elabftw + nginx + mysql with docker-compose

.gitignore

@@ -0,0 +1,2 @@
+*~
+docker-compose.yml

50proxy

@@ -0,0 +1 @@
+Acquire::http::proxy "http://www-cache.curie.fr:3128";

Dockerfile

@@ -0,0 +1,44 @@
+# elabftw in docker, without sql
+FROM ubuntu:14.04
+MAINTAINER Nicolas CARPi <[email protected]>
+
+# uncomment for dev build in behind curie proxy
+#ADD ./50proxy /etc/apt/apt.conf.d/50proxy
+#ENV http_proxy http://www-cache.curie.fr:3128
+#ENV https_proxy https://www-cache.curie.fr:3128
+
+# install nginx and php-fpm
+RUN apt-get update
+RUN DEBIAN_FRONTEND=noninteractive apt-get install -y \
+    nginx \
+    openssl \
+    php5-fpm \
+    php5-mysql \
+    php-apc \
+    php5-gd \
+    php5-curl \
+    curl \
+    git \
+    unzip \
+    supervisor && \
+    rm -rf /var/lib/apt/lists/*
+
+# only HTTPS
+EXPOSE 443
+
+# add files
+ADD ./nginx443.conf /etc/nginx/sites-available/elabftw-ssl
+ADD ./nginx80.conf /etc/nginx/sites-available/default
+ADD ./supervisord.conf /etc/supervisord.conf
+ADD ./start.sh /start.sh
+
+# elabftw
+RUN git clone --depth 1 -b next https://github.com/elabftw/elabftw.git /elabftw
+#ADD ./elabftw-next.zip /elabftw.zip
+#RUN unzip /elabftw.zip && mv /elabftw-next /elabftw
+
+# start
+CMD ["/start.sh"]
+
+# define mountable directories.
+VOLUME ["/var/log/nginx", "/elabftw/uploads"]

README.md

@@ -0,0 +1,9 @@
+# elabftw docker nosql
+
+Build an elabftw container with nginx + php-fpm but without sql.
+You need to link this container to an SQL container.
+And you also need to import the [sql structure](https://raw.githubusercontent.com/NicolasCARPi/elabftw/master/install/elabftw.sql) into your sql database.
+
+It expects the certs to be server.key and server.crt.
+
+Look at the fig.yml-EXAMPLE file and adapt it to your use case.

docker-compose.yml-EXAMPLE

@@ -0,0 +1,24 @@
+web:
+    image: nicolascarpi/elabftw-docker
+    environment:
+        - DB_NAME=elabftw
+        - DB_USER=elabftw
+        - DB_PASSWORD=secr3t
+    ports:
+        - "9000:443"
+        - "8000:80"
+    volumes:
+        - /dok/uploads:/elabftw/uploads
+        - /dok/mysql:/var/lib/mysql
+        - /dok/log:/var/log/nginx
+    links:
+        - mysql
+mysql:
+    image: mysql:latest
+    environment:
+        - MYSQL_ROOT_PASSWORD=secr3t
+        - MYSQL_DATABASE=elabftw
+        - MYSQL_USER=elabftw
+        - MYSQL_PASSWORD=secr3t
+    volumes:
+        - /dok/mysql:/var/lib/mysql

nginx443.conf

@@ -0,0 +1,47 @@
+# https server for /elabftw
+server {
+	listen 443 ssl;
+	server_name localhost;
+
+	root /elabftw;
+	index index.php;
+
+    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
+	ssl_certificate /etc/nginx/certs/server.crt;
+	ssl_certificate_key /etc/nginx/certs/server.key;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:50m;
+
+    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
+    ssl_dhparam /etc/nginx/certs/dhparam.pem;
+
+# modern configuration. tweak to your needs.
+    ssl_protocols TLSv1.1 TLSv1.2;
+    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
+    ssl_prefer_server_ciphers on;
+
+    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+    add_header Strict-Transport-Security max-age=15768000;
+
+    # OCSP Stapling ---
+    # fetch OCSP records from URL in ssl_certificate and cache them
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
+    #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
+
+#    resolver 127.0.0.1 [::1]:53;
+
+	location / {
+		try_files $uri $uri/ =404;
+	}
+    location ~ \.php$ {
+            include         /etc/nginx/fastcgi_params;
+            if (-f $request_filename) {
+            fastcgi_pass   unix:/var/run/php5-fpm.sock;
+            }
+            fastcgi_index  index.php;
+            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
+    }
+}

nginx80.conf

@@ -0,0 +1,7 @@
+# http server for /elabftw
+# just redirect to https server
+server {
+    listen         80;
+    server_name    localhost;
+    return         301 https://$server_name$request_uri;
+}

start.sh

@@ -0,0 +1,79 @@
+#!/bin/bash
+# elabftw-docker start script
+
+# generate self-signed certificates for nginx server
+if [ ! -f /etc/nginx/certs/server.crt ]; then
+    openssl req \
+        -new \
+        -newkey rsa:4096 \
+        -days 9999 \
+        -nodes \
+        -x509 \
+        -subj "/C=FR/ST=France/L=Paris/O=elabftw/CN=www.example.com" \
+        -keyout /etc/nginx/certs/server.key \
+        -out /etc/nginx/certs/server.crt
+fi
+
+# generate Diffie-Hellman parameter for DHE ciphersuites
+if [ ! -f /etc/nginx/certs/dhparam.pem ]; then
+    openssl dhparam -outform PEM -out /etc/nginx/certs/dhparam.pem 2048
+fi
+
+# write config file from env var
+db_host=$(grep mysql /etc/hosts | awk '{print $1}')
+if [ -z "$db_host" ]; then
+    db_host=${DB_HOST}
+fi
+db_name=${DB_NAME:-elabftw}
+db_user=${DB_USER:-elabftw}
+db_password=${DB_PASSWORD}
+elab_root='/elabftw/'
+server_name=${SERVER_NAME:-localhost}
+disable_https=${DISABLE_HTTPS:-false}
+
+cat << EOF > /elabftw/config.php
+<?php
+define('DB_HOST', '${db_host}');
+define('DB_NAME', '${db_name}');
+define('DB_USER', '${db_user}');
+define('DB_PASSWORD', '${db_password}');
+define('ELAB_ROOT', '${elab_root}');
+EOF
+
+# nginx config
+echo "daemon off;" >> /etc/nginx/nginx.conf
+sed -i -e "s/keepalive_timeout\s*65/keepalive_timeout 2/" /etc/nginx/nginx.conf
+sed -i -e "s/keepalive_timeout 2/keepalive_timeout 2;\n\tclient_max_body_size 100m/" /etc/nginx/nginx.conf
+# remove the default site
+#rm /etc/nginx-sites-enabled/default
+
+# false by default
+if ($disable_https); then
+    # put the right server_name
+    sed -i -e "s/localhost/$server_name/" /etc/nginx/sites-available/elabftw-no-ssl
+    # activate an HTTP server listening on port 443
+    ln -s /etc/nginx/sites-available/elabftw-no-ssl /etc/nginx/sites-enabled/elabftw-no-ssl
+    # now we need to disable the checks in elab
+
+else
+    # put the right server_name
+    sed -i -e "s/localhost/$server_name/" /etc/nginx/sites-available/elabftw-ssl
+    # activate an HTTPS server listening on port 443
+    ln -s /etc/nginx/sites-available/elabftw-ssl /etc/nginx/sites-enabled/elabftw-ssl
+fi
+
+# php-fpm config
+sed -i -e "s/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g" /etc/php5/fpm/php.ini
+sed -i -e "s/upload_max_filesize\s*=\s*2M/upload_max_filesize = 100M/g" /etc/php5/fpm/php.ini
+sed -i -e "s/post_max_size\s*=\s*8M/post_max_size = 100M/g" /etc/php5/fpm/php.ini
+sed -i -e "s/;daemonize\s*=\s*yes/daemonize = no/g" /etc/php5/fpm/php-fpm.conf
+sed -i -e "s/;catch_workers_output\s*=\s*yes/catch_workers_output = yes/g" /etc/php5/fpm/pool.d/www.conf
+
+# elabftw
+mkdir -p /elabftw/uploads/{tmp,export}
+chmod -R 777 /elabftw/uploads
+chown -R www-data:www-data /elabftw
+chmod -R u+x /elabftw/*
+
+# start all the services
+/usr/bin/supervisord -c /etc/supervisord.conf -n

supervisord.conf

@@ -0,0 +1,29 @@
+[unix_http_server]
+file=/tmp/supervisor.sock   ; (the path to the socket file)
+
+[supervisord]
+logfile=/tmp/supervisord.log ; (main log file;default $CWD/supervisord.log)
+logfile_maxbytes=50MB        ; (max main logfile bytes b4 rotation;default 50MB)
+logfile_backups=10           ; (num of main logfile rotation backups;default 10)
+loglevel=info                ; (log level;default info; others: debug,warn,trace)
+pidfile=/tmp/supervisord.pid ; (supervisord pidfile;default supervisord.pid)
+nodaemon=false               ; (start in foreground if true;default false)
+minfds=1024                  ; (min. avail startup file descriptors;default 1024)
+minprocs=200                 ; (min. avail process descriptors;default 200)
+
+[rpcinterface:supervisor]
+supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
+
+[supervisorctl]
+serverurl=unix:///tmp/supervisor.sock ; use a unix:// URL  for a unix socket
+
+[inet_http_server]
+port = 127.0.0.1:9001
+username = t
+password = t
+
+[program:php5-fpm]
+command=/usr/sbin/php5-fpm -c /etc/php5/fpm
+
+[program:nginx]
+command=/usr/sbin/nginx