updating the stack

Author: offeringofpie

.dockerignore

@@ -1,5 +1,11 @@
 *
-!code/themes
-!code/plugins
-!data/php/multisite.htaccess
-!data/php/docker-entrypoint.sh
+wp-content/themes/**/src
+!wp-content/themes
+!wp-content/plugins
+!data/docker-entrypoint.sh
+!data/.well-known
+!data/wpcli-user.sh
+!data/cron.conf
+!data/multisite.htaccess
+!data/uploads.ini
+

.gitignore

@@ -1,25 +1,34 @@
-.DS_Store
-/.htaccess
-/code/plugins/akismet
-/code/plugins/hello.php
-/code/plugins/index.php
-/code/tests/shots
-/code/themes/**/*.css.map
-/code/themes/**/*.js.map
-/code/themes/index.php
-/code/themes/twenty*
-/index.php
-/license.txt
-/local-config.php
-/npm-debug.log
-/readme.html
-/wp-*.php
-/wp-admin
-/wp-includes
-/xmlrpc.php
-data/db/.db
+/*
+data/mysql/.db
 data/nginx/log
-data/uploads
-data/wordpress*
+data/wordpress
 data/certs
-node_modules
+!.gitignore
+!.gitmodules
+!.dockerignore
+!.editorconfig
+!.gitlab-ci.yml
+!logo.png
+!changelog.md
+!LICENSE
+!deploy.sh
+!docker-compose.yml
+!Dockerfile
+!package.json
+!postcss.config.js
+!README.md
+!test.docker-compose.yml
+!tsconfig.json
+!webpack.config.js
+!wp-content
+wp-content/*
+!tests
+!wp-content/plugins
+!wp-content/themes
+wp-content/plugins/hello.php
+wp-content/plugins/akismet
+wp-content/themes/twenty*
+wp-content/themes/index.php
+!data/
+*.DS_Store
+!kubernetes

Dockerfile

@@ -1,54 +1,63 @@
-FROM php:7.1-apache
+FROM php:7.3-apache
+
 # install the PHP extensions we need
-RUN set -ex; \
-  \
-  apt-get update; \
-  apt-get install -y \
-    libjpeg-dev \
-    libpng-dev \
-  ; \
-  rm -rf /var/lib/apt/lists/*; \
-  \
-  docker-php-ext-configure gd --with-png-dir=/usr --with-jpeg-dir=/usr; \
-  docker-php-ext-install gd mysqli opcache
-
-RUN echo 'installing WP-CLI'; \
-    curl -o /usr/local/bin/wp https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar; \
-    chmod +x /usr/local/bin/wp
-# TODO consider removing the *-dev deps and only keeping the necessary lib* packages
+RUN apt-get update \
+  && apt-get install -y \
+  libjpeg-dev \
+  libpng-dev \
+  sudo \
+  && rm -rf /var/lib/apt/lists/* \
+  && docker-php-ext-configure gd --with-png-dir=/usr --with-jpeg-dir=/usr \
+  && docker-php-ext-install gd mysqli opcache
+
+RUN curl -o /usr/local/bin/wp-cli.phar https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
+COPY ./data/wpcli-user.sh /usr/local/bin/wp
+RUN chmod +x /usr/local/bin/wp
+RUN chmod +x /usr/local/bin/wp-cli.phar
 
 # set recommended PHP.ini settings
 # see https://secure.php.net/manual/en/opcache.installation.php
 RUN { \
-    echo 'opcache.memory_consumption=128'; \
-    echo 'opcache.interned_strings_buffer=8'; \
-    echo 'opcache.max_accelerated_files=4000'; \
-    echo 'opcache.revalidate_freq=2'; \
-    echo 'opcache.fast_shutdown=1'; \
-    echo 'opcache.enable_cli=1'; \
+  echo 'opcache.memory_consumption=128'; \
+  echo 'opcache.interned_strings_buffer=8'; \
+  echo 'opcache.max_accelerated_files=4000'; \
+  echo 'opcache.revalidate_freq=2'; \
+  echo 'opcache.fast_shutdown=1'; \
+  echo 'opcache.enable_cli=1'; \
   } > /usr/local/etc/php/conf.d/opcache-recommended.ini
 
-RUN a2enmod rewrite expires
 
-COPY ./code/themes /var/www/html/wp-content/themes
-COPY ./code/plugins /var/www/html/wp-content/plugins
+# Adding 404 injection protection
+# CVE-2007-0450
+RUN { \
+  echo 'AllowEncodedSlashes NoDecode'; \
+  echo 'ServerSignature Off'; \
+  echo 'ServerTokens Prod'; \
+  echo 'ErrorDocument 404 "404: The requested resource could not be found."'; \
+  echo 'ErrorDocument 403 "403: Access Denied. The requested resource requires authentication."'; \
+  } >> /etc/apache2/apache2.conf
+
+RUN a2enmod rewrite expires headers
+
+COPY ./wp-content/ /var/www/html/wp-content/
+COPY ./data/uploads.ini /usr/local/etc/php/conf.d/uploads.ini
 
 VOLUME /var/www/html
 
 EXPOSE 80
 
-ENV WORDPRESS_VERSION 4.9.1
-ENV WORDPRESS_SHA1 5376cf41403ae26d51ca55c32666ef68b10e35a4
+ENV WORDPRESS_VERSION 5.2.4
 
 RUN set -ex; \
-	curl -o wordpress.tar.gz -fSL "https://wordpress.org/wordpress-${WORDPRESS_VERSION}.tar.gz"; \
+  curl -o wordpress.tar.gz -fSL "https://wordpress.org/wordpress-${WORDPRESS_VERSION}.tar.gz"; \
   tar -xzf wordpress.tar.gz -C /usr/src/; \
   rm wordpress.tar.gz; \
   chown -R www-data:www-data /usr/src/wordpress
 
-COPY ./data/php/multisite.htaccess /usr/src/wordpress/multisite.htaccess
-COPY ./data/php/docker-entrypoint.sh /usr/local/bin/
-RUN chmod +x /usr/local/bin/docker-entrypoint.sh
+COPY ./data/multisite.htaccess /usr/src/wordpress/multisite.htaccess
+COPY ./data/docker-entrypoint.sh /usr/local/bin/
+COPY ./data/cron.conf /etc/crontabs/www-data
+RUN chmod 600 /etc/crontabs/www-data
 
 ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
 CMD ["apache2-foreground"]

code/themes/test/dist/scripts.min.js

@@ -0,0 +1,2 @@
+# Cron configuration file, set to run WordPress cron once every minute
+* * * * * php /usr/src/wordpress/wp-cron.php

code/themes/test/functions.php

@@ -126,11 +126,7 @@ EOPHP
 			echo "$@" | sed -e 's/[\/&]/\\&/g'
 		}
 		php_escape() {
-			local escaped="$(php -r 'var_export(('"$2"') $argv[1]);' -- "$1")"
-			if [ "$2" = 'string' ] && [ "${escaped:0:1}" = "'" ]; then
-				escaped="${escaped//$'\n'/"' + \"\\n\" + '"}"
-			fi
-			echo "$escaped"
+			php -r 'var_export(('$2') $argv[1]);' -- "$1"
 		}
 		set_config() {
 			key="$1"
@@ -220,12 +216,35 @@ EOPHP
 	done
 fi
 
-# if [ -z "${WORDPRESS_LOCAL_DEV+x}" ]; then
-#   wp --allow-root core multisite-convert
-#   mv .htaccess backup.htaccess
-#   mv multisite.htaccess .htaccess
-#   wp --allow-root search-replace "/blog/%year%/%monthnum%/%day%/%postname%/" "/%postname%" wp_options
-#   wp --allow-root rewrite flush
-# fi
+if [ -z "${WORDPRESS_LOCAL_DEV+x}" ] && [ ! -f backup.htaccess ]; then
+  wp core is-installed || wp core multisite-install --skip-config --title="test" --admin_email="[email protected]"
+  mv .htaccess backup.htaccess
+  mv multisite.htaccess .htaccess
+  wp search-replace "/blog/%year%/%monthnum%/%day%/%postname%/" "blog/%postname%" wp_options
+  wp rewrite flush
+fi
+
+if [ -d "/var/www/html/wp-content/uploads/cache" ]; then
+	chown -R www-data:www-data /var/www/html/wp-content/uploads/cache
+fi
+if [ -d "/var/www/html/wp-content/cache" ]; then
+	chown -R www-data:www-data /var/www/html/wp-content/cache
+fi
+
+
+if [ -d "/var/www/html/wp-content/uploads/cache" ]; then
+	chown -R www-data:www-data /var/www/html/wp-content/uploads/cache
+fi
+if [ -d "/var/www/html/wp-content/cache" ]; then
+	chown -R www-data:www-data /var/www/html/wp-content/cache
+fi
+
+
+	sed -i "/stop editing/i \
+\@ini_set('session.cookie_httponly', true);\n \
+\@ini_set('session.cookie_secure', true);\n \
+\@ini_set('session.use_only_cookies', true);\n \
+define('WP_MEMORY_LIMIT', '256M');\n \
+define( 'WP_MAX_MEMORY_LIMIT', '256M' );" wp-config.php
 
 exec "$@"

data/cron.conf

@@ -1,11 +1,11 @@
-# BEGIN WordPress
-<IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteBase /
 RewriteRule ^index\.php$ - [L]
 
-# uploaded files
-RewriteRule ^([_0-9a-zA-Z-]+/)?files/(.+) wp-includes/ms-files.php?file=$2 [L]
+# Allow access from all domains for webfonts.
+  <FilesMatch "\.(ttf|ttc|otf|eot|woff|woff2|font.css|css|webmanifest)$">
+    Header set Access-Control-Allow-Origin "*"
+  </FilesMatch>
 
 # add a trailing slash to /wp-admin
 RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]
@@ -16,5 +16,3 @@ RewriteRule ^ - [L]
 RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*) $2 [L]
 RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
 RewriteRule . index.php [L]
-</IfModule>
-# END WordPress

data/php/docker-entrypoint.sh renamed to data/docker-entrypoint.sh

@@ -0,0 +1,36 @@
+upstream localhost {
+    server wp:80;
+}
+
+server {
+  listen 80;
+  server_name localhost;
+  index index.php index.html;
+  error_page 404 index.php?error=404;
+  client_max_body_size 0;
+  root /var/www/html;
+
+  location / {
+    rewrite ^(.*) https://$host$1 permanent;
+  }
+}
+
+server {
+  listen 443 ssl;
+  server_name localhost;
+  root /var/www/html;
+  index index.php;
+  client_max_body_size 0;
+
+  location / {
+    proxy_pass http://localhost;
+    proxy_set_header X-Forwarded-Proto https;
+  }
+
+
+  #ssl on;
+
+  ssl_certificate /etc/nginx/certs/nginx-selfsigned.crt;
+  ssl_certificate_key /etc/nginx/certs/nginx-selfsigned.key;
+  ssl_dhparam /etc/nginx/certs/dhparam.pem;
+}

data/php/multisite.htaccess renamed to data/multisite.htaccess

@@ -0,0 +1,5 @@
+file_uploads = On
+memory_limit = 256M
+upload_max_filesize = 60M
+post_max_size = 60M
+max_execution_time = 600

data/nginx/default.conf

@@ -0,0 +1,4 @@
+#!/bin/sh
+# This is a wrapper so that wp-cli can run as the www-data user so that permissions
+# remain correct
+/usr/local/bin/wp-cli.phar --allow-root "$@"