🦈🏠🐜❗ Initial Commit ❗🐜🦈🏠

files/nginx.conf

@@ -0,0 +1,102 @@
+daemon off;
+
+error_log stderr notice;
+pid /var/run/nginx/nginx.pid;
+env DB_HOST;
+env DB_NAME;
+env DB_USER;
+env DB_PASS;
+
+worker_processes  1;
+events {
+    worker_connections  1024;
+}
+
+http {
+  sendfile on;
+  include    /etc/nginx/mime.types;
+  include    /etc/nginx/fastcgi.conf;
+  default_type application/octet-stream;
+  access_log stdout;
+  tcp_nopush   on;
+  client_body_temp_path /tmp/nginx/body 1 2;
+  fastcgi_temp_path /tmp/nginx/fastcgi_temp 1 2;
+
+  log_format blocked '$time_local: Blocked request from $http_x_real_ip $request';
+
+  log_format specialLog '$http_x_real_ip - $remote_user [$time_local]  '
+                        '"$request" $status $body_bytes_sent '
+                        '"$http_referer" "$http_user_agent"';
+
+  client_max_body_size 512M;
+
+  server {
+
+    listen       80;
+
+    root /usr/html;
+    index  index.php index.html index.htm;
+    access_log stdout;
+    error_log stderr notice;
+
+    disable_symlinks off;
+
+    location = /robots.txt {
+      allow all;
+      log_not_found off;
+      access_log off;
+    }
+
+    location / {
+      try_files $uri $uri/ /index.php?$args;
+    }
+
+    location ~* /(?:uploads|files)/.*\.php$ {
+    	deny all;
+    }
+
+    location ~* \.(jpg|jpeg|gif|png|css|js|ico|xml)$ {
+        access_log        off;
+        log_not_found     off;
+        expires           360d;
+    }
+
+    location ~ [^/]\.php(/|$) {
+      fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+      if (!-f $document_root$fastcgi_script_name) {
+        return 404;
+      }
+      fastcgi_pass unix:/var/run/php-fpm.sock;
+      fastcgi_index index.php;
+      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+      include fastcgi_params;
+    }
+
+    ## Block SQL injections
+    location ~* union.*select.*\( { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
+    location ~* union.*all.*select.* { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
+    location ~* concat.*\( { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
+
+    ## Block common exploits
+    location ~* (<|%3C).*script.*(>|%3E) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
+    location ~* base64_(en|de)code\(.*\) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
+    location ~* (%24&x) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
+    location ~* (%0|%A|%B|%C|%D|%E|%F|127\.0) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
+    location ~* \.\.\/  { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
+    location ~* ~$ { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
+    location ~* proc/self/environ { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
+    location ~* /\.(htaccess|htpasswd|svn) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
+
+    ## Block file injections
+    location ~* [a-zA-Z0-9_]=(\.\.//?)+ { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
+    location ~* [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
+
+    ## wordpress security
+    location ~* wp-config.php { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
+    location ~* wp-admin/includes { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
+    location ~* wp-app\.log { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
+    location ~* (licence|readme|license)\.(html|txt) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
+
+  }
+
+}

files/php-fpm.conf

@@ -0,0 +1,34 @@
+error_log = /usr/logs/php8/php-fpm.log
+log_level = warning
+
+[www]
+user = nginx
+group = nginx
+listen = /var/run/php-fpm.sock
+listen.owner = nginx
+listen.group = nginx
+pm = ondemand
+
+; Total RAM dedicated to the web server / Max child process size
+pm.max_children = 75
+
+pm.process_idle_timeout = 10s
+pm.max_requests = 500
+chdir = /usr/html
+php_flag[display_errors] = on
+php_admin_value[memory_limit] = 128M
+php_admin_value[upload_max_filesize] = 32M
+php_admin_value[post_max_size] = 32M
+php_admin_value[output_buffering] = 0
+php_admin_value[openssl.cafile] = /etc/ssl/certs/ca-certificates.crt
+php_admin_value[openssl.capath] = /etc/ssl/certs
+php_admin_value[max_input_nesting_level] = 256
+php_admin_value[max_input_vars] = 10000
+
+catch_workers_output = yes
+
+; Database variables passed via -e argument on Docker
+env["DB_HOST"] = "$DB_HOST"
+env["DB_USER"] = "$DB_USER"
+env["DB_PASS"] = "$DB_PASS"
+env["DB_NAME"] = "$DB_NAME"

files/run.sh

@@ -0,0 +1,45 @@
+#!/bin/bash
+
+if [ "$1" = "healthcheck" ]; then
+  curl -q -SIs "http://localhost:80" | grep -qE 'HTTP/[1,2]*' &&
+    ls var/run/php-fpm.sock /var/run/mysqld/mysqld.sock /var/run/nginx/nginx.pid &>/dev/null &&
+    exit 0 || exit 1
+fi
+
+[ -f /run-pre.sh ] && /run-pre.sh
+
+if [ ! -d "/usr/html/wp-admin" ] && [ ! -f "/usr/html/wp-config.php" ]; then
+  echo "[i] Installing wordpress..."
+  cd /tmp || exit 1
+  wget https://wordpress.org/latest.tar.gz -O /tmp/latest.tar.gz &&
+    tar -xzf /tmp/latest.tar.gz &&
+    cp -Rf /tmp/wordpress/. /usr/html/ &&
+    rm -Rf /tmp/wordpress /tmp/latest.tar.gz &&
+    chown -Rf nginx:nginx /usr/html
+else
+  echo "[i] Fixing permissions..."
+  chown -R nginx:nginx /usr/html
+fi
+
+mkdir -p /usr/logs/php8
+mkdir -p /usr/logs/nginx
+mkdir -p /tmp/nginx
+
+chown -Rf nginx /tmp/nginx
+chown -Rf mysql:mysql /var/lib/mysql /run/mysqld
+
+/usr/bin/php-fpm &
+mysqld_safe --datadir=/var/lib/mysql &
+
+if [ ! -d "/var/lib/mysql/wordpress" ]; then
+  sleep 10
+  mysql -uroot -p$DB_PASS -e "CREATE DATABASE $DB_NAME"
+  mysql -uroot -p$DB_PASS -e "GRANT ALL PRIVILEGES ON $DB_NAME.* TO $DB_NAME@localhost IDENTIFIED BY '$DB_PASS'"
+fi
+
+[ -z "$DB_HOST" ] && echo "Database host: not set" || echo "Database host: $DB_HOST"
+[ -z "$DB_NAME" ] && echo "Database name: not set" || echo "Database name: $DB_NAME"
+[ -z "$DB_USER" ] && echo "Database user: not set" || echo "Database user: $DB_USER"
+[ -z "$DB_PASS" ] && echo "Database pass: not set" || echo "Database pass: $DB_PASS"
+
+nginx