_all_ the timeouts

dannylamb · Nigel Banks · commit a9928b367698 · 2022-03-03T18:05:22.000Z
diff --git a/crayfish/rootfs/etc/confd/conf.d/default.conf.toml b/crayfish/rootfs/etc/confd/conf.d/default.conf.toml
@@ -0,0 +1,7 @@
+[template]
+src = "default.conf.tmpl"
+dest = "/etc/nginx/http.d/default.conf"
+uid = 100
+gid = 101
+mode = "0644"
+keys = [ "/" ]
diff --git a/crayfish/rootfs/etc/confd/templates/default.conf.tmpl b/crayfish/rootfs/etc/confd/templates/default.conf.tmpl
@@ -15,6 +15,18 @@ server {
 
         fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
         fastcgi_param DOCUMENT_ROOT $realpath_root;
+
+        fastcgi_read_timeout {{ getenv "NGINX_FASTCGI_READ_TIMEOUT" }};
+        fastcgi_send_timeout {{ getenv "NGINX_FASTCGI_SEND_TIMEOUT" }};
+        fastcgi_connect_timeout {{ getenv "NGINX_FASTCGI_CONNECT_TIMEOUT" }};
+        proxy_read_timeout {{ getenv "NGINX_PROXY_READ_TIMEOUT" }};
+        proxy_send_timeout {{ getenv "NGINX_PROXY_SEND_TIMEOUT" }};
+        proxy_connect_timeout {{ getenv "NGINX_PROXY_CONNECT_TIMEOUT" }};
+        send_timeout {{ getenv "NGINX_SEND_TIMEOUT" }};
+        keepalive_timeout {{ getenv "NGINX_KEEPALIVE_TIMEOUT" }};
+        client_body_timeout {{ getenv "NGINX_CLIENT_BODY_TIMEOUT" }};
+        lingering_timeout {{ getenv "NGINX_LINGERING_TIMEOUT" }};
+
         # Prevents URIs that include the front controller. This will 404:
         # http://domain.tld/index.php/some-path
         # Remove the internal directive to allow URIs like this
diff --git a/demo/Dockerfile b/demo/Dockerfile
@@ -58,6 +58,6 @@ RUN --mount=type=cache,id=demo-composer,sharing=locked,target=/root/.composer/ca
     mkdir -p /var/www/drupal/web/sites/default/files/library-definitions && \
     cp /var/www/drupal/web/modules/contrib/openseadragon/openseadragon.json /var/www/drupal/web/sites/default/files/library-definitions
 
-FROM ${repository}/drupal:${tag}
+FROM ${repository}/drupal:${tag} AS drupal
 
 COPY --from=composer --chown=nginx:nginx /var/www /var/www
diff --git a/drupal/rootfs/etc/confd/conf.d/drupal.fpm.conf.toml b/drupal/rootfs/etc/confd/conf.d/drupal.fpm.conf.toml
@@ -0,0 +1,7 @@
+[template]
+src = "drupal.fpm.conf.tmpl"
+dest = "/etc/nginx/shared/drupal.fpm.conf"
+uid = 100
+gid = 101
+mode = "0644"
+keys = [ "/" ]
diff --git a/drupal/rootfs/etc/confd/templates/drupal.fpm.conf.tmpl b/drupal/rootfs/etc/confd/templates/drupal.fpm.conf.tmpl
@@ -0,0 +1,44 @@
+# In Drupal 8, we must also match new paths where the '.php' appears in
+# the middle, such as update.php/selection. The rule we use is strict,
+# and only allows this pattern with the update.php front controller.
+# This allows legacy path aliases in the form of
+# blog/index.php/legacy-path to continue to route to Drupal nodes. If
+# you do not have any paths like that, then you might prefer to use a
+# laxer rule, such as:
+#   location ~ \.php(/|$) {
+# The laxer rule will continue to work if Drupal uses this new URL
+# pattern with front controllers other than update.php in a future
+# release.
+location ~ '\.php$|^/update.php' {
+    fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+    # Ensure the php file exists. Mitigates CVE-2019-11043
+    try_files $fastcgi_script_name =404;
+    # Security note: If you're running a version of PHP older than the
+    # latest 5.3, you should have "cgi.fix_pathinfo = 0;" in php.ini.
+    # See http://serverfault.com/q/627903/94922 for details.
+    include fastcgi_params;
+    # Block httpoxy attacks. See https://httpoxy.org/.
+    fastcgi_param HTTP_PROXY "";
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    fastcgi_param PATH_INFO $fastcgi_path_info;
+    fastcgi_param QUERY_STRING $query_string;
+    fastcgi_param HTTPS on;
+    fastcgi_param HTTP_SCHEME https;
+    fastcgi_intercept_errors on;
+    fastcgi_buffers 16 16k;
+    fastcgi_buffer_size 32k;
+    # PHP 7 socket location.
+    fastcgi_pass unix:/var/run/php-fpm7/php-fpm7.sock;
+
+    # _ALL_ the timeouts
+    fastcgi_read_timeout {{ getenv "NGINX_FASTCGI_READ_TIMEOUT" }};
+    fastcgi_send_timeout {{ getenv "NGINX_FASTCGI_SEND_TIMEOUT" }};
+    fastcgi_connect_timeout {{ getenv "NGINX_FASTCGI_CONNECT_TIMEOUT" }};
+    proxy_read_timeout {{ getenv "NGINX_PROXY_READ_TIMEOUT" }};
+    proxy_send_timeout {{ getenv "NGINX_PROXY_SEND_TIMEOUT" }};
+    proxy_connect_timeout {{ getenv "NGINX_PROXY_CONNECT_TIMEOUT" }};
+    send_timeout {{ getenv "NGINX_SEND_TIMEOUT" }};
+    keepalive_timeout {{ getenv "NGINX_KEEPALIVE_TIMEOUT" }};
+    client_body_timeout {{ getenv "NGINX_CLIENT_BODY_TIMEOUT" }};
+    lingering_timeout {{ getenv "NGINX_LINGERING_TIMEOUT" }};
+}
diff --git a/drupal/rootfs/etc/nginx/shared/drupal.fpm.conf b/drupal/rootfs/etc/nginx/shared/drupal.fpm.conf
@@ -29,4 +29,14 @@ location ~ '\.php$|^/update.php' {
     fastcgi_buffer_size 32k;
     # PHP 7 socket location.
     fastcgi_pass unix:/var/run/php-fpm7/php-fpm7.sock;
+    fastcgi_read_timeout 3600;
+    fastcgi_send_timeout 3600;
+    fastcgi_connect_timeout 3600;
+    proxy_read_timeout 3600;
+    proxy_send_timeout 3600;
+    proxy_connect_timeout 3600;
+    send_timeout 3600;
+    keepalive_timeout 3600;
+    client_body_timeout 3600;
+    lingering_timeout 3600;
 }
diff --git a/homarus/Dockerfile b/homarus/Dockerfile
@@ -19,7 +19,7 @@ RUN --mount=type=cache,id=homarus-apk,sharing=locked,from=cache,target=/var/cach
 
 ENV HOMARUS_LOG_LEVEL=debug
 
-COPY --from=crayfish /etc/nginx/http.d/default.conf /etc/nginx/http.d/default.conf
+COPY --from=crayfish /etc/confd /etc/confd
 COPY --from=crayfish --chown=nginx:nginx /var/www /var/www
 
 COPY rootfs /
diff --git a/houdini/Dockerfile b/houdini/Dockerfile
@@ -21,7 +21,7 @@ RUN --mount=type=bind,from=imagemagick,source=/packages,target=/packages \
 
 ENV HOUDINI_LOG_LEVEL=debug
 
-COPY --from=crayfish /etc/nginx/http.d/default.conf /etc/nginx/http.d/default.conf
+COPY --from=crayfish /etc/confd /etc/confd
 COPY --from=crayfish --chown=nginx:nginx /var/www /var/www
 
 COPY rootfs /
diff --git a/hypercube/Dockerfile b/hypercube/Dockerfile
@@ -32,7 +32,7 @@ ENV \
     HYPERCUBE_FCREPO_URL=fcrepo/fcrepo/rest \
     HYPERCUBE_LOG_LEVEL=debug
 
-COPY --from=crayfish /etc/nginx/http.d/default.conf /etc/nginx/http.d/default.conf
+COPY --from=crayfish /etc/confd /etc/confd
 COPY --from=crayfish --chown=nginx:nginx /var/www /var/www
 
 COPY rootfs /
diff --git a/milliner/Dockerfile b/milliner/Dockerfile
@@ -17,7 +17,7 @@ ENV \
     MILLINER_FEDORA6=false \
     MILLINER_LOG_LEVEL=debug
 
-COPY --from=crayfish /etc/nginx/http.d/default.conf /etc/nginx/http.d/default.conf
+COPY --from=crayfish /etc/confd /etc/confd
 COPY --from=crayfish --chown=nginx:nginx /var/www /var/www
 
 COPY rootfs /
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
@@ -39,9 +39,18 @@ RUN --mount=type=cache,id=nginx-apk,sharing=locked,from=cache,target=/var/cache/
     cleanup.sh
 
 ENV \
+    NGINX_CLIENT_BODY_TIMEOUT=60 \
     NGINX_CLIENT_MAX_BODY_SIZE=0 \
     NGINX_ERROR_LOG_LEVEL=warn \
+    NGINX_FASTCGI_READ_TIMEOUT=60 \
+    NGINX_FASTCGI_SEND_TIMEOUT=60 \
+    NGINX_FASTCGI_CONNECT_TIMEOUT=60 \
     NGINX_KEEPALIVE_TIMEOUT=65 \
+    NGINX_LINGERING_TIMEOUT=60 \
+    NGINX_PROXY_READ_TIMEOUT=60 \
+    NGINX_PROXY_SEND_TIMEOUT=60 \
+    NGINX_PROXY_CONNECT_TIMEOUT=60 \
+    NGINX_SEND_TIMEOUT=60 \
     NGINX_WORKER_CONNECTIONS=1024 \
     NGINX_WORKER_PROCESSES=auto \
     PHP_DEFAULT_SOCKET_TIMEOUT=60 \
@@ -53,6 +62,8 @@ ENV \
     PHP_MAX_INPUT_VARS=3000 \
     PHP_MEMORY_LIMIT=256M \
     PHP_POST_MAX_SIZE=128M \
+    PHP_PROCESS_CONTROL_TIMEOUT=60 \
+    PHP_REQUEST_TERMINATE_TIMEOUT=60 \
     PHP_UPLOAD_MAX_FILESIZE=128M
 
 COPY --from=composer /usr/bin/composer /usr/bin/composer
diff --git a/nginx/rootfs/etc/confd/templates/nginx.conf.tmpl b/nginx/rootfs/etc/confd/templates/nginx.conf.tmpl
@@ -106,4 +106,4 @@ http {
 }
 
 # TIP: Uncomment if you use stream module.
-#include /etc/nginx/stream.conf;
+#include /etc/nginx/stream.conf;
diff --git a/nginx/rootfs/etc/confd/templates/php-fpm.conf.tmpl b/nginx/rootfs/etc/confd/templates/php-fpm.conf.tmpl
@@ -77,7 +77,7 @@ log_limit = {{ getenv "PHP_LOG_LIMIT" }}
 ; Available units: s(econds), m(inutes), h(ours), or d(ays)
 ; Default Unit: seconds
 ; Default Value: 0
-;process_control_timeout = 0
+process_control_timeout = {{ getenv "PHP_PROCESS_CONTROL_TIMEOUT" }}
 
 ; The maximum number of processes FPM will fork. This has been designed to control
 ; the global number of processes when using dynamic PM within a lot of pools.
diff --git a/nginx/rootfs/etc/confd/templates/www.conf.tmpl b/nginx/rootfs/etc/confd/templates/www.conf.tmpl
@@ -337,7 +337,7 @@ pm.max_spare_servers = 3
 ; does not stop script execution for some reason. A value of '0' means 'off'.
 ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
 ; Default Value: 0
-;request_terminate_timeout = 0
+request_terminate_timeout = {{ getenv "PHP_REQUEST_TERMINATE_TIMEOUT" }}
 
 ; The timeout set by 'request_terminate_timeout' ini option is not engaged after
 ; application calls 'fastcgi_finish_request' or when application has finished and
diff --git a/recast/Dockerfile b/recast/Dockerfile
@@ -16,7 +16,7 @@ ENV \
     RECAST_FCREPO_URL=islandora.traefik.me:8081/fcrepo/rest \
     RECAST_LOG_LEVEL=debug
 
-COPY --from=crayfish /etc/nginx/http.d/default.conf /etc/nginx/http.d/default.conf
+COPY --from=crayfish /etc/confd /etc/confd
 COPY --from=crayfish --chown=nginx:nginx /var/www /var/www
 
 COPY rootfs /
diff --git a/tomcat/Dockerfile b/tomcat/Dockerfile
@@ -29,6 +29,20 @@ RUN --mount=type=cache,id=tomcat-apk,sharing=locked,from=cache,target=/var/cache
     cleanup.sh
 
 ENV \
+    NGINX_CLIENT_BODY_TIMEOUT=60 \
+    NGINX_CLIENT_MAX_BODY_SIZE=0 \
+    NGINX_ERROR_LOG_LEVEL=warn \
+    NGINX_FASTCGI_READ_TIMEOUT=60 \
+    NGINX_FASTCGI_SEND_TIMEOUT=60 \
+    NGINX_FASTCGI_CONNECT_TIMEOUT=60 \
+    NGINX_KEEPALIVE_TIMEOUT=65 \
+    NGINX_LINGERING_TIMEOUT=60 \
+    NGINX_PROXY_READ_TIMEOUT=60 \
+    NGINX_PROXY_SEND_TIMEOUT=60 \
+    NGINX_PROXY_CONNECT_TIMEOUT=60 \
+    NGINX_SEND_TIMEOUT=60 \
+    NGINX_WORKER_CONNECTIONS=1024 \
+    NGINX_WORKER_PROCESSES=auto \
     TOMCAT_ADMIN_NAME=admin \
     TOMCAT_ADMIN_PASSWORD=password \
     TOMCAT_ADMIN_ROLES=manager-gui \
@@ -43,4 +57,4 @@ COPY --from=download /opt /opt
 COPY rootfs /
 COPY --chown=tomcat:tomcat rootfs/opt/tomcat /opt/tomcat
 
-WORKDIR /opt/tomcat
+WORKDIR /opt/tomcat
diff --git a/tomcat/rootfs/etc/confd/templates/default.conf.tmpl b/tomcat/rootfs/etc/confd/templates/default.conf.tmpl
@@ -5,5 +5,15 @@ server {
         proxy_set_header   X-Forwarded-For $remote_addr;
         proxy_set_header   Host $http_host;
         proxy_pass         "http://127.0.0.1:8080";
+        fastcgi_read_timeout {{ getenv "NGINX_FASTCGI_READ_TIMEOUT" }};
+        fastcgi_send_timeout {{ getenv "NGINX_FASTCGI_SEND_TIMEOUT" }};
+        fastcgi_connect_timeout {{ getenv "NGINX_FASTCGI_CONNECT_TIMEOUT" }};
+        proxy_read_timeout {{ getenv "NGINX_PROXY_READ_TIMEOUT" }};
+        proxy_send_timeout {{ getenv "NGINX_PROXY_SEND_TIMEOUT" }};
+        proxy_connect_timeout {{ getenv "NGINX_PROXY_CONNECT_TIMEOUT" }};
+        send_timeout {{ getenv "NGINX_SEND_TIMEOUT" }};
+        keepalive_timeout {{ getenv "NGINX_KEEPALIVE_TIMEOUT" }};
+        client_body_timeout {{ getenv "NGINX_CLIENT_BODY_TIMEOUT" }};
+        lingering_timeout {{ getenv "NGINX_LINGERING_TIMEOUT" }};
     }
 }
