added image building

Author: zxpower

Dockerfile

@@ -0,0 +1,44 @@
+FROM php:8.4.11-fpm-alpine3.21
+
+RUN apk add -U --no-cache \
+        nginx \
+        ca-certificates \
+        bash \
+        sed \
+        curl \
+        tar \
+        git \
+        openssl \
+        openssh \
+        libpng-dev \
+        libjpeg-turbo-dev \
+        freetype-dev \
+        libzip-dev \
+        unzip
+
+RUN docker-php-ext-configure gd --with-freetype --with-jpeg && docker-php-ext-install gd
+RUN docker-php-ext-install bcmath ftp mysqli pdo_mysql zip
+
+ENV TERM="xterm" \
+    PAGER="more" \
+    DB_HOST="mysql" \
+    DB_NAME="" \
+    DB_USER=""\
+    DB_PASS="" \
+    PATH="/DATA/bin:$PATH"
+
+COPY files/nginx.conf /etc/nginx/
+COPY files/php-fpm.conf /usr/local/etc/
+COPY files/php.ini /usr/local/etc/php/
+COPY files/run.sh /
+RUN chmod +x /run.sh
+
+RUN curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar && chmod +x wp-cli.phar && mv wp-cli.phar /usr/bin/wp-cli && chown www-data:www-data /usr/bin/wp-cli
+
+EXPOSE 80
+
+VOLUME ["/DATA"]
+
+WORKDIR /DATA
+
+CMD ["/run.sh"]

docker-build.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+docker build --no-cache -t ghcr.io/digiblink/alpine-nginx-php-fpm .

files/nginx.conf

@@ -0,0 +1,144 @@
+# run nginx in foreground
+daemon off;
+error_log /DATA/logs/nginx/error.log warn;
+pid /var/run/nginx.pid;
+env DB_HOST;
+env DB_NAME;
+env DB_USER;
+env DB_PASS;
+worker_processes  auto;
+events {
+    worker_connections  4096;
+}
+http {
+  sendfile on;
+  include    /etc/nginx/mime.types;
+  include    /etc/nginx/fastcgi.conf;
+  default_type application/octet-stream;
+  tcp_nopush   on;
+  client_body_temp_path /tmp/nginx/body 1 2;
+  client_max_body_size 0;
+  fastcgi_temp_path /tmp/nginx/fastcgi_temp 1 2;
+  #a new log format for detecting bad bots.
+  log_format blocked '$time_local: Blocked request from $http_x_real_ip $request';
+  ## This log format makes it so we can see real requester's IP address \
+  ##    not just the reverse proxy server's IP address. Also note, that \
+  ##    "specialLog" can be replaced with any name you would like to \
+  ##    give to this log format.
+  log_format specialLog '$http_x_real_ip - $remote_user [$time_local]  '
+                        '"$request" $status $body_bytes_sent '
+                        '"$http_referer" "$http_user_agent"';
+  # client_max_body_size 2G;
+  server {
+    #listen       [::]:80; #uncomment for IPv6 support
+    listen       80;
+    root /DATA/htdocs/current;
+    index  index.php index.html index.htm;
+    access_log /DATA/logs/nginx/access.log specialLog;
+    error_log /DATA/logs/nginx/error.log;
+    disable_symlinks off;
+    location = /robots.txt {
+      allow all;
+      log_not_found off;
+      access_log off;
+    }
+    # deny dot-files
+    location ~ /\. {
+      deny all;
+      access_log off;
+      log_not_found off;
+    }
+    #Yoast SEO Sitemaps
+    location ~ ([^/]*)sitemap(.*).x(m|s)l$ {
+      ## this redirects sitemap.xml to /sitemap_index.xml
+      rewrite ^/sitemap.xml$ /sitemap_index.xml permanent;
+      ## this makes the XML sitemaps work
+      rewrite ^/([a-z]+)?-?sitemap.xsl$ /index.php?xsl=$1 last;
+      rewrite ^/sitemap_index.xml$ /index.php?sitemap=1 last;
+      rewrite ^/([^/]+?)-sitemap([0-9]+)?.xml$ /index.php?sitemap=$1&sitemap_n=$2 last;
+      ## The following lines are optional for the premium extensions
+      ## News SEO
+      rewrite ^/news-sitemap.xml$ /index.php?sitemap=wpseo_news last;
+      ## Local SEO
+      rewrite ^/locations.kml$ /index.php?sitemap=wpseo_local_kml last;
+      rewrite ^/geo-sitemap.xml$ /index.php?sitemap=wpseo_local last;
+      ## Video SEO
+      rewrite ^/video-sitemap.xsl$ /index.php?xsl=video last;
+    }
+    location / {
+      try_files $uri $uri/ /index.php?$args;
+    }
+    # Deny access to any files with a .php extension in the uploads directory
+    # Works in sub-directory installs and also in multisite network
+    # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
+    location ~* /(?:uploads|files)/.*\.php$ {
+      deny all;
+    }
+    ## Disable .htaccess and other hidden files
+    location ~ /\. {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
+    location ~* \.(jpg|jpeg|gif|png|css|js|ico|xml)$ {
+        access_log        off;
+        log_not_found     off;
+        expires           360d;
+    }
+    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+    location ~ [^/]\.php(/|$) {
+      fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+      if (!-f $document_root$fastcgi_script_name) {
+        return 404;
+      }
+      fastcgi_pass 127.0.0.1:9000;
+      fastcgi_index index.php;
+      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+      include fastcgi_params;
+      fastcgi_buffers 16 16k;
+      fastcgi_buffer_size 32k;
+    }
+    ## Block SQL injections
+    location ~* union.*select.*\( { access_log /DATA/logs/nginx/blocked.log blocked; deny all; }
+    location ~* union.*all.*select.* { access_log /DATA/logs/nginx/blocked.log blocked; deny all; }
+    location ~* concat.*\( { access_log /DATA/logs/nginx/blocked.log blocked; deny all; }
+    ## Block common exploits
+    location ~* (<|%3C).*script.*(>|%3E) { access_log /DATA/logs/nginx/blocked.log blocked; deny all; }
+    location ~* base64_(en|de)code\(.*\) { access_log /DATA/logs/nginx/blocked.log blocked; deny all; }
+    location ~* (%24&x) { access_log /DATA/logs/nginx/blocked.log blocked; deny all; }
+    location ~* (%0|%A|%B|%C|%D|%E|%F|127\.0) { access_log /DATA/logs/nginx/blocked.log blocked; deny all; }
+    location ~* \.\.\/  { access_log /DATA/logs/nginx/blocked.log blocked; deny all; }
+    location ~* ~$ { access_log /DATA/logs/nginx/blocked.log blocked; deny all; }
+    location ~* proc/self/environ { access_log /DATA/logs/nginx/blocked.log blocked; deny all; }
+    location ~* /\.(htaccess|htpasswd|svn) { access_log /DATA/logs/nginx/blocked.log blocked; deny all; }
+    ## Block file injections
+    location ~* [a-zA-Z0-9_]=(\.\.//?)+ { access_log /DATA/logs/nginx/blocked.log blocked; deny all; }
+    location ~* [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ { access_log /DATA/logs/nginx/blocked.log blocked; deny all; }
+    ## wordpress security
+    location ~* wp-config.php { access_log /DATA/logs/nginx/blocked.log blocked; deny all; }
+    location ~* wp-admin/includes { access_log /DATA/logs/nginx/blocked.log blocked; deny all; }
+    location ~* wp-app\.log { access_log /DATA/logs/nginx/blocked.log blocked; deny all; }
+    location ~* (licence|readme|license)\.(html|txt) { access_log /DATA/logs/nginx/blocked.log blocked; deny all; }
+    location ~* xmlrpc.php { access_log /DATA/logs/nginx/blocked.log blocked; deny all; }
+ #   location ~ ^(wp-admin|wp-login.php) {
+ #     try_files $uri $uri/ /index.php?$args;
+ #     index index.html index.htm index.php;
+ #     allow 91.105.68.253; # First IP to allow access
+ #     allow x.x.x.x; # Second IP to allow access
+ #     allow x.x.x.x; # Third IP to allow access
+ #     deny all;
+ #     error_page 403 = @wp_admin_ban;
+ #   }
+    location @wp_admin_ban {
+      rewrite ^(.*) http://localhost permanent;
+    }
+    gzip on;
+    gzip_disable "msie6";
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_buffers 16 8k;
+    gzip_http_version 1.1;
+    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+  }
+}

files/php-fpm.conf

@@ -0,0 +1,38 @@
+error_log = /DATA/logs/php-fpm/php-fpm.log 
+log_level = warning
+
+[www]
+user = nginx
+group = www-data
+listen = 127.0.0.1:9000
+listen.owner = nginx
+listen.group = www-data
+pm = ondemand
+
+; Total RAM dedicated to the web server / Max child process size
+pm.max_children = 75
+
+pm.process_idle_timeout = 10s
+pm.max_requests = 500
+chdir = /DATA/htdocs
+php_flag[display_errors] = off
+; php_admin_value[memory_limit] = 256M
+; php_admin_value[upload_max_filesize] = 1G
+; php_admin_value[post_max_size] = 1G
+; php_admin_value[output_buffering] = 0
+; php_admin_value[php_value max_input_time] = 3600
+php_admin_value[openssl.cafile] = /etc/ssl/certs/ca-certificates.crt
+php_admin_value[openssl.capath] = /etc/ssl/certs
+; php_admin_value[max_input_nesting_level] = 256
+; php_admin_value[max_input_vars] = 10000
+
+; Redirect worker stdout and stderr into main error log. If not set, stdout and
+; stderr will be redirected to /dev/null according to FastCGI specs.
+; Default Value: no
+catch_workers_output = yes
+
+; Database variables passed via -e argument on Docker
+env["DB_HOST"] = "$DB_HOST"
+env["DB_USER"] = "$DB_USER"
+env["DB_PASS"] = "$DB_PASS"
+env["DB_NAME"] = "$DB_NAME"