d9890cfb5d
Three issues surfaced when running 'make init' on the deployment host and were fixed in place: - wakdo_internal network: explicit subnet 192.168.148.0/24 (RFC 1918, in the free 192.168.144-159 gap). The host's Docker daemon has its default address pools saturated by other stacks, so auto-allocation failed. An explicit subnet bypasses the allocator and isolates Wakdo from neighbour churn. - wakdo-cron: init: true added so Docker injects tini as PID 1. Without it, dcron loops on 'setpgid: Operation not permitted' because PID 1 in a container without an init system cannot change process groups for its children. - healthz vhost: served as a static file from /usr/local/apache2/htdocs/ instead of a RewriteRule [R=200] that triggered Apache's ErrorDocument template (and leaked 'internal error' wording into a 200 response). The file lives outside /var/www/html/ which is bind-mounted at runtime and would otherwise mask the COPY.
153 lines
6 KiB
Text
153 lines
6 KiB
Text
#
|
|
# Wakdo - vhosts applicatifs
|
|
#
|
|
# Un seul conteneur Apache derriere Traefik sert **les deux** FQDN :
|
|
# - TRAEFIK_DOMAIN_KIOSK -> /var/www/html/public/borne (borne client, Bloc 1)
|
|
# - TRAEFIK_DOMAIN_ADMIN -> /var/www/html/public/admin (back-office + API, Bloc 2)
|
|
#
|
|
# Comme Traefik termine TLS en amont et communique en HTTP clair avec Apache
|
|
# sur le reseau docker, les vhosts ecoutent sur :80 et font confiance aux
|
|
# headers X-Forwarded-* fournis par Traefik.
|
|
#
|
|
# Le SetHandler "proxy:fcgi://wakdo-app:9000" est le coeur du reverse FastCGI :
|
|
# toute requete *.php est relayee au pool PHP-FPM via TCP sur le reseau interne
|
|
# wakdo_internal. wakdo-app n'est JAMAIS joignable directement depuis l'exterieur.
|
|
#
|
|
|
|
# === Healthcheck interne Docker (non expose publiquement) ===
|
|
# Listen sans ServerName = catch-all. Utilise par le HEALTHCHECK du Dockerfile.
|
|
# Sert un fichier statique healthz.txt (body = "OK\n") au lieu d'un
|
|
# RewriteRule [R=200] qui declenchait le template ErrorDocument generique
|
|
# et faisait apparaitre la mention "internal error" dans le body d'un 200.
|
|
# Le fichier vit dans /usr/local/apache2/htdocs/ (chemin Apache natif, jamais
|
|
# bind-monte) et non dans /var/www/html/ qui est ecrase par le bind-mount
|
|
# ./src au runtime.
|
|
<VirtualHost *:80>
|
|
DocumentRoot "/usr/local/apache2/htdocs"
|
|
|
|
Alias /healthz /usr/local/apache2/htdocs/healthz.txt
|
|
|
|
<Directory "/usr/local/apache2/htdocs">
|
|
Require all granted
|
|
</Directory>
|
|
|
|
<Files "healthz.txt">
|
|
# Pas de cache : la sonde doit toujours toucher Apache.
|
|
Header set Cache-Control "no-store"
|
|
</Files>
|
|
</VirtualHost>
|
|
|
|
# === Borne client (Bloc 1 - front vanilla HTML/CSS/JS) ===
|
|
<VirtualHost *:80>
|
|
# Hostname injecte par la var d'env TRAEFIK_DOMAIN_KIOSK au runtime.
|
|
ServerName ${TRAEFIK_DOMAIN_KIOSK}
|
|
|
|
DocumentRoot "/var/www/html/public/borne"
|
|
|
|
# Confiance aux headers X-Forwarded-* de Traefik.
|
|
# mod_remoteip pourrait etre active pour restaurer la vraie IP client
|
|
# dans les logs, mais en l'etat le header X-Forwarded-For est loggue
|
|
# dans combined, ce qui suffit pour un projet RNCP.
|
|
<Directory "/var/www/html/public/borne">
|
|
Options -Indexes +FollowSymLinks
|
|
AllowOverride None
|
|
Require all granted
|
|
|
|
# SPA-like fallback : toute URL non-fichier -> index.html
|
|
# (pour permettre de bookmarker un chemin profond dans la borne).
|
|
RewriteEngine On
|
|
RewriteCond %{REQUEST_FILENAME} !-f
|
|
RewriteCond %{REQUEST_FILENAME} !-d
|
|
RewriteRule ^ index.html [L]
|
|
</Directory>
|
|
|
|
# Securite supplementaire : expose uniquement public/borne, pas la racine.
|
|
<Directory "/var/www/html/public/borne/..">
|
|
Require all denied
|
|
</Directory>
|
|
|
|
# Compression text/html, css, js, json (Cr 1.e.8 temps de chargement).
|
|
<IfModule mod_deflate.c>
|
|
AddOutputFilterByType DEFLATE text/html text/css text/javascript \
|
|
application/javascript application/json image/svg+xml
|
|
</IfModule>
|
|
|
|
# Cache long sur les assets versionnes (futur : hash dans le nom de fichier).
|
|
<FilesMatch "\.(jpg|jpeg|png|gif|ico|svg|webp|woff2|woff)$">
|
|
Header set Cache-Control "public, max-age=604800"
|
|
</FilesMatch>
|
|
|
|
# Borne : pas de code PHP execute cote kiosk (Bloc 1 = front only).
|
|
# Si une requete *.php arrive ici, on la refuse pour forcer l'isolation.
|
|
<FilesMatch "\.php$">
|
|
Require all denied
|
|
</FilesMatch>
|
|
|
|
ErrorLog /proc/self/fd/2
|
|
CustomLog /proc/self/fd/1 combined
|
|
</VirtualHost>
|
|
|
|
# === Back-office + API REST (Bloc 2 - PHP from scratch + MVC) ===
|
|
<VirtualHost *:80>
|
|
ServerName ${TRAEFIK_DOMAIN_ADMIN}
|
|
|
|
DocumentRoot "/var/www/html/public/admin"
|
|
|
|
<Directory "/var/www/html/public/admin">
|
|
Options -Indexes +FollowSymLinks
|
|
AllowOverride None
|
|
Require all granted
|
|
|
|
# Front controller MVC : toute requete non-fichier passe par index.php
|
|
# qui dispatche via le Router (src/Core/Router.php a venir en P2).
|
|
RewriteEngine On
|
|
RewriteCond %{REQUEST_FILENAME} !-f
|
|
RewriteCond %{REQUEST_FILENAME} !-d
|
|
RewriteRule ^ index.php [L]
|
|
</Directory>
|
|
|
|
# Reverse FastCGI : toute requete *.php est executee par wakdo-app:9000.
|
|
# Format proxy:fcgi://<host>:<port><path-to-proxy>
|
|
# SetHandler s'applique au chemin courant du <FilesMatch>.
|
|
<FilesMatch "\.php$">
|
|
SetHandler "proxy:fcgi://wakdo-app:9000"
|
|
</FilesMatch>
|
|
|
|
# Protection des fichiers sensibles du projet si jamais un chemin se
|
|
# retrouve sous DocumentRoot par erreur (.env, .git, config/).
|
|
<FilesMatch "^\.(env|git|htaccess)">
|
|
Require all denied
|
|
</FilesMatch>
|
|
<DirectoryMatch "/\.(git|env)">
|
|
Require all denied
|
|
</DirectoryMatch>
|
|
|
|
# CORS : l'API admin sous /api/* doit accepter les requetes venant
|
|
# de la borne kiosk (TRAEFIK_DOMAIN_KIOSK). Wildcard interdit.
|
|
# La vraie valeur vient de CORS_ALLOWED_ORIGIN dans .env, lue cote PHP.
|
|
# Ici on pose juste les headers de prealable OPTIONS.
|
|
<Location /api>
|
|
<IfModule mod_headers.c>
|
|
# Les headers definitifs sont poses par le middleware PHP.
|
|
# Apache ne fait que relayer le preflight sans le casser.
|
|
Header set X-Wakdo-Handled-By "apache-vhost"
|
|
</IfModule>
|
|
</Location>
|
|
|
|
# Compression back-office (HTML admin + JSON API)
|
|
<IfModule mod_deflate.c>
|
|
AddOutputFilterByType DEFLATE text/html text/css text/javascript \
|
|
application/javascript application/json
|
|
</IfModule>
|
|
|
|
# Securite : cookies httpOnly + secure sont forces cote PHP (voir php.ini).
|
|
# Ici on ajoute un header CSP minimal : l'admin n'a pas besoin de charger
|
|
# de resources externes pour un MVP (pas de CDN, pas d'analytics).
|
|
<IfModule mod_headers.c>
|
|
Header always set Content-Security-Policy "default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self'"
|
|
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
|
|
</IfModule>
|
|
|
|
ErrorLog /proc/self/fd/2
|
|
CustomLog /proc/self/fd/1 combined
|
|
</VirtualHost>
|