Labs/kartoteka
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

обновление конфигов nginx и docker

Browse Source
This commit is contained in:
brusnitsyn
2025-12-19 17:01:47 +09:00
parent 9057d3e8ad
commit 2bafa7f073
5 changed files with 431 additions and 141 deletions
Download Patch File Download Diff File Expand all files Collapse all files

257
Dockerfile
View File

@@ -1,146 +1,163 @@
ARG NODE_VERSION=24.12.0
FROM php:8.3-fpm-alpine AS phpbuild
# Этап 1: PHP зависимости
FROM php:8.3-fpm-bookworm AS phpbuild
# Install base dependencies
RUN apk add --no-cache \
bash \
# Установка системных зависимостей
RUN apt-get update && apt-get install -y \
git \
curl \
git \
wget
# Установка Composer
COPY --from=composer:2.7.8 /usr/bin/composer /usr/bin/composer
WORKDIR /var/www
# Копирование необходимых файлов и изменение разрешений
COPY . .
RUN chown -R www:www /var/www \
&& chmod -R 775 /var/www/storage \
&& chmod -R 775 /var/www/bootstrap/cache
# Установка php и зависимостей
RUN composer install --no-dev --prefer-dist
RUN chown -R www:www /var/www/vendor \
&& chmod -R 775 /var/www/vendor
FROM node:${NODE_VERSION} AS jsbuild
WORKDIR /var/www
COPY . .
# Установка node.js зависимостей
RUN npm install \
&& npm run build
FROM php:8.3-fpm-alpine
# 1. Сначала обновляем и ставим минимальные зависимости
RUN apk add --no-cache \
git \
wget \
gnupg
# 2. Устанавливаем зависимости для самых важных расширений
RUN apk add --no-cache \
unzip \
libzip-dev \
libxml2-dev \
libonig-dev \
libicu-dev \
libcurl4-openssl-dev \
libonig-dev \
libpng-dev \
libjpeg-dev \
libfreetype6-dev \
libwebp-dev \
libpq-dev \
libxslt1-dev \
libexif-dev \
libffi-dev \
pkg-config \
libssl-dev \
zlib1g-dev
&& rm -rf /var/lib/apt/lists/*
# 3. Устанавливаем БАЗОВЫЕ расширения (которые точно работают)
RUN docker-php-ext-install \
# Установка PHP расширений
RUN docker-php-ext-configure gd \
--with-freetype \
--with-jpeg \
--with-webp \
&& docker-php-ext-install -j$(nproc) \
bcmath \
intl \
mbstring \
zip \
opcache \
pdo
# 4. Устанавливаем зависимости для GD
RUN apk add --no-cache \
libpng-dev \
libjpeg-dev \
libfreetype6-dev \
libwebp-dev
# 5. Настраиваем и устанавливаем GD
RUN docker-php-ext-configure gd --with-freetype --with-jpeg --with-webp \
&& docker-php-ext-install gd
# 6. Устанавливаем зависимости для баз данных
RUN apk add --no-cache \
libpq-dev
# 7. Устанавливаем расширения для баз данных
RUN docker-php-ext-install \
mysqli \
pdo \
pdo_mysql \
pdo_pgsql \
pgsql
# 8. Устанавливаем оставшиеся расширения
RUN docker-php-ext-install \
calendar \
ctype \
curl \
fileinfo \
ftp \
gettext \
iconv \
phar \
posix \
xml \
dom \
simplexml \
sockets
# 9. Устанавливаем зависимости для системных расширений
RUN apk add --no-cache \
libxslt-dev \
libexif-dev \
libffi-dev \
# 10. Устанавливаем системные расширения
RUN docker-php-ext-install \
xsl \
gd \
exif \
sockets \
xsl \
ffi \
shmop
pcntl
# 11. Установка Redis
RUN cd /tmp && \
git clone --branch 6.3.0 --depth 1 https://github.com/phpredis/phpredis.git && \
cd phpredis && \
phpize && \
./configure && \
make -j$(nproc) && \
make install && \
docker-php-ext-enable redis && \
rm -rf /tmp/phpredis
# Установка Redis расширения
RUN pecl install redis && docker-php-ext-enable redis
# 12. Установка Composer
#RUN curl -sS https://getcomposer.org/installer | php -- \
# --install-dir=/usr/local/bin --filename=composer
# Настройка opcache для production
RUN echo "opcache.enable=1" >> /usr/local/etc/php/conf.d/opcache.ini && \
echo "opcache.memory_consumption=256" >> /usr/local/etc/php/conf.d/opcache.ini && \
echo "opcache.interned_strings_buffer=32" >> /usr/local/etc/php/conf.d/opcache.ini && \
echo "opcache.max_accelerated_files=32531" >> /usr/local/etc/php/conf.d/opcache.ini && \
echo "opcache.validate_timestamps=0" >> /usr/local/etc/php/conf.d/opcache.ini
# 13. Создание пользователя
RUN groupadd -g 1000 www && \
useradd -u 1000 -ms /bin/ash -g www www
# 14. Копирование файлов проекта
COPY --chown=www:www --from=phpbuild /var/www /var/www
COPY --chown=www:www --from=jsbuild /var/www/node_modules /var/www/node_modules
# Установка Composer
COPY --from=composer:2.7 /usr/bin/composer /usr/bin/composer
WORKDIR /var/www
# 15. Смена пользователя
USER www
# Копирование файлов для установки зависимостей
COPY composer.json composer.lock ./
# Установка PHP зависимостей
RUN composer install \
--no-progress \
--no-scripts \
--prefer-dist \
--optimize-autoloader \
--apcu-autoloader
# Копируем исходный код
COPY . .
# Установка прав
RUN chown -R www-data:www-data /var/www && \
chmod -R 775 /var/www/storage /var/www/bootstrap/cache
# Этап 2: Сборка фронтенда (Inertia + Vue 3)
FROM node:20-bookworm-slim AS jsbuild
# Установка дополнительных зависимостей для сборки
RUN apt-get update && apt-get install -y \
python3 \
make \
g++ \
&& rm -rf /var/lib/apt/lists/*
WORKDIR /var/www
# Копируем зависимости Node.js
COPY package.json package-lock.json* ./
# Установка зависимостей Node.js
RUN npm ci \
--no-audit \
--progress=false
# Копируем файлы для сборки фронтенда
COPY vite.config.js ./
COPY resources/js ./resources/js/
COPY resources/css ./resources/css/
# Сборка ассетов Vite
RUN npm run build
# Этап 3: Финальный образ
FROM php:8.3-fpm-bookworm
# Установка runtime зависимостей
RUN apt-get update && apt-get install -y \
libzip4 \
libxml2 \
libicu72 \
libonig5 \
libpng16-16 \
libjpeg62-turbo \
libfreetype6 \
libwebp7 \
libpq5 \
libxslt1.1 \
libexif12 \
libffi8 \
supervisor \
cron \
&& rm -rf /var/lib/apt/lists/*
# Копируем PHP расширения из первого этапа
COPY --from=phpbuild /usr/local/etc/php/conf.d/ /usr/local/etc/php/conf.d/
COPY --from=phpbuild /usr/local/lib/php/extensions/no-debug-non-zts-20230831/ /usr/local/lib/php/extensions/no-debug-non-zts-20230831/
COPY --from=phpbuild /usr/local/bin/ /usr/local/bin/
# Создаем пользователя
RUN groupadd -g 1000 www && \
useradd -u 1000 -ms /bin/bash -g www www
# Копируем конфигурации
COPY docker/nginx.conf /etc/nginx/nginx.conf
COPY docker/app.conf /etc/nginx/conf.d/default.conf
#COPY docker/supervisord.conf /etc/supervisor/conf.d/supervisord.conf
WORKDIR /var/www
# Копируем приложение
COPY --chown=www:www --from=phpbuild /var/www .
COPY --chown=www:www --from=jsbuild /var/www/public/build ./public/build
COPY --chown=www:www --from=jsbuild /var/www/node_modules ./node_modules
# Настройка прав и оптимизация Laravel
RUN mkdir -p /var/log/supervisor && \
chown -R www:www /var/www /var/log/supervisor && \
chmod -R 775 /var/www/storage /var/www/bootstrap/cache
# Оптимизация Laravel
RUN php artisan config:cache && \
php artisan route:cache && \
php artisan view:cache && \
php artisan storage:link
# 16. Expose port 9000 и запуск php-fpm
EXPOSE 9000
CMD ["php-fpm"]

7
docker-compose.yml
View File

@@ -15,12 +15,13 @@ services:
volumes:
- ./.env:/var/www/.env
- ./docker/php.ini:/usr/local/etc/php/conf.d/app.ini
- ./storage/logs:/var/www/storage/logs
networks:
- app-network
#Nginx Service
webserver:
image: nginx:alpine
image: nginx:1.29.4
container_name: kartoteka_nginx
restart: unless-stopped
tty: true
@@ -28,7 +29,9 @@ services:
- "8090:80"
volumes:
- ./:/var/www
- ./docker/nginx.conf:/etc/nginx/conf.d/default.conf
- ./docker/app.conf:/etc/nginx/conf.d/default.conf
- ./docker/nginx.conf:/etc/nginx/nginx.conf
- ./docker/blocked_ips.map:/etc/nginx/blocked_ips.map
networks:
- app-network

208
docker/app.conf Normal file
View File

@@ -0,0 +1,208 @@
# Определяем переменную для блокировки
map $remote_addr $blocked_ip {
default 0;
include /etc/nginx/blocked_ips.map;
}
# Определяем типы запросов
map $request_uri $request_type {
default "general";
# API endpoints
~*^/api/ "api";
# Auth endpoints
~*^/(login|register|password-reset|auth|forgot-password|verify-email) "auth";
# Admin endpoints
~*^/(admin|dashboard|cp|control-panel|manager) "admin";
# Static files by extension
~*\.(jpg|jpeg|png|gif|ico|css|js|woff2?|ttf|eot|svg|pdf|zip|mp4|webm)$ "static";
# Static files by directory
~*^/(storage|uploads|media|images|css|js|fonts)/ "static";
}
server {
listen 80;
server_name _;
root /var/www/public;
index index.php index.html;
# ========== ОСНОВНЫЕ НАСТРОЙКИ БЕЗОПАСНОСТИ ==========
# Защитные заголовки
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# ========== ПРЕДВАРИТЕЛЬНЫЕ ПРОВЕРКИ ==========
# Если IP в черном списке
if ($blocked_ip) {
return 444;
}
# Блокировка пустых User-Agent
if ($http_user_agent = "") {
return 444;
}
# Блокировка нестандартных методов
if ($request_method !~ ^(GET|HEAD|POST|OPTIONS)$) {
return 444;
}
# ========== ГЛОБАЛЬНЫЕ ОГРАНИЧЕНИЯ ==========
limit_conn conn_limit_per_ip 25;
limit_req zone=req_limit_per_ip burst=30 delay=15;
# ========== СТАТИЧЕСКИЕ ФАЙЛЫ ==========
location ~* \.(jpg|jpeg|png|gif|ico|webp|avif)$ {
limit_req zone=static_limit burst=100 nodelay;
limit_conn conn_limit_per_ip 100;
expires 1y;
add_header Cache-Control "public, immutable";
add_header Pragma "public";
try_files $uri =404;
access_log off;
log_not_found off;
}
location ~* \.(css|js)$ {
limit_req zone=static_limit burst=80 nodelay;
limit_conn conn_limit_per_ip 80;
expires 1y;
add_header Cache-Control "public, immutable";
add_header X-Content-Type-Options "nosniff";
try_files $uri =404;
access_log off;
}
location ~* \.(woff2?|ttf|eot|svg)$ {
limit_req zone=static_limit burst=60 nodelay;
limit_conn conn_limit_per_ip 60;
expires 1y;
add_header Cache-Control "public, immutable";
add_header Access-Control-Allow-Origin "*";
try_files $uri =404;
access_log off;
}
# ========== API ENDPOINTS ==========
location ~* ^/api/ {
limit_req zone=api_limit burst=15 delay=8;
limit_conn conn_limit_per_ip 15;
access_log /var/log/nginx/api_access.log main;
try_files $uri $uri/ /index.php?$query_string;
}
# ========== АУТЕНТИФИКАЦИЯ ==========
location ~* ^/(login|register|password-reset|auth|forgot-password|verify-email) {
limit_req zone=auth_limit burst=5 delay=3;
limit_conn conn_limit_per_ip 5;
access_log /var/log/nginx/auth_access.log main;
try_files $uri $uri/ /index.php?$query_string;
}
# ========== ОБРАБОТКА PHP ==========
location ~ \.php$ {
# Дефолтные лимиты для всех PHP запросов
limit_req zone=req_limit_per_ip burst=20 delay=10;
limit_conn conn_limit_per_ip 20;
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass app:9000;
fastcgi_index index.php;
# Оптимизация из основного конфига
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
fastcgi_busy_buffers_size 240k;
fastcgi_temp_file_write_size 256k;
# Таймауты
fastcgi_connect_timeout 10s;
fastcgi_send_timeout 30s;
fastcgi_read_timeout 30s;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
# ========== ОСНОВНОЙ LOCATION ==========
location / {
# Блокировка сканирования
if ($request_uri ~* "(%0|%A|%0A|%0D|%0a|%0d)") {
return 444;
}
if ($query_string ~* "(union|select|insert|update|delete|drop|create|alter|exec)") {
return 444;
}
if ($request_uri ~ "//") {
return 444;
}
try_files $uri $uri/ /index.php?$query_string;
gzip_static on;
gzip_vary on;
}
# ========== HEALTH CHECK ==========
location = /health {
access_log off;
# Прямой прокси в Laravel
try_files $uri /index.php?$query_string;
add_header Cache-Control "no-store, no-cache, must-revalidate";
}
# ========== ЗАЩИТА ФАЙЛОВОЙ СИСТЕМЫ ==========
location ~ /\. {
deny all;
access_log off;
log_not_found off;
return 404;
}
location ~* (\.env|\.git|\.svn|\.htaccess|composer\.json|composer\.lock) {
deny all;
return 404;
}
location ~* (eval|base64_encode|system\(|shell_exec|passthru|exec|phpinfo) {
deny all;
return 444;
}
}

0
docker/blocked_ips.map Normal file
View File

100
docker/nginx.conf
View File

@@ -1,20 +1,82 @@
server {
listen 80;
index index.php index.html;
error_log /var/log/nginx/error.log;
access_log /var/log/nginx/access.log;
root /var/www/public;
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass app:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
location / {
try_files $uri $uri/ /index.php?$query_string;
gzip_static on;
}
user nginx;
worker_processes auto;
worker_rlimit_nofile 65535;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 4096;
use epoll;
multi_accept on;
accept_mutex_delay 100ms;
}
http {
limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=6r/s;
limit_req_zone $binary_remote_addr zone=auth_limit:10m rate=3r/s;
limit_req_zone $binary_remote_addr zone=bot_limit:10m rate=1r/s;
limit_req_zone $binary_remote_addr zone=static_limit:10m rate=100r/s;
limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=10r/s;
map $http_user_agent $limit_bots {
default "";
~*(googlebot|bingbot|yandex|baiduspider) $binary_remote_addr;
}
limit_req_zone $limit_bots zone=bots:10m rate=20r/m;
limit_req_zone $request_method zone=post_limit:10m rate=5r/s;
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m max_size=1g inactive=40m use_temp_path=off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
keepalive_requests 100;
types_hash_max_size 2048;
server_tokens off;
client_max_body_size 10m;
client_body_buffer_size 128k;
client_body_timeout 12;
client_header_timeout 12;
send_timeout 10;
reset_timedout_connection on;
client_header_buffer_size 1k;
large_client_header_buffers 4 8k;
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss
application/atom+xml image/svg+xml;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" '
'rt=$request_time uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"';
log_format ddos_log '$remote_addr - [$time_local] "$request" $status '
'rate=$limit_req_status conn=$limit_conn_status '
'user_agent="$http_user_agent"';
access_log /var/log/nginx/access.log main;
error_log /var/log/nginx/error.log warn;
limit_req_status 429;
limit_conn_status 429;
include /etc/nginx/conf.d/*.conf;
}