From 021c77422725ee357b784aa75ef166dde386678b Mon Sep 17 00:00:00 2001
From: El RIDO
Date: Mon, 28 May 2018 21:02:58 +0200
Subject: [PATCH] Updating documentation

---
 .dockerignore | 4 +-
 README.md | 71 +++++++++++++++++++
 examples/00-phpinfo/docker-compose.yml | 8 ---
 examples/00-phpinfo/index.php | 3 -
 examples/01-phpinfo-behind-https/Caddyfile | 7 --
 .../docker-compose.yml | 13 ----
 examples/01-phpinfo-behind-https/index.php | 3 -
 examples/02-extra-headers/docker-compose.yml | 9 ---
 examples/02-extra-headers/headers.conf | 25 -------
 examples/02-extra-headers/index.html | 3 -
 10 files changed, 73 insertions(+), 73 deletions(-)
 create mode 100644 README.md
 delete mode 100644 examples/00-phpinfo/docker-compose.yml
 delete mode 100644 examples/00-phpinfo/index.php
 delete mode 100644 examples/01-phpinfo-behind-https/Caddyfile
 delete mode 100644 examples/01-phpinfo-behind-https/docker-compose.yml
 delete mode 100644 examples/01-phpinfo-behind-https/index.php
 delete mode 100644 examples/02-extra-headers/docker-compose.yml
 delete mode 100644 examples/02-extra-headers/headers.conf
 delete mode 100644 examples/02-extra-headers/index.html

diff --git a/.dockerignore b/.dockerignore
index b871a43..3eabb63 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,5 +1,5 @@
-# Examples
-examples/
+# Docs
+README.md
 
 # Git
 .git/
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..8d935fa
--- /dev/null
+++ b/README.md
@@ -0,0 +1,71 @@
+# [PrivateBin](https://privatebin.info/)
+
+**PrivateBin** is a minimalist, open source online [pastebin](https://en.wikipedia.org/wiki/Pastebin)
+where the server has zero knowledge of pasted data. Data is encrypted and decrypted in the browser
+using 256bit AES in [Galois Counter mode](https://en.wikipedia.org/wiki/Galois/Counter_Mode).
+
+This repository contains the Dockerfile and resources needed to create a docker image with a pre-installed
+PrivateBin instance in a secure default configuration. The images are based on the docker hub php/fpm-alpine
+image, extended with the GD module required to generate comment avatars and the Nginx webserver to serve
+static JavaScript libraries, CSS & logos. All logs of php-fpm and Nginx (access & errors) are forwarded to
+docker.
+
+## Running the image
+
+Assuming you have docker successfully installed and internet access, you can fetch and run the image from
+the docker hub like this:
+
+```bash
+docker run -d --restart="always" --read-only -p 8080:80 -v privatebin-data:/srv/data privatebin/nginx-fpm-alpine:1.1.1
+```
+
+The parameters explained, in order of importance:
+
+- `-v privatebin-data:/srv/data` - replace `privatebin-data` with the path to the folder on your system, where the
+ pastes and other service data should be persisted. This guarantees that your pastes aren't lost after you stop
+ and restart the image or when you replace it. Can be skipped if you just want to test the image.
+- `-p 8080:80` - The Nginx webserver inside the container listens on port 80, this parameter exposes it on your system
+ on port 8080. Be sure to use a reverse proxy for HTTPS termination in front of it in production environments.
+- `--read-only` - This image supports running in read-only mode. Using this reduces the attack surface slightly,
+ since an exploit in one of the images services can't overwrite arbitrary files in the container. Only /tmp, /var/tmp,
+ /var/run & /srv/data may be written into.
+- `-d` - launches the container in the background. You can use docker ps and docker logs to check if the container is
+ alive and well.
+- `--restart="always"` - restart the container if it crashes, mainly useful for production setups
+
+### Custom configuration
+
+In case you want to use a customized [conf.php](https://github.com/PrivateBin/PrivateBin/blob/master/cfg/conf.sample.php)
+file, for example one that has file uploads enabled or that uses a different template, add the file as a volume:
+
+```bash
+docker run -d --restart="always" --read-only -p 8080:80 -v conf.php:/srv/cfg/conf.php:ro -v privatebin-data:/srv/data privatebin/nginx-fpm-alpine:1.1.1
+```
+
+Note: Only the `Filesystem` data storage is supported, as the image doesn't include any PDO modules required for the
+`Database` one.
+
+## Rolling your own image
+
+To reproduce the image, just run:
+
+```bash
+docker build -t privatebin/nginx-fpm-alpine:1.1.1 .
+```
+
+### Behind the scenes
+
+The two processes, Nginx and php-fpm, are started by supervisord, which will also try to restart the services in case
+they crash.
+
+Nginx is required to serve static files and will also cache these for a bit. Requests to the index.php (which is the
+only PHP file exposed in the document root at /var/www) are passed on to php-fpm via fastCGI to port 9000. All other
+PHP files and the data are stored in /srv.
+
+The Nginx setup supports only HTTP, so make sure that you run another webserver as reverse proxy in front of this for
+HTTPS offloading and reducing the attack surface on your TLS stack. The Nginx in this image is set up to deflate/gzip
+text content.
+
+During the build of the image, the opcache & GD PHP modules are compiled from source and the PrivateBin release archive
+is downloaded from Github. All the downloaded Alpine packages and the PrivateBin archive are validated using cryptographic
+signatures to ensure the have not been tempered with, before deploying them in the image.
diff --git a/examples/00-phpinfo/docker-compose.yml b/examples/00-phpinfo/docker-compose.yml
deleted file mode 100644
index b3f2655..0000000
--- a/examples/00-phpinfo/docker-compose.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-version: '3'
-services:
- backend:
- build: ../../
- volumes:
- - './index.php:/var/www/index.php'
- ports:
- - '80:80'
diff --git a/examples/00-phpinfo/index.php b/examples/00-phpinfo/index.php
deleted file mode 100644
index 83f1549..0000000
--- a/examples/00-phpinfo/index.php
+++ /dev/null
@@ -1,3 +0,0 @@
-Extra Headers - -

Please open your browsers dev-tools to inspect the respone headers!