diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index 48e8ea62..0f0b4b1c 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile @@ -1,11 +1,8 @@ # DO NOT MODIFY THIS FILE DIRECTLY. IT IS AUTO-GENERATED BY .devcontainer/scripts/generate-dockerfile.sh # ---/Dockerfile--- -# Builder stage performs venv creation and installs some tools which are not needed in the final image. -# By separating the image, we are able to discard build tools and reduce the final image size. FROM alpine:3.22 AS builder - ARG INSTALL_DIR=/app ENV PYTHONUNBUFFERED=1 @@ -17,8 +14,6 @@ RUN apk add --no-cache bash shadow python3 python3-dev gcc musl-dev libffi-dev o # Enable venv ENV PATH="/opt/venv/bin:$PATH" - - RUN pip install openwrt-luci-rpc asusrouter asyncio aiohttp graphene flask flask-cors unifi-sm-api tplink-omada-client wakeonlan pycryptodome requests paho-mqtt scapy cron-converter pytz json2table dhcp-leases pyunifi speedtest-cli chardet python-nmap dnspython librouteros yattag zeroconf git+https://github.com/foreign-sub/aiofreepybox.git @@ -26,20 +21,12 @@ RUN pip install openwrt-luci-rpc asusrouter asyncio aiohttp graphene flask flask # The runner is used for both devcontainer, and as a base for the hardened stage. FROM alpine:3.22 AS runner -RUN addgroup -g 20211 netalertx && \ - adduser -u 20211 -G netalertx -D -h /app netalertx - ARG INSTALL_DIR=/app - -# Enable venv ENV PATH="/opt/venv/bin:/usr/bin:/sbin:/bin:$PATH" - - -ENV PORT=20211 LISTEN_ADDR=0.0.0.0 GRAPHQL_PORT=20212 # NetAlertX app directories -ENV NETALERTX_APP=/app +ENV NETALERTX_APP=${INSTALL_DIR} ENV NETALERTX_CONFIG=${NETALERTX_APP}/config ENV NETALERTX_FRONT=${NETALERTX_APP}/front ENV NETALERTX_SERVER=${NETALERTX_APP}/server 
@@ -48,8 +35,6 @@ ENV NETALERTX_DB=${NETALERTX_APP}/db ENV NETALERTX_BACK=${NETALERTX_APP}/back ENV NETALERTX_LOG=${NETALERTX_APP}/log ENV NETALERTX_PLUGINS_LOG=${NETALERTX_LOG}/plugins -ENV NETALERTX_NGINIX_CONFIG=${NETALERTX_APP}/services/nginx -ENV NETALERTX_SERVICES=${NETALERTX_APP}/services # NetAlertX log files ENV LOG_IP_CHANGES=${NETALERTX_LOG}/IP_changes.log 
@@ -65,84 +50,113 @@ ENV LOG_REPORT_OUTPUT_JSON=${NETALERTX_LOG}/report_output.json ENV LOG_STDOUT=${NETALERTX_LOG}/stdout.log ENV LOG_CROND=${NETALERTX_LOG}/crond.log -# Important configuration files -ENV NGINX_CONFIG_FILE=${NETALERTX_NGINIX_CONFIG}/nginx.conf +# System Services configuration files +ENV SYSTEM_SERVICES=/services +ENV SYSTEM_SERVICES_CONFIG=${SYSTEM_SERVICES}/config +ENV SYSTEM_NGINIX_CONFIG=${SYSTEM_SERVICES_CONFIG}/nginx +ENV NGINX_CONFIG_FILE=${SYSTEM_NGINIX_CONFIG}/nginx.conf ENV NETALERTX_CONFIG_FILE=${NETALERTX_CONFIG}/app.conf ENV NETALERTX_DB_FILE=${NETALERTX_DB}/app.db -ENV PHP_FPM_CONFIG_FILE=/etc/php83/php-fpm.conf -ENV PHP_WWW_CONF_FILE=/etc/php83/php-fpm.d/www.conf -ENV SYSTEM_SERVICES=/services +ENV SYSTEM_SERVICES_PHP_FOLDER=${SYSTEM_SERVICES_CONFIG}/php +ENV SYSTEM_SERVICES_PHP_FPM_D=${SYSTEM_SERVICES_PHP_FOLDER}/php-fpm.d +ENV SYSTEM_SERVICES_CROND=${SYSTEM_SERVICES_CONFIG}/crond +ENV PHP_FPM_CONFIG_FILE=${SYSTEM_SERVICES_PHP_FOLDER}/php-fpm.conf -RUN apk add --no-cache bash libbsd zip lsblk gettext-envsubst sudo mtr tzdata curl arp-scan iproute2 \ - iproute2-ss nmap nmap-scripts traceroute nbtscan openrc dbus net-tools net-snmp-tools bind-tools awake \ - ca-certificates sqlite php83 php83-fpm php83-cgi php83-curl php83-sqlite3 php83-session python3 nginx sudo && \ - rm -rf /var/cache/apk/* && \ - rm -f /etc/nginx/http.d/default.conf +ENV PYTHONPATH=${NETALERTX_SERVER} +RUN apk add --no-cache bash mtr libbsd zip lsblk sudo tzdata curl arp-scan iproute2 \ +iproute2-ss nmap nmap-scripts traceroute nbtscan net-tools net-snmp-tools bind-tools awake \ +ca-certificates sqlite php83 php83-fpm php83-cgi php83-curl php83-sqlite3 php83-session python3 \ +nginx sudo libcap shadow && \ +rm -rf /var/cache/apk/* && \ +rm -f /etc/nginx/http.d/default.conf + +#Create netalertx user and group +RUN addgroup -g 20211 netalertx && \ + adduser -u 20211 -D -h ${NETALERTX_APP} -G netalertx netalertx + # Install application, copy files, set permissions 
COPY --from=builder /opt/venv /opt/venv COPY --from=builder /usr/sbin/usermod /usr/sbin/groupmod /usr/sbin/ -COPY --chown=netalertx:netalertx install/alpine-docker/ / +COPY --chown=netalertx:netalertx install/production-filesystem/ / COPY --chown=netalertx:netalertx --chmod=755 back ${NETALERTX_BACK} COPY --chown=netalertx:netalertx --chmod=755 front ${NETALERTX_FRONT} COPY --chown=netalertx:netalertx --chmod=755 server ${NETALERTX_SERVER} RUN install -d -o netalertx -g netalertx -m 755 ${NETALERTX_API} && \ install -d -o netalertx -g netalertx -m 755 ${NETALERTX_LOG} && \ sh -c "find ${NETALERTX_APP} -type f \( -name '*.sh' -o -name 'speedtest-cli' \) \ - -exec chmod 750 {} \;" + -exec chmod 750 {} \;" +# setcap to allow network tools with raw packet access to run without root +RUN setcap cap_net_raw,cap_net_admin+eip /usr/bin/nmap && \ + setcap cap_net_raw,cap_net_admin+eip /usr/bin/arp-scan && \ + setcap cap_net_raw,cap_net_admin+eip /usr/bin/traceroute && \ + setcap cap_net_raw,cap_net_admin+eip /opt/venv/bin/scapy #initialize each service with the dockerfiles/init-*.sh scripts, once. -RUN sh /build/init-nginx.sh && \ - sh /build/init-php-fpm.sh && \ - sh /build/init-crond.sh && \ - sh /build/init-backend.sh && \ - rm -rf /build/* - +RUN /bin/sh /build/init-nginx.sh && \ + /bin/sh /build/init-php-fpm.sh && \ + /bin/sh /build/init-crond.sh && \ + /bin/sh /build/init-backend.sh && \ + rm -rf /build # set netalertx to allow sudoers for any command, no password RUN echo "netalertx ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers ENTRYPOINT ["/bin/sh","-c","sleep infinity"] + # Final hardened stage to improve security by setting correct permissions and removing sudo access # When complete, if the image is compromised, there's not much that can be done with it. 
FROM runner AS hardened - # create readonly user and group with no shell access RUN addgroup -g 20212 readonly && \ - adduser -u 20212 -G readonly -D -h /app readonly - + adduser -u 20212 -G readonly -D -h /app readonly && \ + usermod -s /sbin/nologin readonly + + # remove netalertx from sudoers -RUN sh -c "sed -i '/netalertx ALL=(ALL) NOPASSWD: ALL/d' /etc/sudoers" -RUN chown -R readonly:readonly ${NETALERTX_BACK} ${NETALERTX_FRONT} ${NETALERTX_SERVER} ${SYSTEM_SERVICES} ${NETALERTX_SERVICES} -RUN chmod -R 004 ${NETALERTX_BACK} ${NETALERTX_FRONT} ${NETALERTX_SERVER} -RUN chmod 005 ${NETALERTX_BACK} ${NETALERTX_FRONT} ${NETALERTX_SERVER} -RUN chmod -R 005 ${SYSTEM_SERVICES} ${NETALERTX_SERVICES} +RUN chown -R readonly:readonly ${NETALERTX_BACK} ${NETALERTX_FRONT} ${NETALERTX_SERVER} ${SYSTEM_SERVICES} ${SYSTEM_SERVICES} && \ + chmod -R 004 ${NETALERTX_BACK} ${NETALERTX_FRONT} ${NETALERTX_SERVER} && \ + find ${NETALERTX_BACK} ${NETALERTX_FRONT} ${NETALERTX_SERVER} -type d -exec chmod 005 {} + && \ + chmod -R 005 ${SYSTEM_SERVICES} ${SYSTEM_SERVICES}/* && \ + chown -R netalertx:netalertx ${NETALERTX_CONFIG} ${NETALERTX_DB} ${NETALERTX_API} ${NETALERTX_LOG} && \ + chmod -R 600 ${NETALERTX_CONFIG} ${NETALERTX_DB} ${NETALERTX_API} ${NETALERTX_LOG} && \ + chmod 700 ${NETALERTX_CONFIG} ${NETALERTX_DB} ${NETALERTX_API} ${NETALERTX_LOG} ${NETALERTX_PLUGINS_LOG} && \ + chown readonly:readonly / && \ + chown -R netalertx:netalertx /var/log/nginx /var/lib/nginx /run && \ + find / -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o \ + -path /run -prune -o -path /var/log -prune -o -path /tmp -prune -o \ + -group 0 -o -user 0 -exec chown readonly:readonly {} + -RUN chown -R netalertx:netalertx ${NETALERTX_CONFIG} ${NETALERTX_DB} ${NETALERTX_API} ${NETALERTX_LOG} && \ - chmod -R 600 ${NETALERTX_CONFIG} ${NETALERTX_DB} {NETALERTX_API} ${NETALERTX_LOG} && \ - chmod 700 ${NETALERTX_CONFIG} ${NETALERTX_DB} ${NETALERTX_API} ${NETALERTX_LOG} ${NETALERTX_PLUGINS_LOG} +# +# 
remove sudo and alpine installers pacakges +RUN apk del sudo libcap apk-tools && \ + rm -rf /var/cache/apk/* +# remove all users and groups except readonly and netalertx without userdel/groupdel binaries +# RUN awk -F: '($1 != "readonly" && $1 != "netalertx") {print $1}' /etc/passwd | xargs -r -n 1 deluser -r && \ +# awk -F: '($1 != "readonly" && $1 != "netalertx") {print $1}' /etc/group | xargs -r -n 1 delgroup +# Remove all sudoers +RUN rm -Rf /etc/sudoers.d/* /etc/shadow /etc/gshadow /etc/sudoers \ + /lib/apk /lib/firmware /lib/modules-load.d /lib/sysctl.d /mnt /home/ /root \ + /srv /media && \ + sed -i -n -e '/^readonly:/p' -e '/^netalertx:/p' /etc/passwd && \ + sed -i -n -e '/^readonly:/p' -e '/^netalertx:/p' /etc/group && \ + echo -ne '#!/bin/sh\n"$@"\n' > /usr/bin/sudo && chmod +x /usr/bin/sudo -RUN chown readonly:readonly / -RUN chown -R netalertx:netalertx /var/log/nginx /var/lib/nginx /run -RUN echo -ne '#!/bin/bash\nexit 0\n' > /usr/bin/sudo && chmod +x /usr/bin/sudo - -RUN find / -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o -path /run -prune -o -path /var/log -prune -o -path /tmp -prune -o -group 0 -o -user 0 -exec chown readonly:readonly {} + USER netalertx HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \ -CMD /usr/local/bin/healthcheck.sh - -ENTRYPOINT ["/entrypoint.sh"] - + CMD /usr/local/bin/healthcheck.sh +#ENTRYPOINT [ "/bin/sh" ] +ENTRYPOINT [ "/bin/sh", "/entrypoint.sh" ] # ---/resources/devcontainer-Dockerfile--- 
@@ -153,25 +167,17 @@ ENTRYPOINT ["/entrypoint.sh"] # Prefer to place dev-only setup here; use setup.sh only for runtime fixes. FROM runner AS netalertx-devcontainer -USER root ENV INSTALL_DIR=/app ENV PYTHONPATH=/workspaces/NetAlertX/test:/workspaces/NetAlertX/server:/app:/app/server:/opt/venv/lib/python3.12/site-packages -ENV HOME=/workspaces COPY .devcontainer/resources/99-xdebug.ini /etc/php83/conf.d/99-xdebug.ini # Install common tools, create user, and set up sudo -RUN apk add --no-cache git nano vim jq php83-pecl-xdebug py3-pip nodejs sudo gpgconf pytest pytest-cov shadow github-cli fish - +RUN apk add --no-cache git nano vim jq php83-pecl-xdebug py3-pip nodejs sudo gpgconf pytest pytest-cov # Install debugpy in the virtualenv if present, otherwise into system python3 RUN /bin/sh -c '(/opt/venv/bin/python3 -m pip install --no-cache-dir debugpy) || (python3 -m pip install --no-cache-dir debugpy) || true' -RUN /opt/venv/bin/python -m pip install -U pytest pytest-cov +RUN python -m pip install -U pytest pytest-cov -USER netalertx - -WORKDIR /workspaces/ -RUN mkdir -p /workspaces && \ - sudo chmod 777 /workspaces - -USER netalertx +ENTRYPOINT ["/bin/sh","-c","sleep infinity"] + \ No newline at end of file diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index a6d7072e..66079e0d 100755 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -4,7 +4,9 @@ "build": { "dockerfile": "./Dockerfile", "context": "../", - "target": "netalertx-devcontainer" + "target": "netalertx-devcontainer", + "pull": true, + "noCache": true }, "workspaceFolder": "/workspaces/NetAlertX", "runArgs": [ @@ -34,7 +36,9 @@ "pamaron.pytest-runner", "coderabbit.coderabbit-vscode", "ms-python.black-formatter", - "jeff-hykin.better-dockerfile-syntax" + "jeff-hykin.better-dockerfile-syntax", + "GitHub.codespaces", + "ms-azuretools.vscode-containers" ] , "settings": { 
diff --git a/.devcontainer/resources/devcontainer-Dockerfile b/.devcontainer/resources/devcontainer-Dockerfile index fe0eec7c..cec4cd1f 100755 --- a/.devcontainer/resources/devcontainer-Dockerfile +++ b/.devcontainer/resources/devcontainer-Dockerfile @@ -15,7 +15,7 @@ RUN apk add --no-cache git nano vim jq php83-pecl-xdebug py3-pip nodejs sudo gpg # Install debugpy in the virtualenv if present, otherwise into system python3 RUN /bin/sh -c '(/opt/venv/bin/python3 -m pip install --no-cache-dir debugpy) || (python3 -m pip install --no-cache-dir debugpy) || true' -RUN sudo /env/bin/python -m pip install -U pytest pytest-cov +RUN python -m pip install -U pytest pytest-cov -RUN ["/bin/sh","-c","sleep infinity"] +ENTRYPOINT ["/bin/sh","-c","sleep infinity"] \ No newline at end of file diff --git a/.devcontainer/scripts/generate-dockerfile.sh b/.devcontainer/scripts/generate-dockerfile.sh index 95a94b6a..c4f24652 100755 --- a/.devcontainer/scripts/generate-dockerfile.sh +++ b/.devcontainer/scripts/generate-dockerfile.sh @@ -21,7 +21,7 @@ echo "# DO NOT MODIFY THIS FILE DIRECTLY. IT IS AUTO-GENERATED BY .devcontainer/ echo "" >> "$OUT_FILE" echo "# ---/Dockerfile---" >> "$OUT_FILE" -sed '/${INSTALL_DIR}/d' "${ROOT_DIR}/Dockerfile" >> "$OUT_FILE" +cat "${ROOT_DIR}/Dockerfile" >> "$OUT_FILE" echo "" >> "$OUT_FILE" echo "# ---/resources/devcontainer-Dockerfile---" >> "$OUT_FILE" diff --git a/.devcontainer/scripts/isDevContainer.sh b/.devcontainer/scripts/isDevContainer.sh new file mode 100755 index 00000000..408c757d --- /dev/null +++ b/.devcontainer/scripts/isDevContainer.sh @@ -0,0 +1,8 @@ +#!/bin/bash +if [ ! -d /workspaces/NetAlertX/.devcontainer ]; then + echo --------------------------------------------------- + echo "This script may only be run inside a devcontainer." + echo "Not in a devcontainer, exiting..." + echo --------------------------------------------------- + exit 255 +fi \ No newline at end of file 
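Review bot: Switching to `cat` makes the generated `.devcontainer/Dockerfile` a byte-for-byte copy of the root `Dockerfile`, yet elsewhere in this same commit the two already appear to disagree (the root builder stage gains `chown -R 20212:20212 /opt`, and the root hardened stage drops the `find / ... -exec chown readonly:readonly` that the generated copy's new side still carries), which suggests the generator was not re-run after the last edits. Because the generated file is what the devcontainer actually builds, a stale copy silently changes what developers test against; a CI step that re-runs this script and fails on `git diff --exit-code .devcontainer/Dockerfile` would catch it. The head of the script is outside the hunk, so I can't tell whether it has `set -eu`; without it a missing `${ROOT_DIR}/Dockerfile` produces a truncated output file instead of an error.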
diff --git a/.devcontainer/scripts/setup.sh b/.devcontainer/scripts/setup.sh index aae220ff..5f1e923c 100755 --- a/.devcontainer/scripts/setup.sh +++ b/.devcontainer/scripts/setup.sh @@ -10,7 +10,6 @@ id export APP_DIR="/app" export APP_COMMAND="/workspaces/NetAlertX/.devcontainer/scripts/restart-backend.sh" export PHP_FPM_BIN="/usr/sbin/php-fpm83" -export NGINX_BIN="/workspaces/NetAlertX/.devcontainer/scripts/start-nginx.sh" export CROND_BIN="/usr/sbin/crond -f" @@ -32,6 +31,8 @@ export SOURCE_DIR="/workspaces/NetAlertX" main() { echo "=== NetAlertX Development Container Setup ===" + killall php-fpm83 nginx crond python3 2>/dev/null + echo "Setting up ${SOURCE_DIR}..." sudo chown $(id -u):$(id -g) /workspaces sudo chown 755 /workspaces 
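Review bot: The new `killall php-fpm83 nginx crond python3 2>/dev/null` kills every `python3` process the user owns, not just the NetAlertX backend — in a devcontainer that can include the editor's language server or a debugpy session the developer is attached to. Narrowing it to the backend process (a `pkill -f` on whatever script `start-backend.sh` launches, which is not visible here) would avoid that. Separately, the unchanged `sudo chown 755 /workspaces` two lines below looks like a typo for `chmod`: `chown` will try to resolve a user named `755`, fail, and leave the directory mode untouched.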
@@ -44,19 +45,36 @@ main() { start_services } +isRamDisk() { + if [ -z "$1" ] || [ ! -d "$1" ]; then + echo "Usage: isRamDisk " >&2 + return 2 + fi + + local fstype + fstype=$(df -T "$1" | awk 'NR==2 {print $2}') + + if [[ "$fstype" == "tmpfs" || "$fstype" == "ramfs" ]]; then + return 0 # Success (is a ramdisk) + else + return 1 # Failure (is not a ramdisk) + fi +} # Setup source directory configure_source() { echo "[1/3] Configuring Source..." echo " -> Cleaning up previous instances" - sudo umount "${INSTALL_DIR}/log" 2>/dev/null - sudo umount "${INSTALL_DIR}/api" 2>/dev/null - sudo rm -Rf ${INSTALL_DIR} || true + isRamDisk ${NETALERTX_LOG} && sudo umount "${NETALERTX_LOG}" + isRamDisk ${NETALERTX_API} && sudo umount "${NETALERTX_API}" + sleep 1 + sudo rm -Rf ${NETALERTX_APP}/ - echo " -> Linking source to ${INSTALL_DIR}" - sudo ln -s ${SOURCE_DIR} ${INSTALL_DIR} + echo " -> Linking source to ${NETALERTX_APP}" + sudo ln -s ${SOURCE_DIR}/ ${NETALERTX_APP} echo " -> Mounting ramdisks for /log and /api" + mkdir -p ${NETALERTX_LOG} ${NETALERTX_API} sudo mount -o uid=$(id -u netalertx),gid=$(id -g netalertx),mode=775 -t tmpfs -o size=256M tmpfs "${NETALERTX_LOG}" sudo mount -o uid=$(id -u netalertx),gid=$(id -g netalertx),mode=775 -t tmpfs -o size=256M tmpfs "${NETALERTX_API}" mkdir -p ${NETALERTX_PLUGINS_LOG} @@ -82,9 +100,9 @@ configure_source() { # configure_php: configure PHP-FPM and enable dev debug options configure_php() { echo "[2/3] Configuring PHP-FPM..." - sudo killall php-fpm83 &>/dev/null || true sudo chown netalertx:netalertx /run/php/ 2>/dev/null || true - sudo cp /workspaces/NetAlertX/.devcontainer/resources/99-xdebug.ini /etc/php83/conf.d/99-xdebug.ini + + sudo cp /workspaces/NetAlertX/.devcontainer/resources/99-xdebug.ini ${SYSTEM_SERVICES_PHP_FPM_D}/99-xdebug.ini } 
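Review bot: `sudo rm -Rf ${NETALERTX_APP}/` is dangerous on a re-run: by then `/app` is the symlink created a few lines below, and the trailing slash makes `rm` resolve through the link, so it recurses into the contents of `${SOURCE_DIR}` (the developer's checkout) instead of just unlinking `/app` as the old `rm -Rf ${INSTALL_DIR}` did. It is also unguarded against an empty variable, which would turn it into `rm -Rf /`. I'd write `sudo rm -Rf "${NETALERTX_APP:?}"` (no trailing slash) and `sudo ln -sfn "${SOURCE_DIR}" "${NETALERTX_APP}"`, and quote the `isRamDisk` arguments the same way. The `sleep 1` after the umounts hints at a race, but `umount` is synchronous — if something still holds the mount it is better to fail loudly than to wait.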
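Review bot: Copying `99-xdebug.ini` into `${SYSTEM_SERVICES_PHP_FPM_D}` most likely never takes effect: the new `php-fpm.conf` includes only `php-fpm.d/*.conf` from that directory, and an `.ini` file is a php.ini fragment that PHP reads from its scan dir (`/etc/php83/conf.d`, where the devcontainer Dockerfile already places the same file), not a pool definition. Unless `start-php-fpm.sh` (not visible here) points `PHP_INI_SCAN_DIR` at that folder, this line can be dropped, or the copy should target `/etc/php83/conf.d/99-xdebug.ini` as before. A `php83 -i | grep -i xdebug` after setup would confirm which copy is actually loaded.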
@@ -92,17 +110,11 @@ configure_php() { start_services() { echo "[3/3] Starting services..." - killall nohup &>/dev/null || true - - killall php-fpm83 &>/dev/null || true - killall crond &>/dev/null || true - # Give the OS a moment to release the php-fpm socket - sleep 0.3 echo " -> Starting CronD" - setsid nohup $CROND_BIN &>/dev/null & + setsid nohup /services/start-crond.sh &>/dev/null & echo " -> Starting PHP-FPM" - setsid nohup $PHP_FPM_BIN &>/dev/null & + setsid nohup services/start-php-fpm.sh &>/dev/null & sudo killall nginx &>/dev/null || true # Wait for the previous nginx processes to exit and for the port to free up @@ -114,9 +126,9 @@ start_services() { done sleep 0.2 echo " -> Starting Nginx" - setsid nohup $NGINX_BIN &>/dev/null & + setsid nohup /services/start-nginx.sh &>/dev/null & echo " -> Starting Backend ${APP_DIR}/server..." - $APP_COMMAND + /services/start-backend.sh sleep 2 } diff --git a/.devcontainer/scripts/start-nginx.sh b/.devcontainer/scripts/start-nginx.sh index 73f832fd..77c88390 100755 --- a/.devcontainer/scripts/start-nginx.sh +++ b/.devcontainer/scripts/start-nginx.sh @@ -1,11 +1,4 @@ #create /services/nginx directory for nginx system files -sudo install -d /services/nginx -m 755 -o netalertx -g netalertx -sudo install -d /services/nginx -m 755 -o netalertx -g netalertx -sudo chown -R netalertx:netalertx /var/lib/nginx -cp /workspaces/NetAlertX/install/alpine-docker/app/services/nginx/nginx.conf /services/nginx/nginx.conf -sed -i 's|/app/services/nginx/netalertx.conf|/services/nginx/netalertx.conf|' /services/nginx/nginx.conf -cp /workspaces/NetAlertX/install/alpine-docker/app/services/nginx/netalertx.conf /services/nginx/netalertx.conf -cp /workspaces/NetAlertX/install/alpine-docker/app/services/nginx/fastcgi_params /services/nginx/fastcgi_params nginx -c "/services/nginx/nginx.conf" -g "daemon off;" 2>&1 >/app/log/app_front.log \ No newline at end of file diff --git a/.gitignore b/.gitignore index bf06f085..895d8ac8 100755 
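Review bot: `setsid nohup services/start-php-fpm.sh &>/dev/null &` uses a relative path while the crond and nginx lines use `/services/...`; it only resolves if the script's cwd happens to be `/`, and because output goes to `/dev/null` and the process is backgrounded, a `No such file` failure is invisible — PHP-FPM simply never starts. It should be `setsid nohup /services/start-php-fpm.sh &>/dev/null &`. The same `&>/dev/null &` pattern hides any start-up error from all four services; redirecting each to a file under `${NETALERTX_LOG}` instead would make a failed start diagnosable.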
--- a/.gitignore +++ b/.gitignore @@ -17,6 +17,7 @@ db/pialert.db db/app.db front/log/* /log/* +/log/plugins/* front/api/* /api/* **/plugins/**/*.log diff --git a/.vscode/tasks.json b/.vscode/tasks.json index 81705106..51037982 100755 --- a/.vscode/tasks.json +++ b/.vscode/tasks.json @@ -2,7 +2,7 @@ "version": "2.0.0", "tasks": [ { - "label": "Generate Dockerfile", + "label": "[Any Linux] Generate Dockerfile", "type": "shell", "command": "${workspaceFolder:NetAlertX}/.devcontainer/scripts/generate-dockerfile.sh", "presentation": { @@ -25,27 +25,32 @@ } }, { - "label": "Re-Run Startup Script", + "label": "[Dev Container] Re-Run Startup Script", "type": "shell", - "command": "test ! -d /workspaces && echo not in container && exit 1; ${workspaceFolder:NetAlertX}/.devcontainer/scripts/setup.sh", + "command": "./isDevContainer.sh || exit 1;${workspaceFolder:NetAlertX}/.devcontainer/scripts/setup.sh", + "options": { + "cwd": "${workspaceFolder:NetAlertX}/.devcontainer/scripts" + }, "presentation": { "echo": true, "reveal": "always", "panel": "shared", "showReuseMessage": false }, - + "problemMatcher": [], "icon": { "id": "beaker", "color": "terminal.ansiBlue" } - }, { - "label": "Start Backend (Python)", + "label": "[Dev Container] Start Backend (Python)", "type": "shell", - "command": "test ! -d /workspaces && echo not in container && exit 1; /workspaces/NetAlertX/.devcontainer/scripts/restart-backend.sh", + "command": "./isDevContainer.sh || exit 1; killall python2>/dev/null; /services/start-backend.sh", + "options": { + "cwd": "${workspaceFolder:NetAlertX}/.devcontainer/scripts" + }, "presentation": { "echo": true, "reveal": "always", 
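Review bot: In the "Start Backend" task, `killall python2>/dev/null` is tokenised by the shell as `killall python2 >/dev/null` (the `2` belongs to the word `python2`, not to the redirection), so it tries to kill a process named `python2`, prints "no process found" to stderr, and never stops the running `python3` backend before starting another one. It should read `killall python3 2>/dev/null; /services/start-backend.sh` with a space before `2>`. Even then a bare `killall python3` kills every Python process in the container, so matching on the backend's script name would be safer.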
@@ -60,9 +65,12 @@ } }, { - "label": "Start Frontend (nginx and PHP-FPM)", + "label": "[Dev Container] Start CronD (Scheduler)", "type": "shell", - "command": "test ! -d /workspaces && echo not in container && exit 1; killall php-fpm83 nginx 2>/dev/null || true; sleep 1; php-fpm83 & nginx", + "command": "./isDevContainer.sh || exit 1; killall crond>/dev/null; /services/start-crond.sh", + "options": { + "cwd": "${workspaceFolder:NetAlertX}/.devcontainer/scripts" + }, "presentation": { "echo": true, "reveal": "always", @@ -77,9 +85,33 @@ } }, { - "label": "Stop Frontend & Backend Services", + "label": "[Dev Container] Start Frontend (nginx and PHP-FPM)", "type": "shell", - "command": "test ! -d /workspaces && echo not in container && exit 1; pkill -f 'php-fpm83|nginx|crond|python3' || true", + "command": "./isDevContainer.sh || exit 1; killall php-fpm83 nginx 2>/dev/nulltrue; sleep 1; /services/start-php-fpm.sh & /sevices/start-nginx.sh &", + "options": { + "cwd": "${workspaceFolder:NetAlertX}/.devcontainer/scripts" + + }, + "presentation": { + "echo": true, + "reveal": "always", + "panel": "shared", + "showReuseMessage": false, + "clear": false + }, + "problemMatcher": [], + "icon": { + "id": "debug-restart", + "color": "terminal.ansiGreen" + } + }, + { + "label": "[Dev Container] Stop Frontend & Backend Services", + "type": "shell", + "command": "./isDevContainer.sh || exit 1; pkill -f 'php-fpm83|nginx|crond|python3' || true", + "options": { + "cwd": "${workspaceFolder:NetAlertX}/.devcontainer/scripts" + }, "presentation": { "echo": true, "reveal": "always", @@ -93,4 +125,4 @@ } } ] -} \ No newline at end of file +} diff --git a/Dockerfile b/Dockerfile index ddbc2077..70d3f32c 100755 --- a/Dockerfile +++ b/Dockerfile 
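Review bot: The new "Start Frontend" command has two typos that break it: `2>/dev/nulltrue` redirects stderr to a file literally named `/dev/nulltrue` (the `|| true` got fused in), which a non-root user cannot create under `/dev`, so the redirection fails and `killall` is skipped; and `/sevices/start-nginx.sh` is misspelled, so nginx never starts while PHP-FPM does. It should read `killall php-fpm83 nginx 2>/dev/null || true; sleep 1; /services/start-php-fpm.sh & /services/start-nginx.sh &`. Because both services are backgrounded with `&`, the task reports success regardless; a trailing `pgrep nginx` would surface the failure.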
@@ -13,6 +13,8 @@ ENV PATH="/opt/venv/bin:$PATH" RUN pip install openwrt-luci-rpc asusrouter asyncio aiohttp graphene flask flask-cors unifi-sm-api tplink-omada-client wakeonlan pycryptodome requests paho-mqtt scapy cron-converter pytz json2table dhcp-leases pyunifi speedtest-cli chardet python-nmap dnspython librouteros yattag zeroconf git+https://github.com/foreign-sub/aiofreepybox.git +RUN chown -R 20212:20212 /opt && \ + chmod -R u-rwx,g-rwx /opt # second stage is the main runtime stage with just the minimum required to run the application # The runner is used for both devcontainer, and as a base for the hardened stage. 
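Review bot: `chmod -R u-rwx,g-rwx /opt` strips the owner and group bits and leaves the venv usable only through the "other" bits, so anything pip wrote without world-read (a non-default umask in the build environment, or a package that ships 0600 files) becomes unreadable to `netalertx` at runtime and fails only on first import; something like `chmod -R o+rX,u-rwx,g-rwx /opt` states the intended result instead of inheriting it. The chown to 20212 runs in a stage where that uid has no passwd entry, which is fine for a numeric chown, but a comment such as `# 20212 = readonly uid created in the hardened stage; netalertx reads the venv via the o bits` would save the next reader a search. The `pip install` this sits under is still unpinned, including `git+https://github.com/foreign-sub/aiofreepybox.git` at whatever its default branch points to at build time — pinning that to a commit (`...aiofreepybox.git@<sha>`) and the PyPI packages to versions is the cheap supply-chain fix.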
@@ -54,21 +56,25 @@ ENV SYSTEM_NGINIX_CONFIG=${SYSTEM_SERVICES_CONFIG}/nginx ENV NGINX_CONFIG_FILE=${SYSTEM_NGINIX_CONFIG}/nginx.conf ENV NETALERTX_CONFIG_FILE=${NETALERTX_CONFIG}/app.conf ENV NETALERTX_DB_FILE=${NETALERTX_DB}/app.db -ENV PHP_FPM_CONFIG_FILE=/etc/php83/php-fpm.conf -ENV PHP_WWW_CONF_FILE=/etc/php83/php-fpm.d/www.conf +ENV SYSTEM_SERVICES_PHP_FOLDER=${SYSTEM_SERVICES_CONFIG}/php +ENV SYSTEM_SERVICES_PHP_FPM_D=${SYSTEM_SERVICES_PHP_FOLDER}/php-fpm.d +ENV SYSTEM_SERVICES_CROND=${SYSTEM_SERVICES_CONFIG}/crond +ENV PHP_FPM_CONFIG_FILE=${SYSTEM_SERVICES_PHP_FOLDER}/php-fpm.conf + ENV PYTHONPATH=${NETALERTX_SERVER} -#Create netalertx user and group -RUN addgroup -g 20211 netalertx && \ - adduser -u 20211 -G netalertx -D -h ${NETALERTX_APP} netalertx RUN apk add --no-cache bash mtr libbsd zip lsblk sudo tzdata curl arp-scan iproute2 \ - iproute2-ss nmap nmap-scripts traceroute nbtscan net-tools net-snmp-tools bind-tools awake \ - ca-certificates sqlite php83 php83-fpm php83-cgi php83-curl php83-sqlite3 php83-session python3 \ - nginx sudo libcap && \ - rm -rf /var/cache/apk/* && \ - rm -f /etc/nginx/http.d/default.conf +iproute2-ss nmap nmap-scripts traceroute nbtscan net-tools net-snmp-tools bind-tools awake \ +ca-certificates sqlite php83 php83-fpm php83-cgi php83-curl php83-sqlite3 php83-session python3 \ +nginx sudo libcap shadow && \ +rm -rf /var/cache/apk/* && \ +rm -f /etc/nginx/http.d/default.conf + +#Create netalertx user and group +RUN addgroup -g 20211 netalertx && \ + adduser -u 20211 -D -h ${NETALERTX_APP} -G netalertx netalertx # Install application, copy files, set permissions COPY --from=builder /opt/venv /opt/venv 
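Review bot: Adding `shadow` to the runtime `apk add` duplicates the `COPY --from=builder /usr/sbin/usermod /usr/sbin/groupmod` that follows a few lines later, and it brings in more than those two tools: on Alpine the package also installs setuid-root helpers (`passwd`, `chage`, `gpasswd`, `newgrp`, from memory — verify with `find / -perm -4000 -type f` in the built image). The hardened stage's `apk del sudo libcap apk-tools` (visible in the generated copy of this file) does not list `shadow`, so those setuid binaries would survive into the image that is meant to have "not much that can be done with it"; either keep the builder COPY and drop `shadow` here, or add it to the `apk del` list. `sudo` is listed twice in the same `apk add`, harmless but worth tidying.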
@@ -119,11 +125,9 @@ RUN chown -R readonly:readonly ${NETALERTX_BACK} ${NETALERTX_FRONT} ${NETALERTX_ chown -R netalertx:netalertx ${NETALERTX_CONFIG} ${NETALERTX_DB} ${NETALERTX_API} ${NETALERTX_LOG} && \ chmod -R 600 ${NETALERTX_CONFIG} ${NETALERTX_DB} ${NETALERTX_API} ${NETALERTX_LOG} && \ chmod 700 ${NETALERTX_CONFIG} ${NETALERTX_DB} ${NETALERTX_API} ${NETALERTX_LOG} ${NETALERTX_PLUGINS_LOG} && \ - chown readonly:readonly / && \ chown -R netalertx:netalertx /var/log/nginx /var/lib/nginx /run && \ - find / -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o \ - -path /run -prune -o -path /var/log -prune -o -path /tmp -prune -o \ - -group 0 -o -user 0 -exec chown readonly:readonly {} + + chown readonly:readonly /entrypoint.sh && \ + chmod 005 /entrypoint.sh # # remove sudo and alpine installers pacakges diff --git a/install/production-filesystem/build/init-crond.sh b/install/production-filesystem/build/init-crond.sh index 4d141404..af464d3e 100644 --- a/install/production-filesystem/build/init-crond.sh +++ b/install/production-filesystem/build/init-crond.sh @@ -1,7 +1,4 @@ #!/bin/bash echo "Initializing crond..." -# Add crontab file -rm /etc/crontabs/root -chmod 600 /etc/crontabs/netalertx -chown netalertx:netalertx /etc/crontabs/netalertx +#Future crond initializations can go here. echo "crond initialized." diff --git a/install/production-filesystem/build/init-nginx.sh b/install/production-filesystem/build/init-nginx.sh index c5e5e9e8..f846cd07 100644 --- a/install/production-filesystem/build/init-nginx.sh +++ b/install/production-filesystem/build/init-nginx.sh @@ -1,3 +1,4 @@ #!/bin/bash echo "Initializing nginx..." -# Nothing to do here, nginx is configured at runtime \ No newline at end of file +#Future crond initializations can go here. +echo "nginx initialized." \ No newline at end of file diff --git a/install/production-filesystem/build/init-php-fpm.sh b/install/production-filesystem/build/init-php-fpm.sh index 336c9a5a..3c1db8d0 100644 
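Review bot: Narrowing the blanket `chown readonly:readonly /` plus `find / -user 0 -exec chown` down to `/entrypoint.sh` is a good change and deserves a comment saying why: as far as I can tell `chown` clears a file's `security.capability` xattr, so the old recursive pass would have silently stripped the `cap_net_raw,cap_net_admin` that the `setcap` lines earlier in this stage (visible in the generated copy of this file) put on nmap/arp-scan/traceroute, leaving the non-root scanner without raw-socket access. The generated `.devcontainer/Dockerfile` in this same commit still carries the old `find` on its new side, so it appears to predate this edit and should be regenerated. `chmod 005 /entrypoint.sh` works only because the ENTRYPOINT runs it as `/bin/sh /entrypoint.sh`; a note like `# read-only for netalertx, executed via /bin/sh so no x bit needed` would stop someone "fixing" it to 755.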
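Review bot: Dropping `rm /etc/crontabs/root` means the Alpine base image's default root crontab (the `/etc/periodic/*` entries) now stays in the image. Busybox `crond` only reads that file if it is started against the default spool directory, and `start-crond.sh` is not visible here, so this may be harmless — but if crond is still pointed at `/etc/crontabs`, the moved `netalertx` crontab is never read and root's is. The old `chmod 600` has also gone; under the hardened stage's `chmod -R 005 ${SYSTEM_SERVICES}` the moved crontab ends up world-readable and executable, which is odd for a config file even if not exploitable on its own. A one-line comment here stating where crond is told to look (`crond -c /services/config/crond`, if that is what the start script does) would make the move auditable.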
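Review bot: The new placeholder comment in init-nginx.sh reads `#Future crond initializations can go here.` — copy-pasted from init-crond.sh; it should say `#Future nginx initializations can go here.`. It would also be worth keeping the information the old comment carried, that nginx is otherwise configured at runtime, since that is the reason this script is empty.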
--- a/install/production-filesystem/build/init-php-fpm.sh +++ b/install/production-filesystem/build/init-php-fpm.sh @@ -2,21 +2,6 @@ echo "Initializing php-fpm..." # Set up PHP-FPM directories and socket configuration install -d -o netalertx -g netalertx /run/php/ -sed -i "/^;pid/c\pid = /run/php/php8.3-fpm.pid" /etc/php83/php-fpm.conf -sed -i "/^listen/c\listen = /run/php/php8.3-fpm.sock" /etc/php83/php-fpm.d/www.conf -sed -i "/^;listen.owner/c\listen.owner = netalertx" /etc/php83/php-fpm.d/www.conf -sed -i "/^;listen.group/c\listen.group = netalertx" /etc/php83/php-fpm.d/www.conf -sed -i "/^user/c\user = netalertx" /etc/php83/php-fpm.d/www.conf -sed -i "/^group/c\group = netalertx" /etc/php83/php-fpm.d/www.conf -# Increase max child process count -sed -i -e 's/pm.max_children = 5/pm.max_children = 10/' /etc/php83/php-fpm.d/www.conf - -# Set error log path -sed -i "/^;*error_log\s*=/c\error_log = ${LOG_APP_PHP_ERRORS}" /etc/php83/php-fpm.conf -# If the line was not found, append it to the end of the file -if ! grep -q '^error_log\s*=' /etc/php83/php-fpm.conf; then - echo "error_log = ${LOG_APP_PHP_ERRORS}" >> /etc/php83/php-fpm.conf -fi echo "php-fpm initialized." diff --git a/install/production-filesystem/etc/crontabs/netalertx b/install/production-filesystem/services/config/crond/netalertx similarity index 100% rename from install/production-filesystem/etc/crontabs/netalertx rename to install/production-filesystem/services/config/crond/netalertx diff --git a/install/production-filesystem/services/config/nginx/netalertx.conf b/install/production-filesystem/services/config/nginx/netalertx.conf index f0e6e505..0b427278 100644 --- a/install/production-filesystem/services/config/nginx/netalertx.conf +++ b/install/production-filesystem/services/config/nginx/netalertx.conf 
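Review bot: Of the removed `sed` edits, the one the new config does not visibly restore is `pm.max_children = 10`: the new `www.conf` header says "Commented out user/group; No further changes", so the pool drops back to the upstream default of 5 workers unless it is set further down in that 495-line file, which is outside this view. If that was deliberate, a note in this script or the conf header would keep it from reappearing later as a performance regression. The remaining `install -d -o netalertx -g netalertx /run/php/` now only serves the pid file, since the listener moved to TCP — a comment such as `# /run/php holds only the php-fpm pid file now (listener is 127.0.0.1:9000)` would stop the next reader assuming a socket still lives there.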
@@ -51,7 +51,7 @@ server {
 location ~* \.php$ {
 # Set Cache-Control header to prevent caching on the first load
 add_header Cache-Control "no-store";
- fastcgi_pass unix:/run/php/php8.3-fpm.sock;
+ fastcgi_pass 127.0.0.1:9000;
 include fastcgi_params;
 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 fastcgi_param SCRIPT_NAME $fastcgi_script_name;
diff --git a/install/production-filesystem/services/config/php/php-fpm.conf b/install/production-filesystem/services/config/php/php-fpm.conf
new file mode 100644
index 00000000..777304ad
--- /dev/null
+++ b/install/production-filesystem/services/config/php/php-fpm.conf
@@ -0,0 +1,12 @@
+; NETALERTX PHP FPM config
+;
+; This was created with the following command on a fresh install:
+; grep -v -e ';' -e '^$' /etc/php83/php-fpm.conf| sed 's/\\n\\n//g'
+;
+; error_log and include are modified
+;
+
+[global]
+pid = /run/php/php8.3-fpm.pid
+error_log = /app/log/app.php_errors.log
+include=/services/config/php/php-fpm.d/*.conf
diff --git a/install/production-filesystem/services/config/php/php-fpm.d/www.conf b/install/production-filesystem/services/config/php/php-fpm.d/www.conf
new file mode 100644
index 00000000..67a9369f
--- /dev/null
+++ b/install/production-filesystem/services/config/php/php-fpm.d/www.conf
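Review bot: Moving `fastcgi_pass` from the unix socket to `127.0.0.1:9000` widens who can reach PHP-FPM: a FastCGI client controls `SCRIPT_FILENAME`, so anything that can connect to that port can execute arbitrary PHP in the container, and the new `www.conf` leaves `listen.allowed_clients` commented out. Inside a bridge-networked container that is only other processes in the container, but this is an ARP/nmap scanner and is commonly run with `--network host` for LAN discovery (the run args are not visible here), in which case `127.0.0.1:9000` is the host loopback and every local user on the host gets a PHP execution primitive. The unix socket under `/run/php` — a directory init-php-fpm.sh still creates and netalertx already owns — had none of this exposure; if TCP is wanted for the devcontainer, keep `fastcgi_pass unix:/run/php/php8.3-fpm.sock;` for the production config, or at least set `listen.allowed_clients = 127.0.0.1` in `www.conf` and document the host-network caveat.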
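Review bot: `error_log = /app/log/app.php_errors.log` hardcodes the install prefix that the rest of the build parametrises through `INSTALL_DIR`/`NETALERTX_APP` and that the old init script took from `${LOG_APP_PHP_ERRORS}`; a build with a different `INSTALL_DIR` gets a php-fpm that cannot open its log at start. The header says the file was produced by grepping the stock config, so it should also name every value edited by hand — `pid` was changed too, not only `error_log` and `include` as the comment claims — e.g. `; pid, error_log and include are modified from the stock file`. Since `include` now pulls every `*.conf` from `/services/config/php/php-fpm.d/`, write access to that directory is what decides who can add a pool; the hardened stage's `chmod -R 005` covers it, the devcontainer stage does not, which is acceptable for dev as long as it is understood.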
@@ -0,0 +1,495 @@
+; NetAlertX php-fpm www.conf
+;
+; Commented out user/group
+; No further changes
+
+; Start a new pool named 'www'.
+; the variable $pool can be used in any directive and will be replaced by the
+; pool name ('www' here)
+[www]
+
+; Per pool prefix
+; It only applies on the following directives:
+; - 'access.log'
+; - 'slowlog'
+; - 'listen' (unixsocket)
+; - 'chroot'
+; - 'chdir'
+; - 'php_values'
+; - 'php_admin_values'
+; When not set, the global prefix (or /usr) applies instead.
+; Note: This directive can also be relative to the global prefix.
+; Default Value: none
+;prefix = /path/to/pools/$pool
+
+; Unix user/group of the child processes. This can be used only if the master
+; process running user is root. It is set after the child process is created.
+; The user and group can be specified either by their name or by their numeric
+; IDs.
+; Note: If the user is root, the executable needs to be started with
+; --allow-to-run-as-root option to work.
+; Default Values: The user is set to master process running user by default.
+; If the group is not set, the user's group is used.
+; user = nobody
+; group = nobody
+
+; The address on which to accept FastCGI requests.
+; Valid syntaxes are:
+; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
+; a specific port;
+; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
+; a specific port;
+; 'port' - to listen on a TCP socket to all addresses
+; (IPv6 and IPv4-mapped) on a specific port;
+; '/path/to/unix/socket' - to listen on a unix socket.
+; Note: This value is mandatory.
+listen = 127.0.0.1:9000
+
+; Set listen(2) backlog.
+; Default Value: 511 (-1 on Linux, FreeBSD and OpenBSD)
+;listen.backlog = 511
+
+; Set permissions for unix socket, if one is used. In Linux, read/write
+; permissions must be set in order to allow connections from a web server. Many
+; BSD-derived systems allow connections regardless of permissions. The owner
+; and group can be specified either by name or by their numeric IDs.
+; Default Values: Owner is set to the master process running user. If the group
+; is not set, the owner's group is used. Mode is set to 0660.
+;listen.owner = nobody
+;listen.group = nobody
+;listen.mode = 0660
+
+; When POSIX Access Control Lists are supported you can set them using
+; these options, value is a comma separated list of user/group names.
+; When set, listen.owner and listen.group are ignored
+;listen.acl_users =
+;listen.acl_groups =
+
+; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
+; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
+; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
+; must be separated by a comma. If this value is left blank, connections will be
+; accepted from any ip address.
+; Default Value: any
+;listen.allowed_clients = 127.0.0.1
+
+; Set the associated the route table (FIB). FreeBSD only
+; Default Value: -1
+;listen.setfib = 1
+
+; Specify the nice(2) priority to apply to the pool processes (only if set)
+; The value can vary from -19 (highest priority) to 20 (lower priority)
+; Note: - It will only work if the FPM master process is launched as root
+; - The pool processes will inherit the master process priority
+; unless it specified otherwise
+; Default Value: no set
+; process.priority = -19
+
+; Set the process dumpable flag (PR_SET_DUMPABLE prctl for Linux or
+; PROC_TRACE_CTL procctl for FreeBSD) even if the process user
+; or group is different than the master process user. It allows to create process
+; core dump and ptrace the process for the pool user.
+; Default Value: no
+; process.dumpable = yes
+
+; Choose how the process manager will control the number of child processes.
+; Possible Values:
+; static - a fixed number (pm.max_children) of child processes;
+; dynamic - the number of child processes are set dynamically based on the
+; following directives. With this process management, there will be
+; always at least 1 children.
+; pm.max_children - the maximum number of children that can
+; be alive at the same time.
+; pm.start_servers - the number of children created on startup.
+; pm.min_spare_servers - the minimum number of children in 'idle'
+; state (waiting to process). If the number
+; of 'idle' processes is less than this
+; number then some children will be created.
+; pm.max_spare_servers - the maximum number of children in 'idle'
+; state (waiting to process). If the number
+; of 'idle' processes is greater than this
+; number then some children will be killed.
+; pm.max_spawn_rate - the maximum number of rate to spawn child
+; processes at once.
+; ondemand - no children are created at startup. Children will be forked when
+; new requests will connect. The following parameter are used:
+; pm.max_children - the maximum number of children that
+; can be alive at the same time.
+; pm.process_idle_timeout - The number of seconds after which
+; an idle process will be killed.
+; Note: This value is mandatory.
+pm = dynamic
+
+; The number of child processes to be created when pm is set to 'static' and the
+; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
+; This value sets the limit on the number of simultaneous requests that will be
+; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
+; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
+; CGI. The below defaults are based on a server without much resources. Don't
+; forget to tweak pm.* to fit your needs.
+; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
+; Note: This value is mandatory.
+pm.max_children = 10
+
+; The number of child processes created on startup.
+; Note: Used only when pm is set to 'dynamic'
+; Default Value: (min_spare_servers + max_spare_servers) / 2
+pm.start_servers = 2
+
+; The desired minimum number of idle server processes.
+; Note: Used only when pm is set to 'dynamic'
+; Note: Mandatory when pm is set to 'dynamic'
+pm.min_spare_servers = 1
+
+; The desired maximum number of idle server processes.
+; Note: Used only when pm is set to 'dynamic'
+; Note: Mandatory when pm is set to 'dynamic'
+pm.max_spare_servers = 3
+
+; The number of rate to spawn child processes at once.
+; Note: Used only when pm is set to 'dynamic'
+; Note: Mandatory when pm is set to 'dynamic'
+; Default Value: 32
+;pm.max_spawn_rate = 32
+
+; The number of seconds after which an idle process will be killed.
+; Note: Used only when pm is set to 'ondemand'
+; Default Value: 10s
+;pm.process_idle_timeout = 10s;
+
+; The number of requests each child process should execute before respawning.
+; This can be useful to work around memory leaks in 3rd party libraries. For
+; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
+; Default Value: 0
+;pm.max_requests = 500
+
+; The URI to view the FPM status page. If this value is not set, no URI will be
+; recognized as a status page. It shows the following information:
+; pool - the name of the pool;
+; process manager - static, dynamic or ondemand;
+; start time - the date and time FPM has started;
+; start since - number of seconds since FPM has started;
+; accepted conn - the number of request accepted by the pool;
+; listen queue - the number of request in the queue of pending
+; connections (see backlog in listen(2));
+; max listen queue - the maximum number of requests in the queue
+; of pending connections since FPM has started;
+; listen queue len - the size of the socket queue of pending connections;
+; idle processes - the number of idle processes;
+; active processes - the number of active processes;
+; total processes - the number of idle + active processes;
+; max active processes - the maximum number of active processes since FPM
+; has started;
+; max children reached - number of times, the process limit has been reached,
+; when pm tries to start more children (works only for
+; pm 'dynamic' and 'ondemand');
+; Value are updated in real time.
+; Example output:
+; pool: www
+; process manager: static
+; start time: 01/Jul/2011:17:53:49 +0200
+; start since: 62636
+; accepted conn: 190460
+; listen queue: 0
+; max listen queue: 1
+; listen queue len: 42
+; idle processes: 4
+; active processes: 11
+; total processes: 15
+; max active processes: 12
+; max children reached: 0
+;
+; By default the status page output is formatted as text/plain. Passing either
+; 'html', 'xml' or 'json' in the query string will return the corresponding
+; output syntax. Example:
+; http://www.foo.bar/status
+; http://www.foo.bar/status?json
+; http://www.foo.bar/status?html
+; http://www.foo.bar/status?xml
+;
+; By default the status page only outputs short status. Passing 'full' in the
+; query string will also return status for each pool process.
+; Example:
+; http://www.foo.bar/status?full
+; http://www.foo.bar/status?json&full
+; http://www.foo.bar/status?html&full
+; http://www.foo.bar/status?xml&full
+; The Full status returns for each process:
+; pid - the PID of the process;
+; state - the state of the process (Idle, Running, ...);
+; start time - the date and time the process has started;
+; start since - the number of seconds since the process has started;
+; requests - the number of requests the process has served;
+; request duration - the duration in µs of the requests;
+; request method - the request method (GET, POST, ...);
+; request URI - the request URI with the query string;
+; content length - the content length of the request (only with POST);
+; user - the user (PHP_AUTH_USER) (or '-' if not set);
+; script - the main script called (or '-' if not set);
+; last request cpu - the %cpu the last request consumed
+; it's always 0 if the process is not in Idle state
+; because CPU calculation is done when the request
+; processing has terminated;
+; last request memory - the max amount of memory the last request consumed
+; it's always 0 if the process is not in Idle state
+; because memory calculation is done when the request
+; processing has terminated;
+; If the process is in Idle state, then informations are related to the
+; last request the process has served. Otherwise informations are related to
+; the current request being served.
+; Example output:
+; ************************
+; pid: 31330
+; state: Running
+; start time: 01/Jul/2011:17:53:49 +0200
+; start since: 63087
+; requests: 12808
+; request duration: 1250261
+; request method: GET
+; request URI: /test_mem.php?N=10000
+; content length: 0
+; user: -
+; script: /home/fat/web/docs/php/test_mem.php
+; last request cpu: 0.00
+; last request memory: 0
+;
+; Note: There is a real-time FPM status monitoring sample web page available
+; It's available in: /usr/share/php83/fpm/status.html
+;
+; Note: The value must start with a leading slash (/). The value can be
+; anything, but it may not be a good idea to use the .php extension or it
+; may conflict with a real PHP file.
+; Default Value: not set
+;pm.status_path = /status
+
+; The address on which to accept FastCGI status request. This creates a new
+; invisible pool that can handle requests independently. This is useful
+; if the main pool is busy with long running requests because it is still possible
+; to get the status before finishing the long running requests.
+;
+; Valid syntaxes are:
+; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
+; a specific port;
+; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
+; a specific port;
+; 'port' - to listen on a TCP socket to all addresses
+; (IPv6 and IPv4-mapped) on a specific port;
+; '/path/to/unix/socket' - to listen on a unix socket.
+; Default Value: value of the listen option
+;pm.status_listen = 127.0.0.1:9001
+
+; The ping URI to call the monitoring page of FPM. If this value is not set, no
+; URI will be recognized as a ping page. This could be used to test from outside
+; that FPM is alive and responding, or to
+; - create a graph of FPM availability (rrd or such);
+; - remove a server from a group if it is not responding (load balancing);
+; - trigger alerts for the operating team (24/7).
+; Note: The value must start with a leading slash (/). The value can be
+; anything, but it may not be a good idea to use the .php extension or it
+; may conflict with a real PHP file.
+; Default Value: not set
+;ping.path = /ping
+
+; This directive may be used to customize the response of a ping request. The
+; response is formatted as text/plain with a 200 response code.
+; Default Value: pong
+;ping.response = pong
+
+; The access log file
+; Default: not set
+;access.log = log/php83/$pool.access.log
+
+; The access log format.
+; The following syntax is allowed
+; %%: the '%' character
+; %C: %CPU used by the request
+; it can accept the following format:
+; - %{user}C for user CPU only
+; - %{system}C for system CPU only
+; - %{total}C for user + system CPU (default)
+; %d: time taken to serve the request
+; it can accept the following format:
+; - %{seconds}d (default)
+; - %{milliseconds}d
+; - %{milli}d
+; - %{microseconds}d
+; - %{micro}d
+; %e: an environment variable (same as $_ENV or $_SERVER)
+; it must be associated with embraces to specify the name of the env
+; variable. Some examples:
+; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
+; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
+; %f: script filename
+; %l: content-length of the request (for POST request only)
+; %m: request method
+; %M: peak of memory allocated by PHP
+; it can accept the following format:
+; - %{bytes}M (default)
+; - %{kilobytes}M
+; - %{kilo}M
+; - %{megabytes}M
+; - %{mega}M
+; %n: pool name
+; %o: output header
+; it must be associated with embraces to specify the name of the header:
+; - %{Content-Type}o
+; - %{X-Powered-By}o
+; - %{Transfert-Encoding}o
+; - ....
+; %p: PID of the child that serviced the request
+; %P: PID of the parent of the child that serviced the request
+; %q: the query string
+; %Q: the '?' character if query string exists
+; %r: the request URI (without the query string, see %q and %Q)
+; %R: remote IP address
+; %s: status (response code)
+; %t: server time the request was received
+; it can accept a strftime(3) format:
+; %d/%b/%Y:%H:%M:%S %z (default)
+; The strftime(3) format must be encapsulated in a %{}t tag
+; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
+; %T: time the log has been written (the request has finished)
+; it can accept a strftime(3) format:
+; %d/%b/%Y:%H:%M:%S %z (default)
+; The strftime(3) format must be encapsulated in a %{}t tag
+; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
+; %u: remote user
+;
+; Default: "%R - %u %t \"%m %r\" %s"
+;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{milli}d %{kilo}M %C%%"
+
+; A list of request_uri values which should be filtered from the access log.
+;
+; As a security precuation, this setting will be ignored if:
+; - the request method is not GET or HEAD; or
+; - there is a request body; or
+; - there are query parameters; or
+; - the response code is outwith the successful range of 200 to 299
+;
+; Note: The paths are matched against the output of the access.format tag "%r".
+; On common configurations, this may look more like SCRIPT_NAME than the
+; expected pre-rewrite URI.
+;
+; Default Value: not set
+;access.suppress_path[] = /ping
+;access.suppress_path[] = /health_check.php
+
+; The log file for slow requests
+; Default Value: not set
+; Note: slowlog is mandatory if request_slowlog_timeout is set
+;slowlog = log/php83/$pool.slow.log
+
+; The timeout for serving a single request after which a PHP backtrace will be
+; dumped to the 'slowlog' file. A value of '0s' means 'off'.
+; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
+; Default Value: 0
+;request_slowlog_timeout = 0
+
+; Depth of slow log stack trace.
+; Default Value: 20
+;request_slowlog_trace_depth = 20
+
+; The timeout for serving a single request after which the worker process will
+; be killed. This option should be used when the 'max_execution_time' ini option
+; does not stop script execution for some reason. A value of '0' means 'off'.
+; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
+; Default Value: 0
+;request_terminate_timeout = 0
+
+; The timeout set by 'request_terminate_timeout' ini option is not engaged after
+; application calls 'fastcgi_finish_request' or when application has finished and
+; shutdown functions are being called (registered via register_shutdown_function).
+; This option will enable timeout limit to be applied unconditionally
+; even in such cases.
+; Default Value: no
+;request_terminate_timeout_track_finished = no
+
+; Set open file descriptor rlimit.
+; Default Value: system defined value
+;rlimit_files = 1024
+
+; Set max core size rlimit.
+; Possible Values: 'unlimited' or an integer greater or equal to 0
+; Default Value: system defined value
+;rlimit_core = 0
+
+; Chroot to this directory at the start. This value must be defined as an
+; absolute path. When this value is not set, chroot is not used.
+; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
+; of its subdirectories. If the pool prefix is not set, the global prefix
+; will be used instead.
+; Note: chrooting is a great security feature and should be used whenever
+; possible. However, all PHP paths will be relative to the chroot
+; (error_log, sessions.save_path, ...).
+; Default Value: not set
+;chroot =
+
+; Chdir to this directory at the start.
+; Note: relative path can be used.
+; Default Value: current directory or / when chroot
+;chdir = /var/www
+
+; Redirect worker stdout and stderr into main error log. If not set, stdout and
+; stderr will be redirected to /dev/null according to FastCGI specs.
+; Note: on highloaded environment, this can cause some delay in the page
+; process time (several ms).
+; Default Value: no
+;catch_workers_output = yes
+
+; Decorate worker output with prefix and suffix containing information about
+; the child that writes to the log and if stdout or stderr is used as well as
+; log level and time. This options is used only if catch_workers_output is yes.
+; Settings to "no" will output data as written to the stdout or stderr.
+; Default value: yes
+;decorate_workers_output = no
+
+; Clear environment in FPM workers
+; Prevents arbitrary environment variables from reaching FPM worker processes
+; by clearing the environment in workers before env vars specified in this
+; pool configuration are added.
+; Setting to "no" will make all environment variables available to PHP code
+; via getenv(), $_ENV and $_SERVER.
+; Default Value: yes
+;clear_env = no
+
+; Limits the extensions of the main script FPM will allow to parse. This can
+; prevent configuration mistakes on the web server side. You should only limit
+; FPM to .php extensions to prevent malicious users to use other extensions to
+; execute php code.
+; Note: set an empty value to allow all extensions.
+; Default Value: .php
+;security.limit_extensions = .php .php3 .php4 .php5 .php7
+
+; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
+; the current environment.
+; Default Value: clean env
+;env[HOSTNAME] = $HOSTNAME
+;env[PATH] = /usr/local/bin:/usr/bin:/bin
+;env[TMP] = /tmp
+;env[TMPDIR] = /tmp
+;env[TEMP] = /tmp
+
+; Additional php.ini defines, specific to this pool of workers. These settings
+; overwrite the values previously defined in the php.ini. The directives are the
+; same as the PHP SAPI:
+; php_value/php_flag - you can set classic ini defines which can
+; be overwritten from PHP call 'ini_set'.
+; php_admin_value/php_admin_flag - these directives won't be overwritten by
+; PHP call 'ini_set'
+; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
+
+; Defining 'extension' will load the corresponding shared extension from
+; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
+; overwrite previously defined php.ini values, but will append the new value
+; instead.
+
+; Note: path INI options can be relative and will be expanded with the prefix
+; (pool, global or /usr)
+
+; Default Value: nothing is defined by default except the values in php.ini and
+; specified at startup with the -d argument
+;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
+;php_flag[display_errors] = off
+;php_admin_value[error_log] = /var/log/php83/$pool.error.log
+;php_admin_flag[log_errors] = on
+;php_admin_value[memory_limit] = 32M
diff --git a/install/production-filesystem/services/start-crond.sh b/install/production-filesystem/services/start-crond.sh
index e577d5cd..b0a9c6b8 100755
--- a/install/production-filesystem/services/start-crond.sh
+++ b/install/production-filesystem/services/start-crond.sh
@@ -1,3 +1,3 @@
 #!/bin/bash
 echo "Starting crond..."
-exec /usr/sbin/crond -f -L "${LOG_CROND}"
+exec /usr/sbin/crond -c ${SYSTEM_SERVICES_CROND} -f -L "${LOG_CROND}"
diff --git a/install/production-filesystem/services/start-php-fpm.sh b/install/production-filesystem/services/start-php-fpm.sh
index 97048d42..9af0313d 100755
--- a/install/production-filesystem/services/start-php-fpm.sh
+++ b/install/production-filesystem/services/start-php-fpm.sh
@@ -1,3 +1,3 @@
 #!/bin/bash
 echo "Starting php-fpm..."
-exec /usr/sbin/php-fpm83 -F >> "${LOG_APP_PHP_ERRORS}" 2>&1
+exec /usr/sbin/php-fpm83 -y ${PHP_FPM_CONFIG_FILE} -F >> "${LOG_APP_PHP_ERRORS}" 2>&1
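Review bot: `;listen.allowed_clients = 127.0.0.1` is left commented out even though `listen = 127.0.0.1:9000` moves the pool onto TCP; uncommenting it is free and rejects FastCGI clients arriving from a non-loopback peer, though it only checks the source address and is no substitute for the socket permissions the old unix socket had. The header's `No further changes` is also not accurate: `pm.max_children = 10` is the value the old init script patched in by sed, not the stock 5, so the header should say so, e.g. `; pm.max_children raised from 5 to 10 (previously applied by init-php-fpm.sh)`. With `user`/`group` commented out the workers run as whoever launches the master, which this file cannot verify; a one-line note stating the expected service user would make the intent reviewable.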
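Review bot: `${SYSTEM_SERVICES_CROND}` on the new exec line is unquoted and has no guard, so if it is unset `-c` would consume `-f` as the crontab directory and crond would likely daemonize instead of staying in the foreground, causing the exec'd service to return immediately. Quote it and fail fast so a missing variable is a loud startup error rather than a silently wrong crontab path: `exec /usr/sbin/crond -c "${SYSTEM_SERVICES_CROND:?SYSTEM_SERVICES_CROND is not set}" -f -L "${LOG_CROND}"`.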
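Review bot: `${PHP_FPM_CONFIG_FILE}` is unquoted and unguarded on the new exec line, so an unset variable turns the command into `php-fpm83 -y -F`, which hands `-F` to `-y` as the config filename and misparses the rest; a path containing spaces would be split the same way. Quote it and require it: `exec /usr/sbin/php-fpm83 -y "${PHP_FPM_CONFIG_FILE:?PHP_FPM_CONFIG_FILE is not set}" -F >> "${LOG_APP_PHP_ERRORS}" 2>&1`. Since the new php-fpm.conf fixes `error_log` to `/app/log/app.php_errors.log` while this line appends to `${LOG_APP_PHP_ERRORS}`, a comment such as `# LOG_APP_PHP_ERRORS must match error_log in the php-fpm.conf passed via -y` would keep the two from drifting.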