Skip to content

Commit

Permalink
Merge branch 'master' into PHRAS-3770_quarantine-enhancement
Browse files Browse the repository at this point in the history
  • Loading branch information
@jygaulier
jygaulier authored Sep 19, 2023
2 parents 60f6e9e + 7d23b76 commit 7057595
Show file tree
Hide file tree
Showing 37 changed files with 3,529 additions and 604 deletions.
53 changes: 49 additions & 4 deletions .env
View file
Original file line number Diff line number Diff line change
Expand Up @@ -71,7 +71,7 @@
# - "pullAssets"
# - "recordsActions"
# - "subdefCreation"
# - "subtitle"
# - "subtitle" Not working (fixed in a future version)
# - "validationReminder"
# - "webhook"
# - "writeMetadatas"
Expand All @@ -90,7 +90,7 @@
# - COMPOSE_FILE=docker-compose.yml:docker-compose.datastores.yml:docker-compose.tools.yml:docker-compose.override.yml
# - COMPOSE_PROFILES=app,setup,db,pma,elasticsearch,redis,redis-session,rabbitmq,workers,mailhog,builder,gateway-classic
#
# For testing with debug:
# For testing with tools:
# - COMPOSE_FILE=docker-compose.yml:docker-compose.datastores.yml:docker-compose.tools.yml
# - COMPOSE_PROFILES=app,setup,db,pma,elasticsearch,rabbitmq,redis,redis-session,worker,workers,mailhog,gateway-classic
#
Expand All @@ -106,7 +106,7 @@
# - COMPOSE_FILE=docker-compose.yml:docker-compose.datastores.yml:docker-compose.tools.yml
# - COMPOSE_PROFILES=app,setup,gateway-classic,db,elasticsearch,redis,redis-session,rabbitmq,pma,mailhog,assetsInjest,createRecord,deleteRecord,editRecord,
# exportMail,exposeUpload,exportFtp,mainQueue,populateIndex,pullAssets,recordsActions,subdefCreation,
# subtitle,validationReminder,webhook,writeMetadatas,shareBasket,scheduler,elk,db-backup,phraseanet-saml-sp
# validationReminder,webhook,writeMetadatas,shareBasket,scheduler,elk,db-backup,phraseanet-saml-sp
#


Expand All @@ -133,7 +133,7 @@ PHRASEANET_DOCKER_REGISTRY=local

# Docker images tag.
# @run
PHRASEANET_DOCKER_TAG=4.1.8-rc5
PHRASEANET_DOCKER_TAG=4.1.8-rc6

# Stack Name
# An optionnal Name for the stack
Expand Down Expand Up @@ -194,6 +194,11 @@ GATEWAY_USERS=
# @run
GATEWAY_FASTCGI_HTTPS=off

# Content Security Policy (CSP)
# security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting
## @run
GATEWAY_CSP="default-src 'self' 127.0.0.1 https://apiws.carrick-skills.com:8443 https://apiws.carrick-flow.com:8443 https://fonts.gstatic.com *.tiles.mapbox.com https://api.mapbox.com https://events.mapbox.com *.axept.io *.matomo.cloud *.newrelic.com *.nr-data.net https://www.googletagmanager.com *.google-analytics.com *.phrasea.io https://apiws.carrick-flow.com:8443 https://apiws.carrick-skills.com:8443 https://maxcdn.bootstrapcdn.com data: ; script-src 'unsafe-inline' 'unsafe-eval' 'self' https://www.gstatic.com *.alchemyasp.com *.axept.io *.matomo.cloud *.newrelic.com https://www.googletagmanager.com https://apiws.carrick-flow.com:8443 https://apiws.carrick-skills.com:8443 https://maxcdn.bootstrapcdn.com data: blob: ; style-src 'self' 'unsafe-inline' https://fonts.gstatic.com https://fonts.googleapis.com https://www.google.com https://www.gstatic.com https://apiws.carrick-flow.com:8443 https://apiws.carrick-skills.com:8443 https://maxcdn.bootstrapcdn.com ; img-src 'self' data: blob: *.tiles.mapbox.com https://axeptio.imgix.net *.cloudfront.net *.phrasea.io *.amazonaws.com https://apiws.carrick-flow.com:8443 https://apiws.carrick-skills.com:8443 https://maxcdn.bootstrapcdn.com https://www.gnu.org/graphics/ ; object-src 'self'; frame-ancestors 'self'"

# --- RabbitMQ settings ------------------------------------------------------------------------------------------------

# RabbitMQ user account : create an account in RabbitMQ container and use it
Expand Down Expand Up @@ -260,6 +265,12 @@ MAX_INPUT_TIME=60
# @run
REQUEST_TERMINATE_TIMEOUT=300s

# Maximum amount of memory a script may consume (128MB)
# http://php.net/memory-limit
FPM_MEMORY_LIMIT=2048M
PHP_CLI_MEMORY_LIMIT=2048M


# Php Opcache status. See [opcache Php documentation|
# https://www.php.net/manual/en/intro.opcache.php].
# Avalaible values: "0" | "1"
Expand Down Expand Up @@ -288,6 +299,40 @@ SESSION_SAVE_PATH=tcp://redis-session:6379
#only works if the application is under ssl protection
COOKIE_SECURE=false

# FPM
# Choose how the process manager will control the number of child processes.
# Possible Values:
# static - a fixed number (pm.max_children) of child processes;
# dynamic - the number of child processes are set dynamically based on the
FPM_PM_TYPE=dynamic

# FPM
# The number of child processes to be created when pm is set to 'static' and the
# maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
FPM_MAXCHILDREN=9

# FPM
# The number of child processes created on startup.
# Note: Used only when pm is set to 'dynamic'

FPM_STARTSERVERS=3

# FPM
# The desired minimum number of idle server processes.
# Note: Used only when pm is set to 'dynamic'
# Note: Mandatory when pm is set to 'dynamic'
FPM_MINSPARESERVER=2

# FPM
# The desired maximum number of idle server processes.
# Note: Used only when pm is set to 'dynamic'
# Note: Mandatory when pm is set to 'dynamic'
FPM_MAXSPARESERVER=4

# FPM
# The number of requests each child process should execute before respawning.
FPM_MAX_REQUESTS=1000

# --- MySQL settings ---------------------------------------------------------------------------------------------------

# MySQL root password.
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/build.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,8 @@ jobs:
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1
with:
mask-password: 'true'

- uses: docker/setup-qemu-action@v2
- uses: docker/setup-buildx-action@v2
Expand Down
31 changes: 31 additions & 0 deletions CHANGELOG.md
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,36 @@
# CHANGELOG

## 4.1.8-rc6

### Update instructions

- Migration patch: no patch to play, just run upgrade for bump version
- Elasticsearch index action : a "drop", "create", "populate" of elasticsearch index can be useful.

### Version summary

- Improvement and bugfix

### Stack (docker compose)

- PHP setting improvement
- FPM setting improvement

## What's Changed
* PHRAS-3893 prod - advanced search - control calendar missing for created_on and updated_on by @aynsix in https://github.com/alchemy-fr/Phraseanet/pull/4360
* PHRAS-3785 update composer dependencies for imagine by @moctardiouf in https://github.com/alchemy-fr/Phraseanet/pull/4362
* PHRAS-3252 Prod - Export - The captions are not being sent when doing an export by email by @aynsix in https://github.com/alchemy-fr/Phraseanet/pull/4363
* PHRAS-3387 php fpm optimization by @moctardiouf in https://github.com/alchemy-fr/Phraseanet/pull/4364
* PHRAS-3890: Admin - add "auth failure" - display and purge auth failure - only for super U by @aynsix in https://github.com/alchemy-fr/Phraseanet/pull/4368
* PHRAS-3903 Admin - object inspector - record index debug tools by @aynsix in https://github.com/alchemy-fr/Phraseanet/pull/4369
* PHRAS-3904 Add server port on fastcgi - SAML multi provider support https conf by @moctardiouf in https://github.com/alchemy-fr/Phraseanet/pull/4370
* PHRAS-3889 Worker - metadata write - mime/type whitelist - write metadatas only on whitelisted files by @aynsix in https://github.com/alchemy-fr/Phraseanet/pull/4366
* PHRAS-3910 fix redis php extension build by @moctardiouf in https://github.com/alchemy-fr/Phraseanet/pull/4373


**Full Changelog**: https://github.com/alchemy-fr/Phraseanet/compare/4.1.8-rc5...4.1.8-rc6


## 4.1.8-rc5

### Update instructions
Expand Down
2 changes: 1 addition & 1 deletion Dockerfile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -126,7 +126,7 @@ RUN echo "BUILDING PHP PECL EXTENTIONS" \
&& docker-php-ext-install php-ext-jq \
# --- end of extension jq \
&& pecl install \
redis \
redis-5.3.7 \
amqp-1.9.3 \
zmq-beta \
imagick-beta \
Expand Down
32 changes: 30 additions & 2 deletions docker-compose.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@ services:
- GATEWAY_ALLOWED_IPS
- GATEWAY_DENIED_IPS
- GATEWAY_USERS
- GATEWAY_CSP
ports:
- ${PHRASEANET_APP_PORT}:80
networks:
Expand Down Expand Up @@ -68,6 +69,7 @@ services:
- GATEWAY_DENIED_IPS
- GATEWAY_USERS
- GATEWAY_FASTCGI_HTTPS
- GATEWAY_CSP
networks:
- internal
labels:
Expand Down Expand Up @@ -102,6 +104,7 @@ services:
- OPCACHE_ENABLED
- SESSION_CACHE_LIMITER
- PHP_LOG_LEVEL
- PHP_CLI_MEMORY_LIMIT
- PHRASEANET_ADMIN_ACCOUNT_ID
- PHRASEANET_ADMIN_ACCOUNT_EMAIL
- PHRASEANET_ADMIN_ACCOUNT_PASSWORD
Expand Down Expand Up @@ -254,7 +257,13 @@ services:
- SESSION_SAVE_HANDLER
- SESSION_SAVE_PATH
- PHRASEANET_MAINTENANCE

- FPM_MEMORY_LIMIT
- FPM_PM_TYPE
- FPM_MAXCHILDREN
- FPM_STARTSERVERS
- FPM_MINSPARESERVER
- FPM_MAXSPARESERVER
- FPM_MAX_REQUESTS
volumes:
- ${PHRASEANET_CONFIG_DIR}:/var/alchemy/Phraseanet/config:rw
- ${PHRASEANET_LOGS_DIR}:/var/alchemy/Phraseanet/logs:rw
Expand Down Expand Up @@ -284,6 +293,7 @@ services:
- OPCACHE_ENABLED
- SESSION_CACHE_LIMITER
- PHP_LOG_LEVEL
- PHP_CLI_MEMORY_LIMIT
- LC_MESSAGES=C.UTF-8
- LC_COLLATE=C.UTF-8
- LC_IDENTIFICATION=C.UTF-8
Expand Down Expand Up @@ -353,6 +363,7 @@ services:
- OPCACHE_ENABLED
- SESSION_CACHE_LIMITER
- PHP_LOG_LEVEL
- PHP_CLI_MEMORY_LIMIT
- LC_MESSAGES=C.UTF-8
- LC_COLLATE=C.UTF-8
- LC_IDENTIFICATION=C.UTF-8
Expand Down Expand Up @@ -407,6 +418,7 @@ services:
- OPCACHE_ENABLED
- SESSION_CACHE_LIMITER
- PHP_LOG_LEVEL
- PHP_CLI_MEMORY_LIMIT
- LC_MESSAGES=C.UTF-8
- LC_COLLATE=C.UTF-8
- LC_IDENTIFICATION=C.UTF-8
Expand Down Expand Up @@ -460,6 +472,7 @@ services:
- OPCACHE_ENABLED
- SESSION_CACHE_LIMITER
- PHP_LOG_LEVEL
- PHP_CLI_MEMORY_LIMIT
- LC_MESSAGES=C.UTF-8
- LC_COLLATE=C.UTF-8
- LC_IDENTIFICATION=C.UTF-8
Expand Down Expand Up @@ -514,6 +527,7 @@ services:
- OPCACHE_ENABLED
- SESSION_CACHE_LIMITER
- PHP_LOG_LEVEL
- PHP_CLI_MEMORY_LIMIT
- LC_MESSAGES=C.UTF-8
- LC_COLLATE=C.UTF-8
- LC_IDENTIFICATION=C.UTF-8
Expand Down Expand Up @@ -567,6 +581,7 @@ services:
- OPCACHE_ENABLED
- SESSION_CACHE_LIMITER
- PHP_LOG_LEVEL
- PHP_CLI_MEMORY_LIMIT
- LC_MESSAGES=C.UTF-8
- LC_COLLATE=C.UTF-8
- LC_IDENTIFICATION=C.UTF-8
Expand Down Expand Up @@ -620,6 +635,7 @@ services:
- OPCACHE_ENABLED
- SESSION_CACHE_LIMITER
- PHP_LOG_LEVEL
- PHP_CLI_MEMORY_LIMIT
- LC_MESSAGES=C.UTF-8
- LC_COLLATE=C.UTF-8
- LC_IDENTIFICATION=C.UTF-8
Expand Down Expand Up @@ -673,6 +689,7 @@ services:
- OPCACHE_ENABLED
- SESSION_CACHE_LIMITER
- PHP_LOG_LEVEL
- PHP_CLI_MEMORY_LIMIT
- LC_MESSAGES=C.UTF-8
- LC_COLLATE=C.UTF-8
- LC_IDENTIFICATION=C.UTF-8
Expand Down Expand Up @@ -726,6 +743,7 @@ services:
- OPCACHE_ENABLED
- SESSION_CACHE_LIMITER
- PHP_LOG_LEVEL
- PHP_CLI_MEMORY_LIMIT
- LC_MESSAGES=C.UTF-8
- LC_COLLATE=C.UTF-8
- LC_IDENTIFICATION=C.UTF-8
Expand Down Expand Up @@ -779,6 +797,7 @@ services:
- OPCACHE_ENABLED
- SESSION_CACHE_LIMITER
- PHP_LOG_LEVEL
- PHP_CLI_MEMORY_LIMIT
- LC_MESSAGES=C.UTF-8
- LC_COLLATE=C.UTF-8
- LC_IDENTIFICATION=C.UTF-8
Expand Down Expand Up @@ -832,6 +851,7 @@ services:
- OPCACHE_ENABLED
- SESSION_CACHE_LIMITER
- PHP_LOG_LEVEL
- PHP_CLI_MEMORY_LIMIT
- LC_MESSAGES=C.UTF-8
- LC_COLLATE=C.UTF-8
- LC_IDENTIFICATION=C.UTF-8
Expand Down Expand Up @@ -885,6 +905,7 @@ services:
- OPCACHE_ENABLED
- SESSION_CACHE_LIMITER
- PHP_LOG_LEVEL
- PHP_CLI_MEMORY_LIMIT
- LC_MESSAGES=C.UTF-8
- LC_COLLATE=C.UTF-8
- LC_IDENTIFICATION=C.UTF-8
Expand Down Expand Up @@ -941,6 +962,7 @@ services:
- OPCACHE_ENABLED
- SESSION_CACHE_LIMITER
- PHP_LOG_LEVEL
- PHP_CLI_MEMORY_LIMIT
- LC_MESSAGES=C.UTF-8
- LC_COLLATE=C.UTF-8
- LC_IDENTIFICATION=C.UTF-8
Expand Down Expand Up @@ -994,6 +1016,7 @@ services:
- OPCACHE_ENABLED
- SESSION_CACHE_LIMITER
- PHP_LOG_LEVEL
- PHP_CLI_MEMORY_LIMIT
- LC_MESSAGES=C.UTF-8
- LC_COLLATE=C.UTF-8
- LC_IDENTIFICATION=C.UTF-8
Expand Down Expand Up @@ -1038,7 +1061,7 @@ services:
- SSH_PRIVATE_KEY=${PHRASEANET_SSH_PRIVATE_KEY}
- PHRASEANET_PLUGINS=${PHRASEANET_PLUGINS}
image: $PHRASEANET_DOCKER_REGISTRY/phraseanet-worker:$PHRASEANET_DOCKER_TAG
profiles: ["workers", "subtitle"]
profiles: ["subtitle"]
restart: on-failure
depends_on:
- phraseanet
Expand All @@ -1047,6 +1070,7 @@ services:
- OPCACHE_ENABLED
- SESSION_CACHE_LIMITER
- PHP_LOG_LEVEL
- PHP_CLI_MEMORY_LIMIT
- LC_MESSAGES=C.UTF-8
- LC_COLLATE=C.UTF-8
- LC_IDENTIFICATION=C.UTF-8
Expand Down Expand Up @@ -1100,6 +1124,7 @@ services:
- OPCACHE_ENABLED
- SESSION_CACHE_LIMITER
- PHP_LOG_LEVEL
- PHP_CLI_MEMORY_LIMIT
- LC_MESSAGES=C.UTF-8
- LC_COLLATE=C.UTF-8
- LC_IDENTIFICATION=C.UTF-8
Expand Down Expand Up @@ -1153,6 +1178,7 @@ services:
- OPCACHE_ENABLED
- SESSION_CACHE_LIMITER
- PHP_LOG_LEVEL
- PHP_CLI_MEMORY_LIMIT
- LC_MESSAGES=C.UTF-8
- LC_COLLATE=C.UTF-8
- LC_IDENTIFICATION=C.UTF-8
Expand Down Expand Up @@ -1206,6 +1232,7 @@ services:
- OPCACHE_ENABLED
- SESSION_CACHE_LIMITER
- PHP_LOG_LEVEL
- PHP_CLI_MEMORY_LIMIT
- LC_MESSAGES=C.UTF-8
- LC_COLLATE=C.UTF-8
- LC_IDENTIFICATION=C.UTF-8
Expand Down Expand Up @@ -1259,6 +1286,7 @@ services:
- OPCACHE_ENABLED
- SESSION_CACHE_LIMITER
- PHP_LOG_LEVEL
- PHP_CLI_MEMORY_LIMIT
- LC_MESSAGES=C.UTF-8
- LC_COLLATE=C.UTF-8
- LC_IDENTIFICATION=C.UTF-8
Expand Down
17 changes: 15 additions & 2 deletions docker/nginx/root/entrypoint.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,13 +13,26 @@ else
fi

if [ ! -z "$GATEWAY_FASTCGI_HTTPS" ]; then

echo "GATEWAY_FASTCGI_HTTPS is defined : $GATEWAY_FASTCGI_HTTPS"
GATEWAY_FASTCGI_HTTPS="fastcgi_param HTTPS $GATEWAY_FASTCGI_HTTPS;"
if [ "$GATEWAY_FASTCGI_HTTPS" = "on" ] || [ "$GATEWAY_FASTCGI_HTTPS" = "1" ];then
echo "SETTING SERVER_PORT TO: 443"
GATEWAY_FASTCGI_HTTPS="fastcgi_param HTTPS on;fastcgi_param SERVER_PORT 443;"
else
GATEWAY_FASTCGI_HTTPS="fastcgi_param HTTPS $GATEWAY_FASTCGI_HTTPS;"
fi
else
echo "NO GATEWAY_FASTCGI_HTTPS is defined"
GATEWAY_FASTCGI_HTTPS="fastcgi_param HTTPS on;fastcgi_param SERVER_PORT 443;"
fi

if [ ! -z "$GATEWAY_CSP" ]; then
echo "Content Security policies is defined to : $GATEWAY_CSP"
envsubst < "/securitycontentpolicies.sample.conf" > /etc/nginx/conf.d/securitycontentpolicies.conf
else
echo "Content Security policies is defined"
export GATEWAY_CSP="default-src 'self' 127.0.0.1 https://apiws.carrick-skills.com:8443 https://apiws.carrick-flow.com:8443 https://fonts.gstatic.com *.tiles.mapbox.com https://api.mapbox.com https://events.mapbox.com *.axept.io *.matomo.cloud *.newrelic.com *.nr-data.net https://www.googletagmanager.com *.google-analytics.com *.phrasea.io https://apiws.carrick-flow.com:8443 https://apiws.carrick-skills.com:8443 https://maxcdn.bootstrapcdn.com data: ; script-src 'unsafe-inline' 'unsafe-eval' 'self' https://www.gstatic.com *.alchemyasp.com *.axept.io *.matomo.cloud *.newrelic.com https://www.googletagmanager.com https://apiws.carrick-flow.com:8443 https://apiws.carrick-skills.com:8443 https://maxcdn.bootstrapcdn.com data: blob: ; style-src 'self' 'unsafe-inline' https://fonts.gstatic.com https://fonts.googleapis.com https://www.google.com https://www.gstatic.com https://apiws.carrick-flow.com:8443 https://apiws.carrick-skills.com:8443 https://maxcdn.bootstrapcdn.com ; img-src 'self' data: blob: *.tiles.mapbox.com https://axeptio.imgix.net *.cloudfront.net *.phrasea.io *.amazonaws.com https://apiws.carrick-flow.com:8443 https://apiws.carrick-skills.com:8443 https://maxcdn.bootstrapcdn.com https://www.gnu.org/graphics/ ; object-src 'self'; frame-ancestors 'self'"
echo "setting Security policies to : " $GATEWAY_CSP
envsubst < "/securitycontentpolicies.sample.conf" > /etc/nginx/conf.d/securitycontentpolicies.conf
fi

cat /nginx.conf.sample | sed "s/\$MAX_BODY_SIZE/$MAX_BODY_SIZE/g" | sed "s/\$GATEWAY_SEND_TIMEOUT/$GATEWAY_SEND_TIMEOUT/g" | sed "s/\$GATEWAY_FASTCGI_TIMEOUT/$GATEWAY_FASTCGI_TIMEOUT/g" | sed "s/\$MAX_BODY_SIZE/$MAX_BODY_SIZE/g" | sed "s/\$GATEWAY_PROXY_TIMEOUT/$GATEWAY_PROXY_TIMEOUT/g" | sed "s/\$NEW_TARGET/$NEW_TARGET/g" | sed "s/\$NEW_RESOLVER/$NEW_RESOLVER/g" | sed "s/\$GATEWAY_FASTCGI_HTTPS/$GATEWAY_FASTCGI_HTTPS/g" > /etc/nginx/conf.d/default.conf
Expand Down
Loading

0 comments on commit 7057595

Please sign in to comment.