Docker and Ghost CMS overhaul

etc/ghost/config.production.json

@@ -0,0 +1,29 @@
+{
+  "database": {
+    "client": "mysql",
+    "connection": {
+      "host": "mysql",
+      "port": 3306,
+      "password": "root",
+      "user": "root",
+      "database": "ghost"
+    }
+  },
+  "url": "http://localhost:2368/blog",
+  "server": {
+    "port": 2368,
+    "host": "0.0.0.0"
+  },
+  "mail": {
+    "transport": "Direct"
+  },
+  "logging": {
+    "transports": [
+      "file"
+    ]
+  },
+  "process": "local",
+  "paths": {
+    "contentPath": "/opt/bitnami/ghost/content"
+  }
+}

etc/ghost/content/logs

@@ -0,0 +1 @@
+/opt/bitnami/ghost/logs

etc/ghost/content/themes/casper

@@ -0,0 +1 @@
+/opt/bitnami/ghost/current/content/themes/casper

etc/ghost/ghost/config.production.json

@@ -0,0 +1,29 @@
+{
+  "database": {
+    "client": "mysql",
+    "connection": {
+      "host": "mysql",
+      "port": 3306,
+      "password": "root",
+      "user": "root",
+      "database": "ghost"
+    }
+  },
+  "url": "http://localhost:2368/blog",
+  "server": {
+    "port": 2368,
+    "host": "0.0.0.0"
+  },
+  "mail": {
+    "transport": "Direct"
+  },
+  "logging": {
+    "transports": [
+      "file"
+    ]
+  },
+  "process": "local",
+  "paths": {
+    "contentPath": "/opt/bitnami/ghost/content"
+  }
+}

etc/nginx/HTTPS_default.conf.BAK

@@ -0,0 +1,119 @@
+upstream tomcat {
+    server tomcat:8080;
+}
+
+upstream ghost {
+    server ghost:2368;
+}
+
+# HTTP
+server {
+    listen 8080                             default_server;
+    listen [::]:8080                        default_server ipv6only=on;
+    server_name                             ${NGINX_HOST};
+
+    error_log                               /opt/bitnami/nginx/logs/error.log;
+    access_log                              /opt/bitnami/nginx/logs/access.log;
+
+    rewrite ^ https://$http_host$request_uri? permanent; #Redirect traffic to HTTPS
+
+    root /app;
+    index index.html index.htm index.php index.jsp;
+
+    client_max_body_size                    100M;
+
+    location / {
+        try_files $uri $uri/index.html;
+    }
+
+    ####### Proxies #######
+    # PHP proxy
+    location ~ \.php$ {
+        fastcgi_pass php:9001;
+        fastcgi_index index.php;
+        include fastcgi.conf;
+    }
+
+    # Ghost proxy
+    location /blog {
+        proxy_pass http://ghost;
+        proxy_set_header  Host              $http_host;   # required for docker client's sake
+        proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
+        proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header  X-Forwarded-Proto $scheme;
+        proxy_read_timeout                  900;
+    }
+
+    # Tomcat proxy
+    location ~ \.(do|jspa|obr|jsp|txt|zip) {
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_pass                          http://tomcat;
+    }
+
+}
+
+# HTTPS
+server {
+    listen      443           ssl http2;
+    listen [::]:443           ssl http2;
+    server_name               ${NGINX_HOST};
+
+    error_log                 /opt/bitnami/nginx/logs/error.log;
+    access_log                /opt/bitnami/nginx/logs/access.log;
+
+    add_header                Strict-Transport-Security "max-age=31536000" always;
+    ssl_session_cache         shared:SSL:20m;
+    ssl_session_timeout       10m;
+    ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers               "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;";
+    ssl_stapling              on;
+    ssl_stapling_verify       on;
+    resolver                  8.8.8.8 1.1.1.1;
+    ssl_certificate           /etc/letsencrypt/live/${NGINX_HOST}/fullchain.pem;
+    ssl_certificate_key       /etc/letsencrypt/live/${NGINX_HOST}/privkey.pem;
+    ssl_trusted_certificate   /etc/letsencrypt/live/${NGINX_HOST}/chain.pem;
+
+    root /app;
+    index index.html index.htm index.php index.jsp;
+
+    client_max_body_size                    100M;
+
+    location / {
+        try_files $uri $uri/index.html;
+    }
+
+    ####### Proxies #######
+    # PHP proxy
+    location ~ \.php$ {
+        fastcgi_pass php:9001;
+        fastcgi_index index.php;
+        include fastcgi.conf;
+    }
+
+    # Ghost proxy
+    location /blog {
+        proxy_pass http://ghost;
+        proxy_set_header  Host              $http_host;   # required for docker client's sake
+        proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
+        proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header  X-Forwarded-Proto $scheme;
+        proxy_read_timeout                  900;
+    }
+
+    # Tomcat proxy
+    location ~ \.(do|jspa|obr|jsp|txt|zip) {
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_pass                          http://tomcat;
+    }
+
+    # Certbot for HTTPS cert renewal
+    location ~ ^/.well-known {
+        root /data/letsencrypt/;
+    }
+
+}

etc/nginx/HTTPS_default.template.conf

@@ -1,109 +0,0 @@
-# Nginx configuration for HTTPS
-
-server_tokens off;
-add_header X-XSS-Protection "1; mode=block";
-add_header X-Content-Type-Options nosniff;
-
-upstream dev_tomcat_1 {
-    server tomcat;
-}
-
-upstream dev_ghost_1 {
-    server ghost:2368;
-}
-
-# HTTP
-server {
-    listen 80 default_server;
-    listen [::]:80 default_server;
-		gzip on;
-		gzip_static on;
-		gzip_vary on;
-		gzip_http_version 1.1;
-		gzip_min_length 700;
-		gzip_comp_level 6;
-    server_name ${NGINX_HOST};
-    error_log  /var/log/nginx/error.log;
-    access_log /var/log/nginx/access.log;
-    root /var/www/html/public;
-		index index.html index.htm index.jsp;
-
-    # Redirect all requests to HTTPS on :443
-    location / {
-        rewrite ^ https://$host$request_uri? permanent;
-    }
-
-    # Certbot for HTTPS cert renewal
-    location ^~ /.well-known {
-        allow all;
-        root  /data/letsencrypt/;
-    }
-}
-
-# HTTPS
-server {
-    listen      443           ssl http2;
-    listen [::]:443           ssl http2;
-    server_name               ${NGINX_HOST};
-    add_header                Strict-Transport-Security "max-age=31536000" always;
-    ssl_session_cache         shared:SSL:20m;
-    ssl_session_timeout       10m;
-    ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
-    ssl_prefer_server_ciphers on;
-    ssl_ciphers               "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;";
-    ssl_stapling              on;
-    ssl_stapling_verify       on;
-    resolver                  8.8.8.8 1.1.1.1;
-    ssl_certificate           /etc/letsencrypt/live/openrsc.com/fullchain.pem;
-    ssl_certificate_key       /etc/letsencrypt/live/openrsc.com/privkey.pem;
-    ssl_trusted_certificate   /etc/letsencrypt/live/openrsc.com/chain.pem;
-    index index.php index.html index.jsp;
-    error_log  /var/log/nginx/error.log;
-    access_log /var/log/nginx/access.log;
-    root /var/www/html/public;
-
-    ####### Proxies #######
-    # Ghost proxy
-    location ~ {
-        proxy_set_header X-Forwarded-Host $host;
-        proxy_set_header X-Forwarded-Server $host;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_pass http://ghost:2368;
-    }
-
-    # Tomcat proxy
-    location ~ \.(do|jspa|obr|jsp|txt|zip) {
-        proxy_set_header X-Forwarded-Host $host;
-        proxy_set_header X-Forwarded-Server $host;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_pass http://tomcat:8080;
-    }
-
-    ####### Protections and efficiencies #######
-    # Deny access to files beginning with .ht, such as .htaccess and .htpasswd
-    location ~ /\.ht {
-    		deny all;
-    }
-
-    # Block accidental directory listing
-    location / {
-        try_files $uri $uri/ =404;
-     }
-
-    # Instructs visitor browser to cache files for 1 month
-    location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
-        expires 1M;
-    }
-
-    # Deny access to version control system directories.
-    location ~ /\.git {
-        deny all;
-        internal;
-    }
-
-    # Certbot for HTTPS cert renewal
-    location ^~ /.well-known {
-        allow all;
-        root  /data/letsencrypt/;
-    }
-}

etc/nginx/default.conf

@@ -1,70 +0,0 @@
-# Nginx configuration for HTTP
-
-server_tokens off;
-add_header X-XSS-Protection "1; mode=block";
-add_header X-Content-Type-Options nosniff;
-
-upstream dev_tomcat_1 {
-    server tomcat;
-}
-
-upstream dev_ghost_1 {
-    server ghost:2368;
-}
-
-# HTTP
-server {
-    listen 80 default_server;
-    listen [::]:80 default_server;
-		gzip on;
-		gzip_static on;
-		gzip_vary on;
-		gzip_http_version 1.1;
-		gzip_min_length 700;
-		gzip_comp_level 6;
-    server_name localhost;
-    error_log  /var/log/nginx/error.log;
-    access_log /var/log/nginx/access.log;
-    root /var/www/html/public;
-		index index.html index.htm index.jsp;
-
-    ####### Proxies #######
-    # Ghost proxy
-    location ~ {
-        proxy_set_header X-Forwarded-Host $host;
-        proxy_set_header X-Forwarded-Server $host;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_pass http://ghost:2368;
-    }
-
-    # Tomcat proxy
-    location ~ \.(do|jspa|obr|jsp|txt|zip) {
-        proxy_set_header X-Forwarded-Host $host;
-        proxy_set_header X-Forwarded-Server $host;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_pass http://tomcat:8080;
-    }
-
-    ####### Protections and efficiencies #######
-    # Deny access to files beginning with .ht, such as .htaccess and .htpasswd
-    location ~ /\.ht {
-    		deny all;
-    }
-
-    # Instructs visitor browser to cache files for 1 month
-    location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
-        expires 1M;
-    }
-
-    # Deny access to version control system directories.
-    location ~ /\.git {
-        deny all;
-        internal;
-    }
-
-    # Certbot for HTTPS cert renewal
-    location ^~ /.well-known {
-        allow all;
-        root  /data/letsencrypt/;
-    }
-}

etc/nginx/default.template.conf

@@ -1,70 +0,0 @@
-# Nginx configuration for HTTP
-
-server_tokens off;
-add_header X-XSS-Protection "1; mode=block";
-add_header X-Content-Type-Options nosniff;
-
-upstream dev_tomcat_1 {
-    server tomcat;
-}
-
-upstream dev_ghost_1 {
-    server ghost:2368;
-}
-
-# HTTP
-server {
-    listen 80 default_server;
-    listen [::]:80 default_server;
-		gzip on;
-		gzip_static on;
-		gzip_vary on;
-		gzip_http_version 1.1;
-		gzip_min_length 700;
-		gzip_comp_level 6;
-    server_name ${NGINX_HOST};
-    error_log  /var/log/nginx/error.log;
-    access_log /var/log/nginx/access.log;
-    root /var/www/html/public;
-		index index.html index.htm index.jsp;
-
-    ####### Proxies #######
-    # Ghost proxy
-    location ~ {
-        proxy_set_header X-Forwarded-Host $host;
-        proxy_set_header X-Forwarded-Server $host;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_pass http://ghost:2368;
-    }
-
-    # Tomcat proxy
-    location ~ \.(do|jspa|obr|jsp|txt|zip) {
-        proxy_set_header X-Forwarded-Host $host;
-        proxy_set_header X-Forwarded-Server $host;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_pass http://tomcat:8080;
-    }
-
-    ####### Protections and efficiencies #######
-    # Deny access to files beginning with .ht, such as .htaccess and .htpasswd
-    location ~ /\.ht {
-    		deny all;
-    }
-
-    # Instructs visitor browser to cache files for 1 month
-    location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
-        expires 1M;
-    }
-
-    # Deny access to version control system directories.
-    location ~ /\.git {
-        deny all;
-        internal;
-    }
-
-    # Certbot for HTTPS cert renewal
-    location ^~ /.well-known {
-        allow all;
-        root  /data/letsencrypt/;
-    }
-}

etc/nginx/nginx.conf

@@ -0,0 +1,55 @@
+upstream tomcat {
+    server tomcat:8080;
+}
+
+upstream ghost {
+    server ghost:2368;
+}
+
+# HTTP
+server {
+    listen 8080                             default_server;
+    listen [::]:8080                        default_server ipv6only=on;
+    server_name                             ${NGINX_HOST};
+
+    error_log                               /opt/bitnami/nginx/logs/error.log;
+    access_log                              /opt/bitnami/nginx/logs/access.log;
+
+    #rewrite ^ https://$http_host$request_uri? permanent; #Redirect traffic to HTTPS
+
+    root /app;
+    index index.html index.htm index.php index.jsp;
+
+    client_max_body_size                    100M;
+
+    location / {
+        try_files $uri $uri/index.html;
+    }
+
+    ####### Proxies #######
+    # PHP proxy
+    location ~ \.php$ {
+        fastcgi_pass php:9001;
+        fastcgi_index index.php;
+        include fastcgi.conf;
+    }
+
+    # Ghost proxy
+    location /blog {
+        proxy_pass http://ghost;
+        proxy_set_header  Host              $http_host;   # required for docker client's sake
+        proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
+        proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header  X-Forwarded-Proto $scheme;
+        proxy_read_timeout                  900;
+    }
+
+    # Tomcat proxy
+    location ~ \.(do|jspa|obr|jsp|txt|zip) {
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_pass                          http://tomcat;
+    }
+
+}