From 8852444a851f951a00312bf999187f482ba3883b Mon Sep 17 00:00:00 2001 
From: Sean Norwood Date: Sat, 17 Aug 2019 13:41:17 -0500 Subject: [PATCH 1/7] initial: add docker files for the stack --- .docker/mysql/aa_init.sql | 2 + .docker/nginx/Dockerfile | 15 + .docker/nginx/entrypoint.sh | 4 + .docker/nginx/h5bp/basic.conf | 9 + .docker/nginx/h5bp/conf.d/default.conf | 0 .docker/nginx/h5bp/cross-origin/requests.conf | 18 + .../h5bp/cross-origin/resource_timing.conf | 15 + .docker/nginx/h5bp/errors/custom_errors.conf | 9 + .../internet_explorer/x-ua-compatible.conf | 19 + .../h5bp/location/security_file_access.conf | 41 + ...formance_filename-based_cache_busting.conf | 14 + .../web_performance_svgz-compression.conf | 14 + .../h5bp/media_types/character_encodings.conf | 32 + .../nginx/h5bp/media_types/media_types.conf | 18 + .docker/nginx/h5bp/mime.types | 0 .docker/nginx/h5bp/nginx.conf | 0 .../security/content-security-policy.conf | 27 + .../nginx/h5bp/security/referrer-policy.conf | 18 + .../security/server_software_information.conf | 9 + .../security/strict-transport-security.conf | 43 + .../h5bp/security/x-content-type-options.conf | 16 + .../nginx/h5bp/security/x-frame-options.conf | 35 + .../nginx/h5bp/security/x-xss-protection.conf | 38 + .docker/nginx/h5bp/ssl/certificate_files.conf | 32 + .docker/nginx/h5bp/ssl/ocsp_stapling.conf | 34 + .docker/nginx/h5bp/ssl/policy_deprecated.conf | 30 + .../nginx/h5bp/ssl/policy_intermediate.conf | 24 + .docker/nginx/h5bp/ssl/policy_modern.conf | 45 + .docker/nginx/h5bp/ssl/ssl_engine.conf | 43 + .../cache-file-descriptors.conf | 34 + .../web_performance/cache_expiration.conf | 76 + .../h5bp/web_performance/compression.conf | 67 + .../h5bp/web_performance/no-transform.conf | 29 + .../pre-compressed_content_brotli.conf | 17 + .../pre-compressed_content_gzip.conf | 13 + .docker/nginx/mime.types | 139 ++ .docker/nginx/nginx.conf | 149 ++ .docker/nginx/nginx.conf.old | 242 ++ .docker/nginx/pathfinder-http.conf | 84 + .docker/php/Dockerfile | 26 + .docker/php/php.ini | 1939 +++++++++++++++++ 
.docker/php/www.conf | 417 ++++ .docker/redis/redis.conf | 2 + .docker/websocket | 1 + 44 files changed, 3839 insertions(+) create mode 100644 .docker/mysql/aa_init.sql create mode 100644 .docker/nginx/Dockerfile create mode 100644 .docker/nginx/entrypoint.sh create mode 100644 .docker/nginx/h5bp/basic.conf create mode 100755 .docker/nginx/h5bp/conf.d/default.conf create mode 100644 .docker/nginx/h5bp/cross-origin/requests.conf create mode 100644 .docker/nginx/h5bp/cross-origin/resource_timing.conf create mode 100644 .docker/nginx/h5bp/errors/custom_errors.conf create mode 100644 .docker/nginx/h5bp/internet_explorer/x-ua-compatible.conf create mode 100644 .docker/nginx/h5bp/location/security_file_access.conf create mode 100644 .docker/nginx/h5bp/location/web_performance_filename-based_cache_busting.conf create mode 100644 .docker/nginx/h5bp/location/web_performance_svgz-compression.conf create mode 100644 .docker/nginx/h5bp/media_types/character_encodings.conf create mode 100644 .docker/nginx/h5bp/media_types/media_types.conf create mode 100755 .docker/nginx/h5bp/mime.types create mode 100755 .docker/nginx/h5bp/nginx.conf create mode 100644 .docker/nginx/h5bp/security/content-security-policy.conf create mode 100644 .docker/nginx/h5bp/security/referrer-policy.conf create mode 100644 .docker/nginx/h5bp/security/server_software_information.conf create mode 100644 .docker/nginx/h5bp/security/strict-transport-security.conf create mode 100644 .docker/nginx/h5bp/security/x-content-type-options.conf create mode 100644 .docker/nginx/h5bp/security/x-frame-options.conf create mode 100644 .docker/nginx/h5bp/security/x-xss-protection.conf create mode 100644 .docker/nginx/h5bp/ssl/certificate_files.conf create mode 100644 .docker/nginx/h5bp/ssl/ocsp_stapling.conf create mode 100644 .docker/nginx/h5bp/ssl/policy_deprecated.conf create mode 100644 .docker/nginx/h5bp/ssl/policy_intermediate.conf create mode 100644 .docker/nginx/h5bp/ssl/policy_modern.conf create mode 100644 
.docker/nginx/h5bp/ssl/ssl_engine.conf create mode 100644 .docker/nginx/h5bp/web_performance/cache-file-descriptors.conf create mode 100644 .docker/nginx/h5bp/web_performance/cache_expiration.conf create mode 100644 .docker/nginx/h5bp/web_performance/compression.conf create mode 100644 .docker/nginx/h5bp/web_performance/no-transform.conf create mode 100644 .docker/nginx/h5bp/web_performance/pre-compressed_content_brotli.conf create mode 100644 .docker/nginx/h5bp/web_performance/pre-compressed_content_gzip.conf create mode 100644 .docker/nginx/mime.types create mode 100644 .docker/nginx/nginx.conf create mode 100644 .docker/nginx/nginx.conf.old create mode 100644 .docker/nginx/pathfinder-http.conf create mode 100644 .docker/php/Dockerfile create mode 100644 .docker/php/php.ini create mode 100644 .docker/php/www.conf create mode 100644 .docker/redis/redis.conf create mode 160000 .docker/websocket
diff --git a/.docker/mysql/aa_init.sql b/.docker/mysql/aa_init.sql
new file mode 100644
index 000000000..f3af1d257
--- /dev/null
+++ b/.docker/mysql/aa_init.sql
@@ -0,0 +1,2 @@
+CREATE DATABASE IF NOT EXISTS pathfinder CHARACTER SET utf8 COLLATE utf8_general_ci;
+CREATE DATABASE IF NOT EXISTS eve_universe CHARACTER SET utf8 COLLATE utf8_general_ci;
\ No newline at end of file
diff --git a/.docker/nginx/Dockerfile b/.docker/nginx/Dockerfile
new file mode 100644
index 000000000..09e525f64
--- /dev/null
+++ b/.docker/nginx/Dockerfile
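Review bot: Both `CREATE DATABASE` statements pin `CHARACTER SET utf8`, which in MySQL is the three-byte `utf8mb3` alias and cannot hold four-byte code points (emoji, some CJK), so such values are rejected or silently truncated at insert time depending on `sql_mode`. Unless the application's own schema overrides the charset per table, `CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci` is the safer default for both databases. The file also lacks a trailing newline.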
@@ -0,0 +1,15 @@
+FROM nginx:1.17.2-alpine
+
+COPY --chown=nginx:nginx . /usr/share/nginx/html/
+COPY ./.docker/nginx/nginx.conf /etc/nginx/nginx.conf
+COPY ./.docker/nginx/pathfinder-http.conf /etc/nginx/conf.d/default.conf
+COPY ./.docker/nginx/h5bp/ /etc/nginx/h5bp/
+COPY ./.docker/nginx/mime.types /etc/nginx/mime.types
+
+RUN apk add --no-cache apache2-utils
+
+COPY ./.docker/nginx/entrypoint.sh /root/entrypoint.sh
+RUN chmod +x /root/entrypoint.sh
+RUN chmod 0766 /usr/share/nginx/html/logs
+
+ENTRYPOINT ["sh", "-c", "/root/entrypoint.sh"]
\ No newline at end of file
diff --git a/.docker/nginx/entrypoint.sh b/.docker/nginx/entrypoint.sh
new file mode 100644
index 000000000..cb3a19913
--- /dev/null
+++ b/.docker/nginx/entrypoint.sh
@@ -0,0 +1,4 @@
+#!/bin/ash
+
+htpasswd -B -b -c /etc/nginx/.setup_pass "$SETUP_USER" "$SETUP_PASS" && \
+nginx
\ No newline at end of file
diff --git a/.docker/nginx/h5bp/basic.conf b/.docker/nginx/h5bp/basic.conf
new file mode 100644
index 000000000..59927acd0
--- /dev/null
+++ b/.docker/nginx/h5bp/basic.conf
@@ -0,0 +1,9 @@
+# Nginx Server Configs | MIT License
+# https://github.com/h5bp/server-configs-nginx
+
+include h5bp/security/referrer-policy.conf;
+include h5bp/security/x-content-type-options.conf;
+include h5bp/security/x-frame-options.conf;
+include h5bp/security/x-xss-protection.conf;
+include h5bp/location/security_file_access.conf;
+include h5bp/cross-origin/requests.conf;
diff --git a/.docker/nginx/h5bp/conf.d/default.conf b/.docker/nginx/h5bp/conf.d/default.conf
new file mode 100755
index 000000000..e69de29bb
diff --git a/.docker/nginx/h5bp/cross-origin/requests.conf b/.docker/nginx/h5bp/cross-origin/requests.conf
new file mode 100644
index 000000000..976961fe2
--- /dev/null
+++ b/.docker/nginx/h5bp/cross-origin/requests.conf
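Review bot: `COPY --chown=nginx:nginx . /usr/share/nginx/html/` places the whole build context under the document root, including the `.docker/` tree this patch adds (php.ini, www.conf, redis.conf, the MySQL init script) and whatever else is checked out alongside it, so those files stay unreachable only if the h5bp `location ~* /\.(?!well-known\/)` rule is actually included by the site config, which is outside this hunk. Copying just the runtime tree, or adding a `.dockerignore` that excludes `.docker/`, `.git/` and similar, keeps that exposure from depending on nginx configuration. `RUN chmod 0766 /usr/share/nginx/html/logs` grants group and other write without execute on a directory, which neither lets them create files nor follows least privilege; if a second container's user must write there, a shared group with `0770` or a dedicated volume is the intended tool, otherwise `0750` suffices for the `nginx` owner. Since the script carries a shebang, `ENTRYPOINT ["/root/entrypoint.sh"]` is enough and drops the extra `sh -c` wrapper.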
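Review bot: `htpasswd -b` takes `$SETUP_PASS` as a command-line argument, which is visible in the container's process list while it runs; `-i` reads it from stdin instead: `printf '%s' "$SETUP_PASS" | htpasswd -B -i -c /etc/nginx/.setup_pass "$SETUP_USER"`. The script has no `set -eu`, so an unset `SETUP_USER` or `SETUP_PASS` is passed through as an empty string rather than aborting startup. `nginx` is then launched as a child of the shell without `exec`, and nginx daemonizes by default, so unless the project's `nginx.conf` (outside this chunk) sets `daemon off;` the shell exits and the container stops immediately; `exec nginx -g 'daemon off;'` (or plain `exec nginx` if the config already sets `daemon off;`) keeps nginx as PID 1 so it also receives the container's stop signal.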
@@ -0,0 +1,18 @@
+# ----------------------------------------------------------------------
+# | Cross-origin requests |
+# ----------------------------------------------------------------------
+
+# Allow cross-origin requests.
+#
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
+# https://enable-cors.org/
+# https://www.w3.org/TR/cors/
+
+# (!) Do not use this without understanding the consequences.
+# This will permit access from any other website.
+# Instead of using this file, consider using a specific rule such as
+# allowing access based on (sub)domain:
+#
+# add_header Access-Control-Allow-Origin "subdomain.example.com";
+
+add_header Access-Control-Allow-Origin $cors;
diff --git a/.docker/nginx/h5bp/cross-origin/resource_timing.conf b/.docker/nginx/h5bp/cross-origin/resource_timing.conf
new file mode 100644
index 000000000..c706a7731
--- /dev/null
+++ b/.docker/nginx/h5bp/cross-origin/resource_timing.conf
@@ -0,0 +1,15 @@
+# ----------------------------------------------------------------------
+# | Cross-origin resource timing |
+# ----------------------------------------------------------------------
+
+# Allow cross-origin access to the timing information for all resources.
+#
+# If a resource isn't served with a `Timing-Allow-Origin` header that would
+# allow its timing information to be shared with the document, some of the
+# attributes of the `PerformanceResourceTiming` object will be set to zero.
+#
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Timing-Allow-Origin
+# https://www.w3.org/TR/resource-timing/
+# https://www.stevesouders.com/blog/2014/08/21/resource-timing-practical-tips/
+
+add_header Timing-Allow-Origin "*";
diff --git a/.docker/nginx/h5bp/errors/custom_errors.conf b/.docker/nginx/h5bp/errors/custom_errors.conf
new file mode 100644
index 000000000..6b3e79664
--- /dev/null
+++ b/.docker/nginx/h5bp/errors/custom_errors.conf
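Review bot: `add_header Access-Control-Allow-Origin $cors;` uses a `$cors` variable that nothing in this patch defines, and the same holds for `$x_ua_compatible`, `$content_security_policy`, `$referrer_policy`, `$x_frame_options` and `$x_xss_protection` in the x-ua-compatible.conf, content-security-policy.conf, referrer-policy.conf, x-frame-options.conf and x-xss-protection.conf hunks. Upstream h5bp supplies these through `map` blocks in its nginx.conf, but the copy committed here as `.docker/nginx/h5bp/nginx.conf` is an empty blob (index `e69de29bb`), so they must come from the project's own `.docker/nginx/nginx.conf`, which is outside this chunk. nginx refuses to start on an undefined variable rather than sending an empty header, so the failure is loud, but the dependency is invisible to anyone reading these includes. A header comment such as `# $cors is defined by a map block in /etc/nginx/nginx.conf; nginx will not start without it.` (and its equivalent in the other five files) makes that explicit. The three empty h5bp placeholders (conf.d/default.conf, mime.types, nginx.conf) are also committed with mode 100755, which looks accidental for config files.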
@@ -0,0 +1,9 @@
+# ----------------------------------------------------------------------
+# | Custom error messages/pages |
+# ----------------------------------------------------------------------
+
+# Customize what Nginx returns to the client in case of an error.
+#
+# https://nginx.org/en/docs/http/ngx_http_core_module.html#error_page
+
+error_page 404 /404.html;
diff --git a/.docker/nginx/h5bp/internet_explorer/x-ua-compatible.conf b/.docker/nginx/h5bp/internet_explorer/x-ua-compatible.conf
new file mode 100644
index 000000000..b109bad04
--- /dev/null
+++ b/.docker/nginx/h5bp/internet_explorer/x-ua-compatible.conf
@@ -0,0 +1,19 @@
+# ----------------------------------------------------------------------
+# | Document modes |
+# ----------------------------------------------------------------------
+
+# Force Internet Explorer 8/9/10 to render pages in the highest mode
+# available in the various cases when it may not.
+#
+# https://hsivonen.fi/doctype/#ie8
+#
+# (!) Starting with Internet Explorer 11, document modes are deprecated.
+# If your business still relies on older web apps and services that were
+# designed for older versions of Internet Explorer, you might want to
+# consider enabling `Enterprise Mode` throughout your company.
+#
+# https://msdn.microsoft.com/en-us/library/ie/bg182625.aspx#docmode
+# https://blogs.msdn.microsoft.com/ie/2014/04/02/stay-up-to-date-with-enterprise-mode-for-internet-explorer-11/
+# https://msdn.microsoft.com/en-us/library/ff955275.aspx
+
+add_header X-UA-Compatible $x_ua_compatible;
diff --git a/.docker/nginx/h5bp/location/security_file_access.conf b/.docker/nginx/h5bp/location/security_file_access.conf
new file mode 100644
index 000000000..80c1d4b40
--- /dev/null
+++ b/.docker/nginx/h5bp/location/security_file_access.conf
@@ -0,0 +1,41 @@
+# ----------------------------------------------------------------------
+# | File access |
+# ----------------------------------------------------------------------
+
+# Block access to all hidden files and directories with the exception of the
+# visible content from within the `/.well-known/` hidden directory.
+#
+# These types of files usually contain user preferences or the preserved state
+# of a utility, and can include rather private places like, for example, the
+# `.git` or `.svn` directories.
+#
+# The `/.well-known/` directory represents the standard (RFC 5785) path prefix
+# for "well-known locations" (e.g.: `/.well-known/manifest.json`,
+# `/.well-known/keybase.txt`), and therefore, access to its visible content
+# should not be blocked.
+#
+# https://www.mnot.net/blog/2010/04/07/well-known
+# https://tools.ietf.org/html/rfc5785
+
+location ~* /\.(?!well-known\/) {
+ deny all;
+}
+
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+# Block access to files that can expose sensitive information.
+#
+# By default, block access to backup and source files that may be left by some
+# text editors and can pose a security risk when anyone has access to them.
+#
+# https://feross.org/cmsploit/
+#
+# (!) Update the `location` regular expression from below to include any files
+# that might end up on your production server and can expose sensitive
+# information about your website. These files may include: configuration
+# files, files that contain metadata about the project (e.g.: project
+# dependencies, build scripts, etc.).
+
+location ~* (?:#.*#|\.(?:bak|conf|dist|fla|in[ci]|log|orig|psd|sh|sql|sw[op])|~)$ {
+ deny all;
+}
diff --git a/.docker/nginx/h5bp/location/web_performance_filename-based_cache_busting.conf b/.docker/nginx/h5bp/location/web_performance_filename-based_cache_busting.conf
new file mode 100644
index 000000000..9a2768408
--- /dev/null
+++ b/.docker/nginx/h5bp/location/web_performance_filename-based_cache_busting.conf
@@ -0,0 +1,14 @@
+# ----------------------------------------------------------------------
+# | Filename-based cache busting |
+# ----------------------------------------------------------------------
+
+# If you're not using a build process to manage your filename version revving,
+# you might want to consider enabling the following directives.
+#
+# To understand why this is important and even a better solution than using
+# something like `*.css?v231`, please see:
+# https://www.stevesouders.com/blog/2008/08/23/revving-filenames-dont-use-querystring/
+
+location ~* (.+)\.(?:\w+)\.(bmp|css|cur|gif|ico|jpe?g|m?js|png|svgz?|webp|webmanifest)$ {
+ try_files $uri $1.$2;
+}
diff --git a/.docker/nginx/h5bp/location/web_performance_svgz-compression.conf b/.docker/nginx/h5bp/location/web_performance_svgz-compression.conf
new file mode 100644
index 000000000..469806b21
--- /dev/null
+++ b/.docker/nginx/h5bp/location/web_performance_svgz-compression.conf
@@ -0,0 +1,14 @@
+# ----------------------------------------------------------------------
+# | SVGZ Compression |
+# ----------------------------------------------------------------------
+
+# SVGZ files are already compressed.
+# Disable gzip function for `.svgz` files.
+
+location ~* \.svgz$ {
+ gzip off;
+ add_header Content-Encoding gzip;
+
+ include h5bp/security/x-content-type-options.conf;
+ include h5bp/cross-origin/requests.conf;
+}
diff --git a/.docker/nginx/h5bp/media_types/character_encodings.conf b/.docker/nginx/h5bp/media_types/character_encodings.conf
new file mode 100644
index 000000000..955c1db33
--- /dev/null
+++ b/.docker/nginx/h5bp/media_types/character_encodings.conf
@@ -0,0 +1,32 @@
+# ----------------------------------------------------------------------
+# | Character encodings |
+# ----------------------------------------------------------------------
+
+# Serve all resources labeled as `text/html` or `text/plain` with the media type
+# `charset` parameter set to `UTF-8`.
+#
+# https://nginx.org/en/docs/http/ngx_http_charset_module.html#charset
+
+charset utf-8;
+
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+# Update charset_types to match updated mime.types.
+# `text/html` is always included by charset module.
+# Default: text/html text/xml text/plain text/vnd.wap.wml application/javascript application/rss+xml
+#
+# https://nginx.org/en/docs/http/ngx_http_charset_module.html#charset_types
+
+charset_types
+ text/css
+ text/plain
+ text/vnd.wap.wml
+ text/javascript
+ text/markdown
+ text/calendar
+ text/x-component
+ text/vcard
+ text/cache-manifest
+ text/vtt
+ application/json
+ application/manifest+json;
diff --git a/.docker/nginx/h5bp/media_types/media_types.conf b/.docker/nginx/h5bp/media_types/media_types.conf
new file mode 100644
index 000000000..b7d6f9e08
--- /dev/null
+++ b/.docker/nginx/h5bp/media_types/media_types.conf
@@ -0,0 +1,18 @@
+# ----------------------------------------------------------------------
+# | Media types |
+# ----------------------------------------------------------------------
+
+# Serve resources with the proper media types (f.k.a. MIME types).
+#
+# https://www.iana.org/assignments/media-types/media-types.xhtml
+# https://nginx.org/en/docs/http/ngx_http_core_module.html#types
+
+include mime.types;
+
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+# Default: text/plain
+#
+# https://nginx.org/en/docs/http/ngx_http_core_module.html#default_type
+
+default_type application/octet-stream;
diff --git a/.docker/nginx/h5bp/mime.types b/.docker/nginx/h5bp/mime.types
new file mode 100755
index 000000000..e69de29bb
diff --git a/.docker/nginx/h5bp/nginx.conf b/.docker/nginx/h5bp/nginx.conf
new file mode 100755
index 000000000..e69de29bb
diff --git a/.docker/nginx/h5bp/security/content-security-policy.conf b/.docker/nginx/h5bp/security/content-security-policy.conf
new file mode 100644
index 000000000..6284d2365
--- /dev/null
+++ b/.docker/nginx/h5bp/security/content-security-policy.conf
@@ -0,0 +1,27 @@
+# ----------------------------------------------------------------------
+# | Content Security Policy (CSP) |
+# ----------------------------------------------------------------------
+
+# Mitigate the risk of cross-site scripting and other content-injection
+# attacks.
+#
+# This can be done by setting a `Content Security Policy` which whitelists
+# trusted sources of content for your website.
+#
+# There is no policy that fits all websites, you will have to modify the
+# `Content-Security-Policy` directives in the example depending on your needs.
+#
+# To make your CSP implementation easier, you can use an online CSP header
+# generator such as:
+# https://report-uri.com/home/generate/
+#
+# It is encouraged that you validate your CSP header using a CSP validator
+# such as:
+# https://csp-evaluator.withgoogle.com
+#
+# https://csp.withgoogle.com/docs/
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+# https://www.html5rocks.com/en/tutorials/security/content-security-policy/
+# https://www.w3.org/TR/CSP/
+
+add_header Content-Security-Policy $content_security_policy always;
diff --git a/.docker/nginx/h5bp/security/referrer-policy.conf b/.docker/nginx/h5bp/security/referrer-policy.conf
new file mode 100644
index 000000000..7233e29e8
--- /dev/null
+++ b/.docker/nginx/h5bp/security/referrer-policy.conf
@@ -0,0 +1,18 @@
+# ----------------------------------------------------------------------
+# | Referrer Policy |
+# ----------------------------------------------------------------------
+
+# A web application uses HTTPS and a URL-based session identifier.
+# The web application might wish to link to HTTPS resources on other web
+# sites without leaking the user's session identifier in the URL.
+#
+# This can be done by setting a `Referrer Policy` which whitelists trusted
+# sources of content for your website.
+#
+# To check your referrer policy, you can use an online service such as:
+# https://securityheaders.io/.
+#
+# https://scotthelme.co.uk/a-new-security-header-referrer-policy/
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
+
+add_header Referrer-Policy $referrer_policy always;
diff --git a/.docker/nginx/h5bp/security/server_software_information.conf b/.docker/nginx/h5bp/security/server_software_information.conf
new file mode 100644
index 000000000..f80048f9a
--- /dev/null
+++ b/.docker/nginx/h5bp/security/server_software_information.conf
@@ -0,0 +1,9 @@
+# ----------------------------------------------------------------------
+# | Server software information |
+# ----------------------------------------------------------------------
+
+# Prevent Nginx from sending its version number in the "Server" response header.
+#
+# https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens
+
+server_tokens off;
diff --git a/.docker/nginx/h5bp/security/strict-transport-security.conf b/.docker/nginx/h5bp/security/strict-transport-security.conf
new file mode 100644
index 000000000..d6f49f16e
--- /dev/null
+++ b/.docker/nginx/h5bp/security/strict-transport-security.conf
@@ -0,0 +1,43 @@
+# ----------------------------------------------------------------------
+# | HTTP Strict Transport Security (HSTS) |
+# ----------------------------------------------------------------------
+
+# Force client-side SSL redirection.
+#
+# If a user types `example.com` in their browser, even if the server redirects
+# them to the secure version of the website, that still leaves a window of
+# opportunity (the initial HTTP connection) for an attacker to downgrade or
+# redirect the request.
+#
+# The following header ensures that browser will ONLY connect to your server
+# via HTTPS, regardless of what the users type in the browser's address bar.
+#
+# (!) Be aware that this, once published, is not revokable and you must ensure
+# being able to serve the site via SSL for the duration you've specified
+# in max-age. When you don't have a valid SSL connection (anymore) your
+# visitors will see a nasty error message even when attempting to connect
+# via simple HTTP.
+#
+# (!) Remove the `includeSubDomains` optional directive if the website's
+# subdomains are not using HTTPS.
+#
+# (1) If you want to submit your site for HSTS preload (2) you must
+# * ensure the `includeSubDomains` directive to be present
+# * the `preload` directive to be specified
+# * the `max-age` to be at least 31536000 seconds (1 year) according to the
+# current status.
+#
+# It is also advised (3) to only serve the HSTS header via a secure
+# connection.
+#
+# (2) https://hstspreload.org/
+# (3) https://tools.ietf.org/html/rfc6797#section-7.2
+#
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+# https://tools.ietf.org/html/rfc6797#section-6.1
+# https://www.html5rocks.com/en/tutorials/security/transport-layer-security/
+# https://blogs.msdn.microsoft.com/ieinternals/2014/08/18/strict-transport-security/
+
+add_header Strict-Transport-Security "max-age=16070400; includeSubDomains" always;
+# (1) or if HSTS preloading is desired (respect (2) for current requirements):
+# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
diff --git a/.docker/nginx/h5bp/security/x-content-type-options.conf b/.docker/nginx/h5bp/security/x-content-type-options.conf
new file mode 100644
index 000000000..ec1880349
--- /dev/null
+++ b/.docker/nginx/h5bp/security/x-content-type-options.conf
@@ -0,0 +1,16 @@
+# ----------------------------------------------------------------------
+# | Content Type Options |
+# ----------------------------------------------------------------------
+
+# Prevent some browsers from MIME-sniffing the response.
+#
+# This reduces exposure to drive-by download attacks and cross-origin data
+# leaks, and should be left uncommented, especially if the server is serving
+# user-uploaded content or content that could potentially be treated as
+# executable by the browser.
+#
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+# https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-v-comprehensive-protection/
+# https://mimesniff.spec.whatwg.org/
+
+add_header X-Content-Type-Options nosniff always;
diff --git a/.docker/nginx/h5bp/security/x-frame-options.conf b/.docker/nginx/h5bp/security/x-frame-options.conf
new file mode 100644
index 000000000..ae37b7fb2
--- /dev/null
+++ b/.docker/nginx/h5bp/security/x-frame-options.conf
@@ -0,0 +1,35 @@
+# ----------------------------------------------------------------------
+# | Frame Options |
+# ----------------------------------------------------------------------
+
+# Protect website against clickjacking.
+#
+# The example below sends the `X-Frame-Options` response header with the value
+# `DENY`, informing browsers not to display the content of the web page in any
+# frame.
+#
+# This might not be the best setting for everyone. You should read about the
+# other two possible values the `X-Frame-Options` header field can have:
+# `SAMEORIGIN` and `ALLOW-FROM`.
+# https://tools.ietf.org/html/rfc7034#section-2.1.
+#
+# Keep in mind that while you could send the `X-Frame-Options` header for all
+# of your website’s pages, this has the potential downside that it forbids even
+# non-malicious framing of your content (e.g.: when users visit your website
+# using a Google Image Search results page).
+#
+# Nonetheless, you should ensure that you send the `X-Frame-Options` header for
+# all pages that allow a user to make a state-changing operation (e.g: pages
+# that contain one-click purchase links, checkout or bank-transfer confirmation
+# pages, pages that make permanent configuration changes, etc.).
+#
+# Sending the `X-Frame-Options` header can also protect your website against
+# more than just clickjacking attacks.
+# https://cure53.de/xfo-clickjacking.pdf.
+#
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+# https://tools.ietf.org/html/rfc7034
+# https://blogs.msdn.microsoft.com/ieinternals/2010/03/30/combating-clickjacking-with-x-frame-options/
+# https://www.owasp.org/index.php/Clickjacking
+
+add_header X-Frame-Options $x_frame_options always;
diff --git a/.docker/nginx/h5bp/security/x-xss-protection.conf b/.docker/nginx/h5bp/security/x-xss-protection.conf
new file mode 100644
index 000000000..471345ee5
--- /dev/null
+++ b/.docker/nginx/h5bp/security/x-xss-protection.conf
@@ -0,0 +1,38 @@
+# ----------------------------------------------------------------------
+# | Cross-Site Scripting (XSS) Protection |
+# ----------------------------------------------------------------------
+
+# Protect website reflected Cross-Site Scripting (XSS) attacks.
+#
+# (1) Try to re-enable the cross-site scripting (XSS) filter built into most
+# web browsers.
+#
+# The filter is usually enabled by default, but in some cases it may be
+# disabled by the user. However, in Internet Explorer for example, it can be
+# re-enabled just by sending the `X-XSS-Protection` header with the value
+# of `1`.
+#
+# (2) Prevent web browsers from rendering the web page if a potential reflected
+# (a.k.a non-persistent) XSS attack is detected by the filter.
+#
+# By default, if the filter is enabled and browsers detect a reflected XSS
+# attack, they will attempt to block the attack by making the smallest
+# possible modifications to the returned web page.
+#
+# Unfortunately, in some browsers (e.g.: Internet Explorer), this default
+# behavior may allow the XSS filter to be exploited. Therefore, it's better
+# to inform browsers to prevent the rendering of the page altogether,
+# instead of attempting to modify it.
+#
+# https://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities
+#
+# (!) Do not rely on the XSS filter to prevent XSS attacks! Ensure that you are
+# taking all possible measures to prevent XSS attacks, the most obvious
+# being: validating and sanitizing your website's inputs.
+#
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+# https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-iv-the-xss-filter/
+# https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter/
+# https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
+
+add_header X-XSS-Protection $x_xss_protection always;
diff --git a/.docker/nginx/h5bp/ssl/certificate_files.conf b/.docker/nginx/h5bp/ssl/certificate_files.conf
new file mode 100644
index 000000000..27a104208
--- /dev/null
+++ b/.docker/nginx/h5bp/ssl/certificate_files.conf
@@ -0,0 +1,32 @@
+# ----------------------------------------------------------------------
+# | Certificate files |
+# ----------------------------------------------------------------------
+
+# This default SSL certificate will be served whenever the client lacks support
+# for SNI (Server Name Indication).
+# Make it a symlink to the most important certificate you have, so that
+# users of IE 8 and below on WinXP can see your main site without SSL errors.
+#
+# (1) Certificate and key files location
+# The certificate file can contain intermediate certificate.
+#
+# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate
+#
+# (2) Intermediate certificate location if loaded certificate (1) does not
+# contain intermediate certificate when enabling OCSP stapling.
+#
+# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_trusted_certificate
+#
+# (3) CA certificate file location for client certificate authentication
+#
+# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_client_certificate
+
+# (1)
+ssl_certificate /etc/nginx/certs/default.crt;
+ssl_certificate_key /etc/nginx/certs/default.key;
+
+# (2)
+# ssl_trusted_certificate /path/to/ca.crt;
+
+# (3)
+# ssl_client_certificate /etc/nginx/default_ssl.crt;
diff --git a/.docker/nginx/h5bp/ssl/ocsp_stapling.conf b/.docker/nginx/h5bp/ssl/ocsp_stapling.conf
new file mode 100644
index 000000000..4a16fbc9d
--- /dev/null
+++ b/.docker/nginx/h5bp/ssl/ocsp_stapling.conf
@@ -0,0 +1,34 @@
+# ----------------------------------------------------------------------
+# | Online Certificate Status Protocol stapling |
+# ----------------------------------------------------------------------
+
+# OCSP is a lightweight, only one record to help clients verify the validity of
+# the server certificate.
+# OCSP stapling allows the server to send its cached OCSP record during the TLS
+# handshake, without the need of 3rd party OCSP responder.
+#
+# https://wiki.mozilla.org/Security/Server_Side_TLS#OCSP_Stapling
+# https://tools.ietf.org/html/rfc6066#section-8
+# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
+#
+# (1) Use Cloudflare 1.1.1.1 DNS resolver
+# https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/
+#
+# (2) Use Google 8.8.8.8 DNS resolver
+# https://developers.google.com/speed/public-dns/docs/using
+#
+# (3) Use OpenDNS resolver
+# https://use.opendns.com
+
+ssl_stapling on;
+ssl_stapling_verify on;
+
+resolver
+ # (1)
+ 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]
+ # (2)
+ 8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844]
+ # (3)
+ # 208.67.222.222 208.67.220.220 [2620:119:35::35] [2620:119:53::53]
+ valid=60s;
+resolver_timeout 2s;
diff --git a/.docker/nginx/h5bp/ssl/policy_deprecated.conf b/.docker/nginx/h5bp/ssl/policy_deprecated.conf
new file mode 100644
index 000000000..2155c3425
--- /dev/null
+++ b/.docker/nginx/h5bp/ssl/policy_deprecated.conf
@@ -0,0 +1,30 @@ +# ---------------------------------------------------------------------- +# | SSL policy - Deprecated | +# ---------------------------------------------------------------------- + +# For services that don't need compatibility with legacy clients (mostly WinXP), +# but still need to support a wide range of clients, this configuration is +# recommended. +# +# Protect against the BEAST and POODLE attacks by not using SSLv3 at all. +# If you need to support older browsers (IE6) you may need to add SSLv3 to the +# list of protocols. +# +# Based on intermediate profile recommended by Mozilla. +# https://mozilla.github.io/server-side-tls/ssl-config-generator/ +# +# (1) Diffie-Hellman parameter for DHE cipher suites +# A 4096 bits or more DH parameter is recommended. +# (!) A DH parameter generation is required to enable this directive. +# openssl dhparam -out /etc/nginx/dhparam.pem 4096 +# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam +# +# https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations +# https://nginx.org/en/docs/http/ngx_http_ssl_module.html + +ssl_protocols TLSv1 TLSv1.1 TLSv1.2; +ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA; +ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1; + +# (1) +# ssl_dhparam /etc/nginx/dhparam.pem; 
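Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` together with the four trailing `DES-CBC3-SHA` suites re-enables TLS 1.0/1.1 and 3DES if this profile is ever included, and nothing in the patch shows where it would be (pathfinder-http.conf has `include h5bp/basic.conf;` commented out). The comment `Protect against the BEAST and POODLE attacks by not using SSLv3 at all.` is only half right, since BEAST concerns the TLS 1.0 CBC suites this list still permits. If the file stays in the tree, a one-line header such as `# (!) Not used by this stack; policy_intermediate.conf is the intended profile` would keep it from being picked up by accident.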
diff --git a/.docker/nginx/h5bp/ssl/policy_intermediate.conf b/.docker/nginx/h5bp/ssl/policy_intermediate.conf new file mode 100644 index 000000000..7e2faca43 --- /dev/null +++ b/.docker/nginx/h5bp/ssl/policy_intermediate.conf @@ -0,0 +1,24 @@ +# ---------------------------------------------------------------------- +# | SSL policy - Intermediate | +# ---------------------------------------------------------------------- + +# For services that don't need backward compatibility, the parameters below +# provide a higher level of security. +# +# (!) This policy enforces a strong SSL configuration, which may raise errors +# with old clients. +# If a more compatible profile is required, use the intermediate policy. +# +# (1) The NIST curves (prime256v1, secp384r1, secp521r1) are known to be weak +# and potentially vulnerable but are required to support Microsoft Edge +# and Safari. +# https://safecurves.cr.yp.to/ +# +# https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations +# https://nginx.org/en/docs/http/ngx_http_ssl_module.html + +ssl_protocols TLSv1.2; +ssl_ciphers EECDH+CHACHA20:EECDH+AES; + +# (1) +ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1; diff --git a/.docker/nginx/h5bp/ssl/policy_modern.conf b/.docker/nginx/h5bp/ssl/policy_modern.conf new file mode 100644 index 000000000..e89cbd48f --- /dev/null +++ b/.docker/nginx/h5bp/ssl/policy_modern.conf 
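Review bot: The header comment in policy_intermediate.conf describes a different profile: `# For services that don't need backward compatibility, the parameters below` and `# If a more compatible profile is required, use the intermediate policy.` are the modern-profile wording, and the fallback this file should point readers to is policy_deprecated.conf. Suggest `# For services that need broad client support without legacy protocols.` and `# If a more compatible profile is required, use the deprecated policy.` so the three files read consistently.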
@@ -0,0 +1,45 @@ +# ---------------------------------------------------------------------- +# | SSL policy - Modern | +# ---------------------------------------------------------------------- + +# For services that want to be on the bleeding edge, the parameters below +# sacrifice compatibility for the highest level of security and performance. +# +# (!) TLSv1.3 and it's 0-RTT feature require NGINX >=1.15.4 and OpenSSL >=1.1.1 +# to be installed. +# +# (!) Don't enable `ssl_early_data` blindly! Requests sent within early data are +# subject to replay attacks. +# +# (1) The NIST curves (prime256v1, secp384r1, secp521r1) are known to be weak +# and potentially vulnerable. +# +# Add them back to the parameter `ssl_ecdh_curve` below to support +# Microsoft Edge and Safari. +# +# https://safecurves.cr.yp.to/ +# +# (2) Enables TLS 1.3 0-RTT, allows for faster resumption of TLS sessions. +# +# (!) Requests sent within early data are subject to replay attacks. +# To protect against such attacks at the application layer, the +# $ssl_early_data variable should be used: +# proxy_set_header Early-Data $ssl_early_data; +# +# The application should return response code 425 "Too Early" for anything +# that could contain user supplied data. +# +# https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/425 +# +# https://github.com/certbot/certbot/issues/6367 +# https://github.com/mozilla/server-side-tls/issues/217 +# https://nginx.org/en/docs/http/ngx_http_ssl_module.html + +ssl_protocols TLSv1.2 TLSv1.3; +ssl_ciphers EECDH+CHACHA20:EECDH+AES; + +# (1) +ssl_ecdh_curve X25519; + +# (2) +#ssl_early_data on; diff --git a/.docker/nginx/h5bp/ssl/ssl_engine.conf b/.docker/nginx/h5bp/ssl/ssl_engine.conf new file mode 100644 index 000000000..6f66f8800 --- /dev/null +++ b/.docker/nginx/h5bp/ssl/ssl_engine.conf 
@@ -0,0 +1,43 @@ +# ---------------------------------------------------------------------- +# | SSL engine | +# ---------------------------------------------------------------------- + +# (1) Optimize SSL by caching session parameters for 10 minutes. +# This cuts down on the number of expensive SSL handshakes. +# By enabling a cache, we tell the client to re-use the already +# negotiated state. +# A 1Mb cache can hold about 4000 sessions, so we can hold 40000 sessions. +# +# (2) Use a higher keepalive timeout to reduce the need for repeated handshakes +# (!) Shouldn't be done unless you serve primarily HTTPS. +# Default is 75s +# +# (3) SSL buffer size +# Set 1400 bytes to fit in one MTU. +# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size +# +# (4) Disable session tickets +# Session tickets keys are not auto-rotated. Only a HUP / restart will do +# so and when a restart is performed the previous key is lost, which resets +# all previous sessions. +# Only enable session tickets if you set up a manual rotation mechanism. +# https://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx +# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets +# +# (5) Basic security improvements + +# (1) +ssl_session_cache shared:SSL:10m; +ssl_session_timeout 24h; + +# (2) +keepalive_timeout 300s; + +# (3) +# ssl_buffer_size 1400; + +# (4) +ssl_session_tickets off; + +# (5) +ssl_prefer_server_ciphers on; diff --git a/.docker/nginx/h5bp/web_performance/cache-file-descriptors.conf b/.docker/nginx/h5bp/web_performance/cache-file-descriptors.conf new file mode 100644 index 000000000..5f5e1769c --- /dev/null +++ b/.docker/nginx/h5bp/web_performance/cache-file-descriptors.conf 
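Review bot: Comment (1) says session parameters are cached "for 10 minutes", but `ssl_session_timeout 24h;` keeps them resumable for a day; the `10m` in `shared:SSL:10m` is the cache size, so either the comment or the value is wrong, and with tickets off this cache is what bounds the resumption window. `keepalive_timeout 300s;` here, and likewise `open_file_cache`/`gzip*` in the cache-file-descriptors (L23) and compression (L26) hunks, repeat directives nginx.conf already sets at http{} level; as far as I can tell nginx rejects a second occurrence in the same context as a duplicate, so these snippets only work when included at server{} level, which is worth a comment at the top of each. Where the snippets are actually included is not visible in this chunk.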
@@ -0,0 +1,34 @@ +# ---------------------------------------------------------------------- +# | Cache file-descriptors | +# ---------------------------------------------------------------------- + +# This tells Nginx to cache open file handles, "Not Found" errors and +# metadata about files and their permissions. +# +# Based on these cached metadata, Nginx can immediately begin sending data when +# a popular file is requested, and will also know to immediately send a 404 if a +# file is missing on disk, and so on. +# +# (!) It also means that the server won't react immediately to changes on disk, +# which may be undesirable. +# As only metadata are cached, edited files may be truncated until the cache +# is refreshed. +# https://github.com/h5bp/server-configs-nginx/issues/203 +# +# In the below configuration, inactive files are released from the cache after +# 20 seconds, whereas active (recently requested) files are re-validated every +# 30 seconds. +# Descriptors will not be cached unless they are used at least 2 times within +# 20 seconds (the inactive time). +# A maximum of the 1000 most recently used file descriptors can be cached at +# any time. +# +# Production servers with stable file collections will definitely want to enable +# the cache. +# +# https://nginx.org/en/docs/http/ngx_http_core_module.html#open_file_cache + +open_file_cache max=1000 inactive=20s; +open_file_cache_valid 30s; +open_file_cache_min_uses 2; +open_file_cache_errors on; diff --git a/.docker/nginx/h5bp/web_performance/cache_expiration.conf b/.docker/nginx/h5bp/web_performance/cache_expiration.conf new file mode 100644 index 000000000..849a13188 --- /dev/null +++ b/.docker/nginx/h5bp/web_performance/cache_expiration.conf 
@@ -0,0 +1,76 @@ +# ---------------------------------------------------------------------- +# | Cache expiration | +# ---------------------------------------------------------------------- + +# Serve resources with far-future expiration date. +# +# (!) If you don't control versioning with filename-based cache busting, you +# should consider lowering the cache times to something like one week. +# +# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control +# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expires +# https://nginx.org/en/docs/http/ngx_http_headers_module.html#expires + +map $sent_http_content_type $expires { + default 1M; + + # No content + "" off; + + # CSS + ~*text/css 1y; + + # Data interchange + ~*application/atom\+xml 1h; + ~*application/rdf\+xml 1h; + ~*application/rss\+xml 1h; + + ~*application/json 0; + ~*application/ld\+json 0; + ~*application/schema\+json 0; + ~*application/geo\+json 0; + ~*application/xml 0; + ~*text/calendar 0; + ~*text/xml 0; + + # Favicon (cannot be renamed!) and cursor images + ~*image/vnd.microsoft.icon 1w; + ~*image/x-icon 1w; + + # HTML + ~*text/html 0; + + # JavaScript + ~*application/javascript 1y; + ~*application/x-javascript 1y; + ~*text/javascript 1y; + + # Manifest files + ~*application/manifest\+json 1w; + ~*application/x-web-app-manifest\+json 0; + ~*text/cache-manifest 0; + + # Markdown + ~*text/markdown 0; + + # Media files + ~*audio/ 1M; + ~*image/ 1M; + ~*video/ 1M; + + # WebAssembly + ~*application/wasm 1y; + + # Web fonts + ~*font/ 1M; + ~*application/vnd.ms-fontobject 1M; + ~*application/x-font-ttf 1M; + ~*application/x-font-woff 1M; + ~*application/font-woff 1M; + ~*application/font-woff2 1M; + + # Other + ~*text/x-cross-domain-policy 1w; +} + +expires $expires; diff --git a/.docker/nginx/h5bp/web_performance/compression.conf b/.docker/nginx/h5bp/web_performance/compression.conf new file mode 100644 index 000000000..b9026ca81 --- /dev/null 
+++ b/.docker/nginx/h5bp/web_performance/compression.conf 
@@ -0,0 +1,67 @@ +# ---------------------------------------------------------------------- +# | Compression | +# ---------------------------------------------------------------------- + +# https://nginx.org/en/docs/http/ngx_http_gzip_module.html + +# Enable gzip compression. +# Default: off +gzip on; + +# Compression level (1-9). +# 5 is a perfect compromise between size and CPU usage, offering about 75% +# reduction for most ASCII files (almost identical to level 9). +# Default: 1 +gzip_comp_level 5; + +# Don't compress anything that's already small and unlikely to shrink much if at +# all (the default is 20 bytes, which is bad as that usually leads to larger +# files after gzipping). +# Default: 20 +gzip_min_length 256; + +# Compress data even for clients that are connecting to us via proxies, +# identified by the "Via" header (required for CloudFront). +# Default: off +gzip_proxied any; + +# Tell proxies to cache both the gzipped and regular version of a resource +# whenever the client's Accept-Encoding capabilities header varies; +# Avoids the issue where a non-gzip capable client (which is extremely rare +# today) would display gibberish if their proxy gave them the gzipped version. +# Default: off +gzip_vary on; + +# Compress all output labeled with one of the following MIME-types. +# `text/html` is always compressed by gzip module. +# Default: text/html +gzip_types + application/atom+xml + application/geo+json + application/javascript + application/x-javascript + application/json + application/ld+json + application/manifest+json + application/rdf+xml + application/rss+xml + application/vnd.ms-fontobject + application/wasm + application/x-web-app-manifest+json + application/xhtml+xml + application/xml + font/otf + image/bmp + image/svg+xml + text/cache-manifest + text/calendar + text/css + text/javascript + text/markdown + text/plain + text/xml + text/vcard + text/vnd.rim.location.xloc + text/vtt + text/x-component + text/x-cross-domain-policy; 
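Review bot: `gzip on;` with `gzip_types` covering `application/json`, `text/plain` and the always-compressed `text/html` also compresses the PHP backend's dynamic responses, and over TLS that is the precondition for BREACH-style compression side channels when a response carries both a secret (session/CSRF token) and request-influenced text. A defensive option is to keep compression for static asset locations only, or to document here that the application is expected to mask per-request tokens; a comment such as `# (!) Dynamic responses over TLS are compressed too; see BREACH before enabling for the app` would make the trade-off explicit.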
diff --git a/.docker/nginx/h5bp/web_performance/no-transform.conf b/.docker/nginx/h5bp/web_performance/no-transform.conf new file mode 100644 index 000000000..0de6ddc68 --- /dev/null +++ b/.docker/nginx/h5bp/web_performance/no-transform.conf @@ -0,0 +1,29 @@ +# ---------------------------------------------------------------------- +# | Content transformation | +# ---------------------------------------------------------------------- + +# Prevent intermediate caches or proxies (such as those used by mobile +# network providers) and browsers data-saving features from modifying +# the website's content using the `cache-control: no-transform` directive. +# +# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control +# https://tools.ietf.org/html/rfc7234#section-5.2.2.4 +# +# (!) Carefully consider the impact on your visitors before disabling +# content transformation. These transformations are performed to +# improve the experience for data- and cost-constrained users +# (e.g. users on a 2G connection). +# +# You can test the effects of content transformation applied by +# Google's Lite Mode by visiting: https://googleweblight.com/i?u=https://www.example.com +# +# https://support.google.com/webmasters/answer/6211428 +# +# (!) If you are using `ngx_pagespeed`, note that disabling this will +# prevent `PageSpeed` from rewriting HTML files, and, if the +# `pagespeed DisableRewriteOnNoTransform` directive isn't set to +# `off`, also from rewriting other resources. +# +# https://developers.google.com/speed/pagespeed/module/configuration#notransform + +add_header Cache-Control "no-transform"; diff --git a/.docker/nginx/h5bp/web_performance/pre-compressed_content_brotli.conf b/.docker/nginx/h5bp/web_performance/pre-compressed_content_brotli.conf new file mode 100644 index 000000000..fda88062e --- /dev/null +++ b/.docker/nginx/h5bp/web_performance/pre-compressed_content_brotli.conf 
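Review bot: `add_header Cache-Control "no-transform";` is inherited by a server{} or location{} only when that level declares no `add_header` of its own, so any location that later adds a header silently drops this one. A note here would prevent that surprise: `# (!) add_header is not cumulative across levels; a block with its own add_header must repeat this.` Also, combined with `expires $expires;` from cache_expiration.conf, which emits its own Cache-Control, the response ends up with two Cache-Control headers rather than one merged value, which is tolerated by browsers but worth knowing when debugging caching.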
@@ -0,0 +1,17 @@
+# ----------------------------------------------------------------------
+# | Brotli pre-compressed content |
+# ----------------------------------------------------------------------
+
+# Serve brotli compressed files if they exist and if the client accepts brotli
+# encoding.
+#
+# (!) To make this part relevant, you need to generate encoded files by your
+# own. Enabling this part will not auto-generate brotlied files.
+#
+# Note that some clients (eg. browsers) require a secure connection to request
+# brotli-compressed resources.
+# https://www.chromestatus.com/feature/5420797577396224
+#
+# https://github.com/eustas/ngx_brotli/#brotli_static
+
+brotli_static on;
diff --git a/.docker/nginx/h5bp/web_performance/pre-compressed_content_gzip.conf b/.docker/nginx/h5bp/web_performance/pre-compressed_content_gzip.conf
new file mode 100644
index 000000000..1809bfed5
--- /dev/null
+++ b/.docker/nginx/h5bp/web_performance/pre-compressed_content_gzip.conf
@@ -0,0 +1,13 @@
+# ----------------------------------------------------------------------
+# | GZip pre-compressed content |
+# ----------------------------------------------------------------------
+
+# Serve gzip compressed files if they exist and if the client accepts gzip
+# encoding.
+#
+# (!) To make this part relevant, you need to generate encoded files by your
+# own. Enabling this part will not auto-generate gziped files.
+#
+# https://nginx.org/en/docs/http/ngx_http_gzip_static_module.html
+
+gzip_static on;
diff --git a/.docker/nginx/mime.types b/.docker/nginx/mime.types
new file mode 100644
index 000000000..0d039d893
--- /dev/null
+++ b/.docker/nginx/mime.types
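Review bot: `brotli_static on;` needs the third-party ngx_brotli module, which stock nginx images do not ship, so if this snippet is ever included without the module loaded nginx refuses to start on an unknown directive; the nginx Dockerfile is not in this chunk, so I cannot confirm the module is built in. A guard comment would help: `# (!) Requires ngx_brotli to be compiled in or load_module'd; nginx will not start otherwise.` The following hunk's `gzip_static on;` also contradicts `gzip_static off;` in nginx.conf; the more specific context wins if the snippet is included at server{} level, but the two express opposite intent and one should be documented as the override.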
@@ -0,0 +1,139 @@ +types { + + # Data interchange + + application/atom+xml atom; + application/json json map topojson; + application/ld+json jsonld; + application/rss+xml rss; + # Normalize to standard type. + # https://tools.ietf.org/html/rfc7946#section-12 + application/geo+json geojson; + application/xml xml; + # Normalize to standard type. + # https://tools.ietf.org/html/rfc3870#section-2 + application/rdf+xml rdf; + + + # JavaScript + + # Servers should use text/javascript for JavaScript resources. + # https://html.spec.whatwg.org/multipage/scripting.html#scriptingLanguages + text/javascript js mjs; + application/wasm wasm; + + + # Manifest files + + application/manifest+json webmanifest; + application/x-web-app-manifest+json webapp; + text/cache-manifest appcache; + + + # Media files + + audio/midi mid midi kar; + audio/mp4 aac f4a f4b m4a; + audio/mpeg mp3; + audio/ogg oga ogg opus; + audio/x-realaudio ra; + audio/x-wav wav; + audio/x-matroska mka; + image/bmp bmp; + image/gif gif; + image/jpeg jpeg jpg; + image/jxr jxr hdp wdp; + image/png png; + image/svg+xml svg svgz; + image/tiff tif tiff; + image/vnd.wap.wbmp wbmp; + image/webp webp; + image/x-jng jng; + video/3gpp 3gp 3gpp; + video/mp4 f4p f4v m4v mp4; + video/mpeg mpeg mpg; + video/ogg ogv; + video/quicktime mov; + video/webm webm; + video/x-flv flv; + video/x-mng mng; + video/x-ms-asf asf asx; + video/x-ms-wmv wmv; + video/x-msvideo avi; + video/x-matroska mkv mk3d; + + # Serving `.ico` image files with a different media type + # prevents Internet Explorer from displaying then as images: + # https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcddcb205aadf8ee + + image/x-icon cur ico; + + + # Microsoft Office + + application/msword doc; + application/vnd.ms-excel xls; + application/vnd.ms-powerpoint ppt; + application/vnd.openxmlformats-officedocument.wordprocessingml.document docx; + application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx; + 
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx; + + + # Web fonts + + font/woff woff; + font/woff2 woff2; + application/vnd.ms-fontobject eot; + font/ttf ttf; + font/collection ttc; + font/otf otf; + + + # Other + + application/java-archive ear jar war; + application/mac-binhex40 hqx; + application/octet-stream bin deb dll dmg exe img iso msi msm msp safariextz; + application/pdf pdf; + application/postscript ai eps ps; + application/rtf rtf; + application/vnd.google-earth.kml+xml kml; + application/vnd.google-earth.kmz kmz; + application/vnd.wap.wmlc wmlc; + application/x-7z-compressed 7z; + application/x-bb-appworld bbaw; + application/x-bittorrent torrent; + application/x-chrome-extension crx; + application/x-cocoa cco; + application/x-java-archive-diff jardiff; + application/x-java-jnlp-file jnlp; + application/x-makeself run; + application/x-opera-extension oex; + application/x-perl pl pm; + application/x-pilot pdb prc; + application/x-rar-compressed rar; + application/x-redhat-package-manager rpm; + application/x-sea sea; + application/x-shockwave-flash swf; + application/x-stuffit sit; + application/x-tcl tcl tk; + application/x-x509-ca-cert crt der pem; + application/x-xpinstall xpi; + application/xhtml+xml xhtml; + application/xslt+xml xsl; + application/zip zip; + text/calendar ics; + text/css css; + text/csv csv; + text/html htm html shtml; + text/markdown md markdown; + text/mathml mml; + text/plain txt; + text/vcard vcard vcf; + text/vnd.rim.location.xloc xloc; + text/vnd.sun.j2me.app-descriptor jad; + text/vnd.wap.wml wml; + text/vtt vtt; + text/x-component htc; + +} diff --git a/.docker/nginx/nginx.conf b/.docker/nginx/nginx.conf new file mode 100644 index 000000000..e7227787f --- /dev/null +++ b/.docker/nginx/nginx.conf 
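Review bot: `text/javascript js mjs;` maps JavaScript to text/javascript, but nginx.conf's `charset_types` and `gzip_types` list only `application/javascript`, so if this file is the one installed as /etc/nginx/mime.types, .js responses get neither the charset nor gzip. Several other entries in that gzip_types list (`application/vnd.geo+json`, `font/opentype`, `application/x-font-ttf`) have no counterpart here either, where the types are `application/geo+json`, `font/otf` and `font/ttf`. Whether this file is what ends up at /etc/nginx/mime.types depends on the nginx Dockerfile, which is outside this chunk.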
@@ -0,0 +1,149 @@ + +user nginx; +worker_processes 4; +worker_rlimit_nofile 20000; + +daemon off; + +error_log /var/log/nginx/error.log warn; +pid /var/run/nginx.pid; + + +events { + worker_connections 1024; + multi_accept on; + use epoll; +} + + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + charset_types text/css text/plain text/vnd.wap.wml application/javascript application/json application/rss+xml application/xml; + + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + log_format main_ext '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for" ' + '"$host" sn="$server_name" ' + 'rt=$request_time ' + 'ua="$upstream_addr" us="$upstream_status" ' + 'ut="$upstream_response_time" ul="$upstream_response_length" ' + 'cs=$upstream_cache_status' ; + + access_log /var/log/nginx/access.log main; + + sendfile on; + tcp_nopush off; + tcp_nodelay on; + + keepalive_timeout 65; + + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + + upstream ws_dev_map_update { + server websocket:8020; + } + + upstream ws_prod_map_update { + server websocket:8020; + } + + fastcgi_connect_timeout 5s; + fastcgi_read_timeout 40s; + fastcgi_send_timeout 15s; + + client_header_buffer_size 1k; + + # The maximum number and size of buffers for large client headers. + large_client_header_buffers 4 4k; + + # The maximum allowed size for a client request. If the maximum size is exceeded, then Nginx will spit out a 413 error or Request Entity Too Large. (Default: 1m) + # php max upload limit cannot be larger than this + client_max_body_size 8m; + + # This handles the client buffer size, meaning any POST actions sent to Nginx. POST actions are typically form submissions. 
+ client_body_buffer_size 32k; + + output_buffers 2 32k; + + fastcgi_buffering on; + fastcgi_buffers 8 32k; + fastcgi_buffer_size 32k; + + # Caching ================================================================================================================== + + # Above sample tells nginx to cache a file information as long as minimum 2 requests are made during 5m window. + open_file_cache max=10000 inactive=5m; + open_file_cache_valid 2m; + open_file_cache_min_uses 1; + open_file_cache_errors on; + + # Enable Gzip compressed. + gzip on; + + # Compression level (1-9). + # 5 is a perfect compromise between size and cpu usage, offering about + # 75% reduction for most ascii files (almost identical to level 9). + gzip_comp_level 5; + + # Don't compress anything that's already small and unlikely to shrink much + # if at all (the default is 20 bytes, which is bad as that usually leads to + # larger files after gzipping). + gzip_min_length 256; + + # Compress data even for clients that are connecting to us via proxies, + # identified by the "Via" header (required for CloudFront). + # gzip_proxied expired no-cache no-store private auth; + gzip_proxied any; + + # Tell proxies to cache both the gzipped and regular version of a resource + # whenever the client's Accept-Encoding capabilities header varies; + # Avoids the issue where a non-gzip capable client (which is extremely rare + # today) would display gibberish if their proxy gave them the gzipped version. + gzip_vary on; + + # Compress all output labeled with one of the following MIME-types. 
+ gzip_types + application/atom+xml + application/javascript + application/json + application/ld+json + application/manifest+json + application/rss+xml + application/vnd.geo+json + application/vnd.ms-fontobject + application/x-font-ttf + application/x-web-app-manifest+json + application/xhtml+xml + application/xml + font/opentype + image/bmp + image/svg+xml + image/x-icon + text/cache-manifest + text/css + text/plain + text/vcard + text/vnd.rim.location.xloc + text/vtt + text/x-component + text/x-cross-domain-policy; + # text/html; + + # This should be turned on if you are going to have pre-compressed copies (.gz) of + # static files available. If not it should be left off as it will cause extra I/O + # for the check. It is best if you enable this in a location{} block for + # a specific directory, or on an individual server{} level. + gzip_static off; + + include /etc/nginx/conf.d/*.conf; +} diff --git a/.docker/nginx/nginx.conf.old b/.docker/nginx/nginx.conf.old new file mode 100644 index 000000000..80667f62f --- /dev/null +++ b/.docker/nginx/nginx.conf.old 
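Review bot: The new http{} block drops the slow-client timeouts that nginx.conf.old carries (`client_body_timeout 12;`, `client_header_timeout 12;`, `send_timeout 10s;`), so headers and bodies can now be dribbled in for the 60s defaults; those three lines are worth keeping. `server_tokens off;` is also absent, and the h5bp snippet that would set it is never reached because pathfinder-http.conf comments out `include h5bp/basic.conf;`, so the Server header advertises the nginx version. The upstream blocks `ws_dev_map_update` and `ws_prod_map_update` both point at `websocket:8020` and neither is referenced by pathfinder-http.conf, which proxies to `http://websocket:8020` directly; either use one of them or remove both.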
@@ -0,0 +1,242 @@ +# nginx Configuration File +# http://wiki.nginx.org/Configuration + +# Run as a less privileged user for security reasons. +# user www-data www-data; + +# How many worker threads to run; +# "auto" sets it to the number of CPU cores available in the system, and +# offers the best performance. Don't set it higher than the number of CPU +# cores if changing this parameter. + +# The maximum number of connections for Nginx is calculated by: +# max_clients = worker_processes * worker_connections +# (2 Cores = 4 processes) check cores: grep processor /proc/cpuinfo | wc -l +#worker_processes auto; +worker_processes 4; + +# Maximum open file descriptors per process; +# should be > worker_connections. +worker_rlimit_nofile 20000; + +events { + # The worker_connections command tells our worker processes how many people can simultaneously be served by Nginx. + # When you need > 8000 * cpu_cores connections, you start optimizing your OS, + # and this is probably the point at which you hire people who are smarter than + # you, as this is *a lot* of requests. + # worker_connections 768; + worker_connections 19000; + multi_accept on; + use epoll; +} + +# Default error log file +# (this is only used when you don't override error_log on a server{} level) +error_log /dev/stdout warn; +pid /var/run/nginx.pid; + + +http { + + # Hide nginx version information. + server_tokens on; + + # Define the MIME types for files. + include /etc/nginx/mime.types; + default_type application/octet-stream; + + # Update charset_types due to updated mime.types + charset_types text/css text/plain text/vnd.wap.wml application/javascript application/json application/rss+xml application/xml; + + # Speed up file transfers by using sendfile() to copy directly + # between descriptors rather than using read()/write(). + # For performance reasons, on FreeBSD systems w/ ZFS + # this option should be disabled as ZFS's ARC caches + # frequently used files in RAM by default. 
+ sendfile on; + + # Tell Nginx not to send out partial frames; this increases throughput + # since TCP frames are filled up before being sent out. (adds TCP_CORK) + tcp_nopush off; + + # Send packages immediately (on). Otherwise nginx will "wait" 200ms for additional data to fullfill a package. + tcp_nodelay on; + + # Timeouts ================================================================================================================== + + # 'Body' and 'Header' max response timings. If neither a body or header is sent, the server will issue a 408 error or Request time out. (Default: 60s) + client_body_timeout 12; + client_header_timeout 12; + + # Assigns the timeout for keep-alive connections with the client. + # Simply put, Nginx will close connections with the client after this period of time.(Default: 65) + keepalive_timeout 20s; + + # Finally, the send_timeout is established not on the entire transfer of answer, but only between two operations of reading; + # if after this time client will take nothing, then Nginx is shutting down the connection. + send_timeout 10s; + + # Sets a timeout for name resolution. (Default: 30s) + resolver_timeout 5s; + + # Timeout period for connection with FastCGI-server. It should be noted that this value can't exceed 75 seconds. (Default: 60s) + fastcgi_connect_timeout 5s; + + # Amount of time for upstream to wait for a fastcgi process to send data. + # Change this directive if you have long running fastcgi processes that do not produce output until they have finished processing. + # If you are seeing an upstream timed out error in the error log, then increase this parameter to something more appropriate. (Default: 60s) + fastcgi_read_timeout 40s; + + # Request timeout to the server. The timeout is calculated between two write operations, not for the whole request. + # If no data have been written during this period then serve closes the connection. 
(Default: 60s) + fastcgi_send_timeout 15s; + + # WebSockets =============================================================================================================== + + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + + upstream ws_dev_map_update { + server 127.0.0.1:8020; + } + + upstream ws_prod_map_update { + server 127.0.0.1:8030; + } + + # Buffer ==================================================================================================================== + + # Similar to the previous directive, only instead it handles the client header size. + # For all intents and purposes, 1K is usually a decent size for this directive. + client_header_buffer_size 1k; + + # The maximum number and size of buffers for large client headers. + large_client_header_buffers 4 4k; + + # The maximum allowed size for a client request. If the maximum size is exceeded, then Nginx will spit out a 413 error or Request Entity Too Large. (Default: 1m) + # php max upload limit cannot be larger than this + client_max_body_size 8m; + + # This handles the client buffer size, meaning any POST actions sent to Nginx. POST actions are typically form submissions. + client_body_buffer_size 32k; + + output_buffers 2 32k; + + fastcgi_buffering on; + fastcgi_buffers 8 32k; + fastcgi_buffer_size 32k; + + # Caching ================================================================================================================== + + # Above sample tells nginx to cache a file information as long as minimum 2 requests are made during 5m window. 
+ open_file_cache max=10000 inactive=5m; + open_file_cache_valid 2m; + open_file_cache_min_uses 1; + open_file_cache_errors on; + + # Fast CGI + # fastcgi_cache_path /etc/nginx/cache levels=1:2 keys_zone=MYAPP:100m inactive=60m; + # fastcgi_cache_key "$scheme$request_method$host$request_uri"; + + # Logging =================================================================================================================== + + # Format to use in log files + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + # Extended Logging (e.g. for Nginx Aplify log graphs) + log_format main_ext '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for" ' + '"$host" sn="$server_name" ' + 'rt=$request_time ' + 'ua="$upstream_addr" us="$upstream_status" ' + 'ut="$upstream_response_time" ul="$upstream_response_length" ' + 'cs=$upstream_cache_status' ; + + # This excludes 2xx and 3xx status codes from beeing loged + map $status $loggable { + ~^[23] 0; + default 1; + } + + # logs just 5xxx errors + map $status $log_production { + ~^[1234] 0; + default 1; + } + + # Default log file + # (this is only used when you don't override access_log on a server{} level) + access_log /dev/stdout main if=$loggable; + + # Compression =============================================================================================================== + + # Enable Gzip compressed. + gzip on; + + # Compression level (1-9). + # 5 is a perfect compromise between size and cpu usage, offering about + # 75% reduction for most ascii files (almost identical to level 9). + gzip_comp_level 5; + + # Don't compress anything that's already small and unlikely to shrink much + # if at all (the default is 20 bytes, which is bad as that usually leads to + # larger files after gzipping). 
+ gzip_min_length 256; + + # Compress data even for clients that are connecting to us via proxies, + # identified by the "Via" header (required for CloudFront). + # gzip_proxied expired no-cache no-store private auth; + gzip_proxied any; + + # Tell proxies to cache both the gzipped and regular version of a resource + # whenever the client's Accept-Encoding capabilities header varies; + # Avoids the issue where a non-gzip capable client (which is extremely rare + # today) would display gibberish if their proxy gave them the gzipped version. + gzip_vary on; + + # Compress all output labeled with one of the following MIME-types. + gzip_types + application/atom+xml + application/javascript + application/json + application/ld+json + application/manifest+json + application/rss+xml + application/vnd.geo+json + application/vnd.ms-fontobject + application/x-font-ttf + application/x-web-app-manifest+json + application/xhtml+xml + application/xml + font/opentype + image/bmp + image/svg+xml + image/x-icon + text/cache-manifest + text/css + text/plain + text/vcard + text/vnd.rim.location.xloc + text/vtt + text/x-component + text/x-cross-domain-policy; + # text/html; + + # This should be turned on if you are going to have pre-compressed copies (.gz) of + # static files available. If not it should be left off as it will cause extra I/O + # for the check. It is best if you enable this in a location{} block for + # a specific directory, or on an individual server{} level. + gzip_static off; + + # Include files in the sites-enabled folder. server{} configuration files should be + # placed in the sites-available folder, and then the configuration should be enabled + # by creating a symlink to it in the sites-enabled folder. + # See doc/sites-enabled.md for more info. + # include /etc/nginx/conf.d/*.conf; + # include /etc/nginx/sites_enabled/*.conf; +} diff --git a/.docker/nginx/pathfinder-http.conf b/.docker/nginx/pathfinder-http.conf new file mode 100644 index 000000000..d46e307c5 
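Review bot: nginx.conf.old is a superseded copy committed next to the live config, and keeping it in the build context invites drift; it is, for instance, the only place the `$log_production` map exists that pathfinder-http.conf's commented-out access_log line still references. It belongs in git history rather than the tree. Note also that `# Hide nginx version information.` sits directly above `server_tokens on;`, which does the opposite; if anything is ported forward from here it should be `server_tokens off;`.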
--- /dev/null
+++ b/.docker/nginx/pathfinder-http.conf
@@ -0,0 +1,84 @@
+# www to non-www redirect -- duplicate content is BAD:
+# https://github.com/h5bp/html5-boilerplate/blob/5370479476dceae7cc3ea105946536d6bc0ee468/.htaccess#L362
+# Choose between www and non-www, listen on the *wrong* one and redirect to
+# the right one -- http://wiki.nginx.org/Pitfalls#Server_Name
+
+# listen to HTTP:/www.dev.localhost
+server {
+ listen 80;
+ listen [::]:80;
+
+ # The host name to respond
+ server_name tripwire.critical-horizon.com;
+
+ # Path to static files
+ root /usr/share/nginx/html;
+ # index index.php index.html index.htm;
+
+ # Specify a charset
+ charset utf-8;
+
+
+ # Logging ===================================================================================================================
+ # access_log /usr/share/nginx/html/logs/nginx_access.log main_ext if=$log_production;
+ error_log /usr/share/nginx/html/logs/nginx_error.log warn;
+
+ location / {
+ # auth_basic "Admin Login";
+ # auth_basic_user_file /etc/nginx/admin_pass;
+ index index.php;
+ try_files $uri $uri/ /index.php?$query_string;
+ }
+
+ # Protct /setup with password
+ location /setup {
+ auth_basic "Setup Login";
+ auth_basic_user_file /etc/nginx/.setup_pass;
+ try_files $uri $uri/ /index.php?$query_string;
+ }
+
+ # PHP socket configuration
+ location ~ \.php$ {
+ try_files $uri =404;
+ fastcgi_pass php-fpm:9000;
+ fastcgi_index index.php;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+
+ # CGI caching
+ #fastcgi_cache MYAPP;
+ #fastcgi_cache_valid 200 60m;
+
+ include fastcgi_params;
+ }
+
+ # static sources
+ location /public/ {
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 10s;
+ sendfile_max_chunk 512k;
+ }
+
+ # WebSocket ReverseProxy setup [optional]
+ location /ws/map/update {
+ proxy_pass http://websocket:8020;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Host $host;
+
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Port $server_port;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_read_timeout 8h;
+ proxy_send_timeout 5s;
+ proxy_connect_timeout 3s;
+ proxy_buffering off;
+ }
+
+ # Include the basic h5bp config set
+ # include h5bp/basic.conf;
+}
diff --git a/.docker/php/Dockerfile b/.docker/php/Dockerfile
new file mode 100644
index 000000000..c99ddcc2c
--- /dev/null
+++ b/.docker/php/Dockerfile
@@ -0,0 +1,26 @@
+FROM php:7.2-fpm-alpine
+
+RUN apk add --no-cache \
+ curl-dev libpng-dev ${PHPIZE_DEPS} && \
+ docker-php-ext-install curl gd pdo_mysql
+
+RUN pecl install -o -f redis && \
+ docker-php-ext-enable redis
+
+RUN curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer
+
+# RUN mkdir -p /usr/share/nginx/html && \
+# adduser -h /usr/share/nginx/html -D -u 1000 nginx
+
+# RUN chown -R nginx:nginx /usr/share/nginx/html
+# USER nginx
+
+COPY --chown=www-data:www-data . /usr/share/nginx/html
+
+WORKDIR /usr/share/nginx/html
+
+RUN composer install
+
+RUN chmod 0766 ./logs
+
+RUN rm .htaccess
diff --git a/.docker/php/php.ini b/.docker/php/php.ini
new file mode 100644
index 000000000..815f34649
--- /dev/null
+++ b/.docker/php/php.ini
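Review bot: The `auth_basic` on `location /setup` can be bypassed for any PHP script under that path, because nginx evaluates the regex `location ~ \.php$` after the prefix match and lets it win, so a request for `/setup/index.php` (or any `/setup/*.php`) is served by the unauthenticated PHP block without ever passing through the password check. Only non-`.php` URIs under `/setup` get the 401, since those hit the prefix block and are then rewritten by `try_files` after the access phase has already run. The fix is to declare the prefix with `^~` so regex locations are not consulted, and to nest a PHP handler inside it so scripts under `/setup` still reach php-fpm but inherit the auth; the top-level `~ \.php$` block stays as is for everything else. It is also worth noting that `access_log` is commented out, so there is no record of who hit the setup endpoint at all.

```nginx
# Protect /setup with a password. "^~" stops nginx from falling through to
# the regex "~ \.php$" location, which would otherwise serve /setup/*.php
# without auth_basic.
location ^~ /setup {
    auth_basic "Setup Login";
    auth_basic_user_file /etc/nginx/.setup_pass;
    try_files $uri $uri/ /index.php?$query_string;

    # Same FastCGI wiring as the top-level PHP block; auth_basic is inherited.
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass php-fpm:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
# … unchanged: top-level "location ~ \.php$" block, /public/, /ws/map/update …
```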
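Review bot: The `RUN curl -sS https://getcomposer.org/installer | php -- ...` line executes whatever the download returns with no signature or checksum check and no version pin, so every image build trusts the network path and the current contents of that URL; either verify the installer's SHA-384 against the published `installer.sig` as the Composer docs describe, or take a pinned binary from the official image, e.g. `COPY --from=composer:1 /usr/bin/composer /usr/local/bin/composer`. The later `RUN chmod 0766 ./logs` makes the log directory world-writable, which is unnecessary here because the preceding `COPY --chown=www-data:www-data` already hands it to the user the fpm pool presumably runs as; `RUN chmod 0750 ./logs` (or 0770 with a shared group if another container writes there via a volume) keeps the same functionality without letting any other local user append to or replace log files. Note also that `COPY . /usr/share/nginx/html` ships the whole build context into the web root, so unless a `.dockerignore` exists that I cannot see from this hunk, the `.docker/` tree and any local config or credential files end up inside the image.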
@@ -0,0 +1,1939 @@ +[PHP] + +;;;;;;;;;;;;;;;;;;; +; About php.ini ; +;;;;;;;;;;;;;;;;;;; +; PHP's initialization file, generally called php.ini, is responsible for +; configuring many of the aspects of PHP's behavior. + +; PHP attempts to find and load this configuration from a number of locations. +; The following is a summary of its search order: +; 1. SAPI module specific location. +; 2. The PHPRC environment variable. (As of PHP 5.2.0) +; 3. A number of predefined registry keys on Windows (As of PHP 5.2.0) +; 4. Current working directory (except CLI) +; 5. The web server's directory (for SAPI modules), or directory of PHP +; (otherwise in Windows) +; 6. The directory from the --with-config-file-path compile time option, or the +; Windows directory (C:\windows or C:\winnt) +; See the PHP docs for more specific information. +; http://php.net/configuration.file + +; The syntax of the file is extremely simple. Whitespace and lines +; beginning with a semicolon are silently ignored (as you probably guessed). +; Section headers (e.g. [Foo]) are also silently ignored, even though +; they might mean something in the future. + +; Directives following the section heading [PATH=/www/mysite] only +; apply to PHP files in the /www/mysite directory. Directives +; following the section heading [HOST=www.example.com] only apply to +; PHP files served from www.example.com. Directives set in these +; special sections cannot be overridden by user-defined INI files or +; at runtime. Currently, [PATH=] and [HOST=] sections only work under +; CGI/FastCGI. +; http://php.net/ini.sections + +; Directives are specified using the following syntax: +; directive = value +; Directive names are *case sensitive* - foo=bar is different from FOO=bar. +; Directives are variables used to configure PHP or PHP extensions. +; There is no name validation. If PHP can't find an expected +; directive because it is not set or is mistyped, a default value will be used. 
+ +; The value can be a string, a number, a PHP constant (e.g. E_ALL or M_PI), one +; of the INI constants (On, Off, True, False, Yes, No and None) or an expression +; (e.g. E_ALL & ~E_NOTICE), a quoted string ("bar"), or a reference to a +; previously set variable or directive (e.g. ${foo}) + +; Expressions in the INI file are limited to bitwise operators and parentheses: +; | bitwise OR +; ^ bitwise XOR +; & bitwise AND +; ~ bitwise NOT +; ! boolean NOT + +; Boolean flags can be turned on using the values 1, On, True or Yes. +; They can be turned off using the values 0, Off, False or No. + +; An empty string can be denoted by simply not writing anything after the equal +; sign, or by using the None keyword: + +; foo = ; sets foo to an empty string +; foo = None ; sets foo to an empty string +; foo = "None" ; sets foo to the string 'None' + +; If you use constants in your value, and these constants belong to a +; dynamically loaded extension (either a PHP extension or a Zend extension), +; you may only use these constants *after* the line that loads the extension. + +;;;;;;;;;;;;;;;;;;; +; About this file ; +;;;;;;;;;;;;;;;;;;; +; PHP comes packaged with two INI files. One that is recommended to be used +; in production environments and one that is recommended to be used in +; development environments. + +; php.ini-production contains settings which hold security, performance and +; best practices at its core. But please be aware, these settings may break +; compatibility with older or less security conscience applications. We +; recommending using the production ini in production and testing environments. + +; php.ini-development is very similar to its production variant, except it is +; much more verbose when it comes to errors. We recommend using the +; development version only in development environments, as errors shown to +; application users can inadvertently leak otherwise secure information. + +; This is php.ini-production INI file. 
+ +;;;;;;;;;;;;;;;;;;; +; Quick Reference ; +;;;;;;;;;;;;;;;;;;; +; The following are all the settings which are different in either the production +; or development versions of the INIs with respect to PHP's default behavior. +; Please see the actual settings later in the document for more details as to why +; we recommend these changes in PHP's behavior. + +; display_errors +; Default Value: On +; Development Value: On +; Production Value: Off + +; display_startup_errors +; Default Value: Off +; Development Value: On +; Production Value: Off + +; error_reporting +; Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED +; Development Value: E_ALL +; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT + +; html_errors +; Default Value: On +; Development Value: On +; Production value: On + +; log_errors +; Default Value: Off +; Development Value: On +; Production Value: On + +; max_input_time +; Default Value: -1 (Unlimited) +; Development Value: 60 (60 seconds) +; Production Value: 60 (60 seconds) + +; output_buffering +; Default Value: Off +; Development Value: 4096 +; Production Value: 4096 + +; register_argc_argv +; Default Value: On +; Development Value: Off +; Production Value: Off + +; request_order +; Default Value: None +; Development Value: "GP" +; Production Value: "GP" + +; session.gc_divisor +; Default Value: 100 +; Development Value: 1000 +; Production Value: 1000 + +; session.sid_bits_per_character +; Default Value: 4 +; Development Value: 5 +; Production Value: 5 + +; short_open_tag +; Default Value: On +; Development Value: Off +; Production Value: Off + +; track_errors +; Default Value: Off +; Development Value: On +; Production Value: Off + +; variables_order +; Default Value: "EGPCS" +; Development Value: "GPCS" +; Production Value: "GPCS" + +;;;;;;;;;;;;;;;;;;;; +; php.ini Options ; +;;;;;;;;;;;;;;;;;;;; +; Name for user-defined php.ini (.htaccess) files. 
Default is ".user.ini" +;user_ini.filename = ".user.ini" + +; To disable this feature set this option to empty value +;user_ini.filename = + +; TTL for user-defined php.ini files (time-to-live) in seconds. Default is 300 seconds (5 minutes) +;user_ini.cache_ttl = 300 + +;;;;;;;;;;;;;;;;;;;; +; Language Options ; +;;;;;;;;;;;;;;;;;;;; + +; Enable the PHP scripting language engine under Apache. +; http://php.net/engine +engine = On + +; This directive determines whether or not PHP will recognize code between +; tags as PHP source which should be processed as such. It is +; generally recommended that should be used and that this feature +; should be disabled, as enabling it may result in issues when generating XML +; documents, however this remains supported for backward compatibility reasons. +; Note that this directive does not control the would work. +; http://php.net/syntax-highlighting +;highlight.string = #DD0000 +;highlight.comment = #FF9900 +;highlight.keyword = #007700 +;highlight.default = #0000BB +;highlight.html = #000000 + +; If enabled, the request will be allowed to complete even if the user aborts +; the request. Consider enabling it if executing long requests, which may end up +; being interrupted by the user or a browser timing out. PHP's default behavior +; is to disable this feature. +; http://php.net/ignore-user-abort +;ignore_user_abort = On + +; Determines the size of the realpath cache to be used by PHP. This value should +; be increased on systems where PHP opens many files to reflect the quantity of +; the file operations performed. +; Note: if open_basedir is set, the cache is disabled +; http://php.net/realpath-cache-size +;realpath_cache_size = 4096k + +; Duration of time, in seconds for which to cache realpath information for a given +; file or directory. For systems with rarely changing files, consider increasing this +; value. 
+; http://php.net/realpath-cache-ttl +;realpath_cache_ttl = 120 + +; Enables or disables the circular reference collector. +; http://php.net/zend.enable-gc +zend.enable_gc = On + +; If enabled, scripts may be written in encodings that are incompatible with +; the scanner. CP936, Big5, CP949 and Shift_JIS are the examples of such +; encodings. To use this feature, mbstring extension must be enabled. +; Default: Off +;zend.multibyte = Off + +; Allows to set the default encoding for the scripts. This value will be used +; unless "declare(encoding=...)" directive appears at the top of the script. +; Only affects if zend.multibyte is set. +; Default: "" +;zend.script_encoding = + +;;;;;;;;;;;;;;;;; +; Miscellaneous ; +;;;;;;;;;;;;;;;;; + +; Decides whether PHP may expose the fact that it is installed on the server +; (e.g. by adding its signature to the Web server header). It is no security +; threat in any way, but it makes it possible to determine whether you use PHP +; on your server or not. +; http://php.net/expose-php +expose_php = On + +;;;;;;;;;;;;;;;;;;; +; Resource Limits ; +;;;;;;;;;;;;;;;;;;; + +; Maximum execution time of each script, in seconds +; http://php.net/max-execution-time +; Note: This directive is hardcoded to 0 for the CLI SAPI +max_execution_time = 30 + +; Maximum amount of time each script may spend parsing request data. It's a good +; idea to limit this time on productions servers in order to eliminate unexpectedly +; long running scripts. 
+; Note: This directive is hardcoded to -1 for the CLI SAPI +; Default Value: -1 (Unlimited) +; Development Value: 60 (60 seconds) +; Production Value: 60 (60 seconds) +; http://php.net/max-input-time +max_input_time = 60 + +; Maximum input variable nesting level +; http://php.net/max-input-nesting-level +;max_input_nesting_level = 64 + +; How many GET/POST/COOKIE input variables may be accepted +max_input_vars = 3000 + +; Maximum amount of memory a script may consume (128MB) +; http://php.net/memory-limit +memory_limit = 128M + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +; Error handling and logging ; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + +; This directive informs PHP of which errors, warnings and notices you would like +; it to take action for. The recommended way of setting values for this +; directive is through the use of the error level constants and bitwise +; operators. The error level constants are below here for convenience as well as +; some common settings and their meanings. +; By default, PHP is set to take action on all errors, notices and warnings EXCEPT +; those related to E_NOTICE and E_STRICT, which together cover best practices and +; recommended coding standards in PHP. For performance reasons, this is the +; recommend error reporting setting. Your production server shouldn't be wasting +; resources complaining about best practices and coding standards. That's what +; development servers and development settings are for. +; Note: The php.ini-development file has this setting as E_ALL. This +; means it pretty much reports everything which is exactly what you want during +; development and early testing. 
+; +; Error Level Constants: +; E_ALL - All errors and warnings (includes E_STRICT as of PHP 5.4.0) +; E_ERROR - fatal run-time errors +; E_RECOVERABLE_ERROR - almost fatal run-time errors +; E_WARNING - run-time warnings (non-fatal errors) +; E_PARSE - compile-time parse errors +; E_NOTICE - run-time notices (these are warnings which often result +; from a bug in your code, but it's possible that it was +; intentional (e.g., using an uninitialized variable and +; relying on the fact it is automatically initialized to an +; empty string) +; E_STRICT - run-time notices, enable to have PHP suggest changes +; to your code which will ensure the best interoperability +; and forward compatibility of your code +; E_CORE_ERROR - fatal errors that occur during PHP's initial startup +; E_CORE_WARNING - warnings (non-fatal errors) that occur during PHP's +; initial startup +; E_COMPILE_ERROR - fatal compile-time errors +; E_COMPILE_WARNING - compile-time warnings (non-fatal errors) +; E_USER_ERROR - user-generated error message +; E_USER_WARNING - user-generated warning message +; E_USER_NOTICE - user-generated notice message +; E_DEPRECATED - warn about code that will not work in future versions +; of PHP +; E_USER_DEPRECATED - user-generated deprecation warnings +; +; Common Values: +; E_ALL (Show all errors, warnings and notices including coding standards.) +; E_ALL & ~E_NOTICE (Show all errors, except for notices) +; E_ALL & ~E_NOTICE & ~E_STRICT (Show all errors, except for notices and coding standards warnings.) +; E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR (Show only errors) +; Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED +; Development Value: E_ALL +; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT +; http://php.net/error-reporting +error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT + +; This directive controls whether or not and where PHP will output errors, +; notices and warnings too. 
Error output is very useful during development, but +; it could be very dangerous in production environments. Depending on the code +; which is triggering the error, sensitive information could potentially leak +; out of your application such as database usernames and passwords or worse. +; For production environments, we recommend logging errors rather than +; sending them to STDOUT. +; Possible Values: +; Off = Do not display any errors +; stderr = Display errors to STDERR (affects only CGI/CLI binaries!) +; On or stdout = Display errors to STDOUT +; Default Value: On +; Development Value: On +; Production Value: Off +; http://php.net/display-errors +display_errors = Off + +; The display of errors which occur during PHP's startup sequence are handled +; separately from display_errors. PHP's default behavior is to suppress those +; errors from clients. Turning the display of startup errors on can be useful in +; debugging configuration problems. We strongly recommend you +; set this to 'off' for production servers. +; Default Value: Off +; Development Value: On +; Production Value: Off +; http://php.net/display-startup-errors +display_startup_errors = Off + +; Besides displaying errors, PHP can also log errors to locations such as a +; server-specific log, STDERR, or a location specified by the error_log +; directive found below. While errors should not be displayed on productions +; servers they should still be monitored and logging is a great way to do that. +; Default Value: Off +; Development Value: On +; Production Value: On +; http://php.net/log-errors +log_errors = On + +; Set maximum length of log_errors. In error_log information about the source is +; added. The default is 1024 and 0 allows to not apply any maximum length at all. +; http://php.net/log-errors-max-len +log_errors_max_len = 1024 + +; Do not log repeated messages. Repeated errors must occur in same file on same +; line unless ignore_repeated_source is set true. 
+; http://php.net/ignore-repeated-errors +ignore_repeated_errors = Off + +; Ignore source of message when ignoring repeated messages. When this setting +; is On you will not log errors with repeated messages from different files or +; source lines. +; http://php.net/ignore-repeated-source +ignore_repeated_source = Off + +; If this parameter is set to Off, then memory leaks will not be shown (on +; stdout or in the log). This has only effect in a debug compile, and if +; error reporting includes E_WARNING in the allowed list +; http://php.net/report-memleaks +report_memleaks = On + +; This setting is on by default. +;report_zend_debug = 0 + +; Store the last error/warning message in $php_errormsg (boolean). Setting this value +; to On can assist in debugging and is appropriate for development servers. It should +; however be disabled on production servers. +; This directive is DEPRECATED. +; Default Value: Off +; Development Value: Off +; Production Value: Off +; http://php.net/track-errors +;track_errors = Off + +; Turn off normal error reporting and emit XML-RPC error XML +; http://php.net/xmlrpc-errors +;xmlrpc_errors = 0 + +; An XML-RPC faultCode +;xmlrpc_error_number = 0 + +; When PHP displays or logs an error, it has the capability of formatting the +; error message as HTML for easier reading. This directive controls whether +; the error message is formatted as HTML or not. +; Note: This directive is hardcoded to Off for the CLI SAPI +; Default Value: On +; Development Value: On +; Production value: On +; http://php.net/html-errors +html_errors = Off + +; If html_errors is set to On *and* docref_root is not empty, then PHP +; produces clickable error messages that direct to a page describing the error +; or function causing the error in detail. +; You can download a copy of the PHP manual from http://php.net/docs +; and change docref_root to the base URL of your local copy including the +; leading '/'. 
You must also specify the file extension being used including +; the dot. PHP's default behavior is to leave these settings empty, in which +; case no links to documentation are generated. +; Note: Never use this feature for production boxes. +; http://php.net/docref-root +; Examples +;docref_root = "/phpmanual/" + +; http://php.net/docref-ext +;docref_ext = .html + +; String to output before an error message. PHP's default behavior is to leave +; this setting blank. +; http://php.net/error-prepend-string +; Example: +;error_prepend_string = "" + +; String to output after an error message. PHP's default behavior is to leave +; this setting blank. +; http://php.net/error-append-string +; Example: +;error_append_string = "" + +; Log errors to specified file. PHP's default behavior is to leave this value +; empty. +; http://php.net/error-log +; Example: +;error_log = php_errors.log +; Log errors to syslog (Event Log on Windows). +;error_log = syslog + +;windows.show_crt_warning +; Default value: 0 +; Development value: 0 +; Production value: 0 + +;;;;;;;;;;;;;;;;; +; Data Handling ; +;;;;;;;;;;;;;;;;; + +; The separator used in PHP generated URLs to separate arguments. +; PHP's default setting is "&". +; http://php.net/arg-separator.output +; Example: +;arg_separator.output = "&" + +; List of separator(s) used by PHP to parse input URLs into variables. +; PHP's default setting is "&". +; NOTE: Every character in this directive is considered as separator! +; http://php.net/arg-separator.input +; Example: +;arg_separator.input = ";&" + +; This directive determines which super global arrays are registered when PHP +; starts up. G,P,C,E & S are abbreviations for the following respective super +; globals: GET, POST, COOKIE, ENV and SERVER. There is a performance penalty +; paid for the registration of these arrays and because ENV is not as commonly +; used as the others, ENV is not recommended on productions servers. 
You +; can still get access to the environment variables through getenv() should you +; need to. +; Default Value: "EGPCS" +; Development Value: "GPCS" +; Production Value: "GPCS"; +; http://php.net/variables-order +variables_order = "GPCS" + +; This directive determines which super global data (G,P & C) should be +; registered into the super global array REQUEST. If so, it also determines +; the order in which that data is registered. The values for this directive +; are specified in the same manner as the variables_order directive, +; EXCEPT one. Leaving this value empty will cause PHP to use the value set +; in the variables_order directive. It does not mean it will leave the super +; globals array REQUEST empty. +; Default Value: None +; Development Value: "GP" +; Production Value: "GP" +; http://php.net/request-order +request_order = "GP" + +; This directive determines whether PHP registers $argv & $argc each time it +; runs. $argv contains an array of all the arguments passed to PHP when a script +; is invoked. $argc contains an integer representing the number of arguments +; that were passed when the script was invoked. These arrays are extremely +; useful when running scripts from the command line. When this directive is +; enabled, registering these variables consumes CPU cycles and memory each time +; a script is executed. For performance reasons, this feature should be disabled +; on production servers. +; Note: This directive is hardcoded to On for the CLI SAPI +; Default Value: On +; Development Value: Off +; Production Value: Off +; http://php.net/register-argc-argv +register_argc_argv = Off + +; When enabled, the ENV, REQUEST and SERVER variables are created when they're +; first used (Just In Time) instead of when the script starts. If these +; variables are not used within a script, having this directive on will result +; in a performance gain. The PHP directive register_argc_argv must be disabled +; for this directive to have any affect. 
+; http://php.net/auto-globals-jit +auto_globals_jit = On + +; Whether PHP will read the POST data. +; This option is enabled by default. +; Most likely, you won't want to disable this option globally. It causes $_POST +; and $_FILES to always be empty; the only way you will be able to read the +; POST data will be through the php://input stream wrapper. This can be useful +; to proxy requests or to process the POST data in a memory efficient fashion. +; http://php.net/enable-post-data-reading +;enable_post_data_reading = Off + +; Maximum size of POST data that PHP will accept. +; Its value may be 0 to disable the limit. It is ignored if POST data reading +; is disabled through enable_post_data_reading. +; http://php.net/post-max-size +post_max_size = 8M + +; Automatically add files before PHP document. +; http://php.net/auto-prepend-file +auto_prepend_file = + +; Automatically add files after PHP document. +; http://php.net/auto-append-file +auto_append_file = + +; By default, PHP will output a media type using the Content-Type header. To +; disable this, simply set it to be empty. +; +; PHP's built-in default media type is set to text/html. +; http://php.net/default-mimetype +default_mimetype = "text/html" + +; PHP's default character set is set to UTF-8. +; http://php.net/default-charset +default_charset = "UTF-8" + +; PHP internal character encoding is set to empty. +; If empty, default_charset is used. +; http://php.net/internal-encoding +;internal_encoding = + +; PHP input character encoding is set to empty. +; If empty, default_charset is used. +; http://php.net/input-encoding +;input_encoding = + +; PHP output character encoding is set to empty. +; If empty, default_charset is used. +; See also output_buffer. 
+; http://php.net/output-encoding +;output_encoding = + +;;;;;;;;;;;;;;;;;;;;;;;;; +; Paths and Directories ; +;;;;;;;;;;;;;;;;;;;;;;;;; + +; UNIX: "/path1:/path2" +;include_path = ".:/php/includes" +; +; Windows: "\path1;\path2" +;include_path = ".;c:\php\includes" +; +; PHP's default setting for include_path is ".;/path/to/php/pear" +; http://php.net/include-path + +; The root of the PHP pages, used only if nonempty. +; if PHP was not compiled with FORCE_REDIRECT, you SHOULD set doc_root +; if you are running php as a CGI under any web server (other than IIS) +; see documentation for security issues. The alternate is to use the +; cgi.force_redirect configuration below +; http://php.net/doc-root +doc_root = + +; The directory under which PHP opens the script using /~username used only +; if nonempty. +; http://php.net/user-dir +user_dir = + +; Directory in which the loadable extensions (modules) reside. +; http://php.net/extension-dir +; extension_dir = "./" +; On windows: +; extension_dir = "ext" + +; Directory where the temporary files should be placed. +; Defaults to the system default (see sys_get_temp_dir) +; sys_temp_dir = "/tmp" + +; Whether or not to enable the dl() function. The dl() function does NOT work +; properly in multithreaded servers, such as IIS or Zeus, and is automatically +; disabled on them. +; http://php.net/enable-dl +enable_dl = Off + +; cgi.force_redirect is necessary to provide security running PHP as a CGI under +; most web servers. Left undefined, PHP turns this on by default. You can +; turn it off here AT YOUR OWN RISK +; **You CAN safely turn this off for IIS, in fact, you MUST.** +; http://php.net/cgi.force-redirect +;cgi.force_redirect = 1 + +; if cgi.nph is enabled it will force cgi to always sent Status: 200 with +; every request. PHP's default behavior is to disable this feature. 
+;cgi.nph = 1 + +; if cgi.force_redirect is turned on, and you are not running under Apache or Netscape +; (iPlanet) web servers, you MAY need to set an environment variable name that PHP +; will look for to know it is OK to continue execution. Setting this variable MAY +; cause security issues, KNOW WHAT YOU ARE DOING FIRST. +; http://php.net/cgi.redirect-status-env +;cgi.redirect_status_env = + +; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's +; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok +; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting +; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting +; of zero causes PHP to behave as before. Default is 1. You should fix your scripts +; to use SCRIPT_FILENAME rather than PATH_TRANSLATED. +; http://php.net/cgi.fix-pathinfo +;cgi.fix_pathinfo=1 + +; if cgi.discard_path is enabled, the PHP CGI binary can safely be placed outside +; of the web tree and people will not be able to circumvent .htaccess security. +; http://php.net/cgi.dicard-path +;cgi.discard_path=1 + +; FastCGI under IIS (on WINNT based OS) supports the ability to impersonate +; security tokens of the calling client. This allows IIS to define the +; security context that the request runs under. mod_fastcgi under Apache +; does not currently support this feature (03/17/2002) +; Set to 1 if running under IIS. Default is zero. +; http://php.net/fastcgi.impersonate +;fastcgi.impersonate = 1 + +; Disable logging through FastCGI connection. PHP's default behavior is to enable +; this feature. +;fastcgi.logging = 0 + +; cgi.rfc2616_headers configuration option tells PHP what type of headers to +; use when sending HTTP response code. If set to 0, PHP sends Status: header that +; is supported by Apache. When this option is set to 1, PHP will send +; RFC2616 compliant header. +; Default is zero. 
+; http://php.net/cgi.rfc2616-headers +;cgi.rfc2616_headers = 0 + +; cgi.check_shebang_line controls whether CGI PHP checks for line starting with #! +; (shebang) at the top of the running script. This line might be needed if the +; script support running both as stand-alone script and via PHP CGI<. PHP in CGI +; mode skips this line and ignores its content if this directive is turned on. +; http://php.net/cgi.check-shebang-line +;cgi.check_shebang_line=1 + +;;;;;;;;;;;;;;;; +; File Uploads ; +;;;;;;;;;;;;;;;; + +; Whether to allow HTTP file uploads. +; http://php.net/file-uploads +file_uploads = On + +; Temporary directory for HTTP uploaded files (will use system default if not +; specified). +; http://php.net/upload-tmp-dir +;upload_tmp_dir = + +; Maximum allowed size for uploaded files. +; http://php.net/upload-max-filesize +upload_max_filesize = 2M + +; Maximum number of files that can be uploaded via a single request +max_file_uploads = 20 + +;;;;;;;;;;;;;;;;;; +; Fopen wrappers ; +;;;;;;;;;;;;;;;;;; + +; Whether to allow the treatment of URLs (like http:// or ftp://) as files. +; http://php.net/allow-url-fopen +allow_url_fopen = On + +; Whether to allow include/require to open URLs (like http:// or ftp://) as files. +; http://php.net/allow-url-include +allow_url_include = Off + +; Define the anonymous ftp password (your email address). PHP's default setting +; for this is empty. +; http://php.net/from +;from="john@doe.com" + +; Define the User-Agent string. PHP's default setting for this is empty. 
+; http://php.net/user-agent +;user_agent="PHP" + +; Default timeout for socket based streams (seconds) +; http://php.net/default-socket-timeout +default_socket_timeout = 60 + +; If your scripts have to deal with files from Macintosh systems, +; or you are running on a Mac and need to deal with files from +; unix or win32 systems, setting this flag will cause PHP to +; automatically detect the EOL character in those files so that +; fgets() and file() will work regardless of the source of the file. +; http://php.net/auto-detect-line-endings +;auto_detect_line_endings = Off + +;;;;;;;;;;;;;;;;;;;;;; +; Dynamic Extensions ; +;;;;;;;;;;;;;;;;;;;;;; + +; If you wish to have an extension loaded automatically, use the following +; syntax: +; +; extension=modulename +; +; For example: +; +; extension=mysqli +; +; When the extension library to load is not located in the default extension +; directory, You may specify an absolute path to the library file: +; +; extension=/path/to/extension/mysqli.so +; +; Note : The syntax used in previous PHP versions ('extension=.so' and +; 'extension='php_.dll') is supported for legacy reasons and may be +; deprecated in a future PHP major version. So, when it is possible, please +; move to the new ('extension=) syntax. +; +; Notes for Windows environments : +; +; - Many DLL files are located in the extensions/ (PHP 4) or ext/ (PHP 5+) +; extension folders as well as the separate PECL DLL download (PHP 5+). +; Be sure to appropriately set the extension_dir directive. 
+;
+;extension=bz2
+;extension=curl
+;extension=fileinfo
+;extension=gd2
+;extension=gettext
+;extension=gmp
+;extension=intl
+;extension=imap
+;extension=interbase
+;extension=ldap
+;extension=mbstring
+;extension=exif ; Must be after mbstring as it depends on it
+;extension=mysqli
+;extension=oci8_12c ; Use with Oracle Database 12c Instant Client
+;extension=odbc
+;extension=openssl
+;extension=pdo_firebird
+;extension=pdo_mysql
+;extension=pdo_oci
+;extension=pdo_odbc
+;extension=pdo_pgsql
+;extension=pdo_sqlite
+;extension=pgsql
+;extension=shmop
+
+; The MIBS data available in the PHP distribution must be installed.
+; See http://www.php.net/manual/en/snmp.installation.php
+;extension=snmp
+
+;extension=soap
+;extension=sockets
+;extension=sqlite3
+;extension=tidy
+;extension=xmlrpc
+;extension=xsl
+
+;;;;;;;;;;;;;;;;;;;
+; Module Settings ;
+;;;;;;;;;;;;;;;;;;;
+
+[CLI Server]
+; Whether the CLI web server uses ANSI color coding in its terminal output.
+cli_server.color = On
+
+[Date]
+; Defines the default timezone used by the date functions
+; http://php.net/date.timezone
+;date.timezone =
+
+; http://php.net/date.default-latitude
+;date.default_latitude = 31.7667
+
+; http://php.net/date.default-longitude
+;date.default_longitude = 35.2333
+
+; http://php.net/date.sunrise-zenith
+;date.sunrise_zenith = 90.583333
+
+; http://php.net/date.sunset-zenith
+;date.sunset_zenith = 90.583333
+
+[filter]
+; http://php.net/filter.default
+;filter.default = unsafe_raw
+
+; http://php.net/filter.default-flags
+;filter.default_flags =
+
+[iconv]
+; Use of this INI entry is deprecated, use global input_encoding instead.
+; If empty, default_charset or input_encoding or iconv.input_encoding is used.
+; The precedence is: default_charset < intput_encoding < iconv.input_encoding
+;iconv.input_encoding =
+
+; Use of this INI entry is deprecated, use global internal_encoding instead.
+; If empty, default_charset or internal_encoding or iconv.internal_encoding is used.
+; The precedence is: default_charset < internal_encoding < iconv.internal_encoding
+;iconv.internal_encoding =
+
+; Use of this INI entry is deprecated, use global output_encoding instead.
+; If empty, default_charset or output_encoding or iconv.output_encoding is used.
+; The precedence is: default_charset < output_encoding < iconv.output_encoding
+; To use an output encoding conversion, iconv's output handler must be set
+; otherwise output encoding conversion cannot be performed.
+;iconv.output_encoding =
+
+[imap]
+; rsh/ssh logins are disabled by default. Use this INI entry if you want to
+; enable them. Note that the IMAP library does not filter mailbox names before
+; passing them to rsh/ssh command, thus passing untrusted data to this function
+; with rsh/ssh enabled is insecure.
+;imap.enable_insecure_rsh=0
+
+[intl]
+;intl.default_locale =
+; This directive allows you to produce PHP errors when some error
+; happens within intl functions. The value is the level of the error produced.
+; Default is 0, which does not produce any errors.
+;intl.error_level = E_WARNING
+;intl.use_exceptions = 0
+
+[sqlite3]
+; Directory pointing to SQLite3 extensions
+; http://php.net/sqlite3.extension-dir
+;sqlite3.extension_dir =
+
+; SQLite defensive mode flag (only available from SQLite 3.26+)
+; When the defensive flag is enabled, language features that allow ordinary
+; SQL to deliberately corrupt the database file are disabled. This forbids
+; writing directly to the schema, shadow tables (eg. FTS data tables), or
+; the sqlite_dbpage virtual table.
+; https://www.sqlite.org/c3ref/c_dbconfig_defensive.html
+; (for older SQLite versions, this flag has no use)
+;sqlite3.defensive = 1
+
+[Pcre]
+;PCRE library backtracking limit.
+; http://php.net/pcre.backtrack-limit
+;pcre.backtrack_limit=100000
+
+;PCRE library recursion limit.
+;Please note that if you set this value to a high number you may consume all
+;the available process stack and eventually crash PHP (due to reaching the
+;stack size limit imposed by the Operating System).
+; http://php.net/pcre.recursion-limit
+;pcre.recursion_limit=100000
+
+;Enables or disables JIT compilation of patterns. This requires the PCRE
+;library to be compiled with JIT support.
+;pcre.jit=1
+
+[Pdo]
+; Whether to pool ODBC connections. Can be one of "strict", "relaxed" or "off"
+; http://php.net/pdo-odbc.connection-pooling
+;pdo_odbc.connection_pooling=strict
+
+;pdo_odbc.db2_instance_name
+
+[Pdo_mysql]
+; If mysqlnd is used: Number of cache slots for the internal result set cache
+; http://php.net/pdo_mysql.cache_size
+pdo_mysql.cache_size = 2000
+
+; Default socket name for local MySQL connects. If empty, uses the built-in
+; MySQL defaults.
+; http://php.net/pdo_mysql.default-socket
+pdo_mysql.default_socket=
+
+[Phar]
+; http://php.net/phar.readonly
+;phar.readonly = On
+
+; http://php.net/phar.require-hash
+;phar.require_hash = On
+
+;phar.cache_list =
+
+[mail function]
+; For Win32 only.
+; http://php.net/smtp
+SMTP = localhost
+; http://php.net/smtp-port
+smtp_port = 25
+
+; For Win32 only.
+; http://php.net/sendmail-from
+;sendmail_from = me@example.com
+
+; For Unix only. You may supply arguments as well (default: "sendmail -t -i").
+; http://php.net/sendmail-path
+;sendmail_path =
+
+; Force the addition of the specified parameters to be passed as extra parameters
+; to the sendmail binary. These parameters will always replace the value of
+; the 5th parameter to mail().
+;mail.force_extra_parameters =
+
+; Add X-PHP-Originating-Script: that will include uid of the script followed by the filename
+mail.add_x_header = Off
+
+; The path to a log file that will log all mail() calls. Log entries include
+; the full path of the script, line number, To address and headers.
+;mail.log =
+; Log mail to syslog (Event Log on Windows).
+;mail.log = syslog
+
+[ODBC]
+; http://php.net/odbc.default-db
+;odbc.default_db = Not yet implemented
+
+; http://php.net/odbc.default-user
+;odbc.default_user = Not yet implemented
+
+; http://php.net/odbc.default-pw
+;odbc.default_pw = Not yet implemented
+
+; Controls the ODBC cursor model.
+; Default: SQL_CURSOR_STATIC (default).
+;odbc.default_cursortype
+
+; Allow or prevent persistent links.
+; http://php.net/odbc.allow-persistent
+odbc.allow_persistent = On
+
+; Check that a connection is still valid before reuse.
+; http://php.net/odbc.check-persistent
+odbc.check_persistent = On
+
+; Maximum number of persistent links. -1 means no limit.
+; http://php.net/odbc.max-persistent
+odbc.max_persistent = -1
+
+; Maximum number of links (persistent + non-persistent). -1 means no limit.
+; http://php.net/odbc.max-links
+odbc.max_links = -1
+
+; Handling of LONG fields. Returns number of bytes to variables. 0 means
+; passthru.
+; http://php.net/odbc.defaultlrl
+odbc.defaultlrl = 4096
+
+; Handling of binary data. 0 means passthru, 1 return as is, 2 convert to char.
+; See the documentation on odbc_binmode and odbc_longreadlen for an explanation
+; of odbc.defaultlrl and odbc.defaultbinmode
+; http://php.net/odbc.defaultbinmode
+odbc.defaultbinmode = 1
+
+;birdstep.max_links = -1
+
+[Interbase]
+; Allow or prevent persistent links.
+ibase.allow_persistent = 1
+
+; Maximum number of persistent links. -1 means no limit.
+ibase.max_persistent = -1
+
+; Maximum number of links (persistent + non-persistent). -1 means no limit.
+ibase.max_links = -1
+
+; Default database name for ibase_connect().
+;ibase.default_db =
+
+; Default username for ibase_connect().
+;ibase.default_user =
+
+; Default password for ibase_connect().
+;ibase.default_password =
+
+; Default charset for ibase_connect().
+;ibase.default_charset =
+
+; Default timestamp format.
+ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
+
+; Default date format.
+ibase.dateformat = "%Y-%m-%d"
+
+; Default time format.
+ibase.timeformat = "%H:%M:%S"
+
+[MySQLi]
+
+; Maximum number of persistent links. -1 means no limit.
+; http://php.net/mysqli.max-persistent
+mysqli.max_persistent = -1
+
+; Allow accessing, from PHP's perspective, local files with LOAD DATA statements
+; http://php.net/mysqli.allow_local_infile
+;mysqli.allow_local_infile = On
+
+; Allow or prevent persistent links.
+; http://php.net/mysqli.allow-persistent
+mysqli.allow_persistent = On
+
+; Maximum number of links. -1 means no limit.
+; http://php.net/mysqli.max-links
+mysqli.max_links = -1
+
+; If mysqlnd is used: Number of cache slots for the internal result set cache
+; http://php.net/mysqli.cache_size
+mysqli.cache_size = 2000
+
+; Default port number for mysqli_connect(). If unset, mysqli_connect() will use
+; the $MYSQL_TCP_PORT or the mysql-tcp entry in /etc/services or the
+; compile-time value defined MYSQL_PORT (in that order). Win32 will only look
+; at MYSQL_PORT.
+; http://php.net/mysqli.default-port
+mysqli.default_port = 3306
+
+; Default socket name for local MySQL connects. If empty, uses the built-in
+; MySQL defaults.
+; http://php.net/mysqli.default-socket
+mysqli.default_socket =
+
+; Default host for mysql_connect() (doesn't apply in safe mode).
+; http://php.net/mysqli.default-host
+mysqli.default_host =
+
+; Default user for mysql_connect() (doesn't apply in safe mode).
+; http://php.net/mysqli.default-user
+mysqli.default_user =
+
+; Default password for mysqli_connect() (doesn't apply in safe mode).
+; Note that this is generally a *bad* idea to store passwords in this file.
+; *Any* user with PHP access can run 'echo get_cfg_var("mysqli.default_pw")
+; and reveal this password! And of course, any users with read access to this
+; file will be able to reveal the password as well.
+; http://php.net/mysqli.default-pw
+mysqli.default_pw =
+
+; Allow or prevent reconnect
+mysqli.reconnect = Off
+
+[mysqlnd]
+; Enable / Disable collection of general statistics by mysqlnd which can be
+; used to tune and monitor MySQL operations.
+; http://php.net/mysqlnd.collect_statistics
+mysqlnd.collect_statistics = On
+
+; Enable / Disable collection of memory usage statistics by mysqlnd which can be
+; used to tune and monitor MySQL operations.
+; http://php.net/mysqlnd.collect_memory_statistics
+mysqlnd.collect_memory_statistics = Off
+
+; Records communication from all extensions using mysqlnd to the specified log
+; file.
+; http://php.net/mysqlnd.debug
+;mysqlnd.debug =
+
+; Defines which queries will be logged.
+; http://php.net/mysqlnd.log_mask
+;mysqlnd.log_mask = 0
+
+; Default size of the mysqlnd memory pool, which is used by result sets.
+; http://php.net/mysqlnd.mempool_default_size
+;mysqlnd.mempool_default_size = 16000
+
+; Size of a pre-allocated buffer used when sending commands to MySQL in bytes.
+; http://php.net/mysqlnd.net_cmd_buffer_size
+;mysqlnd.net_cmd_buffer_size = 2048
+
+; Size of a pre-allocated buffer used for reading data sent by the server in
+; bytes.
+; http://php.net/mysqlnd.net_read_buffer_size
+;mysqlnd.net_read_buffer_size = 32768
+
+; Timeout for network requests in seconds.
+; http://php.net/mysqlnd.net_read_timeout
+;mysqlnd.net_read_timeout = 31536000
+
+; SHA-256 Authentication Plugin related. File with the MySQL server public RSA
+; key.
+; http://php.net/mysqlnd.sha256_server_public_key
+;mysqlnd.sha256_server_public_key =
+
+[OCI8]
+
+; Connection: Enables privileged connections using external
+; credentials (OCI_SYSOPER, OCI_SYSDBA)
+; http://php.net/oci8.privileged-connect
+;oci8.privileged_connect = Off
+
+; Connection: The maximum number of persistent OCI8 connections per
+; process. Using -1 means no limit.
+; http://php.net/oci8.max-persistent
+;oci8.max_persistent = -1
+
+; Connection: The maximum number of seconds a process is allowed to
+; maintain an idle persistent connection. Using -1 means idle
+; persistent connections will be maintained forever.
+; http://php.net/oci8.persistent-timeout
+;oci8.persistent_timeout = -1
+
+; Connection: The number of seconds that must pass before issuing a
+; ping during oci_pconnect() to check the connection validity. When
+; set to 0, each oci_pconnect() will cause a ping. Using -1 disables
+; pings completely.
+; http://php.net/oci8.ping-interval
+;oci8.ping_interval = 60
+
+; Connection: Set this to a user chosen connection class to be used
+; for all pooled server requests with Oracle 11g Database Resident
+; Connection Pooling (DRCP). To use DRCP, this value should be set to
+; the same string for all web servers running the same application,
+; the database pool must be configured, and the connection string must
+; specify to use a pooled server.
+;oci8.connection_class =
+
+; High Availability: Using On lets PHP receive Fast Application
+; Notification (FAN) events generated when a database node fails. The
+; database must also be configured to post FAN events.
+;oci8.events = Off
+
+; Tuning: This option enables statement caching, and specifies how
+; many statements to cache. Using 0 disables statement caching.
+; http://php.net/oci8.statement-cache-size
+;oci8.statement_cache_size = 20
+
+; Tuning: Enables statement prefetching and sets the default number of
+; rows that will be fetched automatically after statement execution.
+; http://php.net/oci8.default-prefetch
+;oci8.default_prefetch = 100
+
+; Compatibility. Using On means oci_close() will not close
+; oci_connect() and oci_new_connect() connections.
+; http://php.net/oci8.old-oci-close-semantics
+;oci8.old_oci_close_semantics = Off
+
+[PostgreSQL]
+; Allow or prevent persistent links.
+; http://php.net/pgsql.allow-persistent
+pgsql.allow_persistent = On
+
+; Detect broken persistent links always with pg_pconnect().
+; Auto reset feature requires a little overheads.
+; http://php.net/pgsql.auto-reset-persistent
+pgsql.auto_reset_persistent = Off
+
+; Maximum number of persistent links. -1 means no limit.
+; http://php.net/pgsql.max-persistent
+pgsql.max_persistent = -1
+
+; Maximum number of links (persistent+non persistent). -1 means no limit.
+; http://php.net/pgsql.max-links
+pgsql.max_links = -1
+
+; Ignore PostgreSQL backends Notice message or not.
+; Notice message logging require a little overheads.
+; http://php.net/pgsql.ignore-notice
+pgsql.ignore_notice = 0
+
+; Log PostgreSQL backends Notice message or not.
+; Unless pgsql.ignore_notice=0, module cannot log notice message.
+; http://php.net/pgsql.log-notice
+pgsql.log_notice = 0
+
+[bcmath]
+; Number of decimal digits for all bcmath functions.
+; http://php.net/bcmath.scale
+bcmath.scale = 0
+
+[browscap]
+; http://php.net/browscap
+;browscap = extra/browscap.ini
+
+[Session]
+; Handler used to store/retrieve data.
+; http://php.net/session.save-handler
+session.save_handler = redis
+session.save_path = "tcp://redis:6379?database=0"
+
+; Argument passed to save_handler. In the case of files, this is the path
+; where data files are stored. Note: Windows users have to change this
+; variable in order to use PHP's session functions.
+;
+; The path can be defined as:
+;
+; session.save_path = "N;/path"
+;
+; where N is an integer. Instead of storing all the session files in
+; /path, what this will do is use subdirectories N-levels deep, and
+; store the session data in those directories. This is useful if
+; your OS has problems with many files in one directory, and is
+; a more efficient layout for servers that handle many sessions.
+;
+; NOTE 1: PHP will not create this directory structure automatically.
+; You can use the script in the ext/session dir for that purpose.
+; NOTE 2: See the section on garbage collection below if you choose to
+; use subdirectories for session storage
+;
+; The file storage module creates files using mode 600 by default.
+; You can change that by using
+;
+; session.save_path = "N;MODE;/path"
+;
+; where MODE is the octal representation of the mode. Note that this
+; does not overwrite the process's umask.
+; http://php.net/session.save-path
+;session.save_path = "/tmp"
+
+; Whether to use strict session mode.
+; Strict session mode does not accept uninitialized session ID and regenerate
+; session ID if browser sends uninitialized session ID. Strict mode protects
+; applications from session fixation via session adoption vulnerability. It is
+; disabled by default for maximum compatibility, but enabling it is encouraged.
+; https://wiki.php.net/rfc/strict_sessions
+session.use_strict_mode = 0
+
+; Whether to use cookies.
+; http://php.net/session.use-cookies
+session.use_cookies = 1
+
+; http://php.net/session.cookie-secure
+;session.cookie_secure =
+
+; This option forces PHP to fetch and use a cookie for storing and maintaining
+; the session id. We encourage this operation as it's very helpful in combating
+; session hijacking when not specifying and managing your own session id. It is
+; not the be-all and end-all of session hijacking defense, but it's a good start.
+; http://php.net/session.use-only-cookies
+session.use_only_cookies = 1
+
+; Name of the session (used as cookie name).
+; http://php.net/session.name
+session.name = PHPSESSID
+
+; Initialize session on request startup.
+; http://php.net/session.auto-start
+session.auto_start = 0
+
+; Lifetime in seconds of cookie or, if 0, until browser is restarted.
+; http://php.net/session.cookie-lifetime
+session.cookie_lifetime = 0
+
+; The path for which the cookie is valid.
+; http://php.net/session.cookie-path
+session.cookie_path = /
+
+; The domain for which the cookie is valid.
+; http://php.net/session.cookie-domain
+session.cookie_domain =
+
+; Whether or not to add the httpOnly flag to the cookie, which makes it inaccessible to browser scripting languages such as JavaScript.
+; http://php.net/session.cookie-httponly
+session.cookie_httponly =
+
+; Handler used to serialize data. php is the standard serializer of PHP.
+; http://php.net/session.serialize-handler
+session.serialize_handler = php
+
+; Defines the probability that the 'garbage collection' process is started
+; on every session initialization. The probability is calculated by using
+; gc_probability/gc_divisor. Where session.gc_probability is the numerator
+; and gc_divisor is the denominator in the equation. Setting this value to 1
+; when the session.gc_divisor value is 100 will give you approximately a 1% chance
+; the gc will run on any give request.
+; Default Value: 1
+; Development Value: 1
+; Production Value: 1
+; http://php.net/session.gc-probability
+session.gc_probability = 1
+
+; Defines the probability that the 'garbage collection' process is started on every
+; session initialization. The probability is calculated by using the following equation:
+; gc_probability/gc_divisor. Where session.gc_probability is the numerator and
+; session.gc_divisor is the denominator in the equation. Setting this value to 1
+; when the session.gc_divisor value is 100 will give you approximately a 1% chance
+; the gc will run on any give request. Increasing this value to 1000 will give you
+; a 0.1% chance the gc will run on any give request. For high volume production servers,
+; this is a more efficient approach.
+; Default Value: 100
+; Development Value: 1000
+; Production Value: 1000
+; http://php.net/session.gc-divisor
+session.gc_divisor = 1000
+
+; After this number of seconds, stored data will be seen as 'garbage' and
+; cleaned up by the garbage collection process.
+; http://php.net/session.gc-maxlifetime
+session.gc_maxlifetime = 1440
+
+; NOTE: If you are using the subdirectory option for storing session files
+; (see session.save_path above), then garbage collection does *not*
+; happen automatically. You will need to do your own garbage
+; collection through a shell script, cron entry, or some other method.
+; For example, the following script would is the equivalent of
+; setting session.gc_maxlifetime to 1440 (1440 seconds = 24 minutes):
+; find /path/to/sessions -cmin +24 -type f | xargs rm
+
+; Check HTTP Referer to invalidate externally stored URLs containing ids.
+; HTTP_REFERER has to contain this substring for the session to be
+; considered as valid.
+; http://php.net/session.referer-check
+session.referer_check =
+
+; Set to {nocache,private,public,} to determine HTTP caching aspects
+; or leave this empty to avoid sending anti-caching headers.
+; http://php.net/session.cache-limiter
+session.cache_limiter = nocache
+
+; Document expires after n minutes.
+; http://php.net/session.cache-expire
+session.cache_expire = 180
+
+; trans sid support is disabled by default.
+; Use of trans sid may risk your users' security.
+; Use this option with caution.
+; - User may send URL contains active session ID
+; to other person via. email/irc/etc.
+; - URL that contains active session ID may be stored
+; in publicly accessible computer.
+; - User may access your site with the same session ID
+; always using URL stored in browser's history or bookmarks.
+; http://php.net/session.use-trans-sid
+session.use_trans_sid = 0
+
+; Set session ID character length. This value could be between 22 to 256.
+; Shorter length than default is supported only for compatibility reason.
+; Users should use 32 or more chars.
+; http://php.net/session.sid-length
+; Default Value: 32
+; Development Value: 26
+; Production Value: 26
+session.sid_length = 26
+
+; The URL rewriter will look for URLs in a defined set of HTML tags.
+; is special; if you include them here, the rewriter will
+; add a hidden field with the info which is otherwise appended
+; to URLs. tag's action attribute URL will not be modified
+; unless it is specified.
+; Note that all valid entries require a "=", even if no value follows.
+; Default Value: "a=href,area=href,frame=src,form="
+; Development Value: "a=href,area=href,frame=src,form="
+; Production Value: "a=href,area=href,frame=src,form="
+; http://php.net/url-rewriter.tags
+session.trans_sid_tags = "a=href,area=href,frame=src,form="
+
+; URL rewriter does not rewrite absolute URLs by default.
+; To enable rewrites for absolute pathes, target hosts must be specified
+; at RUNTIME. i.e. use ini_set()
+; tags is special. PHP will check action attribute's URL regardless
+; of session.trans_sid_tags setting.
+; If no host is defined, HTTP_HOST will be used for allowed host.
+; Example value: php.net,www.php.net,wiki.php.net
+; Use "," for multiple hosts. No spaces are allowed.
+; Default Value: ""
+; Development Value: ""
+; Production Value: ""
+;session.trans_sid_hosts=""
+
+; Define how many bits are stored in each character when converting
+; the binary hash data to something readable.
+; Possible values:
+; 4 (4 bits: 0-9, a-f)
+; 5 (5 bits: 0-9, a-v)
+; 6 (6 bits: 0-9, a-z, A-Z, "-", ",")
+; Default Value: 4
+; Development Value: 5
+; Production Value: 5
+; http://php.net/session.hash-bits-per-character
+session.sid_bits_per_character = 5
+
+; Enable upload progress tracking in $_SESSION
+; Default Value: On
+; Development Value: On
+; Production Value: On
+; http://php.net/session.upload-progress.enabled
+;session.upload_progress.enabled = On
+
+; Cleanup the progress information as soon as all POST data has been read
+; (i.e. upload completed).
+; Default Value: On
+; Development Value: On
+; Production Value: On
+; http://php.net/session.upload-progress.cleanup
+;session.upload_progress.cleanup = On
+
+; A prefix used for the upload progress key in $_SESSION
+; Default Value: "upload_progress_"
+; Development Value: "upload_progress_"
+; Production Value: "upload_progress_"
+; http://php.net/session.upload-progress.prefix
+;session.upload_progress.prefix = "upload_progress_"
+
+; The index name (concatenated with the prefix) in $_SESSION
+; containing the upload progress information
+; Default Value: "PHP_SESSION_UPLOAD_PROGRESS"
+; Development Value: "PHP_SESSION_UPLOAD_PROGRESS"
+; Production Value: "PHP_SESSION_UPLOAD_PROGRESS"
+; http://php.net/session.upload-progress.name
+;session.upload_progress.name = "PHP_SESSION_UPLOAD_PROGRESS"
+
+; How frequently the upload progress should be updated.
+; Given either in percentages (per-file), or in bytes
+; Default Value: "1%"
+; Development Value: "1%"
+; Production Value: "1%"
+; http://php.net/session.upload-progress.freq
+;session.upload_progress.freq = "1%"
+
+; The minimum delay between updates, in seconds
+; Default Value: 1
+; Development Value: 1
+; Production Value: 1
+; http://php.net/session.upload-progress.min-freq
+;session.upload_progress.min_freq = "1"
+
+; Only write session data when session data is changed. Enabled by default.
+; http://php.net/session.lazy-write
+;session.lazy_write = On
+
+[Assertion]
+; Switch whether to compile assertions at all (to have no overhead at run-time)
+; -1: Do not compile at all
+; 0: Jump over assertion at run-time
+; 1: Execute assertions
+; Changing from or to a negative value is only possible in php.ini! (For turning assertions on and off at run-time, see assert.active, when zend.assertions = 1)
+; Default Value: 1
+; Development Value: 1
+; Production Value: -1
+; http://php.net/zend.assertions
+zend.assertions = -1
+
+; Assert(expr); active by default.
+; http://php.net/assert.active
+;assert.active = On
+
+; Throw an AssertationException on failed assertions
+; http://php.net/assert.exception
+;assert.exception = On
+
+; Issue a PHP warning for each failed assertion. (Overridden by assert.exception if active)
+; http://php.net/assert.warning
+;assert.warning = On
+
+; Don't bail out by default.
+; http://php.net/assert.bail
+;assert.bail = Off
+
+; User-function to be called if an assertion fails.
+; http://php.net/assert.callback
+;assert.callback = 0
+
+; Eval the expression with current error_reporting(). Set to true if you want
+; error_reporting(0) around the eval().
+; http://php.net/assert.quiet-eval
+;assert.quiet_eval = 0
+
+[COM]
+; path to a file containing GUIDs, IIDs or filenames of files with TypeLibs
+; http://php.net/com.typelib-file
+;com.typelib_file =
+
+; allow Distributed-COM calls
+; http://php.net/com.allow-dcom
+;com.allow_dcom = true
+
+; autoregister constants of a components typlib on com_load()
+; http://php.net/com.autoregister-typelib
+;com.autoregister_typelib = true
+
+; register constants casesensitive
+; http://php.net/com.autoregister-casesensitive
+;com.autoregister_casesensitive = false
+
+; show warnings on duplicate constant registrations
+; http://php.net/com.autoregister-verbose
+;com.autoregister_verbose = true
+
+; The default character set code-page to use when passing strings to and from COM objects.
+; Default: system ANSI code page
+;com.code_page=
+
+[mbstring]
+; language for internal character representation.
+; This affects mb_send_mail() and mbstring.detect_order.
+; http://php.net/mbstring.language
+;mbstring.language = Japanese
+
+; Use of this INI entry is deprecated, use global internal_encoding instead.
+; internal/script encoding.
+; Some encoding cannot work as internal encoding. (e.g. SJIS, BIG5, ISO-2022-*)
+; If empty, default_charset or internal_encoding or iconv.internal_encoding is used.
+; The precedence is: default_charset < internal_encoding < iconv.internal_encoding
+;mbstring.internal_encoding =
+
+; Use of this INI entry is deprecated, use global input_encoding instead.
+; http input encoding.
+; mbstring.encoding_traslation = On is needed to use this setting.
+; If empty, default_charset or input_encoding or mbstring.input is used.
+; The precedence is: default_charset < intput_encoding < mbsting.http_input
+; http://php.net/mbstring.http-input
+;mbstring.http_input =
+
+; Use of this INI entry is deprecated, use global output_encoding instead.
+; http output encoding.
+; mb_output_handler must be registered as output buffer to function.
+; If empty, default_charset or output_encoding or mbstring.http_output is used.
+; The precedence is: default_charset < output_encoding < mbstring.http_output
+; To use an output encoding conversion, mbstring's output handler must be set
+; otherwise output encoding conversion cannot be performed.
+; http://php.net/mbstring.http-output
+;mbstring.http_output =
+
+; enable automatic encoding translation according to
+; mbstring.internal_encoding setting. Input chars are
+; converted to internal encoding by setting this to On.
+; Note: Do _not_ use automatic encoding translation for
+; portable libs/applications.
+; http://php.net/mbstring.encoding-translation
+;mbstring.encoding_translation = Off
+
+; automatic encoding detection order.
+; "auto" detect order is changed according to mbstring.language
+; http://php.net/mbstring.detect-order
+;mbstring.detect_order = auto
+
+; substitute_character used when character cannot be converted
+; one from another
+; http://php.net/mbstring.substitute-character
+;mbstring.substitute_character = none
+
+; overload(replace) single byte functions by mbstring functions.
+; mail(), ereg(), etc are overloaded by mb_send_mail(), mb_ereg(),
+; etc. Possible values are 0,1,2,4 or combination of them.
+; For example, 7 for overload everything.
+; 0: No overload
+; 1: Overload mail() function
+; 2: Overload str*() functions
+; 4: Overload ereg*() functions
+; http://php.net/mbstring.func-overload
+;mbstring.func_overload = 0
+
+; enable strict encoding detection.
+; Default: Off
+;mbstring.strict_detection = On
+
+; This directive specifies the regex pattern of content types for which mb_output_handler()
+; is activated.
+; Default: mbstring.http_output_conv_mimetype=^(text/|application/xhtml\+xml)
+;mbstring.http_output_conv_mimetype=
+
+[gd]
+; Tell the jpeg decode to ignore warnings and try to create
+; a gd image. The warning will then be displayed as notices
+; disabled by default
+; http://php.net/gd.jpeg-ignore-warning
+;gd.jpeg_ignore_warning = 1
+
+[exif]
+; Exif UNICODE user comments are handled as UCS-2BE/UCS-2LE and JIS as JIS.
+; With mbstring support this will automatically be converted into the encoding
+; given by corresponding encode setting. When empty mbstring.internal_encoding
+; is used. For the decode settings you can distinguish between motorola and
+; intel byte order. A decode setting cannot be empty.
+; http://php.net/exif.encode-unicode
+;exif.encode_unicode = ISO-8859-15
+
+; http://php.net/exif.decode-unicode-motorola
+;exif.decode_unicode_motorola = UCS-2BE
+
+; http://php.net/exif.decode-unicode-intel
+;exif.decode_unicode_intel = UCS-2LE
+
+; http://php.net/exif.encode-jis
+;exif.encode_jis =
+
+; http://php.net/exif.decode-jis-motorola
+;exif.decode_jis_motorola = JIS
+
+; http://php.net/exif.decode-jis-intel
+;exif.decode_jis_intel = JIS
+
+[Tidy]
+; The path to a default tidy configuration file to use when using tidy
+; http://php.net/tidy.default-config
+;tidy.default_config = /usr/local/lib/php/default.tcfg
+
+; Should tidy clean and repair output automatically?
+; WARNING: Do not use this option if you are generating non-html content
+; such as dynamic images
+; http://php.net/tidy.clean-output
+tidy.clean_output = Off
+
+[soap]
+; Enables or disables WSDL caching feature.
+; http://php.net/soap.wsdl-cache-enabled
+soap.wsdl_cache_enabled=1
+
+; Sets the directory name where SOAP extension will put cache files.
+; http://php.net/soap.wsdl-cache-dir
+soap.wsdl_cache_dir="/tmp"
+
+; (time to live) Sets the number of second while cached file will be used
+; instead of original one.
+; http://php.net/soap.wsdl-cache-ttl
+soap.wsdl_cache_ttl=86400
+
+; Sets the size of the cache limit. (Max. number of WSDL files to cache)
+soap.wsdl_cache_limit = 5
+
+[sysvshm]
+; A default size of the shared memory segment
+;sysvshm.init_mem = 10000
+
+[ldap]
+; Sets the maximum number of open links or -1 for unlimited.
+ldap.max_links = -1
+
+[dba]
+;dba.default_handler=
+
+[opcache]
+; Determines if Zend OPCache is enabled
+;opcache.enable=1
+
+; Determines if Zend OPCache is enabled for the CLI version of PHP
+;opcache.enable_cli=0
+
+; The OPcache shared memory storage size.
+;opcache.memory_consumption=128
+
+; The amount of memory for interned strings in Mbytes.
+;opcache.interned_strings_buffer=8
+
+; The maximum number of keys (scripts) in the OPcache hash table.
+; Only numbers between 200 and 1000000 are allowed.
+;opcache.max_accelerated_files=10000
+
+; The maximum percentage of "wasted" memory until a restart is scheduled.
+;opcache.max_wasted_percentage=5
+
+; When this directive is enabled, the OPcache appends the current working
+; directory to the script key, thus eliminating possible collisions between
+; files with the same name (basename). Disabling the directive improves
+; performance, but may break existing applications.
+;opcache.use_cwd=1
+
+; When disabled, you must reset the OPcache manually or restart the
+; webserver for changes to the filesystem to take effect.
+;opcache.validate_timestamps=1 + +; How often (in seconds) to check file timestamps for changes to the shared +; memory storage allocation. ("1" means validate once per second, but only +; once per request. "0" means always validate) +;opcache.revalidate_freq=2 + +; Enables or disables file search in include_path optimization +;opcache.revalidate_path=0 + +; If disabled, all PHPDoc comments are dropped from the code to reduce the +; size of the optimized code. +;opcache.save_comments=1 + +; Allow file existence override (file_exists, etc.) performance feature. +;opcache.enable_file_override=0 + +; A bitmask, where each bit enables or disables the appropriate OPcache +; passes +;opcache.optimization_level=0xffffffff + +;opcache.inherited_hack=1 +;opcache.dups_fix=0 + +; The location of the OPcache blacklist file (wildcards allowed). +; Each OPcache blacklist file is a text file that holds the names of files +; that should not be accelerated. The file format is to add each filename +; to a new line. The filename may be a full path or just a file prefix +; (i.e., /var/www/x blacklists all the files and directories in /var/www +; that start with 'x'). Line starting with a ; are ignored (comments). +;opcache.blacklist_filename= + +; Allows exclusion of large files from being cached. By default all files +; are cached. +;opcache.max_file_size=0 + +; Check the cache checksum each N requests. +; The default value of "0" means that the checks are disabled. +;opcache.consistency_checks=0 + +; How long to wait (in seconds) for a scheduled restart to begin if the cache +; is not being accessed. +;opcache.force_restart_timeout=180 + +; OPcache error_log file name. Empty string assumes "stderr". +;opcache.error_log= + +; All OPcache errors go to the Web server log. +; By default, only fatal errors (level 0) or errors (level 1) are logged. +; You can also enable warnings (level 2), info messages (level 3) or +; debug messages (level 4). 
+;opcache.log_verbosity_level=1 + +; Preferred Shared Memory back-end. Leave empty and let the system decide. +;opcache.preferred_memory_model= + +; Protect the shared memory from unexpected writing during script execution. +; Useful for internal debugging only. +;opcache.protect_memory=0 + +; Allows calling OPcache API functions only from PHP scripts which path is +; started from specified string. The default "" means no restriction +;opcache.restrict_api= + +; Mapping base of shared memory segments (for Windows only). All the PHP +; processes have to map shared memory into the same address space. This +; directive allows to manually fix the "Unable to reattach to base address" +; errors. +;opcache.mmap_base= + +; Enables and sets the second level cache directory. +; It should improve performance when SHM memory is full, at server restart or +; SHM reset. The default "" disables file based caching. +;opcache.file_cache= + +; Enables or disables opcode caching in shared memory. +;opcache.file_cache_only=0 + +; Enables or disables checksum validation when script loaded from file cache. +;opcache.file_cache_consistency_checks=1 + +; Implies opcache.file_cache_only=1 for a certain process that failed to +; reattach to the shared memory (for Windows only). Explicitly enabled file +; cache is required. +;opcache.file_cache_fallback=1 + +; Enables or disables copying of PHP code (text segment) into HUGE PAGES. +; This should improve performance, but requires appropriate OS configuration. +;opcache.huge_code_pages=1 + +; Validate cached file permissions. +;opcache.validate_permission=0 + +; Prevent name collisions in chroot'ed environment. +;opcache.validate_root=0 + +; If specified, it produces opcode dumps for debugging different stages of +; optimizations. +;opcache.opt_debug_level=0 + +[curl] +; A default value for the CURLOPT_CAINFO option. This is required to be an +; absolute path. 
+;curl.cainfo = + +[openssl] +; The location of a Certificate Authority (CA) file on the local filesystem +; to use when verifying the identity of SSL/TLS peers. Most users should +; not specify a value for this directive as PHP will attempt to use the +; OS-managed cert stores in its absence. If specified, this value may still +; be overridden on a per-stream basis via the "cafile" SSL stream context +; option. +;openssl.cafile= + +; If openssl.cafile is not specified or if the CA file is not found, the +; directory pointed to by openssl.capath is searched for a suitable +; certificate. This value must be a correctly hashed certificate directory. +; Most users should not specify a value for this directive as PHP will +; attempt to use the OS-managed cert stores in its absence. If specified, +; this value may still be overridden on a per-stream basis via the "capath" +; SSL stream context option. +;openssl.capath= + +; Local Variables: +; tab-width: 4 +; End: diff --git a/.docker/php/www.conf b/.docker/php/www.conf new file mode 100644 index 000000000..dec22e290 --- /dev/null +++ b/.docker/php/www.conf 
@@ -0,0 +1,417 @@
+; Start a new pool named 'www'.
+; the variable $pool can we used in any directive and will be replaced by the
+; pool name ('www' here)
+[www]
+
+; Per pool prefix
+; It only applies on the following directives:
+; - 'access.log'
+; - 'slowlog'
+; - 'listen' (unixsocket)
+; - 'chroot'
+; - 'chdir'
+; - 'php_values'
+; - 'php_admin_values'
+; When not set, the global prefix (or NONE) applies instead.
+; Note: This directive can also be relative to the global prefix.
+; Default Value: none
+;prefix = /path/to/pools/$pool
+
+; Unix user/group of processes
+; Note: The user is mandatory. If the group is not set, the default user's group
+; will be used.
+user = www-data
+group = www-data
+
+; The address on which to accept FastCGI requests.
+; Valid syntaxes are:
+; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
+; a specific port;
+; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
+; a specific port;
+; 'port' - to listen on a TCP socket to all addresses
+; (IPv6 and IPv4-mapped) on a specific port;
+; '/path/to/unix/socket' - to listen on a unix socket.
+; Note: This value is mandatory.
+listen = 9000
+
+; Set listen(2) backlog.
+; Default Value: 511 (-1 on FreeBSD and OpenBSD)
+;listen.backlog = 511
+
+; Set permissions for unix socket, if one is used. In Linux, read/write
+; permissions must be set in order to allow connections from a web server. Many
+; BSD-derived systems allow connections regardless of permissions.
+; Default Values: user and group are set as the running user
+; mode is set to 0660
+listen.owner = www-data
+listen.group = www-data
+listen.mode = 0750
+; When POSIX Access Control Lists are supported you can set them using
+; these options, value is a comma separated list of user/group names.
+; When set, listen.owner and listen.group are ignored
+;listen.acl_users =
+;listen.acl_groups =
+
+; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
+; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
+; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
+; must be separated by a comma. If this value is left blank, connections will be
+; accepted from any ip address.
+; Default Value: any
+;listen.allowed_clients = 127.0.0.1
+
+; Specify the nice(2) priority to apply to the pool processes (only if set)
+; The value can vary from -19 (highest priority) to 20 (lower priority)
+; Note: - It will only work if the FPM master process is launched as root
+; - The pool processes will inherit the master process priority
+; unless it specified otherwise
+; Default Value: no set
+; process.priority = -19
+
+; Choose how the process manager will control the number of child processes.
+; Possible Values:
+; static - a fixed number (pm.max_children) of child processes;
+; dynamic - the number of child processes are set dynamically based on the
+; following directives. With this process management, there will be
+; always at least 1 children.
+; pm.max_children - the maximum number of children that can
+; be alive at the same time.
+; pm.start_servers - the number of children created on startup.
+; pm.min_spare_servers - the minimum number of children in 'idle'
+; state (waiting to process). If the number
+; of 'idle' processes is less than this
+; number then some children will be created.
+; pm.max_spare_servers - the maximum number of children in 'idle'
+; state (waiting to process). If the number
+; of 'idle' processes is greater than this
+; number then some children will be killed.
+; ondemand - no children are created at startup. Children will be forked when
+; new requests will connect. The following parameter are used:
+; pm.max_children - the maximum number of children that
+; can be alive at the same time.
+; pm.process_idle_timeout - The number of seconds after which
+; an idle process will be killed.
+; Note: This value is mandatory.
+pm = dynamic
+
+; The number of child processes to be created when pm is set to 'static' and the
+; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
+; This value sets the limit on the number of simultaneous requests that will be
+; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
+; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
+; CGI. The below defaults are based on a server without much resources. Don't
+; forget to tweak pm.* to fit your needs.
+; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
+; Note: This value is mandatory.
+pm.max_children = 9
+
+; The number of child processes created on startup.
+; Note: Used only when pm is set to 'dynamic'
+; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
+pm.start_servers = 3
+
+; The desired minimum number of idle server processes.
+; Note: Used only when pm is set to 'dynamic'
+; Note: Mandatory when pm is set to 'dynamic'
+pm.min_spare_servers = 2
+
+; The desired maximum number of idle server processes.
+; Note: Used only when pm is set to 'dynamic'
+; Note: Mandatory when pm is set to 'dynamic'
+pm.max_spare_servers = 4
+
+; The number of seconds after which an idle process will be killed.
+; Note: Used only when pm is set to 'ondemand'
+; Default Value: 10s
+;pm.process_idle_timeout = 10s;
+
+; The number of requests each child process should execute before respawning.
+; This can be useful to work around memory leaks in 3rd party libraries. For
+; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
+; Default Value: 0
+pm.max_requests = 500
+
+; The URI to view the FPM status page. If this value is not set, no URI will be
+; recognized as a status page. It shows the following informations:
+; pool - the name of the pool;
+; process manager - static, dynamic or ondemand;
+; start time - the date and time FPM has started;
+; start since - number of seconds since FPM has started;
+; accepted conn - the number of request accepted by the pool;
+; listen queue - the number of request in the queue of pending
+; connections (see backlog in listen(2));
+; max listen queue - the maximum number of requests in the queue
+; of pending connections since FPM has started;
+; listen queue len - the size of the socket queue of pending connections;
+; idle processes - the number of idle processes;
+; active processes - the number of active processes;
+; total processes - the number of idle + active processes;
+; max active processes - the maximum number of active processes since FPM
+; has started;
+; max children reached - number of times, the process limit has been reached,
+; when pm tries to start more children (works only for
+; pm 'dynamic' and 'ondemand');
+; Value are updated in real time.
+; Example output:
+; pool: www
+; process manager: static
+; start time: 01/Jul/2011:17:53:49 +0200
+; start since: 62636
+; accepted conn: 190460
+; listen queue: 0
+; max listen queue: 1
+; listen queue len: 42
+; idle processes: 4
+; active processes: 11
+; total processes: 15
+; max active processes: 12
+; max children reached: 0
+;
+; By default the status page output is formatted as text/plain. Passing either
+; 'html', 'xml' or 'json' in the query string will return the corresponding
+; output syntax. Example:
+; http://www.foo.bar/status
+; http://www.foo.bar/status?json
+; http://www.foo.bar/status?html
+; http://www.foo.bar/status?xml
+;
+; By default the status page only outputs short status. Passing 'full' in the
+; query string will also return status for each pool process.
+; Example:
+; http://www.foo.bar/status?full
+; http://www.foo.bar/status?json&full
+; http://www.foo.bar/status?html&full
+; http://www.foo.bar/status?xml&full
+; The Full status returns for each process:
+; pid - the PID of the process;
+; state - the state of the process (Idle, Running, ...);
+; start time - the date and time the process has started;
+; start since - the number of seconds since the process has started;
+; requests - the number of requests the process has served;
+; request duration - the duration in s of the requests;
+; request method - the request method (GET, POST, ...);
+; request URI - the request URI with the query string;
+; content length - the content length of the request (only with POST);
+; user - the user (PHP_AUTH_USER) (or '-' if not set);
+; script - the main script called (or '-' if not set);
+; last request cpu - the %cpu the last request consumed
+; it's always 0 if the process is not in Idle state
+; because CPU calculation is done when the request
+; processing has terminated;
+; last request memory - the max amount of memory the last request consumed
+; it's always 0 if the process is not in Idle state
+; because memory calculation is done when the request
+; processing has terminated;
+; If the process is in Idle state, then informations are related to the
+; last request the process has served. Otherwise informations are related to
+; the current request being served.
+; Example output:
+; ************************
+; pid: 31330
+; state: Running
+; start time: 01/Jul/2011:17:53:49 +0200
+; start since: 63087
+; requests: 12808
+; request duration: 1250261
+; request method: GET
+; request URI: /test_mem.php?N=10000
+; content length: 0
+; user: -
+; script: /home/fat/web/docs/php/test_mem.php
+; last request cpu: 0.00
+; last request memory: 0
+;
+; Note: There is a real-time FPM status monitoring sample web page available
+; It's available in: /usr/local/share/php/fpm/status.html
+;
+; Note: The value must start with a leading slash (/). The value can be
+; anything, but it may not be a good idea to use the .php extension or it
+; may conflict with a real PHP file.
+; Default Value: not set
+pm.status_path = /status
+
+; The ping URI to call the monitoring page of FPM. If this value is not set, no
+; URI will be recognized as a ping page. This could be used to test from outside
+; that FPM is alive and responding, or to
+; - create a graph of FPM availability (rrd or such);
+; - remove a server from a group if it is not responding (load balancing);
+; - trigger alerts for the operating team (24/7).
+; Note: The value must start with a leading slash (/). The value can be
+; anything, but it may not be a good idea to use the .php extension or it
+; may conflict with a real PHP file.
+; Default Value: not set
+ping.path = /ping
+
+; This directive may be used to customize the response of a ping request. The
+; response is formatted as text/plain with a 200 response code.
+; Default Value: pong
+ping.response = pong
+
+; The access log file
+; Default: not set
+;access.log = log/$pool.access.log
+
+; The access log format.
+; The following syntax is allowed
+; %%: the '%' character
+; %C: %CPU used by the request
+; it can accept the following format:
+; - %{user}C for user CPU only
+; - %{system}C for system CPU only
+; - %{total}C for user + system CPU (default)
+; %d: time taken to serve the request
+; it can accept the following format:
+; - %{seconds}d (default)
+; - %{miliseconds}d
+; - %{mili}d
+; - %{microseconds}d
+; - %{micro}d
+; %e: an environment variable (same as $_ENV or $_SERVER)
+; it must be associated with embraces to specify the name of the env
+; variable. Some exemples:
+; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
+; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
+; %f: script filename
+; %l: content-length of the request (for POST request only)
+; %m: request method
+; %M: peak of memory allocated by PHP
+; it can accept the following format:
+; - %{bytes}M (default)
+; - %{kilobytes}M
+; - %{kilo}M
+; - %{megabytes}M
+; - %{mega}M
+; %n: pool name
+; %o: output header
+; it must be associated with embraces to specify the name of the header:
+; - %{Content-Type}o
+; - %{X-Powered-By}o
+; - %{Transfert-Encoding}o
+; - ....
+; %p: PID of the child that serviced the request
+; %P: PID of the parent of the child that serviced the request
+; %q: the query string
+; %Q: the '?' character if query string exists
+; %r: the request URI (without the query string, see %q and %Q)
+; %R: remote IP address
+; %s: status (response code)
+; %t: server time the request was received
+; it can accept a strftime(3) format:
+; %d/%b/%Y:%H:%M:%S %z (default)
+; The strftime(3) format must be encapsuled in a %{}t tag
+; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
+; %T: time the log has been written (the request has finished)
+; it can accept a strftime(3) format:
+; %d/%b/%Y:%H:%M:%S %z (default)
+; The strftime(3) format must be encapsuled in a %{}t tag
+; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
+; %u: remote user
+;
+; Default: "%R - %u %t \"%m %r\" %s"
+;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
+
+; The log file for slow requests
+; Default Value: not set
+; Note: slowlog is mandatory if request_slowlog_timeout is set
+;slowlog = log/$pool.log.slow
+
+; The timeout for serving a single request after which a PHP backtrace will be
+; dumped to the 'slowlog' file. A value of '0s' means 'off'.
+; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
+; Default Value: 0
+;request_slowlog_timeout = 0
+
+; The timeout for serving a single request after which the worker process will
+; be killed. This option should be used when the 'max_execution_time' ini option
+; does not stop script execution for some reason. A value of '0' means 'off'.
+; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
+; Default Value: 0
+request_terminate_timeout = 180
+
+; Set open file descriptor rlimit.
+; Default Value: system defined value
+;rlimit_files = 1024
+
+; Set max core size rlimit.
+; Possible Values: 'unlimited' or an integer greater or equal to 0
+; Default Value: system defined value
+;rlimit_core = 0
+
+; Chroot to this directory at the start. This value must be defined as an
+; absolute path. When this value is not set, chroot is not used.
+; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
+; of its subdirectories. If the pool prefix is not set, the global prefix
+; will be used instead.
+; Note: chrooting is a great security feature and should be used whenever
+; possible. However, all PHP paths will be relative to the chroot
+; (error_log, sessions.save_path, ...).
+; Default Value: not set
+;chroot =
+
+; Chdir to this directory at the start.
+; Note: relative path can be used.
+; Default Value: current directory or / when chroot
+chdir = /usr/share/nginx/html
+
+; Redirect worker stdout and stderr into main error log. If not set, stdout and
+; stderr will be redirected to /dev/null according to FastCGI specs.
+; Note: on highloaded environement, this can cause some delay in the page
+; process time (several ms).
+; Default Value: no
+;catch_workers_output = yes
+
+; Clear environment in FPM workers
+; Prevents arbitrary environment variables from reaching FPM worker processes
+; by clearing the environment in workers before env vars specified in this
+; pool configuration are added.
+; Setting to "no" will make all environment variables available to PHP code
+; via getenv(), $_ENV and $_SERVER.
+; Default Value: yes
+;clear_env = no
+
+; Limits the extensions of the main script FPM will allow to parse. This can
+; prevent configuration mistakes on the web server side. You should only limit
+; FPM to .php extensions to prevent malicious users to use other extensions to
+; exectute php code.
+; Note: set an empty value to allow all extensions.
+; Default Value: .php
+;security.limit_extensions = .php .php3 .php4 .php5 .php7
+
+; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
+; the current environment.
+; Default Value: clean env
+;env[HOSTNAME] = $HOSTNAME
+;env[PATH] = /usr/local/bin:/usr/bin:/bin
+;env[TMP] = /tmp
+;env[TMPDIR] = /tmp
+;env[TEMP] = /tmp
+
+; Additional php.ini defines, specific to this pool of workers. These settings
+; overwrite the values previously defined in the php.ini. The directives are the
+; same as the PHP SAPI:
+; php_value/php_flag - you can set classic ini defines which can
+; be overwritten from PHP call 'ini_set'.
+; php_admin_value/php_admin_flag - these directives won't be overwritten by
+; PHP call 'ini_set'
+; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
+
+; Defining 'extension' will load the corresponding shared extension from
+; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
+; overwrite previously defined php.ini values, but will append the new value
+; instead.
+
+; Note: path INI options can be relative and will be expanded with the prefix
+; (pool, global or /usr/local)
+
+; Default Value: nothing is defined by default except the values in php.ini and
+; specified at startup with the -d argument
+;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
+php_flag[display_errors] = off
+php_admin_value[error_log] = /proc/self/fd/2
+php_admin_flag[log_errors] = on
+;php_admin_value[memory_limit] = 32M
+
+php_admin_value[date.timezone] = 'UTC'
+php_admin_value[upload_max_filesize] = 32M
+php_admin_value[post_max_size] = 32M
diff --git a/.docker/redis/redis.conf b/.docker/redis/redis.conf
new file mode 100644
index 000000000..a389edf6b
--- /dev/null
+++ b/.docker/redis/redis.conf
@@ -0,0 +1,2 @@
+maxmemory 64mb
+maxmemory-policy allkeys-lru
\ No newline at end of file
diff --git a/.docker/websocket b/.docker/websocket
new file mode 160000
index 000000000..71f77bb13
--- /dev/null
+++ b/.docker/websocket
@@ -0,0 +1 @@
+Subproject commit 71f77bb13b40591104f56396cf686a46f5d6947f
From f2d54f7e46270664857659b2ecf39af93ae8bcd2 Mon Sep 17 00:00:00 2001
From: Sean Norwood
Date: Sat, 17 Aug 2019 13:42:20 -0500
Subject: [PATCH 2/7] git: adds websocket as a submodule
---
 .gitmodules | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .gitmodules
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 000000000..9620fa133
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule ".docker/websocket"]
+ path = .docker/websocket
+ url = https://github.com/insuusvenerati/pathfinder_websocket
From 55be48fd9c1328a6fcb793e180f1a412a50a12f2 Mon Sep 17 00:00:00 2001
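Review bot: `listen = 9000` opens a TCP FastCGI listener while `listen.allowed_clients` is left commented out, so the pool accepts requests from any address that can reach it, and in docker-compose.yml php-fpm sits on the shared external `web` network rather than a private one. An unrestricted FastCGI endpoint executes whatever script path the connecting client names, so it must be fenced; `listen.allowed_clients` only takes IP addresses (not stable for compose services), which makes network isolation — a backend network that only nginx and php-fpm join — the practical fix. `pm.status_path = /status` and `ping.path = /ping` are enabled and the status page reveals request URIs and script paths; the nginx site config is not in view here, so confirm it limits those locations to internal addresses. `listen.owner`, `listen.group` and `listen.mode = 0750` apply only to unix sockets and are no-ops with a TCP listen — drop or comment them so nobody reads the port as permission-protected.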
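Review bot: redis.conf sets only `maxmemory`/`maxmemory-policy`; with no `requirepass` or `bind`, and the official redis image built with protected mode off, the instance accepts unauthenticated commands from any container that can reach `redis:6379` — in docker-compose.yml that is everything on the external `web` network, not just php-fpm. The `redis=[host]:[port]:[db]` syntax documented in app/config.ini carries no password, so unless the app can send AUTH the mitigation is placement: attach redis to a private compose network shared only with php-fpm, adding `requirepass <placeholder>` only if the client side supports it. A comment recording that assumption, e.g. `# no auth configured: must only be reachable from the backend network`, would keep the next editor from moving it.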
From: Sean Norwood
Date: Sat, 17 Aug 2019 13:43:42 -0500
Subject: [PATCH 3/7] config(pathfinder): adds recommended redis cache
---
 app/config.ini | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/app/config.ini b/app/config.ini
index 8eb9ab6c8..017abe35a 100644
--- a/app/config.ini
+++ b/app/config.ini
@@ -53,7 +53,7 @@ SEED = {{ md5(@SERVER.SERVER_NAME) }}
 ; - Cache data is stored on disc
 ; redis=[SERVER]
 ; - Cache data is stored in Redis. redis=[host]:[port]:[db] (e.g. redis=localhost:6379:1)
-CACHE = folder=tmp/cache/
+CACHE = redis=redis:6379:1
 
 ; Cache backend for API data
 ; This sets the cache backend for API response data and other temp data relates to API requests.
@@ -82,7 +82,7 @@ API_CACHE = {{@CACHE}}
 ; default
 ; - Session data get stored in PHPs default Session handler (php.ini → session.save_handler and session.save_path)
 ; PHPs default session.save_handler is `files` and each Session is written to disc (slowest)
-SESSION_CACHE = mysql
+SESSION_CACHE = default
 
 ; Callback functions ==============================================================================
 ONERROR = Controller\Controller->showError
From e30a634cac1a0241fd48851fa8365d1cf86c5863 Mon Sep 17 00:00:00 2001
From: Sean Norwood
Date: Sat, 17 Aug 2019 13:45:26 -0500
Subject: [PATCH 4/7] config(pathfinder): points the websocket host to the container
---
 app/environment.ini | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/app/environment.ini b/app/environment.ini
index 409cdf589..4af2b118f 100644
--- a/app/environment.ini
+++ b/app/environment.ini
@@ -49,8 +49,8 @@ SMTP_FROM = pathfinder@localhost.com
 SMTP_ERROR = pathfinder@localhost.com
 
 ; TCP Socket configuration (optional) (advanced)
-;SOCKET_HOST = 127.0.0.1
-;SOCKET_PORT = 5555
+SOCKET_HOST = websocket
+SOCKET_PORT = 5555
 
 [ENVIRONMENT.PRODUCTION]
 
From abc5f5680f39e38e7a3f85f73d5ba3680f76db5c Mon Sep 17 00:00:00 2001
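Review bot: `SESSION_CACHE = default` moves sessions from MySQL to PHP's `files` handler, which the surrounding comment marks as the slowest option and which writes into the php-fpm container's own filesystem; docker-compose.yml mounts no volume for the session path, so every session (including completed SSO logins) is lost whenever that container is recreated. If `SESSION_CACHE` accepts the same backends as `CACHE` — the `API_CACHE = {{@CACHE}}` line in the hunk context suggests the values are interchangeable, but verify in the app — then `SESSION_CACHE = {{@CACHE}}` keeps sessions in the Redis instance this commit already configures; otherwise keep `mysql`. Note also that the Redis instance in this series has no authentication, so session identifiers stored there are only as protected as the network it sits on.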
From: Sean Norwood Date: Sat, 17 Aug 2019 13:46:03 -0500 Subject: [PATCH 5/7] docs: adds docker instructions to readme --- README.md | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/README.md b/README.md index 8cc71042f..b253617cc 100644 --- a/README.md +++ b/README.md @@ -25,6 +25,40 @@ Issues should be reported in the [Issue](https://github.com/exodus4d/pathfinder/ *** +## Docker +### In this stack +- Redis +- PHP-fpm +- Nginx +- MySQL +- Pathfinder Websocket (PHP) + +## Docker Setup and Installation + +- Install Docker from docker.com + +```sh +curl -fsSL https://get.docker.com -o get-docker.sh + +sudo sh get-docker.sh +``` +- Clone the repo + +``` +git clone https://github.com/insuusvenerati/pathfinder +``` + +- Edit the required files to configure + - `app/environment.ini` - SSO and DB Information + - `app/pathfinder.ini` - Pathfinder specific information + - `app/routes.ini` - Uncomment the setup route to install / Recomment after setup done + - `docker-compose.yml` - Docker environment configuration + - See https://docs.docker.com/compose/compose-file/ + +> See the Pathfinder Wiki for information regarding the configuration options + +*** + ### Project structure ``` From 066c3db510d2d02c53a21ae28144616127ee3fa8 Mon Sep 17 00:00:00 2001 From: Sean Norwood Date: Sat, 17 Aug 2019 13:47:37 -0500 Subject: [PATCH 6/7] initial: adds initial docker-compose file --- docker-compose.yml | 72 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100644 docker-compose.yml diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 000000000..f77dd5952 --- /dev/null +++ b/docker-compose.yml 
@@ -0,0 +1,72 @@
+version: "3.7"
+services:
+ php-fpm:
+ container_name: pathfinder-php-fpm
+ build:
+ context: .
+ dockerfile: .docker/php/Dockerfile
+ volumes:
+ - ./.docker/php/www.conf:/usr/local/etc/php-fpm.d/www.conf
+ - ./.docker/php/php.ini:/usr/local/etc/php/php.ini
+ networks:
+ - web
+ nginx:
+ container_name: pathfinder-nginx
+ build:
+ context: .
+ dockerfile: ./.docker/nginx/Dockerfile
+ environment:
+ - SETUP_PASS=password
+ - SETUP_USER=critmebaby
+ networks:
+ - web
+ labels:
+ - "traefik.frontend.rule=Host:tripwire.critical-horizon.com"
+ - "traefik.docker.network=web"
+ - "traefik.port=80"
+ - "traefik.enable=true"
+ mysql:
+ container_name: pathfinder-mysql
+ image: mysql:5.7
+ volumes:
+ - ./.docker/mysql/aa_init.sql:/docker-entrypoint-initdb.d/aa_init.sql
+ - ./export/sql/bb_eve_universe.sql:/eve_universe.sql
+ - mysql_data:/var/lib/mysql
+ networks:
+ - web
+ environment:
+ - MYSQL_ROOT_PASSWORD=password
+ redis:
+ container_name: pathfinder-redis
+ image: redis:5.0.5-alpine
+ volumes:
+ - ./.docker/redis/redis.conf:/usr/local/etc/redis/redis.conf
+ - redis_data:/data
+ networks:
+ - web
+ command: ["redis-server", "/usr/local/etc/redis/redis.conf", "--appendonly yes"]
+ websocket:
+ container_name: pathfinder-websocket
+ build:
+ context: ./.docker/websocket
+ dockerfile: Dockerfile
+ ports:
+ - 8020:8020
+ - 8030:8030
+ - 5555:5555
+ networks:
+ - web
+ command: ["php", "/opt/app/cmd.php", "--debug", "3"]
+ # Development Only
+ adminer:
+ image: adminer
+ ports:
+ - 8081:8080
+
+volumes:
+ mysql_data:
+ redis_data:
+
+networks:
+ web:
+ external: true
From b7fc6c1229a3e832b109714d17c5a6b03356a0e8 Mon Sep 17 00:00:00 2001
From: Sean Norwood
Date: Sat, 17 Aug 2019 13:49:57 -0500
Subject: [PATCH 7/7] git: update submodule for websocket
---
 .docker/websocket | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.docker/websocket b/.docker/websocket
index 71f77bb13..f928c3ea4 160000
--- a/.docker/websocket
+++ b/.docker/websocket
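Review bot: Credentials are committed in plain text — `SETUP_PASS=password`, `SETUP_USER=critmebaby` and `MYSQL_ROOT_PASSWORD=password` — and every service, mysql and redis included, is attached to the external `web` network that traefik and any other stack on the host share, so the database (root with that password), redis (no auth) and php-fpm:9000 are reachable from any container on that network. Move the secrets to an `.env` file or `env_file:` (compose's `${VAR:?msg}` form fails fast when a value is missing) and add a second, non-external network for the backend services, leaving only nginx on `web`. `adminer` publishes 8081 on all host interfaces despite the "Development Only" comment — bind it to loopback (`"127.0.0.1:8081:8080"`) or move it to an override file; it also declares no `networks:`, so as written it lands on the compose default network and presumably cannot reach mysql at all. `5555:5555` publishes the PHP→websocket control port (SOCKET_PORT in app/environment.ini) to the host although php-fpm reaches it over the container network; which of 8020/8030/5555 are client-facing is not visible here, so publish only those that are.

```yaml
services:
  php-fpm:
    # … unchanged: container_name, build, volumes …
    networks:
      - backend
  nginx:
    # … unchanged: container_name, build, labels …
    environment:
      - SETUP_PASS=${SETUP_PASS:?set in .env}
      - SETUP_USER=${SETUP_USER:?set in .env}
    networks:
      - web
      - backend
  mysql:
    # … unchanged: container_name, image, volumes …
    environment:
      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD:?set in .env}
    networks:
      - backend
  # … redis and websocket: same change, networks: [backend] …
  adminer:
    image: adminer
    ports:
      - "127.0.0.1:8081:8080"
    networks:
      - backend
# … unchanged: volumes …
networks:
  web:
    external: true
  backend:
```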
@@ -1 +1 @@
-Subproject commit 71f77bb13b40591104f56396cf686a46f5d6947f
+Subproject commit f928c3ea42569c78b9d0104c9c361b4c69ad74bd