author | Henry-Joseph Audéoud | 2021-09-16 15:27:10 +0200 |
---|---|---|
committer | Henry-Joseph Audéoud | 2021-10-18 11:15:51 +0200 |
commit | a45280364e018365ecef3770d0e13281dd69deb6 (patch) | |
tree | fe355bc6af140d5ed7c6382297f73607848bd0fd | |
parent | f0c2c46002a7ce1b314d17434c800bb9bf7f6e51 (diff) | |
download | aur-a45280364e018365ecef3770d0e13281dd69deb6.tar.gz |
Add support for nginx web server
nginx is only the web server frontend. PHP-FPM is used to run the
FastCGI end.
Piwigo only runs on PHP7, so use this version in dependencies.
-rw-r--r-- | .SRCINFO | 18 | ||||
-rw-r--r-- | PKGBUILD | 29 | ||||
-rw-r--r-- | nginx.conf | 94 | ||||
-rw-r--r-- | php-fpm7.conf | 19 | ||||
-rw-r--r-- | php-fpm7.service.conf | 6 |
5 files changed, 156 insertions, 10 deletions
@@ -1,27 +1,37 @@ pkgbase = piwigo pkgdesc = Photo gallery software for the web pkgver = 11.5.0 - pkgrel = 4 + pkgrel = 5 url = https://piwigo.org/ arch = any license = GPL makedepends = unzip - depends = php + depends = php7 depends = mariadb - depends = php-apache - optdepends = php-gd: graphic library (one graphic library is required) + optdepends = php7-gd: graphic library (one graphic library is required) optdepends = imagemagick: graphic library (one graphic library is required) + optdepends = php7-apache: Apache Web Server (one web server is required) + optdepends = nginx: nginx Web Server (one web server is required) + optdepends = php7-fpm: FastCGI, required with nginx Web Server optdepends = exiftool: Write Metadata plugin or any other plugin dealing with EXIF/IPTC metadata optdepends = ffmpeg: VideoJS plugin to create video poster optdepends = jpegtran: RotateImage plugin to rotate images with no compression optdepends = pdftoppm: generate poster from PDF files (instead of ImageMagick) options = emptydirs backup = etc/webapps/piwigo/apache.conf + backup = etc/nginx/sites-available/piwigo.conf + backup = etc/php7/php-fpm.d/piwigo.conf source = piwigo.zip::https://piwigo.org/download/dlcounter.php?code=latest source = apache.conf source = piwigo.perm.sh + source = nginx.conf + source = php-fpm7.conf + source = php-fpm7.service.conf sha256sums = bfecdd743c62cdb4e1936662178d019af264ea763d26c8c832da836fbe09652d sha256sums = 64435b2f5fe29ab6201e00a755bff5dbe77bc4450559a2668a21e750ce13f8be sha256sums = 0e6d4af6552f4eead62825999eee115152cf5f884f2c65b759379ac5b15d36f7 + sha256sums = c27d837157cc6b189f62e36b43532efdf9881f5db8059ba5a430be2ad9154937 + sha256sums = af481516383faae67bb02d604dbe07778e352aa01fc548e0cd641a902fddbfb7 + sha256sums = 4fd0561c64ab8a1b166e69b4ce9985f343bcd351d33fc055604edf94f11317f4 pkgname = piwigo 
@@ -1,26 +1,40 @@ +# Maintainer: Fanch +# Contributor: Henry-Joseph Audéoud <h.audeoud@gmail.com> + pkgname=piwigo pkgver=11.5.0 -pkgrel=4 +pkgrel=5 pkgdesc='Photo gallery software for the web' arch=(any) url="https://piwigo.org/" license=("GPL") -depends=('php' 'mariadb' 'php-apache') -optdepends=('php-gd: graphic library (one graphic library is required)' +depends=('php7' 'mariadb') +optdepends=('php7-gd: graphic library (one graphic library is required)' 'imagemagick: graphic library (one graphic library is required)' + 'php7-apache: Apache Web Server (one web server is required)' + 'nginx: nginx Web Server (one web server is required)' + 'php7-fpm: FastCGI, required with nginx Web Server' 'exiftool: Write Metadata plugin or any other plugin dealing with EXIF/IPTC metadata' 'ffmpeg: VideoJS plugin to create video poster' 'jpegtran: RotateImage plugin to rotate images with no compression' 'pdftoppm: generate poster from PDF files (instead of ImageMagick)') makedepends=("unzip") -backup=("etc/webapps/piwigo/apache.conf") +backup=('etc/webapps/piwigo/apache.conf' + 'etc/nginx/sites-available/piwigo.conf' + 'etc/php7/php-fpm.d/piwigo.conf') options=(emptydirs) source=('piwigo.zip::https://piwigo.org/download/dlcounter.php?code=latest' 'apache.conf' - 'piwigo.perm.sh') + 'piwigo.perm.sh' + 'nginx.conf' + 'php-fpm7.conf' + 'php-fpm7.service.conf') sha256sums=('bfecdd743c62cdb4e1936662178d019af264ea763d26c8c832da836fbe09652d' '64435b2f5fe29ab6201e00a755bff5dbe77bc4450559a2668a21e750ce13f8be' - '0e6d4af6552f4eead62825999eee115152cf5f884f2c65b759379ac5b15d36f7') + '0e6d4af6552f4eead62825999eee115152cf5f884f2c65b759379ac5b15d36f7' + 'c27d837157cc6b189f62e36b43532efdf9881f5db8059ba5a430be2ad9154937' + 'af481516383faae67bb02d604dbe07778e352aa01fc548e0cd641a902fddbfb7' + '4fd0561c64ab8a1b166e69b4ce9985f343bcd351d33fc055604edf94f11317f4') package() { install_path="${pkgdir}/usr/share/webapps/piwigo" 
@@ -44,6 +58,9 @@ package() { # Install apache & nginx conf' install -D -m644 apache.conf "${pkgdir}/etc/webapps/piwigo/apache.conf" + install -D -m644 nginx.conf "${pkgdir}/etc/nginx/sites-available/piwigo.conf" + install -D -m644 php-fpm7.conf "${pkgdir}/etc/php7/php-fpm.d/piwigo.conf" + install -D -m644 php-fpm7.service.conf "${pkgdir}/usr/lib/systemd/system/php-fpm7.service.d/piwigo.conf" # database.inc.php should be writeable in ${install_path}/local/config, # with no way to select the path of this file. Make that directory diff --git a/nginx.conf b/nginx.conf new file mode 100644 index 000000000000..6bcb194e7a69 --- /dev/null +++ b/nginx.conf 
@@ -0,0 +1,94 @@
+# Example nginx configuration file, from https://ubuntu.self-hosted.fr/installation-piwigo-nginx-mariadb/
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name piwigo.domain.tld; # TODO: edit-me
+ # TODO: generate certificate
+ ssl_certificate /path/to/fullchain.pem;
+ ssl_certificate_key /path/to/privkey.pem;
+ include snippets/ssl.conf;
+ include snippets/hsts.conf;
+
+ # Path to the root of your installation
+ root /usr/share/webapps/piwigo/;
+
+ # Add headers to serve security related headers
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ add_header X-Download-Options noopen;
+ add_header X-Permitted-Cross-Domain-Policies none;
+ add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains;';
+ add_header Referrer-Policy no-referrer always;
+
+ # set max upload size
+ client_max_body_size 512M;
+ fastcgi_buffers 64 4K;
+
+ # Enable gzip but do not remove ETag headers
+ gzip on;
+ gzip_vary on;
+ gzip_comp_level 4;
+ gzip_min_length 256;
+ gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+ gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+ location / {
+ index index.php;
+ try_files $uri $uri/ @rewrite;
+ }
+
+ location @rewrite {
+ rewrite ^/picture((/|$).*)$ /picture.php$1 last;
+ rewrite ^/index((/|$).*)$ /index.php$1 last;
+ rewrite ^/i((/|$).*)$ /i.php$1 last;
+ }
+
+ location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ {
+ try_files $script_name = 404;
+ include /etc/nginx/fastcgi_params;
+ fastcgi_pass unix:/run/php-fpm7/piwigo.sock;
+ fastcgi_param PATH_INFO $path_info;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ }
+
+ location ~ ^/favicon.ico$ {
+ log_not_found off;
+ access_log off;
+ expires max;
+ }
+
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+
+ # piwigo distribution files
+ location ~ ^/(README|doc)$ {
+ deny all;
+ }
+
+ # prevent direct acces to uploaded images, derivates and logs
+ location ~ ^/(_data/(i|logs)|upload)/ {
+ deny all;
+ }
+
+ # prevent any hotlinks and direct access to alias URIs (/i/upload/...)
+ # which are not from Piwigo itself (happens when exporting from lightroom via ws.php)
+ set $check_referal "";
+
+ # very restrictive
+ valid_referers *.domain.tld; # TODO: edit-me
+ # if you want google etc to be able to show your images:
+ #valid_referers ~google\.com ~bing\.com *.domain.tld
+
+ if ($invalid_referer) {
+ set $check_referal "invalid";
+ }
+ if ($http_user_agent !~ "Piwigo") {
+ set $check_referal "${check_referal}+not_piwigo";
+ }
+}
diff --git a/php-fpm7.conf b/php-fpm7.conf
new file mode 100644
index 000000000000..844e1d4d6a06
--- /dev/null
+++ b/php-fpm7.conf
@@ -0,0 +1,19 @@
+[piwigo]
+listen = /run/php-fpm7/piwigo.sock
+
+listen.owner = http
+listen.group = http
+
+user = http
+group = http
+
+pm = ondemand
+pm.max_children = 30
+pm.process_idle_timeout = 60s
+pm.max_requests = 500
+
+env[HOSTNAME] = $HOSTNAME
+env[PATH] = /usr/local/bin:/usr/bin:/bin
+env[TMP] = /tmp
+env[TMPDIR] = /tmp
+env[TEMP] = /tmp
diff --git a/php-fpm7.service.conf b/php-fpm7.service.conf
new file mode 100644
index 000000000000..9e7f22c02521
--- /dev/null
+++ b/php-fpm7.service.conf
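Review bot: The `deny all` location for `/_data/(i|logs)/` and `/upload/` is declared after the `\.php` regex location, and nginx takes the first matching regex location in file order, so a request for a `.php` path under those application-writable directories is passed to PHP-FPM instead of being denied. Move that block (and the `README|doc` one) above the PHP location, or turn them into prefix matches such as `location ^~ /upload/ { deny all; }`. Inside the PHP location the existence check uses `$script_name`, but `SCRIPT_FILENAME` is built from `$fastcgi_script_name`, and no `fastcgi_split_path_info` appears in the hunk to strip the path-info part; `fastcgi_param SCRIPT_FILENAME $document_root$script_name;` keeps the checked and the executed path identical. As rendered here, `try_files $script_name = 404;` has a space after `=`, which nginx would read as a fallback URI and not a status code, so it should be `=404`. The `$check_referal` variable is set but never tested in this server block, so the hotlink comment describes a check that currently has no effect.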
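Review bot: The `[piwigo]` pool sets no PHP-level confinement, so scripts can open whatever the `http` account can reach; consider adding `php_admin_value[open_basedir] = /usr/share/webapps/piwigo/:/tmp/` after the `env[...]` lines, with the path list checked against what Piwigo actually opens. Writing `listen.mode = 0660` next to `listen.owner`/`listen.group` would also document who may connect to the socket, where the file currently relies on the default.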
@@ -0,0 +1,6 @@
+# php-fpm7 is set with ProtectSystem=full, which makes /usr
+# non-writable. However, piwigo needs access to its installation
+# directory (for _data, upload and local/config directories mainly).
+# Let's allow it.
+[Service]
+ReadWritePaths=/usr/share/webapps/piwigo/ |
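Review bot: `ReadWritePaths=/usr/share/webapps/piwigo/` opens the whole installation tree, PHP sources included, for writing, while the comment above it names only `_data`, `upload` and `local/config` as needing it. Listing just those, e.g. `ReadWritePaths=/usr/share/webapps/piwigo/_data /usr/share/webapps/piwigo/upload /usr/share/webapps/piwigo/local/config`, keeps the application code read-only under `ProtectSystem=full`; if in-app plugin or theme installation is wanted, those directories would presumably have to be added too. The drop-in attaches to `php-fpm7.service` itself, so the exception applies to every pool the service runs, not only `[piwigo]`, and the PKGBUILD installs it even when `php7-fpm` is only an optional dependency. A comment stating this would help administrators who host other applications on the same service.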