# Base image: the Docker Hub `wordpress` image, PHP 8.3 + Apache variant.
# NOTE(review): the tag is mutable, so two builds of this file can produce
# different images. Pinning by digest (wordpress:php8.3-apache@sha256:<digest>)
# makes rebuilds reproducible and base-image updates an explicit, reviewable change.
FROM wordpress:php8.3-apache
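# Install the MariaDB and Redis command-line clients, then download WP-CLI,
# check it against its published SHA-512, and install it as /usr/local/bin/wp.
#
# --no-install-recommends keeps optional packages out of the image.
# curl -f turns an HTTP error into a build failure instead of saving the error
# page to disk; -sS hides the progress meter but still prints errors; -L
# follows redirects.
#
# NOTE(review): the checksum file is fetched from the same location as the
# phar, so the check catches a truncated or corrupted download but not a
# modified upstream. Pinning a specific WP-CLI release and keeping its expected
# SHA-512 in this repository would close that gap.
RUN apt-get update && apt-get install -y --no-install-recommends \
        mariadb-client \
        redis-tools \
    && rm -rf /var/lib/apt/lists/* \
    && curl -fsSLO https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar \
    && curl -fsSLO https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar.sha512 \
    && echo "$(cat wp-cli.phar.sha512) wp-cli.phar" | sha512sum -c - \
    && chmod +x wp-cli.phar \
    && mv wp-cli.phar /usr/local/bin/wp \
    && rm wp-cli.phar.sha512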
# PHP extensions: build the bundled `sockets` extension, then install and
# enable igbinary and redis from PECL.
# NOTE(review): `pecl install` without a version takes whatever release is
# current at build time; pin each one (e.g. `redis-<version>`) for
# reproducible builds.
RUN docker-php-ext-install sockets \
    && pecl install igbinary redis \
    && docker-php-ext-enable igbinary redis
# Install the project's entrypoint wrapper, mark it executable, and make it the
# container entrypoint; CMD supplies its default argument (Apache in the
# foreground).
# NOTE(review): this ENTRYPOINT replaces the one inherited from the base image.
# The script is not visible here — confirm it finishes with `exec "$@"` so
# Apache becomes PID 1 and receives stop signals, and that it still performs
# whatever setup the base image's entrypoint is relied on for.
# NOTE(review): no USER instruction appears in this file, so the entrypoint
# starts as whichever user the base image defines.
COPY docker-entrypoint-apache.sh /usr/local/bin/
RUN chmod +x /usr/local/bin/docker-entrypoint-apache.sh
ENTRYPOINT ["docker-entrypoint-apache.sh"]
CMD ["apache2-foreground"]
# Enable the Apache modules used by the configuration written below:
# headers (Header directives), remoteip (reverse-proxy.conf) and deflate
# (deflate.conf). rewrite and expires are not referenced by any config in this
# file; presumably they serve WordPress/.htaccess rules — confirm they are needed.
RUN a2enmod rewrite headers expires remoteip deflate
# Write conf-available/deflate.conf and enable it: gzip-compress common text,
# XML, JSON, JavaScript and SVG responses, skip already-compressed file types,
# and keep the legacy Mozilla/4 / MSIE browser workarounds.
#
# The config is one single-quoted string: each `\n` must be expanded to a
# newline and each `\\` to a single backslash by the RUN shell's echo (dash,
# the usual /bin/sh on Debian-based images, does this; bash's builtin echo
# would not without -e). Changing SHELL for this file would break the output.
# Do not put comment lines between the continued lines below: the Dockerfile
# parser strips them and they would silently vanish from the quoted string.
#
# NOTE(review): text/html is compressed. Where pages served over TLS combine
# request-reflected content with secrets such as CSRF tokens, compression
# length side channels (BREACH) are a known consideration — confirm this has
# been assessed for the site.
RUN echo '<IfModule mod_deflate.c>\n\
AddOutputFilterByType DEFLATE text/plain\n\
AddOutputFilterByType DEFLATE text/html\n\
AddOutputFilterByType DEFLATE text/xml\n\
AddOutputFilterByType DEFLATE text/css\n\
AddOutputFilterByType DEFLATE text/javascript\n\
AddOutputFilterByType DEFLATE application/xml\n\
AddOutputFilterByType DEFLATE application/xhtml+xml\n\
AddOutputFilterByType DEFLATE application/rss+xml\n\
AddOutputFilterByType DEFLATE application/javascript\n\
AddOutputFilterByType DEFLATE application/x-javascript\n\
AddOutputFilterByType DEFLATE application/json\n\
AddOutputFilterByType DEFLATE image/svg+xml\n\
SetEnvIfNoCase Request_URI \\.(?:gif|jpe?g|png|ico|zip|pdf)$ no-gzip\n\
BrowserMatch ^Mozilla/4 gzip-only-text/html\n\
BrowserMatch ^Mozilla/4\\.0[678] no-gzip\n\
BrowserMatch \\bMSIE !no-gzip !gzip-only-text/html\n\
Header append Vary User-Agent env=!dont-vary\n\
</IfModule>' > /etc/apache2/conf-available/deflate.conf \
&& a2enconf deflate
# Write conf-available/security-headers.conf and enable it. `Header always set`
# applies the headers to every response, including error responses, and needs
# mod_headers (enabled by the a2enmod line earlier in this file).
#
# NOTE(review): X-XSS-Protection drives a legacy browser XSS filter that
# current browsers no longer implement; OWASP's guidance is to send "0" or omit
# the header and rely on a Content-Security-Policy instead.
# NOTE(review): no Content-Security-Policy or Strict-Transport-Security is set
# here. HSTS is presumably left to the TLS-terminating proxy — confirm.
RUN echo 'Header always set X-Content-Type-Options "nosniff"\n\
Header always set X-Frame-Options "SAMEORIGIN"\n\
Header always set Referrer-Policy "strict-origin-when-cross-origin"\n\
Header always set X-XSS-Protection "1; mode=block"' > /etc/apache2/conf-available/security-headers.conf \
&& a2enconf security-headers
# Tune the main Apache config in three steps:
#   1. append a global ServerName (presumably to silence Apache's startup
#      warning about an undetermined server name);
#   2. delete any existing `Timeout` line so the value appended in step 3 is
#      the only one in the file;
#   3. append prefork MPM limits, request timeout and keep-alive settings.
#
# RLimitMEM 268435456 is 256 MiB (soft and hard limit).
# NOTE(review): per the Apache documentation RLimitMEM applies to processes
# forked by httpd children (e.g. CGI), not to the children themselves. If PHP
# runs in-process it is bounded by PHP's memory_limit instead — confirm this
# directive does what is intended.
# NOTE(review): MaxRequestWorkers 80 combined with memory_limit = 384M (set in
# custom.ini at the end of this file) allows roughly 30 GB of PHP memory in the
# worst case; size the container memory limit with that in mind so a request
# burst cannot exhaust the host.
RUN echo "ServerName localhost" >> /etc/apache2/apache2.conf
RUN sed -i '/^Timeout /d' /etc/apache2/apache2.conf
RUN echo '<IfModule mpm_prefork_module>\n\
StartServers 10\n\
MinSpareServers 10\n\
MaxSpareServers 30\n\
MaxRequestWorkers 80\n\
MaxConnectionsPerChild 200\n\
ServerLimit 80\n\
</IfModule>\n\
\n\
Timeout 60\n\
RLimitMEM 268435456 268435456\n\
\n\
KeepAlive On\n\
MaxKeepAliveRequests 100\n\
KeepAliveTimeout 5' >> /etc/apache2/apache2.conf
# Write conf-available/reverse-proxy.conf and enable it: mod_remoteip rewrites
# the client address from a proxy-supplied header when the connection comes
# from a listed proxy range, and two SetEnvIf rules set HTTPS=on when a proxy
# header says the original request used https.
#
# NOTE(review): RemoteIPHeader takes a single header name, so the second
# directive (X-Forwarded-For) most likely replaces the first (CF-Connecting-IP)
# rather than adding to it. Keep only the header the deployment actually uses.
# NOTE(review): RemoteIPInternalProxy trusts every peer in 10.0.0.0/8,
# 172.16.0.0/12 and 192.168.0.0/16 to state the client address. Container
# networks commonly allocate from these ranges, so any neighbouring workload
# that can reach this port can choose the IP that ends up in logs and in
# IP-based access rules. Narrow this to the real proxy's address or subnet.
# NOTE(review): the RemoteIPTrustedProxy list is presumably Cloudflare's
# published IPv4 ranges at the time of writing; it is static and has no IPv6
# entries, so it needs periodic review against the provider's current list.
# NOTE(review): the SetEnvIf rules are not limited to trusted proxies — any
# client that can reach Apache directly can send X-Forwarded-Proto or
# CF-Visitor and have the request treated as HTTPS. Make sure the front proxy
# overwrites these headers and that the container port is reachable only
# through it.
RUN echo '<IfModule mod_remoteip.c>\n\
RemoteIPHeader CF-Connecting-IP\n\
RemoteIPHeader X-Forwarded-For\n\
RemoteIPInternalProxy 10.0.0.0/8\n\
RemoteIPInternalProxy 172.16.0.0/12\n\
RemoteIPInternalProxy 192.168.0.0/16\n\
RemoteIPTrustedProxy 173.245.48.0/20\n\
RemoteIPTrustedProxy 103.21.244.0/22\n\
RemoteIPTrustedProxy 103.22.200.0/22\n\
RemoteIPTrustedProxy 103.31.4.0/22\n\
RemoteIPTrustedProxy 141.101.64.0/18\n\
RemoteIPTrustedProxy 108.162.192.0/18\n\
RemoteIPTrustedProxy 190.93.240.0/20\n\
RemoteIPTrustedProxy 188.114.96.0/20\n\
RemoteIPTrustedProxy 197.234.240.0/22\n\
RemoteIPTrustedProxy 198.41.128.0/17\n\
RemoteIPTrustedProxy 162.158.0.0/15\n\
RemoteIPTrustedProxy 104.16.0.0/13\n\
RemoteIPTrustedProxy 104.24.0.0/14\n\
RemoteIPTrustedProxy 172.64.0.0/13\n\
RemoteIPTrustedProxy 131.0.72.0/22\n\
</IfModule>\n\
\n\
SetEnvIf X-Forwarded-Proto "https" HTTPS=on\n\
SetEnvIf CF-Visitor "https" HTTPS=on' > /etc/apache2/conf-available/reverse-proxy.conf \
&& a2enconf reverse-proxy
# Generate /usr/local/bin/scripts/secure-uploads.sh at build time. When run,
# the script checks that wp-content/uploads exists and, if so, writes a
# .htaccess there that denies requests for *.php and for files ending in
# .php, .php3-.php7, .pht or .phtml, then tries to chown the file to www-data
# (failures are ignored).
#
# NOTE(review): nothing in this Dockerfile runs the script; presumably the
# entrypoint does — confirm, and note it is a no-op until the uploads
# directory exists.
# NOTE(review): `deny from all` is Apache 2.2 syntax and on 2.4 depends on
# mod_access_compat being loaded; `Require all denied` is the 2.4 form.
# NOTE(review): the rule lives in a .htaccess owned by www-data inside a
# web-writable directory, so code running as the web user can alter or delete
# it, and it only applies if AllowOverride permits it. An equivalent
# <Directory> block in the Apache configuration would not depend on either.
RUN mkdir -p /usr/local/bin/scripts && \
{ \
echo '#!/bin/bash'; \
echo 'UPLOADS_DIR="/var/www/html/wp-content/uploads"'; \
echo 'if [ -d "$UPLOADS_DIR" ]; then'; \
echo ' cat > "$UPLOADS_DIR/.htaccess" <<'\''HTACCESS'\'''; \
echo '<Files *.php>'; \
echo ' deny from all'; \
echo '</Files>'; \
echo '<FilesMatch "\\.ph(p[3-7]?|t|tml)$">'; \
echo ' deny from all'; \
echo '</FilesMatch>'; \
echo 'HTACCESS'; \
echo ' chown www-data:www-data "$UPLOADS_DIR/.htaccess" 2>/dev/null || true'; \
echo 'fi'; \
} > /usr/local/bin/scripts/secure-uploads.sh && \
chmod +x /usr/local/bin/scripts/secure-uploads.sh
# PHP overrides written to conf.d/custom.ini: upload/POST size limits,
# execution and input time limits, per-request memory limit, input variable
# cap, and OPcache sizing. printf emits one setting per line.
# NOTE(review): 256M uploads and a 384M memory_limit are generous; together
# with the Apache worker count they set the worst-case memory a burst of
# requests can claim, so keep them in line with the container's memory limit.
# opcache.revalidate_freq = 60 means changed PHP files can take up to 60
# seconds to be picked up.
RUN printf '%s\n' \
        'upload_max_filesize = 256M' \
        'post_max_size = 256M' \
        'max_execution_time = 60' \
        'max_input_time = 120' \
        'memory_limit = 384M' \
        'max_input_vars = 5000' \
        'opcache.enable = 1' \
        'opcache.memory_consumption = 256' \
        'opcache.interned_strings_buffer = 16' \
        'opcache.max_accelerated_files = 10000' \
        'opcache.revalidate_freq = 60' \
    > /usr/local/etc/php/conf.d/custom.ini