PERMANENTLY MOVED TO https://github.com/spacetab-io/static-server-php
Specific static server with support corporate standard of configuration and more.. This server is a simple wrapper for nginx or an any web server.
Server created for javascript SPA apps like: Vue, React, Angular, etc.
- Special created for modern web app's.
- Secure headers by default.
- If backend app will be hacked, the hacker may write a letter to us, because email address injected to head section of index (console message) :)
- Corporate config standard supported by default and injected too.
- Brotli-compression (Gzip used as fallback for outdated browsers). Enabled by default. More.
- Deny all
robots.txtby default. - Hot reload
FROM microparts/static-server-php:2.0.3
ARG VCS_SHA1
ARG STAGE
# dist & frontend yaml configuration
COPY dist/ /app
COPY ./configuration /app/configurationFull example can be founded here. And with local use here.
CLI usage implies 2 commands for usage:
- Start server:
server runResult:
[2019-12-18 17:38:30] Server.INFO: State: STAGE=local SHA1= VERSION=2.0.3 CONFIG_PATH=/Users/roquie/google_drive/projects/microparts/static-server-php/configuration
[2019-12-18 17:38:30] Server.INFO: Files modification enabled. Have fun!.
[2019-12-18 17:38:30] Server.INFO: Nginx Brotli module not installed. Turning off this compression method.
[2019-12-18 17:38:30] Server.INFO: Check if platform supports async io...
[2019-12-18 17:38:30] Server.INFO: Platform does not supports async io, turning it off.
[2019-12-18 17:38:30] Server.INFO: Prerender is not enabled, skip check.
[2019-12-18 17:38:30] Server.INFO: Nginx PID location: /tmp/spa_nginx.pid
[2019-12-18 17:38:30] Server.INFO: nginx: the configuration file /tmp/generated_nginx.conf syntax is ok
[2019-12-18 17:38:30] Server.INFO: nginx: configuration file /tmp/generated_nginx.conf test is successful
[2019-12-18 17:38:30] Server.INFO: Server started at: 0.0.0.0:8080- Reload
After editing files or configuration you can reload server without restart master process.
server reloadReload command result:
[2019-12-18 17:41:44] Server.INFO: Reload configuration
[2019-12-18 17:41:44] Server.INFO: State: STAGE=local SHA1= VERSION=2.0.3 CONFIG_PATH=/Users/roquie/google_drive/projects/microparts/static-server-php/configuration
[2019-12-18 17:41:44] Server.INFO: Files modification enabled. Have fun!.
[2019-12-18 17:41:44] Server.INFO: Nginx Brotli module not installed. Turning off this compression method.
[2019-12-18 17:41:44] Server.INFO: Check if platform supports async io...
[2019-12-18 17:41:44] Server.INFO: Platform does not supports async io, turning it off.
[2019-12-18 17:41:44] Server.INFO: Prerender is not enabled, skip check.
[2019-12-18 17:41:44] Server.INFO: Nginx PID location: /tmp/spa_nginx.pid
[2019-12-18 17:41:44] Server.INFO: nginx: the configuration file /tmp/generated_nginx.conf syntax is ok
[2019-12-18 17:41:44] Server.INFO: nginx: configuration file /tmp/generated_nginx.conf test is successful
[2019-12-18 17:41:44] Server.INFO: Configuration reloaded- Dump loaded configuration:
server dumpResult:
CONFIG_PATH = /app/configuration
STAGE = dev
server:
host: 0.0.0.0
port: 8080
root: ./dist
index: index.html
modify:
enabled: true
root: ./dist/modified
inject: before_script
handler:
name: nginx
options:
pid: /tmp/spa_nginx.pid
config: /tmp/generated_nginx.conf
prerender:
enabled: false
url: null
resolver: "8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1"
headers: []
service_worker:
enabled: false
log_info: '%%cSTAGE=%s SHA1=%s; %%cSecurity bugs: [email protected], Job/partnership: [email protected]'
logger:
enabled: true
level: info
security_txt:
contact: [email protected]
preferred_lang: 'en, ru'
headers:
csp:
- 'default-src ''self'''
- 'script-src ''self'' ''unsafe-inline'' cdnjs.cloudflare.com'
- 'img-src ''self'' data:'
- 'style-src ''self'' ''unsafe-inline'' fonts.googleapis.com cdnjs.cloudflare.com'
- 'font-src ''self'' data: fonts.gstatic.com cdnjs.cloudflare.com'
- 'form-action ''self'''
feature_policy:
- 'geolocation ''none'''
- 'payment ''none'''
- 'microphone ''none'''
- 'camera ''none'''
- 'autoplay ''none'''
referer_policy: no-referrer
pragma: public
xss_protection: '1; mode=block'
x_content_type: nosniff
x_content_type_options: nosniff
x_ua_compatible: IE=edge
sts: 'max-age=86400; includeSubDomains; preload'Comments about server configuration can be found here.
Server reads files from dist, then modifying index.html on the fly and append configuration before first <script> tag will be founded.
Also available insert config before first tag to <head> section (but it blocks page painting).
Injected config file (__config.js) has following content:
window.__stage = 'local';
window.__config = JSON.parse('{}' /* frontend config from yaml here */);
window.__vcs = '%s';
console.log('%%cSTAGE=dev SHA1=55b5293; %%cSecurity bugs: [email protected], Job/partnership: [email protected]','color:#F44336','color:#009688');Also, will be injected <link> tag with rel=preload. More.
Then, starts the nginx server.
By default will be added following headers to response:
Pragma: public
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type: nosniff
X-Content-Type-Options: nosniff
X-Ua-Compatible: IE=edge
Referrer-Policy: no-referrer
Feature-Policy: geolocation 'none'; payment 'none'; microphone 'none'; camera 'none'; autoplay 'none'
Content-Security-Policy: default-src 'self'; script-src 'self' cdnjs.cloudflare.com; img-src 'self' data:; style-src 'self' 'unsafe-inline' fonts.googleapis.com cdnjs.cloudflare.com; font-src 'self' data: fonts.gstatic.com cdnjs.cloudflare.com; form-action 'self'
Strict-Transport-Security: max-age=604800; includeSubDomains; preloadA+ rating issued by the site https://securityheaders.com.
Frontend-developer should be use Content Security Policy protection,
i.e configure server himself.
It creates a server.yaml config file and add it to stage directory
dev/prod/local (or only to defaults folder) with following contents:
dev:
server:
headers:
csp:
- default-src 'self' *.teamcsrv.com *.teamc.io
- script-src 'self'
- "img-src 'self' data:"
- style-src 'self' 'unsafe-inline' fonts.googleapis.com
- "font-src 'self' data: fonts.gstatic.com"
- form-action 'self'And it edit in accordance with business logic of application.
As new feature since 1.1.4 version you able to use Link header
for server configuration.
- How it use for
<link rel=preload>requirements (lighthouse), – https://w3c.github.io/preload/#example-3 , https://w3c.github.io/preload/#example-6 - Specification https://tools.ietf.org/html/rfc5988#section-5
Example:
dev:
server:
headers:
link:
- value: </app/style.css>; rel=preload; as=style; nopush
- value:
- <https://example.com/app/script.js>
- rel=preload
- as=scriptBy default server use Brotli-compression algorithm developed by Google Inc.
If a more effective (up to 21%) lossless compression algorithm than gzip and deflate.
For the present, his support all modern browsers:
https://caniuse.com/#search=Brotli
Server read the following environment variables:
CONFIG_PATH – server and frontend configuration.
STAGE – server and frontend mode to start: prod/dev/local
VCS_SHA1 – build commit sha1 for debugBy default root directory is /app. It special for container-based usage.
Root directory contains following files from scratch:
.
├── favicon.ico
├── index.html
└── robots.txt
favicon.ico– is a transparent.icofile (for prevent error logs).index.html– simple index file with hello message.robots.txt– the file which blocks all robots by default./.well-known/security.txt– https://securitytxt.org/
Each file can be replaced.
Install packages for development using composer and just run following command:
vendor/bin/phpunit
PHPUnit 8.5.0 by Sebastian Bergmann and contributors.
Runtime: PHP 7.4.0 with Xdebug 2.9.0
Configuration: /Users/roquie/google_drive/projects/microparts/static-server-php/phpunit.xml
...................... 22 / 22 (100%)
Time: 403 ms, Memory: 10.00 MB
OK (22 tests, 40 assertions)
GNU GPL v3