Deliver the full Docker stack for Bloc 5 DevOps (Cr 7.c.3 and 7.c.4):
- docker/apache/ Custom httpd:2.4-alpine with hardened main config,
MPM event tuning and 3 vhosts (healthz, kiosk static,
admin reverse FCGI to wakdo-app:9000). Kiosk vhost
explicitly denies .php to enforce Bloc 1 isolation.
- docker/php-fpm/ Custom php:8.3-fpm-alpine3.20 with pdo_mysql, opcache,
intl, exif, zip and tini for signal handling.
Dynamic pool 3-10 workers listening on TCP 9000.
- docker/cron/ Custom alpine:3.20 with dcron, mariadb-client, gzip.
Nightly mysqldump at 03h00 with 14-day rotation and
512-byte sanity check. Purge and stats jobs templated.
- docker-compose.yml 4 services orchestrated on 2 networks (internal
bridge + external reverse-proxy). 2 named volumes
for DB and uploads, bind-mount for backups.
Traefik labels for 2 routers with HTTPS redirect.
Makefile adds `make backup` (manual dump) and `make backup-ls`.
.gitignore adds /var/ for backup bind-mount path.
docs/journal/2026-04-24--infra-docker.md documents 5 decisions with
alternatives, maps 16 RNCP criteria to artefacts and prepares 6 jury Q&A.
Validated: `docker compose config --quiet` passes (this only checks compose-file
syntax and variable interpolation; it does not start any container). Smoke test
deferred to next session (requires server .env).
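#
# Wakdo - Apache httpd 2.4 main configuration
#
# Derived from the default conf shipped with httpd:2.4-alpine, adapted to the
# project: load only the modules we need, point at the Wakdo vhosts and drop
# the undesirable defaults. TLS is terminated upstream (Traefik, per
# docker-compose); this instance only speaks plain HTTP on the proxy network.
#

ServerRoot "/usr/local/apache2"
Listen 80

# === Loaded modules ===
# Core:
LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_core_module modules/mod_authz_core.so
# access_compat only provides the legacy Order/Allow/Deny syntax. If the
# vhosts use Require exclusively (2.4 style) this module can be dropped;
# kept until wakdo-vhost.conf has been checked.
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule filter_module modules/mod_filter.so
LoadModule mime_module modules/mod_mime.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule headers_module modules/mod_headers.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule version_module modules/mod_version.so
LoadModule unixd_module modules/mod_unixd.so
# mod_status: nothing in this file exposes /server-status. If a vhost maps
# the status handler it must be access-restricted (e.g. Require ip on the
# proxy network) - the page can expose in-flight request URIs and client
# addresses.
LoadModule status_module modules/mod_status.so
# mod_autoindex: directory listings only appear where a vhost sets
# "Options Indexes"; keep "-Indexes" on document roots unless wanted.
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule dir_module modules/mod_dir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
# NOTE(review): compressing dynamic responses that echo user input next to a
# secret (e.g. CSRF token) is the precondition for BREACH. Prefer limiting
# DEFLATE to static MIME types in the vhosts - to confirm against
# wakdo-vhost.conf.
LoadModule deflate_module modules/mod_deflate.so

# FastCGI reverse proxy to PHP-FPM (the core of this setup):
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so

# Explicit even though Off is the default: this instance must never act as a
# forward proxy (an open proxy is a classic misconfiguration). Reverse
# proxying via ProxyPass / SetHandler proxy:fcgi is unaffected.
ProxyRequests Off

# === Server identity ===
# User/Group: default unprivileged user of the httpd:2.4-alpine image.
# It does not read the PHP code (PHP-FPM does, in its own container).
User daemon
Group daemon

# Hide the Apache version in headers and error pages.
# Defence in depth: after a breach an attacker has to work to identify the
# exact version. Note that "Prod" still emits "Server: Apache".
ServerTokens Prod
ServerSignature Off

# TRACE is enabled by default in httpd; it has no use here and is the
# building block of cross-site tracing (XST). Requests get a 405.
TraceEnable off

# A default ServerName avoids the "Could not reliably determine the server's
# fully qualified domain name" warning. Real hostnames live in the vhosts.
ServerName wakdo-web

# === Limits and timeouts (anti-slowloris) ===
Timeout 30
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
# mod_reqtimeout: 10 s to receive the request headers, extended up to 20 s
# as long as at least 500 B/s keep arriving; 20 s for the body at the same
# minimum rate. Slow connections are closed with 408.
RequestReadTimeout header=10-20,MinRate=500 body=20,MinRate=500

# === MIME types ===
TypesConfig conf/mime.types

# === Logs ===
# Container stderr/stdout = aggregation through docker logs
# (Cr 7.d.1 observability).
ErrorLog /proc/self/fd/2
LogLevel warn

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
# NOTE(review): behind Traefik, %h records the proxy's address, not the
# client's, which makes these logs useless for rate limiting or incident
# forensics. Fix: load mod_remoteip with "RemoteIPHeader X-Forwarded-For"
# and "RemoteIPInternalProxy <reverse-proxy network CIDR>" (never trust
# X-Forwarded-For without the trusted-proxy list). The CIDR is not known
# from this file - TODO for the smoke-test session.
CustomLog /proc/self/fd/1 combined

# === Default security headers (vhosts may override) ===
# "always" applies them to error responses too. mod_headers merges this
# server-level list with each vhost's own Header directives, so a vhost
# "Header always set" of the same name takes precedence.
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # This does NOT strip httpd's own Server header: core appends its banner
    # in the protocol filter, after mod_headers has run, so responses still
    # carry "Server: Apache". At most it drops a Server header that the
    # PHP-FPM upstream might emit. Real removal needs mod_security
    # (SecServerSignature) or a Traefik headers middleware on the edge.
    Header unset Server
</IfModule>
# Deliberately not set here: Strict-Transport-Security belongs on the TLS
# terminator (Traefik), and Content-Security-Policy is vhost-specific
# (kiosk static vs admin back office).

# === MPM event (worker tuning) ===
Include conf/extra/wakdo-mpm.conf

# === Global root configuration (deny by default) ===
# Refuse any access outside the <Directory> blocks explicitly allowed in the
# vhosts. "AllowOverride none" also disables .htaccess lookups everywhere,
# which the vhosts should not re-enable.
<Directory />
    AllowOverride none
    Require all denied
</Directory>

# === Project vhosts ===
# Kiosk (terminal: serves static content and relays API calls) and admin
# (back office, FastCGI to PHP-FPM).
Include conf/extra/wakdo-vhost.conf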