4. 关闭 PHP 的版本输出,这样别人访问我的网站就不知道我使用哪个 PHP 版本了,安全无小事!
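# 堆代码 duidaima.com
# Production PHP 5.6 FPM image on Alpine: extensions are built into the image,
# php-fpm listens on 127.0.0.1:9056 and runs as the unprivileged `www` user.
# NOTE(review): php 5.6 and alpine 3.8 no longer receive security updates;
# anything built on this base needs a migration plan.
FROM php:5.6.40-fpm-alpine3.8
LABEL maintainer="??? <???@???.com>"
ENV TZ=Asia/Shanghai
# Optional sha256 of composer.phar (pass --build-arg COMPOSER_SHA256=<sha256-from-the-mirror>).
# Left empty the download is not verified, matching the previous behaviour.
ARG COMPOSER_SHA256=""
RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.aliyun.com/g' /etc/apk/repositories && \
    # deps
    apk --no-cache add bind-tools \
        git \
        make \
        openssh-client \
        php5-mcrypt \
        php5-sysvmsg \
        php5-sysvsem \
        php5-sysvshm \
        tzdata \
        freetype-dev \
        gettext-dev \
        imagemagick-dev \
        libmemcached-dev \
        libpng-dev \
        libzip-dev \
        jpeg-dev \
        rabbitmq-c-dev \
        && \
    # the distro-built php5 modules are reused with the official php build
    cp /usr/lib/php5/modules/mcrypt.so /usr/local/lib/php/extensions/no-debug-non-zts-20131226/ && \
    cp /usr/lib/php5/modules/sysvmsg.so /usr/local/lib/php/extensions/no-debug-non-zts-20131226/ && \
    cp /usr/lib/php5/modules/sysvsem.so /usr/local/lib/php/extensions/no-debug-non-zts-20131226/ && \
    cp /usr/lib/php5/modules/sysvshm.so /usr/local/lib/php/extensions/no-debug-non-zts-20131226/ && \
    # DNS: only create nsswitch.conf when missing; grouped so an existing file
    # does not make the `&&` chain (and the whole build) fail
    { [ -e /etc/nsswitch.conf ] || echo 'hosts: files dns' > /etc/nsswitch.conf; } && \
    # timezone (double quotes: the single-quoted form wrote the literal text $TZ)
    ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && \
    echo "$TZ" > /etc/timezone && \
    # /www  /wwwlog  /app  owned by the www user (uid/gid 500)
    addgroup -g 500 -S www && \
    adduser -u 500 -D -S -G www www && \
    mkdir /www && mkdir /wwwlog && mkdir -p /app && \
    chown -R www:www /www && chown -R www:www /wwwlog && chown -R www:www /app && \
    addgroup www tty && \
    sed -i 's/\/home\/www:\/bin\/false/\/home\/www:\/bin\/ash/g' /etc/passwd && \
    deluser --remove-home www-data && \
    # password
    # NOTE(review): busybox `passwd -d` appears to *delete* the account password; the
    # trailing string is not applied as one. With www given a login shell above, confirm
    # an empty root password is intended; `passwd -l root` locks the account instead.
    passwd root -d "!!!Production!!!" && \
    passwd www -d "!!!Production!!!" && \
    # ssh-key
    # NOTE(review): decoding a private key into an image layer means anyone who can
    # pull the image can recover it; prefer BuildKit `RUN --mount=type=ssh` or
    # `--mount=type=secret` so the key exists only while the build step runs.
    mkdir -p /root/.ssh && \
    echo ???==|base64 -d>/root/.gitconfig && \
    echo ???==|base64 -d>/root/.ssh/config && \
    echo ???==|base64 -d>/root/.ssh/id_rsa && \
    echo ???==|base64 -d>/root/.ssh/id_rsa.pub && \
    echo ???==|base64 -d>/root/.ssh/known_hosts && \
    chmod 600 /root/.ssh/id_rsa && \
    # composer (verified against COMPOSER_SHA256 when one is supplied)
    wget -O /usr/local/bin/composer https://mirrors.cloud.tencent.com/composer/composer.phar && \
    { [ -z "$COMPOSER_SHA256" ] || echo "$COMPOSER_SHA256  /usr/local/bin/composer" | sha256sum -c -; } && \
    chmod +x /usr/local/bin/composer && \
    /usr/local/bin/composer config -g repos.packagist composer https://mirrors.cloud.tencent.com/composer/ && \
    # ext (pecl downloads are not signature-checked; versions are pinned at least)
    docker-php-ext-configure zip --with-libzip && \
    docker-php-ext-configure gd --with-jpeg-dir=/usr/lib --with-freetype-dir=/usr/include/freetype2 && \
    pecl install -o -f amqp-1.10.2 && \
    pecl install -o -f memcached-2.2.0 && \
    pecl install -o -f imagick-3.4.4 && \
    pecl install -o -f rar-4.2.0 && \
    pecl install -o -f redis-4.3.0 && \
    pecl download yaf-2.3.5 && tar zxvf yaf-2.3.5.tgz && cd yaf-2.3.5 && phpize && ./configure && \
    make && make install && cd .. && rm -rf yaf-2.3.5 yaf-2.3.5.tgz && \
    docker-php-ext-install bcmath gettext mysqli pcntl sockets pdo_mysql mbstring gd zip opcache && \
    docker-php-ext-enable amqp mcrypt memcached imagick rar redis sysvmsg sysvsem sysvshm yaf && \
    rm -rf /tmp/pear /var/cache/apk/* /tmp/* && \
    # php-fpm.conf
    echo "[global]" > /usr/local/etc/php-fpm.d/zz-docker.conf && \
    echo "daemonize = no" >> /usr/local/etc/php-fpm.d/zz-docker.conf && \
    # www.conf
    rm -f /usr/local/etc/php-fpm.d/www.conf.default && \
    sed -i "s/www-data/www/g" /usr/local/etc/php-fpm.d/www.conf && \
    sed -i "s/pm.max_children = 5/pm.max_children = 128/g" /usr/local/etc/php-fpm.d/www.conf && \
    sed -i "s/listen = 127.0.0.1:9000/listen = 127.0.0.1:9056/g" /usr/local/etc/php-fpm.d/www.conf && \
    sed -i "s/;pm.max_requests = 500/pm.max_requests = 1024/g" /usr/local/etc/php-fpm.d/www.conf && \
    sed -i "s/;request_slowlog_timeout = 0/request_slowlog_timeout = 5/g" /usr/local/etc/php-fpm.d/www.conf && \
    sed -i "s/;request_terminate_timeout = 0/request_terminate_timeout = 30/g" /usr/local/etc/php-fpm.d/www.conf && \
    # slow log goes to the container's stderr
    sed -i 's/;slowlog = log\/\$pool.log.slow/slowlog = \/proc\/self\/fd\/2/g' /usr/local/etc/php-fpm.d/www.conf && \
    sed -i "s/;access.format/access.format/g" /usr/local/etc/php-fpm.d/www.conf && \
    # php.ini: production template, opcache for CLI, no X-Powered-By version header
    cp /usr/local/etc/php/php.ini-production /usr/local/etc/php/php.ini && \
    sed -i "s/;opcache.enable_cli=0/opcache.enable_cli=1/g" /usr/local/etc/php/php.ini && \
    sed -i "s/expose_php = On/expose_php = Off/g" /usr/local/etc/php/php.ini
WORKDIR /app

适用于生产环境的 PHP 7 Dockerfile: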
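# Production PHP 7.2 FPM image on Alpine: memcached/redis/gd/pdo_mysql built in,
# php-fpm listens on 127.0.0.1:9072 and runs as the unprivileged `www` user.
# NOTE(review): php 7.2 and alpine 3.12 no longer receive security updates.
FROM php:7.2.34-fpm-alpine3.12
LABEL maintainer="??? <???@???.com>"
ENV TZ=Asia/Shanghai
# Optional sha256 of composer.phar (pass --build-arg COMPOSER_SHA256=<sha256-from-the-mirror>).
# Left empty the download is not verified, matching the previous behaviour.
ARG COMPOSER_SHA256=""
RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.aliyun.com/g' /etc/apk/repositories && \
    # deps
    apk update && \
    apk --no-cache add bind-tools \
        git \
        make \
        openssh-client \
        tzdata \
        freetype-dev \
        libmemcached-dev \
        libpng-dev \
        jpeg-dev \
        && \
    # DNS: only create nsswitch.conf when missing; grouped so an existing file
    # does not make the `&&` chain (and the whole build) fail
    { [ -e /etc/nsswitch.conf ] || echo 'hosts: files dns' > /etc/nsswitch.conf; } && \
    # timezone (double quotes: the single-quoted form wrote the literal text $TZ)
    ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && \
    echo "$TZ" > /etc/timezone && \
    # /www  /wwwlog  /app  owned by the www user (uid/gid 500)
    addgroup -g 500 -S www && \
    adduser -u 500 -D -S -G www www && \
    mkdir /www && mkdir /wwwlog && mkdir -p /app && \
    chown -R www:www /www && chown -R www:www /wwwlog && chown -R www:www /app && \
    addgroup www tty && \
    sed -i 's/\/home\/www:\/sbin\/nologin/\/home\/www:\/bin\/ash/g' /etc/passwd && \
    deluser --remove-home www-data && \
    # password
    # NOTE(review): busybox `passwd -u ... -d` unlocks the account and appears to *delete*
    # its password; the trailing string is not applied as one. With www given a login
    # shell above, confirm an empty root password is intended; `passwd -l root` locks it.
    passwd -u root -d "!!!Production!!!" && \
    passwd -u www -d "!!!Production!!!" && \
    # ssh-key
    # NOTE(review): decoding a private key into an image layer means anyone who can
    # pull the image can recover it; prefer BuildKit `RUN --mount=type=ssh` or
    # `--mount=type=secret` so the key exists only while the build step runs.
    mkdir -p /root/.ssh && \
    echo ???==|base64 -d>/root/.gitconfig && \
    echo ???==|base64 -d>/root/.ssh/config && \
    echo ???==|base64 -d>/root/.ssh/id_rsa && \
    echo ???==|base64 -d>/root/.ssh/id_rsa.pub && \
    echo ???==|base64 -d>/root/.ssh/known_hosts && \
    chmod 600 /root/.ssh/id_rsa && \
    # composer (verified against COMPOSER_SHA256 when one is supplied)
    wget -O /usr/local/bin/composer https://mirrors.cloud.tencent.com/composer/composer.phar && \
    { [ -z "$COMPOSER_SHA256" ] || echo "$COMPOSER_SHA256  /usr/local/bin/composer" | sha256sum -c -; } && \
    chmod +x /usr/local/bin/composer && \
    /usr/local/bin/composer config -g repos.packagist composer https://mirrors.cloud.tencent.com/composer/ && \
    # ext (pecl downloads are not signature-checked; versions are pinned at least)
    docker-php-ext-configure gd --with-jpeg-dir=/usr/lib --with-freetype-dir=/usr/include/freetype2 && \
    pecl install -o -f memcached-3.1.5 && \
    pecl install -o -f redis-5.3.4 && \
    docker-php-ext-install bcmath pdo_mysql gd opcache && \
    docker-php-ext-enable memcached redis && \
    rm -rf /tmp/pear /var/cache/apk/* /tmp/* && \
    # php-fpm.conf
    echo "[global]" > /usr/local/etc/php-fpm.d/zz-docker.conf && \
    echo "daemonize = no" >> /usr/local/etc/php-fpm.d/zz-docker.conf && \
    # www.conf
    rm -f /usr/local/etc/php-fpm.d/www.conf.default && \
    sed -i "s/www-data/www/g" /usr/local/etc/php-fpm.d/www.conf && \
    sed -i "s/pm.max_children = 5/pm.max_children = 256/g" /usr/local/etc/php-fpm.d/www.conf && \
    sed -i "s/listen = 127.0.0.1:9000/listen = 127.0.0.1:9072/g" /usr/local/etc/php-fpm.d/www.conf && \
    sed -i "s/;pm.max_requests = 500/pm.max_requests = 1000/g" /usr/local/etc/php-fpm.d/www.conf && \
    sed -i "s/;request_slowlog_timeout = 0/request_slowlog_timeout = 5/g" /usr/local/etc/php-fpm.d/www.conf && \
    sed -i "s/;request_terminate_timeout = 0/request_terminate_timeout = 30/g" /usr/local/etc/php-fpm.d/www.conf && \
    # slow log goes to the container's stderr
    sed -i 's/;slowlog = log\/\$pool.log.slow/slowlog = \/proc\/self\/fd\/2/g' /usr/local/etc/php-fpm.d/www.conf && \
    # php.ini: production template, opcache for CLI, no X-Powered-By version header
    cp /usr/local/etc/php/php.ini-production /usr/local/etc/php/php.ini && \
    sed -i "s/;opcache.enable_cli=0/opcache.enable_cli=1/g" /usr/local/etc/php/php.ini && \
    sed -i "s/expose_php = On/expose_php = Off/g" /usr/local/etc/php/php.ini
WORKDIR /app

适用于生产环境的 openresty Dockerfile: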
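# Production OpenResty image on Alpine; nginx runs as the unprivileged `www` user
# with the config copied in from conf/nginx.conf (listed below the Dockerfile).
FROM openresty/openresty:1.19.3.2-alpine-apk
LABEL maintainer="??? <???@???.com>"
ENV TZ=Asia/Shanghai
RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.aliyun.com/g' /etc/apk/repositories && \
    # deps
    apk update && \
    apk --no-cache add bind-tools \
        tzdata \
        && \
    # DNS: only create nsswitch.conf when missing; grouped so an existing file
    # does not make the `&&` chain (and the whole build) fail
    { [ -e /etc/nsswitch.conf ] || echo 'hosts: files dns' > /etc/nsswitch.conf; } && \
    # timezone (double quotes: the single-quoted form wrote the literal text $TZ)
    ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && \
    echo "$TZ" > /etc/timezone && \
    # /www  /wwwlog  /app  owned by the www user (uid/gid 500)
    addgroup -g 500 -S www && \
    adduser -u 500 -D -S -G www www && \
    mkdir /www && mkdir /wwwlog && mkdir -p /app && \
    chown -R www:www /www && chown -R www:www /wwwlog && chown -R www:www /app && \
    addgroup www tty && \
    sed -i 's/\/home\/www:\/sbin\/nologin/\/home\/www:\/bin\/ash/g' /etc/passwd && \
    # password
    # NOTE(review): busybox `passwd -u ... -d` unlocks the account and appears to *delete*
    # its password; the trailing string is not applied as one. With www given a login
    # shell above, confirm an empty root password is intended; `passwd -l root` locks it.
    passwd -u root -d "!!!Production!!!" && \
    passwd -u www -d "!!!Production!!!"
COPY conf/nginx.conf /usr/local/openresty/nginx/conf/nginx.conf

# conf/nginx.conf
pcre_jit on;
user www www;
worker_processes 1;
error_log /usr/local/openresty/nginx/logs/error.log error;
worker_rlimit_nofile 65535;

events {
    use epoll;
    worker_connections 65535;
}

http {
    include mime.types;
    default_type application/octet-stream;
    # no nginx version in the Server header or error pages
    server_tokens off;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    server_names_hash_bucket_size 512;
    client_max_body_size 8m;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    proxy_buffers 32 128k;
    proxy_buffer_size 128k;
    proxy_busy_buffers_size 128k;
    client_body_timeout 10;
    client_header_timeout 10;
    send_timeout 30;
    keepalive_timeout 60;

    # One JSON object per request; escape=json keeps the output parseable.
    # NOTE(review): postData and cookieData write raw request bodies and cookies to the
    # access log, so passwords, tokens and session ids end up wherever the log is shipped;
    # drop or redact these fields unless the log store is protected to the same level.
    # $reqid is not defined in this file (presumably add_header_reqid.conf or a vhost
    # sets it - confirm).
    log_format main escape=json '{"@timestamp":"$time_iso8601",'
        '"scheme":"$scheme",'
        '"remote_host":"$host",'
        '"clientip":"$remote_addr",'
        '"bytes":$body_bytes_sent,'
        '"cost":$request_time,'
        '"referer":"$http_referer",'
        '"agent":"$http_user_agent",'
        '"time_local":"$time_local",'
        '"xforward":"$http_x_forwarded_for",'
        '"method":"$request_method",'
        '"request":"$request_uri",'
        '"uri":"$uri",'
        '"postData":"$request_body",'
        '"cookieData":"$http_cookie",'
        '"httpversion":"$server_protocol",'
        '"reqid":"$reqid",'
        '"remote_port":"$remote_port",'
        '"server_port":"$server_port",'
        '"status":$status}';

    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 256k;
    fastcgi_intercept_errors on;

    gzip on;
    gzip_vary on;
    gzip_comp_level 5;
    gzip_buffers 16 8k;
    gzip_min_length 1k;
    # `any` already covers expired/no-cache/no-store/private/auth, so the second
    # gzip_proxied line from the original was redundant and is folded into this one
    gzip_proxied any;
    gzip_http_version 1.0;
    gzip_disable "msie6";
    gzip_types text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/xml+rss application/json;

    # catch-all: requests that match no configured vhost are dropped without a response
    server {
        listen 80 default_server;
        server_name _;
        return 444;
        access_log /usr/local/openresty/nginx/logs/access.log main;
        include add_header_reqid.conf;
    }

    include /usr/local/openresty/nginx/conf/vhost/*.conf;
}

嗯,真实的生产环境配置十分混乱,我做了格式化,大家拿去用吧 😃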