h2 and HTTPS support

dunglas · dunglas · commit 0097dba7a195 · 2017-10-19T12:13:22.000+02:00
diff --git a/Dockerfile b/Dockerfile
@@ -37,27 +37,25 @@ RUN set -xe \
 # https://getcomposer.org/doc/03-cli.md#composer-allow-superuser
 ENV COMPOSER_ALLOW_SUPERUSER 1
 
-RUN composer global require "hirak/prestissimo:^0.3" --prefer-dist --no-progress --no-suggest --optimize-autoloader --classmap-authoritative \
-	&& composer clear-cache
+# Use prestissimo to speed up builds
+RUN composer global require "hirak/prestissimo:^0.3" --prefer-dist --no-progress --no-suggest --optimize-autoloader --classmap-authoritative
+
+COPY docker/app/docker-entrypoint.sh /usr/local/bin/docker-app-entrypoint
+RUN chmod +x /usr/local/bin/docker-app-entrypoint
+
+# Download the Symfony skeleton and leverage Docker cache layers
+ENV SKELETON_COMPOSER_JSON https://raw.githubusercontent.com/symfony/skeleton/v3.3.4/composer.json
 
 WORKDIR /srv/app
+RUN php -r "copy('$SKELETON_COMPOSER_JSON', 'composer.json');" \
+    && composer install --prefer-dist --no-dev --no-progress --no-suggest --no-autoloader --no-scripts --no-plugins --no-interaction
 
 COPY . .
-# Cleanup unneeded files
-RUN rm -Rf docker/
-
-# Download the Symfony skeleton
-ENV SKELETON_COMPOSER_JSON https://raw.githubusercontent.com/symfony/skeleton/v3.3.2/composer.json
-RUN [ -f composer.json ] || php -r "copy('$SKELETON_COMPOSER_JSON', 'composer.json');"
 
 RUN mkdir -p var/cache var/logs var/sessions \
     && composer install --prefer-dist --no-dev --no-progress --no-suggest --optimize-autoloader --classmap-authoritative --no-interaction \
 	&& composer clear-cache \
-# Permissions hack because setfacl does not work on Mac and Windows
-	&& chown -R www-data var
-
-COPY docker/app/docker-entrypoint.sh /usr/local/bin/docker-app-entrypoint
-RUN chmod +x /usr/local/bin/docker-app-entrypoint
+	&& chown -R www-data var # Permissions hack because setfacl does not work on Mac and Windows
 
 ENTRYPOINT ["docker-app-entrypoint"]
 CMD ["php-fpm"]
diff --git a/Dockerfile.h2-proxy b/Dockerfile.h2-proxy
@@ -0,0 +1,25 @@
+FROM httpd:2.4-alpine
+
+RUN apk add --no-cache --virtual .persistent-deps openssl
+
+# Use this self-generated certificate only in dev, IT IS NOT SECURE!
+RUN openssl genrsa -des3 -passout pass:NotSecure -out server.pass.key 2048 \
+    && openssl rsa \
+        -passin pass:NotSecure \
+        -in server.pass.key \
+        -out /usr/local/apache2/conf/server.key \
+    && rm server.pass.key \
+    && openssl req \
+        -new \
+        -passout pass:NotSecure \
+        -subj '/C=SS/ST=SS/L=Gotham City/O=Symfony/CN=localhost' \
+        -key /usr/local/apache2/conf/server.key \
+        -out /usr/local/apache2/conf/server.csr \
+    && openssl x509 \
+        -req -sha256 \
+        -days 365 \
+        -in /usr/local/apache2/conf/server.csr \
+        -signkey /usr/local/apache2/conf/server.key \
+        -out /usr/local/apache2/conf/server.crt
+
+COPY ./docker/httpd/httpd.conf /usr/local/apache2/conf/httpd.conf
diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -12,7 +12,6 @@ services:
       - /srv/app/var/cache/
       - /srv/app/var/logs/
       - /srv/app/var/sessions/
-      - /srv/app/vendor/
 
   nginx:
     build:
@@ -24,3 +23,14 @@ services:
       - ./public:/srv/app/public:ro
     ports:
       - '80:80'
+
+  # This HTTP/2 proxy is not secure: it should only be used in dev
+  h2-proxy:
+    build:
+      context: .
+      dockerfile: ./Dockerfile.h2-proxy
+    volumes:
+      # Comment out the next line in production
+      - ./docker/httpd/httpd.conf:/usr/local/apache2/conf/httpd.conf:ro
+    ports:
+      - '443:443'
diff --git a/docker/httpd/httpd.conf b/docker/httpd/httpd.conf
@@ -0,0 +1,27 @@
+ServerName localhost
+Listen 443
+
+SSLEngine on
+SSLCertificateFile "/usr/local/apache2/conf/server.crt"
+SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"
+SSLSessionCache "shmcb:/usr/local/apache2/logs/ssl_scache(512000)"
+
+User daemon
+Group daemon
+
+ErrorLog /proc/self/fd/2
+CustomLog /proc/self/fd/1 "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
+
+Protocols h2 http/1.1
+
+ProxyPass / http://nginx/
+ProxyPassReverse / http://nginx/
+
+LoadModule authz_core_module modules/mod_authz_core.so
+LoadModule http2_module modules/mod_http2.so
+LoadModule log_config_module modules/mod_log_config.so
+LoadModule proxy_module modules/mod_proxy.so
+LoadModule proxy_http_module modules/mod_proxy_http.so
+LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
+LoadModule ssl_module modules/mod_ssl.so
+LoadModule unixd_module modules/mod_unixd.so
