updated README, sample docker-compose.yml file, and added other nginx recipies

045dd93c · Dave Lane · 10f69db3 · 045dd93c · 045dd93c · 045dd93c
Commit 045dd93c authored Nov 26, 2018 by Dave Lane
4 changed files
--- a/README.md
+++ b/README.md
-This [Docker Compose](https://docs.docker.com/compose/) recipe creates a set of 3 Docker containers which should let you run a very efficient [Grav](https://getgrav.org) website (or multiple sites).
+This [Docker Compose](https://docs.docker.com/compose/) recipe creates a set of 2 Docker containers which should let you run a very efficient [Piwigo](https://piwigo.org) media gallery website (or multiple sites).

 It provides a container based on Debian Stretch running the latest PHP (7.2 as of this edit) in FPM mode, with an Nginx container for serving it (you will need to have a reverse proxy to serve it and - I recommend - provide HTTPS support - I provide an example Nginx proxy configuration for this), and, for caching performance, an optional Redis container. Support for all of these is compiled into the PHP container.


--- a/docker-compose.yml-sample
+++ b/docker-compose.yml-sample
 version: "3"

 services:
-    redis:
-        image: redis:4-alpine
-        restart:
-            unless-stopped
-        networks:
-            default:
-                aliases:
-                    - redis.[grav.local]
    app:
-        image: kiwilightweight/grav
-        links:
-            - redis
+        image: kiwilightweight/piwigo-php7fpm
        volumes:
-            - [path-to-my-grav-data]:/var/www/html
+            - [path-to-my-piwigo-install]:/var/www/html
        restart:
            unless-stopped
        networks:
            default:
                aliases:
-                    - [grav.local]
+                    - [piwigo.local]
    nginx:
-        image: kiwilightweight/nginx-grav
+        image: kiwilightweight/nginx-piwigo
        links:
            - app
-            - redis
        ports:
-            - "127.0.0.1:8081:80"
+            - "127.0.0.1:[available port]:80"
        volumes:
            - ./nginx:/etc/nginx/conf.d
-            - ./nginx/cache:/var/cache/nginx
-            - [path-to-my-grav-data]:/var/www/html
+            - [path-to-my-piwigo-install]:/var/www/html
        restart: unless-stopped
        networks:
            default:
                aliases:
-                    - nginx.[grav.local]
+                    - nginx.[piwigo.local]
--- a/nginx/defaults/grav-default.conf
+++ b/nginx/defaults/grav-default.conf
+server {
+    listen 0.0.0.0:80;
+    index index.html index.php;
+
+    ## Web root and Domain Name
+    root /var/www/html;
+    server_name default;
+
+    ## Begin - Index
+    # for subfolders, simply adjust the rewrite:
+    # to use `/subfolder/index.php`
+    location / {
+        try_files $uri $uri/ /index.php?$query_string;
+        #try_files $uri $uri/ /index.php;
+    }
+    ## End - Index
+
+    ## Begin - Security
+    # deny all direct access for these folders
+    location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ { return 403; }
+    # deny running scripts inside core system folders
+    location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
+    # deny running scripts inside user folder
+    location ~* /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
+    # deny access to specific files in the root folder
+    location ~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { return 403; }
+    ## End - Security
+
+    ## Begin - PHP
+    location ~ \.php$ {
+        # Choose either a socket or TCP/IP address
+        #fastcgi_pass unix:/var/run/php5-fpm.sock;
+        fastcgi_pass app:9000;
+
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_index index.php;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
+    }
+    client_max_body_size 100m;
+ 
+    ## Begin - Security
+    # deny all direct access for these folders
+    location ~* /(\.git|cache|bin|logs|backups)/.*$ { return 403; }
+    # deny running scripts inside core system folders
+    location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
+    # deny running scripts inside user folder
+    location ~* /user/.*\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
+    # deny access to specific files in the root folder
+    location ~ /(LICENSEi\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { return 403; }
+    ## End - Security
+ }
--- a/nginx/defaults/silverstripe-default.conf
+++ b/nginx/defaults/silverstripe-default.conf
+# this is for silverstripe
+
+server {
+    listen 0.0.0.0:80;
+    include mime.types;
+    default_type  application/octet-stream;
+    client_max_body_size 0; # Manage this in php.ini (upload_max_filesize & post_max_size)
+    root /var/www/html;
+    server_name default;
+
+    # Defend against SS-2015-013 -- http://www.silverstripe.org/software/download/security-releases/ss-2015-013
+    if ($http_x_forwarded_host) {
+        return 400;
+    }
+    location / {
+        try_files $uri /index.php?$query_string;
+    }
+
+    error_page 404 /assets/error-404.html;
+    error_page 500 /assets/error-500.html;
+    # See caveats
+    error_page 502 /assets/error-500.html;
+    error_page 503 /assets/error-500.html;
+
+    location ^~ /assets/ {
+        sendfile on;
+        try_files $uri =404;
+    }
+
+    location /index.php {
+        fastcgi_buffer_size 32k;
+        fastcgi_busy_buffers_size 64k;
+        fastcgi_buffers 4 32k;
+        fastcgi_keep_conn on;
+        fastcgi_pass   127.0.0.1:9000;
+        fastcgi_index  index.php;
+        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        include        fastcgi_params;
+    }
+}