initial commit

2021-09-20 15:53:30 +02:00 · 2021-09-20 15:53:30 +02:00 · 161fabc51b
commit 161fabc51b
18 changed files with 405 additions and 0 deletions
--- a/82
+++ b/82
@ -0,0 +1,82 @@
+FROM debian:buster-slim
+
+LABEL nl.rug.webhosting.version="0.1.9" nl.rug.webhosting.release-date="2021-01-04" nl.rug.webhosting.version.is-production="true"
+
+# ONBUILD apt-get update && apt-get upgrade -y
+
+ENV DEBIAN_FRONTEND noninteractive
+
+RUN 	export LANG=en_US.UTF-8 \
+	&& apt-get update && apt-get install --no-install-recommends -y wget curl apt-transport-https ca-certificates gnupg2 \
+	&& wget -4 --no-check-certificate https://packages.microsoft.com/keys/microsoft.asc -O /tmp/microsoft.asc \
+	&& cat /tmp/microsoft.asc | apt-key add - \
+	&& wget --no-check-certificate -q https://packages.sury.org/php/apt.gpg -O- | apt-key add - \
+	&& curl https://packages.microsoft.com/config/debian/10/prod.list > /etc/apt/sources.list.d/mssql-release.list \
+	&& echo "deb https://packages.sury.org/php/ buster main" > /etc/apt/sources.list.d/php.list \
+	&& apt-get update && apt-get upgrade -y \
+    	&& ACCEPT_EULA=Y apt-get -y install --no-install-recommends msodbcsql17 php8.0 php8.0-xml php8.0-cli php8.0-common php8.0-curl php8.0-mbstring php8.0-mysql \
+    	   php8.0-xml apache2 php8.0-mysqli libimage-exiftool-perl imagemagick \
+	   libapache2-mod-php8.0 ghostscript libimage-exiftool-perl libodbc1 odbcinst1debian2 php8.0-odbc  \
+	   php-pear nano ruby locales cron logrotate mailutils msmtp msmtp-mta && \
+           apt-get autoclean && \
+           apt-get clean
+
+RUN	apt-get -y install --no-install-recommends make g++ gcc php8.0-dev unixodbc-dev
+
+RUN	pecl channel-update pecl.php.net \
+	&& pecl install sqlsrv \
+	&& pecl install pdo_sqlsrv \
+	&& pecl install pecl mongodb \
+	&& printf "; priority=20\nextension=sqlsrv.so\n" > /etc/php/8.0/mods-available/sqlsrv.ini \
+	&& printf "; priority=30\nextension=pdo_sqlsrv.so\n" > /etc/php/8.0/mods-available/pdo_sqlsrv.ini \
+	&& printf "; priority=40\nextension=pdo_mongodb.so\n" > /etc/php/8.0/mods-available/pdo_mongodb.ini \
+	&& phpenmod sqlsrv pdo_sqlsrv mongodb
+
+RUN	apt-get remove make g++ gcc php8.0-dev unixodbc-dev -y \
+	&& apt-get autoremove -y
+	
+RUN	a2enmod headers \
+	&& a2enmod rewrite \
+	&& a2enmod proxy \
+	&& a2enmod remoteip \
+	&& a2enmod expires \
+	&& a2enmod proxy_fcgi \
+	&& a2dismod status \
+	&& a2dissite 000-default \
+	&& rm /etc/localtime \
+	&& ln -s /usr/share/zoneinfo/Europe/Amsterdam /etc/localtime \
+        && echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \
+	&& echo "nl_NL.UTF-8 UTF-8" >> /etc/locale.gen \
+        && locale-gen \
+	&& echo "TLS_REQCERT never" >> /etc/ldap/ldap.conf
+
+ENV LANG=en_US.UTF-8 \
+    LC_ALL=en_US.UTF-8 \
+    APACHE_RUN_USER=www-data \
+    APACHE_RUN_GROUP=www-data \
+    APACHE_CGI_DIR=/home/www/cgi-bin \
+    APACHE_LOG_DIR=/home/www/log \
+    APACHE_SERVERADMIN=webhosting.cit@rug.nl \
+    APACHE_SERVERNAME=localhost \
+    APACHE_SERVER_NAME=localhost \
+    APACHE_SERVERALIAS=web.rug.nl \
+    APACHE_DOCUMENTROOT=/home/www/site \
+    APACHE_CRON_DIR=/home/www/crons \
+    APACHE_HOME_DIR=/home/www \
+    APACHE_RUN_DIR=/var/run/apache2 \
+    APACHE_PID_FILE=/var/run/apache2/apache2.pid  \
+    APACHE_LOCK_DIR=/var/lock/apache2 \
+    PHP_MEMORY_LIMIT="512M"
+RUN env
+
+RUN mkdir -p $APACHE_RUN_DIR DIR $APACHE_LOCK_DIR
+
+ADD ./conf /
+
+WORKDIR /home/www
+
+RUN chmod +x /start.sh
+
+ENTRYPOINT ["/start.sh"]
+CMD ["apache2", "-DFOREGROUND"]
+
--- a/conf/etc/aliases
+++ b/conf/etc/aliases
@ -0,0 +1 @@
+root: webhosting.cit@rug.nl
--- a/conf/etc/apache2/conf-enabled/block_bots.conf
+++ b/conf/etc/apache2/conf-enabled/block_bots.conf
@ -0,0 +1,31 @@
+<LocationMatch ".*">
+  SetEnvIfNoCase User-Agent "MJ12bot" bad_user
+  SetEnvIfNoCase User-Agent "YandexBot" bad_user
+  SetEnvIfNoCase User-Agent "YAhrefsBot" bad_user
+  SetEnvIfNoCase User-Agent " SemrushBot" bad_user
+  Deny from env=bad_user
+</LocationMatch>
+ 
+<If "%{HTTP_USER_AGENT} == 'MJ12bot'">
+  Deny from all
+</If>
+ 
+<If "%{HTTP_USER_AGENT} == 'YandexBot'">
+  Deny from all
+</If>
+
+<If "%{HTTP_USER_AGENT} == 'YAhrefsBot'">
+  Deny from all
+</If>
+
+<If "%{HTTP_USER_AGENT} == ' SemrushBot'">
+  Deny from all
+</If>
+
+ <Directory />
+  SetEnvIfNoCase User-Agent "MJ12bot" bad_user
+  SetEnvIfNoCase User-Agent "YandexBot" bad_user
+  SetEnvIfNoCase User-Agent "YAhrefsBot" bad_user
+  SetEnvIfNoCase User-Agent " SemrushBot" bad_user
+  Deny from env=bad_user
+</Directory>
--- a/conf/etc/apache2/conf-enabled/keep.conf
+++ b/conf/etc/apache2/conf-enabled/keep.conf
@ -0,0 +1 @@
+KeepAlive Off
--- a/conf/etc/apache2/conf-enabled/protection.conf
+++ b/conf/etc/apache2/conf-enabled/protection.conf
@ -0,0 +1,3 @@
+Header set X-XSS-Protection "1; mode=block"
+Header always append X-Frame-Options SAMEORIGIN
+Header set X-Content-Type-Options nosniff
--- a/conf/etc/apache2/mods-available/mpm_prefork.conf
+++ b/conf/etc/apache2/mods-available/mpm_prefork.conf
@ -0,0 +1,7 @@
+<IfModule mpm_prefork_module>
+        StartServers            2 
+        MinSpareServers          2 
+        MaxSpareServers          10
+        MaxRequestWorkers         250
+        MaxConnectionsPerChild   0
+</IfModule>
--- a/conf/etc/apache2/mods-enabled/rpaf.conf
+++ b/conf/etc/apache2/mods-enabled/rpaf.conf
@ -0,0 +1,15 @@
+<IfModule rpaf_module>
+    RPAFenable On
+
+    # When enabled, take the incoming X-Host header and
+    # update the virtualhost settings accordingly:
+    RPAFsethostname On
+
+    # Define which IP's are your frontend proxies that sends
+    # the correct X-Forwarded-For headers:
+    RPAFproxy_ips 127.0.0.1 ::1 10.42.0.0/16 192.168.64.0/24
+
+    # Change the header name to parse from the default
+    # X-Forwarded-For to something of your choice:
+    RPAFheader X-Forwarded-For
+</IfModule>
--- a/conf/etc/apache2/sites-available/001-docker.conf
+++ b/conf/etc/apache2/sites-available/001-docker.conf
@ -0,0 +1,29 @@
+<VirtualHost *:80>
+	ServerAdmin ${APACHE_SERVERADMIN}
+
+	ServerName ${APACHE_SERVERNAME}
+	ServerAlias ${APACHE_SERVERALIAS}
+
+	DocumentRoot ${APACHE_DOCUMENTROOT}
+	<Directory ${APACHE_DOCUMENTROOT}>
+		Options Indexes FollowSymLinks
+		AllowOverride All
+		Require all granted
+	</Directory>
+
+        Alias /cgi-bin/ ${APACHE_CGI_DIR}
+	<Directory /home/www/${APACHE_CGI_DIR}>
+	   Options +ExecCGI
+	   AddHandler cgi-script cgi pl
+	</Directory>
+
+	# Possible values include: debug, info, notice, warn, error, crit,
+	# alert, emerg.
+	LogLevel warn
+
+
+        ErrorLog ${APACHE_LOG_DIR}/${APACHE_SERVERNAME}_error.log
+        CustomLog ${APACHE_LOG_DIR}/${APACHE_SERVERNAME}_access.log combined
+
+
+</VirtualHost>
--- a/conf/etc/mail.rc
+++ b/conf/etc/mail.rc
@ -0,0 +1 @@
+set sendmail="/usr/bin/msmtp -t"
--- a/conf/etc/rsyslog.d/log.conf
+++ b/conf/etc/rsyslog.d/log.conf
@ -0,0 +1,20 @@
+$MODLOAD IMFILE
+$INPUTFILEPOLLINTERVAL 10 
+$PRIVDROPTOGROUP ADM
+$WORKDIRECTORY /VAR/SPOOL/RSYSLOG
+
+# APACHE ACCESS FILE:
+$INPUTFILENAME ${APACHE_LOG_DIR}/${APACHE_SERVERNAME}_access.log
+$INPUTFILETAG APACHE-ACCESS:
+$INPUTFILESTATEFILE STAT-APACHE-ACCESS
+$INPUTFILESEVERITY INFO
+$INPUTFILEPERSISTSTATEINTERVAL 20000
+$INPUTRUNFILEMONITOR
+
+#APACHE ERROR FILE: 
+$INPUTFILENAME ${APACHE_LOG_DIR}/${APACHE_SERVERNAME}_error.log
+$INPUTFILETAG APACHE-ERROR:
+$INPUTFILESTATEFILE STAT-APACHE-ERROR
+$INPUTFILESEVERITY ERROR
+$INPUTFILEPERSISTSTATEINTERVAL 20000
+$INPUTRUNFILEMONITOR
--- a/conf/etc/supervisor/conf.d/cron.conf
+++ b/conf/etc/supervisor/conf.d/cron.conf
@ -0,0 +1,9 @@
+[supervisord]
+nodaemon=true
+
+[program:cron]
+command=/usr/sbin/cron -f -L 15
+stdout_logfile=/var/log/supervisor/%(program_name)s.log
+stderr_logfile=/var/log/supervisor/%(program_name)s.log
+autorestart=false
+priority=10
--- a/conf/etc/supervisor/conf.d/start.conf
+++ b/conf/etc/supervisor/conf.d/start.conf
@ -0,0 +1,11 @@
+[supervisord]
+nodaemon=true
+
+[program:start]
+command=/start.sh
+stdout_logfile=/var/log/supervisor/%(program_name)s.log
+stderr_logfile=/var/log/supervisor/%(program_name)s.log
+startsecs=0
+autorestart=false
+priority=1
+
--- a/conf/etc/supervisor/disabled/perm.conf
+++ b/conf/etc/supervisor/disabled/perm.conf
@ -0,0 +1,11 @@
+[supervisord]
+nodaemon=true
+
+[program:perm]
+command=/perm.sh
+stdout_logfile=/var/log/supervisor/%(program_name)s.log
+stderr_logfile=/var/log/supervisor/%(program_name)s.log
+priority=999
+autorestart=false
+
+
--- a/conf/etc/supervisor/disabled/php.conf
+++ b/conf/etc/supervisor/disabled/php.conf
@ -0,0 +1,11 @@
+[supervisord]
+nodaemon=true
+user=root
+
+[program:php]
+command=/usr/sbin/php5-fpm -F -O
+stdout_logfile=/var/log/supervisor/%(program_name)s.log
+stderr_logfile=/var/log/supervisor/%(program_name)s.log
+priority=90
+autorestart=true
+startsecs = 65
--- a/conf/etc/supervisor/disabled/td-agent-bit.conf
+++ b/conf/etc/supervisor/disabled/td-agent-bit.conf
@ -0,0 +1,8 @@
+[supervisord]
+nodaemon=true
+
+[program:td-agent-bit]
+command=/opt/td-agent-bit/bin/td-agent-bit -i tail -p path=%(ENV_APACHE_LOG_DIR)s/%(ENV_APACHE_SERVERNAME)s_*.log -t apache.access -o forward://192.168.64.12:5001 -p -R /opt/parser.conf
+stdout_logfile=/var/log/supervisor/%(program_name)s.log
+stderr_logfile=/var/log/supervisor/%(program_name)s.log
+priority=20
--- a/conf/etc/tpl/001-docker.tpl
+++ b/conf/etc/tpl/001-docker.tpl
@ -0,0 +1,50 @@
+cat<<EOD
+<VirtualHost *:80>
+        ServerAdmin ${APACHE_SERVERADMIN}
+
+        ServerName ${APACHE_SERVERNAME}
+        ServerAlias ${APACHE_SERVERALIAS}
+
+        DocumentRoot ${APACHE_DOCUMENTROOT}
+
+
+	<IfModule mod_ruid2.c>
+
+	   RMode config
+
+	   RDefaultUidGid ${APACHE_RUN_USER} ${APACHE_RUN_USER}
+	   RUidGid ${APACHE_RUN_USER} ${APACHE_RUN_USER}
+    	   RGroups ${APACHE_RUN_USER}
+	</IfModule>
+
+	DirectoryIndex index.html index.htm index.php welcome.html
+
+        <Directory ${APACHE_DOCUMENTROOT}>
+                Options Indexes FollowSymLinks
+                AllowOverride All
+		
+		SetEnvIfNoCase User-agent "^Baidu" bad_bot
+		SetEnvIfNoCase User-agent "^Yandex" bad_bot
+		SetEnvIfNoCase User-agent "^Sosospider" bad_bot
+		SetEnvIfNoCase User-agent "^AhrefsBot" bad_bot
+		SetEnvIfNoCase User-agent "^linkdexbot" bad_bot
+	
+	<RequireAll>
+		Require all granted
+		Require not env bad_bot
+	</RequireAll>
+        </Directory>
+
+        Alias /cgi-bin/ ${APACHE_CGI_DIR}
+        <Directory /home/www/${APACHE_CGI_DIR}>
+           Options +ExecCGI
+           AddHandler cgi-script cgi pl
+        </Directory>
+
+        LogLevel warn
+
+ 	ErrorLog ${APACHE_LOG_DIR}/${APACHE_SERVERNAME}_error.log
+ 	CustomLog ${APACHE_LOG_DIR}/${APACHE_SERVERNAME}_access.log combined
+
+</VirtualHost>
+EOD
--- a/conf/health.sh
+++ b/conf/health.sh
@ -0,0 +1,8 @@
+#!/bin/bash
+test=`/usr/bin/curl -s -o /dev/null -w "%{http_code}" http://localhost | awk {'print $1'}`
+
+if [ "$test" == "200" ] || [ "$test" == "302" ]  || [ "$test" == "301" ]; then
+exit "$?"
+  else
+exit 1
+fi
--- a/conf/start.sh
+++ b/conf/start.sh
@ -0,0 +1,107 @@
+#!/bin/bash
+
+/usr/sbin/useradd -d /home/www -s /bin/false -M ${APACHE_RUN_USER}
+/usr/sbin/adduser ${APACHE_RUN_USER} crontab
+
+if [[ ! $RUN_USER == lokaal ]]; then
+
+USER_UID=`echo ${APACHE_RUN_USER} | tr -d '{p,f},'`
+
+if echo ${APACHE_RUN_USER} | grep "p" ; then
+sed -i "s/1000/10${USER_UID}/g" /etc/passwd
+sed -i "s/1000/10${USER_UID}/g" /etc/group
+fi
+
+if echo ${APACHE_RUN_USER} | grep "f" ;then
+sed -i "s/1000/20${USER_UID}/g" /etc/passwd
+sed -i "s/1000/20${USER_UID}/g" /etc/group
+fi
+
+if echo ${APACHE_RUN_USER} | grep "s" ;then
+sed -i "s/1000/3${USER_UID}/g" /etc/passwd
+sed -i "s/1000/3${USER_UID}/g" /etc/group
+fi
+
+fi
+
+sed -i "s/memory_limit = 128M/memory_limit = ${PHP_MEMORY_LIMIT}/g" /etc/php/7.3/apache2/php.ini
+sed -i 's@;mail.log = syslog@mail.log = /home/www/log/mail.log@g' /etc/php/7.3/apache2/php.ini
+sed -i 's@SMTP = localhost@SMTP = smtp.rug.nl@g' /etc/php/7.3/apache2/php.ini
+
+echo "$APACHE_SERVERNAME" > /etc/mailname
+
+cat> /etc/php/7.3/apache2/conf.d/10-opcache.ini << EOF
+zend_extension=opcache.so
+opcache.enable=1
+opcache.validate_timestamps=1
+opcache.revalidate_freq=60
+opcache.max_accelerated_files=10000
+opcache.memory_consumption=64
+opcache.interned_strings_buffer=8
+opcache.fast_shutdown=1
+EOF
+
+. /etc/tpl/001-docker.tpl > /etc/apache2/sites-enabled/001-docker.conf
+
+if [ ! -d ${APACHE_DOCUMENTROOT} ]; then
+mkdir ${APACHE_DOCUMENTROOT} -p
+chown ${APACHE_RUN_USER}:${APACHE_RUN_USER} $APACHE_DOCUMENTROOT
+fi
+
+[[ -d $APACHE_LOG_DIR ]] ||  mkdir -p $APACHE_LOG_DIR && chown $APACHE_RUN_USER:$APACHE_RUN_USER $APACHE_LOG_DIR
+
+if [ ! -d ${APACHE_CRON_DIR} ]; then
+mkdir ${APACHE_CRON_DIR} -p
+touch ${APACHE_CRON_DIR}/${APACHE_RUN_USER}
+chmod 600 ${APACHE_CRON_DIR}/${APACHE_RUN_USER}
+chown -R ${APACHE_RUN_USER}:crontab ${APACHE_CRON_DIR}/${APACHE_RUN_USER}
+fi
+
+if [ ! -d ${APACHE_CGI_DIR} ]; then
+mkdir ${APACHE_CGI_DIR} -p
+chmod 755 ${APACHE_CGI_DIR}
+chown -R ${APACHE_RUN_USER}:${APACHE_RUN_USER} ${APACHE_CGI_DIR}
+fi
+
+cp ${APACHE_CRON_DIR}/${APACHE_RUN_USER} /var/spool/cron/crontabs/${APACHE_RUN_USER}
+chmod 600  /var/spool/cron/crontabs/${APACHE_RUN_USER}
+chown -R ${APACHE_RUN_USER}:crontab /var/spool/cron/crontabs/${APACHE_RUN_USER}
+
+cat << EOF > /etc/msmtprc
+defaults
+port 25
+logfile ${APACHE_LOG_DIR}/mail.log
+tls off
+
+account rug
+host smtp.rug.nl
+from no-reply@${APACHE_SERVERNAME}
+auth off
+
+# Set a default account
+account default: rug
+
+aliases         /etc/aliases
+EOF
+
+chmod 666 ${APACHE_LOG_DIR}/msmtp.log
+
+
+cat << EOF > /etc/logrotate.d/apache2
+${APACHE_LOG_DIR}/*.log {
+        weekly
+        missingok
+        rotate 52
+        compress
+        delaycompress
+        notifempty
+        sharedscripts
+        create 664 root ${APACHE_RUN_USER}
+    postrotate
+        /usr/sbin/apachectl graceful > /dev/null 2>/dev/null || true
+    endscript
+}
+EOF
+/etc/init.d/cron start
+
+exec "$@"