feat: harden security (merge pull request #37 from rare-magma/harden-security)

feat: harden security
This commit is contained in:
Ahwx 2024-07-08 08:48:13 +00:00 committed by GitHub
commit 34214fed33
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 23 additions and 10 deletions


@ -1,17 +1,22 @@
FROM alpine:3.20
RUN apk add php83 php83-fpm php83-dom php83-curl php83-json php83-openssl nginx --no-cache
RUN sed -i 's/user nginx;/user nobody;/' /etc/nginx/nginx.conf \
&& sed -i 's/listen = 127.0.0.1:9000/listen = \/run\/php-fpm83.sock/' /etc/php83/php-fpm.d/www.conf \
&& sed -i 's/;listen.owner/listen.owner/' /etc/php83/php-fpm.d/www.conf \
&& sed -i 's/;listen.group/listen.group/' /etc/php83/php-fpm.d/www.conf \
RUN sed -i '/user nginx;/d' /etc/nginx/nginx.conf \
&& sed -i 's/^user = nobody/; user = nobody/' /etc/php83/php-fpm.d/www.conf \
&& sed -i 's/^group = nobody/; group = nobody/' /etc/php83/php-fpm.d/www.conf \
&& sed -i 's/listen = 127.0.0.1:9000/listen = \/run\/php\/php-fpm83.sock/' /etc/php83/php-fpm.d/www.conf \
&& sed -i 's/;listen.owner = nobody/listen.owner = nginx/' /etc/php83/php-fpm.d/www.conf \
&& sed -i 's/;listen.group = nobody/listen.group = nginx/' /etc/php83/php-fpm.d/www.conf \
&& sed -i 's/;listen.mode/listen.mode/' /etc/php83/php-fpm.d/www.conf \
&& sed -i 's/;listen.allowed_clients/listen.allowed_clients/' /etc/php83/php-fpm.d/www.conf
RUN mkdir -p /var/www/binternet
RUN mkdir -p /var/www/binternet /run/php
COPY . /var/www/binternet
COPY nginx.conf /etc/nginx/http.d/binternet.conf
RUN rm /var/www/binternet/nginx.conf /etc/nginx/http.d/default.conf
RUN rm /var/www/binternet/nginx.conf /etc/nginx/http.d/default.conf \
&& chown -R nginx:nginx /var/log/php83/ /run
EXPOSE 80
USER nginx
EXPOSE 8080
ENTRYPOINT ["/bin/sh", "-c" , "/usr/sbin/php-fpm83 -D && /usr/sbin/nginx -c /etc/nginx/nginx.conf -g 'daemon off;'"]
HEALTHCHECK --timeout=5s CMD wget --no-verbose --tries=1 --spider 127.0.0.1:8080 || exit 1
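Review bot: `chown -R nginx:nginx /var/log/php83/ /run` on the new `RUN rm` line hands the nginx user ownership of everything under /run, while the only runtime needs introduced by `USER nginx` are the `/run/php` socket directory created on the `mkdir -p` line and nginx's own pid directory (on Alpine presumably `/run/nginx` — confirm against /etc/nginx/nginx.conf); a narrower form is `chown -R nginx:nginx /var/log/php83 /run/php && install -d -o nginx -g nginx /run/nginx`. Uncommenting `listen.allowed_clients` in www.conf has no effect here, because php-fpm only applies that setting to TCP listeners and the earlier sed switches `listen` to the unix socket `/run/php/php-fpm83.sock`, so either drop that sed or add a comment saying it is intentional. The new `HEALTHCHECK` sets only `--timeout`; `HEALTHCHECK --interval=30s --timeout=5s --start-period=10s CMD …` avoids marking the container unhealthy while php-fpm and nginx are still starting. The unchanged ENTRYPOINT still launches both daemons under `sh -c` without `exec`, so the shell rather than nginx is PID 1 and the SIGTERM from `docker stop` is not forwarded; the switch to a non-root user is a good moment to address that as well.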


@ -2,5 +2,13 @@ services:
binternet:
container_name: binternet
image: ghcr.io/ahwxorg/binternet:latest
read_only: true
cap_drop:
- ALL
security_opt:
- no-new-privileges:true
ports:
- '8080:80'
- '8080:8080'
tmpfs:
- /var/log:noexec,nosuid,nodev
- /var/lib:noexec,nosuid,nodev
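Review bot: `read_only: true` together with tmpfs mounts only for `/var/log` and `/var/lib` leaves `/run` read-only at runtime, yet the Dockerfile in this same commit points php-fpm at `/run/php/php-fpm83.sock` and nginx still has to write its pid file under `/run`; unless a volume or tmpfs for `/run` is declared outside this hunk, php-fpm will fail to bind its socket and the container will not come up. Add `- /run:noexec,nosuid,nodev` to the `tmpfs` list. The tmpfs over `/var/log` also replaces the image's `/var/log/php83` directory and the build-time `chown` on it, so php-fpm's default error-log path under it presumably no longer exists at start — worth confirming, and either creating the directory from the entrypoint or pointing `error_log` at stderr. `no-new-privileges:true` and `cap_drop: ALL` are consistent with the Dockerfile's `USER nginx` and the move from port 80 to 8080, since binding an unprivileged port needs no capability.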


@ -1,12 +1,12 @@
server {
listen 80 default_server;
listen 8080 default_server;
server_name _;
root /var/www/binternet;
index index.php;
location ~ \.php$ {
fastcgi_pass unix:/run/php-fpm83.sock;
fastcgi_pass unix:/run/php/php-fpm83.sock;
fastcgi_index index.php;
fastcgi_param PATH_INFO $path_info;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;