From 7a7aacc1f14be75e2dcc7ff06c98bb8b83859235 Mon Sep 17 00:00:00 2001 From: Rahul Sharma Date: Tue, 19 Mar 2024 15:28:07 +0000 Subject: [PATCH 01/14] docker file updated --- infra/docker/internal/Dockerfile | 45 +++++++++++++++++++++++++++- infra/docker/internal/backend.conf | 47 ++++++++++++++++++++++++++++++ infra/docker/internal/php.ini | 25 ++++++++++++++++ 3 files changed, 116 insertions(+), 1 deletion(-) create mode 100644 infra/docker/internal/backend.conf create mode 100644 infra/docker/internal/php.ini diff --git a/infra/docker/internal/Dockerfile b/infra/docker/internal/Dockerfile index aafda6f37a..eadcd3c21e 100644 --- a/infra/docker/internal/Dockerfile +++ b/infra/docker/internal/Dockerfile @@ -1 +1,44 @@ -FROM php:8.2-fpm +## + # Copyright © Amazon.com and Affiliates: This deliverable is considered Developed Content as defined in the AWS Service Terms and the SOW between the parties dated 2024-01-16. +## + +# installing the base image from ECR, tag is appended with v0.1 +# FROM 245185850403.dkr.ecr.eu-west-1.amazonaws.com/php-7.4:v0.1 +FROM php-7.4:v0.1 + +USER root + +# Installing require dependencies +RUN apk add --update --no-cache \ + icu-dev \ + autoconf \ + g++ \ + make \ + && pecl install igbinary \ + && pecl install -D 'enable-redis-igbinary="yes"' redis \ + && docker-php-ext-enable igbinary redis \ + && apk del --purge autoconf g++ make + +RUN docker-php-ext-install intl pdo_mysql opcache + +# check opcache enabled and configured ?? + +USER www-data + +ARG olcs_internal +ARG olcs_static + +# php config file +COPY ./php.ini ${PHP_INI_DIR}/conf.d/1000-php.ini + +# nginx server config file +COPY ./backend.conf /etc/nginx/conf.d/backend.conf + + +# place holder for copying selfserv application +ADD $olcs_internal /var/www/ + +# copy the web static content +ADD $olcs_static /var/www/public/static + +# Default startup command when container is launched is in the base image \ No newline at end of file 
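Review bot: The second `RUN docker-php-ext-install intl pdo_mysql opcache` runs after the first RUN has already executed `apk del --purge autoconf g++ make`, so unless the `php-7.4:v0.1` base ships its own toolchain the intl extension has no compiler to build with and the image fails to build; move the extension install into the first RUN ahead of the `apk del`, or wrap it in its own `apk add $PHPIZE_DEPS` / `apk del $PHPIZE_DEPS` pair. `apk add --update --no-cache` is also contradictory, since `--no-cache` already fetches a fresh index; drop `--update`. Separately, `ADD $olcs_internal /var/www/` and `ADD $olcs_static …` take their source from a build-arg, and if a caller passes a URL instead of a path ADD downloads it into the image with no checksum verification, so the placeholder comment should state the contract, e.g. `# olcs_internal / olcs_static: local .tar.gz paths inside the build context; ADD auto-extracts them`.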
diff --git a/infra/docker/internal/backend.conf b/infra/docker/internal/backend.conf
new file mode 100644
index 0000000000..47eb0ff1c4
--- /dev/null
+++ b/infra/docker/internal/backend.conf
@@ -0,0 +1,47 @@ +## + # Copyright © Amazon.com and Affiliates: This deliverable is considered Developed Content as defined in the AWS Service Terms and the SOW between the parties dated 2024-01-16. +## + +# Server configuration, http configuration is defined in base image +server { + listen 8080; + listen [::]:8080; + index index.php index.html; + + root /var/www/public; + + # HTTP security headers + + #help prevent xss injection attack, + #default-src 'self' - only allow content to be loaded from the same origin ('self'). + #This means that resources like scripts, stylesheets, fonts, and images can only be + #loaded from the same domain as the web page itself. + #always - This modifier ensures that the specified header is added to all responses, + #regardless of the status code returned by the server. + add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; frame-ancestors 'self'"; + + #The X-Frame-Options header is used to control whether a web page can be displayed + #in a frame or iframe, helping to mitigate clickjacking attacks. + #always - X-Frame-Options header is added to all responses, regardless of their status code. + add_header X-Frame-Options "SAMEORIGIN" always; + + # mitigate MIME-sniffing attacks in web browsers + # Setting it to nosniff instructs the browser not to perform MIME-sniffing and to trust the + # Content-Type header provided by the server. + add_header X-Content-Type-Options "nosniff" always; + + location ~ \.php$ { + try_files $uri =404; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + + fastcgi_index index.php; + include fastcgi_params; + fastcgi_pass unix:/run/php-fpm.socket; # Path to PHP-FPM socket file + + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + } + location / { + try_files $uri $uri/ /index.php?$query_string; + } +} \ No newline at end of file 
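Review bot: The `add_header Content-Security-Policy …` line carries no `always` flag, yet the comment block directly above it explains `always` as "ensures that the specified header is added to all responses"; either append `always` (as the X-Frame-Options and X-Content-Type-Options lines do) or drop that sentence, because as written 4xx/5xx pages are sent without a CSP. `script-src 'self' 'unsafe-inline'` also largely cancels the XSS protection the comment promises, since inline script is exactly what an injection produces; if inline scripts cannot be removed yet, document it as a known gap rather than describing the policy as XSS prevention. The same two points apply to the reworded CSP lines in patch 02 (L5) and patch 06 (L8).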
diff --git a/infra/docker/internal/php.ini b/infra/docker/internal/php.ini new file mode 100644 index 0000000000..1ac598e21e --- /dev/null +++ b/infra/docker/internal/php.ini @@ -0,0 +1,25 @@ +## + # Copyright © Amazon.com and Affiliates: This deliverable is considered Developed Content as defined in the AWS Service Terms and the SOW between the parties dated 2024-01-16. +## + +; PHP's initialization file, generally called php.ini, is responsible for +; configuring many of the aspects of PHP's behavior. +; For more information on the config file, please see: +; https://www.php.net/manual/en/index.php + +[opcache] +; The maximum number of keys (and therefore scripts) in the OPcache hash table +; The Allowed value is between 200 and 100000. Recommendation is to have this +;number approximately equal to the total number of php files in your project +;https://programmer.group/php7-enables-opcache-to-create-powerful-performance.html#:~:text=opcache.max_accelerated_files +opcache.max_accelerated_files=20000 + +; Validate timestamps of scripts on each request. +opcache.validate_timestamps=1 + +; Specifies the frequency at which OPcache checks for changes to PHP scripts +; in the filesystem. The value is in seconds. +opcache.revalidate_freq=60 + +;enable the cli +opcache.enable_cli=1 \ No newline at end of file From faeeba7cec4539ae7359c2b11c0b85d1a23a408b Mon Sep 17 00:00:00 2001 From: Rahul Sharma Date: Tue, 19 Mar 2024 23:02:43 +0000 Subject: [PATCH 02/14] dockerfile cleaned up --- infra/docker/internal/Dockerfile | 7 +++---- infra/docker/internal/backend.conf | 6 ++---- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/infra/docker/internal/Dockerfile b/infra/docker/internal/Dockerfile index eadcd3c21e..b81ddc9a72 100644 --- a/infra/docker/internal/Dockerfile +++ b/infra/docker/internal/Dockerfile 
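Review bot: `opcache.validate_timestamps=1` together with `opcache.revalidate_freq=60` makes every worker re-stat scripts once a minute, which only pays off if code under `/var/www` changes while the container runs; for an immutable image `opcache.validate_timestamps=0` is the usual choice (a redeploy restarts the process anyway), and the comment should say which deployment model the chosen value assumes. `opcache.enable_cli=1` has no effect on php-fpm and only matters for `php` CLI invocations, so add a comment naming the CLI workload it is there for, otherwise a future reader will remove it as noise.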
@@ -3,8 +3,7 @@ ## # installing the base image from ECR, tag is appended with v0.1 -# FROM 245185850403.dkr.ecr.eu-west-1.amazonaws.com/php-7.4:v0.1 -FROM php-7.4:v0.1 +FROM 245185850403.dkr.ecr.eu-west-1.amazonaws.com/php-7.4:v0.1 USER root @@ -21,10 +20,10 @@ RUN apk add --update --no-cache \ RUN docker-php-ext-install intl pdo_mysql opcache -# check opcache enabled and configured ?? - USER www-data +# pass the tar.gz bundle via docker build command +# e.g. docker build --build-arg olcs_internal=olcs_internal.tar.gz --build-arg olcs_static=olcs_static.tar.gz ARG olcs_internal ARG olcs_static diff --git a/infra/docker/internal/backend.conf b/infra/docker/internal/backend.conf index 47eb0ff1c4..9bfe1f00d3 100644 --- a/infra/docker/internal/backend.conf +++ b/infra/docker/internal/backend.conf @@ -14,10 +14,8 @@ server { #help prevent xss injection attack, #default-src 'self' - only allow content to be loaded from the same origin ('self'). - #This means that resources like scripts, stylesheets, fonts, and images can only be - #loaded from the same domain as the web page itself. - #always - This modifier ensures that the specified header is added to all responses, - #regardless of the status code returned by the server. + #this means that resources like scripts, stylesheets, fonts, and images can only be + #loaded from the same domain as the web page itself, however specific directives takes precedence over default-src add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; frame-ancestors 'self'"; #The X-Frame-Options header is used to control whether a web page can be displayed From 6f8bcff04b9007be9e7f7a1922dbd3e9a296518d Mon Sep 17 00:00:00 2001 
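Review bot: `FROM 245185850403.dkr.ecr.eu-west-1.amazonaws.com/php-7.4:v0.1` pins a mutable tag, so whoever next pushes `v0.1` silently changes what every build starts from; pin the digest as well (`…/php-7.4:v0.1@sha256:<digest of the v0.1 manifest>`) or at least note in the comment that the ECR repository has tag immutability enabled, since mutability is the ECR default. The added build-arg example is helpful; it should also say that the two values are paths relative to the build context, because that is where ADD resolves them.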
From: rahul-dvsa <141035405+rahul-dvsa@users.noreply.github.com> Date: Wed, 20 Mar 2024 09:39:53 +0000 Subject: [PATCH 03/14] Update Dockerfile removed aws headers --- infra/docker/internal/Dockerfile | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/infra/docker/internal/Dockerfile b/infra/docker/internal/Dockerfile index b81ddc9a72..17b571785b 100644 --- a/infra/docker/internal/Dockerfile +++ b/infra/docker/internal/Dockerfile @@ -1,7 +1,3 @@ -## - # Copyright © Amazon.com and Affiliates: This deliverable is considered Developed Content as defined in the AWS Service Terms and the SOW between the parties dated 2024-01-16. -## - # installing the base image from ECR, tag is appended with v0.1 FROM 245185850403.dkr.ecr.eu-west-1.amazonaws.com/php-7.4:v0.1 @@ -40,4 +36,4 @@ ADD $olcs_internal /var/www/ # copy the web static content ADD $olcs_static /var/www/public/static -# Default startup command when container is launched is in the base image \ No newline at end of file +# Default startup command when container is launched is in the base image From 98385ad09778a48451fc64b36cbe9cf599955660 Mon Sep 17 00:00:00 2001 From: rahul-dvsa <141035405+rahul-dvsa@users.noreply.github.com> Date: Wed, 20 Mar 2024 09:40:18 +0000 Subject: [PATCH 04/14] Update backend.conf removed headers --- infra/docker/internal/backend.conf | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/infra/docker/internal/backend.conf b/infra/docker/internal/backend.conf index 9bfe1f00d3..b0b7ace817 100644 --- a/infra/docker/internal/backend.conf +++ b/infra/docker/internal/backend.conf @@ -1,7 +1,3 @@ -## - # Copyright © Amazon.com and Affiliates: This deliverable is considered Developed Content as defined in the AWS Service Terms and the SOW between the parties dated 2024-01-16. -## - # Server configuration, http configuration is defined in base image server { listen 8080; 
@@ -42,4 +38,4 @@ server { location / { try_files $uri $uri/ /index.php?$query_string; } -} \ No newline at end of file +} From 499d042ae886891847f2d7977cdfb888c11cf8bb Mon Sep 17 00:00:00 2001 From: rahul-dvsa <141035405+rahul-dvsa@users.noreply.github.com> Date: Wed, 20 Mar 2024 09:40:42 +0000 Subject: [PATCH 05/14] Update php.ini removed aws headers --- infra/docker/internal/php.ini | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/infra/docker/internal/php.ini b/infra/docker/internal/php.ini index 1ac598e21e..36b5ac8ac8 100644 --- a/infra/docker/internal/php.ini +++ b/infra/docker/internal/php.ini @@ -1,7 +1,3 @@ -## - # Copyright © Amazon.com and Affiliates: This deliverable is considered Developed Content as defined in the AWS Service Terms and the SOW between the parties dated 2024-01-16. -## - ; PHP's initialization file, generally called php.ini, is responsible for ; configuring many of the aspects of PHP's behavior. ; For more information on the config file, please see: @@ -22,4 +18,4 @@ opcache.validate_timestamps=1 opcache.revalidate_freq=60 ;enable the cli -opcache.enable_cli=1 \ No newline at end of file +opcache.enable_cli=1 From 1b0823405a1bc4d687861402e3b836c44ee1a952 Mon Sep 17 00:00:00 2001 From: Rahul Sharma Date: Wed, 20 Mar 2024 13:02:01 +0000 Subject: [PATCH 06/14] updated font-src in backend.conf --- infra/docker/internal/backend.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/docker/internal/backend.conf b/infra/docker/internal/backend.conf index b0b7ace817..3f75311b08 100644 --- a/infra/docker/internal/backend.conf +++ b/infra/docker/internal/backend.conf 
@@ -12,7 +12,7 @@ server { #default-src 'self' - only allow content to be loaded from the same origin ('self'). #this means that resources like scripts, stylesheets, fonts, and images can only be #loaded from the same domain as the web page itself, however specific directives takes precedence over default-src - add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; frame-ancestors 'self'"; + add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; font-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; frame-ancestors 'self'"; #The X-Frame-Options header is used to control whether a web page can be displayed #in a frame or iframe, helping to mitigate clickjacking attacks. From 507f357b791b2c8f53da39e80c1aecba4df44c33 Mon Sep 17 00:00:00 2001 From: Rahul Sharma Date: Mon, 25 Mar 2024 17:39:56 +0000 Subject: [PATCH 07/14] introduced the package version --- infra/docker/internal/Dockerfile | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/infra/docker/internal/Dockerfile b/infra/docker/internal/Dockerfile index 17b571785b..2e1f7693cc 100644 --- a/infra/docker/internal/Dockerfile +++ b/infra/docker/internal/Dockerfile @@ -5,10 +5,10 @@ USER root # Installing require dependencies RUN apk add --update --no-cache \ - icu-dev \ - autoconf \ - g++ \ - make \ + icu-dev~=71.1 \ + autoconf~=2.71 \ + g++~=11.2.1 \ + make=~4.3 \ && pecl install igbinary \ && pecl install -D 'enable-redis-igbinary="yes"' redis \ && docker-php-ext-enable igbinary redis \ From 6e1965e9b697cf6c17c0a937b89e89c23ace7f2c Mon Sep 17 00:00:00 2001 From: rahul-dvsa <141035405+rahul-dvsa@users.noreply.github.com> Date: Tue, 26 Mar 2024 13:23:22 +0000 Subject: [PATCH 08/14] Update Dockerfile --- infra/docker/internal/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/infra/docker/internal/Dockerfile b/infra/docker/internal/Dockerfile index 2e1f7693cc..44ed1c38ea 100644 --- a/infra/docker/internal/Dockerfile +++ b/infra/docker/internal/Dockerfile @@ -8,7 +8,7 @@ RUN apk add --update --no-cache \ icu-dev~=71.1 \ autoconf~=2.71 \ g++~=11.2.1 \ - make=~4.3 \ + make~=4.3 \ && pecl install igbinary \ && pecl install -D 'enable-redis-igbinary="yes"' redis \ && docker-php-ext-enable igbinary redis \ From 3271a4a2d921059e4349c56b2bde78e1809c0244 Mon Sep 17 00:00:00 2001 From: Rahul Sharma Date: Fri, 19 Apr 2024 13:44:38 +0100 Subject: [PATCH 09/14] feat: updated dockerfile and security headers --- infra/docker/internal/Dockerfile | 40 ++++++++----------- .../internal/{backend.conf => internal.conf} | 21 +++++++++- 2 files changed, 35 insertions(+), 26 deletions(-) rename infra/docker/internal/{backend.conf => internal.conf} (68%) diff --git a/infra/docker/internal/Dockerfile b/infra/docker/internal/Dockerfile index 44ed1c38ea..8a371ebd26 100644 --- a/infra/docker/internal/Dockerfile +++ b/infra/docker/internal/Dockerfile 
@@ -1,39 +1,31 @@ -# installing the base image from ECR, tag is appended with v0.1 -FROM 245185850403.dkr.ecr.eu-west-1.amazonaws.com/php-7.4:v0.1 +# hadolint global ignore=DL3018,SC2086 +FROM ghcr.io/dvsa/dvsa-docker-images/php/7.4/fpm-nginx:0 USER root # Installing require dependencies -RUN apk add --update --no-cache \ - icu-dev~=71.1 \ - autoconf~=2.71 \ - g++~=11.2.1 \ - make~=4.3 \ +RUN apk add --no-cache pcre-dev~=8.45 $PHPIZE_DEPS \ && pecl install igbinary \ - && pecl install -D 'enable-redis-igbinary="yes"' redis \ - && docker-php-ext-enable igbinary redis \ - && apk del --purge autoconf g++ make + && pecl install -D "enable-redis-igbinary='yes' enable-redis-lzf='no' enable-redis-zstd='no'" redis \ + && docker-php-ext-enable redis igbinary \ + && apk del pcre-dev $PHPIZE_DEPS -RUN docker-php-ext-install intl pdo_mysql opcache - -USER www-data - -# pass the tar.gz bundle via docker build command -# e.g. docker build --build-arg olcs_internal=olcs_internal.tar.gz --build-arg olcs_static=olcs_static.tar.gz -ARG olcs_internal -ARG olcs_static +RUN apk add --no-cache icu-dev \ + && docker-php-ext-configure intl \ + && docker-php-ext-install pdo_mysql opcache intl # php config file COPY ./php.ini ${PHP_INI_DIR}/conf.d/1000-php.ini -# nginx server config file -COPY ./backend.conf /etc/nginx/conf.d/backend.conf - - # place holder for copying selfserv application -ADD $olcs_internal /var/www/ +ADD --chown=www-data ./internal.tar.gz /var/www/ # copy the web static content -ADD $olcs_static /var/www/public/static +ADD --chown=www-data ./static.tar.gz /var/www/public/static + +# nginx server config file +COPY ./internal.conf /etc/nginx/conf.d/internal.conf + +USER www-data # Default startup command when container is launched is in the base image 
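Review bot: `FROM ghcr.io/dvsa/dvsa-docker-images/php/7.4/fpm-nginx:0` pins only a major version, so each rebuild picks up whatever `:0` currently points to; pin the digest too (`…/fpm-nginx:0@sha256:<digest>`) so a base-image change shows up as a diff rather than as a surprise. The file-wide `# hadolint global ignore=DL3018` also hides that `icu-dev` in the second RUN is unpinned while `pcre-dev~=8.45` in the first is pinned; pin it the same way instead of suppressing the rule for the whole file. PHP 7.4 has been end-of-life since November 2022 and receives no security fixes, which is worth recording next to the FROM line if the upgrade is tracked elsewhere. The `ADD --chown=www-data ./internal.tar.gz` lines are the one legitimate use of ADD (local tarball auto-extraction), so a one-line `# ADD (not COPY): auto-extracts the tarball` would stop the next reviewer from "fixing" it.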
diff --git a/infra/docker/internal/backend.conf b/infra/docker/internal/internal.conf similarity index 68% rename from infra/docker/internal/backend.conf rename to infra/docker/internal/internal.conf index 3f75311b08..25109e6536 100644 --- a/infra/docker/internal/backend.conf +++ b/infra/docker/internal/internal.conf @@ -24,17 +24,34 @@ server { # Content-Type header provided by the server. add_header X-Content-Type-Options "nosniff" always; + # Block access to files that can expose sensitive information. + # + # By default, block access to backup and source files that may be left by some + # text editors and can pose a security risk when anyone has access to them. + # + # https://feross.org/cmsploit/ + # + # (!) Update the `location` regular expression from below to include any files + # that might end up on your production server and can expose sensitive + # information about your website. These files may include: configuration + # files, files that contain metadata about the project (e.g.: project + # dependencies, build scripts, etc.). + + location ~* (?:#.*#|\.(?:bak|conf|dist|fla|in[ci]|log|orig|psd|sh|sql|sw[op])|~)$ { + deny all; + } + location ~ \.php$ { try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_index index.php; include fastcgi_params; fastcgi_pass unix:/run/php-fpm.socket; # Path to PHP-FPM socket file - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_read_timeout 600; } + location / { try_files $uri $uri/ /index.php?$query_string; } From 725fbd93b22bfb0c7311551fc688b9b5090b82de Mon Sep 17 00:00:00 2001 From: Rahul Sharma Date: Fri, 19 Apr 2024 13:58:22 +0100 Subject: [PATCH 10/14] feat: commented application ADD layer since app doesn't exist --- infra/docker/internal/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/infra/docker/internal/Dockerfile b/infra/docker/internal/Dockerfile index 8a371ebd26..9b931efc06 100644 
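Review bot: Inside `location ~ \.php$`, `fastcgi_split_path_info` and `fastcgi_param PATH_INFO $fastcgi_path_info` can never yield a non-empty value, because the location only matches URIs ending in `.php` and `try_files $uri =404` requires that exact file to exist; either remove the two lines or add `# PATH_INFO intentionally always empty: try_files above requires the script to exist` so nobody "repairs" it, since keeping PATH_INFO disabled is the safer default. `fastcgi_read_timeout 600` keeps a worker connection open for up to ten minutes per slow PHP request; if a particular report or export needs it, say so in a comment and consider scoping the directive to that URI so the default applies elsewhere. The new deny-all `location` for backup and config files wins only because regex locations are tried in file order and it sits above the `.php` block; a comment stating that ordering constraint would protect it from a later reshuffle.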
--- a/infra/docker/internal/Dockerfile +++ b/infra/docker/internal/Dockerfile @@ -18,10 +18,10 @@ RUN apk add --no-cache icu-dev \ COPY ./php.ini ${PHP_INI_DIR}/conf.d/1000-php.ini # place holder for copying selfserv application -ADD --chown=www-data ./internal.tar.gz /var/www/ +# ADD --chown=www-data ./internal.tar.gz /var/www/ # copy the web static content -ADD --chown=www-data ./static.tar.gz /var/www/public/static +# ADD --chown=www-data ./static.tar.gz /var/www/public/static # nginx server config file COPY ./internal.conf /etc/nginx/conf.d/internal.conf From 6c25013dac4668e68686bc445b898939c8be5fe0 Mon Sep 17 00:00:00 2001 From: Rahul Sharma Date: Sun, 21 Apr 2024 23:22:00 +0100 Subject: [PATCH 11/14] implmented review comments --- infra/docker/internal/Dockerfile | 6 +- infra/docker/internal/internal.conf | 85 +++++++++++++++++++++++++---- 2 files changed, 74 insertions(+), 17 deletions(-) diff --git a/infra/docker/internal/Dockerfile b/infra/docker/internal/Dockerfile index 9b931efc06..50756ed0f3 100644 --- a/infra/docker/internal/Dockerfile +++ b/infra/docker/internal/Dockerfile @@ -17,11 +17,7 @@ RUN apk add --no-cache icu-dev \ # php config file COPY ./php.ini ${PHP_INI_DIR}/conf.d/1000-php.ini -# place holder for copying selfserv application -# ADD --chown=www-data ./internal.tar.gz /var/www/ - -# copy the web static content -# ADD --chown=www-data ./static.tar.gz /var/www/public/static +ADD --chown=www-data ./internal.tar.gz /var/www/ # nginx server config file COPY ./internal.conf /etc/nginx/conf.d/internal.conf diff --git a/infra/docker/internal/internal.conf b/infra/docker/internal/internal.conf index 25109e6536..7b698bacef 100644 --- a/infra/docker/internal/internal.conf +++ b/infra/docker/internal/internal.conf 
@@ -8,22 +8,83 @@ server { # HTTP security headers - #help prevent xss injection attack, - #default-src 'self' - only allow content to be loaded from the same origin ('self'). - #this means that resources like scripts, stylesheets, fonts, and images can only be - #loaded from the same domain as the web page itself, however specific directives takes precedence over default-src - add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; font-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; frame-ancestors 'self'"; - - #The X-Frame-Options header is used to control whether a web page can be displayed - #in a frame or iframe, helping to mitigate clickjacking attacks. - #always - X-Frame-Options header is added to all responses, regardless of their status code. + # Protect website against clickjacking. + + # Keep in mind that while you could send the `X-Frame-Options` header for all + # of your website's pages, this has the potential downside that it forbids even + # non-malicious framing of your content. + # + # Nonetheless, you should ensure that you send the `X-Frame-Options` header for + # all pages that allow a user to make a state-changing operation (e.g: pages + # that contain one-click purchase links, checkout or bank-transfer confirmation + # pages, pages that make permanent configuration changes, etc.). + # + # Sending the `X-Frame-Options` header can also protect your website against + # more than just clickjacking attacks. + # https://cure53.de/xfo-clickjacking.pdf. + # + # (!) The `Content-Security-Policy` header has a `frame-ancestors` directive + # which obsoletes this header for supporting browsers. 
+ # + # https://tools.ietf.org/html/rfc7034 + # https://owasp.org/www-project-secure-headers/#x-frame-options + # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options + # https://docs.microsoft.com/archive/blogs/ieinternals/combating-clickjacking-with-x-frame-options + # https://tools.ietf.org/html/rfc7034#section-2.1. + add_header X-Frame-Options "SAMEORIGIN" always; - # mitigate MIME-sniffing attacks in web browsers - # Setting it to nosniff instructs the browser not to perform MIME-sniffing and to trust the - # Content-Type header provided by the server. + # Prevent some browsers from MIME-sniffing the response. + # This reduces exposure to drive-by download attacks and cross-origin data + # leaks, and should be left uncommented, especially if the server is serving + # user-uploaded content or content that could potentially be treated as + # executable by the browser. + # https://owasp.org/www-project-secure-headers/#x-content-type-options + # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options + # https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-v-comprehensive-protection/ + # https://mimesniff.spec.whatwg.org/ + add_header X-Content-Type-Options "nosniff" always; + + #Allow cross-origin requests. + + # https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS + # https://enable-cors.org/ + # https://www.w3.org/TR/cors/ + + # (!) Do not use this without understanding the consequences. + # This will permit access from any other website. + # Instead of using this file, consider using a specific rule such as + # allowing access based on (sub)domain: + + # add_header Access-Control-Allow-Origin "subdomain.example.com"; + + add_header Access-Control-Allow-Origin *; + + + # Set a strict Referrer Policy to mitigate information leakage. + # + # (1) The `Referrer-Policy` header is included in responses for resources + # that are able to request (or navigate to) other resources. 
+ # + # This includes the commonly used resource types: + # HTML, CSS, XML/SVG, PDF documents, scripts and workers. + # + # To prevent referrer leakage entirely, specify the `no-referrer` value + # instead. Note that the effect could impact analytics metrics negatively. + # + # To check your Referrer Policy, you can use an online service, such as: + # https://securityheaders.com/ + # https://observatory.mozilla.org/ + # + # https://www.w3.org/TR/referrer-policy/ + # https://owasp.org/www-project-secure-headers/#referrer-policy + # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy + # https://scotthelme.co.uk/a-new-security-header-referrer-policy/ + + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + # Block access to files that can expose sensitive information. # # By default, block access to backup and source files that may be left by some From 3de158e12aed5cfdb4a088f54c8a8cb50e3aa27d Mon Sep 17 00:00:00 2001 From: Rahul Sharma Date: Mon, 22 Apr 2024 12:31:47 +0100 Subject: [PATCH 12/14] updated internal nginx config with maps --- infra/docker/internal/internal.conf | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/infra/docker/internal/internal.conf b/infra/docker/internal/internal.conf index 7b698bacef..70087f4a58 100644 --- a/infra/docker/internal/internal.conf +++ b/infra/docker/internal/internal.conf 
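Review bot: This hunk deletes the `add_header Content-Security-Policy …` line and nothing re-adds it, so from this commit on the internal site sends no CSP at all, while the new X-Frame-Options comment still points at CSP `frame-ancestors` as the modern replacement; keep a CSP header (at minimum `default-src 'self'; frame-ancestors 'self'` plus the script/style sources the app needs) or record in the commit message why it was dropped. `add_header Access-Control-Allow-Origin *;` is also attached to every response, including PHP pages, which the comment directly above it warns against; patch 12 (L16) narrows it with a map, but the CSP stays absent there and nothing in the visible part of patch 13 (L19) restores it. The copied commentary could be trimmed to the one or two lines that apply to this server and a single reference each; as written the file is mostly prose around five directives.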
@@ -1,4 +1,24 @@ # Server configuration, http configuration is defined in base image + +# Add Access-Control-Allow-Origin. +map $sent_http_content_type $cors { + # Images + ~*image/ "*"; + + # Web fonts + ~*font/ "*"; + ~*application/vnd.ms-fontobject "*"; + ~*application/x-font-ttf "*"; + ~*application/font-woff "*"; + ~*application/x-font-woff "*"; + ~*application/font-woff2 "*"; +} + +# Add Referrer-Policy for HTML documents. +map $sent_http_content_type $referrer_policy { + ~*text/(css|html|javascript)|application\/pdf|xml "strict-origin-when-cross-origin"; +} + server { listen 8080; listen [::]:8080; @@ -60,7 +80,7 @@ server { # add_header Access-Control-Allow-Origin "subdomain.example.com"; - add_header Access-Control-Allow-Origin *; + add_header Access-Control-Allow-Origin $cors; # Set a strict Referrer Policy to mitigate information leakage. @@ -83,7 +103,7 @@ server { # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy # https://scotthelme.co.uk/a-new-security-header-referrer-policy/ - add_header Referrer-Policy "strict-origin-when-cross-origin" always; + add_header Referrer-Policy $referrer_policy always; # Block access to files that can expose sensitive information. # From f3f5c26bc1e377630cc76114114dfee5b275b59b Mon Sep 17 00:00:00 2001 From: JoshuaLicense Date: Mon, 22 Apr 2024 14:29:07 +0100 Subject: [PATCH 13/14] fix: :lipstick: --- infra/docker/api/Dockerfile | 12 +- infra/docker/internal/Dockerfile | 20 +-- infra/docker/internal/internal.conf | 261 ++++++++++++++-------------- infra/docker/internal/php.ini | 12 +- infra/docker/selfserve/Dockerfile | 12 +- 5 files changed, 158 insertions(+), 159 deletions(-) diff --git a/infra/docker/api/Dockerfile b/infra/docker/api/Dockerfile index ecabe2b159..82cafb9baf 100644 --- a/infra/docker/api/Dockerfile +++ b/infra/docker/api/Dockerfile 
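Review bot: The `$referrer_policy` map has no `default`, so any response whose Content-Type the regex does not match (JSON, plain text, downloads) is sent without a Referrer-Policy header, because nginx drops an `add_header` whose value is empty; if that is intended, say so on the map, otherwise add `default "strict-origin-when-cross-origin";`. The comment `# Add Referrer-Policy for HTML documents.` also understates the pattern, which covers CSS, JavaScript, PDF and anything containing `xml`; the unanchored `xml` alternative is looser than the rest of the expression. The `$cors` map is a clear improvement over the previous wildcard for every response; a short comment that the empty default deliberately suppresses the header for non-asset responses would make that intent explicit.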
@@ -5,14 +5,14 @@ USER root # Install redis with igbinary RUN apk add --no-cache pcre-dev~=8.45 $PHPIZE_DEPS \ - && pecl install igbinary \ - && pecl install -D "enable-redis-igbinary='yes' enable-redis-lzf='no' enable-redis-zstd='no'" redis \ - && docker-php-ext-enable redis igbinary \ - && apk del pcre-dev $PHPIZE_DEPS + && pecl install igbinary \ + && pecl install -D "enable-redis-igbinary='yes' enable-redis-lzf='no' enable-redis-zstd='no'" redis \ + && docker-php-ext-enable redis igbinary \ + && apk del pcre-dev $PHPIZE_DEPS RUN apk add --no-cache icu-dev \ - && docker-php-ext-configure intl \ - && docker-php-ext-install pdo_mysql opcache intl + && docker-php-ext-configure intl \ + && docker-php-ext-install pdo_mysql opcache intl # PHP config file COPY ./php.ini ${PHP_INI_DIR}/conf.d/1000-php.ini diff --git a/infra/docker/internal/Dockerfile b/infra/docker/internal/Dockerfile index 50756ed0f3..57fac73b69 100644 --- a/infra/docker/internal/Dockerfile +++ b/infra/docker/internal/Dockerfile 
@@ -5,23 +5,21 @@ USER root # Installing require dependencies RUN apk add --no-cache pcre-dev~=8.45 $PHPIZE_DEPS \ - && pecl install igbinary \ - && pecl install -D "enable-redis-igbinary='yes' enable-redis-lzf='no' enable-redis-zstd='no'" redis \ - && docker-php-ext-enable redis igbinary \ - && apk del pcre-dev $PHPIZE_DEPS + && pecl install igbinary \ + && pecl install -D "enable-redis-igbinary='yes' enable-redis-lzf='no' enable-redis-zstd='no'" redis \ + && docker-php-ext-enable redis igbinary \ + && apk del pcre-dev $PHPIZE_DEPS RUN apk add --no-cache icu-dev \ - && docker-php-ext-configure intl \ - && docker-php-ext-install pdo_mysql opcache intl + && docker-php-ext-configure intl \ + && docker-php-ext-install pdo_mysql opcache intl -# php config file +# PHP config file COPY ./php.ini ${PHP_INI_DIR}/conf.d/1000-php.ini -ADD --chown=www-data ./internal.tar.gz /var/www/ +ADD --chown=www-data ./selfserve.tar.gz /var/www/html # nginx server config file -COPY ./internal.conf /etc/nginx/conf.d/internal.conf +COPY internal.conf /etc/nginx/conf.d/internal.conf USER www-data - -# Default startup command when container is launched is in the base image diff --git a/infra/docker/internal/internal.conf b/infra/docker/internal/internal.conf index 70087f4a58..e92c906043 100644 --- a/infra/docker/internal/internal.conf +++ b/infra/docker/internal/internal.conf 
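Review bot: The internal Dockerfile now runs `ADD --chown=www-data ./selfserve.tar.gz /var/www/html`, i.e. it extracts the selfserve bundle into the internal image and moves the target from `/var/www/` to `/var/www/html`; unless the internal build context really ships a `selfserve.tar.gz`, this reads like a copy from `infra/docker/selfserve/Dockerfile` and will either fail the build or ship the wrong application. The nginx config for this image previously used `root /var/www/public` (the old side of the internal.conf hunk at L19 still shows it), so if `/var/www/html` is now correct the `root` must move with it; the new side of that hunk is cut off here, so please confirm the two agree. Minor: `COPY internal.conf …` drops the `./` that the sibling `COPY ./php.ini …` keeps; pick one form.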
@@ -1,139 +1,142 @@ -# Server configuration, http configuration is defined in base image - # Add Access-Control-Allow-Origin. map $sent_http_content_type $cors { - # Images - ~*image/ "*"; - - # Web fonts - ~*font/ "*"; - ~*application/vnd.ms-fontobject "*"; - ~*application/x-font-ttf "*"; - ~*application/font-woff "*"; - ~*application/x-font-woff "*"; - ~*application/font-woff2 "*"; + # Images + ~*image/ "*"; + + # Web fonts + ~*font/ "*"; + ~*application/vnd.ms-fontobject "*"; + ~*application/x-font-ttf "*"; + ~*application/font-woff "*"; + ~*application/x-font-woff "*"; + ~*application/font-woff2 "*"; } # Add Referrer-Policy for HTML documents. map $sent_http_content_type $referrer_policy { - ~*text/(css|html|javascript)|application\/pdf|xml "strict-origin-when-cross-origin"; + ~*text/(css|html|javascript)|application\/pdf|xml "strict-origin-when-cross-origin"; } server { - listen 8080; - listen [::]:8080; - index index.php index.html; - - root /var/www/public; - - # HTTP security headers - - # Protect website against clickjacking. - - # Keep in mind that while you could send the `X-Frame-Options` header for all - # of your website's pages, this has the potential downside that it forbids even - # non-malicious framing of your content. - # - # Nonetheless, you should ensure that you send the `X-Frame-Options` header for - # all pages that allow a user to make a state-changing operation (e.g: pages - # that contain one-click purchase links, checkout or bank-transfer confirmation - # pages, pages that make permanent configuration changes, etc.). - # - # Sending the `X-Frame-Options` header can also protect your website against - # more than just clickjacking attacks. - # https://cure53.de/xfo-clickjacking.pdf. - # - # (!) The `Content-Security-Policy` header has a `frame-ancestors` directive - # which obsoletes this header for supporting browsers. 
- # - # https://tools.ietf.org/html/rfc7034 - # https://owasp.org/www-project-secure-headers/#x-frame-options - # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options - # https://docs.microsoft.com/archive/blogs/ieinternals/combating-clickjacking-with-x-frame-options - # https://tools.ietf.org/html/rfc7034#section-2.1. - - add_header X-Frame-Options "SAMEORIGIN" always; - - # Prevent some browsers from MIME-sniffing the response. - # This reduces exposure to drive-by download attacks and cross-origin data - # leaks, and should be left uncommented, especially if the server is serving - # user-uploaded content or content that could potentially be treated as - # executable by the browser. - # https://owasp.org/www-project-secure-headers/#x-content-type-options - # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options - # https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-v-comprehensive-protection/ - # https://mimesniff.spec.whatwg.org/ - - add_header X-Content-Type-Options "nosniff" always; - - - #Allow cross-origin requests. - - # https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS - # https://enable-cors.org/ - # https://www.w3.org/TR/cors/ - - # (!) Do not use this without understanding the consequences. - # This will permit access from any other website. - # Instead of using this file, consider using a specific rule such as - # allowing access based on (sub)domain: - - # add_header Access-Control-Allow-Origin "subdomain.example.com"; - - add_header Access-Control-Allow-Origin $cors; - - - # Set a strict Referrer Policy to mitigate information leakage. - # - # (1) The `Referrer-Policy` header is included in responses for resources - # that are able to request (or navigate to) other resources. - # - # This includes the commonly used resource types: - # HTML, CSS, XML/SVG, PDF documents, scripts and workers. 
- # - # To prevent referrer leakage entirely, specify the `no-referrer` value - # instead. Note that the effect could impact analytics metrics negatively. - # - # To check your Referrer Policy, you can use an online service, such as: - # https://securityheaders.com/ - # https://observatory.mozilla.org/ - # - # https://www.w3.org/TR/referrer-policy/ - # https://owasp.org/www-project-secure-headers/#referrer-policy - # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy - # https://scotthelme.co.uk/a-new-security-header-referrer-policy/ - - add_header Referrer-Policy $referrer_policy always; - - # Block access to files that can expose sensitive information. - # - # By default, block access to backup and source files that may be left by some - # text editors and can pose a security risk when anyone has access to them. - # - # https://feross.org/cmsploit/ - # - # (!) Update the `location` regular expression from below to include any files - # that might end up on your production server and can expose sensitive - # information about your website. These files may include: configuration - # files, files that contain metadata about the project (e.g.: project - # dependencies, build scripts, etc.). - - location ~* (?:#.*#|\.(?:bak|conf|dist|fla|in[ci]|log|orig|psd|sh|sql|sw[op])|~)$ { - deny all; - } - - location ~ \.php$ { - try_files $uri =404; - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_index index.php; - include fastcgi_params; - fastcgi_pass unix:/run/php-fpm.socket; # Path to PHP-FPM socket file - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param PATH_INFO $fastcgi_path_info; - fastcgi_read_timeout 600; - } - - location / { - try_files $uri $uri/ /index.php?$query_string; - } + listen 8080; + listen [::]:8080; + + server_name _; + + root /var/www/public; + + # Protect website against clickjacking. 
+ # + # The example below sends the `X-Frame-Options` response header with the value + # `DENY`, informing browsers not to display the content of the web page in any + # frame. + # + # This might not be the best setting for everyone. You should read about the + # other two possible values the `X-Frame-Options` header field can have: + # `SAMEORIGIN` and `ALLOW-FROM`. + # https://tools.ietf.org/html/rfc7034#section-2.1. + # + # Keep in mind that while you could send the `X-Frame-Options` header for all + # of your website's pages, this has the potential downside that it forbids even + # non-malicious framing of your content. + # + # Nonetheless, you should ensure that you send the `X-Frame-Options` header for + # all pages that allow a user to make a state-changing operation (e.g: pages + # that contain one-click purchase links, checkout or bank-transfer confirmation + # pages, pages that make permanent configuration changes, etc.). + # + # Sending the `X-Frame-Options` header can also protect your website against + # more than just clickjacking attacks. + # https://cure53.de/xfo-clickjacking.pdf. + # + # (!) The `Content-Security-Policy` header has a `frame-ancestors` directive + # which obsoletes this header for supporting browsers. + # + # https://tools.ietf.org/html/rfc7034 + # https://owasp.org/www-project-secure-headers/#x-frame-options + # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options + # https://docs.microsoft.com/archive/blogs/ieinternals/combating-clickjacking-with-x-frame-options + + add_header X-Frame-Options $x_frame_options always; + + # Prevent some browsers from MIME-sniffing the response. + # + # This reduces exposure to drive-by download attacks and cross-origin data + # leaks, and should be left uncommented, especially if the server is serving + # user-uploaded content or content that could potentially be treated as + # executable by the browser. 
+ # + # https://owasp.org/www-project-secure-headers/#x-content-type-options + # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options + # https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-v-comprehensive-protection/ + # https://mimesniff.spec.whatwg.org/ + + add_header X-Content-Type-Options nosniff always; + + # Allow cross-origin requests. + # + # https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS + # https://enable-cors.org/ + # https://www.w3.org/TR/cors/ + + # (!) Do not use this without understanding the consequences. + # This will permit access from any other website. + # Instead of using this file, consider using a specific rule such as + # allowing access based on (sub)domain: + # + # add_header Access-Control-Allow-Origin "subdomain.example.com"; + + add_header Access-Control-Allow-Origin $cors; + + # Set a strict Referrer Policy to mitigate information leakage. + # + # (1) The `Referrer-Policy` header is included in responses for resources + # that are able to request (or navigate to) other resources. + # + # This includes the commonly used resource types: + # HTML, CSS, XML/SVG, PDF documents, scripts and workers. + # + # To prevent referrer leakage entirely, specify the `no-referrer` value + # instead. Note that the effect could impact analytics metrics negatively. + # + # To check your Referrer Policy, you can use an online service, such as: + # https://securityheaders.com/ + # https://observatory.mozilla.org/ + # + # https://www.w3.org/TR/referrer-policy/ + # https://owasp.org/www-project-secure-headers/#referrer-policy + # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy + # https://scotthelme.co.uk/a-new-security-header-referrer-policy/ + + add_header Referrer-Policy $referrer_policy always; + + # Block access to files that can expose sensitive information. 
+ # + # By default, block access to backup and source files that may be left by some + # text editors and can pose a security risk when anyone has access to them. + # + # https://feross.org/cmsploit/ + # + # (!) Update the `location` regular expression from below to include any files + # that might end up on your production server and can expose sensitive + # information about your website. These files may include: configuration + # files, files that contain metadata about the project (e.g.: project + # dependencies, build scripts, etc.). + + location ~* (?:#.*#|\.(?:bak|conf|dist|fla|in[ci]|log|orig|psd|sh|sql|sw[op])|~)$ { + deny all; + } + + location / { + try_files $uri /index.php?$query_string; + } + + location ~ \.php$ { + try_files $uri =404; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_pass unix:/run/php-fpm.socket; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_index index.php; + include fastcgi_params; + } } diff --git a/infra/docker/internal/php.ini b/infra/docker/internal/php.ini index 36b5ac8ac8..33f4afe176 100644 --- a/infra/docker/internal/php.ini +++ b/infra/docker/internal/php.ini 
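Review bot: `add_header X-Frame-Options $x_frame_options always;` references a variable that nothing in this file defines — the two `map` blocks only produce `$cors` and `$referrer_policy` — so unless the base image's http-level config declares it, `nginx -t` fails with an unknown-variable error, and where it is declared but empty the header is silently omitted (nginx drops `add_header` with an empty value), losing the clickjacking protection the old side hard-coded. The comment above it also still talks about sending `DENY` while the directive no longer carries a literal; either restore `add_header X-Frame-Options "SAMEORIGIN" always;` (or `DENY`, if nothing on the site is framed) or add a `map` beside the existing ones that yields the value, and make the comment match. Dropping `fastcgi_read_timeout 600;` from the PHP location reverts to the 60s default, which will show up as 504s on any request that legitimately ran longer than a minute before; if that is deliberate, note it. `fastcgi_split_path_info` now has no consumer because `fastcgi_param PATH_INFO` was removed, so it can go too.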
@@ -5,17 +5,15 @@ [opcache] ; The maximum number of keys (and therefore scripts) in the OPcache hash table -; The Allowed value is between 200 and 100000. Recommendation is to have this -;number approximately equal to the total number of php files in your project -;https://programmer.group/php7-enables-opcache-to-create-powerful-performance.html#:~:text=opcache.max_accelerated_files -opcache.max_accelerated_files=20000 +; The Allowed value is between 200 and 100000. +opcache.max_accelerated_files=4000 -; Validate timestamps of scripts on each request. +; Validate timestamps of scripts on each request. opcache.validate_timestamps=1 ; Specifies the frequency at which OPcache checks for changes to PHP scripts ; in the filesystem. The value is in seconds. opcache.revalidate_freq=60 -;enable the cli -opcache.enable_cli=1 +; Enable the cli +opcache.enable_cli=1 diff --git a/infra/docker/selfserve/Dockerfile b/infra/docker/selfserve/Dockerfile index 0964fd0907..9d9a217657 100644 --- a/infra/docker/selfserve/Dockerfile +++ b/infra/docker/selfserve/Dockerfile @@ -5,14 +5,14 @@ USER root # Installing require dependencies RUN apk add --no-cache pcre-dev~=8.45 $PHPIZE_DEPS \ - && pecl install igbinary \ - && pecl install -D "enable-redis-igbinary='yes' enable-redis-lzf='no' enable-redis-zstd='no'" redis \ - && docker-php-ext-enable redis igbinary \ - && apk del pcre-dev $PHPIZE_DEPS + && pecl install igbinary \ + && pecl install -D "enable-redis-igbinary='yes' enable-redis-lzf='no' enable-redis-zstd='no'" redis \ + && docker-php-ext-enable redis igbinary \ + && apk del pcre-dev $PHPIZE_DEPS RUN apk add --no-cache icu-dev \ - && docker-php-ext-configure intl \ - && docker-php-ext-install pdo_mysql opcache intl + && docker-php-ext-configure intl \ + && docker-php-ext-install pdo_mysql opcache intl # PHP config file COPY ./php.ini ${PHP_INI_DIR}/conf.d/1000-php.ini From 0a5e73622645f4d64c927ca35e30a876ae703ccd Mon Sep 17 00:00:00 2001 
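Review bot: `opcache.max_accelerated_files` drops from 20000 to 4000 and the comment explaining how the number was chosen (roughly the number of PHP files in the project) is removed in the same hunk, so the new value has no stated rationale. Scripts beyond the cap are simply not cached rather than failing loudly, so the reason for the lower limit should be recorded next to it, e.g. `; Sized for this image's script count (app + vendor); OPcache rounds this up to the next prime`. `opcache.validate_timestamps=1` with `opcache.revalidate_freq=60` is also kept for what is an immutable container image, where `opcache.validate_timestamps=0` would avoid the per-request stat calls; if live revalidation is intentional, say so in the comment.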
From: JoshuaLicense Date: Mon, 22 Apr 2024 14:37:07 +0100 Subject: [PATCH 14/14] fixup! fix: :lipstick: --- infra/docker/internal/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/docker/internal/Dockerfile b/infra/docker/internal/Dockerfile index 57fac73b69..70fb2cb67c 100644 --- a/infra/docker/internal/Dockerfile +++ b/infra/docker/internal/Dockerfile @@ -17,7 +17,7 @@ RUN apk add --no-cache icu-dev \ # PHP config file COPY ./php.ini ${PHP_INI_DIR}/conf.d/1000-php.ini -ADD --chown=www-data ./selfserve.tar.gz /var/www/html +ADD --chown=www-data ./internal.tar.gz /var/www/html # nginx server config file COPY internal.conf /etc/nginx/conf.d/internal.conf