From cc03d09fa6a75fae260e02f030196679199afb89 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Dunglas?=
Date: Mon, 19 Oct 2020 15:30:43 +0200
Subject: [PATCH] feat: Use Caddy server (#75)

* feat: Use Caddy server

* cs
---
 Dockerfile | 55 ++++----------------------------
 README.md | 9 ++++++
 docker-compose.override.yml | 16 ++--------
 docker-compose.yml | 19 ++++++++---
 docker/caddy/Caddyfile | 12 +++++++
 docker/h2-proxy/default.conf | 16 ----------
 docker/nginx/conf.d/default.conf | 36 ---------------------
 7 files changed, 44 insertions(+), 119 deletions(-)
 create mode 100644 docker/caddy/Caddyfile
 delete mode 100644 docker/h2-proxy/default.conf
 delete mode 100644 docker/nginx/conf.d/default.conf

diff --git a/Dockerfile b/Dockerfile
index da24d32..df0f7a1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -5,7 +5,7 @@
 # https://docs.docker.com/engine/reference/builder/#understand-how-arg-and-from-interact
 ARG PHP_VERSION=7.4
-ARG NGINX_VERSION=1.19
+ARG CADDY_VERSION=2.1.1
 # "php" stage
 FROM php:${PHP_VERSION}-fpm-alpine AS symfony_php
@@ -109,56 +109,15 @@ RUN chmod +x /usr/local/bin/docker-entrypoint
 ENTRYPOINT ["docker-entrypoint"]
 CMD ["php-fpm"]
+FROM caddy:${CADDY_VERSION}-builder-alpine AS symfony_caddy_builder
-# "nginx" stage
-# depends on the "php" stage above
-FROM nginx:${NGINX_VERSION}-alpine AS symfony_nginx
+RUN xcaddy build \
+ --with github.com/dunglas/vulcain/caddy
-COPY docker/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf
+FROM caddy:${CADDY_VERSION} AS symfony_caddy
 WORKDIR /srv/app
+COPY --from=symfony_caddy_builder /usr/bin/caddy /usr/bin/caddy
 COPY --from=symfony_php /srv/app/public public/
-
-# "h2-proxy-cert" stage
-FROM alpine:latest AS symfony_h2-proxy-cert
-
-RUN apk add --no-cache \
- ca-certificates \
- openssl \
- ;
-
-# Allow to set server name
-ARG SERVER_NAME="localhost"
-ENV SERVER_NAME=${SERVER_NAME}
-
-# Use this self-generated certificate only in dev, IT IS NOT SECURE!
-# create the private key
-RUN openssl genrsa -des3 -passout pass:NotSecure -out server.pass.key 2048
-RUN openssl rsa -passin pass:NotSecure -in server.pass.key -out server.key \
- && rm server.pass.key
-
-# create a request to sign certificate
-RUN openssl req -new -passout pass:NotSecure -key server.key -out server.csr \
- -subj "/C=SS/ST=SS/L=Gotham City/O=Symfony/CN=${SERVER_NAME}"
-
-# create an extensions configuration file
-RUN set -eux; \
- { \
- echo "[ v3_ca ]"; \
- echo "subjectAltName = DNS:${SERVER_NAME}"; \
- echo "extendedKeyUsage = serverAuth"; \
- } > extfile.cnf
-
-# create the signed certificate
-RUN openssl x509 -req -sha256 -extensions v3_ca -extfile extfile.cnf -days 365 \
- -in server.csr -signkey server.key -out server.crt \
- && rm extfile.cnf \
- && update-ca-certificates
-
-### "h2-proxy" stage
-FROM nginx:${NGINX_VERSION}-alpine AS symfony_h2-proxy
-
-RUN mkdir -p /etc/nginx/ssl/
-COPY --from=symfony_h2-proxy-cert server.key server.crt /etc/nginx/ssl/
-COPY ./docker/h2-proxy/default.conf /etc/nginx/conf.d/default.conf
+COPY docker/caddy/Caddyfile /etc/caddy/Caddyfile
diff --git a/README.md b/README.md
index a1a13c4..ea6f4da 100644
--- a/README.md
+++ b/README.md
@@ -10,6 +10,15 @@ A [Docker](https://www.docker.com/)-based installer and runtime for the [Symfony
 2. Open `https://localhost` in your favorite web browser and [accept the auto-generated TLS certificate](https://stackoverflow.com/a/15076602/1352334)
 3. **Enjoy!**
+## Features
+
+* Production, development and CI ready
+* Automatic HTTPS (in dev and in prod!)
+* HTTP/2, HTTP/3 and [Server Push](https://symfony.com/doc/current/web_link.html) support
+* [Vulcain](https://vulcain.rocks)-enabled
+* Just 2 services (PHP FPM and Caddy server)
+* Super-readable configuration
+
 ## Selecting a Specific Symfony Version
 Use the `SYMFONY_VERSION` environment variable to select a specific Symfony version.
diff --git a/docker-compose.override.yml b/docker-compose.override.yml
index 9041173..d9b4c4d 100644
--- a/docker-compose.override.yml
+++ b/docker-compose.override.yml
@@ -11,19 +11,7 @@ services:
 environment:
 APP_ENV: dev
- nginx:
+ caddy:
 volumes:
- - ./docker/nginx/conf.d:/etc/nginx/conf.d:ro
+ - ./docker/caddy/Caddyfile:/etc/caddy/Caddyfile:ro
 - ./public:/srv/app/public:ro
-
- # This HTTP/2 proxy is not secure: it should only be used in dev
- h2-proxy:
- build:
- context: .
- target: symfony_h2-proxy
- depends_on:
- - nginx
- volumes:
- - ./docker/h2-proxy/default.conf:/etc/nginx/conf.d/default.conf:ro
- ports:
- - "443:443"
diff --git a/docker-compose.yml b/docker-compose.yml
index 7536bb3..8aeb17d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -8,7 +8,7 @@ services:
 args:
 SYMFONY_VERSION: ${SYMFONY_VERSION:-}
 STABILITY: ${STABILITY:-stable}
- SERVER_NAME: ${SERVER_NAME:-localhost}
+ restart: unless-stopped
 healthcheck:
 interval: 10s
 timeout: 3s
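Review bot: The Vulcain plugin pulled in by the new builder stage is unpinned (`--with github.com/dunglas/vulcain/caddy`), so the `caddy` binary copied into `symfony_caddy` depends on whatever that Go module resolves to on the day of the build, even though `CADDY_VERSION` itself is pinned; pin the module as well, e.g. `--with github.com/dunglas/vulcain/caddy@<PLUGIN_VERSION>` (placeholder), so rebuilds are reproducible and a new upstream release cannot change the served binary unnoticed. The final `symfony_caddy` stage adds no `USER` and no `HEALTHCHECK`, so it inherits the caddy image's defaults (root, as far as I can tell, which is what lets it bind 80/443 without extra capabilities); a one-line comment above `FROM caddy:${CADDY_VERSION} AS symfony_caddy` stating that this is intentional would stop the next reviewer re-raising it. The hunk's leading context (`ENTRYPOINT`/`CMD`) belongs to the php stage, whose start is outside the hunk.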
@@ -17,11 +17,20 @@ services:
 environment:
 SYMFONY_VERSION:
- nginx:
+ caddy:
 build:
 context: .
- target: symfony_nginx
- depends_on:
- - php
+ target: symfony_caddy
+ environment:
+ SERVER_NAME: ${SERVER_NAME:-localhost}
+ restart: unless-stopped
 ports:
 - "80:80"
+ - "443:443"
+ volumes:
+ - caddy_data:/data
+ - caddy_config:/config
+
+volumes:
+ caddy_data:
+ caddy_config:
diff --git a/docker/caddy/Caddyfile b/docker/caddy/Caddyfile
new file mode 100644
index 0000000..4584855
--- /dev/null
+++ b/docker/caddy/Caddyfile
@@ -0,0 +1,12 @@
+{
+ experimental_http3
+}
+
+{$SERVER_NAME}
+
+route {
+ root * /srv/app/public
+ vulcain
+ push
+ php_fastcgi php:9000
+}
diff --git a/docker/h2-proxy/default.conf b/docker/h2-proxy/default.conf
deleted file mode 100644
index a8ed6fc..0000000
--- a/docker/h2-proxy/default.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
-
- ssl_certificate /etc/nginx/ssl/server.crt;
- ssl_certificate_key /etc/nginx/ssl/server.key;
-
- location / {
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
-
- proxy_pass http://nginx;
- }
-}
diff --git a/docker/nginx/conf.d/default.conf b/docker/nginx/conf.d/default.conf
deleted file mode 100644
index 8474564..0000000
--- a/docker/nginx/conf.d/default.conf
+++ /dev/null
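Review bot: Only TCP 443 is published on the caddy service (`- "443:443"`), but the new Caddyfile turns on `experimental_http3` and the README now advertises HTTP/3, which runs over QUIC on UDP 443; add `- "443:443/udp"` to the `ports` list so HTTP/3 is actually reachable from outside the container (browsers fall back to HTTP/2 silently, so this gap would go unnoticed). `depends_on: - php` is dropped from the caddy service; Caddy resolves `php:9000` per request so startup no longer fails on a missing upstream, but `docker-compose up caddy` alone will no longer bring up the backend, so a comment stating that the ordering is intentionally relaxed (or keeping `depends_on`) would help. The new `caddy_data` volume is where Caddy keeps the certificates and private keys it issues or obtains; a comment on the top-level `volumes:` block saying it must persist across restarts and be protected like a secret is worth adding.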
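Review bot: The deleted nginx config returned 404 for every `.php` file other than the front controller (`location ~ \.php$ { return 404; }`, with the comment "this prevents access to other php files you don't want to be accessible") and marked the `index.php` location `internal`; the new `route` block has no equivalent, so any `*.php` that ends up under `/srv/app/public` is now handed to PHP-FPM by `php_fastcgi`. If the document root only ever contains `index.php` the exposure is small, but the hardening was deliberate and documented, so restoring parity is cheap: a named matcher and a `respond` placed before `php_fastcgi` inside the `route` block short-circuit those requests. The `internal`-style restriction on `/index.php/some-path` URIs is a separate decision and is not covered by the matcher below.
```caddyfile
route {
	# … unchanged: root, vulcain, push …
	# Only the front controller may reach PHP-FPM (parity with the old nginx `location ~ \.php$ { return 404; }`)
	@otherPhp {
		path *.php
		not path /index.php
	}
	respond @otherPhp 404
	php_fastcgi php:9000
}
```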
@@ -1,36 +0,0 @@
-server {
- root /srv/app/public;
-
- location / {
- # try to serve file directly, fallback to index.php
- try_files $uri /index.php$is_args$args;
- }
- location ~ ^/index\.php(/|$) {
- #resolver 127.0.0.11;
- #set $upstream_host php;
- #fastcgi_pass $upstream_host:9000;
- # Uncomment the previous lines and comment the next one to enable dynamic resolution (incompatible with Kubernetes)
- fastcgi_pass php:9000;
- fastcgi_split_path_info ^(.+\.php)(/.*)$;
- include fastcgi_params;
- # When you are using symlinks to link the document root to the
- # current version of your application, you should pass the real
- # application path instead of the path to the symlink to PHP
- # FPM.
- # Otherwise, PHP's OPcache may not properly detect changes to
- # your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126
- # for more information).
- fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
- fastcgi_param DOCUMENT_ROOT $realpath_root;
- # Prevents URIs that include the front controller. This will 404:
- # http://domain.tld/index.php/some-path
- # Remove the internal directive to allow URIs like this
- internal;
- }
-
- # return 404 for all other php files not matching the front controller
- # this prevents access to other php files you don't want to be accessible.
- location ~ \.php$ {
- return 404;
- }
-}