Add support for nginx web server

nginx is only the web server frontend.  PHP-FPM is used to run the
FastCGI end.

Piwigo only runs on PHP7, so use this version in dependencies.

5 files changed, 156 insertions, 10 deletions

diff --git a/.SRCINFO b/.SRCINFO
index a639fe75179d..0cbcd5da9e53 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,27 +1,37 @@
 pkgbase = piwigo
 	pkgdesc = Photo gallery software for the web
 	pkgver = 11.5.0
-	pkgrel = 4
+	pkgrel = 5
 	url = https://piwigo.org/
 	arch = any
 	license = GPL
 	makedepends = unzip
-	depends = php
+	depends = php7
 	depends = mariadb
-	depends = php-apache
-	optdepends = php-gd: graphic library (one graphic library is required)
+	optdepends = php7-gd: graphic library (one graphic library is required)
 	optdepends = imagemagick: graphic library (one graphic library is required)
+	optdepends = php7-apache: Apache Web Server (one web server is required)
+	optdepends = nginx: nginx Web Server (one web server is required)
+	optdepends = php7-fpm: FastCGI, required with nginx Web Server
 	optdepends = exiftool: Write Metadata plugin or any other plugin dealing with EXIF/IPTC metadata
 	optdepends = ffmpeg: VideoJS plugin to create video poster
 	optdepends = jpegtran: RotateImage plugin to rotate images with no compression
 	optdepends = pdftoppm: generate poster from PDF files (instead of ImageMagick)
 	options = emptydirs
 	backup = etc/webapps/piwigo/apache.conf
+	backup = etc/nginx/sites-available/piwigo.conf
+	backup = etc/php7/php-fpm.d/piwigo.conf
 	source = piwigo.zip::https://piwigo.org/download/dlcounter.php?code=latest
 	source = apache.conf
 	source = piwigo.perm.sh
+	source = nginx.conf
+	source = php-fpm7.conf
+	source = php-fpm7.service.conf
 	sha256sums = bfecdd743c62cdb4e1936662178d019af264ea763d26c8c832da836fbe09652d
 	sha256sums = 64435b2f5fe29ab6201e00a755bff5dbe77bc4450559a2668a21e750ce13f8be
 	sha256sums = 0e6d4af6552f4eead62825999eee115152cf5f884f2c65b759379ac5b15d36f7
+	sha256sums = c27d837157cc6b189f62e36b43532efdf9881f5db8059ba5a430be2ad9154937
+	sha256sums = af481516383faae67bb02d604dbe07778e352aa01fc548e0cd641a902fddbfb7
+	sha256sums = 4fd0561c64ab8a1b166e69b4ce9985f343bcd351d33fc055604edf94f11317f4
 
 pkgname = piwigo
diff --git a/PKGBUILD b/PKGBUILD
index 7267ae263f95..5d80217b310b 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,26 +1,40 @@
+# Maintainer: Fanch
+# Contributor: Henry-Joseph Audéoud <h.audeoud@gmail.com>
+
 pkgname=piwigo
 pkgver=11.5.0
-pkgrel=4
+pkgrel=5
 pkgdesc='Photo gallery software for the web'
 arch=(any)
 url="https://piwigo.org/"
 license=("GPL")
-depends=('php' 'mariadb' 'php-apache')
-optdepends=('php-gd: graphic library (one graphic library is required)'
+depends=('php7' 'mariadb')
+optdepends=('php7-gd: graphic library (one graphic library is required)'
             'imagemagick: graphic library (one graphic library is required)'
+            'php7-apache: Apache Web Server (one web server is required)'
+            'nginx: nginx Web Server (one web server is required)'
+            'php7-fpm: FastCGI, required with nginx Web Server'
             'exiftool: Write Metadata plugin or any other plugin dealing with EXIF/IPTC metadata'
             'ffmpeg: VideoJS plugin to create video poster'
             'jpegtran: RotateImage plugin to rotate images with no compression'
             'pdftoppm: generate poster from PDF files (instead of ImageMagick)')
 makedepends=("unzip")
-backup=("etc/webapps/piwigo/apache.conf")
+backup=('etc/webapps/piwigo/apache.conf'
+        'etc/nginx/sites-available/piwigo.conf'
+        'etc/php7/php-fpm.d/piwigo.conf')
 options=(emptydirs)
 source=('piwigo.zip::https://piwigo.org/download/dlcounter.php?code=latest'
         'apache.conf'
-        'piwigo.perm.sh')
+        'piwigo.perm.sh'
+        'nginx.conf'
+        'php-fpm7.conf'
+        'php-fpm7.service.conf')
 sha256sums=('bfecdd743c62cdb4e1936662178d019af264ea763d26c8c832da836fbe09652d'
             '64435b2f5fe29ab6201e00a755bff5dbe77bc4450559a2668a21e750ce13f8be'
-            '0e6d4af6552f4eead62825999eee115152cf5f884f2c65b759379ac5b15d36f7')
+            '0e6d4af6552f4eead62825999eee115152cf5f884f2c65b759379ac5b15d36f7'
+            'c27d837157cc6b189f62e36b43532efdf9881f5db8059ba5a430be2ad9154937'
+            'af481516383faae67bb02d604dbe07778e352aa01fc548e0cd641a902fddbfb7'
+            '4fd0561c64ab8a1b166e69b4ce9985f343bcd351d33fc055604edf94f11317f4')
 
 package() {
     install_path="${pkgdir}/usr/share/webapps/piwigo"
@@ -44,6 +58,9 @@ package() {
 
     # Install apache & nginx conf'
     install -D -m644 apache.conf "${pkgdir}/etc/webapps/piwigo/apache.conf"
+    install -D -m644 nginx.conf "${pkgdir}/etc/nginx/sites-available/piwigo.conf"
+    install -D -m644 php-fpm7.conf "${pkgdir}/etc/php7/php-fpm.d/piwigo.conf"
+    install -D -m644 php-fpm7.service.conf "${pkgdir}/usr/lib/systemd/system/php-fpm7.service.d/piwigo.conf"
 
     # database.inc.php should be writeable in ${install_path}/local/config,
     # with no way to select the path of this file.  Make that directory
diff --git a/nginx.conf b/nginx.conf
new file mode 100644
index 000000000000..6bcb194e7a69
--- /dev/null
+++ b/nginx.conf
@@ -0,0 +1,94 @@
+# Example nginx configuration file, from https://ubuntu.self-hosted.fr/installation-piwigo-nginx-mariadb/
+
+server {
+    listen 443      ssl http2;
+    listen [::]:443 ssl http2;
+    server_name     piwigo.domain.tld;  # TODO: edit-me
+    # TODO: generate certificate
+    ssl_certificate     /path/to/fullchain.pem;
+    ssl_certificate_key /path/to/privkey.pem;
+    include snippets/ssl.conf;
+    include snippets/hsts.conf;
+
+    # Path to the root of your installation
+    root                          /usr/share/webapps/piwigo/;
+
+    # Add headers to serve security related headers
+    add_header                    X-Frame-Options "SAMEORIGIN";
+    add_header                    X-Content-Type-Options nosniff;
+    add_header                    X-XSS-Protection "1; mode=block";
+    add_header                    X-Robots-Tag none;
+    add_header                    X-Download-Options noopen;
+    add_header                    X-Permitted-Cross-Domain-Policies none;
+    add_header                    Strict-Transport-Security 'max-age=31536000; includeSubDomains;';
+    add_header                    Referrer-Policy no-referrer always;
+
+    # set max upload size
+    client_max_body_size          512M;
+    fastcgi_buffers               64 4K;
+
+    # Enable gzip but do not remove ETag headers
+    gzip                          on;
+    gzip_vary                     on;
+    gzip_comp_level               4;
+    gzip_min_length               256;
+    gzip_proxied                  expired no-cache no-store private no_last_modified no_etag auth;
+    gzip_types                    application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+    location / {
+        index                     index.php;
+        try_files                 $uri $uri/ @rewrite;
+    }
+
+    location @rewrite {
+        rewrite                   ^/picture((/|$).*)$ /picture.php$1 last;
+        rewrite                   ^/index((/|$).*)$ /index.php$1 last;
+        rewrite                   ^/i((/|$).*)$ /i.php$1 last;
+    }
+
+    location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ {
+        try_files                 $script_name = 404;
+        include                   /etc/nginx/fastcgi_params;
+        fastcgi_pass              unix:/run/php-fpm7/piwigo.sock;
+        fastcgi_param             PATH_INFO $path_info;
+        fastcgi_param             SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    }
+
+    location ~ ^/favicon.ico$ {
+        log_not_found             off;
+        access_log                off;
+        expires                   max;
+    }
+
+    location = /robots.txt {
+        allow                     all;
+        log_not_found             off;
+        access_log                off;
+    }
+
+    # piwigo distribution files
+    location ~ ^/(README|doc)$ {
+        deny                      all;
+    }
+
+    # prevent direct acces to uploaded images, derivates and logs
+    location ~ ^/(_data/(i|logs)|upload)/ {
+        deny                      all;
+    }
+
+    # prevent any hotlinks and direct access to alias URIs (/i/upload/...)
+    # which are not from Piwigo itself (happens when exporting from lightroom via ws.php)
+    set                           $check_referal "";
+
+    # very restrictive
+    valid_referers                *.domain.tld;  # TODO: edit-me
+    # if you want google etc to be able to show your images:
+    #valid_referers ~google\.com ~bing\.com *.domain.tld
+
+    if ($invalid_referer) {
+        set                       $check_referal "invalid";
+    }
+    if ($http_user_agent !~ "Piwigo") {
+        set                       $check_referal "${check_referal}+not_piwigo";
+    }
+}
diff --git a/php-fpm7.conf b/php-fpm7.conf
new file mode 100644
index 000000000000..844e1d4d6a06
--- /dev/null
+++ b/php-fpm7.conf
@@ -0,0 +1,19 @@
+[piwigo]
+listen = /run/php-fpm7/piwigo.sock
+
+listen.owner = http
+listen.group = http
+
+user = http
+group = http
+
+pm = ondemand
+pm.max_children = 30
+pm.process_idle_timeout = 60s
+pm.max_requests = 500
+
+env[HOSTNAME] = $HOSTNAME
+env[PATH] = /usr/local/bin:/usr/bin:/bin
+env[TMP] = /tmp
+env[TMPDIR] = /tmp
+env[TEMP] = /tmp
diff --git a/php-fpm7.service.conf b/php-fpm7.service.conf
new file mode 100644
index 000000000000..9e7f22c02521
--- /dev/null
+++ b/php-fpm7.service.conf
@@ -0,0 +1,6 @@
+# php-fpm7 is set with ProtectSystem=full, which makes /usr
+# non-writable.  However, piwigo needs access to its installation
+# directory (for _data, upload and local/config directories mainly).
+# Let's allow it.
+[Service]
+ReadWritePaths=/usr/share/webapps/piwigo/