diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 0000000..5bf2d04 --- /dev/null +++ b/.gitmodules @@ -0,0 +1,3 @@ +[submodule "sshd"] + path = sshd + url = https://git.audio-lab.org/lrullo/sshd.git diff --git a/Dockerfile b/Dockerfile index 660383a..eae8f02 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,9 +1,12 @@ FROM registry.sindominio.net/php-fpm +ENV TZ=Europe/Madrid + RUN apt-get update && \ - apt-get -qy install \ - php-mysql php-curl php-gd php-mbstring php-xml php-xmlrpc php-soap php-intl php-zip \ - wget less tar curl ca-certificates &&\ + apt-get -qy install \ + php-mysql php-curl php-gd php-imagick php-mbstring php-xml php-xmlrpc php-soap php-intl php-zip \ + wget less tar curl ca-certificates\ + mailutils sendmail &&\ apt-get clean RUN mkdir -p /app/ diff --git a/README.md b/README.md index a7b026b..38a89f8 100644 --- a/README.md +++ b/README.md 
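Review bot: The new `sshd` submodule entry carries no comment saying what it is for, and none of the other hunks visible here (Dockerfile, docker-compose.yml, entrypoint.sh) reference an `sshd/` path. Because it pulls code from a separate repository into the checkout, I would add a line above the section such as `# sshd: <purpose>; pinned by gitlink, review upstream changes before bumping`. The gitlink entry that pins the commit is not in the part of the diff shown, so whether it points at a reviewed revision cannot be confirmed from here.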
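Review bot: The added `mailutils sendmail` line puts a full MTA into the PHP-FPM image, yet nothing in this hunk configures or starts it, so it is extra installed surface for what is presumably only outbound WordPress mail. If that is the intent, say so next to the package list, e.g. `# sendmail: outbound wp_mail() only, no inbound listener`, or use a relay-only sender instead. `php-imagick` means uploaded images will be parsed by ImageMagick, so its policy file is worth restricting to the formats WordPress actually needs. The install line could also take `--no-install-recommends`, and `apt-get clean` still leaves `/var/lib/apt/lists` in the layer.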
@@ -51,3 +51,94 @@ docker-compose exec wordpress wp theme update --all --path="/app/wordpress/" docker-compose exec wordpress wp plugin update --all --path="/app/wordpress/" docker-compose exec wordpress wp core update --path="/app/wordpress/" ``` + +# Wordpress MultiUser Config + +wp-config.php + +``` +/* Multisite */ +define( 'WP_ALLOW_MULTISITE', true ); + +define('MULTISITE', true); +define('SUBDOMAIN_INSTALL', false); +define('DOMAIN_CURRENT_SITE', 'domain.new'); +define('PATH_CURRENT_SITE', '/'); +define('SITE_ID_CURRENT_SITE', 1); +define('BLOG_ID_CURRENT_SITE', 1); +``` + +# Worpress Cerber Config for Proxy Reverse + +wp-config.php + +``` +define('CERBER_IP_KEY', 'HTTP_X_REAL_IP' ); +``` + +# Nginx Proxy Reverse + +Example: + +``` +server { + listen 443 ssl http2; + server_name domain.new; + + ssl_certificate /etc/letsencrypt/live/domain.new/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/domain.new/privkey.pem; + + ssl on; + ssl_session_cache builtin:1000 shared:SSL:10m; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; + ssl_prefer_server_ciphers on; + + include snippets/xss.conf; + + access_log /var/log/nginx/domain.access.log; + + location / { + + include snippets/proxy_headers.conf; + proxy_pass https://localhost:8243; + proxy_redirect https://localhost:8243 https://domain.new; + } +} + + +server { + listen 80; + server_name domain.new; + access_log /var/log/nginx/domain.access.log; + return 301 https://$host$request_uri; +} + +``` + +/etc/nginx/snippets/xss.conf + +``` + add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header 
X-XSS-Protection "1; mode=block" always; +``` + +/etc/nginx/snippets/proxy_headers.conf + +``` +proxy_http_version 1.1; +proxy_set_header Upgrade $http_upgrade; +proxy_set_header Connection "upgrade"; +proxy_set_header Host $host; + +proxy_set_header X-Real-IP $remote_addr; +proxy_set_header X-Forward-For $proxy_add_x_forwarded_for; +proxy_set_header X-Forward-Proto $scheme; +proxy_set_header X-Nginx-Proxy true; +``` diff --git a/config/apache-wordpress.conf b/config/apache-wordpress.conf new file mode 100644 index 0000000..db67c07 --- /dev/null +++ b/config/apache-wordpress.conf @@ -0,0 +1,18 @@ + + ServerName default + DocumentRoot /app/wordpress + + + Options -Indexes +FollowSymLinks +MultiViews + AllowOverride All + Require all granted + + + + # 2.4.10+ can proxy to unix socket + SetHandler "proxy:fcgi://wordpress:9000" + + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + diff --git a/config/wordpress.conf b/config/wordpress.conf deleted file mode 100644 index d9224b9..0000000 --- a/config/wordpress.conf +++ /dev/null 
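Review bot: `AllowOverride All` combined with `Options -Indexes +FollowSymLinks +MultiViews` lets any `.htaccess` under `/app/wordpress` override server settings, and that tree is presumably writable by the PHP process (the compose file mounts `./data` at `/app`). Narrowing it to what WordPress permalinks need, e.g. `AllowOverride FileInfo`, and dropping `+MultiViews` would limit what a plugin-written or uploaded `.htaccess` can change; confirm first that no installed plugin relies on other override classes. The comment `# 2.4.10+ can proxy to unix socket` does not match the handler, which uses TCP; `# PHP is handled by the php-fpm container over TCP (wordpress:9000)` would be accurate. The enclosing section tags are not visible in this rendering of the file, so which requests the handler applies to (for example PHP files under the uploads directory) cannot be checked here.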
@@ -1,88 +0,0 @@ - server { - listen 80; - - root /app/wordpress/; - - index index.php; - - server_name _; - - access_log /var/log/nginx/access.log; - - location = /favicon.ico { - log_not_found off; - access_log off; - } - - location = /robots.txt { - allow all; - log_not_found off; - access_log off; - } - - location / { - try_files $uri $uri/ /index.php?$args; - } - - location ~ \.php$ { - try_files $uri /index.php =404; - fastcgi_pass wordpress:9000; - fastcgi_index index.php; - include fastcgi_params; - - fastcgi_split_path_info ^(.+?\.php)(/.*)$; - set $path_info $fastcgi_path_info; - fastcgi_param PATH_INFO $path_info; - fastcgi_param REMOTE_ADDR $http_x_real_ip; - fastcgi_read_timeout 300; - fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; - } - - location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ { - expires max; - access_log off; - log_not_found off; - } - - } - - - server { - listen 443 ssl default_server; - - include snippets/snakeoil.conf; - - root /app/wordpress/; - - index index.php index.html; - - server_name _; - - access_log /var/log/nginx/access.log; - - location / { - try_files $uri $uri/ /index.php?$args ; - } - - location ~ \.php$ { - try_files $uri /index.php =404; - fastcgi_pass wordpress:9000; - fastcgi_index index.php; - include fastcgi_params; - - fastcgi_split_path_info ^(.+?\.php)(/.*)$; - set $path_info $fastcgi_path_info; - fastcgi_param PATH_INFO $path_info; - fastcgi_param REMOTE_ADDR $http_x_real_ip; - fastcgi_read_timeout 300; - fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; - } - - location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ { - expires max; - access_log off; - log_not_found off; - } - - } - diff --git a/docker-compose.yml b/docker-compose.yml index 4b56999..a3f3b44 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -28,11 +28,11 @@ services: nginx: image: registry.sindominio.net/nginx ports: - - ${NGINX_PORT_HTTP}:80 - - ${NGINX_PORT_HTTPS}:443 + - ${NGINX_PORT_HTTP}:8081 + - ${NGINX_PORT_HTTPS}:4443 volumes: - ./config/nginx.conf:/etc/nginx/nginx.conf:ro - - ./config/wordpress.conf:/etc/nginx/conf.d/wordpress.conf:ro + - ./config/nginx-wordpress-multisite.conf:/etc/nginx/conf.d/wordpress.conf:ro - ./data:/app restart: always diff --git a/entrypoint.sh b/entrypoint.sh index 2612c6b..3111a60 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -17,8 +17,10 @@ config() { if [ -n $MYSQL_PASSWORD ]; then sed -i "s:MYSQL_PASSWORD:$MYSQL_PASSWORD:" /app/wordpress/wp-config.php; fi if [ -n $MYSQL_HOST ]; then sed -i "s:MYSQL_HOST:$MYSQL_HOST:" /app/wordpress/wp-config.php; fi - SALT_KEYS=$(curl -s https://api.wordpress.org/secret-key/1.1/salt) - echo $SALT_KEYS >> /app/wordpress/wp-config.php; + curl -s https://api.wordpress.org/secret-key/1.1/salt | tee -a /app/wordpress/wp-config.php + + #SALT_KEYS=$(curl -s https://api.wordpress.org/secret-key/1.1/salt) + #echo $SALT_KEYS >> /app/wordpress/wp-config.php; } update() {
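Review bot: The new volume line mounts `./config/nginx-wordpress-multisite.conf`, but the part of the diff shown only deletes `config/wordpress.conf` and adds `config/apache-wordpress.conf`; no file with that name is added. If it is missing on the host, Docker creates a directory at the bind-mount source and nginx will either fail to start or run without the intended server block. The container-side ports also change to `8081` and `4443`, which only works if that config listens on those ports, whereas the deleted config listened on 80 and 443. I would add the file in the same commit and a comment such as `# container ports must match the listen directives in nginx-wordpress-multisite.conf`.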
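Review bot: `curl -s ... | tee -a /app/wordpress/wp-config.php` also copies the freshly generated keys and salts to the container's stdout, so they end up in `docker logs` and any log collector, whereas the removed `>>` form kept them in the file only. With `-s` and no `-f`, an HTTP error body is appended to wp-config.php as if it were valid, and a failed request goes unnoticed because the pipeline reports tee's status. I would write `curl -fsS https://api.wordpress.org/secret-key/1.1/salt >> /app/wordpress/wp-config.php || exit 1` and delete the two commented-out lines rather than keep them. config() starts above the hunk, so whether this runs on every start and appends duplicate defines cannot be seen from here.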