bunkerweb 1.4.0
This commit is contained in:
bunkerity
@@ -1,11 +0,0 @@
|
||||
# Hardened
|
||||
|
||||
Example on how you can harden the container executing bunkerized-nginx. See the [documentation](https://bunkerized-nginx.readthedocs.io/en/latest/security_tuning.html#container-hardening) for details.
|
||||
|
||||
## Architecture
|
||||
|
||||
<img src="https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/hardened/architecture.png?raw=true" />
|
||||
|
||||
## Docker
|
||||
|
||||
See [docker-compose.yml](https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/hardened/docker-compose.yml).
|
||||
Binary file not shown.
|
Before Width: | Height: | Size: 8.4 KiB |
@@ -2,8 +2,8 @@ version: '3'
|
||||
|
||||
services:
|
||||
|
||||
mywww:
|
||||
image: bunkerity/bunkerized-nginx
|
||||
mybunker:
|
||||
image: bunkerity/bunkerweb:1.4.0
|
||||
# dropping all capabilities
|
||||
cap_drop:
|
||||
- ALL
|
||||
@@ -12,37 +12,35 @@ services:
|
||||
- no-new-privileges
|
||||
# read-only file system
|
||||
read_only: true
|
||||
# folders that need write access
|
||||
tmpfs:
|
||||
- /tmp
|
||||
restart: always
|
||||
depends_on:
|
||||
- myphp
|
||||
- /tmp:mode=0770,uid=0,gid=101
|
||||
- /opt/bunkerweb/tmp:mode=0770,uid=0,gid=101
|
||||
- /etc/nginx:mode=0770,uid=0,gid=101
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
# bunkerized-nginx runs as an unprivileged user with UID/GID 101
|
||||
# ⚠️ read this if you use local folders for volumes ⚠️
|
||||
# bunkerweb runs as an unprivileged user with UID/GID 101
|
||||
# don't forget to edit the permissions of the files and folders accordingly
|
||||
# example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
|
||||
# another example for existing folder : chown -R root:101 folder && chmod -R 770 folder
|
||||
# more info at https://docs.bunkerweb.io
|
||||
volumes:
|
||||
- cache:/cache
|
||||
- nginx_conf:/etc/nginx
|
||||
- ./web-files:/www:ro
|
||||
- ./letsencrypt:/etc/letsencrypt
|
||||
- bw_data:/data
|
||||
environment:
|
||||
- SERVER_NAME=www.example.com # replace with your domain
|
||||
- AUTO_LETS_ENCRYPT=yes
|
||||
- REDIRECT_HTTP_TO_HTTPS=yes
|
||||
- DISABLE_DEFAULT_SERVER=yes
|
||||
- USE_CLIENT_CACHE=yes
|
||||
- USE_GZIP=yes
|
||||
- REMOTE_PHP=myphp
|
||||
- USE_REVERSE_PROXY=yes
|
||||
- REVERSE_PROXY_URL=/
|
||||
- REVERSE_PROXY_HOST=http://myapp
|
||||
- REMOTE_PHP_PATH=/app
|
||||
|
||||
myphp:
|
||||
image: php:fpm
|
||||
restart: always
|
||||
volumes:
|
||||
- ./web-files:/app
|
||||
myapp:
|
||||
image: tutum/hello-world
|
||||
|
||||
volumes:
|
||||
nginx_conf:
|
||||
cache:
|
||||
bw_data:
|
||||
|
||||
@@ -1,5 +0,0 @@
|
||||
<?php
|
||||
|
||||
echo "Hello World!";
|
||||
|
||||
?>
|
||||
Reference in New Issue
Block a user