Merge pull request #24 from kool-dev/nginx-optimize

Optmising Nginx

Author: fabriciojs

.github/workflows/ci-cd.yml

@@ -59,15 +59,18 @@ jobs:
           docker push kooldev/php:${{ matrix.version }}${{ matrix.type }}
           docker push kooldev/php:${{ matrix.version }}-nginx${{ matrix.type }}
 
-  trigger-wordpress:
-    name: Trigger docker-wordpress
+  trigger-extended-builds:
+    name: Trigger Extended Builds
     runs-on: ubuntu-latest
     needs: build
+    strategy:
+      matrix:
+        image: ['kool-dev/docker-wordpress', 'kool-dev/docker-php-sqlsrv', 'kool-dev/docker-php-oci8']
     steps:
-      - name: Trigger build on kool-dev/docker-wordpress
+      - name: Trigger build on ${{ matrix.image }}
         uses: benc-uk/workflow-dispatch@v1.1
         if: github.ref == 'refs/heads/master' && github.repository == 'kool-dev/docker-php'
         with:
           workflow: CI/CD
-          repo: kool-dev/docker-wordpress
+          repo: ${{ matrix.image }}
           token: ${{ secrets.WORKFLOW_TOKEN }}

7.1-nginx-prod/Dockerfile

@@ -13,11 +13,21 @@ ENV PHP_FPM_LISTEN=/run/php-fpm.sock \
 RUN curl -L https://github.com/ochinchina/supervisord/releases/download/v0.6.3/supervisord_static_0.6.3_linux_amd64 -o /usr/local/bin/supervisord \
     && chmod +x /usr/local/bin/supervisord \
     && apk add --no-cache nginx \
-    && sed -i "s|^user .*|user\ kool kool;|g" /etc/nginx/nginx.conf \
     && chown -R kool:kool /var/tmp/nginx \
     && chmod 770 /var/tmp/nginx \
     && ln -sf /dev/stdout /var/log/nginx/access.log \
-    && ln -sf /dev/stderr /var/log/nginx/error.log
+    && ln -sf /dev/stderr /var/log/nginx/error.log \
+    # add h5bp/server-configs-nginx
+    && mkdir /etc/nginx/h5bp \
+    && cd /etc/nginx/h5bp \
+    && wget https://github.com/h5bp/server-configs-nginx/archive/refs/tags/3.3.0.tar.gz -O h5bp.tgz \
+    && tar xzvf h5bp.tgz \
+    && rm -f h5bp.tgz \
+    && mv server-configs-nginx-*/h5bp/* . \
+    && mv server-configs-nginx-*/nginx.conf /etc/nginx/nginx.conf \
+    && sed -i "s|^user .*|user\ kool kool;|g" /etc/nginx/nginx.conf \
+    && mv server-configs-nginx-*/mime.types /etc/nginx/mime.types \
+    && rm -rf server-configs-nginx-*
 
 COPY supervisor.conf /kool/supervisor.conf
 COPY default.tmpl /kool/default.tmpl

7.1-nginx-prod/default.tmpl

@@ -30,4 +30,15 @@ server {
     location ~ /\.ht {
         deny all;
     }
+
+    # basic H5BP suggestions
+    include h5bp/internet_explorer/x-ua-compatible.conf;
+    include h5bp/security/referrer-policy.conf;
+    include h5bp/security/x-content-type-options.conf;
+    include h5bp/security/x-frame-options.conf;
+    include h5bp/security/x-xss-protection.conf;
+
+    # performance enhancements (mostly for caching static data)
+    include h5bp/web_performance/cache-file-descriptors.conf;
+    include h5bp/web_performance/pre-compressed_content_gzip.conf;
 }

7.1-nginx-prod/supervisor.conf

@@ -1,6 +1,6 @@
 [program:nginx]
 depends_on = php-fpm
-command = nginx -g "pid /run/nginx.pid; daemon off;"
+command = nginx -g "daemon off;"
 stopasgroup = true
 stderr_logfile = /dev/stderr
 stdout_logfile = /dev/stdout

7.1-nginx/Dockerfile

@@ -13,11 +13,21 @@ ENV PHP_FPM_LISTEN=/run/php-fpm.sock \
 RUN curl -L https://github.com/ochinchina/supervisord/releases/download/v0.6.3/supervisord_static_0.6.3_linux_amd64 -o /usr/local/bin/supervisord \
     && chmod +x /usr/local/bin/supervisord \
     && apk add --no-cache nginx \
-    && sed -i "s|^user .*|user\ kool kool;|g" /etc/nginx/nginx.conf \
     && chown -R kool:kool /var/tmp/nginx \
     && chmod 770 /var/tmp/nginx \
     && ln -sf /dev/stdout /var/log/nginx/access.log \
-    && ln -sf /dev/stderr /var/log/nginx/error.log
+    && ln -sf /dev/stderr /var/log/nginx/error.log \
+    # add h5bp/server-configs-nginx
+    && mkdir /etc/nginx/h5bp \
+    && cd /etc/nginx/h5bp \
+    && wget https://github.com/h5bp/server-configs-nginx/archive/refs/tags/3.3.0.tar.gz -O h5bp.tgz \
+    && tar xzvf h5bp.tgz \
+    && rm -f h5bp.tgz \
+    && mv server-configs-nginx-*/h5bp/* . \
+    && mv server-configs-nginx-*/nginx.conf /etc/nginx/nginx.conf \
+    && sed -i "s|^user .*|user\ kool kool;|g" /etc/nginx/nginx.conf \
+    && mv server-configs-nginx-*/mime.types /etc/nginx/mime.types \
+    && rm -rf server-configs-nginx-*
 
 COPY supervisor.conf /kool/supervisor.conf
 COPY default.tmpl /kool/default.tmpl

7.1-nginx/default.tmpl

@@ -30,4 +30,15 @@ server {
     location ~ /\.ht {
         deny all;
     }
+
+    # basic H5BP suggestions
+    include h5bp/internet_explorer/x-ua-compatible.conf;
+    include h5bp/security/referrer-policy.conf;
+    include h5bp/security/x-content-type-options.conf;
+    include h5bp/security/x-frame-options.conf;
+    include h5bp/security/x-xss-protection.conf;
+
+    # performance enhancements (mostly for caching static data)
+    include h5bp/web_performance/cache-file-descriptors.conf;
+    include h5bp/web_performance/pre-compressed_content_gzip.conf;
 }

7.1-nginx/supervisor.conf

@@ -1,6 +1,6 @@
 [program:nginx]
 depends_on = php-fpm
-command = nginx -g "pid /run/nginx.pid; daemon off;"
+command = nginx -g "daemon off;"
 stopasgroup = true
 stderr_logfile = /dev/stderr
 stdout_logfile = /dev/stdout

7.2-nginx-prod/Dockerfile

@@ -13,11 +13,21 @@ ENV PHP_FPM_LISTEN=/run/php-fpm.sock \
 RUN curl -L https://github.com/ochinchina/supervisord/releases/download/v0.6.3/supervisord_static_0.6.3_linux_amd64 -o /usr/local/bin/supervisord \
     && chmod +x /usr/local/bin/supervisord \
     && apk add --no-cache nginx \
-    && sed -i "s|^user .*|user\ kool kool;|g" /etc/nginx/nginx.conf \
     && chown -R kool:kool /var/lib/nginx \
     && chmod 770 /var/lib/nginx/tmp \
     && ln -sf /dev/stdout /var/log/nginx/access.log \
-    && ln -sf /dev/stderr /var/log/nginx/error.log
+    && ln -sf /dev/stderr /var/log/nginx/error.log \
+    # add h5bp/server-configs-nginx
+    && mkdir /etc/nginx/h5bp \
+    && cd /etc/nginx/h5bp \
+    && wget https://github.com/h5bp/server-configs-nginx/archive/refs/tags/3.3.0.tar.gz -O h5bp.tgz \
+    && tar xzvf h5bp.tgz \
+    && rm -f h5bp.tgz \
+    && mv server-configs-nginx-*/h5bp/* . \
+    && mv server-configs-nginx-*/nginx.conf /etc/nginx/nginx.conf \
+    && sed -i "s|^user .*|user\ kool kool;|g" /etc/nginx/nginx.conf \
+    && mv server-configs-nginx-*/mime.types /etc/nginx/mime.types \
+    && rm -rf server-configs-nginx-*
 
 COPY supervisor.conf /kool/supervisor.conf
 COPY default.tmpl /kool/default.tmpl

7.2-nginx-prod/default.tmpl

@@ -30,4 +30,15 @@ server {
     location ~ /\.ht {
         deny all;
     }
+
+    # basic H5BP suggestions
+    include h5bp/internet_explorer/x-ua-compatible.conf;
+    include h5bp/security/referrer-policy.conf;
+    include h5bp/security/x-content-type-options.conf;
+    include h5bp/security/x-frame-options.conf;
+    include h5bp/security/x-xss-protection.conf;
+
+    # performance enhancements (mostly for caching static data)
+    include h5bp/web_performance/cache-file-descriptors.conf;
+    include h5bp/web_performance/pre-compressed_content_gzip.conf;
 }

7.2-nginx-prod/supervisor.conf

@@ -1,6 +1,6 @@
 [program:nginx]
 depends_on = php-fpm
-command = nginx -g "pid /run/nginx.pid; daemon off;"
+command = nginx -g "daemon off;"
 stopasgroup = true
 stderr_logfile = /dev/stderr
 stdout_logfile = /dev/stdout