From b5f20b951d31063332bf2b70188c3aad341c21ed Mon Sep 17 00:00:00 2001
From: Jason Kendall
Date: Wed, 19 Feb 2020 20:21:49 -0500
Subject: [PATCH] First stab at nginx
---
 docker-compose.yml | 2 +-
 server/Dockerfile | 24 ++++-----------
 ...trypoint_apache.sh => entrypoint_nginx.sh} | 28 +++++++++---------
 server/files/etc/apache2/ports.conf | 15 ----------
 .../etc/apache2/sites-enabled/misp-ssl.conf | 29 -------------------
 .../files/etc/apache2/sites-enabled/misp.conf | 21 --------------
 server/files/etc/supervisor/supervisor.conf | 15 ++++++++--
 7 files changed, 34 insertions(+), 100 deletions(-)
 rename server/files/{entrypoint_apache.sh => entrypoint_nginx.sh} (91%)
 delete mode 100644 server/files/etc/apache2/ports.conf
 delete mode 100644 server/files/etc/apache2/sites-enabled/misp-ssl.conf
 delete mode 100644 server/files/etc/apache2/sites-enabled/misp.conf
diff --git a/docker-compose.yml b/docker-compose.yml
index cbfac47..6692762 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -35,7 +35,7 @@ services:
 - "./server-configs/:/var/www/MISP/app/Config/"
 - "./logs/:/var/www/MISP/app/tmp/logs/"
 - "./files/:/var/www/MISP/app/files"
- - "./ssl/:/etc/apache2/ssl/"
+ - "./ssl/:/etc/ssl/"
 environment:
 - "CRON_USER_ID=1"
 - "REDIS_FQDN=redis"
diff --git a/server/Dockerfile b/server/Dockerfile
index 790760c..893761b 100644
--- a/server/Dockerfile
+++ b/server/Dockerfile
@@ -68,7 +68,7 @@ ARG PHP_VER
 RUN apt-get update; apt-get install -y --no-install-recommends \
 # Requirements:
 sudo \
- apache2 \
+ nginx \
 supervisor \
 git \
 cron \
@@ -88,6 +88,7 @@ ARG PHP_VER
 php-mysql \
 php-redis \
 php-gd \
+ php-fpm \
 # Unsure we need these
 zip unzip \
 && apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
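Review bot: Bind-mounting `./ssl/` at `/etc/ssl/` shadows the whole directory, and on an apt-based image that is also where the ca-certificates package keeps the system trust store (`/etc/ssl/certs`) and `openssl.cnf`; with a host directory mounted over it, outbound TLS from the container (feeds, modules, curl) is likely to fail verification unless the host copy happens to carry those files. A dedicated path such as `- "./ssl/:/etc/nginx/ssl/"` keeps the served certificate material apart from the trust store. The `init_ssl` hunk in `server/files/entrypoint_nginx.sh` writes `dhparams.pem`, `cert.pem`, `key.pem` and `chain.pem` into the same `/etc/ssl` and would need the matching path.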
@@ -116,29 +117,16 @@ ARG PHP_VER
 # To use the scheduler worker for scheduled tasks, do the following:
 ;cp -fa /var/www/MISP/INSTALL/setup/config.php /var/www/MISP/app/Plugin/CakeResque/Config/config.php
-# Apache
- # add HTTP MISP Config
- RUN rm /etc/apache2/sites-enabled/*;
- COPY files/etc/apache2/sites-enabled/misp.conf /etc/apache2/sites-enabled/
- COPY files/etc/apache2/sites-enabled/misp-ssl.conf /etc/apache2/sites-enabled/
- COPY files/etc/apache2/ports.conf /etc/apache2/ports.conf
- RUN set -eu \
- ;chmod 640 /etc/apache2/ports.conf \
- ;chown root.root /etc/apache2/ports.conf \
- ;chmod 640 /etc/apache2/sites-available/* \
- ;chown root.root /etc/apache2/sites-available/* \
- # Configure Apache
- ;a2dismod status \
- ;a2enmod ssl \
- ;a2enmod rewrite \
- ;a2enmod headers
+# nginx
+ RUN rm /etc/nginx/sites-enabled/*; mkdir /run/php
+ COPY files/etc/nginx/misp /etc/nginx/sites-enabled/misp
 # Make a copy of the file store, so we can sync from it
 RUN cp -R /var/www/MISP/app/files /var/www/MISP/app/files.dist
 # Entrypoints
 COPY files/etc/supervisor/supervisor.conf /etc/supervisor/conf.d/supervisord.conf
- COPY files/entrypoint_apache.sh /
+ COPY files/entrypoint_nginx.sh /
 COPY files/entrypoint_cron.sh /
 COPY files/entrypoint_workers.sh /
 COPY files/entrypoint.sh /
diff --git a/server/files/entrypoint_apache.sh b/server/files/entrypoint_nginx.sh
similarity index 91%
rename from server/files/entrypoint_apache.sh
rename to server/files/entrypoint_nginx.sh
index f92618e..aaf9f30 100755
--- a/server/files/entrypoint_apache.sh
+++ b/server/files/entrypoint_nginx.sh
@@ -13,7 +13,7 @@ ENTRYPOINT_PID_FILE="/entrypoint_apache.install"
 [ ! -f $ENTRYPOINT_PID_FILE ] && touch $ENTRYPOINT_PID_FILE
 change_php_vars(){
- for FILE in /etc/php/*/apache2/php.ini
+ for FILE in /etc/php/*/fpm/php.ini
 do
 [[ -e $FILE ]] || break
 sed -i "s/memory_limit = .*/memory_limit = 2048M/" "$FILE"
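Review bot: `COPY files/etc/nginx/misp /etc/nginx/sites-enabled/misp` references a file this patch does not add — the diffstat lists seven files and none under `server/files/etc/nginx/` — so the build fails at that step unless the config arrives in another commit. That file is also where everything the deleted Apache configs provided now has to live: the HTTP-to-HTTPS redirect, `ServerSignature Off`, the `X-Content-Type-Options`/`X-Frame-Options` headers, the TLS protocol and cipher restrictions and the `dhparams.pem` reference; none of that can be reviewed from this patch. The `chmod 640`/`chown root.root` tightening and `a2dismod status` on the removed side have no nginx counterpart; at minimum restrict the copied site file the same way, e.g. `RUN chmod 640 /etc/nginx/sites-enabled/misp`.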
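Review bot: The loop now edits `/etc/php/*/fpm/php.ini`, but php-fpm is launched by supervisor as its own program in parallel with this script, so it may already have read `php.ini` before `sed` rewrites `memory_limit`; the new values then only apply on the next php-fpm start, and nothing here reloads it. Apply the edit before php-fpm starts (an image build step, or a supervisor `priority` ordering, which only orders the launch) or signal php-fpm to reload after the edit. `ENTRYPOINT_PID_FILE="/entrypoint_apache.install"` in the hunk header still carries the Apache name, and `change_php_vars` continues past the end of the hunk.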
@@ -66,11 +66,11 @@ init_misp_files(){
 }
 init_ssl() {
- if [[ (! -f /etc/apache2/ssl/dhparams.pem) ||
- (! -f /etc/apache2/ssl/cert.pem) ||
- (! -f /etc/apache2/ssl/key.pem) ||
- (! -f /etc/apache2/ssl/chain.pem) ]]; then
- cd /etc/apache2/ssl
+ if [[ (! -f /etc/ssl/dhparams.pem) ||
+ (! -f /etc/ssl/cert.pem) ||
+ (! -f /etc/ssl/key.pem) ||
+ (! -f /etc/ssl/chain.pem) ]]; then
+ cd /etc/ssl
 openssl dhparam -out dhparams.pem 2048
 openssl req -x509 -subj '/CN=localhost' -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
 cp cert.pem chain.pem
@@ -99,12 +99,12 @@ init_mysql(){
 $MYSQLCMD < /var/www/MISP/INSTALL/MYSQL.sql
 }
-start_apache() {
- # Apache gets grumpy about PID files pre-existing
- rm -f /run/apache2/apache2.pid
- # execute APACHE2
- /usr/sbin/apache2ctl -D FOREGROUND -k "$1"
-}
+#start_apache() {
+# # Apache gets grumpy about PID files pre-existing
+# rm -f /run/apache2/apache2.pid
+# # execute APACHE2
+# /usr/sbin/apache2ctl -D FOREGROUND -k "$1"
+#}
 # Things we should do when we have the INITIALIZE Env Flag
 if [[ "$INIT" == true ]]; then
@@ -129,5 +129,5 @@ echo "... chmod -R g+ws /var/www/MISP/app/files/scripts/tmp ..." && chmod -R g+w
 # delete pid file
 [ -f $ENTRYPOINT_PID_FILE ] && rm $ENTRYPOINT_PID_FILE
-# execute apache
-start_apache start
+# Start NGINX
+nginx -g 'daemon off;'
diff --git a/server/files/etc/apache2/ports.conf b/server/files/etc/apache2/ports.conf
deleted file mode 100644
index 80afbb9..0000000
--- a/server/files/etc/apache2/ports.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# If you just change the port or add more ports here, you will likely also
-# have to change the VirtualHost statement in
-# /etc/apache2/sites-enabled/000-default.conf
-
-Listen 80
- - Listen 443 - - - - Listen 443 - - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
\ No newline at end of file
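Review bot: `cd /etc/ssl` on the new side is unchecked; if it fails, the three `openssl` commands and the `cp` write `dhparams.pem`, `key.pem`, `cert.pem` and `chain.pem` into whatever the current directory is, and the `[[ ! -f ... ]]` guard then regenerates them on every start. Use `cd /etc/ssl || exit 1`, or pass absolute `-out` paths and drop the `cd`. The `openssl req` call appears to leave `key.pem` at the umask default, so following it with `chmod 600 key.pem` is worth adding; `init_ssl` continues past the end of the hunk.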
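Review bot: `start_apache` is kept as a six-line commented-out block rather than removed; the rename already preserves the Apache version in git history, and commented-out code in an entrypoint tends to drift and confuse later edits. Delete the `#start_apache() {` … `#}` lines outright.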
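Review bot: `nginx -g 'daemon off;'` runs as a child of the shell instead of replacing it, so the stop signal supervisor sends reaches the shell and not nginx unless `stopasgroup` is set for the program; nginx is then left without a graceful shutdown when the shell exits, and the exit status supervisor sees is the shell's. `exec nginx -g 'daemon off;'` makes nginx the supervised process and keeps signal delivery and the exit code intact. This hunk is the end of the script, so nothing after it depends on the shell staying alive.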
diff --git a/server/files/etc/apache2/sites-enabled/misp-ssl.conf b/server/files/etc/apache2/sites-enabled/misp-ssl.conf
deleted file mode 100644
index 9da61fd..0000000
--- a/server/files/etc/apache2/sites-enabled/misp-ssl.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-
- ServerName misp-server
- DocumentRoot /var/www/MISP/app/webroot
-
- Options -Indexes
- AllowOverride all
- Order allow,deny
- allow from all
-
-
- SSLEngine On
- SSLProtocol all -SSLv2 -SSLv3
- SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
- SSLHonorCipherOrder on
-
- SSLOpenSSLConfCmd DHParameters "/etc/apache2/ssl/dhparams.pem"
- SSLCertificateFile /etc/apache2/ssl/cert.pem
- SSLCertificateKeyFile /etc/apache2/ssl/key.pem
- SSLCertificateChainFile /etc/apache2/ssl/chain.pem
-
- LogLevel warn
-
- ErrorLog /dev/stdout
- CustomLog /dev/stdout combined
-
- ServerSignature Off
-# Header set X-Content-Type-Options nosniff
-# Header set X-Frame-Options DENY
-
diff --git a/server/files/etc/apache2/sites-enabled/misp.conf b/server/files/etc/apache2/sites-enabled/misp.conf
deleted file mode 100644
index 2bea870..0000000
--- a/server/files/etc/apache2/sites-enabled/misp.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-
- ServerName misp-server
- DocumentRoot /var/www/MISP/app/webroot
-
- Options -Indexes
- AllowOverride all
- Require all granted
-
- LogLevel warn
-
- ErrorLog /dev/stdout
- CustomLog /dev/stdout combined
-
- ServerSignature Off
- Header set X-Content-Type-Options nosniff
- Header set X-Frame-Options DENY
-
- RewriteEngine On
- RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
-
-
diff --git a/server/files/etc/supervisor/supervisor.conf b/server/files/etc/supervisor/supervisor.conf
index fcb011c..f5cd065 100644
--- a/server/files/etc/supervisor/supervisor.conf
+++ b/server/files/etc/supervisor/supervisor.conf
@@ -6,14 +6,25 @@ stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-[program:apache2]
-command=/entrypoint_apache.sh
+[program:nginx]
+command=/entrypoint_nginx.sh
 autorestart=true
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
+[program:php-fpm]
+command=/usr/sbin/php-fpm7.3 -R -F
+process_name=%(program_name)s_%(process_num)02d
+numprocs=1
+autostart=true
+autorestart=false
+startsecs=0
+redirect_stderr=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+
 [program:workers]
 command=/entrypoint_workers.sh
 stdout_logfile=/dev/stdout
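Review bot: `command=/usr/sbin/php-fpm7.3 -R -F` hard-codes the PHP 7.3 binary while the Dockerfile installs PHP under `ARG PHP_VER` (visible in its hunk headers) and the entrypoint globs `/etc/php/*/fpm/php.ini`, so any other PHP_VER yields an image in which supervisor cannot find the binary; a version-independent symlink created at build time (e.g. `ln -s /usr/sbin/php-fpm${PHP_VER} /usr/sbin/php-fpm` in the Dockerfile) and `command=/usr/sbin/php-fpm -F` here avoids that. `autorestart=false` means a php-fpm crash leaves nginx up and answering every PHP request with a gateway error with no recovery, the opposite of the `autorestart=true` given to the nginx program. `-R` (allow the pool to run as root) is only needed if the pool configuration sets its user to root; with the stock `www-data` pool it can be dropped so a misconfigured pool fails to start rather than running PHP as root.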