diff --git a/README.md b/README.md
new file mode 100644
index 0000000..526de07
--- /dev/null
+++ b/README.md
@@ -0,0 +1,2 @@
+# Deprecated repo
+Please use https://github.com/php-microservices/docker-v2 instead of this repo. V2 has versions locked and uses branches instead of tags
diff --git a/docker-compose.yml b/docker-compose.yml
index 21299b0..4259361 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -45,6 +45,7 @@ services:
 - BACKEND=microservice-battle-fpm
 - CONSUL=autodiscovery
 ports:
+ - 8443:443
 - 8081:80
 - 9091:9090
 
@@ -128,6 +129,17 @@ services:
 ports:
 - 6666:3306
 
+ microservice_secret_database_mariadb:
+ build: ./microservices/secret/mariadb/
+ environment:
+ - CONSUL=autodiscovery
+ - MYSQL_ROOT_PASSWORD=mysecret
+ - MYSQL_DATABASE=finding_secrets
+ - MYSQL_USER=secret
+ - MYSQL_PASSWORD=mysecret
+ ports:
+ - 7777:3306
+
 ##
 # User Microservice
 ##
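Review bot: The new `microservice_secret_database_mariadb` service commits the database credentials in clear (`MYSQL_ROOT_PASSWORD=mysecret`, `MYSQL_PASSWORD=mysecret`), and the Sentry services in the next hunk (`@@ -167`) do the same with `SENTRY_SECRET_KEY` and `SENTRY_DB_PASSWORD`. Move them into an `env_file:` that is ignored by git (for example `env_file: ./microservices/secret/mariadb/.env`) or into `${MYSQL_ROOT_PASSWORD}` substitutions resolved from the environment, so the repository itself holds no secrets. `ports: - 7777:3306` publishes the database on every host interface; unless remote access is required, binding it to loopback, `- 127.0.0.1:7777:3306`, limits exposure to the host.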
@@ -167,6 +179,77 @@ services:
 - 6379
 ports:
 - 6379:6379
+
+ ##
+ # Telemetry: prometheus
+ ##
+ telemetry:
+ build: ./telemetry/
+ links:
+ - autodiscovery
+ expose:
+ - 9090
+ ports:
+ - 9090:9090
+
+ ##
+ # Sentry
+ ##
+ sentry_redis:
+ image: redis
+ expose:
+ - 6379
+
+ sentry_postgres:
+ image: postgres
+ environment:
+ - POSTGRES_PASSWORD=sentry
+ - POSTGRES_USER=sentry
+ volumes:
+ - /var/lib/postgresql/data
+ expose:
+ - 5432
+
+ sentry:
+ image: sentry
+ links:
+ - sentry_redis
+ - sentry_postgres
+ ports:
+ - 9876:9000
+ environment:
+ SENTRY_SECRET_KEY: mymicrosecret
+ SENTRY_POSTGRES_HOST: sentry_postgres
+ SENTRY_REDIS_HOST: sentry_redis
+ SENTRY_DB_USER: sentry
+ SENTRY_DB_PASSWORD: sentry
+
+ sentry_celery-beat:
+ image: sentry
+ links:
+ - sentry_redis
+ - sentry_postgres
+ command: sentry celery beat
+ environment:
+ SENTRY_SECRET_KEY: mymicrosecret
+ SENTRY_POSTGRES_HOST: sentry_postgres
+ SENTRY_REDIS_HOST: sentry_redis
+ SENTRY_DB_USER: sentry
+ SENTRY_DB_PASSWORD: sentry
+
+ sentry_celery-worker:
+ image: sentry
+ links:
+ - sentry_redis
+ - sentry_postgres
+ command: sentry celery worker
+ environment:
+ SENTRY_SECRET_KEY: mymicrosecret
+ SENTRY_POSTGRES_HOST: sentry_postgres
+ SENTRY_REDIS_HOST: sentry_redis
+ SENTRY_DB_USER: sentry
+ SENTRY_DB_PASSWORD: sentry
+
 ##
 # Source containers
 ##
@@ -192,4 +275,4 @@ services:
 image: nginx:stable
 volumes:
 - ../source/user:/var/www/html
- command: "true"
\ No newline at end of file
+ command: "true"
diff --git a/microservices/battle/nginx/Dockerfile b/microservices/battle/nginx/Dockerfile
index d158125..606f2df 100644
--- a/microservices/battle/nginx/Dockerfile
+++ b/microservices/battle/nginx/Dockerfile
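Review bot: `image: redis`, `image: postgres` and `image: sentry` in the new Sentry services carry no tag, so every pull can resolve to a different major version and the Sentry release may stop matching the Postgres or Redis it is paired with; pin each to an explicit tag (and a digest where the deployment needs full reproducibility). `volumes: - /var/lib/postgresql/data` on `sentry_postgres` is an anonymous volume, so the Sentry database silently disappears when the container is removed with its volumes or anonymous volumes are pruned; a named volume such as `- sentry_pgdata:/var/lib/postgresql/data` with a matching top-level `volumes:` entry makes persistence explicit. The identical five-line `environment:` block is repeated in `sentry`, `sentry_celery-beat` and `sentry_celery-worker`; a YAML anchor (`environment: &sentry_env` / `environment: *sentry_env`) keeps them from drifting apart when one is edited.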
@@ -32,6 +32,16 @@ COPY scripts/ /usr/local/bin
 RUN chmod +x /usr/local/bin/reload.sh
 RUN chmod +x /usr/local/bin/sensor.sh
 
+RUN echo 01 > ca.srl \
+ && openssl genrsa -out ca-key.pem 2048 \
+ && openssl req -new -x509 -days 365 -subj "/CN=*" -key ca-key.pem -out ca.pem \
+ && openssl genrsa -out server-key.pem 2048 \
+ && openssl req -subj "/CN=*" -new -key server-key.pem -out server.csr \
+ && openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -out server-cert.pem \
+ && openssl rsa -in server-key.pem -out server-key.pem \
+ && cp *.pem /etc/nginx/ \
+ && cp *.csr /etc/nginx/
+
 CMD [ "/usr/local/bin/containerpilot", \
 "nginx", \
 "-g", \
diff --git a/microservices/battle/nginx/config/nginx/nginx.conf.ctmpl b/microservices/battle/nginx/config/nginx/nginx.conf.ctmpl
index 86021c8..53b33ad 100644
--- a/microservices/battle/nginx/config/nginx/nginx.conf.ctmpl
+++ b/microservices/battle/nginx/config/nginx/nginx.conf.ctmpl
@@ -81,4 +81,47 @@ http {
 }
 {{ end }}
 }
+
+ server {
+ listen 443 ssl;
+ server_name _;
+ root /var/www/html/public;
+ index index.php index.html;
+
+ ssl on;
+ ssl_certificate /etc/nginx/server-cert.pem;
+ ssl_certificate_key /etc/nginx/server-key.pem;
+
+ location = /favicon.ico { access_log off; log_not_found off; }
+ location = /robots.txt { access_log off; log_not_found off; }
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log error;
+
+ sendfile off;
+
+ client_max_body_size 100m;
+
+ location / {
+ try_files $uri $uri/ /index.php?_url=$uri&$args;
+ }
+
+ location ~ /\.ht {
+ deny all;
+ }
+
+ {{ if service $backend }}
+ location ~ \.php$ {
+ try_files $uri =404;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_pass {{ $backend }};
+ fastcgi_index /index.php;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_intercept_errors off;
+ fastcgi_buffer_size 16k;
+ fastcgi_buffers 4 16k;
+ }
+ {{ end }}
+ }
 }
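Review bot: The new `RUN` creates the CA private key (`ca-key.pem`) and the server key at build time and then copies both into `/etc/nginx/` via `cp *.pem /etc/nginx/`, so the signing key and the serving key are baked into an image layer shared by every container and every registry pull, while the working copies plus `server.csr` and `ca.srl` also stay behind in the build directory. nginx only needs the server certificate and key; at minimum stop copying the CA key and remove the intermediates in the same `RUN` (`&& rm -f ca-key.pem server.csr ca.srl`) so they do not persist in the layer. A better shape is to generate or mount the certificate at container start (a volume, or a step in the entrypoint), which also avoids fixing the 365-day expiry at build time. `-subj "/CN=*"` yields a certificate that matches no real host name, so every client will have to disable verification to talk to it; use the service name instead. The `openssl rsa -in server-key.pem -out server-key.pem` step looks like a no-op, since `genrsa` without a cipher flag already writes an unencrypted key.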
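Review bot: `ssl on;` in the new `server` block is redundant with `listen 443 ssl;` and is the deprecated form (deprecated since nginx 1.15.0 and dropped in recent releases), so it should be removed and the `listen` directive left to enable TLS. The block sets no `ssl_protocols` or `ssl_ciphers`, so the image inherits whatever the nginx build defaults to, which on older builds still includes TLSv1 and TLSv1.1; adding `ssl_protocols TLSv1.2 TLSv1.3;` (without TLSv1.3 if the build predates it) pins the accepted versions explicitly. The rest of the block duplicates the plain-HTTP server above it line for line; if the two are meant to stay identical, moving the shared `location` directives into an `include`d snippet would keep them from diverging.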
diff --git a/microservices/secret/database/Dockerfile b/microservices/secret/database/Dockerfile
index d9ce9b0..07834c4 100644
--- a/microservices/secret/database/Dockerfile
+++ b/microservices/secret/database/Dockerfile
@@ -1 +1,7 @@
 FROM percona:5.7
+
+RUN mkdir -p /mount/mysql-keyring/ \
+ && touch /mount/mysql-keyring/keyring \
+ && chown -R mysql:mysql /mount/mysql-keyring
+
+COPY etc/ /etc/mysql/conf.d/
diff --git a/microservices/secret/database/etc/encryption.cnf b/microservices/secret/database/etc/encryption.cnf
new file mode 100644
index 0000000..4314af2
--- /dev/null
+++ b/microservices/secret/database/etc/encryption.cnf
@@ -0,0 +1,3 @@
+[mysqld]
+early-plugin-load=keyring_file.so
+keyring_file_data=/mount/mysql-keyring/keyring
\ No newline at end of file
diff --git a/microservices/secret/mariadb/Dockerfile b/microservices/secret/mariadb/Dockerfile
new file mode 100644
index 0000000..1406bb3
--- /dev/null
+++ b/microservices/secret/mariadb/Dockerfile
@@ -0,0 +1,13 @@
+FROM mariadb:latest
+
+RUN apt-get update \
+ && apt-get autoremove && apt-get autoclean \
+ && rm -rf /var/lib/apt/lists/*
+
+#RUN openssl enc -aes-256-ctr -k secret@phpmicroservices.com -P -md sha1
+RUN mkdir -p /volumes/keys/
+RUN echo "1;C472621BA1708682BEDC9816D677A4FDC51456B78659F183555A9A895EAC9218" > /volumes/keys/keys.txt
+
+RUN openssl enc -aes-256-cbc -md sha1 -k secret -in /volumes/keys/keys.txt -out /volumes/keys/keys.enc
+
+COPY etc/ /etc/mysql/conf.d/
diff --git a/microservices/secret/mariadb/etc/encryption.cnf b/microservices/secret/mariadb/etc/encryption.cnf
new file mode 100644
index 0000000..b428ceb
--- /dev/null
+++ b/microservices/secret/mariadb/etc/encryption.cnf
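Review bot: The keyring file the new `RUN` prepares at `/mount/mysql-keyring/keyring` sits on the container's writable layer rather than on a volume, so the master key that `keyring_file_data` (set in the accompanying `encryption.cnf`) will store there is lost whenever the container is recreated, and every tablespace encrypted under it becomes unreadable. Declare the directory as a volume after the `chown` (`VOLUME /mount/mysql-keyring`) and document that it has to be backed up separately from the data directory. The directory is presumably created with default permissions; tightening it in the same layer, `&& chmod 700 /mount/mysql-keyring`, keeps the key readable only by `mysql`. Note that `keyring_file` does not itself encrypt the keyring contents, so this setup protects against loss of a data-only backup, not against anyone who can read the container filesystem; a comment above the `RUN` stating that scope would help operators judge what it buys them.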
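Review bot: The data-at-rest key ships inside the image: `RUN echo "1;C472…" > /volumes/keys/keys.txt` writes the plaintext key into a layer and never removes it, `keys.enc` is protected only by the passphrase `secret` given on the same command line, and that passphrase and path are repeated in the accompanying `encryption.cnf`, so holding the image or the repository is enough to read every encrypted table. Generate the key outside the build (the commented `openssl enc … -P` line is that step), keep it out of git, and mount `/volumes/keys` at runtime as a volume or secret; if a build-time key is unavoidable, at least `rm /volumes/keys/keys.txt` in the same `RUN` that produces `keys.enc`. `FROM mariadb:latest` should be pinned to a specific tag so the plugin options in the config file are exercised against a known server version. The `apt-get update … autoremove … autoclean` layer installs nothing and can be dropped.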
@@ -0,0 +1,12 @@
+[mysqld]
+datadir=/var/lib/mysql
+plugin-load-add=file_key_management.so
+file_key_management_encryption_algorithm=aes_cb
+file_key_management_filekey = secret
+file_key_management_filename = /volumes/keys/keys.enc
+innodb-encrypt-tables = 1
+innodb-encrypt-log = 1
+innodb-encryption-threads=1
+encrypt-tmp-disk-tables=1
+encrypt-tmp-files=0
+encrypt-binlog=1
\ No newline at end of file
diff --git a/telemetry/Dockerfile b/telemetry/Dockerfile
new file mode 100644
index 0000000..c61ee4e
--- /dev/null
+++ b/telemetry/Dockerfile
@@ -0,0 +1,2 @@
+FROM prom/prometheus:latest
+ADD ./etc/prometheus.yml /etc/prometheus/
\ No newline at end of file
diff --git a/telemetry/etc/prometheus.yml b/telemetry/etc/prometheus.yml
new file mode 100644
index 0000000..4914118
--- /dev/null
+++ b/telemetry/etc/prometheus.yml
@@ -0,0 +1,12 @@
+global:
+ scrape_interval: 15s
+ evaluation_interval: 15s
+ external_labels:
+ monitor: 'codelab-monitor'
+
+scrape_configs:
+- job_name: 'containerpilot-telemetry'
+
+ consul_sd_configs:
+ - server: 'autodiscovery:8500'
+ services: ['containerpilot']
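Review bot: `file_key_management_encryption_algorithm=aes_cb` matches neither value MariaDB documents for this variable (`AES_CBC` or `AES_CTR`) and reads like a truncated `aes_cbc`; confirm the server actually starts with it, since a rejected value can stop the plugin from loading and leave the tables unencrypted without the compose stack noticing. `file_key_management_filekey = secret` places the passphrase for `keys.enc` in clear in the same image as the encrypted key file, which cancels the benefit of encrypting it; MariaDB accepts `FILE:<path>` for this option, so the passphrase can be read from a runtime-mounted file instead. `encrypt-tmp-files=0` next to `encrypt-tmp-disk-tables=1` and `encrypt-binlog=1` may be deliberate, but a one-line comment explaining why temporary files are left unencrypted would save the next reader from guessing.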
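Review bot: `ADD ./etc/prometheus.yml /etc/prometheus/` copies a plain local file, for which `COPY` is the explicit instruction; none of `ADD`'s extra behaviours (archive extraction, URL fetching) is wanted here, so `COPY ./etc/prometheus.yml /etc/prometheus/prometheus.yml`. `FROM prom/prometheus:latest` should carry a specific tag so the scrape configuration is validated against a known release, and the file should end with a newline (the hunk reports `\ No newline at end of file`).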