Update: Tiki with Manticore

Dockerfile

@@ -1,5 +1,9 @@
 FROM debian:stable-slim
 
+ARG BRANCH=25.x
+ARG UID=1000
+ARG GID=1000
+
 RUN apt update && apt dist-upgrade -y
 
 RUN apt-get -y install lsb-release ca-certificates curl
@@ -12,7 +16,8 @@ RUN apt install -y \
 	sqlite3 php7.4-sqlite3 build-essential elinks unzip xlsx2csv psutils \
 	php7.4-memcached php7.4-memcached php7.4-opcache php7.4-intl php7.4-gd \
 	php7.4-mysql php7.4-ldap php7.4-dom php7.4-zip php7.4-ldap \
-	php7.4-fpm php7.4-mysql php7.4-mbstring \
+	php7.4-fpm php7.4-mysql php7.4-mbstring php7.4-bz2 \
+	php-dompdf \
 	composer curl
 
 RUN apt install -y \
@@ -20,20 +25,37 @@ RUN apt install -y \
 
 RUN a2enmod rewrite alias authz_user ssl
 
-WORKDIR /var/www/html/
+RUN apt install -y \
-
+	tesseract-ocr 
-RUN git clone https://gitlab.com/tikiwiki/tiki.git
-
-WORKDIR ./tiki
-
-RUN chown -R www-data:www-data /var/www/html/tiki
-
-COPY conf/www.conf /etc/php/7.4/fpm/pool.d/www.conf
-COPY conf/php-fpm.conf /etc/php/7.4/fpm/php-fpm.conf
 
 ADD start.sh /start.sh
+
 ADD entrypoint.sh /entrypoint.sh
 
+RUN addgroup --gid ${GID} tikiwiki
+
+RUN adduser \
+   --system \
+   --uid ${UID} \
+   --gid ${GID} \
+   --shell /usr/sbin/nologin \
+   --gecos 'Tikiwiki' \
+   --disabled-password \
+   --home /var/www/html/tiki \
+   tikiwiki
+
+RUN adduser www-data tikiwiki
+
+WORKDIR /var/www/html/tiki
+
+USER tikiwiki
+
+RUN git clone -b ${BRANCH} https://gitlab.com/tikiwiki/tiki.git .
+
+USER root
+
+RUN mkdir -p files/forums && chmod -R 777 files/forums
+
 VOLUME ["/uploads"]
 
 ENTRYPOINT [ "/bin/sh", "/entrypoint.sh" ]

conf/default-ssl.conf

@@ -1,3 +1,520 @@
+
+#<!-- listen 80 -->
+<VirtualHost *:80>
+	ServerAdmin webmaster@localhost
+	DocumentRoot /var/www/html/tiki/
+	ErrorLog ${APACHE_LOG_DIR}/error.log
+	CustomLog ${APACHE_LOG_DIR}/access.log combined
+	<FilesMatch "\.(cgi|shtml|phtml|php)$">
+			SSLOptions +StdEnvVars
+	</FilesMatch>
+	<Directory /usr/lib/cgi-bin>
+			SSLOptions +StdEnvVars
+	</Directory>
+
+	<Directory "/var/www/html/tiki">
+		<FilesMatch "\.(bak|inc|lib|sh|tpl|sql)$">
+    		<IfModule mod_authz_core.c>
+       			Require all denied
+    		</IfModule>
+    		<IfModule !mod_authz_core.c>
+        		order deny,allow
+        		deny from all
+    		</IfModule>
+		</FilesMatch>
+		<FilesMatch "(changelog.txt|_htaccess)$">
+    		<IfModule mod_authz_core.c>
+       			Require all denied
+    		</IfModule>
+   	 	<IfModule !mod_authz_core.c>
+        		order deny,allow
+        		deny from all
+    		</IfModule>
+	</FilesMatch>
+
+<IfModule mod_dir.c>
+	DirectoryIndex index.php
+</IfModule>
+
+<IfModule mod_deflate.c>
+	<IfModule mod_headers.c>
+		# Make sure proxies don't deliver the wrong content.
+		Header append Vary User-Agent env=!dont-vary
+	</IfModule>
+	AddOutputFilterByType DEFLATE text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/html text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon application/json
+	<IfModule mod_mime.c>
+		# DEFLATE by extension.
+		AddOutputFilter DEFLATE js css htm html xml svg
+	</IfModule>
+</IfModule>
+
+FileETag none
+
+<IfModule mod_headers.c>
+    Header unset Cache-Control
+
+    <IfModule mod_setenvif.c>
+    # Mod_headers, y u no match by Content-Type?!
+        <FilesMatch "(?i)\.(gif|png|jpe?g|svgz?|ico)$">
+            SetEnvIf Origin ":" IS_CORS
+            Header set Access-Control-Allow-Origin "*" env=IS_CORS
+        </FilesMatch>
+    </IfModule>
+
+    <FilesMatch "(?i)\.(ttf|ttc|otf|eot|woff2?|css|js)$">
+        Header set Access-Control-Allow-Origin "*"
+    </FilesMatch>
+
+</IfModule>
+
+<IfModule mod_expires.c>
+	<FilesMatch "(?i)\.(gif|png|jpe?g|svgz?|ico)$">
+		ExpiresActive on
+		ExpiresDefault "access plus 1 month"
+	</FilesMatch>
+	<FilesMatch "(?i)\.(js|css)$">
+		ExpiresActive on
+		ExpiresDefault "access plus 1 month"
+	</FilesMatch>
+</IfModule>
+
+<IfModule mod_rewrite.c>
+
+    RewriteEngine On
+
+    # -- Apache Authorization Header -- #
+    # Rewrite rules for passing authorization with Apache running in CGI or FastCGI mode
+    RewriteCond %{HTTP:Authorization} ^(.*)
+    RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]
+
+    # -- SVN Checkout Enabled Tiki -- #
+    # Prevents reading of SVN specific files, if your website is using this. (Development only normally)
+    RewriteRule	.*/\.svn/.*	-	[F,L]
+
+    # -- If the URL Points to a File Then do Nothing -- #
+    RewriteCond %{REQUEST_FILENAME} -s [OR]
+    RewriteCond %{REQUEST_FILENAME} -l [OR]
+    RewriteCond %{REQUEST_FILENAME} -f [OR]
+    RewriteCond %{REQUEST_FILENAME} -d
+    RewriteRule (.*) - [L]
+
+        # -- Tiki URL Rewriting -- #
+    # Read more: https://dev.tiki.org/URL+Rewriting+Revamp
+    RewriteRule .*                     route.php                                [L]
+
+</IfModule>
+
+</Directory>
+<Directory "/var/www/html/tiki/admin">
+<FilesMatch ".*">
+	<IfModule mod_authz_core.c>
+		Require all denied
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+		order deny,allow
+		deny from all
+	</IfModule>
+</FilesMatch>
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+</Directory>
+<Directory "/var/www/html/tiki/db">
+<FilesMatch ".*">
+	<IfModule mod_authz_core.c>
+		Require all denied
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+		order deny,allow
+		deny from all
+	</IfModule>
+</FilesMatch>
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+</Directory>
+<Directory "/var/www/html/tiki/doc">
+<FilesMatch ".*">
+	<IfModule mod_authz_core.c>
+		Require all denied
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+		order deny,allow
+		deny from all
+	</IfModule>
+</FilesMatch>
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+</Directory>
+<Directory "/var/www/html/tiki/dump">
+<FilesMatch ".*">
+	<IfModule mod_authz_core.c>
+		Require all denied
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+		order deny,allow
+		deny from all
+	</IfModule>
+</FilesMatch>
+<FilesMatch "\.(zip|tar)$">
+	<IfModule mod_authz_core.c>
+		Require all granted
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+	  order deny,allow
+	  allow from all
+	</IfModule>
+</FilesMatch>
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+</Directory>
+<Directory "/var/www/html/tiki/img">
+<FilesMatch ".*">
+	<IfModule mod_authz_core.c>
+		Require all denied
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+		order deny,allow
+		deny from all
+	</IfModule>
+</FilesMatch>
+
+<FilesMatch "\.(jpe?g|png|svg|gif)$">
+	<IfModule mod_authz_core.c>
+		Require all granted
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+		Allow from all
+	</IfModule>
+</FilesMatch>
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+</Directory>
+<Directory "/var/www/html/tiki/installer">
+<FilesMatch ".*">
+	<IfModule mod_authz_core.c>
+		Require all denied
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+		order deny,allow
+		deny from all
+	</IfModule>
+</FilesMatch>
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+</Directory>
+<Directory "/var/www/html/tiki/lang">
+<FilesMatch ".*">
+	<IfModule mod_authz_core.c>
+		Require all denied
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+		order deny,allow
+		deny from all
+	</IfModule>
+</FilesMatch>
+
+
+<FilesMatch "\.(js)$">
+	<IfModule mod_authz_core.c>
+		Require all granted
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+		Allow from all
+	</IfModule>
+</FilesMatch>
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+</Directory>
+<Directory "/var/www/html/tiki/lib">
+<FilesMatch ".*">
+	<IfModule mod_authz_core.c>
+		Require all denied
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+		order deny,allow
+		deny from all
+	</IfModule>
+</FilesMatch>
+#remaining files		- unknown browser access
+<FilesMatch "\.(js|swf|css|gif|png|svg|as|fla|ttf|xml)$">
+	<IfModule mod_authz_core.c>
+		Require all granted
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+		Allow from all
+	</IfModule>
+</FilesMatch>
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+</Directory>
+<Directory "/var/www/html/tiki/lists">
+<FilesMatch ".*">
+    <IfModule mod_authz_core.c>
+        Require all denied
+    </IfModule>
+    <IfModule !mod_authz_core.c>
+        order deny,allow
+        deny from all
+    </IfModule>
+</FilesMatch>
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+</Directory>
+<Directory "/var/www/html/tiki/modules">
+<FilesMatch ".*">
+	<IfModule mod_authz_core.c>
+		Require all denied
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+		order deny,allow
+		deny from all
+	</IfModule>
+</FilesMatch>
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+</Directory>
+<Directory "/var/www/html/tiki/permissioncheck">
+
+AuthUserFile /PATH_TO_TIKI_PERMISSIONCHECK/.htpasswd
+AuthName "permissioncheck prepare password protection first"
+AuthType Basic
+<Limit GET POST PUT>
+	require valid-user
+</Limit>
+
+<FilesMatch "\.(bak|inc|inc\.php|lib|sh|sql|tpl)$">
+	<IfModule mod_authz_core.c>
+		Require all denied
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+		order deny,allow
+		deny from all
+	</IfModule>
+</FilesMatch>
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+</Directory>
+<Directory "/var/www/html/tiki/storage">
+<FilesMatch ".*">
+	<IfModule mod_authz_core.c>
+		Require all denied
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+		order deny,allow
+		deny from all
+	</IfModule>
+</FilesMatch>
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+</Directory>
+<Directory "/var/www/html/tiki/storage/public">
+<FilesMatch ".*">
+    <IfModule mod_authz_core.c>
+       Require all granted
+    </IfModule>
+    <IfModule !mod_authz_core.c>
+      order deny,allow
+      allow from all
+    </IfModule>
+</FilesMatch>
+</Directory>
+<Directory "/var/www/html/tiki/temp">
+<FilesMatch ".*">
+	<IfModule mod_authz_core.c>
+		Require all denied
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+		order deny,allow
+		deny from all
+	</IfModule>
+</FilesMatch>
+<FilesMatch "\.png$">
+	<IfModule mod_authz_core.c>
+		Require all granted
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+	  order deny,allow
+	  allow from all
+	</IfModule>
+</FilesMatch>
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+</Directory>
+<Directory "/var/www/html/tiki/temp/public">
+<FilesMatch ".*">
+    <IfModule mod_authz_core.c>
+       Require all granted
+    </IfModule>
+    <IfModule !mod_authz_core.c>
+      order deny,allow
+      allow from all
+    </IfModule>
+</FilesMatch>
+<IfModule mod_expires.c>
+<FilesMatch "^avatar_.*">
+	ExpiresActive on
+	ExpiresDefault "modification"
+</FilesMatch>
+</IfModule>
+
+</Directory>
+<Directory "/var/www/html/tiki/templates">
+<FilesMatch ".*">
+	<IfModule mod_authz_core.c>
+		Require all denied
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+		order deny,allow
+		deny from all
+	</IfModule>
+</FilesMatch>
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+</Directory>
+<Directory "/var/www/html/tiki/themes">
+<FilesMatch ".*">
+	<IfModule mod_authz_core.c>
+		Require all denied
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+		order deny,allow
+		deny from all
+	</IfModule>
+</FilesMatch>
+
+<FilesMatch "(?i)\.(css|js|jpe?g|png|ico|gif|svgz?|bmp|json|xml|ttf|eot|woff2?|otf|swf|map|less)$">
+	#the map and less files are allowed for developer deugging tools.
+	<IfModule mod_authz_core.c>
+		Require all granted
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+		Allow from all
+	</IfModule>
+</FilesMatch>
+</Directory>
+<Directory "/var/www/html/tiki/var/www/html/tiki_tests">
+<FilesMatch ".*">
+    <IfModule mod_authz_core.c>
+       Require all denied
+    </IfModule>
+    <IfModule !mod_authz_core.c>
+        order deny,allow
+        deny from all
+    </IfModule>
+</FilesMatch>
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+
+</Directory>
+<Directory "/var/www/html/tiki/vendor">
+
+<IfModule mod_rewrite.c>
+	RewriteEngine On
+
+	# -- Always Allow These File Types -- #
+	RewriteRule "\.(jpe?g|png|ico|gif|svgz?|ttf|eot|woff2?|otf|js|css)$" "-" [PT,L]
+
+	# -- Allow Access to files used by Developer Dubugging Tools -- #
+	RewriteRule "\.(map|less|scss)$" "-" [PT,L]
+
+	# -- Deny Everything Not Matched Above -- #
+	RewriteRule "/*" "-" [F]
+
+</IfModule>
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+
+</Directory>
+<Directory "/var/www/html/tiki/vendor_bundled">
+
+<IfModule mod_rewrite.c>
+	RewriteEngine On
+
+	# -- Always Allow These File Types -- #
+	RewriteRule "\.(jpe?g|png|ico|gif|svgz?|ttf|eot|woff2?|otf|js|css)$" "-" [PT,L]
+
+	# -- Allow Access to files used by Developer Dubugging Tools -- #
+	RewriteRule "\.(map|less|scss)$" "-" [PT,L]
+
+	# -- Vendor Exception List -- #
+	# These are file types by vendor file that will bypass the default filtering
+	#
+	# If you are adding a new vendor that needs browser access, adding a file
+	#  type exception will be required.
+
+	RewriteRule "^(vendor/player/).*/.*\.swf$" "-" [PT,L]
+	RewriteRule "^(vendor/fortawesome/).*/.*\.swf$" "-" [PT,L]
+	RewriteRule "^(vendor/jquery/).*/.*\.swf$" "-" [PT,L]
+	RewriteRule "^(vendor/studio-42/).*/.*\.wav$" "-" [PT,L]
+
+	# -- Deny Everything Not Matched Above -- #
+	RewriteRule "/*" "-" [F]
+
+</IfModule>
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+
+</Directory>
+<Directory "/var/www/html/tiki/vendor_bundled/vendor/ezyang/htmlpurifier/benchmarks">
+Deny from all
+
+</Directory>
+<Directory "/var/www/html/tiki/vendor_bundled/vendor/ezyang/htmlpurifier/maintenance">
+Deny from all
+
+</Directory>
+<Directory "/var/www/html/tiki/vendor_bundled/vendor/phenx/php-font-lib">
+#deny from all
+</Directory>
+<Directory "/var/www/html/tiki/vendor_bundled/vendor/studio-42/elfinder/php/.tmp">
+order deny,allow
+deny from all
+
+</Directory>
+<Directory "/var/www/html/tiki/vendor_extra">
+<FilesMatch ".*">
+	<IfModule mod_authz_core.c>
+		Require all denied
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+		order deny,allow
+		deny from all
+	</IfModule>
+</FilesMatch>
+
+<FilesMatch "\.(jpg|png|gif|css|js)$">
+	<IfModule mod_authz_core.c>
+		Require all granted
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+		Allow from all
+	</IfModule>
+</FilesMatch>
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+</Directory>
+
+	</VirtualHost>
+#<!-- end listen 80 -->
+
+#<!-- listen 443 -->
 <IfModule mod_ssl.c>
 	<VirtualHost _default_:443>
 		ServerAdmin webmaster@localhost
@@ -523,4 +1040,4 @@ Options -Indexes
 	</VirtualHost>
 </IfModule>
 
-
+#<!-- end listen 443 -->

conf/envvars

@@ -6,8 +6,8 @@ else
 	SUFFIX=
 fi
 
-export APACHE_RUN_USER=www-data
+export APACHE_RUN_USER=tikiwiki
-export APACHE_RUN_GROUP=www-data
+export APACHE_RUN_GROUP=tikiwiki
 export APACHE_PID_FILE=/tmp/apache2$SUFFIX/apache2.pid
 export APACHE_RUN_DIR=/tmp/apache2$SUFFIX
 export APACHE_LOCK_DIR=/tmp/apache2$SUFFIX

docker-compose.yml

@@ -1,28 +1,52 @@
 version: '3'
 
-volumes:
-  uploads:
-  db:
-
 services:
+  phpmyadmin:
+    image: phpmyadmin
+    restart: always
+    ports:
+      - 8080:80
+    environment:
+      - PMA_ARBITRARY=1
   tikiwiki:
     image: registry.audio-lab.org/tikiwiki:latest
-    build: .
+    build: 
+      context: .
+      args:
+        - BRANCH=25.x
+        - UID=1000
+        - GID=1000
     ports:
-      - 8443:443
+      - 443:443
-      - 8480:80
+      - 80:80
     volumes:
-      - uploads:/uploads
+      - ./uploads:/var/www/html/uploads
+      - /tmp:/tmp
       - ./conf/envvars:/etc/apache2/envvars:ro
       - ./conf/default-ssl.conf:/etc/apache2/sites-available/000-default.conf:ro
     restart: always
-  db:
-    image: mariadb:10
-    restart: always
-    volumes:
-      - db:/var/lib/mysql
     environment:
-      MYSQL_DATABASE: tikiwiki
+      MYSQL_DATABASE: dockertiki
       MYSQL_USER: tiki
-      MYSQL_RANDOM_ROOT_PASSWORD: '1'
+      MYSQL_PASSWORD: wiki
-      MYSQL_PASSWORD: wiki # CHANGE PASSW
+      MYSQL_HOST: 172.16.0.240
+  manticore:
+    container_name: manticore
+    image: manticoresearch/manticore
+    environment:
+      - EXTRA=1
+    restart: always
+    ports:
+      - 172.16.0.240:9306:9306
+      - 172.16.0.240:9308:9308
+    ulimits:
+      nproc: 65535
+      nofile:
+         soft: 65535
+         hard: 65535
+      memlock:
+        soft: -1
+        hard: -1
+    volumes:
+      - ./manticore:/var/lib/manticore
+      - /tmp:/tmp

entrypoint.sh

@@ -1,5 +1,36 @@
 #!/bin/bash
 
-sudo -u www-data setup.sh -n composer
+set -e
+
+echo "Starting Tikiwiki"
+
+bash setup.sh -n composer
+
+install() {
+	echo "Install"
+	echo $MYSQL_HOST $MYSQL_USER $MYSQL_PASSWORD $MYSQL_DATABASE
+	php7.4 console.php database:configure --host $MYSQL_HOST $MYSQL_USER $MYSQL_PASSWORD $MYSQL_DATABASE
+	php7.4 console.php database:install 
+	php7.4 console.php installer:lock
+	update
+}
+
+update() {
+	echo "Update"
+	php7.4 console.php database:update
+	php7.4 console.php package:install TikiManager
+	php7.4 console.php package:install PDFjsViewer
+	php7.4 console.php package:install MediaAlchemyst
+	php7.4 console.php package:install diagram
+	php7.4 console.php package:install mPDF
+	php7.4 console.php package:install Lozad
+	php7.4 console.php package:install FakerPHP
+	php7.4 console.php package:install Expose
+	php7.4 console.php package:install CasperJS
+	php7.4 console.php package:update
+}
+
+[ -s ./db/local.php ] && update || install
+
 
 exec $@