From 9ff210bed89e7759dcfcbc2103ca2e5444077aae Mon Sep 17 00:00:00 2001
From: bunkerity
Date: Sun, 25 Oct 2020 18:30:34 +0100
Subject: [PATCH] wordpress and nextcloud examples

---
 examples/nextcloud/docker-compose.yml | 49 +++++++++++++++++++
 .../nextcloud/modsec-crs-confs/nextcloud.conf | 7 +++
 .../nextcloud/server-confs/nextcloud.conf | 42 ++++++++++++++++
 examples/wordpress/docker-compose.yml | 46 +++++++++++++++++
 .../wordpress/modsec-crs-confs/wordpress.conf | 7 +++
 .../wordpress/server-confs/permalinks.conf | 4 ++
 examples/wordpress/web-files/index.php | 5 ++
 7 files changed, 160 insertions(+)
 create mode 100644 examples/nextcloud/docker-compose.yml
 create mode 100644 examples/nextcloud/modsec-crs-confs/nextcloud.conf
 create mode 100644 examples/nextcloud/server-confs/nextcloud.conf
 create mode 100644 examples/wordpress/docker-compose.yml
 create mode 100644 examples/wordpress/modsec-crs-confs/wordpress.conf
 create mode 100644 examples/wordpress/server-confs/permalinks.conf
 create mode 100644 examples/wordpress/web-files/index.php

diff --git a/examples/nextcloud/docker-compose.yml b/examples/nextcloud/docker-compose.yml
new file mode 100644
index 0000000..c07544c
--- /dev/null
+++ b/examples/nextcloud/docker-compose.yml
@@ -0,0 +1,49 @@
+version: '3'
+
+services:
+
+  mywww:
+    image: bunkerity/bunkerized-nginx
+    restart: always
+    ports:
+      - 80:80
+      - 443:443
+    volumes:
+      - ./nc-files:/www
+      - ./letsencrypt:/etc/letsencrypt
+      - ./server-confs:/server-confs # custom nginx confs at server context to make Nextcloud working
+      - ./modsec-crs-confs:/modsec-crs-confs # custom Core Rule Set confs to add Nextcloud exclusions
+    environment:
+      - SERVER_NAME=www.website.com # replace with your domain
+      - AUTO_LETS_ENCRYPT=yes
+      - REDIRECT_HTTP_TO_HTTPS=yes
+      - DISABLE_DEFAULT_SERVER=yes
+      - MAX_CLIENT_SIZE=10G
+      - REMOTE_PHP=mync
+      - REMOTE_PHP_PATH=/var/www/html
+      - LIMIT_REQ_RATE=40r/s
+      - LIMIT_REQ_BURST=60
+      - ALLOWED_METHODS=GET|POST|HEAD|PROPFIND|DELETE|PUT
+
+  mync:
+    image: nextcloud:stable-fpm
+    restart: always
+    volumes:
+      - ./nc-files:/var/www/html
+    environment:
+      - MYSQL_HOST=mydb
+      - MYSQL_DATABASE=nc
+      - MYSQL_USER=user
+      - MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
+
+  mydb:
+    image: mariadb
+    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
+    restart: always
+    volumes:
+      - ./db-data:/var/lib/mysql
+    environment:
+      - MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
+      - MYSQL_DATABASE=nc
+      - MYSQL_USER=user
+      - MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
diff --git a/examples/nextcloud/modsec-crs-confs/nextcloud.conf b/examples/nextcloud/modsec-crs-confs/nextcloud.conf
new file mode 100644
index 0000000..91872d7
--- /dev/null
+++ b/examples/nextcloud/modsec-crs-confs/nextcloud.conf
@@ -0,0 +1,7 @@
+SecAction \
+ "id:900130,\
+ phase:1,\
+ nolog,\
+ pass,\
+ t:none,\
+ setvar:tx.crs_exclusions_nextcloud=1"
diff --git a/examples/nextcloud/server-confs/nextcloud.conf b/examples/nextcloud/server-confs/nextcloud.conf
new file mode 100644
index 0000000..be2802f
--- /dev/null
+++ b/examples/nextcloud/server-confs/nextcloud.conf
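Review bot: ALLOWED_METHODS on the mywww service (`GET|POST|HEAD|PROPFIND|DELETE|PUT`) is narrower than what the Nextcloud WebDAV endpoint behind remote.php uses: the desktop and mobile sync clients also send OPTIONS, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK and REPORT, so folder creation, renames and calendar/contact sync would presumably be refused at the proxy before reaching PHP; `- ALLOWED_METHODS=GET|POST|HEAD|OPTIONS|PROPFIND|PROPPATCH|MKCOL|COPY|MOVE|DELETE|PUT|LOCK|UNLOCK|REPORT` covers the WebDAV verbs those clients use. The three database credentials are inline in a file people copy as-is and commit; pointing them at an `env_file:` (a gitignored `.env`) keeps the example copy-pasteable without the real values ending up in version control, and the same applies to examples/wordpress/docker-compose.yml. The comment on mync's MYSQL_PASSWORD says it "must match MYSQL_PASSWORD", which is the variable itself; `# must match MYSQL_PASSWORD of the mydb service` says what was meant.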
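Review bot: The SecAction carries id 900130, which is the id the Core Rule Set reserves for this same application-exclusion setvar inside crs-setup.conf; if the bunkerized-nginx image already ships a crs-setup.conf with that action uncommented, ModSecurity rejects the duplicate id at startup, which I cannot verify from this diff, so a comment such as `# id 900130 is the CRS-reserved id for application exclusions; pick another if crs-setup.conf already defines it` would save the next person a failed start. The setvar only does anything when the CRS REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES file is loaded by the image's CRS setup, and a one-line comment naming that dependency would make the file self-explaining. The same applies to examples/wordpress/modsec-crs-confs/wordpress.conf, whose tx.crs_exclusions_wordpress depends on the REQUEST-903.9002-WORDPRESS exclusion file.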
@@ -0,0 +1,42 @@
+location / {
+    rewrite ^ /index.php;
+}
+
+location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
+    deny all;
+}
+
+location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
+    deny all;
+}
+
+location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
+    include fastcgi_params;
+    fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
+    set $path_info $fastcgi_path_info;
+    try_files $fastcgi_script_name =404;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    fastcgi_param PATH_INFO $path_info;
+    fastcgi_param HTTPS on;
+    fastcgi_param modHeadersAvailable true;
+    fastcgi_param front_controller_active true;
+    fastcgi_pass mync:9000;
+    fastcgi_intercept_errors on;
+    fastcgi_request_buffering off;
+    include fastcgi.conf;
+}
+
+location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
+    try_files $uri/ =404;
+    index index.php;
+}
+
+location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
+    try_files $uri /index.php$request_uri;
+    add_header Cache-Control "public, max-age=15778463";
+}
+
+location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
+    try_files $uri /index.php$request_uri;
+}
+
diff --git a/examples/wordpress/docker-compose.yml b/examples/wordpress/docker-compose.yml
new file mode 100644
index 0000000..7f4e557
--- /dev/null
+++ b/examples/wordpress/docker-compose.yml
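Review bot: The second deny block, `location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console)`, rejects every path that starts with a dot, which includes /.well-known/acme-challenge/ that AUTO_LETS_ENCRYPT in the companion docker-compose.yml presumably relies on for HTTP-01 validation, and /.well-known/carddav and /.well-known/caldav that Nextcloud's client discovery expects; unless the image defines a `^~ /.well-known` prefix location (which would win over this regex), certificate renewal and CalDAV/CardDAV autodiscovery break silently. Nextcloud's reference nginx config places `location = /.well-known/carddav { return 301 $scheme://$host/remote.php/dav; }` and the same for caldav ahead of this deny, and the ACME path needs an explicit allow or the image's own handling confirmed. `fastcgi_param HTTPS on;` is unconditional; that is only correct because REDIRECT_HTTP_TO_HTTPS=yes keeps plain HTTP away from PHP, and a comment saying so (`# unconditional: plain HTTP is redirected before reaching PHP`) would stop the line being copied into an HTTP-only deployment where it misleads Nextcloud's overwriteprotocol logic.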
@@ -0,0 +1,46 @@
+version: '3'
+
+services:
+
+  mywww:
+    image: bunkerity/bunkerized-nginx
+    restart: always
+    ports:
+      - 80:80
+      - 443:443
+    volumes:
+      - ./wp-files:/www
+      - ./letsencrypt:/etc/letsencrypt
+      - ./server-confs:/server-confs # custom confs at server context for permalinks
+      - ./modsec-crs-confs:/modsec-crs-confs # custom Core Rule Set confs to add Wordpress exclusions
+    environment:
+      - SERVER_NAME=www.website.com # replace with your domain
+      - AUTO_LETS_ENCRYPT=yes
+      - REDIRECT_HTTP_TO_HTTPS=yes
+      - DISABLE_DEFAULT_SERVER=yes
+      - MAX_CLIENT_SIZE=50m
+      - REMOTE_PHP=mywp
+      - REMOTE_PHP_PATH=/var/www/html
+
+  mywp:
+    image: wordpress:fpm-alpine
+    restart: always
+    volumes:
+      - ./wp-files:/var/www/html
+    environment:
+      - WORDPRESS_DB_HOST=mydb
+      - WORDPRESS_DB_NAME=wp
+      - WORDPRESS_DB_USER=user
+      - WORDPRESS_DB_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
+      - WORDPRESS_TABLE_PREFIX=prefix_ # best practice : replace with a random prefix
+
+  mydb:
+    image: mariadb
+    restart: always
+    volumes:
+      - ./db-data:/var/lib/mysql
+    environment:
+      - MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
+      - MYSQL_DATABASE=wp
+      - MYSQL_USER=user
+      - MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match WORDPRESS_DB_PASSWORD)
diff --git a/examples/wordpress/modsec-crs-confs/wordpress.conf b/examples/wordpress/modsec-crs-confs/wordpress.conf
new file mode 100644
index 0000000..60b1c03
--- /dev/null
+++ b/examples/wordpress/modsec-crs-confs/wordpress.conf
@@ -0,0 +1,7 @@
+SecAction \
+ "id:900130,\
+ phase:1,\
+ nolog,\
+ pass,\
+ t:none,\
+ setvar:tx.crs_exclusions_wordpress=1"
diff --git a/examples/wordpress/server-confs/permalinks.conf b/examples/wordpress/server-confs/permalinks.conf
new file mode 100644
index 0000000..e90c33f
--- /dev/null
+++ b/examples/wordpress/server-confs/permalinks.conf
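Review bot: `./wp-files:/www` in the mywww service mounts the WordPress tree read-write into the proxy container although nginx only serves static files from it (PHP runs in mywp via REMOTE_PHP), so `- ./wp-files:/www:ro` removes the ability of a compromised or misconfigured proxy to write into the document root; the same applies to `./nc-files:/www` in examples/nextcloud/docker-compose.yml. Whether the image's AUTO_LETS_ENCRYPT writes its challenge files somewhere under /www is not visible from this diff, and if it does that path needs its own writable mount rather than the whole tree. mydb publishes no ports, which is right; a short `# not published on purpose: only reachable from mywp on the compose network` would keep it that way when the file is adapted.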
@@ -0,0 +1,4 @@
+location / {
+    index index.php index.html index.htm;
+    try_files $uri $uri/ /index.php?$args;
+}
diff --git a/examples/wordpress/web-files/index.php b/examples/wordpress/web-files/index.php
new file mode 100644
index 0000000..61d3ee1
--- /dev/null
+++ b/examples/wordpress/web-files/index.php
@@ -0,0 +1,5 @@
+
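Review bot: The catch-all `try_files $uri $uri/ /index.php?$args;` is the standard permalink rule, but the example carries no companion rule preventing PHP execution under wp-content/uploads, the usual hardening step for an nginx front of WordPress because that directory is writable by the PHP container (mywp) and is where uploaded content lands. A `location ~* ^/wp-content/uploads/.*\.php$ { deny all; }` placed before any PHP-handling location answers 403 for scripts that end up there; whether a server-confs include is evaluated before the image's own PHP location cannot be told from this diff, so the ordering has to be checked against the image. A comment on the `try_files` line noting that every unmatched path is handed to index.php (so nothing in /www besides index.php needs to be executable) would make the intent clear to readers adapting the file.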