From 7c5df1c10ea2bd35707632d12d99fe387116f45f Mon Sep 17 00:00:00 2001
From: Jason
Date: Fri, 24 Jun 2022 14:04:55 -0400
Subject: [PATCH] =?UTF-8?q?=20=F0=9F=A6=88=F0=9F=8F=A0=F0=9F=90=9C?= =?UTF-8?q?=E2=9D=97=20Initial=20Commit=20=E2=9D=97=F0=9F=90=9C?= =?UTF-8?q?=F0=9F=A6=88=F0=9F=8F=A0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .gitignore | 19 +++++++++
 Dockerfile | 70 +++++++++++++++++++++++++++++++
 LICENSE.md | 13 ++++++
 README.md | 43 +++++++++++++++++++
 files/nginx.conf | 102 +++++++++++++++++++++++++++++++++++++++++++++
 files/php-fpm.conf | 34 +++++++++++++++
 files/run.sh | 45 ++++++++++++++++++++
 7 files changed, 326 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 Dockerfile
 create mode 100644 LICENSE.md
 create mode 100644 README.md
 create mode 100644 files/nginx.conf
 create mode 100644 files/php-fpm.conf
 create mode 100644 files/run.sh
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..4dc77e7
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,19 @@
+# gitignore created on 06/24/22 at 14:04
+# Disable reminder in prompt
+ignoredirmessage
+
+# OS generated files
+.DS_Store
+.DS_Store?
+._*
+.Spotlight-V100
+.Trashes
+ehthumbs.db
+Thumbs.db
+
+# Other
+.installed
+
+
+# ignore commit message
+.gitcommit
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..bcfbfa0
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,70 @@ +FROM alpine:latest + +ARG BUILD_DATE +ARG VCS_REF + +LABEL maintainer="CasjaysDev " \ + alpine-version="latest" \ + nginx-version="latest" \ + php-version="latest" \ + wordpress-version="latest" \ + build="24-June-2022" \ + org.opencontainers.image.title="alpine-php-wordpress" \ + org.opencontainers.image.description="Wordpress image running on Alpine Linux" \ + org.opencontainers.image.authors="CasjaysDev " \ + org.opencontainers.image.vendor="CasjaysDev" \ + org.opencontainers.image.version="latest" \ + org.opencontainers.image.url="https://hub.docker.com/r/casjaysdev/wordpress/" \ + org.opencontainers.image.source="https://github.com/casjaysdev/wordpress" \ + org.opencontainers.image.revision=$VCS_REF \ + org.opencontainers.image.created=$BUILD_DATE + +ENV TERM="xterm" \ + DB_HOST="localhost" \ + DB_NAME="wordpress" \ + DB_USER="root"\ + DB_PASS="wordpress_pass" + +RUN apk -U upgrade && \ + apk add --no-cache bash curl less vim nginx ca-certificates git tzdata zip \ + libmcrypt-dev zlib-dev gmp-dev \ + freetype-dev libjpeg-turbo-dev libpng-dev \ + php-fpm php-json php-zlib php-xml php-xmlwriter \ + php-simplexml php-pdo php-phar php-openssl \ + php-pdo_mysql php-mysqli php-session \ + php-gd php-iconv php-gmp php-zip \ + php-curl php-opcache php-ctype \ + php-intl php-bcmath php-dom php-mbstring php-xmlreader \ + mysql-client mysql curl && \ + apk add -u musl && \ + rm -rf /var/cache/apk/* && \ + ln -sf /usr/sbin/php-fpm8 /usr/bin/php-fpm + +RUN /usr/bin/mysql_install_db --user=mysql --datadir=/var/lib/mysql && \ + sed -i 's|skip-networking|#skip-networking|g' /etc/my.cnf && \ + sed -i 's|#bind-address=.*|bind-address=127.0.0.1|g' /etc/my.cnf.d/mariadb-server.cnf && \ + sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g' /etc/php8/php.ini && \ + sed -i 's/expose_php = On/expose_php = Off/g' /etc/php8/php.ini && \ + sed -i "s/nginx:x:100:101:nginx:\/var\/lib\/nginx:\/sbin\/nologin/nginx:x:100:101:nginx:\/usr:\/bin\/bash/g" /etc/passwd && \ + sed 
-i "s/nginx:x:100:101:nginx:\/var\/lib\/nginx:\/sbin\/nologin/nginx:x:100:101:nginx:\/usr:\/bin\/bash/g" /etc/passwd- && \ + echo "mysqld_safe --datadir=/var/lib/mysql --port=3306 &" > /tmp/config && \ + echo "mysqladmin --silent --wait=30 ping || exit 1" >> /tmp/config && \ + echo "mysqladmin -u root password 'wordpress_pass'" >> /tmp/config && \ + bash /tmp/config && \ + rm -f /tmp/config + +ADD files/nginx.conf /etc/nginx/ +ADD files/php-fpm.conf /etc/php8/ +ADD files/run.sh /usr/local/bin/entrypoint-wordpress.sh +RUN chmod +x /usr/local/bin/entrypoint-wordpress.sh && \ + curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar && \ + chmod +x wp-cli.phar && \ + mv wp-cli.phar /usr/bin/wp-cli && \ + chown nginx:nginx /usr/bin/wp-cli && \ + chown -Rf mysql:mysql /var/lib/mysql /run/mysqld + +EXPOSE 80 +VOLUME ["/usr/html", "/var/lib/mysql"] + +HEALTHCHECK CMD ["usr/local/bin/entrypoint-wordpress.sh", "healthcheck"] +ENTRYPOINT ["/usr/local/bin/entrypoint-wordpress.sh"] diff --git a/LICENSE.md b/LICENSE.md new file mode 100644 index 0000000..86d4345 --- /dev/null +++ b/LICENSE.md @@ -0,0 +1,13 @@ + DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE + Version 2, December 2004 + + Copyright (C) 2022 Jason Hempstead + + Everyone is permitted to copy and distribute verbatim or modified + copies of this license document, and changing it is allowed as long + as the name is changed. + + DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 1. You just DO WHAT THE FUCK YOU WANT TO. diff --git a/README.md b/README.md new file mode 100644 index 0000000..3526d4e --- /dev/null +++ b/README.md 
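Review bot: The MariaDB root password is the literal `wordpress_pass` both in the `ENV DB_PASS` default and in the build-time `mysqladmin -u root password 'wordpress_pass'` step, so it is stored in the image layers and `docker history`, and overriding `DB_PASS` at run time will not match the root password already written into the data directory that `mysql_install_db` initialised during the build. The wp-cli fetch `curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar` has no `-f` and no integrity check, so an HTTP error body or a tampered download becomes the executable `/usr/bin/wp-cli`; `curl -fsSLO` on both the phar and the `.sha512` file the builds repo publishes next to it, followed by `sha512sum -c`, or pinning a release tag, would close that. Smaller points in the same hunk: `FROM alpine:latest` together with the `latest` version labels makes the build non-reproducible, the three `ADD` lines copy plain local files and should be `COPY`, and the `HEALTHCHECK` exec path `usr/local/bin/entrypoint-wordpress.sh` lacks its leading `/` and appears to work only because the working directory is `/`. The final stage has no `USER` directive, so nginx, php-fpm and mysqld all start under root from the entrypoint, and the `sed` on `/etc/passwd` gives the `nginx` service account a `/bin/bash` login shell it does not need.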
@@ -0,0 +1,43 @@
+# 👋 wordpress Readme 👋
+
+wordpress README
+
+## Run container
+
+### via command line
+
+```shell
+docker run -d \
+--restart always \
+--name wordpress \
+--hostname wordpress \
+-e TZ=${TIMEZONE:-America/New_York} \
+-v $PWD/wordpress/data:/var/lib/mysql \
+-v $PWD/wordpress/config:/usr/html \
+-p 80:80 \
+casjaysdev/wordpress:latest
+```
+
+### via docker-compose
+
+```yaml
+version: "2"
+services:
+ wordpress:
+ image: casjaysdev/wordpress
+ container_name: wordpress
+ environment:
+ - TZ=America/New_York
+ - HOSTNAME=wordpress
+ volumes:
+ - $HOME/.local/share/docker/storage/wordpress/data:/var/lib/mysql
+ - $HOME/.local/share/docker/storage/wordpress/config:/usr/html
+ ports:
+ - 80:80
+ restart: always
+```
+
+## Authors
+
+🤖 Casjay: [Github](https://github.com/casjay) [Docker](https://hub.docker.com/casjay) 🤖
+⛵ CasjaysDev: [Github](https://github.com/casjaysdev) [Docker](https://hub.docker.com/casjaysdev) ⛵
diff --git a/files/nginx.conf b/files/nginx.conf
new file mode 100644
index 0000000..ca37cc4
--- /dev/null
+++ b/files/nginx.conf
@@ -0,0 +1,102 @@ +daemon off; + +error_log stderr notice; +pid /var/run/nginx/nginx.pid; +env DB_HOST; +env DB_NAME; +env DB_USER; +env DB_PASS; + +worker_processes 1; +events { + worker_connections 1024; +} + +http { + sendfile on; + include /etc/nginx/mime.types; + include /etc/nginx/fastcgi.conf; + default_type application/octet-stream; + access_log stdout; + tcp_nopush on; + client_body_temp_path /tmp/nginx/body 1 2; + fastcgi_temp_path /tmp/nginx/fastcgi_temp 1 2; + + log_format blocked '$time_local: Blocked request from $http_x_real_ip $request'; + + log_format specialLog '$http_x_real_ip - $remote_user [$time_local] ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent"'; + + client_max_body_size 512M; + + server { + + listen 80; + + root /usr/html; + index index.php index.html index.htm; + access_log stdout; + error_log stderr notice; + + disable_symlinks off; + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + location / { + try_files $uri $uri/ /index.php?$args; + } + + location ~* /(?:uploads|files)/.*\.php$ { + deny all; + } + + location ~* \.(jpg|jpeg|gif|png|css|js|ico|xml)$ { + access_log off; + log_not_found off; + expires 360d; + } + + location ~ [^/]\.php(/|$) { + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + fastcgi_pass unix:/var/run/php-fpm.sock; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include fastcgi_params; + } + + ## Block SQL injections + location ~* union.*select.*\( { access_log /usr/logs/nginx/blocked.log blocked; deny all; } + location ~* union.*all.*select.* { access_log /usr/logs/nginx/blocked.log blocked; deny all; } + location ~* concat.*\( { access_log /usr/logs/nginx/blocked.log blocked; deny all; } + + ## Block common exploits + location ~* (<|%3C).*script.*(>|%3E) { access_log /usr/logs/nginx/blocked.log blocked; deny all; } + location ~* 
base64_(en|de)code\(.*\) { access_log /usr/logs/nginx/blocked.log blocked; deny all; } + location ~* (%24&x) { access_log /usr/logs/nginx/blocked.log blocked; deny all; } + location ~* (%0|%A|%B|%C|%D|%E|%F|127\.0) { access_log /usr/logs/nginx/blocked.log blocked; deny all; } + location ~* \.\.\/ { access_log /usr/logs/nginx/blocked.log blocked; deny all; } + location ~* ~$ { access_log /usr/logs/nginx/blocked.log blocked; deny all; } + location ~* proc/self/environ { access_log /usr/logs/nginx/blocked.log blocked; deny all; } + location ~* /\.(htaccess|htpasswd|svn) { access_log /usr/logs/nginx/blocked.log blocked; deny all; } + + ## Block file injections + location ~* [a-zA-Z0-9_]=(\.\.//?)+ { access_log /usr/logs/nginx/blocked.log blocked; deny all; } + location ~* [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ { access_log /usr/logs/nginx/blocked.log blocked; deny all; } + + ## wordpress security + location ~* wp-config.php { access_log /usr/logs/nginx/blocked.log blocked; deny all; } + location ~* wp-admin/includes { access_log /usr/logs/nginx/blocked.log blocked; deny all; } + location ~* wp-app\.log { access_log /usr/logs/nginx/blocked.log blocked; deny all; } + location ~* (licence|readme|license)\.(html|txt) { access_log /usr/logs/nginx/blocked.log blocked; deny all; } + + } + +} diff --git a/files/php-fpm.conf b/files/php-fpm.conf new file mode 100644 index 0000000..66b260a --- /dev/null +++ b/files/php-fpm.conf 
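Review bot: Several of the `deny all` locations under `## wordpress security` are unreachable: nginx tests regex locations in file order and takes the first match, and `location ~ [^/]\.php(/|$)` comes earlier in this server block, so `/wp-config.php` or `/wp-admin/includes/x.php` is handed to php-fpm before `location ~* wp-config.php` and `location ~* wp-admin/includes` are considered. Moving those deny blocks above the PHP handler, or using prefix/exact matches such as `location ^~ /wp-admin/includes/ { deny all; }` and `location = /wp-config.php { deny all; }`, makes them effective. Location matching also runs on the normalised, percent-decoded URI, so the `%3C`, `%24`, `%0|%A|%B|%C|%D|%E|%F` and `\.\.\/` alternatives in the block rules never match and only the decoded forms can; a comment stating that, or dropping the encoded alternatives, would stop readers relying on them. `location ~* ~$` denies any URI ending in `~`, which is broader than the editor-backup files it presumably targets, and `/\.(htaccess|htpasswd|svn)` leaves other dotfile directories such as `.git` uncovered if they ever land under `/usr/html`.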
@@ -0,0 +1,34 @@
+error_log = /usr/logs/php8/php-fpm.log
+log_level = warning
+
+[www]
+user = nginx
+group = nginx
+listen = /var/run/php-fpm.sock
+listen.owner = nginx
+listen.group = nginx
+pm = ondemand
+
+; Total RAM dedicated to the web server / Max child process size
+pm.max_children = 75
+
+pm.process_idle_timeout = 10s
+pm.max_requests = 500
+chdir = /usr/html
+php_flag[display_errors] = on
+php_admin_value[memory_limit] = 128M
+php_admin_value[upload_max_filesize] = 32M
+php_admin_value[post_max_size] = 32M
+php_admin_value[output_buffering] = 0
+php_admin_value[openssl.cafile] = /etc/ssl/certs/ca-certificates.crt
+php_admin_value[openssl.capath] = /etc/ssl/certs
+php_admin_value[max_input_nesting_level] = 256
+php_admin_value[max_input_vars] = 10000
+
+catch_workers_output = yes
+
+; Database variables passed via -e argument on Docker
+env["DB_HOST"] = "$DB_HOST"
+env["DB_USER"] = "$DB_USER"
+env["DB_PASS"] = "$DB_PASS"
+env["DB_NAME"] = "$DB_NAME"
diff --git a/files/run.sh b/files/run.sh
new file mode 100644
index 0000000..e4ed7c0
--- /dev/null
+++ b/files/run.sh
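Review bot: `php_flag[display_errors] = on` sends PHP warnings and fatal errors, including file paths and database connection failures, to the HTTP client, which is an information-disclosure risk for an image that serves port 80 directly; `php_flag[display_errors] = off` together with `php_admin_flag[log_errors] = on` keeps them in `/usr/logs/php8/php-fpm.log`, where `catch_workers_output = yes` already routes worker output. The comment above `pm.max_children = 75` says the value is total RAM divided by child size, but with `memory_limit` at 128M that works out to roughly 9.6 GB, so either the number or the comment deserves a second look. The `env["DB_*"]` block passes the database password into every worker's environment; that is required for WordPress, but a comment noting that `phpinfo()` and error dumps would expose it is worth adding next to it.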
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+if [ "$1" = "healthcheck" ]; then
+ curl -q -SIs "http://localhost:80" | grep -qE 'HTTP/[1,2]*' &&
+ ls var/run/php-fpm.sock /var/run/mysqld/mysqld.sock /var/run/nginx/nginx.pid &>/dev/null &&
+ exit 0 || exit 1
+fi
+
+[ -f /run-pre.sh ] && /run-pre.sh
+
+if [ ! -d "/usr/html/wp-admin" ] && [ ! -f "/usr/html/wp-config.php" ]; then
+ echo "[i] Installing wordpress..."
+ cd /tmp || exit 1
+ wget https://wordpress.org/latest.tar.gz -O /tmp/latest.tar.gz &&
+ tar -xzf /tmp/latest.tar.gz &&
+ cp -Rf /tmp/wordpress/. /usr/html/ &&
+ rm -Rf /tmp/wordpress /tmp/latest.tar.gz &&
+ chown -Rf nginx:nginx /usr/html
+else
+ echo "[i] Fixing permissions..."
+ chown -R nginx:nginx /usr/html
+fi
+
+mkdir -p /usr/logs/php8
+mkdir -p /usr/logs/nginx
+mkdir -p /tmp/nginx
+
+chown -Rf nginx /tmp/nginx
+chown -Rf mysql:mysql /var/lib/mysql /run/mysqld
+
+/usr/bin/php-fpm &
+mysqld_safe --datadir=/var/lib/mysql &
+
+if [ ! -d "/var/lib/mysql/wordpress" ]; then
+ sleep 10
+ mysql -uroot -p$DB_PASS -e "CREATE DATABASE $DB_NAME"
+ mysql -uroot -p$DB_PASS -e "GRANT ALL PRIVILEGES ON $DB_NAME.* TO $DB_NAME@localhost IDENTIFIED BY '$DB_PASS'"
+fi
+
+[ -z "$DB_HOST" ] && echo "Database host: not set" || echo "Database host: $DB_HOST"
+[ -z "$DB_NAME" ] && echo "Database name: not set" || echo "Database name: $DB_NAME"
+[ -z "$DB_USER" ] && echo "Database user: not set" || echo "Database user: $DB_USER"
+[ -z "$DB_PASS" ] && echo "Database pass: not set" || echo "Database pass: $DB_PASS"
+
+nginx
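Review bot: The database bootstrap grants access to `$DB_NAME@localhost` instead of `$DB_USER`, so the account that php-fpm hands to WordPress via `DB_USER` is never created, the guard tests the hard-coded `/var/lib/mysql/wordpress` rather than `$DB_NAME`, and every expansion in the two `mysql` lines is unquoted, so a name or password containing spaces or shell metacharacters breaks the statement. The script also prints `Database pass: $DB_PASS` to stdout, which ends up in `docker logs`, and passes the password as `-p$DB_PASS` on the command line where it is visible in the process list; setting `MYSQL_PWD` for the two client calls and dropping that echo avoids both. `sleep 10` is a race against `mysqld_safe` coming up; the Dockerfile already uses `mysqladmin --silent --wait=30 ping` for the same purpose, and the script should do the same. The final `nginx` is not `exec`'d, so bash stays PID 1 and `docker stop` signals are not forwarded to nginx, and the healthcheck's `ls var/run/php-fpm.sock` is missing its leading `/`. The first-start `wget https://wordpress.org/latest.tar.gz` is likewise unpinned and unverified; wordpress.org publishes a `.sha1` beside the tarball that could be checked before extraction.
```shell
# … unchanged: healthcheck branch, WordPress install, log directories, service start …
if [ ! -d "/var/lib/mysql/$DB_NAME" ]; then
  mysqladmin --silent --wait=30 ping || exit 1
  MYSQL_PWD="$DB_PASS" mysql -uroot -e "CREATE DATABASE IF NOT EXISTS \`$DB_NAME\`"
  MYSQL_PWD="$DB_PASS" mysql -uroot -e "GRANT ALL PRIVILEGES ON \`$DB_NAME\`.* TO '$DB_USER'@'localhost' IDENTIFIED BY '$DB_PASS'"
fi
# … unchanged: host/name/user echo lines (password echo removed) …
exec nginx
```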