Update: Multisite / Network Wordpress Config

.env.sample

@@ -0,0 +1,14 @@
+##
+## CHANGE VARIABLES ##
+##
+
+MYSQL_DATABASE=user
+MYSQL_USER=user
+MYSQL_PASSWORD=user
+MYSQL_HOST=db
+SSH_USER=user
+SSH_PASSWORD=user
+SSH_PORT=2222
+NGINX_PORT_HTTP=8080
+NGINX_PORT_HTTPS=8443
+USER_GROUP=1000:1000

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "sshd"]
+	path = sshd
+	url = https://git.audio-lab.org/lrullo/sshd.git

Dockerfile

@@ -1,9 +1,12 @@
 FROM registry.sindominio.net/php-fpm
 
+ENV TZ=Europe/Madrid
+
 RUN apt-get update && \
-                apt-get -qy install \
-                  php-mysql php-curl php-gd php-mbstring php-xml php-xmlrpc php-soap php-intl php-zip \
-									wget less tar curl ca-certificates &&\
+    apt-get -qy install \
+    php-mysql php-curl php-gd php-imagick php-mbstring php-xml php-xmlrpc php-soap php-intl php-zip \
+    wget less tar curl ca-certificates\
+    mailutils sendmail &&\
     apt-get clean
 
 RUN mkdir -p /app/

README.md

@@ -51,3 +51,94 @@ docker-compose exec wordpress wp theme update --all --path="/app/wordpress/"
 docker-compose exec wordpress wp plugin update --all --path="/app/wordpress/"
 docker-compose exec wordpress wp core update --path="/app/wordpress/"
 ```
+
+# Wordpress MultiUser Config
+
+wp-config.php
+
+```
+/* Multisite */
+define( 'WP_ALLOW_MULTISITE', true );
+
+define('MULTISITE', true);
+define('SUBDOMAIN_INSTALL', false);
+define('DOMAIN_CURRENT_SITE', 'domain.new');
+define('PATH_CURRENT_SITE', '/');
+define('SITE_ID_CURRENT_SITE', 1);
+define('BLOG_ID_CURRENT_SITE', 1);
+```
+
+# Worpress Cerber Config for Proxy Reverse
+
+wp-config.php
+
+```
+define('CERBER_IP_KEY', 'HTTP_X_REAL_IP' );
+```
+
+# Nginx Proxy Reverse 
+
+Example:
+
+```
+server {
+    	listen 443 ssl http2;
+	server_name domain.new;
+
+   	ssl_certificate           /etc/letsencrypt/live/domain.new/fullchain.pem;
+    	ssl_certificate_key       /etc/letsencrypt/live/domain.new/privkey.pem;
+
+    	ssl on;
+    	ssl_session_cache  builtin:1000  shared:SSL:10m;
+    	ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
+    	ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
+    	ssl_prefer_server_ciphers on;
+
+	include snippets/xss.conf;
+
+	access_log            /var/log/nginx/domain.access.log;
+
+        location / {
+
+		include snippets/proxy_headers.conf; 
+		proxy_pass          https://localhost:8243;
+		proxy_redirect	https://localhost:8243 https://domain.new;
+        }
+}
+
+
+server {
+    	listen 80;
+	server_name domain.new;
+	access_log /var/log/nginx/domain.access.log;
+  	return 301 https://$host$request_uri;
+}
+
+```
+
+/etc/nginx/snippets/xss.conf
+
+```
+    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+    add_header Referrer-Policy                      "no-referrer"   always;
+    add_header X-Content-Type-Options               "nosniff"       always;
+    add_header X-Download-Options                   "noopen"        always;
+    add_header X-Frame-Options                      "SAMEORIGIN"    always;
+    add_header X-Permitted-Cross-Domain-Policies    "none"          always;
+    add_header X-Robots-Tag                         "none"          always;
+    add_header X-XSS-Protection                     "1; mode=block" always;
+```
+
+/etc/nginx/snippets/proxy_headers.conf
+
+```
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "upgrade";
+proxy_set_header Host $host;
+
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forward-Proto $scheme;
+proxy_set_header X-Nginx-Proxy true;
+``` 

config/apache-wordpress.conf

@@ -0,0 +1,18 @@
+<VirtualHost *:80>
+    ServerName default
+    DocumentRoot /app/wordpress
+ 
+    <Directory /app/wordpress>
+        Options -Indexes +FollowSymLinks +MultiViews
+        AllowOverride All
+        Require all granted
+    </Directory>
+ 
+    <FilesMatch \.php$>
+        # 2.4.10+ can proxy to unix socket
+        SetHandler "proxy:fcgi://wordpress:9000"
+    </FilesMatch>
+ 
+    ErrorLog ${APACHE_LOG_DIR}/error.log
+    CustomLog ${APACHE_LOG_DIR}/access.log combined
+</VirtualHost>

config/nginx-wordpress-multisite.conf

@@ -0,0 +1,114 @@
+map $uri $blogname{
+    ~^(?P<blogpath>/[^/]+/)wp-content/uploads/sites/(.*)       $blogpath ;
+}
+
+map $blogname $blogid{
+    default -999;
+
+    #Ref: http://wordpress.org/extend/plugins/nginx-helper/
+    #include /var/www/wordpress/wp-content/plugins/nginx-helper/map.conf ;
+}
+
+server {
+	listen 4443 ssl default_server;
+	include snippets/snakeoil.conf;
+
+    server_name lafundicio.net;
+    server_name www.lafundicio.net;
+
+    root /app/wordpress;
+    index index.php;
+
+    client_max_body_size 25M;
+
+    location ~ /\. {
+        deny all;
+    }
+    
+    location ~* /(?:uploads|files)/.*\.php$ {
+        deny all;
+    }
+
+   location ~ ^(/[^/]+/)?wp-content/uploads/sites/(.+) {
+        try_files /wp-content/uploads/sites/$blogid/$2 /wp-includes/ms-files.php?file=$2 ;
+        access_log off;     
+        log_not_found off; expires max;
+    }
+
+    if (!-e $request_filename) {
+        rewrite /wp-admin$ $scheme://$host$uri/ permanent;
+        rewrite ^(/[^/]+)?(/wp-.*) $2 last;
+        rewrite ^(/[^/]+)?(/.*\.php) $2 last;
+    }
+
+    location / {
+        try_files $uri $uri/ /index.php?$args ;
+    }
+
+    location ~ \.php$ {
+        try_files $uri =404;
+        include fastcgi_params;
+	fastcgi_param   SCRIPT_FILENAME  $document_root$fastcgi_script_name;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_index index.php;
+	fastcgi_read_timeout 300;
+	fastcgi_send_timeout 300;
+	fastcgi_pass  wordpress:9000;
+    }
+
+    access_log /app/wordpress.access.log;
+    error_log /app/wordpress.error.log;
+
+}
+
+server {
+
+    listen 8081;
+
+    server_name lafundicio.net;
+    server_name www.lafundicio.net;
+
+    root /app/wordpress;
+    index index.php;
+
+    client_max_body_size 25M;
+
+    location ~ /\. {
+        deny all;
+    }
+    
+    location ~* /(?:uploads|files)/.*\.php$ {
+        deny all;
+    }
+
+   location ~ ^(/[^/]+/)?wp-content/uploads/sites/(.+) {
+        try_files /wp-content/uploads/sites/$blogid/$2 /wp-includes/ms-files.php?file=$2 ;
+        access_log off;     
+        log_not_found off; expires max;
+    }
+
+    if (!-e $request_filename) {
+        rewrite /wp-admin$ $scheme://$host$uri/ permanent;
+        rewrite ^(/[^/]+)?(/wp-.*) $2 last;
+        rewrite ^(/[^/]+)?(/.*\.php) $2 last;
+    }
+
+    location / {
+        try_files $uri $uri/ /index.php?$args ;
+    }
+
+    location ~ \.php$ {
+        try_files $uri =404;
+        include fastcgi_params;
+	fastcgi_param   SCRIPT_FILENAME  $document_root$fastcgi_script_name;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_index index.php;
+	fastcgi_read_timeout 300;
+	fastcgi_send_timeout 300;
+	fastcgi_pass  wordpress:9000;
+    }
+
+    access_log /app/wordpress.access.log;
+    error_log /app/wordpress.error.log;
+
+}

config/nginx-wordpress-site.conf

@@ -0,0 +1,54 @@
+map $uri $blogname{
+    ~^(?P<blogpath>/[^/]+/)files/(.*)       $blogpath ;
+}
+
+map $blogname $blogid{
+    default -999;
+}
+
+
+  server {
+	listen 4443 ssl default_server;
+	
+	include snippets/snakeoil.conf;
+
+        root /app/wordpress/;
+
+        index index.php index.html;
+
+        server_name _;
+
+        access_log /var/log/nginx/access.log;
+
+        location / {
+                try_files $uri $uri/ /index.php?$args ;
+        }
+
+        location ~ \.php$ {
+		try_files $uri /index.php =404;
+		fastcgi_pass  wordpress:9000;
+		fastcgi_index index.php;
+		include        fastcgi_params;
+					
+		fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+		set $path_info $fastcgi_path_info;
+		fastcgi_param PATH_INFO $path_info;
+                fastcgi_param REMOTE_ADDR $http_x_real_ip;
+                fastcgi_read_timeout 300; 
+		fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+        }
+
+	location ~ ^/files/(.*)$ {
+                try_files /wp-content/blogs.dir/$blogid/$uri /wp-includes/ms-files.php?file=$1 ;
+                access_log off; log_not_found off;      expires max;
+        }
+
+
+    	location ^~ /blogs.dir {
+        	internal;
+        	alias /var/www/example.com/htdocs/wp-content/blogs.dir;
+        	access_log off;     log_not_found off;      expires max;
+    	}
+
+  }
+

config/wordpress.conf

@@ -1,88 +0,0 @@
-  server {
-	listen 80;
-	
-        root /app/wordpress/;
-
-        index index.php;
-
-        server_name _;
-
-        access_log /var/log/nginx/access.log;
-
-	location = /favicon.ico {
-                log_not_found off;
-                access_log off;
-        }
-
-        location = /robots.txt {
-                allow all;
-                log_not_found off;
-                access_log off;
-        }
-
-        location / {
-                try_files $uri $uri/ /index.php?$args;
-        }
-
-        location ~ \.php$ {
-		try_files $uri /index.php =404;
-		fastcgi_pass  wordpress:9000;
-		fastcgi_index index.php;
-		include fastcgi_params;
-								
-		fastcgi_split_path_info ^(.+?\.php)(/.*)$;
-		set $path_info $fastcgi_path_info;
-		fastcgi_param PATH_INFO $path_info;
-                fastcgi_param REMOTE_ADDR $http_x_real_ip;
-                fastcgi_read_timeout 300; 
-		fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
-        }
-
- 	location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
-                expires max;
-                access_log off;
-                log_not_found off;
-        }
-
-  }
-
-
-  server {
-	listen 443 ssl default_server;
-	
-	include snippets/snakeoil.conf;
-
-        root /app/wordpress/;
-
-        index index.php index.html;
-
-        server_name _;
-
-        access_log /var/log/nginx/access.log;
-
-        location / {
-                try_files $uri $uri/ /index.php?$args ;
-        }
-
-        location ~ \.php$ {
-								try_files $uri /index.php =404;
-								fastcgi_pass  wordpress:9000;
-								fastcgi_index index.php;
-								include        fastcgi_params;
-								
-								fastcgi_split_path_info ^(.+?\.php)(/.*)$;
-								set $path_info $fastcgi_path_info;
-								fastcgi_param PATH_INFO $path_info;
-                fastcgi_param REMOTE_ADDR $http_x_real_ip;
-                fastcgi_read_timeout 300; 
-								fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
-        }
-
-			  location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
-                expires max;
-                access_log off;
-                log_not_found off;
-        }
-
-  }
-

docker-compose.yml

@@ -28,11 +28,11 @@ services:
   nginx:
     image: registry.sindominio.net/nginx
     ports:
-      - ${NGINX_PORT_HTTP}:80
-      - ${NGINX_PORT_HTTPS}:443
+        - ${NGINX_PORT_HTTP}:8081
+        - ${NGINX_PORT_HTTPS}:4443
     volumes:
       - ./config/nginx.conf:/etc/nginx/nginx.conf:ro
-      - ./config/wordpress.conf:/etc/nginx/conf.d/wordpress.conf:ro
+      - ./config/nginx-wordpress-multisite.conf:/etc/nginx/conf.d/wordpress.conf:ro
       - ./data:/app
     restart: always
 

entrypoint.sh

@@ -17,8 +17,10 @@ config() {
 	if [ -n $MYSQL_PASSWORD ]; then sed -i "s:MYSQL_PASSWORD:$MYSQL_PASSWORD:" /app/wordpress/wp-config.php; fi
 	if [ -n $MYSQL_HOST ]; then sed -i "s:MYSQL_HOST:$MYSQL_HOST:" /app/wordpress/wp-config.php; fi
 
-	SALT_KEYS=$(curl -s https://api.wordpress.org/secret-key/1.1/salt)
-	echo $SALT_KEYS >> /app/wordpress/wp-config.php;
+	curl -s https://api.wordpress.org/secret-key/1.1/salt | tee -a /app/wordpress/wp-config.php
+
+	#SALT_KEYS=$(curl -s https://api.wordpress.org/secret-key/1.1/salt)
+	#echo $SALT_KEYS >> /app/wordpress/wp-config.php;
 }
 
 update() {