Upgrade to latest nginx and anonymize ips

Author: Daniel Haus

Dockerfile

@@ -1,7 +1,11 @@
 FROM jedisct1/phusion-baseimage-latest:16.04
 
 RUN (curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -) \
-    && echo "deb https://dl.yarnpkg.com/debian/ stable main" | sudo tee /etc/apt/sources.list.d/yarn.list \
+    && (curl -sS http://nginx.org/keys/nginx_signing.key | sudo apt-key add -) \
+    && echo "deb https://dl.yarnpkg.com/debian/ stable main" \
+      | sudo tee /etc/apt/sources.list.d/yarn.list \
+    && echo "deb http://nginx.org/packages/mainline/ubuntu/ xenial nginx" \
+      | sudo tee /etc/apt/sources.list.d/nginx.list \
     && apt-get update \
     && DEBIAN_FRONTEND=noninteractive \
         apt-get install -yq --no-install-recommends \
@@ -49,8 +53,8 @@ RUN (curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -) \
     && sed -i "s/;date.timezone =.*/date.timezone = UTC/" \
         /etc/php/7.1/fpm/php.ini \
         /etc/php/7.1/cli/php.ini \
-    && echo "daemon off;" >> /etc/nginx/nginx.conf \
-    && sed -i "s/;daemonize\s*=\s*yes/daemonize = no/g"    /etc/php/7.1/fpm/php-fpm.conf \
+    && sed -i "/listen\./s/www-data/nginx/g"               /etc/php/7.1/fpm/pool.d/www.conf \
+    && sed -i "s/;daemonize\s*=\s*yes/daemonize = no/"     /etc/php/7.1/fpm/php-fpm.conf \
     && sed -i "s/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/"  /etc/php/7.1/fpm/php.ini \
     && sed -i "s/;clear_env\s*=\s*no/clear_env = no/"      /etc/php/7.1/fpm/pool.d/www.conf \
     && mkdir -p \
@@ -59,8 +63,9 @@ RUN (curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -) \
         /etc/service/nginx \
         /etc/service/phpfpm
 
-COPY etc/default.conf /etc/nginx/sites-available/default
-COPY etc/gzip.conf etc/security.conf etc/uploads.conf /etc/nginx/conf.d/
+COPY nginx.conf /etc/nginx/
+COPY etc/*.conf /etc/nginx/conf.d/
+
 COPY nginx.sh /etc/service/nginx/run
 COPY phpfpm.sh /etc/service/phpfpm/run
 

etc/default.conf

@@ -1,58 +1,53 @@
-# open_file_cache                 max=10000 inactive=5m;
-# open_file_cache_valid           1m;
-# open_file_cache_min_uses        1;
-# open_file_cache_errors          on;
+# vim: ft=nginx ts=2 sw=2
 
 server {
-    listen 80 default_server;
-    listen [::]:80 default_server ipv6only=on;
+  listen 80 default_server;
+  listen [::]:80 default_server ipv6only=on;
 
-    add_header X-Frame-Options "SAMEORIGIN";
-    add_header X-XSS-Protection "1; mode=block";
+  add_header X-Frame-Options "SAMEORIGIN";
+  add_header X-XSS-Protection "1; mode=block";
 
+  # Make site accessible from http://localhost/
+  server_name localhost;
+
+  location / {
     root /var/www/html;
     index index.php index.html index.htm;
 
-    # Make site accessible from http://localhost/
-    server_name localhost;
-
-    location / {
-        server_tokens off;
-        # First attempt to serve request as file, then as directory, then
-        # /index.php.
-        try_files $uri $uri/ @reroute;
-        # Uncomment to enable naxsi on this location
-        # include /etc/nginx/naxsi.rules
-    }
-
-    location = /favicon.ico { log_not_found off; access_log off; }
-    location = /robots.txt  { access_log off; log_not_found off; }
-
-    location @reroute {
-        rewrite ^ /index.php last;
-    }
-
-    # error_page 404 /index.php;
-
-    # pass the PHP scripts to php-fpm
-    # Note: \.php$ is susceptible to file upload attacks
-    # Consider using: "location ~ ^/(index|app|app_dev|config)\.php(/|$) {"
-    location ~ \.php$ {
-        fastcgi_split_path_info ^(.+\.php)(/.+)$;
-        # With php5-fpm:
-        fastcgi_pass unix:/run/php/php7.1-fpm.sock;
-        fastcgi_index index.php;
-        include fastcgi_params;
-        include fastcgi.conf;
-        fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
-        fastcgi_param LARA_ENV local; # Environment variable for Laravel
-        fastcgi_param HTTPS off;
-    }
-
-    # deny access to .htaccess files, if Apache's document root
-    # concurs with nginx's one
-
-    location ~ /\.ht {
-        deny all;
-    }
+    server_tokens off;
+    # First attempt to serve request as file, then as directory, then
+    # /index.php.
+    try_files $uri $uri/ @reroute;
+    # include /etc/nginx/naxsi.rules
+  }
+
+  location = /favicon.ico { log_not_found off; access_log off; }
+  location = /robots.txt  { access_log off; log_not_found off; }
+
+  location @reroute {
+    rewrite ^ /index.php last;
+  }
+
+  # error_page 404 /index.php;
+
+  # pass the PHP scripts to php-fpm
+  # Note: \.php$ is susceptible to file upload attacks
+  # Consider using: "location ~ ^/(index|app|app_dev|config)\.php(/|$) {"
+  location ~ \.php$ {
+    root /var/www/html;
+    fastcgi_index index.php;
+    fastcgi_split_path_info ^(.+\.php)(/.+)$;
+    fastcgi_pass unix:/run/php/php7.1-fpm.sock;
+    include fastcgi_params;
+    fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
+    fastcgi_param LARA_ENV local; # Environment variable for Laravel
+    fastcgi_param HTTPS off;
+  }
+
+  # deny access to .htaccess files, if Apache's document root
+  # concurs with nginx's one
+
+  location ~ /\.ht {
+    deny all;
+  }
 }

nginx.conf

@@ -0,0 +1,40 @@
+user  nginx;
+worker_processes  1;
+
+error_log  /var/log/nginx/error.log warn;
+pid    /var/run/nginx.pid;
+
+
+events {
+  worker_connections  1024;
+}
+
+
+http {
+  include     /etc/nginx/mime.types;
+  default_type  application/octet-stream;
+
+  # open_file_cache             max=10000 inactive=5m;
+  # open_file_cache_valid       1m;
+  # open_file_cache_min_uses    1;
+  # open_file_cache_errors      on;
+
+  map $remote_addr $remote_addr_anon {
+    ~(?P<ip>\d+\.\d+\.\d+)\.  $ip.0;
+    ~(?P<ip>[^:]+:[^:]+):     $ip::;
+    default                   0.0.0.0;
+  }
+
+  log_format  main  '$remote_addr_anon - $remote_user [$time_local] "$request" '
+              '$status $body_bytes_sent "$http_referer" '
+              '"$http_user_agent" "$http_x_forwarded_for"';
+
+  access_log  /var/log/nginx/access.log  main;
+
+  sendfile    on;
+  #tcp_nopush   on;
+
+  keepalive_timeout  65;
+
+  include /etc/nginx/conf.d/*.conf;
+}

nginx.sh

@@ -1,3 +1,3 @@
 #!/bin/sh
 
-nginx
+nginx -g "daemon off;"