parent
8ad95a56e9
commit
60b596ddb2
@ -1,70 +1,49 @@
|
||||
FROM alpine:3.11
|
||||
|
||||
MAINTAINER PrivateBin <support@privatebin.org>
|
||||
LABEL maintainer="andrey.arapov@nixaid.com"
|
||||
|
||||
ENV RELEASE 1.3.4
|
||||
ENV PBURL https://github.com/PrivateBin/PrivateBin/
|
||||
ENV S6RELEASE v1.22.1.0
|
||||
ENV S6URL https://github.com/just-containers/s6-overlay/releases/download/
|
||||
ENV S6_READ_ONLY_ROOT 1
|
||||
|
||||
RUN \
|
||||
# Install dependencies
|
||||
apk add --no-cache gnupg nginx php7-fpm php7-json php7-gd \
|
||||
apk add --no-cache gnupg php7-fpm php7-json php7-gd \
|
||||
php7-opcache php7-pdo_mysql php7-pdo_pgsql tzdata \
|
||||
&& apk upgrade --no-cache \
|
||||
# Remove (some of the) default nginx config
|
||||
&& rm -f /etc/nginx.conf /etc/nginx/conf.d/default.conf /etc/php7/php-fpm.d/www.conf \
|
||||
&& rm -rf /etc/nginx/sites-* \
|
||||
# Ensure nginx logs, even if the config has errors, are written to stderr
|
||||
&& ln -s /dev/stderr /var/log/nginx/error.log \
|
||||
# Install PrivateBin
|
||||
&& export GNUPGHOME="$(mktemp -d)" \
|
||||
&& gpg2 --list-public-keys || /bin/true \
|
||||
&& wget -qO - https://privatebin.info/key/release.asc | gpg2 --import - \
|
||||
&& rm -rf /var/www/* \
|
||||
&& cd /tmp \
|
||||
&& wget -qO ${RELEASE}.tar.gz.asc ${PBURL}releases/download/${RELEASE}/PrivateBin-${RELEASE}.tar.gz.asc \
|
||||
&& wget -q ${PBURL}archive/${RELEASE}.tar.gz \
|
||||
&& gpg2 --verify ${RELEASE}.tar.gz.asc \
|
||||
&& mkdir /var/www \
|
||||
&& cd /var/www \
|
||||
&& tar -xzf /tmp/${RELEASE}.tar.gz --strip 1 \
|
||||
&& rm *.md cfg/conf.sample.php \
|
||||
&& mv cfg lib tpl vendor /srv \
|
||||
&& mkdir -p /srv/data \
|
||||
&& mkdir /srv/data \
|
||||
&& sed -i "s#define('PATH', '');#define('PATH', '/srv/');#" index.php \
|
||||
# Install s6 overlay for service management
|
||||
&& wget -qO - https://keybase.io/justcontainers/key.asc | gpg2 --import - \
|
||||
&& cd /tmp \
|
||||
&& S6ARCH=$(uname -m) \
|
||||
&& case ${S6ARCH} in \
|
||||
x86_64) S6ARCH=amd64;; \
|
||||
armv7l) S6ARCH=armhf;; \
|
||||
esac \
|
||||
&& wget -q ${S6URL}${S6RELEASE}/s6-overlay-${S6ARCH}.tar.gz.sig \
|
||||
&& wget -q ${S6URL}${S6RELEASE}/s6-overlay-${S6ARCH}.tar.gz \
|
||||
&& gpg2 --verify s6-overlay-${S6ARCH}.tar.gz.sig \
|
||||
&& tar -xzf s6-overlay-${S6ARCH}.tar.gz -C / \
|
||||
# Support running s6 under a non-root user
|
||||
&& mkdir -p /etc/services.d/nginx/supervise /etc/services.d/php-fpm7/supervise \
|
||||
&& mkfifo \
|
||||
/etc/services.d/nginx/supervise/control \
|
||||
/etc/services.d/php-fpm7/supervise/control \
|
||||
/etc/s6/services/s6-fdholderd/supervise/control \
|
||||
&& adduser nobody www-data \
|
||||
&& chown -R nobody.www-data /etc/services.d /etc/s6 /run /srv/* /var/lib/nginx /var/www \
|
||||
# Clean up
|
||||
&& rm -rf "${GNUPGHOME}" /tmp/* \
|
||||
&& apk del gnupg
|
||||
|
||||
COPY etc/ /etc/
|
||||
|
||||
WORKDIR /var/www
|
||||
USER nobody:www-data
|
||||
# nginx group id must match to the nginx group id of the container running nginx (e.g. "nginx:mainline-alpine")
|
||||
ENV NGINXGID 101
|
||||
RUN addgroup -S -g $NGINXGID nginx
|
||||
|
||||
# mark dirs as volumes that need to be writable, allows running the container --read-only
|
||||
VOLUME /run /srv/data /tmp /var/lib/nginx/tmp
|
||||
# Create the application user under which PHP-FPM will run
|
||||
ENV USER user
|
||||
ENV UID 1000
|
||||
ENV HOME /home/$USER
|
||||
ENV DATA /var/www
|
||||
RUN adduser -D -u $UID -h $HOME -s /bin/true $USER && \
|
||||
mkdir -p $DATA && \
|
||||
chown -Rh $USER:$NGINXGID $DATA /srv
|
||||
|
||||
EXPOSE 8080
|
||||
# Copy the php-fpm & nginx configs
|
||||
COPY etc/ /etc/
|
||||
|
||||
ENTRYPOINT ["/init"]
|
||||
WORKDIR $DATA
|
||||
USER $USER
|
||||
CMD php-fpm7 -F
|
||||
|
@ -1,5 +0,0 @@
|
||||
# Log access to this file
|
||||
# This is only used when you don't override it on a server{} level
|
||||
access_log /dev/stdout main;
|
||||
|
||||
# Note: Feel free to overwrite this file if you want a custom logging format!
|
@ -1,19 +0,0 @@
|
||||
# This tells Nginx to cache open file handles, "not found" errors, metadata about files and their permissions, etc.
|
||||
#
|
||||
# The upside of this is that Nginx can immediately begin sending data when a popular file is requested,
|
||||
# and will also know to immediately send a 404 if a file is missing on disk, and so on.
|
||||
#
|
||||
# However, it also means that the server won't react immediately to changes on disk, which may be undesirable.
|
||||
#
|
||||
# In the below configuration, inactive files are released from the cache after 20 seconds, whereas
|
||||
# active (recently requested) files are re-validated every 30 seconds.
|
||||
#
|
||||
# Descriptors will not be cached unless they are used at least 2 times within 20 seconds (the inactive time).
|
||||
#
|
||||
# A maximum of the 1000 most recently used file descriptors can be cached at any time.
|
||||
#
|
||||
# Production servers with stable file collections will definitely want to enable the cache.
|
||||
open_file_cache max=1000 inactive=20s;
|
||||
open_file_cache_valid 30s;
|
||||
open_file_cache_min_uses 2;
|
||||
open_file_cache_errors on;
|
@ -1,56 +0,0 @@
|
||||
# Enable gzip compression.
|
||||
gzip on;
|
||||
|
||||
# Compression level (1-9).
|
||||
# 5 is a perfect compromise between size and CPU usage, offering about
|
||||
# 75% reduction for most ASCII files (almost identical to level 9).
|
||||
gzip_comp_level 5;
|
||||
|
||||
# Don't compress anything that's already small and unlikely to shrink much
|
||||
# if at all (the default is 20 bytes, which is bad as that usually leads to
|
||||
# larger files after gzipping).
|
||||
gzip_min_length 256;
|
||||
|
||||
# Compress data even for clients that are connecting to us via proxies,
|
||||
# identified by the "Via" header (required for CloudFront).
|
||||
gzip_proxied any;
|
||||
|
||||
# Tell proxies to cache both the gzipped and regular version of a resource
|
||||
# whenever the client's Accept-Encoding capabilities header varies;
|
||||
# Avoids the issue where a non-gzip capable client (which is extremely rare
|
||||
# today) would display gibberish if their proxy gave them the gzipped version.
|
||||
gzip_vary on;
|
||||
|
||||
# Compress all output labeled with one of the following MIME-types.
|
||||
gzip_types
|
||||
application/atom+xml
|
||||
application/javascript
|
||||
application/json
|
||||
application/ld+json
|
||||
application/manifest+json
|
||||
application/rss+xml
|
||||
application/vnd.geo+json
|
||||
application/vnd.ms-fontobject
|
||||
application/x-font-ttf
|
||||
application/x-web-app-manifest+json
|
||||
application/xhtml+xml
|
||||
application/xml
|
||||
font/opentype
|
||||
image/bmp
|
||||
image/svg+xml
|
||||
image/x-icon
|
||||
text/cache-manifest
|
||||
text/css
|
||||
text/plain
|
||||
text/vcard
|
||||
text/vnd.rim.location.xloc
|
||||
text/vtt
|
||||
text/x-component
|
||||
text/x-cross-domain-policy;
|
||||
# text/html is always compressed by gzip module
|
||||
|
||||
# This should be turned on if you are going to have pre-compressed copies (.gz) of
|
||||
# static files available. If not it should be left off as it will cause extra I/O
|
||||
# for the check. It is best if you enable this in a location{} block for
|
||||
# a specific directory, or on an individual server{} level.
|
||||
# gzip_static on;
|
@ -0,0 +1,24 @@
|
||||
server {
|
||||
listen 80 default_server;
|
||||
|
||||
root /var/www;
|
||||
index index.php index.html index.htm;
|
||||
|
||||
location / {
|
||||
try_files $uri $uri/ /index.php$is_args$args;
|
||||
}
|
||||
|
||||
# since I am running in Docker
|
||||
resolver 127.0.0.11 ipv6=off;
|
||||
set $privatebin privatebin-fpm:9000;
|
||||
|
||||
location ~ \.php$ {
|
||||
fastcgi_pass $privatebin;
|
||||
fastcgi_index index.php;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
include fastcgi_params;
|
||||
|
||||
# Prevent exposing nginx + version to $_SERVER
|
||||
fastcgi_param SERVER_SOFTWARE "";
|
||||
}
|
||||
}
|
@ -1,75 +0,0 @@
|
||||
# Run as a unique, less privileged user for security reasons.
|
||||
user nobody www-data;
|
||||
|
||||
# Sets the worker threads to the number of CPU cores available in the system for best performance.
|
||||
# Should be > the number of CPU cores.
|
||||
# Maximum number of connections = worker_processes * worker_connections
|
||||
worker_processes auto;
|
||||
|
||||
# Maximum number of open files per worker process.
|
||||
# Should be > worker_connections.
|
||||
worker_rlimit_nofile 8192;
|
||||
|
||||
events {
|
||||
# If you need more connections than this, you start optimizing your OS.
|
||||
# That's probably the point at which you hire people who are smarter than you as this is *a lot* of requests.
|
||||
# Should be < worker_rlimit_nofile.
|
||||
worker_connections 8000;
|
||||
}
|
||||
|
||||
# Log errors and warnings to this file
|
||||
# This is only used when you don't override it on a server{} level
|
||||
error_log /dev/stderr warn;
|
||||
|
||||
# The file storing the process ID of the main process
|
||||
pid /run/nginx.pid;
|
||||
|
||||
# The process is managed in the docker-env
|
||||
daemon off;
|
||||
|
||||
# Free some CPU cycles
|
||||
timer_resolution 500ms;
|
||||
|
||||
http {
|
||||
# Specify MIME types for files.
|
||||
include mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
# Update charset_types to match updated mime.types.
|
||||
# text/html is always included by charset module.
|
||||
charset_types text/css text/plain text/vnd.wap.wml application/javascript application/json application/rss+xml application/xml;
|
||||
|
||||
# Include $http_x_forwarded_for within default format used in log files
|
||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||
'$status $body_bytes_sent "$http_referer" '
|
||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||
|
||||
# Hide used software
|
||||
server_tokens off;
|
||||
|
||||
# Default charset
|
||||
charset utf-8;
|
||||
|
||||
# How long to allow each connection to stay idle.
|
||||
# Longer values are better for each individual client, particularly for SSL,
|
||||
# but means that worker connections are tied up longer.
|
||||
keepalive_timeout 20s;
|
||||
|
||||
# Speed up file transfers by using sendfile() to copy directly
|
||||
# between descriptors rather than using read()/write().
|
||||
# For performance reasons, on FreeBSD systems w/ ZFS
|
||||
# this option should be disabled as ZFS's ARC caches
|
||||
# frequently used files in RAM by default.
|
||||
sendfile on;
|
||||
|
||||
# Don't send out partial frames; this increases throughput
|
||||
# since TCP frames are filled up before being sent out.
|
||||
tcp_nopush on;
|
||||
|
||||
# Allow up to 15 MiB payload, privatebin defaults to 10 MiB.
|
||||
client_max_body_size 15M;
|
||||
|
||||
# Load even moar configs
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
include /etc/nginx/sites-enabled/*.conf;
|
||||
}
|
@ -1,24 +0,0 @@
|
||||
server {
|
||||
listen 8080 default_server;
|
||||
|
||||
root /var/www;
|
||||
index index.php index.html index.htm;
|
||||
|
||||
location / {
|
||||
include /etc/nginx/location.d/*.conf;
|
||||
try_files $uri $uri/ /index.php$is_args$args;
|
||||
}
|
||||
|
||||
location ~ \.php$ {
|
||||
include /etc/nginx/location.d/*.conf;
|
||||
fastcgi_pass unix:/run/php-fpm.sock;
|
||||
fastcgi_index index.php;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
include fastcgi_params;
|
||||
|
||||
# Prevent exposing nginx + version to $_SERVER
|
||||
fastcgi_param SERVER_SOFTWARE "";
|
||||
}
|
||||
|
||||
include /etc/nginx/server.d/*.conf;
|
||||
}
|
@ -1 +0,0 @@
|
||||
/etc/nginx/sites-available/site.conf
|
@ -1,18 +0,0 @@
|
||||
[global]
|
||||
pid = /run/php-fpm7.pid
|
||||
daemonize = no
|
||||
error_log = /dev/stderr
|
||||
|
||||
[www]
|
||||
user = nobody
|
||||
group = www-data
|
||||
listen = /run/php-fpm.sock
|
||||
listen.owner = nobody
|
||||
listen.group = www-data
|
||||
access.log = /dev/null
|
||||
clear_env = On
|
||||
pm = dynamic
|
||||
pm.max_children = 5
|
||||
pm.start_servers = 2
|
||||
pm.min_spare_servers = 1
|
||||
pm.max_spare_servers = 3
|
@ -0,0 +1,18 @@
|
||||
[global]
|
||||
daemonize = no
|
||||
error_log = /dev/stderr
|
||||
|
||||
[www]
|
||||
user = user
|
||||
group = user
|
||||
listen = 0.0.0.0:9000
|
||||
pm = dynamic
|
||||
pm.max_children = 5
|
||||
pm.start_servers = 2
|
||||
pm.min_spare_servers = 1
|
||||
pm.max_spare_servers = 3
|
||||
clear_env = On
|
||||
;access.log = /dev/null
|
||||
;php_admin_value[upload_max_filesize] = 15M
|
||||
;php_admin_value[post_max_size] = 15M
|
||||
;php_admin_value[output_buffering] = 0
|
@ -1,2 +0,0 @@
|
||||
#!/usr/bin/execlineb -P
|
||||
/usr/sbin/nginx
|
@ -1,2 +0,0 @@
|
||||
#!/usr/bin/execlineb -P
|
||||
/usr/sbin/php-fpm7
|
Loading…
Reference in new issue