apache-extras.template
# Apache setup performed in one layer: enable mod_rewrite and mod_expires, configure
# mod_remoteip for reverse-proxy deployments, log the resolved client address, and
# deny requests for hidden files and common backup/source file types.
# -e aborts the layer on the first failing command, -u rejects unset variables,
# -x traces each command into the build log.
RUN set -eux; \
a2enmod rewrite expires; \
\
# https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html
a2enmod remoteip; \
# Everything echoed inside the braces becomes /etc/apache2/conf-available/remoteip.conf.
{ \
echo 'RemoteIPHeader X-Forwarded-For'; \
# these IP ranges are reserved for "private" use and should thus *usually* be safe inside Docker
# NOTE(review): X-Forwarded-For is a request header, so any peer connecting from one of
# these ranges is trusted to state the client address that Apache then logs and applies
# to address-based rules. The list covers all RFC 1918 space plus link-local and
# loopback; if the real proxy sits on a narrower network, override this file in a
# derived image and list only that network.
echo 'RemoteIPTrustedProxy 10.0.0.0/8'; \
echo 'RemoteIPTrustedProxy 172.16.0.0/12'; \
echo 'RemoteIPTrustedProxy 192.168.0.0/16'; \
echo 'RemoteIPTrustedProxy 169.254.0.0/16'; \
echo 'RemoteIPTrustedProxy 127.0.0.0/8'; \
} > /etc/apache2/conf-available/remoteip.conf; \
a2enconf remoteip; \
# https://github.com/docker-library/wordpress/issues/383#issuecomment-507886512
# (replace all instances of "%h" with "%a" in LogFormat)
# %h is the remote hostname of the connection, %a is the client IP of the request, which
# is the value mod_remoteip rewrites. Without this, access logs show the proxy instead of
# the client. The pattern is greedy and consumes the whole quoted format, so each
# LogFormat string gets one substitution (its last %h); that covers formats containing a
# single %h.
find /etc/apache2 -type f -name '*.conf' -exec sed -ri 's/([[:space:]]*LogFormat[[:space:]]+"[^"]*)%h([^"]*")/\1%a\2/g' '{}' +; \
# apply sensible security defaults: 403 hidden files/dirs + common backup/source filetypes
# RedirectMatch answers 403 for any URL path that contains a segment starting with a dot;
# as written this also matches /.well-known/ paths, so deployments that serve content
# from there need an exception.
# FilesMatch is a denylist keyed on the file suffix (or a trailing "~"): suffixes not
# listed are still served, so it reduces exposure of stray files but does not replace
# keeping them out of the document root.
{ \
echo 'RedirectMatch 403 /\..*$'; \
echo '<FilesMatch "(\.(bak|back|backup|config|dist|fla|inc|ini|log|psd|sh|sql|swp)|~)$">'; \
echo 'Require all denied'; \
echo '</FilesMatch>'; \
} > /etc/apache2/conf-available/forbidden.conf; \
a2enconf forbidden