From 6de65f09c110acbf3ace9b047428f94ee4164eeb Mon Sep 17 00:00:00 2001
From: Matt Kilgore
Date: Tue, 23 Jul 2024 20:27:10 -0400
Subject: [PATCH] fix: #1 solves the security configuration warning
---
 .env.example | 11 +++++++---
 .github/workflows/publish-docker.yml | 16 +++++++-------
 README.md | 2 ++
 docker-compose-build.yml | 7 -------
 docker-compose.yml | 7 -------
 php/conf.d/Caddyfile | 30 +++++++++++++++++++---------
 6 files changed, 39 insertions(+), 34 deletions(-)
diff --git a/.env.example b/.env.example
index 62828a4..6a7f058 100644
--- a/.env.example
+++ b/.env.example
@@ -1,6 +1,8 @@
 GLPI_LANG="en_US"
 VERSION="10.0.16"
-GLPI_MARKETPLACE_DIR=/var/www/html/marketplace
+
+# You should in general leave these configs as they are
+GLPI_MARKETPLACE_DIR=/app/public/marketplace
 GLPI_VAR_DIR=/var/lib/glpi
 GLPI_DOC_DIR=/var/lib/glpi
 GLPI_CRON_DIR=/var/lib/glpi/_cron
@@ -16,10 +18,13 @@ GLPI_TMP_DIR=/var/lib/glpi/_tmp
 GLPI_UPLOAD_DIR=/var/lib/glpi/_uploads
 GLPI_CACHE_DIR=/var/lib/glpi/_cache
 GLPI_CONFIG_DIR=/etc/glpi/config
+
+# You should leave this as is unless you're using an external MariaDB instance
 MARIADB_HOST="mariadb"
 MARIADB_PORT="3306"
 MARIADB_DATABASE="glpi"
+# Do not change the MARIADB username unless you intend to connect to an extenal MySQL/MariaDB Instance
+# Changing this will result in a broken timezone configuration
 MARIADB_USER="glpi"
 MARIADB_PASSWORD="glpi"
-MARIADB_ROOT_PASSWORD="my-secret-pw"
-# MARIADB_RANDOM_ROOT_PASSWORD="1"
\ No newline at end of file
+MARIADB_ROOT_PASSWORD="my-secret-pw"
\ No newline at end of file
diff --git a/.github/workflows/publish-docker.yml b/.github/workflows/publish-docker.yml
index 529d25f..b32c172 100644
--- a/.github/workflows/publish-docker.yml
+++ b/.github/workflows/publish-docker.yml
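Review bot: The example still ships working default credentials (`MARIADB_PASSWORD="glpi"`, `MARIADB_ROOT_PASSWORD="my-secret-pw"`) while the second hunk deletes the commented `MARIADB_RANDOM_ROOT_PASSWORD="1"` alternative, so a `.env` copied as-is carries no hint that either value must change. The README added in this same commit tells users to copy `.env.example` to `.env` and "setup the passwords and secrets"; the file itself should say so next to the values, e.g. `# Placeholders only: set both MARIADB passwords to unique values before first start`. The added comment also has a typo, `extenal` should read `external`. The `\ No newline at end of file` marker persists on both sides of the second hunk; ending the file with a newline would keep later diffs cleaner.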
@@ -75,11 +75,11 @@ jobs:
 build-args: |
 VERSION=${{ steps.glpi-version.outputs.release }}
 
- - name: Attest
- uses: actions/attest-build-provenance@v1
- id: attest
- if: ${{ github.event_name != 'pull_request' }}
- with:
- subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
- subject-digest: ${{ steps.build-and-push.outputs.digest }}
- push-to-registry: true
\ No newline at end of file
+# - name: Attest
+# uses: actions/attest-build-provenance@v1
+# id: attest
+# if: ${{ github.event_name != 'pull_request' }}
+# with:
+# subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+# subject-digest: ${{ steps.build-and-push.outputs.digest }}
+# push-to-registry: true
\ No newline at end of file
diff --git a/README.md b/README.md
index 3aca0f1..b923a1b 100644
--- a/README.md
+++ b/README.md
@@ -5,6 +5,8 @@ Manifest files for build and deploy the **GLPI** as Containers with Docker and F This version can handle a significant number of users, with extremely low page loading times and overall operates extremely well. +Additionally, this version comes build and prepared to run straight out the box with cron jobs and redis caching, just copy the .env.example file to .env, setup the passwords and secrets, and launch with `docker compose up -d`. + Original Inspiration: https://github.com/eftechcombr/glpi ## Credentials
diff --git a/docker-compose-build.yml b/docker-compose-build.yml
index adf1690..5f05468 100644
--- a/docker-compose-build.yml
+++ b/docker-compose-build.yml
@@ -24,7 +24,6 @@ services:
 - glpi-marketplace:/app/public/marketplace:rw
 - glpi-files:/var/lib/glpi:rw
 - glpi-etc:/etc/glpi:rw
- - glpi-config:/app/public/config:rw
 depends_on:
 - mariadb
 command:
@@ -37,7 +36,6 @@ services:
 - glpi-marketplace:/app/public/marketplace:rw
 - glpi-files:/var/lib/glpi:rw
 - glpi-etc:/etc/glpi:rw
- - glpi-config:/app/public/config:rw
 env_file: ./.env
 depends_on:
 - glpi-db-install
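Review bot: Commenting out the `Attest` step drops build-provenance attestation for every image this workflow publishes, and the hunk gives no reason, so a reader cannot tell whether that is intended or a workaround for a failing run. If the step was disabled because the job lacked permissions, the usual fix is to grant the job `permissions: id-token: write` and `attestations: write` (the `permissions` block sits outside this hunk) rather than to remove the attestation. If it must stay disabled, add a line above the commented block such as `# Attestation disabled: <reason>; re-enable once <condition>` so the supply-chain gap is tracked rather than silent. The `build-args` step these lines belong to begins outside the hunk.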
@@ -51,7 +49,6 @@ services:
 - glpi-marketplace:/app/public/marketplace:rw
 - glpi-files:/var/lib/glpi:rw
 - glpi-etc:/etc/glpi:rw
- - glpi-config:/app/public/config:rw
 env_file: ./.env
 depends_on:
 - glpi-verify-dir
@@ -70,7 +67,6 @@ services:
 - glpi-marketplace:/app/public/marketplace:rw
 - glpi-files:/var/lib/glpi:rw
 - glpi-etc:/etc/glpi:rw
- - glpi-config:/app/public/config:rw
 env_file: ./.env
 depends_on:
 - glpi-verify-dir
@@ -86,7 +82,6 @@ services:
 - glpi-marketplace:/app/public/marketplace:rw
 - glpi-files:/var/lib/glpi:rw
 - glpi-etc:/etc/glpi:rw
- - glpi-config:/app/public/config:rw
 env_file: ./.env
 depends_on:
 - mariadb
@@ -103,7 +98,6 @@ services:
 - glpi-marketplace:/app/public/marketplace:rw
 - glpi-files:/var/lib/glpi:rw
 - glpi-etc:/etc/glpi:rw
- - glpi-config:/app/public/config:rw
 env_file: ./.env
 depends_on:
 - php
@@ -114,6 +108,5 @@ volumes:
 glpi-marketplace:
 glpi-files:
 glpi-etc:
- glpi-config:
 glpi-install:
 mariadb-glpi-volume:
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
index e95db40..0b63abe 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -24,7 +24,6 @@ services:
 - glpi-marketplace:/app/public/marketplace:rw
 - glpi-files:/var/lib/glpi:rw
 - glpi-etc:/etc/glpi:rw
- - glpi-config:/app/public/config:rw
 depends_on:
 - mariadb
 command:
@@ -37,7 +36,6 @@ services:
 - glpi-marketplace:/app/public/marketplace:rw
 - glpi-files:/var/lib/glpi:rw
 - glpi-etc:/etc/glpi:rw
- - glpi-config:/app/public/config:rw
 env_file: ./.env
 depends_on:
 - glpi-db-install
@@ -51,7 +49,6 @@ services:
 - glpi-marketplace:/app/public/marketplace:rw
 - glpi-files:/var/lib/glpi:rw
 - glpi-etc:/etc/glpi:rw
- - glpi-config:/app/public/config:rw
 env_file: ./.env
 depends_on:
 - glpi-verify-dir
@@ -70,7 +67,6 @@ services:
 - glpi-marketplace:/app/public/marketplace:rw
 - glpi-files:/var/lib/glpi:rw
 - glpi-etc:/etc/glpi:rw
- - glpi-config:/app/public/config:rw
 env_file: ./.env
 depends_on:
 - glpi-verify-dir
@@ -85,7 +81,6 @@ services:
 - glpi-marketplace:/app/public/marketplace:rw
 - glpi-files:/var/lib/glpi:rw
 - glpi-etc:/etc/glpi:rw
- - glpi-config:/app/public/config:rw
 env_file: ./.env
 depends_on:
 - mariadb
@@ -102,7 +97,6 @@ services:
 - glpi-marketplace:/app/public/marketplace:rw
 - glpi-files:/var/lib/glpi:rw
 - glpi-etc:/etc/glpi:rw
- - glpi-config:/app/public/config:rw
 env_file: ./.env
 depends_on:
 - php
@@ -113,6 +107,5 @@ volumes:
 glpi-marketplace:
 glpi-files:
 glpi-etc:
- glpi-config:
 glpi-install:
 mariadb-glpi-volume:
\ No newline at end of file
diff --git a/php/conf.d/Caddyfile b/php/conf.d/Caddyfile
index a469947..034027e 100644
--- a/php/conf.d/Caddyfile
+++ b/php/conf.d/Caddyfile
@@ -4,24 +4,36 @@ } http://*:9000 { - root * /app/public + root * /app/public/public @insecure { header X-Forwarded-Proto http } - # Enable compression (optional) + # Enable compression encode zstd br gzip # Execute PHP files in the current directory and serve assets route { - rewrite /api/* /apirest.php/{path} + @blocked path src/* config/* files/* vendor/* - handle { - respond @blocked "Access Denied" 403 { - close + respond @blocked "Access Denied" 403 { + close } - - php_server + # Add trailing slash for directory requests + @canonicalPath { + file {path}/index.php + not path */ + } + redir @canonicalPath {path}/ 308 + # If the requested file does not exist, try index files + @indexFiles file { + try_files {path} {path}/index.php index.php + split_path .php + } + rewrite @indexFiles {http.matchers.file.relative} + # FrankenPHP! + @phpFiles path *.php + php @phpFiles + file_server } }
\ No newline at end of file
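Review bot: The `@insecure` named matcher (`header X-Forwarded-Proto http`) is declared inside the `http://*:9000` site block but nothing in that block references it, so it is dead configuration; either remove it or add the directive it was meant to drive. With `root` moved to `/app/public/public`, the `@blocked` paths `src/* config/* files/* vendor/*` now resolve relative to that directory, where the other hunks of this commit suggest those trees do not live (`.env.example` and the compose files place `marketplace` and `config` directly under `/app/public`), so the 403 rule has become defense-in-depth rather than the control that keeps source and config off the web; a comment such as `# defense-in-depth: these dirs sit outside the document root after the root change` would stop a later reader from relying on it. The `rewrite /api/* /apirest.php/{path}` line is removed with no replacement; if REST clients still call `/api/`, confirm that the front controller reached through the new `try_files` fallback handles that prefix. The first three lines of the file, ahead of the site block, are outside the hunk.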