I made some headway on this. I think the 502 problem was that I was targeting the external directory of the bind-mount. Those errors are gone, but it’s not exactly working.
The Good
wp-main_1 | [23-Apr-2018 00:02:50] NOTICE: fpm is running, pid 1
wp-main_1 | [23-Apr-2018 00:02:50] NOTICE: ready to handle connections
The Bad
When accessing https://blog.example.com I get "Access denied." in the browser, and this in the terminal:
403 security.limit_extension errors
wp-main_1 | 172.xx.xx.xx - 23/Apr/2018:00:14:00 +0000 "GET /" 403
wp-main_1 | [23-Apr-2018 00:14:00] WARNING: [pool www] child 57 said into stderr: "NOTICE: Access to the script '/var/www/html' has been denied (see security.limit_extensions)"
caddy_1 | 23/Apr/2018:00:14:00 +0000 [ERROR 0 /] Access to the script '/var/www/html' has been denied (see security.limit_extensions)
Then if I manually enter https://blog.example.com/wp-admin/install.php, I get an html-only page. There’s the expected content, but no .css or .js niceness. This is accompanied by this output:
CSS and JS security.limit_extensions errors
wp-main_1 | 172.xx.xx.xx - 23/Apr/2018:00:16:00 +0000 "GET /" 403
caddy_1 | 23/Apr/2018:00:16:00 +0000 [ERROR 0 /wp-includes/css/dashicons.min.css] Access to the script '/var/www/html/wp-includes/css/dashicons.min.css' has been denied (see security.limit_extensions)
caddy_1 | 23/Apr/2018:00:16:00 +0000 [ERROR 0 /wp-includes/js/jquery/jquery-migrate.min.js] Access to the script '/var/www/html/wp-includes/js/jquery/jquery-migrate.min.js' has been denied (see security.limit_extensions)
wp-main_1 | 172.xx.xx.xx - 23/Apr/2018:00:16:00 +0000 "GET /" 403
wp-main_1 | [23-Apr-2018 00:16:00] WARNING: [pool www] child 57 said into stderr: "NOTICE: Access to the script '/var/www/html/wp-admin/js/language-chooser.min.js' has been denied (see security.limit_extensions)"
caddy_1 | 23/Apr/2018:00:16:00 +0000 [ERROR 0 /wp-admin/js/language-chooser.min.js] Access to the script '/var/www/html/wp-admin/js/language-chooser.min.js' has been denied (see security.limit_extensions)
The Ugly
docker-compose.yml
version: '3.2'
services:
  wp-main:
    image: registry.gitlab.com/jetatomic/wordpress
    depends_on:
      - main-db
    environment:
      WORDPRESS_DB_PASSWORD: n0ne5hallp@55
      WORDPRESS_DB_HOST: main-db
      WORDPRESS_DB_USER: wpdrone
      WORDPRESS_DB_NAME: wordpress
    volumes:
      - /var/www/main.wp:/var/www/html
    restart: always
  main-db:
    image: mariadb
    environment:
      MYSQL_ROOT_PASSWORD: n0ne5hallp@55
      MYSQL_USER: wpdrone
      MYSQL_PASSWORD: n0ne5hallp@55
      MYSQL_DATABASE: wordpress
    volumes:
      - /var/farm/mysql/main-db:/var/lib/mysql
    restart: always
  caddy:
    image: abiosoft/caddy:0.10.12
    command: ["-email", "letsencrypt@example.com",
              "-conf", "/etc/Caddyfile",
              "-agree"]
    ports:
      - 80:80
      - 80:80/udp
      - 443:443
      - 443:443/udp
    volumes:
      - /var/farm/caddy/Caddyfile:/etc/Caddyfile
      - /var/farm/caddy:/root/.caddy
      - /var/discourse/shared/standalone:/sock
    restart: always
Caddyfile
blog.example.com {
    root /var/www/html
    gzip
    push
    errors stdout
    fastcgi / wp-main:9000
}
Dockerfile
FROM wordpress:4.9.5-php7.2-fpm-alpine
RUN apk add --no-cache \
        libpng-dev \
        wget \
        unzip \
        nano \
        sudo \
    && docker-php-ext-configure gd --with-png-dir=/usr \
    && docker-php-ext-install gd zip
# Then more custom config junk
Since the security.limit_extensions is a PHP-FPM thing, I suspect there’s a package or config missing in the Dockerfile. Rewrite? Preliminary googling shows methods for tweaking that extension, but everything so far looks sketchy security-wise.
So I’ll keep researching, and update if I get a solution. Until then, I’m open to suggestions.
Edit: Related thread, but no clear solution.
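
An added example, not part of the original post: a small triage script that pulls the denied paths out of log lines like the ones above and checks each against the extension allow-list, to tell a routing problem from a pool-config problem. It assumes the pool runs with PHP-FPM's default security.limit_extensions of .php; SAMPLE_LOG is constructed from the lines quoted in the post, and the function names are hypothetical.

```python
import posixpath
import re

# Assumption: the pool uses PHP-FPM's default, security.limit_extensions = .php
ALLOWED_EXTENSIONS = (".php",)

DENIED_RE = re.compile(
    r"Access to the script '(?P<path>[^']+)' has been denied "
    r"\(see security\.limit_extensions\)"
)

# Constructed sample, modelled on the log lines quoted in the post.
SAMPLE_LOG = """\
wp-main_1 | [23-Apr-2018 00:14:00] WARNING: [pool www] child 57 said into stderr: "NOTICE: Access to the script '/var/www/html' has been denied (see security.limit_extensions)"
caddy_1 | 23/Apr/2018:00:14:00 +0000 [ERROR 0 /] Access to the script '/var/www/html' has been denied (see security.limit_extensions)
caddy_1 | 23/Apr/2018:00:16:00 +0000 [ERROR 0 /wp-includes/css/dashicons.min.css] Access to the script '/var/www/html/wp-includes/css/dashicons.min.css' has been denied (see security.limit_extensions)
caddy_1 | 23/Apr/2018:00:16:00 +0000 [ERROR 0 /wp-admin/js/language-chooser.min.js] Access to the script '/var/www/html/wp-admin/js/language-chooser.min.js' has been denied (see security.limit_extensions)
wp-main_1 | [23-Apr-2018 00:16:00] NOTICE: ready to handle connections
"""

def classify(path, allowed=ALLOWED_EXTENSIONS):
    """Say why FPM would refuse (or accept) this SCRIPT_FILENAME."""
    ext = posixpath.splitext(path)[1].lower()
    if ext in allowed:
        return "php-script"    # a denial here would point at the pool config
    if ext == "":
        return "no-extension"  # directory or bare path: no index file resolved
    return "static-asset"      # .css/.js etc. should never reach the interpreter

def triage(log_text, allowed=ALLOWED_EXTENSIONS):
    """Return {denied path: classification}, de-duplicated across containers."""
    findings = {}
    for line in log_text.splitlines():
        match = DENIED_RE.search(line)
        if match:
            findings[match.group("path")] = classify(match.group("path"), allowed)
    return findings

def verdict(findings):
    """'routing' if FPM refused only non-PHP paths, 'pool-config' otherwise."""
    if not findings:
        return "no-denials"
    return "pool-config" if "php-script" in findings.values() else "routing"

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for denied_path, kind in results.items():
        print(f"{kind:13} {denied_path}")
    print("verdict:", verdict(results))
```

A "routing" verdict means FPM refused only non-PHP paths, so the extension check is doing its job and the place to look is what the front end forwards to port 9000, not the allow-list.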