Develop Reference

File permissions for mounted volumes in docker

Currently using WSL2 ubuntu with docker-desktop for windows with WSL integration.
docker-compose.yml file
version: '3.9'
services:
wordpress:
# default port 9000 (FastCGI)
image: wordpress:6.1.1-fpm
container_name: wp-wordpress
env_file:
- .env
restart: unless-stopped
networks:
- wordpress
depends_on:
- database
volumes:
- ${WORDPRESS_LOCAL_HOME}:/var/www/html
- ${WORDPRESS_UPLOADS_CONFIG}:/usr/local/etc/php/conf.d/uploads.ini
# - /path/to/repo/myTheme/:/var/www/html/wp-content/themes/myTheme
environment:
- WORDPRESS_DB_HOST=${WORDPRESS_DB_HOST}
- WORDPRESS_DB_NAME=${WORDPRESS_DB_NAME}
- WORDPRESS_DB_USER=${WORDPRESS_DB_USER}
- WORDPRESS_DB_PASSWORD=${WORDPRESS_DB_PASSWORD}
database:
# default port 3306
image: mysql:latest
container_name: wp-database
env_file:
- .env
restart: unless-stopped
networks:
- wordpress
environment:
- MYSQL_DATABASE=${MYSQL_DATABASE}
- MYSQL_USER=${MYSQL_USER}
- MYSQL_PASSWORD=${MYSQL_PASSWORD}
- MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
volumes:
- ${MYSQL_LOCAL_HOME}:/var/lib/mysql
command:
- '--default-authentication-plugin=mysql_native_password'
nginx:
# default ports 80, 443 - expose mapping as needed to host
image: nginx:latest
container_name: wp-nginx
env_file:
- .env
restart: unless-stopped
networks:
- wordpress
depends_on:
- wordpress
ports:
- 8080:80 # http
- 8443:443 # https
volumes:
- ${WORDPRESS_LOCAL_HOME}:/var/www/html
- ${NGINX_CONF}:/etc/nginx/conf.d/default.conf
- ${NGINX_SSL_CERTS}:/etc/nginx/certs
- ${NGINX_LOGS}:/var/log/nginx
adminer:
# default port 8080
image: adminer:latest
container_name: wp-adminer
restart: unless-stopped
networks:
- wordpress
depends_on:
- database
ports:
- "9000:8080"
networks:
wordpress:
name: wp-wordpress
driver: bridge
I'm just starting out with development using docker. The file on the local storage(in the Linux file system) was initially owned by www-data so I changed it to my linux username using sudo chown -R username:username wordpress/ because it wasn't writeable. But doing this doesn't allow me to upload files(from wordpress interface) or write to files inside the nginx container unless the ownership is changed back to www-data:www-data.
Things I've tried:
Starting a bash session inside the nginx container with docker exec -it <cname> bash and changing the ownership of the uploads directory and writing files to my username.(after adding user with adduser username)
Changing the nginx user within the bash session to my username using user username username
I don't know what else to try except sudo chmod -R a+rwx in the main directory.
default.conf:
# default.conf
# redirect to HTTPS
server {
listen 80;
listen [::]:80;
server_name wordpress-docker.test;
location / {
# update port as needed for host mapped https
rewrite ^ https://wordpress-docker.test:8443$request_uri? permanent;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name wordpress-docker.test;
index index.php index.html index.htm;
root /var/www/html;
server_tokens off;
client_max_body_size 75M;
# update ssl files as required by your deployment
ssl_certificate /etc/nginx/certs/localhost+2.pem;
ssl_certificate_key /etc/nginx/certs/localhost+2-key.pem;
# logging
access_log /var/log/nginx/wordpress.access.log;
error_log /var/log/nginx/wordpress.error.log;
# some security headers ( optional )
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
location ~ \.php$ {
try_files $uri = 404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass wordpress:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
location ~ /\.ht {
deny all;
}
location = /favicon.ico {
log_not_found off; access_log off;
}
location = /favicon.svg {
log_not_found off; access_log off;
}
location = /robots.txt {
log_not_found off; access_log off; allow all;
}
location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
expires max;
log_not_found off;
}
}
Folder struct:
|-config
|--uploads.ini
|-dbdata
|-logs
|-nginx
|--certs
|--default.conf
|-wordpress
|-.env
|-docker-compose.yml

Refering to this answer, this is how I resolved my issue:
Add your user to the www-data group
sudo usermod -a -G www-data username
Give rw permissions to the www-data group(f flag applies the permissions only to files and leaves the directories)
sudo find wordpress -type f -exec chmod g+rw {} +

Docker ngnix with tag nginx:latest seems causes a major issue - direct acces to web directory

Upgrading Nginx docker with image tag Nginx:latest causes not executing PHP files and give direct access to web directory!
Upgrading docker-compose.yml from nginx:1.18.0 to Nginx:latest seems to cause a major issue.
Ngnix container not executing PHP files anymore and give direct access to all content of web repository
Details:
Extract of docker-compose.yml (full reproductible example below)
webserver:
#image: nginx:1.8.0
image: nginx:latest
and then "docker-composer up -d"
raises the issue.
Effect:
Nginx 1.18.0 not executing PHP files (using php7.4-fpm) and give direct access to web contains
eg: domain.com/index.php can then be directly downloaded!
First elements:
image nginx:latest or image nginx produce the same effect
image nginx:1.8.0 (nor any explicit x.y.z tag) does not produce this issue
Troubling facts:
nginx image with tag: nginx:mainline download version # nginx version: nginx/1.21.5
nginx image with tag: nginx:latest download a 1.8.0 version # nginx version: nginx/1.8.0
Probable issue :
image nginx:latest has the following file (extract)
/etc/nginx/nginx.conf
html {
(...)
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*; # THIS LINE IS NEW - instantiated a default site
}
Don't know if this point has been noticed
Is a Dockerfile with "rm /etc/nginx/sites-enabled/" cmd an acceptable workaround or a prerequisite?
Reproducible example
docker-compose.yml
version: "3"
services:
cms_php:
image: php:7.4-fpm
container_name: cms_php
restart: unless-stopped
networks:
- internal
- external
volumes:
- ./src:/var/www/html
webserver:
# image: nginx:1.18.0 # OK
# image: nginx:1.17.0 # OK
# image: nginx:mainline # OK
image: nginx:latest # NOK
# image: nginx # NOK
container_name: webserver
depends_on:
- cms_php
restart: unless-stopped
ports:
- 80:80
volumes:
- ./src:/var/www/html
- ./nginx-conf:/etc/nginx/conf.d/
networks:
- external
networks:
external:
driver: bridge
internal:
driver: bridge
nginx-conf/nginx.conf
server {
listen 80;
listen [::]:80;
server_name localhost;
index index.php index.html index.htm;
root /var/www/html;
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass cms_php:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
location ~ /\.ht {
deny all;
}
location = /favicon.ico {
log_not_found off; access_log off;
}
location = /robots.txt {
log_not_found off; access_log off; allow all;
}
location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
expires max;
log_not_found off;
}
}
src/index.php
<?php echo "Hi..."; ?>

With the below setup, I am able to get the desired data. I didn't have to make changes to your files. You may have an issue with your paths/setup. Try to imitate my setup. I am using nginx:latest.
$ curl localhost:80
Hi...
Running docker processes in this setup
$ docker-compose ps
Name Command State Ports
-----------------------------------------------------------------------
cms_php docker-php-entrypoint php-fpm Up 9000/tcp
webserver /docker-entrypoint.sh ngin ... Up 0.0.0.0:80->80/tcp
Folder structure
$ tree
.
├── docker-compose.yaml
├── nginx-conf
│ └── nginx.conf
└── src
└── index.php
2 directories, 3 files
src/index.php
$ cat src/index.php
<?php echo "Hi..."; ?>
docker-compose.yaml
$ cat docker-compose.yaml
version: "3"
services:
cms_php:
image: php:7.4-fpm
container_name: cms_php
restart: unless-stopped
networks:
- internal
- external
volumes:
- ./src:/var/www/html
webserver:
image: nginx:latest
container_name: webserver
depends_on:
- cms_php
restart: unless-stopped
ports:
- 80:80
volumes:
- ./src:/var/www/html
- ./nginx-conf:/etc/nginx/conf.d/
networks:
- external
networks:
external:
driver: bridge
internal:
driver: bridge
nginx-conf/nginx.conf
$ cat nginx-conf/nginx.conf
server {
listen 80;
listen [::]:80;
server_name localhost;
index index.php index.html index.htm;
root /var/www/html;
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass cms_php:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
location ~ /\.ht {
deny all;
}
location = /favicon.ico {
log_not_found off; access_log off;
}
location = /robots.txt {
log_not_found off; access_log off; allow all;
}
location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
expires max;
log_not_found off;
}
}

Lumen Nginx assets path issues

Having the following nginx configuration in docker container for Lumen
Docker compose nginx service
version: '3'
services:
nginx:
container_name: ${PROJECT_SUFFIX}_nginx
build: docker/nginx
command: nginx -g "daemon off;"
links:
- php
ports:
- "8099:80"
#volumes:
# - ./app/public:/var/www/html/app/public
Docker install
FROM nginx:1.17-alpine
ADD nginx.conf /etc/nginx/conf.d/default.conf
Lumen Nginx
server {
listen 80;
root /var/www/html/public;
index index.php index.htm index.html;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location /index.php {
include fastcgi_params;
fastcgi_connect_timeout 10s;
fastcgi_read_timeout 10s;
fastcgi_buffers 256 4k;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass php:9000;
}
}
none of the assets files are loaded. I'm getting 404 (example http://localhost:8099/front/css/app.css) as response however the path is correct. How can I debug this issue correctly

Multiple nginx websites with one container

So, first let me explain what I am trying to do. I have 2 websites, a frontend and a backend, the frontend is just HTML and vue, which uses the backend to store information (an api)
Websites:
- erp.test (frontend)
- api.erp.test (backend; php, api)
docker-compose.yml
version: '3'
services:
#web
frontend:
build:
context: .
dockerfile: ./environment/nginx/Dockerfile
container_name: frontend
restart: always
ports:
- 80:80
- 442:442
volumes:
- ./environment/nginx/sites-enabled:/etc/nginx/sites-enabled
- ./frontend/public:/usr/share/nginx/html/frontend
- ./api:/usr/share/nginx/html/api
links:
- php
php:
build:
context: .
args:
version: 7.3.0-fpm
dockerfile: ./environment/php/Dockerfile
container_name: php_backend
restart: always
depends_on:
- mysql
mysql:
build:
context: .
args:
version: 5.7
dockerfile: ./environment/mysql/Dockerfile
restart: always
volumes:
- ./environment/mysql/data:/var/lib/mysql
environment:
MYSQL_ROOT_PASSWORD: laravel
MYSQL_DATABASE: laravel
ports:
- 13306:3306
command:
build:
context: .
dockerfile: ./environment/command/Dockerfile
container_name: command
restart: always
command: "tail -f /dev/null"
volumes:
- ./frontend:/frontend
This uses the following files for the sites-enabled.
My dockerfile for the nginx environment is the following:
FROM nginx
Config files for the websites:
etc/nginx/sites-enabled/api.erp.test
server {
listen 80;
listen [::]:80;
server_name api.erp.test;
root /usr/share/nginx/html/backend/public;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
index index.html index.htm index.php;
charset utf-8;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
error_page 404 /index.php;
location ~ \.php$ {
fastcgi_pass unix:/var/run/php/php7.3.0-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
location ~ /\.(?!well-known).* {
deny all;
}
}
etc/nginx/sites-enabled/erp.test
server {
listen 80;
listen [::]:80;
server_name erp.test;
root /usr/share/nginx/html/frontend/public;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
index index.html;
location / {
try_files $uri $uri/ =404;
}
charset utf-8;
}
Both of them files should (I assume) be enabled and work. I checked the container and the files are in the correct position, and I've even added the IP address of the container to my hosts file on my machine like so:
172.18.0.3 erp.test
172.18.0.3 api.erp.test
Whenever I visit them urls, it just goes to the default nginx url and not the specific websites. Any idea what I am doing wrong?

I believe for nginx in docker the virtual host files need to go into /etc/nginx/conf.d not /etc/nginx/sites-enabled
So in your docker-compose.yml change
./environment/nginx/sites-enabled:/etc/nginx/sites-enabled
to
./environment/nginx/sites-enabled:/etc/nginx/conf.d

ERR_TOO_MANY_REDIRECTS in backoffice when running Prestashop in Docker

I'm trying to make a docker environment for a Prestashop project. I have it almost working but for some reason, the back office is inaccessible - it gives me a ERR_TOO_MANY_REDIRECTS error.
I changed the urls in shop_url table and changed PS_SHOP_DOMAIN and PS_SHOP_DOMAIN_SSL to no vain. I tried to disable friendly URLs, enable/disable SSL - but the problem persists.
I'm using a custom image for a webserver:
luken-wodby-nginx-prestashop Dockerfile:
FROM wodby/nginx:1.10
ENV WODBY_DIR_FILES /mnt/files
RUN rm /etc/gotpl/default-vhost.conf.tpl && \
mkdir -p $WODBY_DIR_FILES && \
mkdir -p /var/log/nginx
COPY prestashop.conf.tpl /etc/gotpl/
COPY init/* /docker-entrypoint-init.d/
docker-compose.yml:
version: "2"
services:
mariadb:
image: wodby/mariadb:10.1-2.0.0
environment:
MYSQL_ROOT_PASSWORD: password
MYSQL_DATABASE: organic
MYSQL_USER: prestashop
MYSQL_PASSWORD: prestashop
volumes:
- ./database:/docker-entrypoint-initdb.d
ports:
- "33060:3306"
php:
image: wodby/php:5.6-2.0.0
environment:
PHP_SENDMAIL_PATH: /usr/sbin/sendmail -t -i -S mailhog:1025
PHP_XDEBUG: 1
PHP_XDEBUG_DEFAULT_ENABLE: 1
volumes:
- ./:/var/www/html
nginx:
image: luken-wodby-nginx-prestashop:latest
depends_on:
- php
environment:
NGINX_BACKEND_HOST: php
NGINX_SERVER_NAME: prestashop.docker.localhost
NGINX_SERVER_ROOT: /var/www/html/public_html
volumes:
- ./:/var/www/html
ports:
- "8000:80"
mailhog:
image: mailhog/mailhog
ports:
- "8002:8025"
Nginx virtual host configuration:
server {
listen 80;
server_name {{ getenv "NGINX_SERVER_NAME" "prestashop" }};
root {{ getenv "NGINX_SERVER_ROOT" "/var/www/html/" }};
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
index index.php index.html;
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
auth_basic off;
allow all;
log_not_found off;
access_log off;
}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 1;
gzip_buffers 16 8k;
gzip_http_version 1.0;
gzip_types application/json text/css application/javascript;
rewrite ^/api/?(.*)$ /webservice/dispatcher.php?url=$1 last;
rewrite ^/([0-9])(-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+.jpg$ /img/p/$1/$1$2$3.jpg last;
rewrite ^/([0-9])([0-9])(-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+.jpg$ /img/p/$1/$2/$1$2$3$4.jpg last;
rewrite ^/([0-9])([0-9])([0-9])(-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+.jpg$ /img/p/$1/$2/$3/$1$2$3$4$5.jpg last;
rewrite ^/([0-9])([0-9])([0-9])([0-9])(-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+.jpg$ /img/p/$1/$2/$3/$4/$1$2$3$4$5$6.jpg last;
rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])(-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+.jpg$ /img/p/$1/$2/$3/$4/$5/$1$2$3$4$5$6$7.jpg last;
rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+.jpg$ /img/p/$1/$2/$3/$4/$5/$6/$1$2$3$4$5$6$7$8.jpg last;
rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+.jpg$ /img/p/$1/$2/$3/$4/$5/$6/$7/$1$2$3$4$5$6$7$8$9.jpg last;
rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+.jpg$ /img/p/$1/$2/$3/$4/$5/$6/$7/$8/$1$2$3$4$5$6$7$8$9$10.jpg last;
rewrite ^/c/([0-9]+)(-[.*_a-zA-Z0-9-]*)(-[0-9]+)?/.+.jpg$ /img/c/$1$2$3.jpg last;
rewrite ^/c/([a-zA-Z_-]+)(-[0-9]+)?/.+.jpg$ /img/c/$1$2.jpg last;
rewrite ^/images_ie/?([^/]+).(jpe?g|png|gif)$ /js/jquery/plugins/fancybox/images/$1.$2 last;
rewrite ^/order$ /index.php?controller=order last;
location /panel_adm/ { #Change this to your admin folder
if (!-e $request_filename) {
rewrite ^/.*$ /panel_adm/index.php last; #Change this to your admin folder
}
}
location / {
if (!-e $request_filename) {
rewrite ^/.*$ /index.php last;
}
}
location ~ .php$ {
fastcgi_split_path_info ^(.+.php)(/.*)$;
try_files $uri =404;
fastcgi_keep_conn on;
include /etc/nginx/fastcgi_params;
fastcgi_pass backend; #Change this to your PHP-FPM location
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
}
Website works just fine, only the back office is inaccessible and gives ERR_TOO_MANY_REDIRECTS error.
Any ideas what can be wrong?

I found the cause of the problem. The wodby/nginx nginx container is using a custom fastcgi_params file. This file strangely enough doesn't have fastcgi_param QUERY_STRING $query_string; line (in contrast to the original file that comes with nginx). This makes it incompatible by default with some ready nginx templates that you can find on the internet. It manifests itself by query parameters not getting passed to the script (I created an issue for it here: https://github.com/wodby/nginx/issues/3 ).
Now, Prestashop's back office not having an important controller parameter freaks out, because it doesn't know which controller to run. If there is no controller, it does a redirection to the URL with a default controller as a parameter, but because there is never a "controller" parameter available for Prestashop, it ends in redirection loop causing ERR_TOO_MANY_REDIRECTS.
The fix for this is to add fastcgi_param QUERY_STRING $query_string; in your nginx configuration to pass query parameters to the script.

As far as I remember, on installation, Prestashop needs to be with full folder permissions, whereas it causes thoses kind of problems.
So for instance :
chmod 755 -R /var/www/html
should do the job. Do not forget to change the permissions after the installation to something more secure like :
chmod 644 -R /var/www/html
chmod 755 -R cache app var modules img
(Updated after #abkrim comments on security)