Merge pull request #2 from praserx/base-images-php-fpm

Switched from apache to php-fpm base image with NGINX due to php session issues

CHANGELOG.md

@@ -1,3 +1,10 @@
+# v1.7.41.2
+
+* PHP: v8.2.7
+* Grav: v1.7.41.2
+* Switched from Apache to NGINX (due to some session start issues)
+  * Switched base image from php:8.2.6-apache to php:8.2.7-fpm
+
 # v1.7.41.1
 
 * PHP: v8.2.6

Dockerfile

@@ -1,15 +1,11 @@
-FROM php:8.2.6-apache
+FROM php:8.2.7-fpm
 LABEL maintainer="PraserX <praserx@gmail.com>"
 LABEL description="Unofficial up-to-date Dockerfile for Grav based on \
     offical docker-grav"
 
-# Enable Apache Rewrite + Expires Module
-RUN a2enmod rewrite expires && \
-    sed -i 's/ServerTokens OS/ServerTokens ProductOnly/g' \
-    /etc/apache2/conf-available/security.conf
-
 # Install dependencies
-RUN apt-get update && apt-get install -y --no-install-recommends \
+RUN apt-get update -y && apt-get install -y --no-install-recommends \
+    nginx \
     unzip \
     libfreetype6-dev \
     libjpeg62-turbo-dev \
@@ -23,6 +19,8 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     git \
     cron \
     vim \
+    procps \
+    supervisor \
     && rm -rf /var/lib/apt/lists/*
 
 # Install PHP extensions
@@ -39,6 +37,20 @@ RUN pecl channel-update pecl.php.net \
     && pecl install apcu yaml \ 
     && docker-php-ext-enable apcu yaml
 
+RUN rm -rf /usr/local/etc/php-fpm.d/zz-docker.conf
+
+# Configure nginx - http
+COPY config/nginx.conf /etc/nginx/nginx.conf
+# Configure nginx - default server
+COPY config/conf.d /etc/nginx/conf.d/
+
+# Configure PHP-FPM
+COPY config/fpm-pool.conf /usr/local/etc/php-fpm.d/www.conf
+COPY config/php.ini /usr/local/etc/php/conf.d/custom.ini
+
+# Configure supervisord
+COPY config/supervisord.conf /etc/supervisor/conf.d/supervisord.conf
+
 # set recommended PHP.ini settings
 # see https://secure.php.net/manual/en/opcache.installation.php
 RUN { \
@@ -58,12 +70,13 @@ RUN chown www-data:www-data /var/www
 USER www-data
 
 # Define Grav specific version of Grav or use latest stable
-ARG GRAV_VERSION=1.7.41.1
+ARG GRAV_VERSION=1.7.41.2
 
 # Install Grav (with admin extension)
 WORKDIR /var/www
 RUN curl -o grav-admin.zip -SL https://getgrav.org/download/core/grav-admin/${GRAV_VERSION} && \
     unzip grav-admin.zip && \
+    rm -rf /var/www/html && \
     mv -T /var/www/grav-admin /var/www/html && \
     rm grav-admin.zip
 
@@ -73,15 +86,13 @@ RUN cd /var/www/html && bin/gpm install simplesearch breadcrumbs auto-date
 # Create cron job for Grav maintenance scripts
 RUN (crontab -l; echo "* * * * * cd /var/www/html;/usr/local/bin/php bin/grav scheduler 1>> /dev/null 2>&1") | crontab -
 
-# Return to root user
-USER root
-
-# Copy init scripts
-# COPY docker-entrypoint.sh /entrypoint.sh
-
 # provide container inside image for data persistence
 VOLUME ["/var/www/html"]
 
-# ENTRYPOINT ["/entrypoint.sh"]
-# CMD ["apache2-foreground"]
-CMD ["sh", "-c", "cron && apache2-foreground"]
+USER root
+
+# Let supervisord start nginx & php-fpm
+CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]
+
+# Configure a healthcheck to validate that everything is up&running
+HEALTHCHECK --timeout=10s CMD curl --silent --fail http://127.0.0.1:8080/fpm-ping

README.md

@@ -1,6 +1,10 @@
 # Grav Docker Image
 
-Unofficial up-to-date docker image build for Grav (getgrav.org) based on [docker-grav](https://github.com/getgrav/docker-grav).
+Unofficial up-to-date docker image build for Grav (getgrav.org).
+
+```
+sudo docker run -d --name grav -p 127.0.0.1:8080:8080 praserx/grav:latest
+```
 
 ## Versioning
 

config/conf.d/default.conf

@@ -0,0 +1,117 @@
+# Default server definition
+server {
+    listen [::]:8080 default_server;
+    listen 8080 default_server;
+    server_name _;
+
+    sendfile off;
+    tcp_nodelay on;
+    absolute_redirect off;
+
+    root /var/www/html;
+    index index.php index.html;
+
+    location / {
+        # First attempt to serve request as file, then
+        # as directory, then fall back to index.php
+        try_files $uri $uri/ /index.php?$query_string;
+    }
+
+    # Redirect server error pages to the static page /50x.html
+    error_page 500 502 503 504 /50x.html;
+    location = /50x.html {
+        root /var/lib/nginx/html;
+    }
+
+    ## Begin - Security
+    # deny all direct access for these folders
+    location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ { return 403; }
+    # deny running scripts inside core system folders
+    location ~* /(system|vendor)/.*\.(txt|xml|md|html|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
+    # deny running scripts inside user folder
+    location ~* /user/.*\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
+    # deny access to specific files in the root folder
+    location ~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { return 403; }
+    ## End - Security
+
+    # Pass the PHP scripts to PHP-FPM listening on php-fpm.sock
+    location ~ \.php$ {
+        # try_files $uri =404;
+        # fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_pass unix:/run/php-fpm.sock;
+        # fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        # fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+        # fastcgi_index index.php;
+        # include fastcgi_params;
+
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_index index.php;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
+    }
+
+    # Set the cache-control headers on assets to cache for 5 days
+    location ~* \.(jpg|jpeg|gif|png|css|js|ico|xml)$ {
+        expires 5d;
+    }
+
+    # Deny access to . files, for security
+    # location ~ /\. {
+    #     log_not_found off;
+    #     deny all;
+    # }
+
+    # Allow fpm ping and status from localhost
+    location ~ ^/(fpm-status|fpm-ping)$ {
+        access_log off;
+        allow 127.0.0.1;
+        deny all;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        include fastcgi_params;
+        fastcgi_pass unix:/run/php-fpm.sock;
+    }
+}
+
+# server {
+#     listen :8080 default_server;
+#     index index.html index.php;
+
+#     ## Begin - Server Info
+#     root /var/www/html;
+#     server_name _;
+#     ## End - Server Info
+
+#     ## Begin - Index
+#     # for subfolders, simply adjust:
+#     # `location /subfolder {`
+#     # and the rewrite to use `/subfolder/index.php`
+#     location / {
+#         try_files $uri $uri/ /index.php?$query_string;
+#     }
+#     ## End - Index
+
+#     ## Begin - Security
+#     # deny all direct access for these folders
+#     location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ { return 403; }
+#     # deny running scripts inside core system folders
+#     location ~* /(system|vendor)/.*\.(txt|xml|md|html|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
+#     # deny running scripts inside user folder
+#     location ~* /user/.*\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
+#     # deny access to specific files in the root folder
+#     location ~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { return 403; }
+#     ## End - Security
+
+#     ## Begin - PHP
+#     location ~ \.php$ {
+#         # Choose either a socket or TCP/IP address
+#         fastcgi_pass unix:/var/run/php/php-fpm.sock;
+#         # fastcgi_pass unix:/var/run/php5-fpm.sock; #legacy
+#         # fastcgi_pass 127.0.0.1:9000;
+
+#         fastcgi_split_path_info ^(.+\.php)(/.+)$;
+#         fastcgi_index index.php;
+#         include fastcgi_params;
+#         fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
+#     }
+#     ## End - PHP
+# }

config/fpm-pool.conf

@@ -0,0 +1,77 @@
+[global]
+; Log to stderr
+error_log = /dev/stderr
+
+[www]
+; Unix user/group of the child processes. This can be used only if the master
+; process running user is root. It is set after the child process is created.
+; The user and group can be specified either by their name or by their numeric
+; IDs.
+; Note: If the user is root, the executable needs to be started with
+;       --allow-to-run-as-root option to work.
+; Default Values: The user is set to master process running user by default.
+;                 If the group is not set, the user's group is used.
+user = www-data
+group = www-data
+
+; The address on which to accept FastCGI requests.
+; Valid syntaxes are:
+;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific IPv4 address on
+;                            a specific port;
+;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
+;                            a specific port;
+;   'port'                 - to listen on a TCP socket to all addresses
+;                            (IPv6 and IPv4-mapped) on a specific port;
+;   '/path/to/unix/socket' - to listen on a unix socket.
+; Note: This value is mandatory.
+listen = /run/php-fpm.sock
+
+; Set permissions for unix socket, if one is used. In Linux, read/write
+; permissions must be set in order to allow connections from a web server. Many
+; BSD-derived systems allow connections regardless of permissions. The owner
+; and group can be specified either by name or by their numeric IDs.
+; Default Values: Owner is set to the master process running user. If the group
+;                 is not set, the owner's group is used. Mode is set to 0660.
+listen.owner = www-data
+listen.group = www-data
+listen.mode = 0660
+
+; Enable status page
+pm.status_path = /fpm-status
+
+; Ondemand process manager
+pm = ondemand
+
+; The number of child processes to be created when pm is set to 'static' and the
+; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
+; This value sets the limit on the number of simultaneous requests that will be
+; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
+; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
+; CGI. The below defaults are based on a server without much resources. Don't
+; forget to tweak pm.* to fit your needs.
+; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
+; Note: This value is mandatory.
+pm.max_children = 100
+
+; The number of seconds after which an idle process will be killed.
+; Note: Used only when pm is set to 'ondemand'
+; Default Value: 10s
+pm.process_idle_timeout = 10s;
+
+; The number of requests each child process should execute before respawning.
+; This can be useful to work around memory leaks in 3rd party libraries. For
+; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
+; Default Value: 0
+pm.max_requests = 1000
+
+; Make sure the FPM workers can reach the environment variables for configuration
+clear_env = no
+
+; Catch output from PHP
+catch_workers_output = yes
+
+; Remove the 'child 10 said into stderr' prefix in the log and only show the actual message
+decorate_workers_output = no
+
+; Enable ping page to use in healthcheck
+ping.path = /fpm-ping

config/nginx.conf

@@ -0,0 +1,46 @@
+worker_processes auto;
+error_log stderr warn;
+pid /run/nginx.pid;
+user www-data www-data;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    include mime.types;
+    default_type application/octet-stream;
+
+    # Define custom log format to include reponse times
+    log_format main_timed '$remote_addr - $remote_user [$time_local] "$request" '
+                          '$status $body_bytes_sent "$http_referer" '
+                          '"$http_user_agent" "$http_x_forwarded_for" '
+                          '$request_time $upstream_response_time $pipe $upstream_cache_status';
+
+    access_log /dev/stdout main_timed;
+    error_log /dev/stderr notice;
+
+    keepalive_timeout 65;
+
+    # Write temporary files to /tmp so they can be created as a non-privileged user
+    client_body_temp_path /tmp/client_temp;
+    proxy_temp_path /tmp/proxy_temp_path;
+    fastcgi_temp_path /tmp/fastcgi_temp;
+    uwsgi_temp_path /tmp/uwsgi_temp;
+    scgi_temp_path /tmp/scgi_temp;
+
+    # Hardening
+    proxy_hide_header X-Powered-By;
+    fastcgi_hide_header X-Powered-By;
+    server_tokens off;
+
+    # Enable gzip compression by default
+    gzip on;
+    gzip_proxied any;
+    gzip_types text/plain application/xml text/css text/js text/xml application/x-javascript text/javascript application/json application/xml+rss;
+    gzip_vary on;
+    gzip_disable "msie6";
+
+    # Include server configs
+    include /etc/nginx/conf.d/*.conf;
+}

config/php.ini

@@ -0,0 +1,3 @@
+[Date]
+date.timezone="UTC"
+expose_php= Off

config/supervisord.conf

@@ -0,0 +1,23 @@
+[supervisord]
+nodaemon=true
+logfile=/dev/null
+logfile_maxbytes=0
+pidfile=/run/supervisord.pid
+
+[program:php-fpm]
+command=php-fpm
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+autorestart=false
+startretries=0
+
+[program:nginx]
+command=nginx -g 'daemon off;'
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+autorestart=false
+startretries=0