version: '3'

services:

  mybunker:
    image: bunkerity/bunkerweb:1.4.0
    # dropping all capabilities
    cap_drop:
      - ALL
    # disable setuid/setgid
    security_opt:
      - no-new-privileges
    # read-only file system
    read_only: true
    # folders that need write access
    tmpfs:
      - /tmp:mode=0770,uid=0,gid=101
      - /opt/bunkerweb/tmp:mode=0770,uid=0,gid=101
      - /etc/nginx:mode=0770,uid=0,gid=101
    ports:
      - 80:8080
      - 443:8443
    # ⚠️ read this if you use local folders for volumes ⚠️
    # bunkerweb runs as an unprivileged user with UID/GID 101
    # don't forget to edit the permissions of the files and folders accordingly
    # example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
    # another example for existing folder : chown -R root:101 folder && chmod -R 770 folder
    # more info at https://docs.bunkerweb.io
    volumes:
      - bw_data:/data
    environment:
      - SERVER_NAME=www.example.com # replace with your domain
      - AUTO_LETS_ENCRYPT=yes
      - DISABLE_DEFAULT_SERVER=yes
      - USE_CLIENT_CACHE=yes
      - USE_GZIP=yes
      - USE_REVERSE_PROXY=yes
      - REVERSE_PROXY_URL=/
      - REVERSE_PROXY_HOST=http://myapp
      - REMOTE_PHP_PATH=/app

  myapp:
    image: tutum/hello-world

volumes:
  bw_data: