From 015f7efe64fe6d21b856a64044d5766db5aa0ddf Mon Sep 17 00:00:00 2001
From: NicolasCARPi
Date: Wed, 13 May 2015 16:55:13 +0200
Subject: [PATCH] elabftw + nginx + mysql with docker-compose
---
.gitignore | 2 +
50proxy | 1 +
Dockerfile | 44 +++++++++++++++++++++
README.md | 9 +++++
docker-compose.yml-EXAMPLE | 24 ++++++++++++
nginx443.conf | 47 +++++++++++++++++++++++
nginx80.conf | 7 ++++
start.sh | 79 ++++++++++++++++++++++++++++++++++++++
supervisord.conf | 29 ++++++++++++++
9 files changed, 242 insertions(+)
create mode 100644 .gitignore
create mode 100644 50proxy
create mode 100644 Dockerfile
create mode 100644 README.md
create mode 100644 docker-compose.yml-EXAMPLE
create mode 100644 nginx443.conf
create mode 100644 nginx80.conf
create mode 100755 start.sh
create mode 100644 supervisord.conf
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e9c110e
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+*~
+docker-compose.yml
diff --git a/50proxy b/50proxy
new file mode 100644
index 0000000..c6af400
--- /dev/null
+++ b/50proxy
@@ -0,0 +1 @@
+Acquire::http::proxy "http://www-cache.curie.fr:3128";
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..69b2c2c
--- /dev/null
+++ b/Dockerfile
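Review bot: `50proxy` commits a site-specific internal proxy address (`www-cache.curie.fr:3128`) into a public repository while its only consumer is a commented-out `ADD` in the Dockerfile, so the file publishes an internal hostname for no runtime benefit. Passing the proxy at build time (`docker build --build-arg http_proxy=…`) and dropping the file keeps the repository and the published image free of site details. Package integrity is not at stake here, since apt still verifies Release signatures through a plain-HTTP proxy; the concern is only what the repository discloses about the build environment.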
@@ -0,0 +1,44 @@
+# elabftw in docker, without sql
+FROM ubuntu:14.04
+MAINTAINER Nicolas CARPi
+
+# uncomment for dev build in behind curie proxy
+#ADD ./50proxy /etc/apt/apt.conf.d/50proxy
+#ENV http_proxy http://www-cache.curie.fr:3128
+#ENV https_proxy https://www-cache.curie.fr:3128
+
+# install nginx and php-fpm
+RUN apt-get update
+RUN DEBIAN_FRONTEND=noninteractive apt-get install -y \
+ nginx \
+ openssl \
+ php5-fpm \
+ php5-mysql \
+ php-apc \
+ php5-gd \
+ php5-curl \
+ curl \
+ git \
+ unzip \
+ supervisor && \
+ rm -rf /var/lib/apt/lists/*
+
+# only HTTPS
+EXPOSE 443
+
+# add files
+ADD ./nginx443.conf /etc/nginx/sites-available/elabftw-ssl
+ADD ./nginx80.conf /etc/nginx/sites-available/default
+ADD ./supervisord.conf /etc/supervisord.conf
+ADD ./start.sh /start.sh
+
+# elabftw
+RUN git clone --depth 1 -b next https://github.com/elabftw/elabftw.git /elabftw
+#ADD ./elabftw-next.zip /elabftw.zip
+#RUN unzip /elabftw.zip && mv /elabftw-next /elabftw
+
+# start
+CMD ["/start.sh"]
+
+# define mountable directories.
+VOLUME ["/var/log/nginx", "/elabftw/uploads"]
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..c98eee1
--- /dev/null
+++ b/README.md
@@ -0,0 +1,9 @@
+# elabftw docker nosql
+
+Build an elabftw container with nginx + php-fpm but without sql.
+You need to link this container to an SQL container.
+And you also need to import the [sql structure](https://raw.githubusercontent.com/NicolasCARPi/elabftw/master/install/elabftw.sql) into your sql database.
+
+It expects the certs to be server.key and server.crt.
+
+Look at the fig.yml-EXAMPLE file and adapt it to your use case.
diff --git a/docker-compose.yml-EXAMPLE b/docker-compose.yml-EXAMPLE
new file mode 100644
index 0000000..8c577cb
--- /dev/null
+++ b/docker-compose.yml-EXAMPLE
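Review bot: The application code is fetched with `RUN git clone --depth 1 -b next https://github.com/elabftw/elabftw.git /elabftw`, a moving branch, so two builds of this Dockerfile can contain different code and any upstream push (or a compromised upstream) is silently baked into the next image; pin a tag or commit, e.g. `RUN git clone --depth 1 -b <tag> https://github.com/elabftw/elabftw.git /elabftw && rm -rf /elabftw/.git`, or use the commented `elabftw-next.zip` path with a checksum. The `rm -rf /elabftw/.git` matters on its own because `nginx443.conf` sets `root /elabftw;` and serves static files, so the clone's `.git/` directory is otherwise reachable over HTTPS. `RUN apt-get update` in its own layer is cached independently of the install layer, so rebuilds can install from stale package lists; merge them as `RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends … && rm -rf /var/lib/apt/lists/*`. The four `ADD`s of local files should be `COPY`, and with no `USER` directive supervisord, the nginx master and the php-fpm master all run as root; the php-fpm pool user is not visible in this hunk, so whether the PHP workers are also root is inferred from `start.sh`'s `chown -R www-data`, not confirmed here.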
@@ -0,0 +1,24 @@
+web:
+ image: nicolascarpi/elabftw-docker
+ environment:
+ - DB_NAME=elabftw
+ - DB_USER=elabftw
+ - DB_PASSWORD=secr3t
+ ports:
+ - "9000:443"
+ - "8000:80"
+ volumes:
+ - /dok/uploads:/elabftw/uploads
+ - /dok/mysql:/var/lib/mysql
+ - /dok/log:/var/log/nginx
+ links:
+ - mysql
+mysql:
+ image: mysql:latest
+ environment:
+ - MYSQL_ROOT_PASSWORD=secr3t
+ - MYSQL_DATABASE=elabftw
+ - MYSQL_USER=elabftw
+ - MYSQL_PASSWORD=secr3t
+ volumes:
+ - /dok/mysql:/var/lib/mysql
diff --git a/nginx443.conf b/nginx443.conf
new file mode 100644
index 0000000..7a3028b
--- /dev/null
+++ b/nginx443.conf
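Review bot: The `web` service mounts `/dok/mysql:/var/lib/mysql`, the same host directory the `mysql` service uses for its data files, so the PHP container (whose processes run as root per the Dockerfile) gets raw read/write access to every table, including `mysql.user`, without ever authenticating to MySQL; nothing in `web` reads `/var/lib/mysql`, so delete that line from `web` and leave the mount on `mysql` only. The example ships `secr3t` as `DB_PASSWORD`, `MYSQL_PASSWORD` and `MYSQL_ROOT_PASSWORD` alike, and example files get copied verbatim; use obviously-placeholder values such as `DB_PASSWORD=CHANGE_ME_app` / `MYSQL_ROOT_PASSWORD=CHANGE_ME_root`, keep root and app passwords distinct, and add a comment that `DB_PASSWORD` and `MYSQL_PASSWORD` must be identical. `image: mysql:latest` is unpinned and can change major version under the application's schema between pulls; pin a version tag.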
@@ -0,0 +1,47 @@
+# https server for /elabftw
+server {
+ listen 443 ssl;
+ server_name localhost;
+
+ root /elabftw;
+ index index.php;
+
+ # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
+ ssl_certificate /etc/nginx/certs/server.crt;
+ ssl_certificate_key /etc/nginx/certs/server.key;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:50m;
+
+ # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
+ ssl_dhparam /etc/nginx/certs/dhparam.pem;
+
+# modern configuration. tweak to your needs.
+ ssl_protocols TLSv1.1 TLSv1.2;
+ ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
+ ssl_prefer_server_ciphers on;
+
+ # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+ add_header Strict-Transport-Security max-age=15768000;
+
+ # OCSP Stapling ---
+ # fetch OCSP records from URL in ssl_certificate and cache them
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ ## verify chain of trust of OCSP response using Root CA and Intermediate certs
+ #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
+
+# resolver 127.0.0.1 [::1]:53;
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+ location ~ \.php$ {
+ include /etc/nginx/fastcgi_params;
+ if (-f $request_filename) {
+ fastcgi_pass unix:/var/run/php5-fpm.sock;
+ }
+ fastcgi_index index.php;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ }
+}
diff --git a/nginx80.conf b/nginx80.conf
new file mode 100644
index 0000000..2a787ec
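Review bot: `root /elabftw;` combined with `location / { try_files $uri $uri/ =404; }` serves any static file under the checkout, and the Dockerfile's `git clone` leaves `/elabftw/.git/` there, so `.git/config`, `.git/HEAD` and packed refs are fetchable over HTTPS; a `location ~ /\. { deny all; }` ahead of the PHP location closes that for every dotfile. `location ~ \.php$` also matches `/uploads/anything.php`, and `start.sh` makes `/elabftw/uploads` world-writable, so if the application ever keeps a user-chosen filename with a `.php` suffix it will be executed by php-fpm — this is hedged, since the upload naming is not visible in this commit, but a `location ^~ /uploads/` that only does `try_files $uri =404;` removes the question regardless (the `^~` prefix wins over the regex location). Inside the PHP location, the `if (-f $request_filename) { fastcgi_pass … }` form is the `if`-in-location construct nginx itself documents as unsafe; `try_files $uri =404;` followed by an unconditional `fastcgi_pass` is the supported equivalent. `ssl_stapling on; ssl_stapling_verify on;` with the `resolver` and `ssl_trusted_certificate` lines commented out cannot work for the self-signed certificate `start.sh` generates and only produces startup warnings; either complete the stapling block or drop it.
```nginx
    # … unchanged: listen, root, ssl_* and HSTS directives …

    # never serve dotfiles (.git/, .htaccess, …) out of the checkout
    location ~ /\. {
        deny all;
    }
    # uploads are static only: a file named *.php here must never reach php-fpm
    location ^~ /uploads/ {
        try_files $uri =404;
    }
    # … unchanged: location / …
    location ~ \.php$ {
        include /etc/nginx/fastcgi_params;
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
```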
--- /dev/null
+++ b/nginx80.conf
@@ -0,0 +1,7 @@
+# http server for /elabftw
+# just redirect to https server
+server {
+ listen 80;
+ server_name localhost;
+ return 301 https://$server_name$request_uri;
+}
diff --git a/start.sh b/start.sh
new file mode 100755
index 0000000..ad83789
--- /dev/null
+++ b/start.sh
@@ -0,0 +1,79 @@ +#!/bin/bash +# elabftw-docker start script + +# generate self-signed certificates for nginx server +if [ ! -f /etc/nginx/certs/server.crt ]; then + openssl req \ + -new \ + -newkey rsa:4096 \ + -days 9999 \ + -nodes \ + -x509 \ + -subj "/C=FR/ST=France/L=Paris/O=elabftw/CN=www.example.com" \ + -keyout /etc/nginx/certs/server.key \ + -out /etc/nginx/certs/server.crt +fi + +# generate Diffie-Hellman parameter for DHE ciphersuites +if [ ! -f /etc/nginx/certs/dhparam.pem ]; then + openssl dhparam -outform PEM -out /etc/nginx/certs/dhparam.pem 2048 +fi + +# write config file from env var +db_host=$(grep mysql /etc/hosts | awk '{print $1}') +if [ -z "$db_host" ]; then + db_host=${DB_HOST} +fi +db_name=${DB_NAME:-elabftw} +db_user=${DB_USER:-elabftw} +db_password=${DB_PASSWORD} +elab_root='/elabftw/' +server_name=${SERVER_NAME:-localhost} +disable_https=${DISABLE_HTTPS:-false} + +cat << EOF > /elabftw/config.php +> /etc/nginx/nginx.conf +sed -i -e "s/keepalive_timeout\s*65/keepalive_timeout 2/" /etc/nginx/nginx.conf +sed -i -e "s/keepalive_timeout 2/keepalive_timeout 2;\n\tclient_max_body_size 100m/" /etc/nginx/nginx.conf +# remove the default site +#rm /etc/nginx-sites-enabled/default + +# false by default +if ($disable_https); then + # put the right server_name + sed -i -e "s/localhost/$server_name/" /etc/nginx/sites-available/elabftw-no-ssl + # activate an HTTP server listening on port 443 + ln -s /etc/nginx/sites-available/elabftw-no-ssl /etc/nginx/sites-enabled/elabftw-no-ssl + # now we need to disable the checks in elab + +else + # put the right server_name + sed -i -e "s/localhost/$server_name/" /etc/nginx/sites-available/elabftw-ssl + # activate an HTTPS server listening on port 443 + ln -s /etc/nginx/sites-available/elabftw-ssl /etc/nginx/sites-enabled/elabftw-ssl +fi + +# php-fpm config +sed -i -e "s/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g" /etc/php5/fpm/php.ini +sed -i -e "s/upload_max_filesize\s*=\s*2M/upload_max_filesize = 100M/g" 
/etc/php5/fpm/php.ini
+sed -i -e "s/post_max_size\s*=\s*8M/post_max_size = 100M/g" /etc/php5/fpm/php.ini
+sed -i -e "s/;daemonize\s*=\s*yes/daemonize = no/g" /etc/php5/fpm/php-fpm.conf
+sed -i -e "s/;catch_workers_output\s*=\s*yes/catch_workers_output = yes/g" /etc/php5/fpm/pool.d/www.conf
+
+# elabftw
+mkdir -p /elabftw/uploads/{tmp,export}
+chmod -R 777 /elabftw/uploads
+chown -R www-data:www-data /elabftw
+chmod -R u+x /elabftw/*
+
+# start all the services
+/usr/bin/supervisord -c /etc/supervisord.conf -n
diff --git a/supervisord.conf b/supervisord.conf
new file mode 100644
index 0000000..92585be
--- /dev/null
+++ b/supervisord.conf
@@ -0,0 +1,29 @@
+[unix_http_server]
+file=/tmp/supervisor.sock ; (the path to the socket file)
+
+[supervisord]
+logfile=/tmp/supervisord.log ; (main log file;default $CWD/supervisord.log)
+logfile_maxbytes=50MB ; (max main logfile bytes b4 rotation;default 50MB)
+logfile_backups=10 ; (num of main logfile rotation backups;default 10)
+loglevel=info ; (log level;default info; others: debug,warn,trace)
+pidfile=/tmp/supervisord.pid ; (supervisord pidfile;default supervisord.pid)
+nodaemon=false ; (start in foreground if true;default false)
+minfds=1024 ; (min. avail startup file descriptors;default 1024)
+minprocs=200 ; (min. avail process descriptors;default 200)
+
+[rpcinterface:supervisor]
+supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
+
+[supervisorctl]
+serverurl=unix:///tmp/supervisor.sock ; use a unix:// URL for a unix socket
+
+[inet_http_server]
+port = 127.0.0.1:9001
+username = t
+password = t
+
+[program:php5-fpm]
+command=/usr/sbin/php5-fpm -c /etc/php5/fpm
+
+[program:nginx]
+command=/usr/sbin/nginx
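Review bot: `if ($disable_https); then` does not test the variable's value, it runs its contents as a command in a subshell — the default only "works" because `false` and `true` happen to be commands — so whatever an operator places in `DISABLE_HTTPS` is executed as root at container start; the intended test is `if [ "$disable_https" = "true" ]; then`. That branch also symlinks `/etc/nginx/sites-available/elabftw-no-ssl`, which nothing in this commit installs (the Dockerfile only adds `elabftw-ssl` and `default`), so enabling it produces a dangling link and no listener at all. The permission block hands the whole application tree to the PHP worker user (`chown -R www-data:www-data /elabftw`), makes `uploads` world-writable (`chmod -R 777`) and sets the execute bit on every file (`chmod -R u+x /elabftw/*`), which lets a compromised PHP process rewrite application code; code should stay root-owned, only `uploads` writable by `www-data`, and `config.php` — which this script writes with `db_password` in it — readable by that user alone. The body of the `config.php` heredoc is not visible in this rendering of the hunk, so its exact contents and the `>> /etc/nginx/nginx.conf` line that follows are not reviewed here; the fence below shows the test and the permission block as I would rewrite them, with the caveat that any other path the application needs to write must then be granted individually.
```shell
# compare as a string; the original form executed $disable_https as a command
if [ "$disable_https" = "true" ]; then
# … unchanged: vhost selection in both branches …
fi

# … unchanged: php-fpm config …

# elabftw: code stays root-owned; only uploads is writable by the php-fpm user,
# and config.php (holds the DB password) is readable by that user only
mkdir -p /elabftw/uploads/{tmp,export}
chown -R root:root /elabftw
chown -R www-data:www-data /elabftw/uploads
chmod -R u=rwX,g=rwX,o= /elabftw/uploads
chown root:www-data /elabftw/config.php
chmod 640 /elabftw/config.php
```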
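Review bot: `[inet_http_server]` opens supervisor's XML-RPC control interface on `127.0.0.1:9001` with `username = t` / `password = t`; loopback is reachable by every process in the container, so a compromised php-fpm worker can authenticate with those credentials to the root-run supervisord and stop, restart or read the logs of nginx and php-fpm. Nothing in this commit uses the HTTP interface (`[supervisorctl]` is pointed at the unix socket), so delete the whole `[inet_http_server]` section; if it is ever needed, generate the password at start time rather than committing one. `nodaemon=false` is contradicted by the `-n` flag `start.sh` passes on the command line, which wins, so set `nodaemon=true ; must run in the foreground as the container's main process` here so the file is self-consistent.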