Makussu/bunkerweb
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

examples improvement - added some README.md stubs

Browse Source
This commit is contained in:
florian
2021-08-05 00:10:21 +02:00
parent 55186bbef5
commit 22e2fe869f
27 changed files with 255 additions and 77 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
examples/multisite-custom-confs/README.md Normal file
View File

@@ -0,0 +1,11 @@
# Multisite with custom configurations
This is a basic example for hosting multiple web services with custom configurations.
## Architecture
<img src="https://github.com/bunkerity/bunkerized-nginx/blob/dev/examples/multisite-custom-confs/architecture.png?raw=true" />
## Docker
See [docker-compose.yml](https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/multisite-custom-confs/docker-compose.yml).

100
examples/multisite-custom-confs/docker-compose.yml Normal file
View File

@@ -0,0 +1,100 @@
version: '3'
services:
mywww:
image: bunkerity/bunkerized-nginx
restart: always
depends_on:
- mywp
- mync
ports:
- 80:8080
- 443:8443
# bunkerized-nginx runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
volumes:
- ./web-files:/www:ro
- ./letsencrypt:/etc/letsencrypt
- ./server-confs:/server-confs:ro
- ./modsec-confs:/modsec-confs:ro
- ./modsec-crs-confs:/modsec-crs-confs:ro
environment:
- SERVER_NAME=wp.example.com nc.example.com # replace with your domains
- MULTISITE=yes
- AUTO_LETS_ENCRYPT=yes
- REDIRECT_HTTP_TO_HTTPS=yes
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- wp.example.com_REMOTE_PHP=mywp
- wp.example.com_REMOTE_PHP_PATH=/var/www/html
- nc.example.com_REMOTE_PHP=mync
- nc.example.com_REMOTE_PHP_PATH=/var/www/html
- nc.example.com_LIMIT_REQ_RATE=5r/s
- nc.example.com_LIMIT_REQ_BURST=10
- nc.example.com_ALLOWED_METHODS=GET|POST|HEAD|COPY|DELETE|LOCK|MKCOL|MOVE|PROPFIND|PROPPATCH|PUT|UNLOCK|OPTIONS
- nc.example.com_X_FRAME_OPTIONS=SAMEORIGIN
- nc.example.com_BAD_BEHAVIOR_STATUS_CODES=400 401 403 405 444
- nc.example.com_WHITELIST_USER_AGENT=WebDAV
networks:
- net1
- net2
mywp:
image: wordpress:fpm-alpine
restart: always
volumes:
- ./web-files/wp.example.com:/var/www/html
environment:
- WORDPRESS_DB_HOST=mywpdb
- WORDPRESS_DB_NAME=wp
- WORDPRESS_DB_USER=user
- WORDPRESS_DB_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
- WORDPRESS_TABLE_PREFIX=prefix_ # best practice : replace with a random prefix
networks:
- net1
mywpdb:
image: mariadb
restart: always
volumes:
- ./wp-db-data:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=wp
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match WORDPRESS_DB_PASSWORD)
networks:
- net1
mync:
image: nextcloud:stable-fpm
restart: always
volumes:
- ./web-files/nc.example.com:/var/www/html
environment:
- MYSQL_HOST=myncdb
- MYSQL_DATABASE=nc
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
networks:
- net2
myncdb:
image: mariadb
command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
restart: always
volumes:
- ./nc-db-data:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=nc
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
networks:
- net2
networks:
net1:
net2:

2
examples/multisite-custom-confs/modsec-confs/nc.example.com/nextcloud.conf Normal file
View File

@@ -0,0 +1,2 @@
SecRuleRemoveById 921110
SecRule REQUEST_FILENAME "@contains /remote.php/webdav" "id:1,nolog,pass,ctl:ruleRemoveByTag=OWASP_CRS"

4
examples/multisite-custom-confs/modsec-confs/wp.example.com/wordpress.conf Normal file
View File

@@ -0,0 +1,4 @@
SecRule REQUEST_FILENAME "/wp-admin/admin-ajax.php" "id:1,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-rce"
SecRule REQUEST_FILENAME "/wp-admin/options.php" "id:2,ctl:ruleRemoveByTag=attack-xss"
SecRule REQUEST_FILENAME "^/wp-json/yoast" "id:3,ctl:ruleRemoveById=930120"
SecRuleRemoveById 953120

15
examples/multisite-custom-confs/modsec-crs-confs/nc.example.com/nextcloud.conf Normal file
View File

@@ -0,0 +1,15 @@
SecAction \
"id:900130,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:tx.crs_exclusions_nextcloud=1"
SecAction \
"id:900200,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:'tx.allowed_methods=GET POST HEAD COPY DELETE LOCK MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK OPTIONS'"

7
examples/multisite-custom-confs/modsec-crs-confs/wp.example.com/wordpress.conf Normal file
View File

@@ -0,0 +1,7 @@
SecAction \
"id:900130,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:tx.crs_exclusions_wordpress=1"

32
examples/multisite-custom-confs/server-confs/nc.example.com/nextcloud.conf Normal file
View File

@@ -0,0 +1,32 @@
location ~ \.php(?:$|/) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include /etc/nginx/nc.example.com/fastcgi.conf;
fastcgi_param SCRIPT_FILENAME /var/www/html/$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
fastcgi_param front_controller_active true; # Enable pretty urls
fastcgi_pass mync:9000;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ \.(?:css|js|svg|gif)$ {
try_files $uri /index.php$request_uri;
expires 6M; # Cache-Control policy borrowed from `.htaccess`
}
location ~ \.woff2?$ {
try_files $uri /index.php$request_uri;
expires 7d; # Cache-Control policy borrowed from `.htaccess`
}
location / {
try_files $uri /index.php$request_uri;
}

4
examples/multisite-custom-confs/server-confs/wp.example.com/permalinks.conf Normal file
View File

@@ -0,0 +1,4 @@
location / {
index index.php index.html index.htm;
try_files $uri $uri/ /index.php?$args;
}