build on every push

.gitea/workflows/build_and_publish.yaml

@@ -7,10 +7,8 @@ env:
 
 on:
   push:
-    tags:
-      - '*'
   schedule:
-    - cron: "0 12 3 * *"
+    - cron: "0 12 * * 3"
   workflow_dispatch:
   workflow_call:
   workflow_run:
@@ -48,16 +46,9 @@ jobs:
         run: |
           docker build \
             --tag ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-${{ matrix.arch }} \
-            --platform linux/${{ matrix.arch }} -f Dockerfile .
+            --platform linux/${{ matrix.arch }} --no-cache -f Dockerfile .
           docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-${{ matrix.arch }}
 
-      - name: Build and publish php74
-        run: |
-          docker build \
-            --tag ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74-${{ matrix.arch }} \
-            --platform linux/${{ matrix.arch }} -f Dockerfile-php74 .
-          docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74-${{ matrix.arch }}
-
 
   manifest:
     name: update docker manifest
@@ -82,10 +73,3 @@ jobs:
             --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-arm64
           docker manifest push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest
 
-      - name: latest
-        run: |
-          docker manifest create \
-            ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74 \
-            --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74-amd64 \
-            --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74-arm64
-          docker manifest push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74

.gitea/workflows/build_and_publish_php74.yaml

@@ -0,0 +1,67 @@
+---
+name: Container Publish - php7.4 version
+
+env:
+  REGISTRY: docker.asperti.com
+  REPOSITORY: paspo/webserver-nginx
+
+on:
+  workflow_dispatch:
+
+jobs:
+  on-success-skip:
+    runs-on:
+      labels: ubuntu-latest
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    steps:
+      - run: exit_with_success
+
+  build-image:
+    runs-on:
+      labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
+    container:
+      image: catthehacker/ubuntu:act-latest
+    strategy:
+      matrix:
+        arch: [amd64, arm64]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: Build and publish php74
+        run: |
+          docker build \
+            --tag ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74-${{ matrix.arch }} \
+            --platform linux/${{ matrix.arch }} --no-cache -f Dockerfile-php74 .
+          docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74-${{ matrix.arch }}
+
+
+  manifest:
+    name: update docker manifest
+    needs: build-image
+    runs-on: ubuntu-latest
+    container:
+      image: catthehacker/ubuntu:act-latest
+
+    steps:
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: latest
+        run: |
+          docker manifest create \
+            ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74 \
+            --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74-amd64 \
+            --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74-arm64
+          docker manifest push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74

.gitea/workflows/vulnscan.yaml

@@ -62,4 +62,4 @@ jobs:
           token: ${{ secrets.TELEGRAM_TOKEN }}
           format: markdown
           message: |
-            Found **${{ steps.vulncount.outputs.VULNCOUNT }}** vulnerabilities in `${{ github.repository }}`
+            Found **${{ steps.vulncount.outputs.VULNCOUNT }}** vulnerabilities in `${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ matrix.tag }}`

README.md

@@ -12,18 +12,14 @@ services:
     image: docker.asperti.com/paspo/webserver-nginx
     ports:
       - 8888:80 # web server
-      - 8889:8081 # stats page
       - 8890:8080 # webdav access
       - 2222:22 # sftp access
     volumes:
       - ./data:/data
-      - ./ssh:/ssh # add authorized_keys file here
       - ./extra_nginx.conf:/etc/nginx/custom.d/extra.conf # optional
-      - ./htpasswd:/app/htpasswd # optional, for webdav auth
     environment:
       LOG_DAYS: 14              # default 7
       WEBDAV_PORT: 8080         # default: 8080
-      STATS_PORT: 8081 # default: 8081
       PHP: php84                # none (default), php82, php83, php84
       POSTSIZE: 256M            # default: 256M
       PUID: 1000                # default: 1000
@@ -35,6 +31,22 @@ services:
       FPM_START_SERVERS: 1      # default: 1
       FPM_MIN_SPARE_SERVERS: 1  # default: 1
       FPM_MAX_SPARE_SERVERS: 3  # default: 3
+      DISABLE_WEBROOT_CHOWN: 1  # default: 0
+      DISABLE_SFTP: 1           # default: 0
+      DISABLE_STATS: 1          # default: 0
+      DISABLE_STATS_HOURLY: 1   # default: 0
+      DISABLE_WEBDAV: 1         # default: 0
 ```
 
 The `/data/www` and `/data/logs` directories and their contents will be chowned to `$PUID:$PGID` and chmodded to `0755` for directories and `0644` for files at container start.
+
+## data direcvtory layout
+
+| directory | content                                       |
+|-----------|-----------------------------------------------|
+| auth      | htpasswd files for stats and webdav           |
+| logs      | nginx access logs (logrotated) and error logs |
+| ssh       | host keys and authorized keys                 |
+| stats     | html statistical report                       |
+| stats.db  | internal statistical db                       |
+| www       | webroot                                       |

docker-compose-sample.yaml

@@ -1,11 +0,0 @@
-services:
-  web:
-    image: docker.asperti.com/paspo/webserver-nginx
-    ports:
-      - 8888:80
-      - 2222:22
-    volumes:
-      - ./www:/data/www
-      - ./ssh:/ssh # add authorized_keys file here
-    environment:
-      PHP: php84 # none (default), php82, php83, php84

rootfs-php74/app/entrypoint.sh

@@ -79,7 +79,9 @@ if [ -f /ssh/authorized_keys ] ; then
   chown "${USERNAME}:${GROUPNAME}" /ssh/authorized_keys
 fi
 
-chmod 0700 "${WEBROOT}/.ssh"
+if [ -d "${PATH_WEBROOT}/.ssh" ] ; then
+  chmod 0700 "${PATH_WEBROOT}/.ssh"
+fi
 /usr/sbin/sshd -e
 
 cat > /etc/nginx/conf.d/user.conf <<EOF

rootfs-php74/etc/nginx/nginx.conf

@@ -9,7 +9,7 @@ worker_processes auto;
 pcre_jit on;
 
 # Configures default error logger.
-error_log /data/logs/nginx-error.log warn;
+error_log /var/log/nginx/error.log warn;
 
 # Includes files with directives to load dynamic modules.
 include /etc/nginx/modules/*.conf;
@@ -89,6 +89,10 @@ http {
                 '' close;
         }
 
+	# use real IPs instead of docker ones
+	set_real_ip_from 172.18.0.0/16;
+	real_ip_header X-Forwarded-For;
+	real_ip_recursive on;
 
         # Specifies the main log format.
         log_format main '$remote_addr - $remote_user [$time_local] "$request" '
@@ -96,7 +100,7 @@ http {
                         '"$http_user_agent" "$http_x_forwarded_for"';
 
         # Sets the path, format, and configuration for a buffered log write.
-        access_log /data/logs/nginx-access.log main;
+        access_log /var/log/nginx/access.log main;
 
 
         # Includes virtual hosts configs.

rootfs/app/entrypoint.sh

@@ -9,7 +9,6 @@ PATH_AUTH=${PATH_BASE}/auth
 PATH_SSH_HOST=${PATH_BASE}/ssh
 
 WEBDAV_PORT=${WEBDAV_PORT:-8080}
-STATS_PORT=${STATS_PORT:-8081}
 LOG_DAYS=${LOG_DAYS:-7}
 
 PHP=${PHP:-none}
@@ -24,6 +23,12 @@ FPM_START_SERVERS=${FPM_START_SERVERS:-1}
 FPM_MIN_SPARE_SERVERS=${FPM_MIN_SPARE_SERVERS:-1}
 FPM_MAX_SPARE_SERVERS=${FPM_MAX_SPARE_SERVERS:-3}
 
+DISABLE_WEBROOT_CHOWN=${DISABLE_WEBROOT_CHOWN:-0}
+DISABLE_SFTP=${DISABLE_SFTP:-0}
+DISABLE_STATS=${DISABLE_STATS:-0}
+DISABLE_STATS_HOURLY=${DISABLE_STATS_HOURLY:-0}
+DISABLE_WEBDAV=${DISABLE_WEBDAV:-0}
+
 export USERNAME
 export GROUPNAME
 export PATH_BASE
@@ -34,7 +39,6 @@ export PATH_LOGS
 export PATH_AUTH
 export PATH_SSH_HOST
 export WEBDAV_PORT
-export STATS_PORT
 export POSTSIZE
 export LOG_DAYS
 export PHP
@@ -46,6 +50,12 @@ export FPM_START_SERVERS
 export FPM_MIN_SPARE_SERVERS
 export FPM_MAX_SPARE_SERVERS
 
+export DISABLE_WEBROOT_CHOWN
+export DISABLE_SFTP
+export DISABLE_STATS
+export DISABLE_STATS_HOURLY
+export DISABLE_WEBDAV
+
 # run all scripts in order
 run-parts /app/entrypoint.sh.d
 
@@ -72,8 +82,10 @@ echo "# Starting cron"
 crond -b
 
 # start ssh
+if [ "${DISABLE_SFTP}" -ne 1 ] ; then
   echo "# Starting ssh"
   /usr/sbin/sshd -e
+fi
 
 # start nginx
 echo "# Starting nginx"

rootfs/app/entrypoint.sh.d/90_chown_webroot.sh

@@ -1,7 +1,12 @@
 #!/bin/sh
 
-echo "# chowning ${PATH_WEBROOT} to ${PUID}:${GROUPNAME}..."
+echo "# Started background chowning of ${PATH_WEBROOT} to ${USERNAME}:${GROUPNAME} (${PUID}:${PGID})..."
 
-chown "${PUID}:${GROUPNAME}" "${PATH_WEBROOT}" -R
-find "${PATH_WEBROOT}" -type d -exec chmod 0755 {} \;
-find "${PATH_WEBROOT}" -type f -exec chmod 0644 {} \;
+if [ ${DISABLE_WEBROOT_CHOWN} -eq 1 ] ; then
+  echo chowning skipped because of DISABLE_WEBROOT_CHOWN
+  exit 0
+fi
+
+chown "${USERNAME}:${GROUPNAME}" "${PATH_WEBROOT}" -R
+find "${PATH_WEBROOT}" -type d -exec chmod 0755 {} \; &
+find "${PATH_WEBROOT}" -type f -exec chmod 0644 {} \; &

rootfs/app/entrypoint.sh.d/90_logs.sh

@@ -15,10 +15,11 @@ ${PATH_LOGS}/nginx-access.log {
     compress
     delaycompress
     sharedscripts
+    nodateext
     su ${USERNAME} ${GROUPNAME}
     postrotate
         /usr/sbin/nginx -s reopen
-        nice -n 19 /usr/bin/goaccess ${PATH_LOGS}/nginx-access.log.1 --agent-list --anonymize-ip --real-os --output ${PATH_STATS}/index.html --log-format COMBINED --tz="${TZ}" --db-path=${PATH_STATSDB} --persist --restore 
+        nice -n 19 /app/stats.sh
     endscript
 }
 EOF

rootfs/app/entrypoint.sh.d/90_ssh.sh

@@ -1,5 +1,9 @@
 #!/bin/sh
 
+if [ ${DISABLE_SFTP} -eq 1 ] ; then
+  exit 0
+fi
+
 echo "# Configuring ssh"
 
 # make sure directory exists
@@ -23,8 +27,7 @@ if [ -d "${PATH_WEBROOT}/.ssh" ] ; then
   chmod 0700 "${PATH_WEBROOT}/.ssh"
 fi
 
-
-
+# configure sshd
 cat >/etc/ssh/sshd_config.d/sshd.conf <<EOF
 HostKey ${PATH_SSH_HOST}/ssh_host_rsa_key
 HostKey ${PATH_SSH_HOST}/ssh_host_ecdsa_key

rootfs/app/entrypoint.sh.d/90_stats.sh

@@ -1,5 +1,9 @@
 #!/bin/sh
 
+if [ ${DISABLE_STATS} -eq 1 ] ; then
+  exit 0
+fi
+
 echo "# Configuring stats"
 
 # make sure paths exists
@@ -8,26 +12,11 @@ touch "${PATH_AUTH}/stats"
 chown -R "${USERNAME}:${GROUPNAME}" "${PATH_AUTH}" "${PATH_STATS}" "${PATH_STATSDB}"
 
 # stats endpoint
-cat > /etc/nginx/http.d/stats.conf <<EOF
-server {
-    listen ${STATS_PORT} default_server;
-    listen [::]:${STATS_PORT} default_server;
+cat > /etc/nginx/local.d/stats.conf <<EOF
+location ^~ /stats {
     root ${PATH_STATS};
-
-    location = / {
-        index index.html;
-        try_files /index.html =404;
-    }
-
-    location /index.html {
-        try_files /index.html =404;
-    }
-
-    location / {
-        return 404;
-    }
-
     auth_basic "Restricted area";
     auth_basic_user_file ${PATH_AUTH}/stats;
+    try_files /index.html =404;
 }
 EOF

rootfs/app/entrypoint.sh.d/90_stats_hourly.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+if [ ${DISABLE_STATS} -eq 1 ] ; then
+  exit 0
+fi
+
+if [ ${DISABLE_STATS_HOURLY} -eq 1 ] ; then
+  exit 0
+fi
+
+echo "# Configuring hourly stats"
+
+# stats endpoint
+ln -s /app/stats_hourly.sh /etc/periodic/hourly/stats

rootfs/app/entrypoint.sh.d/90_webdav.sh

@@ -1,5 +1,9 @@
 #!/bin/sh
 
+if [ ${DISABLE_WEBDAV} -eq 1 ] ; then
+  exit 0
+fi
+
 echo "# Configuring webdav"
 
 cat > /etc/nginx/http.d/webdav.conf <<EOF

rootfs/app/stats.sh

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+if [ "${DISABLE_STATS:-0}" -eq 1 ] ; then
+  exit 0
+fi
+
+PATH_BASE=/data
+PATH_STATS=${PATH_BASE}/stats
+PATH_STATSDB=${PATH_BASE}/stats.db
+PATH_LOGS=${PATH_BASE}/logs
+
+/usr/bin/goaccess "${PATH_LOGS}/nginx-access.log.1" \
+    --agent-list --anonymize-ip --real-os --exclude-ip 127.0.0.1 \
+    --output "${PATH_STATS}/index.html" --log-format COMBINED \
+    --tz="${TZ}" "--db-path=${PATH_STATSDB}" --persist --restore 

rootfs/app/stats_hourly.sh

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+if [ "${DISABLE_STATS:-0}" -eq 1 ] ; then
+  exit 0
+fi
+
+PATH_BASE=/data
+PATH_STATS=${PATH_BASE}/stats
+PATH_STATSDB=${PATH_BASE}/stats.db
+PATH_LOGS=${PATH_BASE}/logs
+
+/usr/bin/goaccess "${PATH_LOGS}/nginx-access.log" \
+    --agent-list --anonymize-ip --real-os --exclude-ip 127.0.0.1 \
+    --output "${PATH_STATS}/index.html" --log-format COMBINED \
+    --tz="${TZ}" "--db-path=${PATH_STATSDB}" --persist --restore 

rootfs/etc/nginx/nginx.conf

@@ -85,6 +85,10 @@ http {
 		'' close;
 	}
 
+	# use real IPs instead of docker ones
+	set_real_ip_from 172.18.0.0/16;
+	real_ip_header X-Forwarded-For;
+	real_ip_recursive on;
 
 	# Specifies the main log format.
 	log_format main '$remote_addr - $remote_user [$time_local] "$request" '