a2g_dockerized/traefik_typo3
Template
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: a2g_dockerized:testing
Branches Tags
a2g_dockerized:main a2g_dockerized:testing
..
compare: a2g_dockerized:1b9d5425427a2dac323cbd7c2a9d180883845db0
Branches Tags
a2g_dockerized:testing a2g_dockerized:main

2 Commits
testing ... 1b9d542542

Author SHA1 Message Date
rama
1b9d542542 Merge pull request 'changed sql driver and clean up' (#2) from testing into main 
Reviewed-on: #2
 2023-11-29 12:20:05 +01:00
rama
428e3e25df Merge pull request 'fixed missing configs and install' (#1) from testing into main 
Reviewed-on: #1
 2023-11-28 21:08:53 +01:00
8 changed files with 431 additions and 425 deletions
Expand all files Collapse all files

158
Dockerfile Normal file
View File

@ -0,0 +1,158 @@
# Dockerfile
# Docker image for TYPO3 CMS
FROM php:8.2-apache
LABEL maintainer="Raphael Martin <raphy.martin@protonmail.ch>"
# set envirement
ENV LANG=de_AT.UTF-8
ENV APACHE_RUN_USER a2g-www
ENV TYPO3_VERSION 12.4.8
ENV TYPO3_SHA256CHECKSUM 8293b3441ec133fc8f9174fab5b88f450044ded0e188a0f12de37ad60a8bf8b3
# change apache user
RUN adduser --uid 1000 --gecos 'Apache User' --disabled-password $APACHE_RUN_USER \
&& chown -R "$APACHE_RUN_USER:$APACHE_RUN_USER" /var/lock/apache2 /var/run/apache2
# update system
RUN apt-get update -y && apt-get upgrade -y
# Install wget and locales
RUN apt-get install -y --no-install-recommends \
wget \
locales
RUN export LANG=${LANG} && \
export LC_ALL=${LANG} && \
export LC_TIME=${LANG} && \
export LANGUAGE=${LANG} && \
echo "${LANG} UTF-8" > /etc/locale.gen && \
/usr/sbin/locale-gen
# Export env vars
RUN { \
echo "export LC_ALL=${LANG}"; \
echo "export LANG=${LANG}"; \
echo "export LANGUAGE=${LANG}"; \
} >> ~/.bashrc
RUN cp ~/.bashrc /home/${APACHE_RUN_USER} && \
chown -R "$APACHE_RUN_USER:$APACHE_RUN_USER" /home/${APACHE_RUN_USER}/.bashrc
# Download TYPO3
RUN cd /tmp && \
wget -O download.tar.gz https://get.typo3.org/${TYPO3_VERSION} && \
echo "${TYPO3_SHA256CHECKSUM} /tmp/download.tar.gz" > /tmp/download.tar.gz.sum
RUN sha256sum -c "/tmp/download.tar.gz.sum"
# Install
RUN set -ex; \
\
apt-get install -y --no-install-recommends \
# Configure PHP
libxml2-dev \
libfreetype6-dev \
libjpeg62-turbo-dev \
libmcrypt-dev \
libpng-dev \
libpq-dev \
zlib1g-dev \
sendmail \
graphicsmagick
RUN docker-php-ext-configure gd --with-libdir=/usr/include/ --with-jpeg --with-freetype
RUN docker-php-ext-install -j$(nproc) \
pdo \
pdo_mysql \
soap \
gd \
opcache \
intl
RUN apt-get -y purge \
libxml2-dev libfreetype6-dev \
libjpeg62-turbo-dev \
libmcrypt-dev \
libpng-dev \
zlib1g-dev \
wget && \
apt-get autoremove -y
RUN apt-get install -y --no-install-recommends \
libzip-dev \
zip
RUN docker-php-ext-install -j$(nproc) \
zip
# Clean
RUN apt-get -y purge \
libzip-dev && \
apt-get clean && \
rm -rf /var/lib/apt/lists/* /usr/src/*
# Configure Apache
RUN set -eux; \
docker-php-ext-enable opcache; \
{ \
echo 'opcache.memory_consumption=128'; \
echo 'opcache.interned_strings_buffer=8'; \
echo 'opcache.max_accelerated_files=4000'; \
echo 'opcache.revalidate_freq=2'; \
} > /usr/local/etc/php/conf.d/opcache-recommended.ini
RUN { \
echo 'error_reporting = E_ERROR | E_WARNING | E_PARSE | E_CORE_ERROR | E_CORE_WARNING | E_COMPILE_ERROR | E_COMPILE_WARNING | E_RECOVERABLE_ERROR'; \
echo 'display_errors = Off'; \
echo 'display_startup_errors = Off'; \
echo 'log_errors = On'; \
echo 'error_log = /dev/stderr'; \
echo 'log_errors_max_len = 1024'; \
echo 'ignore_repeated_errors = On'; \
echo 'ignore_repeated_source = Off'; \
echo 'html_errors = Off'; \
} > /usr/local/etc/php/conf.d/error-logging.ini
RUN set -eux; \
a2enmod rewrite expires remoteip headers; \
{ \
echo 'RemoteIPHeader X-Forwarded-For'; \
# these IP ranges are reserved for "private" use and should thus *usually* be safe inside Docker
echo 'RemoteIPInternalProxy 10.0.0.0/8'; \
echo 'RemoteIPInternalProxy 172.16.0.0/12'; \
echo 'RemoteIPInternalProxy 192.168.0.0/16'; \
echo 'RemoteIPInternalProxy 169.254.0.0/16'; \
echo 'RemoteIPInternalProxy 127.0.0.0/8'; \
} > /etc/apache2/conf-available/remoteip.conf; \
a2enconf remoteip; \
find /etc/apache2 -type f -name '*.conf' -exec sed -ri 's/([[:space:]]*LogFormat[[:space:]]+"[^"]*)%h([^"]*")/\1%a\2/g' '{}' +
# install TYPO3 surf
# RUN mkdir /usr/local/surf && \
# curl -L https://github.com/TYPO3/Surf/releases/download/3.4.6/surf.phar -o /usr/local/surf/surf.phar && \
# chmod +x /usr/local/surf/surf.phar && \
# ln -s /usr/local/surf/surf.phar /usr/local/bin/surf
# install TYPO3
RUN tar -xzf /tmp/download.tar.gz -C /var/www/ && \
rm /tmp/download*
RUN cd /var/www/html && \
ln -s ../typo3_src-* typo3_src && \
ln -s typo3_src/index.php && \
ln -s typo3_src/typo3
RUN chown -R $APACHE_RUN_USER:$APACHE_RUN_USER /var/www/html && \
chown -R $APACHE_RUN_USER:$APACHE_RUN_USER /var/www/typo3_src-* && \
chown -R root:root /etc/apache2/sites-enabled
RUN { \
echo "ServerSignature Off"; \
echo "ServerTokens Prod"; \
} >> /etc/apache2/apache2.conf
VOLUME /var/www

2
LICENSE
View File

@ -1,6 +1,6 @@
MIT License
Copyright (c) 2023 altogether
Copyright (c) 2023 a2g_dockerized
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

14
README.md
View File

@ -33,19 +33,9 @@ for development:
'transport_sendmail_command' => '/usr/sbin/sendmail -bs',
and append / set:
and append:
['SYS'][
...
'systemLocale' => 'de_AT.UTF-8',
'reverseProxyHeaderMultiValue' => 'first',
'reverseProxyIP' => '127.0.0.1',
'features' => [
...
'security.backend.enforceReferrer] => false,
'security.backend.enforceContentSecurityPolicy' => false,
]
]
['SYS']['features']['security.backend.enforceReferrer'] = true
because we are behind the reverse proxy.

395
apache-conf/.htaccess
View File

@ -1,395 +0,0 @@
#####
#
# Example .htaccess file for TYPO3 CMS - for use with Apache Webserver
#
# This file includes settings for the following configuration options:
#
# - Compression
# - Caching
# - MIME types
# - Cross Origin requests
# - Rewriting and Access
# - Miscellaneous
# - PHP optimisation
#
# If you want to use it, you have to copy it to the root folder of your TYPO3 installation (if its
# not there already) and rename it to '.htaccess'. To make .htaccess files work, you might need to
# adjust the 'AllowOverride' directive in your Apache configuration file.
#
# IMPORTANT: You may need to change this file depending on your TYPO3 installation!
# Consider adding this file's content to your webserver's configuration directly for speed improvement
#
# Lots of the options are taken from https://github.com/h5bp/html5-boilerplate/blob/master/dist/.htaccess
#
####
### Begin: Compression ###
# Compressing resource files will save bandwidth and so improve loading speed especially for users
# with slower internet connections. TYPO3 can compress the .js and .css files for you.
# *) Uncomment the following lines and
# *) Set $GLOBALS['TYPO3_CONF_VARS']['BE']['compressionLevel'] = 9 for the Backend
# *) Set $GLOBALS['TYPO3_CONF_VARS']['FE']['compressionLevel'] = 9 together with the TypoScript properties
# config.compressJs and config.compressCss for GZIP compression of Frontend JS and CSS files.
#<FilesMatch "\.js\.gz">
# AddType "text/javascript" .gz
#</FilesMatch>
#<FilesMatch "\.css\.gz">
# AddType "text/css" .gz
#</FilesMatch>
#AddEncoding x-gzip .gz
<IfModule mod_deflate.c>
# Force compression for mangled `Accept-Encoding` request headers
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
</IfModule>
</IfModule>
# Compress all output labeled with one of the following media types.
#
# (!) For Apache versions below version 2.3.7 you don't need to
# enable `mod_filter` and can remove the `<IfModule mod_filter.c>`
# and `</IfModule>` lines as `AddOutputFilterByType` is still in
# the core directives.
#
# https://httpd.apache.org/docs/current/mod/mod_filter.html#addoutputfilterbytype
<IfModule mod_filter.c>
AddOutputFilterByType DEFLATE application/atom+xml \
application/javascript \
application/json \
application/ld+json \
application/manifest+json \
application/rdf+xml \
application/rss+xml \
application/schema+json \
application/vnd.geo+json \
application/geo+json \
application/vnd.ms-fontobject \
application/x-font-ttf \
application/x-javascript \
application/x-web-app-manifest+json \
application/xhtml+xml \
application/xml \
font/eot \
font/opentype \
font/otf \
font/ttf \
image/bmp \
image/svg+xml \
image/vnd.microsoft.icon \
image/x-icon \
text/cache-manifest \
text/css \
text/html \
text/javascript \
text/plain \
text/vcard \
text/vnd.rim.location.xloc \
text/vtt \
text/x-component \
text/x-cross-domain-policy \
text/xml
</IfModule>
<IfModule mod_mime.c>
AddEncoding gzip svgz
</IfModule>
</IfModule>
### End: Compression ###
### Begin: Browser caching of resource files ###
# This affects Frontend and Backend and increases performance.
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 1 month"
ExpiresByType text/css "access plus 1 year"
ExpiresByType application/json "access plus 0 seconds"
ExpiresByType application/ld+json "access plus 0 seconds"
ExpiresByType application/schema+json "access plus 0 seconds"
ExpiresByType application/vnd.geo+json "access plus 0 seconds"
ExpiresByType application/geo+json "access plus 0 seconds"
ExpiresByType application/xml "access plus 0 seconds"
ExpiresByType text/xml "access plus 0 seconds"
ExpiresByType image/vnd.microsoft.icon "access plus 1 week"
ExpiresByType image/x-icon "access plus 1 week"
ExpiresByType text/x-component "access plus 1 month"
ExpiresByType text/html "access plus 0 seconds"
ExpiresByType application/javascript "access plus 1 year"
ExpiresByType application/x-javascript "access plus 1 year"
ExpiresByType text/javascript "access plus 1 year"
ExpiresByType application/manifest+json "access plus 1 week"
ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds"
ExpiresByType text/cache-manifest "access plus 0 seconds"
ExpiresByType audio/ogg "access plus 1 month"
ExpiresByType image/apng "access plus 1 month"
ExpiresByType image/avif "access plus 1 month"
ExpiresByType image/avif-sequence "access plus 1 month"
ExpiresByType image/bmp "access plus 1 month"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType image/jxl "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType image/svg+xml "access plus 1 month"
ExpiresByType image/webp "access plus 1 month"
ExpiresByType video/mp4 "access plus 1 month"
ExpiresByType video/ogg "access plus 1 month"
ExpiresByType video/webm "access plus 1 month"
ExpiresByType application/atom+xml "access plus 1 hour"
ExpiresByType application/rdf+xml "access plus 1 hour"
ExpiresByType application/rss+xml "access plus 1 hour"
ExpiresByType font/collection "access plus 1 month"
ExpiresByType application/vnd.ms-fontobject "access plus 1 month"
ExpiresByType font/eot "access plus 1 month"
ExpiresByType font/opentype "access plus 1 month"
ExpiresByType font/otf "access plus 1 month"
ExpiresByType application/x-font-ttf "access plus 1 month"
ExpiresByType font/ttf "access plus 1 month"
ExpiresByType application/font-woff "access plus 1 month"
ExpiresByType application/x-font-woff "access plus 1 month"
ExpiresByType font/woff "access plus 1 month"
ExpiresByType application/font-woff2 "access plus 1 month"
ExpiresByType font/woff2 "access plus 1 month"
ExpiresByType text/x-cross-domain-policy "access plus 1 week"
</IfModule>
### End: Browser caching of resource files ###
### Begin: MIME types ###
# Proper MIME types for all files
<IfModule mod_mime.c>
# Security configuration
RemoveType .html .htm
<FilesMatch ".+\.html?$">
AddType text/html .html .htm
</FilesMatch>
RemoveType .svg .svgz
<FilesMatch ".+\.svgz?$">
AddType image/svg+xml .svg .svgz
</FilesMatch>
# Data interchange
AddType application/atom+xml atom
AddType application/json json map topojson
AddType application/ld+json jsonld
AddType application/rss+xml rss
AddType application/vnd.geo+json geojson
AddType application/xml rdf xml
# JavaScript
AddType application/javascript js
# Manifest files
AddType application/manifest+json webmanifest
AddType application/x-web-app-manifest+json webapp
AddType text/cache-manifest appcache
# Media files
AddType audio/mp4 f4a f4b m4a
AddType audio/ogg oga ogg opus
AddType image/avif avif
AddType image/avif-sequence avifs
AddType image/bmp bmp
AddType image/jxl jxl
AddType image/webp webp
AddType video/mp4 f4v f4p m4v mp4
AddType video/ogg ogv
AddType video/webm webm
AddType video/x-flv flv
AddType image/x-icon cur ico
# Web fonts
AddType font/woff woff
AddType font/woff2 woff2
AddType application/vnd.ms-fontobject eot
AddType font/ttf ttc ttf
AddType font/otf otf
# Other
AddType application/octet-stream safariextz
AddType application/x-bb-appworld bbaw
AddType application/x-chrome-extension crx
AddType application/x-opera-extension oex
AddType application/x-xpinstall xpi
AddType text/vcard vcard vcf
AddType text/vnd.rim.location.xloc xloc
AddType text/vtt vtt
AddType text/x-component htc
</IfModule>
# UTF-8 encoding
AddDefaultCharset utf-8
<IfModule mod_mime.c>
AddCharset utf-8 .atom .css .js .json .manifest .rdf .rss .vtt .webapp .webmanifest .xml
</IfModule>
### End: MIME types ###
### Begin: Cross Origin ###
# Send the CORS header for images when browsers request it.
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
<FilesMatch "\.(avifs?|bmp|cur|gif|ico|jpe?g|png|svgz?|webp)$">
SetEnvIf Origin ":" IS_CORS
Header set Access-Control-Allow-Origin "*" env=IS_CORS
</FilesMatch>
</IfModule>
</IfModule>
# Allow cross-origin access to web fonts.
<IfModule mod_headers.c>
<FilesMatch "\.(eot|otf|tt[cf]|woff2?)$">
Header set Access-Control-Allow-Origin "*"
</FilesMatch>
</IfModule>
### End: Cross Origin ###
### Begin: Rewriting and Access ###
<IfModule mod_rewrite.c>
# Enable URL rewriting
RewriteEngine On
# Store the current location in an environment variable CWD to use
# mod_rewrite in .htaccess files without knowing the RewriteBase
RewriteCond $0#%{REQUEST_URI} ([^#]*)#(.*)\1$
RewriteRule ^.*$ - [E=CWD:%2]
# Rules to set ApplicationContext based on hostname
#RewriteCond %{HTTP_HOST} ^dev\.example\.com$
#RewriteRule .? - [E=TYPO3_CONTEXT:Development]
#RewriteCond %{HTTP_HOST} ^staging\.example\.com$
#RewriteRule .? - [E=TYPO3_CONTEXT:Production/Staging]
#RewriteCond %{HTTP_HOST} ^www\.example\.com$
#RewriteRule .? - [E=TYPO3_CONTEXT:Production]
# Rule for versioned static files, configured through:
# - $GLOBALS['TYPO3_CONF_VARS']['BE']['versionNumberInFilename']
# - $GLOBALS['TYPO3_CONF_VARS']['FE']['versionNumberInFilename']
# IMPORTANT: This rule has to be the very first RewriteCond in order to work!
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)\.(\d+)\.(php|js|css|png|jpg|gif|gz)$ %{ENV:CWD}$1.$3 [L]
# Access block for folders
RewriteRule _(?:recycler|temp)_/ - [F]
RewriteRule fileadmin/templates/.*\.(?:txt|ts)$ - [F]
RewriteRule ^(?:vendor|typo3_src|typo3temp/var) - [F]
RewriteRule (?:typo3conf/ext|typo3/sysext|typo3/ext)/[^/]+/(?:Configuration|Resources/Private|Tests?|Documentation|docs?)/ - [F]
# Block access to all hidden files and directories with the exception of
# the visible content from within the `/.well-known/` hidden directory (RFC 5785).
RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC]
RewriteCond %{SCRIPT_FILENAME} -d [OR]
RewriteCond %{SCRIPT_FILENAME} -f
RewriteRule (?:^|/)\. - [F]
# Stop rewrite processing, if we are in any other known directory
# NOTE: Add your additional local storages here
RewriteRule ^(?:fileadmin/|typo3conf/|typo3temp/|uploads/) - [L]
# If the file/symlink/directory does not exist but is below /typo3/, redirect to the TYPO3 Backend entry point.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-l
RewriteRule ^typo3/(.*)$ %{ENV:CWD}typo3/index.php [QSA,L]
# If the file/symlink/directory does not exist => Redirect to index.php.
# For httpd.conf, you need to prefix each '%{REQUEST_FILENAME}' with '%{DOCUMENT_ROOT}'.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-l
RewriteRule ^.*$ %{ENV:CWD}index.php [QSA,L]
</IfModule>
# Access block for files
# Apache < 2.3
<IfModule !mod_authz_core.c>
<FilesMatch "(?i:^\.|^#.*#|^(?:ChangeLog|ToDo|Readme|License)(?:\.md|\.txt)?|^composer\.(?:json|lock)|^ext_conf_template\.txt|^ext_typoscript_constants\.txt|^ext_typoscript_setup\.txt|flexform[^.]*\.xml|locallang[^.]*\.(?:xml|xlf)|\.(?:bak|co?nf|cfg|ya?ml|ts|typoscript|tsconfig|dist|fla|in[ci]|log|sh|sql(?:\..*)?|sqlite(?:\..*)?|sw[op]|git.*|rc)|.*~)$">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>
</IfModule>
# Apache ≥ 2.3
<IfModule mod_authz_core.c>
<If "%{REQUEST_URI} =~ m#(?i:/\.|/\x23.*\x23|/(?:ChangeLog|ToDo|Readme|License)(?:\.md|\.txt)?|/composer\.(?:json|lock)|/ext_conf_template\.txt|/ext_typoscript_constants\.txt|/ext_typoscript_setup\.txt|flexform[^.]*\.xml|locallang[^.]*\.(?:xml|xlf)|\.(?:bak|co?nf|cfg|ya?ml|ts|typoscript|tsconfig|dist|fla|in[ci]|log|sh|sql(?:\..*)?|sqlite(?:\..*)?|sw[op]|git.*|rc)|.*~)$#">
Require all denied
</If>
</IfModule>
# Block access to vcs directories
<IfModule mod_alias.c>
RedirectMatch 404 /\.(?:git|svn|hg)/
</IfModule>
### End: Rewriting and Access ###
### Begin: Miscellaneous ###
# 404 error prevention for non-existing redirected folders
Options -MultiViews
# Make sure that directory listings are disabled.
<IfModule mod_autoindex.c>
Options -Indexes
</IfModule>
<IfModule mod_headers.c>
# Force IE to render pages in the highest available mode
Header set X-UA-Compatible "IE=edge"
<FilesMatch "\.(appcache|avifs?|crx|css|eot|gif|htc|ico|jpe?g|js|m4a|m4v|manifest|mp4|oex|oga|ogg|ogv|otf|pdf|png|safariextz|svgz?|ttf|vcf|webapp|webm|webp|woff2?|xml|xpi)$">
Header unset X-UA-Compatible
</FilesMatch>
# Reducing MIME type security risks
Header set X-Content-Type-Options "nosniff"
</IfModule>
# ETag removal
<IfModule mod_headers.c>
Header unset ETag
</IfModule>
FileETag None
### End: Miscellaneous ###
# Add your own rules here.

246
apache-conf/apache.conf Normal file
View File

@ -0,0 +1,246 @@
# This is the main Apache server configuration file. It contains the
# configuration directives that give the server its instructions.
# See http://httpd.apache.org/docs/2.4/ for detailed information about
# the directives and /usr/share/doc/apache2/README.Debian about Debian specific
# hints.
#
#
# Summary of how the Apache 2 configuration works in Debian:
# The Apache 2 web server configuration in Debian is quite different to
# upstream's suggested way to configure the web server. This is because Debian's
# default Apache2 installation attempts to make adding and removing modules,
# virtual hosts, and extra configuration directives as flexible as possible, in
# order to make automating the changes and administering the server as easy as
# possible.
# It is split into several files forming the configuration hierarchy outlined
# below, all located in the /etc/apache2/ directory:
#
# /etc/apache2/
# |-- apache2.conf
# | `-- ports.conf
# |-- mods-enabled
# | |-- *.load
# | `-- *.conf
# |-- conf-enabled
# | `-- *.conf
# `-- sites-enabled
# `-- *.conf
#
#
# * apache2.conf is the main configuration file (this file). It puts the pieces
# together by including all remaining configuration files when starting up the
# web server.
#
# * ports.conf is always included from the main configuration file. It is
# supposed to determine listening ports for incoming connections which can be
# customized anytime.
#
# * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/
# directories contain particular configuration snippets which manage modules,
# global configuration fragments, or virtual host configurations,
# respectively.
#
# They are activated by symlinking available configuration files from their
# respective *-available/ counterparts. These should be managed by using our
# helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. See
# their respective man pages for detailed information.
#
# * The binary is called apache2. Due to the use of environment variables, in
# the default configuration, apache2 needs to be started/stopped with
# /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not
# work with the default configuration.
# Global configuration
#
#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE! If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the Mutex documentation (available
# at <URL:http://httpd.apache.org/docs/2.4/mod/core.html#mutex>);
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
#ServerRoot "/etc/apache2"
#
# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
#
#Mutex file:${APACHE_LOCK_DIR} default
#
# The directory where shm and other runtime files will be stored.
#
DefaultRuntimeDir ${APACHE_RUN_DIR}
#
# PidFile: The file in which the server should record its process
# identification number when it starts.
# This needs to be set in /etc/apache2/envvars
#
PidFile ${APACHE_PID_FILE}
#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 260
#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On
#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100
#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 5
# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog ${APACHE_LOG_DIR}/error.log
#
# LogLevel: Control the severity of messages logged to the error_log.
# Available values: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the log level for particular modules, e.g.
# "LogLevel info ssl:warn"
#
LogLevel warn
# Include module configuration:
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
# Include list of ports to listen on
Include ports.conf
# Sets the default security model of the Apache2 HTTPD server. It does
# not allow access to the root filesystem outside of /usr/share and /var/www.
# The former is used by web applications packaged in Debian,
# the latter may be used for local directories served by the web server. If
# your system is serving content from a sub-directory in /srv you must allow
# access here, or in any related virtual host.
<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<Directory /home/www/>
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>
#<Directory /srv/>
# Options Indexes FollowSymLinks
# AllowOverride None
# Require all granted
#</Directory>
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives. See also the AllowOverride
# directive.
#
AccessFileName .htaccess
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>
#
# The following directives define some format nicknames for use with
# a CustomLog directive.
#
# These deviate from the Common Log Format definitions in that they use %O
# (the actual bytes sent including headers) instead of %b (the size of the
# requested file), because the latter makes it impossible to detect partial
# requests.
#
# Note that the use of %{X-Forwarded-For}i instead of %h is not recommended.
# Use mod_remoteip instead.
#
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
Header set X-XSS-Protection "1; mode=block"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set Referrer-Policy "same-origin"
Header always set Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()"
Header always set X-Content-Type-Options "nosniff"
# Include of directories ignores editors' and dpkg's backup files,
# see README.Debian for details.
# Include generic snippets of statements
IncludeOptional conf-enabled/*.conf
# Include the virtual host configurations:
IncludeOptional sites-enabled/*.conf
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
# hide apache version
ServerSignature Off
ServerTokens Prod

22
apache-conf/sites-enabled/typo3.localhost.conf
View File

@ -21,12 +21,24 @@
</IfModule>
</IfModule>
<VirtualHost *:80>
DocumentRoot /var/www/html
# ServerName typo3.localhost
UseCanonicalName On
</VirtualHost>
# ServerAlias altogether.at
<VirtualHost *:443>
DocumentRoot /var/www/html
UseCanonicalName On
</VirtualHost>
# RewriteEngine on
# RewriteCond %{HTTP_HOST} ^altogether\.at$ [NC]
# RewriteCond %{HTTP_HOST} !^www\. [NC]
# RewriteRule ^(.*)$ https://www.%1altogether.at%{REQUEST_URI} [R=301,L]
# SSLEngine on
# SSLOptions +StrictRequire
# SSLCertificateFile /etc/ssl/certs/CF-altogether.at.crt
# SSLCertificateKeyFile /etc/ssl/private/CF-altogether.at.key
# Header always set Content-Security-Policy "default-src 'self'; font-src *;img-src *; script-src 'none'; style-src 'unsafe-inline' *; connect-src 'self'"
# Header set Content-Security-Policy "default-src 'self' 'unsafe-inline'; img-src * data:; font-src 'self' data:;"
</VirtualHost>

18
docker-compose.yml
View File

@ -1,4 +1,4 @@
version: '3.8'
version: '1'
networks:
default:
@ -12,8 +12,7 @@ services:
typo3:
container_name: "${PROJECT_NAME}_typo3"
hostname: "${PROJECT_URL}"
image: "altogether/typo3:12.4.8-apache"
user: "1000"
build: .
networks:
- "traefik"
- "default"
@ -23,28 +22,23 @@ services:
- "${PROJECT_DATA}/${PROJECT_NAME}-typo3/protected:/var/www/protected"
- "${PROJECT_DATA}/${PROJECT_NAME}-typo3/typo3conf:/var/www/html/typo3conf"
- "./apache-conf/sites-enabled:/etc/apache2/sites-enabled"
- "./apache-conf/.htaccess:/var/www/html/.htaccess"
- "./php-conf/php.ini:/usr/local/etc/php/php.ini:ro"
## use for the first install
#- "./LICENSE:/var/www/html/FIRST_INSTALL:ro"
# - "./LICENSE:/var/www/html/FIRST_INSTALL:ro"
- "/etc/timezone:/etc/timezone:ro"
- "/etc/localtime:/etc/localtime:ro"
depends_on:
- "db"
labels:
# Watchtower add to auto update
- "com.centurylinklabs.watchtower.enable=false"
- "com.centurylinklabs.watchtower.enable=true"
# traefik
- "traefik.enable=true"
- "traefik.docker.network=${TRAEFIK_NETWORK}"
- "traefik.http.routers.${PROJECT_NAME}_typo3.rule=Host(`${PROJECT_URL}`)"
- "traefik.http.routers.${PROJECT_NAME}_typo3.entrypoints=websecure"
- "traefik.http.routers.${PROJECT_NAME}_typo3.tls=true"
- "traefik.http.services.${PROJECT_NAME}_typo3.loadbalancer.server.port=443"
# Use the special Traefik service api@internal with the web UI/Dashboard
# - traefik.http.routers.${PROJECT_NAME}_typo3.service=api@internal
# Use the "le" (Let's Encrypt) resolver created below
# - traefik.http.routers.${PROJECT_NAME}_typo3.tls.certresolver=le
- "traefik.http.services.${PROJECT_NAME}_typo3.loadbalancer.server.port=80"
db:
image: "mariadb:latest"
container_name: "${PROJECT_NAME}_typo3_db"
@ -56,7 +50,7 @@ services:
- "--collation-server=utf8mb4_unicode_ci"
env_file: ".env"
volumes:
- "${PROJECT_DATA}/${PROJECT_NAME}-typo3/db:/var/lib/mysql"
- "${PROJECT_DATA}/${PROJECT_NAME}-typo3/db:/var/lib/mysql"
labels:
# Watchtower add to auto update
- "com.centurylinklabs.watchtower.enable=true"

1
init
View File

@ -2,6 +2,7 @@
source ./.env
mkdir -p ${PROJECT_DATA}/${PROJECT_NAME}-typo3/fileadmin
mkdir -p ${PROJECT_DATA}/${PROJECT_NAME}-typo3/uploads
mkdir -p ${PROJECT_DATA}/${PROJECT_NAME}-typo3/protected