examples

Author: Tob1as

examples/apache/docker-compose.yml

@@ -49,11 +49,12 @@ services:
       - "traefik.http.routers.wsc-https.entrypoints=websecure"
       - "traefik.http.routers.wsc-https.service=wsc"
       # load middlewares for routes
-      - "traefik.http.routers.wsc-http.middlewares=wsc-https@docker"
+      #- "traefik.http.routers.wsc-http.middlewares=wsc-https@docker"
+      - "traefik.http.routers.wsc-http.middlewares=redirect-to-https@file"
       #- "traefik.http.routers.wsc-https.middlewares="
       # http to https redirect      
-      - "traefik.http.middlewares.wsc-https.redirectscheme.scheme=https"
-      - "traefik.http.middlewares.wsc-https.redirectscheme.permanent=true"
+      #- "traefik.http.middlewares.wsc-https.redirectscheme.scheme=https"
+      #- "traefik.http.middlewares.wsc-https.redirectscheme.permanent=true"
       #- "traefik.http.middlewares.wsc-https.redirectscheme.port=443"
 
   # https://hub.docker.com/_/mariadb
@@ -81,20 +82,20 @@ services:
       #EXPORTER_MAXUSERCONNECTIONS: "3"
     #ports:
     #  - 127.0.0.1:3306:3306/tcp
-    healthcheck:
-      test:  mariadb-admin ping -h 127.0.0.1 -u root --password=$$MARIADB_ROOT_PASSWORD || exit 1
-      #test:  mariadb-admin ping -h 127.0.0.1 -u $$MARIADB_USER --password=$$MARIADB_PASSWORD || exit 1
-      #start_period: 10s
-      interval: 30s
-      timeout: 5s
-      retries: 3
     networks:
       wsc-net:
         aliases:
         - wsc-database
         - wsc-mysql
         - wsc-mariadb
-    # check with: "docker inspect --format='{{json .State.Health}}' wsc-db | jq"
+    healthcheck:
+      test:  mariadb-admin ping -h localhost -u root --password=$$MARIADB_ROOT_PASSWORD || exit 1
+      #test:  mariadb-admin ping -h localhost -u $$MARIADB_USER --password=$$MARIADB_PASSWORD || exit 1
+      #start_period: 10s
+      interval: 30s
+      timeout: 5s
+      retries: 3
+      # check with: "docker inspect --format='{{json .State.Health}}' wsc-db | jq"
 
 #  # https://github.com/prometheus/mysqld_exporter
 #  wsc-db-exporter:
@@ -232,11 +233,12 @@ services:
       - "traefik.http.routers.traefik-https.entrypoints=websecure"
       - "traefik.http.routers.traefik-https.service=api@internal"
       # load middlewares for routes
-      - "traefik.http.routers.traefik-http.middlewares=traefik-https@docker,traefik-auth@docker"
+      #- "traefik.http.routers.traefik-http.middlewares=traefik-https@docker,traefik-auth@docker"
+      - "traefik.http.routers.traefik-http.middlewares=redirect-to-https@file,traefik-auth@docker"
       - "traefik.http.routers.traefik-https.middlewares=traefik-auth@docker"
       # Middleware: http to https redirect      
-      - "traefik.http.middlewares.traefik-https.redirectscheme.scheme=https"
-      - "traefik.http.middlewares.traefik-https.redirectscheme.permanent=true"
+      #- "traefik.http.middlewares.traefik-https.redirectscheme.scheme=https"
+      #- "traefik.http.middlewares.traefik-https.redirectscheme.permanent=true"
       #- "traefik.http.middlewares.traefik-https.redirectscheme.port=443"
       # Middleware: auth
       # basic auth with htpasswd (You may need to escape any $ with another $ in password. create password: "docker run --rm tobi312/tools:htpasswd -bn admin 'passw0rd' | sed 's/\$/\$\$/g'"  OR  only for Password: "openssl passwd -apr1 'passw0rd' | sed 's/\$/\$\$/g'")

examples/fpm-nginx/config/mysql_exporter-user.sh

@@ -0,0 +1,21 @@
+#!/bin/sh
+set -e
+
+# SOURCE: https://github.com/Tob1as/docker-kubernetes-collection/blob/master/examples_docker-compose/config_mariadb/20_exporter-user.sh
+
+: "${EXPORTER_USER:="exporter"}"
+: "${EXPORTER_PASSWORD:="Exp0rt3r!"}"
+: "${EXPORTER_MAXUSERCONNECTIONS:="3"}"
+host='%' # set '%' to allow from all host
+
+mariadb -h localhost -u root --password="${MARIADB_ROOT_PASSWORD}" -sNe \
+"SELECT user FROM mysql.user WHERE user = '${EXPORTER_USER}' GROUP BY user;" \
+| grep -q ${EXPORTER_USER}} \
+|| mariadb -h localhost -u root --password="${MARIADB_ROOT_PASSWORD}" -sN <<EOSQL
+    CREATE USER '${EXPORTER_USER}'@'${host}' IDENTIFIED BY '${EXPORTER_PASSWORD}' WITH MAX_USER_CONNECTIONS ${EXPORTER_MAXUSERCONNECTIONS};
+    GRANT PROCESS, REPLICATION CLIENT, SELECT, SLAVE MONITOR ON *.* TO '${EXPORTER_USER}'@'${host}';
+    GRANT SELECT ON performance_schema.* TO '${EXPORTER_USER}'@'${host}';
+    FLUSH PRIVILEGES;
+EOSQL
+
+mariadb -h localhost -u root --password=${MARIADB_ROOT_PASSWORD} -e "SELECT user, host, max_user_connections FROM mysql.user;"

examples/fpm-nginx/config/mysql_wsc.cnf

@@ -0,0 +1,2 @@
+[server]
+innodb_buffer_pool_size = 512M

examples/fpm-nginx/config/nginx_default.conf

@@ -0,0 +1,96 @@
+# enable ONLY behind PROXY (Traefik, other NGINX, Caddy, lighttpd, K8s Ingress, ...) (ngx_http_realip_module)
+set_real_ip_from 172.16.0.0/12;
+set_real_ip_from fd00::/8;
+real_ip_header X-Forwarded-For;
+#real_ip_recursive on;
+
+# Server (http)
+server {
+    listen 8080;
+    listen [::]:8080;
+    server_name _;
+    
+    # disable any limits to avoid HTTP 413 for large image uploads
+    client_max_body_size 0;
+    
+    # Error Page
+    location  @error_page {
+        add_header Content-Type text/plain;
+        return 200 'Maintenance mode!';
+    }
+    
+    root /var/www/html;
+    index index.php index.html test.php;
+    
+    location / {
+        #root /var/www/html;
+        #index index.php index.html;
+        
+        try_files $uri $uri/ /index.php?$query_string;
+    }
+    
+    location ~ \.php$ {
+        #root /var/www/html;
+        
+        try_files $uri =404;
+        
+        fastcgi_pass wsc-php:9000;
+        fastcgi_index index.php;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        include fastcgi_params;
+        
+        # Error Page (redirect)
+        error_page 502 503 504 = @error_page;
+    }
+    
+    # nginx status
+    location /nginx_status {
+        stub_status on;
+        access_log off;
+        allow 127.0.0.1;
+        allow 10.0.0.0/8;
+        allow 172.16.0.0/12;
+        allow 192.168.0.0/16;
+        allow ::1;
+        allow fd00::/8;
+        deny all;
+    }
+
+    # nginx ping
+    location /nginx_ping {
+        add_header Content-Type text/plain;
+        return 200 'pong';
+        access_log off;
+        allow 127.0.0.1;
+        allow 10.0.0.0/8;
+        allow 172.16.0.0/12;
+        allow 192.168.0.0/16;
+        allow ::1;
+        allow fd00::/8;
+        deny all;
+    }
+    
+    # php-fpm status/ping
+    location ~ ^/(php_fpm_status|php_fpm_ping)$ {
+        fastcgi_pass wsc-php:9001;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        include fastcgi_params;
+        access_log off;
+        allow 127.0.0.1;
+        allow 10.0.0.0/8;
+        allow 172.16.0.0/12;
+        allow 192.168.0.0/16;
+        allow ::1;
+        allow fd00::/8;
+        deny all;
+        
+        # Error Page (redirect)
+        error_page 502 503 504 = @error_page;
+    }
+    
+    location ~ /\.ht {
+        deny all;
+    }
+    #location = /favicon.ico { log_not_found off; access_log off; }
+    #location = /robots.txt { log_not_found off; access_log off; }
+}

examples/fpm-nginx/config/traefik/dynamic/disable-traefik-default-cert.yml

@@ -0,0 +1,21 @@
+# https://github.com/traefik/traefik/issues/9945#issuecomment-1590229681
+# https://doc.traefik.io/traefik/reference/routing-configuration/http/tls/tls-certificates/#strict-sni-checking
+# https://www.ssllabs.com/ssltest/
+tls:
+  options:
+    default:
+      sniStrict: true            # <-----  Strict SNI Checking
+    #  minVersion: VersionTLS12
+    #  cipherSuites:
+    #    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 # TLS 1.2
+    #    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305  # TLS 1.2
+    #    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   # TLS 1.2
+    #    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305    # TLS 1.2
+    #    - TLS_AES_256_GCM_SHA384                  # TLS 1.3
+    #    - TLS_CHACHA20_POLY1305_SHA256            # TLS 1.3
+    #    - TLS_FALLBACK_SCSV                       # TLS FALLBACK
+    #  curvePreferences:
+    #    - secp521r1
+    #    - secp384r1
+    #modern:
+    #  minVersion: VersionTLS13

examples/fpm-nginx/config/traefik/dynamic/redirect-to-https.yml

@@ -0,0 +1,7 @@
+http:
+  middlewares:
+    redirect-to-https:
+      redirectScheme:
+        scheme: https
+        permanent: true
+        #port: 443

examples/fpm-nginx/config/traefik/dynamic/ssl.yml

@@ -0,0 +1,14 @@
+tls:
+  #stores:
+  #  default:
+  #    defaultCertificate:
+  #      certFile: /config/certs/ssl.crt
+  #      keyFile: /config/certs/ssl.key
+  certificates:
+    # first certificate
+    - certFile: /config/certs/ssl.crt
+      keyFile: /config/certs/ssl.key
+    # second certificate
+    #- certFile: /config/certs/other.crt
+    #  keyFile: /config/certs/other.key
+    # and more ...