michael/michaelschiemer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore: lots of changes

Browse Source
This commit is contained in:
Michael Schiemer
2025-05-24 07:09:22 +02:00
parent 77ee769d5e
commit 899227b0a4
178 changed files with 5145 additions and 53 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
docker/nginx/Dockerfile Normal file
View File

@@ -0,0 +1,33 @@
FROM nginx:alpine
# Standard-Konfiguration entfernen
RUN rm /etc/nginx/conf.d/default.conf
# Verzeichnisse erstellen mit korrekten Berechtigungen
RUN mkdir -p /var/cache/nginx /var/log/nginx /etc/nginx/template && \
chmod -R 777 /var/cache/nginx /var/log/nginx
# Kopiere die Template-Konfiguration
COPY ./nginx.conf /etc/nginx/nginx.conf
COPY ./default.conf /etc/nginx/conf.d/default.conf
# Kopiere die SSL-Zertifikate
COPY ./ssl/ /etc/nginx/ssl/
# Startup-Skript zum Ersetzen der Variablen
COPY ./docker-entrypoint.sh /
RUN chmod +x /docker-entrypoint.sh
#Install Netcat
RUN apk add --no-cache netcat-openbsd
# Als user www-data laufen lassen
RUN addgroup -g 1000 www && adduser -D -G www -u 1000 www-data \
&& chown -R www-data:www /var/cache/nginx /var/log/nginx /etc/nginx
USER www-data
EXPOSE 80 443
ENTRYPOINT ["/docker-entrypoint.sh"]
CMD ["nginx", "-g", "daemon off;"]

228
docker/nginx/default.conf Normal file
View File

@@ -0,0 +1,228 @@
# FastCGI-Cache-Einstellungen
fastcgi_cache_path /var/cache/nginx levels=1:2 keys_zone=PHPCACHE:100m inactive=60m;
fastcgi_cache_key "$scheme$request_method$host$request_uri";
fastcgi_cache_use_stale error timeout invalid_header http_500;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
# Hardcoded Umgebungsmodus basierend auf Template-Ersetzung
map $http_host $env_mode {
default "${APP_ENV}";
}
# Dynamische Cache-Kontrolle basierend auf Umgebungsvariable
map $env_mode $should_skip_cache {
default 0; # Standard (Produktion): Cache aktivieren
development 1; # Entwicklung: Cache deaktivieren
testing 1; # Testing: Cache deaktivieren
}
# Skip-Cache für Sessions und basierend auf Umgebung
map $http_cookie$should_skip_cache $skip_cache {
"~PHPSESSID" 1; # Sessions nie cachen
"1" 1; # Cache überspringen, wenn should_skip_cache = 1
default 0; # Ansonsten cachen
}
map $host $block_health {
default 1; # Blockiere alles
localhost 0; # Erlaube nur Host "localhost"
}
upstream php-upstream {
server php:9000; # „php“ ist durch Network-Alias immer erreichbar
}
server {
listen 80;
server_name localhost;
return 301 https://$host$request_uri;
}
server {
# Korrigierte HTTP/2 Syntax
listen 443 ssl;
http2 on; # Neue Syntax für HTTP/2
server_name localhost;
#ssl_certificate /etc/nginx/ssl/localhost+2.pem;
#ssl_certificate_key /etc/nginx/ssl/localhost+2-key.pem;
ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
# Verbesserte SSL-Konfiguration
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# OCSP Stapling (auskommentiert, wenn Zertifikate fehlen)
# ssl_stapling on;
# ssl_stapling_verify on;
resolver 1.1.1.1 1.0.0.1 valid=300s;
resolver_timeout 5s;
root /var/www/html/public;
index index.php index.html;
# Debug-Header für die Entwicklung
add_header X-Environment $env_mode always;
# Sicherheits-Header
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options DENY always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Permissions-Policy "geolocation=(), microphone=()" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
# CSP Header
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'" always;
# Buffer-Größen anpassen
client_body_buffer_size 10K;
client_header_buffer_size 1k;
client_max_body_size 10m;
large_client_header_buffers 2 1k;
# Verbesserte Gzip-Kompression
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_min_length 256;
gzip_types
application/atom+xml
application/javascript
application/json
application/ld+json
application/manifest+json
application/rss+xml
application/vnd.geo+json
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/bmp
image/svg+xml
image/x-icon
text/cache-manifest
text/css
text/plain
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;
# Logs
access_log /var/log/nginx/access.log combined;
error_log /var/log/nginx/error.log error;
location / {
try_files $uri $uri/ /index.php?$query_string;
autoindex off;
}
# Caching Header für statische Dateien
location ~* \.(jpg|jpeg|png|gif|ico|svg|woff|woff2|ttf|eot)$ {
expires 1y;
add_header Cache-Control "public, immutable, max-age=31536000";
}
location ~* \.(css|js)$ {
expires 1w;
add_header Cache-Control "public, max-age=604800";
}
location ~* \.(json|xml)$ {
expires 1d;
add_header Cache-Control "public, max-age=86400";
}
location ~ \.php$ {
try_files $uri =404;
include fastcgi_params;
fastcgi_pass php-upstream;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# Wichtig: APP_ENV an PHP weitergeben
fastcgi_param APP_ENV $env_mode;
# Timeout-Einstellungen
fastcgi_read_timeout 60s;
fastcgi_connect_timeout 60s;
fastcgi_send_timeout 60s;
# Caching-Einstellungen
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
# Cache FastCGI-Antworten
fastcgi_cache_bypass $skip_cache;
fastcgi_no_cache $skip_cache;
fastcgi_cache PHPCACHE;
fastcgi_cache_valid 200 60m;
# Debug-Header hinzufügen
add_header X-Cache-Status $upstream_cache_status;
add_header X-Cache-Environment $env_mode;
add_header X-Cache-Skip $skip_cache;
# Für bessere Performance
fastcgi_keep_conn on;
}
# Sicherheitseinstellungen
location ~ /\.(?!well-known).* {
deny all;
}
server_tokens off;
limit_req zone=mylimit burst=20 nodelay;
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
# Healthcheck-Endpunkt
location = /ping {
access_log off;
add_header Content-Type text/plain;
return 200 'pong';
}
location = /health {
if ($block_health) {
return 404;
}
try_files /health.php =404;
allow 127.0.0.1; # Lokal erlaubt (Ansible, Docker, Monitoring intern)
allow ::1;
allow 192.168.0.0/16; # Optional: internes Netz (z.B. für internen Loadbalancer)
deny all;
error_page 403 =404;
}
error_page 404 /errors/404.html;
error_page 403 /errors/403.html;
error_page 500 502 503 504 /errors/50x.html;
location /errors/ {
internal; # Verhindert direkten Zugriff
}
}

20
docker/nginx/docker-entrypoint.sh Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/sh
set -e
until nc -z -w 2 php 9000; do
echo "Warte auf PHP-FPM..."
sleep 1
done
# Optional: eigene Umgebungsvariable mit Default setzen
export APP_ENV="${APP_ENV:-production}"
echo "Starte Nginx mit APP_ENV=$APP_ENV"
# Ersetze Umgebungsvariablen wie ${APP_ENV} in der Nginx-Config per envsubst
envsubst '${APP_ENV}' < /etc/nginx/conf.d/default.conf > /etc/nginx/conf.d/default.conf.tmp
mv /etc/nginx/conf.d/default.conf.tmp /etc/nginx/conf.d/default.conf
# Starte Nginx (Foreground)
exec nginx -g 'daemon off;'

37
docker/nginx/nginx.conf Normal file
View File

@@ -0,0 +1,37 @@
worker_processes auto;
pid /tmp/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
server_tokens off;
# Rate-Limiting für besseren DDoS-Schutz
limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;
# Logging-Einstellungen
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
error_log /var/log/nginx/error.log warn;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# TLS-Einstellungen
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# Include server configs
include /etc/nginx/conf.d/*.conf;
}

28
docker/nginx/ssl/localhost+2-key.pem Normal file
View File

@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDAzwS8FGSCDwDg
7QX8OpGkX1SbSwbUyzXNjEta319BvAH2OfcFFCj6u/iqfL7gKOM83t8u71VBFsCx
ZlxX2Ilyu2+r72sCdGBXcK6riTHrkjTs4uV6YV98eJuYhvAzSijpsRQjwnwQ587c
axtCXZhOzee3Tnbtzq4plqmOKR10D+cvrOZxuoKI914blXpGe8ds3vWEixewrex0
CYhzPj/zEF3yfCoSXeTmFBUbmmH/JwcCK8uO5t6XR1Dyo3M4GOMrmGtO7U4nuL6e
7JsbZfPaEW9wKtDjEwFDJSLy0ALEpiNWvbW4OaZWNkJk0jfKYwyBunNSs62B4307
oF8lqVo1AgMBAAECggEAbPlU0ryv5fZ256nvlRTBVmbvGep4zPKh0TA3MwBHBY8u
iK1QWVWAp95v+GQTOfzCGphZCl0JEYW7mUiibqAbZ3Za8pGaKMP/48vzXU5ooZ18
PlsrmlTItEAyqS2zOznyD8se9+snViK+f0QmHwdpWzjze15kx5nmQ+k8ofXJCNwq
q3dJIMI/WNuc0e/mMHYjZBsIwuoUi6YJHCE6RkWhGcnvlyXdKUV73/n8Loy6DUtW
VmshXag7+GfbVZIesMCjfnJ0gr9OG+XrFl6AcggzFA1ZHRoQliraVYGB2duQlIpW
o1wJMhFSGFPZxvl67hwXHJeo7ghHHfqNYXS1OuhV7QKBgQDBrvyzLtav51LzqOUY
2HPvaH86arbARc4Fy6ZJ0TaSlmKQ5GzRG0lG2CR03oZz+OcMV/BU8xUMM7CX0zUq
9RAmbE7rvXYOvqTe8pcdHeKKflzsr5p0HNROaeZdpMu8xoK1KLelAo6UCEBUGEny
oMtQWapuYvmdlHR2el2ICRGNzwKBgQD+1/iM1LcF9CYvEc8Sly9XuoRsdUCxavQa
sssv7eG5kkL8HroNs1pGZU8lNuZaT1V0ekWVOFk+X3+dGgCXg5/e/CluK9K7qOHX
3IkyUnZLEH5sDXGMGBzYA9AQTaB1PMTQYku6GNWYab6LFQTvpvvLcIILaFHokq8p
D/dGVJH8uwKBgQCBOxDBPe9hTye6DGdQPJyekUrS34EwqWLd2xQJDN8sz8rUgpVY
sKwj6PPqRs/PcbQ4ODTTeZ4BljuuEe7XyswL1xiRksjC7dF0MMlDVD1jywyVoFWe
Q94ks+RRdzO5sXplBdYC88HOY/MIKWytxzvhUPK21LNYwUU0CFGAAw0DYQKBgQD4
mT/qSdscoLXa9tl0fiz9vIJPtvXb3MSxgra5U6n9t9NGVMcUdGBdCZjyaaK+eGOZ
U2mrjiNouAop++KV6x26jWvxACj7TVy6kXT4tP6WbUmWKGsaya7hfp6qOL+NfjFU
Qn8y0+URYB4zWNbO3asFIwSJEkPMx8K9IMkMP5WF3wKBgCYiqAhPDF4WxA3fAqP7
95px8Clrety0mwOtE/rMQRf1nKJ78oA4pr+/VXRbyghAxtD4psbmBQofX3iwnn3B
o1DV3FLpNw004mvcKGScUcNwHQtWAtWX2nVDcxes5R2DgN+lpmWmf5Tq47p0r5ZP
nRb92drrnf8FoBv78CxLjIu+
-----END PRIVATE KEY-----

25
docker/nginx/ssl/localhost+2.pem Normal file
View File

@@ -0,0 +1,25 @@
-----BEGIN CERTIFICATE-----
MIIEHjCCAoagAwIBAgIQLqhFNHvvWJKUpuypArU2CjANBgkqhkiG9w0BAQsFADBb
MR4wHAYDVQQKExVta2NlcnQgZGV2ZWxvcG1lbnQgQ0ExGDAWBgNVBAsMD21pY2hh
ZWxATWlrZS1QQzEfMB0GA1UEAwwWbWtjZXJ0IG1pY2hhZWxATWlrZS1QQzAeFw0y
NTA1MTgxOTUyMDlaFw0yNzA4MTgxOTUyMDlaMEMxJzAlBgNVBAoTHm1rY2VydCBk
ZXZlbG9wbWVudCBjZXJ0aWZpY2F0ZTEYMBYGA1UECwwPbWljaGFlbEBNaWtlLVBD
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwM8EvBRkgg8A4O0F/DqR
pF9Um0sG1Ms1zYxLWt9fQbwB9jn3BRQo+rv4qny+4CjjPN7fLu9VQRbAsWZcV9iJ
crtvq+9rAnRgV3Cuq4kx65I07OLlemFffHibmIbwM0oo6bEUI8J8EOfO3GsbQl2Y
Ts3nt0527c6uKZapjikddA/nL6zmcbqCiPdeG5V6RnvHbN71hIsXsK3sdAmIcz4/
8xBd8nwqEl3k5hQVG5ph/ycHAivLjubel0dQ8qNzOBjjK5hrTu1OJ7i+nuybG2Xz
2hFvcCrQ4xMBQyUi8tACxKYjVr21uDmmVjZCZNI3ymMMgbpzUrOtgeN9O6BfJala
NQIDAQABo3YwdDAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEw
HwYDVR0jBBgwFoAUhhzxUvThIGRX4MSoX91Vzm1zZ9AwLAYDVR0RBCUwI4IJbG9j
YWxob3N0hwR/AAABhxAAAAAAAAAAAAAAAAAAAAABMA0GCSqGSIb3DQEBCwUAA4IB
gQDUFLYZPo8RrfZh/vwT15LcIce8brdVegms6DvPK9lMZX6C4sGf4+rTJCwPuqHW
dqVZAhHdvcsyGI15xvVPT4qSh89RN1JB9uIHCk+weIzp+Rn06MMrB49m4abAvWp2
hB8bCo80hMVIsCb3Wr9sHg7CsJItsdGz8jHYCvHpvPLR7gWhYjm1g0meglT3tZqd
TsKDMb3Vj/vsivEueM6Oj/of8xbamVSSkqljWbRls7Ti7xqXMbmf7nl0WvG9IXg3
5Ucv1AWJIFEeLnMM5V0nEbO3sAhbNMLXieGPBWHXOgHuvVnQyu1mBESjgc5bjwfN
UjYBHluFkF9aYw3mGcFqAlb1FpGoMtHwTw0uGZzHzj5FY8oZix5edq/upriV6cU2
t0tidlfhvkJNSSO4zjAPjU1wd+/QRZwY2PcB5kBxs5MzSmiMlEjTkGgHWqMWMBf1
NPbyaxtjL69xBVonxpqD6BLJ2qLatgCs6fkZZF7AT38OFXr8Cv5vxt1rR5fs1P6X
mI0=
-----END CERTIFICATE-----