dvsa · JoshuaLicense · Apr 22, 2024 · Mar 19, 2024 · Mar 19, 2024 · Mar 20, 2024
@@ -1 +1,39 @@
-FROM php:8.2-fpm
+# installing the base image from ECR, tag is appended with v0.1
+FROM 245185850403.dkr.ecr.eu-west-1.amazonaws.com/php-7.4:v0.1
+
+USER root
+
+# Installing require dependencies
+RUN apk add --update --no-cache \
+                      icu-dev \
+                      autoconf \
+                      g++ \
+                      make \
+    && pecl install igbinary \
+    && pecl install -D 'enable-redis-igbinary="yes"' redis \
+    && docker-php-ext-enable igbinary redis \
+    && apk del --purge autoconf g++ make
+
+RUN docker-php-ext-install intl pdo_mysql opcache
+
+USER www-data
+
+# pass the tar.gz bundle via docker build command
+# e.g. docker build --build-arg olcs_internal=olcs_internal.tar.gz --build-arg olcs_static=olcs_static.tar.gz
+ARG olcs_internal
+ARG olcs_static
+
+# php config file
+COPY ./php.ini ${PHP_INI_DIR}/conf.d/1000-php.ini
+
+# nginx server config file
+COPY ./backend.conf /etc/nginx/conf.d/backend.conf
+
+
+# place holder for copying selfserv application
+ADD $olcs_internal /var/www/
+
+# copy the web static content
+ADD $olcs_static /var/www/public/static
+
+# Default startup command when container is launched is in the base image
diff --git a/infra/docker/internal/backend.conf b/infra/docker/internal/backend.conf
@@ -0,0 +1,41 @@
+# Server configuration, http configuration is defined in base image
+server {
+    listen 8080;
+    listen [::]:8080;
+    index index.php index.html;
+
+    root /var/www/public;
+
+    # HTTP security headers
+
+    #help prevent xss injection attack, 
+    #default-src 'self' - only allow content to be loaded from the same origin ('self'). 
+    #this means that resources like scripts, stylesheets, fonts, and images can only be 
+    #loaded from the same domain as the web page itself, however specific directives takes precedence over default-src
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline';  style-src 'self' 'unsafe-inline'; img-src 'self'; frame-ancestors 'self'";
+
+    #The X-Frame-Options header is used to control whether a web page can be displayed 
+    #in a frame or iframe, helping to mitigate clickjacking attacks.
+    #always - X-Frame-Options header is added to all responses, regardless of their status code.
+    add_header X-Frame-Options "SAMEORIGIN" always;
+
+    # mitigate MIME-sniffing attacks in web browsers
+    # Setting it to nosniff instructs the browser not to perform MIME-sniffing and to trust the 
+    # Content-Type header provided by the server.
+    add_header X-Content-Type-Options "nosniff" always;
+
+    location ~ \.php$ {
+        try_files $uri =404;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+        fastcgi_index index.php;
+        include fastcgi_params;
+        fastcgi_pass unix:/run/php-fpm.socket;  # Path to PHP-FPM socket file
+
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param PATH_INFO $fastcgi_path_info;
+    }
+    location / {
+        try_files $uri $uri/ /index.php?$query_string;
+    }
+}
@@ -0,0 +1,21 @@
+; PHP's initialization file, generally called php.ini, is responsible for
+; configuring many of the aspects of PHP's behavior.
+; For more information on the config file, please see:
+; https://www.php.net/manual/en/index.php
+
+[opcache]
+; The maximum number of keys (and therefore scripts) in the OPcache hash table
+; The Allowed value is between 200 and 100000. Recommendation is to have this 
+;number approximately equal to the total number of php files in your project
+;https://programmer.group/php7-enables-opcache-to-create-powerful-performance.html#:~:text=opcache.max_accelerated_files
+opcache.max_accelerated_files=20000
+
+; Validate timestamps of scripts on each request. 
+opcache.validate_timestamps=1
+
+; Specifies the frequency at which OPcache checks for changes to PHP scripts
+; in the filesystem. The value is in seconds.
+opcache.revalidate_freq=60
+
+;enable the cli
+opcache.enable_cli=1