diff --git a/.gitignore b/.gitignore
index 4c49bd7..03bd412 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-.env
+*.env
diff --git a/docker-compose.certbot.yml b/docker-compose.certbot.yml
index 7facd82..2c04307 100644
--- a/docker-compose.certbot.yml
+++ b/docker-compose.certbot.yml
@@ -20,7 +20,7 @@ services:
 #command: >
 # certonly --email bensuperpc@bensuperpc.fr --agree-tos --rsa-key-size 4096 --no-eff-email --verbose --noninteractive --force-renewal --webroot
 # --webroot-path=/var/www/wordpress --domain bensuperpc.org --domain www.bensuperpc.org
- # --webroot-path=/var/www/jellyfin --domain jellyfin.bensuperpc.org --domain www.jellyfin.bensuperpc.org
+ # --webroot-path=/var/www/jellyfin --domain jellyfin.bensuperpc.org --domain www.jellyfin.bensuperpc.org
 command: >
 certonly --email bensuperpc@bensuperpc.fr --agree-tos --rsa-key-size 4096 --no-eff-email --verbose --noninteractive --keep-until-expiring --webroot
diff --git a/docker-compose.nginx.yml b/docker-compose.nginx.yml
index ad03a3d..05d26ac 100644
--- a/docker-compose.nginx.yml
+++ b/docker-compose.nginx.yml
@@ -4,7 +4,7 @@ services:
 webserver:
 depends_on:
 - wordpress
- image: nginx:1.23
+ image: nginx:1.24.0
 container_name: webserver
 profiles:
 - webserver
@@ -22,11 +22,3 @@ services:
 - app-network
 security_opt:
 - "no-new-privileges:true"
- cap_drop:
- - "ALL"
- cap_add:
- - "NET_RAW"
- - "NET_BIND_SERVICE"
- - "CAP_CHOWN"
- - "SETGID"
- - "SETUID"
\ No newline at end of file
diff --git a/docker-compose.wordpress.yml b/docker-compose.wordpress.yml
index 9e48996..cd869a6 100644
--- a/docker-compose.wordpress.yml
+++ b/docker-compose.wordpress.yml
@@ -2,7 +2,7 @@ version: "3.9"
 services:
 wp_db:
- image: mariadb:10.10.2
+ image: mariadb:10.10.3
 container_name: wp_db
 profiles:
 - wp_db
@@ -17,28 +17,19 @@ services:
 wordpress:
 depends_on:
 - wp_db
- image: wordpress:6.1.1-php8.1-fpm
+ image: wordpress:6.2.0-fpm
 container_name: wordpress
 profiles:
 - wordpress
 restart: unless-stopped
 env_file:
 - env/wordpress.env
-# environment:
-# - WORDPRESS_DB_HOST=wp_db:3306
 volumes:
 - wordpress:/var/www/html
 networks:
 - app-network
 security_opt:
 - "no-new-privileges:true"
- cap_drop:
- - "ALL"
- cap_add:
- - "NET_RAW"
- - "CAP_CHOWN"
- - "SETGID"
- - "SETUID"
 phpmyadmin:
 image: phpmyadmin:5.2.0
diff --git a/nginx/conf.d/jellyfin.conf b/nginx/conf.d/jellyfin.conf
index f839ffb..2abc52c 100644
--- a/nginx/conf.d/jellyfin.conf
+++ b/nginx/conf.d/jellyfin.conf
@@ -14,6 +14,8 @@ server {
 listen 80;
 listen [::]:80;
+ root /var/www/jellyfin;
+
 server_name jellyfin.bensuperpc.org www.jellyfin.bensuperpc.org;
 location ~ /.well-known/acme-challenge {
@@ -39,11 +41,12 @@ server {
 ssl_certificate /etc/letsencrypt/live/bensuperpc.org/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/bensuperpc.org/privkey.pem;
 ssl_trusted_certificate /etc/letsencrypt/live/bensuperpc.org/chain.pem;
- #ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
- #add_header Strict-Transport-Security "max-age=31536000" always;
 include /etc/nginx/conf.d/sub/options-ssl-nginx.conf;
+ #ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+ #add_header Strict-Transport-Security "max-age=31536000" always;
+
 # Security / XSS Mitigation Headers
 # NOTE: X-Frame-Options may cause issues with the webOS app
 add_header X-Frame-Options "SAMEORIGIN";
diff --git a/nginx/conf.d/phpmyadmin.conf b/nginx/conf.d/phpmyadmin.conf
index 3023a48..d0aeccf 100644
--- a/nginx/conf.d/phpmyadmin.conf
+++ b/nginx/conf.d/phpmyadmin.conf
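Review bot: Dropping `cap_drop: - "ALL"` together with its `cap_add` list leaves the wordpress container running with Docker's default capability set instead of the four capabilities it was explicitly granted before, a least-privilege regression that the bump to `wordpress:6.2.0-fpm` does not explain; the same removal is made for the webserver service in docker-compose.nginx.yml. The retained `security_opt: - "no-new-privileges:true"` only prevents privilege gain through setuid binaries and file capabilities and does not shrink the bounding set, so it is not a substitute. If the new image needed one more capability, add that single entry under `cap_add`; otherwise restore `cap_drop: - "ALL"` with the previous `cap_add` entries in both files. The service definition continues past the end of the hunk.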
@@ -17,11 +17,11 @@ server {
 include /etc/nginx/conf.d/sub/gzip.conf;
- location / {
- proxy_pass http://phpmyadmin_server;
- proxy_redirect off;
- proxy_set_header X-Forwarded-Host $http_host;
- proxy_set_header X-Forwarded-For $remote_addr;
+ location ~ \.php$ {
+ try_files $uri =404;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_pass phpmyadmin_server;
+ fastcgi_index index.php;
 }
 # resolver 8.8.8.8;
diff --git a/nginx/conf.d/sub/cache-fastcgi.conf b/nginx/conf.d/sub/cache-fastcgi.conf
index 70445af..91da678 100644
--- a/nginx/conf.d/sub/cache-fastcgi.conf
+++ b/nginx/conf.d/sub/cache-fastcgi.conf
@@ -19,5 +19,10 @@ fastcgi_cache_valid 1d;
 # Don't use the following headers to define the cache variables
 fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
+fastcgi_buffer_size 128k;
+fastcgi_buffers 256 16k;
+fastcgi_busy_buffers_size 256k;
+fastcgi_temp_file_write_size 256k;
+
 # Some parts of this file are from
 # https://gist.github.com/TrafeX/6d582b6d040702088722
diff --git a/nginx/conf.d/sub/cache-proxy.conf b/nginx/conf.d/sub/cache-proxy.conf
index 955db5b..c184c7f 100644
--- a/nginx/conf.d/sub/cache-proxy.conf
+++ b/nginx/conf.d/sub/cache-proxy.conf
@@ -18,3 +18,8 @@ proxy_cache_valid 1d;
 # Don't use the following headers to define the cache variables
 proxy_ignore_headers Cache-Control Expires Set-Cookie;
+
+# Increase proxy buffers for large requests
+proxy_buffer_size 128k;
+proxy_buffers 4 256k;
+proxy_busy_buffers_size 256k;
diff --git a/nginx/conf.d/wordpress.conf b/nginx/conf.d/wordpress.conf
index 36e196a..e6e7362 100644
--- a/nginx/conf.d/wordpress.conf
+++ b/nginx/conf.d/wordpress.conf
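Review bot: The new `location ~ \.php$` block hands requests to `phpmyadmin_server` via `fastcgi_pass` but, unlike the equivalent block this commit adds to wordpress.conf, carries no `include fastcgi_params;` and no `fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;`, so PHP-FPM is never told which script to run. `try_files $uri =404;` is also evaluated against the nginx container's own filesystem, so it needs a `root` holding the phpMyAdmin tree; the server block header is outside the hunk and I cannot see one, and if the files only live in the phpmyadmin container every request ends in 404. With `location /` gone, non-PHP assets no longer have an explicit handler either, and the `phpmyadmin:5.2.0` image shown in docker-compose.wordpress.yml is, as far as I know, the Apache variant rather than an FPM one, which is what `fastcgi_pass` requires — worth confirming before merging.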
@@ -14,14 +14,114 @@ server {
 server_name wordpress.bensuperpc.org www.wordpress.bensuperpc.org bensuperpc.org www.bensuperpc.org;
+ root /var/www/wordpress;
+ index index.php index.html index.htm;
+
+ # Keepalive for 70 seconds
+ keepalive_timeout 70;
+
+ # Number of requests per connection
+ keepalive_requests 100;
+
+ reset_timedout_connection on;
+
+ # Upload limit
+ client_max_body_size 50m;
+ client_body_buffer_size 128k;
+
+ # Initialize the variable that specified to skip the cache
+ set $skip_cache 0;
+
+ # POST requests and url's with a query string should always skip cache
+ if ($request_method = POST) {
+ set $skip_cache 1;
+ }
+ if ($query_string != "") {
+ set $skip_cache 1;
+ }
+
+ # Don't cache url's containing the following segments
+ if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml") {
+ set $skip_cache 1;
+ }
+
+ # Don't use the cache for logged in users or recent commenters
+ if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
+ set $skip_cache 1;
+ }
+
+ server_tokens off;
+
+ include /etc/nginx/conf.d/sub/gzip.conf;
+
 location ~ /.well-known/acme-challenge {
 allow all;
 root /var/www/wordpress;
 }
 location / {
- return 301 https://$host$request_uri;
+ try_files $uri $uri/ /index.php$is_args$args;
 }
+
+ location ~ \.php$ {
+ try_files $uri =404;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_pass wordpress_server;
+ fastcgi_index index.php;
+ include fastcgi_params;
+
+ # Necessary to avoid 404 error when changing the wordpress path
+ #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;
+
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+
+ fastcgi_intercept_errors on;
+
+ # Don't cache when $skip_cache is true
+ fastcgi_cache_bypass $skip_cache;
+ fastcgi_no_cache $skip_cache;
+
+ # Use the WORDPRESS zone
+ fastcgi_cache WORDPRESS;
+ }
+
+ # Don't write to accesslog for these files
+ location = /favicon.ico {
+ log_not_found off;
+ access_log off;
+ }
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+
+ # Media files with one of these extensions should be cached by the browser
+ location ~* \.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
+ expires max;
+ log_not_found off;
+ }
+
+ # Deny access to .* files
+ location ~ /\. {
+ deny all;
+ access_log off;
+ log_not_found off;
+ }
+
+ # Add cache status header for easy debugging
+ add_header X-cache $upstream_cache_status;
+
+ # From cat /etc/resolv.conf
+ resolver 8.8.8.8;
+
+ # Some parts of this file are from
+ # https://gist.github.com/TrafeX/6d582b6d040702088722
+
+ #location / {
+ # return 301 https://$host$request_uri;
+ #}
 }
 # Main server wordpress_server
@@ -41,16 +141,6 @@ server {
 reset_timedout_connection on;
- # Increase proxy buffers for large requests
- proxy_buffer_size 128k;
- proxy_buffers 4 256k;
- proxy_busy_buffers_size 256k;
-
- fastcgi_buffer_size 128k;
- fastcgi_buffers 256 16k;
- fastcgi_busy_buffers_size 256k;
- fastcgi_temp_file_write_size 256k;
-
 # Upload limit
 client_max_body_size 50m;
 client_body_buffer_size 128k;
@@ -91,6 +181,7 @@ server {
 access_log /var/log/nginx/wordpress.access.log;
 error_log /var/log/nginx/wordpress.error.log;
+ # Security
 add_header X-Frame-Options "SAMEORIGIN" always;
 add_header X-XSS-Protection "1; mode=block" always;
 add_header X-Content-Type-Options "nosniff" always;
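Review bot: The port-80 server block stops redirecting to HTTPS: `location /` now serves the site through `try_files $uri $uri/ /index.php$is_args$args;` and the new `location ~ \.php$` block passes to PHP-FPM, while the former `return 301 https://$host$request_uri;` survives only as a comment at the end of the block. As written, `/wp-login.php`, `/wp-admin/` and the `wordpress_logged_in` cookie that the `$skip_cache` rules match on are all carried in clear text, and none of the `add_header ... always` security headers set in this file's TLS server block (last hunk) apply to these responses. Unless plain-HTTP serving is intended, keep only the `/.well-known/acme-challenge` location here, restore `location / { return 301 https://$host$request_uri; }`, and move the new index/fastcgi/cache configuration into the TLS server block. Note also that `fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;` hard-codes the path inside the PHP container, so the `root /var/www/wordpress;` added above is used only by `try_files`; a one-line comment saying so would save the next reader a wrong assumption. The enclosing `server {` block begins before this hunk.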