build on every push

.gitea/workflows/build_and_publish.yaml

@@ -7,10 +7,8 @@ env:
 
 on:
   push:
-    branches:
-      - master
   schedule:
-    - cron: "0 12 3 * *"
+    - cron: "0 12 * * 3"
   workflow_dispatch:
   workflow_call:
   workflow_run:
@@ -48,7 +46,7 @@ jobs:
         run: |
           docker build \
             --tag ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-${{ matrix.arch }} \
-            --platform linux/${{ matrix.arch }} -f Dockerfile .
+            --platform linux/${{ matrix.arch }} --no-cache -f Dockerfile .
           docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-${{ matrix.arch }}
 
 

.gitea/workflows/build_and_publish_php74.yaml

@@ -39,7 +39,7 @@ jobs:
         run: |
           docker build \
             --tag ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74-${{ matrix.arch }} \
-            --platform linux/${{ matrix.arch }} -f Dockerfile-php74 .
+            --platform linux/${{ matrix.arch }} --no-cache -f Dockerfile-php74 .
           docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74-${{ matrix.arch }}
 
 

.gitea/workflows/vulnscan.yaml

@@ -62,4 +62,4 @@ jobs:
           token: ${{ secrets.TELEGRAM_TOKEN }}
           format: markdown
           message: |
-            Found **${{ steps.vulncount.outputs.VULNCOUNT }}** vulnerabilities in `${{ github.repository }}`
+            Found **${{ steps.vulncount.outputs.VULNCOUNT }}** vulnerabilities in `${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ matrix.tag }}`

README.md

@@ -12,7 +12,6 @@ services:
     image: docker.asperti.com/paspo/webserver-nginx
     ports:
       - 8888:80 # web server
-      - 8889:8081 # stats page
       - 8890:8080 # webdav access
       - 2222:22 # sftp access
     volumes:
@@ -21,7 +20,6 @@ services:
     environment:
       LOG_DAYS: 14              # default 7
       WEBDAV_PORT: 8080         # default: 8080
-      STATS_PORT: 8081          # default: 8081
       PHP: php84                # none (default), php82, php83, php84
       POSTSIZE: 256M            # default: 256M
       PUID: 1000                # default: 1000
@@ -36,6 +34,8 @@ services:
       DISABLE_WEBROOT_CHOWN: 1  # default: 0
       DISABLE_SFTP: 1           # default: 0
       DISABLE_STATS: 1          # default: 0
+      DISABLE_STATS_HOURLY: 1   # default: 0
+      DISABLE_WEBDAV: 1         # default: 0
 ```
 
 The `/data/www` and `/data/logs` directories and their contents will be chowned to `$PUID:$PGID` and chmodded to `0755` for directories and `0644` for files at container start.

rootfs-php74/app/entrypoint.sh

@@ -79,7 +79,9 @@ if [ -f /ssh/authorized_keys ] ; then
   chown "${USERNAME}:${GROUPNAME}" /ssh/authorized_keys
 fi
 
-chmod 0700 "${WEBROOT}/.ssh"
+if [ -d "${PATH_WEBROOT}/.ssh" ] ; then
+  chmod 0700 "${PATH_WEBROOT}/.ssh"
+fi
 /usr/sbin/sshd -e
 
 cat > /etc/nginx/conf.d/user.conf <<EOF

rootfs-php74/etc/nginx/nginx.conf

@@ -9,7 +9,7 @@ worker_processes auto;
 pcre_jit on;
 
 # Configures default error logger.
-error_log /data/logs/nginx-error.log warn;
+error_log /var/log/nginx/error.log warn;
 
 # Includes files with directives to load dynamic modules.
 include /etc/nginx/modules/*.conf;
@@ -89,6 +89,10 @@ http {
                 '' close;
         }
 
+	# use real IPs instead of docker ones
+	set_real_ip_from 172.18.0.0/16;
+	real_ip_header X-Forwarded-For;
+	real_ip_recursive on;
 
         # Specifies the main log format.
         log_format main '$remote_addr - $remote_user [$time_local] "$request" '
@@ -96,7 +100,7 @@ http {
                         '"$http_user_agent" "$http_x_forwarded_for"';
 
         # Sets the path, format, and configuration for a buffered log write.
-        access_log /data/logs/nginx-access.log main;
+        access_log /var/log/nginx/access.log main;
 
 
         # Includes virtual hosts configs.

rootfs/app/entrypoint.sh

@@ -9,7 +9,6 @@ PATH_AUTH=${PATH_BASE}/auth
 PATH_SSH_HOST=${PATH_BASE}/ssh
 
 WEBDAV_PORT=${WEBDAV_PORT:-8080}
-STATS_PORT=${STATS_PORT:-8081}
 LOG_DAYS=${LOG_DAYS:-7}
 
 PHP=${PHP:-none}
@@ -27,6 +26,8 @@ FPM_MAX_SPARE_SERVERS=${FPM_MAX_SPARE_SERVERS:-3}
 DISABLE_WEBROOT_CHOWN=${DISABLE_WEBROOT_CHOWN:-0}
 DISABLE_SFTP=${DISABLE_SFTP:-0}
 DISABLE_STATS=${DISABLE_STATS:-0}
+DISABLE_STATS_HOURLY=${DISABLE_STATS_HOURLY:-0}
+DISABLE_WEBDAV=${DISABLE_WEBDAV:-0}
 
 export USERNAME
 export GROUPNAME
@@ -38,7 +39,6 @@ export PATH_LOGS
 export PATH_AUTH
 export PATH_SSH_HOST
 export WEBDAV_PORT
-export STATS_PORT
 export POSTSIZE
 export LOG_DAYS
 export PHP
@@ -53,6 +53,8 @@ export FPM_MAX_SPARE_SERVERS
 export DISABLE_WEBROOT_CHOWN
 export DISABLE_SFTP
 export DISABLE_STATS
+export DISABLE_STATS_HOURLY
+export DISABLE_WEBDAV
 
 # run all scripts in order
 run-parts /app/entrypoint.sh.d
@@ -80,8 +82,10 @@ echo "# Starting cron"
 crond -b
 
 # start ssh
+if [ "${DISABLE_SFTP}" -ne 1 ] ; then
   echo "# Starting ssh"
   /usr/sbin/sshd -e
+fi
 
 # start nginx
 echo "# Starting nginx"

rootfs/app/entrypoint.sh.d/90_logs.sh

@@ -15,6 +15,7 @@ ${PATH_LOGS}/nginx-access.log {
     compress
     delaycompress
     sharedscripts
+    nodateext
     su ${USERNAME} ${GROUPNAME}
     postrotate
         /usr/sbin/nginx -s reopen

rootfs/app/entrypoint.sh.d/90_stats.sh

@@ -12,26 +12,11 @@ touch "${PATH_AUTH}/stats"
 chown -R "${USERNAME}:${GROUPNAME}" "${PATH_AUTH}" "${PATH_STATS}" "${PATH_STATSDB}"
 
 # stats endpoint
-cat > /etc/nginx/http.d/stats.conf <<EOF
-server {
-    listen ${STATS_PORT} default_server;
-    listen [::]:${STATS_PORT} default_server;
+cat > /etc/nginx/local.d/stats.conf <<EOF
+location ^~ /stats {
     root ${PATH_STATS};
-
-    location = / {
-        index index.html;
-        try_files /index.html =404;
-    }
-
-    location /index.html {
-        try_files /index.html =404;
-    }
-
-    location / {
-        return 404;
-    }
-
     auth_basic "Restricted area";
     auth_basic_user_file ${PATH_AUTH}/stats;
+    try_files /index.html =404;
 }
 EOF

rootfs/app/entrypoint.sh.d/90_stats_hourly.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+if [ ${DISABLE_STATS} -eq 1 ] ; then
+  exit 0
+fi
+
+if [ ${DISABLE_STATS_HOURLY} -eq 1 ] ; then
+  exit 0
+fi
+
+echo "# Configuring hourly stats"
+
+# stats endpoint
+ln -s /app/stats_hourly.sh /etc/periodic/hourly/stats

rootfs/app/entrypoint.sh.d/90_webdav.sh

@@ -1,5 +1,9 @@
 #!/bin/sh
 
+if [ ${DISABLE_WEBDAV} -eq 1 ] ; then
+  exit 0
+fi
+
 echo "# Configuring webdav"
 
 cat > /etc/nginx/http.d/webdav.conf <<EOF

rootfs/app/stats_hourly.sh

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+if [ "${DISABLE_STATS:-0}" -eq 1 ] ; then
+  exit 0
+fi
+
+PATH_BASE=/data
+PATH_STATS=${PATH_BASE}/stats
+PATH_STATSDB=${PATH_BASE}/stats.db
+PATH_LOGS=${PATH_BASE}/logs
+
+/usr/bin/goaccess "${PATH_LOGS}/nginx-access.log" \
+    --agent-list --anonymize-ip --real-os --exclude-ip 127.0.0.1 \
+    --output "${PATH_STATS}/index.html" --log-format COMBINED \
+    --tz="${TZ}" "--db-path=${PATH_STATSDB}" --persist --restore 

rootfs/etc/nginx/nginx.conf

@@ -85,6 +85,10 @@ http {
 		'' close;
 	}
 
+	# use real IPs instead of docker ones
+	set_real_ip_from 172.18.0.0/16;
+	real_ip_header X-Forwarded-For;
+	real_ip_recursive on;
 
 	# Specifies the main log format.
 	log_format main '$remote_addr - $remote_user [$time_local] "$request" '