commit 161fabc51b347e6160f275c1dc2a9d32aa50a8fe
Author: henk
Date: Mon Sep 20 15:53:30 2021 +0200

initial commit

diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..20d901e
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,82 @@
+FROM debian:buster-slim
+
+LABEL nl.rug.webhosting.version="0.1.9" nl.rug.webhosting.release-date="2021-01-04" nl.rug.webhosting.version.is-production="true"
+
+# ONBUILD apt-get update && apt-get upgrade -y
+
+ENV DEBIAN_FRONTEND noninteractive
+
+RUN export LANG=en_US.UTF-8 \
+ && apt-get update && apt-get install --no-install-recommends -y wget curl apt-transport-https ca-certificates gnupg2 \
+ && wget -4 --no-check-certificate https://packages.microsoft.com/keys/microsoft.asc -O /tmp/microsoft.asc \
+ && cat /tmp/microsoft.asc | apt-key add - \
+ && wget --no-check-certificate -q https://packages.sury.org/php/apt.gpg -O- | apt-key add - \
+ && curl https://packages.microsoft.com/config/debian/10/prod.list > /etc/apt/sources.list.d/mssql-release.list \
+ && echo "deb https://packages.sury.org/php/ buster main" > /etc/apt/sources.list.d/php.list \
+ && apt-get update && apt-get upgrade -y \
+ && ACCEPT_EULA=Y apt-get -y install --no-install-recommends msodbcsql17 php8.0 php8.0-xml php8.0-cli php8.0-common php8.0-curl php8.0-mbstring php8.0-mysql \
+ php8.0-xml apache2 php8.0-mysqli libimage-exiftool-perl imagemagick \
+ libapache2-mod-php8.0 ghostscript libimage-exiftool-perl libodbc1 odbcinst1debian2 php8.0-odbc \
+ php-pear nano ruby locales cron logrotate mailutils msmtp msmtp-mta && \
+ apt-get autoclean && \
+ apt-get clean
+
+RUN apt-get -y install --no-install-recommends make g++ gcc php8.0-dev unixodbc-dev
+
+RUN pecl channel-update pecl.php.net \
+ && pecl install sqlsrv \
+ && pecl install pdo_sqlsrv \
+ && pecl install pecl mongodb \
+ && printf "; priority=20\nextension=sqlsrv.so\n" > /etc/php/8.0/mods-available/sqlsrv.ini \
+ && printf "; priority=30\nextension=pdo_sqlsrv.so\n" > /etc/php/8.0/mods-available/pdo_sqlsrv.ini \
+ && printf "; priority=40\nextension=pdo_mongodb.so\n" > /etc/php/8.0/mods-available/pdo_mongodb.ini \
+ && phpenmod sqlsrv pdo_sqlsrv mongodb
+
+RUN apt-get remove make g++ gcc php8.0-dev unixodbc-dev -y \
+ && apt-get autoremove -y
+
+RUN a2enmod headers \
+ && a2enmod rewrite \
+ && a2enmod proxy \
+ && a2enmod remoteip \
+ && a2enmod expires \
+ && a2enmod proxy_fcgi \
+ && a2dismod status \
+ && a2dissite 000-default \
+ && rm /etc/localtime \
+ && ln -s /usr/share/zoneinfo/Europe/Amsterdam /etc/localtime \
+ && echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \
+ && echo "nl_NL.UTF-8 UTF-8" >> /etc/locale.gen \
+ && locale-gen \
+ && echo "TLS_REQCERT never" >> /etc/ldap/ldap.conf
+
+ENV LANG=en_US.UTF-8 \
+ LC_ALL=en_US.UTF-8 \
+ APACHE_RUN_USER=www-data \
+ APACHE_RUN_GROUP=www-data \
+ APACHE_CGI_DIR=/home/www/cgi-bin \
+ APACHE_LOG_DIR=/home/www/log \
+ APACHE_SERVERADMIN=webhosting.cit@rug.nl \
+ APACHE_SERVERNAME=localhost \
+ APACHE_SERVER_NAME=localhost \
+ APACHE_SERVERALIAS=web.rug.nl \
+ APACHE_DOCUMENTROOT=/home/www/site \
+ APACHE_CRON_DIR=/home/www/crons \
+ APACHE_HOME_DIR=/home/www \
+ APACHE_RUN_DIR=/var/run/apache2 \
+ APACHE_PID_FILE=/var/run/apache2/apache2.pid \
+ APACHE_LOCK_DIR=/var/lock/apache2 \
+ PHP_MEMORY_LIMIT="512M"
+RUN env
+
+RUN mkdir -p $APACHE_RUN_DIR DIR $APACHE_LOCK_DIR
+
+ADD ./conf /
+
+WORKDIR /home/www
+
+RUN chmod +x /start.sh
+
+ENTRYPOINT ["/start.sh"]
+CMD ["apache2", "-DFOREGROUND"]
+
diff --git a/conf/etc/aliases b/conf/etc/aliases
new file mode 100644
index 0000000..df5c9f6
--- /dev/null
+++ b/conf/etc/aliases
@@ -0,0 +1 @@
+root: webhosting.cit@rug.nl
diff --git a/conf/etc/apache2/conf-enabled/block_bots.conf b/conf/etc/apache2/conf-enabled/block_bots.conf
new file mode 100644
index 0000000..a4385bc
--- /dev/null
+++ b/conf/etc/apache2/conf-enabled/block_bots.conf
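Review bot: The two `wget --no-check-certificate` fetches in the first RUN download the Microsoft and sury apt signing keys and pipe them straight into `apt-key add -`, so TLS verification was the only integrity check on keys that every later `apt-get install` then trusts; `ca-certificates` is installed on the line just before, so the flag can simply be dropped from both `wget` lines. In the same spirit, `echo "TLS_REQCERT never" >> /etc/ldap/ldap.conf` turns off LDAP certificate verification for the whole image and deserves a comment naming the directory server that needs it, or a `TLS_CACERT` path instead. `RUN mkdir -p $APACHE_RUN_DIR DIR $APACHE_LOCK_DIR` creates a stray `DIR` directory (looks like a truncated variable name), and `ADD ./conf /` should be `COPY ./conf /` since it copies a local directory. The pecl stanza has a stray argument in `pecl install pecl mongodb` and writes `pdo_mongodb.ini` with `extension=pdo_mongodb.so` but then runs `phpenmod ... mongodb`; the extension pecl installs is named mongodb, so the ini file name and extension line probably need to match that name for phpenmod to find it. Removing the build tools in a later RUN does not shrink the image because the earlier layer still holds them, and the final stage has no `USER`, so apache2 is started as root.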
@@ -0,0 +1,31 @@ + + SetEnvIfNoCase User-Agent "MJ12bot" bad_user + SetEnvIfNoCase User-Agent "YandexBot" bad_user + SetEnvIfNoCase User-Agent "YAhrefsBot" bad_user + SetEnvIfNoCase User-Agent " SemrushBot" bad_user + Deny from env=bad_user + + + + Deny from all + + + + Deny from all + + + + Deny from all + + + + Deny from all + + + + SetEnvIfNoCase User-Agent "MJ12bot" bad_user + SetEnvIfNoCase User-Agent "YandexBot" bad_user + SetEnvIfNoCase User-Agent "YAhrefsBot" bad_user + SetEnvIfNoCase User-Agent " SemrushBot" bad_user + Deny from env=bad_user + diff --git a/conf/etc/apache2/conf-enabled/keep.conf b/conf/etc/apache2/conf-enabled/keep.conf new file mode 100644 index 0000000..a25c259 --- /dev/null +++ b/conf/etc/apache2/conf-enabled/keep.conf @@ -0,0 +1 @@ +KeepAlive Off diff --git a/conf/etc/apache2/conf-enabled/protection.conf b/conf/etc/apache2/conf-enabled/protection.conf new file mode 100644 index 0000000..9e83f2f --- /dev/null +++ b/conf/etc/apache2/conf-enabled/protection.conf @@ -0,0 +1,3 @@ +Header set X-XSS-Protection "1; mode=block" +Header always append X-Frame-Options SAMEORIGIN +Header set X-Content-Type-Options nosniff diff --git a/conf/etc/apache2/mods-available/mpm_prefork.conf b/conf/etc/apache2/mods-available/mpm_prefork.conf new file mode 100644 index 0000000..3d5b602 --- /dev/null +++ b/conf/etc/apache2/mods-available/mpm_prefork.conf @@ -0,0 +1,7 @@ + + StartServers 2 + MinSpareServers 2 + MaxSpareServers 10 + MaxRequestWorkers 250 + MaxConnectionsPerChild 0 + diff --git a/conf/etc/apache2/mods-enabled/rpaf.conf b/conf/etc/apache2/mods-enabled/rpaf.conf new file mode 100644 index 0000000..6fc7ddf --- /dev/null +++ b/conf/etc/apache2/mods-enabled/rpaf.conf 
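Review bot: `Deny from env=bad_user` and `Deny from all` in block_bots.conf use the Apache 2.2 mod_access_compat syntax, while the apache2 shipped with debian:buster is 2.4 and the site template in conf/etc/tpl/001-docker.tpl already uses the 2.4 form (`Require not env bad_bot`); mixing both styles in one server makes the effective policy hard to reason about and leans on a compatibility module. Replacing each `Deny from env=bad_user` with `Require not env bad_user` inside a `<RequireAll>` block and each `Deny from all` with `Require all denied` keeps the behaviour with a single syntax. The enclosing `<Location>`/`<Directory>` containers did not survive this rendering of the hunk, so which paths the four `Deny from all` blocks cover cannot be checked here. The protection.conf hunk on this line uses `Header always append X-Frame-Options SAMEORIGIN`; `append` yields a comma-joined value if the application also sets that header, so `Header always set X-Frame-Options SAMEORIGIN` is the safer choice.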
@@ -0,0 +1,15 @@ + + RPAFenable On + + # When enabled, take the incoming X-Host header and + # update the virtualhost settings accordingly: + RPAFsethostname On + + # Define which IP's are your frontend proxies that sends + # the correct X-Forwarded-For headers: + RPAFproxy_ips 127.0.0.1 ::1 10.42.0.0/16 192.168.64.0/24 + + # Change the header name to parse from the default + # X-Forwarded-For to something of your choice: + RPAFheader X-Forwarded-For + diff --git a/conf/etc/apache2/sites-available/001-docker.conf b/conf/etc/apache2/sites-available/001-docker.conf new file mode 100644 index 0000000..0c3ab47 --- /dev/null +++ b/conf/etc/apache2/sites-available/001-docker.conf @@ -0,0 +1,29 @@ + + ServerAdmin ${APACHE_SERVERADMIN} + + ServerName ${APACHE_SERVERNAME} + ServerAlias ${APACHE_SERVERALIAS} + + DocumentRoot ${APACHE_DOCUMENTROOT} + + Options Indexes FollowSymLinks + AllowOverride All + Require all granted + + + Alias /cgi-bin/ ${APACHE_CGI_DIR} + + Options +ExecCGI + AddHandler cgi-script cgi pl + + + # Possible values include: debug, info, notice, warn, error, crit, + # alert, emerg. + LogLevel warn + + + ErrorLog ${APACHE_LOG_DIR}/${APACHE_SERVERNAME}_error.log + CustomLog ${APACHE_LOG_DIR}/${APACHE_SERVERNAME}_access.log combined + + + diff --git a/conf/etc/mail.rc b/conf/etc/mail.rc new file mode 100644 index 0000000..83135fb --- /dev/null +++ b/conf/etc/mail.rc @@ -0,0 +1 @@ +set sendmail="/usr/bin/msmtp -t" diff --git a/conf/etc/rsyslog.d/log.conf b/conf/etc/rsyslog.d/log.conf new file mode 100644 index 0000000..de73a48 --- /dev/null +++ b/conf/etc/rsyslog.d/log.conf 
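Review bot: rpaf.conf configures mod_rpaf (`RPAFenable On`, `RPAFproxy_ips ...`), but the Dockerfile hunk at the top of this commit installs no `libapache2-mod-rpaf` package and enables `remoteip` instead, so as far as this commit shows the trusted-proxy list here is never applied and access logs and `REMOTE_ADDR` will carry the proxy's address rather than the client's. If mod_remoteip is the intended module, the equivalent is a remoteip.conf with `RemoteIPHeader X-Forwarded-For` and `RemoteIPInternalProxy 127.0.0.1 ::1 10.42.0.0/16 192.168.64.0/24`, so only those proxies can set the client address. The `<IfModule>` wrapper that presumably surrounds these directives was lost in rendering, so this is inferred from the visible lines.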
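Review bot: `Alias /cgi-bin/ ${APACHE_CGI_DIR}` maps a URL path with a trailing slash onto `/home/www/cgi-bin` without one; mod_alias appends the remainder of the URL to the target, so `/cgi-bin/x.pl` resolves to `/home/www/cgi-binx.pl` and the CGI directory is unreachable. Either `Alias /cgi-bin/ ${APACHE_CGI_DIR}/` or, since these are scripts, `ScriptAlias /cgi-bin/ ${APACHE_CGI_DIR}/` fixes it; the same line appears in conf/etc/tpl/001-docker.tpl, which is what start.sh actually renders into sites-enabled. `Options Indexes FollowSymLinks` on the document root enables directory listings for every site this image hosts, which is worth a comment if intentional and `-Indexes` otherwise. The `<VirtualHost>` and `<Directory>` containers were lost in rendering, so the scope of each block is inferred.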
@@ -0,0 +1,20 @@ +$MODLOAD IMFILE +$INPUTFILEPOLLINTERVAL 10 +$PRIVDROPTOGROUP ADM +$WORKDIRECTORY /VAR/SPOOL/RSYSLOG + +# APACHE ACCESS FILE: +$INPUTFILENAME ${APACHE_LOG_DIR}/${APACHE_SERVERNAME}_access.log +$INPUTFILETAG APACHE-ACCESS: +$INPUTFILESTATEFILE STAT-APACHE-ACCESS +$INPUTFILESEVERITY INFO +$INPUTFILEPERSISTSTATEINTERVAL 20000 +$INPUTRUNFILEMONITOR + +#APACHE ERROR FILE: +$INPUTFILENAME ${APACHE_LOG_DIR}/${APACHE_SERVERNAME}_error.log +$INPUTFILETAG APACHE-ERROR: +$INPUTFILESTATEFILE STAT-APACHE-ERROR +$INPUTFILESEVERITY ERROR +$INPUTFILEPERSISTSTATEINTERVAL 20000 +$INPUTRUNFILEMONITOR \ No newline at end of file diff --git a/conf/etc/supervisor/conf.d/cron.conf b/conf/etc/supervisor/conf.d/cron.conf new file mode 100644 index 0000000..af6b01c --- /dev/null +++ b/conf/etc/supervisor/conf.d/cron.conf @@ -0,0 +1,9 @@ +[supervisord] +nodaemon=true + +[program:cron] +command=/usr/sbin/cron -f -L 15 +stdout_logfile=/var/log/supervisor/%(program_name)s.log +stderr_logfile=/var/log/supervisor/%(program_name)s.log +autorestart=false +priority=10 diff --git a/conf/etc/supervisor/conf.d/start.conf b/conf/etc/supervisor/conf.d/start.conf new file mode 100644 index 0000000..5d94c04 --- /dev/null +++ b/conf/etc/supervisor/conf.d/start.conf @@ -0,0 +1,11 @@ +[supervisord] +nodaemon=true + +[program:start] +command=/start.sh +stdout_logfile=/var/log/supervisor/%(program_name)s.log +stderr_logfile=/var/log/supervisor/%(program_name)s.log +startsecs=0 +autorestart=false +priority=1 + diff --git a/conf/etc/supervisor/disabled/perm.conf b/conf/etc/supervisor/disabled/perm.conf new file mode 100644 index 0000000..1a17d15 --- /dev/null +++ b/conf/etc/supervisor/disabled/perm.conf @@ -0,0 +1,11 @@ +[supervisord] +nodaemon=true + +[program:perm] +command=/perm.sh +stdout_logfile=/var/log/supervisor/%(program_name)s.log +stderr_logfile=/var/log/supervisor/%(program_name)s.log +priority=999 +autorestart=false + + 
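Review bot: cron.conf, start.conf and the files under conf/etc/supervisor/disabled are supervisord program definitions, but the Dockerfile's package list contains no `supervisor` package and `ENTRYPOINT ["/start.sh"]` runs the script directly, so nothing in this commit reads them; the same holds for conf/etc/rsyslog.d/log.conf, since rsyslog is not installed either. If they are kept for a later image, a one-line comment at the top of each (`; not active: supervisor is not installed in this image`) would stop the next maintainer from assuming cron is supervised. start.conf also registers /start.sh itself as a program with `autorestart=false`; run under supervisor with no arguments its closing `exec "$@"` would have nothing to exec and the program would exit at once, which that file should say. The all-uppercase directives in log.conf (`$MODLOAD IMFILE`, `/VAR/SPOOL/RSYSLOG`) look like a rendering artefact rather than the committed text, so they are not reviewed here.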
diff --git a/conf/etc/supervisor/disabled/php.conf b/conf/etc/supervisor/disabled/php.conf new file mode 100644 index 0000000..799abfc --- /dev/null +++ b/conf/etc/supervisor/disabled/php.conf @@ -0,0 +1,11 @@ +[supervisord] +nodaemon=true +user=root + +[program:php] +command=/usr/sbin/php5-fpm -F -O +stdout_logfile=/var/log/supervisor/%(program_name)s.log +stderr_logfile=/var/log/supervisor/%(program_name)s.log +priority=90 +autorestart=true +startsecs = 65 \ No newline at end of file diff --git a/conf/etc/supervisor/disabled/td-agent-bit.conf b/conf/etc/supervisor/disabled/td-agent-bit.conf new file mode 100644 index 0000000..3c99dda --- /dev/null +++ b/conf/etc/supervisor/disabled/td-agent-bit.conf @@ -0,0 +1,8 @@ +[supervisord] +nodaemon=true + +[program:td-agent-bit] +command=/opt/td-agent-bit/bin/td-agent-bit -i tail -p path=%(ENV_APACHE_LOG_DIR)s/%(ENV_APACHE_SERVERNAME)s_*.log -t apache.access -o forward://192.168.64.12:5001 -p -R /opt/parser.conf +stdout_logfile=/var/log/supervisor/%(program_name)s.log +stderr_logfile=/var/log/supervisor/%(program_name)s.log +priority=20 diff --git a/conf/etc/tpl/001-docker.tpl b/conf/etc/tpl/001-docker.tpl new file mode 100644 index 0000000..2de5575 --- /dev/null +++ b/conf/etc/tpl/001-docker.tpl 
@@ -0,0 +1,50 @@ +cat< + ServerAdmin ${APACHE_SERVERADMIN} + + ServerName ${APACHE_SERVERNAME} + ServerAlias ${APACHE_SERVERALIAS} + + DocumentRoot ${APACHE_DOCUMENTROOT} + + + + + RMode config + + RDefaultUidGid ${APACHE_RUN_USER} ${APACHE_RUN_USER} + RUidGid ${APACHE_RUN_USER} ${APACHE_RUN_USER} + RGroups ${APACHE_RUN_USER} + + + DirectoryIndex index.html index.htm index.php welcome.html + + + Options Indexes FollowSymLinks + AllowOverride All + + SetEnvIfNoCase User-agent "^Baidu" bad_bot + SetEnvIfNoCase User-agent "^Yandex" bad_bot + SetEnvIfNoCase User-agent "^Sosospider" bad_bot + SetEnvIfNoCase User-agent "^AhrefsBot" bad_bot + SetEnvIfNoCase User-agent "^linkdexbot" bad_bot + + + Require all granted + Require not env bad_bot + + + + Alias /cgi-bin/ ${APACHE_CGI_DIR} + + Options +ExecCGI + AddHandler cgi-script cgi pl + + + LogLevel warn + + ErrorLog ${APACHE_LOG_DIR}/${APACHE_SERVERNAME}_error.log + CustomLog ${APACHE_LOG_DIR}/${APACHE_SERVERNAME}_access.log combined + + +EOD diff --git a/conf/health.sh b/conf/health.sh new file mode 100644 index 0000000..094f64f --- /dev/null +++ b/conf/health.sh @@ -0,0 +1,8 @@ +#!/bin/bash +test=`/usr/bin/curl -s -o /dev/null -w "%{http_code}" http://localhost | awk {'print $1'}` + +if [ "$test" == "200" ] || [ "$test" == "302" ] || [ "$test" == "301" ]; then +exit "$?" + else +exit 1 +fi diff --git a/conf/start.sh b/conf/start.sh new file mode 100644 index 0000000..be9e812 --- /dev/null +++ b/conf/start.sh 
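Review bot: health.sh's `exit "$?"` on the success branch runs after the `[ ... ] || [ ... ]` test already succeeded, so `$?` is always 0 there; write `exit 0` to say what is meant. The curl call has no timeout, so a wedged apache2 makes the probe hang instead of fail; `/usr/bin/curl -s -m 5 -o /dev/null -w "%{http_code}" http://localhost` bounds it, and the `| awk {'print $1'}` adds nothing because `-w` prints only the status code. Nothing in this commit declares a `HEALTHCHECK` in the Dockerfile or calls health.sh, so the script is inert until `HEALTHCHECK --interval=30s --timeout=5s CMD /health.sh` (or an orchestrator probe) is added.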
@@ -0,0 +1,107 @@
+#!/bin/bash
+
+/usr/sbin/useradd -d /home/www -s /bin/false -M ${APACHE_RUN_USER}
+/usr/sbin/adduser ${APACHE_RUN_USER} crontab
+
+if [[ ! $RUN_USER == lokaal ]]; then
+
+USER_UID=`echo ${APACHE_RUN_USER} | tr -d '{p,f},'`
+
+if echo ${APACHE_RUN_USER} | grep "p" ; then
+sed -i "s/1000/10${USER_UID}/g" /etc/passwd
+sed -i "s/1000/10${USER_UID}/g" /etc/group
+fi
+
+if echo ${APACHE_RUN_USER} | grep "f" ;then
+sed -i "s/1000/20${USER_UID}/g" /etc/passwd
+sed -i "s/1000/20${USER_UID}/g" /etc/group
+fi
+
+if echo ${APACHE_RUN_USER} | grep "s" ;then
+sed -i "s/1000/3${USER_UID}/g" /etc/passwd
+sed -i "s/1000/3${USER_UID}/g" /etc/group
+fi
+
+fi
+
+sed -i "s/memory_limit = 128M/memory_limit = ${PHP_MEMORY_LIMIT}/g" /etc/php/7.3/apache2/php.ini
+sed -i 's@;mail.log = syslog@mail.log = /home/www/log/mail.log@g' /etc/php/7.3/apache2/php.ini
+sed -i 's@SMTP = localhost@SMTP = smtp.rug.nl@g' /etc/php/7.3/apache2/php.ini
+
+echo "$APACHE_SERVERNAME" > /etc/mailname
+
+cat> /etc/php/7.3/apache2/conf.d/10-opcache.ini << EOF
+zend_extension=opcache.so
+opcache.enable=1
+opcache.validate_timestamps=1
+opcache.revalidate_freq=60
+opcache.max_accelerated_files=10000
+opcache.memory_consumption=64
+opcache.interned_strings_buffer=8
+opcache.fast_shutdown=1
+EOF
+
+. /etc/tpl/001-docker.tpl > /etc/apache2/sites-enabled/001-docker.conf
+
+if [ ! -d ${APACHE_DOCUMENTROOT} ]; then
+mkdir ${APACHE_DOCUMENTROOT} -p
+chown ${APACHE_RUN_USER}:${APACHE_RUN_USER} $APACHE_DOCUMENTROOT
+fi
+
+[[ -d $APACHE_LOG_DIR ]] || mkdir -p $APACHE_LOG_DIR && chown $APACHE_RUN_USER:$APACHE_RUN_USER $APACHE_LOG_DIR
+
+if [ ! -d ${APACHE_CRON_DIR} ]; then
+mkdir ${APACHE_CRON_DIR} -p
+touch ${APACHE_CRON_DIR}/${APACHE_RUN_USER}
+chmod 600 ${APACHE_CRON_DIR}/${APACHE_RUN_USER}
+chown -R ${APACHE_RUN_USER}:crontab ${APACHE_CRON_DIR}/${APACHE_RUN_USER}
+fi
+
+if [ ! -d ${APACHE_CGI_DIR} ]; then
+mkdir ${APACHE_CGI_DIR} -p
+chmod 755 ${APACHE_CGI_DIR}
+chown -R ${APACHE_RUN_USER}:${APACHE_RUN_USER} ${APACHE_CGI_DIR}
+fi
+
+cp ${APACHE_CRON_DIR}/${APACHE_RUN_USER} /var/spool/cron/crontabs/${APACHE_RUN_USER}
+chmod 600 /var/spool/cron/crontabs/${APACHE_RUN_USER}
+chown -R ${APACHE_RUN_USER}:crontab /var/spool/cron/crontabs/${APACHE_RUN_USER}
+
+cat << EOF > /etc/msmtprc
+defaults
+port 25
+logfile ${APACHE_LOG_DIR}/mail.log
+tls off
+
+account rug
+host smtp.rug.nl
+from no-reply@${APACHE_SERVERNAME}
+auth off
+
+# Set a default account
+account default: rug
+
+aliases /etc/aliases
+EOF
+
+chmod 666 ${APACHE_LOG_DIR}/msmtp.log
+
+
+cat << EOF > /etc/logrotate.d/apache2
+${APACHE_LOG_DIR}/*.log {
+ weekly
+ missingok
+ rotate 52
+ compress
+ delaycompress
+ notifempty
+ sharedscripts
+ create 664 root ${APACHE_RUN_USER}
+ postrotate
+ /usr/sbin/apachectl graceful > /dev/null 2>/dev/null || true
+ endscript
+}
+EOF
+/etc/init.d/cron start
+
+exec "$@"
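Review bot: start.sh edits `/etc/php/7.3/apache2/php.ini` and writes `/etc/php/7.3/apache2/conf.d/10-opcache.ini`, but the Dockerfile installs php8.0 and libapache2-mod-php8.0, so those `sed -i` calls fail on a missing file (there is no `set -e`, so the script carries on) and the memory_limit, mail.log and opcache settings are never applied; the path should be `/etc/php/8.0/apache2/...`, or derived once with `PHP_VER=$(php -r 'echo PHP_MAJOR_VERSION.".".PHP_MINOR_VERSION;')`. The UID rewrite `sed -i "s/1000/10${USER_UID}/g" /etc/passwd` (and its `/etc/group` twin, repeated for the `f` and `s` cases) replaces every occurrence of the substring `1000` anywhere in both files, so any other account or group whose id contains that digit string is corrupted too; computing the id first and passing it to `useradd -u "$WANTED_UID"` instead of patching the files avoids that. `chmod 666 ${APACHE_LOG_DIR}/msmtp.log` targets a file the msmtprc written just above never creates (its `logfile` is `${APACHE_LOG_DIR}/mail.log`), and a world-writable log file is wider than the www-data owner needs. A `set -euo pipefail` near the top would surface the first two problems at container start instead of leaving them silent, bearing in mind that `useradd` already returns non-zero when the default `www-data` account exists and would then need an explicit `|| true`.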