commento_password.txt
commento_config.txt
db_password.txt
db_root_password.txt
.env
secrets/
db_data/
wp_themes/
......@@ -23,16 +23,16 @@
# paths:
# -
# build:
# image: docker:stable
# services:
# - docker:dind
# variables:
# DOCKER_HOST: tcp://docker:2375
# DOCKER_DRIVER: overlay2
# stage: build
# script:
# - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
# - cd wordpress
# - docker build -t $CI_REGISTRY:latest .
# - docker push $CI_REGISTRY:latest
build:
image: docker:stable
services:
- docker:dind
variables:
DOCKER_HOST: tcp://docker:2375
DOCKER_DRIVER: overlay2
stage: build
script:
- docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
- cd wordpress-container
- docker build -t $CI_REGISTRY:latest .
- docker push $CI_REGISTRY:latest
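Review bot: The image is built and pushed as `$CI_REGISTRY:latest`, but `$CI_REGISTRY` is GitLab's registry host, while the compose file in this same commit pulls `gitlab-registry.light.kow.is/kowis-projects/wordpress-container`; unless that variable has been overridden to the full image path, the push target should be `$CI_REGISTRY_IMAGE:latest`. The `docker login` line passes the registry password as a command-line argument, where it can surface in the job log and in the dind container's process list; prefer `echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"`. `DOCKER_HOST: tcp://docker:2375` talks to the dind service in plaintext with no client authentication, and newer `docker:dind` images default to TLS on 2376 via `DOCKER_TLS_CERTDIR`, so either adopt that or pin the dind and `docker:stable` (itself a floating tag) images to versions that match this setting. The pipeline's `stages:` and any other jobs are outside this hunk.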
# wordpress-container
My wordpress container
\ No newline at end of file
My wordpress container
Need to install OCache or APCu
\ No newline at end of file
......@@ -6,7 +6,7 @@ services:
image: containrrr/watchtower
volumes:
- /var/run/docker.sock:/var/run/docker.sock
# - ./watchtower-config.json:/config.json:ro
- ./secrets/watchtower-config.json:/config.json:ro
command: --cleanup --label-enable
restart: always
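Review bot: The service that now receives `./secrets/watchtower-config.json` (presumably registry credentials for the private image) also holds `/var/run/docker.sock`, which is root-equivalent on the host, and runs an untagged `containrrr/watchtower`, so the process with both the socket and the credentials is itself whatever upstream last published. Pin it, e.g. `image: containrrr/watchtower:<version>` or a `@sha256:` digest, and update it deliberately. The `:ro` on the config mount is correct; a short comment such as `# registry credentials for pulling the private wordpress-container image` next to it would make the purpose of that file explicit.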
......@@ -29,15 +29,16 @@ services:
wordpress:
container_name: wordpress
# Not using my custom image, because building snuffleupagus is proving to be more irritating than it's worth
#image: gitlab-registry.light.kow.is/kowis-projects/wordpress-container
image: wordpress:php7.3-fpm
image: gitlab-registry.light.kow.is/kowis-projects/wordpress-container
#image: wordpress:php7.3-fpm
restart: always
volumes:
- ./wordpress:/var/www/html
- ./php-uploads.ini:/usr/local/etc/php/conf.d/uploads.ini
- ./php-custom.ini:/usr/local/etc/php/conf.d/custom.ini
# - ./my.rules:/usr/local/etc/php/snuffleupagus/rules/my.rules
# - ./secrets/secret.rules:/usr/local/etc/php/snuffleupagus/rules/secret.rules
environment:
WORDPRESS_DB_HOST: db:3306
WORDPRESS_DB_HOST: wordpress_db:3306
WORDPRESS_DB_USER: wordpress
WORDPRESS_DB_PASSWORD_FILE: /run/secrets/db_password
WORDPRESS_DB_NAME: wordpress
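Review bot: `image: gitlab-registry.light.kow.is/kowis-projects/wordpress-container` has no tag or digest, so it resolves to `:latest`, and since this service carries `com.centurylinklabs.watchtower.enable=true` (next hunk) every image the CI job pushes under that name is deployed automatically — a compromised CI token or registry credential becomes code execution in the web container. Pin by digest (`image: gitlab-registry.light.kow.is/kowis-projects/wordpress-container@sha256:…`) or have CI tag builds with `$CI_COMMIT_SHA` and bump the reference here on purpose. The two snuffleupagus rule mounts remain commented out while the custom image goes live; a comment such as `# snuffleupagus is not built into the image yet (see wordpress-container/Dockerfile); re-enable both mounts together with the php-custom.ini line` would stop a reader assuming the rules are active. The service definition continues into the next hunk.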
......@@ -45,12 +46,12 @@ services:
- db_password
networks:
- wp_net
- db_net
- wordpress_db_net
labels:
- com.centurylinklabs.watchtower.enable=true
db:
container_name: db
wordpress_db:
container_name: wordpress_db
image: mariadb:10
restart: always
volumes:
......@@ -64,16 +65,62 @@ services:
- db_root_password
- db_password
networks:
- db_net
- wordpress_db_net
labels:
- com.centurylinklabs.watchtower.enable=true
# commento_db:
# container_name: commento_db
# image: postgres:12
# volumes:
# - ./pg_data:/var/lib/postgresql/data
# environment:
# POSTGRES_DB: commento
# POSTGRES_USER: commento
# POSTGRES_PASSWORD_FILE: /run/secrets/commento_password
# labels:
# - com.centurylinklabs.watchtower.enable=true
# networks:
# - commento_db_net
# secrets:
# - commento_password
# commento:
# container_name: commento
# depends_on:
# - commento_db
# image: registry.gitlab.com/commento/commento:v1.7.0
# ports:
# - '8081:8080'
# environment:
# COMMENTO_POSTGRES: "postgres://commento:${COMMENTO_PASSWORD}@commento_db:5432/commento?sslmode=disable"
# COMMENTO_ORIGIN: https://commento.kow.is
# COMMENTO_PORT: "8080"
# COMMENTO_GZIP_STATIC: "true"
# COMMENTO_FORBID_NEW_OWNERS: "true"
# COMMENTO_SMTP_HOST: mail.kow.is
# COMMENTO_SMTP_PORT: "587"
# COMMENTO_SMTP_USERNAME: ${COMMENTO_EMAIL_USERNAME}
# COMMENTO_SMTP_PASSWORD: ${COMMENTO_PASSWORD}
# COMMENTO_SMTP_FROM_ADDRESS: no-reply@kow.is
# networks:
# - commento_db_net
# labels:
# - com.centurylinklabs.watchtower.enable=true
# secrets:
# - commento_config
secrets:
db_password:
file: db_password.txt
file: secrets/db_password.txt
db_root_password:
file: db_root_password.txt
file: secrets/db_root_password.txt
commento_password:
file: secrets/commento_password.txt
commento_config:
file: secrets/commento_config.txt
networks:
db_net:
wp_net:
\ No newline at end of file
wordpress_db_net:
wp_net:
# commento_db_net:
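Review bot: In the commented-out `commento` service the same `${COMMENTO_PASSWORD}` is interpolated both into the `COMMENTO_POSTGRES` URL as the database password and into `COMMENTO_SMTP_PASSWORD`, which ties the mail account and the database to one credential and places it in the container environment (readable via `docker inspect`) instead of the `commento_password` secret file declared below; before this block is re-enabled, use two distinct variables and keep them in the gitignored `.env`. `sslmode=disable` on that URL is only acceptable because `commento_db_net` is a compose-internal network, which is worth stating in a comment on that line. The new top-level `commento_password` and `commento_config` secrets point at files under the gitignored `secrets/` directory, so a fresh clone presumably fails at `docker-compose up` until they are created; either comment those two entries out along with the services that use them, or document the required files in the README.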
# This is the default configuration file for Snuffleupagus (https://snuffleupagus.rtfd.io).
# It contains "reasonable" defaults that won't break your websites,
# and a lot of commented directives that you can enable if you want to
# have a better protection.
# Harden the PRNG
sp.harden_random.enable();
# Disabled XXE
sp.disable_xxe.enable();
# Global configuration variables
# sp.global.secret_key("YOU _DO_ NEED TO CHANGE THIS WITH SOME RANDOM CHARACTERS.");
# Globally activate strict mode
# https://secure.php.net/manual/en/functions.arguments.php#functions.arguments.type-declaration.strict
# sp.global_strict.enable();
# Prevent unserialize-related exploits
sp.unserialize_hmac.enable();
# Only allow execution of read-only files. This is a low-hanging fruit that you should enable.
sp.readonly_exec.enable();
# Php has a lot of wrappers, most of them aren't usually useful, you should
# only enable the ones you're using.
# sp.wrappers_whitelist.list("file,php,phar");
# Prevent sloppy comparisons.
sp.sloppy_comparison.enable();
# use SameSite on session cookie
# https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery
sp.cookie.name("PHPSESSID").samesite("lax");
# Harden the `chmod` function
sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop();
# Prevent various `mail`-related vulnerabilities
sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
# Since it's now burned, me might as well mitigate it publicly
sp.disable_function.function("putenv").param("setting").value_r("LD_").drop()
# This is also burned:
ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd'));
# Since we have no way of matching on two parameters at the same time, we're
# blocking calls to open_basedir altogether: nobody is using it via ini_set anyway.
# Moreover, there are non-public bypasses that are also using this vector ;)
sp.disable_function.function("ini_set").param("varname").value_r("open_basedir").drop()
##Prevent various `include`-related vulnerabilities
sp.disable_function.function("require_once").value_r("\.(inc|phtml|php)$").allow();
sp.disable_function.function("include_once").value_r("\.(inc|phtml|php)$").allow();
sp.disable_function.function("require").value_r("\.(inc|phtml|php)$").allow();
sp.disable_function.function("include").value_r("\.(inc|phtml|php)$").allow();
sp.disable_function.function("require_once").drop()
sp.disable_function.function("include_once").drop()
sp.disable_function.function("require").drop()
sp.disable_function.function("include").drop()
# Prevent `system`-related injections
sp.disable_function.function("system").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
sp.disable_function.function("shell_exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
# Prevent runtime modification of interesting things
sp.disable_function.function("ini_set").param("var_name").value("assert.active").drop();
sp.disable_function.function("ini_set").param("var_name").value("zend.assertions").drop();
sp.disable_function.function("ini_set").param("var_name").value("memory_limit").drop();
sp.disable_function.function("ini_set").param("var_name").value("include_path").drop();
sp.disable_function.function("ini_set").param("var_name").value("open_basedir").drop();
# Detect some backdoors via environnement recon
sp.disable_function.function("ini_get").param("var_name").value("allow_url_fopen").drop();
sp.disable_function.function("ini_get").param("var_name").value("open_basedir").drop();
sp.disable_function.function("ini_get").param("var_name").value_r("suhosin").drop();
sp.disable_function.function("function_exists").param("function_name").value("eval").drop();
sp.disable_function.function("function_exists").param("function_name").value("exec").drop();
sp.disable_function.function("function_exists").param("function_name").value("system").drop();
sp.disable_function.function("function_exists").param("function_name").value("shell_exec").drop();
sp.disable_function.function("function_exists").param("function_name").value("proc_open").drop();
sp.disable_function.function("function_exists").param("function_name").value("passthru").drop();
sp.disable_function.function("is_callable").param("var").value("eval").drop();
sp.disable_function.function("is_callable").param("var").value("exec").drop();
sp.disable_function.function("is_callable").param("var").value("system").drop();
sp.disable_function.function("is_callable").param("var").value("shell_exec").drop();
sp.disable_function.function("is_callable").param("var").value("proc_open").drop();
sp.disable_function.function("is_callable").param("var").value("passthru").drop();
# Commenting sqli related stuff to improve performance.
# TODO figure out why these functions can't be hooked at startup
# Ghetto sqli hardening
# sp.disable_function.function("mysql_query").param("query").value_r("/\\*").drop();
# sp.disable_function.function("mysql_query").param("query").value_r("--").drop();
# sp.disable_function.function("mysql_query").param("query").value_r("#").drop();
# sp.disable_function.function("mysql_query").param("query").value_r(";.*;").drop();
# sp.disable_function.function("mysql_query").param("query").value_r("benchmark").drop();
# sp.disable_function.function("mysql_query").param("query").value_r("sleep").drop();
# sp.disable_function.function("mysql_query").param("query").value_r("information_schema").drop();
# sp.disable_function.function("mysqli_query").param("query").value_r("/\\*").drop();
# sp.disable_function.function("mysqli_query").param("query").value_r("--").drop();
# sp.disable_function.function("mysqli_query").param("query").value_r("#").drop();
# sp.disable_function.function("mysqli_query").param("query").value_r(";.*;").drop();
# sp.disable_function.function("mysqli_query").param("query").value_r("benchmark").drop();
# sp.disable_function.function("mysqli_query").param("query").value_r("sleep").drop();
# sp.disable_function.function("mysqli_query").param("query").value_r("information_schema").drop();
# sp.disable_function.function("PDO::query").param("query").value_r("/\\*").drop();
# sp.disable_function.function("PDO::query").param("query").value_r("--").drop();
# sp.disable_function.function("PDO::query").param("query").value_r("#").drop();
# sp.disable_function.function("PDO::query").param("query").value_r(";.*;").drop();
# sp.disable_function.function("PDO::query").param("query").value_r("benchmark\\s*\\(").drop();
# sp.disable_function.function("PDO::query").param("query").value_r("sleep\\s*\\(").drop();
# sp.disable_function.function("PDO::query").param("query").value_r("information_schema").drop();
# Ghetto sqli detection
# sp.disable_function.function("mysql_query").ret("FALSE").drop();
# sp.disable_function.function("mysqli_query").ret("FALSE").drop();
# sp.disable_function.function("PDO::query").ret("FALSE").drop();
# Ensure that certificates are properly verified
sp.disable_function.function("curl_setopt").param("value").value("1").allow();
sp.disable_function.function("curl_setopt").param("value").value("2").allow();
# `81` is SSL_VERIFYHOST and `64` SSL_VERIFYPEER
sp.disable_function.function("curl_setopt").param("option").value("64").drop().alias("Please don't turn CURLOPT_SSL_VERIFYCLIENT off.");
sp.disable_function.function("curl_setopt").param("option").value("81").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off.");
#File upload
sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();
\ No newline at end of file
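Review bot: `sp.unserialize_hmac.enable();` is turned on while `sp.global.secret_key(...)` a few lines above stays commented out; Snuffleupagus derives the unserialize HMAC (and its cookie encryption) from that key, so a real random value has to be set, e.g. `sp.global.secret_key("<64+ random characters>");`, ideally in the gitignored `secret.rules` the compose file already anticipates. The `ini_set`/`ini_get` rules disagree on the parameter name: the standalone `open_basedir` rule uses `.param("varname")` while the later block uses `.param("var_name")`, and since PHP 7.3 (the image this targets) declares the argument as `$varname`, one of the two spellings never matches — confirm with `ReflectionFunction` inside the built image and use one spelling throughout. The `sp.cookie.name("PHPSESSID")` SameSite rule guards a cookie WordPress does not normally issue; its auth cookies are `wordpress_logged_in_*` and `wordpress_sec_*` (the nginx cache rule in this commit matches on exactly those), so a regex-named cookie rule would be needed for that protection to apply. The alias on the `64` curl rule says `CURLOPT_SSL_VERIFYCLIENT` where the comment above correctly names `SSL_VERIFYPEER`. Note that this file is currently inert: php-custom.ini's `sp.configuration_file` line is commented out and the Dockerfile no longer installs the module.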
......@@ -6,15 +6,90 @@ server {
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
include mime.types;
default_type application/octet-stream;
gzip on;
#
# Allow larger file uploads
#
client_max_body_size 64M;
#W3 TOTAL CACHE CHECK
set $cache_uri $request_uri;
# POST requests and urls with a query string should always go to PHP
if ($request_method = POST) {
set $cache_uri 'null cache';
}
if ($query_string != "") {
set $cache_uri 'null cache';
}
# Don't cache uris containing the following segments
if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php|wp-.*.php|/feed/|index.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(_index)?.xml|[a-z0-9_-]+-sitemap([0-9]+)?.xml)") {
set $cache_uri 'null cache';
}
# Don't use the cache for logged in users or recent commenters
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_logged_in") {
set $cache_uri 'null cache';
}
# START MOBILE
# Mobile browsers section to server them non-cached version. COMMENTED by default as most modern wordpress themes including twenty-eleven are responsive. Uncomment config lines in this section if you want to use a plugin like WP-Touch
if ($http_x_wap_profile) {
set $cache_uri 'null cache';
}
if ($http_profile) {
set $cache_uri 'null cache';
}
if ($http_user_agent ~* (2.0\ MMP|240x320|400X240|AvantGo|BlackBerry|Blazer|Cellphone|Danger|DoCoMo|Elaine/3.0|EudoraWeb|Googlebot-Mobile|hiptop|IEMobile|KYOCERA/WX310K|LG/U990|MIDP-2.|MMEF20|MOT-V|NetFront|Newt|Nintendo\ Wii|Nitro|Nokia|Opera\ Mini|Palm|PlayStation\ Portable|portalmmm|Proxinet|ProxiNet|SHARP-TQ-GX10|SHG-i900|Small|SonyEricsson|Symbian\ OS|SymbianOS|TS21i-10|UP.Browser|UP.Link|webOS|Windows\ CE|WinWAP|YahooSeeker/M1A1-R2D2|iPhone|iPod|Android|BlackBerry9530|LG-TU915\ Obigo|LGE\ VX|webOS|Nokia5800)) {
set $cache_uri 'null cache';
}
if ($http_user_agent ~* (w3c\ |w3c-|acs-|alav|alca|amoi|audi|avan|benq|bird|blac|blaz|brew|cell|cldc|cmd-|dang|doco|eric|hipt|htc_|inno|ipaq|ipod|jigs|kddi|keji|leno|lg-c|lg-d|lg-g|lge-|lg/u|maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|nec-|newt|noki|palm|pana|pant|phil|play|port|prox|qwap|sage|sams|sany|sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo|teli|tim-|tosh|tsm-|upg1|upsi|vk-v|voda|wap-|wapa|wapi|wapp|wapr|webc|winw|winw|xda\ |xda-)) {
set $cache_uri 'null cache';
}
#END MOBILE
#APPEND A CODE BLOCK FROM BELOW...
# Use cached or actual file if they exists, otherwise pass request to WordPress
location / {
try_files $uri $uri/ /index.php?$args;
try_files /wp-content/w3tc/pgcache/$cache_uri/_index.html $uri $uri/ /index.php?$args ;
}
# Global restrictions configuration file.
# Designed to be included in any server {} block.
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~ /\. {
deny all;
}
# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
# Original non-cached logic
# location / {
# try_files $uri $uri/ /index.php?$args;
# }
location ~ \.php$ {
try_files $uri =404;
......@@ -6,4 +6,8 @@ file_uploads = On
memory_limit = 64M
upload_max_filesize = 64M
post_max_size = 64M
max_execution_time = 600
\ No newline at end of file
max_execution_time = 600
# configure snuffleupagus
# Not ready yet, have to figure out how to get snuffleupagus working
# sp.configuration_file=/usr/local/etc/php/snuffleupagus/rules/my.rules
\ No newline at end of file
FROM wordpress:php7.3-fpm-alpine
FROM wordpress:php7.3-fpm
# going to add the snuffleupagus security php module
# RUN curl https://github.com/nbs-system/snuffleupagus/releases/download/v0.5.0/snuffleupagus_0.5.0_amd64.deb -o snuffleupagus_0.5.0_amd64.deb \
# && apt -y update \
# && apt-get -y install ./snuffleupagus_0.5.0_amd64.deb \
# && apt -y clean
# # going to add the snuffleupagus security php module
# # https://github.com/nbs-system/snuffleupagus/releases/download/v0.5.0/snuffleupagus_0.5.0_amd64.deb
# RUN curl -fSsL https://github.com/nbs-system/snuffleupagus/releases/download/v0.5.0/snuffleupagus_0.5.0_amd64.deb -o snuffleupagus_0.5.0_amd64.deb \
# && apt-get -y update && apt-get -y upgrade\
# && apt -y install apt-transport-https lsb-release ca-certificates \
# && curl -fSsL https://packages.sury.org/php/apt.gpg -o /etc/apt/trusted.gpg.d/php.gpg \
# && sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list' \
# && apt -y update && apt -y install libpcre3 \
# && apt -y install ./snuffleupagus_0.5.0_amd64.deb \
# && apt -y clean \
# && mkdir -p /tmp/snuffleupagus \
# && echo "Installing snuffleupagus into the docker stuff" \
# && mv /usr/lib/php/20170718/snuffleupagus.so /usr/local/lib/php/extensions/no-debug-non-zts-20180731/snuffleupagus.so \
# && mv /etc/php/7.2/mods-available/snuffleupagus.ini /usr/local/etc/php/conf.d/snuffleupagus.ini \
# && docker-php-ext-enable snuffleupagus \
# && mkdir -p /usr/local/etc/php/snuffleupagus/rules
# Adding php cache fun
# Used by W3 cache
RUN pecl install apcu_bc \
&& docker-php-ext-enable apcu \
&& docker-php-ext-enable apc
# adding brotli compression
# used by W3 Cache
RUN cd /tmp \
&& apk update \
&& apk add git \
&& git clone https://github.com/nbs-system/snuffleupagus \
&& cd snuffleupagus \
&& git checkout v0.5.0 \
&& apk add alpine-sdk \
&& abuild -r
\ No newline at end of file
&& apt update \
&& apt -y install git \
&& cd /tmp \
&& git clone --recursive --depth=1 https://github.com/kjdev/php-ext-brotli.git \
&& cd php-ext-brotli \
&& docker-php-ext-configure /tmp/php-ext-brotli \
&& docker-php-ext-install /tmp/php-ext-brotli \
&& rm -r /tmp/php-ext-brotli \
&& cd / \
&& apt -y autoremove git \
&& apt-get -y clean
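Review bot: `git clone --recursive --depth=1 https://github.com/kjdev/php-ext-brotli.git` compiles whatever HEAD of a third-party repository and its submodule happens to be at build time into the public PHP process, with no tag, commit or checksum pin; add `--branch <tag>` to the clone or a `git checkout <commit>` after it so the build is reproducible and a hijacked upstream cannot reach production through the watchtower auto-update. `pecl install apcu_bc` is unpinned for the same reason (`pecl install apcu_bc-<version>`). On the commented-out snuffleupagus path, the `.deb` installs `snuffleupagus.so` under `/usr/lib/php/20170718` (the PHP 7.2 extension API) and the `mv` drops it into the `20180731` (PHP 7.3) directory, which presumably is why it "proved irritating" — building from source against the image's own `phpize` (as the old alpine `abuild` line attempted) is the route that can work. The trailing `apt-get -y clean` does not remove `/var/lib/apt/lists/*`; append `&& rm -rf /var/lib/apt/lists/*` to keep the image small and free of stale package indexes.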