Merge pull request #224 from jdeathe/issue/217

CLOSES #217: Removes dependency on mod_php image.

Author: jdeathe

CHANGELOG.md

@@ -4,6 +4,13 @@
 
 Summary of release changes.
 
+### 1.13.1 - Unreleased
+
+- Updates php-hello-world to [0.13.0](https://github.com/jdeathe/php-hello-world/releases/tag/0.13.0).
+- Adds setting PHP `date.timezone` to `PHP_OPTIONS_DATE_TIMEZONE` into service configuration; removes dependency on app package configuration.
+- Adds session PHP settings into service configuration; removes dependency on app package configuration.
+- Removes dependency on `jdeathe/centos-ssh-apache-php`; source from `jdeathe/centos-ssh`.
+
 ### 1.13.0 - 2019-07-20
 
 - Updates image source to [1.13.0](https://github.com/jdeathe/centos-ssh-apache-php/releases/tag/1.13.0).

Dockerfile

@@ -1,20 +1,35 @@
-FROM jdeathe/centos-ssh-apache-php:1.13.0
+FROM jdeathe/centos-ssh:1.11.0
 
+# Use the form ([{fqdn}-]{package-name}|[{fqdn}-]{provider-name})
+ARG PACKAGE_NAME="app"
+ARG PACKAGE_PATH="/opt/${PACKAGE_NAME}"
+ARG PACKAGE_RELEASE_VERSION="0.13.0"
 ARG RELEASE_VERSION="1.13.0"
 
 # ------------------------------------------------------------------------------
 # Base install of required packages
 # ------------------------------------------------------------------------------
-RUN yum -y erase \
-		php-5.3.3-49.el6 \
-	&& yum -y install \
+RUN yum -y install \
 		--setopt=tsflags=nodocs \
 		--disableplugin=fastestmirror \
+		elinks-0.12-0.21.pre5.el6_3 \
 		fcgi-2.4.0-12.el6 \
+		httpd-2.2.15-69.el6.centos \
 		mod_fcgid-2.3.9-1.el6 \
+		mod_ssl-2.2.15-69.el6.centos \
+		php-cli-5.3.3-49.el6 \
+		php-common-5.3.3-49.el6 \
+		php-zts-5.3.3-49.el6 \
+		php-pecl-apc-3.1.9-2.el6 \
+		php-pecl-memcached-1.0.0-1.el6 \
+		php-pecl-redis-2.2.8-1.el6 \
 	&& yum versionlock add \
+		elinks \
 		fcgi \
+		httpd \
 		mod_fcgid \
+		mod_ssl \
+		php* \
 	&& rm -rf /var/cache/yum/* \
 	&& yum clean all
 
@@ -25,33 +40,217 @@ ADD src /
 
 # ------------------------------------------------------------------------------
 # Provisioning
+# - Add default system users
+# - Limit threads for the application user
+# - Disable Apache directory indexes and welcome page
+# - Disable Apache language based content negotiation
+# - Custom Apache configuration
+# - Disable all Apache modules and enable the minimum
 # - Disable Apache default fcgid configuration; replaced with 00-fcgid.conf
+# - Disable the default SSL Virtual Host
+# - Disable SSL
+# - Add default PHP configuration overrides to 00-php.ini drop-in.
+# - APC configuration
 # - Replace placeholders with values in systemd service unit template
 # - Set permissions
 # ------------------------------------------------------------------------------
-RUN truncate -s 0 \
+RUN useradd -r -M -d /var/www/app -s /sbin/nologin app \
+	&& useradd -r -M -d /var/www/app -s /sbin/nologin -G apache,app app-www \
+	&& usermod -a -G app-www app \
+	&& usermod -a -G app-www,app apache \
+	&& usermod -L app \
+	&& usermod -L app-www \
+	&& { printf -- \
+		'\n@apache\tsoft\tnproc\t%s\n@apache\thard\tnproc\t%s\n' \
+		'85' \
+		'170'; \
+	} >> /etc/security/limits.conf \
+	&& cp -pf \
+		/etc/httpd/conf/httpd.conf \
+		/etc/httpd/conf/httpd.conf.default \
+	&& sed -i \
+		-e 's~^KeepAlive .*$~KeepAlive On~g' \
+		-e 's~^MaxKeepAliveRequests .*$~MaxKeepAliveRequests 200~g' \
+		-e 's~^KeepAliveTimeout .*$~KeepAliveTimeout 2~g' \
+		-e 's~^ServerSignature On$~ServerSignature Off~g' \
+		-e 's~^ServerTokens OS$~ServerTokens Prod~g' \
+		-e 's~^NameVirtualHost \(.*\)$~#NameVirtualHost \1~g' \
+		-e 's~^User .*$~User ${APACHE_RUN_USER}~g' \
+		-e 's~^Group .*$~Group ${APACHE_RUN_GROUP}~g' \
+		-e 's~^DocumentRoot \(.*\)$~#DocumentRoot \1~g' \
+		-e 's~^IndexOptions \(.*\)$~#IndexOptions \1~g' \
+		-e 's~^IndexIgnore \(.*\)$~#IndexIgnore \1~g' \
+		-e 's~^AddIconByEncoding \(.*\)$~#AddIconByEncoding \1~g' \
+		-e 's~^AddIconByType \(.*\)$~#AddIconByType \1~g' \
+		-e 's~^AddIcon \(.*\)$~#AddIcon \1~g' \
+		-e 's~^DefaultIcon \(.*\)$~#DefaultIcon \1~g' \
+		-e 's~^ReadmeName \(.*\)$~#ReadmeName \1~g' \
+		-e 's~^HeaderName \(.*\)$~#HeaderName \1~g' \
+		-e 's~^LanguagePriority \(.*\)$~#LanguagePriority \1~g' \
+		-e 's~^ForceLanguagePriority \(.*\)$~#ForceLanguagePriority \1~g' \
+		-e 's~^AddLanguage \(.*\)$~#AddLanguage \1~g' \
+		-e '/#<Location \/server-status>/,/#<\/Location>/ s~^#~~' \
+		-e '/<Location \/server-status>/,/<\/Location>/ s~Allow from .example.com~Allow from localhost 127.0.0.1~' \
+		/etc/httpd/conf/httpd.conf \
+	&& { printf -- \
+		'\n%s\n%s\n%s\n%s\\\n%s%s\\\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n' \
+		'#' \
+		'# Custom configuration' \
+		'#' \
+		'LogFormat ' \
+		'  "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b' \
+		' \"%{Referer}i\" \"%{User-Agent}i\"" ' \
+		'  forwarded_for_combined' \
+		'Listen 8443' \
+		'Options -Indexes' \
+		'ServerSignature Off' \
+		'ServerTokens Prod' \
+		'TraceEnable Off' \
+		'UseCanonicalName On' \
+		'UseCanonicalPhysicalPort On'; \
+	} >> /etc/httpd/conf/httpd.conf \
+	&& sed -i \
+		-e 's~^\(LoadModule .*\)$~#\1~g' \
+		-e 's~^#\(LoadModule mime_module .*\)$~\1~' \
+		-e 's~^#\(LoadModule log_config_module .*\)$~\1~' \
+		-e 's~^#\(LoadModule setenvif_module .*\)$~\1~' \
+		-e 's~^#\(LoadModule status_module .*\)$~\1~' \
+		-e 's~^#\(LoadModule authz_host_module .*\)$~\1~' \
+		-e 's~^#\(LoadModule dir_module .*\)$~\1~' \
+		-e 's~^#\(LoadModule alias_module .*\)$~\1~' \
+		-e 's~^#\(LoadModule expires_module .*\)$~\1~' \
+		-e 's~^#\(LoadModule deflate_module .*\)$~\1~' \
+		-e 's~^#\(LoadModule headers_module .*\)$~\1~' \
+		-e 's~^#\(LoadModule alias_module .*\)$~\1~' \
+		-e 's~^#\(LoadModule version_module .*\)$~\1\n#LoadModule reqtimeout_module modules/mod_reqtimeout.so~g' \
+		/etc/httpd/conf/httpd.conf \
+	&& truncate -s 0 \
 		/etc/httpd/conf.d/fcgid.conf \
 	&& chmod 444 \
 		/etc/httpd/conf.d/fcgid.conf \
+	&& sed -i \
+		-e '/<VirtualHost _default_:443>/,/<\/VirtualHost>/ s~^~#~' \
+		/etc/httpd/conf.d/ssl.conf \
+	&& cat \
+		/etc/httpd/conf.d/ssl.conf \
+		> /etc/httpd/conf.d/ssl.conf.off \
+	&& truncate -s 0 \
+		/etc/httpd/conf.d/ssl.conf \
+	&& chmod 644 \
+		/etc/httpd/conf.d/ssl.conf \
+	&& sed \
+		-e 's~^; .*$~~' \
+		-e 's~^;*$~~' \
+		-e '/^$/d' \
+		-e 's~^\[~\n\[~g' \
+		/etc/php.ini \
+		> /etc/php.d/00-php.ini.default \
+	&& sed \
+		-e 's~^; .*$~~' \
+		-e 's~^;*$~~' \
+		-e '/^$/d' \
+		-e 's~^\[~\n\[~g' \
+		/etc/php.d/apc.ini \
+		> /etc/php.d/apc.ini.default \
+	&& sed -r \
+		-e 's~^;?(cgi.fix_pathinfo( )?=).*$~\1\21~g' \
+		-e 's~^;?(date.timezone( )?=).*$~\1\2"${PHP_OPTIONS_DATE_TIMEZONE:-UTC}"~g' \
+		-e 's~^;?(expose_php( )?=).*$~\1\2Off~g' \
+		-e 's~^;?(realpath_cache_size( )?=).*$~\1\24096k~' \
+		-e 's~^;?(realpath_cache_ttl( )?=).*$~\1\2600~' \
+		-e 's~^;?(session.cookie_httponly( )?=).*$~\1\21~' \
+		-e 's~^;?(session.name( )?=).*$~\1\2"${PHP_OPTIONS_SESSION_NAME:-PHPSESSID}"~' \
+		-e 's~^;?(session.save_handler( )?=).*$~\1\2"${PHP_OPTIONS_SESSION_SAVE_HANDLER:-files}"~' \
+		-e 's~^;?(session.save_path( )?=).*$~\1\2"${PHP_OPTIONS_SESSION_SAVE_PATH:-/var/lib/php/session}"~' \
+		-e 's~^;?(session.sid_bits_per_character( )?=).*$~\1\25~' \
+		-e 's~^;?(session.sid_length( )?=).*$~\1\264~' \
+		-e 's~^;?(session.use_strict_mode( )?=).*$~\1\21~' \
+		-e 's~^;?(user_ini.filename( )?=).*$~\1~g' \
+		/etc/php.d/00-php.ini.default \
+		> /etc/php.d/00-php.ini \
+	&& sed \
+		-e 's~^\(apc.stat=\).*$~\10~g' \
+		-e 's~^\(apc.shm_size=\).*$~\1128M~g' \
+		-e 's~^\(apc.enable_cli=\).*$~\11~g' \
+		-e 's~^\(apc.file_update_protection=\).*$~\10~g' \
+		/etc/php.d/apc.ini.default \
+		> /etc/php.d/apc.ini \
+	&& sed -i \
+		-e "s~'ADMIN_PASSWORD','password'~'ADMIN_PASSWORD','apc!123'~g" \
+		-e "s~'DATE_FORMAT', 'Y/m/d H:i:s'~'DATE_FORMAT', 'Y-m-d H:i:s'~g" \
+		-e "s~php_uname('n');~gethostname();~g" \
+		/usr/share/php-pecl-apc/apc.php \
 	&& sed -i \
 		-e "s~{{RELEASE_VERSION}}~${RELEASE_VERSION}~g" \
-		/etc/systemd/system/centos-ssh-apache-php-fcgi@.service
+		/etc/systemd/system/centos-ssh-apache-php-fcgi@.service \
+	&& chmod 644 \
+		/etc/supervisord.d/{20-httpd-bootstrap,70-httpd-wrapper}.conf \
+	&& chmod 700 \
+		/usr/{bin/healthcheck,sbin/httpd-{bootstrap,wrapper}}
 
 # ------------------------------------------------------------------------------
 # Package installation
 # ------------------------------------------------------------------------------
-RUN sed -i \
+RUN mkdir -p -m 750 ${PACKAGE_PATH} \
+	&& curl -Ls \
+		https://github.com/jdeathe/php-hello-world/archive/${PACKAGE_RELEASE_VERSION}.tar.gz \
+	| tar -xzpf - \
+		--strip-components=1 \
+		--exclude="*.gitkeep" \
+		-C ${PACKAGE_PATH} \
+	&& sed -i \
 		-e 's~^description =.*$~description = "This CentOS / Apache / PHP-CGI (FastCGI) service is running in a container."~' \
 		${PACKAGE_PATH}/etc/views/index.ini \
-	&& rm -f \
-		${PACKAGE_PATH}/bin/php-wrapper \
-		${PACKAGE_PATH}/etc/httpd/conf.d/50-fcgid.conf
+	&& mv \
+		${PACKAGE_PATH}/public \
+		${PACKAGE_PATH}/public_html \
+	&& $(\
+		if [[ -f /usr/share/php-pecl-apc/apc.php ]]; then \
+			cp \
+				/usr/share/php-pecl-apc/apc.php \
+				${PACKAGE_PATH}/public_html/_apc.php; \
+		fi \
+	) \
+	&& chown -R app:app-www ${PACKAGE_PATH} \
+	&& find ${PACKAGE_PATH} -type d -exec chmod 750 {} + \
+	&& find ${PACKAGE_PATH}/var -type d -exec chmod 770 {} + \
+	&& find ${PACKAGE_PATH} -type f -exec chmod 640 {} +
+
+EXPOSE 80 443 8443
 
 # ------------------------------------------------------------------------------
 # Set default environment variables used to configure the service container
 # ------------------------------------------------------------------------------
 ENV \
-	APACHE_MPM="worker"
+	APACHE_CONTENT_ROOT="/var/www/${PACKAGE_NAME}" \
+	APACHE_CUSTOM_LOG_FORMAT="combined" \
+	APACHE_CUSTOM_LOG_LOCATION="var/log/apache_access_log" \
+	APACHE_ERROR_LOG_LOCATION="var/log/apache_error_log" \
+	APACHE_ERROR_LOG_LEVEL="warn" \
+	APACHE_EXTENDED_STATUS_ENABLED="false" \
+	APACHE_HEADER_X_SERVICE_UID="{{HOSTNAME}}" \
+	APACHE_LOAD_MODULES="" \
+	APACHE_MOD_SSL_ENABLED="false" \
+	APACHE_MPM="worker" \
+	APACHE_OPERATING_MODE="production" \
+	APACHE_PUBLIC_DIRECTORY="public_html" \
+	APACHE_RUN_GROUP="app-www" \
+	APACHE_RUN_USER="app-www" \
+	APACHE_SERVER_ALIAS="" \
+	APACHE_SERVER_NAME="" \
+	APACHE_SSL_CERTIFICATE="" \
+	APACHE_SSL_CIPHER_SUITE="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS" \
+	APACHE_SSL_PROTOCOL="All -SSLv2 -SSLv3" \
+	APACHE_SYSTEM_USER="app" \
+	ENABLE_HTTPD_BOOTSTRAP="true" \
+	ENABLE_HTTPD_WRAPPER="true" \
+	ENABLE_SSHD_BOOTSTRAP="false" \
+	ENABLE_SSHD_WRAPPER="false" \
+	PACKAGE_PATH="${PACKAGE_PATH}" \
+	PHP_OPTIONS_DATE_TIMEZONE="UTC" \
+	PHP_OPTIONS_SESSION_NAME="PHPSESSID" \
+	PHP_OPTIONS_SESSION_SAVE_HANDLER="files" \
+	PHP_OPTIONS_SESSION_SAVE_PATH="var/session"
 
 # ------------------------------------------------------------------------------
 # Set image metadata

src/etc/httpd/conf.d/00-deflate.conf

@@ -0,0 +1,30 @@
+<IfModule deflate_module>
+    # Identify known cases of invalidated Accept-Encoding request headers.
+    <IfModule setenvif_module>
+        <IfModule headers_module>
+            SetEnvIfNoCase \
+                ^(Accept-EncodXng|X-cept-Encoding|[X~-]{15})$ \
+                ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ \
+                reset-accept-encoding
+            RequestHeader append Accept-Encoding "gzip, deflate" \
+                env=reset-accept-encoding
+        </IfModule>
+    </IfModule>
+
+    DeflateCompressionLevel 9
+    AddOutputFilterByType DEFLATE \
+        application/font-woff \
+        application/font-woff2 \
+        application/javascript \
+        application/rss+xml \
+        application/vnd.ms-fontobject \
+        application/x-font-ttf \
+        application/x-javascript \
+        text/css \
+        text/html \
+        text/javascript \
+        text/plain \
+        text/vcard \
+        text/xml \
+        image/svg+xml
+</IfModule>

src/etc/httpd/conf.d/00-etag.conf

@@ -0,0 +1,6 @@
+<IfVersion < 2.4>
+    # Change the default from "INode MTime Size".
+    # Note: If using WebDAV (mod_dav_fs) you must restore the default at the
+    # effected locations otherwise conditional requests will break.
+    FileETag MTime Size
+</IfVersion>

src/etc/httpd/conf.d/00-expires.conf

@@ -0,0 +1,17 @@
+<IfModule expires_module>
+    ExpiresActive On
+    ExpiresByType application/font-woff A604800
+    ExpiresByType application/font-woff2 A604800
+    ExpiresByType application/javascript A604800
+    ExpiresByType application/x-font-ttf A604800
+    ExpiresByType application/x-javascript A604800
+    ExpiresByType application/x-shockwave-flash A604800
+    ExpiresByType font/opentype A604800
+    ExpiresByType image/gif A604800
+    ExpiresByType image/jpeg A604800
+    ExpiresByType image/png A604800
+    ExpiresByType image/svg+xml A604800
+    ExpiresByType image/x-icon A604800
+    ExpiresByType text/css A604800
+    ExpiresByType text/javascript A604800
+</IfModule>

src/etc/httpd/conf.d/00-headers.conf

@@ -0,0 +1,12 @@
+<IfModule headers_module>
+    RequestHeader unset Proxy early
+    Header unset X-Service-Operating-Mode
+    <IfDefine development>
+        Header set X-Service-Operating-Mode development
+    </IfDefine>
+    <IfDefine debug>
+        Header set X-Service-Operating-Mode debug
+    </IfDefine>
+    Header unset X-Service-UID
+    Header set X-Service-UID "${APACHE_HEADER_X_SERVICE_UID}"
+</IfModule>

src/etc/httpd/conf.d/00-mime-type.conf

@@ -0,0 +1,9 @@
+<IfModule mime_module>
+    AddEncoding gzip svgz
+    AddType application/font-woff woff
+    AddType application/font-woff2 woff2
+    AddType application/javascript js
+    AddType application/x-font-ttf ttc ttf
+    AddType font/opentype otf
+    AddType image/x-icon cur ico
+</IfModule>

src/etc/httpd/conf.d/00-php-operating-mode.conf

@@ -0,0 +1,22 @@
+<IfModule php5_module>
+    # Operating mode is production default
+    <IfDefine !production>
+        php_value error_reporting 32767
+        php_value display_errors On
+        php_value html_errors On
+        php_value xdebug.show_exception_trace On
+        php_value xdebug.trace_enable_trigger On
+        php_value xdebug.trace_format 0
+        php_value xdebug.collect_params 4
+        php_value xdebug.collect_return On
+        php_value xdebug.show_mem_delta On
+        php_value xdebug.remote_enable true
+        php_value xdebug.remote_mode req
+        php_value xdebug.remote_connect_back On
+        php_value xdebug.profiler_enable_trigger On
+        <IfDefine debug>
+            php_value xdebug.trace_format 1
+            php_value xdebug.collect_params 2
+        </IfDefine>
+    </IfDefine>
+</IfModule>

src/etc/httpd/conf.d/00-reqtimeout.conf

@@ -0,0 +1,3 @@
+<IfModule reqtimeout_module>
+    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
+</IfModule>

src/etc/httpd/conf.d/10-name-virtual-host.conf

@@ -0,0 +1,7 @@
+<IfVersion < 2.4>
+    NameVirtualHost *:80
+    NameVirtualHost *:8443
+    <IfModule ssl_module>
+        NameVirtualHost *:443
+    </IfModule>
+</IfVersion>