chore: complete update
This commit is contained in:
@@ -1,33 +1,73 @@
|
||||
FROM nginx:alpine
|
||||
FROM macbre/nginx-http3
|
||||
|
||||
# Standard-Konfiguration entfernen
|
||||
RUN rm /etc/nginx/conf.d/default.conf
|
||||
# Zurück zu root wechseln
|
||||
USER root
|
||||
|
||||
# Verzeichnisse erstellen mit korrekten Berechtigungen
|
||||
RUN mkdir -p /var/cache/nginx /var/log/nginx /etc/nginx/template && \
|
||||
chmod -R 777 /var/cache/nginx /var/log/nginx
|
||||
# Entferne Default-Site
|
||||
RUN rm -f /etc/nginx/conf.d/default.conf || true
|
||||
|
||||
# Kopiere die Template-Konfiguration
|
||||
# Verzeichnisse erstellen
|
||||
RUN mkdir -p /var/cache/nginx /var/log/nginx /var/www/ssl && \
|
||||
chmod 755 /var/cache/nginx /var/log/nginx /var/www/ssl
|
||||
|
||||
# Konfigurationen kopieren
|
||||
COPY ./nginx.conf /etc/nginx/nginx.conf
|
||||
COPY ./default.conf /etc/nginx/conf.d/default.conf
|
||||
COPY ./ssl/ /var/www/ssl/
|
||||
|
||||
# Kopiere die SSL-Zertifikate
|
||||
COPY ./ssl/ /etc/nginx/ssl/
|
||||
# Entry-Script kopieren
|
||||
COPY ./docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
|
||||
RUN chmod +x /usr/local/bin/docker-entrypoint.sh
|
||||
|
||||
# Startup-Skript zum Ersetzen der Variablen
|
||||
COPY ./docker-entrypoint.sh /
|
||||
RUN chmod +x /docker-entrypoint.sh
|
||||
# su-exec und netcat installieren
|
||||
RUN apk add --no-cache su-exec netcat-openbsd
|
||||
|
||||
#Install Netcat
|
||||
RUN apk add --no-cache netcat-openbsd
|
||||
# Berechtigungen für stdout/stderr anpassen
|
||||
RUN chmod a+rw /dev/stdout /dev/stderr
|
||||
|
||||
|
||||
# Als user www-data laufen lassen
|
||||
RUN addgroup -g 1000 www && adduser -D -G www -u 1000 www-data \
|
||||
&& chown -R www-data:www /var/cache/nginx /var/log/nginx /etc/nginx
|
||||
USER www-data
|
||||
# Ordner-Berechtigungen für den nginx-User setzen
|
||||
RUN chown -R nginx:nginx /var/cache/nginx /var/log/nginx /var/www/ssl
|
||||
|
||||
EXPOSE 80 443
|
||||
|
||||
ENTRYPOINT ["/docker-entrypoint.sh"]
|
||||
CMD ["nginx", "-g", "daemon off;"]
|
||||
ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
|
||||
#CMD ["nginx", "-g", "daemon off;"]
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
## Standard-Konfiguration entfernen
|
||||
#RUN rm -f /etc/nginx/conf.d/default.conf
|
||||
#
|
||||
## Verzeichnisse erstellen mit korrekten Berechtigungen
|
||||
#RUN mkdir -p /var/cache/nginx /var/log/nginx /etc/nginx/template && \
|
||||
# chmod -R 777 /var/cache/nginx /var/log/nginx
|
||||
#
|
||||
## Kopiere die Template-Konfiguration
|
||||
#COPY ./nginx.conf /etc/nginx/nginx.conf
|
||||
#COPY ./default.conf /etc/nginx/conf.d/default.conf
|
||||
#
|
||||
## Kopiert config Include
|
||||
#COPY ./vite-proxy.inc.dev /etc/nginx/vite-proxy.inc
|
||||
#
|
||||
## Kopiere die SSL-Zertifikate
|
||||
#COPY ./ssl/ /etc/nginx/ssl/
|
||||
#
|
||||
## Startup-Skript zum Ersetzen der Variablen
|
||||
#COPY ./docker-entrypoint.sh /
|
||||
#RUN chmod +x /docker-entrypoint.sh
|
||||
#
|
||||
##Install Netcat
|
||||
#RUN apk add --no-cache netcat-openbsd
|
||||
#
|
||||
#
|
||||
## Als user www-data laufen lassen
|
||||
#RUN addgroup -g 1000 www && adduser -D -G www -u 1000 www-data \
|
||||
# && chown -R www-data:www /var/cache/nginx /var/log/nginx /etc/nginx
|
||||
#USER www-data
|
||||
#
|
||||
#EXPOSE 80 443
|
||||
#
|
||||
#ENTRYPOINT ["/docker-entrypoint.sh"]
|
||||
#CMD ["nginx", "-g", "daemon off;"]
|
||||
|
||||
@@ -18,8 +18,8 @@ map $env_mode $should_skip_cache {
|
||||
|
||||
# Skip-Cache für Sessions und basierend auf Umgebung
|
||||
map $http_cookie$should_skip_cache $skip_cache {
|
||||
"~PHPSESSID" 1; # Sessions nie cachen
|
||||
"1" 1; # Cache überspringen, wenn should_skip_cache = 1
|
||||
"~ms_context" 1; # Sessions nie cachen
|
||||
"~1$" 1; # Cache überspringen, wenn should_skip_cache = 1
|
||||
default 0; # Ansonsten cachen
|
||||
}
|
||||
|
||||
@@ -41,23 +41,38 @@ server {
|
||||
server {
|
||||
# Korrigierte HTTP/2 Syntax
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
listen 443 quic; # QUIC für HTTP/3 // Removed "reuseport"
|
||||
listen [::]:443 quic;
|
||||
|
||||
http2 on; # Neue Syntax für HTTP/2
|
||||
http3 on;
|
||||
|
||||
add_header Alt-Svc 'h3=":443"; ma=86400; persist=1, h2=":443"; ma=86400';
|
||||
|
||||
server_name localhost;
|
||||
|
||||
#ssl_certificate /etc/nginx/ssl/localhost+2.pem;
|
||||
#ssl_certificate_key /etc/nginx/ssl/localhost+2-key.pem;
|
||||
ssl_certificate /etc/nginx/ssl/fullchain.pem;
|
||||
ssl_certificate_key /etc/nginx/ssl/privkey.pem;
|
||||
#ssl_certificate /etc/nginx/ssl/fullchain.pem;
|
||||
#ssl_certificate_key /etc/nginx/ssl/privkey.pem;
|
||||
|
||||
ssl_certificate /var/www/ssl/fullchain.pem;
|
||||
ssl_certificate_key /var/www/ssl/privkey.pem;
|
||||
|
||||
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
# add_header Alt-Svc 'h3=":443"'; # Für HTTP/3 Unterstützung
|
||||
#add_header QUIC-Status $quic;
|
||||
|
||||
|
||||
ssl_protocols TLSv1.3 TLSv1.2;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
|
||||
|
||||
# Verbesserte SSL-Konfiguration
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
ssl_session_tickets off;
|
||||
#ssl_session_timeout 1d;
|
||||
#ssl_session_cache shared:SSL:10m;
|
||||
#ssl_session_tickets off;
|
||||
|
||||
# OCSP Stapling (auskommentiert, wenn Zertifikate fehlen)
|
||||
# ssl_stapling on;
|
||||
@@ -68,6 +83,11 @@ server {
|
||||
root /var/www/html/public;
|
||||
index index.php index.html;
|
||||
|
||||
location / {
|
||||
try_files $uri $uri/ /index.php?$query_string;
|
||||
autoindex off;
|
||||
}
|
||||
|
||||
# Debug-Header für die Entwicklung
|
||||
add_header X-Environment $env_mode always;
|
||||
|
||||
@@ -88,6 +108,34 @@ server {
|
||||
client_max_body_size 10m;
|
||||
large_client_header_buffers 2 1k;
|
||||
|
||||
brotli on;
|
||||
brotli_comp_level 6;
|
||||
brotli_types
|
||||
application/atom+xml
|
||||
application/javascript
|
||||
application/json
|
||||
application/ld+json
|
||||
application/manifest+json
|
||||
application/rss+xml
|
||||
application/vnd.geo+json
|
||||
application/vnd.ms-fontobject
|
||||
application/x-font-ttf
|
||||
application/x-web-app-manifest+json
|
||||
application/xhtml+xml
|
||||
application/xml
|
||||
font/opentype
|
||||
image/bmp
|
||||
image/svg+xml
|
||||
image/x-icon
|
||||
text/cache-manifest
|
||||
text/css
|
||||
text/plain
|
||||
text/vcard
|
||||
text/vnd.rim.location.xloc
|
||||
text/vtt
|
||||
text/x-componentFs
|
||||
text/x-cross-domain-policy;
|
||||
|
||||
# Verbesserte Gzip-Kompression
|
||||
gzip on;
|
||||
gzip_vary on;
|
||||
@@ -119,33 +167,43 @@ server {
|
||||
text/vcard
|
||||
text/vnd.rim.location.xloc
|
||||
text/vtt
|
||||
text/x-component
|
||||
text/x-componentFs
|
||||
text/x-cross-domain-policy;
|
||||
|
||||
# Logs
|
||||
access_log /var/log/nginx/access.log combined;
|
||||
error_log /var/log/nginx/error.log error;
|
||||
#access_log /var/log/nginx/access.log combined;
|
||||
#error_log /var/log/nginx/error.log error;
|
||||
access_log /dev/stdout;
|
||||
error_log /dev/stderr warn;
|
||||
|
||||
location / {
|
||||
try_files $uri $uri/ /index.php?$query_string;
|
||||
autoindex off;
|
||||
# läuft aktuell oben über dynamischen include!
|
||||
#location / {
|
||||
# try_files $uri $uri/ /index.php?$query_string;
|
||||
# autoindex off;
|
||||
#}
|
||||
|
||||
# Service-Worker explizit erlauben (auch im Production-Server ungefährlich!)
|
||||
location = /sw.js {
|
||||
# je nach Build-Ordner anpassen!
|
||||
alias /var/www/html/public/sw.js;
|
||||
add_header Cache-Control "no-cache, must-revalidate";
|
||||
}
|
||||
|
||||
# Caching Header für statische Dateien
|
||||
location ~* \.(jpg|jpeg|png|gif|ico|svg|woff|woff2|ttf|eot)$ {
|
||||
expires 1y;
|
||||
add_header Cache-Control "public, immutable, max-age=31536000";
|
||||
}
|
||||
#location ~* \.(jpg|jpeg|png|gif|ico|svg|woff|woff2|ttf|eot)$ {
|
||||
# expires 1y;
|
||||
# add_header Cache-Control "public, immutable, max-age=31536000";
|
||||
#}
|
||||
|
||||
location ~* \.(css|js)$ {
|
||||
expires 1w;
|
||||
add_header Cache-Control "public, max-age=604800";
|
||||
}
|
||||
|
||||
location ~* \.(json|xml)$ {
|
||||
expires 1d;
|
||||
add_header Cache-Control "public, max-age=86400";
|
||||
}
|
||||
# location ~* \.(json|xml)$ {
|
||||
# expires 1d;
|
||||
# add_header Cache-Control "public, max-age=86400";
|
||||
# }
|
||||
|
||||
location ~ \.php$ {
|
||||
try_files $uri =404;
|
||||
@@ -182,6 +240,8 @@ server {
|
||||
|
||||
# Für bessere Performance
|
||||
fastcgi_keep_conn on;
|
||||
|
||||
fastcgi_hide_header X-Powered-By;
|
||||
}
|
||||
|
||||
# Sicherheitseinstellungen
|
||||
|
||||
@@ -1,20 +1,58 @@
|
||||
#!/bin/sh
|
||||
set -e
|
||||
#!/bin/sh
|
||||
set -e
|
||||
|
||||
# Umgebungsvariablen-Substitution in Nginx-Konfiguration
|
||||
if [ -n "$APP_ENV" ]; then
|
||||
echo "Setting APP_ENV to: $APP_ENV"
|
||||
sed -i "s/\${APP_ENV}/$APP_ENV/g" /etc/nginx/conf.d/default.conf
|
||||
fi
|
||||
|
||||
# Warte auf PHP-FPM Container
|
||||
echo "Waiting for PHP-FPM to be ready..."
|
||||
while ! nc -z php 9000; do
|
||||
sleep 1
|
||||
done
|
||||
echo "PHP-FPM is ready!"
|
||||
|
||||
# SSL-Zertifikate prüfen
|
||||
if [ ! -f "/var/www/ssl/fullchain.pem" ] || [ ! -f "/var/www/ssl/privkey.pem" ]; then
|
||||
echo "Warning: SSL certificates not found. HTTPS may not work properly."
|
||||
fi
|
||||
|
||||
# Nginx-Konfiguration testen
|
||||
echo "Testing Nginx configuration..."
|
||||
nginx -t
|
||||
|
||||
# Nginx starten
|
||||
echo "Starting Nginx..."
|
||||
exec "$@"
|
||||
until nc -z -w 2 php 9000; do
|
||||
echo "Warte auf PHP-FPM..."
|
||||
sleep 1
|
||||
done
|
||||
|
||||
|
||||
# Optional: eigene Umgebungsvariable mit Default setzen
|
||||
export APP_ENV="${APP_ENV:-production}"
|
||||
|
||||
echo "Starte Nginx mit APP_ENV=$APP_ENV"
|
||||
|
||||
# Ersetze Umgebungsvariablen wie ${APP_ENV} in der Nginx-Config per envsubst
|
||||
envsubst '${APP_ENV}' < /etc/nginx/conf.d/default.conf > /etc/nginx/conf.d/default.conf.tmp
|
||||
mv /etc/nginx/conf.d/default.conf.tmp /etc/nginx/conf.d/default.conf
|
||||
# Ersetze Platzhalter in temporäre Datei
|
||||
envsubst '${APP_ENV}' < /etc/nginx/conf.d/default.conf > /tmp/default.conf
|
||||
|
||||
# Starte Nginx (Foreground)
|
||||
# Ersetzte Originalkonfiguration
|
||||
cp /tmp/default.conf /etc/nginx/conf.d/default.conf
|
||||
|
||||
# WICHTIG: Rechte für stdout/stderr anpassen
|
||||
chmod a+rw /dev/stdout /dev/stderr
|
||||
|
||||
# Nginx-Ordner Rechte anpassen
|
||||
mkdir -p /var/cache/nginx /var/log/nginx
|
||||
chown -R nginx:nginx /var/cache/nginx /var/log/nginx
|
||||
|
||||
# Stelle sicher, dass das SSL-Verzeichnis existiert
|
||||
mkdir -p /var/www/ssl
|
||||
|
||||
# Jetzt kann nginx sicher starten
|
||||
exec nginx -g 'daemon off;'
|
||||
|
||||
@@ -1,37 +1,78 @@
|
||||
# Standard Nginx User
|
||||
user nginx;
|
||||
worker_processes auto;
|
||||
pid /tmp/nginx.pid;
|
||||
error_log /var/log/nginx/error.log notice;
|
||||
pid /var/run/nginx.pid;
|
||||
|
||||
# Worker-Prozess-Einstellungen
|
||||
events {
|
||||
worker_connections 1024;
|
||||
use epoll;
|
||||
multi_accept on;
|
||||
}
|
||||
|
||||
http {
|
||||
# MIME-Types
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
# Server-Tokens für Sicherheit ausblenden
|
||||
server_tokens off;
|
||||
|
||||
# Rate-Limiting für besseren DDoS-Schutz
|
||||
# Rate-Limiting
|
||||
limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;
|
||||
|
||||
# Logging-Einstellungen
|
||||
# Logging-Format
|
||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||
'$status $body_bytes_sent "$http_referer" '
|
||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||
'"$http_user_agent" "$http_x_forwarded_for" '
|
||||
'rt=$request_time uct="$upstream_connect_time" '
|
||||
'uht="$upstream_header_time" urt="$upstream_response_time"';
|
||||
|
||||
access_log /var/log/nginx/access.log main;
|
||||
error_log /var/log/nginx/error.log warn;
|
||||
# Container-optimierte Logs
|
||||
access_log /dev/stdout main;
|
||||
error_log /dev/stderr warn;
|
||||
|
||||
# Performance-Optimierungen
|
||||
sendfile on;
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
keepalive_timeout 65;
|
||||
types_hash_max_size 2048;
|
||||
client_max_body_size 64M;
|
||||
|
||||
# TLS-Einstellungen
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
ssl_session_timeout 10m;
|
||||
# Gzip-Kompression
|
||||
gzip on;
|
||||
gzip_vary on;
|
||||
gzip_min_length 1024;
|
||||
gzip_proxied any;
|
||||
gzip_comp_level 6;
|
||||
gzip_types
|
||||
text/plain
|
||||
text/css
|
||||
text/xml
|
||||
text/javascript
|
||||
application/json
|
||||
application/javascript
|
||||
application/xml+rss
|
||||
application/atom+xml
|
||||
image/svg+xml
|
||||
application/rss+xml
|
||||
application/vnd.ms-fontobject
|
||||
application/x-font-ttf
|
||||
font/opentype;
|
||||
|
||||
# Include server configs
|
||||
# Basis-Sicherheits-Header
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header Referrer-Policy "no-referrer-when-downgrade" always;
|
||||
|
||||
# SSL-Session-Cache
|
||||
# ssl_session_cache shared:SSL:10m;
|
||||
# ssl_session_timeout 10m;
|
||||
# ssl_session_tickets off;
|
||||
|
||||
# Server-Konfigurationen einbinden
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
}
|
||||
|
||||
4
docker/nginx/vite-proxy.inc.dev
Normal file
4
docker/nginx/vite-proxy.inc.dev
Normal file
@@ -0,0 +1,4 @@
|
||||
location / {
|
||||
try_files $uri $uri/ /index.php?$query_string;
|
||||
autoindex off;
|
||||
}
|
||||
4
docker/nginx/vite-proxy.inc.prod
Normal file
4
docker/nginx/vite-proxy.inc.prod
Normal file
@@ -0,0 +1,4 @@
|
||||
location / {
|
||||
try_files $uri $uri/ /index.php?$query_string;
|
||||
autoindex off;
|
||||
}
|
||||
Reference in New Issue
Block a user