custom modules and write access

This commit is contained in:
bunkerity 2020-01-19 14:48:03 +00:00
parent 5bcdb0219e
commit d5f8c7647d
3 changed files with 17 additions and 3 deletions


@ -10,7 +10,7 @@ COPY confs/ /opt/confs
COPY scripts/ /opt/scripts
COPY misc/GeoLite2-Country.mmdb /etc/nginx/geoip.mmdb
RUN apk --no-cache add php7-fpm php7-session certbot libstdc++ libmaxminddb geoip pcre yajl && \
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl && \
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
mkdir /www && \
adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx


@ -197,6 +197,9 @@ Default value : system, exec, shell_exec, passthru, phpinfo, show_source, highli
List of PHP functions blacklisted. They can't be used anywhere in PHP code.
## TODO
- File permissions hardening
- run php7-fpm as nginx
- Edit CONTENT_SECURITY_POLICY default value
- Possibility to disable stuff with "free" values
- Custom TLS certificates
- Documentation
- Certificate Transparency


@ -50,7 +50,7 @@ HTTP2="${HTTP2:-yes}"
STRICT_TRANSPORT_SECURITY="${STRICT_TRANSPORT_SECURITY:-max-age=31536000}"
PHP_EXPOSE="${PHP_EXPOSE:-no}"
PHP_DISPLAY_ERRORS="${PHP_DISPLAY_ERRORS:-no}"
PHP_OPEN_BASEDIR="${PHP_OPEN_BASEDIR:-/www/}"
PHP_OPEN_BASEDIR="${PHP_OPEN_BASEDIR:-/www/:/tmp/}"
PHP_ALLOW_URL_FOPEN="${PHP_ALLOW_URL_FOPEN:-no}"
PHP_ALLOW_URL_INCLUDE="${PHP_ALLOW_URL_INCLUDE:-no}"
PHP_FILE_UPLOADS="${PHP_FILE_UPLOADS:-yes}"
@ -60,6 +60,12 @@ USE_MODSECURITY="${USE_MODSECURITY:-yes}"
CONTENT_SECURITY_POLICY="${CONTENT_SECURITY_POLICY:-default-src 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts; reflected-xss block; base-uri 'self'; referrer no-referrer}"
COOKIE_FLAGS="${COOKIE_FLAGS:-* HttpOnly}"
SERVE_FILES="${SERVE_FILES:-yes}"
WRITE_ACCESS="${WRITE_ACCESS:-no}"
# install additional modules if needed
if [ "$ADDITIONAL_MODULES" != "" ] ; then
apk add $ADDITIONAL_MODULES
fi
# replace values
replace_in_file "/etc/nginx/nginx.conf" "%MAX_CLIENT_SIZE%" "$MAX_CLIENT_SIZE"
@ -239,6 +245,11 @@ else
replace_in_file "/etc/nginx/server.conf" "%SERVE_FILES%" ""
fi
# edit access if needed
if [ "$WRITE_ACCESS" = "yes" ] ; then
chown -R root:nginx /www
chmod g+w -R /www
fi
# start PHP
if [ "$USE_PHP" = "yes" ] ; then
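Review bot: `chmod g+w -R /www` in the new WRITE_ACCESS block grants the nginx group write access to every file and directory under the document root, not only the paths the application needs to write, so any process running as or in that group can alter or add served scripts; restricting the recursive chown/chmod to the specific upload or data directories, or at least stating in the README that WRITE_ACCESS=yes makes the whole docroot group-writable, would narrow that. The block also runs on every container start, so the recursive walk over /www is repeated each time, which scoping it would reduce as well. In the preceding hunk `apk add $ADDITIONAL_MODULES` relies on word-splitting an environment variable and ignores the install result; mark the intent with `# shellcheck disable=SC2086 -- intentional: space-separated package list` and fail explicitly with `apk add $ADDITIONAL_MODULES || exit 1` unless the script already runs under `set -e` (its header is outside the hunk). The `if [ "$USE_PHP" = "yes" ]` block on the last line continues outside the hunk.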