readme improve

bunkerity 2020-08-01 17:47:06 +02:00
parent 76bd069f25
commit 4f5e5f013e
2 changed files with 38 additions and 15 deletions

View File

@ -28,6 +28,8 @@ Non-exhaustive list of features :
* [PHP](#php)
* [Fail2ban](#fail2ban)
* [ClamAV](#clamav)
* [Misc](#misc)
- [Include custom configurations](#include-custom-configurations)
- [Create your own image](#create-your-own-image)
- [TODO](#todo)
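Review bot: the new `[Include custom configurations]` entry is listed before `[Create your own image]`, but the section added later in this diff is placed after the "Create your own image" example and just before "# TODO". Either move the new section above "# Create your own image" or swap the two entries here so the table of contents follows the document order.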
@ -50,12 +52,12 @@ docker run -p 80:80 -p 443:443 -v /path/to/web/files:/www -v /where/to/save/cert
```
Certificates are stored in the /etc/letsencrypt directory, you should save it on your local drive.
If you don't want your webserver to listen on HTTP add the environment variable LISTEN_HTTP with a "no" value. But Let's Encrypt needs the port 80 to be opened so redirecting the port is mandatory.
If you don't want your webserver to listen on HTTP add the environment variable `LISTEN_HTTP` with a "no" value. But Let's Encrypt needs the port 80 to be opened so redirecting the port is mandatory.
Here you have three environment variables :
- SERVER_NAME : define the FQDN of your webserver, this is mandatory for Let's Encrypt (www.yourdomain.com should point to your IP address)
- AUTO_LETS_ENCRYPT : enable automatic Let's Encrypt creation and renewal of certificates
- REDIRECT_HTTP_TO_HTTPS : enable HTTP to HTTPS redirection
- `SERVER_NAME` : define the FQDN of your webserver, this is mandatory for Let's Encrypt (www.yourdomain.com should point to your IP address)
- `AUTO_LETS_ENCRYPT` : enable automatic Let's Encrypt creation and renewal of certificates
- `REDIRECT_HTTP_TO_HTTPS` : enable HTTP to HTTPS redirection
## Reverse proxy
You can setup a reverse proxy by adding your own custom configurations at server context.
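Review bot: the `AUTO_LETS_ENCRYPT` bullet uses a different spelling from `AUTO_LETSENCRYPT=yes` in the `SERVER_NAME` description further down in this README diff. Only one of the two can be the name the entrypoint reads, and a user who copies the other gets a container that starts without requesting a certificate. Check the name against the entrypoint and use it in both places while these lines are being touched.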
@ -77,12 +79,12 @@ docker run -p 80:80 -e SERVER_NAME="www.website1.com www.website2.com" -e SERVE_
```
Here you have three environment variables :
- SERVER_NAME : list of valid Host headers sent by clients
- SERVE_FILES : nginx will not serve files from /www directory
- DISABLE_DEFAULT_SERVER : nginx will not respond to requests if Host header is not in the SERVER_NAME list
- `SERVER_NAME` : list of valid Host headers sent by clients
- `SERVE_FILES` : nginx will not serve files from the /www directory
- `DISABLE_DEFAULT_SERVER` : nginx will not respond to requests if Host header is not in the SERVER_NAME list
# Tutorials
TODO : link tutorials from bunkerity website
You will find some tutorials about bunkerized-nginx in our [blog](https://www.bunkerity.com/category/bunkerized-nginx/).
# List of environment variables
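Review bot: the `SERVE_FILES` and `DISABLE_DEFAULT_SERVER` bullets describe an effect without saying which value produces it, so "`SERVE_FILES` : nginx will not serve files" reads as if merely defining the variable disables file serving. State the value in each bullet, in the same yes/no form the variable reference uses. For `DISABLE_DEFAULT_SERVER` this matters most, since it is the setting that decides whether requests with an unlisted Host header get an answer.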
@ -127,8 +129,8 @@ Sets the host names of the webserver separated with spaces. This must match the
Useful when used with `AUTO_LETSENCRYPT=yes` and/or `DISABLE_DEFAULT_SERVER=yes`.
`WRITE_ACCESS`
Values : *yes* | *no*
Default value : *no*
Values : *yes* | *no*
Default value : *no*
If set to yes, nginx will be granted write access to the /www directory.
Set it to yes if your website uses file upload or creates dynamic files for example.
@ -291,9 +293,9 @@ Default value : *no*
If set to yes, the PHP version will be sent within the X-Powered-By header.
`PHP_OPEN_BASEDIR`
Values : *\<directory\>*
Default value : */www/*
Limits access to files within the given directory. For example include() or fopen() calls outside the directory will fail.
Values : *\<directories separated with : char\>*
Default value : */www/:/tmp/*
Limits access to files within the given directories. For example include() or fopen() calls outside the directory will fail.
`PHP_ALLOW_URL_FOPEN`
Values : *yes* | *no*
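Review bot: the `PHP_OPEN_BASEDIR` default changes from */www/* to */www/:/tmp/*, but the only entrypoint change shown in this commit is `FAIL2BAN_MAXRETRY`, so the README now documents a default that this commit does not set. Confirm that the entrypoint already defaults to `/www/:/tmp/`, or change it in the same commit. Because this widens what PHP code may read and write, add a sentence on why `/tmp/` is included. The last sentence also still says "outside the directory" and should read "outside the directories".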
@ -315,6 +317,11 @@ Values : *\<size in bytes\>* | *XM*
Default value : *10M*
Sets the maximum file size allowed when uploading files.
`PHP_POST_MAX_SIZE`
Values : *\<size in bytes\>* | *XM*
Default value : *10M*
Sets the maximum POST size allowed for clients.
`PHP_DISABLE_FUNCTIONS`
Values : *\<function 1\>, \<function 2\> ...*
Default value : *system, exec, shell_exec, passthru, phpinfo, show_source, highlight_file, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo*
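Review bot: `PHP_POST_MAX_SIZE` is documented with the same *10M* default as the upload file size limit just above it. If it maps to PHP's post_max_size, the PHP manual requires that value to be larger than upload_max_filesize, so a file at the documented upload limit would be rejected once the multipart overhead is added. Document that relationship here, and note that the "Create your own image" example sets `PHP_UPLOAD_MAX_FILESIZE 100M` without raising this variable. No default for it appears in the entrypoint hunk of this commit either.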
@ -364,6 +371,13 @@ Values : *yes* | *no*
Default value : *yes*
If set to yes, ClamAV will automatically remove the detected files.
## Misc
`ADDITIONAL_MODULES`
Values : *\<list of packages separated with space\>*
Default value :
You can specify additional modules to install. All [alpine packages](https://pkgs.alpinelinux.org/packages) are valid.
A use case is to use this to install PHP extensions (e.g. : php7-json php7-xml php7-curl ...).
# Create your own image
You can use bunkerity/bunkerized-nginx as a base image for your web application.
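Review bot: the `ADDITIONAL_MODULES` text says any Alpine package is valid but not when the packages are installed or at which version. State whether installation happens at container start, which needs network access and pulls whatever version is current at that moment, and point readers who need a reproducible image to the "Create your own image" section that follows. The "Default value :" line is left blank; write an explicit value such as *empty* so it does not look truncated.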
@ -384,8 +398,17 @@ ENV PHP_UPLOAD_MAX_FILESIZE 100M
ENV WRITE_ACCESS yes
```
# Include custom configurations
Custom configurations files (ending with .conf suffix) can be added in some directory inside the container :
- /http-confs : http context
- /server-confs : server context
You just need to use a volume like this :
```
docker run ... -v /path/to/http/confs:/http-confs ... bunkerity/bunkerized-nginx
```
# TODO
- README improve
- docker tags
- Tutorials
- Full documentation
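Review bot: the volume example in the new "Include custom configurations" section mounts the host directory read-write and only shows `/http-confs`, while the "Reverse proxy" section relies on the server context. Add the matching `-v /path/to/server/confs:/server-confs` form. If the entrypoint does not need to write to these directories, show the mounts with `:ro` so a compromised web application cannot rewrite the nginx configuration on the host. "Custom configurations files ... in some directory" should read "Custom configuration files ... in the following directories".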

View File

@ -91,7 +91,7 @@ USE_FAIL2BAN="${USE_FAIL2BAN-yes}"
FAIL2BAN_STATUS_CODES="${FAIL2BAN_STATUS_CODES-400|401|403|404|405|444}"
FAIL2BAN_BANTIME="${FAIL2BAN_BANTIME-3600}"
FAIL2BAN_FINDTIME="${FAIL2BAN_FINDTIME-60}"
FAIL2BAN_MAXRETRY="${FAIL2BAN_MAXRETRY-10}"
FAIL2BAN_MAXRETRY="${FAIL2BAN_MAXRETRY-20}"
USE_CLAMAV_UPLOAD="${USE_CLAMAV_UPLOAD-yes}"
USE_CLAMAV_SCAN="${USE_CLAMAV_SCAN-yes}"
CLAMAV_SCAN_REMOVE="${CLAMAV_SCAN_REMOVE-yes}"
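Review bot: `FAIL2BAN_MAXRETRY` goes from 10 to 20 in a commit titled "readme improve", and none of the README hunks touch the documented default for this variable. This doubles the number of error responses a client may trigger within `FAIL2BAN_FINDTIME` (60) before being banned, which is a behaviour change that deserves its own commit, or at least a line in the commit message giving the reason. Update the `FAIL2BAN_MAXRETRY` entry in the README to the new default in the same change.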