#3: Refactor everything into RKD

Author: blackandred

Dockerfile

@@ -7,7 +7,14 @@ MAINTAINER RiotKit <[email protected]>
 
 ARG RIOTKIT_IMAGE_VERSION=""
 
+# The credentials does not need to be top secret, at least those credentials needs to protect against automatic bots
+# default basic auth credentials: riotkit, riotkit
+# to change credentials just replace file "/opt/htpsswd" using volume mount or customized image
+
 ENV AUTO_UPDATE_CRON="0 5 * * SAT" \
+    BASIC_AUTH_ENABLED=true \
+    BASIC_AUTH_USER=riotkit \
+    BASIC_AUTH_PASSWORD=riotkit \
     PHP_DISPLAY_ERRORS="Off" \
     PHP_ERROR_REPORTING="E_ALL & ~E_DEPRECATED & ~E_STRICT" \
     PHP_POST_MAX_SIZE="32M" \
@@ -16,19 +23,18 @@ ENV AUTO_UPDATE_CRON="0 5 * * SAT" \
     RKD_PATH="/opt/.rkd" \
     PYTHONUNBUFFERED=1
 
-ADD ./opt/.rkd /opt/.rkd
+ADD ./container-files/opt/.rkd /opt/.rkd
 
-RUN apk --update add nginx supervisor python3 py3-pip \
+RUN apk --update add nginx supervisor python3 py3-pip nano apache2-utils \
     && curl "https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar" --output /usr/bin/wp \
     && mkdir -p /var/tmp/nginx/ /var/lib/nginx/tmp/ \
     && chown www-data:www-data /var/tmp/nginx/ /var/lib/nginx/tmp/ -R \
     && chmod +x /usr/bin/wp \
     && pip3 install -r /opt/.rkd/requirements.txt
 
-ADD etc/supervisor.conf /etc/supervisor.conf
-ADD etc/nginx/nginx.conf /etc/nginx/nginx.conf
 ADD ./wp-config-sample.php /usr/src/wordpress/wp-config-sample.php
 ADD ./wp-config-riotkit.php /usr/src/wordpress/wp-config-riotkit.php
-ADD ./usr /templates/usr
+ADD ./container-files /templates
+ADD htpasswd /opt/htpasswd
 
 ENTRYPOINT ["rkd", ":entrypoint"]

README.md

@@ -7,6 +7,22 @@ Patched version of official Wordpress container.
 - Scheduled updates via wp-cli
 - **NGINX instead of Apache**
 - Support for RiotKit Harbor and NGINX-PROXY (VIRTUAL_HOST environment variable)
+- Basic Auth enabled by default to protect wp-login and wp-admin against bots (default user: `riotkit`, password: `riotkit`)
+
+Changing basic auth password or disabling it at all
+===================================================
+
+**Disabling:**
+
+```bash
+-e BASIC_AUTH_ENABLED=false
+```
+
+**Changing password:**
+
+```bash
+-e BASIC_AUTH_USER=some-user -e BASIC_AUTH_PASSWORD=some-password
+```
 
 Versions
 ========
@@ -39,6 +55,11 @@ services:
             WORDPRESS_DB_PASSWORD: "${DB_PASSWORD_THERE}"
             WORDPRESS_DB_NAME: "your_app"
             AUTO_UPDATE_CRON: "0 5 * * SAT"
+          
+            # basic auth on administrative endpoints
+            BASIC_AUTH_ENABLED=true
+            BASIC_AUTH_USER: john
+            BASIC_AUTH_PASSWORD: secret
 
             # main page URL
             WP_PAGE_URL: "zsp.net.pl"
@@ -48,6 +69,19 @@ services:
 
 ```
 
+Building and debugging image
+----------------------------
+
+**Build and run a snapshot locally:**
+
+```bash
+# build
+rkd :boat-ci:specific-release -v 1.0 --app-version 5.5 --dir . --dest-docker-repo="quay.io/riotkit/wp-auto-update" --docker-build-opts="" --become=root
+
+# run
+docker run -p 8001:80 --rm --name wp quay.io/riotkit/wp-auto-update:1.0
+```
+
 From authors
 ============
 

container-files/etc/nginx/nginx.conf.j2

@@ -0,0 +1,125 @@
+user www-data;
+daemon off;
+worker_processes 3;
+pid /var/run/nginx.pid;
+
+events {
+    worker_connections 768;
+}
+
+http {
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+    types_hash_max_size 4096;
+
+    client_max_body_size 512M;
+    client_body_temp_path /tmp 1 2;
+    client_body_buffer_size 256k;
+    client_body_in_file_only off;
+
+    server_tokens off;
+    max_ranges 1;
+
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    fastcgi_temp_file_write_size 20m;
+    fastcgi_busy_buffers_size 786k;
+    fastcgi_buffer_size 512k;
+    fastcgi_buffers 16 512k;
+
+    access_log /dev/stdout;
+    error_log /dev/stderr info;
+
+    # should be enabled on gateway
+    gzip off;
+
+    server {
+        listen 80 default_server;
+        root /var/www/html;
+        index index.html index.php;
+        server_name _;
+
+        index index.php;
+
+        fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
+        fastcgi_param  SERVER_SOFTWARE    Nginx;
+        fastcgi_param  QUERY_STRING       $query_string;
+        fastcgi_param  REQUEST_METHOD     $request_method;
+        fastcgi_param  CONTENT_TYPE       $content_type;
+        fastcgi_param  CONTENT_LENGTH     $content_length;
+        fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
+        fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
+        fastcgi_param  REQUEST_URI        $request_uri;
+        fastcgi_param  DOCUMENT_URI       $document_uri;
+        fastcgi_param  DOCUMENT_ROOT      $document_root;
+        fastcgi_param  SERVER_PROTOCOL    $server_protocol;
+        fastcgi_param  REMOTE_ADDR        $remote_addr;
+        fastcgi_param  REMOTE_PORT        $remote_port;
+        fastcgi_param  SERVER_ADDR        $server_addr;
+        fastcgi_param  SERVER_PORT        $server_port;
+        fastcgi_param  SERVER_NAME        $server_name;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+
+        set $path_info $fastcgi_path_info;
+        fastcgi_param PATH_INFO $path_info;
+        fastcgi_index index.php;
+        fastcgi_read_timeout 60s;
+
+        location = /favicon.ico {
+            log_not_found off;
+            access_log off;
+        }
+
+        location = /robots.txt {
+            allow all;
+            log_not_found off;
+            access_log off;
+        }
+
+        {% if BASIC_AUTH_ENABLED %}
+        location ^~ /wp-login.php {
+            auth_basic "Access secured";
+            auth_basic_user_file /opt/htpasswd;
+
+            try_files $fastcgi_script_name =404;
+            fastcgi_pass localhost:9000;
+
+            break;
+        }
+
+        location ~ /wp-admin {
+            auth_basic "Access secured";
+            auth_basic_user_file /opt/htpasswd;
+
+            try_files $fastcgi_script_name =404;
+            fastcgi_pass localhost:9000;
+
+            break;
+        }
+        {% endif %}
+
+        location / {
+            # This is cool because no php is touched for static content.
+            # include the "?$args" part so non-default permalinks doesn't break when using query string
+            try_files $uri $uri/ /index.php?$args;
+        }
+
+        location ~ \.php$ {
+            try_files $fastcgi_script_name =404;
+            fastcgi_pass localhost:9000;
+        }
+
+        location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
+            expires max;
+            log_not_found off;
+        }
+
+        location ~ /\.ht {
+            deny all;
+        }
+    }
+}

etc/supervisor.conf renamed to container-files/etc/supervisor.conf

@@ -11,8 +11,18 @@ tasks:
             %RKD% :setup:crontab \
                   :setup:configs \
                   :setup:wordpress-files \
+                  :setup:basicauth \
                   :run:supervisor
 
+    :setup:basicauth:
+        steps: |
+            if [[ "${BASIC_AUTH_USER}" ]] && [[ "${BASIC_AUTH_PASSWORD}" ]]; then
+                echo " >> Writing to basic auth file - /opt/htpasswd"
+                htpasswd -b -c /opt/htpasswd "${BASIC_AUTH_USER}" "${BASIC_AUTH_PASSWORD}"
+            else
+                echo " >> No user or password set, skipping writing to /opt/htpasswd"
+            fi
+
     :run:supervisor:
         description: Run supervisor with applications
         steps: supervisord -c /etc/supervisor.conf
@@ -28,7 +38,6 @@ tasks:
             %RKD% :j2:directory-to-directory \
                 --source=/templates \
                 --target=/ \
-                --delete-source-files \
                 --pattern="(.*).j2" \
                 --copy-not-matching-files
 

opt/.rkd/README.md renamed to container-files/opt/.rkd/README.md

@@ -0,0 +1 @@
+riotkit:$apr1$UmjxQSi2$0YCrneUIpiAjetzQrhqoj.