Adds docker-compose configuration #843

2 changes: 2 additions & 0 deletions .docker/mysql/aa_init.sql
@@ -0,0 +1,2 @@
CREATE DATABASE IF NOT EXISTS pathfinder CHARACTER SET utf8 COLLATE utf8_general_ci;
CREATE DATABASE IF NOT EXISTS eve_universe CHARACTER SET utf8 COLLATE utf8_general_ci;
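Review bot: both `CREATE DATABASE` statements use MySQL's `utf8` character set, which is the 3-byte subset and cannot store 4-byte characters (emoji, some CJK); if application data may contain them, use `utf8mb4` with a matching collation such as `utf8mb4_unicode_ci`. The script also creates no application account, so the application will connect with whatever credentials the compose file hands it, typically root, unless another init script adds a dedicated user whose grants are limited to `pathfinder` and `eve_universe`; a `CREATE USER` plus two `GRANT` statements here would keep the app off the root account.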
15 changes: 15 additions & 0 deletions .docker/nginx/Dockerfile
@@ -0,0 +1,15 @@
FROM nginx:1.17.2-alpine

COPY --chown=nginx:nginx . /usr/share/nginx/html/
COPY ./.docker/nginx/nginx.conf /etc/nginx/nginx.conf
COPY ./.docker/nginx/pathfinder-http.conf /etc/nginx/conf.d/default.conf
COPY ./.docker/nginx/h5bp/ /etc/nginx/h5bp/
COPY ./.docker/nginx/mime.types /etc/nginx/mime.types

RUN apk add --no-cache apache2-utils

COPY ./.docker/nginx/entrypoint.sh /root/entrypoint.sh
RUN chmod +x /root/entrypoint.sh
RUN chmod 0766 /usr/share/nginx/html/logs

ENTRYPOINT ["sh", "-c", "/root/entrypoint.sh"]
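Review bot: `COPY --chown=nginx:nginx . /usr/share/nginx/html/` copies the entire build context into the document root, so everything in the repository, including the `.docker/` tree with this nginx configuration and entrypoint and a `.git/` directory if one is present, becomes a file the web server could serve; copying only the application directories, or adding a `.dockerignore` that excludes `.git` and `.docker`, avoids relying on the hidden-file `deny` rule in `security_file_access.conf` alone. `RUN chmod 0766 /usr/share/nginx/html/logs` grants write bits to group and other but no execute bit, so it is both broader than needed and, without the execute bit, does not actually let those users create files in the directory; `chown` it to the worker user and use `0750` or `0770`. The pinned `nginx:1.17.2-alpine` tag is good for reproducibility but is a fixed mainline release and needs periodic bumping to pick up fixes.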
container failed to start. sh: /root/entrypoint.sh: not found

4 changes: 4 additions & 0 deletions .docker/nginx/entrypoint.sh
@@ -0,0 +1,4 @@
#!/bin/ash

htpasswd -B -b -c /etc/nginx/.setup_pass "$SETUP_USER" "$SETUP_PASS" && \
nginx
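Review bot: nothing checks that `SETUP_USER` and `SETUP_PASS` are set before `htpasswd -B -b -c` runs, so an unset variable either produces an entry built from an empty string or makes `htpasswd` fail, in which case the `&&` skips starting nginx without a clear message; add `: "${SETUP_USER:?}" "${SETUP_PASS:?}"` at the top so the container refuses to start with an explicit error. `-b` also passes the password on the command line, where it is visible in the process list while `htpasswd` runs, and `-c` rewrites the file on every start. Because this script is the container entrypoint, end it with `exec nginx -g 'daemon off;'` rather than a bare `nginx` so nginx stays in the foreground as PID 1 and receives the container's stop signal; a daemonised nginx would let the shell exit and the container stop. The `not found` failure reported in the comment above, for a script the Dockerfile does copy, is usually the interpreter lookup from the shebang failing, for example CRLF line endings turning `#!/bin/ash` into `/bin/ash\r`; forcing LF line endings for the file (a `.gitattributes` rule) fixes that.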
9 changes: 9 additions & 0 deletions .docker/nginx/h5bp/basic.conf
@@ -0,0 +1,9 @@
# Nginx Server Configs | MIT License
# https://github.com/h5bp/server-configs-nginx

include h5bp/security/referrer-policy.conf;
include h5bp/security/x-content-type-options.conf;
include h5bp/security/x-frame-options.conf;
include h5bp/security/x-xss-protection.conf;
include h5bp/location/security_file_access.conf;
include h5bp/cross-origin/requests.conf;
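Review bot: this include list pulls in `h5bp/cross-origin/requests.conf`, which sets `Access-Control-Allow-Origin` from `$cors` and whose own comments warn against enabling it without a deliberate origin policy; unless the `$cors` map restricts origins, drop that include. It also references `h5bp/security/x-xss-protection.conf`, which is not in this commit's diff, while several files added here (`server_software_information.conf`, `strict-transport-security.conf`, `content-security-policy.conf`, `x-ua-compatible.conf`) are not included anywhere, so `server_tokens off` and HSTS are not actually active. Note also that `$cors`, `$x_frame_options` and `$referrer_policy` must be defined with `map` blocks in `nginx.conf`, otherwise nginx fails at config load with an unknown-variable error.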
Empty file.
18 changes: 18 additions & 0 deletions .docker/nginx/h5bp/cross-origin/requests.conf
@@ -0,0 +1,18 @@
# ----------------------------------------------------------------------
# | Cross-origin requests |
# ----------------------------------------------------------------------

# Allow cross-origin requests.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
# https://enable-cors.org/
# https://www.w3.org/TR/cors/

# (!) Do not use this without understanding the consequences.
# This will permit access from any other website.
# Instead of using this file, consider using a specific rule such as
# allowing access based on (sub)domain:
#
# add_header Access-Control-Allow-Origin "subdomain.example.com";

add_header Access-Control-Allow-Origin $cors;
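Review bot: `add_header Access-Control-Allow-Origin $cors;` is only as safe as the `$cors` map; if that map resolves to `*` or echoes `$http_origin` unconditionally, any site can read responses from this server, which is exactly what the header comment warns about. Prefer a map that returns the application's own origin for matching `$http_origin` values and an empty string otherwise, since nginx omits an `add_header` whose value is empty.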
15 changes: 15 additions & 0 deletions .docker/nginx/h5bp/cross-origin/resource_timing.conf
@@ -0,0 +1,15 @@
# ----------------------------------------------------------------------
# | Cross-origin resource timing |
# ----------------------------------------------------------------------

# Allow cross-origin access to the timing information for all resources.
#
# If a resource isn't served with a `Timing-Allow-Origin` header that would
# allow its timing information to be shared with the document, some of the
# attributes of the `PerformanceResourceTiming` object will be set to zero.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Timing-Allow-Origin
# https://www.w3.org/TR/resource-timing/
# https://www.stevesouders.com/blog/2014/08/21/resource-timing-practical-tips/

add_header Timing-Allow-Origin "*";
9 changes: 9 additions & 0 deletions .docker/nginx/h5bp/errors/custom_errors.conf
@@ -0,0 +1,9 @@
# ----------------------------------------------------------------------
# | Custom error messages/pages |
# ----------------------------------------------------------------------

# Customize what Nginx returns to the client in case of an error.
#
# https://nginx.org/en/docs/http/ngx_http_core_module.html#error_page

error_page 404 /404.html;
19 changes: 19 additions & 0 deletions .docker/nginx/h5bp/internet_explorer/x-ua-compatible.conf
@@ -0,0 +1,19 @@
# ----------------------------------------------------------------------
# | Document modes |
# ----------------------------------------------------------------------

# Force Internet Explorer 8/9/10 to render pages in the highest mode
# available in the various cases when it may not.
#
# https://hsivonen.fi/doctype/#ie8
#
# (!) Starting with Internet Explorer 11, document modes are deprecated.
# If your business still relies on older web apps and services that were
# designed for older versions of Internet Explorer, you might want to
# consider enabling `Enterprise Mode` throughout your company.
#
# https://msdn.microsoft.com/en-us/library/ie/bg182625.aspx#docmode
# https://blogs.msdn.microsoft.com/ie/2014/04/02/stay-up-to-date-with-enterprise-mode-for-internet-explorer-11/
# https://msdn.microsoft.com/en-us/library/ff955275.aspx

add_header X-UA-Compatible $x_ua_compatible;
41 changes: 41 additions & 0 deletions .docker/nginx/h5bp/location/security_file_access.conf
@@ -0,0 +1,41 @@
# ----------------------------------------------------------------------
# | File access |
# ----------------------------------------------------------------------

# Block access to all hidden files and directories with the exception of the
# visible content from within the `/.well-known/` hidden directory.
#
# These types of files usually contain user preferences or the preserved state
# of a utility, and can include rather private places like, for example, the
# `.git` or `.svn` directories.
#
# The `/.well-known/` directory represents the standard (RFC 5785) path prefix
# for "well-known locations" (e.g.: `/.well-known/manifest.json`,
# `/.well-known/keybase.txt`), and therefore, access to its visible content
# should not be blocked.
#
# https://www.mnot.net/blog/2010/04/07/well-known
# https://tools.ietf.org/html/rfc5785

location ~* /\.(?!well-known\/) {
deny all;
}

# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

# Block access to files that can expose sensitive information.
#
# By default, block access to backup and source files that may be left by some
# text editors and can pose a security risk when anyone has access to them.
#
# https://feross.org/cmsploit/
#
# (!) Update the `location` regular expression from below to include any files
# that might end up on your production server and can expose sensitive
# information about your website. These files may include: configuration
# files, files that contain metadata about the project (e.g.: project
# dependencies, build scripts, etc.).

location ~* (?:#.*#|\.(?:bak|conf|dist|fla|in[ci]|log|orig|psd|sh|sql|sw[op])|~)$ {
deny all;
}
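Review bot: these two regex `location` blocks only take effect if they appear in the server block before any other regex location, because nginx uses the first matching regex location; a `location ~ \.php$` handler placed earlier would claim a request for a `.php` file under a hidden directory before the `deny all` here is reached. This file is also what keeps the `.docker/` tree and any `.git/` directory, which the Dockerfile's `COPY .` puts into the document root, from being served, and the second pattern covers `.sql`, `.sh`, `.conf` and `.log`, all of which exist under that copied tree. Note the `.log` match is suffix-based, so a rotated file such as `access.log.1` would not be caught; denying the `logs/` directory as a whole is more robust.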
@@ -0,0 +1,14 @@
# ----------------------------------------------------------------------
# | Filename-based cache busting |
# ----------------------------------------------------------------------

# If you're not using a build process to manage your filename version revving,
# you might want to consider enabling the following directives.
#
# To understand why this is important and even a better solution than using
# something like `*.css?v231`, please see:
# https://www.stevesouders.com/blog/2008/08/23/revving-filenames-dont-use-querystring/

location ~* (.+)\.(?:\w+)\.(bmp|css|cur|gif|ico|jpe?g|m?js|png|svgz?|webp|webmanifest)$ {
try_files $uri $1.$2;
}
14 changes: 14 additions & 0 deletions .docker/nginx/h5bp/location/web_performance_svgz-compression.conf
@@ -0,0 +1,14 @@
# ----------------------------------------------------------------------
# | SVGZ Compression |
# ----------------------------------------------------------------------

# SVGZ files are already compressed.
# Disable gzip function for `.svgz` files.

location ~* \.svgz$ {
gzip off;
add_header Content-Encoding gzip;

include h5bp/security/x-content-type-options.conf;
include h5bp/cross-origin/requests.conf;
}
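Review bot: the two `include`s inside this location are needed because `add_header` directives in a `location` replace every `add_header` inherited from the `server` level, but they only restore `X-Content-Type-Options` and the CORS header; `.svgz` responses will therefore lack the `X-Frame-Options` and `Referrer-Policy` headers that `basic.conf` sets. Either include the same security files here or collect the header directives in one snippet that every location with its own `add_header` includes.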
32 changes: 32 additions & 0 deletions .docker/nginx/h5bp/media_types/character_encodings.conf
@@ -0,0 +1,32 @@
# ----------------------------------------------------------------------
# | Character encodings |
# ----------------------------------------------------------------------

# Serve all resources labeled as `text/html` or `text/plain` with the media type
# `charset` parameter set to `UTF-8`.
#
# https://nginx.org/en/docs/http/ngx_http_charset_module.html#charset

charset utf-8;

# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

# Update charset_types to match updated mime.types.
# `text/html` is always included by charset module.
# Default: text/html text/xml text/plain text/vnd.wap.wml application/javascript application/rss+xml
#
# https://nginx.org/en/docs/http/ngx_http_charset_module.html#charset_types

charset_types
text/css
text/plain
text/vnd.wap.wml
text/javascript
text/markdown
text/calendar
text/x-component
text/vcard
text/cache-manifest
text/vtt
application/json
application/manifest+json;
18 changes: 18 additions & 0 deletions .docker/nginx/h5bp/media_types/media_types.conf
@@ -0,0 +1,18 @@
# ----------------------------------------------------------------------
# | Media types |
# ----------------------------------------------------------------------

# Serve resources with the proper media types (f.k.a. MIME types).
#
# https://www.iana.org/assignments/media-types/media-types.xhtml
# https://nginx.org/en/docs/http/ngx_http_core_module.html#types

include mime.types;

# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

# Default: text/plain
#
# https://nginx.org/en/docs/http/ngx_http_core_module.html#default_type

default_type application/octet-stream;
Empty file added .docker/nginx/h5bp/mime.types
Empty file.
Empty file added .docker/nginx/h5bp/nginx.conf
Empty file.
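Review bot: `.docker/nginx/h5bp/mime.types` and `.docker/nginx/h5bp/nginx.conf` are added as empty files, while the Dockerfile copies `mime.types` and `nginx.conf` from `.docker/nginx/` one level up; these look like stray placeholders and should be removed so nobody later edits the copy that is never used.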
27 changes: 27 additions & 0 deletions .docker/nginx/h5bp/security/content-security-policy.conf
@@ -0,0 +1,27 @@
# ----------------------------------------------------------------------
# | Content Security Policy (CSP) |
# ----------------------------------------------------------------------

# Mitigate the risk of cross-site scripting and other content-injection
# attacks.
#
# This can be done by setting a `Content Security Policy` which whitelists
# trusted sources of content for your website.
#
# There is no policy that fits all websites, you will have to modify the
# `Content-Security-Policy` directives in the example depending on your needs.
#
# To make your CSP implementation easier, you can use an online CSP header
# generator such as:
# https://report-uri.com/home/generate/
#
# It is encouraged that you validate your CSP header using a CSP validator
# such as:
# https://csp-evaluator.withgoogle.com
#
# https://csp.withgoogle.com/docs/
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
# https://www.html5rocks.com/en/tutorials/security/content-security-policy/
# https://www.w3.org/TR/CSP/

add_header Content-Security-Policy $content_security_policy always;
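Review bot: `$content_security_policy` has to be defined by a `map` in `nginx.conf`, and this file is not included by `basic.conf` in this commit, so no CSP is sent yet; when it is wired up, start from a restrictive policy that lists only the application's own script and style origins, add a `report-uri`/`report-to` directive so violations are visible before enforcement, and validate it with the evaluator linked in the comments. The `always` parameter is correct here so that error responses carry the header too.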
18 changes: 18 additions & 0 deletions .docker/nginx/h5bp/security/referrer-policy.conf
@@ -0,0 +1,18 @@
# ----------------------------------------------------------------------
# | Referrer Policy |
# ----------------------------------------------------------------------

# A web application uses HTTPS and a URL-based session identifier.
# The web application might wish to link to HTTPS resources on other web
# sites without leaking the user's session identifier in the URL.
#
# This can be done by setting a `Referrer Policy` which whitelists trusted
# sources of content for your website.
#
# To check your referrer policy, you can use an online service such as:
# https://securityheaders.io/.
#
# https://scotthelme.co.uk/a-new-security-header-referrer-policy/
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy

add_header Referrer-Policy $referrer_policy always;
9 changes: 9 additions & 0 deletions .docker/nginx/h5bp/security/server_software_information.conf
@@ -0,0 +1,9 @@
# ----------------------------------------------------------------------
# | Server software information |
# ----------------------------------------------------------------------

# Prevent Nginx from sending its version number in the "Server" response header.
#
# https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens

server_tokens off;
43 changes: 43 additions & 0 deletions .docker/nginx/h5bp/security/strict-transport-security.conf
@@ -0,0 +1,43 @@
# ----------------------------------------------------------------------
# | HTTP Strict Transport Security (HSTS) |
# ----------------------------------------------------------------------

# Force client-side SSL redirection.
#
# If a user types `example.com` in their browser, even if the server redirects
# them to the secure version of the website, that still leaves a window of
# opportunity (the initial HTTP connection) for an attacker to downgrade or
# redirect the request.
#
# The following header ensures that browser will ONLY connect to your server
# via HTTPS, regardless of what the users type in the browser's address bar.
#
# (!) Be aware that this, once published, is not revokable and you must ensure
# being able to serve the site via SSL for the duration you've specified
# in max-age. When you don't have a valid SSL connection (anymore) your
# visitors will see a nasty error message even when attempting to connect
# via simple HTTP.
#
# (!) Remove the `includeSubDomains` optional directive if the website's
# subdomains are not using HTTPS.
#
# (1) If you want to submit your site for HSTS preload (2) you must
# * ensure the `includeSubDomains` directive to be present
# * the `preload` directive to be specified
# * the `max-age` to be at least 31536000 seconds (1 year) according to the
# current status.
#
# It is also advised (3) to only serve the HSTS header via a secure
# connection.
#
# (2) https://hstspreload.org/
# (3) https://tools.ietf.org/html/rfc6797#section-7.2
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
# https://tools.ietf.org/html/rfc6797#section-6.1
# https://www.html5rocks.com/en/tutorials/security/transport-layer-security/
# https://blogs.msdn.microsoft.com/ieinternals/2014/08/18/strict-transport-security/

add_header Strict-Transport-Security "max-age=16070400; includeSubDomains" always;
# (1) or if HSTS preloading is desired (respect (2) for current requirements):
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
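Review bot: `Strict-Transport-Security` should only be emitted from the HTTPS server block, because browsers ignore the header on plain-HTTP responses (RFC 6797 section 8.1) and this image's site config is named `pathfinder-http.conf`; if TLS is terminated by a proxy in front of the container, set the header there instead. `includeSubDomains` commits every subdomain of the deployment host to HTTPS for the 186 days of `max-age=16070400`, which a self-hosted instance may not be able to honour, so drop it unless all subdomains serve TLS. As with the other security files, this one is not included by `basic.conf` in this commit.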
16 changes: 16 additions & 0 deletions .docker/nginx/h5bp/security/x-content-type-options.conf
@@ -0,0 +1,16 @@
# ----------------------------------------------------------------------
# | Content Type Options |
# ----------------------------------------------------------------------

# Prevent some browsers from MIME-sniffing the response.
#
# This reduces exposure to drive-by download attacks and cross-origin data
# leaks, and should be left uncommented, especially if the server is serving
# user-uploaded content or content that could potentially be treated as
# executable by the browser.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
# https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-v-comprehensive-protection/
# https://mimesniff.spec.whatwg.org/

add_header X-Content-Type-Options nosniff always;
35 changes: 35 additions & 0 deletions .docker/nginx/h5bp/security/x-frame-options.conf
@@ -0,0 +1,35 @@
# ----------------------------------------------------------------------
# | Frame Options |
# ----------------------------------------------------------------------

# Protect website against clickjacking.
#
# The example below sends the `X-Frame-Options` response header with the value
# `DENY`, informing browsers not to display the content of the web page in any
# frame.
#
# This might not be the best setting for everyone. You should read about the
# other two possible values the `X-Frame-Options` header field can have:
# `SAMEORIGIN` and `ALLOW-FROM`.
# https://tools.ietf.org/html/rfc7034#section-2.1.
#
# Keep in mind that while you could send the `X-Frame-Options` header for all
# of your website’s pages, this has the potential downside that it forbids even
# non-malicious framing of your content (e.g.: when users visit your website
# using a Google Image Search results page).
#
# Nonetheless, you should ensure that you send the `X-Frame-Options` header for
# all pages that allow a user to make a state-changing operation (e.g: pages
# that contain one-click purchase links, checkout or bank-transfer confirmation
# pages, pages that make permanent configuration changes, etc.).
#
# Sending the `X-Frame-Options` header can also protect your website against
# more than just clickjacking attacks.
# https://cure53.de/xfo-clickjacking.pdf.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
# https://tools.ietf.org/html/rfc7034
# https://blogs.msdn.microsoft.com/ieinternals/2010/03/30/combating-clickjacking-with-x-frame-options/
# https://www.owasp.org/index.php/Clickjacking

add_header X-Frame-Options $x_frame_options always;
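Review bot: the comment block suggests considering `ALLOW-FROM`, but that value was never supported by Chrome or Safari and has been removed from Firefox, so the `$x_frame_options` map should only ever produce `DENY` or `SAMEORIGIN`; for per-origin framing use the CSP `frame-ancestors` directive, which supersedes `X-Frame-Options` in browsers that support it and can be carried by the `content-security-policy.conf` added in this PR.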