Custom tikiwiki

Dockerfile

@@ -0,0 +1,41 @@
+FROM debian:stable-slim
+
+RUN apt update && apt dist-upgrade -y
+
+RUN apt-get -y install lsb-release ca-certificates curl
+RUN curl -sSLo /usr/share/keyrings/deb.sury.org-php.gpg https://packages.sury.org/php/apt.gpg
+RUN sh -c 'echo "deb [signed-by=/usr/share/keyrings/deb.sury.org-php.gpg] https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list'
+RUN apt-get update
+
+RUN apt install -y \
+	php7.4-dom php7.4-gd php7.4-curl php7.4-intl php7.4-zip php7.4-bcmath \
+	sqlite3 php7.4-sqlite3 build-essential elinks unzip xlsx2csv psutils \
+	php7.4-memcached php7.4-memcached php7.4-opcache php7.4-intl php7.4-gd \
+	php7.4-mysql php7.4-ldap php7.4-dom php7.4-zip php7.4-ldap \
+	php7.4-fpm php7.4-mysql php7.4-mbstring \
+	composer curl
+
+RUN apt install -y \
+	apache2 apache2-utils libapache2-mod-php7.4
+
+RUN a2enmod rewrite alias authz_user ssl
+
+WORKDIR /var/www/html/
+
+RUN git clone https://gitlab.com/tikiwiki/tiki.git
+
+WORKDIR ./tiki
+
+RUN chown -R www-data:www-data /var/www/html/tiki
+
+COPY conf/www.conf /etc/php/7.4/fpm/pool.d/www.conf
+COPY conf/php-fpm.conf /etc/php/7.4/fpm/php-fpm.conf
+
+ADD start.sh /start.sh
+ADD entrypoint.sh /entrypoint.sh
+
+VOLUME ["/uploads"]
+
+ENTRYPOINT [ "/bin/sh", "/entrypoint.sh" ]
+
+CMD "/start.sh"

Dockerfile.nginx

@@ -0,0 +1,28 @@
+FROM registry.audio-lab.org/tikiwiki:latest
+
+RUN apt-get update && \
+    apt-get -qy install nginx-full ssl-cert && \
+    apt-get clean
+
+# Basic nginx directories
+RUN mkdir -p /var/lib/nginx/body && \ 
+    mkdir -p /var/lib/nginx/proxy && \
+    mkdir -p /var/lib/nginx/fastcgi && \
+    mkdir -p /var/lib/nginx/scgi && \
+    mkdir -p /var/lib/nginx/uwsgi
+    
+# Logging to stdout
+RUN ln -sf /proc/self/fd /dev/
+RUN ln -sf /dev/stdout /var/log/nginx/access.log && ln -sf /dev/stderr /var/log/nginx/error.log
+
+# PID nginx for non-root users
+RUN mkdir -p /run/nginx && \
+    chmod 777 /run/nginx && \
+    chmod -R 777 /var/lib/nginx
+
+# Use port 8080
+RUN sed -i 's/80/8080/g' /etc/nginx/sites-enabled/default
+
+EXPOSE 8080
+
+ENTRYPOINT ["/usr/sbin/nginx"]

conf/000-default.conf

@@ -0,0 +1,37 @@
+<VirtualHost *:80>
+	# The ServerName directive sets the request scheme, hostname and port that
+	# the server uses to identify itself. This is used when creating
+	# redirection URLs. In the context of virtual hosts, the ServerName
+	# specifies what hostname must appear in the request's Host: header to
+	# match this virtual host. For the default virtual host (this file) this
+	# value is not decisive as it is used as a last resort host regardless.
+	# However, you must set it for any further virtual host explicitly.
+	#ServerName www.example.com
+
+	ServerAdmin webmaster@localhost
+	DocumentRoot /var/www/html/orig 
+
+	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+	# error, crit, alert, emerg.
+	# It is also possible to configure the loglevel for particular
+	# modules, e.g.
+	#LogLevel info ssl:warn
+
+	ErrorLog ${APACHE_LOG_DIR}/error.log
+	CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+	<Directory "/var/www/html/orig">
+    		Options +MultiViews
+    		AllowOverride All
+        	Require all granted
+	</Directory>
+
+	# For most configuration files from conf-available/, which are
+	# enabled or disabled at a global level, it is possible to
+	# include a line for only one particular virtual host. For example the
+	# following line enables the CGI configuration for this host only
+	# after it has been globally disabled with "a2disconf".
+	#Include conf-available/serve-cgi-bin.conf
+</VirtualHost>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

conf/default-ssl.conf

@@ -0,0 +1,526 @@
+<IfModule mod_ssl.c>
+	<VirtualHost _default_:443>
+		ServerAdmin webmaster@localhost
+
+		DocumentRoot /var/www/html/tiki/
+		ErrorLog ${APACHE_LOG_DIR}/error.log
+		CustomLog ${APACHE_LOG_DIR}/access.log combined
+		SSLEngine on
+		SSLCertificateFile	/etc/ssl/certs/ssl-cert-snakeoil.pem
+		SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+		<FilesMatch "\.(cgi|shtml|phtml|php)$">
+				SSLOptions +StdEnvVars
+		</FilesMatch>
+		<Directory /usr/lib/cgi-bin>
+				SSLOptions +StdEnvVars
+		</Directory>
+
+	#<Directory "/var/www/html/tiki">
+    	#	Options +MultiViews
+    	#	AllowOverride All
+        #	Require all granted
+	#</Directory>
+
+<Directory "/var/www/html/tiki">
+<FilesMatch "\.(bak|inc|lib|sh|tpl|sql)$">
+    <IfModule mod_authz_core.c>
+       Require all denied
+    </IfModule>
+    <IfModule !mod_authz_core.c>
+        order deny,allow
+        deny from all
+    </IfModule>
+</FilesMatch>
+<FilesMatch "(changelog.txt|_htaccess)$">
+    <IfModule mod_authz_core.c>
+       Require all denied
+    </IfModule>
+    <IfModule !mod_authz_core.c>
+        order deny,allow
+        deny from all
+    </IfModule>
+</FilesMatch>
+
+<IfModule mod_dir.c>
+	DirectoryIndex index.php
+</IfModule>
+
+<IfModule mod_deflate.c>
+	<IfModule mod_headers.c>
+		# Make sure proxies don't deliver the wrong content.
+		Header append Vary User-Agent env=!dont-vary
+	</IfModule>
+	AddOutputFilterByType DEFLATE text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/html text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon application/json
+	<IfModule mod_mime.c>
+		# DEFLATE by extension.
+		AddOutputFilter DEFLATE js css htm html xml svg
+	</IfModule>
+</IfModule>
+
+FileETag none
+
+<IfModule mod_headers.c>
+    Header unset Cache-Control
+
+    <IfModule mod_setenvif.c>
+    # Mod_headers, y u no match by Content-Type?!
+        <FilesMatch "(?i)\.(gif|png|jpe?g|svgz?|ico)$">
+            SetEnvIf Origin ":" IS_CORS
+            Header set Access-Control-Allow-Origin "*" env=IS_CORS
+        </FilesMatch>
+    </IfModule>
+
+    <FilesMatch "(?i)\.(ttf|ttc|otf|eot|woff2?|css|js)$">
+        Header set Access-Control-Allow-Origin "*"
+    </FilesMatch>
+
+</IfModule>
+
+<IfModule mod_expires.c>
+	<FilesMatch "(?i)\.(gif|png|jpe?g|svgz?|ico)$">
+		ExpiresActive on
+		ExpiresDefault "access plus 1 month"
+	</FilesMatch>
+	<FilesMatch "(?i)\.(js|css)$">
+		ExpiresActive on
+		ExpiresDefault "access plus 1 month"
+	</FilesMatch>
+</IfModule>
+
+<IfModule mod_rewrite.c>
+
+    RewriteEngine On
+
+    # -- Apache Authorization Header -- #
+    # Rewrite rules for passing authorization with Apache running in CGI or FastCGI mode
+    RewriteCond %{HTTP:Authorization} ^(.*)
+    RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]
+
+    # -- SVN Checkout Enabled Tiki -- #
+    # Prevents reading of SVN specific files, if your website is using this. (Development only normally)
+    RewriteRule	.*/\.svn/.*	-	[F,L]
+
+    # -- If the URL Points to a File Then do Nothing -- #
+    RewriteCond %{REQUEST_FILENAME} -s [OR]
+    RewriteCond %{REQUEST_FILENAME} -l [OR]
+    RewriteCond %{REQUEST_FILENAME} -f [OR]
+    RewriteCond %{REQUEST_FILENAME} -d
+    RewriteRule (.*) - [L]
+
+        # -- Tiki URL Rewriting -- #
+    # Read more: https://dev.tiki.org/URL+Rewriting+Revamp
+    RewriteRule .*                     route.php                                [L]
+
+</IfModule>
+
+</Directory>
+<Directory "/var/www/html/tiki/admin">
+<FilesMatch ".*">
+	<IfModule mod_authz_core.c>
+		Require all denied
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+		order deny,allow
+		deny from all
+	</IfModule>
+</FilesMatch>
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+</Directory>
+<Directory "/var/www/html/tiki/db">
+<FilesMatch ".*">
+	<IfModule mod_authz_core.c>
+		Require all denied
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+		order deny,allow
+		deny from all
+	</IfModule>
+</FilesMatch>
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+</Directory>
+<Directory "/var/www/html/tiki/doc">
+<FilesMatch ".*">
+	<IfModule mod_authz_core.c>
+		Require all denied
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+		order deny,allow
+		deny from all
+	</IfModule>
+</FilesMatch>
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+</Directory>
+<Directory "/var/www/html/tiki/dump">
+<FilesMatch ".*">
+	<IfModule mod_authz_core.c>
+		Require all denied
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+		order deny,allow
+		deny from all
+	</IfModule>
+</FilesMatch>
+<FilesMatch "\.(zip|tar)$">
+	<IfModule mod_authz_core.c>
+		Require all granted
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+	  order deny,allow
+	  allow from all
+	</IfModule>
+</FilesMatch>
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+</Directory>
+<Directory "/var/www/html/tiki/img">
+<FilesMatch ".*">
+	<IfModule mod_authz_core.c>
+		Require all denied
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+		order deny,allow
+		deny from all
+	</IfModule>
+</FilesMatch>
+
+<FilesMatch "\.(jpe?g|png|svg|gif)$">
+	<IfModule mod_authz_core.c>
+		Require all granted
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+		Allow from all
+	</IfModule>
+</FilesMatch>
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+</Directory>
+<Directory "/var/www/html/tiki/installer">
+<FilesMatch ".*">
+	<IfModule mod_authz_core.c>
+		Require all denied
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+		order deny,allow
+		deny from all
+	</IfModule>
+</FilesMatch>
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+</Directory>
+<Directory "/var/www/html/tiki/lang">
+<FilesMatch ".*">
+	<IfModule mod_authz_core.c>
+		Require all denied
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+		order deny,allow
+		deny from all
+	</IfModule>
+</FilesMatch>
+
+
+<FilesMatch "\.(js)$">
+	<IfModule mod_authz_core.c>
+		Require all granted
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+		Allow from all
+	</IfModule>
+</FilesMatch>
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+</Directory>
+<Directory "/var/www/html/tiki/lib">
+<FilesMatch ".*">
+	<IfModule mod_authz_core.c>
+		Require all denied
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+		order deny,allow
+		deny from all
+	</IfModule>
+</FilesMatch>
+#remaining files		- unknown browser access
+<FilesMatch "\.(js|swf|css|gif|png|svg|as|fla|ttf|xml)$">
+	<IfModule mod_authz_core.c>
+		Require all granted
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+		Allow from all
+	</IfModule>
+</FilesMatch>
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+</Directory>
+<Directory "/var/www/html/tiki/lists">
+<FilesMatch ".*">
+    <IfModule mod_authz_core.c>
+        Require all denied
+    </IfModule>
+    <IfModule !mod_authz_core.c>
+        order deny,allow
+        deny from all
+    </IfModule>
+</FilesMatch>
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+</Directory>
+<Directory "/var/www/html/tiki/modules">
+<FilesMatch ".*">
+	<IfModule mod_authz_core.c>
+		Require all denied
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+		order deny,allow
+		deny from all
+	</IfModule>
+</FilesMatch>
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+</Directory>
+<Directory "/var/www/html/tiki/permissioncheck">
+
+AuthUserFile /PATH_TO_TIKI_PERMISSIONCHECK/.htpasswd
+AuthName "permissioncheck prepare password protection first"
+AuthType Basic
+<Limit GET POST PUT>
+	require valid-user
+</Limit>
+
+<FilesMatch "\.(bak|inc|inc\.php|lib|sh|sql|tpl)$">
+	<IfModule mod_authz_core.c>
+		Require all denied
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+		order deny,allow
+		deny from all
+	</IfModule>
+</FilesMatch>
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+</Directory>
+<Directory "/var/www/html/tiki/storage">
+<FilesMatch ".*">
+	<IfModule mod_authz_core.c>
+		Require all denied
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+		order deny,allow
+		deny from all
+	</IfModule>
+</FilesMatch>
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+</Directory>
+<Directory "/var/www/html/tiki/storage/public">
+<FilesMatch ".*">
+    <IfModule mod_authz_core.c>
+       Require all granted
+    </IfModule>
+    <IfModule !mod_authz_core.c>
+      order deny,allow
+      allow from all
+    </IfModule>
+</FilesMatch>
+</Directory>
+<Directory "/var/www/html/tiki/temp">
+<FilesMatch ".*">
+	<IfModule mod_authz_core.c>
+		Require all denied
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+		order deny,allow
+		deny from all
+	</IfModule>
+</FilesMatch>
+<FilesMatch "\.png$">
+	<IfModule mod_authz_core.c>
+		Require all granted
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+	  order deny,allow
+	  allow from all
+	</IfModule>
+</FilesMatch>
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+</Directory>
+<Directory "/var/www/html/tiki/temp/public">
+<FilesMatch ".*">
+    <IfModule mod_authz_core.c>
+       Require all granted
+    </IfModule>
+    <IfModule !mod_authz_core.c>
+      order deny,allow
+      allow from all
+    </IfModule>
+</FilesMatch>
+<IfModule mod_expires.c>
+<FilesMatch "^avatar_.*">
+	ExpiresActive on
+	ExpiresDefault "modification"
+</FilesMatch>
+</IfModule>
+
+</Directory>
+<Directory "/var/www/html/tiki/templates">
+<FilesMatch ".*">
+	<IfModule mod_authz_core.c>
+		Require all denied
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+		order deny,allow
+		deny from all
+	</IfModule>
+</FilesMatch>
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+</Directory>
+<Directory "/var/www/html/tiki/themes">
+<FilesMatch ".*">
+	<IfModule mod_authz_core.c>
+		Require all denied
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+		order deny,allow
+		deny from all
+	</IfModule>
+</FilesMatch>
+
+<FilesMatch "(?i)\.(css|js|jpe?g|png|ico|gif|svgz?|bmp|json|xml|ttf|eot|woff2?|otf|swf|map|less)$">
+	#the map and less files are allowed for developer deugging tools.
+	<IfModule mod_authz_core.c>
+		Require all granted
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+		Allow from all
+	</IfModule>
+</FilesMatch>
+</Directory>
+<Directory "/var/www/html/tiki/var/www/html/tiki_tests">
+<FilesMatch ".*">
+    <IfModule mod_authz_core.c>
+       Require all denied
+    </IfModule>
+    <IfModule !mod_authz_core.c>
+        order deny,allow
+        deny from all
+    </IfModule>
+</FilesMatch>
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+
+</Directory>
+<Directory "/var/www/html/tiki/vendor">
+
+<IfModule mod_rewrite.c>
+	RewriteEngine On
+
+	# -- Always Allow These File Types -- #
+	RewriteRule "\.(jpe?g|png|ico|gif|svgz?|ttf|eot|woff2?|otf|js|css)$" "-" [PT,L]
+
+	# -- Allow Access to files used by Developer Dubugging Tools -- #
+	RewriteRule "\.(map|less|scss)$" "-" [PT,L]
+
+	# -- Deny Everything Not Matched Above -- #
+	RewriteRule "/*" "-" [F]
+
+</IfModule>
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+
+</Directory>
+<Directory "/var/www/html/tiki/vendor_bundled">
+
+<IfModule mod_rewrite.c>
+	RewriteEngine On
+
+	# -- Always Allow These File Types -- #
+	RewriteRule "\.(jpe?g|png|ico|gif|svgz?|ttf|eot|woff2?|otf|js|css)$" "-" [PT,L]
+
+	# -- Allow Access to files used by Developer Dubugging Tools -- #
+	RewriteRule "\.(map|less|scss)$" "-" [PT,L]
+
+	# -- Vendor Exception List -- #
+	# These are file types by vendor file that will bypass the default filtering
+	#
+	# If you are adding a new vendor that needs browser access, adding a file
+	#  type exception will be required.
+
+	RewriteRule "^(vendor/player/).*/.*\.swf$" "-" [PT,L]
+	RewriteRule "^(vendor/fortawesome/).*/.*\.swf$" "-" [PT,L]
+	RewriteRule "^(vendor/jquery/).*/.*\.swf$" "-" [PT,L]
+	RewriteRule "^(vendor/studio-42/).*/.*\.wav$" "-" [PT,L]
+
+	# -- Deny Everything Not Matched Above -- #
+	RewriteRule "/*" "-" [F]
+
+</IfModule>
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+
+</Directory>
+<Directory "/var/www/html/tiki/vendor_bundled/vendor/ezyang/htmlpurifier/benchmarks">
+Deny from all
+
+</Directory>
+<Directory "/var/www/html/tiki/vendor_bundled/vendor/ezyang/htmlpurifier/maintenance">
+Deny from all
+
+</Directory>
+<Directory "/var/www/html/tiki/vendor_bundled/vendor/phenx/php-font-lib">
+#deny from all
+</Directory>
+<Directory "/var/www/html/tiki/vendor_bundled/vendor/studio-42/elfinder/php/.tmp">
+order deny,allow
+deny from all
+
+</Directory>
+<Directory "/var/www/html/tiki/vendor_extra">
+<FilesMatch ".*">
+	<IfModule mod_authz_core.c>
+		Require all denied
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+		order deny,allow
+		deny from all
+	</IfModule>
+</FilesMatch>
+
+<FilesMatch "\.(jpg|png|gif|css|js)$">
+	<IfModule mod_authz_core.c>
+		Require all granted
+	</IfModule>
+	<IfModule !mod_authz_core.c>
+		Allow from all
+	</IfModule>
+</FilesMatch>
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+</Directory>
+
+	</VirtualHost>
+</IfModule>
+
+

conf/envvars

@@ -0,0 +1,18 @@
+unset HOME
+
+if [ "${APACHE_CONFDIR##/etc/apache2-}" != "${APACHE_CONFDIR}" ] ; then
+	SUFFIX="-${APACHE_CONFDIR##/etc/apache2-}"
+else
+	SUFFIX=
+fi
+
+export APACHE_RUN_USER=www-data
+export APACHE_RUN_GROUP=www-data
+export APACHE_PID_FILE=/tmp/apache2$SUFFIX/apache2.pid
+export APACHE_RUN_DIR=/tmp/apache2$SUFFIX
+export APACHE_LOCK_DIR=/tmp/apache2$SUFFIX
+export APACHE_LOG_DIR=/tmp/apache2$SUFFIX
+
+export LANG=C
+export LANG
+

conf/nginx.conf

@@ -0,0 +1,88 @@
+worker_processes auto;                                                                                                                                                  
+pid /run/nginx/nginx.pid;                                                                                                                                         
+error_log stderr info;
+daemon off;
+master_process off;
+
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+        worker_connections 768;
+        # multi_accept on;
+}
+
+http {
+
+        ##
+        # Basic Settings
+        ##
+
+        sendfile on;
+        tcp_nopush on;
+        tcp_nodelay on;
+        keepalive_timeout 65;
+        types_hash_max_size 2048;
+        server_tokens off;
+
+        server_names_hash_bucket_size 128;
+
+        include /etc/nginx/mime.types;
+        default_type application/octet-stream;
+
+        ##
+        # SSL Settings
+        ##
+
+        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+        ssl_prefer_server_ciphers on;
+
+        ##
+        # Logging Settings
+        ##
+
+        access_log /dev/stdout;
+
+        ##
+        # Gzip Settings
+        ##
+
+        gzip on;
+        gzip_disable "msie6";
+
+        ##
+        # Virtual Host Configs
+        ##
+
+        include /etc/nginx/conf.d/*.conf;
+
+	server {
+		listen 80;
+    		listen       443 ssl;
+    		server_name  default_server;
+
+    include snippets/snakeoil.conf;
+
+    root /tiki;
+    index tiki-index.php index.php index.html;
+
+    location / {
+        # Use route.php to have SEO-friendly URLs
+        try_files $uri $uri/ /route.php?q=$uri&$args;
+    }
+
+    location ~ \.(bak|exe|inc|ini|lib|pl|py|sh|sql|tpl)$ {
+        deny all;
+    }
+
+    location ~ \.php$ {
+        include fastcgi_params;
+        fastcgi_read_timeout 300; 
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
+        # Avoid issues with HTTP header injections
+        fastcgi_param  HTTP_PROXY         "";
+        fastcgi_pass   tikiwiki:9000;
+    }
+}
+
+}

conf/php-fpm.conf

@@ -0,0 +1,146 @@
+;;;;;;;;;;;;;;;;;;;;;
+; FPM Configuration ;
+;;;;;;;;;;;;;;;;;;;;;
+
+; All relative paths in this configuration file are relative to PHP's install
+; prefix (/usr). This prefix can be dynamically changed by using the
+; '-p' argument from the command line.
+
+;;;;;;;;;;;;;;;;;;
+; Global Options ;
+;;;;;;;;;;;;;;;;;;
+
+[global]
+; Pid file
+; Note: the default prefix is /var
+; Default Value: none
+; Warning: if you change the value here, you need to modify systemd
+; service PIDFile= setting to match the value here.
+pid = /tmp/php7.4-fpm.pid
+;pid = /run/php/php7.4-fpm.pid
+
+; Error log file
+; If it's set to "syslog", log is sent to syslogd instead of being written
+; into a local file.
+; Note: the default prefix is /var
+; Default Value: log/php-fpm.log
+error_log = syslog
+
+; syslog_facility is used to specify what type of program is logging the
+; message. This lets syslogd specify that messages from different facilities
+; will be handled differently.
+; See syslog(3) for possible values (ex daemon equiv LOG_DAEMON)
+; Default Value: daemon
+;syslog.facility = daemon
+
+; syslog_ident is prepended to every message. If you have multiple FPM
+; instances running on the same server, you can change the default value
+; which must suit common needs.
+; Default Value: php-fpm
+;syslog.ident = php-fpm
+
+; Log level
+; Possible Values: alert, error, warning, notice, debug
+; Default Value: notice
+;log_level = notice
+
+; Log limit on number of characters in the single line (log entry). If the
+; line is over the limit, it is wrapped on multiple lines. The limit is for
+; all logged characters including message prefix and suffix if present. However
+; the new line character does not count into it as it is present only when
+; logging to a file descriptor. It means the new line character is not present
+; when logging to syslog.
+; Default Value: 1024
+;log_limit = 4096
+
+; Log buffering specifies if the log line is buffered which means that the
+; line is written in a single write operation. If the value is false, then the
+; data is written directly into the file descriptor. It is an experimental
+; option that can potentionaly improve logging performance and memory usage
+; for some heavy logging scenarios. This option is ignored if logging to syslog
+; as it has to be always buffered.
+; Default value: yes
+;log_buffering = no
+
+; If this number of child processes exit with SIGSEGV or SIGBUS within the time
+; interval set by emergency_restart_interval then FPM will restart. A value
+; of '0' means 'Off'.
+; Default Value: 0
+;emergency_restart_threshold = 0
+
+; Interval of time used by emergency_restart_interval to determine when
+; a graceful restart will be initiated.  This can be useful to work around
+; accidental corruptions in an accelerator's shared memory.
+; Available Units: s(econds), m(inutes), h(ours), or d(ays)
+; Default Unit: seconds
+; Default Value: 0
+;emergency_restart_interval = 0
+
+; Time limit for child processes to wait for a reaction on signals from master.
+; Available units: s(econds), m(inutes), h(ours), or d(ays)
+; Default Unit: seconds
+; Default Value: 0
+;process_control_timeout = 0
+
+; The maximum number of processes FPM will fork. This has been designed to control
+; the global number of processes when using dynamic PM within a lot of pools.
+; Use it with caution.
+; Note: A value of 0 indicates no limit
+; Default Value: 0
+; process.max = 128
+
+; Specify the nice(2) priority to apply to the master process (only if set)
+; The value can vary from -19 (highest priority) to 20 (lowest priority)
+; Note: - It will only work if the FPM master process is launched as root
+;       - The pool process will inherit the master process priority
+;         unless specified otherwise
+; Default Value: no set
+; process.priority = -19
+
+; Send FPM to background. Set to 'no' to keep FPM in foreground for debugging.
+; Default Value: yes
+;daemonize = yes
+
+; Set open file descriptor rlimit for the master process.
+; Default Value: system defined value
+;rlimit_files = 1024
+
+; Set max core size rlimit for the master process.
+; Possible Values: 'unlimited' or an integer greater or equal to 0
+; Default Value: system defined value
+;rlimit_core = 0
+
+; Specify the event mechanism FPM will use. The following is available:
+; - select     (any POSIX os)
+; - poll       (any POSIX os)
+; - epoll      (linux >= 2.5.44)
+; - kqueue     (FreeBSD >= 4.1, OpenBSD >= 2.9, NetBSD >= 2.0)
+; - /dev/poll  (Solaris >= 7)
+; - port       (Solaris >= 10)
+; Default Value: not set (auto detection)
+;events.mechanism = epoll
+
+; When FPM is built with systemd integration, specify the interval,
+; in seconds, between health report notification to systemd.
+; Set to 0 to disable.
+; Available Units: s(econds), m(inutes), h(ours)
+; Default Unit: seconds
+; Default value: 10
+;systemd_interval = 10
+
+;;;;;;;;;;;;;;;;;;;;
+; Pool Definitions ;
+;;;;;;;;;;;;;;;;;;;;
+
+; Multiple pools of child processes may be started with different listening
+; ports and different management options.  The name of the pool will be
+; used in logs and stats. There is no limitation on the number of pools which
+; FPM can handle. Your system will tell you anyway :)
+
+; Include one or more files. If glob(3) exists, it is used to include a bunch of
+; files from a glob(3) pattern. This directive can be used everywhere in the
+; file.
+; Relative path can also be used. They will be prefixed by:
+;  - the global prefix if it's been set (-p argument)
+;  - /usr otherwise
+include=/etc/php/7.4/fpm/pool.d/*.conf

conf/www.conf

@@ -0,0 +1,21 @@
+[www]
+user = www-data
+group = www-data
+listen = '9000'
+listen.owner = www-data
+listen.group = www-data
+pm = dynamic
+pm.max_children = 10
+pm.start_servers = 4
+pm.min_spare_servers = 2
+pm.max_spare_servers = 6
+access.log = /var/log/$pool.access.log
+catch_workers_output = yes
+chdir = /
+security.limit_extensions = .php .php3 .php4 .php5
+php_admin_value[allow_url_fopen] = off
+php_flag[display_errors] = on
+php_flag[html_errors] = on
+php_admin_value[error_log] = syslog
+php_admin_flag[log_errors] = on
+php_admin_value[memory_limit] = 512M

docker-compose.yml

@@ -0,0 +1,28 @@
+version: '3'
+
+volumes:
+  uploads:
+  db:
+
+services:
+  tikiwiki:
+    image: registry.audio-lab.org/tikiwiki:latest
+    build: .
+    ports:
+      - 8443:443
+      - 8480:80
+    volumes:
+      - uploads:/uploads
+      - ./conf/envvars:/etc/apache2/envvars:ro
+      - ./conf/default-ssl.conf:/etc/apache2/sites-available/000-default.conf:ro
+    restart: always
+  db:
+    image: mariadb:10
+    restart: always
+    volumes:
+      - db:/var/lib/mysql
+    environment:
+      MYSQL_DATABASE: tikiwiki
+      MYSQL_USER: tiki
+      MYSQL_RANDOM_ROOT_PASSWORD: '1'
+      MYSQL_PASSWORD: wiki # CHANGE PASSW

entrypoint.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+sudo -u www-data setup.sh -n composer
+
+exec $@

start.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+apache2ctl start
+tail -f /tmp/apache2/*log