Browse Source

initial commit

master
commit
161fabc51b
  1. 82
      Dockerfile
  2. 1
      conf/etc/aliases
  3. 31
      conf/etc/apache2/conf-enabled/block_bots.conf
  4. 1
      conf/etc/apache2/conf-enabled/keep.conf
  5. 3
      conf/etc/apache2/conf-enabled/protection.conf
  6. 7
      conf/etc/apache2/mods-available/mpm_prefork.conf
  7. 15
      conf/etc/apache2/mods-enabled/rpaf.conf
  8. 29
      conf/etc/apache2/sites-available/001-docker.conf
  9. 1
      conf/etc/mail.rc
  10. 20
      conf/etc/rsyslog.d/log.conf
  11. 9
      conf/etc/supervisor/conf.d/cron.conf
  12. 11
      conf/etc/supervisor/conf.d/start.conf
  13. 11
      conf/etc/supervisor/disabled/perm.conf
  14. 11
      conf/etc/supervisor/disabled/php.conf
  15. 8
      conf/etc/supervisor/disabled/td-agent-bit.conf
  16. 50
      conf/etc/tpl/001-docker.tpl
  17. 8
      conf/health.sh
  18. 107
      conf/start.sh

82
Dockerfile

@ -0,0 +1,82 @@
FROM debian:buster-slim
LABEL nl.rug.webhosting.version="0.1.9" nl.rug.webhosting.release-date="2021-01-04" nl.rug.webhosting.version.is-production="true"
# ONBUILD apt-get update && apt-get upgrade -y
ENV DEBIAN_FRONTEND noninteractive
RUN export LANG=en_US.UTF-8 \
&& apt-get update && apt-get install --no-install-recommends -y wget curl apt-transport-https ca-certificates gnupg2 \
&& wget -4 --no-check-certificate https://packages.microsoft.com/keys/microsoft.asc -O /tmp/microsoft.asc \
&& cat /tmp/microsoft.asc | apt-key add - \
&& wget --no-check-certificate -q https://packages.sury.org/php/apt.gpg -O- | apt-key add - \
&& curl https://packages.microsoft.com/config/debian/10/prod.list > /etc/apt/sources.list.d/mssql-release.list \
&& echo "deb https://packages.sury.org/php/ buster main" > /etc/apt/sources.list.d/php.list \
&& apt-get update && apt-get upgrade -y \
&& ACCEPT_EULA=Y apt-get -y install --no-install-recommends msodbcsql17 php8.0 php8.0-xml php8.0-cli php8.0-common php8.0-curl php8.0-mbstring php8.0-mysql \
php8.0-xml apache2 php8.0-mysqli libimage-exiftool-perl imagemagick \
libapache2-mod-php8.0 ghostscript libimage-exiftool-perl libodbc1 odbcinst1debian2 php8.0-odbc \
php-pear nano ruby locales cron logrotate mailutils msmtp msmtp-mta && \
apt-get autoclean && \
apt-get clean
RUN apt-get -y install --no-install-recommends make g++ gcc php8.0-dev unixodbc-dev
RUN pecl channel-update pecl.php.net \
&& pecl install sqlsrv \
&& pecl install pdo_sqlsrv \
&& pecl install pecl mongodb \
&& printf "; priority=20\nextension=sqlsrv.so\n" > /etc/php/8.0/mods-available/sqlsrv.ini \
&& printf "; priority=30\nextension=pdo_sqlsrv.so\n" > /etc/php/8.0/mods-available/pdo_sqlsrv.ini \
&& printf "; priority=40\nextension=pdo_mongodb.so\n" > /etc/php/8.0/mods-available/pdo_mongodb.ini \
&& phpenmod sqlsrv pdo_sqlsrv mongodb
RUN apt-get remove make g++ gcc php8.0-dev unixodbc-dev -y \
&& apt-get autoremove -y
RUN a2enmod headers \
&& a2enmod rewrite \
&& a2enmod proxy \
&& a2enmod remoteip \
&& a2enmod expires \
&& a2enmod proxy_fcgi \
&& a2dismod status \
&& a2dissite 000-default \
&& rm /etc/localtime \
&& ln -s /usr/share/zoneinfo/Europe/Amsterdam /etc/localtime \
&& echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \
&& echo "nl_NL.UTF-8 UTF-8" >> /etc/locale.gen \
&& locale-gen \
&& echo "TLS_REQCERT never" >> /etc/ldap/ldap.conf
ENV LANG=en_US.UTF-8 \
LC_ALL=en_US.UTF-8 \
APACHE_RUN_USER=www-data \
APACHE_RUN_GROUP=www-data \
APACHE_CGI_DIR=/home/www/cgi-bin \
APACHE_LOG_DIR=/home/www/log \
APACHE_SERVERADMIN=webhosting.cit@rug.nl \
APACHE_SERVERNAME=localhost \
APACHE_SERVER_NAME=localhost \
APACHE_SERVERALIAS=web.rug.nl \
APACHE_DOCUMENTROOT=/home/www/site \
APACHE_CRON_DIR=/home/www/crons \
APACHE_HOME_DIR=/home/www \
APACHE_RUN_DIR=/var/run/apache2 \
APACHE_PID_FILE=/var/run/apache2/apache2.pid \
APACHE_LOCK_DIR=/var/lock/apache2 \
PHP_MEMORY_LIMIT="512M"
RUN env
RUN mkdir -p $APACHE_RUN_DIR DIR $APACHE_LOCK_DIR
ADD ./conf /
WORKDIR /home/www
RUN chmod +x /start.sh
ENTRYPOINT ["/start.sh"]
CMD ["apache2", "-DFOREGROUND"]

1
conf/etc/aliases

@ -0,0 +1 @@
root: webhosting.cit@rug.nl

31
conf/etc/apache2/conf-enabled/block_bots.conf

@ -0,0 +1,31 @@
<LocationMatch ".*">
SetEnvIfNoCase User-Agent "MJ12bot" bad_user
SetEnvIfNoCase User-Agent "YandexBot" bad_user
SetEnvIfNoCase User-Agent "YAhrefsBot" bad_user
SetEnvIfNoCase User-Agent " SemrushBot" bad_user
Deny from env=bad_user
</LocationMatch>
<If "%{HTTP_USER_AGENT} == 'MJ12bot'">
Deny from all
</If>
<If "%{HTTP_USER_AGENT} == 'YandexBot'">
Deny from all
</If>
<If "%{HTTP_USER_AGENT} == 'YAhrefsBot'">
Deny from all
</If>
<If "%{HTTP_USER_AGENT} == ' SemrushBot'">
Deny from all
</If>
<Directory />
SetEnvIfNoCase User-Agent "MJ12bot" bad_user
SetEnvIfNoCase User-Agent "YandexBot" bad_user
SetEnvIfNoCase User-Agent "YAhrefsBot" bad_user
SetEnvIfNoCase User-Agent " SemrushBot" bad_user
Deny from env=bad_user
</Directory>

1
conf/etc/apache2/conf-enabled/keep.conf

@ -0,0 +1 @@
KeepAlive Off

3
conf/etc/apache2/conf-enabled/protection.conf

@ -0,0 +1,3 @@
Header set X-XSS-Protection "1; mode=block"
Header always append X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff

7
conf/etc/apache2/mods-available/mpm_prefork.conf

@ -0,0 +1,7 @@
<IfModule mpm_prefork_module>
StartServers 2
MinSpareServers 2
MaxSpareServers 10
MaxRequestWorkers 250
MaxConnectionsPerChild 0
</IfModule>

15
conf/etc/apache2/mods-enabled/rpaf.conf

@ -0,0 +1,15 @@
<IfModule rpaf_module>
RPAFenable On
# When enabled, take the incoming X-Host header and
# update the virtualhost settings accordingly:
RPAFsethostname On
# Define which IP's are your frontend proxies that sends
# the correct X-Forwarded-For headers:
RPAFproxy_ips 127.0.0.1 ::1 10.42.0.0/16 192.168.64.0/24
# Change the header name to parse from the default
# X-Forwarded-For to something of your choice:
RPAFheader X-Forwarded-For
</IfModule>

29
conf/etc/apache2/sites-available/001-docker.conf

@ -0,0 +1,29 @@
<VirtualHost *:80>
ServerAdmin ${APACHE_SERVERADMIN}
ServerName ${APACHE_SERVERNAME}
ServerAlias ${APACHE_SERVERALIAS}
DocumentRoot ${APACHE_DOCUMENTROOT}
<Directory ${APACHE_DOCUMENTROOT}>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
Alias /cgi-bin/ ${APACHE_CGI_DIR}
<Directory /home/www/${APACHE_CGI_DIR}>
Options +ExecCGI
AddHandler cgi-script cgi pl
</Directory>
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
ErrorLog ${APACHE_LOG_DIR}/${APACHE_SERVERNAME}_error.log
CustomLog ${APACHE_LOG_DIR}/${APACHE_SERVERNAME}_access.log combined
</VirtualHost>

1
conf/etc/mail.rc

@ -0,0 +1 @@
set sendmail="/usr/bin/msmtp -t"

20
conf/etc/rsyslog.d/log.conf

@ -0,0 +1,20 @@
$MODLOAD IMFILE
$INPUTFILEPOLLINTERVAL 10
$PRIVDROPTOGROUP ADM
$WORKDIRECTORY /VAR/SPOOL/RSYSLOG
# APACHE ACCESS FILE:
$INPUTFILENAME ${APACHE_LOG_DIR}/${APACHE_SERVERNAME}_access.log
$INPUTFILETAG APACHE-ACCESS:
$INPUTFILESTATEFILE STAT-APACHE-ACCESS
$INPUTFILESEVERITY INFO
$INPUTFILEPERSISTSTATEINTERVAL 20000
$INPUTRUNFILEMONITOR
#APACHE ERROR FILE:
$INPUTFILENAME ${APACHE_LOG_DIR}/${APACHE_SERVERNAME}_error.log
$INPUTFILETAG APACHE-ERROR:
$INPUTFILESTATEFILE STAT-APACHE-ERROR
$INPUTFILESEVERITY ERROR
$INPUTFILEPERSISTSTATEINTERVAL 20000
$INPUTRUNFILEMONITOR

9
conf/etc/supervisor/conf.d/cron.conf

@ -0,0 +1,9 @@
[supervisord]
nodaemon=true
[program:cron]
command=/usr/sbin/cron -f -L 15
stdout_logfile=/var/log/supervisor/%(program_name)s.log
stderr_logfile=/var/log/supervisor/%(program_name)s.log
autorestart=false
priority=10

11
conf/etc/supervisor/conf.d/start.conf

@ -0,0 +1,11 @@
[supervisord]
nodaemon=true
[program:start]
command=/start.sh
stdout_logfile=/var/log/supervisor/%(program_name)s.log
stderr_logfile=/var/log/supervisor/%(program_name)s.log
startsecs=0
autorestart=false
priority=1

11
conf/etc/supervisor/disabled/perm.conf

@ -0,0 +1,11 @@
[supervisord]
nodaemon=true
[program:perm]
command=/perm.sh
stdout_logfile=/var/log/supervisor/%(program_name)s.log
stderr_logfile=/var/log/supervisor/%(program_name)s.log
priority=999
autorestart=false

11
conf/etc/supervisor/disabled/php.conf

@ -0,0 +1,11 @@
[supervisord]
nodaemon=true
user=root
[program:php]
command=/usr/sbin/php5-fpm -F -O
stdout_logfile=/var/log/supervisor/%(program_name)s.log
stderr_logfile=/var/log/supervisor/%(program_name)s.log
priority=90
autorestart=true
startsecs = 65

8
conf/etc/supervisor/disabled/td-agent-bit.conf

@ -0,0 +1,8 @@
[supervisord]
nodaemon=true
[program:td-agent-bit]
command=/opt/td-agent-bit/bin/td-agent-bit -i tail -p path=%(ENV_APACHE_LOG_DIR)s/%(ENV_APACHE_SERVERNAME)s_*.log -t apache.access -o forward://192.168.64.12:5001 -p -R /opt/parser.conf
stdout_logfile=/var/log/supervisor/%(program_name)s.log
stderr_logfile=/var/log/supervisor/%(program_name)s.log
priority=20

50
conf/etc/tpl/001-docker.tpl

@ -0,0 +1,50 @@
cat<<EOD
<VirtualHost *:80>
ServerAdmin ${APACHE_SERVERADMIN}
ServerName ${APACHE_SERVERNAME}
ServerAlias ${APACHE_SERVERALIAS}
DocumentRoot ${APACHE_DOCUMENTROOT}
<IfModule mod_ruid2.c>
RMode config
RDefaultUidGid ${APACHE_RUN_USER} ${APACHE_RUN_USER}
RUidGid ${APACHE_RUN_USER} ${APACHE_RUN_USER}
RGroups ${APACHE_RUN_USER}
</IfModule>
DirectoryIndex index.html index.htm index.php welcome.html
<Directory ${APACHE_DOCUMENTROOT}>
Options Indexes FollowSymLinks
AllowOverride All
SetEnvIfNoCase User-agent "^Baidu" bad_bot
SetEnvIfNoCase User-agent "^Yandex" bad_bot
SetEnvIfNoCase User-agent "^Sosospider" bad_bot
SetEnvIfNoCase User-agent "^AhrefsBot" bad_bot
SetEnvIfNoCase User-agent "^linkdexbot" bad_bot
<RequireAll>
Require all granted
Require not env bad_bot
</RequireAll>
</Directory>
Alias /cgi-bin/ ${APACHE_CGI_DIR}
<Directory /home/www/${APACHE_CGI_DIR}>
Options +ExecCGI
AddHandler cgi-script cgi pl
</Directory>
LogLevel warn
ErrorLog ${APACHE_LOG_DIR}/${APACHE_SERVERNAME}_error.log
CustomLog ${APACHE_LOG_DIR}/${APACHE_SERVERNAME}_access.log combined
</VirtualHost>
EOD

8
conf/health.sh

@ -0,0 +1,8 @@
#!/bin/bash
test=`/usr/bin/curl -s -o /dev/null -w "%{http_code}" http://localhost | awk {'print $1'}`
if [ "$test" == "200" ] || [ "$test" == "302" ] || [ "$test" == "301" ]; then
exit "$?"
else
exit 1
fi

107
conf/start.sh

@ -0,0 +1,107 @@
#!/bin/bash
/usr/sbin/useradd -d /home/www -s /bin/false -M ${APACHE_RUN_USER}
/usr/sbin/adduser ${APACHE_RUN_USER} crontab
if [[ ! $RUN_USER == lokaal ]]; then
USER_UID=`echo ${APACHE_RUN_USER} | tr -d '{p,f},'`
if echo ${APACHE_RUN_USER} | grep "p" ; then
sed -i "s/1000/10${USER_UID}/g" /etc/passwd
sed -i "s/1000/10${USER_UID}/g" /etc/group
fi
if echo ${APACHE_RUN_USER} | grep "f" ;then
sed -i "s/1000/20${USER_UID}/g" /etc/passwd
sed -i "s/1000/20${USER_UID}/g" /etc/group
fi
if echo ${APACHE_RUN_USER} | grep "s" ;then
sed -i "s/1000/3${USER_UID}/g" /etc/passwd
sed -i "s/1000/3${USER_UID}/g" /etc/group
fi
fi
sed -i "s/memory_limit = 128M/memory_limit = ${PHP_MEMORY_LIMIT}/g" /etc/php/7.3/apache2/php.ini
sed -i 's@;mail.log = syslog@mail.log = /home/www/log/mail.log@g' /etc/php/7.3/apache2/php.ini
sed -i 's@SMTP = localhost@SMTP = smtp.rug.nl@g' /etc/php/7.3/apache2/php.ini
echo "$APACHE_SERVERNAME" > /etc/mailname
cat> /etc/php/7.3/apache2/conf.d/10-opcache.ini << EOF
zend_extension=opcache.so
opcache.enable=1
opcache.validate_timestamps=1
opcache.revalidate_freq=60
opcache.max_accelerated_files=10000
opcache.memory_consumption=64
opcache.interned_strings_buffer=8
opcache.fast_shutdown=1
EOF
. /etc/tpl/001-docker.tpl > /etc/apache2/sites-enabled/001-docker.conf
if [ ! -d ${APACHE_DOCUMENTROOT} ]; then
mkdir ${APACHE_DOCUMENTROOT} -p
chown ${APACHE_RUN_USER}:${APACHE_RUN_USER} $APACHE_DOCUMENTROOT
fi
[[ -d $APACHE_LOG_DIR ]] || mkdir -p $APACHE_LOG_DIR && chown $APACHE_RUN_USER:$APACHE_RUN_USER $APACHE_LOG_DIR
if [ ! -d ${APACHE_CRON_DIR} ]; then
mkdir ${APACHE_CRON_DIR} -p
touch ${APACHE_CRON_DIR}/${APACHE_RUN_USER}
chmod 600 ${APACHE_CRON_DIR}/${APACHE_RUN_USER}
chown -R ${APACHE_RUN_USER}:crontab ${APACHE_CRON_DIR}/${APACHE_RUN_USER}
fi
if [ ! -d ${APACHE_CGI_DIR} ]; then
mkdir ${APACHE_CGI_DIR} -p
chmod 755 ${APACHE_CGI_DIR}
chown -R ${APACHE_RUN_USER}:${APACHE_RUN_USER} ${APACHE_CGI_DIR}
fi
cp ${APACHE_CRON_DIR}/${APACHE_RUN_USER} /var/spool/cron/crontabs/${APACHE_RUN_USER}
chmod 600 /var/spool/cron/crontabs/${APACHE_RUN_USER}
chown -R ${APACHE_RUN_USER}:crontab /var/spool/cron/crontabs/${APACHE_RUN_USER}
cat << EOF > /etc/msmtprc
defaults
port 25
logfile ${APACHE_LOG_DIR}/mail.log
tls off
account rug
host smtp.rug.nl
from no-reply@${APACHE_SERVERNAME}
auth off
# Set a default account
account default: rug
aliases /etc/aliases
EOF
chmod 666 ${APACHE_LOG_DIR}/msmtp.log
cat << EOF > /etc/logrotate.d/apache2
${APACHE_LOG_DIR}/*.log {
weekly
missingok
rotate 52
compress
delaycompress
notifempty
sharedscripts
create 664 root ${APACHE_RUN_USER}
postrotate
/usr/sbin/apachectl graceful > /dev/null 2>/dev/null || true
endscript
}
EOF
/etc/init.d/cron start
exec "$@"
Loading…
Cancel
Save