
Commit 3a70f32

Merge branch 'release/bugfixes-and-dependency-updates' into fix/laravel-automations
2 parents 4c4a436 + 919fd47 commit 3a70f32


11 files changed

+154
-111
lines changed


.github/workflows/action_update-dockerhub-readme.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,7 @@ jobs:
1414
name: Push README to Docker Hub
1515
steps:
1616
- name: git checkout
17-
uses: actions/checkout@v5
17+
uses: actions/checkout@v6
1818
with:
1919
ref: main
2020
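Review bot: `actions/checkout@v6` is a mutable major-version tag, so this job, which pushes the README to Docker Hub, resolves whatever commit the tag points to at run time; pinning to the full commit SHA of the v6 release (with the tag kept in a trailing comment) makes the workflow reproducible and protects it from a moved tag. The same applies to the other `actions/checkout` bumps in this commit.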

.github/workflows/scheduled-task_update-sponsors.yml

Lines changed: 1 addition & 1 deletion
@@ -8,7 +8,7 @@ jobs:
88
runs-on: ubuntu-24.04
99
steps:
1010
- name: Checkout 🛎️
11-
uses: actions/checkout@v5
11+
uses: actions/checkout@v6
1212

1313
- name: Generate Sponsors 💖
1414
uses: JamesIves/github-sponsors-readme-action@v1

.github/workflows/service_docker-build-and-publish.yml

Lines changed: 5 additions & 5 deletions
@@ -39,7 +39,7 @@ jobs:
3939
php-version-map-json: ${{ steps.get-php-versions.outputs.php-version-map-json }}
4040
steps:
4141
- name: Check out code
42-
uses: actions/checkout@v5
42+
uses: actions/checkout@v6
4343
with:
4444
ref: ${{ inputs.ref }}
4545

@@ -67,25 +67,25 @@ jobs:
6767
echo "${MATRIX_JSON}" | jq '.'
6868
6969
- name: Upload the php-versions.yml file
70-
uses: actions/upload-artifact@v4
70+
uses: actions/upload-artifact@v6
7171
with:
7272
name: php-versions.yml
7373
path: ${{ inputs.php-versions-file }}
7474

7575
docker-publish:
7676
needs: setup-matrix
77-
runs-on: depot-ubuntu-24.04-4
77+
runs-on: depot-ubuntu-24.04-8
7878
strategy:
7979
matrix: ${{fromJson(needs.setup-matrix.outputs.php-version-map-json)}}
8080

8181
steps:
8282
- name: Check out code.
83-
uses: actions/checkout@v5
83+
uses: actions/checkout@v6
8484
with:
8585
ref: ${{ inputs.ref }}
8686

8787
- name: Download PHP Versions file
88-
uses: actions/download-artifact@v5
88+
uses: actions/download-artifact@v7
8989
with:
9090
name: php-versions.yml
9191
path: ./artifacts
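Review bot: `actions/upload-artifact` moves v4 to v6 while `actions/download-artifact` moves v5 to v7, and the `php-versions.yml` artifact produced in `setup-matrix` is consumed in `docker-publish`; confirm the two major versions are compatible with each other before merging, because a mismatch only surfaces at run time when the download step fails. The `runs-on` change to `depot-ubuntu-24.04-8` is a runner-size (cost) change unrelated to the dependency bumps and deserves its own line in the commit message.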

docs/content/docs/1.getting-started/4.these-images-vs-others.md

Lines changed: 2 additions & 2 deletions
@@ -197,7 +197,7 @@ FROM serversideup/php:8.5-cli
197197
USER root
198198
199199
# Install any PHP extension easily
200-
RUN install-php-extensions redis imagick mongodb
200+
RUN install-php-extensions bcmath imagick mongodb
201201
202202
# Switch back to unprivileged user
203203
USER www-data
@@ -322,4 +322,4 @@ We're here to help! Check out these resources:
322322

323323
::tip
324324
Join our community! Star us on [GitHub](https://github.com/serversideup/docker-php) and follow updates.
325-
::
325+
::

docs/content/docs/1.getting-started/6.default-configurations.md

Lines changed: 1 addition & 1 deletion
@@ -75,7 +75,7 @@ Environment variables give you a ton of flexibility to customize your container
7575
| **PHP INI file** | **Description** |
7676
|-----------------|-----------------|
7777
| **Image Default** <br /><br /> `/usr/local/etc/php/conf.d/serversideup-docker-php.ini` | This is our production-ready PHP ini file that accepts environment variables. You can [review it in greater detail on GitHub](https://github.com/serversideup/docker-php/blob/main/src/common/usr/local/etc/php/conf.d/serversideup-docker-php.ini){target="_blank"}. |
78-
| **Adding your own PHP INI file** <br /><br /> `/usr/local/etc/php/conf.d/*.ini` | If you want to use our defaults, you can simple create a `.ini` file in the `/usr/local/etc/php/conf.d/` directory and it will be loaded automatically. This will be loaded *after* our default ini file, so whatever you set in your own ini file will override the default values. |
78+
| **Adding your own PHP INI file** <br /><br /> `/usr/local/etc/php/conf.d/*.ini` | To set your own PHP settings, simply create a `.ini` file in the `/usr/local/etc/php/conf.d/` directory. It will be loaded automatically *after* our default ini file, so any settings you define will override the defaults. |
7979

8080
:u-button{to="/docs/customizing-the-image/changing-common-php-settings" label="Learn more about changing common PHP settings" aria-label="Learn more about changing common PHP settings" size="md" color="primary" variant="outline" trailing-icon="i-lucide-arrow-right" class="font-bold ring ring-inset ring-blue-600 text-blue-600 hover:ring-blue-500 hover:text-blue-500"}
8181
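Review bot: the rewritten row promises that a user-supplied `.ini` "will be loaded automatically *after* our default ini file", but PHP parses the files in a scan directory in alphabetical order, so a file named `app.ini` or `custom.ini` sorts before `serversideup-docker-php.ini` and its values are overridden by the defaults rather than the other way round. Either tell the reader to pick a name that sorts after the default (for example `zz-custom.ini`) or document the ordering rule in the table.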

Lines changed: 64 additions & 79 deletions
@@ -1,98 +1,83 @@
1+
##
2+
# Security Configuration
3+
##
4+
5+
# This configuration follows security best practices from:
16
#
2-
# Disable access to the entire file system except for the directories that
3-
# are explicitly allowed later.
7+
# H5BP Server Configs (Apache)
8+
# https://github.com/h5bp/server-configs-apache
49
#
5-
# This currently breaks the configurations that come with some web application
6-
# Debian packages.
10+
# OWASP Secure Headers Project
11+
# https://owasp.org/www-project-secure-headers/
712
#
8-
#<Directory />
9-
# AllowOverride None
10-
# Require all denied
11-
#</Directory>
12-
13+
# RFC 8615 - Well-Known URIs
14+
# https://www.rfc-editor.org/rfc/rfc8615
15+
#
16+
# ##############################################################################
1317

14-
# Changing the following options will not really affect the security of the
15-
# server, but might make attacks slightly more difficult in some cases.
18+
# ------------------------------------------------------------------------------
19+
# | Server Software Information |
20+
# ------------------------------------------------------------------------------
1621

17-
#
18-
# ServerTokens
19-
# This directive configures what you return as the Server HTTP response
20-
# Header. The default is 'Full' which sends information about the OS-Type
21-
# and compiled in modules.
22-
# Set to one of: Full | OS | Minimal | Minor | Major | Prod
23-
# where Full conveys the most information, and Prod the least.
24-
#ServerTokens Minimal
25-
# ServerTokens OS
26-
# #ServerTokens Full
22+
# Minimize information sent about the server
23+
# https://httpd.apache.org/docs/current/mod/core.html#servertokens
2724
ServerTokens Prod
2825

29-
#
30-
# Optionally add a line containing the server version and virtual host
31-
# name to server-generated pages (internal error documents, FTP directory
32-
# listings, mod_status and mod_info output etc., but not CGI generated
33-
# documents or custom error documents).
34-
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
35-
# Set to one of: On | Off | EMail
26+
# Disable server signature on error pages
27+
# https://httpd.apache.org/docs/current/mod/core.html#serversignature
3628
ServerSignature Off
37-
# ServerSignature On
3829

39-
#
40-
# Allow TRACE method
41-
#
42-
# Set to "extended" to also reflect the request body (only for testing and
43-
# diagnostic purposes).
44-
#
45-
# Set to one of: On | Off | extended
30+
# Disable TRACE HTTP method to prevent XST attacks
31+
# https://owasp.org/www-community/attacks/Cross_Site_Tracing
4632
TraceEnable Off
47-
#TraceEnable On
4833

49-
#
50-
# Forbid access to version control directories
51-
#
52-
# If you use version control systems in your document root, you should
53-
# probably deny access to their directories. For example, for subversion:
54-
#
55-
<DirectoryMatch "/\.git">
56-
Require all denied
34+
# ------------------------------------------------------------------------------
35+
# | Security Headers |
36+
# ------------------------------------------------------------------------------
37+
38+
# Prevent clickjacking attacks by disabling iframe embedding
39+
# https://owasp.org/www-project-secure-headers/#x-frame-options
40+
Header always set X-Frame-Options "SAMEORIGIN"
41+
42+
# Prevent MIME type sniffing attacks
43+
# https://owasp.org/www-project-secure-headers/#x-content-type-options
44+
Header always set X-Content-Type-Options "nosniff"
45+
46+
# Control referrer information sent with requests
47+
# https://owasp.org/www-project-secure-headers/#referrer-policy
48+
Header always set Referrer-Policy "strict-origin-when-cross-origin"
49+
50+
# Enable HTTP Strict Transport Security (HSTS)
51+
# https://owasp.org/www-project-secure-headers/#strict-transport-security
52+
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
53+
54+
# ------------------------------------------------------------------------------
55+
# | File Access Restrictions |
56+
# ------------------------------------------------------------------------------
57+
58+
# Block PHP execution in storage directory to prevent uploaded malicious PHP files from running
59+
# Reference: Livewire arbitrary file upload (GHSA-29cq-5w36-x7w3)
60+
<LocationMatch "^/storage/.*\.php$">
61+
Require all denied
62+
</LocationMatch>
63+
64+
# Block access to all hidden files and directories (dotfiles)
65+
# EXCEPT for the "/.well-known/" directory which is required by RFC 8615
66+
# for ACME challenges, security.txt, and other standardized endpoints.
67+
# https://www.rfc-editor.org/rfc/rfc8615
68+
# https://github.com/h5bp/server-configs-apache
69+
<DirectoryMatch "/\.(?!well-known/)">
70+
Require all denied
5771
</DirectoryMatch>
5872

59-
# Prevent Apache from serving Gitlab files
60-
<FilesMatch "\.gitlab-ci.yml$">
61-
Require all denied
73+
# Block access to files that may expose sensitive information
74+
# Based on H5BP server configs: https://github.com/h5bp/server-configs-apache
75+
<FilesMatch "(^#.*#|\.(bak|conf|config|dist|inc|ini|log|sh|sql|sw[op])|~)$">
76+
Require all denied
6277
</FilesMatch>
6378

6479
# Disable XML-RPC on all wordpress sites
6580
<Files xmlrpc.php>
6681
Require all denied
6782
# allow from xxx.xxx.xxx.xxx
68-
</Files>
69-
70-
#
71-
# Setting this header will prevent MSIE from interpreting files as something
72-
# else than declared by the content type in the HTTP headers.
73-
# Requires mod_headers to be enabled.
74-
#
75-
Header always set X-Content-Type-Options: "nosniff"
76-
77-
#
78-
# Setting this header will prevent other sites from embedding pages from this
79-
# site as frames. This defends against clickjacking attacks.
80-
# Requires mod_headers to be enabled.
81-
#
82-
Header always set X-Frame-Options: "sameorigin"
83-
84-
#
85-
# Referrer policy
86-
#
87-
Header always set Referrer-Policy "no-referrer-when-downgrade"
88-
89-
#
90-
# Content Security Policy
91-
# UPDATE - September 2020: Commenting this out until we grasp better security requirements
92-
#
93-
#Header always set Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'"
94-
95-
#
96-
# Strict-Transport-Security Policy (set HSTS)
97-
#
98-
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
83+
</Files>
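Review bot: `<DirectoryMatch "/\.(?!well-known/)">` only denies requests whose filesystem path passes through a dot-directory, so a dotfile sitting directly in a served directory (`.env`, `.htpasswd`) is still served, and none of those names match the new `<FilesMatch>` list either; the nginx counterpart in this commit matches the request URI and therefore does cover them. Suggest adding a `<FilesMatch "^\.">` block with `Require all denied` next to the DirectoryMatch (ACME challenge tokens and `security.txt` under `/.well-known/` do not start with a dot, so the exemption is unaffected). Two smaller points: `<LocationMatch "^/storage/.*\.php$">` is anchored at the end of the URI, so a request for `/storage/x.php/anything`, which Apache maps to `x.php` with PATH_INFO when `AcceptPathInfo` allows it, is not denied; `\.php(/|$)` closes that. And the new `<FilesMatch>` is case-sensitive while the nginx version uses `~*`, so `(?i)` at the start of the pattern would keep the two in step.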
Lines changed: 38 additions & 11 deletions
@@ -1,24 +1,51 @@
1+
##
2+
# Security Configuration
3+
##
4+
5+
# This configuration follows security best practices from:
6+
#
7+
# H5BP Server Configs (nginx)
8+
# https://github.com/h5bp/server-configs-nginx
19
#
2-
# Security Headers
10+
# OWASP Secure Headers Project
11+
# https://owasp.org/www-project-secure-headers/
312
#
13+
# RFC 8615 - Well-Known URIs
14+
# https://www.rfc-editor.org/rfc/rfc8615
15+
#
16+
# ##############################################################################
417

5-
# Prevent IFRAME spoofing attacks
18+
# Prevent clickjacking attacks by disabling iframe embedding
19+
# https://owasp.org/www-project-secure-headers/#x-frame-options
620
add_header X-Frame-Options "SAMEORIGIN" always;
721

8-
# Prevent MIME attacks
22+
# Prevent MIME type sniffing attacks
23+
# https://owasp.org/www-project-secure-headers/#x-content-type-options
924
add_header X-Content-Type-Options "nosniff" always;
1025

11-
# Prevent Referrer URL from being leaked
12-
add_header Referrer-Policy "no-referrer-when-downgrade" always;
13-
14-
# Configure Content Security Policy
15-
# UPDATE - September 2020: Commenting this out until we grasp better security requirements
16-
#add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
26+
# Control referrer information sent with requests
27+
# https://owasp.org/www-project-secure-headers/#referrer-policy
28+
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
1729

18-
# Enable HSTS
30+
# Enable HTTP Strict Transport Security (HSTS)
31+
# https://owasp.org/www-project-secure-headers/#strict-transport-security
1932
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
2033

21-
# Prevent access to . files (the well-known directory)
34+
# ------------------------------------------------------------------------------
35+
# | File Access Restrictions |
36+
# ------------------------------------------------------------------------------
37+
38+
# Block access to hidden files and directories (dotfiles)
39+
# EXCEPT for the "/.well-known/" directory which is required by RFC 8615
40+
# for ACME challenges, security.txt, and other standardized endpoints.
41+
# https://www.rfc-editor.org/rfc/rfc8615
42+
# https://github.com/h5bp/server-configs-nginx
2243
location ~ /\.(?!well-known) {
2344
deny all;
45+
}
46+
47+
# Block access to files that may expose sensitive information
48+
# Based on H5BP server configs: https://github.com/h5bp/server-configs-nginx
49+
location ~* (?:#.*#|\.(?:bak|conf|config|dist|inc|ini|log|sh|sql|sw[op])|~)$ {
50+
deny all;
2451
}
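Review bot: nginx selects the first regex `location` that matches in configuration order, so these `deny all` blocks only win when this file is included before `location ~ \.php$`; a PHP file under a dot-directory would otherwise be handed to PHP-FPM instead of denied, and nothing in the file documents that ordering dependency, so add a comment stating it. Also, `(?!well-known)` exempts any path component that merely begins with `.well-known`, whereas the Apache rule in this commit uses `(?!well-known/)`; align the two with the slash variant.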

src/variations/fpm-nginx/etc/nginx/site-opts.d/http.conf.template

Lines changed: 6 additions & 0 deletions
@@ -30,6 +30,12 @@ location / {
3030
try_files $uri $uri/ /index.php?$query_string;
3131
}
3232

33+
# Block PHP execution in storage directory to prevent uploaded malicious PHP files from running
34+
# Reference: Livewire arbitrary file upload (GHSA-29cq-5w36-x7w3)
35+
location ~* ^/storage/.*\.php$ {
36+
deny all;
37+
}
38+
3339
# Pass "*.php" files to PHP-FPM
3440
location ~ \.php$ {
3541
fastcgi_pass 127.0.0.1:9000;
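Review bot: the position of this block is load-bearing: nginx uses the first matching regex `location` in configuration order, so the `deny all` only takes precedence because it sits above `location ~ \.php$`; add a comment saying it must stay before the PHP-FPM location so a later reorder does not silently re-enable PHP execution under `/storage/`.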

src/variations/fpm-nginx/etc/nginx/site-opts.d/https.conf.template

Lines changed: 6 additions & 0 deletions
@@ -36,6 +36,12 @@ location / {
3636
try_files $uri $uri/ /index.php?$query_string;
3737
}
3838

39+
# Block PHP execution in storage directory to prevent uploaded malicious PHP files from running
40+
# Reference: Livewire arbitrary file upload (GHSA-29cq-5w36-x7w3)
41+
location ~* ^/storage/.*\.php$ {
42+
deny all;
43+
}
44+
3945
# Pass "*.php" files to PHP-FPM
4046
location ~ \.php$ {
4147
fastcgi_pass 127.0.0.1:9000;
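Review bot: this block is identical to the one added to `http.conf.template`; since both templates have to be edited in lock-step, consider moving the shared `location` rules into one snippet that both templates `include`, so the http and https configurations cannot drift (the Apache and nginx `well-known` patterns in this same commit already differ).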

src/variations/frankenphp/Dockerfile

Lines changed: 1 addition & 1 deletion
@@ -2,7 +2,7 @@
22
ARG BASE_OS_VERSION='trixie'
33
ARG PHP_VERSION='8.5'
44
ARG BASE_IMAGE="php:${PHP_VERSION}-zts-${BASE_OS_VERSION}"
5-
ARG FRANKENPHP_VERSION='1.10.1'
5+
ARG FRANKENPHP_VERSION='1.11.1'
66
ARG GOLANG_VERSION='1.25'
77

88
########################
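Review bot: `FRANKENPHP_VERSION` is fully pinned to `1.11.1`, but the adjacent `GOLANG_VERSION='1.25'` is a floating minor tag, so the toolchain that builds it can change between builds without a diff here; pinning the Go version to a patch release keeps the image reproducible.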
