nginx + php-fpm + wordpress

nginx in enclave: - do not fork workers due to gramineproject/gramine#468 (also generally dont) - use select instead of epoll due to gramineproject/gramine#489 - link pcre static due to undetermined dynloader bug php in enclave: - patch away sockopt SO_LISTENQLEN and TCP_INFO due to gramineproject/gramine#503 - do not fork workers - manually force linking libm static, because the ld loader implements glibc versions incorrectly - remove apparmor from AC wordpress in enclave: - installer loads fine but needs mysql server to proceed
enclaive · Apr 8, 2022 · 689fc2c · 689fc2c
1 parent e5cbc43
commit 689fc2c
Show file tree

Hide file tree

Showing 2,780 changed files with 1,272,504 additions and 82 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,2 @@
+.git
+Dockerfile
diff --git a/Dockerfile b/Dockerfile
@@ -1,54 +1,103 @@
-FROM enclaive/gramine-os:latest
+FROM enclaive/debug-gramine:latest
 
 ARG NGX_VERSION=1.18.0
 
-RUN apt-get update 
-RUN apt-get install -y build-essential apache2-utils libssl-dev zlib1g zlib1g-dev
+RUN apt-get update &&\
+    apt-get install -y build-essential libssl-dev zlib1g zlib1g-dev wget \
+    re2c libmariadb-dev libxml2-dev bison libsqlite3-dev libcurl4-openssl-dev libargon2-dev \
+    libpng-dev libreadline-dev libz-dev  zlib1g-dev libzip-dev libbz2-dev libc-client2007e-dev \
+    libkrb5-dev
 
-# download source
-WORKDIR /entrypoint
+WORKDIR /src
 
-ADD https://nginx.org/download/nginx-${NGX_VERSION}.tar.gz ./
-RUN tar -xzf nginx-${NGX_VERSION}.tar.gz 
-RUN rm nginx-${NGX_VERSION}.tar.gz
+#build pcre
+RUN wget https://sourceforge.net/projects/pcre/files/pcre/8.45/pcre-8.45.zip &&\
+    unzip pcre-8.45.zip &&\
+    cd pcre-8.45  &&\
+    ./configure --disable-shared --enable-static --prefix /usr &&\
+    make -j &&\
+    make install
 
-# add nginx.conf
-COPY ./conf /entrypoint/conf
-
-# add /html
-WORKDIR /entrypoint/html
-
-COPY ./html .
 
 # build nginx
-WORKDIR /entrypoint/nginx-${NGX_VERSION}
-
-RUN ./configure \
-    --prefix=/entrypoint \
-    --without-http_rewrite_module \
-    --with-http_ssl_module 
-RUN make 
-RUN make install     
-
-# generate server.cert
-WORKDIR /entrypoint/conf
-
-COPY ./ssl .
-RUN chmod +x cert-gen.sh 
-RUN ./cert-gen.sh               # creates self-signed server certificate if /ssl is empty
-
-# create manifest
-WORKDIR /manifest
-
-COPY nginx.manifest.template .
-RUN /manifest/manifest.sh nginx
-
-# clean up
-RUN rm -rf /entrypoint/nginx-${NGX_VERSION} /entrypoint/conf/ca.* /entrypoint/conf/cert-gen.sh 
-
-# start enclaived nginx
-ENTRYPOINT [ "/entrypoint/enclaive.sh" ]
-CMD [ "nginx" ]
+RUN wget https://nginx.org/download/nginx-${NGX_VERSION}.tar.gz &&\
+    tar xvf nginx-${NGX_VERSION}.tar.gz &&\
+    rm nginx-${NGX_VERSION}.tar.gz &&\
+    cd nginx-* ;\
+        ./configure \
+        --prefix=/app \
+        --with-pcre=/src/pcre-8.45 \
+        --with-http_ssl_module \
+        --with-select_module &&\
+    make -j &&\
+    make install &&\
+    rm -rf nginx-*
+
+
+# build php
+RUN wget https://www.php.net/distributions/php-8.1.4.tar.gz &&\
+    tar xvf php-8.1.4.tar.gz
+
+# patch out sockopts
+ADD php_sapi_fpm_config.m4 /src/php-8.1.4/sapi/fpm/config.m4
+
+RUN cp /usr/lib/libc-client.* /usr/lib/x86_64-linux-gnu/ &&\
+    cd php-8.1.4 &&\
+    ./buildconf --force &&\
+    ./configure \
+        --enable-dba \
+        --enable-fpm \
+        --enable-gd \
+        --enable-mysqlnd \
+        --with-password-argon2 \
+        --with-bz2 \
+        --with-curl \
+        --with-imap \
+        --with-imap-ssl \
+        --with-kerberos \
+        --with-mysqli=mysqlnd \
+        --with-openssl \
+        --with-pdo-mysql=mysqlnd \
+        --with-pdo-sqlite \
+        --with-readline \
+        --with-zip \
+        --with-zlib &&\
+    make -j &&\
+    ldd ./sapi/fpm/php-fpm &&\
+    make install
+
+ADD . /app
+WORKDIR /app
+
+# creates self-signed server certificate if /ssl is empty
+RUN cd /app/conf && ./cert-gen.sh
+
+# create nginx manifest
+RUN cd /app &&\
+    gramine-sgx-gen-private-key &&\
+    gramine-manifest \
+        -Dlog_level=error \
+        -Darch_libdir=/lib/x86_64-linux-gnu \
+        nginx.manifest.template nginx.manifest &&\
+    gramine-sgx-sign \
+        --manifest nginx.manifest \
+        --output nginx.manifest.sgx
+
+COPY fpm.conf /usr/local/etc/php-fpm.conf
+
+# create php manifest
+RUN cd /app &&\
+    gramine-manifest \
+        -Dlog_level=error \
+        -Darch_libdir=/lib/x86_64-linux-gnu \
+        php.manifest.template php.manifest &&\
+    gramine-sgx-sign \
+        --manifest php.manifest \
+        --output php.manifest.sgx
+
+
+
+ENTRYPOINT ["/app/entrypoint.sh"]
 
 # ports
 EXPOSE 80 443
diff --git a/Makefile b/Makefile
@@ -0,0 +1,4 @@
+docker: .PHONY
+	docker build . -t enclaive/nginx
+
+.PHONY:
diff --git a/ssl/ca.conf → conf/ca.conf b/ssl/ca.conf → conf/ca.conf
diff --git a/ssl/cert-gen.sh → conf/cert-gen.sh b/ssl/cert-gen.sh → conf/cert-gen.sh
diff --git a/conf/nginx.conf b/conf/nginx.conf
@@ -1,7 +1,6 @@
 # This configuration file is based on nginx.conf.default from Nginx v1.16.1.
 #
 # The following changes are made:
-# - Number of worker processes in increased from 1 to 4
 # - Number of worker connections is decrease from 1024 to 768 (because Linux by default
 #   limits FDs to 1024, and Gramine uses ~100 FDs for its own purposes, so we are left with
 #   about 900 FDs available for Nginx application itself)
@@ -14,7 +13,7 @@
 # Uncomment "user nobody;" below to switch to this user. If you run under root, use
 # "user root;" instead. Typically there is no need to specify a non-default user.
 #user  nobody;
-worker_processes 4;
+worker_processes 1;
 
 #error_log  logs/error.log;
 #error_log  logs/error.log  notice;
@@ -24,6 +23,7 @@ worker_processes 4;
 
 events {
     worker_connections  768;
+    use select;
 }
 
 http {
@@ -46,19 +46,64 @@ http {
         ssl_ciphers                HIGH:!aNULL:!MD5;
         ssl_prefer_server_ciphers  on;
 
+        root /app/html/wordpress;
+        index index.html index.htm index.php;
+
         location / {
-            root   html;
-            index  index.html index.htm;
+            try_files $uri $uri/ =404;
         }
 
-        # redirect server error pages to the static page /50x.html
-        error_page   500 502 503 504  /50x.html;
-        location = /50x.html {
-            root   html;
+        location ~ \.php$ {
+
+
+            # regex to split $uri to $fastcgi_script_name and $fastcgi_path
+            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+
+            # Check that the PHP script exists before passing it
+            try_files $fastcgi_script_name =404;
+
+            # Bypass the fact that try_files resets $fastcgi_path_info
+            # see: http://trac.nginx.org/nginx/ticket/321
+            set $path_info $fastcgi_path_info;
+            fastcgi_param PATH_INFO $path_info;
+
+            fastcgi_index index.php;
+
+            fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
+            fastcgi_param  QUERY_STRING       $query_string;
+            fastcgi_param  REQUEST_METHOD     $request_method;
+            fastcgi_param  CONTENT_TYPE       $content_type;
+            fastcgi_param  CONTENT_LENGTH     $content_length;
+
+            fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
+            fastcgi_param  REQUEST_URI        $request_uri;
+            fastcgi_param  DOCUMENT_URI       $document_uri;
+            fastcgi_param  DOCUMENT_ROOT      $document_root;
+            fastcgi_param  SERVER_PROTOCOL    $server_protocol;
+            fastcgi_param  REQUEST_SCHEME     $scheme;
+            fastcgi_param  HTTPS              $https if_not_empty;
+
+            fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
+            fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
+
+            fastcgi_param  REMOTE_ADDR        $remote_addr;
+            fastcgi_param  REMOTE_PORT        $remote_port;
+            fastcgi_param  REMOTE_USER        $remote_user;
+            fastcgi_param  SERVER_ADDR        $server_addr;
+            fastcgi_param  SERVER_PORT        $server_port;
+            fastcgi_param  SERVER_NAME        $server_name;
+
+            # PHP only, required if PHP was built with --enable-force-cgi-redirect
+            fastcgi_param  REDIRECT_STATUS    200;
+
+
+
+            fastcgi_pass 127.0.0.1:9000;
+
         }
 
         access_log off;
     }
 }
 
-daemon off;
+daemon off;
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+set -e
+
+
+
+cd /app
+
+gramine-sgx-get-token --output php.token --sig php.sig
+gramine-sgx php --force-stderr --nodaemonize &
+
+gramine-sgx-get-token --output nginx.token --sig nginx.sig
+gramine-sgx nginx
diff --git a/fpm.conf b/fpm.conf
@@ -0,0 +1,15 @@
+[global]
+pid = /app/logs/php-fpm.pid
+error_log = /app/logs/php-fpm.log
+
+[www]
+user = www-data
+group = www-data
+listen = 127.0.0.1:9000
+listen.owner = www-data
+listen.group = www-data
+pm = dynamic
+pm.max_children = 1
+pm.start_servers = 1
+pm.min_spare_servers = 1
+pm.max_spare_servers = 1
diff --git a/html/index.php b/html/index.php
@@ -0,0 +1 @@
+<?php phpinfo(); ?>
diff --git a/html/wordpress/index.php b/html/wordpress/index.php
@@ -0,0 +1,17 @@
+<?php
+/**
+ * Front to the WordPress application. This file doesn't do anything, but loads
+ * wp-blog-header.php which does and tells WordPress to load the theme.
+ *
+ * @package WordPress
+ */
+
+/**
+ * Tells WordPress to load the WordPress theme and output it.
+ *
+ * @var bool
+ */
+define( 'WP_USE_THEMES', true );
+
+/** Loads the WordPress Environment and Template */
+require __DIR__ . '/wp-blog-header.php';