Manage SSL with Nginx

.gitignore

@@ -47,3 +47,5 @@
 /yarn-error.log
 /yarn.lock
 ###< symfony/webpack-encore-bundle ###
+
+/certs/

Dockerfile

@@ -127,6 +127,10 @@ WORKDIR /srv/sylius
 COPY --from=base        /srv/sylius/public public/
 COPY --from=sylius_node /srv/sylius/public public/
 
+FROM sylius_nginx as sylius_nginx_inte
+
+COPY docker/nginx/conf.d/default-inte.conf /etc/nginx/conf.d/default.conf
+
 FROM sylius_php_prod AS sylius_php_dev
 
 COPY docker/php/dev/php.ini        $PHP_INI_DIR/php.ini

docker-compose.inte.yml

@@ -0,0 +1,9 @@
+services:
+  nginx:
+    build:
+      context: .
+      target: sylius_nginx_inte
+    volumes:
+      - ./certs:/root/ssl/
+    ports:
+      - "${HTTPS_PORT:-443}:443"

docker/nginx/conf.d/default-inte.conf

@@ -0,0 +1,61 @@
+server {
+    root /srv/sylius/public;
+    listen *:80;
+
+    location / {
+        # try to serve file directly, fallback to index.php
+        try_files $uri /index.php$is_args$args;
+    }
+
+    location ~ ^/index\.php(/|$) {
+        resolver 127.0.0.11 valid=10s ipv6=off;
+        set $backendfpm "php:9000";
+        # Comment the next line and uncomment the next to enable dynamic resolution (incompatible with Kubernetes);
+        fastcgi_pass $backendfpm;
+        #resolver 127.0.0.11;
+        #set $upstream_host php;
+        #fastcgi_pass $upstream_host:9000;
+
+        fastcgi_split_path_info ^(.+\.php)(/.*)$;
+        include fastcgi_params;
+        # When you are using symlinks to link the document root to the
+        # current version of your application, you should pass the real
+        # application path instead of the path to the symlink to PHP
+        # FPM.
+        # Otherwise, PHP's OPcache may not properly detect changes to
+        # your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126
+        # for more information).
+        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+        fastcgi_param DOCUMENT_ROOT $realpath_root;
+        # Prevents URIs that include the front controller. This will 404:
+        # http://domain.tld/index.php/some-path
+        # Remove the internal directive to allow URIs like this
+        internal;
+    }
+
+    # return 404 for all other php files not matching the front controller
+    # this prevents access to other php files you don't want to be accessible.
+    location ~ \.php$ {
+      return 404;
+    }
+
+    client_max_body_size 6m;
+}
+
+server {
+    listen                  443 ssl;
+    listen                  [::]:443 ssl;
+    server_name             localhost;
+    ssl_certificate         /root/ssl/cert.pem;
+    ssl_certificate_key     /root/ssl/key.pem;
+
+    location / {
+        proxy_pass "http://localhost/";
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+    }
+
+    error_page   500 502 503 504  /50x.html;
+}