examples update and multiple REVERSE_PROXY_* on single site

2020-11-15 14:55:48 +01:00 · 2020-11-15 14:55:48 +01:00 · ed451877ae
commit ed451877ae
parent 0f18e9c552
29 changed files with 195 additions and 74 deletions
--- a/examples/load-balancer/server-confs/reverse-proxy.conf
+++ b/examples/load-balancer/server-confs/reverse-proxy.conf
@ -1,6 +1,3 @@
 proxy_set_header Host $host;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
-location / {
-	proxy_pass http://app;
-}
+proxy_set_header X-Real-IP $remote_addr;
--- a/confs/site/reverse-proxy.conf
+++ b/confs/site/reverse-proxy.conf
@ -1,7 +1,3 @@
-proxy_set_header Host $host;
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-proxy_set_header X-Real-IP $remote_addr;
-
 location %REVERSE_PROXY_URL% {
 	proxy_pass %REVERSE_PROXY_LOCATION%;
 }
--- a/entrypoint/defaults.sh
+++ b/entrypoint/defaults.sh
@ -1,5 +1,6 @@
 #!/bin/bash

+MULTISITE="${MULTISITE-yes}"
 HTTP_PORT="${HTTP_PORT-8080}"
 HTTPS_PORT="${HTTPS_PORT-8443}"
 MAX_CLIENT_SIZE="${MAX_CLIENT_SIZE-10m}"
--- a/entrypoint/site-config.sh
+++ b/entrypoint/site-config.sh
@ -44,10 +44,20 @@ replace_in_file "{NGINX_PREFIX}server.conf" "%SERVER_TOKENS%" "$SERVER_TOKENS"

 # reverse proxy
 if [ "$USE_REVERSE_PROXY" = "yes" ] ; then
-	replace_in_file "${NGINX_PREFIX}server.conf" "%USE_REVERSE_PROXY%" "include ${NGINX_PREFIX}reverse-proxy.conf"
-	replace_in_file "${NGINX_PREFIX}reverse-proxy.conf" "%REVERSE_PROXY_URL%" "$REVERSE_PROXY_URL"
-	replace_in_file "${NGINX_PREFIX}reverse-proxy.conf" "%REVERSE_PROXY_HOST%" "$REVERSE_PROXY_HOST"
-
+	i=1
+	for var in $(env) ; do
+		check=$(echo "$var" | grep "^REVERSE_PROXY_URL")
+		if [ "$check" != "" ] ; then
+			name=$(echo "$var" | cut -d '=' -f 1)
+			value=$(echo "$var" | sed "s/${name}//")
+			host=$(echo "$name" | sed "s/URL/HOST//")
+			cp "${NGINX_PREFIX}reverse-proxy.conf" "${NGINX_PREFIX}reverse-proxy-${i}.conf"
+			replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_URL%" "$value"
+			replace_in_file "${NGINX_PREFIX}reverse-proxy.${i}conf" "%REVERSE_PROXY_HOST%" "${!host}"
+			i=$(($i + 1))
+		fi
+	done
+	replace_in_file "${NGINX_PREFIX}server.conf" "%USE_REVERSE_PROXY%" "include ${NGINX_PREFIX}reverse-proxy-*.conf"
 else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%USE_REVERSE_PROXY%" ""
 fi
--- a/examples/basic-website-with-php/docker-compose.yml
+++ b/examples/basic-website-with-php/docker-compose.yml
@ -9,7 +9,7 @@ services:
      - 80:8080
      - 443:8443
    volumes:
-      - ./web-files:/www
+      - ./web-files:/www:ro
      - ./letsencrypt:/etc/letsencrypt
    environment:
      - SERVER_NAME=www.website.com # replace with your domain
@ -17,6 +17,8 @@ services:
      - REDIRECT_HTTP_TO_HTTPS=yes
      - DISABLE_DEFAULT_SERVER=yes
      - USE_CLIENT_CACHE=yes
+      - USE_GZIP=yes
+      - USE_BROTLI=yes
      - REMOTE_PHP=myphp
      - REMOTE_PHP_PATH=/app

--- a/examples/behind-traefik/docker-compose.yml
+++ b/examples/behind-traefik/docker-compose.yml
@ -12,43 +12,70 @@ services:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik/traefik.toml:/traefik.toml
      - ./traefik/acme.json:/acme.json
+    networks:
+      - netwww1
+      - netwww2

  mywww1:
    image: bunkerity/bunkerized-nginx
    restart: always
    volumes:
-      - ./web1:/www
+      - ./web1:/www:ro
    environment:
+      - SERVER_NAME=app1.website.com
      - PROXY_REAL_IP=yes
+      - USE_CLIENT_CACHE=yes
+      - USE_GZIP=yes
+      - USE_BROTLI=yes
      - REMOTE_PHP=myphp1
      - REMOTE_PHP_PATH=/app
    labels:
      - 'traefik.enable=true'
      - 'traefik.port=8080'
      - 'traefik.frontend.rule=Host:app1.website.com' # replace with your domain
+    networks:
+      - netwww1
+      - netphp1

  mywww2:
    image: bunkerity/bunkerized-nginx
    restart: always
    volumes:
-      - ./web2:/www
+      - ./web2:/www:ro
    environment:
+      - SERVER_NAME=app2.website.com
      - PROXY_REAL_IP=yes
+      - USE_CLIENT_CACHE=yes
+      - USE_GZIP=yes
+      - USE_BROTLI=yes
      - REMOTE_PHP=myphp2
      - REMOTE_PHP_PATH=/app
    labels:
      - 'traefik.enable=true'
      - 'traefik.port=8080'
      - 'traefik.frontend.rule=Host:app2.website.com' # replace with your domain
+    networks:
+      - netwww2
+      - netphp2

  myphp1:
    image: php:fpm
    restart: always
    volumes:
      - ./web1:/app
+    networks:
+      - netphp1

  myphp2:
    image: php:fpm
    restart: always
    volumes:
      - ./web2:/app
+    networks:
+      - netphp2
+
+  networks:
+    netwww1:
+    netwww2:
+    netphp1:
+    netphp2:
--- a/examples/load-balancer/docker-compose.yml
+++ b/examples/load-balancer/docker-compose.yml
@ -10,14 +10,19 @@ services:
      - 443:8443
    volumes:
      - ./letsencrypt:/etc/letsencrypt
-      - ./http-confs:/http-confs
-      - ./server-confs:/server-confs
+      - ./http-confs:/http-confs:ro
    environment:
      - SERVER_NAME=www.website.com # replace with your domain
      - SERVE_FILES=no
      - DISABLE_DEFAULT_SERVER=yes
      - REDIRECT_HTTP_TO_HTTPS=yes
      - AUTO_LETS_ENCRYPT=yes
+      - USE_PROXY_CACHE=yes
+      - USE_GZIP=yes
+      - USE_BROTLI=yes
+      - USE_REVERSE_PROXY=yes
+      - REVERSE_PROXY_URL=/
+      - REVERSE_PROXY_HOST=http://app

  app1:
    build: js-app
--- a/examples/moodle/docker-compose.yml
+++ b/examples/moodle/docker-compose.yml
@ -10,13 +10,19 @@ services:
      - 443:8443
    volumes:
      - ./letsencrypt:/etc/letsencrypt
-      - ./server-confs:/server-confs         # custom confs to reverse proxy to moodle
    environment:
      - SERVER_NAME=www.website.com          # replace with your domain
      - AUTO_LETS_ENCRYPT=yes
      - REDIRECT_HTTP_TO_HTTPS=yes
      - DISABLE_DEFAULT_SERVER=yes
      - MAX_CLIENT_SIZE=50m
+      - SERVE_FILES=no
+      - USE_PROXY_CACHE=yes
+      - USE_GZIP=yes
+      - USE_BROTLI=yes
+      - USE_REVERSE_PROXY=yes
+      - REVERSE_PROXY_URL=/
+      - REVERSE_PROXY_HOST=https://mymoodle:8443

  mymoodle:
    image: bitnami/moodle
--- a/examples/moodle/server-confs/reverse-proxy.conf
+++ b/examples/moodle/server-confs/reverse-proxy.conf
@ -1,6 +0,0 @@
-proxy_set_header Host $host;
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
-location / {
-	proxy_pass https://mymoodle:8443;
-}
--- a/examples/multisite-basic/docker-compose.yml
+++ b/examples/multisite-basic/docker-compose.yml
@ -9,9 +9,8 @@ services:
      - 80:8080
      - 443:8443
    volumes:
-      - ./web-files:/www
+      - ./web-files:/www:ro
      - ./letsencrypt:/etc/letsencrypt
-      - ./server-confs:/server-confs
    environment:
      - SERVER_NAME=app1.website.com app2.website.com app3.website.com # replace with your domains
      - MULTISITE=yes
@ -19,12 +18,18 @@ services:
      - REDIRECT_HTTP_TO_HTTPS=yes
      - DISABLE_DEFAULT_SERVER=yes
      - USE_CLIENT_CACHE=yes
+      - USE_GZIP=yes
+      - USE_BROTLI=yes
      - app1.website.com_REMOTE_PHP=myapp1
      - app1.website.com_REMOTE_PHP_PATH=/app
      - app2.website.com_REMOTE_PHP=myapp2
      - app2.website.com_REMOTE_PHP_PATH=/app
      - app3.website.com_SERVE_FILES=no
      - app3.website.com_USE_CLIENT_CACHE=no
+      - app3.website.com_USE_PROXY_CACHE=yes
+      - app3.website.com_USE_REVERSE_PROXY=yes
+      - app3.website.com_REVERSE_PROXY_URL=/
+      - app3.website.com_REVERSE_PROXY_HOST=http://myapp3:3000
    networks:
      - net1
      - net2
--- a/examples/multisite-custom-server-confs/docker-compose.yml
+++ b/examples/multisite-custom-server-confs/docker-compose.yml
@ -9,11 +9,11 @@ services:
      - 80:8080
      - 443:8443
    volumes:
-      - ./web-files:/www
+      - ./web-files:/www:ro
      - ./letsencrypt:/etc/letsencrypt
-      - ./server-confs:/server-confs
-      - ./modsec-confs:/modsec-confs
-      - ./modsec-crs-confs:/modsec-crs-conf
+      - ./server-confs:/server-confs:ro
+      - ./modsec-confs:/modsec-confs:ro
+      - ./modsec-crs-confs:/modsec-crs-conf:ro
    environment:
      - SERVER_NAME=wp.website.com nc.website.com # replace with your domains
      - MULTISITE=yes
@ -21,6 +21,8 @@ services:
      - REDIRECT_HTTP_TO_HTTPS=yes
      - DISABLE_DEFAULT_SERVER=yes
      - USE_CLIENT_CACHE=yes
+      - USE_GZIP=yes
+      - USE_BROTLI=yes
      - wp.website.com_REMOTE_PHP=mywp
      - wp.website.com_REMOTE_PHP_PATH=/var/www/html
      - nc.website.com_REMOTE_PHP=mync
--- a/examples/multisite-custom-server-confs/modsec-confs/nc.website.com/nextcloud.conf
+++ b/examples/multisite-custom-server-confs/modsec-confs/nc.website.com/nextcloud.conf
--- a/examples/multisite-custom-server-confs/modsec-crs-confs/nc.website.com/nextcloud.conf
+++ b/examples/multisite-custom-server-confs/modsec-crs-confs/nc.website.com/nextcloud.conf
--- a/examples/multisite-custom-server-confs/modsec-crs-confs/wp.website.com/wordpress.conf
+++ b/examples/multisite-custom-server-confs/modsec-crs-confs/wp.website.com/wordpress.conf
--- a/examples/multisite-custom-server-confs/server-confs/nc.website.com/nextcloud.conf
+++ b/examples/multisite-custom-server-confs/server-confs/nc.website.com/nextcloud.conf
--- a/examples/multisite-custom-server-confs/server-confs/wp.website.com/permalinks.conf
+++ b/examples/multisite-custom-server-confs/server-confs/wp.website.com/permalinks.conf
--- a/examples/nextcloud/docker-compose.yml
+++ b/examples/nextcloud/docker-compose.yml
@ -9,11 +9,11 @@ services:
      - 80:8080
      - 443:8443
    volumes:
-      - ./nc-files:/www
+      - ./nc-files:/www:ro
      - ./letsencrypt:/etc/letsencrypt
-      - ./server-confs:/server-confs         # custom nginx confs at server context to make Nextcloud working
-      - ./modsec-crs-confs:/modsec-crs-confs # custom Core Rule Set confs to add Nextcloud exclusions
-      - ./modsec-confs:/modsec-confs         # disable some false positive
+      - ./server-confs:/server-confs:ro         # custom nginx confs at server context to make Nextcloud working
+      - ./modsec-crs-confs:/modsec-crs-confs:ro # custom Core Rule Set confs to add Nextcloud exclusions
+      - ./modsec-confs:/modsec-confs:ro         # disable some false positive
    environment:
      - SERVER_NAME=www.website.com          # replace with your domain
      - AUTO_LETS_ENCRYPT=yes
@ -27,6 +27,9 @@ services:
      - LIMIT_REQ_BURST=60
      - ALLOWED_METHODS=GET|POST|HEAD|PROPFIND|DELETE|PUT|MKCOL|MOVE|COPY|PROPPATCH|REPORT
      - X_FRAME_OPTIONS=SAMEORIGIN
+      - USE_CLIENT_CACHE=yes
+      - USE_GZIP=yes
+      - USE_BROTLI=yes

  mync:
    image: nextcloud:stable-fpm
--- a/examples/passbolt/docker-compose.yml
+++ b/examples/passbolt/docker-compose.yml
@ -10,25 +10,31 @@ services:
      - 443:8443
    volumes:
      - ./letsencrypt:/etc/letsencrypt
-      - ./server-confs:/server-confs              # custom confs to reverse proxy to passbolt
-      - ./modsec-crs-confs:/modsec-crs-confs      # disable some false positive
-      - ./modsec-confs:/modsec-confs              # disable some false positive
+      - ./modsec-crs-confs:/modsec-crs-confs:ro      # disable some false positive
+      - ./modsec-confs:/modsec-confs:ro              # disable some false positive
    environment:
-      - SERVER_NAME=www.website.com               # replace with your domain
+      - SERVER_NAME=www.website.com                  # replace with your domain
      - AUTO_LETS_ENCRYPT=yes
      - REDIRECT_HTTP_TO_HTTPS=yes
      - DISABLE_DEFAULT_SERVER=yes
      - ALLOWED_METHODS=GET|POST|HEAD|PUT|DELETE
+      - SERVE_FILES=no
+      - USE_PROXY_CACHE=yes
+      - USE_GZIP=yes
+      - USE_BROTLI=yes
+      - USE_REVERSE_PROXY=yes
+      - REVERSE_PROXY_URL=/
+      - REVERSE_PROXY_HOST=https://mypassbolt

  mypassbolt:
    image: passbolt/passbolt
    restart: always
    environment:
      - DATASOURCES_DEFAULT_HOST=mydb
-      - DATASOURCES_DEFAULT_PASSWORD=db-user-pwd  # replace with a stronger password (must match MYSQL_PASSWORD)
+      - DATASOURCES_DEFAULT_PASSWORD=db-user-pwd     # replace with a stronger password (must match MYSQL_PASSWORD)
      - DATASOURCES_DEFAULT_USERNAME=user
      - DATASOURCES_DEFAULT_DATABASE=passbolt
-      - APP_FULL_BASE_URL=https://www.website.com # replace with your URL
+      - APP_FULL_BASE_URL=https://www.website.com    # replace with your URL

  mydb:
    image: mariadb
@ -36,7 +42,7 @@ services:
    volumes:
      - ./db-data:/var/lib/mysql
    environment:
-      - MYSQL_ROOT_PASSWORD=db-root-pwd           # replace with a stronger password
+      - MYSQL_ROOT_PASSWORD=db-root-pwd              # replace with a stronger password
      - MYSQL_DATABASE=passbolt
      - MYSQL_USER=user
-      - MYSQL_PASSWORD=db-user-pwd                # replace with a stronger password (must match DATASOURCES_DEFAULT_PASSWORD)
+      - MYSQL_PASSWORD=db-user-pwd                   # replace with a stronger password (must match DATASOURCES_DEFAULT_PASSWORD)
--- a/examples/passbolt/server-confs/reverse-proxy.conf
+++ b/examples/passbolt/server-confs/reverse-proxy.conf
@ -1,7 +0,0 @@
-proxy_set_header Host $host;
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
-location / {
-	proxy_pass https://mypassbolt;
-}
-
--- a/examples/reverse-proxy-multisite/docker-compose.yml
+++ b/examples/reverse-proxy-multisite/docker-compose.yml
@ -10,13 +10,21 @@ services:
      - 443:8443
    volumes:
      - ./letsencrypt:/etc/letsencrypt
-      - ./server-confs:/server-confs
    environment:
-      - SERVER_NAME=app1.website.com app2.website.com # replace with your domains
+      - USE_MULTISITE=yes
+      - SERVER_NAME=app1.website.com app2.website.com # replace with your domain
      - SERVE_FILES=no
      - DISABLE_DEFAULT_SERVER=yes
      - REDIRECT_HTTP_TO_HTTPS=yes
      - AUTO_LETS_ENCRYPT=yes
+      - USE_PROXY_CACHE=yes
+      - USE_GZIP=yes
+      - USE_BROTLI=yes
+      - USE_REVERSE_PROXY=yes
+      - app1.website.com_REVERSE_PROXY_URL=/
+      - app1.website.com_REVERSE_PROXY_HOST=http://app1:3000
+      - app2.website.com_REVERSE_PROXY_URL=/
+      - app2.website.com_REVERSE_PROXY_HOST=http://app2

  app1:
    image: node
--- a/examples/reverse-proxy-multisite/js-app/index.js
+++ b/examples/reverse-proxy-multisite/js-app/index.js
--- a/examples/reverse-proxy-multisite/js-app/package.json
+++ b/examples/reverse-proxy-multisite/js-app/package.json
--- a/examples/reverse-proxy-singlesite/docker-compose.yml
+++ b/examples/reverse-proxy-singlesite/docker-compose.yml
@ -0,0 +1,43 @@
+version: '3'
+
+services:
+
+  myreverse:
+    image: bunkerity/bunkerized-nginx
+    restart: always
+    ports:
+      - 80:8080
+      - 443:8443
+    volumes:
+      - ./letsencrypt:/etc/letsencrypt
+    environment:
+      - SERVER_NAME=www.website.com                          # replace with your domain
+      - SERVE_FILES=no
+      - DISABLE_DEFAULT_SERVER=yes
+      - REDIRECT_HTTP_TO_HTTPS=yes
+      - AUTO_LETS_ENCRYPT=yes
+      - USE_PROXY_CACHE=yes
+      - USE_GZIP=yes
+      - USE_BROTLI=yes
+      - USE_REVERSE_PROXY=yes
+      - REVERSE_PROXY_URL_1=/app1
+      - REVERSE_PROXY_HOST_1=http://app1:3000
+      - REVERSE_PROXY_URL_2=/app2
+      - REVERSE_PROXY_HOST_2=http://app2
+
+  app1:
+    image: node
+    restart: always
+    working_dir: /home/node/app
+    volumes:
+      - ./js-app:/home/node/app
+    environment:
+      - NODE_ENV=production
+    command: bash -c "npm install express && node index.js"
+
+  app2:
+    image: phpmyadmin:apache
+    restart: always
+    environment:
+      - PMA_ARBITRARY=1
+      - PMA_ABSOLUTE_URI=https://www.website.com/app2        # replace with your absolute URI
--- a/examples/reverse-proxy-singlesite/js-app/index.js
+++ b/examples/reverse-proxy-singlesite/js-app/index.js
@ -0,0 +1,12 @@
+const express = require('express')
+const app = express()
+const port = 3000
+
+app.get('/', (req, res) => {
+  res.send('Hello World!')
+})
+
+app.listen(port, () => {
+  console.log(`Example app listening at http://localhost:${port}`)
+})
+
--- a/examples/reverse-proxy-singlesite/js-app/package.json
+++ b/examples/reverse-proxy-singlesite/js-app/package.json
@ -0,0 +1,14 @@
+{
+  "name": "js-app",
+  "version": "1.0.0",
+  "description": "demo",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "express": "^4.17.1"
+  }
+}
--- a/examples/reverse-proxy/server-confs/reverse-proxy.conf
+++ b/examples/reverse-proxy/server-confs/reverse-proxy.conf
@ -1,12 +0,0 @@
-proxy_set_header Host $host;
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
-location / {
-	if ($host = app1.website.com) {
-		proxy_pass http://app1:3000;
-	}
-
-	if ($host = app2.website.com) {
-		proxy_pass http://app2;
-	}
-}
--- a/examples/tomcat/docker-compose.yml
+++ b/examples/tomcat/docker-compose.yml
@ -10,13 +10,18 @@ services:
      - 443:8443
    volumes:
      - ./letsencrypt:/etc/letsencrypt
-      - ./server-confs:/server-confs
    environment:
-      - SERVER_NAME=app1.website.com         # replace with your domain
+      - SERVER_NAME=www.website.com                     # replace with your domain
      - SERVE_FILES=no
      - DISABLE_DEFAULT_SERVER=yes
      - REDIRECT_HTTP_TO_HTTPS=yes
      - AUTO_LETS_ENCRYPT=yes
+      - USE_PROXY_CACHE=yes
+      - USE_GZIP=yes
+      - USE_BROTLI=yes
+      - USE_REVERSE_PROXY=yes
+      - REVERSE_PROXY_URL=/
+      - REVERSE_PROXY_HOST=http://mytomcat:8080/sample

  mytomcat:
    image: tomcat
--- a/examples/tor-hidden-service/docker-compose.yml
+++ b/examples/tor-hidden-service/docker-compose.yml
@ -15,7 +15,7 @@ services:
    image: bunkerity/bunkerized-nginx
    restart: always
    volumes:
-      - ./web-files:/www
+      - ./web-files:/www:ro
    environment:
      - BLOCK_TOR_EXIT_NODE=no
      - BLOCK_ABUSERS=no
@ -28,6 +28,8 @@ services:
      - USE_BLACKLIST_REVERSE=no
      - USE_FAIL2BAN=no
      - USE_CLIENT_CACHE=yes
+      - USE_GZIP=yes
+      - USE_BROTLI=yes
      - REMOTE_PHP=myphp
      - REMOTE_PHP_PATH=/app

--- a/examples/wordpress/docker-compose.yml
+++ b/examples/wordpress/docker-compose.yml
@ -9,17 +9,19 @@ services:
      - 80:8080
      - 443:8443
    volumes:
-      - ./wp-files:/www
+      - ./wp-files:/www:ro
      - ./letsencrypt:/etc/letsencrypt
-      - ./server-confs:/server-confs         # custom confs at server context for permalinks
-      - ./modsec-crs-confs:/modsec-crs-confs # custom Core Rule Set confs to add Wordpress exclusions
+      - ./server-confs:/server-confs:ro         # custom confs at server context for permalinks
+      - ./modsec-crs-confs:/modsec-crs-confs:ro # custom Core Rule Set confs to add Wordpress exclusions
    environment:
-      - SERVER_NAME=www.website.com          # replace with your domain
+      - SERVER_NAME=www.website.com             # replace with your domain
      - AUTO_LETS_ENCRYPT=yes
      - REDIRECT_HTTP_TO_HTTPS=yes
      - DISABLE_DEFAULT_SERVER=yes
      - MAX_CLIENT_SIZE=50m
      - USE_CLIENT_CACHE=yes
+      - USE_GZIP=yes
+      - USE_BROTLI=yes
      - REMOTE_PHP=mywp
      - REMOTE_PHP_PATH=/var/www/html

@ -32,8 +34,8 @@ services:
      - WORDPRESS_DB_HOST=mydb
      - WORDPRESS_DB_NAME=wp
      - WORDPRESS_DB_USER=user
-      - WORDPRESS_DB_PASSWORD=db-user-pwd    # replace with a stronger password (must match MYSQL_PASSWORD)
-      - WORDPRESS_TABLE_PREFIX=prefix_       # best practice : replace with a random prefix
+      - WORDPRESS_DB_PASSWORD=db-user-pwd       # replace with a stronger password (must match MYSQL_PASSWORD)
+      - WORDPRESS_TABLE_PREFIX=prefix_          # best practice : replace with a random prefix

  mydb:
    image: mariadb
@ -41,7 +43,7 @@ services:
    volumes:
      - ./db-data:/var/lib/mysql
    environment:
-      - MYSQL_ROOT_PASSWORD=db-root-pwd      # replace with a stronger password
+      - MYSQL_ROOT_PASSWORD=db-root-pwd         # replace with a stronger password
      - MYSQL_DATABASE=wp
      - MYSQL_USER=user
-      - MYSQL_PASSWORD=db-user-pwd           # replace with a stronger password (must match WORDPRESS_DB_PASSWORD)
+      - MYSQL_PASSWORD=db-user-pwd              # replace with a stronger password (must match WORDPRESS_DB_PASSWORD)