Added updated baseimage, NVM for node, New Relic APM and HTTPS configuration

Author: mstrazds

Changelog.md

@@ -1,3 +1,12 @@
+## 0.9.3 (release date: 2016-01-10)
+
+ * Removed latest version of nodejs installation
+ * Updated `phusion/baseimage` to `0.9.18`
+ * Added NVM `0.30.2` for switching node to `0.10.37`
+ * Added New Relic APM setup script for monitoring
+ * Added HTTPS configuration with generated certificate
+ * Added system timezone setting to: "Australia/Sydney"
+
 ## 0.9.2 (release date: 2015-11-30)
 
  * Added PostgreSQL Support

Dockerfile

@@ -1,4 +1,4 @@
-FROM phusion/baseimage:0.9.17
+FROM phusion/baseimage:0.9.18
 
 # Phusion setup
 ENV HOME /root
@@ -14,9 +14,25 @@ RUN apt-get update -y && sudo apt-get upgrade -y && apt-get install -y php5 php5
 					php5-pgsql php5-curl php5-gd php5-mcrypt php5-intl php5-imap php5-tidy \
 					php-pear php5-xmlrpc
 
-# Install latest version of nodejs
-RUN curl --silent --location https://deb.nodesource.com/setup_4.x | sudo bash -
-RUN apt-get install -y nodejs
+# Run update timezone replace city with relevant city. eg. "Australia/Sydney"
+RUN cp -p /usr/share/zoneinfo/Australia/Sydney /etc/localtime
+
+# Replace shell with bash so we can source files
+RUN rm /bin/sh && ln -s /bin/bash /bin/sh
+
+# Install Node Version Manager and install node specific version
+ENV NVM_DIR /usr/local/nvm
+ENV NODE_VERSION 0.10.37
+
+# Install nvm with node and npm
+RUN curl https://raw.githubusercontent.com/creationix/nvm/v0.30.2/install.sh | bash \
+    && source $NVM_DIR/nvm.sh \
+    && nvm install $NODE_VERSION \
+    && nvm alias default $NODE_VERSION \
+    && nvm use default
+
+ENV NODE_PATH $NVM_DIR/v$NODE_VERSION/lib/node_modules
+ENV PATH      $NVM_DIR/v$NODE_VERSION/bin:$PATH
 
 # Install nginx (full)
 RUN apt-get install -y nginx-full
@@ -55,6 +71,25 @@ ADD build/index.php /var/www/public/index.php
 RUN chown -R www-data:www-data /var/www
 RUN chmod -R 755 /var/www
 
+# Install New Relic daemon
+RUN apt-get update && \
+    apt-get -yq install wget && \
+    wget -O - https://download.newrelic.com/548C16BF.gpg | apt-key add - && \
+    echo "deb http://apt.newrelic.com/debian/ newrelic non-free" > /etc/apt/sources.list.d/newrelic.list
+
+RUN apt-get update && \
+    apt-get -yq install newrelic-php5
+
+# Add New Relic APM install script
+RUN mkdir -p /etc/my_init.d
+ADD build/newrelic.sh /etc/my_init.d/newrelic.sh
+RUN chmod +x /etc/my_init.d/newrelic.sh
+
+# Setup environment variables for initializing New Relic APM
+ENV NR_INSTALL_SILENT 1
+ENV NR_INSTALL_KEY **ChangeMe**
+ENV NR_APP_NAME "Docker PHP Application"
+
 # Set terminal environment
 ENV TERM=xterm
 

README.md

@@ -4,7 +4,7 @@
   </a>
 </p>
 -----
-# nginx-php56
+# nginx-php56 [![](https://badge.imagelayers.io/mstrazds/nginx-php56:latest.svg)](https://imagelayers.io/?images=mstrazds/nginx-php56:latest 'Get your own badge on imagelayers.io')
 A Nginx + PHP 5.6 (FPM) base container. Builds upon on the excellent [phusion/baseimage-docker](https://github.com/phusion/baseimage-docker) container. You can find the docker automated build [here](https://registry.hub.docker.com/u/mstrazds/nginx-php56/).
 
 ### Services
@@ -26,7 +26,32 @@ The following folder is specified as the default root web folder:
 
 ``/var/www/public``
 
-Note that the ``/var/www/public`` is the root folder for serving PHP files for your web server.
+Note that the ``/var/www/public`` is the root folder for serving PHP files for your web server. The following ports are exposed:
+
+* 80 (HTTP)
+* 443 (HTTPS/SSL)
+
+### SSL Self Signed Certificate
+The image generates a self-signed certificate for each container within the folder:
+
+``/etc/nginx/certs.d/``
+
+During build the ``build/default`` file is used to copy and configure nginx default settings. This includes a cipher suite for legacy browser (IE8+) support. See: [https://cipherli.st/](https://cipherli.st/)
+
+### Node + NVM
+The image contains installation and configuration of node ``0.10.37`` by default using NVM [(Node Version Manager)](https://github.com/creationix/nvm). This can be changed by running: ``nvm install $NODE_VERSION`` and using the new node version by running the following command: ``nvm use $NODE_VERSION``
+
+### New Relic APM
+Installs New Relic APM daemon on [container startup](https://github.com/phusion/baseimage-docker#running_startup_scripts) to monitor the php application within the image. See [this tutorial](http://code.tutsplus.com/tutorials/how-to-monitor-docker-based-applications-using-new-relic--cms-24891) for more information.
+
+The following environment variables are required in order to complete the New Relic configuration:
+
+* ``NR_INSTALL_KEY`` 134adf09dsfblahsomething
+* ``NR_APP_NAME`` "Docker PHP App Name"
+
+If the ``NR_INSTALL_KEY`` New Relic will not be setup. By default this will prevent monitoring as the key is invalid until entered on startup. Eg:
+
+``docker run --name nginx -e NR_INSTALL_KEY="134adf09dsfblahsomething" -e NR_APP_NAME="nginx-test" -p 80:80 -p 443:443 -d mstrazds/nginx-php56:latest``
 
 ### Build Folder (within repo)
 Contains nginx config files as well as php-fpm settings. Also include setup.sh file that offloads tasks from the Dockerfile to reduce layers.

build/default

@@ -36,6 +36,114 @@ server {
         fastcgi_param HTTPS off;
     }
 
+    # Deny .htaccess file access
+    location ~ /\.ht {
+        deny all;
+    }
+
+        # Redirect users to go to SSL Version
+        #if ($ssl_protocol = "") {
+        #    rewrite ^ https://$server_name$request_uri? permanent;
+        #}
+
+    }
+
+server {
+
+    listen 443 ssl;
+    server_name localhost;
+
+    # tell the browser we can only talk to self and google analytics.
+    #add_header X-Content-Security-Policy "default-src 'self'; \
+    #script-src 'self' https://ssl.google-analytics.com; \
+    #img-src 'self' https://ssl.google-analytics.com";
+
+    # SSL Settings (see: https://cipherli.st/ )
+
+    # ciphers chosen and ordered for mix of performance, interoperability and security (supports IE8+)
+    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout  10m;
+
+    # tell users to go to SSL version next time
+    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
+
+    # tell the browser dont allow hosting in a frame
+    add_header X-Frame-Options DENY;
+
+    # certificate
+    ssl_certificate_key         certs.d/localhost.key;
+    ssl_certificate             certs.d/localhost.cer;
+
+    add_header X-Content-Type-Options nosniff;
+    ssl_session_tickets off;
+
+    # enable ocsp stapling
+    ssl_stapling on; # Requires nginx >= 1.3.7
+    ssl_stapling_verify on; # Requires nginx >= 1.3.7
+    resolver 8.8.8.8 4.4.4.4 valid=300s;
+    resolver_timeout 5s;
+
+    # ssl trusted certificate
+    ssl_trusted_certificate certs.d/localhost.cer;
+
+    root /var/www/public;
+    index index.html index.htm index.php;
+
+    access_log off;
+    error_log  /var/log/nginx/localhost-error.log error;
+    expires @30m;
+
+    #access_log /var/log/nginx/localhost.com-access.log;
+    #error_log  /var/log/nginx/localhost.com-error.log error;
+
+    charset utf-8;
+
+    location / {
+        try_files $uri $uri/ /index.html /index.php?$query_string;
+    }
+
+    location = /favicon.ico { log_not_found off; access_log off; }
+    location = /robots.txt  { access_log off; log_not_found off; }
+
+    error_page 404 /index.php;
+
+    # redirect server error pages to the static page /50x.html
+    #error_page   500 502 503 504  /50x.html;
+
+    #location = /50x.html {
+    #root   /usr/share/nginx/html;
+    #}
+
+    # pass the PHP scripts to php5-fpm
+    # Note: \.php$ is susceptible to file upload attacks
+    # Consider using: "location ~ ^/(index|app|app_dev|config)\.php(/|$) {"
+
+    location ~ \.php$ {
+
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+        # With php5-fpm:
+        fastcgi_pass unix:/var/run/php5-fpm.sock;
+        fastcgi_index index.php;
+        include fastcgi_params;
+        fastcgi_param REMOTE_ADDR $http_x_real_ip;
+        fastcgi_param PATH_TRANSLATED $document_root$fastcgi_script_name;
+
+        fastcgi_param	SCRIPT_FILENAME   $request_filename;
+        fastcgi_param	SCRIPT_NAME       $fastcgi_script_name;
+        fastcgi_param	REQUEST_URI       $request_uri;
+        fastcgi_param	DOCUMENT_URI      $document_uri;
+        fastcgi_param	DOCUMENT_ROOT     $document_root;
+        fastcgi_param	SERVER_PROTOCOL   $server_protocol;
+
+        fastcgi_param HTTPS on;
+    }
+
     # Deny .htaccess file access
     location ~ /\.ht {
         deny all;

build/newrelic.sh

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -e
+
+echo "Enabling APM metrics for ${NR_APP_NAME}"
+newrelic-install install
+
+# Update the application name
+sed -i "s/newrelic.appname = \"PHP Application\"/newrelic.appname = \"${NR_APP_NAME}\"/" /etc/php5/fpm/conf.d/newrelic.ini

build/setup.sh

@@ -1,5 +1,11 @@
 #!/usr/bin/env bash
 
+##-------------------------------------------------------
+# SETUP SELF SIGNED SSL CERTIFICATES
+##-------------------------------------------------------
+mkdir -p /etc/nginx/certs.d
+openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/certs.d/localhost.key -out /etc/nginx/certs.d/localhost.cer -days 356 -subj /C=AU/ST=NSW/L=Sydney/O=IT/CN=localhost.com
+
 ##-------------------------------------------------------
 # UPDATE CONFIG FILES
 ##-------------------------------------------------------