diff --git a/.docker/nginx.conf b/.docker/nginx.conf index 43dbd195..d0a557b1 100644 --- a/.docker/nginx.conf +++ b/.docker/nginx.conf @@ -1,6 +1,6 @@ worker_processes auto; -error_log /var/log/nginx/error.log notice; +error_log /dev/stderr notice; pid /tmp/nginx.pid; events { @@ -26,11 +26,9 @@ http { '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; - access_log /var/log/nginx/access.log main; + access_log /dev/stdout main; sendfile on; - #tcp_nopush on; - keepalive_timeout 65; gzip on; diff --git a/.docker/templates/default.conf.template b/.docker/templates/default.conf.template new file mode 100644 index 00000000..2da35cc2 --- /dev/null +++ b/.docker/templates/default.conf.template 
@@ -0,0 +1,94 @@ +server { + listen ${NGINX_PORT}; + server_name localhost; + + root ${NGINX_WEB_ROOT}; + + client_max_body_size ${NGINX_MAX_BODY_SIZE}; + + location = /favicon.ico { + log_not_found off; + access_log off; + } + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + location ~* \.(txt|log)$ { + deny all; + } + + location ~ \..*/.*\.php$ { + return 403; + } + + location ~ ^/sites/.*/private/ { + return 403; + } + + # Block access to scripts in site files directory + location ~ ^/sites/[^/]+/files/.*\.php$ { + deny all; + } + + # Block access to "hidden" files and directories whose names begin with a + # period. + location ~ (^|/)\. { + return 403; + } + + location / { + try_files $uri /index.php?$query_string; + } + + location @rewrite { + rewrite ^ /index.php; + } + + # Don't allow direct access to PHP files in the vendor directory. + location ~ /vendor/.*\.php$ { + deny all; + return 404; + } + + # Protect files and directories from prying eyes. + location ~* \.(engine|inc|install|make|module|profile|po|sh|.*sql|.tar|.gz|.bz2|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$ { + deny all; + return 404; + } + + location ~ '\.php$|^/update.php' { + include fastcgi_params; + + fastcgi_buffers 16 32k; + fastcgi_buffer_size 64k; + fastcgi_busy_buffers_size 64k; + + fastcgi_split_path_info ^(.+?\.php)(|/.*)$; + + # Ensure the php file exists. 
Mitigates CVE-2019-11043 + try_files $fastcgi_script_name =404; + + fastcgi_param HTTP_PROXY ""; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param QUERY_STRING $query_string; + + fastcgi_intercept_errors on; + fastcgi_pass ${NGINX_FPM_SERVICE}; + } + + # Enforce clean URLs + # + # Removes index.php from urls like www.example.com/index.php/my-page --> www.example.com/my-page + # Could be done with 301 for permanent or other redirect codes. + if ($request_uri ~* "^(.*/)index\.php/(.*)") { + return 307 $1$2; + } + + error_log /dev/stderr; + access_log /dev/stdout main; +} diff --git a/CHANGELOG.md b/CHANGELOG.md index cf9a70f2..998a9a27 100755 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,9 @@ Versioning](https://semver.org/spec/v2.0.0.html). ## [Unreleased] +* [PR-409](https://github.com/itk-dev/hoeringsportal/pull/409) + Enabled and configured log_stdout + ## [4.4.0] - 2024-05-14 * [PR-407](https://github.com/itk-dev/hoeringsportal/pull/407) diff --git a/composer.json b/composer.json index 250740f9..31135e2f 100755 --- a/composer.json +++ b/composer.json @@ -137,6 +137,7 @@ "drupal/image_widget_crop": "^2.2", "drupal/inline_entity_form": "^3.0", "drupal/jquery_ui_accordion": "^2.0", + "drupal/log_stdout": "^1.5", "drupal/maxlength": "^2.1", "drupal/openid_connect": "^3.0@alpha", "drupal/paragraphs": "^1.3", diff --git a/composer.lock b/composer.lock index ad8919ce..e85960be 100644 --- a/composer.lock +++ b/composer.lock @@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "4f8794843385438d16c45e2c581cc7b8", + "content-hash": "61aa53a5a6375a828a96b9beb65bcc4e", "packages": [ { "name": "asm89/stack-cors", 
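Review bot: `+ period.` stands on a line of its own without a leading `#` in the "hidden files" comment block just before `location ~ (^|/)\. {`; if the file really reads that way rather than this being an artifact of the rendering, nginx will refuse to start with an unknown-directive error, so the line should be `# period.`. Separately, the server-level `error_log /dev/stderr;` at the end of the block carries no level, so it falls back to the default `error` and overrides the `notice` level that nginx.conf sets at http level for this server; `error_log /dev/stderr notice;` keeps the two in step, and the server-level `access_log /dev/stdout main;` only repeats the http-level setting and can go. One hedged point on the PHP location: `try_files $fastcgi_script_name =404;` is known to clear `$fastcgi_path_info` in some nginx versions, so `fastcgi_param PATH_INFO $fastcgi_path_info;` may hand PHP an empty PATH_INFO for `/update.php/...` requests; the usual workaround is `set $path_info $fastcgi_path_info;` before the `try_files` and `fastcgi_param PATH_INFO $path_info;`, which is worth verifying against the nginx image in use.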
@@ -4031,6 +4031,64 @@
 "issues": "https://www.drupal.org/project/issues/jquery_ui_touch_punch"
 }
 },
+ {
+ "name": "drupal/log_stdout",
+ "version": "1.5.0",
+ "source": {
+ "type": "git",
+ "url": "https://git.drupalcode.org/project/log_stdout.git",
+ "reference": "8.x-1.5"
+ },
+ "dist": {
+ "type": "zip",
+ "url": "https://ftp.drupal.org/files/projects/log_stdout-8.x-1.5.zip",
+ "reference": "8.x-1.5",
+ "shasum": "2adb5d992618ee0a26bb8ca2cf80137654d9e0eb"
+ },
+ "require": {
+ "drupal/core": "^8.8 || ^9 || ^10"
+ },
+ "type": "drupal-module",
+ "extra": {
+ "drupal": {
+ "version": "8.x-1.5",
+ "datestamp": "1696840633",
+ "security-coverage": {
+ "status": "covered",
+ "message": "Covered by Drupal's security advisory policy"
+ }
+ }
+ },
+ "notification-url": "https://packages.drupal.org/8/downloads",
+ "license": [
+ "GPL-2.0+"
+ ],
+ "authors": [
+ {
+ "name": "Bladedu",
+ "homepage": "https://www.drupal.org/user/436000"
+ },
+ {
+ "name": "Bohun Tak",
+ "homepage": "https://www.drupal.org/user/1205098"
+ },
+ {
+ "name": "mrhanlon",
+ "homepage": "https://www.drupal.org/user/764624"
+ },
+ {
+ "name": "singularo",
+ "homepage": "https://www.drupal.org/user/143"
+ }
+ ],
+ "description": "This module provides an hook for Drupal Watchdog that directs log messages to php://stdout or php://stderr for better log handling with Docker.",
+ "homepage": "https://www.drupal.org/project/log_stdout",
+ "support": {
+ "source": "https://git.drupalcode.org/project/log_stdout",
+ "issues": "https://www.drupal.org/project/issues/log_stdout",
+ "irc": "irc://irc.freenode.org/drupal-support"
+ }
+ },
 {
 "name": "drupal/maxlength",
 "version": "2.1.2",
diff --git a/config/sync/core.extension.yml b/config/sync/core.extension.yml
index 068b9bc7..0c76d5fe 100644
--- a/config/sync/core.extension.yml
+++ b/config/sync/core.extension.yml
@@ -72,6 +72,7 @@ module:
 layout_discovery: 0
 link: 0
 locale: 0
+ log_stdout: 0
 maxlength: 0
 media: 0
 menu_ui: 0
diff --git a/config/sync/log_stdout.settings.yml b/config/sync/log_stdout.settings.yml
new file mode 100644
index 00000000..e686002d
--- /dev/null
+++ b/config/sync/log_stdout.settings.yml
@@ -0,0 +1,5 @@
+_core:
+ default_config_hash: CkmpJe8_0UrxS99diNYffcf6SJcbRtIxgQTeCOxeOhQ
+format: '[@severity] [@type] [@date] @message | uid: @uid | request-uri: @request_uri | refer: @referer | ip: @ip | link: @link'
+use_stderr: '1'
+langcode: da
diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml
index 7693fef4..4ac6fe33 100644
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@@ -1,6 +1,4 @@
-# itk-version: 3.1.0
-version: "3"
-
+# itk-version: 3.2.1
 services:
 phpfpm:
 environment:
diff --git a/docker-compose.redirect.yml b/docker-compose.redirect.yml
index ac81f43c..66f26e97 100644
--- a/docker-compose.redirect.yml
+++ b/docker-compose.redirect.yml
@@ -1,6 +1,4 @@
-# itk-version: 3.1.0
-version: "3"
-
+# itk-version: 3.2.1
 services:
 nginx:
 labels:
diff --git a/docker-compose.server.yml b/docker-compose.server.yml
index 1de16a25..d6f1b07d 100644
--- a/docker-compose.server.yml
+++ b/docker-compose.server.yml
@@ -1,6 +1,4 @@
-# itk-version: 3.1.1
-version: "3"
-
+# itk-version: 3.2.1
 networks:
 frontend:
 external: true
@@ -33,12 +31,15 @@ services:
 - frontend
 depends_on:
 - phpfpm
- ports:
- - '8080'
 volumes:
- - ./.docker/vhost.conf:/etc/nginx/conf.d/default.conf:ro
+ - ./.docker/templates:/etc/nginx/templates:ro
 - ./.docker/nginx.conf:/etc/nginx/nginx.conf:ro
- - ./:/app:rw
+ - .:/app
+ environment:
+ NGINX_FPM_SERVICE: ${COMPOSE_PROJECT_NAME}-phpfpm-1:9000
+ NGINX_WEB_ROOT: /app/web
+ NGINX_PORT: 8080
+ NGINX_MAX_BODY_SIZE: 5M
 labels:
 - "traefik.enable=true"
 - "traefik.docker.network=frontend"
diff --git a/docker-compose.yml b/docker-compose.yml
index eb6c2f86..dd90e9a6 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,6 +1,4 @@
-# itk-version: 3.1.1
-version: "3"
-
+# itk-version: 3.2.1
 networks:
 frontend:
 external: true
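Review bot: The `format` line records `@ip` on every watchdog entry, but with nginx sitting behind Traefik (the `traefik.*` labels in the compose files) the address Drupal sees is presumably the proxy's unless Drupal's reverse-proxy settings are configured, in which case the field is noise rather than a usable correlation key; that is worth confirming before anyone builds alerting on it. `@request_uri` and `@referer` are request-controlled strings that, as far as this format shows, go into the stdout stream as-is, so whatever ships or parses the container logs should treat each line as untrusted data rather than trusting its delimiters. `use_stderr: '1'` is exported as a quoted string; that is fine if the module's config schema declares the key as a string, and worth a check since a boolean would normally export as `true`.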
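Review bot: `NGINX_FPM_SERVICE: ${COMPOSE_PROJECT_NAME}-phpfpm-1:9000` in the `@@ -33,12 +31,15 @@` hunk pins the upstream to a generated container name, which breaks as soon as the phpfpm service is scaled, when `COMPOSE_PROJECT_NAME` is unset in the environment, or under a Compose version that joins names with `_1` instead of `-1`; the service name already resolves on the shared network, so `NGINX_FPM_SERVICE: phpfpm:9000` is the robust form. The same line appears in the docker-compose.yml hunk at `@@ -56,8 +54,13 @@`, which should change together with this one. This hunk also replaces `- ./:/app:rw` with `- .:/app`, leaving the checkout mounted read-write in the nginx container; nginx only reads static files under `/app/web` here, so `- .:/app:ro` would keep the web tier from being able to write into the repository, assuming nothing else in the nginx image relies on writing there.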
@@ -35,7 +33,7 @@ services:
 - PHP_XDEBUG_MODE=${PHP_XDEBUG_MODE:-off}
 - PHP_MAX_EXECUTION_TIME=30
 - PHP_MEMORY_LIMIT=256M
- # Depending on the setup you may have to remove --read-envelope-from from msmtp (cf. https://marlam.de/msmtp/msmtp.html) or use SMTP to send mail
+ # Depending on the setup, you may have to remove --read-envelope-from from msmtp (cf. https://marlam.de/msmtp/msmtp.html) or use SMTP to send mail
 - PHP_SENDMAIL_PATH=/usr/bin/msmtp --host=mail --port=1025 --read-recipients --read-envelope-from
 - DOCKER_HOST_DOMAIN=${COMPOSE_DOMAIN}
 - COMPOSER_VERSION=2
@@ -56,8 +54,13 @@ services:
 ports:
 - '8080'
 volumes:
- - ./.docker/vhost.conf:/etc/nginx/conf.d/default.conf:ro
+ - ./.docker/templates:/etc/nginx/templates:ro
 - .:/app
+ environment:
+ NGINX_FPM_SERVICE: ${COMPOSE_PROJECT_NAME}-phpfpm-1:9000
+ NGINX_WEB_ROOT: /app/web
+ NGINX_PORT: 8080
+ NGINX_MAX_BODY_SIZE: 5M
 labels:
 - "traefik.enable=true"
 - "traefik.docker.network=frontend"