diff --git a/000-default.conf b/000-default.conf index 086fe3c..9263580 100644 --- a/000-default.conf +++ b/000-default.conf @@ -1,16 +1,22 @@ -# Global log redirection to stdout and stderr -ErrorLog "|/usr/bin/tee -a /var/log/apache2/error.log" -CustomLog "|/usr/bin/tee -a /var/log/apache2/access.log" combined - + ServerName localhost + DocumentRoot /data/public + - Options Indexes FollowSymLinks + Options FollowSymLinks AllowOverride All Require all granted - - # Remote IP configuration - RemoteIPHeader X-Forwarded-For - RemoteIPTrustedProxy 127.0.0.1 - + + DirectoryIndex index.php index.html + + # PHP-FPM handler + + SetHandler "proxy:unix:/run/php/php8.5-fpm.sock|fcgi://localhost/" + + + # Docker-friendly logging + ErrorLog /proc/self/fd/2 + CustomLog /proc/self/fd/1 combined + \ No newline at end of file diff --git a/Dockerfile b/Dockerfile index c7611e3..72f489b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,23 +1,92 @@ -FROM debian:bookworm-20250224 +FROM debian:trixie-20260316 WORKDIR /data -# Install necessary packages and configure PHP repository +# Install base packages + Apache + PHP repo RUN apt-get update && apt-get install -y \ - lsb-release ca-certificates curl apt-transport-https logrotate ssl-cert apache2 && \ - echo "ServerName localhost" >> /etc/apache2/apache2.conf && \ - curl -sSLo /tmp/debsuryorg-archive-keyring.deb https://packages.sury.org/debsuryorg-archive-keyring.deb && \ - dpkg -i /tmp/debsuryorg-archive-keyring.deb && \ - sh -c 'echo "deb [signed-by=/usr/share/keyrings/deb.sury.org-php.gpg] https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list' && \ - apt-get update && \ - apt-get install -y \ - php8.4 php8.4-cli php8.4-fpm php8.4-mysql php8.4-xml php8.4-mbstring php8.4-curl php8.4-zip php8.4-redis libapache2-mod-php8.4 && \ - apt-get autoremove -y && \ - apt-get clean && \ - rm -rf /var/lib/apt/lists/* /tmp/* + lsb-release \ + ca-certificates \ + curl \ + logrotate \ + ssl-cert \ + apache2 \ + && echo "ServerName localhost" >> /etc/apache2/apache2.conf \ + \ + # Add Sury PHP repo + && curl -sSLo /tmp/debsuryorg-archive-keyring.deb https://packages.sury.org/debsuryorg-archive-keyring.deb \ + && dpkg -i /tmp/debsuryorg-archive-keyring.deb \ + && echo "deb [signed-by=/usr/share/keyrings/deb.sury.org-php.gpg] https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list \ + \ + && apt-get update \ + \ + # Install PHP 8.5 + extensions + && apt-get install -y \ + php8.5 \ + php8.5-cli \ + php8.5-fpm \ + php8.5-mysql \ + php8.5-xml \ + php8.5-mbstring \ + php8.5-curl \ + php8.5-zip \ + php8.5-redis \ + \ + # Cleanup + && apt-get autoremove -y \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* /tmp/* -# log management -RUN cat < /etc/logrotate.d/apache2 +# Apache + PHP-FPM configuration + performance tuning +RUN \ + # Enable modules + a2enmod proxy_fcgi setenvif expires headers rewrite remoteip socache_shmcb ssl deflate \ + \ + # Switch to MPM event + && a2dismod mpm_prefork \ + && a2enmod mpm_event \ + \ + # Enable PHP-FPM + && a2enconf php8.5-fpm \ + \ + # Remote IP config + && echo 'RemoteIPHeader X-Forwarded-For' > /etc/apache2/conf-available/remoteip.conf \ + && echo 'RemoteIPTrustedProxy 127.0.0.1' >> /etc/apache2/conf-available/remoteip.conf \ + && a2enconf remoteip \ + && sed -ri 's/([[:space:]]*LogFormat[[:space:]]+"[^"]*)%h([^"]*")/\1%a\2/g' /etc/apache2/*.conf \ + \ + # Security headers + && echo 'Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"' >> /etc/apache2/conf-available/security.conf \ + && echo 'Header always set X-Content-Type-Options "nosniff"' >> /etc/apache2/conf-available/security.conf \ + && echo 'Header always set X-Frame-Options "SAMEORIGIN"' >> /etc/apache2/conf-available/security.conf \ + \ + # Compression + && echo 'AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/javascript application/json' > /etc/apache2/conf-available/compression.conf \ + && a2enconf compression \ + \ + # KeepAlive tuning + && cat < /etc/apache2/conf-available/keepalive.conf +KeepAlive On +MaxKeepAliveRequests 100 +KeepAliveTimeout 2 +EOF \ + && a2enconf keepalive \ + \ + # MPM Event tuning + && cat < /etc/apache2/conf-available/mpm-event-tuning.conf + + StartServers 2 + MinSpareThreads 25 + MaxSpareThreads 75 + ThreadLimit 64 + ThreadsPerChild 25 + MaxRequestWorkers 150 + MaxConnectionsPerChild 1000 + +EOF \ + && a2enconf mpm-event-tuning \ + \ + # Logrotate + && cat < /etc/logrotate.d/apache2 /var/log/apache2/*.log { weekly missingok @@ -29,25 +98,23 @@ RUN cat < /etc/logrotate.d/apache2 } EOF -RUN echo 'RemoteIPHeader X-Forwarded-For' > /etc/apache2/conf-available/remoteip.conf && \ - echo 'RemoteIPTrustedProxy 127.0.0.1' >> /etc/apache2/conf-available/remoteip.conf && \ - a2enconf remoteip && \ - sed -ri 's/([[:space:]]*LogFormat[[:space:]]+"[^"]*)%h([^"]*")/\1%a\2/g' /etc/apache2/*.conf +# PHP-FPM tuning +RUN sed -i 's/^pm = .*/pm = dynamic/' /etc/php/8.5/fpm/pool.d/www.conf && \ + sed -i 's/^pm.max_children = .*/pm.max_children = 20/' /etc/php/8.5/fpm/pool.d/www.conf && \ + sed -i 's/^pm.start_servers = .*/pm.start_servers = 2/' /etc/php/8.5/fpm/pool.d/www.conf && \ + sed -i 's/^pm.min_spare_servers = .*/pm.min_spare_servers = 2/' /etc/php/8.5/fpm/pool.d/www.conf && \ + sed -i 's/^pm.max_spare_servers = .*/pm.max_spare_servers = 5/' /etc/php/8.5/fpm/pool.d/www.conf +# PHP custom config RUN mkdir -p /php && echo "PHP_INI_SCAN_DIR=/php" > /etc/environment + COPY php.ini /php/php.ini COPY 000-default.conf /etc/apache2/sites-available/000-default.conf -# Security headers for Apache -RUN echo 'Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"' >> /etc/apache2/conf-available/security.conf && \ - echo 'Header always set X-Content-Type-Options "nosniff"' >> /etc/apache2/conf-available/security.conf && \ - echo 'Header always set X-XSS-Protection "1; mode=block"' >> /etc/apache2/conf-available/security.conf && \ - echo 'Header always set X-Frame-Options "SAMEORIGIN"' >> /etc/apache2/conf-available/security.conf - -RUN a2enmod expires headers rewrite remoteip socache_shmcb ssl - EXPOSE 80 -CMD ["apachectl", "-D", "FOREGROUND"] -HEALTHCHECK --interval=30s --timeout=10s --retries=3 \ - CMD curl --silent --fail localhost:80 || exit 1 +# Startup +COPY start.sh /start.sh +RUN chmod +x /start.sh + +CMD ["/start.sh"] \ No newline at end of file diff --git a/README.md b/README.md index 762afb9..0bd38f0 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ It provides a streamlined stack featuring Apache, the latest PHP version, Redis, ## Features -- **PHP Version**: 8.4.5 +- **PHP Version**: 8.5.3 - **Apache Web Server**: Configured to run PHP applications - **Support for**: - `remoteip` (reverse proxy) @@ -33,12 +33,21 @@ cd corxn ```bash sudo su -docker buildx build --no-cache -t 4lights/corxn:6.0.0 -t 4lights/corxn:latest --load . -docker login -docker push 4lights/corxn:6.0.0 +docker buildx build --no-cache -t 4lights/corxn:8.5.3 -t 4lights/corxn:latest --load . +docker login -u +docker push 4lights/corxn:8.5.3 docker push 4lights/corxn:latest ``` +# Testing -# References And Notes +Here is how to text the build: +```bash +mkdir -p data/uploads && sudo chown -R 33:33 data/uploads && chmod 775 data/uploads +docker compose up -d +# Visit: http://localhost:8000/test.php +# Test: file upload and that green checkmarks exist +``` -Test using test.php +# Logs + +```docker logs corxn``` diff --git a/docker-compose.yml b/docker-compose.yml index 778962f..66ac80a 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,26 +1,26 @@ # Sample Docker Compose services: corxn: - image: 4lights/corxn:6.0.0 + image: 4lights/corxn:latest ports: - "8000:80" volumes: - - ./:/data # looks for /data/public - - ./php.ini:/php/php.ini # Optional override php.ini - - ./data/logs:/var/log/apache2 # Optional Logs + - ./test:/data # looks for /data/public + - ./php.ini:/php/php.ini:ro # Optional override php.ini + - ./data/uploads:/data/public/uploads restart: unless-stopped networks: - proxy - internal redis: - image: redis:latest + image: redis:7 networks: - internal restart: unless-stopped mariadb: - image: mariadb:latest + image: mariadb:11 environment: - MYSQL_ROOT_PASSWORD=rootpassword - MYSQL_DATABASE=dbname diff --git a/php.ini b/php.ini index 7706bf4..279f22c 100644 --- a/php.ini +++ b/php.ini @@ -1,55 +1,53 @@ [PHP] -; Basic PHP settings +; Performance max_execution_time = 30 -memory_limit = 500M +max_input_time = 60 +memory_limit = 512M + +; Uploads upload_max_filesize = 100M post_max_size = 100M -max_input_time = 60 + +; Timezone date.timezone = America/Vancouver -; Error handling -display_errors = On -display_startup_errors = On +; Errors (production-safe) +display_errors = Off +display_startup_errors = Off log_errors = On -error_log = /var/log/php_errors.log +error_log = /proc/self/fd/2 -; Session settings +; Sessions session.save_path = "/var/lib/php/sessions" session.gc_maxlifetime = 1440 session.cookie_lifetime = 0 session.use_strict_mode = 1 +; File handling +file_uploads = On +allow_url_fopen = On + ; Realpath cache realpath_cache_size = 4096k realpath_cache_ttl = 120 -; File upload settings -file_uploads = On -allow_url_fopen = On - -; Redis settings (ensure Redis extension is loaded) -extension=redis.so - -; mbstring settings (useful for multi-byte encoding handling) -mbstring.language = Japanese -mbstring.internal_encoding = UTF-8 -mbstring.http_input = auto -mbstring.http_output = UTF-8 -mbstring.detect_order = auto -mbstring.substitute_character = none - -; cURL settings +; cURL curl.cainfo = "/etc/ssl/certs/ca-certificates.crt" -; SMTP settings (for sending mail, if needed) +; Mail (optional) SMTP = localhost sendmail_path = /usr/sbin/sendmail -t -i -; Extension loading -extension=curl -extension=mbstring -extension=redis -extension=xml -extension=mysqli -extension=pdo_mysql -extension=zip \ No newline at end of file +; OPcache (IMPORTANT) +opcache.enable=1 +opcache.enable_cli=1 +opcache.memory_consumption=192 +opcache.interned_strings_buffer=16 +opcache.max_accelerated_files=20000 +opcache.validate_timestamps=0 +opcache.revalidate_freq=0 +opcache.fast_shutdown=1 + +; Redis +session.save_handler = redis +session.save_path = "tcp://redis:6379" diff --git a/start.sh b/start.sh new file mode 100644 index 0000000..c2db930 --- /dev/null +++ b/start.sh @@ -0,0 +1,6 @@ +#!/bin/bash +set -e + +service php8.5-fpm start + +exec apachectl -D FOREGROUND \ No newline at end of file diff --git a/public/test.php b/test/public/test.php similarity index 95% rename from public/test.php rename to test/public/test.php index 3ee7e71..f8dca05 100644 --- a/public/test.php +++ b/test/public/test.php @@ -74,7 +74,7 @@

PHP Container Test Script

-

Four Lights PHP Container

+

Four Lights PHP Container: CORXN

Server Information

@@ -129,11 +129,7 @@