11 changes: 11 additions & 0 deletions README.md
Expand Up @@ -91,6 +91,16 @@ mkdir -p /data/example-com/html
docker run -e VIRTUAL_HOST=www.example.com,example.com -v /data/example-com/html:/usr/html -p 80:80 yobasystems/alpine-php-wordpress:latest
```

### Nginx access logs

Nginx access logs (including blocked/security logs) are enabled by default and written to stdout.

To disable all nginx access logs (for example, if Envoy already captures request logs), set `NGINX_ACCESS_LOG=off`.

```bash
docker run -e NGINX_ACCESS_LOG=off -e VIRTUAL_HOST=www.example.com,example.com -v /data/example-com/html:/usr/html -p 80:80 yobasystems/alpine-php-wordpress:latest
```

The following user and group id are used, the files should be set to this:
User ID:1001
Group ID: 1001
Expand Down Expand Up @@ -249,6 +259,7 @@ wordpress:
image: yobasystems/alpine-php-wordpress:latest
environment:
VIRTUAL_HOST: example.com
NGINX_ACCESS_LOG: "off" # optional
expose:
- "80"
volumes:
5 changes: 4 additions & 1 deletion alpine-php-wordpress-aarch64/Dockerfile
Expand Up @@ -47,7 +47,10 @@ ADD files/nginx.conf /etc/nginx/
ADD files/php-fpm.conf /etc/php84/
ADD files/run.sh /
RUN chmod +x /run.sh && \
curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar && chmod +x wp-cli.phar && mv wp-cli.phar /usr/bin/wp-cli && chown nginx:nginx /usr/bin/wp-cli
curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar && chmod +x wp-cli.phar && mv wp-cli.phar /usr/bin/wp-cli && chown nginx:nginx /usr/bin/wp-cli && \
mkdir -p /usr/html /tmp/nginx /etc/nginx/server_includes && \
chown -R nginx:www-data /usr/html && \
chown nginx:nginx /tmp/nginx

EXPOSE 80
VOLUME ["/usr/html"]
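Review bot: The re-flowed `curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar` has no `-f`, so on an HTTP error the error body is saved, chmod'ed and moved to /usr/bin/wp-cli while the build still succeeds, and the unpinned gh-pages URL means each build can ship a different binary with nothing checking it; `curl -fsSL -o /usr/bin/wp-cli <URL> && chmod 755 /usr/bin/wp-cli` fails the build on an error, and pinning a wp-cli release version with its published checksum would make the fetch reproducible. `chown nginx:nginx /usr/bin/wp-cli` leaves the tool writable by the web user that executes it; root ownership with mode 755 is enough to run it. The new `chown -R nginx:www-data /usr/html` relies on a www-data group being present in the base image — if that is not guaranteed by the packages installed earlier in this file, create it explicitly before this RUN. The same hunk appears in alpine-php-wordpress-amd64/Dockerfile and alpine-php-wordpress-armhf/Dockerfile.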
39 changes: 20 additions & 19 deletions alpine-php-wordpress-aarch64/files/nginx.conf
Expand Up @@ -17,7 +17,7 @@ http {
include /etc/nginx/mime.types;
include /etc/nginx/fastcgi.conf;
default_type application/octet-stream;
access_log stdout;
access_log /dev/stdout;
tcp_nopush on;
client_body_temp_path /tmp/nginx/body 1 2;
fastcgi_temp_path /tmp/nginx/fastcgi_temp 1 2;
Expand All @@ -36,10 +36,11 @@ http {

root /usr/html;
index index.php index.html index.htm;
access_log stdout;
access_log /dev/stdout;
error_log stderr notice;

disable_symlinks off;
include /etc/nginx/server_includes/*.conf;

location = /robots.txt {
allow all;
Expand Down Expand Up @@ -73,29 +74,29 @@ http {
}

## Block SQL injections
location ~* union.*select.*\( { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* union.*all.*select.* { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* concat.*\( { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* union.*select.*\( { access_log /dev/stdout blocked; deny all; }
location ~* union.*all.*select.* { access_log /dev/stdout blocked; deny all; }
location ~* concat.*\( { access_log /dev/stdout blocked; deny all; }

## Block common exploits
location ~* (<|%3C).*script.*(>|%3E) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* base64_(en|de)code\(.*\) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* (%24&x) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* (%0|%A|%B|%C|%D|%E|%F|127\.0) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* \.\.\/ { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* ~$ { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* proc/self/environ { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* /\.(htaccess|htpasswd|svn) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* (<|%3C).*script.*(>|%3E) { access_log /dev/stdout blocked; deny all; }
location ~* base64_(en|de)code\(.*\) { access_log /dev/stdout blocked; deny all; }
location ~* (%24&x) { access_log /dev/stdout blocked; deny all; }
location ~* (%0|%A|%B|%C|%D|%E|%F|127\.0) { access_log /dev/stdout blocked; deny all; }
location ~* \.\.\/ { access_log /dev/stdout blocked; deny all; }
location ~* ~$ { access_log /dev/stdout blocked; deny all; }
location ~* proc/self/environ { access_log /dev/stdout blocked; deny all; }
location ~* /\.(htaccess|htpasswd|svn) { access_log /dev/stdout blocked; deny all; }

## Block file injections
location ~* [a-zA-Z0-9_]=(\.\.//?)+ { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* [a-zA-Z0-9_]=(\.\.//?)+ { access_log /dev/stdout blocked; deny all; }
location ~* [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ { access_log /dev/stdout blocked; deny all; }

## wordpress security
location ~* wp-config.php { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* wp-admin/includes { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* wp-app\.log { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* (licence|readme|license)\.(html|txt) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* wp-config.php { access_log /dev/stdout blocked; deny all; }
location ~* wp-admin/includes { access_log /dev/stdout blocked; deny all; }
location ~* wp-app\.log { access_log /dev/stdout blocked; deny all; }
location ~* (licence|readme|license)\.(html|txt) { access_log /dev/stdout blocked; deny all; }

}

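Review bot: `include /etc/nginx/server_includes/*.conf;` sits ahead of the regex `location ~* … { deny all; }` rules, and nginx selects the first regex location that matches in configuration order, so a drop-in that declares its own regex locations is consulted before the blocking rules below it; if the directory is meant as a safe extension point, either move the include after the security locations or state the ordering in a comment such as `# drop-ins are matched before the deny rules that follow`. The `blocked` format used by `access_log /dev/stdout blocked;` has to be declared with `log_format blocked` in the http block; it is not visible in these hunks, so presumably it already existed for the old file-based log. Since blocked requests and ordinary access lines now share stdout, a log consumer has to tell them apart by format, which the README could say in one sentence. The same applies to alpine-php-wordpress-amd64/files/nginx.conf and alpine-php-wordpress-armhf/files/nginx.conf.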
6 changes: 5 additions & 1 deletion alpine-php-wordpress-aarch64/files/php-fpm.conf
@@ -1,4 +1,4 @@
error_log = /usr/logs/php-fpm/php-fpm.log
error_log = /proc/1/fd/2
log_level = warning

[www]
Expand All @@ -9,12 +9,16 @@ listen.owner = nginx
listen.group = nginx
pm = ondemand

; Do not clear environment variables
clear_env = no

; Total RAM dedicated to the web server / Max child process size
pm.max_children = 75

pm.process_idle_timeout = 10s
pm.max_requests = 500
chdir = /usr/html
access.log = /proc/1/fd/1
php_flag[display_errors] = on
php_admin_value[memory_limit] = 128M
php_admin_value[upload_max_filesize] = 32M
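Review bot: `access.log = /proc/1/fd/1` is unconditional, so with `NGINX_ACCESS_LOG=off` (whose README rationale is that Envoy already captures request logs) every PHP request is still written to stdout by php-fpm; either honour the same switch in run.sh or state in the README that only nginx's log is silenced. The `/proc/1/fd/*` targets also assume PID 1 is run.sh holding the container's stdio, presumably chosen because php-fpm daemonizes and its own descriptors no longer point at the container output; that reasoning belongs in the file, e.g. `; PID 1 (run.sh) keeps the container stdout/stderr; php-fpm's own fds are not usable once it daemonizes`. The adjacent context line `php_flag[display_errors] = on` returns PHP errors to clients; now that error_log reaches stderr, turning it off would avoid exposing paths and traces. Same for alpine-php-wordpress-amd64/files/php-fpm.conf.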
28 changes: 16 additions & 12 deletions alpine-php-wordpress-aarch64/files/run.sh
Expand Up @@ -2,24 +2,28 @@

[ -f /run-pre.sh ] && /run-pre.sh

if [ ! -d /usr/html ] ; then
echo "[i] Creating directories..."
mkdir -p /usr/html
echo "[i] Fixing permissions..."
chown -R nginx:nginx /usr/html
else
echo "[i] Fixing permissions..."
chown -R nginx:nginx /usr/html
fi
for entrypoint in /entrypoint.d/*.sh; do
[ -f "$entrypoint" ] || continue
echo "[i] Sourcing $entrypoint..."
. "$entrypoint"
done

echo "[i] Fixing permissions..."
chown -R nginx:www-data /usr/html

NGINX_ACCESS_LOG=${NGINX_ACCESS_LOG:-on}

case "$NGINX_ACCESS_LOG" in
[Oo][Ff][Ff] | [Ff][Aa][Ll][Ss][Ee] | 0 | [Nn][Oo])
echo "[i] Disabling nginx access logs..."
sed -i 's#access_log /dev/stdout blocked;#access_log off;#g' /etc/nginx/nginx.conf
sed -i 's#access_log /dev/stdout;#access_log off;#g' /etc/nginx/nginx.conf
;;
esac

# start php-fpm
mkdir -p /usr/logs/php-fpm
php-fpm84

# start nginx
mkdir -p /usr/logs/nginx
mkdir -p /tmp/nginx
chown nginx /tmp/nginx
nginx
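Review bot: `chown -R nginx:www-data /usr/html` now rewrites the group of every file in the site volume to www-data on each start, while README.md in this same PR still tells operators to prepare the volume as "User ID:1001 / Group ID: 1001"; unless the image creates www-data with gid 1001 (not visible here), that documented gid is stale and the first start after upgrading silently changes ownership of an existing bind mount, so update the README ids or explain the change in a comment next to the chown. The two `sed -i … /etc/nginx/nginx.conf` lines only touch the main config, so `access_log` directives in /etc/nginx/server_includes/*.conf survive `NGINX_ACCESS_LOG=off`; the README sentence claiming all nginx access logs are disabled should say so. `mkdir -p /usr/logs/php-fpm` and `mkdir -p /usr/logs/nginx` create directories nothing writes to any more and can go. The same applies to alpine-php-wordpress-amd64/files/run.sh.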
5 changes: 4 additions & 1 deletion alpine-php-wordpress-amd64/Dockerfile
Expand Up @@ -47,7 +47,10 @@ ADD files/nginx.conf /etc/nginx/
ADD files/php-fpm.conf /etc/php84/
ADD files/run.sh /
RUN chmod +x /run.sh && \
curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar && chmod +x wp-cli.phar && mv wp-cli.phar /usr/bin/wp-cli && chown nginx:nginx /usr/bin/wp-cli
curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar && chmod +x wp-cli.phar && mv wp-cli.phar /usr/bin/wp-cli && chown nginx:nginx /usr/bin/wp-cli && \
mkdir -p /usr/html /tmp/nginx /etc/nginx/server_includes && \
chown -R nginx:www-data /usr/html && \
chown nginx:nginx /tmp/nginx

EXPOSE 80
VOLUME ["/usr/html"]
39 changes: 20 additions & 19 deletions alpine-php-wordpress-amd64/files/nginx.conf
Expand Up @@ -17,7 +17,7 @@ http {
include /etc/nginx/mime.types;
include /etc/nginx/fastcgi.conf;
default_type application/octet-stream;
access_log stdout;
access_log /dev/stdout;
tcp_nopush on;
client_body_temp_path /tmp/nginx/body 1 2;
fastcgi_temp_path /tmp/nginx/fastcgi_temp 1 2;
Expand All @@ -36,10 +36,11 @@ http {

root /usr/html;
index index.php index.html index.htm;
access_log stdout;
access_log /dev/stdout;
error_log stderr notice;

disable_symlinks off;
include /etc/nginx/server_includes/*.conf;

location = /robots.txt {
allow all;
Expand Down Expand Up @@ -73,29 +74,29 @@ http {
}

## Block SQL injections
location ~* union.*select.*\( { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* union.*all.*select.* { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* concat.*\( { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* union.*select.*\( { access_log /dev/stdout blocked; deny all; }
location ~* union.*all.*select.* { access_log /dev/stdout blocked; deny all; }
location ~* concat.*\( { access_log /dev/stdout blocked; deny all; }

## Block common exploits
location ~* (<|%3C).*script.*(>|%3E) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* base64_(en|de)code\(.*\) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* (%24&x) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* (%0|%A|%B|%C|%D|%E|%F|127\.0) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* \.\.\/ { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* ~$ { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* proc/self/environ { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* /\.(htaccess|htpasswd|svn) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* (<|%3C).*script.*(>|%3E) { access_log /dev/stdout blocked; deny all; }
location ~* base64_(en|de)code\(.*\) { access_log /dev/stdout blocked; deny all; }
location ~* (%24&x) { access_log /dev/stdout blocked; deny all; }
location ~* (%0|%A|%B|%C|%D|%E|%F|127\.0) { access_log /dev/stdout blocked; deny all; }
location ~* \.\.\/ { access_log /dev/stdout blocked; deny all; }
location ~* ~$ { access_log /dev/stdout blocked; deny all; }
location ~* proc/self/environ { access_log /dev/stdout blocked; deny all; }
location ~* /\.(htaccess|htpasswd|svn) { access_log /dev/stdout blocked; deny all; }

## Block file injections
location ~* [a-zA-Z0-9_]=(\.\.//?)+ { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* [a-zA-Z0-9_]=(\.\.//?)+ { access_log /dev/stdout blocked; deny all; }
location ~* [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ { access_log /dev/stdout blocked; deny all; }

## wordpress security
location ~* wp-config.php { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* wp-admin/includes { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* wp-app\.log { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* (licence|readme|license)\.(html|txt) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* wp-config.php { access_log /dev/stdout blocked; deny all; }
location ~* wp-admin/includes { access_log /dev/stdout blocked; deny all; }
location ~* wp-app\.log { access_log /dev/stdout blocked; deny all; }
location ~* (licence|readme|license)\.(html|txt) { access_log /dev/stdout blocked; deny all; }

}

6 changes: 5 additions & 1 deletion alpine-php-wordpress-amd64/files/php-fpm.conf
@@ -1,4 +1,4 @@
error_log = /usr/logs/php-fpm/php-fpm.log
error_log = /proc/1/fd/2
log_level = warning

[www]
Expand All @@ -9,12 +9,16 @@ listen.owner = nginx
listen.group = nginx
pm = ondemand

; Do not clear environment variables
clear_env = no

; Total RAM dedicated to the web server / Max child process size
pm.max_children = 75

pm.process_idle_timeout = 10s
pm.max_requests = 500
chdir = /usr/html
access.log = /proc/1/fd/1
php_flag[display_errors] = on
php_admin_value[memory_limit] = 128M
php_admin_value[upload_max_filesize] = 32M
28 changes: 16 additions & 12 deletions alpine-php-wordpress-amd64/files/run.sh
Expand Up @@ -2,24 +2,28 @@

[ -f /run-pre.sh ] && /run-pre.sh

if [ ! -d /usr/html ] ; then
echo "[i] Creating directories..."
mkdir -p /usr/html
echo "[i] Fixing permissions..."
chown -R nginx:nginx /usr/html
else
echo "[i] Fixing permissions..."
chown -R nginx:nginx /usr/html
fi
for entrypoint in /entrypoint.d/*.sh; do
[ -f "$entrypoint" ] || continue
echo "[i] Sourcing $entrypoint..."
. "$entrypoint"
done

echo "[i] Fixing permissions..."
chown -R nginx:www-data /usr/html

NGINX_ACCESS_LOG=${NGINX_ACCESS_LOG:-on}

case "$NGINX_ACCESS_LOG" in
[Oo][Ff][Ff] | [Ff][Aa][Ll][Ss][Ee] | 0 | [Nn][Oo])
echo "[i] Disabling nginx access logs..."
sed -i 's#access_log /dev/stdout blocked;#access_log off;#g' /etc/nginx/nginx.conf
sed -i 's#access_log /dev/stdout;#access_log off;#g' /etc/nginx/nginx.conf
;;
esac

# start php-fpm
mkdir -p /usr/logs/php-fpm
php-fpm84

# start nginx
mkdir -p /usr/logs/nginx
mkdir -p /tmp/nginx
chown nginx /tmp/nginx
nginx
5 changes: 4 additions & 1 deletion alpine-php-wordpress-armhf/Dockerfile
Expand Up @@ -47,7 +47,10 @@ ADD files/nginx.conf /etc/nginx/
ADD files/php-fpm.conf /etc/php84/
ADD files/run.sh /
RUN chmod +x /run.sh && \
curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar && chmod +x wp-cli.phar && mv wp-cli.phar /usr/bin/wp-cli && chown nginx:nginx /usr/bin/wp-cli
curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar && chmod +x wp-cli.phar && mv wp-cli.phar /usr/bin/wp-cli && chown nginx:nginx /usr/bin/wp-cli && \
mkdir -p /usr/html /tmp/nginx /etc/nginx/server_includes && \
chown -R nginx:www-data /usr/html && \
chown nginx:nginx /tmp/nginx

EXPOSE 80
VOLUME ["/usr/html"]
39 changes: 20 additions & 19 deletions alpine-php-wordpress-armhf/files/nginx.conf
Expand Up @@ -17,7 +17,7 @@ http {
include /etc/nginx/mime.types;
include /etc/nginx/fastcgi.conf;
default_type application/octet-stream;
access_log stdout;
access_log /dev/stdout;
tcp_nopush on;
client_body_temp_path /tmp/nginx/body 1 2;
fastcgi_temp_path /tmp/nginx/fastcgi_temp 1 2;
Expand All @@ -36,10 +36,11 @@ http {

root /usr/html;
index index.php index.html index.htm;
access_log stdout;
access_log /dev/stdout;
error_log stderr notice;

disable_symlinks off;
include /etc/nginx/server_includes/*.conf;

location = /robots.txt {
allow all;
Expand Down Expand Up @@ -73,29 +74,29 @@ http {
}

## Block SQL injections
location ~* union.*select.*\( { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* union.*all.*select.* { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* concat.*\( { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* union.*select.*\( { access_log /dev/stdout blocked; deny all; }
location ~* union.*all.*select.* { access_log /dev/stdout blocked; deny all; }
location ~* concat.*\( { access_log /dev/stdout blocked; deny all; }

## Block common exploits
location ~* (<|%3C).*script.*(>|%3E) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* base64_(en|de)code\(.*\) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* (%24&x) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* (%0|%A|%B|%C|%D|%E|%F|127\.0) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* \.\.\/ { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* ~$ { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* proc/self/environ { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* /\.(htaccess|htpasswd|svn) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* (<|%3C).*script.*(>|%3E) { access_log /dev/stdout blocked; deny all; }
location ~* base64_(en|de)code\(.*\) { access_log /dev/stdout blocked; deny all; }
location ~* (%24&x) { access_log /dev/stdout blocked; deny all; }
location ~* (%0|%A|%B|%C|%D|%E|%F|127\.0) { access_log /dev/stdout blocked; deny all; }
location ~* \.\.\/ { access_log /dev/stdout blocked; deny all; }
location ~* ~$ { access_log /dev/stdout blocked; deny all; }
location ~* proc/self/environ { access_log /dev/stdout blocked; deny all; }
location ~* /\.(htaccess|htpasswd|svn) { access_log /dev/stdout blocked; deny all; }

## Block file injections
location ~* [a-zA-Z0-9_]=(\.\.//?)+ { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* [a-zA-Z0-9_]=(\.\.//?)+ { access_log /dev/stdout blocked; deny all; }
location ~* [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ { access_log /dev/stdout blocked; deny all; }

## wordpress security
location ~* wp-config.php { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* wp-admin/includes { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* wp-app\.log { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* (licence|readme|license)\.(html|txt) { access_log /usr/logs/nginx/blocked.log blocked; deny all; }
location ~* wp-config.php { access_log /dev/stdout blocked; deny all; }
location ~* wp-admin/includes { access_log /dev/stdout blocked; deny all; }
location ~* wp-app\.log { access_log /dev/stdout blocked; deny all; }
location ~* (licence|readme|license)\.(html|txt) { access_log /dev/stdout blocked; deny all; }

}
