multisite examples and certbot renew fix

2020-11-13 15:10:29 +01:00 · 2020-11-13 15:10:29 +01:00 · 8cdc155ac0
parent 1abe1da89e
commit 8cdc155ac0
14 changed files with 272 additions and 17 deletions
--- a/examples/multisite-basic/docker-compose.yml
+++ b/examples/multisite-basic/docker-compose.yml
@ -0,0 +1,62 @@
+version: '3'
+
+services:
+
+  mywww:
+    image: bunkerity/bunkerized-nginx
+    restart: always
+    ports:
+      - 80:8080
+      - 443:8443
+    volumes:
+      - ./web-files:/www
+      - ./letsencrypt:/etc/letsencrypt
+      - ./server-confs:/server-confs
+    environment:
+      - SERVER_NAME=app1.website.com app2.website.com app3.website.com # replace with your domains
+      - MULTISITE=yes
+      - AUTO_LETS_ENCRYPT=yes
+      - REDIRECT_HTTP_TO_HTTPS=yes
+      - DISABLE_DEFAULT_SERVER=yes
+      - app1.website.com_REMOTE_PHP=myapp1
+      - app1.website.com_REMOTE_PHP_PATH=/app
+      - app2.website.com_REMOTE_PHP=myapp2
+      - app2.website.com_REMOTE_PHP_PATH=/app
+      - app3.website.com_SERVE_FILES=no
+    networks:
+      - net1
+      - net2
+      - net3
+
+  myapp1:
+    image: php:fpm
+    restart: always
+    volumes:
+      - ./web-files/app1:/app
+    networks:
+      - net1
+
+  myapp2:
+    image: php:fpm
+    restart: always
+    volumes:
+      - ./web-files/app2:/app
+    networks:
+      - net2
+
+  myapp3:
+    image: node
+    restart: always
+    working_dir: /home/node/app
+    volumes:
+      - ./js-app:/home/node/app
+    environment:
+      - NODE_ENV=production
+    command: bash -c "npm install express && node index.js"
+    networks:
+      - net3
+
+  networks:
+    net1:
+    net2:
+    net3:
--- a/examples/multisite-basic/js-app/index.js
+++ b/examples/multisite-basic/js-app/index.js
@ -0,0 +1,12 @@
+const express = require('express')
+const app = express()
+const port = 3000
+
+app.get('/', (req, res) => {
+  res.send('hello from app3 !')
+})
+
+app.listen(port, () => {
+  console.log(`Example app listening at http://localhost:${port}`)
+})
+
--- a/examples/multisite-basic/js-app/package.json
+++ b/examples/multisite-basic/js-app/package.json
@ -0,0 +1,14 @@
+{
+  "name": "js-app",
+  "version": "1.0.0",
+  "description": "demo",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "express": "^4.17.1"
+  }
+}
--- a/examples/multisite-basic/server-confs/app3.website.com/reverse-proxy.conf
+++ b/examples/multisite-basic/server-confs/app3.website.com/reverse-proxy.conf
@ -0,0 +1,6 @@
+proxy_set_header Host $host;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+location / {
+	proxy_pass http://myapp3:3000$request_uri;
+}
--- a/examples/multisite-basic/web-files/app1.website.com/index.php
+++ b/examples/multisite-basic/web-files/app1.website.com/index.php
@ -0,0 +1,5 @@
+<?php
+
+echo "hello from app1 !";
+
+?>
--- a/examples/multisite-basic/web-files/app2.website.com/index.php
+++ b/examples/multisite-basic/web-files/app2.website.com/index.php
@ -0,0 +1,5 @@
+<?php
+
+echo "hello from app2 !";
+
+?>
--- a/examples/multisite-complex/docker-compose.yml
+++ b/examples/multisite-complex/docker-compose.yml
@ -0,0 +1,87 @@
+version: '3'
+
+services:
+
+  mywww:
+    image: bunkerity/bunkerized-nginx
+    restart: always
+    ports:
+      - 80:8080
+      - 443:8443
+    volumes:
+      - ./web-files:/www
+      - ./letsencrypt:/etc/letsencrypt
+      - ./server-confs:/server-confs
+      - ./modsec-confs:/modsec-confs
+      - ./modsec-crs-confs:/modsec-crs-conf
+    environment:
+      - SERVER_NAME=wp.website.com nc.website.com # replace with your domains
+      - MULTISITE=yes
+      - AUTO_LETS_ENCRYPT=yes
+      - REDIRECT_HTTP_TO_HTTPS=yes
+      - DISABLE_DEFAULT_SERVER=yes
+      - wp.website.com_REMOTE_PHP=mywp
+      - wp.website.com_REMOTE_PHP_PATH=/var/www/html
+      - nc.website.com_REMOTE_PHP=mync
+      - nc.website.com_REMOTE_PHP_PATH=/var/www/html
+      - nc.website.com_LIMIT_REQ_RATE=40r/s
+      - nc.website.com_LIMIT_REQ_BURST=60
+      - nc.website.com_ALLOWED_METHODS=GET|POST|HEAD|PROPFIND|DELETE|PUT|MKCOL|MOVE|COPY|PROPPATCH|REPORT
+      - nc.website.com_X_FRAME_OPTIONS=SAMEORIGIN
+    networks:
+      - net1
+      - net2
+
+  mywp:
+    image: wordpress:fpm-alpine
+    restart: always
+    volumes:
+      - ./web-files/wp.website.com:/var/www/html
+    environment:
+      - WORDPRESS_DB_HOST=mywpdb
+      - WORDPRESS_DB_NAME=wp
+      - WORDPRESS_DB_USER=user
+      - WORDPRESS_DB_PASSWORD=db-user-pwd    # replace with a stronger password (must match MYSQL_PASSWORD)
+      - WORDPRESS_TABLE_PREFIX=prefix_       # best practice : replace with a random prefix
+    networks:
+      - net1
+
+  mywpdb:
+    image: mariadb
+    restart: always
+    volumes:
+      - ./wp-db-data:/var/lib/mysql
+    environment:
+      - MYSQL_ROOT_PASSWORD=db-root-pwd      # replace with a stronger password
+      - MYSQL_DATABASE=wp
+      - MYSQL_USER=user
+      - MYSQL_PASSWORD=db-user-pwd           # replace with a stronger password (must match WORDPRESS_DB_PASSWORD)
+    networks:
+      - net1
+
+  mync:
+    image: nextcloud:stable-fpm
+    restart: always
+    volumes:
+      - ./web-files/nc.website.com:/var/www/html
+    environment:
+      - MYSQL_HOST=myncdb
+      - MYSQL_DATABASE=nc
+      - MYSQL_USER=user
+      - MYSQL_PASSWORD=db-user-pwd           # replace with a stronger password (must match MYSQL_PASSWORD)
+    networks:
+      - net2
+
+  myncdb:
+    image: mariadb
+    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
+    restart: always
+    volumes:
+      - ./nc-db-data:/var/lib/mysql
+    environment:
+      - MYSQL_ROOT_PASSWORD=db-root-pwd      # replace with a stronger password
+      - MYSQL_DATABASE=nc
+      - MYSQL_USER=user
+      - MYSQL_PASSWORD=db-user-pwd           # replace with a stronger password (must match MYSQL_PASSWORD)
+    networks:
+      - net2
--- a/examples/multisite-complex/modsec-confs/nc.website.com/nextcloud.conf
+++ b/examples/multisite-complex/modsec-confs/nc.website.com/nextcloud.conf
@ -0,0 +1 @@
+SecRuleRemoveById 921110
--- a/examples/multisite-complex/modsec-crs-confs/nc.website.com/nextcloud.conf
+++ b/examples/multisite-complex/modsec-crs-confs/nc.website.com/nextcloud.conf
@ -0,0 +1,15 @@
+SecAction \
+ "id:900130,\
+  phase:1,\
+  nolog,\
+  pass,\
+  t:none,\
+  setvar:tx.crs_exclusions_nextcloud=1"
+
+SecAction \
+ "id:900200,\
+  phase:1,\
+  nolog,\
+  pass,\
+  t:none,\
+  setvar:'tx.allowed_methods=GET HEAD POST PROPFIND DELETE PUT MKCOL MOVE COPY PROPPATCH REPORT'"
--- a/examples/multisite-complex/modsec-crs-confs/wp.website.com/wordpress.conf
+++ b/examples/multisite-complex/modsec-crs-confs/wp.website.com/wordpress.conf
@ -0,0 +1,7 @@
+SecAction \
+ "id:900130,\
+  phase:1,\
+  nolog,\
+  pass,\
+  t:none,\
+  setvar:tx.crs_exclusions_wordpress=1"
--- a/examples/multisite-complex/server-confs/nc.website.com/nextcloud.conf
+++ b/examples/multisite-complex/server-confs/nc.website.com/nextcloud.conf
@ -0,0 +1,42 @@
+location / {
+	rewrite ^ /index.php;
+}
+
+location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
+	deny all;
+}
+
+location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
+	deny all;
+}
+
+location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
+	include fastcgi_params;
+	fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
+	set $path_info $fastcgi_path_info;
+	try_files $fastcgi_script_name =404;
+	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+	fastcgi_param PATH_INFO $path_info;
+	fastcgi_param HTTPS on;
+	fastcgi_param modHeadersAvailable true;
+	fastcgi_param front_controller_active true;
+	fastcgi_pass mync:9000;
+	fastcgi_intercept_errors on;
+	fastcgi_request_buffering off;
+	include fastcgi.conf;
+}
+
+location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
+	try_files $uri/ =404;
+	index index.php;
+}
+
+location ~ \.(?:css|js|woff2?|svg|gif|map|mp4)$ {
+	try_files $uri /index.php$request_uri;
+	add_header Cache-Control "public, max-age=15778463";
+}
+
+location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
+	try_files $uri /index.php$request_uri;
+}
+
--- a/examples/multisite-complex/server-confs/wp.website.com/permalinks.conf
+++ b/examples/multisite-complex/server-confs/wp.website.com/permalinks.conf
@ -0,0 +1,4 @@
+location / {
+    index index.php index.html index.htm;
+    try_files $uri $uri/ /index.php?$args;
+}
--- a/examples/wordpress/web-files/index.php
+++ b/examples/wordpress/web-files/index.php
@ -1,5 +0,0 @@
-<?php
-
-echo "Hello World!";
-
-?>
--- a/scripts/certbot-renew.sh
+++ b/scripts/certbot-renew.sh
@ -7,23 +7,23 @@ function replace_in_file() {
 	sed -i "s/$pattern/$replace/g" "$1"
 }

-# check if HTTP enabled
-# and disable it temporarily if needed
-if grep -q "listen" "/etc/nginx/server.conf" ; then
-	replace_in_file "/etc/nginx/server.conf" "listen" "#listen"
-	if [ -f /tmp/nginx.pid ] ; then
-		/usr/sbin/nginx -s reload
-		sleep 10
-	fi
+# disable HTTP
+servers="$(find /etc/nginx -name server.conf)"
+for f in $servers ; do
+	replace_in_file "$f" "listen" "#listen"
+done
+if [ -f /tmp/nginx.pid ] ; then
+	/usr/sbin/nginx -s reload
+	sleep 10
 fi

 # ask a new certificate if needed
 certbot renew

-# enable HTTP again if needed
-if grep -q "#listen" "/etc/nginx/server.conf" ; then
-	replace_in_file "/etc/nginx/server.conf" "#listen" "listen"
-fi
+# enable HTTP again
+for f in $servers ; do
+	replace_in_file "$f" "#listen" "listen"
+done

 chown -R root:nginx /etc/letsencrypt
 chmod -R 740 /etc/letsencrypt