From 8a06c00d4aeda8bacf0c9823e3d9d504d61c2e56 Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Thu, 14 Oct 2021 16:16:43 -0500 Subject: [PATCH 1/4] Use standard nginx.conf from lsio alpine nginx base image --- Dockerfile | 51 ++++++++----- Dockerfile.aarch64 | 51 ++++++++----- Dockerfile.armhf | 51 ++++++++----- README.md | 3 +- readme-vars.yml | 3 +- root/app/grav-admin/index.html | 40 +++++++++++ root/defaults/default | 61 ---------------- .../nginx/site-confs/default.conf.sample | 71 +++++++++++++++++++ root/etc/cont-init.d/50-config | 24 ++++--- root/etc/crontabs/abc | 2 +- 10 files changed, 230 insertions(+), 127 deletions(-) create mode 100644 root/app/grav-admin/index.html delete mode 100644 root/defaults/default create mode 100644 root/defaults/nginx/site-confs/default.conf.sample diff --git a/Dockerfile b/Dockerfile index 2b0b2d3..90f3c63 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM ghcr.io/linuxserver/baseimage-alpine-nginx:3.14 +FROM ghcr.io/linuxserver/baseimage-alpine-nginx:3.15 ARG BUILD_DATE ARG VERSION 
@@ -7,42 +7,57 @@ LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DA LABEL maintainer="TheSpad" RUN \ - apk add --update --no-cache \ - curl \ - composer \ - php7-dom \ - php7-gd \ - php7-tokenizer \ - php7-opcache \ - php7-pecl-apcu \ - php7-pecl-yaml \ - php7-intl \ - php7-redis \ + echo "**** install runtime packages ****" && \ + apk add --no-cache \ busybox-suid \ + composer \ + curl \ + php8-ctype \ + php8-curl \ + php8-dom \ + php8-gd \ + php8-intl \ + php8-json \ + php8-mbstring \ + php8-opcache \ + php8-openssl \ + php8-pecl-apcu \ + php8-pecl-yaml \ + php8-phar \ + php8-redis \ + php8-session \ + php8-simplexml \ + php8-tokenizer \ + php8-xml \ + php8-zip \ unzip && \ + echo "**** setup php opcache ****" && \ { \ echo 'opcache.memory_consumption=128'; \ echo 'opcache.interned_strings_buffer=8'; \ echo 'opcache.max_accelerated_files=4000'; \ echo 'opcache.revalidate_freq=2'; \ echo 'opcache.enable_cli=1'; \ - } > /etc/php7/conf.d/php-opcache.ini && \ + } > /etc/php8/conf.d/php-opcache.ini && \ if [ -z ${GRAV_RELEASE+x} ]; then \ GRAV_RELEASE=$(curl -sX GET "https://api.github.com/repos/getgrav/grav/releases/latest" \ | awk '/tag_name/{print $4;exit}' FS='[""]'); \ fi && \ echo "*** Installing Grav ***" && \ + mkdir -p \ + /app/www/public && \ curl -o \ /tmp/grav.zip -L \ "https://github.com/getgrav/grav/releases/download/${GRAV_RELEASE}/grav-admin-v${GRAV_RELEASE}.zip" && \ unzip -q \ - /tmp/grav.zip -d /app && \ - echo "*** Cleaning Up ***" && \ + /tmp/grav.zip -d /tmp/grav && \ + mv /tmp/grav/grav-admin/* /app/www/public/ && \ + echo "**** cleanup ****" && \ rm -rf \ + /root/.composer \ + /root/.cache \ /tmp/* COPY root/ / -EXPOSE 80 - -VOLUME /config +EXPOSE 80 443 diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index 1573cab..b9b7383 100644 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 
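Review bot: The Grav archive downloaded in this RUN step is unpacked into `/app/www/public` with no integrity check, and `GRAV_RELEASE` falls back to whatever the GitHub API reports as latest, so the image content is neither pinned nor verified. Add `-f` to the download (`curl -fo /tmp/grav.zip -L ...`) so an HTTP error fails the build instead of saving an error body, and verify the file before `unzip`, for example `echo "${GRAV_SHA256}  /tmp/grav.zip" | sha256sum -c -`, where `GRAV_SHA256` is a placeholder build argument this Dockerfile does not define yet. Separately, `mv /tmp/grav/grav-admin/* /app/www/public/` does not match dot-files under the default shell glob, so any hidden files in the archive are dropped by the later `rm -rf /tmp/*`; confirm that is intended. The same RUN block is repeated in the Dockerfile.aarch64 and Dockerfile.armhf hunks.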
@@ -1,4 +1,4 @@ -FROM ghcr.io/linuxserver/baseimage-alpine-nginx:arm64v8-3.14 +FROM ghcr.io/linuxserver/baseimage-alpine-nginx:arm64v8-3.15 ARG BUILD_DATE ARG VERSION @@ -7,42 +7,57 @@ LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DA LABEL maintainer="TheSpad" RUN \ - apk add --update --no-cache \ - curl \ - composer \ - php7-dom \ - php7-gd \ - php7-tokenizer \ - php7-opcache \ - php7-pecl-apcu \ - php7-pecl-yaml \ - php7-intl \ - php7-redis \ + echo "**** install runtime packages ****" && \ + apk add --no-cache \ busybox-suid \ + composer \ + curl \ + php8-ctype \ + php8-curl \ + php8-dom \ + php8-gd \ + php8-intl \ + php8-json \ + php8-mbstring \ + php8-opcache \ + php8-openssl \ + php8-pecl-apcu \ + php8-pecl-yaml \ + php8-phar \ + php8-redis \ + php8-session \ + php8-simplexml \ + php8-tokenizer \ + php8-xml \ + php8-zip \ unzip && \ + echo "**** setup php opcache ****" && \ { \ echo 'opcache.memory_consumption=128'; \ echo 'opcache.interned_strings_buffer=8'; \ echo 'opcache.max_accelerated_files=4000'; \ echo 'opcache.revalidate_freq=2'; \ echo 'opcache.enable_cli=1'; \ - } > /etc/php7/conf.d/php-opcache.ini && \ + } > /etc/php8/conf.d/php-opcache.ini && \ if [ -z ${GRAV_RELEASE+x} ]; then \ GRAV_RELEASE=$(curl -sX GET "https://api.github.com/repos/getgrav/grav/releases/latest" \ | awk '/tag_name/{print $4;exit}' FS='[""]'); \ fi && \ echo "*** Installing Grav ***" && \ + mkdir -p \ + /app/www/public && \ curl -o \ /tmp/grav.zip -L \ "https://github.com/getgrav/grav/releases/download/${GRAV_RELEASE}/grav-admin-v${GRAV_RELEASE}.zip" && \ unzip -q \ - /tmp/grav.zip -d /app && \ - echo "*** Cleaning Up ***" && \ + /tmp/grav.zip -d /tmp/grav && \ + mv /tmp/grav/grav-admin/* /app/www/public/ && \ + echo "**** cleanup ****" && \ rm -rf \ + /root/.composer \ + /root/.cache \ /tmp/* COPY root/ / -EXPOSE 80 - -VOLUME /config +EXPOSE 80 443 diff --git a/Dockerfile.armhf b/Dockerfile.armhf index 1eb5e94..4c0d565 100644 
--- a/Dockerfile.armhf +++ b/Dockerfile.armhf @@ -1,4 +1,4 @@ -FROM ghcr.io/linuxserver/baseimage-alpine-nginx:arm32v7-3.14 +FROM ghcr.io/linuxserver/baseimage-alpine-nginx:arm32v7-3.15 ARG BUILD_DATE ARG VERSION @@ -7,42 +7,57 @@ LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DA LABEL maintainer="TheSpad" RUN \ - apk add --update --no-cache \ - curl \ - composer \ - php7-dom \ - php7-gd \ - php7-tokenizer \ - php7-opcache \ - php7-pecl-apcu \ - php7-pecl-yaml \ - php7-intl \ - php7-redis \ + echo "**** install runtime packages ****" && \ + apk add --no-cache \ busybox-suid \ + composer \ + curl \ + php8-ctype \ + php8-curl \ + php8-dom \ + php8-gd \ + php8-intl \ + php8-json \ + php8-mbstring \ + php8-opcache \ + php8-openssl \ + php8-pecl-apcu \ + php8-pecl-yaml \ + php8-phar \ + php8-redis \ + php8-session \ + php8-simplexml \ + php8-tokenizer \ + php8-xml \ + php8-zip \ unzip && \ + echo "**** setup php opcache ****" && \ { \ echo 'opcache.memory_consumption=128'; \ echo 'opcache.interned_strings_buffer=8'; \ echo 'opcache.max_accelerated_files=4000'; \ echo 'opcache.revalidate_freq=2'; \ echo 'opcache.enable_cli=1'; \ - } > /etc/php7/conf.d/php-opcache.ini && \ + } > /etc/php8/conf.d/php-opcache.ini && \ if [ -z ${GRAV_RELEASE+x} ]; then \ GRAV_RELEASE=$(curl -sX GET "https://api.github.com/repos/getgrav/grav/releases/latest" \ | awk '/tag_name/{print $4;exit}' FS='[""]'); \ fi && \ echo "*** Installing Grav ***" && \ + mkdir -p \ + /app/www/public && \ curl -o \ /tmp/grav.zip -L \ "https://github.com/getgrav/grav/releases/download/${GRAV_RELEASE}/grav-admin-v${GRAV_RELEASE}.zip" && \ unzip -q \ - /tmp/grav.zip -d /app && \ - echo "*** Cleaning Up ***" && \ + /tmp/grav.zip -d /tmp/grav && \ + mv /tmp/grav/grav-admin/* /app/www/public/ && \ + echo "**** cleanup ****" && \ rm -rf \ + /root/.composer \ + /root/.cache \ /tmp/* COPY root/ / -EXPOSE 80 - -VOLUME /config +EXPOSE 80 443 
diff --git a/README.md b/README.md index f6ec1d6..0d3d6de 100644 --- a/README.md +++ b/README.md @@ -223,6 +223,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64 ## Versions -* **03.09.21** - Added support for Redis caching. +* **20.08.22:** - Rebasing to alpine 3.15 with php8. Restructure nginx configs ([see changes announcement](https://info.linuxserver.io/issues/2022-08-20-nginx-base)). +* **03.09.21:** - Added support for Redis caching. * **01.07.21:** - Rebase to Alpine 3.14. * **09.04.21:** - Initial Release. diff --git a/readme-vars.yml b/readme-vars.yml index d933ba4..4c470f0 100644 --- a/readme-vars.yml +++ b/readme-vars.yml @@ -40,6 +40,7 @@ app_setup_block: | # changelog changelogs: - - { date: "03.09.21", desc: "Added support for Redis caching."} + - { date: "20.08.22:", desc: "Rebasing to alpine 3.15 with php8. Restructure nginx configs ([see changes announcement](https://info.linuxserver.io/issues/2022-08-20-nginx-base))." } + - { date: "03.09.21:", desc: "Added support for Redis caching."} - { date: "01.07.21:", desc: "Rebase to Alpine 3.14." } - { date: "09.04.21:", desc: "Initial Release." } diff --git a/root/app/grav-admin/index.html b/root/app/grav-admin/index.html new file mode 100644 index 0000000..2ac31be --- /dev/null +++ b/root/app/grav-admin/index.html @@ -0,0 +1,40 @@ + + + Upgrade Required! + + + +
+

Upgrade Required!

+

The application inside this image has been moved to a new folder.

+

You will need to update your /config/nginx/nginx.conf and /config/nginx/site-confs/default.conf in order for the application to work.

+

New config samples are located at /config/nginx/nginx.conf.sample and /config/nginx/site-confs/default.conf.sample

+

Please review our announcement: Significant changes to nginx based images

+
+ + diff --git a/root/defaults/default b/root/defaults/default deleted file mode 100644 index 110a60a..0000000 --- a/root/defaults/default +++ /dev/null @@ -1,61 +0,0 @@ -#config-v1 -server { - listen 80 default_server; - - listen 443 ssl; - - root /app/grav-admin; - index index.html index.htm index.php; - - server_name _; - - ssl_certificate /config/keys/cert.crt; - ssl_certificate_key /config/keys/cert.key; - - client_max_body_size 0; - - location / { - try_files $uri $uri/ /index.php?$query_string; - } - - location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ { return 403; } - - # deny running scripts inside core system folders - location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; } - - # deny running scripts inside user folder - location ~* /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; } - - # deny access to specific files in the root folder - location ~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { return 403; } - - location ~* \.(?:ico|css|js|gif|jpe?g|png)$ { - expires 30d; - add_header Vary Accept-Encoding; - log_not_found off; - } - - location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|woff2|svg)$ { - access_log off; - expires 30d; - add_header Cache-Control public; - - ## No need to bleed constant updates. Send the all shebang in one - ## fell swoop. - tcp_nodelay off; - - ## Set the OS file cache. - open_file_cache max=3000 inactive=120s; - open_file_cache_valid 45s; - open_file_cache_min_uses 2; - open_file_cache_errors off; - } - - location ~ \.php$ { - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_pass 127.0.0.1:9000; - fastcgi_index index.php; - include /etc/nginx/fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name; - } -} 
diff --git a/root/defaults/nginx/site-confs/default.conf.sample b/root/defaults/nginx/site-confs/default.conf.sample new file mode 100644 index 0000000..5978857 --- /dev/null +++ b/root/defaults/nginx/site-confs/default.conf.sample 
@@ -0,0 +1,71 @@ +## Version 2022/08/20 - Changelog: https://github.com/linuxserver/docker-grav/commits/main/root/defaults/nginx/site-confs/default.conf.sample + +server { + listen 80 default_server; + listen [::]:80 default_server; + + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name _; + + root /app/www/public; + index index.html index.htm index.php; + + location / { + # enable for basic auth + #auth_basic "Restricted"; + #auth_basic_user_file /config/nginx/.htpasswd; + + try_files $uri $uri/ /index.php?$query_string; + } + + ## https://github.com/getgrav/grav/blob/develop/webserver-configs/nginx.conf + ## Begin - Security + # deny all direct access for these folders + location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ { return 403; } + # deny running scripts inside core system folders + location ~* /(system|vendor)/.*\.(txt|xml|md|html|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; } + # deny running scripts inside user folder + location ~* /user/.*\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; } + # deny access to specific files in the root folder + location ~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { return 403; } + ## End - Security + + ## https://learn.getgrav.org/17/webservers-hosting/servers/nginx#nginx-cache-headers-for-a + ## Begin - Caching + location ~* \.(?:ico|css|js|gif|jpe?g|png)$ { + expires 30d; + add_header Vary Accept-Encoding; + log_not_found off; + } + + location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|woff2|svg)$ { + access_log off; + expires 30d; + add_header Cache-Control public; + + ## No need to bleed constant updates. Send the all shebang in one + ## fell swoop. + tcp_nodelay off; + + ## Set the OS file cache. 
+ open_file_cache max=3000 inactive=120s; + open_file_cache_valid 45s; + open_file_cache_min_uses 2; + open_file_cache_errors off; + } + ## End - Caching + + location ~ ^(.+\.php)(.*)$ { + fastcgi_split_path_info ^(.+\.php)(.*)$; + fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + include /etc/nginx/fastcgi_params; + } + + # deny access to .htaccess/.htpasswd files + location ~ /\.ht { + deny all; + } +} diff --git a/root/etc/cont-init.d/50-config b/root/etc/cont-init.d/50-config index 491db5d..f06ffe2 100644 --- a/root/etc/cont-init.d/50-config +++ b/root/etc/cont-init.d/50-config @@ -1,21 +1,27 @@ #!/usr/bin/with-contenv bash -if ! grep -q 'config-v1' /config/nginx/site-confs/default; then - cp /defaults/default /config/nginx/site-confs +if ! grep -q 'Version 2022/08/20' /config/nginx/site-confs/default.conf; then + cp /defaults/nginx/site-confs/default.conf.sample /config/nginx/site-confs/default.conf fi symlinks=( \ -/app/grav-admin/backup \ -/app/grav-admin/logs \ -/app/grav-admin/user \ +/app/www/public/backup \ +/app/www/public/logs \ +/app/www/public/user \ ) shopt -s globstar dotglob for i in "${symlinks[@]}"; do -[[ -d /config/www/"$(basename "$i")" && ! -L "$i" ]] && rm -rf "$i" -[[ ! -d /config/www/"$(basename "$i")" && ! -L "$i" ]] && mv "$i" /config/www/ -[[ -d /config/www/"$(basename "$i")" && ! -L "$i" ]] && ln -s /config/www/"$(basename "$i")" "$i" +if [[ -d /config/www/"$(basename "$i")" && ! -L "$i" ]]; then + rm -rf "$i" +fi +if [[ ! -d /config/www/"$(basename "$i")" && ! -L "$i" ]]; then + mv "$i" /config/www/ +fi +if [[ -d /config/www/"$(basename "$i")" && ! -L "$i" ]]; then + ln -s /config/www/"$(basename "$i")" "$i" +fi done shopt -u globstar dotglob @@ -24,4 +30,4 @@ sed -i 's/enable_auto_updates_check: true/enable_auto_updates_check: false/' /co chown -R abc:abc \ /app \ - /config \ No newline at end of file + /config diff --git a/root/etc/crontabs/abc b/root/etc/crontabs/abc index 7ec6660..0c82001 100644 
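Review bot: The new PHP block `location ~ ^(.+\.php)(.*)$` passes every URI containing `.php` to `fastcgi_pass` without checking that the script exists, so the handling of non-existent paths is left entirely to the PHP-FPM settings; adding `if (!-f $document_root$fastcgi_script_name) { return 404; }` after `fastcgi_split_path_info` keeps that decision in nginx. The explicit `fastcgi_param SCRIPT_FILENAME` line from the deleted `root/defaults/default` is gone as well, which is only correct if `/etc/nginx/fastcgi_params` in the base image sets it. The server block still listens on `443 ssl` but no longer carries `ssl_certificate` / `ssl_certificate_key`, so confirm the base image's nginx.conf supplies them; otherwise restore the two lines from the old file.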
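Review bot: The `cp` in the first `if` of `50-config` replaces `/config/nginx/site-confs/default.conf` whenever the string `Version 2022/08/20` is missing, which silently discards any user edits in that file, such as enabled `auth_basic` lines or extra deny rules. Keep a copy before overwriting, for example `cp /config/nginx/site-confs/default.conf /config/nginx/site-confs/default.conf.bak` (constructed name), and log that the file was replaced. This also sits oddly with the new `index.html` notice, which tells users to update the file themselves. `grep -qs` would additionally keep first-start logs free of the missing-file error.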
--- a/root/etc/crontabs/abc +++ b/root/etc/crontabs/abc @@ -1,2 +1,2 @@ # min hour day month weekday command -* * * * * cd /app/grav-admin;/usr/bin/php bin/grav scheduler 1>> /dev/null 2>&1 \ No newline at end of file +* * * * * cd /app/www/public;/usr/bin/php bin/grav scheduler 1>> /dev/null 2>&1 From 8431b51631d1de768073f1ad6cbed32496fb55cc Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Sat, 20 Aug 2022 18:54:16 -0500 Subject: [PATCH 2/4] Add default location migration --- root/migrations/02-default-location | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 root/migrations/02-default-location diff --git a/root/migrations/02-default-location b/root/migrations/02-default-location new file mode 100644 index 0000000..722ce55 --- /dev/null +++ b/root/migrations/02-default-location @@ -0,0 +1,10 @@ +#!/usr/bin/with-contenv bash + +DEFAULT_CONF="/config/nginx/site-confs/default.conf" +OLD_ROOT="root /app/grav-admin;" +NEW_ROOT="root /app/www/public;" + +if grep -q "${OLD_ROOT}" "${DEFAULT_CONF}";then + echo "updating root in ${DEFAULT_CONF}" + sed -i "s|${OLD_ROOT}|${NEW_ROOT}|" "${DEFAULT_CONF}" +fi From 5ee7f7edfd0983f160c79ad0200b43024efee51b Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Sun, 21 Aug 2022 16:53:51 -0500 Subject: [PATCH 3/4] Keep /config volume consistently --- Dockerfile | 1 + Dockerfile.aarch64 | 1 + Dockerfile.armhf | 1 + 3 files changed, 3 insertions(+) diff --git a/Dockerfile b/Dockerfile index 90f3c63..4307d50 100644 --- a/Dockerfile +++ b/Dockerfile @@ -61,3 +61,4 @@ RUN \ COPY root/ / EXPOSE 80 443 +VOLUME /config diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index b9b7383..2031ba0 100644 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 @@ -61,3 +61,4 @@ RUN \ COPY root/ / EXPOSE 80 443 +VOLUME /config diff --git a/Dockerfile.armhf b/Dockerfile.armhf index 4c0d565..9161413 100644 --- a/Dockerfile.armhf +++ b/Dockerfile.armhf @@ -61,3 +61,4 @@ RUN \ COPY root/ / EXPOSE 80 443 +VOLUME /config 
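Review bot: In `root/migrations/02-default-location`, `grep -q "${OLD_ROOT}" "${DEFAULT_CONF}"` runs without checking that the file exists, so on a fresh `/config` it prints an error during start-up; guard it with `if [[ -f "${DEFAULT_CONF}" ]] && grep -qF "${OLD_ROOT}" "${DEFAULT_CONF}"; then`. Whether this migration runs before `50-config` is not visible here; if it does, the edited file will still lack the `Version 2022/08/20` marker and may be overwritten by the `cp` in that script, so the two should be checked together.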
From 88e30e6747206a4217df3056e13aa038abf5206b Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Sun, 21 Aug 2022 17:04:59 -0500 Subject: [PATCH 4/4] Keep /config volume consistently --- Dockerfile | 2 ++ Dockerfile.aarch64 | 2 ++ Dockerfile.armhf | 2 ++ 3 files changed, 6 insertions(+) diff --git a/Dockerfile b/Dockerfile index 4307d50..53aa458 100644 --- a/Dockerfile +++ b/Dockerfile @@ -58,7 +58,9 @@ RUN \ /root/.cache \ /tmp/* +# copy local files COPY root/ / +# ports and volumes EXPOSE 80 443 VOLUME /config diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index 2031ba0..d3044f9 100644 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 @@ -58,7 +58,9 @@ RUN \ /root/.cache \ /tmp/* +# copy local files COPY root/ / +# ports and volumes EXPOSE 80 443 VOLUME /config diff --git a/Dockerfile.armhf b/Dockerfile.armhf index 9161413..e337895 100644 --- a/Dockerfile.armhf +++ b/Dockerfile.armhf @@ -58,7 +58,9 @@ RUN \ /root/.cache \ /tmp/* +# copy local files COPY root/ / +# ports and volumes EXPOSE 80 443 VOLUME /config