From 60ea64a7dbc44112e3f65269d99b5b55da8463f1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Th=C3=A9otime=20L=C3=A9v=C3=AAque?= Date: Fri, 22 Dec 2023 15:18:46 +0100 Subject: [PATCH 1/7] feat(config): move apache2 configuration from runtime to build time This commit is the first of a PR that will aim at dropping requirement to run containers with root permissions. This commit leverages PassEnv rather than sed & dynamic environment substitution in the config files. --- Dockerfile | 3 + configs/apache2/httpd.conf | 489 +++++++++++++++++++++++++++++++++++++ configs/apache2/ssl.conf | 300 +++++++++++++++++++++++ docker-entrypoint.sh | 29 --- 4 files changed, 792 insertions(+), 29 deletions(-) create mode 100644 configs/apache2/httpd.conf create mode 100644 configs/apache2/ssl.conf diff --git a/Dockerfile b/Dockerfile index 77d34ce..11f69a9 100644 --- a/Dockerfile +++ b/Dockerfile @@ -38,6 +38,9 @@ RUN apk --no-cache --update \ && mkdir /htdocs COPY linkstack /htdocs +COPY configs/apache2/httpd.conf /etc/apache2/httpd.conf +COPY configs/apache2/ssl.conf /etc/apache2/conf.d/ssl.conf + RUN chown -R apache:apache /htdocs RUN find /htdocs -type d -print0 | xargs -0 chmod 0755 RUN find /htdocs -type f -print0 | xargs -0 chmod 0644 diff --git a/configs/apache2/httpd.conf b/configs/apache2/httpd.conf new file mode 100644 index 0000000..07611bf --- /dev/null +++ b/configs/apache2/httpd.conf @@ -0,0 +1,489 @@ +# +# This is the main Apache HTTP server configuration file. It contains the +# configuration directives that give the server its instructions. +# See for detailed information. +# In particular, see +# +# for a discussion of each configuration directive. +# +# Do NOT simply read the instructions in here without understanding +# what they do. They're here only as hints or reminders. If you are unsure +# consult the online docs. You have been warned. +# +# Configuration and logfile names: If the filenames you specify for many +# of the server's control files begin with "/" (or "drive:/" for Win32), the +# server will use that explicit path. If the filenames do *not* begin +# with "/", the value of ServerRoot is prepended -- so "logs/access_log" +# with ServerRoot set to "/usr/local/apache2" will be interpreted by the +# server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log" +# will be interpreted as '/logs/access_log'. + +# +# ServerTokens +# This directive configures what you return as the Server HTTP response +# Header. The default is 'Full' which sends information about the OS-Type +# and compiled in modules. +# Set to one of: Full | OS | Minor | Minimal | Major | Prod +# where Full conveys the most information, and Prod the least. +# +ServerTokens OS + +# +# ServerRoot: The top of the directory tree under which the server's +# configuration, error, and log files are kept. +# +# Do not add a slash at the end of the directory path. If you point +# ServerRoot at a non-local disk, be sure to specify a local disk on the +# Mutex directive, if file-based mutexes are used. If you wish to share the +# same ServerRoot for multiple httpd daemons, you will need to change at +# least PidFile. +# +ServerRoot /var/www + +# +# Mutex: Allows you to set the mutex mechanism and mutex file directory +# for individual mutexes, or change the global defaults +# +# Uncomment and change the directory if mutexes are file-based and the default +# mutex file directory is not on a local disk or is not appropriate for some +# other reason. +# +# Mutex default:/run/apache2 + +# +# Listen: Allows you to bind Apache to specific IP addresses and/or +# ports, instead of the default. See also the +# directive. +# +# Change this to Listen on specific IP addresses as shown below to +# prevent Apache from glomming onto all bound IP addresses. +# +#Listen 12.34.56.78:80 +Listen 80 + +# +# Dynamic Shared Object (DSO) Support +# +# To be able to use the functionality of a module which was built as a DSO you +# have to place corresponding `LoadModule' lines at this location so the +# directives contained in it are actually available _before_ they are used. +# Statically compiled modules (those listed by `httpd -l') do not need +# to be loaded here. +# +# Example: +# LoadModule foo_module modules/mod_foo.so +# +#LoadModule mpm_event_module modules/mod_mpm_event.so +LoadModule mpm_prefork_module modules/mod_mpm_prefork.so +#LoadModule mpm_worker_module modules/mod_mpm_worker.so +LoadModule authn_file_module modules/mod_authn_file.so +#LoadModule authn_dbm_module modules/mod_authn_dbm.so +#LoadModule authn_anon_module modules/mod_authn_anon.so +#LoadModule authn_dbd_module modules/mod_authn_dbd.so +#LoadModule authn_socache_module modules/mod_authn_socache.so +LoadModule authn_core_module modules/mod_authn_core.so +LoadModule authz_host_module modules/mod_authz_host.so +LoadModule authz_groupfile_module modules/mod_authz_groupfile.so +LoadModule authz_user_module modules/mod_authz_user.so +#LoadModule authz_dbm_module modules/mod_authz_dbm.so +#LoadModule authz_owner_module modules/mod_authz_owner.so +#LoadModule authz_dbd_module modules/mod_authz_dbd.so +LoadModule authz_core_module modules/mod_authz_core.so +LoadModule access_compat_module modules/mod_access_compat.so +LoadModule auth_basic_module modules/mod_auth_basic.so +#LoadModule auth_form_module modules/mod_auth_form.so +#LoadModule auth_digest_module modules/mod_auth_digest.so +#LoadModule allowmethods_module modules/mod_allowmethods.so +#LoadModule file_cache_module modules/mod_file_cache.so +#LoadModule cache_module modules/mod_cache.so +#LoadModule cache_disk_module modules/mod_cache_disk.so +#LoadModule cache_socache_module modules/mod_cache_socache.so +#LoadModule socache_shmcb_module modules/mod_socache_shmcb.so +#LoadModule socache_dbm_module modules/mod_socache_dbm.so +#LoadModule socache_memcache_module modules/mod_socache_memcache.so +#LoadModule socache_redis_module modules/mod_socache_redis.so +#LoadModule watchdog_module modules/mod_watchdog.so +#LoadModule macro_module modules/mod_macro.so +#LoadModule dbd_module modules/mod_dbd.so +#LoadModule dumpio_module modules/mod_dumpio.so +#LoadModule echo_module modules/mod_echo.so +#LoadModule buffer_module modules/mod_buffer.so +#LoadModule data_module modules/mod_data.so +#LoadModule ratelimit_module modules/mod_ratelimit.so +LoadModule reqtimeout_module modules/mod_reqtimeout.so +#LoadModule ext_filter_module modules/mod_ext_filter.so +#LoadModule request_module modules/mod_request.so +#LoadModule include_module modules/mod_include.so +LoadModule filter_module modules/mod_filter.so +#LoadModule reflector_module modules/mod_reflector.so +#LoadModule substitute_module modules/mod_substitute.so +#LoadModule sed_module modules/mod_sed.so +#LoadModule charset_lite_module modules/mod_charset_lite.so +LoadModule deflate_module modules/mod_deflate.so +#LoadModule brotli_module modules/mod_brotli.so +LoadModule mime_module modules/mod_mime.so +LoadModule log_config_module modules/mod_log_config.so +#LoadModule log_debug_module modules/mod_log_debug.so +#LoadModule log_forensic_module modules/mod_log_forensic.so +LoadModule logio_module modules/mod_logio.so +LoadModule env_module modules/mod_env.so +#LoadModule mime_magic_module modules/mod_mime_magic.so +LoadModule expires_module modules/mod_expires.so +LoadModule headers_module modules/mod_headers.so +#LoadModule usertrack_module modules/mod_usertrack.so +#LoadModule unique_id_module modules/mod_unique_id.so +LoadModule setenvif_module modules/mod_setenvif.so +LoadModule version_module modules/mod_version.so +#LoadModule remoteip_module modules/mod_remoteip.so +#LoadModule session_module modules/mod_session.so +#LoadModule session_cookie_module modules/mod_session_cookie.so +#LoadModule session_crypto_module modules/mod_session_crypto.so +#LoadModule session_dbd_module modules/mod_session_dbd.so +#LoadModule slotmem_shm_module modules/mod_slotmem_shm.so +#LoadModule slotmem_plain_module modules/mod_slotmem_plain.so +#LoadModule dialup_module modules/mod_dialup.so +#LoadModule http2_module modules/mod_http2.so +LoadModule unixd_module modules/mod_unixd.so +#LoadModule heartbeat_module modules/mod_heartbeat.so +#LoadModule heartmonitor_module modules/mod_heartmonitor.so +LoadModule status_module modules/mod_status.so +LoadModule autoindex_module modules/mod_autoindex.so +#LoadModule asis_module modules/mod_asis.so +#LoadModule info_module modules/mod_info.so +#LoadModule suexec_module modules/mod_suexec.so + + #LoadModule cgid_module modules/mod_cgid.so + + + #LoadModule cgi_module modules/mod_cgi.so + +#LoadModule vhost_alias_module modules/mod_vhost_alias.so +#LoadModule negotiation_module modules/mod_negotiation.so +LoadModule dir_module modules/mod_dir.so +#LoadModule actions_module modules/mod_actions.so +#LoadModule speling_module modules/mod_speling.so +#LoadModule userdir_module modules/mod_userdir.so +LoadModule alias_module modules/mod_alias.so +LoadModule rewrite_module modules/mod_rewrite.so + +LoadModule negotiation_module modules/mod_negotiation.so + + +# +# If you wish httpd to run as a different user or group, you must run +# httpd as root initially and it will switch. +# +# User/Group: The name (or #number) of the user/group to run httpd as. +# It is usually good practice to create a dedicated user and group for +# running httpd, as with most system services. +# +User apache +Group apache + + + +# 'Main' server configuration +# +# The directives in this section set up the values used by the 'main' +# server, which responds to any requests that aren't handled by a +# definition. These values also provide defaults for +# any containers you may define later in the file. +# +# All of these directives may appear inside containers, +# in which case these default settings will be overridden for the +# virtual host being defined. +# + +# +# ServerAdmin: Your address, where problems with the server should be +# e-mailed. This address appears on some server-generated pages, such +# as error documents. e.g. admin@your-domain.com +# +PassEnv SERVER_ADMIN +ServerAdmin ${SERVER_ADMIN} + +# +# Optionally add a line containing the server version and virtual host +# name to server-generated pages (internal error documents, FTP directory +# listings, mod_status and mod_info output etc., but not CGI generated +# documents or custom error documents). +# Set to "EMail" to also include a mailto: link to the ServerAdmin. +# Set to one of: On | Off | EMail +# +ServerSignature On + +# +# ServerName gives the name and port that the server uses to identify itself. +# This can often be determined automatically, but we recommend you specify +# it explicitly to prevent problems during startup. +# +# If your host doesn't have a registered DNS name, enter its IP address here. +# +PassEnv HTTP_SERVER_NAME +ServerName ${HTTP_SERVER_NAME} + +# +# Deny access to the entirety of your server's filesystem. You must +# explicitly permit access to web content directories in other +# blocks below. +# + + AllowOverride none + Require all denied + + +# +# Note that from this point forward you must specifically allow +# particular features to be enabled - so if something's not working as +# you might expect, make sure that you have specifically enabled it +# below. +# + +# +# DocumentRoot: The directory out of which you will serve your +# documents. By default, all requests are taken from this directory, but +# symbolic links and aliases may be used to point to other locations. +# +DocumentRoot "/htdocs" + + # + # Possible values for the Options directive are "None", "All", + # or any combination of: + # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews + # + # Note that "MultiViews" must be named *explicitly* --- "Options All" + # doesn't give it to you. + # + # The Options directive is both complicated and important. Please see + # http://httpd.apache.org/docs/2.4/mod/core.html#options + # for more information. + # + Options Indexes FollowSymLinks + + # + # AllowOverride controls what directives may be placed in .htaccess files. + # It can be "All", "None", or any combination of the keywords: + # AllowOverride FileInfo AuthConfig Limit + # + AllowOverride All + + # + # Controls who can get stuff from this server. + # + Require all granted + + +# +# DirectoryIndex: sets the file that Apache will serve if a directory +# is requested. +# + + DirectoryIndex index.html + + +# +# The following lines prevent .htaccess and .htpasswd files from being +# viewed by Web clients. +# + + Require all denied + + +# +# ErrorLog: The location of the error log file. +# If you do not specify an ErrorLog directive within a +# container, error messages relating to that virtual host will be +# logged here. If you *do* define an error logfile for a +# container, that host's errors will be logged there and not here. +# +ErrorLog /dev/stderr + +# +# LogLevel: Control the number of messages logged to the error_log. +# Possible values include: debug, info, notice, warn, error, crit, +# alert, emerg. +# +PassEnv LOG_LEVEL +LogLevel ${LOG_LEVEL} + + + # + # The following directives define some format nicknames for use with + # a CustomLog directive (see below). + # + LogFormat "[%{%a %b %d %H:%M:%S}t.%{usec_frac}t %{%Y}t] [httpd.conf] %h %l %u \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined + LogFormat "[%{%a %b %d %H:%M:%S}t.%{usec_frac}t %{%Y}t] [httpd.conf] %h %l %u \"%r\" %>s %b" common + + + # You need to enable mod_logio.c to use %I and %O + LogFormat "[%{%a %b %d %H:%M:%S}t.%{usec_frac}t %{%Y}t] [httpd.conf] %h %l %u \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio + + + # + # The location and format of the access logfile (Common Logfile Format). + # If you do not define any access logfiles within a + # container, they will be logged here. Contrariwise, if you *do* + # define per- access logfiles, transactions will be + # logged therein and *not* in this file. + # + #CustomLog logs/access.log common + + # + # If you prefer a logfile with access, agent, and referer information + # (Combined Logfile Format) you can use the following directive. + # + BrowserMatchNoCase ^healthcheck nolog + + CustomLog /dev/stdout combinedio env=!nolog + + + + + # + # Redirect: Allows you to tell clients about documents that used to + # exist in your server's namespace, but do not anymore. The client + # will make a new request for the document at its new location. + # Example: + # Redirect permanent /foo http://www.example.com/bar + + # + # Alias: Maps web paths into filesystem paths and is used to + # access content that does not live under the DocumentRoot. + # Example: + # Alias /webpath /full/filesystem/path + # + # If you include a trailing / on /webpath then the server will + # require it to be present in the URL. You will also likely + # need to provide a section to allow access to + # the filesystem path. + + # + # ScriptAlias: This controls which directories contain server scripts. + # ScriptAliases are essentially the same as Aliases, except that + # documents in the target directory are treated as applications and + # run by the server when requested rather than as documents sent to the + # client. The same rules about trailing "/" apply to ScriptAlias + # directives as to Alias. + # + ScriptAlias /cgi-bin/ "/var/www/localhost/cgi-bin/" + + + + + # + # ScriptSock: On threaded servers, designate the path to the UNIX + # socket used to communicate with the CGI daemon of mod_cgid. + # + #Scriptsock cgisock + + +# +# "/var/www/localhost/cgi-bin" should be changed to whatever your ScriptAliased +# CGI directory exists, if you have that configured. +# + + AllowOverride All + Options None + Require all granted + + + + # + # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied + # backend servers which have lingering "httpoxy" defects. + # 'Proxy' request header is undefined by the IETF, not listed by IANA + # + RequestHeader unset Proxy early + + + + # + # TypesConfig points to the file containing the list of mappings from + # filename extension to MIME-type. + # + TypesConfig /etc/apache2/mime.types + + # + # AddType allows you to add to or override the MIME configuration + # file specified in TypesConfig for specific file types. + # + #AddType application/x-gzip .tgz + # + # AddEncoding allows you to have certain browsers uncompress + # information on the fly. Note: Not all browsers support this. + # + #AddEncoding x-compress .Z + #AddEncoding x-gzip .gz .tgz + # + # If the AddEncoding directives above are commented-out, then you + # probably should define those extensions to indicate media types: + # + AddType application/x-compress .Z + AddType application/x-gzip .gz .tgz + + # + # AddHandler allows you to map certain file extensions to "handlers": + # actions unrelated to filetype. These can be either built into the server + # or added with the Action directive (see below) + # + # To use CGI scripts outside of ScriptAliased directories: + # (You will also need to add "ExecCGI" to the "Options" directive.) + # + #AddHandler cgi-script .cgi + + # For type maps (negotiated resources): + #AddHandler type-map var + + # + # Filters allow you to process content before it is sent to the client. + # + # To parse .shtml files for server-side includes (SSI): + # (You will also need to add "Includes" to the "Options" directive.) + # + #AddType text/html .shtml + #AddOutputFilter INCLUDES .shtml + + +# +# The mod_mime_magic module allows the server to use various hints from the +# contents of the file itself to determine its type. The MIMEMagicFile +# directive tells the module where the hint definitions are located. +# + + MIMEMagicFile /etc/apache2/magic + + +# +# Customizable error responses come in three flavors: +# 1) plain text 2) local redirects 3) external redirects +# +# Some examples: +#ErrorDocument 500 "The server made a boo boo." +#ErrorDocument 404 /missing.html +#ErrorDocument 404 "/cgi-bin/missing_handler.pl" +#ErrorDocument 402 http://www.example.com/subscription_info.html +# + +# +# MaxRanges: Maximum number of Ranges in a request before +# returning the entire resource, or one of the special +# values 'default', 'none' or 'unlimited'. +# Default setting is to accept 200 Ranges. +#MaxRanges unlimited + +# +# EnableMMAP and EnableSendfile: On systems that support it, +# memory-mapping or the sendfile syscall may be used to deliver +# files. This usually improves server performance, but must +# be turned off when serving from networked-mounted +# filesystems or if support for these functions is otherwise +# broken on your system. +# Defaults: EnableMMAP On, EnableSendfile Off +# +#EnableMMAP off +#EnableSendfile on + +# Load config files from the config directory "/etc/apache2/conf.d". +# +IncludeOptional /etc/apache2/conf.d/*.conf +AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/javascript application/json diff --git a/configs/apache2/ssl.conf b/configs/apache2/ssl.conf new file mode 100644 index 0000000..fe18523 --- /dev/null +++ b/configs/apache2/ssl.conf @@ -0,0 +1,300 @@ +# +# This is the Apache server configuration file providing SSL support. +# It contains the configuration directives to instruct the server how to +# serve pages over an https connection. For detailed information about these +# directives see +# +# Do NOT simply read the instructions in here without understanding +# what they do. They're here only as hints or reminders. If you are unsure +# consult the online docs. You have been warned. +# +# Required modules: mod_log_config, mod_setenvif, mod_ssl, +# socache_shmcb_module (for default value of SSLSessionCache) +LoadModule ssl_module modules/mod_ssl.so +LoadModule socache_shmcb_module modules/mod_socache_shmcb.so + +# +# Pseudo Random Number Generator (PRNG): +# Configure one or more sources to seed the PRNG of the SSL library. +# The seed data should be of good random quality. +# WARNING! On some platforms /dev/random blocks if not enough entropy +# is available. This means you then cannot use the /dev/random device +# because it would lead to very long connection times (as long as +# it requires to make more entropy available). But usually those +# platforms additionally provide a /dev/urandom device which doesn't +# block. So, if available, use this one instead. Read the mod_ssl User +# Manual for more details. +# +#SSLRandomSeed startup file:/dev/random 512 +SSLRandomSeed startup file:/dev/urandom 512 +SSLRandomSeed connect builtin +#SSLRandomSeed connect file:/dev/random 512 +#SSLRandomSeed connect file:/dev/urandom 512 + + +# +# When we also provide SSL we have to listen to the +# standard HTTP port (see above) and to the HTTPS port +# +Listen 443 + +## +## SSL Global Context +## +## All SSL configuration in this context applies both to +## the main server and all SSL-enabled virtual hosts. +## + +# SSL Cipher Suite: +# List the ciphers that the client is permitted to negotiate, +# and that httpd will negotiate as the client of a proxied server. +# See the OpenSSL documentation for a complete list of ciphers, and +# ensure these follow appropriate best practices for this deployment. +# httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers, +# while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a. +SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES:!ADH +SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES:!ADH + +# By the end of 2016, only TLSv1.2 ciphers should remain in use. +# Older ciphers should be disallowed as soon as possible, while the +# kRSA ciphers do not offer forward secrecy. These changes inhibit +# older clients (such as IE6 SP2 or IE8 on Windows XP, or other legacy +# non-browser tooling) from successfully connecting. +# +# To restrict mod_ssl to use only TLSv1.2 ciphers, and disable +# those protocols which do not support forward secrecy, replace +# the SSLCipherSuite and SSLProxyCipherSuite directives above with +# the following two directives, as soon as practical. +# SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA +# SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA + +# User agents such as web browsers are not configured for the user's +# own preference of either security or performance, therefore this +# must be the prerogative of the web server administrator who manages +# cpu load versus confidentiality, so enforce the server's cipher order. +SSLHonorCipherOrder on + +# SSL Protocol support: +# List the protocol versions which clients are allowed to connect with. +# Disable SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0) should be +# disabled as quickly as practical. By the end of 2016, only the TLSv1.2 +# protocol or later should remain in use. +SSLProtocol all -SSLv3 +SSLProxyProtocol all -SSLv3 + +# Pass Phrase Dialog: +# Configure the pass phrase gathering process. +# The filtering dialog program (`builtin' is an internal +# terminal dialog) has to provide the pass phrase on stdout. +SSLPassPhraseDialog builtin + +# Inter-Process Session Cache: +# Configure the SSL Session Cache: First the mechanism +# to use and second the expiring timeout (in seconds). +#SSLSessionCache "dbm:/run/apache2/ssl_scache" +SSLSessionCache "shmcb:/var/cache/mod_ssl/scache(512000)" +SSLSessionCacheTimeout 300 + +# OCSP Stapling (requires OpenSSL 0.9.8h or later) +# +# This feature is disabled by default and requires at least +# the two directives SSLUseStapling and SSLStaplingCache. +# Refer to the documentation on OCSP Stapling in the SSL/TLS +# How-To for more information. +# +# Enable stapling for all SSL-enabled servers: +#SSLUseStapling On + +# Define a relatively small cache for OCSP Stapling using +# the same mechanism that is used for the SSL session cache +# above. If stapling is used with more than a few certificates, +# the size may need to be increased. (AH01929 will be logged.) +#SSLStaplingCache "shmcb:/run/apache2/ssl_stapling(32768)" + +# Seconds before valid OCSP responses are expired from the cache +#SSLStaplingStandardCacheTimeout 3600 + +# Seconds before invalid OCSP responses are expired from the cache +#SSLStaplingErrorCacheTimeout 600 + +## +## SSL Virtual Host Context +## + + + +# General setup for the virtual host +DocumentRoot "/htdocs" +PassEnv HTTP_SERVER_NAME +ServerName ${HTTP_SERVER_NAME} + +PassEnv SERVER_ADMIN +ServerAdmin ${SERVER_ADMIN} + +ErrorLog /dev/stderr +#TransferLog "logs/ssl-transfer.log" +PassEnv LOG_LEVEL +LogLevel ${LOG_LEVEL} + +# SSL Engine Switch: +# Enable/Disable SSL for this virtual host. +SSLEngine on + +# Server Certificate: +# Point SSLCertificateFile at a PEM encoded certificate. If +# the certificate is encrypted, then you will be prompted for a +# pass phrase. Note that a kill -HUP will prompt again. Keep +# in mind that if you have both an RSA and a DSA certificate you +# can configure both in parallel (to also allow the use of DSA +# ciphers, etc.) +# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt) +# require an ECC certificate which can also be configured in +# parallel. +SSLCertificateFile /etc/ssl/apache2/server.pem +#SSLCertificateFile /etc/ssl/apache2/server-dsa.pem +#SSLCertificateFile /etc/ssl/apache2/server-ecc.pem + +# Server Private Key: +# If the key is not combined with the certificate, use this +# directive to point at the key file. Keep in mind that if +# you've both a RSA and a DSA private key you can configure +# both in parallel (to also allow the use of DSA ciphers, etc.) +# ECC keys, when in use, can also be configured in parallel +SSLCertificateKeyFile /etc/ssl/apache2/server.key +#SSLCertificateKeyFile /etc/ssl/apache2/server-dsa.key +#SSLCertificateKeyFile /etc/ssl/apache2/server-ecc.key + +# Server Certificate Chain: +# Point SSLCertificateChainFile at a file containing the +# concatenation of PEM encoded CA certificates which form the +# certificate chain for the server certificate. Alternatively +# the referenced file can be the same as SSLCertificateFile +# when the CA certificates are directly appended to the server +# certificate for convenience. +#SSLCertificateChainFile /etc/ssl/apache2/server-ca.pem + +# Certificate Authority (CA): +# Set the CA certificate verification path where to find CA +# certificates for client authentication or alternatively one +# huge file containing all of them (file must be PEM encoded) +# Note: Inside SSLCACertificatePath you need hash symlinks +# to point to the certificate files. Use the provided +# Makefile to update the hash symlinks after changes. +#SSLCACertificatePath /etc/ssl/apache2/ssl.crt +#SSLCACertificateFile /etc/ssl/apache2/ssl.crt/ca-bundle.pem + +# Certificate Revocation Lists (CRL): +# Set the CA revocation path where to find CA CRLs for client +# authentication or alternatively one huge file containing all +# of them (file must be PEM encoded). +# The CRL checking mode needs to be configured explicitly +# through SSLCARevocationCheck (defaults to "none" otherwise). +# Note: Inside SSLCARevocationPath you need hash symlinks +# to point to the certificate files. Use the provided +# Makefile to update the hash symlinks after changes. +#SSLCARevocationPath /etc/ssl/apache2/ssl.crl +#SSLCARevocationFile /etc/ssl/apache2/ssl.crl/ca-bundle.crl +#SSLCARevocationCheck chain + +# Client Authentication (Type): +# Client certificate verification type and depth. Types are +# none, optional, require and optional_no_ca. Depth is a +# number which specifies how deeply to verify the certificate +# issuer chain before deciding the certificate is not valid. +#SSLVerifyClient require +#SSLVerifyDepth 10 + +# TLS-SRP mutual authentication: +# Enable TLS-SRP and set the path to the OpenSSL SRP verifier +# file (containing login information for SRP user accounts). +# Requires OpenSSL 1.0.1 or newer. See the mod_ssl FAQ for +# detailed instructions on creating this file. Example: +# "openssl srp -srpvfile /etc/apache2/passwd.srpv -add username" +#SSLSRPVerifierFile "/etc/apache2/passwd.srpv" + +# Access Control: +# With SSLRequire you can do per-directory access control based +# on arbitrary complex boolean expressions containing server +# variable checks and other lookup directives. The syntax is a +# mixture between C and Perl. See the mod_ssl documentation +# for more details. +# +#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ +# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ +# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ +# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ +# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ +# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ +# + +# SSL Engine Options: +# Set various options for the SSL engine. +# o FakeBasicAuth: +# Translate the client X.509 into a Basic Authorisation. This means that +# the standard Auth/DBMAuth methods can be used for access control. The +# user name is the `one line' version of the client's X.509 certificate. +# Note that no password is obtained from the user. Every entry in the user +# file needs this password: `xxj31ZMTZzkVA'. +# o ExportCertData: +# This exports two additional environment variables: SSL_CLIENT_CERT and +# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the +# server (always existing) and the client (only existing when client +# authentication is used). This can be used to import the certificates +# into CGI scripts. +# o StdEnvVars: +# This exports the standard SSL/TLS related `SSL_*' environment variables. +# Per default this exportation is switched off for performance reasons, +# because the extraction step is an expensive operation and is usually +# useless for serving static content. So one usually enables the +# exportation for CGI and SSI requests only. +# o StrictRequire: +# This denies access when "SSLRequireSSL" or "SSLRequire" applied even +# under a "Satisfy any" situation, i.e. when it applies access is denied +# and no other module can change it. +# o OptRenegotiate: +# This enables optimized SSL connection renegotiation handling when SSL +# directives are used in per-directory context. +#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire + + SSLOptions +StdEnvVars + + + SSLOptions +StdEnvVars + + +# SSL Protocol Adjustments: +# The safe and default but still SSL/TLS standard compliant shutdown +# approach is that mod_ssl sends the close notify alert but doesn't wait for +# the close notify alert from client. When you need a different shutdown +# approach you can use one of the following variables: +# o ssl-unclean-shutdown: +# This forces an unclean shutdown when the connection is closed, i.e. no +# SSL close notify alert is sent or allowed to be received. This violates +# the SSL/TLS standard but is needed for some brain-dead browsers. Use +# this when you receive I/O errors because of the standard approach where +# mod_ssl sends the close notify alert. +# o ssl-accurate-shutdown: +# This forces an accurate shutdown when the connection is closed, i.e. a +# SSL close notify alert is send and mod_ssl waits for the close notify +# alert of the client. This is 100% SSL/TLS standard compliant, but in +# practice often causes hanging connections with brain-dead browsers. Use +# this only for browsers where you know that their SSL implementation +# works correctly. +# Notice: Most problems of broken clients are also related to the HTTP +# keep-alive facility, so you usually additionally want to disable +# keep-alive for those clients, too. Use variable "nokeepalive" for this. +# Similarly, one has to force some clients to use HTTP/1.0 to workaround +# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and +# "force-response-1.0" for this. +BrowserMatch "MSIE [2-5]" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + +# Per-Server Logging: +# The home of a custom SSL log file. Use this when you want a +# compact non-error SSL logfile on a virtual host basis. +LogFormat "[%{%a %b %d %H:%M:%S}t.%{usec_frac}t %{%Y}t] [ssl.conf] %h %l %u \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined + +CustomLog /dev/stderr combined + + diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index c0257d2..9f41ad8 100644 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -41,26 +41,6 @@ echo '| Updating Configuration: Apache Base (/etc/apache2/httpd.conf) |' if [[ ${DEBUG} == "TRUE" && -d /debug ]]; then cp /etc/apache2/httpd.conf /debug/httpd.BEFORE.conf;fi -sed -i "s/ServerAdmin\ you@example.com/ServerAdmin\ ${SERVER_ADMIN}/" /etc/apache2/httpd.conf -sed -i "s/#ServerName\ www.example.com:80/ServerName\ ${HTTP_SERVER_NAME}/" /etc/apache2/httpd.conf -sed -i 's#^DocumentRoot ".*#DocumentRoot "/htdocs"#g' /etc/apache2/httpd.conf -sed -i 's#Directory "/var/www/localhost/htdocs"#Directory "/htdocs"#g' /etc/apache2/httpd.conf -sed -i 's#AllowOverride None#AllowOverride All#' /etc/apache2/httpd.conf - -# ALTER: TransferLog after ErrorLog. -sed -i 's#^ErrorLog .*#ErrorLog "logs/error.log"#g' /etc/apache2/httpd.conf -sed -i 's#LogFormat .* %t#LogFormat "[%{%a %b %d %H:%M:%S}t.%{usec_frac}t %{%Y}t] [httpd.conf] %h %l %u#g' /etc/apache2/httpd.conf -sed -i 's#CustomLog logs.* combined#BrowserMatchNoCase ^healthcheck nolog\n\n CustomLog "logs/access.log" combinedio env=!nolog\n#g' /etc/apache2/httpd.conf - -# ALTER: LogLevel. -sed -i "s#^LogLevel .*#LogLevel ${LOG_LEVEL}#g" /etc/apache2/httpd.conf - -# Enable commonly used apache modules -sed -i 's/#LoadModule\ deflate_module/LoadModule\ deflate_module/' /etc/apache2/httpd.conf -sed -i 's/#LoadModule\ expires_module/LoadModule\ expires_module/' /etc/apache2/httpd.conf -sed -i 's/#LoadModule\ logio_module/LoadModule\ logio_module/' /etc/apache2/httpd.conf -sed -i 's/#LoadModule\ rewrite_module/LoadModule\ rewrite_module/' /etc/apache2/httpd.conf - if [[ ${DEBUG} == "TRUE" && -d /debug ]]; then cp /etc/apache2/httpd.conf /debug/httpd.AFTER.conf;fi # + -------------- + # @@ -73,15 +53,6 @@ echo '| Updating Configuration: Apache SSL (/etc/apache2/conf.d/ssl.conf) |' if [[ ${DEBUG} == "TRUE" && -d /debug ]]; then cp /etc/apache2/conf.d/ssl.conf /debug/ssl.BEFORE.conf;fi -sed -i 's#^ErrorLog .*#ErrorLog "logs/ssl-error.log"#g' /etc/apache2/conf.d/ssl.conf -sed -i "s/^TransferLog .*/#TransferLog \"logs\/ssl-transfer.log\"\nLogLevel ${LOG_LEVEL}/g" /etc/apache2/conf.d/ssl.conf -sed -i 's#^DocumentRoot ".*#DocumentRoot "/htdocs"#g' /etc/apache2/conf.d/ssl.conf -sed -i "s/ServerAdmin\ you@example.com/ServerAdmin\ ${SERVER_ADMIN}/" /etc/apache2/conf.d/ssl.conf -sed -i "s/ServerName\ www.example.com:443/ServerName\ ${HTTPS_SERVER_NAME}/" /etc/apache2/conf.d/ssl.conf - -sed -i 's#CustomLog .*#LogFormat "[%{%a %b %d %H:%M:%S}t.%{usec_frac}t %{%Y}t] [ssl.conf] %h %l %u \\"%r\\" %>s %b \\"%{Referer}i\\" \\"%{User-Agent}i\\"" combined\n\nCustomLog "logs/ssl-access.log" combined#g' /etc/apache2/conf.d/ssl.conf -sed -i '/.*%{SSL_PROTOCOL}x.*/d' /etc/apache2/conf.d/ssl.conf - if [[ ${DEBUG} == "TRUE" && -d /debug ]]; then cp /etc/apache2/conf.d/ssl.conf /debug/ssl.AFTER.conf;fi # + ------------- + # From 52f17a764cb447eb45a8f2bc2217fe9c23184ea8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Th=C3=A9otime=20L=C3=A9v=C3=AAque?= Date: Fri, 22 Dec 2023 15:24:25 +0100 Subject: [PATCH 2/7] feat(config): move PHP configuration from runtime to build time This commit is the second of a PR that will aim at dropping requirement to run containers with root permissions. This commit leverages env vars rather than sed & dynamic environment substitution for php.ini file. --- Dockerfile | 3 ++- configs/php/php.ini | 0 docker-compose.yml | 16 ++++++++++++---- docker-entrypoint.sh | 7 ------- 4 files changed, 14 insertions(+), 12 deletions(-) create mode 100644 configs/php/php.ini diff --git a/Dockerfile b/Dockerfile index 11f69a9..f3b1e05 100644 --- a/Dockerfile +++ b/Dockerfile @@ -40,6 +40,7 @@ RUN apk --no-cache --update \ COPY linkstack /htdocs COPY configs/apache2/httpd.conf /etc/apache2/httpd.conf COPY configs/apache2/ssl.conf /etc/apache2/conf.d/ssl.conf +COPY configs/php/php.ini /etc/php8.2/php.ini RUN chown -R apache:apache /htdocs RUN find /htdocs -type d -print0 | xargs -0 chmod 0755 @@ -80,4 +81,4 @@ RUN sed -i 's/#LoadModule deflate_module/LoadModule deflate_module/' /etc/apache # Set console entry path WORKDIR /htdocs -CMD ["docker-entrypoint.sh"] \ No newline at end of file +CMD ["docker-entrypoint.sh"] diff --git a/configs/php/php.ini b/configs/php/php.ini new file mode 100644 index 0000000..e69de29 diff --git a/docker-compose.yml b/docker-compose.yml index 2bc9df8..75bba42 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,7 +1,6 @@ version: "3.8" services: - linkstack: hostname: 'linkstack' image: 'linkstackorg/linkstack:latest' @@ -16,10 +15,19 @@ services: volumes: - 'linkstack_data:/htdocs' ports: - - '8188:80' - - '8190:443' + - '8080:80' + - '8081:443' + depends_on: + - mysql + links: + - mysql restart: unless-stopped + mysql: + image: mysql:8 + environment: + MYSQL_ROOT_PASSWORD: xeFgUGb5mPPn5q2d + ports: + - 3306:3306 volumes: linkstack_data: - diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 9f41ad8..3eb60e3 100644 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -63,13 +63,6 @@ echo '| Updating Configuration: PHP (/etc/php82/php.ini) |' if [[ ${DEBUG} == "TRUE" && -d /debug ]]; then cp /etc/php82/php.ini /debug/php.BEFORE.ini;fi -# ALTER: Modify php memory limit and timezone -sed -i "s/memory_limit = .*/memory_limit = ${PHP_MEMORY_LIMIT}/" /etc/php82/php.ini -sed -i "s/upload_max_filesize = .*/upload_max_filesize = ${UPLOAD_MAX_FILESIZE}/" /etc/php82/php.ini -sed -i "s#^;date.timezone =\$#date.timezone = \"${TZ}\"#" /etc/php82/php.ini - -echo "is_llc_docker = true" >> /etc/php82/php.ini - if [[ ${DEBUG} == "TRUE" && -d /debug ]]; then cp /etc/php82/php.ini /debug/php.AFTER.ini;fi # + ---------- + # From 548dbc09fe7e90ebb1b0d022372a7378932ac0e6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Th=C3=A9otime=20L=C3=A9v=C3=AAque?= Date: Fri, 22 Dec 2023 15:27:41 +0100 Subject: [PATCH 3/7] refactor(docker-entrypoint): remove unused DEBUG related references As the configuration is now defined at build time and overriden at runtime strictly through environment variables, it s not necessary anymore to capture config file changes as they become immutable. --- docker-entrypoint.sh | 35 ----------------------------------- 1 file changed, 35 deletions(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 3eb60e3..56fb8df 100644 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -15,11 +15,6 @@ TZ="${TZ:-UTC}" PHP_MEMORY_LIMIT="${PHP_MEMORY_LIMIT:-256M}" UPLOAD_MAX_FILESIZE="${UPLOAD_MAX_FILESIZE:-8M}" -# If TRUE, outputs pre and post-change config files, if a /debug folder has also been mounted. -# i.e. - '/opt/docker/configs/linkstack/debug:/debug:rw' -# Useful for comparing (and fixing) changes, if necessary. -DEBUG="TRUE" - # Read Current LLC Version # When version.json has CR/LF, it fx up, so have to add tr to remove the line endings. v="$(cat /htdocs/version.json | tr -d '\r\n')" @@ -35,41 +30,11 @@ printf '| LINKSTACK v%s%*s|\n' "${v}" "$vlen" | tr ' ' " " # + ---------------- + # echo '+ ------------------------------------------------------------------ +' -echo '| Updating Configuration: Apache Base (/etc/apache2/httpd.conf) |' - -# ALTER: Server Admin, Name, Document Root. - -if [[ ${DEBUG} == "TRUE" && -d /debug ]]; then cp /etc/apache2/httpd.conf /debug/httpd.BEFORE.conf;fi - -if [[ ${DEBUG} == "TRUE" && -d /debug ]]; then cp /etc/apache2/httpd.conf /debug/httpd.AFTER.conf;fi - -# + -------------- + # -# | -- SSL.CONF -- | # -# + -------------- + # - -echo '| Updating Configuration: Apache SSL (/etc/apache2/conf.d/ssl.conf) |' - -# ALTER: SSL DocumentRoot and Log locations - -if [[ ${DEBUG} == "TRUE" && -d /debug ]]; then cp /etc/apache2/conf.d/ssl.conf /debug/ssl.BEFORE.conf;fi - -if [[ ${DEBUG} == "TRUE" && -d /debug ]]; then cp /etc/apache2/conf.d/ssl.conf /debug/ssl.AFTER.conf;fi - -# + ------------- + # -# | -- PHP.INI -- | # -# + ------------- + # - -echo '| Updating Configuration: PHP (/etc/php82/php.ini) |' - -if [[ ${DEBUG} == "TRUE" && -d /debug ]]; then cp /etc/php82/php.ini /debug/php.BEFORE.ini;fi - -if [[ ${DEBUG} == "TRUE" && -d /debug ]]; then cp /etc/php82/php.ini /debug/php.AFTER.ini;fi # + ---------- + # # | -- MISC -- | # # + ---------- + # -echo '| Updating Configuration: Complete |' echo '| ------------------------------------------------------------------ |' echo '| Running Apache |' echo '+ ------------------------------------------------------------------ +' From 9da49c588610393d3a9b3f9b444196b489ad5b68 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Th=C3=A9otime=20L=C3=A9v=C3=AAque?= Date: Fri, 22 Dec 2023 15:33:02 +0100 Subject: [PATCH 4/7] refactor(Dockerfile): replace apache2 & php files by static config file. Just as for the docker-entrypoint.sh, as the configuration is now defined at build time and overriden at runtime strictly through environment variables, it's not necessary anymore to capture config file changes as they become immutable. --- Dockerfile | 20 -------------------- 1 file changed, 20 deletions(-) diff --git a/Dockerfile b/Dockerfile index f3b1e05..e24488d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -50,21 +50,6 @@ COPY --chmod=0755 docker-entrypoint.sh /usr/local/bin/ HEALTHCHECK CMD curl -f http://localhost -A "HealthCheck" || exit 1 -# Enable compression -RUN sed -i '/LoadModule mime_module/s/^#//g' /etc/apache2/httpd.conf \ - && sed -i '/LoadModule deflate_module/s/^#//g' /etc/apache2/httpd.conf \ - && sed -i '/AddOutputFilterByType text\/html/s/^#//g' /etc/apache2/httpd.conf \ - && sed -i '/AddOutputFilterByType text\/plain/s/^#//g' /etc/apache2/httpd.conf \ - && sed -i '/AddOutputFilterByType text\/xml/s/^#//g' /etc/apache2/httpd.conf \ - && sed -i '/AddOutputFilterByType application\/javascript/s/^#//g' /etc/apache2/httpd.conf \ - && sed -i '/AddOutputFilterByType text\/css/s/^#//g' /etc/apache2/httpd.conf \ - && sed -i '/AddOutputFilterByType image\/svg\+xml/s/^#//g' /etc/apache2/httpd.conf \ - && sed -i '/AddOutputFilterByType application\/x-font-ttf/s/^#//g' /etc/apache2/httpd.conf \ - && sed -i '/AddOutputFilterByType font\/opentype/s/^#//g' /etc/apache2/httpd.conf \ - && sed -i '/AddOutputFilterByType image\/jpeg/s/^#//g' /etc/apache2/httpd.conf \ - && sed -i '/AddOutputFilterByType image\/png/s/^#//g' /etc/apache2/httpd.conf \ - && sed -i '/AddOutputFilterByType image\/gif/s/^#//g' /etc/apache2/httpd.conf - # Forward Apache access and error logs to Docker's log collector. # Optional last line adds extra verbosity with for example: # [ssl:info] [pid 33] [client 10.0.5.8:45542] AH01964: Connection to child 2 established (server your.domain:443) @@ -73,11 +58,6 @@ RUN ln -sf /dev/stdout /var/www/logs/access.log \ && ln -sf /dev/stderr /var/www/logs/ssl-access.log # && ln -sf /dev/stderr /var/www/logs/ssl-error.log -# Enable mod_deflate for text compression -RUN sed -i 's/#LoadModule deflate_module/LoadModule deflate_module/' /etc/apache2/httpd.conf \ - && sed -i 's/#LoadModule filter_module/LoadModule filter_module/' /etc/apache2/httpd.conf \ - && echo 'AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/javascript application/json' >> /etc/apache2/httpd.conf - # Set console entry path WORKDIR /htdocs From b56846d0adcee6136c3958dbd6ca20dfcf8bcdc7 Mon Sep 17 00:00:00 2001 From: thylong Date: Wed, 27 Dec 2023 12:34:04 +0100 Subject: [PATCH 5/7] fix(log): drop /var/log symlinks --- Dockerfile | 8 -------- 1 file changed, 8 deletions(-) diff --git a/Dockerfile b/Dockerfile index e24488d..c64320a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -50,14 +50,6 @@ COPY --chmod=0755 docker-entrypoint.sh /usr/local/bin/ HEALTHCHECK CMD curl -f http://localhost -A "HealthCheck" || exit 1 -# Forward Apache access and error logs to Docker's log collector. -# Optional last line adds extra verbosity with for example: -# [ssl:info] [pid 33] [client 10.0.5.8:45542] AH01964: Connection to child 2 established (server your.domain:443) -RUN ln -sf /dev/stdout /var/www/logs/access.log \ - && ln -sf /dev/stderr /var/www/logs/error.log \ - && ln -sf /dev/stderr /var/www/logs/ssl-access.log -# && ln -sf /dev/stderr /var/www/logs/ssl-error.log - # Set console entry path WORKDIR /htdocs From 32305b4d3a306e72ab62a823bf2eeac621d58885 Mon Sep 17 00:00:00 2001 From: thylong Date: Wed, 27 Dec 2023 17:31:07 +0100 Subject: [PATCH 6/7] feat(non-root): run container as non-root with read-only fs This commit allows any container based on linkstack image to be run as non-root with apache user and limit to RO the filesystem permissions. Ensuring a much more secured runtime. --- Dockerfile | 5 +++++ configs/apache2/httpd.conf | 6 ++++++ docker-compose.yml | 4 +++- docker-entrypoint.sh | 3 +++ 4 files changed, 17 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index c64320a..ef6f116 100644 --- a/Dockerfile +++ b/Dockerfile @@ -42,12 +42,17 @@ COPY configs/apache2/httpd.conf /etc/apache2/httpd.conf COPY configs/apache2/ssl.conf /etc/apache2/conf.d/ssl.conf COPY configs/php/php.ini /etc/php8.2/php.ini +RUN chown apache:apache /etc/ssl/apache2/server.pem +RUN chown apache:apache /etc/ssl/apache2/server.key + RUN chown -R apache:apache /htdocs RUN find /htdocs -type d -print0 | xargs -0 chmod 0755 RUN find /htdocs -type f -print0 | xargs -0 chmod 0644 COPY --chmod=0755 docker-entrypoint.sh /usr/local/bin/ +USER apache:apache + HEALTHCHECK CMD curl -f http://localhost -A "HealthCheck" || exit 1 # Set console entry path diff --git a/configs/apache2/httpd.conf b/configs/apache2/httpd.conf index 07611bf..7339f53 100644 --- a/configs/apache2/httpd.conf +++ b/configs/apache2/httpd.conf @@ -487,3 +487,9 @@ LogLevel ${LOG_LEVEL} # IncludeOptional /etc/apache2/conf.d/*.conf AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/javascript application/json + +# +# The PidFile directive sets the file to which the server records the +# process id of the daemon. If the filename is not absolute, then it +# is assumed to be relative to the ServerRoot. +PidFile /htdocs/httpd.pid diff --git a/docker-compose.yml b/docker-compose.yml index 75bba42..c3c6eda 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -17,11 +17,13 @@ services: ports: - '8080:80' - '8081:443' + restart: unless-stopped + user: apache:apache + # read_only: true depends_on: - mysql links: - mysql - restart: unless-stopped mysql: image: mysql:8 environment: diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 56fb8df..8e9a50f 100644 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -35,6 +35,9 @@ echo '+ ------------------------------------------------------------------ +' # | -- MISC -- | # # + ---------- + # +# Apache gets grumpy about PID files pre-existing +rm -f /htdocs/httpd.pid + echo '| ------------------------------------------------------------------ |' echo '| Running Apache |' echo '+ ------------------------------------------------------------------ +' From ccf51b0782e17aec0978c41ec4e8a3f0c495d438 Mon Sep 17 00:00:00 2001 From: thylong Date: Wed, 27 Dec 2023 17:52:27 +0100 Subject: [PATCH 7/7] feat(volume): convert to anonymous volume --- docker-compose.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index c3c6eda..11ff380 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -13,7 +13,7 @@ services: PHP_MEMORY_LIMIT: '256M' UPLOAD_MAX_FILESIZE: '8M' volumes: - - 'linkstack_data:/htdocs' + - '/htdocs' ports: - '8080:80' - '8081:443' @@ -30,6 +30,3 @@ services: MYSQL_ROOT_PASSWORD: xeFgUGb5mPPn5q2d ports: - 3306:3306 - -volumes: - linkstack_data: