arno/privatebin
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

improving documentation

Browse Source
This commit is contained in:
El RIDO 2018-05-29 19:09:14 +02:00
parent 021c774227
commit f9687a65df
1 changed files with 17 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
README.md
View File

@ -5,10 +5,10 @@ where the server has zero knowledge of pasted data. Data is encrypted and decryp
using 256bit AES in [Galois Counter mode](https://en.wikipedia.org/wiki/Galois/Counter_Mode). using 256bit AES in [Galois Counter mode](https://en.wikipedia.org/wiki/Galois/Counter_Mode).
This repository contains the Dockerfile and resources needed to create a docker image with a pre-installed This repository contains the Dockerfile and resources needed to create a docker image with a pre-installed
PrivateBin instance in a secure default configuration. The images are based on the docker hub php/fpm-alpine PrivateBin instance in a secure default configuration. The images are based on the docker hub php:fpm-alpine
image, extended with the GD module required to generate comment avatars and the Nginx webserver to serve image, extended with the GD module required to generate discussion avatars and the Nginx webserver to serve
static JavaScript libraries, CSS & logos. All logs of php-fpm and Nginx (access & errors) are forwarded to static JavaScript libraries, CSS & the logos. All logs of php-fpm and Nginx (access & errors) are forwarded
docker. to docker logs.
## Running the image ## Running the image
@ -19,38 +19,39 @@ the docker hub like this:
docker run -d --restart="always" --read-only -p 8080:80 -v privatebin-data:/srv/data privatebin/nginx-fpm-alpine:1.1.1 docker run -d --restart="always" --read-only -p 8080:80 -v privatebin-data:/srv/data privatebin/nginx-fpm-alpine:1.1.1
``` ```
The parameters explained, in order of importance: The parameters in detail:
- `-v privatebin-data:/srv/data` - replace `privatebin-data` with the path to the folder on your system, where the - `-v privatebin-data:/srv/data` - replace `privatebin-data` with the path to the folder on your system, where the
pastes and other service data should be persisted. This guarantees that your pastes aren't lost after you stop pastes and other service data should be persisted. This guarantees that your pastes aren't lost after you stop
and restart the image or when you replace it. Can be skipped if you just want to test the image. and restart the image or when you replace it. May be skipped if you just want to test the image.
- `-p 8080:80` - The Nginx webserver inside the container listens on port 80, this parameter exposes it on your system - `-p 8080:80` - The Nginx webserver inside the container listens on port 80, this parameter exposes it on your system
on port 8080. Be sure to use a reverse proxy for HTTPS termination in front of it in production environments. on port 8080. Be sure to use a reverse proxy for HTTPS termination in front of it for production environments.
- `--read-only` - This image supports running in read-only mode. Using this reduces the attack surface slightly, - `--read-only` - This image supports running in read-only mode. Using this reduces the attack surface slightly,
since an exploit in one of the images services can't overwrite arbitrary files in the container. Only /tmp, /var/tmp, since an exploit in one of the images services can't overwrite arbitrary files in the container. Only /tmp, /var/tmp,
/var/run & /srv/data may be written into. /var/run & /srv/data may be written into.
- `-d` - launches the container in the background. You can use docker ps and docker logs to check if the container is - `-d` - launches the container in the background. You can use `docker ps` and `docker logs` to check if the container is
alive and well. alive and well.
- `--restart="always"` - restart the container if it crashes, mainly useful for production setups - `--restart="always"` - restart the container if it crashes, mainly useful for production setups
### Custom configuration ### Custom configuration
In case you want to use a customized [conf.php](https://github.com/PrivateBin/PrivateBin/blob/master/cfg/conf.sample.php) In case you want to use a customized [conf.php](https://github.com/PrivateBin/PrivateBin/blob/master/cfg/conf.sample.php)
file, for example one that has file uploads enabled or that uses a different template, add the file as a volume: file, for example one that has file uploads enabled or that uses a different template, add the file as a second volume:
```bash ```bash
docker run -d --restart="always" --read-only -p 8080:80 -v conf.php:/srv/cfg/conf.php:ro -v privatebin-data:/srv/data privatebin/nginx-fpm-alpine:1.1.1 docker run -d --restart="always" --read-only -p 8080:80 -v conf.php:/srv/cfg/conf.php:ro -v privatebin-data:/srv/data privatebin/nginx-fpm-alpine:1.1.1
``` ```
Note: Only the `Filesystem` data storage is supported, as the image doesn't include any PDO modules required for the Note: The `Filesystem` data storage is supported out of the box. The image includes PDO modules for MySQL and SQLite,
`Database` one. required for the `Database` one, but you still need to keep the /srv/data persisted for the server salt and the traffic
limiter.
## Rolling your own image ## Rolling your own image
To reproduce the image, just run: To reproduce the image, run:
```bash ```bash
docker build -t privatebin/nginx-fpm-alpine:1.1.1 . docker build -t privatebin/nginx-fpm-alpine .
``` ```
### Behind the scenes ### Behind the scenes
@ -58,9 +59,9 @@ docker build -t privatebin/nginx-fpm-alpine:1.1.1 .
The two processes, Nginx and php-fpm, are started by supervisord, which will also try to restart the services in case The two processes, Nginx and php-fpm, are started by supervisord, which will also try to restart the services in case
they crash. they crash.
Nginx is required to serve static files and will also cache these for a bit. Requests to the index.php (which is the Nginx is required to serve static files and caches them, too. Requests to the index.php (which is the only PHP file
only PHP file exposed in the document root at /var/www) are passed on to php-fpm via fastCGI to port 9000. All other exposed in the document root at /var/www) are passed on to php-fpm via fastCGI to port 9000. All other PHP files and
PHP files and the data are stored in /srv. the data are stored in /srv.
The Nginx setup supports only HTTP, so make sure that you run another webserver as reverse proxy in front of this for The Nginx setup supports only HTTP, so make sure that you run another webserver as reverse proxy in front of this for
HTTPS offloading and reducing the attack surface on your TLS stack. The Nginx in this image is set up to deflate/gzip HTTPS offloading and reducing the attack surface on your TLS stack. The Nginx in this image is set up to deflate/gzip