custom modules and write access
This commit is contained in:
parent
5bcdb0219e
commit
d5f8c7647d
|
@ -10,7 +10,7 @@ COPY confs/ /opt/confs
|
|||
COPY scripts/ /opt/scripts
|
||||
COPY misc/GeoLite2-Country.mmdb /etc/nginx/geoip.mmdb
|
||||
|
||||
RUN apk --no-cache add php7-fpm php7-session certbot libstdc++ libmaxminddb geoip pcre yajl && \
|
||||
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl && \
|
||||
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
|
||||
mkdir /www && \
|
||||
adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx
|
||||
|
|
|
@ -197,6 +197,9 @@ Default value : system, exec, shell_exec, passthru, phpinfo, show_source, highli
|
|||
List of PHP functions blacklisted. They can't be used anywhere in PHP code.
|
||||
|
||||
## TODO
|
||||
- File permissions hardening
|
||||
- run php7-fpm as nginx
|
||||
- Edit CONTENT_SECURITY_POLICY default value
|
||||
- Possibility to disable stuff with "free" values
|
||||
- Custom TLS certificates
|
||||
- Documentation
|
||||
- Certificate Transparency
|
||||
|
|
|
@ -50,7 +50,7 @@ HTTP2="${HTTP2:-yes}"
|
|||
STRICT_TRANSPORT_SECURITY="${STRICT_TRANSPORT_SECURITY:-max-age=31536000}"
|
||||
PHP_EXPOSE="${PHP_EXPOSE:-no}"
|
||||
PHP_DISPLAY_ERRORS="${PHP_DISPLAY_ERRORS:-no}"
|
||||
PHP_OPEN_BASEDIR="${PHP_OPEN_BASEDIR:-/www/}"
|
||||
PHP_OPEN_BASEDIR="${PHP_OPEN_BASEDIR:-/www/:/tmp/}"
|
||||
PHP_ALLOW_URL_FOPEN="${PHP_ALLOW_URL_FOPEN:-no}"
|
||||
PHP_ALLOW_URL_INCLUDE="${PHP_ALLOW_URL_INCLUDE:-no}"
|
||||
PHP_FILE_UPLOADS="${PHP_FILE_UPLOADS:-yes}"
|
||||
|
@ -60,6 +60,12 @@ USE_MODSECURITY="${USE_MODSECURITY:-yes}"
|
|||
CONTENT_SECURITY_POLICY="${CONTENT_SECURITY_POLICY:-default-src 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts; reflected-xss block; base-uri 'self'; referrer no-referrer}"
|
||||
COOKIE_FLAGS="${COOKIE_FLAGS:-* HttpOnly}"
|
||||
SERVE_FILES="${SERVE_FILES:-yes}"
|
||||
WRITE_ACCESS="${WRITE_ACCESS:-no}"
|
||||
|
||||
# install additional modules if needed
|
||||
if [ "$ADDITIONAL_MODULES" != "" ] ; then
|
||||
apk add $ADDITIONAL_MODULES
|
||||
fi
|
||||
|
||||
# replace values
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%MAX_CLIENT_SIZE%" "$MAX_CLIENT_SIZE"
|
||||
|
@ -239,6 +245,11 @@ else
|
|||
replace_in_file "/etc/nginx/server.conf" "%SERVE_FILES%" ""
|
||||
fi
|
||||
|
||||
# edit access if needed
|
||||
if [ "$WRITE_ACCESS" = "yes" ] ; then
|
||||
chown -R root:nginx /www
|
||||
chmod g+w -R /www
|
||||
fi
|
||||
|
||||
# start PHP
|
||||
if [ "$USE_PHP" = "yes" ] ; then
|
||||
|
|
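Review bot: In the `-60,6 +60,12` hunk, `apk add $ADDITIONAL_MODULES` installs packages at container start without checking the exit status, so a misspelled package name or a missing network at runtime leaves the container running without the requested modules and with nothing to say why; no `set -e` is visible in this section, so follow the call with an explicit check, e.g. `apk add --no-cache $ADDITIONAL_MODULES || { echo "failed to install ADDITIONAL_MODULES" >&2; exit 1; }`. The unquoted expansion is presumably intentional so that a space-separated package list splits into separate arguments; state that with `# shellcheck disable=SC2086 -- package list is intentionally word-split` above the line, since ShellCheck will otherwise flag it. In the `-239,6 +245,11` hunk, `chmod g+w -R /www` makes the whole web root, including any PHP source it holds, writable by the nginx group rather than only data or upload directories; if that is the intended scope, a comment saying so (and noting that it widens what a compromised worker process can modify) would help, and restricting WRITE_ACCESS to a configurable subdirectory may be worth a follow-up.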