From 3e5ca583c9da6e299ffa9e098105b21b690e9d93 Mon Sep 17 00:00:00 2001
From: bunkerity
Date: Fri, 18 Sep 2020 22:50:56 +0200
Subject: [PATCH] remote PHP-FPM support
---
 README.md | 26 +++++++++++++++-----------
 confs/php.conf | 2 +-
 entrypoint.sh | 4 ++++
 3 files changed, 20 insertions(+), 12 deletions(-)
diff --git a/README.md b/README.md
index 027cb35..82ea454 100644
--- a/README.md
+++ b/README.md
@@ -292,55 +292,60 @@ Default value : *no* Is set to yes, will block TOR clients. ## PHP +`REMOTE_PHP` +Values : *\* +Default value : +Set the IP/hostname address of a remote PHP-FPM to execute .php files. See `USE_PHP` if you want to run a PHP-FPM instance on the same container as bunkerized-nginx. + `USE_PHP` Values : *yes* | *no* Default value : *yes* -If set to yes, PHP files will be executed by the server. +If set to yes, a local PHP-FPM instance will be run inside the container to execute PHP files. `PHP_DISPLAY_ERRORS` Values : *yes* | *no* Default value : *no* -If set to yes, PHP errors will be shown to clients. +If set to yes, PHP errors will be shown to clients. Only meaningful if `USE_PHP` is set to *yes*. `PHP_EXPOSE` Values : *yes* | *no* Default value : *no* -If set to yes, the PHP version will be sent within the X-Powered-By header. +If set to yes, the PHP version will be sent within the X-Powered-By header. Only meaningful if `USE_PHP` is set to *yes*. `PHP_OPEN_BASEDIR` Values : *\* Default value : */www/:/tmp/* -Limits access to files within the given directories. For example include() or fopen() calls outside the directory will fail. +Limits access to files within the given directories. For example include() or fopen() calls outside the directory will fail. Only meaningful if `USE_PHP` is set to *yes*. `PHP_ALLOW_URL_FOPEN` Values : *yes* | *no* Default value : *no* -If set to yes, allows using url in fopen() calls (i.e. : ftp://, http://, ...). +If set to yes, allows using url in fopen() calls (i.e. : ftp://, http://, ...). Only meaningful if `USE_PHP` is set to *yes*. `PHP_ALLOW_URL_INCLUDE` Values : *yes* | *no* Default value : *no* -If set to yes, allows using url in include() calls (i.e. : ftp://, http://, ...). +If set to yes, allows using url in include() calls (i.e. : ftp://, http://, ...). Only meaningful if `USE_PHP` is set to *yes*. 
`PHP_FILE_UPLOADS` Values : *yes* | *no* Default value : *yes* -If set to yes, allows clients to upload files. +If set to yes, allows clients to upload files. Only meaningful if `USE_PHP` is set to *yes*. `PHP_UPLOAD_MAX_FILESIZE` Values : *\* | *XM* Default value : *10M* -Sets the maximum file size allowed when uploading files. +Sets the maximum file size allowed when uploading files. Only meaningful if `USE_PHP` is set to *yes*. `PHP_POST_MAX_SIZE` Values : *\* | *XM* Default value : *10M* -Sets the maximum POST size allowed for clients. +Sets the maximum POST size allowed for clients. Only meaningful if `USE_PHP` is set to *yes*. `PHP_DISABLE_FUNCTIONS` Values : *\, \ ...* Default value : *system, exec, shell_exec, passthru, phpinfo, show_source, highlight_file, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo* -List of PHP functions blacklisted separated with commas. They can't be used anywhere in PHP code. +List of PHP functions blacklisted separated with commas. They can't be used anywhere in PHP code. Only meaningful if `USE_PHP` is set to *yes*. ## Fail2ban `USE_FAIL2BAN`
@@ -445,4 +450,3 @@ docker run ... -v /path/to/http/confs:/http-confs ... bunkerity/bunkerized-nginx
 - HSTS preload, HPKP
 - Web UI
 - Full documentation
-- nginx compile flags ?
diff --git a/confs/php.conf b/confs/php.conf
index abad9a4..7e81af3 100644
--- a/confs/php.conf
+++ b/confs/php.conf
@@ -1,5 +1,5 @@
 location ~ \.php$ {
- fastcgi_pass 127.0.0.1:9000;
+ fastcgi_pass %REMOTE_PHP%:9000;
 fastcgi_index index.php;
 include fastcgi.conf;
 }
diff --git a/entrypoint.sh b/entrypoint.sh
index 82cec5e..5c9c1ee 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
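Review bot: In confs/php.conf, `fastcgi_pass %REMOTE_PHP%:9000;` can now point at another host, and FastCGI itself carries no authentication or encryption, so the PHP-FPM listener has to be protected by network placement alone. I would add a comment above the directive, `# FastCGI is plaintext and unauthenticated: keep the PHP-FPM host on a private network reachable only from this container`, and have the README entry for `REMOTE_PHP` point to PHP-FPM's `listen.allowed_clients` on the remote side. The README hunk states that the `PHP_*` hardening settings are only meaningful when `USE_PHP` is *yes*, so the remote instance needs its own php.ini restrictions. The port stays hard-coded at 9000; if that is intentional it should be stated next to the `REMOTE_PHP` description.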
@@ -127,6 +127,7 @@ replace_in_file "/etc/nginx/gzip.conf" "%GZIP_MIN_LENGTH%" "$GZIP_MIN_LENGTH"
 replace_in_file "/etc/nginx/gzip.conf" "%GZIP_TYPES%" "$GZIP_TYPES"
 if [ "$USE_PHP" = "yes" ] ; then
 replace_in_file "/etc/nginx/server.conf" "%USE_PHP%" "include /etc/nginx/php.conf;"
+ replace_in_file "/etc/nginx/php.conf" "%REMOTE_PHP%" "127.0.0.1"
 if [ "$PHP_EXPOSE" = "yes" ] ; then
 replace_in_file "/etc/php7/php.ini" "%PHP_EXPOSE%" "On"
 else
@@ -157,6 +158,9 @@ if [ "$USE_PHP" = "yes" ] ; then
 replace_in_file "/etc/php7/php.ini" "%PHP_DISABLE_FUNCTIONS%" "$PHP_DISABLE_FUNCTIONS"
 replace_in_file "/etc/php7/php.ini" "%PHP_POST_MAX_SIZE%" "$PHP_POST_MAX_SIZE"
 replace_in_file "/etc/php7/php.ini" "%ROOT_FOLDER%" "$ROOT_FOLDER"
+elif [ "$REMOTE_PHP" != "" ] ; then
+ replace_in_file "/etc/nginx/server.conf" "%USE_PHP%" "include /etc/nginx/php.conf;"
+ replace_in_file "/etc/nginx/php.conf" "%REMOTE_PHP%" "$REMOTE_PHP"
 else
 replace_in_file "/etc/nginx/server.conf" "%USE_PHP%" ""
 fi
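Review bot: The line added at `@@ -127` fills `%REMOTE_PHP%` with a literal `127.0.0.1` whenever `USE_PHP` is yes, so a `REMOTE_PHP` value is dropped without notice in that case, and the README in this patch lists *yes* as the default for `USE_PHP`. An operator who sets only `REMOTE_PHP` would, if that default holds in the script, still get PHP executed inside the nginx container rather than on the separate host. A warning at the top of this branch would make the precedence visible: `if [ "$REMOTE_PHP" != "" ] ; then echo "REMOTE_PHP is ignored because USE_PHP=yes" >&2 ; fi`. The `if` block opens inside the hunk and continues past its end.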
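Review bot: The new `elif` branch at `@@ -157` writes `$REMOTE_PHP` into /etc/nginx/php.conf without checking it, so a value containing whitespace, `;` or braces would end the `fastcgi_pass` directive early and change the rest of the generated nginx configuration; how replace_in_file treats characters such as `/` or `&` is not visible in this hunk. The value is meant to be a bare IP or hostname, so anything else can be rejected before the substitution: `case "$REMOTE_PHP" in *[!A-Za-z0-9.-]*) echo "REMOTE_PHP must be a hostname or IPv4 address" >&2 ; exit 1 ;; esac`. That pattern excludes IPv6 literals, which would need brackets in `fastcgi_pass` anyway. nginx resolves a hostname given to `fastcgi_pass` when the configuration is loaded, so an unresolvable name stops the server from starting, which is worth a sentence in the README.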