Adds docker-compose configuration

.docker/mysql/aa_init.sql

@@ -0,0 +1,2 @@
+CREATE DATABASE IF NOT EXISTS pathfinder CHARACTER SET utf8 COLLATE utf8_general_ci;
+CREATE DATABASE IF NOT EXISTS eve_universe CHARACTER SET utf8 COLLATE utf8_general_ci;

.docker/nginx/Dockerfile

@@ -0,0 +1,15 @@
+FROM nginx:1.17.2-alpine
+
+COPY --chown=nginx:nginx . /usr/share/nginx/html/
+COPY ./.docker/nginx/nginx.conf /etc/nginx/nginx.conf
+COPY ./.docker/nginx/pathfinder-http.conf /etc/nginx/conf.d/default.conf
+COPY ./.docker/nginx/h5bp/ /etc/nginx/h5bp/
+COPY ./.docker/nginx/mime.types /etc/nginx/mime.types
+
+RUN apk add --no-cache apache2-utils
+
+COPY ./.docker/nginx/entrypoint.sh /root/entrypoint.sh
+RUN chmod +x /root/entrypoint.sh
+RUN chmod 0766 /usr/share/nginx/html/logs
+
+ENTRYPOINT ["sh", "-c", "/root/entrypoint.sh"]

.docker/nginx/entrypoint.sh

@@ -0,0 +1,4 @@
+#!/bin/ash
+
+htpasswd -B -b -c /etc/nginx/.setup_pass "$SETUP_USER" "$SETUP_PASS" && \
+nginx

.docker/nginx/h5bp/basic.conf

@@ -0,0 +1,9 @@
+# Nginx Server Configs | MIT License
+# https://github.com/h5bp/server-configs-nginx
+
+include h5bp/security/referrer-policy.conf;
+include h5bp/security/x-content-type-options.conf;
+include h5bp/security/x-frame-options.conf;
+include h5bp/security/x-xss-protection.conf;
+include h5bp/location/security_file_access.conf;
+include h5bp/cross-origin/requests.conf;

.docker/nginx/h5bp/cross-origin/requests.conf

@@ -0,0 +1,18 @@
+# ----------------------------------------------------------------------
+# | Cross-origin requests                                              |
+# ----------------------------------------------------------------------
+
+# Allow cross-origin requests.
+#
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
+# https://enable-cors.org/
+# https://www.w3.org/TR/cors/
+
+# (!) Do not use this without understanding the consequences.
+#     This will permit access from any other website.
+#     Instead of using this file, consider using a specific rule such as
+#     allowing access based on (sub)domain:
+#
+#         add_header Access-Control-Allow-Origin "subdomain.example.com";
+
+add_header Access-Control-Allow-Origin $cors;

.docker/nginx/h5bp/cross-origin/resource_timing.conf

@@ -0,0 +1,15 @@
+# ----------------------------------------------------------------------
+# | Cross-origin resource timing                                       |
+# ----------------------------------------------------------------------
+
+# Allow cross-origin access to the timing information for all resources.
+#
+# If a resource isn't served with a `Timing-Allow-Origin` header that would
+# allow its timing information to be shared with the document, some of the
+# attributes of the `PerformanceResourceTiming` object will be set to zero.
+#
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Timing-Allow-Origin
+# https://www.w3.org/TR/resource-timing/
+# https://www.stevesouders.com/blog/2014/08/21/resource-timing-practical-tips/
+
+add_header Timing-Allow-Origin "*";

.docker/nginx/h5bp/errors/custom_errors.conf

@@ -0,0 +1,9 @@
+# ----------------------------------------------------------------------
+# | Custom error messages/pages                                        |
+# ----------------------------------------------------------------------
+
+# Customize what Nginx returns to the client in case of an error.
+#
+# https://nginx.org/en/docs/http/ngx_http_core_module.html#error_page
+
+error_page 404 /404.html;

.docker/nginx/h5bp/internet_explorer/x-ua-compatible.conf

@@ -0,0 +1,19 @@
+# ----------------------------------------------------------------------
+# | Document modes                                                     |
+# ----------------------------------------------------------------------
+
+# Force Internet Explorer 8/9/10 to render pages in the highest mode
+# available in the various cases when it may not.
+#
+# https://hsivonen.fi/doctype/#ie8
+#
+# (!) Starting with Internet Explorer 11, document modes are deprecated.
+#     If your business still relies on older web apps and services that were
+#     designed for older versions of Internet Explorer, you might want to
+#     consider enabling `Enterprise Mode` throughout your company.
+#
+# https://msdn.microsoft.com/en-us/library/ie/bg182625.aspx#docmode
+# https://blogs.msdn.microsoft.com/ie/2014/04/02/stay-up-to-date-with-enterprise-mode-for-internet-explorer-11/
+# https://msdn.microsoft.com/en-us/library/ff955275.aspx
+
+add_header X-UA-Compatible $x_ua_compatible;

.docker/nginx/h5bp/location/security_file_access.conf

@@ -0,0 +1,41 @@
+# ----------------------------------------------------------------------
+# | File access                                                        |
+# ----------------------------------------------------------------------
+
+# Block access to all hidden files and directories with the exception of the
+# visible content from within the `/.well-known/` hidden directory.
+#
+# These types of files usually contain user preferences or the preserved state
+# of a utility, and can include rather private places like, for example, the
+# `.git` or `.svn` directories.
+#
+# The `/.well-known/` directory represents the standard (RFC 5785) path prefix
+# for "well-known locations" (e.g.: `/.well-known/manifest.json`,
+# `/.well-known/keybase.txt`), and therefore, access to its visible content
+# should not be blocked.
+#
+# https://www.mnot.net/blog/2010/04/07/well-known
+# https://tools.ietf.org/html/rfc5785
+
+location ~* /\.(?!well-known\/) {
+  deny all;
+}
+
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+# Block access to files that can expose sensitive information.
+#
+# By default, block access to backup and source files that may be left by some
+# text editors and can pose a security risk when anyone has access to them.
+#
+# https://feross.org/cmsploit/
+#
+# (!) Update the `location` regular expression from below to include any files
+#     that might end up on your production server and can expose sensitive
+#     information about your website. These files may include: configuration
+#     files, files that contain metadata about the project (e.g.: project
+#     dependencies, build scripts, etc.).
+
+location ~* (?:#.*#|\.(?:bak|conf|dist|fla|in[ci]|log|orig|psd|sh|sql|sw[op])|~)$ {
+  deny all;
+}

.docker/nginx/h5bp/location/web_performance_filename-based_cache_busting.conf

@@ -0,0 +1,14 @@
+# ----------------------------------------------------------------------
+# | Filename-based cache busting                                       |
+# ----------------------------------------------------------------------
+
+# If you're not using a build process to manage your filename version revving,
+# you might want to consider enabling the following directives.
+#
+# To understand why this is important and even a better solution than using
+# something like `*.css?v231`, please see:
+# https://www.stevesouders.com/blog/2008/08/23/revving-filenames-dont-use-querystring/
+
+location ~* (.+)\.(?:\w+)\.(bmp|css|cur|gif|ico|jpe?g|m?js|png|svgz?|webp|webmanifest)$ {
+  try_files $uri $1.$2;
+}

.docker/nginx/h5bp/location/web_performance_svgz-compression.conf

@@ -0,0 +1,14 @@
+# ----------------------------------------------------------------------
+# | SVGZ Compression                                                   |
+# ----------------------------------------------------------------------
+
+# SVGZ files are already compressed.
+# Disable gzip function for `.svgz` files.
+
+location ~* \.svgz$ {
+    gzip off;
+    add_header Content-Encoding gzip;
+
+    include h5bp/security/x-content-type-options.conf;
+    include h5bp/cross-origin/requests.conf;
+}

.docker/nginx/h5bp/media_types/character_encodings.conf

@@ -0,0 +1,32 @@
+# ----------------------------------------------------------------------
+# | Character encodings                                                |
+# ----------------------------------------------------------------------
+
+# Serve all resources labeled as `text/html` or `text/plain` with the media type
+# `charset` parameter set to `UTF-8`.
+#
+# https://nginx.org/en/docs/http/ngx_http_charset_module.html#charset
+
+charset utf-8;
+
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+# Update charset_types to match updated mime.types.
+# `text/html` is always included by charset module.
+# Default: text/html text/xml text/plain text/vnd.wap.wml application/javascript application/rss+xml
+#
+# https://nginx.org/en/docs/http/ngx_http_charset_module.html#charset_types
+
+charset_types
+    text/css
+    text/plain
+    text/vnd.wap.wml
+    text/javascript
+    text/markdown
+    text/calendar
+    text/x-component
+    text/vcard
+    text/cache-manifest
+    text/vtt
+    application/json
+    application/manifest+json;

.docker/nginx/h5bp/media_types/media_types.conf

@@ -0,0 +1,18 @@
+# ----------------------------------------------------------------------
+# | Media types                                                        |
+# ----------------------------------------------------------------------
+
+# Serve resources with the proper media types (f.k.a. MIME types).
+#
+# https://www.iana.org/assignments/media-types/media-types.xhtml
+# https://nginx.org/en/docs/http/ngx_http_core_module.html#types
+
+include mime.types;
+
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+# Default: text/plain
+#
+# https://nginx.org/en/docs/http/ngx_http_core_module.html#default_type
+
+default_type application/octet-stream;

.docker/nginx/h5bp/security/content-security-policy.conf

@@ -0,0 +1,27 @@
+# ----------------------------------------------------------------------
+# | Content Security Policy (CSP)                                      |
+# ----------------------------------------------------------------------
+
+# Mitigate the risk of cross-site scripting and other content-injection
+# attacks.
+#
+# This can be done by setting a `Content Security Policy` which whitelists
+# trusted sources of content for your website.
+#
+# There is no policy that fits all websites, you will have to modify the
+# `Content-Security-Policy` directives in the example depending on your needs.
+#
+# To make your CSP implementation easier, you can use an online CSP header
+# generator such as:
+# https://report-uri.com/home/generate/
+#
+# It is encouraged that you validate your CSP header using a CSP validator
+# such as:
+# https://csp-evaluator.withgoogle.com
+#
+# https://csp.withgoogle.com/docs/
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+# https://www.html5rocks.com/en/tutorials/security/content-security-policy/
+# https://www.w3.org/TR/CSP/
+
+add_header Content-Security-Policy $content_security_policy always;

.docker/nginx/h5bp/security/referrer-policy.conf

@@ -0,0 +1,18 @@
+# ----------------------------------------------------------------------
+# | Referrer Policy                                                    |
+# ----------------------------------------------------------------------
+
+# A web application uses HTTPS and a URL-based session identifier.
+# The web application might wish to link to HTTPS resources on other web
+# sites without leaking the user's session identifier in the URL.
+#
+# This can be done by setting a `Referrer Policy` which whitelists trusted
+# sources of content for your website.
+#
+# To check your referrer policy, you can use an online service such as:
+# https://securityheaders.io/.
+#
+# https://scotthelme.co.uk/a-new-security-header-referrer-policy/
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
+
+add_header Referrer-Policy $referrer_policy always;

.docker/nginx/h5bp/security/server_software_information.conf

@@ -0,0 +1,9 @@
+# ----------------------------------------------------------------------
+# | Server software information                                        |
+# ----------------------------------------------------------------------
+
+# Prevent Nginx from sending its version number in the "Server" response header.
+#
+# https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens
+
+server_tokens off;

.docker/nginx/h5bp/security/strict-transport-security.conf

@@ -0,0 +1,43 @@
+# ----------------------------------------------------------------------
+# | HTTP Strict Transport Security (HSTS)                              |
+# ----------------------------------------------------------------------
+
+# Force client-side SSL redirection.
+#
+# If a user types `example.com` in their browser, even if the server redirects
+# them to the secure version of the website, that still leaves a window of
+# opportunity (the initial HTTP connection) for an attacker to downgrade or
+# redirect the request.
+#
+# The following header ensures that browser will ONLY connect to your server
+# via HTTPS, regardless of what the users type in the browser's address bar.
+#
+# (!) Be aware that this, once published, is not revokable and you must ensure
+#     being able to serve the site via SSL for the duration you've specified
+#     in max-age. When you don't have a valid SSL connection (anymore) your
+#     visitors will see a nasty error message even when attempting to connect
+#     via simple HTTP.
+#
+# (!) Remove the `includeSubDomains` optional directive if the website's
+#     subdomains are not using HTTPS.
+#
+# (1) If you want to submit your site for HSTS preload (2) you must
+#     * ensure the `includeSubDomains` directive to be present
+#     * the `preload` directive to be specified
+#     * the `max-age` to be at least 31536000 seconds (1 year) according to the
+#       current status.
+#
+#     It is also advised (3) to only serve the HSTS header via a secure
+#     connection.
+#
+# (2) https://hstspreload.org/
+# (3) https://tools.ietf.org/html/rfc6797#section-7.2
+#
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+# https://tools.ietf.org/html/rfc6797#section-6.1
+# https://www.html5rocks.com/en/tutorials/security/transport-layer-security/
+# https://blogs.msdn.microsoft.com/ieinternals/2014/08/18/strict-transport-security/
+
+add_header Strict-Transport-Security "max-age=16070400; includeSubDomains" always;
+# (1) or if HSTS preloading is desired (respect (2) for current requirements):
+# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

.docker/nginx/h5bp/security/x-content-type-options.conf

@@ -0,0 +1,16 @@
+# ----------------------------------------------------------------------
+# | Content Type Options                                               |
+# ----------------------------------------------------------------------
+
+# Prevent some browsers from MIME-sniffing the response.
+#
+# This reduces exposure to drive-by download attacks and cross-origin data
+# leaks, and should be left uncommented, especially if the server is serving
+# user-uploaded content or content that could potentially be treated as
+# executable by the browser.
+#
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+# https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-v-comprehensive-protection/
+# https://mimesniff.spec.whatwg.org/
+
+add_header X-Content-Type-Options nosniff always;

.docker/nginx/h5bp/security/x-frame-options.conf

@@ -0,0 +1,35 @@
+# ----------------------------------------------------------------------
+# | Frame Options                                                      |
+# ----------------------------------------------------------------------
+
+# Protect website against clickjacking.
+#
+# The example below sends the `X-Frame-Options` response header with the value
+# `DENY`, informing browsers not to display the content of the web page in any
+# frame.
+#
+# This might not be the best setting for everyone. You should read about the
+# other two possible values the `X-Frame-Options` header field can have:
+# `SAMEORIGIN` and `ALLOW-FROM`.
+# https://tools.ietf.org/html/rfc7034#section-2.1.
+#
+# Keep in mind that while you could send the `X-Frame-Options` header for all
+# of your website’s pages, this has the potential downside that it forbids even
+# non-malicious framing of your content (e.g.: when users visit your website
+# using a Google Image Search results page).
+#
+# Nonetheless, you should ensure that you send the `X-Frame-Options` header for
+# all pages that allow a user to make a state-changing operation (e.g: pages
+# that contain one-click purchase links, checkout or bank-transfer confirmation
+# pages, pages that make permanent configuration changes, etc.).
+#
+# Sending the `X-Frame-Options` header can also protect your website against
+# more than just clickjacking attacks.
+# https://cure53.de/xfo-clickjacking.pdf.
+#
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+# https://tools.ietf.org/html/rfc7034
+# https://blogs.msdn.microsoft.com/ieinternals/2010/03/30/combating-clickjacking-with-x-frame-options/
+# https://www.owasp.org/index.php/Clickjacking
+
+add_header X-Frame-Options $x_frame_options always;