diff --git a/dd-apps/docker/moodle/Dockerfile b/dd-apps/docker/moodle/Dockerfile index b43c44e..fa343d9 100644 --- a/dd-apps/docker/moodle/Dockerfile +++ b/dd-apps/docker/moodle/Dockerfile @@ -9,6 +9,7 @@ COPY 02-configure-moodle.sh /docker-entrypoint-init.d/ COPY 03-plugins.sh /docker-entrypoint-init.d/ COPY src/rootfs/var/www/html/admin/cli/isinstalled.php / COPY is_moodle_ready.sh / +COPY nginx.conf /etc/nginx/ RUN echo "user=nobody" >> /etc/php7/php-fpm.d/www.conf RUN echo "group=nobody" >> /etc/php7/php-fpm.d/www.conf RUN apk add --no-cache dcron libcap && \ diff --git a/dd-apps/docker/moodle/dd-patch b/dd-apps/docker/moodle/dd-patch index 7289a65..e779db7 100644 --- a/dd-apps/docker/moodle/dd-patch +++ b/dd-apps/docker/moodle/dd-patch @@ -3,3 +3,4 @@ 02-configure-moodle.sh MIT https://github.com/erseco/ https://raw.githubusercontent.com/erseco/alpine-moodle/63b8b80d333eaec1cdffa2e768a364e973d6c1ee/rootfs/docker-entrypoint-init.d/02-configure-moodle.sh Dockerfile MIT https://github.com/erseco/ https://raw.githubusercontent.com/erseco/alpine-moodle/63b8b80d333eaec1cdffa2e768a364e973d6c1ee/Dockerfile moodle.yml MIT https://github.com/erseco/ https://raw.githubusercontent.com/erseco/alpine-moodle/63b8b80d333eaec1cdffa2e768a364e973d6c1ee/docker-compose.yml +nginx.conf MIT https://github.com/erseco/ https://raw.githubusercontent.com/erseco/alpine-moodle/63b8b80d333eaec1cdffa2e768a364e973d6c1ee/rootfs/etc/nginx/nginx.conf diff --git a/dd-apps/docker/moodle/nginx.conf b/dd-apps/docker/moodle/nginx.conf new file mode 100644 index 0000000..435f1ed --- /dev/null +++ b/dd-apps/docker/moodle/nginx.conf @@ -0,0 +1,108 @@ +worker_processes 1; +error_log stderr warn; +pid /run/nginx.pid; + +events { + worker_connections 1024; +} + +http { + include mime.types; + default_type application/octet-stream; + + # Define custom log format to include reponse times + log_format main_timed '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for" ' + '$request_time $upstream_response_time $pipe $upstream_cache_status'; + + access_log /dev/stdout main_timed; + error_log /dev/stderr notice; + + keepalive_timeout 65; + + # Write temporary files to /tmp so they can be created as a non-privileged user + client_body_temp_path /tmp/client_temp; + proxy_temp_path /tmp/proxy_temp_path; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + + set_real_ip_from 10.0.0.0/8; + set_real_ip_from 172.16.0.0/12; + set_real_ip_from 192.168.0.0/16; + real_ip_header X-Forwarded-For; + + # Default server definition + server { + listen 8080 default_server; + server_name _; + + sendfile off; + + # Increase proxy buffers for large requests + proxy_buffer_size 128k; + proxy_buffers 4 256k; + proxy_busy_buffers_size 256k; + + # Upload limit + client_max_body_size 200M; + client_body_buffer_size 128k; + + root /var/www/html; + index index.php index.html; + + location / { + # First attempt to serve request as file, then + # as directory, then fall back to index.php + try_files $uri $uri/ /index.php?q=$uri&$args; + } + + # Redirect server error pages to the static page /50x.html + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /var/lib/nginx/html; + } + + # Pass the PHP scripts to PHP-FPM listening on 127.0.0.1:9000 + location ~ [^/]\.php(/|$) { + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_pass 127.0.0.1:9000; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param SCRIPT_NAME $fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_index index.php; + include fastcgi_params; + } + + location ~* \.(jpg|jpeg|gif|png|css|js|ico|xml)$ { + expires 5d; + } + + # Deny access to . files, for security + location ~ /\. { + log_not_found off; + deny all; + } + + # Allow fpm ping and status from localhost + location ~ ^/(fpm-status|fpm-ping)$ { + access_log off; + allow 127.0.0.1; + deny all; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include fastcgi_params; + fastcgi_pass 127.0.0.1:9000; + } + } + + # Include other server configs + include /etc/nginx/conf.d/*.conf; + + gzip on; + gzip_proxied any; + gzip_types text/plain application/xml text/css text/js text/xml application/x-javascript text/javascript application/json application/xml+rss; + gzip_vary on; + gzip_disable "msie6"; + +} diff --git a/dd-apps/docker/nextcloud/nginx.conf b/dd-apps/docker/nextcloud/nginx.conf index c38f179..9897fdd 100644 --- a/dd-apps/docker/nextcloud/nginx.conf +++ b/dd-apps/docker/nextcloud/nginx.conf @@ -25,7 +25,7 @@ http { set_real_ip_from 10.0.0.0/8; set_real_ip_from 172.16.0.0/12; set_real_ip_from 192.168.0.0/16; - real_ip_header X-Real-IP; + real_ip_header X-Forwarded-For; upstream php-handler { server dd-apps-nextcloud-app:9000; } diff --git a/dd-sso/docker/haproxy/haproxy.cnf.parts/backends.cnf b/dd-sso/docker/haproxy/haproxy.cnf.parts/backends.cnf index 8467433..715c4a4 100644 --- a/dd-sso/docker/haproxy/haproxy.cnf.parts/backends.cnf +++ b/dd-sso/docker/haproxy/haproxy.cnf.parts/backends.cnf @@ -7,10 +7,6 @@ backend letsencrypt backend be_api mode http http-request set-path /img/favicon.ico if { path_end -i favicon.ico } or { path_end -i favicon } or { path_beg -i /apps/theming/favicon/ } - acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found - acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found - http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host - http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto # Nextcloud use /avatar/username/32 /avatar/username/64 and /avatar/username/128 http-request set-path %[path,regsub(\"^(/avatar/[^/]+).*\",\"\1\")] server api dd-sso-api:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none @@ -18,74 +14,40 @@ backend be_api backend be_sso mode http option httpclose - option forwardfor - acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found - acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found - http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host - http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto http-response replace-header Set-Cookie (KEYCLOAK_LOCALE=[^;]*);(.*) \1;Domain="${DOMAIN}";Version=1;Path=/;Secure; server keycloak dd-sso-keycloak:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none backend be_admin mode http - option forwardfor timeout queue 600s timeout server 600s timeout connect 600s - acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found - acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found - http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host - http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto server dd-sso-admin dd-sso-admin:9000 check port 9000 inter 5s rise 2 fall 10 resolvers mydns init-addr none ## APPS backend be_moodle mode http - acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found - acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found - http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host - http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto server moodle dd-apps-moodle:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none backend be_moodle_long mode http timeout server 900s - acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found - acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found - http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host - http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto server moodle dd-apps-moodle:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none backend be_nextcloud mode http - acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found - acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found - http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host - http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto server nextcloud dd-apps-nextcloud-nginx:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none backend be_etherpad mode http - acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found - acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found - http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host - http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto server etherpad dd-apps-etherpad:9001 check port 9001 inter 5s rise 2 fall 10 resolvers mydns init-addr none backend be_oof mode http - acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found - acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found - http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host - http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto server onlyoffice dd-apps-onlyoffice:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none backend be_wp mode http - acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found - acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found - http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host - http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto http-request set-header X-SSL %[ssl_fc] http-request set-header X-Forwarded-Proto https diff --git a/dd-sso/docker/haproxy/haproxy.cnf.parts/bind-direct.cnf b/dd-sso/docker/haproxy/haproxy.cnf.parts/bind-direct.cnf index d9b3a5d..7784f4f 100644 --- a/dd-sso/docker/haproxy/haproxy.cnf.parts/bind-direct.cnf +++ b/dd-sso/docker/haproxy/haproxy.cnf.parts/bind-direct.cnf @@ -7,6 +7,11 @@ http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\ if { ssl_fc_has_crt } bind :443 ssl crt /certs/chain.pem + # This comes from the internet, do not trust the forwarding headers + http-request del-header X-Forwarded-For + http-request del-header X-Forwarded-Proto + # But add our forwarding headers instead + option forwardfor # New line to test URI to see if its a letsencrypt request acl letsencrypt-acl path_beg /.well-known/acme-challenge/ diff --git a/dd-sso/docker/waf-modsecurity/000-default.conf b/dd-sso/docker/waf-modsecurity/000-default.conf index 953f305..afee66b 100644 --- a/dd-sso/docker/waf-modsecurity/000-default.conf +++ b/dd-sso/docker/waf-modsecurity/000-default.conf @@ -7,8 +7,10 @@ CustomLog /var/log/apache2/access.log combined ProxyPreserveHost On - ProxyRequests off - ProxyVia Off + ProxyRequests off + ProxyVia Off + # Do not touch the proxy headers, these are set by HAProxy before + ProxyAddHeaders off ProxyPass "/" "http://dd-sso-haproxy:81/" ProxyPassReverse "/" "http://dd-sso-haproxy:81/"