From 22754f9bf936e65ee3d570d3a1bef38df8760d02 Mon Sep 17 00:00:00 2001
From: Robert Kaussow
Date: Sun, 29 Sep 2019 15:07:44 +0200
Subject: [PATCH] use a more strict vhost config
---
 CHANGELOG.md | 1 +
 Dockerfile.linux.amd64 | 1 +
 docker-compose.yml | 4 ++--
 overlay/etc/nginx/vhost.conf | 21 +++++++++++++--------
 overlay/usr/local/bin/entrypoint.sh | 2 +-
 5 files changed, 18 insertions(+), 11 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4bd84ed..84a59ad 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,2 +1,3 @@
 * BUGFIX
 * fix port in healthcheck script
+ * use a more strict vhost
diff --git a/Dockerfile.linux.amd64 b/Dockerfile.linux.amd64
index 97f3655..b93cce3 100644
--- a/Dockerfile.linux.amd64
+++ b/Dockerfile.linux.amd64
@@ -24,6 +24,7 @@ RUN apk --update add --virtual .build-deps tar curl && \
 apk del .build-deps && \
 rm -rf /var/cache/apk/* && \
 rm -rf /tmp/* && \
+ rm -rf /var/www/app/ChangeLog /var/www/app/config.default.php && \
 mkdir -p /var/run/php && \
 chown -R nginx /var/run/php && \
 mkdir -p /var/lib/php/tmp_upload && \
diff --git a/docker-compose.yml b/docker-compose.yml
index 0154cdd..c6a5250 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -4,12 +4,12 @@ services:
 kanboard:
 image: xoxys/kanboard:latest
 ports:
- - "80:80"
+ - "80:8080"
 volumes:
 - kanboard_data:/var/www/app/data
 - kanboard_plugins:/var/www/app/plugins
 environment:
- KANBOARD_PLUGIN_INSTALLER: "true"
+ KANBOARD_PLUGIN_INSTALLER: "true"
 volumes:
 kanboard_data:
diff --git a/overlay/etc/nginx/vhost.conf b/overlay/etc/nginx/vhost.conf
index 0dbd10d..df9e964 100644
--- a/overlay/etc/nginx/vhost.conf
+++ b/overlay/etc/nginx/vhost.conf
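Review bot: The added `rm -rf /var/www/app/ChangeLog /var/www/app/config.default.php` in Dockerfile.linux.amd64 has no comment saying why these two files go, and it uses `-r` on what look like regular files. A comment ahead of the RUN such as `# ChangeLog and config.default.php are not needed at runtime and would otherwise sit under the web root` would record the intent (assuming /var/www/app is the document root, which the hunk does not show), and `rm -f` is enough for files. Removing them in this RUN chain only keeps them out of the image if the application archive is unpacked earlier in the same instruction; that part is outside the hunk, so it is worth confirming the files never land in an earlier layer.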
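Review bot: The re-indented `KANBOARD_PLUGIN_INSTALLER: "true"` in docker-compose.yml leaves the plugin installer switched on in the sample deployment, which sits oddly beside the stricter vhost this commit introduces. Presumably the variable lets an application administrator download and install third-party PHP into the `kanboard_plugins` volume from the web UI, so a compromised administrator account would amount to code execution in the container. Consider shipping the example with `KANBOARD_PLUGIN_INSTALLER: "false"` and a comment `# enable only while installing plugins, then switch it back off`. The services block starts above the hunk.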
@@ -9,16 +9,12 @@ server {
 try_files $uri $uri/ /index.php$is_args$args;
 }
- location ~ \.php$ {
- try_files $uri =404;
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- fastcgi_pass unix:/var/run/php/php-fpm.sock;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_index index.php;
- include fastcgi_params;
+ location ~ /plugins/.*/Assets/ {
+ allow all;
 }
- location ~ /data {
+ location ~ /(app|data|libs|plugins|vendor|cli) {
+ deny all;
 return 404;
 }
@@ -30,6 +26,15 @@ server {
 return 404;
 }
+ location ~ \.php$ {
+ try_files $uri =404;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_pass unix:/var/run/php/php-fpm.sock;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_index index.php;
+ include fastcgi_params;
+ }
+
 location ~* ^.+\.(ico|jpg|gif|png|css|js|svg|eot|ttf|woff|woff2|otf)$ {
 log_not_found off;
 expires 7d;
diff --git a/overlay/usr/local/bin/entrypoint.sh b/overlay/usr/local/bin/entrypoint.sh
index cb37f51..4156433 100755
--- a/overlay/usr/local/bin/entrypoint.sh
+++ b/overlay/usr/local/bin/entrypoint.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 /usr/local/bin/gomplate -V -o /etc/php7/php.ini -f /etc/templates/php.ini.tmpl 1>/dev/null
-/usr/local/bin/gomplate -V -o /var/www/app/config.php -f /etc/templates/config.php.tmpl 1>/dev/null
+/usr/local/bin/gomplate -V -o /var/www/app/data/config.php -f /etc/templates/config.php.tmpl 1>/dev/null
 exec supercronic -split-logs /etc/crontabs/nginx 1>/dev/null &
 exec php-fpm7 -F &
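Review bot: Both regexes added in the first vhost.conf hunk are unanchored, and nginx answers with the first regex location that matches, so `location ~ /plugins/.*/Assets/` wins for any URI that merely contains that sequence. A path under one of the denied directories that also contains it is served by the allow block instead of getting the 404, and a `.php` file inside a plugin's Assets directory is handed out as a static file because the PHP block further down is never consulted. The deny rule in turn matches `/app`, `/cli` and the rest as substrings, so it would also 404 unrelated routes that happen to start with those letters. The rewrite below anchors both rules to whole path segments, refuses PHP inside asset directories, and drops `allow all;` and `deny all;`, which have no effect next to the default and to `return 404;`. The server block begins and ends outside the hunk.

```nginx
# … unchanged: location / …

# Static plugin assets only; anchored so it cannot match inside another directory.
location ~ ^/plugins/[^/]+/Assets/ {
    # Never hand out PHP source from an asset directory.
    location ~ \.php$ {
        return 404;
    }
}

# Application internals are never served; matched on whole path segments.
location ~ ^/(app|data|libs|plugins|vendor|cli)(/|$) {
    return 404;
}
```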
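Review bot: The relocated `location ~ \.php$` block in the second vhost.conf hunk now depends on its position for safety, and nothing in the file says so. nginx uses the first regex location that matches, so PHP files under the denied directories stay away from php-fpm only while this block sits below the deny rules; a comment above it, `# keep below the deny rules: the first matching regex location wins`, would guard against a later reorder. Separately, `fastcgi_split_path_info ^(.+\.php)(/.+)$;` can never capture path info here, because the location regex requires the URI to end in `.php`; dropping the directive would make the block say what it actually does. The server block starts and ends outside the hunk.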
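Review bot: The render into `/var/www/app/data/config.php` in entrypoint.sh is not checked for failure, and that path is inside the persistent `kanboard_data` volume mounted in docker-compose.yml, so a failed gomplate run leaves the previous start's file in place and the container comes up on stale settings without any signal. Ending the line with `|| exit 1` would make the failure visible. The file also now lives in a directory under the web root, so whatever credentials the template renders are kept from HTTP clients only by the data rule in vhost.conf; a comment `# data/ is blocked in vhost.conf; keep that rule if this path changes` would record the dependency. The script may continue past the end of the hunk.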