From c351cba62359879b2d413f81addf2de0175667ea Mon Sep 17 00:00:00 2001
From: Ricardo Paes
Date: Wed, 28 Aug 2024 13:17:09 -0300
Subject: [PATCH 1/4] =?UTF-8?q?=F0=9F=9A=91=EF=B8=8F=20Fix=20ssl?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .docker/ssl/.gitignore | 2 ++
 Dockerfile | 2 +-
 config/include.d/ssl.conf | 5 ++---
 docker-compose.ssl.yml | 43 +++++++++++++++++++++++++++++++++++++++
 sh/98-configure-nginx.sh | 4 ++--
 5 files changed, 50 insertions(+), 6 deletions(-)
 create mode 100644 .docker/ssl/.gitignore
 create mode 100644 docker-compose.ssl.yml
diff --git a/.docker/ssl/.gitignore b/.docker/ssl/.gitignore
new file mode 100644
index 0000000..c96a04f
--- /dev/null
+++ b/.docker/ssl/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index 82998b8..8ec7813 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM debian:10-slim as htpasswd
+FROM debian:10-slim AS htpasswd
 WORKDIR /
 ARG PHP_FPM_PASSWORD=123456
 RUN apt update && apt install apache2-utils -y
diff --git a/config/include.d/ssl.conf b/config/include.d/ssl.conf
index eca251f..5c58788 100644
--- a/config/include.d/ssl.conf
+++ b/config/include.d/ssl.conf
@@ -1,6 +1,5 @@
-listen 443 ssl http2;
-
-http2_push_preload on;
+listen 443 ssl;
+http2 on;
 
 ssl_prefer_server_ciphers on;
 ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
diff --git a/docker-compose.ssl.yml b/docker-compose.ssl.yml
new file mode 100644
index 0000000..6a838e5
--- /dev/null
+++ b/docker-compose.ssl.yml
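Review bot: `http2 on;` in config/include.d/ssl.conf is only understood by nginx 1.25.1 and newer, while the image is built from an unpinned `FROM nginx:latest` (visible as context in the Dockerfile hunk of the next patch), so a stale or older tag fails at startup with an unknown-directive error. Pin the nginx tag to a release that has the directive and record the constraint on the line above it: `# 'http2' directive needs nginx >= 1.25.1 (replaces 'listen ... http2')`. The context lines of the same file keep `EECDH+3DES`, `RSA+3DES` and the non-forward-secret `RSA+AES*` suites in `ssl_ciphers`; the commit does not touch them, but since the listen/http2 block is being reworked here it is the right moment to drop 3DES and the plain-RSA key-exchange suites.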
@@ -0,0 +1,43 @@
+networks:
+ nginx:
+ driver: bridge
+
+services:
+
+ app:
+ image: likesistemas/php:latest
+ container_name: nginx_app
+ command: sleep 4
+ environment:
+ - PHP_NAME=nginx_app
+ - PHP_PM=dynamic
+ - PHP_PM_MAX_CHILDREN=2
+ - PHP_PM_START_SERVERS=1
+ - PHP_PM_MIN_SPARE_SERVERS=1
+ - PHP_PM_MAX_SPARE_SERVERS=1
+ - PHP_PM_MAX_REQUESTS=500
+ volumes:
+ - ./www/:/var/www/public/
+ networks:
+ - nginx
+
+ nginx:
+ image: likesistemas/nginx:dev
+ build:
+ context: .
+ args:
+ - PHP_FPM_PASSWORD=${PHP_FPM_PASSWORD:-password}
+ environment:
+ - HOST_PHP=nginx_app
+ - PORTA_PHP=9000
+ ports:
+ - 444:443
+ volumes:
+ - ./www/:/var/www/public/
+ - ./.docker/ssl/:/var/www/ssl/
+ links:
+ - app
+ depends_on:
+ - app
+ networks:
+ - nginx
\ No newline at end of file
diff --git a/sh/98-configure-nginx.sh b/sh/98-configure-nginx.sh
index 2b7436f..1295281 100644
--- a/sh/98-configure-nginx.sh
+++ b/sh/98-configure-nginx.sh
@@ -83,7 +83,7 @@ fi;
 # CONFIGURANDO SSL
 if [ -d "/var/www/ssl/" ]; then
 echo "Configurando SSL...";
- sed -i "10a include include.d/ssl.conf;" ${PASTA_NGINX_SITE}/default.conf;
+ sed -i "10a include site.d/ssl.conf;" ${PASTA_NGINX_SITE}/default.conf;
 fi;
 
 # CONFIGURANDO PARA ELB
@@ -103,7 +103,7 @@ fi;
 
 if [ -z "$HTTPS_IPV6" ] || [ "$HTTPS_IPV6" == "true" ]; then
 echo "Habilitando IPV6 do HTTPS";
- echo "listen [::]:443 ssl http2;" >> ${PASTA_NGINX_INCLUDE}/ssl.conf;
+ echo "listen [::]:443 ssl;" >> ${PASTA_NGINX_INCLUDE}/ssl.conf;
 cat ${PASTA_NGINX_INCLUDE}/ssl.conf;
 fi;
From 5f9e7378f0fb91119eff59837876ebfeb06b2400 Mon Sep 17 00:00:00 2001
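Review bot: The build arg `PHP_FPM_PASSWORD=${PHP_FPM_PASSWORD:-password}` in the new docker-compose.ssl.yml falls back to the literal `password` whenever the variable is unset, so a build run without an `.env` bakes an htpasswd entry for a guessable credential into the image with no warning at all. Compose supports the fail-fast expansion `- PHP_FPM_PASSWORD=${PHP_FPM_PASSWORD:?PHP_FPM_PASSWORD must be set}`, which turns the missing value into a build error instead of a silent default. The `image: likesistemas/php:latest` tag on the app service floats as well; pinning it keeps the SSL test reproducible from one CI run to the next.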
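Review bot: The rewritten `sed -i "10a include site.d/ssl.conf;"` line still inserts by absolute line number, so any edit to the default.conf template above line 10 silently moves the include into a different block (the `12a` and `14a` inserts elsewhere in the script share the coupling). Anchoring on a marker comment placed in the template, e.g. `sed -i "/# @ssl/a include site.d/ssl.conf;" ${PASTA_NGINX_SITE}/default.conf;`, keeps the insertion point stable across template changes. The guard `[ -d "/var/www/ssl/" ]` also only proves the directory exists, not that fullchain.pem and privkey.pem are in it, which nginx then reports as a fatal config error at start rather than the script reporting it here.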
From: Ricardo Paes
Date: Wed, 28 Aug 2024 15:00:49 -0300
Subject: [PATCH 2/4] =?UTF-8?q?=E2=9C=A8=20Generate=20self-signed=20certif?= =?UTF-8?q?icate=20and=20test=20ssl?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .docker/ssl/.gitignore | 2 --
 .github/workflows/docker-publish.yml | 16 +++++++++++
 Dockerfile | 23 ++++++++++++----
 config/site.d/ssl.conf | 4 +--
 docker-compose.ssl.yml | 13 ++-------
 sh/98-configure-nginx.sh | 40 +++++++++++++++++++---------
 6 files changed, 66 insertions(+), 32 deletions(-)
 delete mode 100644 .docker/ssl/.gitignore
diff --git a/.docker/ssl/.gitignore b/.docker/ssl/.gitignore
deleted file mode 100644
index c96a04f..0000000
--- a/.docker/ssl/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-*
-!.gitignore
\ No newline at end of file
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index b2cd274..37af306 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -90,6 +90,22 @@ jobs:
 exit 1;
 fi
 
+ - name: Setup SSL
+ run: |
+ echo "PHP_FPM_PASSWORD=123456" > .env
+ docker compose -f docker-compose.ssl.yml up --build -d
+ sleep 10
+
+ - name: Test SSL
+ run: |
+ CONTENT=$(curl -s "https://127.0.0.1:444/");
+ echo "CHAMADA HTTP: ${CONTENT}";
+
+ if [ "${CONTENT}" != "php" ]; then
+ echo "Chamada HTTP retornou errado: ${CONTENT}"
+ exit 1;
+ fi
+
 
 push:
 needs: test
diff --git a/Dockerfile b/Dockerfile
index 8ec7813..2974114 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,3 +1,11 @@
+FROM debian:10-slim AS ssl
+WORKDIR /ssl/
+RUN apt update && apt-get install -y libnss3-tools curl
+RUN curl -JLO "https://dl.filippo.io/mkcert/latest?for=linux/amd64"
+RUN chmod +x mkcert-v*-linux-amd64
+RUN mv mkcert-v*-linux-amd64 /usr/local/bin/mkcert
+RUN mkcert -key-file privkey.pem -cert-file fullchain.pem localhost 127.0.0.1 ::1
+
 FROM debian:10-slim AS htpasswd
 WORKDIR /
 ARG PHP_FPM_PASSWORD=123456
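Review bot: The new `Test SSL` step fetches with `curl -s`, which swallows the TLS handshake error that the certificate generated in this same commit will produce on a runner that does not trust its issuer, so the failure only shows up as an empty `${CONTENT}` compared against `php`. `curl -sS --fail "https://127.0.0.1:444/"` makes the real cause visible in the log, and the expected body should be checked only after curl itself succeeded. The fixed `sleep 10` in `Setup SSL` is a race against container start-up; a bounded loop that retries the same curl call once per second up to a limit waits only as long as needed and fails deterministically when the stack never comes up.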
@@ -5,16 +13,19 @@ RUN apt update && apt install apache2-utils -y
 RUN htpasswd -bc fpm_passwd admin $PHP_FPM_PASSWORD
 RUN htpasswd -bv fpm_passwd admin $PHP_FPM_PASSWORD
 
+FROM debian:10-slim AS dockerize
+ENV DOCKERIZE_VERSION v0.8.0
+RUN apt-get update \
+ && apt-get install -y wget \
+ && wget -O - https://github.com/jwilder/dockerize/releases/download/$DOCKERIZE_VERSION/dockerize-linux-amd64-$DOCKERIZE_VERSION.tar.gz | tar xzf - -C /usr/local/bin \
+ && apt-get autoremove -yqq --purge wget && rm -rf /var/lib/apt/lists/*
+
 FROM nginx:latest
 
 ENV PORTA_PHP=9000
 ENV TIMEOUT_PHP=60s
 
-ENV DOCKERIZE_VERSION v0.6.1
-RUN apt-get update && apt-get install -y wget \
- && wget https://github.com/jwilder/dockerize/releases/download/$DOCKERIZE_VERSION/dockerize-linux-amd64-$DOCKERIZE_VERSION.tar.gz \
- && tar -C /usr/local/bin -xzvf dockerize-linux-amd64-$DOCKERIZE_VERSION.tar.gz \
- && rm dockerize-linux-amd64-$DOCKERIZE_VERSION.tar.gz
+COPY --from=dockerize /usr/local/bin/dockerize /usr/local/bin/dockerize
 
 ENV PUBLIC_HTML="/var/www/public"
 ENV SRC_CONFIG_TEMPLATES="/etc/nginx-templetes/"
@@ -26,6 +37,8 @@ COPY config/ ${SRC_CONFIG_TEMPLATES}
 COPY --from=htpasswd /fpm_passwd /etc/nginx/fpm_passwd
 COPY www/fpm_status.html /var/php/status.html
 
+COPY --from=ssl /ssl/ /etc/nginx/ssl/
+
 EXPOSE 80 443
 
 COPY sh/ /docker-entrypoint.d/
diff --git a/config/site.d/ssl.conf b/config/site.d/ssl.conf
index 23bbd93..fdf68c9 100644
--- a/config/site.d/ssl.conf
+++ b/config/site.d/ssl.conf
@@ -1,3 +1,3 @@
 include include.d/ssl.conf;
-ssl_certificate /var/www/ssl/fullchain.pem;
-ssl_certificate_key /var/www/ssl/privkey.pem;
\ No newline at end of file
+ssl_certificate /etc/nginx/ssl/fullchain.pem;
+ssl_certificate_key /etc/nginx/ssl/privkey.pem;
\ No newline at end of file
diff --git a/docker-compose.ssl.yml b/docker-compose.ssl.yml
index 6a838e5..e7e9e07 100644
--- a/docker-compose.ssl.yml
+++ b/docker-compose.ssl.yml
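Review bot: In the new `dockerize` stage the download is `wget -O - … | tar xzf - -C /usr/local/bin` under the default `/bin/sh -c`, so a failed or truncated download is masked by tar's exit status and an empty or partial `dockerize` is copied into the runtime image (hadolint DL4006); the old form at least downloaded and extracted in separate steps so a failed wget broke the chain. Put `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` at the top of the stage, or download to a file and check a digest before extracting. `ENV DOCKERIZE_VERSION v0.8.0` uses the legacy space-separated form; `ARG DOCKERIZE_VERSION=v0.8.0` is the documented syntax and, being build-time only, keeps the value out of the stage environment. The runtime stage still starts from `FROM nginx:latest`, which this commit does not pin.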
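Review bot: `COPY --from=ssl /ssl/ /etc/nginx/ssl/` ships a private key inside the published image, so the key is effectively public and every pull of that image serves the same pair; because the entrypoint only checks that the two files exist, an operator who sets `SSL=true` without mounting their own material will serve TLS with it. State the intent on the line above, `# dev-only self-signed cert/key for localhost (mkcert); mount real material over /etc/nginx/ssl/ for anything else`, and keep the key from being world-readable inside the container with `COPY --from=ssl --chmod=600 /ssl/ /etc/nginx/ssl/` (the nginx master reads it as root). Generating the pair at container start instead of at build time would avoid a shared key across pulls altogether.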
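Review bot: Moving `ssl_certificate` and `ssl_certificate_key` from `/var/www/ssl/` to `/etc/nginx/ssl/` changes the path operators mount their own certificates into, and nothing in the series documents that; docker-compose.ssl.yml still mounts `./.docker/ssl/:/var/www/ssl/` (that line is outside the compose hunks, so presumably unchanged) and the entrypoint now looks only at `/etc/nginx/ssl/`, so a deployment that keeps mounting real certificates at the old path would silently serve the baked-in self-signed pair instead. Either keep honouring `/var/www/ssl/` when it holds a pair, or call the new mount target out in the README and changelog with a note that the old path is no longer read.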
@@ -6,16 +6,6 @@ services:
 
 app:
 image: likesistemas/php:latest
- container_name: nginx_app
- command: sleep 4
- environment:
- - PHP_NAME=nginx_app
- - PHP_PM=dynamic
- - PHP_PM_MAX_CHILDREN=2
- - PHP_PM_START_SERVERS=1
- - PHP_PM_MIN_SPARE_SERVERS=1
- - PHP_PM_MAX_SPARE_SERVERS=1
- - PHP_PM_MAX_REQUESTS=500
 volumes:
 - ./www/:/var/www/public/
 networks:
@@ -28,8 +18,9 @@ services:
 args:
 - PHP_FPM_PASSWORD=${PHP_FPM_PASSWORD:-password}
 environment:
- - HOST_PHP=nginx_app
+ - HOST_PHP=app
 - PORTA_PHP=9000
+ - SSL=true
 ports:
 - 444:443
 volumes:
diff --git a/sh/98-configure-nginx.sh b/sh/98-configure-nginx.sh
index 1295281..f31bec3 100644
--- a/sh/98-configure-nginx.sh
+++ b/sh/98-configure-nginx.sh
@@ -1,5 +1,9 @@
 #!/bin/bash
 
+step() {
+ echo -e "\e[30mnginx\e[0m >> \e[33m${1}\e[0m"
+}
+
 mkdir -p ${SRC_CONFIG}
 cp -R ${SRC_CONFIG_TEMPLATES}/. ${SRC_CONFIG}
 
@@ -8,24 +12,24 @@ PASTA_NGINX_CONF=${SRC_CONFIG}/conf.d;
 PASTA_NGINX_INCLUDE=${SRC_CONFIG}/include.d;
 
 if [ -d "/var/nginx/conf.d/" ]; then
- echo "Copiando config extras...";
+ step "Copiando config extras...";
 cp -Rv /var/nginx/conf.d/*.conf ${PASTA_NGINX_CONF}
 fi;
 
 if [ -d "/var/nginx/site.d/extras/" ]; then
- echo "Copiando config site.d extras...";
+ step "Copiando config site.d extras...";
 cp -Rv /var/nginx/site.d/extras/*.conf ${PASTA_NGINX_SITE}/extras/
 fi;
 
 # CONFIGURANDO LIMITS
 if [ -n "$LIMIT_NO_FILE" ]; then
- echo "Configurando Limits '${LIMIT_NO_FILE}'...";
+ step "Configurando Limits '${LIMIT_NO_FILE}'...";
 sed -i "s/worker_rlimit_nofile 1024;/worker_rlimit_nofile ${LIMIT_NO_FILE};/g" ${SRC_CONFIG}/nginx.conf;
 fi;
 
 # CONFIGURANDO HOST\PORTA PHP
 if [ -n "$HOST_PHP" ]; then
- echo "Configurando Host\Porta PHP...";
+ step "Configurando Host\Porta PHP...";
 
 if [ -n "$EXTENSAO_PHP" ]; then
 sed -i "14a location ~ \.php$ { include site.d/php.conf; }" ${PASTA_NGINX_SITE}/default.conf;
@@ -46,6 +50,7 @@ if [ -n "$HOST_PHP" ]; then
 
 fi;
 cat ${PASTA_NGINX_SITE}/php.conf;
+ echo -e "\n\n";
 fi;
 
 # INDEX FILE
@@ -57,15 +62,16 @@ fi;
 
 # CONFIGURANDO TRY FILES
 if [ "$TRYFILES" == "1" ]; then
- echo "Configurando tryfiles...";
+ step "Configurando tryfiles...";
 sed -i "12a include site.d/tryfiles.conf;" ${PASTA_NGINX_SITE}/default.conf;
 cat ${PASTA_NGINX_SITE}/tryfiles.conf;
+ echo -e "\n\n";
 fi;
 
 # CONFIGURANDO REWRITE
 if [ "$REWRITE" == "1" ]; then
- echo "Configurando rewrite...";
+ step "Configurando rewrite...";
 sed -i "14a include site.d/rewrite.conf;" ${PASTA_NGINX_SITE}/default.conf;
 
 if [ -n "$REWRITE_ROLE" ]; then
 
@@ -78,35 +84,45 @@ if [ "$REWRITE" == "1" ]; then
 
 fi;
 cat ${PASTA_NGINX_SITE}/rewrite.conf;
+ echo -e "\n\n";
 fi;
 
 # CONFIGURANDO SSL
-if [ -d "/var/www/ssl/" ]; then
- echo "Configurando SSL...";
+SSL_CERTIFICATE="/etc/nginx/ssl/fullchain.pem"
+SSL_CERTIFICATE_KEY="/etc/nginx/ssl/privkey.pem"
+
+if [ "${SSL}" == "true" ] && [ -f "${SSL_CERTIFICATE}" ] && [ -f "${SSL_CERTIFICATE_KEY}" ]; then
+ step "Configurando SSL...";
 sed -i "10a include site.d/ssl.conf;" ${PASTA_NGINX_SITE}/default.conf;
-fi;
+fi
 
 # CONFIGURANDO PARA ELB
 
 if [ -n "$REALIP_FROM" ]; then
- echo "Configurando Real IP...";
+ step "Configurando Real IP...";
 REALIP_FROM_CONFIG=${PASTA_NGINX_CONF}/realip.conf
 echo "real_ip_header X-Forwarded-For;" >> $REALIP_FROM_CONFIG
 echo "set_real_ip_from ${REALIP_FROM};" >> $REALIP_FROM_CONFIG
 fi
 
 if [ -z "$HTTP_IPV6" ] || [ "$HTTP_IPV6" == "true" ]; then
- echo "Habilitando IPV6 do HTTP";
+ step "Habilitando IPV6 do HTTP";
 echo "listen [::]:80;" >> ${PASTA_NGINX_INCLUDE}/80.conf;
 cat ${PASTA_NGINX_INCLUDE}/80.conf;
+ echo -e "\n\n";
 fi;
 
 if [ -z "$HTTPS_IPV6" ] || [ "$HTTPS_IPV6" == "true" ]; then
- echo "Habilitando IPV6 do HTTPS";
+ step "Habilitando IPV6 do HTTPS";
 echo "listen [::]:443 ssl;" >> ${PASTA_NGINX_INCLUDE}/ssl.conf;
 cat ${PASTA_NGINX_INCLUDE}/ssl.conf;
+ echo -e "\n\n";
 fi;
 
 
+step "Configurações do Nginx";
 cat ${SRC_CONFIG}/nginx.conf;
+
+echo -e "\n\n";
+step "Configurações do Site";
 cat ${PASTA_NGINX_SITE}/default.conf;
\ No newline at end of file
From e5d36961f4e08dd63947ed352b8ca33fae71d976 Mon Sep 17 00:00:00 2001
From: Ricardo Paes
Date: Wed, 28 Aug 2024 15:12:57 -0300
Subject: [PATCH 3/4] =?UTF-8?q?=E2=9C=A8=20Fix=20tests=20and=20add=20logs?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .github/workflows/docker-publish.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
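Review bot: The new guard `if [ "${SSL}" == "true" ] && [ -f "${SSL_CERTIFICATE}" ] && [ -f "${SSL_CERTIFICATE_KEY}" ]` falls through silently when `SSL=true` but either file is missing, so the container comes up serving plain HTTP on a deployment that asked for TLS and nothing in the log says why. Fail closed instead by adding, before the closing `fi`, `elif [ "${SSL}" == "true" ]; then step "SSL=true mas ${SSL_CERTIFICATE} ou ${SSL_CERTIFICATE_KEY} não encontrado"; exit 1;` so the entrypoint aborts and the message names the missing file. The closing `fi` also dropped the `;` that every other block in the script uses; harmless, but it reads as unintended.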
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 37af306..98dc29b 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -90,11 +90,17 @@ jobs:
 exit 1;
 fi
 
+ - name: Down environment
+ run: |
+ docker compose down --remove-orphans
+
 - name: Setup SSL
 run: |
 echo "PHP_FPM_PASSWORD=123456" > .env
 docker compose -f docker-compose.ssl.yml up --build -d
- sleep 10
+ sleep 15
+ docker compose -f docker-compose.ssl.yml ps
+ docker compose -f docker-compose.ssl.yml logs
 
 - name: Test SSL
 run: |
From 3a2d1d904e7a3ee179837f1d24a442090c602e7b Mon Sep 17 00:00:00 2001
From: Ricardo Paes
Date: Wed, 28 Aug 2024 15:24:30 -0300
Subject: [PATCH 4/4] =?UTF-8?q?=E2=9C=A8=20Fix=20tests?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .github/workflows/docker-publish.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 98dc29b..ecc80fa 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -98,13 +98,13 @@ jobs:
 run: |
 echo "PHP_FPM_PASSWORD=123456" > .env
 docker compose -f docker-compose.ssl.yml up --build -d
- sleep 15
+ sleep 10
 docker compose -f docker-compose.ssl.yml ps
 docker compose -f docker-compose.ssl.yml logs
 
 - name: Test SSL
 run: |
- CONTENT=$(curl -s "https://127.0.0.1:444/");
+ CONTENT=$(curl -s -k "https://localhost:444/");
 echo "CHAMADA HTTP: ${CONTENT}";
 
 if [ "${CONTENT}" != "php" ]; then
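Review bot: `curl -s -k "https://localhost:444/"` turns certificate verification off, so the `Test SSL` step no longer checks that the pair generated in the Dockerfile is what nginx serves, only that something on 444 answers with the body `php`. Since the pair is minted for `localhost` by mkcert, the runner could verify it properly by trusting the issuing CA: copy the mkcert root out of the build (presumably it is not in the final image, which only receives `/ssl/`) and pass it with `--cacert`; failing that, keep `-k` but use `-sS --fail` and log what was presented with `openssl s_client -connect localhost:444 -servername localhost </dev/null | openssl x509 -noout -subject -ext subjectAltName`, so a wrong or default certificate is at least visible. The `sleep 10` in `Setup SSL`, bumped to 15 and back across these two patches, is still a fixed wait; a bounded retry loop around the curl call makes the step deterministic instead of tuned by hand.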