip.io}
+    ports:
+      - "${ADMIN_HOST_PORT:-81}:80"
+    environment:
+      - NGINX_MAGE_RUN_CODE=admin
+      - NGINX_MAGE_RUN_TYPE=store
+    links:
+      - php-fpm
+    volumes:
+      - ./nginx-admin.conf:/etc/nginx/templates/default.conf.template:ro
+      - ../..:/var/www/html
+
   cron:
     image: openmage/php-dev:7.3-cli
     working_dir: /var/www/html
@@ -29,8 +54,8 @@ services:
   cli:
     image: openmage/php-dev:7.3-cli
     working_dir: /var/www/html
-    command: /bin/true
-    user: www-data
+#    command: /bin/true
+#    user: www-data
     volumes:
       - ../..:/var/www/html
 #    environment:
@@ -41,7 +66,8 @@ services:
 #      - AWS_MEDIA_BUCKET=magemm
     links:
       - mysql
-      - "apache:${HOST_NAME:-openmage-7f000001.nip.io}"
+      - "frontend:${HOST_NAME:-openmage-7f000001.nip.io}"
+      - "admin:${ADMIN_HOST_NAME:-openmage-admin-7f000001.nip.io}"
 
   mysql:
     image: mysql:5.7

diff --git a/dev/openmage/install.sh b/dev/openmage/install.sh
@@ -18,6 +18,9 @@ done
 HOST_PORT=":${HOST_PORT:-80}"
 test "$HOST_PORT" = ":80" && HOST_PORT=""
 BASE_URL="http://${HOST_NAME:-openmage-7f000001.nip.io}${HOST_PORT}/"
+ADMIN_HOST_PORT=":${ADMIN_HOST_PORT:-81}"
+test "$ADMIN_HOST_PORT" = ":80" && ADMIN_HOST_PORT=""
+ADMIN_URL="http://${ADMIN_HOST_NAME:-openmage-admin-7f000001.nip.io}${ADMIN_HOST_PORT}/"
 ADMIN_EMAIL="${ADMIN_EMAIL:-admin@example.com}"
 ADMIN_USERNAME="${ADMIN_USERNAME:-admin}"
 ADMIN_PASSWORD="${ADMIN_PASSWORD:-veryl0ngpassw0rd}"
@@ -43,8 +46,11 @@ docker-compose run --rm cli php install.php \
   --admin_email "$ADMIN_EMAIL" \
   --admin_username "$ADMIN_USERNAME" \
   --admin_password "$ADMIN_PASSWORD"
-
+docker-compose run --rm cli magerun \
+  config:set -n --scope="stores" --scope-id="0" --force web/secure/base_url "${ADMIN_URL}"
 echo ""
 echo "Setup is complete!"
-echo "Visit ${BASE_URL}admin and login with '$ADMIN_USERNAME' : '$ADMIN_PASSWORD'"
+echo "Admin URL: ${ADMIN_URL}admin"
+echo "Admin login: $ADMIN_USERNAME : $ADMIN_PASSWORD"
+echo "Frontend URL: ${BASE_URL}"
 echo "MySQL server IP: $(docker exec openmage_apache_1 getent hosts mysql | awk '{print $1}')"
diff --git a/dev/openmage/nginx-admin.conf b/dev/openmage/nginx-admin.conf
@@ -0,0 +1,57 @@
+server {
+    listen 80;
+    server_name _ "";
+
+    if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS)$) { return 405; }
+
+    set $fastcgi_script_filename "";  # Required because it is used in a log format
+    set $fastcgi_php_value "";        # Pre/Append to add more PHP FPM config
+
+    location / {
+        root /var/www/html/dev/openmage/pub/${NGINX_MAGE_RUN_CODE};   # Only files in this directory can be loaded directly
+        set $fastcgi_script_filename /var/www/html/index.php;         # Hard-coded to prevent loading other PHP files
+        try_files $uri @php-fpm;
+    }
+
+    location /skin/ {
+        root /var/www/html;
+        gzip on;
+        location ~* \.(eot|ttf|otf|woff|woff2|svg)$ {
+            add_header Access-Control-Allow-Origin "*";
+        }
+    }
+    location /media/ {
+        root /var/www/html;
+        gzip on;
+        location ~* \.(eot|ttf|otf|woff|woff2|svg)$ {
+            add_header Access-Control-Allow-Origin "*";
+        }
+        # TODO - support get.php
+    }
+    location /js/ {
+        root /var/www/html;
+        # TODO - support js/index.php?
+    }
+    location /errors/ {
+        root /var/www/html;
+        location ~* \.(!(css|jpg|jpeg|gif|png|ico))$ { return 404; }
+    }
+    # TODO - support api.php
+
+    # Proxy the PHP scripts to PHP FPM listening
+    location @php-fpm {
+        root /var/www/html;
+        fastcgi_pass php-fpm:9000;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $fastcgi_script_filename;
+        fastcgi_param SERVER_PORT '80';
+        fastcgi_param MAGE_RUN_CODE ${NGINX_MAGE_RUN_CODE};
+        fastcgi_param MAGE_RUN_TYPE ${NGINX_MAGE_RUN_TYPE};
+        fastcgi_param PHP_VALUE "error_log=\"/var/www/html/var/log/php_errors-${NGINX_MAGE_RUN_CODE}.log\"\n$fastcgi_php_value";
+
+        # FastCGI tuning parameters
+        fastcgi_connect_timeout         6s;
+        fastcgi_send_timeout           60s;
+        fastcgi_read_timeout           20m;
+    }
+}
diff --git a/dev/openmage/nginx-frontend.conf b/dev/openmage/nginx-frontend.conf
@@ -0,0 +1,59 @@
+server {
+    listen 80;
+    server_name _ "";
+
+    if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS)$) { return 405; }
+
+    set $fastcgi_script_filename "";  # Required because it is used in a log format
+    set $fastcgi_php_value "";        # Pre/Append to add more PHP FPM config
+
+    location / {
+        root /var/www/html/dev/openmage/pub/${NGINX_MAGE_RUN_CODE};   # Only files in this directory can be loaded directly
+        set $fastcgi_script_filename /var/www/html/index.php;         # Hard-coded to prevent loading other PHP files
+        try_files $uri @php-fpm;
+    }
+
+    location /skin/ {
+        root /var/www/html;
+        gzip on;
+        location ~* \.(eot|ttf|otf|woff|woff2|svg)$ {
+            add_header Access-Control-Allow-Origin "*";
+        }
+    }
+    location /media/ {
+        root /var/www/html;
+        gzip on;
+        location ~* \.(eot|ttf|otf|woff|woff2|svg)$ {
+            add_header Access-Control-Allow-Origin "*";
+        }
+        # TODO - support get.php
+    }
+    location /js/ {
+        root /var/www/html;
+    }
+    location /errors/ {
+        root /var/www/html;
+        location ~* \.(!(css|jpg|jpeg|gif|png|ico))$ { return 404; }
+    }
+
+    # Admin is disabled for frontend config
+    location /index.php/ { return 404; }
+    location /admin/ { return 404; }
+
+    # Proxy the PHP scripts to PHP FPM listening
+    location @php-fpm {
+        root /var/www/html;
+        fastcgi_pass php-fpm:9000;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $fastcgi_script_filename;
+        fastcgi_param SERVER_PORT '80';
+        fastcgi_param MAGE_RUN_CODE ${NGINX_MAGE_RUN_CODE};
+        fastcgi_param MAGE_RUN_TYPE ${NGINX_MAGE_RUN_TYPE};
+        fastcgi_param PHP_VALUE "error_log=\"/var/www/html/var/log/php_errors-${NGINX_MAGE_RUN_CODE}.log\"\n$fastcgi_php_value";
+
+        # FastCGI tuning parameters
+        fastcgi_connect_timeout         6s;
+        fastcgi_send_timeout           60s;
+        fastcgi_read_timeout           20m;
+    }
+}
diff --git a/dev/openmage/pub/admin/favicon.ico b/dev/openmage/pub/admin/favicon.ico
diff --git a/dev/openmage/pub/admin/robots.txt b/dev/openmage/pub/admin/robots.txt
@@ -0,0 +1,2 @@
+User-Agent: *
+Disallow: /
diff --git a/dev/openmage/pub/default/favicon.ico b/dev/openmage/pub/default/favicon.ico
diff --git a/dev/openmage/pub/default/robots.txt b/dev/openmage/pub/default/robots.txt
@@ -0,0 +1,2 @@
+User-Agent: *
+Disallow: