feat(docker): add selfserve application Docker image (#78)

* updated dockerfile

* update dockerfile

* updated docker file

* updated dockerfile and selfserve config

* nginx config updated with map

* updated nginx config with maps

* fix: 💄

---------

Co-authored-by: JoshuaLicense <[email protected]>

infra/docker/api/api.conf

@@ -38,15 +38,14 @@ server {
   }
 
   location / {
-   try_files $uri /index.php?q=$uri&$args;
+   try_files $uri /index.php?$query_string;
   }
 
   location ~ \.php$ {
     try_files $uri =404;
     fastcgi_split_path_info ^(.+\.php)(/.+)$;
     fastcgi_pass unix:/run/php-fpm.socket;
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-    fastcgi_read_timeout 600;
     fastcgi_index index.php;
     include fastcgi_params;
   }

infra/docker/api/php.ini

@@ -5,10 +5,8 @@
 
 [opcache]
 ; The maximum number of keys (and therefore scripts) in the OPcache hash table
-; The Allowed value is between 200 and 100000. Recommendation is to have this
-; number approximately equal to the total number of php files in your project
-; https://programmer.group/php7-enables-opcache-to-create-powerful-performance.html#:~:text=opcache.max_accelerated_files
-opcache.max_accelerated_files=20000
+; The Allowed value is between 200 and 100000.
+opcache.max_accelerated_files=4000
 
 ; Validate timestamps of scripts on each request.
 opcache.validate_timestamps=1

infra/docker/selfserve/Dockerfile

@@ -1 +1,25 @@
-FROM php:8.2-fpm
+# hadolint global ignore=DL3018,SC2086
+FROM ghcr.io/dvsa/dvsa-docker-images/php/7.4/fpm-nginx:0
+
+USER root
+
+# Installing require dependencies
+RUN apk add --no-cache pcre-dev~=8.45 $PHPIZE_DEPS \
+    && pecl install igbinary \
+    && pecl install -D "enable-redis-igbinary='yes' enable-redis-lzf='no' enable-redis-zstd='no'" redis \
+    && docker-php-ext-enable redis igbinary \
+    && apk del pcre-dev $PHPIZE_DEPS
+
+RUN apk add --no-cache icu-dev \
+    && docker-php-ext-configure intl \
+    && docker-php-ext-install pdo_mysql opcache intl
+
+# PHP config file
+COPY ./php.ini ${PHP_INI_DIR}/conf.d/1000-php.ini
+
+ADD --chown=www-data ./selfserve.tar.gz /var/www/html
+
+# nginx server config file
+COPY selfserve.conf /etc/nginx/conf.d/selfserve.conf
+
+USER www-data

infra/docker/selfserve/php.ini

@@ -0,0 +1,19 @@
+; PHP's initialization file, generally called php.ini, is responsible for
+; configuring many of the aspects of PHP's behavior.
+; For more information on the config file, please see:
+; https://www.php.net/manual/en/index.php
+
+[opcache]
+; The maximum number of keys (and therefore scripts) in the OPcache hash table
+; The Allowed value is between 200 and 100000.
+opcache.max_accelerated_files=4000
+
+; Validate timestamps of scripts on each request.
+opcache.validate_timestamps=1
+
+; Specifies the frequency at which OPcache checks for changes to PHP scripts
+; in the filesystem. The value is in seconds.
+opcache.revalidate_freq=60
+
+; Enable the cli
+opcache.enable_cli=1

infra/docker/selfserve/selfserve.conf

@@ -0,0 +1,142 @@
+# Add Access-Control-Allow-Origin.
+map $sent_http_content_type $cors {
+  # Images
+  ~*image/                        "*";
+
+  # Web fonts
+  ~*font/                         "*";
+  ~*application/vnd.ms-fontobject "*";
+  ~*application/x-font-ttf        "*";
+  ~*application/font-woff         "*";
+  ~*application/x-font-woff       "*";
+  ~*application/font-woff2        "*";
+}
+
+# Add Referrer-Policy for HTML documents.
+map $sent_http_content_type $referrer_policy {
+  ~*text/(css|html|javascript)|application\/pdf|xml "strict-origin-when-cross-origin";
+}
+
+server {
+  listen 8080;
+  listen [::]:8080;
+
+  server_name _;
+
+  root /var/www/public;
+
+  # Protect website against clickjacking.
+  #
+  # The example below sends the `X-Frame-Options` response header with the value
+  # `DENY`, informing browsers not to display the content of the web page in any
+  # frame.
+  #
+  # This might not be the best setting for everyone. You should read about the
+  # other two possible values the `X-Frame-Options` header field can have:
+  # `SAMEORIGIN` and `ALLOW-FROM`.
+  # https://tools.ietf.org/html/rfc7034#section-2.1.
+  #
+  # Keep in mind that while you could send the `X-Frame-Options` header for all
+  # of your website's pages, this has the potential downside that it forbids even
+  # non-malicious framing of your content.
+  #
+  # Nonetheless, you should ensure that you send the `X-Frame-Options` header for
+  # all pages that allow a user to make a state-changing operation (e.g: pages
+  # that contain one-click purchase links, checkout or bank-transfer confirmation
+  # pages, pages that make permanent configuration changes, etc.).
+  #
+  # Sending the `X-Frame-Options` header can also protect your website against
+  # more than just clickjacking attacks.
+  # https://cure53.de/xfo-clickjacking.pdf.
+  #
+  # (!) The `Content-Security-Policy` header has a `frame-ancestors` directive
+  #     which obsoletes this header for supporting browsers.
+  #
+  # https://tools.ietf.org/html/rfc7034
+  # https://owasp.org/www-project-secure-headers/#x-frame-options
+  # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+  # https://docs.microsoft.com/archive/blogs/ieinternals/combating-clickjacking-with-x-frame-options
+
+  add_header X-Frame-Options $x_frame_options always;
+
+  # Prevent some browsers from MIME-sniffing the response.
+  #
+  # This reduces exposure to drive-by download attacks and cross-origin data
+  # leaks, and should be left uncommented, especially if the server is serving
+  # user-uploaded content or content that could potentially be treated as
+  # executable by the browser.
+  #
+  # https://owasp.org/www-project-secure-headers/#x-content-type-options
+  # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+  # https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-v-comprehensive-protection/
+  # https://mimesniff.spec.whatwg.org/
+
+  add_header X-Content-Type-Options nosniff always;
+
+  # Allow cross-origin requests.
+  #
+  # https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
+  # https://enable-cors.org/
+  # https://www.w3.org/TR/cors/
+
+  # (!) Do not use this without understanding the consequences.
+  #     This will permit access from any other website.
+  #     Instead of using this file, consider using a specific rule such as
+  #     allowing access based on (sub)domain:
+  #
+  #         add_header Access-Control-Allow-Origin "subdomain.example.com";
+
+  add_header Access-Control-Allow-Origin $cors;
+
+  # Set a strict Referrer Policy to mitigate information leakage.
+  #
+  # (1) The `Referrer-Policy` header is included in responses for resources
+  #     that are able to request (or navigate to) other resources.
+  #
+  #     This includes the commonly used resource types:
+  #     HTML, CSS, XML/SVG, PDF documents, scripts and workers.
+  #
+  # To prevent referrer leakage entirely, specify the `no-referrer` value
+  # instead. Note that the effect could impact analytics metrics negatively.
+  #
+  # To check your Referrer Policy, you can use an online service, such as:
+  # https://securityheaders.com/
+  # https://observatory.mozilla.org/
+  #
+  # https://www.w3.org/TR/referrer-policy/
+  # https://owasp.org/www-project-secure-headers/#referrer-policy
+  # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
+  # https://scotthelme.co.uk/a-new-security-header-referrer-policy/
+
+  add_header Referrer-Policy $referrer_policy always;
+
+  # Block access to files that can expose sensitive information.
+  #
+  # By default, block access to backup and source files that may be left by some
+  # text editors and can pose a security risk when anyone has access to them.
+  #
+  # https://feross.org/cmsploit/
+  #
+  # (!) Update the `location` regular expression from below to include any files
+  #     that might end up on your production server and can expose sensitive
+  #     information about your website. These files may include: configuration
+  #     files, files that contain metadata about the project (e.g.: project
+  #     dependencies, build scripts, etc.).
+
+  location ~* (?:#.*#|\.(?:bak|conf|dist|fla|in[ci]|log|orig|psd|sh|sql|sw[op])|~)$ {
+      deny all;
+  }
+
+  location / {
+      try_files $uri /index.php?$query_string;
+  }
+
+  location ~ \.php$ {
+    try_files $uri =404;
+    fastcgi_split_path_info ^(.+\.php)(/.+)$;
+    fastcgi_pass unix:/run/php-fpm.socket;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    fastcgi_index index.php;
+    include fastcgi_params;
+  }
+}