Enable Discovery debug logging for production troubleshooting

- Add DISCOVERY_LOG_LEVEL=debug - Add DISCOVERY_SHOW_PROGRESS=true - Temporary changes for debugging InitializerProcessor fixes on production
2025-08-11 20:13:26 +02:00
parent 59fd3dd3b1
commit 55a330b223
3683 changed files with 2956207 additions and 16948 deletions
--- a/docker/mysql/conf.d/security.cnf
+++ b/docker/mysql/conf.d/security.cnf
@@ -0,0 +1,51 @@
+[mysqld]
+# Security Configuration for MariaDB
+# This file hardens the database server for production use
+
+# Network Security
+bind-address = 0.0.0.0
+skip-networking = false
+skip-name-resolve = true
+
+# Connection Security  
+max_connections = 100
+max_connect_errors = 10
+max_user_connections = 50
+
+# SSL/TLS Configuration (Enable in production)
+# ssl-ca = /etc/mysql/ssl/ca-cert.pem
+# ssl-cert = /etc/mysql/ssl/server-cert.pem  
+# ssl-key = /etc/mysql/ssl/server-key.pem
+# require_secure_transport = ON
+
+# Authentication Security
+default_authentication_plugin = mysql_native_password
+
+# Logging Security
+log-error = /var/log/mysql/error.log
+general_log = ON
+general_log_file = /var/log/mysql/general.log
+slow_query_log = ON
+slow_query_log_file = /var/log/mysql/slow.log
+long_query_time = 2
+
+# Disable dangerous functions
+secure_file_priv = ""
+local_infile = OFF
+
+# Performance & Resource Limits
+max_allowed_packet = 64M
+innodb_buffer_pool_size = 256M
+innodb_log_file_size = 64M
+query_cache_size = 64M
+query_cache_limit = 2M
+
+# Character Set
+character-set-server = utf8mb4
+collation-server = utf8mb4_unicode_ci
+
+[mysql]
+default-character-set = utf8mb4
+
+[client]
+default-character-set = utf8mb4
--- a/docker/nginx/default.conf
+++ b/docker/nginx/default.conf
@@ -189,15 +189,18 @@ server {
        add_header Cache-Control "no-cache, must-revalidate";
    }

-    # Caching Header für statische Dateien
-    #location ~* \.(jpg|jpeg|png|gif|ico|svg|woff|woff2|ttf|eot)$ {
-    #    expires 1y;
-    #    add_header Cache-Control "public, immutable, max-age=31536000";
-    #}
+    # Caching Header für statische Dateien ohne Rate-Limiting
+    location ~* \.(jpg|jpeg|png|gif|ico|svg|woff|woff2|ttf|eot)$ {
+        expires 1y;
+        add_header Cache-Control "public, immutable, max-age=31536000";
+        # Keine Rate-Limits für statische Dateien
+    }

-    location ~* \.(css|js)$ {
+    # Assets ohne Rate-Limiting für ES6 Module Performance
+    location ~* \.(css|js|map)$ {
        expires 1w;
        add_header Cache-Control "public, max-age=604800";
+        # Keine Rate-Limits für statische Assets
    }

 #     location ~* \.(json|xml)$ {
@@ -216,6 +219,12 @@ server {
        # Wichtig: APP_ENV an PHP weitergeben
        fastcgi_param APP_ENV $env_mode;

+        # HTTP Headers für SPA-Support weitergeben
+        fastcgi_param HTTP_X_REQUESTED_WITH $http_x_requested_with;
+        fastcgi_param HTTP_X_SPA_REQUEST $http_x_spa_request;
+        fastcgi_param HTTP_CONTENT_TYPE $content_type;
+        fastcgi_param HTTP_ACCEPT $http_accept;
+
        # Timeout-Einstellungen
        fastcgi_read_timeout 60s;
        fastcgi_connect_timeout 60s;
@@ -250,7 +259,8 @@ server {
    }

    server_tokens off;
-    limit_req zone=mylimit burst=20 nodelay;
+    # Massiv erhöhter Burst für ES6 Module mit 18+ parallelen Requests
+    limit_req zone=mylimit burst=100 nodelay;

    location ~* /(?:uploads|files)/.*\.php$ {
        deny all;
@@ -263,19 +273,6 @@ server {
        return 200 'pong';
    }

-    location = /health {
-        if ($block_health) {
-            return 404;
-        }
-
-        try_files /health.php =404;
-
-        allow 127.0.0.1;        # Lokal erlaubt (Ansible, Docker, Monitoring intern)
-        allow ::1;
-        allow 192.168.0.0/16;   # Optional: internes Netz (z.B. für internen Loadbalancer)
-        deny all;
-        error_page 403 =404;
-    }


    error_page 404 /errors/404.html;
--- a/docker/nginx/nginx.conf
+++ b/docker/nginx/nginx.conf
@@ -19,8 +19,8 @@ http {
    # Server-Tokens für Sicherheit ausblenden
    server_tokens off;

-    # Rate-Limiting
-    limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;
+    # Rate-Limiting - Hochoptimiert für ES6 Module mit massiv parallelen Requests
+    limit_req_zone $binary_remote_addr zone=mylimit:10m rate=300r/s;

    # Logging-Format
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
--- a/docker/php/Dockerfile
+++ b/docker/php/Dockerfile
@@ -13,6 +13,7 @@ RUN apt-get update && apt-get install -y \
    libwebp-dev \
    libavif-dev \
    libxpm-dev \
+    libsodium-dev \
    && apt-get clean \
        && rm -rf /var/lib/apt/lists/*

@@ -31,10 +32,15 @@ RUN docker-php-ext-install -j$(nproc) \
    opcache \
    pcntl \
    posix \
-    shmop
+    shmop \
+    bcmath \
+    sodium

-RUN pecl install apcu \
-    && docker-php-ext-enable apcu
+RUN pecl install apcu redis \
+    && docker-php-ext-enable apcu redis
+
+RUN echo "apc.enable_cli=1" >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini \
+    && echo "apc.shm_size=128M" >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini

 # Composer installieren
 RUN curl -sS https://getcomposer.org/installer | php \
@@ -49,32 +55,23 @@ RUN if [ "$ENV" = "dev" ]; then \

 WORKDIR /var/www/html

-# Kopiere composer.json
-COPY composer.json ./
-
-# Kopiere composer.lock falls vorhanden (robuste Lösung)
-COPY composer.loc[k] ./
-
-# Falls keine composer.lock existiert, erstelle eine leere um Layer-Caching zu ermöglichen
-RUN [ ! -f composer.lock ] && touch composer.lock || true
-
-# Remove potentially corrupted composer.lock and install dependencies
-RUN rm -f composer.lock && \
-    if [ "$ENV" = "prod" ]; then \
+# Composer Dependencies (für besseres Caching)
+COPY composer.json composer.loc[k] ./
+RUN if [ "$ENV" = "prod" ]; then \
        composer install --no-dev --no-scripts --no-autoloader --optimize-autoloader; \
    else \
        composer install --no-scripts --no-autoloader; \
    fi

+
 # Kopiere PHP-Konfigurationen
 COPY docker/php/php.common.ini /usr/local/etc/php/php.common.ini
 COPY docker/php/php.${ENV}.ini /usr/local/etc/php/php.ini

-# Wenn dev, kopiere auch xdebug-Konfiguration
-RUN if [ "$ENV" = "dev" ]; then \
-    mkdir -p /usr/local/etc/php/conf.d/; \
+# Xdebug-Konfiguration nur wenn dev
+RUN if [ "$ENV" = "dev" ] && [ -f docker/php/xdebug.ini ]; then \
+    cp docker/php/xdebug.ini /usr/local/etc/php/conf.d/docker-php-ext-xdebug.ini; \
    fi
-COPY docker/php/xdebug.ini /usr/local/etc/php/conf.d/docker-php-ext-xdebug.ini

 # Kopiere den Rest des Projekts
 COPY . .
@@ -86,15 +83,22 @@ RUN composer dump-autoload --optimize
 COPY docker/php/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
 RUN chmod +x /usr/local/bin/docker-entrypoint.sh

+RUN mkdir -p /var/www/html/cache \
+    /var/www/html/storage \
+    /var/www/html/storage/logs \
+    /var/www/html/storage/cache \
+    /var/www/html/storage/analytics \
+    /var/www/html/var \
+    /var/www/html/var/cache \
+    /var/www/html/var/logs
+
+# Erstelle uploads-Verzeichnis
+RUN mkdir -p /var/www/html/storage/uploads
+
 # Danach erst den Nutzer wechseln!
 RUN groupadd -g 1000 appuser && useradd -u 1000 -g appuser -m appuser
 RUN chown -R appuser:appuser /var/www/html
-
 USER appuser

-RUN mkdir -p /var/www/html/cache && \
-    chown -R 1000:1000 /var/www/html/cache && \
-    chmod -R 775 /var/www/html/cache
-
 ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
 CMD ["php-fpm"]
--- a/docker/php/docker-entrypoint.sh
+++ b/docker/php/docker-entrypoint.sh
@@ -1,4 +1,20 @@
 #!/bin/bash
-chown -R www-data:www-data /var/www/html/cache
-chmod -R 775 /var/www/html/cache
+
+# Ensure storage directories exist and have correct permissions
+mkdir -p /var/www/html/storage/analytics \
+         /var/www/html/storage/logs \
+         /var/www/html/storage/cache \
+         /var/www/html/var/cache \
+         /var/www/html/var/logs \
+         /var/www/html/cache
+
+# Set correct ownership and permissions for appuser
+chown -R appuser:appuser /var/www/html/storage \
+                        /var/www/html/var \
+                        /var/www/html/cache
+                        
+chmod -R 775 /var/www/html/storage \
+            /var/www/html/var \
+            /var/www/html/cache
+
 exec "$@"
--- a/docker/php/php.common.ini
+++ b/docker/php/php.common.ini
@@ -7,4 +7,14 @@ session.cookie_samesite = Lax

 date.timezone = Europe/Berlin

-opcache.preload=/var/www/michaelschiemer/src/preload.php
+; OPcache Configuration for Development
+opcache.enable=1
+opcache.memory_consumption=256
+opcache.interned_strings_buffer=16
+opcache.max_accelerated_files=10000
+opcache.validate_timestamps=1
+opcache.revalidate_freq=0
+opcache.save_comments=1
+opcache.enable_file_override=1
+opcache.optimization_level=0x7FFEBFFF
+; opcache.preload=/var/www/html/src/preload.php
--- a/docker/redis/redis-secure.conf
+++ b/docker/redis/redis-secure.conf
@@ -0,0 +1,56 @@
+# Secure Redis Configuration
+# This configuration hardens Redis for production use
+
+# Network Security
+bind 127.0.0.1
+protected-mode yes
+port 6379
+
+# Authentication - Password will be loaded from Docker secret
+# requirepass will be set dynamically via init script
+
+# Data Persistence
+dir /data
+save 900 1
+save 300 10  
+save 60 10000
+appendonly yes
+appendfilename "appendonly.aof"
+appendfsync everysec
+
+# Security Settings
+rename-command FLUSHDB ""
+rename-command FLUSHALL ""
+rename-command EVAL ""
+rename-command DEBUG ""
+rename-command CONFIG "CONFIG_b835fb49a134d7c5"
+rename-command SHUTDOWN "SHUTDOWN_91084e14c1c7f98a"
+
+# Resource Limits
+maxmemory 200mb
+maxmemory-policy allkeys-lru
+timeout 300
+tcp-keepalive 300
+
+# Logging
+loglevel notice
+logfile ""
+syslog-enabled yes
+syslog-ident redis
+
+# Disable dangerous commands
+disable-thp yes
+
+# Client Connection Limits
+maxclients 100
+
+# Performance Settings  
+tcp-backlog 128
+databases 1
+
+# Lua Scripting Security
+lua-time-limit 5000
+
+# Slow Log
+slowlog-log-slower-than 10000
+slowlog-max-len 128