From ab1061db34f2dfa0842d572953888e47a6e3b8c8 Mon Sep 17 00:00:00 2001
From: Robin ALEXANDER <64310405+colisee@users.noreply.github.com>
Date: Mon, 18 Dec 2023 11:40:22 +0100
Subject: [PATCH] Miscellaneous changes (#83)

* Remove customized file security.conf

Header directives can be set by librebooking itself.

* Handle remote ip when behind a reverse proxy

* Review instructions for 2nd option of the building process

---------

Co-authored-by: Robin Alexander
---
 BUILD.md | 4 ++--
 Dockerfile | 13 +++++++++---
 security.conf | 56 ---------------------------------------------------
 3 files changed, 12 insertions(+), 61 deletions(-)
 delete mode 100644 security.conf

diff --git a/BUILD.md b/BUILD.md
index 0025911..4174beb 100644
--- a/BUILD.md
+++ b/BUILD.md
@@ -70,8 +70,8 @@ Run the following commands on your host:
 # Log to the docker hub
 docker login --username
 
-# Setup the QEMU emulation for foreign architectures
-docker run --privileged tonistiigi/binfmt -install all
+# If needed, create a docker-container based build instance
+docker buildx create --driver docker-container --use
 
 # Build the docker image
 docker buildx build \
diff --git a/Dockerfile b/Dockerfile
index ffa44d9..05e2acc 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,7 +3,6 @@ FROM php:${PHP_VERSION}-apache
 COPY entrypoint.sh /usr/local/bin/
 RUN chmod +x /usr/local/bin/entrypoint.sh
-COPY security.conf /etc/apache2/conf-available/security.conf
 
 # Install composer
 COPY --from=composer/composer:latest-bin /composer /usr/bin/composer
 
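Review bot: Removing the `COPY security.conf` line reverts the image to the base image's stock `/etc/apache2/conf-available/security.conf`, and the commit message only accounts for the `Header set` directives. The deleted file also carried `ServerTokens Prod`, `ServerSignature Off` and `TraceEnable Off`, which are server-level directives that librebooking cannot set from PHP, so the image most likely now advertises the Apache version and OS in the `Server` header and on error pages (Debian's default is `ServerTokens OS` / `ServerSignature On`; worth confirming against the php:*-apache base). If the response headers are intentionally delegated to the application, keep those three directives in the image by writing them into a conf file in the same `RUN` that customizes Apache, e.g. `echo 'ServerTokens Prod'; echo 'ServerSignature Off'; echo 'TraceEnable Off';` followed by an `a2enconf`. The rest of the Dockerfile, including the `FROM` line, is outside this hunk.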
@@ -22,17 +21,25 @@ RUN set -ex; \
 apt-get clean; \
 rm -rf /var/lib/apt/lists/*
 
-# Customize php environment
+# Customize apache and php settings
 RUN set -ex; \
 cp "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini"; \
+{ \
+echo 'RemoteIPHeader X-Real-IP'; \
+echo 'RemoteIPInternalProxy 10.0.0.0/8'; \
+echo 'RemoteIPInternalProxy 172.16.0.0/12'; \
+echo 'RemoteIPInternalProxy 192.168.0.0/16'; \
+} > /etc/apache2/conf-available/remoteip.conf; \
+a2enconf remoteip; \
 a2enmod rewrite; \
 a2enmod headers; \
+a2enmod remoteip; \
 docker-php-ext-configure gd --with-jpeg; \
 docker-php-ext-install mysqli gd ldap; \
 pecl install timezonedb; \
 docker-php-ext-enable timezonedb;
 
-# Get application and customize
+# Get and customize librebooking
 USER www-data
 RUN set -ex; \
 curl \
diff --git a/security.conf b/security.conf
deleted file mode 100644
index 320f66a..0000000
--- a/security.conf
+++ /dev/null
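Review bot: The three `RemoteIPInternalProxy` lines trust every RFC 1918 range, so any peer that reaches Apache from a private address — another container on the same Docker network, or any LAN host when the port is published without a proxy in front — can supply `X-Real-IP` and have it replace the client address that PHP sees in `REMOTE_ADDR`, that the access log records, and that any `Require ip` rule evaluates. The trust list should name the actual proxy; since that is deployment-specific, consider taking it from a build `ARG` or rendering `remoteip.conf` from an environment variable in `entrypoint.sh` instead of hard-coding the ranges. A comment on the `RemoteIPHeader` line would also help operators, since only `X-Real-IP` is honoured here: `# Only X-Real-IP is trusted; a proxy that sends X-Forwarded-For will leave the proxy address as the client`.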
@@ -1,56 +0,0 @@
-# Changing the following options will not really affect the security of the
-# server, but might make attacks slightly more difficult in some cases.
-
-#
-# ServerTokens
-# This directive configures what you return as the Server HTTP response
-# Header. The default is 'Full' which sends information about the OS-Type
-# and compiled in modules.
-# Set to one of: Full | OS | Minimal | Minor | Major | Prod
-# where Full conveys the most information, and Prod the least.
-ServerTokens Prod
-
-#
-# Optionally add a line containing the server version and virtual host
-# name to server-generated pages (internal error documents, FTP directory
-# listings, mod_status and mod_info output etc., but not CGI generated
-# documents or custom error documents).
-# Set to "EMail" to also include a mailto: link to the ServerAdmin.
-# Set to one of: On | Off | EMail
-ServerSignature Off
-
-#
-# Allow TRACE method
-#
-# Set to "extended" to also reflect the request body (only for testing and
-# diagnostic purposes).
-#
-# Set to one of: On | Off | extended
-TraceEnable Off
-
-#
-# Setting this header will prevent MSIE from interpreting files as something
-# else than declared by the content type in the HTTP headers.
-# Requires mod_headers to be enabled.
-#
-Header set X-Content-Type-Options: "nosniff"
-
-#
-# Setting this header will prevent other sites from embedding pages from this
-# site as frames. This defends against clickjacking attacks.
-# Requires mod_headers to be enabled.
-#
-Header set X-Frame-Options: "sameorigin"
-
-#
-# Setting this header will control how much information the browser includes
-# with navigations away from a document and should be set by all sites.
-#
-Header set Referrer-Policy: "no-referrer"
-
-#
-# Setting this header will control which features and APIs can be used
-# in the browser
-Header set permissions-policy: "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), interest-cohort=()"
-
-# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
\ No newline at end of file