From f403e7711db74c486f8fed0a95108485600998c1 Mon Sep 17 00:00:00 2001
From: rare-magma
Date: Sun, 7 Jul 2024 12:43:16 +0200
Subject: [PATCH 1/3] feat: harden security
Signed-off-by: rare-magma
---
 Dockerfile | 15 ++++++++++-----
 docker-compose.yml | 9 ++++++++-
 nginx.conf | 2 +-
 3 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 158bf67..c3fbd4f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,17 +1,22 @@
 FROM alpine:3.20
 RUN apk add php83 php83-fpm php83-dom php83-curl php83-json php83-openssl nginx --no-cache
-RUN sed -i 's/user nginx;/user nobody;/' /etc/nginx/nginx.conf \
+RUN sed -i '/user nginx;/d' /etc/nginx/nginx.conf \
+ && sed -i 's/user = nobody/; user = nobody/' /etc/php83/php-fpm.d/www.conf \
+ && sed -i 's/group = nobody/; group = nobody/' /etc/php83/php-fpm.d/www.conf \
 && sed -i 's/listen = 127.0.0.1:9000/listen = \/run\/php-fpm83.sock/' /etc/php83/php-fpm.d/www.conf \
- && sed -i 's/;listen.owner/listen.owner/' /etc/php83/php-fpm.d/www.conf \
- && sed -i 's/;listen.group/listen.group/' /etc/php83/php-fpm.d/www.conf \
+ && sed -i 's/;listen.owner = nobody/listen.owner = nginx/' /etc/php83/php-fpm.d/www.conf \
+ && sed -i 's/;listen.group = nobody/listen.group = nginx/' /etc/php83/php-fpm.d/www.conf \
 && sed -i 's/;listen.mode/listen.mode/' /etc/php83/php-fpm.d/www.conf \
 && sed -i 's/;listen.allowed_clients/listen.allowed_clients/' /etc/php83/php-fpm.d/www.conf
 RUN mkdir -p /var/www/binternet
 COPY . /var/www/binternet
 COPY nginx.conf /etc/nginx/http.d/binternet.conf
-RUN rm /var/www/binternet/nginx.conf /etc/nginx/http.d/default.conf
+RUN rm /var/www/binternet/nginx.conf /etc/nginx/http.d/default.conf \
+ && chown -R nginx:nginx /var/log/php83/ /run
-EXPOSE 80
+USER nginx
+EXPOSE 8080
 ENTRYPOINT ["/bin/sh", "-c" , "/usr/sbin/php-fpm83 -D && /usr/sbin/nginx -c /etc/nginx/nginx.conf -g 'daemon off;'"]
+HEALTHCHECK --timeout=5s CMD wget --no-verbose --tries=1 --spider 127.0.0.1:8080 || exit 1 
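Review bot: The build-time `chown -R nginx:nginx /var/log/php83/` is undone at runtime by the `tmpfs: - /var/log` mount added in this same series' docker-compose.yml: the tmpfs hides the image's /var/log entirely, so /var/log/php83 does not exist when the daemons start as `USER nginx`. If php-fpm's error_log still points under that directory (Alpine's default, to be confirmed) it will fail to open it, and the same applies to nginx's own access/error logs if they live under /var/log. Either create the directories at start, e.g. prepend `mkdir -p /var/log/php83 && ` to the ENTRYPOINT's shell command (provided the tmpfs is writable by the nginx user), or point both daemons' logs at stderr so logging needs no writable /var/log at all. The `chown -R` of all of `/run` is also broader than a socket and a pid file need; narrowing it to the specific directories the two daemons write limits what a compromised worker can replace.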
diff --git a/docker-compose.yml b/docker-compose.yml
index 17f286e..bdb1294 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -2,5 +2,12 @@ services:
 binternet:
 container_name: binternet
 image: ghcr.io/ahwxorg/binternet:latest
+ read_only: true
+ cap_drop:
+ - ALL
+ security_opt:
+ - no-new-privileges:true
 ports:
- - '8080:80'
+ - '8080:8080'
+ tmpfs:
+ - /var/log:noexec,nosuid,nodev
diff --git a/nginx.conf b/nginx.conf
index c8081b7..7389c25 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -1,5 +1,5 @@
 server {
- listen 80 default_server;
+ listen 8080 default_server;
 server_name _;
 root /var/www/binternet;
From 4d069b3a1b7d175655a037045437cb546f8facfe Mon Sep 17 00:00:00 2001
From: rare-magma
Date: Sun, 7 Jul 2024 13:19:55 +0200
Subject: [PATCH 2/3] fix: sed replacement
Signed-off-by: rare-magma
---
 Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index c3fbd4f..972c621 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,8 +2,8 @@ FROM alpine:3.20
 RUN apk add php83 php83-fpm php83-dom php83-curl php83-json php83-openssl nginx --no-cache
 RUN sed -i '/user nginx;/d' /etc/nginx/nginx.conf \
- && sed -i 's/user = nobody/; user = nobody/' /etc/php83/php-fpm.d/www.conf \
- && sed -i 's/group = nobody/; group = nobody/' /etc/php83/php-fpm.d/www.conf \
+ && sed -i 's/^user = nobody/; user = nobody/' /etc/php83/php-fpm.d/www.conf \
+ && sed -i 's/^group = nobody/; group = nobody/' /etc/php83/php-fpm.d/www.conf \
 && sed -i 's/listen = 127.0.0.1:9000/listen = \/run\/php-fpm83.sock/' /etc/php83/php-fpm.d/www.conf \
 && sed -i 's/;listen.owner = nobody/listen.owner = nginx/' /etc/php83/php-fpm.d/www.conf \
 && sed -i 's/;listen.group = nobody/listen.group = nginx/' /etc/php83/php-fpm.d/www.conf \
From ce3c0577a8a8f0cfd9829754fc8d04562bfa0a08 Mon Sep 17 00:00:00 2001
From: rare-magma
Date: Sun, 7 Jul 2024 13:29:10 +0200
Subject: [PATCH 3/3] fix: socket permissions 
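Review bot: `read_only: true` makes the whole image filesystem read-only and the only writable mount added here is /var/log, so nothing in this hunk provides a writable /run — yet the Dockerfile in the same commit points php-fpm's socket at `/run/php-fpm83.sock` and chowns /run for exactly that purpose (the later "socket permissions" commit moves it to /run/php but still adds no mount there). Unless the container runtime supplies a tmpfs on /run by itself, which Docker's read-only mode does not as far as I know, socket creation and any pid file under /run will fail at start; add `- /run:noexec,nosuid,nodev,size=8m` (size constructed) next to the /var/log entry. The /var/log tmpfs itself carries no `size=` cap, so unbounded log growth consumes host memory rather than disk; give it one as well. The same two points apply to the `/var/lib` tmpfs added in the third commit.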
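Review bot: The `^` anchors fix the collision with the `;listen.group = nobody` line, but the chain still has no check that any of the `sed -i` edits actually matched — a pattern that stops matching after an Alpine package update silently leaves the packaged default in place (php-fpm listening on TCP 127.0.0.1:9000 instead of the socket, for instance) and nothing fails until runtime. Assert the intended values at build time, while the build still runs as root before `USER nginx`, e.g. `RUN grep -q '^listen = /run/' /etc/php83/php-fpm.d/www.conf && grep -q '^listen.owner = nginx' /etc/php83/php-fpm.d/www.conf`, and optionally a syntax check such as `RUN php-fpm83 -t` after the sed chain and `RUN nginx -t` after the conf copy. The RUN instruction continues outside the hunk.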
Signed-off-by: rare-magma
---
 Dockerfile | 4 ++--
 docker-compose.yml | 1 +
 nginx.conf | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 972c621..307b194 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,13 +4,13 @@ RUN apk add php83 php83-fpm php83-dom php83-curl php83-json php83-openssl nginx
 RUN sed -i '/user nginx;/d' /etc/nginx/nginx.conf \
 && sed -i 's/^user = nobody/; user = nobody/' /etc/php83/php-fpm.d/www.conf \
 && sed -i 's/^group = nobody/; group = nobody/' /etc/php83/php-fpm.d/www.conf \
- && sed -i 's/listen = 127.0.0.1:9000/listen = \/run\/php-fpm83.sock/' /etc/php83/php-fpm.d/www.conf \
+ && sed -i 's/listen = 127.0.0.1:9000/listen = \/run\/php\/php-fpm83.sock/' /etc/php83/php-fpm.d/www.conf \
 && sed -i 's/;listen.owner = nobody/listen.owner = nginx/' /etc/php83/php-fpm.d/www.conf \
 && sed -i 's/;listen.group = nobody/listen.group = nginx/' /etc/php83/php-fpm.d/www.conf \
 && sed -i 's/;listen.mode/listen.mode/' /etc/php83/php-fpm.d/www.conf \
 && sed -i 's/;listen.allowed_clients/listen.allowed_clients/' /etc/php83/php-fpm.d/www.conf
-RUN mkdir -p /var/www/binternet
+RUN mkdir -p /var/www/binternet /run/php
 COPY . /var/www/binternet
 COPY nginx.conf /etc/nginx/http.d/binternet.conf
 RUN rm /var/www/binternet/nginx.conf /etc/nginx/http.d/default.conf \
diff --git a/docker-compose.yml b/docker-compose.yml
index bdb1294..d094955 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -11,3 +11,4 @@ services:
 - '8080:8080'
 tmpfs:
 - /var/log:noexec,nosuid,nodev
+ - /var/lib:noexec,nosuid,nodev
diff --git a/nginx.conf b/nginx.conf
index 7389c25..1a8da45 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -6,7 +6,7 @@ server {
 index index.php;
 location ~ \.php$ {
- fastcgi_pass unix:/run/php-fpm83.sock;
+ fastcgi_pass unix:/run/php/php-fpm83.sock;
 fastcgi_index index.php;
 fastcgi_param PATH_INFO $path_info;
 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
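Review bot: The socket path now lives in two files that must agree — `listen = /run/php/php-fpm83.sock` written by the sed here and `fastcgi_pass unix:/run/php/php-fpm83.sock;` in nginx.conf — with nothing tying them together, so a comment on the sed line such as `# socket path must match fastcgi_pass in nginx.conf` (and the mirror comment in nginx.conf) is the minimum to stop them drifting apart. `mkdir -p /run/php` creates the directory as root; its ownership for the `USER nginx` runtime comes only from the `chown -R nginx:nginx ... /run` on the RUN line that continues past the end of this hunk, which is worth a comment too, and a targeted `chown nginx:nginx /run/php` would give php-fpm exactly the directory it needs rather than all of /run.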
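Review bot: The new tmpfs covers all of `/var/lib`, which hides everything the image ships under that tree and makes the whole of it writable, when the commit message suggests the only need is a writable directory for nginx (its temp/cache tree lives under /var/lib/nginx on Alpine, to be confirmed). Mount the narrowest path that works, e.g. `- /var/lib/nginx:noexec,nosuid,nodev,size=16m` (size constructed), and record in the compose file which daemon needs it so the next change does not widen it again. The `size=` cap matters here at least as much as for /var/log, since anything nginx buffers to disk would land on this memory-backed mount.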