examples

Author: Tob1as

examples/README.md

@@ -7,4 +7,5 @@ All examples for [WSC (WoltLab Suite Core)](https://www.woltlab.com/en/woltlab-s
 * fpm-nginx-doi: like fpm-nginx-dhi, but Docker Offical Images (DOI, from Community) and also without entrypoint script.
 * fpm-nginx: like fpm-nginx-doi, but Docker Offical Images with entrypoint script from this repo. (Notice: mysql replaced by mariadb) 
 * fpm-nginx-aio: like fpm-nginx, but php-fpm and nginx in single container/image with entrypoint script from this repo.
-* apache: apache2 and php in single container/image, mariadb, traefik, prometheus-exporters with entrypoint script from this repo.
+* apache: apache2 and php in single container/image, mariadb, traefik, prometheus-exporters with entrypoint script from this repo.
+* apache-doi: like apache, but without entryoint script.

examples/apache-doi/.env.example

@@ -0,0 +1,11 @@
+# General
+DOMAIN=example.com
+TIMEZONE=Europe/Berlin
+# Database (MySQL/MariaDB)
+MYSQL_ROOT_PASSWORD=my-secret-pw
+MYSQL_DATABASE=woltlab_suite
+MYSQL_USER=woltlab_suite
+MYSQL_PASSWORD=my-secret-pw
+# Exporter
+MYSQL_EXPORTER_USER=exporter
+MYSQL_EXPORTER_PASSWORD=my-secret-pw

examples/apache-doi/README.md

@@ -0,0 +1,4 @@
+# PHP - Examples: [PHP & Apache2] & MariaDB (using DOI)
+
+> PHP & Apache2 
+> ... without entrypoint Script from this repo! Or you must mount it.

examples/apache-doi/config/mysql_exporter-user.sh

@@ -0,0 +1,21 @@
+#!/bin/sh
+set -e
+
+# SOURCE: https://github.com/Tob1as/docker-kubernetes-collection/blob/master/examples_docker-compose/config_mariadb/20_exporter-user.sh
+
+: "${EXPORTER_USER:="exporter"}"
+: "${EXPORTER_PASSWORD:="Exp0rt3r!"}"
+: "${EXPORTER_MAXUSERCONNECTIONS:="3"}"
+host='%' # set '%' to allow from all host
+
+mariadb -h localhost -u root --password="${MARIADB_ROOT_PASSWORD}" -sNe \
+"SELECT user FROM mysql.user WHERE user = '${EXPORTER_USER}' GROUP BY user;" \
+| grep -q ${EXPORTER_USER}} \
+|| mariadb -h localhost -u root --password="${MARIADB_ROOT_PASSWORD}" -sN <<EOSQL
+    CREATE USER '${EXPORTER_USER}'@'${host}' IDENTIFIED BY '${EXPORTER_PASSWORD}' WITH MAX_USER_CONNECTIONS ${EXPORTER_MAXUSERCONNECTIONS};
+    GRANT PROCESS, REPLICATION CLIENT, SELECT, SLAVE MONITOR ON *.* TO '${EXPORTER_USER}'@'${host}';
+    GRANT SELECT ON performance_schema.* TO '${EXPORTER_USER}'@'${host}';
+    FLUSH PRIVILEGES;
+EOSQL
+
+mariadb -h localhost -u root --password=${MARIADB_ROOT_PASSWORD} -e "SELECT user, host, max_user_connections FROM mysql.user;"

examples/apache-doi/config/mysql_wsc.cnf

@@ -0,0 +1,2 @@
+[server]
+innodb_buffer_pool_size = 512M

examples/apache-doi/config/php_wsc.ini

@@ -0,0 +1,19 @@
+[PHP]
+date.timezone=Europe/Berlin
+display_errors = Off
+memory_limit = 256M
+post_max_size = 250M
+upload_max_filesize = 250M
+max_file_uploads = 20
+max_execution_time = 120
+
+; https://www.php.net/manual/en/opcache.configuration.php
+[opcache]
+opcache.enable=1
+opcache.memory_consumption=192
+opcache.interned_strings_buffer=16
+opcache.max_accelerated_files=10000
+opcache.max_wasted_percentage=10
+opcache.validate_timestamps=1
+opcache.revalidate_freq=2
+opcache.save_comments=1

examples/apache-doi/config/traefik/dynamic/disable-traefik-default-cert.yml

@@ -0,0 +1,21 @@
+# https://github.com/traefik/traefik/issues/9945#issuecomment-1590229681
+# https://doc.traefik.io/traefik/reference/routing-configuration/http/tls/tls-certificates/#strict-sni-checking
+# https://www.ssllabs.com/ssltest/
+tls:
+  options:
+    default:
+      sniStrict: true            # <-----  Strict SNI Checking
+    #  minVersion: VersionTLS12
+    #  cipherSuites:
+    #    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 # TLS 1.2
+    #    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305  # TLS 1.2
+    #    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   # TLS 1.2
+    #    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305    # TLS 1.2
+    #    - TLS_AES_256_GCM_SHA384                  # TLS 1.3
+    #    - TLS_CHACHA20_POLY1305_SHA256            # TLS 1.3
+    #    - TLS_FALLBACK_SCSV                       # TLS FALLBACK
+    #  curvePreferences:
+    #    - secp521r1
+    #    - secp384r1
+    #modern:
+    #  minVersion: VersionTLS13

examples/apache-doi/config/traefik/dynamic/redirect-to-https.yml

@@ -0,0 +1,7 @@
+http:
+  middlewares:
+    redirect-to-https:
+      redirectScheme:
+        scheme: https
+        permanent: true
+        #port: 443

examples/apache-doi/config/traefik/dynamic/ssl.yml

@@ -0,0 +1,14 @@
+tls:
+  #stores:
+  #  default:
+  #    defaultCertificate:
+  #      certFile: /config/certs/ssl.crt
+  #      keyFile: /config/certs/ssl.key
+  certificates:
+    # first certificate
+    - certFile: /config/certs/ssl.crt
+      keyFile: /config/certs/ssl.key
+    # second certificate
+    #- certFile: /config/certs/other.crt
+    #  keyFile: /config/certs/other.key
+    # and more ...

examples/apache-doi/docker-compose.yml

@@ -0,0 +1,241 @@
+services:
+
+  # https://github.com/Tob1as/docker-php
+  # based on: https://hub.docker.com/_/php (https://github.com/docker-library/php)
+  # command: mkdir ./html && chown 33:33 ./html
+  wsc-php:
+    image: docker.io/tobi312/php:8.4-doi-apache-debian-wsc
+    container_name: wsc-php
+    restart: unless-stopped
+    #ports:
+    #  - 80:80/tcp
+    volumes:
+      - ./html:/var/www/html:rw
+      - ./config/php_wsc.ini:/usr/local/etc/php/conf.d/60-wsc.ini:ro   # use for php settings when not mount entrypoint.sh
+      #- ./config/entrypoint.sh:/usr/local/bin/entrypoint.sh:ro        # source: https://github.com/Tob1as/docker-php/raw/refs/heads/master/entrypoint.sh
+    #entrypoint: [ "entrypoint.sh" ]
+    #command: [ "apache2-foreground" ]  
+    environment:
+      TZ: "${TIMEZONE:-Europe/Berlin}"
+      ## next ENVs only works when mount entrypoint.sh !
+      #PHP_ERRORS: 0
+      #PHP_MEM_LIMIT: 256
+      #PHP_POST_MAX_SIZE: 250
+      #PHP_UPLOAD_MAX_FILESIZE: 250
+      #PHP_MAX_FILE_UPLOADS: 20
+      #PHP_MAX_EXECUTION_TIME: 120
+      #PHP_SET_OPCACHE_SETTINGS: 1
+      #ENABLE_APACHE_REWRITE: 1
+      #ENABLE_APACHE_ALLOWOVERRIDE: 1
+      #ENABLE_APACHE_REMOTEIP: 1
+      #ENABLE_APACHE_STATUS: 1
+      #APACHE_SERVER_NAME: "${DOMAIN}"
+      #APACHE_SERVER_ADMIN: "webmaster@${DOMAIN}"
+    #depends_on:
+    #  wsc-mariadb:
+    #    condition: service_started # service_started or service_healthy
+    networks:
+      - wsc-net
+      - traefik-net
+    healthcheck:
+      test: ["CMD-SHELL", "nc -zv -w 3 127.0.0.1 80 || exit 1"]
+      #start_period: 10s
+      interval: 30s
+      timeout: 5s
+      retries: 3
+    labels:
+      # Explicitly tell Traefik to expose this container
+      - "traefik.enable=true"
+      - "traefik.docker.network=traefik-net"
+      # Tell Traefik to use the http port 80 to connect to container
+      - "traefik.http.services.wsc.loadbalancer.server.port=80"
+      - "traefik.http.services.wsc.loadbalancer.server.scheme=http"  # when "https" then set "--serversTransport.insecureSkipVerify=true" for traefik
+      # http
+      - "traefik.http.routers.wsc-http.rule=Host(`${DOMAIN}`) && PathPrefix(`/`)"
+      - "traefik.http.routers.wsc-http.entrypoints=web"
+      - "traefik.http.routers.wsc-http.service=wsc"
+      # https
+      - "traefik.http.routers.wsc-https.tls=true"
+      - "traefik.http.routers.wsc-https.rule=Host(`${DOMAIN}`) && PathPrefix(`/`)"
+      - "traefik.http.routers.wsc-https.entrypoints=websecure"
+      - "traefik.http.routers.wsc-https.service=wsc"
+      # load middlewares for routes
+      #- "traefik.http.routers.wsc-http.middlewares=wsc-https@docker"
+      - "traefik.http.routers.wsc-http.middlewares=redirect-to-https@file"
+      #- "traefik.http.routers.wsc-https.middlewares="
+      # http to https redirect      
+      #- "traefik.http.middlewares.wsc-https.redirectscheme.scheme=https"
+      #- "traefik.http.middlewares.wsc-https.redirectscheme.permanent=true"
+      #- "traefik.http.middlewares.wsc-https.redirectscheme.port=443"
+
+  # https://hub.docker.com/_/mariadb
+  # https://github.com/MariaDB/mariadb-docker
+  # command: mkdir ./data-db && chown 999:999 ./data-db
+  wsc-db:
+    image: docker.io/library/mariadb:11.4
+    container_name: wsc-db
+    restart: unless-stopped
+    volumes:
+      - ./data-db:/var/lib/mysql:rw
+      - ./config/mysql_wsc.cnf:/etc/mysql/conf.d/70-wsc.cnf:ro
+      - ./config/mysql_exporter-user.sh:/docker-entrypoint-initdb.d/20_exporter-user.sh:ro
+    environment:
+      TZ: "${TIMEZONE:-Europe/Berlin}"
+      MARIADB_ROOT_PASSWORD: "${MYSQL_ROOT_PASSWORD}"
+      MARIADB_DATABASE: "${MYSQL_DATABASE:-wcf}"
+      MARIADB_USER: "${MYSQL_USER}"
+      MARIADB_PASSWORD: "${MYSQL_PASSWORD}"
+      MARIADB_MYSQL_LOCALHOST_USER: "true"
+      #MARIADB_AUTO_UPGRADE: 1
+      # Exporter (mounted by script)
+      EXPORTER_USER: "${MYSQL_EXPORTER_USER}"
+      EXPORTER_PASSWORD: "${MYSQL_EXPORTER_PASSWORD}"
+      #EXPORTER_MAXUSERCONNECTIONS: "3"
+    #ports:
+    #  - 127.0.0.1:3306:3306/tcp
+    networks:
+      wsc-net:
+        aliases:
+        - wsc-database
+        - wsc-mysql
+        - wsc-mariadb
+    healthcheck:
+      test:  mariadb-admin ping -h localhost -u root --password=$$MARIADB_ROOT_PASSWORD || exit 1
+      #test:  mariadb-admin ping -h localhost -u $$MARIADB_USER --password=$$MARIADB_PASSWORD || exit 1
+      #start_period: 10s
+      interval: 30s
+      timeout: 5s
+      retries: 3
+      # check with: "docker inspect --format='{{json .State.Health}}' wsc-db | jq"
+  
+  # need exporter ?, then :
+  # 1. mount entrypoint.sh
+  # 2. copy wsc-db-exporter and wsc-apache-exporter
+  #    from https://raw.githubusercontent.com/Tob1as/docker-php/refs/heads/master/examples/apache/docker-compose.yml
+    
+  # https://hub.docker.com/_/traefik
+  # https://github.com/traefik/traefik/
+  # Docs: https://doc.traefik.io/traefik/
+  traefik:
+    image: docker.io/library/traefik:3
+    container_name: traefik
+    restart: unless-stopped
+    environment:
+      - TZ="${TIMEZONE:-Europe/Berlin}"
+    ports:
+      - "80:80/tcp"                # http
+      - "443:443/tcp"              # https (tcp)
+      - "443:443/udp"              # https (udp) / HTTP3
+      - "127.0.0.1:8082:8082/tcp"  # Traefik Metrics
+      #- "127.0.0.1:8080:8080/tcp" # Traefik Dashboard (if insecure enabled)
+    command:
+      # Entrypoints and Ports
+      - "--entrypoints.web.address=:80"
+      - "--entrypoints.websecure.address=:443"
+      - "--entryPoints.websecure.http3"
+      #- "--entryPoints.websecure.http3.advertisedport=443"
+      - "--entryPoints.traefik.address=:8080"
+      - "--entryPoints.metrics.address=:8082"
+      # Monitoring (Prometheus and Ping)
+      - "--entryPoints.metrics.address=:8082"
+      - "--metrics.prometheus=true"
+      - "--metrics.prometheus.entryPoint=metrics"
+      - "--metrics.prometheus.buckets=0.1,0.3,1.2,5.0"
+      - "--metrics.prometheus.addEntryPointsLabels=true"
+      - "--metrics.prometheus.addrouterslabels=true"
+      - "--metrics.prometheus.addServicesLabels=true"
+      - "--ping=true"
+      - "--ping.entryPoint=metrics"
+      # API and Dashboard
+      - "--api=true"
+      - "--api.dashboard=true"
+      - "--api.basePath=/traefik"
+      #- "--api.insecure=true"
+      # Log and AccessLog
+      - "--log.level=ERROR"         # TRACE, DEBUG, INFO, WARN, ERROR, FATAL, and PANIC
+      - "--log.format=common"       # common, json
+      - "--accesslog=true"
+      - "--accesslog.format=common" # common, genericCLF , json
+      - "--accesslog.addinternals"
+      - "--accesslog.fields.names.StartUTC=drop"  # TimeZone (set to "drop", for use from env)
+      # ServersTransport (internal/backend CA-Cert/SSL)
+      - "--serversTransport.insecureSkipVerify=true"
+      #- "--serversTransport.rootCAs=/config/certs/ca.crt"
+      # Dynamic Configs
+      - "--providers.file.directory=/config/dynamic"
+      - "--providers.file.watch=true"
+      # Optional: Plugins <https://plugins.traefik.io/plugins>
+      # https://plugins.traefik.io/plugins/62947307108ecc83915d7783/rewrite-body
+      #- "--experimental.plugins.rewrite.modulename=github.com/traefik/plugin-rewritebody"
+      #- "--experimental.plugins.rewrite.version=v0.3.1"
+      # https://plugins.traefik.io/plugins/62947354108ecc83915d778e/block-path
+      #- "--experimental.plugins.block.modulename=github.com/traefik/plugin-blockpath"
+      #- "--experimental.plugins.block.version=v0.2.1"
+      # https://plugins.traefik.io/plugins/62947302108ecc83915d7781/geoblock
+      #- "--experimental.plugins.geoblock.modulename=github.com/nscuro/traefik-plugin-geoblock"
+      #- "--experimental.plugins.geoblock.version=v0.14.0"
+      # Docker Provider (Traefik must run as root)
+      - "--providers.docker=true"
+      #- "--providers.docker.endpoint=unix:///var/run/docker.sock"
+      - "--providers.docker.exposedbydefault=false"
+      #- "--providers.docker.network=traefik"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro                # docker.sock for read labels
+      - ./config/traefik/dynamic/:/config/dynamic/:ro               # dynamic config files
+      - ./ssl-certs/:/config/certs/:ro                              # ssl certs files
+    networks:
+      - traefik-net
+    healthcheck:
+      test: ['CMD', 'traefik', 'healthcheck', '--ping', "--entryPoints.ping.address=:8082", "--ping.entryPoint=ping"]
+      #start_period: 10s
+      interval: 30s
+      timeout: 5s
+      retries: 3
+    # check with: "docker inspect --format='{{json .State.Health}}' traefik | jq"
+    labels:
+      # Explicitly tell Traefik to expose this container
+      - "traefik.enable=true"
+      - "traefik.docker.network=traefik-net"
+      # http
+      - "traefik.http.routers.traefik-http.rule=Host(`${DOMAIN}`) && PathPrefix(`/traefik`)"
+      - "traefik.http.routers.traefik-http.entrypoints=web"
+      - "traefik.http.routers.traefik-http.service=api@internal"
+      # https
+      - "traefik.http.routers.traefik-https.tls=true"
+      - "traefik.http.routers.traefik-https.rule=Host(`${DOMAIN}`) && PathPrefix(`/traefik`)"
+      - "traefik.http.routers.traefik-https.entrypoints=websecure"
+      - "traefik.http.routers.traefik-https.service=api@internal"
+      # load middlewares for routes
+      #- "traefik.http.routers.traefik-http.middlewares=traefik-https@docker,traefik-auth@docker"
+      - "traefik.http.routers.traefik-http.middlewares=redirect-to-https@file,traefik-auth@docker"
+      - "traefik.http.routers.traefik-https.middlewares=traefik-auth@docker"
+      # Middleware: http to https redirect      
+      #- "traefik.http.middlewares.traefik-https.redirectscheme.scheme=https"
+      #- "traefik.http.middlewares.traefik-https.redirectscheme.permanent=true"
+      #- "traefik.http.middlewares.traefik-https.redirectscheme.port=443"
+      # Middleware: auth
+      # basic auth with htpasswd (You may need to escape any $ with another $ in password. create password: "docker run --rm tobi312/tools:htpasswd -bn admin 'passw0rd' | sed 's/\$/\$\$/g'"  OR  only for Password: "openssl passwd -apr1 'passw0rd' | sed 's/\$/\$\$/g'")
+      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$$apr1$$6Yq5UCPq$$ZmXnIrJwqH0qfKRurLAiR1,traefik:$$apr1$$zIohxmBm$$TVYfYKcqYXOdONsU93L8w0"
+    # URL for Webbrowser: https://example.com/traefik
+
+networks:
+  wsc-net:
+    name: wsc-net
+  #monitoring-net:
+  #  name: monitoring-net
+  #  external: true
+  traefik-net:
+    name: traefik-net
+    # external, script? https://github.com/Tob1as/docker-kubernetes-collection/blob/master/examples_docker-compose/docker_network_create.sh
+    #external: true
+    # not external, but with IPv4 and IPv6:
+    #driver: bridge
+    #attachable: true
+    #enable_ipv6: true
+    #labels:
+    #  created.by: "docker-compose_WSC"
+    #ipam:
+    #  driver: default
+    #  config:
+    #    - subnet: 172.20.0.0/24        # IPv4 Subnet
+    #    - subnet: fd00:dead:beef::/48  # IPv6 Subnet