From d8b185de524fa469d24bef67bdc569fc6e6efb2a Mon Sep 17 00:00:00 2001
From: rahul-dvsa <141035405+rahul-dvsa@users.noreply.github.com>
Date: Mon, 22 Apr 2024 14:23:27 +0100
Subject: [PATCH] feat(docker): add selfserve application Docker image (#78)
* updated dockerfile
* update dockerfile
* updated docker file
* updated dockerfile and selfserve config
* nginx config updated with map
* updated nginx config with maps
* fix: :lipstick:
---------
Co-authored-by: JoshuaLicense
---
 infra/docker/api/api.conf | 3 +-
 infra/docker/api/php.ini | 6 +-
 infra/docker/selfserve/Dockerfile | 26 ++++-
 infra/docker/selfserve/php.ini | 19 ++++
 infra/docker/selfserve/selfserve.conf | 142 ++++++++++++++++++++++++++
 5 files changed, 189 insertions(+), 7 deletions(-)
 create mode 100644 infra/docker/selfserve/php.ini
 create mode 100644 infra/docker/selfserve/selfserve.conf
diff --git a/infra/docker/api/api.conf b/infra/docker/api/api.conf
index 972ada81a8..8056d06f7d 100644
--- a/infra/docker/api/api.conf
+++ b/infra/docker/api/api.conf
@@ -38,7 +38,7 @@ server {
 }
 location / {
- try_files $uri /index.php?q=$uri&$args;
+ try_files $uri /index.php?$query_string;
 }
 location ~ \.php$ {
@@ -46,7 +46,6 @@ server {
 fastcgi_split_path_info ^(.+\.php)(/.+)$;
 fastcgi_pass unix:/run/php-fpm.socket;
 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_read_timeout 600;
 fastcgi_index index.php;
 include fastcgi_params;
 }
diff --git a/infra/docker/api/php.ini b/infra/docker/api/php.ini
index 9e3c23466e..33f4afe176 100644
--- a/infra/docker/api/php.ini
+++ b/infra/docker/api/php.ini
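Review bot: Deleting `fastcgi_read_timeout 600;` from the `location ~ \.php$` block lowers the upstream read timeout for every API request to nginx's default (60s), and neither the commit title nor the bullet list mentions the API at all. Endpoints that legitimately run longer than a minute will now surface as 504s from nginx while the PHP-FPM worker may keep running to completion behind it. If the shorter limit is intended, a one-line comment in the block, `# upstream read timeout deliberately left at the nginx default; long-running work belongs in an async job`, records the decision; otherwise the directive should stay. The location block opens above this hunk, in the first hunk's trailing context.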
@@ -5,10 +5,8 @@ [opcache]
 ; The maximum number of keys (and therefore scripts) in the OPcache hash table
-; The Allowed value is between 200 and 100000. Recommendation is to have this
-; number approximately equal to the total number of php files in your project
-; https://programmer.group/php7-enables-opcache-to-create-powerful-performance.html#:~:text=opcache.max_accelerated_files
-opcache.max_accelerated_files=20000
+; The Allowed value is between 200 and 100000.
+opcache.max_accelerated_files=4000
 ; Validate timestamps of scripts on each request.
 opcache.validate_timestamps=1
diff --git a/infra/docker/selfserve/Dockerfile b/infra/docker/selfserve/Dockerfile
index aafda6f37a..0964fd0907 100644
--- a/infra/docker/selfserve/Dockerfile
+++ b/infra/docker/selfserve/Dockerfile
@@ -1 +1,25 @@
-FROM php:8.2-fpm
+# hadolint global ignore=DL3018,SC2086
+FROM ghcr.io/dvsa/dvsa-docker-images/php/7.4/fpm-nginx:0
+
+USER root
+
+# Installing require dependencies
+RUN apk add --no-cache pcre-dev~=8.45 $PHPIZE_DEPS \
+ && pecl install igbinary \
+ && pecl install -D "enable-redis-igbinary='yes' enable-redis-lzf='no' enable-redis-zstd='no'" redis \
+ && docker-php-ext-enable redis igbinary \
+ && apk del pcre-dev $PHPIZE_DEPS
+
+RUN apk add --no-cache icu-dev \
+ && docker-php-ext-configure intl \
+ && docker-php-ext-install pdo_mysql opcache intl
+
+# PHP config file
+COPY ./php.ini ${PHP_INI_DIR}/conf.d/1000-php.ini
+
+ADD --chown=www-data ./selfserve.tar.gz /var/www/html
+
+# nginx server config file
+COPY selfserve.conf /etc/nginx/conf.d/selfserve.conf
+
+USER www-data
diff --git a/infra/docker/selfserve/php.ini b/infra/docker/selfserve/php.ini
new file mode 100644
index 0000000000..33f4afe176
--- /dev/null
+++ b/infra/docker/selfserve/php.ini
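Review bot: The removed lines were the only explanation of how `opcache.max_accelerated_files` is sized, and the replacement `; The Allowed value is between 200 and 100000.` states the permitted range without saying why 4000 fits this application; scripts beyond the limit are simply not cached, so an undersized value degrades performance silently rather than failing loudly. A comment such as `; Sized to the number of PHP files shipped in the image (vendor/ included); scripts past this limit are not cached.` keeps the rationale next to the value. The `index` lines show both php.ini files in this patch end at the same blob (`33f4afe176`), i.e. the api and selfserve copies are now byte-identical, so the same comment belongs in the new selfserve file, or the two could be collapsed into one shared file.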
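Review bot: The `FROM` line moves the image from `php:8.2-fpm` to a PHP 7.4 base, a branch that stopped receiving security fixes at the end of 2022, and nothing in the commit explains the downgrade; if the application really needs 7.4 the constraint should be recorded in a comment above `FROM`, otherwise the 8.x variant of the same image family is the safer choice. The `:0` tag is also a floating tag, so two builds of this Dockerfile can pull different bases; pinning `FROM ghcr.io/dvsa/dvsa-docker-images/php/7.4/fpm-nginx:0@sha256:<digest of the reviewed image>` keeps the build reproducible and makes base-image updates visible in review. Separately, `ADD --chown=www-data ./selfserve.tar.gz /var/www/html` unpacks the application under `/var/www/html`, while the `root /var/www/public;` directive in the selfserve.conf hunk points elsewhere; unless the archive layout or the base image bridges that gap, the server block serves an empty tree and one of the two paths needs to change.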
@@ -0,0 +1,19 @@
+; PHP's initialization file, generally called php.ini, is responsible for
+; configuring many of the aspects of PHP's behavior.
+; For more information on the config file, please see:
+; https://www.php.net/manual/en/index.php
+
+[opcache]
+; The maximum number of keys (and therefore scripts) in the OPcache hash table
+; The Allowed value is between 200 and 100000.
+opcache.max_accelerated_files=4000
+
+; Validate timestamps of scripts on each request.
+opcache.validate_timestamps=1
+
+; Specifies the frequency at which OPcache checks for changes to PHP scripts
+; in the filesystem. The value is in seconds.
+opcache.revalidate_freq=60
+
+; Enable the cli
+opcache.enable_cli=1
diff --git a/infra/docker/selfserve/selfserve.conf b/infra/docker/selfserve/selfserve.conf
new file mode 100644
index 0000000000..e92c906043
--- /dev/null
+++ b/infra/docker/selfserve/selfserve.conf
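Review bot: `opcache.validate_timestamps=1` together with `opcache.revalidate_freq=60` asks PHP to re-check every cached script against the filesystem once a minute, but this php.ini is installed into an image whose application code is unpacked at build time by the `ADD` in the Dockerfile hunk, so those files cannot change while the container runs. For an immutable image `opcache.validate_timestamps=0` removes the checks entirely; if live revalidation is wanted on purpose (for instance so the same file works with a bind-mounted development checkout), a comment above the directive saying so would stop the next reader from "fixing" it. The `; Enable the cli` comment over `opcache.enable_cli=1` only restates the directive; it should say what the CLI runs are (console commands, cron, etc.) and why they need OPcache.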
@@ -0,0 +1,142 @@
+# Add Access-Control-Allow-Origin.
+map $sent_http_content_type $cors {
+ # Images
+ ~*image/ "*";
+
+ # Web fonts
+ ~*font/ "*";
+ ~*application/vnd.ms-fontobject "*";
+ ~*application/x-font-ttf "*";
+ ~*application/font-woff "*";
+ ~*application/x-font-woff "*";
+ ~*application/font-woff2 "*";
+}
+
+# Add Referrer-Policy for HTML documents.
+map $sent_http_content_type $referrer_policy {
+ ~*text/(css|html|javascript)|application\/pdf|xml "strict-origin-when-cross-origin";
+}
+
+server {
+ listen 8080;
+ listen [::]:8080;
+
+ server_name _;
+
+ root /var/www/public;
+
+ # Protect website against clickjacking.
+ #
+ # The example below sends the `X-Frame-Options` response header with the value
+ # `DENY`, informing browsers not to display the content of the web page in any
+ # frame.
+ #
+ # This might not be the best setting for everyone. You should read about the
+ # other two possible values the `X-Frame-Options` header field can have:
+ # `SAMEORIGIN` and `ALLOW-FROM`.
+ # https://tools.ietf.org/html/rfc7034#section-2.1.
+ #
+ # Keep in mind that while you could send the `X-Frame-Options` header for all
+ # of your website's pages, this has the potential downside that it forbids even
+ # non-malicious framing of your content.
+ #
+ # Nonetheless, you should ensure that you send the `X-Frame-Options` header for
+ # all pages that allow a user to make a state-changing operation (e.g: pages
+ # that contain one-click purchase links, checkout or bank-transfer confirmation
+ # pages, pages that make permanent configuration changes, etc.).
+ #
+ # Sending the `X-Frame-Options` header can also protect your website against
+ # more than just clickjacking attacks.
+ # https://cure53.de/xfo-clickjacking.pdf.
+ #
+ # (!) The `Content-Security-Policy` header has a `frame-ancestors` directive
+ # which obsoletes this header for supporting browsers.
+ #
+ # https://tools.ietf.org/html/rfc7034
+ # https://owasp.org/www-project-secure-headers/#x-frame-options
+ # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ # https://docs.microsoft.com/archive/blogs/ieinternals/combating-clickjacking-with-x-frame-options
+
+ add_header X-Frame-Options $x_frame_options always;
+
+ # Prevent some browsers from MIME-sniffing the response.
+ #
+ # This reduces exposure to drive-by download attacks and cross-origin data
+ # leaks, and should be left uncommented, especially if the server is serving
+ # user-uploaded content or content that could potentially be treated as
+ # executable by the browser.
+ #
+ # https://owasp.org/www-project-secure-headers/#x-content-type-options
+ # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+ # https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-v-comprehensive-protection/
+ # https://mimesniff.spec.whatwg.org/
+
+ add_header X-Content-Type-Options nosniff always;
+
+ # Allow cross-origin requests.
+ #
+ # https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
+ # https://enable-cors.org/
+ # https://www.w3.org/TR/cors/
+
+ # (!) Do not use this without understanding the consequences.
+ # This will permit access from any other website.
+ # Instead of using this file, consider using a specific rule such as
+ # allowing access based on (sub)domain:
+ #
+ # add_header Access-Control-Allow-Origin "subdomain.example.com";
+
+ add_header Access-Control-Allow-Origin $cors;
+
+ # Set a strict Referrer Policy to mitigate information leakage.
+ #
+ # (1) The `Referrer-Policy` header is included in responses for resources
+ # that are able to request (or navigate to) other resources.
+ #
+ # This includes the commonly used resource types:
+ # HTML, CSS, XML/SVG, PDF documents, scripts and workers.
+ #
+ # To prevent referrer leakage entirely, specify the `no-referrer` value
+ # instead.
Note that the effect could impact analytics metrics negatively.
+ #
+ # To check your Referrer Policy, you can use an online service, such as:
+ # https://securityheaders.com/
+ # https://observatory.mozilla.org/
+ #
+ # https://www.w3.org/TR/referrer-policy/
+ # https://owasp.org/www-project-secure-headers/#referrer-policy
+ # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
+ # https://scotthelme.co.uk/a-new-security-header-referrer-policy/
+
+ add_header Referrer-Policy $referrer_policy always;
+
+ # Block access to files that can expose sensitive information.
+ #
+ # By default, block access to backup and source files that may be left by some
+ # text editors and can pose a security risk when anyone has access to them.
+ #
+ # https://feross.org/cmsploit/
+ #
+ # (!) Update the `location` regular expression from below to include any files
+ # that might end up on your production server and can expose sensitive
+ # information about your website. These files may include: configuration
+ # files, files that contain metadata about the project (e.g.: project
+ # dependencies, build scripts, etc.).
+
+ location ~* (?:#.*#|\.(?:bak|conf|dist|fla|in[ci]|log|orig|psd|sh|sql|sw[op])|~)$ {
+ deny all;
+ }
+
+ location / {
+ try_files $uri /index.php?$query_string;
+ }
+
+ location ~ \.php$ {
+ try_files $uri =404;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_pass unix:/run/php-fpm.socket;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_index index.php;
+ include fastcgi_params;
+ }
+}
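Review bot: `add_header X-Frame-Options $x_frame_options always;` reads `$x_frame_options`, but the only variables this file defines are `$cors` and `$referrer_policy` in the two `map` blocks at the top of the hunk; unless the base image's `nginx.conf` provides that variable in the `http` context, nginx rejects the whole configuration at startup with an unknown-variable error, and even if it is defined there the cross-file dependency deserves a comment next to the directive. Making the file self-contained takes one more map beside the existing two, `map $sent_http_content_type $x_frame_options { ~*text/html "DENY"; }`, which sends the header only for HTML responses in the same way the other two maps scope theirs. The surrounding comment block already describes the `DENY` behaviour, so the map is what the text promises and the config currently lacks.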