diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index b2cd274..ecc80fa 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -90,6 +90,28 @@ jobs: exit 1; fi + - name: Down environment + run: | + docker compose down --remove-orphans + + - name: Setup SSL + run: | + echo "PHP_FPM_PASSWORD=123456" > .env + docker compose -f docker-compose.ssl.yml up --build -d + sleep 10 + docker compose -f docker-compose.ssl.yml ps + docker compose -f docker-compose.ssl.yml logs + + - name: Test SSL + run: | + CONTENT=$(curl -s -k "https://localhost:444/"); + echo "CHAMADA HTTP: ${CONTENT}"; + + if [ "${CONTENT}" != "php" ]; then + echo "Chamada HTTP retornou errado: ${CONTENT}" + exit 1; + fi + push: needs: test diff --git a/Dockerfile b/Dockerfile index 82998b8..2974114 100644 --- a/Dockerfile +++ b/Dockerfile 
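Review bot: The new `Test SSL` step issues a single request after a fixed `sleep 10` in `Setup SSL`, so a slow `--build` or PHP-FPM start fails the job spuriously while a fast one just wastes time; poll until the expected body appears instead, e.g. `timeout 60 sh -c 'until [ "$(curl -sk https://localhost:444/)" = "php" ]; do sleep 1; done'` ahead of the existing assertion. `curl -k` is appropriate for the mkcert self-signed certificate, but note that the test then only proves a TLS handshake completes and the proxied body is `php`, not which certificate or key was served. The preceding `Down environment` step tears down the default compose project only, and nothing tears down the `docker-compose.ssl.yml` stack afterwards; harmless on ephemeral runners, but a matching `docker compose -f docker-compose.ssl.yml down` with `if: always()` would keep the job self-contained.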
@@ -1,20 +1,31 @@ -FROM debian:10-slim as htpasswd +FROM debian:10-slim AS ssl +WORKDIR /ssl/ +RUN apt update && apt-get install -y libnss3-tools curl +RUN curl -JLO "https://dl.filippo.io/mkcert/latest?for=linux/amd64" +RUN chmod +x mkcert-v*-linux-amd64 +RUN mv mkcert-v*-linux-amd64 /usr/local/bin/mkcert +RUN mkcert -key-file privkey.pem -cert-file fullchain.pem localhost 127.0.0.1 ::1 + +FROM debian:10-slim AS htpasswd WORKDIR / ARG PHP_FPM_PASSWORD=123456 RUN apt update && apt install apache2-utils -y RUN htpasswd -bc fpm_passwd admin $PHP_FPM_PASSWORD RUN htpasswd -bv fpm_passwd admin $PHP_FPM_PASSWORD +FROM debian:10-slim AS dockerize +ENV DOCKERIZE_VERSION v0.8.0 +RUN apt-get update \ + && apt-get install -y wget \ + && wget -O - https://github.com/jwilder/dockerize/releases/download/$DOCKERIZE_VERSION/dockerize-linux-amd64-$DOCKERIZE_VERSION.tar.gz | tar xzf - -C /usr/local/bin \ + && apt-get autoremove -yqq --purge wget && rm -rf /var/lib/apt/lists/* + FROM nginx:latest ENV PORTA_PHP=9000 ENV TIMEOUT_PHP=60s -ENV DOCKERIZE_VERSION v0.6.1 -RUN apt-get update && apt-get install -y wget \ - && wget https://github.com/jwilder/dockerize/releases/download/$DOCKERIZE_VERSION/dockerize-linux-amd64-$DOCKERIZE_VERSION.tar.gz \ - && tar -C /usr/local/bin -xzvf dockerize-linux-amd64-$DOCKERIZE_VERSION.tar.gz \ - && rm dockerize-linux-amd64-$DOCKERIZE_VERSION.tar.gz +COPY --from=dockerize /usr/local/bin/dockerize /usr/local/bin/dockerize ENV PUBLIC_HTML="/var/www/public" ENV SRC_CONFIG_TEMPLATES="/etc/nginx-templetes/" @@ -26,6 +37,8 @@ COPY config/ ${SRC_CONFIG_TEMPLATES} COPY --from=htpasswd /fpm_passwd /etc/nginx/fpm_passwd COPY www/fpm_status.html /var/php/status.html +COPY --from=ssl /ssl/ /etc/nginx/ssl/ + EXPOSE 80 443 COPY sh/ /docker-entrypoint.d/ diff --git a/config/include.d/ssl.conf b/config/include.d/ssl.conf index eca251f..5c58788 100644 --- a/config/include.d/ssl.conf +++ b/config/include.d/ssl.conf 
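Review bot: `COPY --from=ssl /ssl/ /etc/nginx/ssl/` bakes a TLS private key (`privkey.pem`) into every build of the image, so the same key is shared by everyone who pulls it, and a deployment that sets `SSL=true` without mounting its own files will present this key under whatever hostname fronts it; the certificate is only valid for `localhost`/`127.0.0.1`/`::1`, which limits the blast radius but also means a misconfigured deployment serves the wrong certificate rather than failing. If the intent is a dev-only fallback, say so at the copy site, e.g. `# Dev-only self-signed cert/key generated by mkcert at build time (SAN: localhost, 127.0.0.1, ::1); mount real certificates over /etc/nginx/ssl/ in production.`. Copying the two files by name (`fullchain.pem`, `privkey.pem`) rather than the whole `/ssl/` directory would also make it explicit what ends up in the image.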
@@ -1,6 +1,5 @@ -listen 443 ssl http2; - -http2_push_preload on; +listen 443 ssl; +http2 on; ssl_prefer_server_ciphers on; ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; diff --git a/config/site.d/ssl.conf b/config/site.d/ssl.conf index 23bbd93..fdf68c9 100644 --- a/config/site.d/ssl.conf +++ b/config/site.d/ssl.conf @@ -1,3 +1,3 @@ include include.d/ssl.conf; -ssl_certificate /var/www/ssl/fullchain.pem; -ssl_certificate_key /var/www/ssl/privkey.pem; \ No newline at end of file +ssl_certificate /etc/nginx/ssl/fullchain.pem; +ssl_certificate_key /etc/nginx/ssl/privkey.pem; \ No newline at end of file diff --git a/docker-compose.ssl.yml b/docker-compose.ssl.yml new file mode 100644 index 0000000..e7e9e07 --- /dev/null +++ b/docker-compose.ssl.yml @@ -0,0 +1,34 @@ +networks: + nginx: + driver: bridge + +services: + + app: + image: likesistemas/php:latest + volumes: + - ./www/:/var/www/public/ + networks: + - nginx + + nginx: + image: likesistemas/nginx:dev + build: + context: . + args: + - PHP_FPM_PASSWORD=${PHP_FPM_PASSWORD:-password} + environment: + - HOST_PHP=app + - PORTA_PHP=9000 + - SSL=true + ports: + - 444:443 + volumes: + - ./www/:/var/www/public/ + - ./.docker/ssl/:/var/www/ssl/ + links: + - app + depends_on: + - app + networks: + - nginx \ No newline at end of file diff --git a/sh/98-configure-nginx.sh b/sh/98-configure-nginx.sh index 2b7436f..f31bec3 100644 --- a/sh/98-configure-nginx.sh +++ b/sh/98-configure-nginx.sh @@ -1,5 +1,9 @@ #!/bin/bash +step() { + echo -e "\e[30mnginx\e[0m >> \e[33m${1}\e[0m" +} + mkdir -p ${SRC_CONFIG} cp -R ${SRC_CONFIG_TEMPLATES}/. ${SRC_CONFIG} 
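Review bot: `http2 on;` is a directive that only exists in nginx 1.25.1 and newer (the release that deprecated `listen ... http2` and removed `http2_push_preload`); with `FROM nginx:latest` this resolves today, but anyone pinning the base to an older tag gets a configuration error at startup, so record the floor next to it, e.g. `# requires nginx >= 1.25.1 (http2 directive); older versions need 'listen 443 ssl http2;'`. Not changed here but in the same file, the `ssl_ciphers` list still admits `3DES` and static-RSA (`RSA+AES*`) suites, which provide no forward secrecy; a follow-up could drop them and set `ssl_protocols TLSv1.2 TLSv1.3;` if that is not already set elsewhere in the config.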
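Review bot: The `nginx` service mounts `./.docker/ssl/` at `/var/www/ssl/`, but after this commit nginx reads certificates from `/etc/nginx/ssl/` (`config/site.d/ssl.conf`, and the `SSL_CERTIFICATE*` paths in `sh/98-configure-nginx.sh`), so the mount is dead and the CI `Test SSL` step only ever exercises the certificate baked into the image; either point it at the new location, `- ./.docker/ssl/:/etc/nginx/ssl/`, or drop it. `links:` is legacy and redundant here, since both services share the `nginx` network and `depends_on` already orders startup. `depends_on` does not wait for PHP-FPM to be ready, which is presumably why the workflow adds `sleep 10`; if the `app` image offers a probe, a `healthcheck` plus `condition: service_healthy` would make startup deterministic. `image: likesistemas/php:latest` floats, so the test environment is not reproducible across runs.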
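Review bot: `step` always emits ANSI escapes (`\e[30m` … `\e[0m`) to stdout, which is where `docker logs` and CI collectors read from, so the raw sequences end up in stored logs, and `\e[30m` (black foreground) is invisible on dark terminals. Emit colour only when stdout is a terminal, e.g. `if [ -t 1 ]; then echo -e "\e[1mnginx\e[0m >> \e[33m${1}\e[0m"; else echo "nginx >> ${1}"; fi`.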
@@ -8,24 +12,24 @@ PASTA_NGINX_CONF=${SRC_CONFIG}/conf.d; PASTA_NGINX_INCLUDE=${SRC_CONFIG}/include.d; if [ -d "/var/nginx/conf.d/" ]; then - echo "Copiando config extras..."; + step "Copiando config extras..."; cp -Rv /var/nginx/conf.d/*.conf ${PASTA_NGINX_CONF} fi; if [ -d "/var/nginx/site.d/extras/" ]; then - echo "Copiando config site.d extras..."; + step "Copiando config site.d extras..."; cp -Rv /var/nginx/site.d/extras/*.conf ${PASTA_NGINX_SITE}/extras/ fi; # CONFIGURANDO LIMITS if [ -n "$LIMIT_NO_FILE" ]; then - echo "Configurando Limits '${LIMIT_NO_FILE}'..."; + step "Configurando Limits '${LIMIT_NO_FILE}'..."; sed -i "s/worker_rlimit_nofile 1024;/worker_rlimit_nofile ${LIMIT_NO_FILE};/g" ${SRC_CONFIG}/nginx.conf; fi; # CONFIGURANDO HOST\PORTA PHP if [ -n "$HOST_PHP" ]; then - echo "Configurando Host\Porta PHP..."; + step "Configurando Host\Porta PHP..."; if [ -n "$EXTENSAO_PHP" ]; then sed -i "14a location ~ \.php$ { include site.d/php.conf; }" ${PASTA_NGINX_SITE}/default.conf; @@ -46,6 +50,7 @@ if [ -n "$HOST_PHP" ]; then fi; cat ${PASTA_NGINX_SITE}/php.conf; + echo -e "\n\n"; fi; # INDEX FILE @@ -57,15 +62,16 @@ fi; # CONFIGURANDO TRY FILES if [ "$TRYFILES" == "1" ]; then - echo "Configurando tryfiles..."; + step "Configurando tryfiles..."; sed -i "12a include site.d/tryfiles.conf;" ${PASTA_NGINX_SITE}/default.conf; cat ${PASTA_NGINX_SITE}/tryfiles.conf; + echo -e "\n\n"; fi; # CONFIGURANDO REWRITE if [ "$REWRITE" == "1" ]; then - echo "Configurando rewrite..."; + step "Configurando rewrite..."; sed -i "14a include site.d/rewrite.conf;" ${PASTA_NGINX_SITE}/default.conf; if [ -n "$REWRITE_ROLE" ]; then 
@@ -78,35 +84,45 @@ if [ "$REWRITE" == "1" ]; then fi; cat ${PASTA_NGINX_SITE}/rewrite.conf; + echo -e "\n\n"; fi; # CONFIGURANDO SSL -if [ -d "/var/www/ssl/" ]; then - echo "Configurando SSL..."; - sed -i "10a include include.d/ssl.conf;" ${PASTA_NGINX_SITE}/default.conf; -fi; +SSL_CERTIFICATE="/etc/nginx/ssl/fullchain.pem" +SSL_CERTIFICATE_KEY="/etc/nginx/ssl/privkey.pem" + +if [ "${SSL}" == "true" ] && [ -f "${SSL_CERTIFICATE}" ] && [ -f "${SSL_CERTIFICATE_KEY}" ]; then + step "Configurando SSL..."; + sed -i "10a include site.d/ssl.conf;" ${PASTA_NGINX_SITE}/default.conf; +fi # CONFIGURANDO PARA ELB if [ -n "$REALIP_FROM" ]; then - echo "Configurando Real IP..."; + step "Configurando Real IP..."; REALIP_FROM_CONFIG=${PASTA_NGINX_CONF}/realip.conf echo "real_ip_header X-Forwarded-For;" >> $REALIP_FROM_CONFIG echo "set_real_ip_from ${REALIP_FROM};" >> $REALIP_FROM_CONFIG fi if [ -z "$HTTP_IPV6" ] || [ "$HTTP_IPV6" == "true" ]; then - echo "Habilitando IPV6 do HTTP"; + step "Habilitando IPV6 do HTTP"; echo "listen [::]:80;" >> ${PASTA_NGINX_INCLUDE}/80.conf; cat ${PASTA_NGINX_INCLUDE}/80.conf; + echo -e "\n\n"; fi; if [ -z "$HTTPS_IPV6" ] || [ "$HTTPS_IPV6" == "true" ]; then - echo "Habilitando IPV6 do HTTPS"; - echo "listen [::]:443 ssl http2;" >> ${PASTA_NGINX_INCLUDE}/ssl.conf; + step "Habilitando IPV6 do HTTPS"; + echo "listen [::]:443 ssl;" >> ${PASTA_NGINX_INCLUDE}/ssl.conf; cat ${PASTA_NGINX_INCLUDE}/ssl.conf; + echo -e "\n\n"; fi; +step "Configurações do Nginx"; cat ${SRC_CONFIG}/nginx.conf; + +echo -e "\n\n"; +step "Configurações do Site"; cat ${PASTA_NGINX_SITE}/default.conf; \ No newline at end of file
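Review bot: When `SSL=true` but `${SSL_CERTIFICATE}` or `${SSL_CERTIFICATE_KEY}` is missing, the new `if` falls through silently and the container comes up HTTP-only with no log line; replace the closing `fi` with `elif [ "${SSL}" == "true" ]; then step "SSL=true but ${SSL_CERTIFICATE} or ${SSL_CERTIFICATE_KEY} not found; HTTPS disabled"; fi`, or `exit 1` there if an explicit request for TLS should be fatal. In the stock image both `-f` tests are always true, because the Dockerfile copies the mkcert-generated `localhost` certificate and key to exactly these paths, so the effective gate is `SSL=true` alone and a deployment that still mounts its certificates at the previous `/var/www/ssl/` location (as `docker-compose.ssl.yml` does) serves the baked-in dev certificate; logging the path in the step line, `step "Configurando SSL (${SSL_CERTIFICATE})...";`, makes that visible at startup. The old behaviour enabled TLS whenever `/var/www/ssl/` existed, so existing deployments that never set `SSL` lose HTTPS on upgrade; that deserves a changelog or README line.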