hoellen/dockerfiles
1
0
Fork 0
mirror of https://github.com/hoellen/dockerfiles.git synced 2025-04-19 20:09:16 +00:00
Code Issues Projects Releases Wiki Activity

securing PrivateBin installation, by moving unneccessary bits out of the web root, making image support read-only operation, consistent white spaces in nginx config

Browse Source
This commit is contained in:
El RIDO 2018-08-01 16:33:51 +02:00
parent 503f526328
commit 7be188fda2
3 changed files with 38 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
privatebin/Dockerfile
View File

@ -12,23 +12,29 @@ ENV GID=991 UID=991 \
RUN BUILD_DEPS="tar gnupg" \ RUN BUILD_DEPS="tar gnupg" \
&& apk -U upgrade && apk add $BUILD_DEPS \ && apk -U upgrade && apk add $BUILD_DEPS \
&& mkdir privatebin && cd privatebin \ && mkdir -p privatebin/data privatebin/cfg \
&& export GNUPGHOME="$(mktemp -d)" \ && export GNUPGHOME="$(mktemp -d)" \
&& gpg2 --list-public-keys || /bin/true \ && gpg2 --list-public-keys || /bin/true \
&& wget -qO- https://privatebin.info/key/security.asc | gpg2 --import - \ && wget -qO- https://privatebin.info/key/security.asc | gpg2 --import - \
&& wget -qO /privatebin.tar.gz.asc https://github.com/PrivateBin/PrivateBin/releases/download/${PRIVATEBIN_VER}/PrivateBin-${PRIVATEBIN_VER}.tar.gz.asc \ && wget -qO /privatebin.tar.gz.asc https://github.com/PrivateBin/PrivateBin/releases/download/${PRIVATEBIN_VER}/PrivateBin-${PRIVATEBIN_VER}.tar.gz.asc \
&& wget -qO /privatebin.tar.gz https://github.com/PrivateBin/PrivateBin/archive/${PRIVATEBIN_VER}.tar.gz \ && wget -qO /privatebin.tar.gz https://github.com/PrivateBin/PrivateBin/archive/${PRIVATEBIN_VER}.tar.gz \
&& gpg2 --verify /privatebin.tar.gz.asc \ && gpg2 --verify /privatebin.tar.gz.asc \
&& cd srv \
&& tar -xzf /privatebin.tar.gz --strip 1 \ && tar -xzf /privatebin.tar.gz --strip 1 \
&& mv cfg/conf.sample.php cfg/conf.php \ && mv cfg /privatebin \
&& mv lib /privatebin \
&& mv tpl /privatebin \
&& mv vendor /privatebin \
&& sed -i "s#define('PATH', '');#define('PATH', '/privatebin/');#" index.php \
&& apk del $BUILD_DEPS \ && apk del $BUILD_DEPS \
&& rm -rf /var/cache/apk/* /privatebin.tar.gz* "${GNUPGHOME}" && rm -rf /var/cache/apk/* *.md /privatebin.tar.gz* "${GNUPGHOME}"
COPY rootfs / COPY rootfs /
RUN chmod +x /usr/local/bin/run.sh /etc/s6.d/*/* /etc/s6.d/.s6-svscan/* RUN chmod +x /usr/local/bin/run.sh /etc/s6.d/*/* /etc/s6.d/.s6-svscan/*
VOLUME /privatebin/data /php/session # mark dirs as volumes that need to be writable, allows running the container --read-only
VOLUME /privatebin/data /php /nginx /tmp /etc/s6.d
EXPOSE 8888 EXPOSE 8888

4
privatebin/rootfs/nginx/sites-enabled/nginx.conf
View File

@ -1,7 +1,7 @@
server { server {
listen 8888; listen 8888;
root /privatebin; root /srv;
index index.php index.html; index index.php;
location ~* \.(jpg|jpeg|gif|css|png|js|map|woff|woff2|ttf|svg|eot)$ { location ~* \.(jpg|jpeg|gif|css|png|js|map|woff|woff2|ttf|svg|eot)$ {
expires 30d; expires 30d;

2
privatebin/rootfs/usr/local/bin/run.sh
View File

@ -6,5 +6,5 @@ sed -i -e "s/<UPLOAD_MAX_SIZE>/$UPLOAD_MAX_SIZE/g" /nginx/conf/nginx.conf /php/e
-e "s/<PHP_MIN_SPARE_SERVERS>/$PHP_MIN_SPARE_SERVERS/g" /php/etc/php-fpm.conf \ -e "s/<PHP_MIN_SPARE_SERVERS>/$PHP_MIN_SPARE_SERVERS/g" /php/etc/php-fpm.conf \
-e "s/<PHP_MAX_SPARE_SERVERS>/$PHP_MAX_SPARE_SERVERS/g" /php/etc/php-fpm.conf -e "s/<PHP_MAX_SPARE_SERVERS>/$PHP_MAX_SPARE_SERVERS/g" /php/etc/php-fpm.conf
chown -R $UID:$GID /privatebin /nginx /php /tmp /etc/s6.d chown -R $UID:$GID /privatebin/data /nginx /php /tmp /etc/s6.d
exec su-exec $UID:$GID /bin/s6-svscan /etc/s6.d exec su-exec $UID:$GID /bin/s6-svscan /etc/s6.d