Custom tikiwiki
commit
83bc84eec5
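--- a/Dockerfile
+++ b/Dockerfile
@@ -0,0 +1,41 @@
+FROM debian:stable-slim
+
+RUN apt update && apt dist-upgrade -y
+
+RUN apt-get -y install lsb-release ca-certificates curl
+RUN curl -sSLo /usr/share/keyrings/deb.sury.org-php.gpg https://packages.sury.org/php/apt.gpg
+RUN sh -c 'echo "deb [signed-by=/usr/share/keyrings/deb.sury.org-php.gpg] https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list'
+RUN apt-get update
+
+RUN apt install -y \
+php7.4-dom php7.4-gd php7.4-curl php7.4-intl php7.4-zip php7.4-bcmath \
+sqlite3 php7.4-sqlite3 build-essential elinks unzip xlsx2csv psutils \
+php7.4-memcached php7.4-memcached php7.4-opcache php7.4-intl php7.4-gd \
+php7.4-mysql php7.4-ldap php7.4-dom php7.4-zip php7.4-ldap \
+php7.4-fpm php7.4-mysql php7.4-mbstring \
+composer curl
+
+RUN apt install -y \
+apache2 apache2-utils libapache2-mod-php7.4
+
+RUN a2enmod rewrite alias authz_user ssl
+
+WORKDIR /var/www/html/
+
+RUN git clone https://gitlab.com/tikiwiki/tiki.git
+
+WORKDIR ./tiki
+
+RUN chown -R www-data:www-data /var/www/html/tiki
+
+COPY conf/www.conf /etc/php/7.4/fpm/pool.d/www.conf
+COPY conf/php-fpm.conf /etc/php/7.4/fpm/php-fpm.conf
+
+ADD start.sh /start.sh
+ADD entrypoint.sh /entrypoint.sh
+
+VOLUME ["/uploads"]
+
+ENTRYPOINT [ "/bin/sh", "/entrypoint.sh" ]
+
+CMD "/start.sh"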
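Review bot: Nothing in this Dockerfile pins or verifies what it downloads: `FROM debian:stable-slim` floats, the sury.org signing key is fetched with `curl` and trusted without a fingerprint check, and `git clone https://gitlab.com/tikiwiki/tiki.git` takes whatever the default branch holds at build time, so two builds of the same commit can ship different code. I would pin the clone to a release, e.g. `RUN git clone --depth 1 --branch <TIKI_RELEASE_TAG> https://gitlab.com/tikiwiki/tiki.git`, and pin the base image by digest. `git` is not in any of the package lists, so the clone only works if it happens to arrive as a recommended dependency; install it explicitly. The standalone `RUN apt-get update` layer can be served from cache while the later `apt install` layers are rebuilt, so update and install belong in one `RUN`. There is also no `USER` line, so `/entrypoint.sh` and `/start.sh` start as root.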
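--- a/Dockerfile.nginx
+++ b/Dockerfile.nginx
@@ -0,0 +1,28 @@
+FROM registry.audio-lab.org/tikiwiki:latest
+
+RUN apt-get update && \
+apt-get -qy install nginx-full ssl-cert && \
+apt-get clean
+
+# Basic nginx directories
+RUN mkdir -p /var/lib/nginx/body && \
+mkdir -p /var/lib/nginx/proxy && \
+mkdir -p /var/lib/nginx/fastcgi && \
+mkdir -p /var/lib/nginx/scgi && \
+mkdir -p /var/lib/nginx/uwsgi
+
+# Logging to stdout
+RUN ln -sf /proc/self/fd /dev/
+RUN ln -sf /dev/stdout /var/log/nginx/access.log && ln -sf /dev/stderr /var/log/nginx/error.log
+
+# PID nginx for non-root users
+RUN mkdir -p /run/nginx && \
+chmod 777 /run/nginx && \
+chmod -R 777 /var/lib/nginx
+
+# Use port 8080
+RUN sed -i 's/80/8080/g' /etc/nginx/sites-enabled/default
+
+EXPOSE 8080
+
+ENTRYPOINT ["/usr/sbin/nginx"]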
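Review bot: The `chmod 777 /run/nginx` and `chmod -R 777 /var/lib/nginx` step makes nginx's PID and temp directories world-writable, yet the image never sets `USER`, so nginx still starts as root and the "PID nginx for non-root users" comment is not realised. Give the directories to one account instead, `chown -R www-data:www-data /run/nginx /var/lib/nginx`, and add `USER www-data` before `ENTRYPOINT`. `sed -i 's/80/8080/g'` rewrites every occurrence of "80" in the default site, not only the `listen` directives, so it should be restricted to those lines. The `ENTRYPOINT` starts nginx without `daemon off;` and `conf/nginx.conf` from this commit is never copied in, so unless that file is mounted at run time the process will likely background itself and the container will exit. The `:latest` base tag also means this image inherits whatever was last pushed under that name.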
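--- a/conf/000-default.conf
+++ b/conf/000-default.conf
@@ -0,0 +1,37 @@
+<VirtualHost *:80>
+# The ServerName directive sets the request scheme, hostname and port that
+# the server uses to identify itself. This is used when creating
+# redirection URLs. In the context of virtual hosts, the ServerName
+# specifies what hostname must appear in the request's Host: header to
+# match this virtual host. For the default virtual host (this file) this
+# value is not decisive as it is used as a last resort host regardless.
+# However, you must set it for any further virtual host explicitly.
+#ServerName www.example.com
+
+ServerAdmin webmaster@localhost
+DocumentRoot /var/www/html/orig
+
+# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+# error, crit, alert, emerg.
+# It is also possible to configure the loglevel for particular
+# modules, e.g.
+#LogLevel info ssl:warn
+
+ErrorLog ${APACHE_LOG_DIR}/error.log
+CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+<Directory "/var/www/html/orig">
+Options +MultiViews
+AllowOverride All
+Require all granted
+</Directory>
+
+# For most configuration files from conf-available/, which are
+# enabled or disabled at a global level, it is possible to
+# include a line for only one particular virtual host. For example the
+# following line enables the CGI configuration for this host only
+# after it has been globally disabled with "a2disconf".
+#Include conf-available/serve-cgi-bin.conf
+</VirtualHost>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet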
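Review bot: `DocumentRoot /var/www/html/orig` and the matching `<Directory "/var/www/html/orig">` point at a path that nothing in this commit creates (the Dockerfile clones Tiki into `/var/www/html/tiki`), and no `COPY` or compose mount on this page installs this file. If it is meant to be the port-80 vhost, point it at `/var/www/html/tiki` and consider redirecting to HTTPS rather than serving the wiki in clear text; if it is a leftover, drop it from the commit. `AllowOverride All` together with `Require all granted` also hands access control to any `.htaccess` file in the tree, which is looser than the explicit per-directory denies in `conf/default-ssl.conf`.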
526
conf/default-ssl.conf
Normal file
526
conf/default-ssl.conf
Normal file
@ -0,0 +1,526 @@
|
|||||||
|
<IfModule mod_ssl.c>
|
||||||
|
<VirtualHost _default_:443>
|
||||||
|
ServerAdmin webmaster@localhost
|
||||||
|
|
||||||
|
DocumentRoot /var/www/html/tiki/
|
||||||
|
ErrorLog ${APACHE_LOG_DIR}/error.log
|
||||||
|
CustomLog ${APACHE_LOG_DIR}/access.log combined
|
||||||
|
SSLEngine on
|
||||||
|
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||||
|
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
|
||||||
|
<FilesMatch "\.(cgi|shtml|phtml|php)$">
|
||||||
|
SSLOptions +StdEnvVars
|
||||||
|
</FilesMatch>
|
||||||
|
<Directory /usr/lib/cgi-bin>
|
||||||
|
SSLOptions +StdEnvVars
|
||||||
|
</Directory>
|
||||||
|
|
||||||
|
#<Directory "/var/www/html/tiki">
|
||||||
|
# Options +MultiViews
|
||||||
|
# AllowOverride All
|
||||||
|
# Require all granted
|
||||||
|
#</Directory>
|
||||||
|
|
||||||
|
<Directory "/var/www/html/tiki">
|
||||||
|
<FilesMatch "\.(bak|inc|lib|sh|tpl|sql)$">
|
||||||
|
<IfModule mod_authz_core.c>
|
||||||
|
Require all denied
|
||||||
|
</IfModule>
|
||||||
|
<IfModule !mod_authz_core.c>
|
||||||
|
order deny,allow
|
||||||
|
deny from all
|
||||||
|
</IfModule>
|
||||||
|
</FilesMatch>
|
||||||
|
<FilesMatch "(changelog.txt|_htaccess)$">
|
||||||
|
<IfModule mod_authz_core.c>
|
||||||
|
Require all denied
|
||||||
|
</IfModule>
|
||||||
|
<IfModule !mod_authz_core.c>
|
||||||
|
order deny,allow
|
||||||
|
deny from all
|
||||||
|
</IfModule>
|
||||||
|
</FilesMatch>
|
||||||
|
|
||||||
|
<IfModule mod_dir.c>
|
||||||
|
DirectoryIndex index.php
|
||||||
|
</IfModule>
|
||||||
|
|
||||||
|
<IfModule mod_deflate.c>
|
||||||
|
<IfModule mod_headers.c>
|
||||||
|
# Make sure proxies don't deliver the wrong content.
|
||||||
|
Header append Vary User-Agent env=!dont-vary
|
||||||
|
</IfModule>
|
||||||
|
AddOutputFilterByType DEFLATE text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/html text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon application/json
|
||||||
|
<IfModule mod_mime.c>
|
||||||
|
# DEFLATE by extension.
|
||||||
|
AddOutputFilter DEFLATE js css htm html xml svg
|
||||||
|
</IfModule>
|
||||||
|
</IfModule>
|
||||||
|
|
||||||
|
FileETag none
|
||||||
|
|
||||||
|
<IfModule mod_headers.c>
|
||||||
|
Header unset Cache-Control
|
||||||
|
|
||||||
|
<IfModule mod_setenvif.c>
|
||||||
|
# Mod_headers, y u no match by Content-Type?!
|
||||||
|
<FilesMatch "(?i)\.(gif|png|jpe?g|svgz?|ico)$">
|
||||||
|
SetEnvIf Origin ":" IS_CORS
|
||||||
|
Header set Access-Control-Allow-Origin "*" env=IS_CORS
|
||||||
|
</FilesMatch>
|
||||||
|
</IfModule>
|
||||||
|
|
||||||
|
<FilesMatch "(?i)\.(ttf|ttc|otf|eot|woff2?|css|js)$">
|
||||||
|
Header set Access-Control-Allow-Origin "*"
|
||||||
|
</FilesMatch>
|
||||||
|
|
||||||
|
</IfModule>
|
||||||
|
|
||||||
|
<IfModule mod_expires.c>
|
||||||
|
<FilesMatch "(?i)\.(gif|png|jpe?g|svgz?|ico)$">
|
||||||
|
ExpiresActive on
|
||||||
|
ExpiresDefault "access plus 1 month"
|
||||||
|
</FilesMatch>
|
||||||
|
<FilesMatch "(?i)\.(js|css)$">
|
||||||
|
ExpiresActive on
|
||||||
|
ExpiresDefault "access plus 1 month"
|
||||||
|
</FilesMatch>
|
||||||
|
</IfModule>
|
||||||
|
|
||||||
|
<IfModule mod_rewrite.c>
|
||||||
|
|
||||||
|
RewriteEngine On
|
||||||
|
|
||||||
|
# -- Apache Authorization Header -- #
|
||||||
|
# Rewrite rules for passing authorization with Apache running in CGI or FastCGI mode
|
||||||
|
RewriteCond %{HTTP:Authorization} ^(.*)
|
||||||
|
RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]
|
||||||
|
|
||||||
|
# -- SVN Checkout Enabled Tiki -- #
|
||||||
|
# Prevents reading of SVN specific files, if your website is using this. (Development only normally)
|
||||||
|
RewriteRule .*/\.svn/.* - [F,L]
|
||||||
|
|
||||||
|
# -- If the URL Points to a File Then do Nothing -- #
|
||||||
|
RewriteCond %{REQUEST_FILENAME} -s [OR]
|
||||||
|
RewriteCond %{REQUEST_FILENAME} -l [OR]
|
||||||
|
RewriteCond %{REQUEST_FILENAME} -f [OR]
|
||||||
|
RewriteCond %{REQUEST_FILENAME} -d
|
||||||
|
RewriteRule (.*) - [L]
|
||||||
|
|
||||||
|
# -- Tiki URL Rewriting -- #
|
||||||
|
# Read more: https://dev.tiki.org/URL+Rewriting+Revamp
|
||||||
|
RewriteRule .* route.php [L]
|
||||||
|
|
||||||
|
</IfModule>
|
||||||
|
|
||||||
|
</Directory>
|
||||||
|
<Directory "/var/www/html/tiki/admin">
|
||||||
|
<FilesMatch ".*">
|
||||||
|
<IfModule mod_authz_core.c>
|
||||||
|
Require all denied
|
||||||
|
</IfModule>
|
||||||
|
<IfModule !mod_authz_core.c>
|
||||||
|
order deny,allow
|
||||||
|
deny from all
|
||||||
|
</IfModule>
|
||||||
|
</FilesMatch>
|
||||||
|
|
||||||
|
# -- Prevent Directory Browsing -- #
|
||||||
|
Options -Indexes
|
||||||
|
</Directory>
|
||||||
|
<Directory "/var/www/html/tiki/db">
|
||||||
|
<FilesMatch ".*">
|
||||||
|
<IfModule mod_authz_core.c>
|
||||||
|
Require all denied
|
||||||
|
</IfModule>
|
||||||
|
<IfModule !mod_authz_core.c>
|
||||||
|
order deny,allow
|
||||||
|
deny from all
|
||||||
|
</IfModule>
|
||||||
|
</FilesMatch>
|
||||||
|
|
||||||
|
# -- Prevent Directory Browsing -- #
|
||||||
|
Options -Indexes
|
||||||
|
</Directory>
|
||||||
|
<Directory "/var/www/html/tiki/doc">
|
||||||
|
<FilesMatch ".*">
|
||||||
|
<IfModule mod_authz_core.c>
|
||||||
|
Require all denied
|
||||||
|
</IfModule>
|
||||||
|
<IfModule !mod_authz_core.c>
|
||||||
|
order deny,allow
|
||||||
|
deny from all
|
||||||
|
</IfModule>
|
||||||
|
</FilesMatch>
|
||||||
|
|
||||||
|
# -- Prevent Directory Browsing -- #
|
||||||
|
Options -Indexes
|
||||||
|
</Directory>
|
||||||
|
<Directory "/var/www/html/tiki/dump">
|
||||||
|
<FilesMatch ".*">
|
||||||
|
<IfModule mod_authz_core.c>
|
||||||
|
Require all denied
|
||||||
|
</IfModule>
|
||||||
|
<IfModule !mod_authz_core.c>
|
||||||
|
order deny,allow
|
||||||
|
deny from all
|
||||||
|
</IfModule>
|
||||||
|
</FilesMatch>
|
||||||
|
<FilesMatch "\.(zip|tar)$">
|
||||||
|
<IfModule mod_authz_core.c>
|
||||||
|
Require all granted
|
||||||
|
</IfModule>
|
||||||
|
<IfModule !mod_authz_core.c>
|
||||||
|
order deny,allow
|
||||||
|
allow from all
|
||||||
|
</IfModule>
|
||||||
|
</FilesMatch>
|
||||||
|
|
||||||
|
# -- Prevent Directory Browsing -- #
|
||||||
|
Options -Indexes
|
||||||
|
</Directory>
|
||||||
|
<Directory "/var/www/html/tiki/img">
|
||||||
|
<FilesMatch ".*">
|
||||||
|
<IfModule mod_authz_core.c>
|
||||||
|
Require all denied
|
||||||
|
</IfModule>
|
||||||
|
<IfModule !mod_authz_core.c>
|
||||||
|
order deny,allow
|
||||||
|
deny from all
|
||||||
|
</IfModule>
|
||||||
|
</FilesMatch>
|
||||||
|
|
||||||
|
<FilesMatch "\.(jpe?g|png|svg|gif)$">
|
||||||
|
<IfModule mod_authz_core.c>
|
||||||
|
Require all granted
|
||||||
|
</IfModule>
|
||||||
|
<IfModule !mod_authz_core.c>
|
||||||
|
Allow from all
|
||||||
|
</IfModule>
|
||||||
|
</FilesMatch>
|
||||||
|
|
||||||
|
# -- Prevent Directory Browsing -- #
|
||||||
|
Options -Indexes
|
||||||
|
</Directory>
|
||||||
|
<Directory "/var/www/html/tiki/installer">
|
||||||
|
<FilesMatch ".*">
|
||||||
|
<IfModule mod_authz_core.c>
|
||||||
|
Require all denied
|
||||||
|
</IfModule>
|
||||||
|
<IfModule !mod_authz_core.c>
|
||||||
|
order deny,allow
|
||||||
|
deny from all
|
||||||
|
</IfModule>
|
||||||
|
</FilesMatch>
|
||||||
|
|
||||||
|
# -- Prevent Directory Browsing -- #
|
||||||
|
Options -Indexes
|
||||||
|
</Directory>
|
||||||
|
<Directory "/var/www/html/tiki/lang">
|
||||||
|
<FilesMatch ".*">
|
||||||
|
<IfModule mod_authz_core.c>
|
||||||
|
Require all denied
|
||||||
|
</IfModule>
|
||||||
|
<IfModule !mod_authz_core.c>
|
||||||
|
order deny,allow
|
||||||
|
deny from all
|
||||||
|
</IfModule>
|
||||||
|
</FilesMatch>
|
||||||
|
|
||||||
|
|
||||||
|
<FilesMatch "\.(js)$">
|
||||||
|
<IfModule mod_authz_core.c>
|
||||||
|
Require all granted
|
||||||
|
</IfModule>
|
||||||
|
<IfModule !mod_authz_core.c>
|
||||||
|
Allow from all
|
||||||
|
</IfModule>
|
||||||
|
</FilesMatch>
|
||||||
|
|
||||||
|
# -- Prevent Directory Browsing -- #
|
||||||
|
Options -Indexes
|
||||||
|
</Directory>
|
||||||
|
<Directory "/var/www/html/tiki/lib">
|
||||||
|
<FilesMatch ".*">
|
||||||
|
<IfModule mod_authz_core.c>
|
||||||
|
Require all denied
|
||||||
|
</IfModule>
|
||||||
|
<IfModule !mod_authz_core.c>
|
||||||
|
order deny,allow
|
||||||
|
deny from all
|
||||||
|
</IfModule>
|
||||||
|
</FilesMatch>
|
||||||
|
#remaining files - unknown browser access
|
||||||
|
<FilesMatch "\.(js|swf|css|gif|png|svg|as|fla|ttf|xml)$">
|
||||||
|
<IfModule mod_authz_core.c>
|
||||||
|
Require all granted
|
||||||
|
</IfModule>
|
||||||
|
<IfModule !mod_authz_core.c>
|
||||||
|
Allow from all
|
||||||
|
</IfModule>
|
||||||
|
</FilesMatch>
|
||||||
|
|
||||||
|
# -- Prevent Directory Browsing -- #
|
||||||
|
Options -Indexes
|
||||||
|
</Directory>
|
||||||
|
<Directory "/var/www/html/tiki/lists">
|
||||||
|
<FilesMatch ".*">
|
||||||
|
<IfModule mod_authz_core.c>
|
||||||
|
Require all denied
|
||||||
|
</IfModule>
|
||||||
|
<IfModule !mod_authz_core.c>
|
||||||
|
order deny,allow
|
||||||
|
deny from all
|
||||||
|
</IfModule>
|
||||||
|
</FilesMatch>
|
||||||
|
|
||||||
|
# -- Prevent Directory Browsing -- #
|
||||||
|
Options -Indexes
|
||||||
|
</Directory>
|
||||||
|
<Directory "/var/www/html/tiki/modules">
|
||||||
|
<FilesMatch ".*">
|
||||||
|
<IfModule mod_authz_core.c>
|
||||||
|
Require all denied
|
||||||
|
</IfModule>
|
||||||
|
<IfModule !mod_authz_core.c>
|
||||||
|
order deny,allow
|
||||||
|
deny from all
|
||||||
|
</IfModule>
|
||||||
|
</FilesMatch>
|
||||||
|
|
||||||
|
# -- Prevent Directory Browsing -- #
|
||||||
|
Options -Indexes
|
||||||
|
</Directory>
|
||||||
|
<Directory "/var/www/html/tiki/permissioncheck">
|
||||||
|
|
||||||
|
AuthUserFile /PATH_TO_TIKI_PERMISSIONCHECK/.htpasswd
|
||||||
|
AuthName "permissioncheck prepare password protection first"
|
||||||
|
AuthType Basic
|
||||||
|
<Limit GET POST PUT>
|
||||||
|
require valid-user
|
||||||
|
</Limit>
|
||||||
|
|
||||||
|
<FilesMatch "\.(bak|inc|inc\.php|lib|sh|sql|tpl)$">
|
||||||
|
<IfModule mod_authz_core.c>
|
||||||
|
Require all denied
|
||||||
|
</IfModule>
|
||||||
|
<IfModule !mod_authz_core.c>
|
||||||
|
order deny,allow
|
||||||
|
deny from all
|
||||||
|
</IfModule>
|
||||||
|
</FilesMatch>
|
||||||
|
|
||||||
|
# -- Prevent Directory Browsing -- #
|
||||||
|
Options -Indexes
|
||||||
|
</Directory>
|
||||||
|
<Directory "/var/www/html/tiki/storage">
|
||||||
|
<FilesMatch ".*">
|
||||||
|
<IfModule mod_authz_core.c>
|
||||||
|
Require all denied
|
||||||
|
</IfModule>
|
||||||
|
<IfModule !mod_authz_core.c>
|
||||||
|
order deny,allow
|
||||||
|
deny from all
|
||||||
|
</IfModule>
|
||||||
|
</FilesMatch>
|
||||||
|
|
||||||
|
# -- Prevent Directory Browsing -- #
|
||||||
|
Options -Indexes
|
||||||
|
</Directory>
|
||||||
|
<Directory "/var/www/html/tiki/storage/public">
|
||||||
|
<FilesMatch ".*">
|
||||||
|
<IfModule mod_authz_core.c>
|
||||||
|
Require all granted
|
||||||
|
</IfModule>
|
||||||
|
<IfModule !mod_authz_core.c>
|
||||||
|
order deny,allow
|
||||||
|
allow from all
|
||||||
|
</IfModule>
|
||||||
|
</FilesMatch>
|
||||||
|
</Directory>
|
||||||
|
<Directory "/var/www/html/tiki/temp">
|
||||||
|
<FilesMatch ".*">
|
||||||
|
<IfModule mod_authz_core.c>
|
||||||
|
Require all denied
|
||||||
|
</IfModule>
|
||||||
|
<IfModule !mod_authz_core.c>
|
||||||
|
order deny,allow
|
||||||
|
deny from all
|
||||||
|
</IfModule>
|
||||||
|
</FilesMatch>
|
||||||
|
<FilesMatch "\.png$">
|
||||||
|
<IfModule mod_authz_core.c>
|
||||||
|
Require all granted
|
||||||
|
</IfModule>
|
||||||
|
<IfModule !mod_authz_core.c>
|
||||||
|
order deny,allow
|
||||||
|
allow from all
|
||||||
|
</IfModule>
|
||||||
|
</FilesMatch>
|
||||||
|
|
||||||
|
# -- Prevent Directory Browsing -- #
|
||||||
|
Options -Indexes
|
||||||
|
</Directory>
|
||||||
|
<Directory "/var/www/html/tiki/temp/public">
|
||||||
|
<FilesMatch ".*">
|
||||||
|
<IfModule mod_authz_core.c>
|
||||||
|
Require all granted
|
||||||
|
</IfModule>
|
||||||
|
<IfModule !mod_authz_core.c>
|
||||||
|
order deny,allow
|
||||||
|
allow from all
|
||||||
|
</IfModule>
|
||||||
|
</FilesMatch>
|
||||||
|
<IfModule mod_expires.c>
|
||||||
|
<FilesMatch "^avatar_.*">
|
||||||
|
ExpiresActive on
|
||||||
|
ExpiresDefault "modification"
|
||||||
|
</FilesMatch>
|
||||||
|
</IfModule>
|
||||||
|
|
||||||
|
</Directory>
|
||||||
|
<Directory "/var/www/html/tiki/templates">
|
||||||
|
<FilesMatch ".*">
|
||||||
|
<IfModule mod_authz_core.c>
|
||||||
|
Require all denied
|
||||||
|
</IfModule>
|
||||||
|
<IfModule !mod_authz_core.c>
|
||||||
|
order deny,allow
|
||||||
|
deny from all
|
||||||
|
</IfModule>
|
||||||
|
</FilesMatch>
|
||||||
|
|
||||||
|
# -- Prevent Directory Browsing -- #
|
||||||
|
Options -Indexes
|
||||||
|
</Directory>
|
||||||
|
<Directory "/var/www/html/tiki/themes">
|
||||||
|
<FilesMatch ".*">
|
||||||
|
<IfModule mod_authz_core.c>
|
||||||
|
Require all denied
|
||||||
|
</IfModule>
|
||||||
|
<IfModule !mod_authz_core.c>
|
||||||
|
order deny,allow
|
||||||
|
deny from all
|
||||||
|
</IfModule>
|
||||||
|
</FilesMatch>
|
||||||
|
|
||||||
|
<FilesMatch "(?i)\.(css|js|jpe?g|png|ico|gif|svgz?|bmp|json|xml|ttf|eot|woff2?|otf|swf|map|less)$">
|
||||||
|
#the map and less files are allowed for developer deugging tools.
|
||||||
|
<IfModule mod_authz_core.c>
|
||||||
|
Require all granted
|
||||||
|
</IfModule>
|
||||||
|
<IfModule !mod_authz_core.c>
|
||||||
|
Allow from all
|
||||||
|
</IfModule>
|
||||||
|
</FilesMatch>
|
||||||
|
</Directory>
|
||||||
|
<Directory "/var/www/html/tiki/var/www/html/tiki_tests">
|
||||||
|
<FilesMatch ".*">
|
||||||
|
<IfModule mod_authz_core.c>
|
||||||
|
Require all denied
|
||||||
|
</IfModule>
|
||||||
|
<IfModule !mod_authz_core.c>
|
||||||
|
order deny,allow
|
||||||
|
deny from all
|
||||||
|
</IfModule>
|
||||||
|
</FilesMatch>
|
||||||
|
|
||||||
|
# -- Prevent Directory Browsing -- #
|
||||||
|
Options -Indexes
|
||||||
|
|
||||||
|
</Directory>
|
||||||
|
<Directory "/var/www/html/tiki/vendor">
|
||||||
|
|
||||||
|
<IfModule mod_rewrite.c>
|
||||||
|
RewriteEngine On
|
||||||
|
|
||||||
|
# -- Always Allow These File Types -- #
|
||||||
|
RewriteRule "\.(jpe?g|png|ico|gif|svgz?|ttf|eot|woff2?|otf|js|css)$" "-" [PT,L]
|
||||||
|
|
||||||
|
# -- Allow Access to files used by Developer Dubugging Tools -- #
|
||||||
|
RewriteRule "\.(map|less|scss)$" "-" [PT,L]
|
||||||
|
|
||||||
|
# -- Deny Everything Not Matched Above -- #
|
||||||
|
RewriteRule "/*" "-" [F]
|
||||||
|
|
||||||
|
</IfModule>
|
||||||
|
|
||||||
|
# -- Prevent Directory Browsing -- #
|
||||||
|
Options -Indexes
|
||||||
|
|
||||||
|
</Directory>
|
||||||
|
<Directory "/var/www/html/tiki/vendor_bundled">
|
||||||
|
|
||||||
|
<IfModule mod_rewrite.c>
|
||||||
|
RewriteEngine On
|
||||||
|
|
||||||
|
# -- Always Allow These File Types -- #
|
||||||
|
RewriteRule "\.(jpe?g|png|ico|gif|svgz?|ttf|eot|woff2?|otf|js|css)$" "-" [PT,L]
|
||||||
|
|
||||||
|
# -- Allow Access to files used by Developer Dubugging Tools -- #
|
||||||
|
RewriteRule "\.(map|less|scss)$" "-" [PT,L]
|
||||||
|
|
||||||
|
# -- Vendor Exception List -- #
|
||||||
|
# These are file types by vendor file that will bypass the default filtering
|
||||||
|
#
|
||||||
|
# If you are adding a new vendor that needs browser access, adding a file
|
||||||
|
# type exception will be required.
|
||||||
|
|
||||||
|
RewriteRule "^(vendor/player/).*/.*\.swf$" "-" [PT,L]
|
||||||
|
RewriteRule "^(vendor/fortawesome/).*/.*\.swf$" "-" [PT,L]
|
||||||
|
RewriteRule "^(vendor/jquery/).*/.*\.swf$" "-" [PT,L]
|
||||||
|
RewriteRule "^(vendor/studio-42/).*/.*\.wav$" "-" [PT,L]
|
||||||
|
|
||||||
|
# -- Deny Everything Not Matched Above -- #
|
||||||
|
RewriteRule "/*" "-" [F]
|
||||||
|
|
||||||
|
</IfModule>
|
||||||
|
|
||||||
|
# -- Prevent Directory Browsing -- #
|
||||||
|
Options -Indexes
|
||||||
|
|
||||||
|
</Directory>
|
||||||
|
<Directory "/var/www/html/tiki/vendor_bundled/vendor/ezyang/htmlpurifier/benchmarks">
|
||||||
|
Deny from all
|
||||||
|
|
||||||
|
</Directory>
|
||||||
|
<Directory "/var/www/html/tiki/vendor_bundled/vendor/ezyang/htmlpurifier/maintenance">
|
||||||
|
Deny from all
|
||||||
|
|
||||||
|
</Directory>
|
||||||
|
<Directory "/var/www/html/tiki/vendor_bundled/vendor/phenx/php-font-lib">
|
||||||
|
#deny from all
|
||||||
|
</Directory>
|
||||||
|
<Directory "/var/www/html/tiki/vendor_bundled/vendor/studio-42/elfinder/php/.tmp">
|
||||||
|
order deny,allow
|
||||||
|
deny from all
|
||||||
|
|
||||||
|
</Directory>
|
||||||
|
<Directory "/var/www/html/tiki/vendor_extra">
|
||||||
|
<FilesMatch ".*">
|
||||||
|
<IfModule mod_authz_core.c>
|
||||||
|
Require all denied
|
||||||
|
</IfModule>
|
||||||
|
<IfModule !mod_authz_core.c>
|
||||||
|
order deny,allow
|
||||||
|
deny from all
|
||||||
|
</IfModule>
|
||||||
|
</FilesMatch>
|
||||||
|
|
||||||
|
<FilesMatch "\.(jpg|png|gif|css|js)$">
|
||||||
|
<IfModule mod_authz_core.c>
|
||||||
|
Require all granted
|
||||||
|
</IfModule>
|
||||||
|
<IfModule !mod_authz_core.c>
|
||||||
|
Allow from all
|
||||||
|
</IfModule>
|
||||||
|
</FilesMatch>
|
||||||
|
|
||||||
|
# -- Prevent Directory Browsing -- #
|
||||||
|
Options -Indexes
|
||||||
|
</Directory>
|
||||||
|
|
||||||
|
</VirtualHost>
|
||||||
|
</IfModule>
|
||||||
|
|
||||||
|
|
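Review bot: The block `<Directory "/var/www/html/tiki/var/www/html/tiki_tests">` has the install prefix pasted twice, so its `Require all denied` never matches a real directory and the test tree falls back to the rules of the parent `/var/www/html/tiki` block; it presumably should read `<Directory "/var/www/html/tiki/tiki_tests">`. In the `permissioncheck` block, `AuthUserFile /PATH_TO_TIKI_PERMISSIONCHECK/.htpasswd` is still the template placeholder, so Basic auth there cannot succeed until a real path is filled in. The vhost serves the `ssl-cert-snakeoil` pair; if that key is generated during the image build, every copy of the image shares one private key, so a per-deployment certificate should be mounted instead. The `mod_headers` and `mod_expires` sections only take effect if those modules are enabled, and the Dockerfile's `a2enmod` line enables only `rewrite alias authz_user ssl`.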
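--- a/conf/envvars
+++ b/conf/envvars
@@ -0,0 +1,18 @@
+unset HOME
+
+if [ "${APACHE_CONFDIR##/etc/apache2-}" != "${APACHE_CONFDIR}" ] ; then
+SUFFIX="-${APACHE_CONFDIR##/etc/apache2-}"
+else
+SUFFIX=
+fi
+
+export APACHE_RUN_USER=www-data
+export APACHE_RUN_GROUP=www-data
+export APACHE_PID_FILE=/tmp/apache2$SUFFIX/apache2.pid
+export APACHE_RUN_DIR=/tmp/apache2$SUFFIX
+export APACHE_LOCK_DIR=/tmp/apache2$SUFFIX
+export APACHE_LOG_DIR=/tmp/apache2$SUFFIX
+
+export LANG=C
+export LANG
+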
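Review bot: All four runtime paths (`APACHE_PID_FILE`, `APACHE_RUN_DIR`, `APACHE_LOCK_DIR`, `APACHE_LOG_DIR`) resolve to `/tmp/apache2$SUFFIX`, a directory that nothing on this page creates and that sits in world-writable `/tmp`. Whichever account creates that directory first controls where Apache writes its PID, lock and log files, and access and error logs kept there vanish with the container instead of reaching `docker logs`. Create the directory in the image with a fixed owner and mode, or keep the packaged locations, e.g. `export APACHE_LOG_DIR=/var/log/apache2$SUFFIX`, and send the logs to stdout/stderr. The trailing `export LANG` repeats the line above it and can be dropped.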
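--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -0,0 +1,88 @@
+worker_processes auto;
+pid /run/nginx/nginx.pid;
+error_log stderr info;
+daemon off;
+master_process off;
+
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+worker_connections 768;
+# multi_accept on;
+}
+
+http {
+
+##
+# Basic Settings
+##
+
+sendfile on;
+tcp_nopush on;
+tcp_nodelay on;
+keepalive_timeout 65;
+types_hash_max_size 2048;
+server_tokens off;
+
+server_names_hash_bucket_size 128;
+
+include /etc/nginx/mime.types;
+default_type application/octet-stream;
+
+##
+# SSL Settings
+##
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+ssl_prefer_server_ciphers on;
+
+##
+# Logging Settings
+##
+
+access_log /dev/stdout;
+
+##
+# Gzip Settings
+##
+
+gzip on;
+gzip_disable "msie6";
+
+##
+# Virtual Host Configs
+##
+
+include /etc/nginx/conf.d/*.conf;
+
+server {
+listen 80;
+listen 443 ssl;
+server_name default_server;
+
+include snippets/snakeoil.conf;
+
+root /tiki;
+index tiki-index.php index.php index.html;
+
+location / {
+# Use route.php to have SEO-friendly URLs
+try_files $uri $uri/ /route.php?q=$uri&$args;
+}
+
+location ~ \.(bak|exe|inc|ini|lib|pl|py|sh|sql|tpl)$ {
+deny all;
+}
+
+location ~ \.php$ {
+include fastcgi_params;
+fastcgi_read_timeout 300;
+fastcgi_split_path_info ^(.+\.php)(/.+)$;
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+# Avoid issues with HTTP header injections
+fastcgi_param HTTP_PROXY "";
+fastcgi_pass tikiwiki:9000;
+}
+}
+
+}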
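Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still offers TLS 1.0 and 1.1, which are deprecated, and leaves out TLS 1.3; use `ssl_protocols TLSv1.2 TLSv1.3;`. `master_process off;` is described in the nginx documentation as a setting for nginx developers, so it should be dropped for a deployed image. The server block listens on 80 and 443 while `Dockerfile.nginx` exposes 8080 and prepares for a non-root user, which depending on the runtime may not be able to bind ports below 1024. `root /tiki` does not match the `/var/www/html/tiki` checkout in the Dockerfile, so the `SCRIPT_FILENAME` sent to `tikiwiki:9000` will only resolve if the code is mounted at `/tiki` in both containers.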
146
conf/php-fpm.conf
Normal file
146
conf/php-fpm.conf
Normal file
@ -0,0 +1,146 @@
|
|||||||
|
;;;;;;;;;;;;;;;;;;;;;
|
||||||
|
; FPM Configuration ;
|
||||||
|
;;;;;;;;;;;;;;;;;;;;;
|
||||||
|
|
||||||
|
; All relative paths in this configuration file are relative to PHP's install
|
||||||
|
; prefix (/usr). This prefix can be dynamically changed by using the
|
||||||
|
; '-p' argument from the command line.
|
||||||
|
|
||||||
|
;;;;;;;;;;;;;;;;;;
|
||||||
|
; Global Options ;
|
||||||
|
;;;;;;;;;;;;;;;;;;
|
||||||
|
|
||||||
|
[global]
|
||||||
|
; Pid file
|
||||||
|
; Note: the default prefix is /var
|
||||||
|
; Default Value: none
|
||||||
|
; Warning: if you change the value here, you need to modify systemd
|
||||||
|
; service PIDFile= setting to match the value here.
|
||||||
|
pid = /tmp/php7.4-fpm.pid
|
||||||
|
;pid = /run/php/php7.4-fpm.pid
|
||||||
|
|
||||||
|
; Error log file
|
||||||
|
; If it's set to "syslog", log is sent to syslogd instead of being written
|
||||||
|
; into a local file.
|
||||||
|
; Note: the default prefix is /var
|
||||||
|
; Default Value: log/php-fpm.log
|
||||||
|
error_log = syslog
|
||||||
|
|
||||||
|
; syslog_facility is used to specify what type of program is logging the
|
||||||
|
; message. This lets syslogd specify that messages from different facilities
|
||||||
|
; will be handled differently.
|
||||||
|
; See syslog(3) for possible values (ex daemon equiv LOG_DAEMON)
|
||||||
|
; Default Value: daemon
|
||||||
|
;syslog.facility = daemon
|
||||||
|
|
||||||
|
; syslog_ident is prepended to every message. If you have multiple FPM
|
||||||
|
; instances running on the same server, you can change the default value
|
||||||
|
; which must suit common needs.
|
||||||
|
; Default Value: php-fpm
|
||||||
|
;syslog.ident = php-fpm
|
||||||
|
|
||||||
|
; Log level
|
||||||
|
; Possible Values: alert, error, warning, notice, debug
|
||||||
|
; Default Value: notice
|
||||||
|
;log_level = notice
|
||||||
|
|
||||||
|
; Log limit on number of characters in the single line (log entry). If the
|
||||||
|
; line is over the limit, it is wrapped on multiple lines. The limit is for
|
||||||
|
; all logged characters including message prefix and suffix if present. However
|
||||||
|
; the new line character does not count into it as it is present only when
|
||||||
|
; logging to a file descriptor. It means the new line character is not present
|
||||||
|
; when logging to syslog.
|
||||||
|
; Default Value: 1024
|
||||||
|
;log_limit = 4096
|
||||||
|
|
||||||
|
; Log buffering specifies if the log line is buffered which means that the
|
||||||
|
; line is written in a single write operation. If the value is false, then the
|
||||||
|
; data is written directly into the file descriptor. It is an experimental
|
||||||
|
; option that can potentionaly improve logging performance and memory usage
|
||||||
|
; for some heavy logging scenarios. This option is ignored if logging to syslog
|
||||||
|
; as it has to be always buffered.
|
||||||
|
; Default value: yes
|
||||||
|
;log_buffering = no
|
||||||
|
|
||||||
|
; If this number of child processes exit with SIGSEGV or SIGBUS within the time
|
||||||
|
; interval set by emergency_restart_interval then FPM will restart. A value
|
||||||
|
; of '0' means 'Off'.
|
||||||
|
; Default Value: 0
|
||||||
|
;emergency_restart_threshold = 0
|
||||||
|
|
||||||
|
; Interval of time used by emergency_restart_interval to determine when
|
||||||
|
; a graceful restart will be initiated. This can be useful to work around
|
||||||
|
; accidental corruptions in an accelerator's shared memory.
|
||||||
|
; Available Units: s(econds), m(inutes), h(ours), or d(ays)
|
||||||
|
; Default Unit: seconds
|
||||||
|
; Default Value: 0
|
||||||
|
;emergency_restart_interval = 0
|
||||||
|
|
||||||
|
; Time limit for child processes to wait for a reaction on signals from master.
|
||||||
|
; Available units: s(econds), m(inutes), h(ours), or d(ays)
|
||||||
|
; Default Unit: seconds
|
||||||
|
; Default Value: 0
|
||||||
|
;process_control_timeout = 0
|
||||||
|
|
||||||
|
; The maximum number of processes FPM will fork. This has been designed to control
|
||||||
|
; the global number of processes when using dynamic PM within a lot of pools.
|
||||||
|
; Use it with caution.
|
||||||
|
; Note: A value of 0 indicates no limit
|
||||||
|
; Default Value: 0
|
||||||
|
; process.max = 128
|
||||||
|
|
||||||
|
; Specify the nice(2) priority to apply to the master process (only if set)
|
||||||
|
; The value can vary from -19 (highest priority) to 20 (lowest priority)
|
||||||
|
; Note: - It will only work if the FPM master process is launched as root
|
||||||
|
; - The pool process will inherit the master process priority
|
||||||
|
; unless specified otherwise
|
||||||
|
; Default Value: no set
|
||||||
|
; process.priority = -19
|
||||||
|
|
||||||
|
; Send FPM to background. Set to 'no' to keep FPM in foreground for debugging.
|
||||||
|
; Default Value: yes
|
||||||
|
;daemonize = yes
|
||||||
|
|
||||||
|
; Set open file descriptor rlimit for the master process.
|
||||||
|
; Default Value: system defined value
|
||||||
|
;rlimit_files = 1024
|
||||||
|
|
||||||
|
; Set max core size rlimit for the master process.
|
||||||
|
; Possible Values: 'unlimited' or an integer greater or equal to 0
|
||||||
|
; Default Value: system defined value
|
||||||
|
;rlimit_core = 0
|
||||||
|
|
||||||
|
; Specify the event mechanism FPM will use. The following is available:
|
||||||
|
; - select (any POSIX os)
|
||||||
|
; - poll (any POSIX os)
|
||||||
|
; - epoll (linux >= 2.5.44)
|
||||||
|
; - kqueue (FreeBSD >= 4.1, OpenBSD >= 2.9, NetBSD >= 2.0)
|
||||||
|
; - /dev/poll (Solaris >= 7)
|
||||||
|
; - port (Solaris >= 10)
|
||||||
|
; Default Value: not set (auto detection)
|
||||||
|
;events.mechanism = epoll
|
||||||
|
|
||||||
|
; When FPM is built with systemd integration, specify the interval,
|
||||||
|
; in seconds, between health report notification to systemd.
|
||||||
|
; Set to 0 to disable.
|
||||||
|
; Available Units: s(econds), m(inutes), h(ours)
|
||||||
|
; Default Unit: seconds
|
||||||
|
; Default value: 10
|
||||||
|
;systemd_interval = 10
|
||||||
|
|
||||||
|
;;;;;;;;;;;;;;;;;;;;
|
||||||
|
; Pool Definitions ;
|
||||||
|
;;;;;;;;;;;;;;;;;;;;
|
||||||
|
|
||||||
|
; Multiple pools of child processes may be started with different listening
|
||||||
|
; ports and different management options. The name of the pool will be
|
||||||
|
; used in logs and stats. There is no limitation on the number of pools which
|
||||||
|
; FPM can handle. Your system will tell you anyway :)
|
||||||
|
|
||||||
|
; Include one or more files. If glob(3) exists, it is used to include a bunch of
|
||||||
|
; files from a glob(3) pattern. This directive can be used everywhere in the
|
||||||
|
; file.
|
||||||
|
; Relative path can also be used. They will be prefixed by:
|
||||||
|
; - the global prefix if it's been set (-p argument)
|
||||||
|
; - /usr otherwise
|
||||||
|
include=/etc/php/7.4/fpm/pool.d/*.conf
|
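Review bot: `error_log = syslog` sends FPM's own errors to a syslog daemon, and nothing in the Dockerfile installs or starts one, so in the container those messages are most likely dropped; `conf/www.conf` repeats this with `php_admin_value[error_log] = syslog`. Point both at the container's stderr, `error_log = /proc/self/fd/2`, so failures show up in `docker logs` and can be collected centrally. `pid = /tmp/php7.4-fpm.pid` puts the PID file in a world-writable directory; a dedicated directory owned by the FPM user is safer. The rest of the file appears to be the packaged default.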
1947
conf/php.ini
Normal file
1947
conf/php.ini
Normal file
File diff suppressed because it is too large
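--- a/conf/www.conf
+++ b/conf/www.conf
@@ -0,0 +1,21 @@
+[www]
+user = www-data
+group = www-data
+listen = '9000'
+listen.owner = www-data
+listen.group = www-data
+pm = dynamic
+pm.max_children = 10
+pm.start_servers = 4
+pm.min_spare_servers = 2
+pm.max_spare_servers = 6
+access.log = /var/log/$pool.access.log
+catch_workers_output = yes
+chdir = /
+security.limit_extensions = .php .php3 .php4 .php5
+php_admin_value[allow_url_fopen] = off
+php_flag[display_errors] = on
+php_flag[html_errors] = on
+php_admin_value[error_log] = syslog
+php_admin_flag[log_errors] = on
+php_admin_value[memory_limit] = 512M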
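Review bot: `php_flag[display_errors] = on` and `php_flag[html_errors] = on` print PHP errors, including file paths and possibly query fragments, into the responses sent to visitors. For a deployed pool set `php_admin_flag[display_errors] = off` and rely on `log_errors`, which is already on. `listen = '9000'` binds FastCGI on every interface with no `listen.allowed_clients`, so any host that can reach the container's port 9000 can submit requests to the interpreter; keep the port off published mappings and restrict it to the proxy. `listen.owner` and `listen.group` only apply to Unix sockets and have no effect on a TCP listener.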
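--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -0,0 +1,28 @@
+version: '3'
+
+volumes:
+uploads:
+db:
+
+services:
+tikiwiki:
+image: registry.audio-lab.org/tikiwiki:latest
+build: .
+ports:
+- 8443:443
+- 8480:80
+volumes:
+- uploads:/uploads
+- ./conf/envvars:/etc/apache2/envvars:ro
+- ./conf/default-ssl.conf:/etc/apache2/sites-available/000-default.conf:ro
+restart: always
+db:
+image: mariadb:10
+restart: always
+volumes:
+- db:/var/lib/mysql
+environment:
+MYSQL_DATABASE: tikiwiki
+MYSQL_USER: tiki
+MYSQL_RANDOM_ROOT_PASSWORD: '1'
+MYSQL_PASSWORD: wiki # CHANGE PASSW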
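Review bot: `MYSQL_PASSWORD: wiki` commits a working database credential to the repository, and the `# CHANGE PASSW` comment relies on every operator remembering to edit a tracked file. Read it from the environment and fail when it is unset, `MYSQL_PASSWORD: ${MYSQL_PASSWORD:?set MYSQL_PASSWORD in .env}`, and keep `.env` out of version control. `8480:80` publishes a plain-HTTP port next to `8443:443`; drop it unless port 80 only redirects to HTTPS. Both images use floating tags (`tikiwiki:latest`, `mariadb:10`), so a re-pull can change what runs without any change to this file.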
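--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+sudo -u www-data setup.sh -n composer
+
+exec $@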
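Review bot: `sudo -u www-data setup.sh -n composer` is unlikely to run on the image built from this commit: none of the apt lines in the Dockerfile install `sudo`, and `setup.sh` is looked up on the command search path, not in the working directory. Because the script has no `set -e`, that failure is ignored and `exec $@` starts the service anyway, without the Composer step having run. Add `set -eu`, call the script by path (e.g. `runuser -u www-data -- ./setup.sh -n composer`, assuming it sits in the Tiki checkout), and quote the hand-off as `exec "$@"` so arguments containing spaces survive. Running Composer at every start also pulls dependencies from the network at run time; doing it once in the image build keeps what runs equal to what was built.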