examples

Author: Tob1as

examples/README.md

@@ -1,7 +1,8 @@
 # PHP - Examples
 
-All examples for WSC!
+All examples for [WSC (WoltLab Suite Core)](https://www.woltlab.com/en/woltlab-suite-download/)!
 
-* fpm-nginx-dhi
-* apache
-* ...
+* fpm-nginx-dhi: php-fpm, nginx, mysql, traefik, prometheus-exporters - only using DHI (Docker Hardened Images)
+* fpm-nginx: like fpm-nginx-dhi, but offical docker community images and other (Notice: mysql replaced by mariadb) 
+* fpm-nginx-aio: like fpm-nginx, but php-fpm and nginx in single container/image
+* apache: apache2 and php in single container/image, mariadb, traefik, prometheus-exporters

examples/apache/docker-compose.yml

@@ -19,6 +19,7 @@ services:
       PHP_UPLOAD_MAX_FILESIZE: 250
       PHP_MAX_FILE_UPLOADS: 20
       PHP_MAX_EXECUTION_TIME: 120
+      PHP_SET_OPCACHE_SETTINGS: 1
       ## next env only with apache
       ENABLE_APACHE_REWRITE: 1
       ENABLE_APACHE_ALLOWOVERRIDE: 1

examples/fpm-nginx-aio/config/mysql_exporter-user.sh

@@ -0,0 +1,21 @@
+#!/bin/sh
+set -e
+
+# SOURCE: https://github.com/Tob1as/docker-kubernetes-collection/blob/master/examples_docker-compose/config_mariadb/20_exporter-user.sh
+
+: "${EXPORTER_USER:="exporter"}"
+: "${EXPORTER_PASSWORD:="Exp0rt3r!"}"
+: "${EXPORTER_MAXUSERCONNECTIONS:="3"}"
+host='%' # set '%' to allow from all host
+
+mariadb -h localhost -u root --password="${MARIADB_ROOT_PASSWORD}" -sNe \
+"SELECT user FROM mysql.user WHERE user = '${EXPORTER_USER}' GROUP BY user;" \
+| grep -q ${EXPORTER_USER}} \
+|| mariadb -h localhost -u root --password="${MARIADB_ROOT_PASSWORD}" -sN <<EOSQL
+    CREATE USER '${EXPORTER_USER}'@'${host}' IDENTIFIED BY '${EXPORTER_PASSWORD}' WITH MAX_USER_CONNECTIONS ${EXPORTER_MAXUSERCONNECTIONS};
+    GRANT PROCESS, REPLICATION CLIENT, SELECT, SLAVE MONITOR ON *.* TO '${EXPORTER_USER}'@'${host}';
+    GRANT SELECT ON performance_schema.* TO '${EXPORTER_USER}'@'${host}';
+    FLUSH PRIVILEGES;
+EOSQL
+
+mariadb -h localhost -u root --password=${MARIADB_ROOT_PASSWORD} -e "SELECT user, host, max_user_connections FROM mysql.user;"

examples/fpm-nginx-aio/config/mysql_wsc.cnf

@@ -0,0 +1,2 @@
+[server]
+innodb_buffer_pool_size = 512M

examples/fpm-nginx-aio/config/traefik/dynamic/disable-traefik-default-cert.yml

@@ -0,0 +1,21 @@
+# https://github.com/traefik/traefik/issues/9945#issuecomment-1590229681
+# https://doc.traefik.io/traefik/reference/routing-configuration/http/tls/tls-certificates/#strict-sni-checking
+# https://www.ssllabs.com/ssltest/
+tls:
+  options:
+    default:
+      sniStrict: true            # <-----  Strict SNI Checking
+    #  minVersion: VersionTLS12
+    #  cipherSuites:
+    #    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 # TLS 1.2
+    #    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305  # TLS 1.2
+    #    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   # TLS 1.2
+    #    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305    # TLS 1.2
+    #    - TLS_AES_256_GCM_SHA384                  # TLS 1.3
+    #    - TLS_CHACHA20_POLY1305_SHA256            # TLS 1.3
+    #    - TLS_FALLBACK_SCSV                       # TLS FALLBACK
+    #  curvePreferences:
+    #    - secp521r1
+    #    - secp384r1
+    #modern:
+    #  minVersion: VersionTLS13

examples/fpm-nginx-aio/config/traefik/dynamic/redirect-to-https.yml

@@ -0,0 +1,7 @@
+http:
+  middlewares:
+    redirect-to-https:
+      redirectScheme:
+        scheme: https
+        permanent: true
+        #port: 443

examples/fpm-nginx-aio/config/traefik/dynamic/ssl.yml

@@ -0,0 +1,14 @@
+tls:
+  #stores:
+  #  default:
+  #    defaultCertificate:
+  #      certFile: /config/certs/ssl.crt
+  #      keyFile: /config/certs/ssl.key
+  certificates:
+    # first certificate
+    - certFile: /config/certs/ssl.crt
+      keyFile: /config/certs/ssl.key
+    # second certificate
+    #- certFile: /config/certs/other.crt
+    #  keyFile: /config/certs/other.key
+    # and more ...

examples/fpm-nginx-aio/docker-compose.yml

@@ -0,0 +1,295 @@
+services:
+
+  # https://github.com/Tob1as/docker-php
+  # based on: https://hub.docker.com/_/php (https://github.com/docker-library/php)
+  # command: mkdir ./html && chown 33:33 ./html
+  wsc-php:
+    image: docker.io/tobi312/php:8.4-fpm-nginx-alpine-wsc
+    container_name: wsc-php
+    restart: unless-stopped
+    #ports:
+    #  - 80:80/tcp
+    volumes:
+      - ./html:/var/www/html:rw
+    environment:
+      TZ: "${TIMEZONE:-Europe/Berlin}"
+      PHP_ERRORS: 0
+      PHP_MEM_LIMIT: 256
+      PHP_POST_MAX_SIZE: 250
+      PHP_UPLOAD_MAX_FILESIZE: 250
+      PHP_MAX_FILE_UPLOADS: 20
+      PHP_MAX_EXECUTION_TIME: 120
+      ENABLE_PHP_FPM_STATUS: 1
+      PHP_SET_OPCACHE_SETTINGS: 1
+      # nginx
+      ENABLE_NGINX_REMOTEIP: 1
+      ENABLE_NGINX_STATUS: 1
+    #depends_on:
+    #  wsc-db:
+    #    condition: service_started   # service_started or service_healthy
+    networks:
+      - wsc-net
+      - traefik-net
+    labels:
+      # Explicitly tell Traefik to expose this container
+      - "traefik.enable=true"
+      - "traefik.docker.network=traefik-net"
+      # Tell Traefik to use the http port to connect to container
+      - "traefik.http.services.wsc.loadbalancer.server.port=80"
+      - "traefik.http.services.wsc.loadbalancer.server.scheme=http"  # when "https" then set "--serversTransport.insecureSkipVerify=true" for traefik
+      # http
+      - "traefik.http.routers.wsc-http.rule=Host(`${DOMAIN}`)"
+      - "traefik.http.routers.wsc-http.entrypoints=web"
+      - "traefik.http.routers.wsc-http.service=wsc"
+      # https
+      - "traefik.http.routers.wsc-https.tls=true"
+      - "traefik.http.routers.wsc-https.rule=Host(`${DOMAIN}`)"
+      - "traefik.http.routers.wsc-https.entrypoints=websecure"
+      - "traefik.http.routers.wsc-https.service=wsc"
+      # load middlewares for routes
+      #- "traefik.http.routers.wsc-http.middlewares=wsc-https@docker"
+      - "traefik.http.routers.wsc-http.middlewares=redirect-to-https@file"
+      #- "traefik.http.routers.wsc-https.middlewares="
+      # http to https redirect      
+      #- "traefik.http.middlewares.wsc-https.redirectscheme.scheme=https"
+      #- "traefik.http.middlewares.wsc-https.redirectscheme.permanent=true"
+      #- "traefik.http.middlewares.wsc-https.redirectscheme.port=443"
+    healthcheck:
+      test: curl --silent --fail --insecure http://localhost:80/php_fpm_ping || exit 1
+      #start_period: 10s
+      interval: 30s
+      timeout: 5s
+      retries: 3
+      # check with: "docker inspect --format='{{json .State.Health}}' wsc-php | jq"
+
+  # https://hub.docker.com/_/mariadb
+  # https://github.com/MariaDB/mariadb-docker
+  # command: mkdir ./data-db && chown 999:999 ./data-db
+  wsc-db:
+    image: docker.io/library/mariadb:11.4
+    container_name: wsc-db
+    restart: unless-stopped
+    volumes:
+      - ./data-db:/var/lib/mysql:rw
+      - ./config/mysql_wsc.cnf:/etc/mysql/conf.d/70-wsc.cnf:ro
+      - ./config/mysql_exporter-user.sh:/docker-entrypoint-initdb.d/20_exporter-user.sh:ro
+    environment:
+      TZ: "${TIMEZONE:-Europe/Berlin}"
+      MARIADB_ROOT_PASSWORD: "${MYSQL_ROOT_PASSWORD}"
+      MARIADB_DATABASE: "${MYSQL_DATABASE:-wcf}"
+      MARIADB_USER: "${MYSQL_USER}"
+      MARIADB_PASSWORD: "${MYSQL_PASSWORD}"
+      MARIADB_MYSQL_LOCALHOST_USER: "true"
+      #MARIADB_AUTO_UPGRADE: 1
+      # Exporter (mounted by script)
+      EXPORTER_USER: "${MYSQL_EXPORTER_USER}"
+      EXPORTER_PASSWORD: "${MYSQL_EXPORTER_PASSWORD}"
+      #EXPORTER_MAXUSERCONNECTIONS: "3"
+    #ports:
+    #  - 127.0.0.1:3306:3306/tcp
+    networks:
+      wsc-net:
+        aliases:
+        - wsc-database
+        - wsc-mysql
+        - wsc-mariadb
+    healthcheck:
+      test:  mariadb-admin ping -h localhost -u root --password=$$MARIADB_ROOT_PASSWORD || exit 1
+      #test:  mariadb-admin ping -h localhost -u $$MARIADB_USER --password=$$MARIADB_PASSWORD || exit 1
+      #start_period: 10s
+      interval: 30s
+      timeout: 5s
+      retries: 3
+      # check with: "docker inspect --format='{{json .State.Health}}' wsc-db | jq"
+  
+#  # https://github.com/prometheus/mysqld_exporter
+#  wsc-db-exporter:
+#    image: docker.io/prom/mysqld-exporter:latest  # quay.io/prometheus/mysqld-exporter:latest
+#    container_name: wsc-db-exporter
+#    restart: unless-stopped
+#    command:
+#      - --web.listen-address=:9104
+#      - --web.telemetry-path=/metrics
+#      - --mysqld.address=wsc-db:3306
+#      - --mysqld.username=${MYSQL_EXPORTER_USER}
+#      - --log.level=info
+#    environment:
+#      MYSQLD_EXPORTER_PASSWORD: ${MYSQL_EXPORTER_PASSWORD}
+#    ports:
+#      - 127.0.0.1:9104:9104/tcp
+#    networks:
+#      - wsc-net
+#      #- monitoring-net
+#    depends_on:
+#      wsc-db:
+#        condition: service_started   # service_started or service_healthy
+#    # Test: curl http://localhost:9104/metrics
+#  
+#  # https://github.com/nginx/nginx-prometheus-exporter
+#  wsc-nginx-exporter:
+#    image: docker.io/nginx/nginx-prometheus-exporter:latest
+#    container_name: wsc-nginx-exporter
+#    restart: unless-stopped
+#    command:
+#      - --web.listen-address=:9113
+#      - --web.telemetry-path=/metrics
+#      - --nginx.scrape-uri=http://wsc-php:80/nginx_status
+#      #- --no-nginx.ssl-verify
+#      - --log.level=info
+#    ports:
+#      - 127.0.0.1:9113:9113/tcp
+#    networks:
+#      - wsc-net
+#      #- monitoring-net
+#    depends_on:
+#      wsc-php:
+#        condition: service_started   # service_started or service_healthy
+#    # Test: curl http://127.0.0.1:9113/metrics
+#
+#  # https://github.com/hipages/php-fpm_exporter
+#  wsc-php-fpm-exporter:
+#    image: docker.io/hipages/php-fpm_exporter:latest  # ghcr.io/hipages/php-fpm_exporter:latest
+#    container_name: wsc-php-fpm-exporter
+#    restart: unless-stopped
+#    command:
+#      - --web.listen-address=:9253
+#      - --web.telemetry-path=/metrics
+#      - --phpfpm.scrape-uri=tcp://wsc-php:9001/php_fpm_status
+#      - --phpfpm.fix-process-count=false
+#      - --log.level=info
+#    ports:
+#      - 127.0.0.1:9253:9253/tcp
+#    networks:
+#      - wsc-net
+#      #- monitoring-net
+#    depends_on:
+#      wsc-php:
+#        condition: service_started   # service_started or service_healthy
+#    # Test: curl http://127.0.0.1:9253/metrics
+
+  # https://hub.docker.com/_/traefik
+  # https://github.com/traefik/traefik/
+  # Docs: https://doc.traefik.io/traefik/
+  traefik:
+    image: docker.io/library/traefik:3
+    container_name: traefik
+    restart: unless-stopped
+    environment:
+      - TZ="${TIMEZONE:-Europe/Berlin}"
+    ports:
+      - "80:80/tcp"                # http
+      - "443:443/tcp"              # https (tcp)
+      - "443:443/udp"              # https (udp) / HTTP3
+      - "127.0.0.1:8082:8082/tcp"  # Traefik Metrics
+      #- "127.0.0.1:8080:8080/tcp" # Traefik Dashboard (if insecure enabled)
+    command:
+      # Entrypoints and Ports
+      - "--entrypoints.web.address=:80"
+      - "--entrypoints.websecure.address=:443"
+      - "--entryPoints.websecure.http3"
+      #- "--entryPoints.websecure.http3.advertisedport=443"
+      - "--entryPoints.traefik.address=:8080"
+      - "--entryPoints.metrics.address=:8082"
+      # Monitoring (Prometheus and Ping)
+      - "--entryPoints.metrics.address=:8082"
+      - "--metrics.prometheus=true"
+      - "--metrics.prometheus.entryPoint=metrics"
+      - "--metrics.prometheus.buckets=0.1,0.3,1.2,5.0"
+      - "--metrics.prometheus.addEntryPointsLabels=true"
+      - "--metrics.prometheus.addrouterslabels=true"
+      - "--metrics.prometheus.addServicesLabels=true"
+      - "--ping=true"
+      - "--ping.entryPoint=metrics"
+      # API and Dashboard
+      - "--api=true"
+      - "--api.dashboard=true"
+      - "--api.basePath=/traefik"
+      #- "--api.insecure=true"
+      # Log and AccessLog
+      - "--log.level=ERROR"         # TRACE, DEBUG, INFO, WARN, ERROR, FATAL, and PANIC
+      - "--log.format=common"       # common, json
+      - "--accesslog=true"
+      - "--accesslog.format=common" # common, genericCLF , json
+      - "--accesslog.addinternals"
+      - "--accesslog.fields.names.StartUTC=drop"  # TimeZone (set to "drop", for use from env)
+      # ServersTransport (internal/backend CA-Cert/SSL)
+      - "--serversTransport.insecureSkipVerify=true"
+      #- "--serversTransport.rootCAs=/config/certs/ca.crt"
+      # Dynamic Configs
+      - "--providers.file.directory=/config/dynamic"
+      - "--providers.file.watch=true"
+      # Optional: Plugins <https://plugins.traefik.io/plugins>
+      # https://plugins.traefik.io/plugins/62947307108ecc83915d7783/rewrite-body
+      #- "--experimental.plugins.rewrite.modulename=github.com/traefik/plugin-rewritebody"
+      #- "--experimental.plugins.rewrite.version=v0.3.1"
+      # https://plugins.traefik.io/plugins/62947354108ecc83915d778e/block-path
+      #- "--experimental.plugins.block.modulename=github.com/traefik/plugin-blockpath"
+      #- "--experimental.plugins.block.version=v0.2.1"
+      # https://plugins.traefik.io/plugins/62947302108ecc83915d7781/geoblock
+      #- "--experimental.plugins.geoblock.modulename=github.com/nscuro/traefik-plugin-geoblock"
+      #- "--experimental.plugins.geoblock.version=v0.14.0"
+      # Docker Provider (Traefik must run as root)
+      - "--providers.docker=true"
+      #- "--providers.docker.endpoint=unix:///var/run/docker.sock"
+      - "--providers.docker.exposedbydefault=false"
+      #- "--providers.docker.network=traefik"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro                # docker.sock for read labels
+      - ./config/traefik/dynamic/:/config/dynamic/:ro               # dynamic config files
+      - ./ssl-certs/:/config/certs/:ro                              # ssl certs files
+    networks:
+      - traefik-net
+    healthcheck:
+      test: ['CMD', 'traefik', 'healthcheck', '--ping', "--entryPoints.ping.address=:8082", "--ping.entryPoint=ping"]
+      #start_period: 10s
+      interval: 30s
+      timeout: 5s
+      retries: 3
+    # check with: "docker inspect --format='{{json .State.Health}}' traefik | jq"
+    labels:
+      # Explicitly tell Traefik to expose this container
+      - "traefik.enable=true"
+      - "traefik.docker.network=traefik-net"
+      # http
+      - "traefik.http.routers.traefik-http.rule=Host(`${DOMAIN}`) && PathPrefix(`/traefik`)"
+      - "traefik.http.routers.traefik-http.entrypoints=web"
+      - "traefik.http.routers.traefik-http.service=api@internal"
+      # https
+      - "traefik.http.routers.traefik-https.tls=true"
+      - "traefik.http.routers.traefik-https.rule=Host(`${DOMAIN}`) && PathPrefix(`/traefik`)"
+      - "traefik.http.routers.traefik-https.entrypoints=websecure"
+      - "traefik.http.routers.traefik-https.service=api@internal"
+      # load middlewares for routes
+      #- "traefik.http.routers.traefik-http.middlewares=traefik-https@docker,traefik-auth@docker"
+      - "traefik.http.routers.traefik-http.middlewares=redirect-to-https@file,traefik-auth@docker"
+      - "traefik.http.routers.traefik-https.middlewares=traefik-auth@docker"
+      # Middleware: http to https redirect      
+      #- "traefik.http.middlewares.traefik-https.redirectscheme.scheme=https"
+      #- "traefik.http.middlewares.traefik-https.redirectscheme.permanent=true"
+      #- "traefik.http.middlewares.traefik-https.redirectscheme.port=443"
+      # Middleware: auth
+      # basic auth with htpasswd (You may need to escape any $ with another $ in password. create password: "docker run --rm tobi312/tools:htpasswd -bn admin 'passw0rd' | sed 's/\$/\$\$/g'"  OR  only for Password: "openssl passwd -apr1 'passw0rd' | sed 's/\$/\$\$/g'")
+      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$$apr1$$6Yq5UCPq$$ZmXnIrJwqH0qfKRurLAiR1,traefik:$$apr1$$zIohxmBm$$TVYfYKcqYXOdONsU93L8w0"
+    # URL for Webbrowser: https://example.com/traefik
+
+networks:
+  wsc-net:
+    name: wsc-net
+  #monitoring-net:
+  #  name: monitoring-net
+  #  external: true
+  traefik-net:
+    name: traefik-net
+    # external, script? https://github.com/Tob1as/docker-kubernetes-collection/blob/master/examples_docker-compose/docker_network_create.sh
+    #external: true
+    # not external, but with IPv4 and IPv6:
+    #driver: bridge
+    #attachable: true
+    #enable_ipv6: true
+    #labels:
+    #  created.by: "docker-compose_WSC"
+    #ipam:
+    #  driver: default
+    #  config:
+    #    - subnet: 172.20.0.0/24        # IPv4 Subnet
+    #    - subnet: fd00:dead:beef::/48  # IPv6 Subnet