dvsa · JoshuaLicense · Apr 18, 2024 · Feb 27, 2024 · Feb 27, 2024 · Feb 29, 2024
@@ -1 +1,27 @@
-FROM php:8.2-fpm
+# hadolint global ignore=DL3018,SC2086
+FROM ghcr.io/dvsa/dvsa-docker-images/php/7.4/fpm-nginx:0
+
+USER root
+
+# Install redis with igbinary
+RUN apk add --no-cache pcre-dev~=8.45 $PHPIZE_DEPS \
+    && pecl install igbinary \
+    && pecl install -D "enable-redis-igbinary="yes" enable-redis-lzf="no" enable-redis-zstd="no"" redis \
+    && docker-php-ext-enable redis igbinary \
+    && apk del pcre-dev $PHPIZE_DEPS
+
+RUN apk add --no-cache icu-dev~=71.1 \
+    && docker-php-ext-install mysqli pdo_mysql \
+    && docker-php-ext-install opcache \
+    && docker-php-ext-configure intl && docker-php-ext-install intl \
+    && apk del icu-dev
+
+# PHP config file
+COPY ./php.ini ${PHP_INI_DIR}/conf.d/1000-php.ini
+
+ADD --chown=www-data ./api.tar.gz /var/www/html
+
+# nginx server config file
+COPY api.conf /etc/nginx/conf.d/api.conf
+
+USER www-data
@@ -0,0 +1,53 @@
+server {
+  listen 80;
+  listen [::]:80;
+
+  server_name _;
+
+  root /var/www/html/public;
+
+  # Prevent some browsers from MIME-sniffing the response.
+  #
+  # This reduces exposure to drive-by download attacks and cross-origin data
+  # leaks, and should be left uncommented, especially if the server is serving
+  # user-uploaded content or content that could potentially be treated as
+  # executable by the browser.
+  #
+  # https://owasp.org/www-project-secure-headers/#x-content-type-options
+  # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+  # https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-v-comprehensive-protection/
+  # https://mimesniff.spec.whatwg.org/
+
+  add_header X-Content-Type-Options nosniff always;
+
+  # Block access to files that can expose sensitive information.
+  #
+  # By default, block access to backup and source files that may be left by some
+  # text editors and can pose a security risk when anyone has access to them.
+  #
+  # https://feross.org/cmsploit/
+  #
+  # (!) Update the `location` regular expression from below to include any files
+  #     that might end up on your production server and can expose sensitive
+  #     information about your website. These files may include: configuration
+  #     files, files that contain metadata about the project (e.g.: project
+  #     dependencies, build scripts, etc.).
+
+  location ~* (?:#.*#|\.(?:bak|conf|dist|fla|in[ci]|log|orig|psd|sh|sql|sw[op])|~)$ {
+    deny all;
+  }
+
+  location / {
+   try_files $uri /index.php?q=$uri&$args;
+  }
+
+  location ~ \.php$ {
+    try_files $uri =404;
+    fastcgi_split_path_info ^(.+\.php)(/.+)$;
+    fastcgi_pass unix:/run/php-fpm.socket;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    fastcgi_read_timeout 600;
+    fastcgi_index index.php;
+    include fastcgi_params;
+  }
+}
@@ -0,0 +1,21 @@
+; PHP's initialization file, generally called php.ini, is responsible for
+; configuring many of the aspects of PHP's behavior.
+; For more information on the config file, please see:
+; https://www.php.net/manual/en/index.php
+
+[opcache]
+; The maximum number of keys (and therefore scripts) in the OPcache hash table
+; The Allowed value is between 200 and 100000. Recommendation is to have this
+; number approximately equal to the total number of php files in your project
+; https://programmer.group/php7-enables-opcache-to-create-powerful-performance.html#:~:text=opcache.max_accelerated_files
+opcache.max_accelerated_files=20000
+
+; Validate timestamps of scripts on each request.
+opcache.validate_timestamps=1
+
+; Specifies the frequency at which OPcache checks for changes to PHP scripts
+; in the filesystem. The value is in seconds.
+opcache.revalidate_freq=60
+
+; Enable the cli
+opcache.enable_cli=1