From e4c573596678ca896ff619e030c56195f3d27fff Mon Sep 17 00:00:00 2001
From: Raphael Martin 
Date: Tue, 28 Nov 2023 20:59:53 +0100
Subject: [PATCH] fixed missing configs and install

---
 Dockerfile | 123 +++++++-
 apache-conf/apache.conf | 246 ++++++++++++++++++
 .../sites-enabled/typo3.localhost.conf | 44 ++++
 docker-compose.yml | 10 +-
 init | 2 +-
 5 files changed, 404 insertions(+), 21 deletions(-)
 create mode 100644 apache-conf/apache.conf
 create mode 100644 apache-conf/sites-enabled/typo3.localhost.conf

diff --git a/Dockerfile b/Dockerfile
index 73aed4c..e516049 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,12 +3,16 @@
 # Docker image for TYPO3 CMS
 FROM php:8.2-apache
+
 LABEL maintainer="Raphael Martin "
+# set envirement
+ENV LANG=de_AT
 ENV APACHE_RUN_USER a2g-www
 ENV TYPO3_VERSION 12.4.8
 ENV TYPO3_SHA256CHECKSUM 8293b3441ec133fc8f9174fab5b88f450044ded0e188a0f12de37ad60a8bf8b3
+
 # change apache user
 RUN adduser --uid 1000 --gecos 'Apache User' --disabled-password $APACHE_RUN_USER \
 && chown -R "$APACHE_RUN_USER:$APACHE_RUN_USER" /var/lock/apache2 /var/run/apache2
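Review bot: `ENV LANG=de_AT` exports a bare locale stem into the runtime environment, while the only locale this image generates later is `de_AT.UTF-8`; any process that honours `LANG` is therefore presumably pointed at a locale that does not exist. Keep the stem build-only (`ARG LOCALE=de_AT`) and set the real value once it has been generated, `ENV LANG=de_AT.UTF-8 LC_ALL=de_AT.UTF-8`. The three `ENV key value` lines use the legacy space-separated form that BuildKit now warns about (`ENV APACHE_RUN_USER=a2g-www`, `ENV TYPO3_VERSION=12.4.8`, `ENV TYPO3_SHA256CHECKSUM=…`). Pinning TYPO3 by version plus SHA-256 is the right model; the same discipline would apply to the base image (`FROM php:8.2-apache@sha256:…`) so that a rebuild that bumps the checksum also fixes which PHP/Apache build ships with it.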
@@ -16,21 +20,61 @@ RUN adduser --uid 1000 --gecos 'Apache User' --disabled-password $APACHE_RUN_USE
 # update system
 RUN apt-get update -y && apt-get upgrade -y
-# Install TYPO3
+# Install wget and locales
 RUN apt-get install -y --no-install-recommends \
 wget \
+ locales
+
+RUN export LANG=${LANG} && \
+ echo "${LANG}.UTF-8 UTF-8" > /etc/locale.gen && \
+ /usr/sbin/locale-gen
+
+# Export env vars
+RUN { \
+ echo "export LC_ALL=${LANG}.UTF-8"; \
+ echo "export LANG=${LANG}.UTF-8"; \
+ echo "export LANGUAGE=${LANG}.UTF-8"; \
+} >> ~/.bashrc
+
+RUN cp ~/.bashrc /home/${APACHE_RUN_USER} && \
+ chown -R "$APACHE_RUN_USER:$APACHE_RUN_USER" /home/${APACHE_RUN_USER}/.bashrc
+
+# Download TYPO3
+RUN cd /tmp && \
+ wget -O download.tar.gz https://get.typo3.org/${TYPO3_VERSION} && \
+ echo "${TYPO3_SHA256CHECKSUM} /tmp/download.tar.gz" > /tmp/download.tar.gz.sum
+
+RUN sha256sum -c "/tmp/download.tar.gz.sum"
+
+# Install
+RUN set -ex; \
+ \
+ apt-get install -y --no-install-recommends \
 # Configure PHP
- libxml2-dev libfreetype6-dev \
+ libxml2-dev \
+ libfreetype6-dev \
 libjpeg62-turbo-dev \
 libmcrypt-dev \
 libpng-dev \
 libpq-dev \
 libzip-dev \
 zlib1g-dev \
+ unzip \
+ zip \
 sendmail \
- graphicsmagick && \
- docker-php-ext-configure gd --with-libdir=/usr/include/ --with-jpeg --with-freetype && \
- docker-php-ext-install -j$(nproc) mysqli soap gd zip opcache intl pgsql pdo_pgsql
+ graphicsmagick
+
+
+RUN docker-php-ext-configure gd --with-libdir=/usr/include/ --with-jpeg --with-freetype && \
+ docker-php-ext-configure zip
+
+RUN docker-php-ext-install -j$(nproc) \
+ pdo_mysql \
+ soap \
+ gd \
+ zip \
+ opcache \
+ intl
 # Clean
 RUN apt-get -y purge \
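Review bot: The locale exports written to `~/.bashrc` and copied into the Apache user's home only affect interactive bash sessions; the Apache/PHP processes started by the image entrypoint never source that file, and on Debian-based images `/etc/apache2/envvars` additionally forces `LANG=C`, so as far as this diff shows the generated `de_AT.UTF-8` locale never reaches the web server. Set `ENV LANG=de_AT.UTF-8 LC_ALL=de_AT.UTF-8` after the `locale-gen` step and, if PHP must see it, put the value into `/etc/apache2/envvars` (or `/etc/default/locale` with the sourcing line uncommented) instead of `.bashrc`. The download and the `sha256sum -c` sit in separate layers, so an unverified tarball is committed as its own image layer before it is checked; doing `wget`, the checksum check and the later `tar` in one `RUN` means a mismatch never leaves the archive in the image. `apt-get update`/`upgrade` in their own layer also lets the later `apt-get install` steps run against a stale package list on cache hits (hadolint DL3009); chain `apt-get update &&` into each install step and drop the blanket `upgrade` in favour of bumping the base image tag.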
@@ -43,28 +87,73 @@ RUN apt-get -y purge \
 apt-get clean && \
 rm -rf /var/lib/apt/lists/* /usr/src/*
-RUN mkdir /usr/local/surf && \
- curl -L https://github.com/TYPO3/Surf/releases/download/3.4.6/surf.phar -o /usr/local/surf/surf.phar && \
- chmod +x /usr/local/surf/surf.phar && \
- ln -s /usr/local/surf/surf.phar /usr/local/bin/surf
 # Configure Apache as needed
-RUN a2enmod rewrite
-RUN cd /tmp && \
- wget -O download.tar.gz https://get.typo3.org/${TYPO3_VERSION} && \
- echo "${TYPO3_SHA256CHECKSUM} /tmp/download.tar.gz" > /tmp/download.tar.gz.sum
+RUN set -eux; \
+ docker-php-ext-enable opcache; \
+ { \
+ echo 'opcache.memory_consumption=128'; \
+ echo 'opcache.interned_strings_buffer=8'; \
+ echo 'opcache.max_accelerated_files=4000'; \
+ echo 'opcache.revalidate_freq=2'; \
+ } > /usr/local/etc/php/conf.d/opcache-recommended.ini
+
+RUN { \
+ echo 'error_reporting = E_ERROR | E_WARNING | E_PARSE | E_CORE_ERROR | E_CORE_WARNING | E_COMPILE_ERROR | E_COMPILE_WARNING | E_RECOVERABLE_ERROR'; \
+ echo 'display_errors = Off'; \
+ echo 'display_startup_errors = Off'; \
+ echo 'log_errors = On'; \
+ echo 'error_log = /dev/stderr'; \
+ echo 'log_errors_max_len = 1024'; \
+ echo 'ignore_repeated_errors = On'; \
+ echo 'ignore_repeated_source = Off'; \
+ echo 'html_errors = Off'; \
+ } > /usr/local/etc/php/conf.d/error-logging.ini
+
+RUN set -eux; \
+ a2enmod rewrite expires; \
+ \
+ a2enmod remoteip; \
+ { \
+ echo 'RemoteIPHeader X-Forwarded-For'; \
+# these IP ranges are reserved for "private" use and should thus *usually* be safe inside Docker
+ echo 'RemoteIPInternalProxy 10.0.0.0/8'; \
+ echo 'RemoteIPInternalProxy 172.16.0.0/12'; \
+ echo 'RemoteIPInternalProxy 192.168.0.0/16'; \
+ echo 'RemoteIPInternalProxy 169.254.0.0/16'; \
+ echo 'RemoteIPInternalProxy 127.0.0.0/8'; \
+ } > /etc/apache2/conf-available/remoteip.conf; \
+ a2enconf remoteip; \
+ find /etc/apache2 -type f -name '*.conf' -exec sed -ri 's/([[:space:]]*LogFormat[[:space:]]+"[^"]*)%h([^"]*")/\1%a\2/g' '{}' +
+
+
+# install TYPO3 surf
+# RUN mkdir /usr/local/surf && \
+# curl -L https://github.com/TYPO3/Surf/releases/download/3.4.6/surf.phar -o /usr/local/surf/surf.phar && \
+# chmod +x /usr/local/surf/surf.phar && \
+# ln -s /usr/local/surf/surf.phar /usr/local/bin/surf
+
-RUN sha256sum -c "/tmp/download.tar.gz.sum"
 RUN tar -xzf /tmp/download.tar.gz -C /var/www/ && \
 rm /tmp/download*
-
+
 RUN cd /var/www/html && \
 ln -s ../typo3_src-* typo3_src && \
 ln -s typo3_src/index.php && \
 ln -s typo3_src/typo3 && \
 touch FIRST_INSTALL
-
+
 RUN chown -R $APACHE_RUN_USER:$APACHE_RUN_USER /var/www/html && \
- chown -R $APACHE_RUN_USER:$APACHE_RUN_USER /var/www/typo3_src-*
+ chown -R $APACHE_RUN_USER:$APACHE_RUN_USER /var/www/typo3_src-* && \
+ chown -R root:root /etc/apache2/sites-enabled
+
+RUN { \
+ echo "ServerSignature Off"; \
+ echo "ServerTokens Prod"; \
+ } >> /etc/apache2/apache2.conf
+
+RUN a2enmod headers
+
+VOLUME /var/www
\ No newline at end of file
diff --git a/apache-conf/apache.conf b/apache-conf/apache.conf
new file mode 100644
index 0000000..5b219b6
--- /dev/null
+++ b/apache-conf/apache.conf
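Review bot: The `RemoteIPInternalProxy` list trusts every RFC 1918, link-local and loopback address as a proxy, so any peer that can reach port 80 from such an address — which, per docker-compose.yml, includes every other container on the shared external Traefik network — can set `X-Forwarded-For` to an arbitrary value and Apache will log it and hand it to PHP as `REMOTE_ADDR`. If TYPO3's IP-based controls are in use (backend IP mask list, `devIPmask`, install-tool restrictions) that turns them into a spoofable check rather than a logging nuisance. Limit the directive to the address or subnet Traefik actually uses (`RemoteIPInternalProxy <traefik-subnet>`, supplied via an `ARG`), and at minimum drop `127.0.0.0/8` and `169.254.0.0/16`, which have no legitimate proxy behind them here; the "usually safe inside Docker" comment should say that this assumes the container is only reachable through the proxy. Two smaller things in the same hunk: `chown -R root:root /etc/apache2/sites-enabled` is overridden at runtime by the bind mount of `./apache-conf/sites-enabled` in docker-compose.yml, and the unchanged `touch FIRST_INSTALL` means a freshly started container exposes the install tool to whoever reaches `/typo3/install.php` first — worth a comment such as `# FIRST_INSTALL opens the install tool until setup completes; do not expose a fresh container publicly`.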
@@ -0,0 +1,246 @@ +# This is the main Apache server configuration file. It contains the +# configuration directives that give the server its instructions. +# See http://httpd.apache.org/docs/2.4/ for detailed information about +# the directives and /usr/share/doc/apache2/README.Debian about Debian specific +# hints. +# +# +# Summary of how the Apache 2 configuration works in Debian: +# The Apache 2 web server configuration in Debian is quite different to +# upstream's suggested way to configure the web server. This is because Debian's +# default Apache2 installation attempts to make adding and removing modules, +# virtual hosts, and extra configuration directives as flexible as possible, in +# order to make automating the changes and administering the server as easy as +# possible. + +# It is split into several files forming the configuration hierarchy outlined +# below, all located in the /etc/apache2/ directory: +# +# /etc/apache2/ +# |-- apache2.conf +# | `-- ports.conf +# |-- mods-enabled +# | |-- *.load +# | `-- *.conf +# |-- conf-enabled +# | `-- *.conf +# `-- sites-enabled +# `-- *.conf +# +# +# * apache2.conf is the main configuration file (this file). It puts the pieces +# together by including all remaining configuration files when starting up the +# web server. +# +# * ports.conf is always included from the main configuration file. It is +# supposed to determine listening ports for incoming connections which can be +# customized anytime. +# +# * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/ +# directories contain particular configuration snippets which manage modules, +# global configuration fragments, or virtual host configurations, +# respectively. +# +# They are activated by symlinking available configuration files from their +# respective *-available/ counterparts. These should be managed by using our +# helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. 
See +# their respective man pages for detailed information. +# +# * The binary is called apache2. Due to the use of environment variables, in +# the default configuration, apache2 needs to be started/stopped with +# /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not +# work with the default configuration. + + +# Global configuration +# + +# +# ServerRoot: The top of the directory tree under which the server's +# configuration, error, and log files are kept. +# +# NOTE! If you intend to place this on an NFS (or otherwise network) +# mounted filesystem then please read the Mutex documentation (available +# at ); +# you will save yourself a lot of trouble. +# +# Do NOT add a slash at the end of the directory path. +# +#ServerRoot "/etc/apache2" + +# +# The accept serialization lock file MUST BE STORED ON A LOCAL DISK. +# +#Mutex file:${APACHE_LOCK_DIR} default + +# +# The directory where shm and other runtime files will be stored. +# + +DefaultRuntimeDir ${APACHE_RUN_DIR} + +# +# PidFile: The file in which the server should record its process +# identification number when it starts. +# This needs to be set in /etc/apache2/envvars +# +PidFile ${APACHE_PID_FILE} + +# +# Timeout: The number of seconds before receives and sends time out. +# +Timeout 260 + +# +# KeepAlive: Whether or not to allow persistent connections (more than +# one request per connection). Set to "Off" to deactivate. +# +KeepAlive On + +# +# MaxKeepAliveRequests: The maximum number of requests to allow +# during a persistent connection. Set to 0 to allow an unlimited amount. +# We recommend you leave this number high, for maximum performance. +# +MaxKeepAliveRequests 100 + +# +# KeepAliveTimeout: Number of seconds to wait for the next request from the +# same client on the same connection. 
+# +KeepAliveTimeout 5 + + +# These need to be set in /etc/apache2/envvars +User ${APACHE_RUN_USER} +Group ${APACHE_RUN_GROUP} + +# +# HostnameLookups: Log the names of clients or just their IP addresses +# e.g., www.apache.org (on) or 204.62.129.132 (off). +# The default is off because it'd be overall better for the net if people +# had to knowingly turn this feature on, since enabling it means that +# each client request will result in AT LEAST one lookup request to the +# nameserver. +# +HostnameLookups Off + +# ErrorLog: The location of the error log file. +# If you do not specify an ErrorLog directive within a +# container, error messages relating to that virtual host will be +# logged here. If you *do* define an error logfile for a +# container, that host's errors will be logged there and not here. +# +ErrorLog ${APACHE_LOG_DIR}/error.log + +# +# LogLevel: Control the severity of messages logged to the error_log. +# Available values: trace8, ..., trace1, debug, info, notice, warn, +# error, crit, alert, emerg. +# It is also possible to configure the log level for particular modules, e.g. +# "LogLevel info ssl:warn" +# +LogLevel warn + +# Include module configuration: +IncludeOptional mods-enabled/*.load +IncludeOptional mods-enabled/*.conf + +# Include list of ports to listen on +Include ports.conf + + +# Sets the default security model of the Apache2 HTTPD server. It does +# not allow access to the root filesystem outside of /usr/share and /var/www. +# The former is used by web applications packaged in Debian, +# the latter may be used for local directories served by the web server. If +# your system is serving content from a sub-directory in /srv you must allow +# access here, or in any related virtual host. 
+ + Options FollowSymLinks + AllowOverride None + Require all denied + + + + AllowOverride None + Require all granted + + + + Options Indexes FollowSymLinks + AllowOverride None + Require all granted + + + Options FollowSymLinks + AllowOverride None + Require all denied + + + + +# +# Options Indexes FollowSymLinks +# AllowOverride None +# Require all granted +# + + + + +# AccessFileName: The name of the file to look for in each directory +# for additional configuration directives. See also the AllowOverride +# directive. +# +AccessFileName .htaccess + +# +# The following lines prevent .htaccess and .htpasswd files from being +# viewed by Web clients. +# + + Require all denied + + + +# +# The following directives define some format nicknames for use with +# a CustomLog directive. +# +# These deviate from the Common Log Format definitions in that they use %O +# (the actual bytes sent including headers) instead of %b (the size of the +# requested file), because the latter makes it impossible to detect partial +# requests. +# +# Note that the use of %{X-Forwarded-For}i instead of %h is not recommended. +# Use mod_remoteip instead. +# +LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined +LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined +LogFormat "%h %l %u %t \"%r\" %>s %O" common +LogFormat "%{Referer}i -> %U" referer +LogFormat "%{User-agent}i" agent + +Header set X-XSS-Protection "1; mode=block" +Header always set X-Frame-Options "SAMEORIGIN" +Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" +Header always set Referrer-Policy "same-origin" +Header always set Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()" +Header always set X-Content-Type-Options "nosniff" + +# Include of directories ignores editors' and dpkg's backup files, +# see README.Debian for details. 
+ +# Include generic snippets of statements +IncludeOptional conf-enabled/*.conf + +# Include the virtual host configurations: +IncludeOptional sites-enabled/*.conf + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet + +# hide apache version +ServerSignature Off +ServerTokens Prod + diff --git a/apache-conf/sites-enabled/typo3.localhost.conf b/apache-conf/sites-enabled/typo3.localhost.conf new file mode 100644 index 0000000..e8f8a5d --- /dev/null +++ b/apache-conf/sites-enabled/typo3.localhost.conf @@ -0,0 +1,44 @@ + + Options FollowSymLinks + AllowOverride All + Require all granted + + + + RemoveType .html .htm + + AddType text/html .html + AddType text/html .htm + + + RemoveType .svg .svgz + + AddType image/svg+xml .svg + AddType image/svg+xml .svgz + + + #Header set Content-Security-Policy "default-src 'self' 'unsafe-inline'; img-src * data:; font-src 'self' data:;" + + + + + + DocumentRoot /var/www/html +# ServerName typo3.localhost + UseCanonicalName On + # ServerAlias altogether.at + +# RewriteEngine on +# RewriteCond %{HTTP_HOST} ^altogether\.at$ [NC] +# RewriteCond %{HTTP_HOST} !^www\. [NC] +# RewriteRule ^(.*)$ https://www.%1altogether.at%{REQUEST_URI} [R=301,L] + +# SSLEngine on +# SSLOptions +StrictRequire +# SSLCertificateFile /etc/ssl/certs/CF-altogether.at.crt +# SSLCertificateKeyFile /etc/ssl/private/CF-altogether.at.key + +# Header always set Content-Security-Policy "default-src 'self'; font-src *;img-src *; script-src 'none'; style-src 'unsafe-inline' *; connect-src 'self'" +# Header set Content-Security-Policy "default-src 'self' 'unsafe-inline'; img-src * data:; font-src 'self' data:;" + + diff --git a/docker-compose.yml b/docker-compose.yml index c595b58..407e52d 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -4,7 +4,6 @@ networks: default: name: "${PROJECT_NAME}_typo3_db_net" external: false - traefik: name: "${TRAEFIK_NETWORK}" external: true 
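Review bot: Nothing in this patch puts `apache-conf/apache.conf` into the container — the Dockerfile has no `COPY` for it and docker-compose.yml mounts only `apache-conf/sites-enabled` — so as far as the diff shows the `Header always set …` lines it introduces (X-Frame-Options, HSTS, nosniff, Referrer-Policy, Permissions-Policy) are never sent; either add `COPY apache-conf/apache.conf /etc/apache2/apache2.conf` to the Dockerfile or move the header block into a `conf-enabled` snippet that is actually shipped. Once live, two values deserve a second look: `X-XSS-Protection "1; mode=block"` is deprecated and the current recommendation is `Header set X-XSS-Protection "0"` (the legacy auditor can itself be abused in older browsers), and `Strict-Transport-Security … preload` is a one-way commitment for the domain and every subdomain while TLS is terminated outside this container (the vhost's `SSLEngine` lines are commented out) — drop `preload` until the domain has been deliberately submitted. The `<Directory>` container tags are not rendered in this view, so the `Options Indexes FollowSymLinks` / `Require all granted` block could not be checked against the TYPO3 docroot; if it is the stock Debian `/var/www` block, `Indexes` should be removed for a CMS docroot. The trailing `ServerSignature Off` / `ServerTokens Prod` duplicate what the Dockerfile already appends to `apache2.conf`, so keep only one of the two.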
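Review bot: The vhost grants `AllowOverride All` and `Require all granted` on the docroot and leaves `Content-Security-Policy` commented out, but adds no protection for the user-writable trees that docker-compose.yml bind-mounts into it (`fileadmin`, `uploads`); TYPO3 ships `.htaccess` files for those, yet with host-owned bind mounts nothing here guarantees they are present, in which case an uploaded `.php`/`.phtml` file would be executed by PHP. An explicit, non-overridable deny for script extensions in those directories closes that regardless of what lands in the mount. The `<Directory>` tag lines are not rendered in this view, so the path the existing block applies to could not be verified. `UseCanonicalName On` with `ServerName` commented out also makes Apache build self-referential redirects from the container hostname rather than the public name — set `ServerName` or use `UseCanonicalName Off`.
```apache
# … unchanged: docroot <Directory> block and MIME type handling …

# fileadmin/uploads are user-writable bind mounts: deny script execution
# there and do not let a per-directory .htaccess re-enable it
<Directory /var/www/html/fileadmin>
    AllowOverride None
    Options -ExecCGI -Indexes
    <FilesMatch "\.(php|phtml|phar|ph[0-9]+)$">
        Require all denied
    </FilesMatch>
</Directory>
# identical block for /var/www/html/uploads
```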
@@ -16,11 +15,14 @@ services: build: . networks: - "traefik" + - "default" volumes: + - "${PROJECT_DATA}/${PROJECT_NAME}-typo3/fileadmin:/var/www/html/fileadmin" - - "${PROJECT_DATA}/${PROJECT_NAME}-typo3/typo3conf:/var/www/html/typo3conf" - "${PROJECT_DATA}/${PROJECT_NAME}-typo3/uploads:/var/www/html/uploads" - "${PROJECT_DATA}/${PROJECT_NAME}-typo3/protected:/var/www/protected" + - "${PROJECT_DATA}/${PROJECT_NAME}-typo3/typo3conf:/var/www/html/typo3conf" + - "./apache-conf/sites-enabled:/etc/apache2/sites-enabled" - "./php-conf/php.ini:/usr/local/etc/php/php.ini:ro" - "/etc/timezone:/etc/timezone:ro" - "/etc/localtime:/etc/localtime:ro" @@ -40,6 +42,8 @@ services: image: "mariadb:latest" container_name: "${PROJECT_NAME}_typo3_db" restart: "unless-stopped" + networks: + - "default" command: - "--character-set-server=utf8mb4" - "--collation-server=utf8mb4_unicode_ci" @@ -47,12 +51,12 @@ services: volumes: - "db:/var/lib/mysql" # - "${PROJECT_DATA}/${PROJECT_NAME}-typo3/db:/var/lib/mysql" - labels: # Watchtower add to auto update - "com.centurylinklabs.watchtower.enable=true" # traefik - "traefik.enable=false" + volumes: db: name: "${PROJECT_NAME}_db" \ No newline at end of file diff --git a/init b/init index 1b9d660..8c95487 100755 --- a/init +++ b/init @@ -4,9 +4,9 @@ source ./.env mkdir -p ${PROJECT_DATA}/${PROJECT_NAME}-typo3/fileadmin -mkdir -p ${PROJECT_DATA}/${PROJECT_NAME}-typo3/typo3conf mkdir -p ${PROJECT_DATA}/${PROJECT_NAME}-typo3/uploads mkdir -p ${PROJECT_DATA}/${PROJECT_NAME}-typo3/protected +mkdir -p ${PROJECT_DATA}/${PROJECT_NAME}-typo3/typo3conf mkdir -p ${PROJECT_DATA}/${PROJECT_NAME}-typo3/db docker network create $TRAEFIK_NETWORK
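Review bot: The new `./apache-conf/sites-enabled:/etc/apache2/sites-enabled` mount is read-write, unlike the `php.ini`, `/etc/timezone` and `/etc/localtime` mounts beside it; Apache's parent process runs as root in this image, so a compromised container can rewrite the host repository's vhost configuration and have it picked up on the next restart. Append `:ro` — `- "./apache-conf/sites-enabled:/etc/apache2/sites-enabled:ro"`. The mount also supersedes the Dockerfile's `chown -R root:root /etc/apache2/sites-enabled` (host ownership applies instead), so that step is dead and should be removed or documented as build-only. The `fileadmin`/`uploads`/`protected` bind mounts inherit whatever ownership the host directories have; the init script should create them owned by UID 1000 (the `a2g-www` user) rather than relying on a later world-writable workaround.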
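Review bot: The database service still runs `mariadb:latest` (unchanged context here) while the Watchtower label a few lines further down opts it into automatic image updates, so major-version upgrades of the DB engine can land without review and the deployment is not reproducible; pin a versioned tag (`image: "mariadb:11"`) or a digest and bump it deliberately. Attaching the DB only to the project-private `default` network is the right direction; since the typo3 service is also on the external Traefik network, confirm nothing else in the file (not visible in this hunk) attaches the DB there too.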