From 808638e77dd45cea3af2eee06a62aa632d1dfc9a Mon Sep 17 00:00:00 2001
From: Dale Davies
Date: Thu, 10 Feb 2022 14:32:39 +0000
Subject: [PATCH] Improve container config, entrypoint etc
---
 Dockerfile | 57 ++++++++++++++++++++------
 docker/entrypoint.sh | 37 +++++++++++++++++
 docker/fpm-pool.conf | 18 +++++++++
 docker/nginx.conf | 95 ++++++++++++++++++++++++++++++++++++++++++++
 docker/php.ini | 2 +
 5 files changed, 197 insertions(+), 12 deletions(-)
 create mode 100644 docker/entrypoint.sh
 create mode 100644 docker/fpm-pool.conf
 create mode 100644 docker/nginx.conf
 create mode 100644 docker/php.ini
diff --git a/Dockerfile b/Dockerfile
index 5a0b5f5..6f58eba 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,21 +8,54 @@ RUN composer install --no-dev \
 --no-progress
 
 # Switch to trafex/php-nginx image and copy application files into it.
-FROM trafex/php-nginx
-COPY --chown=nginx --from=builder /app /var/www/html
+FROM alpine:latest
 
-# The trafex/php-nginx image runs as "nobody" user so we need to switch to root
-# so we can make changes inside the container.
-USER root
+WORKDIR /var/www/html
 
-# We need the following PHP extensions.
-RUN apk add php8-fileinfo
+# Create a non-root user for running nginx and php.
+RUN addgroup -S jumpapp && \
+ adduser \
+ --disabled-password \
+ --ingroup jumpapp \
+ --no-create-home \
+ jumpapp
 
-# Create the cache directories.
+# Copy the built files from composer, chowning as jumpapp or they will
+# be owned by root.
+COPY --chown=jumpapp --from=builder /app /usr/src/jumpapp
+
+# Install required packages.
+RUN apk add --no-cache \
+ bash \
+ curl \
+ nginx \
+ php8 \
+ php8-fileinfo \
+ php8-fpm \
+ php8-json \
+ php8-opcache \
+ php8-zlib
+
+# Create symlink for anything expecting to use "php".
+RUN ln -s /usr/bin/php8 /usr/bin/php
+
+# Nginx config.
+COPY docker/nginx.conf /etc/nginx/nginx.conf
+
+# PHP/FPM config.
+COPY docker/fpm-pool.conf /etc/php8/php-fpm.d/www.conf
+COPY docker/php.ini /etc/php8/conf.d/custom.ini
+
+COPY docker/entrypoint.sh /usr/local/bin/
+
+# Create the cache directories and change owner of everything we need.
 RUN mkdir -p /var/www/cache/application \
- && chown nobody:nobody /var/www/cache/application \
 && mkdir -p /var/www/cache/icons \
- && chown nobody:nobody /var/www/cache/icons
+ && chown -R jumpapp:jumpapp /var/www/html /var/www/cache/icons \
+ /var/www/cache/application \
+ && chmod +x /usr/local/bin/entrypoint.sh
 
-# Switch back to the nobody user so we're not running as root forever.
-USER nobody
\ No newline at end of file
+# Expose the port we configured for nginx.
+EXPOSE 8080
+
+ENTRYPOINT ["entrypoint.sh"]
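Review bot: The final stage never issues a `USER` directive, so `entrypoint.sh`, the nginx master and the php-fpm master all start as root; the `jumpapp` account created in the `RUN addgroup` block only takes effect for worker processes through the nginx and fpm configs, whereas the image this replaces ran as `nobody`. `FROM alpine:latest` and the unpinned `apk add --no-cache` package list also make the build non-reproducible, so every rebuild silently picks up whatever base and PHP release is current — pin them (`FROM alpine:<pinned-version>` and `php8=<version>`-style constraints). Because the entrypoint empties and re-copies `/var/www/html` at start while running as root, the `chown -R jumpapp:jumpapp /var/www/html` in the cache-directory `RUN` appears to be undone at runtime; if the webroot must be writable by the app, the ownership needs to be applied in the entrypoint instead. `ENTRYPOINT ["entrypoint.sh"]` would also be more robust as an absolute path, `ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]`, so it does not depend on `PATH` in the final image.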
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
new file mode 100644
index 0000000..f64ab52
--- /dev/null
+++ b/docker/entrypoint.sh
@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+echo >&2 "-------------------------------------------------------------"
+
+echo >&2 "- Repopulating web root with application files."
+if [ "$(ls -A /var/www/html)" ]; then
+ rm /var/www/html/* -r
+fi
+cp /usr/src/jumpapp/* /var/www/html -r
+
+echo >&2 "- Check if backgrounds or sites volumes have been mounted."
+if [ -e "/backgrounds" ]; then
+ echo >&2 " - Backgrounds directory is mapped... symlinking."
+ rm /var/www/html/assets/backgrounds -r
+ ln -s /backgrounds /var/www/html/assets/
+ if [ ! "$(ls -A /backgrounds)" ]; then
+ echo >&2 " -- Empty so populating with default files."
+ cp /usr/src/jumpapp/assets/backgrounds/* /backgrounds -r
+ fi
+fi
+
+if [ -e "/sites" ]; then
+ echo >&2 " - Sites directory is mapped... symlinking."
+ rm /var/www/html/sites -r
+ ln -s /sites /var/www/html/
+ if [ ! "$(ls -A /sites)" ]; then
+ echo >&2 " -- Empty so populating with default files."
+ cp /usr/src/jumpapp/sites/* /sites -r
+ fi
+fi
+
+echo >&2 "- All done! Starting nginx/php services now."
+echo >&2 "-------------------------------------------------------------"
+
+php-fpm8
+nginx -g 'daemon off;'
diff --git a/docker/fpm-pool.conf b/docker/fpm-pool.conf
new file mode 100644
index 0000000..446d368
--- /dev/null
+++ b/docker/fpm-pool.conf
@@ -0,0 +1,18 @@
+[global]
+error_log = /dev/stderr
+
+[www]
+user = jumpapp
+listen = /run/php-fpm.sock
+listen.owner = jumpapp
+
+pm.status_path = /fpm-status
+pm = ondemand
+pm.max_children = 100
+pm.process_idle_timeout = 10s
+pm.max_requests = 1000
+
+clear_env = no
+catch_workers_output = yes
+decorate_workers_output = no
+ping.path = /fpm-ping
\ No newline at end of file
diff --git a/docker/nginx.conf b/docker/nginx.conf
new file mode 100644
index 0000000..617748c
--- /dev/null
+++ b/docker/nginx.conf
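Review bot: The last two lines of the script let `php-fpm8` background itself and then run `nginx` as a child of bash, so bash remains PID 1, the SIGTERM from `docker stop` reaches the shell rather than nginx or php-fpm, and neither server gets a graceful shutdown or is reaped if it dies. At minimum the final line should be `exec nginx -g 'daemon off;'` so nginx becomes PID 1 and receives signals; if both processes are meant to be supervised, the container needs an init/supervisor with `daemonize = no` in the fpm `[global]` section rather than a backgrounded php-fpm. The `rm /var/www/html/* -r` glob also skips dotfiles, so a stale dot-prefixed entry in the webroot survives the "repopulating" step; `find /var/www/html -mindepth 1 -delete` clears the directory fully. Note that because the Dockerfile sets no `USER`, this whole script runs as root and the re-copied tree ends up root-owned rather than `jumpapp`-owned.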
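Review bot: `clear_env = no` in the `[www]` pool hands the entire container environment to every PHP worker, so anything injected with `docker run -e` (database passwords, API tokens, and the like) becomes readable through `getenv()`/`$_ENV` from any PHP file nginx executes. Presumably this is how the application reads its configuration, but the choice deserves a comment next to the directive, e.g. `; clear_env = no so the app can read its settings from the container environment`. If only a handful of variables are needed, keeping the default `clear_env = yes` and listing them explicitly with `env[NAME] = $NAME` lines is the tighter option.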
@@ -0,0 +1,95 @@
+user jumpapp;
+worker_processes auto;
+error_log /dev/stderr warn;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+
+ # Define custom log format to include reponse times
+ log_format main_timed '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for" '
+ '$request_time $upstream_response_time $pipe $upstream_cache_status';
+
+ access_log /dev/stdout main_timed;
+ error_log /dev/stderr notice;
+
+ keepalive_timeout 5;
+
+ # Write temporary files to /tmp so they can be created as a non-privileged user
+ client_body_temp_path /tmp/client_temp;
+ proxy_temp_path /tmp/proxy_temp_path;
+ fastcgi_temp_path /tmp/fastcgi_temp;
+ uwsgi_temp_path /tmp/uwsgi_temp;
+ scgi_temp_path /tmp/scgi_temp;
+
+ # Default server definition
+ server {
+ listen [::]:8080 default_server;
+ listen 8080 default_server;
+ server_name _;
+
+ sendfile off;
+ absolute_redirect off;
+
+ root /var/www/html;
+ index index.php index.html;
+
+ location / {
+ # First attempt to serve request as file, then
+ # as directory, then fall back to index.php
+ try_files $uri $uri/ /index.php?q=$uri&$args;
+ }
+
+ # Redirect server error pages to the static page /50x.html
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /var/lib/nginx/html;
+ }
+
+ # Pass the PHP scripts to PHP-FPM listening on php-fpm.sock
+ location ~ \.php$ {
+ try_files $uri =404;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_pass unix:/run/php-fpm.sock;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+ fastcgi_index index.php;
+ include fastcgi_params;
+ }
+
+ location ~* \.(jpg|jpeg|gif|png|css|js|ico|xml)$ {
+ expires 5d;
+ }
+
+ # Deny access to . files, for security
+ location ~ /\. 
{
+ log_not_found off;
+ deny all;
+ }
+
+ # Allow fpm ping and status from localhost
+ location ~ ^/(fpm-status|fpm-ping)$ {
+ access_log off;
+ allow 127.0.0.1;
+ deny all;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ include fastcgi_params;
+ fastcgi_pass unix:/run/php-fpm.sock;
+ }
+ }
+
+ gzip on;
+ gzip_proxied any;
+ gzip_types text/plain application/xml text/css text/js text/xml application/x-javascript text/javascript application/json application/xml+rss;
+ gzip_vary on;
+ gzip_disable "msie6";
+
+ # Include other server configs
+ include /etc/nginx/conf.d/*.conf;
+}
diff --git a/docker/php.ini b/docker/php.ini
new file mode 100644
index 0000000..e6b8b77
--- /dev/null
+++ b/docker/php.ini
@@ -0,0 +1,2 @@
+[Date]
+date.timezone="UTC"
\ No newline at end of file
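Review bot: `server_tokens` is left at its default in the `http` block, so error pages and the `Server` header advertise the exact nginx version; add `server_tokens off;` beside `keepalive_timeout 5;`. The `location ~ \.php$` block executes any `.php` file found under `root /var/www/html`, and the entrypoint in this same commit symlinks the `/sites` and `/backgrounds` volumes into that root, so a volume writable by other tenants or processes becomes a place from which PHP can be executed — if the application only needs `index.php` as an entry point, `location = /index.php {` is the tighter pattern, though I cannot tell from this hunk whether other PHP entry points exist. The two `error_log /dev/stderr` directives (`warn` at the top level, `notice` inside `http`) are also redundant with different levels; the `http`-level one takes precedence for request handling, so keeping a single directive would make the intended level explicit.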