First stab at nginx

docker-compose.yml

@@ -35,7 +35,7 @@ services:
       - "./server-configs/:/var/www/MISP/app/Config/"
       - "./logs/:/var/www/MISP/app/tmp/logs/"
       - "./files/:/var/www/MISP/app/files"
-      - "./ssl/:/etc/apache2/ssl/"
+      - "./ssl/:/etc/ssl/"
     environment:
       - "CRON_USER_ID=1"
       - "REDIS_FQDN=redis"

server/Dockerfile

@@ -68,7 +68,7 @@ ARG PHP_VER
     RUN apt-get update; apt-get install -y --no-install-recommends \
         # Requirements:
         sudo \
-        apache2 \
+        nginx \
         supervisor \
         git \
         cron \
@@ -88,6 +88,7 @@ ARG PHP_VER
         php-mysql \
         php-redis \
         php-gd \
+        php-fpm \
         # Unsure we need these
         zip unzip \
         && apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
@@ -116,29 +117,16 @@ ARG PHP_VER
     # To use the scheduler worker for scheduled tasks, do the following:
         ;cp -fa /var/www/MISP/INSTALL/setup/config.php /var/www/MISP/app/Plugin/CakeResque/Config/config.php
 
-# Apache
-    # add HTTP MISP Config
-    RUN rm /etc/apache2/sites-enabled/*;
-    COPY files/etc/apache2/sites-enabled/misp.conf /etc/apache2/sites-enabled/
-    COPY files/etc/apache2/sites-enabled/misp-ssl.conf /etc/apache2/sites-enabled/
-    COPY files/etc/apache2/ports.conf /etc/apache2/ports.conf
-    RUN set -eu \
-        ;chmod 640 /etc/apache2/ports.conf \
-        ;chown root.root /etc/apache2/ports.conf \
-        ;chmod 640 /etc/apache2/sites-available/* \
-        ;chown root.root /etc/apache2/sites-available/* \
-    # Configure Apache
-        ;a2dismod status \
-        ;a2enmod ssl \
-        ;a2enmod rewrite \
-        ;a2enmod headers
+# nginx
+    RUN rm /etc/nginx/sites-enabled/*; mkdir /run/php
+    COPY files/etc/nginx/misp /etc/nginx/sites-enabled/misp
 
 # Make a copy of the file store, so we can sync from it
     RUN cp -R /var/www/MISP/app/files /var/www/MISP/app/files.dist
 
 # Entrypoints
     COPY files/etc/supervisor/supervisor.conf /etc/supervisor/conf.d/supervisord.conf
-    COPY files/entrypoint_apache.sh /
+    COPY files/entrypoint_nginx.sh /
     COPY files/entrypoint_cron.sh /
     COPY files/entrypoint_workers.sh /
     COPY files/entrypoint.sh /

server/files/entrypoint_nginx.sh

@@ -13,7 +13,7 @@ ENTRYPOINT_PID_FILE="/entrypoint_apache.install"
 [ ! -f $ENTRYPOINT_PID_FILE ] && touch $ENTRYPOINT_PID_FILE
 
 change_php_vars(){
-    for FILE in /etc/php/*/apache2/php.ini
+    for FILE in /etc/php/*/fpm/php.ini
     do  
         [[ -e $FILE ]] || break
         sed -i "s/memory_limit = .*/memory_limit = 2048M/" "$FILE"
@@ -66,11 +66,11 @@ init_misp_files(){
 }
 
 init_ssl() {
-    if [[ (! -f /etc/apache2/ssl/dhparams.pem) ||
-          (! -f /etc/apache2/ssl/cert.pem) ||
-          (! -f /etc/apache2/ssl/key.pem) ||
-          (! -f /etc/apache2/ssl/chain.pem) ]]; then
-        cd /etc/apache2/ssl
+    if [[ (! -f /etc/ssl/dhparams.pem) ||
+          (! -f /etc/ssl/cert.pem) ||
+          (! -f /etc/ssl/key.pem) ||
+          (! -f /etc/ssl/chain.pem) ]]; then
+        cd /etc/ssl
         openssl dhparam -out dhparams.pem 2048
         openssl req -x509 -subj '/CN=localhost' -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
         cp cert.pem chain.pem
@@ -99,12 +99,12 @@ init_mysql(){
     $MYSQLCMD < /var/www/MISP/INSTALL/MYSQL.sql
 }
 
-start_apache() {
-    # Apache gets grumpy about PID files pre-existing
-    rm -f /run/apache2/apache2.pid
-    # execute APACHE2
-    /usr/sbin/apache2ctl -D FOREGROUND -k "$1"
-}
+#start_apache() {
+#    # Apache gets grumpy about PID files pre-existing
+#    rm -f /run/apache2/apache2.pid
+#    # execute APACHE2
+#    /usr/sbin/apache2ctl -D FOREGROUND -k "$1"
+#}
 
 # Things we should do when we have the INITIALIZE Env Flag
 if [[ "$INIT" == true ]]; then
@@ -129,5 +129,5 @@ echo "... chmod -R g+ws /var/www/MISP/app/files/scripts/tmp ..." && chmod -R g+w
 # delete pid file
 [ -f $ENTRYPOINT_PID_FILE ] && rm $ENTRYPOINT_PID_FILE
 
-# execute apache
-start_apache start
+# Start NGINX
+nginx -g 'daemon off;'

server/files/etc/apache2/ports.conf

@@ -1,15 +0,0 @@
-# If you just change the port or add more ports here, you will likely also
-# have to change the VirtualHost statement in
-# /etc/apache2/sites-enabled/000-default.conf
-
-Listen 80
-
-<IfModule ssl_module>
-        Listen 443
-</IfModule>
-
-<IfModule mod_gnutls.c>
-        Listen 443
-</IfModule>
-
-# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

server/files/etc/apache2/sites-enabled/misp-ssl.conf

@@ -1,29 +0,0 @@
-<VirtualHost *:443>
-    ServerName misp-server
-    DocumentRoot /var/www/MISP/app/webroot
-    <Directory /var/www/MISP/app/webroot>
-        Options -Indexes
-        AllowOverride all
-        Order allow,deny
-        allow from all
-    </Directory>
-
-    SSLEngine On
-    SSLProtocol             all -SSLv2 -SSLv3
-    SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
-    SSLHonorCipherOrder     on
-
-    SSLOpenSSLConfCmd DHParameters "/etc/apache2/ssl/dhparams.pem"
-    SSLCertificateFile /etc/apache2/ssl/cert.pem
-    SSLCertificateKeyFile /etc/apache2/ssl/key.pem
-    SSLCertificateChainFile /etc/apache2/ssl/chain.pem
-
-    LogLevel warn
-
-    ErrorLog /dev/stdout
-    CustomLog /dev/stdout combined
-
-    ServerSignature Off
-#    Header set X-Content-Type-Options nosniff
-#    Header set X-Frame-Options DENY
-</VirtualHost>

server/files/etc/apache2/sites-enabled/misp.conf

@@ -1,21 +0,0 @@
-<VirtualHost *:80>
-    ServerName misp-server
-    DocumentRoot /var/www/MISP/app/webroot
-    <Directory /var/www/MISP/app/webroot>
-          Options -Indexes
-          AllowOverride all
-          Require all granted
-    </Directory>
-    LogLevel warn
-
-    ErrorLog /dev/stdout
-    CustomLog /dev/stdout combined
-
-    ServerSignature Off
-    Header set X-Content-Type-Options nosniff
-    Header set X-Frame-Options DENY
-
-    RewriteEngine On
-    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
-
-</VirtualHost>

server/files/etc/supervisor/supervisor.conf

@@ -6,14 +6,25 @@ stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 
-[program:apache2]
-command=/entrypoint_apache.sh
+[program:nginx]
+command=/entrypoint_nginx.sh
 autorestart=true
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 
+[program:php-fpm]
+command=/usr/sbin/php-fpm7.3 -R -F
+process_name=%(program_name)s_%(process_num)02d
+numprocs=1
+autostart=true
+autorestart=false
+startsecs=0
+redirect_stderr=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+
 [program:workers]
 command=/entrypoint_workers.sh
 stdout_logfile=/dev/stdout