diff --git a/docker-compose.yml b/docker-compose.yml
index cbfac47..6692762 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -35,7 +35,7 @@ services:
- "./server-configs/:/var/www/MISP/app/Config/"
- "./logs/:/var/www/MISP/app/tmp/logs/"
- "./files/:/var/www/MISP/app/files"
- - "./ssl/:/etc/apache2/ssl/"
+ - "./ssl/:/etc/ssl/"
environment:
- "CRON_USER_ID=1"
- "REDIS_FQDN=redis"
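Review bot: Bind-mounting `./ssl/` onto `/etc/ssl/` hides the container's entire `/etc/ssl` tree, which on Debian-based images includes the CA trust store under `/etc/ssl/certs` and typically the `openssl.cnf` the `openssl` CLI reads, so outbound TLS verification from inside the container and the `openssl req`/`openssl dhparam` calls in `entrypoint_nginx.sh` only keep working if `./ssl/` happens to contain copies of those files. The previous mount point `/etc/apache2/ssl/` had no such side effect because nothing else lived there. Mount into a dedicated subdirectory instead, e.g. `- "./ssl/:/etc/ssl/misp/"`, and point the nginx `ssl_certificate*` directives and the `init_ssl` paths in the entrypoint at `/etc/ssl/misp/`.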
diff --git a/server/Dockerfile b/server/Dockerfile
index 790760c..893761b 100644
--- a/server/Dockerfile
+++ b/server/Dockerfile
@@ -68,7 +68,7 @@ ARG PHP_VER
RUN apt-get update; apt-get install -y --no-install-recommends \
# Requirements:
sudo \
- apache2 \
+ nginx \
supervisor \
git \
cron \
@@ -88,6 +88,7 @@ ARG PHP_VER
php-mysql \
php-redis \
php-gd \
+ php-fpm \
# Unsure we need these
zip unzip \
&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
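Review bot: `php-fpm` is added as the unversioned metapackage, while the supervisor config (`/usr/sbin/php-fpm7.3`) and the nginx site (`php7.3-fpm.sock`) introduced in the same commit hardcode 7.3, even though the stage already declares `ARG PHP_VER`. If the distribution default ever differs from 7.3 the binary and socket names silently stop matching and every PHP request becomes a 502. Assuming `PHP_VER` is meant to be the source of truth, install `php${PHP_VER}-fpm` and derive the other two paths from the same value; otherwise add a comment on this line, e.g. `# version must match php-fpm7.3 in supervisor.conf and the socket in etc/nginx/misp`.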
@@ -116,29 +117,16 @@ ARG PHP_VER
# To use the scheduler worker for scheduled tasks, do the following:
;cp -fa /var/www/MISP/INSTALL/setup/config.php /var/www/MISP/app/Plugin/CakeResque/Config/config.php
-# Apache
- # add HTTP MISP Config
- RUN rm /etc/apache2/sites-enabled/*;
- COPY files/etc/apache2/sites-enabled/misp.conf /etc/apache2/sites-enabled/
- COPY files/etc/apache2/sites-enabled/misp-ssl.conf /etc/apache2/sites-enabled/
- COPY files/etc/apache2/ports.conf /etc/apache2/ports.conf
- RUN set -eu \
- ;chmod 640 /etc/apache2/ports.conf \
- ;chown root.root /etc/apache2/ports.conf \
- ;chmod 640 /etc/apache2/sites-available/* \
- ;chown root.root /etc/apache2/sites-available/* \
- # Configure Apache
- ;a2dismod status \
- ;a2enmod ssl \
- ;a2enmod rewrite \
- ;a2enmod headers
+# nginx
+ RUN rm /etc/nginx/sites-enabled/*; mkdir /run/php
+ COPY files/etc/nginx/misp /etc/nginx/sites-enabled/misp
# Make a copy of the file store, so we can sync from it
RUN cp -R /var/www/MISP/app/files /var/www/MISP/app/files.dist
# Entrypoints
COPY files/etc/supervisor/supervisor.conf /etc/supervisor/conf.d/supervisord.conf
- COPY files/entrypoint_apache.sh /
+ COPY files/entrypoint_nginx.sh /
COPY files/entrypoint_cron.sh /
COPY files/entrypoint_workers.sh /
COPY files/entrypoint.sh /
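Review bot: `RUN rm /etc/nginx/sites-enabled/*; mkdir /run/php` chains the two commands with `;`, so a failing `rm` is silently ignored and the build continues, whereas the Apache block being removed ran under `set -eu`; `RUN rm -f /etc/nginx/sites-enabled/* && mkdir -p /run/php` keeps the step atomic and tolerant of an empty directory. The removed block also applied `chmod 640` / `chown root.root` to the vhost files, and the new `COPY` of the nginx site drops that tightening; `COPY --chmod=640 files/etc/nginx/misp /etc/nginx/sites-enabled/misp` restores it with BuildKit. The surrounding `RUN` that sets up CakeResque starts before this hunk.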
diff --git a/server/files/entrypoint_apache.sh b/server/files/entrypoint_nginx.sh
similarity index 91%
rename from server/files/entrypoint_apache.sh
rename to server/files/entrypoint_nginx.sh
index f92618e..aaf9f30 100755
--- a/server/files/entrypoint_apache.sh
+++ b/server/files/entrypoint_nginx.sh
@@ -13,7 +13,7 @@ ENTRYPOINT_PID_FILE="/entrypoint_apache.install"
[ ! -f $ENTRYPOINT_PID_FILE ] && touch $ENTRYPOINT_PID_FILE
change_php_vars(){
- for FILE in /etc/php/*/apache2/php.ini
+ for FILE in /etc/php/*/fpm/php.ini
do
[[ -e $FILE ]] || break
sed -i "s/memory_limit = .*/memory_limit = 2048M/" "$FILE"
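Review bot: `change_php_vars` now edits `/etc/php/*/fpm/php.ini`, but php-fpm is no longer a child of this script: the `[program:php-fpm]` entry added to `supervisor.conf` launches `/usr/sbin/php-fpm7.3 -R -F` concurrently with this entrypoint, so FPM may read `php.ini` before the `sed` edits land and keep the stock `memory_limit` until it is restarted (which supervisor will not do, given `autorestart=false` there). Either start php-fpm from this script after the configuration phase, the way nginx is started at the end, or reload it after the edits (php-fpm reloads its configuration on `SIGUSR2`). The rename also left `ENTRYPOINT_PID_FILE="/entrypoint_apache.install"` in the context line with its Apache name; `ENTRYPOINT_PID_FILE="/entrypoint_nginx.install"` keeps the sentinel consistent with the script, provided nothing else waits on the old path. The `change_php_vars` loop continues past the end of the hunk.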
@@ -66,11 +66,11 @@ init_misp_files(){
}
init_ssl() {
- if [[ (! -f /etc/apache2/ssl/dhparams.pem) ||
- (! -f /etc/apache2/ssl/cert.pem) ||
- (! -f /etc/apache2/ssl/key.pem) ||
- (! -f /etc/apache2/ssl/chain.pem) ]]; then
- cd /etc/apache2/ssl
+ if [[ (! -f /etc/ssl/dhparams.pem) ||
+ (! -f /etc/ssl/cert.pem) ||
+ (! -f /etc/ssl/key.pem) ||
+ (! -f /etc/ssl/chain.pem) ]]; then
+ cd /etc/ssl
openssl dhparam -out dhparams.pem 2048
openssl req -x509 -subj '/CN=localhost' -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
cp cert.pem chain.pem
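Review bot: `dhparams.pem` and `chain.pem` are still generated here, but the new nginx site (`server/files/etc/nginx/misp`) references only `cert.pem` and `key.pem`, so the slow 2048-bit `openssl dhparam` run on first start is wasted and nginx uses its own DH defaults, and the chain is never served: nginx has no separate chain directive, intermediates have to be appended to the file named in `ssl_certificate`. Add `ssl_dhparam /etc/ssl/dhparams.pem;` to the site, and either drop the `cp cert.pem chain.pem` or concatenate the chain onto `cert.pem` instead. The unchecked `cd /etc/ssl` should also become `cd /etc/ssl || exit 1`, so that a missing or failed bind mount does not leave the generated key in whatever the current directory happens to be. `init_ssl` continues outside the hunk.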
@@ -99,12 +99,12 @@ init_mysql(){
$MYSQLCMD < /var/www/MISP/INSTALL/MYSQL.sql
}
-start_apache() {
- # Apache gets grumpy about PID files pre-existing
- rm -f /run/apache2/apache2.pid
- # execute APACHE2
- /usr/sbin/apache2ctl -D FOREGROUND -k "$1"
-}
+#start_apache() {
+# # Apache gets grumpy about PID files pre-existing
+# rm -f /run/apache2/apache2.pid
+# # execute APACHE2
+# /usr/sbin/apache2ctl -D FOREGROUND -k "$1"
+#}
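Review bot: `start_apache` is kept as a commented-out block rather than deleted; the file has been renamed to `entrypoint_nginx.sh` and git history preserves the old function, so the six `#` lines are dead weight that will only drift from any future Apache variant. Delete the block from `#start_apache() {` through `#}`, and if an Apache entrypoint is still wanted keep it as its own script next to this one.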
# Things we should do when we have the INITIALIZE Env Flag
if [[ "$INIT" == true ]]; then
@@ -129,5 +129,5 @@ echo "... chmod -R g+ws /var/www/MISP/app/files/scripts/tmp ..." && chmod -R g+w
# delete pid file
[ -f $ENTRYPOINT_PID_FILE ] && rm $ENTRYPOINT_PID_FILE
-# execute apache
-start_apache start
+# Start NGINX
+nginx -g 'daemon off;'
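Review bot: `nginx -g 'daemon off;'` runs as a child of this shell instead of replacing it, so supervisord's stop signal is delivered to the script, which defers it until the child exits, and nginx is not shut down gracefully on `supervisorctl stop` or container stop; use `exec nginx -g 'daemon off;'`. The removed `start_apache` had the same shape, so this is not a regression, but the new final line is the place to fix it. The PID-file cleanup on the line above is the script's last action before this, so nothing is lost by exec'ing.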
diff --git a/server/files/etc/apache2/ports.conf b/server/files/etc/apache2/ports.conf
deleted file mode 100644
index 80afbb9..0000000
--- a/server/files/etc/apache2/ports.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# If you just change the port or add more ports here, you will likely also
-# have to change the VirtualHost statement in
-# /etc/apache2/sites-enabled/000-default.conf
-
-Listen 80
-
-
- Listen 443
-
-
-
- Listen 443
-
-
-# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
\ No newline at end of file
diff --git a/server/files/etc/apache2/sites-enabled/misp-ssl.conf b/server/files/etc/apache2/sites-enabled/misp-ssl.conf
deleted file mode 100644
index 9da61fd..0000000
--- a/server/files/etc/apache2/sites-enabled/misp-ssl.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-
- ServerName misp-server
- DocumentRoot /var/www/MISP/app/webroot
-
- Options -Indexes
- AllowOverride all
- Order allow,deny
- allow from all
-
-
- SSLEngine On
- SSLProtocol all -SSLv2 -SSLv3
- SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
- SSLHonorCipherOrder on
-
- SSLOpenSSLConfCmd DHParameters "/etc/apache2/ssl/dhparams.pem"
- SSLCertificateFile /etc/apache2/ssl/cert.pem
- SSLCertificateKeyFile /etc/apache2/ssl/key.pem
- SSLCertificateChainFile /etc/apache2/ssl/chain.pem
-
- LogLevel warn
-
- ErrorLog /dev/stdout
- CustomLog /dev/stdout combined
-
- ServerSignature Off
-# Header set X-Content-Type-Options nosniff
-# Header set X-Frame-Options DENY
-
diff --git a/server/files/etc/apache2/sites-enabled/misp.conf b/server/files/etc/apache2/sites-enabled/misp.conf
deleted file mode 100644
index 2bea870..0000000
--- a/server/files/etc/apache2/sites-enabled/misp.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-
- ServerName misp-server
- DocumentRoot /var/www/MISP/app/webroot
-
- Options -Indexes
- AllowOverride all
- Require all granted
-
- LogLevel warn
-
- ErrorLog /dev/stdout
- CustomLog /dev/stdout combined
-
- ServerSignature Off
- Header set X-Content-Type-Options nosniff
- Header set X-Frame-Options DENY
-
- RewriteEngine On
- RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
-
-
diff --git a/server/files/etc/nginx/misp b/server/files/etc/nginx/misp
new file mode 100644
index 0000000..092710b
--- /dev/null
+++ b/server/files/etc/nginx/misp
@@ -0,0 +1,32 @@
+server {
+ listen 80 default_server;
+ listen [::]:80;
+
+ server_name _;
+
+ return 301 https://$host$request_uri;
+}
+
+server {
+
+ server_name misp-server;
+ listen 443 ssl http2 spdy;
+ root /var/www/MISP/app/webroot;
+ index index.php;
+
+ ssl_certificate /etc/ssl/cert.pem;
+ ssl_certificate_key /etc/ssl/key.pem;
+
+ # enable HSTS
+ add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
+ add_header X-Frame-Options SAMEORIGIN;
+
+ location / {
+ try_files $uri $uri/ /index.php;
+ }
+
+ location ~ \.php$ {
+ include snippets/fastcgi-php.conf;
+ fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
+ }
+}
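Review bot: `listen 443 ssl http2 spdy;` will stop nginx from starting on any release since 1.9.5, which replaced SPDY with HTTP/2 and removed the `spdy` listen parameter, and that covers the nginx current Debian/Ubuntu packages ship: the configuration test fails on an invalid parameter before any request is served. The replacement also drops the TLS policy the deleted `misp-ssl.conf` carried (`SSLProtocol all -SSLv2 -SSLv3`, an explicit cipher list, `SSLHonorCipherOrder on`, the DH parameters the entrypoint still generates) and the `X-Content-Type-Options nosniff` header from `misp.conf`, and relaxes `X-Frame-Options` from `DENY` to `SAMEORIGIN`, so nginx defaults rather than an explicit decision now govern what the site negotiates; the `add_header` lines additionally apply only to 2xx/3xx responses without `always`, so error pages go out without HSTS. The HTTPS server also listens on IPv4 only while the port-80 redirect listens on both families. The rewritten TLS server block below removes `spdy`, adds the IPv6 listener, sets protocols and DH parameters explicitly and restores the missing header with `always`; the protocol list assumes an nginx/OpenSSL pair that knows TLSv1.3 (presumably the case for the Debian release that provides `php7.3-fpm`), otherwise drop that token.
```nginx
server {

    server_name misp-server;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # … unchanged: root, index …

    ssl_certificate /etc/ssl/cert.pem;
    ssl_certificate_key /etc/ssl/key.pem;
    ssl_dhparam /etc/ssl/dhparams.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # enable HSTS
    add_header Strict-Transport-Security "max-age=15768000; includeSubdomains" always;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;

    # … unchanged: location / and location ~ \.php$ …
}
```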
diff --git a/server/files/etc/supervisor/supervisor.conf b/server/files/etc/supervisor/supervisor.conf
index fcb011c..f5cd065 100644
--- a/server/files/etc/supervisor/supervisor.conf
+++ b/server/files/etc/supervisor/supervisor.conf
@@ -6,14 +6,25 @@ stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
-[program:apache2]
-command=/entrypoint_apache.sh
+[program:nginx]
+command=/entrypoint_nginx.sh
autorestart=true
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
+[program:php-fpm]
+command=/usr/sbin/php-fpm7.3 -R -F
+process_name=%(program_name)s_%(process_num)02d
+numprocs=1
+autostart=true
+autorestart=false
+startsecs=0
+redirect_stderr=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+
[program:workers]
command=/entrypoint_workers.sh
stdout_logfile=/dev/stdout
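Review bot: `[program:php-fpm]` sets `autorestart=false` while the `[program:nginx]` entry just above keeps `autorestart=true`, so if php-fpm dies (an OOM-killed master, a php.ini rejected after the entrypoint's `sed` edits) nginx stays up and answers every PHP request with 502 until the container is recreated; `autorestart=true`, or `unexpected` to match supervisor's default, makes the two entries consistent. `-R` allows the FPM pool to run its workers as root; Debian's default pool runs as `www-data`, so the flag should only be required if the pool user was changed, and it is worth removing or justifying with a comment because it waives the one privilege boundary between the PHP worker and the rest of the container. `/usr/sbin/php-fpm7.3` also hardcodes the PHP version that the Dockerfile's `ARG PHP_VER` appears to parameterize, the same assumption the `fastcgi_pass` socket path in the nginx site makes.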