add h5bp nginx configuration

Author: fabriciojs

README.md

@@ -4,6 +4,8 @@
 
 Minimal PHP Docker image focused on Laravel applications. It's use is intended for [kool.dev](https://github.com/kool-dev/kool), but can fit in any other PHP use-case.
 
+The images with Nginx include [`h5bp/server-configs-nginx`](https://github.com/h5bp/server-configs-nginx) with a hand picked set of configuration active by default. So if you want to change or add a new server configuration you can `include h5bp/...` as you see fit.
+
 ### Usage
 
 Simplest example:

template/Dockerfile-nginx.blade.php

@@ -13,7 +13,6 @@
 RUN curl -L https://github.com/ochinchina/supervisord/releases/download/v0.6.3/supervisord_static_0.6.3_linux_amd64 -o /usr/local/bin/supervisord \
     && chmod +x /usr/local/bin/supervisord \
     && apk add --no-cache nginx \
-    && sed -i "s|^user .*|user\ kool kool;|g" /etc/nginx/nginx.conf \
 @if (version_compare($version, '7.2', '>='))
     && chown -R kool:kool /var/lib/nginx \
     && chmod 770 /var/lib/nginx/tmp \
@@ -22,7 +21,18 @@
     && chmod 770 /var/tmp/nginx \
 @endif
     && ln -sf /dev/stdout /var/log/nginx/access.log \
-    && ln -sf /dev/stderr /var/log/nginx/error.log
+    && ln -sf /dev/stderr /var/log/nginx/error.log \
+    # add h5bp/server-configs-nginx
+    && mkdir /etc/nginx/h5bp \
+    && cd /etc/nginx/h5bp \
+    && wget https://github.com/h5bp/server-configs-nginx/archive/refs/tags/3.3.0.tar.gz -O h5bp.tgz \
+    && tar xzvf h5bp.tgz \
+    && rm -f h5bp.tgz \
+    && mv server-configs-nginx-*/h5bp/* . \
+    && mv server-configs-nginx-*/nginx.conf /etc/nginx/nginx.conf \
+    && sed -i "s|^user .*|user\ kool kool;|g" /etc/nginx/nginx.conf \
+    && mv server-configs-nginx-*/mime.types /etc/nginx/mime.types \
+    && rm -rf server-configs-nginx-*
 
 COPY supervisor.conf /kool/supervisor.conf
 COPY default.tmpl /kool/default.tmpl

template/default-tmpl.blade.php

@@ -30,4 +30,15 @@
     location ~ /\.ht {
         deny all;
     }
+
+    # basic H5BP suggestions
+    include h5bp/internet_explorer/x-ua-compatible.conf;
+    include h5bp/security/referrer-policy.conf;
+    include h5bp/security/x-content-type-options.conf;
+    include h5bp/security/x-frame-options.conf;
+    include h5bp/security/x-xss-protection.conf;
+
+    # performance enhancements (mostly for caching static data)
+    include h5bp/web_performance/cache-file-descriptors.conf;
+    include h5bp/web_performance/pre-compressed_content_gzip.conf;
 }

template/supervisor-conf.blade.php

@@ -1,6 +1,6 @@
 [program:nginx]
 depends_on = php-fpm
-command = nginx -g "pid /run/nginx.pid; daemon off;"
+command = nginx -g "daemon off;"
 stopasgroup = true
 stderr_logfile = /dev/stderr
 stdout_logfile = /dev/stdout