Merge pull request #1 from lehigh-university-libraries/nginx

Add nginx

.github/workflows/nginx-1.25.yml

@@ -0,0 +1,19 @@
+name: Build and push nginx 1.25
+on:
+  push:
+    paths:
+      - 'nginx/**'
+      - '.github/workflows/nginx-1.25.yml'
+      - '.github/workflows/build-push.yml'
+
+jobs:
+  deploy:
+    uses: ./.github/workflows/build-push.yml
+    with:
+      dir: nginx
+      major_version: 1.25
+      build_arg: NGINX_VERSION=1.25.1
+    permissions:
+      contents: read
+      id-token: write
+    secrets: inherit

nginx/Dockerfile

@@ -0,0 +1,9 @@
+ARG NGINX_VERSION=1.25.1
+
+FROM nginx:${NGINX_VERSION}
+
+COPY conf/fastcgi_params /etc/nginx/fastcgi_params
+COPY conf/nginx.conf /etc/nginx/nginx.conf
+
+RUN rm /docker-entrypoint.d/* /etc/nginx/conf.d/*.conf && \
+    mkdir -p /code/web

nginx/conf/fastcgi_params

@@ -0,0 +1,24 @@
+fastcgi_param  QUERY_STRING       $query_string;
+fastcgi_param  REQUEST_METHOD     $request_method;
+fastcgi_param  CONTENT_TYPE       $content_type;
+fastcgi_param  CONTENT_LENGTH     $content_length;
+
+fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
+fastcgi_param  REQUEST_URI        $request_uri;
+fastcgi_param  DOCUMENT_URI       $document_uri;
+fastcgi_param  DOCUMENT_ROOT      $document_root;
+fastcgi_param  SERVER_PROTOCOL    $server_protocol;
+fastcgi_param  REQUEST_SCHEME     $scheme;
+fastcgi_param  HTTPS              off;
+
+fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
+fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
+
+fastcgi_param  REMOTE_ADDR        $remote_addr;
+fastcgi_param  REMOTE_PORT        $remote_port;
+fastcgi_param  SERVER_ADDR        $server_addr;
+fastcgi_param  SERVER_PORT        $server_port;
+fastcgi_param  SERVER_NAME        $server_name;
+
+fastcgi_param  REDIRECT_STATUS    200;
+

nginx/conf/nginx.conf

@@ -0,0 +1,139 @@
+user  nginx;
+worker_processes  1;
+error_log  /dev/stderr warn;
+pid        /var/run/nginx.pid;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    error_log /dev/stderr warn;
+
+    log_format compression '$remote_addr - $remote_user [$time_local] '
+                           '"$request" $status $body_bytes_sent '
+                           '"$http_referer" "$http_user_agent" "$gzip_ratio"';
+    access_log /dev/stderr compression;
+
+    sendfile        on;
+    keepalive_timeout  65;
+    include /etc/nginx/conf.d/*.conf;
+    proxy_read_timeout 600;
+    fastcgi_read_timeout 600;
+
+    upstream php_fpm_service {
+        server php-fpm:9000;
+    }
+
+    server {
+        root /code/web;
+
+        listen 80 default;
+
+        location = /robots.txt {
+            allow all;
+        }
+
+        # Very rarely should these ever be accessed outside of your lan
+        location ~* \.(txt|log)$ {
+            deny all;
+        }
+
+        location ~ \..*/.*\.php$ {
+            return 403;
+        }
+
+        location ~ ^/sites/.*/private/ {
+            return 403;
+        }
+
+        # Block access to scripts in site files directory
+        location ~ ^/sites/[^/]+/files/.*\.php$ {
+            deny all;
+        }
+
+        # Allow "Well-Known URIs" as per RFC 5785
+        location ~* ^/.well-known/ {
+            allow all;
+        }
+
+        # Block access to "hidden" files and directories whose names begin with a
+        # period. This includes directories used by version control systems such
+        # as Subversion or Git to store control files.
+        location ~ (^|/)\. {
+            return 403;
+        }
+
+        location / {
+            try_files $uri /index.php?$query_string; # For Drupal >= 7
+        }
+
+        location @rewrite {
+            rewrite ^ /index.php; # For Drupal >= 7
+        }
+
+        # Don't allow direct access to PHP files in the vendor directory.
+        location ~ /vendor/.*\.php$ {
+            deny all;
+            return 404;
+        }
+
+        # Protect files and directories from prying eyes.
+        location ~* \.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$ {
+            deny all;
+            return 404;
+        }
+
+        location ~ '\.php$|^/update.php' {
+            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+
+            # Ensure the php file exists. Mitigates CVE-2019-11043
+            try_files $fastcgi_script_name =404;
+
+            fastcgi_index index.php;
+            include fastcgi_params;
+
+            # Block httpoxy attacks. See https://httpoxy.org/.
+            fastcgi_param HTTP_PROXY "";
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            fastcgi_param PATH_INFO $fastcgi_path_info;
+            fastcgi_param QUERY_STRING $query_string;
+            fastcgi_intercept_errors on;
+
+            fastcgi_pass php_fpm_service;
+        }
+
+        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
+            try_files $uri @rewrite;
+            expires max;
+            log_not_found off;
+        }
+
+        # Fighting with Styles? This little gem is amazing.
+        location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7
+            try_files $uri @rewrite;
+        }
+
+        # Handle private files through Drupal. Private file's path can come
+        # with a language prefix.
+        location ~ ^(/[a-z\-]+)?/system/files/ {
+            try_files $uri /index.php?$query_string;
+        }
+
+        # Enforce clean URLs
+        # Removes index.php from urls like www.example.com/index.php/my-page --> www.example.com/my-page
+        # Could be done with 301 for permanent or other redirect codes.
+        if ($request_uri ~* "^(.*/)index\.php/(.*)") {
+            return 307 $1$2;
+        }
+
+        location ~ ^/(status|ping)$ {
+             allow all;
+             include fastcgi_params;
+             fastcgi_pass php_fpm_service;
+        }
+    }
+}